FTL build fix attempt after r165141.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2014-03-05  Ryosuke Niwa  <rniwa@webkit.org>
2
3         FTL build fix attempt after r165141.
4
5         * ftl/FTLCompile.cpp:
6         (JSC::FTL::fixFunctionBasedOnStackMaps):
7
8 2014-03-05  Gavin Barraclough  <barraclough@apple.com>
9
10         https://bugs.webkit.org/show_bug.cgi?id=128625
11         Add fast mapping from StringImpl to JSString
12
13         Unreviewed roll-out.
14
15         Reverting r164347, r165054, r165066 - not clear the performance tradeoff was right.
16
17         * runtime/JSString.cpp:
18         * runtime/JSString.h:
19         * runtime/VM.cpp:
20         (JSC::VM::createLeaked):
21         * runtime/VM.h:
22
23 2014-03-03  Oliver Hunt  <oliver@apple.com>
24
25         Support caching of custom setters
26         https://bugs.webkit.org/show_bug.cgi?id=129519
27
28         Reviewed by Filip Pizlo.
29
30         This patch adds caching of assignment to properties that
31         are backed by C functions. This provides most of the leg
32         work required to start supporting setters, and resolves
33         the remaining regressions from moving DOM properties up
34         the prototype chain.
35
36         * JavaScriptCore.xcodeproj/project.pbxproj:
37         * bytecode/PolymorphicPutByIdList.cpp:
38         (JSC::PutByIdAccess::visitWeak):
39         (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
40         (JSC::PolymorphicPutByIdList::from):
41         * bytecode/PolymorphicPutByIdList.h:
42         (JSC::PutByIdAccess::transition):
43         (JSC::PutByIdAccess::replace):
44         (JSC::PutByIdAccess::customSetter):
45         (JSC::PutByIdAccess::isCustom):
46         (JSC::PutByIdAccess::oldStructure):
47         (JSC::PutByIdAccess::chain):
48         (JSC::PutByIdAccess::stubRoutine):
49         * bytecode/PutByIdStatus.cpp:
50         (JSC::PutByIdStatus::computeForStubInfo):
51         (JSC::PutByIdStatus::computeFor):
52         (JSC::PutByIdStatus::dump):
53         * bytecode/PutByIdStatus.h:
54         (JSC::PutByIdStatus::PutByIdStatus):
55         (JSC::PutByIdStatus::takesSlowPath):
56         (JSC::PutByIdStatus::makesCalls):
57         * bytecode/StructureStubInfo.h:
58         * dfg/DFGAbstractInterpreterInlines.h:
59         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
60         * dfg/DFGByteCodeParser.cpp:
61         (JSC::DFG::ByteCodeParser::emitPutById):
62         (JSC::DFG::ByteCodeParser::handlePutById):
63         * dfg/DFGClobberize.h:
64         (JSC::DFG::clobberize):
65         * dfg/DFGCommon.h:
66         * dfg/DFGConstantFoldingPhase.cpp:
67         (JSC::DFG::ConstantFoldingPhase::foldConstants):
68         * dfg/DFGFixupPhase.cpp:
69         (JSC::DFG::FixupPhase::fixupNode):
70         * dfg/DFGNode.h:
71         (JSC::DFG::Node::hasIdentifier):
72         * dfg/DFGNodeType.h:
73         * dfg/DFGPredictionPropagationPhase.cpp:
74         (JSC::DFG::PredictionPropagationPhase::propagate):
75         * dfg/DFGSafeToExecute.h:
76         (JSC::DFG::safeToExecute):
77         * dfg/DFGSpeculativeJIT.cpp:
78         (JSC::DFG::SpeculativeJIT::compileIn):
79         * dfg/DFGSpeculativeJIT.h:
80         * dfg/DFGSpeculativeJIT32_64.cpp:
81         (JSC::DFG::SpeculativeJIT::cachedGetById):
82         (JSC::DFG::SpeculativeJIT::cachedPutById):
83         (JSC::DFG::SpeculativeJIT::compile):
84         * dfg/DFGSpeculativeJIT64.cpp:
85         (JSC::DFG::SpeculativeJIT::cachedGetById):
86         (JSC::DFG::SpeculativeJIT::cachedPutById):
87         (JSC::DFG::SpeculativeJIT::compile):
88         * jit/CCallHelpers.h:
89         (JSC::CCallHelpers::setupArgumentsWithExecState):
90         * jit/JITInlineCacheGenerator.cpp:
91         (JSC::JITByIdGenerator::JITByIdGenerator):
92         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
93         * jit/JITInlineCacheGenerator.h:
94         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
95         * jit/JITOperations.cpp:
96         * jit/JITOperations.h:
97         * jit/JITPropertyAccess.cpp:
98         (JSC::JIT::emit_op_get_by_id):
99         (JSC::JIT::emit_op_put_by_id):
100         * jit/JITPropertyAccess32_64.cpp:
101         (JSC::JIT::emit_op_get_by_id):
102         (JSC::JIT::emit_op_put_by_id):
103         * jit/Repatch.cpp:
104         (JSC::tryCacheGetByID):
105         (JSC::tryBuildGetByIDList):
106         (JSC::emitCustomSetterStub):
107         (JSC::tryCachePutByID):
108         (JSC::tryBuildPutByIdList):
109         * jit/SpillRegistersMode.h: Added.
110         * llint/LLIntSlowPaths.cpp:
111         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
112         * runtime/Lookup.h:
113         (JSC::putEntry):
114         * runtime/PutPropertySlot.h:
115         (JSC::PutPropertySlot::setCacheableCustomProperty):
116         (JSC::PutPropertySlot::customSetter):
117         (JSC::PutPropertySlot::isCacheablePut):
118         (JSC::PutPropertySlot::isCacheableCustomProperty):
119         (JSC::PutPropertySlot::cachedOffset):
120
121 2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>
122
123         JSCell::m_gcData should encode its information differently
124         https://bugs.webkit.org/show_bug.cgi?id=129741
125
126         Reviewed by Geoffrey Garen.
127
128         We want to keep track of three GC states for an object:
129
130         1. Not marked (which implies not in the remembered set)
131         2. Marked but not in the remembered set
132         3. Marked and in the remembered set
133         
134         Currently we only indicate marked vs. not marked in JSCell::m_gcData. During a write 
135         barrier, we only want to take the slow path if the object being stored to is in state #2. 
136         We'd like to make the test for state #2 as fast as possible, which means making it a 
137         compare against 0.
138
139         * dfg/DFGOSRExitCompilerCommon.cpp:
140         (JSC::DFG::osrWriteBarrier):
141         * dfg/DFGSpeculativeJIT.cpp:
142         (JSC::DFG::SpeculativeJIT::checkMarkByte):
143         (JSC::DFG::SpeculativeJIT::writeBarrier):
144         * dfg/DFGSpeculativeJIT.h:
145         * dfg/DFGSpeculativeJIT32_64.cpp:
146         (JSC::DFG::SpeculativeJIT::writeBarrier):
147         * dfg/DFGSpeculativeJIT64.cpp:
148         (JSC::DFG::SpeculativeJIT::writeBarrier):
149         * ftl/FTLLowerDFGToLLVM.cpp:
150         (JSC::FTL::LowerDFGToLLVM::allocateCell):
151         (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
152         * heap/Heap.cpp:
153         (JSC::Heap::clearRememberedSet):
154         (JSC::Heap::addToRememberedSet):
155         * jit/AssemblyHelpers.h:
156         (JSC::AssemblyHelpers::checkMarkByte):
157         * jit/JIT.h:
158         * jit/JITPropertyAccess.cpp:
159         (JSC::JIT::checkMarkByte):
160         (JSC::JIT::emitWriteBarrier):
161         * jit/Repatch.cpp:
162         (JSC::writeBarrier):
163         * llint/LowLevelInterpreter.asm:
164         * llint/LowLevelInterpreter32_64.asm:
165         * llint/LowLevelInterpreter64.asm:
166         * runtime/JSCell.h:
167         (JSC::JSCell::mark):
168         (JSC::JSCell::remember):
169         (JSC::JSCell::forget):
170         (JSC::JSCell::isMarked):
171         (JSC::JSCell::isRemembered):
172         * runtime/JSCellInlines.h:
173         (JSC::JSCell::JSCell):
174         * runtime/StructureIDBlob.h:
175         (JSC::StructureIDBlob::StructureIDBlob):
176
177 2014-03-05  Filip Pizlo  <fpizlo@apple.com>
178
179         More FTL ARM fixes
180         https://bugs.webkit.org/show_bug.cgi?id=129755
181
182         Reviewed by Geoffrey Garen.
183         
184         - Be more defensive about inline caches that have degenerate chains.
185         
186         - Temporarily switch to allocating all MCJIT memory in the executable pool on non-x86
187           platforms. The bug tracking the real fix is: https://bugs.webkit.org/show_bug.cgi?id=129756
188         
189         - Don't even emit intrinsic declarations on non-x86 platforms.
190         
191         - More debug printing support.
192         
193         - Don't use vmCall() in the prologue. This should have crashed on all platforms all the time
194           but somehow it gets lucky on x86.
195
196         * bytecode/GetByIdStatus.cpp:
197         (JSC::GetByIdStatus::appendVariant):
198         (JSC::GetByIdStatus::computeForChain):
199         (JSC::GetByIdStatus::computeForStubInfo):
200         * bytecode/GetByIdStatus.h:
201         * bytecode/PutByIdStatus.cpp:
202         (JSC::PutByIdStatus::appendVariant):
203         (JSC::PutByIdStatus::computeForStubInfo):
204         * bytecode/PutByIdStatus.h:
205         * bytecode/StructureSet.h:
206         (JSC::StructureSet::overlaps):
207         * ftl/FTLCompile.cpp:
208         (JSC::FTL::mmAllocateDataSection):
209         * ftl/FTLDataSection.cpp:
210         (JSC::FTL::DataSection::DataSection):
211         (JSC::FTL::DataSection::~DataSection):
212         * ftl/FTLDataSection.h:
213         * ftl/FTLLowerDFGToLLVM.cpp:
214         (JSC::FTL::LowerDFGToLLVM::lower):
215         * ftl/FTLOutput.h:
216         (JSC::FTL::Output::doubleSin):
217         (JSC::FTL::Output::doubleCos):
218         * runtime/JSCJSValue.cpp:
219         (JSC::JSValue::dumpInContext):
220         * runtime/JSCell.h:
221         (JSC::JSCell::structureID):
222
223 2014-03-05  peavo@outlook.com  <peavo@outlook.com>
224
225         [Win32][LLINT] Crash when running JSC stress tests.
226         https://bugs.webkit.org/show_bug.cgi?id=129429
227
228         On Windows the reserved stack space consists of committed memory, a guard page, and uncommitted memory,
229         where the guard page is a barrier between committed and uncommitted memory.
230         When data from the guard page is read or written, the guard page is moved, and memory is committed.
231         This is how the system grows the stack.
232         When using the C stack on Windows we need to precommit the needed stack space.
233         Otherwise we might crash later if we access uncommitted stack memory.
234         This can happen if we allocate stack space larger than the page guard size (4K).
235         The system does not get the chance to move the guard page, and commit more memory,
236         and we crash if uncommitted memory is accessed.
237         The MSVC compiler fixes this by inserting a call to the _chkstk() function,
238         when needed, see http://support.microsoft.com/kb/100775.
239
240         Reviewed by Geoffrey Garen.
241
242         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Enable LLINT.
243         * jit/Repatch.cpp:
244         (JSC::writeBarrier): Compile fix when DFG_JIT is not enabled.
245         * offlineasm/x86.rb: Compile fix, and small simplification.
246         * runtime/VM.cpp:
247         (JSC::preCommitStackMemory): Added function to precommit stack memory.
248         (JSC::VM::updateStackLimit): Call function to precommit stack memory when stack limit is updated.
249
250 2014-03-05  Michael Saboff  <msaboff@apple.com>
251
252         JSDataViewPrototype::getData() and setData() crash on platforms that don't allow unaligned accesses
253         https://bugs.webkit.org/show_bug.cgi?id=129746
254
255         Reviewed by Filip Pizlo.
256
257         Changed to use a union to manually assemble or disassemble the various types
258         from / to the corresponding bytes.  All memory access is now done using
259         byte accesses.
260
261         * runtime/JSDataViewPrototype.cpp:
262         (JSC::getData):
263         (JSC::setData):
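
The byte-wise access that the entry above describes, as an added example that is not JavaScriptCore's code: a union whose bytes[] member is the only thing ever copied to or from the backing buffer, so no load or store wider than one byte lands on an arbitrary offset, plus the range check and byte-order handling a DataView needs (all type and function names here are this example's own).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Union used to assemble or disassemble a typed value from its bytes.
 * Only bytes[] is ever copied to or from the backing buffer, so no load
 * or store wider than one byte hits the buffer at an arbitrary offset.
 * (All names in this example are its own, not JavaScriptCore's.) */
typedef union {
    uint8_t  bytes[8];
    int16_t  i16;
    uint16_t u16;
    int32_t  i32;
    uint32_t u32;
    double   f64;
} DataViewValue;

static bool hostIsLittleEndian(void)
{
    const uint16_t probe = 1;
    uint8_t firstByte;
    memcpy(&firstByte, &probe, 1);
    return firstByte == 1;
}

/* `size` bytes at `offset` must lie inside the buffer; written so that
 * offset + size cannot overflow. */
static bool inRange(size_t bufferLength, size_t offset, size_t size)
{
    return size <= bufferLength && offset <= bufferLength - size;
}

/* Copy `size` bytes out of the buffer one byte at a time, reversing the
 * order when the requested byte order differs from the host's, so the
 * typed member of `out` then holds the decoded value. */
static bool getBytes(const uint8_t* buffer, size_t bufferLength, size_t offset,
                     size_t size, bool littleEndian, DataViewValue* out)
{
    if (!inRange(bufferLength, offset, size))
        return false;
    bool reverse = littleEndian != hostIsLittleEndian();
    for (size_t i = 0; i < size; ++i)
        out->bytes[i] = buffer[offset + (reverse ? size - 1 - i : i)];
    return true;
}

/* The inverse: scatter the typed value's bytes into the buffer. */
static bool setBytes(uint8_t* buffer, size_t bufferLength, size_t offset,
                     size_t size, bool littleEndian, const DataViewValue* in)
{
    if (!inRange(bufferLength, offset, size))
        return false;
    bool reverse = littleEndian != hostIsLittleEndian();
    for (size_t i = 0; i < size; ++i)
        buffer[offset + (reverse ? size - 1 - i : i)] = in->bytes[i];
    return true;
}

/* Constructed sample buffer: a big-endian double 1.0 followed by 0x2A.
 * Offset 5 is deliberately not 4-byte aligned. */
static const uint8_t kSample[9] = { 0x3F, 0xF0, 0, 0, 0, 0, 0, 0, 0x2A };

/* getUint32 at offset 5: bytes 00 00 00 2A. */
static uint32_t demoReadU32(bool littleEndian)
{
    DataViewValue v;
    return getBytes(kSample, sizeof kSample, 5, 4, littleEndian, &v) ? v.u32 : 0;
}

/* getFloat64 at offset 0, big-endian: 0x3FF0000000000000 == 1.0. */
static double demoReadF64BigEndian(void)
{
    DataViewValue v;
    return getBytes(kSample, sizeof kSample, 0, 8, false, &v) ? v.f64 : 0.0;
}

/* setInt16(-2) little-endian at offset 7 (the last two bytes), then read
 * it back in the requested byte order. */
static int demoRoundTripI16(bool readLittleEndian)
{
    uint8_t buffer[sizeof kSample];
    DataViewValue in, out;
    memcpy(buffer, kSample, sizeof buffer);
    in.i16 = -2;
    if (!setBytes(buffer, sizeof buffer, 7, 2, true, &in))
        return 0;
    return getBytes(buffer, sizeof buffer, 7, 2, readLittleEndian, &out) ? out.i16 : 0;
}

/* A 4-byte read at offset 6 of a 9-byte buffer must be refused. */
static bool demoOutOfRangeRejected(void)
{
    DataViewValue v;
    return !getBytes(kSample, sizeof kSample, 6, 4, true, &v);
}
```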
264
265 2014-03-05  Filip Pizlo  <fpizlo@apple.com>
266
267         FTL loadStructure always generates invalid IR
268         https://bugs.webkit.org/show_bug.cgi?id=129747
269
270         Reviewed by Mark Hahnenberg.
271
272         As the comment at the top of FTL::Output states, the FTL doesn't use LLVM's notion
273         of pointers. LLVM's notion of pointers tries to model C, in the sense that you have
274         to have a pointer to a type, and you can only load things of that type from that
275         pointer. Pointer arithmetic is basically not possible except through the bizarre
276         getelementptr operator. This doesn't fit with how the JS object model works since
277         the JS object model doesn't consist of nice and tidy C types placed in C arrays.
278         Also, it would be impossible to use getelementptr and LLVM pointers for accessing
279         any of JSC's C or C++ objects unless we went through the exercise of redeclaring
280         all of our fundamental data structures in LLVM IR as LLVM types. Clang could do
281         this for us, but that would require that to use the FTL, JSC itself would have to
282         be compiled with clang. Worse, it would have to be compiled with a clang that uses
283         a version of LLVM that is compatible with the one against which the FTL is linked.
284         Yuck!
285
286         The solution is to NEVER use LLVM pointers. This has always been the case in the
287         FTL. But it causes some confusion.
288         
289         Not using LLVM pointers means that if the FTL has a "pointer", it's actually a
290         pointer-wide integer (m_out.intPtr in FTL-speak). The act of "loading" and
291         "storing" from or to a pointer involves first bitcasting the intPtr to a real LLVM
292         pointer that has the type that we want. The load and store operations over pointers
293         are called Output::load* and Output::store*, where * is one of "8", "16", "32",
294         "64", "Ptr", "Float", or "Double".
295         
296         There is unavoidable confusion here. It would be bizarre for the FTL to call its
297         "pointer-wide integers" anything other than "pointers", since they are, in all
298         respects that we care about, simply pointers. But they are *not* LLVM pointers and
299         they never will be that.
300         
301         There is one exception to this "no pointers" rule. The FTL does use actual LLVM
302         pointers for referring to LLVM alloca's - i.e. local variables. To try to reduce
303         confusion, we call these "references". So an "FTL reference" is actually an "LLVM
304         pointer", while an "FTL pointer" is actually an "LLVM integer". FTL references have
305         methods for access called Output::get and Output::set. These lower to LLVM load
306         and store, since FTL references are just LLVM pointers.
307         
308         This confusion appears to have led to incorrect code in loadStructure().
309         loadStructure() was using get() and set() to access FTL pointers. But those methods
310         don't work on FTL pointers and never will, since they are for FTL references.
311         
312         The worst part of this is that it was previously impossible to have test coverage
313         for the relevant path (MasqueradesAsUndefined) without writing a DRT test. This
314         patch fixes this by introducing a Masquerader object to jsc.cpp.
315         
316         * ftl/FTLAbstractHeapRepository.h: Add an abstract heap for the structure table.
317         * ftl/FTLLowerDFGToLLVM.cpp:
318         (JSC::FTL::LowerDFGToLLVM::loadStructure): This was wrong.
319         * ftl/FTLOutput.h: Add a comment to dissuade people from using get() and set().
320         * jsc.cpp: Give us the power to test for MasqueradesAsUndefined.
321         (WTF::Masquerader::Masquerader):
322         (WTF::Masquerader::create):
323         (WTF::Masquerader::createStructure):
324         (GlobalObject::finishCreation):
325         (functionMakeMasquerader):
326         * tests/stress/equals-masquerader.js: Added.
327         (foo):
328         (test):
329
330 2014-03-05  Anders Carlsson  <andersca@apple.com>
331
332         Tweak after r165109 to avoid extra copies
333         https://bugs.webkit.org/show_bug.cgi?id=129745
334
335         Reviewed by Geoffrey Garen.
336
337         * heap/Heap.cpp:
338         (JSC::Heap::visitProtectedObjects):
339         (JSC::Heap::visitTempSortVectors):
340         (JSC::Heap::clearRememberedSet):
341         * heap/Heap.h:
342         (JSC::Heap::forEachProtectedCell):
343
344 2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>
345
346         DFGStoreBarrierElisionPhase should should GCState directly instead of m_gcClobberSet when calling writesOverlap()
347         https://bugs.webkit.org/show_bug.cgi?id=129717
348
349         Reviewed by Filip Pizlo.
350
351         * dfg/DFGStoreBarrierElisionPhase.cpp:
352         (JSC::DFG::StoreBarrierElisionPhase::StoreBarrierElisionPhase):
353         (JSC::DFG::StoreBarrierElisionPhase::couldCauseGC):
354
355 2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>
356
357         Use range-based loops where possible in Heap methods
358         https://bugs.webkit.org/show_bug.cgi?id=129513
359
360         Reviewed by Mark Lam.
361
362         Replace old school iterator based loops with the new range-based loop hotness
363         for a better tomorrow.
364
365         * heap/CodeBlockSet.cpp:
366         (JSC::CodeBlockSet::~CodeBlockSet):
367         (JSC::CodeBlockSet::clearMarks):
368         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
369         (JSC::CodeBlockSet::traceMarked):
370         * heap/Heap.cpp:
371         (JSC::Heap::visitProtectedObjects):
372         (JSC::Heap::visitTempSortVectors):
373         (JSC::Heap::clearRememberedSet):
374         * heap/Heap.h:
375         (JSC::Heap::forEachProtectedCell):
376
377 2014-03-04  Filip Pizlo  <fpizlo@apple.com>
378
379         DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
380         https://bugs.webkit.org/show_bug.cgi?id=129563
381
382         Reviewed by Geoffrey Garen.
383         
384         Rolling this back in after fixing an assertion failure. speculateMisc() should have
385         said DFG_TYPE_CHECK instead of typeCheck.
386         
387         This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
388         when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
389         user of this was EarleyBoyer, and in that benchmark what it was really doing was
390         comparing undefined, null, and booleans to each other.
391         
392         This also adds support for miscellaneous things that I needed to make my various test
393         cases work. This includes comparison over booleans and the various Throw-related node
394         types.
395         
396         This also improves constant folding of CompareStrictEq and CompareEq.
397         
398         Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
399         based on profiling, which caused some downstream badness. We don't actually support
400         compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just
401         emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it
402         shouldn't factor out the bounds check since the access is not InBounds but then the
403         backend would ignore the flag and assume that the bounds check was already emitted.
404         This showed up on an existing test but I added a test for this explicitly to have more
405         certain coverage. The fix is to not mark something as OutOfBounds if the semantics are
406         that we'll have a bounds check anyway.
407         
408         This is a 1% speed-up on Octane mostly because of raytrace, but also because of just
409         general progressions across the board. No speed-up yet on EarleyBoyer, since there is
410         still a lot more coverage work to be done there.
411
412         * bytecode/SpeculatedType.cpp:
413         (JSC::speculationToAbbreviatedString):
414         (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
415         (JSC::valuesCouldBeEqual):
416         * bytecode/SpeculatedType.h:
417         (JSC::isMiscSpeculation):
418         * dfg/DFGAbstractInterpreterInlines.h:
419         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
420         * dfg/DFGArrayMode.cpp:
421         (JSC::DFG::ArrayMode::refine):
422         * dfg/DFGArrayMode.h:
423         * dfg/DFGFixupPhase.cpp:
424         (JSC::DFG::FixupPhase::fixupNode):
425         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
426         * dfg/DFGNode.h:
427         (JSC::DFG::Node::shouldSpeculateMisc):
428         * dfg/DFGSafeToExecute.h:
429         (JSC::DFG::SafeToExecuteEdge::operator()):
430         * dfg/DFGSpeculativeJIT.cpp:
431         (JSC::DFG::SpeculativeJIT::compileStrictEq):
432         (JSC::DFG::SpeculativeJIT::speculateMisc):
433         (JSC::DFG::SpeculativeJIT::speculate):
434         * dfg/DFGSpeculativeJIT.h:
435         * dfg/DFGSpeculativeJIT32_64.cpp:
436         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
437         * dfg/DFGSpeculativeJIT64.cpp:
438         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
439         * dfg/DFGUseKind.cpp:
440         (WTF::printInternal):
441         * dfg/DFGUseKind.h:
442         (JSC::DFG::typeFilterFor):
443         * ftl/FTLCapabilities.cpp:
444         (JSC::FTL::canCompile):
445         * ftl/FTLLowerDFGToLLVM.cpp:
446         (JSC::FTL::LowerDFGToLLVM::compileNode):
447         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
448         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
449         (JSC::FTL::LowerDFGToLLVM::compileThrow):
450         (JSC::FTL::LowerDFGToLLVM::isNotMisc):
451         (JSC::FTL::LowerDFGToLLVM::isMisc):
452         (JSC::FTL::LowerDFGToLLVM::speculate):
453         (JSC::FTL::LowerDFGToLLVM::speculateMisc):
454         * tests/stress/float32-array-out-of-bounds.js: Added.
455         * tests/stress/weird-equality-folding-cases.js: Added.
456
457 2014-03-04  Commit Queue  <commit-queue@webkit.org>
458
459         Unreviewed, rolling out r165085.
460         http://trac.webkit.org/changeset/165085
461         https://bugs.webkit.org/show_bug.cgi?id=129729
462
463         Broke imported/w3c/html-templates/template-element/template-
464         content.html (Requested by ap on #webkit).
465
466         * bytecode/SpeculatedType.cpp:
467         (JSC::speculationToAbbreviatedString):
468         * bytecode/SpeculatedType.h:
469         * dfg/DFGAbstractInterpreterInlines.h:
470         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
471         * dfg/DFGArrayMode.cpp:
472         (JSC::DFG::ArrayMode::refine):
473         * dfg/DFGArrayMode.h:
474         * dfg/DFGFixupPhase.cpp:
475         (JSC::DFG::FixupPhase::fixupNode):
476         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
477         * dfg/DFGNode.h:
478         (JSC::DFG::Node::shouldSpeculateBoolean):
479         * dfg/DFGSafeToExecute.h:
480         (JSC::DFG::SafeToExecuteEdge::operator()):
481         * dfg/DFGSpeculativeJIT.cpp:
482         (JSC::DFG::SpeculativeJIT::compileStrictEq):
483         (JSC::DFG::SpeculativeJIT::speculate):
484         * dfg/DFGSpeculativeJIT.h:
485         * dfg/DFGSpeculativeJIT32_64.cpp:
486         * dfg/DFGSpeculativeJIT64.cpp:
487         * dfg/DFGUseKind.cpp:
488         (WTF::printInternal):
489         * dfg/DFGUseKind.h:
490         (JSC::DFG::typeFilterFor):
491         * ftl/FTLCapabilities.cpp:
492         (JSC::FTL::canCompile):
493         * ftl/FTLLowerDFGToLLVM.cpp:
494         (JSC::FTL::LowerDFGToLLVM::compileNode):
495         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
496         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
497         (JSC::FTL::LowerDFGToLLVM::speculate):
498         * tests/stress/float32-array-out-of-bounds.js: Removed.
499         * tests/stress/weird-equality-folding-cases.js: Removed.
500
501 2014-03-04  Brian Burg  <bburg@apple.com>
502
503         Inspector does not restore breakpoints after a page reload
504         https://bugs.webkit.org/show_bug.cgi?id=129655
505
506         Reviewed by Joseph Pecoraro.
507
508         Fix a regression introduced by r162096 that erroneously removed
509         the inspector backend's mapping of files to breakpoints whenever the
510         global object was cleared.
511
512         The inspector's breakpoint mappings should only be cleared when the
513         debugger agent is disabled or destroyed. We should only clear the
514         debugger's breakpoint state when the global object is cleared.
515
516         To make it clearer what state is being cleared, the two cases have
517         been split into separate methods.
518
519         * inspector/agents/InspectorDebuggerAgent.cpp:
520         (Inspector::InspectorDebuggerAgent::disable):
521         (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
522         (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
523         (Inspector::InspectorDebuggerAgent::didClearGlobalObject):
524         * inspector/agents/InspectorDebuggerAgent.h:
525
526 2014-03-04  Andreas Kling  <akling@apple.com>
527
528         Streamline JSValue::get().
529         <https://webkit.org/b/129720>
530
531         Fetch each Structure and VM only once when walking the prototype chain
532         in JSObject::getPropertySlot(), then pass it along to the functions
533         we call from there, so they don't have to re-fetch it.
534
535         Reviewed by Geoff Garen.
536
537         * runtime/JSObject.h:
538         (JSC::JSObject::inlineGetOwnPropertySlot):
539         (JSC::JSObject::fastGetOwnPropertySlot):
540         (JSC::JSObject::getPropertySlot):
541
542 2014-03-01  Filip Pizlo  <fpizlo@apple.com>
543
544         DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
545         https://bugs.webkit.org/show_bug.cgi?id=129563
546
547         Reviewed by Geoffrey Garen.
548         
549         This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
550         when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
551         user of this was EarleyBoyer, and in that benchmark what it was really doing was
552         comparing undefined, null, and booleans to each other.
553         
554         This also adds support for miscellaneous things that I needed to make my various test
555         cases work. This includes comparison over booleans and the various Throw-related node
556         types.
557         
558         This also improves constant folding of CompareStrictEq and CompareEq.
559         
560         Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
561         based on profiling, which caused some downstream badness. We don't actually support
562         compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just
563         emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it
564         shouldn't factor out the bounds check since the access is not InBounds but then the
565         backend would ignore the flag and assume that the bounds check was already emitted.
566         This showed up on an existing test but I added a test for this explicitly to have more
567         certain coverage. The fix is to not mark something as OutOfBounds if the semantics are
568         that we'll have a bounds check anyway.
569         
570         This is a 1% speed-up on Octane mostly because of raytrace, but also because of just
571         general progressions across the board. No speed-up yet on EarleyBoyer, since there is
572         still a lot more coverage work to be done there.
573
574         * bytecode/SpeculatedType.cpp:
575         (JSC::speculationToAbbreviatedString):
576         (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
577         (JSC::valuesCouldBeEqual):
578         * bytecode/SpeculatedType.h:
579         (JSC::isMiscSpeculation):
580         * dfg/DFGAbstractInterpreterInlines.h:
581         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
582         * dfg/DFGFixupPhase.cpp:
583         (JSC::DFG::FixupPhase::fixupNode):
584         * dfg/DFGNode.h:
585         (JSC::DFG::Node::shouldSpeculateMisc):
586         * dfg/DFGSafeToExecute.h:
587         (JSC::DFG::SafeToExecuteEdge::operator()):
588         * dfg/DFGSpeculativeJIT.cpp:
589         (JSC::DFG::SpeculativeJIT::compileStrictEq):
590         (JSC::DFG::SpeculativeJIT::speculateMisc):
591         (JSC::DFG::SpeculativeJIT::speculate):
592         * dfg/DFGSpeculativeJIT.h:
593         * dfg/DFGSpeculativeJIT32_64.cpp:
594         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
595         * dfg/DFGSpeculativeJIT64.cpp:
596         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
597         * dfg/DFGUseKind.cpp:
598         (WTF::printInternal):
599         * dfg/DFGUseKind.h:
600         (JSC::DFG::typeFilterFor):
601         * ftl/FTLCapabilities.cpp:
602         (JSC::FTL::canCompile):
603         * ftl/FTLLowerDFGToLLVM.cpp:
604         (JSC::FTL::LowerDFGToLLVM::compileNode):
605         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
606         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
607         (JSC::FTL::LowerDFGToLLVM::compileThrow):
608         (JSC::FTL::LowerDFGToLLVM::isNotMisc):
609         (JSC::FTL::LowerDFGToLLVM::isMisc):
610         (JSC::FTL::LowerDFGToLLVM::speculate):
611         (JSC::FTL::LowerDFGToLLVM::speculateMisc):
612         * tests/stress/float32-array-out-of-bounds.js: Added.
613         * tests/stress/weird-equality-folding-cases.js: Added.
614
615 2014-03-04  Andreas Kling  <akling@apple.com>
616
617         Spam static branch prediction hints on JS bindings.
618         <https://webkit.org/b/129703>
619
620         Add LIKELY hint to jsDynamicCast since it's always used in a context
621         where we expect it to succeed and takes an error path when it doesn't.
622
623         Reviewed by Geoff Garen.
624
625         * runtime/JSCell.h:
626         (JSC::jsDynamicCast):
627
628 2014-03-04  Andreas Kling  <akling@apple.com>
629
630         Get to Structures more efficiently in JSCell::methodTable().
631         <https://webkit.org/b/129702>
632
633         In JSCell::methodTable(), get the VM once and pass that along to
634         structure(VM&) instead of using the heavier structure().
635
636         In JSCell::methodTable(VM&), replace calls to structure() with
637         calls to structure(VM&).
638
639         Reviewed by Mark Hahnenberg.
640
641         * runtime/JSCellInlines.h:
642         (JSC::JSCell::methodTable):
643
644 2014-03-04  Joseph Pecoraro  <pecoraro@apple.com>
645
646         Web Inspector: Listen for the XPC_ERROR_CONNECTION_INVALID event to deref
647         https://bugs.webkit.org/show_bug.cgi?id=129697
648
649         Reviewed by Timothy Hatcher.
650
651         * inspector/remote/RemoteInspectorXPCConnection.mm:
652         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
653         (Inspector::RemoteInspectorXPCConnection::handleEvent):
654
655 2014-03-04  Mark Hahnenberg  <mhahnenberg@apple.com>
656
657         Merge API shims and JSLock
658         https://bugs.webkit.org/show_bug.cgi?id=129650
659
660         Reviewed by Mark Lam.
661
662         JSLock is now taking on all of APIEntryShim's responsibilities since there is never a reason 
663         to take just the JSLock. Ditto for DropAllLocks and APICallbackShim.
664
665         * API/APICallbackFunction.h:
666         (JSC::APICallbackFunction::call):
667         (JSC::APICallbackFunction::construct):
668         * API/APIShims.h: Removed.
669         * API/JSBase.cpp:
670         (JSEvaluateScript):
671         (JSCheckScriptSyntax):
672         (JSGarbageCollect):
673         (JSReportExtraMemoryCost):
674         (JSSynchronousGarbageCollectForDebugging):
675         * API/JSCallbackConstructor.cpp:
676         * API/JSCallbackFunction.cpp:
677         * API/JSCallbackObjectFunctions.h:
678         (JSC::JSCallbackObject<Parent>::init):
679         (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
680         (JSC::JSCallbackObject<Parent>::put):
681         (JSC::JSCallbackObject<Parent>::putByIndex):
682         (JSC::JSCallbackObject<Parent>::deleteProperty):
683         (JSC::JSCallbackObject<Parent>::construct):
684         (JSC::JSCallbackObject<Parent>::customHasInstance):
685         (JSC::JSCallbackObject<Parent>::call):
686         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
687         (JSC::JSCallbackObject<Parent>::getStaticValue):
688         (JSC::JSCallbackObject<Parent>::callbackGetter):
689         * API/JSContext.mm:
690         (-[JSContext setException:]):
691         (-[JSContext wrapperForObjCObject:]):
692         (-[JSContext wrapperForJSObject:]):
693         * API/JSContextRef.cpp:
694         (JSContextGroupRelease):
695         (JSContextGroupSetExecutionTimeLimit):
696         (JSContextGroupClearExecutionTimeLimit):
697         (JSGlobalContextCreateInGroup):
698         (JSGlobalContextRetain):
699         (JSGlobalContextRelease):
700         (JSContextGetGlobalObject):
701         (JSContextGetGlobalContext):
702         (JSGlobalContextCopyName):
703         (JSGlobalContextSetName):
704         * API/JSManagedValue.mm:
705         (-[JSManagedValue value]):
706         * API/JSObjectRef.cpp:
707         (JSObjectMake):
708         (JSObjectMakeFunctionWithCallback):
709         (JSObjectMakeConstructor):
710         (JSObjectMakeFunction):
711         (JSObjectMakeArray):
712         (JSObjectMakeDate):
713         (JSObjectMakeError):
714         (JSObjectMakeRegExp):
715         (JSObjectGetPrototype):
716         (JSObjectSetPrototype):
717         (JSObjectHasProperty):
718         (JSObjectGetProperty):
719         (JSObjectSetProperty):
720         (JSObjectGetPropertyAtIndex):
721         (JSObjectSetPropertyAtIndex):
722         (JSObjectDeleteProperty):
723         (JSObjectGetPrivateProperty):
724         (JSObjectSetPrivateProperty):
725         (JSObjectDeletePrivateProperty):
726         (JSObjectIsFunction):
727         (JSObjectCallAsFunction):
728         (JSObjectCallAsConstructor):
729         (JSObjectCopyPropertyNames):
730         (JSPropertyNameArrayRelease):
731         (JSPropertyNameAccumulatorAddName):
732         * API/JSScriptRef.cpp:
733         * API/JSValue.mm:
734         (isDate):
735         (isArray):
736         (containerValueToObject):
737         (valueToArray):
738         (valueToDictionary):
739         (objectToValue):
740         * API/JSValueRef.cpp:
741         (JSValueGetType):
742         (JSValueIsUndefined):
743         (JSValueIsNull):
744         (JSValueIsBoolean):
745         (JSValueIsNumber):
746         (JSValueIsString):
747         (JSValueIsObject):
748         (JSValueIsObjectOfClass):
749         (JSValueIsEqual):
750         (JSValueIsStrictEqual):
751         (JSValueIsInstanceOfConstructor):
752         (JSValueMakeUndefined):
753         (JSValueMakeNull):
754         (JSValueMakeBoolean):
755         (JSValueMakeNumber):
756         (JSValueMakeString):
757         (JSValueMakeFromJSONString):
758         (JSValueCreateJSONString):
759         (JSValueToBoolean):
760         (JSValueToNumber):
761         (JSValueToStringCopy):
762         (JSValueToObject):
763         (JSValueProtect):
764         (JSValueUnprotect):
765         * API/JSVirtualMachine.mm:
766         (-[JSVirtualMachine addManagedReference:withOwner:]):
767         (-[JSVirtualMachine removeManagedReference:withOwner:]):
768         * API/JSWeakObjectMapRefPrivate.cpp:
769         * API/JSWrapperMap.mm:
770         (constructorHasInstance):
771         (makeWrapper):
772         (tryUnwrapObjcObject):
773         * API/ObjCCallbackFunction.mm:
774         (JSC::objCCallbackFunctionCallAsFunction):
775         (JSC::objCCallbackFunctionCallAsConstructor):
776         (objCCallbackFunctionForInvocation):
777         * CMakeLists.txt:
778         * ForwardingHeaders/JavaScriptCore/APIShims.h: Removed.
779         * GNUmakefile.list.am:
780         * JavaScriptCore.xcodeproj/project.pbxproj:
781         * dfg/DFGWorklist.cpp:
782         * heap/DelayedReleaseScope.h:
783         (JSC::DelayedReleaseScope::~DelayedReleaseScope):
784         * heap/HeapTimer.cpp:
785         (JSC::HeapTimer::timerDidFire):
786         (JSC::HeapTimer::timerEvent):
787         * heap/IncrementalSweeper.cpp:
788         * inspector/InjectedScriptModule.cpp:
789         (Inspector::InjectedScriptModule::ensureInjected):
790         * jsc.cpp:
791         (jscmain):
792         * runtime/GCActivityCallback.cpp:
793         (JSC::DefaultGCActivityCallback::doWork):
794         * runtime/JSGlobalObjectDebuggable.cpp:
795         (JSC::JSGlobalObjectDebuggable::connect):
796         (JSC::JSGlobalObjectDebuggable::disconnect):
797         (JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemoteFrontend):
798         * runtime/JSLock.cpp:
799         (JSC::JSLock::lock):
800         (JSC::JSLock::didAcquireLock):
801         (JSC::JSLock::unlock):
802         (JSC::JSLock::willReleaseLock):
803         (JSC::JSLock::DropAllLocks::DropAllLocks):
804         (JSC::JSLock::DropAllLocks::~DropAllLocks):
805         * runtime/JSLock.h:
806         * testRegExp.cpp:
807         (realMain):
808
809 2014-03-04  Commit Queue  <commit-queue@webkit.org>
810
811         Unreviewed, rolling out r164812.
812         http://trac.webkit.org/changeset/164812
813         https://bugs.webkit.org/show_bug.cgi?id=129699
814
815         it made things run slower (Requested by pizlo on #webkit).
816
817         * interpreter/Interpreter.cpp:
818         (JSC::Interpreter::execute):
819         * jsc.cpp:
820         (GlobalObject::finishCreation):
821         * runtime/BatchedTransitionOptimizer.h:
822         (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
823         (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):
824
825 2014-03-02  Filip Pizlo  <fpizlo@apple.com>
826
827         GetMyArgumentByVal in FTL
828         https://bugs.webkit.org/show_bug.cgi?id=128850
829
830         Reviewed by Oliver Hunt.
831         
832         This would have been easy if the OSR exit compiler's arity checks hadn't been wrong.
833         They checked arity by doing "exec->argumentCount == codeBlock->numParameters", which
834         caused it to think that the arity check had failed if the caller had passed more
835         arguments than needed. This would cause the call frame copying to sort of go into
836         reverse (because the amount-by-which-we-failed-arity would have opposite sign,
837         throwing off a bunch of math) and the stack would end up being corrupted.
838         
839         The bug was revealed by two existing tests although as far as I could tell, neither
840         test was intending to cover this case directly. So, I added a new test.
841
842         * ftl/FTLCapabilities.cpp:
843         (JSC::FTL::canCompile):
844         * ftl/FTLLowerDFGToLLVM.cpp:
845         (JSC::FTL::LowerDFGToLLVM::compileNode):
846         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
847         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
848         (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated):
849         (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated):
850         * ftl/FTLOSRExitCompiler.cpp:
851         (JSC::FTL::compileStub):
852         * ftl/FTLState.h:
853         * tests/stress/exit-from-ftl-when-caller-passed-extra-args-then-use-function-dot-arguments.js: Added.
854         * tests/stress/ftl-get-my-argument-by-val-inlined-and-not-inlined.js: Added.
855         * tests/stress/ftl-get-my-argument-by-val-inlined.js: Added.
856         * tests/stress/ftl-get-my-argument-by-val.js: Added.
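
Added illustration, not JavaScriptCore code: a constructed C++ model of the arity check described in the entry above. It shows why an "argumentCount == numParameters" style check misclassifies a caller that passed extra arguments as an arity failure, how that flips the sign of the padding count, and what a copy routine should do instead of acting on a negative count. All names (FrameModel, arityFailedBuggy, arityFailedFixed, paddingSlots, copyArguments) are hypothetical.

```cpp
#include <cstddef>
#include <vector>

// Constructed model (hypothetical names, not JSC's real frame layout) of the
// two quantities the OSR exit arity check compares.
struct FrameModel {
    std::size_t argumentCount;  // arguments the caller actually pushed
    std::size_t numParameters;  // parameters the callee was compiled to expect
};

// Sentinel for a parameter slot the caller did not supply (JS "undefined").
constexpr int kUndefined = -1;

// Buggy check: any mismatch counts as an arity failure, including the
// harmless case of the caller passing more arguments than needed.
bool arityFailedBuggy(const FrameModel& f) {
    return !(f.argumentCount == f.numParameters);
}

// Corrected check: only too few arguments is an arity failure.
bool arityFailedFixed(const FrameModel& f) {
    return f.argumentCount < f.numParameters;
}

// Number of "undefined" slots the frame must be padded with. Signed on
// purpose so the sign flip for the extra-arguments case is visible.
long paddingSlots(const FrameModel& f, bool failed) {
    if (!failed)
        return 0;
    return static_cast<long>(f.numParameters) - static_cast<long>(f.argumentCount);
}

// Copy the caller's arguments into a callee-side area, appending `padding`
// undefined slots for missing parameters. A negative padding is exactly the
// state the entry describes (the copy "going into reverse"); the model refuses
// it instead of sizing the copy with a negative amount.
bool copyArguments(const std::vector<int>& passed, long padding, std::vector<int>& out) {
    out.clear();
    if (padding < 0)
        return false;
    out.assign(passed.begin(), passed.end());
    out.insert(out.end(), static_cast<std::size_t>(padding), kUndefined);
    return true;
}
```

With five arguments passed to a three-parameter callee the buggy check reports a failure and computes a padding of -2, while the corrected check reports no failure and a padding of 0; only the too-few-arguments case should ever produce a positive padding.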
857
858 2014-03-04  Zan Dobersek  <zdobersek@igalia.com>
859
860         [GTK] Build the Udis86 disassembler
861         https://bugs.webkit.org/show_bug.cgi?id=129679
862
863         Reviewed by Michael Saboff.
864
865         * GNUmakefile.am: Generate the Udis86-related derived sources. Distribute the required files.
866         * GNUmakefile.list.am: Add the Udis86 disassembler files to the build.
867
868 2014-03-04  Andreas Kling  <akling@apple.com>
869
870         Fix too-narrow assertion I added in r165054.
871
872         It's okay for a 1-character string to come in here. This will happen
873         if the VM small string optimization doesn't apply (ch > 0xFF).
874
875         * runtime/JSString.h:
876         (JSC::jsStringWithWeakOwner):
877
878 2014-03-04  Andreas Kling  <akling@apple.com>
879
880         Micro-optimize Strings in JS bindings.
881         <https://webkit.org/b/129673>
882
883         Make jsStringWithWeakOwner() take a StringImpl& instead of a String.
884         This avoids branches in length() and operator[].
885
886         Also call JSString::create() directly instead of jsString() and just
887         assert that the string length is >1. This way we don't duplicate the
888         optimizations for empty and single-character strings.
889
890         Reviewed by Ryosuke Niwa.
891
892         * runtime/JSString.h:
893         (JSC::jsStringWithWeakOwner):
894
895 2014-03-04  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>
896
897         Implement Number.prototype.clz()
898         https://bugs.webkit.org/show_bug.cgi?id=129479
899
900         Reviewed by Oliver Hunt.
901
902         Implemented Number.prototype.clz() as specified in the ES6 standard.
903
904         * runtime/NumberPrototype.cpp:
905         (JSC::numberProtoFuncClz):
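
Added illustration, not JavaScriptCore's implementation: the ES6 semantics of Number.prototype.clz() written out in C++ as two steps, the ToUint32 conversion (NaN and infinities become 0, other values are truncated and reduced modulo 2^32 to a non-negative value) followed by a leading-zero count that is defined as 32 for zero. The names toUint32, countLeadingZeros32 and numberClz are hypothetical.

```cpp
#include <cmath>
#include <cstdint>

// ES6 ToUint32 (hypothetical helper name): NaN and infinities map to 0;
// otherwise truncate toward zero and reduce modulo 2^32, keeping the result
// non-negative so that e.g. -1 becomes 0xFFFFFFFF.
uint32_t toUint32(double number) {
    if (std::isnan(number) || std::isinf(number))
        return 0;
    const double twoTo32 = 4294967296.0;
    double truncated = std::trunc(number);
    double reduced = std::fmod(truncated, twoTo32);
    if (reduced < 0)
        reduced += twoTo32;
    return static_cast<uint32_t>(reduced);
}

// Leading-zero count of a 32-bit value; clz of zero is defined as 32.
int countLeadingZeros32(uint32_t value) {
    if (value == 0)
        return 32;
    int count = 0;
    while ((value & 0x80000000u) == 0) {
        value <<= 1;
        ++count;
    }
    return count;
}

// Number.prototype.clz() applied to a Number receiver: ToUint32, then clz.
int numberClz(double number) {
    return countLeadingZeros32(toUint32(number));
}
```

The modulo step is what makes negative and oversized inputs well-defined: -1 yields 0xFFFFFFFF (clz 0), 2^32 + 1 yields 1 (clz 31), and NaN yields 0 (clz 32).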
906
907 2014-03-03  Joseph Pecoraro  <pecoraro@apple.com>
908
909         Web Inspector: Avoid too early deref caused by RemoteInspectorXPCConnection::close
910         https://bugs.webkit.org/show_bug.cgi?id=129631
911
912         Reviewed by Timothy Hatcher.
913
914         Avoid deref() too early if a client calls close(). The xpc_connection_close
915         will cause another XPC_ERROR event to come in from the queue, deref then.
916         Likewise, protect multithreaded access to m_client. If a client calls
917         close() we want to immediately clear the pointer to prevent calls to it.
918
919         Overall the multi-threading aspects of RemoteInspectorXPCConnection are
920         growing too complicated for probably little benefit. We may want to
921         clean this up later.
922
923         * inspector/remote/RemoteInspector.mm:
924         (Inspector::RemoteInspector::xpcConnectionFailed):
925         * inspector/remote/RemoteInspectorXPCConnection.h:
926         * inspector/remote/RemoteInspectorXPCConnection.mm:
927         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
928         (Inspector::RemoteInspectorXPCConnection::close):
929         (Inspector::RemoteInspectorXPCConnection::closeOnQueue):
930         (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
931         (Inspector::RemoteInspectorXPCConnection::handleEvent):
932         (Inspector::RemoteInspectorXPCConnection::sendMessage):
933
934 2014-03-03  Michael Saboff  <msaboff@apple.com>
935
936         AbstractMacroAssembler::CachedTempRegister should start out invalid
937         https://bugs.webkit.org/show_bug.cgi?id=129657
938
939         Reviewed by Filip Pizlo.
940
941         * assembler/AbstractMacroAssembler.h:
942         (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
943         - Invalidate all cached registers in constructor as we don't know the
944           contents of any register at the entry to the code we are going to
945           generate.
946
947 2014-03-03  Andreas Kling  <akling@apple.com>
948
949         StructureOrOffset should be fastmalloced.
950         <https://webkit.org/b/129640>
951
952         Reviewed by Geoffrey Garen.
953
954         * runtime/StructureIDTable.h:
955
956 2014-03-03  Michael Saboff  <msaboff@apple.com>
957
958         Crash in JIT code while watching a video @ storyboard.tumblr.com
959         https://bugs.webkit.org/show_bug.cgi?id=129635
960
961         Reviewed by Filip Pizlo.
962
963         Clear m_set before we set bits in the TempRegisterSet(const RegisterSet& other)
964         constructor.
965
966         * jit/TempRegisterSet.cpp:
967         (JSC::TempRegisterSet::TempRegisterSet): Clear map before setting it.
968         * jit/TempRegisterSet.h:
969         (JSC::TempRegisterSet::TempRegisterSet): Use new clearAll() helper.
970         (JSC::TempRegisterSet::clearAll): New private helper.
971
972 2014-03-03  Benjamin Poulain  <benjamin@webkit.org>
973
974         [x86] Improve code generation of byte test
975         https://bugs.webkit.org/show_bug.cgi?id=129597
976
977         Reviewed by Geoffrey Garen.
978
979         When possible, test the 8 bit register to itself instead of comparing it
980         to a literal.
981
982         * assembler/MacroAssemblerX86Common.h:
983         (JSC::MacroAssemblerX86Common::test32):
984
985 2014-03-03  Mark Lam  <mark.lam@apple.com>
986
987         Web Inspector: debugger statements do not break.
988         <https://webkit.org/b/129524>
989
990         Reviewed by Geoff Garen.
991
992         Since we no longer call op_debug hooks unless there is a debugger request
993         made on the CodeBlock, the op_debug for the debugger statement never gets
994         serviced.
995
996         With this fix, we check in the CodeBlock constructor if any debugger
997         statements are present.  If so, we set a m_hasDebuggerStatement flag that
998         causes the CodeBlock to show as having debugger requests.  Hence,
999         breaking at debugger statements is now restored.
1000
1001         * bytecode/CodeBlock.cpp:
1002         (JSC::CodeBlock::CodeBlock):
1003         * bytecode/CodeBlock.h:
1004         (JSC::CodeBlock::hasDebuggerRequests):
1005         (JSC::CodeBlock::clearDebuggerRequests):
1006
1007 2014-03-03  Mark Lam  <mark.lam@apple.com>
1008
1009         ASSERTION FAILED: m_numBreakpoints >= numBreakpoints when deleting breakpoints.
1010         <https://webkit.org/b/129393>
1011
1012         Reviewed by Geoffrey Garen.
1013
1014         The issue manifests because the debugger will iterate all CodeBlocks in
1015         the heap when setting / clearing breakpoints, but it is possible for a
1016         CodeBlock to have been instantiated but is not yet registered with the
1017         debugger.  This can happen because of the following:
1018
1019         1. DFG worklist compilation is still in progress, and the target
1020            codeBlock is not ready for installation in its executable yet.
1021
1022         2. DFG compilation failed and we have a codeBlock that will never be
1023            installed in its executable, and the codeBlock has not been cleaned
1024            up by the GC yet.
1025
1026         The code for installing the codeBlock in its executable is the same code
1027         that registers it with the debugger.  Hence, these codeBlocks are not
1028         registered with the debugger, and any pending breakpoints that would map
1029         to that CodeBlock are as yet unset or will never be set.  As such, an
1030         attempt to remove a breakpoint in that CodeBlock will fail that assertion.
1031
1032         To fix this, we do the following:
1033
1034         1. We'll eagerly clean up any zombie CodeBlocks due to failed DFG / FTL
1035            compilation.  This is achieved by providing a
1036            DeferredCompilationCallback::compilationDidComplete() that does this
1037            clean up, and have all sub classes call it at the end of their
1038            compilationDidComplete() methods.
1039
1040         2. Before the debugger or profiler iterates CodeBlocks in the heap, they
1041            will wait for all compilations to complete before proceeding.  This
1042            ensures that:
1043            1. any zombie CodeBlocks would have been cleaned up, and won't be
1044               seen by the debugger or profiler.
1045            2. all CodeBlocks that the debugger and profiler needs to operate on
1046               will be "ready" for whatever needs to be done to them e.g.
1047               jettison'ing of DFG codeBlocks.
1048
1049         * bytecode/DeferredCompilationCallback.cpp:
1050         (JSC::DeferredCompilationCallback::compilationDidComplete):
1051         * bytecode/DeferredCompilationCallback.h:
1052         - Provide default implementation method to clean up zombie CodeBlocks.
1053
1054         * debugger/Debugger.cpp:
1055         (JSC::Debugger::forEachCodeBlock):
1056         - Utility function to iterate CodeBlocks.  It ensures that all compilations
1057           are complete before proceeding.
1058         (JSC::Debugger::setSteppingMode):
1059         (JSC::Debugger::toggleBreakpoint):
1060         (JSC::Debugger::recompileAllJSFunctions):
1061         (JSC::Debugger::clearBreakpoints):
1062         (JSC::Debugger::clearDebuggerRequests):
1063         - Use the utility iterator function.
1064
1065         * debugger/Debugger.h:
1066         * dfg/DFGOperations.cpp:
1067         - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.
1068
1069         * dfg/DFGPlan.cpp:
1070         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
1071         - Remove unneeded code (that was not the best solution anyway) for ensuring
1072           that we don't generate new DFG codeBlocks after enabling the debugger or
1073           profiler.  Now that we wait for compilations to complete before proceeding
1074           with debugger and profiler work, this scenario will never happen.
1075
1076         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
1077         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
1078         - Call the super class method to clean up zombie codeBlocks.
1079
1080         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
1081         (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
1082         - Call the super class method to clean up zombie codeBlocks.
1083
1084         * heap/CodeBlockSet.cpp:
1085         (JSC::CodeBlockSet::remove):
1086         * heap/CodeBlockSet.h:
1087         * heap/Heap.h:
1088         (JSC::Heap::removeCodeBlock):
1089         - New method to remove a codeBlock from the codeBlock set.
1090
1091         * jit/JITOperations.cpp:
1092         - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.
1093
1094         * jit/JITToDFGDeferredCompilationCallback.cpp:
1095         (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
1096         - Call the super class method to clean up zombie codeBlocks.
1097
1098         * runtime/VM.cpp:
1099         (JSC::VM::waitForCompilationsToComplete):
1100         - Renamed from prepareToDiscardCode() to be clearer about what it does.
1101
1102         (JSC::VM::discardAllCode):
1103         (JSC::VM::releaseExecutableMemory):
1104         (JSC::VM::setEnabledProfiler):
1105         - Wait for compilation to complete before enabling the profiler.
1106
1107         * runtime/VM.h:
1108
1109 2014-03-03  Brian Burg  <bburg@apple.com>
1110
1111         Another unreviewed build fix attempt for Windows after r164986.
1112
1113         We never told Visual Studio to copy over the web replay code generator scripts
1114         and the generated headers for JavaScriptCore replay inputs as if they were
1115         private headers.
1116
1117         * JavaScriptCore.vcxproj/copy-files.cmd:
1118
1119 2014-03-03  Brian Burg  <bburg@apple.com>
1120
1121         Web Replay: upstream input storage, capture/replay machinery, and inspector domain
1122         https://bugs.webkit.org/show_bug.cgi?id=128782
1123
1124         Reviewed by Timothy Hatcher.
1125
1126         Alter the replay inputs code generator so that it knows when it is necessary
1127         to include headers for HEAVY_SCALAR types such as WTF::String and WebCore::URL.
1128
1129         * JavaScriptCore.xcodeproj/project.pbxproj:
1130         * replay/scripts/CodeGeneratorReplayInputs.py:
1131         (Framework.fromString):
1132         (Frameworks): Add WTF as an allowed framework for code generation.
1133         (Generator.generate_includes): Include headers for HEAVY_SCALAR types in the header file.
1134         (Generator.generate_includes.declaration):
1135         (Generator.generate_includes.or):
1136         (Generator.generate_type_forward_declarations): Skip HEAVY_SCALAR types.
1137
1138 2014-03-02  Filip Pizlo  <fpizlo@apple.com>
1139
1140         PolymorphicPutByIdList should have a simpler construction API with basically a single entrypoint
1141         https://bugs.webkit.org/show_bug.cgi?id=129591
1142
1143         Reviewed by Michael Saboff.
1144
1145         * bytecode/PolymorphicPutByIdList.cpp:
1146         (JSC::PutByIdAccess::fromStructureStubInfo): This function can figure out the slow path target for itself.
1147         (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList): This constructor should be private, only from() should call it.
1148         (JSC::PolymorphicPutByIdList::from):
1149         * bytecode/PolymorphicPutByIdList.h:
1150         (JSC::PutByIdAccess::stubRoutine):
1151         * jit/Repatch.cpp:
1152         (JSC::tryBuildPutByIdList): Don't pass the slow path target since it can be derived from the stubInfo.
1153
1154 2014-03-02  Filip Pizlo  <fpizlo@apple.com>
1155
1156         Debugging improvements from my gbemu investigation session
1157         https://bugs.webkit.org/show_bug.cgi?id=129599
1158
1159         Reviewed by Mark Lam.
1160         
1161         Various improvements from when I was investigating bug 129411.
1162
1163         * bytecode/CodeBlock.cpp:
1164         (JSC::CodeBlock::optimizationThresholdScalingFactor): Make the dataLog() statement print the actual multiplier.
1165         * jsc.cpp:
1166         (GlobalObject::finishCreation):
1167         (functionDescribe): Make describe() return a string rather than printing the string.
1168         (functionDescribeArray): Like describe(), but prints details about arrays.
1169
1170 2014-02-25  Andreas Kling  <akling@apple.com>
1171
1172         JSDOMWindow::commonVM() should return a reference.
1173         <https://webkit.org/b/129293>
1174
1175         Added a DropAllLocks constructor that takes VM& without null checks.
1176
1177         Reviewed by Geoff Garen.
1178
1179 2014-03-02  Mark Lam  <mark.lam@apple.com>
1180
1181         CodeBlock::hasDebuggerRequests() should returning a bool instead of an int.
1182         <https://webkit.org/b/129584>
1183
1184         Reviewed by Darin Adler.
1185
1186         * bytecode/CodeBlock.h:
1187         (JSC::CodeBlock::hasDebuggerRequests):
1188
1189 2014-03-02  Mark Lam  <mark.lam@apple.com>
1190
1191         Clean up use of Options::enableConcurrentJIT().
1192         <https://webkit.org/b/129582>
1193
1194         Reviewed by Filip Pizlo.
1195
1196         DFG Driver was conditionally checking Options::enableConcurrentJIT()
1197         only if ENABLE(CONCURRENT_JIT).  Otherwise, it bypasses it with a local
1198         enableConcurrentJIT set to false.
1199
1200         Instead we should configure Options::enableConcurrentJIT() to be false
1201         in Options.cpp if !ENABLE(CONCURRENT_JIT), and DFG Driver should always
1202         check Options::enableConcurrentJIT().  This makes the code read a little
1203         cleaner.
1204
1205         * dfg/DFGDriver.cpp:
1206         (JSC::DFG::compileImpl):
1207         * runtime/Options.cpp:
1208         (JSC::recomputeDependentOptions):
1209
1210 2014-03-01  Filip Pizlo  <fpizlo@apple.com>
1211
1212         This shouldn't have been a layout test since it runs only under jsc. Moving it to JSC
1213         stress tests.
1214
1215         * tests/stress/generational-opaque-roots.js: Copied from LayoutTests/js/script-tests/generational-opaque-roots.js.
1216
1217 2014-03-01  Andreas Kling  <akling@apple.com>
1218
1219         JSCell::fastGetOwnProperty() should get the Structure more efficiently.
1220         <https://webkit.org/b/129560>
1221
1222         Now that structure() is nontrivial and we have a faster structure(VM&),
1223         make use of that in fastGetOwnProperty() since we already have VM.
1224
1225         Reviewed by Sam Weinig.
1226
1227         * runtime/JSCellInlines.h:
1228         (JSC::JSCell::fastGetOwnProperty):
1229
1230 2014-03-01  Andreas Kling  <akling@apple.com>
1231
1232         Avoid going through ExecState for VM when we already have it (in some places.)
1233         <https://webkit.org/b/129554>
1234
1235         Tweak some places that jump through unnecessary hoops to get the VM.
1236         There are many more like this.
1237
1238         Reviewed by Sam Weinig.
1239
1240         * runtime/JSObject.cpp:
1241         (JSC::JSObject::putByIndexBeyondVectorLength):
1242         (JSC::JSObject::putDirectIndexBeyondVectorLength):
1243         * runtime/ObjectPrototype.cpp:
1244         (JSC::objectProtoFuncToString):
1245
1246 2014-02-28  Filip Pizlo  <fpizlo@apple.com>
1247
1248         FTL should support PhantomArguments
1249         https://bugs.webkit.org/show_bug.cgi?id=113986
1250
1251         Reviewed by Oliver Hunt.
1252         
1253         Adding PhantomArguments to the FTL mostly means wiring the recovery of the Arguments
1254         object into the FTL's OSR exit compiler.
1255         
1256         This isn't a speed-up yet, since there is still more to be done to fully support
1257         all of the arguments craziness that our varargs benchmarks do.
1258
1259         * dfg/DFGOSRExitCompiler32_64.cpp:
1260         (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
1261         * dfg/DFGOSRExitCompiler64.cpp:
1262         (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
1263         * dfg/DFGOSRExitCompilerCommon.cpp:
1264         (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator):
1265         (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator):
1266         (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): this is the common place for the recovery code
1267         * dfg/DFGOSRExitCompilerCommon.h:
1268         * ftl/FTLCapabilities.cpp:
1269         (JSC::FTL::canCompile):
1270         * ftl/FTLExitValue.cpp:
1271         (JSC::FTL::ExitValue::dumpInContext):
1272         * ftl/FTLExitValue.h:
1273         (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated):
1274         (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated):
1275         (JSC::FTL::ExitValue::valueFormat):
1276         * ftl/FTLLowerDFGToLLVM.cpp:
1277         (JSC::FTL::LowerDFGToLLVM::compileNode):
1278         (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments):
1279         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
1280         (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
1281         * ftl/FTLOSRExitCompiler.cpp:
1282         (JSC::FTL::compileStub): Call into the ArgumentsRecoveryGenerator
1283         * tests/stress/slightly-more-difficult-to-fold-reflective-arguments-access.js: Added.
1284         * tests/stress/trivially-foldable-reflective-arguments-access.js: Added.
1285
1286 2014-02-28  Filip Pizlo  <fpizlo@apple.com>
1287
1288         Unreviewed, uncomment some code. It wasn't meant to be commented in the first place.
1289
1290         * dfg/DFGCSEPhase.cpp:
1291         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
1292
1293 2014-02-28  Andreas Kling  <akling@apple.com>
1294
1295         JSObject::findPropertyHashEntry() should take VM instead of ExecState.
1296         <https://webkit.org/b/129529>
1297
1298         Callers already have VM in a local, and findPropertyHashEntry() only
1299         uses the VM, no need to go all the way through ExecState.
1300
1301         Reviewed by Geoffrey Garen.
1302
1303         * runtime/JSObject.cpp:
1304         (JSC::JSObject::put):
1305         (JSC::JSObject::deleteProperty):
1306         (JSC::JSObject::findPropertyHashEntry):
1307         * runtime/JSObject.h:
1308
1309 2014-02-28  Joseph Pecoraro  <pecoraro@apple.com>
1310
1311         Deadlock remotely inspecting iOS Simulator
1312         https://bugs.webkit.org/show_bug.cgi?id=129511
1313
1314         Reviewed by Timothy Hatcher.
1315
1316         Avoid synchronous setup. Do it asynchronously, and let
1317         the RemoteInspector singleton know later if it failed.
1318
1319         * inspector/remote/RemoteInspector.h:
1320         * inspector/remote/RemoteInspector.mm:
1321         (Inspector::RemoteInspector::setupFailed):
1322         * inspector/remote/RemoteInspectorDebuggableConnection.h:
1323         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
1324         (Inspector::RemoteInspectorDebuggableConnection::setup):
1325
1326 2014-02-28  Oliver Hunt  <oliver@apple.com>
1327
1328         REGRESSION(r164835): It broke 10 JSC stress test on 32 bit platforms
1329         https://bugs.webkit.org/show_bug.cgi?id=129488
1330
1331         Reviewed by Mark Lam.
1332
1333         Whoops, modify the right register.
1334
1335         * jit/JITCall32_64.cpp:
1336         (JSC::JIT::compileLoadVarargs):
1337
1338 2014-02-28  Filip Pizlo  <fpizlo@apple.com>
1339
1340         FTL should be able to call sin/cos directly on platforms where the intrinsic is busted
1341         https://bugs.webkit.org/show_bug.cgi?id=129503
1342
1343         Reviewed by Mark Lam.
1344
1345         * ftl/FTLIntrinsicRepository.h:
1346         * ftl/FTLOutput.h:
1347         (JSC::FTL::Output::doubleSin):
1348         (JSC::FTL::Output::doubleCos):
1349         (JSC::FTL::Output::intrinsicOrOperation):
1350
1351 2014-02-28  Mark Hahnenberg  <mhahnenberg@apple.com>
1352
1353         Fix !ENABLE(GGC) builds
1354
1355         * heap/Heap.cpp:
1356         (JSC::Heap::markRoots):
1357         (JSC::Heap::gatherJSStackRoots): Also fix one of the names of the GC phases.
1358
1359 2014-02-27  Mark Hahnenberg  <mhahnenberg@apple.com>
1360
1361         Clean up Heap::collect and Heap::markRoots
1362         https://bugs.webkit.org/show_bug.cgi?id=129464
1363
1364         Reviewed by Geoffrey Garen.
1365
1366         These functions have built up a lot of cruft recently.
1367         We should do a bit of cleanup to make them easier to grok.
1368
1369         * heap/Heap.cpp:
1370         (JSC::Heap::finalizeUnconditionalFinalizers):
1371         (JSC::Heap::gatherStackRoots):
1372         (JSC::Heap::gatherJSStackRoots):
1373         (JSC::Heap::gatherScratchBufferRoots):
1374         (JSC::Heap::clearLivenessData):
1375         (JSC::Heap::visitSmallStrings):
1376         (JSC::Heap::visitConservativeRoots):
1377         (JSC::Heap::visitCompilerWorklists):
1378         (JSC::Heap::markProtectedObjects):
1379         (JSC::Heap::markTempSortVectors):
1380         (JSC::Heap::markArgumentBuffers):
1381         (JSC::Heap::visitException):
1382         (JSC::Heap::visitStrongHandles):
1383         (JSC::Heap::visitHandleStack):
1384         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
1385         (JSC::Heap::converge):
1386         (JSC::Heap::visitWeakHandles):
1387         (JSC::Heap::clearRememberedSet):
1388         (JSC::Heap::updateObjectCounts):
1389         (JSC::Heap::resetVisitors):
1390         (JSC::Heap::markRoots):
1391         (JSC::Heap::copyBackingStores):
1392         (JSC::Heap::deleteUnmarkedCompiledCode):
1393         (JSC::Heap::collect):
1394         (JSC::Heap::collectIfNecessaryOrDefer):
1395         (JSC::Heap::suspendCompilerThreads):
1396         (JSC::Heap::willStartCollection):
1397         (JSC::Heap::deleteOldCode):
1398         (JSC::Heap::flushOldStructureIDTables):
1399         (JSC::Heap::flushWriteBarrierBuffer):
1400         (JSC::Heap::stopAllocation):
1401         (JSC::Heap::reapWeakHandles):
1402         (JSC::Heap::sweepArrayBuffers):
1403         (JSC::Heap::snapshotMarkedSpace):
1404         (JSC::Heap::deleteSourceProviderCaches):
1405         (JSC::Heap::notifyIncrementalSweeper):
1406         (JSC::Heap::rememberCurrentlyExecutingCodeBlocks):
1407         (JSC::Heap::resetAllocators):
1408         (JSC::Heap::updateAllocationLimits):
1409         (JSC::Heap::didFinishCollection):
1410         (JSC::Heap::resumeCompilerThreads):
1411         * heap/Heap.h:
1412
1413 2014-02-27  Ryosuke Niwa  <rniwa@webkit.org>
1414
1415         indexOf and lastIndexOf shouldn't resolve ropes when needle is longer than haystack
1416         https://bugs.webkit.org/show_bug.cgi?id=129466
1417
1418         Reviewed by Michael Saboff.
1419
1420         Refactored the code to avoid calling JSString::value when needle is longer than haystack.
1421
1422         * runtime/StringPrototype.cpp:
1423         (JSC::stringProtoFuncIndexOf):
1424         (JSC::stringProtoFuncLastIndexOf):
1425
1426 2014-02-27  Timothy Hatcher  <timothy@apple.com>
1427
1428         Improve how ContentSearchUtilities::lineEndings works by supporting the three common line endings.
1429
1430         https://bugs.webkit.org/show_bug.cgi?id=129458
1431
1432         Reviewed by Joseph Pecoraro.
1433
1434         * inspector/ContentSearchUtilities.cpp:
1435         (Inspector::ContentSearchUtilities::textPositionFromOffset): Remove assumption about line ending length.
1436         (Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines): Remove assumption about
1437         line ending type and don't try to strip the line ending. Use size_t.
1438         (Inspector::ContentSearchUtilities::lineEndings): Use findNextLineStart to find the lines.
1439         This will include the line ending in the lines, but that is okay.
1440         (Inspector::ContentSearchUtilities::buildObjectForSearchMatch): Use size_t.
1441         (Inspector::ContentSearchUtilities::searchInTextByLines): Modernize.
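
        Added illustration (not WebKit's ContentSearchUtilities code): a JavaScript stand-in for the
        behaviour this entry describes. Lines keep their own terminator, so "\n", "\r\n" and "\r" are
        all handled without assuming a terminator length, and a match offset is mapped back to a
        (line, column) pair from a table of line starts. The function names echo the entry; the bodies
        and the sample text are assumptions made for this example.

```javascript
// Added illustration, not WebKit's ContentSearchUtilities code: a JavaScript
// stand-in for the behaviour the entry describes. Lines keep their own
// terminator, so "\n", "\r\n" and "\r" are handled without any assumption
// about terminator length. The function names echo the entry; the bodies are
// assumptions for this example.

// Offset just past the first line ending at or after `from`, or text.length
// if the text has no further line ending.
function findNextLineStart(text, from) {
  for (let i = from; i < text.length; i++) {
    const ch = text[i];
    if (ch === '\n') return i + 1;
    if (ch === '\r') return text[i + 1] === '\n' ? i + 2 : i + 1; // CRLF or bare CR
  }
  return text.length;
}

// Split text into lines; each line includes its own terminator (if any).
function linesWithEndings(text) {
  const lines = [];
  let start = 0;
  while (start < text.length) {
    const next = findNextLineStart(text, start);
    lines.push(text.slice(start, next));
    start = next;
  }
  return lines;
}

// Start offset of every line, used to map a match offset back to (line, column).
function lineStartOffsets(text) {
  const starts = [0];
  let start = 0;
  while (start < text.length) {
    start = findNextLineStart(text, start);
    if (start < text.length) starts.push(start);
  }
  return starts;
}

// Binary search for the last line start <= offset; 0-based line and column.
function positionFromOffset(starts, offset) {
  let lo = 0;
  let hi = starts.length - 1;
  while (lo < hi) {
    const mid = (lo + hi + 1) >> 1;
    if (starts[mid] <= offset) lo = mid; else hi = mid - 1;
  }
  return { line: lo, column: offset - starts[lo] };
}

function textPositionFromOffset(text, offset) {
  return positionFromOffset(lineStartOffsets(text), offset);
}

// Run a regular expression over the whole text and report each match with
// its line number, column and the (terminator-inclusive) line it sits on.
function regexMatchesByLines(text, regex) {
  const flags = regex.flags.includes('g') ? regex.flags : regex.flags + 'g';
  const re = new RegExp(regex.source, flags);
  const lines = linesWithEndings(text);
  const starts = lineStartOffsets(text);
  const results = [];
  let m;
  while ((m = re.exec(text)) !== null) {
    const pos = positionFromOffset(starts, m.index);
    results.push({ line: pos.line, column: pos.column, lineContent: lines[pos.line] });
    if (m[0].length === 0) re.lastIndex += 1; // guard against zero-length matches looping forever
  }
  return results;
}

// Constructed sample mixing all three terminators.
const sampleText = 'first\r\nsecond\rthird\nfourth';
console.log(regexMatchesByLines(sampleText, /th/));
```

        Because each line carries its terminator, the column of a match on a "\r\n" line is the same as
        on a "\n" line; the only place terminator length matters is inside findNextLineStart.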
1442
1443 2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>
1444
1445         [Mac] Warning: Multiple build commands for output file GCSegmentedArray and InspectorAgent
1446         https://bugs.webkit.org/show_bug.cgi?id=129446
1447
1448         Reviewed by Timothy Hatcher.
1449
1450         Remove duplicate header entries in Copy Header build phase.
1451
1452         * JavaScriptCore.xcodeproj/project.pbxproj:
1453
1454 2014-02-27  Oliver Hunt  <oliver@apple.com>
1455
1456         Whoops, include all of last patch.
1457
1458         * jit/JITCall32_64.cpp:
1459         (JSC::JIT::compileLoadVarargs):
1460
1461 2014-02-27  Oliver Hunt  <oliver@apple.com>
1462
1463         Slow cases for function.apply and function.call should not require vm re-entry
1464         https://bugs.webkit.org/show_bug.cgi?id=129454
1465
1466         Reviewed by Geoffrey Garen.
1467
1468         Implement call and apply using builtins. Happily, the use
1469         of @call and @apply doesn't perform function equality checks
1470         and just plant direct var_args calls. This did expose a few
1471         codegen issues, but they're all covered by existing tests
1472         once call and apply are implemented in JS.
1473
1474         * JavaScriptCore.xcodeproj/project.pbxproj:
1475         * builtins/Function.prototype.js: Added.
1476         (call):
1477         (apply):
1478         * bytecompiler/NodesCodegen.cpp:
1479         (JSC::CallFunctionCallDotNode::emitBytecode):
1480         (JSC::ApplyFunctionCallDotNode::emitBytecode):
1481         * dfg/DFGCapabilities.cpp:
1482         (JSC::DFG::capabilityLevel):
1483         * interpreter/Interpreter.cpp:
1484         (JSC::sizeFrameForVarargs):
1485         (JSC::loadVarargs):
1486         * interpreter/Interpreter.h:
1487         * jit/JITCall.cpp:
1488         (JSC::JIT::compileLoadVarargs):
1489         * parser/ASTBuilder.h:
1490         (JSC::ASTBuilder::makeFunctionCallNode):
1491         * parser/Lexer.cpp:
1492         (JSC::isSafeBuiltinIdentifier):
1493         * runtime/CommonIdentifiers.h:
1494         * runtime/FunctionPrototype.cpp:
1495         (JSC::FunctionPrototype::addFunctionProperties):
1496         * runtime/JSObject.cpp:
1497         (JSC::JSObject::putDirectBuiltinFunction):
1498         (JSC::JSObject::putDirectBuiltinFunctionWithoutTransition):
1499         * runtime/JSObject.h:
1500
1501 2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>
1502
1503         Web Inspector: Better name for RemoteInspectorDebuggableConnection dispatch queue
1504         https://bugs.webkit.org/show_bug.cgi?id=129443
1505
1506         Reviewed by Timothy Hatcher.
1507
1508         This queue is specific to the JSContext debuggable connections;
1509         there is no XPC involved. Give it a better name.
1510
1511         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
1512         (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
1513
1514 2014-02-27  David Kilzer  <ddkilzer@apple.com>
1515
1516         Remove jsc symlink if it already exists
1517
1518         This is a follow-up fix for:
1519
1520         Create symlink to /usr/local/bin/jsc during installation
1521         <http://webkit.org/b/129399>
1522         <rdar://problem/16168734>
1523
1524         * JavaScriptCore.xcodeproj/project.pbxproj:
1525         (Create /usr/local/bin/jsc symlink): If a jsc symlink already
1526         exists where we're about to create the symlink, remove the old
1527         one first.
1528
1529 2014-02-27  Michael Saboff  <msaboff@apple.com>
1530
1531         Unreviewed build fix for Mac tools after r164814
1532
1533         * Configurations/ToolExecutable.xcconfig:
1534         - Added JavaScriptCore.framework/PrivateHeaders to ToolExecutable include path.
1535         * JavaScriptCore.xcodeproj/project.pbxproj:
1536         - Changed productName to testRegExp for testRegExp target.
1537
1538 2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>
1539
1540         Web Inspector: JSContext inspection should report exceptions in the console
1541         https://bugs.webkit.org/show_bug.cgi?id=128776
1542
1543         Reviewed by Timothy Hatcher.
1544
1545         When JavaScript API functions have an exception, let the inspector
1546         know so it can log the JavaScript and Native backtrace that caused
1547         the exception.
1548
1549         Include some clean up of ConsoleMessage and ScriptCallStack construction.
1550
1551         * API/JSBase.cpp:
1552         (JSEvaluateScript):
1553         (JSCheckScriptSyntax):
1554         * API/JSObjectRef.cpp:
1555         (JSObjectMakeFunction):
1556         (JSObjectMakeArray):
1557         (JSObjectMakeDate):
1558         (JSObjectMakeError):
1559         (JSObjectMakeRegExp):
1560         (JSObjectGetProperty):
1561         (JSObjectSetProperty):
1562         (JSObjectGetPropertyAtIndex):
1563         (JSObjectSetPropertyAtIndex):
1564         (JSObjectDeleteProperty):
1565         (JSObjectCallAsFunction):
1566         (JSObjectCallAsConstructor):
1567         * API/JSValue.mm:
1568         (reportExceptionToInspector):
1569         (valueToArray):
1570         (valueToDictionary):
1571         * API/JSValueRef.cpp:
1572         (JSValueIsEqual):
1573         (JSValueIsInstanceOfConstructor):
1574         (JSValueCreateJSONString):
1575         (JSValueToNumber):
1576         (JSValueToStringCopy):
1577         (JSValueToObject):
1578         When seeing an exception, let the inspector know there was an exception.
1579
1580         * inspector/JSGlobalObjectInspectorController.h:
1581         * inspector/JSGlobalObjectInspectorController.cpp:
1582         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1583         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
1584         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
1585         Log API exceptions by also grabbing the native backtrace.
1586
1587         * inspector/ScriptCallStack.h:
1588         * inspector/ScriptCallStack.cpp:
1589         (Inspector::ScriptCallStack::firstNonNativeCallFrame):
1590         (Inspector::ScriptCallStack::append):
1591         Minor extensions to ScriptCallStack to make it easier to work with.
1592
1593         * inspector/ConsoleMessage.cpp:
1594         (Inspector::ConsoleMessage::ConsoleMessage):
1595         (Inspector::ConsoleMessage::autogenerateMetadata):
1596         Provide better default information if the first call frame was native.
1597
1598         * inspector/ScriptCallStackFactory.cpp:
1599         (Inspector::createScriptCallStack):
1600         (Inspector::extractSourceInformationFromException):
1601         (Inspector::createScriptCallStackFromException):
1602         Perform the handling here of inserting a fake call frame for exceptions
1603         if there was no call stack (e.g. a SyntaxError) or if the first call
1604         frame had no information.
1605
1606         * inspector/ConsoleMessage.cpp:
1607         (Inspector::ConsoleMessage::ConsoleMessage):
1608         (Inspector::ConsoleMessage::autogenerateMetadata):
1609         * inspector/ConsoleMessage.h:
1610         * inspector/ScriptCallStackFactory.cpp:
1611         (Inspector::createScriptCallStack):
1612         (Inspector::createScriptCallStackForConsole):
1613         * inspector/ScriptCallStackFactory.h:
1614         * inspector/agents/InspectorConsoleAgent.cpp:
1615         (Inspector::InspectorConsoleAgent::enable):
1616         (Inspector::InspectorConsoleAgent::addMessageToConsole):
1617         (Inspector::InspectorConsoleAgent::count):
1618         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
1619         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
1620         ConsoleMessage cleanup.
1621
1622 2014-02-27  David Kilzer  <ddkilzer@apple.com>
1623
1624         Create symlink to /usr/local/bin/jsc during installation
1625         <http://webkit.org/b/129399>
1626         <rdar://problem/16168734>
1627
1628         Reviewed by Dan Bernstein.
1629
1630         * JavaScriptCore.xcodeproj/project.pbxproj:
1631         - Add "Create /usr/local/bin/jsc symlink" build phase script to
1632           create the symlink during installation.
1633
1634 2014-02-27  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>
1635
1636         Math.{max, min}() must not return after first NaN value
1637         https://bugs.webkit.org/show_bug.cgi?id=104147
1638
1639         Reviewed by Oliver Hunt.
1640
1641         According to the spec, ToNumber is going to be called on each argument
1642         even if a `NaN` value was already found.
1643
1644         * runtime/MathObject.cpp:
1645         (JSC::mathProtoFuncMax):
1646         (JSC::mathProtoFuncMin):
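
        Added example (not JavaScriptCore code) of the observable difference this entry fixes. The
        spec applies ToNumber to every argument of Math.max and Math.min, so an argument's valueOf must
        still run even after an earlier argument produced NaN; an implementation that returns on the
        first NaN silently skips those conversions. The recording objects and the earlyExitMax stand-in
        for the old behaviour are constructed for this demonstration.

```javascript
// Added example, not JavaScriptCore code: what the fix observes. ES5 15.8.2.11
// and 15.8.2.12 apply ToNumber to every argument of Math.max/Math.min, so an
// argument's valueOf must still run even after an earlier argument produced NaN.
// The recording objects below are constructed for this demonstration.

// Wrap each value so that ToNumber (via valueOf) records which argument was
// converted; `calls` ends up as the order of conversions that actually happened.
function recordingArgs(values) {
  const calls = [];
  const args = values.map((v, i) => ({ valueOf() { calls.push(i); return v; } }));
  return { args, calls };
}

// The behaviour the entry fixes: stop at the first NaN, leaving later
// arguments unconverted (their side effects never happen).
function earlyExitMax(...args) {
  let result = -Infinity;
  for (const a of args) {
    const n = Number(a);
    if (Number.isNaN(n)) return NaN;
    if (n > result) result = n;
  }
  return result;
}

// +0 is larger than -0 for max; -0 is smaller than +0 for min.
function maxOf(a, b) {
  if (a === 0 && b === 0) return Object.is(a, -0) ? b : a;
  return b > a ? b : a;
}
function minOf(a, b) {
  if (a === 0 && b === 0) return Object.is(a, 0) ? b : a;
  return b < a ? b : a;
}

// Spec-faithful fold: convert every argument first, then decide.
function specExtremum(pick, identity, args) {
  const numbers = args.map(Number); // ToNumber on each argument, left to right
  if (numbers.some(Number.isNaN)) return NaN; // only after all conversions ran
  return numbers.reduce(pick, identity);
}
function specMax(...args) { return specExtremum(maxOf, -Infinity, args); }
function specMin(...args) { return specExtremum(minOf, Infinity, args); }

// Apply an implementation to recording arguments and return what it did.
function observeConversions(impl, values) {
  const { args, calls } = recordingArgs(values);
  const result = impl(...args);
  return { result, calls };
}

console.log(observeConversions(earlyExitMax, [1, NaN, 3]).calls); // [0, 1]
console.log(observeConversions(specMax, [1, NaN, 3]).calls);      // [0, 1, 2]
```

        Converting first and folding second is what makes the side effects independent of where the
        NaN sits in the argument list; the -0/+0 handling is the other corner of the same spec text.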
1647
1648 2014-02-27  Gergo Balogh  <gbalogh.u-szeged@partner.samsung.com>
1649
1650         JSType upper limit (0xff) assertion can be removed.
1651         https://bugs.webkit.org/show_bug.cgi?id=129424
1652
1653         Reviewed by Geoffrey Garen.
1654
1655         * runtime/JSTypeInfo.h:
1656         (JSC::TypeInfo::TypeInfo):
1657
1658 2014-02-26  Michael Saboff  <msaboff@apple.com>
1659
1660         Auto generate bytecode information for bytecode parser and LLInt
1661         https://bugs.webkit.org/show_bug.cgi?id=129181
1662
1663         Reviewed by Mark Lam.
1664
1665         Added new bytecode/BytecodeList.json that contains a list of bytecodes and related
1666         helpers.  It also includes bytecode length and other information used to generate files.
1667         Added a new generator, generate-bytecode-files that generates Bytecodes.h and InitBytecodes.asm
1668         in DerivedSources/JavaScriptCore/.
1669
1670         Added the generation of these files to the "DerivedSource" build step.
1671         Slightly changed the build order, since the Bytecodes.h file is needed by
1672         JSCLLIntOffsetsExtractor.  Moved the offline assembly to a separate step since it needs
1673         to be run after JSCLLIntOffsetsExtractor.
1674
1675         Made related changes to OPCODE macros and their use.
1676
1677         Added JavaScriptCore.framework/PrivateHeaders to header file search path for building
1678         jsc to resolve Mac build issue.
1679
1680         * CMakeLists.txt:
1681         * Configurations/JSC.xcconfig:
1682         * DerivedSources.make:
1683         * GNUmakefile.am:
1684         * GNUmakefile.list.am:
1685         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1686         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1687         * JavaScriptCore.vcxproj/copy-files.cmd:
1688         * JavaScriptCore.xcodeproj/project.pbxproj:
1689         * bytecode/Opcode.h:
1690         (JSC::padOpcodeName):
1691         * llint/LLIntCLoop.cpp:
1692         (JSC::LLInt::CLoop::initialize):
1693         * llint/LLIntCLoop.h:
1694         * llint/LLIntData.cpp:
1695         (JSC::LLInt::initialize):
1696         * llint/LLIntOpcode.h:
1697         * llint/LowLevelInterpreter.asm:
1698
1699 2014-02-27  Julien Brianceau  <jbriance@cisco.com>
1700
1701         Fix 32-bit V_JITOperation_EJ callOperation introduced in r162652.
1702         https://bugs.webkit.org/show_bug.cgi?id=129420
1703
1704         Reviewed by Geoffrey Garen.
1705
1706         * dfg/DFGSpeculativeJIT.h:
1707         (JSC::DFG::SpeculativeJIT::callOperation): Payload and tag are swapped.
1708         Also, EABI_32BIT_DUMMY_ARG is missing for arm EABI and mips.
1709
1710 2014-02-27  Filip Pizlo  <fpizlo@apple.com>
1711
1712         Octane/closure thrashes between flattening dictionaries during global object initialization in a global eval
1713         https://bugs.webkit.org/show_bug.cgi?id=129435
1714
1715         Reviewed by Oliver Hunt.
1716
1717         This is a 5-10% speed-up on Octane/closure.
1718
1719         * interpreter/Interpreter.cpp:
1720         (JSC::Interpreter::execute):
1721         * jsc.cpp:
1722         (GlobalObject::finishCreation):
1723         (functionClearCodeCache):
1724         * runtime/BatchedTransitionOptimizer.h:
1725         (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
1726         (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):
1727
1728 2014-02-27  Alexey Proskuryakov  <ap@apple.com>
1729
1730         Added svn:ignore to two directories, so that .pyc files don't show up as unversioned.
1731
1732         * inspector/scripts: Added property svn:ignore.
1733         * replay/scripts: Added property svn:ignore.
1734
1735 2014-02-27  Gabor Rapcsanyi  <rgabor@webkit.org>
1736
1737         r164764 broke the ARM build
1738         https://bugs.webkit.org/show_bug.cgi?id=129415
1739
1740         Reviewed by Zoltan Herczeg.
1741
1742         * assembler/MacroAssemblerARM.h:
1743         (JSC::MacroAssemblerARM::moveWithPatch): Change reinterpret_cast to static_cast.
1744         (JSC::MacroAssemblerARM::canJumpReplacePatchableBranch32WithPatch): Add missing function.
1745         (JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress): Add missing function.
1746         (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch): Add missing function.
1747
1748 2014-02-27  Mark Hahnenberg  <mhahnenberg@apple.com>
1749
1750         r164764 broke the ARM build
1751         https://bugs.webkit.org/show_bug.cgi?id=129415
1752
1753         Reviewed by Geoffrey Garen.
1754
1755         * assembler/MacroAssemblerARM.h:
1756         (JSC::MacroAssemblerARM::moveWithPatch):
1757
1758 2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>
1759
1760         r164764 broke the ARM build
1761         https://bugs.webkit.org/show_bug.cgi?id=129415
1762
1763         Reviewed by Geoffrey Garen.
1764
1765         * assembler/MacroAssemblerARM.h:
1766         (JSC::MacroAssemblerARM::branch32WithPatch): Missing this function.
1767
1768 2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>
1769
1770         EFL build fix
1771
1772         * dfg/DFGSpeculativeJIT32_64.cpp: Remove unused variables.
1773         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
1774         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1775
1776 2014-02-25  Mark Hahnenberg  <mhahnenberg@apple.com>
1777
1778         Make JSCells have 32-bit Structure pointers
1779         https://bugs.webkit.org/show_bug.cgi?id=123195
1780
1781         Reviewed by Filip Pizlo.
1782
1783         This patch changes JSCells such that they no longer have a full 64-bit Structure
1784         pointer in their header. Instead they now have a 32-bit index into
1785         a per-VM table of Structure pointers. 32-bit platforms still use normal Structure
1786         pointers.
1787
1788         This change frees up an additional 32 bits of information in our object headers.
1789         We then use this extra space to store the indexing type of the object, the JSType
1790         of the object, some various type flags, and garbage collection data (e.g. mark bit).
1791         Because this inline type information is now faster to read, it pays for the slowdown
1792         incurred by having to perform an extra indirection through the StructureIDTable.
1793
1794         This patch also threads a reference to the current VM through more of the C++ runtime
1795         to offset the cost of having to look up the VM to get the actual Structure pointer.
1796
1797         * API/JSContext.mm:
1798         (-[JSContext setException:]):
1799         (-[JSContext wrapperForObjCObject:]):
1800         (-[JSContext wrapperForJSObject:]):
1801         * API/JSContextRef.cpp:
1802         (JSContextGroupRelease):
1803         (JSGlobalContextRelease):
1804         * API/JSObjectRef.cpp:
1805         (JSObjectIsFunction):
1806         (JSObjectCopyPropertyNames):
1807         * API/JSValue.mm:
1808         (containerValueToObject):
1809         * API/JSWrapperMap.mm:
1810         (tryUnwrapObjcObject):
1811         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1812         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1813         * JavaScriptCore.xcodeproj/project.pbxproj:
1814         * assembler/AbstractMacroAssembler.h:
1815         * assembler/MacroAssembler.h:
1816         (JSC::MacroAssembler::patchableBranch32WithPatch):
1817         (JSC::MacroAssembler::patchableBranch32):
1818         * assembler/MacroAssemblerARM64.h:
1819         (JSC::MacroAssemblerARM64::branchPtrWithPatch):
1820         (JSC::MacroAssemblerARM64::patchableBranch32WithPatch):
1821         (JSC::MacroAssemblerARM64::canJumpReplacePatchableBranch32WithPatch):
1822         (JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress):
1823         (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch):
1824         * assembler/MacroAssemblerARMv7.h:
1825         (JSC::MacroAssemblerARMv7::store8):
1826         (JSC::MacroAssemblerARMv7::branch32WithPatch):
1827         (JSC::MacroAssemblerARMv7::patchableBranch32WithPatch):
1828         (JSC::MacroAssemblerARMv7::canJumpReplacePatchableBranch32WithPatch):
1829         (JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress):
1830         (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch):
1831         * assembler/MacroAssemblerX86.h:
1832         (JSC::MacroAssemblerX86::branch32WithPatch):
1833         (JSC::MacroAssemblerX86::canJumpReplacePatchableBranch32WithPatch):
1834         (JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress):
1835         (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch):
1836         * assembler/MacroAssemblerX86_64.h:
1837         (JSC::MacroAssemblerX86_64::store32):
1838         (JSC::MacroAssemblerX86_64::moveWithPatch):
1839         (JSC::MacroAssemblerX86_64::branch32WithPatch):
1840         (JSC::MacroAssemblerX86_64::canJumpReplacePatchableBranch32WithPatch):
1841         (JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister):
1842         (JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress):
1843         (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch):
1844         * assembler/RepatchBuffer.h:
1845         (JSC::RepatchBuffer::startOfPatchableBranch32WithPatchOnAddress):
1846         (JSC::RepatchBuffer::revertJumpReplacementToPatchableBranch32WithPatch):
1847         * assembler/X86Assembler.h:
1848         (JSC::X86Assembler::revertJumpTo_movq_i64r):
1849         (JSC::X86Assembler::revertJumpTo_movl_i32r):
1850         * bytecode/ArrayProfile.cpp:
1851         (JSC::ArrayProfile::computeUpdatedPrediction):
1852         * bytecode/ArrayProfile.h:
1853         (JSC::ArrayProfile::ArrayProfile):
1854         (JSC::ArrayProfile::addressOfLastSeenStructureID):
1855         (JSC::ArrayProfile::observeStructure):
1856         * bytecode/CodeBlock.h:
1857         (JSC::CodeBlock::heap):
1858         * bytecode/UnlinkedCodeBlock.h:
1859         * debugger/Debugger.h:
1860         * dfg/DFGAbstractHeap.h:
1861         * dfg/DFGArrayifySlowPathGenerator.h:
1862         * dfg/DFGClobberize.h:
1863         (JSC::DFG::clobberize):
1864         * dfg/DFGJITCompiler.h:
1865         (JSC::DFG::JITCompiler::branchWeakStructure):
1866         (JSC::DFG::JITCompiler::branchStructurePtr):
1867         * dfg/DFGOSRExitCompiler32_64.cpp:
1868         (JSC::DFG::OSRExitCompiler::compileExit):
1869         * dfg/DFGOSRExitCompiler64.cpp:
1870         (JSC::DFG::OSRExitCompiler::compileExit):
1871         * dfg/DFGOSRExitCompilerCommon.cpp:
1872         (JSC::DFG::osrWriteBarrier):
1873         (JSC::DFG::adjustAndJumpToTarget):
1874         * dfg/DFGOperations.cpp:
1875         (JSC::DFG::putByVal):
1876         * dfg/DFGSpeculativeJIT.cpp:
1877         (JSC::DFG::SpeculativeJIT::checkArray):
1878         (JSC::DFG::SpeculativeJIT::arrayify):
1879         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
1880         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
1881         (JSC::DFG::SpeculativeJIT::compileInstanceOf):
1882         (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
1883         (JSC::DFG::SpeculativeJIT::speculateObject):
1884         (JSC::DFG::SpeculativeJIT::speculateFinalObject):
1885         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
1886         (JSC::DFG::SpeculativeJIT::speculateString):
1887         (JSC::DFG::SpeculativeJIT::speculateStringObject):
1888         (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
1889         (JSC::DFG::SpeculativeJIT::emitSwitchChar):
1890         (JSC::DFG::SpeculativeJIT::emitSwitchString):
1891         (JSC::DFG::SpeculativeJIT::genericWriteBarrier):
1892         (JSC::DFG::SpeculativeJIT::writeBarrier):
1893         * dfg/DFGSpeculativeJIT.h:
1894         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
1895         (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
1896         * dfg/DFGSpeculativeJIT32_64.cpp:
1897         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
1898         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
1899         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
1900         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
1901         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1902         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1903         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1904         (JSC::DFG::SpeculativeJIT::compile):
1905         (JSC::DFG::SpeculativeJIT::writeBarrier):
1906         * dfg/DFGSpeculativeJIT64.cpp:
1907         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
1908         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
1909         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
1910         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
1911         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1912         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1913         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1914         (JSC::DFG::SpeculativeJIT::compile):
1915         (JSC::DFG::SpeculativeJIT::writeBarrier):
1916         * dfg/DFGWorklist.cpp:
1917         * ftl/FTLAbstractHeapRepository.cpp:
1918         (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
1919         * ftl/FTLAbstractHeapRepository.h:
1920         * ftl/FTLLowerDFGToLLVM.cpp:
1921         (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
1922         (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
1923         (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
1924         (JSC::FTL::LowerDFGToLLVM::compileToString):
1925         (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
1926         (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
1927         (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
1928         (JSC::FTL::LowerDFGToLLVM::allocateCell):
1929         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
1930         (JSC::FTL::LowerDFGToLLVM::isObject):
1931         (JSC::FTL::LowerDFGToLLVM::isString):
1932         (JSC::FTL::LowerDFGToLLVM::isArrayType):
1933         (JSC::FTL::LowerDFGToLLVM::hasClassInfo):
1934         (JSC::FTL::LowerDFGToLLVM::isType):
1935         (JSC::FTL::LowerDFGToLLVM::speculateStringOrStringObject):
1936         (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForCell):
1937         (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
1938         (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
1939         (JSC::FTL::LowerDFGToLLVM::loadMarkByte):
1940         (JSC::FTL::LowerDFGToLLVM::loadStructure):
1941         (JSC::FTL::LowerDFGToLLVM::weakStructure):
1942         * ftl/FTLOSRExitCompiler.cpp:
1943         (JSC::FTL::compileStub):
1944         * ftl/FTLOutput.h:
1945         (JSC::FTL::Output::store8):
1946         * heap/GCAssertions.h:
1947         * heap/Heap.cpp:
1948         (JSC::Heap::getConservativeRegisterRoots):
1949         (JSC::Heap::collect):
1950         (JSC::Heap::writeBarrier):
1951         * heap/Heap.h:
1952         (JSC::Heap::structureIDTable):
1953         * heap/MarkedSpace.h:
1954         (JSC::MarkedSpace::forEachBlock):
1955         * heap/SlotVisitorInlines.h:
1956         (JSC::SlotVisitor::internalAppend):
1957         * jit/AssemblyHelpers.h:
1958         (JSC::AssemblyHelpers::branchIfCellNotObject):
1959         (JSC::AssemblyHelpers::genericWriteBarrier):
1960         (JSC::AssemblyHelpers::emitLoadStructure):
1961         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
1962         * jit/JIT.h:
1963         * jit/JITCall.cpp:
1964         (JSC::JIT::compileOpCall):
1965         (JSC::JIT::privateCompileClosureCall):
1966         * jit/JITCall32_64.cpp:
1967         (JSC::JIT::emit_op_ret_object_or_this):
1968         (JSC::JIT::compileOpCall):
1969         (JSC::JIT::privateCompileClosureCall):
1970         * jit/JITInlineCacheGenerator.cpp:
1971         (JSC::JITByIdGenerator::generateFastPathChecks):
1972         * jit/JITInlineCacheGenerator.h:
1973         * jit/JITInlines.h:
1974         (JSC::JIT::emitLoadCharacterString):
1975         (JSC::JIT::checkStructure):
1976         (JSC::JIT::emitJumpIfCellNotObject):
1977         (JSC::JIT::emitAllocateJSObject):
1978         (JSC::JIT::emitArrayProfilingSiteWithCell):
1979         (JSC::JIT::emitArrayProfilingSiteForBytecodeIndexWithCell):
1980         (JSC::JIT::branchStructure):
1981         (JSC::branchStructure):
1982         * jit/JITOpcodes.cpp:
1983         (JSC::JIT::emit_op_check_has_instance):
1984         (JSC::JIT::emit_op_instanceof):
1985         (JSC::JIT::emit_op_is_undefined):
1986         (JSC::JIT::emit_op_is_string):
1987         (JSC::JIT::emit_op_ret_object_or_this):
1988         (JSC::JIT::emit_op_to_primitive):
1989         (JSC::JIT::emit_op_jeq_null):
1990         (JSC::JIT::emit_op_jneq_null):
1991         (JSC::JIT::emit_op_get_pnames):
1992         (JSC::JIT::emit_op_next_pname):
1993         (JSC::JIT::emit_op_eq_null):
1994         (JSC::JIT::emit_op_neq_null):
1995         (JSC::JIT::emit_op_to_this):
1996         (JSC::JIT::emitSlow_op_to_this):
1997         * jit/JITOpcodes32_64.cpp:
1998         (JSC::JIT::emit_op_check_has_instance):
1999         (JSC::JIT::emit_op_instanceof):
2000         (JSC::JIT::emit_op_is_undefined):
2001         (JSC::JIT::emit_op_is_string):
2002         (JSC::JIT::emit_op_to_primitive):
2003         (JSC::JIT::emit_op_jeq_null):
2004         (JSC::JIT::emit_op_jneq_null):
2005         (JSC::JIT::emitSlow_op_eq):
2006         (JSC::JIT::emitSlow_op_neq):
2007         (JSC::JIT::compileOpStrictEq):
2008         (JSC::JIT::emit_op_eq_null):
2009         (JSC::JIT::emit_op_neq_null):
2010         (JSC::JIT::emit_op_get_pnames):
2011         (JSC::JIT::emit_op_next_pname):
2012         (JSC::JIT::emit_op_to_this):
2013         * jit/JITOperations.cpp:
2014         * jit/JITPropertyAccess.cpp:
2015         (JSC::JIT::stringGetByValStubGenerator):
2016         (JSC::JIT::emit_op_get_by_val):
2017         (JSC::JIT::emitSlow_op_get_by_val):
2018         (JSC::JIT::emit_op_get_by_pname):
2019         (JSC::JIT::emit_op_put_by_val):
2020         (JSC::JIT::emit_op_get_by_id):
2021         (JSC::JIT::emitLoadWithStructureCheck):
2022         (JSC::JIT::emitSlow_op_get_from_scope):
2023         (JSC::JIT::emitSlow_op_put_to_scope):
2024         (JSC::JIT::checkMarkWord):
2025         (JSC::JIT::emitWriteBarrier):
2026         (JSC::JIT::addStructureTransitionCheck):
2027         (JSC::JIT::emitIntTypedArrayGetByVal):
2028         (JSC::JIT::emitFloatTypedArrayGetByVal):
2029         (JSC::JIT::emitIntTypedArrayPutByVal):
2030         (JSC::JIT::emitFloatTypedArrayPutByVal):
2031         * jit/JITPropertyAccess32_64.cpp:
2032         (JSC::JIT::stringGetByValStubGenerator):
2033         (JSC::JIT::emit_op_get_by_val):
2034         (JSC::JIT::emitSlow_op_get_by_val):
2035         (JSC::JIT::emit_op_put_by_val):
2036         (JSC::JIT::emit_op_get_by_id):
2037         (JSC::JIT::emit_op_get_by_pname):
2038         (JSC::JIT::emitLoadWithStructureCheck):
2039         * jit/JSInterfaceJIT.h:
2040         (JSC::JSInterfaceJIT::emitJumpIfNotType):
2041         * jit/Repatch.cpp:
2042         (JSC::repatchByIdSelfAccess):
2043         (JSC::addStructureTransitionCheck):
2044         (JSC::replaceWithJump):
2045         (JSC::generateProtoChainAccessStub):
2046         (JSC::tryCacheGetByID):
2047         (JSC::tryBuildGetByIDList):
2048         (JSC::writeBarrier):
2049         (JSC::emitPutReplaceStub):
2050         (JSC::emitPutTransitionStub):
2051         (JSC::tryBuildPutByIdList):
2052         (JSC::tryRepatchIn):
2053         (JSC::linkClosureCall):
2054         (JSC::resetGetByID):
2055         (JSC::resetPutByID):
2056         * jit/SpecializedThunkJIT.h:
2057         (JSC::SpecializedThunkJIT::loadJSStringArgument):
2058         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
2059         * jit/ThunkGenerators.cpp:
2060         (JSC::virtualForThunkGenerator):
2061         (JSC::arrayIteratorNextThunkGenerator):
2062         * jit/UnusedPointer.h:
2063         * llint/LowLevelInterpreter.asm:
2064         * llint/LowLevelInterpreter32_64.asm:
2065         * llint/LowLevelInterpreter64.asm:
2066         * runtime/Arguments.cpp:
2067         (JSC::Arguments::createStrictModeCallerIfNecessary):
2068         (JSC::Arguments::createStrictModeCalleeIfNecessary):
2069         * runtime/Arguments.h:
2070         (JSC::Arguments::createStructure):
2071         * runtime/ArrayPrototype.cpp:
2072         (JSC::shift):
2073         (JSC::unshift):
2074         (JSC::arrayProtoFuncToString):
2075         (JSC::arrayProtoFuncPop):
2076         (JSC::arrayProtoFuncReverse):
2077         (JSC::performSlowSort):
2078         (JSC::arrayProtoFuncSort):
2079         (JSC::arrayProtoFuncSplice):
2080         (JSC::arrayProtoFuncUnShift):
2081         * runtime/CommonSlowPaths.cpp:
2082         (JSC::SLOW_PATH_DECL):
2083         * runtime/Executable.h:
2084         (JSC::ExecutableBase::isFunctionExecutable):
2085         (JSC::ExecutableBase::clearCodeVirtual):
2086         (JSC::ScriptExecutable::unlinkCalls):
2087         * runtime/GetterSetter.cpp:
2088         (JSC::callGetter):
2089         (JSC::callSetter):
2090         * runtime/InitializeThreading.cpp:
2091         * runtime/JSArray.cpp:
2092         (JSC::JSArray::unshiftCountSlowCase):
2093         (JSC::JSArray::setLength):
2094         (JSC::JSArray::pop):
2095         (JSC::JSArray::push):
2096         (JSC::JSArray::shiftCountWithArrayStorage):
2097         (JSC::JSArray::shiftCountWithAnyIndexingType):
2098         (JSC::JSArray::unshiftCountWithArrayStorage):
2099         (JSC::JSArray::unshiftCountWithAnyIndexingType):
2100         (JSC::JSArray::sortNumericVector):
2101         (JSC::JSArray::sortNumeric):
2102         (JSC::JSArray::sortCompactedVector):
2103         (JSC::JSArray::sort):
2104         (JSC::JSArray::sortVector):
2105         (JSC::JSArray::fillArgList):
2106         (JSC::JSArray::copyToArguments):
2107         (JSC::JSArray::compactForSorting):
2108         * runtime/JSCJSValueInlines.h:
2109         (JSC::JSValue::toThis):
2110         (JSC::JSValue::put):
2111         (JSC::JSValue::putByIndex):
2112         (JSC::JSValue::equalSlowCaseInline):
2113         * runtime/JSCell.cpp:
2114         (JSC::JSCell::put):
2115         (JSC::JSCell::putByIndex):
2116         (JSC::JSCell::deleteProperty):
2117         (JSC::JSCell::deletePropertyByIndex):
2118         * runtime/JSCell.h:
2119         (JSC::JSCell::clearStructure):
2120         (JSC::JSCell::mark):
2121         (JSC::JSCell::isMarked):
2122         (JSC::JSCell::structureIDOffset):
2123         (JSC::JSCell::typeInfoFlagsOffset):
2124         (JSC::JSCell::typeInfoTypeOffset):
2125         (JSC::JSCell::indexingTypeOffset):
2126         (JSC::JSCell::gcDataOffset):
2127         * runtime/JSCellInlines.h:
2128         (JSC::JSCell::JSCell):
2129         (JSC::JSCell::finishCreation):
2130         (JSC::JSCell::type):
2131         (JSC::JSCell::indexingType):
2132         (JSC::JSCell::structure):
2133         (JSC::JSCell::visitChildren):
2134         (JSC::JSCell::isObject):
2135         (JSC::JSCell::isString):
2136         (JSC::JSCell::isGetterSetter):
2137         (JSC::JSCell::isProxy):
2138         (JSC::JSCell::isAPIValueWrapper):
2139         (JSC::JSCell::setStructure):
2140         (JSC::JSCell::methodTable):
2141         (JSC::Heap::writeBarrier):
2142         * runtime/JSDataView.cpp:
2143         (JSC::JSDataView::createStructure):
2144         * runtime/JSDestructibleObject.h:
2145         (JSC::JSCell::classInfo):
2146         * runtime/JSFunction.cpp:
2147         (JSC::JSFunction::getOwnNonIndexPropertyNames):
2148         (JSC::JSFunction::put):
2149         (JSC::JSFunction::defineOwnProperty):
2150         * runtime/JSGenericTypedArrayView.h:
2151         (JSC::JSGenericTypedArrayView::createStructure):
2152         * runtime/JSObject.cpp:
2153         (JSC::getCallableObjectSlow):
2154         (JSC::JSObject::copyButterfly):
2155         (JSC::JSObject::visitButterfly):
2156         (JSC::JSFinalObject::visitChildren):
2157         (JSC::JSObject::getOwnPropertySlotByIndex):
2158         (JSC::JSObject::put):
2159         (JSC::JSObject::putByIndex):
2160         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
2161         (JSC::JSObject::enterDictionaryIndexingMode):
2162         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
2163         (JSC::JSObject::createInitialIndexedStorage):
2164         (JSC::JSObject::createInitialUndecided):
2165         (JSC::JSObject::createInitialInt32):
2166         (JSC::JSObject::createInitialDouble):
2167         (JSC::JSObject::createInitialContiguous):
2168         (JSC::JSObject::createArrayStorage):
2169         (JSC::JSObject::convertUndecidedToInt32):
2170         (JSC::JSObject::convertUndecidedToDouble):
2171         (JSC::JSObject::convertUndecidedToContiguous):
2172         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
2173         (JSC::JSObject::convertUndecidedToArrayStorage):
2174         (JSC::JSObject::convertInt32ToDouble):
2175         (JSC::JSObject::convertInt32ToContiguous):
2176         (JSC::JSObject::convertInt32ToArrayStorage):
2177         (JSC::JSObject::genericConvertDoubleToContiguous):
2178         (JSC::JSObject::convertDoubleToArrayStorage):
2179         (JSC::JSObject::convertContiguousToArrayStorage):
2180         (JSC::JSObject::ensureInt32Slow):
2181         (JSC::JSObject::ensureDoubleSlow):
2182         (JSC::JSObject::ensureContiguousSlow):
2183         (JSC::JSObject::ensureArrayStorageSlow):
2184         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
2185         (JSC::JSObject::switchToSlowPutArrayStorage):
2186         (JSC::JSObject::setPrototype):
2187         (JSC::JSObject::setPrototypeWithCycleCheck):
2188         (JSC::JSObject::putDirectNonIndexAccessor):
2189         (JSC::JSObject::deleteProperty):
2190         (JSC::JSObject::hasOwnProperty):
2191         (JSC::JSObject::deletePropertyByIndex):
2192         (JSC::JSObject::getPrimitiveNumber):
2193         (JSC::JSObject::hasInstance):
2194         (JSC::JSObject::getPropertySpecificValue):
2195         (JSC::JSObject::getPropertyNames):
2196         (JSC::JSObject::getOwnPropertyNames):
2197         (JSC::JSObject::getOwnNonIndexPropertyNames):
2198         (JSC::JSObject::seal):
2199         (JSC::JSObject::freeze):
2200         (JSC::JSObject::preventExtensions):
2201         (JSC::JSObject::reifyStaticFunctionsForDelete):
2202         (JSC::JSObject::removeDirect):
2203         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2204         (JSC::JSObject::putByIndexBeyondVectorLength):
2205         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
2206         (JSC::JSObject::putDirectIndexBeyondVectorLength):
2207         (JSC::JSObject::getNewVectorLength):
2208         (JSC::JSObject::countElements):
2209         (JSC::JSObject::increaseVectorLength):
2210         (JSC::JSObject::ensureLengthSlow):
2211         (JSC::JSObject::growOutOfLineStorage):
2212         (JSC::JSObject::getOwnPropertyDescriptor):
2213         (JSC::putDescriptor):
2214         (JSC::JSObject::defineOwnNonIndexProperty):
2215         * runtime/JSObject.h:
2216         (JSC::getJSFunction):
2217         (JSC::JSObject::getArrayLength):
2218         (JSC::JSObject::getVectorLength):
2219         (JSC::JSObject::putByIndexInline):
2220         (JSC::JSObject::canGetIndexQuickly):
2221         (JSC::JSObject::getIndexQuickly):
2222         (JSC::JSObject::tryGetIndexQuickly):
2223         (JSC::JSObject::getDirectIndex):
2224         (JSC::JSObject::canSetIndexQuickly):
2225         (JSC::JSObject::canSetIndexQuicklyForPutDirect):
2226         (JSC::JSObject::setIndexQuickly):
2227         (JSC::JSObject::initializeIndex):
2228         (JSC::JSObject::hasSparseMap):
2229         (JSC::JSObject::inSparseIndexingMode):
2230         (JSC::JSObject::getDirect):
2231         (JSC::JSObject::getDirectOffset):
2232         (JSC::JSObject::isSealed):
2233         (JSC::JSObject::isFrozen):
2234         (JSC::JSObject::flattenDictionaryObject):
2235         (JSC::JSObject::ensureInt32):
2236         (JSC::JSObject::ensureDouble):
2237         (JSC::JSObject::ensureContiguous):
2238         (JSC::JSObject::rageEnsureContiguous):
2239         (JSC::JSObject::ensureArrayStorage):
2240         (JSC::JSObject::arrayStorage):
2241         (JSC::JSObject::arrayStorageOrNull):
2242         (JSC::JSObject::ensureLength):
2243         (JSC::JSObject::currentIndexingData):
2244         (JSC::JSObject::getHolyIndexQuickly):
2245         (JSC::JSObject::currentRelevantLength):
2246         (JSC::JSObject::isGlobalObject):
2247         (JSC::JSObject::isVariableObject):
2248         (JSC::JSObject::isStaticScopeObject):
2249         (JSC::JSObject::isNameScopeObject):
2250         (JSC::JSObject::isActivationObject):
2251         (JSC::JSObject::isErrorInstance):
2252         (JSC::JSObject::inlineGetOwnPropertySlot):
2253         (JSC::JSObject::fastGetOwnPropertySlot):
2254         (JSC::JSObject::getPropertySlot):
2255         (JSC::JSObject::putDirectInternal):
2256         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
2257         * runtime/JSPropertyNameIterator.h:
2258         (JSC::JSPropertyNameIterator::createStructure):
2259         * runtime/JSProxy.cpp:
2260         (JSC::JSProxy::getOwnPropertySlot):
2261         (JSC::JSProxy::getOwnPropertySlotByIndex):
2262         (JSC::JSProxy::put):
2263         (JSC::JSProxy::putByIndex):
2264         (JSC::JSProxy::defineOwnProperty):
2265         (JSC::JSProxy::deleteProperty):
2266         (JSC::JSProxy::deletePropertyByIndex):
2267         (JSC::JSProxy::getPropertyNames):
2268         (JSC::JSProxy::getOwnPropertyNames):
2269         * runtime/JSScope.cpp:
2270         (JSC::JSScope::objectAtScope):
2271         * runtime/JSString.h:
2272         (JSC::JSString::createStructure):
2273         (JSC::isJSString):
2274         * runtime/JSType.h:
2275         * runtime/JSTypeInfo.h:
2276         (JSC::TypeInfo::TypeInfo):
2277         (JSC::TypeInfo::isObject):
2278         (JSC::TypeInfo::structureIsImmortal):
2279         (JSC::TypeInfo::zeroedGCDataOffset):
2280         (JSC::TypeInfo::inlineTypeFlags):
2281         * runtime/MapData.h:
2282         * runtime/ObjectConstructor.cpp:
2283         (JSC::objectConstructorGetOwnPropertyNames):
2284         (JSC::objectConstructorKeys):
2285         (JSC::objectConstructorDefineProperty):
2286         (JSC::defineProperties):
2287         (JSC::objectConstructorSeal):
2288         (JSC::objectConstructorFreeze):
2289         (JSC::objectConstructorIsSealed):
2290         (JSC::objectConstructorIsFrozen):
2291         * runtime/ObjectPrototype.cpp:
2292         (JSC::objectProtoFuncDefineGetter):
2293         (JSC::objectProtoFuncDefineSetter):
2294         (JSC::objectProtoFuncToString):
2295         * runtime/Operations.cpp:
2296         (JSC::jsTypeStringForValue):
2297         (JSC::jsIsObjectType):
2298         * runtime/Operations.h:
2299         (JSC::normalizePrototypeChainForChainAccess):
2300         (JSC::normalizePrototypeChain):
2301         * runtime/PropertyMapHashTable.h:
2302         (JSC::PropertyTable::createStructure):
2303         * runtime/RegExp.h:
2304         (JSC::RegExp::createStructure):
2305         * runtime/SparseArrayValueMap.h:
2306         * runtime/Structure.cpp:
2307         (JSC::Structure::Structure):
2308         (JSC::Structure::~Structure):
2309         (JSC::Structure::prototypeChainMayInterceptStoreTo):
2310         * runtime/Structure.h:
2311         (JSC::Structure::id):
2312         (JSC::Structure::idBlob):
2313         (JSC::Structure::objectInitializationFields):
2314         (JSC::Structure::structureIDOffset):
2315         * runtime/StructureChain.h:
2316         (JSC::StructureChain::createStructure):
2317         * runtime/StructureIDTable.cpp: Added.
2318         (JSC::StructureIDTable::StructureIDTable):
2319         (JSC::StructureIDTable::~StructureIDTable):
2320         (JSC::StructureIDTable::resize):
2321         (JSC::StructureIDTable::flushOldTables):
2322         (JSC::StructureIDTable::allocateID):
2323         (JSC::StructureIDTable::deallocateID):
2324         * runtime/StructureIDTable.h: Added.
2325         (JSC::StructureIDTable::base):
2326         (JSC::StructureIDTable::get):
2327         * runtime/SymbolTable.h:
2328         * runtime/TypedArrayType.cpp:
2329         (JSC::typeForTypedArrayType):
2330         * runtime/TypedArrayType.h:
2331         * runtime/WeakMapData.h:
2332
2333 2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>
2334
2335         Unconditional logging in compileFTLOSRExit
2336         https://bugs.webkit.org/show_bug.cgi?id=129407
2337
2338         Reviewed by Michael Saboff.
2339
2340         This was causing tests to fail with the FTL enabled.
2341
2342         * ftl/FTLOSRExitCompiler.cpp:
2343         (JSC::FTL::compileFTLOSRExit):
2344
2345 2014-02-26  Oliver Hunt  <oliver@apple.com>
2346
2347         Remove unused access types
2348         https://bugs.webkit.org/show_bug.cgi?id=129385
2349
2350         Reviewed by Filip Pizlo.
2351
2352         Remove unused cruft.
2353
2354         * bytecode/CodeBlock.cpp:
2355         (JSC::CodeBlock::printGetByIdCacheStatus):
2356         * bytecode/StructureStubInfo.cpp:
2357         (JSC::StructureStubInfo::deref):
2358         * bytecode/StructureStubInfo.h:
2359         (JSC::isGetByIdAccess):
2360         (JSC::isPutByIdAccess):
2361
2362 2014-02-26  Oliver Hunt  <oliver@apple.com>
2363
2364         Function.prototype.apply has a bad time with the spread operator
2365         https://bugs.webkit.org/show_bug.cgi?id=129381
2366
2367         Reviewed by Mark Hahnenberg.
2368
2369         Make sure our apply logic handles the spread operator correctly.
2370         To do this we simply emit the enumeration logic that we'd normally
2371         use for other enumerations, but only store the first two results
2372         to registers.  Then perform a varargs call.
2373
2374         * bytecompiler/NodesCodegen.cpp:
2375         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2376
2377 2014-02-26  Mark Lam  <mark.lam@apple.com>
2378
2379         Compilation policy management belongs in operationOptimize(), not the DFG Driver.
2380         <https://webkit.org/b/129355>
2381
2382         Reviewed by Filip Pizlo.
2383
2384         By compilation policy, I mean the rules for determining whether to
2385         compile, when to compile, when to attempt compilation again, etc.  The
2386         few of these policy decisions that were previously being made in the
2387         DFG driver are now moved to operationOptimize() where we keep the rest
2388         of the policy logic.  Decisions that are based on the capabilities
2389         supported by the DFG are moved to DFG capabilityLevel().
2390
2391         I've run the following benchmarks:
2392         1. the collection of jsc benchmarks on the jsc executable vs. its
2393            baseline.
2394         2. Octane 2.0 in browser without the WebInspector.
2395         3. Octane 2.0 in browser with the WebInspector open and a breakpoint
2396            set somewhere where it won't break.
2397
2398         In all of these, the results came out to be a wash as expected.
2399
2400         * dfg/DFGCapabilities.cpp:
2401         (JSC::DFG::isSupported):
2402         (JSC::DFG::mightCompileEval):
2403         (JSC::DFG::mightCompileProgram):
2404         (JSC::DFG::mightCompileFunctionForCall):
2405         (JSC::DFG::mightCompileFunctionForConstruct):
2406         (JSC::DFG::mightInlineFunctionForCall):
2407         (JSC::DFG::mightInlineFunctionForClosureCall):
2408         (JSC::DFG::mightInlineFunctionForConstruct):
2409         * dfg/DFGCapabilities.h:
2410         * dfg/DFGDriver.cpp:
2411         (JSC::DFG::compileImpl):
2412         * jit/JITOperations.cpp:
2413
2414 2014-02-26  Mark Lam  <mark.lam@apple.com>
2415
2416         ASSERTION FAILED: m_heap->vm()->currentThreadIsHoldingAPILock() in inspector-protocol/*.
2417         <https://webkit.org/b/129364>
2418
2419         Reviewed by Alexey Proskuryakov.
2420
2421         InjectedScriptModule::ensureInjected() needs an APIEntryShim.
2422
2423         * inspector/InjectedScriptModule.cpp:
2424         (Inspector::InjectedScriptModule::ensureInjected):
2425         - Added the needed but missing APIEntryShim.
2426
2427 2014-02-25  Mark Lam  <mark.lam@apple.com>
2428
2429         Web Inspector: CRASH when evaluating in console of JSContext RWI with disabled breakpoints.
2430         <https://webkit.org/b/128766>
2431
2432         Reviewed by Geoffrey Garen.
2433
2434         Make the JSLock::grabAllLocks() work the same way as for the C loop LLINT.
2435         The reasoning is that we don't know of any clients that need unordered
2436         re-entry into the VM from different threads. So, we're enforcing ordered
2437         re-entry, i.e. we must re-grab locks in the reverse order of dropping locks.
2438
2439         The crash in this bug happened because we were allowing unordered re-entry,
2440         and the following type of scenario occurred:
2441
2442         1. Thread T1 locks the VM, and enters the VM to execute some JS code.
2443         2. On entry, T1 detects that VM::m_entryScope is null, i.e. this is the
2444            first time it entered the VM.
2445            T1 sets VM::m_entryScope to T1's entryScope.
2446         3. T1 drops all locks.
2447
2448         4. Thread T2 locks the VM, and enters the VM to execute some JS code.
2449            On entry, T2 sees that VM::m_entryScope is NOT null, and therefore
2450            does not set the entryScope.
2451         5. T2 drops all locks.
2452
2453         6. T1 re-grabs locks.
2454         7. T1 returns all the way out of JS code. On exit from the outermost
2455            JS function, T1 clears VM::m_entryScope (because T1 was the one who
2456            set it).
2457         8. T1 unlocks the VM.
2458
2459         9. T2 re-grabs locks.
2460         10. T2 proceeds to execute some code and expects VM::m_entryScope to be
2461             NOT null, but it turns out to be null. Assertion failures and
2462             crashes ensue.
2463
2464         With ordered re-entry, at step 6, T1 will loop and yield until T2 exits
2465         the VM. Hence, the issue will no longer manifest.
2466
2467         * runtime/JSLock.cpp:
2468         (JSC::JSLock::dropAllLocks):
2469         (JSC::JSLock::grabAllLocks):
2470         * runtime/JSLock.h:
2471         (JSC::JSLock::DropAllLocks::dropDepth):
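
        The ten-step interleaving above, replayed as a cooperative single-threaded model so the
        difference between unordered and ordered re-entry can be observed deterministically. This is
        an added illustration, not WebKit's JSLock: the classes (JSLock, VM, Thread, Outcome) and
        the drop-depth bookkeeping are hypothetical stand-ins for the real implementation.

```cpp
// Cooperative, single-threaded model of the ordered vs. unordered lock
// re-entry scenario from the JSLock entry above. Added illustration, not
// WebKit's JSLock; names mirror the entry (entryScope, dropAllLocks,
// grabAllLocks, dropDepth) but every class here is hypothetical.
#include <string>

struct EntryScope { std::string owner; };

// The single piece of VM state the scenario is about.
struct VM { EntryScope* entryScope = nullptr; };

// Model of the API lock. lockDropDepth counts outstanding DropAllLocks.
struct JSLock {
    bool orderedReentry;   // false: the buggy behaviour; true: the fix
    int lockDropDepth = 0;
    std::string owner;     // "" when unlocked

    explicit JSLock(bool ordered) : orderedReentry(ordered) {}

    bool lock(const std::string& thread) {
        if (!owner.empty() && owner != thread) return false;
        owner = thread;
        return true;
    }
    void unlock() { owner.clear(); }

    // Drop the lock; the returned drop depth identifies this drop so the
    // re-grab can be ordered against other droppers.
    int dropAllLocks() {
        int depth = lockDropDepth++;
        owner.clear();
        return depth;
    }

    // Re-grab. Returns false when the caller must yield and retry: someone
    // else holds the lock, or (ordered mode) a later dropper has not yet
    // re-grabbed and exited, i.e. re-grabs must happen in reverse drop order.
    bool grabAllLocks(const std::string& thread, int dropDepth) {
        if (!owner.empty() && owner != thread) return false;
        if (orderedReentry && dropDepth != lockDropDepth - 1) return false;
        --lockDropDepth;
        owner = thread;
        return true;
    }
};

// A thread entering the VM: only the first entrant sets VM::entryScope and
// only that thread clears it on exit (steps 2 and 7 in the entry).
struct Thread {
    std::string name;
    EntryScope scope;
    bool setEntryScope = false;
    bool done = false;

    void enter(VM& vm) {
        if (!vm.entryScope) {
            scope.owner = name;
            vm.entryScope = &scope;
            setEntryScope = true;
        }
    }
    void exit(VM& vm) {
        if (setEntryScope) vm.entryScope = nullptr;
        done = true;
    }
};

struct Outcome {
    bool t2SawNullEntryScope;  // the assertion failure described in the entry
    int t1Yields;              // how often T1 had to yield at step 6
};

// Replays steps 1-10 of the entry. With unordered re-entry T1 re-grabs at
// step 6 ahead of T2 and clears entryScope underneath it; with ordered
// re-entry T1 yields until T2 has re-grabbed and exited.
Outcome runScenario(bool orderedReentry) {
    VM vm;
    JSLock lock(orderedReentry);
    Thread t1, t2;
    t1.name = "T1";
    t2.name = "T2";
    Outcome out{false, 0};

    lock.lock(t1.name); t1.enter(vm);           // steps 1-2
    int t1Depth = lock.dropAllLocks();          // step 3
    lock.lock(t2.name); t2.enter(vm);           // step 4
    int t2Depth = lock.dropAllLocks();          // step 5

    while (!lock.grabAllLocks(t1.name, t1Depth)) {   // step 6
        ++out.t1Yields;
        // T1 yielded: T2 re-grabs, runs, exits and unlocks first.
        if (lock.grabAllLocks(t2.name, t2Depth)) {
            if (!vm.entryScope) out.t2SawNullEntryScope = true;
            t2.exit(vm);
            lock.unlock();
        }
    }
    t1.exit(vm);                                // step 7: clears entryScope
    lock.unlock();                              // step 8

    if (!t2.done && lock.grabAllLocks(t2.name, t2Depth)) {  // steps 9-10
        if (!vm.entryScope) out.t2SawNullEntryScope = true;
        t2.exit(vm);
        lock.unlock();
    }
    return out;
}
```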
2472
2473 2014-02-25  Mark Lam  <mark.lam@apple.com>
2474
2475         Need to initialize VM stack data even when the VM is on an exclusive thread.
2476         <https://webkit.org/b/129265>
2477
2478         Not reviewed.
2479
2480         Relanding r164627 now that <https://webkit.org/b/129341> is fixed.
2481
2482         * API/APIShims.h:
2483         (JSC::APIEntryShim::APIEntryShim):
2484         (JSC::APICallbackShim::shouldDropAllLocks):
2485         * heap/MachineStackMarker.cpp:
2486         (JSC::MachineThreads::addCurrentThread):
2487         * runtime/JSLock.cpp:
2488         (JSC::JSLockHolder::JSLockHolder):
2489         (JSC::JSLockHolder::init):
2490         (JSC::JSLockHolder::~JSLockHolder):
2491         (JSC::JSLock::JSLock):
2492         (JSC::JSLock::setExclusiveThread):
2493         (JSC::JSLock::lock):
2494         (JSC::JSLock::unlock):
2495         (JSC::JSLock::currentThreadIsHoldingLock):
2496         (JSC::JSLock::dropAllLocks):
2497         (JSC::JSLock::grabAllLocks):
2498         * runtime/JSLock.h:
2499         (JSC::JSLock::hasExclusiveThread):
2500         (JSC::JSLock::exclusiveThread):
2501         * runtime/VM.cpp:
2502         (JSC::VM::VM):
2503         * runtime/VM.h:
2504         (JSC::VM::hasExclusiveThread):
2505         (JSC::VM::exclusiveThread):
2506         (JSC::VM::setExclusiveThread):
2507         (JSC::VM::currentThreadIsHoldingAPILock):
2508
2509 2014-02-25  Filip Pizlo  <fpizlo@apple.com>
2510
2511         Inline caching in the FTL on ARM64 should "work"
2512         https://bugs.webkit.org/show_bug.cgi?id=129334
2513
2514         Reviewed by Mark Hahnenberg.
2515         
2516         Gets us to the point where simple tests that use inline caching are passing.
2517
2518         * assembler/LinkBuffer.cpp:
2519         (JSC::LinkBuffer::copyCompactAndLinkCode):
2520         (JSC::LinkBuffer::shrink):
2521         * ftl/FTLInlineCacheSize.cpp:
2522         (JSC::FTL::sizeOfGetById):
2523         (JSC::FTL::sizeOfPutById):
2524         (JSC::FTL::sizeOfCall):
2525         * ftl/FTLOSRExitCompiler.cpp:
2526         (JSC::FTL::compileFTLOSRExit):
2527         * ftl/FTLThunks.cpp:
2528         (JSC::FTL::osrExitGenerationThunkGenerator):
2529         * jit/GPRInfo.h:
2530         * offlineasm/arm64.rb:
2531
2532 2014-02-25  Commit Queue  <commit-queue@webkit.org>
2533
2534         Unreviewed, rolling out r164627.
2535         http://trac.webkit.org/changeset/164627
2536         https://bugs.webkit.org/show_bug.cgi?id=129325
2537
2538         Broke SubtleCrypto tests (Requested by ap on #webkit).
2539
2540         * API/APIShims.h:
2541         (JSC::APIEntryShim::APIEntryShim):
2542         (JSC::APICallbackShim::shouldDropAllLocks):
2543         * heap/MachineStackMarker.cpp:
2544         (JSC::MachineThreads::addCurrentThread):
2545         * runtime/JSLock.cpp:
2546         (JSC::JSLockHolder::JSLockHolder):
2547         (JSC::JSLockHolder::init):
2548         (JSC::JSLockHolder::~JSLockHolder):
2549         (JSC::JSLock::JSLock):
2550         (JSC::JSLock::lock):
2551         (JSC::JSLock::unlock):
2552         (JSC::JSLock::currentThreadIsHoldingLock):
2553         (JSC::JSLock::dropAllLocks):
2554         (JSC::JSLock::grabAllLocks):
2555         * runtime/JSLock.h:
2556         * runtime/VM.cpp:
2557         (JSC::VM::VM):
2558         * runtime/VM.h:
2559         (JSC::VM::currentThreadIsHoldingAPILock):
2560
2561 2014-02-25  Filip Pizlo  <fpizlo@apple.com>
2562
2563         ARM64 rshift64 should be an arithmetic shift
2564         https://bugs.webkit.org/show_bug.cgi?id=129323
2565
2566         Reviewed by Mark Hahnenberg.
2567
2568         * assembler/MacroAssemblerARM64.h:
2569         (JSC::MacroAssemblerARM64::rshift64):
2570
2571 2014-02-25  Sergio Villar Senin  <svillar@igalia.com>
2572
2573         [CSS Grid Layout] Add ENABLE flag
2574         https://bugs.webkit.org/show_bug.cgi?id=129153
2575
2576         Reviewed by Simon Fraser.
2577
2578         * Configurations/FeatureDefines.xcconfig: added ENABLE_CSS_GRID_LAYOUT feature flag.
2579
2580 2014-02-25  Michael Saboff  <msaboff@apple.com>
2581
2582         JIT Engines use the wrong stack limit for stack checks
2583         https://bugs.webkit.org/show_bug.cgi?id=129314
2584
2585         Reviewed by Filip Pizlo.
2586
2587         Change the Baseline and DFG code to use VM::m_stackLimit for stack limit checks.
2588
2589         * dfg/DFGJITCompiler.cpp:
2590         (JSC::DFG::JITCompiler::compileFunction):
2591         * jit/JIT.cpp:
2592         (JSC::JIT::privateCompile):
2593         * jit/JITCall.cpp:
2594         (JSC::JIT::compileLoadVarargs):
2595         * jit/JITCall32_64.cpp:
2596         (JSC::JIT::compileLoadVarargs):
2597         * runtime/VM.h:
2598         (JSC::VM::addressOfStackLimit):
2599
2600 2014-02-25  Filip Pizlo  <fpizlo@apple.com>
2601
2602         Unreviewed, roll out http://trac.webkit.org/changeset/164493.
2603         
2604         It causes crashes, apparently because it's removing too many barriers. I will investigate
2605         later.
2606
2607         * bytecode/SpeculatedType.cpp:
2608         (JSC::speculationToAbbreviatedString):
2609         * bytecode/SpeculatedType.h:
2610         * dfg/DFGFixupPhase.cpp:
2611         (JSC::DFG::FixupPhase::fixupNode):
2612         (JSC::DFG::FixupPhase::insertStoreBarrier):
2613         * dfg/DFGNode.h:
2614         * ftl/FTLCapabilities.cpp:
2615         (JSC::FTL::canCompile):
2616         * ftl/FTLLowerDFGToLLVM.cpp:
2617         (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
2618         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
2619         (JSC::FTL::LowerDFGToLLVM::isNotNully):
2620         (JSC::FTL::LowerDFGToLLVM::isNully):
2621         (JSC::FTL::LowerDFGToLLVM::speculate):
2622         (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
2623         (JSC::FTL::LowerDFGToLLVM::speculateNotCell):
2624
2625 2014-02-24  Oliver Hunt  <oliver@apple.com>
2626
2627         Fix build.
2628
2629         * jit/CCallHelpers.h:
2630         (JSC::CCallHelpers::setupArgumentsWithExecState):
2631
2632 2014-02-24  Oliver Hunt  <oliver@apple.com>
2633
2634         Spread operator has a bad time when applied to call function
2635         https://bugs.webkit.org/show_bug.cgi?id=128853
2636
2637         Reviewed by Geoffrey Garen.
2638
2639         Follow on from the previous patch that added an extra slot to
2640         op_call_varargs (and _call, _call_eval, _construct).  We now
2641         use the slot as an offset to in effect act as a 'slice' on
2642         the spread subject.  This allows us to automatically retain
2643         all our existing argument and array optimisations.  Most of
2644         this patch is simply threading the offset around.
2645
2646         * bytecode/CodeBlock.cpp:
2647         (JSC::CodeBlock::dumpBytecode):
2648         * bytecompiler/BytecodeGenerator.cpp:
2649         (JSC::BytecodeGenerator::emitCall):
2650         (JSC::BytecodeGenerator::emitCallVarargs):
2651         * bytecompiler/BytecodeGenerator.h:
2652         * bytecompiler/NodesCodegen.cpp:
2653         (JSC::getArgumentByVal):
2654         (JSC::CallFunctionCallDotNode::emitBytecode):
2655         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2656         * interpreter/Interpreter.cpp:
2657         (JSC::sizeFrameForVarargs):
2658         (JSC::loadVarargs):
2659         * interpreter/Interpreter.h:
2660         * jit/CCallHelpers.h:
2661         (JSC::CCallHelpers::setupArgumentsWithExecState):
2662         * jit/JIT.h:
2663         * jit/JITCall.cpp:
2664         (JSC::JIT::compileLoadVarargs):
2665         * jit/JITInlines.h:
2666         (JSC::JIT::callOperation):
2667         * jit/JITOperations.cpp:
2668         * jit/JITOperations.h:
2669         * llint/LLIntSlowPaths.cpp:
2670         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2671         * runtime/Arguments.cpp:
2672         (JSC::Arguments::copyToArguments):
2673         * runtime/Arguments.h:
2674         * runtime/JSArray.cpp:
2675         (JSC::JSArray::copyToArguments):
2676         * runtime/JSArray.h:
2677
2678 2014-02-24  Mark Lam  <mark.lam@apple.com>
2679
2680         Need to initialize VM stack data even when the VM is on an exclusive thread.
2681         <https://webkit.org/b/129265>
2682
2683         Reviewed by Geoffrey Garen.
2684
2685         We check VM::exclusiveThread as an optimization to forego the need to do
2686         JSLock locking. However, we recently started piggybacking on JSLock's
2687         lock() and unlock() to initialize VM stack data (stackPointerAtVMEntry
2688         and lastStackTop) to appropriate values for the current thread. This is
2689         needed because we may be acquiring the lock to enter the VM on a different
2690         thread.
2691
2692         As a result, we ended up not initializing the VM stack data when
2693         VM::exclusiveThread causes us to bypass the locking activity. Even though
2694         the VM::exclusiveThread will not have to deal with the VM being entered
2695         on a different thread, it still needs to initialize the VM stack data.
2696         The VM relies on that data being initialized properly once it has been
2697         entered.
2698
2699         With this fix, we push the check for exclusiveThread down into the JSLock,
2700         and handle the bypassing of unneeded locking activity there while still
2701         executing the necessary VM stack data initialization.
2702
2703         * API/APIShims.h:
2704         (JSC::APIEntryShim::APIEntryShim):
2705         (JSC::APICallbackShim::shouldDropAllLocks):
2706         * heap/MachineStackMarker.cpp:
2707         (JSC::MachineThreads::addCurrentThread):
2708         * runtime/JSLock.cpp:
2709         (JSC::JSLockHolder::JSLockHolder):
2710         (JSC::JSLockHolder::init):
2711         (JSC::JSLockHolder::~JSLockHolder):
2712         (JSC::JSLock::JSLock):
2713         (JSC::JSLock::setExclusiveThread):
2714         (JSC::JSLock::lock):
2715         (JSLock::unlock):
2716         (JSLock::currentThreadIsHoldingLock):
2717         (JSLock::dropAllLocks):
2718         (JSLock::grabAllLocks):
2719         * runtime/JSLock.h:
2720         (JSC::JSLock::exclusiveThread):
2721         * runtime/VM.cpp:
2722         (JSC::VM::VM):
2723         * runtime/VM.h:
2724         (JSC::VM::exclusiveThread):
2725         (JSC::VM::setExclusiveThread):
2726         (JSC::VM::currentThreadIsHoldingAPILock):
2727
2728 2014-02-24  Filip Pizlo  <fpizlo@apple.com>
2729
2730         FTL should do polymorphic PutById inlining
2731         https://bugs.webkit.org/show_bug.cgi?id=129210
2732
2733         Reviewed by Mark Hahnenberg and Oliver Hunt.
2734         
2735         This makes PutByIdStatus inform us about polymorphic cases by returning an array of
2736         PutByIdVariants. The DFG now has a node called MultiPutByOffset that indicates a
2737         selection of multiple inlined PutByIdVariants.
2738         
2739         MultiPutByOffset is almost identical to MultiGetByOffset, which we added in
2740         http://trac.webkit.org/changeset/164207.
2741         
2742         This also does some FTL refactoring to make MultiPutByOffset share code with some nodes
2743         that generate similar code.
2744         
2745         1% speed-up on V8v7 due to splay improving by 6.8%. Splay does the thing where it
2746         sometimes swaps field insertion order, creating fake polymorphism.
2747
2748         * CMakeLists.txt:
2749         * GNUmakefile.list.am:
2750         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2751         * JavaScriptCore.xcodeproj/project.pbxproj:
2752         * bytecode/PutByIdStatus.cpp:
2753         (JSC::PutByIdStatus::computeFromLLInt):
2754         (JSC::PutByIdStatus::computeFor):
2755         (JSC::PutByIdStatus::computeForStubInfo):
2756         (JSC::PutByIdStatus::dump):
2757         * bytecode/PutByIdStatus.h:
2758         (JSC::PutByIdStatus::PutByIdStatus):
2759         (JSC::PutByIdStatus::isSimple):
2760         (JSC::PutByIdStatus::numVariants):
2761         (JSC::PutByIdStatus::variants):
2762         (JSC::PutByIdStatus::at):
2763         (JSC::PutByIdStatus::operator[]):
2764         * bytecode/PutByIdVariant.cpp: Added.
2765         (JSC::PutByIdVariant::dump):
2766         (JSC::PutByIdVariant::dumpInContext):
2767         * bytecode/PutByIdVariant.h: Added.
2768         (JSC::PutByIdVariant::PutByIdVariant):
2769         (JSC::PutByIdVariant::replace):
2770         (JSC::PutByIdVariant::transition):
2771         (JSC::PutByIdVariant::kind):
2772         (JSC::PutByIdVariant::isSet):
2773         (JSC::PutByIdVariant::operator!):
2774         (JSC::PutByIdVariant::structure):
2775         (JSC::PutByIdVariant::oldStructure):
2776         (JSC::PutByIdVariant::newStructure):
2777         (JSC::PutByIdVariant::structureChain):
2778         (JSC::PutByIdVariant::offset):
2779         * dfg/DFGAbstractInterpreterInlines.h:
2780         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2781         * dfg/DFGByteCodeParser.cpp:
2782         (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
2783         (JSC::DFG::ByteCodeParser::handleGetById):
2784         (JSC::DFG::ByteCodeParser::emitPutById):
2785         (JSC::DFG::ByteCodeParser::handlePutById):
2786         (JSC::DFG::ByteCodeParser::parseBlock):
2787         * dfg/DFGCSEPhase.cpp:
2788         (JSC::DFG::CSEPhase::checkStructureElimination):
2789         (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
2790         (JSC::DFG::CSEPhase::putStructureStoreElimination):
2791         (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
2792         (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
2793         * dfg/DFGClobberize.h:
2794         (JSC::DFG::clobberize):
2795         * dfg/DFGConstantFoldingPhase.cpp:
2796         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2797         (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
2798         * dfg/DFGFixupPhase.cpp:
2799         (JSC::DFG::FixupPhase::fixupNode):
2800         * dfg/DFGGraph.cpp:
2801         (JSC::DFG::Graph::dump):
2802         * dfg/DFGGraph.h:
2803         * dfg/DFGNode.cpp:
2804         (JSC::DFG::MultiPutByOffsetData::writesStructures):
2805         (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
2806         * dfg/DFGNode.h:
2807         (JSC::DFG::Node::convertToPutByOffset):
2808         (JSC::DFG::Node::hasMultiPutByOffsetData):
2809         (JSC::DFG::Node::multiPutByOffsetData):
2810         * dfg/DFGNodeType.h:
2811         * dfg/DFGPredictionPropagationPhase.cpp:
2812         (JSC::DFG::PredictionPropagationPhase::propagate):
2813         * dfg/DFGSafeToExecute.h:
2814         (JSC::DFG::safeToExecute):
2815         * dfg/DFGSpeculativeJIT32_64.cpp:
2816         (JSC::DFG::SpeculativeJIT::compile):
2817         * dfg/DFGSpeculativeJIT64.cpp:
2818         (JSC::DFG::SpeculativeJIT::compile):
2819         * dfg/DFGTypeCheckHoistingPhase.cpp:
2820         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
2821         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
2822         * ftl/FTLCapabilities.cpp:
2823         (JSC::FTL::canCompile):
2824         * ftl/FTLLowerDFGToLLVM.cpp:
2825         (JSC::FTL::LowerDFGToLLVM::compileNode):
2826         (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
2827         (JSC::FTL::LowerDFGToLLVM::compileAllocatePropertyStorage):
2828         (JSC::FTL::LowerDFGToLLVM::compileReallocatePropertyStorage):
2829         (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
2830         (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
2831         (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
2832         (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
2833         (JSC::FTL::LowerDFGToLLVM::loadProperty):
2834         (JSC::FTL::LowerDFGToLLVM::storeProperty):
2835         (JSC::FTL::LowerDFGToLLVM::addressOfProperty):
2836         (JSC::FTL::LowerDFGToLLVM::storageForTransition):
2837         (JSC::FTL::LowerDFGToLLVM::allocatePropertyStorage):
2838         (JSC::FTL::LowerDFGToLLVM::reallocatePropertyStorage):
2839         (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
2840         * tests/stress/fold-multi-put-by-offset-to-put-by-offset.js: Added.
2841         * tests/stress/multi-put-by-offset-reallocation-butterfly-cse.js: Added.
2842         * tests/stress/multi-put-by-offset-reallocation-cases.js: Added.
2843
2844 2014-02-24  peavo@outlook.com  <peavo@outlook.com>
2845
2846         JSC regressions after r164494
2847         https://bugs.webkit.org/show_bug.cgi?id=129272
2848
2849         Reviewed by Mark Lam.
2850
2851         * offlineasm/x86.rb: Only avoid reverse opcode (fdivr) for Windows.
2852
2853 2014-02-24  Tamas Gergely  <tgergely.u-szeged@partner.samsung.com>
2854
2855         Code cleanup: remove leftover ENABLE(WORKERS) macros and support.
2856         https://bugs.webkit.org/show_bug.cgi?id=129255
2857
2858         Reviewed by Csaba Osztrogonác.
2859
2860         ENABLE_WORKERS macro was removed in r159679.
2861         Support is now also removed from xcconfig files.
2862
2863         * Configurations/FeatureDefines.xcconfig:
2864
2865 2014-02-24  David Kilzer  <ddkilzer@apple.com>
2866
2867         Remove redundant setting in FeatureDefines.xcconfig
2868
2869         * Configurations/FeatureDefines.xcconfig:
2870
2871 2014-02-23  Sam Weinig  <sam@webkit.org>
2872
2873         Update FeatureDefines.xcconfig
2874
2875         Rubber-stamped by Anders Carlsson.
2876
2877         * Configurations/FeatureDefines.xcconfig:
2878
2879 2014-02-23  Dean Jackson  <dino@apple.com>
2880
2881         Sort the project file with sort-Xcode-project-file.
2882
2883         Rubber-stamped by Sam Weinig.
2884
2885         * JavaScriptCore.xcodeproj/project.pbxproj:
2886
2887 2014-02-23  Sam Weinig  <sam@webkit.org>
2888
2889         Move telephone number detection behind its own ENABLE macro
2890         https://bugs.webkit.org/show_bug.cgi?id=129236
2891
2892         Reviewed by Dean Jackson.
2893
2894         * Configurations/FeatureDefines.xcconfig:
2895         Add ENABLE_TELEPHONE_NUMBER_DETECTION.
2896
2897 2014-02-22  Filip Pizlo  <fpizlo@apple.com>
2898
2899         Refine DFG+FTL inlining and compilation limits
2900         https://bugs.webkit.org/show_bug.cgi?id=129212
2901
2902         Reviewed by Mark Hahnenberg.
2903         
2904         Allow larger functions to be DFG-compiled. Institute a limit on FTL compilation,
2905         and set that limit quite high. Institute a limit on inlining-into. The idea here is
2906         that large functions tend to be autogenerated, and code generators like emscripten
2907         appear to leave few inlining opportunities anyway. Also, we don't want the code
2908         size explosion that we would risk if we allowed compilation of a large function and
2909         then inlined a ton of stuff into it.
2910         
2911         This is a 0.5% speed-up on Octane v2 and almost eliminates the typescript
2912         regression. This is a 9% speed-up on AsmBench.
2913
2914         * bytecode/CodeBlock.cpp:
2915         (JSC::CodeBlock::noticeIncomingCall):
2916         * dfg/DFGByteCodeParser.cpp:
2917         (JSC::DFG::ByteCodeParser::handleInlining):
2918         * dfg/DFGCapabilities.h:
2919         (JSC::DFG::isSmallEnoughToInlineCodeInto):
2920         * ftl/FTLCapabilities.cpp:
2921         (JSC::FTL::canCompile):
2922         * ftl/FTLState.h:
2923         (JSC::FTL::shouldShowDisassembly):
2924         * runtime/Options.h:
2925
2926 2014-02-22  Dan Bernstein  <mitz@apple.com>
2927
2928         REGRESSION (r164507): Crash beneath JSGlobalObjectInspectorController::reportAPIException at facebook.com, twitter.com, youtube.com
2929         https://bugs.webkit.org/show_bug.cgi?id=129227
2930
2931         Reviewed by Eric Carlson.
2932
2933         Reverted r164507.
2934
2935         * API/JSBase.cpp:
2936         (JSEvaluateScript):
2937         (JSCheckScriptSyntax):
2938         * API/JSObjectRef.cpp:
2939         (JSObjectMakeFunction):
2940         (JSObjectMakeArray):
2941         (JSObjectMakeDate):
2942         (JSObjectMakeError):
2943         (JSObjectMakeRegExp):
2944         (JSObjectGetProperty):
2945         (JSObjectSetProperty):
2946         (JSObjectGetPropertyAtIndex):
2947         (JSObjectSetPropertyAtIndex):
2948         (JSObjectDeleteProperty):
2949         (JSObjectCallAsFunction):
2950         (JSObjectCallAsConstructor):
2951         * API/JSValue.mm:
2952         (valueToArray):
2953         (valueToDictionary):
2954         * API/JSValueRef.cpp:
2955         (JSValueIsEqual):
2956         (JSValueIsInstanceOfConstructor):
2957         (JSValueCreateJSONString):
2958         (JSValueToNumber):
2959         (JSValueToStringCopy):
2960         (JSValueToObject):
2961         * inspector/ConsoleMessage.cpp:
2962         (Inspector::ConsoleMessage::ConsoleMessage):
2963         (Inspector::ConsoleMessage::autogenerateMetadata):
2964         * inspector/ConsoleMessage.h:
2965         * inspector/JSGlobalObjectInspectorController.cpp:
2966         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2967         * inspector/JSGlobalObjectInspectorController.h:
2968         * inspector/ScriptCallStack.cpp:
2969         * inspector/ScriptCallStack.h:
2970         * inspector/ScriptCallStackFactory.cpp:
2971         (Inspector::createScriptCallStack):
2972         (Inspector::createScriptCallStackForConsole):
2973         (Inspector::createScriptCallStackFromException):
2974         * inspector/ScriptCallStackFactory.h:
2975         * inspector/agents/InspectorConsoleAgent.cpp:
2976         (Inspector::InspectorConsoleAgent::enable):
2977         (Inspector::InspectorConsoleAgent::addMessageToConsole):
2978         (Inspector::InspectorConsoleAgent::count):
2979         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
2980         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
2981
2982 2014-02-22  Joseph Pecoraro  <pecoraro@apple.com>
2983
2984         Remove some unreachable code (-Wunreachable-code)
2985         https://bugs.webkit.org/show_bug.cgi?id=129220
2986
2987         Reviewed by Eric Carlson.
2988
2989         * API/tests/testapi.c:
2990         (EvilExceptionObject_convertToType):
2991         * disassembler/udis86/udis86_decode.c:
2992         (decode_operand):
2993
2994 2014-02-22  Filip Pizlo  <fpizlo@apple.com>
2995
2996         Unreviewed, ARMv7 build fix.
2997
2998         * assembler/ARMv7Assembler.h:
2999
3000 2014-02-21  Filip Pizlo  <fpizlo@apple.com>
3001
3002         It should be possible for a LinkBuffer to outlive the MacroAssembler and still be useful
3003         https://bugs.webkit.org/show_bug.cgi?id=124733
3004
3005         Reviewed by Oliver Hunt.
3006         
3007         This also takes the opportunity to de-duplicate some branch compaction code.
3008
3009         * assembler/ARM64Assembler.h:
3010         * assembler/ARMv7Assembler.h:
3011         (JSC::ARMv7Assembler::buffer):
3012         * assembler/AssemblerBuffer.h:
3013         (JSC::AssemblerData::AssemblerData):
3014         (JSC::AssemblerBuffer::AssemblerBuffer):
3015         (JSC::AssemblerBuffer::storage):
3016         (JSC::AssemblerBuffer::grow):
3017         * assembler/LinkBuffer.h:
3018         (JSC::LinkBuffer::LinkBuffer):
3019         (JSC::LinkBuffer::executableOffsetFor):
3020         (JSC::LinkBuffer::applyOffset):
3021         * assembler/MacroAssemblerARM64.h:
3022         (JSC::MacroAssemblerARM64::link):
3023         * assembler/MacroAssemblerARMv7.h:
3024
3025 2014-02-21  Brent Fulgham  <bfulgham@apple.com>
3026
3027         Extend media support for WebVTT sources
3028         https://bugs.webkit.org/show_bug.cgi?id=129156
3029
3030         Reviewed by Eric Carlson.
3031
3032         * Configurations/FeatureDefines.xcconfig: Add new feature define for AVF_CAPTIONS
3033
3034 2014-02-21  Joseph Pecoraro  <pecoraro@apple.com>
3035
3036         Web Inspector: JSContext inspection should report exceptions in the console
3037         https://bugs.webkit.org/show_bug.cgi?id=128776
3038
3039         Reviewed by Timothy Hatcher.
3040
3041         When JavaScript API functions have an exception, let the inspector
3042         know so it can log the JavaScript and Native backtrace that caused
3043         the exception.
3044
3045         Include some cleanup of ConsoleMessage and ScriptCallStack construction.
3046
3047         * API/JSBase.cpp:
3048         (JSEvaluateScript):
3049         (JSCheckScriptSyntax):
3050         * API/JSObjectRef.cpp:
3051         (JSObjectMakeFunction):
3052         (JSObjectMakeArray):
3053         (JSObjectMakeDate):
3054         (JSObjectMakeError):
3055         (JSObjectMakeRegExp):
3056         (JSObjectGetProperty):
3057         (JSObjectSetProperty):
3058         (JSObjectGetPropertyAtIndex):
3059         (JSObjectSetPropertyAtIndex):
3060         (JSObjectDeleteProperty):
3061         (JSObjectCallAsFunction):
3062         (JSObjectCallAsConstructor):
3063         * API/JSValue.mm:
3064         (reportExceptionToInspector):
3065         (valueToArray):
3066         (valueToDictionary):
3067         * API/JSValueRef.cpp:
3068         (JSValueIsEqual):
3069         (JSValueIsInstanceOfConstructor):
3070         (JSValueCreateJSONString):
3071         (JSValueToNumber):
3072         (JSValueToStringCopy):
3073         (JSValueToObject):
3074         When seeing an exception, let the inspector know there was an exception.
3075
3076         * inspector/JSGlobalObjectInspectorController.h:
3077         * inspector/JSGlobalObjectInspectorController.cpp:
3078         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3079         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
3080         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
3081         Log API exceptions by also grabbing the native backtrace.
3082
3083         * inspector/ScriptCallStack.h:
3084         * inspector/ScriptCallStack.cpp:
3085         (Inspector::ScriptCallStack::firstNonNativeCallFrame):
3086         (Inspector::ScriptCallStack::append):
3087         Minor extensions to ScriptCallStack to make it easier to work with.
3088
3089         * inspector/ConsoleMessage.cpp:
3090         (Inspector::ConsoleMessage::ConsoleMessage):
3091         (Inspector::ConsoleMessage::autogenerateMetadata):
3092         Provide better default information if the first call frame was native.
3093
3094         * inspector/ScriptCallStackFactory.cpp:
3095         (Inspector::createScriptCallStack):
3096         (Inspector::extractSourceInformationFromException):
3097         (Inspector::createScriptCallStackFromException):
3098         Perform the handling here of inserting a fake call frame for exceptions
3099         if there was no call stack (e.g. a SyntaxError) or if the first call
3100         frame had no information.
3101
3102         * inspector/ConsoleMessage.cpp:
3103         (Inspector::ConsoleMessage::ConsoleMessage):
3104         (Inspector::ConsoleMessage::autogenerateMetadata):
3105         * inspector/ConsoleMessage.h:
3106         * inspector/ScriptCallStackFactory.cpp:
3107         (Inspector::createScriptCallStack):
3108         (Inspector::createScriptCallStackForConsole):
3109         * inspector/ScriptCallStackFactory.h:
3110         * inspector/agents/InspectorConsoleAgent.cpp:
3111         (Inspector::InspectorConsoleAgent::enable):
3112         (Inspector::InspectorConsoleAgent::addMessageToConsole):
3113         (Inspector::InspectorConsoleAgent::count):
3114         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
3115         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
3116         ConsoleMessage cleanup.
3117
3118 2014-02-21  Oliver Hunt  <oliver@apple.com>
3119
3120         Add extra space to op_call and related opcodes
3121         https://bugs.webkit.org/show_bug.cgi?id=129170
3122
3123         Reviewed by Mark Lam.
3124
3125         No change in behaviour, just some refactoring to add an extra
3126         slot to the op_call instructions, and refactoring to make similar
3127         changes easier in future.
3128
3129         * bytecode/CodeBlock.cpp:
3130         (JSC::CodeBlock::printCallOp):
3131         * bytecode/Opcode.h:
3132         (JSC::padOpcodeName):
3133         * bytecompiler/BytecodeGenerator.cpp:
3134         (JSC::BytecodeGenerator::emitCall):
3135         (JSC::BytecodeGenerator::emitCallVarargs):
3136         (JSC::BytecodeGenerator::emitConstruct):
3137         * dfg/DFGByteCodeParser.cpp:
3138         (JSC::DFG::ByteCodeParser::handleIntrinsic):
3139         * jit/JITCall.cpp:
3140         (JSC::JIT::compileOpCall):
3141         * jit/JITCall32_64.cpp:
3142         (JSC::JIT::compileOpCall):
3143         * llint/LowLevelInterpreter.asm:
3144         * llint/LowLevelInterpreter32_64.asm:
3145         * llint/LowLevelInterpreter64.asm:
3146
3147 2014-02-21  Mark Lam  <mark.lam@apple.com>
3148
3149         gatherFromOtherThread() needs to align the sp before gathering roots.
3150         <https://webkit.org/b/129169>
3151
3152         Reviewed by Geoffrey Garen.
3153
3154         The GC scans the stacks of other threads using MachineThreads::gatherFromOtherThread().
3155         gatherFromOtherThread() defines the range of the other thread's stack as
3156         being bounded by the other thread's stack pointer and stack base. While
3157         the stack base will always be aligned to sizeof(void*), the stack pointer
3158         may not be. This is because the other thread may have just pushed a 32-bit
3159         value on its stack before we suspended it for scanning.
3160
3161         The fix is to round the stack pointer up to the next aligned address of
3162         sizeof(void*) and start scanning from there. On 64-bit systems, we will
3163         effectively ignore the 32-bit word at the bottom of the stack (top of the
3164         stack for stacks growing up) because it cannot be a 64-bit pointer anyway.
3165         64-bit pointers should always be stored on 64-bit aligned boundaries (our
3166         conservative scan algorithm already depends on this assumption).
3167
3168         On 32-bit systems, the rounding is effectively a no-op.
3169
3170         * heap/ConservativeRoots.cpp:
3171         (JSC::ConservativeRoots::genericAddSpan):
3172         - Hardened some assertions so that we can catch misalignment issues on
3173           release builds as well.
3174         * heap/MachineStackMarker.cpp:
3175         (JSC::MachineThreads::gatherFromOtherThread):
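
        The alignment rule described in this entry, as an added example (not JavaScriptCore code): a hypothetical scan-range helper rounds the suspended thread's stack pointer up to a sizeof(void*) boundary, refuses a misaligned stack base or an inverted range the way the hardened assertions would, and then scans a constructed fake stack whose bottom holds a half-word push. ScanRange, alignedScanRange, countConservativeHits and the fake stack are assumptions for illustration.

```cpp
// Added example, not JavaScriptCore code: why a conservative stack scan has to round
// the suspended thread's stack pointer up to a sizeof(void*) boundary before reading
// words. ScanRange, alignedScanRange and the scan loop are hypothetical stand-ins.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Round `address` up to the next multiple of `alignment`; `alignment` must be a power of two.
static uintptr_t roundUpTo(uintptr_t address, uintptr_t alignment)
{
    uintptr_t mask = alignment - 1;
    return (address + mask) & ~mask;
}

// [begin, end) in pointer-sized words. The stack grows down, so the stack pointer is
// the low end of the range and the stack base is the high end.
struct ScanRange {
    uintptr_t begin;
    uintptr_t end;
    size_t words() const { return (end - begin) / sizeof(void*); }
};

// Build the range to scan. Returns false when the inputs cannot be trusted: a stack
// base that is not pointer-aligned, or a rounded-up begin that passes the end. These
// are the misalignment conditions the entry wants caught in release builds as well.
static bool alignedScanRange(uintptr_t stackPointer, uintptr_t stackBase, ScanRange& out)
{
    if (stackBase & (sizeof(void*) - 1))
        return false;
    uintptr_t begin = roundUpTo(stackPointer, sizeof(void*));
    if (begin > stackBase)
        return false;
    out.begin = begin;
    out.end = stackBase;
    return true;
}

// Conservative scan: read every pointer-sized word in the range as a candidate pointer
// and count how many equal a known object address. Reading from `begin` is only valid
// because alignedScanRange guaranteed it is aligned.
static size_t countConservativeHits(const ScanRange& range, const std::vector<const void*>& objects)
{
    size_t hits = 0;
    for (uintptr_t p = range.begin; p < range.end; p += sizeof(void*)) {
        const void* candidate = nullptr;
        std::memcpy(&candidate, reinterpret_cast<const void*>(p), sizeof(candidate));
        for (const void* object : objects) {
            if (candidate == object)
                ++hits;
        }
    }
    return hits;
}

// Constructed scenario: a fake stack of four words. The thread "pushed" a half-word value
// (a 32-bit push on a 64-bit system) just before suspension, so its stack pointer sits
// sizeof(void*)/2 bytes below an aligned word. A pointer to `target` lives two words up.
// Returns the number of pointer hits; the expected value is 1.
static size_t scanMisalignedFakeStack()
{
    alignas(16) unsigned char fakeStack[4 * sizeof(void*)] = {};
    static int target = 7; // stands in for a heap object the scan must keep alive
    const void* pointerToTarget = &target;
    std::memcpy(fakeStack + 2 * sizeof(void*), &pointerToTarget, sizeof(pointerToTarget));

    uintptr_t stackBase = reinterpret_cast<uintptr_t>(fakeStack) + sizeof(fakeStack);
    uintptr_t stackPointer = reinterpret_cast<uintptr_t>(fakeStack) + sizeof(void*) / 2;

    ScanRange range;
    if (!alignedScanRange(stackPointer, stackBase, range))
        return 0;
    if (range.words() != 3) // the partial bottom word was skipped, three full words remain
        return 0;
    std::vector<const void*> objects{ pointerToTarget };
    return countConservativeHits(range, objects);
}
```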
3176
3177 2014-02-21  Matthew Mirman  <mmirman@apple.com>
3178
3179         Added a GetMyArgumentsLengthSafe and added a speculation check.
3180         https://bugs.webkit.org/show_bug.cgi?id=129051
3181
3182         Reviewed by Filip Pizlo.
3183
3184         * ftl/FTLLowerDFGToLLVM.cpp:
3185         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
3186
3187 2014-02-21  peavo@outlook.com  <peavo@outlook.com>
3188
3189         [Win][LLINT] Many JSC stress test failures.
3190         https://bugs.webkit.org/show_bug.cgi?id=129155
3191
3192         Reviewed by Michael Saboff.
3193
3194         Intel syntax has reversed operand order compared to AT&T syntax, so we need to swap the operand order, in this case on floating point operations.
3195         Also avoid using the reverse opcode (e.g. fdivr), as this puts the result at the wrong position in the floating point stack.
3196         E.g. "divd ft0, ft1" would translate to fdivr st, st(1) (Intel syntax) on Windows, but this puts the result in st, when it should be in st(1).
3197
3198         * offlineasm/x86.rb: Swap operand order on Windows.
3199
3200 2014-02-21  Filip Pizlo  <fpizlo@apple.com>
3201
3202         DFG write barriers should do more speculations
3203         https://bugs.webkit.org/show_bug.cgi?id=129160
3204
3205         Reviewed by Mark Hahnenberg.
3206         
3207         Replace ConditionalStoreBarrier with the cheapest speculation that you could do
3208         instead.
3209         
3210         Minuscule speed-up on some things. It's a decent difference in code size, though.
3211
3212         * bytecode/SpeculatedType.cpp:
3213         (JSC::speculationToAbbreviatedString):
3214         * bytecode/SpeculatedType.h:
3215         (JSC::isNotCellSpeculation):
3216         * dfg/DFGFixupPhase.cpp:
3217         (JSC::DFG::FixupPhase::fixupNode):
3218         (JSC::DFG::FixupPhase::insertStoreBarrier):
3219         (JSC::DFG::FixupPhase::insertPhantomCheck):
3220         * dfg/DFGNode.h:
3221         (JSC::DFG::Node::shouldSpeculateOther):
3222         (JSC::DFG::Node::shouldSpeculateNotCell):
3223         * ftl/FTLCapabilities.cpp:
3224         (JSC::FTL::canCompile):
3225         * ftl/FTLLowerDFGToLLVM.cpp:
3226         (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
3227         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
3228         (JSC::FTL::LowerDFGToLLVM::isNotOther):
3229         (JSC::FTL::LowerDFGToLLVM::isOther):
3230         (JSC::FTL::LowerDFGToLLVM::speculate):
3231         (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
3232         (JSC::FTL::LowerDFGToLLVM::speculateOther):
3233         (JSC::FTL::LowerDFGToLLVM::speculateNotCell):
3234
3235 2014-02-21  Joseph Pecoraro  <pecoraro@apple.com>
3236
3237         Revert r164486, causing a number of test failures.
3238
3239         Unreviewed rollout.
3240
3241 2014-02-21  Filip Pizlo  <fpizlo@apple.com>
3242
3243         Revive SABI (aka shouldAlwaysBeInlined)
3244         https://bugs.webkit.org/show_bug.cgi?id=129159
3245
3246         Reviewed by Mark Hahnenberg.
3247         
3248         This is a small Octane speed-up.
3249
3250         * jit/Repatch.cpp:
3251         (JSC::linkFor): This code was assuming that if it's invoked then the caller is a DFG code block. That's wrong, since it's now used by all of the JITs.
3252
3253 2014-02-21  Joseph Pecoraro  <pecoraro@apple.com>
3254
3255         Web Inspector: JSContext inspection should report exceptions in the console
3256         https://bugs.webkit.org/show_bug.cgi?id=128776
3257
3258         Reviewed by Timothy Hatcher.
3259
3260         When JavaScript API functions have an exception, let the inspector
3261         know so it can log the JavaScript and Native backtrace that caused
3262         the exception.
3263
3264         Include some cleanup of ConsoleMessage and ScriptCallStack construction.
3265
3266         * API/JSBase.cpp:
3267         (JSEvaluateScript):
3268         (JSCheckScriptSyntax):
3269         * API/JSObjectRef.cpp:
3270         (JSObjectMakeFunction):
3271         (JSObjectMakeArray):
3272         (JSObjectMakeDate):
3273         (JSObjectMakeError):
3274         (JSObjectMakeRegExp):
3275         (JSObjectGetProperty):
3276         (JSObjectSetProperty):
3277         (JSObjectGetPropertyAtIndex):
3278         (JSObjectSetPropertyAtIndex):
3279         (JSObjectDeleteProperty):
3280         (JSObjectCallAsFunction):
3281         (JSObjectCallAsConstructor):
3282         * API/JSValue.mm:
3283         (reportExceptionToInspector):
3284         (valueToArray):
3285         (valueToDictionary):
3286         * API/JSValueRef.cpp:
3287         (JSValueIsEqual):
3288         (JSValueIsInstanceOfConstructor):
3289         (JSValueCreateJSONString):
3290         (JSValueToNumber):
3291         (JSValueToStringCopy):
3292         (JSValueToObject):
3293         When seeing an exception, let the inspector know there was an exception.
3294
3295         * inspector/JSGlobalObjectInspectorController.h:
3296         * inspector/JSGlobalObjectInspectorController.cpp:
3297         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3298         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
3299         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
3300         Log API exceptions by also grabbing the native backtrace.
3301
3302         * inspector/ScriptCallStack.h:
3303         * inspector/ScriptCallStack.cpp:
3304         (Inspector::ScriptCallStack::firstNonNativeCallFrame):
3305         (Inspector::ScriptCallStack::append):
3306         Minor extensions to ScriptCallStack to make it easier to work with.
3307
3308         * inspector/ConsoleMessage.cpp:
3309         (Inspector::ConsoleMessage::ConsoleMessage):
3310         (Inspector::ConsoleMessage::autogenerateMetadata):
3311         Provide better default information if the first call frame was native.
3312
3313         * inspector/ScriptCallStackFactory.cpp:
3314         (Inspector::createScriptCallStack):
3315         (Inspector::extractSourceInformationFromException):
3316         (Inspector::createScriptCallStackFromException):
3317         Perform the handling here of inserting a fake call frame for exceptions
3318         if there was no call stack (e.g. a SyntaxError) or if the first call
3319         frame had no information.
3320
3321         * inspector/ConsoleMessage.cpp:
3322         (Inspector::ConsoleMessage::ConsoleMessage):
3323         (Inspector::ConsoleMessage::autogenerateMetadata):
3324         * inspector/ConsoleMessage.h:
3325         * inspector/ScriptCallStackFactory.cpp:
3326         (Inspector::createScriptCallStack):
3327         (Inspector::createScriptCallStackForConsole):
3328         * inspector/ScriptCallStackFactory.h:
3329         * inspector/agents/InspectorConsoleAgent.cpp:
3330         (Inspector::InspectorConsoleAgent::enable):
3331         (Inspector::InspectorConsoleAgent::addMessageToConsole):
3332         (Inspector::InspectorConsoleAgent::count):
3333         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
3334         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
3335         ConsoleMessage cleanup.
3336
3337 2014-02-20  Anders Carlsson  <andersca@apple.com>
3338
3339         Modernize JSGlobalLock and JSLockHolder
3340         https://bugs.webkit.org/show_bug.cgi?id=129105
3341
3342         Reviewed by Michael Saboff.
3343
3344         Use std::mutex and std::thread::id where possible.
3345
3346         * runtime/JSLock.cpp:
3347         (JSC::GlobalJSLock::GlobalJSLock):
3348         (JSC::GlobalJSLock::~GlobalJSLock):
3349         (JSC::GlobalJSLock::initialize):
3350         (JSC::JSLock::JSLock):
3351         (JSC::JSLock::lock):
3352         (JSC::JSLock::unlock):
3353         (JSC::JSLock::currentThreadIsHoldingLock):
3354         * runtime/JSLock.h:
3355
3356 2014-02-20  Mark Lam  <mark.lam@apple.com>
3357
3358         virtualForWithFunction() should not throw an exception with a partially initialized frame.
3359         <https://webkit.org/b/129134>
3360
3361         Reviewed by Michael Saboff.
3362
3363         Currently, when JITOperations.cpp's virtualForWithFunction() fails to
3364         prepare the callee function for execution, it proceeds to throw the
3365         exception using the callee frame which is only partially initialized
3366         thus far. Instead, it should be throwing the exception using the caller
3367         frame because:
3368         1. the error happened "in" the caller while preparing the callee for
3369            execution, i.e. the caller frame is the top fully initialized frame
3370            on the stack.
3371         2. the callee frame is not fully initialized yet, and the unwind
3372            mechanism cannot depend on the data in it.
3373
3374         * jit/JITOperations.cpp:
3375
3376 2014-02-20  Mark Lam  <mark.lam@apple.com>
3377
3378         DefaultGCActivityCallback::doWork() should reschedule if GC is deferred.
3379         <https://webkit.org/b/129131>
3380
3381         Reviewed by Mark Hahnenberg.
3382
3383         Currently, DefaultGCActivityCallback::doWork() does not check if the GC
3384         needs to be deferred before commencing. As a result, the GC may crash
3385         and/or corrupt data because the VM is not in the consistent state needed
3386         for the GC to run. With this fix, doWork() now checks if the GC is
3387         supposed to be deferred and re-schedules if needed. It only commences
3388         with GC'ing when it's safe to do so.
3389
3390         * runtime/GCActivityCallback.cpp:
3391         (JSC::DefaultGCActivityCallback::doWork):
3392
3393 2014-02-20  Geoffrey Garen  <ggaren@apple.com>
3394
3395         Math.imul gives wrong results
3396         https://bugs.webkit.org/show_bug.cgi?id=126345
3397
3398         Reviewed by Mark Hahnenberg.
3399
3400         Don't truncate non-int doubles to 0 -- that's just not how ToInt32 works.
3401         Instead, take a slow path that will do the right thing.
3402
3403         * jit/ThunkGenerators.cpp:
3404         (JSC::imulThunkGenerator):
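
        The ToInt32 behaviour this entry relies on, as an added example (not JavaScriptCore's thunk): a reference ToInt32 and a Math.imul built on it, beside a hypothetical fast path that truncates non-integer doubles to 0 so the two results can be compared. toInt32, imul and imulWithTruncateToZeroDefect are names chosen here for illustration.

```cpp
// Added example, not JavaScriptCore code: the ECMAScript ToInt32 conversion and a
// Math.imul built on it, beside a hypothetical fast path with the defect the entry
// describes (non-integer doubles treated as 0 instead of being converted).
#include <cmath>
#include <cstdint>

static const double kTwoTo32 = 4294967296.0;

// ECMAScript ToInt32: NaN and infinities become 0; the value is truncated toward
// zero, reduced modulo 2^32 into [0, 2^32), then mapped onto the signed 32-bit range.
static int32_t toInt32(double value)
{
    if (std::isnan(value) || std::isinf(value))
        return 0;
    double modulo = std::fmod(std::trunc(value), kTwoTo32);
    if (modulo < 0)
        modulo += kTwoTo32; // fmod keeps the dividend's sign; shift negatives into range
    uint32_t bits = static_cast<uint32_t>(modulo); // exact: an integer below 2^32
    if (bits >= 0x80000000u)
        return static_cast<int32_t>(bits - 0x80000000u) + INT32_MIN; // portable wrap to negative
    return static_cast<int32_t>(bits);
}

// Math.imul(a, b): ToInt32 both operands, then multiply with 32-bit wrap-around.
static int32_t imul(double a, double b)
{
    uint32_t x = static_cast<uint32_t>(toInt32(a));
    uint32_t y = static_cast<uint32_t>(toInt32(b));
    uint32_t product = x * y; // unsigned arithmetic wraps modulo 2^32 by definition
    if (product >= 0x80000000u)
        return static_cast<int32_t>(product - 0x80000000u) + INT32_MIN;
    return static_cast<int32_t>(product);
}

// Hypothetical "before" behaviour, as the entry describes it: a fast path that turned
// any non-integer double into 0 instead of applying ToInt32. Kept only to contrast
// with the correct result; imul(2.5, 3) must be 6, not 0.
static int32_t imulWithTruncateToZeroDefect(double a, double b)
{
    auto fastPathToInt32 = [](double v) -> int32_t {
        if (std::trunc(v) != v)
            return 0; // the defect: 2.5 becomes 0 rather than 2
        return toInt32(v);
    };
    return imul(fastPathToInt32(a), fastPathToInt32(b));
}

// True when the correct implementation and the defective fast path disagree on (a, b),
// i.e. when the input is one the fix in this entry changes the answer for.
static bool defectIsObservable(double a, double b)
{
    return imul(a, b) != imulWithTruncateToZeroDefect(a, b);
}
```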
3405
3406 2014-02-20  Filip Pizlo  <fpizlo@apple.com>
3407
3408         DFG should do its own static estimates of execution frequency before it starts creating OSR entrypoints
3409         https://bugs.webkit.org/show_bug.cgi?id=1291