3ff4053d48972dff182866ed62b554245874899b
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2014-03-14  Oliver Hunt  <oliver@apple.com>
2
3         Reinstate initialiser syntax in for-in loops
4         https://bugs.webkit.org/show_bug.cgi?id=130269
5
6         Reviewed by Michael Saboff.
7
8         Disallowing the initialiser broke some sites so this patch re-allows
9         the syntax.  We still disallow the syntax in 'of' and pattern based
10         enumeration.
11
12         * parser/ASTBuilder.h:
13         (JSC::ASTBuilder::isBindingNode):
14         * parser/Parser.cpp:
15         (JSC::Parser<LexerType>::parseVarDeclarationList):
16         (JSC::Parser<LexerType>::parseForStatement):
17         * parser/SyntaxChecker.h:
18         (JSC::SyntaxChecker::operatorStackPop):
19
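The rule this entry describes (an initialiser on a plain `var` is accepted in a `for-in` head but rejected in `for-of` and for destructuring patterns) is the same Annex B behaviour other engines implement. The following probe is added here and is not part of the WebKit patch; it assumes the host engine follows that rule (written for Node/V8) and uses fixed literal sources only as a parser oracle.

```javascript
// Added probe for the for-in initialiser rule described above; not part of
// the WebKit patch. Assumes the host engine follows the same Annex B rule
// (a plain `var x = init` is accepted in a for-in head, rejected in for-of
// and for destructuring patterns). Each source string is a fixed literal,
// so `new Function` is used only as a parser oracle, never on input data.
function forInInitializerProbe() {
  const sources = {
    varInitInForIn: 'for (var i = 0 in {}) {}',
    varInitInForOf: 'for (var i = 0 of []) {}',
    patternInitInForIn: 'for (var [a] = [] in {}) {}',
  };
  const verdicts = {};
  for (const [name, src] of Object.entries(sources)) {
    try {
      new Function(src);            // parse only; the body is never called
      verdicts[name] = 'accepted';
    } catch (e) {
      verdicts[name] = e instanceof SyntaxError ? 'SyntaxError' : 'other';
    }
  }
  return verdicts;
}

// Shows what the accepted form actually does: the initialiser is assigned
// before enumeration starts, so it is what remains when there is nothing
// to enumerate, and each enumerated key overwrites it otherwise.
function forInInitializerSemantics() {
  const whenEmpty = new Function('for (var i = 0 in {}) {} return i;')();
  const whenKeys = new Function(
    'var seen = []; for (var i = 0 in { a: 1, b: 2 }) seen.push(i); return seen.join(",");'
  )();
  return { whenEmpty, whenKeys };
}
```
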
20 2014-03-14  Mark Lam  <mark.lam@apple.com>
21
22         Accessing __lookupGetter__ and __lookupSetter__ should not crash the VM when undefined.
23         <https://webkit.org/b/130279>
24
25         Reviewed by Filip Pizlo.
26
27         If neither the getter nor setter are defined, accessing __lookupGetter__
28         and __lookupSetter__ will return undefined as expected.  However, if the
29         getter is defined but the setter is not, accessing __lookupSetter__ will
30         crash the VM.  Similarly, accessing __lookupGetter__ when only the setter
31         is defined will crash the VM.
32
33         The reason is because objectProtoFuncLookupGetter() and
34         objectProtoFuncLookupSetter() did not check if the getter and setter
35         value is non-null before returning it as an EncodedJSValue.  The fix is
36         to add the appropriate null checks.
37
38         * runtime/ObjectPrototype.cpp:
39         (JSC::objectProtoFuncLookupGetter):
40         (JSC::objectProtoFuncLookupSetter):
41
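A regression-style check for the behaviour this entry fixes, added here and not part of the WebKit patch: every getter/setter combination (plus a plain data property), looked up both on the owning object and through the prototype chain, with the result of each legacy accessor recorded. A correct engine returns undefined for the missing side rather than faulting on a null accessor.

```javascript
// Added regression check for the __lookupGetter__/__lookupSetter__ entry
// above; not part of the WebKit patch. Builds each accessor combination,
// looks up both sides on the object itself and on a child that inherits
// from it, and records whether the lookup returned the defined accessor,
// undefined, or something unexpected.
function lookupAccessorMatrix() {
  function getter() { return 1; }
  function setter(v) {}
  const cases = {
    neither: {},
    dataProperty: { p: 1 },
    getterOnly: Object.defineProperty({}, 'p', { get: getter, configurable: true }),
    setterOnly: Object.defineProperty({}, 'p', { set: setter, configurable: true }),
    both: Object.defineProperty({}, 'p', { get: getter, set: setter, configurable: true }),
  };
  const describe = (fn, expected) =>
    fn === undefined ? 'undefined' : fn === expected ? 'accessor' : 'unexpected';
  const results = {};
  for (const [name, obj] of Object.entries(cases)) {
    const child = Object.create(obj);   // lookup must walk the prototype chain
    results[name] = {
      getter: describe(obj.__lookupGetter__('p'), getter),
      setter: describe(obj.__lookupSetter__('p'), setter),
      inheritedGetter: describe(child.__lookupGetter__('p'), getter),
      inheritedSetter: describe(child.__lookupSetter__('p'), setter),
    };
  }
  return results;
}
```
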
42 2014-03-14  Mark Rowe  <mrowe@apple.com>
43
44         Fix the production build.
45
46         Don't rely on USE_INTERNAL_SDK being set for the Production configuration since UseInternalSDK.xcconfig won't
47         be at the expected relative path when working from installed source.
48
49         * Configurations/Base.xcconfig:
50
51 2014-03-14  Maciej Stachowiak  <mjs@apple.com>
52
53         Replace "Apple Computer, Inc." with "Apple Inc." in copyright headers
54         https://bugs.webkit.org/show_bug.cgi?id=130276
55         <rdar://problem/16266927>
56
57         Reviewed by Simon Fraser.
58
59         * API/APICast.h:
60         * API/JSBase.cpp:
61         * API/JSBase.h:
62         * API/JSBasePrivate.h:
63         * API/JSCallbackConstructor.cpp:
64         * API/JSCallbackConstructor.h:
65         * API/JSCallbackFunction.cpp:
66         * API/JSCallbackFunction.h:
67         * API/JSCallbackObject.cpp:
68         * API/JSCallbackObject.h:
69         * API/JSCallbackObjectFunctions.h:
70         * API/JSClassRef.cpp:
71         * API/JSClassRef.h:
72         * API/JSContextRef.cpp:
73         * API/JSContextRef.h:
74         * API/JSContextRefPrivate.h:
75         * API/JSObjectRef.cpp:
76         * API/JSObjectRef.h:
77         * API/JSProfilerPrivate.cpp:
78         * API/JSProfilerPrivate.h:
79         * API/JSRetainPtr.h:
80         * API/JSStringRef.cpp:
81         * API/JSStringRef.h:
82         * API/JSStringRefBSTR.cpp:
83         * API/JSStringRefBSTR.h:
84         * API/JSStringRefCF.cpp:
85         * API/JSStringRefCF.h:
86         * API/JSValueRef.cpp:
87         * API/JSValueRef.h:
88         * API/JavaScript.h:
89         * API/JavaScriptCore.h:
90         * API/OpaqueJSString.cpp:
91         * API/OpaqueJSString.h:
92         * API/tests/JSNode.c:
93         * API/tests/JSNode.h:
94         * API/tests/JSNodeList.c:
95         * API/tests/JSNodeList.h:
96         * API/tests/Node.c:
97         * API/tests/Node.h:
98         * API/tests/NodeList.c:
99         * API/tests/NodeList.h:
100         * API/tests/minidom.c:
101         * API/tests/minidom.js:
102         * API/tests/testapi.c:
103         * API/tests/testapi.js:
104         * DerivedSources.make:
105         * bindings/ScriptValue.cpp:
106         * bytecode/CodeBlock.cpp:
107         * bytecode/CodeBlock.h:
108         * bytecode/EvalCodeCache.h:
109         * bytecode/Instruction.h:
110         * bytecode/JumpTable.cpp:
111         * bytecode/JumpTable.h:
112         * bytecode/Opcode.cpp:
113         * bytecode/Opcode.h:
114         * bytecode/SamplingTool.cpp:
115         * bytecode/SamplingTool.h:
116         * bytecode/SpeculatedType.cpp:
117         * bytecode/SpeculatedType.h:
118         * bytecode/ValueProfile.h:
119         * bytecompiler/BytecodeGenerator.cpp:
120         * bytecompiler/BytecodeGenerator.h:
121         * bytecompiler/Label.h:
122         * bytecompiler/LabelScope.h:
123         * bytecompiler/RegisterID.h:
124         * debugger/DebuggerCallFrame.cpp:
125         * debugger/DebuggerCallFrame.h:
126         * dfg/DFGDesiredStructureChains.cpp:
127         * dfg/DFGDesiredStructureChains.h:
128         * heap/GCActivityCallback.cpp:
129         * heap/GCActivityCallback.h:
130         * inspector/ConsoleMessage.cpp:
131         * inspector/ConsoleMessage.h:
132         * inspector/IdentifiersFactory.cpp:
133         * inspector/IdentifiersFactory.h:
134         * inspector/InjectedScriptManager.cpp:
135         * inspector/InjectedScriptManager.h:
136         * inspector/InjectedScriptSource.js:
137         * inspector/ScriptBreakpoint.h:
138         * inspector/ScriptDebugListener.h:
139         * inspector/ScriptDebugServer.cpp:
140         * inspector/ScriptDebugServer.h:
141         * inspector/agents/InspectorAgent.cpp:
142         * inspector/agents/InspectorAgent.h:
143         * inspector/agents/InspectorDebuggerAgent.cpp:
144         * inspector/agents/InspectorDebuggerAgent.h:
145         * interpreter/Interpreter.cpp:
146         * interpreter/Interpreter.h:
147         * interpreter/JSStack.cpp:
148         * interpreter/JSStack.h:
149         * interpreter/Register.h:
150         * jit/CompactJITCodeMap.h:
151         * jit/JITStubs.cpp:
152         * jit/JITStubs.h:
153         * jit/JITStubsARM.h:
154         * jit/JITStubsARMv7.h:
155         * jit/JITStubsX86.h:
156         * jit/JITStubsX86_64.h:
157         * os-win32/stdbool.h:
158         * parser/SourceCode.h:
159         * parser/SourceProvider.h:
160         * profiler/LegacyProfiler.cpp:
161         * profiler/LegacyProfiler.h:
162         * profiler/ProfileNode.cpp:
163         * profiler/ProfileNode.h:
164         * runtime/ArrayBufferView.cpp:
165         * runtime/ArrayBufferView.h:
166         * runtime/BatchedTransitionOptimizer.h:
167         * runtime/CallData.h:
168         * runtime/ConstructData.h:
169         * runtime/DumpContext.cpp:
170         * runtime/DumpContext.h:
171         * runtime/ExceptionHelpers.cpp:
172         * runtime/ExceptionHelpers.h:
173         * runtime/InitializeThreading.cpp:
174         * runtime/InitializeThreading.h:
175         * runtime/IntegralTypedArrayBase.h:
176         * runtime/IntendedStructureChain.cpp:
177         * runtime/IntendedStructureChain.h:
178         * runtime/JSActivation.cpp:
179         * runtime/JSActivation.h:
180         * runtime/JSExportMacros.h:
181         * runtime/JSGlobalObject.cpp:
182         * runtime/JSNotAnObject.cpp:
183         * runtime/JSNotAnObject.h:
184         * runtime/JSPropertyNameIterator.cpp:
185         * runtime/JSPropertyNameIterator.h:
186         * runtime/JSSegmentedVariableObject.cpp:
187         * runtime/JSSegmentedVariableObject.h:
188         * runtime/JSSymbolTableObject.cpp:
189         * runtime/JSSymbolTableObject.h:
190         * runtime/JSTypeInfo.h:
191         * runtime/JSVariableObject.cpp:
192         * runtime/JSVariableObject.h:
193         * runtime/PropertyTable.cpp:
194         * runtime/PutPropertySlot.h:
195         * runtime/SamplingCounter.cpp:
196         * runtime/SamplingCounter.h:
197         * runtime/Structure.cpp:
198         * runtime/Structure.h:
199         * runtime/StructureChain.cpp:
200         * runtime/StructureChain.h:
201         * runtime/StructureInlines.h:
202         * runtime/StructureTransitionTable.h:
203         * runtime/SymbolTable.cpp:
204         * runtime/SymbolTable.h:
205         * runtime/TypedArrayBase.h:
206         * runtime/TypedArrayType.cpp:
207         * runtime/TypedArrayType.h:
208         * runtime/VM.cpp:
209         * runtime/VM.h:
210         * yarr/RegularExpression.cpp:
211         * yarr/RegularExpression.h:
212
213 2014-03-14  Filip Pizlo  <fpizlo@apple.com>
214
215         Final FTL iOS build magic
216         https://bugs.webkit.org/show_bug.cgi?id=130281
217
218         Reviewed by Michael Saboff.
219
220         * Configurations/Base.xcconfig: For now our LLVM headers are in /usr/local/LLVMForJavaScriptCore/include, which is the same as OS X.
221         * Configurations/LLVMForJSC.xcconfig: We need to be more careful about how we specify library paths if we want to get the prioritization right. Also we need protobuf because things. :-/
222
223 2014-03-14  Joseph Pecoraro  <pecoraro@apple.com>
224
225         Web Inspector: Gracefully handle nil name -[JSContext setName:]
226         https://bugs.webkit.org/show_bug.cgi?id=130262
227
228         Reviewed by Mark Hahnenberg.
229
230         * API/JSContext.mm:
231         (-[JSContext setName:]):
232         Gracefully handle nil input.
233
234         * API/tests/testapi.c:
235         (globalContextNameTest):
236         * API/tests/testapi.mm:
237         Test for nil / NULL names in the ObjC and C APIs.
238
239 2014-03-11  Oliver Hunt  <oliver@apple.com>
240
241         Improve dom error messages
242         https://bugs.webkit.org/show_bug.cgi?id=130103
243
244         Reviewed by Andreas Kling.
245
246         Add new helper function.
247
248         * runtime/Error.h:
249         (JSC::throwVMTypeError):
250
251 2014-03-14  László Langó  <llango.u-szeged@partner.samsung.com>
252
253         Remove unused method declaration.
254         https://bugs.webkit.org/show_bug.cgi?id=130238
255
256         Reviewed by Filip Pizlo.
257
258         The implementation of CallFrame::dumpCaller was removed in
259         http://trac.webkit.org/changeset/153183, but the declaration of it was not.
260
261         * interpreter/CallFrame.h:
262         Remove CallFrame::dumpCaller() method declaration.
263
264 2014-03-12  Sergio Villar Senin  <svillar@igalia.com>
265
266         Rename DEFINE_STATIC_LOCAL to DEPRECATED_DEFINE_STATIC_LOCAL
267         https://bugs.webkit.org/show_bug.cgi?id=129612
268
269         Reviewed by Darin Adler.
270
271         For new code use static NeverDestroyed<T> instead.
272
273         * API/JSAPIWrapperObject.mm:
274         (jsAPIWrapperObjectHandleOwner):
275         * API/JSManagedValue.mm:
276         (managedValueHandleOwner):
277         * inspector/agents/InspectorDebuggerAgent.cpp:
278         (Inspector::objectGroupForBreakpointAction):
279         * inspector/scripts/CodeGeneratorInspectorStrings.py:
280         * interpreter/JSStack.cpp:
281         (JSC::stackStatisticsMutex):
282         * jit/ExecutableAllocator.cpp:
283         (JSC::DemandExecutableAllocator::allocators):
284
285 2014-03-12  Gavin Barraclough  <barraclough@apple.com>
286
287         Reduce memory use for static property maps
288         https://bugs.webkit.org/show_bug.cgi?id=129986
289
290         Reviewed by Andreas Kling.
291
292         Static property tables are currently duplicated on first use from read-only memory into dirty memory
293         in every process, and since the entries are large (48 bytes) and the tables can be unusually sparse
294         (we use a custom hash table without a rehash) a lot of memory may be wasted.
295
296         First, reduce the size of the hashtable. Instead of storing values in the table the hashtable maps
297         from string hashes to indices into a densely packed array of values. Compute the index table at
298         compile time as a part of the derived sources step, such that this may be read-only data.
299
300         Second, don't copy all data from the HashTableValue array into HashEntry objects. Instead refer
301         directly to the HashTableValue entries. The only data that needs to be allocated at runtime are the
302         keys, which are Identifiers.
303
304         * create_hash_table:
305             - emit the hash table index into the derived source (we were calculating this already to ensure chaining does not get too deep).
306         * parser/Lexer.cpp:
307         (JSC::Lexer<LChar>::parseIdentifier):
308         (JSC::Lexer<UChar>::parseIdentifier):
309         (JSC::Lexer<T>::parseIdentifierSlowCase):
310             - HashEntry -> HashTableValue.
311         * parser/Lexer.h:
312         (JSC::Keywords::getKeyword):
313             - HashEntry -> HashTableValue.
314         * runtime/ClassInfo.h:
315             - removed HashEntry.
316         * runtime/JSObject.cpp:
317         (JSC::getClassPropertyNames):
318             - use HashTable::ConstIterator.
319         (JSC::JSObject::put):
320         (JSC::JSObject::deleteProperty):
321         (JSC::JSObject::findPropertyHashEntry):
322             - HashEntry -> HashTableValue.
323         (JSC::JSObject::reifyStaticFunctionsForDelete):
324             - changed HashTable::ConstIterator interface.
325         * runtime/JSObject.h:
326             - HashEntry -> HashTableValue.
327         * runtime/Lookup.cpp:
328         (JSC::HashTable::createTable):
329             - table -> keys, keys array is now densely packed.
330         (JSC::HashTable::deleteTable):
331             - table -> keys.
332         (JSC::setUpStaticFunctionSlot):
333             - HashEntry -> HashTableValue.
334         * runtime/Lookup.h:
335         (JSC::HashTableValue::builtinGenerator):
336         (JSC::HashTableValue::function):
337         (JSC::HashTableValue::functionLength):
338         (JSC::HashTableValue::propertyGetter):
339         (JSC::HashTableValue::propertyPutter):
340         (JSC::HashTableValue::lexerValue):
341             - added accessor methods from HashEntry.
342         (JSC::HashTable::copy):
343             - fields changed.
344         (JSC::HashTable::initializeIfNeeded):
345             - table -> keys.
346         (JSC::HashTable::entry):
347             - HashEntry -> HashTableValue.
348         (JSC::HashTable::ConstIterator::ConstIterator):
349             - iterate packed value array, so no need to skipInvalidKeys().
350         (JSC::HashTable::ConstIterator::value):
351         (JSC::HashTable::ConstIterator::key):
352         (JSC::HashTable::ConstIterator::operator->):
353             - accessors now get HashTableValue/StringImpl* separately.
354         (JSC::HashTable::ConstIterator::operator++):
355             - iterate packed value array, so no need to skipInvalidKeys().
356         (JSC::HashTable::end):
357             - end is now size of dense not sparse array.
358         (JSC::getStaticPropertySlot):
359         (JSC::getStaticFunctionSlot):
360         (JSC::getStaticValueSlot):
361         (JSC::putEntry):
362         (JSC::lookupPut):
363             - HashEntry -> HashTableValue.
364
365 2014-03-13  Filip Pizlo  <fpizlo@apple.com>
366
367         Unreviewed, fix Mac no-FTL build.
368
369         * llvm/library/LLVMExports.cpp:
370         (initializeAndGetJSCLLVMAPI):
371
372 2014-03-13  Juergen Ributzka  <juergen@apple.com>
373
374         Only export initializeAndGetJSCLLVMAPI from libllvmForJSC.dylib
375         https://bugs.webkit.org/show_bug.cgi?id=130224
376
377         Reviewed by Filip Pizlo.
378
379         This limits the exported symbols to only initializeAndGetJSCLLVMAPI from
380         the LLVM dylib. This allows the dylib to be safely used with other LLVM
381         dylibs on the same system. It also reduces the dynamic linking overhead
382         and also reduces the size by 6MB, because the linker can now dead strip
383         many unused functions.
384
385         * Configurations/LLVMForJSC.xcconfig:
386
387 2014-03-13  Andreas Kling  <akling@apple.com>
388
389         VM::discardAllCode() should clear the RegExp cache.
390         <https://webkit.org/b/130144>
391
392         Reviewed by Michael Saboff.
393
394         * runtime/VM.cpp:
395         (JSC::VM::discardAllCode):
396
397 2014-03-13  Andreas Kling  <akling@apple.com>
398
399         Revert "Short-circuit JSGlobalObjectInspectorController when not inspecting."
400         <https://webkit.org/b/129995>
401
402         This code path is not taken anymore on DYEB, and I can't explain why
403         it was showing up in my profiles. Backing it out per JoePeck's suggestion.
404
405         * inspector/JSGlobalObjectInspectorController.cpp:
406         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
407
408 2014-03-13  Filip Pizlo  <fpizlo@apple.com>
409
410         FTL should support IsBlah
411         https://bugs.webkit.org/show_bug.cgi?id=130202
412
413         Reviewed by Geoffrey Garen.
414
415         * ftl/FTLCapabilities.cpp:
416         (JSC::FTL::canCompile):
417         * ftl/FTLIntrinsicRepository.h:
418         * ftl/FTLLowerDFGToLLVM.cpp:
419         (JSC::FTL::LowerDFGToLLVM::compileNode):
420         (JSC::FTL::LowerDFGToLLVM::compileIsUndefined):
421         (JSC::FTL::LowerDFGToLLVM::compileIsBoolean):
422         (JSC::FTL::LowerDFGToLLVM::compileIsNumber):
423         (JSC::FTL::LowerDFGToLLVM::compileIsString):
424         (JSC::FTL::LowerDFGToLLVM::compileIsObject):
425         (JSC::FTL::LowerDFGToLLVM::compileIsFunction):
426         (JSC::FTL::LowerDFGToLLVM::compileStoreBarrier):
427         (JSC::FTL::LowerDFGToLLVM::compileStoreBarrierWithNullCheck):
428         (JSC::FTL::LowerDFGToLLVM::isNotCellOrMisc):
429         (JSC::FTL::LowerDFGToLLVM::isNumber):
430         (JSC::FTL::LowerDFGToLLVM::isNotNumber):
431         (JSC::FTL::LowerDFGToLLVM::isBoolean):
432         * ftl/FTLOSRExitCompiler.cpp:
433         * tests/stress/is-undefined-exit-on-masquerader.js: Added.
434         (bar):
435         (foo):
436         (test):
437         * tests/stress/is-undefined-jettison-on-masquerader.js: Added.
438         (foo):
439         (test):
440         * tests/stress/is-undefined-masquerader.js: Added.
441         (foo):
442         (test):
443
444 2014-03-13  Mark Lam  <mark.lam@apple.com>
445
446         JS benchmarks crash with a bus error on 32-bit x86.
447         <https://webkit.org/b/130203>
448
449         Reviewed by Geoffrey Garen.
450
451         The issue is that generateGetByIdStub() can potentially use the same register
452         for the JSValue base register and the target tag register.  After loading the
453         tag value into the target tag register, the JSValue base address is lost.
454         The code then proceeds to load the payload value using the base register, and
455         this results in a crash.
456
457         The fix is to check if the base register is the same as the target tag register.
458         If so, we should make a copy of the base register first before loading the tag
459         value, and use the copy to load the payload value instead.
460
461         * jit/Repatch.cpp:
462         (JSC::generateGetByIdStub):
463
464 2014-03-12  Filip Pizlo  <fpizlo@apple.com>
465
466         WebKit shouldn't crash on uniprocessor machines
467         https://bugs.webkit.org/show_bug.cgi?id=130176
468
469         Reviewed by Michael Saboff.
470         
471         Previously the math for computing the number of JIT compiler threads would come up with
472         zero threads on uniprocessor machines, and then the Worklist code would assert.
473
474         * runtime/Options.cpp:
475         (JSC::computeNumberOfWorkerThreads):
476         * runtime/Options.h:
477
478 2014-03-13  Radu Stavila  <stavila@adobe.com>
479
480         WebKit not building on Xcode 5.1 due to garbage collection no longer being supported
481         https://bugs.webkit.org/show_bug.cgi?id=130087
482
483         Reviewed by Mark Rowe.
484
485         Disable garbage collection on macosx when not using internal SDK.
486
487         * Configurations/Base.xcconfig:
488
489 2014-03-10  Darin Adler  <darin@apple.com>
490
491         Avoid copy-prone idiom "for (auto item : collection)"
492         https://bugs.webkit.org/show_bug.cgi?id=129990
493
494         Reviewed by Geoffrey Garen.
495
496         * heap/CodeBlockSet.h:
497         (JSC::CodeBlockSet::iterate): Use auto& to be sure we don't copy by accident.
498         * inspector/ScriptDebugServer.cpp:
499         (Inspector::ScriptDebugServer::dispatchBreakpointActionLog): Use auto* to
500         make explicit that we are iterating through pointers.
501         (Inspector::ScriptDebugServer::dispatchBreakpointActionSound): Ditto.
502         (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe): Ditto.
503         * inspector/agents/InspectorDebuggerAgent.cpp:
504         (Inspector::InspectorDebuggerAgent::removeBreakpoint): Use auto&, and also
505         get rid of an unneeded local variable.
506
507 2014-03-13  Brian Burg  <bburg@apple.com>
508
509         Web Inspector: Remove unused callId parameter from evaluateInWebInspector
510         https://bugs.webkit.org/show_bug.cgi?id=129744
511
512         Reviewed by Timothy Hatcher.
513
514         * inspector/agents/InspectorAgent.cpp:
515         (Inspector::InspectorAgent::enable):
516         (Inspector::InspectorAgent::evaluateForTestInFrontend):
517         * inspector/agents/InspectorAgent.h:
518         * inspector/protocol/InspectorDomain.json:
519
520 2014-03-11  Filip Pizlo  <fpizlo@apple.com>
521
522         ASSERTION FAILED: node->op() == Phi || node->op() == SetArgument
523         https://bugs.webkit.org/show_bug.cgi?id=130069
524
525         Reviewed by Geoffrey Garen.
526         
527         This was a great assertion, and it represents our strictest interpretation of the rules of
528         our intermediate representation. However, fixing DCE to actually preserve the relevant
529         property would be hard, and it wouldn't have an observable effect right now because nobody
530         actually uses the property of CPS that this assertion is checking for.
531         
532         In particular, we do always require, and rely on, the fact that non-captured variables
533         have variablesAtTail refer to the last interesting use of the variable: a SetLocal if the
534         block assigns to the variable, a GetLocal if it only reads from it, and a Flush,
535         PhantomLocal, or Phi otherwise. We do preserve this property successfully and DCE was not
536         broken in this regard. But, in the strictest sense, CPS also means that for captured
537         variables, variablesAtTail also continues to point to the last relevant use of the
538         variable. In particular, if there are multiple GetLocals, then it should point to the last
539         one. This is hard for DCE to preserve. Also, nobody relies on variablesAtTail for captured
540         variables, except to check the VariableAccessData; but in that case, we don't really need
541         the *last* relevant use of the variable - any node that mentions the same variable will do
542         just fine.
543         
544         So, this change loosens the assertion and adds a detailed FIXME describing what we would
545         have to do if we wanted to preserve the more strict property.
546         
547         This also makes changes to various debug printing paths so that validation doesn't crash
548         during graph dump. This also adds tests for the interesting cases of DCE failing to
549         preserve CPS in the strictest sense. This also attempts to win the record for longest test
550         name.
551
552         * bytecode/CodeBlock.cpp:
553         (JSC::CodeBlock::hashAsStringIfPossible):
554         (JSC::CodeBlock::dumpAssumingJITType):
555         * bytecode/CodeBlock.h:
556         * bytecode/CodeOrigin.cpp:
557         (JSC::InlineCallFrame::hashAsStringIfPossible):
558         (JSC::InlineCallFrame::dumpBriefFunctionInformation):
559         * bytecode/CodeOrigin.h:
560         * dfg/DFGCPSRethreadingPhase.cpp:
561         (JSC::DFG::CPSRethreadingPhase::run):
562         * dfg/DFGDCEPhase.cpp:
563         (JSC::DFG::DCEPhase::cleanVariables):
564         * dfg/DFGInPlaceAbstractState.cpp:
565         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
566         * runtime/FunctionExecutableDump.cpp:
567         (JSC::FunctionExecutableDump::dump):
568         * tests/stress/dead-access-to-captured-variable-preceded-by-a-live-store-in-function-with-multiple-basic-blocks.js: Added.
569         (foo):
570         * tests/stress/dead-access-to-captured-variable-preceded-by-a-live-store.js: Added.
571         (foo):
572
573 2014-03-12  Brian Burg  <bburg@apple.com>
574
575         Web Replay: add infrastructure for memoizing nondeterministic DOM APIs
576         https://bugs.webkit.org/show_bug.cgi?id=129445
577
578         Reviewed by Timothy Hatcher.
579
580         There was a bug in the replay inputs code generator that would include
581         headers for definitions of enum classes, even though they can be safely
582         forward-declared.
583
584         * replay/scripts/CodeGeneratorReplayInputs.py:
585         (Generator.generate_includes): Only include for copy constructor if the
586         type is a heavy scalar (i.e., String, URL), not a normal scalar
587         (i.e., int, double, enum classes).
588
589         (Generator.generate_type_forward_declarations): Forward-declare scalars
590         that are enums or enum classes.
591
592 2014-03-12  Joseph Pecoraro  <pecoraro@apple.com>
593
594         Web Inspector: Disable REMOTE_INSPECTOR in earlier OS X releases
595         https://bugs.webkit.org/show_bug.cgi?id=130118
596
597         Reviewed by Timothy Hatcher.
598
599         * Configurations/FeatureDefines.xcconfig:
600
601 2014-03-12  Joseph Pecoraro  <pecoraro@apple.com>
602
603         Web Inspector: Hang in Remote Inspection triggering breakpoint from console
604         https://bugs.webkit.org/show_bug.cgi?id=130032
605
606         Reviewed by Timothy Hatcher.
607
608         * inspector/EventLoop.h:
609         * inspector/EventLoop.cpp:
610         (Inspector::EventLoop::remoteInspectorRunLoopMode):
611         (Inspector::EventLoop::cycle):
612         Expose the run loop mode name so it can be used if needed by others.
613
614         * inspector/remote/RemoteInspectorDebuggableConnection.h:
615         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
616         (Inspector::RemoteInspectorBlock::RemoteInspectorBlock):
617         (Inspector::RemoteInspectorBlock::~RemoteInspectorBlock):
618         (Inspector::RemoteInspectorBlock::operator=):
619         (Inspector::RemoteInspectorBlock::operator()):
620         (Inspector::RemoteInspectorQueueTask):
621         Instead of a dispatch_queue, have our own static Vector of debugger tasks.
622
623         (Inspector::RemoteInspectorHandleRunSource):
624         (Inspector::RemoteInspectorInitializeQueue):
625         Initialize the static queue and run loop source. When the run loop source
626         fires, it will exhaust the queue of debugger messages.
627
628         (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
629         (Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection):
630         When we get a debuggable connection add a run loop source for inspector commands.
631
632         (Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable):
633         (Inspector::RemoteInspectorDebuggableConnection::sendMessageToBackend):
634         Enqueue blocks on our Vector instead of our dispatch_queue.
635
636 2014-03-12  Commit Queue  <commit-queue@webkit.org>
637
638         Unreviewed, rolling out r165482.
639         https://bugs.webkit.org/show_bug.cgi?id=130157
640
641         Broke the windows build; "error C2466: cannot allocate an
642         array of constant size 0" (Requested by jernoble on #webkit).
643
644         Reverted changeset:
645
646         "Reduce memory use for static property maps"
647         https://bugs.webkit.org/show_bug.cgi?id=129986
648         http://trac.webkit.org/changeset/165482
649
650 2014-03-12  Mark Hahnenberg  <mhahnenberg@apple.com>
651
652         Remove HandleSet::m_nextToFinalize
653         https://bugs.webkit.org/show_bug.cgi?id=130109
654
655         Reviewed by Mark Lam.
656
657         This is a remnant of when HandleSet contained things that needed to be finalized. 
658
659         * heap/HandleSet.cpp:
660         (JSC::HandleSet::HandleSet):
661         (JSC::HandleSet::writeBarrier):
662         * heap/HandleSet.h:
663         (JSC::HandleSet::allocate):
664         (JSC::HandleSet::deallocate):
665
666 2014-03-12  Mark Hahnenberg  <mhahnenberg@apple.com>
667
668         Layout Test fast/workers/worker-gc.html is failing
669         https://bugs.webkit.org/show_bug.cgi?id=130135
670
671         Reviewed by Geoffrey Garen.
672
673         When removing MarkedBlocks, we always expect them to be in the MarkedAllocator's 
674         main list of blocks, i.e. not in the retired list. When shutting down the VM this
675         wasn't always the case which was causing ASSERTs to fire. We should rearrange things 
676         so that allocators are notified with lastChanceToFinalize. This will give them 
677         the chance to move their retired blocks back into the main list before removing them all.
678
679         * heap/MarkedAllocator.cpp:
680         (JSC::LastChanceToFinalize::operator()):
681         (JSC::MarkedAllocator::lastChanceToFinalize):
682         * heap/MarkedAllocator.h:
683         * heap/MarkedSpace.cpp:
684         (JSC::LastChanceToFinalize::operator()):
685         (JSC::MarkedSpace::lastChanceToFinalize):
686
687 2014-03-12  Gavin Barraclough  <barraclough@apple.com>
688
689         Reduce memory use for static property maps
690         https://bugs.webkit.org/show_bug.cgi?id=129986
691
692         Reviewed by Andreas Kling.
693
694         Static property tables are currently duplicated on first use from read-only memory into dirty memory
695         in every process, and since the entries are large (48 bytes) and the tables can be unusually sparse
696         (we use a custom hash table without a rehash) a lot of memory may be wasted.
697
698         First, reduce the size of the hashtable. Instead of storing values in the table the hashtable maps
699         from string hashes to indices into a densely packed array of values. Compute the index table at
700         compile time as a part of the derived sources step, such that this may be read-only data.
701
702         Second, don't copy all data from the HashTableValue array into HashEntry objects. Instead refer
703         directly to the HashTableValue entries. The only data that needs to be allocated at runtime are the
704         keys, which are Identifiers.
705
706         * create_hash_table:
707             - emit the hash table index into the derived source (we were calculating this already to ensure chaining does not get too deep).
708         * parser/Lexer.cpp:
709         (JSC::Lexer<LChar>::parseIdentifier):
710         (JSC::Lexer<UChar>::parseIdentifier):
711         (JSC::Lexer<T>::parseIdentifierSlowCase):
712             - HashEntry -> HashTableValue.
713         * parser/Lexer.h:
714         (JSC::Keywords::getKeyword):
715             - HashEntry -> HashTableValue.
716         * runtime/ClassInfo.h:
717             - removed HashEntry.
718         * runtime/JSObject.cpp:
719         (JSC::getClassPropertyNames):
720             - use HashTable::ConstIterator.
721         (JSC::JSObject::put):
722         (JSC::JSObject::deleteProperty):
723         (JSC::JSObject::findPropertyHashEntry):
724             - HashEntry -> HashTableValue.
725         (JSC::JSObject::reifyStaticFunctionsForDelete):
726             - changed HashTable::ConstIterator interface.
727         * runtime/JSObject.h:
728             - HashEntry -> HashTableValue.
729         * runtime/Lookup.cpp:
730         (JSC::HashTable::createTable):
731             - table -> keys, keys array is now densely packed.
732         (JSC::HashTable::deleteTable):
733             - table -> keys.
734         (JSC::setUpStaticFunctionSlot):
735             - HashEntry -> HashTableValue.
736         * runtime/Lookup.h:
737         (JSC::HashTableValue::builtinGenerator):
738         (JSC::HashTableValue::function):
739         (JSC::HashTableValue::functionLength):
740         (JSC::HashTableValue::propertyGetter):
741         (JSC::HashTableValue::propertyPutter):
742         (JSC::HashTableValue::lexerValue):
743             - added accessor methods from HashEntry.
744         (JSC::HashTable::copy):
745             - fields changed.
746         (JSC::HashTable::initializeIfNeeded):
747             - table -> keys.
748         (JSC::HashTable::entry):
749             - HashEntry -> HashTableValue.
750         (JSC::HashTable::ConstIterator::ConstIterator):
751             - iterate packed value array, so no need to skipInvalidKeys().
752         (JSC::HashTable::ConstIterator::value):
753         (JSC::HashTable::ConstIterator::key):
754         (JSC::HashTable::ConstIterator::operator->):
755             - accessors now get HashTableValue/StringImpl* separately.
756         (JSC::HashTable::ConstIterator::operator++):
757             - iterate packed value array, so no need to skipInvalidKeys().
758         (JSC::HashTable::end):
759             - end is now size of dense not sparse array.
760         (JSC::getStaticPropertySlot):
761         (JSC::getStaticFunctionSlot):
762         (JSC::getStaticValueSlot):
763         (JSC::putEntry):
764         (JSC::lookupPut):
765             - HashEntry -> HashTableValue.
766
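Added example, written by the editor and not JavaScriptCore code, of the layout the entry above describes: a build-time index table that maps string hashes to positions in a densely packed value array, so the index itself can live in read-only memory and the only per-process allocation is the key array. FNV-1a, linear probing and the int payload are stand-ins for WTF::StringHasher, JSC's probe sequence and HashTableValue; the property names in the sample table are constructed.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>

// Added example, not JavaScriptCore code: a small read-only index table over a
// densely packed value array, so that the per-process copy of sparse 48-byte
// entries goes away. Stand-ins: FNV-1a for WTF::StringHasher, linear probing for
// JSC's probe sequence, an int payload for HashTableValue. Sample names are constructed.

struct StaticValue {
    const char* key;   // property name; at runtime JSC would hold an Identifier for it
    int payload;       // stands in for the native function / attributes
};

static uint32_t hashKey(const char* s) {
    uint32_t h = 2166136261u;                            // FNV-1a (stand-in hash)
    for (; *s; ++s) { h ^= (uint8_t)*s; h *= 16777619u; }
    return h;
}

// Power of two with load factor <= 0.5 so probe chains stay short.
static uint32_t tableSizeFor(size_t count) {
    uint32_t n = 1;
    while (n < count * 2) n <<= 1;
    return n;
}

// "Derived sources" step: computed once at build time. Each slot holds an index
// into the value array, or -1 for empty. This array can live in read-only memory.
static std::vector<int16_t> buildIndexTable(const std::vector<StaticValue>& values) {
    std::vector<int16_t> slots(tableSizeFor(values.size()), -1);
    uint32_t mask = (uint32_t)slots.size() - 1;
    for (size_t i = 0; i < values.size(); ++i) {
        uint32_t slot = hashKey(values[i].key) & mask;
        while (slots[slot] != -1) slot = (slot + 1) & mask;  // linear probe
        slots[slot] = (int16_t)i;
    }
    return slots;
}

// Runtime lookup: hash, probe the index table, then confirm the key against the
// dense array (a hash match alone is not a key match). Returns the dense index or -1.
static int lookup(const std::vector<int16_t>& slots, const std::vector<StaticValue>& values, const char* key) {
    uint32_t mask = (uint32_t)slots.size() - 1;
    uint32_t slot = hashKey(key) & mask;
    while (slots[slot] != -1) {
        int i = slots[slot];
        if (std::strcmp(values[i].key, key) == 0) return i;
        slot = (slot + 1) & mask;
    }
    return -1;
}

// The memory comparison the entry motivates: sparse 48-byte entries copied per
// process versus a 2-byte read-only index per slot.
static size_t sparseCopyBytes(size_t tableSize) { return tableSize * 48; }
static size_t indexTableBytes(size_t tableSize) { return tableSize * sizeof(int16_t); }

// Constructed sample table with Math-like names.
static const std::vector<StaticValue> kSample = {
    {"abs", 1}, {"floor", 2}, {"ceil", 3}, {"max", 4}, {"min", 5}, {"pow", 6}, {"sqrt", 7},
};

static int lookupSample(const char* key) {
    return lookup(buildIndexTable(kSample), kSample, key);
}

static bool allSampleKeysResolve() {
    std::vector<int16_t> slots = buildIndexTable(kSample);
    for (size_t i = 0; i < kSample.size(); ++i)
        if (lookup(slots, kSample, kSample[i].key) != (int)i) return false;
    return true;
}
```

lookupSample("sqrt") probes the 16-slot index and returns 6, its position in the dense array; a miss such as lookupSample("random") returns -1 because the key comparison against the dense entry, not the hash alone, decides a hit. The memory point is that indexTableBytes(16) is 32 bytes against 768 bytes for copying sixteen 48-byte entries, and since the index is computed at build time nothing but the keys needs to be written per process.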
767 2014-03-11  Filip Pizlo  <fpizlo@apple.com>
768
769         It should be possible to build WebKit with FTL on iOS
770         https://bugs.webkit.org/show_bug.cgi?id=130116
771
772         Reviewed by Dan Bernstein.
773
774         * Configurations/Base.xcconfig:
775
776 2014-03-10  Filip Pizlo  <fpizlo@apple.com>
777
778         GetById list caching should use something object-oriented rather than PolymorphicAccessStructureList
779         https://bugs.webkit.org/show_bug.cgi?id=129778
780
781         Reviewed by Geoffrey Garen.
782         
783         Also deduplicate the GetById getter call caching. Also add some small tests for
784         get stubs.
785         
786         This change reduces the amount of code involved in GetById access caching and it
787         creates data structures that can serve as an elegant scaffold for introducing other
788         kinds of caches or improving current caching styles. It will definitely make getter
789         performance improvements easier to implement.
790
791         * CMakeLists.txt:
792         * GNUmakefile.list.am:
793         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
794         * JavaScriptCore.xcodeproj/project.pbxproj:
795         * bytecode/CodeBlock.cpp:
796         (JSC::CodeBlock::printGetByIdCacheStatus):
797         * bytecode/GetByIdStatus.cpp:
798         (JSC::GetByIdStatus::computeForStubInfo):
799         * bytecode/PolymorphicGetByIdList.cpp: Added.
800         (JSC::GetByIdAccess::GetByIdAccess):
801         (JSC::GetByIdAccess::~GetByIdAccess):
802         (JSC::GetByIdAccess::fromStructureStubInfo):
803         (JSC::GetByIdAccess::visitWeak):
804         (JSC::PolymorphicGetByIdList::PolymorphicGetByIdList):
805         (JSC::PolymorphicGetByIdList::from):
806         (JSC::PolymorphicGetByIdList::~PolymorphicGetByIdList):
807         (JSC::PolymorphicGetByIdList::currentSlowPathTarget):
808         (JSC::PolymorphicGetByIdList::addAccess):
809         (JSC::PolymorphicGetByIdList::isFull):
810         (JSC::PolymorphicGetByIdList::isAlmostFull):
811         (JSC::PolymorphicGetByIdList::didSelfPatching):
812         (JSC::PolymorphicGetByIdList::visitWeak):
813         * bytecode/PolymorphicGetByIdList.h: Added.
814         (JSC::GetByIdAccess::GetByIdAccess):
815         (JSC::GetByIdAccess::isSet):
816         (JSC::GetByIdAccess::operator!):
817         (JSC::GetByIdAccess::type):
818         (JSC::GetByIdAccess::structure):
819         (JSC::GetByIdAccess::chain):
820         (JSC::GetByIdAccess::chainCount):
821         (JSC::GetByIdAccess::stubRoutine):
822         (JSC::GetByIdAccess::doesCalls):
823         (JSC::PolymorphicGetByIdList::isEmpty):
824         (JSC::PolymorphicGetByIdList::size):
825         (JSC::PolymorphicGetByIdList::at):
826         (JSC::PolymorphicGetByIdList::operator[]):
827         * bytecode/StructureStubInfo.cpp:
828         (JSC::StructureStubInfo::deref):
829         (JSC::StructureStubInfo::visitWeakReferences):
830         * bytecode/StructureStubInfo.h:
831         (JSC::isGetByIdAccess):
832         (JSC::StructureStubInfo::initGetByIdList):
833         * jit/Repatch.cpp:
834         (JSC::generateGetByIdStub):
835         (JSC::tryCacheGetByID):
836         (JSC::patchJumpToGetByIdStub):
837         (JSC::tryBuildGetByIDList):
838         (JSC::tryBuildPutByIdList):
839         * tests/stress/getter.js: Added.
840         (foo):
841         (.o):
842         * tests/stress/polymorphic-prototype-accesses.js: Added.
843         (Foo):
844         (Bar):
845         (foo):
846         * tests/stress/prototype-getter.js: Added.
847         (Foo):
848         (foo):
849         * tests/stress/simple-prototype-accesses.js: Added.
850         (Foo):
851         (foo):
852
853 2014-03-11  Mark Hahnenberg  <mhahnenberg@apple.com>
854
855         MarkedBlocks that are "full enough" shouldn't be swept after EdenCollections
856         https://bugs.webkit.org/show_bug.cgi?id=129920
857
858         Reviewed by Geoffrey Garen.
859
860         This patch introduces the notion of "retiring" MarkedBlocks. We retire a MarkedBlock
861         when the amount of free space in a MarkedBlock drops below a certain threshold.
862         Retired blocks are not considered for sweeping.
863
864         This is profitable because it reduces churn during sweeping. To build a free list, 
865         we have to scan through each cell in a block. After a collection, all objects that 
866         are live in the block will remain live until the next FullCollection, at which time
867         we un-retire all previously retired blocks. Thus, a small number of objects in a block
868         that die during each EdenCollection could cause us to do a disproportionate amount of
869         sweeping for how much free memory we get back.
870
871         This patch looks like a consistent ~2% progression on boyer and is neutral everywhere else.
872
873         * heap/Heap.h:
874         (JSC::Heap::didRetireBlockWithFreeListSize):
875         * heap/MarkedAllocator.cpp:
876         (JSC::MarkedAllocator::tryAllocateHelper):
877         (JSC::MarkedAllocator::removeBlock):
878         (JSC::MarkedAllocator::reset):
879         * heap/MarkedAllocator.h:
880         (JSC::MarkedAllocator::MarkedAllocator):
881         (JSC::MarkedAllocator::forEachBlock):
882         * heap/MarkedBlock.cpp:
883         (JSC::MarkedBlock::sweepHelper):
884         (JSC::MarkedBlock::clearMarksWithCollectionType):
885         (JSC::MarkedBlock::didRetireBlock):
886         * heap/MarkedBlock.h:
887         (JSC::MarkedBlock::willRemoveBlock):
888         (JSC::MarkedBlock::isLive):
889         * heap/MarkedSpace.cpp:
890         (JSC::MarkedSpace::clearNewlyAllocated):
891         (JSC::MarkedSpace::clearMarks):
892         * runtime/Options.h:
893
894 2014-03-11  Andreas Kling  <akling@apple.com>
895
896         Streamline PropertyTable for lookup-only access.
897         <https://webkit.org/b/130060>
898
899         The PropertyTable lookup algorithm was written to support both read
900         and write access. This wasn't actually needed in most places.
901
902         This change adds a PropertyTable::get() that just returns the value
903         type (instead of an insertion iterator.) It also adds an early return
904         for empty tables.
905
906         Finally, up the minimum table capacity from 8 to 16. It was lowered
907         to 8 in order to save memory, but that was before PropertyTables were
908         GC allocated. Nowadays we don't have nearly as many tables, since all
909         the unpinned transitions die off.
910
911         Reviewed by Darin Adler.
912
913         * runtime/PropertyMapHashTable.h:
914         (JSC::PropertyTable::get):
915         * runtime/Structure.cpp:
916         (JSC::Structure::despecifyDictionaryFunction):
917         (JSC::Structure::attributeChangeTransition):
918         (JSC::Structure::get):
919         (JSC::Structure::despecifyFunction):
920         * runtime/StructureInlines.h:
921         (JSC::Structure::get):
922
923 2014-03-10  Mark Hahnenberg  <mhahnenberg@apple.com>
924
925         REGRESSION(r165407): DoYouEvenBench crashes in DRT
926         https://bugs.webkit.org/show_bug.cgi?id=130066
927
928         Reviewed by Geoffrey Garen.
929
930         The baseline JIT does a conditional store barrier for the put_by_id, but we need 
931         an unconditional store barrier so that we cover the butterfly case as well in emitPutTransitionStub.
932
933         * jit/JIT.h:
934         * jit/JITPropertyAccess.cpp:
935         (JSC::JIT::emit_op_put_by_id):
936         (JSC::JIT::emitWriteBarrier):
937
938 2014-03-10  Mark Lam  <mark.lam@apple.com>
939
940         Resurrect bit-rotted JIT::probe() mechanism.
941         <https://webkit.org/b/130067>
942
943         Reviewed by Geoffrey Garen.
944
945         * jit/JITStubs.cpp:
946         - Added the needed #include <wtf/InlineASM.h>.
947
948 2014-03-10  Joseph Pecoraro  <pecoraro@apple.com>
949
950         Fix typo in EXCLUDED_SOURCE_FILE_NAMES_iphoneos.
951
952         Rubber-stamped by Dan Bernstein.
953
954         * Configurations/JavaScriptCore.xcconfig:
955
956 2014-03-10  Mark Lam  <mark.lam@apple.com>
957
958         r165414 broke the 32-bit x86 tests: ASSERTION FAILED: result != InvalidIndex @ GPRInfo.h:330.
959         <https://webkit.org/b/130065>
960
961         Reviewed by Michael Saboff.
962
963         There is code in ScratchRegisterAllocator.cpp that is relying on GPRInfo::toIndex()
964         being able to return InvalidIndex.  Hence, the assertion is invalid.  Ditto for
965         FPRInfo::toIndex().
966
967         The fix is to remove the "result != InvalidIndex" assertions.
968
969         * jit/FPRInfo.h:
970         (JSC::FPRInfo::toIndex):
971         * jit/GPRInfo.h:
972         (JSC::GPRInfo::toIndex):
973
974 2014-03-10  Mark Lam  <mark.lam@apple.com>
975
976         Crash on a stack overflow on 32-bit x86 in http/tests/websocket/tests/hybi/workers/no-onmessage-in-sync-op.html.
977         <https://webkit.org/b/129955>
978
979         Reviewed by Geoffrey Garen.
980
981         The 32-bit x86 version of getHostCallReturnValue() was leaking 16 bytes
982         stack memory every time it was called.  This is now fixed.
983
984         * jit/JITOperations.cpp:
985
986 2014-03-10  Joseph Pecoraro  <pecoraro@apple.com>
987
988         Better JSContext API for named evaluations (other than //# sourceURL)
989         https://bugs.webkit.org/show_bug.cgi?id=129911
990
991         Reviewed by Geoffrey Garen.
992
993         * API/JSBase.h:
994         * API/JSContext.h:
995         * API/JSContext.mm:
996         (-[JSContext evaluateScript:]):
997         (-[JSContext evaluateScript:withSourceURL:]):
998         Add new evaluateScript:withSourceURL:.
999
1000         * API/tests/testapi.c:
1001         (main):
1002         * API/tests/testapi.mm:
1003         (testObjectiveCAPI):
1004         Add tests for sourceURL in evaluate APIs. It should
1005         affect the exception objects.
1006
1007 2014-03-10  Filip Pizlo  <fpizlo@apple.com>
1008
1009         Repatch should save and restore all used registers - not just temp ones - when making a call
1010         https://bugs.webkit.org/show_bug.cgi?id=130041
1011
1012         Reviewed by Geoffrey Garen and Mark Hahnenberg.
1013         
1014         The save/restore code was written back when the only client was the DFG, which only uses a
1015         subset of hardware registers: the "temp" registers in our lingo. But the FTL may use many
1016         other registers, especially on ARM64. The fact that Repatch doesn't know to save those can
1017         lead to data corruption on ARM64. 
1018
1019         * jit/RegisterSet.cpp:
1020         (JSC::RegisterSet::calleeSaveRegisters):
1021         (JSC::RegisterSet::numberOfSetGPRs):
1022         (JSC::RegisterSet::numberOfSetFPRs):
1023         * jit/RegisterSet.h:
1024         * jit/Repatch.cpp:
1025         (JSC::storeToWriteBarrierBuffer):
1026         (JSC::emitPutTransitionStub):
1027         * jit/ScratchRegisterAllocator.cpp:
1028         (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
1029         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
1030         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
1031         (JSC::ScratchRegisterAllocator::usedRegistersForCall):
1032         (JSC::ScratchRegisterAllocator::desiredScratchBufferSizeForCall):
1033         (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
1034         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
1035         * jit/ScratchRegisterAllocator.h:
1036
1037 2014-03-10  Mark Hahnenberg  <mhahnenberg@apple.com>
1038
1039         Remove ConditionalStore barrier
1040         https://bugs.webkit.org/show_bug.cgi?id=130040
1041
1042         Reviewed by Geoffrey Garen.
1043
1044         ConditionalStoreBarrier was created when barriers were much more expensive. Now that 
1045         they're cheap(er), we can get rid of them. This also allows us to get rid of the write 
1046         barrier logic in emitPutTransitionStub because we always will have executed a write barrier 
1047         on the base object in the case where we are allocating and storing a new Butterfly into it. 
1048         Previously, a ConditionalStoreBarrier might or might not have barrier-ed the base object, 
1049         so we'd have to emit a write barrier in the transition case.
1050
1051         This is performance neutral on the benchmarks we track.
1052
1053         * dfg/DFGAbstractInterpreterInlines.h:
1054         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1055         * dfg/DFGClobberize.h:
1056         (JSC::DFG::clobberize):
1057         * dfg/DFGConstantFoldingPhase.cpp:
1058         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1059         (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
1060         * dfg/DFGFixupPhase.cpp:
1061         (JSC::DFG::FixupPhase::fixupNode):
1062         (JSC::DFG::FixupPhase::insertStoreBarrier):
1063         * dfg/DFGNode.h:
1064         (JSC::DFG::Node::isStoreBarrier):
1065         * dfg/DFGNodeType.h:
1066         * dfg/DFGPredictionPropagationPhase.cpp:
1067         (JSC::DFG::PredictionPropagationPhase::propagate):
1068         * dfg/DFGSafeToExecute.h:
1069         (JSC::DFG::safeToExecute):
1070         * dfg/DFGSpeculativeJIT.cpp:
1071         (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
1072         * dfg/DFGSpeculativeJIT32_64.cpp:
1073         (JSC::DFG::SpeculativeJIT::compile):
1074         * dfg/DFGSpeculativeJIT64.cpp:
1075         (JSC::DFG::SpeculativeJIT::compile):
1076         * ftl/FTLCapabilities.cpp:
1077         (JSC::FTL::canCompile):
1078         * ftl/FTLLowerDFGToLLVM.cpp:
1079         (JSC::FTL::LowerDFGToLLVM::compileNode):
1080         * jit/Repatch.cpp:
1081         (JSC::emitPutTransitionStub):
1082
1083 2014-03-10  Filip Pizlo  <fpizlo@apple.com>
1084
1085         DFG and FTL should know that comparing anything to Misc is cheap and easy
1086         https://bugs.webkit.org/show_bug.cgi?id=130001
1087
1088         Reviewed by Geoffrey Garen.
1089         
1090         - Expand CompareStrictEq(Misc:, Misc:) to work for cases where either side of the
1091           comparison is just Untyped:.
1092         
1093         - This obviates the need for CompareStrictEqConstant, so remove it.
1094         
1095         - FTL had a thing called "Nully" which is really "Other". Rename it and add
1096           OtherUse.
1097         
1098         9% speed-up on box2d.
1099
1100         * dfg/DFGAbstractInterpreterInlines.h:
1101         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1102         * dfg/DFGByteCodeParser.cpp:
1103         (JSC::DFG::ByteCodeParser::parseBlock):
1104         * dfg/DFGClobberize.h:
1105         (JSC::DFG::clobberize):
1106         * dfg/DFGFixupPhase.cpp:
1107         (JSC::DFG::FixupPhase::fixupNode):
1108         * dfg/DFGNode.h:
1109         (JSC::DFG::Node::isBinaryUseKind):
1110         (JSC::DFG::Node::shouldSpeculateOther):
1111         * dfg/DFGNodeType.h:
1112         * dfg/DFGPredictionPropagationPhase.cpp:
1113         (JSC::DFG::PredictionPropagationPhase::propagate):
1114         * dfg/DFGSafeToExecute.h:
1115         (JSC::DFG::safeToExecute):
1116         * dfg/DFGSpeculativeJIT.cpp:
1117         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
1118         (JSC::DFG::SpeculativeJIT::compare):
1119         (JSC::DFG::SpeculativeJIT::compileStrictEq):
1120         * dfg/DFGSpeculativeJIT.h:
1121         * dfg/DFGSpeculativeJIT32_64.cpp:
1122         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
1123         (JSC::DFG::SpeculativeJIT::compile):
1124         * dfg/DFGSpeculativeJIT64.cpp:
1125         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
1126         (JSC::DFG::SpeculativeJIT::compile):
1127         * ftl/FTLCapabilities.cpp:
1128         (JSC::FTL::canCompile):
1129         * ftl/FTLLowerDFGToLLVM.cpp:
1130         (JSC::FTL::LowerDFGToLLVM::compileNode):
1131         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
1132         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
1133         (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
1134         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
1135         (JSC::FTL::LowerDFGToLLVM::isNotOther):
1136         (JSC::FTL::LowerDFGToLLVM::isOther):
1137         (JSC::FTL::LowerDFGToLLVM::speculate):
1138         (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
1139         (JSC::FTL::LowerDFGToLLVM::speculateNotCell):
1140         (JSC::FTL::LowerDFGToLLVM::speculateOther):
1141         (JSC::FTL::LowerDFGToLLVM::speculateMisc):
1142         * tests/stress/compare-strict-eq-integer-to-misc.js: Added.
1143
1144 2014-03-10  Filip Pizlo  <fpizlo@apple.com>
1145
1146         Unreviewed, remove unintended change.
1147
1148         * dfg/DFGDriver.cpp:
1149         (JSC::DFG::compileImpl):
1150
1151 2014-03-10  Filip Pizlo  <fpizlo@apple.com>
1152
1153         jsc commandline shouldn't have a "console" because that confuses some tests into thinking
1154         that they're running in the browser.
1155
1156         Rubber stamped by Mark Hahnenberg.
1157
1158         * jsc.cpp:
1159         (GlobalObject::finishCreation):
1160
1161 2014-03-10  Filip Pizlo  <fpizlo@apple.com>
1162
1163         Out-line ScratchRegisterAllocator
1164
1165         Rubber stamped by Mark Hahnenberg.
1166
1167         * CMakeLists.txt:
1168         * GNUmakefile.list.am:
1169         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1170         * JavaScriptCore.xcodeproj/project.pbxproj:
1171         * dfg/DFGDriver.cpp:
1172         (JSC::DFG::compileImpl):
1173         * jit/ScratchRegisterAllocator.cpp: Added.
1174         (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
1175         (JSC::ScratchRegisterAllocator::~ScratchRegisterAllocator):
1176         (JSC::ScratchRegisterAllocator::lock):
1177         (JSC::ScratchRegisterAllocator::allocateScratch):
1178         (JSC::ScratchRegisterAllocator::allocateScratchGPR):
1179         (JSC::ScratchRegisterAllocator::allocateScratchFPR):
1180         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
1181         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
1182         (JSC::ScratchRegisterAllocator::desiredScratchBufferSize):
1183         (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
1184         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
1185         * jit/ScratchRegisterAllocator.h:
1186
1187 2014-03-10  Brent Fulgham  <bfulgham@apple.com>
1188
1189         [Win] Pass environment to Pre-Build, Pre-link, and Post-Build Stages.
1190         https://bugs.webkit.org/show_bug.cgi?id=130023
1191
1192         Reviewed by Dean Jackson.
1193
1194         * JavaScriptCore.vcxproj/JavaScriptCore.proj: Avoid trailing backslashes in
1195         path names to avoid accidental escaping of later string substitutions.
1196
1197 2014-03-10  Andreas Kling  <akling@apple.com>
1198
1199         [X86_64] Smaller code for testb_i8r when register is accumulator.
1200         <https://webkit.org/b/130026>
1201
1202         Generate the shorthand version of "test al, imm" when possible.
1203
1204         Reviewed by Michael Saboff.
1205
1206         * assembler/X86Assembler.h:
1207         (JSC::X86Assembler::testb_i8r):
1208
1209 2014-03-10  Andreas Kling  <akling@apple.com>
1210
1211         [X86_64] Smaller code for sub_ir when register is accumulator.
1212         <https://webkit.org/b/130025>
1213
1214         Generate the shorthand version of "sub eax, imm" when possible.
1215
1216         Reviewed by Michael Saboff.
1217
1218         * assembler/X86Assembler.h:
1219         (JSC::X86Assembler::subl_ir):
1220         (JSC::X86Assembler::subq_ir):
1221
1222 2014-03-10  Andreas Kling  <akling@apple.com>
1223
1224         [X86_64] Smaller code for add_ir when register is accumulator.
1225         <https://webkit.org/b/130024>
1226
1227         Generate the shorthand version of "add eax, imm" when possible.
1228
1229         Reviewed by Michael Saboff.
1230
1231         * assembler/X86Assembler.h:
1232         (JSC::X86Assembler::addl_ir):
1233         (JSC::X86Assembler::addq_ir):
1234
1235 2014-03-10  Mark Hahnenberg  <mhahnenberg@apple.com>
1236
1237         writeBarrier in emitPutReplaceStub is unnecessary
1238         https://bugs.webkit.org/show_bug.cgi?id=130030
1239
1240         Reviewed by Filip Pizlo.
1241
1242         We already emit write barriers for each put-by-id when they're first compiled, so it's 
1243         redundant to emit a write barrier as part of the repatched code.
1244
1245         * jit/Repatch.cpp:
1246         (JSC::emitPutReplaceStub):
1247
1248 2014-03-10  Andreas Kling  <akling@apple.com>
1249
1250         [X86_64] Smaller code for xor_ir when register is accumulator.
1251         <https://webkit.org/b/130008>
1252
1253         Generate the shorthand version of "xor eax, imm" when possible.
1254
1255         Reviewed by Benjamin Poulain.
1256
1257         * assembler/X86Assembler.h:
1258         (JSC::X86Assembler::xorl_ir):
1259         (JSC::X86Assembler::xorq_ir):
1260
1261 2014-03-10  Andreas Kling  <akling@apple.com>
1262
1263         [X86_64] Smaller code for or_ir when register is accumulator.
1264         <https://webkit.org/b/130007>
1265
1266         Generate the shorthand version of "or eax, imm" when possible.
1267
1268         Reviewed by Benjamin Poulain.
1269
1270         * assembler/X86Assembler.h:
1271         (JSC::X86Assembler::orl_ir):
1272         (JSC::X86Assembler::orq_ir):
1273
1274 2014-03-10  Andreas Kling  <akling@apple.com>
1275
1276         [X86_64] Smaller code for test_ir when register is accumulator.
1277         <https://webkit.org/b/130006>
1278
1279         Generate the shorthand version of "test eax, imm" when possible.
1280
1281         Reviewed by Benjamin Poulain.
1282
1283         * assembler/X86Assembler.h:
1284         (JSC::X86Assembler::testl_i32r):
1285         (JSC::X86Assembler::testq_i32r):
1286
1287 2014-03-10  Andreas Kling  <akling@apple.com>
1288
1289         [X86_64] Smaller code for cmp_ir when register is accumulator.
1290         <https://webkit.org/b/130005>
1291
1292         Generate the shorthand version of "cmp eax, imm" when possible.
1293
1294         Reviewed by Benjamin Poulain.
1295
1296         * assembler/X86Assembler.h:
1297         (JSC::X86Assembler::cmpl_ir):
1298         (JSC::X86Assembler::cmpq_ir):
1299
1300 2014-03-10  Andreas Kling  <akling@apple.com>
1301
1302         [X86_64] Smaller code for store64(imm, address) when imm fits in 32 bits.
1303         <https://webkit.org/b/130002>
1304
1305         Generate this:
1306
1307             mov [address], imm32
1308
1309         Instead of this:
1310
1311             mov scratchRegister, imm32
1312             mov [address], scratchRegister
1313
1314         For store64(imm, address) where the 64-bit immediate can be passed as
1315         a sign-extended 32-bit value.
1316
1317         Reviewed by Benjamin Poulain.
1318
1319         * assembler/MacroAssemblerX86_64.h:
1320         (CAN_SIGN_EXTEND_32_64):
1321         (JSC::MacroAssemblerX86_64::store64):
1322
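Added example, written by the editor and not WebKit code, covering the store64 entry above and the "[X86_64] Smaller code ... when register is accumulator" entries before it: a minimal x86-64 encoder that returns the bytes it would emit, choosing the accumulator short form for add/or/sub/xor/cmp/test and the single sign-extended-imm32 store over movabs plus store. The encodings are from the Intel SDM; the register names, the rbp+disp8-only addressing and the use of rax as the scratch register are this example's simplifications, not JSC's. xchg is not covered.

```cpp
#include <cstdint>
#include <vector>

// Added example, not WebKit/JSC code: the two size choices these entries make,
// written as a minimal x86-64 encoder that returns the bytes it would emit.
// Encodings follow the Intel SDM:
//   op  eax, imm32        (digit<<3)|05 id     add=05 or=0D sub=2D xor=35 cmp=3D
//   op  r32, imm32        81 /digit id
//   test eax, imm32       A9 id
//   test r32, imm32       F7 /0 id
//   mov r/m64, imm32      REX.W C7 /0 id       (imm32 sign-extended to 64 bits)
//   mov r64, imm64        REX.W B8+rd io       (movabs)
//   mov r/m64, r64        REX.W 89 /r
// Only register-direct operands and [rbp+disp8] are implemented; that is enough
// to show the decision. The ALU form covers more than the entries list
// (and, adc, sbb follow the same accumulator rule).

enum Reg { EAX = 0, ECX = 1, EDX = 2, EBX = 3, ESP = 4, EBP = 5, ESI = 6, EDI = 7 };
enum Alu { ADD = 0, OR = 1, ADC = 2, SBB = 3, AND = 4, SUB = 5, XOR = 6, CMP = 7 };  // /digit field

static void emit32(std::vector<uint8_t>& out, uint32_t v) {
    for (int i = 0; i < 4; ++i) out.push_back((uint8_t)(v >> (8 * i)));  // little-endian
}
static void emit64(std::vector<uint8_t>& out, uint64_t v) {
    for (int i = 0; i < 8; ++i) out.push_back((uint8_t)(v >> (8 * i)));
}

// "op r32, imm32": the accumulator short form saves the ModRM byte.
static std::vector<uint8_t> alul_ir(Alu op, int32_t imm, Reg dst) {
    std::vector<uint8_t> out;
    if (dst == EAX) {
        out.push_back((uint8_t)((op << 3) | 0x05));
    } else {
        out.push_back(0x81);
        out.push_back((uint8_t)(0xC0 | (op << 3) | dst));   // mod=11, reg=/digit, rm=dst
    }
    emit32(out, (uint32_t)imm);
    return out;
}

// "test r32, imm32" has its own opcodes but the same accumulator shortcut.
static std::vector<uint8_t> testl_i32r(int32_t imm, Reg dst) {
    std::vector<uint8_t> out;
    if (dst == EAX) {
        out.push_back(0xA9);
    } else {
        out.push_back(0xF7);
        out.push_back((uint8_t)(0xC0 | dst));               // mod=11, reg=/0, rm=dst
    }
    emit32(out, (uint32_t)imm);
    return out;
}

// The check behind CAN_SIGN_EXTEND_32_64: the value survives a round trip
// through int32_t. It must be done on the full 64-bit value; 0x80000000 fails
// even though it "fits in 32 bits" unsigned, because it would sign-extend to a
// negative number and the store would write the wrong value.
static bool canSignExtend32To64(int64_t v) {
    return v == (int64_t)(int32_t)v;
}

// store64(imm, [rbp+disp8]): one 8-byte instruction when the immediate
// sign-extends, otherwise movabs into a scratch register plus a store (14 bytes).
// The long form clobbers rax, which the caller must account for.
static std::vector<uint8_t> store64_imm_rbp(int64_t imm, int8_t disp8) {
    std::vector<uint8_t> out;
    const uint8_t modrm_rbp_disp8 = 0x45;   // mod=01 (disp8), reg=000 (/0 or rax), rm=101 (rbp)
    if (canSignExtend32To64(imm)) {
        out.push_back(0x48); out.push_back(0xC7); out.push_back(modrm_rbp_disp8);
        out.push_back((uint8_t)disp8);
        emit32(out, (uint32_t)(int32_t)imm);
    } else {
        out.push_back(0x48); out.push_back(0xB8);            // movabs rax, imm64
        emit64(out, (uint64_t)imm);
        out.push_back(0x48); out.push_back(0x89); out.push_back(modrm_rbp_disp8);  // mov [rbp+disp8], rax
        out.push_back((uint8_t)disp8);
    }
    return out;
}
```

alul_ir(CMP, imm, EAX) yields 3D id (5 bytes) where alul_ir(CMP, imm, ECX) yields 81 F9 id (6 bytes); store64_imm_rbp(42, -8) is the 8-byte 48 C7 45 F8 imm32 form, while store64_imm_rbp(0x80000000, -8) has to take the 14-byte movabs path precisely because 0x80000000 does not sign-extend. Getting that predicate wrong in a JIT silently emits a store of a different value, so the edge cases around INT32_MIN and INT32_MAX are the ones worth testing.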
1323 2014-03-10  Andreas Kling  <akling@apple.com>
1324
1325         [X86_64] Smaller code for xchg_rr when one register is accumulator.
1326         <https://webkit.org/b/130004>
1327
1328         Generate the 1-byte version of "xchg eax, reg" when possible.
1329
1330         Reviewed by Benjamin Poulain.
1331
1332         * assembler/X86Assembler.h:
1333         (JSC::X86Assembler::xchgl_rr):
1334         (JSC::X86Assembler::xchgq_rr):
1335
1336 2014-03-09  Filip Pizlo  <fpizlo@apple.com>
1337
1338         GPRInfo::toIndex should return InvalidIndex for non-temp registers on ARM64
1339         https://bugs.webkit.org/show_bug.cgi?id=129998
1340
1341         Reviewed by Geoffrey Garen.
1342         
1343         Not only is that the established contract, but this is used to signal to
1344         ScratchRegisterAllocator that the register doesn't need locking since it isn't a register
1345         that this allocator would use. In the FTL, we may have an inline cache where LLVM had used
1346         some non-temp register (i.e. a register that JSC itself wouldn't have used). This is totally
1347         fine but previously it would have led to either an assertion failure, or data corruption, in
1348         the ScratchRegisterAllocator.
1349
1350         * jit/GPRInfo.h:
1351         (JSC::GPRInfo::toIndex):
1352
1353 2014-03-09  Filip Pizlo  <fpizlo@apple.com>
1354
1355         FTL fails the new equals-masquerader strictEqualConstant test
1356         https://bugs.webkit.org/show_bug.cgi?id=129996
1357
1358         Reviewed by Mark Lam.
1359         
1360         It turns out that the FTL was trying to do the masquerading stuff for ===null. But
1361         that's wrong since none of the other engines do it. The DFG even had an ancient
1362         FIXME about doing it - but that doesn't make sense since the LLInt and baseline JIT
1363         don't do it and JSValue::strictEqual() doesn't do it.
1364         
1365         Remove the FIXME and remove the extra checks in the FTL.
1366         
1367         This is a glorious patch: nothing but red and it fixes a test failure.
1368
1369         * dfg/DFGSpeculativeJIT.cpp:
1370         (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
1371         * ftl/FTLLowerDFGToLLVM.cpp:
1372         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
1373
1374 2014-03-09  Andreas Kling  <akling@apple.com>
1375
1376         Short-circuit JSGlobalObjectInspectorController when not inspecting.
1377         <https://webkit.org/b/129995>
1378
1379         Add an early return in reportAPIException() when the console agent
1380         is disabled. This avoids expensive symbolication during exceptions
1381         if there's nobody expecting the fancy backtrace anyway.
1382
1383         ~2% progression on DYEB on my MBP.
1384
1385         Reviewed by Geoff Garen.
1386
1387         * inspector/JSGlobalObjectInspectorController.cpp:
1388         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
1389
1390 2014-03-09  Andreas Kling  <akling@apple.com>
1391
1392         Inline the trivial parts of GC deferral.
1393         <https://webkit.org/b/129984>
1394
1395         Made most of the functions called by the DeferGC RAII object inline
1396         to avoid function call overhead.
1397
1398         Looks like ~1% progression on DYEB.
1399
1400         Reviewed by Geoffrey Garen.
1401
1402         * heap/Heap.cpp:
1403         * heap/Heap.h:
1404         (JSC::Heap::incrementDeferralDepth):
1405         (JSC::Heap::decrementDeferralDepth):
1406         (JSC::Heap::collectIfNecessaryOrDefer):
1407         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
1408
1409 2014-03-08  Mark Lam  <mark.lam@apple.com>
1410
1411         32-bit x86 handleUncaughtException returns to wrong location after a stack overflow.
1412         <https://webkit.org/b/129969>
1413
1414         Reviewed by Geoffrey Garen.
1415
1416         The 32-bit version of handleUncaughtException was missing the handling of an
1417         edge case for stack overflows where the current frame may already be the
1418         sentinel frame.  This edge case was handled in the 64-bit version.  The fix
1419         is to bring the 32-bit version up to parity.
1420
1421         * jit/JIT.cpp:
1422         (JSC::JIT::privateCompile):
1423         * llint/LowLevelInterpreter32_64.asm:
1424
1425 2014-03-07  Mark Lam  <mark.lam@apple.com>
1426
1427         Fix bugs in 32-bit Structure implementation.
1428         <https://webkit.org/b/129947>
1429
1430         Reviewed by Mark Hahnenberg.
1431
1432         Added the loading of the Structure (from the JSCell) before use that was
1433         missing in a few places.  Also added more test cases to equals-masquerader.js.
1434
1435         * dfg/DFGSpeculativeJIT32_64.cpp:
1436         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
1437         (JSC::DFG::SpeculativeJIT::compile):
1438         * dfg/DFGSpeculativeJIT64.cpp:
1439         (JSC::DFG::SpeculativeJIT::compile):
1440         * llint/LowLevelInterpreter32_64.asm:
1441         * tests/stress/equals-masquerader.js:
1442         (equalsNull):
1443         (notEqualsNull):
1444         (strictEqualsNull):
1445         (strictNotEqualsNull):
1446         (equalsUndefined):
1447         (notEqualsUndefined):
1448         (strictEqualsUndefined):
1449         (strictNotEqualsUndefined):
1450         (isFalsey):
1451         (test):
1452
1453 2014-03-07  Andrew Trick  <atrick@apple.com>
1454
1455         Temporarily disable repeat-out-of-bounds stress tests pending fix for 129953.
1456         https://bugs.webkit.org/show_bug.cgi?id=129954
1457
1458         Reviewed by Filip Pizlo.
1459
1460         * tests/stress/float32-repeat-out-of-bounds.js:
1461         * tests/stress/int8-repeat-out-of-bounds.js:
1462
1463 2014-03-07  Michael Saboff  <msaboff@apple.com>
1464
1465         .cfi directives in LowLevelInterpreter.cpp are providing no benefit
1466         https://bugs.webkit.org/show_bug.cgi?id=129945
1467
1468         Reviewed by Mark Lam.
1469
1470         Removed .cfi directive.  Verified that stack traces didn't regress in crash reporter
1471         or in lldb.
1472
1473         * llint/LowLevelInterpreter.cpp:
1474
1475 2014-03-07  Oliver Hunt  <oliver@apple.com>
1476
1477         Continue hangs when performing for-of over arguments
1478         https://bugs.webkit.org/show_bug.cgi?id=129915
1479
1480         Reviewed by Geoffrey Garen.
1481
1482         Put the continue label in the right place
1483
1484         * bytecompiler/BytecodeGenerator.cpp:
1485         (JSC::BytecodeGenerator::emitEnumeration):
1486
1487 2014-03-07  peavo@outlook.com  <peavo@outlook.com>
1488
1489         [Win64] Compile error after r165128.
1490         https://bugs.webkit.org/show_bug.cgi?id=129807
1491
1492         Reviewed by Mark Lam.
1493
1494         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: 
1495         Check platform environment variable to determine if an assembler file should be generated.
1496
1497 2014-03-07  Michael Saboff  <msaboff@apple.com>
1498
1499         Clarify how we deal with "special" registers
1500         https://bugs.webkit.org/show_bug.cgi?id=129806
1501
1502         Already reviewed change being relanded.
1503
1504         Relanding change set r165196 as it wasn't responsible for the breakage reported in
1505         https://bugs.webkit.org/show_bug.cgi?id=129822.  That appears to be a build or
1506         configuration issue.
1507
1508         Reviewed by Michael Saboff.
1509
1510         * assembler/ARM64Assembler.h:
1511         (JSC::ARM64Assembler::lastRegister):
1512         * assembler/MacroAssembler.h:
1513         (JSC::MacroAssembler::nextRegister):
1514         * ftl/FTLLocation.cpp:
1515         (JSC::FTL::Location::restoreInto):
1516         * ftl/FTLSaveRestore.cpp:
1517         (JSC::FTL::saveAllRegisters):
1518         (JSC::FTL::restoreAllRegisters):
1519         * ftl/FTLSlowPathCall.cpp:
1520         * jit/RegisterSet.cpp:
1521         (JSC::RegisterSet::reservedHardwareRegisters):
1522         (JSC::RegisterSet::runtimeRegisters):
1523         (JSC::RegisterSet::specialRegisters):
1524         (JSC::RegisterSet::calleeSaveRegisters):
1525         * jit/RegisterSet.h:
1526
1527 2014-03-07  Mark Hahnenberg  <mhahnenberg@apple.com>
1528
1529         Move GCActivityCallback to heap
1530         https://bugs.webkit.org/show_bug.cgi?id=129457
1531
1532         Reviewed by Geoffrey Garen.
1533
1534         All the other GC timer related stuff is there already.
1535
1536         * CMakeLists.txt:
1537         * GNUmakefile.list.am:
1538         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1539         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1540         * JavaScriptCore.xcodeproj/project.pbxproj:
1541         * heap/GCActivityCallback.cpp: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.cpp.
1542         * heap/GCActivityCallback.h: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.h.
1543         * runtime/GCActivityCallback.cpp: Removed.
1544         * runtime/GCActivityCallback.h: Removed.
1545
1546 2014-03-07  Andrew Trick  <atrick@apple.com>
1547
1548         Correct a comment typo from:
1549         FLT should call fmod directly on platforms where LLVM cannot relocate the libcall
1550         https://bugs.webkit.org/show_bug.cgi?id=129865
1551
1552         Reviewed by Mark Lam.
1553
1554         * ftl/FTLOutput.h:
1555         (JSC::FTL::Output::doubleRem):
1556
1557 2014-03-07  Mark Hahnenberg  <mhahnenberg@apple.com>
1558
1559         Use OwnPtr in StructureIDTable
1560         https://bugs.webkit.org/show_bug.cgi?id=129828
1561
1562         Reviewed by Geoffrey Garen.
1563
1564         This reduces the amount of boilerplate and fixes a memory leak.
1565
1566         * runtime/StructureIDTable.cpp:
1567         (JSC::StructureIDTable::StructureIDTable):
1568         (JSC::StructureIDTable::resize):
1569         (JSC::StructureIDTable::flushOldTables):
1570         (JSC::StructureIDTable::allocateID):
1571         (JSC::StructureIDTable::deallocateID):
1572         * runtime/StructureIDTable.h:
1573         (JSC::StructureIDTable::table):
1574         (JSC::StructureIDTable::get):
1575
1576 2014-03-07  Andrew Trick  <atrick@apple.com>
1577
1578         FLT should call fmod directly on platforms where LLVM cannot relocate the libcall
1579         https://bugs.webkit.org/show_bug.cgi?id=129865
1580
1581         Reviewed by Filip Pizlo.
1582
1583         * ftl/FTLIntrinsicRepository.h:
1584         * ftl/FTLOutput.h:
1585         (JSC::FTL::Output::doubleRem):
1586
1587 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
1588
1589         If the FTL is build-time enabled then it should be run-time enabled.
1590
1591         Rubber stamped by Geoffrey Garen.
1592
1593         * runtime/Options.cpp:
1594         (JSC::recomputeDependentOptions):
1595         * runtime/Options.h:
1596
1597 2014-03-06  Joseph Pecoraro  <pecoraro@apple.com>
1598
1599         [OS X] Web Inspector: Allow Apps using JavaScriptCore to access "com.apple.webinspector" mach port
1600         https://bugs.webkit.org/show_bug.cgi?id=129852
1601
1602         Reviewed by Geoffrey Garen.
1603
1604         * framework.sb: Added.
1605         Sandbox extension to allow access to "com.apple.webinspector".
1606
1607         * JavaScriptCore.xcodeproj/project.pbxproj:
1608         Add a Copy Resources build phase and include framework.sb.
1609
1610         * Configurations/JavaScriptCore.xcconfig:
1611         Do not copy framework.sb on iOS.
1612
1613 2014-03-06  Mark Hahnenberg  <mhahnenberg@apple.com>
1614
1615         JSGlobalContextRelease incorrectly handles saving/restoring IdentifierTable
1616         https://bugs.webkit.org/show_bug.cgi?id=129858
1617
1618         Reviewed by Mark Lam.
1619
1620         It was correct (but really ugly) prior to the combining of APIEntryShim and JSLock, 
1621         but now it ends up overwriting the IdentifierTable that JSLock just restored.
1622
1623         * API/JSContextRef.cpp:
1624         (JSGlobalContextRelease):
1625
1626 2014-03-06  Oliver Hunt  <oliver@apple.com>
1627
1628         Fix FTL build.
1629
1630         * dfg/DFGConstantFoldingPhase.cpp:
1631         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1632
1633 2014-03-06  Brent Fulgham  <bfulgham@apple.com>
1634
1635         Unreviewed build fix after r165128.
1636
1637         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: The SEH flag was not getting set when
1638         performing 'Production' and 'DebugSuffix' type builds.
1639
1640 2014-03-06  Julien Brianceau  <jbriance@cisco.com>
1641
1642         Unreviewed, fix style in my previous commit.
1643         https://bugs.webkit.org/show_bug.cgi?id=129833
1644
1645         * runtime/JSConsole.cpp:
1646
1647 2014-03-06  Julien Brianceau  <jbriance@cisco.com>
1648
1649         Build fix: add missing include in JSConsole.cpp.
1650         https://bugs.webkit.org/show_bug.cgi?id=129833
1651
1652         Reviewed by Oliver Hunt.
1653
1654         * runtime/JSConsole.cpp:
1655
1656 2014-03-06  Oliver Hunt  <oliver@apple.com>
1657
1658         Fix ARMv7
1659
1660         * jit/CCallHelpers.h:
1661         (JSC::CCallHelpers::setupArgumentsWithExecState):
1662
1663 2014-03-06  Commit Queue  <commit-queue@webkit.org>
1664
1665         Unreviewed, rolling out r165196.
1666         http://trac.webkit.org/changeset/165196
1667         https://bugs.webkit.org/show_bug.cgi?id=129822
1668
1669         broke arm64 on hardware (Requested by bfulgham on #webkit).
1670
1671         * assembler/ARM64Assembler.h:
1672         (JSC::ARM64Assembler::lastRegister):
1673         * assembler/MacroAssembler.h:
1674         (JSC::MacroAssembler::isStackRelated):
1675         (JSC::MacroAssembler::firstRealRegister):
1676         (JSC::MacroAssembler::nextRegister):
1677         (JSC::MacroAssembler::secondRealRegister):
1678         * ftl/FTLLocation.cpp:
1679         (JSC::FTL::Location::restoreInto):
1680         * ftl/FTLSaveRestore.cpp:
1681         (JSC::FTL::saveAllRegisters):
1682         (JSC::FTL::restoreAllRegisters):
1683         * ftl/FTLSlowPathCall.cpp:
1684         * jit/RegisterSet.cpp:
1685         (JSC::RegisterSet::specialRegisters):
1686         (JSC::RegisterSet::calleeSaveRegisters):
1687         * jit/RegisterSet.h:
1688
1689 2014-03-06  Mark Lam  <mark.lam@apple.com>
1690
1691         REGRESSION(r165205): broke the CLOOP build (Requested by smfr on #webkit).
1692         <https://webkit.org/b/129813>
1693
1694         Reviewed by Michael Saboff.
1695
1696         Fixed broken C loop LLINT build.
1697
1698         * llint/LowLevelInterpreter.cpp:
1699         (JSC::CLoop::execute):
1700         * offlineasm/cloop.rb:
1701
1702 2014-03-03  Oliver Hunt  <oliver@apple.com>
1703
1704         Support caching of custom setters
1705         https://bugs.webkit.org/show_bug.cgi?id=129519
1706
1707         Reviewed by Filip Pizlo.
1708
1709         This patch adds caching of assignment to properties that
1710         are backed by C functions. This provides most of the leg
1711         work required to start supporting setters, and resolves
1712         the remaining regressions from moving DOM properties up
1713         the prototype chain.
1714
1715         * JavaScriptCore.xcodeproj/project.pbxproj:
1716         * bytecode/PolymorphicPutByIdList.cpp:
1717         (JSC::PutByIdAccess::visitWeak):
1718         (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
1719         (JSC::PolymorphicPutByIdList::from):
1720         * bytecode/PolymorphicPutByIdList.h:
1721         (JSC::PutByIdAccess::transition):
1722         (JSC::PutByIdAccess::replace):
1723         (JSC::PutByIdAccess::customSetter):
1724         (JSC::PutByIdAccess::isCustom):
1725         (JSC::PutByIdAccess::oldStructure):
1726         (JSC::PutByIdAccess::chain):
1727         (JSC::PutByIdAccess::stubRoutine):
1728         * bytecode/PutByIdStatus.cpp:
1729         (JSC::PutByIdStatus::computeForStubInfo):
1730         (JSC::PutByIdStatus::computeFor):
1731         (JSC::PutByIdStatus::dump):
1732         * bytecode/PutByIdStatus.h:
1733         (JSC::PutByIdStatus::PutByIdStatus):
1734         (JSC::PutByIdStatus::takesSlowPath):
1735         (JSC::PutByIdStatus::makesCalls):
1736         * bytecode/StructureStubInfo.h:
1737         * dfg/DFGAbstractInterpreterInlines.h:
1738         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1739         * dfg/DFGByteCodeParser.cpp:
1740         (JSC::DFG::ByteCodeParser::emitPutById):
1741         (JSC::DFG::ByteCodeParser::handlePutById):
1742         * dfg/DFGClobberize.h:
1743         (JSC::DFG::clobberize):
1744         * dfg/DFGCommon.h:
1745         * dfg/DFGConstantFoldingPhase.cpp:
1746         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1747         * dfg/DFGFixupPhase.cpp:
1748         (JSC::DFG::FixupPhase::fixupNode):
1749         * dfg/DFGNode.h:
1750         (JSC::DFG::Node::hasIdentifier):
1751         * dfg/DFGNodeType.h:
1752         * dfg/DFGPredictionPropagationPhase.cpp:
1753         (JSC::DFG::PredictionPropagationPhase::propagate):
1754         * dfg/DFGSafeToExecute.h:
1755         (JSC::DFG::safeToExecute):
1756         * dfg/DFGSpeculativeJIT.cpp:
1757         (JSC::DFG::SpeculativeJIT::compileIn):
1758         * dfg/DFGSpeculativeJIT.h:
1759         * dfg/DFGSpeculativeJIT32_64.cpp:
1760         (JSC::DFG::SpeculativeJIT::cachedGetById):
1761         (JSC::DFG::SpeculativeJIT::cachedPutById):
1762         (JSC::DFG::SpeculativeJIT::compile):
1763         * dfg/DFGSpeculativeJIT64.cpp:
1764         (JSC::DFG::SpeculativeJIT::cachedGetById):
1765         (JSC::DFG::SpeculativeJIT::cachedPutById):
1766         (JSC::DFG::SpeculativeJIT::compile):
1767         * jit/CCallHelpers.h:
1768         (JSC::CCallHelpers::setupArgumentsWithExecState):
1769         * jit/JITInlineCacheGenerator.cpp:
1770         (JSC::JITByIdGenerator::JITByIdGenerator):
1771         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
1772         * jit/JITInlineCacheGenerator.h:
1773         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
1774         * jit/JITOperations.cpp:
1775         * jit/JITOperations.h:
1776         * jit/JITPropertyAccess.cpp:
1777         (JSC::JIT::emit_op_get_by_id):
1778         (JSC::JIT::emit_op_put_by_id):
1779         * jit/JITPropertyAccess32_64.cpp:
1780         (JSC::JIT::emit_op_get_by_id):
1781         (JSC::JIT::emit_op_put_by_id):
1782         * jit/Repatch.cpp:
1783         (JSC::tryCacheGetByID):
1784         (JSC::tryBuildGetByIDList):
1785         (JSC::emitCustomSetterStub):
1786         (JSC::tryCachePutByID):
1787         (JSC::tryBuildPutByIdList):
1788         * jit/SpillRegistersMode.h: Added.
1789         * llint/LLIntSlowPaths.cpp:
1790         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1791         * runtime/Lookup.h:
1792         (JSC::putEntry):
1793         * runtime/PutPropertySlot.h:
1794         (JSC::PutPropertySlot::setCacheableCustomProperty):
1795         (JSC::PutPropertySlot::customSetter):
1796         (JSC::PutPropertySlot::isCacheablePut):
1797         (JSC::PutPropertySlot::isCacheableCustomProperty):
1798         (JSC::PutPropertySlot::cachedOffset):
1799
1800 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
1801
1802         FTL arity fixup should work on ARM64
1803         https://bugs.webkit.org/show_bug.cgi?id=129810
1804
1805         Reviewed by Michael Saboff.
1806         
1807         - Using regT5 to pass the thunk return address to arityFixup is shady since that's a
1808           callee-save.
1809         
1810         - The FTL path was assuming X86 conventions for where SP points at the top of the prologue.
1811         
1812         This makes some more tests pass.
1813
1814         * dfg/DFGJITCompiler.cpp:
1815         (JSC::DFG::JITCompiler::compileFunction):
1816         * ftl/FTLLink.cpp:
1817         (JSC::FTL::link):
1818         * jit/AssemblyHelpers.h:
1819         (JSC::AssemblyHelpers::prologueStackPointerDelta):
1820         * jit/JIT.cpp:
1821         (JSC::JIT::privateCompile):
1822         * jit/ThunkGenerators.cpp:
1823         (JSC::arityFixup):
1824         * llint/LowLevelInterpreter64.asm:
1825         * offlineasm/arm64.rb:
1826         * offlineasm/x86.rb: In addition to the t7 change, make t6 agree with GPRInfo.h.
1827
1828 2014-03-06  Mark Hahnenberg  <mhahnenberg@apple.com>
1829
1830         Fix write barriers in Repatch.cpp for !ENABLE(DFG_JIT) platforms after r165128
1831         https://bugs.webkit.org/show_bug.cgi?id=129760
1832
1833         Reviewed by Geoffrey Garen.
1834
1835         r165128 disabled the write barrier fast path for inline caches on !ENABLE(DFG_JIT) platforms. 
1836         The fix is to refactor the write barrier code into AssemblyHelpers and use that everywhere.
1837
1838         * dfg/DFGSpeculativeJIT.cpp:
1839         (JSC::DFG::SpeculativeJIT::writeBarrier):
1840         * dfg/DFGSpeculativeJIT.h:
1841         * dfg/DFGSpeculativeJIT32_64.cpp:
1842         (JSC::DFG::SpeculativeJIT::writeBarrier):
1843         * dfg/DFGSpeculativeJIT64.cpp:
1844         (JSC::DFG::SpeculativeJIT::writeBarrier):
1845         * jit/AssemblyHelpers.h:
1846         (JSC::AssemblyHelpers::checkMarkByte):
1847         * jit/JIT.h:
1848         * jit/JITPropertyAccess.cpp:
1849         * jit/Repatch.cpp:
1850         (JSC::writeBarrier):
1851
1852 2014-03-06  Joseph Pecoraro  <pecoraro@apple.com>
1853
1854         Web Inspector: Expose the console object in JSContexts to interact with Web Inspector
1855         https://bugs.webkit.org/show_bug.cgi?id=127944
1856
1857         Reviewed by Geoffrey Garen.
1858
1859         Always expose the Console object in JSContexts, just like we
1860         do for web pages. The default behavior will route to an
1861         attached JSContext inspector. This can be overridden by
1862         setting the ConsoleClient on the JSGlobalObject, which WebCore
1863         does to get slightly different behavior.
1864
1865         * CMakeLists.txt:
1866         * GNUmakefile.list.am:
1867         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1868         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1869         * JavaScriptCore.xcodeproj/project.pbxproj:
1870         Update build systems.
1871
1872         * API/tests/testapi.js:
1873         * API/tests/testapi.mm:
1874         Test that "console" exists in C and ObjC contexts.
1875
1876         * runtime/ConsoleClient.cpp: Added.
1877         (JSC::ConsoleClient::printURLAndPosition):
1878         (JSC::ConsoleClient::printMessagePrefix):
1879         (JSC::ConsoleClient::printConsoleMessage):
1880         (JSC::ConsoleClient::printConsoleMessageWithArguments):
1881         (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
1882         (JSC::ConsoleClient::logWithLevel):
1883         (JSC::ConsoleClient::clear):
1884         (JSC::ConsoleClient::dir):
1885         (JSC::ConsoleClient::dirXML):
1886         (JSC::ConsoleClient::table):
1887         (JSC::ConsoleClient::trace):
1888         (JSC::ConsoleClient::assertCondition):
1889         (JSC::ConsoleClient::group):
1890         (JSC::ConsoleClient::groupCollapsed):
1891         (JSC::ConsoleClient::groupEnd):
1892         * runtime/ConsoleClient.h: Added.
1893         (JSC::ConsoleClient::~ConsoleClient):
1894         New private interface for handling the console object's methods.
1895         A lot of the methods funnel through messageWithTypeAndLevel.
1896
1897         * runtime/ConsoleTypes.h: Renamed from Source/JavaScriptCore/inspector/ConsoleTypes.h.
1898         Moved to JSC namespace.
1899
1900         * runtime/JSGlobalObject.cpp:
1901         (JSC::JSGlobalObject::JSGlobalObject):
1902         (JSC::JSGlobalObject::init):
1903         (JSC::JSGlobalObject::reset):
1904         (JSC::JSGlobalObject::visitChildren):
1905         Create the "console" object when initializing the environment.
1906         Also set the default console client to be the JS context inspector.
1907
1908         * runtime/JSGlobalObject.h:
1909         (JSC::JSGlobalObject::setConsoleClient):
1910         (JSC::JSGlobalObject::consoleClient):
1911         Ability to change the console client, so WebCore can set a custom client.
1912
1913         * runtime/ConsolePrototype.cpp: Added.
1914         (JSC::ConsolePrototype::finishCreation):
1915         (JSC::valueToStringWithUndefinedOrNullCheck):
1916         (JSC::consoleLogWithLevel):
1917         (JSC::consoleProtoFuncDebug):
1918         (JSC::consoleProtoFuncError):
1919         (JSC::consoleProtoFuncLog):
1920         (JSC::consoleProtoFuncWarn):
1921         (JSC::consoleProtoFuncClear):
1922         (JSC::consoleProtoFuncDir):
1923         (JSC::consoleProtoFuncDirXML):
1924         (JSC::consoleProtoFuncTable):
1925         (JSC::consoleProtoFuncTrace):
1926         (JSC::consoleProtoFuncAssert):
1927         (JSC::consoleProtoFuncCount):
1928         (JSC::consoleProtoFuncProfile):
1929         (JSC::consoleProtoFuncProfileEnd):
1930         (JSC::consoleProtoFuncTime):
1931         (JSC::consoleProtoFuncTimeEnd):
1932         (JSC::consoleProtoFuncTimeStamp):
1933         (JSC::consoleProtoFuncGroup):
1934         (JSC::consoleProtoFuncGroupCollapsed):
1935         (JSC::consoleProtoFuncGroupEnd):
1936         * runtime/ConsolePrototype.h: Added.
1937         (JSC::ConsolePrototype::create):
1938         (JSC::ConsolePrototype::createStructure):
1939         (JSC::ConsolePrototype::ConsolePrototype):
1940         Define the console object interface. Parse out required / expected
1941         arguments and throw exceptions when methods are misused.
1942
1943         * runtime/JSConsole.cpp: Added.
1944         * runtime/JSConsole.h: Added.
1945         (JSC::JSConsole::createStructure):
1946         (JSC::JSConsole::create):
1947         (JSC::JSConsole::JSConsole):
1948         Empty "console" object. Everything is in the prototype.
1949
1950         * inspector/JSConsoleClient.cpp: Added.
1951         (Inspector::JSConsoleClient::JSGlobalObjectConsole):
1952         (Inspector::JSConsoleClient::count):
1953         (Inspector::JSConsoleClient::profile):
1954         (Inspector::JSConsoleClient::profileEnd):
1955         (Inspector::JSConsoleClient::time):
1956         (Inspector::JSConsoleClient::timeEnd):
1957         (Inspector::JSConsoleClient::timeStamp):
1958         (Inspector::JSConsoleClient::warnUnimplemented):
1959         (Inspector::JSConsoleClient::internalAddMessage):
1960         * inspector/JSConsoleClient.h: Added.
1961         * inspector/JSGlobalObjectInspectorController.cpp:
1962         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1963         (Inspector::JSGlobalObjectInspectorController::consoleClient):
1964         * inspector/JSGlobalObjectInspectorController.h:
1965         Default JSContext ConsoleClient implementation. Handle nearly
1966         everything except profile/profileEnd and timeStamp.
1967
1968 2014-03-06  Andreas Kling  <akling@apple.com>
1969
1970         Drop unlinked function code on memory pressure.
1971         <https://webkit.org/b/129789>
1972
1973         Make VM::discardAllCode() also drop UnlinkedFunctionCodeBlocks that
1974         are not currently being compiled.
1975
1976         4.5 MB progression on Membuster.
1977
1978         Reviewed by Geoffrey Garen.
1979
1980         * heap/Heap.cpp:
1981         (JSC::Heap::deleteAllUnlinkedFunctionCode):
1982         * heap/Heap.h:
1983         * runtime/VM.cpp:
1984         (JSC::VM::discardAllCode):
1985
1986 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
1987
1988         Clarify how we deal with "special" registers
1989         https://bugs.webkit.org/show_bug.cgi?id=129806
1990
1991         Reviewed by Michael Saboff.
1992         
1993         Previously we had two different places that defined what "stack" registers are, a thing
1994         called "specialRegisters" that had unclear meaning, and a really weird "firstRealRegister"/
1995         "secondRealRegister"/"nextRegister" idiom in MacroAssembler that appeared to only be used by
1996         one place and had a baked-in notion of what it meant for a register to be "real" or not.
1997         
1998         It's not cool to use words like "real" and "special" to describe registers, especially if you
1999         fail to qualify what that means. This originally made sense on X86 - "real" registers were
2000         the ones that weren't "stack related" (so "real" was the opposite of "stack"). But on ARM64,
2001         you also have to worry about the LR register, which we'd want to say is "not real" but it's
2002         also not a "stack" register. This got super confusing.
2003         
2004         So, this patch removes any mention of "real" registers, consolidates the knowledge of what is
2005         a "stack" register, and uses the word special only in places where it's clearly defined and
2006         where no better word comes to mind.
2007         
2008         This cleans up the code and fixes what seems like it was probably a harmless ARM64 bug: the
2009         Reg and RegisterSet data structures would sometimes think that FP was Q0. Somehow this
2010         magically didn't break anything because you never need to save/restore either FP or Q0, but
2011         it was still super weird.
2012
2013         * assembler/ARM64Assembler.h:
2014         (JSC::ARM64Assembler::lastRegister):
2015         * assembler/MacroAssembler.h:
2016         (JSC::MacroAssembler::nextRegister):
2017         * ftl/FTLLocation.cpp:
2018         (JSC::FTL::Location::restoreInto):
2019         * ftl/FTLSaveRestore.cpp:
2020         (JSC::FTL::saveAllRegisters):
2021         (JSC::FTL::restoreAllRegisters):
2022         * ftl/FTLSlowPathCall.cpp:
2023         * jit/RegisterSet.cpp:
2024         (JSC::RegisterSet::reservedHardwareRegisters):
2025         (JSC::RegisterSet::runtimeRegisters):
2026         (JSC::RegisterSet::specialRegisters):
2027         (JSC::RegisterSet::calleeSaveRegisters):
2028         * jit/RegisterSet.h:
2029
2030 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
2031
2032         Unreviewed, fix build.
2033
2034         * disassembler/ARM64Disassembler.cpp:
2035
2036 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
2037
2038         Use the LLVM disassembler on ARM64 if we are enabling the FTL
2039         https://bugs.webkit.org/show_bug.cgi?id=129785
2040
2041         Reviewed by Geoffrey Garen.
2042         
2043         Our disassembler can't handle some of the code sequences that LLVM emits. LLVM's disassembler
2044         is strictly more capable at this point. Use it if it's available.
2045
2046         * disassembler/ARM64Disassembler.cpp:
2047         (JSC::tryToDisassemble):
2048
2049 2014-03-05  Joseph Pecoraro  <pecoraro@apple.com>
2050
2051         Web Inspector: Reduce RWI message frequency
2052         https://bugs.webkit.org/show_bug.cgi?id=129767
2053
2054         Reviewed by Timothy Hatcher.
2055
2056         This used to be 0.2s and changed by accident to 0.02s.
2057
2058         * inspector/remote/RemoteInspector.mm:
2059         (Inspector::RemoteInspector::pushListingSoon):
2060
2061 2014-03-05  Commit Queue  <commit-queue@webkit.org>
2062
2063         Unreviewed, rolling out r165141, r165157, and r165158.
2064         http://trac.webkit.org/changeset/165141
2065         http://trac.webkit.org/changeset/165157
2066         http://trac.webkit.org/changeset/165158
2067         https://bugs.webkit.org/show_bug.cgi?id=129772
2068
2069         "broke ftl" (Requested by olliej_ on #webkit).
2070
2071         * JavaScriptCore.xcodeproj/project.pbxproj:
2072         * bytecode/PolymorphicPutByIdList.cpp:
2073         (JSC::PutByIdAccess::visitWeak):
2074         (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
2075         (JSC::PolymorphicPutByIdList::from):
2076         * bytecode/PolymorphicPutByIdList.h:
2077         (JSC::PutByIdAccess::transition):
2078         (JSC::PutByIdAccess::replace):
2079         (JSC::PutByIdAccess::oldStructure):
2080         (JSC::PutByIdAccess::chain):
2081         (JSC::PutByIdAccess::stubRoutine):
2082         * bytecode/PutByIdStatus.cpp:
2083         (JSC::PutByIdStatus::computeForStubInfo):
2084         (JSC::PutByIdStatus::computeFor):
2085         (JSC::PutByIdStatus::dump):
2086         * bytecode/PutByIdStatus.h:
2087         (JSC::PutByIdStatus::PutByIdStatus):
2088         (JSC::PutByIdStatus::takesSlowPath):
2089         * bytecode/StructureStubInfo.h:
2090         * dfg/DFGAbstractInterpreterInlines.h:
2091         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2092         * dfg/DFGByteCodeParser.cpp:
2093         (JSC::DFG::ByteCodeParser::emitPutById):
2094         (JSC::DFG::ByteCodeParser::handlePutById):
2095         * dfg/DFGClobberize.h:
2096         (JSC::DFG::clobberize):
2097         * dfg/DFGCommon.h:
2098         * dfg/DFGConstantFoldingPhase.cpp:
2099         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2100         * dfg/DFGFixupPhase.cpp:
2101         (JSC::DFG::FixupPhase::fixupNode):
2102         * dfg/DFGNode.h:
2103         (JSC::DFG::Node::hasIdentifier):
2104         * dfg/DFGNodeType.h:
2105         * dfg/DFGPredictionPropagationPhase.cpp:
2106         (JSC::DFG::PredictionPropagationPhase::propagate):
2107         * dfg/DFGSafeToExecute.h:
2108         (JSC::DFG::safeToExecute):
2109         * dfg/DFGSpeculativeJIT.cpp:
2110         (JSC::DFG::SpeculativeJIT::compileIn):
2111         * dfg/DFGSpeculativeJIT.h:
2112         * dfg/DFGSpeculativeJIT32_64.cpp:
2113         (JSC::DFG::SpeculativeJIT::cachedGetById):
2114         (JSC::DFG::SpeculativeJIT::cachedPutById):
2115         (JSC::DFG::SpeculativeJIT::compile):
2116         * dfg/DFGSpeculativeJIT64.cpp:
2117         (JSC::DFG::SpeculativeJIT::cachedGetById):
2118         (JSC::DFG::SpeculativeJIT::cachedPutById):
2119         (JSC::DFG::SpeculativeJIT::compile):
2120         * ftl/FTLCompile.cpp:
2121         (JSC::FTL::fixFunctionBasedOnStackMaps):
2122         * jit/CCallHelpers.h:
2123         (JSC::CCallHelpers::setupArgumentsWithExecState):
2124         * jit/JITInlineCacheGenerator.cpp:
2125         (JSC::JITByIdGenerator::JITByIdGenerator):
2126         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
2127         * jit/JITInlineCacheGenerator.h:
2128         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
2129         * jit/JITOperations.cpp:
2130         * jit/JITOperations.h:
2131         * jit/JITPropertyAccess.cpp:
2132         (JSC::JIT::emit_op_get_by_id):
2133         (JSC::JIT::emit_op_put_by_id):
2134         * jit/JITPropertyAccess32_64.cpp:
2135         (JSC::JIT::emit_op_get_by_id):
2136         (JSC::JIT::emit_op_put_by_id):
2137         * jit/Repatch.cpp:
2138         (JSC::tryCacheGetByID):
2139         (JSC::tryBuildGetByIDList):
2140         (JSC::tryCachePutByID):
2141         (JSC::tryBuildPutByIdList):
2142         * jit/SpillRegistersMode.h: Removed.
2143         * llint/LLIntSlowPaths.cpp:
2144         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2145         * runtime/Lookup.h:
2146         (JSC::putEntry):
2147         * runtime/PutPropertySlot.h:
2148         (JSC::PutPropertySlot::isCacheable):
2149         (JSC::PutPropertySlot::cachedOffset):
2150
2151 2014-03-05  Joseph Pecoraro  <pecoraro@apple.com>
2152
2153         Web Inspector: Prevent possible deadlock in view indication
2154         https://bugs.webkit.org/show_bug.cgi?id=129766
2155
2156         Reviewed by Geoffrey Garen.
2157
2158         * inspector/remote/RemoteInspector.mm:
2159         (Inspector::RemoteInspector::receivedIndicateMessage):
2160
2161 2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>
2162
2163         JSObject::fastGetOwnPropertySlot does a slow check for OverridesGetOwnPropertySlot
2164         https://bugs.webkit.org/show_bug.cgi?id=129754
2165
2166         Reviewed by Geoffrey Garen.
2167
2168         InlineTypeFlags are stored in JSCell, so we can just load those instead of going through the TypeInfo.
2169
2170         * runtime/JSCell.h:
2171         (JSC::JSCell::inlineTypeFlags):
2172         * runtime/JSObject.h:
2173         (JSC::JSObject::fastGetOwnPropertySlot):
2174         * runtime/JSTypeInfo.h:
2175         (JSC::TypeInfo::TypeInfo):
2176         (JSC::TypeInfo::overridesGetOwnPropertySlot):
2177
2178 2014-03-05  Joseph Pecoraro  <pecoraro@apple.com>
2179
2180         Web Inspector: ASSERTION FAILED: m_javaScriptBreakpoints.isEmpty()
2181         https://bugs.webkit.org/show_bug.cgi?id=129763
2182
2183         Reviewed by Geoffrey Garen.
2184
2185         Clear the list of all breakpoints, including unresolved breakpoints.
2186
2187         * inspector/agents/InspectorDebuggerAgent.cpp:
2188         (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
2189
2190 2014-03-05  Mark Lam  <mark.lam@apple.com>
2191
2192         llint_slow_path_check_has_instance() should not adjust PC before accessing operands.
2193         <https://webkit.org/b/129768>
2194
2195         Reviewed by Mark Hahnenberg.
2196
2197         When evaluating "a instanceof b" where b is an object that ImplementsHasInstance
2198         and OverridesHasInstance (e.g. a bound function), the LLINT will take the slow
2199         path llint_slow_path_check_has_instance(), and execute a code path that does the
2200         following:
2201         1. Adjusts the byte code PC to the jump target PC.
2202         2. For the purpose of storing the result, get the result registerIndex from the
2203            1st operand using the PC as if the PC is still pointing to op_check_has_instance
2204            bytecode.
2205
2206         The result is that whatever value resides after where the jump target PC is will
2207         be used as a result register value.  Depending on what that value is, the result
2208         can be:
2209         1. the code coincidently works correctly
2210         2. memory corruption
2211         3. crashes
2212
2213         The fix is to only adjust the byte code PC after we have stored the result.
2214         
2215         * llint/LLIntSlowPaths.cpp:
2216         (llint_slow_path_check_has_instance):
2217
2218 2014-03-05  Ryosuke Niwa  <rniwa@webkit.org>
2219
2220         Another build fix attempt after r165141.
2221
2222         * ftl/FTLCompile.cpp:
2223         (JSC::FTL::fixFunctionBasedOnStackMaps):
2224
2225 2014-03-05  Ryosuke Niwa  <rniwa@webkit.org>
2226
2227         FTL build fix attempt after r165141.
2228
2229         * ftl/FTLCompile.cpp:
2230         (JSC::FTL::fixFunctionBasedOnStackMaps):
2231
2232 2014-03-05  Gavin Barraclough  <barraclough@apple.com>
2233
2234         https://bugs.webkit.org/show_bug.cgi?id=128625
2235         Add fast mapping from StringImpl to JSString
2236
2237         Unreviewed roll-out.
2238
2239         Reverting r164347, r165054, r165066 - not clear the performance tradeoff was right.
2240
2241         * runtime/JSString.cpp:
2242         * runtime/JSString.h:
2243         * runtime/VM.cpp:
2244         (JSC::VM::createLeaked):
2245         * runtime/VM.h:
2246
2247 2014-03-03  Oliver Hunt  <oliver@apple.com>
2248
2249         Support caching of custom setters
2250         https://bugs.webkit.org/show_bug.cgi?id=129519
2251
2252         Reviewed by Filip Pizlo.
2253
2254         This patch adds caching of assignment to properties that
2255         are backed by C functions. This provides most of the leg
2256         work required to start supporting setters, and resolves
2257         the remaining regressions from moving DOM properties up
2258         the prototype chain.
2259
2260         * JavaScriptCore.xcodeproj/project.pbxproj:
2261         * bytecode/PolymorphicPutByIdList.cpp:
2262         (JSC::PutByIdAccess::visitWeak):
2263         (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
2264         (JSC::PolymorphicPutByIdList::from):
2265         * bytecode/PolymorphicPutByIdList.h:
2266         (JSC::PutByIdAccess::transition):
2267         (JSC::PutByIdAccess::replace):
2268         (JSC::PutByIdAccess::customSetter):
2269         (JSC::PutByIdAccess::isCustom):
2270         (JSC::PutByIdAccess::oldStructure):
2271         (JSC::PutByIdAccess::chain):
2272         (JSC::PutByIdAccess::stubRoutine):
2273         * bytecode/PutByIdStatus.cpp:
2274         (JSC::PutByIdStatus::computeForStubInfo):
2275         (JSC::PutByIdStatus::computeFor):
2276         (JSC::PutByIdStatus::dump):
2277         * bytecode/PutByIdStatus.h:
2278         (JSC::PutByIdStatus::PutByIdStatus):
2279         (JSC::PutByIdStatus::takesSlowPath):
2280         (JSC::PutByIdStatus::makesCalls):
2281         * bytecode/StructureStubInfo.h:
2282         * dfg/DFGAbstractInterpreterInlines.h:
2283         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2284         * dfg/DFGByteCodeParser.cpp:
2285         (JSC::DFG::ByteCodeParser::emitPutById):
2286         (JSC::DFG::ByteCodeParser::handlePutById):
2287         * dfg/DFGClobberize.h:
2288         (JSC::DFG::clobberize):
2289         * dfg/DFGCommon.h:
2290         * dfg/DFGConstantFoldingPhase.cpp:
2291         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2292         * dfg/DFGFixupPhase.cpp:
2293         (JSC::DFG::FixupPhase::fixupNode):
2294         * dfg/DFGNode.h:
2295         (JSC::DFG::Node::hasIdentifier):
2296         * dfg/DFGNodeType.h:
2297         * dfg/DFGPredictionPropagationPhase.cpp:
2298         (JSC::DFG::PredictionPropagationPhase::propagate):
2299         * dfg/DFGSafeToExecute.h:
2300         (JSC::DFG::safeToExecute):
2301         * dfg/DFGSpeculativeJIT.cpp:
2302         (JSC::DFG::SpeculativeJIT::compileIn):
2303         * dfg/DFGSpeculativeJIT.h:
2304         * dfg/DFGSpeculativeJIT32_64.cpp:
2305         (JSC::DFG::SpeculativeJIT::cachedGetById):
2306         (JSC::DFG::SpeculativeJIT::cachedPutById):
2307         (JSC::DFG::SpeculativeJIT::compile):
2308         * dfg/DFGSpeculativeJIT64.cpp:
2309         (JSC::DFG::SpeculativeJIT::cachedGetById):
2310         (JSC::DFG::SpeculativeJIT::cachedPutById):
2311         (JSC::DFG::SpeculativeJIT::compile):
2312         * jit/CCallHelpers.h:
2313         (JSC::CCallHelpers::setupArgumentsWithExecState):
2314         * jit/JITInlineCacheGenerator.cpp:
2315         (JSC::JITByIdGenerator::JITByIdGenerator):
2316         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
2317         * jit/JITInlineCacheGenerator.h:
2318         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
2319         * jit/JITOperations.cpp:
2320         * jit/JITOperations.h:
2321         * jit/JITPropertyAccess.cpp:
2322         (JSC::JIT::emit_op_get_by_id):
2323         (JSC::JIT::emit_op_put_by_id):
2324         * jit/JITPropertyAccess32_64.cpp:
2325         (JSC::JIT::emit_op_get_by_id):
2326         (JSC::JIT::emit_op_put_by_id):
2327         * jit/Repatch.cpp:
2328         (JSC::tryCacheGetByID):
2329         (JSC::tryBuildGetByIDList):
2330         (JSC::emitCustomSetterStub):
2331         (JSC::tryCachePutByID):
2332         (JSC::tryBuildPutByIdList):
2333         * jit/SpillRegistersMode.h: Added.
2334         * llint/LLIntSlowPaths.cpp:
2335         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2336         * runtime/Lookup.h:
2337         (JSC::putEntry):
2338         * runtime/PutPropertySlot.h:
2339         (JSC::PutPropertySlot::setCacheableCustomProperty):
2340         (JSC::PutPropertySlot::customSetter):
2341         (JSC::PutPropertySlot::isCacheablePut):
2342         (JSC::PutPropertySlot::isCacheableCustomProperty):
2343         (JSC::PutPropertySlot::cachedOffset):
2344
2345 2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>
2346
2347         JSCell::m_gcData should encode its information differently
2348         https://bugs.webkit.org/show_bug.cgi?id=129741
2349
2350         Reviewed by Geoffrey Garen.
2351
2352         We want to keep track of three GC states for an object:
2353
2354         1. Not marked (which implies not in the remembered set)
2355         2. Marked but not in the remembered set
2356         3. Marked and in the remembered set
2357         
2358         Currently we only indicate marked vs. not marked in JSCell::m_gcData. During a write 
2359         barrier, we only want to take the slow path if the object being stored to is in state #2. 
2360         We'd like to make the test for state #2 as fast as possible, which means making it a 
2361         compare against 0.
2362
2363         * dfg/DFGOSRExitCompilerCommon.cpp:
2364         (JSC::DFG::osrWriteBarrier):
2365         * dfg/DFGSpeculativeJIT.cpp:
2366         (JSC::DFG::SpeculativeJIT::checkMarkByte):
2367         (JSC::DFG::SpeculativeJIT::writeBarrier):
2368         * dfg/DFGSpeculativeJIT.h:
2369         * dfg/DFGSpeculativeJIT32_64.cpp:
2370         (JSC::DFG::SpeculativeJIT::writeBarrier):
2371         * dfg/DFGSpeculativeJIT64.cpp:
2372         (JSC::DFG::SpeculativeJIT::writeBarrier):
2373         * ftl/FTLLowerDFGToLLVM.cpp:
2374         (JSC::FTL::LowerDFGToLLVM::allocateCell):
2375         (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
2376         * heap/Heap.cpp:
2377         (JSC::Heap::clearRememberedSet):
2378         (JSC::Heap::addToRememberedSet):
2379         * jit/AssemblyHelpers.h:
2380         (JSC::AssemblyHelpers::checkMarkByte):
2381         * jit/JIT.h:
2382         * jit/JITPropertyAccess.cpp:
2383         (JSC::JIT::checkMarkByte):
2384         (JSC::JIT::emitWriteBarrier):
2385         * jit/Repatch.cpp:
2386         (JSC::writeBarrier):
2387         * llint/LowLevelInterpreter.asm:
2388         * llint/LowLevelInterpreter32_64.asm:
2389         * llint/LowLevelInterpreter64.asm:
2390         * runtime/JSCell.h:
2391         (JSC::JSCell::mark):
2392         (JSC::JSCell::remember):
2393         (JSC::JSCell::forget):
2394         (JSC::JSCell::isMarked):
2395         (JSC::JSCell::isRemembered):
2396         * runtime/JSCellInlines.h:
2397         (JSC::JSCell::JSCell):
2398         * runtime/StructureIDBlob.h:
2399         (JSC::StructureIDBlob::StructureIDBlob):
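
A constructed encoding of the three states listed above, added as an example rather than JSC's own JSCell code; it shows why giving state #2 the value 0 turns the barrier's only interesting case into a compare against zero (the enum values, Cell type and helper names are assumptions):

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed model of the three GC states the entry lists, chosen so that
// state #2 (marked, not remembered) is the value 0. The real JSCell::m_gcData
// encoding is not reproduced here; only the property the barrier relies on is.
enum GCState : uint8_t {
    Marked = 0,               // state #2: survived a GC, not in the remembered set
    NotMarked = 1,            // state #1: not marked, which implies not remembered
    MarkedAndRemembered = 2,  // state #3: marked and in the remembered set
};

struct Cell {
    uint8_t gcData = NotMarked;  // new objects start out unmarked
};

bool isMarked(const Cell& c) { return c.gcData != NotMarked; }
bool isRemembered(const Cell& c) { return c.gcData == MarkedAndRemembered; }

void mark(Cell& c)     { c.gcData = Marked; }               // mark phase
void remember(Cell& c) { c.gcData = MarkedAndRemembered; }  // add to remembered set
void forget(Cell& c)   { c.gcData = Marked; }               // remembered set cleared

// Write barrier for "owner.field = value": the only owner that needs work is one
// in state #2, so the fast path is a single compare of gcData against 0.
// Returns true when the slow path ran (owner was added to the remembered set).
bool writeBarrier(Cell& owner, std::vector<Cell*>& rememberedSet) {
    if (owner.gcData)          // NotMarked or MarkedAndRemembered: nothing to do
        return false;
    remember(owner);
    rememberedSet.push_back(&owner);
    return true;
}

// After an eden collection the remembered set is drained and every cell in it
// returns to state #2, so the next store into it takes the slow path again.
void clearRememberedSet(std::vector<Cell*>& rememberedSet) {
    for (Cell* c : rememberedSet)
        forget(*c);
    rememberedSet.clear();
}

// Walks one object through a full cycle and counts barrier slow paths: none
// while unmarked, one after marking, none while remembered, one after the set
// is cleared; two in total.
int barrierSlowPathsOverCycle() {
    Cell old;
    std::vector<Cell*> rs;
    int slow = 0;
    slow += writeBarrier(old, rs);   // eden object: fast path
    mark(old);                       // survives a GC -> state #2
    slow += writeBarrier(old, rs);   // first store: slow path, now remembered
    slow += writeBarrier(old, rs);   // already remembered: fast path
    clearRememberedSet(rs);          // eden GC done -> back to state #2
    slow += writeBarrier(old, rs);   // slow path again
    return slow;
}

int main() {
    std::printf("slow paths over one cycle: %d\n", barrierSlowPathsOverCycle());
    return 0;
}
```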
2400
2401 2014-03-05  Filip Pizlo  <fpizlo@apple.com>
2402
2403         More FTL ARM fixes
2404         https://bugs.webkit.org/show_bug.cgi?id=129755
2405
2406         Reviewed by Geoffrey Garen.
2407         
2408         - Be more defensive about inline caches that have degenerate chains.
2409         
2410         - Temporarily switch to allocating all MCJIT memory in the executable pool on non-x86
2411           platforms. The bug tracking the real fix is: https://bugs.webkit.org/show_bug.cgi?id=129756
2412         
2413         - Don't even emit intrinsic declarations on non-x86 platforms.
2414         
2415         - More debug printing support.
2416         
2417         - Don't use vmCall() in the prologue. This should have crashed on all platforms all the time
2418           but somehow it gets lucky on x86.
2419
2420         * bytecode/GetByIdStatus.cpp:
2421         (JSC::GetByIdStatus::appendVariant):
2422         (JSC::GetByIdStatus::computeForChain):
2423         (JSC::GetByIdStatus::computeForStubInfo):
2424         * bytecode/GetByIdStatus.h:
2425         * bytecode/PutByIdStatus.cpp:
2426         (JSC::PutByIdStatus::appendVariant):
2427         (JSC::PutByIdStatus::computeForStubInfo):
2428         * bytecode/PutByIdStatus.h:
2429         * bytecode/StructureSet.h:
2430         (JSC::StructureSet::overlaps):
2431         * ftl/FTLCompile.cpp:
2432         (JSC::FTL::mmAllocateDataSection):
2433         * ftl/FTLDataSection.cpp:
2434         (JSC::FTL::DataSection::DataSection):
2435         (JSC::FTL::DataSection::~DataSection):
2436         * ftl/FTLDataSection.h:
2437         * ftl/FTLLowerDFGToLLVM.cpp:
2438         (JSC::FTL::LowerDFGToLLVM::lower):
2439         * ftl/FTLOutput.h:
2440         (JSC::FTL::Output::doubleSin):
2441         (JSC::FTL::Output::doubleCos):
2442         * runtime/JSCJSValue.cpp:
2443         (JSC::JSValue::dumpInContext):
2444         * runtime/JSCell.h:
2445         (JSC::JSCell::structureID):
2446
2447 2014-03-05  peavo@outlook.com  <peavo@outlook.com>
2448
2449         [Win32][LLINT] Crash when running JSC stress tests.
2450         https://bugs.webkit.org/show_bug.cgi?id=129429
2451
2452         On Windows the reserved stack space consists of committed memory, a guard page, and uncommitted memory,
2453         where the guard page is a barrier between committed and uncommitted memory.
2454         When data from the guard page is read or written, the guard page is moved, and memory is committed.
2455         This is how the system grows the stack.
2456         When using the C stack on Windows we need to precommit the needed stack space.
2457         Otherwise we might crash later if we access uncommitted stack memory.
2458         This can happen if we allocate stack space larger than the page guard size (4K).
2459         The system does not get the chance to move the guard page, and commit more memory,
2460         and we crash if uncommitted memory is accessed.
2461         The MSVC compiler fixes this by inserting a call to the _chkstk() function,
2462         when needed, see http://support.microsoft.com/kb/100775.
2463
2464         Reviewed by Geoffrey Garen.
2465
2466         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Enable LLINT.
2467         * jit/Repatch.cpp:
2468         (JSC::writeBarrier): Compile fix when DFG_JIT is not enabled.
2469         * offlineasm/x86.rb: Compile fix, and small simplification.
2470         * runtime/VM.cpp:
2471         (JSC::preCommitStackMemory): Added function to precommit stack memory.
2472         (JSC::VM::updateStackLimit): Call function to precommit stack memory when stack limit is updated.
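
An added example of the page-at-a-time precommit this entry describes; it is not the VM's preCommitStackMemory(), and the 256 KiB reserve size is constructed for illustration:

```cpp
#include <cstddef>
#include <cstdio>

// Added example modelled on the precommit the entry describes (touch the stack
// one page at a time, as _chkstk does); it is not the VM's own
// preCommitStackMemory(). The reserve size is constructed for the example.
constexpr size_t kPageSize = 4096;                  // guard page size named in the entry
constexpr size_t kReserveBytes = 64 * kPageSize;    // 256 KiB of stack to commit

// Touches one byte in every page of a kReserveBytes block on the stack, walking
// from the highest address downward. Each touch of the guard page moves the
// guard one page down and commits the page behind it, so a later large frame
// cannot skip past the guard and fault on uncommitted memory.
// Returns the number of pages touched.
size_t preCommitStackPages() {
    volatile unsigned char reserve[kReserveBytes];  // the block we want committed
    size_t pages = 0;
    for (size_t i = kReserveBytes; i > 0; i -= kPageSize) {
        unsigned char ch = reserve[i - 1];   // read ...
        reserve[i - 1] = ch;                 // ... and write back; contents unchanged
        ++pages;
    }
    return pages;
}

// The condition the entry gives for the crash: a single allocation larger than
// the guard page can land below the guard without ever touching it.
bool frameCanSkipGuardPage(size_t frameBytes) { return frameBytes > kPageSize; }

int main() {
    std::printf("touched %zu pages\n", preCommitStackPages());
    return 0;
}
```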
2473
2474 2014-03-05  Michael Saboff  <msaboff@apple.com>
2475
2476         JSDataViewPrototype::getData() and setData() crash on platforms that don't allow unaligned accesses
2477         https://bugs.webkit.org/show_bug.cgi?id=129746
2478
2479         Reviewed by Filip Pizlo.
2480
2481         Changed to use a union to manually assemble or disassemble the various types
2482         from / to the corresponding bytes.  All memory access is now done using
2483         byte accesses.
2484
2485         * runtime/JSDataViewPrototype.cpp:
2486         (JSC::getData):
2487         (JSC::setData):
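
An added example of the byte-wise union approach described above; it is not the JSDataViewPrototype code, and the getData/setData names, the Bytes union and the sample buffer are assumptions:

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Added example modelled on the approach the entry describes: a union is filled
// byte by byte, so the host never performs a wider-than-byte load or store on a
// possibly unaligned address. Not JSC's JSDataViewPrototype code; the sample
// buffer is constructed for the example.

// Host byte order, determined at run time.
bool hostIsLittleEndian() {
    const uint16_t probe = 1;
    uint8_t firstByte;
    std::memcpy(&firstByte, &probe, 1);
    return firstByte == 1;
}

// Type-punning union: GCC and Clang define reading the other member.
template <typename T>
union Bytes {
    T value;
    uint8_t bytes[sizeof(T)];
};

// Like DataView.prototype.getXxx(byteOffset, littleEndian): assembles a T from
// the bytes at byteOffset. Returns false, leaving `out` untouched, when the
// access would run past the end of the buffer (DataView's RangeError case).
template <typename T>
bool getData(const std::vector<uint8_t>& buffer, size_t byteOffset, bool littleEndian, T& out) {
    if (byteOffset > buffer.size() || buffer.size() - byteOffset < sizeof(T))
        return false;
    const bool swap = (littleEndian != hostIsLittleEndian());
    Bytes<T> u;
    for (size_t i = 0; i < sizeof(T); ++i)
        u.bytes[swap ? sizeof(T) - 1 - i : i] = buffer[byteOffset + i];
    out = u.value;
    return true;
}

// Like DataView.prototype.setXxx(byteOffset, value, littleEndian): disassembles
// `value` into bytes and stores them one at a time.
template <typename T>
bool setData(std::vector<uint8_t>& buffer, size_t byteOffset, bool littleEndian, T value) {
    if (byteOffset > buffer.size() || buffer.size() - byteOffset < sizeof(T))
        return false;
    const bool swap = (littleEndian != hostIsLittleEndian());
    Bytes<T> u;
    u.value = value;
    for (size_t i = 0; i < sizeof(T); ++i)
        buffer[byteOffset + i] = u.bytes[swap ? sizeof(T) - 1 - i : i];
    return true;
}

// Constructed 6-byte buffer: a little-endian float32 1.0 followed by 0x01 0x02.
std::vector<uint8_t> sampleBuffer() {
    return { 0x00, 0x00, 0x80, 0x3F, 0x01, 0x02 };
}
```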
2488
2489 2014-03-05  Filip Pizlo  <fpizlo@apple.com>
2490
2491         FTL loadStructure always generates invalid IR
2492         https://bugs.webkit.org/show_bug.cgi?id=129747
2493
2494         Reviewed by Mark Hahnenberg.
2495
2496         As the comment at the top of FTL::Output states, the FTL doesn't use LLVM's notion
2497         of pointers. LLVM's notion of pointers tries to model C, in the sense that you have
2498         to have a pointer to a type, and you can only load things of that type from that
2499         pointer. Pointer arithmetic is basically not possible except through the bizarre
2500         getelementptr operator. This doesn't fit with how the JS object model works since
2501         the JS object model doesn't consist of nice and tidy C types placed in C arrays.
2502         Also, it would be impossible to use getelementptr and LLVM pointers for accessing
2503         any of JSC's C or C++ objects unless we went through the exercise of redeclaring
2504         all of our fundamental data structures in LLVM IR as LLVM types. Clang could do
2505         this for us, but that would require that to use the FTL, JSC itself would have to
2506         be compiled with clang. Worse, it would have to be compiled with a clang that uses
2507         a version of LLVM that is compatible with the one against which the FTL is linked.
2508         Yuck!
2509
2510         The solution is to NEVER use LLVM pointers. This has always been the case in the
2511         FTL. But it causes some confusion.
2512         
2513         Not using LLVM pointers means that if the FTL has a "pointer", it's actually a
2514         pointer-wide integer (m_out.intPtr in FTL-speak). The act of "loading" and
2515         "storing" from or to a pointer involves first bitcasting the intPtr to a real LLVM
2516         pointer that has the type that we want. The load and store operations over pointers
2517         are called Output::load* and Output::store*, where * is one of "8", "16", "32",
2518         "64", "Ptr", "Float", or "Double".
2519         
2520         There is unavoidable confusion here. It would be bizarre for the FTL to call its
2521         "pointer-wide integers" anything other than "pointers", since they are, in all
2522         respects that we care about, simply pointers. But they are *not* LLVM pointers and
2523         they never will be that.
2524         
2525         There is one exception to this "no pointers" rule. The FTL does use actual LLVM
2526         pointers for referring to LLVM alloca's - i.e. local variables. To try to reduce
2527         confusion, we call these "references". So an "FTL reference" is actually an "LLVM
2528         pointer", while an "FTL pointer" is actually an "LLVM integer". FTL references have
2529         methods for access called Output::get and Output::set. These lower to LLVM load
2530         and store, since FTL references are just LLVM pointers.
2531         
2532         This confusion appears to have led to incorrect code in loadStructure().
2533         loadStructure() was using get() and set() to access FTL pointers. But those methods
2534         don't work on FTL pointers and never will, since they are for FTL references.
2535         
2536         The worst part of this is that it was previously impossible to have test coverage
2537         for the relevant path (MasqueradesAsUndefined) without writing a DRT test. This
2538         patch fixes this by introducing a Masquerader object to jsc.cpp.
2539         
2540         * ftl/FTLAbstractHeapRepository.h: Add an abstract heap for the structure table.
2541         * ftl/FTLLowerDFGToLLVM.cpp:
2542         (JSC::FTL::LowerDFGToLLVM::loadStructure): This was wrong.
2543         * ftl/FTLOutput.h: Add a comment to dissuade people from using get() and set().
2544         * jsc.cpp: Give us the power to test for MasqueradesAsUndefined.
2545         (WTF::Masquerader::Masquerader):
2546         (WTF::Masquerader::create):
2547         (WTF::Masquerader::createStructure):
2548         (GlobalObject::finishCreation):
2549         (functionMakeMasquerader):
2550         * tests/stress/equals-masquerader.js: Added.
2551         (foo):
2552         (test):
2553
2554 2014-03-05  Anders Carlsson  <andersca@apple.com>
2555
2556         Tweak after r165109 to avoid extra copies
2557         https://bugs.webkit.org/show_bug.cgi?id=129745
2558
2559         Reviewed by Geoffrey Garen.
2560
2561         * heap/Heap.cpp:
2562         (JSC::Heap::visitProtectedObjects):
2563         (JSC::Heap::visitTempSortVectors):
2564         (JSC::Heap::clearRememberedSet):
2565         * heap/Heap.h:
2566         (JSC::Heap::forEachProtectedCell):
2567
2568 2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>
2569
2570         DFGStoreBarrierElisionPhase should use GCState directly instead of m_gcClobberSet when calling writesOverlap()
2571         https://bugs.webkit.org/show_bug.cgi?id=129717
2572
2573         Reviewed by Filip Pizlo.
2574
2575         * dfg/DFGStoreBarrierElisionPhase.cpp:
2576         (JSC::DFG::StoreBarrierElisionPhase::StoreBarrierElisionPhase):
2577         (JSC::DFG::StoreBarrierElisionPhase::couldCauseGC):
2578
2579 2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>
2580
2581         Use range-based loops where possible in Heap methods
2582         https://bugs.webkit.org/show_bug.cgi?id=129513
2583
2584         Reviewed by Mark Lam.
2585
2586         Replace old school iterator based loops with the new range-based loop hotness
2587         for a better tomorrow.
2588
2589         * heap/CodeBlockSet.cpp:
2590         (JSC::CodeBlockSet::~CodeBlockSet):
2591         (JSC::CodeBlockSet::clearMarks):
2592         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
2593         (JSC::CodeBlockSet::traceMarked):
2594         * heap/Heap.cpp:
2595         (JSC::Heap::visitProtectedObjects):
2596         (JSC::Heap::visitTempSortVectors):
2597         (JSC::Heap::clearRememberedSet):
2598         * heap/Heap.h:
2599         (JSC::Heap::forEachProtectedCell):
2600
2601 2014-03-04  Filip Pizlo  <fpizlo@apple.com>
2602
2603         DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
2604         https://bugs.webkit.org/show_bug.cgi?id=129563
2605
2606         Reviewed by Geoffrey Garen.
2607         
2608         Rolling this back in after fixing an assertion failure. speculateMisc() should have
2609         said DFG_TYPE_CHECK instead of typeCheck.
2610         
2611         This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
2612         when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
2613         user of this was EarleyBoyer, and in that benchmark what it was really doing was
2614         comparing undefined, null, and booleans to each other.
2615         
2616         This also adds support for miscellaneous things that I needed to make my various test
2617         cases work. This includes comparison over booleans and the various Throw-related node
2618         types.
2619         
2620         This also improves constant folding of CompareStrictEq and CompareEq.
2621         
2622         Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
2623         based on profiling, which caused some downstream badness. We don't actually support
2624         compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just
2625         emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it
2626         shouldn't factor out the bounds check since the access is not InBounds but then the
2627         backend would ignore the flag and assume that the bounds check was already emitted.
2628         This showed up on an existing test but I added a test for this explicitly to have more
2629         certain coverage. The fix is to not mark something as OutOfBounds if the semantics are
2630         that we'll have a bounds check anyway.
2631         
2632         This is a 1% speed-up on Octane mostly because of raytrace, but also because of just
2633         general progressions across the board. No speed-up yet on EarleyBoyer, since there is
2634         still a lot more coverage work to be done there.
2635
2636         * bytecode/SpeculatedType.cpp:
2637         (JSC::speculationToAbbreviatedString):
2638         (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
2639         (JSC::valuesCouldBeEqual):
2640         * bytecode/SpeculatedType.h:
2641         (JSC::isMiscSpeculation):
2642         * dfg/DFGAbstractInterpreterInlines.h:
2643         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2644         * dfg/DFGArrayMode.cpp:
2645         (JSC::DFG::ArrayMode::refine):
2646         * dfg/DFGArrayMode.h:
2647         * dfg/DFGFixupPhase.cpp:
2648         (JSC::DFG::FixupPhase::fixupNode):
2649         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
2650         * dfg/DFGNode.h:
2651         (JSC::DFG::Node::shouldSpeculateMisc):
2652         * dfg/DFGSafeToExecute.h:
2653         (JSC::DFG::SafeToExecuteEdge::operator()):
2654         * dfg/DFGSpeculativeJIT.cpp:
2655         (JSC::DFG::SpeculativeJIT::compileStrictEq):
2656         (JSC::DFG::SpeculativeJIT::speculateMisc):
2657         (JSC::DFG::SpeculativeJIT::speculate):
2658         * dfg/DFGSpeculativeJIT.h:
2659         * dfg/DFGSpeculativeJIT32_64.cpp:
2660         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
2661         * dfg/DFGSpeculativeJIT64.cpp:
2662         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
2663         * dfg/DFGUseKind.cpp:
2664         (WTF::printInternal):
2665         * dfg/DFGUseKind.h:
2666         (JSC::DFG::typeFilterFor):
2667         * ftl/FTLCapabilities.cpp:
2668         (JSC::FTL::canCompile):
2669         * ftl/FTLLowerDFGToLLVM.cpp:
2670         (JSC::FTL::LowerDFGToLLVM::compileNode):
2671         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
2672         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
2673         (JSC::FTL::LowerDFGToLLVM::compileThrow):
2674         (JSC::FTL::LowerDFGToLLVM::isNotMisc):
2675         (JSC::FTL::LowerDFGToLLVM::isMisc):
2676         (JSC::FTL::LowerDFGToLLVM::speculate):
2677         (JSC::FTL::LowerDFGToLLVM::speculateMisc):
2678         * tests/stress/float32-array-out-of-bounds.js: Added.
2679         * tests/stress/weird-equality-folding-cases.js: Added.
2680
2681 2014-03-04  Commit Queue  <commit-queue@webkit.org>
2682
2683         Unreviewed, rolling out r165085.
2684         http://trac.webkit.org/changeset/165085
2685         https://bugs.webkit.org/show_bug.cgi?id=129729
2686
2687         Broke imported/w3c/html-templates/template-element/template-
2688         content.html (Requested by ap on #webkit).
2689
2690         * bytecode/SpeculatedType.cpp:
2691         (JSC::speculationToAbbreviatedString):
2692         * bytecode/SpeculatedType.h:
2693         * dfg/DFGAbstractInterpreterInlines.h:
2694         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2695         * dfg/DFGArrayMode.cpp:
2696         (JSC::DFG::ArrayMode::refine):
2697         * dfg/DFGArrayMode.h:
2698         * dfg/DFGFixupPhase.cpp:
2699         (JSC::DFG::FixupPhase::fixupNode):
2700         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
2701         * dfg/DFGNode.h:
2702         (JSC::DFG::Node::shouldSpeculateBoolean):
2703         * dfg/DFGSafeToExecute.h:
2704         (JSC::DFG::SafeToExecuteEdge::operator()):
2705         * dfg/DFGSpeculativeJIT.cpp:
2706         (JSC::DFG::SpeculativeJIT::compileStrictEq):
2707         (JSC::DFG::SpeculativeJIT::speculate):
2708         * dfg/DFGSpeculativeJIT.h:
2709         * dfg/DFGSpeculativeJIT32_64.cpp:
2710         * dfg/DFGSpeculativeJIT64.cpp:
2711         * dfg/DFGUseKind.cpp:
2712         (WTF::printInternal):
2713         * dfg/DFGUseKind.h:
2714         (JSC::DFG::typeFilterFor):
2715         * ftl/FTLCapabilities.cpp:
2716         (JSC::FTL::canCompile):
2717         * ftl/FTLLowerDFGToLLVM.cpp:
2718         (JSC::FTL::LowerDFGToLLVM::compileNode):
2719         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
2720         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
2721         (JSC::FTL::LowerDFGToLLVM::speculate):
2722         * tests/stress/float32-array-out-of-bounds.js: Removed.
2723         * tests/stress/weird-equality-folding-cases.js: Removed.
2724
2725 2014-03-04  Brian Burg  <bburg@apple.com>
2726
2727         Inspector does not restore breakpoints after a page reload
2728         https://bugs.webkit.org/show_bug.cgi?id=129655
2729
2730         Reviewed by Joseph Pecoraro.
2731
2732         Fix a regression introduced by r162096 that erroneously removed
2733         the inspector backend's mapping of files to breakpoints whenever the
2734         global object was cleared.
2735
2736         The inspector's breakpoint mappings should only be cleared when the
2737         debugger agent is disabled or destroyed. We should only clear the
2738         debugger's breakpoint state when the global object is cleared.
2739
2740         To make it clearer what state is being cleared, the two cases have
2741         been split into separate methods.
2742
2743         * inspector/agents/InspectorDebuggerAgent.cpp:
2744         (Inspector::InspectorDebuggerAgent::disable):
2745         (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
2746         (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
2747         (Inspector::InspectorDebuggerAgent::didClearGlobalObject):
2748         * inspector/agents/InspectorDebuggerAgent.h:
2749
2750 2014-03-04  Andreas Kling  <akling@apple.com>
2751
2752         Streamline JSValue::get().
2753         <https://webkit.org/b/129720>
2754
2755         Fetch each Structure and VM only once when walking the prototype chain
2756         in JSObject::getPropertySlot(), then pass it along to the functions
2757         we call from there, so they don't have to re-fetch it.
2758
2759         Reviewed by Geoff Garen.
2760
2761         * runtime/JSObject.h:
2762         (JSC::JSObject::inlineGetOwnPropertySlot):
2763         (JSC::JSObject::fastGetOwnPropertySlot):
2764         (JSC::JSObject::getPropertySlot):
2765
2766 2014-03-01  Filip Pizlo  <fpizlo@apple.com>
2767
2768         DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
2769         https://bugs.webkit.org/show_bug.cgi?id=129563
2770
2771         Reviewed by Geoffrey Garen.
2772         
2773         This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
2774         when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
2775         user of this was EarleyBoyer, and in that benchmark what it was really doing was
2776         comparing undefined, null, and booleans to each other.
2777         
2778         This also adds support for miscellaneous things that I needed to make my various test
2779         cases work. This includes comparison over booleans and the various Throw-related node
2780         types.
2781         
2782         This also improves constant folding of CompareStrictEq and CompareEq.
2783         
2784         Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
2785         based on profiling, which caused some downstream badness. We don't actually support
2786         compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just
2787         emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it
2788         shouldn't factor out the bounds check since the access is not InBounds but then the
2789         backend would ignore the flag and assume that the bounds check was already emitted.
2790         This showed up on an existing test but I added a test for this explicitly to have more
2791         certain coverage. The fix is to not mark something as OutOfBounds if the semantics are
2792         that we'll have a bounds check anyway.
2793         
2794         This is a 1% speed-up on Octane mostly because of raytrace, but also because of just
2795         general progressions across the board. No speed-up yet on EarleyBoyer, since there is
2796         still a lot more coverage work to be done there.
2797
2798         * bytecode/SpeculatedType.cpp:
2799         (JSC::speculationToAbbreviatedString):
2800         (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
2801         (JSC::valuesCouldBeEqual):
2802         * bytecode/SpeculatedType.h:
2803         (JSC::isMiscSpeculation):
2804         * dfg/DFGAbstractInterpreterInlines.h:
2805         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2806         * dfg/DFGFixupPhase.cpp:
2807         (JSC::DFG::FixupPhase::fixupNode):
2808         * dfg/DFGNode.h:
2809         (JSC::DFG::Node::shouldSpeculateMisc):
2810         * dfg/DFGSafeToExecute.h:
2811         (JSC::DFG::SafeToExecuteEdge::operator()):
2812         * dfg/DFGSpeculativeJIT.cpp:
2813         (JSC::DFG::SpeculativeJIT::compileStrictEq):
2814         (JSC::DFG::SpeculativeJIT::speculateMisc):
2815         (JSC::DFG::SpeculativeJIT::speculate):
2816         * dfg/DFGSpeculativeJIT.h:
2817         * dfg/DFGSpeculativeJIT32_64.cpp:
2818         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
2819         * dfg/DFGSpeculativeJIT64.cpp:
2820         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
2821         * dfg/DFGUseKind.cpp:
2822         (WTF::printInternal):
2823         * dfg/DFGUseKind.h:
2824         (JSC::DFG::typeFilterFor):
2825         * ftl/FTLCapabilities.cpp:
2826         (JSC::FTL::canCompile):
2827         * ftl/FTLLowerDFGToLLVM.cpp:
2828         (JSC::FTL::LowerDFGToLLVM::compileNode):
2829         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
2830         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
2831         (JSC::FTL::LowerDFGToLLVM::compileThrow):
2832         (JSC::FTL::LowerDFGToLLVM::isNotMisc):
2833         (JSC::FTL::LowerDFGToLLVM::isMisc):
2834         (JSC::FTL::LowerDFGToLLVM::speculate):
2835         (JSC::FTL::LowerDFGToLLVM::speculateMisc):
2836         * tests/stress/float32-array-out-of-bounds.js: Added.
2837         * tests/stress/weird-equality-folding-cases.js: Added.
2838
2839 2014-03-04  Andreas Kling  <akling@apple.com>
2840
2841         Spam static branch prediction hints on JS bindings.
2842         <https://webkit.org/b/129703>
2843
2844         Add LIKELY hint to jsDynamicCast since it's always used in a context
2845         where we expect it to succeed and takes an error path when it doesn't.
2846
2847         Reviewed by Geoff Garen.
2848
2849         * runtime/JSCell.h:
2850         (JSC::jsDynamicCast):
2851
2852 2014-03-04  Andreas Kling  <akling@apple.com>
2853
2854         Get to Structures more efficiently in JSCell::methodTable().
2855         <https://webkit.org/b/129702>
2856
2857         In JSCell::methodTable(), get the VM once and pass that along to
2858         structure(VM&) instead of using the heavier structure().
2859
2860         In JSCell::methodTable(VM&), replace calls to structure() with
2861         calls to structure(VM&).
2862
2863         Reviewed by Mark Hahnenberg.
2864
2865         * runtime/JSCellInlines.h:
2866         (JSC::JSCell::methodTable):
2867
2868 2014-03-04  Joseph Pecoraro  <pecoraro@apple.com>
2869
2870         Web Inspector: Listen for the XPC_ERROR_CONNECTION_INVALID event to deref
2871         https://bugs.webkit.org/show_bug.cgi?id=129697
2872
2873         Reviewed by Timothy Hatcher.
2874
2875         * inspector/remote/RemoteInspectorXPCConnection.mm:
2876         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
2877         (Inspector::RemoteInspectorXPCConnection::handleEvent):
2878
2879 2014-03-04  Mark Hahnenberg  <mhahnenberg@apple.com>
2880
2881         Merge API shims and JSLock
2882         https://bugs.webkit.org/show_bug.cgi?id=129650
2883
2884         Reviewed by Mark Lam.
2885
2886         JSLock is now taking on all of APIEntryShim's responsibilities since there is never a reason 
2887         to take just the JSLock. Ditto for DropAllLocks and APICallbackShim.
2888
2889         * API/APICallbackFunction.h:
2890         (JSC::APICallbackFunction::call):
2891         (JSC::APICallbackFunction::construct):
2892         * API/APIShims.h: Removed.
2893         * API/JSBase.cpp:
2894         (JSEvaluateScript):
2895         (JSCheckScriptSyntax):
2896         (JSGarbageCollect):
2897         (JSReportExtraMemoryCost):
2898         (JSSynchronousGarbageCollectForDebugging):
2899         * API/JSCallbackConstructor.cpp:
2900         * API/JSCallbackFunction.cpp:
2901         * API/JSCallbackObjectFunctions.h:
2902         (JSC::JSCallbackObject<Parent>::init):
2903         (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
2904         (JSC::JSCallbackObject<Parent>::put):
2905         (JSC::JSCallbackObject<Parent>::putByIndex):
2906         (JSC::JSCallbackObject<Parent>::deleteProperty):
2907         (JSC::JSCallbackObject<Parent>::construct):
2908         (JSC::JSCallbackObject<Parent>::customHasInstance):
2909         (JSC::JSCallbackObject<Parent>::call):
2910         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
2911         (JSC::JSCallbackObject<Parent>::getStaticValue):
2912         (JSC::JSCallbackObject<Parent>::callbackGetter):
2913         * API/JSContext.mm:
2914         (-[JSContext setException:]):
2915         (-[JSContext wrapperForObjCObject:]):
2916         (-[JSContext wrapperForJSObject:]):
2917         * API/JSContextRef.cpp:
2918         (JSContextGroupRelease):
2919         (JSContextGroupSetExecutionTimeLimit):
2920         (JSContextGroupClearExecutionTimeLimit):
2921         (JSGlobalContextCreateInGroup):
2922         (JSGlobalContextRetain):
2923         (JSGlobalContextRelease):
2924         (JSContextGetGlobalObject):
2925         (JSContextGetGlobalContext):
2926         (JSGlobalContextCopyName):
2927         (JSGlobalContextSetName):
2928         * API/JSManagedValue.mm:
2929         (-[JSManagedValue value]):
2930         * API/JSObjectRef.cpp:
2931         (JSObjectMake):
2932         (JSObjectMakeFunctionWithCallback):
2933         (JSObjectMakeConstructor):
2934         (JSObjectMakeFunction):
2935         (JSObjectMakeArray):
2936         (JSObjectMakeDate):
2937         (JSObjectMakeError):
2938         (JSObjectMakeRegExp):
2939         (JSObjectGetPrototype):
2940         (JSObjectSetPrototype):
2941         (JSObjectHasProperty):
2942         (JSObjectGetProperty):
2943         (JSObjectSetProperty):
2944         (JSObjectGetPropertyAtIndex):
2945         (JSObjectSetPropertyAtIndex):
2946         (JSObjectDeleteProperty):
2947         (JSObjectGetPrivateProperty):
2948         (JSObjectSetPrivateProperty):
2949         (JSObjectDeletePrivateProperty):
2950         (JSObjectIsFunction):
2951         (JSObjectCallAsFunction):
2952         (JSObjectCallAsConstructor):
2953         (JSObjectCopyPropertyNames):
2954         (JSPropertyNameArrayRelease):
2955         (JSPropertyNameAccumulatorAddName):
2956         * API/JSScriptRef.cpp:
2957         * API/JSValue.mm:
2958         (isDate):
2959         (isArray):
2960         (containerValueToObject):
2961         (valueToArray):
2962         (valueToDictionary):
2963         (objectToValue):
2964         * API/JSValueRef.cpp:
2965         (JSValueGetType):
2966         (JSValueIsUndefined):
2967         (JSValueIsNull):
2968         (JSValueIsBoolean):
2969         (JSValueIsNumber):
2970         (JSValueIsString):
2971         (JSValueIsObject):
2972         (JSValueIsObjectOfClass):
2973         (JSValueIsEqual):
2974         (JSValueIsStrictEqual):
2975         (JSValueIsInstanceOfConstructor):
2976         (JSValueMakeUndefined):
2977         (JSValueMakeNull):
2978         (JSValueMakeBoolean):
2979         (JSValueMakeNumber):
2980         (JSValueMakeString):
2981         (JSValueMakeFromJSONString):
2982         (JSValueCreateJSONString):
2983         (JSValueToBoolean):
2984         (JSValueToNumber):
2985         (JSValueToStringCopy):
2986         (JSValueToObject):
2987         (JSValueProtect):
2988         (JSValueUnprotect):
2989         * API/JSVirtualMachine.mm:
2990         (-[JSVirtualMachine addManagedReference:withOwner:]):
2991         (-[JSVirtualMachine removeManagedReference:withOwner:]):
2992         * API/JSWeakObjectMapRefPrivate.cpp:
2993         * API/JSWrapperMap.mm:
2994         (constructorHasInstance):
2995         (makeWrapper):
2996         (tryUnwrapObjcObject):
2997         * API/ObjCCallbackFunction.mm:
2998         (JSC::objCCallbackFunctionCallAsFunction):
2999         (JSC::objCCallbackFunctionCallAsConstructor):
3000         (objCCallbackFunctionForInvocation):
3001         * CMakeLists.txt:
3002         * ForwardingHeaders/JavaScriptCore/APIShims.h: Removed.
3003         * GNUmakefile.list.am:
3004         * JavaScriptCore.xcodeproj/project.pbxproj:
3005         * dfg/DFGWorklist.cpp:
3006         * heap/DelayedReleaseScope.h:
3007         (JSC::DelayedReleaseScope::~DelayedReleaseScope):
3008         * heap/HeapTimer.cpp:
3009         (JSC::HeapTimer::timerDidFire):
3010         (JSC::HeapTimer::timerEvent):
3011         * heap/IncrementalSweeper.cpp:
3012         * inspector/InjectedScriptModule.cpp:
3013         (Inspector::InjectedScriptModule::ensureInjected):
3014         * jsc.cpp:
3015         (jscmain):
3016         * runtime/GCActivityCallback.cpp:
3017         (JSC::DefaultGCActivityCallback::doWork):
3018         * runtime/JSGlobalObjectDebuggable.cpp:
3019         (JSC::JSGlobalObjectDebuggable::connect):
3020         (JSC::JSGlobalObjectDebuggable::disconnect):
3021         (JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemoteFrontend):
3022         * runtime/JSLock.cpp:
3023         (JSC::JSLock::lock):
3024         (JSC::JSLock::didAcquireLock):
3025         (JSC::JSLock::unlock):
3026         (JSC::JSLock::willReleaseLock):
3027         (JSC::JSLock::DropAllLocks::DropAllLocks):
3028         (JSC::JSLock::DropAllLocks::~DropAllLocks):
3029         * runtime/JSLock.h:
3030         * testRegExp.cpp:
3031         (realMain):
3032
3033 2014-03-04  Commit Queue  <commit-queue@webkit.org>
3034
3035         Unreviewed, rolling out r164812.
3036         http://trac.webkit.org/changeset/164812
3037         https://bugs.webkit.org/show_bug.cgi?id=129699
3038
3039         it made things run slower (Requested by pizlo on #webkit).
3040
3041         * interpreter/Interpreter.cpp:
3042         (JSC::Interpreter::execute):
3043         * jsc.cpp:
3044         (GlobalObject::finishCreation):
3045         * runtime/BatchedTransitionOptimizer.h:
3046         (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
3047         (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):
3048
3049 2014-03-02  Filip Pizlo  <fpizlo@apple.com>
3050
3051         GetMyArgumentByVal in FTL
3052         https://bugs.webkit.org/show_bug.cgi?id=128850
3053
3054         Reviewed by Oliver Hunt.
3055         
3056         This would have been easy if the OSR exit compiler's arity checks hadn't been wrong.
3057         They checked arity by doing "exec->argumentCount == codeBlock->numParameters", which
3058         caused it to think that the arity check had failed if the caller had passed more
3059         arguments than needed. This would cause the call frame copying to sort of go into
3060         reverse (because the amount-by-which-we-failed-arity would have opposite sign,
3061         throwing off a bunch of math) and the stack would end up being corrupted.
3062         
3063         The bug was revealed by two existing tests although as far as I could tell, neither
3064         test was intending to cover this case directly. So, I added a new test.
3065
3066         * ftl/FTLCapabilities.cpp:
3067         (JSC::FTL::canCompile):
3068         * ftl/FTLLowerDFGToLLVM.cpp:
3069         (JSC::FTL::LowerDFGToLLVM::compileNode):
3070         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
3071         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
3072         (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated):
3073         (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated):
3074         * ftl/FTLOSRExitCompiler.cpp:
3075         (JSC::FTL::compileStub):
3076         * ftl/FTLState.h:
3077         * tests/stress/exit-from-ftl-when-caller-passed-extra-args-then-use-function-dot-arguments.js: Added.
3078         * tests/stress/ftl-get-my-argument-by-val-inlined-and-not-inlined.js: Added.
3079         * tests/stress/ftl-get-my-argument-by-val-inlined.js: Added.
3080         * tests/stress/ftl-get-my-argument-by-val.js: Added.
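
The arity-check mistake described in this entry, modelled in a small added example (this is not JSC's OSR exit compiler; the frame layout, the `Slot` type and the `kUndefined` tag are constructed for the model). It shows why `argumentCount == numParameters` reports a failure when the caller passed extra arguments, how that flips the sign of the fixup delta, and how the `<` form avoids it.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed stand-in for a JSValue slot in the call frame; kUndefined is a
// made-up tag for this model, not JSC's value encoding.
typedef uint32_t Slot;
static const Slot kUndefined = 0xFFFFFFFFu;

// Predicate deciding whether the callee's frame must be enlarged on OSR exit.
// Buggy form from the entry: any mismatch counts as a failure, including the
// caller passing MORE arguments than the callee declares.
bool arityCheckFailedBuggy(size_t argumentCount, size_t numParameters)
{
    return !(argumentCount == numParameters);
}

// Correct form: only a shortfall is an arity failure. Extra arguments are legal
// in JavaScript and simply stay in the frame.
bool arityCheckFailedFixed(size_t argumentCount, size_t numParameters)
{
    return argumentCount < numParameters;
}

// The "amount by which we failed arity": number of slots the fixup will add.
// Zero when no fixup is needed. With the buggy predicate and extra arguments
// this goes negative, which is the sign flip the entry describes.
long arityFixupDelta(size_t argumentCount, size_t numParameters,
                     bool (*arityCheckFailed)(size_t, size_t))
{
    if (!arityCheckFailed(argumentCount, numParameters))
        return 0;
    return static_cast<long>(numParameters) - static_cast<long>(argumentCount);
}

// Model of the frame copy: grow the argument area by delta and fill the new
// slots with undefined. A negative delta would make a memcpy-based fixup move
// the frame the wrong way; the model refuses and returns an empty frame
// instead of corrupting anything.
std::vector<Slot> reconstructArguments(const std::vector<Slot>& passedArgs,
                                       size_t numParameters,
                                       bool (*arityCheckFailed)(size_t, size_t))
{
    long delta = arityFixupDelta(passedArgs.size(), numParameters, arityCheckFailed);
    if (delta < 0)
        return std::vector<Slot>(); // corrupting case: refuse
    std::vector<Slot> frame(passedArgs);
    frame.resize(passedArgs.size() + static_cast<size_t>(delta), kUndefined);
    return frame;
}

int main()
{
    // Callee declares 2 parameters, caller passed 3: no fixup should happen.
    std::vector<Slot> extra{1, 2, 3};
    std::printf("fixed delta: %ld, buggy delta: %ld\n",
                arityFixupDelta(extra.size(), 2, arityCheckFailedFixed),
                arityFixupDelta(extra.size(), 2, arityCheckFailedBuggy));
    std::printf("buggy fixup refused: %s\n",
                reconstructArguments(extra, 2, arityCheckFailedBuggy).empty() ? "yes" : "no");
    return 0;
}
```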
3081
3082 2014-03-04  Zan Dobersek  <zdobersek@igalia.com>
3083
3084         [GTK] Build the Udis86 disassembler
3085         https://bugs.webkit.org/show_bug.cgi?id=129679
3086
3087         Reviewed by Michael Saboff.
3088
3089         * GNUmakefile.am: Generate the Udis86-related derived sources. Distribute the required files.
3090         * GNUmakefile.list.am: Add the Udis86 disassembler files to the build.
3091
3092 2014-03-04  Andreas Kling  <akling@apple.com>
3093
3094         Fix too-narrow assertion I added in r165054.
3095
3096         It's okay for a 1-character string to come in here. This will happen
3097         if the VM small string optimization doesn't apply (ch > 0xFF).
3098
3099         * runtime/JSString.h:
3100         (JSC::jsStringWithWeakOwner):
3101
3102 2014-03-04  Andreas Kling  <akling@apple.com>
3103
3104         Micro-optimize Strings in JS bindings.
3105         <https://webkit.org/b/129673>
3106
3107         Make jsStringWithWeakOwner() take a StringImpl& instead of a String.
3108         This avoids branches in length() and operator[].
3109
3110         Also call JSString::create() directly instead of jsString() and just
3111         assert that the string length is >1. This way we don't duplicate the
3112         optimizations for empty and single-character strings.
3113
3114         Reviewed by Ryosuke Niwa.
3115
3116         * runtime/JSString.h:
3117         (JSC::jsStringWithWeakOwner):
3118
3119 2014-03-04  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>
3120
3121         Implement Number.prototype.clz()
3122         https://bugs.webkit.org/show_bug.cgi?id=129479
3123
3124         Reviewed by Oliver Hunt.
3125
3126         Implemented Number.prototype.clz() as specified in the ES6 standard.
3127
3128         * runtime/NumberPrototype.cpp:
3129         (JSC::numberProtoFuncClz):
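
An added example, not JSC's implementation, of the semantics this entry refers to: ES6 defines the result as the number of leading zero bits of ToUint32(x) (the same operation later shipped as Math.clz32). The ToUint32 edge cases (NaN, infinities, negatives, values beyond 2^32) are where such implementations go wrong, so they are handled explicitly.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>

// ES6 ToUint32: NaN, +-0 and +-Infinity map to 0; otherwise truncate toward
// zero and reduce modulo 2^32 into [0, 2^32).
uint32_t toUint32(double x)
{
    if (std::isnan(x) || std::isinf(x))
        return 0;
    double truncated = std::trunc(x);
    double reduced = std::fmod(truncated, 4294967296.0); // result keeps the sign of x
    if (reduced < 0)
        reduced += 4294967296.0;
    return static_cast<uint32_t>(reduced);
}

// Number.prototype.clz semantics: leading zero bits of ToUint32(x).
// Zero has all 32 bits clear and yields 32; handling it up front also avoids
// the undefined behaviour of __builtin_clz(0) on a native implementation.
int clz32(double x)
{
    uint32_t n = toUint32(x);
    if (n == 0)
        return 32;
    int count = 0;
    for (uint32_t mask = 0x80000000u; (n & mask) == 0; mask >>= 1)
        ++count;
    return count;
}

int main()
{
    // Constructed sample inputs covering the conversion edge cases.
    const double samples[] = { 0.0, 1.0, -1.0, 0.5, 1e10, 4294967304.0, -2147483648.0 };
    for (double v : samples)
        std::printf("clz32(%g) = %d\n", v, clz32(v));
    return 0;
}
```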
3130
3131 2014-03-03  Joseph Pecoraro  <pecoraro@apple.com>
3132
3133         Web Inspector: Avoid too early deref caused by RemoteInspectorXPCConnection::close
3134         https://bugs.webkit.org/show_bug.cgi?id=129631
3135
3136         Reviewed by Timothy Hatcher.
3137
3138         Avoid deref() too early if a client calls close(). The xpc_connection_close
3139         will cause another XPC_ERROR event to come in from the queue, deref then.
3140         Likewise, protect multithreaded access to m_client. If a client calls
3141         close() we want to immediately clear the pointer to prevent calls to it.
3142
3143         Overall the multi-threading aspects of RemoteInspectorXPCConnection are
3144         growing too complicated for probably little benefit. We may want to
3145         clean this up later.
3146
3147         * inspector/remote/RemoteInspector.mm:
3148         (Inspector::RemoteInspector::xpcConnectionFailed):
3149         * inspector/remote/RemoteInspectorXPCConnection.h:
3150         * inspector/remote/RemoteInspectorXPCConnection.mm:
3151         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
3152         (Inspector::RemoteInspectorXPCConnection::close):
3153         (Inspector::RemoteInspectorXPCConnection::closeOnQueue):
3154         (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
3155         (Inspector::RemoteInspectorXPCConnection::handleEvent):
3156         (Inspector::RemoteInspectorXPCConnection::sendMessage):
3157
3158 2014-03-03  Michael Saboff  <msaboff@apple.com>
3159
3160         AbstractMacroAssembler::CachedTempRegister should start out invalid
3161         https://bugs.webkit.org/show_bug.cgi?id=129657
3162
3163         Reviewed by Filip Pizlo.
3164
3165         * assembler/AbstractMacroAssembler.h:
3166         (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
3167         - Invalidate all cached registers in constructor as we don't know the
3168           contents of any register at the entry to the code we are going to
3169           generate.
3170
3171 2014-03-03  Andreas Kling  <akling@apple.com>
3172
3173         StructureOrOffset should be fastmalloced.
3174         <https://webkit.org/b/129640>
3175
3176         Reviewed by Geoffrey Garen.
3177
3178         * runtime/StructureIDTable.h:
3179
3180 2014-03-03  Michael Saboff  <msaboff@apple.com>
3181
3182         Crash in JIT code while watching a video @ storyboard.tumblr.com
3183         https://bugs.webkit.org/show_bug.cgi?id=129635
3184
3185         Reviewed by Filip Pizlo.
3186
3187         Clear m_set before we set bits in the TempRegisterSet(const RegisterSet& other)
3188         constructor.
3189
3190         * jit/TempRegisterSet.cpp:
3191         (JSC::TempRegisterSet::TempRegisterSet): Clear map before setting it.
3192         * jit/TempRegisterSet.h:
3193         (JSC::TempRegisterSet::TempRegisterSet): Use new clearAll() helper.
3194         (JSC::TempRegisterSet::clearAll): New private helper.
3195
3196 2014-03-03  Benjamin Poulain  <benjamin@webkit.org>
3197
3198         [x86] Improve code generation of byte test
3199         https://bugs.webkit.org/show_bug.cgi?id=129597
3200
3201         Reviewed by Geoffrey Garen.
3202
3203         When possible, test the 8 bit register to itself instead of comparing it
3204         to a literal.
3205
3206         * assembler/MacroAssemblerX86Common.h:
3207         (JSC::MacroAssemblerX86Common::test32):
3208
3209 2014-03-03  Mark Lam  <mark.lam@apple.com>
3210
3211         Web Inspector: debugger statements do not break.
3212         <https://webkit.org/b/129524>
3213
3214         Reviewed by Geoff Garen.
3215
3216         Since we no longer call op_debug hooks unless there is a debugger request
3217         made on the CodeBlock, the op_debug for the debugger statement never gets
3218         serviced.
3219
3220         With this fix, we check in the CodeBlock constructor if any debugger
3221         statements are present.  If so, we set a m_hasDebuggerStatement flag that
3222         causes the CodeBlock to show as having debugger requests.  Hence,
3223         breaking at debugger statements is now restored.
3224
3225         * bytecode/CodeBlock.cpp:
3226         (JSC::CodeBlock::CodeBlock):
3227         * bytecode/CodeBlock.h:
3228         (JSC::CodeBlock::hasDebuggerRequests):
3229         (JSC::CodeBlock::clearDebuggerRequests):
3230
3231 2014-03-03  Mark Lam  <mark.lam@apple.com>
3232
3233         ASSERTION FAILED: m_numBreakpoints >= numBreakpoints when deleting breakpoints.
3234         <https://webkit.org/b/129393>
3235
3236         Reviewed by Geoffrey Garen.
3237
3238         The issue manifests because the debugger will iterate all CodeBlocks in
3239         the heap when setting / clearing breakpoints, but it is possible for a
3240         CodeBlock to have been instantiated but not yet registered with the
3241         debugger.  This can happen because of the following:
3242
3243         1. DFG worklist compilation is still in progress, and the target
3244            codeBlock is not ready for installation in its executable yet.
3245
3246         2. DFG compilation failed and we have a codeBlock that will never be
3247            installed in its executable, and the codeBlock has not been cleaned
3248            up by the GC yet.
3249
3250         The code for installing the codeBlock in its executable is the same code
3251         that registers it with the debugger.  Hence, these codeBlocks are not
3252         registered with the debugger, and any pending breakpoints that would map
3253         to that CodeBlock are as yet unset or will never be set.  As such, an
3254         attempt to remove a breakpoint in that CodeBlock will fail that assertion.
3255
3256         To fix this, we do the following:
3257
3258         1. We'll eagerly clean up any zombie CodeBlocks due to failed DFG / FTL
3259            compilation.  This is achieved by providing a
3260            DeferredCompilationCallback::compilationDidComplete() that does this
3261            clean up, and have all sub classes call it at the end of their
3262            compilationDidComplete() methods.
3263
3264         2. Before the debugger or profiler iterates CodeBlocks in the heap, they
3265            will wait for all compilations to complete before proceeding.  This
3266            ensures that:
3267            1. any zombie CodeBlocks would have been cleaned up, and won't be
3268               seen by the debugger or profiler.
3269            2. all CodeBlocks that the debugger and profiler needs to operate on
3270               will be "ready" for whatever needs to be done to them e.g.
3271               jettison'ing of DFG codeBlocks.
3272
3273         * bytecode/DeferredCompilationCallback.cpp:
3274         (JSC::DeferredCompilationCallback::compilationDidComplete):
3275         * bytecode/DeferredCompilationCallback.h:
3276         - Provide default implementation method to clean up zombie CodeBlocks.
3277
3278         * debugger/Debugger.cpp:
3279         (JSC::Debugger::forEachCodeBlock):
3280         - Utility function to iterate CodeBlocks.  It ensures that all compilations
3281           are complete before proceeding.
3282         (JSC::Debugger::setSteppingMode):
3283         (JSC::Debugger::toggleBreakpoint):
3284         (JSC::Debugger::recompileAllJSFunctions):
3285         (JSC::Debugger::clearBreakpoints):
3286         (JSC::Debugger::clearDebuggerRequests):
3287         - Use the utility iterator function.
3288
3289         * debugger/Debugger.h:
3290         * dfg/DFGOperations.cpp:
3291         - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.
3292
3293         * dfg/DFGPlan.cpp:
3294         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
3295         - Remove unneeded code (that was not the best solution anyway) for ensuring
3296           that we don't generate new DFG codeBlocks after enabling the debugger or
3297           profiler.  Now that we wait for compilations to complete before proceeding
3298           with debugger and profiler work, this scenario will never happen.
3299
3300         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
3301         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
3302         - Call the super class method to clean up zombie codeBlocks.
3303
3304         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
3305         (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
3306         - Call the super class method to clean up zombie codeBlocks.
3307
3308         * heap/CodeBlockSet.cpp:
3309         (JSC::CodeBlockSet::remove):
3310         * heap/CodeBlockSet.h:
3311         * heap/Heap.h:
3312         (JSC::Heap::removeCodeBlock):
3313         - New method to remove a codeBlock from the codeBlock set.
3314
3315         * jit/JITOperations.cpp:
3316         - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.
3317
3318         * jit/JITToDFGDeferredCompilationCallback.cpp:
3319         (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
3320         - Call the super class method to clean up zombie codeBlocks.
3321
3322         * runtime/VM.cpp:
3323         (JSC::VM::waitForCompilationsToComplete):
3324         - Renamed from prepareToDiscardCode() to be clearer about what it does.
3325
3326         (JSC::VM::discardAllCode):
3327         (JSC::VM::releaseExecutableMemory):
3328         (JSC::VM::setEnabledProfiler):
3329         - Wait for compilation to complete before enabling the profiler.
3330
3331         * runtime/VM.h:
3332
3333 2014-03-03  Brian Burg  <bburg@apple.com>
3334
3335         Another unreviewed build fix attempt for Windows after r164986.
3336
3337         We never told Visual Studio to copy over the web replay code generator scripts
3338         and the generated headers for JavaScriptCore replay inputs as if they were
3339         private headers.
3340
3341         * JavaScriptCore.vcxproj/copy-files.cmd:
3342
3343 2014-03-03  Brian Burg  <bburg@apple.com>
3344
3345         Web Replay: upstream input storage, capture/replay machinery, and inspector domain
3346         https://bugs.webkit.org/show_bug.cgi?id=128782
3347
3348         Reviewed by Timothy Hatcher.
3349
3350         Alter the replay inputs code generator so that it knows when it is necessary
3351         to include headers for HEAVY_SCALAR types such as WTF::String and WebCore::URL.
3352
3353         * JavaScriptCore.xcodeproj/project.pbxproj:
3354         * replay/scripts/CodeGeneratorReplayInputs.py:
3355         (Framework.fromString):
3356         (Frameworks): Add WTF as an allowed framework for code generation.
3357         (Generator.generate_includes): Include headers for HEAVY_SCALAR types in the header file.
3358         (Generator.generate_includes.declaration):
3359         (Generator.generate_includes.or):
3360         (Generator.generate_type_forward_declarations): Skip HEAVY_SCALAR types.
3361
3362 2014-03-02  Filip Pizlo  <fpizlo@apple.com>
3363
3364         PolymorphicPutByIdList should have a simpler construction API with basically a single entrypoint
3365         https://bugs.webkit.org/show_bug.cgi?id=129591
3366
3367         Reviewed by Michael Saboff.
3368
3369         * bytecode/PolymorphicPutByIdList.cpp:
3370         (JSC::PutByIdAccess::fromStructureStubInfo): This function can figure out the slow path target for itself.
3371         (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList): This constructor should be private, only from() should call it.
3372         (JSC::PolymorphicPutByIdList::from):
3373         * bytecode/PolymorphicPutByIdList.h:
3374         (JSC::PutByIdAccess::stubRoutine):
3375         * jit/Repatch.cpp:
3376         (JSC::tryBuildPutByIdList): Don't pass the slow path target since it can be derived from the stubInfo.
3377
3378 2014-03-02  Filip Pizlo  <fpizlo@apple.com>
3379
3380         Debugging improvements from my gbemu investigation session
3381         https://bugs.webkit.org/show_bug.cgi?id=129599
3382
3383         Reviewed by Mark Lam.
3384         
3385         Various improvements from when I was investigating bug 129411.
3386
3387         * bytecode/CodeBlock.cpp:
3388         (JSC::CodeBlock::optimizationThresholdScalingFactor): Make the dataLog() statement print the actual multiplier.
3389         * jsc.cpp:
3390         (GlobalObject::finishCreation):
3391         (functionDescribe): Make describe() return a string rather than printing the string.
3392         (functionDescribeArray): Like describe(), but prints details about arrays.
3393
3394 2014-02-25  Andreas Kling  <akling@apple.com>
3395
3396         JSDOMWindow::commonVM() should return a reference.
3397         <https://webkit.org/b/129293>
3398
3399         Added a DropAllLocks constructor that takes VM& without null checks.
3400
3401         Reviewed by Geoff Garen.
3402
3403 2014-03-02  Mark Lam  <mark.lam@apple.com>
3404
3405         CodeBlock::hasDebuggerRequests() should return a bool instead of an int.
3406         <https://webkit.org/b/129584>
3407
3408         Reviewed by Darin Adler.
3409
3410         * bytecode/CodeBlock.h:
3411         (JSC::CodeBlock::hasDebuggerRequests):
3412
3413 2014-03-02  Mark Lam  <mark.lam@apple.com>
3414
3415         Clean up use of Options::enableConcurrentJIT().
3416         <https://webkit.org/b/129582>
3417
3418         Reviewed by Filip Pizlo.
3419
3420         DFG Driver was conditionally checking Options::enableConcurrentJIT()
3421         only if ENABLE(CONCURRENT_JIT).  Otherwise, it bypasses it with a local
3422         enableConcurrentJIT set to false.
3423
3424         Instead we should configure Options::enableConcurrentJIT() to be false
3425         in Options.cpp if !ENABLE(CONCURRENT_JIT), and DFG Driver should always
3426         check Options::enableConcurrentJIT().  This makes the code read a little
3427         cleaner.
3428
3429         * dfg/DFGDriver.cpp:
3430         (JSC::DFG::compileImpl):
3431         * runtime/Options.cpp:
3432         (JSC::recomputeDependentOptions):
3433
3434 2014-03-01  Filip Pizlo  <fpizlo@apple.com>
3435
3436         This shouldn't have been a layout test since it runs only under jsc. Moving it to JSC
3437         stress tests.
3438
3439         * tests/stress/generational-opaque-roots.js: Copied from LayoutTests/js/script-tests/generational-opaque-roots.js.
3440
3441 2014-03-01  Andreas Kling  <akling@apple.com>
3442
3443         JSCell::fastGetOwnProperty() should get the Structure more efficiently.
3444         <https://webkit.org/b/129560>
3445
3446         Now that structure() is nontrivial and we have a faster structure(VM&),
3447         make use of that in fastGetOwnProperty() since we already have VM.
3448
3449         Reviewed by Sam Weinig.
3450
3451         * runtime/JSCellInlines.h:
3452         (JSC::JSCell::fastGetOwnProperty):
3453
3454 2014-03-01  Andreas Kling  <akling@apple.com>
3455
3456         Avoid going through ExecState for VM when we already have it (in some places.)
3457         <https://webkit.org/b/129554>
3458
3459         Tweak some places that jump through unnecessary hoops to get the VM.
3460         There are many more like this.
3461
3462         Reviewed by Sam Weinig.
3463
3464         * runtime/JSObject.cpp:
3465         (JSC::JSObject::putByIndexBeyondVectorLength):
3466         (JSC::JSObject::putDirectIndexBeyondVectorLength):
3467         * runtime/ObjectPrototype.cpp:
3468         (JSC::objectProtoFuncToString):
3469
3470 2014-02-28  Filip Pizlo  <fpizlo@apple.com>
3471
3472         FTL should support PhantomArguments
3473         https://bugs.webkit.org/show_bug.cgi?id=113986
3474
3475         Reviewed by Oliver Hunt.
3476         
3477         Adding PhantomArguments to the FTL mostly means wiring the recovery of the Arguments
3478         object into the FTL's OSR exit compiler.
3479         
3480         This isn't a speed-up yet, since there is still more to be done to fully support
3481         all of the arguments craziness that our varargs benchmarks do.
3482
3483         * dfg/DFGOSRExitCompiler32_64.cpp:
3484         (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
3485         * dfg/DFGOSRExitCompiler64.cpp:
3486         (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
3487         * dfg/DFGOSRExitCompilerCommon.cpp:
3488         (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator):
3489         (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator):
3490         (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): this is the common place for the recovery code
3491         * dfg/DFGOSRExitCompilerCommon.h:
3492         * ftl/FTLCapabilities.cpp:
3493         (JSC::FTL::canCompile):
3494         * ftl/FTLExitValue.cpp:
3495         (JSC::FTL::ExitValue::dumpInContext):
3496         * ftl/FTLExitValue.h:
3497         (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated):
3498         (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated):
3499         (JSC::FTL::ExitValue::valueFormat):
3500         * ftl/FTLLowerDFGToLLVM.cpp:
3501         (JSC::FTL::LowerDFGToLLVM::compileNode):
3502         (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments):
3503         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
3504         (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
3505         * ftl/FTLOSRExitCompiler.cpp:
3506         (JSC::FTL::compileStub): Call into the ArgumentsRecoveryGenerator
3507         * tests/stress/slightly-more-difficult-to-fold-reflective-arguments-access.js: Added.
3508         * tests/stress/trivially-foldable-reflective-arguments-access.js: Added.
3509
3510 2014-02-28  Filip Pizlo  <fpizlo@apple.com>
3511
3512         Unreviewed, uncomment some code. It wasn't meant to be commented in the first place.
3513
3514         * dfg/DFGCSEPhase.cpp:
3515         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
3516
3517 2014-02-28  Andreas Kling  <akling@apple.com>
3518
3519         JSObject::findPropertyHashEntry() should take VM instead of ExecState.
3520         <https://webkit.org/b/129529>
3521
3522         Callers already have VM in a local, and findPropertyHashEntry() only
3523         uses the VM, no need to go all the way through ExecState.
3524
3525         Reviewed by Geoffrey Garen.
3526
3527         * runtime/JSObject.cpp:
3528         (JSC::JSObject::put):
3529         (JSC::JSObject::deleteProperty):
3530         (JSC::JSObject::findPropertyHashEntry):
3531         * runtime/JSObject.h:
3532
3533 2014-02-28  Joseph Pecoraro  <pecoraro@apple.com>
3534
3535         Deadlock remotely inspecting iOS Simulator
3536         https://bugs.webkit.org/show_bug.cgi?id=129511
3537
3538         Reviewed by Timothy Hatcher.
3539
3540         Avoid synchronous setup. Do it asynchronously, and let
3541         the RemoteInspector singleton know later if it failed.
3542
3543         * inspector/remote/RemoteInspector.h:
3544         * inspector/remote/RemoteInspector.mm:
3545         (Inspector::RemoteInspector::setupFailed):
3546         * inspector/remote/RemoteInspectorDebuggableConnection.h:
3547         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
3548         (Inspector::RemoteInspectorDebuggableConnection::setup):
3549
3550 2014-02-28  Oliver Hunt  <oliver@apple.com>
3551
3552         REGRESSION(r164835): It broke 10 JSC stress test on 32 bit platforms
3553         https://bugs.webkit.org/show_bug.cgi?id=129488
3554
3555         Reviewed by Mark Lam.
3556
3557         Whoops, modify the right register.
3558
3559         * jit/JITCall32_64.cpp:
3560         (JSC::JIT::compileLoadVarargs):
3561
3562 2014-02-28  Filip Pizlo  <fpizlo@apple.com>
3563
3564         FTL should be able to call sin/cos directly on platforms where the intrinsic is busted
3565         https://bugs.webkit.org/show_bug.cgi?id=129503
3566
3567         Reviewed by Mark Lam.
3568
3569         * ftl/FTLIntrinsicRepository.h:
3570         * ftl/FTLOutput.h:
3571         (JSC::FTL::Output::doubleSin):
3572         (JSC::FTL::Output::doubleCos):
3573         (JSC::FTL::Output::intrinsicOrOperation):
3574
3575 2014-02-28  Mark Hahnenberg  <mhahnenberg@apple.com>
3576
3577         Fix !ENABLE(GGC) builds
3578
3579         * heap/Heap.cpp:
3580         (JSC::Heap::markRoots):
3581         (JSC::Heap::gatherJSStackRoots): Also fix one of the names of the GC phases.
3582
3583 2014-02-27  Mark Hahnenberg  <mhahnenberg@apple.com>
3584
3585         Clean up Heap::collect and Heap::markRoots
3586         https://bugs.webkit.org/show_bug.cgi?id=129464
3587
3588         Reviewed by Geoffrey Garen.
3589
3590         These functions have built up a lot of cruft recently. 
3591         We should do a bit of cleanup to make them easier to grok.
3592
3593         * heap/Heap.cpp:
3594         (JSC::Heap::finalizeUnconditionalFinalizers):
3595         (JSC::Heap::gatherStackRoots):
3596         (JSC::Heap::gatherJSStackRoots):
3597         (JSC::Heap::gatherScratchBufferRoots):
3598         (JSC::Heap::clearLivenessData):
3599         (JSC::Heap::visitSmallStrings):
3600         (JSC::Heap::visitConservativeRoots):
3601         (JSC::Heap::visitCompilerWorklists):
3602         (JSC::Heap::markProtectedObjects):
3603         (JSC::Heap::markTempSortVectors):
3604         (JSC::Heap::markArgumentBuffers):
3605         (JSC::Heap::visitException):
3606         (JSC::Heap::visitStrongHandles):
3607         (JSC::Heap::visitHandleStack):
3608         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
3609         (JSC::Heap::converge):
3610         (JSC::Heap::visitWeakHandles):
3611         (JSC::Heap::clearRememberedSet):
3612         (JSC::Heap::updateObjectCounts):
3613         (JSC::Heap::resetVisitors):
3614         (JSC::Heap::markRoots):
3615         (JSC::Heap::copyBackingStores):
3616         (JSC::Heap::deleteUnmarkedCompiledCode):
3617         (JSC::Heap::collect):
3618         (JSC::Heap::collectIfNecessaryOrDefer):
3619         (JSC::Heap::suspendCompilerThreads):
3620         (JSC::Heap::willStartCollection):
3621         (JSC::Heap::deleteOldCode):
3622         (JSC::Heap::flushOldStructureIDTables):
3623         (JSC::Heap::flushWriteBarrierBuffer):
3624         (JSC::Heap::stopAllocation):
3625         (JSC::Heap::reapWeakHandles):
3626         (JSC::Heap::sweepArrayBuffers):
3627         (JSC::Heap::snapshotMarkedSpace):
3628         (JSC::Heap::deleteSourceProviderCaches):
3629         (JSC::Heap::notifyIncrementalSweeper):
3630         (JSC::Heap::rememberCurrentlyExecutingCodeBlocks):
3631         (JSC::Heap::resetAllocators):
3632         (JSC::Heap::updateAllocationLimits):
3633         (JSC::Heap::didFinishCollection):
3634         (JSC::Heap::resumeCompilerThreads):
3635         * heap/Heap.h:
3636
3637 2014-02-27  Ryosuke Niwa  <rniwa@webkit.org>
3638
3639         indexOf and lastIndexOf shouldn't resolve ropes when needle is longer than haystack
3640         https://bugs.webkit.org/show_bug.cgi?id=129466
3641
3642         Reviewed by Michael Saboff.
3643
3644         Refactored the code to avoid calling JSString::value when needle is longer than haystack.
3645
3646         * runtime/StringPrototype.cpp:
3647         (JSC::stringProtoFuncIndexOf):
3648         (JSC::stringProtoFuncLastIndexOf):
3649
3650 2014-02-27  Timothy Hatcher  <timothy@apple.com>
3651
3652         Improve how ContentSearchUtilities::lineEndings works by supporting the three common line endings.
3653
3654         https://bugs.webkit.org/show_bug.cgi?id=129458
3655
3656         Reviewed by Joseph Pecoraro.
3657
3658         * inspector/ContentSearchUtilities.cpp:
3659         (Inspector::ContentSearchUtilities::textPositionFromOffset): Remove assumption about line ending length.
3660         (Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines): Remove assumption about
3661         line ending type and don't try to strip the line ending. Use size_t.
3662         (Inspector::ContentSearchUtilities::lineEndings): Use findNextLineStart to find the lines.
3663         This will include the line ending in the lines, but that is okay.
3664         (Inspector::ContentSearchUtilities::buildObjectForSearchMatch): Use size_t.
3665         (Inspector::ContentSearchUtilities::searchInTextByLines): Modernize.
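
The three-terminator line scanning this entry describes, as an added example that is not WebKit's ContentSearchUtilities code: "\n", "\r\n" and "\r" are all accepted, each line keeps its own terminator, and an offset is mapped back to (line, column) from the recorded line starts rather than from an assumed terminator length. The function names echo the entry, but their signatures, the layout of the endings array, the matchesByLines helper and the SAMPLE text are all assumptions of this example.

```javascript
// Added example, not WebKit's ContentSearchUtilities code. Function names mirror the
// ChangeLog entry; their signatures and the endings-array layout are assumptions.

// Offset of the first character after the next line terminator at or after `start`,
// or -1 when no terminator remains. "\r\n" is a single terminator and is never split.
function findNextLineStart(text, start) {
  for (let i = start; i < text.length; i++) {
    const c = text[i];
    if (c === "\n") return i + 1;
    if (c === "\r") return text[i + 1] === "\n" ? i + 2 : i + 1;
  }
  return -1;
}

// Split `text` into lines, each keeping its own terminator. The final line has no
// terminator and is present even when empty (text that ends with a terminator).
function lines(text) {
  const result = [];
  let start = 0;
  for (;;) {
    const next = findNextLineStart(text, start);
    if (next === -1) {
      result.push(text.slice(start));
      return result;
    }
    result.push(text.slice(start, next));
    start = next;
  }
}

// endings[i] is the offset just past line i's terminator, i.e. where line i+1 starts;
// the last entry is text.length. Terminator length is baked into the offsets, so a
// later lookup never has to guess whether a line ended in one byte or two.
function lineEndings(text) {
  const endings = [];
  let start = 0;
  for (;;) {
    const next = findNextLineStart(text, start);
    if (next === -1) {
      endings.push(text.length);
      return endings;
    }
    endings.push(next);
    start = next;
  }
}

// Zero-based {line, column} for `offset`. The line start is simply the previous entry
// in `endings`, so a "\r\n" line and a "\n" line are handled identically.
function textPositionFromOffset(offset, endings) {
  let line = 0;
  while (line < endings.length - 1 && offset >= endings[line]) line++;
  const lineStart = line > 0 ? endings[line - 1] : 0;
  return { line, column: offset - lineStart };
}

// Every match of a global `regex`, with the line it starts on and that line's full
// text (terminator included; nothing is stripped).
function matchesByLines(regex, text) {
  const endings = lineEndings(text);
  const allLines = lines(text);
  const result = [];
  let m;
  while ((m = regex.exec(text)) !== null) {
    const { line, column } = textPositionFromOffset(m.index, endings);
    result.push({ line, column, lineContent: allLines[line] });
    if (m[0].length === 0) regex.lastIndex++; // never loop forever on an empty match
  }
  return result;
}

// Constructed sample mixing all three terminators (not from the original page).
const SAMPLE = "alpha\r\nbeta\rgamma\ndelta";
```

With the SAMPLE above, lineEndings gives [7, 12, 18, 23] and offset 14 maps to line 2, column 2. Had the column been computed as offset minus (previous ending + 1), every "\r\n" line would have shifted the reported column of all following lines by one, which is the kind of drift that makes inspector search results point at the wrong character.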
3666
3667 2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>
3668
3669         [Mac] Warning: Multiple build commands for output file GCSegmentedArray and InspectorAgent
3670         https://bugs.webkit.org/show_bug.cgi?id=129446
3671
3672         Reviewed by Timothy Hatcher.
3673
3674         Remove duplicate header entries in Copy Header build phase.
3675
3676         * JavaScriptCore.xcodeproj/project.pbxproj:
3677
3678 2014-02-27  Oliver Hunt  <oliver@apple.com>
3679
3680         Whoops, include all of last patch.
3681
3682         * jit/JITCall32_64.cpp:
3683         (JSC::JIT::compileLoadVarargs):
3684
3685 2014-02-27  Oliver Hunt  <oliver@apple.com>
3686
3687         Slow cases for function.apply and function.call should not require vm re-entry
3688         https://bugs.webkit.org/show_bug.cgi?id=129454
3689
3690         Reviewed by Geoffrey Garen.
3691
3692         Implement call and apply using builtins. Happily the use
3693         of @call and @apply don't perform function equality checks
3694         and just plant direct var_args calls. This did expose a few
3695         codegen issues, but they're all covered by existing tests
3696         once call and apply are implemented in JS.
3697
3698         * JavaScriptCore.xcodeproj/project.pbxproj:
3699         * builtins/Function.prototype.js: Added.
3700         (call):
3701         (apply):
3702         * bytecompiler/NodesCodegen.cpp:
3703         (JSC::CallFunctionCallDotNode::emitBytecode):
3704         (JSC::ApplyFunctionCallDotNode::emitBytecode):
3705         * dfg/DFGCapabilities.cpp:
3706         (JSC::DFG::capabilityLevel):
3707         * interpreter/Interpreter.cpp:
3708         (JSC::sizeFrameForVarargs):
3709         (JSC::loadVarargs):
3710         * interpreter/Interpreter.h:
3711         * jit/JITCall.cpp:
3712         (JSC::JIT::compileLoadVarargs):
3713         * parser/ASTBuilder.h:
3714         (JSC::ASTBuilder::makeFunctionCallNode):
3715         * parser/Lexer.cpp:
3716         (JSC::isSafeBuiltinIdentifier):
3717         * runtime/CommonIdentifiers.h:
3718         * runtime/FunctionPrototype.cpp:
3719         (JSC::FunctionPrototype::addFunctionProperties):
3720         * runtime/JSObject.cpp:
3721         (JSC::JSObject::putDirectBuiltinFunction):
3722         (JSC::JSObject::putDirectBuiltinFunctionWithoutTransition):
3723         * runtime/JSObject.h:
3724
3725 2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>
3726
3727         Web Inspector: Better name for RemoteInspectorDebuggableConnection dispatch queue
3728         https://bugs.webkit.org/show_bug.cgi?id=129443
3729
3730         Reviewed by Timothy Hatcher.
3731
3732         This queue is specific to the JSContext debuggable connections,
3733         there is no XPC involved. Give it a better name.
3734
3735         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
3736         (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
3737
3738 2014-02-27  David Kilzer  <ddkilzer@apple.com>
3739
3740         Remove jsc symlink if it already exists
3741
3742         This is a follow-up fix for:
3743
3744         Create symlink to /usr/local/bin/jsc during installation
3745         <http://webkit.org/b/129399>
3746         <rdar://problem/16168734>
3747
3748         * JavaScriptCore.xcodeproj/project.pbxproj:
3749         (Create /usr/local/bin/jsc symlink): If a jsc symlink already
3750         exists where we're about to create the symlink, remove the old
3751         one first.
3752
3753 2014-02-27  Michael Saboff  <msaboff@apple.com>
3754
3755         Unreviewed build fix for Mac tools after r164814
3756
3757         * Configurations/ToolExecutable.xcconfig:
3758         - Added JavaScriptCore.framework/PrivateHeaders to ToolExecutable include path.
3759         * JavaScriptCore.xcodeproj/project.pbxproj:
3760         - Changed productName to testRegExp for testRegExp target.
3761
3762 2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>
3763
3764         Web Inspector: JSContext inspection should report exceptions in the console
3765         https://bugs.webkit.org/show_bug.cgi?id=128776
3766
3767         Reviewed by Timothy Hatcher.
3768
3769         When JavaScript API functions have an exception, let the inspector
3770         know so it can log the JavaScript and Native backtrace that caused
3771         the exception.
3772
3773         Include some clean up of ConsoleMessage and ScriptCallStack construction.
3774
3775         * API/JSBase.cpp:
3776         (JSEvaluateScript):
3777         (JSCheckScriptSyntax):
3778         * API/JSObjectRef.cpp:
3779         (JSObjectMakeFunction):
3780         (JSObjectMakeArray):
3781         (JSObjectMakeDate):
3782         (JSObjectMakeError):
3783         (JSObjectMakeRegExp):
3784         (JSObjectGetProperty):
3785         (JSObjectSetProperty):
3786         (JSObjectGetPropertyAtIndex):
3787         (JSObjectSetPropertyAtIndex):
3788         (JSObjectDeleteProperty):
3789         (JSObjectCallAsFunction):
3790         (JSObjectCallAsConstructor):
3791         * API/JSValue.mm:
3792         (reportExceptionToInspector):
3793         (valueToArray):
3794         (valueToDictionary):
3795         * API/JSValueRef.cpp:
3796         (JSValueIsEqual):
3797         (JSValueIsInstanceOfConstructor):
3798         (JSValueCreateJSONString):
3799         (JSValueToNumber):
3800         (JSValueToStringCopy):
3801         (JSValueToObject):
3802         When seeing an exception, let the inspector know there was an exception.
3803
3804         * inspector/JSGlobalObjectInspectorController.h:
3805         * inspector/JSGlobalObjectInspectorController.cpp:
3806         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3807         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
3808         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
3809         Log API exceptions by also grabbing the native backtrace.
3810
3811         * inspector/ScriptCallStack.h:
3812         * inspector/ScriptCallStack.cpp:
3813         (Inspector::ScriptCallStack::firstNonNativeCallFrame):
3814         (Inspector::ScriptCallStack::append):
3815         Minor extensions to ScriptCallStack to make it easier to work with.
3816
3817         * inspector/ConsoleMessage.cpp:
3818         (Inspector::ConsoleMessage::ConsoleMessage):
3819         (Inspector::ConsoleMessage::autogenerateMetadata):
3820         Provide better default information if the first call frame was native.
3821
3822         * inspector/ScriptCallStackFactory.cpp:
3823         (Inspector::createScriptCallStack):
3824         (Inspector::extractSourceInformationFromException):
3825         (Inspector::createScriptCallStackFromException):
3826         Perform the handling here of inserting a fake call frame for exceptions
3827         if there was no call stack (e.g. a SyntaxError) or if the first call
3828         frame had no information.
3829
3830         * inspector/ConsoleMessage.cpp:
3831         (Inspector::ConsoleMessage::ConsoleMessage):
3832         (Inspector::ConsoleMessage::autogenerateMetadata):
3833         * inspector/ConsoleMessage.h:
3834         * inspector/ScriptCallStackFactory.cpp:
3835         (Inspector::createScriptCallStack):
3836         (Inspector::createScriptCallStackForConsole):
3837         * inspector/ScriptCallStackFactory.h:
3838         * inspector/agents/InspectorConsoleAgent.cpp:
3839         (Inspector::InspectorConsoleAgent::enable):
3840         (Inspector::InspectorConsoleAgent::addMessageToConsole):
3841         (Inspector::InspectorConsoleAgent::count):
3842         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
3843         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
3844         ConsoleMessage cleanup.
3845
3846 2014-02-27  David Kilzer  <ddkilzer@apple.com>
3847
3848         Create symlink to /usr/local/bin/jsc during installation
3849         <http://webkit.org/b/129399>
3850         <rdar://problem/16168734>
3851
3852         Reviewed by Dan Bernstein.
3853
3854         * JavaScriptCore.xcodeproj/project.pbxproj:
3855         - Add "Create /usr/local/bin/jsc symlink" build phase script to
3856           create the symlink during installation.
3857
3858 2014-02-27  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>
3859
3860         Math.{max, min}() must not return after first NaN value
3861         https://bugs.webkit.org/show_bug.cgi?id=104147
3862
3863         Reviewed by Oliver Hunt.
3864
3865         According to the spec, ToNumber is going to be called on each argument
3866         even if a `NaN` value was already found.
3867
3868         * runtime/MathObject.cpp:
3869         (JSC::mathProtoFuncMax):
3870         (JSC::mathProtoFuncMin):
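
The spec behaviour this entry restores, as an added example in JavaScript that is not JSC's mathProtoFuncMax/mathProtoFuncMin code: every argument goes through ToNumber even after a NaN has been seen, so an argument whose valueOf has side effects is never silently skipped. specMax, specMin, earlyReturnMax and conversionsAfterNaN are names chosen for this example, and the tracked object with the counting valueOf is constructed input.

```javascript
// Added example, not JSC's MathObject code. Function names are assumptions.

// ToNumber via unary plus: ToPrimitive runs the argument's valueOf/toString.
function toNumber(value) {
  return +value;
}

// Spec-shaped max: every argument is converted; NaN is only decided at the end.
// Zero handling follows Math.max, where +0 beats -0.
function specMax(...args) {
  let result = -Infinity;
  let sawNaN = false;
  for (const arg of args) {
    const n = toNumber(arg); // evaluated unconditionally, side effects included
    if (Number.isNaN(n)) sawNaN = true;
    else if (n > result || (n === 0 && result === 0 && !Object.is(n, -0))) result = n;
  }
  return sawNaN ? NaN : result;
}

// Spec-shaped min: the mirror image, where -0 beats +0.
function specMin(...args) {
  let result = Infinity;
  let sawNaN = false;
  for (const arg of args) {
    const n = toNumber(arg);
    if (Number.isNaN(n)) sawNaN = true;
    else if (n < result || (n === 0 && result === 0 && Object.is(n, -0))) result = n;
  }
  return sawNaN ? NaN : result;
}

// The early-return shape the bug title describes (illustrative, not JSC's actual
// code): once NaN is seen, the remaining arguments are never converted.
function earlyReturnMax(...args) {
  let result = -Infinity;
  for (const arg of args) {
    const n = toNumber(arg);
    if (Number.isNaN(n)) return NaN; // skips ToNumber for everything that follows
    if (n > result) result = n;
  }
  return result;
}

// Count how many arguments placed after a leading NaN still get converted by `fn`.
// `tracked` is a constructed object whose valueOf records each conversion.
function conversionsAfterNaN(fn) {
  let calls = 0;
  const tracked = {
    valueOf() {
      calls++;
      return 1;
    },
  };
  fn(NaN, tracked, tracked);
  return calls;
}
```

conversionsAfterNaN(earlyReturnMax) returns 0 while conversionsAfterNaN(specMax) returns 2: the only observable difference between the two is whether user code in valueOf runs, which is exactly what a conformance test (or script relying on that side effect) notices.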
3871
3872 2014-02-27  Gergo Balogh  <gbalogh.u-szeged@partner.samsung.com>
3873
3874         JSType upper limit (0xff) assertion can be removed.
3875         https://bugs.webkit.org/show_bug.cgi?id=129424
3876
3877         Reviewed by Geoffrey Garen.
3878
3879         * runtime/JSTypeInfo.h:
3880         (JSC::TypeInfo::TypeInfo):
3881
3882 2014-02-26  Michael Saboff  <msaboff@apple.com>
3883
3884         Auto generate bytecode information for bytecode parser and LLInt
3885         https://bugs.webkit.org/show_bug.cgi?id=129181
3886
3887         Reviewed by Mark Lam.
3888
3889         Added new bytecode/BytecodeList.json that contains a list of bytecodes and related
3890         helpers.  It also includes bytecode length and other information used to generate files.
3891         Added a new generator, generate-bytecode-files that generates Bytecodes.h and InitBytecodes.asm
3892         in DerivedSources/JavaScriptCore/.
3893
3894         Added the generation of these files to the "DerivedSource" build step.
3895         Slightly changed the build order, since the Bytecodes.h file is needed by
3896         JSCLLIntOffsetsExtractor.  Moved the offline assembly to a separate step since it needs
3897         to be run after JSCLLIntOffsetsExtractor.
3898
3899         Made related changes to OPCODE macros and their use.
3900
3901         Added JavaScriptCore.framework/PrivateHeaders to header file search path for building
3902         jsc to resolve Mac build issue.
3903
3904         * CMakeLists.txt:
3905         * Configurations/JSC.xcconfig:
3906         * DerivedSources.make:
3907         * GNUmakefile.am:
3908         * GNUmakefile.list.am:
3909         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3910         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3911         * JavaScriptCore.vcxproj/copy-files.cmd:
3912         * JavaScriptCore.xcodeproj/project.pbxproj:
3913         * bytecode/Opcode.h:
3914         (JSC::padOpcodeName):
3915         * llint/LLIntCLoop.cpp:
3916         (JSC::LLInt::CLoop::initialize):
3917         * llint/LLIntCLoop.h:
3918         * llint/LLIntData.cpp:
3919         (JSC::LLInt::initialize):
3920         * llint/LLIntOpcode.h:
3921         * llint/LowLevelInterpreter.asm:
3922
3923 2014-02-27  Julien Brianceau  <jbriance@cisco.com>
3924
3925         Fix 32-bit V_JITOperation_EJ callOperation introduced in r162652.
3926         https://bugs.webkit.org/show_bug.cgi?id=129420
3927
3928         Reviewed by Geoffrey Garen.
3929
3930         * dfg/DFGSpeculativeJIT.h:
3931         (JSC::DFG::SpeculativeJIT::callOperation): Payload and tag are swapped.
3932         Also, EABI_32BIT_DUMMY_ARG is missing for arm EABI and mips.
3933
3934 2014-02-27  Filip Pizlo  <fpizlo@apple.com>
3935
3936         Octane/closure thrashes between flattening dictionaries during global object initialization in a global eval
3937         https://bugs.webkit.org/show_bug.cgi?id=129435
3938
3939         Reviewed by Oliver Hunt.
3940         
3941         This is a 5-10% speed-up on Octane/closure.
3942
3943         * interpreter/Interpreter.cpp:
3944         (JSC::Interpreter::execute):
3945         * jsc.cpp:
3946         (GlobalObject::finishCreation):
3947         (functionClearCodeCache):
3948         * runtime/BatchedTransitionOptimizer.h:
3949         (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
3950         (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):
3951
3952 2014-02-27  Alexey Proskuryakov  <ap@apple.com>
3953
3954         Added svn:ignore to two directories, so that .pyc files don't show up as unversioned.
3955
3956         * inspector/scripts: Added property svn:ignore.
3957         * replay/scripts: Added property svn:ignore.
3958
3959 2014-02-27  Gabor Rapcsanyi  <rgabor@webkit.org>
3960
3961         r164764 broke the ARM build
3962         https://bugs.webkit.org/show_bug.cgi?id=129415
3963
3964         Reviewed by Zoltan Herczeg.
3965
3966         * assembler/MacroAssemblerARM.h:
3967         (JSC::MacroAssemblerARM::moveWithPatch): Change reinterpret_cast to static_cast.
3968         (JSC::MacroAssemblerARM::canJumpReplacePatchableBranch32WithPatch): Add missing function.
3969         (JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress): Add missing function.
3970         (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch): Add missing function.
3971
3972 2014-02-27  Mark Hahnenberg  <mhahnenberg@apple.com>
3973
3974         r164764 broke the ARM build
3975         https://bugs.webkit.org/show_bug.cgi?id=129415
3976
3977         Reviewed by Geoffrey Garen.
3978
3979         * assembler/MacroAssemblerARM.h:
3980         (JSC::MacroAssemblerARM::moveWithPatch):
3981
3982 2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>
3983
3984         r164764 broke the ARM build
3985         https://bugs.webkit.org/show_bug.cgi?id=129415
3986
3987         Reviewed by Geoffrey Garen.
3988
3989         * assembler/MacroAssemblerARM.h:
3990         (JSC::MacroAssemblerARM::branch32WithPatch): Missing this function.
3991
3992 2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>
3993
3994         EFL build fix
3995
3996         * dfg/DFGSpeculativeJIT32_64.cpp: Remove unused variables.
3997         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
3998         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
3999
4000 2014-02-25  Mark Hahnenberg  <mhahnenberg@apple.com>