40b5aaa5928034f1623ea2d0f41535cf79332619
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2013-10-16  Filip Pizlo  <fpizlo@apple.com>

        Prototype chain repatching in the polymorphic case fails to check if the receiver is a dictionary
        https://bugs.webkit.org/show_bug.cgi?id=122938

        Reviewed by Sam Weinig.

        This fixes jsc-layout-tests.yaml/js/script-tests/dictionary-prototype-caching.js.layout-no-llint.

        * jit/Repatch.cpp:
        (JSC::tryBuildGetByIDList):

2013-10-16  Filip Pizlo  <fpizlo@apple.com>

        JIT::appendCall() needs to killLastResultRegister() or equivalent since there's some really bad code that expects it
        https://bugs.webkit.org/show_bug.cgi?id=122937

        Reviewed by Geoffrey Garen.

        JITStubCall used to do it.

        This makes mozilla-tests.yaml/ecma/Statements/12.10-1.js.mozilla-baseline pass.

        * jit/JIT.h:
        (JSC::JIT::appendCall):

2013-10-16  Michael Saboff  <msaboff@apple.com>

        transition void cti_op_put_by_val* stubs to JIT operations
        https://bugs.webkit.org/show_bug.cgi?id=122903

        Reviewed by Geoffrey Garen.

        Transitioned cti_op_put_by_val and cti_op_put_by_val_generic to operationPutByVal and
        operationPutByValGeneric.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitSlow_op_put_by_val):
        (JSC::JIT::privateCompilePutByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_put_by_val):
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * jit/JSInterfaceJIT.h:

2013-10-16  Oliver Hunt  <oliver@apple.com>

        Implement ES6 spread operator
        https://bugs.webkit.org/show_bug.cgi?id=122911

        Reviewed by Michael Saboff.

        Implement the ES6 spread operator

        This has a little bit of refactoring to move the enumeration logic out of ForOfNode
        and into BytecodeGenerator, and then adds the logic to make it nicely callback
        driven.

        The rest of the logic is just the addition of the SpreadExpressionNode, the parsing,
        and actually handling the spread.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitNewArray):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitEnumeration):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayNode::emitBytecode):
        (JSC::ForOfNode::emitBytecode):
        (JSC::SpreadExpressionNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createSpreadExpression):
        * parser/Lexer.cpp:
        (JSC::::lex):
        * parser/NodeConstructors.h:
        (JSC::SpreadExpressionNode::SpreadExpressionNode):
        * parser/Nodes.h:
        (JSC::ExpressionNode::isSpreadExpression):
        (JSC::SpreadExpressionNode::expression):
        * parser/Parser.cpp:
        (JSC::::parseArrayLiteral):
        (JSC::::parseArguments):
        (JSC::::parseMemberExpression):
        * parser/Parser.h:
        (JSC::Parser::getTokenName):
        (JSC::Parser::updateErrorMessageSpecialCase):
        * parser/ParserTokens.h:
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createSpreadExpression):

2013-10-16  Filip Pizlo  <fpizlo@apple.com>

        Add a useLLInt option to jsc
        https://bugs.webkit.org/show_bug.cgi?id=122930

        Reviewed by Geoffrey Garen.

        * runtime/Executable.cpp:
        (JSC::setupLLInt):
        (JSC::setupJIT):
        (JSC::ScriptExecutable::prepareForExecutionImpl):
        * runtime/Options.h:

2013-10-16  Mark Hahnenberg  <mhahnenberg@apple.com>

        Build fix.

        Forgot to svn add DeferGC.cpp

        * heap/DeferGC.cpp: Added.

2013-10-16  Filip Pizlo  <fpizlo@apple.com>

        r157411 fails run-javascriptcore-tests when run with Baseline JIT
        https://bugs.webkit.org/show_bug.cgi?id=122902

        Reviewed by Mark Hahnenberg.

        It turns out that this was a long-standing bug in the DFG PutById repatching logic. It's
        not legal to patch if the typeInfo tells you that you can't patch. The old JIT's patching
        logic did this right, and the DFG's GetById patching logic did it right; but DFG PutById
        didn't. Turns out that there's even a helpful method,
        Structure::propertyAccessesAreCacheable(), that will even do all of the checks for you!

        * jit/Repatch.cpp:
        (JSC::tryCachePutByID):

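As an added illustration (not JavaScriptCore's code) of the check that both the dictionary-receiver fix for prototype chain repatching and the DFG PutById fix above depend on: a toy inline cache that patches itself only when the receiver's structure reports that property accesses are cacheable, and the stale out-of-bounds read it would otherwise make once a dictionary mutates in place. `Structure`, `Object` and `GetByIdCache` are simplified assumed names modelled on the entries, not JSC's types.

```cpp
// Added illustration, not JavaScriptCore's own code: why an inline cache must
// consult Structure::propertyAccessesAreCacheable() before patching itself.
// Names and layout are simplified assumptions modelled on the ChangeLog above.
#include <cstddef>
#include <cstdint>
#include <map>
#include <string>
#include <vector>

struct Structure {
    uint32_t id;                   // identity the inline cache guards on
    bool isDictionary;             // properties mutate in place under the same id
    bool typeInfoForbidsCaching;   // type info says "never cache accesses"
    std::map<std::string, size_t> offsets;   // property name -> slot index

    // The single check both repatch paths must make before patching.
    bool propertyAccessesAreCacheable() const {
        return !isDictionary && !typeInfoForbidsCaching;
    }
};

struct Object {
    const Structure* structure;
    std::vector<int> slots;
};

// Sentinel returned where real JIT code would have read out of bounds.
constexpr int kOutOfBoundsRead = -1;

struct GetByIdCache {
    bool checkCacheability;        // false reproduces the old DFG PutById bug
    bool patched = false;
    uint32_t cachedStructureId = 0;
    size_t cachedOffset = 0;
    unsigned refusedToPatch = 0;

    int get(const Object& obj, const std::string& name) {
        // Fast path: the structure id matches what we patched in.
        if (patched && cachedStructureId == obj.structure->id) {
            if (cachedOffset >= obj.slots.size())
                return kOutOfBoundsRead;   // stale offset on a dictionary
            return obj.slots[cachedOffset];
        }
        // Slow path: real lookup, then decide whether patching is legal.
        auto it = obj.structure->offsets.find(name);
        if (it == obj.structure->offsets.end())
            return 0;   // "undefined", simplified
        bool mayPatch = !checkCacheability || obj.structure->propertyAccessesAreCacheable();
        if (mayPatch) {
            patched = true;
            cachedStructureId = obj.structure->id;
            cachedOffset = it->second;
        } else {
            ++refusedToPatch;
        }
        return obj.slots[it->second];
    }
};

// Scenario: a dictionary receiver loses property "x" in place (same structure
// id, slots compacted) between two accesses to "y". Returns the second read.
int readAfterDictionaryMutation(bool checkCacheability) {
    Structure dict{1, /*isDictionary=*/true, false, {{"x", 0}, {"y", 1}}};
    Object obj{&dict, {3, 7}};
    GetByIdCache ic{checkCacheability};
    ic.get(obj, "y");             // first access may patch offset 1
    dict.offsets = {{"y", 0}};    // in-place delete of "x", id unchanged
    obj.slots = {7};
    return ic.get(obj, "y");      // 7 only if the cache refused to patch
}

// A normal (non-dictionary) structure is patched and still read correctly.
int readThroughPatchedCache() {
    Structure normal{2, false, false, {{"y", 0}}};
    Object obj{&normal, {42}};
    GetByIdCache ic{true};
    ic.get(obj, "y");
    return ic.get(obj, "y");
}
```
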
2013-10-16  Mark Hahnenberg  <mhahnenberg@apple.com>

        llint_slow_path_put_by_id can deadlock on a ConcurrentJITLock
        https://bugs.webkit.org/show_bug.cgi?id=122667

        Reviewed by Geoffrey Garen.

        The issue this patch is attempting to fix is that there are places in our codebase
        where we acquire the ConcurrentJITLock for a particular CodeBlock, then we do some
        operations that can initiate a garbage collection. Garbage collection then calls
        some methods of CodeBlock that also take the ConcurrentJITLock (because they don't
        always necessarily run during garbage collection). This causes a deadlock.

        To fix this issue, this patch adds a new RAII-style object (DisallowGC) that stores
        into a thread-local field that indicates that it is unsafe to perform any operation
        that could trigger garbage collection on the current thread. In debug builds,
        ConcurrentJITLocker contains one of these DisallowGC objects so that we can eagerly
        detect deadlocks.

        This patch also adds a new type of ConcurrentJITLocker, GCSafeConcurrentJITLocker,
        which uses the DeferGC mechanism to prevent collections from occurring while the
        lock is held.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/DeferGC.h:
        (JSC::DisallowGC::DisallowGC):
        (JSC::DisallowGC::~DisallowGC):
        (JSC::DisallowGC::isGCDisallowedOnCurrentThread):
        (JSC::DisallowGC::initialize):
        * jit/Repatch.cpp:
        (JSC::repatchPutByID):
        (JSC::buildPutByIdList):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/ConcurrentJITLock.h:
        (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
        (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
        (JSC::ConcurrentJITLockerBase::unlockEarly):
        (JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker):
        (JSC::GCSafeConcurrentJITLocker::~GCSafeConcurrentJITLocker):
        (JSC::GCSafeConcurrentJITLocker::NoDefer::NoDefer):
        (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):
        * runtime/JSCellInlines.h:
        (JSC::allocateCell):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTablePut):
        * runtime/Structure.cpp: materializePropertyMapIfNecessary* now has a problem in that it
        can start a garbage collection when the GCSafeConcurrentJITLocker goes out of scope, but
        before the caller has a chance to use the newly created PropertyTable. The garbage collection
        clears the PropertyTable, and then the caller uses it assuming it's valid. To avoid this,
        we must DeferGC until the caller is done getting the newly materialized PropertyTable from
        the Structure.
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::despecifyDictionaryFunction):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::takePropertyTableOrCloneIfPinned):
        (JSC::Structure::isSealed):
        (JSC::Structure::isFrozen):
        (JSC::Structure::addPropertyWithoutTransition):
        (JSC::Structure::removePropertyWithoutTransition):
        (JSC::Structure::get):
        (JSC::Structure::despecifyFunction):
        (JSC::Structure::despecifyAllFunctions):
        (JSC::Structure::putSpecificValue):
        (JSC::Structure::createPropertyMap):
        (JSC::Structure::getPropertyNamesFromStructure):
        * runtime/Structure.h:
        (JSC::Structure::materializePropertyMapIfNecessary):
        (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
        * runtime/StructureInlines.h:
        (JSC::Structure::get):
        * runtime/SymbolTable.h:
        (JSC::SymbolTable::find):
        (JSC::SymbolTable::end):

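As an added illustration of the mechanism the entry above describes (this is not JavaScriptCore's code; the names mirror the entry, the bodies are assumptions): a thread-local DisallowGC guard that turns the lock-then-collect deadlock into an eager error, a DeferGC-based GC-safe locker that postpones the collection until the mutex is released, and the Structure.cpp caveat where the deferred collection fires before the caller has used the freshly built table unless the caller holds its own DeferGC. `collectGarbage`, `allocateCell` and `g_codeBlockLock` are stand-ins for the demo.

```cpp
// Added illustration, not JavaScriptCore's own code: DisallowGC / DeferGC /
// GCSafeConcurrentJITLocker modelled on the ChangeLog entry above.
#include <memory>
#include <mutex>
#include <stdexcept>
#include <utility>

thread_local unsigned gcDisallowDepth = 0;  // > 0: a collection would deadlock
thread_local unsigned gcDeferDepth = 0;     // > 0: collections are postponed
thread_local bool collectionPending = false;
unsigned collectionsRun = 0;                // counter for the single-threaded demo

struct DisallowGC {
    DisallowGC() { ++gcDisallowDepth; }
    ~DisallowGC() { --gcDisallowDepth; }
    static bool isGCDisallowedOnCurrentThread() { return gcDisallowDepth > 0; }
};

// Stand-in for the collector: the real one re-takes CodeBlock's
// ConcurrentJITLock, so running it while that lock is held deadlocks.
void collectGarbage() {
    if (gcDeferDepth) { collectionPending = true; return; }
    if (DisallowGC::isGCDisallowedOnCurrentThread())
        throw std::logic_error("GC requested while disallowed: would deadlock");
    ++collectionsRun;
}

struct DeferGC {
    DeferGC() { ++gcDeferDepth; }
    ~DeferGC() {
        if (--gcDeferDepth == 0 && collectionPending) {
            collectionPending = false;
            collectGarbage();   // run the collection that was held back
        }
    }
};

struct ConcurrentJITLock { std::mutex mutex; };
ConcurrentJITLock g_codeBlockLock;   // shared by the demo functions below

// Debug-build style locker: holding the lock makes a collection an error.
struct ConcurrentJITLocker {
    std::lock_guard<std::mutex> guard;
    DisallowGC disallow;
    explicit ConcurrentJITLocker(ConcurrentJITLock& l) : guard(l.mutex) {}
};

// GC-safe locker: `defer` is declared first so it is destroyed last, i.e.
// the pending collection runs only after `guard` has released the mutex.
struct GCSafeConcurrentJITLocker {
    DeferGC defer;
    std::lock_guard<std::mutex> guard;
    explicit GCSafeConcurrentJITLocker(ConcurrentJITLock& l) : guard(l.mutex) {}
};

// Something that may allocate and hence request a collection.
void allocateCell() { collectGarbage(); }

// True when the would-be deadlock is caught before the lock is re-taken.
bool debugLockerCatchesDeadlock() {
    try {
        ConcurrentJITLocker locker(g_codeBlockLock);
        allocateCell();
    } catch (const std::logic_error&) {
        return true;
    }
    return false;
}

// Collections that ran while the GC-safe lock was held vs. after release.
std::pair<unsigned, unsigned> gcSafeLockerDefersCollection() {
    unsigned before = collectionsRun, during = 0;
    {
        GCSafeConcurrentJITLocker locker(g_codeBlockLock);
        allocateCell();
        during = collectionsRun - before;
    }
    return {during, collectionsRun - before};
}

// The Structure.cpp caveat: the deferred collection fires when the locker
// dies, before the caller reads the fresh PropertyTable, unless the caller
// holds its own DeferGC across the use.
bool collectionFiredBeforeCallerUsedTable(bool callerHoldsDeferGC) {
    unsigned before = collectionsRun;
    std::unique_ptr<DeferGC> callerDefer;
    if (callerHoldsDeferGC) callerDefer.reset(new DeferGC);
    {
        GCSafeConcurrentJITLocker locker(g_codeBlockLock);
        allocateCell();   // building the table can request a collection
    }                     // locker gone: collection fires here unless deferred
    return collectionsRun != before;   // true: table may already be cleared
}
```
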
2013-10-16  Daniel Bates  <dabates@apple.com>

        Add SPI to disable the garbage collector timer
        https://bugs.webkit.org/show_bug.cgi?id=122921

        Reviewed by Geoffrey Garen.

        Based on a patch by Mark Hahnenberg.

        * API/JSBase.cpp:
        (JSDisableGCTimer): Added; SPI function.
        * API/JSBasePrivate.h:
        * heap/BlockAllocator.cpp:
        (JSC::createBlockFreeingThread): Added.
        (JSC::BlockAllocator::BlockAllocator): Modified to use JSC::createBlockFreeingThread()
        to conditionally create the "block freeing" thread depending on the value of
        GCActivityCallback::s_shouldCreateGCTimer.
        (JSC::BlockAllocator::~BlockAllocator):
        * heap/BlockAllocator.h:
        (JSC::BlockAllocator::deallocate):
        * heap/Heap.cpp:
        (JSC::Heap::didAbandon):
        (JSC::Heap::collect):
        (JSC::Heap::didAllocate):
        * heap/HeapTimer.cpp:
        (JSC::HeapTimer::timerDidFire):
        * runtime/GCActivityCallback.cpp:
        * runtime/GCActivityCallback.h:
        (JSC::DefaultGCActivityCallback::create): Only instantiate a DefaultGCActivityCallback object
        when GCActivityCallback::s_shouldCreateGCTimer is true so as to prevent allocating a HeapTimer
        object (since DefaultGCActivityCallback ultimately extends HeapTimer).

2013-10-16  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r157529.
        http://trac.webkit.org/changeset/157529
        https://bugs.webkit.org/show_bug.cgi?id=122919

        Caused score test failures and some build failures. (Requested
        by rfong on #webkit).

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitNewArray):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayNode::emitBytecode):
        (JSC::CallArguments::CallArguments):
        (JSC::ForOfNode::emitBytecode):
        (JSC::BindingNode::collectBoundIdentifiers):
        * parser/ASTBuilder.h:
        * parser/Lexer.cpp:
        (JSC::::lex):
        * parser/NodeConstructors.h:
        (JSC::DotAccessorNode::DotAccessorNode):
        * parser/Nodes.h:
        * parser/Parser.cpp:
        (JSC::::parseArrayLiteral):
        (JSC::::parseArguments):
        (JSC::::parseMemberExpression):
        * parser/Parser.h:
        (JSC::Parser::getTokenName):
        (JSC::Parser::updateErrorMessageSpecialCase):
        * parser/ParserTokens.h:
        * parser/SyntaxChecker.h:

2013-10-16  Julien Brianceau  <jbriance@cisco.com>

        Remove useless architecture specific implementation in DFG.
        https://bugs.webkit.org/show_bug.cgi?id=122917.

        Reviewed by Michael Saboff.

        With CPU(ARM) && CPU(ARM_HARDFP) architecture, the fallback implementation is fine
        as FPRInfo::argumentFPR0 == FPRInfo::returnValueFPR in this case.

        * dfg/DFGSpeculativeJIT.h:

2013-10-16  Julien Brianceau  <jbriance@cisco.com>

        Remove unused JIT::restoreArgumentReferenceForTrampoline function.
        https://bugs.webkit.org/show_bug.cgi?id=122916.

        Reviewed by Michael Saboff.

        This architecture specific function is not used anymore, so get rid of it.

        * jit/JIT.h:
        * jit/JITInlines.h:

2013-10-16  Oliver Hunt  <oliver@apple.com>

        Implement ES6 spread operator
        https://bugs.webkit.org/show_bug.cgi?id=122911

        Reviewed by Michael Saboff.

        Implement the ES6 spread operator

        This has a little bit of refactoring to move the enumeration logic out of ForOfNode
        and into BytecodeGenerator, and then adds the logic to make it nicely callback
        driven.

        The rest of the logic is just the addition of the SpreadExpressionNode, the parsing,
        and actually handling the spread.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitNewArray):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitEnumeration):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayNode::emitBytecode):
        (JSC::ForOfNode::emitBytecode):
        (JSC::SpreadExpressionNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createSpreadExpression):
        * parser/Lexer.cpp:
        (JSC::::lex):
        * parser/NodeConstructors.h:
        (JSC::SpreadExpressionNode::SpreadExpressionNode):
        * parser/Nodes.h:
        (JSC::ExpressionNode::isSpreadExpression):
        (JSC::SpreadExpressionNode::expression):
        * parser/Parser.cpp:
        (JSC::::parseArrayLiteral):
        (JSC::::parseArguments):
        (JSC::::parseMemberExpression):
        * parser/Parser.h:
        (JSC::Parser::getTokenName):
        (JSC::Parser::updateErrorMessageSpecialCase):
        * parser/ParserTokens.h:
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createSpreadExpression):

2013-10-16  Mark Lam  <mark.lam@apple.com>

        Transition void cti_op_tear_off* methods to JIT operations for 32 bit.
        https://bugs.webkit.org/show_bug.cgi?id=122899.

        Reviewed by Michael Saboff.

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_tear_off_activation):
        (JSC::JIT::emit_op_tear_off_arguments):
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:

2013-10-16  Julien Brianceau  <jbriance@cisco.com>

        Remove more of the UNINTERRUPTED_SEQUENCE thing
        https://bugs.webkit.org/show_bug.cgi?id=122885

        Reviewed by Andreas Kling.

        It was not completely removed by r157481, leading to build failure for sh4 architecture.

        * jit/JIT.h:
        * jit/JITInlines.h:

2013-10-15  Filip Pizlo  <fpizlo@apple.com>

        Get rid of the StructureStubInfo::patch union
        https://bugs.webkit.org/show_bug.cgi?id=122877

        Reviewed by Sam Weinig.

        Just simplifying code by getting rid of data structures that ain't used no more.

        Note that I replace the patch union with a patch struct. This means we say things like
        stubInfo.patch.valueGPR instead of stubInfo.valueGPR. I think that this extra
        encapsulation makes the code more readable: the patch struct contains just those things
        that you need to know to perform patching.

        * bytecode/StructureStubInfo.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * jit/JIT.cpp:
        (JSC::PropertyStubCompilationInfo::copyToStubInfo):
        * jit/Repatch.cpp:
        (JSC::repatchByIdSelfAccess):
        (JSC::replaceWithJump):
        (JSC::linkRestoreScratch):
        (JSC::generateProtoChainAccessStub):
        (JSC::tryCacheGetByID):
        (JSC::getPolymorphicStructureList):
        (JSC::patchJumpToGetByIdStub):
        (JSC::tryBuildGetByIDList):
        (JSC::emitPutReplaceStub):
        (JSC::emitPutTransitionStub):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        (JSC::tryRepatchIn):
        (JSC::resetGetByID):
        (JSC::resetPutByID):
        (JSC::resetIn):

2013-10-15  Nadav Rotem  <nrotem@apple.com>

        FTL: add support for Int52ToValue and fix putByVal of int52s.
        https://bugs.webkit.org/show_bug.cgi?id=122873

        Reviewed by Filip Pizlo.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileInt52ToValue):
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):

2013-10-15  Filip Pizlo  <fpizlo@apple.com>

        Get rid of the UNINTERRUPTED_SEQUENCE thing
        https://bugs.webkit.org/show_bug.cgi?id=122876

        Reviewed by Mark Hahnenberg.

        It doesn't make sense anymore. We now use the DFG's IC logic, which never needed that.

        Moreover, we should resist the temptation to bring anything like this back. We don't
        want to have inline caches that only work if the assembler lays out code in a specific
        predetermined way.

        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):

2013-10-15  Filip Pizlo  <fpizlo@apple.com>

        Baseline JIT should use the DFG GetById IC
        https://bugs.webkit.org/show_bug.cgi?id=122861

        Reviewed by Oliver Hunt.

        This mostly just kills a ton of code.

        Note that this doesn't yet do all of the simplifications that can be done, but it does
        kill dead code. I'll have another change to simplify StructureStubInfo's unions and such.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::resetStubInternal):
        * jit/JIT.cpp:
        (JSC::PropertyStubCompilationInfo::copyToStubInfo):
        * jit/JIT.h:
        (JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
        * jit/JITInlines.h:
        (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
        (JSC::JIT::callOperation):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emitSlow_op_get_from_scope):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emitSlow_op_get_from_scope):
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * jit/Repatch.cpp:
        (JSC::repatchGetByID):
        (JSC::buildGetByIDList):
        * jit/ThunkGenerators.cpp:
        * jit/ThunkGenerators.h:

2013-10-15  Dean Jackson  <dino@apple.com>

        Add ENABLE_WEB_ANIMATIONS flag
        https://bugs.webkit.org/show_bug.cgi?id=122871

        Reviewed by Tim Horton.

        Eventually might be http://dev.w3.org/fxtf/web-animations/
        but this is just engine-internal work at the moment.

        * Configurations/FeatureDefines.xcconfig:

2013-10-15  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Some calls don't match sh4 ABI.
        https://bugs.webkit.org/show_bug.cgi?id=122863

        Reviewed by Michael Saboff.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):

2013-10-15  Daniel Bates  <dabates@apple.com>

        [iOS] Upstream JavaScriptCore support for ARM64
        https://bugs.webkit.org/show_bug.cgi?id=122762

        Reviewed by Oliver Hunt and Filip Pizlo.

        * Configurations/Base.xcconfig:
        * Configurations/DebugRelease.xcconfig:
        * Configurations/JavaScriptCore.xcconfig:
        * Configurations/ToolExecutable.xcconfig:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/ARM64Assembler.h: Added.
        * assembler/AbstractMacroAssembler.h:
        (JSC::isARM64):
        (JSC::AbstractMacroAssembler::Label::Label):
        (JSC::AbstractMacroAssembler::Jump::Jump):
        (JSC::AbstractMacroAssembler::Jump::link):
        (JSC::AbstractMacroAssembler::Jump::linkTo):
        (JSC::AbstractMacroAssembler::CachedTempRegister::CachedTempRegister):
        (JSC::AbstractMacroAssembler::CachedTempRegister::registerIDInvalidate):
        (JSC::AbstractMacroAssembler::CachedTempRegister::registerIDNoInvalidate):
        (JSC::AbstractMacroAssembler::CachedTempRegister::value):
        (JSC::AbstractMacroAssembler::CachedTempRegister::setValue):
        (JSC::AbstractMacroAssembler::CachedTempRegister::invalidate):
        (JSC::AbstractMacroAssembler::invalidateAllTempRegisters):
        (JSC::AbstractMacroAssembler::isTempRegisterValid):
        (JSC::AbstractMacroAssembler::clearTempRegisterValid):
        (JSC::AbstractMacroAssembler::setTempRegisterValid):
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::copyCompactAndLinkCode):
        (JSC::LinkBuffer::linkCode):
        * assembler/LinkBuffer.h:
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::isPtrAlignedAddressOffset):
        (JSC::MacroAssembler::pushToSave):
        (JSC::MacroAssembler::popToRestore):
        (JSC::MacroAssembler::patchableBranchTest32):
        * assembler/MacroAssemblerARM64.h: Added.
        * assembler/MacroAssemblerARMv7.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithDiv):
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        * disassembler/ARM64/A64DOpcode.cpp: Added.
        * disassembler/ARM64/A64DOpcode.h: Added.
        * disassembler/ARM64Disassembler.cpp: Added.
        * heap/MachineStackMarker.cpp:
        (JSC::getPlatformThreadRegisters):
        (JSC::otherThreadStackPointer):
        * heap/Region.h:
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::debugCall):
        * jit/CCallHelpers.h:
        * jit/ExecutableAllocator.h:
        * jit/FPRInfo.h:
        (JSC::FPRInfo::toRegister):
        (JSC::FPRInfo::toIndex):
        (JSC::FPRInfo::debugName):
        * jit/GPRInfo.h:
        (JSC::GPRInfo::toRegister):
        (JSC::GPRInfo::toIndex):
        (JSC::GPRInfo::debugName):
        * jit/JITInlines.h:
        (JSC::JIT::restoreArgumentReferenceForTrampoline):
        * jit/JITOperationWrappers.h:
        * jit/JITOperations.cpp:
        * jit/JITStubs.cpp:
        (JSC::performPlatformSpecificJITAssertions):
        (JSC::tryCachePutByID):
        * jit/JITStubs.h:
        (JSC::JITStackFrame::returnAddressSlot):
        * jit/JITStubsARM64.h: Added.
        * jit/JSInterfaceJIT.h:
        * jit/Repatch.cpp:
        (JSC::emitRestoreScratch):
        (JSC::generateProtoChainAccessStub):
        (JSC::tryCacheGetByID):
        (JSC::emitPutReplaceStub):
        (JSC::tryCachePutByID):
        (JSC::tryRepatchIn):
        * jit/ScratchRegisterAllocator.h:
        (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
        (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator):
        (JSC::floorThunkGenerator):
        (JSC::ceilThunkGenerator):
        * jsc.cpp:
        (main):
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::handleHostCall):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/arm.rb:
        * offlineasm/arm64.rb: Added.
        * offlineasm/backends.rb:
        * offlineasm/instructions.rb:
        * offlineasm/risc.rb:
        * offlineasm/transform.rb:
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::alignCallFrameSizeInBytes):
        (JSC::Yarr::YarrGenerator::initCallFrame):
        (JSC::Yarr::YarrGenerator::removeCallFrame):
        (JSC::Yarr::YarrGenerator::generateEnter):
        * yarr/YarrJIT.h:

2013-10-15  Mark Lam  <mark.lam@apple.com>

        Fix 3 operand sub operation in C loop LLINT.
        https://bugs.webkit.org/show_bug.cgi?id=122866.

        Reviewed by Geoffrey Garen.

        * offlineasm/cloop.rb:

2013-10-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        ObjCCallbackFunctionImpl shouldn't store a JSContext
        https://bugs.webkit.org/show_bug.cgi?id=122531

        Reviewed by Geoffrey Garen.

        The m_context field in ObjCCallbackFunctionImpl is vestigial and is only incidentally correct
        in the common case. It's also no longer necessary in that we can look up the current JSContext
        by using the globalObject of the callee when the function callback is invoked.

        Also added a new test that would cause us to crash previously. The test required making
        JSContextGetGlobalContext public API so that clients can obtain a JSContext from the JSContextRef
        in C API callbacks.

        * API/JSContextRef.h:
        * API/JSContextRefPrivate.h:
        * API/ObjCCallbackFunction.mm:
        (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl):
        (JSC::objCCallbackFunctionCallAsFunction):
        (objCCallbackFunctionForInvocation):
        * API/WebKitAvailability.h:
        * API/tests/CurrentThisInsideBlockGetterTest.h: Added.
        * API/tests/CurrentThisInsideBlockGetterTest.mm: Added.
        (CallAsConstructor):
        (ConstructorFinalize):
        (ConstructorClass):
        (+[JSValue valueWithConstructorDescriptor:inContext:]):
        (-[JSContext valueWithConstructorDescriptor:]):
        (currentThisInsideBlockGetterTest):
        * API/tests/testapi.mm:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * debugger/Debugger.cpp: Had to add some fully qualified names to avoid conflicts with Mac OS X headers.

2013-10-15  Julien Brianceau  <jbriance@cisco.com>

        Fix build after r157457 for architectures with 4 argument registers.
        https://bugs.webkit.org/show_bug.cgi?id=122860

        Reviewed by Michael Saboff.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupStubArguments134):

2013-10-14  Michael Saboff  <msaboff@apple.com>

        transition void cti_op_* methods to JIT operations.
        https://bugs.webkit.org/show_bug.cgi?id=122617

        Reviewed by Geoffrey Garen.

        Converted the following stubs to JIT operations:
            cti_handle_watchdog_timer
            cti_op_debug
            cti_op_pop_scope
            cti_op_profile_did_call
            cti_op_profile_will_call
            cti_op_put_by_index
            cti_op_put_getter_setter
            cti_op_tear_off_activation
            cti_op_tear_off_arguments
            cti_op_throw_static_error
            cti_optimize

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        (JSC::CCallHelpers::setupThreeStubArgsGPR):
        (JSC::CCallHelpers::setupStubArguments):
        (JSC::CCallHelpers::setupStubArguments134):
        * jit/JIT.cpp:
        (JSC::JIT::emitEnterOptimizationCheck):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_tear_off_activation):
        (JSC::JIT::emit_op_tear_off_arguments):
        (JSC::JIT::emit_op_push_with_scope):
        (JSC::JIT::emit_op_pop_scope):
        (JSC::JIT::emit_op_push_name_scope):
        (JSC::JIT::emit_op_throw_static_error):
        (JSC::JIT::emit_op_debug):
        (JSC::JIT::emit_op_profile_will_call):
        (JSC::JIT::emit_op_profile_did_call):
        (JSC::JIT::emitSlow_op_loop_hint):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_push_with_scope):
        (JSC::JIT::emit_op_pop_scope):
        (JSC::JIT::emit_op_push_name_scope):
        (JSC::JIT::emit_op_throw_static_error):
        (JSC::JIT::emit_op_debug):
        (JSC::JIT::emit_op_profile_will_call):
        (JSC::JIT::emit_op_profile_did_call):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_by_index):
        (JSC::JIT::emit_op_put_getter_setter):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_by_index):
        (JSC::JIT::emit_op_put_getter_setter):
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:

2013-10-15  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Introduce const pools in LLINT.
        https://bugs.webkit.org/show_bug.cgi?id=122746

        Reviewed by Michael Saboff.

        In current implementation of LLINT for sh4, immediate values outside range -128..127 are
        loaded this way:

            mov.l .label, rx
            bra out
            nop
            .balign 4
            .label: .long immvalue
            out:

        This change introduces const pools for sh4 implementation to avoid lots of useless branches
        and reduce code size. It also removes lines of dirty code, like jmpf and callf.

        * offlineasm/instructions.rb: Remove jmpf and callf sh4 specific instructions.
        * offlineasm/sh4.rb:

765 2013-10-15  Mark Lam  <mark.lam@apple.com>
766
767         Fix broken C Loop LLINT build.
768         https://bugs.webkit.org/show_bug.cgi?id=122839.
769
770         Reviewed by Michael Saboff.
771
772         * dfg/DFGFlushedAt.cpp:
773         * jit/JITOperations.h:
774
775 2013-10-14  Mark Lam  <mark.lam@apple.com>
776
777         Transition *switch* and *scope* JITStubs to JIT operations.
778         https://bugs.webkit.org/show_bug.cgi?id=122757.
779
780         Reviewed by Geoffrey Garen.
781
782         Transitioning:
783             cti_op_switch_char
784             cti_op_switch_imm
785             cti_op_switch_string
786             cti_op_resolve_scope
787             cti_op_get_from_scope
788             cti_op_put_to_scope
789
790         * jit/JIT.h:
791         * jit/JITInlines.h:
792         (JSC::JIT::callOperation):
793         * jit/JITOpcodes.cpp:
794         (JSC::JIT::emit_op_switch_imm):
795         (JSC::JIT::emit_op_switch_char):
796         (JSC::JIT::emit_op_switch_string):
797         * jit/JITOpcodes32_64.cpp:
798         (JSC::JIT::emit_op_switch_imm):
799         (JSC::JIT::emit_op_switch_char):
800         (JSC::JIT::emit_op_switch_string):
801         * jit/JITOperations.cpp:
802         * jit/JITOperations.h:
803         * jit/JITPropertyAccess.cpp:
804         (JSC::JIT::emitSlow_op_resolve_scope):
805         (JSC::JIT::emitSlow_op_get_from_scope):
806         (JSC::JIT::emitSlow_op_put_to_scope):
807         * jit/JITPropertyAccess32_64.cpp:
808         (JSC::JIT::emitSlow_op_resolve_scope):
809         (JSC::JIT::emitSlow_op_get_from_scope):
810         (JSC::JIT::emitSlow_op_put_to_scope):
811         * jit/JITStubs.cpp:
812         * jit/JITStubs.h:
813
814 2013-10-14  Filip Pizlo  <fpizlo@apple.com>
815
816         DFG PutById IC should use the ConcurrentJITLocker since it's now dealing with IC's that get read by the compiler thread
817         https://bugs.webkit.org/show_bug.cgi?id=122786
818
819         Reviewed by Mark Hahnenberg.
820
821         * bytecode/CodeBlock.cpp:
822         (JSC::CodeBlock::resetStub): Resetting a stub should acquire the lock since this is observable from the thread; but we should only acquire the lock if we're resetting outside of GC.
823         * jit/Repatch.cpp:
824         (JSC::repatchPutByID): Doing the PutById patching should hold the lock.
825         (JSC::buildPutByIdList): Ditto.
826
827 2013-10-14  Nadav Rotem  <nrotem@apple.com>
828
829         Add FTL support for LogicalNot(string)
830         https://bugs.webkit.org/show_bug.cgi?id=122765
831
832         Reviewed by Filip Pizlo.
833
834         This patch is tested by:
835         regress/script-tests/emscripten-cube2hash.js.ftl-eager
836
837         * ftl/FTLCapabilities.cpp:
838         (JSC::FTL::canCompile):
839         * ftl/FTLLowerDFGToLLVM.cpp:
840         (JSC::FTL::LowerDFGToLLVM::compileLogicalNot):
841
842 2013-10-14  Julien Brianceau  <jbriance@cisco.com>
843
844         [sh4] Fixes after r157404 and r157411.
845         https://bugs.webkit.org/show_bug.cgi?id=122782
846
847         Reviewed by Michael Saboff.
848
849         * dfg/DFGSpeculativeJIT.h:
850         (JSC::DFG::SpeculativeJIT::callOperation): Add missing SH4_32BIT_DUMMY_ARG.
851         * jit/CCallHelpers.h:
852         (JSC::CCallHelpers::setupArgumentsWithExecState):
853         * jit/JITInlines.h:
854         (JSC::JIT::callOperation): Add missing SH4_32BIT_DUMMY_ARG.
855         * jit/JITPropertyAccess32_64.cpp:
856         (JSC::JIT::emit_op_put_by_id): Remove unwanted BEGIN_UNINTERRUPTED_SEQUENCE.
857
858 2013-10-14  Commit Queue  <commit-queue@webkit.org>
859
860         Unreviewed, rolling out r157413.
861         http://trac.webkit.org/changeset/157413
862         https://bugs.webkit.org/show_bug.cgi?id=122779
863
864         Appears to have caused frequent crashes (Requested by ap on
865         #webkit).
866
867         * CMakeLists.txt:
868         * GNUmakefile.list.am:
869         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
870         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
871         * JavaScriptCore.xcodeproj/project.pbxproj:
872         * heap/DeferGC.cpp: Removed.
873         * heap/DeferGC.h:
874         * jit/JITStubs.cpp:
875         (JSC::tryCacheGetByID):
876         (JSC::DEFINE_STUB_FUNCTION):
877         * llint/LLIntSlowPaths.cpp:
878         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
879         * runtime/ConcurrentJITLock.h:
880         * runtime/InitializeThreading.cpp:
881         (JSC::initializeThreadingOnce):
882         * runtime/JSCellInlines.h:
883         (JSC::allocateCell):
884         * runtime/Structure.cpp:
885         (JSC::Structure::materializePropertyMap):
886         (JSC::Structure::putSpecificValue):
887         (JSC::Structure::createPropertyMap):
888         * runtime/Structure.h:
889
890 2013-10-14  Mark Hahnenberg  <mhahnenberg@apple.com>
891
892         COLLECT_ON_EVERY_ALLOCATION causes assertion failures
893         https://bugs.webkit.org/show_bug.cgi?id=122652
894
895         Reviewed by Filip Pizlo.
896
897         COLLECT_ON_EVERY_ALLOCATION wasn't accounting for the new GC deferral mechanism,
898         so we would end up ASSERTing during garbage collection.
899
900         * heap/MarkedAllocator.cpp:
901         (JSC::MarkedAllocator::allocateSlowCase):
902
903 2013-10-11  Oliver Hunt  <oliver@apple.com>
904
905         Separate out array iteration intrinsics
906         https://bugs.webkit.org/show_bug.cgi?id=122656
907
908         Reviewed by Michael Saboff.
909
910         Separate out the intrinsics for key and values iteration
911         of arrays.
912
913         This requires moving array iteration into the iterator
914         instance, rather than the prototype, but this is essentially
915         unobservable so we'll live with it for now.
916
917         * jit/ThunkGenerators.cpp:
918         (JSC::arrayIteratorNextThunkGenerator):
919         (JSC::arrayIteratorNextKeyThunkGenerator):
920         (JSC::arrayIteratorNextValueThunkGenerator):
921         * jit/ThunkGenerators.h:
922         * runtime/ArrayIteratorPrototype.cpp:
923         (JSC::ArrayIteratorPrototype::finishCreation):
924         * runtime/Intrinsic.h:
925         * runtime/JSArrayIterator.cpp:
926         (JSC::JSArrayIterator::finishCreation):
927         (JSC::createIteratorResult):
928         (JSC::arrayIteratorNext):
929         (JSC::arrayIteratorNextKey):
930         (JSC::arrayIteratorNextValue):
931         (JSC::arrayIteratorNextGeneric):
932         * runtime/VM.cpp:
933         (JSC::thunkGeneratorForIntrinsic):
934
935 2013-10-11  Mark Hahnenberg  <mhahnenberg@apple.com>
936
937         llint_slow_path_put_by_id can deadlock on a ConcurrentJITLock
938         https://bugs.webkit.org/show_bug.cgi?id=122667
939
940         Reviewed by Filip Pizlo.
941
942         The issue this patch is attempting to fix is that there are places in our codebase
943         where we acquire the ConcurrentJITLock for a particular CodeBlock, then we do some
944         operations that can initiate a garbage collection. Garbage collection then calls 
945         some methods of CodeBlock that also take the ConcurrentJITLock (because they don't
946         always necessarily run during garbage collection). This causes a deadlock.
947
948         To fix this issue, this patch adds a new RAII-style object (DisallowGC) that stores 
949         into a thread-local field that indicates that it is unsafe to perform any operation 
950         that could trigger garbage collection on the current thread. In debug builds, 
951         ConcurrentJITLocker contains one of these DisallowGC objects so that we can eagerly 
952         detect deadlocks.
953
954         This patch also adds a new type of ConcurrentJITLocker, GCSafeConcurrentJITLocker,
955         which uses the DeferGC mechanism to prevent collections from occurring while the 
956         lock is held.
957
958         * CMakeLists.txt:
959         * GNUmakefile.list.am:
960         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
961         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
962         * JavaScriptCore.xcodeproj/project.pbxproj:
963         * heap/DeferGC.cpp: Added.
964         * heap/DeferGC.h:
965         (JSC::DisallowGC::DisallowGC):
966         (JSC::DisallowGC::~DisallowGC):
967         (JSC::DisallowGC::isGCDisallowedOnCurrentThread):
968         (JSC::DisallowGC::initialize):
969         * jit/JITStubs.cpp:
970         (JSC::tryCachePutByID):
971         (JSC::tryCacheGetByID):
972         (JSC::DEFINE_STUB_FUNCTION):
973         * llint/LLIntSlowPaths.cpp:
974         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
975         * runtime/ConcurrentJITLock.h:
976         (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
977         (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
978         (JSC::ConcurrentJITLockerBase::unlockEarly):
979         (JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker):
980         (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
981         * runtime/InitializeThreading.cpp:
982         (JSC::initializeThreadingOnce):
983         * runtime/JSCellInlines.h:
984         (JSC::allocateCell):
985         * runtime/Structure.cpp:
986         (JSC::Structure::materializePropertyMap):
987         (JSC::Structure::putSpecificValue):
988         (JSC::Structure::createPropertyMap):
989         * runtime/Structure.h:
990
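        The two RAII guards described in the entry above (DisallowGC as an eager deadlock
        detector, DeferGC as the mechanism behind GCSafeConcurrentJITLocker), and the
        COLLECT_ON_EVERY_ALLOCATION interaction from the 2013-10-14 entry for bug 122652,
        as an added illustration. This is not JavaScriptCore's code: the Heap, the
        CodeBlock lock and the allocation path are stand-ins invented for the example,
        and the class names only echo the ChangeLog's.

```cpp
// Added example modelling the DisallowGC / DeferGC pattern; not JSC's code.
// Heap, the CodeBlock lock and allocateCell() are assumptions for illustration.
#include <mutex>
#include <stdexcept>

class Heap;

// Per-thread depth counter: the "GC is disallowed here" state belongs to the
// thread holding the lock, which is why the real guard uses a thread-local.
static thread_local int gcDisallowDepth = 0;

// RAII guard: while one is alive, triggering a collection on this thread is a bug.
class DisallowGC {
public:
    DisallowGC() { ++gcDisallowDepth; }
    ~DisallowGC() { --gcDisallowDepth; }
    static bool isGCDisallowedOnCurrentThread() { return gcDisallowDepth > 0; }
};

// Stand-in heap. Every allocation asks for a collection (COLLECT_ON_EVERY_ALLOCATION),
// and a collection walks CodeBlocks and takes their lock: the re-entrancy in the entry.
class Heap {
public:
    explicit Heap(std::mutex& codeBlockLock) : m_codeBlockLock(codeBlockLock) {}

    void allocateCell() {
        if (m_deferralDepth > 0) {
            m_collectionPending = true;  // a DeferGC is active: postpone, don't collect
            return;
        }
        collect();
    }

    void collect() {
        // Debug-build check: fail visibly instead of blocking forever on a lock
        // this same thread already holds.
        if (DisallowGC::isGCDisallowedOnCurrentThread())
            throw std::logic_error("collection requested while ConcurrentJITLock is held");
        std::lock_guard<std::mutex> locker(m_codeBlockLock);
        ++m_collections;
    }

    void incrementDeferralDepth() { ++m_deferralDepth; }
    void decrementDeferralDepthAndGCIfNeeded() {
        if (--m_deferralDepth == 0 && m_collectionPending) {
            m_collectionPending = false;
            collect();  // run the collection postponed while the lock was held
        }
    }
    int collections() const { return m_collections; }

private:
    std::mutex& m_codeBlockLock;
    int m_deferralDepth = 0;
    bool m_collectionPending = false;
    int m_collections = 0;
};

// RAII guard: collections are postponed until the outermost DeferGC goes away.
class DeferGC {
public:
    explicit DeferGC(Heap& heap) : m_heap(heap) { m_heap.incrementDeferralDepth(); }
    ~DeferGC() { m_heap.decrementDeferralDepthAndGCIfNeeded(); }
private:
    Heap& m_heap;
};

// Plain locker: pairs the lock with a DisallowGC (the debug-build behaviour), so an
// allocation under it fails loudly rather than deadlocking.
class ConcurrentJITLocker {
public:
    explicit ConcurrentJITLocker(std::mutex& lock) : m_locker(lock) {}
private:
    std::lock_guard<std::mutex> m_locker;
    DisallowGC m_disallowGC;
};

// GC-safe locker: defers collections instead. m_deferGC is declared first so it is
// destroyed last, i.e. the lock is released before the deferred collection runs.
class GCSafeConcurrentJITLocker {
public:
    GCSafeConcurrentJITLocker(std::mutex& lock, Heap& heap) : m_deferGC(heap), m_locker(lock) {}
private:
    DeferGC m_deferGC;
    std::lock_guard<std::mutex> m_locker;
};

// The bug: allocating under the plain locker. Returns true if DisallowGC caught it.
bool allocationUnderPlainLockerIsCaught() {
    std::mutex codeBlockLock;
    Heap heap(codeBlockLock);
    try {
        ConcurrentJITLocker locker(codeBlockLock);
        heap.allocateCell();  // would re-enter codeBlockLock via collect()
    } catch (const std::logic_error&) {
        return true;
    }
    return false;
}

// The fix: the same allocations under the GC-safe locker. Returns how many
// collections ran; both requests coalesce into one, after the lock is dropped.
int collectionsAfterGCSafeLocker() {
    std::mutex codeBlockLock;
    Heap heap(codeBlockLock);
    {
        GCSafeConcurrentJITLocker locker(codeBlockLock, heap);
        heap.allocateCell();
        heap.allocateCell();
    }
    return heap.collections();
}
```

        The member declaration order in GCSafeConcurrentJITLocker is the whole point: a
        deferred collection that ran before the lock was released would reproduce the
        deadlock the entry describes, so the DeferGC must outlive the lock guard.
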
991 2013-10-14  Filip Pizlo  <fpizlo@apple.com>
992
993         Baseline JIT should use the DFG's PutById IC
994         https://bugs.webkit.org/show_bug.cgi?id=122704
995
996         Reviewed by Mark Hahnenberg.
997         
998         Mostly no big deal, just removing the old Baseline JIT's put_by_id IC support and forcing
999         that JIT to use the DFG's (i.e. JITOperations) PutById IC.
1000         
1001         The only complicated part was that the PutById operations assumed that we first did a
1002         cell speculation, which the baseline JIT obviously won't do. So I changed all of those
1003         slow paths to deal with EncodedJSValue's.
1004
1005         * bytecode/CodeBlock.cpp:
1006         (JSC::CodeBlock::resetStubInternal):
1007         * bytecode/PutByIdStatus.cpp:
1008         (JSC::PutByIdStatus::computeFor):
1009         * dfg/DFGSpeculativeJIT.h:
1010         (JSC::DFG::SpeculativeJIT::callOperation):
1011         * dfg/DFGSpeculativeJIT32_64.cpp:
1012         (JSC::DFG::SpeculativeJIT::cachedPutById):
1013         * dfg/DFGSpeculativeJIT64.cpp:
1014         (JSC::DFG::SpeculativeJIT::cachedPutById):
1015         * jit/CCallHelpers.h:
1016         (JSC::CCallHelpers::setupArgumentsWithExecState):
1017         * jit/JIT.cpp:
1018         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
1019         * jit/JIT.h:
1020         (JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
1021         (JSC::PropertyStubCompilationInfo::slowCaseInfo):
1022         * jit/JITInlines.h:
1023         (JSC::JIT::callOperation):
1024         * jit/JITOperationWrappers.h:
1025         * jit/JITOperations.cpp:
1026         * jit/JITOperations.h:
1027         * jit/JITPropertyAccess.cpp:
1028         (JSC::JIT::compileGetByIdHotPath):
1029         (JSC::JIT::compileGetByIdSlowCase):
1030         (JSC::JIT::emit_op_put_by_id):
1031         (JSC::JIT::emitSlow_op_put_by_id):
1032         * jit/JITPropertyAccess32_64.cpp:
1033         (JSC::JIT::compileGetByIdSlowCase):
1034         (JSC::JIT::emit_op_put_by_id):
1035         (JSC::JIT::emitSlow_op_put_by_id):
1036         * jit/JITStubs.cpp:
1037         * jit/JITStubs.h:
1038         * jit/Repatch.cpp:
1039         (JSC::appropriateGenericPutByIdFunction):
1040         (JSC::appropriateListBuildingPutByIdFunction):
1041         (JSC::resetPutByID):
1042
1043 2013-10-13  Filip Pizlo  <fpizlo@apple.com>
1044
1045         FTL should have an inefficient but correct implementation of GetById
1046         https://bugs.webkit.org/show_bug.cgi?id=122740
1047
1048         Reviewed by Mark Hahnenberg.
1049         
1050         It took some effort to realize that the node->prediction() check in the DFG backends
1051         is completely unnecessary since the ByteCodeParser will always insert a ForceOSRExit
1052         if !prediction.
1053         
1054         But other than that this was an easy patch.
1055
1056         * dfg/DFGByteCodeParser.cpp:
1057         (JSC::DFG::ByteCodeParser::handleGetById):
1058         * dfg/DFGSpeculativeJIT32_64.cpp:
1059         (JSC::DFG::SpeculativeJIT::compile):
1060         * dfg/DFGSpeculativeJIT64.cpp:
1061         (JSC::DFG::SpeculativeJIT::compile):
1062         * ftl/FTLCapabilities.cpp:
1063         (JSC::FTL::canCompile):
1064         * ftl/FTLIntrinsicRepository.h:
1065         * ftl/FTLLowerDFGToLLVM.cpp:
1066         (JSC::FTL::LowerDFGToLLVM::compileNode):
1067         (JSC::FTL::LowerDFGToLLVM::compileGetById):
1068
1069 2013-10-13  Mark Lam  <mark.lam@apple.com>
1070
1071         Transition misc cti_op_* JITStubs to JIT operations.
1072         https://bugs.webkit.org/show_bug.cgi?id=122645.
1073
1074         Reviewed by Michael Saboff.
1075
1076         Stubs converted:
1077             cti_op_check_has_instance
1078             cti_op_create_arguments
1079             cti_op_del_by_id
1080             cti_op_instanceof
1081             cti_to_object
1082             cti_op_push_activation
1083             cti_op_get_pnames
1084             cti_op_load_varargs
1085
1086         * dfg/DFGOperations.cpp:
1087         * dfg/DFGOperations.h:
1088         * jit/CCallHelpers.h:
1089         (JSC::CCallHelpers::setupArgumentsWithExecState):
1090         * jit/JIT.h:
1091         (JSC::JIT::emitStoreCell):
1092         * jit/JITCall.cpp:
1093         (JSC::JIT::compileLoadVarargs):
1094         * jit/JITCall32_64.cpp:
1095         (JSC::JIT::compileLoadVarargs):
1096         * jit/JITInlines.h:
1097         (JSC::JIT::callOperation):
1098         * jit/JITOpcodes.cpp:
1099         (JSC::JIT::emit_op_get_pnames):
1100         (JSC::JIT::emit_op_create_activation):
1101         (JSC::JIT::emit_op_create_arguments):
1102         (JSC::JIT::emitSlow_op_check_has_instance):
1103         (JSC::JIT::emitSlow_op_instanceof):
1104         (JSC::JIT::emitSlow_op_get_argument_by_val):
1105         * jit/JITOpcodes32_64.cpp:
1106         (JSC::JIT::emitSlow_op_check_has_instance):
1107         (JSC::JIT::emitSlow_op_instanceof):
1108         (JSC::JIT::emit_op_get_pnames):
1109         (JSC::JIT::emit_op_create_activation):
1110         (JSC::JIT::emit_op_create_arguments):
1111         (JSC::JIT::emitSlow_op_get_argument_by_val):
1112         * jit/JITOperations.cpp:
1113         * jit/JITOperations.h:
1114         * jit/JITPropertyAccess.cpp:
1115         (JSC::JIT::emit_op_del_by_id):
1116         * jit/JITPropertyAccess32_64.cpp:
1117         (JSC::JIT::emit_op_del_by_id):
1118         * jit/JITStubs.cpp:
1119         * jit/JITStubs.h:
1120
1121 2013-10-13  Filip Pizlo  <fpizlo@apple.com>
1122
1123         FTL OSR exit should perform zero extension on values smaller than 64-bit
1124         https://bugs.webkit.org/show_bug.cgi?id=122688
1125
1126         Reviewed by Gavin Barraclough.
1127         
1128         In the DFG we usually make the simplistic assumption that a 32-bit value in a 64-bit
1129         register will have zeros on the high bits.  In the few cases where the high bits are
1130         non-zero, the DFG sort of tells us this explicitly.
1131
1132         But when working with llvm.webkit.stackmap, it doesn't work that way.  Consider that we might
1133         emit LLVM IR like:
1134
1135             %2 = trunc i64 %1 to i32
1136             stuff %2
1137             call @llvm.webkit.stackmap(...., %2)
1138
1139         LLVM may never actually emit a truncation instruction of any kind.  And that's great - in
1140         many cases it won't be needed, like if 'stuff %2' is a 32-bit op that ignores the high
1141         bits anyway.  Hence LLVM may tell us that %2 is in the register that still had the value
1142         from before truncation, and that register may have garbage in the high bits.
1143
1144         This means that on our end, if we want a 32-bit value and we want that value to be
1145         zero-extended, we should zero-extend it ourselves.  This is pretty easy and should be
1146         cheap, so we should just do it and not make it a requirement that LLVM does it on its
1147         end.
1148         
1149         This makes all tests pass with JSC_ftlOSRExitUsesStackmap=true.
1150
1151         * ftl/FTLOSRExitCompiler.cpp:
1152         (JSC::FTL::compileStubWithOSRExitStackmap):
1153         * ftl/FTLValueFormat.cpp:
1154         (JSC::FTL::reboxAccordingToFormat):
1155
1156 == Rolled over to ChangeLog-2013-10-13 ==