Structure::get should instantiate DeferGC only when materializing property map
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>

        Structure::get should instantiate DeferGC only when materializing property map
        https://bugs.webkit.org/show_bug.cgi?id=133727

        Reviewed by Geoffrey Garen.

        DeferGC instances in Structure::get were added in http://trac.webkit.org/r157539 in order to avoid
        collecting the property table newly created by materializePropertyMapIfNecessary since GC can happen
        when GCSafeConcurrentJITLocker goes out of scope.

        However, always instantiating DeferGC inside Structure::get introduced a new performance bottleneck
        in JSObject::getPropertySlot because frequently incrementing and decrementing a counter in vm.m_heap
        and running a release assertion inside Heap::incrementDeferralDepth() is expensive.

        Work around this by instantiating DeferGC only when we're actually calling materializePropertyMap,
        and immediately storing a pointer to the newly created property table on the stack before DeferGC
        goes out of scope so that the property table will be marked.

        This shows 13-16% improvement on the microbenchmark attached in the bug.

        * runtime/JSCJSValue.cpp:
        * runtime/JSObject.h:
        (JSC::JSObject::fastGetOwnPropertySlot):
        * runtime/Structure.h:
        (JSC::Structure::materializePropertyMapIfNecessary):
        * runtime/StructureInlines.h:
        (JSC::Structure::get):

2014-06-11  Andreas Kling  <akling@apple.com>

        Some JSValue::get() micro-optimizations.
        <https://webkit.org/b/133739>

        Tighten some of the property lookup code to improve performance of the
        eagerly reified prototype attributes:

        - Instead of converting the property name to an integer at every step
          in the prototype chain, move that to a separate pass at the end
          since it should be a rare case.

        - Cache the StructureIDTable in a local instead of fetching it from
          the Heap on every step.

        - Make fillCustomGetterPropertySlot inline. It was out-of-lined based
          on the assumption that clients would mostly be cacheable GetByIds,
          and it gets pretty hot (~1%) in GetByVal.

        - Pass the Structure directly to fillCustomGetterPropertySlot instead
          of refetching it from the StructureIDTable.

        Reviewed by Geoff Garen.

        * runtime/JSObject.cpp:
        (JSC::JSObject::fillCustomGetterPropertySlot): Deleted.
        * runtime/JSObject.h:
        (JSC::JSObject::inlineGetOwnPropertySlot):
        (JSC::JSObject::fillCustomGetterPropertySlot):
        (JSC::JSObject::getOwnPropertySlot):
        (JSC::JSObject::fastGetOwnPropertySlot):
        (JSC::JSObject::getPropertySlot):
        (JSC::JSObject::getOwnPropertySlotSlow): Deleted.

2014-06-10  Sam Weinig  <sam@webkit.org>

        Don't create a HashTable for JSObjects that use eager reification
        https://bugs.webkit.org/show_bug.cgi?id=133705

        Reviewed by Geoffrey Garen.

        * runtime/Lookup.h:
        (JSC::reifyStaticProperties):
        Add a version of reifyStaticProperties that takes an array of HashTableValues
        rather than a HashTable.

2014-06-10  Filip Pizlo  <fpizlo@apple.com>

        Prediction propagator should make sure everyone knows that a variable that is in an argument position where other versions of that variable are not MachineInts cannot possibly be flushed as Int52
        https://bugs.webkit.org/show_bug.cgi?id=133698

        Reviewed by Geoffrey Garen and Mark Hahnenberg.

        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate): Use the new utility to figure out if a variable could ever represent an Int52.
        * dfg/DFGVariableAccessData.cpp:
        (JSC::DFG::VariableAccessData::couldRepresentInt52): Add a new utility to detect early on if a variable could possibly be Int52.
        (JSC::DFG::VariableAccessData::couldRepresentInt52Impl):
        (JSC::DFG::VariableAccessData::flushFormat):
        * dfg/DFGVariableAccessData.h:
        * tests/stress/int52-inlined-call-argument.js: Added.
        (foo):
        (bar):

2014-06-10  Mark Lam  <mark.lam@apple.com>

        Assertion failure at JSC::Structure::checkOffsetConsistency() const + 234.
        <https://webkit.org/b/133356>

        Reviewed by Mark Hahnenberg.

        The root cause of this issue is that a nonPropertyTransition can transition
        a pinned dictionary structure to an unpinned dictionary structure.  The new
        structure will get a copy of the property table from the original structure.
        However, when a GC occurs, the property table in the new structure will be
        cleared because it is unpinned.  This leads to complications in subsequent
        derivative structures when flattening occurs, which eventually leads to the
        assertion failure in this bug.

        The fix is to ensure that the new dictionary structure generated by the
        nonPropertyTransition will have a copy of its predecessor's property table
        and is pinned.

        * runtime/Structure.cpp:
        (JSC::Structure::nonPropertyTransition):

2014-06-10  Michael Saboff  <msaboff@apple.com>

        In a certain app state, Array.prototype.filter() returns incorrect results
        https://bugs.webkit.org/show_bug.cgi?id=133577

        Reviewed by Oliver Hunt.

        Fixed the LLInt processing of op_put_by_val_direct to have the same hole check as op_put_by_val.

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2014-06-09  Mark Hahnenberg  <mhahnenberg@apple.com>

        Global HashTables contain references to atomic StringImpls
        https://bugs.webkit.org/show_bug.cgi?id=133661

        Reviewed by Geoffrey Garen.

        This was a long-standing bug revealed by bug 133558. The issue is that the global static HashTables
        cache their set of keys as StringImpls that are associated with a particular VM.  This is obviously
        incompatible with using multiple VMs on multiple threads (e.g. when using workers). The fix is to
        change the "keys" field of the static HashTables to be char** instead of StringImpl**.

        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
        * runtime/Lookup.cpp:
        (JSC::HashTable::createTable):
        (JSC::HashTable::deleteTable):
        * runtime/Lookup.h:
        (JSC::HashTable::ConstIterator::key):
        (JSC::HashTable::entry):

2014-06-09  Mark Hahnenberg  <mhahnenberg@apple.com>

        Build fix after r169703

        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-06-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        Eagerly reify DOM prototype attributes
        https://bugs.webkit.org/show_bug.cgi?id=133558

        Reviewed by Oliver Hunt.

        This allows us to get rid of a lot of the additional overhead of pushing DOM attributes up into the prototype.
        By eagerly reifying the custom getters and setters into the actual JSObject we avoid having to override
        getOwnPropertySlot for all of the DOM prototypes, which is a lot of the overhead of doing property lookups on
        DOM wrappers.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        * runtime/BatchedTransitionOptimizer.h:
        (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
        * runtime/CustomGetterSetter.cpp: Added.
        (JSC::callCustomSetter):
        * runtime/CustomGetterSetter.h: Added.
        (JSC::CustomGetterSetter::create):
        (JSC::CustomGetterSetter::getter):
        (JSC::CustomGetterSetter::setter):
        (JSC::CustomGetterSetter::createStructure):
        (JSC::CustomGetterSetter::CustomGetterSetter):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitive):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isCustomGetterSetter):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::isCustomGetterSetter):
        (JSC::JSCell::canUseFastGetOwnProperty):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::isHostOrBuiltinFunction): Deleted.
        (JSC::JSFunction::isBuiltinFunction): Deleted.
        * runtime/JSFunction.h:
        * runtime/JSFunctionInlines.h: Inlined some random functions that appeared hot during profiling.
        (JSC::JSFunction::isBuiltinFunction):
        (JSC::JSFunction::isHostOrBuiltinFunction):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::putDirectCustomAccessor):
        (JSC::JSObject::fillGetterPropertySlot):
        (JSC::JSObject::fillCustomGetterPropertySlot):
        (JSC::JSObject::getOwnPropertySlotSlow): Deleted.
        * runtime/JSObject.h:
        (JSC::JSObject::hasCustomGetterSetterProperties):
        (JSC::JSObject::convertToDictionary):
        (JSC::JSObject::inlineGetOwnPropertySlot):
        (JSC::JSObject::getOwnPropertySlotSlow): Inlined because it looked hot during profiling.
        (JSC::JSObject::putOwnDataProperty):
        (JSC::JSObject::putDirect):
        (JSC::JSObject::putDirectWithoutTransition):
        * runtime/JSType.h:
        * runtime/Lookup.h:
        (JSC::reifyStaticProperties):
        * runtime/PropertyDescriptor.h:
        (JSC::PropertyDescriptor::PropertyDescriptor):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::nextOutOfLineStorageCapacity): Deleted.
        (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Deleted.
        (JSC::Structure::get): Deleted.
        * runtime/Structure.h:
        (JSC::Structure::hasCustomGetterSetterProperties):
        (JSC::Structure::setHasCustomGetterSetterProperties):
        * runtime/StructureInlines.h:
        (JSC::Structure::get): Inlined due to hotness.
        (JSC::nextOutOfLineStorageCapacity): Inlined due to hotness.
        (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Inlined due to hotness.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * runtime/WriteBarrier.h:
        (JSC::WriteBarrierBase<Unknown>::isCustomGetterSetter):

2014-06-07  Mark Lam  <mark.lam@apple.com>

        Structure should initialize its previousID in its constructor.
        <https://webkit.org/b/133606>

        Reviewed by Mark Hahnenberg.

        Currently, the Structure constructor that takes a previous structure will
        initialize its previousID to point to the previous structure's previousID.
        This is incorrect.  However, the caller of the Structure::create() factory
        method (which instantiated the Structure) will later call setPreviousID()
        to set the previousID to the correct previous structure.  This makes the
        code confusing to read and more error prone in that the structure relies
        on client code to fix its invalid previousID.

        This patch fixes this by making the Structure constructor initialize
        previousID correctly.

        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::nonPropertyTransition):
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::create):

2014-06-06  Andreas Kling  <akling@apple.com>

        Indexed getters should return values directly on the PropertySlot.
        <https://webkit.org/b/133586>

        Remove PropertySlot's custom index mode.

        Reviewed by Darin Adler.

        * runtime/JSObject.h:
        (JSC::PropertySlot::getValue):
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::setCustomIndex): Deleted.

2014-06-04  Timothy Horton  <timothy_horton@apple.com>

        iOS Debug build fix

        Rubber-stamped by Filip Pizlo.

        * Configurations/LLVMForJSC.xcconfig:
        Dead-code strip the llvmForJSC library unconditionally, to work around <rdar://problem/16920916>.

2014-06-04  Oliver Hunt  <oliver@apple.com>

        ArrayIterator should not be exposed in Safari 8
        https://bugs.webkit.org/show_bug.cgi?id=133494

        Reviewed by Michael Saboff.

        Separate out types that require constructor objects, and don't
        include the iterator types in that list.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObject.h:

2014-06-04  Filip Pizlo  <fpizlo@apple.com>

        DFG::Safepoint::begin() should set m_didCallBegin before releasing the rightToRun lock, because otherwise, Safepoint::checkLivenessAndVisitChildren() may assert due to a race
        https://bugs.webkit.org/show_bug.cgi?id=133525
        <rdar://problem/16790296>

        Reviewed by Oliver Hunt.

        * dfg/DFGSafepoint.cpp:
        (JSC::DFG::Safepoint::begin):

2014-06-03  Filip Pizlo  <fpizlo@apple.com>

        LLVM soft-linking should be truly fail-silent
        https://bugs.webkit.org/show_bug.cgi?id=133482

        Reviewed by Mark Lam.

        * llvm/InitializeLLVMPOSIX.cpp:
        (JSC::initializeLLVMPOSIX): Missing return statement in the dlsym() returning null case.

2014-06-03  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        REGRESSION(r169092 and r169102): Skip failing JSC tests properly on non-x86 Darwin platforms
        https://bugs.webkit.org/show_bug.cgi?id=133149

        Reviewed by Csaba Osztrogonác.

        * tests/mozilla/mozilla-tests.yaml: Skip js1_5/Regress/regress-159334.js only if the architecture isn't x86 and the host is Darwin.

2014-05-31  Anders Carlsson  <andersca@apple.com>

        Add a LazyNeverDestroyed class template and use it
        https://bugs.webkit.org/show_bug.cgi?id=133425

        Reviewed by Darin Adler.

        * dfg/DFGFunctionWhitelist.cpp:
        (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
        * dfg/DFGFunctionWhitelist.h:

2014-05-28  Filip Pizlo  <fpizlo@apple.com>

        DFG::DCEPhase inserts into an insertion set in reverse, causing hilarious basic block corruption if you kill a lot of NewArrays
        https://bugs.webkit.org/show_bug.cgi?id=133368

        Reviewed by Mark Lam.

        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::fixupBlock): Loop in the right order so that we insert in the right order.
        * tests/stress/new-array-dead.js: Added.
        (foo):

2014-05-28  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix not-x86 32-bit.

        * llint/LowLevelInterpreter32_64.asm:

2014-05-27  Filip Pizlo  <fpizlo@apple.com>

        Arrayify neglects to inform the clobberizer that it might fire watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=133340

        Reviewed by Mark Lam.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize): Be honest.
        * llint/LowLevelInterpreter32_64.asm: Profile the object, not its structure.
        * tests/stress/arrayify-fires-watchpoint.js: Added.
        (foo):
        (test):
        (makeObjectArray):
        * tests/stress/arrayify-structure-bad-test.js: Added.
        (foo):
        (test):

2014-05-27  Jon Lee  <jonlee@apple.com>

        Update ENABLE(MEDIA_SOURCE) on Mac
        https://bugs.webkit.org/show_bug.cgi?id=133141

        Reviewed by Darin Adler.

        * Configurations/FeatureDefines.xcconfig:

2014-05-27  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>

        Remove BLOB guards
        https://bugs.webkit.org/show_bug.cgi?id=132863

        Reviewed by Csaba Osztrogonác.

        * Configurations/FeatureDefines.xcconfig:

2014-05-27  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>

        Allow building CMake based ports with WEB_REPLAY
        https://bugs.webkit.org/show_bug.cgi?id=133154

        Reviewed by Csaba Osztrogonác.

        * CMakeLists.txt:

2014-05-25  Filip Pizlo  <fpizlo@apple.com>

        Latest emscripten life benchmark is 4x slower because the DFG doesn't realize that arithmetic on booleans is a thing
        https://bugs.webkit.org/show_bug.cgi?id=133136

        Reviewed by Oliver Hunt.

        Some key concepts:

        - Except for the prediction propagation and type fixup phases, which are super early in
          the pipeline, nobody has to know about the fact that booleans may flow into numerical
          operations because there will just be a BooleanToNumber node that will take a value
          and, if that value is a boolean, will convert it to the equivalent numerical value. It
          will have a BooleanUse mode where it will also speculate that the input is a boolean
          but it can also do UntypedUse in which case it will pass through any non-booleans.
          This operation is very easy to model in all of the compiler tiers.

        - No changes to the baseline JIT. The Baseline JIT will still believe that boolean
          inputs require taking the slow path and it will still report that it took slow path
          for any such operations.  The DFG will now be smart enough to ignore baseline JIT slow
          path profiling on operations that were known to have had boolean inputs.  That's a
          little quirky, but it's probably easier than modifying the baseline JIT to track
          booleans correctly.

        4.1x speed-up on the emscripten "life" benchmark. Up to 10x speed-up on microbenchmarks.

        * bytecode/SpeculatedType.h:
        (JSC::isInt32OrBooleanSpeculation):
        (JSC::isInt32SpeculationForArithmetic):
        (JSC::isInt32OrBooleanSpeculationForArithmetic):
        (JSC::isInt32OrBooleanSpeculationExpectingDefined):
        (JSC::isInt52Speculation):
        (JSC::isMachineIntSpeculation):
        (JSC::isFullNumberOrBooleanSpeculation):
        (JSC::isFullNumberOrBooleanSpeculationExpectingDefined):
        (JSC::isInt32SpeculationExpectingDefined): Deleted.
        (JSC::isMachineIntSpeculationExpectingDefined): Deleted.
        (JSC::isMachineIntSpeculationForArithmetic): Deleted.
        (JSC::isBytecodeNumberSpeculationExpectingDefined): Deleted.
        (JSC::isFullNumberSpeculationExpectingDefined): Deleted.
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAllocator.h:
        (JSC::DFG::Allocator<T>::indexOf):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::makeDivSafe):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixIntConvertingEdge):
        (JSC::DFG::FixupPhase::fixIntOrBooleanEdge):
        (JSC::DFG::FixupPhase::fixDoubleOrBooleanEdge):
        (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
        (JSC::DFG::FixupPhase::fixIntEdge): Deleted.
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addSpeculationMode):
        (JSC::DFG::Graph::valueAddSpeculationMode):
        (JSC::DFG::Graph::arithAddSpeculationMode):
        (JSC::DFG::Graph::addShouldSpeculateInt32):
        (JSC::DFG::Graph::mulShouldSpeculateInt32):
        (JSC::DFG::Graph::mulShouldSpeculateMachineInt):
        (JSC::DFG::Graph::negateShouldSpeculateInt32):
        (JSC::DFG::Graph::negateShouldSpeculateMachineInt):
        (JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
        (JSC::DFG::Graph::mulImmediateShouldSpeculateInt32): Deleted.
        * dfg/DFGNode.h:
        (JSC::DFG::Node::sawBooleans):
        (JSC::DFG::Node::shouldSpeculateInt32OrBoolean):
        (JSC::DFG::Node::shouldSpeculateInt32ForArithmetic):
        (JSC::DFG::Node::shouldSpeculateInt32OrBooleanForArithmetic):
        (JSC::DFG::Node::shouldSpeculateInt32OrBooleanExpectingDefined):
        (JSC::DFG::Node::shouldSpeculateMachineInt):
        (JSC::DFG::Node::shouldSpeculateDouble):
        (JSC::DFG::Node::shouldSpeculateNumberOrBoolean):
        (JSC::DFG::Node::shouldSpeculateNumberOrBooleanExpectingDefined):
        (JSC::DFG::Node::shouldSpeculateNumber):
        (JSC::DFG::Node::canSpeculateInt32):
        (JSC::DFG::Node::canSpeculateInt52):
        (JSC::DFG::Node::sourceFor):
        (JSC::DFG::Node::shouldSpeculateInt32ExpectingDefined): Deleted.
        (JSC::DFG::Node::shouldSpeculateMachineIntForArithmetic): Deleted.
        (JSC::DFG::Node::shouldSpeculateMachineIntExpectingDefined): Deleted.
        (JSC::DFG::Node::shouldSpeculateDoubleForArithmetic): Deleted.
        (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined): Deleted.
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        * dfg/DFGNodeFlags.h:
        (JSC::DFG::nodeMayOverflow):
        (JSC::DFG::nodeMayNegZero):
        (JSC::DFG::nodeCanSpeculateInt32):
        (JSC::DFG::nodeCanSpeculateInt52):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::run):
        (JSC::DFG::PredictionPropagationPhase::propagateToFixpoint):
        (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
        (JSC::FTL::LowerDFGToLLVM::compileBooleanToNumber):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::asInt32ForArithmetic):
        * tests/stress/max-boolean-exit.js: Added.
        (foo):
        (test):
        * tests/stress/mul-boolean-exit.js: Added.
        (foo):
        (test):
        * tests/stress/plus-boolean-exit.js: Added.
        (foo):
        (test):
        * tests/stress/plus-boolean-or-double.js: Added.
        (foo):
        (test):
        * tests/stress/plus-boolean-or-int.js: Added.
        (foo):
        (test):

2014-05-26  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>

        Remove dead code from VM.cpp
        https://bugs.webkit.org/show_bug.cgi?id=133284

        Reviewed by Darin Adler.

        This workaround was added in r127505. Since clang is the
        only compiler used in this case, this workaround is obsolete.

        * runtime/VM.cpp:
        (JSC::enableAssembler):

2014-05-26  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        JSC CLoop warning fix
        https://bugs.webkit.org/show_bug.cgi?id=133259

        Reviewed by Darin Adler.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2014-05-24  Andreas Kling  <akling@apple.com>

        Object.prototype.toString() should use cached strings for null/undefined.
        <https://webkit.org/b/133261>

        Normally, when calling Object.prototype.toString() on a regular object,
        we'd cache the result of the stringification on the object's structure,
        making repeated calls fast.

        For null and undefined, we were not as smart. We'd instead construct a
        new string with either "[object Null]" or "[object Undefined]" each time.

        This was exposed by Dromaeo's JS library tests, where some prototype.js
        subtests generate millions of strings this way.

        This patch adds two VM-permanent cached strings to the SmallStrings.
        Looks like ~10% speed-up on Dromaeo/jslib-traverse-prototype.html

        Reviewed by Darin Adler.

        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncToString):
        * runtime/SmallStrings.cpp:
        (JSC::SmallStrings::SmallStrings):
        (JSC::SmallStrings::initializeCommonStrings):
        (JSC::SmallStrings::visitStrongReferences):
        * runtime/SmallStrings.h:
        (JSC::SmallStrings::nullObjectString):
        (JSC::SmallStrings::undefinedObjectString):

2014-05-23  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove operationCallGetter

        Rubber stamped by Filip Pizlo.

        Nobody calls this function.

        * JavaScriptCore.order:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:

2014-05-23  Andreas Kling  <akling@apple.com>

        Templatize GC's destructor invocation for dtor type.
        <https://webkit.org/b/133231>

        Get rid of a branch in callDestructor() by templatizing it for
        the DestructorType. Removed JSCell::methodTableForDestruction()
        since this was the only call site and it was jumping through
        a bunch of unnecessary hoops.

        Reviewed by Geoffrey Garen.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::callDestructor):
        (JSC::MarkedBlock::specializedSweep):
        * heap/MarkedBlock.h:
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::methodTableForDestruction): Deleted.

2014-05-23  Andreas Kling  <akling@apple.com>

        Support inline caching of RegExpMatchesArray.length
        <https://webkit.org/b/133234>

        Give RegExpMatchesArray.length the same treatment as JSArray in
        repatch so we don't have to go out of line on every access.

        ~13% speed-up on Octane/regexp.

        Reviewed by Geoffrey Garen.

        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        * runtime/RegExpMatchesArray.h:
        (JSC::isRegExpMatchesArray):

2014-05-22  Mark Lam  <mark.lam@apple.com>

        REGRESSION(r154797): Debugger crashes when stepping over an uncaught exception.
        <https://webkit.org/b/133182>

        Reviewed by Oliver Hunt.

        Before r154797, we used to clear the VM exception before calling into the
        debugger.  After r154797, we don't.  This patch will restore this clearing
        of the exception before calling into the debugger.

        Also added assertions after returning from calls into the debugger to
        ensure that the debugger did not introduce any exceptions.

        * interpreter/Interpreter.cpp:
        (JSC::unwindCallFrame):
        (JSC::Interpreter::unwind):
        (JSC::Interpreter::debug):
        - Fixed the assertion here.  Interpreter::debug() should never be called
          with a pending exception.  Debugger callbacks for exceptions should be
          handled by Interpreter::unwind() and Interpreter::unwindCallFrame().

2014-05-21  Filip Pizlo  <fpizlo@apple.com>

        Store barrier elision should run after DCE in both the DFG path and the FTL path
        https://bugs.webkit.org/show_bug.cgi?id=129718

        Rubber stamped by Mark Hahnenberg.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):

2014-05-21  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>

        [EFL] Add include path of compact_unwind_encoding.h if FTL JIT is enabled
        https://bugs.webkit.org/show_bug.cgi?id=132907

        Reviewed by Gyuyoung Kim.

        * CMakeLists.txt:

2014-05-16  Martin Robinson  <mrobinson@igalia.com>

        [CMake] Improve handling of LIB_INSTALL_DIR, EXEC_INSTALL_DIR, and LIBEXEC_INSTALL_DIR
        https://bugs.webkit.org/show_bug.cgi?id=132819

        Reviewed by Carlos Garcia Campos.

        * javascriptcoregtk.pc.in: Instead of using the special pkg-config variables,
        use the common CMake ones directly.

2014-05-21  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out http://trac.webkit.org/changeset/169159.

        This was a unilateral change and wasn't properly reviewed.

        * tests/mozilla/mozilla-tests.yaml:

2014-05-21  Antoine Quint  <graouts@webkit.org>

        Array.prototype.find and findIndex should skip holes
        https://bugs.webkit.org/show_bug.cgi?id=132658

        Reviewed by Geoffrey Garen.

        Skip holes in the array when iterating so that the callback isn't called.

        * builtins/Array.prototype.js:
        (find):
        (findIndex):

2014-05-21  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        REGRESSION(r169092 and r169102): Skip failing JSC tests on ARM64 properly
        https://bugs.webkit.org/show_bug.cgi?id=133149

        Reviewed by Csaba Osztrogonác.

        * tests/mozilla/mozilla-tests.yaml:

2014-05-20  Geoffrey Garen  <ggaren@apple.com>

        Rolled out <http://trac.webkit.org/changeset/166184>
        https://bugs.webkit.org/show_bug.cgi?id=133144

        Reviewed by Gavin Barraclough.

        It caused a performance regression.

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::blockFreeingThreadStartFunc):

2014-05-20  Filip Pizlo  <fpizlo@apple.com>

        DFG prediction propagation should agree with fixup phase over the return type of GetByVal
        https://bugs.webkit.org/show_bug.cgi?id=133134

        Reviewed by Mark Hahnenberg.

        Make prediction propagator use ArrayMode refinement to decide the return type.

        Also introduce a heap prediction intrinsic that allows us to test weird corner cases
        like this. The only way we'll see a mismatch like this in the real world is probably
        through a gnarly race condition.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::setHeapPrediction):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionFalse1):
        (functionFalse2):
        (functionUndefined1):
        (functionUndefined2):
        (functionFalse): Deleted.
        (functionOtherFalse): Deleted.
        (functionUndefined): Deleted.
        * runtime/Intrinsic.h:
        * tests/stress/get-by-val-double-predicted-int.js: Added.
        (foo):

2014-05-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        Watchdog timer should be lazily allocated
        https://bugs.webkit.org/show_bug.cgi?id=133135

        Reviewed by Geoffrey Garen.

        We incur a noticeable amount of overhead on some benchmarks due to checking if the Watchdog ever fired.
        There is no reason to do this checking if we never activated the Watchdog, which can only be done through
779         JSContextGroupSetExecutionTimeLimit or JSContextGroupClearExecutionTimeLimit. 
780
781         By allocating the Watchdog lazily on the VM we can avoid all of the associated overhead when we don't use 
782         these two API functions (which is true of most clients).
783
784         * API/JSContextRef.cpp:
785         (JSContextGroupSetExecutionTimeLimit):
786         (JSContextGroupClearExecutionTimeLimit):
787         * dfg/DFGByteCodeParser.cpp:
788         (JSC::DFG::ByteCodeParser::parseBlock):
789         * dfg/DFGSpeculativeJIT32_64.cpp:
790         (JSC::DFG::SpeculativeJIT::compile):
791         * dfg/DFGSpeculativeJIT64.cpp:
792         (JSC::DFG::SpeculativeJIT::compile):
793         * interpreter/Interpreter.cpp:
794         (JSC::Interpreter::execute):
795         (JSC::Interpreter::executeCall):
796         (JSC::Interpreter::executeConstruct):
797         * jit/JITOpcodes.cpp:
798         (JSC::JIT::emit_op_loop_hint):
799         (JSC::JIT::emitSlow_op_loop_hint):
800         * jit/JITOperations.cpp:
801         * llint/LLIntSlowPaths.cpp:
802         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
803         * runtime/VM.h:
804         * runtime/Watchdog.cpp:
805         (JSC::Watchdog::Scope::Scope): Deleted.
806         (JSC::Watchdog::Scope::~Scope): Deleted.
807         * runtime/Watchdog.h:
808         (JSC::Watchdog::Scope::Scope):
809         (JSC::Watchdog::Scope::~Scope):
810
811 2014-05-19  Mark Hahnenberg  <mhahnenberg@apple.com>
812
813         JSArray::shiftCountWith* could be more efficient
814         https://bugs.webkit.org/show_bug.cgi?id=133011
815
816         Reviewed by Geoffrey Garen.
817
818         Our current implementations of shiftCountWithAnyIndexingType and shiftCountWithArrayStorage 
819         are scared of the presence of any holes in the array. We can mitigate this somewhat by enabling 
820         them to correctly handle holes, thus avoiding the slowest of slow paths in most cases.
821
822         * runtime/ArrayStorage.h:
823         (JSC::ArrayStorage::indexingHeader):
824         (JSC::ArrayStorage::length):
825         (JSC::ArrayStorage::hasHoles):
826         * runtime/IndexingHeader.h:
827         (JSC::IndexingHeader::publicLength):
828         (JSC::IndexingHeader::from):
829         * runtime/JSArray.cpp:
830         (JSC::JSArray::shiftCountWithArrayStorage):
831         (JSC::JSArray::shiftCountWithAnyIndexingType):
832         (JSC::JSArray::unshiftCountWithArrayStorage):
833         * runtime/JSArray.h:
834         (JSC::JSArray::shiftCountForShift):
835         (JSC::JSArray::shiftCountForSplice):
836         (JSC::JSArray::shiftCount):
837         * runtime/Structure.cpp:
838         (JSC::Structure::holesRequireSpecialBehavior):
839         * runtime/Structure.h:
840
841 2014-05-19  Filip Pizlo  <fpizlo@apple.com>
842
843         Test gardening: skip some failing tests on not-X86.
844
845         * tests/mozilla/mozilla-tests.yaml:
846
847 2014-05-19  Mark Lam  <mark.lam@apple.com>
848
849         operationOptimize() should defer the GC for a while.
850         <https://webkit.org/b/133103>
851
852         Reviewed by Filip Pizlo.
853
854         Currently, operationOptimize() only defers the GC until its end.  As a result,
855         a GC may be triggered just before we return from operationOptimize(), and it may
856         jettison the optimized codeBlock that we're planning to OSR enter into when we
857         return from this function.  This is because the OSR entry on-ramp code hasn't
858         been executed yet, and hence, there is not yet a reference to this new codeBlock
859         from the stack, and there won't be until we've had a chance to return out of
860         operationOptimize() to run the OSR entry on-ramp code.
861
862         This issue is now fixed by using DeferGCForAWhile instead of DeferGC.  This
863         ensures that the GC will be deferred until after the OSR entry on-ramp can be
864         executed.
865
866         * jit/JITOperations.cpp:
867
868 2014-05-19  Filip Pizlo  <fpizlo@apple.com>
869
870         Take care of some ARM64 test failures
871         https://bugs.webkit.org/show_bug.cgi?id=133090
872
873         Reviewed by Geoffrey Garen.
874         
875         Constant blinding on ARM64 cannot use the scratch register.
876
877         * assembler/MacroAssembler.h:
878         (JSC::MacroAssembler::convertInt32ToDouble):
879         (JSC::MacroAssembler::branchPtr):
880         (JSC::MacroAssembler::storePtr):
881         (JSC::MacroAssembler::store64):
882         * assembler/MacroAssemblerARM64.h:
883         (JSC::MacroAssemblerARM64::scratchRegisterForBlinding):
884
885 2014-05-19  Tanay C  <tanay.c@samsung.com>
886
887         Removing some check-webkit-style warnings from ./dfg
888         https://bugs.webkit.org/show_bug.cgi?id=132854
889
890         Reviewed by Darin Adler.
891
892         * dfg/DFGAbstractInterpreter.h:
893         * dfg/DFGAbstractValue.h:
894         * dfg/DFGBlockInsertionSet.h:
895         * dfg/DFGCommonData.h:
896         * dfg/DFGDominators.h:
897         * dfg/DFGGraph.h:
898         * dfg/DFGInPlaceAbstractState.h:
899         * dfg/DFGPredictionPropagationPhase.h:
900
901 2014-05-18  Filip Pizlo  <fpizlo@apple.com>
902
903         Unreviewed, remove bogus comment. We already made the FTL use our calling convention.
904         That was a long time ago.
905
906         * ftl/FTLLowerDFGToLLVM.cpp:
907         (JSC::FTL::LowerDFGToLLVM::compileReturn):
908
909 2014-05-18  Rik Cabanier  <cabanier@adobe.com>
910
911         support for navigator.hardwareConcurrency
912         https://bugs.webkit.org/show_bug.cgi?id=132588
913
914         Reviewed by Filip Pizlo.
915
916         * Configurations/FeatureDefines.xcconfig:
917
918 2014-05-16  Michael Saboff  <msaboff@apple.com>
919
920         Crash in JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generatePatternCharacterFixed() due to WTF::CrashOnOverflow::overflowed + 9
921         https://bugs.webkit.org/show_bug.cgi?id=133009
922
923         Reviewed by Oliver Hunt.
924
925         If we determine that any alternative requires a minimum match size greater than
926         INT_MAX, we handle the match in the interpreter.
927
928         Check to see if the pattern has unsigned lengths before invoking YARR JIT.
929         * runtime/RegExp.cpp:
930         (JSC::RegExp::compile):
931         (JSC::RegExp::compileMatchOnly):
932
933         * tests/stress/large-regexp.js: New test added.
934
935         Set m_containsUnsignedLengthPattern flag if any alternative's minimum length
936         doesn't fit in an int.
937         * yarr/YarrPattern.cpp:
938         (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):
939
940         Clear new m_containsUnsignedLengthPattern flag.
941         * yarr/YarrPattern.cpp:
942         (JSC::Yarr::YarrPattern::YarrPattern):
943         * yarr/YarrPattern.h:
944         (JSC::Yarr::YarrPattern::reset):
945         (JSC::Yarr::YarrPattern::containsUnsignedLengthPattern):
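
        Added example (not Yarr's own code): a constructed model of the guard this entry
        describes. Each alternative's minimum length is accumulated in 64 bits, any result
        over INT_MAX sets a containsUnsignedLengthPattern flag, and a flagged pattern is
        sent to the interpreter instead of the JIT. Term, Pattern, engineFor and the other
        names below are stand-ins, not JSC's PatternTerm/YarrPattern.

```cpp
#include <climits>
#include <cstdint>
#include <utility>
#include <vector>

namespace yarrdemo {

// One flattened term: a sub-pattern of minimum length subMinLength that must
// match at least minCount times (e.g. a{2147483647} -> minCount 2147483647,
// subMinLength 1). Constructed model, not Yarr's PatternTerm.
struct Term {
    uint32_t minCount;
    uint32_t subMinLength;
};
using Alternative = std::vector<Term>;

// Minimum number of characters this alternative can match, computed in 64 bits
// so a large quantifier cannot wrap. Returns -1 as soon as any partial product
// or running sum exceeds INT_MAX: that is the "unsigned length" case the
// entry routes to the interpreter instead of the JIT.
int64_t checkedMinimumLength(const Alternative& alternative) {
    uint64_t total = 0;
    for (const Term& term : alternative) {
        uint64_t product = uint64_t(term.minCount) * uint64_t(term.subMinLength);
        if (product > uint64_t(INT_MAX))
            return -1;
        total += product;
        if (total > uint64_t(INT_MAX))
            return -1;
    }
    return int64_t(total);
}

// Stand-in for YarrPattern: a disjunction of alternatives plus the flag the
// entry adds (m_containsUnsignedLengthPattern).
struct Pattern {
    std::vector<Alternative> alternatives;
    bool containsUnsignedLengthPattern;

    explicit Pattern(std::vector<Alternative> alts)
        : alternatives(std::move(alts)), containsUnsignedLengthPattern(false) { }
};

// Stand-in for setupDisjunctionOffsets: set the flag if any alternative's
// minimum length does not fit in an int.
void setupMinimumLengths(Pattern& pattern) {
    pattern.containsUnsignedLengthPattern = false;
    for (const Alternative& alternative : pattern.alternatives) {
        if (checkedMinimumLength(alternative) < 0) {
            pattern.containsUnsignedLengthPattern = true;
            return;
        }
    }
}

enum class Engine { JIT, Interpreter };

// Stand-in for the check RegExp::compile performs before invoking the YARR JIT:
// a pattern with an unsigned length never reaches the JIT.
Engine chooseEngine(Pattern& pattern) {
    setupMinimumLengths(pattern);
    return pattern.containsUnsignedLengthPattern ? Engine::Interpreter : Engine::JIT;
}

// Convenience entry point: build the pattern from its alternatives and dispatch.
Engine engineFor(std::vector<Alternative> alternatives) {
    Pattern pattern(std::move(alternatives));
    return chooseEngine(pattern);
}

} // namespace yarrdemo
```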
946
947 2014-05-15  Mark Hahnenberg  <mhahnenberg@apple.com>
948
949         JSDOMWindow should not claim HasImpureGetOwnPropertySlot
950         https://bugs.webkit.org/show_bug.cgi?id=132918
951
952         Reviewed by Geoffrey Garen.
953
954         * jit/Repatch.cpp:
955         (JSC::tryRepatchIn): We forgot to check for watchpoints when repatching "in".
956
957 2014-05-15  Alex Christensen  <achristensen@webkit.org>
958
959         Add pointer lock to features without enabling it.
960         https://bugs.webkit.org/show_bug.cgi?id=132961
961
962         Reviewed by Sam Weinig.
963
964         * Configurations/FeatureDefines.xcconfig:
965         Added ENABLE_POINTER_LOCK to list of features.
966
967 2014-05-14  Mark Hahnenberg  <mhahnenberg@apple.com>
968
969         Inline caching for proxies clobbers baseGPR too early
970         https://bugs.webkit.org/show_bug.cgi?id=132916
971
972         Reviewed by Filip Pizlo.
973
974         We clobber baseGPR prior to the Structure checks, so if any of the checks fail then the slow path 
975         gets the target of the proxy rather than the proxy itself. We need to delay the clobbering of baseGPR 
976         until we know the inline cache is going to succeed.
977
978         * jit/Repatch.cpp:
979         (JSC::generateByIdStub):
980
981 2014-05-14  Brent Fulgham  <bfulgham@apple.com>
982
983         [Win] Unreviewed build fix.
984
985         * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: This solution
986         was missing commands to build LLInt portions of JSC.
987         * llint/LLIntData.cpp: 64-bit build fix.
988
989 2014-05-14  Martin Hodovan <mhodovan.u-szeged@partner.samsung.com>
990
991         ARM Traditional buildfix after r168776.
992         https://bugs.webkit.org/show_bug.cgi?id=132903
993
994         Reviewed by Darin Adler.
995
996         * assembler/MacroAssemblerARM.h:
997         (JSC::MacroAssemblerARM::abortWithReason): Added.
998
999 2014-05-14  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>
1000
1001         Remove CSS_STICKY_POSITION guards
1002         https://bugs.webkit.org/show_bug.cgi?id=132676
1003
1004         Reviewed by Simon Fraser.
1005
1006         * Configurations/FeatureDefines.xcconfig:
1007
1008 2014-05-13  Filip Pizlo  <fpizlo@apple.com>
1009
1010         JIT breakpoints should be more informative
1011         https://bugs.webkit.org/show_bug.cgi?id=132882
1012
1013         Reviewed by Oliver Hunt.
1014         
1015         Introduce the notion of an AbortReason, which is a nice enumeration of coded assertion
1016         failure names. This means that all you need to figure out why the JIT SIGTRAP'd is to look
1017         at that platform's abort reason register (r11 on X86-64 for example).
1018
1019         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1020         * JavaScriptCore.xcodeproj/project.pbxproj:
1021         * assembler/AbortReason.h: Added.
1022         * assembler/AbstractMacroAssembler.h:
1023         * assembler/MacroAssemblerARM64.h:
1024         (JSC::MacroAssemblerARM64::abortWithReason):
1025         * assembler/MacroAssemblerARMv7.h:
1026         (JSC::MacroAssemblerARMv7::abortWithReason):
1027         * assembler/MacroAssemblerX86.h:
1028         (JSC::MacroAssemblerX86::abortWithReason):
1029         * assembler/MacroAssemblerX86_64.h:
1030         (JSC::MacroAssemblerX86_64::abortWithReason):
1031         * dfg/DFGSlowPathGenerator.h:
1032         (JSC::DFG::SlowPathGenerator::generate):
1033         * dfg/DFGSpeculativeJIT.cpp:
1034         (JSC::DFG::SpeculativeJIT::bail):
1035         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1036         (JSC::DFG::SpeculativeJIT::compileMakeRope):
1037         * dfg/DFGSpeculativeJIT.h:
1038         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
1039         * dfg/DFGSpeculativeJIT32_64.cpp:
1040         (JSC::DFG::SpeculativeJIT::compile):
1041         * dfg/DFGSpeculativeJIT64.cpp:
1042         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1043         (JSC::DFG::SpeculativeJIT::compile):
1044         * dfg/DFGThunks.cpp:
1045         (JSC::DFG::osrEntryThunkGenerator):
1046         * jit/AssemblyHelpers.cpp:
1047         (JSC::AssemblyHelpers::jitAssertIsInt32):
1048         (JSC::AssemblyHelpers::jitAssertIsJSInt32):
1049         (JSC::AssemblyHelpers::jitAssertIsJSNumber):
1050         (JSC::AssemblyHelpers::jitAssertIsJSDouble):
1051         (JSC::AssemblyHelpers::jitAssertIsCell):
1052         (JSC::AssemblyHelpers::jitAssertTagsInPlace):
1053         (JSC::AssemblyHelpers::jitAssertHasValidCallFrame):
1054         (JSC::AssemblyHelpers::jitAssertIsNull):
1055         (JSC::AssemblyHelpers::jitAssertArgumentCountSane):
1056         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
1057         * jit/AssemblyHelpers.h:
1058         (JSC::AssemblyHelpers::checkStackPointerAlignment):
1059         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo): Deleted.
1060         * jit/JIT.h:
1061         * jit/JITArithmetic.cpp:
1062         (JSC::JIT::emitSlow_op_div):
1063         * jit/JITOpcodes.cpp:
1064         (JSC::JIT::emitSlow_op_loop_hint):
1065         * jit/JITOpcodes32_64.cpp:
1066         (JSC::JIT::privateCompileCTINativeCall):
1067         * jit/JITPropertyAccess.cpp:
1068         (JSC::JIT::emit_op_get_by_val):
1069         (JSC::JIT::compileGetDirectOffset):
1070         (JSC::JIT::addStructureTransitionCheck): Deleted.
1071         (JSC::JIT::testPrototype): Deleted.
1072         * jit/JITPropertyAccess32_64.cpp:
1073         (JSC::JIT::emit_op_get_by_val):
1074         (JSC::JIT::compileGetDirectOffset):
1075         * jit/RegisterPreservationWrapperGenerator.cpp:
1076         (JSC::generateRegisterRestoration):
1077         * jit/Repatch.cpp:
1078         (JSC::addStructureTransitionCheck):
1079         (JSC::linkClosureCall):
1080         * jit/ThunkGenerators.cpp:
1081         (JSC::emitPointerValidation):
1082         (JSC::nativeForGenerator):
1083         * yarr/YarrJIT.cpp:
1084         (JSC::Yarr::YarrGenerator::generate):
1085
1086 2014-05-13  peavo@outlook.com  <peavo@outlook.com>
1087
1088         [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
1089         https://bugs.webkit.org/show_bug.cgi?id=132772
1090
1091         Reviewed by Geoffrey Garen.
1092
1093         Using the MSVC compiler, an instance of an enum type with value zero is compatible with void* (see bug 132683 for a code example).
1094         This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
1095         This patch tries to prevent these types of crashes by using a type with explicit constructors instead of void*.
1096         The void* parameter in the loadDouble and storeDouble methods is replaced with TrustedImmPtr.
1097
1098         * assembler/MacroAssemblerARM.h:
1099         (JSC::MacroAssemblerARM::loadDouble):
1100         (JSC::MacroAssemblerARM::storeDouble):
1101         * assembler/MacroAssemblerARM64.h:
1102         (JSC::MacroAssemblerARM64::loadDouble):
1103         (JSC::MacroAssemblerARM64::storeDouble):
1104         * assembler/MacroAssemblerARMv7.h:
1105         (JSC::MacroAssemblerARMv7::loadDouble):
1106         (JSC::MacroAssemblerARMv7::storeDouble):
1107         * assembler/MacroAssemblerMIPS.h:
1108         (JSC::MacroAssemblerMIPS::loadDouble):
1109         (JSC::MacroAssemblerMIPS::storeDouble):
1110         * assembler/MacroAssemblerSH4.h:
1111         (JSC::MacroAssemblerSH4::loadDouble):
1112         (JSC::MacroAssemblerSH4::storeDouble):
1113         * assembler/MacroAssemblerX86.h:
1114         (JSC::MacroAssemblerX86::storeDouble):
1115         * assembler/MacroAssemblerX86Common.h:
1116         (JSC::MacroAssemblerX86Common::absDouble):
1117         (JSC::MacroAssemblerX86Common::negateDouble):
1118         (JSC::MacroAssemblerX86Common::loadDouble):
1119         * dfg/DFGSpeculativeJIT.cpp:
1120         (JSC::DFG::SpeculativeJIT::silentFill):
1121         (JSC::DFG::compileClampDoubleToByte):
1122         * dfg/DFGSpeculativeJIT32_64.cpp:
1123         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1124         (JSC::DFG::SpeculativeJIT::compile):
1125         * jit/AssemblyHelpers.cpp:
1126         (JSC::AssemblyHelpers::purifyNaN):
1127         * jit/JITInlines.h:
1128         (JSC::JIT::emitLoadDouble):
1129         * jit/JITPropertyAccess.cpp:
1130         (JSC::JIT::emitFloatTypedArrayGetByVal):
1131         * jit/ThunkGenerators.cpp:
1132         (JSC::floorThunkGenerator):
1133         (JSC::roundThunkGenerator):
1134         (JSC::powThunkGenerator):
1135
1136 2014-05-12  Commit Queue  <commit-queue@webkit.org>
1137
1138         Unreviewed, rolling out r168642.
1139         https://bugs.webkit.org/show_bug.cgi?id=132839
1140
1141         Broke ARM build (Requested by jpfau on #webkit).
1142
1143         Reverted changeset:
1144
1145         "[Win] Enum type with value zero is compatible with void*,
1146         potential cause of crashes."
1147         https://bugs.webkit.org/show_bug.cgi?id=132772
1148         http://trac.webkit.org/changeset/168642
1149
1150 2014-05-12  peavo@outlook.com  <peavo@outlook.com>
1151
1152         [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
1153         https://bugs.webkit.org/show_bug.cgi?id=132772
1154
1155         Reviewed by Geoffrey Garen.
1156
1157         Using the MSVC compiler, an instance of an enum type with value zero is compatible with void* (see bug 132683 for a code example).
1158         This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
1159         This patch tries to prevent these types of crashes by using a type with explicit constructors instead of void*.
1160         The void* parameter in the loadDouble and storeDouble methods is replaced with TrustedImmPtr.
1161
1162         * assembler/MacroAssemblerARM.h:
1163         (JSC::MacroAssemblerARM::loadDouble):
1164         (JSC::MacroAssemblerARM::storeDouble):
1165         * assembler/MacroAssemblerARM64.h:
1166         (JSC::MacroAssemblerARM64::loadDouble):
1167         (JSC::MacroAssemblerARM64::storeDouble):
1168         * assembler/MacroAssemblerARMv7.h:
1169         (JSC::MacroAssemblerARMv7::loadDouble):
1170         (JSC::MacroAssemblerARMv7::storeDouble):
1171         * assembler/MacroAssemblerMIPS.h:
1172         (JSC::MacroAssemblerMIPS::loadDouble):
1173         (JSC::MacroAssemblerMIPS::storeDouble):
1174         * assembler/MacroAssemblerSH4.h:
1175         (JSC::MacroAssemblerSH4::loadDouble):
1176         (JSC::MacroAssemblerSH4::storeDouble):
1177         * assembler/MacroAssemblerX86.h:
1178         (JSC::MacroAssemblerX86::storeDouble):
1179         * assembler/MacroAssemblerX86Common.h:
1180         (JSC::MacroAssemblerX86Common::absDouble):
1181         (JSC::MacroAssemblerX86Common::negateDouble):
1182         (JSC::MacroAssemblerX86Common::loadDouble):
1183         * dfg/DFGSpeculativeJIT.cpp:
1184         (JSC::DFG::SpeculativeJIT::silentFill):
1185         (JSC::DFG::compileClampDoubleToByte):
1186         * dfg/DFGSpeculativeJIT32_64.cpp:
1187         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1188         (JSC::DFG::SpeculativeJIT::compile):
1189         * jit/AssemblyHelpers.cpp:
1190         (JSC::AssemblyHelpers::purifyNaN):
1191         * jit/JITInlines.h:
1192         (JSC::JIT::emitLoadDouble):
1193         * jit/JITPropertyAccess.cpp:
1194         (JSC::JIT::emitFloatTypedArrayGetByVal):
1195         * jit/ThunkGenerators.cpp:
1196         (JSC::floorThunkGenerator):
1197         (JSC::roundThunkGenerator):
1198         (JSC::powThunkGenerator):
1199
1200 2014-05-12  Andreas Kling  <akling@apple.com>
1201
1202         0.4% of PLT3 in JSCell::structure() below JSObject::visitChildren().
1203         <https://webkit.org/b/132828>
1204         <rdar://problem/16886285>
1205
1206         Reviewed by Michael Saboff.
1207
1208         * runtime/JSObject.cpp:
1209         (JSC::JSObject::visitButterfly):
1210         (JSC::JSObject::visitChildren):
1211
1212             Use JSCell::structure(VM&) to reduce the number of hoops we jump
1213             through to find Structures during marking.
1214
1215 2014-05-12  László Langó  <llango.u-szeged@partner.samsung.com>
1216
1217         [cmake] Add missing FTL source files to the build system.
1218
1219         Reviewed by Csaba Osztrogonác.
1220
1221         * CMakeLists.txt:
1222
1223 2014-05-09  Joseph Pecoraro  <pecoraro@apple.com>
1224
1225         Web Inspector: Allow Remote Inspector to entitlement check UIProcess through WebProcess
1226         https://bugs.webkit.org/show_bug.cgi?id=132409
1227
1228         Reviewed by Timothy Hatcher.
1229
1230         Proxy applications are applications which hold WebViews for other
1231         applications. The WebProcess (Web Content Service) is a proxy application.
1232         For legacy reasons we were supporting a scenario where proxy applications
1233         could potentially host WebViews for more than one other application. That
1234         was never the case for WebProcess and it is now a scenario we don't need
1235         to worry about supporting.
1236
1237         With this change, a proxy application more naturally only holds WebViews
1238         for a single parent / host application. The proxy process can set the
1239         parent pid / audit_token data on the RemoteInspector singleton, and
1240         that data will be sent on to webinspectord later on to be validated.
1241         In the WebProcess<->UIProcess relationship that information is known
1242         and set immediately. In the Legacy iOS case that information is set
1243         soon after, but not immediately known at the point the WebView is created.
1244
1245         This allows us to simplify the RemoteInspectorDebuggable interface.
1246         We no longer need a pid per-Debuggable.
1247
1248         * inspector/remote/RemoteInspector.h:
1249         * inspector/remote/RemoteInspector.mm:
1250         (Inspector::RemoteInspector::RemoteInspector):
1251         (Inspector::RemoteInspector::setParentProcessInformation):
1252         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
1253         (Inspector::RemoteInspector::listingForDebuggable):
1254         (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
1255         Handle new proxy application setup message, and provide an API
1256         for a proxy application to set the parent process information.
1257
1258         * inspector/remote/RemoteInspectorConstants.h:
1259         New setup and response message for proxy applications to pass
1260         their parent / host application information to webinspectord.
1261
1262         * inspector/remote/RemoteInspectorDebuggable.cpp:
1263         (Inspector::RemoteInspectorDebuggable::info):
1264         * inspector/remote/RemoteInspectorDebuggable.h:
1265         (Inspector::RemoteInspectorDebuggableInfo::RemoteInspectorDebuggableInfo):
1266         (Inspector::RemoteInspectorDebuggableInfo::hasParentProcess): Deleted.
1267         pid per debuggable is no longer needed.
1268
1269 2014-05-09  Mark Hahnenberg  <mhahnenberg@apple.com>
1270
1271         JSDOMWindow should disable property caching after a certain point
1272         https://bugs.webkit.org/show_bug.cgi?id=132751
1273
1274         Reviewed by Filip Pizlo.
1275
1276         This is part of removing HasImpureGetOwnPropertySlot from JSDOMWindow. After the lookup in the static 
1277         hash table for JSDOMWindow fails we want to disable property caching even if the code that follows thinks 
1278         that it has provided a cacheable value.
1279
1280         * runtime/PropertySlot.h:
1281         (JSC::PropertySlot::PropertySlot):
1282         (JSC::PropertySlot::isCacheable):
1283         (JSC::PropertySlot::disableCaching):
1284
1285 2014-05-09  Andreas Kling  <akling@apple.com>
1286
1287         8.8% spent in Object.prototype.hasOwnProperty() on sbperftest.
1288         <https://webkit.org/b/132749>
1289
1290         Leverage the fast-resolve-to-AtomicString optimization for JSRopeString
1291         in Object.prototype.* by using JSString::toIdentifier() in the cases where
1292         we are converting JSString -> String -> Identifier.
1293
1294         This brings time spent in hasOwnProperty() from 8.8% to 1.3% on
1295         "The Great HTML5 Gaming Performance Test: 2014 edition"
1296         <http://www.scirra.com/demos/c2/sbperftest/>
1297
1298         Reviewed by Oliver Hunt.
1299
1300         * runtime/ObjectPrototype.cpp:
1301         (JSC::objectProtoFuncHasOwnProperty):
1302         (JSC::objectProtoFuncDefineGetter):
1303         (JSC::objectProtoFuncDefineSetter):
1304         (JSC::objectProtoFuncLookupGetter):
1305         (JSC::objectProtoFuncLookupSetter):
1306
1307 2014-05-08  Mark Hahnenberg  <mhahnenberg@apple.com>
1308
1309         JSDOMWindow should have a WatchpointSet to fire on window close
1310         https://bugs.webkit.org/show_bug.cgi?id=132721
1311
1312         Reviewed by Filip Pizlo.
1313
1314         This patch allows us to reset the inline caches that assumed they could skip 
1315         the first part of JSDOMWindow::getOwnPropertySlot that checks if the window has 
1316         been closed. This is part of getting rid of HasImpureGetOwnPropertySlot on JSDOMWindow.
1317
1318         PropertySlot now accepts a WatchpointSet which the inline cache code can look for
1319         to see if it should create a new Watchpoint for that particular inline cache site.
1320
1321         * bytecode/Watchpoint.h:
1322         * jit/Repatch.cpp:
1323         (JSC::generateByIdStub):
1324         (JSC::tryBuildGetByIDList):
1325         (JSC::tryCachePutByID):
1326         (JSC::tryBuildPutByIdList):
1327         * runtime/PropertySlot.h:
1328         (JSC::PropertySlot::PropertySlot):
1329         (JSC::PropertySlot::watchpointSet):
1330         (JSC::PropertySlot::setWatchpointSet):
1331
1332 2014-05-09  Tanay C  <tanay.c@samsung.com>
1333
1334         Fix build warning (uninitialized variable) in DFGFixupPhase.cpp 
1335         https://bugs.webkit.org/show_bug.cgi?id=132331
1336
1337         Reviewed by Darin Adler.
1338
1339         * dfg/DFGFixupPhase.cpp:
1340         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
1341
1342 2014-05-09  peavo@outlook.com  <peavo@outlook.com>
1343
1344         [Win] Crash when enabling DFG JIT.
1345         https://bugs.webkit.org/show_bug.cgi?id=132683
1346
1347         Reviewed by Geoffrey Garen.
1348
1349         On Windows, using register GPRInfo::regT0 as parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0),
1350         results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
1351         where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
1352         This causes the register to be written to address 0, hence the crash.
1353
1354         * dfg/DFGOSRExitCompiler32_64.cpp:
1355         (JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
1356         * dfg/DFGOSRExitCompiler64.cpp:
1357         (JSC::DFG::OSRExitCompiler::compileExit): Ditto.
1358
1359 2014-05-09  Martin Hodovan <mhodovan.u-szeged@partner.samsung.com>
1360
1361         REGRESSION(r167094): JSC crashes on ARM Traditional
1362         https://bugs.webkit.org/show_bug.cgi?id=132738
1363
1364         Reviewed by Zoltan Herczeg.
1365
1366         PC is two instructions ahead of the current instruction
1367         on ARM Traditional, so the distance is 8 bytes not 2.
1368
1369         * llint/LowLevelInterpreter.asm:
1370
1371 2014-05-09  Alberto Garcia  <berto@igalia.com>
1372
1373         jsmin.py license header confusing, mentions non-free license
1374         https://bugs.webkit.org/show_bug.cgi?id=123665
1375
1376         Reviewed by Darin Adler.
1377
1378         Pull the most recent version from upstream, which has a clear
1379         license.
1380
1381         * inspector/scripts/jsmin.py:
1382
1383 2014-05-08  Mark Hahnenberg  <mhahnenberg@apple.com>
1384
1385         Base case for get-by-id inline cache doesn't check for HasImpureGetOwnPropertySlot
1386         https://bugs.webkit.org/show_bug.cgi?id=132695
1387
1388         Reviewed by Filip Pizlo.
1389
1390         We check in the case where we're accessing something other than the base object (e.g. the prototype), 
1391         but we fail to do so for the base object.
1392
1393         * jit/Repatch.cpp:
1394         (JSC::tryCacheGetByID):
1395         (JSC::tryBuildGetByIDList):
1396         * jsc.cpp: Added some infrastructure to support this test. We don't currently trigger this bug anywhere in WebKit
1397         because all of the values that are returned that could be impure are set to uncacheable anyways.
1398         (WTF::ImpureGetter::ImpureGetter):
1399         (WTF::ImpureGetter::createStructure):
1400         (WTF::ImpureGetter::create):
1401         (WTF::ImpureGetter::finishCreation):
1402         (WTF::ImpureGetter::getOwnPropertySlot):
1403         (WTF::ImpureGetter::visitChildren):
1404         (WTF::ImpureGetter::setDelegate):
1405         (GlobalObject::finishCreation):
1406         (functionCreateImpureGetter):
1407         (functionSetImpureGetterDelegate):
1408         * tests/stress/impure-get-own-property-slot-inline-cache.js: Added.
1409         (foo):
1410
1411 2014-05-08  Filip Pizlo  <fpizlo@apple.com>
1412
1413         deleteAllCompiledCode() shouldn't use the suspension worklist
1414         https://bugs.webkit.org/show_bug.cgi?id=132708
1415
1416         Reviewed by Mark Hahnenberg.
1417
1418         * bytecode/CodeBlock.cpp:
1419         (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
1420         * dfg/DFGPlan.cpp:
1421         (JSC::DFG::Plan::isStillValid):
1422         * heap/Heap.cpp:
1423         (JSC::Heap::deleteAllCompiledCode):
1424
1425 2014-05-08  Filip Pizlo  <fpizlo@apple.com>
1426
1427         SSA conversion should delete PhantomLocals for captured variables
1428         https://bugs.webkit.org/show_bug.cgi?id=132693
1429
1430         Reviewed by Mark Hahnenberg.
1431
1432         * dfg/DFGCommon.cpp:
1433         (JSC::DFG::startCrashing): Parallel JIT and a JIT bug means that we may dump IR in parallel. This is the workaround. This patch uses it in all of the places where we dump IR and crash.
1434         * dfg/DFGCommon.h:
1435         * dfg/DFGFixupPhase.cpp:
1436         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): Use the workaround.
1437         * dfg/DFGLivenessAnalysisPhase.cpp:
1438         (JSC::DFG::LivenessAnalysisPhase::run): Use the workaround.
1439         * dfg/DFGSSAConversionPhase.cpp:
1440         (JSC::DFG::SSAConversionPhase::run): Fix the bug - it's true that PhantomLocal for captured variables doesn't need anything done to it, but it's wrong that we didn't delete it outright.
1441         * dfg/DFGValidate.cpp: Use the workaround.
1442         * tests/stress/phantom-local-captured-but-not-flushed-to-ssa.js: Added.
1443         (foo):
1444         (bar):
1445
1446 2014-05-07  Commit Queue  <commit-queue@webkit.org>
1447
1448         Unreviewed, rolling out r168451.
1449         https://bugs.webkit.org/show_bug.cgi?id=132670
1450
1451         Not a speed-up, just do what other compilers do. (Requested by
1452         kling on #webkit).
1453
1454         Reverted changeset:
1455
1456         "[X86] Emit BT instruction for single-bit tests."
1457         https://bugs.webkit.org/show_bug.cgi?id=132650
1458         http://trac.webkit.org/changeset/168451
1459
1460 2014-05-07  Filip Pizlo  <fpizlo@apple.com>
1461
1462         Make Executable::clearCode() actually clear all of the entrypoints, and
1463         clean up some other FTL-related calling convention stuff.
1464         <rdar://problem/16720172>
1465
1466         Rubber stamped by Mark Hahnenberg.
1467
1468         * dfg/DFGOperations.cpp:
1469         * dfg/DFGOperations.h:
1470         * dfg/DFGWorklist.cpp:
1471         (JSC::DFG::Worklist::Worklist):
1472         (JSC::DFG::Worklist::finishCreation):
1473         (JSC::DFG::Worklist::create):
1474         (JSC::DFG::ensureGlobalDFGWorklist):
1475         (JSC::DFG::ensureGlobalFTLWorklist):
1476         * dfg/DFGWorklist.h:
1477         * heap/CodeBlockSet.cpp:
1478         (JSC::CodeBlockSet::dump):
1479         * heap/CodeBlockSet.h:
1480         * runtime/Executable.cpp:
1481         (JSC::ExecutableBase::clearCode):
1482
1483 2014-05-07  Andreas Kling  <akling@apple.com>
1484
1485         [X86] Emit BT instruction for single-bit tests.
1486         <https://webkit.org/b/132650>
1487
1488         Implement test-bit-and-branch slightly more efficiently by using
1489         BT + JC/JNC instead of TEST + JZ/JNZ when we're only testing for
1490         a single bit.
1491
1492         Reviewed by Michael Saboff.
1493
1494         * assembler/MacroAssemblerX86Common.h:
1495         (JSC::MacroAssemblerX86Common::singleBitIndex):
1496         (JSC::MacroAssemblerX86Common::branchTest32):
1497         * assembler/X86Assembler.h:
1498         (JSC::X86Assembler::bt_i8r):
1499         (JSC::X86Assembler::bt_i8m):
1500
1501 2014-05-07  Mark Lam  <mark.lam@apple.com>
1502
1503         REGRESSION(r166678): Dromaeo/cssquery-dojo.html crashes regularly.
1504         <https://webkit.org/b/131356>
1505
1506         Reviewed by Geoffrey Garen.
1507
1508         The issue is that GC needs to be made aware of writes to m_inferredValue
1509         in the VariableWatchpointSet, but was not.  As a result, if a JSCell*
1510         is written to a VariableWatchpointSet m_inferredValue, and that JSCell
1511         does not survive an eden GC shortly after, we will end up with a stale
1512         JSCell pointer left in the m_inferredValue.
1513
1514         This issue can be detected more easily by running Dromaeo/cssquery-dojo.html
1515         using DumpRenderTree with the VM heap in zombie mode.
1516
1517         The fix is to change VariableWatchpointSet m_inferredValue to type
1518         WriteBarrier<Unknown> and ensure that VariableWatchpointSet::notifyWrite()
1519         is executed by all the execution engines so that the WriteBarrier semantics
1520         are honored.
1521
1522         We still check if the value to be written is the same as the one in the
1523         inferredValue.  We'll by-pass calling the slow path notifyWrite() if the
1524           values are the same.
1525
1526         * JavaScriptCore.xcodeproj/project.pbxproj:
1527         * bytecode/CodeBlock.cpp:
1528         (JSC::CodeBlock::CodeBlock):
1529         - need to pass the symbolTable to prepareToWatch() because it will be needed
1530           for instantiating the VariableWatchpointSet in prepareToWatch().
1531
1532         * bytecode/VariableWatchpointSet.h:
1533         (JSC::VariableWatchpointSet::VariableWatchpointSet):
1534         - VariableWatchpointSet now tracks its owner symbol table for its m_inferredValue
1535           write barrier, and yes, m_inferredValue is now of type WriteBarrier<Unknown>.
1536         (JSC::VariableWatchpointSet::inferredValue):
1537         (JSC::VariableWatchpointSet::invalidate):
1538         (JSC::VariableWatchpointSet::finalizeUnconditionally):
1539         (JSC::VariableWatchpointSet::addressOfInferredValue):
1540         (JSC::VariableWatchpointSet::notifyWrite): Deleted.
1541         * bytecode/VariableWatchpointSetInlines.h: Added.
1542         (JSC::VariableWatchpointSet::notifyWrite):
1543
1544         * dfg/DFGByteCodeParser.cpp:
1545         (JSC::DFG::ByteCodeParser::cellConstant):
1546         - Added an assert in case we try to make constants of zombified JSCells again.
1547
1548         * dfg/DFGOperations.cpp:
1549         * dfg/DFGOperations.h:
1550         * dfg/DFGSpeculativeJIT.h:
1551         (JSC::DFG::SpeculativeJIT::callOperation):
1552         * dfg/DFGSpeculativeJIT32_64.cpp:
1553         (JSC::DFG::SpeculativeJIT::compile):
1554         * dfg/DFGSpeculativeJIT64.cpp:
1555         (JSC::DFG::SpeculativeJIT::compile):
1556         - We now let the slow path handle the cases when the VariableWatchpointSet is
1557           in state ClearWatchpoint and IsWatched, and the slow path will ensure that
1558           we handle the needed write barrier semantics correctly.
1559           We will by-pass the slow path if the value being written is the same as the
1560           inferred value.
1561
1562         * ftl/FTLIntrinsicRepository.h:
1563         * ftl/FTLLowerDFGToLLVM.cpp:
1564         (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
1565         - Let the slow path handle the cases when the VariableWatchpointSet is
1566           in state ClearWatchpoint and IsWatched.
1567           We will by-pass the slow path if the value being written is the same as the
1568           inferred value.
1569
1570         * heap/Heap.cpp:
1571         (JSC::Zombify::operator()):
1572         - Use a different value for the zombified bits (to distinguish it from 0xbbadbeef
1573           which is used everywhere else).
1574         * heap/Heap.h:
1575         (JSC::Heap::isZombified):
1576         - Provide a convenience test function to check if JSCells are zombified.  This is
1577           currently only used in an assertion in the DFG bytecode parser, but the intent
1578           is that we'll apply this test in other strategic places later to help with early
1579           detection of usage of GC'ed objects when we run in zombie mode.
1580
1581         * jit/JITOpcodes.cpp:
1582         (JSC::JIT::emitSlow_op_captured_mov):
1583         * jit/JITOperations.h:
1584         * jit/JITPropertyAccess.cpp:
1585         (JSC::JIT::emitNotifyWrite):
1586         * jit/JITPropertyAccess32_64.cpp:
1587         (JSC::JIT::emitNotifyWrite):
1588         (JSC::JIT::emitSlow_op_put_to_scope):
1589         - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
1590           is in state ClearWatchpoint and IsWatched.
1591           We will by-pass the slow path if the value being written is the same as the
1592           inferred value.
1593
1594         * llint/LowLevelInterpreter32_64.asm:
1595         * llint/LowLevelInterpreter64.asm:
1596         - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
1597           is in state ClearWatchpoint and IsWatched.
1598           We will by-pass the slow path if the value being written is the same as the
1599           inferred value.
1600
1601         * runtime/CommonSlowPaths.cpp:
1602
1603         * runtime/JSCJSValue.h: Fixed some typos in the comments.
1604         * runtime/JSGlobalObject.cpp:
1605         (JSC::JSGlobalObject::addGlobalVar):
1606         (JSC::JSGlobalObject::addFunction):
1607         * runtime/JSSymbolTableObject.h:
1608         (JSC::symbolTablePut):
1609         (JSC::symbolTablePutWithAttributes):
1610         * runtime/SymbolTable.cpp:
1611         (JSC::SymbolTableEntry::prepareToWatch):
1612         (JSC::SymbolTableEntry::notifyWriteSlow):
1613         * runtime/SymbolTable.h:
1614         (JSC::SymbolTableEntry::notifyWrite):
1615
1616 2014-05-06  Michael Saboff  <msaboff@apple.com>
1617
1618         Unreviewed build fix for C-LOOP after r168396.
1619
1620         * runtime/TestRunnerUtils.cpp:
1621         (JSC::optimizeNextInvocation): Wrapped actual call inside #if ENABLE(JIT)
1622
1623 2014-05-06  Michael Saboff  <msaboff@apple.com>
1624
1625         Add test for deleteAllCompiledCode
1626         https://bugs.webkit.org/show_bug.cgi?id=132632
1627
1628         Reviewed by Phil Pizlo.
1629
1630         Added two new hooks to jsc, one to call Heap::deleteAllCompiledCode() and
1631         the other to call CodeBlock::optimizeNextInvocation().  Used these two hooks
1632         to write a test that will queue up loads of DFG compiles and then call
1633         Heap::deleteAllCompiledCode() to make sure that it can handle compiled
1634         code as well as code being compiled.
1635
1636         * jsc.cpp:
1637         (GlobalObject::finishCreation):
1638         (functionDeleteAllCompiledCode):
1639         (functionOptimizeNextInvocation):
1640         * runtime/TestRunnerUtils.cpp:
1641         (JSC::optimizeNextInvocation):
1642         * runtime/TestRunnerUtils.h:
1643         * tests/stress/deleteAllCompiledCode.js: Added.
1644         (functionList):
1645         (runTest):
1646
1647 2014-05-06  Andreas Kling  <akling@apple.com>
1648
1649         JSString::toAtomicString() should return AtomicString.
1650         <https://webkit.org/b/132627>
1651
1652         Remove premature optimization where I was trying to avoid refcount
1653         churn when returning an already atomicized String.
1654
1655         Instead of using reinterpret_cast to mangle the String member into
1656         a const AtomicString& return value, just return AtomicString.
1657
1658         Reviewed by Geoff Garen.
1659
1660         * runtime/JSString.h:
1661         (JSC::JSString::toAtomicString):
1662
1663 2014-05-06  Mark Hahnenberg  <mhahnenberg@apple.com>
1664
1665         Roll out r167889
1666
1667         Rubber stamped by Geoff Garen.
1668
1669         It broke some websites.
1670
1671         * runtime/JSPropertyNameIterator.cpp:
1672         (JSC::JSPropertyNameIterator::create):
1673         * runtime/PropertyMapHashTable.h:
1674         (JSC::PropertyTable::hasDeletedOffset):
1675         (JSC::PropertyTable::hadDeletedOffset): Deleted.
1676         * runtime/Structure.cpp:
1677         (JSC::Structure::Structure):
1678         (JSC::Structure::materializePropertyMap):
1679         (JSC::Structure::removePropertyTransition):
1680         (JSC::Structure::changePrototypeTransition):
1681         (JSC::Structure::despecifyFunctionTransition):
1682         (JSC::Structure::attributeChangeTransition):
1683         (JSC::Structure::toDictionaryTransition):
1684         (JSC::Structure::preventExtensionsTransition):
1685         (JSC::Structure::addPropertyWithoutTransition):
1686         (JSC::Structure::removePropertyWithoutTransition):
1687         (JSC::Structure::pin):
1688         (JSC::Structure::pinAndPreventTransitions): Deleted.
1689         * runtime/Structure.h:
1690         * runtime/StructureInlines.h:
1691         (JSC::Structure::setEnumerationCache):
1692         (JSC::Structure::propertyTable):
1693         (JSC::Structure::checkOffsetConsistency):
1694         (JSC::Structure::hadDeletedOffsets): Deleted.
1695         * tests/stress/for-in-after-delete.js:
1696         (foo): Deleted.
1697
1698 2014-05-05  Andreas Kling  <akling@apple.com>
1699
1700         Fix debug build.
1701
1702         * runtime/JSCellInlines.h:
1703         (JSC::JSCell::fastGetOwnProperty):
1704
1705 2014-05-05  Andreas Kling  <akling@apple.com>
1706
1707         Optimize GetByVal when subscript is a rope string.
1708         <https://webkit.org/b/132590>
1709
1710         Use JSString::toIdentifier() in the various GetByVal implementations
1711         to try and avoid allocating extra strings.
1712
1713         Added canUseFastGetOwnProperty() and wrap calls to fastGetOwnProperty()
1714         in that, to avoid calling JSString::value() which always resolves ropes
1715         into new strings and de-optimizes subsequent toIdentifier() calls.
1716
1717         My iMac says ~9% progression on Dromaeo/dom-attr.html
1718
1719         Reviewed by Phil Pizlo.
1720
1721         * dfg/DFGOperations.cpp:
1722         * jit/JITOperations.cpp:
1723         (JSC::getByVal):
1724         * llint/LLIntSlowPaths.cpp:
1725         (JSC::LLInt::getByVal):
1726         * runtime/JSCell.h:
1727         * runtime/JSCellInlines.h:
1728         (JSC::JSCell::fastGetOwnProperty):
1729         (JSC::JSCell::canUseFastGetOwnProperty):
1730
1731 2014-05-05  Andreas Kling  <akling@apple.com>
1732
1733         REGRESSION (r168256): ASSERTION FAILED: (buffer + m_length) == position loading vanityfair.com article.
1734         <https://webkit.org/b/168256>
1735         <rdar://problem/16816316>
1736
1737         Make resolveRopeSlowCase8() behave like its 16-bit counterpart and not
1738         clear the fibers. The caller takes care of this.
1739
1740         Test: fast/dom/getElementById-with-rope-string-arg.html
1741
1742         Reviewed by Geoffrey Garen.
1743
1744         * runtime/JSString.cpp:
1745         (JSC::JSRopeString::resolveRopeSlowCase8):
1746
1747 2014-05-05  Michael Saboff  <msaboff@apple.com>
1748
1749         REGRESSION: RELEASE_ASSERT in CodeBlock::baselineVersion @ cnn.com
1750         https://bugs.webkit.org/show_bug.cgi?id=132581
1751
1752         Reviewed by Filip Pizlo.
1753
1754         * dfg/DFGPlan.cpp:
1755         (JSC::DFG::Plan::isStillValid): Check that the alternative codeBlock we
1756         started compiling for is still the same at the end of compilation.
1757         Also did some minor restructuring.
1758
1759 2014-05-05  Andreas Kling  <akling@apple.com>
1760
1761         Optimize PutByVal when subscript is a rope string.
1762         <https://webkit.org/b/132572>
1763
1764         Add a JSString::toIdentifier() that is smarter when the JSString is
1765         really a rope string. Use this in baseline & DFG's PutByVal to avoid
1766         allocating new StringImpls that we immediately deduplicate anyway.
1767
1768         Reviewed by Antti Koivisto.
1769
1770         * dfg/DFGOperations.cpp:
1771         (JSC::DFG::operationPutByValInternal):
1772         * jit/JITOperations.cpp:
1773         * runtime/JSString.h:
1774         (JSC::JSString::toIdentifier):
1775
1776 2014-05-05  Andreas Kling  <akling@apple.com>
1777
1778         Remove two now-incorrect assertions after r168256.
1779
1780         * runtime/JSString.cpp:
1781         (JSC::JSRopeString::resolveRopeSlowCase8):
1782         (JSC::JSRopeString::resolveRopeSlowCase):
1783
1784 2014-05-04  Andreas Kling  <akling@apple.com>
1785
1786         Optimize JSRopeString for resolving directly to AtomicString.
1787         <https://webkit.org/b/132548>
1788
1789         If we know that the JSRopeString we are resolving is going to be used
1790         as an AtomicString, we can try to avoid creating a new string.
1791
1792         We do this by first resolving the rope into a stack buffer, and using
1793         that buffer as a key into the AtomicString table. If there is already
1794         an AtomicString with the same characters, we reuse that instead of
1795         constructing a new StringImpl.
1796
1797         JSString gains these two public functions:
1798
1799         - AtomicString toAtomicString()
1800
1801             Returns an AtomicString, tries to avoid allocating a new string
1802             if possible.
1803
1804         - AtomicStringImpl* toExistingAtomicString()
1805
1806             Returns a non-null AtomicStringImpl* if one already exists in the
1807             AtomicString table. If none is found, the rope is left unresolved.
1808
1809         Reviewed by Filip Pizlo.
1810
1811         * runtime/JSString.cpp:
1812         (JSC::JSRopeString::resolveRopeInternal8):
1813         (JSC::JSRopeString::resolveRopeInternal16):
1814         (JSC::JSRopeString::resolveRopeToAtomicString):
1815         (JSC::JSRopeString::clearFibers):
1816         (JSC::JSRopeString::resolveRopeToExistingAtomicString):
1817         (JSC::JSRopeString::resolveRope):
1818         (JSC::JSRopeString::outOfMemory):
1819         * runtime/JSString.h:
1820         (JSC::JSString::toAtomicString):
1821         (JSC::JSString::toExistingAtomicString):
1822
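A toy model of the resolve-to-AtomicString path this entry describes, added here as an illustration; it is not JavaScriptCore's JSRopeString or AtomicString code. Rope, AtomTable, ropeToExistingAtom and ropeToAtom are hypothetical names, and a std::map stands in for the AtomicString table; the point shown is that the rope is flattened into a stack buffer and that buffer is used as the lookup key, so only a genuine table miss costs a heap allocation.

```cpp
// Added illustration of "resolve a rope directly to an atomic string";
// hypothetical names, not JavaScriptCore's implementation.
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <map>
#include <string>
#include <string_view>
#include <vector>

// A rope is either a leaf (owned characters) or a concatenation of fibers.
struct Rope {
    std::string leaf;                 // used when fibers is empty
    std::vector<const Rope*> fibers;  // non-empty for a concatenation

    std::size_t length() const {
        if (fibers.empty())
            return leaf.size();
        std::size_t n = 0;
        for (const Rope* f : fibers)
            n += f->length();
        return n;
    }

    // Copy the characters into a caller-provided buffer; nothing is allocated here.
    char* resolveInto(char* out) const {
        if (fibers.empty()) {
            std::copy(leaf.begin(), leaf.end(), out);
            return out + leaf.size();
        }
        for (const Rope* f : fibers)
            out = f->resolveInto(out);
        return out;
    }
};

// Stand-in for the AtomicString table: each distinct string is stored once.
// std::less<> lets find() take a string_view, so a lookup never allocates.
struct AtomTable {
    std::map<std::string, int, std::less<>> strings;
    int allocations = 0;  // how many new entries (new StringImpls) we had to create

    // Like toExistingAtomicString(): return the existing entry or nullptr; never create.
    const std::string* existing(std::string_view key) const {
        auto it = strings.find(key);
        return it == strings.end() ? nullptr : &it->first;
    }

    // Like toAtomicString(): reuse the existing entry if present, otherwise create one.
    const std::string* atomize(std::string_view key) {
        if (const std::string* found = existing(key))
            return found;
        ++allocations;
        return &strings.emplace(std::string(key), 0).first->first;
    }
};

constexpr std::size_t kStackBufferSize = 256;

// Flatten the rope into a stack buffer (heap fallback for long ropes) and hand
// the resulting view to f; the rope itself is left as it was.
template <typename F>
auto withResolvedRope(const Rope& rope, F&& f) {
    char stackBuffer[kStackBufferSize];
    std::string heapBuffer;
    std::size_t len = rope.length();
    char* buf = stackBuffer;
    if (len > kStackBufferSize) {
        heapBuffer.resize(len);
        buf = &heapBuffer[0];
    }
    rope.resolveInto(buf);
    return f(std::string_view(buf, len));
}

const std::string* ropeToExistingAtom(const Rope& rope, const AtomTable& table) {
    return withResolvedRope(rope, [&](std::string_view s) { return table.existing(s); });
}

const std::string* ropeToAtom(const Rope& rope, AtomTable& table) {
    return withResolvedRope(rope, [&](std::string_view s) { return table.atomize(s); });
}

// Constructed scenario: "foo" is already atomized, so the rope "f" + "oo" resolves
// to it with no new allocation; "bar" misses until it is atomized once.
bool demo() {
    AtomTable table;
    table.atomize("foo");  // first and only allocation for "foo"
    Rope f{"f", {}}, oo{"oo", {}};
    Rope foo{"", {&f, &oo}};
    const std::string* hit = ropeToExistingAtom(foo, table);
    bool ok = hit && *hit == "foo" && table.allocations == 1;
    Rope bar{"bar", {}};
    ok = ok && ropeToExistingAtom(bar, table) == nullptr && table.allocations == 1;
    const std::string* created = ropeToAtom(bar, table);
    ok = ok && created && *created == "bar" && table.allocations == 2;
    ok = ok && ropeToAtom(bar, table) == created && table.allocations == 2;
    return ok;
}

int main() {
    bool ok = demo();
    std::printf("rope-to-atom demo: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```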
1823 2014-05-04  Andreas Kling  <akling@apple.com>
1824
1825         Unreviewed, rolling out r168254.
1826
1827         Very crashy on debug JSC tests.
1828
1829         Reverted changeset:
1830
1831         "jsSubstring() should be lazy"
1832         https://bugs.webkit.org/show_bug.cgi?id=132556
1833         http://trac.webkit.org/changeset/168254
1834
1835 2014-05-04  Filip Pizlo  <fpizlo@apple.com>
1836
1837         jsSubstring() should be lazy
1838         https://bugs.webkit.org/show_bug.cgi?id=132556
1839
1840         Reviewed by Andreas Kling.
1841
1842         jsSubstring() is now lazy by using a special rope that is a substring instead of a
1843         concatenation. To make this patch super simple, we require that a substring's base is
1844         never a rope. Hence, when resolving a rope, we either go down a non-recursive substring
1845         path, or we go down a concatenation path which may see exactly one level of substrings in
1846         its fibers.
1847
1848         This is up to a 50% speed-up on microbenchmarks and a 10% speed-up on Octane/regexp.
1849
1850         * heap/MarkedBlock.cpp:
1851         (JSC::MarkedBlock::specializedSweep):
1852         * runtime/JSString.cpp:
1853         (JSC::JSRopeString::visitFibers):
1854         (JSC::JSRopeString::resolveRope):
1855         (JSC::JSRopeString::resolveRopeSlowCase8):
1856         (JSC::JSRopeString::resolveRopeSlowCase):
1857         (JSC::JSRopeString::outOfMemory):
1858         * runtime/JSString.h:
1859         (JSC::JSRopeString::finishCreation):
1860         (JSC::JSRopeString::append):
1861         (JSC::JSRopeString::create):
1862         (JSC::JSRopeString::offsetOfFibers):
1863         (JSC::JSRopeString::fiber):
1864         (JSC::JSRopeString::substringBase):
1865         (JSC::JSRopeString::substringOffset):
1866         (JSC::JSRopeString::substringSentinel):
1867         (JSC::JSRopeString::isSubstring):
1868         (JSC::jsSubstring):
1869         * runtime/RegExpMatchesArray.cpp:
1870         (JSC::RegExpMatchesArray::reifyAllProperties):
1871         * runtime/StringPrototype.cpp:
1872         (JSC::stringProtoFuncSubstring):
1873
1874 2014-05-02  Michael Saboff  <msaboff@apple.com>
1875
1876         "arm64 function not 4-byte aligned" warnings when building JSC
1877         https://bugs.webkit.org/show_bug.cgi?id=132495
1878
1879         Reviewed by Geoffrey Garen.
1880
1881         Added ".align 4" for both ARM Thumb2 and ARM 64 to silence the linker.
1882
1883         * llint/LowLevelInterpreter.cpp:
1884
1885 2014-05-02  Mark Hahnenberg  <mhahnenberg@apple.com>
1886
1887         Fix cloop build after r168178
1888
1889         * bytecode/CodeBlock.cpp:
1890
1891 2014-05-01  Mark Hahnenberg  <mhahnenberg@apple.com>
1892
1893         Add a DFG function whitelist
1894         https://bugs.webkit.org/show_bug.cgi?id=132437
1895
1896         Reviewed by Geoffrey Garen.
1897
1898         Often times when debugging, using bytecode ranges isn't enough to narrow down to the
1899         particular DFG block that's causing issues. This patch adds the ability to whitelist
1900         specific functions specified in a file to enable further filtering without having to recompile.
1901
1902         * CMakeLists.txt:
1903         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1904         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1905         * JavaScriptCore.xcodeproj/project.pbxproj:
1906         * dfg/DFGCapabilities.cpp:
1907         (JSC::DFG::isSupported):
1908         (JSC::DFG::mightInlineFunctionForCall):
1909         (JSC::DFG::mightInlineFunctionForClosureCall):
1910         (JSC::DFG::mightInlineFunctionForConstruct):
1911         * dfg/DFGFunctionWhitelist.cpp: Added.
1912         (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
1913         (JSC::DFG::FunctionWhitelist::FunctionWhitelist):
1914         (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
1915         (JSC::DFG::FunctionWhitelist::contains):
1916         * dfg/DFGFunctionWhitelist.h: Added.
1917         * runtime/Options.cpp:
1918         (JSC::parse):
1919         (JSC::Options::dumpOption):
1920         * runtime/Options.h:
1921
1922 2014-05-02  Filip Pizlo  <fpizlo@apple.com>
1923
1924         DFGAbstractInterpreter should not claim Int52 arithmetic creates Int52s
1925         https://bugs.webkit.org/show_bug.cgi?id=132446
1926
1927         Reviewed by Mark Hahnenberg.
1928
1929         Basically any arithmetic operation can turn an Int52 into an Int32 or vice-versa, and
1930         our modeling of Int52Rep nodes is such that they can have either Int32 or Int52 type
1931         to indicate a bound on the value. This is useful for knowing, for example, that
1932         Int52Rep(Int32:) returns a value that cannot be outside the Int32 range. Also,
1933         ValueRep(Int52Rep:) uses this to determine whether it may return a double or an int.
1934         But this means that all arithmetic operations must be careful to note that they may
1935         turn Int32 inputs into an Int52 output or vice-versa, as these new tests show.
1936
1937         * dfg/DFGAbstractInterpreterInlines.h:
1938         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1939         * dfg/DFGByteCodeParser.cpp:
1940         (JSC::DFG::ByteCodeParser::makeSafe):
1941         * tests/stress/int52-ai-add-then-filter-int32.js: Added.
1942         (foo):
1943         * tests/stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js: Added.
1944         (foo):
1945         * tests/stress/int52-ai-mul-then-filter-int32-directly.js: Added.
1946         (foo):
1947         * tests/stress/int52-ai-mul-then-filter-int32.js: Added.
1948         (foo):
1949         * tests/stress/int52-ai-neg-then-filter-int32.js: Added.
1950         (foo):
1951         * tests/stress/int52-ai-sub-then-filter-int32.js: Added.
1952         (foo):
1953
1954 2014-05-01  Geoffrey Garen  <ggaren@apple.com>
1955
1956         JavaScriptCore fails to build with some versions of clang
1957         https://bugs.webkit.org/show_bug.cgi?id=132436
1958
1959         Reviewed by Anders Carlsson.
1960
1961         * runtime/ArgumentsIteratorConstructor.cpp: Since we call
1962         putDirectWithoutTransition, and it calls putWillGrowOutOfLineStorage,
1963         and both are marked inline, it's valid for the compiler to decide
1964         to inline both and emit neither in the binary. Therefore, we need
1965         both inline definitions to be available in the translation unit at
1966         compile time, or we'll try to link against a function that doesn't exist.
1967
1968 2014-05-01  Commit Queue  <commit-queue@webkit.org>
1969
1970         Unreviewed, rolling out r167964.
1971         https://bugs.webkit.org/show_bug.cgi?id=132431
1972
1973         Memory improvements should not regress memory usage (Requested
1974         by olliej on #webkit).
1975
1976         Reverted changeset:
1977
1978         "Don't hold on to parameter BindingNodes forever"
1979         https://bugs.webkit.org/show_bug.cgi?id=132360
1980         http://trac.webkit.org/changeset/167964
1981
1982 2014-05-01  Filip Pizlo  <fpizlo@apple.com>
1983
1984         Fix trivial debug-only race-that-crashes in CallLinkStatus and explain why the remaining races are totally awesome
1985         https://bugs.webkit.org/show_bug.cgi?id=132427
1986
1987         Reviewed by Mark Hahnenberg.
1988
1989         * bytecode/CallLinkStatus.cpp:
1990         (JSC::CallLinkStatus::computeFor):
1991
1992 2014-04-30  Simon Fraser  <simon.fraser@apple.com>
1993
1994         Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO
1995         https://bugs.webkit.org/show_bug.cgi?id=132396
1996
1997         Reviewed by Eric Carlson.
1998
1999         Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO and related code.
2000
2001         * Configurations/FeatureDefines.xcconfig:
2002
2003 2014-04-30  Filip Pizlo  <fpizlo@apple.com>
2004
2005         Argument flush formats should not be presumed to be JSValue since 'this' is weird
2006         https://bugs.webkit.org/show_bug.cgi?id=132404
2007
2008         Reviewed by Michael Saboff.
2009
2010         * dfg/DFGSpeculativeJIT.cpp:
2011         (JSC::DFG::SpeculativeJIT::compileCurrentBlock): Don't assume that arguments are flushed as JSValue. Use the logic for locals instead.
2012         * dfg/DFGSpeculativeJIT32_64.cpp:
2013         (JSC::DFG::SpeculativeJIT::compile): SetArgument "changes" the format because before this we wouldn't know we had arguments.
2014         * dfg/DFGSpeculativeJIT64.cpp:
2015         (JSC::DFG::SpeculativeJIT::compile): Ditto.
2016         * dfg/DFGValueSource.cpp:
2017         (JSC::DFG::ValueSource::dumpInContext): Make this easier to dump.
2018         * dfg/DFGValueSource.h:
2019         (JSC::DFG::ValueSource::operator!): Make this easier to dump because Operands<T> uses T::operator!().
2020         * ftl/FTLOSREntry.cpp:
2021         (JSC::FTL::prepareOSREntry): This had a useful assertion for everything except 'this'.
2022         * tests/stress/strict-to-this-int.js: Added.
2023         (foo):
2024         (Number.prototype.valueOf):
2025         (test):
2026
2027 2014-04-29  Oliver Hunt  <oliver@apple.com>
2028
2029         Don't hold on to parameterBindingNodes forever
2030         https://bugs.webkit.org/show_bug.cgi?id=132360
2031
2032         Reviewed by Geoffrey Garen.
2033
2034         Don't keep the parameter nodes anymore. Instead we store the
2035         original parameter string and reparse whenever we actually
2036         need them. Because we only actually need them for compilation
2037         this only results in a single extra parse.
2038
2039         * bytecode/UnlinkedCodeBlock.cpp:
2040         (JSC::generateFunctionCodeBlock):
2041         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2042         (JSC::UnlinkedFunctionExecutable::visitChildren):
2043         (JSC::UnlinkedFunctionExecutable::finishCreation):
2044         (JSC::UnlinkedFunctionExecutable::paramString):
2045         (JSC::UnlinkedFunctionExecutable::parameters):
2046         (JSC::UnlinkedFunctionExecutable::parameterCount): Deleted.
2047         * bytecode/UnlinkedCodeBlock.h:
2048         (JSC::UnlinkedFunctionExecutable::create):
2049         (JSC::UnlinkedFunctionExecutable::parameterCount):
2050         (JSC::UnlinkedFunctionExecutable::parameters): Deleted.
2051         (JSC::UnlinkedFunctionExecutable::finishCreation): Deleted.
2052         * parser/ASTBuilder.h:
2053         (JSC::ASTBuilder::ASTBuilder):
2054         (JSC::ASTBuilder::setFunctionBodyParameters):
2055         * parser/Nodes.h:
2056         (JSC::FunctionBodyNode::parametersStartOffset):
2057         (JSC::FunctionBodyNode::parametersEndOffset):
2058         (JSC::FunctionBodyNode::setParameterLocation):
2059         * parser/Parser.cpp:
2060         (JSC::Parser<LexerType>::parseFunctionInfo):
2061         (JSC::parseParameters):
2062         * parser/Parser.h:
2063         (JSC::parse):
2064         * parser/SourceCode.h:
2065         (JSC::SourceCode::subExpression):
2066         * parser/SyntaxChecker.h:
2067         (JSC::SyntaxChecker::setFunctionBodyParameters):
2068
2069 2014-04-29  Mark Hahnenberg  <mhahnenberg@apple.com>
2070
2071         JSProxies should be cacheable
2072         https://bugs.webkit.org/show_bug.cgi?id=132351
2073
2074         Reviewed by Geoffrey Garen.
2075
2076         Whenever we encounter a proxy in an inline cache we should try to cache on the
2077         proxy's target instead of giving up.
2078
2079         This patch adds support for a simple "recursive" inline cache if the base object
2080         we're accessing is a pure forwarding proxy. JSGlobalObject and its subclasses
2081         are the only ones to benefit from this right now.
2082
2083         This is performance neutral on the benchmarks we track. Currently we won't
2084         cache on JSDOMWindow due to HasImpureGetOwnPropertySlot, but this issue will be fixed soon.
2085
2086         * jit/Repatch.cpp:
2087         (JSC::generateByIdStub):
2088         (JSC::tryBuildGetByIDList):
2089         (JSC::tryCachePutByID):
2090         (JSC::tryBuildPutByIdList):
2091         * jsc.cpp:
2092         (GlobalObject::finishCreation):
2093         (functionCreateProxy):
2094         * runtime/IntendedStructureChain.cpp:
2095         (JSC::IntendedStructureChain::isNormalized):
2096         * runtime/JSCellInlines.h:
2097         (JSC::JSCell::isProxy):
2098         * runtime/JSGlobalObject.h:
2099         (JSC::JSGlobalObject::finishCreation):
2100         * runtime/JSProxy.h:
2101         (JSC::JSProxy::createStructure):
2102         (JSC::JSProxy::targetOffset):
2103         * runtime/JSType.h:
2104         * runtime/Operations.h:
2105         (JSC::isPrototypeChainNormalized):
2106         * runtime/Structure.h:
2107         (JSC::Structure::isProxy):
2108         * tests/stress/proxy-inline-cache.js: Added.
2109         (cacheOnTarget.getX):
2110         (cacheOnTarget):
2111         (cacheOnPrototypeOfTarget.getX):
2112         (cacheOnPrototypeOfTarget):
2113         (dontCacheOnProxyInPrototypeChain.getX):
2114         (dontCacheOnProxyInPrototypeChain):
        (dontCacheOnTargetOfProxyInPrototypeChainOfTarget.getX):
        (dontCacheOnTargetOfProxyInPrototypeChainOfTarget):

2014-04-29  Filip Pizlo  <fpizlo@apple.com>

        Use LLVM as a backend for the fourth-tier DFG JIT (a.k.a. the FTL JIT)
        https://bugs.webkit.org/show_bug.cgi?id=112840

        Rubber stamped by Geoffrey Garen.

        * Configurations/FeatureDefines.xcconfig:

2014-04-29  Geoffrey Garen  <ggaren@apple.com>

        String.prototype.trim removes U+200B from strings.
        https://bugs.webkit.org/show_bug.cgi?id=130184

        Reviewed by Michael Saboff.

        * runtime/StringPrototype.cpp:
        (JSC::trimString):
        (JSC::isTrimWhitespace): Deleted.

2014-04-29  Mark Lam  <mark.lam@apple.com>

        Zombifying sweep should ignore retired blocks.
        <https://webkit.org/b/132344>

        Reviewed by Mark Hahnenberg.

        By definition, retired blocks do not have "dead" objects, or at least
        none that we know of yet until the next marking phase has been run
        over it.  So, we should not be sweeping them (even for zombie mode).

        * heap/Heap.cpp:
        (JSC::Heap::zombifyDeadObjects):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::zombifySweep):
        * heap/MarkedSpace.h:
        (JSC::ZombifySweep::operator()):

2014-04-29  Mark Lam  <mark.lam@apple.com>

        Fix bit rot in zombie mode heap code.
        <https://webkit.org/b/132342>

        Reviewed by Mark Hahnenberg.

        Need to enter a DelayedReleaseScope before doing a sweep.

        * heap/Heap.cpp:
        (JSC::Heap::zombifyDeadObjects):

2014-04-29  Tomas Popela  <tpopela@redhat.com>

        LLINT loadisFromInstruction doesn't need special case for big endians
        https://bugs.webkit.org/show_bug.cgi?id=132330

        Reviewed by Mark Lam.

        The change introduced in r167076 was wrong. We should not apply the offset
        adjustment on loadisFromInstruction usage as the instruction
        (UnlinkedInstruction) is declared as a union (i.e. with the int32_t
        operand variable). The offset of the other union members will be the
        same as the offset of the first one, that is 0. The behavior here is the
        same on little and big endian architectures. Thus we don't need a
        special case for big endians.

        * llint/LowLevelInterpreter.asm:

2014-04-28  Mark Hahnenberg  <mhahnenberg@apple.com>

        Simplify tryCacheGetById
        https://bugs.webkit.org/show_bug.cgi?id=132314

        Reviewed by Oliver Hunt and Filip Pizlo.

        This is neutral across all benchmarks we track, although it looks like a wee 0.5% progression on sunspider.

        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID): If we fail to cache on self, we just repatch to call tryBuildGetByIDList next time.

2014-04-28  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r153142) ASSERT from CodeBlock::dumpBytecode dumping String Switch Jump Tables
        https://bugs.webkit.org/show_bug.cgi?id=132315

        Reviewed by Mark Hahnenberg.

        Used the StringImpl version of utf8() instead of creating a String first.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):

2014-04-28  Filip Pizlo  <fpizlo@apple.com>

        The LLInt is awesome and it should get more of the action.

        Rubber stamped by Geoffrey Garen.

        5% speed-up on JSBench and no meaningful regressions.  Should be a PLT/DYE speed-up also.

        * runtime/Options.h:

2014-04-27  Filip Pizlo  <fpizlo@apple.com>

        GC should be able to remove things from the DFG worklist and cancel on-going compilations if it knows that the compilation would already be invalidated
        https://bugs.webkit.org/show_bug.cgi?id=132166

        Reviewed by Oliver Hunt and Mark Hahnenberg.

        The GC can aid type inference by removing structures that are dead and jettisoning
        code that relies on those structures. This can dramatically accelerate type inference
        for some tricky programs.

        Unfortunately, we previously pinned any structures that enqueued compilations depended
        on. This means that if you're on a machine that only runs a single compilation thread
        and where compilations are relatively slow, you have a high chance of large numbers of
        structures being pinned during any GC since the compilation queue is likely to be full
        of random stuff.

        This comprehensively fixes this issue by allowing the GC to remove compilation plans
        if the things they depend on are dead, and to even cancel safepointed compilations.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan):
        (JSC::CodeBlock::isKnownToBeLiveDuringGC):
        (JSC::CodeBlock::finalizeUnconditionally):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan): Deleted.
        * dfg/DFGDesiredIdentifiers.cpp:
        (JSC::DFG::DesiredIdentifiers::DesiredIdentifiers):
        * dfg/DFGDesiredIdentifiers.h:
        * dfg/DFGDesiredWatchpoints.h:
        * dfg/DFGDesiredWeakReferences.cpp:
        (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
        * dfg/DFGDesiredWeakReferences.h:
        * dfg/DFGGraphSafepoint.cpp:
        (JSC::DFG::GraphSafepoint::GraphSafepoint):
        * dfg/DFGGraphSafepoint.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::compileInThread):
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::notifyCompiling):
        (JSC::DFG::Plan::notifyCompiled):
        (JSC::DFG::Plan::notifyReady):
        (JSC::DFG::Plan::checkLivenessAndVisitChildren):
        (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
        (JSC::DFG::Plan::cancel):
        (JSC::DFG::Plan::visitChildren): Deleted.
        * dfg/DFGPlan.h:
        * dfg/DFGSafepoint.cpp:
        (JSC::DFG::Safepoint::Result::~Result):
        (JSC::DFG::Safepoint::Result::didGetCancelled):
        (JSC::DFG::Safepoint::Safepoint):
        (JSC::DFG::Safepoint::~Safepoint):
        (JSC::DFG::Safepoint::checkLivenessAndVisitChildren):
        (JSC::DFG::Safepoint::isKnownToBeLiveDuringGC):
        (JSC::DFG::Safepoint::cancel):
        (JSC::DFG::Safepoint::visitChildren): Deleted.
        * dfg/DFGSafepoint.h:
        (JSC::DFG::Safepoint::Result::Result):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::compilationState):
        (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
        (JSC::DFG::Worklist::removeAllReadyPlansForVM):
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        (JSC::DFG::Worklist::visitWeakReferences):
        (JSC::DFG::Worklist::removeDeadPlans):
        (JSC::DFG::Worklist::runThread):
        (JSC::DFG::Worklist::visitChildren): Deleted.
        * dfg/DFGWorklist.h:
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLCompile.h:
        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks):
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::visitCompilerWorklistWeakReferences):
        (JSC::Heap::removeDeadCompilerWorklistEntries):
        (JSC::Heap::visitWeakHandles):
        (JSC::Heap::collect):
        (JSC::Heap::visitCompilerWorklists): Deleted.
        * heap/Heap.h:

2014-04-28  Mark Hahnenberg  <mhahnenberg@apple.com>

        Deleting properties poisons objects
        https://bugs.webkit.org/show_bug.cgi?id=131551

        Reviewed by Oliver Hunt.

        This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.

        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::create):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::hasDeletedOffset):
        (JSC::PropertyTable::hadDeletedOffset): If we ever had deleted properties we can no longer cache offsets when
        iterating properties because we're required to iterate properties in insertion order.
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
        (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of
        Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache
        delete transitions, but we allow transitioning from them.
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::addPropertyWithoutTransition):
        (JSC::Structure::removePropertyWithoutTransition):
        (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
        (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::setEnumerationCache):
        (JSC::Structure::hadDeletedOffsets):
        (JSC::Structure::propertyTable):
        (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.
        * tests/stress/for-in-after-delete.js: Added.
        (foo):

2014-04-25  Andreas Kling  <akling@apple.com>

        Inline (C++) GetByVal with numeric indices more aggressively.
        <https://webkit.org/b/132218>

        We were already inlining the string indexed GetByVal path pretty well,
        while the path for numeric indices got neglected. No more!

        ~9.5% improvement on Dromaeo/dom-traverse.html on my MBP:

            Before: 199.50 runs/s
             After: 218.58 runs/s

        Reviewed by Phil Pizlo.

        * dfg/DFGOperations.cpp:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::get):

            ALWAYS_INLINE all the things.

        * runtime/JSObject.h:
        (JSC::JSObject::getPropertySlot):

            Avoid fetching the Structure more than once. We have the same
            optimization in the string-indexed code path.

2014-04-25  Oliver Hunt  <oliver@apple.com>

        Need earlier cell test
        https://bugs.webkit.org/show_bug.cgi?id=132211

        Reviewed by Mark Lam.

        Move cell test to before the function call repatch
        location, as the repatch logic for 32bit assumes that the
        caller will already have performed a cell check.

        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):

2014-04-25  Andreas Kling  <akling@apple.com>

        Un-fast-allocate JSGlobalObjectRareData because Windows doesn't build and I'm not in the mood.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::JSGlobalObjectRareData::JSGlobalObjectRareData):
        (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData): Deleted.

2014-04-25  Andreas Kling  <akling@apple.com>

        Windows build fix attempt.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData):

2014-04-25  Mark Lam  <mark.lam@apple.com>

        Refactor debugging code to use BreakpointActions instead of Vector<ScriptBreakpointAction>.
        <https://webkit.org/b/132201>

        Reviewed by Joseph Pecoraro.

        BreakpointActions is Vector<ScriptBreakpointAction>.  Let's just consistently use
        BreakpointActions everywhere.

        * inspector/ScriptBreakpoint.h:
        (Inspector::ScriptBreakpoint::ScriptBreakpoint):
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::setBreakpoint):
        (Inspector::ScriptDebugServer::getActionsForBreakpoint):
        * inspector/ScriptDebugServer.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
        (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
        (Inspector::InspectorDebuggerAgent::setBreakpoint):
        (Inspector::InspectorDebuggerAgent::removeBreakpoint):
        * inspector/agents/InspectorDebuggerAgent.h:

2014-04-24  Filip Pizlo  <fpizlo@apple.com>

        DFG worklist scanning should not treat the key as a separate entity
        https://bugs.webkit.org/show_bug.cgi?id=132167

        Reviewed by Mark Hahnenberg.

        This simplifies the interface to the GC and will enable more optimizations.

        * dfg/DFGCompilationKey.cpp:
        (JSC::DFG::CompilationKey::visitChildren): Deleted.
        * dfg/DFGCompilationKey.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::visitChildren):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::visitChildren):

2014-04-25  Oliver Hunt  <oliver@apple.com>

        Remove unused parameter from codeblock linking function
        https://bugs.webkit.org/show_bug.cgi?id=132199

        Reviewed by Anders Carlsson.

        No change in behaviour. This is just a small change to make it
        slightly easier to reason about what the offsets in UnlinkedFunctionExecutable
        actually mean.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::link):
        * bytecode/UnlinkedCodeBlock.h:
        * runtime/Executable.cpp:
        (JSC::ProgramExecutable::initializeGlobalProperties):

2014-04-25  Andreas Kling  <akling@apple.com>

        Mark some things with WTF_MAKE_FAST_ALLOCATED.
        <https://webkit.org/b/132198>

        Use FastMalloc for more things.

        Reviewed by Anders Carlsson.

        * builtins/BuiltinExecutables.h:
        * heap/GCThreadSharedData.h:
        * inspector/JSConsoleClient.h:
        * inspector/agents/InspectorAgent.h:
        * runtime/CodeCache.h:
        * runtime/JSGlobalObject.h:
        * runtime/Lookup.cpp:
        (JSC::HashTable::createTable):
        (JSC::HashTable::deleteTable):
        * runtime/WeakGCMap.h:

2014-04-25  Antoine Quint  <graouts@webkit.org>

        Implement Array.prototype.find()
        https://bugs.webkit.org/show_bug.cgi?id=130966

        Reviewed by Oliver Hunt.

        Implement Array.prototype.find() and Array.prototype.findIndex() as proposed in the Harmony spec.

        * builtins/Array.prototype.js:
        (find):
        (findIndex):
        * runtime/ArrayPrototype.cpp:

2014-04-24  Brady Eidson  <beidson@apple.com>

        Rename "IMAGE_CONTROLS" feature to "SERVICE_CONTROLS"
        https://bugs.webkit.org/show_bug.cgi?id=132155

        Reviewed by Tim Horton.

        * Configurations/FeatureDefines.xcconfig:

2014-04-24  Michael Saboff  <msaboff@apple.com>

        REGRESSION: Apparent hang of PCE.js Mac OS System 7.0.1 on ARM64 devices
        https://bugs.webkit.org/show_bug.cgi?id=132147

        Reviewed by Mark Lam.

        Fixed or64(), eor32() and eor64() to use "src" register when we have a valid logicalImm.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::or64):
        (JSC::MacroAssemblerARM64::xor32):
        (JSC::MacroAssemblerARM64::xor64):
        * tests/stress/regress-132147.js: Added test.

2014-04-24  Mark Lam  <mark.lam@apple.com>

        Make slowPathAllocsBetweenGCs a runtime option.
        <https://webkit.org/b/132137>

        Reviewed by Mark Hahnenberg.

        This will make it easier to more casually run tests with this configuration
        as well as to reproduce issues (instead of requiring a code mod and rebuild).
        We will now take --slowPathAllocsBetweenGCs=N where N is the number of
        slow path allocations before we trigger a collection.

        The option defaults to 0, which is reserved to mean that we will not trigger
        any collections there.

        * heap/Heap.h:
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::doTestCollectionsIfNeeded):
        (JSC::MarkedAllocator::allocateSlowCase):
        * heap/MarkedAllocator.h:
        * runtime/Options.h:

2014-04-23  Mark Lam  <mark.lam@apple.com>

        The GC should only resume compiler threads that it suspended in the same GC pass.
        <https://webkit.org/b/132088>

        Reviewed by Mark Hahnenberg.

        Previously, this scenario could occur:
        1. Thread 1 starts a GC and tries to suspend DFG worklist threads.  However,
           no worklists were created yet at that time.
        2. Thread 2 starts to compile some functions and creates a DFG worklist, and
           acquires the worklist thread's lock.
        3. Thread 1's GC completes and tries to resume the suspended DFG worklist threads.
           This time, it sees the worklist created by Thread 2 and ends up unlocking
           the worklist thread's lock that is supposedly held by Thread 2.
        Thereafter, chaos ensues.

        The fix is to cache the worklists that were actually suspended by each GC pass,
        and only resume those when the GC is done.

        This issue was discovered by enabling COLLECT_ON_EVERY_ALLOCATION and running
        the fast/workers layout tests.

        * heap/Heap.cpp:
        (JSC::Heap::visitCompilerWorklists):
        (JSC::Heap::deleteAllCompiledCode):
        (JSC::Heap::suspendCompilerThreads):
        (JSC::Heap::resumeCompilerThreads):
        * heap/Heap.h:

2014-04-23  Mark Hahnenberg  <mhahnenberg@apple.com>

        Arguments::copyBackingStore needs to update m_registers in tandem with m_registerArray
        https://bugs.webkit.org/show_bug.cgi?id=132079

        Reviewed by Michael Saboff.

        Since we're moving the register backing store, we don't want to leave a dangling pointer into a random CopiedBlock.

        Also added a test that previously triggered this bug.

        * runtime/Arguments.cpp:
        (JSC::Arguments::copyBackingStore): D'oh!
        * tests/stress/arguments-copy-register-array-backing-store.js: Added.
        (foo):
        (bar):

2014-04-23  Mark Rowe  <mrowe@apple.com>

        [Mac] REGRESSION (r164823): Building JavaScriptCore creates files under /tmp/JavaScriptCore.dst
        <https://webkit.org/b/132053>

        Reviewed by Dan Bernstein.

        * JavaScriptCore.xcodeproj/project.pbxproj: Don't try to create a symlink at /usr/local/bin/jsc inside
        the DSTROOT unless we're building to the deployment location. Also remove the unnecessary -x argument
        from /bin/sh since that generates unnecessary output.

2014-04-22  Mark Lam  <mark.lam@apple.com>

        DFG::Worklist should acquire the m_lock before iterating DFG plans.
        <https://webkit.org/b/132032>

        Reviewed by Filip Pizlo.

        Currently, there's a rightToRun mechanism that ensures that no compilation
        threads are running when the GC is iterating through the DFG worklists.
        However, this does not prevent a Worker thread from doing a DFG compilation
        and modifying the plans in the worklists thereby invalidating the plan
        iterator that the GC is using.  This patch fixes the issue by acquiring
        the worklist m_lock before iterating the worklist plans.

        This issue was uncovered by running the fast/workers layout tests with
        COLLECT_ON_EVERY_ALLOCATION enabled.

        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::isActiveForVM):
        (JSC::DFG::Worklist::visitChildren):

2014-04-22  Brent Fulgham  <bfulgham@apple.com>

        [Win] Support Python 2.7 in Cygwin
        https://bugs.webkit.org/show_bug.cgi?id=132023

        Reviewed by Michael Saboff.

        * DerivedSources.make: Use a conditional variable to define
        the path to Python/Perl.

2014-04-22  Filip Pizlo  <fpizlo@apple.com>

        Switch the LLVMForJSC target to using the LLVM in /usr/local rather than /usr/local/LLVMForJavaScriptCore on iOS
        https://bugs.webkit.org/show_bug.cgi?id=130867
        <rdar://problem/16432456>

        Reviewed by Mark Hahnenberg.

        * Configurations/Base.xcconfig:
        * Configurations/LLVMForJSC.xcconfig:

2014-04-22  Alex Christensen  <achristensen@webkit.org>

        [Win] Unreviewed build fix after my r167666.

        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
        Added ../../../ again to include headers in Source/JavaScriptCore.

2014-04-22  Alex Christensen  <achristensen@webkit.org>

        Removed old stdbool and inttypes headers.
        https://bugs.webkit.org/show_bug.cgi?id=131966

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
        * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
        Removed references to os-win32 directory.
        * os-win32: Removed.
        * os-win32/inttypes.h: Removed.
        * os-win32/stdbool.h: Removed.

2014-04-21  Filip Pizlo  <fpizlo@apple.com>

        DFG::clobberize() should honestly admit that profiler and debugger nodes are effectful
        https://bugs.webkit.org/show_bug.cgi?id=131971
        <rdar://problem/16676511>

        Reviewed by Mark Lam.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

2014-04-21  Filip Pizlo  <fpizlo@apple.com>

        Switch statements that skip the baseline JIT should work
        https://bugs.webkit.org/show_bug.cgi?id=131965

        Reviewed by Mark Hahnenberg.

        * bytecode/JumpTable.h:
        (JSC::SimpleJumpTable::ensureCTITable):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_switch_imm):
        (JSC::JIT::emit_op_switch_char):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_switch_imm):
        (JSC::JIT::emit_op_switch_char):
        * tests/stress/inline-llint-with-switch.js: Added.
        (foo):
        (bar):
        (test):

2014-04-21  Mark Hahnenberg  <mhahnenberg@apple.com>

        Arguments objects shouldn't need a destructor
        https://bugs.webkit.org/show_bug.cgi?id=131899

        Reviewed by Oliver Hunt.

        This patch rids Arguments objects of their destructors. It does this by
        switching their backing stores to use CopiedSpace rather than malloc memory.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Fix the code emitted for inline
        Arguments allocation so that it only emits an extra write for strict mode code rather
        than unconditionally.
        * heap/CopyToken.h: New CopyTokens for the two different types of Arguments backing stores.
        * runtime/Arguments.cpp:
        (JSC::Arguments::visitChildren): We need to tell the collector to copy the backing stores now.
        (JSC::Arguments::copyBackingStore): Do the actual copying of the backing stores.
        (JSC::Arguments::deletePropertyByIndex): Update all the accesses to SlowArgumentData and m_registerArray.
        (JSC::Arguments::deleteProperty):
        (JSC::Arguments::defineOwnProperty):
        (JSC::Arguments::allocateRegisterArray):
        (JSC::Arguments::tearOff):
        (JSC::Arguments::destroy): Deleted. We don't need the destructor any more.
        * runtime/Arguments.h:
        (JSC::Arguments::registerArraySizeInBytes):
        (JSC::Arguments::SlowArgumentData::SlowArgumentData): Switch SlowArgumentData to being allocated
        in CopiedSpace. Now the SlowArgumentData and its backing store are a single contiguous CopiedSpace
        allocation.
        (JSC::Arguments::SlowArgumentData::slowArguments):
        (JSC::Arguments::SlowArgumentData::bytecodeToMachineCaptureOffset):
        (JSC::Arguments::SlowArgumentData::setBytecodeToMachineCaptureOffset):
        (JSC::Arguments::SlowArgumentData::sizeForNumArguments):
        (JSC::Arguments::Arguments):
        (JSC::Arguments::allocateSlowArguments):
        (JSC::Arguments::tryDeleteArgument):
        (JSC::Arguments::isDeletedArgument):
        (JSC::Arguments::isArgument):
        (JSC::Arguments::argument):
        (JSC::Arguments::finishCreation):
        * runtime/SymbolTable.h:

2014-04-21  Eric Carlson  <eric.carlson@apple.com>

        [Mac] implement WebKitDataCue
        https://bugs.webkit.org/show_bug.cgi?id=131799

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE.

2014-04-21  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed test gardening, run the repeat-out-of-bounds tests again.

        * tests/stress/float32-repeat-out-of-bounds.js:
        * tests/stress/int8-repeat-out-of-bounds.js:

2014-04-21  Filip Pizlo  <fpizlo@apple.com>

        OSR exit should know about Int52 and Double constants
        https://bugs.webkit.org/show_bug.cgi?id=131945

        Reviewed by Oliver Hunt.

        The DFG OSR exit machinery's ignorance would lead to some constants becoming
        jsUndefined() after OSR exit.

        The FTL OSR exit machinery's ignorance just meant that we would sometimes use a
        stackmap constant rather than baking the constant into the OSRExit data structure.
        So, not a big deal, but worth fixing.

        Also added some helpful hacks to jsc.cpp for testing such OSR exit pathologies.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGMinifiedNode.h:
        (JSC::DFG::belongsInMinifiedGraph):
        (JSC::DFG::MinifiedNode::hasConstantNumber):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionOtherFalse):
        (functionUndefined):
        * runtime/Intrinsic.h:
        * tests/stress/fold-to-double-constant-then-exit.js: Added.
        (foo):
        * tests/stress/fold-to-int52-constant-then-exit.js: Added.
        (foo):

2014-04-21  Filip Pizlo  <fpizlo@apple.com>

        Provide feedback when we encounter an unrecognized node in the FTL backend.

        Rubber stamped by Alexey Proskuryakov.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):

2014-04-21  Andreas Kling  <akling@apple.com>

        Move the JSString cache from DOMWrapperWorld to VM.
        <https://webkit.org/b/131940>

        Reviewed by Geoff Garen.

        * runtime/VM.h:

2014-04-19  Filip Pizlo  <fpizlo@apple.com>

        Take block execution count estimates into account when voting double
        https://bugs.webkit.org/show_bug.cgi?id=131906

        Reviewed by Geoffrey Garen.

        This was a drama in three acts.

        Act I: Slurp in BasicBlock::executionCount and use it as a weight when counting the
            number of uses of a variable that want double or non-double. Easy as pie. This
            gave me a huge speed-up on FloatMM and a huge slow-down on basically everything
            else.

        Act II: Realize that there were some programs where our previous double voting was
            just on the edge of disaster and making it more precise tipped it over. In
            particular, if you had an integer variable that would infrequently be used in a
            computation that resulted in a variable that was frequently used as an array index,
            the outer infrequentness would be the thing we'd use in the vote. So, an array
            index would become double. We fix this by reviving global backwards propagation
            and introducing the concept of ReallyWantsInt, which is used just for array
            indices. Any variable transitively flagged as ReallyWantsInt will never be forced
            double. We need that flag to be separate from UsedAsInt, since UsedAsInt needs to
            be set in bitops for RageConversion but using it for double forcing is too much.
            Basically, it's cheaper to have to convert a double to an int for a bitop than it
            is to convert a double to an int for an array index; also a variable being used as
            an array index is a much stronger hint that it ought to be an int. This recovered
            performance on everything except programs that used FTL OSR entry.

        Act III: Realize that OSR entrypoint creation creates blocks that have NaN execution
            count, which then completely pollutes the weighting - essentially all votes go
            NaN. Fix this with some surgical defenses. Basically, any client of execution
            counts should allow for them to be NaN and shouldn't completely fall off a cliff
            when it happens.

        This is awesome. 75% speed-up on FloatMM. 11% speed-up on audio-dft. This leads to
        7% speed-up on AsmBench and 2% speed-up on Kraken.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::run):
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dumpBlockHeader):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::voteNode):
        (JSC::DFG::Graph::voteChildren):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        * dfg/DFGNodeFlags.h:
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
        (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
        * dfg/DFGVariableAccessData.cpp: Added.
        (JSC::DFG::VariableAccessData::VariableAccessData):
        (JSC::DFG::VariableAccessData::mergeIsCaptured):
        (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox):
        (JSC::DFG::VariableAccessData::predict):
        (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction):
        (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
        (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):
        (JSC::DFG::VariableAccessData::mergeDoubleFormatState):
        (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
        (JSC::DFG::VariableAccessData::flushFormat):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::vote):
        (JSC::DFG::VariableAccessData::VariableAccessData): Deleted.
        (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted.
        (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox): Deleted.
        (JSC::DFG::VariableAccessData::predict): Deleted.
        (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction): Deleted.
        (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote): Deleted.
        (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat): Deleted.
        (JSC::DFG::VariableAccessData::mergeDoubleFormatState): Deleted.
        (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat): Deleted.
        (JSC::DFG::VariableAccessData::flushFormat): Deleted.

2014-04-21  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r167591): ARM64 and ARM traditional builds broken
        https://bugs.webkit.org/show_bug.cgi?id=131935

        Reviewed by Mark Hahnenberg.

        Added store8(TrustedImm32, MacroAssembler::Address) to the ARM traditional and ARM64
        macro assemblers.  Added a new test for the original patch.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::store8):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::store8):
        * tests/stress/dfg-create-arguments-inline-alloc.js: New test.

2014-04-21  Mark Hahnenberg  <mhahnenberg@apple.com>

        Inline allocate Arguments objects in the DFG
        https://bugs.webkit.org/show_bug.cgi?id=131897

        Reviewed by Geoffrey Garen.

        Many libraries/frameworks depend on the arguments object for overloaded API entry points.
2904         This is the first step to making Arguments fast(er). We'll duplicate the logic in Arguments::create 
2905         for now and take the slow path for complicated cases like slow arguments, tearing off for strict mode, etc.
2906
2907         * dfg/DFGSpeculativeJIT.cpp:
2908         (JSC::DFG::SpeculativeJIT::emitAllocateArguments):
2909         * dfg/DFGSpeculativeJIT.h:
2910         (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
2911         * dfg/DFGSpeculativeJIT32_64.cpp:
2912         (JSC::DFG::SpeculativeJIT::compile):
2913         * dfg/DFGSpeculativeJIT64.cpp:
2914         (JSC::DFG::SpeculativeJIT::compile):
2915         * runtime/Arguments.h:
2916         (JSC::Arguments::offsetOfActivation):
2917         (JSC::Arguments::offsetOfOverrodeLength):
2918         (JSC::Arguments::offsetOfIsStrictMode):
2919         (JSC::Arguments::offsetOfRegisterArray):
2920         (JSC::Arguments::offsetOfCallee):
2921         (JSC::Arguments::allocationSize):
2922
2923 2014-04-20  Andreas Kling  <akling@apple.com>
2924
2925         Speed up jsStringWithCache() through WeakGCMap inlining.
2926         <https://webkit.org/b/131923>
2927
2928         Always inline WeakGCMap::add() but move the slow garbage collecting
2929         path out-of-line.
2930
2931         Reviewed by Darin Adler.
2932
2933         * runtime/WeakGCMap.h:
2934         (JSC::WeakGCMap::add):
2935         (JSC::WeakGCMap::gcMap):
2936
2937 2014-04-20  László Langó  <llango.u-szeged@partner.samsung.com>
2938
2939         JavaScriptCore: ARM build fix after r167094.
2940         https://bugs.webkit.org/show_bug.cgi?id=131612
2941
2942         Reviewed by Michael Saboff.
2943
2944         After r167094 there are many build errors on ARM like these:
2945
2946             /tmp/ccgtHRno.s:370: Error: invalid constant (425a) after fixup
2947             /tmp/ccgtHRno.s:374: Error: invalid constant (426e) after fixup
2948             /tmp/ccgtHRno.s:378: Error: invalid constant (4282) after fixup
2949             /tmp/ccgtHRno.s:382: Error: invalid constant (4296) after fixup
2950
2951         Problem is caused by the wrong generated assembly like:
2952             "\tmov r2, (" LOCAL_LABEL_STRING(llint_op_strcat) " - " LOCAL_LABEL_STRING(relativePCBase) ")\n" // /home/webkit/WebKit/Source/JavaScriptCore/llint/LowLevelInterpreter.asm:741
2953
2954         `mov` can only move an 8-bit immediate, but not every constant fits into 8 bits. Clang converts
2955         the mov to a single movw or a movw and a movt, depending on the immediate, but binutils doesn't.
2956         Add a new ARM specific offline assembler instruction (`mvlbl`) for the following llint_entry
2957         use case: move rn, (label1-label2) which is translated to movw and movt.
2958
2959         * llint/LowLevelInterpreter.asm:
2960         * offlineasm/arm.rb:
2961         * offlineasm/instructions.rb:
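
Why `mov` rejects constants such as 425a, as an added example that is not part of WebKit's offlineasm: an A32 data-processing immediate is an 8-bit value rotated right by an even amount, so a constant whose set bits span more than 8 bits (0x425a spans bits 1 to 14) has no encoding, while movw/movt (ARMv6T2 and later) load any 32-bit value in two 16-bit halves. The helper names `arm_modified_immediate?` and `emit_mov_immediate` are hypothetical and operate on constants known up front; the real `mvlbl` instruction resolves a label difference through assembler fixups instead. The sample constants are the four values from the binutils errors quoted above.

```ruby
# Added example (not WebKit's offlineasm/arm.rb): why a plain `mov rN, #imm`
# fails for constants such as 0x425a on ARM, and the movw/movt fallback.
#
# An A32 data-processing immediate ("modified immediate") is an 8-bit value
# rotated right by an even number of bits (0, 2, ..., 30). A 32-bit constant
# is encodable only if some even rotation brings all of its set bits into the
# low 8 bits. Helper names are hypothetical.

MASK32 = 0xFFFF_FFFF

def arm_modified_immediate?(value)
  return false unless value.is_a?(Integer) && value.between?(0, MASK32)
  (0..30).step(2).any? do |rot|
    # Rotating left by `rot` undoes a right rotation by `rot`; if the result
    # fits in 8 bits, the pair (imm8, rot) is a valid encoding.
    rotated = ((value << rot) | (value >> (32 - rot))) & MASK32
    rotated <= 0xFF
  end
end

# Returns the assembly lines needed to load `value` into `reg`:
# a single `mov` when the constant is encodable, otherwise movw (low 16 bits,
# zero-extended) followed by movt (high 16 bits) when the high half is nonzero.
# movw/movt require ARMv6T2 or later.
def emit_mov_immediate(reg, value)
  raise ArgumentError, "value out of 32-bit range" unless value.between?(0, MASK32)
  return ["mov #{reg}, ##{value}"] if arm_modified_immediate?(value)
  lines = ["movw #{reg}, ##{value & 0xFFFF}"]
  high = (value >> 16) & 0xFFFF
  lines << "movt #{reg}, ##{high}" unless high.zero?
  lines
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: the four constants from the binutils errors above,
  # plus one that a rotated 8-bit immediate can express.
  [0x425a, 0x426e, 0x4282, 0x4296, 0xFF000000].each do |c|
    puts format("0x%08x encodable=%-5s -> %s", c, arm_modified_immediate?(c),
                emit_mov_immediate("r2", c).join("; "))
  end
end
```

None of the four constants from the error messages is encodable, which is exactly why binutils reported "invalid constant after fixup" on the generated `mov`; 0xFF000000, by contrast, is 0xFF rotated right by 8 and assembles as a single `mov`.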
2962
2963 2014-04-20  Csaba Osztrogonác  <ossy@webkit.org>
2964
2965         [ARM] Unreviewed build fix after r167336.
2966
2967         * assembler/MacroAssemblerARM.h:
2968         (JSC::MacroAssemblerARM::branchAdd32):
2969
2970 2014-04-20  Commit Queue  <commit-queue@webkit.org>
2971
2972         Unreviewed, rolling out r167501.
2973         https://bugs.webkit.org/show_bug.cgi?id=131913
2974
2975         It broke DYEBench (Requested by mhahnenberg on #webkit).
2976
2977         Reverted changeset:
2978
2979         "Deleting properties poisons objects"
2980         https://bugs.webkit.org/show_bug.cgi?id=131551
2981         http://trac.webkit.org/changeset/167501
2982
2983 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
2984
2985         It should be OK to store new fields into objects that have no prototypes
2986         https://bugs.webkit.org/show_bug.cgi?id=131905
2987
2988         Reviewed by Mark Hahnenberg.
2989
2990         * dfg/DFGByteCodeParser.cpp:
2991         (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
2992         * tests/stress/put-by-id-transition-null-prototype.js: Added.
2993         (foo):
2994
2995 2014-04-19  Benjamin Poulain  <bpoulain@apple.com>
2996
2997         Make the CSS JIT compile for ARM64
2998         https://bugs.webkit.org/show_bug.cgi?id=131834
2999
3000         Reviewed by Gavin Barraclough.
3001
3002         Extend the ARM64 MacroAssembler to support the code generation required by
3003         the CSS JIT.
3004
3005         * assembler/MacroAssembler.h:
3006         * assembler/MacroAssemblerARM64.h:
3007         (JSC::MacroAssemblerARM64::addPtrNoFlags):
3008         (JSC::MacroAssemblerARM64::or32):
3009         (JSC::MacroAssemblerARM64::branchPtr):
3010         (JSC::MacroAssemblerARM64::test32):
3011         (JSC::MacroAssemblerARM64::branch):
3012         * assembler/MacroAssemblerX86Common.h:
3013         (JSC::MacroAssemblerX86Common::test32):
3014
3015 2014-04-19  Andreas Kling  <akling@apple.com>
3016
3017         Two little shortcuts to the JSType.
3018         <https://webkit.org/b/131896>
3019
3020         Tweak two sites that take the long road through JSCell::structure()->typeInfo()
3021         to look at data that's already in JSCell::type().
3022
3023         Reviewed by Darin Adler.
3024
3025         * runtime/NameInstance.h:
3026         (JSC::isName):
3027         * runtime/NumberPrototype.cpp:
3028         (JSC::toThisNumber):
3029
3030 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
3031
3032         Make it easier to check if an integer sum would overflow
3033         https://bugs.webkit.org/show_bug.cgi?id=131900
3034
3035         Reviewed by Darin Adler.
3036
3037         * dfg/DFGOperations.cpp:
3038         * runtime/Operations.h:
3039         (JSC::jsString):
3040
3041 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
3042
3043         Address some feedback on https://bugs.webkit.org/show_bug.cgi?id=130684.
3044
3045         * dfg/DFGOperations.cpp:
3046         * runtime/JSString.h:
3047         (JSC::JSRopeString::RopeBuilder::append):
3048
3049 2014-04-18  Mark Lam  <mark.lam@apple.com>
3050
3051         REGRESSION(r164205): WebKit crash @StructureIDTable::get.
3052         <https://webkit.org/b/130539>
3053
3054         Reviewed by Geoffrey Garen.
3055
3056         prepareOSREntry() prepares for OSR entry by first copying the local var
3057         values from the baseline frame to a scratch buffer, which is then used
3058         to fill in the locals in their new position in the DFG frame.  Unfortunately,
3059         prepareOSREntry() was using the DFG frame's frameRegisterCount as the frame
3060         size of the baseline frame.  As a result, some values of locals in the
3061         baseline frame were not saved off, and the DFG frame may get initialized
3062         with random content that happened to be in the uninitialized (and possibly
3063         unallocated) portions of the scratch buffer.
3064
3065         The fix is to use OSREntryData::m_expectedValues.numberOfLocals() as the
3066         number of locals in the baseline frame that we want to copy to the scratch
3067         buffer.
3068
3069         Note: osrEntryThunkGenerator() is expecting the DFG frameRegisterCount
3070         at offset 0 in the scratch buffer.  So, we continue to write that value
3071         there, not the baseline frame size.
3072
3073         * dfg/DFGOSREntry.cpp:
3074         (JSC::DFG::prepareOSREntry):
3075
3076 2014-04-18  Timothy Hatcher  <timothy@apple.com>
3077
3078         Web Inspector: Move InspectorProfilerAgent to JavaScriptCore
3079         https://bugs.webkit.org/show_bug.cgi?id=131673
3080
3081         Passes existing profiler and inspector tests.
3082
3083         Reviewed by Joseph Pecoraro.
3084
3085         * CMakeLists.txt:
3086         * DerivedSources.make:
3087         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3088         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3089         * JavaScriptCore.xcodeproj/project.pbxproj:
3090         * inspector/JSConsoleClient.cpp:
3091         (Inspector::JSConsoleClient::JSConsoleClient):
3092         (Inspector::JSConsoleClient::profile):
3093         (Inspector::JSConsoleClient::profileEnd):
3094         (Inspector::JSConsoleClient::count): Deleted.
3095         * inspector/JSConsoleClient.h:
3096         * inspector/JSGlobalObjectInspectorController.cpp:
3097         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3098         * inspector/agents/InspectorProfilerAgent.cpp: Added.
3099         (Inspector::InspectorProfilerAgent::InspectorProfilerAgent):
3100         (Inspector::InspectorProfilerAgent::~InspectorProfilerAgent):
3101         (Inspector::InspectorProfilerAgent::addProfile):
3102         (Inspector::InspectorProfilerAgent::createProfileHeader):
3103         (Inspector::InspectorProfilerAgent::enable):
3104         (Inspector::InspectorProfilerAgent::disable):
3105         (Inspector::InspectorProfilerAgent::getUserInitiatedProfileName):
3106         (Inspector::InspectorProfilerAgent::getProfileHeaders):
3107         (Inspector::buildInspectorObject):
3108         (Inspector::InspectorProfilerAgent::buildProfileInspectorObject):
3109         (Inspector::InspectorProfilerAgent::getCPUProfile):
3110         (Inspector::InspectorProfilerAgent::removeProfile):
3111         (Inspector::InspectorProfilerAgent::reset):
3112         (Inspector::InspectorProfilerAgent::didCreateFrontendAndBackend):
3113         (Inspector::InspectorProfilerAgent::willDestroyFrontendAndBackend):
3114         (Inspector::InspectorProfilerAgent::start):
3115         (Inspector::InspectorProfilerAgent::stop):
3116         (Inspector::InspectorProfilerAgent::setRecordingProfile):
3117         (Inspector::InspectorProfilerAgent::startProfiling):
3118         (Inspector::InspectorProfilerAgent::stopProfiling):
3119         * inspector/agents/InspectorProfilerAgent.h: Added.
3120         * inspector/agents/JSGlobalObjectProfilerAgent.cpp: Copied from Source/WebCore/inspector/ScriptProfile.idl.
3121         (Inspector::JSGlobalObjectProfilerAgent::JSGlobalObjectProfilerAgent):
3122         (Inspector::JSGlobalObjectProfilerAgent::profilingGlobalExecState):
3123         * inspector/agents/JSGlobalObjectProfilerAgent.h: Copied from Source/WebCore/inspector/ScriptProfile.idl.
3124         * inspector/protocol/Profiler.json: Renamed from Source/WebCore/inspector/protocol/Profiler.json.
3125         * profiler/Profile.h:
3126         * runtime/ConsoleClient.h:
3127
3128 2014-04-18  Commit Queue  <commit-queue@webkit.org>
3129
3130         Unreviewed, rolling out r167527.
3131         https://bugs.webkit.org/show_bug.cgi?id=131883
3132
3133         Broke 32-bit build (Requested by ap on #webkit).
3134
3135         Reverted changeset:
3136
3137         "[Mac] implement WebKitDataCue"
3138         https://bugs.webkit.org/show_bug.cgi?id=131799
3139         http://trac.webkit.org/changeset/167527
3140
3141 2014-04-18  Eric Carlson  <eric.carlson@apple.com>
3142
3143         [Mac] implement WebKitDataCue
3144         https://bugs.webkit.org/show_bug.cgi?id=131799
3145
3146         Reviewed by Dean Jackson.
3147
3148         * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE.
3149
3150 2014-04-18  Filip Pizlo  <fpizlo@apple.com>
3151
3152         Actually address Mark's review feedback.
3153
3154         * dfg/DFGOSRExitCompilerCommon.cpp:
3155         (JSC::DFG::handleExitCounts):
3156
3157 2014-04-18  Filip Pizlo  <fpizlo@apple.com>
3158
3159         Options::maximumExecutionCountsBetweenCheckpoints() should be higher for DFG->FTL tier-up but the same for other tier-ups
3160         https://bugs.webkit.org/show_bug.cgi?id=131850
3161
3162         Reviewed by Mark Hahnenberg.
3163         
3164         Templatize ExecutionCounter to allow for two different styles of calculating the
3165         checkpoint threshold.
3166         
3167         Appears to be a slight speed-up on DYEBench.
3168
3169         * bytecode/CodeBlock.h:
3170         (JSC::CodeBlock::llintExecuteCounter):
3171         (JSC::CodeBlock::offsetOfJITExecuteCounter):
3172         (JSC::CodeBlock::offsetOfJITExecutionActiveThreshold):
3173         (JSC::CodeBlock::offsetOfJITExecutionTotalCount):
3174         (JSC::CodeBlock::jitExecuteCounter):
3175         * bytecode/ExecutionCounter.cpp:
3176         (JSC::ExecutionCounter<countingVariant>::ExecutionCounter):
3177         (JSC::ExecutionCounter<countingVariant>::forceSlowPathConcurrently):
3178         (JSC::ExecutionCounter<countingVariant>::checkIfThresholdCrossedAndSet):
3179         (JSC::ExecutionCounter<countingVariant>::setNewThreshold):
3180         (JSC::ExecutionCounter<countingVariant>::deferIndefinitely):
3181         (JSC::applyMemoryUsageHeuristics):
3182         (JSC::applyMemoryUsageHeuristicsAndConvertToInt):
3183         (JSC::ExecutionCounter<countingVariant>::hasCrossedThreshold):
3184         (JSC::ExecutionCounter<countingVariant>::setThreshold):
3185         (JSC::ExecutionCounter<countingVariant>::reset):
3186         (JSC::ExecutionCounter<countingVariant>::dump):
3187         (JSC::ExecutionCounter::ExecutionCounter): Deleted.
3188         (JSC::ExecutionCounter::forceSlowPathConcurrently): Deleted.
3189         (JSC::ExecutionCounter::checkIfThresholdCrossedAndSet): Deleted.
3190         (JSC::ExecutionCounter::setNewThreshold): Deleted.
3191         (JSC::ExecutionCounter::deferIndefinitely): Deleted.
3192         (JSC::ExecutionCounter::applyMemoryUsageHeuristics): Deleted.
3193         (JSC::ExecutionCounter::applyMemoryUsageHeuristicsAndConvertToInt): Deleted.
3194         (JSC::ExecutionCounter::hasCrossedThreshold): Deleted.
3195         (JSC::ExecutionCounter::setThreshold): Deleted.
3196         (JSC::ExecutionCounter::reset): Deleted.
3197         (JSC::ExecutionCounter::dump): Deleted.
3198         * bytecode/ExecutionCounter.h:
3199         (JSC::formattedTotalExecutionCount):
3200         (JSC::ExecutionCounter::maximumExecutionCountsBetweenCheckpoints):
3201         (JSC::ExecutionCounter::clippedThreshold):
3202         (JSC::ExecutionCounter::formattedTotalCount): Deleted.
3203         * dfg/DFGJITCode.h:
3204         * dfg/DFGOSRExitCompilerCommon.cpp:
3205         (JSC::DFG::handleExitCounts):
3206         * llint/LowLevelInterpreter.asm:
3207         * runtime/Options.h:
3208
3209 2014-04-17  Mark Hahnenberg  <mhahnenberg@apple.com>
3210
3211         Deleting properties poisons objects
3212         https://bugs.webkit.org/show_bug.cgi?id=131551
3213
3214         Reviewed by Geoffrey Garen.
3215
3216         This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.
3217
3218         * runtime/Structure.cpp:
3219         (JSC::Structure::Structure):
3220         (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
3221         (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of 
3222         Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache 
3223         delete transitions, but we allow transitioning from them.
3224         (JSC::Structure::changePrototypeTransition):
3225         (JSC::Structure::despecifyFunctionTransition):
3226         (JSC::Structure::attributeChangeTransition):
3227         (JSC::Structure::toDictionaryTransition):
3228         (JSC::Structure::preventExtensionsTransition):
3229         (JSC::Structure::addPropertyWithoutTransition):
3230         (JSC::Structure::removePropertyWithoutTransition):
3231         (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
3232         (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
3233         * runtime/Structure.h:
3234         * runtime/StructureInlines.h:
3235         (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.
3236
3237 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
3238
3239         InlineCallFrameSet should be refcounted
3240         https://bugs.webkit.org/show_bug.cgi?id=131829
3241
3242         Reviewed by Geoffrey Garen.
3243         
3244         And DFG::Plan should hold a ref to it. Previously it was owned by Graph until it
3245         became owned by JITCode. Except that if we're "failing" to compile, JITCode may die.
3246         Even as it dies, the GC may still want to scan the DFG::Plan, which leads to scanning
3247         the DesiredWriteBarriers, which leads to scanning the InlineCallFrameSet.
3248         
3249         So, just make the darn thing refcounted.
3250
3251         * bytecode/InlineCallFrameSet.h:
3252         * dfg/DFGArgumentsSimplificationPhase.cpp:
3253         (JSC::DFG::ArgumentsSimplificationPhase::run):
3254         * dfg/DFGByteCodeParser.cpp:
3255         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
3256         * dfg/DFGCommonData.h:
3257         * dfg/DFGGraph.cpp:
3258         (JSC::DFG::Graph::Graph):
3259         (JSC::DFG::Graph::requiredRegisterCountForExit):
3260         * dfg/DFGGraph.h:
3261         * dfg/DFGJITCompiler.cpp:
3262         (JSC::DFG::JITCompiler::link):
3263         * dfg/DFGPlan.cpp:
3264         (JSC::DFG::Plan::Plan):
3265         * dfg/DFGPlan.h:
3266         * dfg/DFGStackLayoutPhase.cpp:
3267         (JSC::DFG::StackLayoutPhase::run):
3268         * ftl/FTLFail.cpp:
3269         (JSC::FTL::fail):
3270         * ftl/FTLLink.cpp:
3271         (JSC::FTL::link):
3272
3273 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
3274
3275         FTL::fail() should manage memory "correctly"
3276         https://bugs.webkit.org/show_bug.cgi?id=131823
3277         <rdar://problem/16384297>
3278
3279         Reviewed by Oliver Hunt.
3280
3281         * ftl/FTLFail.cpp:
3282         (JSC::FTL::fail):
3283
3284 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
3285
3286         Prediction propagator should correctly model Int52s flowing through arguments
3287         https://bugs.webkit.org/show_bug.cgi?id=131822
3288         <rdar://problem/16641408>
3289
3290         Reviewed by Oliver Hunt.
3291
3292         * dfg/DFGPredictionPropagationPhase.cpp:
3293         (JSC::DFG::PredictionPropagationPhase::propagate):
3294         * tests/stress/int52-argument.js: Added.
3295         (foo):
3296         * tests/stress/int52-variable.js: Added.
3297         (foo):
3298
3299 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
3300
3301         REGRESSION: ASSERT(!typeInfo().hasImpureGetOwnPropertySlot() || typeInfo().newImpurePropertyFiresWatchpoints()) on jquery tests
3302         https://bugs.webkit.org/show_bug.cgi?id=131798
3303
3304         Reviewed by Alexey Proskuryakov.
3305         
3306         Some day, we will fix https://bugs.webkit.org/show_bug.cgi?id=131810 and some version
3307         of this assertion can return. For now, it's not clear that the assertion is guarding
3308         any truly undesirable behavior - so it should just go away and be replaced with a
3309         FIXME.
3310
3311         * bytecode/GetByIdStatus.cpp:
3312         (JSC::GetByIdStatus::computeForStubInfo):
3313         * runtime/Structure.h:
3314         (JSC::Structure::takesSlowPathInDFGForImpureProperty):
3315
3316 2014-04-17  David Kilzer  <ddkilzer@apple.com>
3317
3318         Blind attempt to fix Windows build after r166837
3319         <http://webkit.org/b/131246>
3320
3321         Hoping to fix this build error:
3322
3323             warning MSB8027: Two or more files with the name of GCLogging.cpp will produce outputs to the same location. This can lead to an incorrect build result.  The files involved are ..\heap\GCLogging.cpp, ..\heap\GCLogging.cpp.
3324
3325         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Fix copy-paste
3326         boo-boo by changing the GCLogging.cpp ClCompile entry to a
3327         GCLogging.h ClInclude entry.
3328
3329 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
3330
3331         AI for GetLocal should match the DFG backend, and in this case, the best way to do that is to get rid of the "exit if empty prediction" thing since it's a vestige of a time long gone
3332         https://bugs.webkit.org/show_bug.cgi?id=131764
3333
3334         Reviewed by Geoffrey Garen.
3335         
3336         The attached test case can be made to not crash by deleting old code. It used to be
3337         the case that the DFG needed empty prediction guards, for shady reasons. We fixed that
3338         long ago. At this point, these guards just make life difficult. So get rid of them.
3339
3340         * dfg/DFGAbstractInterpreterInlines.h:
3341         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3342         * dfg/DFGSpeculativeJIT32_64.cpp:
3343         (JSC::DFG::SpeculativeJIT::compile):
3344         * dfg/DFGSpeculativeJIT64.cpp:
3345         (JSC::DFG::SpeculativeJIT::compile):
3346         * tests/stress/bug-131764.js: Added.
3347         (test1):
3348         (test2):
3349
3350 2014-04-17  Darin Adler  <darin@apple.com>
3351
3352         Add separate flag for IndexedDatabase in workers since the current implementation is not threadsafe
3353         https://bugs.webkit.org/show_bug.cgi?id=131785
3354         rdar://problem/16003108
3355
3356         Reviewed by Brady Eidson.
3357
3358         * Configurations/FeatureDefines.xcconfig: Added INDEXED_DATABASE_IN_WORKERS.
3359
3360 2014-04-16  Alexey Proskuryakov  <ap@apple.com>
3361
3362         Build fix after http://trac.webkit.org/changeset/167416 (Sink NaN sanitization)
3363
3364         * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::speculate):
3365
3366 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
3367
3368         Extra error reporting for invalid value conversions
3369         https://bugs.webkit.org/show_bug.cgi?id=131786
3370
3371         Rubber stamped by Ryosuke Niwa.
3372
3373         * dfg/DFGFixupPhase.cpp:
3374         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
3375
3376 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
3377
3378         Sink NaN sanitization to uses and remove it when it's unnecessary
3379         https://bugs.webkit.org/show_bug.cgi?id=131419
3380
3381         Reviewed by Oliver Hunt.
3382         
3383         This moves NaN purification to stores that could see an impure NaN.
3384         
3385         5% speed-up on AsmBench, 50% speed-up on AsmBench/n-body. It is a regression on FloatMM
3386         though, because of the other bug that causes that benchmark to box doubles in a loop.
3387
3388         * bytecode/SpeculatedType.h:
3389         (JSC::isInt32SpeculationForArithmetic):
3390         (JSC::isMachineIntSpeculationForArithmetic):
3391         (JSC::isDoubleSpeculation):
3392         (JSC::isDoubleSpeculationForArithmetic):
3393         * dfg/DFGAbstractInterpreterInlines.h:
3394         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3395         * dfg/DFGAbstractValue.cpp:
3396         (JSC::DFG::AbstractValue::fixTypeForRepresentation):
3397         * dfg/DFGFixupPhase.cpp:
3398         (JSC::DFG::FixupPhase::fixupNode):
3399         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
3400         * dfg/DFGInPlaceAbstractState.cpp:
3401         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
3402         * dfg/DFGPredictionPropagationPhase.cpp:
3403         (JSC::DFG::PredictionPropagationPhase::propagate):
3404         * dfg/DFGSpeculativeJIT.cpp:
3405         (JSC::DFG::SpeculativeJIT::compileValueRep):
3406         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
3407         * dfg/DFGUseKind.h:
3408         (JSC::DFG::typeFilterFor):
3409         * ftl/FTLLowerDFGToLLVM.cpp:
3410         (JSC::FTL::LowerDFGToLLVM::compileValueRep):
3411         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
3412         * runtime/PureNaN.h:
3413         * tests/stress/float32-array-nan-inlined.js: Added.
3414         (foo):
3415         (test):
3416         * tests/stress/float32-array-nan.js: Added.
3417         (foo):
3418         (test):
3419         * tests/stress/float64-array-nan-inlined.js: Added.
3420         (foo):
3421         (isBigEndian):