7a4505b9ba9923ea1c26af6fd46e8277c72d9c32
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-03-01  Andreas Kling  <akling@apple.com>

        Avoid going through ExecState for VM when we already have it (in some places.)
        <https://webkit.org/b/129554>

        Tweak some places that jump through unnecessary hoops to get the VM.
        There are many more like this.

        Reviewed by Sam Weinig.

        * runtime/JSObject.cpp:
        (JSC::JSObject::putByIndexBeyondVectorLength):
        (JSC::JSObject::putDirectIndexBeyondVectorLength):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncToString):

2014-02-28  Filip Pizlo  <fpizlo@apple.com>

        FTL should support PhantomArguments
        https://bugs.webkit.org/show_bug.cgi?id=113986

        Reviewed by Oliver Hunt.

        Adding PhantomArguments to the FTL mostly means wiring the recovery of the Arguments
        object into the FTL's OSR exit compiler.

        This isn't a speed-up yet, since there is still more to be done to fully support
        all of the arguments craziness that our varargs benchmarks do.

        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator):
        (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator):
        (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): this is the common place for the recovery code
        * dfg/DFGOSRExitCompilerCommon.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLExitValue.cpp:
        (JSC::FTL::ExitValue::dumpInContext):
        * ftl/FTLExitValue.h:
        (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated):
        (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated):
        (JSC::FTL::ExitValue::valueFormat):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments):
        (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
        (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub): Call into the ArgumentsRecoveryGenerator
        * tests/stress/slightly-more-difficult-to-fold-reflective-arguments-access.js: Added.
        * tests/stress/trivially-foldable-reflective-arguments-access.js: Added.

2014-02-28  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, uncomment some code. It wasn't meant to be commented in the first place.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):

2014-02-28  Andreas Kling  <akling@apple.com>

        JSObject::findPropertyHashEntry() should take VM instead of ExecState.
        <https://webkit.org/b/129529>

        Callers already have VM in a local, and findPropertyHashEntry() only
        uses the VM, no need to go all the way through ExecState.

        Reviewed by Geoffrey Garen.

        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::findPropertyHashEntry):
        * runtime/JSObject.h:

2014-02-28  Joseph Pecoraro  <pecoraro@apple.com>

        Deadlock remotely inspecting iOS Simulator
        https://bugs.webkit.org/show_bug.cgi?id=129511

        Reviewed by Timothy Hatcher.

        Avoid synchronous setup. Do it asynchronously, and let
        the RemoteInspector singleton know later if it failed.

        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::setupFailed):
        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorDebuggableConnection::setup):

2014-02-28  Oliver Hunt  <oliver@apple.com>

        REGRESSION(r164835): It broke 10 JSC stress tests on 32 bit platforms
        https://bugs.webkit.org/show_bug.cgi?id=129488

        Reviewed by Mark Lam.

        Whoops, modify the right register.

        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):

2014-02-28  Filip Pizlo  <fpizlo@apple.com>

        FTL should be able to call sin/cos directly on platforms where the intrinsic is busted
        https://bugs.webkit.org/show_bug.cgi?id=129503

        Reviewed by Mark Lam.

        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::doubleSin):
        (JSC::FTL::Output::doubleCos):
        (JSC::FTL::Output::intrinsicOrOperation):

2014-02-28  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fix !ENABLE(GGC) builds

        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::gatherJSStackRoots): Also fix one of the names of the GC phases.

2014-02-27  Mark Hahnenberg  <mhahnenberg@apple.com>

        Clean up Heap::collect and Heap::markRoots
        https://bugs.webkit.org/show_bug.cgi?id=129464

        Reviewed by Geoffrey Garen.

        These functions have built up a lot of cruft recently.
        We should do a bit of cleanup to make them easier to grok.

        * heap/Heap.cpp:
        (JSC::Heap::finalizeUnconditionalFinalizers):
        (JSC::Heap::gatherStackRoots):
        (JSC::Heap::gatherJSStackRoots):
        (JSC::Heap::gatherScratchBufferRoots):
        (JSC::Heap::clearLivenessData):
        (JSC::Heap::visitSmallStrings):
        (JSC::Heap::visitConservativeRoots):
        (JSC::Heap::visitCompilerWorklists):
        (JSC::Heap::markProtectedObjects):
        (JSC::Heap::markTempSortVectors):
        (JSC::Heap::markArgumentBuffers):
        (JSC::Heap::visitException):
        (JSC::Heap::visitStrongHandles):
        (JSC::Heap::visitHandleStack):
        (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
        (JSC::Heap::converge):
        (JSC::Heap::visitWeakHandles):
        (JSC::Heap::clearRememberedSet):
        (JSC::Heap::updateObjectCounts):
        (JSC::Heap::resetVisitors):
        (JSC::Heap::markRoots):
        (JSC::Heap::copyBackingStores):
        (JSC::Heap::deleteUnmarkedCompiledCode):
        (JSC::Heap::collect):
        (JSC::Heap::collectIfNecessaryOrDefer):
        (JSC::Heap::suspendCompilerThreads):
        (JSC::Heap::willStartCollection):
        (JSC::Heap::deleteOldCode):
        (JSC::Heap::flushOldStructureIDTables):
        (JSC::Heap::flushWriteBarrierBuffer):
        (JSC::Heap::stopAllocation):
        (JSC::Heap::reapWeakHandles):
        (JSC::Heap::sweepArrayBuffers):
        (JSC::Heap::snapshotMarkedSpace):
        (JSC::Heap::deleteSourceProviderCaches):
        (JSC::Heap::notifyIncrementalSweeper):
        (JSC::Heap::rememberCurrentlyExecutingCodeBlocks):
        (JSC::Heap::resetAllocators):
        (JSC::Heap::updateAllocationLimits):
        (JSC::Heap::didFinishCollection):
        (JSC::Heap::resumeCompilerThreads):
        * heap/Heap.h:

2014-02-27  Ryosuke Niwa  <rniwa@webkit.org>

        indexOf and lastIndexOf shouldn't resolve ropes when needle is longer than haystack
        https://bugs.webkit.org/show_bug.cgi?id=129466

        Reviewed by Michael Saboff.

        Refactored the code to avoid calling JSString::value when needle is longer than haystack.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncIndexOf):
        (JSC::stringProtoFuncLastIndexOf):

2014-02-27  Timothy Hatcher  <timothy@apple.com>

        Improve how ContentSearchUtilities::lineEndings works by supporting the three common line endings.

        https://bugs.webkit.org/show_bug.cgi?id=129458

        Reviewed by Joseph Pecoraro.

        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::textPositionFromOffset): Remove assumption about line ending length.
        (Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines): Remove assumption about
        line ending type and don't try to strip the line ending. Use size_t.
        (Inspector::ContentSearchUtilities::lineEndings): Use findNextLineStart to find the lines.
        This will include the line ending in the lines, but that is okay.
        (Inspector::ContentSearchUtilities::buildObjectForSearchMatch): Use size_t.
        (Inspector::ContentSearchUtilities::searchInTextByLines): Modernize.
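
        The line-ending handling this entry describes, as an added JavaScript example that is
        not WebKit's code (the real implementation is C++ in inspector/ContentSearchUtilities.cpp):
        the names findNextLineStart, lineEndings and textPositionFromOffset are reused from the
        entry for readability, and matchingLineNumbers stands in for the by-lines regular
        expression search. The sample strings are constructed for the example.

```javascript
// Added example, not WebKit's C++: line splitting that treats "\r\n", "\r"
// and "\n" each as one line ending, plus offset-to-position mapping over
// those lines. Function names echo the ChangeLog entry above.

// Return the offset of the start of the line after the one containing
// `offset`, or text.length if no line ending follows. A "\r\n" pair is
// consumed as a single ending, so it never produces an empty extra line.
function findNextLineStart(text, offset) {
  for (let i = offset; i < text.length; i++) {
    const c = text[i];
    if (c === "\n") return i + 1;
    if (c === "\r") return text[i + 1] === "\n" ? i + 2 : i + 1;
  }
  return text.length;
}

// Split text into lines, each keeping its own terminator. A trailing
// line without a terminator is still returned; empty text yields no lines.
function lineEndings(text) {
  const lines = [];
  let start = 0;
  while (start < text.length) {
    const next = findNextLineStart(text, start);
    lines.push(text.slice(start, next));
    start = next;
  }
  return lines;
}

// Map a character offset to a zero-based { line, column }. The column is
// counted from the start of the containing line, so no assumption about the
// length of the line ending is needed.
function textPositionFromOffset(text, offset) {
  const lines = lineEndings(text);
  let lineStart = 0;
  for (let line = 0; line < lines.length; line++) {
    const lineEnd = lineStart + lines[line].length;
    if (offset < lineEnd) return { line, column: offset - lineStart };
    lineStart = lineEnd;
  }
  // offset === text.length: if the text ends with a terminator (or is empty)
  // the position is a new, empty line; otherwise it is the end of the last line.
  const last = lines.length - 1;
  if (last >= 0 && !/[\r\n]$/.test(lines[last])) {
    return { line: last, column: lines[last].length };
  }
  return { line: lines.length, column: 0 };
}

// Zero-based numbers of the lines matching `regex`. The terminator stays on
// each line (as the entry notes, that is fine). A non-global copy of the
// regex is used so RegExp.lastIndex state cannot make test() skip lines.
function matchingLineNumbers(text, regex) {
  const re = new RegExp(regex.source, regex.flags.replace(/g/g, ""));
  const hits = [];
  lineEndings(text).forEach((line, index) => {
    if (re.test(line)) hits.push(index);
  });
  return hits;
}
```

        Mixed input such as "a\r\nb\rc\nd" splits into four lines, and the offset of the final "d"
        maps to line 3, column 0; an offset just past a trailing "\n" maps to the start of the
        next (empty) line rather than to a column past the terminator.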

2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>

        [Mac] Warning: Multiple build commands for output file GCSegmentedArray and InspectorAgent
        https://bugs.webkit.org/show_bug.cgi?id=129446

        Reviewed by Timothy Hatcher.

        Remove duplicate header entries in Copy Header build phase.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-02-27  Oliver Hunt  <oliver@apple.com>

        Whoops, include all of last patch.

        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):

2014-02-27  Oliver Hunt  <oliver@apple.com>

        Slow cases for function.apply and function.call should not require vm re-entry
        https://bugs.webkit.org/show_bug.cgi?id=129454

        Reviewed by Geoffrey Garen.

        Implement call and apply using builtins. Happily the use
        of @call and @apply don't perform function equality checks
        and just plant direct var_args calls. This did expose a few
        codegen issues, but they're all covered by existing tests
        once call and apply are implemented in JS.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/Function.prototype.js: Added.
        (call):
        (apply):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * interpreter/Interpreter.cpp:
        (JSC::sizeFrameForVarargs):
        (JSC::loadVarargs):
        * interpreter/Interpreter.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::makeFunctionCallNode):
        * parser/Lexer.cpp:
        (JSC::isSafeBuiltinIdentifier):
        * runtime/CommonIdentifiers.h:
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::addFunctionProperties):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectBuiltinFunction):
        (JSC::JSObject::putDirectBuiltinFunctionWithoutTransition):
        * runtime/JSObject.h:
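
        One consequence of implementing call and apply as builtins over the private @call and
        @apply, rather than through the public properties, is that script which replaces
        Function.prototype.apply cannot redirect Function.prototype.call (and vice versa). The
        following JavaScript is an added example, not WebKit's builtins/Function.prototype.js;
        the function names and the array-like input are made up for the check, which holds in
        any conforming engine and can be run against a jsc or node binary.

```javascript
// Added example, not WebKit code: Function.prototype.call and .apply must
// not depend on each other's public property. Replacing one from script
// must leave the other working, and the replacement must never be reached
// from inside the builtin.

function sum() {
  let total = 0;
  for (let i = 0; i < arguments.length; i++) total += arguments[i];
  return this.base + total;
}

// Run body() while Function.prototype[name] is replaced by a function that
// throws, then restore the original. Returns the body's result and how many
// times the replacement was reached (expected: 0).
function withPoisoned(name, body) {
  const original = Function.prototype[name];
  let reached = 0;
  Function.prototype[name] = function poisoned() {
    reached++;
    throw new Error("public " + name + " reached from a builtin");
  };
  try {
    const result = body();
    return { result, reached };
  } finally {
    Function.prototype[name] = original;
  }
}

function callIgnoresOverriddenApply() {
  return withPoisoned("apply", () => sum.call({ base: 10 }, 1, 2, 3));
}

function applyIgnoresOverriddenCall() {
  return withPoisoned("call", () => sum.apply({ base: 10 }, [1, 2, 3]));
}

// apply's generic path: any array-like (here a plain object with a length),
// not only a real Array, is spread into the argument list; a missing
// argument list means no arguments at all.
function applyAcceptsArrayLike() {
  const arrayLike = { length: 3, 0: 1, 1: 2, 2: 3 };
  return [sum.apply({ base: 10 }, arrayLike), sum.apply({ base: 10 })];
}
```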

2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Better name for RemoteInspectorDebuggableConnection dispatch queue
        https://bugs.webkit.org/show_bug.cgi?id=129443

        Reviewed by Timothy Hatcher.

        This queue is specific to the JSContext debuggable connections,
        there is no XPC involved. Give it a better name.

        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):

2014-02-27  David Kilzer  <ddkilzer@apple.com>

        Remove jsc symlink if it already exists

        This is a follow-up fix for:

        Create symlink to /usr/local/bin/jsc during installation
        <http://webkit.org/b/129399>
        <rdar://problem/16168734>

        * JavaScriptCore.xcodeproj/project.pbxproj:
        (Create /usr/local/bin/jsc symlink): If a jsc symlink already
        exists where we're about to create the symlink, remove the old
        one first.

2014-02-27  Michael Saboff  <msaboff@apple.com>

        Unreviewed build fix for Mac tools after r164814

        * Configurations/ToolExecutable.xcconfig:
        - Added JavaScriptCore.framework/PrivateHeaders to ToolExecutable include path.
        * JavaScriptCore.xcodeproj/project.pbxproj:
        - Changed productName to testRegExp for testRegExp target.

2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: JSContext inspection should report exceptions in the console
        https://bugs.webkit.org/show_bug.cgi?id=128776

        Reviewed by Timothy Hatcher.

        When JavaScript API functions have an exception, let the inspector
        know so it can log the JavaScript and Native backtrace that caused
        the exception.

        Include some clean up of ConsoleMessage and ScriptCallStack construction.

        * API/JSBase.cpp:
        (JSEvaluateScript):
        (JSCheckScriptSyntax):
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunction):
        (JSObjectMakeArray):
        (JSObjectMakeDate):
        (JSObjectMakeError):
        (JSObjectMakeRegExp):
        (JSObjectGetProperty):
        (JSObjectSetProperty):
        (JSObjectGetPropertyAtIndex):
        (JSObjectSetPropertyAtIndex):
        (JSObjectDeleteProperty):
        (JSObjectCallAsFunction):
        (JSObjectCallAsConstructor):
        * API/JSValue.mm:
        (reportExceptionToInspector):
        (valueToArray):
        (valueToDictionary):
        * API/JSValueRef.cpp:
        (JSValueIsEqual):
        (JSValueIsInstanceOfConstructor):
        (JSValueCreateJSONString):
        (JSValueToNumber):
        (JSValueToStringCopy):
        (JSValueToObject):
        When seeing an exception, let the inspector know there was an exception.

        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
        (Inspector::JSGlobalObjectInspectorController::reportAPIException):
        Log API exceptions by also grabbing the native backtrace.

        * inspector/ScriptCallStack.h:
        * inspector/ScriptCallStack.cpp:
        (Inspector::ScriptCallStack::firstNonNativeCallFrame):
        (Inspector::ScriptCallStack::append):
        Minor extensions to ScriptCallStack to make it easier to work with.

        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::ConsoleMessage):
        (Inspector::ConsoleMessage::autogenerateMetadata):
        Provide better default information if the first call frame was native.

        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::createScriptCallStack):
        (Inspector::extractSourceInformationFromException):
        (Inspector::createScriptCallStackFromException):
        Perform the handling here of inserting a fake call frame for exceptions
        if there was no call stack (e.g. a SyntaxError) or if the first call
        frame had no information.

        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::ConsoleMessage):
        (Inspector::ConsoleMessage::autogenerateMetadata):
        * inspector/ConsoleMessage.h:
        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::createScriptCallStack):
        (Inspector::createScriptCallStackForConsole):
        * inspector/ScriptCallStackFactory.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::enable):
        (Inspector::InspectorConsoleAgent::addMessageToConsole):
        (Inspector::InspectorConsoleAgent::count):
        * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
        (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
        ConsoleMessage cleanup.

2014-02-27  David Kilzer  <ddkilzer@apple.com>

        Create symlink to /usr/local/bin/jsc during installation
        <http://webkit.org/b/129399>
        <rdar://problem/16168734>

        Reviewed by Dan Bernstein.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        - Add "Create /usr/local/bin/jsc symlink" build phase script to
          create the symlink during installation.

2014-02-27  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>

        Math.{max, min}() must not return after first NaN value
        https://bugs.webkit.org/show_bug.cgi?id=104147

        Reviewed by Oliver Hunt.

        According to the spec, ToNumber is going to be called on each argument
        even if a `NaN` value was already found.

        * runtime/MathObject.cpp:
        (JSC::mathProtoFuncMax):
        (JSC::mathProtoFuncMin):
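
        The spec rule this entry enforces, as an added JavaScript example that is not WebKit's
        code: every argument of Math.max and Math.min goes through ToNumber, so a user-defined
        valueOf placed after a NaN still runs and can still throw. The helper names are made up;
        the last function writes out the pre-fix shortcut for contrast.

```javascript
// Added example, not WebKit code: Math.max/min must apply ToNumber to every
// argument even after a NaN has been seen, because ToNumber can run script
// (valueOf) with observable side effects. The first two functions check a
// conforming engine; the last one writes out the pre-fix shortcut.

// An argument whose conversion is observable: ToNumber calls valueOf, which
// appends `name` to `log` and yields `value`.
function observable(name, value, log) {
  return { valueOf() { log.push(name); return value; } };
}

// Math[fn](NaN, a, b): a conforming engine converts both a and b although
// the result is already known to be NaN. Returns the log and whether the
// result was NaN.
function conversionsAfterNaN(fn) {
  const log = [];
  const result = Math[fn](NaN, observable("a", 1, log), observable("b", 2, log));
  return { isNaN: Number.isNaN(result), log };
}

// The same rule seen through an exception: an argument after the NaN whose
// valueOf throws must still be converted, so the throw escapes.
function laterArgumentStillThrows(fn) {
  try {
    Math[fn](NaN, { valueOf() { throw new RangeError("converted after NaN"); } });
    return false;
  } catch (e) {
    return e instanceof RangeError;
  }
}

// The behaviour the entry fixes, written out: returning at the first NaN
// skips the remaining conversions. (Signed-zero ordering is omitted; it is
// irrelevant to the point being made.)
function maxReturningAtFirstNaN(...args) {
  let result = -Infinity;
  for (const arg of args) {
    const n = Number(arg);           // ToNumber, including valueOf
    if (Number.isNaN(n)) return NaN; // the bug: later arguments are never converted
    if (n > result) result = n;
  }
  return result;
}

// Which of the arguments after a NaN the shortcut version converts: none.
function conversionsSkippedByShortcut() {
  const log = [];
  maxReturningAtFirstNaN(NaN, observable("a", 1, log), observable("b", 2, log));
  return log;
}
```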

2014-02-27  Gergo Balogh  <gbalogh.u-szeged@partner.samsung.com>

        JSType upper limit (0xff) assertion can be removed.
        https://bugs.webkit.org/show_bug.cgi?id=129424

        Reviewed by Geoffrey Garen.

        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::TypeInfo):

2014-02-26  Michael Saboff  <msaboff@apple.com>

        Auto generate bytecode information for bytecode parser and LLInt
        https://bugs.webkit.org/show_bug.cgi?id=129181

        Reviewed by Mark Lam.

        Added new bytecode/BytecodeList.json that contains a list of bytecodes and related
        helpers.  It also includes bytecode length and other information used to generate files.
        Added a new generator, generate-bytecode-files that generates Bytecodes.h and InitBytecodes.asm
        in DerivedSources/JavaScriptCore/.

        Added the generation of these files to the "DerivedSource" build step.
        Slightly changed the build order, since the Bytecodes.h file is needed by
        JSCLLIntOffsetsExtractor.  Moved the offline assembly to a separate step since it needs
        to be run after JSCLLIntOffsetsExtractor.

        Made related changes to OPCODE macros and their use.

        Added JavaScriptCore.framework/PrivateHeaders to header file search path for building
        jsc to resolve Mac build issue.

        * CMakeLists.txt:
        * Configurations/JSC.xcconfig:
        * DerivedSources.make:
        * GNUmakefile.am:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.vcxproj/copy-files.cmd:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * llint/LLIntCLoop.cpp:
        (JSC::LLInt::CLoop::initialize):
        * llint/LLIntCLoop.h:
        * llint/LLIntData.cpp:
        (JSC::LLInt::initialize):
        * llint/LLIntOpcode.h:
        * llint/LowLevelInterpreter.asm:

2014-02-27  Julien Brianceau  <jbriance@cisco.com>

        Fix 32-bit V_JITOperation_EJ callOperation introduced in r162652.
        https://bugs.webkit.org/show_bug.cgi?id=129420

        Reviewed by Geoffrey Garen.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation): Payload and tag are swapped.
        Also, EABI_32BIT_DUMMY_ARG is missing for arm EABI and mips.

2014-02-27  Filip Pizlo  <fpizlo@apple.com>

        Octane/closure thrashes between flattening dictionaries during global object initialization in a global eval
        https://bugs.webkit.org/show_bug.cgi?id=129435

        Reviewed by Oliver Hunt.

        This is a 5-10% speed-up on Octane/closure.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionClearCodeCache):
        * runtime/BatchedTransitionOptimizer.h:
        (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
        (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):

2014-02-27  Alexey Proskuryakov  <ap@apple.com>

        Added svn:ignore to two directories, so that .pyc files don't show up as unversioned.

        * inspector/scripts: Added property svn:ignore.
        * replay/scripts: Added property svn:ignore.

2014-02-27  Gabor Rapcsanyi  <rgabor@webkit.org>

        r164764 broke the ARM build
        https://bugs.webkit.org/show_bug.cgi?id=129415

        Reviewed by Zoltan Herczeg.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::moveWithPatch): Change reinterpret_cast to static_cast.
        (JSC::MacroAssemblerARM::canJumpReplacePatchableBranch32WithPatch): Add missing function.
        (JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress): Add missing function.
        (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch): Add missing function.

2014-02-27  Mark Hahnenberg  <mhahnenberg@apple.com>

        r164764 broke the ARM build
        https://bugs.webkit.org/show_bug.cgi?id=129415

        Reviewed by Geoffrey Garen.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::moveWithPatch):

2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>

        r164764 broke the ARM build
        https://bugs.webkit.org/show_bug.cgi?id=129415

        Reviewed by Geoffrey Garen.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::branch32WithPatch): Missing this function.

2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>

        EFL build fix

        * dfg/DFGSpeculativeJIT32_64.cpp: Remove unused variables.
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):

2014-02-25  Mark Hahnenberg  <mhahnenberg@apple.com>

        Make JSCells have 32-bit Structure pointers
        https://bugs.webkit.org/show_bug.cgi?id=123195

        Reviewed by Filip Pizlo.

        This patch changes JSCells such that they no longer have a full 64-bit Structure
        pointer in their header. Instead they now have a 32-bit index into
        a per-VM table of Structure pointers. 32-bit platforms still use normal Structure
        pointers.

        This change frees up an additional 32 bits of information in our object headers.
        We then use this extra space to store the indexing type of the object, the JSType
        of the object, some various type flags, and garbage collection data (e.g. mark bit).
        Because this inline type information is now faster to read, it pays for the slowdown
        incurred by having to perform an extra indirection through the StructureIDTable.

        This patch also threads a reference to the current VM through more of the C++ runtime
        to offset the cost of having to look up the VM to get the actual Structure pointer.

        * API/JSContext.mm:
        (-[JSContext setException:]):
        (-[JSContext wrapperForObjCObject:]):
        (-[JSContext wrapperForJSObject:]):
        * API/JSContextRef.cpp:
        (JSContextGroupRelease):
        (JSGlobalContextRelease):
        * API/JSObjectRef.cpp:
        (JSObjectIsFunction):
        (JSObjectCopyPropertyNames):
        * API/JSValue.mm:
        (containerValueToObject):
        * API/JSWrapperMap.mm:
        (tryUnwrapObjcObject):
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::patchableBranch32WithPatch):
        (JSC::MacroAssembler::patchableBranch32):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::branchPtrWithPatch):
        (JSC::MacroAssemblerARM64::patchableBranch32WithPatch):
        (JSC::MacroAssemblerARM64::canJumpReplacePatchableBranch32WithPatch):
        (JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::store8):
        (JSC::MacroAssemblerARMv7::branch32WithPatch):
        (JSC::MacroAssemblerARMv7::patchableBranch32WithPatch):
        (JSC::MacroAssemblerARMv7::canJumpReplacePatchableBranch32WithPatch):
        (JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::branch32WithPatch):
        (JSC::MacroAssemblerX86::canJumpReplacePatchableBranch32WithPatch):
        (JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::store32):
        (JSC::MacroAssemblerX86_64::moveWithPatch):
        (JSC::MacroAssemblerX86_64::branch32WithPatch):
        (JSC::MacroAssemblerX86_64::canJumpReplacePatchableBranch32WithPatch):
        (JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister):
        (JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch):
        * assembler/RepatchBuffer.h:
        (JSC::RepatchBuffer::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::RepatchBuffer::revertJumpReplacementToPatchableBranch32WithPatch):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::revertJumpTo_movq_i64r):
        (JSC::X86Assembler::revertJumpTo_movl_i32r):
        * bytecode/ArrayProfile.cpp:
        (JSC::ArrayProfile::computeUpdatedPrediction):
        * bytecode/ArrayProfile.h:
        (JSC::ArrayProfile::ArrayProfile):
        (JSC::ArrayProfile::addressOfLastSeenStructureID):
        (JSC::ArrayProfile::observeStructure):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::heap):
        * bytecode/UnlinkedCodeBlock.h:
        * debugger/Debugger.h:
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGArrayifySlowPathGenerator.h:
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::branchWeakStructure):
        (JSC::DFG::JITCompiler::branchStructurePtr):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::osrWriteBarrier):
        (JSC::DFG::adjustAndJumpToTarget):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByVal):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::arrayify):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
        (JSC::DFG::SpeculativeJIT::compileInstanceOf):
        (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
        (JSC::DFG::SpeculativeJIT::speculateObject):
        (JSC::DFG::SpeculativeJIT::speculateFinalObject):
        (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
        (JSC::DFG::SpeculativeJIT::speculateString):
        (JSC::DFG::SpeculativeJIT::speculateStringObject):
        (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
        (JSC::DFG::SpeculativeJIT::emitSwitchChar):
        (JSC::DFG::SpeculativeJIT::emitSwitchString):
        (JSC::DFG::SpeculativeJIT::genericWriteBarrier):
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
        (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGWorklist.cpp:
        * ftl/FTLAbstractHeapRepository.cpp:
        (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
        (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
        (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
        (JSC::FTL::LowerDFGToLLVM::compileToString):
        (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
        (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
        (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
        (JSC::FTL::LowerDFGToLLVM::allocateCell):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::isObject):
        (JSC::FTL::LowerDFGToLLVM::isString):
        (JSC::FTL::LowerDFGToLLVM::isArrayType):
        (JSC::FTL::LowerDFGToLLVM::hasClassInfo):
        (JSC::FTL::LowerDFGToLLVM::isType):
        (JSC::FTL::LowerDFGToLLVM::speculateStringOrStringObject):
        (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForCell):
        (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
        (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
        (JSC::FTL::LowerDFGToLLVM::loadMarkByte):
        (JSC::FTL::LowerDFGToLLVM::loadStructure):
        (JSC::FTL::LowerDFGToLLVM::weakStructure):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::store8):
        * heap/GCAssertions.h:
        * heap/Heap.cpp:
        (JSC::Heap::getConservativeRegisterRoots):
        (JSC::Heap::collect):
        (JSC::Heap::writeBarrier):
        * heap/Heap.h:
        (JSC::Heap::structureIDTable):
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::forEachBlock):
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::internalAppend):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::branchIfCellNotObject):
        (JSC::AssemblyHelpers::genericWriteBarrier):
        (JSC::AssemblyHelpers::emitLoadStructure):
        (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        (JSC::JIT::privateCompileClosureCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emit_op_ret_object_or_this):
        (JSC::JIT::compileOpCall):
        (JSC::JIT::privateCompileClosureCall):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::generateFastPathChecks):
        * jit/JITInlineCacheGenerator.h:
        * jit/JITInlines.h:
745         (JSC::JIT::emitLoadCharacterString):
746         (JSC::JIT::checkStructure):
747         (JSC::JIT::emitJumpIfCellNotObject):
748         (JSC::JIT::emitAllocateJSObject):
749         (JSC::JIT::emitArrayProfilingSiteWithCell):
750         (JSC::JIT::emitArrayProfilingSiteForBytecodeIndexWithCell):
751         (JSC::JIT::branchStructure):
752         (JSC::branchStructure):
753         * jit/JITOpcodes.cpp:
754         (JSC::JIT::emit_op_check_has_instance):
755         (JSC::JIT::emit_op_instanceof):
756         (JSC::JIT::emit_op_is_undefined):
757         (JSC::JIT::emit_op_is_string):
758         (JSC::JIT::emit_op_ret_object_or_this):
759         (JSC::JIT::emit_op_to_primitive):
760         (JSC::JIT::emit_op_jeq_null):
761         (JSC::JIT::emit_op_jneq_null):
762         (JSC::JIT::emit_op_get_pnames):
763         (JSC::JIT::emit_op_next_pname):
764         (JSC::JIT::emit_op_eq_null):
765         (JSC::JIT::emit_op_neq_null):
766         (JSC::JIT::emit_op_to_this):
767         (JSC::JIT::emitSlow_op_to_this):
768         * jit/JITOpcodes32_64.cpp:
769         (JSC::JIT::emit_op_check_has_instance):
770         (JSC::JIT::emit_op_instanceof):
771         (JSC::JIT::emit_op_is_undefined):
772         (JSC::JIT::emit_op_is_string):
773         (JSC::JIT::emit_op_to_primitive):
774         (JSC::JIT::emit_op_jeq_null):
775         (JSC::JIT::emit_op_jneq_null):
776         (JSC::JIT::emitSlow_op_eq):
777         (JSC::JIT::emitSlow_op_neq):
778         (JSC::JIT::compileOpStrictEq):
779         (JSC::JIT::emit_op_eq_null):
780         (JSC::JIT::emit_op_neq_null):
781         (JSC::JIT::emit_op_get_pnames):
782         (JSC::JIT::emit_op_next_pname):
783         (JSC::JIT::emit_op_to_this):
784         * jit/JITOperations.cpp:
785         * jit/JITPropertyAccess.cpp:
786         (JSC::JIT::stringGetByValStubGenerator):
787         (JSC::JIT::emit_op_get_by_val):
788         (JSC::JIT::emitSlow_op_get_by_val):
789         (JSC::JIT::emit_op_get_by_pname):
790         (JSC::JIT::emit_op_put_by_val):
791         (JSC::JIT::emit_op_get_by_id):
792         (JSC::JIT::emitLoadWithStructureCheck):
793         (JSC::JIT::emitSlow_op_get_from_scope):
794         (JSC::JIT::emitSlow_op_put_to_scope):
795         (JSC::JIT::checkMarkWord):
796         (JSC::JIT::emitWriteBarrier):
797         (JSC::JIT::addStructureTransitionCheck):
798         (JSC::JIT::emitIntTypedArrayGetByVal):
799         (JSC::JIT::emitFloatTypedArrayGetByVal):
800         (JSC::JIT::emitIntTypedArrayPutByVal):
801         (JSC::JIT::emitFloatTypedArrayPutByVal):
802         * jit/JITPropertyAccess32_64.cpp:
803         (JSC::JIT::stringGetByValStubGenerator):
804         (JSC::JIT::emit_op_get_by_val):
805         (JSC::JIT::emitSlow_op_get_by_val):
806         (JSC::JIT::emit_op_put_by_val):
807         (JSC::JIT::emit_op_get_by_id):
808         (JSC::JIT::emit_op_get_by_pname):
809         (JSC::JIT::emitLoadWithStructureCheck):
810         * jit/JSInterfaceJIT.h:
811         (JSC::JSInterfaceJIT::emitJumpIfNotType):
812         * jit/Repatch.cpp:
813         (JSC::repatchByIdSelfAccess):
814         (JSC::addStructureTransitionCheck):
815         (JSC::replaceWithJump):
816         (JSC::generateProtoChainAccessStub):
817         (JSC::tryCacheGetByID):
818         (JSC::tryBuildGetByIDList):
819         (JSC::writeBarrier):
820         (JSC::emitPutReplaceStub):
821         (JSC::emitPutTransitionStub):
822         (JSC::tryBuildPutByIdList):
823         (JSC::tryRepatchIn):
824         (JSC::linkClosureCall):
825         (JSC::resetGetByID):
826         (JSC::resetPutByID):
827         * jit/SpecializedThunkJIT.h:
828         (JSC::SpecializedThunkJIT::loadJSStringArgument):
829         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
830         * jit/ThunkGenerators.cpp:
831         (JSC::virtualForThunkGenerator):
832         (JSC::arrayIteratorNextThunkGenerator):
833         * jit/UnusedPointer.h:
834         * llint/LowLevelInterpreter.asm:
835         * llint/LowLevelInterpreter32_64.asm:
836         * llint/LowLevelInterpreter64.asm:
837         * runtime/Arguments.cpp:
838         (JSC::Arguments::createStrictModeCallerIfNecessary):
839         (JSC::Arguments::createStrictModeCalleeIfNecessary):
840         * runtime/Arguments.h:
841         (JSC::Arguments::createStructure):
842         * runtime/ArrayPrototype.cpp:
843         (JSC::shift):
844         (JSC::unshift):
845         (JSC::arrayProtoFuncToString):
846         (JSC::arrayProtoFuncPop):
847         (JSC::arrayProtoFuncReverse):
848         (JSC::performSlowSort):
849         (JSC::arrayProtoFuncSort):
850         (JSC::arrayProtoFuncSplice):
851         (JSC::arrayProtoFuncUnShift):
852         * runtime/CommonSlowPaths.cpp:
853         (JSC::SLOW_PATH_DECL):
854         * runtime/Executable.h:
855         (JSC::ExecutableBase::isFunctionExecutable):
856         (JSC::ExecutableBase::clearCodeVirtual):
857         (JSC::ScriptExecutable::unlinkCalls):
858         * runtime/GetterSetter.cpp:
859         (JSC::callGetter):
860         (JSC::callSetter):
861         * runtime/InitializeThreading.cpp:
862         * runtime/JSArray.cpp:
863         (JSC::JSArray::unshiftCountSlowCase):
864         (JSC::JSArray::setLength):
865         (JSC::JSArray::pop):
866         (JSC::JSArray::push):
867         (JSC::JSArray::shiftCountWithArrayStorage):
868         (JSC::JSArray::shiftCountWithAnyIndexingType):
869         (JSC::JSArray::unshiftCountWithArrayStorage):
870         (JSC::JSArray::unshiftCountWithAnyIndexingType):
871         (JSC::JSArray::sortNumericVector):
872         (JSC::JSArray::sortNumeric):
873         (JSC::JSArray::sortCompactedVector):
874         (JSC::JSArray::sort):
875         (JSC::JSArray::sortVector):
876         (JSC::JSArray::fillArgList):
877         (JSC::JSArray::copyToArguments):
878         (JSC::JSArray::compactForSorting):
879         * runtime/JSCJSValueInlines.h:
880         (JSC::JSValue::toThis):
881         (JSC::JSValue::put):
882         (JSC::JSValue::putByIndex):
883         (JSC::JSValue::equalSlowCaseInline):
884         * runtime/JSCell.cpp:
885         (JSC::JSCell::put):
886         (JSC::JSCell::putByIndex):
887         (JSC::JSCell::deleteProperty):
888         (JSC::JSCell::deletePropertyByIndex):
889         * runtime/JSCell.h:
890         (JSC::JSCell::clearStructure):
891         (JSC::JSCell::mark):
892         (JSC::JSCell::isMarked):
893         (JSC::JSCell::structureIDOffset):
894         (JSC::JSCell::typeInfoFlagsOffset):
895         (JSC::JSCell::typeInfoTypeOffset):
896         (JSC::JSCell::indexingTypeOffset):
897         (JSC::JSCell::gcDataOffset):
898         * runtime/JSCellInlines.h:
899         (JSC::JSCell::JSCell):
900         (JSC::JSCell::finishCreation):
901         (JSC::JSCell::type):
902         (JSC::JSCell::indexingType):
903         (JSC::JSCell::structure):
904         (JSC::JSCell::visitChildren):
905         (JSC::JSCell::isObject):
906         (JSC::JSCell::isString):
907         (JSC::JSCell::isGetterSetter):
908         (JSC::JSCell::isProxy):
909         (JSC::JSCell::isAPIValueWrapper):
910         (JSC::JSCell::setStructure):
911         (JSC::JSCell::methodTable):
912         (JSC::Heap::writeBarrier):
913         * runtime/JSDataView.cpp:
914         (JSC::JSDataView::createStructure):
915         * runtime/JSDestructibleObject.h:
916         (JSC::JSCell::classInfo):
917         * runtime/JSFunction.cpp:
918         (JSC::JSFunction::getOwnNonIndexPropertyNames):
919         (JSC::JSFunction::put):
920         (JSC::JSFunction::defineOwnProperty):
921         * runtime/JSGenericTypedArrayView.h:
922         (JSC::JSGenericTypedArrayView::createStructure):
923         * runtime/JSObject.cpp:
924         (JSC::getCallableObjectSlow):
925         (JSC::JSObject::copyButterfly):
926         (JSC::JSObject::visitButterfly):
927         (JSC::JSFinalObject::visitChildren):
928         (JSC::JSObject::getOwnPropertySlotByIndex):
929         (JSC::JSObject::put):
930         (JSC::JSObject::putByIndex):
931         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
932         (JSC::JSObject::enterDictionaryIndexingMode):
933         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
934         (JSC::JSObject::createInitialIndexedStorage):
935         (JSC::JSObject::createInitialUndecided):
936         (JSC::JSObject::createInitialInt32):
937         (JSC::JSObject::createInitialDouble):
938         (JSC::JSObject::createInitialContiguous):
939         (JSC::JSObject::createArrayStorage):
940         (JSC::JSObject::convertUndecidedToInt32):
941         (JSC::JSObject::convertUndecidedToDouble):
942         (JSC::JSObject::convertUndecidedToContiguous):
943         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
944         (JSC::JSObject::convertUndecidedToArrayStorage):
945         (JSC::JSObject::convertInt32ToDouble):
946         (JSC::JSObject::convertInt32ToContiguous):
947         (JSC::JSObject::convertInt32ToArrayStorage):
948         (JSC::JSObject::genericConvertDoubleToContiguous):
949         (JSC::JSObject::convertDoubleToArrayStorage):
950         (JSC::JSObject::convertContiguousToArrayStorage):
951         (JSC::JSObject::ensureInt32Slow):
952         (JSC::JSObject::ensureDoubleSlow):
953         (JSC::JSObject::ensureContiguousSlow):
954         (JSC::JSObject::ensureArrayStorageSlow):
955         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
956         (JSC::JSObject::switchToSlowPutArrayStorage):
957         (JSC::JSObject::setPrototype):
958         (JSC::JSObject::setPrototypeWithCycleCheck):
959         (JSC::JSObject::putDirectNonIndexAccessor):
960         (JSC::JSObject::deleteProperty):
961         (JSC::JSObject::hasOwnProperty):
962         (JSC::JSObject::deletePropertyByIndex):
963         (JSC::JSObject::getPrimitiveNumber):
964         (JSC::JSObject::hasInstance):
965         (JSC::JSObject::getPropertySpecificValue):
966         (JSC::JSObject::getPropertyNames):
967         (JSC::JSObject::getOwnPropertyNames):
968         (JSC::JSObject::getOwnNonIndexPropertyNames):
969         (JSC::JSObject::seal):
970         (JSC::JSObject::freeze):
971         (JSC::JSObject::preventExtensions):
972         (JSC::JSObject::reifyStaticFunctionsForDelete):
973         (JSC::JSObject::removeDirect):
974         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
975         (JSC::JSObject::putByIndexBeyondVectorLength):
976         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
977         (JSC::JSObject::putDirectIndexBeyondVectorLength):
978         (JSC::JSObject::getNewVectorLength):
979         (JSC::JSObject::countElements):
980         (JSC::JSObject::increaseVectorLength):
981         (JSC::JSObject::ensureLengthSlow):
982         (JSC::JSObject::growOutOfLineStorage):
983         (JSC::JSObject::getOwnPropertyDescriptor):
984         (JSC::putDescriptor):
985         (JSC::JSObject::defineOwnNonIndexProperty):
986         * runtime/JSObject.h:
987         (JSC::getJSFunction):
988         (JSC::JSObject::getArrayLength):
989         (JSC::JSObject::getVectorLength):
990         (JSC::JSObject::putByIndexInline):
991         (JSC::JSObject::canGetIndexQuickly):
992         (JSC::JSObject::getIndexQuickly):
993         (JSC::JSObject::tryGetIndexQuickly):
994         (JSC::JSObject::getDirectIndex):
995         (JSC::JSObject::canSetIndexQuickly):
996         (JSC::JSObject::canSetIndexQuicklyForPutDirect):
997         (JSC::JSObject::setIndexQuickly):
998         (JSC::JSObject::initializeIndex):
999         (JSC::JSObject::hasSparseMap):
1000         (JSC::JSObject::inSparseIndexingMode):
1001         (JSC::JSObject::getDirect):
1002         (JSC::JSObject::getDirectOffset):
1003         (JSC::JSObject::isSealed):
1004         (JSC::JSObject::isFrozen):
1005         (JSC::JSObject::flattenDictionaryObject):
1006         (JSC::JSObject::ensureInt32):
1007         (JSC::JSObject::ensureDouble):
1008         (JSC::JSObject::ensureContiguous):
1009         (JSC::JSObject::rageEnsureContiguous):
1010         (JSC::JSObject::ensureArrayStorage):
1011         (JSC::JSObject::arrayStorage):
1012         (JSC::JSObject::arrayStorageOrNull):
1013         (JSC::JSObject::ensureLength):
1014         (JSC::JSObject::currentIndexingData):
1015         (JSC::JSObject::getHolyIndexQuickly):
1016         (JSC::JSObject::currentRelevantLength):
1017         (JSC::JSObject::isGlobalObject):
1018         (JSC::JSObject::isVariableObject):
1019         (JSC::JSObject::isStaticScopeObject):
1020         (JSC::JSObject::isNameScopeObject):
1021         (JSC::JSObject::isActivationObject):
1022         (JSC::JSObject::isErrorInstance):
1023         (JSC::JSObject::inlineGetOwnPropertySlot):
1024         (JSC::JSObject::fastGetOwnPropertySlot):
1025         (JSC::JSObject::getPropertySlot):
1026         (JSC::JSObject::putDirectInternal):
1027         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
1028         * runtime/JSPropertyNameIterator.h:
1029         (JSC::JSPropertyNameIterator::createStructure):
1030         * runtime/JSProxy.cpp:
1031         (JSC::JSProxy::getOwnPropertySlot):
1032         (JSC::JSProxy::getOwnPropertySlotByIndex):
1033         (JSC::JSProxy::put):
1034         (JSC::JSProxy::putByIndex):
1035         (JSC::JSProxy::defineOwnProperty):
1036         (JSC::JSProxy::deleteProperty):
1037         (JSC::JSProxy::deletePropertyByIndex):
1038         (JSC::JSProxy::getPropertyNames):
1039         (JSC::JSProxy::getOwnPropertyNames):
1040         * runtime/JSScope.cpp:
1041         (JSC::JSScope::objectAtScope):
1042         * runtime/JSString.h:
1043         (JSC::JSString::createStructure):
1044         (JSC::isJSString):
1045         * runtime/JSType.h:
1046         * runtime/JSTypeInfo.h:
1047         (JSC::TypeInfo::TypeInfo):
1048         (JSC::TypeInfo::isObject):
1049         (JSC::TypeInfo::structureIsImmortal):
1050         (JSC::TypeInfo::zeroedGCDataOffset):
1051         (JSC::TypeInfo::inlineTypeFlags):
1052         * runtime/MapData.h:
1053         * runtime/ObjectConstructor.cpp:
1054         (JSC::objectConstructorGetOwnPropertyNames):
1055         (JSC::objectConstructorKeys):
1056         (JSC::objectConstructorDefineProperty):
1057         (JSC::defineProperties):
1058         (JSC::objectConstructorSeal):
1059         (JSC::objectConstructorFreeze):
1060         (JSC::objectConstructorIsSealed):
1061         (JSC::objectConstructorIsFrozen):
1062         * runtime/ObjectPrototype.cpp:
1063         (JSC::objectProtoFuncDefineGetter):
1064         (JSC::objectProtoFuncDefineSetter):
1065         (JSC::objectProtoFuncToString):
1066         * runtime/Operations.cpp:
1067         (JSC::jsTypeStringForValue):
1068         (JSC::jsIsObjectType):
1069         * runtime/Operations.h:
1070         (JSC::normalizePrototypeChainForChainAccess):
1071         (JSC::normalizePrototypeChain):
1072         * runtime/PropertyMapHashTable.h:
1073         (JSC::PropertyTable::createStructure):
1074         * runtime/RegExp.h:
1075         (JSC::RegExp::createStructure):
1076         * runtime/SparseArrayValueMap.h:
1077         * runtime/Structure.cpp:
1078         (JSC::Structure::Structure):
1079         (JSC::Structure::~Structure):
1080         (JSC::Structure::prototypeChainMayInterceptStoreTo):
1081         * runtime/Structure.h:
1082         (JSC::Structure::id):
1083         (JSC::Structure::idBlob):
1084         (JSC::Structure::objectInitializationFields):
1085         (JSC::Structure::structureIDOffset):
1086         * runtime/StructureChain.h:
1087         (JSC::StructureChain::createStructure):
1088         * runtime/StructureIDTable.cpp: Added.
1089         (JSC::StructureIDTable::StructureIDTable):
1090         (JSC::StructureIDTable::~StructureIDTable):
1091         (JSC::StructureIDTable::resize):
1092         (JSC::StructureIDTable::flushOldTables):
1093         (JSC::StructureIDTable::allocateID):
1094         (JSC::StructureIDTable::deallocateID):
1095         * runtime/StructureIDTable.h: Added.
1096         (JSC::StructureIDTable::base):
1097         (JSC::StructureIDTable::get):
1098         * runtime/SymbolTable.h:
1099         * runtime/TypedArrayType.cpp:
1100         (JSC::typeForTypedArrayType):
1101         * runtime/TypedArrayType.h:
1102         * runtime/WeakMapData.h:
1103
1104 2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>
1105
1106         Unconditional logging in compileFTLOSRExit
1107         https://bugs.webkit.org/show_bug.cgi?id=129407
1108
1109         Reviewed by Michael Saboff.
1110
1111         This was causing tests to fail with the FTL enabled.
1112
1113         * ftl/FTLOSRExitCompiler.cpp:
1114         (JSC::FTL::compileFTLOSRExit):
1115
1116 2014-02-26  Oliver Hunt  <oliver@apple.com>
1117
1118         Remove unused access types
1119         https://bugs.webkit.org/show_bug.cgi?id=129385
1120
1121         Reviewed by Filip Pizlo.
1122
1123         Remove unused cruft.
1124
1125         * bytecode/CodeBlock.cpp:
1126         (JSC::CodeBlock::printGetByIdCacheStatus):
1127         * bytecode/StructureStubInfo.cpp:
1128         (JSC::StructureStubInfo::deref):
1129         * bytecode/StructureStubInfo.h:
1130         (JSC::isGetByIdAccess):
1131         (JSC::isPutByIdAccess):
1132
1133 2014-02-26  Oliver Hunt  <oliver@apple.com>
1134
1135         Function.prototype.apply has a bad time with the spread operator
1136         https://bugs.webkit.org/show_bug.cgi?id=129381
1137
1138         Reviewed by Mark Hahnenberg.
1139
1140         Make sure our apply logic handles the spread operator correctly.
1141         To do this we simply emit the enumeration logic that we'd normally
1142         use for other enumerations, but only store the first two results
1143         to registers.  Then perform a varargs call.
1144
1145         * bytecompiler/NodesCodegen.cpp:
1146         (JSC::ApplyFunctionCallDotNode::emitBytecode):
1147
1148 2014-02-26  Mark Lam  <mark.lam@apple.com>
1149
1150         Compilation policy management belongs in operationOptimize(), not the DFG Driver.
1151         <https://webkit.org/b/129355>
1152
1153         Reviewed by Filip Pizlo.
1154
1155         By compilation policy, I mean the rules for determining whether to
1156         compile, when to compile, when to attempt compilation again, etc.  The
1157         few of these policy decisions that were previously being made in the
1158         DFG driver are now moved to operationOptimize() where we keep the rest
1159         of the policy logic.  Decisions that are based on the capabilities
1160         supported by the DFG are moved to DFG capabilityLevel().
1161
1162         I've run the following benchmarks:
1163         1. the collection of jsc benchmarks on the jsc executable vs. its
1164            baseline.
1165         2. Octane 2.0 in browser without the WebInspector.
1166         3. Octane 2.0 in browser with the WebInspector open and a breakpoint
1167            set somewhere where it won't break.
1168
1169         In all of these, the results came out to be a wash as expected.
1170
1171         * dfg/DFGCapabilities.cpp:
1172         (JSC::DFG::isSupported):
1173         (JSC::DFG::mightCompileEval):
1174         (JSC::DFG::mightCompileProgram):
1175         (JSC::DFG::mightCompileFunctionForCall):
1176         (JSC::DFG::mightCompileFunctionForConstruct):
1177         (JSC::DFG::mightInlineFunctionForCall):
1178         (JSC::DFG::mightInlineFunctionForClosureCall):
1179         (JSC::DFG::mightInlineFunctionForConstruct):
1180         * dfg/DFGCapabilities.h:
1181         * dfg/DFGDriver.cpp:
1182         (JSC::DFG::compileImpl):
1183         * jit/JITOperations.cpp:
1184
1185 2014-02-26  Mark Lam  <mark.lam@apple.com>
1186
1187         ASSERTION FAILED: m_heap->vm()->currentThreadIsHoldingAPILock() in inspector-protocol/*.
1188         <https://webkit.org/b/129364>
1189
1190         Reviewed by Alexey Proskuryakov.
1191
1192         InjectedScriptModule::ensureInjected() needs an APIEntryShim.
1193
1194         * inspector/InjectedScriptModule.cpp:
1195         (Inspector::InjectedScriptModule::ensureInjected):
1196         - Added the needed but missing APIEntryShim. 
1197
1198 2014-02-25  Mark Lam  <mark.lam@apple.com>
1199
1200         Web Inspector: CRASH when evaluating in console of JSContext RWI with disabled breakpoints.
1201         <https://webkit.org/b/128766>
1202
1203         Reviewed by Geoffrey Garen.
1204
1205         Make the JSLock::grabAllLocks() work the same way as for the C loop LLINT.
1206         The reasoning is that we don't know of any clients that need unordered
1207         re-entry into the VM from different threads. So, we're enforcing ordered
1208         re-entry, i.e. we must re-grab locks in the reverse order of dropping locks.
1209
1210         The crash in this bug happened because we were allowing unordered re-entry,
1211         and the following type of scenario occurred:
1212
1213         1. Thread T1 locks the VM, and enters the VM to execute some JS code.
1214         2. On entry, T1 detects that VM::m_entryScope is null, i.e. this is the
1215            first time it entered the VM.
1216            T1 sets VM::m_entryScope to T1's entryScope.
1217         3. T1 drops all locks.
1218
1219         4. Thread T2 locks the VM, and enters the VM to execute some JS code.
1220            On entry, T2 sees that VM::m_entryScope is NOT null, and therefore
1221            does not set the entryScope.
1222         5. T2 drops all locks.
1223
1224         6. T1 re-grabs locks.
1225         7. T1 returns all the way out of JS code. On exit from the outermost
1226            JS function, T1 clears VM::m_entryScope (because T1 was the one who
1227            set it).
1228         8. T1 unlocks the VM.
1229
1230         9. T2 re-grabs locks.
1231         10. T2 proceeds to execute some code and expects VM::m_entryScope to be
1232             NOT null, but it turns out to be null. Assertion failures and
1233             crashes ensue.
1234
1235         With ordered re-entry, at step 6, T1 will loop and yield until T2 exits
1236         the VM. Hence, the issue will no longer manifest.
1237
1238         * runtime/JSLock.cpp:
1239         (JSC::JSLock::dropAllLocks):
1240         (JSC::JSLock::grabAllLocks):
1241         * runtime/JSLock.h:
1242         (JSC::JSLock::DropAllLocks::dropDepth):
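
        The T1/T2 interleaving above, replayed as an added model that is not JavaScriptCore's JSLock (ModelVM, ModelLock and replayScenario are names invented here), so the unordered and ordered re-entry policies can be compared deterministically:

```cpp
// Added model, not JavaScriptCore code: ModelVM, ModelLock and replayScenario are
// invented here, and the two threads' steps are interleaved by hand so the replay is
// deterministic. Ordered mode applies the rule "re-grab in the reverse order of dropping".
#include <cassert>
#include <cstddef>
#include <vector>

struct ModelVM {
    int entryScopeOwner = 0; // stands in for VM::m_entryScope; 0 means "null"
};

class ModelLock {
public:
    ModelLock(ModelVM& vm, bool orderedReentry) : m_vm(vm), m_ordered(orderedReentry) {}

    bool lock(int thread) {
        if (m_owner && m_owner != thread) return false; // another thread holds the VM
        m_owner = thread; ++m_lockCount;
        return true;
    }
    void unlock(int thread) {
        assert(m_owner == thread);
        if (!--m_lockCount) m_owner = 0;
    }
    // First thread into the VM sets the entry scope; a nested entry while the
    // scope is already set leaves it alone (steps 2 and 4).
    void enterVM(int thread) {
        assert(m_owner == thread);
        if (!m_vm.entryScopeOwner) m_vm.entryScopeOwner = thread;
    }
    // Leaving the outermost JS frame: only the thread that set the scope clears it (step 7).
    void exitVM(int thread) {
        assert(m_owner == thread);
        if (m_vm.entryScopeOwner == thread) m_vm.entryScopeOwner = 0;
    }
    // Give the VM up entirely; the returned depth identifies this drop when re-grabbing.
    int dropAllLocks(int thread) {
        assert(m_owner == thread);
        m_drops.push_back({thread, m_lockCount});
        m_owner = 0; m_lockCount = 0;
        return static_cast<int>(m_drops.size());
    }
    // Re-grab after a drop. Returns false where the real code would loop and yield:
    // another thread holds the VM, or (ordered mode) a later drop is still outstanding.
    bool tryGrabAllLocks(int thread, int dropDepth) {
        if (m_owner) return false;
        std::size_t index = 0;
        if (m_ordered) {
            if (static_cast<int>(m_drops.size()) != dropDepth || m_drops.back().thread != thread)
                return false;
            index = m_drops.size() - 1;
        } else {
            while (m_drops[index].thread != thread) ++index; // unordered: take ours wherever it is
        }
        m_owner = thread;
        m_lockCount = m_drops[index].savedLockCount;
        m_drops.erase(m_drops.begin() + index);
        return true;
    }

private:
    struct Drop { int thread; int savedLockCount; };
    ModelVM& m_vm;
    bool m_ordered;
    int m_owner = 0;
    int m_lockCount = 0;
    std::vector<Drop> m_drops;
};

struct ReplayResult {
    bool t1RegrabbedEarly; // step 6: did T1 get back in before T2 was done?
    bool t2SawEntryScope;  // step 10: was the entry scope still non-null for T2?
};

// Replays steps 1-10 of the entry above under one of the two re-entry policies.
ReplayResult replayScenario(bool orderedReentry) {
    ModelVM vm;
    ModelLock lock(vm, orderedReentry);
    const int T1 = 1, T2 = 2;
    ReplayResult r{};
    lock.lock(T1); lock.enterVM(T1);                        // steps 1-2
    int t1Depth = lock.dropAllLocks(T1);                    // step 3
    lock.lock(T2); lock.enterVM(T2);                        // step 4
    int t2Depth = lock.dropAllLocks(T2);                    // step 5
    r.t1RegrabbedEarly = lock.tryGrabAllLocks(T1, t1Depth); // step 6
    if (r.t1RegrabbedEarly) {
        lock.exitVM(T1);                                    // step 7: T1 clears the scope it set
        lock.unlock(T1);                                    // step 8
    }
    bool t2Back = lock.tryGrabAllLocks(T2, t2Depth);        // step 9
    assert(t2Back);
    r.t2SawEntryScope = vm.entryScopeOwner != 0;            // step 10
    lock.exitVM(T2); lock.unlock(T2);
    if (!r.t1RegrabbedEarly) {                              // ordered: T1 stops yielding now
        bool t1Back = lock.tryGrabAllLocks(T1, t1Depth);
        assert(t1Back);
        lock.exitVM(T1); lock.unlock(T1);
    }
    return r;
}
```

        Unordered mode reproduces step 10 with a null entry scope; ordered mode makes T1's re-grab at step 6 yield until T2 has left the VM.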
1243
1244 2014-02-25  Mark Lam  <mark.lam@apple.com>
1245
1246         Need to initialize VM stack data even when the VM is on an exclusive thread.
1247         <https://webkit.org/b/129265>
1248
1249         Not reviewed.
1250
1251         Relanding r164627 now that <https://webkit.org/b/129341> is fixed.
1252
1253         * API/APIShims.h:
1254         (JSC::APIEntryShim::APIEntryShim):
1255         (JSC::APICallbackShim::shouldDropAllLocks):
1256         * heap/MachineStackMarker.cpp:
1257         (JSC::MachineThreads::addCurrentThread):
1258         * runtime/JSLock.cpp:
1259         (JSC::JSLockHolder::JSLockHolder):
1260         (JSC::JSLockHolder::init):
1261         (JSC::JSLockHolder::~JSLockHolder):
1262         (JSC::JSLock::JSLock):
1263         (JSC::JSLock::setExclusiveThread):
1264         (JSC::JSLock::lock):
1265         (JSC::JSLock::unlock):
1266         (JSC::JSLock::currentThreadIsHoldingLock):
1267         (JSC::JSLock::dropAllLocks):
1268         (JSC::JSLock::grabAllLocks):
1269         * runtime/JSLock.h:
1270         (JSC::JSLock::hasExclusiveThread):
1271         (JSC::JSLock::exclusiveThread):
1272         * runtime/VM.cpp:
1273         (JSC::VM::VM):
1274         * runtime/VM.h:
1275         (JSC::VM::hasExclusiveThread):
1276         (JSC::VM::exclusiveThread):
1277         (JSC::VM::setExclusiveThread):
1278         (JSC::VM::currentThreadIsHoldingAPILock):
1279
1280 2014-02-25  Filip Pizlo  <fpizlo@apple.com>
1281
1282         Inline caching in the FTL on ARM64 should "work"
1283         https://bugs.webkit.org/show_bug.cgi?id=129334
1284
1285         Reviewed by Mark Hahnenberg.
1286         
1287         Gets us to the point where simple tests that use inline caching are passing.
1288
1289         * assembler/LinkBuffer.cpp:
1290         (JSC::LinkBuffer::copyCompactAndLinkCode):
1291         (JSC::LinkBuffer::shrink):
1292         * ftl/FTLInlineCacheSize.cpp:
1293         (JSC::FTL::sizeOfGetById):
1294         (JSC::FTL::sizeOfPutById):
1295         (JSC::FTL::sizeOfCall):
1296         * ftl/FTLOSRExitCompiler.cpp:
1297         (JSC::FTL::compileFTLOSRExit):
1298         * ftl/FTLThunks.cpp:
1299         (JSC::FTL::osrExitGenerationThunkGenerator):
1300         * jit/GPRInfo.h:
1301         * offlineasm/arm64.rb:
1302
1303 2014-02-25  Commit Queue  <commit-queue@webkit.org>
1304
1305         Unreviewed, rolling out r164627.
1306         http://trac.webkit.org/changeset/164627
1307         https://bugs.webkit.org/show_bug.cgi?id=129325
1308
1309         Broke SubtleCrypto tests (Requested by ap on #webkit).
1310
1311         * API/APIShims.h:
1312         (JSC::APIEntryShim::APIEntryShim):
1313         (JSC::APICallbackShim::shouldDropAllLocks):
1314         * heap/MachineStackMarker.cpp:
1315         (JSC::MachineThreads::addCurrentThread):
1316         * runtime/JSLock.cpp:
1317         (JSC::JSLockHolder::JSLockHolder):
1318         (JSC::JSLockHolder::init):
1319         (JSC::JSLockHolder::~JSLockHolder):
1320         (JSC::JSLock::JSLock):
1321         (JSC::JSLock::lock):
1322         (JSC::JSLock::unlock):
1323         (JSC::JSLock::currentThreadIsHoldingLock):
1324         (JSC::JSLock::dropAllLocks):
1325         (JSC::JSLock::grabAllLocks):
1326         * runtime/JSLock.h:
1327         * runtime/VM.cpp:
1328         (JSC::VM::VM):
1329         * runtime/VM.h:
1330         (JSC::VM::currentThreadIsHoldingAPILock):
1331
1332 2014-02-25  Filip Pizlo  <fpizlo@apple.com>
1333
1334         ARM64 rshift64 should be an arithmetic shift
1335         https://bugs.webkit.org/show_bug.cgi?id=129323
1336
1337         Reviewed by Mark Hahnenberg.
1338
1339         * assembler/MacroAssemblerARM64.h:
1340         (JSC::MacroAssemblerARM64::rshift64):
1341
1342 2014-02-25  Sergio Villar Senin  <svillar@igalia.com>
1343
1344         [CSS Grid Layout] Add ENABLE flag
1345         https://bugs.webkit.org/show_bug.cgi?id=129153
1346
1347         Reviewed by Simon Fraser.
1348
1349         * Configurations/FeatureDefines.xcconfig: added ENABLE_CSS_GRID_LAYOUT feature flag.
1350
1351 2014-02-25  Michael Saboff  <msaboff@apple.com>
1352
1353         JIT Engines use the wrong stack limit for stack checks
1354         https://bugs.webkit.org/show_bug.cgi?id=129314
1355
1356         Reviewed by Filip Pizlo.
1357
1358         Change the Baseline and DFG code to use VM::m_stackLimit for stack limit checks.
1359
1360         * dfg/DFGJITCompiler.cpp:
1361         (JSC::DFG::JITCompiler::compileFunction):
1362         * jit/JIT.cpp:
1363         (JSC::JIT::privateCompile):
1364         * jit/JITCall.cpp:
1365         (JSC::JIT::compileLoadVarargs):
1366         * jit/JITCall32_64.cpp:
1367         (JSC::JIT::compileLoadVarargs):
1368         * runtime/VM.h:
1369         (JSC::VM::addressOfStackLimit):
1370
1371 2014-02-25  Filip Pizlo  <fpizlo@apple.com>
1372
1373         Unreviewed, roll out http://trac.webkit.org/changeset/164493.
1374         
1375         It causes crashes, apparently because it's removing too many barriers. I will investigate
1376         later.
1377
1378         * bytecode/SpeculatedType.cpp:
1379         (JSC::speculationToAbbreviatedString):
1380         * bytecode/SpeculatedType.h:
1381         * dfg/DFGFixupPhase.cpp:
1382         (JSC::DFG::FixupPhase::fixupNode):
1383         (JSC::DFG::FixupPhase::insertStoreBarrier):
1384         * dfg/DFGNode.h:
1385         * ftl/FTLCapabilities.cpp:
1386         (JSC::FTL::canCompile):
1387         * ftl/FTLLowerDFGToLLVM.cpp:
1388         (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
1389         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
1390         (JSC::FTL::LowerDFGToLLVM::isNotNully):
1391         (JSC::FTL::LowerDFGToLLVM::isNully):
1392         (JSC::FTL::LowerDFGToLLVM::speculate):
1393         (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
1394         (JSC::FTL::LowerDFGToLLVM::speculateNotCell):
1395
1396 2014-02-24  Oliver Hunt  <oliver@apple.com>
1397
1398         Fix build.
1399
1400         * jit/CCallHelpers.h:
1401         (JSC::CCallHelpers::setupArgumentsWithExecState):
1402
1403 2014-02-24  Oliver Hunt  <oliver@apple.com>
1404
1405         Spread operator has a bad time when applied to call function
1406         https://bugs.webkit.org/show_bug.cgi?id=128853
1407
1408         Reviewed by Geoffrey Garen.
1409
1410         Follow on from the previous patch that added an extra slot to
1411         op_call_varargs (and _call, _call_eval, _construct).  We now
1412         use the slot as an offset to in effect act as a 'slice' on
1413         the spread subject.  This allows us to automatically retain
1414         all our existing argument and array optimisations.  Most of
1415         this patch is simply threading the offset around.
1416
1417         * bytecode/CodeBlock.cpp:
1418         (JSC::CodeBlock::dumpBytecode):
1419         * bytecompiler/BytecodeGenerator.cpp:
1420         (JSC::BytecodeGenerator::emitCall):
1421         (JSC::BytecodeGenerator::emitCallVarargs):
1422         * bytecompiler/BytecodeGenerator.h:
1423         * bytecompiler/NodesCodegen.cpp:
1424         (JSC::getArgumentByVal):
1425         (JSC::CallFunctionCallDotNode::emitBytecode):
1426         (JSC::ApplyFunctionCallDotNode::emitBytecode):
1427         * interpreter/Interpreter.cpp:
1428         (JSC::sizeFrameForVarargs):
1429         (JSC::loadVarargs):
1430         * interpreter/Interpreter.h:
1431         * jit/CCallHelpers.h:
1432         (JSC::CCallHelpers::setupArgumentsWithExecState):
1433         * jit/JIT.h:
1434         * jit/JITCall.cpp:
1435         (JSC::JIT::compileLoadVarargs):
1436         * jit/JITInlines.h:
1437         (JSC::JIT::callOperation):
1438         * jit/JITOperations.cpp:
1439         * jit/JITOperations.h:
1440         * llint/LLIntSlowPaths.cpp:
1441         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1442         * runtime/Arguments.cpp:
1443         (JSC::Arguments::copyToArguments):
1444         * runtime/Arguments.h:
1445         * runtime/JSArray.cpp:
1446         (JSC::JSArray::copyToArguments):
1447         * runtime/JSArray.h:
1448
1449 2014-02-24  Mark Lam  <mark.lam@apple.com>
1450
1451         Need to initialize VM stack data even when the VM is on an exclusive thread.
1452         <https://webkit.org/b/129265>
1453
1454         Reviewed by Geoffrey Garen.
1455
1456         We check VM::exclusiveThread as an optimization to forego the need to do
1457         JSLock locking. However, we recently started piggy backing on JSLock's
1458         lock() and unlock() to initialize VM stack data (stackPointerAtVMEntry
1459         and lastStackTop) to appropriate values for the current thread. This is
1460         needed because we may be acquiring the lock to enter the VM on a different
1461         thread.
1462
1463         As a result, we ended up not initializing the VM stack data when
1464         VM::exclusiveThread causes us to bypass the locking activity. Even though
1465         the VM::exclusiveThread will not have to deal with the VM being entered
1466         on a different thread, it still needs to initialize the VM stack data.
1467         The VM relies on that data being initialized properly once it has been
1468         entered.
1469
1470         With this fix, we push the check for exclusiveThread down into the JSLock,
1471         and handle the bypassing of unneeded locking activity there while still
1472         executing the necessary VM stack data initialization.
1473
1474         * API/APIShims.h:
1475         (JSC::APIEntryShim::APIEntryShim):
1476         (JSC::APICallbackShim::shouldDropAllLocks):
1477         * heap/MachineStackMarker.cpp:
1478         (JSC::MachineThreads::addCurrentThread):
1479         * runtime/JSLock.cpp:
1480         (JSC::JSLockHolder::JSLockHolder):
1481         (JSC::JSLockHolder::init):
1482         (JSC::JSLockHolder::~JSLockHolder):
1483         (JSC::JSLock::JSLock):
1484         (JSC::JSLock::setExclusiveThread):
1485         (JSC::JSLock::lock):
1486         (JSLock::unlock):
1487         (JSLock::currentThreadIsHoldingLock):
1488         (JSLock::dropAllLocks):
1489         (JSLock::grabAllLocks):
1490         * runtime/JSLock.h:
1491         (JSC::JSLock::exclusiveThread):
1492         * runtime/VM.cpp:
1493         (JSC::VM::VM):
1494         * runtime/VM.h:
1495         (JSC::VM::exclusiveThread):
1496         (JSC::VM::setExclusiveThread):
1497         (JSC::VM::currentThreadIsHoldingAPILock):
1498
1499 2014-02-24  Filip Pizlo  <fpizlo@apple.com>
1500
1501         FTL should do polymorphic PutById inlining
1502         https://bugs.webkit.org/show_bug.cgi?id=129210
1503
1504         Reviewed by Mark Hahnenberg and Oliver Hunt.
1505         
1506         This makes PutByIdStatus inform us about polymorphic cases by returning an array of
1507         PutByIdVariants. The DFG now has a node called MultiPutByOffset that indicates a
1508         selection of multiple inlined PutByIdVariants.
1509         
1510         MultiPutByOffset is almost identical to MultiGetByOffset, which we added in
1511         http://trac.webkit.org/changeset/164207.
1512         
1513         This also does some FTL refactoring to make MultiPutByOffset share code with some nodes
1514         that generate similar code.
1515         
1516         1% speed-up on V8v7 due to splay improving by 6.8%. Splay does the thing where it
1517         sometimes swaps field insertion order, creating fake polymorphism.
1518
1519         * CMakeLists.txt:
1520         * GNUmakefile.list.am:
1521         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1522         * JavaScriptCore.xcodeproj/project.pbxproj:
1523         * bytecode/PutByIdStatus.cpp:
1524         (JSC::PutByIdStatus::computeFromLLInt):
1525         (JSC::PutByIdStatus::computeFor):
1526         (JSC::PutByIdStatus::computeForStubInfo):
1527         (JSC::PutByIdStatus::dump):
1528         * bytecode/PutByIdStatus.h:
1529         (JSC::PutByIdStatus::PutByIdStatus):
1530         (JSC::PutByIdStatus::isSimple):
1531         (JSC::PutByIdStatus::numVariants):
1532         (JSC::PutByIdStatus::variants):
1533         (JSC::PutByIdStatus::at):
1534         (JSC::PutByIdStatus::operator[]):
1535         * bytecode/PutByIdVariant.cpp: Added.
1536         (JSC::PutByIdVariant::dump):
1537         (JSC::PutByIdVariant::dumpInContext):
1538         * bytecode/PutByIdVariant.h: Added.
1539         (JSC::PutByIdVariant::PutByIdVariant):
1540         (JSC::PutByIdVariant::replace):
1541         (JSC::PutByIdVariant::transition):
1542         (JSC::PutByIdVariant::kind):
1543         (JSC::PutByIdVariant::isSet):
1544         (JSC::PutByIdVariant::operator!):
1545         (JSC::PutByIdVariant::structure):
1546         (JSC::PutByIdVariant::oldStructure):
1547         (JSC::PutByIdVariant::newStructure):
1548         (JSC::PutByIdVariant::structureChain):
1549         (JSC::PutByIdVariant::offset):
1550         * dfg/DFGAbstractInterpreterInlines.h:
1551         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1552         * dfg/DFGByteCodeParser.cpp:
1553         (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
1554         (JSC::DFG::ByteCodeParser::handleGetById):
1555         (JSC::DFG::ByteCodeParser::emitPutById):
1556         (JSC::DFG::ByteCodeParser::handlePutById):
1557         (JSC::DFG::ByteCodeParser::parseBlock):
1558         * dfg/DFGCSEPhase.cpp:
1559         (JSC::DFG::CSEPhase::checkStructureElimination):
1560         (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
1561         (JSC::DFG::CSEPhase::putStructureStoreElimination):
1562         (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
1563         (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
1564         * dfg/DFGClobberize.h:
1565         (JSC::DFG::clobberize):
1566         * dfg/DFGConstantFoldingPhase.cpp:
1567         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1568         (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
1569         * dfg/DFGFixupPhase.cpp:
1570         (JSC::DFG::FixupPhase::fixupNode):
1571         * dfg/DFGGraph.cpp:
1572         (JSC::DFG::Graph::dump):
1573         * dfg/DFGGraph.h:
1574         * dfg/DFGNode.cpp:
1575         (JSC::DFG::MultiPutByOffsetData::writesStructures):
1576         (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
1577         * dfg/DFGNode.h:
1578         (JSC::DFG::Node::convertToPutByOffset):
1579         (JSC::DFG::Node::hasMultiPutByOffsetData):
1580         (JSC::DFG::Node::multiPutByOffsetData):
1581         * dfg/DFGNodeType.h:
1582         * dfg/DFGPredictionPropagationPhase.cpp:
1583         (JSC::DFG::PredictionPropagationPhase::propagate):
1584         * dfg/DFGSafeToExecute.h:
1585         (JSC::DFG::safeToExecute):
1586         * dfg/DFGSpeculativeJIT32_64.cpp:
1587         (JSC::DFG::SpeculativeJIT::compile):
1588         * dfg/DFGSpeculativeJIT64.cpp:
1589         (JSC::DFG::SpeculativeJIT::compile):
1590         * dfg/DFGTypeCheckHoistingPhase.cpp:
1591         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
1592         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
1593         * ftl/FTLCapabilities.cpp:
1594         (JSC::FTL::canCompile):
1595         * ftl/FTLLowerDFGToLLVM.cpp:
1596         (JSC::FTL::LowerDFGToLLVM::compileNode):
1597         (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
1598         (JSC::FTL::LowerDFGToLLVM::compileAllocatePropertyStorage):
1599         (JSC::FTL::LowerDFGToLLVM::compileReallocatePropertyStorage):
1600         (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
1601         (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
1602         (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
1603         (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
1604         (JSC::FTL::LowerDFGToLLVM::loadProperty):
1605         (JSC::FTL::LowerDFGToLLVM::storeProperty):
1606         (JSC::FTL::LowerDFGToLLVM::addressOfProperty):
1607         (JSC::FTL::LowerDFGToLLVM::storageForTransition):
1608         (JSC::FTL::LowerDFGToLLVM::allocatePropertyStorage):
1609         (JSC::FTL::LowerDFGToLLVM::reallocatePropertyStorage):
1610         (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
1611         * tests/stress/fold-multi-put-by-offset-to-put-by-offset.js: Added.
1612         * tests/stress/multi-put-by-offset-reallocation-butterfly-cse.js: Added.
1613         * tests/stress/multi-put-by-offset-reallocation-cases.js: Added.
1614
1615 2014-02-24  peavo@outlook.com  <peavo@outlook.com>
1616
1617         JSC regressions after r164494
1618         https://bugs.webkit.org/show_bug.cgi?id=129272
1619
1620         Reviewed by Mark Lam.
1621
1622         * offlineasm/x86.rb: Only avoid reverse opcode (fdivr) for Windows.
1623
1624 2014-02-24  Tamas Gergely  <tgergely.u-szeged@partner.samsung.com>
1625
1626         Code cleanup: remove leftover ENABLE(WORKERS) macros and support.
1627         https://bugs.webkit.org/show_bug.cgi?id=129255
1628
1629         Reviewed by Csaba Osztrogonác.
1630
1631         ENABLE_WORKERS macro was removed in r159679.
1632         Support is now also removed from xcconfig files.
1633
1634         * Configurations/FeatureDefines.xcconfig:
1635
1636 2014-02-24  David Kilzer  <ddkilzer@apple.com>
1637
1638         Remove redundant setting in FeatureDefines.xcconfig
1639
1640         * Configurations/FeatureDefines.xcconfig:
1641
1642 2014-02-23  Sam Weinig  <sam@webkit.org>
1643
1644         Update FeatureDefines.xcconfig
1645
1646         Rubber-stamped by Anders Carlsson.
1647
1648         * Configurations/FeatureDefines.xcconfig:
1649
1650 2014-02-23  Dean Jackson  <dino@apple.com>
1651
1652         Sort the project file with sort-Xcode-project-file.
1653
1654         Rubber-stamped by Sam Weinig.
1655
1656         * JavaScriptCore.xcodeproj/project.pbxproj:
1657
1658 2014-02-23  Sam Weinig  <sam@webkit.org>
1659
1660         Move telephone number detection behind its own ENABLE macro
1661         https://bugs.webkit.org/show_bug.cgi?id=129236
1662
1663         Reviewed by Dean Jackson.
1664
1665         * Configurations/FeatureDefines.xcconfig:
1666         Add ENABLE_TELEPHONE_NUMBER_DETECTION.
1667
1668 2014-02-22  Filip Pizlo  <fpizlo@apple.com>
1669
1670         Refine DFG+FTL inlining and compilation limits
1671         https://bugs.webkit.org/show_bug.cgi?id=129212
1672
1673         Reviewed by Mark Hahnenberg.
1674         
1675         Allow larger functions to be DFG-compiled. Institute a limit on FTL compilation,
1676         and set that limit quite high. Institute a limit on inlining-into. The idea here is
1677         that large functions tend to be autogenerated, and code generators like emscripten
1678         appear to leave few inlining opportunities anyway. Also, we don't want the code
1679         size explosion that we would risk if we allowed compilation of a large function and
1680         then inlined a ton of stuff into it.
1681         
1682         This is a 0.5% speed-up on Octane v2 and almost eliminates the typescript
1683         regression. This is a 9% speed-up on AsmBench.
1684
1685         * bytecode/CodeBlock.cpp:
1686         (JSC::CodeBlock::noticeIncomingCall):
1687         * dfg/DFGByteCodeParser.cpp:
1688         (JSC::DFG::ByteCodeParser::handleInlining):
1689         * dfg/DFGCapabilities.h:
1690         (JSC::DFG::isSmallEnoughToInlineCodeInto):
1691         * ftl/FTLCapabilities.cpp:
1692         (JSC::FTL::canCompile):
1693         * ftl/FTLState.h:
1694         (JSC::FTL::shouldShowDisassembly):
1695         * runtime/Options.h:
1696
1697 2014-02-22  Dan Bernstein  <mitz@apple.com>
1698
1699         REGRESSION (r164507): Crash beneath JSGlobalObjectInspectorController::reportAPIException at facebook.com, twitter.com, youtube.com
1700         https://bugs.webkit.org/show_bug.cgi?id=129227
1701
1702         Reviewed by Eric Carlson.
1703
1704         Reverted r164507.
1705
1706         * API/JSBase.cpp:
1707         (JSEvaluateScript):
1708         (JSCheckScriptSyntax):
1709         * API/JSObjectRef.cpp:
1710         (JSObjectMakeFunction):
1711         (JSObjectMakeArray):
1712         (JSObjectMakeDate):
1713         (JSObjectMakeError):
1714         (JSObjectMakeRegExp):
1715         (JSObjectGetProperty):
1716         (JSObjectSetProperty):
1717         (JSObjectGetPropertyAtIndex):
1718         (JSObjectSetPropertyAtIndex):
1719         (JSObjectDeleteProperty):
1720         (JSObjectCallAsFunction):
1721         (JSObjectCallAsConstructor):
1722         * API/JSValue.mm:
1723         (valueToArray):
1724         (valueToDictionary):
1725         * API/JSValueRef.cpp:
1726         (JSValueIsEqual):
1727         (JSValueIsInstanceOfConstructor):
1728         (JSValueCreateJSONString):
1729         (JSValueToNumber):
1730         (JSValueToStringCopy):
1731         (JSValueToObject):
1732         * inspector/ConsoleMessage.cpp:
1733         (Inspector::ConsoleMessage::ConsoleMessage):
1734         (Inspector::ConsoleMessage::autogenerateMetadata):
1735         * inspector/ConsoleMessage.h:
1736         * inspector/JSGlobalObjectInspectorController.cpp:
1737         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1738         * inspector/JSGlobalObjectInspectorController.h:
1739         * inspector/ScriptCallStack.cpp:
1740         * inspector/ScriptCallStack.h:
1741         * inspector/ScriptCallStackFactory.cpp:
1742         (Inspector::createScriptCallStack):
1743         (Inspector::createScriptCallStackForConsole):
1744         (Inspector::createScriptCallStackFromException):
1745         * inspector/ScriptCallStackFactory.h:
1746         * inspector/agents/InspectorConsoleAgent.cpp:
1747         (Inspector::InspectorConsoleAgent::enable):
1748         (Inspector::InspectorConsoleAgent::addMessageToConsole):
1749         (Inspector::InspectorConsoleAgent::count):
1750         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
1751         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
1752
1753 2014-02-22  Joseph Pecoraro  <pecoraro@apple.com>
1754
1755         Remove some unreachable code (-Wunreachable-code)
1756         https://bugs.webkit.org/show_bug.cgi?id=129220
1757
1758         Reviewed by Eric Carlson.
1759
1760         * API/tests/testapi.c:
1761         (EvilExceptionObject_convertToType):
1762         * disassembler/udis86/udis86_decode.c:
1763         (decode_operand):
1764
1765 2014-02-22  Filip Pizlo  <fpizlo@apple.com>
1766
1767         Unreviewed, ARMv7 build fix.
1768
1769         * assembler/ARMv7Assembler.h:
1770
1771 2014-02-21  Filip Pizlo  <fpizlo@apple.com>
1772
1773         It should be possible for a LinkBuffer to outlive the MacroAssembler and still be useful
1774         https://bugs.webkit.org/show_bug.cgi?id=124733
1775
1776         Reviewed by Oliver Hunt.
1777         
1778         This also takes the opportunity to de-duplicate some branch compaction code.
1779
1780         * assembler/ARM64Assembler.h:
1781         * assembler/ARMv7Assembler.h:
1782         (JSC::ARMv7Assembler::buffer):
1783         * assembler/AssemblerBuffer.h:
1784         (JSC::AssemblerData::AssemblerData):
1785         (JSC::AssemblerBuffer::AssemblerBuffer):
1786         (JSC::AssemblerBuffer::storage):
1787         (JSC::AssemblerBuffer::grow):
1788         * assembler/LinkBuffer.h:
1789         (JSC::LinkBuffer::LinkBuffer):
1790         (JSC::LinkBuffer::executableOffsetFor):
1791         (JSC::LinkBuffer::applyOffset):
1792         * assembler/MacroAssemblerARM64.h:
1793         (JSC::MacroAssemblerARM64::link):
1794         * assembler/MacroAssemblerARMv7.h:
1795
1796 2014-02-21  Brent Fulgham  <bfulgham@apple.com>
1797
1798         Extend media support for WebVTT sources
1799         https://bugs.webkit.org/show_bug.cgi?id=129156
1800
1801         Reviewed by Eric Carlson.
1802
1803         * Configurations/FeatureDefines.xcconfig: Add new feature define for AVF_CAPTIONS
1804
1805 2014-02-21  Joseph Pecoraro  <pecoraro@apple.com>
1806
1807         Web Inspector: JSContext inspection should report exceptions in the console
1808         https://bugs.webkit.org/show_bug.cgi?id=128776
1809
1810         Reviewed by Timothy Hatcher.
1811
1812         When JavaScript API functions have an exception, let the inspector
1813         know so it can log the JavaScript and Native backtrace that caused
1814         the exception.
1815
1816         Include some clean up of ConsoleMessage and ScriptCallStack construction.
1817
1818         * API/JSBase.cpp:
1819         (JSEvaluateScript):
1820         (JSCheckScriptSyntax):
1821         * API/JSObjectRef.cpp:
1822         (JSObjectMakeFunction):
1823         (JSObjectMakeArray):
1824         (JSObjectMakeDate):
1825         (JSObjectMakeError):
1826         (JSObjectMakeRegExp):
1827         (JSObjectGetProperty):
1828         (JSObjectSetProperty):
1829         (JSObjectGetPropertyAtIndex):
1830         (JSObjectSetPropertyAtIndex):
1831         (JSObjectDeleteProperty):
1832         (JSObjectCallAsFunction):
1833         (JSObjectCallAsConstructor):
1834         * API/JSValue.mm:
1835         (reportExceptionToInspector):
1836         (valueToArray):
1837         (valueToDictionary):
1838         * API/JSValueRef.cpp:
1839         (JSValueIsEqual):
1840         (JSValueIsInstanceOfConstructor):
1841         (JSValueCreateJSONString):
1842         (JSValueToNumber):
1843         (JSValueToStringCopy):
1844         (JSValueToObject):
1845         When seeing an exception, let the inspector know there was an exception.
1846
1847         * inspector/JSGlobalObjectInspectorController.h:
1848         * inspector/JSGlobalObjectInspectorController.cpp:
1849         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1850         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
1851         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
1852         Log API exceptions by also grabbing the native backtrace.
1853
1854         * inspector/ScriptCallStack.h:
1855         * inspector/ScriptCallStack.cpp:
1856         (Inspector::ScriptCallStack::firstNonNativeCallFrame):
1857         (Inspector::ScriptCallStack::append):
1858         Minor extensions to ScriptCallStack to make it easier to work with.
1859
1860         * inspector/ConsoleMessage.cpp:
1861         (Inspector::ConsoleMessage::ConsoleMessage):
1862         (Inspector::ConsoleMessage::autogenerateMetadata):
1863         Provide better default information if the first call frame was native.
1864
1865         * inspector/ScriptCallStackFactory.cpp:
1866         (Inspector::createScriptCallStack):
1867         (Inspector::extractSourceInformationFromException):
1868         (Inspector::createScriptCallStackFromException):
1869         Perform the handling here of inserting a fake call frame for exceptions
1870         if there was no call stack (e.g. a SyntaxError) or if the first call
1871         frame had no information.
1872
1873         * inspector/ConsoleMessage.cpp:
1874         (Inspector::ConsoleMessage::ConsoleMessage):
1875         (Inspector::ConsoleMessage::autogenerateMetadata):
1876         * inspector/ConsoleMessage.h:
1877         * inspector/ScriptCallStackFactory.cpp:
1878         (Inspector::createScriptCallStack):
1879         (Inspector::createScriptCallStackForConsole):
1880         * inspector/ScriptCallStackFactory.h:
1881         * inspector/agents/InspectorConsoleAgent.cpp:
1882         (Inspector::InspectorConsoleAgent::enable):
1883         (Inspector::InspectorConsoleAgent::addMessageToConsole):
1884         (Inspector::InspectorConsoleAgent::count):
1885         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
1886         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
1887         ConsoleMessage cleanup.
1888
1889 2014-02-21  Oliver Hunt  <oliver@apple.com>
1890
1891         Add extra space to op_call and related opcodes
1892         https://bugs.webkit.org/show_bug.cgi?id=129170
1893
1894         Reviewed by Mark Lam.
1895
1896         No change in behaviour, just some refactoring to add an extra
1897         slot to the op_call instructions, and refactoring to make similar
1898         changes easier in future.
1899
1900         * bytecode/CodeBlock.cpp:
1901         (JSC::CodeBlock::printCallOp):
1902         * bytecode/Opcode.h:
1903         (JSC::padOpcodeName):
1904         * bytecompiler/BytecodeGenerator.cpp:
1905         (JSC::BytecodeGenerator::emitCall):
1906         (JSC::BytecodeGenerator::emitCallVarargs):
1907         (JSC::BytecodeGenerator::emitConstruct):
1908         * dfg/DFGByteCodeParser.cpp:
1909         (JSC::DFG::ByteCodeParser::handleIntrinsic):
1910         * jit/JITCall.cpp:
1911         (JSC::JIT::compileOpCall):
1912         * jit/JITCall32_64.cpp:
1913         (JSC::JIT::compileOpCall):
1914         * llint/LowLevelInterpreter.asm:
1915         * llint/LowLevelInterpreter32_64.asm:
1916         * llint/LowLevelInterpreter64.asm:
1917
1918 2014-02-21  Mark Lam  <mark.lam@apple.com>
1919
1920         gatherFromOtherThread() needs to align the sp before gathering roots.
1921         <https://webkit.org/b/129169>
1922
1923         Reviewed by Geoffrey Garen.
1924
1925         The GC scans the stacks of other threads using MachineThreads::gatherFromOtherThread().
1926         gatherFromOtherThread() defines the range of the other thread's stack as
1927         being bounded by the other thread's stack pointer and stack base. While
1928         the stack base will always be aligned to sizeof(void*), the stack pointer
1929         may not be. This is because the other thread may have just pushed a 32-bit
1930         value on its stack before we suspended it for scanning.
1931
1932         The fix is to round the stack pointer up to the next aligned address of
1933         sizeof(void*) and start scanning from there. On 64-bit systems, we will
1934         effectively ignore the 32-bit word at the bottom of the stack (top of the
1935         stack for stacks growing up) because it cannot be a 64-bit pointer anyway.
1936         64-bit pointers should always be stored on 64-bit aligned boundaries (our
1937         conservative scan algorithm already depends on this assumption).
1938
1939         On 32-bit systems, the rounding is effectively a no-op.
1940
1941         * heap/ConservativeRoots.cpp:
1942         (JSC::ConservativeRoots::genericAddSpan):
1943         - Hardened some assertions so that we can catch misalignment issues on
1944           release builds as well.
1945         * heap/MachineStackMarker.cpp:
1946         (JSC::MachineThreads::gatherFromOtherThread):
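
        The alignment fix described in this entry, as an added illustration that is
        not JavaScriptCore code: a miniature conservative scan over a constructed
        fake stack whose stack pointer is only half-word aligned. All function and
        type names here are invented for the example; only the rounding rule and the
        hardened span check follow what the entry states.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Round p up to the next multiple of sizeof(void*); a no-op if already aligned
// (and always a no-op on 32-bit, where sizeof(void*) equals the push granularity).
static inline uintptr_t roundUpToPointerAlignment(uintptr_t p)
{
    const uintptr_t mask = sizeof(void*) - 1;
    return (p + mask) & ~mask;
}

// Conservative scan of [begin, end): every pointer-sized word equal to a known
// object address is reported as a root. Returns false without scanning when the
// span is misaligned or inverted; this is the check the entry says was hardened
// so that it also fires in release builds.
static bool scanSpan(const void* begin, const void* end,
                     const std::vector<uintptr_t>& objects,
                     std::vector<uintptr_t>& roots)
{
    uintptr_t b = reinterpret_cast<uintptr_t>(begin);
    uintptr_t e = reinterpret_cast<uintptr_t>(end);
    if ((b % sizeof(void*)) || (e % sizeof(void*)) || b > e)
        return false;
    for (uintptr_t p = b; p < e; p += sizeof(void*)) {
        uintptr_t word;
        std::memcpy(&word, reinterpret_cast<const void*>(p), sizeof(word));
        for (uintptr_t object : objects) {
            if (word == object)
                roots.push_back(word);
        }
    }
    return true;
}

// gatherFromOtherThread-style entry point for a downward-growing stack: take
// the raw (possibly misaligned) stack pointer of the suspended thread, round it
// up, and scan from there to the stack base. On 64-bit the rounding skips the
// 32-bit word at the bottom, which cannot hold a 64-bit pointer anyway.
static std::vector<uintptr_t> gatherRootsFromStack(const void* rawStackPointer,
                                                   const void* stackBase,
                                                   const std::vector<uintptr_t>& objects)
{
    uintptr_t sp = roundUpToPointerAlignment(reinterpret_cast<uintptr_t>(rawStackPointer));
    std::vector<uintptr_t> roots;
    scanSpan(reinterpret_cast<const void*>(sp), stackBase, objects, roots);
    return roots;
}

// Constructed scenario: a fake stack whose bottom slot holds a 32-bit push and
// whose next slot holds the address of a live "heap object". Returns how many
// roots the scan reports; the right answer is exactly one either way.
static size_t rootsFoundInScenario(bool misalignedStackPointer)
{
    int object = 42;                                   // the object we expect to find
    alignas(16) uintptr_t slots[4] = { 0x12345678u,    // 32-bit value pushed last
                                       reinterpret_cast<uintptr_t>(&object),
                                       0, 0 };
    const char* bottom = reinterpret_cast<const char*>(slots);
    const void* rawSp = misalignedStackPointer ? bottom + sizeof(void*) / 2 : bottom;
    const void* base = slots + 4;
    std::vector<uintptr_t> objects = { reinterpret_cast<uintptr_t>(&object) };
    return gatherRootsFromStack(rawSp, base, objects).size();
}
```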
1947
1948 2014-02-21  Matthew Mirman  <mmirman@apple.com>
1949
1950         Added a GetMyArgumentsLengthSafe and added a speculation check.
1951         https://bugs.webkit.org/show_bug.cgi?id=129051
1952
1953         Reviewed by Filip Pizlo.
1954
1955         * ftl/FTLLowerDFGToLLVM.cpp:
1956         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
1957
1958 2014-02-21  peavo@outlook.com  <peavo@outlook.com>
1959
1960         [Win][LLINT] Many JSC stress test failures.
1961         https://bugs.webkit.org/show_bug.cgi?id=129155
1962
1963         Reviewed by Michael Saboff.
1964
1965         Intel syntax has reversed operand order compared to AT&T syntax, so we need to swap the operand order, in this case on floating point operations.
1966         Also avoid using the reverse opcode (e.g. fdivr), as this puts the result at the wrong position in the floating point stack.
1967         E.g. "divd ft0, ft1" would translate to fdivr st, st(1) (Intel syntax) on Windows, but this puts the result in st, when it should be in st(1).
1968
1969         * offlineasm/x86.rb: Swap operand order on Windows.
1970
1971 2014-02-21  Filip Pizlo  <fpizlo@apple.com>
1972
1973         DFG write barriers should do more speculations
1974         https://bugs.webkit.org/show_bug.cgi?id=129160
1975
1976         Reviewed by Mark Hahnenberg.
1977         
1978         Replace ConditionalStoreBarrier with the cheapest speculation that you could do
1979         instead.
1980         
1981         Minuscule speed-up on some things. It's a decent difference in code size, though.
1982
1983         * bytecode/SpeculatedType.cpp:
1984         (JSC::speculationToAbbreviatedString):
1985         * bytecode/SpeculatedType.h:
1986         (JSC::isNotCellSpeculation):
1987         * dfg/DFGFixupPhase.cpp:
1988         (JSC::DFG::FixupPhase::fixupNode):
1989         (JSC::DFG::FixupPhase::insertStoreBarrier):
1990         (JSC::DFG::FixupPhase::insertPhantomCheck):
1991         * dfg/DFGNode.h:
1992         (JSC::DFG::Node::shouldSpeculateOther):
1993         (JSC::DFG::Node::shouldSpeculateNotCell):
1994         * ftl/FTLCapabilities.cpp:
1995         (JSC::FTL::canCompile):
1996         * ftl/FTLLowerDFGToLLVM.cpp:
1997         (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
1998         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
1999         (JSC::FTL::LowerDFGToLLVM::isNotOther):
2000         (JSC::FTL::LowerDFGToLLVM::isOther):
2001         (JSC::FTL::LowerDFGToLLVM::speculate):
2002         (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
2003         (JSC::FTL::LowerDFGToLLVM::speculateOther):
2004         (JSC::FTL::LowerDFGToLLVM::speculateNotCell):
2005
2006 2014-02-21  Joseph Pecoraro  <pecoraro@apple.com>
2007
2008         Revert r164486, causing a number of test failures.
2009
2010         Unreviewed rollout.
2011
2012 2014-02-21  Filip Pizlo  <fpizlo@apple.com>
2013
2014         Revive SABI (aka shouldAlwaysBeInlined)
2015         https://bugs.webkit.org/show_bug.cgi?id=129159
2016
2017         Reviewed by Mark Hahnenberg.
2018         
2019         This is a small Octane speed-up.
2020
2021         * jit/Repatch.cpp:
2022         (JSC::linkFor): This code was assuming that if it's invoked then the caller is a DFG code block. That's wrong, since it's now used by all of the JITs.
2023
2024 2014-02-21  Joseph Pecoraro  <pecoraro@apple.com>
2025
2026         Web Inspector: JSContext inspection should report exceptions in the console
2027         https://bugs.webkit.org/show_bug.cgi?id=128776
2028
2029         Reviewed by Timothy Hatcher.
2030
2031         When JavaScript API functions have an exception, let the inspector
2032         know so it can log the JavaScript and Native backtrace that caused
2033         the exception.
2034
2035         Include some clean up of ConsoleMessage and ScriptCallStack construction.
2036
2037         * API/JSBase.cpp:
2038         (JSEvaluateScript):
2039         (JSCheckScriptSyntax):
2040         * API/JSObjectRef.cpp:
2041         (JSObjectMakeFunction):
2042         (JSObjectMakeArray):
2043         (JSObjectMakeDate):
2044         (JSObjectMakeError):
2045         (JSObjectMakeRegExp):
2046         (JSObjectGetProperty):
2047         (JSObjectSetProperty):
2048         (JSObjectGetPropertyAtIndex):
2049         (JSObjectSetPropertyAtIndex):
2050         (JSObjectDeleteProperty):
2051         (JSObjectCallAsFunction):
2052         (JSObjectCallAsConstructor):
2053         * API/JSValue.mm:
2054         (reportExceptionToInspector):
2055         (valueToArray):
2056         (valueToDictionary):
2057         * API/JSValueRef.cpp:
2058         (JSValueIsEqual):
2059         (JSValueIsInstanceOfConstructor):
2060         (JSValueCreateJSONString):
2061         (JSValueToNumber):
2062         (JSValueToStringCopy):
2063         (JSValueToObject):
2064         When seeing an exception, let the inspector know there was an exception.
2065
2066         * inspector/JSGlobalObjectInspectorController.h:
2067         * inspector/JSGlobalObjectInspectorController.cpp:
2068         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2069         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
2070         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
2071         Log API exceptions by also grabbing the native backtrace.
2072
2073         * inspector/ScriptCallStack.h:
2074         * inspector/ScriptCallStack.cpp:
2075         (Inspector::ScriptCallStack::firstNonNativeCallFrame):
2076         (Inspector::ScriptCallStack::append):
2077         Minor extensions to ScriptCallStack to make it easier to work with.
2078
2079         * inspector/ConsoleMessage.cpp:
2080         (Inspector::ConsoleMessage::ConsoleMessage):
2081         (Inspector::ConsoleMessage::autogenerateMetadata):
2082         Provide better default information if the first call frame was native.
2083
2084         * inspector/ScriptCallStackFactory.cpp:
2085         (Inspector::createScriptCallStack):
2086         (Inspector::extractSourceInformationFromException):
2087         (Inspector::createScriptCallStackFromException):
2088         Perform the handling here of inserting a fake call frame for exceptions
2089         if there was no call stack (e.g. a SyntaxError) or if the first call
2090         frame had no information.
2091
2092         * inspector/ConsoleMessage.cpp:
2093         (Inspector::ConsoleMessage::ConsoleMessage):
2094         (Inspector::ConsoleMessage::autogenerateMetadata):
2095         * inspector/ConsoleMessage.h:
2096         * inspector/ScriptCallStackFactory.cpp:
2097         (Inspector::createScriptCallStack):
2098         (Inspector::createScriptCallStackForConsole):
2099         * inspector/ScriptCallStackFactory.h:
2100         * inspector/agents/InspectorConsoleAgent.cpp:
2101         (Inspector::InspectorConsoleAgent::enable):
2102         (Inspector::InspectorConsoleAgent::addMessageToConsole):
2103         (Inspector::InspectorConsoleAgent::count):
2104         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
2105         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
2106         ConsoleMessage cleanup.
2107
2108 2014-02-20  Anders Carlsson  <andersca@apple.com>
2109
2110         Modernize JSGlobalLock and JSLockHolder
2111         https://bugs.webkit.org/show_bug.cgi?id=129105
2112
2113         Reviewed by Michael Saboff.
2114
2115         Use std::mutex and std::thread::id where possible.
2116
2117         * runtime/JSLock.cpp:
2118         (JSC::GlobalJSLock::GlobalJSLock):
2119         (JSC::GlobalJSLock::~GlobalJSLock):
2120         (JSC::GlobalJSLock::initialize):
2121         (JSC::JSLock::JSLock):
2122         (JSC::JSLock::lock):
2123         (JSC::JSLock::unlock):
2124         (JSC::JSLock::currentThreadIsHoldingLock):
2125         * runtime/JSLock.h:
2126
2127 2014-02-20  Mark Lam  <mark.lam@apple.com>
2128
2129         virtualForWithFunction() should not throw an exception with a partially initialized frame.
2130         <https://webkit.org/b/129134>
2131
2132         Reviewed by Michael Saboff.
2133
2134         Currently, when JITOperations.cpp's virtualForWithFunction() fails to
2135         prepare the callee function for execution, it proceeds to throw the
2136         exception using the callee frame which is only partially initialized
2137         thus far. Instead, it should be throwing the exception using the caller
2138         frame because:
2139         1. the error happened "in" the caller while preparing the callee for
2140            execution, i.e. the caller frame is the top fully initialized frame
2141            on the stack.
2142         2. the callee frame is not fully initialized yet, and the unwind
2143            mechanism cannot depend on the data in it.
2144
2145         * jit/JITOperations.cpp:
2146
2147 2014-02-20  Mark Lam  <mark.lam@apple.com>
2148
2149         DefaultGCActivityCallback::doWork() should reschedule if GC is deferred.
2150         <https://webkit.org/b/129131>
2151
2152         Reviewed by Mark Hahnenberg.
2153
2154         Currently, DefaultGCActivityCallback::doWork() does not check if the GC
2155         needs to be deferred before commencing. As a result, the GC may crash
2156         and/or corrupt data because the VM is not in the consistent state needed
2157         for the GC to run. With this fix, doWork() now checks if the GC is
2158         supposed to be deferred and re-schedules if needed. It only commences
2159         with GC'ing when it's safe to do so.
2160
2161         * runtime/GCActivityCallback.cpp:
2162         (JSC::DefaultGCActivityCallback::doWork):
2163
2164 2014-02-20  Geoffrey Garen  <ggaren@apple.com>
2165
2166         Math.imul gives wrong results
2167         https://bugs.webkit.org/show_bug.cgi?id=126345
2168
2169         Reviewed by Mark Hahnenberg.
2170
2171         Don't truncate non-int doubles to 0 -- that's just not how ToInt32 works.
2172         Instead, take a slow path that will do the right thing.
2173
2174         * jit/ThunkGenerators.cpp:
2175         (JSC::imulThunkGenerator):
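
        Added example (written for this ChangeLog entry, not JavaScriptCore's own thunk code): a spec-style ToInt32 and a reference Math.imul built on it, next to a constructed model of the defect described above that maps non-integer doubles to 0, so the difference on inputs like 2.5 is visible.

```javascript
// Spec-style ToInt32: NaN, +/-0 and +/-Infinity map to 0; everything else is
// truncated toward zero, reduced modulo 2^32 and reinterpreted as a signed
// 32-bit value. Note that 2.5 becomes 2, not 0.
const TWO_32 = 4294967296;
const TWO_31 = 2147483648;

function toInt32(value) {
  const n = Number(value);
  if (!Number.isFinite(n) || n === 0) return 0;
  let int = Math.trunc(n) % TWO_32;   // exact for any double; sign follows n
  if (int < 0) int += TWO_32;         // bring into [0, 2^32)
  return int >= TWO_31 ? int - TWO_32 : int;
}

// Reference Math.imul: the low 32 bits of the 32x32 product. Operands are split
// into 16-bit halves so every intermediate stays exactly representable as a
// double (a direct x * y would lose low bits once the product exceeds 2^53).
function imulReference(a, b) {
  const x = toInt32(a) >>> 0;         // reinterpret as unsigned 32-bit
  const y = toInt32(b) >>> 0;
  const xh = x >>> 16, xl = x & 0xffff;
  const yh = y >>> 16, yl = y & 0xffff;
  const cross = (xh * yl + xl * yh) & 0xffff; // only the low 16 bits survive the << 16
  return (xl * yl + cross * 65536) | 0;       // | 0 applies ToInt32 to the 33-bit sum
}

// Constructed model of the defect the entry describes (not the thunk's code):
// a non-integer double operand was truncated to 0 instead of going through
// ToInt32, so an input pair like (2.5, 3) produced 0 rather than 6.
function imulTruncatingNonIntToZero(a, b) {
  const ai = Number.isInteger(a) ? toInt32(a) : 0;
  const bi = Number.isInteger(b) ? toInt32(b) : 0;
  return imulReference(ai, bi);
}

// Compare the reference against the running engine's Math.imul for one pair.
function checkImul(a, b) {
  const expected = imulReference(a, b);
  const native = Math.imul(a, b);
  return { expected, native, agrees: expected === native };
}
```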
2176
2177 2014-02-20  Filip Pizlo  <fpizlo@apple.com>
2178
2179         DFG should do its own static estimates of execution frequency before it starts creating OSR entrypoints
2180         https://bugs.webkit.org/show_bug.cgi?id=129129
2181
2182         Reviewed by Geoffrey Garen.
2183         
2184         We estimate execution counts based on loop depth, and then use those to estimate branch
2185         weights. These weights then get carried all the way down to LLVM prof branch_weights
2186         meta-data.
2187         
2188         This is better than letting LLVM do its own static estimates, since by the time we
2189         generate LLVM IR, we may have messed up the CFG due to OSR entrypoint creation. Of
2190         course, it would be even better if we just slurped in some kind of execution counts
2191         from profiling, but we don't do that, yet.
2192
2193         * CMakeLists.txt:
2194         * GNUmakefile.list.am:
2195         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2196         * JavaScriptCore.xcodeproj/project.pbxproj:
2197         * dfg/DFGBasicBlock.cpp:
2198         (JSC::DFG::BasicBlock::BasicBlock):
2199         * dfg/DFGBasicBlock.h:
2200         * dfg/DFGBlockInsertionSet.cpp:
2201         (JSC::DFG::BlockInsertionSet::insert):
2202         (JSC::DFG::BlockInsertionSet::insertBefore):
2203         * dfg/DFGBlockInsertionSet.h:
2204         * dfg/DFGByteCodeParser.cpp:
2205         (JSC::DFG::ByteCodeParser::handleInlining):
2206         (JSC::DFG::ByteCodeParser::parseCodeBlock):
2207         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
2208         (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
2209         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
2210         (JSC::DFG::createPreHeader):
2211         * dfg/DFGNaturalLoops.h:
2212         (JSC::DFG::NaturalLoops::loopDepth):
2213         * dfg/DFGOSREntrypointCreationPhase.cpp:
2214         (JSC::DFG::OSREntrypointCreationPhase::run):
2215         * dfg/DFGPlan.cpp:
2216         (JSC::DFG::Plan::compileInThreadImpl):
2217         * dfg/DFGStaticExecutionCountEstimationPhase.cpp: Added.
2218         (JSC::DFG::StaticExecutionCountEstimationPhase::StaticExecutionCountEstimationPhase):
2219         (JSC::DFG::StaticExecutionCountEstimationPhase::run):
2220         (JSC::DFG::StaticExecutionCountEstimationPhase::applyCounts):
2221         (JSC::DFG::performStaticExecutionCountEstimation):
2222         * dfg/DFGStaticExecutionCountEstimationPhase.h: Added.
2223
2224 2014-02-20  Filip Pizlo  <fpizlo@apple.com>
2225
2226         FTL may not see a compact_unwind section if there weren't any stackmaps
2227         https://bugs.webkit.org/show_bug.cgi?id=129125
2228
2229         Reviewed by Geoffrey Garen.
2230         
2231         It's OK to not have an unwind section, so long as the function also doesn't have any
2232         OSR exits.
2233
2234         * ftl/FTLCompile.cpp:
2235         (JSC::FTL::fixFunctionBasedOnStackMaps):
2236         (JSC::FTL::compile):
2237         * ftl/FTLUnwindInfo.cpp:
2238         (JSC::FTL::UnwindInfo::parse):
2239         * ftl/FTLUnwindInfo.h:
2240
2241 == Rolled over to ChangeLog-2014-02-20 ==