Web Inspector: CRASH when debugger closes while paused and remote inspecting a JSContext
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2014-02-14  Joseph Pecoraro  <pecoraro@apple.com>
2
3         Web Inspector: CRASH when debugger closes while paused and remote inspecting a JSContext
4         https://bugs.webkit.org/show_bug.cgi?id=127757
5
6         Reviewed by Timothy Hatcher.
7
8         The problem was that the lifetime of the InspectorController and all agents
9         was tied to the remote inspector session. So, if a remote inspector was
10         disconnected while in the nested run loop, everything would get torn
11         down and when execution continued out of the nested runloop we would be
12         back in the original call stack of destroyed objects.
13
14         This patch changes the lifetime of the InspectorController and agents to
15         the JSGlobalObject. This way the agents are always alive, just the
16         frontend and backend channels are destroyed and recreated each remote
17         inspector session. This matches the agent lifetime for WebCore agents.
18         We can also later take advantage of the agents being alive before
19         and between inspector debug sessions to stash exception messages to
20         pass on to a debugger if a debugger is connected later.
21
22         * inspector/JSGlobalObjectInspectorController.h:
23         * inspector/JSGlobalObjectInspectorController.cpp:
24         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
25         Cleaner initialization of agents. Easier to follow.
26
27         (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
28         Move InjectedScript disconnection only once the global object is destroyed.
29         This way if a developer has attached once and included an injected script,
30         we will keep it around with any state it might want to remember until
31         the global object is destroyed.
32
33         (Inspector::JSGlobalObjectInspectorController::globalObjectDestroyed):
34         Disconnect agents and injected scripts when the global object is destroyed.
35
36         * inspector/InjectedScriptManager.cpp:
37         (Inspector::InjectedScriptManager::disconnect):
38         Now that the injected script manager is reused between remote
39         inspector sessions, don't clear the pointer on disconnect calls.
40         We now only call this once when the global object is getting
41         destroyed anyways so it doesn't matter. But if we wanted to call
42         disconnect multiple times, e.g. once per session, we could.
43
44         * inspector/ScriptDebugServer.cpp:
45         (Inspector::ScriptDebugServer::dispatchFunctionToListeners):
46         If the only listener was removed during the nested runloop, then when
47         we dispatch an event after the nested runloop the listener list will
48         be empty. Instead of asserting, just pass by an empty list.
49
50         * runtime/JSGlobalObject.h:
51         (JSC::JSGlobalObject::inspectorController):
52         Tie the inspector controller lifetime to the JSGlobalObject.
53
54         * runtime/JSGlobalObject.cpp:
55         (JSC::JSGlobalObject::~JSGlobalObject):
56         (JSC::JSGlobalObject::init):
57         Create the inspector controller, and eagerly signal teardown
58         in destruction.
59
60         * runtime/JSGlobalObjectDebuggable.h:
61         * runtime/JSGlobalObjectDebuggable.cpp:
62         (JSC::JSGlobalObjectDebuggable::connect):
63         (JSC::JSGlobalObjectDebuggable::disconnect):
64         (JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemoteFrontend):
65         Simplify by using the inspector controller on JSGlobalObject.
66
67 2014-02-14  Mark Hahnenberg  <mhahnenberg@apple.com>
68
69         -[JSManagedValue value] needs to be protected by the API lock
70         https://bugs.webkit.org/show_bug.cgi?id=128857
71
72         Reviewed by Mark Lam.
73
74         * API/APICast.h:
75         (toRef): Added an ASSERT so that we can detect these sorts of errors earlier. On 32-bit, toRef
76         can allocate objects so we need to be holding the lock.
77         * API/APIShims.h: Removed outdated comments.
78         * API/JSManagedValue.mm: Added RefPtr<JSLock> to JSManagedValue.
79         (-[JSManagedValue initWithValue:]): Initialize the m_lock field.
80         (-[JSManagedValue value]): Lock the JSLock, check the VM*, return nil if invalid, take the APIEntryShim otherwise.
81         * runtime/JSLock.cpp: Bug fix in JSLock. We were assuming that the VM was always non-null in JSLock::lock.
82         (JSC::JSLock::lock):
83
84 2014-02-14  Oliver Hunt  <oliver@apple.com>
85
86         Implement a few more Array prototype functions in JS
87         https://bugs.webkit.org/show_bug.cgi?id=128788
88
89         Reviewed by Gavin Barraclough.
90
91         Remove a pile of awful C++, and rewrite in simple JS.
92
93         Needed to make a few other changes to get fully builtins
94         behavior to more accurately match a host function's.
95
96         * builtins/Array.prototype.js:
97         (every):
98         (forEach):
99         (filter):
100         (map):
101         (some):
102         * builtins/BuiltinExecutables.cpp:
103         (JSC::BuiltinExecutables::BuiltinExecutables):
104         (JSC::BuiltinExecutables::createBuiltinExecutable):
105         * bytecompiler/BytecodeGenerator.cpp:
106         (JSC::BytecodeGenerator::BytecodeGenerator):
107         (JSC::BytecodeGenerator::emitPutByVal):
108         * bytecompiler/BytecodeGenerator.h:
109         (JSC::BytecodeGenerator::emitExpressionInfo):
110         * interpreter/Interpreter.cpp:
111         (JSC::GetStackTraceFunctor::operator()):
112         * parser/Nodes.h:
113         (JSC::FunctionBodyNode::overrideName):
114         * profiler/LegacyProfiler.cpp:
115         (JSC::createCallIdentifierFromFunctionImp):
116         * runtime/ArrayPrototype.cpp:
117         * runtime/JSFunction.cpp:
118         (JSC::JSFunction::deleteProperty):
119         * runtime/JSFunction.h:
120
121 2014-02-14  Mark Hahnenberg  <mhahnenberg@apple.com>
122
123         ASSERT(isValidAllocation(bytes)) when ObjC API creates custom errors
124         https://bugs.webkit.org/show_bug.cgi?id=128840
125
126         Reviewed by Joseph Pecoraro.
127
128         We need to add APIEntryShims around places where we allocate errors in JSC.
129         Also converted some of the createTypeError call sites to use ASCIILiteral.
130
131         * API/JSValue.mm:
132         (valueToArray):
133         (valueToDictionary):
134         * API/ObjCCallbackFunction.mm:
135         (JSC::objCCallbackFunctionCallAsConstructor):
136         (JSC::ObjCCallbackFunctionImpl::call):
137         * API/tests/testapi.mm:
138
139 2014-02-14  Mark Hahnenberg  <mhahnenberg@apple.com>
140
141         Baseline JIT should have a fast path to bypass the write barrier on op_enter
142         https://bugs.webkit.org/show_bug.cgi?id=128832
143
144         Reviewed by Filip Pizlo.
145
146         * jit/JIT.h: Removed some random commented out functions.h
147         * jit/JITOpcodes.cpp:
148         (JSC::JIT::emit_op_enter):
149         * jit/JITPropertyAccess.cpp:
150         (JSC::JIT::emitWriteBarrier):
151
152 2014-02-14  Filip Pizlo  <fpizlo@apple.com>
153
154         Don't optimize variadic closure calls
155         https://bugs.webkit.org/show_bug.cgi?id=128835
156
157         Reviewed by Gavin Barraclough.
158         
159         Read the check that had been in JITStubs.cpp, back in the day. This code came
160         from the DFG and the DFG didn't need these checks.
161
162         * jit/JITOperations.cpp:
163
164 2014-02-14  David Kilzer  <ddkilzer@apple.com>
165
166         [ASan] Disable JSStack::sanitizeStack() to avoid false-positive stack-buffer-overflow errors
167         <http://webkit.org/b/128819>
168
169         Reviewed by Filip Pizlo.
170
171         * interpreter/JSStack.cpp:
172         (JSC::JSStack::sanitizeStack): When building with the clang
173         address sanitizer, don't sanitize the stack since it will
174         trigger false-positive stack-buffer-overflow errors.  Disabling
175         this only results in a performance penalty, not a correctness
176         penalty.
177
178 2014-02-14  Andres Gomez  <agomez@igalia.com>
179
180         Cleaning the JSStaticScopeObject files left behind after renaming their objects to JSNameScope
181         https://bugs.webkit.org/show_bug.cgi?id=127595
182
183         Reviewed by Mario Sanchez Prada.
184
185         JSStaticScopeObject was renamed to JSNameScope and removed long
186         ago but the files were left behind empty and the CMake compilation
187         in need of its existance. Now, we are definitely getting rid of
188         them.
189
190         * CMakeLists.txt:
191         * runtime/JSStaticScopeObject.cpp: Removed.
192         * runtime/JSStaticScopeObject.h: Removed.
193
194 2014-02-13  Filip Pizlo  <fpizlo@apple.com>
195
196         Kill some of the last vestiges of the C++ interpreter's PICs
197         https://bugs.webkit.org/show_bug.cgi?id=128796
198
199         Reviewed by Michael Saboff.
200
201         * bytecode/BytecodeUseDef.h:
202         (JSC::computeUsesForBytecodeOffset):
203         (JSC::computeDefsForBytecodeOffset):
204         * bytecode/CodeBlock.cpp:
205         (JSC::CodeBlock::printGetByIdOp):
206         (JSC::CodeBlock::printGetByIdCacheStatus):
207         (JSC::CodeBlock::dumpBytecode):
208         (JSC::CodeBlock::CodeBlock):
209         * bytecode/GetByIdStatus.cpp:
210         (JSC::GetByIdStatus::computeForStubInfo):
211         * bytecode/Opcode.h:
212         (JSC::padOpcodeName):
213         * bytecode/PolymorphicAccessStructureList.h:
214         (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::PolymorphicStubInfo):
215         (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::set):
216         (JSC::PolymorphicAccessStructureList::PolymorphicAccessStructureList):
217         (JSC::PolymorphicAccessStructureList::visitWeak):
218         * bytecode/StructureStubInfo.cpp:
219         (JSC::StructureStubInfo::deref):
220         (JSC::StructureStubInfo::visitWeakReferences):
221         * bytecode/StructureStubInfo.h:
222         (JSC::isGetByIdAccess):
223         * jit/JIT.cpp:
224         (JSC::JIT::privateCompileMainPass):
225         * jit/Repatch.cpp:
226         (JSC::getPolymorphicStructureList):
227         (JSC::tryBuildGetByIDList):
228         * llint/LowLevelInterpreter.asm:
229
230 2014-02-13  Mark Lam  <mark.lam@apple.com>
231
232         The JSContainerConvertor and ObjcContainerConvertor need to protect JSValueRefs. Part 2.
233         <https://webkit.org/b/128764>
234
235         Reviewed by Mark Hahnenberg.
236
237         toJS() is the wrong cast function to use. We need to use toJSForGC() instead.
238         Also we need to acquire the JSLock to prevent concurrent accesses to the
239         Strong handle list.
240
241         * API/JSValue.mm:
242         (JSContainerConvertor::add):
243         (containerValueToObject):
244         (ObjcContainerConvertor::add):
245         (objectToValue):
246
247 2014-02-13  Mark Hahnenberg  <mhahnenberg@apple.com>
248
249         JSManagedValue::dealloc modifies NSMapTable while iterating it
250         https://bugs.webkit.org/show_bug.cgi?id=128713
251
252         Reviewed by Geoffrey Garen.
253
254         Having to write a test for this revealed a bug in how addManagedReference:withOwner:
255         actually notifies JSManagedValues of new owners.
256
257         * API/JSManagedValue.mm:
258         (-[JSManagedValue dealloc]):
259         * API/JSVirtualMachine.mm:
260         (-[JSVirtualMachine addManagedReference:withOwner:]):
261         (-[JSVirtualMachine removeManagedReference:withOwner:]):
262         * API/tests/testapi.mm:
263         (testObjectiveCAPI):
264
265 2014-02-13  Filip Pizlo  <fpizlo@apple.com>
266
267         Unreviewed, fix build.
268
269         * ftl/FTLLowerDFGToLLVM.cpp:
270         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
271
272 2014-02-13  Ryosuke Niwa  <rniwa@webkit.org>
273
274         Speculative Release build fix after r164077.
275
276         * API/JSValue.mm:
277
278 2014-02-13  Mark Lam  <mark.lam@apple.com>
279
280         The JSContainerConvertor and ObjcContainerConvertor need to protect JSValueRefs.
281         <https://webkit.org/b/128764>
282
283         Reviewed by Mark Hahnenberg.
284
285         Added a vector of Strong<Unknown> references in the 2 containers, and append
286         the newly created JSValues to those vectors. This will keep all those JS objects
287         alive for the duration of the conversion.
288
289         * API/JSValue.mm:
290         (JSContainerConvertor::add):
291         (ObjcContainerConvertor::add):
292
293 2014-02-13  Matthew Mirman  <mmirman@apple.com>
294
295         Added GetMyArgumentsLength to FTL
296         https://bugs.webkit.org/show_bug.cgi?id=128758
297
298         Reviewed by Filip Pizlo.
299
300         * ftl/FTLCapabilities.cpp:
301         (JSC::FTL::canCompile):
302         * ftl/FTLLowerDFGToLLVM.cpp:
303         (JSC::FTL::LowerDFGToLLVM::compileNode):
304         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
305         * tests/stress/ftl-getmyargumentslength.js: Added.
306         (foo):
307
308 2014-02-13  Filip Pizlo  <fpizlo@apple.com>
309
310         Unreviewed, roll out http://trac.webkit.org/changeset/164066.
311         
312         It broke tests and it was just plain wrong.
313
314         * bytecode/GetByIdStatus.cpp:
315         (JSC::GetByIdStatus::computeFromLLInt):
316         (JSC::GetByIdStatus::computeForStubInfo):
317         * runtime/Structure.h:
318         (JSC::Structure::takesSlowPathInDFGForImpureProperty):
319
320 2014-02-13  Ryuan Choi  <ryuan.choi@samsung.com>
321
322         Unreviewed build fix.
323
324         Fixed typo.
325
326         * dfg/DFGIntegerCheckCombiningPhase.cpp:
327         (JSC::DFG::IntegerCheckCombiningPhase::run):
328
329 2014-02-13  Michael Saboff  <msaboff@apple.com>
330
331         Change FTL stack check to use VM's stackLimit
332         https://bugs.webkit.org/show_bug.cgi?id=128561
333
334         Reviewed by Filip Pizlo.
335
336         Changes FTL function entry to check the call frame register against the FTL
337         specific stack limit (VM::m_ftlStackLimit) and throw an exception if the
338         stack limit has been exceeded.  Updated the exception handling code to have
339         a second entry that will unroll the current frame to the caller, since that
340         is where the exception should be processed.
341
342         * ftl/FTLCompile.cpp:
343         (JSC::FTL::fixFunctionBasedOnStackMaps):
344         * ftl/FTLIntrinsicRepository.h:
345         * ftl/FTLLowerDFGToLLVM.cpp:
346         (JSC::FTL::LowerDFGToLLVM::lower):
347         * ftl/FTLState.h:
348         * runtime/VM.h:
349         (JSC::VM::addressOfFTLStackLimit):
350
351 2014-02-13  Filip Pizlo  <fpizlo@apple.com>
352
353         GetByIdStatus shouldn't call takesSlowPathInDFGForImpureProperty() for self accesses, and calling that method should never assert about anything
354         https://bugs.webkit.org/show_bug.cgi?id=128772
355
356         Reviewed by Mark Hahnenberg.
357
358         * bytecode/GetByIdStatus.cpp:
359         (JSC::GetByIdStatus::computeFromLLInt):
360         (JSC::GetByIdStatus::computeForStubInfo):
361         * runtime/Structure.h:
362         (JSC::Structure::takesSlowPathInDFGForImpureProperty):
363
364 2014-02-13  Mark Hahnenberg  <mhahnenberg@apple.com>
365
366         Add some RELEASE_ASSERTs to catch JSLock bugs earlier
367         https://bugs.webkit.org/show_bug.cgi?id=128762
368
369         Reviewed by Mark Lam.
370
371         * interpreter/Interpreter.cpp:
372         (JSC::Interpreter::execute):
373         * runtime/JSLock.cpp:
374         (JSC::JSLock::DropAllLocks::DropAllLocks):
375
376 2014-02-12  Filip Pizlo  <fpizlo@apple.com>
377
378         Hoist and combine array bounds checks
379         https://bugs.webkit.org/show_bug.cgi?id=125433
380
381         Reviewed by Mark Hahnenberg.
382         
383         This adds a phase for reasoning about overflow checks and array bounds checks. It's
384         block-local, and removes both overflow checks and bounds checks in one go.
385         
386         This also improves reasoning about commutative operations, and CSE between
387         CheckOverflow and Unchecked arithmetic.
388         
389         This strangely uncovered a DFG backend bug where we were trying to extract an int32
390         from a constant even when that constant was just simply a number. I fixed that bug.
391
392         * CMakeLists.txt:
393         * GNUmakefile.list.am:
394         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
395         * JavaScriptCore.xcodeproj/project.pbxproj:
396         * dfg/DFGAbstractInterpreterInlines.h:
397         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
398         * dfg/DFGAbstractValue.cpp:
399         (JSC::DFG::AbstractValue::set):
400         * dfg/DFGArgumentsSimplificationPhase.cpp:
401         (JSC::DFG::ArgumentsSimplificationPhase::run):
402         * dfg/DFGArithMode.h:
403         (JSC::DFG::subsumes):
404         * dfg/DFGByteCodeParser.cpp:
405         (JSC::DFG::ByteCodeParser::handleIntrinsic):
406         * dfg/DFGCSEPhase.cpp:
407         (JSC::DFG::CSEPhase::pureCSE):
408         (JSC::DFG::CSEPhase::int32ToDoubleCSE):
409         (JSC::DFG::CSEPhase::performNodeCSE):
410         * dfg/DFGClobberize.h:
411         (JSC::DFG::clobberize):
412         * dfg/DFGEdge.cpp:
413         (JSC::DFG::Edge::dump):
414         * dfg/DFGEdge.h:
415         (JSC::DFG::Edge::sanitized):
416         (JSC::DFG::Edge::hash):
417         * dfg/DFGFixupPhase.cpp:
418         (JSC::DFG::FixupPhase::fixupNode):
419         * dfg/DFGGraph.h:
420         (JSC::DFG::Graph::valueOfInt32Constant):
421         * dfg/DFGInsertionSet.h:
422         (JSC::DFG::InsertionSet::insertConstant):
423         * dfg/DFGIntegerCheckCombiningPhase.cpp: Added.
424         (JSC::DFG::IntegerCheckCombiningPhase::IntegerCheckCombiningPhase):
425         (JSC::DFG::IntegerCheckCombiningPhase::run):
426         (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
427         (JSC::DFG::IntegerCheckCombiningPhase::rangeKeyAndAddend):
428         (JSC::DFG::IntegerCheckCombiningPhase::isValid):
429         (JSC::DFG::IntegerCheckCombiningPhase::insertAdd):
430         (JSC::DFG::IntegerCheckCombiningPhase::insertMustAdd):
431         (JSC::DFG::performIntegerCheckCombining):
432         * dfg/DFGIntegerCheckCombiningPhase.h: Added.
433         * dfg/DFGNode.h:
434         (JSC::DFG::Node::willHaveCodeGenOrOSR):
435         * dfg/DFGNodeType.h:
436         * dfg/DFGPlan.cpp:
437         (JSC::DFG::Plan::compileInThreadImpl):
438         * dfg/DFGPredictionPropagationPhase.cpp:
439         (JSC::DFG::PredictionPropagationPhase::propagate):
440         * dfg/DFGSafeToExecute.h:
441         (JSC::DFG::safeToExecute):
442         * dfg/DFGSpeculativeJIT.cpp:
443         (JSC::DFG::SpeculativeJIT::compileAdd):
444         * dfg/DFGSpeculativeJIT32_64.cpp:
445         (JSC::DFG::SpeculativeJIT::compile):
446         * dfg/DFGSpeculativeJIT64.cpp:
447         (JSC::DFG::SpeculativeJIT::compile):
448         * dfg/DFGStrengthReductionPhase.cpp:
449         (JSC::DFG::StrengthReductionPhase::handleNode):
450         (JSC::DFG::StrengthReductionPhase::handleCommutativity):
451         * dfg/DFGTypeCheckHoistingPhase.cpp:
452         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
453         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
454         * ftl/FTLCapabilities.cpp:
455         (JSC::FTL::canCompile):
456         * ftl/FTLLowerDFGToLLVM.cpp:
457         (JSC::FTL::LowerDFGToLLVM::compileNode):
458         * jsc.cpp:
459         (GlobalObject::finishCreation):
460         (functionFalse):
461         * runtime/Identifier.h:
462         * runtime/Intrinsic.h:
463         * runtime/JSObject.h:
464         * tests/stress/get-by-id-untyped.js: Added.
465         (foo):
466         * tests/stress/inverted-additive-subsumption.js: Added.
467         (foo):
468         * tests/stress/redundant-add-overflow-checks.js: Added.
469         (foo):
470         * tests/stress/redundant-array-bounds-checks-addition-skip-first.js: Added.
471         (foo):
472         (arraycmp):
473         * tests/stress/redundant-array-bounds-checks-addition.js: Added.
474         (foo):
475         (arraycmp):
476         * tests/stress/redundant-array-bounds-checks-unchecked-addition.js: Added.
477         (foo):
478         (arraycmp):
479         * tests/stress/redundant-array-bounds-checks.js: Added.
480         (foo):
481         (arraycmp):
482         * tests/stress/tricky-array-bounds-checks.js: Added.
483         (foo):
484         (arraycmp):
485
486 2014-02-13  Filip Pizlo  <fpizlo@apple.com>
487
488         FTL should be OK with __compact_unwind in a data section
489         https://bugs.webkit.org/show_bug.cgi?id=128756
490
491         Reviewed by Mark Hahnenberg.
492
493         * ftl/FTLCompile.cpp:
494         (JSC::FTL::mmAllocateCodeSection):
495         (JSC::FTL::mmAllocateDataSection):
496
497 2014-02-13  Michael Saboff  <msaboff@apple.com>
498
499         CStack Branch: VM::currentReturnThunkPC appears to be unused and should be removed
500         https://bugs.webkit.org/show_bug.cgi?id=127205
501
502         Reviewed by Geoffrey Garen.
503
504         Removed ununsed references to VM::currentReturnThunkPC.
505
506         * jit/ThunkGenerators.cpp:
507         (JSC::arityFixup):
508         * runtime/VM.h:
509
510 2014-02-13  Tamas Gergely  <tgergely.u-szeged@partner.samsung.com>
511
512         Code cleanup: remove gcc<4.7 guards.
513         https://bugs.webkit.org/show_bug.cgi?id=128729
514
515         Reviewed by Anders Carlsson.
516
517         Remove GCC_VERSION_AT_LEAST guards when it checks for pre-4.7 versions,
518         as WK does not compile with earlier gcc versions.
519
520         * assembler/MIPSAssembler.h:
521         (JSC::MIPSAssembler::cacheFlush):
522         * interpreter/StackVisitor.cpp:
523         (JSC::printif):
524
525 2014-02-12  Mark Lam  <mark.lam@apple.com>
526
527         No need to save reservedZoneSize when dropping the JSLock.
528         <https://webkit.org/b/128719>
529
530         Reviewed by Geoffrey Garen.
531
532         The reservedZoneSize does not change due to the VM being run on a different
533         thread. Hence, there is no need to save and restore its value. Instead of
534         calling updateReservedZoneSize() to update the stack limit, we now call
535         setStackPointerAtVMEntry() to do the job. setStackPointerAtVMEntry()
536         will update the stackPointerAtVMEntry and delegate to updateStackLimit() to
537         update the stack limit based on the new stackPointerAtVMEntry.
538
539         * runtime/ErrorHandlingScope.cpp:
540         (JSC::ErrorHandlingScope::ErrorHandlingScope):
541         (JSC::ErrorHandlingScope::~ErrorHandlingScope):
542         - Previously, we initialize stackPointerAtVMEntry in VMEntryScope. This
543           means that the stackPointerAtVMEntry may not be initialize when we
544           instantiate the ErrorHandlingScope. And so, we needed to initialize the
545           stackPointerAtVMEntry in the ErrorHandlingScope constructor if it's not
546           already initialized.
547
548           Now that we initialize the stackPointerAtVMEntry when we lock the VM JSLock,
549           we are guaranteed that it will be initialized by the time we instantiate
550           the ErrorHandlingScope. Hence, we can change the ErrorHandlingScope code
551           to just assert that the stackPointerAtVMEntry is initialized instead.
552
553         * runtime/InitializeThreading.cpp:
554         (JSC::initializeThreading):
555         - We no longer need to save the reservedZoneSize. Remove the related code.
556
557         * runtime/JSLock.cpp:
558         (JSC::JSLock::lock):
559         - When we grab the JSLock mutex for the first time, there is no reason why
560           the stackPointerAtVMEntry should be initialized. By definition, grabbing
561           the lock for the first time equates to entering the VM for the first time.
562           Hence, we can just assert that stackPointerAtVMEntry is uninitialized,
563           and initialize it unconditionally.
564
565           The only exception to this is if we're locking to regrab the JSLock in
566           grabAllLocks(), but grabAllLocks() will take care of restoring the
567           stackPointerAtVMEntry in that case after lock() returns. stackPointerAtVMEntry
568           should still be 0 when we've just locked the JSLock. So, the above assertion
569           always holds true.
570
571           Note: VM::setStackPointerAtVMEntry() will take care of calling
572           VM::updateStackLimit() based on the new stackPointerAtVMEntry.
573
574         - There is no need to save the reservedZoneSize. The reservedZoneSize is
575           set to Options::reservedZoneSize() when the VM is initialized. Thereafter,
576           the ErrorHandlingScope will change it to Options::errorModeReservedZoneSize()
577           when we're handling an error, and it will restore it afterwards. There is
578           no other reason we should be changing the reservedZoneSize. Hence, we can
579           remove the unnecessary code to save it here.
580
581         (JSC::JSLock::unlock):
582         - Similarly, when the lockCount reaches 0 in unlock(), it is synonymous with
583           exiting the VM. Hence, we should just clear the stackPointerAtVMEntry and
584           update the stackLimit. Exiting the VM should have no effect on the VM
585           reservedZoneSize. Hence, we can remove the unnecessary code to "restore" it.
586
587         (JSC::JSLock::dropAllLocks):
588         - When dropping locks, we do not need to save the reservedZoneSize because
589           the reservedZoneSize should remain the same regardless of which thread
590           we are executing JS on. Hence, we can remove the unnecessary code to save
591           the reservedZoneSize here.
592
593         (JSC::JSLock::grabAllLocks):
594         - When re-grabbing locks, restoring the stackPointerAtVMEntry via
595           VM::setStackPointerAtVMEntry() will take care of updating the stack limit.
596           As explained above, there's no need to save the reservedZoneSize. Hence,
597           there's no need to "restore" it here.
598
599         * runtime/VM.cpp:
600         (JSC::VM::VM):
601         (JSC::VM::setStackPointerAtVMEntry):
602         - Sets the stackPointerAtVMEntry and delegates to updateStackLimit() to update
603           the stack limit based on the new stackPointerAtVMEntry.
604         (JSC::VM::updateStackLimit):
605         * runtime/VM.h:
606         (JSC::VM::stackPointerAtVMEntry):
607         - Renamed stackPointerAtVMEntry to m_stackPointerAtVMEntry and made it private.
608           Added a stackPointerAtVMEntry() function to read the value.
609
610 2014-02-12  Mark Hahnenberg  <mhahnenberg@apple.com>
611
612         DelayedReleaseScope in MarkedAllocator::tryAllocateHelper is wrong
613         https://bugs.webkit.org/show_bug.cgi?id=128641
614
615         Reviewed by Michael Saboff.
616
617         We were improperly handling the case where the DelayedReleaseScope 
618         in tryAllocateHelper would cause us to drop the API lock, allowing 
619         another thread to sneak in and allocate a new block after we had already 
620         concluded that there were no more blocks to allocate out of.
621
622         The fix is to call tryAllocateHelper in a loop until we know for sure 
623         that this did not happen.
624
625         There was also a race condition with the DelayedReleaseScope in addBlock.
626         We would add the block to the MarkedBlock's list, sweep it, and then return,
627         causing us to drop the API lock momentarily. Another thread could then 
628         grab the lock, and allocate out of the new block to the point where the 
629         free list was empty. Then we would return to the original thread, who thinks 
630         it's impossible to not allocate successfully at this point. 
631         Instead we should just let tryAllocate do all the hard work with correctly 
632         sweeping and getting a valid result.
633
634         There was another race condition in didFinishIterating. We would call resumeAllocating,
635         which would create a DelayedReleaseScope. The DelayedReleaseScope would then release 
636         API lock before we set m_isIterating back to false, which would potentially confuse 
637         other threads.
638
639         * heap/MarkedAllocator.cpp:
640         (JSC::MarkedAllocator::tryAllocateHelper):
641         (JSC::MarkedAllocator::tryPopFreeList):
642         (JSC::MarkedAllocator::tryAllocate):
643         (JSC::MarkedAllocator::addBlock):
644         * heap/MarkedAllocator.h:
645
646 2014-02-12  Brian Burg  <bburg@apple.com>
647
648         Web Replay: capture and replay nondeterminism of Date.now() and Math.random()
649         https://bugs.webkit.org/show_bug.cgi?id=128633
650
651         Reviewed by Filip Pizlo.
652
653         Upstream the only two sources of script-visible nondeterminism in JavaScriptCore.
654
655         The random seed for WeakRandom is memoized when the owning JSGlobalObject is
656         constructed. It is deterministically initialized during replay before any
657         scripts execute with the global object.
658
659         The implementations of `Date.now()` and `new Date()` eventually obtain the
660         current time from jsCurrentTime(). When capturing, we save return values of
661         jsCurrentTime() into the recording. When replaying, we use memoized values from
662         the recording instead of obtaining values from the platform-specific currentTime()
663         implementation. No other code calls jsCurrentTime().
664
665         * DerivedSources.make: Add rules to make JSReplayInputs.h from JSInputs.json.
666         * JavaScriptCore.xcodeproj/project.pbxproj:
667         * replay/JSInputs.json: Added. Includes specifications for replay inputs
668         "GetCurrentTime" and "SetRandomSeed". Tests will be added for both input
669         cases once sufficient replay machinery has been added.
670
671         * replay/NondeterministicInput.h: NondeterministicInput should not have
672         been marked 'final'.
673
674         * runtime/DateConstructor.cpp:
675         (JSC::deterministicCurrentTime): Added. Load or store the current time depending
676         on what kind of InputCursor is attached to the JSGlobalObject.
677
678         (JSC::constructDate): Use deterministicCurrentTime().
679         (JSC::dateNow): Use deterministicCurrentTime().
680         * runtime/JSGlobalObject.cpp:
681         (JSC::JSGlobalObject::setInputCursor): When setting a non-empty input cursor,
682         immediately store or load the "SetRandomSeed" input and initialize WeakRandom's
683         random seed with it. The input cursor (and thus random seed) must be set before
684         any scripts are evaluated with this JSGlobalObject.
685
686         * runtime/WeakRandom.h:
687         (JSC::WeakRandom::WeakRandom): Add JSGlobalObject as a friend class.
688         (JSC::WeakRandom::initializeSeed): Extract the seed initialization into a
689         separate method so it can be called outside of the JSGlobalObject constructor.
690
691 2014-02-12  Joseph Pecoraro  <pecoraro@apple.com>
692
693         Web Inspector: Cleanup JavaScriptCore/inspector
694         https://bugs.webkit.org/show_bug.cgi?id=128662
695
696         Reviewed by Timothy Hatcher.
697
698         Now that the code has settled, do a cleanup pass.
699
700         * inspector/ContentSearchUtilities.cpp:
701         * inspector/InspectorValues.cpp:
702         (Inspector::InspectorValue::asObject):
703         (Inspector::InspectorValue::asArray):
704         (Inspector::InspectorValue::parseJSON):
705         (Inspector::InspectorObjectBase::getObject):
706         (Inspector::InspectorObjectBase::getArray):
707         (Inspector::InspectorObjectBase::get):
708         * inspector/ScriptCallStackFactory.cpp:
709         * inspector/ScriptDebugServer.cpp:
710         * inspector/agents/JSGlobalObjectConsoleAgent.h:
711
712 2014-02-12  Ryosuke Niwa  <rniwa@webkit.org>
713
714         Windows build fix attempt after r163960.
715
716         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
717         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
718
719 2014-02-12  Michael Saboff  <msaboff@apple.com>
720
721         Adjust VM::stackLimit based on the size of the largest FTL stack produced
722         https://bugs.webkit.org/show_bug.cgi?id=128562
723
724         Reviewed by Mark Lam.
725
726         Added VM::m_largestFTLStackSize to track the largest stack size of an FTL compiled
727         function. Added VM::m_ftlStackLimit for the FTL functions' stack limit.  Renamed
728         VM::updateStackLimitWithReservedZoneSize to VM::updateReservedZoneSize.  Renamed
729         VM::setStackLimit to VM::updateStackLimit and changed it to do the updating of the
730         stack limits, including taking into account m_largestFTLStackSize.
731
732         * ftl/FTLJITFinalizer.cpp:
733         (JSC::FTL::JITFinalizer::finalizeFunction):
734         * runtime/ErrorHandlingScope.cpp:
735         (JSC::ErrorHandlingScope::ErrorHandlingScope):
736         (JSC::ErrorHandlingScope::~ErrorHandlingScope):
737         * runtime/JSLock.cpp:
738         (JSC::JSLock::lock):
739         (JSC::JSLock::unlock):
740         (JSC::JSLock::grabAllLocks):
741         * runtime/VM.cpp:
742         (JSC::VM::VM):
743         (JSC::VM::updateReservedZoneSize):
744         (JSC::VM::updateStackLimit):
745         (JSC::VM::updateFTLLargestStackSize):
746         * runtime/VM.h:
747
748 2014-02-11  Oliver Hunt  <oliver@apple.com>
749
750         Make it possible to implement JS builtins in JS
751         https://bugs.webkit.org/show_bug.cgi?id=127887
752
753         Reviewed by Michael Saboff.
754
755         This patch makes it possible to write builtin functions in JS.
756         The bindings, generators, and definitions are all created automatically
757         based on js files in the builtins/ directory.  This patch includes one
758         such case: Array.prototype.js with an implementation of every().
759
760         There's a lot of refactoring to make it possible for CommonIdentifiers
761         to include the output of the generated files (DerivedSources/JSCBuiltins.{h,cpp})
762         without breaking the offset extractor. The result of this refactoring
763         is that CommonIdentifiers, and a few other miscellaneous headers now
764         need to be included directly as they were formerly captured through other
765         paths.
766
767         In addition this adds a flag to the Lookup table's hashentry to indicate
768         that a static function is actually backed by JS. There is then a lot of
769         logic to thread the special nature of the function to where it matters.
770         This allows toString(), .caller, etc to mimic the behaviour of a host
771         function.
772
773         Notes on writing builtins:
774          - Each function is compiled independently of the others, and those
775            implementations cannot currently capture all global properties (as
776            that could be potentially unsafe). If a function does capture a
777            global we will deliberately crash.
778          - For those "global" properties that we do want access to, we use
779            the @ prefix, e.g. Object(this) becomes @Object(this). The @ identifiers
780            are private names, and behave just like regular properties, only
781            without the risk of adulteration. Again, in the @Object case, we
782            explicitly duplicate the ObjectConstructor reference on the GlobalObject
783            so that we have guaranteed access to the original version of the
784            constructor.
785          - call, apply, eval, and Function are all rejected identifiers, again
786            to prevent anything from accidentally using an adulterated object.
787            Instead @call and @apply are available, and happily they completely
788            drop the neq_ptr instruction as they're defined as always being the
789            original call/apply functions.
790
791         These restrictions are just intended to make it harder to accidentally
792         make changes that are incorrect (for instance calling whatever has been
793         assigned to global.Object, instead of the original constructor function).
794         However, making a mistake like this should result in a purely semantic
795         error as fundamentally these functions are treated as though they were
796         regular JS code in the host global, and have no more privileges than
797         any other JS.
798
799         The initial proof of concept is Array.prototype.every, this shows a 65%
800         performance improvement, and that improvement is significantly hurt by
801         our poor optimisation of op_in.
802
803         As this is such a limited function, we have not yet exported all symbols
804         that we could possibly need, but as we implement more, the likelihood
805         of encountering missing features will reduce.
806
808         * API/JSCallbackObjectFunctions.h:
809         (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
810         (JSC::JSCallbackObject<Parent>::put):
811         (JSC::JSCallbackObject<Parent>::deleteProperty):
812         (JSC::JSCallbackObject<Parent>::getStaticValue):
813         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
814         (JSC::JSCallbackObject<Parent>::callbackGetter):
815         * CMakeLists.txt:
816         * DerivedSources.make:
817         * GNUmakefile.am:
818         * GNUmakefile.list.am:
819         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
820         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
821         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
822         * JavaScriptCore.vcxproj/copy-files.cmd:
823         * JavaScriptCore.xcodeproj/project.pbxproj:
824         * builtins/Array.prototype.js:
825         (every):
826         * builtins/BuiltinExecutables.cpp: Added.
827         (JSC::BuiltinExecutables::BuiltinExecutables):
828         (JSC::BuiltinExecutables::createBuiltinExecutable):
829         * builtins/BuiltinExecutables.h:
830         (JSC::BuiltinExecutables::create):
831         * builtins/BuiltinNames.h: Added.
832         (JSC::BuiltinNames::BuiltinNames):
833         (JSC::BuiltinNames::getPrivateName):
834         (JSC::BuiltinNames::getPublicName):
835         * bytecode/CodeBlock.cpp:
836         (JSC::CodeBlock::CodeBlock):
837         * bytecode/UnlinkedCodeBlock.cpp:
838         (JSC::generateFunctionCodeBlock):
839         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
840         (JSC::UnlinkedFunctionExecutable::codeBlockFor):
841         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
842         * bytecode/UnlinkedCodeBlock.h:
843         (JSC::ExecutableInfo::ExecutableInfo):
844         (JSC::UnlinkedFunctionExecutable::create):
845         (JSC::UnlinkedFunctionExecutable::toStrictness):
846         (JSC::UnlinkedFunctionExecutable::isBuiltinFunction):
847         (JSC::UnlinkedCodeBlock::isBuiltinFunction):
848         * bytecompiler/BytecodeGenerator.cpp:
849         (JSC::BytecodeGenerator::BytecodeGenerator):
850         * bytecompiler/BytecodeGenerator.h:
851         (JSC::BytecodeGenerator::isBuiltinFunction):
852         (JSC::BytecodeGenerator::makeFunction):
853         * bytecompiler/NodesCodegen.cpp:
854         (JSC::CallFunctionCallDotNode::emitBytecode):
855         (JSC::ApplyFunctionCallDotNode::emitBytecode):
856         * create_hash_table:
857         * generate-js-builtins: Added.
858         (getCopyright):
859         (getFunctions):
860         (generateCode):
861         (mangleName):
862         (FunctionExecutable):
863         (Identifier):
864         (JSGlobalObject):
865         (SourceCode):
866         (UnlinkedFunctionExecutable):
867         (VM):
868         * interpreter/CachedCall.h:
869         (JSC::CachedCall::CachedCall):
870         * parser/ASTBuilder.h:
871         (JSC::ASTBuilder::makeFunctionCallNode):
872         * parser/Lexer.cpp:
873         (JSC::Lexer<T>::Lexer):
874         (JSC::isSafeBuiltinIdentifier):
875         (JSC::Lexer<LChar>::parseIdentifier):
876         (JSC::Lexer<UChar>::parseIdentifier):
877         (JSC::Lexer<T>::lex):
878         * parser/Lexer.h:
879         (JSC::isSafeIdentifier):
880         (JSC::Lexer<T>::lexExpectIdentifier):
881         * parser/Nodes.cpp:
882         (JSC::ProgramNode::setClosedVariables):
883         * parser/Nodes.h:
884         (JSC::ScopeNode::capturedVariables):
885         (JSC::ScopeNode::setClosedVariables):
886         (JSC::ProgramNode::closedVariables):
887         * parser/Parser.cpp:
888         (JSC::Parser<LexerType>::Parser):
889         (JSC::Parser<LexerType>::parseInner):
890         (JSC::Parser<LexerType>::didFinishParsing):
891         (JSC::Parser<LexerType>::printUnexpectedTokenText):
892         * parser/Parser.h:
893         (JSC::Scope::getUsedVariables):
894         (JSC::Parser::closedVariables):
895         (JSC::parse):
896         * parser/ParserModes.h:
897         * parser/ParserTokens.h:
898         * runtime/ArrayPrototype.cpp:
899         * runtime/CodeCache.cpp:
900         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
901         * runtime/CommonIdentifiers.cpp:
902         (JSC::CommonIdentifiers::CommonIdentifiers):
903         (JSC::CommonIdentifiers::~CommonIdentifiers):
904         (JSC::CommonIdentifiers::getPrivateName):
905         (JSC::CommonIdentifiers::getPublicName):
906         * runtime/CommonIdentifiers.h:
907         (JSC::CommonIdentifiers::builtinNames):
908         * runtime/ExceptionHelpers.cpp:
909         (JSC::createUndefinedVariableError):
910         * runtime/Executable.h:
911         (JSC::EvalExecutable::executableInfo):
912         (JSC::ProgramExecutable::executableInfo):
913         (JSC::FunctionExecutable::isBuiltinFunction):
914         * runtime/FunctionPrototype.cpp:
915         (JSC::functionProtoFuncToString):
916         * runtime/JSActivation.cpp:
917         (JSC::JSActivation::symbolTableGet):
918         (JSC::JSActivation::symbolTablePut):
919         (JSC::JSActivation::symbolTablePutWithAttributes):
920         * runtime/JSFunction.cpp:
921         (JSC::JSFunction::createBuiltinFunction):
922         (JSC::JSFunction::calculatedDisplayName):
923         (JSC::JSFunction::sourceCode):
924         (JSC::JSFunction::isHostOrBuiltinFunction):
925         (JSC::JSFunction::isBuiltinFunction):
926         (JSC::JSFunction::callerGetter):
927         (JSC::JSFunction::getOwnPropertySlot):
928         (JSC::JSFunction::getOwnNonIndexPropertyNames):
929         (JSC::JSFunction::put):
930         (JSC::JSFunction::defineOwnProperty):
931         * runtime/JSFunction.h:
932         * runtime/JSFunctionInlines.h:
933         (JSC::JSFunction::nativeFunction):
934         (JSC::JSFunction::nativeConstructor):
935         (JSC::isHostFunction):
936         * runtime/JSGlobalObject.cpp:
937         (JSC::JSGlobalObject::reset):
938         (JSC::JSGlobalObject::visitChildren):
939         * runtime/JSGlobalObject.h:
940         (JSC::JSGlobalObject::objectConstructor):
941         (JSC::JSGlobalObject::symbolTableHasProperty):
942         * runtime/JSObject.cpp:
943         (JSC::getClassPropertyNames):
944         (JSC::JSObject::reifyStaticFunctionsForDelete):
945         (JSC::JSObject::putDirectBuiltinFunction):
946         * runtime/JSObject.h:
947         * runtime/JSSymbolTableObject.cpp:
948         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
949         * runtime/JSSymbolTableObject.h:
950         (JSC::symbolTableGet):
951         (JSC::symbolTablePut):
952         (JSC::symbolTablePutWithAttributes):
953         * runtime/Lookup.cpp:
954         (JSC::setUpStaticFunctionSlot):
955         * runtime/Lookup.h:
956         (JSC::HashEntry::builtinGenerator):
957         (JSC::HashEntry::propertyGetter):
958         (JSC::HashEntry::propertyPutter):
959         (JSC::HashTable::entry):
960         (JSC::getStaticPropertySlot):
961         (JSC::getStaticValueSlot):
962         (JSC::putEntry):
963         * runtime/NativeErrorConstructor.cpp:
964         (JSC::NativeErrorConstructor::finishCreation):
965         * runtime/NativeErrorConstructor.h:
966         * runtime/PropertySlot.h:
967         * runtime/VM.cpp:
968         (JSC::VM::VM):
969         * runtime/VM.h:
970         (JSC::VM::builtinExecutables):
971
972 2014-02-11  Brent Fulgham  <bfulgham@apple.com>
973
974         Remove some unintended copies in ranged for loops
975         https://bugs.webkit.org/show_bug.cgi?id=128644
976
977         Reviewed by Anders Carlsson.
978
979         * inspector/InjectedScriptHost.cpp:
980         (Inspector::InjectedScriptHost::clearAllWrappers): Avoid creating/destroying
981         a std::pair<> and pointer each loop iteration.
982         * parser/Parser.cpp:
983         (JSC::Parser<LexerType>::Parser): Avoid copying object containing a string
984         each loop iteration.
985
986 2014-02-11  Ryosuke Niwa  <rniwa@webkit.org>
987
988         Debug build fix after r163946.
989
990         * dfg/DFGByteCodeParser.cpp:
991         (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
992
993 2014-02-11  Filip Pizlo  <fpizlo@apple.com>
994
995         Inserting a node with a codeOrigin "like" another node should copy both the codeOrigin and codeOriginForExitTarget
996         https://bugs.webkit.org/show_bug.cgi?id=128635
997
998         Reviewed by Michael Saboff.
999         
1000         Originally nodes just had a codeOrigin. But then we started doing code motion, and we
1001         needed to separate the codeOrigin that designated where to exit from the codeOrigin
1002         that designated everything else. The "everything else" is actually pretty important:
1003         it includes profiling, exception handling, and the actual semantics of the node. For
1004         example some nodes use the origin's global object in some way.
1005         
1006         This all sort of worked except for one quirk: the facilities for creating nodes all
1007         assumed that there really was only one origin. LICM would work around this by setting
1008         the codeOriginForExitTarget manually. But, that means that:
1009         
1010         - If we did hoist a node twice, then the second time around, we would forget the node's
1011           original exit target.
1012         
1013         - If we did an insertNode() to insert a node before a hoisted node, the inserted node
1014           would have the wrong exit target.
1015         
1016         Most of the time, if we copy the code origin, we actually want to copy both origins.
1017         So, this patch introduces the notion of a NodeOrigin which has two CodeOrigins: a
1018         forExit code origin that says where to exit, and a semantic code origin for everything
1019         else.
1020         
1021         This also (annoyingly?) means that we are always more explicit about which code origin
1022         we refer to. That means that a lot of "node->codeOrigin" expressions had to change to
1023         "node->origin.semantic". This was partly a ploy on my part to ensure that this
1024         refactoring was complete: to get the code to compile I really had to audit all uses of
1025         CodeOrigin. If, in the future, we find that "node->origin.semantic" is too cumbersome
1026         then we can reintroduce the Node::codeOrigin field. For now I kinda like it though.
1027
1028         * GNUmakefile.list.am:
1029         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1030         * JavaScriptCore.xcodeproj/project.pbxproj:
1031         * dfg/DFGAbstractInterpreterInlines.h:
1032         (JSC::DFG::AbstractInterpreter<AbstractStateType>::booleanResult):
1033         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1034         * dfg/DFGArgumentsSimplificationPhase.cpp:
1035         (JSC::DFG::ArgumentsSimplificationPhase::run):
1036         (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
1037         (JSC::DFG::ArgumentsSimplificationPhase::observeProperArgumentsUse):
1038         (JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize):
1039         * dfg/DFGArrayMode.cpp:
1040         (JSC::DFG::ArrayMode::originalArrayStructure):
1041         (JSC::DFG::ArrayMode::alreadyChecked):
1042         * dfg/DFGByteCodeParser.cpp:
1043         (JSC::DFG::ByteCodeParser::addToGraph):
1044         * dfg/DFGCFGSimplificationPhase.cpp:
1045         (JSC::DFG::CFGSimplificationPhase::run):
1046         (JSC::DFG::CFGSimplificationPhase::convertToJump):
1047         (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
1048         (JSC::DFG::CFGSimplificationPhase::jettisonBlock):
1049         (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
1050         * dfg/DFGCPSRethreadingPhase.cpp:
1051         (JSC::DFG::CPSRethreadingPhase::addPhiSilently):
1052         (JSC::DFG::CPSRethreadingPhase::addPhi):
1053         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
1054         (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
1055         (JSC::DFG::CPSRethreadingPhase::propagatePhis):
1056         * dfg/DFGCSEPhase.cpp:
1057         (JSC::DFG::CSEPhase::setLocalStoreElimination):
1058         * dfg/DFGClobberize.h:
1059         (JSC::DFG::clobberize):
1060         * dfg/DFGCommonData.cpp:
1061         (JSC::DFG::CommonData::notifyCompilingStructureTransition):
1062         * dfg/DFGConstantFoldingPhase.cpp:
1063         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1064         (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
1065         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
1066         (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
1067         * dfg/DFGDCEPhase.cpp:
1068         (JSC::DFG::DCEPhase::fixupBlock):
1069         * dfg/DFGDisassembler.cpp:
1070         (JSC::DFG::Disassembler::createDumpList):
1071         * dfg/DFGFixupPhase.cpp:
1072         (JSC::DFG::FixupPhase::fixupNode):
1073         (JSC::DFG::FixupPhase::createToString):
1074         (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion):
1075         (JSC::DFG::FixupPhase::convertStringAddUse):
1076         (JSC::DFG::FixupPhase::fixupToPrimitive):
1077         (JSC::DFG::FixupPhase::fixupToString):
1078         (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
1079         (JSC::DFG::FixupPhase::checkArray):
1080         (JSC::DFG::FixupPhase::blessArrayOperation):
1081         (JSC::DFG::FixupPhase::fixEdge):
1082         (JSC::DFG::FixupPhase::insertStoreBarrier):
1083         (JSC::DFG::FixupPhase::fixIntEdge):
1084         (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
1085         (JSC::DFG::FixupPhase::truncateConstantToInt32):
1086         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
1087         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
1088         (JSC::DFG::FixupPhase::convertToGetArrayLength):
1089         (JSC::DFG::FixupPhase::prependGetArrayLength):
1090         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
1091         (JSC::DFG::FixupPhase::addPhantomsIfNecessary):
1092         * dfg/DFGGraph.cpp:
1093         (JSC::DFG::Graph::dumpCodeOrigin):
1094         (JSC::DFG::Graph::amountOfNodeWhiteSpace):
1095         (JSC::DFG::Graph::dump):
1096         (JSC::DFG::Graph::dumpBlockHeader):
1097         * dfg/DFGGraph.h:
1098         (JSC::DFG::Graph::hasExitSite):
1099         (JSC::DFG::Graph::valueProfileFor):
1100         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
1101         * dfg/DFGInvalidationPointInjectionPhase.cpp:
1102         (JSC::DFG::InvalidationPointInjectionPhase::handle):
1103         (JSC::DFG::InvalidationPointInjectionPhase::insertInvalidationCheck):
1104         * dfg/DFGLICMPhase.cpp:
1105         (JSC::DFG::LICMPhase::attemptHoist):
1106         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
1107         (JSC::DFG::createPreHeader):
1108         * dfg/DFGNode.h:
1109         (JSC::DFG::Node::Node):
1110         (JSC::DFG::Node::isStronglyProvedConstantIn):
1111         * dfg/DFGNodeOrigin.h: Added.
1112         (JSC::DFG::NodeOrigin::NodeOrigin):
1113         (JSC::DFG::NodeOrigin::isSet):
1114         * dfg/DFGOSREntrypointCreationPhase.cpp:
1115         (JSC::DFG::OSREntrypointCreationPhase::run):
1116         * dfg/DFGResurrectionForValidationPhase.cpp:
1117         (JSC::DFG::ResurrectionForValidationPhase::run):
1118         * dfg/DFGSSAConversionPhase.cpp:
1119         (JSC::DFG::SSAConversionPhase::run):
1120         * dfg/DFGSSALoweringPhase.cpp:
1121         (JSC::DFG::SSALoweringPhase::handleNode):
1122         (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
1123         * dfg/DFGSpeculativeJIT.cpp:
1124         (JSC::DFG::SpeculativeJIT::compileIn):
1125         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1126         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1127         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
1128         * dfg/DFGSpeculativeJIT.h:
1129         (JSC::DFG::SpeculativeJIT::masqueradesAsUndefinedWatchpointIsStillValid):
1130         (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck):
1131         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
1132         (JSC::DFG::SpeculativeJIT::appendCallSetResult):
1133         (JSC::DFG::SpeculativeJIT::appendCall):
1134         (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
1135         * dfg/DFGSpeculativeJIT32_64.cpp:
1136         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
1137         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
1138         (JSC::DFG::SpeculativeJIT::emitCall):
1139         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1140         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1141         (JSC::DFG::SpeculativeJIT::compile):
1142         * dfg/DFGSpeculativeJIT64.cpp:
1143         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
1144         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
1145         (JSC::DFG::SpeculativeJIT::emitCall):
1146         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1147         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1148         (JSC::DFG::SpeculativeJIT::compile):
1149         * dfg/DFGStrengthReductionPhase.cpp:
1150         (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild):
1151         (JSC::DFG::StrengthReductionPhase::prepareToFoldTypedArray):
1152         * dfg/DFGTierUpCheckInjectionPhase.cpp:
1153         (JSC::DFG::TierUpCheckInjectionPhase::run):
1154         * dfg/DFGTypeCheckHoistingPhase.cpp:
1155         (JSC::DFG::TypeCheckHoistingPhase::run):
1156         * dfg/DFGValidate.cpp:
1157         (JSC::DFG::Validate::validateSSA):
1158         * dfg/DFGWatchpointCollectionPhase.cpp:
1159         (JSC::DFG::WatchpointCollectionPhase::handle):
1160         (JSC::DFG::WatchpointCollectionPhase::handleEdge):
1161         (JSC::DFG::WatchpointCollectionPhase::handleMasqueradesAsUndefined):
1162         (JSC::DFG::WatchpointCollectionPhase::globalObject):
1163         * ftl/FTLJSCall.cpp:
1164         (JSC::FTL::JSCall::link):
1165         * ftl/FTLLink.cpp:
1166         (JSC::FTL::link):
1167         * ftl/FTLLowerDFGToLLVM.cpp:
1168         (JSC::FTL::LowerDFGToLLVM::compileNode):
1169         (JSC::FTL::LowerDFGToLLVM::compileToThis):
1170         (JSC::FTL::LowerDFGToLLVM::compilePutById):
1171         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
1172         (JSC::FTL::LowerDFGToLLVM::compileNewArray):
1173         (JSC::FTL::LowerDFGToLLVM::compileNewArrayBuffer):
1174         (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
1175         (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
1176         (JSC::FTL::LowerDFGToLLVM::compileGetMyScope):
1177         (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated):
1178         (JSC::FTL::LowerDFGToLLVM::getById):
1179         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
1180         (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructure):
1181         (JSC::FTL::LowerDFGToLLVM::masqueradesAsUndefinedWatchpointIsStillValid):
1182         (JSC::FTL::LowerDFGToLLVM::callPreflight):
1183
1184 2014-02-11  Filip Pizlo  <fpizlo@apple.com>
1185
1186         Fix assertions and incorrect codegen for CompareEq(ObjectOrOther:, Object:)
1187         https://bugs.webkit.org/show_bug.cgi?id=128648
1188
1189         Reviewed by Mark Lam.
1190         
1191         I did CompareEq(Object:, ObjectOrOther:) correctly but the flipped version wrong.
1192         That's what I get for running tests in release mode. It's hard to write a test for
1193         the incorrect codegen; that's kind of why the assertions are there.
1194
1195         * ftl/FTLLowerDFGToLLVM.cpp:
1196         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
1197
1198 2014-02-11  Filip Pizlo  <fpizlo@apple.com>
1199
1200         Unreviewed, trivial change to silence FTL assertions
1201
1202         Normally, lowJSValue() should only be used for UntypedUse. Here we are using it
1203         on ObjectOrOtherUse because we execute the speculation ourselves. The way you're
1204         supposed to do this is by passing ManualOperandSpeculation to tell lowJSValue() not
1205         to assert.
1206
1207         * ftl/FTLLowerDFGToLLVM.cpp:
1208         (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
1209
1210 2014-02-11  Filip Pizlo  <fpizlo@apple.com>
1211
1212         Use LLVM's dead store elimination
1213         https://bugs.webkit.org/show_bug.cgi?id=128638
1214
1215         Reviewed by Mark Hahnenberg.
1216         
1217         DFG's store elimination was being run too soon for comfort on the FTL path. It's
1218         really only sound when run after all other optimizations. Remove it from the FTL
1219         path.
1220         
1221         Enable LLVM store elimination. It's both easier to reason about and more
1222         comprehensive.
1223
1224         * dfg/DFGPlan.cpp:
1225         (JSC::DFG::Plan::compileInThreadImpl):
1226         * ftl/FTLCompile.cpp:
1227         (JSC::FTL::compile):
1228
1229 2014-02-11  Brian Burg  <bburg@apple.com>
1230
1231         Web Replay: upstream replay input code generator and EncodedValue class
1232         https://bugs.webkit.org/show_bug.cgi?id=128215
1233
1234         Reviewed by Joseph Pecoraro.
1235
1236         Add the replay inputs code generator. Most features of the input generator are
1237         exercised by included generator regression tests, which produce useful but
1238         non-compilable test replay inputs.
1239
1240         Add EncodedValue, the main replay input serialization class that encodes and
1241         decodes inputs and their data between C++ types and the JSON-based replay recording
1242         format. EncodedValue uses EncodingTraits specializations for type-specific encoding.
1243         Relative to other WebKit marshalling mechanisms, EncodedValue is key/value based.
1244         EncodedValue uses InspectorValue subclasses as its backing data structure.
1245
1246         Add some missing numerical conversions to InspectorValue.
1247
1248         * JavaScriptCore.xcodeproj/project.pbxproj:
1249         * inspector/InspectorValues.cpp:
1250         (Inspector::InspectorValue::asNumber):
1251         (Inspector::InspectorBasicValue::asNumber):
1252         * inspector/InspectorValues.h:
1253         * replay/EncodedValue.cpp: Added.
1254         (JSC::EncodedValue::asObject):
1255         (JSC::EncodedValue::asArray):
1256         (JSC::ScalarEncodingTraits<bool>::encodeValue):
1257         (JSC::ScalarEncodingTraits<double>::encodeValue):
1258         (JSC::ScalarEncodingTraits<float>::encodeValue):
1259         (JSC::ScalarEncodingTraits<int32_t>::encodeValue):
1260         (JSC::ScalarEncodingTraits<int64_t>::encodeValue):
1261         (JSC::ScalarEncodingTraits<uint32_t>::encodeValue):
1262         (JSC::ScalarEncodingTraits<uint64_t>::encodeValue):
1263         (JSC::long>::encodeValue):
1264         (JSC::EncodedValue::convertTo<bool>):
1265         (JSC::EncodedValue::convertTo<double>):
1266         (JSC::EncodedValue::convertTo<float>):
1267         (JSC::EncodedValue::convertTo<int32_t>):
1268         (JSC::EncodedValue::convertTo<int64_t>):
1269         (JSC::EncodedValue::convertTo<uint32_t>):
1270         (JSC::EncodedValue::convertTo<uint64_t>):
1271         (JSC::long>):
1272         (JSC::EncodedValue::convertTo<String>):
1273         (JSC::EncodedValue::put<EncodedValue>):
1274         (JSC::EncodedValue::append<EncodedValue>):
1275         (JSC::EncodedValue::get<EncodedValue>):
1276         * replay/EncodedValue.h: Added.
1277         (JSC::EncodedValue::EncodedValue):
1278         (JSC::EncodedValue::createObject):
1279         (JSC::EncodedValue::createArray):
1280         (JSC::EncodedValue::createString):
1281         (JSC::EncodedValue::~EncodedValue):
1282         (JSC::ScalarEncodingTraits::decodeValue):
1283         (JSC::EncodingTraits<String>::encodeValue):
1284         (JSC::EncodedValue::put):
1285         (JSC::EncodedValue::append):
1286         (JSC::EncodedValue::get):
1287         * replay/scripts/CodeGeneratorReplayInputs.py: Added.
1288         (ParseException):
1289         (TypecheckException):
1290         (Framework):
1291         (Framework.__init__):
1292         (Framework.setting):
1293         (Framework.fromString):
1294         (Frameworks):
1295         (InputQueue):
1296         (InputQueue.__init__):
1297         (InputQueue.setting):
1298         (InputQueue.fromString):
1299         (InputQueues):
1300         (Input):
1301         (Input.__init__):
1302         (Input.setting):
1303         (InputMember):
1304         (InputMember.__init__):
1305         (InputMember.has_flag):
1306         (TypeMode):
1307         (TypeMode.__init__):
1308         (TypeMode.fromString):
1309         (TypeModes):
1310         (Type):
1311         (Type.__init__):
1312         (Type.__eq__):
1313         (Type.__hash__):
1314         (Type.has_flag):
1315         (Type.is_struct):
1316         (Type.is_enum):
1317         (Type.is_enum_class):
1318         (Type.declaration_kind):
1319         (Type.qualified_prefix):
1320         (Type.qualified_prefix.is):
1321         (Type.type_name):
1322         (Type.storage_type):
1323         (Type.borrow_type):
1324         (Type.argument_type):
1325         (check_properties):
1326         (VectorType):
1327         (VectorType.__init__):
1328         (VectorType.has_flag):
1329         (VectorType.is_struct):
1330         (VectorType.is_enum):
1331         (VectorType.is_enum_class):
1332         (VectorType.qualified_prefix):
1333         (VectorType.type_name):
1334         (VectorType.argument_type):
1335         (InputsModel):
1336         (InputsModel.__init__):
1337         (InputsModel.enum_types):
1338         (InputsModel.get_type_for_member):
1339         (InputsModel.parse_toplevel):
1340         (InputsModel.parse_type_with_framework_name):
1341         (InputsModel.parse_input):
1342         (InputsModel.typecheck):
1343         (InputsModel.typecheck_type):
1344         (InputsModel.typecheck_input):
1345         (InputsModel.typecheck_input_member):
1346         (IncrementalFileWriter):
1347         (IncrementalFileWriter.__init__):
1348         (IncrementalFileWriter.write):
1349         (IncrementalFileWriter.close):
1350         (lcfirst):
1351         (wrap_with_guard):
1352         (Generator):
1353         (Generator.__init__):
1354         (Generator.setting):
1355         (Generator.output_filename):
1356         (Generator.write_output_files):
1357         (Generator.generate_header):
1358         (Generator.generate_implementation):
1359         (Generator.generate_license):
1360         (Generator.generate_includes):
1361         (Generator.generate_includes.declaration):
1362         (Generator.generate_includes.declaration.is):
1363         (Generator.generate_type_forward_declarations):
1364         (Generator.generate_type_forward_declarations.is):
1365         (Generator.generate_class_declaration):
1366         (Generator.generate_input_constructor_declaration):
1367         (Generator.generate_input_destructor_declaration):
1368         (Generator.generate_input_member_getter):
1369         (Generator.generate_input_member_declaration):
1370         (Generator.generate_input_member_tuples):
1371         (Generator.qualified_input_name):
1372         (Generator.generate_input_trait_declaration):
1373         (Generator.generate_enum_trait_declaration):
1374         (Generator.generate_for_each_macro):
1375         (Generator.generate_class_implementation):
1376         (Generator.generate_enum_trait_implementation):
1377         (Generator.generate_enum_trait_implementation.is):
1378         (Generator.generate_input_trait_implementation):
1379         (Generator.generate_input_encode_implementation):
1380         (Generator.generate_input_decode_implementation):
1381         (Generator.generate_constructor_initializer_list):
1382         (Generator.generate_constructor_formals_list):
1383         (Generator.generate_member_borrow_expression):
1384         (Generator.generate_member_move_expression):
1385         (Generator.generate_constructor_arguments_list):
1386         (generate_from_specification):
1387         * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Added.
1388         (Templates):
1389         * replay/scripts/tests/expected/JSInputs.json-TestReplayInputs.cpp: Added.
1390         * replay/scripts/tests/expected/JSInputs.json-TestReplayInputs.h: Added.
1391         * replay/scripts/tests/expected/fail-on-c-style-enum-no-storage.json-error: Added.
1392         * replay/scripts/tests/expected/fail-on-duplicate-input-names.json-error: Added.
1393         * replay/scripts/tests/expected/fail-on-duplicate-type-names.json-error: Added.
1394         * replay/scripts/tests/expected/fail-on-enum-type-missing-values.json-error: Added.
1395         * replay/scripts/tests/expected/fail-on-missing-input-member-name.json-error: Added.
1396         * replay/scripts/tests/expected/fail-on-missing-input-name.json-error: Added.
1397         * replay/scripts/tests/expected/fail-on-missing-input-queue.json-error: Added.
1398         * replay/scripts/tests/expected/fail-on-missing-type-mode.json-error: Added.
1399         * replay/scripts/tests/expected/fail-on-missing-type-name.json-error: Added.
1400         * replay/scripts/tests/expected/fail-on-no-inputs.json-error: Added.
1401         * replay/scripts/tests/expected/fail-on-no-types.json-error: Added.
1402         * replay/scripts/tests/expected/fail-on-unknown-input-queue.json-error: Added.
1403         * replay/scripts/tests/expected/fail-on-unknown-member-type.json-error: Added.
1404         * replay/scripts/tests/expected/fail-on-unknown-type-mode.json-error: Added.
1405         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp: Added.
1406         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h: Added.
1407         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp: Added.
1408         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h: Added.
1409         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-error: Added.
1410         * replay/scripts/tests/expected/generate-event-loop-shape-types.json-error: Added.
1411         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp: Added.
1412         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h: Added.
1413         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp: Added.
1414         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Added.
1415         * replay/scripts/tests/expected/generate-inputs-with-flags.json-error: Added.
1416         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp: Added.
1417         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h: Added.
1418         * replay/scripts/tests/fail-on-c-style-enum-no-storage.json: Added.
1419         * replay/scripts/tests/fail-on-duplicate-input-names.json: Added.
1420         * replay/scripts/tests/fail-on-duplicate-type-names.json: Added.
1421         * replay/scripts/tests/fail-on-enum-type-missing-values.json: Added.
1422         * replay/scripts/tests/fail-on-missing-input-member-name.json: Added.
1423         * replay/scripts/tests/fail-on-missing-input-name.json: Added.
1424         * replay/scripts/tests/fail-on-missing-input-queue.json: Added.
1425         * replay/scripts/tests/fail-on-missing-type-mode.json: Added.
1426         * replay/scripts/tests/fail-on-missing-type-name.json: Added.
1427         * replay/scripts/tests/fail-on-no-inputs.json: Added.
1428         * replay/scripts/tests/fail-on-no-types.json: Added.
1429         * replay/scripts/tests/fail-on-unknown-input-queue.json: Added.
1430         * replay/scripts/tests/fail-on-unknown-member-type.json: Added.
1431         * replay/scripts/tests/fail-on-unknown-type-mode.json: Added.
1432         * replay/scripts/tests/generate-enum-encoding-helpers-with-guarded-values.json: Added.
1433         * replay/scripts/tests/generate-enum-encoding-helpers.json: Added.
1434         * replay/scripts/tests/generate-event-loop-shape-types.json: Added.
1435         * replay/scripts/tests/generate-input-with-guard.json: Added.
1436         * replay/scripts/tests/generate-input-with-vector-members.json: Added.
1437         * replay/scripts/tests/generate-inputs-with-flags.json: Added.
1438         * replay/scripts/tests/generate-memoized-type-modes.json: Added.
1439
1440 2014-02-11  Joseph Pecoraro  <pecoraro@apple.com>
1441
1442         Add Availability Macros to new JSC APIs
1443         https://bugs.webkit.org/show_bug.cgi?id=128615
1444
1445         Reviewed by Mark Rowe.
1446
1447         * API/JSContext.h:
1448         * API/JSContextRef.h:
1449
1450 2014-02-11  Filip Pizlo  <fpizlo@apple.com>
1451
1452         FTL should support CompareEq(ObjectOrOther:, Object:)
1453         https://bugs.webkit.org/show_bug.cgi?id=127752
1454
1455         Reviewed by Oliver Hunt.
1456         
1457         Also introduce some helpers for reasoning about nullness and truthiness.
1458
1459         * ftl/FTLCapabilities.cpp:
1460         (JSC::FTL::canCompile):
1461         * ftl/FTLLowerDFGToLLVM.cpp:
1462         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
1463         (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
1464         (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
1465         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
1466         (JSC::FTL::LowerDFGToLLVM::isNotNully):
1467         (JSC::FTL::LowerDFGToLLVM::isNully):
1468         (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
1469         * tests/stress/compare-eq-object-or-other-to-object.js: Added.
1470         (foo):
1471         (test):
1472         * tests/stress/compare-eq-object-to-object-or-other.js: Added.
1473         (foo):
1474         (test):
1475
1476 2014-02-11  Mark Hahnenberg  <mhahnenberg@apple.com>
1477
1478         32-bit LLInt writeBarrierOnGlobalObject is wrong
1479         https://bugs.webkit.org/show_bug.cgi?id=128556
1480
1481         Reviewed by Geoffrey Garen.
1482
1483         * llint/LowLevelInterpreter32_64.asm:
1484         * llint/LowLevelInterpreter64.asm: Also fixed the value check on 64-bit.
1485
1486 2014-02-11  Gabor Rapcsanyi  <rgabor@webkit.org>
1487
1488         LLInt typo error after r139004.
1489         https://bugs.webkit.org/show_bug.cgi?id=128592
1490
1491         Reviewed by Michael Saboff.
1492
1493         * offlineasm/arm.rb: change immediate to register in the condition
1494
1495 2014-02-10  Filip Pizlo  <fpizlo@apple.com>
1496
1497         LICM should gracefully handle unprofiled code
1498         https://bugs.webkit.org/show_bug.cgi?id=127848
1499
1500         Reviewed by Mark Hahnenberg.
1501
1502         * dfg/DFGLICMPhase.cpp:
1503         (JSC::DFG::LICMPhase::run):
1504
1505 2014-02-11  Mark Hahnenberg  <mhahnenberg@apple.com>
1506
1507         Obj-C API: JSExport doesn't work for methods that contain protocols in their type signature
1508         https://bugs.webkit.org/show_bug.cgi?id=128540
1509
1510         Reviewed by Oliver Hunt.
1511
1512         The bug is in parseObjCType in ObjcRuntimeExtras.h. When we see an '@' in the 
1513         type signature of a method, we assume that what follows the '@' is a class name, 
1514         so we call objc_getClass, and if that returns nil then we give up on the method 
1515         and don't export it.
1516
1517         This assumption doesn't work in the case of id<Protocol> because it's the name 
1518         of the protocol that follows the '@', not the name of a class. We should have 
1519         another fallback case for protocol names.
1520
1521         There's another case that also doesn't work, and that's the case of a named class 
1522         with a specified prototype in a method signature (e.g. NSObject<MyProtocol>). 
1523         There the substring of the type signature that represents the class is "NSObject<MyProtocol>", 
1524         which will also cause objc_getClass to return nil.
1525
1526         * API/ObjcRuntimeExtras.h:
1527         (parseObjCType):
1528         * API/tests/DateTests.mm: Also fixed an issue I noticed where we don't use an autorelease pool
1529         for the DateTests.
1530         * API/tests/JSExportTests.h: Added.
1531         * API/tests/JSExportTests.mm: Added.
1532         (-[TruthTeller returnTrue]):
1533         (-[ExportMethodWithIdProtocol methodWithIdProtocol:]):
1534         (-[ExportMethodWithClassProtocol methodWithClassProtocol:]):
1535         (+[JSExportTests exportInstanceMethodWithIdProtocolTest]):
1536         (+[JSExportTests exportInstanceMethodWithClassProtocolTest]):
1537         (runJSExportTests):
1538         * API/tests/testapi.mm:
1539         * JavaScriptCore.xcodeproj/project.pbxproj:
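
Added example, not WebKit's parseObjCType and not part of this ChangeLog: a small C++ parser for the object part of an Objective-C method type encoding that distinguishes the three cases the entry above describes. It assumes the standard encodings, in which a typed object appears as @"ClassName", a protocol-qualified id as @"<Protocol>" and a class with protocols as @"ClassName<Protocol>"; the type and function names are hypothetical, and the encoded signatures used as input are constructed.

```cpp
// Added example, not WebKit's parseObjCType: classify the object part of an
// Objective-C method type encoding. Type and function names are hypothetical.
#include <cstddef>
#include <string>
#include <vector>

enum class ObjCObjectKind {
    PlainId,              // "@"                         untyped id
    NamedClass,           // "@\"NSString\""             objc_getClass works
    ProtocolQualifiedId,  // "@\"<MyProtocol>\""         id<MyProtocol>: no class name
    ClassWithProtocol     // "@\"NSObject<MyProtocol>\"" class plus protocols
};

struct ObjCObjectType {
    ObjCObjectKind kind;
    std::string className;              // what to hand to objc_getClass
    std::vector<std::string> protocols; // what to hand to objc_getProtocol
    bool ok;                            // false for a malformed encoding
};

// Parses one object type at the start of `encoding`. `consumed` receives the
// number of characters used so a caller can continue with the rest of the signature.
ObjCObjectType parseObjCObjectType(const std::string& encoding, size_t& consumed)
{
    ObjCObjectType result{ObjCObjectKind::PlainId, "", {}, false};
    consumed = 0;
    if (encoding.empty() || encoding[0] != '@')
        return result;
    consumed = 1;
    // A bare '@' (typically followed by a frame offset such as "@0") is a plain id.
    if (consumed >= encoding.size() || encoding[consumed] != '"') {
        result.ok = true;
        return result;
    }
    size_t closingQuote = encoding.find('"', consumed + 1);
    if (closingQuote == std::string::npos)
        return result; // unterminated quoted name
    std::string name = encoding.substr(consumed + 1, closingQuote - consumed - 1);
    consumed = closingQuote + 1;

    // Everything before the first '<' is the class name (empty for id<...>).
    size_t angle = name.find('<');
    result.className = angle == std::string::npos ? name : name.substr(0, angle);
    // Each <Protocol> group adds one protocol; "<A><B>" lists two.
    size_t pos = angle;
    while (pos != std::string::npos) {
        size_t close = name.find('>', pos);
        if (close == std::string::npos)
            return result; // unterminated protocol list
        result.protocols.push_back(name.substr(pos + 1, close - pos - 1));
        pos = name.find('<', close);
    }
    if (result.className.empty() && result.protocols.empty())
        return result; // "@\"\"" names nothing to look up
    if (result.protocols.empty())
        result.kind = ObjCObjectKind::NamedClass;
    else if (result.className.empty())
        result.kind = ObjCObjectKind::ProtocolQualifiedId;
    else
        result.kind = ObjCObjectKind::ClassWithProtocol;
    result.ok = true;
    return result;
}

// Walks a whole method type string such as "v24@0:8@\"NSObject<MyProtocol>\"16"
// (constructed sample) and returns every object-typed slot in order; other
// type codes and frame offsets are skipped.
std::vector<ObjCObjectType> objectTypesInSignature(const std::string& signature)
{
    std::vector<ObjCObjectType> found;
    size_t i = 0;
    while (i < signature.size()) {
        if (signature[i] != '@') {
            ++i;
            continue;
        }
        size_t consumed = 0;
        found.push_back(parseObjCObjectType(signature.substr(i), consumed));
        i += consumed ? consumed : 1;
    }
    return found;
}
```

An exporter in the style of JSExport would call objc_getClass only for NamedClass and ClassWithProtocol results, using className rather than the whole quoted substring, and objc_getProtocol for each entry in protocols; a malformed encoding comes back with ok == false rather than a partial name that would silently fail the class lookup.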
1540
1541 2014-02-10  Michael Saboff  <msaboff@apple.com>
1542
1543         Re-enable ARM Thumb2 disassembler
1544         https://bugs.webkit.org/show_bug.cgi?id=128577
1545
1546         Reviewed by Filip Pizlo.
1547
1548         Changed signature of tryToDisassemble() to match updates.
1549         Fixed typo in disassembler.
1550
1551         * disassembler/ARMv7/ARMv7DOpcode.cpp:
1552         * disassembler/ARMv7Disassembler.cpp:
1553         (JSC::tryToDisassemble):
1554
1555 2014-02-10  Mark Lam  <mark.lam@apple.com>
1556
1557         Removing limitation on JSLock's lockDropDepth.
1558         <https://webkit.org/b/128570>
1559
1560         Reviewed by Geoffrey Garen.
1561
1562         Now that we've switched to using the C stack, we no longer need to limit
1563         the JSLock::lockDropDepth to 2.
1564
1565         For C loop builds which still use the separate JSStack, the JSLock will
1566         enforce ordering for re-grabbing the lock after dropping it. Re-grabbing
1567         must occur in the reverse order of the dropping of the locks.
1568
1569         Ordering is achieved by JSLock::dropAllLocks() stashing away the
1570         JSLock::m_lockDropDepth in its DropAllLocks instance's m_dropDepth
1571         before unlocking the lock. Subsequently, JSLock::grabAllLocks() will
1572         ensure that JSLock::m_lockDropDepth equals its DropAllLocks instance's
1573         m_dropDepth before allowing the lock to be re-grabbed. Otherwise, it
1574         will yield execution and retry again later.
1575
1576         Note: because JSLock::m_lockDropDepth is protected by the JSLock's
1577         mutex, grabAllLocks() will optimistically lock the JSLock before doing
1578         the check on m_lockDropDepth. If the check fails, it will unlock the
1579         JSLock, yield, and then relock it again later before retrying the check.
1580         This ensures that m_lockDropDepth remains under the protection of the
1581         JSLock's mutex.
1582
1583         * runtime/JSLock.cpp:
1584         (JSC::JSLock::dropAllLocks):
1585         (JSC::JSLock::grabAllLocks):
1586         (JSC::JSLock::DropAllLocks::DropAllLocks):
1587         (JSC::JSLock::DropAllLocks::~DropAllLocks):
1588         * runtime/JSLock.h:
1589         (JSC::JSLock::DropAllLocks::setDropDepth):
1590         (JSC::JSLock::DropAllLocks::dropDepth):
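
Added example, not the JSLock code this entry changes and not part of this ChangeLog: a single-threaded C++ model of the drop-depth handshake described above. It shows dropAllLocks() stashing the depth in its dropper, the optimistic relock followed by the depth check under the lock, and why only reverse-order regrabbing is accepted. The class and function names are hypothetical, the OS mutex is replaced by an entry counter, and tryGrabAllLocks() returns false where the real grabAllLocks() would yield and retry.

```cpp
// Added example, not WebKit's JSLock: a single-threaded model of the drop-depth
// ordering rule. Names are hypothetical; the real lock wraps an OS mutex and
// grabAllLocks() yields and retries instead of returning false.
class ModelJSLock;

// RAII helper in the DropAllLocks role: drops every entry on construction and
// takes them back on destruction.
class ModelDropAllLocks {
public:
    explicit ModelDropAllLocks(ModelJSLock& lock);
    ~ModelDropAllLocks();
    bool tryRegrab();                       // one optimistic attempt
    unsigned dropDepth() const { return m_dropDepth; }
    void setDropDepth(unsigned depth) { m_dropDepth = depth; }
private:
    ModelJSLock& m_lock;
    unsigned m_droppedLockCount = 0;
    unsigned m_dropDepth = 0;
    bool m_regrabbed = false;
};

class ModelJSLock {
public:
    // Re-entrant: entries are counted; the OS mutex is not modelled.
    void lock(unsigned entryCount = 1) { m_lockCount += entryCount; }
    void unlock(unsigned entryCount = 1) { m_lockCount -= entryCount; }
    unsigned lockCount() const { return m_lockCount; }
    unsigned lockDropDepth() const { return m_lockDropDepth; }

    // Stash the new depth in the dropper, then release every entry at once.
    unsigned dropAllLocks(ModelDropAllLocks& dropper)
    {
        if (!m_lockCount)
            return 0;
        ++m_lockDropDepth;
        dropper.setDropDepth(m_lockDropDepth);
        unsigned dropped = m_lockCount;
        unlock(dropped);
        return dropped;
    }

    // Optimistically relock, then compare depths while the lock is held.
    // A mismatch means an inner dropper has not regrabbed yet: back off.
    bool tryGrabAllLocks(ModelDropAllLocks& dropper, unsigned droppedLockCount)
    {
        if (!droppedLockCount)
            return true;
        lock(droppedLockCount);
        if (dropper.dropDepth() != m_lockDropDepth) {
            unlock(droppedLockCount);   // the real code yields here and retries
            return false;
        }
        --m_lockDropDepth;
        return true;
    }

private:
    unsigned m_lockCount = 0;
    unsigned m_lockDropDepth = 0;
};

ModelDropAllLocks::ModelDropAllLocks(ModelJSLock& lock)
    : m_lock(lock)
{
    m_droppedLockCount = m_lock.dropAllLocks(*this);
}

bool ModelDropAllLocks::tryRegrab()
{
    if (!m_regrabbed && m_lock.tryGrabAllLocks(*this, m_droppedLockCount))
        m_regrabbed = true;
    return m_regrabbed;
}

ModelDropAllLocks::~ModelDropAllLocks()
{
    tryRegrab();   // the real destructor loops until the regrab is allowed
}

struct OrderingDemo {
    bool outerFirstAllowed;        // regrab attempted out of order
    bool innerFirstAllowed;        // innermost dropper goes first
    bool outerAfterInnerAllowed;   // then the outer one
    unsigned lockCountAfterRegrab; // every dropped entry is back
    unsigned dropDepthAfterRegrab; // depth counter back to zero
};

// Holds the lock, drops it twice in a nested fashion (as a nested run loop
// would), then shows that only reverse-order regrabbing is accepted.
OrderingDemo runOrderingDemo()
{
    ModelJSLock jsLock;
    OrderingDemo r{};
    jsLock.lock();                         // outermost API entry
    {
        ModelDropAllLocks outer(jsLock);   // depth becomes 1, 1 entry dropped
        jsLock.lock(2);                    // re-entered twice by a callback (modelled)
        ModelDropAllLocks inner(jsLock);   // depth becomes 2, 2 entries dropped
        r.outerFirstAllowed = outer.tryRegrab();      // 1 != 2: refused
        r.innerFirstAllowed = inner.tryRegrab();      // 2 == 2: ok, depth -> 1
        r.outerAfterInnerAllowed = outer.tryRegrab(); // 1 == 1: ok, depth -> 0
        r.lockCountAfterRegrab = jsLock.lockCount();
        r.dropDepthAfterRegrab = jsLock.lockDropDepth();
        jsLock.unlock(2);                  // undo the modelled re-entry
    }
    jsLock.unlock();
    return r;
}
```

The depth check runs only after the relock, so m_lockDropDepth is never read outside the lock's protection; an out-of-order caller pays one relock and unlock per attempt, which is why the real code yields between retries rather than spinning.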
1591
1592 2014-02-10  Filip Pizlo  <fpizlo@apple.com>
1593
1594         FTL should support ToThis
1595         https://bugs.webkit.org/show_bug.cgi?id=127751
1596
1597         Reviewed by Oliver Hunt.
1598
1599         * ftl/FTLCapabilities.cpp:
1600         (JSC::FTL::canCompile):
1601         * ftl/FTLIntrinsicRepository.h:
1602         * ftl/FTLLowerDFGToLLVM.cpp:
1603         (JSC::FTL::LowerDFGToLLVM::compileNode):
1604         (JSC::FTL::LowerDFGToLLVM::compileToThis):
1605         * tests/stress/to-this-polymorphic.js: Added.
1606         (foo):
1607
1608 2014-02-10  Filip Pizlo  <fpizlo@apple.com>
1609
1610         Rename Operations.h to JSCInlines.h
1611         https://bugs.webkit.org/show_bug.cgi?id=128543
1612
1613         Rubber stamped by Geoffrey Garen.
1614         
1615         Well, what this actually does is it splits Operations.h into a real Operations.h that
1616         actually contains "operations", and JSCInlines.h, which serves the role of being an
1617         inlines umbrella.
1618         
1619         * API/JSBase.cpp:
1620         * API/JSCTestRunnerUtils.cpp:
1621         * API/JSCallbackConstructor.cpp:
1622         * API/JSCallbackFunction.cpp:
1623         * API/JSCallbackObject.cpp:
1624         * API/JSClassRef.cpp:
1625         * API/JSContext.mm:
1626         * API/JSContextRef.cpp:
1627         * API/JSManagedValue.mm:
1628         * API/JSObjectRef.cpp:
1629         * API/JSScriptRef.cpp:
1630         * API/JSValue.mm:
1631         * API/JSValueRef.cpp:
1632         * API/JSWeakObjectMapRefPrivate.cpp:
1633         * API/JSWrapperMap.mm:
1634         * GNUmakefile.list.am:
1635         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1636         * JavaScriptCore.xcodeproj/project.pbxproj:
1637         * assembler/LinkBuffer.cpp:
1638         * bindings/ScriptFunctionCall.cpp:
1639         * bindings/ScriptObject.cpp:
1640         * bytecode/ArrayAllocationProfile.cpp:
1641         * bytecode/ArrayProfile.cpp:
1642         * bytecode/BytecodeBasicBlock.cpp:
1643         * bytecode/CallLinkInfo.cpp:
1644         * bytecode/CallLinkStatus.cpp:
1645         * bytecode/CodeBlock.cpp:
1646         * bytecode/CodeBlockJettisoningWatchpoint.cpp:
1647         * bytecode/CodeOrigin.cpp:
1648         * bytecode/ExecutionCounter.cpp:
1649         * bytecode/GetByIdStatus.cpp:
1650         * bytecode/LazyOperandValueProfile.cpp:
1651         * bytecode/MethodOfGettingAValueProfile.cpp:
1652         * bytecode/PreciseJumpTargets.cpp:
1653         * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
1654         * bytecode/PutByIdStatus.cpp:
1655         * bytecode/SamplingTool.cpp:
1656         * bytecode/SpecialPointer.cpp:
1657         * bytecode/SpeculatedType.cpp:
1658         * bytecode/StructureStubClearingWatchpoint.cpp:
1659         * bytecode/UnlinkedCodeBlock.cpp:
1660         * bytecode/ValueRecovery.cpp:
1661         * bytecompiler/BytecodeGenerator.cpp:
1662         * bytecompiler/NodesCodegen.cpp:
1663         * debugger/Debugger.cpp:
1664         * debugger/DebuggerActivation.cpp:
1665         * debugger/DebuggerCallFrame.cpp:
1666         * dfg/DFGAbstractHeap.cpp:
1667         * dfg/DFGAbstractValue.cpp:
1668         * dfg/DFGArgumentsSimplificationPhase.cpp:
1669         * dfg/DFGArithMode.cpp:
1670         * dfg/DFGArrayMode.cpp:
1671         * dfg/DFGAtTailAbstractState.cpp:
1672         * dfg/DFGAvailability.cpp:
1673         * dfg/DFGBackwardsPropagationPhase.cpp:
1674         * dfg/DFGBasicBlock.cpp:
1675         * dfg/DFGBinarySwitch.cpp:
1676         * dfg/DFGBlockInsertionSet.cpp:
1677         * dfg/DFGByteCodeParser.cpp:
1678         * dfg/DFGCFAPhase.cpp:
1679         * dfg/DFGCFGSimplificationPhase.cpp:
1680         * dfg/DFGCPSRethreadingPhase.cpp:
1681         * dfg/DFGCSEPhase.cpp:
1682         * dfg/DFGCapabilities.cpp:
1683         * dfg/DFGClobberSet.cpp:
1684         * dfg/DFGClobberize.cpp:
1685         * dfg/DFGCommon.cpp:
1686         * dfg/DFGCommonData.cpp:
1687         * dfg/DFGCompilationKey.cpp:
1688         * dfg/DFGCompilationMode.cpp:
1689         * dfg/DFGConstantFoldingPhase.cpp:
1690         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
1691         * dfg/DFGDCEPhase.cpp:
1692         * dfg/DFGDesiredIdentifiers.cpp:
1693         * dfg/DFGDesiredStructureChains.cpp:
1694         * dfg/DFGDesiredTransitions.cpp:
1695         * dfg/DFGDesiredWatchpoints.cpp:
1696         * dfg/DFGDesiredWeakReferences.cpp:
1697         * dfg/DFGDesiredWriteBarriers.cpp:
1698         * dfg/DFGDisassembler.cpp:
1699         * dfg/DFGDominators.cpp:
1700         * dfg/DFGDriver.cpp:
1701         * dfg/DFGEdge.cpp:
1702         * dfg/DFGFailedFinalizer.cpp:
1703         * dfg/DFGFinalizer.cpp:
1704         * dfg/DFGFixupPhase.cpp:
1705         * dfg/DFGFlushFormat.cpp:
1706         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
1707         * dfg/DFGFlushedAt.cpp:
1708         * dfg/DFGGraph.cpp:
1709         * dfg/DFGGraphSafepoint.cpp:
1710         * dfg/DFGInPlaceAbstractState.cpp:
1711         * dfg/DFGInvalidationPointInjectionPhase.cpp:
1712         * dfg/DFGJITCode.cpp:
1713         * dfg/DFGJITCompiler.cpp:
1714         * dfg/DFGJITFinalizer.cpp:
1715         * dfg/DFGJumpReplacement.cpp:
1716         * dfg/DFGLICMPhase.cpp:
1717         * dfg/DFGLazyJSValue.cpp:
1718         * dfg/DFGLivenessAnalysisPhase.cpp:
1719         * dfg/DFGLongLivedState.cpp:
1720         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
1721         * dfg/DFGMinifiedNode.cpp:
1722         * dfg/DFGNaturalLoops.cpp:
1723         * dfg/DFGNode.cpp:
1724         * dfg/DFGNodeFlags.cpp:
1725         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
1726         * dfg/DFGOSREntry.cpp:
1727         * dfg/DFGOSREntrypointCreationPhase.cpp:
1728         * dfg/DFGOSRExit.cpp:
1729         * dfg/DFGOSRExitBase.cpp:
1730         * dfg/DFGOSRExitCompiler.cpp:
1731         * dfg/DFGOSRExitCompiler32_64.cpp:
1732         * dfg/DFGOSRExitCompiler64.cpp:
1733         * dfg/DFGOSRExitCompilerCommon.cpp:
1734         * dfg/DFGOSRExitJumpPlaceholder.cpp:
1735         * dfg/DFGOSRExitPreparation.cpp:
1736         * dfg/DFGOperations.cpp:
1737         * dfg/DFGPhase.cpp:
1738         * dfg/DFGPlan.cpp:
1739         * dfg/DFGPredictionInjectionPhase.cpp:
1740         * dfg/DFGPredictionPropagationPhase.cpp:
1741         * dfg/DFGResurrectionForValidationPhase.cpp:
1742         * dfg/DFGSSAConversionPhase.cpp:
1743         * dfg/DFGSSALoweringPhase.cpp:
1744         * dfg/DFGSafepoint.cpp:
1745         * dfg/DFGSpeculativeJIT.cpp:
1746         * dfg/DFGSpeculativeJIT32_64.cpp:
1747         * dfg/DFGSpeculativeJIT64.cpp:
1748         * dfg/DFGStackLayoutPhase.cpp:
1749         * dfg/DFGStoreBarrierElisionPhase.cpp:
1750         * dfg/DFGStrengthReductionPhase.cpp:
1751         * dfg/DFGThreadData.cpp:
1752         * dfg/DFGThunks.cpp:
1753         * dfg/DFGTierUpCheckInjectionPhase.cpp:
1754         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
1755         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
1756         * dfg/DFGTypeCheckHoistingPhase.cpp:
1757         * dfg/DFGUnificationPhase.cpp:
1758         * dfg/DFGUseKind.cpp:
1759         * dfg/DFGValidate.cpp:
1760         * dfg/DFGValueSource.cpp:
1761         * dfg/DFGVariableAccessDataDump.cpp:
1762         * dfg/DFGVariableEvent.cpp:
1763         * dfg/DFGVariableEventStream.cpp:
1764         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
1765         * dfg/DFGWatchpointCollectionPhase.cpp:
1766         * dfg/DFGWorklist.cpp:
1767         * ftl/FTLAbstractHeap.cpp:
1768         * ftl/FTLAbstractHeapRepository.cpp:
1769         * ftl/FTLExitValue.cpp:
1770         * ftl/FTLLink.cpp:
1771         * ftl/FTLLowerDFGToLLVM.cpp:
1772         * ftl/FTLOSREntry.cpp:
1773         * ftl/FTLOSRExit.cpp:
1774         * ftl/FTLOSRExitCompiler.cpp:
1775         * ftl/FTLSlowPathCall.cpp:
1776         * heap/BlockAllocator.cpp:
1777         * heap/CodeBlockSet.cpp:
1778         * heap/ConservativeRoots.cpp:
1779         * heap/CopiedSpace.cpp:
1780         * heap/CopyVisitor.cpp:
1781         * heap/DeferGC.cpp:
1782         * heap/GCThread.cpp:
1783         * heap/GCThreadSharedData.cpp:
1784         * heap/HandleSet.cpp:
1785         * heap/HandleStack.cpp:
1786         * heap/Heap.cpp:
1787         * heap/HeapStatistics.cpp:
1788         * heap/HeapTimer.cpp:
1789         * heap/IncrementalSweeper.cpp:
1790         * heap/JITStubRoutineSet.cpp:
1791         * heap/MachineStackMarker.cpp:
1792         * heap/MarkStack.cpp:
1793         * heap/MarkedAllocator.cpp:
1794         * heap/MarkedBlock.cpp:
1795         * heap/MarkedSpace.cpp:
1796         * heap/SlotVisitor.cpp:
1797         * heap/SuperRegion.cpp:
1798         * heap/Weak.cpp:
1799         * heap/WeakBlock.cpp:
1800         * heap/WeakHandleOwner.cpp:
1801         * heap/WeakSet.cpp:
1802         * heap/WriteBarrierBuffer.cpp:
1803         * heap/WriteBarrierSupport.cpp:
1804         * inspector/InjectedScript.cpp:
1805         * inspector/InjectedScriptBase.cpp:
1806         * inspector/JSGlobalObjectScriptDebugServer.cpp:
1807         * inspector/JSInjectedScriptHost.cpp:
1808         * inspector/ScriptArguments.cpp:
1809         * inspector/ScriptCallStackFactory.cpp:
1810         * interpreter/AbstractPC.cpp:
1811         * interpreter/CallFrame.cpp:
1812         * interpreter/Interpreter.cpp:
1813         * interpreter/JSStack.cpp:
1814         * interpreter/ProtoCallFrame.cpp:
1815         * interpreter/StackVisitor.cpp:
1816         * interpreter/VMInspector.cpp:
1817         * jit/ArityCheckFailReturnThunks.cpp:
1818         * jit/AssemblyHelpers.cpp:
1819         * jit/ClosureCallStubRoutine.cpp:
1820         * jit/ExecutableAllocator.cpp:
1821         * jit/ExecutableAllocatorFixedVMPool.cpp:
1822         * jit/GCAwareJITStubRoutine.cpp:
1823         * jit/HostCallReturnValue.cpp:
1824         * jit/JIT.cpp:
1825         * jit/JITArithmetic.cpp:
1826         * jit/JITArithmetic32_64.cpp:
1827         * jit/JITCall.cpp:
1828         * jit/JITCall32_64.cpp:
1829         * jit/JITCode.cpp:
1830         * jit/JITDisassembler.cpp:
1831         * jit/JITExceptions.cpp:
1832         * jit/JITInlineCacheGenerator.cpp:
1833         * jit/JITInlines.h:
1834         * jit/JITOperations.cpp:
1835         * jit/JITOperationsMSVC64.cpp:
1836         * jit/JITStubRoutine.cpp:
1837         * jit/JITStubs.cpp:
1838         * jit/JITThunks.cpp:
1839         * jit/JITToDFGDeferredCompilationCallback.cpp:
1840         * jit/RegisterPreservationWrapperGenerator.cpp:
1841         * jit/RegisterSet.cpp:
1842         * jit/Repatch.cpp:
1843         * jit/TempRegisterSet.cpp:
1844         * jit/ThunkGenerators.cpp:
1845         * jsc.cpp:
1846         * llint/LLIntExceptions.cpp:
1847         * llint/LLIntSlowPaths.cpp:
1848         * llint/LowLevelInterpreter.cpp:
1849         * parser/Lexer.cpp:
1850         * parser/Nodes.cpp:
1851         * parser/Parser.cpp:
1852         * parser/ParserArena.cpp:
1853         * parser/SourceCode.cpp:
1854         * parser/SourceProvider.cpp:
1855         * parser/SourceProviderCache.cpp:
1856         * profiler/LegacyProfiler.cpp:
1857         * profiler/ProfileGenerator.cpp:
1858         * profiler/ProfilerBytecode.cpp:
1859         * profiler/ProfilerBytecodeSequence.cpp:
1860         * profiler/ProfilerBytecodes.cpp:
1861         * profiler/ProfilerCompilation.cpp:
1862         * profiler/ProfilerCompiledBytecode.cpp:
1863         * profiler/ProfilerDatabase.cpp:
1864         * profiler/ProfilerOSRExit.cpp:
1865         * profiler/ProfilerOSRExitSite.cpp:
1866         * profiler/ProfilerOrigin.cpp:
1867         * profiler/ProfilerOriginStack.cpp:
1868         * profiler/ProfilerProfiledBytecodes.cpp:
1869         * runtime/ArgList.cpp:
1870         * runtime/Arguments.cpp:
1871         * runtime/ArgumentsIteratorPrototype.cpp:
1872         * runtime/ArrayBuffer.cpp:
1873         * runtime/ArrayBufferNeuteringWatchpoint.cpp:
1874         * runtime/ArrayConstructor.cpp:
1875         * runtime/ArrayPrototype.cpp:
1876         * runtime/BooleanConstructor.cpp:
1877         * runtime/BooleanObject.cpp:
1878         * runtime/BooleanPrototype.cpp:
1879         * runtime/CallData.cpp:
1880         * runtime/CodeCache.cpp:
1881         * runtime/CommonSlowPaths.cpp:
1882         * runtime/CommonSlowPathsExceptions.cpp:
1883         * runtime/Completion.cpp:
1884         * runtime/ConstructData.cpp:
1885         * runtime/DateConstructor.cpp:
1886         * runtime/DateInstance.cpp:
1887         * runtime/DatePrototype.cpp:
1888         * runtime/Error.cpp:
1889         * runtime/ErrorConstructor.cpp:
1890         * runtime/ErrorInstance.cpp:
1891         * runtime/ErrorPrototype.cpp:
1892         * runtime/ExceptionHelpers.cpp:
1893         * runtime/Executable.cpp:
1894         * runtime/FunctionConstructor.cpp:
1895         * runtime/FunctionPrototype.cpp:
1896         * runtime/GetterSetter.cpp:
1897         * runtime/Identifier.cpp:
1898         * runtime/IntendedStructureChain.cpp:
1899         * runtime/InternalFunction.cpp:
1900         * runtime/JSActivation.cpp:
1901         * runtime/JSArgumentsIterator.cpp:
1902         * runtime/JSArray.cpp:
1903         * runtime/JSArrayBuffer.cpp:
1904         * runtime/JSArrayBufferConstructor.cpp:
1905         * runtime/JSArrayBufferPrototype.cpp:
1906         * runtime/JSArrayBufferView.cpp:
1907         * runtime/JSBoundFunction.cpp:
1908         * runtime/JSCInlines.h: Copied from Source/JavaScriptCore/runtime/Operations.h.
1909         * runtime/JSCell.cpp:
1910         * runtime/JSDataView.cpp:
1911         * runtime/JSDataViewPrototype.cpp:
1912         * runtime/JSDateMath.cpp:
1913         * runtime/JSFunction.cpp:
1914         * runtime/JSGlobalObject.cpp:
1915         * runtime/JSGlobalObjectFunctions.cpp:
1916         * runtime/JSLock.cpp:
1917         * runtime/JSNameScope.cpp:
1918         * runtime/JSNotAnObject.cpp:
1919         * runtime/JSONObject.cpp:
1920         * runtime/JSObject.cpp:
1921         * runtime/JSPropertyNameIterator.cpp:
1922         * runtime/JSPropertyNameIterator.h:
1923         * runtime/JSProxy.cpp:
1924         * runtime/JSScope.cpp:
1925         * runtime/JSSegmentedVariableObject.cpp:
1926         * runtime/JSString.cpp:
1927         * runtime/JSStringJoiner.cpp:
1928         * runtime/JSSymbolTableObject.cpp:
1929         * runtime/JSTypedArrayConstructors.cpp:
1930         * runtime/JSTypedArrayPrototypes.cpp:
1931         * runtime/JSTypedArrays.cpp:
1932         * runtime/JSVariableObject.cpp:
1933         * runtime/JSWithScope.cpp:
1934         * runtime/JSWrapperObject.cpp:
1935         * runtime/LiteralParser.cpp:
1936         * runtime/Lookup.cpp:
1937         * runtime/MathObject.cpp:
1938         * runtime/NameConstructor.cpp:
1939         * runtime/NameInstance.cpp:
1940         * runtime/NamePrototype.cpp:
1941         * runtime/NativeErrorConstructor.cpp:
1942         * runtime/NativeErrorPrototype.cpp:
1943         * runtime/NumberConstructor.cpp:
1944         * runtime/NumberObject.cpp:
1945         * runtime/NumberPrototype.cpp:
1946         * runtime/ObjectConstructor.cpp:
1947         * runtime/ObjectPrototype.cpp:
1948         * runtime/Operations.cpp:
1949         * runtime/Operations.h:
1950         * runtime/PropertyDescriptor.cpp:
1951         * runtime/PrototypeMap.cpp:
1952         * runtime/RegExp.cpp:
1953         * runtime/RegExpCache.cpp:
1954         * runtime/RegExpCachedResult.cpp:
1955         * runtime/RegExpConstructor.cpp:
1956         * runtime/RegExpMatchesArray.cpp:
1957         * runtime/RegExpObject.cpp:
1958         * runtime/RegExpPrototype.cpp:
1959         * runtime/SimpleTypedArrayController.cpp:
1960         * runtime/SmallStrings.cpp:
1961         * runtime/SparseArrayValueMap.cpp:
1962         * runtime/StrictEvalActivation.cpp:
1963         * runtime/StringConstructor.cpp:
1964         * runtime/StringObject.cpp:
1965         * runtime/StringPrototype.cpp:
1966         * runtime/StringRecursionChecker.cpp:
1967         * runtime/Structure.cpp:
1968         * runtime/StructureChain.cpp:
1969         * runtime/StructureRareData.cpp:
1970         * runtime/SymbolTable.cpp:
1971         * runtime/TestRunnerUtils.cpp:
1972         * runtime/VM.cpp:
1973         * testRegExp.cpp:
1974
1975 2014-02-10  Matthew Mirman  <mmirman@apple.com>
1976
1977         Removes the inline assert from SpeculativeJIT's ReallocatePropertyStorage
1978         https://bugs.webkit.org/show_bug.cgi?id=128566
1979
1980         Reviewed by Filip Pizlo.
1981
1982         * dfg/DFGSpeculativeJIT.cpp:
1983         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1984
1985 2014-02-10  Filip Pizlo  <fpizlo@apple.com>
1986
1987         Rename getRecordMap to computeRecordMap.
1988
1989         Rubber stamped by Michael Saboff.
1990         
1991         "get" is such a weird prefix. It implies a getter. We don't prefix our getters with
1992         anything in WebKit. Also, this isn't a getter. It actually does work to transform
1993         the stackmaps into a hashmap. So, computeRecordMap is a much better name.
1994
1995         * ftl/FTLCompile.cpp:
1996         (JSC::FTL::compile):
1997         * ftl/FTLJITFinalizer.cpp:
1998         (JSC::FTL::JITFinalizer::finalizeFunction):
1999         * ftl/FTLStackMaps.cpp:
2000         (JSC::FTL::StackMaps::computeRecordMap):
2001         * ftl/FTLStackMaps.h:
2002
2003 2014-02-10  Matthew Mirman  <mmirman@apple.com>
2004
2005         ReallocatePropertyStorage in FTL
2006         https://bugs.webkit.org/show_bug.cgi?id=128352
2007
2008         Reviewed by Filip Pizlo.
2009
2010         * ftl/FTLCapabilities.cpp:
2011         (JSC::FTL::canCompile):
2012         * ftl/FTLIntrinsicRepository.h:
2013         * ftl/FTLLowerDFGToLLVM.cpp:
2014         (JSC::FTL::LowerDFGToLLVM::compileNode):
2015         (JSC::FTL::LowerDFGToLLVM::compileReallocatePropertyStorage):
2016         * tests/stress/ftl-reallocatepropertystorage.js: Added.
2017         (foo):
2018
2019 2014-02-10  Michael Saboff  <msaboff@apple.com>
2020
2021         Fail FTL compilation if the required stack is too big
2022         https://bugs.webkit.org/show_bug.cgi?id=128560
2023
2024         Reviewed by Filip Pizlo.
2025
2026         Added StackSize struct to FTLStackMaps and populated it.  Added and updated
2027         related dump functions.  Use the stack size found at the end of the compilation
2028         to compare against the value of a new option, llvmMaxStackSize.  We fail the
2029         compile if the function's stack size is greater than llvmMaxStackSize.
2030
2031         * dfg/DFGPlan.cpp:
2032         (JSC::DFG::Plan::compileInThreadImpl):
2033         * ftl/FTLStackMaps.cpp:
2034         (JSC::FTL::StackMaps::StackSize::parse):
2035         (JSC::FTL::StackMaps::StackSize::dump):
2036         (JSC::FTL::StackMaps::parse):
2037         (JSC::FTL::StackMaps::dump):
2038         (JSC::FTL::StackMaps::dumpMultiline):
2039         (JSC::FTL::StackMaps::getStackSize):
2040         * ftl/FTLStackMaps.h:
2041         * runtime/Options.h:
2042
2043 2014-02-10  Mark Lam  <mark.lam@apple.com>
2044
2045         Change JSLock::dropAllLocks() and friends to use lock() and unlock().
2046         <https://webkit.org/b/128451>
2047
2048         Reviewed by Geoffrey Garen.
2049
2050         Currently, JSLock's dropAllLocks(), dropAllLocksUnconditionally(), and
2051         grabAllLocks() implement locking / unlocking by duplicating the code from
2052         lock() and unlock(). Instead, they should just call lock() and unlock().
2053
2054         * runtime/JSLock.cpp:
2055         (JSC::JSLock::lock):
2056         (JSC::JSLock::unlock):
2057         - Modified lock() and unlock() into a version that takes an entry count
2058           to lock / unlock. The previous lock() and unlock() now call these
2059           new versions with an entry count of 1.
2060
2061         (JSC::JSLock::dropAllLocks):
2062         (JSC::JSLock::dropAllLocksUnconditionally):
2063         (JSC::JSLock::grabAllLocks):
2064         - Delegate to unlock() and lock() instead of duplicating the lock / unlock
2065           code.
2066         - There are some differences with calling lock() instead of duplicating its
2067           code in grabAllLocks(), i.e. lock() does the following additional work:
2068
2069           1. lock() does a re-entry check that is not needed by grabAllLocks().
2070              However, this is effectively a no-op since we never own the JSLock
2071              before calling grabAllLocks().
2072
2073           2. set VM stackPointerAtVMEntry.
2074           3. update VM stackLimit and reservedZoneSize.
2075           4. set VM lastStackTop.
2076              These 3 steps are just busy work which are also effectively no-ops
2077              because immediately after lock() returns, grabAllLocks() will write
2078              over those values with their saved versions in the threadData.
2079
2080         * runtime/JSLock.h:
2081
2082 2014-02-10  Anders Carlsson  <andersca@apple.com>
2083
2084         Try to fix the Windows build.
2085
2086         * heap/UnconditionalFinalizer.h:
2087         * runtime/SymbolTable.h:
2088
2089 2014-02-10  Andreas Kling  <akling@apple.com>
2090
2091         Make the Identifier::add() family return PassRef<StringImpl>.
2092         <https://webkit.org/b/128542>
2093
2094         This knocks one branch off of creating an Identifier from another
2095         string source.
2096
2097         Reviewed by Oliver Hunt.
2098
2099         * runtime/Identifier.cpp:
2100         (JSC::Identifier::add):
2101         (JSC::Identifier::add8):
2102         (JSC::Identifier::addSlowCase):
2103         * runtime/Identifier.h:
2104         (JSC::Identifier::add):
2105         * runtime/Lookup.cpp:
2106         (JSC::HashTable::createTable):
2107
2108 2014-02-09  Mark Lam  <mark.lam@apple.com>
2109
2110         Remove unnecessary spinLock in JSLock.
2111         <https://webkit.org/b/128450>
2112
2113         Reviewed by Filip Pizlo.
2114
2115         The JSLock's mutex already provides protection for write access to
2116         JSLock's internal state. The only JSLock state that needs to be read
2117         from any thread including threads that don't own the JSLock is
2118         m_ownerThread, which is used in currentThreadIsHoldingLock() to do an
2119         ownership test on the lock.
2120
2121         It is safe for other threads to read from m_ownerThread because they
2122         only need to know whether its value matches their own thread id
2123         (provided by WTF::currentThread()).
2124
2125         Here are the scenarios for how the ownership test can go:
2126
2127         1. The JSLock has just been initialized and is not owned by any thread.
2128
2129            In this case, m_ownerThread will be 0 and will not match any thread's
2130            thread id. The checking thread will know that it needs to lock the
2131            JSLock before using the VM.
2132
2133         2. The JSLock was previously locked, but now is unlocked.
2134
2135            When we unlock it in JSLock::unlock(), the owner thread clears
2136            m_ownerThread to 0. Hence, this case is the same as (1) above.
2137
2138         3. The JSLock is locked by Thread A. Thread B is checking ownership.
2139
2140            In this case, m_ownerThread will contain Thread A's thread id.
2141            Thread B will see that the thread id does not match its own and will
2142            proceed to block on the JSLock's mutex to wait for its turn to use
2143            the VM.
2144
2145            With Weak Memory Ordering architectures, Thread A's thread id may
2146            not get written out to memory before Thread B inspects m_ownerThread.
2147            However, though Thread B may not see Thread A's thread id in
2148            m_ownerThread, it will see 0 which is the last value written to it
2149            before the JSLock mutex was unlocked. The mutex unlock would have
2150            executed a memory fence which would have flushed the 0 to
2151            m_ownerThread in memory. Hence, Thread B will know that it does not
2152            own the lock.
2153
2154         Apart from removing the unneeded spin lock code, I also changed the
2155         JSLock code to use currentThreadIsHoldingLock() and setOwnerThread()
2156         instead of accessing m_ownerThread directly.
2157
2158         * runtime/JSLock.cpp:
2159         (JSC::JSLock::JSLock):
2160
2161         (JSC::JSLock::lock):
2162         - Removed spinLock but left the indentation as is to keep the diff to a
2163           minimum for better readability. Will unindent in a subsequent patch.
2164
2165         (JSC::JSLock::unlock):
2166         - Before unlocking the mutex, clear m_ownerThread to indicate that the
2167           lock is no longer owned.
2168
2169         (JSC::JSLock::currentThreadIsHoldingLock):
2170         - Removed the check of m_lockCount for determining ownership. Checking
2171           m_ownerThread is sufficient.
2172
2173         (JSC::JSLock::dropAllLocks):
2174         (JSC::JSLock::dropAllLocksUnconditionally):
2175         - Renamed local locksToDrop to the better name droppedLockCount.
2176         - Clear m_ownerThread since we're unlocking the JSLock.
2177
2178         (JSC::JSLock::grabAllLocks):
2179         - Removed unneeded lock ownership test for lock re-entry case because
2180           grabAllLocks() is never used to re-enter a locked JSLock.
2181
2182         (JSC::JSLock::DropAllLocks::DropAllLocks):
2183         (JSC::JSLock::DropAllLocks::~DropAllLocks):
2184
2185         * runtime/JSLock.h:
2186         (JSC::JSLock::setOwnerThread):
2187
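        Added illustrative example, not JavaScriptCore code: a small C++ model of
        the JSLock discipline described in the two JSLock entries above (the
        2014-02-10 "Change JSLock::dropAllLocks() and friends to use lock() and
        unlock()" entry and this "Remove unnecessary spinLock in JSLock" entry).
        lock()/unlock() take an entry count, dropAllLocks()/grabAllLocks()
        delegate to them, and currentThreadIsHoldingLock() only compares the
        published owner id with the caller's own id. The names mirror the
        ChangeLog, but the implementation is an assumption for illustration:
        std::mutex, std::thread and std::atomic stand in for WTF's primitives,
        and the owner id lives in a std::atomic instead of relying on the mutex
        release fence the entry describes for weakly ordered architectures.

```cpp
#include <atomic>
#include <cassert>
#include <mutex>
#include <thread>

// Model of the lock discipline in the JSLock entries above. Not JSC's JSLock:
// std::mutex/std::thread replace WTF's primitives, and the owner id is a
// std::atomic so the cross-thread read is well defined in this model.
class JSLockModel {
public:
    // Re-entry check, then take the mutex, publish ownership, add entryCount.
    // grabAllLocks() reuses this instead of duplicating it.
    void lock(unsigned entryCount = 1) {
        if (!currentThreadIsHoldingLock()) {
            m_mutex.lock();
            setOwnerThread(std::this_thread::get_id());
        }
        m_lockCount += entryCount;
    }

    // On the last entry, clear the owner before releasing the mutex so that a
    // thread which observes the release also observes "no owner".
    void unlock(unsigned entryCount = 1) {
        assert(currentThreadIsHoldingLock() && entryCount <= m_lockCount);
        m_lockCount -= entryCount;
        if (m_lockCount == 0) {
            setOwnerThread(std::thread::id());
            m_mutex.unlock();
        }
    }

    // Release every entry with one unlock() and report the count so that
    // grabAllLocks() can restore it (the nested run loop pattern).
    unsigned dropAllLocks() {
        if (!currentThreadIsHoldingLock())
            return 0;
        unsigned droppedLockCount = m_lockCount;
        unlock(droppedLockCount);
        return droppedLockCount;
    }

    // Delegate to lock(); its re-entry check is a no-op here because the
    // caller never owns the lock when grabbing back.
    void grabAllLocks(unsigned droppedLockCount) {
        if (droppedLockCount)
            lock(droppedLockCount);
    }

    // Ownership test readable from any thread without a spin lock: the only
    // question is whether the published owner id equals the caller's id.
    bool currentThreadIsHoldingLock() const {
        return m_ownerThread.load() == std::this_thread::get_id();
    }

    unsigned lockCount() const { return m_lockCount; }

private:
    void setOwnerThread(std::thread::id id) { m_ownerThread.store(id); }

    std::mutex m_mutex;
    std::atomic<std::thread::id> m_ownerThread{std::thread::id()};
    unsigned m_lockCount = 0; // read and written only by the owner thread
};

// Scenario 3 above: while the caller owns the lock, a second thread runs the
// ownership test and must conclude the lock is not its own.
bool otherThreadThinksItHoldsLock(JSLockModel& lock) {
    bool holds = true;
    std::thread t([&] { holds = lock.currentThreadIsHoldingLock(); });
    t.join();
    return holds;
}

// Scenarios 1-3 on a fresh lock: unowned, owned by this thread, unlocked again.
bool ownershipScenariosHold() {
    JSLockModel lock;
    if (lock.currentThreadIsHoldingLock()) return false;   // (1) fresh: unowned
    lock.lock();
    if (!lock.currentThreadIsHoldingLock()) return false;  // owner sees itself
    if (otherThreadThinksItHoldsLock(lock)) return false;  // (3) other thread
    lock.unlock();
    if (lock.currentThreadIsHoldingLock()) return false;   // (2) unlocked again
    return lock.dropAllLocks() == 0;                       // nothing to drop
}

// Lock twice, drop both entries, let another thread use the lock, grab the
// two entries back and return the restored entry count (2).
unsigned dropAndRegrabRoundTrip() {
    JSLockModel lock;
    lock.lock();
    lock.lock();                                        // re-entry: count is 2
    unsigned dropped = lock.dropAllLocks();             // 2, lock now free
    std::thread t([&] { lock.lock(); lock.unlock(); }); // proceeds while dropped
    t.join();
    lock.grabAllLocks(dropped);
    unsigned restored = lock.lockCount();
    lock.unlock(restored);
    return restored;
}

int main() {
    return (ownershipScenariosHold() && dropAndRegrabRoundTrip() == 2) ? 0 : 1;
}
```

        The model keeps the invariant the entry relies on: m_ownerThread is
        cleared by the owner before the mutex is released, so a thread that
        reads a stale value reads 0, never another thread's id.
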
2188 2014-02-10  Filip Pizlo  <fpizlo@apple.com>
2189
2190         Unreviewed, roll out http://trac.webkit.org/changeset/163796
2191
2192         The change was not justified in any way and it has a net negative effect on the code.
2193
2194         * dfg/DFGAbstractInterpreter.h:
2195         * dfg/DFGAbstractValue.h:
2196         * dfg/DFGAdjacencyList.h:
2197         * dfg/DFGArgumentPosition.h:
2198         * dfg/DFGArgumentsSimplificationPhase.cpp:
2199         * dfg/DFGArrayMode.cpp:
2200         * dfg/DFGArrayifySlowPathGenerator.h:
2201         * dfg/DFGAtTailAbstractState.h:
2202         * dfg/DFGAvailability.h:
2203         * dfg/DFGBackwardsPropagationPhase.cpp:
2204         * dfg/DFGBasicBlock.h:
2205         * dfg/DFGBasicBlockInlines.h:
2206         * dfg/DFGByteCodeParser.cpp:
2207         * dfg/DFGCFAPhase.cpp:
2208         * dfg/DFGCFGSimplificationPhase.cpp:
2209         * dfg/DFGCPSRethreadingPhase.cpp:
2210         * dfg/DFGCSEPhase.cpp:
2211         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
2212         * dfg/DFGCapabilities.cpp:
2213         * dfg/DFGCapabilities.h:
2214         * dfg/DFGClobberize.h:
2215         * dfg/DFGCommonData.cpp:
2216         * dfg/DFGConstantFoldingPhase.cpp:
2217         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
2218         * dfg/DFGDCEPhase.cpp:
2219         * dfg/DFGDominators.h:
2220         * dfg/DFGDriver.cpp:
2221         * dfg/DFGDriver.h:
2222         * dfg/DFGFixupPhase.cpp:
2223         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
2224         * dfg/DFGGenerationInfo.h:
2225         * dfg/DFGGraph.cpp:
2226         * dfg/DFGGraph.h:
2227         * dfg/DFGInPlaceAbstractState.cpp:
2228         * dfg/DFGInPlaceAbstractState.h:
2229         * dfg/DFGInlineCacheWrapperInlines.h:
2230         * dfg/DFGInvalidationPointInjectionPhase.cpp:
2231         * dfg/DFGJITCode.h:
2232         * dfg/DFGJITCompiler.cpp:
2233         * dfg/DFGJITCompiler.h:
2234         * dfg/DFGJITFinalizer.cpp:
2235         * dfg/DFGJITFinalizer.h:
2236         * dfg/DFGLICMPhase.cpp:
2237         * dfg/DFGLivenessAnalysisPhase.cpp:
2238         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
2239         * dfg/DFGMinifiedNode.h:
2240         * dfg/DFGNaturalLoops.h:
2241         * dfg/DFGNode.cpp:
2242         * dfg/DFGNode.h:
2243         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2244         * dfg/DFGOSREntry.cpp:
2245         * dfg/DFGOSREntrypointCreationPhase.cpp:
2246         * dfg/DFGOSRExit.cpp:
2247         * dfg/DFGOSRExit.h:
2248         * dfg/DFGOSRExitBase.cpp:
2249         * dfg/DFGOSRExitCompilationInfo.h:
2250         * dfg/DFGOSRExitCompiler.cpp:
2251         * dfg/DFGOSRExitCompiler32_64.cpp:
2252         * dfg/DFGOSRExitCompiler64.cpp:
2253         * dfg/DFGOSRExitJumpPlaceholder.cpp:
2254         * dfg/DFGOperations.cpp:
2255         * dfg/DFGPhase.h:
2256         * dfg/DFGPlan.h:
2257         * dfg/DFGPredictionInjectionPhase.cpp:
2258         * dfg/DFGPredictionPropagationPhase.cpp:
2259         * dfg/DFGResurrectionForValidationPhase.cpp:
2260         * dfg/DFGSSAConversionPhase.cpp:
2261         * dfg/DFGSSALoweringPhase.cpp:
2262         * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
2263         * dfg/DFGSlowPathGenerator.h:
2264         * dfg/DFGSpeculativeJIT.cpp:
2265         * dfg/DFGSpeculativeJIT.h:
2266         * dfg/DFGSpeculativeJIT32_64.cpp:
2267         * dfg/DFGSpeculativeJIT64.cpp:
2268         * dfg/DFGStackLayoutPhase.cpp:
2269         * dfg/DFGStoreBarrierElisionPhase.cpp:
2270         * dfg/DFGStrengthReductionPhase.cpp:
2271         * dfg/DFGThunks.cpp:
2272         * dfg/DFGTierUpCheckInjectionPhase.cpp:
2273         * dfg/DFGTypeCheckHoistingPhase.cpp:
2274         * dfg/DFGUnificationPhase.cpp:
2275         * dfg/DFGValidate.h:
2276         * dfg/DFGValueSource.h:
2277         * dfg/DFGVariableAccessData.h:
2278         * dfg/DFGVariableAccessDataDump.cpp:
2279         * dfg/DFGVariableEvent.h:
2280         * dfg/DFGVariableEventStream.h:
2281         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
2282         * dfg/DFGWatchpointCollectionPhase.cpp:
2283         * dfg/DFGWorklist.cpp:
2284
2285 2014-02-10  Peter Molnar  <pmolnar.u-szeged@partner.samsung.com>
2286
2287         Remove extra includes from DFG
2288         https://bugs.webkit.org/show_bug.cgi?id=126983
2289
2290         Reviewed by Andreas Kling.
2291
2292         * dfg/DFGAbstractInterpreter.h:
2293         * dfg/DFGAbstractValue.h:
2294         * dfg/DFGAdjacencyList.h:
2295         * dfg/DFGArgumentPosition.h:
2296         * dfg/DFGArgumentsSimplificationPhase.cpp:
2297         * dfg/DFGArrayMode.cpp:
2298         * dfg/DFGArrayifySlowPathGenerator.h:
2299         * dfg/DFGAtTailAbstractState.h:
2300         * dfg/DFGAvailability.h:
2301         * dfg/DFGBackwardsPropagationPhase.cpp:
2302         * dfg/DFGBasicBlock.h:
2303         * dfg/DFGBasicBlockInlines.h:
2304         * dfg/DFGByteCodeParser.cpp:
2305         * dfg/DFGCFAPhase.cpp:
2306         * dfg/DFGCFGSimplificationPhase.cpp:
2307         * dfg/DFGCPSRethreadingPhase.cpp:
2308         * dfg/DFGCSEPhase.cpp:
2309         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
2310         * dfg/DFGCapabilities.cpp:
2311         * dfg/DFGCapabilities.h:
2312         * dfg/DFGClobberize.h:
2313         * dfg/DFGCommonData.cpp:
2314         * dfg/DFGConstantFoldingPhase.cpp:
2315         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
2316         * dfg/DFGDCEPhase.cpp:
2317         * dfg/DFGDominators.h:
2318         * dfg/DFGDriver.cpp:
2319         * dfg/DFGDriver.h:
2320         * dfg/DFGFixupPhase.cpp:
2321         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
2322         * dfg/DFGGenerationInfo.h:
2323         * dfg/DFGGraph.cpp:
2324         * dfg/DFGGraph.h:
2325         * dfg/DFGInPlaceAbstractState.cpp:
2326         * dfg/DFGInPlaceAbstractState.h:
2327         * dfg/DFGInlineCacheWrapperInlines.h:
2328         * dfg/DFGInvalidationPointInjectionPhase.cpp:
2329         * dfg/DFGJITCode.h:
2330         * dfg/DFGJITCompiler.cpp:
2331         * dfg/DFGJITCompiler.h:
2332         * dfg/DFGJITFinalizer.cpp:
2333         * dfg/DFGJITFinalizer.h:
2334         * dfg/DFGLICMPhase.cpp:
2335         * dfg/DFGLivenessAnalysisPhase.cpp:
2336         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
2337         * dfg/DFGMinifiedNode.h:
2338         * dfg/DFGNaturalLoops.h:
2339         * dfg/DFGNode.cpp:
2340         * dfg/DFGNode.h:
2341         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2342         * dfg/DFGOSREntry.cpp:
2343         * dfg/DFGOSREntrypointCreationPhase.cpp:
2344         * dfg/DFGOSRExit.cpp:
2345         * dfg/DFGOSRExit.h:
2346         * dfg/DFGOSRExitBase.cpp:
2347         * dfg/DFGOSRExitCompilationInfo.h:
2348         * dfg/DFGOSRExitCompiler.cpp:
2349         * dfg/DFGOSRExitCompiler32_64.cpp:
2350         * dfg/DFGOSRExitCompiler64.cpp:
2351         * dfg/DFGOSRExitJumpPlaceholder.cpp:
2352         * dfg/DFGOperations.cpp:
2353         * dfg/DFGPhase.h:
2354         * dfg/DFGPlan.h:
2355         * dfg/DFGPredictionInjectionPhase.cpp:
2356         * dfg/DFGPredictionPropagationPhase.cpp:
2357         * dfg/DFGResurrectionForValidationPhase.cpp:
2358         * dfg/DFGSSAConversionPhase.cpp:
2359         * dfg/DFGSSALoweringPhase.cpp:
2360         * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
2361         * dfg/DFGSlowPathGenerator.h:
2362         * dfg/DFGSpeculativeJIT.cpp:
2363         * dfg/DFGSpeculativeJIT.h:
2364         * dfg/DFGSpeculativeJIT32_64.cpp:
2365         * dfg/DFGSpeculativeJIT64.cpp:
2366         * dfg/DFGStackLayoutPhase.cpp:
2367         * dfg/DFGStoreBarrierElisionPhase.cpp:
2368         * dfg/DFGStrengthReductionPhase.cpp:
2369         * dfg/DFGThunks.cpp:
2370         * dfg/DFGTierUpCheckInjectionPhase.cpp:
2371         * dfg/DFGTypeCheckHoistingPhase.cpp:
2372         * dfg/DFGUnificationPhase.cpp:
2373         * dfg/DFGValidate.h:
2374         * dfg/DFGValueSource.h:
2375         * dfg/DFGVariableAccessData.h:
2376         * dfg/DFGVariableAccessDataDump.cpp:
2377         * dfg/DFGVariableEvent.h:
2378         * dfg/DFGVariableEventStream.h:
2379         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
2380         * dfg/DFGWatchpointCollectionPhase.cpp:
2381         * dfg/DFGWorklist.cpp:
2382
2383 2014-02-10  Filip Pizlo  <fpizlo@apple.com>
2384
2385         JSC environment variables should override other mechanisms for setting options
2386         https://bugs.webkit.org/show_bug.cgi?id=128511
2387
2388         Reviewed by Geoffrey Garen.
2389
2390         * runtime/Options.cpp:
2391         (JSC::Options::setOption):
2392         * runtime/Options.h:
2393
2394 2014-02-10  Darin Adler  <darin@apple.com>
2395
2396         Stop using String::deprecatedCharacters to call WTF::Collator
2397         https://bugs.webkit.org/show_bug.cgi?id=128517
2398
2399         Reviewed by Alexey Proskuryakov.
2400
2401         * runtime/StringPrototype.cpp:
2402         (JSC::stringProtoFuncLocaleCompare): Use the default constructor for Collator, which now
2403         gives the default locale collation rules. Use the new arguments for Collator::collate, which
2404         are now StringView. These two changes together eliminate the need for a separate helper function.
2405
2406 2014-02-10  Filip Pizlo  <fpizlo@apple.com>
2407
2408         <1/100 probability FTL failure: v8-v6/v8-deltablue.js.ftl-eager: Exception: TypeError: undefined is not an object (evaluating 'c.isInput')
2409         https://bugs.webkit.org/show_bug.cgi?id=128278
2410
2411         Reviewed by Mark Hahnenberg.
2412         
2413         Fix another FTL flake due to bytecode liveness corner cases. Hopefully it's the last
2414         one.
2415
2416         * dfg/DFGByteCodeParser.cpp:
2417         (JSC::DFG::ByteCodeParser::parseBlock): Make sure that inside a constructor, the 'this' result is always set. This makes it easier to unify the treatment of 'this' for OSR exit: we just say that it's always live.
2418         * dfg/DFGGraph.cpp:
2419         (JSC::DFG::Graph::isLiveInBytecode): Assume that 'this' is live. We were already sort of doing this for calls because the callsite would claim it to be live. But we didn't do it for constructors. It's true that *at the callsite* 'this' won't be live, but inside the inlined constructor, it almost certainly will be.
2420         * dfg/DFGTierUpCheckInjectionPhase.cpp:
2421         (JSC::DFG::TierUpCheckInjectionPhase::run): I just noticed this benign bug. We should only return 'true' if we actually injected checks.
2422         * ftl/FTLOSRExitCompiler.cpp:
2423         (JSC::FTL::compileStub): Make it easier to just dump disassembly for FTL OSR exits.
2424         * runtime/Options.h: Ditto.
2425         * tests/stress/inlined-constructor-this-liveness.js: Added.
2426         (Foo):
2427         (foo):
2428         * tests/stress/inlined-function-this-liveness.js: Added.
2429         (bar):
2430         (foo):
2431
2432 2014-02-10  Filip Pizlo  <fpizlo@apple.com>
2433
2434         Actually register those DFG::Safepoints
2435         https://bugs.webkit.org/show_bug.cgi?id=128521
2436
2437         Reviewed by Mark Hahnenberg.
2438         
2439         No test because GC + thread + JIT = ???.
2440
2441         * dfg/DFGSafepoint.cpp:
2442         (JSC::DFG::Safepoint::~Safepoint):
2443         (JSC::DFG::Safepoint::begin):
2444
2445 2014-02-10  Peter Molnar  <pmolnar.u-szeged@partner.samsung.com>
2446
2447         Fix EFL build with INSPECTOR disabled
2448         https://bugs.webkit.org/show_bug.cgi?id=125064
2449
2450         Reviewed by Csaba Osztrogonác.
2451
2452         * inspector/InjectedScriptManager.h:
2453         * inspector/ScriptDebugServer.cpp:
2454         * inspector/agents/InspectorAgent.h:
2455         * inspector/scripts/CodeGeneratorInspectorStrings.py:
2456         (Inspector):
2457
2458 2014-02-09  Filip Pizlo  <fpizlo@apple.com>
2459
2460         GC blocks on FTL and then badness
2461         https://bugs.webkit.org/show_bug.cgi?id=128291
2462
2463         Reviewed by Oliver Hunt.
2464         
2465         Introduce the notion of a DFG::Safepoint, which allows you to unlock the rightToRun
2466         mutex for your JIT thread, while supplying the GC with all of the information it would
2467         need to scan you at that moment in time. The default way of using this is
2468         DFG::GraphSafepoint, where you just supply the Graph. There's a lot of machinery in
2469         this patch just to make the Graph scannable.
2470         
2471         We then use DFG::GraphSafepoint in just two places for now: (1) while initializing LLVM
2472         and (2) while invoking LLVM's optimizer and backend.
2473         
2474         This is a 30% speed-up on Octane/typescript and a 10% speed-up on Octane/gbemu. 2-3%
2475         speed-up overall on Octane.
2476         
2477         * CMakeLists.txt:
2478         * GNUmakefile.list.am:
2479         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2480         * JavaScriptCore.xcodeproj/project.pbxproj:
2481         * dfg/DFGDriver.cpp:
2482         (JSC::DFG::compileImpl):
2483         * dfg/DFGGraph.cpp:
2484         (JSC::DFG::Graph::visitChildren):
2485         * dfg/DFGGraph.h:
2486         * dfg/DFGGraphSafepoint.cpp: Added.
2487         (JSC::DFG::GraphSafepoint::GraphSafepoint):
2488         (JSC::DFG::GraphSafepoint::~GraphSafepoint):
2489         * dfg/DFGGraphSafepoint.h: Added.
2490         * dfg/DFGOperations.h:
2491         * dfg/DFGPlan.cpp:
2492         (JSC::DFG::Plan::compileInThread):
2493         (JSC::DFG::Plan::compileInThreadImpl):
2494         * dfg/DFGPlan.h:
2495         * dfg/DFGSafepoint.cpp: Added.
2496         (JSC::DFG::Safepoint::Safepoint):
2497         (JSC::DFG::Safepoint::~Safepoint):
2498         (JSC::DFG::Safepoint::add):
2499         (JSC::DFG::Safepoint::begin):
2500         (JSC::DFG::Safepoint::visitChildren):
2501         * dfg/DFGSafepoint.h: Added.
2502         * dfg/DFGScannable.h: Added.
2503         (JSC::DFG::Scannable::Scannable):
2504         (JSC::DFG::Scannable::~Scannable):
2505         * dfg/DFGThreadData.cpp: Added.
2506         (JSC::DFG::ThreadData::ThreadData):
2507         (JSC::DFG::ThreadData::~ThreadData):
2508         * dfg/DFGThreadData.h: Added.
2509         * dfg/DFGWorklist.cpp:
2510         (JSC::DFG::Worklist::finishCreation):
2511         (JSC::DFG::Worklist::visitChildren):
2512         (JSC::DFG::Worklist::runThread):
2513         * dfg/DFGWorklist.h:
2514         * ftl/FTLCompile.cpp:
2515         (JSC::FTL::compile):
2516         * heap/SlotVisitor.h:
2517         * heap/SlotVisitorInlines.h:
2518         (JSC::SlotVisitor::appendUnbarrieredReadOnlyPointer):
2519         (JSC::SlotVisitor::appendUnbarrieredReadOnlyValue):
2520
2521 2014-02-09  Filip Pizlo  <fpizlo@apple.com>
2522
2523         Never include *Inlines.h files in interface headers, and never include *Inlines.h when you could include Operations.h instead
2524         https://bugs.webkit.org/show_bug.cgi?id=128505
2525
2526         Reviewed by Mark Hahnenberg and Oliver Hunt.
2527
2528         * API/JSContextRef.cpp:
2529         * assembler/LinkBuffer.cpp:
2530         * bytecode/ArrayProfile.cpp:
2531         * bytecode/BytecodeBasicBlock.cpp:
2532         * bytecode/BytecodeLivenessAnalysisInlines.h:
2533         * bytecode/CallLinkInfo.cpp:
2534         * bytecode/CodeBlock.cpp:
2535         * bytecode/CodeBlock.h:
2536         * bytecode/CodeBlockJettisoningWatchpoint.cpp:
2537         * bytecode/ExecutionCounter.cpp:
2538         * bytecode/MethodOfGettingAValueProfile.cpp:
2539         * bytecode/PreciseJumpTargets.cpp:
2540         * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
2541         * bytecode/SamplingTool.cpp:
2542         * bytecode/SpecialPointer.cpp:
2543         * bytecode/StructureStubClearingWatchpoint.cpp:
2544         * debugger/DebuggerCallFrame.cpp:
2545         * dfg/DFGAbstractHeap.cpp:
2546         * dfg/DFGAbstractValue.cpp:
2547         * dfg/DFGArgumentsSimplificationPhase.cpp:
2548         * dfg/DFGArithMode.cpp:
2549         * dfg/DFGArrayMode.cpp:
2550         * dfg/DFGAtTailAbstractState.cpp:
2551         * dfg/DFGAvailability.cpp:
2552         * dfg/DFGBackwardsPropagationPhase.cpp:
2553         * dfg/DFGBasicBlock.cpp:
2554         * dfg/DFGBinarySwitch.cpp:
2555         * dfg/DFGBlockInsertionSet.cpp:
2556         * dfg/DFGByteCodeParser.cpp:
2557         * dfg/DFGCFAPhase.cpp:
2558         * dfg/DFGCFGSimplificationPhase.cpp:
2559         * dfg/DFGCPSRethreadingPhase.cpp:
2560         * dfg/DFGCSEPhase.cpp:
2561         * dfg/DFGCapabilities.cpp:
2562         * dfg/DFGClobberSet.cpp:
2563         * dfg/DFGClobberize.cpp:
2564         * dfg/DFGCommon.cpp:
2565         * dfg/DFGCommonData.cpp:
2566         * dfg/DFGCompilationKey.cpp:
2567         * dfg/DFGCompilationMode.cpp:
2568         * dfg/DFGConstantFoldingPhase.cpp:
2569         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
2570         * dfg/DFGDCEPhase.cpp:
2571         * dfg/DFGDesiredIdentifiers.cpp:
2572         * dfg/DFGDesiredStructureChains.cpp:
2573         * dfg/DFGDesiredTransitions.cpp:
2574         * dfg/DFGDesiredWatchpoints.cpp:
2575         * dfg/DFGDisassembler.cpp:
2576         * dfg/DFGDisassembler.h:
2577         * dfg/DFGDominators.cpp:
2578         * dfg/DFGEdge.cpp:
2579         * dfg/DFGFailedFinalizer.cpp:
2580         * dfg/DFGFinalizer.cpp:
2581         * dfg/DFGFixupPhase.cpp:
2582         * dfg/DFGFlushFormat.cpp:
2583         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
2584         * dfg/DFGFlushedAt.cpp:
2585         * dfg/DFGGraph.cpp:
2586         * dfg/DFGInPlaceAbstractState.cpp:
2587         * dfg/DFGInvalidationPointInjectionPhase.cpp:
2588         * dfg/DFGJITCode.cpp:
2589         * dfg/DFGJITCompiler.cpp:
2590         * dfg/DFGJITCompiler.h:
2591         * dfg/DFGJITFinalizer.cpp:
2592         * dfg/DFGJumpReplacement.cpp:
2593         * dfg/DFGLICMPhase.cpp:
2594         * dfg/DFGLazyJSValue.cpp:
2595         * dfg/DFGLivenessAnalysisPhase.cpp:
2596         * dfg/DFGLongLivedState.cpp:
2597         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
2598         * dfg/DFGMinifiedNode.cpp:
2599         * dfg/DFGNaturalLoops.cpp:
2600         * dfg/DFGNode.cpp:
2601         * dfg/DFGNodeFlags.cpp:
2602         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2603         * dfg/DFGOSREntry.cpp:
2604         * dfg/DFGOSREntrypointCreationPhase.cpp:
2605         * dfg/DFGOSRExit.cpp:
2606         * dfg/DFGOSRExitBase.cpp:
2607         * dfg/DFGOSRExitCompiler.cpp:
2608         * dfg/DFGOSRExitCompiler32_64.cpp:
2609         * dfg/DFGOSRExitCompiler64.cpp:
2610         * dfg/DFGOSRExitCompilerCommon.cpp:
2611         * dfg/DFGOSRExitJumpPlaceholder.cpp:
2612         * dfg/DFGOSRExitPreparation.cpp:
2613         * dfg/DFGOperations.cpp:
2614         * dfg/DFGOperations.h:
2615         * dfg/DFGPhase.cpp:
2616         * dfg/DFGPlan.cpp:
2617         * dfg/DFGPredictionInjectionPhase.cpp:
2618         * dfg/DFGPredictionPropagationPhase.cpp:
2619         * dfg/DFGResurrectionForValidationPhase.cpp:
2620         * dfg/DFGSSAConversionPhase.cpp:
2621         * dfg/DFGSSALoweringPhase.cpp:
2622         * dfg/DFGSpeculativeJIT.cpp:
2623         * dfg/DFGSpeculativeJIT32_64.cpp:
2624         * dfg/DFGSpeculativeJIT64.cpp:
2625         * dfg/DFGStackLayoutPhase.cpp:
2626         * dfg/DFGStoreBarrierElisionPhase.cpp:
2627         * dfg/DFGStrengthReductionPhase.cpp:
2628         * dfg/DFGThunks.cpp:
2629         * dfg/DFGTierUpCheckInjectionPhase.cpp:
2630         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
2631         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
2632         * dfg/DFGTypeCheckHoistingPhase.cpp:
2633         * dfg/DFGUnificationPhase.cpp:
2634         * dfg/DFGUseKind.cpp:
2635         * dfg/DFGValidate.cpp:
2636         * dfg/DFGValueSource.cpp:
2637         * dfg/DFGVariableAccessDataDump.cpp:
2638         * dfg/DFGVariableEvent.cpp:
2639         * dfg/DFGVariableEventStream.cpp:
2640         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
2641         * dfg/DFGWatchpointCollectionPhase.cpp:
2642         * dfg/DFGWorklist.cpp:
2643         * disassembler/Disassembler.cpp:
2644         * ftl/FTLLink.cpp:
2645         * ftl/FTLOSRExitCompiler.cpp:
2646         * ftl/FTLSlowPathCall.cpp:
2647         * ftl/FTLThunks.cpp:
2648         (JSC::FTL::slowPathCallThunkGenerator):
2649         * heap/BlockAllocator.cpp:
2650         * heap/CodeBlockSet.cpp:
2651         * heap/ConservativeRoots.cpp:
2652         * heap/DeferGC.cpp:
2653         * heap/GCThread.cpp:
2654         * heap/GCThreadSharedData.cpp:
2655         * heap/HeapTimer.cpp:
2656         * heap/IncrementalSweeper.cpp:
2657         * heap/JITStubRoutineSet.cpp:
2658         * heap/MachineStackMarker.cpp:
2659         * heap/MarkStack.cpp:
2660         * heap/MarkedAllocator.cpp:
2661         * heap/MarkedSpace.cpp:
2662         * heap/SuperRegion.cpp:
2663         * heap/Weak.cpp:
2664         * heap/WeakHandleOwner.cpp:
2665         * heap/WeakSet.cpp:
2666         * heap/WriteBarrierBuffer.cpp:
2667         * heap/WriteBarrierSupport.cpp:
2668         * inspector/ScriptCallStackFactory.cpp:
2669         * interpreter/AbstractPC.cpp:
2670         * interpreter/JSStack.cpp:
2671         * interpreter/ProtoCallFrame.cpp:
2672         * interpreter/VMInspector.cpp:
2673         * jit/ArityCheckFailReturnThunks.cpp:
2674         * jit/AssemblyHelpers.cpp:
2675         * jit/ExecutableAllocator.cpp:
2676         * jit/ExecutableAllocatorFixedVMPool.cpp:
2677         * jit/GCAwareJITStubRoutine.cpp:
2678         * jit/HostCallReturnValue.cpp:
2679         * jit/JITDisassembler.cpp:
2680         * jit/JITDisassembler.h:
2681         * jit/JITExceptions.cpp:
2682         * jit/JITInlines.h:
2683         * jit/JITOperations.cpp:
2684         * jit/JITOperationsMSVC64.cpp:
2685         * jit/JITStubRoutine.cpp:
2686         * jit/JITStubs.cpp:
2687         * jit/JITToDFGDeferredCompilationCallback.cpp:
2688         * jit/RegisterPreservationWrapperGenerator.cpp:
2689         * jit/RegisterSet.cpp:
2690         * jit/Repatch.cpp:
2691         * jit/TempRegisterSet.cpp:
2692         * jsc.cpp:
2693         * parser/Lexer.cpp:
2694         * parser/Parser.cpp:
2695         * parser/ParserArena.cpp:
2696         * parser/SourceCode.cpp:
2697         * parser/SourceProvider.cpp:
2698         * parser/SourceProviderCache.cpp:
2699         * profiler/ProfileGenerator.cpp:
2700         * runtime/Arguments.cpp:
2701         * runtime/ArgumentsIteratorPrototype.cpp:
2702         * runtime/CommonSlowPathsExceptions.cpp:
2703         * runtime/JSArgumentsIterator.cpp:
2704         * runtime/JSFunction.cpp:
2705         * runtime/JSGlobalObjectFunctions.cpp:
2706         * runtime/ObjectConstructor.cpp:
2707         * runtime/Operations.h:
2708         * runtime/VM.cpp:
2709
2710 2014-02-09  Filip Pizlo  <fpizlo@apple.com>
2711
2712         Unreviewed, don't mark isHostFunction() inline in the header file because that really confuses EFL.
2713
2714         * runtime/JSFunction.h:
2715
2716 2014-02-09  Anders Carlsson  <andersca@apple.com>
2717
2718         Add WTF_MAKE_FAST_ALLOCATED to more classes
2719         https://bugs.webkit.org/show_bug.cgi?id=128506
2720
2721         Reviewed by Andreas Kling.
2722
2723         * bytecode/UnlinkedInstructionStream.h:
2724         * runtime/SymbolTable.h:
2725         * runtime/WriteBarrier.h:
2726
2727 2014-02-09  Mark Hahnenberg  <mhahnenberg@apple.com>
2728
2729         Objective-C API NSDate conversion is off by 1000x (ms vs s)
2730         https://bugs.webkit.org/show_bug.cgi?id=128386
2731
2732         Reviewed by Michael Saboff.
2733
2734         * API/JSValue.mm:
2735         (valueToObjectWithoutCopy):
2736         (valueToDate):
2737         (objectToValueWithoutCopy):
2738         * API/tests/DateTests.h: Added.
2739         * API/tests/DateTests.mm: Added.
2740         (+[DateTests NSDateToJSDateTest]):
2741         (+[DateTests JSDateToNSDateTest]):
2742         (+[DateTests roundTripThroughJSDateTest]):
2743         (+[DateTests roundTripThroughObjCDateTest]):
2744         * API/tests/testapi.mm:
2745         (checkResult):
2746         * JavaScriptCore.xcodeproj/project.pbxproj:
2747
2748 2014-02-09  Andreas Kling  <akling@apple.com>
2749
2750         Pass VM instead of ExecState to JSCell::fastGetOwnProperty().
2751         <https://webkit.org/b/128497>
2752
2753         Knocks off a couple of instructions.
2754
2755         Reviewed by Anders Carlsson.
2756
2757         * dfg/DFGOperations.cpp:
2758         * jit/JITOperations.cpp:
2759         (JSC::getByVal):
2760         * llint/LLIntSlowPaths.cpp:
2761         (JSC::LLInt::getByVal):
2762         * runtime/JSCell.h:
2763         * runtime/JSCellInlines.h:
2764         (JSC::JSCell::fastGetOwnProperty):
2765
2766 2014-02-09  Anders Carlsson  <andersca@apple.com>
2767
2768         Convert some JSC code over to std::mutex
2769         https://bugs.webkit.org/show_bug.cgi?id=128500
2770
2771         Reviewed by Dan Bernstein.
2772
2773         * API/JSVirtualMachine.mm:
2774         (wrapperCacheMutex):
2775         (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]):
2776         (+[JSVMWrapperCache wrapperForJSContextGroupRef:]):
2777         * heap/GCThreadSharedData.h:
2778         * heap/SlotVisitor.cpp:
2779         (JSC::SlotVisitor::mergeOpaqueRoots):
2780         * heap/SlotVisitorInlines.h:
2781         (JSC::SlotVisitor::containsOpaqueRootTriState):
2782         * inspector/remote/RemoteInspector.h:
2783         * inspector/remote/RemoteInspector.mm:
2784         (Inspector::RemoteInspector::registerDebuggable):
2785         (Inspector::RemoteInspector::unregisterDebuggable):
2786         (Inspector::RemoteInspector::updateDebuggable):
2787         (Inspector::RemoteInspector::sendMessageToRemoteFrontend):
2788         (Inspector::RemoteInspector::start):
2789         (Inspector::RemoteInspector::stop):
2790         (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
2791         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
2792         (Inspector::RemoteInspector::xpcConnectionFailed):
2793         (Inspector::RemoteInspector::pushListingSoon):
2794         (Inspector::RemoteInspector::receivedIndicateMessage):
2795         * inspector/remote/RemoteInspectorDebuggableConnection.h:
2796         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
2797         (Inspector::RemoteInspectorDebuggableConnection::setup):
2798         (Inspector::RemoteInspectorDebuggableConnection::closeFromDebuggable):
2799         (Inspector::RemoteInspectorDebuggableConnection::close):
2800         (Inspector::RemoteInspectorDebuggableConnection::sendMessageToBackend):
2801         * jit/ExecutableAllocator.cpp:
2802         (JSC::DemandExecutableAllocator::DemandExecutableAllocator):
2803         (JSC::DemandExecutableAllocator::~DemandExecutableAllocator):
2804         (JSC::DemandExecutableAllocator::bytesAllocatedByAllAllocators):
2805         (JSC::DemandExecutableAllocator::bytesCommittedByAllocactors):
2806         (JSC::DemandExecutableAllocator::dumpProfileFromAllAllocators):
2807         (JSC::DemandExecutableAllocator::allocatorsMutex):
2808
2809 2014-02-09  Commit Queue  <commit-queue@webkit.org>
2810
2811         Unreviewed, rolling out r163737.
2812         http://trac.webkit.org/changeset/163737
2813         https://bugs.webkit.org/show_bug.cgi?id=128491
2814
2815         Caused 8+ tests to fail on Mavericks and Mountain Lion bots
2816         (Requested by rniwa on #webkit).
2817
2818         * runtime/JSString.h:
2819         (JSC::jsSingleCharacterString):
2820         (JSC::jsSingleCharacterSubstring):
2821         (JSC::jsString):
2822         (JSC::jsSubstring8):
2823         * runtime/SmallStrings.cpp:
2824         (JSC::SmallStringsStorage::SmallStringsStorage):
2825         (JSC::SmallStrings::SmallStrings):
2826
2827 2014-02-08  Anders Carlsson  <andersca@apple.com>
2828
2829         Simplify single character substrings in JSC
2830         https://bugs.webkit.org/show_bug.cgi?id=128483
2831
2832         Reviewed by Andreas Kling.
2833
2834         With the recent work to make StringImpl occupy less space, it is actually more
2835         efficient to allocate a single character string than it is to use createSubstringSharingImpl!
2836         
2837         * runtime/JSString.h:
2838         (JSC::jsSingleCharacterString):
2839         (JSC::jsSingleCharacterSubstring):
2840         (JSC::jsString):
2841         (JSC::jsSubstring8):
2842         * runtime/SmallStrings.cpp:
2843         (JSC::SmallStringsStorage::SmallStringsStorage):
2844         (JSC::SmallStrings::SmallStrings):
2845
2846 2014-02-08  Mark Hahnenberg  <mhahnenberg@apple.com>
2847
2848         Baseline JIT uses the wrong version of checkMarkWord in emitWriteBarrier
2849         https://bugs.webkit.org/show_bug.cgi?id=128474
2850
2851         Reviewed by Michael Saboff.
2852
2853         * jit/JITPropertyAccess.cpp:
2854         (JSC::JIT::emitWriteBarrier):
2855
2856 2014-02-08  Mark Lam  <mark.lam@apple.com>
2857
2858         Rename a field and some variables in JSLock to better describe what they contain.
2859         <https://webkit.org/b/128475>
2860
2861         Reviewed by Oliver Hunt.
2862
2863         * runtime/JSLock.cpp:
2864         (JSC::JSLock::dropAllLocks):
2865         (JSC::JSLock::dropAllLocksUnconditionally):
2866         (JSC::JSLock::grabAllLocks):
2867         (JSC::JSLock::DropAllLocks::DropAllLocks):
2868         (JSC::JSLock::DropAllLocks::~DropAllLocks):
2869         * runtime/JSLock.h:
2870
2871 2014-02-08  Anders Carlsson  <andersca@apple.com>
2872
2873         Stop using getCharactersWithUpconvert in JavaScriptCore
2874         https://bugs.webkit.org/show_bug.cgi?id=128457
2875
2876         Reviewed by Andreas Kling.
2877
2878         Change substituteBackreferencesSlow to take StringViews and use a StringBuilder instead of upconverting
2879         if the source or replacement strings are 16-bit.
2880
2881         * runtime/StringPrototype.cpp:
2882         (JSC::substituteBackreferencesSlow):
2883         (JSC::substituteBackreferences):
2884
2885 2014-02-08  Mark Rowe  <mrowe@apple.com>
2886
2887         <https://webkit.org/b/128452> Don't duplicate the list of input files for postprocess-headers.sh
2888
2889         Reviewed by Dan Bernstein.
2890
2891         * postprocess-headers.sh: Pull the list of headers to process out of the environment.
2892
2893 2014-02-08  Mark Rowe  <mrowe@apple.com>
2894
2895         Fix the iOS build.
2896
2897         * API/WebKitAvailability.h: Skip the workarounds specific to OS X when we're building for iOS.
2898
2899 2014-02-07  Mark Rowe  <mrowe@apple.com>
2900
2901         <https://webkit.org/b/128448> Fix use of availability macros on recently-added APIs
2902
2903         Reviewed by Dan Bernstein.
2904
2905         * API/JSContext.h: Remove some #ifs.
2906         * API/JSManagedValue.h: Ditto.
2907         * API/WebKitAvailability.h: #define the macros that availability macros mentioning
2908         newer OS X versions would expand to when building on older OS versions.
2909         * JavaScriptCore.xcodeproj/project.pbxproj: Call the new postprocess-headers.sh.
2910         * postprocess-headers.sh: Extracted from the Xcode project. Updated to remove content
2911         from headers based on the __MAC_OS_X_VERSION_MIN_REQUIRED macro, and to
2912         process WebKitAvailability.h.
2913
2914 2014-02-07  Mark Lam  <mark.lam@apple.com>
2915
2916         JSLock should not "restore" VM stack values if it did not re-grab locks.
2917         <https://webkit.org/b/128447>
2918
2919         Reviewed by Geoffrey Garen.
2920
2921         In the existing code, if DropAllLocks is instantiated with DontAlwaysDropLocks
2922         in a thread that does not own the JSLock, then a bug will manifest where:
2923
2924         1. The DropAllLocks constructor will save the VM's stackPointerAtEntry,
2925            lastStackTop, and reservedZoneSize even though it will not drop the JSLock.
2926         2. The DropAllLocks destructor will restore those 3 values to the VM even
2927            though the JSLock will not grab its internal lock.
2928
2929         The former only causes busy work but does not impact correctness. The latter
2930         however, will corrupt those 3 VM values which belong to the thread that
2931         actually owns the JSLock.
2932
2933         The fix is to only save the values when the JSLock will actually drop its
2934         internal lock, and only restore the values if it did re-grab the internal lock.
2935
2936         * runtime/JSLock.cpp:
2937         (JSC::JSLock::dropAllLocks):
2938         (JSC::JSLock::dropAllLocksUnconditionally):
2939         (JSC::JSLock::grabAllLocks):
2940         (JSC::JSLock::DropAllLocks::DropAllLocks):
2941         - Moved the saving of VM stack values to dropAllLocks() and
2942           dropAllLocksUnconditionally().
2943         (JSC::JSLock::DropAllLocks::~DropAllLocks):
2944         - Moved the restoring of VM stack values to grabAllLocks().
2945
2946 2014-02-07  Filip Pizlo  <fpizlo@apple.com>
2947
2948         Don't throw away code if there is code on the worklists
2949         https://bugs.webkit.org/show_bug.cgi?id=128443
2950
2951         Reviewed by Joseph Pecoraro.
2952         
2953         If we throw away compiled code and there is code currently being JITed then the JIT
2954         will get confused after it resumes: it will see a code block that had claimed to belong
2955         to an executable except that it doesn't belong to any executables anymore.
2956
2957         * dfg/DFGWorklist.h:
2958         (JSC::DFG::Worklist::isActive):
2959         * heap/Heap.cpp:
2960         (JSC::Heap::deleteAllCompiledCode):
2961
2962 2014-02-07  Filip Pizlo  <fpizlo@apple.com>
2963
2964         GC should safepoint the DFG worklist in a smarter way rather than just waiting for everything to complete
2965         https://bugs.webkit.org/show_bug.cgi?id=128297
2966
2967         Reviewed by Oliver Hunt.
2968         
2969         This makes DFG worklist threads have a rightToRun lock that gives them the ability to
2970         be safepointed by the GC in much the same way as you'd expect from a fully
2971         multithreaded VM.
2972         
2973         The idea is that the worklist threads' roots are the DFG::Plan. They only touch those
2974         roots when holding the rightToRun lock. They currently grab that lock to run the
2975         compiler, but relinquish it when accessing - and waiting on - the worklist.
2976
2977         * bytecode/CodeBlock.h:
2978         (JSC::CodeBlockSet::mark):
2979         * dfg/DFGCompilationKey.cpp:
2980         (JSC::DFG::CompilationKey::visitChildren):
2981         * dfg/DFGCompilationKey.h:
2982         * dfg/DFGDesiredStructureChains.cpp:
2983         (JSC::DFG::DesiredStructureChains::visitChildren):
2984         * dfg/DFGDesiredStructureChains.h:
2985         * dfg/DFGDesiredTransitions.cpp:
2986         (JSC::DFG::DesiredTransition::visitChildren):
2987         (JSC::DFG::DesiredTransitions::visitChildren):
2988         * dfg/DFGDesiredTransitions.h:
2989         * dfg/DFGDesiredWeakReferences.cpp:
2990         (JSC::DFG::DesiredWeakReferences::visitChildren):
2991         * dfg/DFGDesiredWeakReferences.h:
2992         * dfg/DFGDesiredWriteBarriers.cpp:
2993         (JSC::DFG::DesiredWriteBarrier::visitChildren):
2994         (JSC::DFG::DesiredWriteBarriers::visitChildren):
2995         * dfg/DFGDesiredWriteBarriers.h:
2996         * dfg/DFGPlan.cpp:
2997         (JSC::DFG::Plan::visitChildren):
2998         * dfg/DFGPlan.h:
2999         * dfg/DFGWorklist.cpp:
3000         (JSC::DFG::Worklist::~Worklist):
3001         (JSC::DFG::Worklist::finishCreation):
3002         (JSC::DFG::Worklist::suspendAllThreads):
3003         (JSC::DFG::Worklist::resumeAllThreads):
3004         (JSC::DFG::Worklist::visitChildren):
3005         (JSC::DFG::Worklist::runThread):
3006         (JSC::DFG::Worklist::threadFunction):
3007         * dfg/DFGWorklist.h:
3008         (JSC::DFG::numberOfWorklists):
3009         (JSC::DFG::worklistForIndexOrNull):
3010         * heap/CodeBlockSet.h:
3011         * heap/Heap.cpp:
3012         (JSC::Heap::markRoots):
3013         (JSC::Heap::collect):
3014         * runtime/IntendedStructureChain.cpp:
3015         (JSC::IntendedStructureChain::visitChildren):
3016         * runtime/IntendedStructureChain.h:
3017         * runtime/VM.cpp:
3018         (JSC::VM::~VM):
3019         (JSC::VM::prepareToDiscardCode):
3020
3021 2014-02-07  Mark Lam  <mark.lam@apple.com>
3022
3023         Unify JSLock implementation for iOS and non-iOS ports.
3024         <https://webkit.org/b/128409>
3025
3026         Reviewed by Michael Saboff.
3027
3028         The iOS and non-iOS implementations of dropAllLocks(),
3029         dropAllLocksUnconditionally(), and grabAllLocks() effectively do the
3030         same work. The main difference is that the iOS implementation acquires
3031         the JSLock spin lock in the DropAllLocks class while the other ports
3032         acquire it when they call JSLock::lock() and unlock().
3033
3034         The other difference is that the iOS implementation will only increment
3035         m_locksDropDepth if it actually drops locks, whereas other ports will
3036         increment it unconditionally. Analogously, iOS decrements the depth only
3037         when needed while other ports will decrement it unconditionally when
3038         re-grabbing locks.
3039
3040         We can unify the 2 implementations by having both use the iOS
3041         implementation for a start.
3042
3043         * runtime/JSLock.cpp:
3044         (JSC::JSLock::dropAllLocks):
3045         (JSC::JSLock::dropAllLocksUnconditionally):
3046         (JSC::JSLock::grabAllLocks):
3047         (JSC::JSLock::DropAllLocks::DropAllLocks):
3048         (JSC::JSLock::DropAllLocks::~DropAllLocks):
3049
3050 2014-02-06  Filip Pizlo  <fpizlo@apple.com>
3051
3052         More FTL build scaffolding
3053         https://bugs.webkit.org/show_bug.cgi?id=128330
3054
3055         Reviewed by Geoffrey Garen.
3056
3057         * Configurations/FeatureDefines.xcconfig:
3058         * llvm/library/LLVMAnchor.cpp:
3059
3060 2014-02-07  Mark Lam  <mark.lam@apple.com>
3061
3062         iOS port needs to clear VM::stackPointerAtVMEntry when it drops locks.
3063         <https://webkit.org/b/128424>
3064
3065         Reviewed by Geoffrey Garen.
3066
3067         The iOS code path for dropping locks differ from the non-iOS code path
3068         in that it (iOS) does not clear m_vm->stackPointerAtVMEntry nor reset the
3069         VM stack limit. This is now fixed by copying that snippet from
3070         JSLock::unlock().
3071
3072         * runtime/JSLock.cpp:
3073         (JSC::JSLock::dropAllLocks):
3074         (JSC::JSLock::dropAllLocksUnconditionally):
3075
3076 2014-02-07  Mark Lam  <mark.lam@apple.com>
3077
3078         Removed superfluous JSLock::entryStackPointer field.
3079         <https://webkit.org/b/128413>
3080
3081         Reviewed by Geoffrey Garen.
3082
3083         * runtime/JSLock.cpp:
3084         (JSC::JSLock::lock):
3085         * runtime/JSLock.h:
3086
3087 2014-02-07  Mark Lam  <mark.lam@apple.com>
3088
3089         Revert workaround committed in http://trac.webkit.org/r163595.
3090         <https://webkit.org/b/128408>
3091
3092         Reviewed by Geoffrey Garen.
3093
3094         Now that we have fixed the bugs in JSLock's stack limit adjustments
3095         in https://bugs.webkit.org/show_bug.cgi?id=128406, we can revert the
3096         workaround in r163595.
3097
3098         * API/JSContextRef.cpp:
3099         (JSContextGroupCreate):
3100         (JSGlobalContextCreateInGroup):
3101         * API/tests/testapi.js:
3102         * runtime/VM.cpp:
3103         (JSC::VM::VM):
3104         (JSC::VM::updateStackLimitWithReservedZoneSize):
3105         * runtime/VM.h:
3106
3107 2014-02-07  Mark Lam  <mark.lam@apple.com>
3108
3109         Fix bug in stack limit adjustments in JSLock.
3110         <https://webkit.org/b/128406>
3111
3112         Reviewed by Geoffrey Garen.
3113
3114         1. JSLock::unlock() was only clearing the VM::stackPointerAtEntry when
3115            m_vm->stackPointerAtVMEntry == entryStackPointer. FYI,
3116            entryStackPointer is a field in JSLock.
3117
3118            When DropAllLocks::~DropAllLocks() will call JSLock::grabAllLocks()
3119            to relock the JSLock, JSLock::grabAllLocks() will set a new
3120            entryStackPointer value. Thereafter, DropAllLocks::~DropAllLocks() will
3121            restore the saved VM::stackPointerAtEntry, which will now differ from
3122            the JSLock's entryStackPointer value.
3123
3124            It turns out that when m_vm->stackPointerAtVMEntry was initialized,
3125            it was set to whatever value entryStackPointer is set to. At no time
3126            do we ever expect the 2 values to differ. The only time it differs is
3127            when this bug manifests.
3128
3129            The fix is to remove the entryStackPointer field in JSLock and its uses
3130            altogether.
3131
3132         2. DropAllLocks was unconditionally clearing VM::stackPointerAtEntry in
3133            its constructor instead of letting JSLock::unlock() do the clearing.
3134
3135            However, DropAllLocks will not actually drop locks if it isn't required
3136            to (e.g. when alwaysDropLocks is DontAlwaysDropLocks), and when we've
3137            already dropped locks once (i.e. JSLock::m_lockDropDepth is not 0).
3138
3139            We should not have cleared VM::stackPointerAtEntry here if we don't
3140            actually drop the locks.
3141
3142         * runtime/JSLock.cpp:
3143         (JSC::JSLock::unlock):
3144         (JSC::JSLock::DropAllLocks::DropAllLocks):
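
        The two JSLock entries above (128447, "should not restore VM stack values if it
        did not re-grab locks", and 128406, "should not clear VM::stackPointerAtEntry
        unless locks are actually dropped") describe the same failure mode: an RAII
        lock-dropper that saves and restores per-thread VM state unconditionally lets a
        thread that never owned the JSLock overwrite the owner's values. The model below
        is an added illustration, not JavaScriptCore's code: VM, JSLock and the two
        DropAllLocks variants are constructed stand-ins that keep the ChangeLog's field
        names, a global integer stands in for the current thread id so the scenario runs
        on one OS thread, and only the DontAlwaysDropLocks path is modelled.

```cpp
#include <cstddef>
#include <cstdint>

// Simulated thread identity: a global id replaces the per-thread ownership check.
static int g_currentThread = 0;

// The three VM stack values the ChangeLog names (constructed stand-in for JSC's VM).
struct VM { uintptr_t stackPointerAtVMEntry = 0; uintptr_t lastStackTop = 0; size_t reservedZoneSize = 0; };
struct SavedStackValues { uintptr_t sp; uintptr_t top; size_t zone; };

static SavedStackValues snapshot(const VM& vm) { SavedStackValues s = { vm.stackPointerAtVMEntry, vm.lastStackTop, vm.reservedZoneSize }; return s; }
static void restore(VM& vm, const SavedStackValues& s) { vm.stackPointerAtVMEntry = s.sp; vm.lastStackTop = s.top; vm.reservedZoneSize = s.zone; }

// Stand-in for JSLock: tracks the owning thread and the lock-drop depth.
class JSLock {
public:
    explicit JSLock(VM& vm) : m_vm(&vm) { }
    VM& vm() { return *m_vm; }
    void lock() { m_ownerThread = g_currentThread; }   // uncontended in this model
    bool currentThreadIsHoldingLock() const { return m_ownerThread == g_currentThread; }
    int lockDropDepth() const { return m_lockDropDepth; }
    // Release only if this thread holds the lock; while dropped nobody is inside the
    // VM, so the entry stack pointer is cleared here and nowhere else. Reports whether it dropped.
    bool dropIfHeld()
    {
        if (!currentThreadIsHoldingLock()) return false;
        ++m_lockDropDepth; m_vm->stackPointerAtVMEntry = 0; m_ownerThread = 0;
        return true;
    }
    void grab() { lock(); --m_lockDropDepth; }
private:
    VM* m_vm; int m_ownerThread = 0; int m_lockDropDepth = 0;
};

// Pre-fix shape (DontAlwaysDropLocks path): saves in the constructor and restores in
// the destructor even when this thread never owned the lock.
class BuggyDropAllLocks {
public:
    explicit BuggyDropAllLocks(JSLock& lock) : m_lock(lock), m_saved(snapshot(lock.vm())) { m_didDrop = lock.dropIfHeld(); }
    ~BuggyDropAllLocks()
    {
        if (m_didDrop) m_lock.grab();
        restore(m_lock.vm(), m_saved);   // unconditional: clobbers the owner's values
    }
private:
    JSLock& m_lock; SavedStackValues m_saved; bool m_didDrop = false;
};

// Post-fix shape: save only when the lock is really dropped, restore only after it
// has really been re-grabbed.
class FixedDropAllLocks {
public:
    explicit FixedDropAllLocks(JSLock& lock) : m_lock(lock)
    {
        if (!lock.currentThreadIsHoldingLock()) return;   // will not drop, so do not save
        m_saved = snapshot(lock.vm());
        m_didDrop = lock.dropIfHeld();
    }
    ~FixedDropAllLocks()
    {
        if (!m_didDrop) return;          // nothing dropped, nothing to restore
        m_lock.grab();
        restore(m_lock.vm(), m_saved);
    }
private:
    JSLock& m_lock; SavedStackValues m_saved = { 0, 0, 0 }; bool m_didDrop = false;
};

// Scenario from the 128447 entry: thread 1 owns the lock, thread 2 creates a
// DropAllLocks without owning it, and meanwhile the owner changes reservedZoneSize.
// Returns the VM's value after thread 2's object dies: stale 100 with the bug, 200 once fixed.
template <class Dropper> size_t reservedZoneAfterNonOwnerDrop()
{
    VM vm; JSLock lock(vm);
    g_currentThread = 1; lock.lock(); vm.reservedZoneSize = 100;
    {
        g_currentThread = 2;            // a thread that does not own the JSLock
        Dropper dropper(lock);
        g_currentThread = 1; vm.reservedZoneSize = 200;   // the owner keeps running
        g_currentThread = 2;
    }                                   // dropper destroyed on thread 2
    return vm.reservedZoneSize;
}

// The legitimate case: the owner drops and re-grabs. The entry pointer must be cleared
// while dropped and restored afterwards, with the drop depth back at 0.
template <class Dropper> bool ownerRoundTripRestores()
{
    VM vm; JSLock lock(vm);
    g_currentThread = 1; lock.lock(); vm.stackPointerAtVMEntry = 0x1000;
    bool clearedWhileDropped = false;
    {
        Dropper dropper(lock);
        clearedWhileDropped = vm.stackPointerAtVMEntry == 0 && !lock.currentThreadIsHoldingLock();
    }
    return clearedWhileDropped && vm.stackPointerAtVMEntry == 0x1000
        && lock.currentThreadIsHoldingLock() && lock.lockDropDepth() == 0;
}
```

        Both variants behave identically for the owning thread; the difference shows only
        when a non-owner instantiates the dropper, which is exactly the case the entry calls
        "busy work" on the save side and "corruption" on the restore side. Tying save and
        restore to the same "did I really drop" flag is the general rule for any RAII
        guard that stashes state belonging to whoever holds a lock.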
3145
3146 2014-02-07  Joseph Pecoraro  <pecoraro@apple.com>
3147
3148         [iOS] Eliminate race between XPC connection queue and Notification queue
3149         https://bugs.webkit.org/show_bug.cgi?id=128384
3150
3151         Reviewed by Timothy Hatcher.
3152
3153         * inspector/remote/RemoteInspector.h:
3154         * inspector/remote/RemoteInspector.mm:
3155         (Inspector::RemoteInspector::RemoteInspector):
3156         (Inspector::RemoteInspector::start):
3157         (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
3158         Create the queue to use for RemoteInspector xpc connection
3159         management and the connection itself.
3160
3161         * inspector/remote/RemoteInspectorXPCConnection.h:
3162         * inspector/remote/RemoteInspectorXPCConnection.mm:
3163         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
3164         Use the passed in queue instead of creating one for itself.
3165
3166 2014-02-07  Oliver Hunt  <oliver@apple.com>
3167
3168         REGRESSION (r160628): LLint does not appear to handle impure get own property properly
3169         https://bugs.webkit.org/show_bug.cgi?id=127943
3170
3171         Reviewed by Filip Pizlo.
3172
3173         Make sure the LLINT doesn't attempt to cache property
3174         access on structures with impureGetOwnPropertySlot set.
3175
3176         * llint/LLIntSlowPaths.cpp:
3177         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3178
3179 2014-02-06  Michael Saboff  <msaboff@apple.com>
3180
3181         Workaround REGRESSION(r163195-r163227): Crash beneath NSErrorUserInfoFromJSException when installing AppleInternal.mpkg
3182         https://bugs.webkit.org/show_bug.cgi?id=128347
3183
3184         Reviewed by Geoffrey Garen.
3185
3186         Added a flag to VM class called m_ignoreStackLimit that disables stack limit checks.
3187         We set this flag in JSContextGroupCreate() and JSGlobalContextCreateInGroup().
3188
3189         Disabled stack overflow tests in testapi.js since it uses these paths.
3190
3191         This patch will be reverted as part of a comprehensive solution to the problem.
3192
3193         * API/JSContextRef.cpp:
3194         (JSContextGroupCreate):
3195         (JSGlobalContextCreateInGroup):
3196         * API/tests/testapi.js:
3197         * runtime/VM.cpp:
3198         (JSC::VM::VM):
3199         (JSC::VM::updateStackLimitWithReservedZoneSize):
3200         * runtime/VM.h:
3201         (JSC::VM::ignoreStackLimit):
3202
3203 2014-02-06  Mark Hahnenberg  <mhahnenberg@apple.com>
3204
3205         +[JSContext currentCallee] should return the currently executing JS function
3206         https://bugs.webkit.org/show_bug.cgi?id=122621
3207
3208         Reviewed by Geoffrey Garen.
3209
3210         It would be useful if there was a +[JSContext currentObject] API which was 
3211         callable from ObjC API callbacks. Its purpose would be to allow convenient 
3212         access to the JSValue wrapper for the currently-executing block callback.
3213
3214         * API/JSContext.h:
3215         * API/JSContext.mm:
3216         (+[JSContext currentCallee]):
3217         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
3218         * API/JSContextInternal.h:
3219         * API/ObjCCallbackFunction.mm:
3220         (JSC::objCCallbackFunctionCallAsFunction):
3221         (JSC::objCCallbackFunctionCallAsConstructor):
3222         * API/tests/testapi.mm:
3223
3224 2014-02-06  Mark Hahnenberg  <mhahnenberg@apple.com>
3225
3226         Fix iOS builds after r163574
3227
3228         * API/JSManagedValue.h:
3229
3230 2014-02-06  Mark Hahnenberg  <mhahnenberg@apple.com>
3231
3232         Heap::writeBarrier shouldn't be static
3233         https://bugs.webkit.org/show_bug.cgi?id=127807
3234
3235         Reviewed by Geoffrey Garen.
3236
3237         Currently it looks up the Heap in which to fire the write barrier by using 
3238         the cell passed to it. Almost every call site already has a reference to the 
3239         VM or the Heap itself. It seems wasteful to look it up all over again.
3240
3241         * GNUmakefile.list.am:
3242         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3243         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3244         * JavaScriptCore.xcodeproj/project.pbxproj:
3245         * heap/CopyWriteBarrier.h:
3246         (JSC::CopyWriteBarrier::set):
3247         * heap/Heap.cpp:
3248         (JSC::Heap::writeBarrier):
3249         * heap/Heap.h:
3250         (JSC::Heap::writeBarrier):
3251         * jit/JITOperations.cpp:
3252         * jit/JITWriteBarrier.h:
3253         (JSC::JITWriteBarrierBase::set):
3254         * llint/LLIntSlowPaths.cpp:
3255         (JSC::LLInt::llint_write_barrier_slow):
3256         * runtime/Arguments.h:
3257         * runtime/JSWeakMap.cpp:
3258         * runtime/MapData.cpp:
3259         (JSC::MapData::ensureSpaceForAppend):
3260         * runtime/PropertyTable.cpp:
3261         (JSC::PropertyTable::PropertyTable):
3262         * runtime/Structure.h:
3263         * runtime/WriteBarrier.h:
3264         * runtime/WriteBarrierInlines.h: Added.
3265
3266 2014-02-06  Mark Hahnenberg  <mhahnenberg@apple.com>
3267
3268         JSManagedValue should automatically call removeManagedReference:withOwner: upon dealloc
3269         https://bugs.webkit.org/show_bug.cgi?id=124053
3270
3271         Reviewed by Geoffrey Garen.
3272
3273         * API/JSManagedValue.h:
3274         * API/JSManagedValue.mm:
3275         (+[JSManagedValue managedValueWithValue:andOwner:]):
3276         (-[JSManagedValue initWithValue:]):
3277         (-[JSManagedValue dealloc]):
3278         (-[JSManagedValue didAddOwner:]):
3279         (-[JSManagedValue didRemoveOwner:]):
3280         * API/JSManagedValueInternal.h: Added.
3281         * API/JSVirtualMachine.mm:
3282         (-[JSVirtualMachine addManagedReference:withOwner:]):
3283         (-[JSVirtualMachine removeManagedReference:withOwner:]):
3284         * API/WebKitAvailability.h:
3285         * API/tests/testapi.mm:
3286         (-[TextXYZ click]):
3287         * JavaScriptCore.xcodeproj/project.pbxproj:
3288
3289 2014-02-06  Joseph Pecoraro  <pecoraro@apple.com>
3290
3291         Web Inspector: Add Console support to JSContext Inspection
3292         https://bugs.webkit.org/show_bug.cgi?id=127941
3293
3294         Reviewed by Geoffrey Garen.
3295
3296         * CMakeLists.txt:
3297         * DerivedSources.make:
3298         * GNUmakefile.am:
3299         * GNUmakefile.list.am:
3300         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3301         * JavaScriptCore.xcodeproj/project.pbxproj:
3302         Add new files.
3303
3304         * inspector/agents/InspectorConsoleAgent.cpp: Renamed from Source/WebCore/inspector/InspectorConsoleAgent.cpp.
3305         * inspector/agents/InspectorConsoleAgent.h: Added.
3306         New agent moved from WebCore. Rename a method to work in JS only context.
3307
3308         * inspector/JSGlobalObjectInspectorController.cpp:
3309         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3310         Instantiate ConsoleAgent.
3311
3312         * inspector/agents/JSGlobalObjectConsoleAgent.h: Copied from Source/WebCore/inspector/PageInjectedScriptHost.h.
3313         * inspector/agents/JSGlobalObjectConsoleAgent.cpp: Copied from Source/WebCore/inspector/PageInjectedScriptHost.h.
3314         (Inspector::JSGlobalObjectConsoleAgent::JSGlobalObjectConsoleAgent):
3315         (Inspector::JSGlobalObjectConsoleAgent::setMonitoringXHREnabled):
3316         (Inspector::JSGlobalObjectConsoleAgent::addInspectedNode):
3317         (Inspector::JSGlobalObjectConsoleAgent::addInspectedHeapObject):
3318         JSGlobalObject implementation.
3319
3320         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
3321         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
3322         (Inspector::JSGlobalObjectDebuggerAgent::JSGlobalObjectDebuggerAgent):
3323         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
3324         Use ConsoleAgent to report logs.
3325
3326         * inspector/ConsoleMessage.cpp: Renamed from Source/WebCore/inspector/ConsoleMessage.cpp.
3327         * inspector/ConsoleMessage.h: Renamed from Source/WebCore/inspector/ConsoleMessage.h.
3328         * inspector/ConsoleTypes.h: Copied from Source/WebCore/inspector/ConsoleAPITypes.h.
3329         * inspector/IdentifiersFactory.cpp: Renamed from Source/WebCore/inspector/IdentifiersFactory.cpp.
3330         * inspector/IdentifiersFactory.h: Renamed from Source/WebCore/inspector/IdentifiersFactory.h.
3331         * inspector/ScriptArguments.cpp: Renamed from Source/WebCore/inspector/ScriptArguments.cpp.
3332         * inspector/ScriptArguments.h: Renamed from Source/WebCore/inspector/ScriptArguments.h.
3333         * inspector/ScriptCallFrame.cpp: Renamed from Source/WebCore/inspector/ScriptCallFrame.cpp.
3334         * inspector/ScriptCallFrame.h: Renamed from Source/WebCore/inspector/ScriptCallFrame.h.
3335         * inspector/ScriptCallStack.cpp: Renamed from Source/WebCore/inspector/ScriptCallStack.cpp.
3336         * inspector/ScriptCallStack.h: Renamed from Source/WebCore/inspector/ScriptCallStack.h.
3337         * inspector/ScriptCallStackFactory.cpp: Renamed from Source/WebCore/bindings/js/ScriptCallStackFactory.cpp.
3338         * inspector/ScriptCallStackFactory.h: Renamed from Source/WebCore/bindings/js/ScriptCallStackFactory.h.
3339         * inspector/protocol/Console.json: Renamed from Source/WebCore/inspector/protocol/Console.json.
3340         * inspector/scripts/generate-combined-inspector-json.py:
3341
3342 2014-02-06  Commit Queue  <commit-queue@webkit.org>
3343
3344         Unreviewed, rolling out r163542.
3345         http://trac.webkit.org/changeset/163542
3346         https://bugs.webkit.org/show_bug.cgi?id=128324
3347
3348         Caused many assertion failures (Requested by ap on #webkit).
3349
3350         * GNUmakefile.list.am:
3351         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3352         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3353         * JavaScriptCore.xcodeproj/project.pbxproj:
3354         * heap/CopyWriteBarrier.h:
3355         (JSC::CopyWriteBarrier::set):
3356         * heap/Heap.cpp:
3357         (JSC::Heap::writeBarrier):
3358         * heap/Heap.h:
3359         (JSC::Heap::writeBarrier):
3360         * jit/JITOperations.cpp:
3361         * jit/JITWriteBarrier.h:
3362         (JSC::JITWriteBarrierBase::set):
3363         * llint/LLIntSlowPaths.cpp:
3364         (JSC::LLInt::llint_write_barrier_slow):
3365         * runtime/Arguments.h:
3366         * runtime/JSWeakMap.cpp:
3367         * runtime/MapData.cpp:
3368         (JSC::MapData::ensureSpaceForAppend):
3369         * runtime/PropertyTable.cpp:
3370         (JSC::PropertyTable::PropertyTable):
3371         * runtime/Structure.h:
3372         * runtime/WriteBarrier.h:
3373         (JSC::WriteBarrierBase::set):
3374         (JSC::WriteBarrierBase::setMayBeNull):
3375         (JSC::WriteBarrierBase::setEarlyValue):
3376         (JSC::WriteBarrierBase<Unknown>::set):
3377         * runtime/WriteBarrierInlines.h: Removed.
3378
3379 2014-02-06  Oliver Hunt  <oliver@apple.com>
3380
3381       &