ad34fc244da686464b47fea0149b22a06d5357a9
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-03-05  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=128625
        Add fast mapping from StringImpl to JSString

        Unreviewed roll-out.

        Reverting r164347, r165054, r165066 - not clear the performance tradeoff was right.

        * runtime/JSString.cpp:
        * runtime/JSString.h:
        * runtime/VM.cpp:
        (JSC::VM::createLeaked):
        * runtime/VM.h:

2014-03-03  Oliver Hunt  <oliver@apple.com>

        Support caching of custom setters
        https://bugs.webkit.org/show_bug.cgi?id=129519

        Reviewed by Filip Pizlo.

        This patch adds caching of assignment to properties that
        are backed by C functions. This provides most of the leg
        work required to start supporting setters, and resolves
        the remaining regressions from moving DOM properties up
        the prototype chain.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/PolymorphicPutByIdList.cpp:
        (JSC::PutByIdAccess::visitWeak):
        (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
        (JSC::PolymorphicPutByIdList::from):
        * bytecode/PolymorphicPutByIdList.h:
        (JSC::PutByIdAccess::transition):
        (JSC::PutByIdAccess::replace):
        (JSC::PutByIdAccess::customSetter):
        (JSC::PutByIdAccess::isCustom):
        (JSC::PutByIdAccess::oldStructure):
        (JSC::PutByIdAccess::chain):
        (JSC::PutByIdAccess::stubRoutine):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeForStubInfo):
        (JSC::PutByIdStatus::computeFor):
        (JSC::PutByIdStatus::dump):
        * bytecode/PutByIdStatus.h:
        (JSC::PutByIdStatus::PutByIdStatus):
        (JSC::PutByIdStatus::takesSlowPath):
        (JSC::PutByIdStatus::makesCalls):
        * bytecode/StructureStubInfo.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::emitPutById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        (JSC::emitCustomSetterStub):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        * jit/SpillRegistersMode.h: Added.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Lookup.h:
        (JSC::putEntry):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::setCacheableCustomProperty):
        (JSC::PutPropertySlot::customSetter):
        (JSC::PutPropertySlot::isCacheablePut):
        (JSC::PutPropertySlot::isCacheableCustomProperty):
        (JSC::PutPropertySlot::cachedOffset):

2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSCell::m_gcData should encode its information differently
        https://bugs.webkit.org/show_bug.cgi?id=129741

        Reviewed by Geoffrey Garen.

        We want to keep track of three GC states for an object:

        1. Not marked (which implies not in the remembered set)
        2. Marked but not in the remembered set
        3. Marked and in the remembered set

        Currently we only indicate marked vs. not marked in JSCell::m_gcData. During a write
        barrier, we only want to take the slow path if the object being stored to is in state #2.
        We'd like to make the test for state #2 as fast as possible, which means making it a
        compare against 0.

        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::osrWriteBarrier):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkMarkByte):
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::allocateCell):
        (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
        * heap/Heap.cpp:
        (JSC::Heap::clearRememberedSet):
        (JSC::Heap::addToRememberedSet):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::checkMarkByte):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::checkMarkByte):
        (JSC::JIT::emitWriteBarrier):
        * jit/Repatch.cpp:
        (JSC::writeBarrier):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSCell.h:
        (JSC::JSCell::mark):
        (JSC::JSCell::remember):
        (JSC::JSCell::forget):
        (JSC::JSCell::isMarked):
        (JSC::JSCell::isRemembered):
        * runtime/JSCellInlines.h:
        (JSC::JSCell::JSCell):
        * runtime/StructureIDBlob.h:
        (JSC::StructureIDBlob::StructureIDBlob):

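As an added example (not code from the WebKit tree), a small C++ model of the three GC states the entry above describes, encoded so that the write barrier's test for state #2 is a single compare against zero. The enum values, the Cell and Heap types and the invariant check are this example's own constructions, not JSC's types.

```cpp
#include <algorithm>
#include <cstdint>
#include <vector>

// Constructed model (not JSC's actual layout): one byte of GC state per cell,
// chosen so that "marked but not remembered" (state #2) is the zero value.
// The barrier fast path then needs nothing more than a compare against zero.
enum GCData : uint8_t {
    Marked = 0,              // state #2: marked, not in the remembered set
    NotMarked = 1,           // state #1: not marked (hence not remembered)
    MarkedAndRemembered = 2, // state #3: marked and in the remembered set
};

struct Cell {
    uint8_t m_gcData = NotMarked;

    bool isMarked() const { return m_gcData != NotMarked; }
    bool isRemembered() const { return m_gcData == MarkedAndRemembered; }

    // Marking an unmarked cell moves it to state #2; a cell that is already
    // remembered keeps that information.
    void mark() { if (m_gcData == NotMarked) m_gcData = Marked; }
    // Only a marked cell is ever remembered; the barrier guarantees that.
    void remember() { m_gcData = MarkedAndRemembered; }
    // Leaving the remembered set returns the cell to plain "marked".
    void forget() { m_gcData = Marked; }
    void clearMark() { m_gcData = NotMarked; }
};

// The test the entry is after: exactly one of the three states encodes as
// zero, so "needs the slow path" is literally "m_gcData == 0".
inline bool needsSlowPath(const Cell& cell) { return cell.m_gcData == 0; }

struct Heap {
    std::vector<Cell*> rememberedSet;

    // Slow path: the store target is marked and not yet remembered, so it
    // must be rescanned by the next collection.
    void addToRememberedSet(Cell* cell)
    {
        cell->remember();
        rememberedSet.push_back(cell);
    }

    // Write barrier run when a pointer is stored into `owner`. Unmarked
    // cells (#1) will be scanned anyway and remembered cells (#3) are already
    // queued; both encode as non-zero, so one compare covers both.
    void writeBarrier(Cell* owner)
    {
        if (!needsSlowPath(*owner))
            return;
        addToRememberedSet(owner);
    }

    // At the start of a collection the remembered set is drained and every
    // member drops back to state #2.
    void clearRememberedSet()
    {
        for (Cell* cell : rememberedSet)
            cell->forget();
        rememberedSet.clear();
    }

    // Invariant a debug build would assert: a cell is in the remembered set
    // if and only if its state byte says so.
    bool rememberedSetConsistent(const std::vector<Cell*>& allCells) const
    {
        for (Cell* cell : allCells) {
            bool inSet = std::find(rememberedSet.begin(), rememberedSet.end(), cell) != rememberedSet.end();
            if (inSet != cell->isRemembered())
                return false;
        }
        return true;
    }
};
```
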
2014-03-05  Filip Pizlo  <fpizlo@apple.com>

        More FTL ARM fixes
        https://bugs.webkit.org/show_bug.cgi?id=129755

        Reviewed by Geoffrey Garen.

        - Be more defensive about inline caches that have degenerate chains.

        - Temporarily switch to allocating all MCJIT memory in the executable pool on non-x86
          platforms. The bug tracking the real fix is: https://bugs.webkit.org/show_bug.cgi?id=129756

        - Don't even emit intrinsic declarations on non-x86 platforms.

        - More debug printing support.

        - Don't use vmCall() in the prologue. This should have crashed on all platforms all the time
          but somehow it gets lucky on x86.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::appendVariant):
        (JSC::GetByIdStatus::computeForChain):
        (JSC::GetByIdStatus::computeForStubInfo):
        * bytecode/GetByIdStatus.h:
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::appendVariant):
        (JSC::PutByIdStatus::computeForStubInfo):
        * bytecode/PutByIdStatus.h:
        * bytecode/StructureSet.h:
        (JSC::StructureSet::overlaps):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLDataSection.cpp:
        (JSC::FTL::DataSection::DataSection):
        (JSC::FTL::DataSection::~DataSection):
        * ftl/FTLDataSection.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::doubleSin):
        (JSC::FTL::Output::doubleCos):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpInContext):
        * runtime/JSCell.h:
        (JSC::JSCell::structureID):

2014-03-05  peavo@outlook.com  <peavo@outlook.com>

        [Win32][LLINT] Crash when running JSC stress tests.
        https://bugs.webkit.org/show_bug.cgi?id=129429

        On Windows the reserved stack space consists of committed memory, a guard page, and uncommitted memory,
        where the guard page is a barrier between committed and uncommitted memory.
        When data from the guard page is read or written, the guard page is moved, and memory is committed.
        This is how the system grows the stack.
        When using the C stack on Windows we need to precommit the needed stack space.
        Otherwise we might crash later if we access uncommitted stack memory.
        This can happen if we allocate stack space larger than the page guard size (4K).
        The system does not get the chance to move the guard page, and commit more memory,
        and we crash if uncommitted memory is accessed.
        The MSVC compiler fixes this by inserting a call to the _chkstk() function,
        when needed, see http://support.microsoft.com/kb/100775.

        Reviewed by Geoffrey Garen.

        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Enable LLINT.
        * jit/Repatch.cpp:
        (JSC::writeBarrier): Compile fix when DFG_JIT is not enabled.
        * offlineasm/x86.rb: Compile fix, and small simplification.
        * runtime/VM.cpp:
        (JSC::preCommitStackMemory): Added function to precommit stack memory.
        (JSC::VM::updateStackLimit): Call function to precommit stack memory when stack limit is updated.

2014-03-05  Michael Saboff  <msaboff@apple.com>

        JSDataViewPrototype::getData() and setData() crash on platforms that don't allow unaligned accesses
        https://bugs.webkit.org/show_bug.cgi?id=129746

        Reviewed by Filip Pizlo.

        Changed to use a union to manually assemble or disassemble the various types
        from / to the corresponding bytes.  All memory access is now done using
        byte accesses.

        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):
        (JSC::setData):

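An added example (not JSC's JSDataViewPrototype code) of the byte-wise union technique the entry above describes: a constructed ByteView type with getData/setData that assemble a value from individual bytes, honour the DataView little-endian flag, and reject out-of-range offsets the way DataView does. The type and function names, and the runtime endianness probe, are this example's own.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Constructed stand-in for a DataView over an ArrayBuffer (example code).
struct ByteView {
    std::vector<uint8_t> bytes;
};

// Host byte order, probed at runtime so the example needs no compiler macros.
inline bool hostIsLittleEndian()
{
    union { uint16_t word; uint8_t byte[2]; } probe;
    probe.word = 0x0102;
    return probe.byte[0] == 0x02;
}

// Read a T at byteOffset using byte accesses only. The union reassembles the
// value from its bytes, so the buffer is never dereferenced as a T and no
// wide (possibly unaligned) load is ever issued, whatever the offset.
template<typename T>
T getData(const ByteView& view, size_t byteOffset, bool littleEndian)
{
    // DataView semantics: an access that runs past the end is a RangeError.
    if (byteOffset > view.bytes.size() || view.bytes.size() - byteOffset < sizeof(T))
        throw std::out_of_range("Offset is outside the bounds of the DataView");

    union { T value; uint8_t raw[sizeof(T)]; } u;
    bool swap = littleEndian != hostIsLittleEndian();
    for (size_t i = 0; i < sizeof(T); ++i)
        u.raw[swap ? sizeof(T) - 1 - i : i] = view.bytes[byteOffset + i];
    return u.value;
}

// Write a T at byteOffset, again one byte at a time.
template<typename T>
void setData(ByteView& view, size_t byteOffset, T value, bool littleEndian)
{
    if (byteOffset > view.bytes.size() || view.bytes.size() - byteOffset < sizeof(T))
        throw std::out_of_range("Offset is outside the bounds of the DataView");

    union { T value; uint8_t raw[sizeof(T)]; } u;
    u.value = value;
    bool swap = littleEndian != hostIsLittleEndian();
    for (size_t i = 0; i < sizeof(T); ++i)
        view.bytes[byteOffset + i] = u.raw[swap ? sizeof(T) - 1 - i : i];
}

// True when the access is rejected, i.e. the path that would raise RangeError.
template<typename T>
bool isOutOfBounds(const ByteView& view, size_t byteOffset)
{
    try {
        (void)getData<T>(view, byteOffset, true);
    } catch (const std::out_of_range&) {
        return true;
    }
    return false;
}
```
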
2014-03-05  Filip Pizlo  <fpizlo@apple.com>

        FTL loadStructure always generates invalid IR
        https://bugs.webkit.org/show_bug.cgi?id=129747

        Reviewed by Mark Hahnenberg.

        As the comment at the top of FTL::Output states, the FTL doesn't use LLVM's notion
        of pointers. LLVM's notion of pointers tries to model C, in the sense that you have
        to have a pointer to a type, and you can only load things of that type from that
        pointer. Pointer arithmetic is basically not possible except through the bizarre
        getelementptr operator. This doesn't fit with how the JS object model works since
        the JS object model doesn't consist of nice and tidy C types placed in C arrays.
        Also, it would be impossible to use getelementptr and LLVM pointers for accessing
        any of JSC's C or C++ objects unless we went through the exercise of redeclaring
        all of our fundamental data structures in LLVM IR as LLVM types. Clang could do
        this for us, but that would require that to use the FTL, JSC itself would have to
        be compiled with clang. Worse, it would have to be compiled with a clang that uses
        a version of LLVM that is compatible with the one against which the FTL is linked.
        Yuck!

        The solution is to NEVER use LLVM pointers. This has always been the case in the
        FTL. But it causes some confusion.

        Not using LLVM pointers means that if the FTL has a "pointer", it's actually a
        pointer-wide integer (m_out.intPtr in FTL-speak). The act of "loading" and
        "storing" from or to a pointer involves first bitcasting the intPtr to a real LLVM
        pointer that has the type that we want. The load and store operations over pointers
        are called Output::load* and Output::store*, where * is one of "8", "16", "32",
        "64", "Ptr", "Float", or "Double".

        There is unavoidable confusion here. It would be bizarre for the FTL to call its
        "pointer-wide integers" anything other than "pointers", since they are, in all
        respects that we care about, simply pointers. But they are *not* LLVM pointers and
        they never will be that.

        There is one exception to this "no pointers" rule. The FTL does use actual LLVM
        pointers for referring to LLVM alloca's - i.e. local variables. To try to reduce
        confusion, we call these "references". So an "FTL reference" is actually an "LLVM
        pointer", while an "FTL pointer" is actually an "LLVM integer". FTL references have
        methods for access called Output::get and Output::set. These lower to LLVM load
        and store, since FTL references are just LLVM pointers.

        This confusion appears to have led to incorrect code in loadStructure().
        loadStructure() was using get() and set() to access FTL pointers. But those methods
        don't work on FTL pointers and never will, since they are for FTL references.

        The worst part of this is that it was previously impossible to have test coverage
        for the relevant path (MasqueradesAsUndefined) without writing a DRT test. This
        patch fixes this by introducing a Masquerader object to jsc.cpp.

        * ftl/FTLAbstractHeapRepository.h: Add an abstract heap for the structure table.
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::loadStructure): This was wrong.
        * ftl/FTLOutput.h: Add a comment to dissuade people from using get() and set().
        * jsc.cpp: Give us the power to test for MasqueradesAsUndefined.
        (WTF::Masquerader::Masquerader):
        (WTF::Masquerader::create):
        (WTF::Masquerader::createStructure):
        (GlobalObject::finishCreation):
        (functionMakeMasquerader):
        * tests/stress/equals-masquerader.js: Added.
        (foo):
        (test):

2014-03-05  Anders Carlsson  <andersca@apple.com>

        Tweak after r165109 to avoid extra copies
        https://bugs.webkit.org/show_bug.cgi?id=129745

        Reviewed by Geoffrey Garen.

        * heap/Heap.cpp:
        (JSC::Heap::visitProtectedObjects):
        (JSC::Heap::visitTempSortVectors):
        (JSC::Heap::clearRememberedSet):
        * heap/Heap.h:
        (JSC::Heap::forEachProtectedCell):

2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        DFGStoreBarrierElisionPhase should use GCState directly instead of m_gcClobberSet when calling writesOverlap()
        https://bugs.webkit.org/show_bug.cgi?id=129717

        Reviewed by Filip Pizlo.

        * dfg/DFGStoreBarrierElisionPhase.cpp:
        (JSC::DFG::StoreBarrierElisionPhase::StoreBarrierElisionPhase):
        (JSC::DFG::StoreBarrierElisionPhase::couldCauseGC):

2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        Use range-based loops where possible in Heap methods
        https://bugs.webkit.org/show_bug.cgi?id=129513

        Reviewed by Mark Lam.

        Replace old school iterator based loops with the new range-based loop hotness
        for a better tomorrow.

        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::~CodeBlockSet):
        (JSC::CodeBlockSet::clearMarks):
        (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
        (JSC::CodeBlockSet::traceMarked):
        * heap/Heap.cpp:
        (JSC::Heap::visitProtectedObjects):
        (JSC::Heap::visitTempSortVectors):
        (JSC::Heap::clearRememberedSet):
        * heap/Heap.h:
        (JSC::Heap::forEachProtectedCell):

2014-03-04  Filip Pizlo  <fpizlo@apple.com>

        DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
        https://bugs.webkit.org/show_bug.cgi?id=129563

        Reviewed by Geoffrey Garen.

        Rolling this back in after fixing an assertion failure. speculateMisc() should have
        said DFG_TYPE_CHECK instead of typeCheck.

        This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
        when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
        user of this was EarleyBoyer, and in that benchmark what it was really doing was
        comparing undefined, null, and booleans to each other.

        This also adds support for miscellaneous things that I needed to make my various test
        cases work. This includes comparison over booleans and the various Throw-related node
        types.

        This also improves constant folding of CompareStrictEq and CompareEq.

        Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
        based on profiling, which caused some downstream badness. We don't actually support
        compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just
        emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it
        shouldn't factor out the bounds check since the access is not InBounds but then the
        backend would ignore the flag and assume that the bounds check was already emitted.
        This showed up on an existing test but I added a test for this explicitly to have more
        certain coverage. The fix is to not mark something as OutOfBounds if the semantics are
        that we'll have a bounds check anyway.

        This is a 1% speed-up on Octane mostly because of raytrace, but also because of just
        general progressions across the board. No speed-up yet on EarleyBoyer, since there is
        still a lot more coverage work to be done there.

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationToAbbreviatedString):
        (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
        (JSC::valuesCouldBeEqual):
        * bytecode/SpeculatedType.h:
        (JSC::isMiscSpeculation):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):
        * dfg/DFGArrayMode.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateMisc):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::speculateMisc):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::compileThrow):
        (JSC::FTL::LowerDFGToLLVM::isNotMisc):
        (JSC::FTL::LowerDFGToLLVM::isMisc):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateMisc):
        * tests/stress/float32-array-out-of-bounds.js: Added.
        * tests/stress/weird-equality-folding-cases.js: Added.

2014-03-04  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r165085.
        http://trac.webkit.org/changeset/165085
        https://bugs.webkit.org/show_bug.cgi?id=129729

        Broke imported/w3c/html-templates/template-element/template-
        content.html (Requested by ap on #webkit).

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationToAbbreviatedString):
        * bytecode/SpeculatedType.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):
        * dfg/DFGArrayMode.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateBoolean):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        * dfg/DFGSpeculativeJIT64.cpp:
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        * tests/stress/float32-array-out-of-bounds.js: Removed.
        * tests/stress/weird-equality-folding-cases.js: Removed.

2014-03-04  Brian Burg  <bburg@apple.com>

        Inspector does not restore breakpoints after a page reload
        https://bugs.webkit.org/show_bug.cgi?id=129655

        Reviewed by Joseph Pecoraro.

        Fix a regression introduced by r162096 that erroneously removed
        the inspector backend's mapping of files to breakpoints whenever the
        global object was cleared.

        The inspector's breakpoint mappings should only be cleared when the
        debugger agent is disabled or destroyed. We should only clear the
        debugger's breakpoint state when the global object is cleared.

        To make it clearer what state is being cleared, the two cases have
        been split into separate methods.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::disable):
        (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
        (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
        (Inspector::InspectorDebuggerAgent::didClearGlobalObject):
        * inspector/agents/InspectorDebuggerAgent.h:

2014-03-04  Andreas Kling  <akling@apple.com>

        Streamline JSValue::get().
        <https://webkit.org/b/129720>

        Fetch each Structure and VM only once when walking the prototype chain
        in JSObject::getPropertySlot(), then pass it along to the functions
        we call from there, so they don't have to re-fetch it.

        Reviewed by Geoff Garen.

        * runtime/JSObject.h:
        (JSC::JSObject::inlineGetOwnPropertySlot):
        (JSC::JSObject::fastGetOwnPropertySlot):
        (JSC::JSObject::getPropertySlot):

2014-03-01  Filip Pizlo  <fpizlo@apple.com>

        DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
        https://bugs.webkit.org/show_bug.cgi?id=129563

        Reviewed by Geoffrey Garen.

        This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
        when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
        user of this was EarleyBoyer, and in that benchmark what it was really doing was
        comparing undefined, null, and booleans to each other.

        This also adds support for miscellaneous things that I needed to make my various test
        cases work. This includes comparison over booleans and the various Throw-related node
        types.

        This also improves constant folding of CompareStrictEq and CompareEq.

        Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
        based on profiling, which caused some downstream badness. We don't actually support
        compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just
        emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it
        shouldn't factor out the bounds check since the access is not InBounds but then the
        backend would ignore the flag and assume that the bounds check was already emitted.
        This showed up on an existing test but I added a test for this explicitly to have more
        certain coverage. The fix is to not mark something as OutOfBounds if the semantics are
        that we'll have a bounds check anyway.

        This is a 1% speed-up on Octane mostly because of raytrace, but also because of just
        general progressions across the board. No speed-up yet on EarleyBoyer, since there is
        still a lot more coverage work to be done there.

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationToAbbreviatedString):
        (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
        (JSC::valuesCouldBeEqual):
        * bytecode/SpeculatedType.h:
        (JSC::isMiscSpeculation):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateMisc):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::speculateMisc):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::compileThrow):
        (JSC::FTL::LowerDFGToLLVM::isNotMisc):
        (JSC::FTL::LowerDFGToLLVM::isMisc):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateMisc):
        * tests/stress/float32-array-out-of-bounds.js: Added.
        * tests/stress/weird-equality-folding-cases.js: Added.

2014-03-04  Andreas Kling  <akling@apple.com>

        Spam static branch prediction hints on JS bindings.
        <https://webkit.org/b/129703>

        Add LIKELY hint to jsDynamicCast since it's always used in a context
        where we expect it to succeed and takes an error path when it doesn't.

        Reviewed by Geoff Garen.

        * runtime/JSCell.h:
        (JSC::jsDynamicCast):

2014-03-04  Andreas Kling  <akling@apple.com>

        Get to Structures more efficiently in JSCell::methodTable().
        <https://webkit.org/b/129702>

        In JSCell::methodTable(), get the VM once and pass that along to
        structure(VM&) instead of using the heavier structure().

        In JSCell::methodTable(VM&), replace calls to structure() with
        calls to structure(VM&).

        Reviewed by Mark Hahnenberg.

        * runtime/JSCellInlines.h:
        (JSC::JSCell::methodTable):

2014-03-04  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Listen for the XPC_ERROR_CONNECTION_INVALID event to deref
        https://bugs.webkit.org/show_bug.cgi?id=129697

        Reviewed by Timothy Hatcher.

        * inspector/remote/RemoteInspectorXPCConnection.mm:
        (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
        (Inspector::RemoteInspectorXPCConnection::handleEvent):

2014-03-04  Mark Hahnenberg  <mhahnenberg@apple.com>

        Merge API shims and JSLock
        https://bugs.webkit.org/show_bug.cgi?id=129650

        Reviewed by Mark Lam.

        JSLock is now taking on all of APIEntryShim's responsibilities since there is never a reason
        to take just the JSLock. Ditto for DropAllLocks and APICallbackShim.

        * API/APICallbackFunction.h:
        (JSC::APICallbackFunction::call):
        (JSC::APICallbackFunction::construct):
        * API/APIShims.h: Removed.
        * API/JSBase.cpp:
        (JSEvaluateScript):
        (JSCheckScriptSyntax):
        (JSGarbageCollect):
        (JSReportExtraMemoryCost):
        (JSSynchronousGarbageCollectForDebugging):
        * API/JSCallbackConstructor.cpp:
        * API/JSCallbackFunction.cpp:
        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::init):
        (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
        (JSC::JSCallbackObject<Parent>::put):
        (JSC::JSCallbackObject<Parent>::putByIndex):
        (JSC::JSCallbackObject<Parent>::deleteProperty):
        (JSC::JSCallbackObject<Parent>::construct):
        (JSC::JSCallbackObject<Parent>::customHasInstance):
        (JSC::JSCallbackObject<Parent>::call):
        (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
        (JSC::JSCallbackObject<Parent>::getStaticValue):
        (JSC::JSCallbackObject<Parent>::callbackGetter):
        * API/JSContext.mm:
        (-[JSContext setException:]):
        (-[JSContext wrapperForObjCObject:]):
        (-[JSContext wrapperForJSObject:]):
        * API/JSContextRef.cpp:
        (JSContextGroupRelease):
        (JSContextGroupSetExecutionTimeLimit):
        (JSContextGroupClearExecutionTimeLimit):
        (JSGlobalContextCreateInGroup):
        (JSGlobalContextRetain):
        (JSGlobalContextRelease):
        (JSContextGetGlobalObject):
        (JSContextGetGlobalContext):
        (JSGlobalContextCopyName):
        (JSGlobalContextSetName):
        * API/JSManagedValue.mm:
        (-[JSManagedValue value]):
        * API/JSObjectRef.cpp:
        (JSObjectMake):
        (JSObjectMakeFunctionWithCallback):
        (JSObjectMakeConstructor):
        (JSObjectMakeFunction):
        (JSObjectMakeArray):
        (JSObjectMakeDate):
        (JSObjectMakeError):
        (JSObjectMakeRegExp):
        (JSObjectGetPrototype):
        (JSObjectSetPrototype):
        (JSObjectHasProperty):
        (JSObjectGetProperty):
        (JSObjectSetProperty):
        (JSObjectGetPropertyAtIndex):
        (JSObjectSetPropertyAtIndex):
        (JSObjectDeleteProperty):
        (JSObjectGetPrivateProperty):
717         (JSObjectSetPrivateProperty):
718         (JSObjectDeletePrivateProperty):
719         (JSObjectIsFunction):
720         (JSObjectCallAsFunction):
721         (JSObjectCallAsConstructor):
722         (JSObjectCopyPropertyNames):
723         (JSPropertyNameArrayRelease):
724         (JSPropertyNameAccumulatorAddName):
725         * API/JSScriptRef.cpp:
726         * API/JSValue.mm:
727         (isDate):
728         (isArray):
729         (containerValueToObject):
730         (valueToArray):
731         (valueToDictionary):
732         (objectToValue):
733         * API/JSValueRef.cpp:
734         (JSValueGetType):
735         (JSValueIsUndefined):
736         (JSValueIsNull):
737         (JSValueIsBoolean):
738         (JSValueIsNumber):
739         (JSValueIsString):
740         (JSValueIsObject):
741         (JSValueIsObjectOfClass):
742         (JSValueIsEqual):
743         (JSValueIsStrictEqual):
744         (JSValueIsInstanceOfConstructor):
745         (JSValueMakeUndefined):
746         (JSValueMakeNull):
747         (JSValueMakeBoolean):
748         (JSValueMakeNumber):
749         (JSValueMakeString):
750         (JSValueMakeFromJSONString):
751         (JSValueCreateJSONString):
752         (JSValueToBoolean):
753         (JSValueToNumber):
754         (JSValueToStringCopy):
755         (JSValueToObject):
756         (JSValueProtect):
757         (JSValueUnprotect):
758         * API/JSVirtualMachine.mm:
759         (-[JSVirtualMachine addManagedReference:withOwner:]):
760         (-[JSVirtualMachine removeManagedReference:withOwner:]):
761         * API/JSWeakObjectMapRefPrivate.cpp:
762         * API/JSWrapperMap.mm:
763         (constructorHasInstance):
764         (makeWrapper):
765         (tryUnwrapObjcObject):
766         * API/ObjCCallbackFunction.mm:
767         (JSC::objCCallbackFunctionCallAsFunction):
768         (JSC::objCCallbackFunctionCallAsConstructor):
769         (objCCallbackFunctionForInvocation):
770         * CMakeLists.txt:
771         * ForwardingHeaders/JavaScriptCore/APIShims.h: Removed.
772         * GNUmakefile.list.am:
773         * JavaScriptCore.xcodeproj/project.pbxproj:
774         * dfg/DFGWorklist.cpp:
775         * heap/DelayedReleaseScope.h:
776         (JSC::DelayedReleaseScope::~DelayedReleaseScope):
777         * heap/HeapTimer.cpp:
778         (JSC::HeapTimer::timerDidFire):
779         (JSC::HeapTimer::timerEvent):
780         * heap/IncrementalSweeper.cpp:
781         * inspector/InjectedScriptModule.cpp:
782         (Inspector::InjectedScriptModule::ensureInjected):
783         * jsc.cpp:
784         (jscmain):
785         * runtime/GCActivityCallback.cpp:
786         (JSC::DefaultGCActivityCallback::doWork):
787         * runtime/JSGlobalObjectDebuggable.cpp:
788         (JSC::JSGlobalObjectDebuggable::connect):
789         (JSC::JSGlobalObjectDebuggable::disconnect):
790         (JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemoteFrontend):
791         * runtime/JSLock.cpp:
792         (JSC::JSLock::lock):
793         (JSC::JSLock::didAcquireLock):
794         (JSC::JSLock::unlock):
795         (JSC::JSLock::willReleaseLock):
796         (JSC::JSLock::DropAllLocks::DropAllLocks):
797         (JSC::JSLock::DropAllLocks::~DropAllLocks):
798         * runtime/JSLock.h:
799         * testRegExp.cpp:
800         (realMain):
801
802 2014-03-04  Commit Queue  <commit-queue@webkit.org>
803
804         Unreviewed, rolling out r164812.
805         http://trac.webkit.org/changeset/164812
806         https://bugs.webkit.org/show_bug.cgi?id=129699
807
808         it made things run slower (Requested by pizlo on #webkit).
809
810         * interpreter/Interpreter.cpp:
811         (JSC::Interpreter::execute):
812         * jsc.cpp:
813         (GlobalObject::finishCreation):
814         * runtime/BatchedTransitionOptimizer.h:
815         (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
816         (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):
817
818 2014-03-02  Filip Pizlo  <fpizlo@apple.com>
819
820         GetMyArgumentByVal in FTL
821         https://bugs.webkit.org/show_bug.cgi?id=128850
822
823         Reviewed by Oliver Hunt.
824         
825         This would have been easy if the OSR exit compiler's arity checks hadn't been wrong.
826         They checked arity by doing "exec->argumentCount == codeBlock->numParameters", which
827         caused it to think that the arity check had failed if the caller had passed more
828         arguments than needed. This would cause the call frame copying to sort of go into
829         reverse (because the amount-by-which-we-failed-arity would have opposite sign,
830         throwing off a bunch of math) and the stack would end up being corrupted.
831         
832         The bug was revealed by two existing tests although as far as I could tell, neither
833         test was intending to cover this case directly. So, I added a new test.
834
835         * ftl/FTLCapabilities.cpp:
836         (JSC::FTL::canCompile):
837         * ftl/FTLLowerDFGToLLVM.cpp:
838         (JSC::FTL::LowerDFGToLLVM::compileNode):
839         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
840         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
841         (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated):
842         (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated):
843         * ftl/FTLOSRExitCompiler.cpp:
844         (JSC::FTL::compileStub):
845         * ftl/FTLState.h:
846         * tests/stress/exit-from-ftl-when-caller-passed-extra-args-then-use-function-dot-arguments.js: Added.
847         * tests/stress/ftl-get-my-argument-by-val-inlined-and-not-inlined.js: Added.
848         * tests/stress/ftl-get-my-argument-by-val-inlined.js: Added.
849         * tests/stress/ftl-get-my-argument-by-val.js: Added.
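
Added example, not code from JavaScriptCore: a constructed model of the arity check described in the entry above. The real OSR exit stub rebuilds a frame in raw stack memory; here the stack is an array with one guard slot after the frame, so the overrun caused by the `==` comparison is observable, and the `>=` form shows the intended behaviour. `buildFrame`, `buggyArityOk` and `fixedArityOk` are names chosen for this example only.

```javascript
// Added example, not JavaScriptCore code: a constructed model of the
// arity check that the OSR exit stub performs when rebuilding a call
// frame. The "stack" is an array with one guard slot after the frame so
// that a copy which overruns the frame is visible.
const GUARD = Symbol("guard");

// The two predicates compared in the entry above. `argumentCount` is what
// the caller passed, `numParameters` is what the callee declares.
const buggyArityOk = (argumentCount, numParameters) => argumentCount === numParameters;
const fixedArityOk = (argumentCount, numParameters) => argumentCount >= numParameters;

// Rebuilds the callee's argument area from the caller's arguments.
// When arity "fails", the frame grows by (numParameters - argumentCount)
// slots so that missing parameters read as undefined. With the buggy
// predicate that quantity is negative whenever extra arguments were
// passed, so the frame ends up smaller than the arguments copied into it.
function buildFrame(callerArgs, numParameters, arityOk) {
  const argumentCount = callerArgs.length;
  const missing = arityOk(argumentCount, numParameters) ? 0 : numParameters - argumentCount;
  const frameSize = argumentCount + missing;

  // Constructed stack: frameSize argument slots followed by a guard slot.
  const stack = new Array(frameSize).fill(undefined);
  stack.push(GUARD);

  // Copy every caller argument, as an unchecked memcpy-style loop would.
  for (let i = 0; i < argumentCount; i++) {
    stack[i] = callerArgs[i];
  }

  return {
    frame: stack.slice(0, frameSize),
    guardIntact: stack[frameSize] === GUARD, // false: the copy overran the frame
  };
}
```

With four arguments passed to a two-parameter callee, the buggy predicate yields a two-slot frame and the copy clobbers the guard; the fixed predicate keeps all four slots. With fewer arguments than parameters both predicates agree and the frame is padded with undefined.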
850
851 2014-03-04  Zan Dobersek  <zdobersek@igalia.com>
852
853         [GTK] Build the Udis86 disassembler
854         https://bugs.webkit.org/show_bug.cgi?id=129679
855
856         Reviewed by Michael Saboff.
857
858         * GNUmakefile.am: Generate the Udis86-related derived sources. Distribute the required files.
859         * GNUmakefile.list.am: Add the Udis86 disassembler files to the build.
860
861 2014-03-04  Andreas Kling  <akling@apple.com>
862
863         Fix too-narrow assertion I added in r165054.
864
865         It's okay for a 1-character string to come in here. This will happen
866         if the VM small string optimization doesn't apply (ch > 0xFF).
867
868         * runtime/JSString.h:
869         (JSC::jsStringWithWeakOwner):
870
871 2014-03-04  Andreas Kling  <akling@apple.com>
872
873         Micro-optimize Strings in JS bindings.
874         <https://webkit.org/b/129673>
875
876         Make jsStringWithWeakOwner() take a StringImpl& instead of a String.
877         This avoids branches in length() and operator[].
878
879         Also call JSString::create() directly instead of jsString() and just
880         assert that the string length is >1. This way we don't duplicate the
881         optimizations for empty and single-character strings.
882
883         Reviewed by Ryosuke Niwa.
884
885         * runtime/JSString.h:
886         (JSC::jsStringWithWeakOwner):
887
888 2014-03-04  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>
889
890         Implement Number.prototype.clz()
891         https://bugs.webkit.org/show_bug.cgi?id=129479
892
893         Reviewed by Oliver Hunt.
894
895         Implemented Number.prototype.clz() as specified in the ES6 standard.
896
897         * runtime/NumberPrototype.cpp:
898         (JSC::numberProtoFuncClz):
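
Added example, not JavaScriptCore code: a reference implementation of the count-leading-zeros operation the entry above adds, written over the ToUint32 conversion the operation applies to its argument, so the edge cases (NaN, negatives, fractions, values above 2^32) are explicit. The final ES2015 specification ships this operation as Math.clz32 rather than Number.prototype.clz; the example compares against that built-in. `toUint32`, `clz32Reference` and `agreesWithMathClz32` are names chosen for this example only.

```javascript
// Added example, not JavaScriptCore code: reference count-leading-zeros
// over ToUint32, compared against the built-in Math.clz32.

// ToUint32 as the spec defines it: NaN and Infinity become 0, otherwise
// the value is truncated toward zero and reduced modulo 2^32. The unsigned
// shift `>>> 0` performs exactly that conversion.
function toUint32(value) {
  return Number(value) >>> 0;
}

// Counts the leading zero bits of the 32-bit unsigned form of `value`.
// Binary search over the bit width: five steps instead of up to 32.
function clz32Reference(value) {
  let x = toUint32(value);
  if (x === 0) return 32;
  let n = 0;
  if ((x & 0xffff0000) === 0) { n += 16; x <<= 16; }
  if ((x & 0xff000000) === 0) { n += 8; x <<= 8; }
  if ((x & 0xf0000000) === 0) { n += 4; x <<= 4; }
  if ((x & 0xc0000000) === 0) { n += 2; x <<= 2; }
  if ((x & 0x80000000) === 0) { n += 1; }
  return n;
}

// True when the reference agrees with Math.clz32 on every input given.
function agreesWithMathClz32(values) {
  return values.every((v) => clz32Reference(v) === Math.clz32(v));
}

// Constructed inputs covering the conversion edge cases.
const sampleInputs = [0, 1, 255, 0x80000000, -1, NaN, Infinity, 0.5, 2 ** 32 + 1, "255"];
```

Negative numbers wrap to their two's-complement 32-bit form, so clz(-1) is 0, and anything that converts to 0 (NaN, 0.5, 2^32) reports the full width of 32.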
899
900 2014-03-03  Joseph Pecoraro  <pecoraro@apple.com>
901
902         Web Inspector: Avoid too early deref caused by RemoteInspectorXPCConnection::close
903         https://bugs.webkit.org/show_bug.cgi?id=129631
904
905         Reviewed by Timothy Hatcher.
906
907         Avoid deref() too early if a client calls close(). The xpc_connection_close
908         will cause another XPC_ERROR event to come in from the queue, deref then.
909         Likewise, protect multithreaded access to m_client. If a client calls
910         close() we want to immediately clear the pointer to prevent calls to it.
911
912         Overall the multi-threading aspects of RemoteInspectorXPCConnection are
913         growing too complicated for probably little benefit. We may want to
914         clean this up later.
915
916         * inspector/remote/RemoteInspector.mm:
917         (Inspector::RemoteInspector::xpcConnectionFailed):
918         * inspector/remote/RemoteInspectorXPCConnection.h:
919         * inspector/remote/RemoteInspectorXPCConnection.mm:
920         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
921         (Inspector::RemoteInspectorXPCConnection::close):
922         (Inspector::RemoteInspectorXPCConnection::closeOnQueue):
923         (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
924         (Inspector::RemoteInspectorXPCConnection::handleEvent):
925         (Inspector::RemoteInspectorXPCConnection::sendMessage):
926
927 2014-03-03  Michael Saboff  <msaboff@apple.com>
928
929         AbstractMacroAssembler::CachedTempRegister should start out invalid
930         https://bugs.webkit.org/show_bug.cgi?id=129657
931
932         Reviewed by Filip Pizlo.
933
934         * assembler/AbstractMacroAssembler.h:
935         (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
936         - Invalidate all cached registers in constructor as we don't know the
937           contents of any register at the entry to the code we are going to
938           generate.
939
940 2014-03-03  Andreas Kling  <akling@apple.com>
941
942         StructureOrOffset should be fastmalloced.
943         <https://webkit.org/b/129640>
944
945         Reviewed by Geoffrey Garen.
946
947         * runtime/StructureIDTable.h:
948
949 2014-03-03  Michael Saboff  <msaboff@apple.com>
950
951         Crash in JIT code while watching a video @ storyboard.tumblr.com
952         https://bugs.webkit.org/show_bug.cgi?id=129635
953
954         Reviewed by Filip Pizlo.
955
956         Clear m_set before we set bits in the TempRegisterSet(const RegisterSet& other)
957         constructor.
958
959         * jit/TempRegisterSet.cpp:
960         (JSC::TempRegisterSet::TempRegisterSet): Clear map before setting it.
961         * jit/TempRegisterSet.h:
962         (JSC::TempRegisterSet::TempRegisterSet): Use new clearAll() helper.
963         (JSC::TempRegisterSet::clearAll): New private helper.
964
965 2014-03-03  Benjamin Poulain  <benjamin@webkit.org>
966
967         [x86] Improve code generation of byte test
968         https://bugs.webkit.org/show_bug.cgi?id=129597
969
970         Reviewed by Geoffrey Garen.
971
972         When possible, test the 8 bit register to itself instead of comparing it
973         to a literal.
974
975         * assembler/MacroAssemblerX86Common.h:
976         (JSC::MacroAssemblerX86Common::test32):
977
978 2014-03-03  Mark Lam  <mark.lam@apple.com>
979
980         Web Inspector: debugger statements do not break.
981         <https://webkit.org/b/129524>
982
983         Reviewed by Geoff Garen.
984
985         Since we no longer call op_debug hooks unless there is a debugger request
986         made on the CodeBlock, the op_debug for the debugger statement never gets
987         serviced.
988
989         With this fix, we check in the CodeBlock constructor if any debugger
990         statements are present.  If so, we set a m_hasDebuggerStatement flag that
991         causes the CodeBlock to show as having debugger requests.  Hence,
992         breaking at debugger statements is now restored.
993
994         * bytecode/CodeBlock.cpp:
995         (JSC::CodeBlock::CodeBlock):
996         * bytecode/CodeBlock.h:
997         (JSC::CodeBlock::hasDebuggerRequests):
998         (JSC::CodeBlock::clearDebuggerRequests):
999
1000 2014-03-03  Mark Lam  <mark.lam@apple.com>
1001
1002         ASSERTION FAILED: m_numBreakpoints >= numBreakpoints when deleting breakpoints.
1003         <https://webkit.org/b/129393>
1004
1005         Reviewed by Geoffrey Garen.
1006
1007         The issue manifests because the debugger will iterate all CodeBlocks in
1008         the heap when setting / clearing breakpoints, but it is possible for a
1009         CodeBlock to have been instantiated but is not yet registered with the
1010         debugger.  This can happen because of the following:
1011
1012         1. DFG worklist compilation is still in progress, and the target
1013            codeBlock is not ready for installation in its executable yet.
1014
1015         2. DFG compilation failed and we have a codeBlock that will never be
1016            installed in its executable, and the codeBlock has not been cleaned
1017            up by the GC yet.
1018
1019         The code for installing the codeBlock in its executable is the same code
1020         that registers it with the debugger.  Hence, these codeBlocks are not
1021         registered with the debugger, and any pending breakpoints that would map
1022         to that CodeBlock are as yet unset or will never be set.  As such, an
1023         attempt to remove a breakpoint in that CodeBlock will fail that assertion.
1024
1025         To fix this, we do the following:
1026
1027         1. We'll eagerly clean up any zombie CodeBlocks due to failed DFG / FTL
1028            compilation.  This is achieved by providing a
1029            DeferredCompilationCallback::compilationDidComplete() that does this
1030            clean up, and have all sub classes call it at the end of their
1031            compilationDidComplete() methods.
1032
1033         2. Before the debugger or profiler iterates CodeBlocks in the heap, they
1034            will wait for all compilations to complete before proceeding.  This
1035            ensures that:
1036            1. any zombie CodeBlocks would have been cleaned up, and won't be
1037               seen by the debugger or profiler.
1038            2. all CodeBlocks that the debugger and profiler needs to operate on
1039               will be "ready" for whatever needs to be done to them e.g.
1040               jettison'ing of DFG codeBlocks.
1041
1042         * bytecode/DeferredCompilationCallback.cpp:
1043         (JSC::DeferredCompilationCallback::compilationDidComplete):
1044         * bytecode/DeferredCompilationCallback.h:
1045         - Provide default implementation method to clean up zombie CodeBlocks.
1046
1047         * debugger/Debugger.cpp:
1048         (JSC::Debugger::forEachCodeBlock):
1049         - Utility function to iterate CodeBlocks.  It ensures that all compilations
1050           are complete before proceeding.
1051         (JSC::Debugger::setSteppingMode):
1052         (JSC::Debugger::toggleBreakpoint):
1053         (JSC::Debugger::recompileAllJSFunctions):
1054         (JSC::Debugger::clearBreakpoints):
1055         (JSC::Debugger::clearDebuggerRequests):
1056         - Use the utility iterator function.
1057
1058         * debugger/Debugger.h:
1059         * dfg/DFGOperations.cpp:
1060         - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.
1061
1062         * dfg/DFGPlan.cpp:
1063         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
1064         - Remove unneeded code (that was not the best solution anyway) for ensuring
1065           that we don't generate new DFG codeBlocks after enabling the debugger or
1066           profiler.  Now that we wait for compilations to complete before proceeding
1067           with debugger and profiler work, this scenario will never happen.
1068
1069         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
1070         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
1071         - Call the super class method to clean up zombie codeBlocks.
1072
1073         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
1074         (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
1075         - Call the super class method to clean up zombie codeBlocks.
1076
1077         * heap/CodeBlockSet.cpp:
1078         (JSC::CodeBlockSet::remove):
1079         * heap/CodeBlockSet.h:
1080         * heap/Heap.h:
1081         (JSC::Heap::removeCodeBlock):
1082         - New method to remove a codeBlock from the codeBlock set.
1083
1084         * jit/JITOperations.cpp:
1085         - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.
1086
1087         * jit/JITToDFGDeferredCompilationCallback.cpp:
1088         (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
1089         - Call the super class method to clean up zombie codeBlocks.
1090
1091         * runtime/VM.cpp:
1092         (JSC::VM::waitForCompilationsToComplete):
1093         - Renamed from prepareToDiscardCode() to be clearer about what it does.
1094
1095         (JSC::VM::discardAllCode):
1096         (JSC::VM::releaseExecutableMemory):
1097         (JSC::VM::setEnabledProfiler):
1098         - Wait for compilation to complete before enabling the profiler.
1099
1100         * runtime/VM.h:
1101
1102 2014-03-03  Brian Burg  <bburg@apple.com>
1103
1104         Another unreviewed build fix attempt for Windows after r164986.
1105
1106         We never told Visual Studio to copy over the web replay code generator scripts
1107         and the generated headers for JavaScriptCore replay inputs as if they were
1108         private headers.
1109
1110         * JavaScriptCore.vcxproj/copy-files.cmd:
1111
1112 2014-03-03  Brian Burg  <bburg@apple.com>
1113
1114         Web Replay: upstream input storage, capture/replay machinery, and inspector domain
1115         https://bugs.webkit.org/show_bug.cgi?id=128782
1116
1117         Reviewed by Timothy Hatcher.
1118
1119         Alter the replay inputs code generator so that it knows when it is necessary to
1120         include headers for HEAVY_SCALAR types such as WTF::String and WebCore::URL.
1121
1122         * JavaScriptCore.xcodeproj/project.pbxproj:
1123         * replay/scripts/CodeGeneratorReplayInputs.py:
1124         (Framework.fromString):
1125         (Frameworks): Add WTF as an allowed framework for code generation.
1126         (Generator.generate_includes): Include headers for HEAVY_SCALAR types in the header file.
1127         (Generator.generate_includes.declaration):
1128         (Generator.generate_includes.or):
1129         (Generator.generate_type_forward_declarations): Skip HEAVY_SCALAR types.
1130
1131 2014-03-02  Filip Pizlo  <fpizlo@apple.com>
1132
1133         PolymorphicPutByIdList should have a simpler construction API with basically a single entrypoint
1134         https://bugs.webkit.org/show_bug.cgi?id=129591
1135
1136         Reviewed by Michael Saboff.
1137
1138         * bytecode/PolymorphicPutByIdList.cpp:
1139         (JSC::PutByIdAccess::fromStructureStubInfo): This function can figure out the slow path target for itself.
1140         (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList): This constructor should be private, only from() should call it.
1141         (JSC::PolymorphicPutByIdList::from):
1142         * bytecode/PolymorphicPutByIdList.h:
1143         (JSC::PutByIdAccess::stubRoutine):
1144         * jit/Repatch.cpp:
1145         (JSC::tryBuildPutByIdList): Don't pass the slow path target since it can be derived from the stubInfo.
1146
1147 2014-03-02  Filip Pizlo  <fpizlo@apple.com>
1148
1149         Debugging improvements from my gbemu investigation session
1150         https://bugs.webkit.org/show_bug.cgi?id=129599
1151
1152         Reviewed by Mark Lam.
1153         
1154         Various improvements from when I was investigating bug 129411.
1155
1156         * bytecode/CodeBlock.cpp:
1157         (JSC::CodeBlock::optimizationThresholdScalingFactor): Make the dataLog() statement print the actual multiplier.
1158         * jsc.cpp:
1159         (GlobalObject::finishCreation):
1160         (functionDescribe): Make describe() return a string rather than printing the string.
1161         (functionDescribeArray): Like describe(), but prints details about arrays.
1162
1163 2014-02-25  Andreas Kling  <akling@apple.com>
1164
1165         JSDOMWindow::commonVM() should return a reference.
1166         <https://webkit.org/b/129293>
1167
1168         Added a DropAllLocks constructor that takes VM& without null checks.
1169
1170         Reviewed by Geoff Garen.
1171
1172 2014-03-02  Mark Lam  <mark.lam@apple.com>
1173
1174         CodeBlock::hasDebuggerRequests() should return a bool instead of an int.
1175         <https://webkit.org/b/129584>
1176
1177         Reviewed by Darin Adler.
1178
1179         * bytecode/CodeBlock.h:
1180         (JSC::CodeBlock::hasDebuggerRequests):
1181
1182 2014-03-02  Mark Lam  <mark.lam@apple.com>
1183
1184         Clean up use of Options::enableConcurrentJIT().
1185         <https://webkit.org/b/129582>
1186
1187         Reviewed by Filip Pizlo.
1188
1189         DFG Driver was conditionally checking Options::enableConcurrentJIT()
1190         only if ENABLE(CONCURRENT_JIT).  Otherwise, it bypasses it with a local
1191         enableConcurrentJIT set to false.
1192
1193         Instead we should configure Options::enableConcurrentJIT() to be false
1194         in Options.cpp if !ENABLE(CONCURRENT_JIT), and DFG Driver should always
1195         check Options::enableConcurrentJIT().  This makes the code read a little
1196         cleaner.
1197
1198         * dfg/DFGDriver.cpp:
1199         (JSC::DFG::compileImpl):
1200         * runtime/Options.cpp:
1201         (JSC::recomputeDependentOptions):
1202
1203 2014-03-01  Filip Pizlo  <fpizlo@apple.com>
1204
1205         This shouldn't have been a layout test since it runs only under jsc. Moving it to JSC
1206         stress tests.
1207
1208         * tests/stress/generational-opaque-roots.js: Copied from LayoutTests/js/script-tests/generational-opaque-roots.js.
1209
1210 2014-03-01  Andreas Kling  <akling@apple.com>
1211
1212         JSCell::fastGetOwnProperty() should get the Structure more efficiently.
1213         <https://webkit.org/b/129560>
1214
1215         Now that structure() is nontrivial and we have a faster structure(VM&),
1216         make use of that in fastGetOwnProperty() since we already have VM.
1217
1218         Reviewed by Sam Weinig.
1219
1220         * runtime/JSCellInlines.h:
1221         (JSC::JSCell::fastGetOwnProperty):
1222
1223 2014-03-01  Andreas Kling  <akling@apple.com>
1224
1225         Avoid going through ExecState for VM when we already have it (in some places.)
1226         <https://webkit.org/b/129554>
1227
1228         Tweak some places that jump through unnecessary hoops to get the VM.
1229         There are many more like this.
1230
1231         Reviewed by Sam Weinig.
1232
1233         * runtime/JSObject.cpp:
1234         (JSC::JSObject::putByIndexBeyondVectorLength):
1235         (JSC::JSObject::putDirectIndexBeyondVectorLength):
1236         * runtime/ObjectPrototype.cpp:
1237         (JSC::objectProtoFuncToString):
1238
1239 2014-02-28  Filip Pizlo  <fpizlo@apple.com>
1240
1241         FTL should support PhantomArguments
1242         https://bugs.webkit.org/show_bug.cgi?id=113986
1243
1244         Reviewed by Oliver Hunt.
1245         
1246         Adding PhantomArguments to the FTL mostly means wiring the recovery of the Arguments
1247         object into the FTL's OSR exit compiler.
1248         
1249         This isn't a speed-up yet, since there is still more to be done to fully support
1250         all of the arguments craziness that our varargs benchmarks do.
1251
1252         * dfg/DFGOSRExitCompiler32_64.cpp:
1253         (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
1254         * dfg/DFGOSRExitCompiler64.cpp:
1255         (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
1256         * dfg/DFGOSRExitCompilerCommon.cpp:
1257         (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator):
1258         (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator):
1259         (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): this is the common place for the recovery code
1260         * dfg/DFGOSRExitCompilerCommon.h:
1261         * ftl/FTLCapabilities.cpp:
1262         (JSC::FTL::canCompile):
1263         * ftl/FTLExitValue.cpp:
1264         (JSC::FTL::ExitValue::dumpInContext):
1265         * ftl/FTLExitValue.h:
1266         (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated):
1267         (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated):
1268         (JSC::FTL::ExitValue::valueFormat):
1269         * ftl/FTLLowerDFGToLLVM.cpp:
1270         (JSC::FTL::LowerDFGToLLVM::compileNode):
1271         (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments):
1272         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
1273         (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
1274         * ftl/FTLOSRExitCompiler.cpp:
1275         (JSC::FTL::compileStub): Call into the ArgumentsRecoveryGenerator
1276         * tests/stress/slightly-more-difficult-to-fold-reflective-arguments-access.js: Added.
1277         * tests/stress/trivially-foldable-reflective-arguments-access.js: Added.
1278
1279 2014-02-28  Filip Pizlo  <fpizlo@apple.com>
1280
1281         Unreviewed, uncomment some code. It wasn't meant to be commented in the first place.
1282
1283         * dfg/DFGCSEPhase.cpp:
1284         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
1285
1286 2014-02-28  Andreas Kling  <akling@apple.com>
1287
1288         JSObject::findPropertyHashEntry() should take VM instead of ExecState.
1289         <https://webkit.org/b/129529>
1290
1291         Callers already have VM in a local, and findPropertyHashEntry() only
1292         uses the VM, no need to go all the way through ExecState.
1293
1294         Reviewed by Geoffrey Garen.
1295
1296         * runtime/JSObject.cpp:
1297         (JSC::JSObject::put):
1298         (JSC::JSObject::deleteProperty):
1299         (JSC::JSObject::findPropertyHashEntry):
1300         * runtime/JSObject.h:
1301
1302 2014-02-28  Joseph Pecoraro  <pecoraro@apple.com>
1303
1304         Deadlock remotely inspecting iOS Simulator
1305         https://bugs.webkit.org/show_bug.cgi?id=129511
1306
1307         Reviewed by Timothy Hatcher.
1308
1309         Avoid synchronous setup. Do it asynchronously, and let
1310         the RemoteInspector singleton know later if it failed.
1311
1312         * inspector/remote/RemoteInspector.h:
1313         * inspector/remote/RemoteInspector.mm:
1314         (Inspector::RemoteInspector::setupFailed):
1315         * inspector/remote/RemoteInspectorDebuggableConnection.h:
1316         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
1317         (Inspector::RemoteInspectorDebuggableConnection::setup):
1318
1319 2014-02-28  Oliver Hunt  <oliver@apple.com>
1320
1321         REGRESSION(r164835): It broke 10 JSC stress tests on 32 bit platforms
1322         https://bugs.webkit.org/show_bug.cgi?id=129488
1323
1324         Reviewed by Mark Lam.
1325
1326         Whoops, modify the right register.
1327
1328         * jit/JITCall32_64.cpp:
1329         (JSC::JIT::compileLoadVarargs):
1330
1331 2014-02-28  Filip Pizlo  <fpizlo@apple.com>
1332
1333         FTL should be able to call sin/cos directly on platforms where the intrinsic is busted
1334         https://bugs.webkit.org/show_bug.cgi?id=129503
1335
1336         Reviewed by Mark Lam.
1337
1338         * ftl/FTLIntrinsicRepository.h:
1339         * ftl/FTLOutput.h:
1340         (JSC::FTL::Output::doubleSin):
1341         (JSC::FTL::Output::doubleCos):
1342         (JSC::FTL::Output::intrinsicOrOperation):
1343
1344 2014-02-28  Mark Hahnenberg  <mhahnenberg@apple.com>
1345
1346         Fix !ENABLE(GGC) builds
1347
1348         * heap/Heap.cpp:
1349         (JSC::Heap::markRoots):
1350         (JSC::Heap::gatherJSStackRoots): Also fix one of the names of the GC phases.
1351
1352 2014-02-27  Mark Hahnenberg  <mhahnenberg@apple.com>
1353
1354         Clean up Heap::collect and Heap::markRoots
1355         https://bugs.webkit.org/show_bug.cgi?id=129464
1356
1357         Reviewed by Geoffrey Garen.
1358
1359         These functions have built up a lot of cruft recently. 
1360         We should do a bit of cleanup to make them easier to grok.
1361
1362         * heap/Heap.cpp:
1363         (JSC::Heap::finalizeUnconditionalFinalizers):
1364         (JSC::Heap::gatherStackRoots):
1365         (JSC::Heap::gatherJSStackRoots):
1366         (JSC::Heap::gatherScratchBufferRoots):
1367         (JSC::Heap::clearLivenessData):
1368         (JSC::Heap::visitSmallStrings):
1369         (JSC::Heap::visitConservativeRoots):
1370         (JSC::Heap::visitCompilerWorklists):
1371         (JSC::Heap::markProtectedObjects):
1372         (JSC::Heap::markTempSortVectors):
1373         (JSC::Heap::markArgumentBuffers):
1374         (JSC::Heap::visitException):
1375         (JSC::Heap::visitStrongHandles):
1376         (JSC::Heap::visitHandleStack):
1377         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
1378         (JSC::Heap::converge):
1379         (JSC::Heap::visitWeakHandles):
1380         (JSC::Heap::clearRememberedSet):
1381         (JSC::Heap::updateObjectCounts):
1382         (JSC::Heap::resetVisitors):
1383         (JSC::Heap::markRoots):
1384         (JSC::Heap::copyBackingStores):
1385         (JSC::Heap::deleteUnmarkedCompiledCode):
1386         (JSC::Heap::collect):
1387         (JSC::Heap::collectIfNecessaryOrDefer):
1388         (JSC::Heap::suspendCompilerThreads):
1389         (JSC::Heap::willStartCollection):
1390         (JSC::Heap::deleteOldCode):
1391         (JSC::Heap::flushOldStructureIDTables):
1392         (JSC::Heap::flushWriteBarrierBuffer):
1393         (JSC::Heap::stopAllocation):
1394         (JSC::Heap::reapWeakHandles):
1395         (JSC::Heap::sweepArrayBuffers):
1396         (JSC::Heap::snapshotMarkedSpace):
1397         (JSC::Heap::deleteSourceProviderCaches):
1398         (JSC::Heap::notifyIncrementalSweeper):
1399         (JSC::Heap::rememberCurrentlyExecutingCodeBlocks):
1400         (JSC::Heap::resetAllocators):
1401         (JSC::Heap::updateAllocationLimits):
1402         (JSC::Heap::didFinishCollection):
1403         (JSC::Heap::resumeCompilerThreads):
1404         * heap/Heap.h:
1405
1406 2014-02-27  Ryosuke Niwa  <rniwa@webkit.org>
1407
1408         indexOf and lastIndexOf shouldn't resolve ropes when needle is longer than haystack
1409         https://bugs.webkit.org/show_bug.cgi?id=129466
1410
1411         Reviewed by Michael Saboff.
1412
1413         Refactored the code to avoid calling JSString::value when needle is longer than haystack.
1414
1415         * runtime/StringPrototype.cpp:
1416         (JSC::stringProtoFuncIndexOf):
1417         (JSC::stringProtoFuncLastIndexOf):
1418
1419 2014-02-27  Timothy Hatcher  <timothy@apple.com>
1420
1421         Improve how ContentSearchUtilities::lineEndings works by supporting the three common line endings.
1422
1423         https://bugs.webkit.org/show_bug.cgi?id=129458
1424
1425         Reviewed by Joseph Pecoraro.
1426
1427         * inspector/ContentSearchUtilities.cpp:
1428         (Inspector::ContentSearchUtilities::textPositionFromOffset): Remove assumption about line ending length.
1429         (Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines): Remove assumption about
1430         line ending type and don't try to strip the line ending. Use size_t.
1431         (Inspector::ContentSearchUtilities::lineEndings): Use findNextLineStart to find the lines.
1432         This will include the line ending in the lines, but that is okay.
1433         (Inspector::ContentSearchUtilities::buildObjectForSearchMatch): Use size_t.
1434         (Inspector::ContentSearchUtilities::searchInTextByLines): Modernize.
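
A model of the line handling this entry describes, added here as an example and not WebKit's own ContentSearchUtilities code: lines are delimited by "\r\n", "\r" or "\n" and keep their terminator, and offsets map back to (line, column) through a table of line starts rather than an assumed one-character ending. The function names below (lineStarts, splitLines, regularExpressionMatchesByLines) and the sample text are constructed for the example.

```javascript
// Added example, not WebKit's code: a model of the line handling this entry
// describes. Lines are delimited by "\r\n", "\r" or "\n", keep their
// terminator, and offsets map back to (line, column) by a table of line
// starts instead of assuming every terminator is one character long.

// Offset of the first character after the line ending that follows `from`,
// or text.length when no ending remains. "\r\n" counts as one ending.
function findNextLineStart(text, from) {
  for (let i = from; i < text.length; i++) {
    if (text[i] === '\n') return i + 1;
    if (text[i] === '\r') return text[i + 1] === '\n' ? i + 2 : i + 1;
  }
  return text.length;
}

// Start offsets of every line in `text` (the "lineEndings" table).
function lineStarts(text) {
  const starts = [0];
  let pos = 0;
  while (pos < text.length) {
    pos = findNextLineStart(text, pos);
    if (pos < text.length) starts.push(pos); // a trailing ending starts no new line
  }
  return starts;
}

// The lines themselves, each still carrying its own ending.
function splitLines(text) {
  const starts = lineStarts(text);
  return starts.map((start, i) =>
    text.slice(start, i + 1 < starts.length ? starts[i + 1] : text.length));
}

// Zero-based line and column of an absolute offset, found by binary search
// for the last line start that is <= offset.
function textPositionFromOffset(offset, starts) {
  let lo = 0;
  let hi = starts.length - 1;
  while (lo < hi) {
    const mid = (lo + hi + 1) >> 1;
    if (starts[mid] <= offset) lo = mid; else hi = mid - 1;
  }
  return { line: lo, column: offset - starts[lo] };
}

// Every line the regex matches, reported with its line number and the
// unstripped line content. The regex is cloned without the global flag so
// its lastIndex state cannot skip lines.
function regularExpressionMatchesByLines(text, regex) {
  const re = new RegExp(regex.source, regex.flags.replace('g', ''));
  const matches = [];
  splitLines(text).forEach((lineContent, lineNumber) => {
    if (re.test(lineContent)) matches.push({ lineNumber, lineContent });
  });
  return matches;
}

// Constructed sample mixing all three endings.
const sampleText = 'a\r\nbb\rccc\nd';
```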
1435
1436 2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>
1437
1438         [Mac] Warning: Multiple build commands for output file GCSegmentedArray and InspectorAgent
1439         https://bugs.webkit.org/show_bug.cgi?id=129446
1440
1441         Reviewed by Timothy Hatcher.
1442
1443         Remove duplicate header entries in Copy Header build phase.
1444
1445         * JavaScriptCore.xcodeproj/project.pbxproj:
1446
1447 2014-02-27  Oliver Hunt  <oliver@apple.com>
1448
1449         Whoops, include all of last patch.
1450
1451         * jit/JITCall32_64.cpp:
1452         (JSC::JIT::compileLoadVarargs):
1453
1454 2014-02-27  Oliver Hunt  <oliver@apple.com>
1455
1456         Slow cases for function.apply and function.call should not require vm re-entry
1457         https://bugs.webkit.org/show_bug.cgi?id=129454
1458
1459         Reviewed by Geoffrey Garen.
1460
1461         Implement call and apply using builtins. Happily the use
1462         of @call and @apply doesn't perform function equality checks
1463         and just plants direct var_args calls. This did expose a few
1464         codegen issues, but they're all covered by existing tests
1465         once call and apply are implemented in JS.
1466
1467         * JavaScriptCore.xcodeproj/project.pbxproj:
1468         * builtins/Function.prototype.js: Added.
1469         (call):
1470         (apply):
1471         * bytecompiler/NodesCodegen.cpp:
1472         (JSC::CallFunctionCallDotNode::emitBytecode):
1473         (JSC::ApplyFunctionCallDotNode::emitBytecode):
1474         * dfg/DFGCapabilities.cpp:
1475         (JSC::DFG::capabilityLevel):
1476         * interpreter/Interpreter.cpp:
1477         (JSC::sizeFrameForVarargs):
1478         (JSC::loadVarargs):
1479         * interpreter/Interpreter.h:
1480         * jit/JITCall.cpp:
1481         (JSC::JIT::compileLoadVarargs):
1482         * parser/ASTBuilder.h:
1483         (JSC::ASTBuilder::makeFunctionCallNode):
1484         * parser/Lexer.cpp:
1485         (JSC::isSafeBuiltinIdentifier):
1486         * runtime/CommonIdentifiers.h:
1487         * runtime/FunctionPrototype.cpp:
1488         (JSC::FunctionPrototype::addFunctionProperties):
1489         * runtime/JSObject.cpp:
1490         (JSC::JSObject::putDirectBuiltinFunction):
1491         (JSC::JSObject::putDirectBuiltinFunctionWithoutTransition):
1492         * runtime/JSObject.h:
1493
1494 2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>
1495
1496         Web Inspector: Better name for RemoteInspectorDebuggableConnection dispatch queue
1497         https://bugs.webkit.org/show_bug.cgi?id=129443
1498
1499         Reviewed by Timothy Hatcher.
1500
1501         This queue is specific to the JSContext debuggable connections;
1502         there is no XPC involved. Give it a better name.
1503
1504         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
1505         (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
1506
1507 2014-02-27  David Kilzer  <ddkilzer@apple.com>
1508
1509         Remove jsc symlink if it already exists
1510
1511         This is a follow-up fix for:
1512
1513         Create symlink to /usr/local/bin/jsc during installation
1514         <http://webkit.org/b/129399>
1515         <rdar://problem/16168734>
1516
1517         * JavaScriptCore.xcodeproj/project.pbxproj:
1518         (Create /usr/local/bin/jsc symlink): If a jsc symlink already
1519         exists where we're about to create the symlink, remove the old
1520         one first.
1521
1522 2014-02-27  Michael Saboff  <msaboff@apple.com>
1523
1524         Unreviewed build fix for Mac tools after r164814
1525
1526         * Configurations/ToolExecutable.xcconfig:
1527         - Added JavaScriptCore.framework/PrivateHeaders to ToolExecutable include path.
1528         * JavaScriptCore.xcodeproj/project.pbxproj:
1529         - Changed productName to testRegExp for testRegExp target.
1530
1531 2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>
1532
1533         Web Inspector: JSContext inspection should report exceptions in the console
1534         https://bugs.webkit.org/show_bug.cgi?id=128776
1535
1536         Reviewed by Timothy Hatcher.
1537
1538         When JavaScript API functions have an exception, let the inspector
1539         know so it can log the JavaScript and Native backtrace that caused
1540         the exception.
1541
1542         Include some clean up of ConsoleMessage and ScriptCallStack construction.
1543
1544         * API/JSBase.cpp:
1545         (JSEvaluateScript):
1546         (JSCheckScriptSyntax):
1547         * API/JSObjectRef.cpp:
1548         (JSObjectMakeFunction):
1549         (JSObjectMakeArray):
1550         (JSObjectMakeDate):
1551         (JSObjectMakeError):
1552         (JSObjectMakeRegExp):
1553         (JSObjectGetProperty):
1554         (JSObjectSetProperty):
1555         (JSObjectGetPropertyAtIndex):
1556         (JSObjectSetPropertyAtIndex):
1557         (JSObjectDeleteProperty):
1558         (JSObjectCallAsFunction):
1559         (JSObjectCallAsConstructor):
1560         * API/JSValue.mm:
1561         (reportExceptionToInspector):
1562         (valueToArray):
1563         (valueToDictionary):
1564         * API/JSValueRef.cpp:
1565         (JSValueIsEqual):
1566         (JSValueIsInstanceOfConstructor):
1567         (JSValueCreateJSONString):
1568         (JSValueToNumber):
1569         (JSValueToStringCopy):
1570         (JSValueToObject):
1571         When seeing an exception, let the inspector know there was an exception.
1572
1573         * inspector/JSGlobalObjectInspectorController.h:
1574         * inspector/JSGlobalObjectInspectorController.cpp:
1575         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1576         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
1577         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
1578         Log API exceptions by also grabbing the native backtrace.
1579
1580         * inspector/ScriptCallStack.h:
1581         * inspector/ScriptCallStack.cpp:
1582         (Inspector::ScriptCallStack::firstNonNativeCallFrame):
1583         (Inspector::ScriptCallStack::append):
1584         Minor extensions to ScriptCallStack to make it easier to work with.
1585
1586         * inspector/ConsoleMessage.cpp:
1587         (Inspector::ConsoleMessage::ConsoleMessage):
1588         (Inspector::ConsoleMessage::autogenerateMetadata):
1589         Provide better default information if the first call frame was native.
1590
1591         * inspector/ScriptCallStackFactory.cpp:
1592         (Inspector::createScriptCallStack):
1593         (Inspector::extractSourceInformationFromException):
1594         (Inspector::createScriptCallStackFromException):
1595         Perform the handling here of inserting a fake call frame for exceptions
1596         if there was no call stack (e.g. a SyntaxError) or if the first call
1597         frame had no information.
1598
1599         * inspector/ConsoleMessage.cpp:
1600         (Inspector::ConsoleMessage::ConsoleMessage):
1601         (Inspector::ConsoleMessage::autogenerateMetadata):
1602         * inspector/ConsoleMessage.h:
1603         * inspector/ScriptCallStackFactory.cpp:
1604         (Inspector::createScriptCallStack):
1605         (Inspector::createScriptCallStackForConsole):
1606         * inspector/ScriptCallStackFactory.h:
1607         * inspector/agents/InspectorConsoleAgent.cpp:
1608         (Inspector::InspectorConsoleAgent::enable):
1609         (Inspector::InspectorConsoleAgent::addMessageToConsole):
1610         (Inspector::InspectorConsoleAgent::count):
1611         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
1612         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
1613         ConsoleMessage cleanup.
1614
1615 2014-02-27  David Kilzer  <ddkilzer@apple.com>
1616
1617         Create symlink to /usr/local/bin/jsc during installation
1618         <http://webkit.org/b/129399>
1619         <rdar://problem/16168734>
1620
1621         Reviewed by Dan Bernstein.
1622
1623         * JavaScriptCore.xcodeproj/project.pbxproj:
1624         - Add "Create /usr/local/bin/jsc symlink" build phase script to
1625           create the symlink during installation.
1626
1627 2014-02-27  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>
1628
1629         Math.{max, min}() must not return after first NaN value
1630         https://bugs.webkit.org/show_bug.cgi?id=104147
1631
1632         Reviewed by Oliver Hunt.
1633
1634         According to the spec, ToNumber is going to be called on each argument
1635         even if a `NaN` value was already found.
1636
1637         * runtime/MathObject.cpp:
1638         (JSC::mathProtoFuncMax):
1639         (JSC::mathProtoFuncMin):
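
A script-level model of the Math.max/Math.min bug this entry fixes, added here as an example and not JavaScriptCore's own code: ES5 15.8.2.11 and 15.8.2.12 call ToNumber on every argument before the result is decided, so a valueOf side effect on an argument that follows a NaN must still be observable. The names buggyMath, fixedMath and countCoercions are constructed for the example.

```javascript
// Added example, not JavaScriptCore code: a model of the Math.max/Math.min
// bug this entry fixes. ES5 15.8.2.11/12 call ToNumber on every argument
// before deciding the result, so a valueOf side effect on an argument that
// follows a NaN must still be observable.

// Shared core for max and min. `returnOnFirstNaN` selects the pre-fix
// behaviour, which stops coercing arguments as soon as a NaN is seen.
function extremum(args, isBetter, identity, returnOnFirstNaN) {
  let result = identity;
  let sawNaN = false;
  for (const arg of args) {
    const n = Number(arg);              // ToNumber(arg): may run arg.valueOf()
    if (Number.isNaN(n)) {
      if (returnOnFirstNaN) return NaN; // bug: remaining arguments never coerced
      sawNaN = true;
      continue;
    }
    if (isBetter(n, result)) result = n;
  }
  return sawNaN ? NaN : result;
}

// Ordering used by the spec: +0 is larger than -0 for max, -0 smaller for min.
const greater = (a, b) => a > b || (a === 0 && b === 0 && Object.is(b, -0));
const smaller = (a, b) => a < b || (a === 0 && b === 0 && Object.is(b, 0));

// Pre-fix behaviour: early return after the first NaN.
const buggyMath = {
  max: (...args) => extremum(args, greater, -Infinity, true),
  min: (...args) => extremum(args, smaller, Infinity, true),
};

// Fixed behaviour: every argument is coerced, NaN wins at the end.
const fixedMath = {
  max: (...args) => extremum(args, greater, -Infinity, false),
  min: (...args) => extremum(args, smaller, Infinity, false),
};

// Calls `fn(1, NaN, tracked)` where `tracked` counts its valueOf invocations,
// which is how the missing coercions become observable from script.
function countCoercions(fn) {
  let valueOfCalls = 0;
  const tracked = { valueOf() { valueOfCalls += 1; return 3; } };
  const result = fn(1, NaN, tracked);
  return { result, valueOfCalls };
}
```

Running countCoercions against the engine's own Math.max is a quick conformance check: a spec-compliant engine reports one valueOf call, the pre-fix behaviour reports none.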
1640
1641 2014-02-27  Gergo Balogh  <gbalogh.u-szeged@partner.samsung.com>
1642
1643         JSType upper limit (0xff) assertion can be removed.
1644         https://bugs.webkit.org/show_bug.cgi?id=129424
1645
1646         Reviewed by Geoffrey Garen.
1647
1648         * runtime/JSTypeInfo.h:
1649         (JSC::TypeInfo::TypeInfo):
1650
1651 2014-02-26  Michael Saboff  <msaboff@apple.com>
1652
1653         Auto generate bytecode information for bytecode parser and LLInt
1654         https://bugs.webkit.org/show_bug.cgi?id=129181
1655
1656         Reviewed by Mark Lam.
1657
1658         Added new bytecode/BytecodeList.json that contains a list of bytecodes and related
1659         helpers.  It also includes bytecode length and other information used to generate files.
1660         Added a new generator, generate-bytecode-files that generates Bytecodes.h and InitBytecodes.asm
1661         in DerivedSources/JavaScriptCore/.
1662
1663         Added the generation of these files to the "DerivedSource" build step.
1664         Slightly changed the build order, since the Bytecodes.h file is needed by
1665         JSCLLIntOffsetsExtractor.  Moved the offline assembly to a separate step since it needs
1666         to be run after JSCLLIntOffsetsExtractor.
1667
1668         Made related changes to OPCODE macros and their use.
1669
1670         Added JavaScriptCore.framework/PrivateHeaders to header file search path for building
1671         jsc to resolve Mac build issue.
1672
1673         * CMakeLists.txt:
1674         * Configurations/JSC.xcconfig:
1675         * DerivedSources.make:
1676         * GNUmakefile.am:
1677         * GNUmakefile.list.am:
1678         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1679         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1680         * JavaScriptCore.vcxproj/copy-files.cmd:
1681         * JavaScriptCore.xcodeproj/project.pbxproj:
1682         * bytecode/Opcode.h:
1683         (JSC::padOpcodeName):
1684         * llint/LLIntCLoop.cpp:
1685         (JSC::LLInt::CLoop::initialize):
1686         * llint/LLIntCLoop.h:
1687         * llint/LLIntData.cpp:
1688         (JSC::LLInt::initialize):
1689         * llint/LLIntOpcode.h:
1690         * llint/LowLevelInterpreter.asm:
1691
1692 2014-02-27  Julien Brianceau  <jbriance@cisco.com>
1693
1694         Fix 32-bit V_JITOperation_EJ callOperation introduced in r162652.
1695         https://bugs.webkit.org/show_bug.cgi?id=129420
1696
1697         Reviewed by Geoffrey Garen.
1698
1699         * dfg/DFGSpeculativeJIT.h:
1700         (JSC::DFG::SpeculativeJIT::callOperation): Payload and tag are swapped.
1701         Also, EABI_32BIT_DUMMY_ARG is missing for arm EABI and mips.
1702
1703 2014-02-27  Filip Pizlo  <fpizlo@apple.com>
1704
1705         Octane/closure thrashes between flattening dictionaries during global object initialization in a global eval
1706         https://bugs.webkit.org/show_bug.cgi?id=129435
1707
1708         Reviewed by Oliver Hunt.
1709
1710         This is a 5-10% speed-up on Octane/closure.
1711
1712         * interpreter/Interpreter.cpp:
1713         (JSC::Interpreter::execute):
1714         * jsc.cpp:
1715         (GlobalObject::finishCreation):
1716         (functionClearCodeCache):
1717         * runtime/BatchedTransitionOptimizer.h:
1718         (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
1719         (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):
1720
1721 2014-02-27  Alexey Proskuryakov  <ap@apple.com>
1722
1723         Added svn:ignore to two directories, so that .pyc files don't show up as unversioned.
1724
1725         * inspector/scripts: Added property svn:ignore.
1726         * replay/scripts: Added property svn:ignore.
1727
1728 2014-02-27  Gabor Rapcsanyi  <rgabor@webkit.org>
1729
1730         r164764 broke the ARM build
1731         https://bugs.webkit.org/show_bug.cgi?id=129415
1732
1733         Reviewed by Zoltan Herczeg.
1734
1735         * assembler/MacroAssemblerARM.h:
1736         (JSC::MacroAssemblerARM::moveWithPatch): Change reinterpret_cast to static_cast.
1737         (JSC::MacroAssemblerARM::canJumpReplacePatchableBranch32WithPatch): Add missing function.
1738         (JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress): Add missing function.
1739         (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch): Add missing function.
1740
1741 2014-02-27  Mark Hahnenberg  <mhahnenberg@apple.com>
1742
1743         r164764 broke the ARM build
1744         https://bugs.webkit.org/show_bug.cgi?id=129415
1745
1746         Reviewed by Geoffrey Garen.
1747
1748         * assembler/MacroAssemblerARM.h:
1749         (JSC::MacroAssemblerARM::moveWithPatch):
1750
1751 2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>
1752
1753         r164764 broke the ARM build
1754         https://bugs.webkit.org/show_bug.cgi?id=129415
1755
1756         Reviewed by Geoffrey Garen.
1757
1758         * assembler/MacroAssemblerARM.h:
1759         (JSC::MacroAssemblerARM::branch32WithPatch): Missing this function.
1760
1761 2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>
1762
1763         EFL build fix
1764
1765         * dfg/DFGSpeculativeJIT32_64.cpp: Remove unused variables.
1766         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
1767         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1768
1769 2014-02-25  Mark Hahnenberg  <mhahnenberg@apple.com>
1770
1771         Make JSCells have 32-bit Structure pointers
1772         https://bugs.webkit.org/show_bug.cgi?id=123195
1773
1774         Reviewed by Filip Pizlo.
1775
1776         This patch changes JSCells such that they no longer have a full 64-bit Structure
1777         pointer in their header. Instead they now have a 32-bit index into
1778         a per-VM table of Structure pointers. 32-bit platforms still use normal Structure
1779         pointers.
1780
1781         This change frees up an additional 32 bits of information in our object headers.
1782         We then use this extra space to store the indexing type of the object, the JSType
1783         of the object, some various type flags, and garbage collection data (e.g. mark bit).
1784         Because this inline type information is now faster to read, it pays for the slowdown
1785         incurred by having to perform an extra indirection through the StructureIDTable.
1786
1787         This patch also threads a reference to the current VM through more of the C++ runtime
1788         to offset the cost of having to look up the VM to get the actual Structure pointer.
1789
1790         * API/JSContext.mm:
1791         (-[JSContext setException:]):
1792         (-[JSContext wrapperForObjCObject:]):
1793         (-[JSContext wrapperForJSObject:]):
1794         * API/JSContextRef.cpp:
1795         (JSContextGroupRelease):
1796         (JSGlobalContextRelease):
1797         * API/JSObjectRef.cpp:
1798         (JSObjectIsFunction):
1799         (JSObjectCopyPropertyNames):
1800         * API/JSValue.mm:
1801         (containerValueToObject):
1802         * API/JSWrapperMap.mm:
1803         (tryUnwrapObjcObject):
1804         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1805         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1806         * JavaScriptCore.xcodeproj/project.pbxproj:
1807         * assembler/AbstractMacroAssembler.h:
1808         * assembler/MacroAssembler.h:
1809         (JSC::MacroAssembler::patchableBranch32WithPatch):
1810         (JSC::MacroAssembler::patchableBranch32):
1811         * assembler/MacroAssemblerARM64.h:
1812         (JSC::MacroAssemblerARM64::branchPtrWithPatch):
1813         (JSC::MacroAssemblerARM64::patchableBranch32WithPatch):
1814         (JSC::MacroAssemblerARM64::canJumpReplacePatchableBranch32WithPatch):
1815         (JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress):
1816         (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch):
1817         * assembler/MacroAssemblerARMv7.h:
1818         (JSC::MacroAssemblerARMv7::store8):
1819         (JSC::MacroAssemblerARMv7::branch32WithPatch):
1820         (JSC::MacroAssemblerARMv7::patchableBranch32WithPatch):
1821         (JSC::MacroAssemblerARMv7::canJumpReplacePatchableBranch32WithPatch):
1822         (JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress):
1823         (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch):
1824         * assembler/MacroAssemblerX86.h:
1825         (JSC::MacroAssemblerX86::branch32WithPatch):
1826         (JSC::MacroAssemblerX86::canJumpReplacePatchableBranch32WithPatch):
1827         (JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress):
1828         (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch):
1829         * assembler/MacroAssemblerX86_64.h:
1830         (JSC::MacroAssemblerX86_64::store32):
1831         (JSC::MacroAssemblerX86_64::moveWithPatch):
1832         (JSC::MacroAssemblerX86_64::branch32WithPatch):
1833         (JSC::MacroAssemblerX86_64::canJumpReplacePatchableBranch32WithPatch):
1834         (JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister):
1835         (JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress):
1836         (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch):
1837         * assembler/RepatchBuffer.h:
1838         (JSC::RepatchBuffer::startOfPatchableBranch32WithPatchOnAddress):
1839         (JSC::RepatchBuffer::revertJumpReplacementToPatchableBranch32WithPatch):
1840         * assembler/X86Assembler.h:
1841         (JSC::X86Assembler::revertJumpTo_movq_i64r):
1842         (JSC::X86Assembler::revertJumpTo_movl_i32r):
1843         * bytecode/ArrayProfile.cpp:
1844         (JSC::ArrayProfile::computeUpdatedPrediction):
1845         * bytecode/ArrayProfile.h:
1846         (JSC::ArrayProfile::ArrayProfile):
1847         (JSC::ArrayProfile::addressOfLastSeenStructureID):
1848         (JSC::ArrayProfile::observeStructure):
1849         * bytecode/CodeBlock.h:
1850         (JSC::CodeBlock::heap):
1851         * bytecode/UnlinkedCodeBlock.h:
1852         * debugger/Debugger.h:
1853         * dfg/DFGAbstractHeap.h:
1854         * dfg/DFGArrayifySlowPathGenerator.h:
1855         * dfg/DFGClobberize.h:
1856         (JSC::DFG::clobberize):
1857         * dfg/DFGJITCompiler.h:
1858         (JSC::DFG::JITCompiler::branchWeakStructure):
1859         (JSC::DFG::JITCompiler::branchStructurePtr):
1860         * dfg/DFGOSRExitCompiler32_64.cpp:
1861         (JSC::DFG::OSRExitCompiler::compileExit):
1862         * dfg/DFGOSRExitCompiler64.cpp:
1863         (JSC::DFG::OSRExitCompiler::compileExit):
1864         * dfg/DFGOSRExitCompilerCommon.cpp:
1865         (JSC::DFG::osrWriteBarrier):
1866         (JSC::DFG::adjustAndJumpToTarget):
1867         * dfg/DFGOperations.cpp:
1868         (JSC::DFG::putByVal):
1869         * dfg/DFGSpeculativeJIT.cpp:
1870         (JSC::DFG::SpeculativeJIT::checkArray):
1871         (JSC::DFG::SpeculativeJIT::arrayify):
1872         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
1873         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
1874         (JSC::DFG::SpeculativeJIT::compileInstanceOf):
1875         (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
1876         (JSC::DFG::SpeculativeJIT::speculateObject):
1877         (JSC::DFG::SpeculativeJIT::speculateFinalObject):
1878         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
1879         (JSC::DFG::SpeculativeJIT::speculateString):
1880         (JSC::DFG::SpeculativeJIT::speculateStringObject):
1881         (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
1882         (JSC::DFG::SpeculativeJIT::emitSwitchChar):
1883         (JSC::DFG::SpeculativeJIT::emitSwitchString):
1884         (JSC::DFG::SpeculativeJIT::genericWriteBarrier):
1885         (JSC::DFG::SpeculativeJIT::writeBarrier):
1886         * dfg/DFGSpeculativeJIT.h:
1887         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
1888         (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
1889         * dfg/DFGSpeculativeJIT32_64.cpp:
1890         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
1891         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
1892         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
1893         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
1894         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1895         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1896         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1897         (JSC::DFG::SpeculativeJIT::compile):
1898         (JSC::DFG::SpeculativeJIT::writeBarrier):
1899         * dfg/DFGSpeculativeJIT64.cpp:
1900         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
1901         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
1902         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
1903         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
1904         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1905         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1906         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1907         (JSC::DFG::SpeculativeJIT::compile):
1908         (JSC::DFG::SpeculativeJIT::writeBarrier):
1909         * dfg/DFGWorklist.cpp:
1910         * ftl/FTLAbstractHeapRepository.cpp:
1911         (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
1912         * ftl/FTLAbstractHeapRepository.h:
1913         * ftl/FTLLowerDFGToLLVM.cpp:
1914         (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
1915         (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
1916         (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
1917         (JSC::FTL::LowerDFGToLLVM::compileToString):
1918         (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
1919         (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
1920         (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
1921         (JSC::FTL::LowerDFGToLLVM::allocateCell):
1922         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
1923         (JSC::FTL::LowerDFGToLLVM::isObject):
1924         (JSC::FTL::LowerDFGToLLVM::isString):
1925         (JSC::FTL::LowerDFGToLLVM::isArrayType):
1926         (JSC::FTL::LowerDFGToLLVM::hasClassInfo):
1927         (JSC::FTL::LowerDFGToLLVM::isType):
1928         (JSC::FTL::LowerDFGToLLVM::speculateStringOrStringObject):
1929         (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForCell):
1930         (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
1931         (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
1932         (JSC::FTL::LowerDFGToLLVM::loadMarkByte):
1933         (JSC::FTL::LowerDFGToLLVM::loadStructure):
1934         (JSC::FTL::LowerDFGToLLVM::weakStructure):
1935         * ftl/FTLOSRExitCompiler.cpp:
1936         (JSC::FTL::compileStub):
1937         * ftl/FTLOutput.h:
1938         (JSC::FTL::Output::store8):
1939         * heap/GCAssertions.h:
1940         * heap/Heap.cpp:
1941         (JSC::Heap::getConservativeRegisterRoots):
1942         (JSC::Heap::collect):
1943         (JSC::Heap::writeBarrier):
1944         * heap/Heap.h:
1945         (JSC::Heap::structureIDTable):
1946         * heap/MarkedSpace.h:
1947         (JSC::MarkedSpace::forEachBlock):
1948         * heap/SlotVisitorInlines.h:
1949         (JSC::SlotVisitor::internalAppend):
1950         * jit/AssemblyHelpers.h:
1951         (JSC::AssemblyHelpers::branchIfCellNotObject):
1952         (JSC::AssemblyHelpers::genericWriteBarrier):
1953         (JSC::AssemblyHelpers::emitLoadStructure):
1954         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
1955         * jit/JIT.h:
1956         * jit/JITCall.cpp:
1957         (JSC::JIT::compileOpCall):
1958         (JSC::JIT::privateCompileClosureCall):
1959         * jit/JITCall32_64.cpp:
1960         (JSC::JIT::emit_op_ret_object_or_this):
1961         (JSC::JIT::compileOpCall):
1962         (JSC::JIT::privateCompileClosureCall):
1963         * jit/JITInlineCacheGenerator.cpp:
1964         (JSC::JITByIdGenerator::generateFastPathChecks):
1965         * jit/JITInlineCacheGenerator.h:
1966         * jit/JITInlines.h:
1967         (JSC::JIT::emitLoadCharacterString):
1968         (JSC::JIT::checkStructure):
1969         (JSC::JIT::emitJumpIfCellNotObject):
1970         (JSC::JIT::emitAllocateJSObject):
1971         (JSC::JIT::emitArrayProfilingSiteWithCell):
1972         (JSC::JIT::emitArrayProfilingSiteForBytecodeIndexWithCell):
1973         (JSC::JIT::branchStructure):
1974         (JSC::branchStructure):
1975         * jit/JITOpcodes.cpp:
1976         (JSC::JIT::emit_op_check_has_instance):
1977         (JSC::JIT::emit_op_instanceof):
1978         (JSC::JIT::emit_op_is_undefined):
1979         (JSC::JIT::emit_op_is_string):
1980         (JSC::JIT::emit_op_ret_object_or_this):
1981         (JSC::JIT::emit_op_to_primitive):
1982         (JSC::JIT::emit_op_jeq_null):
1983         (JSC::JIT::emit_op_jneq_null):
1984         (JSC::JIT::emit_op_get_pnames):
1985         (JSC::JIT::emit_op_next_pname):
1986         (JSC::JIT::emit_op_eq_null):
1987         (JSC::JIT::emit_op_neq_null):
1988         (JSC::JIT::emit_op_to_this):
1989         (JSC::JIT::emitSlow_op_to_this):
1990         * jit/JITOpcodes32_64.cpp:
1991         (JSC::JIT::emit_op_check_has_instance):
1992         (JSC::JIT::emit_op_instanceof):
1993         (JSC::JIT::emit_op_is_undefined):
1994         (JSC::JIT::emit_op_is_string):
1995         (JSC::JIT::emit_op_to_primitive):
1996         (JSC::JIT::emit_op_jeq_null):
1997         (JSC::JIT::emit_op_jneq_null):
1998         (JSC::JIT::emitSlow_op_eq):
1999         (JSC::JIT::emitSlow_op_neq):
2000         (JSC::JIT::compileOpStrictEq):
2001         (JSC::JIT::emit_op_eq_null):
2002         (JSC::JIT::emit_op_neq_null):
2003         (JSC::JIT::emit_op_get_pnames):
2004         (JSC::JIT::emit_op_next_pname):
2005         (JSC::JIT::emit_op_to_this):
2006         * jit/JITOperations.cpp:
2007         * jit/JITPropertyAccess.cpp:
2008         (JSC::JIT::stringGetByValStubGenerator):
2009         (JSC::JIT::emit_op_get_by_val):
2010         (JSC::JIT::emitSlow_op_get_by_val):
2011         (JSC::JIT::emit_op_get_by_pname):
2012         (JSC::JIT::emit_op_put_by_val):
2013         (JSC::JIT::emit_op_get_by_id):
2014         (JSC::JIT::emitLoadWithStructureCheck):
2015         (JSC::JIT::emitSlow_op_get_from_scope):
2016         (JSC::JIT::emitSlow_op_put_to_scope):
2017         (JSC::JIT::checkMarkWord):
2018         (JSC::JIT::emitWriteBarrier):
2019         (JSC::JIT::addStructureTransitionCheck):
2020         (JSC::JIT::emitIntTypedArrayGetByVal):
2021         (JSC::JIT::emitFloatTypedArrayGetByVal):
2022         (JSC::JIT::emitIntTypedArrayPutByVal):
2023         (JSC::JIT::emitFloatTypedArrayPutByVal):
2024         * jit/JITPropertyAccess32_64.cpp:
2025         (JSC::JIT::stringGetByValStubGenerator):
2026         (JSC::JIT::emit_op_get_by_val):
2027         (JSC::JIT::emitSlow_op_get_by_val):
2028         (JSC::JIT::emit_op_put_by_val):
2029         (JSC::JIT::emit_op_get_by_id):
2030         (JSC::JIT::emit_op_get_by_pname):
2031         (JSC::JIT::emitLoadWithStructureCheck):
2032         * jit/JSInterfaceJIT.h:
2033         (JSC::JSInterfaceJIT::emitJumpIfNotType):
2034         * jit/Repatch.cpp:
2035         (JSC::repatchByIdSelfAccess):
2036         (JSC::addStructureTransitionCheck):
2037         (JSC::replaceWithJump):
2038         (JSC::generateProtoChainAccessStub):
2039         (JSC::tryCacheGetByID):
2040         (JSC::tryBuildGetByIDList):
2041         (JSC::writeBarrier):
2042         (JSC::emitPutReplaceStub):
2043         (JSC::emitPutTransitionStub):
2044         (JSC::tryBuildPutByIdList):
2045         (JSC::tryRepatchIn):
2046         (JSC::linkClosureCall):
2047         (JSC::resetGetByID):
2048         (JSC::resetPutByID):
2049         * jit/SpecializedThunkJIT.h:
2050         (JSC::SpecializedThunkJIT::loadJSStringArgument):
2051         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
2052         * jit/ThunkGenerators.cpp:
2053         (JSC::virtualForThunkGenerator):
2054         (JSC::arrayIteratorNextThunkGenerator):
2055         * jit/UnusedPointer.h:
2056         * llint/LowLevelInterpreter.asm:
2057         * llint/LowLevelInterpreter32_64.asm:
2058         * llint/LowLevelInterpreter64.asm:
2059         * runtime/Arguments.cpp:
2060         (JSC::Arguments::createStrictModeCallerIfNecessary):
2061         (JSC::Arguments::createStrictModeCalleeIfNecessary):
2062         * runtime/Arguments.h:
2063         (JSC::Arguments::createStructure):
2064         * runtime/ArrayPrototype.cpp:
2065         (JSC::shift):
2066         (JSC::unshift):
2067         (JSC::arrayProtoFuncToString):
2068         (JSC::arrayProtoFuncPop):
2069         (JSC::arrayProtoFuncReverse):
2070         (JSC::performSlowSort):
2071         (JSC::arrayProtoFuncSort):
2072         (JSC::arrayProtoFuncSplice):
2073         (JSC::arrayProtoFuncUnShift):
2074         * runtime/CommonSlowPaths.cpp:
2075         (JSC::SLOW_PATH_DECL):
2076         * runtime/Executable.h:
2077         (JSC::ExecutableBase::isFunctionExecutable):
2078         (JSC::ExecutableBase::clearCodeVirtual):
2079         (JSC::ScriptExecutable::unlinkCalls):
2080         * runtime/GetterSetter.cpp:
2081         (JSC::callGetter):
2082         (JSC::callSetter):
2083         * runtime/InitializeThreading.cpp:
2084         * runtime/JSArray.cpp:
2085         (JSC::JSArray::unshiftCountSlowCase):
2086         (JSC::JSArray::setLength):
2087         (JSC::JSArray::pop):
2088         (JSC::JSArray::push):
2089         (JSC::JSArray::shiftCountWithArrayStorage):
2090         (JSC::JSArray::shiftCountWithAnyIndexingType):
2091         (JSC::JSArray::unshiftCountWithArrayStorage):
2092         (JSC::JSArray::unshiftCountWithAnyIndexingType):
2093         (JSC::JSArray::sortNumericVector):
2094         (JSC::JSArray::sortNumeric):
2095         (JSC::JSArray::sortCompactedVector):
2096         (JSC::JSArray::sort):
2097         (JSC::JSArray::sortVector):
2098         (JSC::JSArray::fillArgList):
2099         (JSC::JSArray::copyToArguments):
2100         (JSC::JSArray::compactForSorting):
2101         * runtime/JSCJSValueInlines.h:
2102         (JSC::JSValue::toThis):
2103         (JSC::JSValue::put):
2104         (JSC::JSValue::putByIndex):
2105         (JSC::JSValue::equalSlowCaseInline):
2106         * runtime/JSCell.cpp:
2107         (JSC::JSCell::put):
2108         (JSC::JSCell::putByIndex):
2109         (JSC::JSCell::deleteProperty):
2110         (JSC::JSCell::deletePropertyByIndex):
2111         * runtime/JSCell.h:
2112         (JSC::JSCell::clearStructure):
2113         (JSC::JSCell::mark):
2114         (JSC::JSCell::isMarked):
2115         (JSC::JSCell::structureIDOffset):
2116         (JSC::JSCell::typeInfoFlagsOffset):
2117         (JSC::JSCell::typeInfoTypeOffset):
2118         (JSC::JSCell::indexingTypeOffset):
2119         (JSC::JSCell::gcDataOffset):
2120         * runtime/JSCellInlines.h:
2121         (JSC::JSCell::JSCell):
2122         (JSC::JSCell::finishCreation):
2123         (JSC::JSCell::type):
2124         (JSC::JSCell::indexingType):
2125         (JSC::JSCell::structure):
2126         (JSC::JSCell::visitChildren):
2127         (JSC::JSCell::isObject):
2128         (JSC::JSCell::isString):
2129         (JSC::JSCell::isGetterSetter):
2130         (JSC::JSCell::isProxy):
2131         (JSC::JSCell::isAPIValueWrapper):
2132         (JSC::JSCell::setStructure):
2133         (JSC::JSCell::methodTable):
2134         (JSC::Heap::writeBarrier):
2135         * runtime/JSDataView.cpp:
2136         (JSC::JSDataView::createStructure):
2137         * runtime/JSDestructibleObject.h:
2138         (JSC::JSCell::classInfo):
2139         * runtime/JSFunction.cpp:
2140         (JSC::JSFunction::getOwnNonIndexPropertyNames):
2141         (JSC::JSFunction::put):
2142         (JSC::JSFunction::defineOwnProperty):
2143         * runtime/JSGenericTypedArrayView.h:
2144         (JSC::JSGenericTypedArrayView::createStructure):
2145         * runtime/JSObject.cpp:
2146         (JSC::getCallableObjectSlow):
2147         (JSC::JSObject::copyButterfly):
2148         (JSC::JSObject::visitButterfly):
2149         (JSC::JSFinalObject::visitChildren):
2150         (JSC::JSObject::getOwnPropertySlotByIndex):
2151         (JSC::JSObject::put):
2152         (JSC::JSObject::putByIndex):
2153         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
2154         (JSC::JSObject::enterDictionaryIndexingMode):
2155         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
2156         (JSC::JSObject::createInitialIndexedStorage):
2157         (JSC::JSObject::createInitialUndecided):
2158         (JSC::JSObject::createInitialInt32):
2159         (JSC::JSObject::createInitialDouble):
2160         (JSC::JSObject::createInitialContiguous):
2161         (JSC::JSObject::createArrayStorage):
2162         (JSC::JSObject::convertUndecidedToInt32):
2163         (JSC::JSObject::convertUndecidedToDouble):
2164         (JSC::JSObject::convertUndecidedToContiguous):
2165         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
2166         (JSC::JSObject::convertUndecidedToArrayStorage):
2167         (JSC::JSObject::convertInt32ToDouble):
2168         (JSC::JSObject::convertInt32ToContiguous):
2169         (JSC::JSObject::convertInt32ToArrayStorage):
2170         (JSC::JSObject::genericConvertDoubleToContiguous):
2171         (JSC::JSObject::convertDoubleToArrayStorage):
2172         (JSC::JSObject::convertContiguousToArrayStorage):
2173         (JSC::JSObject::ensureInt32Slow):
2174         (JSC::JSObject::ensureDoubleSlow):
2175         (JSC::JSObject::ensureContiguousSlow):
2176         (JSC::JSObject::ensureArrayStorageSlow):
2177         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
2178         (JSC::JSObject::switchToSlowPutArrayStorage):
2179         (JSC::JSObject::setPrototype):
2180         (JSC::JSObject::setPrototypeWithCycleCheck):
2181         (JSC::JSObject::putDirectNonIndexAccessor):
2182         (JSC::JSObject::deleteProperty):
2183         (JSC::JSObject::hasOwnProperty):
2184         (JSC::JSObject::deletePropertyByIndex):
2185         (JSC::JSObject::getPrimitiveNumber):
2186         (JSC::JSObject::hasInstance):
2187         (JSC::JSObject::getPropertySpecificValue):
2188         (JSC::JSObject::getPropertyNames):
2189         (JSC::JSObject::getOwnPropertyNames):
2190         (JSC::JSObject::getOwnNonIndexPropertyNames):
2191         (JSC::JSObject::seal):
2192         (JSC::JSObject::freeze):
2193         (JSC::JSObject::preventExtensions):
2194         (JSC::JSObject::reifyStaticFunctionsForDelete):
2195         (JSC::JSObject::removeDirect):
2196         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2197         (JSC::JSObject::putByIndexBeyondVectorLength):
2198         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
2199         (JSC::JSObject::putDirectIndexBeyondVectorLength):
2200         (JSC::JSObject::getNewVectorLength):
2201         (JSC::JSObject::countElements):
2202         (JSC::JSObject::increaseVectorLength):
2203         (JSC::JSObject::ensureLengthSlow):
2204         (JSC::JSObject::growOutOfLineStorage):
2205         (JSC::JSObject::getOwnPropertyDescriptor):
2206         (JSC::putDescriptor):
2207         (JSC::JSObject::defineOwnNonIndexProperty):
2208         * runtime/JSObject.h:
2209         (JSC::getJSFunction):
2210         (JSC::JSObject::getArrayLength):
2211         (JSC::JSObject::getVectorLength):
2212         (JSC::JSObject::putByIndexInline):
2213         (JSC::JSObject::canGetIndexQuickly):
2214         (JSC::JSObject::getIndexQuickly):
2215         (JSC::JSObject::tryGetIndexQuickly):
2216         (JSC::JSObject::getDirectIndex):
2217         (JSC::JSObject::canSetIndexQuickly):
2218         (JSC::JSObject::canSetIndexQuicklyForPutDirect):
2219         (JSC::JSObject::setIndexQuickly):
2220         (JSC::JSObject::initializeIndex):
2221         (JSC::JSObject::hasSparseMap):
2222         (JSC::JSObject::inSparseIndexingMode):
2223         (JSC::JSObject::getDirect):
2224         (JSC::JSObject::getDirectOffset):
2225         (JSC::JSObject::isSealed):
2226         (JSC::JSObject::isFrozen):
2227         (JSC::JSObject::flattenDictionaryObject):
2228         (JSC::JSObject::ensureInt32):
2229         (JSC::JSObject::ensureDouble):
2230         (JSC::JSObject::ensureContiguous):
2231         (JSC::JSObject::rageEnsureContiguous):
2232         (JSC::JSObject::ensureArrayStorage):
2233         (JSC::JSObject::arrayStorage):
2234         (JSC::JSObject::arrayStorageOrNull):
2235         (JSC::JSObject::ensureLength):
2236         (JSC::JSObject::currentIndexingData):
2237         (JSC::JSObject::getHolyIndexQuickly):
2238         (JSC::JSObject::currentRelevantLength):
2239         (JSC::JSObject::isGlobalObject):
2240         (JSC::JSObject::isVariableObject):
2241         (JSC::JSObject::isStaticScopeObject):
2242         (JSC::JSObject::isNameScopeObject):
2243         (JSC::JSObject::isActivationObject):
2244         (JSC::JSObject::isErrorInstance):
2245         (JSC::JSObject::inlineGetOwnPropertySlot):
2246         (JSC::JSObject::fastGetOwnPropertySlot):
2247         (JSC::JSObject::getPropertySlot):
2248         (JSC::JSObject::putDirectInternal):
2249         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
2250         * runtime/JSPropertyNameIterator.h:
2251         (JSC::JSPropertyNameIterator::createStructure):
2252         * runtime/JSProxy.cpp:
2253         (JSC::JSProxy::getOwnPropertySlot):
2254         (JSC::JSProxy::getOwnPropertySlotByIndex):
2255         (JSC::JSProxy::put):
2256         (JSC::JSProxy::putByIndex):
2257         (JSC::JSProxy::defineOwnProperty):
2258         (JSC::JSProxy::deleteProperty):
2259         (JSC::JSProxy::deletePropertyByIndex):
2260         (JSC::JSProxy::getPropertyNames):
2261         (JSC::JSProxy::getOwnPropertyNames):
2262         * runtime/JSScope.cpp:
2263         (JSC::JSScope::objectAtScope):
2264         * runtime/JSString.h:
2265         (JSC::JSString::createStructure):
2266         (JSC::isJSString):
2267         * runtime/JSType.h:
2268         * runtime/JSTypeInfo.h:
2269         (JSC::TypeInfo::TypeInfo):
2270         (JSC::TypeInfo::isObject):
2271         (JSC::TypeInfo::structureIsImmortal):
2272         (JSC::TypeInfo::zeroedGCDataOffset):
2273         (JSC::TypeInfo::inlineTypeFlags):
2274         * runtime/MapData.h:
2275         * runtime/ObjectConstructor.cpp:
2276         (JSC::objectConstructorGetOwnPropertyNames):
2277         (JSC::objectConstructorKeys):
2278         (JSC::objectConstructorDefineProperty):
2279         (JSC::defineProperties):
2280         (JSC::objectConstructorSeal):
2281         (JSC::objectConstructorFreeze):
2282         (JSC::objectConstructorIsSealed):
2283         (JSC::objectConstructorIsFrozen):
2284         * runtime/ObjectPrototype.cpp:
2285         (JSC::objectProtoFuncDefineGetter):
2286         (JSC::objectProtoFuncDefineSetter):
2287         (JSC::objectProtoFuncToString):
2288         * runtime/Operations.cpp:
2289         (JSC::jsTypeStringForValue):
2290         (JSC::jsIsObjectType):
2291         * runtime/Operations.h:
2292         (JSC::normalizePrototypeChainForChainAccess):
2293         (JSC::normalizePrototypeChain):
2294         * runtime/PropertyMapHashTable.h:
2295         (JSC::PropertyTable::createStructure):
2296         * runtime/RegExp.h:
2297         (JSC::RegExp::createStructure):
2298         * runtime/SparseArrayValueMap.h:
2299         * runtime/Structure.cpp:
2300         (JSC::Structure::Structure):
2301         (JSC::Structure::~Structure):
2302         (JSC::Structure::prototypeChainMayInterceptStoreTo):
2303         * runtime/Structure.h:
2304         (JSC::Structure::id):
2305         (JSC::Structure::idBlob):
2306         (JSC::Structure::objectInitializationFields):
2307         (JSC::Structure::structureIDOffset):
2308         * runtime/StructureChain.h:
2309         (JSC::StructureChain::createStructure):
2310         * runtime/StructureIDTable.cpp: Added.
2311         (JSC::StructureIDTable::StructureIDTable):
2312         (JSC::StructureIDTable::~StructureIDTable):
2313         (JSC::StructureIDTable::resize):
2314         (JSC::StructureIDTable::flushOldTables):
2315         (JSC::StructureIDTable::allocateID):
2316         (JSC::StructureIDTable::deallocateID):
2317         * runtime/StructureIDTable.h: Added.
2318         (JSC::StructureIDTable::base):
2319         (JSC::StructureIDTable::get):
2320         * runtime/SymbolTable.h:
2321         * runtime/TypedArrayType.cpp:
2322         (JSC::typeForTypedArrayType):
2323         * runtime/TypedArrayType.h:
2324         * runtime/WeakMapData.h:
2325
2326 2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>
2327
2328         Unconditional logging in compileFTLOSRExit
2329         https://bugs.webkit.org/show_bug.cgi?id=129407
2330
2331         Reviewed by Michael Saboff.
2332
2333         This was causing tests to fail with the FTL enabled.
2334
2335         * ftl/FTLOSRExitCompiler.cpp:
2336         (JSC::FTL::compileFTLOSRExit):
2337
2338 2014-02-26  Oliver Hunt  <oliver@apple.com>
2339
2340         Remove unused access types
2341         https://bugs.webkit.org/show_bug.cgi?id=129385
2342
2343         Reviewed by Filip Pizlo.
2344
2345         Remove unused cruft.
2346
2347         * bytecode/CodeBlock.cpp:
2348         (JSC::CodeBlock::printGetByIdCacheStatus):
2349         * bytecode/StructureStubInfo.cpp:
2350         (JSC::StructureStubInfo::deref):
2351         * bytecode/StructureStubInfo.h:
2352         (JSC::isGetByIdAccess):
2353         (JSC::isPutByIdAccess):
2354
2355 2014-02-26  Oliver Hunt  <oliver@apple.com>
2356
2357         Function.prototype.apply has a bad time with the spread operator
2358         https://bugs.webkit.org/show_bug.cgi?id=129381
2359
2360         Reviewed by Mark Hahnenberg.
2361
2362         Make sure our apply logic handles the spread operator correctly.
2363         To do this we simply emit the enumeration logic that we'd normally
2364         use for other enumerations, but only store the first two results
2365         to registers.  Then perform a varargs call.
2366
2367         * bytecompiler/NodesCodegen.cpp:
2368         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2369
2370 2014-02-26  Mark Lam  <mark.lam@apple.com>
2371
2372         Compilation policy management belongs in operationOptimize(), not the DFG Driver.
2373         <https://webkit.org/b/129355>
2374
2375         Reviewed by Filip Pizlo.
2376
2377         By compilation policy, I mean the rules for determining whether to
2378         compile, when to compile, when to attempt compilation again, etc.  The
2379         few of these policy decisions that were previously being made in the
2380         DFG driver are now moved to operationOptimize() where we keep the rest
2381         of the policy logic.  Decisions that are based on the capabilities
2382         supported by the DFG are moved to DFG capabilityLevel().
2383
2384         I've run the following benchmarks:
2385         1. the collection of jsc benchmarks on the jsc executable vs. its
2386            baseline.
2387         2. Octane 2.0 in browser without the WebInspector.
2388         3. Octane 2.0 in browser with the WebInspector open and a breakpoint
2389            set somewhere where it won't break.
2390
2391         In all of these, the results came out to be a wash as expected.
2392
2393         * dfg/DFGCapabilities.cpp:
2394         (JSC::DFG::isSupported):
2395         (JSC::DFG::mightCompileEval):
2396         (JSC::DFG::mightCompileProgram):
2397         (JSC::DFG::mightCompileFunctionForCall):
2398         (JSC::DFG::mightCompileFunctionForConstruct):
2399         (JSC::DFG::mightInlineFunctionForCall):
2400         (JSC::DFG::mightInlineFunctionForClosureCall):
2401         (JSC::DFG::mightInlineFunctionForConstruct):
2402         * dfg/DFGCapabilities.h:
2403         * dfg/DFGDriver.cpp:
2404         (JSC::DFG::compileImpl):
2405         * jit/JITOperations.cpp:
2406
2407 2014-02-26  Mark Lam  <mark.lam@apple.com>
2408
2409         ASSERTION FAILED: m_heap->vm()->currentThreadIsHoldingAPILock() in inspector-protocol/*.
2410         <https://webkit.org/b/129364>
2411
2412         Reviewed by Alexey Proskuryakov.
2413
2414         InjectedScriptModule::ensureInjected() needs an APIEntryShim.
2415
2416         * inspector/InjectedScriptModule.cpp:
2417         (Inspector::InjectedScriptModule::ensureInjected):
2418         - Added the needed but missing APIEntryShim. 
2419
2420 2014-02-25  Mark Lam  <mark.lam@apple.com>
2421
2422         Web Inspector: CRASH when evaluating in console of JSContext RWI with disabled breakpoints.
2423         <https://webkit.org/b/128766>
2424
2425         Reviewed by Geoffrey Garen.
2426
2427         Make the JSLock::grabAllLocks() work the same way as for the C loop LLINT.
2428         The reasoning is that we don't know of any clients that need unordered
2429         re-entry into the VM from different threads. So, we're enforcing ordered
2430         re-entry i.e. we must re-grab locks in the reverse order of dropping locks.
2431
2432         The crash in this bug happened because we were allowing unordered re-entry,
2433         and the following type of scenario occurred:
2434
2435         1. Thread T1 locks the VM, and enters the VM to execute some JS code.
2436         2. On entry, T1 detects that VM::m_entryScope is null i.e. this is the
2437            first time it entered the VM.
2438            T1 sets VM::m_entryScope to T1's entryScope.
2439         3. T1 drops all locks.
2440
2441         4. Thread T2 locks the VM, and enters the VM to execute some JS code.
2442            On entry, T2 sees that VM::m_entryScope is NOT null, and therefore
2443            does not set the entryScope.
2444         5. T2 drops all locks.
2445
2446         6. T1 re-grabs locks.
2447         7. T1 returns all the way out of JS code. On exit from the outermost
2448            JS function, T1 clears VM::m_entryScope (because T1 was the one who
2449            set it).
2450         8. T1 unlocks the VM.
2451
2452         9. T2 re-grabs locks.
2453         10. T2 proceeds to execute some code and expects VM::m_entryScope to be
2454             NOT null, but it turns out to be null. Assertion failures and
2455             crashes ensue.
2456
2457         With ordered re-entry, at step 6, T1 will loop and yield until T2 exits
2458         the VM. Hence, the issue will no longer manifest.
2459
2460         * runtime/JSLock.cpp:
2461         (JSC::JSLock::dropAllLocks):
2462         (JSC::JSLock::grabAllLocks):
2463         * runtime/JSLock.h:
2464         (JSC::JSLock::DropAllLocks::dropDepth):
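
        The ten-step interleaving above, replayed as a sequential model. This is an
        added example, not WebKit or JavaScriptCore code: the VM, Thread, lockHolder,
        dropDepth and droppedAt names are the model's own, and the LIFO "ticket" is an
        assumed way of expressing the ordered re-entry rule (re-grab in the reverse
        order of dropping); only the step sequence comes from the entry above. Running
        the scenario once with unordered re-entry and once with ordered re-entry shows
        T2 observing a null entry scope in the first case only.

```cpp
// Added example, not WebKit/JavaScriptCore code: a sequential model of the
// entry-scope race described in the ChangeLog entry and of the ordered (LIFO)
// re-entry rule that removes it. Names are the model's own assumptions.
#include <cassert>
#include <cstdio>

namespace model {

struct VM {
    int lockHolder = 0;      // id of the thread holding the API lock, 0 = free
    int entryScope = 0;      // id of the thread that set m_entryScope, 0 = null
    unsigned dropDepth = 0;  // outstanding dropAllLocks calls (LIFO tickets)
};

struct Thread {
    int id;
    bool ownsEntryScope = false; // true if this thread set m_entryScope on entry
    unsigned droppedAt = 0;      // dropDepth ticket taken when it dropped its locks
};

// Lock the VM and enter JS; only the first thread in sets the entry scope.
inline void lockAndEnter(VM& vm, Thread& t) {
    assert(vm.lockHolder == 0);
    vm.lockHolder = t.id;
    if (vm.entryScope == 0) {
        vm.entryScope = t.id;
        t.ownsEntryScope = true;
    }
}

inline void dropAllLocks(VM& vm, Thread& t) {
    assert(vm.lockHolder == t.id);
    t.droppedAt = ++vm.dropDepth;
    vm.lockHolder = 0;
}

// Returns false when the caller must yield and retry: the lock is held, or
// (ordered mode) some other thread dropped its locks more recently.
inline bool grabAllLocks(VM& vm, Thread& t, bool ordered) {
    if (vm.lockHolder != 0)
        return false;
    if (ordered && t.droppedAt != vm.dropDepth)
        return false;
    vm.lockHolder = t.id;
    --vm.dropDepth;
    return true;
}

// Return all the way out of JS and unlock; only the thread that set the
// entry scope clears it.
inline void exitAndUnlock(VM& vm, Thread& t) {
    assert(vm.lockHolder == t.id);
    if (t.ownsEntryScope) {
        vm.entryScope = 0;
        t.ownsEntryScope = false;
    }
    vm.lockHolder = 0;
}

struct Outcome {
    bool t1Deferred;      // did T1's re-grab at step 6 have to yield to T2?
    bool t2SawNullScope;  // did T2 find m_entryScope null after re-grabbing?
};

// Replays steps 1-10. With ordered == true, step 6 makes T1 yield until T2
// has re-grabbed and exited, which is the reordering the fix forces.
inline Outcome runScenario(bool ordered) {
    VM vm;
    Thread t1{1}, t2{2};
    Outcome out{false, false};

    lockAndEnter(vm, t1);   // 1-2: T1 enters first and sets m_entryScope
    dropAllLocks(vm, t1);   // 3
    lockAndEnter(vm, t2);   // 4: m_entryScope already set, T2 leaves it alone
    dropAllLocks(vm, t2);   // 5

    if (!grabAllLocks(vm, t1, ordered)) {        // 6: T1 is not the last dropper
        out.t1Deferred = true;
        bool ok = grabAllLocks(vm, t2, ordered);  // T2 resumes first
        assert(ok); (void)ok;
        out.t2SawNullScope = (vm.entryScope == 0);
        exitAndUnlock(vm, t2);
        ok = grabAllLocks(vm, t1, ordered);       // now T1 may re-enter
        assert(ok); (void)ok;
        exitAndUnlock(vm, t1);
        return out;
    }
    exitAndUnlock(vm, t1);                        // 7-8: T1 clears m_entryScope
    bool ok = grabAllLocks(vm, t2, ordered);      // 9
    assert(ok); (void)ok;
    out.t2SawNullScope = (vm.entryScope == 0);    // 10: the crash condition
    exitAndUnlock(vm, t2);
    return out;
}

} // namespace model

int main() {
    model::Outcome unordered = model::runScenario(false);
    model::Outcome ordered = model::runScenario(true);
    std::printf("unordered re-entry: T2 sees null entry scope = %d\n", unordered.t2SawNullScope);
    std::printf("ordered re-entry:   T1 deferred = %d, T2 sees null entry scope = %d\n",
                ordered.t1Deferred, ordered.t2SawNullScope);
    return 0;
}
```

        The model deliberately has no real threads: the interleaving is fixed by the
        call order, so the bad schedule is reproduced every run instead of depending
        on timing.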
2465
2466 2014-02-25  Mark Lam  <mark.lam@apple.com>
2467
2468         Need to initialize VM stack data even when the VM is on an exclusive thread.
2469         <https://webkit.org/b/129265>
2470
2471         Not reviewed.
2472
2473         Relanding r164627 now that <https://webkit.org/b/129341> is fixed.
2474
2475         * API/APIShims.h:
2476         (JSC::APIEntryShim::APIEntryShim):
2477         (JSC::APICallbackShim::shouldDropAllLocks):
2478         * heap/MachineStackMarker.cpp:
2479         (JSC::MachineThreads::addCurrentThread):
2480         * runtime/JSLock.cpp:
2481         (JSC::JSLockHolder::JSLockHolder):
2482         (JSC::JSLockHolder::init):
2483         (JSC::JSLockHolder::~JSLockHolder):
2484         (JSC::JSLock::JSLock):
2485         (JSC::JSLock::setExclusiveThread):
2486         (JSC::JSLock::lock):
2487         (JSC::JSLock::unlock):
2488         (JSC::JSLock::currentThreadIsHoldingLock):
2489         (JSC::JSLock::dropAllLocks):
2490         (JSC::JSLock::grabAllLocks):
2491         * runtime/JSLock.h:
2492         (JSC::JSLock::hasExclusiveThread):
2493         (JSC::JSLock::exclusiveThread):
2494         * runtime/VM.cpp:
2495         (JSC::VM::VM):
2496         * runtime/VM.h:
2497         (JSC::VM::hasExclusiveThread):
2498         (JSC::VM::exclusiveThread):
2499         (JSC::VM::setExclusiveThread):
2500         (JSC::VM::currentThreadIsHoldingAPILock):
2501
2502 2014-02-25  Filip Pizlo  <fpizlo@apple.com>
2503
2504         Inline caching in the FTL on ARM64 should "work"
2505         https://bugs.webkit.org/show_bug.cgi?id=129334
2506
2507         Reviewed by Mark Hahnenberg.
2508         
2509         Gets us to the point where simple tests that use inline caching are passing.
2510
2511         * assembler/LinkBuffer.cpp:
2512         (JSC::LinkBuffer::copyCompactAndLinkCode):
2513         (JSC::LinkBuffer::shrink):
2514         * ftl/FTLInlineCacheSize.cpp:
2515         (JSC::FTL::sizeOfGetById):
2516         (JSC::FTL::sizeOfPutById):
2517         (JSC::FTL::sizeOfCall):
2518         * ftl/FTLOSRExitCompiler.cpp:
2519         (JSC::FTL::compileFTLOSRExit):
2520         * ftl/FTLThunks.cpp:
2521         (JSC::FTL::osrExitGenerationThunkGenerator):
2522         * jit/GPRInfo.h:
2523         * offlineasm/arm64.rb:
2524
2525 2014-02-25  Commit Queue  <commit-queue@webkit.org>
2526
2527         Unreviewed, rolling out r164627.
2528         http://trac.webkit.org/changeset/164627
2529         https://bugs.webkit.org/show_bug.cgi?id=129325
2530
2531         Broke SubtleCrypto tests (Requested by ap on #webkit).
2532
2533         * API/APIShims.h:
2534         (JSC::APIEntryShim::APIEntryShim):
2535         (JSC::APICallbackShim::shouldDropAllLocks):
2536         * heap/MachineStackMarker.cpp:
2537         (JSC::MachineThreads::addCurrentThread):
2538         * runtime/JSLock.cpp:
2539         (JSC::JSLockHolder::JSLockHolder):
2540         (JSC::JSLockHolder::init):
2541         (JSC::JSLockHolder::~JSLockHolder):
2542         (JSC::JSLock::JSLock):
2543         (JSC::JSLock::lock):
2544         (JSC::JSLock::unlock):
2545         (JSC::JSLock::currentThreadIsHoldingLock):
2546         (JSC::JSLock::dropAllLocks):
2547         (JSC::JSLock::grabAllLocks):
2548         * runtime/JSLock.h:
2549         * runtime/VM.cpp:
2550         (JSC::VM::VM):
2551         * runtime/VM.h:
2552         (JSC::VM::currentThreadIsHoldingAPILock):
2553
2554 2014-02-25  Filip Pizlo  <fpizlo@apple.com>
2555
2556         ARM64 rshift64 should be an arithmetic shift
2557         https://bugs.webkit.org/show_bug.cgi?id=129323
2558
2559         Reviewed by Mark Hahnenberg.
2560
2561         * assembler/MacroAssemblerARM64.h:
2562         (JSC::MacroAssemblerARM64::rshift64):
2563
2564 2014-02-25  Sergio Villar Senin  <svillar@igalia.com>
2565
2566         [CSS Grid Layout] Add ENABLE flag
2567         https://bugs.webkit.org/show_bug.cgi?id=129153
2568
2569         Reviewed by Simon Fraser.
2570
2571         * Configurations/FeatureDefines.xcconfig: added ENABLE_CSS_GRID_LAYOUT feature flag.
2572
2573 2014-02-25  Michael Saboff  <msaboff@apple.com>
2574
2575         JIT Engines use the wrong stack limit for stack checks
2576         https://bugs.webkit.org/show_bug.cgi?id=129314
2577
2578         Reviewed by Filip Pizlo.
2579
2580         Change the Baseline and DFG code to use VM::m_stackLimit for stack limit checks.
2581
2582         * dfg/DFGJITCompiler.cpp:
2583         (JSC::DFG::JITCompiler::compileFunction):
2584         * jit/JIT.cpp:
2585         (JSC::JIT::privateCompile):
2586         * jit/JITCall.cpp:
2587         (JSC::JIT::compileLoadVarargs):
2588         * jit/JITCall32_64.cpp:
2589         (JSC::JIT::compileLoadVarargs):
2590         * runtime/VM.h:
2591         (JSC::VM::addressOfStackLimit):
2592
2593 2014-02-25  Filip Pizlo  <fpizlo@apple.com>
2594
2595         Unreviewed, roll out http://trac.webkit.org/changeset/164493.
2596         
2597         It causes crashes, apparently because it's removing too many barriers. I will investigate
2598         later.
2599
2600         * bytecode/SpeculatedType.cpp:
2601         (JSC::speculationToAbbreviatedString):
2602         * bytecode/SpeculatedType.h:
2603         * dfg/DFGFixupPhase.cpp:
2604         (JSC::DFG::FixupPhase::fixupNode):
2605         (JSC::DFG::FixupPhase::insertStoreBarrier):
2606         * dfg/DFGNode.h:
2607         * ftl/FTLCapabilities.cpp:
2608         (JSC::FTL::canCompile):
2609         * ftl/FTLLowerDFGToLLVM.cpp:
2610         (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
2611         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
2612         (JSC::FTL::LowerDFGToLLVM::isNotNully):
2613         (JSC::FTL::LowerDFGToLLVM::isNully):
2614         (JSC::FTL::LowerDFGToLLVM::speculate):
2615         (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
2616         (JSC::FTL::LowerDFGToLLVM::speculateNotCell):
2617
2618 2014-02-24  Oliver Hunt  <oliver@apple.com>
2619
2620         Fix build.
2621
2622         * jit/CCallHelpers.h:
2623         (JSC::CCallHelpers::setupArgumentsWithExecState):
2624
2625 2014-02-24  Oliver Hunt  <oliver@apple.com>
2626
2627         Spread operator has a bad time when applied to call function
2628         https://bugs.webkit.org/show_bug.cgi?id=128853
2629
2630         Reviewed by Geoffrey Garen.
2631
2632         Follow on from the previous patch that added an extra slot to
2633         op_call_varargs (and _call, _call_eval, _construct).  We now
2634         use the slot as an offset to in effect act as a 'slice' on
2635         the spread subject.  This allows us to automatically retain
2636         all our existing argument and array optimisations.  Most of
2637         this patch is simply threading the offset around.
2638
2639         * bytecode/CodeBlock.cpp:
2640         (JSC::CodeBlock::dumpBytecode):
2641         * bytecompiler/BytecodeGenerator.cpp:
2642         (JSC::BytecodeGenerator::emitCall):
2643         (JSC::BytecodeGenerator::emitCallVarargs):
2644         * bytecompiler/BytecodeGenerator.h:
2645         * bytecompiler/NodesCodegen.cpp:
2646         (JSC::getArgumentByVal):
2647         (JSC::CallFunctionCallDotNode::emitBytecode):
2648         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2649         * interpreter/Interpreter.cpp:
2650         (JSC::sizeFrameForVarargs):
2651         (JSC::loadVarargs):
2652         * interpreter/Interpreter.h:
2653         * jit/CCallHelpers.h:
2654         (JSC::CCallHelpers::setupArgumentsWithExecState):
2655         * jit/JIT.h:
2656         * jit/JITCall.cpp:
2657         (JSC::JIT::compileLoadVarargs):
2658         * jit/JITInlines.h:
2659         (JSC::JIT::callOperation):
2660         * jit/JITOperations.cpp:
2661         * jit/JITOperations.h:
2662         * llint/LLIntSlowPaths.cpp:
2663         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2664         * runtime/Arguments.cpp:
2665         (JSC::Arguments::copyToArguments):
2666         * runtime/Arguments.h:
2667         * runtime/JSArray.cpp:
2668         (JSC::JSArray::copyToArguments):
2669         * runtime/JSArray.h:
2670
2671 2014-02-24  Mark Lam  <mark.lam@apple.com>
2672
2673         Need to initialize VM stack data even when the VM is on an exclusive thread.
2674         <https://webkit.org/b/129265>
2675
2676         Reviewed by Geoffrey Garen.
2677
2678         We check VM::exclusiveThread as an optimization to forego the need to do
2679         JSLock locking. However, we recently started piggybacking on JSLock's
2680         lock() and unlock() to initialize VM stack data (stackPointerAtVMEntry
2681         and lastStackTop) to appropriate values for the current thread. This is
2682         needed because we may be acquiring the lock to enter the VM on a different
2683         thread.
2684
2685         As a result, we ended up not initializing the VM stack data when
2686         VM::exclusiveThread causes us to bypass the locking activity. Even though
2687         the VM::exclusiveThread will not have to deal with the VM being entered
2688         on a different thread, it still needs to initialize the VM stack data.
2689         The VM relies on that data being initialized properly once it has been
2690         entered.
2691
2692         With this fix, we push the check for exclusiveThread down into the JSLock,
2693         and handle the bypassing of unneeded locking activity there while still
2694         executing the necessary VM stack data initialization.
2695
2696         * API/APIShims.h:
2697         (JSC::APIEntryShim::APIEntryShim):
2698         (JSC::APICallbackShim::shouldDropAllLocks):
2699         * heap/MachineStackMarker.cpp:
2700         (JSC::MachineThreads::addCurrentThread):
2701         * runtime/JSLock.cpp:
2702         (JSC::JSLockHolder::JSLockHolder):
2703         (JSC::JSLockHolder::init):
2704         (JSC::JSLockHolder::~JSLockHolder):
2705         (JSC::JSLock::JSLock):
2706         (JSC::JSLock::setExclusiveThread):
2707         (JSC::JSLock::lock):
2708         (JSC::JSLock::unlock):
2709         (JSC::JSLock::currentThreadIsHoldingLock):
2710         (JSC::JSLock::dropAllLocks):
2711         (JSC::JSLock::grabAllLocks):
2712         * runtime/JSLock.h:
2713         (JSC::JSLock::exclusiveThread):
2714         * runtime/VM.cpp:
2715         (JSC::VM::VM):
2716         * runtime/VM.h:
2717         (JSC::VM::exclusiveThread):
2718         (JSC::VM::setExclusiveThread):
2719         (JSC::VM::currentThreadIsHoldingAPILock):
2720
2721 2014-02-24  Filip Pizlo  <fpizlo@apple.com>
2722
2723         FTL should do polymorphic PutById inlining
2724         https://bugs.webkit.org/show_bug.cgi?id=129210
2725
2726         Reviewed by Mark Hahnenberg and Oliver Hunt.
2727         
2728         This makes PutByIdStatus inform us about polymorphic cases by returning an array of
2729         PutByIdVariants. The DFG now has a node called MultiPutByOffset that indicates a
2730         selection of multiple inlined PutByIdVariants.
2731         
2732         MultiPutByOffset is almost identical to MultiGetByOffset, which we added in
2733         http://trac.webkit.org/changeset/164207.
2734         
2735         This also does some FTL refactoring to make MultiPutByOffset share code with some nodes
2736         that generate similar code.
2737         
2738         1% speed-up on V8v7 due to splay improving by 6.8%. Splay does the thing where it
2739         sometimes swaps field insertion order, creating fake polymorphism.
2740
2741         * CMakeLists.txt:
2742         * GNUmakefile.list.am:
2743         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2744         * JavaScriptCore.xcodeproj/project.pbxproj:
2745         * bytecode/PutByIdStatus.cpp:
2746         (JSC::PutByIdStatus::computeFromLLInt):
2747         (JSC::PutByIdStatus::computeFor):
2748         (JSC::PutByIdStatus::computeForStubInfo):
2749         (JSC::PutByIdStatus::dump):
2750         * bytecode/PutByIdStatus.h:
2751         (JSC::PutByIdStatus::PutByIdStatus):
2752         (JSC::PutByIdStatus::isSimple):
2753         (JSC::PutByIdStatus::numVariants):
2754         (JSC::PutByIdStatus::variants):
2755         (JSC::PutByIdStatus::at):
2756         (JSC::PutByIdStatus::operator[]):
2757         * bytecode/PutByIdVariant.cpp: Added.
2758         (JSC::PutByIdVariant::dump):
2759         (JSC::PutByIdVariant::dumpInContext):
2760         * bytecode/PutByIdVariant.h: Added.
2761         (JSC::PutByIdVariant::PutByIdVariant):
2762         (JSC::PutByIdVariant::replace):
2763         (JSC::PutByIdVariant::transition):
2764         (JSC::PutByIdVariant::kind):
2765         (JSC::PutByIdVariant::isSet):
2766         (JSC::PutByIdVariant::operator!):
2767         (JSC::PutByIdVariant::structure):
2768         (JSC::PutByIdVariant::oldStructure):
2769         (JSC::PutByIdVariant::newStructure):
2770         (JSC::PutByIdVariant::structureChain):
2771         (JSC::PutByIdVariant::offset):
2772         * dfg/DFGAbstractInterpreterInlines.h:
2773         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2774         * dfg/DFGByteCodeParser.cpp:
2775         (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
2776         (JSC::DFG::ByteCodeParser::handleGetById):
2777         (JSC::DFG::ByteCodeParser::emitPutById):
2778         (JSC::DFG::ByteCodeParser::handlePutById):
2779         (JSC::DFG::ByteCodeParser::parseBlock):
2780         * dfg/DFGCSEPhase.cpp:
2781         (JSC::DFG::CSEPhase::checkStructureElimination):
2782         (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
2783         (JSC::DFG::CSEPhase::putStructureStoreElimination):
2784         (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
2785         (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
2786         * dfg/DFGClobberize.h:
2787         (JSC::DFG::clobberize):
2788         * dfg/DFGConstantFoldingPhase.cpp:
2789         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2790         (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
2791         * dfg/DFGFixupPhase.cpp:
2792         (JSC::DFG::FixupPhase::fixupNode):
2793         * dfg/DFGGraph.cpp:
2794         (JSC::DFG::Graph::dump):
2795         * dfg/DFGGraph.h:
2796         * dfg/DFGNode.cpp:
2797         (JSC::DFG::MultiPutByOffsetData::writesStructures):
2798         (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
2799         * dfg/DFGNode.h:
2800         (JSC::DFG::Node::convertToPutByOffset):
2801         (JSC::DFG::Node::hasMultiPutByOffsetData):
2802         (JSC::DFG::Node::multiPutByOffsetData):
2803         * dfg/DFGNodeType.h:
2804         * dfg/DFGPredictionPropagationPhase.cpp:
2805         (JSC::DFG::PredictionPropagationPhase::propagate):
2806         * dfg/DFGSafeToExecute.h:
2807         (JSC::DFG::safeToExecute):
2808         * dfg/DFGSpeculativeJIT32_64.cpp:
2809         (JSC::DFG::SpeculativeJIT::compile):
2810         * dfg/DFGSpeculativeJIT64.cpp:
2811         (JSC::DFG::SpeculativeJIT::compile):
2812         * dfg/DFGTypeCheckHoistingPhase.cpp:
2813         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
2814         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
2815         * ftl/FTLCapabilities.cpp:
2816         (JSC::FTL::canCompile):
2817         * ftl/FTLLowerDFGToLLVM.cpp:
2818         (JSC::FTL::LowerDFGToLLVM::compileNode):
2819         (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
2820         (JSC::FTL::LowerDFGToLLVM::compileAllocatePropertyStorage):
2821         (JSC::FTL::LowerDFGToLLVM::compileReallocatePropertyStorage):
2822         (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
2823         (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
2824         (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
2825         (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
2826         (JSC::FTL::LowerDFGToLLVM::loadProperty):
2827         (JSC::FTL::LowerDFGToLLVM::storeProperty):
2828         (JSC::FTL::LowerDFGToLLVM::addressOfProperty):
2829         (JSC::FTL::LowerDFGToLLVM::storageForTransition):
2830         (JSC::FTL::LowerDFGToLLVM::allocatePropertyStorage):
2831         (JSC::FTL::LowerDFGToLLVM::reallocatePropertyStorage):
2832         (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
2833         * tests/stress/fold-multi-put-by-offset-to-put-by-offset.js: Added.
2834         * tests/stress/multi-put-by-offset-reallocation-butterfly-cse.js: Added.
2835         * tests/stress/multi-put-by-offset-reallocation-cases.js: Added.
2836
2837 2014-02-24  peavo@outlook.com  <peavo@outlook.com>
2838
2839         JSC regressions after r164494
2840         https://bugs.webkit.org/show_bug.cgi?id=129272
2841
2842         Reviewed by Mark Lam.
2843
2844         * offlineasm/x86.rb: Only avoid reverse opcode (fdivr) for Windows.
2845
2846 2014-02-24  Tamas Gergely  <tgergely.u-szeged@partner.samsung.com>
2847
2848         Code cleanup: remove leftover ENABLE(WORKERS) macros and support.
2849         https://bugs.webkit.org/show_bug.cgi?id=129255
2850
2851         Reviewed by Csaba Osztrogonác.
2852
2853         ENABLE_WORKERS macro was removed in r159679.
2854         Support is now also removed from xcconfig files.
2855
2856         * Configurations/FeatureDefines.xcconfig:
2857
2858 2014-02-24  David Kilzer  <ddkilzer@apple.com>
2859
2860         Remove redundant setting in FeatureDefines.xcconfig
2861
2862         * Configurations/FeatureDefines.xcconfig:
2863
2864 2014-02-23  Sam Weinig  <sam@webkit.org>
2865
2866         Update FeatureDefines.xcconfig
2867
2868         Rubber-stamped by Anders Carlsson.
2869
2870         * Configurations/FeatureDefines.xcconfig:
2871
2872 2014-02-23  Dean Jackson  <dino@apple.com>
2873
2874         Sort the project file with sort-Xcode-project-file.
2875
2876         Rubber-stamped by Sam Weinig.
2877
2878         * JavaScriptCore.xcodeproj/project.pbxproj:
2879
2880 2014-02-23  Sam Weinig  <sam@webkit.org>
2881
2882         Move telephone number detection behind its own ENABLE macro
2883         https://bugs.webkit.org/show_bug.cgi?id=129236
2884
2885         Reviewed by Dean Jackson.
2886
2887         * Configurations/FeatureDefines.xcconfig:
2888         Add ENABLE_TELEPHONE_NUMBER_DETECTION.
2889
2890 2014-02-22  Filip Pizlo  <fpizlo@apple.com>
2891
2892         Refine DFG+FTL inlining and compilation limits
2893         https://bugs.webkit.org/show_bug.cgi?id=129212
2894
2895         Reviewed by Mark Hahnenberg.
2896         
2897         Allow larger functions to be DFG-compiled. Institute a limit on FTL compilation,
2898         and set that limit quite high. Institute a limit on inlining-into. The idea here is
2899         that large functions tend to be autogenerated, and code generators like emscripten
2900         appear to leave few inlining opportunities anyway. Also, we don't want the code
2901         size explosion that we would risk if we allowed compilation of a large function and
2902         then inlined a ton of stuff into it.
2903         
2904         This is a 0.5% speed-up on Octane v2 and almost eliminates the typescript
2905         regression. This is a 9% speed-up on AsmBench.
2906
2907         * bytecode/CodeBlock.cpp:
2908         (JSC::CodeBlock::noticeIncomingCall):
2909         * dfg/DFGByteCodeParser.cpp:
2910         (JSC::DFG::ByteCodeParser::handleInlining):
2911         * dfg/DFGCapabilities.h:
2912         (JSC::DFG::isSmallEnoughToInlineCodeInto):
2913         * ftl/FTLCapabilities.cpp:
2914         (JSC::FTL::canCompile):
2915         * ftl/FTLState.h:
2916         (JSC::FTL::shouldShowDisassembly):
2917         * runtime/Options.h:
2918
2919 2014-02-22  Dan Bernstein  <mitz@apple.com>
2920
2921         REGRESSION (r164507): Crash beneath JSGlobalObjectInspectorController::reportAPIException at facebook.com, twitter.com, youtube.com
2922         https://bugs.webkit.org/show_bug.cgi?id=129227
2923
2924         Reviewed by Eric Carlson.
2925
2926         Reverted r164507.
2927
2928         * API/JSBase.cpp:
2929         (JSEvaluateScript):
2930         (JSCheckScriptSyntax):
2931         * API/JSObjectRef.cpp:
2932         (JSObjectMakeFunction):
2933         (JSObjectMakeArray):
2934         (JSObjectMakeDate):
2935         (JSObjectMakeError):
2936         (JSObjectMakeRegExp):
2937         (JSObjectGetProperty):
2938         (JSObjectSetProperty):
2939         (JSObjectGetPropertyAtIndex):
2940         (JSObjectSetPropertyAtIndex):
2941         (JSObjectDeleteProperty):
2942         (JSObjectCallAsFunction):
2943         (JSObjectCallAsConstructor):
2944         * API/JSValue.mm:
2945         (valueToArray):
2946         (valueToDictionary):
2947         * API/JSValueRef.cpp:
2948         (JSValueIsEqual):
2949         (JSValueIsInstanceOfConstructor):
2950         (JSValueCreateJSONString):
2951         (JSValueToNumber):
2952         (JSValueToStringCopy):
2953         (JSValueToObject):
2954         * inspector/ConsoleMessage.cpp:
2955         (Inspector::ConsoleMessage::ConsoleMessage):
2956         (Inspector::ConsoleMessage::autogenerateMetadata):
2957         * inspector/ConsoleMessage.h:
2958         * inspector/JSGlobalObjectInspectorController.cpp:
2959         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2960         * inspector/JSGlobalObjectInspectorController.h:
2961         * inspector/ScriptCallStack.cpp:
2962         * inspector/ScriptCallStack.h:
2963         * inspector/ScriptCallStackFactory.cpp:
2964         (Inspector::createScriptCallStack):
2965         (Inspector::createScriptCallStackForConsole):
2966         (Inspector::createScriptCallStackFromException):
2967         * inspector/ScriptCallStackFactory.h:
2968         * inspector/agents/InspectorConsoleAgent.cpp:
2969         (Inspector::InspectorConsoleAgent::enable):
2970         (Inspector::InspectorConsoleAgent::addMessageToConsole):
2971         (Inspector::InspectorConsoleAgent::count):
2972         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
2973         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
2974
2975 2014-02-22  Joseph Pecoraro  <pecoraro@apple.com>
2976
2977         Remove some unreachable code (-Wunreachable-code)
2978         https://bugs.webkit.org/show_bug.cgi?id=129220
2979
2980         Reviewed by Eric Carlson.
2981
2982         * API/tests/testapi.c:
2983         (EvilExceptionObject_convertToType):
2984         * disassembler/udis86/udis86_decode.c:
2985         (decode_operand):
2986
2987 2014-02-22  Filip Pizlo  <fpizlo@apple.com>
2988
2989         Unreviewed, ARMv7 build fix.
2990
2991         * assembler/ARMv7Assembler.h:
2992
2993 2014-02-21  Filip Pizlo  <fpizlo@apple.com>
2994
2995         It should be possible for a LinkBuffer to outlive the MacroAssembler and still be useful
2996         https://bugs.webkit.org/show_bug.cgi?id=124733
2997
2998         Reviewed by Oliver Hunt.
2999         
3000         This also takes the opportunity to de-duplicate some branch compaction code.
3001
3002         * assembler/ARM64Assembler.h:
3003         * assembler/ARMv7Assembler.h:
3004         (JSC::ARMv7Assembler::buffer):
3005         * assembler/AssemblerBuffer.h:
3006         (JSC::AssemblerData::AssemblerData):
3007         (JSC::AssemblerBuffer::AssemblerBuffer):
3008         (JSC::AssemblerBuffer::storage):
3009         (JSC::AssemblerBuffer::grow):
3010         * assembler/LinkBuffer.h:
3011         (JSC::LinkBuffer::LinkBuffer):
3012         (JSC::LinkBuffer::executableOffsetFor):
3013         (JSC::LinkBuffer::applyOffset):
3014         * assembler/MacroAssemblerARM64.h:
3015         (JSC::MacroAssemblerARM64::link):
3016         * assembler/MacroAssemblerARMv7.h:
3017
3018 2014-02-21  Brent Fulgham  <bfulgham@apple.com>
3019
3020         Extend media support for WebVTT sources
3021         https://bugs.webkit.org/show_bug.cgi?id=129156
3022
3023         Reviewed by Eric Carlson.
3024
3025         * Configurations/FeatureDefines.xcconfig: Add new feature define for AVF_CAPTIONS
3026
3027 2014-02-21  Joseph Pecoraro  <pecoraro@apple.com>
3028
3029         Web Inspector: JSContext inspection should report exceptions in the console
3030         https://bugs.webkit.org/show_bug.cgi?id=128776
3031
3032         Reviewed by Timothy Hatcher.
3033
3034         When JavaScript API functions have an exception, let the inspector
3035         know so it can log the JavaScript and Native backtrace that caused
3036         the exception.
3037
3038         Include some clean up of ConsoleMessage and ScriptCallStack construction.
3039
3040         * API/JSBase.cpp:
3041         (JSEvaluateScript):
3042         (JSCheckScriptSyntax):
3043         * API/JSObjectRef.cpp:
3044         (JSObjectMakeFunction):
3045         (JSObjectMakeArray):
3046         (JSObjectMakeDate):
3047         (JSObjectMakeError):
3048         (JSObjectMakeRegExp):
3049         (JSObjectGetProperty):
3050         (JSObjectSetProperty):
3051         (JSObjectGetPropertyAtIndex):
3052         (JSObjectSetPropertyAtIndex):
3053         (JSObjectDeleteProperty):
3054         (JSObjectCallAsFunction):
3055         (JSObjectCallAsConstructor):
3056         * API/JSValue.mm:
3057         (reportExceptionToInspector):
3058         (valueToArray):
3059         (valueToDictionary):
3060         * API/JSValueRef.cpp:
3061         (JSValueIsEqual):
3062         (JSValueIsInstanceOfConstructor):
3063         (JSValueCreateJSONString):
3064         (JSValueToNumber):
3065         (JSValueToStringCopy):
3066         (JSValueToObject):
3067         When seeing an exception, let the inspector know there was an exception.
3068
3069         * inspector/JSGlobalObjectInspectorController.h:
3070         * inspector/JSGlobalObjectInspectorController.cpp:
3071         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3072         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
3073         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
3074         Log API exceptions by also grabbing the native backtrace.
3075
3076         * inspector/ScriptCallStack.h:
3077         * inspector/ScriptCallStack.cpp:
3078         (Inspector::ScriptCallStack::firstNonNativeCallFrame):
3079         (Inspector::ScriptCallStack::append):
3080         Minor extensions to ScriptCallStack to make it easier to work with.
3081
3082         * inspector/ConsoleMessage.cpp:
3083         (Inspector::ConsoleMessage::ConsoleMessage):
3084         (Inspector::ConsoleMessage::autogenerateMetadata):
3085         Provide better default information if the first call frame was native.
3086
3087         * inspector/ScriptCallStackFactory.cpp:
3088         (Inspector::createScriptCallStack):
3089         (Inspector::extractSourceInformationFromException):
3090         (Inspector::createScriptCallStackFromException):
3091         Perform the handling here of inserting a fake call frame for exceptions
3092         if there was no call stack (e.g. a SyntaxError) or if the first call
3093         frame had no information.
3094
3095         * inspector/ConsoleMessage.cpp:
3096         (Inspector::ConsoleMessage::ConsoleMessage):
3097         (Inspector::ConsoleMessage::autogenerateMetadata):
3098         * inspector/ConsoleMessage.h:
3099         * inspector/ScriptCallStackFactory.cpp:
3100         (Inspector::createScriptCallStack):
3101         (Inspector::createScriptCallStackForConsole):
3102         * inspector/ScriptCallStackFactory.h:
3103         * inspector/agents/InspectorConsoleAgent.cpp:
3104         (Inspector::InspectorConsoleAgent::enable):
3105         (Inspector::InspectorConsoleAgent::addMessageToConsole):
3106         (Inspector::InspectorConsoleAgent::count):
3107         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
3108         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
3109         ConsoleMessage cleanup.
3110
3111 2014-02-21  Oliver Hunt  <oliver@apple.com>
3112
3113         Add extra space to op_call and related opcodes
3114         https://bugs.webkit.org/show_bug.cgi?id=129170
3115
3116         Reviewed by Mark Lam.
3117
3118         No change in behaviour, just some refactoring to add an extra
3119         slot to the op_call instructions, and refactoring to make similar
3120         changes easier in future.
3121
3122         * bytecode/CodeBlock.cpp:
3123         (JSC::CodeBlock::printCallOp):
3124         * bytecode/Opcode.h:
3125         (JSC::padOpcodeName):
3126         * bytecompiler/BytecodeGenerator.cpp:
3127         (JSC::BytecodeGenerator::emitCall):
3128         (JSC::BytecodeGenerator::emitCallVarargs):
3129         (JSC::BytecodeGenerator::emitConstruct):
3130         * dfg/DFGByteCodeParser.cpp:
3131         (JSC::DFG::ByteCodeParser::handleIntrinsic):
3132         * jit/JITCall.cpp:
3133         (JSC::JIT::compileOpCall):
3134         * jit/JITCall32_64.cpp:
3135         (JSC::JIT::compileOpCall):
3136         * llint/LowLevelInterpreter.asm:
3137         * llint/LowLevelInterpreter32_64.asm:
3138         * llint/LowLevelInterpreter64.asm:
3139
3140 2014-02-21  Mark Lam  <mark.lam@apple.com>
3141
3142         gatherFromOtherThread() needs to align the sp before gathering roots.
3143         <https://webkit.org/b/129169>
3144
3145         Reviewed by Geoffrey Garen.
3146
3147         The GC scans the stacks of other threads using MachineThreads::gatherFromOtherThread().
3148         gatherFromOtherThread() defines the range of the other thread's stack as
3149         being bounded by the other thread's stack pointer and stack base. While
3150         the stack base will always be aligned to sizeof(void*), the stack pointer
3151         may not be. This is because the other thread may have just pushed a 32-bit
3152         value on its stack before we suspended it for scanning.
3153
3154         The fix is to round the stack pointer up to the next aligned address of
3155         sizeof(void*) and start scanning from there. On 64-bit systems, we will
3156         effectively ignore the 32-bit word at the bottom of the stack (top of the
3157         stack for stacks growing up) because it cannot be a 64-bit pointer anyway.
3158         64-bit pointers should always be stored on 64-bit aligned boundaries (our
3159         conservative scan algorithm already depends on this assumption).
3160
3161         On 32-bit systems, the rounding is effectively a no-op.
3162
3163         * heap/ConservativeRoots.cpp:
3164         (JSC::ConservativeRoots::genericAddSpan):
3165         - Hardened some assertions so that we can catch misalignment issues on
3166           release builds as well.
3167         * heap/MachineStackMarker.cpp:
3168         (JSC::MachineThreads::gatherFromOtherThread):
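
        Added illustration of the alignment fix described in the entry above (editor's example, not
        JavaScriptCore code): a conservative scan of a stack span [sp, base) that first rounds sp up
        to a sizeof(void*) boundary. The helper names (roundUpToPointerSize, conservativelyScan,
        rootsFoundWithAlignedScan, rootsFoundWithNaiveScan), the fake four-slot stack and the fake
        "heap cell" predicate are all constructed for the example. A naive scan that starts at the
        misaligned sp is included for contrast; on a 64-bit build it reads straddling words and
        finds no roots, while on 32-bit the rounding is a no-op and both scans agree.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <vector>

// Round a raw stack pointer up to the next sizeof(void*) boundary (assumed helper).
static inline const char* roundUpToPointerSize(const char* p)
{
    const uintptr_t mask = sizeof(void*) - 1;
    uintptr_t v = reinterpret_cast<uintptr_t>(p);
    return reinterpret_cast<const char*>((v + mask) & ~mask);
}

static inline bool isPointerAligned(const void* p)
{
    return (reinterpret_cast<uintptr_t>(p) & (sizeof(void*) - 1)) == 0;
}

// Conservative scan of [sp, base): every pointer-sized word is tested with
// looksLikeHeapCell. `sp` may be misaligned (the owning thread may have just
// pushed a 32-bit value); `base` is always aligned. When `alignStart` is false
// the scan starts at the raw sp, which is the behaviour the fix removes.
template<typename Predicate>
std::vector<uintptr_t> conservativelyScan(const char* sp, const char* base,
                                          Predicate looksLikeHeapCell, bool alignStart)
{
    // Hardened check that also fires in release builds: the base must be aligned.
    if (!isPointerAligned(base))
        std::abort();
    const char* cursor = alignStart ? roundUpToPointerSize(sp) : sp;
    if (alignStart)
        assert(isPointerAligned(cursor));
    std::vector<uintptr_t> roots;
    for (; cursor + sizeof(uintptr_t) <= base; cursor += sizeof(uintptr_t)) {
        uintptr_t word;
        std::memcpy(&word, cursor, sizeof(word)); // memcpy so the naive variant is still defined
        if (looksLikeHeapCell(word))
            roots.push_back(word);
    }
    return roots;
}

// Constructed scenario: a four-slot stack whose owner last pushed a 32-bit value,
// leaving sp four bytes above the lowest slot. Two slots hold fake cell addresses.
static size_t scanFakeStack(bool alignStart)
{
    alignas(sizeof(void*)) uintptr_t slots[4] = { 0, 0x10000, 0xdeadbeef, 0x20000 };
    const char* base = reinterpret_cast<const char*>(slots + 4);              // high end, aligned
    const char* sp = reinterpret_cast<const char*>(slots) + sizeof(uint32_t); // misaligned on 64-bit
    auto looksLikeHeapCell = [](uintptr_t w) { return w == 0x10000 || w == 0x20000; }; // fake heap
    return conservativelyScan(sp, base, looksLikeHeapCell, alignStart).size();
}

size_t rootsFoundWithAlignedScan() { return scanFakeStack(true); }  // 2 on 32- and 64-bit
size_t rootsFoundWithNaiveScan()   { return scanFakeStack(false); } // 0 on 64-bit, 2 on 32-bit

int main()
{
    std::printf("aligned scan: %zu roots, naive scan: %zu roots\n",
                rootsFoundWithAlignedScan(), rootsFoundWithNaiveScan());
    return 0;
}
```

        The skipped bytes below the rounded-up cursor cannot hold a pointer-aligned 64-bit pointer,
        so, as the entry says, nothing is lost by ignoring them.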
3169
3170 2014-02-21  Matthew Mirman  <mmirman@apple.com>
3171
3172         Added a GetMyArgumentsLengthSafe and added a speculation check.
3173         https://bugs.webkit.org/show_bug.cgi?id=129051
3174
3175         Reviewed by Filip Pizlo.
3176
3177         * ftl/FTLLowerDFGToLLVM.cpp:
3178         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
3179
3180 2014-02-21  peavo@outlook.com  <peavo@outlook.com>
3181
3182         [Win][LLINT] Many JSC stress test failures.
3183         https://bugs.webkit.org/show_bug.cgi?id=129155
3184
3185         Reviewed by Michael Saboff.
3186
3187         Intel syntax has reversed operand order compared to AT&T syntax, so we need to swap the operand order, in this case on floating point operations.
3188         Also avoid using the reverse opcode (e.g. fdivr), as this puts the result at the wrong position in the floating point stack.
3189         E.g. "divd ft0, ft1" would translate to fdivr st, st(1) (Intel syntax) on Windows, but this puts the result in st, when it should be in st(1).
3190
3191         * offlineasm/x86.rb: Swap operand order on Windows.
3192
3193 2014-02-21  Filip Pizlo  <fpizlo@apple.com>
3194
3195         DFG write barriers should do more speculations
3196         https://bugs.webkit.org/show_bug.cgi?id=129160
3197
3198         Reviewed by Mark Hahnenberg.
3199         
3200         Replace ConditionalStoreBarrier with the cheapest speculation that you could do
3201         instead.
3202         
3203         Miniscule speed-up on some things. It's a decent difference in code size, though.
3204
3205         * bytecode/SpeculatedType.cpp:
3206         (JSC::speculationToAbbreviatedString):
3207         * bytecode/SpeculatedType.h:
3208         (JSC::isNotCellSpeculation):
3209         * dfg/DFGFixupPhase.cpp:
3210         (JSC::DFG::FixupPhase::fixupNode):
3211         (JSC::DFG::FixupPhase::insertStoreBarrier):
3212         (JSC::DFG::FixupPhase::insertPhantomCheck):
3213         * dfg/DFGNode.h:
3214         (JSC::DFG::Node::shouldSpeculateOther):
3215         (JSC::DFG::Node::shouldSpeculateNotCell):
3216         * ftl/FTLCapabilities.cpp:
3217         (JSC::FTL::canCompile):
3218         * ftl/FTLLowerDFGToLLVM.cpp:
3219         (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
3220         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
3221         (JSC::FTL::LowerDFGToLLVM::isNotOther):
3222         (JSC::FTL::LowerDFGToLLVM::isOther):
3223         (JSC::FTL::LowerDFGToLLVM::speculate):
3224         (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
3225         (JSC::FTL::LowerDFGToLLVM::speculateOther):
3226         (JSC::FTL::LowerDFGToLLVM::speculateNotCell):
3227
3228 2014-02-21  Joseph Pecoraro  <pecoraro@apple.com>
3229
3230         Revert r164486, causing a number of test failures.
3231
3232         Unreviewed rollout.
3233
3234 2014-02-21  Filip Pizlo  <fpizlo@apple.com>
3235
3236         Revive SABI (aka shouldAlwaysBeInlined)
3237         https://bugs.webkit.org/show_bug.cgi?id=129159
3238
3239         Reviewed by Mark Hahnenberg.
3240         
3241         This is a small Octane speed-up.
3242
3243         * jit/Repatch.cpp:
3244         (JSC::linkFor): This code was assuming that if it's invoked then the caller is a DFG code block. That's wrong, since it's now used by all of the JITs.
3245
3246 2014-02-21  Joseph Pecoraro  <pecoraro@apple.com>
3247
3248         Web Inspector: JSContext inspection should report exceptions in the console
3249         https://bugs.webkit.org/show_bug.cgi?id=128776
3250
3251         Reviewed by Timothy Hatcher.
3252
3253         When JavaScript API functions have an exception, let the inspector
3254         know so it can log the JavaScript and Native backtrace that caused
3255         the exception.
3256
3257         Include some clean up of ConsoleMessage and ScriptCallStack construction.
3258
3259         * API/JSBase.cpp:
3260         (JSEvaluateScript):
3261         (JSCheckScriptSyntax):
3262         * API/JSObjectRef.cpp:
3263         (JSObjectMakeFunction):
3264         (JSObjectMakeArray):
3265         (JSObjectMakeDate):
3266         (JSObjectMakeError):
3267         (JSObjectMakeRegExp):
3268         (JSObjectGetProperty):
3269         (JSObjectSetProperty):
3270         (JSObjectGetPropertyAtIndex):
3271         (JSObjectSetPropertyAtIndex):
3272         (JSObjectDeleteProperty):
3273         (JSObjectCallAsFunction):
3274         (JSObjectCallAsConstructor):
3275         * API/JSValue.mm:
3276         (reportExceptionToInspector):
3277         (valueToArray):
3278         (valueToDictionary):
3279         * API/JSValueRef.cpp:
3280         (JSValueIsEqual):
3281         (JSValueIsInstanceOfConstructor):
3282         (JSValueCreateJSONString):
3283         (JSValueToNumber):
3284         (JSValueToStringCopy):
3285         (JSValueToObject):
3286         When seeing an exception, let the inspector know there was an exception.
3287
3288         * inspector/JSGlobalObjectInspectorController.h:
3289         * inspector/JSGlobalObjectInspectorController.cpp:
3290         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3291         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
3292         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
3293         Log API exceptions by also grabbing the native backtrace.
3294
3295         * inspector/ScriptCallStack.h:
3296         * inspector/ScriptCallStack.cpp:
3297         (Inspector::ScriptCallStack::firstNonNativeCallFrame):
3298         (Inspector::ScriptCallStack::append):
3299         Minor extensions to ScriptCallStack to make it easier to work with.
3300
3301         * inspector/ConsoleMessage.cpp:
3302         (Inspector::ConsoleMessage::ConsoleMessage):
3303         (Inspector::ConsoleMessage::autogenerateMetadata):
3304         Provide better default information if the first call frame was native.
3305
3306         * inspector/ScriptCallStackFactory.cpp:
3307         (Inspector::createScriptCallStack):
3308         (Inspector::extractSourceInformationFromException):
3309         (Inspector::createScriptCallStackFromException):
3310         Perform the handling here of inserting a fake call frame for exceptions
3311         if there was no call stack (e.g. a SyntaxError) or if the first call
3312         frame had no information.
3313
3314         * inspector/ConsoleMessage.cpp:
3315         (Inspector::ConsoleMessage::ConsoleMessage):
3316         (Inspector::ConsoleMessage::autogenerateMetadata):
3317         * inspector/ConsoleMessage.h:
3318         * inspector/ScriptCallStackFactory.cpp:
3319         (Inspector::createScriptCallStack):
3320         (Inspector::createScriptCallStackForConsole):
3321         * inspector/ScriptCallStackFactory.h:
3322         * inspector/agents/InspectorConsoleAgent.cpp:
3323         (Inspector::InspectorConsoleAgent::enable):
3324         (Inspector::InspectorConsoleAgent::addMessageToConsole):
3325         (Inspector::InspectorConsoleAgent::count):
3326         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
3327         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
3328         ConsoleMessage cleanup.
3329
3330 2014-02-20  Anders Carlsson  <andersca@apple.com>
3331
3332         Modernize JSGlobalLock and JSLockHolder
3333         https://bugs.webkit.org/show_bug.cgi?id=129105
3334
3335         Reviewed by Michael Saboff.
3336
3337         Use std::mutex and std::thread::id where possible.
3338
3339         * runtime/JSLock.cpp:
3340         (JSC::GlobalJSLock::GlobalJSLock):
3341         (JSC::GlobalJSLock::~GlobalJSLock):
3342         (JSC::GlobalJSLock::initialize):
3343         (JSC::JSLock::JSLock):
3344         (JSC::JSLock::lock):
3345         (JSC::JSLock::unlock):
3346         (JSC::JSLock::currentThreadIsHoldingLock):
3347         * runtime/JSLock.h:
3348
3349 2014-02-20  Mark Lam  <mark.lam@apple.com>
3350
3351         virtualForWithFunction() should not throw an exception with a partially initialized frame.
3352         <https://webkit.org/b/129134>
3353
3354         Reviewed by Michael Saboff.
3355
3356         Currently, when JITOperations.cpp's virtualForWithFunction() fails to
3357         prepare the callee function for execution, it proceeds to throw the
3358         exception using the callee frame which is only partially initialized
3359         thus far. Instead, it should be throwing the exception using the caller
3360         frame because:
3361         1. the error happened "in" the caller while preparing the callee for
3362            execution i.e. the caller frame is the top fully initialized frame
3363            on the stack.
3364         2. the callee frame is not fully initialized yet, and the unwind
3365            mechanism cannot depend on the data in it.
3366
3367         * jit/JITOperations.cpp:
3368
3369 2014-02-20  Mark Lam  <mark.lam@apple.com>
3370
3371         DefaultGCActivityCallback::doWork() should reschedule if GC is deferred.
3372         <https://webkit.org/b/129131>
3373
3374         Reviewed by Mark Hahnenberg.
3375
3376         Currently, DefaultGCActivityCallback::doWork() does not check if the GC
3377         needs to be deferred before commencing. As a result, the GC may crash
3378         and/or corrupt data because the VM is not in the consistent state needed
3379         for the GC to run. With this fix, doWork() now checks if the GC is
3380         supposed to be deferred and re-schedules if needed. It only commences
3381         with GC'ing when it's safe to do so.
3382
3383         * runtime/GCActivityCallback.cpp:
3384         (JSC::DefaultGCActivityCallback::doWork):
3385
3386 2014-02-20  Geoffrey Garen  <ggaren@apple.com>
3387
3388         Math.imul gives wrong results
3389         https://bugs.webkit.org/show_bug.cgi?id=126345
3390
3391         Reviewed by Mark Hahnenberg.
3392
3393         Don't truncate non-int doubles to 0 -- that's just not how ToInt32 works.
3394         Instead, take a slow path that will do the right thing.
3395
3396         * jit/ThunkGenerators.cpp:
3397         (JSC::imulThunkGenerator):
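
        Added illustration of the ToInt32 point made in the entry above (editor's example, not
        JavaScriptCore's thunk code): a spec-style ToInt32 (truncate toward zero, reduce modulo
        2^32, wrap into the signed range) and a Math.imul built on it, next to a fast path of the
        kind the entry warns against, which returns 0 for any double that is not already an exact
        int32. The function names (toInt32, mathImul, fastPathToInt32ThatTruncatesToZero) are
        constructed for the example.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>

// ES ToInt32: NaN, +/-0 and +/-Infinity map to 0; otherwise truncate toward zero,
// reduce modulo 2^32 into [0, 2^32), then reinterpret as a signed 32-bit value.
int32_t toInt32(double number)
{
    if (std::isnan(number) || std::isinf(number) || number == 0)
        return 0;
    const double twoTo32 = 4294967296.0;
    double truncated = std::trunc(number);           // sign(x) * floor(|x|)
    double modulo = std::fmod(truncated, twoTo32);   // keeps the sign of `truncated`
    if (modulo < 0)
        modulo += twoTo32;                           // now in [0, 2^32)
    return static_cast<int32_t>(static_cast<uint32_t>(modulo));
}

// Math.imul(a, b): ToInt32 both operands, multiply with 32-bit wraparound.
int32_t mathImul(double a, double b)
{
    uint32_t ua = static_cast<uint32_t>(toInt32(a));
    uint32_t ub = static_cast<uint32_t>(toInt32(b));
    return static_cast<int32_t>(ua * ub);            // unsigned multiply wraps mod 2^32
}

// The shortcut the entry describes as wrong: anything that is not an exact int32 becomes 0.
int32_t fastPathToInt32ThatTruncatesToZero(double number)
{
    double intPart;
    bool isExactInt32 = std::modf(number, &intPart) == 0
        && intPart >= -2147483648.0 && intPart <= 2147483647.0;
    return isExactInt32 ? static_cast<int32_t>(intPart) : 0;
}

int main()
{
    const double samples[] = { 2.5, -1.5, 4294967299.0, 2147483648.0 };
    for (double x : samples)
        std::printf("ToInt32(%.1f): spec=%d fast-path=%d\n", x, toInt32(x),
                    fastPathToInt32ThatTruncatesToZero(x));
    std::printf("Math.imul(0xffffffff, 5) = %d\n", mathImul(4294967295.0, 5));
    return 0;
}
```

        Every sample in main() is a case where the shortcut disagrees with ToInt32, so Math.imul
        built on the shortcut would return 0 for inputs such as 2.5 * 4 where the correct answer is 8.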
3398
3399 2014-02-20  Filip Pizlo  <fpizlo@apple.com>
3400
3401         DFG should do its own static estimates of execution frequency before it starts creating OSR entrypoints
3402         https://bugs.webkit.org/show_bug.cgi?id=129129
3403
3404         Reviewed by Geoffrey Garen.
3405         
3406         We estimate execution counts based on loop depth, and then use those to estimate branch
3407         weights. These weights then get carried all the way down to LLVM prof branch_weights
3408         meta-data.
3409         
3410         This is better than letting LLVM do its own static estimates, since by the time we
3411         generate LLVM IR, we may have messed up the CFG due to OSR entrypoint creation. Of
3412         course, it would be even better if we just slurped in some kind of execution counts
3413         from profiling, but we don't do that, yet.
3414
3415         * CMakeLists.txt:
3416         * GNUmakefile.list.am:
3417         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3418         * JavaScriptCore.xcodeproj/project.pbxproj:
3419         * dfg/DFGBasicBlock.cpp:
3420         (JSC::DFG::BasicBlock::BasicBlock):
3421         * dfg/DFGBasicBlock.h:
3422         * dfg/DFGBlockInsertionSet.cpp:
3423         (JSC::DFG::BlockInsertionSet::insert):
3424         (JSC::DFG::BlockInsertionSet::insertBefore):
3425         * dfg/DFGBlockInsertionSet.h:
3426         * dfg/DFGByteCodeParser.cpp:
3427         (JSC::DFG::ByteCodeParser::handleInlining):
3428         (JSC::DFG::ByteCodeParser::parseCodeBlock):
3429         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
3430         (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
3431         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
3432         (JSC::DFG::createPreHeader):
3433         * dfg/DFGNaturalLoops.h:
3434         (JSC::DFG::NaturalLoops::loopDepth):
3435         * dfg/DFGOSREntrypointCreationPhase.cpp:
3436         (JSC::DFG::OSREntrypointCreationPhase::run):
3437         * dfg/DFGPlan.cpp:
3438         (JSC::DFG::Plan::compileInThreadImpl):
3439         * dfg/DFGStaticExecutionCountEstimationPhase.cpp: Added.
3440         (JSC::DFG::StaticExecutionCountEstimationPhase::StaticExecutionCountEstimationPhase):
3441         (JSC::DFG::StaticExecutionCountEstimationPhase::run):
3442         (JSC::DFG::StaticExecutionCountEstimationPhase::applyCounts):
3443         (JSC::DFG::performStaticExecutionCountEstimation):
3444         * dfg/DFGStaticExecutionCountEstimationPhase.h: Added.
3445
3446 2014-02-20  Filip Pizlo  <fpizlo@apple.com>
3447
3448         FTL may not see a compact_unwind section if there weren't any stackmaps
3449         https://bugs.webkit.org/show_bug.cgi?id=129125
3450
3451         Reviewed by Geoffrey Garen.
3452         
3453         It's OK to not have an unwind section, so long as the function also doesn't have any
3454         OSR exits.
3455
3456         * ftl/FTLCompile.cpp:
3457         (JSC::FTL::fixFunctionBasedOnStackMaps):
3458         (JSC::FTL::compile):
3459         * ftl/FTLUnwindInfo.cpp:
3460         (JSC::FTL::UnwindInfo::parse):
3461         * ftl/FTLUnwindInfo.h:
3462
3463 == Rolled over to ChangeLog-2014-02-20 ==