b0c25dd424e23bc19e564eb0f089e06f59a39bd1
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-02-20  Mark Lam  <mark.lam@apple.com>

        [JSObjCClassInfo reallocateConstructorAndOrPrototype] should also reallocate super class prototype chain.
        <https://webkit.org/b/141809>

        Reviewed by Geoffrey Garen.

        An ObjC class that implements the JSExport protocol will have a JS prototype
        chain and constructor automatically synthesized for its JS wrapper object.
        However, if there are no more instances of that ObjC class reachable by a
        JS GC root scan, then its synthesized prototype chain and constructors may
        be released by the GC.  If a new instance of that ObjC class is subsequently
        instantiated, then [JSObjCClassInfo reallocateConstructorAndOrPrototype]
        should re-construct the prototype chain and constructor (if they were
        previously released).  However, the current implementation only
        re-constructs the immediate prototype, but not every other prototype
        object upstream in the prototype chain.

        To fix this, we do the following:
        1. We no longer allocate the JSObjCClassInfo's prototype and constructor
           eagerly.  Hence, -initWithContext:forClass: will no longer call
           -allocateConstructorAndPrototypeWithSuperClassInfo:.
        2. Instead, we'll always access the prototype and constructor through
           accessor methods.  The accessor methods will call
           -allocateConstructorAndPrototype: if needed.
        3. -allocateConstructorAndPrototype: will fetch the needed superClassInfo
           from the JSWrapperMap itself.  This makes it so that we no longer
           need to pass the superClassInfo all over.
        4. -allocateConstructorAndPrototype: will get the super class prototype
           by invoking -prototype: on the superClassInfo, thereby allowing the
           super class to allocate its prototype and constructor if needed and
           fixing the issue in this bug.

        5. Also removed the GC warning comments, and ensured that needed JS
           objects are kept alive by having a local var pointing to them from the
           stack (which makes a GC root).

        * API/JSWrapperMap.mm:
        (-[JSObjCClassInfo initWithContext:forClass:]):
        (-[JSObjCClassInfo allocateConstructorAndPrototype]):
        (-[JSObjCClassInfo wrapperForObject:]):
        (-[JSObjCClassInfo constructor]):
        (-[JSObjCClassInfo prototype]):
        (-[JSWrapperMap classInfoForClass:]):
        (-[JSObjCClassInfo initWithContext:forClass:superClassInfo:]): Deleted.
        (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]): Deleted.
        (-[JSObjCClassInfo reallocateConstructorAndOrPrototype]): Deleted.
        * API/tests/Regress141809.h: Added.
        * API/tests/Regress141809.mm: Added.
        (-[TestClassB name]):
        (-[TestClassC name]):
        (runRegress141809):
        * API/tests/testapi.mm:
        * JavaScriptCore.xcodeproj/project.pbxproj:

2015-02-20  Alexey Proskuryakov  <ap@apple.com>

        Remove svn:keywords property.

        As far as I can tell, the property had no effect on any of these files, but also,
        when it has effect it's likely harmful.

        * builtins/ArrayConstructor.js: Removed property svn:keywords.

2015-02-20  Michael Saboff  <msaboff@apple.com>

        DFG JIT needs to check for stack overflow at the start of Program and Eval execution
        https://bugs.webkit.org/show_bug.cgi?id=141676

        Reviewed by Filip Pizlo.

        Added stack check to the beginning of the code the DFG compiler emits for Program and Eval nodes.
        To aid in testing the code, I replaced the EvalCodeCache::maxCacheableSourceLength const
        with an option in runtime/Options.h.  The test script, run-jsc-stress-tests, sets that option
        to a huge value when running with the "Eager" options.  This allows the updated test to
        reliably exercise the code in question.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compile):
        Added stack check.

        * bytecode/EvalCodeCache.h:
        (JSC::EvalCodeCache::tryGet):
        (JSC::EvalCodeCache::getSlow):
        * runtime/Options.h:
        Replaced EvalCodeCache::maxCacheableSourceLength with Options::maximumEvalCacheableSourceLength
        so that it can be configured when running the related test.

2015-02-20  Eric Carlson  <eric.carlson@apple.com>

        [iOS] cleanup AirPlay code
        https://bugs.webkit.org/show_bug.cgi?id=141811

        Reviewed by Jer Noble.

        * Configurations/FeatureDefines.xcconfig: IOS_AIRPLAY -> WIRELESS_PLAYBACK_TARGET.

2015-02-19  Dean Jackson  <dino@apple.com>

        ES6: Implement Array.from()
        https://bugs.webkit.org/show_bug.cgi?id=141054
        <rdar://problem/19654521>

        Reviewed by Filip Pizlo.

        Implement the Array.from() ES6 method
        as defined in Section 22.1.2.1 of the specification.

        Given that we can't rely on the built-in
        global functions or objects to be untainted,
        I had to expose a few of them directly to
        the function via private names. In particular:
        - Math.floor -> @floor
        - Math.abs -> @abs
        - Number -> @Number
        - Array -> @Array
        - isFinite -> @isFinite

        * builtins/ArrayConstructor.js: Added.
        (from): Implementation of Array.from in JavaScript.
        * runtime/ArrayConstructor.cpp: Add "from" to the lookup
        table for the constructor object.
        * runtime/CommonIdentifiers.h: Add the private versions
        of the identifiers listed above.
        * runtime/JSGlobalObject.cpp: Add the implementations of
        those identifiers to the global object (using their
        private names).
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalPrivateFuncAbs): Implementation of the abs function.
        (JSC::globalPrivateFuncFloor): Implementation of the floor function.
        * runtime/JSGlobalObjectFunctions.h:

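The tainted-builtins concern in the Array.from entry above, shown as an added JavaScript example that is not WebKit code: a ToLength helper that captures Math.floor, Number and isFinite when it is defined (playing the role of JSC's private @floor/@Number/@isFinite names) keeps computing the right length after a script replaces Math.floor, while one that looks the globals up at call time does not. The function names are hypothetical and the ToLength logic is a simplification of the spec algorithm.

```javascript
// Added example (not WebKit code). Demonstrates why a self-hosted builtin
// such as Array.from must not depend on the user-visible globals: any script
// can reassign Math.floor, Number or isFinite, and a builtin that resolves
// them at call time would then misbehave for every caller.

// Captured at definition time: the analogue of JSC's private names.
const $floor = Math.floor;
const $Number = Number;
const $isFinite = isFinite;
const $Array = Array;

// Simplified ToLength (ES6 7.1.15) using only the captured intrinsics.
function toLengthSafe(v) {
  const len = $Number(v);
  if (len !== len || len <= 0) return 0;          // NaN or non-positive
  if (!$isFinite(len)) return 2 ** 53 - 1;        // clamp to 2^53 - 1
  return $floor(len);
}

// Same computation, but resolving the globals at call time (the naive way).
function toLengthNaive(v) {
  const len = Number(v);
  if (len !== len || len <= 0) return 0;
  if (!isFinite(len)) return 2 ** 53 - 1;
  return Math.floor(len);
}

// Minimal Array.from for array-like (non-iterable) input, parameterised on
// the ToLength implementation so both variants can be compared.
function arrayFromLike(items, toLength) {
  const len = toLength(items.length);
  const result = new $Array(len);
  for (let k = 0; k < len; k++) result[k] = items[k];
  return result;
}

// Replaces Math.floor after the functions above were defined, records what
// each variant produces before and after, and restores the original.
function demonstrateTampering() {
  const items = { length: 2.7, 0: "a", 1: "b" };   // constructed array-like
  const before = {
    safe: arrayFromLike(items, toLengthSafe).length,
    naive: arrayFromLike(items, toLengthNaive).length,
  };
  const originalFloor = Math.floor;
  Math.floor = () => 0;                            // hostile override
  try {
    const after = {
      safe: arrayFromLike(items, toLengthSafe).length,
      naive: arrayFromLike(items, toLengthNaive).length,
    };
    return { before, after };
  } finally {
    Math.floor = originalFloor;
  }
}
```

After the override, the naive variant produces an empty array while the captured-intrinsics variant still yields two elements.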
2015-02-19  Benjamin Poulain  <bpoulain@apple.com>

        Refine the FTL part of ArithPow
        https://bugs.webkit.org/show_bug.cgi?id=141792

        Reviewed by Filip Pizlo.

        This patch refines the FTL lowering of ArithPow. This was left out
        of the original patch to keep it simpler.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileArithPow):
        Two improvements here:
        1) Do not generate the NaN check unless we know the exponent might be a NaN.
        2) Use one BasicBlock per check with the appropriate weight. Now that we have
           one branch per test, move the Infinity check before the check for 1 since
           it is the less common case.

        * tests/stress/math-pow-becomes-custom-function.js: Added.
        Test for changing the Math.pow() function after it has been optimized.

        * tests/stress/math-pow-nan-behaviors.js:
        The previous tests were only going as far as the DFGAbstractInterpreter
        where the operations were replaced by the equivalent constant.

        I duplicated the test functions to also test the dynamic behavior of DFG
        and FTL.

        * tests/stress/math-pow-with-constants.js:
        Add cases covering exponent constants. LLVM removes many value
        checks for those.

        * tests/stress/math-pow-with-never-NaN-exponent.js: Added.
        Test for the new optimization removing the NaN check.

2015-02-19  Csaba Osztrogonác  <ossy@webkit.org>

        REGRESSION(r180279): It broke 20 tests on ARM Linux
        https://bugs.webkit.org/show_bug.cgi?id=141771

        Reviewed by Filip Pizlo.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation): Align 64-bit values to respect ARM EABI.

2015-02-18  Benjamin Poulain  <bpoulain@apple.com>

        Remove BytecodeGenerator's numberMap, it is dead code
        https://bugs.webkit.org/show_bug.cgi?id=141779

        Reviewed by Filip Pizlo.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitLoad): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        The JSValueMap seems better in every way.

        The emitLoad() taking a double was the only way to use numberMap
        and that code has no caller.

2015-02-18  Michael Saboff  <msaboff@apple.com>

        Rollout r180247 & r180249 from trunk
        https://bugs.webkit.org/show_bug.cgi?id=141773

        Reviewed by Filip Pizlo.

        These changes make sense to fix the crash reported in https://bugs.webkit.org/show_bug.cgi?id=141730
        only for branches.  The change to fail the FTL compile but continue running is not comprehensive
        enough for general use on trunk.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::lower):
        (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
        (JSC::FTL::LowerDFGToLLVM::compilePhi):
        (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
        (JSC::FTL::LowerDFGToLLVM::compileValueRep):
        (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
        (JSC::FTL::LowerDFGToLLVM::compilePutLocal):
        (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
        (JSC::FTL::LowerDFGToLLVM::compileArithMul):
        (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
        (JSC::FTL::LowerDFGToLLVM::compileArithMod):
        (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
        (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
        (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
        (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
        (JSC::FTL::LowerDFGToLLVM::compileGetById):
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
        (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
        (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
        (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
        (JSC::FTL::LowerDFGToLLVM::compileNewArray):
        (JSC::FTL::LowerDFGToLLVM::compileToString):
        (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::compileSwitch):
        (JSC::FTL::LowerDFGToLLVM::compare):
        (JSC::FTL::LowerDFGToLLVM::boolify):
        (JSC::FTL::LowerDFGToLLVM::opposite):
        (JSC::FTL::LowerDFGToLLVM::lowJSValue):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::isArrayType):
        (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
        (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
        (JSC::FTL::LowerDFGToLLVM::setInt52):
        (JSC::FTL::lowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::loweringFailed): Deleted.
        * ftl/FTLLowerDFGToLLVM.h:

2015-02-18  Filip Pizlo  <fpizlo@apple.com>

        DFG should really support varargs
        https://bugs.webkit.org/show_bug.cgi?id=141332

        Reviewed by Oliver Hunt.

        This adds comprehensive vararg call support to the DFG and FTL compilers. Previously, if a
        function had a varargs call, then it could only be compiled if that varargs call was just
        forwarding arguments and we were inlining the function rather than compiling it directly. Also,
        only varargs calls were dealt with; varargs constructs were not.

        This lifts all of those restrictions. Every varargs call or construct can now be compiled by both
        the DFG and the FTL. Those calls can be inlined, too - provided that profiling gives us a
        sensible bound on arguments list length. When we inline a varargs call, the act of loading the
        varargs is now made explicit in IR. I believe that we have enough IR machinery in place that we
        would be able to do the arguments forwarding optimization as an IR transformation. This patch
        doesn't implement that yet, and keeps the old bytecode-based varargs argument forwarding
        optimization for now.

        There are three major IR features introduced in this patch:

        CallVarargs/ConstructVarargs: these are like Call/Construct except that they take an arguments
        array rather than a list of arguments. Currently, they splat this arguments array onto the stack
        using the same basic technique as the baseline JIT has always done. Except, these nodes indicate
        that we are not interested in doing the non-escaping "arguments" optimization.

        CallForwardVarargs: this is a form of CallVarargs that just does the non-escaping "arguments"
        optimization, aka forwarding arguments. It's somewhat lazy that this doesn't include
        ConstructForwardVarargs, but the reason is that once we eliminate the lazy tear-off for
        arguments, this whole thing will have to be tweaked - and for now forwarding on construct is just
        not important in benchmarks. ConstructVarargs will still do forwarding, just not inlined.

        LoadVarargs: loads all elements out of an array onto the stack in a manner suitable for a varargs
        call. This is used only when a varargs call (or construct) was inlined. The bytecode parser will
        make room on the stack for the arguments, and will use LoadVarargs to put those arguments into
        place.

        In the future, we can consider adding strength reductions like:

        - If CallVarargs/ConstructVarargs see an array of known size with known elements, turn them into
          Call/Construct.

        - If CallVarargs/ConstructVarargs are passed an unmodified, unescaped Arguments object, then
          turn them into CallForwardVarargs/ConstructForwardVarargs.

        - If LoadVarargs sees an array of known size, then turn it into a sequence of GetByVals and
          PutLocals.

        - If LoadVarargs sees an unmodified, unescaped Arguments object, then turn it into something like
          LoadForwardVarargs.

        - If CallVarargs/ConstructVarargs/LoadVarargs see the result of a splice (or other Array
          prototype function), then do the splice and varargs loading in one go (maybe via a new node
          type).

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::rshiftPtr):
        (JSC::MacroAssembler::urshiftPtr):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::urshift64):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::urshift64):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::shrq_i8r):
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::CallLinkInfo):
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):
        (JSC::CallLinkStatus::setProvenConstantCallee):
        (JSC::CallLinkStatus::dump):
        * bytecode/CallLinkStatus.h:
        (JSC::CallLinkStatus::maxNumArguments):
        (JSC::CallLinkStatus::setIsProved): Deleted.
        * bytecode/CodeOrigin.cpp:
        (WTF::printInternal):
        * bytecode/CodeOrigin.h:
        (JSC::InlineCallFrame::varargsKindFor):
        (JSC::InlineCallFrame::specializationKindFor):
        (JSC::InlineCallFrame::isVarargs):
        (JSC::InlineCallFrame::isNormalCall): Deleted.
        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        * bytecode/ExitKind.h:
        * bytecode/ValueRecovery.cpp:
        (JSC::ValueRecovery::dumpInContext):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::flush):
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleVarargsCall):
        (JSC::DFG::ByteCodeParser::emitFunctionChecks):
        (JSC::DFG::ByteCodeParser::inliningCost):
        (JSC::DFG::ByteCodeParser::inlineCall):
        (JSC::DFG::ByteCodeParser::attemptToInlineCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::handleMinMax):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::removeLastNodeFromGraph): Deleted.
        (JSC::DFG::ByteCodeParser::undoFunctionChecks): Deleted.
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::functionCapabilityLevel):
        (JSC::DFG::mightCompileFunctionFor):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.cpp:
        (WTF::printInternal):
        * dfg/DFGCommon.h:
        (JSC::DFG::canInline):
        (JSC::DFG::leastUpperBound):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::dumpBlockHeader):
        (JSC::DFG::Graph::isLiveInBytecode):
        (JSC::DFG::Graph::valueProfileFor):
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::valueProfileFor): Deleted.
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor): Deleted.
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGMayExit.cpp:
        (JSC::DFG::mayExit):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasCallVarargsData):
        (JSC::DFG::Node::callVarargsData):
        (JSC::DFG::Node::hasLoadVarargsData):
        (JSC::DFG::Node::loadVarargsData):
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::dumpAndVerifyGraph):
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPreciseLocalClobberize.h:
        (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSSAConversionPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::isFlushed):
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):
        (JSC::DFG::StackLayoutPhase::assign):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::run):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validateCPS):
        * ftl/FTLAbbreviations.h:
        (JSC::FTL::functionType):
        (JSC::FTL::buildCall):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLInlineCacheSize.cpp:
        (JSC::FTL::sizeOfCall):
        (JSC::FTL::sizeOfCallVarargs):
        (JSC::FTL::sizeOfCallForwardVarargs):
        (JSC::FTL::sizeOfConstructVarargs):
        (JSC::FTL::sizeOfIn):
        (JSC::FTL::sizeOfICFor):
        (JSC::FTL::sizeOfCheckIn): Deleted.
        * ftl/FTLInlineCacheSize.h:
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLJSCall.cpp:
        (JSC::FTL::JSCall::JSCall):
        * ftl/FTLJSCallBase.cpp:
        * ftl/FTLJSCallBase.h:
        * ftl/FTLJSCallVarargs.cpp: Added.
        (JSC::FTL::JSCallVarargs::JSCallVarargs):
        (JSC::FTL::JSCallVarargs::numSpillSlotsNeeded):
        (JSC::FTL::JSCallVarargs::emit):
        (JSC::FTL::JSCallVarargs::link):
        * ftl/FTLJSCallVarargs.h: Added.
        (JSC::FTL::JSCallVarargs::node):
        (JSC::FTL::JSCallVarargs::stackmapID):
        (JSC::FTL::JSCallVarargs::operator<):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
        (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):
        (JSC::FTL::LowerDFGToLLVM::compileLoadVarargs):
        (JSC::FTL::LowerDFGToLLVM::compileIn):
        (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
        (JSC::FTL::LowerDFGToLLVM::vmCall):
        (JSC::FTL::LowerDFGToLLVM::vmCallNoExceptions):
        (JSC::FTL::LowerDFGToLLVM::callCheck):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::call):
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State):
        * ftl/FTLState.h:
        * interpreter/Interpreter.cpp:
        (JSC::sizeOfVarargs):
        (JSC::sizeFrameForVarargs):
        * interpreter/Interpreter.h:
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::readInlinedFrame):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitExceptionCheck):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::addressFor):
        (JSC::AssemblyHelpers::calleeFrameSlot):
        (JSC::AssemblyHelpers::calleeArgumentSlot):
        (JSC::AssemblyHelpers::calleeFrameTagSlot):
        (JSC::AssemblyHelpers::calleeFramePayloadSlot):
        (JSC::AssemblyHelpers::calleeArgumentTagSlot):
        (JSC::AssemblyHelpers::calleeArgumentPayloadSlot):
        (JSC::AssemblyHelpers::calleeFrameCallerFrame):
        (JSC::AssemblyHelpers::selectScratchGPR):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/GPRInfo.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileSetupVarargsFrame):
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileSetupVarargsFrame):
        (JSC::JIT::compileOpCall):
        * jit/JITOperations.h:
        * jit/SetupVarargsFrame.cpp:
        (JSC::emitSetupVarargsFrameFastCase):
        * jit/SetupVarargsFrame.h:
        * runtime/Arguments.h:
        (JSC::Arguments::create):
        (JSC::Arguments::registerArraySizeInBytes):
        (JSC::Arguments::finishCreation):
        * runtime/Options.h:
        * tests/stress/construct-varargs-inline-smaller-Foo.js: Added.
        (Foo):
        (bar):
        (checkEqual):
        (test):
        * tests/stress/construct-varargs-inline.js: Added.
        (Foo):
        (bar):
        (checkEqual):
        (test):
        * tests/stress/construct-varargs-no-inline.js: Added.
        (Foo):
        (bar):
        (checkEqual):
        (test):
        * tests/stress/get-argument-by-val-in-inlined-varargs-call-out-of-bounds.js: Added.
        (foo):
        (bar):
        * tests/stress/get-argument-by-val-safe-in-inlined-varargs-call-out-of-bounds.js: Added.
        (foo):
        (bar):
        * tests/stress/get-my-argument-by-val-creates-arguments.js: Added.
        (blah):
        (foo):
        (bar):
        (checkEqual):
        (test):
        * tests/stress/load-varargs-then-inlined-call-exit-in-foo.js: Added.
        (foo):
        (bar):
        (checkEqual):
        * tests/stress/load-varargs-then-inlined-call-inlined.js: Added.
        (foo):
        (bar):
        (baz):
        (checkEqual):
        (test):
        * tests/stress/load-varargs-then-inlined-call.js: Added.
        (foo):
        (bar):
        (checkEqual):
        (test):

2015-02-17  Michael Saboff  <msaboff@apple.com>

        Unreviewed, restoring the C LOOP insta-crash fix in r180184.

        Fixed a typo that only affected the C Loop in the prologue() macro in LowLevelInterpreter.asm.
        After the stackHeightOKGetCodeBlock label, codeBlockSetter(t1) should be codeBlockGetter(t1).

        * llint/LowLevelInterpreter.asm: Fixed a typo.

2015-02-18  Csaba Osztrogonác  <ossy@webkit.org>

        URTBF after r180258 to fix Windows build.

        * runtime/MathCommon.cpp:
        (JSC::mathPowInternal):

2015-02-18  Joseph Pecoraro  <pecoraro@apple.com>

        REGRESSION(r180235): It broke the !ENABLE(PROMISES) build
        https://bugs.webkit.org/show_bug.cgi?id=141746

        Unreviewed build fix.

        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::getInternalProperties):
        Wrap JSPromise related code in ENABLE(PROMISES) guard.

2015-02-18  Benjamin Poulain  <benjamin@webkit.org>

        Fix the C-Loop LLInt build
        https://bugs.webkit.org/show_bug.cgi?id=141618

        Reviewed by Filip Pizlo.

        I broke C-Loop when moving the common code of pow()
        to JITOperations because that file is #ifdefed out
        when the JITs are disabled.

        It would be weird to move it back to MathObject since
        the function needs to know about the calling conventions.

        To avoid making a mess, I just gave the function its own file
        that is used by both the runtime and the JIT.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreterInlines.h:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * runtime/MathCommon.cpp: Added.
        (JSC::fdlibmScalbn):
        (JSC::fdlibmPow):
        (JSC::isDenormal):
        (JSC::isEdgeCase):
        (JSC::mathPowInternal):
        (JSC::operationMathPow):
        * runtime/MathCommon.h: Added.
        * runtime/MathObject.cpp:

2015-02-17  Benjamin Poulain  <bpoulain@apple.com>

        Clean up OSRExit's considerAddingAsFrequentExitSite()
        https://bugs.webkit.org/show_bug.cgi?id=141690

        Reviewed by Anders Carlsson.

        Looks like some code was removed from CodeBlock::tallyFrequentExitSites()
        and the OSRExits were left untouched.

        This patch cleans up the two loops and removes the boolean return
        on considerAddingAsFrequentExitSite().

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::tallyFrequentExitSites):
        * dfg/DFGOSRExit.h:
        (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
        * dfg/DFGOSRExitBase.cpp:
        (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
        * dfg/DFGOSRExitBase.h:
        (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSite):
        * ftl/FTLOSRExit.h:
        (JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):

2015-02-17  Alexey Proskuryakov  <ap@apple.com>

        Debug build fix after r180247.

        * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::loweringFailed):

2015-02-17  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r180184.
        https://bugs.webkit.org/show_bug.cgi?id=141733

        Caused infinite recursion on js/function-apply-aliased.html
        (Requested by ap_ on #webkit).

        Reverted changeset:

        "REGRESSION(r180060): C Loop crashes"
        https://bugs.webkit.org/show_bug.cgi?id=141671
        http://trac.webkit.org/changeset/180184

2015-02-17  Michael Saboff  <msaboff@apple.com>

        CrashTracer: DFG_CRASH beneath JSC::FTL::LowerDFGToLLVM::compileNode
        https://bugs.webkit.org/show_bug.cgi?id=141730

        Reviewed by Geoffrey Garen.

        Added a new failure handler, loweringFailed(), to LowerDFGToLLVM that reports failures
        while processing DFG lowering.  For debug builds, the failures are logged identically
        to the way the DFG_CRASH() reports them.  For release builds, the failures are reported
        and that FTL compilation is terminated, but the process is allowed to continue.
        Wrapped calls to loweringFailed() in a macro LOWERING_FAILED so the function and
        line number are reported at the point of the inconsistency.

        Converted instances of DFG_CRASH to LOWERING_FAILED.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl): Added lowerDFGToLLVM() failure check that
        will fail the FTL compile.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
        Added new member variable, m_loweringSucceeded, to stop compilation on the first
        reported failure.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        * ftl/FTLLowerDFGToLLVM.h:
        Added check for compilation failures and now report those failures via a boolean
        return value.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
        (JSC::FTL::LowerDFGToLLVM::compilePhi):
        (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
        (JSC::FTL::LowerDFGToLLVM::compileValueRep):
        (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
        (JSC::FTL::LowerDFGToLLVM::compilePutLocal):
        (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
        (JSC::FTL::LowerDFGToLLVM::compileArithMul):
        (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
        (JSC::FTL::LowerDFGToLLVM::compileArithMod):
        (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
        (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
        (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
        (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
        (JSC::FTL::LowerDFGToLLVM::compileGetById):
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
        (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
        (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
        (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
        (JSC::FTL::LowerDFGToLLVM::compileNewArray):
        (JSC::FTL::LowerDFGToLLVM::compileToString):
725         (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
726         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
727         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
728         (JSC::FTL::LowerDFGToLLVM::compileSwitch):
729         (JSC::FTL::LowerDFGToLLVM::compare):
730         (JSC::FTL::LowerDFGToLLVM::boolify):
731         (JSC::FTL::LowerDFGToLLVM::opposite):
732         (JSC::FTL::LowerDFGToLLVM::lowJSValue):
733         (JSC::FTL::LowerDFGToLLVM::speculate):
734         (JSC::FTL::LowerDFGToLLVM::isArrayType):
735         (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
736         (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
737         (JSC::FTL::LowerDFGToLLVM::setInt52):
738         Changed DFG_CRASH() to LOWERING_FAILED().  Updated related control flow as appropriate.
739
740         (JSC::FTL::LowerDFGToLLVM::loweringFailed): New error reporting member function.
741
742 2015-02-17  Filip Pizlo  <fpizlo@apple.com>
743
744         StackLayoutPhase should use CodeBlock::usesArguments rather than FunctionExecutable::usesArguments
745         https://bugs.webkit.org/show_bug.cgi?id=141721
746         rdar://problem/17198633
747
748         Reviewed by Michael Saboff.
749         
750         I've seen cases where the two are out of sync.  We know we can trust the CodeBlock::usesArguments because
751         we use it everywhere else.
752         
753         No test because I could never reproduce the crash.
754
755         * dfg/DFGGraph.h:
756         (JSC::DFG::Graph::usesArguments):
757         * dfg/DFGStackLayoutPhase.cpp:
758         (JSC::DFG::StackLayoutPhase::run):
759
760 2015-02-16  Joseph Pecoraro  <pecoraro@apple.com>
761
762         Web Inspector: Improved Console Support for Bound Functions
763         https://bugs.webkit.org/show_bug.cgi?id=141635
764
765         Reviewed by Timothy Hatcher.
766
767         * inspector/JSInjectedScriptHost.cpp:
768         (Inspector::JSInjectedScriptHost::getInternalProperties):
769         Expose internal properties of a JSBoundFunction.
770
771 2015-02-16  Joseph Pecoraro  <pecoraro@apple.com>
772
773         Web Inspector: ES6: Improved Console Support for Promise Objects
774         https://bugs.webkit.org/show_bug.cgi?id=141634
775
776         Reviewed by Timothy Hatcher.
777
778         * inspector/InjectedScript.cpp:
779         (Inspector::InjectedScript::getInternalProperties):
780         * inspector/InjectedScriptSource.js:
781         Include internal properties in previews. Share code
782         with normal internal property handling.
783
784         * inspector/JSInjectedScriptHost.cpp:
785         (Inspector::constructInternalProperty):
786         (Inspector::JSInjectedScriptHost::getInternalProperties):
787         Provide internal state of Promises.
788
789         * inspector/protocol/Runtime.json:
790         Provide an optional field to distinguish if a PropertyPreview
791         is for an Internal property or not.
792
793 2015-02-17  Filip Pizlo  <fpizlo@apple.com>
794
795         Throwing from an FTL call IC slow path may result in tag registers being clobbered on 64-bit CPUs
796         https://bugs.webkit.org/show_bug.cgi?id=141717
797         rdar://problem/19863382
798
799         Reviewed by Geoffrey Garen.
800         
801         The best solution is to ensure that the engine catching an exception restores tag registers.
802         
803         Each of these new test cases reliably crashed prior to this patch and they don't crash at all now.
804
805         * jit/JITOpcodes.cpp:
806         (JSC::JIT::emit_op_catch):
807         * llint/LowLevelInterpreter.asm:
808         * llint/LowLevelInterpreter64.asm:
809         * tests/stress/throw-from-ftl-call-ic-slow-path-cells.js: Added.
810         * tests/stress/throw-from-ftl-call-ic-slow-path-undefined.js: Added.
811         * tests/stress/throw-from-ftl-call-ic-slow-path.js: Added.
812
813 2015-02-17  Csaba Osztrogonác  <ossy@webkit.org>
814
815         [ARM] Add the necessary setupArgumentsWithExecState after bug141332
816         https://bugs.webkit.org/show_bug.cgi?id=141714
817
818         Reviewed by Michael Saboff.
819
820         * jit/CCallHelpers.h:
821         (JSC::CCallHelpers::setupArgumentsWithExecState):
822
823 2015-02-15  Sam Weinig  <sam@webkit.org>
824
825         Add experimental <attachment> element support
826         https://bugs.webkit.org/show_bug.cgi?id=141626
827
828         Reviewed by Tim Horton.
829
830         * Configurations/FeatureDefines.xcconfig:
831
832 2015-02-16  Michael Saboff  <msaboff@apple.com>
833
834         REGRESSION(r180060): C Loop crashes
835         https://bugs.webkit.org/show_bug.cgi?id=141671
836
837         Reviewed by Geoffrey Garen.
838
839         Fixed a typo that only affected the C Loop in the prologue() macro in LowLevelInterpreter.asm.
840         After the stackHeightOKGetCodeBlock label, codeBlockSetter(t1) should be codeBlockGetter(t1).
841         Fixed the processing of an out-of-stack exception in llint_stack_check to not get the caller's
842         frame.  This isn't needed, since this helper is only called to check the stack on entry.  Any
843         exception will be handled by a call ancestor.
844
845         * llint/LLIntSlowPaths.cpp:
846         (JSC::LLInt::llint_stack_check): Changed to use the current frame for processing an exception.
847         * llint/LowLevelInterpreter.asm: Fixed a typo.
848
849 2015-02-16  Joseph Pecoraro  <pecoraro@apple.com>
850
851         Web Inspector: Scope details sidebar should label objects with constructor names
852         https://bugs.webkit.org/show_bug.cgi?id=139449
853
854         Reviewed by Timothy Hatcher.
855
856         * inspector/JSInjectedScriptHost.cpp:
857         (Inspector::JSInjectedScriptHost::internalConstructorName):
858         * runtime/Structure.cpp:
859         (JSC::Structure::toStructureShape):
860         Share calculatedClassName.
861
862         * runtime/JSObject.h:        
863         * runtime/JSObject.cpp:
864         (JSC::JSObject::calculatedClassName):
865         Elaborate on a way to get an Object's class name.
866
867 2015-02-16  Filip Pizlo  <fpizlo@apple.com>
868
869         DFG SSA should use GetLocal for arguments, and the GetArgument node type should be removed
870         https://bugs.webkit.org/show_bug.cgi?id=141623
871
872         Reviewed by Oliver Hunt.
873         
874         During development of https://bugs.webkit.org/show_bug.cgi?id=141332, I realized that I
875         needed to use GetArgument for loading something that has magically already appeared on the
876         stack, so currently trunk sort of allows this. But then I realized three things:
877         
878         - A GetArgument with a non-JSValue flush format means speculating that the value on the
879           stack obeys that format, rather than just assuming that it already has that format.
880           In bug 141332, I want it to assume rather than speculate. That also happens to be more
881           intuitive; I don't think I was wrong to expect that.
882         
883         - The node I really want is GetLocal. I'm just getting the value of the local and I don't
884           want to do anything else.
885         
886         - Maybe it would be easier if we just used GetLocal for all of the cases where we currently
887           use GetArgument.
888         
889         This changes the FTL to do argument speculations in the prologue just like the DFG does.
890         This brings some consistency to our system, and allows us to get rid of the GetArgument
891         node. The speculations that the FTL must do are now made explicit in the m_argumentFormats
892         vector in DFG::Graph. This has natural DCE behavior: even if all uses of the argument are
893         dead we will still speculate. We already have safeguards to ensure we only speculate if
894         there are uses that benefit from speculation (which is a much more conservative criterion
895         than DCE).
896         
897         * dfg/DFGAbstractInterpreterInlines.h:
898         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
899         * dfg/DFGClobberize.h:
900         (JSC::DFG::clobberize):
901         * dfg/DFGDCEPhase.cpp:
902         (JSC::DFG::DCEPhase::run):
903         * dfg/DFGDoesGC.cpp:
904         (JSC::DFG::doesGC):
905         * dfg/DFGFixupPhase.cpp:
906         (JSC::DFG::FixupPhase::fixupNode):
907         * dfg/DFGFlushFormat.h:
908         (JSC::DFG::typeFilterFor):
909         * dfg/DFGGraph.cpp:
910         (JSC::DFG::Graph::dump):
911         * dfg/DFGGraph.h:
912         (JSC::DFG::Graph::valueProfileFor):
913         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
914         * dfg/DFGInPlaceAbstractState.cpp:
915         (JSC::DFG::InPlaceAbstractState::initialize):
916         * dfg/DFGNode.cpp:
917         (JSC::DFG::Node::hasVariableAccessData):
918         * dfg/DFGNodeType.h:
919         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
920         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
921         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
922         * dfg/DFGPredictionPropagationPhase.cpp:
923         (JSC::DFG::PredictionPropagationPhase::propagate):
924         * dfg/DFGPutLocalSinkingPhase.cpp:
925         * dfg/DFGSSAConversionPhase.cpp:
926         (JSC::DFG::SSAConversionPhase::run):
927         * dfg/DFGSafeToExecute.h:
928         (JSC::DFG::safeToExecute):
929         * dfg/DFGSpeculativeJIT32_64.cpp:
930         (JSC::DFG::SpeculativeJIT::compile):
931         * dfg/DFGSpeculativeJIT64.cpp:
932         (JSC::DFG::SpeculativeJIT::compile):
933         * ftl/FTLCapabilities.cpp:
934         (JSC::FTL::canCompile):
935         * ftl/FTLLowerDFGToLLVM.cpp:
936         (JSC::FTL::LowerDFGToLLVM::lower):
937         (JSC::FTL::LowerDFGToLLVM::compileNode):
938         (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
939         (JSC::FTL::LowerDFGToLLVM::compileGetArgument): Deleted.
940         * tests/stress/dead-speculating-argument-use.js: Added.
941         (foo):
942         (o.valueOf):
943
944 2015-02-15  Filip Pizlo  <fpizlo@apple.com>
945
946         Rare case profiling should actually work
947         https://bugs.webkit.org/show_bug.cgi?id=141632
948
949         Reviewed by Michael Saboff.
950         
951         This simple adjustment appears to be a 2% speed-up on Octane. Over time, the slow case
952         heuristic has essentially stopped working because the typical execution count threshold for a
953         bytecode instruction is around 66 while the slow case threshold is 100: virtually
954         guaranteeing that the DFG will never think that a bytecode instruction has taken the slow
955         case even if it took it every single time. So, this changes the slow case threshold to 20.
956         
957         I checked if we could lower this down further, like to 10. That is worse than 20, and about
958         as bad as 100.
959
960         * runtime/Options.h:
961
962 2015-02-15  Brian J. Burg  <burg@cs.washington.edu>
963
964         Web Inspector: remove unused XHR replay code
965         https://bugs.webkit.org/show_bug.cgi?id=141622
966
967         Reviewed by Timothy Hatcher.
968
969         * inspector/protocol/Network.json: remove XHR replay methods.
970
971 2015-02-15  David Kilzer  <ddkilzer@apple.com>
972
973         REGRESSION (r180082): WebCore Debug builds fail on Mavericks due to weak export symbols
974         <http://webkit.org/b/141607>
975
976         More work towards fixing the Mavericks Debug build.
977
978         * inspector/ScriptDebugServer.h:
979         (Inspector::ScriptDebugServer::Task):
980         * inspector/agents/InspectorDebuggerAgent.h:
981         (Inspector::InspectorDebuggerAgent::Listener):
982         - Remove subclass exports. They did not help.
983
984         * runtime/JSCJSValue.h:
985         (JSC::JSValue::toFloat): Do not mark inline method for export.
986
987 2015-02-09  Brian J. Burg  <burg@cs.washington.edu>
988
989         Web Inspector: remove some unnecessary Inspector prefixes from class names in Inspector namespace
990         https://bugs.webkit.org/show_bug.cgi?id=141372
991
992         Reviewed by Joseph Pecoraro.
993
994         * inspector/ConsoleMessage.cpp:
995         (Inspector::ConsoleMessage::addToFrontend):
996         (Inspector::ConsoleMessage::updateRepeatCountInConsole):
997         * inspector/ConsoleMessage.h:
998         * inspector/InspectorAgentBase.h:
999         * inspector/InspectorAgentRegistry.cpp:
1000         (Inspector::AgentRegistry::AgentRegistry):
1001         (Inspector::AgentRegistry::append):
1002         (Inspector::AgentRegistry::appendExtraAgent):
1003         (Inspector::AgentRegistry::didCreateFrontendAndBackend):
1004         (Inspector::AgentRegistry::willDestroyFrontendAndBackend):
1005         (Inspector::AgentRegistry::discardAgents):
1006         (Inspector::InspectorAgentRegistry::InspectorAgentRegistry): Deleted.
1007         (Inspector::InspectorAgentRegistry::append): Deleted.
1008         (Inspector::InspectorAgentRegistry::appendExtraAgent): Deleted.
1009         (Inspector::InspectorAgentRegistry::didCreateFrontendAndBackend): Deleted.
1010         (Inspector::InspectorAgentRegistry::willDestroyFrontendAndBackend): Deleted.
1011         (Inspector::InspectorAgentRegistry::discardAgents): Deleted.
1012         * inspector/InspectorAgentRegistry.h:
1013         * inspector/InspectorBackendDispatcher.cpp:
1014         (Inspector::BackendDispatcher::CallbackBase::CallbackBase):
1015         (Inspector::BackendDispatcher::CallbackBase::isActive):
1016         (Inspector::BackendDispatcher::CallbackBase::sendFailure):
1017         (Inspector::BackendDispatcher::CallbackBase::sendIfActive):
1018         (Inspector::BackendDispatcher::create):
1019         (Inspector::BackendDispatcher::registerDispatcherForDomain):
1020         (Inspector::BackendDispatcher::dispatch):
1021         (Inspector::BackendDispatcher::sendResponse):
1022         (Inspector::BackendDispatcher::reportProtocolError):
1023         (Inspector::BackendDispatcher::getInteger):
1024         (Inspector::BackendDispatcher::getDouble):
1025         (Inspector::BackendDispatcher::getString):
1026         (Inspector::BackendDispatcher::getBoolean):
1027         (Inspector::BackendDispatcher::getObject):
1028         (Inspector::BackendDispatcher::getArray):
1029         (Inspector::BackendDispatcher::getValue):
1030         (Inspector::InspectorBackendDispatcher::CallbackBase::CallbackBase): Deleted.
1031         (Inspector::InspectorBackendDispatcher::CallbackBase::isActive): Deleted.
1032         (Inspector::InspectorBackendDispatcher::CallbackBase::sendFailure): Deleted.
1033         (Inspector::InspectorBackendDispatcher::CallbackBase::sendIfActive): Deleted.
1034         (Inspector::InspectorBackendDispatcher::create): Deleted.
1035         (Inspector::InspectorBackendDispatcher::registerDispatcherForDomain): Deleted.
1036         (Inspector::InspectorBackendDispatcher::dispatch): Deleted.
1037         (Inspector::InspectorBackendDispatcher::sendResponse): Deleted.
1038         (Inspector::InspectorBackendDispatcher::reportProtocolError): Deleted.
1039         (Inspector::InspectorBackendDispatcher::getInteger): Deleted.
1040         (Inspector::InspectorBackendDispatcher::getDouble): Deleted.
1041         (Inspector::InspectorBackendDispatcher::getString): Deleted.
1042         (Inspector::InspectorBackendDispatcher::getBoolean): Deleted.
1043         (Inspector::InspectorBackendDispatcher::getObject): Deleted.
1044         (Inspector::InspectorBackendDispatcher::getArray): Deleted.
1045         (Inspector::InspectorBackendDispatcher::getValue): Deleted.
1046         * inspector/InspectorBackendDispatcher.h:
1047         (Inspector::SupplementalBackendDispatcher::SupplementalBackendDispatcher):
1048         (Inspector::SupplementalBackendDispatcher::~SupplementalBackendDispatcher):
1049         (Inspector::InspectorSupplementalBackendDispatcher::InspectorSupplementalBackendDispatcher): Deleted.
1050         (Inspector::InspectorSupplementalBackendDispatcher::~InspectorSupplementalBackendDispatcher): Deleted.
1051         * inspector/InspectorFrontendChannel.h:
1052         (Inspector::FrontendChannel::~FrontendChannel):
1053         (Inspector::InspectorFrontendChannel::~InspectorFrontendChannel): Deleted.
1054         * inspector/JSGlobalObjectInspectorController.cpp:
1055         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1056         (Inspector::JSGlobalObjectInspectorController::globalObjectDestroyed):
1057         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
1058         (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
1059         (Inspector::JSGlobalObjectInspectorController::dispatchMessageFromFrontend):
1060         (Inspector::JSGlobalObjectInspectorController::appendExtraAgent):
1061         * inspector/JSGlobalObjectInspectorController.h:
1062         * inspector/agents/InspectorAgent.cpp:
1063         (Inspector::InspectorAgent::didCreateFrontendAndBackend):
1064         (Inspector::InspectorAgent::willDestroyFrontendAndBackend):
1065         * inspector/agents/InspectorAgent.h:
1066         * inspector/agents/InspectorConsoleAgent.cpp:
1067         (Inspector::InspectorConsoleAgent::didCreateFrontendAndBackend):
1068         (Inspector::InspectorConsoleAgent::willDestroyFrontendAndBackend):
1069         * inspector/agents/InspectorConsoleAgent.h:
1070         * inspector/agents/InspectorDebuggerAgent.cpp:
1071         (Inspector::InspectorDebuggerAgent::didCreateFrontendAndBackend):
1072         (Inspector::InspectorDebuggerAgent::willDestroyFrontendAndBackend):
1073         (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
1074         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
1075         (Inspector::InspectorDebuggerAgent::pause):
1076         (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP):
1077         (Inspector::InspectorDebuggerAgent::didPause):
1078         (Inspector::InspectorDebuggerAgent::breakProgram):
1079         (Inspector::InspectorDebuggerAgent::clearBreakDetails):
1080         * inspector/agents/InspectorDebuggerAgent.h:
1081         * inspector/agents/InspectorRuntimeAgent.cpp:
1082         (Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend):
1083         * inspector/agents/InspectorRuntimeAgent.h:
1084         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
1085         (Inspector::JSGlobalObjectRuntimeAgent::didCreateFrontendAndBackend):
1086         (Inspector::JSGlobalObjectRuntimeAgent::willDestroyFrontendAndBackend):
1087         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
1088         * inspector/augmentable/AlternateDispatchableAgent.h:
1089         * inspector/augmentable/AugmentableInspectorController.h:
1090         * inspector/remote/RemoteInspectorDebuggable.h:
1091         * inspector/remote/RemoteInspectorDebuggableConnection.h:
1092         * inspector/scripts/codegen/cpp_generator.py:
1093         (CppGenerator.cpp_type_for_formal_out_parameter):
1094         (CppGenerator.cpp_type_for_stack_out_parameter):
1095         * inspector/scripts/codegen/cpp_generator_templates.py:
1096         (AlternateBackendDispatcher):
1097         (Alternate):
1098         (void):
1099         (AlternateInspectorBackendDispatcher): Deleted.
1100         (AlternateInspector): Deleted.
1101         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
1102         (CppBackendDispatcherHeaderGenerator._generate_alternate_handler_forward_declarations_for_domains.Alternate):
1103         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
1104         (CppBackendDispatcherHeaderGenerator._generate_alternate_handler_forward_declarations_for_domains.AlternateInspector): Deleted.
1105         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
1106         (CppBackendDispatcherImplementationGenerator._generate_handler_class_destructor_for_domain):
1107         (CppBackendDispatcherImplementationGenerator._generate_large_dispatcher_switch_implementation_for_domain):
1108         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
1109         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
1110         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
1111         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
1112         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
1113         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1114         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1115         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1116         * inspector/scripts/tests/expected/enum-values.json-result:
1117         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1118         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1119         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1120         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1121         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1122         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1123         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1124         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1125         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1126         * runtime/JSGlobalObjectDebuggable.cpp:
1127         (JSC::JSGlobalObjectDebuggable::connect):
1128         (JSC::JSGlobalObjectDebuggable::disconnect):
1129         * runtime/JSGlobalObjectDebuggable.h:
1130
1131 2015-02-14  David Kilzer  <ddkilzer@apple.com>
1132
1133         REGRESSION (r180082): WebCore Debug builds fail on Mavericks due to weak export symbols
1134         <http://webkit.org/b/141607>
1135
1136         Work towards fixing the Mavericks Debug build.
1137
1138         * inspector/ScriptDebugServer.h:
1139         (Inspector::ScriptDebugServer::Task): Export class.
1140         * inspector/agents/InspectorDebuggerAgent.h:
1141         (Inspector::InspectorDebuggerAgent::Listener): Export class.
1142         * runtime/JSGlobalObject.h:
1143         (JSC::JSGlobalObject::setConsoleClient): Do not mark inline
1144         method for export.
1145
1146 2015-02-14  Joseph Pecoraro  <pecoraro@apple.com>
1147
1148         Web Inspector: Symbol RemoteObject should not send sub-type
1149         https://bugs.webkit.org/show_bug.cgi?id=141604
1150
1151         Reviewed by Brian Burg.
1152
1153         * inspector/InjectedScriptSource.js:
1154
1155 2015-02-13  Benjamin Poulain  <bpoulain@apple.com>
1156
1157         Attempt to fix 32bits build after r180098
1158
1159         * jit/JITOperations.cpp:
1160         * jit/JITOperations.h:
1161         I copied the attribute from the MathObject version of that function when I moved
1162         it over. DFG has no version of a function call taking those attributes.
1163
1164 2015-02-13  Joseph Pecoraro  <pecoraro@apple.com>
1165
1166         JSContext Inspector: Do not stash console messages for non-debuggable JSContext
1167         https://bugs.webkit.org/show_bug.cgi?id=141589
1168
1169         Reviewed by Timothy Hatcher.
1170
1171         Consider developer extras disabled for JSContext inspection if the
1172         RemoteInspector server is not enabled (typically a non-debuggable
1173         process rejected by webinspectord) or if remote debugging on the
1174         JSContext was explicitly disabled via SPI.
1175
1176         When developer extras are disabled, console messages will not be stashed.
1177
1178         * inspector/JSGlobalObjectInspectorController.cpp:
1179         (Inspector::JSGlobalObjectInspectorController::developerExtrasEnabled):
1180         * inspector/JSGlobalObjectInspectorController.h:
1181
1182 2015-02-13  Benjamin Poulain  <bpoulain@apple.com>
1183
1184         Add a DFG node for the Pow Intrinsics
1185         https://bugs.webkit.org/show_bug.cgi?id=141540
1186
1187         Reviewed by Filip Pizlo.
1188
1189         Add a DFG Node for PowIntrinsic. This patch covers the basic cases
1190         needed to avoid massive regression. I will iterate over the node to cover
1191         the missing types.
1192
1193         With this patch I get the following progressions on benchmarks:
1194         -LongSpider's math-partial-sums: +5%.
1195         -Kraken's imaging-darkroom: +17%
1196         -AsmBench's cray.c: +6.6%
1197         -CompressionBench: +2.2% globally.
1198
1199         * dfg/DFGAbstractInterpreterInlines.h:
1200         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1201         Cover a couple of trivial cases:
1202         -If the exponent is zero, the result is always one, regardless of the base.
1203         -If both arguments are constants, compute the result at compile time.
1204
1205         * dfg/DFGByteCodeParser.cpp:
1206         (JSC::DFG::ByteCodeParser::handleIntrinsic):
1207         * dfg/DFGClobberize.h:
1208         (JSC::DFG::clobberize):
1209         * dfg/DFGDoesGC.cpp:
1210         (JSC::DFG::doesGC):
1211
1212         * dfg/DFGFixupPhase.cpp:
1213         (JSC::DFG::FixupPhase::fixupNode):
1214         We only support 2 basic cases at this time:
1215         -Math.pow(double, int)
1216         -Math.pow(double, double).
1217
1218         I'll cover Math.pow(int, int) in a follow up.
1219
1220         * dfg/DFGNode.h:
1221         (JSC::DFG::Node::convertToArithSqrt):
1222         (JSC::DFG::Node::arithNodeFlags):
1223         * dfg/DFGNodeType.h:
1224         * dfg/DFGPredictionPropagationPhase.cpp:
1225         (JSC::DFG::PredictionPropagationPhase::propagate):
1226         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
1227         * dfg/DFGSafeToExecute.h:
1228         (JSC::DFG::safeToExecute):
1229         * dfg/DFGSpeculativeJIT.cpp:
1230         (JSC::DFG::compileArithPowIntegerFastPath):
1231         (JSC::DFG::SpeculativeJIT::compileArithPow):
1232         * dfg/DFGSpeculativeJIT.h:
1233         * dfg/DFGSpeculativeJIT32_64.cpp:
1234         (JSC::DFG::SpeculativeJIT::compile):
1235         * dfg/DFGSpeculativeJIT64.cpp:
1236         (JSC::DFG::SpeculativeJIT::compile):
1237         * dfg/DFGStrengthReductionPhase.cpp:
1238         (JSC::DFG::StrengthReductionPhase::handleNode):
1239         * dfg/DFGValidate.cpp:
1240         (JSC::DFG::Validate::validate):
1241         * ftl/FTLCapabilities.cpp:
1242         (JSC::FTL::canCompile):
1243         * ftl/FTLIntrinsicRepository.h:
1244         * ftl/FTLLowerDFGToLLVM.cpp:
1245         (JSC::FTL::LowerDFGToLLVM::compileNode):
1246         (JSC::FTL::LowerDFGToLLVM::compileArithPow):
1247         * ftl/FTLOutput.h:
1248         (JSC::FTL::Output::doublePow):
1249         (JSC::FTL::Output::doublePowi):
1250         * jit/JITOperations.cpp:
1251         * jit/JITOperations.h:
1252         * runtime/MathObject.cpp:
1253         (JSC::mathProtoFuncPow):
1254         (JSC::isDenormal): Deleted.
1255         (JSC::isEdgeCase): Deleted.
1256         (JSC::mathPow): Deleted.
1257
1258         * tests/stress/math-pow-basics.js: Added.
1259         * tests/stress/math-pow-integer-exponent-fastpath.js: Added.
1260         * tests/stress/math-pow-nan-behaviors.js: Added.
1261         * tests/stress/math-pow-with-constants.js: Added.
1262         Start some basic testing of Math.pow().
1263         Due to the various transforms, the values change when the code tiers up,
1264         so I covered this by checking for approximate values.
1265
1266 2015-02-13  Benjamin Poulain  <bpoulain@apple.com>
1267
1268         ArithSqrt should not be conditional on supportsFloatingPointSqrt
1269         https://bugs.webkit.org/show_bug.cgi?id=141546
1270
1271         Reviewed by Geoffrey Garen and Filip Pizlo.
1272
1273         Just fall back to the function call in the DFG codegen.
1274
1275         * dfg/DFGByteCodeParser.cpp:
1276         (JSC::DFG::ByteCodeParser::handleIntrinsic):
1277         * dfg/DFGSpeculativeJIT.cpp:
1278         (JSC::DFG::SpeculativeJIT::compileArithSqrt):
1279         * dfg/DFGSpeculativeJIT.h:
1280         * dfg/DFGSpeculativeJIT32_64.cpp:
1281         (JSC::DFG::SpeculativeJIT::compile):
1282         * dfg/DFGSpeculativeJIT64.cpp:
1283         (JSC::DFG::SpeculativeJIT::compile):
1284         * tests/stress/math-sqrt-basics.js: Added.
1285         Basic coverage.
1286
1287         * tests/stress/math-sqrt-basics-disable-architecture-specific-optimizations.js: Added.
1288         Same tests but forcing the function call.
1289
1290 2015-02-13  Michael Saboff  <msaboff@apple.com>
1291
1292         REGRESSION(r180060) New js/regress-141098 test crashes when LLInt is disabled.
1293         https://bugs.webkit.org/show_bug.cgi?id=141577
1294
1295         Reviewed by Benjamin Poulain.
1296
1297         Changed the prologue of the baseline JIT to check for stack space for all
1298         types of code blocks.  Previously, it was only checking Function.  Now
1299         it checks Program and Eval as well.
1300
1301         * jit/JIT.cpp:
1302         (JSC::JIT::privateCompile):
1303
1304 2015-02-13  Benjamin Poulain  <bpoulain@apple.com>
1305
1306         Generate incq instead of addq when the immediate value is one
1307         https://bugs.webkit.org/show_bug.cgi?id=141548
1308
1309         Reviewed by Gavin Barraclough.
1310
1311         JSC emits "addq #1 (rXX)" *a lot*.
1312         This patch replaces that by incq, which is one byte shorter
1313         and is the advised form.
1314
1315         Sunspider: +0.47%
1316         Octane: +0.28%
1317         Kraken: +0.44%
1318         AsmBench, CompressionBench: neutral.
1319
1320         * assembler/MacroAssemblerX86_64.h:
1321         (JSC::MacroAssemblerX86_64::add64):
1322         * assembler/X86Assembler.h:
1323         (JSC::X86Assembler::incq_m):
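
        How the peephole in this entry works at the byte level, as an added example rather than
        JSC's own X86Assembler/MacroAssembler code: a hypothetical mini-encoder that emits the
        64-bit "add [base+disp8], imm8" and "inc [base+disp8]" forms and applies the same rule as
        the patch, namely that an add of exactly 1 becomes inc. The names add64, addq_im, incq_m
        and emitRexWModRM are assumptions of this example; it always uses the 8-bit displacement
        addressing form, and the register numbers follow the hardware encoding (rax=0 .. r15=15).

```cpp
#include <cstdint>
#include <vector>

// Hardware register numbers; r8-r15 need REX.B when used as the base.
enum Reg { rax = 0, rcx, rdx, rbx, rsp, rbp, rsi, rdi, r8, r9, r10, r11, r12, r13, r14, r15 };

using Bytes = std::vector<uint8_t>;

// Shared tail of both instructions: REX.W, opcode, ModRM (mod=01, 8-bit displacement),
// an optional SIB byte, then the displacement. mod=01 is used so that rbp/r13 (whose
// mod=00 form means "RIP/disp32") need no special case; rsp/r12 (r/m=100) still need SIB.
static void emitRexWModRM(Bytes& out, uint8_t opcode, uint8_t regField, Reg base, int8_t disp)
{
    out.push_back(uint8_t(0x48 | ((base >> 3) & 1)));          // REX.W (+ REX.B for r8-r15)
    out.push_back(opcode);
    uint8_t rm = uint8_t(base & 7);
    out.push_back(uint8_t((1u << 6) | (regField << 3) | rm));   // mod=01, /regField, r/m
    if (rm == 4)
        out.push_back(0x24);                                     // SIB: no index, base = rsp/r12
    out.push_back(uint8_t(disp));
}

// add qword [base+disp8], imm8   ->  REX.W 83 /0 ib   (imm8 is sign-extended to 64 bits)
Bytes addq_im(int8_t imm, Reg base, int8_t disp)
{
    Bytes out;
    emitRexWModRM(out, 0x83, 0, base, disp);
    out.push_back(uint8_t(imm));
    return out;
}

// inc qword [base+disp8]         ->  REX.W FF /0      (no immediate byte at all)
Bytes incq_m(Reg base, int8_t disp)
{
    Bytes out;
    emitRexWModRM(out, 0xFF, 0, base, disp);
    return out;
}

// The peephole: adding exactly 1 is emitted as inc, saving the immediate byte.
Bytes add64(int8_t imm, Reg base, int8_t disp)
{
    if (imm == 1)
        return incq_m(base, disp);
    return addq_im(imm, base, disp);
}

int main()
{
    // add64(1, rax, 8) -> 48 FF 40 08, add64(2, rax, 8) -> 48 83 40 08 02
    return add64(1, rax, 8).size() + 1 == add64(2, rax, 8).size() ? 0 : 1;
}
```

        The saving is exactly the immediate byte, whatever the base register: a base that needs
        a SIB byte (rsp, r12) makes both encodings one byte longer, so the difference stays one.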
1324
1325 2015-02-13  Benjamin Poulain  <benjamin@webkit.org>
1326
1327         Little clean up of Bytecode Generator's Label
1328         https://bugs.webkit.org/show_bug.cgi?id=141557
1329
1330         Reviewed by Michael Saboff.
1331
1332         * bytecompiler/BytecodeGenerator.h:
1333         * bytecompiler/BytecodeGenerator.cpp:
1334         Label was a friend of BytecodeGenerator in order to access
1335         m_instructions. There is no need for that, BytecodeGenerator
1336         has a public getter.
1337
1338         * bytecompiler/Label.h:
1339         (JSC::Label::Label):
1340         (JSC::Label::setLocation):
1341         (JSC::BytecodeGenerator::newLabel):
1342         Make it explicit that the generator must exist.
1343
1344 2015-02-13  Michael Saboff  <msaboff@apple.com>
1345
1346         Google doc spreadsheet reproducibly crashes when sorting
1347         https://bugs.webkit.org/show_bug.cgi?id=141098
1348
1349         Reviewed by Oliver Hunt.
1350
1351         Moved the stack check to before the callee registers are allocated in the
1352         prologue() by moving it from the functionInitialization() macro.  This
1353         way we can check the stack before moving the stack pointer, avoiding a
1354         crash during a "call" instruction.  Before this change, we weren't even
1355         checking the stack for program and eval execution.
1356
1357         Made a couple of supporting changes.
1358
1359         * llint/LLIntSlowPaths.cpp:
1360         (JSC::LLInt::llint_stack_check): We can't just go up one frame as we
1361         may be processing an exception to an entry frame.
1362
1363         * llint/LowLevelInterpreter.asm:
1364
1365         * llint/LowLevelInterpreter32_64.asm:
1366         * llint/LowLevelInterpreter64.asm:
1367         (llint_throw_from_slow_path_trampoline): Changed method to get the vm
1368         from the code block to not use the codeBlock, since we may need to
1369         continue from an exception in a native function.
1370
1371 2015-02-12  Benjamin Poulain  <benjamin@webkit.org>
1372
1373         Simplify the initialization of BytecodeGenerator a bit
1374         https://bugs.webkit.org/show_bug.cgi?id=141505
1375
1376         Reviewed by Anders Carlsson.
1377
1378         * bytecompiler/BytecodeGenerator.cpp:
1379         (JSC::BytecodeGenerator::BytecodeGenerator):
1380         * bytecompiler/BytecodeGenerator.h:
1381         Set up the default initialization at the declaration level
1382         instead of the constructor.
1383
1384         Also made m_scopeNode and m_codeType const to make it explicit
1385         that they are invariant after construction.
1386
1387         * parser/Nodes.cpp:
1388         * runtime/Executable.cpp:
1389         Remove 2 useless #includes.
1390
1391 2015-02-12  Benjamin Poulain  <benjamin@webkit.org>
1392
1393         Move the generators for GetScope and SkipScope to the common core in DFGSpeculativeJIT
1394         https://bugs.webkit.org/show_bug.cgi?id=141506
1395
1396         Reviewed by Michael Saboff.
1397
1398         The generators for the nodes GetScope and SkipScope were
1399         completely identical between 32 and 64 bits.
1400
1401         This patch moves the duplicated code to DFGSpeculativeJIT.
1402
1403         * dfg/DFGSpeculativeJIT.cpp:
1404         (JSC::DFG::SpeculativeJIT::compileGetScope):
1405         (JSC::DFG::SpeculativeJIT::compileSkipScope):
1406         * dfg/DFGSpeculativeJIT.h:
1407         * dfg/DFGSpeculativeJIT32_64.cpp:
1408         (JSC::DFG::SpeculativeJIT::compile):
1409         * dfg/DFGSpeculativeJIT64.cpp:
1410         (JSC::DFG::SpeculativeJIT::compile):
1411
1412 2015-02-11  Brent Fulgham  <bfulgham@apple.com>
1413
1414         [Win] [64-bit] Work around MSVC2013 Runtime Bug
1415         https://bugs.webkit.org/show_bug.cgi?id=141498
1416         <rdar://problem/19803642>
1417
1418         Reviewed by Anders Carlsson.
1419
1420         Disable FMA3 instruction use in the MSVC math library to
1421         work around a VS2013 runtime crash. We can remove this
1422         workaround when we switch to VS2015.
1423
1424         * API/tests/testapi.c: Call _set_FMA3_enable(0) to disable
1425         FMA3 support.
1426         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add new files.
1427         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
1428         * JavaScriptCore.vcxproj/JavaScriptCoreDLL.cpp: Added.
1429         * JavaScriptCore.vcxproj/jsc/DLLLauncherMain.cpp: Call _set_FMA3_enable(0)
1430         to disable FMA3 support.
1431         * jsc.cpp: Ditto.
1432         * testRegExp.cpp: Ditto.
1433
1434 2015-02-11  Filip Pizlo  <fpizlo@apple.com>
1435
1436         The callee frame helpers in DFG::SpeculativeJIT should be available to other JITs
1437         https://bugs.webkit.org/show_bug.cgi?id=141493
1438
1439         Reviewed by Michael Saboff.
1440
1441         * dfg/DFGSpeculativeJIT.h:
1442         (JSC::DFG::SpeculativeJIT::calleeFrameSlot): Deleted.
1443         (JSC::DFG::SpeculativeJIT::calleeArgumentSlot): Deleted.
1444         (JSC::DFG::SpeculativeJIT::calleeFrameTagSlot): Deleted.
1445         (JSC::DFG::SpeculativeJIT::calleeFramePayloadSlot): Deleted.
1446         (JSC::DFG::SpeculativeJIT::calleeArgumentTagSlot): Deleted.
1447         (JSC::DFG::SpeculativeJIT::calleeArgumentPayloadSlot): Deleted.
1448         (JSC::DFG::SpeculativeJIT::calleeFrameCallerFrame): Deleted.
1449         * dfg/DFGSpeculativeJIT32_64.cpp:
1450         (JSC::DFG::SpeculativeJIT::emitCall):
1451         * dfg/DFGSpeculativeJIT64.cpp:
1452         (JSC::DFG::SpeculativeJIT::emitCall):
1453         * jit/AssemblyHelpers.h:
1454         (JSC::AssemblyHelpers::calleeFrameSlot):
1455         (JSC::AssemblyHelpers::calleeArgumentSlot):
1456         (JSC::AssemblyHelpers::calleeFrameTagSlot):
1457         (JSC::AssemblyHelpers::calleeFramePayloadSlot):
1458         (JSC::AssemblyHelpers::calleeArgumentTagSlot):
1459         (JSC::AssemblyHelpers::calleeArgumentPayloadSlot):
1460         (JSC::AssemblyHelpers::calleeFrameCallerFrame):
1461
1462 2015-02-11  Filip Pizlo  <fpizlo@apple.com>
1463
1464         SetupVarargsFrame should not assume that an inline stack frame would have identical layout to a normal stack frame
1465         https://bugs.webkit.org/show_bug.cgi?id=141485
1466
1467         Reviewed by Oliver Hunt.
1468         
1469         The inlineStackOffset argument was meant to make it easy for the DFG to use this helper for
1470         vararg calls from inlined code, but that doesn't work since the DFG inline call frame
1471         doesn't actually put the argument count at the JSStack::ArgumentCount offset. In fact there
1472         is really no such thing as an inlineStackOffset except when we OSR exit; while the code is
1473         running the stack layout is compacted so that the stackOffset is not meaningful.
1474
1475         * jit/JITCall.cpp:
1476         (JSC::JIT::compileSetupVarargsFrame):
1477         * jit/JITCall32_64.cpp:
1478         (JSC::JIT::compileSetupVarargsFrame):
1479         * jit/SetupVarargsFrame.cpp:
1480         (JSC::emitSetupVarargsFrameFastCase):
1481         * jit/SetupVarargsFrame.h:
1482
1483 2015-02-10  Filip Pizlo  <fpizlo@apple.com>
1484
1485         Split FTL::JSCall into the part that knows about call inline caching and the part that interacts with LLVM patchpoints
1486         https://bugs.webkit.org/show_bug.cgi?id=141455
1487
1488         Reviewed by Mark Lam.
1489         
1490         The newly introduced FTL::JSCallBase can be used to build other things, like the FTL portion
1491         of https://bugs.webkit.org/show_bug.cgi?id=141332.
1492
1493         * CMakeLists.txt:
1494         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1495         * JavaScriptCore.xcodeproj/project.pbxproj:
1496         * bytecode/CallLinkInfo.h:
1497         (JSC::CallLinkInfo::specializationKindFor):
1498         (JSC::CallLinkInfo::specializationKind):
1499         * ftl/FTLJSCall.cpp:
1500         (JSC::FTL::JSCall::JSCall):
1501         (JSC::FTL::JSCall::emit): Deleted.
1502         (JSC::FTL::JSCall::link): Deleted.
1503         * ftl/FTLJSCall.h:
1504         * ftl/FTLJSCallBase.cpp: Added.
1505         (JSC::FTL::JSCallBase::JSCallBase):
1506         (JSC::FTL::JSCallBase::emit):
1507         (JSC::FTL::JSCallBase::link):
1508         * ftl/FTLJSCallBase.h: Added.
1509
1510 2015-02-10  Filip Pizlo  <fpizlo@apple.com>
1511
1512         Unreviewed, fix build.
1513
1514         * jit/CCallHelpers.h:
1515         (JSC::CCallHelpers::setupArgumentsWithExecState):
1516
1517 2015-02-10  Filip Pizlo  <fpizlo@apple.com>
1518
1519         op_call_varargs should only load the length once
1520         https://bugs.webkit.org/show_bug.cgi?id=141440
1521         rdar://problem/19761683
1522
1523         Reviewed by Michael Saboff.
1524         
1525         Refactors the pair of calls that set up the varargs frame so that the first call returns the
1526         length, and the second call uses the length returned by the first one. It turns out that this
1527         gave me an opportunity to shorten a lot of the code.
1528
1529         * interpreter/Interpreter.cpp:
1530         (JSC::sizeFrameForVarargs):
1531         (JSC::loadVarargs):
1532         (JSC::setupVarargsFrame):
1533         (JSC::setupVarargsFrameAndSetThis):
1534         * interpreter/Interpreter.h:
1535         (JSC::calleeFrameForVarargs):
1536         * jit/CCallHelpers.h:
1537         (JSC::CCallHelpers::setupArgumentsWithExecState):
1538         * jit/JIT.h:
1539         * jit/JITCall.cpp:
1540         (JSC::JIT::compileSetupVarargsFrame):
1541         * jit/JITCall32_64.cpp:
1542         (JSC::JIT::compileSetupVarargsFrame):
1543         * jit/JITInlines.h:
1544         (JSC::JIT::callOperation):
1545         * jit/JITOperations.cpp:
1546         * jit/JITOperations.h:
1547         * jit/SetupVarargsFrame.cpp:
1548         (JSC::emitSetVarargsFrame):
1549         (JSC::emitSetupVarargsFrameFastCase):
1550         * jit/SetupVarargsFrame.h:
1551         * llint/LLIntSlowPaths.cpp:
1552         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1553         * runtime/Arguments.cpp:
1554         (JSC::Arguments::copyToArguments):
1555         * runtime/Arguments.h:
1556         * runtime/JSArray.cpp:
1557         (JSC::JSArray::copyToArguments):
1558         * runtime/JSArray.h:
1559         * runtime/VM.h:
1560         * tests/stress/call-varargs-length-effects.js: Added.
1561         (foo):
1562         (bar):
1563
1564 2015-02-10  Michael Saboff  <msaboff@apple.com>
1565
1566         Crash in JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq
1567         https://bugs.webkit.org/show_bug.cgi?id=139398
1568
1569         Reviewed by Filip Pizlo.
1570
1571         Due to CFA analysis, the CompareStrictEq node was determined to be unreachable, but later
1572         was determined to be reachable.  When we go to lower to LLVM, the edges for the CompareStrictEq
1573         node are UntypedUse which we can't compile.  Fixed this by checking that the IR before
1574         lowering can still be handled by the FTL.
1575
1576         Had to add GetArgument as a node that the FTL can compile as the SSA conversion phase converts
1577         a SetArgument to a GetArgument.  Before this change FTL::canCompile() would never see a GetArgument
1578         node.  With the check right before lowering, we see this node.
1579
1580         * dfg/DFGPlan.cpp:
1581         (JSC::DFG::Plan::compileInThreadImpl): Added a final FTL::canCompile() check before lowering
1582         to verify that after all the transformations we still have valid IR for the FTL.
1583         * ftl/FTLCapabilities.cpp:
1584         (JSC::FTL::canCompile): Added GetArgument as a node the FTL can compile.
1585
1586 2015-02-10  Filip Pizlo  <fpizlo@apple.com>
1587
1588         Remove unused DFG::SpeculativeJIT::calleeFrameOffset().
1589
1590         Rubber stamped by Michael Saboff.
1591         
1592         Not only was this not used, I believe that the math was wrong. The callee frame doesn't
1593         actually land past m_nextMachineLocal; instead it lands just below wherever we put SP and
1594         that decision is made elsewhere. Also, it makes no sense to subtract 1 from
1595         m_nextMachineLocal when trying to deduce the number of in-use stack slots.
1596
1597         * dfg/DFGSpeculativeJIT.h:
1598         (JSC::DFG::SpeculativeJIT::calleeFrameOffset): Deleted.
1599
1600 2015-02-10  Saam Barati  <saambarati1@gmail.com>
1601
1602         Parser::parseVarDeclarationList gets the wrong JSToken for the last identifier
1603         https://bugs.webkit.org/show_bug.cgi?id=141272
1604
1605         Reviewed by Oliver Hunt.
1606
1607         This patch fixes a bug where the wrong text location would be 
1608         assigned to a variable declaration inside a ForIn/ForOf loop. 
1609         It also fixes a bug in the type profiler where the type profiler 
1610         emits the wrong text offset for a ForIn loop's variable declarator 
1611         when it's not a pattern node.
1612
1613         * bytecompiler/NodesCodegen.cpp:
1614         (JSC::ForInNode::emitLoopHeader):
1615         * parser/Parser.cpp:
1616         (JSC::Parser<LexerType>::parseVarDeclarationList):
1617         * tests/typeProfiler/loop.js:
1618         (testForIn):
1619         (testForOf):
1620
1621 2015-02-09  Saam Barati  <saambarati1@gmail.com>
1622
1623         JSC's Type Profiler doesn't profile the type of the looping variable in ForOf/ForIn loops
1624         https://bugs.webkit.org/show_bug.cgi?id=141241
1625
1626         Reviewed by Filip Pizlo.
1627
1628         Type information is now recorded for ForIn and ForOf statements. 
1629         It was an oversight to not have these statements profiled before.
1630
1631         * bytecompiler/NodesCodegen.cpp:
1632         (JSC::ForInNode::emitLoopHeader):
1633         (JSC::ForOfNode::emitBytecode):
1634         * tests/typeProfiler/loop.js: Added.
1635         (testForIn):
1636         (testForOf):
1637
1638 2015-02-09  Filip Pizlo  <fpizlo@apple.com>
1639
1640         DFG::StackLayoutPhase should always set the scopeRegister to VirtualRegister() because the DFG doesn't do anything to make its value valid
1641         https://bugs.webkit.org/show_bug.cgi?id=141412
1642
1643         Reviewed by Michael Saboff.
1644         
1645         StackLayoutPhase was attempting to ensure that the register that
1646         CodeBlock::scopeRegister() points to is the right one for the DFG. But the DFG did nothing
1647         else to maintain the validity of the scopeRegister(). It wasn't captured as far as I can
1648         tell. StackLayoutPhase didn't explicitly mark it live. PreciseLocalClobberize didn't mark
1649         it as being live. So, by the time we got here the register referred to by
1650         CodeBlock::scopeRegister() would have been junk. Moreover, CodeBlock::scopeRegister() was
1651         not used for DFG code blocks, and was hardly ever used outside of bytecode generation.
1652         
1653         So, this patch just removes the code to manipulate this field and replaces it with an
1654         unconditional setScopeRegister(VirtualRegister()). Setting it to the invalid register
1655         ensures that any attempts to read the scopeRegister in a DFG or FTL frame immediately
1656         punts.
1657
1658         * dfg/DFGStackLayoutPhase.cpp:
1659         (JSC::DFG::StackLayoutPhase::run):
1660
1661 2015-02-09  Filip Pizlo  <fpizlo@apple.com>
1662
1663         Varargs frame set-up should be factored out for use by other JITs
1664         https://bugs.webkit.org/show_bug.cgi?id=141388
1665
1666         Reviewed by Michael Saboff.
1667         
1668         Previously the code that dealt with varargs always assumed that we were setting up a varargs call
1669         frame by literally following the execution semantics of op_call_varargs. This isn't how it'll
1670         happen once the DFG and FTL do varargs calls, or when varargs calls get inlined. The DFG and FTL
1671         don't literally execute bytecode; for example their stack frame layout has absolutely nothing in
1672         common with what the bytecode says, and that will never change.
1673         
1674         This patch makes two changes:
1675         
1676         Setting up the varargs callee frame can be done in smaller steps: particularly in the case of a
1677         varargs call that gets inlined, we aren't going to actually want to set up a callee frame in
1678         full - we just want to put the arguments somewhere, and that place will not have much (if
1679         anything) in common with the call frame format. This patch factors that out into something called
1680         a loadVarargs. The thing we used to call loadVarargs is now called setupVarargsFrame. This patch
1681         also separates loading varargs from setting this, since the fact that those two things are done
1682         together is a detail made explicit in bytecode but it's not at all required in the higher-tier
1683         engines. In the process of factoring this code out, I found a bunch of off-by-one errors in the
1684         various calculations. I fixed them. The distance from the caller's frame pointer to the callee
1685         frame pointer is always:
1686         
1687             numUsedCallerSlots + argCount + 1 + CallFrameSize
1688         
1689         where numUsedCallerSlots is toLocal(firstFreeRegister) - 1, which simplifies down to just
1690         -firstFreeRegister. The code now speaks of numUsedCallerSlots rather than firstFreeRegister,
1691         since the latter is a bytecode peculiarity that doesn't apply in the DFG or FTL. In the DFG, the
1692         internally-computed frame size, minus the parameter slots, will be used for numUsedCallerSlots.
1693         In the FTL, we will essentially compute numUsedCallerSlots dynamically by subtracting SP from FP.
1694         Eventually, LLVM might give us some cleaner way of doing this, but it probably doesn't matter
1695         very much.
1696         
1697         The arguments forwarding optimization is factored out of the Baseline JIT: the DFG and FTL will
1698         want to do this optimization as well, but it involves quite a bit of code. So, this code is now
1699         factored out into SetupVarargsFrame.h|cpp, so that other JITs can use it. In the process of factoring
1700         this code out I noticed that the 32-bit and 64-bit code is nearly identical, so I combined them.
1701
1702         * CMakeLists.txt:
1703         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1704         * JavaScriptCore.xcodeproj/project.pbxproj:
1705         * bytecode/CodeBlock.h:
1706         (JSC::ExecState::r):
1707         (JSC::ExecState::uncheckedR):
1708         * bytecode/VirtualRegister.h:
1709         (JSC::VirtualRegister::operator+):
1710         (JSC::VirtualRegister::operator-):
1711         (JSC::VirtualRegister::operator+=):
1712         (JSC::VirtualRegister::operator-=):
1713         * interpreter/CallFrame.h:
1714         * interpreter/Interpreter.cpp:
1715         (JSC::sizeFrameForVarargs):
1716         (JSC::loadVarargs):
1717         (JSC::setupVarargsFrame):
1718         (JSC::setupVarargsFrameAndSetThis):
1719         * interpreter/Interpreter.h:
1720         * jit/AssemblyHelpers.h:
1721         (JSC::AssemblyHelpers::emitGetFromCallFrameHeaderPtr):
1722         (JSC::AssemblyHelpers::emitGetFromCallFrameHeader32):
1723         (JSC::AssemblyHelpers::emitGetFromCallFrameHeader64):
1724         * jit/JIT.h:
1725         * jit/JITCall.cpp:
1726         (JSC::JIT::compileSetupVarargsFrame):
1727         * jit/JITCall32_64.cpp:
1728         (JSC::JIT::compileSetupVarargsFrame):
1729         * jit/JITInlines.h:
1730         (JSC::JIT::callOperation):
1731         (JSC::JIT::emitGetFromCallFrameHeaderPtr): Deleted.
1732         (JSC::JIT::emitGetFromCallFrameHeader32): Deleted.
1733         (JSC::JIT::emitGetFromCallFrameHeader64): Deleted.
1734         * jit/JITOperations.cpp:
1735         * jit/JITOperations.h:
1736         * jit/SetupVarargsFrame.cpp: Added.
1737         (JSC::emitSetupVarargsFrameFastCase):
1738         * jit/SetupVarargsFrame.h: Added.
1739         * llint/LLIntSlowPaths.cpp:
1740         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1741         * runtime/Arguments.cpp:
1742         (JSC::Arguments::copyToArguments):
1743         * runtime/Arguments.h:
1744         * runtime/JSArray.cpp:
1745         (JSC::JSArray::copyToArguments):
1746         * runtime/JSArray.h:
1747
1748 2015-02-09  Filip Pizlo  <fpizlo@apple.com>
1749
1750         DFG call codegen should resolve the callee operand as late as possible
1751         https://bugs.webkit.org/show_bug.cgi?id=141398
1752
1753         Reviewed by Mark Lam.
1754         
1755         This is mostly a benign restructuring to help with the implementation of
1756         https://bugs.webkit.org/show_bug.cgi?id=141332.
1757
1758         * dfg/DFGSpeculativeJIT32_64.cpp:
1759         (JSC::DFG::SpeculativeJIT::emitCall):
1760         * dfg/DFGSpeculativeJIT64.cpp:
1761         (JSC::DFG::SpeculativeJIT::emitCall):
1762
1763 2015-02-08  Filip Pizlo  <fpizlo@apple.com>
1764
1765         DFG should only have two mechanisms for describing effectfulness of nodes; previously there were three
1766         https://bugs.webkit.org/show_bug.cgi?id=141369
1767
1768         Reviewed by Michael Saboff.
1769
1770         We previously used the NodeMightClobber and NodeClobbersWorld NodeFlags to describe
1771         effectfulness.  Starting over a year ago, we introduced a more powerful mechanism - the
1772         DFG::clobberize() function.  Now we only have one remaining client of the old NodeFlags,
1773         and everyone else uses DFG::clobberize().  We should get rid of those NodeFlags and
1774         finally switch everyone over to DFG::clobberize().
1775         
1776         Unfortunately there is still another place where effectfulness of nodes is described: the
1777         AbstractInterpreter. This is because the AbstractInterpreter has special tuning both for
1778         compile time performance and there are places where the AI is more precise than
1779         clobberize() because of its flow-sensitivity.
1780         
1781         This means that after this change there will be only two places, rather than three, where
1782         the effectfulness of a node has to be described:
1783
1784         - DFG::clobberize()
1785         - DFG::AbstractInterpreter
1786
1787         * dfg/DFGClobberize.cpp:
1788         (JSC::DFG::clobbersWorld):
1789         * dfg/DFGClobberize.h:
1790         * dfg/DFGDoesGC.cpp:
1791         (JSC::DFG::doesGC):
1792         * dfg/DFGFixupPhase.cpp:
1793         (JSC::DFG::FixupPhase::fixupNode):
1794         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
1795         (JSC::DFG::FixupPhase::convertToGetArrayLength):
1796         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
1797         * dfg/DFGGraph.h:
1798         (JSC::DFG::Graph::isPredictedNumerical): Deleted.
1799         (JSC::DFG::Graph::byValIsPure): Deleted.
1800         (JSC::DFG::Graph::clobbersWorld): Deleted.
1801         * dfg/DFGNode.h:
1802         (JSC::DFG::Node::convertToConstant):
1803         (JSC::DFG::Node::convertToGetLocalUnlinked):
1804         (JSC::DFG::Node::convertToGetByOffset):
1805         (JSC::DFG::Node::convertToMultiGetByOffset):
1806         (JSC::DFG::Node::convertToPutByOffset):
1807         (JSC::DFG::Node::convertToMultiPutByOffset):
1808         * dfg/DFGNodeFlags.cpp:
1809         (JSC::DFG::dumpNodeFlags):
1810         * dfg/DFGNodeFlags.h:
1811         * dfg/DFGNodeType.h:
1812
1813 2015-02-09  Csaba Osztrogonác  <ossy@webkit.org>
1814
1815         Fix the !ENABLE(DFG_JIT) build
1816         https://bugs.webkit.org/show_bug.cgi?id=141387
1817
1818         Reviewed by Darin Adler.
1819
1820         * jit/Repatch.cpp:
1821
1822 2015-02-08  Benjamin Poulain  <benjamin@webkit.org>
1823
1824         Remove a few duplicate propagation steps from the DFG's PredictionPropagation phase
1825         https://bugs.webkit.org/show_bug.cgi?id=141363
1826
1827         Reviewed by Darin Adler.
1828
1829         * dfg/DFGPredictionPropagationPhase.cpp:
1830         (JSC::DFG::PredictionPropagationPhase::propagate):
1831         Some blocks were duplicated; they probably evolved separately
1832         to the same state.
1833
1834 2015-02-08  Benjamin Poulain  <benjamin@webkit.org>
1835
1836         Remove useless declarations and a stale comment from DFGByteCodeParser.h
1837         https://bugs.webkit.org/show_bug.cgi?id=141361
1838
1839         Reviewed by Darin Adler.
1840
1841         The comment refers to the original form of the ByteCodeParser:
1842             parse(Graph&, JSGlobalData*, CodeBlock*, unsigned startIndex);
1843
1844         That form is long dead; the comment is more misleading than anything.
1845
1846         * dfg/DFGByteCodeParser.cpp:
1847         * dfg/DFGByteCodeParser.h:
1848
1849 2015-02-08  Benjamin Poulain  <benjamin@webkit.org>
1850
1851         Encapsulate DFG::Plan's beforeFTL timestamp
1852         https://bugs.webkit.org/show_bug.cgi?id=141360
1853
1854         Reviewed by Darin Adler.
1855
1856         Make the attribute private; it is an internal state.
1857
1858         Rename beforeFTL->timeBeforeFTL for readability.
1859
1860         * dfg/DFGPlan.cpp:
1861         (JSC::DFG::Plan::compileInThread):
1862         (JSC::DFG::Plan::compileInThreadImpl):
1863         * dfg/DFGPlan.h:
1864
1865 2015-02-08  Benjamin Poulain  <bpoulain@apple.com>
1866
1867         Remove DFGNode::hasArithNodeFlags()
1868         https://bugs.webkit.org/show_bug.cgi?id=141319
1869
1870         Reviewed by Michael Saboff.
1871
1872         * dfg/DFGNode.h:
1873         (JSC::DFG::Node::hasArithNodeFlags): Deleted.
1874         Unused code is unused.
1875
1876 2015-02-07  Chris Dumez  <cdumez@apple.com>
1877
1878         Add Vector::removeFirstMatching() / removeAllMatching() methods taking lambda functions
1879         https://bugs.webkit.org/show_bug.cgi?id=141321
1880
1881         Reviewed by Darin Adler.
1882
1883         Use new Vector::removeFirstMatching() / removeAllMatching() methods.
1884
1885 2015-02-06  Filip Pizlo  <fpizlo@apple.com>
1886
1887         DFG SSA shouldn't have SetArgument nodes
1888         https://bugs.webkit.org/show_bug.cgi?id=141342
1889
1890         Reviewed by Mark Lam.
1891
1892         I was wondering why we kept the SetArgument around for captured
1893         variables. It turns out we did so because we thought we had to, even
1894         though we didn't have to. The node is meaningless in SSA.
1895
1896         * dfg/DFGSSAConversionPhase.cpp:
1897         (JSC::DFG::SSAConversionPhase::run):
1898         * ftl/FTLLowerDFGToLLVM.cpp:
1899         (JSC::FTL::LowerDFGToLLVM::compileNode):
1900
1901 2015-02-06  Filip Pizlo  <fpizlo@apple.com>
1902
1903         It should be possible to use the DFG SetArgument node to indicate that someone set the value of a local out-of-band
1904         https://bugs.webkit.org/show_bug.cgi?id=141337
1905
1906         Reviewed by Mark Lam.
1907
1908         This mainly involved ensuring that SetArgument behaves just like SetLocal from a CPS standpoint, but with a special case for those SetArguments that
1909         are associated with the prologue.
1910
1911         * dfg/DFGCPSRethreadingPhase.cpp:
1912         (JSC::DFG::CPSRethreadingPhase::run):
1913         (JSC::DFG::CPSRethreadingPhase::canonicalizeSet):
1914         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
1915         (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
1916         (JSC::DFG::CPSRethreadingPhase::canonicalizeSetLocal): Deleted.
1917         (JSC::DFG::CPSRethreadingPhase::canonicalizeSetArgument): Deleted.
1918
1919 2015-02-06  Mark Lam  <mark.lam@apple.com>
1920
1921         MachineThreads should be ref counted.
1922         <https://webkit.org/b/141317>
1923
1924         Reviewed by Filip Pizlo.
1925
1926         The VM's MachineThreads registry object is being referenced from other
1927         threads as a raw pointer.  In a scenario where the VM is destructed on
1928         the main thread, there is no guarantee that another thread isn't still
1929         holding a reference to the registry and will eventually invoke
1930         removeThread() on it on thread exit.  Hence, there's a possible use
1931         after free scenario here.
1932
1933         The fix is to make MachineThreads ThreadSafeRefCounted, and have all
1934         threads that reference it keep a RefPtr to it to ensure that it stays
1935         alive until the very last thread is done with it.
1936
1937         * API/tests/testapi.mm:
1938         (useVMFromOtherThread): - Renamed to be more descriptive.
1939         (useVMFromOtherThreadAndOutliveVM):
1940         - Added a test that has another thread which uses the VM outlive the
1941           VM to confirm that there is no crash.
1942
1943           However, I was not actually able to get the VM to crash without this
1944           patch because I wasn't always able to get the thread destructor to be
1945           called.  With this patch applied, I did verify with some logging that
1946           the MachineThreads registry is only destructed after all threads
1947           have removed themselves from it.
1948
1949         (threadMain): Deleted.
1950
1951         * heap/Heap.cpp:
1952         (JSC::Heap::Heap):
1953         (JSC::Heap::~Heap):
1954         (JSC::Heap::gatherStackRoots):
1955         * heap/Heap.h:
1956         (JSC::Heap::machineThreads):
1957         * heap/MachineStackMarker.cpp:
1958         (JSC::MachineThreads::Thread::Thread):
1959         (JSC::MachineThreads::addCurrentThread):
1960         (JSC::MachineThreads::removeCurrentThread):
1961         * heap/MachineStackMarker.h:
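
        The lifetime problem this entry describes, as an added example in standard C++ rather
        than WebKit code: a thread registry that worker threads remove themselves from on exit,
        with each worker holding its own reference (std::shared_ptr standing in for
        RefPtr/ThreadSafeRefCounted), so that the registry outlives a VM that is torn down on the
        main thread while a worker is still registered. ThreadRegistry, Vm and
        runOutliveVmScenario are hypothetical names; the counters exist only to make the
        destruction order observable, and mirror the logging described above.

```cpp
#include <algorithm>
#include <atomic>
#include <cstddef>
#include <cstdio>
#include <memory>
#include <mutex>
#include <thread>
#include <vector>

// Stand-in for the MachineThreads registry (hypothetical, not JSC's class).
class ThreadRegistry {
public:
    explicit ThreadRegistry(std::atomic<int>& destroyedCounter)
        : m_destroyedCounter(destroyedCounter) {}
    ~ThreadRegistry() { m_destroyedCounter.fetch_add(1); }  // lets the test see *when* we die

    void addCurrentThread()
    {
        std::lock_guard<std::mutex> lock(m_mutex);
        m_threads.push_back(std::this_thread::get_id());
    }
    void removeCurrentThread()
    {
        std::lock_guard<std::mutex> lock(m_mutex);
        std::thread::id self = std::this_thread::get_id();
        m_threads.erase(std::remove(m_threads.begin(), m_threads.end(), self), m_threads.end());
    }
    std::size_t size()
    {
        std::lock_guard<std::mutex> lock(m_mutex);
        return m_threads.size();
    }

private:
    std::mutex m_mutex;
    std::vector<std::thread::id> m_threads;
    std::atomic<int>& m_destroyedCounter;
};

// The VM owns one reference. With a raw ThreadRegistry* in the worker instead,
// removeCurrentThread() after the VM is destroyed would touch freed memory.
struct Vm {
    std::shared_ptr<ThreadRegistry> registry;
};

struct ScenarioResult {
    std::size_t registeredWhenVmDied;          // expect 1: worker still in the registry
    int destroyedWhileWorkerStillRegistered;   // expect 0: registry outlived the VM
    int destroyedAfterWorkerExited;            // expect 1: destroyed exactly once, at the end
};

ScenarioResult runOutliveVmScenario()
{
    std::atomic<int> destroyed(0);
    std::atomic<bool> workerRegistered(false);
    std::atomic<bool> vmDestroyed(false);
    ScenarioResult result = {0, -1, -1};

    std::unique_ptr<Vm> vm(new Vm);
    vm->registry = std::make_shared<ThreadRegistry>(destroyed);

    // The worker takes its own reference before the VM can go away (the patch's RefPtr).
    std::shared_ptr<ThreadRegistry> workerRef = vm->registry;
    std::thread worker([&, ref = std::move(workerRef)]() mutable {
        std::shared_ptr<ThreadRegistry> mine = std::move(ref);
        mine->addCurrentThread();
        workerRegistered.store(true);
        while (!vmDestroyed.load())
            std::this_thread::yield();
        // The VM is gone, but 'mine' keeps the registry alive for the removal below.
        result.destroyedWhileWorkerStillRegistered = destroyed.load();
        mine->removeCurrentThread();
        // 'mine' is released here: last reference, so the destructor runs on this thread.
    });

    while (!workerRegistered.load())
        std::this_thread::yield();
    result.registeredWhenVmDied = vm->registry->size();
    vm.reset();                 // VM destructed on the "main" thread while the worker lives
    vmDestroyed.store(true);
    worker.join();
    result.destroyedAfterWorkerExited = destroyed.load();
    return result;
}

bool scenarioBehavesAsExpected()
{
    ScenarioResult r = runOutliveVmScenario();
    return r.registeredWhenVmDied == 1 && r.destroyedWhileWorkerStillRegistered == 0
        && r.destroyedAfterWorkerExited == 1;
}

int main()
{
    std::printf("registry outlived VM: %s\n", scenarioBehavesAsExpected() ? "yes" : "no");
    return 0;
}
```

        The two spin loops only sequence the scenario so the outcome is deterministic; in the
        real registry the equivalent ordering is whatever thread exit and VM teardown happen to
        produce, which is exactly why the raw-pointer version was a use after free waiting to
        happen.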
1962
1963 2015-02-06  Commit Queue  <commit-queue@webkit.org>
1964
1965         Unreviewed, rolling out r179743.
1966         https://bugs.webkit.org/show_bug.cgi?id=141335
1967
1968         caused missing symbols in non-WebKit clients of WTF::Vector
1969         (Requested by kling on #webkit).
1970
1971         Reverted changeset:
1972
1973         "Remove WTF::fastMallocGoodSize()."
1974         https://bugs.webkit.org/show_bug.cgi?id=141020
1975         http://trac.webkit.org/changeset/179743
1976
1977 2015-02-04  Filip Pizlo  <fpizlo@apple.com>
1978
1979         Remove BytecodeGenerator::preserveLastVar() and replace it with a more robust mechanism for preserving non-temporary registers
1980         https://bugs.webkit.org/show_bug.cgi?id=141211
1981
1982         Reviewed by Mark Lam.
1983
1984         Previously, the way non-temporary registers were preserved (i.e. not reclaimed anytime
1985         we did newTemporary()) was by calling preserveLastVar() after all non-temps are created. It
1986         would raise the refcount on the last (highest-numbered) variable created, and rely on
1987         the fact that register reclamation started at higher-numbered registers and worked its
1988         way down. So any retained register would block any lower-numbered registers from being
1989         reclaimed.
1990         
1991         Also, preserveLastVar() sets a thing called m_firstConstantIndex. It's unused.
1992         
1993         This removes preserveLastVar() and makes addVar() retain each register it creates. This
1994         is more explicit, since addVar() is the mechanism for creating non-temporary registers.
1995         
1996         To make this work I had to remove an assertion that Register::setIndex() can only be
1997         called when the refcount is zero. This method might be called after a var is created to
1998         change its index. This previously worked because preserveLastVar() would be called after
1999         we had already made all index changes, so the vars would still have refcount zero. Now
2000         they have refcount 1. I think it's OK to lose this assertion; I can't remember this
2001         assertion ever firing in a way that alerted me to a serious issue.
2002         
2003         * bytecompiler/BytecodeGenerator.cpp:
2004         (JSC::BytecodeGenerator::BytecodeGenerator):
2005         (JSC::BytecodeGenerator::preserveLastVar): Deleted.
2006         * bytecompiler/BytecodeGenerator.h:
2007         (JSC::BytecodeGenerator::addVar):
2008         * bytecompiler/RegisterID.h:
2009         (JSC::RegisterID::setIndex):
2010
2011 2015-02-06  Andreas Kling  <akling@apple.com>
2012
2013         Remove WTF::fastMallocGoodSize().
2014         <https://webkit.org/b/141020>
2015
2016         Reviewed by Anders Carlsson.
2017
2018         * assembler/AssemblerBuffer.h:
2019         (JSC::AssemblerData::AssemblerData):
2020         (JSC::AssemblerData::grow):
2021
2022 2015-02-05  Michael Saboff  <msaboff@apple.com>
2023
2024         CodeCache is not thread safe when adding the same source from two different threads
2025         https://bugs.webkit.org/show_bug.cgi?id=141275
2026
2027         Reviewed by Mark Lam.
2028
2029         The issue for this bug is that one thread takes a cache miss in CodeCache::getGlobalCodeBlock,
2030         but in the process creates a cache entry with a nullptr UnlinkedCodeBlockType* which it
2031         will fill in later in the function.  During the body of that function, it allocates
2032         objects that may garbage collect.  During that garbage collection, we drop all the locks.
2033         While the locks are released by the first thread, another thread can enter the VM and might
2034         have exactly the same source and enter CodeCache::getGlobalCodeBlock() itself.  When it
2035         looks up the code block, it sees it as a cache hit and uses the nullptr UnlinkedCodeBlockType*
2036         and crashes.  This fixes the problem by not dropping the locks during garbage collection.
2037         There are other likely scenarios where we have a data structure like this code cache in an
2038         unsafe state for arbitrary reentrance.
2039
2040         Moved the functionality of DelayedReleaseScope directly into Heap.  Changed it into
2041         a simple list that is cleared with the new function Heap::releaseDelayedReleasedObjects.
2042         Now we accumulate objects to be released and release them when all locks are dropped or
2043         when destroying the Heap.  This eliminated the dropping and reacquiring of locks associated
2044         with the old scope form of this list.
2045
2046         Given that all functionality of DelayedReleaseScope is now used and referenced by Heap
2047         and the lock management no longer needs to be done, just made the list a member of Heap.
2048         We do need to guard against the case that releasing an object can create more objects
2049         by calling into JS.  That is why releaseDelayedReleasedObjects() is written to remove
2050         an object to release so that we aren't recursively in Vector code.  The other thing we
2051         do in releaseDelayedReleasedObjects() is to guard against recursive calls to itself using
2052         the m_delayedReleaseRecursionCount.  We only release at the first entry into the function.
2053         This case is already tested by testapi.mm.
2054
2055         * heap/DelayedReleaseScope.h: Removed file
2056
2057         * API/JSAPIWrapperObject.mm:
2058         * API/ObjCCallbackFunction.mm:
2059         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2060         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2061         * JavaScriptCore.xcodeproj/project.pbxproj:
2062         * heap/IncrementalSweeper.cpp:
2063         (JSC::IncrementalSweeper::doSweep):
2064         * heap/MarkedAllocator.cpp:
2065         (JSC::MarkedAllocator::tryAllocateHelper):
2066         (JSC::MarkedAllocator::tryAllocate):
2067         * heap/MarkedBlock.cpp:
2068         (JSC::MarkedBlock::sweep):
2069         * heap/MarkedSpace.cpp:
2070         (JSC::MarkedSpace::MarkedSpace):
2071         (JSC::MarkedSpace::lastChanceToFinalize):
2072         (JSC::MarkedSpace::didFinishIterating):
2073         * heap/MarkedSpace.h:
2074         * heap/Heap.cpp:
2075         (JSC::Heap::collectAllGarbage):
2076         (JSC::Heap::zombifyDeadObjects):
2077         Removed references to DelayedReleaseScope and DelayedReleaseScope.h.
2078
2079         * heap/Heap.cpp:
2080         (JSC::Heap::Heap): Initialized m_delayedReleaseRecursionCount.
2081         (JSC::Heap::lastChanceToFinalize): Call releaseDelayedObjectsNow() as the VM is going away.
2082         (JSC::Heap::releaseDelayedReleasedObjects): New function that releases the accumulated
2083         delayed release objects.
2084
2085         * heap/Heap.h:
2086         (JSC::Heap::m_delayedReleaseObjects): List of objects to be released later.
2087         (JSC::Heap::m_delayedReleaseRecursionCount): Counter to indicate that
2088         releaseDelayedReleasedObjects is being called recursively.
2089         * heap/HeapInlines.h:
2090         (JSC::Heap::releaseSoon): Changed location of list to add delayed release objects.
2091         
2092         * runtime/JSLock.cpp:
2093         (JSC::JSLock::willReleaseLock):
2094         Call Heap::releaseDelayedObjectsNow() when releasing the lock.
2095
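The drain pattern the entry above describes (pop one object at a time so a release callback can append to the list without us iterating it, and refuse to drain recursively via a recursion counter) is shown below as an added illustration. This is not JSC's code: it models the delayed-release list with std::function callbacks standing in for ObjC objects whose dealloc may call back into JS, and the class, member and function names are assumptions chosen to mirror the entry's wording.

```cpp
#include <cstddef>
#include <cstdio>
#include <functional>
#include <vector>

// Stand-in for Heap's delayed-release list (assumption: a simplified model,
// not JSC's Heap). An "object" is a callback that runs when it is released;
// like an ObjC dealloc that calls into JS, it may re-enter the heap and
// enqueue further objects or call the drain routine again.
class DelayedReleaseHeap {
public:
    using Object = std::function<void(DelayedReleaseHeap&)>;

    // Heap::releaseSoon: defer the release until the JSLock is dropped.
    void releaseSoon(Object object) {
        m_delayedReleaseObjects.push_back(std::move(object));
    }

    // Heap::releaseDelayedReleasedObjects: invoked when the lock is released.
    // Only the outermost call drains the list; a nested call returns at once
    // and leaves whatever it enqueued for the outer loop to pick up.
    void releaseDelayedReleasedObjects() {
        if (m_delayedReleaseRecursionCount)
            return;
        ++m_delayedReleaseRecursionCount;
        // Take one object out of the vector before releasing it, so that a
        // callback which appends to the vector never runs while we iterate it.
        while (!m_delayedReleaseObjects.empty()) {
            Object object = std::move(m_delayedReleaseObjects.back());
            m_delayedReleaseObjects.pop_back();
            ++m_releasedCount;
            object(*this);
        }
        --m_delayedReleaseRecursionCount;
    }

    std::size_t pendingCount() const { return m_delayedReleaseObjects.size(); }
    std::size_t releasedCount() const { return m_releasedCount; }
    unsigned recursionCount() const { return m_delayedReleaseRecursionCount; }

private:
    std::vector<Object> m_delayedReleaseObjects;
    unsigned m_delayedReleaseRecursionCount = 0;
    std::size_t m_releasedCount = 0;
};

// Constructed scenario: releasing A enqueues B and re-enters the drain;
// releasing B enqueues nothing. A correct drain releases both exactly once
// and ends with an empty list and a zero recursion count.
std::size_t runReentrantScenario() {
    DelayedReleaseHeap heap;
    heap.releaseSoon([](DelayedReleaseHeap& h) {          // object A
        h.releaseSoon([](DelayedReleaseHeap&) {});        // enqueue B
        h.releaseDelayedReleasedObjects();                // nested call: no-op
    });
    heap.releaseDelayedReleasedObjects();
    return heap.pendingCount() == 0 && heap.recursionCount() == 0
        ? heap.releasedCount() : 0;
}

int main() {
    std::printf("objects released: %zu\n", runReentrantScenario());
    return 0;
}
```

The point of popping before calling is that the vector may reallocate when the callback enqueues; iterating with a range-for over the vector while that happens would be use-after-free on the iterator. The recursion counter keeps the nested call from starting a second drain loop on the same vector.
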
2096 2015-02-05  Youenn Fablet  <youenn.fablet@crf.canon.fr> and Xabier Rodriguez Calvar <calvaris@igalia.com>
2097
2098         [Streams API] Implement a barebone ReadableStream interface
2099         https://bugs.webkit.org/show_bug.cgi?id=141045
2100
2101         Reviewed by Benjamin Poulain.
2102
2103         * Configurations/FeatureDefines.xcconfig:
2104
2105 2015-02-05  Saam Barati  <saambarati1@gmail.com>
2106
2107         Crash in uninitialized deconstructing variable.
2108         https://bugs.webkit.org/show_bug.cgi?id=141070
2109
2110         Reviewed by Michael Saboff.
2111
2112         According to the ES6 spec, when a destructuring pattern occurs
2113         as the left hand side of an assignment inside a var declaration 
2114         statement, the assignment must also have a right hand side value.
2115         "var {x} = {};" is a legal syntactic statement, but,
2116         "var {x};" is a syntactic error.
2117
2118         Section 13.2.2 of the latest draft ES6 spec specifies this requirement:
2119         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-variable-statement
2120
2121         * parser/Parser.cpp:
2122         (JSC::Parser<LexerType>::parseVarDeclaration):
2123         (JSC::Parser<LexerType>::parseVarDeclarationList):
2124         (JSC::Parser<LexerType>::parseForStatement):
2125         * parser/Parser.h:
2126
2127 2015-02-04  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
2128
2129         Unreviewed, fix a build break on EFL port since r179648.
2130
2131         * heap/MachineStackMarker.cpp: EFL port doesn't use previousThread variable. 
2132         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2133
2134 2015-02-04  Joseph Pecoraro  <pecoraro@apple.com>
2135
2136         Web Inspector: ES6: Improved Console Support for Symbol Objects
2137         https://bugs.webkit.org/show_bug.cgi?id=141173
2138
2139         Reviewed by Timothy Hatcher.
2140
2141         * inspector/protocol/Runtime.json:
2142         New type, "symbol".
2143
2144         * inspector/InjectedScriptSource.js:
2145         Handle Symbol objects in a few places. They don't have properties
2146         and they cannot be implicitly converted to strings.
2147
2148 2015-02-04  Mark Lam  <mark.lam@apple.com>
2149
2150         Undo gardening: Restoring the expected ERROR message since that is not the cause of the bot unhappiness.
2151
2152         Not reviewed.
2153
2154         * heap/MachineStackMarker.cpp:
2155         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2156
2157 2015-02-04  Mark Lam  <mark.lam@apple.com>
2158
2159         Gardening: Changed expected ERROR message to WARNING to make test bots happy.
2160
2161         Rubber stamped by Simon Fraser.
2162
2163         * heap/MachineStackMarker.cpp:
2164         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2165
2166 2015-02-04  Mark Lam  <mark.lam@apple.com>
2167
2168         r179576 introduced a deadlock potential during GC thread suspension.
2169         <https://webkit.org/b/141268>
2170
2171         Reviewed by Michael Saboff.
2172
2173         http://trac.webkit.org/r179576 introduced a potential for deadlocking.
2174         In the GC thread suspension loop, we currently delete
2175         MachineThreads::Thread that we detect to be invalid.  This is unsafe
2176         because we may have already suspended some threads, and one of those
2177         suspended threads may still be holding the C heap lock which we need
2178         for deleting the invalid thread.
2179
2180         The fix is to put the invalid threads in a separate toBeDeleted list,
2181         and delete them only after GC has resumed all threads.
2182
2183         * heap/MachineStackMarker.cpp:
2184         (JSC::MachineThreads::removeCurrentThread):
2185         - Undo refactoring removeThreadWithLockAlreadyAcquired() out of
2186           removeCurrentThread() since it is no longer needed.
2187
2188         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2189         - Put invalid Threads on a threadsToBeDeleted list, and delete those
2190           Threads only after all threads have been resumed.
2191
2192         (JSC::MachineThreads::removeThreadWithLockAlreadyAcquired): Deleted.
2193         * heap/MachineStackMarker.h:
2194
2195 2015-02-04  Joseph Pecoraro  <pecoraro@apple.com>
2196
2197         Web Inspector: Clean up Object Property Descriptor Collection
2198         https://bugs.webkit.org/show_bug.cgi?id=141222
2199
2200         Reviewed by Timothy Hatcher.
2201
2202         * inspector/InjectedScriptSource.js:
2203         Use a list of options when determining which properties to collect
2204         instead of a few booleans with overlapping responsibilities.
2205
2206 2015-02-04  Joseph Pecoraro  <pecoraro@apple.com>
2207
2208         Web Inspector: console.table with columnName filter for non-existent property should still show column
2209         https://bugs.webkit.org/show_bug.cgi?id=141066
2210
2211         Reviewed by Timothy Hatcher.
2212
2213         * inspector/ConsoleMessage.cpp:
2214         (Inspector::ConsoleMessage::addToFrontend):
2215         When a user provides a second argument, e.g. console.table(..., columnNames),
2216         then pass that second argument to the frontend.
2217
2218         * inspector/InjectedScriptSource.js:
2219         Add a FIXME about the old, unused path now.
2220
2221 2015-02-04  Saam Barati  <saambarati1@gmail.com>
2222
2223         TypeSet can use 1 byte instead of 4 bytes for its m_seenTypes member variable
2224         https://bugs.webkit.org/show_bug.cgi?id=141204
2225
2226         Reviewed by Darin Adler.
2227
2228         There is no need to use 32 bits to store a TypeSet::RuntimeType set 
2229         bit-vector when the largest value for a single TypeSet::RuntimeType 
2230         is 0x80. 8 bits is enough to represent the set of seen types.
2231
2232         * dfg/DFGFixupPhase.cpp:
2233         (JSC::DFG::FixupPhase::fixupNode):
2234         * runtime/TypeSet.cpp:
2235         (JSC::TypeSet::doesTypeConformTo):
2236         * runtime/TypeSet.h:
2237         (JSC::TypeSet::seenTypes):
2238
2239 2015-02-04  Mark Lam  <mark.lam@apple.com>
2240
2241         Remove concept of makeUsableFromMultipleThreads().
2242         <https://webkit.org/b/141221>
2243
2244         Reviewed by Mark Hahnenberg.
2245
2246         Currently, we rely on VM::makeUsableFromMultipleThreads() being called before we
2247         start acquiring the JSLock and entering the VM from different threads.
2248         Acquisition of the JSLock will register the acquiring thread with the VM's thread
2249         registry if not already registered.  However, it will only do this if the VM's
2250         thread specific key has been initialized by makeUsableFromMultipleThreads().
2251
2252         This is fragile, and also does not read intuitively because one would expect to
2253         acquire the JSLock before calling any methods on the VM.  This is exactly what
2254         JSGlobalContextCreateInGroup() did (i.e. acquire the lock before calling
2255         makeUsableFromMultipleThreads()), but is wrong.  The result is that the invoking
2256         thread will not have been registered with the VM during that first entry into
2257         the VM.
2258
2259         The fix is to make it so that we initialize the VM's thread specific key on
2260         construction of the VM's MachineThreads registry instead of relying on
2261         makeUsableFromMultipleThreads() being called.  With this, we can eliminate
2262         makeUsableFromMultipleThreads() altogether.
2263
2264         Performance results are neutral in aggregate.
2265
2266         * API/JSContextRef.cpp:
2267         (JSGlobalContextCreateInGroup):
2268         * heap/MachineStackMarker.cpp:
2269         (JSC::MachineThreads::MachineThreads):
2270         (JSC::MachineThreads::~MachineThreads):
2271         (JSC::MachineThreads::addCurrentThread):
2272         (JSC::MachineThreads::removeThread):
2273         (JSC::MachineThreads::gatherConservativeRoots):
2274         (JSC::MachineThreads::makeUsableFromMultipleThreads): Deleted.
2275         * heap/MachineStackMarker.h:
2276         * runtime/VM.cpp:
2277         (JSC::VM::sharedInstance):
2278         * runtime/VM.h:
2279         (JSC::VM::makeUsableFromMultipleThreads): Deleted.
2280
2281 2015-02-04  Chris Dumez  <cdumez@apple.com>
2282
2283         Add removeFirst(value) / removeAll(value) methods to WTF::Vector
2284         https://bugs.webkit.org/show_bug.cgi?id=141192
2285
2286         Reviewed by Benjamin Poulain.
2287
2288         Use new Vector::removeFirst(value) / removeAll(value) API to simplify the
2289         code a bit.
2290
2291         * inspector/InspectorValues.cpp:
2292         (Inspector::InspectorObjectBase::remove):
2293
2294 2015-02-03  Mark Lam  <mark.lam@apple.com>
2295
2296         Workaround a thread library bug where thread destructors may not get called.
2297         <https://webkit.org/b/141209>
2298
2299         Reviewed by Michael Saboff.
2300
2301         There's a bug where thread destructors may not get called.  As far as
2302         we know, this only manifests on darwin ports.  We will work around this
2303         by checking at GC time if the platform thread is still valid.  If not,
2304         we'll purge it from the VM's registeredThreads list before proceeding
2305         with thread scanning activity.
2306
2307         Note: it is important that we do this invalid thread detection during
2308         suspension, because the validity (and liveness) of the other thread is
2309         only guaranteed while it is suspended.
2310
2311         * API/tests/testapi.mm:
2312         (threadMain):
2313         - Added a test to enter the VM from another thread before we GC on
2314           the main thread.
2315
2316         * heap/MachineStackMarker.cpp:
2317         (JSC::MachineThreads::removeThreadWithLockAlreadyAcquired):
2318         (JSC::MachineThreads::removeCurrentThread):
2319         - refactored removeThreadWithLockAlreadyAcquired() out from
2320           removeCurrentThread() so that we can also call it for purging invalid
2321           threads.
2322         (JSC::suspendThread):
2323         - Added a return status to tell if the suspension succeeded or not.
2324         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2325         - Check if the suspension failed, and purge the thread if we can't
2326           suspend it.  Failure to suspend implies that the thread has
2327           terminated without calling its destructor.
2328         * heap/MachineStackMarker.h:
2329
2330 2015-02-03  Joseph Pecoraro  <pecoraro@apple.com>
2331
2332         Web Inspector: ASSERT mainThreadPthread launching remote debuggable JSContext app with Debug JavaScriptCore
2333         https://bugs.webkit.org/show_bug.cgi?id=141189
2334
2335         Reviewed by Michael Saboff.
2336
2337         * inspector/remote/RemoteInspector.mm:
2338         (Inspector::RemoteInspector::singleton):
2339         Ensure we call WTF::initializeMainThread() on the main thread so that
2340         we can perform automatic String <-> NSString conversions.
2341
2342 2015-02-03  Brent Fulgham  <bfulgham@apple.com>
2343
2344         [Win] Project file cleanups after r179429.
2345
2346         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2347         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2348
2349 2015-02-02  Filip Pizlo  <fpizlo@apple.com>
2350
2351         arguments[-1] should have well-defined behavior
2352         https://bugs.webkit.org/show_bug.cgi?id=141183
2353
2354         Reviewed by Mark Lam.
2355         
2356         According to JSC's internal argument numbering, 0 is "this" and 1 is the first argument.
2357         In the "arguments[i]" expression, "this" is not accessible and i = 0 refers to the first
2358         argument. Previously we handled the bounds check in "arguments[i]" - where "arguments" is
2359         statically known to be the current function's arguments object - as follows:
2360         
2361             add 1, i
2362             branchAboveOrEqual i, callFrame.ArgumentCount, slowPath
2363         
2364         The problem with this is that if i = -1, this passes the test, and we end up accessing
2365         what would be the "this" argument slot. That's wrong, since we should really be bottoming
2366         out in arguments["-1"], which is usually undefined but could be anything. It's even worse
2367         if the function is inlined or if we're in a constructor - in that case the "this" slot
2368         could be garbage.
2369         
2370         It turns out that we had this bug in all of our engines.
2371         
2372         This fixes the issue by changing the algorithm to:
2373         
2374             load32 callFrame.ArgumentCount, tmp
2375             sub 1, tmp
2376             branchAboveOrEqual i, tmp, slowPath
2377         
2378         In some engines, we would have used the modified "i" (the one that had 1 added to it) for
2379         the subsequent argument load; since we don't do this anymore I also had to change some of
2380         the offsets on the BaseIndex arguments load.
2381         
2382         This also includes tests that are written in such a way as to get coverage on LLInt and
2383         Baseline JIT (get-my-argument-by-val-wrap-around-no-warm-up), DFG and FTL
2384         (get-my-argument-by-val-wrap-around), and DFG when we're being paranoid about the user
2385         overwriting the "arguments" variable (get-my-argument-by-val-safe-wrap-around). This also
2386         includes off-by-1 out-of-bounds tests for each of these cases, since in the process of
2387         writing the patch I broke the arguments[arguments.length] case in the DFG and didn't see
2388         any test failures.
2389
2390         * dfg/DFGSpeculativeJIT32_64.cpp:
2391         (JSC::DFG::SpeculativeJIT::compile):
2392         * dfg/DFGSpeculativeJIT64.cpp:
2393         (JSC::DFG::SpeculativeJIT::compile):
2394         * ftl/FTLLowerDFGToLLVM.cpp:
2395         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
2396         * jit/AssemblyHelpers.h:
2397         (JSC::AssemblyHelpers::offsetOfArguments):
2398         (JSC::AssemblyHelpers::offsetOfArgumentsIncludingThis): Deleted.
2399         * jit/JITOpcodes.cpp:
2400         (JSC::JIT::emit_op_get_argument_by_val):
2401         * jit/JITOpcodes32_64.cpp:
2402         (JSC::JIT::emit_op_get_argument_by_val):
2403         * llint/LowLevelInterpreter.asm:
2404         * llint/LowLevelInterpreter32_64.asm:
2405         * llint/LowLevelInterpreter64.asm:
2406         * tests/stress/get-my-argument-by-val-out-of-bounds-no-warm-up.js: Added.
2407         (foo):
2408         * tests/stress/get-my-argument-by-val-out-of-bounds.js: Added.
2409         (foo):
2410         * tests/stress/get-my-argument-by-val-safe-out-of-bounds.js: Added.
2411         (foo):
2412         * tests/stress/get-my-argument-by-val-safe-wrap-around.js: Added.
2413         (foo):
2414         * tests/stress/get-my-argument-by-val-wrap-around-no-warm-up.js: Added.
2415         (foo):
2416         * tests/stress/get-my-argument-by-val-wrap-around.js: Added.
2417         (foo):
2418
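The two bounds checks from the entry above, worked through as an added example that is not JSC's code. It models the call frame as a vector whose slot 0 is "this" (an assumption matching the numbering the entry describes, with ArgumentCount counting the "this" slot), and shows why the old unsigned compare lets arguments[-1] read the "this" slot while the fixed compare sends every negative index to the slow path. The struct and function names are assumptions for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <initializer_list>
#include <vector>

// Simplified call frame (assumption, not JSC's real layout): slot 0 holds
// "this", slots 1..n hold the n actual arguments, and ArgumentCount counts
// "this" as well, matching the numbering described in the entry above.
struct CallFrame {
    std::vector<uint32_t> slots;
    uint32_t argumentCount() const { return static_cast<uint32_t>(slots.size()); }
};

// Marker stored in the "this" slot so a leak of it is visible in the result.
constexpr uint32_t kThisSlotMarker = 0xDEADBEEF;

// Old check, as described in the entry:
//     add 1, i
//     branchAboveOrEqual i, callFrame.ArgumentCount, slowPath
// branchAboveOrEqual is an unsigned compare, so i = -1 becomes index 0,
// passes the check, and the fast path reads the "this" slot.
bool oldGetArgumentByVal(const CallFrame& frame, int32_t i, uint32_t& out) {
    uint32_t index = static_cast<uint32_t>(i) + 1u;   // wraps to 0 for i == -1
    if (index >= frame.argumentCount())
        return false;                                  // slow path
    out = frame.slots[index];
    return true;
}

// Fixed check:
//     load32 callFrame.ArgumentCount, tmp
//     sub 1, tmp
//     branchAboveOrEqual i, tmp, slowPath
// The unmodified i is compared against the number of real arguments; any
// negative i is a huge unsigned value and always takes the slow path.
bool newGetArgumentByVal(const CallFrame& frame, int32_t i, uint32_t& out) {
    uint32_t tmp = frame.argumentCount() - 1u;         // count excluding "this"
    if (static_cast<uint32_t>(i) >= tmp)
        return false;                                  // slow path
    out = frame.slots[static_cast<uint32_t>(i) + 1u];  // +1 applied after the check
    return true;
}

int main() {
    // Constructed frame: foo(10, 20, 30), so ArgumentCount == 4.
    CallFrame frame{{kThisSlotMarker, 10, 20, 30}};
    for (int32_t i : {-1, 0, 2, 3}) {
        uint32_t oldValue = 0, newValue = 0;
        bool oldFast = oldGetArgumentByVal(frame, i, oldValue);
        bool newFast = newGetArgumentByVal(frame, i, newValue);
        std::printf("arguments[%d]: old=%s(0x%x) new=%s(0x%x)\n", i,
                    oldFast ? "fast" : "slow", oldValue,
                    newFast ? "fast" : "slow", newValue);
    }
    return 0;
}
```

The off-by-one case the entry mentions (arguments[arguments.length], i == 3 here) is rejected by both versions; the fixed version also rejects every index when the frame has no real arguments, because tmp becomes 0 and no unsigned i is below it.
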
2419 2015-02-02  Filip Pizlo  <fpizlo@apple.com>
2420
2421         MultiGetByOffset should be marked NodeMustGenerate
2422         https://bugs.webkit.org/show_bug.cgi?id=140137
2423
2424         Reviewed by Michael Saboff.
2425
2426         * dfg/DFGNode.h:
2427         (JSC::DFG::Node::convertToGetByOffset): We were sloppy - we should also clear NodeMustGenerate once it's a GetByOffset.
2428         (JSC::DFG::Node::convertToMultiGetByOffset): Assert that we converted from something that already had NodeMustGenerate.
2429         * dfg/DFGNodeType.h: We shouldn't DCE a node that does checks and could be effectful in baseline. Making MultiGetByOffset as NodeMustGenerate prevents DCE. FTL could still DCE the actual loads, but the checks will stay.
2430         * tests/stress/multi-get-by-offset-dce.js: Added. This previously failed because the getter wasn't called.
2431         (foo):
2432
2433 2015-02-02  Filip Pizlo  <fpizlo@apple.com>
2434
2435         [FTL] inlined GetMyArgumentByVal with no arguments passed causes instant crash
2436         https://bugs.webkit.org/show_bug.cgi?id=141180
2437         rdar://problem/19677552
2438
2439         Reviewed by Benjamin Poulain.
2440         
2441         If we do a GetMyArgumentByVal on an inlined call frame that has no arguments, then the
2442         bounds check already terminates execution. This means we can skip the part where we
2443         previously did an out-of-bound array access on the inlined call frame arguments vector.
2444
2445         * ftl/FTLLowerDFGToLLVM.cpp:
2446         (JSC::FTL::LowerDFGToLLVM::safelyInvalidateAfterTermination):
2447         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
2448         (JSC::FTL::LowerDFGToLLVM::terminate):
2449         (JSC::FTL::LowerDFGToLLVM::didAlreadyTerminate):
2450         (JSC::FTL::LowerDFGToLLVM::crash):
2451         * tests/stress/get-my-argument-by-val-inlined-no-formal-parameters.js: Added.
2452         (foo):
2453         (bar):
2454
2455 2015-02-02  Filip Pizlo  <fpizlo@apple.com>
2456
2457         REGRESSION(r179477): arguments simplification no longer works
2458         https://bugs.webkit.org/show_bug.cgi?id=141169
2459
2460         Reviewed by Mark Lam.
2461         
2462         The operations involved in callee/scope access don't exit and shouldn't get in the way
2463         of strength-reducing a Flush to a PhantomLocal. Then the PhantomLocal shouldn't get in
2464         the way of further such strength-reduction. We also need to canonicalize PhantomLocal
2465         before running arguments simplification.
2466
2467         * dfg/DFGMayExit.cpp:
2468         (JSC::DFG::mayExit):
2469         * dfg/DFGPlan.cpp:
2470         (JSC::DFG::Plan::compileInThreadImpl):
2471         * dfg/DFGStrengthReductionPhase.cpp:
2472         (JSC::DFG::StrengthReductionPhase::handleNode):
2473
2474 2015-02-02  Filip Pizlo  <fpizlo@apple.com>
2475
2476         VirtualRegister should really know how to dump itself
2477         https://bugs.webkit.org/show_bug.cgi?id=141171
2478
2479         Reviewed by Geoffrey Garen.
2480         
2481         Gives VirtualRegister a dump() method that pretty-prints the virtual register. The rest of
2482         the patch is all about using this new power.
2483
2484         * CMakeLists.txt:
2485         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2486         * JavaScriptCore.xcodeproj/project.pbxproj:
2487         * bytecode/CodeBlock.cpp:
2488         (JSC::constantName):
2489         (JSC::CodeBlock::registerName):
2490         * bytecode/CodeBlock.h:
2491         (JSC::missingThisObjectMarker): Deleted.
2492         * bytecode/VirtualRegister.cpp: Added.
2493         (JSC::VirtualRegister::dump):
2494         * bytecode/VirtualRegister.h:
2495         (WTF::printInternal): Deleted.
2496         * dfg/DFGArgumentPosition.h:
2497         (JSC::DFG::ArgumentPosition::dump):
2498         * dfg/DFGFlushedAt.cpp:
2499         (JSC::DFG::FlushedAt::dump):
2500         * dfg/DFGGraph.cpp:
2501         (JSC::DFG::Graph::dump):
2502         * dfg/DFGPutLocalSinkingPhase.cpp:
2503         * dfg/DFGSSAConversionPhase.cpp:
2504         (JSC::DFG::SSAConversionPhase::run):
2505         * dfg/DFGValidate.cpp:
2506         (JSC::DFG::Validate::reportValidationContext):
2507         * dfg/DFGValueSource.cpp:
2508         (JSC::DFG::ValueSource::dump):
2509         * dfg/DFGVariableEvent.cpp:
2510         (JSC::DFG::VariableEvent::dump):
2511         (JSC::DFG::VariableEvent::dumpSpillInfo):
2512         * ftl/FTLExitArgumentForOperand.cpp:
2513         (JSC::FTL::ExitArgumentForOperand::dump):
2514         * ftl/FTLExitValue.cpp:
2515         (JSC::FTL::ExitValue::dumpInContext):
2516         * profiler/ProfilerBytecodeSequence.cpp:
2517         (JSC::Profiler::BytecodeSequence::BytecodeSequence):
2518
2519 2015-02-02  Geoffrey Garen  <ggaren@apple.com>
2520
2521         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
2522         https://bugs.webkit.org/show_bug.cgi?id=140900
2523
2524         Reviewed by Mark Hahnenberg.
2525
2526         Re-landing just the HandleBlock piece of this patch.
2527
2528         * heap/HandleBlock.h:
2529         * heap/HandleBlockInlines.h:
2530         (JSC::HandleBlock::create):
2531         (JSC::HandleBlock::destroy):
2532         (JSC::HandleBlock::HandleBlock):
2533         (JSC::HandleBlock::payloadEnd):
2534         * heap/HandleSet.cpp:
2535         (JSC::HandleSet::~HandleSet):
2536         (JSC::HandleSet::grow):
2537
2538 2015-02-02  Joseph Pecoraro  <pecoraro@apple.com>
2539
2540         Web Inspector: Support console.table
2541         https://bugs.webkit.org/show_bug.cgi?id=141058
2542
2543         Reviewed by Timothy Hatcher.
2544
2545         * inspector/InjectedScriptSource.js:
2546         Include the firstLevelKeys filter when generating previews.
2547
2548         * runtime/ConsoleClient.cpp:
2549         (JSC::appendMessagePrefix):
2550         Differentiate console.table logs to system log.
2551
2552 2015-01-31  Filip Pizlo  <fpizlo@apple.com>
2553
2554         BinarySwitch should be faster on average
2555         https://bugs.webkit.org/show_bug.cgi?id=141046
2556
2557         Reviewed by Anders Carlsson.
2558         
2559         This optimizes our binary switch using math. It's strictly better than what we had before
2560         assuming we bottom out in some case (rather than fall through), assuming all cases get
2561         hit with equal probability. The difference is particularly large for large switch
2562         statements. For example, a switch statement with 1000 cases would previously require on
2563         average 13.207 branches to get to some case, while now it just requires 10.464.
2564         
2565         This is also a progression for the fall-through case, though we could shave off another
2566         1/6 branch on average if we wanted to - though it would regress taking a case (not falling
2567         through) by 1/6 branch. I believe it's better to bias the BinarySwitch for not falling
2568         through.
2569         
2570         This also adds some randomness to the algorithm to minimize the likelihood of us
2571         generating a switch statement that is always particularly bad for some input. Note that
2572         the randomness has no effect on average-case performance assuming all cases are equally
2573         likely.
2574         
2575         This ought to have no actual performance change because we don't rely on binary switches
2576         that much. The main reason why this change is interesting is that I'm finding myself
2577         increasingly relying on BinarySwitch, and I'd like to know that it's optimal.
2578
2579         * jit/BinarySwitch.cpp:
2580         (JSC::BinarySwitch::BinarySwitch):
2581         (JSC::BinarySwitch::~BinarySwitch):
2582         (JSC::BinarySwitch::build):
2583         * jit/BinarySwitch.h:
2584
2585 2015-02-02  Joseph Pecoraro  <pecoraro@apple.com>
2586
2587         Web Inspector: Extend CSS.getSupportedCSSProperties to provide values for properties for CSS Augmented JSContext
2588         https://bugs.webkit.org/show_bug.cgi?id=141064
2589
2590         Reviewed by Timothy Hatcher.
2591
2592         * inspector/protocol/CSS.json:
2593
2594 2015-02-02  Daniel Bates  <dabates@apple.com>
2595
2596         [iOS] ASSERTION FAILED: m_scriptExecutionContext->isContextThread() in ContextDestructionObserver::observeContext
2597         https://bugs.webkit.org/show_bug.cgi?id=141057
2598         <rdar://problem/19068790>
2599
2600         Reviewed by Alexey Proskuryakov.
2601
2602         * inspector/remote/RemoteInspector.mm:
2603         (Inspector::RemoteInspector::receivedIndicateMessage): Modified to call WTF::callOnWebThreadOrDispatchAsyncOnMainThread().
2604         (Inspector::dispatchAsyncOnQueueSafeForAnyDebuggable): Deleted; moved logic to common helper function,
2605         WTF::callOnWebThreadOrDispatchAsyncOnMainThread() so that it can be called from both RemoteInspector::receivedIndicateMessage()
2606         and CryptoKeyRSA::generatePair().
2607
2608 2015-02-02  Saam Barati  <saambarati1@gmail.com>
2609
2610         Create tests for JSC's Control Flow Profiler
2611         https://bugs.webkit.org/show_bug.cgi?id=141123
2612
2613         Reviewed by Filip Pizlo.
2614
2615         This patch creates a control flow profiler testing API in jsc.cpp 
2616         that accepts a function and a string as arguments. The string must 
2617         be a substring of the text of the function argument. The API returns 
2618         a boolean indicating whether or not the basic block that encloses the 
2619         substring has executed.
2620
2621         This patch uses this API to test that the control flow profiler
2622         behaves as expected on basic block boundaries. These tests do not
2623         provide full coverage for all JavaScript statements that can create
2624         basic blocks boundaries. Full coverage will come in a later patch.
2625
2626         * jsc.cpp:
2627         (GlobalObject::finishCreation):
2628         (functionHasBasicBlockExecuted):
2629         * runtime/ControlFlowProfiler.cpp:
2630         (JSC::ControlFlowProfiler::hasBasicBlockAtTextOffsetBeenExecuted):
2631         * runtime/ControlFlowProfiler.h:
2632         * tests/controlFlowProfiler: Added.
2633         * tests/controlFlowProfiler.yaml: Added.
2634         * tests/controlFlowProfiler/driver: Added.
2635         * tests/controlFlowProfiler/driver/driver.js: Added.
2636         (assert):
2637         * tests/controlFlowProfiler/if-statement.js: Added.
2638         (testIf):
2639         (noMatches):
2640         * tests/controlFlowProfiler/loop-statements.js: Added.
2641         (forRegular):
2642         (forIn):
2643         (forOf):
2644         (whileLoop):
2645         * tests/controlFlowProfiler/switch-statements.js: Added.
2646         (testSwitch):
2647         * tests/controlFlowProfiler/test-jit.js: Added.
2648         (tierUpToBaseline):
2649         (tierUpToDFG):
2650         (baselineTest):
2651         (dfgTest):
2652
2653 2015-01-28  Filip Pizlo  <fpizlo@apple.com>
2654
2655         Polymorphic call inlining should be based on polymorphic call inline caching rather than logging
2656         https://bugs.webkit.org/show_bug.cgi?id=140660
2657
2658         Reviewed by Geoffrey Garen.
2659         
2660         When we first implemented polymorphic call inlining, we did the profiling based on a call
2661         edge log. The idea was to store each call edge (a tuple of call site and callee) into a
2662         global log that was processed lazily. Processing the log would give precise counts of call
2663         edges, and could be used to drive well-informed inlining decisions - polymorphic or not.
2664         This was a speed-up on throughput tests but a slow-down for latency tests. It was a net win
2665         nonetheless.
2666         
2667         Experience with this code shows three things. First, the call edge profiler is buggy and
2668         complex. It would take work to fix the bugs. Second, the call edge profiler incurs lots of
2669         overhead for latency code that we care deeply about. Third, it's not at all clear that
2670         having call edge counts for every possible callee is any better than just having call edge
2671         counts for the limited number of callees that an inline cache would catch.
2672         
2673         So, this patch removes the call edge profiler and replaces it with a polymorphic call inline
2674         cache. If we miss the basic call inline cache, we inflate the cache to be a jump to an
2675         out-of-line stub that cases on the previously known callees. If that misses again, then we
2676         rewrite that stub to include the new callee. We do this up to some number of callees. If we
2677         hit the limit then we switch to using a plain virtual call.
2678         
2679         Substantial speed-up on V8Spider; undoes the slow-down that the original call edge profiler
2680         caused. Might be a SunSpider speed-up (below 1%), depending on hardware.
2681         
2682         Rolling this back in after fixing https://bugs.webkit.org/show_bug.cgi?id=141107.
2683
2684         * CMakeLists.txt:
2685         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2686         * JavaScriptCore.xcodeproj/project.pbxproj:
2687         * bytecode/CallEdge.h:
2688         (JSC::CallEdge::count):
2689         (JSC::CallEdge::CallEdge):
2690         * bytecode/CallEdgeProfile.cpp: Removed.
2691         * bytecode/CallEdgeProfile.h: Removed.
2692         * bytecode/CallEdgeProfileInlines.h: Removed.
2693         * bytecode/CallLinkInfo.cpp:
2694         (JSC::CallLinkInfo::unlink):
2695         (JSC::CallLinkInfo::visitWeak):
2696         * bytecode/CallLinkInfo.h:
2697         * bytecode/CallLinkStatus.cpp:
2698         (JSC::CallLinkStatus::CallLinkStatus):
2699         (JSC::CallLinkStatus::computeFor):
2700         (JSC::CallLinkStatus::computeFromCallLinkInfo):
2701         (JSC::CallLinkStatus::isClosureCall):
2702         (JSC::CallLinkStatus::makeClosureCall):
2703         (JSC::CallLinkStatus::dump):
2704         (JSC::CallLinkStatus::computeFromCallEdgeProfile): Deleted.
2705         * bytecode/CallLinkStatus.h:
2706         (JSC::CallLinkStatus::CallLinkStatus):
2707         (JSC::CallLinkStatus::isSet):
2708         (JSC::CallLinkStatus::variants):
2709         (JSC::CallLinkStatus::size):
2710         (JSC::CallLinkStatus::at):
2711         (JSC::CallLinkStatus::operator[]):
2712         (JSC::CallLinkStatus::canOptimize):
2713         (JSC::CallLinkStatus::edges): Deleted.
2714         (JSC::CallLinkStatus::canTrustCounts): Deleted.
2715         * bytecode/CallVariant.cpp:
2716         (JSC::variantListWithVariant):
2717         (JSC::despecifiedVariantList):
2718         * bytecode/CallVariant.h:
2719         * bytecode/CodeBlock.cpp:
2720         (JSC::CodeBlock::~CodeBlock):
2721         (JSC::CodeBlock::linkIncomingPolymorphicCall):
2722         (JSC::CodeBlock::unlinkIncomingCalls):
2723         (JSC::CodeBlock::noticeIncomingCall):
2724         * bytecode/CodeBlock.h:
2725         (JSC::CodeBlock::isIncomingCallAlreadyLinked): Deleted.
2726         * dfg/DFGAbstractInterpreterInlines.h:
2727         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2728         * dfg/DFGByteCodeParser.cpp:
2729         (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
2730         (JSC::DFG::ByteCodeParser::handleCall):
2731         (JSC::DFG::ByteCodeParser::handleInlining):
2732         * dfg/DFGClobberize.h:
2733         (JSC::DFG::clobberize):
2734         * dfg/DFGConstantFoldingPhase.cpp:
2735         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2736         * dfg/DFGDoesGC.cpp:
2737         (JSC::DFG::doesGC):
2738         * dfg/DFGDriver.cpp:
2739         (JSC::DFG::compileImpl):
2740         * dfg/DFGFixupPhase.cpp:
2741         (JSC::DFG::FixupPhase::fixupNode):
2742         * dfg/DFGNode.h:
2743         (JSC::DFG::Node::hasHeapPrediction):
2744         * dfg/DFGNodeType.h:
2745         * dfg/DFGOperations.cpp:
2746         * dfg/DFGPredictionPropagationPhase.cpp:
2747         (JSC::DFG::PredictionPropagationPhase::propagate):
2748         * dfg/DFGSafeToExecute.h:
2749         (JSC::DFG::safeToExecute):
2750         * dfg/DFGSpeculativeJIT32_64.cpp:
2751         (JSC::DFG::SpeculativeJIT::emitCall):
2752         (JSC::DFG::SpeculativeJIT::compile):
2753         * dfg/DFGSpeculativeJIT64.cpp:
2754         (JSC::DFG::SpeculativeJIT::emitCall):
2755         (JSC::DFG::SpeculativeJIT::compile):
2756         * dfg/DFGTierUpCheckInjectionPhase.cpp:
2757         (JSC::DFG::TierUpCheckInjectionPhase::run):
2758         (JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling): Deleted.
2759         * ftl/FTLCapabilities.cpp:
2760         (JSC::FTL::canCompile):
2761         * heap/Heap.cpp:
2762         (JSC::Heap::collect):
2763         * jit/BinarySwitch.h:
2764         * jit/ClosureCallStubRoutine.cpp: Removed.
2765         * jit/ClosureCallStubRoutine.h: Removed.
2766         * jit/JITCall.cpp:
2767         (JSC::JIT::compileOpCall):
2768         * jit/JITCall32_64.cpp:
2769         (JSC::JIT::compileOpCall):
2770         * jit/JITOperations.cpp:
2771         * jit/JITOperations.h:
2772         (JSC::operationLinkPolymorphicCallFor):
2773         (JSC::operationLinkClosureCallFor): Deleted.
2774         * jit/JITStubRoutine.h:
2775         * jit/JITWriteBarrier.h:
2776         * jit/PolymorphicCallStubRoutine.cpp: Added.
2777         (JSC::PolymorphicCallNode::~PolymorphicCallNode):
2778         (JSC::PolymorphicCallNode::unlink):
2779         (JSC::PolymorphicCallCase::dump):
2780         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
2781         (JSC::PolymorphicCallStubRoutine::~PolymorphicCallStubRoutine):
2782         (JSC::PolymorphicCallStubRoutine::variants):
2783         (JSC::PolymorphicCallStubRoutine::edges):
2784         (JSC::PolymorphicCallStubRoutine::visitWeak):
2785         (JSC::PolymorphicCallStubRoutine::markRequiredObjectsInternal):
2786         * jit/PolymorphicCallStubRoutine.h: Added.
2787         (JSC::PolymorphicCallNode::PolymorphicCallNode):
2788         (JSC::PolymorphicCallCase::PolymorphicCallCase):
2789         (JSC::PolymorphicCallCase::variant):
2790         (JSC::PolymorphicCallCase::codeBlock):
2791         * jit/Repatch.cpp:
2792         (JSC::linkSlowFor):
2793         (JSC::linkFor):
2794         (JSC::revertCall):
2795         (JSC::unlinkFor):
2796         (JSC::linkVirtualFor):
2797         (JSC::linkPolymorphicCall):
2798         (JSC::linkClosureCall): Deleted.
2799         * jit/Repatch.h:
2800         * jit/ThunkGenerators.cpp:
2801         (JSC::linkPolymorphicCallForThunkGenerator):
2802         (JSC::linkPolymorphicCallThunkGenerator):
2803         (JSC::linkPolymorphicCallThatPreservesRegsThunkGenerator):
2804         (JSC::linkClosureCallForThunkGenerator): Deleted.
2805         (JSC::linkClosureCallThunkGenerator): Deleted.
2806         (JSC::linkClosureCallThatPreservesRegsThunkGenerator): Deleted.
2807         * jit/ThunkGenerators.h:
2808         (JSC::linkPolymorphicCallThunkGeneratorFor):
2809         (JSC::linkClosureCallThunkGeneratorFor): Deleted.
2810         * llint/LLIntSlowPaths.cpp:
2811         (JSC::LLInt::jitCompileAndSetHeuristics):
2812         * runtime/Options.h:
2813         * runtime/VM.cpp:
2814         (JSC::VM::prepareToDiscardCode):
2815         (JSC::VM::ensureCallEdgeLog): Deleted.
2816         * runtime/VM.h:
2817
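The state machine the entry above describes (basic inline cache, then an out-of-line stub that cases on the known callees, then a plain virtual call once the callee limit is hit) can be modelled without any machine code. The block below is an added illustration, not JavaScriptCore code: `CallSiteCache` is a hypothetical object standing in for one call site's `CallLinkInfo`, `maxCases` stands in for the engine's callee limit (an assumed value, not the real Option), and `traceCallSite` drives one site through all four states.

```javascript
// Added example (not JavaScriptCore code): a simulation of the call inline
// cache states described in the ChangeLog entry. Real JSC does this with
// machine-code stubs; here a plain object models the same state machine.
//
// States:
//   "unlinked"    - no callee seen yet
//   "monomorphic" - linked to exactly one callee
//   "polymorphic" - out-of-line stub that cases on up to `maxCases` callees
//   "virtual"     - too many callees; every call takes the generic path

class CallSiteCache {
  constructor(maxCases = 4) {           // hypothetical limit, not JSC's Option
    this.maxCases = maxCases;
    this.state = "unlinked";
    this.cases = [];                    // callees the stub currently checks
    this.stats = { hits: 0, misses: 0, virtualCalls: 0 };
  }

  // Fast path: does the current stub already case on this callee?
  lookup(callee) {
    return this.cases.includes(callee);
  }

  // Slow path taken on a miss (what linkFor / linkPolymorphicCall do in JSC):
  // grow the stub by one callee, or give up and go virtual at the limit.
  relink(callee) {
    if (this.cases.length < this.maxCases) {
      this.cases.push(callee);
      this.state = this.cases.length === 1 ? "monomorphic" : "polymorphic";
      return;
    }
    this.cases = [];
    this.state = "virtual";
  }

  call(callee, thisValue, ...args) {
    if (typeof callee !== "function") throw new TypeError("not a function");
    if (this.state === "virtual") {
      this.stats.virtualCalls++;        // no more relinking once virtual
    } else if (this.lookup(callee)) {
      this.stats.hits++;
    } else {
      this.stats.misses++;
      this.relink(callee);
    }
    return callee.apply(thisValue, args);
  }
}

// Drive a single call site through all four states and return the trace.
function traceCallSite(maxCases = 2) {
  const site = new CallSiteCache(maxCases);
  const f = (x) => x + 1, g = (x) => x * 2, h = (x) => -x;
  const trace = [];
  const record = (callee, arg) => {
    const result = site.call(callee, undefined, arg);
    trace.push({ result, state: site.state, cases: site.cases.length });
  };
  record(f, 1); record(f, 2); record(g, 3); record(g, 4); record(h, 5); record(f, 6);
  return { trace, stats: { ...site.stats } };
}
```

With `maxCases = 2` the trace shows the site go monomorphic on `f`, polymorphic on `g`, and virtual when `h` arrives as a third callee; after that even `f`, which the stub used to know, takes the virtual path, which is the trade-off the entry describes against keeping counts for every possible callee.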
2818 2015-01-30  Filip Pizlo  <fpizlo@apple.com>
2819
2820         Converting Flushes and PhantomLocals to Phantoms requires an OSR availability analysis rather than just using the SetLocal's child
2821         https://bugs.webkit.org/show_bug.cgi?id=141107
2822
2823         Reviewed by Michael Saboff.
2824         
2825         See the bugzilla for a discussion of the problem. This addresses the problem by ensuring
2826         that Flushes are always strength-reduced to PhantomLocals, and CPS rethreading does a mini
2827         OSR availability analysis to determine the right MovHint value to use for the Phantom.
2828
2829         * dfg/DFGCPSRethreadingPhase.cpp:
2830         (JSC::DFG::CPSRethreadingPhase::CPSRethreadingPhase):
2831         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
2832         (JSC::DFG::CPSRethreadingPhase::clearVariables):
2833         (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
2834         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
2835         (JSC::DFG::CPSRethreadingPhase::clearVariablesAtHeadAndTail): Deleted.
2836         * dfg/DFGNode.h:
2837         (JSC::DFG::Node::convertPhantomToPhantomLocal):
2838         (JSC::DFG::Node::convertFlushToPhantomLocal):
2839         (JSC::DFG::Node::convertToPhantomLocal): Deleted.
2840         * dfg/DFGStrengthReductionPhase.cpp:
2841         (JSC::DFG::StrengthReductionPhase::handleNode):
2842         * tests/stress/inline-call-that-doesnt-use-all-args.js: Added.
2843         (foo):
2844         (bar):
2845         (baz):
2846
2847 2015-01-31  Michael Saboff  <msaboff@apple.com>
2848
2849         Crash (DFG assertion) beneath AbstractInterpreter::verifyEdge() @ http://experilous.com/1/planet-generator/2014-09-28/version-1
2850         https://bugs.webkit.org/show_bug.cgi?id=141111
2851
2852         Reviewed by Filip Pizlo.
2853
2854         In LowerDFGToLLVM::compileNode(), if we determine while compiling a node that we would have
2855         exited, we don't need to process the OSR availability or abstract interpreter.
2856
2857         * ftl/FTLLowerDFGToLLVM.cpp:
2858         (JSC::FTL::LowerDFGToLLVM::safelyInvalidateAfterTermination): Broke this out as a separate
2859         method since we need to call it at the top and near the bottom of compileNode().
2860         (JSC::FTL::LowerDFGToLLVM::compileNode):
2861
2862 2015-01-31  Sam Weinig  <sam@webkit.org>
2863
2864         Remove even more Mountain Lion support
2865         https://bugs.webkit.org/show_bug.cgi?id=141124
2866
2867         Reviewed by Alexey Proskuryakov.
2868
2869         * API/tests/DateTests.mm:
2870         * Configurations/Base.xcconfig:
2871         * Configurations/DebugRelease.xcconfig:
2872         * Configurations/FeatureDefines.xcconfig:
2873         * Configurations/Version.xcconfig:
2874         * jit/ExecutableAllocatorFixedVMPool.cpp:
2875
2876 2015-01-31  Commit Queue  <commit-queue@webkit.org>
2877
2878         Unreviewed, rolling out r179426.
2879         https://bugs.webkit.org/show_bug.cgi?id=141119
2880
2881         "caused a memory use regression" (Requested by Guest45 on
2882         #webkit).
2883
2884         Reverted changeset:
2885
2886         "Use FastMalloc (bmalloc) instead of BlockAllocator for GC
2887         pages"
2888         https://bugs.webkit.org/show_bug.cgi?id=140900
2889         http://trac.webkit.org/changeset/179426
2890
2891 2015-01-30  Daniel Bates  <dabates@apple.com>
2892
2893         Clean up: Remove unnecessary <dispatch/dispatch.h> header from RemoteInspectorDebuggableConnection.h
2894         https://bugs.webkit.org/show_bug.cgi?id=141067
2895
2896         Reviewed by Timothy Hatcher.
2897
2898         Remove the header <dispatch/dispatch.h> from RemoteInspectorDebuggableConnection.h as we
2899         do not make use of its functionality. Instead, include this header in RemoteInspectorDebuggableConnection.mm
2900         and RemoteInspector.mm. The latter depended on <dispatch/dispatch.h> being included via
2901         header RemoteInspectorDebuggableConnection.h.
2902
2903         * inspector/remote/RemoteInspector.mm: Include header <dispatch/dispatch.h>.
2904         * inspector/remote/RemoteInspectorDebuggableConnection.h: Remove header <dispatch/dispatch.h>.
2905         * inspector/remote/RemoteInspectorDebuggableConnection.mm: Include header <dispatch/dispatch.h>.
2906
2907 2015-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2908
2909         Implement ES6 Symbol
2910         https://bugs.webkit.org/show_bug.cgi?id=140435
2911
2912         Reviewed by Geoffrey Garen.
2913
2914         This patch implements ES6 Symbol. In this patch, we don't support
2915         Symbol.keyFor, Symbol.for, Object.getOwnPropertySymbols. They will be
2916         supported in the subsequent patches.
2917
2918         Since ES6 Symbol is introduced as a new primitive value, we implement
2919         Symbol as a class derived from JSCell. And now JSValue accepts Symbol*
2920         as a new primitive value.
2921
2922         Symbol has a *unique* flagged StringImpl* as a `uid`, whose pointer
2923         value represents the Symbol's identity. So don't use the Symbol's
2924         JSCell pointer value for comparison.
2925         This enables reproducing a Symbol primitive value from the StringImpl* uid
2926         by executing `Symbol::create(vm, uid)`. This is needed to produce
2927         Symbol primitive values from stored StringImpl* in `Object.getOwnPropertySymbols`.
2928
2929         And Symbol.[[Description]] is folded into the string value of the Symbol's uid.
2930         By doing so, we can represent ES6 Symbol without extending the current PropertyTable key, StringImpl*.
2931
2932         * CMakeLists.txt:
2933         * DerivedSources.make:
2934         * JavaScriptCore.order:
2935         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2936         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2937         * JavaScriptCore.xcodeproj/project.pbxproj:
2938         * builtins/BuiltinExecutables.cpp:
2939         (JSC::BuiltinExecutables::createBuiltinExecutable):
2940         * builtins/BuiltinNames.h:
2941         * dfg/DFGOperations.cpp:
2942         (JSC::DFG::operationPutByValInternal):
2943         * inspector/JSInjectedScriptHost.cpp:
2944         (Inspector::JSInjectedScriptHost::subtype):
2945         * interpreter/Interpreter.cpp:
2946         * jit/JITOperations.cpp:
2947         (JSC::getByVal):
2948         * llint/LLIntData.cpp:
2949         (JSC::LLInt::Data::performAssertions):
2950         * llint/LLIntSlowPaths.cpp:
2951         (JSC::LLInt::getByVal):
2952         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2953         * llint/LowLevelInterpreter.asm:
2954         * runtime/CommonIdentifiers.h:
2955         * runtime/CommonSlowPaths.cpp:
2956         (JSC::SLOW_PATH_DECL):
2957         * runtime/CommonSlowPaths.h:
2958         (JSC::CommonSlowPaths::opIn):
2959         * runtime/ExceptionHelpers.cpp:
2960         (JSC::createUndefinedVariableError):
2961         * runtime/JSCJSValue.cpp:
2962         (JSC::JSValue::synthesizePrototype):
2963         (JSC::JSValue::dumpInContextAssumingStructure):
2964         (JSC::JSValue::toStringSlowCase):
2965         * runtime/JSCJSValue.h:
2966         * runtime/JSCJSValueInlines.h:
2967         (JSC::JSValue::isSymbol):
2968         (JSC::JSValue::isPrimitive):
2969         (JSC::JSValue::toPropertyKey):
2970
2971         It represents the ToPropertyKey abstract operation in the ES6 spec.
2972         It cleans up the old implementation's `isName` checks.
2973         And to prevent performance regressions in
2974             js/regress/fold-get-by-id-to-multi-get-by-offset-rare-int.html
2975             js/regress/fold-get-by-id-to-multi-get-by-offset.html
2976         we annotate this function as ALWAYS_INLINE.
2977
2978         (JSC::JSValue::getPropertySlot):
2979         (JSC::JSValue::get):
2980         (JSC::JSValue::equalSlowCaseInline):
2981         (JSC::JSValue::strictEqualSlowCaseInline):
2982         * runtime/JSCell.cpp:
2983         (JSC::JSCell::put):
2984         (JSC::JSCell::putByIndex):
2985         (JSC::JSCell::toPrimitive):
2986         (JSC::JSCell::getPrimitiveNumber):
2987         (JSC::JSCell::toNumber):
2988         (JSC::JSCell::toObject):
2989         * runtime/JSCell.h:
2990         * runtime/JSCellInlines.h:
2991         (JSC::JSCell::isSymbol):
2992         (JSC::JSCell::toBoolean):
2993         (JSC::JSCell::pureToBoolean):
2994         * runtime/JSGlobalObject.cpp:
2995         (JSC::JSGlobalObject::init):
2996         (JSC::JSGlobalObject::visitChildren):
2997         * runtime/JSGlobalObject.h:
2998         (JSC::JSGlobalObject::symbolPrototype):
2999         (JSC::JSGlobalObject::symbolObjectStructure):
3000         * runtime/JSONObject.cpp:
3001         (JSC::Stringifier::Stringifier):
3002         * runtime/JSSymbolTableObject.cpp:
3003         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
3004         * runtime/JSType.h:
3005         * runtime/JSTypeInfo.h:
3006         (JSC::TypeInfo::isName): Deleted.
3007         * runtime/MapData.cpp:
3008         (JSC::MapData::find):
3009         (JSC::MapData::add):
3010         (JSC::MapData::remove):
3011         (JSC::MapData::replaceAndPackBackingStore):
3012         * runtime/MapData.h:
3013         (JSC::MapData::clear):
3014         * runtime/NameInstance.h: Removed.
3015         * runtime/NamePrototype.cpp: Removed.
3016         * runtime/ObjectConstructor.cpp:
3017         (JSC::objectConstructorGetOwnPropertyDescriptor):
3018         (JSC::objectConstructorDefineProperty):
3019         * runtime/ObjectPrototype.cpp:
3020         (JSC::objectProtoFuncHasOwnProperty):
3021         (JSC::objectProtoFuncDefineGetter):
3022         (JSC::objectProtoFuncDefineSetter):
3023         (JSC::objectProtoFuncLookupGetter):
3024         (JSC::objectProtoFuncLookupSetter):
3025         (JSC::objectProtoFuncPropertyIsEnumerable):
3026         * runtime/Operations.cpp:
3027         (JSC::jsTypeStringForValue):
3028         (JSC::jsIsObjectType):
3029         * runtime/PrivateName.h:
3030         (JSC::PrivateName::PrivateName):
3031         (JSC::PrivateName::operator==):
3032         (JSC::PrivateName::operator!=):
3033         * runtime/PropertyMapHashTable.h:
3034         (JSC::PropertyTable::find):
3035         (JSC::PropertyTable::get):
3036         * runtime/PropertyName.h:
3037         (JSC::PropertyName::PropertyName):
3038         (JSC::PropertyName::publicName):
3039         * runtime/SmallStrings.h:
3040         * runtime/StringConstructor.cpp:
3041         (JSC::callStringConstructor):
3042
3043         In ES6, the String constructor accepts a Symbol, to support `String(symbol)`.
3044
3045         * runtime/Structure.cpp:
3046         (JSC::Structure::getPropertyNamesFromStructure):
3047         * runtime/StructureInlines.h:
3048         (JSC::Structure::prototypeForLookup):
3049         * runtime/Symbol.cpp: Added.
3050         (JSC::Symbol::Symbol):
3051         (JSC::SymbolObject::create):
3052         (JSC::Symbol::toPrimitive):
3053         (JSC::Symbol::toBoolean):
3054         (JSC::Symbol::getPrimitiveNumber):
3055         (JSC::Symbol::toObject):
3056         (JSC::Symbol::toNumber):
3057         (JSC::Symbol::destroy):
3058         (JSC::Symbol::descriptiveString):
3059         * runtime/Symbol.h: Added.
3060         (JSC::Symbol::createStructure):
3061         (JSC::Symbol::create):
3062         (JSC::Symbol::privateName):
3063         (JSC::Symbol::finishCreation):
3064         (JSC::asSymbol):
3065         * runtime/SymbolConstructor.cpp: Renamed from Source/JavaScriptCore/runtime/NameConstructor.cpp.
3066         (JSC::SymbolConstructor::SymbolConstructor):
3067         (JSC::SymbolConstructor::finishCreation):
3068         (JSC::callSymbol):
3069         (JSC::SymbolConstructor::getConstructData):
3070         (JSC::SymbolConstructor::getCallData):
3071         * runtime/SymbolConstructor.h: Renamed from Source/JavaScriptCore/runtime/NameConstructor.h.
3072         (JSC::SymbolConstructor::create):
3073         (JSC::SymbolConstructor::createStructure):
3074         * runtime/SymbolObject.cpp: Renamed from Source/JavaScriptCore/runtime/NameInstance.cpp.
3075         (JSC::SymbolObject::SymbolObject):
3076         (JSC::SymbolObject::finishCreation):
3077         (JSC::SymbolObject::defaultValue):
3078
3079         Currently JSC doesn't support @@toPrimitive. So instead, we implement
3080         Symbol.prototype[@@toPrimitive] as ES5 Symbol.[[DefaultValue]].
3081
3082         * runtime/SymbolObject.h: Added.
3083         (JSC::SymbolObject::create):
3084         (JSC::SymbolObject::internalValue):
3085         (JSC::SymbolObject::createStructure):
3086         * runtime/SymbolPrototype.cpp: Added.
3087         (JSC::SymbolPrototype::SymbolPrototype):
3088         (JSC::SymbolPrototype::finishCreation):
3089         (JSC::SymbolPrototype::getOwnPropertySlot):
3090         (JSC::symbolProtoFuncToString):
3091         (JSC::symbolProtoFuncValueOf):
3092         * runtime/SymbolPrototype.h: Renamed from Source/JavaScriptCore/runtime/NamePrototype.h.
3093         (JSC::SymbolPrototype::create):
3094         (JSC::SymbolPrototype::createStructure):
3095
3096         The SymbolPrototype object is an ordinary JS object, not a wrapper object of Symbol.
3097         It is tested in js/symbol-prototype-is-ordinary-object.html.
3098
3099         * runtime/VM.cpp:
3100         (JSC::VM::VM):
3101         * runtime/VM.h:
3102
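The Symbol entry above makes several semantic commitments that are observable from script: identity lives in the uid rather than the description, symbols are primitives that `Object()` wraps into a distinct SymbolObject, ToPropertyKey keeps a symbol key as-is while stringifying anything else, `String(symbol)` is allowed while implicit ToString is not, and Symbol.prototype is an ordinary object rather than a wrapper. The block below is an added example, not JavaScriptCore code or one of its tests; it runs in any ES6 engine and returns each observation from a named function so they can be checked.

```javascript
// Added example (not JavaScriptCore code): observable ES6 Symbol semantics
// that the ChangeLog entry implements. Runs in any ES6 engine.

function symbolIdentity() {
  const a = Symbol("desc");
  const b = Symbol("desc");          // same description, distinct identity
  return {
    type: typeof a,                  // "symbol": a primitive, not an object
    sameDescription: String(a) === String(b),   // "Symbol(desc)" both times
    equal: a === b,                  // false: identity is the uid, not the text
    wrapperIsDistinct: Object(a) !== a,         // Object() yields a SymbolObject
    wrapperUnwraps: Object(a).valueOf() === a,  // internalValue is the symbol
  };
}

// ToPropertyKey: a symbol key is kept as-is, any other key is stringified,
// so obj[sym] and obj[String(sym)] address two different properties.
function propertyKeys() {
  const sym = Symbol("k");
  const obj = {};
  obj[sym] = "by symbol";
  obj[String(sym)] = "by string";
  return {
    viaSymbol: obj[sym],
    viaString: obj["Symbol(k)"],
    stringKeysOnly: Object.keys(obj),          // symbol keys are not listed
  };
}

// String(symbol) and symbol.toString() are allowed; implicit ToString
// (e.g. concatenation) throws a TypeError.
function stringConversion() {
  const sym = Symbol("s");
  const explicit = String(sym);
  let implicitThrows = false;
  try { "" + sym; } catch (e) { implicitThrows = e instanceof TypeError; }
  return { explicit, implicitThrows, toStringMethod: sym.toString() };
}

// Symbol.prototype is an ordinary object: it inherits from Object.prototype
// and has no symbol of its own, so Symbol.prototype.valueOf() rejects it.
function prototypeIsOrdinary() {
  let valueOfThrows = false;
  try { Symbol.prototype.valueOf(); } catch (e) { valueOfThrows = e instanceof TypeError; }
  return {
    inheritsFromObject: Object.getPrototypeOf(Symbol.prototype) === Object.prototype,
    valueOfThrows,
  };
}
```

The `propertyKeys` case is the one worth remembering from a robustness standpoint: code that stringifies keys before lookup (for logging, serialisation or access checks) silently collapses a symbol-keyed property onto a string-keyed one, which is exactly the confusion the ToPropertyKey split is designed to prevent.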
3103 2015-01-30  Geoffrey Garen  <ggaren@apple.com>
3104
3105         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
3106         https://bugs.webkit.org/show_bug.cgi?id=140900
3107
3108         Reviewed by Mark Hahnenberg.
3109
3110         Re-landing just the HandleBlock piece of this patch.
3111
3112         * heap/HandleBlock.h:
3113         * heap/HandleBlockInlines.h:
3114         (JSC::HandleBlock::create):
3115         (JSC::HandleBlock::destroy):
3116         (JSC::HandleBlock::HandleBlock):
3117         (JSC::HandleBlock::payloadEnd):
3118         * heap/HandleSet.cpp:
3119         (JSC::HandleSet::~HandleSet):
3120         (JSC::HandleSet::grow):
3121
3122 2015-01-30  Geoffrey Garen  <ggaren@apple.com>
3123
3124         GC marking threads should clear malloc caches
3125         https://bugs.webkit.org/show_bug.cgi?id=141097
3126
3127         Reviewed by Sam Weinig.
3128
3129         Follow-up based on Mark Hahnenberg's review: Release after the copy
3130         phase, rather than after any phase, since we'd rather not release
3131         between marking and copying.
3132
3133         * heap/GCThread.cpp:
3134         (JSC::GCThread::waitForNextPhase):
3135         (JSC::GCThread::gcThreadMain):
3136
3137 2015-01-30  Geoffrey Garen  <ggaren@apple.com>
3138
3139         GC marking threads should clear malloc caches
3140         https://bugs.webkit.org/show_bug.cgi?id=141097
3141
3142         Reviewed by Andreas Kling.
3143
3144         This is an attempt to ameliorate a potential memory use regression
3145         caused by https://bugs.webkit.org/show_bug.cgi?id=140900
3146         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages.
3147
3148         FastMalloc may accumulate a per-thread cache on each of the 8-ish
3149         GC marking threads, which can be expensive.
3150
3151         * heap/GCThread.cpp:
3152         (JSC::GCThread::waitForNextPhase): Scavenge the current thread before
3153         going to sleep. There's probably not too much value to keeping our
3154         per-thread cache between GCs, and it has some memory footprint.
3155
3156 2015-01-30  Chris Dumez  <cdumez@apple.com>
3157
3158         Rename shared() static member functions to singleton() for singleton classes.
3159         https://bugs.webkit.org/show_bug.cgi?id=141088
3160
3161         Reviewed by Ryosuke Niwa and Benjamin Poulain.
3162
3163         Rename shared() static member functions to singleton() for singleton
3164         classes as per the recent coding style change.
3165
3166         * inspector/remote/RemoteInspector.h:
3167         * inspector/remote/RemoteInspector.mm:
3168         (Inspector::RemoteInspector::singleton):
3169         (Inspector::RemoteInspector::start):
3170         (Inspector::RemoteInspector::shared): Deleted.
3171         * inspector/remote/RemoteInspectorDebuggable.cpp:
3172         (Inspector::RemoteInspectorDebuggable::~RemoteInspectorDebuggable):
3173         (Inspector::RemoteInspectorDebuggable::init):
3174         (Inspector::RemoteInspectorDebuggable::update):
3175         (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
3176         (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection):
3177         (Inspector::RemoteInspectorDebuggable::unpauseForInitializedInspector):
3178         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
3179         (Inspector::RemoteInspectorDebuggableConnection::setup):
3180         (Inspector::RemoteInspectorDebuggableConnection::sendMessageToFrontend):
3181
3182 2015-01-30  Geoffrey Garen  <ggaren@apple.com>
3183
3184         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
3185         https://bugs.webkit.org/show_bug.cgi?id=140900
3186
3187         Reviewed by Mark Hahnenberg.
3188
3189         Re-landing just the CopyWorkListSegment piece of this patch.
3190
3191         * heap/CopiedBlockInlines.h:
3192         (JSC::CopiedBlock::reportLiveBytes):
3193         * heap/CopyWorkList.h:
3194         (JSC::CopyWorkListSegment::create):
3195         (JSC::CopyWorkListSegment::destroy):
3196         (JSC::CopyWorkListSegment::CopyWorkListSegment):
3197         (JSC::CopyWorkList::CopyWorkList):
3198         (JSC::CopyWorkList::~CopyWorkList):
3199         (JSC::CopyWorkList::append):
3200
3201 2015-01-29  Commit Queue  <commit-queue@webkit.org>
3202
3203         Unreviewed, rolling out r179357 and r179358.
3204         https://bugs.webkit.org/show_bug.cgi?id=141062
3205
3206         Suspect this caused WebGL tests to start flaking (Requested by
3207         kling on #webkit).
3208
3209         Reverted changesets:
3210
3211         "Polymorphic call inlining should be based on polymorphic call
3212         inline caching rather than logging"
3213         https://bugs.webkit.org/show_bug.cgi?id=140660
3214         http://trac.webkit.org/changeset/179357
3215
3216         "Unreviewed, fix no-JIT build."
3217         http://trac.webkit.org/changeset/179358
3218
3219 2015-01-29  Geoffrey Garen  <ggaren@apple.com>
3220
3221         Removed op_ret_object_or_this
3222         https://bugs.webkit.org/show_bug.cgi?id=141048
3223
3224         Reviewed by Michael Saboff.
3225
3226         op_ret_object_or_this was one opcode that would keep us out of the
3227         optimizing compilers.
3228
3229         We don't need a special-purpose opcode; we can just use a branch.
3230
3231         * bytecode/BytecodeBasicBlock.cpp:
3232         (JSC::isTerminal): Removed.
3233         * bytecode/BytecodeList.json:
3234         * bytecode/BytecodeUseDef.h:
3235         (JSC::computeUsesForBytecodeOffset):
3236         (JSC::computeDefsForBytecodeOffset): Removed.
3237
3238         * bytecode/CodeBlock.cpp:
3239         (JSC::CodeBlock::dumpBytecode): Removed.
3240
3241         * bytecompiler/BytecodeGenerator.cpp:
3242         (JSC::BytecodeGenerator::emitReturn): Use an explicit branch to determine
3243         if we need to substitute 'this' for the return value. Our engine no longer
3244         benefits from fused opcodes that dispatch less in the interpreter.
3245
3246         * jit/JIT.cpp:
3247         (JSC::JIT::privateCompileMainPass):
3248         * jit/JIT.h:
3249         * jit/JITCall32_64.cpp:
3250         (JSC::JIT::emit_op_ret_object_or_this): Deleted.
3251         * jit/JITOpcodes.cpp:
3252         (JSC::JIT::emit_op_ret_object_or_this): Deleted.
3253         * llint/LowLevelInterpreter32_64.asm:
3254         * llint/LowLevelInterpreter64.asm: Removed.
3255
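The rule that op_ret_object_or_this encoded, and that the entry above now expresses as an explicit branch in emitReturn, is the constructor-return rule of `[[Construct]]`: an explicit return value from a constructor only replaces `this` if it is an object. The block below is an added illustration, not JavaScriptCore code: `construct` is a hypothetical hand-rolled `[[Construct]]`, `returnValueOrThis` is the branch itself, and `compareWithNew` checks the hand-rolled version against the engine's own `new` for the three interesting cases.

```javascript
// Added example (not JavaScriptCore code): the constructor-return rule that
// op_ret_object_or_this used to implement in one opcode and that the entry
// replaces with an explicit branch. `construct` models [[Construct]] by hand;
// the branch in `returnValueOrThis` is the one emitReturn now emits.

function isObjectLike(v) {
  return (typeof v === "object" && v !== null) || typeof v === "function";
}

// The branch: a constructor's explicit return value only wins if it is an object.
function returnValueOrThis(thisValue, returned) {
  return isObjectLike(returned) ? returned : thisValue;
}

// Hand-rolled construct: allocate `this`, run the body, apply the branch.
function construct(Ctor, ...args) {
  const thisValue = Object.create(Ctor.prototype);
  const returned = Ctor.apply(thisValue, args);
  return returnValueOrThis(thisValue, returned);
}

function ReturnsPrimitive(x) { this.x = x; return 42; }         // 42 is discarded
function ReturnsObject(x) { this.x = x; return { override: true }; } // object wins
function ReturnsNothing(x) { this.x = x; }                       // undefined -> this

// Compare the hand-rolled version against the engine's `new` for each case.
function compareWithNew() {
  const cases = [ReturnsPrimitive, ReturnsObject, ReturnsNothing];
  return cases.map((Ctor) => {
    const mine = construct(Ctor, 7);
    const real = new Ctor(7);
    return {
      name: Ctor.name,
      sameShape: JSON.stringify(mine) === JSON.stringify(real),
      usedThis: mine instanceof Ctor,
    };
  });
}
```

The `ReturnsObject` case is the one to keep in mind when reviewing constructor code: a constructor that returns a foreign object hands the caller something that is not an instance of the constructor at all, so `instanceof` checks downstream do not hold.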
3256 2015-01-29  Ryosuke Niwa  <rniwa@webkit.org>
3257
3258         Implement ES6 class syntax without inheritance support
3259         https://bugs.webkit.org/show_bug.cgi?id=140918
3260
3261         Reviewed by Geoffrey Garen.
3262
3263         Added the most basic support for ES6 class syntax. After this patch, we support basic class definition like:
3264         class A {
3265             constructor() { }
3266             someMethod() { }
3267         }
3268
3269         We'll add the support for the "extends" keyword and automatically generating a constructor in follow-up patches.
3270         We also don't support block scoping of a class declaration.
3271
3272         We support both class declaration and class expression. A class expression is implemented by the newly added
3273         ClassExprNode AST node. A class declaration is implemented by ClassDeclNode, which is a thin wrapper around
3274         AssignResolveNode.
3275
3276         Tests: js/class-syntax-declaration.html
3277                js/class-syntax-expression.html
3278
3279         * bytecompiler/NodesCodegen.cpp:
3280         (JSC::ObjectLiteralNode::emitBytecode): Create a new object instead of delegating the work to PropertyListNode.
3281         Also fixed the 5-space indentation.
3282         (JSC::PropertyListNode::emitBytecode): Don't create a new object now that ObjectLiteralNode does this.
3283         (JSC::ClassDeclNode::emitBytecode): Added. Just let the AssignResolveNode node emit the byte code.
3284         (JSC::ClassExprNode::emitBytecode): Create the class constructor and add static methods to the constructor by
3285         emitting the byte code for PropertyListNode. Add instance methods to the class's prototype object the same way.
3286
3287         * parser/ASTBuilder.h:
3288         (JSC::ASTBuilder::createClassExpr): Added. Creates a ClassExprNode.
3289         (JSC::ASTBuilder::createClassDeclStatement): Added. Creates an AssignResolveNode and wraps it by a ClassDeclNode.
3290
3291         * parser/NodeConstructors.h:
3292         (JSC::ClassDeclNode::ClassDeclNode): Added.
3293         (JSC::ClassExprNode::ClassExprNode): Added.
3294
3295         * parser/Nodes.h:
3296         (JSC::ClassExprNode): Added.
3297         (JSC::ClassDeclNode): Added.
3298
3299         * parser/Parser.cpp:
3300         (JSC::Parser<LexerType>::parseStatement): Added the support for class declaration.
3301         (JSC::stringForFunctionMode): Return "method" for MethodMode.
3302         (JSC::Parser<LexerType>::parseClassDeclaration): Added. Uses parseClass to create a class expression and wraps
3303         it with ClassDeclNode as described above.
3304         (JSC::Parser<LexerType>::parseClass): Parses a class expression.
3305         (JSC::Parser<LexerType>::parseProperty):
3306         (JSC::Parser<LexerType>::parseGetterSetter): Extracted from parseProperty to share the code between parseProperty
3307         and parseClass.
3308         (JSC::Parser<LexerType>::parsePrimaryExpression): Added the support for class expression.
3309
3310         * parser/Parser.h:
3311         (FunctionParseMode): Added MethodMode.
3312
3313         * parser/SyntaxChecker.h:
3314         (JSC::SyntaxChecker::createClassExpr): Added.
3315         (JSC::SyntaxChecker::createClassDeclStatement): Added.
3316
3317 2015-01-29  Geoffrey Garen  <ggaren@apple.com>
3318
3319         Try to fix the Windows build.
3320
3321         Not reviewed.
3322
3323         * heap/WeakBlock.h: Use the fully qualified name when declaring our friend.
3324
3325 2015-01-29  Geoffrey Garen  <ggaren@apple.com>
3326
3327         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
3328         https://bugs.webkit.org/show_bug.cgi?id=140900
3329
3330         Reviewed by Mark Hahnenberg.
3331
3332         Re-landing just the WeakBlock piece of this patch.
3333
3334         * heap/WeakBlock.cpp:
3335         (JSC::WeakBlock::create):
3336         (JSC::WeakBlock::destroy):
3337         (JSC::WeakBlock::WeakBlock):
3338         * heap/WeakBlock.h:
3339         * heap/WeakSet.cpp:
3340         (JSC::WeakSet::~WeakSet):
3341         (JSC::WeakSet::addAllocator):
3342         (JSC::WeakSet::removeAllocator):
3343
3344 2015-01-29  Geoffrey Garen  <ggaren@apple.com>
3345
3346         Use Vector instead of GCSegmentedArray in CodeBlockSet
3347         https://bugs.webkit.org/show_bug.cgi?id=141044
3348
3349         Reviewed by Ryosuke Niwa.
3350
3351         This is allowed now that we've gotten rid of fastMallocForbid.
3352
3353         4kB was a bit overkill for just storing a few pointers.
3354
3355         * heap/CodeBlockSet.cpp:
3356         (JSC::CodeBlockSet::CodeBlockSet):
3357         * heap/CodeBlockSet.h:
3358         * heap/Heap.cpp:
3359         (JSC::Heap::Heap):
3360
3361 2015-01-29  Filip Pizlo  <fpizlo@apple.com>
3362
3363         Unreviewed, fix no-JIT build.
3364
3365         * jit/PolymorphicCallStubRoutine.cpp:
3366
3367 2015-01-28  Filip Pizlo  <fpizlo@apple.com>
3368
3369         Polymorphic call inlining should be based on polymorphic call inline caching rather than logging
3370         https://bugs.webkit.org/show_bug.cgi?id=140660
3371
3372         Reviewed by Geoffrey Garen.
3373         
3374         When we first implemented polymorphic call inlining, we did the profiling based on a call
3375         edge log. The idea was to store each call edge (a tuple of call site and callee) into a
3376         global log that was processed lazily. Processing the log would give precise counts of call
3377         edges, and could be used to drive well-informed inlining decisions - polymorphic or not.
3378         This was a speed-up on throughput tests but a slow-down for latency tests. It was a net win
3379         nonetheless.
3380         
3381         Experience with this code shows three things. First, the call edge profiler is buggy and
3382         complex. It would take work to fix the bugs. Second, the call edge profiler incurs lots of
3383         overhead for latency code that we care deeply about. Third, it's not at all clear that
3384         having call edge counts for every possible callee is any better than just having call edge
3385         counts for the limited number of callees that an inline cache would catch.
3386         
3387         So, this patch removes the call edge profiler and replaces it with a polymorphic call inline
3388         cache. If we miss the basic call inline cache, we inflate the cache to be a jump to an
3389         out-of-line stub that cases on the previously known callees. If that misses again, then we
3390         rewrite that stub to include the new callee. We do this up to some number of callees. If we
3391         hit the limit then we switch to using a plain virtual call.
3392         
3393         Substantial speed-up on V8Spider; undoes the slow-down that the original call edge profiler
3394         caused. Might be a SunSpider speed-up (below 1%), depending on hardware.
3395
3396         * CMakeLists.txt:
3397         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3398         * JavaScriptCore.xcodeproj/project.pbxproj:
3399         * bytecode/CallEdge.h:
3400         (JSC::CallEdge::count):
3401         (JSC::CallEdge::CallEdge):
3402         * bytecode/CallEdgeProfile.cpp: Removed.
3403         * bytecode/CallEdgeProfile.h: Removed.
3404         * bytecode/CallEdgeProfileInlines.h: Removed.
3405         * bytecode/CallLinkInfo.cpp:
3406         (JSC::CallLinkInfo::unlink):
3407         (JSC::CallLinkInfo::visitWeak):
3408         * bytecode/CallLinkInfo.h:
3409         * bytecode/CallLinkStatus.cpp:
3410         (JSC::CallLinkStatus::CallLinkStatus):
3411         (JSC::CallLinkStatus::computeFor):
3412         (JSC::CallLinkStatus::computeFromCallLinkInfo):
3413         (JSC::CallLinkStatus::isClosureCall):
3414         (JSC::CallLinkStatus::makeClosureCall):
3415         (JSC::CallLinkStatus::dump):
3416         (JSC::CallLinkStatus::computeFromCallEdgeProfile): Deleted.
3417         * bytecode/CallLinkStatus.h:
3418         (JSC::CallLinkStatus::CallLinkStatus):
3419         (JSC::CallLinkStatus::isSet):
3420         (JSC::CallLinkStatus::variants):
3421         (JSC::CallLinkStatus::size):
3422         (JSC::CallLinkStatus::at):
3423         (JSC::CallLinkStatus::operator[]):
3424         (JSC::CallLinkStatus::canOptimize):
3425         (JSC::CallLinkStatus::edges): Deleted.
3426         (JSC::CallLinkStatus::canTrustCounts): Deleted.
3427         * bytecode/CallVariant.cpp:
3428         (JSC::variantListWithVariant):
3429         (JSC::despecifiedVariantList):
3430         * bytecode/CallVariant.h:
3431         * bytecode/CodeBlock.cpp:
3432         (JSC::CodeBlock::~CodeBlock):
3433         (JSC::CodeBlock::linkIncomingPolymorphicCall):
3434         (JSC::CodeBlock::unlinkIncomingCalls):
3435         (JSC::CodeBlock::noticeIncomingCall):
3436         * bytecode/CodeBlock.h:
3437         (JSC::CodeBlock::isIncomingCallAlreadyLinked): Deleted.
3438         * dfg/DFGAbstractInterpreterInlines.h:
3439         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3440         * dfg/DFGByteCodeParser.cpp:
3441         (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
3442         (JSC::DFG::ByteCodeParser::handleCall):
3443         (JSC::DFG::ByteCodeParser::handleInlining):
3444         * dfg/DFGClobberize.h:
3445         (JSC::DFG::clobberize):
3446         * dfg/DFGConstantFoldingPhase.cpp:
3447         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3448         * dfg/DFGDoesGC.cpp:
3449         (JSC::DFG::doesGC):
3450         * dfg/DFGDriver.cpp:
3451         (JSC::DFG::compileImpl):
3452         * dfg/DFGFixupPhase.cpp:
3453         (JSC::DFG::FixupPhase::fixupNode):
3454         * dfg/DFGNode.h:
3455         (JSC::DFG::Node::hasHeapPrediction):
3456         * dfg/DFGNodeType.h:
3457         * dfg/DFGOperations.cpp:
3458         * dfg/DFGPredictionPropagationPhase.cpp:
3459         (JSC::DFG::PredictionPropagationPhase::propagate):
3460         * dfg/DFGSafeToExecute.h:
3461         (JSC::DFG::safeToExecute):
3462         * dfg/DFGSpeculativeJIT32_64.cpp:
3463         (JSC::DFG::SpeculativeJIT::emitCall):
3464         (JSC::DFG::SpeculativeJIT::compile):
3465         * dfg/DFGSpeculativeJIT64.cpp:
3466         (JSC::DFG::SpeculativeJIT::emitCall):
3467         (JSC::DFG::SpeculativeJIT::compile):
3468         * dfg/DFGTierUpCheckInjectionPhase.cpp:
3469         (JSC::DFG::TierUpCheckInjectionPhase::run):
3470         (JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling): Deleted.
3471         * ftl/FTLCapabilities.cpp:
3472         (JSC::FTL::canCompile):
3473         * heap/Heap.cpp:
3474         (JSC::Heap::collect):
3475         * jit/BinarySwitch.h:
3476         * jit/ClosureCallStubRoutine.cpp: Removed.
3477         * jit/ClosureCallStubRoutine.h: Removed.
3478         * jit/JITCall.cpp:
3479         (JSC::JIT::compileOpCall):
3480         * jit/JITCall32_64.cpp:
3481         (JSC::JIT::compileOpCall):
3482         * jit/JITOperations.cpp:
3483         * jit/JITOperations.h:
3484         (JSC::operationLinkPolymorphicCallFor):
3485         (JSC::operationLinkClosureCallFor): Deleted.
3486         * jit/JITStubRoutine.h:
3487         * jit/JITWriteBarrier.h:
3488         * jit/PolymorphicCallStubRoutine.cpp: Added.
3489         (JSC::PolymorphicCallNode::~PolymorphicCallNode):
3490         (JSC::PolymorphicCallNode::unlink):
3491         (JSC::PolymorphicCallCase::dump):
3492         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
3493         (JSC::PolymorphicCallStubRoutine::~PolymorphicCallStubRoutine):
3494         (JSC::PolymorphicCallStubRoutine::variants):
3495         (JSC::PolymorphicCallStubRoutine::edges):
3496         (JSC::PolymorphicCallStubRoutine::visitWeak):
3497         (JSC::PolymorphicCallStubRoutine::markRequiredObjectsInternal):
3498         * jit/PolymorphicCallStubRoutine.h: Added.
3499         (JSC::PolymorphicCallNode::PolymorphicCallNode):
3500         (JSC::PolymorphicCallCase::PolymorphicCallCase):
3501         (JSC::PolymorphicCallCase::variant):
3502         (JSC::PolymorphicCallCase::codeBlock):
3503         * jit/Repatch.cpp:
3504         (JSC::linkSlowFor):
3505         (JSC::linkFor):
3506         (JSC::revertCall):
3507         (JSC::unlinkFor):
3508         (JSC::linkVirtualFor):
3509         (JSC::linkPolymorphicCall):
3510         (JSC::linkClosureCall): Deleted.
3511         * jit/Repatch.h:
3512         * jit/ThunkGenerators.cpp:
3513         (JSC::linkPolymorphicCallForThunkGenerator):
3514         (JSC::linkPolymorphicCallThunkGenerator):
3515         (JSC::linkPolymorphicCallThatPreservesRegsThunkGenerator):
3516         (JSC::linkClosureCallForThunkGenerator): Deleted.
3517         (JSC::linkClosureCallThunkGenerator): Deleted.
3518         (JSC::linkClosureCallThatPreservesRegsThunkGenerator): Deleted.
3519         * jit/ThunkGenerators.h:
3520         (JSC::linkPolymorphicCallThunkGeneratorFor):
3521         (JSC::linkClosureCallThunkGeneratorFor): Deleted.
3522         * llint/LLIntSlowPaths.cpp:
3523         (JSC::LLInt::jitCompileAndSetHeuristics):
3524         * runtime/Options.h:
3525         * runtime/VM.cpp:
3526         (JSC::VM::prepareToDiscardCode):
3527         (JSC::VM::ensureCallEdgeLog): Deleted.
3528         * runtime/VM.h:
3529
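As an added illustration (not JSC code and not part of this patch), the model below walks one call site through the transitions described above: the basic inline cache, an out-of-line stub that is rewritten to add each newly seen callee, and finally a plain virtual call once a hypothetical limit of three stub cases would be exceeded. `CallSite`, `Callee`, the counters and the limit are all assumptions of this example.

```cpp
#include <cstddef>
#include <vector>

// Added model (not JSC's CallLinkInfo or PolymorphicCallStubRoutine) of the
// call-site cache described above: a basic inline cache that inflates into an
// out-of-line stub casing on the callees seen so far, is rewritten on each
// further miss, and gives way to a plain virtual call past a fixed limit.
enum class CallSiteState { Unlinked, Monomorphic, Polymorphic, Virtual };

struct Callee { int id; int (*code)(int); }; // id = function identity, code = entry point

class CallSite {
public:
    explicit CallSite(size_t maxStubCases) : m_maxStubCases(maxStubCases) {}

    // One call through this site; the cache transitions mirror the
    // link / link-polymorphic / link-virtual steps described above.
    int call(const Callee& callee, int arg)
    {
        switch (m_state) {
        case CallSiteState::Unlinked:
            m_cases.push_back(callee); // first call links the basic inline cache
            m_state = CallSiteState::Monomorphic;
            ++m_misses;
            break;
        case CallSiteState::Monomorphic:
        case CallSiteState::Polymorphic:
            if (knows(callee)) {
                ++m_hits;
                break;
            }
            ++m_misses;
            if (m_cases.size() + 1 > m_maxStubCases) {
                // Too many callees: drop the stub and go virtual for good.
                m_cases.clear();
                m_state = CallSiteState::Virtual;
            } else {
                // Inflate to, or rewrite, the stub so it also cases on this callee.
                m_cases.push_back(callee);
                m_state = CallSiteState::Polymorphic;
            }
            break;
        case CallSiteState::Virtual:
            ++m_virtualCalls;
            break;
        }
        return callee.code(arg); // the call itself happens either way
    }

    CallSiteState state() const { return m_state; }
    size_t caseCount() const { return m_cases.size(); }
    unsigned hits() const { return m_hits; }
    unsigned misses() const { return m_misses; }
    unsigned virtualCalls() const { return m_virtualCalls; }

private:
    bool knows(const Callee& callee) const
    {
        for (const Callee& known : m_cases)
            if (known.id == callee.id) return true;
        return false;
    }

    CallSiteState m_state { CallSiteState::Unlinked };
    std::vector<Callee> m_cases;
    size_t m_maxStubCases;
    unsigned m_hits { 0 };
    unsigned m_misses { 0 };
    unsigned m_virtualCalls { 0 };
};

// Constructed callees standing in for four distinct functions.
static int addOne(int x) { return x + 1; }
static int twice(int x) { return 2 * x; }
static int square(int x) { return x * x; }
static int negate(int x) { return -x; }

// Drives a constructed call sequence through one site with a stub limit of 3.
CallSite runScenario()
{
    CallSite site(3);
    Callee f1 { 1, addOne }, f2 { 2, twice }, f3 { 3, square }, f4 { 4, negate };
    site.call(f1, 1); // miss: Unlinked -> Monomorphic
    site.call(f1, 2); // hit in the basic inline cache
    site.call(f2, 3); // miss: inflate to a stub casing on {f1, f2}
    site.call(f1, 4); // hit through the stub
    site.call(f3, 5); // miss: rewrite the stub to {f1, f2, f3}
    site.call(f4, 6); // miss: a fourth case exceeds the limit -> Virtual
    site.call(f1, 7); // nothing is cached any more; plain virtual call
    return site;
}
```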
3530 2015-01-29  Joseph Pecoraro  <pecoraro@apple.com>
3531
3532         Web Inspector: ES6: Improved Console Format for Set and Map Objects (like Arrays)
3533         https://bugs.webkit.org/show_bug.cgi?id=122867
3534
3535         Reviewed by Timothy Hatcher.
3536
3537         Add new Runtime.RemoteObject object subtypes for "map", "set", and "weakmap".
3538
3539         Upgrade Runtime.ObjectPreview to include type/subtype information. Now,
3540         an ObjectPreview can be used for any value, in place of a RemoteObject,
3541         and not capture / hold a reference to the value. The value will be in
3542         the string description.
3543
3544         Adding this information to ObjectPreview can duplicate some information
3545         in the protocol messages if a preview is provided, but simplifies
3546         previews, so that all the information you need for any RemoteObject
3547         preview is available. To slim messages further, make "overflow" and
3548         "properties" only available on previews that may contain properties.
3549         So, not primitives or null.
3550
3551         Finally, for "Map/Set/WeakMap" add an "entries" list to the preview
3552         that will return previews with "key" and "value" properties depending
3553         on the collection type. To get live, non-preview objects from a
3554         collection, use Runtime.getCollectionEntries.
3555
3556         In order to keep the WeakMap's values Weak the frontend may provide
3557         a unique object group name when getting collection entries. It may
3558         then release that object group, e.g. when not showing the WeakMap's
3559         values to the user, and thus remove the strong reference to the keys
3560         so they may be garbage collected.
3561
3562         * runtime/WeakMapData.h:
3563         (JSC::WeakMapData::begin):
3564         (JSC::WeakMapData::end):
3565         Expose iterators so the Inspector may access WeakMap keys/values.
3566
3567         * inspector/JSInjectedScriptHostPrototype.cpp:
3568         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
3569         (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapEntries):
3570         * inspector/JSInjectedScriptHost.h:
3571         * inspector/JSInjectedScriptHost.cpp:
3572         (Inspector::JSInjectedScriptHost::subtype):
3573         Discern "map", "set", and "weakmap" object subtypes.
3574
3575         (Inspector::JSInjectedScriptHost::weakMapEntries):
3576         Return a list of WeakMap entries. These are strong references
3577         that the Inspector code is responsible for releasing.
3578
3579         * inspector/protocol/Runtime.json:
3580         Update types and expose the new getCollectionEntries command.
3581
3582         * inspector/agents/InspectorRuntimeAgent.h:
3583         * inspector/agents/InspectorRuntimeAgent.cpp:
3584         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
3585         * inspector/InjectedScript.h:
3586         * inspector/InjectedScript.cpp:
3587         (Inspector::InjectedScript::getInternalProperties):
3588         (Inspector::InjectedScript::getCollectionEntries):
3589         Pass through to the InjectedScript and call getCollectionEntries.
3590
3591         * inspector/scripts/codegen/generator.py:
3592         Add another type with runtime casting.
3593
3594         * inspector/InjectedScriptSource.js:
3595         - Implement getCollectionEntries to get a range of values from a
3596         collection. The non-Weak collections have an order to their keys (in
3597         order of added) so range'd gets are okay. WeakMap does not have an
3598         order, so only allow fetching a number of values.
3599         - Update preview generation to address the Runtime.ObjectPreview
3600         type changes.
3601
3602 2015-01-28  Geoffrey Garen  <ggaren@apple.com>
3603
3604         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
3605         https://bugs.webkit.org/show_bug.cgi?id=140900
3606
3607         Reviewed by Mark Hahnenberg.
3608
3609         Re-landing just the GCArraySegment piece of this patch.
3610
3611         * heap/CodeBlockSet.cpp:
3612         (JSC::CodeBlockSet::CodeBlockSet):
3613         * heap/CodeBlockSet.h:
3614         * heap/GCSegmentedArray.h:
3615         (JSC::GCArraySegment::GCArraySegment):
3616         * heap/GCSegmentedArrayInlines.h:
3617         (JSC::GCSegmentedArray<T>::GCSegmentedArray):
3618         (JSC::GCSegmentedArray<T>::~GCSegmentedArray):
3619         (JSC::GCSegmentedArray<T>::clear):
3620         (JSC::GCSegmentedArray<T>::expand):
3621         (JSC::GCSegmentedArray<T>::refill):
3622         (JSC::GCArraySegment<T>::create):
3623         (JSC::GCArraySegment<T>::destroy):
3624         * heap/GCThreadSharedData.cpp:
3625         (JSC::GCThreadSharedData::GCThreadSharedData):
3626         * heap/Heap.cpp:
3627         (JSC::Heap::Heap):
3628         * heap/MarkStack.cpp:
3629         (JSC::MarkStackArray::MarkStackArray):
3630         * heap/MarkStack.h:
3631         * heap/SlotVisitor.cpp:
3632         (JSC::SlotVisitor::SlotVisitor):
3633
3634 2015-01-29  Csaba Osztrogonác  <ossy@webkit.org>
3635
3636         Move HAVE_DTRACE definition back to Platform.h
3637         https://bugs.webkit.org/show_bug.cgi?id=141033
3638
3639         Reviewed by Dan Bernstein.
3640
3641         * Configurations/Base.xcconfig:
3642         * JavaScriptCore.xcodeproj/project.pbxproj:
3643
3644 2015-01-28  Geoffrey Garen  <ggaren@apple.com>
3645
3646         Removed fastMallocForbid / fastMallocAllow
3647         https://bugs.webkit.org/show_bug.cgi?id=141012
3648
3649         Reviewed by Mark Hahnenberg.
3650
3651         Copy non-current thread stacks before scanning them instead of scanning
3652         them in-place.
3653
3654         This operation is uncommon (i.e., never in the web content process),
3655         and even in a stress test with 4 threads it only copies about 27kB,
3656         so I think the performance cost is OK.
3657
3658         Scanning in-place requires a complex dance where we constrain our GC
3659         data structures not to use malloc, free, or any other interesting functions
3660         that might acquire locks. We've gotten this wrong many times in the past,
3661         and I just got it wrong again yesterday. Since this code path is rarely
3662         tested, I want it to just make sense, and not depend on or constrain the
3663         details of the rest of the GC heap's design.
3664
3665         * heap/MachineStackMarker.cpp:
3666         (JSC::otherThreadStack): Factored out a helper function for dealing with
3667         unaligned and/or backwards pointers.
3668
3669         (JSC::MachineThreads::tryCopyOtherThreadStack): This is now the only
3670         constrained function, and it only calls memcpy and low-level thread APIs.
3671
3672         (JSC::MachineThreads::tryCopyOtherThreadStacks): The design here is that
3673         you do one pass over all the threads to compute their combined size,
3674         and then a second pass to do all the copying. In theory, the threads may
3675         grow in between passes, in which case you'll continue until the threads
3676         stop growing. In practice, you never continue.
3677
3678         (JSC::growBuffer): Helper function for growing.
3679
3680         (JSC::MachineThreads::gatherConservativeRoots):
3681         (JSC::MachineThreads::gatherFromOtherThread): Deleted.
3682         * heap/MachineStackMarker.h: Updated for interface changes.
3683
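As an added illustration (not JSC's MachineStackMarker and not part of this patch), the model below shows the scheme described above: an otherThreadStack-style helper that orders and word-aligns a stack range, a constrained per-thread copy that only does bounds arithmetic and memcpy, and the two-pass size-then-copy loop that repeats only if a stack grew in between. The `FakeThread` representation, the `betweenPasses` hook that stands in for threads continuing to run, and all other names are assumptions of this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <functional>
#include <utility>
#include <vector>

// Added model (not JSC's MachineStackMarker): normalize a thread's stack
// bounds, size every stack in one pass, copy them in a second pass, and go
// around again only if a stack grew in between. All names are hypothetical.
struct StackRange { const uint8_t* begin; const uint8_t* end; };

// Counterpart of the otherThreadStack helper: accept stack pointer and stack
// base in either order, align the low end down to a word boundary so a
// partially covered word is still scanned, and return an ordered range.
StackRange otherThreadStack(const void* stackPointer, const void* stackBase)
{
    uintptr_t low = reinterpret_cast<uintptr_t>(stackPointer);
    uintptr_t high = reinterpret_cast<uintptr_t>(stackBase);
    if (low > high)
        std::swap(low, high);
    low &= ~static_cast<uintptr_t>(sizeof(void*) - 1);
    return { reinterpret_cast<const uint8_t*>(low), reinterpret_cast<const uint8_t*>(high) };
}

// Constructed stand-in for a suspended thread: the live stack is the slice of
// `memory` from `spOffset` to its end, and it grows towards lower addresses.
struct FakeThread {
    std::vector<uint8_t> memory;
    size_t spOffset;
    const uint8_t* sp() const { return memory.data() + spOffset; }
    const uint8_t* base() const { return memory.data() + memory.size(); }
};

FakeThread makeThread(size_t reserve, size_t liveBytes, uint8_t fill)
{
    return FakeThread { std::vector<uint8_t>(reserve, fill), reserve - liveBytes };
}

static size_t stackSize(const FakeThread& thread)
{
    StackRange range = otherThreadStack(thread.sp(), thread.base());
    return range.end - range.begin;
}

// The only constrained step: it must not allocate or take locks, so it is
// just bounds arithmetic plus memcpy. Fails if the copy no longer fits.
bool tryCopyOtherThreadStack(const FakeThread& thread, uint8_t* dest, size_t room, size_t& copied)
{
    StackRange range = otherThreadStack(thread.sp(), thread.base());
    copied = range.end - range.begin;
    if (copied > room)
        return false;
    std::memcpy(dest, range.begin, copied);
    return true;
}

// Pass one sizes all stacks, pass two copies them. `betweenPasses` stands in
// for the other threads continuing to run; if one grows, the copy comes up
// short and both passes are repeated. Returns the number of rounds taken and
// leaves the concatenated copies in `buffer`, `used` bytes long.
size_t copyOtherThreadStacks(const std::vector<FakeThread>& threads,
    std::vector<uint8_t>& buffer, size_t& used, const std::function<void()>& betweenPasses)
{
    size_t rounds = 0;
    for (;;) {
        ++rounds;
        size_t total = 0;
        for (const FakeThread& thread : threads)
            total += stackSize(thread);
        if (buffer.size() < total)
            buffer.resize(total); // growBuffer's job: grow to what pass one asked for
        betweenPasses();
        used = 0;
        bool complete = true;
        for (const FakeThread& thread : threads) {
            size_t copied = 0;
            if (!tryCopyOtherThreadStack(thread, buffer.data() + used, buffer.size() - used, copied)) {
                complete = false; break;
            }
            used += copied;
        }
        if (complete)
            return rounds; // in practice this is reached on the first round
    }
}
```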
3684 2015-01-28  Brian J. Burg  <burg@cs.washington.edu>
3685
3686         Web Inspector: remove CSS.setPropertyText, CSS.toggleProperty and related dead code
3687         https://bugs.webkit.org/show_bug.cgi?id=140961
3688
3689         Reviewed by Timothy Hatcher.
3690
3691         * inspector/protocol/CSS.json: Remove unused protocol methods.
3692
3693 2015-01-28  Dana Burkart  <dburkart@apple.com>
3694
3695         Move ASan flag settings from DebugRelease.xcconfig to Base.xcconfig
3696         https://bugs.webkit.org/show_bug.cgi?id=136765
3697
3698         Reviewed by Alexey Proskuryakov.
3699
3700         * Configurations/Base.xcconfig:
3701         * Configurations/DebugRelease.xcconfig:
3702
3703 2015-01-27  Filip Pizlo  <fpizlo@apple.com>
3704
3705         ExitSiteData saying m_takesSlowPath shouldn't mean early returning takesSlowPath() since for the non-LLInt case we later set m_couldTakeSlowPath, which is more precise
3706         https://bugs.webkit.org/show_bug.cgi?id=140980
3707
3708         Reviewed by Oliver Hunt.
3709
3710         * bytecode/CallLinkStatus.cpp:
3711         (JSC::CallLinkStatus::computeFor):
3712
3713 2015-01-27  Filip Pizlo  <fpizlo@apple.com>
3714
3715         Move DFGBinarySwitch out of the DFG so that all of the JITs can use it
3716         https://bugs.webkit.org/show_bug.cgi?id=140959
3717
3718         Rubber stamped by Geoffrey Garen.
3719         
3720         I want to use this for polymorphic stubs for https://bugs.webkit.org/show_bug.cgi?id=140660.
3721         This code no longer has DFG dependencies so this is a very clean move.
3722
3723         * CMakeLists.txt:
3724         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3725         * JavaScriptCore.xcodeproj/project.pbxproj:
3726         * dfg/DFGBinarySwitch.cpp: Removed.
3727         * dfg/DFGBinarySwitch.h: Removed.
3728         * dfg/DFGSpeculativeJIT.cpp:
3729         * jit/BinarySwitch.cpp: Copied from Source/JavaScriptCore/dfg/DFGBinarySwitch.cpp.
3730         * jit/BinarySwitch.h: Copied from Source/JavaScriptCore/dfg/DFGBinarySwitch.h.
3731
3732 2015-01-27  Commit Queue  <commit-queue@webkit.org>
3733
3734         Unreviewed, rolling out r179192.
3735         https://bugs.webkit.org/show_bug.cgi?id=140953
3736
3737         Caused numerous layout test failures (Requested by mattbaker_
3738         on #webkit).
3739
3740         Reverted changeset:
3741
3742         "Use FastMalloc (bmalloc) instead of BlockAllocator for GC
3743         pages"
3744         https://bugs.webkit.org/show_bug.cgi?id=140900
3745         http://trac.webkit.org/changeset/179192
3746
3747 2015-01-27  Michael Saboff  <msaboff@apple.com>
3748
3749         REGRESSION(r178591): 20% regression in Octane box2d
3750         https://bugs.webkit.org/show_bug.cgi?id=140948
3751
3752         Reviewed by Geoffrey Garen.
3753
3754         Added a check that we have a lexical environment to the "arguments is captured" check.
3755         It doesn't make sense to resolve "arguments" when it really isn't captured.
3756
3757         * bytecompiler/BytecodeGenerator.cpp:
3758         (JSC::BytecodeGenerator::willResolveToArgumentsRegister):
3759
3760 2015-01-26  Geoffrey Garen  <ggaren@apple.com>
3761
3762         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
3763         https://bugs.webkit.org/show_bug.cgi?id=140900
3764
3765         Reviewed by Mark Hahnenberg.
3766
3767         Removes some more custom allocation code.
3768
3769         Looks like a speedup. (See results attached to bugzilla.)
3770
3771         Will hopefully reduce memory use by improving sharing between the GC and
3772         malloc heaps.
3773
3774         * API/JSBase.cpp:
3775         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3776         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3777         * JavaScriptCore.xcodeproj/project.pbxproj: Feed the compiler.
3778
3779         * heap/BlockAllocator.cpp: Removed.
3780         * heap/BlockAllocator.h: Removed. No need for a custom allocator anymore.
3781
3782         * heap/CodeBlockSet.cpp:
3783         (JSC::CodeBlockSet::CodeBlockSet):
3784         * heap/CodeBlockSet.h: Feed the compiler.
3785
3786         * heap/CopiedBlock.h:
3787         (JSC::CopiedBlock::createNoZeroFill):
3788         (JSC::CopiedBlock::create):
3789         (JSC::CopiedBlock::CopiedBlock):
3790         (JSC::CopiedBlock::isOversize):
3791         (JSC::CopiedBlock::payloadEnd):
3792         (JSC::CopiedBlock::capacity):
3793         * heap/CopiedBlockInlines.h:
3794         (JSC::CopiedBlock::reportLiveBytes): Each copied block now tracks its
3795         own size, since we can't rely on Region to tell us our size anymore.
3796
3797         * heap/CopiedSpace.cpp:
3798         (JSC::CopiedSpace::~CopiedSpace):
3799         (JSC::CopiedSpace::tryAllocateOversize):
3800         (JSC::CopiedSpace::tryReallocateOversize):
3801         * heap/CopiedSpaceInlines.h:
3802         (JSC::CopiedSpace::recycleEvacuatedBlock):
3803         (JSC::CopiedSpace::recycleBorrowedBlock):
3804         (JSC::CopiedSpace::allocateBlockForCopyingPhase):
3805         (JSC::CopiedSpace::allocateBlock):
3806         (JSC::CopiedSpace::startedCopying): Deallocate blocks directly, rather
3807         than pushing them onto the block allocator's free list; the block
3808         allocator doesn't exist anymore.
3809
3810         * heap/CopyWorkList.h:
3811         (JSC::CopyWorkListSegment::create):
3812         (JSC::CopyWorkListSegment::CopyWorkListSegment):
3813         (JSC::CopyWorkList::~CopyWorkList):
3814         (JSC::CopyWorkList::append):
3815         (JSC::CopyWorkList::CopyWorkList): Deleted.
3816         * heap/GCSegmentedArray.h:
3817         (JSC::GCArraySegment::GCArraySegment):
3818         * heap/GCSegmentedArrayInlines.h:
3819         (JSC::GCSegmentedArray<T>::GCSegmentedArray):
3820         (JSC::GCSegmentedArray<T>::~GCSegmentedArray):
3821         (JSC::GCSegmentedArray<T>::clear):
3822         (JSC::GCSegmentedArray<T>::expand):
3823         (JSC::GCSegmentedArray<T>::refill):
3824         (JSC::GCArraySegment<T>::create):
3825         * heap/GCThreadSharedData.cpp:
3826         (JSC::GCThreadSharedData::GCThreadSharedData):
3827         * heap/GCThreadSharedData.h: Feed the compiler.
3828
3829         * heap/HandleBlock.h:
3830         * heap/HandleBlockInlines.h:
3831         (JSC::HandleBlock::create):
3832         (JSC::HandleBlock::HandleBlock):
3833         (JSC::HandleBlock::payloadEnd):
3834         * heap/HandleSet.cpp:
3835         (JSC::HandleSet::~HandleSet):
3836         (JSC::HandleSet::grow): Same as above.
3837
3838         * heap/Heap.cpp:
3839         (JSC::Heap::Heap):
3840         * heap/Heap.h: Removed the block allocator since it is unused now.
3841
3842         * heap/HeapBlock.h:
3843         (JSC::HeapBlock::destroy):
3844         (JSC::HeapBlock::HeapBlock):
3845         (JSC::HeapBlock::region): Deleted. Removed the Region pointer from each
3846         HeapBlock since a HeapBlock is just a normal allocation now.
3847
3848         * heap/HeapInlines.h:
3849         (JSC::Heap::blockAllocator): Deleted.
3850
3851         * heap/HeapTimer.cpp:
3852         * heap/MarkStack.cpp:
3853         (JSC::MarkStackArray::MarkStackArray):
3854         * heap/MarkStack.h: Feed the compiler.
3855
3856         * heap/MarkedAllocator.cpp:
3857         (JSC::MarkedAllocator::allocateBlock): No need to use a custom code path
3858         based on size, since we use a general purpose allocator now.
3859
3860         * heap/MarkedBlock.cpp:
3861         (JSC::MarkedBlock::create):
3862         (JSC::MarkedBlock::destroy):
3863         (JSC::MarkedBlock::MarkedBlock):
3864         * heap/MarkedBlock.h:
3865         (JSC::MarkedBlock::capacity): Track block size explicitly, like CopiedBlock.
3866
3867         * heap/MarkedSpace.cpp:
3868         (JSC::MarkedSpace::freeBlock):
3869         * heap/MarkedSpace.h:
3870
3871         * heap/Region.h: Removed.
3872
3873         * heap/SlotVisitor.cpp:
3874         (JSC::SlotVisitor::SlotVisitor): Removed reference to block allocator.
3875
3876         * heap/SuperRegion.cpp: Removed.
3877         * heap/SuperRegion.h: Removed.
3878
3879         * heap/WeakBlock.cpp:
3880         (JSC::WeakBlock::create):
3881         (JSC::WeakBlock::WeakBlock):
3882         * heap/WeakBlock.h:
3883         * heap/WeakSet.cpp:
3884         (JSC::WeakSet::~WeakSet):
3885         (JSC::WeakSet::addAllocator):
3886         (JSC::WeakSet::removeAllocator): Removed reference to block allocator.
3887
3888 2015-01-27  Csaba Osztrogonác  <ossy@webkit.org>
3889
3890         [ARM] Typo fix after r176083
3891         https://bugs.webkit.org/show_bug.cgi?id=140937
3892
3893         Reviewed by Anders Carlsson.
3894
3895         * assembler/ARMv7Assembler.h:
3896         (JSC::ARMv7Assembler::ldrh):
3897
3898 2015-01-27  Csaba Osztrogonác  <ossy@webkit.org>
3899
3900         [Win] Unreviewed gardening, skip failing tests.
3901
3902         * tests/exceptionFuzz.yaml: Skip exception fuzz tests due to bug140928.
3903         * tests/mozilla/mozilla-tests.yaml: Skip ecma/Date/15.9.5.28-1.js due to bug140927.
3904
3905 2015-01-26  Csaba Osztrogonác  <ossy@webkit.org>
3906
3907         [Win] Enable JSC stress tests by default
3908         https://bugs.webkit.org/show_bug.cgi?id=128307
3909
3910         Unreviewed typo fix after r179165.
3911
3912         * tests/mozilla/mozilla-tests.yaml:
3913
3914 2015-01-26  Csaba Osztrogonác  <ossy@webkit.org>