Another build fix attempt after r165141.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2014-03-05  Ryosuke Niwa  <rniwa@webkit.org>
2
3         Another build fix attempt after r165141.
4
5         * ftl/FTLCompile.cpp:
6         (JSC::FTL::fixFunctionBasedOnStackMaps):
7
8 2014-03-05  Ryosuke Niwa  <rniwa@webkit.org>
9
10         FTL build fix attempt after r165141.
11
12         * ftl/FTLCompile.cpp:
13         (JSC::FTL::fixFunctionBasedOnStackMaps):
14
15 2014-03-05  Gavin Barraclough  <barraclough@apple.com>
16
17         https://bugs.webkit.org/show_bug.cgi?id=128625
18         Add fast mapping from StringImpl to JSString
19
20         Unreviewed roll-out.
21
22         Reverting r164347, r165054, r165066 - not clear the performance tradeoff was right.
23
24         * runtime/JSString.cpp:
25         * runtime/JSString.h:
26         * runtime/VM.cpp:
27         (JSC::VM::createLeaked):
28         * runtime/VM.h:
29
30 2014-03-03  Oliver Hunt  <oliver@apple.com>
31
32         Support caching of custom setters
33         https://bugs.webkit.org/show_bug.cgi?id=129519
34
35         Reviewed by Filip Pizlo.
36
37         This patch adds caching of assignment to properties that
38         are backed by C functions. This provides most of the leg
39         work required to start supporting setters, and resolves
40         the remaining regressions from moving DOM properties up
41         the prototype chain.
42
43         * JavaScriptCore.xcodeproj/project.pbxproj:
44         * bytecode/PolymorphicPutByIdList.cpp:
45         (JSC::PutByIdAccess::visitWeak):
46         (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
47         (JSC::PolymorphicPutByIdList::from):
48         * bytecode/PolymorphicPutByIdList.h:
49         (JSC::PutByIdAccess::transition):
50         (JSC::PutByIdAccess::replace):
51         (JSC::PutByIdAccess::customSetter):
52         (JSC::PutByIdAccess::isCustom):
53         (JSC::PutByIdAccess::oldStructure):
54         (JSC::PutByIdAccess::chain):
55         (JSC::PutByIdAccess::stubRoutine):
56         * bytecode/PutByIdStatus.cpp:
57         (JSC::PutByIdStatus::computeForStubInfo):
58         (JSC::PutByIdStatus::computeFor):
59         (JSC::PutByIdStatus::dump):
60         * bytecode/PutByIdStatus.h:
61         (JSC::PutByIdStatus::PutByIdStatus):
62         (JSC::PutByIdStatus::takesSlowPath):
63         (JSC::PutByIdStatus::makesCalls):
64         * bytecode/StructureStubInfo.h:
65         * dfg/DFGAbstractInterpreterInlines.h:
66         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
67         * dfg/DFGByteCodeParser.cpp:
68         (JSC::DFG::ByteCodeParser::emitPutById):
69         (JSC::DFG::ByteCodeParser::handlePutById):
70         * dfg/DFGClobberize.h:
71         (JSC::DFG::clobberize):
72         * dfg/DFGCommon.h:
73         * dfg/DFGConstantFoldingPhase.cpp:
74         (JSC::DFG::ConstantFoldingPhase::foldConstants):
75         * dfg/DFGFixupPhase.cpp:
76         (JSC::DFG::FixupPhase::fixupNode):
77         * dfg/DFGNode.h:
78         (JSC::DFG::Node::hasIdentifier):
79         * dfg/DFGNodeType.h:
80         * dfg/DFGPredictionPropagationPhase.cpp:
81         (JSC::DFG::PredictionPropagationPhase::propagate):
82         * dfg/DFGSafeToExecute.h:
83         (JSC::DFG::safeToExecute):
84         * dfg/DFGSpeculativeJIT.cpp:
85         (JSC::DFG::SpeculativeJIT::compileIn):
86         * dfg/DFGSpeculativeJIT.h:
87         * dfg/DFGSpeculativeJIT32_64.cpp:
88         (JSC::DFG::SpeculativeJIT::cachedGetById):
89         (JSC::DFG::SpeculativeJIT::cachedPutById):
90         (JSC::DFG::SpeculativeJIT::compile):
91         * dfg/DFGSpeculativeJIT64.cpp:
92         (JSC::DFG::SpeculativeJIT::cachedGetById):
93         (JSC::DFG::SpeculativeJIT::cachedPutById):
94         (JSC::DFG::SpeculativeJIT::compile):
95         * jit/CCallHelpers.h:
96         (JSC::CCallHelpers::setupArgumentsWithExecState):
97         * jit/JITInlineCacheGenerator.cpp:
98         (JSC::JITByIdGenerator::JITByIdGenerator):
99         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
100         * jit/JITInlineCacheGenerator.h:
101         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
102         * jit/JITOperations.cpp:
103         * jit/JITOperations.h:
104         * jit/JITPropertyAccess.cpp:
105         (JSC::JIT::emit_op_get_by_id):
106         (JSC::JIT::emit_op_put_by_id):
107         * jit/JITPropertyAccess32_64.cpp:
108         (JSC::JIT::emit_op_get_by_id):
109         (JSC::JIT::emit_op_put_by_id):
110         * jit/Repatch.cpp:
111         (JSC::tryCacheGetByID):
112         (JSC::tryBuildGetByIDList):
113         (JSC::emitCustomSetterStub):
114         (JSC::tryCachePutByID):
115         (JSC::tryBuildPutByIdList):
116         * jit/SpillRegistersMode.h: Added.
117         * llint/LLIntSlowPaths.cpp:
118         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
119         * runtime/Lookup.h:
120         (JSC::putEntry):
121         * runtime/PutPropertySlot.h:
122         (JSC::PutPropertySlot::setCacheableCustomProperty):
123         (JSC::PutPropertySlot::customSetter):
124         (JSC::PutPropertySlot::isCacheablePut):
125         (JSC::PutPropertySlot::isCacheableCustomProperty):
126         (JSC::PutPropertySlot::cachedOffset):
127
128 2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>
129
130         JSCell::m_gcData should encode its information differently
131         https://bugs.webkit.org/show_bug.cgi?id=129741
132
133         Reviewed by Geoffrey Garen.
134
135         We want to keep track of three GC states for an object:
136
137         1. Not marked (which implies not in the remembered set)
138         2. Marked but not in the remembered set
139         3. Marked and in the remembered set
140         
141         Currently we only indicate marked vs. not marked in JSCell::m_gcData. During a write 
142         barrier, we only want to take the slow path if the object being stored to is in state #2. 
143         We'd like to make the test for state #2 as fast as possible, which means making it a 
144         compare against 0.
145
146         * dfg/DFGOSRExitCompilerCommon.cpp:
147         (JSC::DFG::osrWriteBarrier):
148         * dfg/DFGSpeculativeJIT.cpp:
149         (JSC::DFG::SpeculativeJIT::checkMarkByte):
150         (JSC::DFG::SpeculativeJIT::writeBarrier):
151         * dfg/DFGSpeculativeJIT.h:
152         * dfg/DFGSpeculativeJIT32_64.cpp:
153         (JSC::DFG::SpeculativeJIT::writeBarrier):
154         * dfg/DFGSpeculativeJIT64.cpp:
155         (JSC::DFG::SpeculativeJIT::writeBarrier):
156         * ftl/FTLLowerDFGToLLVM.cpp:
157         (JSC::FTL::LowerDFGToLLVM::allocateCell):
158         (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
159         * heap/Heap.cpp:
160         (JSC::Heap::clearRememberedSet):
161         (JSC::Heap::addToRememberedSet):
162         * jit/AssemblyHelpers.h:
163         (JSC::AssemblyHelpers::checkMarkByte):
164         * jit/JIT.h:
165         * jit/JITPropertyAccess.cpp:
166         (JSC::JIT::checkMarkByte):
167         (JSC::JIT::emitWriteBarrier):
168         * jit/Repatch.cpp:
169         (JSC::writeBarrier):
170         * llint/LowLevelInterpreter.asm:
171         * llint/LowLevelInterpreter32_64.asm:
172         * llint/LowLevelInterpreter64.asm:
173         * runtime/JSCell.h:
174         (JSC::JSCell::mark):
175         (JSC::JSCell::remember):
176         (JSC::JSCell::forget):
177         (JSC::JSCell::isMarked):
178         (JSC::JSCell::isRemembered):
179         * runtime/JSCellInlines.h:
180         (JSC::JSCell::JSCell):
181         * runtime/StructureIDBlob.h:
182         (JSC::StructureIDBlob::StructureIDBlob):
183
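The entry above describes an encoding, not code. The following is an added example (it is not JSC's JSCell or Heap code) that models the three states in one byte and the write barrier built on it. The numeric values for states #1 and #3, the Cell and Heap structs and the fixed-capacity remembered set are assumptions made for this illustration; the one property taken from the entry is that state #2 is the zero value, so the barrier's fast path is a single compare against 0.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed encoding of the three states in the one byte. The only property that
   matters is that state #2, the one the barrier must act on, is the zero value,
   so the JIT's test is a byte load and a compare against 0. The values chosen
   for the other two states are arbitrary and not JSC's. */
enum {
    GC_MARKED_NOT_REMEMBERED = 0, /* state #2: barrier takes the slow path */
    GC_NOT_MARKED = 1,            /* state #1: not marked, nothing to do */
    GC_MARKED_AND_REMEMBERED = 2  /* state #3: already queued for re-scan */
};

typedef struct Cell {
    uint8_t gcData;
    struct Cell* slot; /* the one pointer field that stores go through below */
} Cell;

/* Stand-in for Heap's remembered set: fixed capacity, plus a counter of how
   often the barrier left its fast path, which is what the scenario below checks. */
#define REMEMBERED_CAPACITY 16
typedef struct {
    Cell* cells[REMEMBERED_CAPACITY];
    size_t count;
    size_t slowPathCalls;
} Heap;

static void cellInit(Cell* cell) { cell->gcData = GC_NOT_MARKED; cell->slot = NULL; }
static bool isMarked(const Cell* cell) { return cell->gcData != GC_NOT_MARKED; }
static bool isRemembered(const Cell* cell) { return cell->gcData == GC_MARKED_AND_REMEMBERED; }
/* Marking an unmarked cell lands it in state #2; a remembered cell stays remembered. */
static void mark(Cell* cell) { if (cell->gcData == GC_NOT_MARKED) cell->gcData = GC_MARKED_NOT_REMEMBERED; }
static void remember(Cell* cell) { cell->gcData = GC_MARKED_AND_REMEMBERED; }
static void forget(Cell* cell) { cell->gcData = GC_MARKED_NOT_REMEMBERED; }

/* Slow path: queue the old object so the next young-generation collection
   re-scans it for the pointer just stored into it. */
static void addToRememberedSet(Heap* heap, Cell* cell)
{
    heap->slowPathCalls++;
    if (heap->count < REMEMBERED_CAPACITY)
        heap->cells[heap->count++] = cell;
    remember(cell);
}

/* The barrier as the JIT would emit it: one byte load, one compare with 0. */
static void writeBarrier(Heap* heap, Cell* owner)
{
    if (owner->gcData == 0)
        addToRememberedSet(heap, owner);
}

static void storeSlot(Heap* heap, Cell* owner, Cell* value)
{
    owner->slot = value;
    writeBarrier(heap, owner);
}

/* After an eden collection every remembered cell is still marked but no longer
   remembered, i.e. back in the zero state, so the next store re-arms the barrier. */
static void clearRememberedSet(Heap* heap)
{
    for (size_t i = 0; i < heap->count; i++)
        forget(heap->cells[i]);
    heap->count = 0;
}

/* Walks one owner through all three states. Returns the number of slow-path
   calls taken; 2 is the intended answer: the store into an unmarked cell and the
   repeated store into an already remembered cell both stay on the fast path. */
size_t runScenario(void)
{
    Heap heap = { { NULL }, 0, 0 };
    Cell owner, a, b, c;
    cellInit(&owner); cellInit(&a); cellInit(&b); cellInit(&c);

    storeSlot(&heap, &owner, &a); /* state #1: fast path */
    mark(&owner);                 /* full collection marked it: state #2, byte == 0 */
    storeSlot(&heap, &owner, &b); /* slow path: now state #3 */
    storeSlot(&heap, &owner, &c); /* state #3: fast path */
    clearRememberedSet(&heap);    /* eden collection done: state #2 again */
    storeSlot(&heap, &owner, &a); /* slow path once more */
    return heap.slowPathCalls;
}

/* Checks that each accessor reads the byte back as intended. */
bool checkTransitions(void)
{
    Cell cell;
    cellInit(&cell);
    bool ok = !isMarked(&cell) && !isRemembered(&cell);
    mark(&cell);
    ok = ok && isMarked(&cell) && !isRemembered(&cell) && cell.gcData == 0;
    remember(&cell);
    ok = ok && isMarked(&cell) && isRemembered(&cell);
    forget(&cell);
    return ok && isMarked(&cell) && !isRemembered(&cell) && cell.gcData == 0;
}
```

The point of the zero assignment is in writeBarrier(): the generated code never has to distinguish states #1 and #3 from each other, only from #2, so one compare covers both "young, no barrier needed" and "already remembered".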
184 2014-03-05  Filip Pizlo  <fpizlo@apple.com>
185
186         More FTL ARM fixes
187         https://bugs.webkit.org/show_bug.cgi?id=129755
188
189         Reviewed by Geoffrey Garen.
190         
191         - Be more defensive about inline caches that have degenerate chains.
192         
193         - Temporarily switch to allocating all MCJIT memory in the executable pool on non-x86
194           platforms. The bug tracking the real fix is: https://bugs.webkit.org/show_bug.cgi?id=129756
195         
196         - Don't even emit intrinsic declarations on non-x86 platforms.
197         
198         - More debug printing support.
199         
200         - Don't use vmCall() in the prologue. This should have crashed on all platforms all the time
201           but somehow it gets lucky on x86.
202
203         * bytecode/GetByIdStatus.cpp:
204         (JSC::GetByIdStatus::appendVariant):
205         (JSC::GetByIdStatus::computeForChain):
206         (JSC::GetByIdStatus::computeForStubInfo):
207         * bytecode/GetByIdStatus.h:
208         * bytecode/PutByIdStatus.cpp:
209         (JSC::PutByIdStatus::appendVariant):
210         (JSC::PutByIdStatus::computeForStubInfo):
211         * bytecode/PutByIdStatus.h:
212         * bytecode/StructureSet.h:
213         (JSC::StructureSet::overlaps):
214         * ftl/FTLCompile.cpp:
215         (JSC::FTL::mmAllocateDataSection):
216         * ftl/FTLDataSection.cpp:
217         (JSC::FTL::DataSection::DataSection):
218         (JSC::FTL::DataSection::~DataSection):
219         * ftl/FTLDataSection.h:
220         * ftl/FTLLowerDFGToLLVM.cpp:
221         (JSC::FTL::LowerDFGToLLVM::lower):
222         * ftl/FTLOutput.h:
223         (JSC::FTL::Output::doubleSin):
224         (JSC::FTL::Output::doubleCos):
225         * runtime/JSCJSValue.cpp:
226         (JSC::JSValue::dumpInContext):
227         * runtime/JSCell.h:
228         (JSC::JSCell::structureID):
229
230 2014-03-05  peavo@outlook.com  <peavo@outlook.com>
231
232         [Win32][LLINT] Crash when running JSC stress tests.
233         https://bugs.webkit.org/show_bug.cgi?id=129429
234
235         On Windows the reserved stack space consists of committed memory, a guard page, and uncommitted memory,
236         where the guard page is a barrier between committed and uncommitted memory.
237         When data from the guard page is read or written, the guard page is moved, and memory is committed.
238         This is how the system grows the stack.
239         When using the C stack on Windows we need to precommit the needed stack space.
240         Otherwise we might crash later if we access uncommitted stack memory.
241         This can happen if we allocate stack space larger than the page guard size (4K).
242         The system does not get the chance to move the guard page, and commit more memory,
243         and we crash if uncommitted memory is accessed.
244         The MSVC compiler fixes this by inserting a call to the _chkstk() function,
245         when needed, see http://support.microsoft.com/kb/100775.
246
247         Reviewed by Geoffrey Garen.
248
249         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Enable LLINT.
250         * jit/Repatch.cpp:
251         (JSC::writeBarrier): Compile fix when DFG_JIT is not enabled.
252         * offlineasm/x86.rb: Compile fix, and small simplification.
253         * runtime/VM.cpp:
254         (JSC::preCommitStackMemory): Added function to precommit stack memory.
255         (JSC::VM::updateStackLimit): Call function to precommit stack memory when stack limit is updated.
256
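The stack-growth mechanism the entry describes is worth seeing as code. The following is an added, portable illustration of the probe pattern that _chkstk() performs and that JSC::preCommitStackMemory() exists to reproduce; it is not that function's body and not JSC code. The 4K page size is taken from the entry; the use of alloca() to obtain a block of fresh stack is an assumption made for this example.

```c
#include <alloca.h>
#include <stddef.h>
#include <stdint.h>

/* Guard-page size the entry quotes for Windows; assumed here as a constant. */
#define STACK_PAGE_SIZE 4096u

/* Touch one byte in each page of a block of `bytes` of fresh stack, starting at
   the end nearest the caller's (already committed) frame and walking towards
   lower addresses. The order is what makes a guard page work: each write lands
   in the page directly below the last committed one, so the system can commit
   it and move the guard down by one page. A single write `bytes` below the frame
   would skip over the guard page into uncommitted memory, which is the crash the
   entry describes. The writes are volatile so the compiler cannot elide them.
   Returns the number of pages touched. */
size_t preCommitStack(size_t bytes)
{
    volatile uint8_t* block = (volatile uint8_t*)alloca(bytes);
    size_t pagesTouched = 0;
    size_t offset = bytes;
    while (offset > 0) {
        offset = offset > STACK_PAGE_SIZE ? offset - STACK_PAGE_SIZE : 0;
        block[offset] = 0;
        pagesTouched++;
    }
    return pagesTouched;
}

/* Number of probe writes a frame of `bytes` needs: one per started page.
   Kept separate so the arithmetic can be checked without touching the stack. */
size_t probeCount(size_t bytes)
{
    return (bytes + STACK_PAGE_SIZE - 1) / STACK_PAGE_SIZE;
}
```

On MSVC the alloca() above would itself get a compiler-inserted _chkstk() call, so the loop is redundant there for C code. The manual probe matters for stack that the C compiler never saw being reserved, which is the situation the entry is fixing: the interpreter runs on the C stack but its frames are not laid out by the C compiler, so nothing probes them unless the runtime does it.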
257 2014-03-05  Michael Saboff  <msaboff@apple.com>
258
259         JSDataViewPrototype::getData() and setData() crash on platforms that don't allow unaligned accesses
260         https://bugs.webkit.org/show_bug.cgi?id=129746
261
262         Reviewed by Filip Pizlo.
263
264         Changed to use a union to manually assemble or disassemble the various types
265         from / to the corresponding bytes.  All memory access is now done using
266         byte accesses.
267
268         * runtime/JSDataViewPrototype.cpp:
269         (JSC::getData):
270         (JSC::setData):
271
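The union technique the entry describes, as an added example that is not the JSDataViewPrototype code: the wide value is only ever read or written through a properly aligned local union, and the ArrayBuffer is accessed one byte at a time, so an odd offset costs nothing on strict-alignment hardware. The accessor signatures, the bounds check and the sample buffer are constructed for this illustration; the littleEndian flag mirrors the argument DataView's getters and setters take.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Staging union. The wide members are only ever read or written through this
   properly aligned local; the buffer itself is touched one byte at a time. */
typedef union {
    uint8_t bytes[8];
    uint32_t u32;
    double f64;
} Word;

static bool hostIsLittleEndian(void)
{
    Word w;
    w.u32 = 1;
    return w.bytes[0] == 1;
}

/* Copy `size` bytes between buffer[offset] and the union, reversing them when
   the requested byte order is not the host's. The bounds check is arranged so
   that offset + size cannot wrap. `toBuffer` selects the direction. Returns
   false, touching nothing, when the access would leave the buffer. */
static bool copyBytes(uint8_t* buffer, size_t bufferLength, size_t offset,
                      size_t size, bool littleEndian, Word* word, bool toBuffer)
{
    if (size > bufferLength || offset > bufferLength - size)
        return false;
    bool reverse = littleEndian != hostIsLittleEndian();
    for (size_t i = 0; i < size; i++) {
        size_t w = reverse ? size - 1 - i : i;
        if (toBuffer)
            buffer[offset + i] = word->bytes[w];
        else
            word->bytes[w] = buffer[offset + i];
    }
    return true;
}

/* DataView-style accessors; each reports failure instead of reading or writing
   past the end of the buffer. */
bool getUint32(uint8_t* buf, size_t len, size_t off, bool le, uint32_t* out)
{
    Word w;
    if (!copyBytes(buf, len, off, sizeof w.u32, le, &w, false)) return false;
    *out = w.u32;
    return true;
}
bool setUint32(uint8_t* buf, size_t len, size_t off, bool le, uint32_t value)
{
    Word w;
    w.u32 = value;
    return copyBytes(buf, len, off, sizeof w.u32, le, &w, true);
}
bool getFloat64(uint8_t* buf, size_t len, size_t off, bool le, double* out)
{
    Word w;
    if (!copyBytes(buf, len, off, sizeof w.f64, le, &w, false)) return false;
    *out = w.f64;
    return true;
}
bool setFloat64(uint8_t* buf, size_t len, size_t off, bool le, double value)
{
    Word w;
    w.f64 = value;
    return copyBytes(buf, len, off, sizeof w.f64, le, &w, true);
}

/* Constructed 12-byte sample. Returns the 32-bit value at `off` in the requested
   byte order, or -1 if the access is out of range. Offset 1 is the kind of read
   that *(uint32_t*)(buf + 1) would trap on with strict-alignment hardware; here
   it is just four byte loads. */
int64_t sampleRead(size_t off, bool le)
{
    uint8_t buf[12] = { 0x00, 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde,
                        0xf0, 0x11, 0x22, 0x33 };
    uint32_t v;
    if (!getUint32(buf, sizeof buf, off, le, &v))
        return -1;
    return (int64_t)v;
}

/* Store `value` at an odd offset in the given byte order and read it back the
   same way; true when it survives the round trip. */
bool roundTripFloat64(double value, bool le)
{
    uint8_t buf[16] = { 0 };
    double back = 0;
    return setFloat64(buf, sizeof buf, 3, le, value)
        && getFloat64(buf, sizeof buf, 3, le, &back)
        && back == value;
}
```

The bounds check is written as `offset > bufferLength - size` after establishing `size <= bufferLength`, so a huge offset cannot wrap `offset + size` back into range; for a getter that is reachable from script, that is the check that keeps an unaligned-access fix from trading a crash for an out-of-bounds read.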
272 2014-03-05  Filip Pizlo  <fpizlo@apple.com>
273
274         FTL loadStructure always generates invalid IR
275         https://bugs.webkit.org/show_bug.cgi?id=129747
276
277         Reviewed by Mark Hahnenberg.
278
279         As the comment at the top of FTL::Output states, the FTL doesn't use LLVM's notion
280         of pointers. LLVM's notion of pointers tries to model C, in the sense that you have
281         to have a pointer to a type, and you can only load things of that type from that
282         pointer. Pointer arithmetic is basically not possible except through the bizarre
283         getelementptr operator. This doesn't fit with how the JS object model works since
284         the JS object model doesn't consist of nice and tidy C types placed in C arrays.
285         Also, it would be impossible to use getelementptr and LLVM pointers for accessing
286         any of JSC's C or C++ objects unless we went through the exercise of redeclaring
287         all of our fundamental data structures in LLVM IR as LLVM types. Clang could do
288         this for us, but that would require that to use the FTL, JSC itself would have to
289         be compiled with clang. Worse, it would have to be compiled with a clang that uses
290         a version of LLVM that is compatible with the one against which the FTL is linked.
291         Yuck!
292
293         The solution is to NEVER use LLVM pointers. This has always been the case in the
294         FTL. But it causes some confusion.
295         
296         Not using LLVM pointers means that if the FTL has a "pointer", it's actually a
297         pointer-wide integer (m_out.intPtr in FTL-speak). The act of "loading" and
298         "storing" from or to a pointer involves first bitcasting the intPtr to a real LLVM
299         pointer that has the type that we want. The load and store operations over pointers
300         are called Output::load* and Output::store*, where * is one of "8", "16", "32",
301         "64", "Ptr", "Float", or "Double".
302         
303         There is unavoidable confusion here. It would be bizarre for the FTL to call its
304         "pointer-wide integers" anything other than "pointers", since they are, in all
305         respects that we care about, simply pointers. But they are *not* LLVM pointers and
306         they never will be that.
307         
308         There is one exception to this "no pointers" rule. The FTL does use actual LLVM
309         pointers for referring to LLVM alloca's - i.e. local variables. To try to reduce
310         confusion, we call these "references". So an "FTL reference" is actually an "LLVM
311         pointer", while an "FTL pointer" is actually an "LLVM integer". FTL references have
312         methods for access called Output::get and Output::set. These lower to LLVM load
313         and store, since FTL references are just LLVM pointers.
314         
315         This confusion appears to have led to incorrect code in loadStructure().
316         loadStructure() was using get() and set() to access FTL pointers. But those methods
317         don't work on FTL pointers and never will, since they are for FTL references.
318         
319         The worst part of this is that it was previously impossible to have test coverage
320         for the relevant path (MasqueradesAsUndefined) without writing a DRT test. This
321         patch fixes this by introducing a Masquerader object to jsc.cpp.
322         
323         * ftl/FTLAbstractHeapRepository.h: Add an abstract heap for the structure table.
324         * ftl/FTLLowerDFGToLLVM.cpp:
325         (JSC::FTL::LowerDFGToLLVM::loadStructure): This was wrong.
326         * ftl/FTLOutput.h: Add a comment to dissuade people from using get() and set().
327         * jsc.cpp: Give us the power to test for MasqueradesAsUndefined.
328         (WTF::Masquerader::Masquerader):
329         (WTF::Masquerader::create):
330         (WTF::Masquerader::createStructure):
331         (GlobalObject::finishCreation):
332         (functionMakeMasquerader):
333         * tests/stress/equals-masquerader.js: Added.
334         (foo):
335         (test):
336
337 2014-03-05  Anders Carlsson  <andersca@apple.com>
338
339         Tweak after r165109 to avoid extra copies
340         https://bugs.webkit.org/show_bug.cgi?id=129745
341
342         Reviewed by Geoffrey Garen.
343
344         * heap/Heap.cpp:
345         (JSC::Heap::visitProtectedObjects):
346         (JSC::Heap::visitTempSortVectors):
347         (JSC::Heap::clearRememberedSet):
348         * heap/Heap.h:
349         (JSC::Heap::forEachProtectedCell):
350
351 2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>
352
353         DFGStoreBarrierElisionPhase should use GCState directly instead of m_gcClobberSet when calling writesOverlap()
354         https://bugs.webkit.org/show_bug.cgi?id=129717
355
356         Reviewed by Filip Pizlo.
357
358         * dfg/DFGStoreBarrierElisionPhase.cpp:
359         (JSC::DFG::StoreBarrierElisionPhase::StoreBarrierElisionPhase):
360         (JSC::DFG::StoreBarrierElisionPhase::couldCauseGC):
361
362 2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>
363
364         Use range-based loops where possible in Heap methods
365         https://bugs.webkit.org/show_bug.cgi?id=129513
366
367         Reviewed by Mark Lam.
368
369         Replace old school iterator based loops with the new range-based loop hotness
370         for a better tomorrow.
371
372         * heap/CodeBlockSet.cpp:
373         (JSC::CodeBlockSet::~CodeBlockSet):
374         (JSC::CodeBlockSet::clearMarks):
375         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
376         (JSC::CodeBlockSet::traceMarked):
377         * heap/Heap.cpp:
378         (JSC::Heap::visitProtectedObjects):
379         (JSC::Heap::visitTempSortVectors):
380         (JSC::Heap::clearRememberedSet):
381         * heap/Heap.h:
382         (JSC::Heap::forEachProtectedCell):
383
384 2014-03-04  Filip Pizlo  <fpizlo@apple.com>
385
386         DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
387         https://bugs.webkit.org/show_bug.cgi?id=129563
388
389         Reviewed by Geoffrey Garen.
390         
391         Rolling this back in after fixing an assertion failure. speculateMisc() should have
392         said DFG_TYPE_CHECK instead of typeCheck.
393         
394         This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
395         when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
396         user of this was EarleyBoyer, and in that benchmark what it was really doing was
397         comparing undefined, null, and booleans to each other.
398         
399         This also adds support for miscellaneous things that I needed to make my various test
400         cases work. This includes comparison over booleans and the various Throw-related node
401         types.
402         
403         This also improves constant folding of CompareStrictEq and CompareEq.
404         
405         Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
406         based on profiling, which caused some downstream badness. We don't actually support
407         compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just
408         emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it
409         shouldn't factor out the bounds check since the access is not InBounds but then the
410         backend would ignore the flag and assume that the bounds check was already emitted.
411         This showed up on an existing test but I added a test for this explicitly to have more
412         certain coverage. The fix is to not mark something as OutOfBounds if the semantics are
413         that we'll have a bounds check anyway.
414         
415         This is a 1% speed-up on Octane mostly because of raytrace, but also because of just
416         general progressions across the board. No speed-up yet on EarleyBoyer, since there is
417         still a lot more coverage work to be done there.
418
419         * bytecode/SpeculatedType.cpp:
420         (JSC::speculationToAbbreviatedString):
421         (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
422         (JSC::valuesCouldBeEqual):
423         * bytecode/SpeculatedType.h:
424         (JSC::isMiscSpeculation):
425         * dfg/DFGAbstractInterpreterInlines.h:
426         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
427         * dfg/DFGArrayMode.cpp:
428         (JSC::DFG::ArrayMode::refine):
429         * dfg/DFGArrayMode.h:
430         * dfg/DFGFixupPhase.cpp:
431         (JSC::DFG::FixupPhase::fixupNode):
432         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
433         * dfg/DFGNode.h:
434         (JSC::DFG::Node::shouldSpeculateMisc):
435         * dfg/DFGSafeToExecute.h:
436         (JSC::DFG::SafeToExecuteEdge::operator()):
437         * dfg/DFGSpeculativeJIT.cpp:
438         (JSC::DFG::SpeculativeJIT::compileStrictEq):
439         (JSC::DFG::SpeculativeJIT::speculateMisc):
440         (JSC::DFG::SpeculativeJIT::speculate):
441         * dfg/DFGSpeculativeJIT.h:
442         * dfg/DFGSpeculativeJIT32_64.cpp:
443         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
444         * dfg/DFGSpeculativeJIT64.cpp:
445         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
446         * dfg/DFGUseKind.cpp:
447         (WTF::printInternal):
448         * dfg/DFGUseKind.h:
449         (JSC::DFG::typeFilterFor):
450         * ftl/FTLCapabilities.cpp:
451         (JSC::FTL::canCompile):
452         * ftl/FTLLowerDFGToLLVM.cpp:
453         (JSC::FTL::LowerDFGToLLVM::compileNode):
454         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
455         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
456         (JSC::FTL::LowerDFGToLLVM::compileThrow):
457         (JSC::FTL::LowerDFGToLLVM::isNotMisc):
458         (JSC::FTL::LowerDFGToLLVM::isMisc):
459         (JSC::FTL::LowerDFGToLLVM::speculate):
460         (JSC::FTL::LowerDFGToLLVM::speculateMisc):
461         * tests/stress/float32-array-out-of-bounds.js: Added.
462         * tests/stress/weird-equality-folding-cases.js: Added.
463
464 2014-03-04  Commit Queue  <commit-queue@webkit.org>
465
466         Unreviewed, rolling out r165085.
467         http://trac.webkit.org/changeset/165085
468         https://bugs.webkit.org/show_bug.cgi?id=129729
469
470         Broke imported/w3c/html-templates/template-element/template-content.html
471         (Requested by ap on #webkit).
472
473         * bytecode/SpeculatedType.cpp:
474         (JSC::speculationToAbbreviatedString):
475         * bytecode/SpeculatedType.h:
476         * dfg/DFGAbstractInterpreterInlines.h:
477         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
478         * dfg/DFGArrayMode.cpp:
479         (JSC::DFG::ArrayMode::refine):
480         * dfg/DFGArrayMode.h:
481         * dfg/DFGFixupPhase.cpp:
482         (JSC::DFG::FixupPhase::fixupNode):
483         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
484         * dfg/DFGNode.h:
485         (JSC::DFG::Node::shouldSpeculateBoolean):
486         * dfg/DFGSafeToExecute.h:
487         (JSC::DFG::SafeToExecuteEdge::operator()):
488         * dfg/DFGSpeculativeJIT.cpp:
489         (JSC::DFG::SpeculativeJIT::compileStrictEq):
490         (JSC::DFG::SpeculativeJIT::speculate):
491         * dfg/DFGSpeculativeJIT.h:
492         * dfg/DFGSpeculativeJIT32_64.cpp:
493         * dfg/DFGSpeculativeJIT64.cpp:
494         * dfg/DFGUseKind.cpp:
495         (WTF::printInternal):
496         * dfg/DFGUseKind.h:
497         (JSC::DFG::typeFilterFor):
498         * ftl/FTLCapabilities.cpp:
499         (JSC::FTL::canCompile):
500         * ftl/FTLLowerDFGToLLVM.cpp:
501         (JSC::FTL::LowerDFGToLLVM::compileNode):
502         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
503         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
504         (JSC::FTL::LowerDFGToLLVM::speculate):
505         * tests/stress/float32-array-out-of-bounds.js: Removed.
506         * tests/stress/weird-equality-folding-cases.js: Removed.
507
508 2014-03-04  Brian Burg  <bburg@apple.com>
509
510         Inspector does not restore breakpoints after a page reload
511         https://bugs.webkit.org/show_bug.cgi?id=129655
512
513         Reviewed by Joseph Pecoraro.
514
515         Fix a regression introduced by r162096 that erroneously removed
516         the inspector backend's mapping of files to breakpoints whenever the
517         global object was cleared.
518
519         The inspector's breakpoint mappings should only be cleared when the
520         debugger agent is disabled or destroyed. We should only clear the
521         debugger's breakpoint state when the global object is cleared.
522
523         To make it clearer what state is being cleared, the two cases have
524         been split into separate methods.
525
526         * inspector/agents/InspectorDebuggerAgent.cpp:
527         (Inspector::InspectorDebuggerAgent::disable):
528         (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
529         (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
530         (Inspector::InspectorDebuggerAgent::didClearGlobalObject):
531         * inspector/agents/InspectorDebuggerAgent.h:
532
533 2014-03-04  Andreas Kling  <akling@apple.com>
534
535         Streamline JSValue::get().
536         <https://webkit.org/b/129720>
537
538         Fetch each Structure and VM only once when walking the prototype chain
539         in JSObject::getPropertySlot(), then pass it along to the functions
540         we call from there, so they don't have to re-fetch it.
541
542         Reviewed by Geoff Garen.
543
544         * runtime/JSObject.h:
545         (JSC::JSObject::inlineGetOwnPropertySlot):
546         (JSC::JSObject::fastGetOwnPropertySlot):
547         (JSC::JSObject::getPropertySlot):
548
549 2014-03-01  Filip Pizlo  <fpizlo@apple.com>
550
551         DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
552         https://bugs.webkit.org/show_bug.cgi?id=129563
553
554         Reviewed by Geoffrey Garen.
555         
556         This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
557         when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
558         user of this was EarleyBoyer, and in that benchmark what it was really doing was
559         comparing undefined, null, and booleans to each other.
560         
561         This also adds support for miscellaneous things that I needed to make my various test
562         cases work. This includes comparison over booleans and the various Throw-related node
563         types.
564         
565         This also improves constant folding of CompareStrictEq and CompareEq.
566         
567         Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
568         based on profiling, which caused some downstream badness. We don't actually support
569         compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just
570         emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it
571         shouldn't factor out the bounds check since the access is not InBounds but then the
572         backend would ignore the flag and assume that the bounds check was already emitted.
573         This showed up on an existing test but I added a test for this explicitly to have more
574         certain coverage. The fix is to not mark something as OutOfBounds if the semantics are
575         that we'll have a bounds check anyway.
576         
577         This is a 1% speed-up on Octane mostly because of raytrace, but also because of just
578         general progressions across the board. No speed-up yet on EarleyBoyer, since there is
579         still a lot more coverage work to be done there.
580
581         * bytecode/SpeculatedType.cpp:
582         (JSC::speculationToAbbreviatedString):
583         (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
584         (JSC::valuesCouldBeEqual):
585         * bytecode/SpeculatedType.h:
586         (JSC::isMiscSpeculation):
587         * dfg/DFGAbstractInterpreterInlines.h:
588         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
589         * dfg/DFGFixupPhase.cpp:
590         (JSC::DFG::FixupPhase::fixupNode):
591         * dfg/DFGNode.h:
592         (JSC::DFG::Node::shouldSpeculateMisc):
593         * dfg/DFGSafeToExecute.h:
594         (JSC::DFG::SafeToExecuteEdge::operator()):
595         * dfg/DFGSpeculativeJIT.cpp:
596         (JSC::DFG::SpeculativeJIT::compileStrictEq):
597         (JSC::DFG::SpeculativeJIT::speculateMisc):
598         (JSC::DFG::SpeculativeJIT::speculate):
599         * dfg/DFGSpeculativeJIT.h:
600         * dfg/DFGSpeculativeJIT32_64.cpp:
601         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
602         * dfg/DFGSpeculativeJIT64.cpp:
603         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
604         * dfg/DFGUseKind.cpp:
605         (WTF::printInternal):
606         * dfg/DFGUseKind.h:
607         (JSC::DFG::typeFilterFor):
608         * ftl/FTLCapabilities.cpp:
609         (JSC::FTL::canCompile):
610         * ftl/FTLLowerDFGToLLVM.cpp:
611         (JSC::FTL::LowerDFGToLLVM::compileNode):
612         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
613         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
614         (JSC::FTL::LowerDFGToLLVM::compileThrow):
615         (JSC::FTL::LowerDFGToLLVM::isNotMisc):
616         (JSC::FTL::LowerDFGToLLVM::isMisc):
617         (JSC::FTL::LowerDFGToLLVM::speculate):
618         (JSC::FTL::LowerDFGToLLVM::speculateMisc):
619         * tests/stress/float32-array-out-of-bounds.js: Added.
620         * tests/stress/weird-equality-folding-cases.js: Added.
621
622 2014-03-04  Andreas Kling  <akling@apple.com>
623
624         Spam static branch prediction hints on JS bindings.
625         <https://webkit.org/b/129703>
626
627         Add LIKELY hint to jsDynamicCast since it's always used in a context
628         where we expect it to succeed and takes an error path when it doesn't.
629
630         Reviewed by Geoff Garen.
631
632         * runtime/JSCell.h:
633         (JSC::jsDynamicCast):
634
635 2014-03-04  Andreas Kling  <akling@apple.com>
636
637         Get to Structures more efficiently in JSCell::methodTable().
638         <https://webkit.org/b/129702>
639
640         In JSCell::methodTable(), get the VM once and pass that along to
641         structure(VM&) instead of using the heavier structure().
642
643         In JSCell::methodTable(VM&), replace calls to structure() with
644         calls to structure(VM&).
645
646         Reviewed by Mark Hahnenberg.
647
648         * runtime/JSCellInlines.h:
649         (JSC::JSCell::methodTable):
650
651 2014-03-04  Joseph Pecoraro  <pecoraro@apple.com>
652
653         Web Inspector: Listen for the XPC_ERROR_CONNECTION_INVALID event to deref
654         https://bugs.webkit.org/show_bug.cgi?id=129697
655
656         Reviewed by Timothy Hatcher.
657
658         * inspector/remote/RemoteInspectorXPCConnection.mm:
659         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
660         (Inspector::RemoteInspectorXPCConnection::handleEvent):
661
662 2014-03-04  Mark Hahnenberg  <mhahnenberg@apple.com>
663
664         Merge API shims and JSLock
665         https://bugs.webkit.org/show_bug.cgi?id=129650
666
667         Reviewed by Mark Lam.
668
669         JSLock is now taking on all of APIEntryShim's responsibilities since there is never a reason 
670         to take just the JSLock. Ditto for DropAllLocks and APICallbackShim.
671
672         * API/APICallbackFunction.h:
673         (JSC::APICallbackFunction::call):
674         (JSC::APICallbackFunction::construct):
675         * API/APIShims.h: Removed.
676         * API/JSBase.cpp:
677         (JSEvaluateScript):
678         (JSCheckScriptSyntax):
679         (JSGarbageCollect):
680         (JSReportExtraMemoryCost):
681         (JSSynchronousGarbageCollectForDebugging):
682         * API/JSCallbackConstructor.cpp:
683         * API/JSCallbackFunction.cpp:
684         * API/JSCallbackObjectFunctions.h:
685         (JSC::JSCallbackObject<Parent>::init):
686         (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
687         (JSC::JSCallbackObject<Parent>::put):
688         (JSC::JSCallbackObject<Parent>::putByIndex):
689         (JSC::JSCallbackObject<Parent>::deleteProperty):
690         (JSC::JSCallbackObject<Parent>::construct):
691         (JSC::JSCallbackObject<Parent>::customHasInstance):
692         (JSC::JSCallbackObject<Parent>::call):
693         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
694         (JSC::JSCallbackObject<Parent>::getStaticValue):
695         (JSC::JSCallbackObject<Parent>::callbackGetter):
696         * API/JSContext.mm:
697         (-[JSContext setException:]):
698         (-[JSContext wrapperForObjCObject:]):
699         (-[JSContext wrapperForJSObject:]):
700         * API/JSContextRef.cpp:
701         (JSContextGroupRelease):
702         (JSContextGroupSetExecutionTimeLimit):
703         (JSContextGroupClearExecutionTimeLimit):
704         (JSGlobalContextCreateInGroup):
705         (JSGlobalContextRetain):
706         (JSGlobalContextRelease):
707         (JSContextGetGlobalObject):
708         (JSContextGetGlobalContext):
709         (JSGlobalContextCopyName):
710         (JSGlobalContextSetName):
711         * API/JSManagedValue.mm:
712         (-[JSManagedValue value]):
713         * API/JSObjectRef.cpp:
714         (JSObjectMake):
715         (JSObjectMakeFunctionWithCallback):
716         (JSObjectMakeConstructor):
717         (JSObjectMakeFunction):
718         (JSObjectMakeArray):
719         (JSObjectMakeDate):
720         (JSObjectMakeError):
721         (JSObjectMakeRegExp):
722         (JSObjectGetPrototype):
723         (JSObjectSetPrototype):
724         (JSObjectHasProperty):
725         (JSObjectGetProperty):
726         (JSObjectSetProperty):
727         (JSObjectGetPropertyAtIndex):
728         (JSObjectSetPropertyAtIndex):
729         (JSObjectDeleteProperty):
730         (JSObjectGetPrivateProperty):
731         (JSObjectSetPrivateProperty):
732         (JSObjectDeletePrivateProperty):
733         (JSObjectIsFunction):
734         (JSObjectCallAsFunction):
735         (JSObjectCallAsConstructor):
736         (JSObjectCopyPropertyNames):
737         (JSPropertyNameArrayRelease):
738         (JSPropertyNameAccumulatorAddName):
739         * API/JSScriptRef.cpp:
740         * API/JSValue.mm:
741         (isDate):
742         (isArray):
743         (containerValueToObject):
744         (valueToArray):
745         (valueToDictionary):
746         (objectToValue):
747         * API/JSValueRef.cpp:
748         (JSValueGetType):
749         (JSValueIsUndefined):
750         (JSValueIsNull):
751         (JSValueIsBoolean):
752         (JSValueIsNumber):
753         (JSValueIsString):
754         (JSValueIsObject):
755         (JSValueIsObjectOfClass):
756         (JSValueIsEqual):
757         (JSValueIsStrictEqual):
758         (JSValueIsInstanceOfConstructor):
759         (JSValueMakeUndefined):
760         (JSValueMakeNull):
761         (JSValueMakeBoolean):
762         (JSValueMakeNumber):
763         (JSValueMakeString):
764         (JSValueMakeFromJSONString):
765         (JSValueCreateJSONString):
766         (JSValueToBoolean):
767         (JSValueToNumber):
768         (JSValueToStringCopy):
769         (JSValueToObject):
770         (JSValueProtect):
771         (JSValueUnprotect):
772         * API/JSVirtualMachine.mm:
773         (-[JSVirtualMachine addManagedReference:withOwner:]):
774         (-[JSVirtualMachine removeManagedReference:withOwner:]):
775         * API/JSWeakObjectMapRefPrivate.cpp:
776         * API/JSWrapperMap.mm:
777         (constructorHasInstance):
778         (makeWrapper):
779         (tryUnwrapObjcObject):
780         * API/ObjCCallbackFunction.mm:
781         (JSC::objCCallbackFunctionCallAsFunction):
782         (JSC::objCCallbackFunctionCallAsConstructor):
783         (objCCallbackFunctionForInvocation):
784         * CMakeLists.txt:
785         * ForwardingHeaders/JavaScriptCore/APIShims.h: Removed.
786         * GNUmakefile.list.am:
787         * JavaScriptCore.xcodeproj/project.pbxproj:
788         * dfg/DFGWorklist.cpp:
789         * heap/DelayedReleaseScope.h:
790         (JSC::DelayedReleaseScope::~DelayedReleaseScope):
791         * heap/HeapTimer.cpp:
792         (JSC::HeapTimer::timerDidFire):
793         (JSC::HeapTimer::timerEvent):
794         * heap/IncrementalSweeper.cpp:
795         * inspector/InjectedScriptModule.cpp:
796         (Inspector::InjectedScriptModule::ensureInjected):
797         * jsc.cpp:
798         (jscmain):
799         * runtime/GCActivityCallback.cpp:
800         (JSC::DefaultGCActivityCallback::doWork):
801         * runtime/JSGlobalObjectDebuggable.cpp:
802         (JSC::JSGlobalObjectDebuggable::connect):
803         (JSC::JSGlobalObjectDebuggable::disconnect):
804         (JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemoteFrontend):
805         * runtime/JSLock.cpp:
806         (JSC::JSLock::lock):
807         (JSC::JSLock::didAcquireLock):
808         (JSC::JSLock::unlock):
809         (JSC::JSLock::willReleaseLock):
810         (JSC::JSLock::DropAllLocks::DropAllLocks):
811         (JSC::JSLock::DropAllLocks::~DropAllLocks):
812         * runtime/JSLock.h:
813         * testRegExp.cpp:
814         (realMain):
815
816 2014-03-04  Commit Queue  <commit-queue@webkit.org>
817
818         Unreviewed, rolling out r164812.
819         http://trac.webkit.org/changeset/164812
820         https://bugs.webkit.org/show_bug.cgi?id=129699
821
822         it made things run slower (Requested by pizlo on #webkit).
823
824         * interpreter/Interpreter.cpp:
825         (JSC::Interpreter::execute):
826         * jsc.cpp:
827         (GlobalObject::finishCreation):
828         * runtime/BatchedTransitionOptimizer.h:
829         (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
830         (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):
831
832 2014-03-02  Filip Pizlo  <fpizlo@apple.com>
833
834         GetMyArgumentByVal in FTL
835         https://bugs.webkit.org/show_bug.cgi?id=128850
836
837         Reviewed by Oliver Hunt.
838         
839         This would have been easy if the OSR exit compiler's arity checks hadn't been wrong.
840         They checked arity by doing "exec->argumentCount == codeBlock->numParameters", which
841         caused it to think that the arity check had failed if the caller had passed more
842         arguments than needed. This would cause the call frame copying to sort of go into
843         reverse (because the amount-by-which-we-failed-arity would have opposite sign,
844         throwing off a bunch of math) and the stack would end up being corrupted.
845         
846         The bug was revealed by two existing tests although as far as I could tell, neither
847         test was intending to cover this case directly. So, I added a new test.
848
849         * ftl/FTLCapabilities.cpp:
850         (JSC::FTL::canCompile):
851         * ftl/FTLLowerDFGToLLVM.cpp:
852         (JSC::FTL::LowerDFGToLLVM::compileNode):
853         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
854         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
855         (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated):
856         (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated):
857         * ftl/FTLOSRExitCompiler.cpp:
858         (JSC::FTL::compileStub):
859         * ftl/FTLState.h:
860         * tests/stress/exit-from-ftl-when-caller-passed-extra-args-then-use-function-dot-arguments.js: Added.
861         * tests/stress/ftl-get-my-argument-by-val-inlined-and-not-inlined.js: Added.
862         * tests/stress/ftl-get-my-argument-by-val-inlined.js: Added.
863         * tests/stress/ftl-get-my-argument-by-val.js: Added.
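
        Constructed model of the arity-check sign problem this entry describes, added here as an illustration and not JavaScriptCore's own code: argumentCount and numParameters are the two fields the entry quotes, while the slot layout, the function names and the refusal on a negative delta are assumptions of the model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the OSR-exit arity check described above. Not JSC code:
   argumentCount / numParameters mirror the fields the ChangeLog quotes; the
   frame layout and everything else here is assumed for illustration. */

enum { SLOT_UNDEFINED = -1, MAX_SLOTS = 16 };

typedef struct {
    bool fixupRan;   /* true when the exit path believed arity had failed */
    int delta;       /* numParameters - argumentCount: slots the frame must grow by */
    bool reversed;   /* fixupRan with delta < 0: the frame copy would run backwards */
} ArityOutcome;

/* The check the entry calls wrong: arity "passes" only on exact equality, so a
   caller that passes extra arguments is treated as an arity failure. */
static bool arityPassedBuggy(int argumentCount, int numParameters)
{
    return argumentCount == numParameters;
}

/* Corrected check: extra arguments are fine; only a shortfall needs fixup. */
static bool arityPassedFixed(int argumentCount, int numParameters)
{
    return argumentCount >= numParameters;
}

/* Decide whether the fixup path runs and with which sign it would shift. */
static ArityOutcome evaluateArity(int argumentCount, int numParameters, bool useBuggyCheck)
{
    ArityOutcome out = { false, 0, false };
    bool passed = useBuggyCheck ? arityPassedBuggy(argumentCount, numParameters)
                                : arityPassedFixed(argumentCount, numParameters);
    if (passed)
        return out;
    out.fixupRan = true;
    out.delta = numParameters - argumentCount;   /* negative when too many args */
    out.reversed = out.delta < 0;
    return out;
}

/* Build the callee's argument slots: copy what was passed, then pad missing
   parameters with undefined. Returns the number of slots written, or -1 when
   the check produced a negative delta (the copy would run in reverse, so the
   model refuses rather than shifting the frame the wrong way). */
static int buildArgumentSlots(int *slots, const int *args, int argumentCount,
                              int numParameters, bool useBuggyCheck)
{
    ArityOutcome o = evaluateArity(argumentCount, numParameters, useBuggyCheck);
    if (o.reversed)
        return -1;
    int count = argumentCount + (o.fixupRan ? o.delta : 0);
    if (count > MAX_SLOTS)
        return -1;
    for (int i = 0; i < argumentCount; i++)
        slots[i] = args[i];
    for (int i = argumentCount; i < count; i++)
        slots[i] = SLOT_UNDEFINED;
    return count;
}

int main(void)
{
    int args[] = { 10, 20, 30 };   /* constructed sample arguments */
    int slots[MAX_SLOTS];

    /* Caller passed 3 arguments to a 2-parameter function. */
    int n = buildArgumentSlots(slots, args, 3, 2, true);
    printf("buggy check, extra args: %d (reverse copy refused)\n", n);
    n = buildArgumentSlots(slots, args, 3, 2, false);
    printf("fixed check, extra args: %d slots, no fixup\n", n);

    /* Caller passed 1 argument to a 2-parameter function: genuine shortfall. */
    n = buildArgumentSlots(slots, args, 1, 2, false);
    printf("fixed check, missing arg: %d slots, last is undefined\n", n);
    return 0;
}
```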
864
865 2014-03-04  Zan Dobersek  <zdobersek@igalia.com>
866
867         [GTK] Build the Udis86 disassembler
868         https://bugs.webkit.org/show_bug.cgi?id=129679
869
870         Reviewed by Michael Saboff.
871
872         * GNUmakefile.am: Generate the Udis86-related derived sources. Distribute the required files.
873         * GNUmakefile.list.am: Add the Udis86 disassembler files to the build.
874
875 2014-03-04  Andreas Kling  <akling@apple.com>
876
877         Fix too-narrow assertion I added in r165054.
878
879         It's okay for a 1-character string to come in here. This will happen
880         if the VM small string optimization doesn't apply (ch > 0xFF).
881
882         * runtime/JSString.h:
883         (JSC::jsStringWithWeakOwner):
884
885 2014-03-04  Andreas Kling  <akling@apple.com>
886
887         Micro-optimize Strings in JS bindings.
888         <https://webkit.org/b/129673>
889
890         Make jsStringWithWeakOwner() take a StringImpl& instead of a String.
891         This avoids branches in length() and operator[].
892
893         Also call JSString::create() directly instead of jsString() and just
894         assert that the string length is >1. This way we don't duplicate the
895         optimizations for empty and single-character strings.
896
897         Reviewed by Ryosuke Niwa.
898
899         * runtime/JSString.h:
900         (JSC::jsStringWithWeakOwner):
901
902 2014-03-04  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>
903
904         Implement Number.prototype.clz()
905         https://bugs.webkit.org/show_bug.cgi?id=129479
906
907         Reviewed by Oliver Hunt.
908
909         Implemented Number.prototype.clz() as specified in the ES6 standard.
910
911         * runtime/NumberPrototype.cpp:
912         (JSC::numberProtoFuncClz):
913
914 2014-03-03  Joseph Pecoraro  <pecoraro@apple.com>
915
916         Web Inspector: Avoid too early deref caused by RemoteInspectorXPCConnection::close
917         https://bugs.webkit.org/show_bug.cgi?id=129631
918
919         Reviewed by Timothy Hatcher.
920
921         Avoid deref() too early if a client calls close(). The xpc_connection_close
922         will cause another XPC_ERROR event to come in from the queue, deref then.
923         Likewise, protect multithreaded access to m_client. If a client calls
924         close() we want to immediately clear the pointer to prevent calls to it.
925
926         Overall the multi-threading aspects of RemoteInspectorXPCConnection are
927         growing too complicated for probably little benefit. We may want to
928         clean this up later.
929
930         * inspector/remote/RemoteInspector.mm:
931         (Inspector::RemoteInspector::xpcConnectionFailed):
932         * inspector/remote/RemoteInspectorXPCConnection.h:
933         * inspector/remote/RemoteInspectorXPCConnection.mm:
934         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
935         (Inspector::RemoteInspectorXPCConnection::close):
936         (Inspector::RemoteInspectorXPCConnection::closeOnQueue):
937         (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
938         (Inspector::RemoteInspectorXPCConnection::handleEvent):
939         (Inspector::RemoteInspectorXPCConnection::sendMessage):
940
941 2014-03-03  Michael Saboff  <msaboff@apple.com>
942
943         AbstractMacroAssembler::CachedTempRegister should start out invalid
944         https://bugs.webkit.org/show_bug.cgi?id=129657
945
946         Reviewed by Filip Pizlo.
947
948         * assembler/AbstractMacroAssembler.h:
949         (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
950         - Invalidate all cached registers in constructor as we don't know the
951           contents of any register at the entry to the code we are going to
952           generate.
953
954 2014-03-03  Andreas Kling  <akling@apple.com>
955
956         StructureOrOffset should be fastmalloced.
957         <https://webkit.org/b/129640>
958
959         Reviewed by Geoffrey Garen.
960
961         * runtime/StructureIDTable.h:
962
963 2014-03-03  Michael Saboff  <msaboff@apple.com>
964
965         Crash in JIT code while watching a video @ storyboard.tumblr.com
966         https://bugs.webkit.org/show_bug.cgi?id=129635
967
968         Reviewed by Filip Pizlo.
969
970         Clear m_set before we set bits in the TempRegisterSet(const RegisterSet& other)
971         constructor.
972
973         * jit/TempRegisterSet.cpp:
974         (JSC::TempRegisterSet::TempRegisterSet): Clear map before setting it.
975         * jit/TempRegisterSet.h:
976         (JSC::TempRegisterSet::TempRegisterSet): Use new clearAll() helper.
977         (JSC::TempRegisterSet::clearAll): New private helper.
978
979 2014-03-03  Benjamin Poulain  <benjamin@webkit.org>
980
981         [x86] Improve code generation of byte test
982         https://bugs.webkit.org/show_bug.cgi?id=129597
983
984         Reviewed by Geoffrey Garen.
985
986         When possible, test the 8 bit register to itself instead of comparing it
987         to a literal.
988
989         * assembler/MacroAssemblerX86Common.h:
990         (JSC::MacroAssemblerX86Common::test32):
991
992 2014-03-03  Mark Lam  <mark.lam@apple.com>
993
994         Web Inspector: debugger statements do not break.
995         <https://webkit.org/b/129524>
996
997         Reviewed by Geoff Garen.
998
999         Since we no longer call op_debug hooks unless there is a debugger request
1000         made on the CodeBlock, the op_debug for the debugger statement never gets
1001         serviced.
1002
1003         With this fix, we check in the CodeBlock constructor if any debugger
1004         statements are present.  If so, we set an m_hasDebuggerStatement flag that
1005         causes the CodeBlock to show as having debugger requests.  Hence,
1006         breaking at debugger statements is now restored.
1007
1008         * bytecode/CodeBlock.cpp:
1009         (JSC::CodeBlock::CodeBlock):
1010         * bytecode/CodeBlock.h:
1011         (JSC::CodeBlock::hasDebuggerRequests):
1012         (JSC::CodeBlock::clearDebuggerRequests):
1013
1014 2014-03-03  Mark Lam  <mark.lam@apple.com>
1015
1016         ASSERTION FAILED: m_numBreakpoints >= numBreakpoints when deleting breakpoints.
1017         <https://webkit.org/b/129393>
1018
1019         Reviewed by Geoffrey Garen.
1020
1021         The issue manifests because the debugger will iterate all CodeBlocks in
1022         the heap when setting / clearing breakpoints, but it is possible for a
1023         CodeBlock to have been instantiated but not yet registered with the
1024         debugger.  This can happen because of the following:
1025
1026         1. DFG worklist compilation is still in progress, and the target
1027            codeBlock is not ready for installation in its executable yet.
1028
1029         2. DFG compilation failed and we have a codeBlock that will never be
1030            installed in its executable, and the codeBlock has not been cleaned
1031            up by the GC yet.
1032
1033         The code for installing the codeBlock in its executable is the same code
1034         that registers it with the debugger.  Hence, these codeBlocks are not
1035         registered with the debugger, and any pending breakpoints that would map
1036         to that CodeBlock are as yet unset or will never be set.  As such, an
1037         attempt to remove a breakpoint in that CodeBlock will fail that assertion.
1038
1039         To fix this, we do the following:
1040
1041         1. We'll eagerly clean up any zombie CodeBlocks due to failed DFG / FTL
1042            compilation.  This is achieved by providing a
1043            DeferredCompilationCallback::compilationDidComplete() that does this
1044            clean up, and have all sub classes call it at the end of their
1045            compilationDidComplete() methods.
1046
1047         2. Before the debugger or profiler iterates CodeBlocks in the heap, they
1048            will wait for all compilations to complete before proceeding.  This
1049            ensures that:
1050            1. any zombie CodeBlocks would have been cleaned up, and won't be
1051               seen by the debugger or profiler.
1052            2. all CodeBlocks that the debugger and profiler needs to operate on
1053               will be "ready" for whatever needs to be done to them e.g.
1054               jettisoning of DFG codeBlocks.
1055
1056         * bytecode/DeferredCompilationCallback.cpp:
1057         (JSC::DeferredCompilationCallback::compilationDidComplete):
1058         * bytecode/DeferredCompilationCallback.h:
1059         - Provide default implementation method to clean up zombie CodeBlocks.
1060
1061         * debugger/Debugger.cpp:
1062         (JSC::Debugger::forEachCodeBlock):
1063         - Utility function to iterate CodeBlocks.  It ensures that all compilations
1064           are complete before proceeding.
1065         (JSC::Debugger::setSteppingMode):
1066         (JSC::Debugger::toggleBreakpoint):
1067         (JSC::Debugger::recompileAllJSFunctions):
1068         (JSC::Debugger::clearBreakpoints):
1069         (JSC::Debugger::clearDebuggerRequests):
1070         - Use the utility iterator function.
1071
1072         * debugger/Debugger.h:
1073         * dfg/DFGOperations.cpp:
1074         - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.
1075
1076         * dfg/DFGPlan.cpp:
1077         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
1078         - Remove unneeded code (that was not the best solution anyway) for ensuring
1079           that we don't generate new DFG codeBlocks after enabling the debugger or
1080           profiler.  Now that we wait for compilations to complete before proceeding
1081           with debugger and profiler work, this scenario will never happen.
1082
1083         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
1084         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
1085         - Call the super class method to clean up zombie codeBlocks.
1086
1087         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
1088         (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
1089         - Call the super class method to clean up zombie codeBlocks.
1090
1091         * heap/CodeBlockSet.cpp:
1092         (JSC::CodeBlockSet::remove):
1093         * heap/CodeBlockSet.h:
1094         * heap/Heap.h:
1095         (JSC::Heap::removeCodeBlock):
1096         - New method to remove a codeBlock from the codeBlock set.
1097
1098         * jit/JITOperations.cpp:
1099         - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.
1100
1101         * jit/JITToDFGDeferredCompilationCallback.cpp:
1102         (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
1103         - Call the super class method to clean up zombie codeBlocks.
1104
1105         * runtime/VM.cpp:
1106         (JSC::VM::waitForCompilationsToComplete):
1107         - Renamed from prepareToDiscardCode() to be clearer about what it does.
1108
1109         (JSC::VM::discardAllCode):
1110         (JSC::VM::releaseExecutableMemory):
1111         (JSC::VM::setEnabledProfiler):
1112         - Wait for compilation to complete before enabling the profiler.
1113
1114         * runtime/VM.h:
1115
1116 2014-03-03  Brian Burg  <bburg@apple.com>
1117
1118         Another unreviewed build fix attempt for Windows after r164986.
1119
1120         We never told Visual Studio to copy over the web replay code generator scripts
1121         and the generated headers for JavaScriptCore replay inputs as if they were
1122         private headers.
1123
1124         * JavaScriptCore.vcxproj/copy-files.cmd:
1125
1126 2014-03-03  Brian Burg  <bburg@apple.com>
1127
1128         Web Replay: upstream input storage, capture/replay machinery, and inspector domain
1129         https://bugs.webkit.org/show_bug.cgi?id=128782
1130
1131         Reviewed by Timothy Hatcher.
1132
1133         Alter the replay inputs code generator so that it knows when it is necessary
1134         to include headers for HEAVY_SCALAR types such as WTF::String and WebCore::URL.
1135
1136         * JavaScriptCore.xcodeproj/project.pbxproj:
1137         * replay/scripts/CodeGeneratorReplayInputs.py:
1138         (Framework.fromString):
1139         (Frameworks): Add WTF as an allowed framework for code generation.
1140         (Generator.generate_includes): Include headers for HEAVY_SCALAR types in the header file.
1141         (Generator.generate_includes.declaration):
1142         (Generator.generate_includes.or):
1143         (Generator.generate_type_forward_declarations): Skip HEAVY_SCALAR types.
1144
1145 2014-03-02  Filip Pizlo  <fpizlo@apple.com>
1146
1147         PolymorphicPutByIdList should have a simpler construction API with basically a single entrypoint
1148         https://bugs.webkit.org/show_bug.cgi?id=129591
1149
1150         Reviewed by Michael Saboff.
1151
1152         * bytecode/PolymorphicPutByIdList.cpp:
1153         (JSC::PutByIdAccess::fromStructureStubInfo): This function can figure out the slow path target for itself.
1154         (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList): This constructor should be private, only from() should call it.
1155         (JSC::PolymorphicPutByIdList::from):
1156         * bytecode/PolymorphicPutByIdList.h:
1157         (JSC::PutByIdAccess::stubRoutine):
1158         * jit/Repatch.cpp:
1159         (JSC::tryBuildPutByIdList): Don't pass the slow path target since it can be derived from the stubInfo.
1160
1161 2014-03-02  Filip Pizlo  <fpizlo@apple.com>
1162
1163         Debugging improvements from my gbemu investigation session
1164         https://bugs.webkit.org/show_bug.cgi?id=129599
1165
1166         Reviewed by Mark Lam.
1167         
1168         Various improvements from when I was investigating bug 129411.
1169
1170         * bytecode/CodeBlock.cpp:
1171         (JSC::CodeBlock::optimizationThresholdScalingFactor): Make the dataLog() statement print the actual multiplier.
1172         * jsc.cpp:
1173         (GlobalObject::finishCreation):
1174         (functionDescribe): Make describe() return a string rather than printing the string.
1175         (functionDescribeArray): Like describe(), but prints details about arrays.
1176
1177 2014-02-25  Andreas Kling  <akling@apple.com>
1178
1179         JSDOMWindow::commonVM() should return a reference.
1180         <https://webkit.org/b/129293>
1181
1182         Added a DropAllLocks constructor that takes VM& without null checks.
1183
1184         Reviewed by Geoff Garen.
1185
1186 2014-03-02  Mark Lam  <mark.lam@apple.com>
1187
1188         CodeBlock::hasDebuggerRequests() should return a bool instead of an int.
1189         <https://webkit.org/b/129584>
1190
1191         Reviewed by Darin Adler.
1192
1193         * bytecode/CodeBlock.h:
1194         (JSC::CodeBlock::hasDebuggerRequests):
1195
1196 2014-03-02  Mark Lam  <mark.lam@apple.com>
1197
1198         Clean up use of Options::enableConcurrentJIT().
1199         <https://webkit.org/b/129582>
1200
1201         Reviewed by Filip Pizlo.
1202
1203         DFG Driver was conditionally checking Options::enableConcurrentJIT()
1204         only if ENABLE(CONCURRENT_JIT).  Otherwise, it bypasses it with a local
1205         enableConcurrentJIT set to false.
1206
1207         Instead we should configure Options::enableConcurrentJIT() to be false
1208         in Options.cpp if !ENABLE(CONCURRENT_JIT), and DFG Driver should always
1209         check Options::enableConcurrentJIT().  This makes the code read a little
1210         cleaner.
1211
1212         * dfg/DFGDriver.cpp:
1213         (JSC::DFG::compileImpl):
1214         * runtime/Options.cpp:
1215         (JSC::recomputeDependentOptions):
1216
1217 2014-03-01  Filip Pizlo  <fpizlo@apple.com>
1218
1219         This shouldn't have been a layout test since it runs only under jsc. Moving it to JSC
1220         stress tests.
1221
1222         * tests/stress/generational-opaque-roots.js: Copied from LayoutTests/js/script-tests/generational-opaque-roots.js.
1223
1224 2014-03-01  Andreas Kling  <akling@apple.com>
1225
1226         JSCell::fastGetOwnProperty() should get the Structure more efficiently.
1227         <https://webkit.org/b/129560>
1228
1229         Now that structure() is nontrivial and we have a faster structure(VM&),
1230         make use of that in fastGetOwnProperty() since we already have VM.
1231
1232         Reviewed by Sam Weinig.
1233
1234         * runtime/JSCellInlines.h:
1235         (JSC::JSCell::fastGetOwnProperty):
1236
1237 2014-03-01  Andreas Kling  <akling@apple.com>
1238
1239         Avoid going through ExecState for VM when we already have it (in some places.)
1240         <https://webkit.org/b/129554>
1241
1242         Tweak some places that jump through unnecessary hoops to get the VM.
1243         There are many more like this.
1244
1245         Reviewed by Sam Weinig.
1246
1247         * runtime/JSObject.cpp:
1248         (JSC::JSObject::putByIndexBeyondVectorLength):
1249         (JSC::JSObject::putDirectIndexBeyondVectorLength):
1250         * runtime/ObjectPrototype.cpp:
1251         (JSC::objectProtoFuncToString):
1252
1253 2014-02-28  Filip Pizlo  <fpizlo@apple.com>
1254
1255         FTL should support PhantomArguments
1256         https://bugs.webkit.org/show_bug.cgi?id=113986
1257
1258         Reviewed by Oliver Hunt.
1259         
1260         Adding PhantomArguments to the FTL mostly means wiring the recovery of the Arguments
1261         object into the FTL's OSR exit compiler.
1262         
1263         This isn't a speed-up yet, since there is still more to be done to fully support
1264         all of the arguments craziness that our varargs benchmarks do.
1265
1266         * dfg/DFGOSRExitCompiler32_64.cpp:
1267         (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
1268         * dfg/DFGOSRExitCompiler64.cpp:
1269         (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
1270         * dfg/DFGOSRExitCompilerCommon.cpp:
1271         (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator):
1272         (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator):
1273         (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): this is the common place for the recovery code
1274         * dfg/DFGOSRExitCompilerCommon.h:
1275         * ftl/FTLCapabilities.cpp:
1276         (JSC::FTL::canCompile):
1277         * ftl/FTLExitValue.cpp:
1278         (JSC::FTL::ExitValue::dumpInContext):
1279         * ftl/FTLExitValue.h:
1280         (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated):
1281         (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated):
1282         (JSC::FTL::ExitValue::valueFormat):
1283         * ftl/FTLLowerDFGToLLVM.cpp:
1284         (JSC::FTL::LowerDFGToLLVM::compileNode):
1285         (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments):
1286         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
1287         (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
1288         * ftl/FTLOSRExitCompiler.cpp:
1289         (JSC::FTL::compileStub): Call into the ArgumentsRecoveryGenerator
1290         * tests/stress/slightly-more-difficult-to-fold-reflective-arguments-access.js: Added.
1291         * tests/stress/trivially-foldable-reflective-arguments-access.js: Added.
1292
1293 2014-02-28  Filip Pizlo  <fpizlo@apple.com>
1294
1295         Unreviewed, uncomment some code. It wasn't meant to be commented in the first place.
1296
1297         * dfg/DFGCSEPhase.cpp:
1298         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
1299
1300 2014-02-28  Andreas Kling  <akling@apple.com>
1301
1302         JSObject::findPropertyHashEntry() should take VM instead of ExecState.
1303         <https://webkit.org/b/129529>
1304
1305         Callers already have VM in a local, and findPropertyHashEntry() only
1306         uses the VM, no need to go all the way through ExecState.
1307
1308         Reviewed by Geoffrey Garen.
1309
1310         * runtime/JSObject.cpp:
1311         (JSC::JSObject::put):
1312         (JSC::JSObject::deleteProperty):
1313         (JSC::JSObject::findPropertyHashEntry):
1314         * runtime/JSObject.h:
1315
1316 2014-02-28  Joseph Pecoraro  <pecoraro@apple.com>
1317
1318         Deadlock remotely inspecting iOS Simulator
1319         https://bugs.webkit.org/show_bug.cgi?id=129511
1320
1321         Reviewed by Timothy Hatcher.
1322
1323         Avoid synchronous setup. Do it asynchronously, and let
1324         the RemoteInspector singleton know later if it failed.
1325
1326         * inspector/remote/RemoteInspector.h:
1327         * inspector/remote/RemoteInspector.mm:
1328         (Inspector::RemoteInspector::setupFailed):
1329         * inspector/remote/RemoteInspectorDebuggableConnection.h:
1330         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
1331         (Inspector::RemoteInspectorDebuggableConnection::setup):
1332
1333 2014-02-28  Oliver Hunt  <oliver@apple.com>
1334
1335         REGRESSION(r164835): It broke 10 JSC stress test on 32 bit platforms
1336         https://bugs.webkit.org/show_bug.cgi?id=129488
1337
1338         Reviewed by Mark Lam.
1339
1340         Whoops, modify the right register.
1341
1342         * jit/JITCall32_64.cpp:
1343         (JSC::JIT::compileLoadVarargs):
1344
1345 2014-02-28  Filip Pizlo  <fpizlo@apple.com>
1346
1347         FTL should be able to call sin/cos directly on platforms where the intrinsic is busted
1348         https://bugs.webkit.org/show_bug.cgi?id=129503
1349
1350         Reviewed by Mark Lam.
1351
1352         * ftl/FTLIntrinsicRepository.h:
1353         * ftl/FTLOutput.h:
1354         (JSC::FTL::Output::doubleSin):
1355         (JSC::FTL::Output::doubleCos):
1356         (JSC::FTL::Output::intrinsicOrOperation):
1357
1358 2014-02-28  Mark Hahnenberg  <mhahnenberg@apple.com>
1359
1360         Fix !ENABLE(GGC) builds
1361
1362         * heap/Heap.cpp:
1363         (JSC::Heap::markRoots):
1364         (JSC::Heap::gatherJSStackRoots): Also fix one of the names of the GC phases.
1365
1366 2014-02-27  Mark Hahnenberg  <mhahnenberg@apple.com>
1367
1368         Clean up Heap::collect and Heap::markRoots
1369         https://bugs.webkit.org/show_bug.cgi?id=129464
1370
1371         Reviewed by Geoffrey Garen.
1372
1373         These functions have built up a lot of cruft recently. 
1374         We should do a bit of cleanup to make them easier to grok.
1375
1376         * heap/Heap.cpp:
1377         (JSC::Heap::finalizeUnconditionalFinalizers):
1378         (JSC::Heap::gatherStackRoots):
1379         (JSC::Heap::gatherJSStackRoots):
1380         (JSC::Heap::gatherScratchBufferRoots):
1381         (JSC::Heap::clearLivenessData):
1382         (JSC::Heap::visitSmallStrings):
1383         (JSC::Heap::visitConservativeRoots):
1384         (JSC::Heap::visitCompilerWorklists):
1385         (JSC::Heap::markProtectedObjects):
1386         (JSC::Heap::markTempSortVectors):
1387         (JSC::Heap::markArgumentBuffers):
1388         (JSC::Heap::visitException):
1389         (JSC::Heap::visitStrongHandles):
1390         (JSC::Heap::visitHandleStack):
1391         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
1392         (JSC::Heap::converge):
1393         (JSC::Heap::visitWeakHandles):
1394         (JSC::Heap::clearRememberedSet):
1395         (JSC::Heap::updateObjectCounts):
1396         (JSC::Heap::resetVisitors):
1397         (JSC::Heap::markRoots):
1398         (JSC::Heap::copyBackingStores):
1399         (JSC::Heap::deleteUnmarkedCompiledCode):
1400         (JSC::Heap::collect):
1401         (JSC::Heap::collectIfNecessaryOrDefer):
1402         (JSC::Heap::suspendCompilerThreads):
1403         (JSC::Heap::willStartCollection):
1404         (JSC::Heap::deleteOldCode):
1405         (JSC::Heap::flushOldStructureIDTables):
1406         (JSC::Heap::flushWriteBarrierBuffer):
1407         (JSC::Heap::stopAllocation):
1408         (JSC::Heap::reapWeakHandles):
1409         (JSC::Heap::sweepArrayBuffers):
1410         (JSC::Heap::snapshotMarkedSpace):
1411         (JSC::Heap::deleteSourceProviderCaches):
1412         (JSC::Heap::notifyIncrementalSweeper):
1413         (JSC::Heap::rememberCurrentlyExecutingCodeBlocks):
1414         (JSC::Heap::resetAllocators):
1415         (JSC::Heap::updateAllocationLimits):
1416         (JSC::Heap::didFinishCollection):
1417         (JSC::Heap::resumeCompilerThreads):
1418         * heap/Heap.h:
1419
1420 2014-02-27  Ryosuke Niwa  <rniwa@webkit.org>
1421
1422         indexOf and lastIndexOf shouldn't resolve ropes when needle is longer than haystack
1423         https://bugs.webkit.org/show_bug.cgi?id=129466
1424
1425         Reviewed by Michael Saboff.
1426
1427         Refactored the code to avoid calling JSString::value when needle is longer than haystack.
1428
1429         * runtime/StringPrototype.cpp:
1430         (JSC::stringProtoFuncIndexOf):
1431         (JSC::stringProtoFuncLastIndexOf):
1432
1433 2014-02-27  Timothy Hatcher  <timothy@apple.com>
1434
1435         Improve how ContentSearchUtilities::lineEndings works by supporting the three common line endings.
1436
1437         https://bugs.webkit.org/show_bug.cgi?id=129458
1438
1439         Reviewed by Joseph Pecoraro.
1440
1441         * inspector/ContentSearchUtilities.cpp:
1442         (Inspector::ContentSearchUtilities::textPositionFromOffset): Remove assumption about line ending length.
1443         (Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines): Remove assumption about
1444         line ending type and don't try to strip the line ending. Use size_t.
1445         (Inspector::ContentSearchUtilities::lineEndings): Use findNextLineStart to find the lines.
1446         This will include the line ending in the lines, but that is okay.
1447         (Inspector::ContentSearchUtilities::buildObjectForSearchMatch): Use size_t.
1448         (Inspector::ContentSearchUtilities::searchInTextByLines): Modernize.
1449
1450 2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>
1451
1452         [Mac] Warning: Multiple build commands for output file GCSegmentedArray and InspectorAgent
1453         https://bugs.webkit.org/show_bug.cgi?id=129446
1454
1455         Reviewed by Timothy Hatcher.
1456
1457         Remove duplicate header entries in Copy Header build phase.
1458
1459         * JavaScriptCore.xcodeproj/project.pbxproj:
1460
1461 2014-02-27  Oliver Hunt  <oliver@apple.com>
1462
1463         Whoops, include all of last patch.
1464
1465         * jit/JITCall32_64.cpp:
1466         (JSC::JIT::compileLoadVarargs):
1467
1468 2014-02-27  Oliver Hunt  <oliver@apple.com>
1469
1470         Slow cases for function.apply and function.call should not require vm re-entry
1471         https://bugs.webkit.org/show_bug.cgi?id=129454
1472
1473         Reviewed by Geoffrey Garen.
1474
1475         Implement call and apply using builtins. Happily, the use
1476         of @call and @apply doesn't perform function equality checks
1477         and just plant direct var_args calls. This did expose a few
1478         codegen issues, but they're all covered by existing tests
1479         once call and apply are implemented in JS.
1480
1481         * JavaScriptCore.xcodeproj/project.pbxproj:
1482         * builtins/Function.prototype.js: Added.
1483         (call):
1484         (apply):
1485         * bytecompiler/NodesCodegen.cpp:
1486         (JSC::CallFunctionCallDotNode::emitBytecode):
1487         (JSC::ApplyFunctionCallDotNode::emitBytecode):
1488         * dfg/DFGCapabilities.cpp:
1489         (JSC::DFG::capabilityLevel):
1490         * interpreter/Interpreter.cpp:
1491         (JSC::sizeFrameForVarargs):
1492         (JSC::loadVarargs):
1493         * interpreter/Interpreter.h:
1494         * jit/JITCall.cpp:
1495         (JSC::JIT::compileLoadVarargs):
1496         * parser/ASTBuilder.h:
1497         (JSC::ASTBuilder::makeFunctionCallNode):
1498         * parser/Lexer.cpp:
1499         (JSC::isSafeBuiltinIdentifier):
1500         * runtime/CommonIdentifiers.h:
1501         * runtime/FunctionPrototype.cpp:
1502         (JSC::FunctionPrototype::addFunctionProperties):
1503         * runtime/JSObject.cpp:
1504         (JSC::JSObject::putDirectBuiltinFunction):
1505         (JSC::JSObject::putDirectBuiltinFunctionWithoutTransition):
1506         * runtime/JSObject.h:
1507
1508 2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>
1509
1510         Web Inspector: Better name for RemoteInspectorDebuggableConnection dispatch queue
1511         https://bugs.webkit.org/show_bug.cgi?id=129443
1512
1513         Reviewed by Timothy Hatcher.
1514
1515         This queue is specific to the JSContext debuggable connections;
1516         there is no XPC involved. Give it a better name.
1517
1518         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
1519         (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
1520
1521 2014-02-27  David Kilzer  <ddkilzer@apple.com>
1522
1523         Remove jsc symlink if it already exists
1524
1525         This is a follow-up fix for:
1526
1527         Create symlink to /usr/local/bin/jsc during installation
1528         <http://webkit.org/b/129399>
1529         <rdar://problem/16168734>
1530
1531         * JavaScriptCore.xcodeproj/project.pbxproj:
1532         (Create /usr/local/bin/jsc symlink): If a jsc symlink already
1533         exists where we're about to create the symlink, remove the old
1534         one first.
1535
1536 2014-02-27  Michael Saboff  <msaboff@apple.com>
1537
1538         Unreviewed build fix for Mac tools after r164814
1539
1540         * Configurations/ToolExecutable.xcconfig:
1541         - Added JavaScriptCore.framework/PrivateHeaders to ToolExecutable include path.
1542         * JavaScriptCore.xcodeproj/project.pbxproj:
1543         - Changed productName to testRegExp for testRegExp target.
1544
1545 2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>
1546
1547         Web Inspector: JSContext inspection should report exceptions in the console
1548         https://bugs.webkit.org/show_bug.cgi?id=128776
1549
1550         Reviewed by Timothy Hatcher.
1551
1552         When JavaScript API functions have an exception, let the inspector
1553         know so it can log the JavaScript and Native backtrace that caused
1554         the exception.
1555
1556         Include some clean up of ConsoleMessage and ScriptCallStack construction.
1557
1558         * API/JSBase.cpp:
1559         (JSEvaluateScript):
1560         (JSCheckScriptSyntax):
1561         * API/JSObjectRef.cpp:
1562         (JSObjectMakeFunction):
1563         (JSObjectMakeArray):
1564         (JSObjectMakeDate):
1565         (JSObjectMakeError):
1566         (JSObjectMakeRegExp):
1567         (JSObjectGetProperty):
1568         (JSObjectSetProperty):
1569         (JSObjectGetPropertyAtIndex):
1570         (JSObjectSetPropertyAtIndex):
1571         (JSObjectDeleteProperty):
1572         (JSObjectCallAsFunction):
1573         (JSObjectCallAsConstructor):
1574         * API/JSValue.mm:
1575         (reportExceptionToInspector):
1576         (valueToArray):
1577         (valueToDictionary):
1578         * API/JSValueRef.cpp:
1579         (JSValueIsEqual):
1580         (JSValueIsInstanceOfConstructor):
1581         (JSValueCreateJSONString):
1582         (JSValueToNumber):
1583         (JSValueToStringCopy):
1584         (JSValueToObject):
1585         When seeing an exception, let the inspector know there was an exception.
1586
1587         * inspector/JSGlobalObjectInspectorController.h:
1588         * inspector/JSGlobalObjectInspectorController.cpp:
1589         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1590         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
1591         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
1592         Log API exceptions by also grabbing the native backtrace.
1593
1594         * inspector/ScriptCallStack.h:
1595         * inspector/ScriptCallStack.cpp:
1596         (Inspector::ScriptCallStack::firstNonNativeCallFrame):
1597         (Inspector::ScriptCallStack::append):
1598         Minor extensions to ScriptCallStack to make it easier to work with.
1599
1600         * inspector/ConsoleMessage.cpp:
1601         (Inspector::ConsoleMessage::ConsoleMessage):
1602         (Inspector::ConsoleMessage::autogenerateMetadata):
1603         Provide better default information if the first call frame was native.
1604
1605         * inspector/ScriptCallStackFactory.cpp:
1606         (Inspector::createScriptCallStack):
1607         (Inspector::extractSourceInformationFromException):
1608         (Inspector::createScriptCallStackFromException):
1609         Perform the handling here of inserting a fake call frame for exceptions
1610         if there was no call stack (e.g. a SyntaxError) or if the first call
1611         frame had no information.
1612
1613         * inspector/ConsoleMessage.cpp:
1614         (Inspector::ConsoleMessage::ConsoleMessage):
1615         (Inspector::ConsoleMessage::autogenerateMetadata):
1616         * inspector/ConsoleMessage.h:
1617         * inspector/ScriptCallStackFactory.cpp:
1618         (Inspector::createScriptCallStack):
1619         (Inspector::createScriptCallStackForConsole):
1620         * inspector/ScriptCallStackFactory.h:
1621         * inspector/agents/InspectorConsoleAgent.cpp:
1622         (Inspector::InspectorConsoleAgent::enable):
1623         (Inspector::InspectorConsoleAgent::addMessageToConsole):
1624         (Inspector::InspectorConsoleAgent::count):
1625         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
1626         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
1627         ConsoleMessage cleanup.
1628
1629 2014-02-27  David Kilzer  <ddkilzer@apple.com>
1630
1631         Create symlink to /usr/local/bin/jsc during installation
1632         <http://webkit.org/b/129399>
1633         <rdar://problem/16168734>
1634
1635         Reviewed by Dan Bernstein.
1636
1637         * JavaScriptCore.xcodeproj/project.pbxproj:
1638         - Add "Create /usr/local/bin/jsc symlink" build phase script to
1639           create the symlink during installation.
1640
1641 2014-02-27  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>
1642
1643         Math.{max, min}() must not return after first NaN value
1644         https://bugs.webkit.org/show_bug.cgi?id=104147
1645
1646         Reviewed by Oliver Hunt.
1647
1648         According to the spec, ToNumber is going to be called on each argument
1649         even if a `NaN` value was already found.
1650
1651         * runtime/MathObject.cpp:
1652         (JSC::mathProtoFuncMax):
1653         (JSC::mathProtoFuncMin):
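
Added example (not JavaScriptCore code) showing what that spec requirement means from script: a spec-shaped max that converts every argument sits beside an early-return one, and a constructed valueOf probe counts conversions and can throw, so the two become distinguishable; min mirrors max and is omitted here.

```javascript
// Added example, not JSC code. Contrasts a Math.max that stops at the first NaN
// with one that follows the spec and calls ToNumber on every argument. The only
// way script can tell them apart is through side effects or exceptions raised
// by the conversions that the early-return version skips.

// Spec-shaped max: convert every argument first, then pick the result.
function specMax(...args) {
  const numbers = args.map(Number); // ToNumber on each argument, in order
  let result = -Infinity;
  for (const n of numbers) {
    if (Number.isNaN(n)) return NaN; // NaN wins, but only after all conversions ran
    // "+0 is larger than -0" per spec; otherwise plain comparison.
    if (n > result || (n === 0 && Object.is(result, -0))) result = n;
  }
  return result;
}

// Early-return shape: stops converting as soon as a NaN is seen.
function earlyReturnMax(...args) {
  let result = -Infinity;
  for (const a of args) {
    const n = Number(a);
    if (Number.isNaN(n)) return NaN; // later arguments are never converted
    if (n > result || (n === 0 && Object.is(result, -0))) result = n;
  }
  return result;
}

// Constructed probe: records each valueOf call and can fail on demand.
function makeProbe(log, shouldThrow = false) {
  return {
    valueOf() {
      log.push("valueOf");
      if (shouldThrow) throw new TypeError("conversion failed");
      return 1;
    },
  };
}

// Call impl(0, NaN, probe) and report what script could observe:
// the result and how many times the probe after the NaN was converted.
function observe(impl) {
  const log = [];
  const result = impl(0, NaN, makeProbe(log));
  return { result, conversions: log.length };
}

// Call impl(NaN, throwingProbe): a spec-compliant max must surface the
// TypeError; an early-return max silently returns NaN instead.
function observeThrowing(impl) {
  const log = [];
  try {
    impl(NaN, makeProbe(log, true));
    return "returned";
  } catch (e) {
    return e instanceof TypeError ? "threw" : "other";
  }
}
```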
1654
1655 2014-02-27  Gergo Balogh  <gbalogh.u-szeged@partner.samsung.com>
1656
1657         JSType upper limit (0xff) assertion can be removed.
1658         https://bugs.webkit.org/show_bug.cgi?id=129424
1659
1660         Reviewed by Geoffrey Garen.
1661
1662         * runtime/JSTypeInfo.h:
1663         (JSC::TypeInfo::TypeInfo):
1664
1665 2014-02-26  Michael Saboff  <msaboff@apple.com>
1666
1667         Auto generate bytecode information for bytecode parser and LLInt
1668         https://bugs.webkit.org/show_bug.cgi?id=129181
1669
1670         Reviewed by Mark Lam.
1671
1672         Added new bytecode/BytecodeList.json that contains a list of bytecodes and related
1673         helpers.  It also includes bytecode length and other information used to generate files.
1674         Added a new generator, generate-bytecode-files that generates Bytecodes.h and InitBytecodes.asm
1675         in DerivedSources/JavaScriptCore/.
1676
1677         Added the generation of these files to the "DerivedSource" build step.
1678         Slightly changed the build order, since the Bytecodes.h file is needed by
1679         JSCLLIntOffsetsExtractor.  Moved the offline assembly to a separate step since it needs
1680         to be run after JSCLLIntOffsetsExtractor.
1681
1682         Made related changes to OPCODE macros and their use.
1683
1684         Added JavaScriptCore.framework/PrivateHeaders to header file search path for building
1685         jsc to resolve Mac build issue.
1686
1687         * CMakeLists.txt:
1688         * Configurations/JSC.xcconfig:
1689         * DerivedSources.make:
1690         * GNUmakefile.am:
1691         * GNUmakefile.list.am:
1692         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1693         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1694         * JavaScriptCore.vcxproj/copy-files.cmd:
1695         * JavaScriptCore.xcodeproj/project.pbxproj:
1696         * bytecode/Opcode.h:
1697         (JSC::padOpcodeName):
1698         * llint/LLIntCLoop.cpp:
1699         (JSC::LLInt::CLoop::initialize):
1700         * llint/LLIntCLoop.h:
1701         * llint/LLIntData.cpp:
1702         (JSC::LLInt::initialize):
1703         * llint/LLIntOpcode.h:
1704         * llint/LowLevelInterpreter.asm:
1705
1706 2014-02-27  Julien Brianceau  <jbriance@cisco.com>
1707
1708         Fix 32-bit V_JITOperation_EJ callOperation introduced in r162652.
1709         https://bugs.webkit.org/show_bug.cgi?id=129420
1710
1711         Reviewed by Geoffrey Garen.
1712
1713         * dfg/DFGSpeculativeJIT.h:
1714         (JSC::DFG::SpeculativeJIT::callOperation): Payload and tag are swapped.
1715         Also, EABI_32BIT_DUMMY_ARG is missing for arm EABI and mips.
1716
1717 2014-02-27  Filip Pizlo  <fpizlo@apple.com>
1718
1719         Octane/closure thrashes between flattening dictionaries during global object initialization in a global eval
1720         https://bugs.webkit.org/show_bug.cgi?id=129435
1721
1722         Reviewed by Oliver Hunt.
1723         
1724         This is a 5-10% speed-up on Octane/closure.
1725
1726         * interpreter/Interpreter.cpp:
1727         (JSC::Interpreter::execute):
1728         * jsc.cpp:
1729         (GlobalObject::finishCreation):
1730         (functionClearCodeCache):
1731         * runtime/BatchedTransitionOptimizer.h:
1732         (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
1733         (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):
1734
1735 2014-02-27  Alexey Proskuryakov  <ap@apple.com>
1736
1737         Added svn:ignore to two directories, so that .pyc files don't show up as unversioned.
1738
1739         * inspector/scripts: Added property svn:ignore.
1740         * replay/scripts: Added property svn:ignore.
1741
1742 2014-02-27  Gabor Rapcsanyi  <rgabor@webkit.org>
1743
1744         r164764 broke the ARM build
1745         https://bugs.webkit.org/show_bug.cgi?id=129415
1746
1747         Reviewed by Zoltan Herczeg.
1748
1749         * assembler/MacroAssemblerARM.h:
1750         (JSC::MacroAssemblerARM::moveWithPatch): Change reinterpret_cast to static_cast.
1751         (JSC::MacroAssemblerARM::canJumpReplacePatchableBranch32WithPatch): Add missing function.
1752         (JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress): Add missing function.
1753         (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch): Add missing function.
1754
1755 2014-02-27  Mark Hahnenberg  <mhahnenberg@apple.com>
1756
1757         r164764 broke the ARM build
1758         https://bugs.webkit.org/show_bug.cgi?id=129415
1759
1760         Reviewed by Geoffrey Garen.
1761
1762         * assembler/MacroAssemblerARM.h:
1763         (JSC::MacroAssemblerARM::moveWithPatch):
1764
1765 2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>
1766
1767         r164764 broke the ARM build
1768         https://bugs.webkit.org/show_bug.cgi?id=129415
1769
1770         Reviewed by Geoffrey Garen.
1771
1772         * assembler/MacroAssemblerARM.h:
1773         (JSC::MacroAssemblerARM::branch32WithPatch): Missing this function.
1774
1775 2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>
1776
1777         EFL build fix
1778
1779         * dfg/DFGSpeculativeJIT32_64.cpp: Remove unused variables.
1780         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
1781         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1782
1783 2014-02-25  Mark Hahnenberg  <mhahnenberg@apple.com>
1784
1785         Make JSCells have 32-bit Structure pointers
1786         https://bugs.webkit.org/show_bug.cgi?id=123195
1787
1788         Reviewed by Filip Pizlo.
1789
1790         This patch changes JSCells such that they no longer have a full 64-bit Structure
1791         pointer in their header. Instead they now have a 32-bit index into
1792         a per-VM table of Structure pointers. 32-bit platforms still use normal Structure
1793         pointers.
1794
1795         This change frees up an additional 32 bits of information in our object headers.
1796         We then use this extra space to store the indexing type of the object, the JSType
1797         of the object, some various type flags, and garbage collection data (e.g. mark bit).
1798         Because this inline type information is now faster to read, it pays for the slowdown
1799         incurred by having to perform an extra indirection through the StructureIDTable.
1800
1801         This patch also threads a reference to the current VM through more of the C++ runtime
1802         to offset the cost of having to look up the VM to get the actual Structure pointer.
1803
1804         * API/JSContext.mm:
1805         (-[JSContext setException:]):
1806         (-[JSContext wrapperForObjCObject:]):
1807         (-[JSContext wrapperForJSObject:]):
1808         * API/JSContextRef.cpp:
1809         (JSContextGroupRelease):
1810         (JSGlobalContextRelease):
1811         * API/JSObjectRef.cpp:
1812         (JSObjectIsFunction):
1813         (JSObjectCopyPropertyNames):
1814         * API/JSValue.mm:
1815         (containerValueToObject):
1816         * API/JSWrapperMap.mm:
1817         (tryUnwrapObjcObject):
1818         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1819         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1820         * JavaScriptCore.xcodeproj/project.pbxproj:
1821         * assembler/AbstractMacroAssembler.h:
1822         * assembler/MacroAssembler.h:
1823         (JSC::MacroAssembler::patchableBranch32WithPatch):
1824         (JSC::MacroAssembler::patchableBranch32):
1825         * assembler/MacroAssemblerARM64.h:
1826         (JSC::MacroAssemblerARM64::branchPtrWithPatch):
1827         (JSC::MacroAssemblerARM64::patchableBranch32WithPatch):
1828         (JSC::MacroAssemblerARM64::canJumpReplacePatchableBranch32WithPatch):
1829         (JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress):
1830         (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch):
1831         * assembler/MacroAssemblerARMv7.h:
1832         (JSC::MacroAssemblerARMv7::store8):
1833         (JSC::MacroAssemblerARMv7::branch32WithPatch):
1834         (JSC::MacroAssemblerARMv7::patchableBranch32WithPatch):
1835         (JSC::MacroAssemblerARMv7::canJumpReplacePatchableBranch32WithPatch):
1836         (JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress):
1837         (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch):
1838         * assembler/MacroAssemblerX86.h:
1839         (JSC::MacroAssemblerX86::branch32WithPatch):
1840         (JSC::MacroAssemblerX86::canJumpReplacePatchableBranch32WithPatch):
1841         (JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress):
1842         (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch):
1843         * assembler/MacroAssemblerX86_64.h:
1844         (JSC::MacroAssemblerX86_64::store32):
1845         (JSC::MacroAssemblerX86_64::moveWithPatch):
1846         (JSC::MacroAssemblerX86_64::branch32WithPatch):
1847         (JSC::MacroAssemblerX86_64::canJumpReplacePatchableBranch32WithPatch):
1848         (JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister):
1849         (JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress):
1850         (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch):
1851         * assembler/RepatchBuffer.h:
1852         (JSC::RepatchBuffer::startOfPatchableBranch32WithPatchOnAddress):
1853         (JSC::RepatchBuffer::revertJumpReplacementToPatchableBranch32WithPatch):
1854         * assembler/X86Assembler.h:
1855         (JSC::X86Assembler::revertJumpTo_movq_i64r):
1856         (JSC::X86Assembler::revertJumpTo_movl_i32r):
1857         * bytecode/ArrayProfile.cpp:
1858         (JSC::ArrayProfile::computeUpdatedPrediction):
1859         * bytecode/ArrayProfile.h:
1860         (JSC::ArrayProfile::ArrayProfile):
1861         (JSC::ArrayProfile::addressOfLastSeenStructureID):
1862         (JSC::ArrayProfile::observeStructure):
1863         * bytecode/CodeBlock.h:
1864         (JSC::CodeBlock::heap):
1865         * bytecode/UnlinkedCodeBlock.h:
1866         * debugger/Debugger.h:
1867         * dfg/DFGAbstractHeap.h:
1868         * dfg/DFGArrayifySlowPathGenerator.h:
1869         * dfg/DFGClobberize.h:
1870         (JSC::DFG::clobberize):
1871         * dfg/DFGJITCompiler.h:
1872         (JSC::DFG::JITCompiler::branchWeakStructure):
1873         (JSC::DFG::JITCompiler::branchStructurePtr):
1874         * dfg/DFGOSRExitCompiler32_64.cpp:
1875         (JSC::DFG::OSRExitCompiler::compileExit):
1876         * dfg/DFGOSRExitCompiler64.cpp:
1877         (JSC::DFG::OSRExitCompiler::compileExit):
1878         * dfg/DFGOSRExitCompilerCommon.cpp:
1879         (JSC::DFG::osrWriteBarrier):
1880         (JSC::DFG::adjustAndJumpToTarget):
1881         * dfg/DFGOperations.cpp:
1882         (JSC::DFG::putByVal):
1883         * dfg/DFGSpeculativeJIT.cpp:
1884         (JSC::DFG::SpeculativeJIT::checkArray):
1885         (JSC::DFG::SpeculativeJIT::arrayify):
1886         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
1887         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
1888         (JSC::DFG::SpeculativeJIT::compileInstanceOf):
1889         (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
1890         (JSC::DFG::SpeculativeJIT::speculateObject):
1891         (JSC::DFG::SpeculativeJIT::speculateFinalObject):
1892         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
1893         (JSC::DFG::SpeculativeJIT::speculateString):
1894         (JSC::DFG::SpeculativeJIT::speculateStringObject):
1895         (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
1896         (JSC::DFG::SpeculativeJIT::emitSwitchChar):
1897         (JSC::DFG::SpeculativeJIT::emitSwitchString):
1898         (JSC::DFG::SpeculativeJIT::genericWriteBarrier):
1899         (JSC::DFG::SpeculativeJIT::writeBarrier):
1900         * dfg/DFGSpeculativeJIT.h:
1901         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
1902         (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
1903         * dfg/DFGSpeculativeJIT32_64.cpp:
1904         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
1905         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
1906         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
1907         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
1908         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1909         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1910         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1911         (JSC::DFG::SpeculativeJIT::compile):
1912         (JSC::DFG::SpeculativeJIT::writeBarrier):
1913         * dfg/DFGSpeculativeJIT64.cpp:
1914         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
1915         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
1916         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
1917         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
1918         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1919         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1920         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1921         (JSC::DFG::SpeculativeJIT::compile):
1922         (JSC::DFG::SpeculativeJIT::writeBarrier):
1923         * dfg/DFGWorklist.cpp:
1924         * ftl/FTLAbstractHeapRepository.cpp:
1925         (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
1926         * ftl/FTLAbstractHeapRepository.h:
1927         * ftl/FTLLowerDFGToLLVM.cpp:
1928         (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
1929         (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
1930         (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
1931         (JSC::FTL::LowerDFGToLLVM::compileToString):
1932         (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
1933         (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
1934         (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
1935         (JSC::FTL::LowerDFGToLLVM::allocateCell):
1936         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
1937         (JSC::FTL::LowerDFGToLLVM::isObject):
1938         (JSC::FTL::LowerDFGToLLVM::isString):
1939         (JSC::FTL::LowerDFGToLLVM::isArrayType):
1940         (JSC::FTL::LowerDFGToLLVM::hasClassInfo):
1941         (JSC::FTL::LowerDFGToLLVM::isType):
1942         (JSC::FTL::LowerDFGToLLVM::speculateStringOrStringObject):
1943         (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForCell):
1944         (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
1945         (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
1946         (JSC::FTL::LowerDFGToLLVM::loadMarkByte):
1947         (JSC::FTL::LowerDFGToLLVM::loadStructure):
1948         (JSC::FTL::LowerDFGToLLVM::weakStructure):
1949         * ftl/FTLOSRExitCompiler.cpp:
1950         (JSC::FTL::compileStub):
1951         * ftl/FTLOutput.h:
1952         (JSC::FTL::Output::store8):
1953         * heap/GCAssertions.h:
1954         * heap/Heap.cpp:
1955         (JSC::Heap::getConservativeRegisterRoots):
1956         (JSC::Heap::collect):
1957         (JSC::Heap::writeBarrier):
1958         * heap/Heap.h:
1959         (JSC::Heap::structureIDTable):
1960         * heap/MarkedSpace.h:
1961         (JSC::MarkedSpace::forEachBlock):
1962         * heap/SlotVisitorInlines.h:
1963         (JSC::SlotVisitor::internalAppend):
1964         * jit/AssemblyHelpers.h:
1965         (JSC::AssemblyHelpers::branchIfCellNotObject):
1966         (JSC::AssemblyHelpers::genericWriteBarrier):
1967         (JSC::AssemblyHelpers::emitLoadStructure):
1968         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
1969         * jit/JIT.h:
1970         * jit/JITCall.cpp:
1971         (JSC::JIT::compileOpCall):
1972         (JSC::JIT::privateCompileClosureCall):
1973         * jit/JITCall32_64.cpp:
1974         (JSC::JIT::emit_op_ret_object_or_this):
1975         (JSC::JIT::compileOpCall):
1976         (JSC::JIT::privateCompileClosureCall):
1977         * jit/JITInlineCacheGenerator.cpp:
1978         (JSC::JITByIdGenerator::generateFastPathChecks):
1979         * jit/JITInlineCacheGenerator.h:
1980         * jit/JITInlines.h:
1981         (JSC::JIT::emitLoadCharacterString):
1982         (JSC::JIT::checkStructure):
1983         (JSC::JIT::emitJumpIfCellNotObject):
1984         (JSC::JIT::emitAllocateJSObject):
1985         (JSC::JIT::emitArrayProfilingSiteWithCell):
1986         (JSC::JIT::emitArrayProfilingSiteForBytecodeIndexWithCell):
1987         (JSC::JIT::branchStructure):
1988         (JSC::branchStructure):
1989         * jit/JITOpcodes.cpp:
1990         (JSC::JIT::emit_op_check_has_instance):
1991         (JSC::JIT::emit_op_instanceof):
1992         (JSC::JIT::emit_op_is_undefined):
1993         (JSC::JIT::emit_op_is_string):
1994         (JSC::JIT::emit_op_ret_object_or_this):
1995         (JSC::JIT::emit_op_to_primitive):
1996         (JSC::JIT::emit_op_jeq_null):
1997         (JSC::JIT::emit_op_jneq_null):
1998         (JSC::JIT::emit_op_get_pnames):
1999         (JSC::JIT::emit_op_next_pname):
2000         (JSC::JIT::emit_op_eq_null):
2001         (JSC::JIT::emit_op_neq_null):
2002         (JSC::JIT::emit_op_to_this):
2003         (JSC::JIT::emitSlow_op_to_this):
2004         * jit/JITOpcodes32_64.cpp:
2005         (JSC::JIT::emit_op_check_has_instance):
2006         (JSC::JIT::emit_op_instanceof):
2007         (JSC::JIT::emit_op_is_undefined):
2008         (JSC::JIT::emit_op_is_string):
2009         (JSC::JIT::emit_op_to_primitive):
2010         (JSC::JIT::emit_op_jeq_null):
2011         (JSC::JIT::emit_op_jneq_null):
2012         (JSC::JIT::emitSlow_op_eq):
2013         (JSC::JIT::emitSlow_op_neq):
2014         (JSC::JIT::compileOpStrictEq):
2015         (JSC::JIT::emit_op_eq_null):
2016         (JSC::JIT::emit_op_neq_null):
2017         (JSC::JIT::emit_op_get_pnames):
2018         (JSC::JIT::emit_op_next_pname):
2019         (JSC::JIT::emit_op_to_this):
2020         * jit/JITOperations.cpp:
2021         * jit/JITPropertyAccess.cpp:
2022         (JSC::JIT::stringGetByValStubGenerator):
2023         (JSC::JIT::emit_op_get_by_val):
2024         (JSC::JIT::emitSlow_op_get_by_val):
2025         (JSC::JIT::emit_op_get_by_pname):
2026         (JSC::JIT::emit_op_put_by_val):
2027         (JSC::JIT::emit_op_get_by_id):
2028         (JSC::JIT::emitLoadWithStructureCheck):
2029         (JSC::JIT::emitSlow_op_get_from_scope):
2030         (JSC::JIT::emitSlow_op_put_to_scope):
2031         (JSC::JIT::checkMarkWord):
2032         (JSC::JIT::emitWriteBarrier):
2033         (JSC::JIT::addStructureTransitionCheck):
2034         (JSC::JIT::emitIntTypedArrayGetByVal):
2035         (JSC::JIT::emitFloatTypedArrayGetByVal):
2036         (JSC::JIT::emitIntTypedArrayPutByVal):
2037         (JSC::JIT::emitFloatTypedArrayPutByVal):
2038         * jit/JITPropertyAccess32_64.cpp:
2039         (JSC::JIT::stringGetByValStubGenerator):
2040         (JSC::JIT::emit_op_get_by_val):
2041         (JSC::JIT::emitSlow_op_get_by_val):
2042         (JSC::JIT::emit_op_put_by_val):
2043         (JSC::JIT::emit_op_get_by_id):
2044         (JSC::JIT::emit_op_get_by_pname):
2045         (JSC::JIT::emitLoadWithStructureCheck):
2046         * jit/JSInterfaceJIT.h:
2047         (JSC::JSInterfaceJIT::emitJumpIfNotType):
2048         * jit/Repatch.cpp:
2049         (JSC::repatchByIdSelfAccess):
2050         (JSC::addStructureTransitionCheck):
2051         (JSC::replaceWithJump):
2052         (JSC::generateProtoChainAccessStub):
2053         (JSC::tryCacheGetByID):
2054         (JSC::tryBuildGetByIDList):
2055         (JSC::writeBarrier):
2056         (JSC::emitPutReplaceStub):
2057         (JSC::emitPutTransitionStub):
2058         (JSC::tryBuildPutByIdList):
2059         (JSC::tryRepatchIn):
2060         (JSC::linkClosureCall):
2061         (JSC::resetGetByID):
2062         (JSC::resetPutByID):
2063         * jit/SpecializedThunkJIT.h:
2064         (JSC::SpecializedThunkJIT::loadJSStringArgument):
2065         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
2066         * jit/ThunkGenerators.cpp:
2067         (JSC::virtualForThunkGenerator):
2068         (JSC::arrayIteratorNextThunkGenerator):
2069         * jit/UnusedPointer.h:
2070         * llint/LowLevelInterpreter.asm:
2071         * llint/LowLevelInterpreter32_64.asm:
2072         * llint/LowLevelInterpreter64.asm:
2073         * runtime/Arguments.cpp:
2074         (JSC::Arguments::createStrictModeCallerIfNecessary):
2075         (JSC::Arguments::createStrictModeCalleeIfNecessary):
2076         * runtime/Arguments.h:
2077         (JSC::Arguments::createStructure):
2078         * runtime/ArrayPrototype.cpp:
2079         (JSC::shift):
2080         (JSC::unshift):
2081         (JSC::arrayProtoFuncToString):
2082         (JSC::arrayProtoFuncPop):
2083         (JSC::arrayProtoFuncReverse):
2084         (JSC::performSlowSort):
2085         (JSC::arrayProtoFuncSort):
2086         (JSC::arrayProtoFuncSplice):
2087         (JSC::arrayProtoFuncUnShift):
2088         * runtime/CommonSlowPaths.cpp:
2089         (JSC::SLOW_PATH_DECL):
2090         * runtime/Executable.h:
2091         (JSC::ExecutableBase::isFunctionExecutable):
2092         (JSC::ExecutableBase::clearCodeVirtual):
2093         (JSC::ScriptExecutable::unlinkCalls):
2094         * runtime/GetterSetter.cpp:
2095         (JSC::callGetter):
2096         (JSC::callSetter):
2097         * runtime/InitializeThreading.cpp:
2098         * runtime/JSArray.cpp:
2099         (JSC::JSArray::unshiftCountSlowCase):
2100         (JSC::JSArray::setLength):
2101         (JSC::JSArray::pop):
2102         (JSC::JSArray::push):
2103         (JSC::JSArray::shiftCountWithArrayStorage):
2104         (JSC::JSArray::shiftCountWithAnyIndexingType):
2105         (JSC::JSArray::unshiftCountWithArrayStorage):
2106         (JSC::JSArray::unshiftCountWithAnyIndexingType):
2107         (JSC::JSArray::sortNumericVector):
2108         (JSC::JSArray::sortNumeric):
2109         (JSC::JSArray::sortCompactedVector):
2110         (JSC::JSArray::sort):
2111         (JSC::JSArray::sortVector):
2112         (JSC::JSArray::fillArgList):
2113         (JSC::JSArray::copyToArguments):
2114         (JSC::JSArray::compactForSorting):
2115         * runtime/JSCJSValueInlines.h:
2116         (JSC::JSValue::toThis):
2117         (JSC::JSValue::put):
2118         (JSC::JSValue::putByIndex):
2119         (JSC::JSValue::equalSlowCaseInline):
2120         * runtime/JSCell.cpp:
2121         (JSC::JSCell::put):
2122         (JSC::JSCell::putByIndex):
2123         (JSC::JSCell::deleteProperty):
2124         (JSC::JSCell::deletePropertyByIndex):
2125         * runtime/JSCell.h:
2126         (JSC::JSCell::clearStructure):
2127         (JSC::JSCell::mark):
2128         (JSC::JSCell::isMarked):
2129         (JSC::JSCell::structureIDOffset):
2130         (JSC::JSCell::typeInfoFlagsOffset):
2131         (JSC::JSCell::typeInfoTypeOffset):
2132         (JSC::JSCell::indexingTypeOffset):
2133         (JSC::JSCell::gcDataOffset):
2134         * runtime/JSCellInlines.h:
2135         (JSC::JSCell::JSCell):
2136         (JSC::JSCell::finishCreation):
2137         (JSC::JSCell::type):
2138         (JSC::JSCell::indexingType):
2139         (JSC::JSCell::structure):
2140         (JSC::JSCell::visitChildren):
2141         (JSC::JSCell::isObject):
2142         (JSC::JSCell::isString):
2143         (JSC::JSCell::isGetterSetter):
2144         (JSC::JSCell::isProxy):
2145         (JSC::JSCell::isAPIValueWrapper):
2146         (JSC::JSCell::setStructure):
2147         (JSC::JSCell::methodTable):
2148         (JSC::Heap::writeBarrier):
2149         * runtime/JSDataView.cpp:
2150         (JSC::JSDataView::createStructure):
2151         * runtime/JSDestructibleObject.h:
2152         (JSC::JSCell::classInfo):
2153         * runtime/JSFunction.cpp:
2154         (JSC::JSFunction::getOwnNonIndexPropertyNames):
2155         (JSC::JSFunction::put):
2156         (JSC::JSFunction::defineOwnProperty):
2157         * runtime/JSGenericTypedArrayView.h:
2158         (JSC::JSGenericTypedArrayView::createStructure):
2159         * runtime/JSObject.cpp:
2160         (JSC::getCallableObjectSlow):
2161         (JSC::JSObject::copyButterfly):
2162         (JSC::JSObject::visitButterfly):
2163         (JSC::JSFinalObject::visitChildren):
2164         (JSC::JSObject::getOwnPropertySlotByIndex):
2165         (JSC::JSObject::put):
2166         (JSC::JSObject::putByIndex):
2167         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
2168         (JSC::JSObject::enterDictionaryIndexingMode):
2169         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
2170         (JSC::JSObject::createInitialIndexedStorage):
2171         (JSC::JSObject::createInitialUndecided):
2172         (JSC::JSObject::createInitialInt32):
2173         (JSC::JSObject::createInitialDouble):
2174         (JSC::JSObject::createInitialContiguous):
2175         (JSC::JSObject::createArrayStorage):
2176         (JSC::JSObject::convertUndecidedToInt32):
2177         (JSC::JSObject::convertUndecidedToDouble):
2178         (JSC::JSObject::convertUndecidedToContiguous):
2179         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
2180         (JSC::JSObject::convertUndecidedToArrayStorage):
2181         (JSC::JSObject::convertInt32ToDouble):
2182         (JSC::JSObject::convertInt32ToContiguous):
2183         (JSC::JSObject::convertInt32ToArrayStorage):
2184         (JSC::JSObject::genericConvertDoubleToContiguous):
2185         (JSC::JSObject::convertDoubleToArrayStorage):
2186         (JSC::JSObject::convertContiguousToArrayStorage):
2187         (JSC::JSObject::ensureInt32Slow):
2188         (JSC::JSObject::ensureDoubleSlow):
2189         (JSC::JSObject::ensureContiguousSlow):
2190         (JSC::JSObject::ensureArrayStorageSlow):
2191         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
2192         (JSC::JSObject::switchToSlowPutArrayStorage):
2193         (JSC::JSObject::setPrototype):
2194         (JSC::JSObject::setPrototypeWithCycleCheck):
2195         (JSC::JSObject::putDirectNonIndexAccessor):
2196         (JSC::JSObject::deleteProperty):
2197         (JSC::JSObject::hasOwnProperty):
2198         (JSC::JSObject::deletePropertyByIndex):
2199         (JSC::JSObject::getPrimitiveNumber):
2200         (JSC::JSObject::hasInstance):
2201         (JSC::JSObject::getPropertySpecificValue):
2202         (JSC::JSObject::getPropertyNames):
2203         (JSC::JSObject::getOwnPropertyNames):
2204         (JSC::JSObject::getOwnNonIndexPropertyNames):
2205         (JSC::JSObject::seal):
2206         (JSC::JSObject::freeze):
2207         (JSC::JSObject::preventExtensions):
2208         (JSC::JSObject::reifyStaticFunctionsForDelete):
2209         (JSC::JSObject::removeDirect):
2210         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2211         (JSC::JSObject::putByIndexBeyondVectorLength):
2212         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
2213         (JSC::JSObject::putDirectIndexBeyondVectorLength):
2214         (JSC::JSObject::getNewVectorLength):
2215         (JSC::JSObject::countElements):
2216         (JSC::JSObject::increaseVectorLength):
2217         (JSC::JSObject::ensureLengthSlow):
2218         (JSC::JSObject::growOutOfLineStorage):
2219         (JSC::JSObject::getOwnPropertyDescriptor):
2220         (JSC::putDescriptor):
2221         (JSC::JSObject::defineOwnNonIndexProperty):
2222         * runtime/JSObject.h:
2223         (JSC::getJSFunction):
2224         (JSC::JSObject::getArrayLength):
2225         (JSC::JSObject::getVectorLength):
2226         (JSC::JSObject::putByIndexInline):
2227         (JSC::JSObject::canGetIndexQuickly):
2228         (JSC::JSObject::getIndexQuickly):
2229         (JSC::JSObject::tryGetIndexQuickly):
2230         (JSC::JSObject::getDirectIndex):
2231         (JSC::JSObject::canSetIndexQuickly):
2232         (JSC::JSObject::canSetIndexQuicklyForPutDirect):
2233         (JSC::JSObject::setIndexQuickly):
2234         (JSC::JSObject::initializeIndex):
2235         (JSC::JSObject::hasSparseMap):
2236         (JSC::JSObject::inSparseIndexingMode):
2237         (JSC::JSObject::getDirect):
2238         (JSC::JSObject::getDirectOffset):
2239         (JSC::JSObject::isSealed):
2240         (JSC::JSObject::isFrozen):
2241         (JSC::JSObject::flattenDictionaryObject):
2242         (JSC::JSObject::ensureInt32):
2243         (JSC::JSObject::ensureDouble):
2244         (JSC::JSObject::ensureContiguous):
2245         (JSC::JSObject::rageEnsureContiguous):
2246         (JSC::JSObject::ensureArrayStorage):
2247         (JSC::JSObject::arrayStorage):
2248         (JSC::JSObject::arrayStorageOrNull):
2249         (JSC::JSObject::ensureLength):
2250         (JSC::JSObject::currentIndexingData):
2251         (JSC::JSObject::getHolyIndexQuickly):
2252         (JSC::JSObject::currentRelevantLength):
2253         (JSC::JSObject::isGlobalObject):
2254         (JSC::JSObject::isVariableObject):
2255         (JSC::JSObject::isStaticScopeObject):
2256         (JSC::JSObject::isNameScopeObject):
2257         (JSC::JSObject::isActivationObject):
2258         (JSC::JSObject::isErrorInstance):
2259         (JSC::JSObject::inlineGetOwnPropertySlot):
2260         (JSC::JSObject::fastGetOwnPropertySlot):
2261         (JSC::JSObject::getPropertySlot):
2262         (JSC::JSObject::putDirectInternal):
2263         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
2264         * runtime/JSPropertyNameIterator.h:
2265         (JSC::JSPropertyNameIterator::createStructure):
2266         * runtime/JSProxy.cpp:
2267         (JSC::JSProxy::getOwnPropertySlot):
2268         (JSC::JSProxy::getOwnPropertySlotByIndex):
2269         (JSC::JSProxy::put):
2270         (JSC::JSProxy::putByIndex):
2271         (JSC::JSProxy::defineOwnProperty):
2272         (JSC::JSProxy::deleteProperty):
2273         (JSC::JSProxy::deletePropertyByIndex):
2274         (JSC::JSProxy::getPropertyNames):
2275         (JSC::JSProxy::getOwnPropertyNames):
2276         * runtime/JSScope.cpp:
2277         (JSC::JSScope::objectAtScope):
2278         * runtime/JSString.h:
2279         (JSC::JSString::createStructure):
2280         (JSC::isJSString):
2281         * runtime/JSType.h:
2282         * runtime/JSTypeInfo.h:
2283         (JSC::TypeInfo::TypeInfo):
2284         (JSC::TypeInfo::isObject):
2285         (JSC::TypeInfo::structureIsImmortal):
2286         (JSC::TypeInfo::zeroedGCDataOffset):
2287         (JSC::TypeInfo::inlineTypeFlags):
2288         * runtime/MapData.h:
2289         * runtime/ObjectConstructor.cpp:
2290         (JSC::objectConstructorGetOwnPropertyNames):
2291         (JSC::objectConstructorKeys):
2292         (JSC::objectConstructorDefineProperty):
2293         (JSC::defineProperties):
2294         (JSC::objectConstructorSeal):
2295         (JSC::objectConstructorFreeze):
2296         (JSC::objectConstructorIsSealed):
2297         (JSC::objectConstructorIsFrozen):
2298         * runtime/ObjectPrototype.cpp:
2299         (JSC::objectProtoFuncDefineGetter):
2300         (JSC::objectProtoFuncDefineSetter):
2301         (JSC::objectProtoFuncToString):
2302         * runtime/Operations.cpp:
2303         (JSC::jsTypeStringForValue):
2304         (JSC::jsIsObjectType):
2305         * runtime/Operations.h:
2306         (JSC::normalizePrototypeChainForChainAccess):
2307         (JSC::normalizePrototypeChain):
2308         * runtime/PropertyMapHashTable.h:
2309         (JSC::PropertyTable::createStructure):
2310         * runtime/RegExp.h:
2311         (JSC::RegExp::createStructure):
2312         * runtime/SparseArrayValueMap.h:
2313         * runtime/Structure.cpp:
2314         (JSC::Structure::Structure):
2315         (JSC::Structure::~Structure):
2316         (JSC::Structure::prototypeChainMayInterceptStoreTo):
2317         * runtime/Structure.h:
2318         (JSC::Structure::id):
2319         (JSC::Structure::idBlob):
2320         (JSC::Structure::objectInitializationFields):
2321         (JSC::Structure::structureIDOffset):
2322         * runtime/StructureChain.h:
2323         (JSC::StructureChain::createStructure):
2324         * runtime/StructureIDTable.cpp: Added.
2325         (JSC::StructureIDTable::StructureIDTable):
2326         (JSC::StructureIDTable::~StructureIDTable):
2327         (JSC::StructureIDTable::resize):
2328         (JSC::StructureIDTable::flushOldTables):
2329         (JSC::StructureIDTable::allocateID):
2330         (JSC::StructureIDTable::deallocateID):
2331         * runtime/StructureIDTable.h: Added.
2332         (JSC::StructureIDTable::base):
2333         (JSC::StructureIDTable::get):
2334         * runtime/SymbolTable.h:
2335         * runtime/TypedArrayType.cpp:
2336         (JSC::typeForTypedArrayType):
2337         * runtime/TypedArrayType.h:
2338         * runtime/WeakMapData.h:
2339
2340 2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>
2341
2342         Unconditional logging in compileFTLOSRExit
2343         https://bugs.webkit.org/show_bug.cgi?id=129407
2344
2345         Reviewed by Michael Saboff.
2346
2347         This was causing tests to fail with the FTL enabled.
2348
2349         * ftl/FTLOSRExitCompiler.cpp:
2350         (JSC::FTL::compileFTLOSRExit):
2351
2352 2014-02-26  Oliver Hunt  <oliver@apple.com>
2353
2354         Remove unused access types
2355         https://bugs.webkit.org/show_bug.cgi?id=129385
2356
2357         Reviewed by Filip Pizlo.
2358
2359         Remove unused cruft.
2360
2361         * bytecode/CodeBlock.cpp:
2362         (JSC::CodeBlock::printGetByIdCacheStatus):
2363         * bytecode/StructureStubInfo.cpp:
2364         (JSC::StructureStubInfo::deref):
2365         * bytecode/StructureStubInfo.h:
2366         (JSC::isGetByIdAccess):
2367         (JSC::isPutByIdAccess):
2368
2369 2014-02-26  Oliver Hunt  <oliver@apple.com>
2370
2371         Function.prototype.apply has a bad time with the spread operator
2372         https://bugs.webkit.org/show_bug.cgi?id=129381
2373
2374         Reviewed by Mark Hahnenberg.
2375
2376         Make sure our apply logic handles the spread operator correctly.
2377         To do this we simply emit the enumeration logic that we'd normally
2378         use for other enumerations, but only store the first two results
2379         to registers.  Then perform a varargs call.
2380
2381         * bytecompiler/NodesCodegen.cpp:
2382         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2383
2384 2014-02-26  Mark Lam  <mark.lam@apple.com>
2385
2386         Compilation policy management belongs in operationOptimize(), not the DFG Driver.
2387         <https://webkit.org/b/129355>
2388
2389         Reviewed by Filip Pizlo.
2390
2391         By compilation policy, I mean the rules for determining whether to
2392         compile, when to compile, when to attempt compilation again, etc.  The
2393         few of these policy decisions that were previously being made in the
2394         DFG driver are now moved to operationOptimize() where we keep the rest
2395         of the policy logic.  Decisions that are based on the capabilities
2396         supported by the DFG are moved to DFG capabilityLevel().
2397
2398         I've run the following benchmarks:
2399         1. the collection of jsc benchmarks on the jsc executable vs. its
2400            baseline.
2401         2. Octane 2.0 in browser without the WebInspector.
2402         3. Octane 2.0 in browser with the WebInspector open and a breakpoint
2403            set somewhere where it won't break.
2404
2405         In all of these, the results came out to be a wash as expected.
2406
2407         * dfg/DFGCapabilities.cpp:
2408         (JSC::DFG::isSupported):
2409         (JSC::DFG::mightCompileEval):
2410         (JSC::DFG::mightCompileProgram):
2411         (JSC::DFG::mightCompileFunctionForCall):
2412         (JSC::DFG::mightCompileFunctionForConstruct):
2413         (JSC::DFG::mightInlineFunctionForCall):
2414         (JSC::DFG::mightInlineFunctionForClosureCall):
2415         (JSC::DFG::mightInlineFunctionForConstruct):
2416         * dfg/DFGCapabilities.h:
2417         * dfg/DFGDriver.cpp:
2418         (JSC::DFG::compileImpl):
2419         * jit/JITOperations.cpp:
2420
2421 2014-02-26  Mark Lam  <mark.lam@apple.com>
2422
2423         ASSERTION FAILED: m_heap->vm()->currentThreadIsHoldingAPILock() in inspector-protocol/*.
2424         <https://webkit.org/b/129364>
2425
2426         Reviewed by Alexey Proskuryakov.
2427
2428         InjectedScriptModule::ensureInjected() needs an APIEntryShim.
2429
2430         * inspector/InjectedScriptModule.cpp:
2431         (Inspector::InjectedScriptModule::ensureInjected):
2432         - Added the needed but missing APIEntryShim.
2433
2434 2014-02-25  Mark Lam  <mark.lam@apple.com>
2435
2436         Web Inspector: CRASH when evaluating in console of JSContext RWI with disabled breakpoints.
2437         <https://webkit.org/b/128766>
2438
2439         Reviewed by Geoffrey Garen.
2440
2441         Make the JSLock::grabAllLocks() work the same way as for the C loop LLINT.
2442         The reasoning is that we don't know of any clients that need unordered
2443         re-entry into the VM from different threads. So, we're enforcing ordered
2444         re-entry i.e. we must re-grab locks in the reverse order of dropping locks.
2445
2446         The crash in this bug happened because we were allowing unordered re-entry,
2447         and the following type of scenario occurred:
2448
2449         1. Thread T1 locks the VM, and enters the VM to execute some JS code.
2450         2. On entry, T1 detects that VM::m_entryScope is null i.e. this is the
2451            first time it entered the VM.
2452            T1 sets VM::m_entryScope to T1's entryScope.
2453         3. T1 drops all locks.
2454
2455         4. Thread T2 locks the VM, and enters the VM to execute some JS code.
2456            On entry, T2 sees that VM::m_entryScope is NOT null, and therefore
2457            does not set the entryScope.
2458         5. T2 drops all locks.
2459
2460         6. T1 re-grabs locks.
2461         7. T1 returns all the way out of JS code. On exit from the outermost
2462            JS function, T1 clears VM::m_entryScope (because T1 was the one who
2463            set it).
2464         8. T1 unlocks the VM.
2465
2466         9. T2 re-grabs locks.
2467         10. T2 proceeds to execute some code and expects VM::m_entryScope to be
2468             NOT null, but it turns out to be null. Assertion failures and
2469             crashes ensue.
2470
2471         With ordered re-entry, at step 6, T1 will loop and yield until T2 exits
2472         the VM. Hence, the issue will no longer manifest.
2473
2474         * runtime/JSLock.cpp:
2475         (JSC::JSLock::dropAllLocks):
2476         (JSC::JSLock::grabAllLocks):
2477         * runtime/JSLock.h:
2478         (JSC::JSLock::DropAllLocks::dropDepth):
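
        The ten-step interleaving above, replayed against a small single-threaded model of the drop/re-grab protocol. This is an added example, not WebKit's JSLock code: VMModel, ThreadId and tryGrabAllLocks are its own hypothetical names, and a failed tryGrabAllLocks() stands in for the real loop-and-yield, so the same scenario can be run with and without ordered re-entry.

```cpp
#include <cassert>
#include <cstdio>

enum class ThreadId { None, T1, T2 };

// Hypothetical model of the lock state the entry describes: the lock owner, how many
// droppers are waiting to re-enter, and which thread set VM::m_entryScope (that thread
// alone clears it, on its outermost exit).
struct VMModel {
    ThreadId lockOwner = ThreadId::None;
    unsigned lockDropDepth = 0;
    ThreadId entryScopeOwner = ThreadId::None;
    bool orderedReentry;
    explicit VMModel(bool ordered) : orderedReentry(ordered) {}

    void lock(ThreadId t) { assert(lockOwner == ThreadId::None); lockOwner = t; }
    void unlock(ThreadId t) { assert(lockOwner == t); lockOwner = ThreadId::None; }

    // Entering the VM sets m_entryScope only on the outermost entry.
    void enter(ThreadId t) {
        assert(lockOwner == t);
        if (entryScopeOwner == ThreadId::None)
            entryScopeOwner = t;
    }
    // Leaving the VM clears m_entryScope only for the thread that set it.
    void exit(ThreadId t) {
        assert(lockOwner == t);
        if (entryScopeOwner == t)
            entryScopeOwner = ThreadId::None;
    }
    // dropAllLocks: release the lock; the returned depth is this thread's position
    // in the drop order and must be presented again when re-grabbing.
    unsigned dropAllLocks(ThreadId t) {
        assert(lockOwner == t);
        lockOwner = ThreadId::None;
        return ++lockDropDepth;
    }
    // One attempt at grabAllLocks; false is where the real code loops and yields.
    // With ordered re-entry only the most recent dropper (depth == lockDropDepth)
    // may proceed, so locks are re-grabbed in the reverse order they were dropped.
    bool tryGrabAllLocks(ThreadId t, unsigned dropDepth) {
        if (lockOwner != ThreadId::None)
            return false;
        if (orderedReentry && dropDepth != lockDropDepth)
            return false;
        --lockDropDepth;
        lockOwner = t;
        return true;
    }
};

struct ScenarioResult {
    bool t1YieldedAtStep6;        // T1 had to wait instead of re-grabbing at once
    bool t2SawEntryScopeAtStep10; // m_entryScope was still set when T2 resumed
};

// Replays steps 1-10 of the entry. With unordered re-entry T1 re-grabs at step 6
// and clears m_entryScope at step 7, so T2 finds it null at step 10.
ScenarioResult runScenario(bool orderedReentry)
{
    VMModel vm(orderedReentry);
    ScenarioResult r{};
    // Steps 1-3: T1 locks, enters (first entry, sets m_entryScope), drops all locks.
    vm.lock(ThreadId::T1);
    vm.enter(ThreadId::T1);
    unsigned t1Depth = vm.dropAllLocks(ThreadId::T1);
    // Steps 4-5: T2 locks, enters (m_entryScope already set, left alone), drops.
    vm.lock(ThreadId::T2);
    vm.enter(ThreadId::T2);
    unsigned t2Depth = vm.dropAllLocks(ThreadId::T2);
    // Step 6: T1 tries to re-grab.
    bool t1Grabbed = vm.tryGrabAllLocks(ThreadId::T1, t1Depth);
    r.t1YieldedAtStep6 = !t1Grabbed;
    if (t1Grabbed) {
        // Steps 7-8 (reachable only without ordering): T1 exits its outermost JS
        // function, clearing m_entryScope, and unlocks.
        vm.exit(ThreadId::T1);
        vm.unlock(ThreadId::T1);
    }
    // Steps 9-10: T2 re-grabs (always allowed: it is the most recent dropper).
    bool t2Grabbed = vm.tryGrabAllLocks(ThreadId::T2, t2Depth);
    assert(t2Grabbed);
    r.t2SawEntryScopeAtStep10 = vm.entryScopeOwner != ThreadId::None;
    vm.exit(ThreadId::T2);
    vm.unlock(ThreadId::T2);
    if (!t1Grabbed) {
        // T2 has left, so T1 is now the most recent dropper and its yield loop ends.
        bool resumed = vm.tryGrabAllLocks(ThreadId::T1, t1Depth);
        assert(resumed);
        vm.exit(ThreadId::T1);
        vm.unlock(ThreadId::T1);
    }
    return r;
}

int main()
{
    ScenarioResult ordered = runScenario(true), unordered = runScenario(false);
    std::printf("ordered: yields=%d sees=%d; unordered: yields=%d sees=%d\n",
        ordered.t1YieldedAtStep6, ordered.t2SawEntryScopeAtStep10,
        unordered.t1YieldedAtStep6, unordered.t2SawEntryScopeAtStep10);
    return 0;
}
```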
2479
2480 2014-02-25  Mark Lam  <mark.lam@apple.com>
2481
2482         Need to initialize VM stack data even when the VM is on an exclusive thread.
2483         <https://webkit.org/b/129265>
2484
2485         Not reviewed.
2486
2487         Relanding r164627 now that <https://webkit.org/b/129341> is fixed.
2488
2489         * API/APIShims.h:
2490         (JSC::APIEntryShim::APIEntryShim):
2491         (JSC::APICallbackShim::shouldDropAllLocks):
2492         * heap/MachineStackMarker.cpp:
2493         (JSC::MachineThreads::addCurrentThread):
2494         * runtime/JSLock.cpp:
2495         (JSC::JSLockHolder::JSLockHolder):
2496         (JSC::JSLockHolder::init):
2497         (JSC::JSLockHolder::~JSLockHolder):
2498         (JSC::JSLock::JSLock):
2499         (JSC::JSLock::setExclusiveThread):
2500         (JSC::JSLock::lock):
2501         (JSC::JSLock::unlock):
2502         (JSC::JSLock::currentThreadIsHoldingLock):
2503         (JSC::JSLock::dropAllLocks):
2504         (JSC::JSLock::grabAllLocks):
2505         * runtime/JSLock.h:
2506         (JSC::JSLock::hasExclusiveThread):
2507         (JSC::JSLock::exclusiveThread):
2508         * runtime/VM.cpp:
2509         (JSC::VM::VM):
2510         * runtime/VM.h:
2511         (JSC::VM::hasExclusiveThread):
2512         (JSC::VM::exclusiveThread):
2513         (JSC::VM::setExclusiveThread):
2514         (JSC::VM::currentThreadIsHoldingAPILock):
2515
2516 2014-02-25  Filip Pizlo  <fpizlo@apple.com>
2517
2518         Inline caching in the FTL on ARM64 should "work"
2519         https://bugs.webkit.org/show_bug.cgi?id=129334
2520
2521         Reviewed by Mark Hahnenberg.
2522
2523         Gets us to the point where simple tests that use inline caching are passing.
2524
2525         * assembler/LinkBuffer.cpp:
2526         (JSC::LinkBuffer::copyCompactAndLinkCode):
2527         (JSC::LinkBuffer::shrink):
2528         * ftl/FTLInlineCacheSize.cpp:
2529         (JSC::FTL::sizeOfGetById):
2530         (JSC::FTL::sizeOfPutById):
2531         (JSC::FTL::sizeOfCall):
2532         * ftl/FTLOSRExitCompiler.cpp:
2533         (JSC::FTL::compileFTLOSRExit):
2534         * ftl/FTLThunks.cpp:
2535         (JSC::FTL::osrExitGenerationThunkGenerator):
2536         * jit/GPRInfo.h:
2537         * offlineasm/arm64.rb:
2538
2539 2014-02-25  Commit Queue  <commit-queue@webkit.org>
2540
2541         Unreviewed, rolling out r164627.
2542         http://trac.webkit.org/changeset/164627
2543         https://bugs.webkit.org/show_bug.cgi?id=129325
2544
2545         Broke SubtleCrypto tests (Requested by ap on #webkit).
2546
2547         * API/APIShims.h:
2548         (JSC::APIEntryShim::APIEntryShim):
2549         (JSC::APICallbackShim::shouldDropAllLocks):
2550         * heap/MachineStackMarker.cpp:
2551         (JSC::MachineThreads::addCurrentThread):
2552         * runtime/JSLock.cpp:
2553         (JSC::JSLockHolder::JSLockHolder):
2554         (JSC::JSLockHolder::init):
2555         (JSC::JSLockHolder::~JSLockHolder):
2556         (JSC::JSLock::JSLock):
2557         (JSC::JSLock::lock):
2558         (JSC::JSLock::unlock):
2559         (JSC::JSLock::currentThreadIsHoldingLock):
2560         (JSC::JSLock::dropAllLocks):
2561         (JSC::JSLock::grabAllLocks):
2562         * runtime/JSLock.h:
2563         * runtime/VM.cpp:
2564         (JSC::VM::VM):
2565         * runtime/VM.h:
2566         (JSC::VM::currentThreadIsHoldingAPILock):
2567
2568 2014-02-25  Filip Pizlo  <fpizlo@apple.com>
2569
2570         ARM64 rshift64 should be an arithmetic shift
2571         https://bugs.webkit.org/show_bug.cgi?id=129323
2572
2573         Reviewed by Mark Hahnenberg.
2574
2575         * assembler/MacroAssemblerARM64.h:
2576         (JSC::MacroAssemblerARM64::rshift64):
2577
2578 2014-02-25  Sergio Villar Senin  <svillar@igalia.com>
2579
2580         [CSS Grid Layout] Add ENABLE flag
2581         https://bugs.webkit.org/show_bug.cgi?id=129153
2582
2583         Reviewed by Simon Fraser.
2584
2585         * Configurations/FeatureDefines.xcconfig: added ENABLE_CSS_GRID_LAYOUT feature flag.
2586
2587 2014-02-25  Michael Saboff  <msaboff@apple.com>
2588
2589         JIT Engines use the wrong stack limit for stack checks
2590         https://bugs.webkit.org/show_bug.cgi?id=129314
2591
2592         Reviewed by Filip Pizlo.
2593
2594         Change the Baseline and DFG code to use VM::m_stackLimit for stack limit checks.
2595
2596         * dfg/DFGJITCompiler.cpp:
2597         (JSC::DFG::JITCompiler::compileFunction):
2598         * jit/JIT.cpp:
2599         (JSC::JIT::privateCompile):
2600         * jit/JITCall.cpp:
2601         (JSC::JIT::compileLoadVarargs):
2602         * jit/JITCall32_64.cpp:
2603         (JSC::JIT::compileLoadVarargs):
2604         * runtime/VM.h:
2605         (JSC::VM::addressOfStackLimit):
2606
2607 2014-02-25  Filip Pizlo  <fpizlo@apple.com>
2608
2609         Unreviewed, roll out http://trac.webkit.org/changeset/164493.
2610
2611         It causes crashes, apparently because it's removing too many barriers. I will investigate
2612         later.
2613
2614         * bytecode/SpeculatedType.cpp:
2615         (JSC::speculationToAbbreviatedString):
2616         * bytecode/SpeculatedType.h:
2617         * dfg/DFGFixupPhase.cpp:
2618         (JSC::DFG::FixupPhase::fixupNode):
2619         (JSC::DFG::FixupPhase::insertStoreBarrier):
2620         * dfg/DFGNode.h:
2621         * ftl/FTLCapabilities.cpp:
2622         (JSC::FTL::canCompile):
2623         * ftl/FTLLowerDFGToLLVM.cpp:
2624         (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
2625         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
2626         (JSC::FTL::LowerDFGToLLVM::isNotNully):
2627         (JSC::FTL::LowerDFGToLLVM::isNully):
2628         (JSC::FTL::LowerDFGToLLVM::speculate):
2629         (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
2630         (JSC::FTL::LowerDFGToLLVM::speculateNotCell):
2631
2632 2014-02-24  Oliver Hunt  <oliver@apple.com>
2633
2634         Fix build.
2635
2636         * jit/CCallHelpers.h:
2637         (JSC::CCallHelpers::setupArgumentsWithExecState):
2638
2639 2014-02-24  Oliver Hunt  <oliver@apple.com>
2640
2641         Spread operator has a bad time when applied to call function
2642         https://bugs.webkit.org/show_bug.cgi?id=128853
2643
2644         Reviewed by Geoffrey Garen.
2645
2646         Follow on from the previous patch that added an extra slot to
2647         op_call_varargs (and _call, _call_eval, _construct).  We now
2648         use the slot as an offset to in effect act as a 'slice' on
2649         the spread subject.  This allows us to automatically retain
2650         all our existing argument and array optimisations.  Most of
2651         this patch is simply threading the offset around.
2652
2653         * bytecode/CodeBlock.cpp:
2654         (JSC::CodeBlock::dumpBytecode):
2655         * bytecompiler/BytecodeGenerator.cpp:
2656         (JSC::BytecodeGenerator::emitCall):
2657         (JSC::BytecodeGenerator::emitCallVarargs):
2658         * bytecompiler/BytecodeGenerator.h:
2659         * bytecompiler/NodesCodegen.cpp:
2660         (JSC::getArgumentByVal):
2661         (JSC::CallFunctionCallDotNode::emitBytecode):
2662         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2663         * interpreter/Interpreter.cpp:
2664         (JSC::sizeFrameForVarargs):
2665         (JSC::loadVarargs):
2666         * interpreter/Interpreter.h:
2667         * jit/CCallHelpers.h:
2668         (JSC::CCallHelpers::setupArgumentsWithExecState):
2669         * jit/JIT.h:
2670         * jit/JITCall.cpp:
2671         (JSC::JIT::compileLoadVarargs):
2672         * jit/JITInlines.h:
2673         (JSC::JIT::callOperation):
2674         * jit/JITOperations.cpp:
2675         * jit/JITOperations.h:
2676         * llint/LLIntSlowPaths.cpp:
2677         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2678         * runtime/Arguments.cpp:
2679         (JSC::Arguments::copyToArguments):
2680         * runtime/Arguments.h:
2681         * runtime/JSArray.cpp:
2682         (JSC::JSArray::copyToArguments):
2683         * runtime/JSArray.h:
2684
2685 2014-02-24  Mark Lam  <mark.lam@apple.com>
2686
2687         Need to initialize VM stack data even when the VM is on an exclusive thread.
2688         <https://webkit.org/b/129265>
2689
2690         Reviewed by Geoffrey Garen.
2691
2692         We check VM::exclusiveThread as an optimization to forego the need to do
2693         JSLock locking. However, we recently started piggybacking on JSLock's
2694         lock() and unlock() to initialize VM stack data (stackPointerAtVMEntry
2695         and lastStackTop) to appropriate values for the current thread. This is
2696         needed because we may be acquiring the lock to enter the VM on a different
2697         thread.
2698
2699         As a result, we ended up not initializing the VM stack data when
2700         VM::exclusiveThread causes us to bypass the locking activity. Even though
2701         the VM::exclusiveThread will not have to deal with the VM being entered
2702         on a different thread, it still needs to initialize the VM stack data.
2703         The VM relies on that data being initialized properly once it has been
2704         entered.
2705
2706         With this fix, we push the check for exclusiveThread down into the JSLock,
2707         and handle the bypassing of unneeded locking activity there while still
2708         executing the necessary VM stack data initialization.
2709
2710         * API/APIShims.h:
2711         (JSC::APIEntryShim::APIEntryShim):
2712         (JSC::APICallbackShim::shouldDropAllLocks):
2713         * heap/MachineStackMarker.cpp:
2714         (JSC::MachineThreads::addCurrentThread):
2715         * runtime/JSLock.cpp:
2716         (JSC::JSLockHolder::JSLockHolder):
2717         (JSC::JSLockHolder::init):
2718         (JSC::JSLockHolder::~JSLockHolder):
2719         (JSC::JSLock::JSLock):
2720         (JSC::JSLock::setExclusiveThread):
2721         (JSC::JSLock::lock):
2722         (JSLock::unlock):
2723         (JSLock::currentThreadIsHoldingLock):
2724         (JSLock::dropAllLocks):
2725         (JSLock::grabAllLocks):
2726         * runtime/JSLock.h:
2727         (JSC::JSLock::exclusiveThread):
2728         * runtime/VM.cpp:
2729         (JSC::VM::VM):
2730         * runtime/VM.h:
2731         (JSC::VM::exclusiveThread):
2732         (JSC::VM::setExclusiveThread):
2733         (JSC::VM::currentThreadIsHoldingAPILock):
2734
2735 2014-02-24  Filip Pizlo  <fpizlo@apple.com>
2736
2737         FTL should do polymorphic PutById inlining
2738         https://bugs.webkit.org/show_bug.cgi?id=129210
2739
2740         Reviewed by Mark Hahnenberg and Oliver Hunt.
2741
2742         This makes PutByIdStatus inform us about polymorphic cases by returning an array of
2743         PutByIdVariants. The DFG now has a node called MultiPutByOffset that indicates a
2744         selection of multiple inlined PutByIdVariants.
2745
2746         MultiPutByOffset is almost identical to MultiGetByOffset, which we added in
2747         http://trac.webkit.org/changeset/164207.
2748
2749         This also does some FTL refactoring to make MultiPutByOffset share code with some nodes
2750         that generate similar code.
2751
2752         1% speed-up on V8v7 due to splay improving by 6.8%. Splay does the thing where it
2753         sometimes swaps field insertion order, creating fake polymorphism.
2754
2755         * CMakeLists.txt:
2756         * GNUmakefile.list.am:
2757         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2758         * JavaScriptCore.xcodeproj/project.pbxproj:
2759         * bytecode/PutByIdStatus.cpp:
2760         (JSC::PutByIdStatus::computeFromLLInt):
2761         (JSC::PutByIdStatus::computeFor):
2762         (JSC::PutByIdStatus::computeForStubInfo):
2763         (JSC::PutByIdStatus::dump):
2764         * bytecode/PutByIdStatus.h:
2765         (JSC::PutByIdStatus::PutByIdStatus):
2766         (JSC::PutByIdStatus::isSimple):
2767         (JSC::PutByIdStatus::numVariants):
2768         (JSC::PutByIdStatus::variants):
2769         (JSC::PutByIdStatus::at):
2770         (JSC::PutByIdStatus::operator[]):
2771         * bytecode/PutByIdVariant.cpp: Added.
2772         (JSC::PutByIdVariant::dump):
2773         (JSC::PutByIdVariant::dumpInContext):
2774         * bytecode/PutByIdVariant.h: Added.
2775         (JSC::PutByIdVariant::PutByIdVariant):
2776         (JSC::PutByIdVariant::replace):
2777         (JSC::PutByIdVariant::transition):
2778         (JSC::PutByIdVariant::kind):
2779         (JSC::PutByIdVariant::isSet):
2780         (JSC::PutByIdVariant::operator!):
2781         (JSC::PutByIdVariant::structure):
2782         (JSC::PutByIdVariant::oldStructure):
2783         (JSC::PutByIdVariant::newStructure):
2784         (JSC::PutByIdVariant::structureChain):
2785         (JSC::PutByIdVariant::offset):
2786         * dfg/DFGAbstractInterpreterInlines.h:
2787         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2788         * dfg/DFGByteCodeParser.cpp:
2789         (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
2790         (JSC::DFG::ByteCodeParser::handleGetById):
2791         (JSC::DFG::ByteCodeParser::emitPutById):
2792         (JSC::DFG::ByteCodeParser::handlePutById):
2793         (JSC::DFG::ByteCodeParser::parseBlock):
2794         * dfg/DFGCSEPhase.cpp:
2795         (JSC::DFG::CSEPhase::checkStructureElimination):
2796         (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
2797         (JSC::DFG::CSEPhase::putStructureStoreElimination):
2798         (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
2799         (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
2800         * dfg/DFGClobberize.h:
2801         (JSC::DFG::clobberize):
2802         * dfg/DFGConstantFoldingPhase.cpp:
2803         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2804         (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
2805         * dfg/DFGFixupPhase.cpp:
2806         (JSC::DFG::FixupPhase::fixupNode):
2807         * dfg/DFGGraph.cpp:
2808         (JSC::DFG::Graph::dump):
2809         * dfg/DFGGraph.h:
2810         * dfg/DFGNode.cpp:
2811         (JSC::DFG::MultiPutByOffsetData::writesStructures):
2812         (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
2813         * dfg/DFGNode.h:
2814         (JSC::DFG::Node::convertToPutByOffset):
2815         (JSC::DFG::Node::hasMultiPutByOffsetData):
2816         (JSC::DFG::Node::multiPutByOffsetData):
2817         * dfg/DFGNodeType.h:
2818         * dfg/DFGPredictionPropagationPhase.cpp:
2819         (JSC::DFG::PredictionPropagationPhase::propagate):
2820         * dfg/DFGSafeToExecute.h:
2821         (JSC::DFG::safeToExecute):
2822         * dfg/DFGSpeculativeJIT32_64.cpp:
2823         (JSC::DFG::SpeculativeJIT::compile):
2824         * dfg/DFGSpeculativeJIT64.cpp:
2825         (JSC::DFG::SpeculativeJIT::compile):
2826         * dfg/DFGTypeCheckHoistingPhase.cpp:
2827         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
2828         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
2829         * ftl/FTLCapabilities.cpp:
2830         (JSC::FTL::canCompile):
2831         * ftl/FTLLowerDFGToLLVM.cpp:
2832         (JSC::FTL::LowerDFGToLLVM::compileNode):
2833         (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
2834         (JSC::FTL::LowerDFGToLLVM::compileAllocatePropertyStorage):
2835         (JSC::FTL::LowerDFGToLLVM::compileReallocatePropertyStorage):
2836         (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
2837         (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
2838         (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
2839         (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
2840         (JSC::FTL::LowerDFGToLLVM::loadProperty):
2841         (JSC::FTL::LowerDFGToLLVM::storeProperty):
2842         (JSC::FTL::LowerDFGToLLVM::addressOfProperty):
2843         (JSC::FTL::LowerDFGToLLVM::storageForTransition):
2844         (JSC::FTL::LowerDFGToLLVM::allocatePropertyStorage):
2845         (JSC::FTL::LowerDFGToLLVM::reallocatePropertyStorage):
2846         (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
2847         * tests/stress/fold-multi-put-by-offset-to-put-by-offset.js: Added.
2848         * tests/stress/multi-put-by-offset-reallocation-butterfly-cse.js: Added.
2849         * tests/stress/multi-put-by-offset-reallocation-cases.js: Added.
2850
2851 2014-02-24  peavo@outlook.com  <peavo@outlook.com>
2852
2853         JSC regressions after r164494
2854         https://bugs.webkit.org/show_bug.cgi?id=129272
2855
2856         Reviewed by Mark Lam.
2857
2858         * offlineasm/x86.rb: Only avoid reverse opcode (fdivr) for Windows.
2859
2860 2014-02-24  Tamas Gergely  <tgergely.u-szeged@partner.samsung.com>
2861
2862         Code cleanup: remove leftover ENABLE(WORKERS) macros and support.
2863         https://bugs.webkit.org/show_bug.cgi?id=129255
2864
2865         Reviewed by Csaba Osztrogonác.
2866
2867         ENABLE_WORKERS macro was removed in r159679.
2868         Support is now also removed from xcconfig files.
2869
2870         * Configurations/FeatureDefines.xcconfig:
2871
2872 2014-02-24  David Kilzer  <ddkilzer@apple.com>
2873
2874         Remove redundant setting in FeatureDefines.xcconfig
2875
2876         * Configurations/FeatureDefines.xcconfig:
2877
2878 2014-02-23  Sam Weinig  <sam@webkit.org>
2879
2880         Update FeatureDefines.xcconfig
2881
2882         Rubber-stamped by Anders Carlsson.
2883
2884         * Configurations/FeatureDefines.xcconfig:
2885
2886 2014-02-23  Dean Jackson  <dino@apple.com>
2887
2888         Sort the project file with sort-Xcode-project-file.
2889
2890         Rubber-stamped by Sam Weinig.
2891
2892         * JavaScriptCore.xcodeproj/project.pbxproj:
2893
2894 2014-02-23  Sam Weinig  <sam@webkit.org>
2895
2896         Move telephone number detection behind its own ENABLE macro
2897         https://bugs.webkit.org/show_bug.cgi?id=129236
2898
2899         Reviewed by Dean Jackson.
2900
2901         * Configurations/FeatureDefines.xcconfig:
2902         Add ENABLE_TELEPHONE_NUMBER_DETECTION.
2903
2904 2014-02-22  Filip Pizlo  <fpizlo@apple.com>
2905
2906         Refine DFG+FTL inlining and compilation limits
2907         https://bugs.webkit.org/show_bug.cgi?id=129212
2908
2909         Reviewed by Mark Hahnenberg.
2910         
2911         Allow larger functions to be DFG-compiled. Institute a limit on FTL compilation,
2912         and set that limit quite high. Institute a limit on inlining-into. The idea here is
2913         that large functions tend to be autogenerated, and code generators like emscripten
2914         appear to leave few inlining opportunities anyway. Also, we don't want the code
2915         size explosion that we would risk if we allowed compilation of a large function and
2916         then inlined a ton of stuff into it.
2917         
2918         This is a 0.5% speed-up on Octane v2 and almost eliminates the typescript
2919         regression. This is a 9% speed-up on AsmBench.
2920
2921         * bytecode/CodeBlock.cpp:
2922         (JSC::CodeBlock::noticeIncomingCall):
2923         * dfg/DFGByteCodeParser.cpp:
2924         (JSC::DFG::ByteCodeParser::handleInlining):
2925         * dfg/DFGCapabilities.h:
2926         (JSC::DFG::isSmallEnoughToInlineCodeInto):
2927         * ftl/FTLCapabilities.cpp:
2928         (JSC::FTL::canCompile):
2929         * ftl/FTLState.h:
2930         (JSC::FTL::shouldShowDisassembly):
2931         * runtime/Options.h:
2932
2933 2014-02-22  Dan Bernstein  <mitz@apple.com>
2934
2935         REGRESSION (r164507): Crash beneath JSGlobalObjectInspectorController::reportAPIException at facebook.com, twitter.com, youtube.com
2936         https://bugs.webkit.org/show_bug.cgi?id=129227
2937
2938         Reviewed by Eric Carlson.
2939
2940         Reverted r164507.
2941
2942         * API/JSBase.cpp:
2943         (JSEvaluateScript):
2944         (JSCheckScriptSyntax):
2945         * API/JSObjectRef.cpp:
2946         (JSObjectMakeFunction):
2947         (JSObjectMakeArray):
2948         (JSObjectMakeDate):
2949         (JSObjectMakeError):
2950         (JSObjectMakeRegExp):
2951         (JSObjectGetProperty):
2952         (JSObjectSetProperty):
2953         (JSObjectGetPropertyAtIndex):
2954         (JSObjectSetPropertyAtIndex):
2955         (JSObjectDeleteProperty):
2956         (JSObjectCallAsFunction):
2957         (JSObjectCallAsConstructor):
2958         * API/JSValue.mm:
2959         (valueToArray):
2960         (valueToDictionary):
2961         * API/JSValueRef.cpp:
2962         (JSValueIsEqual):
2963         (JSValueIsInstanceOfConstructor):
2964         (JSValueCreateJSONString):
2965         (JSValueToNumber):
2966         (JSValueToStringCopy):
2967         (JSValueToObject):
2968         * inspector/ConsoleMessage.cpp:
2969         (Inspector::ConsoleMessage::ConsoleMessage):
2970         (Inspector::ConsoleMessage::autogenerateMetadata):
2971         * inspector/ConsoleMessage.h:
2972         * inspector/JSGlobalObjectInspectorController.cpp:
2973         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2974         * inspector/JSGlobalObjectInspectorController.h:
2975         * inspector/ScriptCallStack.cpp:
2976         * inspector/ScriptCallStack.h:
2977         * inspector/ScriptCallStackFactory.cpp:
2978         (Inspector::createScriptCallStack):
2979         (Inspector::createScriptCallStackForConsole):
2980         (Inspector::createScriptCallStackFromException):
2981         * inspector/ScriptCallStackFactory.h:
2982         * inspector/agents/InspectorConsoleAgent.cpp:
2983         (Inspector::InspectorConsoleAgent::enable):
2984         (Inspector::InspectorConsoleAgent::addMessageToConsole):
2985         (Inspector::InspectorConsoleAgent::count):
2986         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
2987         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
2988
2989 2014-02-22  Joseph Pecoraro  <pecoraro@apple.com>
2990
2991         Remove some unreachable code (-Wunreachable-code)
2992         https://bugs.webkit.org/show_bug.cgi?id=129220
2993
2994         Reviewed by Eric Carlson.
2995
2996         * API/tests/testapi.c:
2997         (EvilExceptionObject_convertToType):
2998         * disassembler/udis86/udis86_decode.c:
2999         (decode_operand):
3000
3001 2014-02-22  Filip Pizlo  <fpizlo@apple.com>
3002
3003         Unreviewed, ARMv7 build fix.
3004
3005         * assembler/ARMv7Assembler.h:
3006
3007 2014-02-21  Filip Pizlo  <fpizlo@apple.com>
3008
3009         It should be possible for a LinkBuffer to outlive the MacroAssembler and still be useful
3010         https://bugs.webkit.org/show_bug.cgi?id=124733
3011
3012         Reviewed by Oliver Hunt.
3013         
3014         This also takes the opportunity to de-duplicate some branch compaction code.
3015
3016         * assembler/ARM64Assembler.h:
3017         * assembler/ARMv7Assembler.h:
3018         (JSC::ARMv7Assembler::buffer):
3019         * assembler/AssemblerBuffer.h:
3020         (JSC::AssemblerData::AssemblerData):
3021         (JSC::AssemblerBuffer::AssemblerBuffer):
3022         (JSC::AssemblerBuffer::storage):
3023         (JSC::AssemblerBuffer::grow):
3024         * assembler/LinkBuffer.h:
3025         (JSC::LinkBuffer::LinkBuffer):
3026         (JSC::LinkBuffer::executableOffsetFor):
3027         (JSC::LinkBuffer::applyOffset):
3028         * assembler/MacroAssemblerARM64.h:
3029         (JSC::MacroAssemblerARM64::link):
3030         * assembler/MacroAssemblerARMv7.h:
3031
3032 2014-02-21  Brent Fulgham  <bfulgham@apple.com>
3033
3034         Extend media support for WebVTT sources
3035         https://bugs.webkit.org/show_bug.cgi?id=129156
3036
3037         Reviewed by Eric Carlson.
3038
3039         * Configurations/FeatureDefines.xcconfig: Add new feature define for AVF_CAPTIONS
3040
3041 2014-02-21  Joseph Pecoraro  <pecoraro@apple.com>
3042
3043         Web Inspector: JSContext inspection should report exceptions in the console
3044         https://bugs.webkit.org/show_bug.cgi?id=128776
3045
3046         Reviewed by Timothy Hatcher.
3047
3048         When JavaScript API functions have an exception, let the inspector
3049         know so it can log the JavaScript and Native backtrace that caused
3050         the exception.
3051
3052         Include some clean up of ConsoleMessage and ScriptCallStack construction.
3053
3054         * API/JSBase.cpp:
3055         (JSEvaluateScript):
3056         (JSCheckScriptSyntax):
3057         * API/JSObjectRef.cpp:
3058         (JSObjectMakeFunction):
3059         (JSObjectMakeArray):
3060         (JSObjectMakeDate):
3061         (JSObjectMakeError):
3062         (JSObjectMakeRegExp):
3063         (JSObjectGetProperty):
3064         (JSObjectSetProperty):
3065         (JSObjectGetPropertyAtIndex):
3066         (JSObjectSetPropertyAtIndex):
3067         (JSObjectDeleteProperty):
3068         (JSObjectCallAsFunction):
3069         (JSObjectCallAsConstructor):
3070         * API/JSValue.mm:
3071         (reportExceptionToInspector):
3072         (valueToArray):
3073         (valueToDictionary):
3074         * API/JSValueRef.cpp:
3075         (JSValueIsEqual):
3076         (JSValueIsInstanceOfConstructor):
3077         (JSValueCreateJSONString):
3078         (JSValueToNumber):
3079         (JSValueToStringCopy):
3080         (JSValueToObject):
3081         When seeing an exception, let the inspector know there was an exception.
3082
3083         * inspector/JSGlobalObjectInspectorController.h:
3084         * inspector/JSGlobalObjectInspectorController.cpp:
3085         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3086         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
3087         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
3088         Log API exceptions by also grabbing the native backtrace.
3089
3090         * inspector/ScriptCallStack.h:
3091         * inspector/ScriptCallStack.cpp:
3092         (Inspector::ScriptCallStack::firstNonNativeCallFrame):
3093         (Inspector::ScriptCallStack::append):
3094         Minor extensions to ScriptCallStack to make it easier to work with.
3095
3096         * inspector/ConsoleMessage.cpp:
3097         (Inspector::ConsoleMessage::ConsoleMessage):
3098         (Inspector::ConsoleMessage::autogenerateMetadata):
3099         Provide better default information if the first call frame was native.
3100
3101         * inspector/ScriptCallStackFactory.cpp:
3102         (Inspector::createScriptCallStack):
3103         (Inspector::extractSourceInformationFromException):
3104         (Inspector::createScriptCallStackFromException):
3105         Perform the handling here of inserting a fake call frame for exceptions
3106         if there was no call stack (e.g. a SyntaxError) or if the first call
3107         frame had no information.
3108
3109         * inspector/ConsoleMessage.cpp:
3110         (Inspector::ConsoleMessage::ConsoleMessage):
3111         (Inspector::ConsoleMessage::autogenerateMetadata):
3112         * inspector/ConsoleMessage.h:
3113         * inspector/ScriptCallStackFactory.cpp:
3114         (Inspector::createScriptCallStack):
3115         (Inspector::createScriptCallStackForConsole):
3116         * inspector/ScriptCallStackFactory.h:
3117         * inspector/agents/InspectorConsoleAgent.cpp:
3118         (Inspector::InspectorConsoleAgent::enable):
3119         (Inspector::InspectorConsoleAgent::addMessageToConsole):
3120         (Inspector::InspectorConsoleAgent::count):
3121         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
3122         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
3123         ConsoleMessage cleanup.
3124
3125 2014-02-21  Oliver Hunt  <oliver@apple.com>
3126
3127         Add extra space to op_call and related opcodes
3128         https://bugs.webkit.org/show_bug.cgi?id=129170
3129
3130         Reviewed by Mark Lam.
3131
3132         No change in behaviour, just some refactoring to add an extra
3133         slot to the op_call instructions, and refactoring to make similar
3134         changes easier in future.
3135
3136         * bytecode/CodeBlock.cpp:
3137         (JSC::CodeBlock::printCallOp):
3138         * bytecode/Opcode.h:
3139         (JSC::padOpcodeName):
3140         * bytecompiler/BytecodeGenerator.cpp:
3141         (JSC::BytecodeGenerator::emitCall):
3142         (JSC::BytecodeGenerator::emitCallVarargs):
3143         (JSC::BytecodeGenerator::emitConstruct):
3144         * dfg/DFGByteCodeParser.cpp:
3145         (JSC::DFG::ByteCodeParser::handleIntrinsic):
3146         * jit/JITCall.cpp:
3147         (JSC::JIT::compileOpCall):
3148         * jit/JITCall32_64.cpp:
3149         (JSC::JIT::compileOpCall):
3150         * llint/LowLevelInterpreter.asm:
3151         * llint/LowLevelInterpreter32_64.asm:
3152         * llint/LowLevelInterpreter64.asm:
3153
3154 2014-02-21  Mark Lam  <mark.lam@apple.com>
3155
3156         gatherFromOtherThread() needs to align the sp before gathering roots.
3157         <https://webkit.org/b/129169>
3158
3159         Reviewed by Geoffrey Garen.
3160
3161         The GC scans the stacks of other threads using MachineThreads::gatherFromOtherThread().
3162         gatherFromOtherThread() defines the range of the other thread's stack as
3163         being bounded by the other thread's stack pointer and stack base. While
3164         the stack base will always be aligned to sizeof(void*), the stack pointer
3165         may not be. This is because the other thread may have just pushed a 32-bit
3166         value on its stack before we suspended it for scanning.
3167
3168         The fix is to round the stack pointer up to the next aligned address of
3169         sizeof(void*) and start scanning from there. On 64-bit systems, we will
3170         effectively ignore the 32-bit word at the bottom of the stack (top of the
3171         stack for stacks growing up) because it cannot be a 64-bit pointer anyway.
3172         64-bit pointers should always be stored on 64-bit aligned boundaries (our
3173         conservative scan algorithm already depends on this assumption).
3174
3175         On 32-bit systems, the rounding is effectively a no-op.
3176
3177         * heap/ConservativeRoots.cpp:
3178         (JSC::ConservativeRoots::genericAddSpan):
        - Hardened some assertions so that we can catch misalignment issues on
3180           release builds as well.
3181         * heap/MachineStackMarker.cpp:
3182         (JSC::MachineThreads::gatherFromOtherThread):
3183
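The alignment fix described in the entry above, as an added example (not JavaScriptCore's own ConservativeRoots or MachineStackMarker code): a conservative scan over a span of another thread's stack that first rounds the stack pointer up to a sizeof(void*) boundary, then reads pointer-sized words and keeps those that fall inside a heap range. The HeapRange type, the fake stack, the heap bounds and the function names are assumptions made for the illustration.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical heap bounds: a word whose value falls in [low, high) is
 * treated as a possible pointer into the heap. */
typedef struct {
    uintptr_t low;
    uintptr_t high;
} HeapRange;

/* Round p up to the next multiple of sizeof(void*). On a 64-bit system a
 * stack pointer that sits just below a freshly pushed 32-bit value is only
 * 4-byte aligned; no properly aligned 64-bit pointer can start there, so
 * skipping the unaligned prefix drops nothing the scan could have used.
 * On a 32-bit system the rounding is a no-op. */
static uintptr_t round_up_to_pointer(uintptr_t p)
{
    const uintptr_t mask = sizeof(void*) - 1;
    return (p + mask) & ~mask;
}

/* Conservative scan of the span [begin, end): every pointer-aligned,
 * pointer-sized word whose value lies in the heap range counts as a root.
 * Roots are written to out (at most out_cap of them); the return value is
 * the total number found. */
static size_t conservative_scan(const void* begin, const void* end,
                                HeapRange heap, uintptr_t* out, size_t out_cap)
{
    uintptr_t cursor = round_up_to_pointer((uintptr_t)begin);
    uintptr_t stop = (uintptr_t)end;
    size_t found = 0;

    /* Checks kept on in all builds: the rounded start must be aligned and
     * must not lie past the end of the span. */
    assert((cursor & (sizeof(void*) - 1)) == 0);
    if (cursor > stop)
        return 0;

    for (; cursor + sizeof(void*) <= stop; cursor += sizeof(void*)) {
        uintptr_t word;
        memcpy(&word, (const void*)cursor, sizeof word); /* alignment-safe read */
        if (word >= heap.low && word < heap.high) {
            if (found < out_cap)
                out[found] = word;
            found++;
        }
    }
    return found;
}

/* Constructed sample "stack" of another thread (not real thread memory).
 * Two words hold values that look like heap pointers; the rest hold a small
 * integer. The stack pointer handed to the scanner is 4 bytes past a
 * pointer-aligned boundary, as if the thread had just pushed a 32-bit value
 * before being suspended. */
static uintptr_t g_fake_stack[8];
static uintptr_t g_demo_roots[8];

size_t demo_roots_found(void)
{
    HeapRange heap = { 0x1000, 0x2000 };
    for (size_t i = 0; i < 8; i++)
        g_fake_stack[i] = 0x42;
    g_fake_stack[2] = 0x1234;
    g_fake_stack[5] = 0x1800;

    const char* sp = (const char*)g_fake_stack + 4;     /* misaligned on 64-bit */
    const char* base = (const char*)(g_fake_stack + 8); /* stack base, aligned */
    return conservative_scan(sp, base, heap, g_demo_roots, 8);
}

uintptr_t demo_root_at(size_t i)
{
    return g_demo_roots[i];
}

int main(void)
{
    size_t n = demo_roots_found();
    printf("roots found: %zu\n", n);
    for (size_t i = 0; i < n; i++)
        printf("  0x%lx\n", (unsigned long)demo_root_at(i));
    return 0;
}
```

On a 64-bit build the 4-byte-offset stack pointer is rounded up to the next 8-byte boundary, so the scan starts at the second word and still finds both pointer-like values; on a 32-bit build the offset is already aligned and the rounding changes nothing, which is the "effectively a no-op" case the entry mentions. The memcpy read keeps the scan itself alignment-safe even if a caller passes an unaligned end.
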
3184 2014-02-21  Matthew Mirman  <mmirman@apple.com>
3185
3186         Added a GetMyArgumentsLengthSafe and added a speculation check.
3187         https://bugs.webkit.org/show_bug.cgi?id=129051
3188
3189         Reviewed by Filip Pizlo.
3190
3191         * ftl/FTLLowerDFGToLLVM.cpp:
3192         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
3193
3194 2014-02-21  peavo@outlook.com  <peavo@outlook.com>
3195
3196         [Win][LLINT] Many JSC stress test failures.
3197         https://bugs.webkit.org/show_bug.cgi?id=129155
3198
3199         Reviewed by Michael Saboff.
3200
3201         Intel syntax has reversed operand order compared to AT&T syntax, so we need to swap the operand order, in this case on floating point operations.
3202         Also avoid using the reverse opcode (e.g. fdivr), as this puts the result at the wrong position in the floating point stack.
3203         E.g. "divd ft0, ft1" would translate to fdivr st, st(1) (Intel syntax) on Windows, but this puts the result in st, when it should be in st(1).
3204
3205         * offlineasm/x86.rb: Swap operand order on Windows.
3206
3207 2014-02-21  Filip Pizlo  <fpizlo@apple.com>
3208
3209         DFG write barriers should do more speculations
3210         https://bugs.webkit.org/show_bug.cgi?id=129160
3211
3212         Reviewed by Mark Hahnenberg.
3213         
3214         Replace ConditionalStoreBarrier with the cheapest speculation that you could do
3215         instead.
3216         
        Minuscule speed-up on some things. It's a decent difference in code size, though.
3218
3219         * bytecode/SpeculatedType.cpp:
3220         (JSC::speculationToAbbreviatedString):
3221         * bytecode/SpeculatedType.h:
3222         (JSC::isNotCellSpeculation):
3223         * dfg/DFGFixupPhase.cpp:
3224         (JSC::DFG::FixupPhase::fixupNode):
3225         (JSC::DFG::FixupPhase::insertStoreBarrier):
3226         (JSC::DFG::FixupPhase::insertPhantomCheck):
3227         * dfg/DFGNode.h:
3228         (JSC::DFG::Node::shouldSpeculateOther):
3229         (JSC::DFG::Node::shouldSpeculateNotCell):
3230         * ftl/FTLCapabilities.cpp:
3231         (JSC::FTL::canCompile):
3232         * ftl/FTLLowerDFGToLLVM.cpp:
3233         (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
3234         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
3235         (JSC::FTL::LowerDFGToLLVM::isNotOther):
3236         (JSC::FTL::LowerDFGToLLVM::isOther):
3237         (JSC::FTL::LowerDFGToLLVM::speculate):
3238         (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
3239         (JSC::FTL::LowerDFGToLLVM::speculateOther):
3240         (JSC::FTL::LowerDFGToLLVM::speculateNotCell):
3241
3242 2014-02-21  Joseph Pecoraro  <pecoraro@apple.com>
3243
3244         Revert r164486, causing a number of test failures.
3245
3246         Unreviewed rollout.
3247
3248 2014-02-21  Filip Pizlo  <fpizlo@apple.com>
3249
3250         Revive SABI (aka shouldAlwaysBeInlined)
3251         https://bugs.webkit.org/show_bug.cgi?id=129159
3252
3253         Reviewed by Mark Hahnenberg.
3254         
3255         This is a small Octane speed-up.
3256
3257         * jit/Repatch.cpp:
3258         (JSC::linkFor): This code was assuming that if it's invoked then the caller is a DFG code block. That's wrong, since it's now used by all of the JITs.
3259
3260 2014-02-21  Joseph Pecoraro  <pecoraro@apple.com>
3261
3262         Web Inspector: JSContext inspection should report exceptions in the console
3263         https://bugs.webkit.org/show_bug.cgi?id=128776
3264
3265         Reviewed by Timothy Hatcher.
3266
3267         When JavaScript API functions have an exception, let the inspector
3268         know so it can log the JavaScript and Native backtrace that caused
3269         the exception.
3270
3271         Include some clean up of ConsoleMessage and ScriptCallStack construction.
3272
3273         * API/JSBase.cpp:
3274         (JSEvaluateScript):
3275         (JSCheckScriptSyntax):
3276         * API/JSObjectRef.cpp:
3277         (JSObjectMakeFunction):
3278         (JSObjectMakeArray):
3279         (JSObjectMakeDate):
3280         (JSObjectMakeError):
3281         (JSObjectMakeRegExp):
3282         (JSObjectGetProperty):
3283         (JSObjectSetProperty):
3284         (JSObjectGetPropertyAtIndex):
3285         (JSObjectSetPropertyAtIndex):
3286         (JSObjectDeleteProperty):
3287         (JSObjectCallAsFunction):
3288         (JSObjectCallAsConstructor):
3289         * API/JSValue.mm:
3290         (reportExceptionToInspector):
3291         (valueToArray):
3292         (valueToDictionary):
3293         * API/JSValueRef.cpp:
3294         (JSValueIsEqual):
3295         (JSValueIsInstanceOfConstructor):
3296         (JSValueCreateJSONString):
3297         (JSValueToNumber):
3298         (JSValueToStringCopy):
3299         (JSValueToObject):
3300         When seeing an exception, let the inspector know there was an exception.
3301
3302         * inspector/JSGlobalObjectInspectorController.h:
3303         * inspector/JSGlobalObjectInspectorController.cpp:
3304         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3305         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
3306         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
3307         Log API exceptions by also grabbing the native backtrace.
3308
3309         * inspector/ScriptCallStack.h:
3310         * inspector/ScriptCallStack.cpp:
3311         (Inspector::ScriptCallStack::firstNonNativeCallFrame):
3312         (Inspector::ScriptCallStack::append):
3313         Minor extensions to ScriptCallStack to make it easier to work with.
3314
3315         * inspector/ConsoleMessage.cpp:
3316         (Inspector::ConsoleMessage::ConsoleMessage):
3317         (Inspector::ConsoleMessage::autogenerateMetadata):
3318         Provide better default information if the first call frame was native.
3319
3320         * inspector/ScriptCallStackFactory.cpp:
3321         (Inspector::createScriptCallStack):
3322         (Inspector::extractSourceInformationFromException):
3323         (Inspector::createScriptCallStackFromException):
3324         Perform the handling here of inserting a fake call frame for exceptions
3325         if there was no call stack (e.g. a SyntaxError) or if the first call
3326         frame had no information.
3327
3328         * inspector/ConsoleMessage.cpp:
3329         (Inspector::ConsoleMessage::ConsoleMessage):
3330         (Inspector::ConsoleMessage::autogenerateMetadata):
3331         * inspector/ConsoleMessage.h:
3332         * inspector/ScriptCallStackFactory.cpp:
3333         (Inspector::createScriptCallStack):
3334         (Inspector::createScriptCallStackForConsole):
3335         * inspector/ScriptCallStackFactory.h:
3336         * inspector/agents/InspectorConsoleAgent.cpp:
3337         (Inspector::InspectorConsoleAgent::enable):
3338         (Inspector::InspectorConsoleAgent::addMessageToConsole):
3339         (Inspector::InspectorConsoleAgent::count):
3340         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
3341         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
3342         ConsoleMessage cleanup.
3343
3344 2014-02-20  Anders Carlsson  <andersca@apple.com>
3345
3346         Modernize JSGlobalLock and JSLockHolder
3347         https://bugs.webkit.org/show_bug.cgi?id=129105
3348
3349         Reviewed by Michael Saboff.
3350
3351         Use std::mutex and std::thread::id where possible.
3352
3353         * runtime/JSLock.cpp:
3354         (JSC::GlobalJSLock::GlobalJSLock):
3355         (JSC::GlobalJSLock::~GlobalJSLock):
3356         (JSC::GlobalJSLock::initialize):
3357         (JSC::JSLock::JSLock):
3358         (JSC::JSLock::lock):
3359         (JSC::JSLock::unlock):
3360         (JSC::JSLock::currentThreadIsHoldingLock):
3361         * runtime/JSLock.h:
3362
3363 2014-02-20  Mark Lam  <mark.lam@apple.com>
3364
3365         virtualForWithFunction() should not throw an exception with a partially initialized frame.
3366         <https://webkit.org/b/129134>
3367
3368         Reviewed by Michael Saboff.
3369
3370         Currently, when JITOperations.cpp's virtualForWithFunction() fails to
3371         prepare the callee function for execution, it proceeds to throw the
3372         exception using the callee frame which is only partially initialized
3373         thus far. Instead, it should be throwing the exception using the caller
3374         frame because:
3375         1. the error happened "in" the caller while preparing the callee for
3376            execution i.e. the caller frame is the top fully initialized frame
3377            on the stack.
3378         2. the callee frame is not fully initialized yet, and the unwind
3379            mechanism cannot depend on the data in it.
3380
3381         * jit/JITOperations.cpp:
3382
3383 2014-02-20  Mark Lam  <mark.lam@apple.com>
3384
3385         DefaultGCActivityCallback::doWork() should reschedule if GC is deferred.
3386         <https://webkit.org/b/129131>
3387
3388         Reviewed by Mark Hahnenberg.
3389
3390         Currently, DefaultGCActivityCallback::doWork() does not check if the GC
3391         needs to be deferred before commencing. As a result, the GC may crash
3392         and/or corrupt data because the VM is not in the consistent state needed
3393         for the GC to run. With this fix, doWork() now checks if the GC is
3394         supposed to be deferred and re-schedules if needed. It only commences
3395         with GC'ing when it's safe to do so.
3396
3397         * runtime/GCActivityCallback.cpp:
3398         (JSC::DefaultGCActivityCallback::doWork):
3399
3400 2014-02-20  Geoffrey Garen  <ggaren@apple.com>
3401
3402         Math.imul gives wrong results
3403         https://bugs.webkit.org/show_bug.cgi?id=126345
3404
3405         Reviewed by Mark Hahnenberg.
3406
3407         Don't truncate non-int doubles to 0 -- that's just not how ToInt32 works.
3408         Instead, take a slow path that will do the right thing.
3409