Source/JavaScriptCore/ChangeLog (WebKit-https.git, commit bcb2c203772abc1ef57dd290cbe7a65177289233)

2014-05-20  Geoffrey Garen  <ggaren@apple.com>

        Rolled out <http://trac.webkit.org/changeset/166184>
        https://bugs.webkit.org/show_bug.cgi?id=133144

        Reviewed by Gavin Barraclough.

        It caused a performance regression.

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::blockFreeingThreadStartFunc):

2014-05-20  Filip Pizlo  <fpizlo@apple.com>

        DFG prediction propagation should agree with fixup phase over the return type of GetByVal
        https://bugs.webkit.org/show_bug.cgi?id=133134

        Reviewed by Mark Hahnenberg.

        Make prediction propagator use ArrayMode refinement to decide the return type.

        Also introduce a heap prediction intrinsic that allows us to test weird corner cases
        like this. The only way we'll see a mismatch like this in the real world is probably
        through a gnarly race condition.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::setHeapPrediction):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionFalse1):
        (functionFalse2):
        (functionUndefined1):
        (functionUndefined2):
        (functionFalse): Deleted.
        (functionOtherFalse): Deleted.
        (functionUndefined): Deleted.
        * runtime/Intrinsic.h:
        * tests/stress/get-by-val-double-predicted-int.js: Added.
        (foo):

2014-05-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        Watchdog timer should be lazily allocated
        https://bugs.webkit.org/show_bug.cgi?id=133135

        Reviewed by Geoffrey Garen.

        We incur a noticeable amount of overhead on some benchmarks due to checking if the Watchdog ever fired.
        There is no reason to do this checking if we never activated the Watchdog, which can only be done through
        JSContextGroupSetExecutionTimeLimit or JSContextGroupClearExecutionTimeLimit.

        By allocating the Watchdog lazily on the VM we can avoid all of the associated overhead when we don't use
        these two API functions (which is true of most clients).

        * API/JSContextRef.cpp:
        (JSContextGroupSetExecutionTimeLimit):
        (JSContextGroupClearExecutionTimeLimit):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_loop_hint):
        (JSC::JIT::emitSlow_op_loop_hint):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/VM.h:
        * runtime/Watchdog.cpp:
        (JSC::Watchdog::Scope::Scope): Deleted.
        (JSC::Watchdog::Scope::~Scope): Deleted.
        * runtime/Watchdog.h:
        (JSC::Watchdog::Scope::Scope):
        (JSC::Watchdog::Scope::~Scope):

2014-05-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSArray::shiftCountWith* could be more efficient
        https://bugs.webkit.org/show_bug.cgi?id=133011

        Reviewed by Geoffrey Garen.

        Our current implementations of shiftCountWithAnyIndexingType and shiftCountWithArrayStorage
        are scared of the presence of any holes in the array. We can mitigate this somewhat by enabling
        them to correctly handle holes, thus avoiding the slowest of slow paths in most cases.

        * runtime/ArrayStorage.h:
        (JSC::ArrayStorage::indexingHeader):
        (JSC::ArrayStorage::length):
        (JSC::ArrayStorage::hasHoles):
        * runtime/IndexingHeader.h:
        (JSC::IndexingHeader::publicLength):
        (JSC::IndexingHeader::from):
        * runtime/JSArray.cpp:
        (JSC::JSArray::shiftCountWithArrayStorage):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::unshiftCountWithArrayStorage):
        * runtime/JSArray.h:
        (JSC::JSArray::shiftCountForShift):
        (JSC::JSArray::shiftCountForSplice):
        (JSC::JSArray::shiftCount):
        * runtime/Structure.cpp:
        (JSC::Structure::holesRequireSpecialBehavior):
        * runtime/Structure.h:

2014-05-19  Filip Pizlo  <fpizlo@apple.com>

        Test gardening: skip some failing tests on not-X86.

        * tests/mozilla/mozilla-tests.yaml:

2014-05-19  Mark Lam  <mark.lam@apple.com>

        operationOptimize() should defer the GC for a while.
        <https://webkit.org/b/133103>

        Reviewed by Filip Pizlo.

        Currently, operationOptimize() only defers the GC until its end.  As a result,
        a GC may be triggered just before we return from operationOptimize(), and it may
        jettison the optimized codeBlock that we're planning to OSR enter into when we
        return from this function.  This is because the OSR entry on-ramp code hasn't
        been executed yet, and hence, there is not yet a reference to this new codeBlock
        from the stack, and there won't be until we've had a chance to return out of
        operationOptimize() to run the OSR entry on-ramp code.

        This issue is now fixed by using DeferGCForAWhile instead of DeferGC.  This
        ensures that the GC will be deferred until after the OSR entry on-ramp can be
        executed.

        * jit/JITOperations.cpp:

2014-05-19  Filip Pizlo  <fpizlo@apple.com>

        Take care of some ARM64 test failures
        https://bugs.webkit.org/show_bug.cgi?id=133090

        Reviewed by Geoffrey Garen.

        Constant blinding on ARM64 cannot use the scratch register.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::convertInt32ToDouble):
        (JSC::MacroAssembler::branchPtr):
        (JSC::MacroAssembler::storePtr):
        (JSC::MacroAssembler::store64):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::scratchRegisterForBlinding):

2014-05-19  Tanay C  <tanay.c@samsung.com>

        Removing some check-webkit-style warnings from ./dfg
        https://bugs.webkit.org/show_bug.cgi?id=132854

        Reviewed by Darin Adler.

        * dfg/DFGAbstractInterpreter.h:
        * dfg/DFGAbstractValue.h:
        * dfg/DFGBlockInsertionSet.h:
        * dfg/DFGCommonData.h:
        * dfg/DFGDominators.h:
        * dfg/DFGGraph.h:
        * dfg/DFGInPlaceAbstractState.h:
        * dfg/DFGPredictionPropagationPhase.h:

2014-05-18  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, remove bogus comment. We already made the FTL use our calling convention.
        That was a long time ago.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileReturn):

2014-05-18  Rik Cabanier  <cabanier@adobe.com>

        support for navigator.hardwareConcurrency
        https://bugs.webkit.org/show_bug.cgi?id=132588

        Reviewed by Filip Pizlo.

        * Configurations/FeatureDefines.xcconfig:

2014-05-16  Michael Saboff  <msaboff@apple.com>

        Crash in JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generatePatternCharacterFixed() due to WTF::CrashOnOverflow::overflowed + 9
        https://bugs.webkit.org/show_bug.cgi?id=133009

        Reviewed by Oliver Hunt.

        If we determine that any alternative requires a minimum match size greater than
        INT_MAX, we handle the match in the interpreter.

        Check to see if the pattern has unsigned lengths before invoking YARR JIT.
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):

        * tests/stress/large-regexp.js: New test added.

        Set m_containsUnsignedLengthPattern flag if any alternative's minimum length
        doesn't fit in an int.
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):

        Clear new m_containsUnsignedLengthPattern flag.
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPattern::YarrPattern):
        * yarr/YarrPattern.h:
        (JSC::Yarr::YarrPattern::reset):
        (JSC::Yarr::YarrPattern::containsUnsignedLengthPattern):
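
The check this entry describes, as an added example that is not JavaScriptCore code: a simplified model of computing each alternative's minimum match length with overflow checks and routing any pattern whose length does not fit in an int to the interpreter rather than the JIT. Term, Alternative, Pattern and the function names are stand-ins, not Yarr's own definitions.

```cpp
#include <climits>
#include <cstdint>
#include <cstdio>
#include <vector>

// Added example, not JavaScriptCore code. It models the check described in the
// changelog entry: compute each alternative's minimum match length with
// overflow-checked arithmetic, flag the pattern if any length does not fit in
// an int, and route flagged patterns to the interpreter instead of a JIT that
// addresses the subject string with int offsets. All names are stand-ins.

// A term matches at least minLength characters per repetition and must repeat
// at least minRepeat times (the lower bound of its quantifier, e.g. {n,}).
struct Term {
    unsigned minLength;
    unsigned minRepeat;
};

using Alternative = std::vector<Term>;

struct Pattern {
    std::vector<Alternative> alternatives;
    bool containsUnsignedLengthPattern;
};

// Minimum length of one alternative. Returns false when the length does not
// fit in an int; that is the "unsigned length" case the JIT must never see.
static bool minimumLengthOfAlternative(const Alternative& alternative, int& outMinLength)
{
    uint64_t total = 0;
    for (const Term& term : alternative) {
        // Both operands are 32-bit, so the product always fits in 64 bits;
        // the only overflow that matters is against INT_MAX, checked below.
        uint64_t termMin = static_cast<uint64_t>(term.minLength) * term.minRepeat;
        if (termMin > static_cast<uint64_t>(INT_MAX) || total > static_cast<uint64_t>(INT_MAX) - termMin)
            return false;
        total += termMin;
    }
    outMinLength = static_cast<int>(total);
    return true;
}

// Sets the flag if any alternative's minimum length does not fit in an int.
static void setupDisjunctionMinimumLengths(Pattern& pattern)
{
    pattern.containsUnsignedLengthPattern = false;
    for (const Alternative& alternative : pattern.alternatives) {
        int minLength = 0;
        if (!minimumLengthOfAlternative(alternative, minLength)) {
            pattern.containsUnsignedLengthPattern = true;
            return;
        }
    }
}

enum class MatchEngine { JIT, Interpreter };

// The check made before handing a compiled pattern to the JIT.
static MatchEngine chooseEngine(const Pattern& pattern)
{
    return pattern.containsUnsignedLengthPattern ? MatchEngine::Interpreter : MatchEngine::JIT;
}

// Builds a pattern from its alternatives, computes the flag and picks an engine.
MatchEngine engineForAlternatives(const std::vector<Alternative>& alternatives)
{
    Pattern pattern { alternatives, false };
    setupDisjunctionMinimumLengths(pattern);
    return chooseEngine(pattern);
}

int main()
{
    // Constructed inputs: something like /a{3}b{4}/ versus /a{2147483647}a/.
    std::vector<Alternative> small { { { 1, 3 }, { 1, 4 } } };
    std::vector<Alternative> huge { { { 1, 2147483647u }, { 1, 1 } } };
    std::printf("small -> %s\n", engineForAlternatives(small) == MatchEngine::JIT ? "JIT" : "interpreter");
    std::printf("huge  -> %s\n", engineForAlternatives(huge) == MatchEngine::JIT ? "JIT" : "interpreter");
    return 0;
}
```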

2014-05-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSDOMWindow should not claim HasImpureGetOwnPropertySlot
        https://bugs.webkit.org/show_bug.cgi?id=132918

        Reviewed by Geoffrey Garen.

        * jit/Repatch.cpp:
        (JSC::tryRepatchIn): We forgot to check for watchpoints when repatching "in".

2014-05-15  Alex Christensen  <achristensen@webkit.org>

        Add pointer lock to features without enabling it.
        https://bugs.webkit.org/show_bug.cgi?id=132961

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:
        Added ENABLE_POINTER_LOCK to list of features.

2014-05-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        Inline caching for proxies clobbers baseGPR too early
        https://bugs.webkit.org/show_bug.cgi?id=132916

        Reviewed by Filip Pizlo.

        We clobber baseGPR prior to the Structure checks, so if any of the checks fail then the slow path
        gets the target of the proxy rather than the proxy itself. We need to delay the clobbering of baseGPR
        until we know the inline cache is going to succeed.

        * jit/Repatch.cpp:
        (JSC::generateByIdStub):

2014-05-14  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed build fix.

        * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: This solution
        was missing commands to build LLInt portions of JSC.
        * llint/LLIntData.cpp: 64-bit build fix.

2014-05-14  Martin Hodovan <mhodovan.u-szeged@partner.samsung.com>

        ARM Traditional build fix after r168776.
        https://bugs.webkit.org/show_bug.cgi?id=132903

        Reviewed by Darin Adler.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::abortWithReason): Added.

2014-05-14  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>

        Remove CSS_STICKY_POSITION guards
        https://bugs.webkit.org/show_bug.cgi?id=132676

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:

2014-05-13  Filip Pizlo  <fpizlo@apple.com>

        JIT breakpoints should be more informative
        https://bugs.webkit.org/show_bug.cgi?id=132882

        Reviewed by Oliver Hunt.

        Introduce the notion of an AbortReason, which is a nice enumeration of coded assertion
        failure names. This means that all you need to figure out why the JIT SIGTRAP'd is to look
        at that platform's abort reason register (r11 on X86-64 for example).

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbortReason.h: Added.
        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::abortWithReason):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::abortWithReason):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::abortWithReason):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::abortWithReason):
        * dfg/DFGSlowPathGenerator.h:
        (JSC::DFG::SlowPathGenerator::generate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::bail):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrEntryThunkGenerator):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::jitAssertIsInt32):
        (JSC::AssemblyHelpers::jitAssertIsJSInt32):
        (JSC::AssemblyHelpers::jitAssertIsJSNumber):
        (JSC::AssemblyHelpers::jitAssertIsJSDouble):
        (JSC::AssemblyHelpers::jitAssertIsCell):
        (JSC::AssemblyHelpers::jitAssertTagsInPlace):
        (JSC::AssemblyHelpers::jitAssertHasValidCallFrame):
        (JSC::AssemblyHelpers::jitAssertIsNull):
        (JSC::AssemblyHelpers::jitAssertArgumentCountSane):
        (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::checkStackPointerAlignment):
        (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo): Deleted.
        * jit/JIT.h:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emitSlow_op_div):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitSlow_op_loop_hint):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::compileGetDirectOffset):
        (JSC::JIT::addStructureTransitionCheck): Deleted.
        (JSC::JIT::testPrototype): Deleted.
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::compileGetDirectOffset):
        * jit/RegisterPreservationWrapperGenerator.cpp:
        (JSC::generateRegisterRestoration):
        * jit/Repatch.cpp:
        (JSC::addStructureTransitionCheck):
        (JSC::linkClosureCall):
        * jit/ThunkGenerators.cpp:
        (JSC::emitPointerValidation):
        (JSC::nativeForGenerator):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generate):

2014-05-13  peavo@outlook.com  <peavo@outlook.com>

        [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
        https://bugs.webkit.org/show_bug.cgi?id=132772

        Reviewed by Geoffrey Garen.

        Using the MSVC compiler, an instance of an enum type with value zero is compatible with void* (see bug 132683 for a code example).
        This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
        This patch tries to prevent these types of crashes by using a type with explicit constructors instead of void*.
        The void* parameters in the loadDouble and storeDouble methods are replaced with TrustedImmPtr.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::loadDouble):
        (JSC::MacroAssemblerARM::storeDouble):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::loadDouble):
        (JSC::MacroAssemblerARM64::storeDouble):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::loadDouble):
        (JSC::MacroAssemblerARMv7::storeDouble):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::loadDouble):
        (JSC::MacroAssemblerMIPS::storeDouble):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::loadDouble):
        (JSC::MacroAssemblerSH4::storeDouble):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::storeDouble):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::absDouble):
        (JSC::MacroAssemblerX86Common::negateDouble):
        (JSC::MacroAssemblerX86Common::loadDouble):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentFill):
        (JSC::DFG::compileClampDoubleToByte):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::purifyNaN):
        * jit/JITInlines.h:
        (JSC::JIT::emitLoadDouble):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        * jit/ThunkGenerators.cpp:
        (JSC::floorThunkGenerator):
        (JSC::roundThunkGenerator):
        (JSC::powThunkGenerator):
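
The fix this entry describes, as an added example that is not JavaScriptCore code: a `TrustedImmPtr`-style operand with an explicit constructor in place of a `const void*` parameter, so that a register enum whose value is 0 can only resolve to the register overload. The MSVC enum-to-null-pointer conversion itself is not reproduced here (standards-conforming compilers reject it), and RegisterID, FPRegisterID, storeDouble and Emitted are simplified stand-ins for the macro assembler API.

```cpp
#include <cstdio>
#include <string>

// Added example, not JavaScriptCore code. It models the fix described in the
// changelog entry: an address operand type with only explicit constructors
// replaces a raw `const void*` parameter, so an enum register id can never be
// taken as a pointer. RegisterID, FPRegisterID, TrustedImmPtr, storeDouble and
// Emitted are simplified stand-ins, not the macro assembler's real definitions.

enum RegisterID { eax = 0, ecx, edx };  // eax == 0: the value MSVC accepted as a null pointer
enum FPRegisterID { xmm0 = 0, xmm1 };

// Immediate address operand. `explicit` is the whole point: nothing converts
// into a TrustedImmPtr unless the caller writes the conversion out.
class TrustedImmPtr {
public:
    explicit TrustedImmPtr(const void* value) : m_value(value) { }
    const void* asPtr() const { return m_value; }
private:
    const void* m_value;
};

// Stand-in for emitted machine code: records which overload was selected.
struct Emitted {
    std::string overload;
    RegisterID baseRegister;
    const void* address;
};

// Register-indirect store: the destination is [base].
Emitted storeDouble(FPRegisterID, RegisterID base)
{
    return { "storeDouble(FPRegisterID, RegisterID)", base, nullptr };
}

// Absolute store: the destination is a deliberately wrapped immediate address.
Emitted storeDouble(FPRegisterID, TrustedImmPtr address)
{
    return { "storeDouble(FPRegisterID, TrustedImmPtr)", eax, address.asPtr() };
}

// Before the fix the second overload took `const void*`. Under MSVC an enum whose
// value is zero converted to a null pointer, so storeDouble(xmm0, eax) could pick
// that overload and emit a store to address 0. With TrustedImmPtr the enum has no
// conversion to the address type, so only the register overload is viable.
Emitted storeThroughRegisterZero()
{
    return storeDouble(xmm0, eax);
}

// A genuine absolute address must be wrapped on purpose at the call site.
Emitted storeToAbsoluteAddress(const double* slot)
{
    return storeDouble(xmm0, TrustedImmPtr(slot));
}

int main()
{
    double slot = 0.0;  // constructed destination for the absolute-store case
    std::printf("%s\n", storeThroughRegisterZero().overload.c_str());
    std::printf("%s\n", storeToAbsoluteAddress(&slot).overload.c_str());
    return 0;
}
```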

2014-05-12  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r168642.
        https://bugs.webkit.org/show_bug.cgi?id=132839

        Broke ARM build (Requested by jpfau on #webkit).

        Reverted changeset:

        "[Win] Enum type with value zero is compatible with void*,
        potential cause of crashes."
        https://bugs.webkit.org/show_bug.cgi?id=132772
        http://trac.webkit.org/changeset/168642

2014-05-12  peavo@outlook.com  <peavo@outlook.com>

        [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
        https://bugs.webkit.org/show_bug.cgi?id=132772

        Reviewed by Geoffrey Garen.

        Using the MSVC compiler, an instance of an enum type with value zero is compatible with void* (see bug 132683 for a code example).
        This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
        This patch tries to prevent these types of crashes by using a type with explicit constructors instead of void*.
        The void* parameters in the loadDouble and storeDouble methods are replaced with TrustedImmPtr.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::loadDouble):
        (JSC::MacroAssemblerARM::storeDouble):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::loadDouble):
        (JSC::MacroAssemblerARM64::storeDouble):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::loadDouble):
        (JSC::MacroAssemblerARMv7::storeDouble):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::loadDouble):
        (JSC::MacroAssemblerMIPS::storeDouble):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::loadDouble):
        (JSC::MacroAssemblerSH4::storeDouble):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::storeDouble):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::absDouble):
        (JSC::MacroAssemblerX86Common::negateDouble):
        (JSC::MacroAssemblerX86Common::loadDouble):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentFill):
        (JSC::DFG::compileClampDoubleToByte):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::purifyNaN):
        * jit/JITInlines.h:
        (JSC::JIT::emitLoadDouble):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        * jit/ThunkGenerators.cpp:
        (JSC::floorThunkGenerator):
        (JSC::roundThunkGenerator):
        (JSC::powThunkGenerator):

2014-05-12  Andreas Kling  <akling@apple.com>

        0.4% of PLT3 in JSCell::structure() below JSObject::visitChildren().
        <https://webkit.org/b/132828>
        <rdar://problem/16886285>

        Reviewed by Michael Saboff.

        * runtime/JSObject.cpp:
        (JSC::JSObject::visitButterfly):
        (JSC::JSObject::visitChildren):

            Use JSCell::structure(VM&) to reduce the number of hoops we jump
            through to find Structures during marking.

2014-05-12  László Langó  <llango.u-szeged@partner.samsung.com>

        [cmake] Add missing FTL source files to the build system.

        Reviewed by Csaba Osztrogonác.

        * CMakeLists.txt:

2014-05-09  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Allow Remote Inspector to entitlement check UIProcess through WebProcess
        https://bugs.webkit.org/show_bug.cgi?id=132409

        Reviewed by Timothy Hatcher.

        Proxy applications are applications which hold WebViews for other
        applications. The WebProcess (Web Content Service) is a proxy application.
        For legacy reasons we were supporting a scenario where proxy applications
        could potentially host WebViews for more than one other application. That
        was never the case for WebProcess and it is now a scenario we don't need
        to worry about supporting.

        With this change, a proxy application more naturally only holds WebViews
        for a single parent / host application. The proxy process can set the
        parent pid / audit_token data on the RemoteInspector singleton, and
        that data will be sent on to webinspectord later on to be validated.
        In the WebProcess<->UIProcess relationship that information is known
        and set immediately. In the Legacy iOS case that information is set
        soon after, but not immediately known at the point the WebView is created.

        This allows us to simplify the RemoteInspectorDebuggable interface.
        We no longer need a pid per-Debuggable.

        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::RemoteInspector):
        (Inspector::RemoteInspector::setParentProcessInformation):
        (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
        (Inspector::RemoteInspector::listingForDebuggable):
        (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
        Handle new proxy application setup message, and provide an API
        for a proxy application to set the parent process information.

        * inspector/remote/RemoteInspectorConstants.h:
        New setup and response message for proxy applications to pass
        their parent / host application information to webinspectord.

        * inspector/remote/RemoteInspectorDebuggable.cpp:
        (Inspector::RemoteInspectorDebuggable::info):
        * inspector/remote/RemoteInspectorDebuggable.h:
        (Inspector::RemoteInspectorDebuggableInfo::RemoteInspectorDebuggableInfo):
        (Inspector::RemoteInspectorDebuggableInfo::hasParentProcess): Deleted.
        pid per debuggable is no longer needed.

2014-05-09  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSDOMWindow should disable property caching after a certain point
        https://bugs.webkit.org/show_bug.cgi?id=132751

        Reviewed by Filip Pizlo.

        This is part of removing HasImpureGetOwnPropertySlot from JSDOMWindow. After the lookup in the static
        hash table for JSDOMWindow fails we want to disable property caching even if the code that follows thinks
        that it has provided a cacheable value.

        * runtime/PropertySlot.h:
        (JSC::PropertySlot::PropertySlot):
        (JSC::PropertySlot::isCacheable):
        (JSC::PropertySlot::disableCaching):

2014-05-09  Andreas Kling  <akling@apple.com>

        8.8% spent in Object.prototype.hasOwnProperty() on sbperftest.
        <https://webkit.org/b/132749>

        Leverage the fast-resolve-to-AtomicString optimization for JSRopeString
        in Object.prototype.* by using JSString::toIdentifier() in the cases where
        we are converting JSString -> String -> Identifier.

        This brings time spent in hasOwnProperty() from 8.8% to 1.3% on
        "The Great HTML5 Gaming Performance Test: 2014 edition"
        <http://www.scirra.com/demos/c2/sbperftest/>

        Reviewed by Oliver Hunt.

        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncHasOwnProperty):
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):

2014-05-08  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSDOMWindow should have a WatchpointSet to fire on window close
        https://bugs.webkit.org/show_bug.cgi?id=132721

        Reviewed by Filip Pizlo.

        This patch allows us to reset the inline caches that assumed they could skip
        the first part of JSDOMWindow::getOwnPropertySlot that checks if the window has
        been closed. This is part of getting rid of HasImpureGetOwnPropertySlot on JSDOMWindow.

        PropertySlot now accepts a WatchpointSet which the inline cache code can look for
        to see if it should create a new Watchpoint for that particular inline cache site.

        * bytecode/Watchpoint.h:
        * jit/Repatch.cpp:
        (JSC::generateByIdStub):
        (JSC::tryBuildGetByIDList):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::PropertySlot):
        (JSC::PropertySlot::watchpointSet):
        (JSC::PropertySlot::setWatchpointSet):

2014-05-09  Tanay C  <tanay.c@samsung.com>

        Fix build warning (uninitialized variable) in DFGFixupPhase.cpp
        https://bugs.webkit.org/show_bug.cgi?id=132331

        Reviewed by Darin Adler.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):

2014-05-09  peavo@outlook.com  <peavo@outlook.com>

        [Win] Crash when enabling DFG JIT.
        https://bugs.webkit.org/show_bug.cgi?id=132683

        Reviewed by Geoffrey Garen.

        On Windows, using register GPRInfo::regT0 as parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0),
        results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
        where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
        This causes the register to be written to address 0, hence the crash.

        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit): Ditto.

2014-05-09  Martin Hodovan <mhodovan.u-szeged@partner.samsung.com>

        REGRESSION(r167094): JSC crashes on ARM Traditional
        https://bugs.webkit.org/show_bug.cgi?id=132738

        Reviewed by Zoltan Herczeg.

        PC is two instructions ahead of the current instruction
        on ARM Traditional, so the distance is 8 bytes not 2.

        * llint/LowLevelInterpreter.asm:

2014-05-09  Alberto Garcia  <berto@igalia.com>

        jsmin.py license header confusing, mentions non-free license
        https://bugs.webkit.org/show_bug.cgi?id=123665

        Reviewed by Darin Adler.

        Pull the most recent version from upstream, which has a clear
        license.

        * inspector/scripts/jsmin.py:

2014-05-08  Mark Hahnenberg  <mhahnenberg@apple.com>

        Base case for get-by-id inline cache doesn't check for HasImpureGetOwnPropertySlot
        https://bugs.webkit.org/show_bug.cgi?id=132695

        Reviewed by Filip Pizlo.

        We check in the case where we're accessing something other than the base object (e.g. the prototype),
        but we fail to do so for the base object.

        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        * jsc.cpp: Added some infrastructure to support this test. We don't currently trigger this bug anywhere in WebKit
        because all of the values that are returned that could be impure are set to uncacheable anyways.
        (WTF::ImpureGetter::ImpureGetter):
        (WTF::ImpureGetter::createStructure):
        (WTF::ImpureGetter::create):
        (WTF::ImpureGetter::finishCreation):
        (WTF::ImpureGetter::getOwnPropertySlot):
        (WTF::ImpureGetter::visitChildren):
        (WTF::ImpureGetter::setDelegate):
        (GlobalObject::finishCreation):
        (functionCreateImpureGetter):
        (functionSetImpureGetterDelegate):
        * tests/stress/impure-get-own-property-slot-inline-cache.js: Added.
        (foo):

2014-05-08  Filip Pizlo  <fpizlo@apple.com>

        deleteAllCompiledCode() shouldn't use the suspension worklist
        https://bugs.webkit.org/show_bug.cgi?id=132708

        Reviewed by Mark Hahnenberg.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::isStillValid):
        * heap/Heap.cpp:
        (JSC::Heap::deleteAllCompiledCode):

2014-05-08  Filip Pizlo  <fpizlo@apple.com>

        SSA conversion should delete PhantomLocals for captured variables
        https://bugs.webkit.org/show_bug.cgi?id=132693

        Reviewed by Mark Hahnenberg.

        * dfg/DFGCommon.cpp:
        (JSC::DFG::startCrashing): Parallel JIT and a JIT bug means that we may dump IR in parallel. This is the workaround. This patch uses it in all of the places where we dump IR and crash.
        * dfg/DFGCommon.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): Use the workaround.
        * dfg/DFGLivenessAnalysisPhase.cpp:
        (JSC::DFG::LivenessAnalysisPhase::run): Use the workaround.
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run): Fix the bug - it's true that PhantomLocal for captured variables doesn't need anything done to it, but it's wrong that we didn't delete it outright.
        * dfg/DFGValidate.cpp: Use the workaround.
        * tests/stress/phantom-local-captured-but-not-flushed-to-ssa.js: Added.
        (foo):
        (bar):

2014-05-07  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r168451.
        https://bugs.webkit.org/show_bug.cgi?id=132670

        Not a speed-up, just do what other compilers do. (Requested by
        kling on #webkit).

        Reverted changeset:

        "[X86] Emit BT instruction for single-bit tests."
        https://bugs.webkit.org/show_bug.cgi?id=132650
        http://trac.webkit.org/changeset/168451

2014-05-07  Filip Pizlo  <fpizlo@apple.com>

        Make Executable::clearCode() actually clear all of the entrypoints, and
        clean up some other FTL-related calling convention stuff.
        <rdar://problem/16720172>

        Rubber stamped by Mark Hahnenberg.

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::Worklist):
        (JSC::DFG::Worklist::finishCreation):
        (JSC::DFG::Worklist::create):
        (JSC::DFG::ensureGlobalDFGWorklist):
        (JSC::DFG::ensureGlobalFTLWorklist):
        * dfg/DFGWorklist.h:
        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::dump):
        * heap/CodeBlockSet.h:
        * runtime/Executable.cpp:
        (JSC::ExecutableBase::clearCode):

2014-05-07  Andreas Kling  <akling@apple.com>

        [X86] Emit BT instruction for single-bit tests.
        <https://webkit.org/b/132650>

        Implement test-bit-and-branch slightly more efficiently by using
        BT + JC/JNC instead of TEST + JZ/JNZ when we're only testing for
        a single bit.

        Reviewed by Michael Saboff.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::singleBitIndex):
        (JSC::MacroAssemblerX86Common::branchTest32):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::bt_i8r):
        (JSC::X86Assembler::bt_i8m):

2014-05-07  Mark Lam  <mark.lam@apple.com>
777
778         REGRESSION(r166678): Dromaeo/cssquery-dojo.html crashes regularly.
779         <https://webkit.org/b/131356>
780
781         Reviewed by Geoffrey Garen.
782
783         The issue is that GC needs to be made aware of writes to m_inferredValue
784         in the VariableWatchpointSet, but was not.  As a result, if a JSCell*
785         is written to a VariableWatchpointSet m_inferredValue, and that JSCell
786         does not survive an eden GC shortly after, we will end up with a stale
787         JSCell pointer left in the m_inferredValue.
788
789         This issue can be detected more easily by running Dromaeo/cssquery-dojo.html
790         using DumpRenderTree with the VM heap in zombie mode.
791
792         The fix is to change VariableWatchpointSet m_inferredValue to type
793         WriteBarrier<Unknown> and ensure that VariableWatchpointSet::notifyWrite()
794         is executed by all the execution engines so that the WriteBarrier semantics
795         are honored.
796
797         We still check if the value to be written is the same as the one in the
798         inferredValue.  We'll by-pass calling the slow path notifyWrite() if the
799           values are the same.
800
801         * JavaScriptCore.xcodeproj/project.pbxproj:
802         * bytecode/CodeBlock.cpp:
803         (JSC::CodeBlock::CodeBlock):
804         - need to pass the symbolTable to prepareToWatch() because it will be needed
805           for instantiating the VariableWatchpointSet in prepareToWatch().
806
807         * bytecode/VariableWatchpointSet.h:
808         (JSC::VariableWatchpointSet::VariableWatchpointSet):
809         - VariableWatchpointSet now tracks its owner symbol table for its m_inferredValue
810           write barrier, and yes, m_inferredValue is now of type WriteBarrier<Unknown>.
811         (JSC::VariableWatchpointSet::inferredValue):
812         (JSC::VariableWatchpointSet::invalidate):
813         (JSC::VariableWatchpointSet::finalizeUnconditionally):
814         (JSC::VariableWatchpointSet::addressOfInferredValue):
815         (JSC::VariableWatchpointSet::notifyWrite): Deleted.
816         * bytecode/VariableWatchpointSetInlines.h: Added.
817         (JSC::VariableWatchpointSet::notifyWrite):
818
819         * dfg/DFGByteCodeParser.cpp:
820         (JSC::DFG::ByteCodeParser::cellConstant):
821         - Added an assert in case we try to make constants of zombified JSCells again.
822
823         * dfg/DFGOperations.cpp:
824         * dfg/DFGOperations.h:
825         * dfg/DFGSpeculativeJIT.h:
826         (JSC::DFG::SpeculativeJIT::callOperation):
827         * dfg/DFGSpeculativeJIT32_64.cpp:
828         (JSC::DFG::SpeculativeJIT::compile):
829         * dfg/DFGSpeculativeJIT64.cpp:
830         (JSC::DFG::SpeculativeJIT::compile):
831         - We now let the slow path handle the cases when the VariableWatchpointSet is
832           in state ClearWatchpoint and IsWatched, and the slow path will ensure that
833           we handle the needed write barrier semantics correctly.
834           We will by-pass the slow path if the value being written is the same as the
835           inferred value.
836
837         * ftl/FTLIntrinsicRepository.h:
838         * ftl/FTLLowerDFGToLLVM.cpp:
839         (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
840         - Let the slow path handle the cases when the VariableWatchpointSet is
841           in state ClearWatchpoint and IsWatched.
842           We will by-pass the slow path if the value being written is the same as the
843           inferred value.
844
845         * heap/Heap.cpp:
846         (JSC::Zombify::operator()):
847         - Use a different value for the zombified bits (to distinguish it from 0xbbadbeef
848           which is used everywhere else).
849         * heap/Heap.h:
850         (JSC::Heap::isZombified):
851         - Provide a convenience test function to check if JSCells are zombified.  This is
852           currently only used in an assertion in the DFG bytecode parser, but the intent
853           is that we'll apply this test in other strategic places later to help with early
854           detection of usage of GC'ed objects when we run in zombie mode.
855
856         * jit/JITOpcodes.cpp:
857         (JSC::JIT::emitSlow_op_captured_mov):
858         * jit/JITOperations.h:
859         * jit/JITPropertyAccess.cpp:
860         (JSC::JIT::emitNotifyWrite):
861         * jit/JITPropertyAccess32_64.cpp:
862         (JSC::JIT::emitNotifyWrite):
863         (JSC::JIT::emitSlow_op_put_to_scope):
864         - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
865           is in state ClearWatchpoint and IsWatched.
866           We will by-pass the slow path if the value being written is the same as the
867           inferred value.
868         
869         * llint/LowLevelInterpreter32_64.asm:
870         * llint/LowLevelInterpreter64.asm:
871         - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
872           is in state ClearWatchpoint and IsWatched.
873           We will by-pass the slow path if the value being written is the same as the
874           inferred value.
875         
876         * runtime/CommonSlowPaths.cpp:
877
878         * runtime/JSCJSValue.h: Fixed some typos in the comments.
879         * runtime/JSGlobalObject.cpp:
880         (JSC::JSGlobalObject::addGlobalVar):
881         (JSC::JSGlobalObject::addFunction):
882         * runtime/JSSymbolTableObject.h:
883         (JSC::symbolTablePut):
884         (JSC::symbolTablePutWithAttributes):
885         * runtime/SymbolTable.cpp:
886         (JSC::SymbolTableEntry::prepareToWatch):
887         (JSC::SymbolTableEntry::notifyWriteSlow):
888         * runtime/SymbolTable.h:
889         (JSC::SymbolTableEntry::notifyWrite):
890
891 2014-05-06  Michael Saboff  <msaboff@apple.com>
892
893         Unreviewed build fix for C-LOOP after r168396.
894
895         * runtime/TestRunnerUtils.cpp:
896         (JSC::optimizeNextInvocation): Wrapped actual call inside #if ENABLE(JIT)
897
898 2014-05-06  Michael Saboff  <msaboff@apple.com>
899
900         Add test for deleteAllCompiledCode
901         https://bugs.webkit.org/show_bug.cgi?id=132632
902
903         Reviewed by Phil Pizlo.
904
905         Added two new hooks to jsc, one to call Heap::deleteAllCompiledCode() and
906         the other to call CodeBlock::optimizeNextInvocation().  Used these two hooks
907         to write a test that will queue up loads of DFG compiles and then call
908         Heap::deleteAllCompiledCode() to make sure that it can handle compiled
909         code as well as code being compiled.
910
911         * jsc.cpp:
912         (GlobalObject::finishCreation):
913         (functionDeleteAllCompiledCode):
914         (functionOptimizeNextInvocation):
915         * runtime/TestRunnerUtils.cpp:
916         (JSC::optimizeNextInvocation):
917         * runtime/TestRunnerUtils.h:
918         * tests/stress/deleteAllCompiledCode.js: Added.
919         (functionList):
920         (runTest):
921
922 2014-05-06  Andreas Kling  <akling@apple.com>
923
924         JSString::toAtomicString() should return AtomicString.
925         <https://webkit.org/b/132627>
926
927         Remove premature optimization where I was trying to avoid refcount
928         churn when returning an already atomicized String.
929
930         Instead of using reinterpret_cast to mangle the String member into
931         a const AtomicString& return value, just return AtomicString.
932
933         Reviewed by Geoff Garen.
934
935         * runtime/JSString.h:
936         (JSC::JSString::toAtomicString):
937
938 2014-05-06  Mark Hahnenberg  <mhahnenberg@apple.com>
939
940         Roll out r167889
941
942         Rubber stamped by Geoff Garen.
943
944         It broke some websites.
945
946         * runtime/JSPropertyNameIterator.cpp:
947         (JSC::JSPropertyNameIterator::create):
948         * runtime/PropertyMapHashTable.h:
949         (JSC::PropertyTable::hasDeletedOffset):
950         (JSC::PropertyTable::hadDeletedOffset): Deleted.
951         * runtime/Structure.cpp:
952         (JSC::Structure::Structure):
953         (JSC::Structure::materializePropertyMap):
954         (JSC::Structure::removePropertyTransition):
955         (JSC::Structure::changePrototypeTransition):
956         (JSC::Structure::despecifyFunctionTransition):
957         (JSC::Structure::attributeChangeTransition):
958         (JSC::Structure::toDictionaryTransition):
959         (JSC::Structure::preventExtensionsTransition):
960         (JSC::Structure::addPropertyWithoutTransition):
961         (JSC::Structure::removePropertyWithoutTransition):
962         (JSC::Structure::pin):
963         (JSC::Structure::pinAndPreventTransitions): Deleted.
964         * runtime/Structure.h:
965         * runtime/StructureInlines.h:
966         (JSC::Structure::setEnumerationCache):
967         (JSC::Structure::propertyTable):
968         (JSC::Structure::checkOffsetConsistency):
969         (JSC::Structure::hadDeletedOffsets): Deleted.
970         * tests/stress/for-in-after-delete.js:
971         (foo): Deleted.
972
973 2014-05-05  Andreas Kling  <akling@apple.com>
974
975         Fix debug build.
976
977         * runtime/JSCellInlines.h:
978         (JSC::JSCell::fastGetOwnProperty):
979
980 2014-05-05  Andreas Kling  <akling@apple.com>
981
982         Optimize GetByVal when subscript is a rope string.
983         <https://webkit.org/b/132590>
984
985         Use JSString::toIdentifier() in the various GetByVal implementations
986         to try and avoid allocating extra strings.
987
988         Added canUseFastGetOwnProperty() and wrap calls to fastGetOwnProperty()
989         in that, to avoid calling JSString::value() which always resolves ropes
990         into new strings and de-optimizes subsequent toIdentifier() calls.
991
992         My iMac says ~9% progression on Dromaeo/dom-attr.html
993
994         Reviewed by Phil Pizlo.
995
996         * dfg/DFGOperations.cpp:
997         * jit/JITOperations.cpp:
998         (JSC::getByVal):
999         * llint/LLIntSlowPaths.cpp:
1000         (JSC::LLInt::getByVal):
1001         * runtime/JSCell.h:
1002         * runtime/JSCellInlines.h:
1003         (JSC::JSCell::fastGetOwnProperty):
1004         (JSC::JSCell::canUseFastGetOwnProperty):
1005
1006 2014-05-05  Andreas Kling  <akling@apple.com>
1007
1008         REGRESSION (r168256): ASSERTION FAILED: (buffer + m_length) == position loading vanityfair.com article.
1009         <https://webkit.org/b/168256>
1010         <rdar://problem/16816316>
1011
1012         Make resolveRopeSlowCase8() behave like its 16-bit counterpart and not
1013         clear the fibers. The caller takes care of this.
1014
1015         Test: fast/dom/getElementById-with-rope-string-arg.html
1016
1017         Reviewed by Geoffrey Garen.
1018
1019         * runtime/JSString.cpp:
1020         (JSC::JSRopeString::resolveRopeSlowCase8):
1021
1022 2014-05-05  Michael Saboff  <msaboff@apple.com>
1023
1024         REGRESSION: RELEASE_ASSERT in CodeBlock::baselineVersion @ cnn.com
1025         https://bugs.webkit.org/show_bug.cgi?id=132581
1026
1027         Reviewed by Filip Pizlo.
1028
1029         * dfg/DFGPlan.cpp:
1030         (JSC::DFG::Plan::isStillValid): Check that the alternative codeBlock we
1031         started compiling for is still the same at the end of compilation.
1032         Also did some minor restructuring.
1033
1034 2014-05-05  Andreas Kling  <akling@apple.com>
1035
1036         Optimize PutByVal when subscript is a rope string.
1037         <https://webkit.org/b/132572>
1038
1039         Add a JSString::toIdentifier() that is smarter when the JSString is
1040         really a rope string. Use this in baseline & DFG's PutByVal to avoid
1041         allocating new StringImpls that we immediately deduplicate anyway.
1042
1043         Reviewed by Antti Koivisto.
1044
1045         * dfg/DFGOperations.cpp:
1046         (JSC::DFG::operationPutByValInternal):
1047         * jit/JITOperations.cpp:
1048         * runtime/JSString.h:
1049         (JSC::JSString::toIdentifier):
1050
1051 2014-05-05  Andreas Kling  <akling@apple.com>
1052
1053         Remove two now-incorrect assertions after r168256.
1054
1055         * runtime/JSString.cpp:
1056         (JSC::JSRopeString::resolveRopeSlowCase8):
1057         (JSC::JSRopeString::resolveRopeSlowCase):
1058
1059 2014-05-04  Andreas Kling  <akling@apple.com>
1060
1061         Optimize JSRopeString for resolving directly to AtomicString.
1062         <https://webkit.org/b/132548>
1063
1064         If we know that the JSRopeString we are resolving is going to be used
1065         as an AtomicString, we can try to avoid creating a new string.
1066
1067         We do this by first resolving the rope into a stack buffer, and using
1068         that buffer as a key into the AtomicString table. If there is already
1069         an AtomicString with the same characters, we reuse that instead of
1070         constructing a new StringImpl.
1071
1072         JSString gains these two public functions:
1073
1074         - AtomicString toAtomicString()
1075
1076             Returns an AtomicString, tries to avoid allocating a new string
1077             if possible.
1078
1079         - AtomicStringImpl* toExistingAtomicString()
1080
1081             Returns a non-null AtomicStringImpl* if one already exists in the
1082             AtomicString table. If none is found, the rope is left unresolved.
1083
1084         Reviewed by Filip Pizlo.
1085
1086         * runtime/JSString.cpp:
1087         (JSC::JSRopeString::resolveRopeInternal8):
1088         (JSC::JSRopeString::resolveRopeInternal16):
1089         (JSC::JSRopeString::resolveRopeToAtomicString):
1090         (JSC::JSRopeString::clearFibers):
1091         (JSC::JSRopeString::resolveRopeToExistingAtomicString):
1092         (JSC::JSRopeString::resolveRope):
1093         (JSC::JSRopeString::outOfMemory):
1094         * runtime/JSString.h:
1095         (JSC::JSString::toAtomicString):
1096         (JSC::JSString::toExistingAtomicString):
1097
1098 2014-05-04  Andreas Kling  <akling@apple.com>
1099
1100         Unreviewed, rolling out r168254.
1101
1102         Very crashy on debug JSC tests.
1103
1104         Reverted changeset:
1105
1106         "jsSubstring() should be lazy"
1107         https://bugs.webkit.org/show_bug.cgi?id=132556
1108         http://trac.webkit.org/changeset/168254
1109
1110 2014-05-04  Filip Pizlo  <fpizlo@apple.com>
1111
1112         jsSubstring() should be lazy
1113         https://bugs.webkit.org/show_bug.cgi?id=132556
1114
1115         Reviewed by Andreas Kling.
1116         
1117         jsSubstring() is now lazy by using a special rope that is a substring instead of a
1118         concatenation. To make this patch super simple, we require that a substring's base is
1119         never a rope. Hence, when resolving a rope, we either go down a non-recursive substring
1120         path, or we go down a concatenation path which may see exactly one level of substrings in
1121         its fibers.
1122         
1123         This is up to a 50% speed-up on microbenchmarks and a 10% speed-up on Octane/regexp.
1124
1125         * heap/MarkedBlock.cpp:
1126         (JSC::MarkedBlock::specializedSweep):
1127         * runtime/JSString.cpp:
1128         (JSC::JSRopeString::visitFibers):
1129         (JSC::JSRopeString::resolveRope):
1130         (JSC::JSRopeString::resolveRopeSlowCase8):
1131         (JSC::JSRopeString::resolveRopeSlowCase):
1132         (JSC::JSRopeString::outOfMemory):
1133         * runtime/JSString.h:
1134         (JSC::JSRopeString::finishCreation):
1135         (JSC::JSRopeString::append):
1136         (JSC::JSRopeString::create):
1137         (JSC::JSRopeString::offsetOfFibers):
1138         (JSC::JSRopeString::fiber):
1139         (JSC::JSRopeString::substringBase):
1140         (JSC::JSRopeString::substringOffset):
1141         (JSC::JSRopeString::substringSentinel):
1142         (JSC::JSRopeString::isSubstring):
1143         (JSC::jsSubstring):
1144         * runtime/RegExpMatchesArray.cpp:
1145         (JSC::RegExpMatchesArray::reifyAllProperties):
1146         * runtime/StringPrototype.cpp:
1147         (JSC::stringProtoFuncSubstring):
1148
1149 2014-05-02  Michael Saboff  <msaboff@apple.com>
1150
1151         "arm64 function not 4-byte aligned" warnings when building JSC
1152         https://bugs.webkit.org/show_bug.cgi?id=132495
1153
1154         Reviewed by Geoffrey Garen.
1155
1156         Added ".align 4" for both ARM Thumb2 and ARM 64 to silence the linker.
1157
1158         * llint/LowLevelInterpreter.cpp:
1159
1160 2014-05-02  Mark Hahnenberg  <mhahnenberg@apple.com>
1161
1162         Fix cloop build after r168178
1163
1164         * bytecode/CodeBlock.cpp:
1165
1166 2014-05-01  Mark Hahnenberg  <mhahnenberg@apple.com>
1167
1168         Add a DFG function whitelist
1169         https://bugs.webkit.org/show_bug.cgi?id=132437
1170
1171         Reviewed by Geoffrey Garen.
1172
1173         Oftentimes when debugging, using bytecode ranges isn't enough to narrow down to the
1174         particular DFG block that's causing issues. This patch adds the ability to whitelist
1175         specific functions specified in a file to enable further filtering without having to recompile.
1176
1177         * CMakeLists.txt:
1178         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1179         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1180         * JavaScriptCore.xcodeproj/project.pbxproj:
1181         * dfg/DFGCapabilities.cpp:
1182         (JSC::DFG::isSupported):
1183         (JSC::DFG::mightInlineFunctionForCall):
1184         (JSC::DFG::mightInlineFunctionForClosureCall):
1185         (JSC::DFG::mightInlineFunctionForConstruct):
1186         * dfg/DFGFunctionWhitelist.cpp: Added.
1187         (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
1188         (JSC::DFG::FunctionWhitelist::FunctionWhitelist):
1189         (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
1190         (JSC::DFG::FunctionWhitelist::contains):
1191         * dfg/DFGFunctionWhitelist.h: Added.
1192         * runtime/Options.cpp:
1193         (JSC::parse):
1194         (JSC::Options::dumpOption):
1195         * runtime/Options.h:
1196
1197 2014-05-02  Filip Pizlo  <fpizlo@apple.com>
1198
1199         DFGAbstractInterpreter should not claim Int52 arithmetic creates Int52s
1200         https://bugs.webkit.org/show_bug.cgi?id=132446
1201
1202         Reviewed by Mark Hahnenberg.
1203         
1204         Basically any arithmetic operation can turn an Int52 into an Int32 or vice-versa, and
1205         our modeling of Int52Rep nodes is such that they can have either Int32 or Int52 type
1206         to indicate a bound on the value. This is useful for knowing, for example, that
1207         Int52Rep(Int32:) returns a value that cannot be outside the Int32 range. Also,
1208         ValueRep(Int52Rep:) uses this to determine whether it may return a double or an int.
1209         But this means that all arithmetic operations must be careful to note that they may
1210         turn Int32 inputs into an Int52 output or vice-versa, as these new tests show.
1211
1212         * dfg/DFGAbstractInterpreterInlines.h:
1213         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1214         * dfg/DFGByteCodeParser.cpp:
1215         (JSC::DFG::ByteCodeParser::makeSafe):
1216         * tests/stress/int52-ai-add-then-filter-int32.js: Added.
1217         (foo):
1218         * tests/stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js: Added.
1219         (foo):
1220         * tests/stress/int52-ai-mul-then-filter-int32-directly.js: Added.
1221         (foo):
1222         * tests/stress/int52-ai-mul-then-filter-int32.js: Added.
1223         (foo):
1224         * tests/stress/int52-ai-neg-then-filter-int32.js: Added.
1225         (foo):
1226         * tests/stress/int52-ai-sub-then-filter-int32.js: Added.
1227         (foo):
1228
1229 2014-05-01  Geoffrey Garen  <ggaren@apple.com>
1230
1231         JavaScriptCore fails to build with some versions of clang
1232         https://bugs.webkit.org/show_bug.cgi?id=132436
1233
1234         Reviewed by Anders Carlsson.
1235
1236         * runtime/ArgumentsIteratorConstructor.cpp: Since we call
1237         putDirectWithoutTransition, and it calls putWillGrowOutOfLineStorage,
1238         and both are marked inline, it's valid for the compiler to decide
1239         to inline both and emit neither in the binary. Therefore, we need
1240         both inline definitions to be available in the translation unit at
1241         compile time, or we'll try to link against a function that doesn't exist.
1242
1243 2014-05-01  Commit Queue  <commit-queue@webkit.org>
1244
1245         Unreviewed, rolling out r167964.
1246         https://bugs.webkit.org/show_bug.cgi?id=132431
1247
1248         Memory improvements should not regress memory usage (Requested
1249         by olliej on #webkit).
1250
1251         Reverted changeset:
1252
1253         "Don't hold on to parameter BindingNodes forever"
1254         https://bugs.webkit.org/show_bug.cgi?id=132360
1255         http://trac.webkit.org/changeset/167964
1256
1257 2014-05-01  Filip Pizlo  <fpizlo@apple.com>
1258
1259         Fix trivial debug-only race-that-crashes in CallLinkStatus and explain why the remaining races are totally awesome
1260         https://bugs.webkit.org/show_bug.cgi?id=132427
1261
1262         Reviewed by Mark Hahnenberg.
1263
1264         * bytecode/CallLinkStatus.cpp:
1265         (JSC::CallLinkStatus::computeFor):
1266
1267 2014-04-30  Simon Fraser  <simon.fraser@apple.com>
1268
1269         Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO
1270         https://bugs.webkit.org/show_bug.cgi?id=132396
1271
1272         Reviewed by Eric Carlson.
1273
1274         Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO and related code.
1275
1276         * Configurations/FeatureDefines.xcconfig:
1277
1278 2014-04-30  Filip Pizlo  <fpizlo@apple.com>
1279
1280         Argument flush formats should not be presumed to be JSValue since 'this' is weird
1281         https://bugs.webkit.org/show_bug.cgi?id=132404
1282
1283         Reviewed by Michael Saboff.
1284
1285         * dfg/DFGSpeculativeJIT.cpp:
1286         (JSC::DFG::SpeculativeJIT::compileCurrentBlock): Don't assume that arguments are flushed as JSValue. Use the logic for locals instead.
1287         * dfg/DFGSpeculativeJIT32_64.cpp:
1288         (JSC::DFG::SpeculativeJIT::compile): SetArgument "changes" the format because before this we wouldn't know we had arguments.
1289         * dfg/DFGSpeculativeJIT64.cpp:
1290         (JSC::DFG::SpeculativeJIT::compile): Ditto.
1291         * dfg/DFGValueSource.cpp:
1292         (JSC::DFG::ValueSource::dumpInContext): Make this easier to dump.
1293         * dfg/DFGValueSource.h:
1294         (JSC::DFG::ValueSource::operator!): Make this easier to dump because Operands<T> uses T::operator!().
1295         * ftl/FTLOSREntry.cpp:
1296         (JSC::FTL::prepareOSREntry): This had a useful assertion for everything except 'this'.
1297         * tests/stress/strict-to-this-int.js: Added.
1298         (foo):
1299         (Number.prototype.valueOf):
1300         (test):
1301
1302 2014-04-29  Oliver Hunt  <oliver@apple.com>
1303
1304         Don't hold on to parameterBindingNodes forever
1305         https://bugs.webkit.org/show_bug.cgi?id=132360
1306
1307         Reviewed by Geoffrey Garen.
1308
1309         Don't keep the parameter nodes anymore. Instead we store the
1310         original parameter string and reparse whenever we actually
1311         need them. Because we only actually need them for compilation
1312         this only results in a single extra parse.
1313
1314         * bytecode/UnlinkedCodeBlock.cpp:
1315         (JSC::generateFunctionCodeBlock):
1316         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1317         (JSC::UnlinkedFunctionExecutable::visitChildren):
1318         (JSC::UnlinkedFunctionExecutable::finishCreation):
1319         (JSC::UnlinkedFunctionExecutable::paramString):
1320         (JSC::UnlinkedFunctionExecutable::parameters):
1321         (JSC::UnlinkedFunctionExecutable::parameterCount): Deleted.
1322         * bytecode/UnlinkedCodeBlock.h:
1323         (JSC::UnlinkedFunctionExecutable::create):
1324         (JSC::UnlinkedFunctionExecutable::parameterCount):
1325         (JSC::UnlinkedFunctionExecutable::parameters): Deleted.
1326         (JSC::UnlinkedFunctionExecutable::finishCreation): Deleted.
1327         * parser/ASTBuilder.h:
1328         (JSC::ASTBuilder::ASTBuilder):
1329         (JSC::ASTBuilder::setFunctionBodyParameters):
1330         * parser/Nodes.h:
1331         (JSC::FunctionBodyNode::parametersStartOffset):
1332         (JSC::FunctionBodyNode::parametersEndOffset):
1333         (JSC::FunctionBodyNode::setParameterLocation):
1334         * parser/Parser.cpp:
1335         (JSC::Parser<LexerType>::parseFunctionInfo):
1336         (JSC::parseParameters):
1337         * parser/Parser.h:
1338         (JSC::parse):
1339         * parser/SourceCode.h:
1340         (JSC::SourceCode::subExpression):
1341         * parser/SyntaxChecker.h:
1342         (JSC::SyntaxChecker::setFunctionBodyParameters):
1343
1344 2014-04-29  Mark Hahnenberg  <mhahnenberg@apple.com>
1345
1346         JSProxies should be cacheable
1347         https://bugs.webkit.org/show_bug.cgi?id=132351
1348
1349         Reviewed by Geoffrey Garen.
1350
1351         Whenever we encounter a proxy in an inline cache we should try to cache on the 
1352         proxy's target instead of giving up.
1353
1354         This patch adds support for a simple "recursive" inline cache if the base object
1355         we're accessing is a pure forwarding proxy. JSGlobalObject and its subclasses 
1356         are the only ones to benefit from this right now.
1357
1358         This is performance neutral on the benchmarks we track. Currently we won't
1359         cache on JSDOMWindow due to HasImpureGetOwnPropertySlot, but this issue will be fixed soon.
1360
1361         * jit/Repatch.cpp:
1362         (JSC::generateByIdStub):
1363         (JSC::tryBuildGetByIDList):
1364         (JSC::tryCachePutByID):
1365         (JSC::tryBuildPutByIdList):
1366         * jsc.cpp:
1367         (GlobalObject::finishCreation):
1368         (functionCreateProxy):
1369         * runtime/IntendedStructureChain.cpp:
1370         (JSC::IntendedStructureChain::isNormalized):
1371         * runtime/JSCellInlines.h:
1372         (JSC::JSCell::isProxy):
1373         * runtime/JSGlobalObject.h:
1374         (JSC::JSGlobalObject::finishCreation):
1375         * runtime/JSProxy.h:
1376         (JSC::JSProxy::createStructure):
1377         (JSC::JSProxy::targetOffset):
1378         * runtime/JSType.h:
1379         * runtime/Operations.h:
1380         (JSC::isPrototypeChainNormalized):
1381         * runtime/Structure.h:
1382         (JSC::Structure::isProxy):
1383         * tests/stress/proxy-inline-cache.js: Added.
1384         (cacheOnTarget.getX):
1385         (cacheOnTarget):
1386         (cacheOnPrototypeOfTarget.getX):
1387         (cacheOnPrototypeOfTarget):
1388         (dontCacheOnProxyInPrototypeChain.getX):
1389         (dontCacheOnProxyInPrototypeChain):
1390         (dontCacheOnTargetOfProxyInPrototypeChainOfTarget.getX):
1391         (dontCacheOnTargetOfProxyInPrototypeChainOfTarget):
1392
1393 2014-04-29  Filip Pizlo  <fpizlo@apple.com>
1394
1395         Use LLVM as a backend for the fourth-tier DFG JIT (a.k.a. the FTL JIT)
1396         https://bugs.webkit.org/show_bug.cgi?id=112840
1397
1398         Rubber stamped by Geoffrey Garen.
1399
1400         * Configurations/FeatureDefines.xcconfig:
1401
1402 2014-04-29  Geoffrey Garen  <ggaren@apple.com>
1403
1404         String.prototype.trim removes U+200B from strings.
1405         https://bugs.webkit.org/show_bug.cgi?id=130184
1406
1407         Reviewed by Michael Saboff.
1408
1409         * runtime/StringPrototype.cpp:
1410         (JSC::trimString):
1411         (JSC::isTrimWhitespace): Deleted.
1412
1413 2014-04-29  Mark Lam  <mark.lam@apple.com>
1414
1415         Zombifying sweep should ignore retired blocks.
1416         <https://webkit.org/b/132344>
1417
1418         Reviewed by Mark Hahnenberg.
1419
1420         By definition, retired blocks do not have "dead" objects, or at least
1421         none that we know of yet until the next marking phase has been run
1422         over it.  So, we should not be sweeping them (even for zombie mode).
1423
1424         * heap/Heap.cpp:
1425         (JSC::Heap::zombifyDeadObjects):
1426         * heap/MarkedSpace.cpp:
1427         (JSC::MarkedSpace::zombifySweep):
1428         * heap/MarkedSpace.h:
1429         (JSC::ZombifySweep::operator()):
1430
1431 2014-04-29  Mark Lam  <mark.lam@apple.com>
1432
1433         Fix bit rot in zombie mode heap code.
1434         <https://webkit.org/b/132342>
1435
1436         Reviewed by Mark Hahnenberg.
1437
1438         Need to enter a DelayedReleaseScope before doing a sweep.
1439
1440         * heap/Heap.cpp:
1441         (JSC::Heap::zombifyDeadObjects):
1442
1443 2014-04-29  Tomas Popela  <tpopela@redhat.com>
1444
1445         LLINT loadisFromInstruction doesn't need special case for big endians
1446         https://bugs.webkit.org/show_bug.cgi?id=132330
1447
1448         Reviewed by Mark Lam.
1449
1450         The change introduced in r167076 was wrong. We should not apply the offset
1451         adjustment on loadisFromInstruction usage as the instruction
1452         (UnlinkedInstruction) is declared as an union (i.e. with the int32_t
1453         operand variable). The offset of the other union members will be the
1454         same as the offset of the first one, that is 0. The behavior here is the
1455         same on little and big endian architectures. Thus we don't need
1456         a special case for big endians.
1457
1458         * llint/LowLevelInterpreter.asm:
1459
1460 2014-04-28  Mark Hahnenberg  <mhahnenberg@apple.com>
1461
1462         Simplify tryCacheGetById
1463         https://bugs.webkit.org/show_bug.cgi?id=132314
1464
1465         Reviewed by Oliver Hunt and Filip Pizlo.
1466
1467         This is neutral across all benchmarks we track, although it looks like a wee 0.5% progression on sunspider.
1468
1469         * jit/Repatch.cpp:
1470         (JSC::tryCacheGetByID): If we fail to cache on self, we just repatch to call tryBuildGetByIDList next time.
1471
1472 2014-04-28  Michael Saboff  <msaboff@apple.com>
1473
1474         REGRESSION(r153142) ASSERT from CodeBlock::dumpBytecode dumping String Switch Jump Tables
1475         https://bugs.webkit.org/show_bug.cgi?id=132315
1476
1477         Reviewed by Mark Hahnenberg.
1478
1479         Used the StringImpl version of utf8() instead of creating a String first.
1480
1481         * bytecode/CodeBlock.cpp:
1482         (JSC::CodeBlock::dumpBytecode):
1483
1484 2014-04-28  Filip Pizlo  <fpizlo@apple.com>
1485
1486         The LLInt is awesome and it should get more of the action.
1487
1488         Rubber stamped by Geoffrey Garen.
1489         
1490         5% speed-up on JSBench and no meaningful regressions.  Should be a PLT/DYE speed-up also.
1491
1492         * runtime/Options.h:
1493
1494 2014-04-27  Filip Pizlo  <fpizlo@apple.com>
1495
1496         GC should be able to remove things from the DFG worklist and cancel on-going compilations if it knows that the compilation would already be invalidated
1497         https://bugs.webkit.org/show_bug.cgi?id=132166
1498
1499         Reviewed by Oliver Hunt and Mark Hahnenberg.
1500         
1501         The GC can aid type inference by removing structures that are dead and jettisoning
1502         code that relies on those structures. This can dramatically accelerate type inference
1503         for some tricky programs.
1504         
1505         Unfortunately, we previously pinned any structures that enqueued compilations depended
1506         on. This means that if you're on a machine that only runs a single compilation thread
1507         and where compilations are relatively slow, you have a high chance of large numbers of
1508         structures being pinned during any GC since the compilation queue is likely to be full
1509         of random stuff.
1510         
1511         This comprehensively fixes this issue by allowing the GC to remove compilation plans
1512         if the things they depend on are dead, and to even cancel safepointed compilations.
1513         
1514         * bytecode/CodeBlock.cpp:
1515         (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan):
1516         (JSC::CodeBlock::isKnownToBeLiveDuringGC):
1517         (JSC::CodeBlock::finalizeUnconditionally):
1518         * bytecode/CodeBlock.h:
1519         (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan): Deleted.
1520         * dfg/DFGDesiredIdentifiers.cpp:
1521         (JSC::DFG::DesiredIdentifiers::DesiredIdentifiers):
1522         * dfg/DFGDesiredIdentifiers.h:
1523         * dfg/DFGDesiredWatchpoints.h:
1524         * dfg/DFGDesiredWeakReferences.cpp:
1525         (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
1526         * dfg/DFGDesiredWeakReferences.h:
1527         * dfg/DFGGraphSafepoint.cpp:
1528         (JSC::DFG::GraphSafepoint::GraphSafepoint):
1529         * dfg/DFGGraphSafepoint.h:
1530         * dfg/DFGPlan.cpp:
1531         (JSC::DFG::Plan::Plan):
1532         (JSC::DFG::Plan::compileInThread):
1533         (JSC::DFG::Plan::compileInThreadImpl):
1534         (JSC::DFG::Plan::notifyCompiling):
1535         (JSC::DFG::Plan::notifyCompiled):
1536         (JSC::DFG::Plan::notifyReady):
1537         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
1538         (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
1539         (JSC::DFG::Plan::cancel):
1540         (JSC::DFG::Plan::visitChildren): Deleted.
1541         * dfg/DFGPlan.h:
1542         * dfg/DFGSafepoint.cpp:
1543         (JSC::DFG::Safepoint::Result::~Result):
1544         (JSC::DFG::Safepoint::Result::didGetCancelled):
1545         (JSC::DFG::Safepoint::Safepoint):
1546         (JSC::DFG::Safepoint::~Safepoint):
1547         (JSC::DFG::Safepoint::checkLivenessAndVisitChildren):
1548         (JSC::DFG::Safepoint::isKnownToBeLiveDuringGC):
1549         (JSC::DFG::Safepoint::cancel):
1550         (JSC::DFG::Safepoint::visitChildren): Deleted.
1551         * dfg/DFGSafepoint.h:
1552         (JSC::DFG::Safepoint::Result::Result):
1553         * dfg/DFGWorklist.cpp:
1554         (JSC::DFG::Worklist::compilationState):
1555         (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
1556         (JSC::DFG::Worklist::removeAllReadyPlansForVM):
1557         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
1558         (JSC::DFG::Worklist::visitWeakReferences):
1559         (JSC::DFG::Worklist::removeDeadPlans):
1560         (JSC::DFG::Worklist::runThread):
1561         (JSC::DFG::Worklist::visitChildren): Deleted.
1562         * dfg/DFGWorklist.h:
1563         * ftl/FTLCompile.cpp:
1564         (JSC::FTL::compile):
1565         * ftl/FTLCompile.h:
1566         * heap/CodeBlockSet.cpp:
1567         (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks):
1568         * heap/Heap.cpp:
1569         (JSC::Heap::markRoots):
1570         (JSC::Heap::visitCompilerWorklistWeakReferences):
1571         (JSC::Heap::removeDeadCompilerWorklistEntries):
1572         (JSC::Heap::visitWeakHandles):
1573         (JSC::Heap::collect):
1574         (JSC::Heap::visitCompilerWorklists): Deleted.
1575         * heap/Heap.h:
1576
1577 2014-04-28  Mark Hahnenberg  <mhahnenberg@apple.com>
1578
1579         Deleting properties poisons objects
1580         https://bugs.webkit.org/show_bug.cgi?id=131551
1581
1582         Reviewed by Oliver Hunt.
1583
1584         This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.
1585
1586         * runtime/JSPropertyNameIterator.cpp:
1587         (JSC::JSPropertyNameIterator::create):
1588         * runtime/PropertyMapHashTable.h:
1589         (JSC::PropertyTable::hasDeletedOffset):
1590         (JSC::PropertyTable::hadDeletedOffset): If we ever had deleted properties we can no longer cache offsets when 
1591         iterating properties because we're required to iterate properties in insertion order.
1592         * runtime/Structure.cpp:
1593         (JSC::Structure::Structure):
1594         (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
1595         (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of 
1596         Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache 
1597         delete transitions, but we allow transitioning from them.
1598         (JSC::Structure::changePrototypeTransition):
1599         (JSC::Structure::despecifyFunctionTransition):
1600         (JSC::Structure::attributeChangeTransition):
1601         (JSC::Structure::toDictionaryTransition):
1602         (JSC::Structure::preventExtensionsTransition):
1603         (JSC::Structure::addPropertyWithoutTransition):
1604         (JSC::Structure::removePropertyWithoutTransition):
1605         (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
1606         (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
1607         * runtime/Structure.h:
1608         * runtime/StructureInlines.h:
1609         (JSC::Structure::setEnumerationCache):
1610         (JSC::Structure::hadDeletedOffsets):
1611         (JSC::Structure::propertyTable):
1612         (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.
1613         * tests/stress/for-in-after-delete.js: Added.
1614         (foo):
1615
1616 2014-04-25  Andreas Kling  <akling@apple.com>
1617
1618         Inline (C++) GetByVal with numeric indices more aggressively.
1619         <https://webkit.org/b/132218>
1620
1621         We were already inlining the string indexed GetByVal path pretty well,
1622         while the path for numeric indices got neglected. No more!
1623
1624         ~9.5% improvement on Dromaeo/dom-traverse.html on my MBP:
1625
1626             Before: 199.50 runs/s
1627              After: 218.58 runs/s
1628
1629         Reviewed by Phil Pizlo.
1630
1631         * dfg/DFGOperations.cpp:
1632         * runtime/JSCJSValueInlines.h:
1633         (JSC::JSValue::get):
1634
1635             ALWAYS_INLINE all the things.
1636
1637         * runtime/JSObject.h:
1638         (JSC::JSObject::getPropertySlot):
1639
1640             Avoid fetching the Structure more than once. We have the same
1641             optimization in the string-indexed code path.
1642
1643 2014-04-25  Oliver Hunt  <oliver@apple.com>
1644
1645         Need earlier cell test
1646         https://bugs.webkit.org/show_bug.cgi?id=132211
1647
1648         Reviewed by Mark Lam.
1649
1650         Move cell test to before the function call repatch
1651         location, as the repatch logic for 32bit assumes that the
1652         caller will already have performed a cell check.
1653
1654         * jit/JITCall32_64.cpp:
1655         (JSC::JIT::compileOpCall):
1656
1657 2014-04-25  Andreas Kling  <akling@apple.com>
1658
1659         Un-fast-allocate JSGlobalObjectRareData because Windows doesn't build and I'm not in the mood.
1660
1661         * runtime/JSGlobalObject.h:
1662         (JSC::JSGlobalObject::JSGlobalObjectRareData::JSGlobalObjectRareData):
1663         (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData): Deleted.
1664
1665 2014-04-25  Andreas Kling  <akling@apple.com>
1666
1667         Windows build fix attempt.
1668
1669         * runtime/JSGlobalObject.h:
1670         (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData):
1671
1672 2014-04-25  Mark Lam  <mark.lam@apple.com>
1673
1674         Refactor debugging code to use BreakpointActions instead of Vector<ScriptBreakpointAction>.
1675         <https://webkit.org/b/132201>
1676
1677         Reviewed by Joseph Pecoraro.
1678
1679         BreakpointActions is Vector<ScriptBreakpointAction>.  Let's just consistently use
1680         BreakpointActions everywhere.
1681
1682         * inspector/ScriptBreakpoint.h:
1683         (Inspector::ScriptBreakpoint::ScriptBreakpoint):
1684         * inspector/ScriptDebugServer.cpp:
1685         (Inspector::ScriptDebugServer::setBreakpoint):
1686         (Inspector::ScriptDebugServer::getActionsForBreakpoint):
1687         * inspector/ScriptDebugServer.h:
1688         * inspector/agents/InspectorDebuggerAgent.cpp:
1689         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
1690         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
1691         (Inspector::InspectorDebuggerAgent::setBreakpoint):
1692         (Inspector::InspectorDebuggerAgent::removeBreakpoint):
1693         * inspector/agents/InspectorDebuggerAgent.h:
1694
1695 2014-04-24  Filip Pizlo  <fpizlo@apple.com>
1696
1697         DFG worklist scanning should not treat the key as a separate entity
1698         https://bugs.webkit.org/show_bug.cgi?id=132167
1699
1700         Reviewed by Mark Hahnenberg.
1701         
1702         This simplifies the interface to the GC and will enable more optimizations.
1703
1704         * dfg/DFGCompilationKey.cpp:
1705         (JSC::DFG::CompilationKey::visitChildren): Deleted.
1706         * dfg/DFGCompilationKey.h:
1707         * dfg/DFGPlan.cpp:
1708         (JSC::DFG::Plan::visitChildren):
1709         * dfg/DFGWorklist.cpp:
1710         (JSC::DFG::Worklist::visitChildren):
1711
1712 2014-04-25  Oliver Hunt  <oliver@apple.com>
1713
1714         Remove unused parameter from codeblock linking function
1715         https://bugs.webkit.org/show_bug.cgi?id=132199
1716
1717         Reviewed by Anders Carlsson.
1718
1719         No change in behaviour. This is just a small change to make it
1720         slightly easier to reason about what the offsets in UnlinkedFunctionExecutable
1721         actually mean.
1722
1723         * bytecode/UnlinkedCodeBlock.cpp:
1724         (JSC::UnlinkedFunctionExecutable::link):
1725         * bytecode/UnlinkedCodeBlock.h:
1726         * runtime/Executable.cpp:
1727         (JSC::ProgramExecutable::initializeGlobalProperties):
1728
1729 2014-04-25  Andreas Kling  <akling@apple.com>
1730
1731         Mark some things with WTF_MAKE_FAST_ALLOCATED.
1732         <https://webkit.org/b/132198>
1733
1734         Use FastMalloc for more things.
1735
1736         Reviewed by Anders Carlsson.
1737
1738         * builtins/BuiltinExecutables.h:
1739         * heap/GCThreadSharedData.h:
1740         * inspector/JSConsoleClient.h:
1741         * inspector/agents/InspectorAgent.h:
1742         * runtime/CodeCache.h:
1743         * runtime/JSGlobalObject.h:
1744         * runtime/Lookup.cpp:
1745         (JSC::HashTable::createTable):
1746         (JSC::HashTable::deleteTable):
1747         * runtime/WeakGCMap.h:
1748
1749 2014-04-25  Antoine Quint  <graouts@webkit.org>
1750
1751         Implement Array.prototype.find()
1752         https://bugs.webkit.org/show_bug.cgi?id=130966
1753
1754         Reviewed by Oliver Hunt.
1755
1756         Implement Array.prototype.find() and Array.prototype.findIndex() as proposed in the Harmony spec.
1757
1758         * builtins/Array.prototype.js:
1759         (find):
1760         (findIndex):
1761         * runtime/ArrayPrototype.cpp:
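
Added example (not the project's builtins/Array.prototype.js that this entry adds): a spec-shaped find and findIndex written as standalone JavaScript functions so the Harmony semantics can be exercised: the predicate receives (element, index, object) plus an optional thisArg, every index below ToLength(length) is visited (holes are read as undefined rather than skipped, unlike forEach or indexOf), a non-callable predicate throws a TypeError, and any array-like object works. The names toLength, prepare, arrayFindIndex, arrayFind and visitedIndices are chosen for this example.

```javascript
// Added example, not JavaScriptCore's Array.prototype.js.
// ES ToLength: NaN and negatives clamp to 0, large values to 2^53 - 1.
function toLength(value) {
  const n = Number(value);
  if (Number.isNaN(n) || n <= 0) return 0;
  return Math.min(Math.floor(n), Number.MAX_SAFE_INTEGER);
}

// Shared argument validation: reject null/undefined receivers and
// non-callable predicates before touching any element.
function prepare(arrayLike, predicate) {
  if (arrayLike === null || arrayLike === undefined) {
    throw new TypeError('find/findIndex called on null or undefined');
  }
  if (typeof predicate !== 'function') {
    throw new TypeError('predicate must be a function');
  }
  const o = Object(arrayLike);
  return { o, len: toLength(o.length) };
}

// Array.prototype.findIndex semantics, with the array passed explicitly.
function arrayFindIndex(arrayLike, predicate, thisArg) {
  const { o, len } = prepare(arrayLike, predicate);
  for (let k = 0; k < len; k++) {
    // A hole reads as undefined and is still handed to the predicate.
    const value = o[k];
    if (predicate.call(thisArg, value, k, o)) return k;
  }
  return -1;
}

// Array.prototype.find semantics: the first matching element, else undefined.
function arrayFind(arrayLike, predicate, thisArg) {
  const { o, len } = prepare(arrayLike, predicate);
  for (let k = 0; k < len; k++) {
    const value = o[k];
    if (predicate.call(thisArg, value, k, o)) return value;
  }
  return undefined;
}

// Records which indices the predicate saw; for a sparse array this shows that
// holes are visited, whereas forEach would skip them.
function visitedIndices(arrayLike) {
  const seen = [];
  arrayFindIndex(arrayLike, (_value, index) => {
    seen.push(index);
    return false;
  });
  return seen;
}
```

The hole-visiting behaviour is the part most implementations get wrong when they reuse an existing forEach or indexOf loop; comparing `visitedIndices` against the native `findIndex` on a sparse array catches that immediately.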
1762
1763 2014-04-24  Brady Eidson  <beidson@apple.com>
1764
1765         Rename "IMAGE_CONTROLS" feature to "SERVICE_CONTROLS"
1766         https://bugs.webkit.org/show_bug.cgi?id=132155
1767
1768         Reviewed by Tim Horton.
1769
1770         * Configurations/FeatureDefines.xcconfig:
1771
1772 2014-04-24  Michael Saboff  <msaboff@apple.com>
1773
1774         REGRESSION: Apparent hang of PCE.js Mac OS System 7.0.1 on ARM64 devices
1775         https://bugs.webkit.org/show_bug.cgi?id=132147
1776
1777         Reviewed by Mark Lam.
1778
1779         Fixed or64(), eor32() and eor64() to use "src" register when we have a valid logicalImm.
1780
1781         * assembler/MacroAssemblerARM64.h:
1782         (JSC::MacroAssemblerARM64::or64):
1783         (JSC::MacroAssemblerARM64::xor32):
1784         (JSC::MacroAssemblerARM64::xor64):
1785         * tests/stress/regress-132147.js: Added test.
1786
1787 2014-04-24  Mark Lam  <mark.lam@apple.com>
1788
1789         Make slowPathAllocsBetweenGCs a runtime option.
1790         <https://webkit.org/b/132137>
1791
1792         Reviewed by Mark Hahnenberg.
1793
1794         This will make it easier to more casually run tests with this configuration
1795         as well as to reproduce issues (instead of requiring a code mod and rebuild).
1796         We will now take --slowPathAllocsBetweenGCs=N where N is the number of
1797         slow path allocations before we trigger a collection.
1798
1799         The option defaults to 0, which is reserved to mean that we will not trigger
1800         any collections there.
1801
1802         * heap/Heap.h:
1803         * heap/MarkedAllocator.cpp:
1804         (JSC::MarkedAllocator::doTestCollectionsIfNeeded):
1805         (JSC::MarkedAllocator::allocateSlowCase):
1806         * heap/MarkedAllocator.h:
1807         * runtime/Options.h:
1808
1809 2014-04-23  Mark Lam  <mark.lam@apple.com>
1810
1811         The GC should only resume compiler threads that it suspended in the same GC pass.
1812         <https://webkit.org/b/132088>
1813
1814         Reviewed by Mark Hahnenberg.
1815
1816         Previously, this scenario could occur:
1817         1. Thread 1 starts a GC and tries to suspend DFG worklist threads.  However,
1818            no worklists were created yet at that time.
1819         2. Thread 2 starts to compile some functions and creates a DFG worklist, and
1820            acquires the worklist thread's lock.
1821         3. Thread 1's GC completes and tries to resume suspended DFG worklist thread.
1822            This time, it sees the worklist created by Thread 2 and ends up unlocking
1823            the worklist thread's lock that is supposedly held by Thread 2.
1824         Thereafter, chaos ensues.
1825
1826         The fix is to cache the worklists that were actually suspended by each GC pass,
1827         and only resume those when the GC is done.
1828
1829         This issue was discovered by enabling COLLECT_ON_EVERY_ALLOCATION and running
1830         the fast/workers layout tests.
1831
1832         * heap/Heap.cpp:
1833         (JSC::Heap::visitCompilerWorklists):
1834         (JSC::Heap::deleteAllCompiledCode):
1835         (JSC::Heap::suspendCompilerThreads):
1836         (JSC::Heap::resumeCompilerThreads):
1837         * heap/Heap.h:
1838
1839 2014-04-23  Mark Hahnenberg  <mhahnenberg@apple.com>
1840
1841         Arguments::copyBackingStore needs to update m_registers in tandem with m_registerArray
1842         https://bugs.webkit.org/show_bug.cgi?id=132079
1843
1844         Reviewed by Michael Saboff.
1845
1846         Since we're moving the register backing store, we don't want to leave a dangling pointer into a random CopiedBlock.
1847
1848         Also added a test that previously triggered this bug.
1849
1850         * runtime/Arguments.cpp:
1851         (JSC::Arguments::copyBackingStore): D'oh!
1852         * tests/stress/arguments-copy-register-array-backing-store.js: Added.
1853         (foo):
1854         (bar):
1855
1856 2014-04-23  Mark Rowe  <mrowe@apple.com>
1857
1858         [Mac] REGRESSION (r164823): Building JavaScriptCore creates files under /tmp/JavaScriptCore.dst
1859         <https://webkit.org/b/132053>
1860
1861         Reviewed by Dan Bernstein.
1862
1863         * JavaScriptCore.xcodeproj/project.pbxproj: Don't try to create a symlink at /usr/local/bin/jsc inside
1864         the DSTROOT unless we're building to the deployment location. Also remove the unnecessary -x argument
1865         from /bin/sh since that generates unnecessary output.
1866
1867 2014-04-22  Mark Lam  <mark.lam@apple.com>
1868
1869         DFG::Worklist should acquire the m_lock before iterating DFG plans.
1870         <https://webkit.org/b/132032>
1871
1872         Reviewed by Filip Pizlo.
1873
1874         Currently, there's a rightToRun mechanism that ensures that no compilation
1875         threads are running when the GC is iterating through the DFG worklists.
1876         However, this does not prevent a Worker thread from doing a DFG compilation
1877         and modifying the plans in the worklists thereby invalidating the plan
1878         iterator that the GC is using.  This patch fixes the issue by acquiring
1879         the worklist m_lock before iterating the worklist plans.
1880
1881         This issue was uncovered by running the fast/workers layout tests with
1882         COLLECT_ON_EVERY_ALLOCATION enabled.
1883
1884         * dfg/DFGWorklist.cpp:
1885         (JSC::DFG::Worklist::isActiveForVM):
1886         (JSC::DFG::Worklist::visitChildren):
1887
1888 2014-04-22  Brent Fulgham  <bfulgham@apple.com>
1889
1890         [Win] Support Python 2.7 in Cygwin
1891         https://bugs.webkit.org/show_bug.cgi?id=132023
1892
1893         Reviewed by Michael Saboff.
1894
1895         * DerivedSources.make: Use a conditional variable to define
1896         the path to Python/Perl.
1897
1898 2014-04-22  Filip Pizlo  <fpizlo@apple.com>
1899
1900         Switch the LLVMForJSC target to using the LLVM in /usr/local rather than /usr/local/LLVMForJavaScriptCore on iOS
1901         https://bugs.webkit.org/show_bug.cgi?id=130867
1902         <rdar://problem/16432456> 
1903
1904         Reviewed by Mark Hahnenberg.
1905
1906         * Configurations/Base.xcconfig:
1907         * Configurations/LLVMForJSC.xcconfig:
1908
1909 2014-04-22  Alex Christensen  <achristensen@webkit.org>
1910
1911         [Win] Unreviewed build fix after my r167666.
1912
1913         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
1914         Added ../../../ again to include headers in Source/JavaScriptCore.
1915
1916 2014-04-22  Alex Christensen  <achristensen@webkit.org>
1917
1918         Removed old stdbool and inttypes headers.
1919         https://bugs.webkit.org/show_bug.cgi?id=131966
1920
1921         Reviewed by Brent Fulgham.
1922
1923         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
1924         * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
1925         Removed references to os-win32 directory.
1926         * os-win32: Removed.
1927         * os-win32/inttypes.h: Removed.
1928         * os-win32/stdbool.h: Removed.
1929
1930 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
1931
1932         DFG::clobberize() should honestly admit that profiler and debugger nodes are effectful
1933         https://bugs.webkit.org/show_bug.cgi?id=131971
1934         <rdar://problem/16676511>
1935
1936         Reviewed by Mark Lam.
1937
1938         * dfg/DFGClobberize.h:
1939         (JSC::DFG::clobberize):
1940
1941 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
1942
1943         Switch statements that skip the baseline JIT should work
1944         https://bugs.webkit.org/show_bug.cgi?id=131965
1945
1946         Reviewed by Mark Hahnenberg.
1947
1948         * bytecode/JumpTable.h:
1949         (JSC::SimpleJumpTable::ensureCTITable):
1950         * dfg/DFGSpeculativeJIT.cpp:
1951         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1952         * jit/JITOpcodes.cpp:
1953         (JSC::JIT::emit_op_switch_imm):
1954         (JSC::JIT::emit_op_switch_char):
1955         * jit/JITOpcodes32_64.cpp:
1956         (JSC::JIT::emit_op_switch_imm):
1957         (JSC::JIT::emit_op_switch_char):
1958         * tests/stress/inline-llint-with-switch.js: Added.
1959         (foo):
1960         (bar):
1961         (test):
1962
1963 2014-04-21  Mark Hahnenberg  <mhahnenberg@apple.com>
1964
1965         Arguments objects shouldn't need a destructor
1966         https://bugs.webkit.org/show_bug.cgi?id=131899
1967
1968         Reviewed by Oliver Hunt.
1969
1970         This patch rids Arguments objects of their destructors. It does this by 
1971         switching their backing stores to use CopiedSpace rather than malloc memory.
1972
1973         * dfg/DFGSpeculativeJIT.cpp:
1974         (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Fix the code emitted for inline
1975         Arguments allocation so that it only emits an extra write for strict mode code rather
1976         than unconditionally.
1977         * heap/CopyToken.h: New CopyTokens for the two different types of Arguments backing stores.
1978         * runtime/Arguments.cpp:
1979         (JSC::Arguments::visitChildren): We need to tell the collector to copy the backing stores now.
1980         (JSC::Arguments::copyBackingStore): Do the actual copying of the backing stores.
1981         (JSC::Arguments::deletePropertyByIndex): Update all the accesses to SlowArgumentData and m_registerArray.
1982         (JSC::Arguments::deleteProperty):
1983         (JSC::Arguments::defineOwnProperty):
1984         (JSC::Arguments::allocateRegisterArray):
1985         (JSC::Arguments::tearOff):
1986         (JSC::Arguments::destroy): Deleted. We don't need the destructor any more.
1987         * runtime/Arguments.h:
1988         (JSC::Arguments::registerArraySizeInBytes):
1989         (JSC::Arguments::SlowArgumentData::SlowArgumentData): Switch SlowArgumentData to being allocated
1990         in CopiedSpace. Now the SlowArgumentData and its backing store are a single contiguous CopiedSpace
1991         allocation.
1992         (JSC::Arguments::SlowArgumentData::slowArguments):
1993         (JSC::Arguments::SlowArgumentData::bytecodeToMachineCaptureOffset):
1994         (JSC::Arguments::SlowArgumentData::setBytecodeToMachineCaptureOffset):
1995         (JSC::Arguments::SlowArgumentData::sizeForNumArguments):
1996         (JSC::Arguments::Arguments):
1997         (JSC::Arguments::allocateSlowArguments):
1998         (JSC::Arguments::tryDeleteArgument):
1999         (JSC::Arguments::isDeletedArgument):
2000         (JSC::Arguments::isArgument):
2001         (JSC::Arguments::argument):
2002         (JSC::Arguments::finishCreation):
2003         * runtime/SymbolTable.h:
2004
2005 2014-04-21  Eric Carlson  <eric.carlson@apple.com>
2006
2007         [Mac] implement WebKitDataCue
2008         https://bugs.webkit.org/show_bug.cgi?id=131799
2009
2010         Reviewed by Dean Jackson.
2011
2012         * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE.
2013
2014 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
2015
2016         Unreviewed test gardening, run the repeat-out-of-bounds tests again.
2017
2018         * tests/stress/float32-repeat-out-of-bounds.js:
2019         * tests/stress/int8-repeat-out-of-bounds.js:
2020
2021 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
2022
2023         OSR exit should know about Int52 and Double constants
2024         https://bugs.webkit.org/show_bug.cgi?id=131945
2025
2026         Reviewed by Oliver Hunt.
2027         
2028         The DFG OSR exit machinery's ignorance would lead to some constants becoming
2029         jsUndefined() after OSR exit.
2030         
2031         The FTL OSR exit machinery's ignorance just meant that we would sometimes use a
2032         stackmap constant rather than baking the constant into the OSRExit data structure.
2033         So, not a big deal, but worth fixing.
2034         
2035         Also added some helpful hacks to jsc.cpp for testing such OSR exit pathologies.
2036
2037         * dfg/DFGByteCodeParser.cpp:
2038         (JSC::DFG::ByteCodeParser::handleIntrinsic):
2039         * dfg/DFGMinifiedNode.h:
2040         (JSC::DFG::belongsInMinifiedGraph):
2041         (JSC::DFG::MinifiedNode::hasConstantNumber):
2042         * ftl/FTLLowerDFGToLLVM.cpp:
2043         (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
2044         * jsc.cpp:
2045         (GlobalObject::finishCreation):
2046         (functionOtherFalse):
2047         (functionUndefined):
2048         * runtime/Intrinsic.h:
2049         * tests/stress/fold-to-double-constant-then-exit.js: Added.
2050         (foo):
2051         * tests/stress/fold-to-int52-constant-then-exit.js: Added.
2052         (foo):
2053
2054 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
2055
2056         Provide feedback when we encounter an unrecognized node in the FTL backend.
2057
2058         Rubber stamped by Alexey Proskuryakov.
2059
2060         * ftl/FTLLowerDFGToLLVM.cpp:
2061         (JSC::FTL::LowerDFGToLLVM::compileNode):
2062
2063 2014-04-21  Andreas Kling  <akling@apple.com>
2064
2065         Move the JSString cache from DOMWrapperWorld to VM.
2066         <https://webkit.org/b/131940>
2067
2068         Reviewed by Geoff Garen.
2069
2070         * runtime/VM.h:
2071
2072 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
2073
2074         Take block execution count estimates into account when voting double
2075         https://bugs.webkit.org/show_bug.cgi?id=131906
2076
2077         Reviewed by Geoffrey Garen.
2078         
2079         This was a drama in three acts.
2080         
2081         Act I: Slurp in BasicBlock::executionCount and use it as a weight when counting the
2082             number of uses of a variable that want double or non-double. Easy as pie. This
2083             gave me a huge speed-up on FloatMM and a huge slow-down on basically everything
2084             else.
2085         
2086         Act II: Realize that there were some programs where our previous double voting was
2087             just on the edge of disaster and making it more precise tipped it over. In
2088             particular, if you had an integer variable that would infrequently be used in a
2089             computation that resulted in a variable that was frequently used as an array index,
2090             the outer infrequentness would be the thing we'd use in the vote. So, an array
2091             index would become double. We fix this by reviving global backwards propagation
2092             and introducing the concept of ReallyWantsInt, which is used just for array
2093             indices. Any variable transitively flagged as ReallyWantsInt will never be forced
2094             double. We need that flag to be separate from UsedAsInt, since UsedAsInt needs to
2095             be set in bitops for RageConversion but using it for double forcing is too much.
2096             Basically, it's cheaper to have to convert a double to an int for a bitop than it
2097             is to convert a double to an int for an array index; also a variable being used as
2098             an array index is a much stronger hint that it ought to be an int. This recovered
2099             performance on everything except programs that used FTL OSR entry.
2100         
2101         Act III: Realize that OSR entrypoint creation creates blocks that have NaN execution
2102             count, which then completely pollutes the weighting - essentially all votes go
2103             NaN. Fix this with some surgical defenses. Basically, any client of execution
2104             counts should allow for them to be NaN and shouldn't completely fall off a cliff
2105             when it happens.
2106         
2107         This is awesome. 75% speed-up on FloatMM. 11% speed-up on audio-dft. This leads to
2108         7% speed-up on AsmBench and 2% speed-up on Kraken.
2109
2110         * CMakeLists.txt:
2111         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2112         * JavaScriptCore.xcodeproj/project.pbxproj:
2113         * dfg/DFGBackwardsPropagationPhase.cpp:
2114         (JSC::DFG::BackwardsPropagationPhase::run):
2115         (JSC::DFG::BackwardsPropagationPhase::propagate):
2116         * dfg/DFGGraph.cpp:
2117         (JSC::DFG::Graph::dumpBlockHeader):
2118         * dfg/DFGGraph.h:
2119         (JSC::DFG::Graph::voteNode):
2120         (JSC::DFG::Graph::voteChildren):
2121         * dfg/DFGNodeFlags.cpp:
2122         (JSC::DFG::dumpNodeFlags):
2123         * dfg/DFGNodeFlags.h:
2124         * dfg/DFGOSREntrypointCreationPhase.cpp:
2125         (JSC::DFG::OSREntrypointCreationPhase::run):
2126         * dfg/DFGPlan.cpp:
2127         (JSC::DFG::Plan::compileInThreadImpl):
2128         * dfg/DFGPredictionPropagationPhase.cpp:
2129         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
2130         (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
2131         * dfg/DFGVariableAccessData.cpp: Added.
2132         (JSC::DFG::VariableAccessData::VariableAccessData):
2133         (JSC::DFG::VariableAccessData::mergeIsCaptured):
2134         (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox):
2135         (JSC::DFG::VariableAccessData::predict):
2136         (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction):
2137         (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
2138         (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):
2139         (JSC::DFG::VariableAccessData::mergeDoubleFormatState):
2140         (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
2141         (JSC::DFG::VariableAccessData::flushFormat):
2142         * dfg/DFGVariableAccessData.h:
2143         (JSC::DFG::VariableAccessData::vote):
2144         (JSC::DFG::VariableAccessData::VariableAccessData): Deleted.
2145         (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted.
2146         (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox): Deleted.
2147         (JSC::DFG::VariableAccessData::predict): Deleted.
2148         (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction): Deleted.
2149         (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote): Deleted.
2150         (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat): Deleted.
2151         (JSC::DFG::VariableAccessData::mergeDoubleFormatState): Deleted.
2152         (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat): Deleted.
2153         (JSC::DFG::VariableAccessData::flushFormat): Deleted.
2154
2155 2014-04-21  Michael Saboff  <msaboff@apple.com>
2156
2157         REGRESSION(r167591): ARM64 and ARM traditional builds broken
2158         https://bugs.webkit.org/show_bug.cgi?id=131935
2159
2160         Reviewed by Mark Hahnenberg.
2161
2162         Added store8(TrustedImm32, MacroAssembler::Address) to the ARM traditional and ARM64
2163         macro assemblers.  Added a new test for the original patch.
2164
2165         * assembler/MacroAssemblerARM.h:
2166         (JSC::MacroAssemblerARM::store8):
2167         * assembler/MacroAssemblerARM64.h:
2168         (JSC::MacroAssemblerARM64::store8):
2169         * tests/stress/dfg-create-arguments-inline-alloc.js: New test.
2170
2171 2014-04-21  Mark Hahnenberg  <mhahnenberg@apple.com>
2172
2173         Inline allocate Arguments objects in the DFG
2174         https://bugs.webkit.org/show_bug.cgi?id=131897
2175
2176         Reviewed by Geoffrey Garen.
2177
2178         Many libraries/frameworks depend on the arguments object for overloaded API entry points. 
2179         This is the first step to making Arguments fast(er). We'll duplicate the logic in Arguments::create 
2180         for now and take the slow path for complicated cases like slow arguments, tearing off for strict mode, etc.
2181
2182         * dfg/DFGSpeculativeJIT.cpp:
2183         (JSC::DFG::SpeculativeJIT::emitAllocateArguments):
2184         * dfg/DFGSpeculativeJIT.h:
2185         (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
2186         * dfg/DFGSpeculativeJIT32_64.cpp:
2187         (JSC::DFG::SpeculativeJIT::compile):
2188         * dfg/DFGSpeculativeJIT64.cpp:
2189         (JSC::DFG::SpeculativeJIT::compile):
2190         * runtime/Arguments.h:
2191         (JSC::Arguments::offsetOfActivation):
2192         (JSC::Arguments::offsetOfOverrodeLength):
2193         (JSC::Arguments::offsetOfIsStrictMode):
2194         (JSC::Arguments::offsetOfRegisterArray):
2195         (JSC::Arguments::offsetOfCallee):
2196         (JSC::Arguments::allocationSize):
2197
2198 2014-04-20  Andreas Kling  <akling@apple.com>
2199
2200         Speed up jsStringWithCache() through WeakGCMap inlining.
2201         <https://webkit.org/b/131923>
2202
2203         Always inline WeakGCMap::add() but move the slow garbage collecting
2204         path out-of-line.
2205
2206         Reviewed by Darin Adler.
2207
2208         * runtime/WeakGCMap.h:
2209         (JSC::WeakGCMap::add):
2210         (JSC::WeakGCMap::gcMap):
2211
2212 2014-04-20  László Langó  <llango.u-szeged@partner.samsung.com>
2213
2214         JavaScriptCore: ARM build fix after r167094.
2215         https://bugs.webkit.org/show_bug.cgi?id=131612
2216
2217         Reviewed by Michael Saboff.
2218
2219         After r167094 there are many build errors on ARM like these:
2220
2221             /tmp/ccgtHRno.s:370: Error: invalid constant (425a) after fixup
2222             /tmp/ccgtHRno.s:374: Error: invalid constant (426e) after fixup
2223             /tmp/ccgtHRno.s:378: Error: invalid constant (4282) after fixup
2224             /tmp/ccgtHRno.s:382: Error: invalid constant (4296) after fixup
2225
2226         Problem is caused by the wrong generated assembly like:
2227             "\tmov r2, (" LOCAL_LABEL_STRING(llint_op_strcat) " - " LOCAL_LABEL_STRING(relativePCBase) ")\n" // /home/webkit/WebKit/Source/JavaScriptCore/llint/LowLevelInterpreter.asm:741
2228
2229         `mov` can only move an 8-bit immediate, but not every constant fits into 8 bits. Clang converts
2230         the mov to a single movw or a movw and a movt, depending on the immediate, but binutils doesn't.
2231         Add a new ARM-specific offline assembler instruction (`mvlbl`) for the following llint_entry
2232         use case: move rn, (label1-label2), which is translated to movw and movt.
2233
2234         * llint/LowLevelInterpreter.asm:
2235         * offlineasm/arm.rb:
2236         * offlineasm/instructions.rb:
2237
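The encodability limit described in the entry above, shown as an added example that is not part of WebKit's offline assembler or of binutils: a C check for whether a 32-bit constant fits the A32 rotated 8-bit immediate form that a plain `mov` accepts, and which `movw`/`movt` sequence is needed otherwise. The assembler can only decide this once a label difference has been resolved, which is why the build error surfaces "after fixup". The function names, the simplified selection policy and the constructed sample constants (including 0x425a from the error output above) are this example's own assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not WebKit code). Models the A32 "modified immediate":
 * an 8-bit value rotated right by an even amount in 0..30. A constant is
 * encodable in a plain `mov rn, #imm` only if some such rotation yields it. */
bool arm_mov_imm_encodable(uint32_t v)
{
    for (unsigned rot = 0; rot < 32; rot += 2) {
        /* Rotating left by `rot` undoes a right rotation by `rot`. */
        uint32_t undone = rot ? ((v << rot) | (v >> (32 - rot))) : v;
        if (undone <= 0xFFu)
            return true;
    }
    return false;
}

/* How a constant can be materialised in a register. This is an assumed,
 * simplified policy for illustration, not the choice GNU as, Clang or the
 * offline assembler actually makes. */
enum arm_imm_form { ARM_IMM_MOV, ARM_IMM_MOVW, ARM_IMM_MOVW_MOVT };

enum arm_imm_form arm_imm_form_for(uint32_t v)
{
    if (arm_mov_imm_encodable(v))
        return ARM_IMM_MOV;        /* single `mov rn, #imm`              */
    if (v <= 0xFFFFu)
        return ARM_IMM_MOVW;       /* `movw rn, #imm16` (ARMv6T2 and up) */
    return ARM_IMM_MOVW_MOVT;      /* `movw` low half, then `movt` high  */
}

/* The 16-bit halves that `movw` and `movt` take for a full 32-bit constant. */
uint16_t arm_movw_half(uint32_t v) { return (uint16_t)(v & 0xFFFFu); }
uint16_t arm_movt_half(uint32_t v) { return (uint16_t)(v >> 16); }

static const char *form_name(enum arm_imm_form f)
{
    switch (f) {
    case ARM_IMM_MOV:       return "mov";
    case ARM_IMM_MOVW:      return "movw";
    default:                return "movw+movt";
    }
}

int main(void)
{
    /* Constructed samples; 0x425a and 0x426e are the values from the build error. */
    const uint32_t samples[] = { 0x425au, 0x426eu, 0xffu, 0xff000000u, 0xC000003Fu, 0x12345678u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t v = samples[i];
        printf("0x%08x: %-9s (movw #0x%04x, movt #0x%04x)\n", v,
               form_name(arm_imm_form_for(v)), arm_movw_half(v), arm_movt_half(v));
    }
    return 0;
}
```

0x425a spans bits 1 through 14, so no even rotation folds it into 8 bits; it fits `movw` but never a plain `mov`, which matches the error for every constant listed.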
2238 2014-04-20  Csaba Osztrogonác  <ossy@webkit.org>
2239
2240         [ARM] Unreviewed build fix after r167336.
2241
2242         * assembler/MacroAssemblerARM.h:
2243         (JSC::MacroAssemblerARM::branchAdd32):
2244
2245 2014-04-20  Commit Queue  <commit-queue@webkit.org>
2246
2247         Unreviewed, rolling out r167501.
2248         https://bugs.webkit.org/show_bug.cgi?id=131913
2249
2250         It broke DYEBench (Requested by mhahnenberg on #webkit).
2251
2252         Reverted changeset:
2253
2254         "Deleting properties poisons objects"
2255         https://bugs.webkit.org/show_bug.cgi?id=131551
2256         http://trac.webkit.org/changeset/167501
2257
2258 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
2259
2260         It should be OK to store new fields into objects that have no prototypes
2261         https://bugs.webkit.org/show_bug.cgi?id=131905
2262
2263         Reviewed by Mark Hahnenberg.
2264
2265         * dfg/DFGByteCodeParser.cpp:
2266         (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
2267         * tests/stress/put-by-id-transition-null-prototype.js: Added.
2268         (foo):
2269
2270 2014-04-19  Benjamin Poulain  <bpoulain@apple.com>
2271
2272         Make the CSS JIT compile for ARM64
2273         https://bugs.webkit.org/show_bug.cgi?id=131834
2274
2275         Reviewed by Gavin Barraclough.
2276
2277         Extend the ARM64 MacroAssembler to support the code generation required by
2278         the CSS JIT.
2279
2280         * assembler/MacroAssembler.h:
2281         * assembler/MacroAssemblerARM64.h:
2282         (JSC::MacroAssemblerARM64::addPtrNoFlags):
2283         (JSC::MacroAssemblerARM64::or32):
2284         (JSC::MacroAssemblerARM64::branchPtr):
2285         (JSC::MacroAssemblerARM64::test32):
2286         (JSC::MacroAssemblerARM64::branch):
2287         * assembler/MacroAssemblerX86Common.h:
2288         (JSC::MacroAssemblerX86Common::test32):
2289
2290 2014-04-19  Andreas Kling  <akling@apple.com>
2291
2292         Two little shortcuts to the JSType.
2293         <https://webkit.org/b/131896>
2294
2295         Tweak two sites that take the long road through JSCell::structure()->typeInfo()
2296         to look at data that's already in JSCell::type().
2297
2298         Reviewed by Darin Adler.
2299
2300         * runtime/NameInstance.h:
2301         (JSC::isName):
2302         * runtime/NumberPrototype.cpp:
2303         (JSC::toThisNumber):
2304
2305 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
2306
2307         Make it easier to check if an integer sum would overflow
2308         https://bugs.webkit.org/show_bug.cgi?id=131900
2309
2310         Reviewed by Darin Adler.
2311
2312         * dfg/DFGOperations.cpp:
2313         * runtime/Operations.h:
2314         (JSC::jsString):
2315
2316 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
2317
2318         Address some feedback on https://bugs.webkit.org/show_bug.cgi?id=130684.
2319
2320         * dfg/DFGOperations.cpp:
2321         * runtime/JSString.h:
2322         (JSC::JSRopeString::RopeBuilder::append):
2323
2324 2014-04-18  Mark Lam  <mark.lam@apple.com>
2325
2326         REGRESSION(r164205): WebKit crash @StructureIDTable::get.
2327         <https://webkit.org/b/130539>
2328
2329         Reviewed by Geoffrey Garen.
2330
2331         prepareOSREntry() prepares for OSR entry by first copying the local var
2332         values from the baseline frame to a scratch buffer, which is then used
2333         to fill in the locals in their new position in the DFG frame.  Unfortunately,
2334         prepareOSREntry() was using the DFG frame's frameRegisterCount as the frame
2335         size of the baseline frame.  As a result, some values of locals in the
2336         baseline frame were not saved off, and the DFG frame may get initialized
2337         with random content that happened to be in the uninitialized (and possibly
2338         unallocated) portions of the scratch buffer.
2339
2340         The fix is to use OSREntryData::m_expectedValues.numberOfLocals() as the
2341         number of locals in the baseline frame that we want to copy to the scratch
2342         buffer.
2343
2344         Note: osrEntryThunkGenerator() is expecting the DFG frameRegisterCount
2345         at offset 0 in the scratch buffer.  So, we continue to write that value
2346         there, not the baseline frame size.
2347
2348         * dfg/DFGOSREntry.cpp:
2349         (JSC::DFG::prepareOSREntry):
2350
2351 2014-04-18  Timothy Hatcher  <timothy@apple.com>
2352
2353         Web Inspector: Move InspectorProfilerAgent to JavaScriptCore
2354         https://bugs.webkit.org/show_bug.cgi?id=131673
2355
2356         Passes existing profiler and inspector tests.
2357
2358         Reviewed by Joseph Pecoraro.
2359
2360         * CMakeLists.txt:
2361         * DerivedSources.make:
2362         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2363         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2364         * JavaScriptCore.xcodeproj/project.pbxproj:
2365         * inspector/JSConsoleClient.cpp:
2366         (Inspector::JSConsoleClient::JSConsoleClient):
2367         (Inspector::JSConsoleClient::profile):
2368         (Inspector::JSConsoleClient::profileEnd):
2369         (Inspector::JSConsoleClient::count): Deleted.
2370         * inspector/JSConsoleClient.h:
2371         * inspector/JSGlobalObjectInspectorController.cpp:
2372         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2373         * inspector/agents/InspectorProfilerAgent.cpp: Added.
2374         (Inspector::InspectorProfilerAgent::InspectorProfilerAgent):
2375         (Inspector::InspectorProfilerAgent::~InspectorProfilerAgent):
2376         (Inspector::InspectorProfilerAgent::addProfile):
2377         (Inspector::InspectorProfilerAgent::createProfileHeader):
2378         (Inspector::InspectorProfilerAgent::enable):
2379         (Inspector::InspectorProfilerAgent::disable):
2380         (Inspector::InspectorProfilerAgent::getUserInitiatedProfileName):
2381         (Inspector::InspectorProfilerAgent::getProfileHeaders):
2382         (Inspector::buildInspectorObject):
2383         (Inspector::InspectorProfilerAgent::buildProfileInspectorObject):
2384         (Inspector::InspectorProfilerAgent::getCPUProfile):
2385         (Inspector::InspectorProfilerAgent::removeProfile):
2386         (Inspector::InspectorProfilerAgent::reset):
2387         (Inspector::InspectorProfilerAgent::didCreateFrontendAndBackend):
2388         (Inspector::InspectorProfilerAgent::willDestroyFrontendAndBackend):
2389         (Inspector::InspectorProfilerAgent::start):
2390         (Inspector::InspectorProfilerAgent::stop):
2391         (Inspector::InspectorProfilerAgent::setRecordingProfile):
2392         (Inspector::InspectorProfilerAgent::startProfiling):
2393         (Inspector::InspectorProfilerAgent::stopProfiling):
2394         * inspector/agents/InspectorProfilerAgent.h: Added.
2395         * inspector/agents/JSGlobalObjectProfilerAgent.cpp: Copied from Source/WebCore/inspector/ScriptProfile.idl.
2396         (Inspector::JSGlobalObjectProfilerAgent::JSGlobalObjectProfilerAgent):
2397         (Inspector::JSGlobalObjectProfilerAgent::profilingGlobalExecState):
2398         * inspector/agents/JSGlobalObjectProfilerAgent.h: Copied from Source/WebCore/inspector/ScriptProfile.idl.
2399         * inspector/protocol/Profiler.json: Renamed from Source/WebCore/inspector/protocol/Profiler.json.
2400         * profiler/Profile.h:
2401         * runtime/ConsoleClient.h:
2402
2403 2014-04-18  Commit Queue  <commit-queue@webkit.org>
2404
2405         Unreviewed, rolling out r167527.
2406         https://bugs.webkit.org/show_bug.cgi?id=131883
2407
2408         Broke 32-bit build (Requested by ap on #webkit).
2409
2410         Reverted changeset:
2411
2412         "[Mac] implement WebKitDataCue"
2413         https://bugs.webkit.org/show_bug.cgi?id=131799
2414         http://trac.webkit.org/changeset/167527
2415
2416 2014-04-18  Eric Carlson  <eric.carlson@apple.com>
2417
2418         [Mac] implement WebKitDataCue
2419         https://bugs.webkit.org/show_bug.cgi?id=131799
2420
2421         Reviewed by Dean Jackson.
2422
2423         * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE.
2424
2425 2014-04-18  Filip Pizlo  <fpizlo@apple.com>
2426
2427         Actually address Mark's review feedback.
2428
2429         * dfg/DFGOSRExitCompilerCommon.cpp:
2430         (JSC::DFG::handleExitCounts):
2431
2432 2014-04-18  Filip Pizlo  <fpizlo@apple.com>
2433
2434         Options::maximumExecutionCountsBetweenCheckpoints() should be higher for DFG->FTL tier-up but the same for other tier-ups
2435         https://bugs.webkit.org/show_bug.cgi?id=131850
2436
2437         Reviewed by Mark Hahnenberg.
2438         
2439         Templatize ExecutionCounter to allow for two different styles of calculating the
2440         checkpoint threshold.
2441         
2442         Appears to be a slight speed-up on DYEBench.
2443
2444         * bytecode/CodeBlock.h:
2445         (JSC::CodeBlock::llintExecuteCounter):
2446         (JSC::CodeBlock::offsetOfJITExecuteCounter):
2447         (JSC::CodeBlock::offsetOfJITExecutionActiveThreshold):
2448         (JSC::CodeBlock::offsetOfJITExecutionTotalCount):
2449         (JSC::CodeBlock::jitExecuteCounter):
2450         * bytecode/ExecutionCounter.cpp:
2451         (JSC::ExecutionCounter<countingVariant>::ExecutionCounter):
2452         (JSC::ExecutionCounter<countingVariant>::forceSlowPathConcurrently):
2453         (JSC::ExecutionCounter<countingVariant>::checkIfThresholdCrossedAndSet):
2454         (JSC::ExecutionCounter<countingVariant>::setNewThreshold):
2455         (JSC::ExecutionCounter<countingVariant>::deferIndefinitely):
2456         (JSC::applyMemoryUsageHeuristics):
2457         (JSC::applyMemoryUsageHeuristicsAndConvertToInt):
2458         (JSC::ExecutionCounter<countingVariant>::hasCrossedThreshold):
2459         (JSC::ExecutionCounter<countingVariant>::setThreshold):
2460         (JSC::ExecutionCounter<countingVariant>::reset):
2461         (JSC::ExecutionCounter<countingVariant>::dump):
2462         (JSC::ExecutionCounter::ExecutionCounter): Deleted.
2463         (JSC::ExecutionCounter::forceSlowPathConcurrently): Deleted.
2464         (JSC::ExecutionCounter::checkIfThresholdCrossedAndSet): Deleted.
2465         (JSC::ExecutionCounter::setNewThreshold): Deleted.
2466         (JSC::ExecutionCounter::deferIndefinitely): Deleted.
2467         (JSC::ExecutionCounter::applyMemoryUsageHeuristics): Deleted.
2468         (JSC::ExecutionCounter::applyMemoryUsageHeuristicsAndConvertToInt): Deleted.
2469         (JSC::ExecutionCounter::hasCrossedThreshold): Deleted.
2470         (JSC::ExecutionCounter::setThreshold): Deleted.
2471         (JSC::ExecutionCounter::reset): Deleted.
2472         (JSC::ExecutionCounter::dump): Deleted.
2473         * bytecode/ExecutionCounter.h:
2474         (JSC::formattedTotalExecutionCount):
2475         (JSC::ExecutionCounter::maximumExecutionCountsBetweenCheckpoints):
2476         (JSC::ExecutionCounter::clippedThreshold):
2477         (JSC::ExecutionCounter::formattedTotalCount): Deleted.
2478         * dfg/DFGJITCode.h:
2479         * dfg/DFGOSRExitCompilerCommon.cpp:
2480         (JSC::DFG::handleExitCounts):
2481         * llint/LowLevelInterpreter.asm:
2482         * runtime/Options.h:
2483
2484 2014-04-17  Mark Hahnenberg  <mhahnenberg@apple.com>
2485
2486         Deleting properties poisons objects
2487         https://bugs.webkit.org/show_bug.cgi?id=131551
2488
2489         Reviewed by Geoffrey Garen.
2490
2491         This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.
2492
2493         * runtime/Structure.cpp:
2494         (JSC::Structure::Structure):
2495         (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
2496         (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of 
2497         Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache 
2498         delete transitions, but we allow transitioning from them.
2499         (JSC::Structure::changePrototypeTransition):
2500         (JSC::Structure::despecifyFunctionTransition):
2501         (JSC::Structure::attributeChangeTransition):
2502         (JSC::Structure::toDictionaryTransition):
2503         (JSC::Structure::preventExtensionsTransition):
2504         (JSC::Structure::addPropertyWithoutTransition):
2505         (JSC::Structure::removePropertyWithoutTransition):
2506         (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
2507         (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
2508         * runtime/Structure.h:
2509         * runtime/StructureInlines.h:
2510         (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.
2511
2512 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
2513
2514         InlineCallFrameSet should be refcounted
2515         https://bugs.webkit.org/show_bug.cgi?id=131829
2516
2517         Reviewed by Geoffrey Garen.
2518         
2519         And DFG::Plan should hold a ref to it. Previously it was owned by Graph until it
2520         became owned by JITCode. Except that if we're "failing" to compile, JITCode may die.
2521         Even as it dies, the GC may still want to scan the DFG::Plan, which leads to scanning
2522         the DesiredWriteBarriers, which leads to scanning the InlineCallFrameSet.
2523         
2524         So, just make the darn thing refcounted.
2525
2526         * bytecode/InlineCallFrameSet.h:
2527         * dfg/DFGArgumentsSimplificationPhase.cpp:
2528         (JSC::DFG::ArgumentsSimplificationPhase::run):
2529         * dfg/DFGByteCodeParser.cpp:
2530         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2531         * dfg/DFGCommonData.h:
2532         * dfg/DFGGraph.cpp:
2533         (JSC::DFG::Graph::Graph):
2534         (JSC::DFG::Graph::requiredRegisterCountForExit):
2535         * dfg/DFGGraph.h:
2536         * dfg/DFGJITCompiler.cpp:
2537         (JSC::DFG::JITCompiler::link):
2538         * dfg/DFGPlan.cpp:
2539         (JSC::DFG::Plan::Plan):
2540         * dfg/DFGPlan.h:
2541         * dfg/DFGStackLayoutPhase.cpp:
2542         (JSC::DFG::StackLayoutPhase::run):
2543         * ftl/FTLFail.cpp:
2544         (JSC::FTL::fail):
2545         * ftl/FTLLink.cpp:
2546         (JSC::FTL::link):
2547
2548 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
2549
2550         FTL::fail() should manage memory "correctly"
2551         https://bugs.webkit.org/show_bug.cgi?id=131823
2552         <rdar://problem/16384297>
2553
2554         Reviewed by Oliver Hunt.
2555
2556         * ftl/FTLFail.cpp:
2557         (JSC::FTL::fail):
2558
2559 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
2560
2561         Prediction propagator should correctly model Int52s flowing through arguments
2562         https://bugs.webkit.org/show_bug.cgi?id=131822
2563         <rdar://problem/16641408>
2564
2565         Reviewed by Oliver Hunt.
2566
2567         * dfg/DFGPredictionPropagationPhase.cpp:
2568         (JSC::DFG::PredictionPropagationPhase::propagate):
2569         * tests/stress/int52-argument.js: Added.
2570         (foo):
2571         * tests/stress/int52-variable.js: Added.
2572         (foo):
2573
2574 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
2575
2576         REGRESSION: ASSERT(!typeInfo().hasImpureGetOwnPropertySlot() || typeInfo().newImpurePropertyFiresWatchpoints()) on jquery tests
2577         https://bugs.webkit.org/show_bug.cgi?id=131798
2578
2579         Reviewed by Alexey Proskuryakov.
2580         
2581         Some day, we will fix https://bugs.webkit.org/show_bug.cgi?id=131810 and some version
2582         of this assertion can return. For now, it's not clear that the assertion is guarding
2583         any truly undesirable behavior - so it should just go away and be replaced with a
2584         FIXME.
2585
2586         * bytecode/GetByIdStatus.cpp:
2587         (JSC::GetByIdStatus::computeForStubInfo):
2588         * runtime/Structure.h:
2589         (JSC::Structure::takesSlowPathInDFGForImpureProperty):
2590
2591 2014-04-17  David Kilzer  <ddkilzer@apple.com>
2592
2593         Blind attempt to fix Windows build after r166837
2594         <http://webkit.org/b/131246>
2595
2596         Hoping to fix this build error:
2597
2598             warning MSB8027: Two or more files with the name of GCLogging.cpp will produce outputs to the same location. This can lead to an incorrect build result.  The files involved are ..\heap\GCLogging.cpp, ..\heap\GCLogging.cpp.
2599
2600         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Fix copy-paste
2601         boo-boo by changing the GCLogging.cpp ClCompile entry to a
2602         GCLogging.h ClInclude entry.
2603
2604 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
2605
2606         AI for GetLocal should match the DFG backend, and in this case, the best way to do that is to get rid of the "exit if empty prediction" thing since it's a vestige of a time long gone
2607         https://bugs.webkit.org/show_bug.cgi?id=131764
2608
2609         Reviewed by Geoffrey Garen.
2610         
2611         The attached test case can be made to not crash by deleting old code. It used to be
2612         the case that the DFG needed empty prediction guards, for shady reasons. We fixed that
2613         long ago. At this point, these guards just make life difficult. So get rid of them.
2614
2615         * dfg/DFGAbstractInterpreterInlines.h:
2616         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2617         * dfg/DFGSpeculativeJIT32_64.cpp:
2618         (JSC::DFG::SpeculativeJIT::compile):
2619         * dfg/DFGSpeculativeJIT64.cpp:
2620         (JSC::DFG::SpeculativeJIT::compile):
2621         * tests/stress/bug-131764.js: Added.
2622         (test1):
2623         (test2):
2624
2625 2014-04-17  Darin Adler  <darin@apple.com>
2626
2627         Add separate flag for IndexedDatabase in workers since the current implementation is not threadsafe
2628         https://bugs.webkit.org/show_bug.cgi?id=131785
2629         rdar://problem/16003108
2630
2631         Reviewed by Brady Eidson.
2632
2633         * Configurations/FeatureDefines.xcconfig: Added INDEXED_DATABASE_IN_WORKERS.
2634
2635 2014-04-16  Alexey Proskuryakov  <ap@apple.com>
2636
2637         Build fix after http://trac.webkit.org/changeset/167416 (Sink NaN sanitization)
2638
2639         * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::speculate):
2640
2641 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
2642
2643         Extra error reporting for invalid value conversions
2644         https://bugs.webkit.org/show_bug.cgi?id=131786
2645
2646         Rubber stamped by Ryosuke Niwa.
2647
2648         * dfg/DFGFixupPhase.cpp:
2649         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
2650
2651 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
2652
2653         Sink NaN sanitization to uses and remove it when it's unnecessary
2654         https://bugs.webkit.org/show_bug.cgi?id=131419
2655
2656         Reviewed by Oliver Hunt.
2657         
2658         This moves NaN purification to stores that could see an impure NaN.
2659         
2660         5% speed-up on AsmBench, 50% speed-up on AsmBench/n-body. It is a regression on FloatMM
2661         though, because of the other bug that causes that benchmark to box doubles in a loop.
2662
2663         * bytecode/SpeculatedType.h:
2664         (JSC::isInt32SpeculationForArithmetic):
2665         (JSC::isMachineIntSpeculationForArithmetic):
2666         (JSC::isDoubleSpeculation):
2667         (JSC::isDoubleSpeculationForArithmetic):
2668         * dfg/DFGAbstractInterpreterInlines.h:
2669         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2670         * dfg/DFGAbstractValue.cpp:
2671         (JSC::DFG::AbstractValue::fixTypeForRepresentation):
2672         * dfg/DFGFixupPhase.cpp:
2673         (JSC::DFG::FixupPhase::fixupNode):
2674         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
2675         * dfg/DFGInPlaceAbstractState.cpp:
2676         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
2677         * dfg/DFGPredictionPropagationPhase.cpp:
2678         (JSC::DFG::PredictionPropagationPhase::propagate):
2679         * dfg/DFGSpeculativeJIT.cpp:
2680         (JSC::DFG::SpeculativeJIT::compileValueRep):
2681         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
2682         * dfg/DFGUseKind.h:
2683         (JSC::DFG::typeFilterFor):
2684         * ftl/FTLLowerDFGToLLVM.cpp:
2685         (JSC::FTL::LowerDFGToLLVM::compileValueRep):
2686         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2687         * runtime/PureNaN.h:
2688         * tests/stress/float32-array-nan-inlined.js: Added.
2689         (foo):
2690         (test):
2691         * tests/stress/float32-array-nan.js: Added.
2692         (foo):
2693         (test):
2694         * tests/stress/float64-array-nan-inlined.js: Added.
2695         (foo):
2696         (isBigEndian):
2697         (test):
2698         * tests/stress/float64-array-nan.js: Added.
2699         (foo):
2700         (isBigEndian):
2701         (test):
2702
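The hazard behind the NaN purification work in the entry above (and in the "Discern between NaNs" entry it builds on), shown as an added example that is not JavaScriptCore's code: a toy 64-bit NaN-boxing model in C in which doubles are tagged by adding 2^48. The layout, the helper names and the constructed impure-NaN sample are assumptions of this example, modelled on the idea of the JSC scheme but not copied from it. It shows why a NaN whose raw bits have the top 16 bits set wraps into the pointer tag range if boxed as-is, and how a purifyNaN-style canonicalisation before tagging removes that type confusion while leaving every non-NaN double untouched.

```c
#include <math.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not JSC code. Assumed toy encoding of a 64-bit boxed value:
 *   top 16 bits 0x0000           -> pointer (raw address)
 *   top 16 bits 0x0001 .. 0xFFFE -> double, stored as raw bits + 2^48
 *   top 16 bits 0xFFFF           -> reserved for other tagged immediates
 * A double whose raw bits already have the top 16 bits set wraps past 2^64
 * when the offset is added and lands in the pointer range. Only NaNs can
 * carry such bit patterns (sign set, exponent all ones, top mantissa bits
 * set), so NaNs must be canonicalised before they are boxed. */
#define DOUBLE_ENCODE_OFFSET ((uint64_t)1 << 48)
#define PURE_NAN_BITS        0x7ff8000000000000ULL /* the canonical quiet NaN */

static uint64_t bits_of(double d)   { uint64_t b; memcpy(&b, &d, sizeof b); return b; }
static double   double_of(uint64_t b) { double d; memcpy(&d, &b, sizeof d); return d; }

double pure_nan(void) { return double_of(PURE_NAN_BITS); }

/* Canonicalise every NaN to the pure one; non-NaN values pass through unchanged. */
double purify_nan(double d) { return d != d ? pure_nan() : d; }

bool is_pure_nan(double d) { return bits_of(d) == PURE_NAN_BITS; }

/* Unsafe path: tag the raw bits without purification. */
uint64_t box_double_unchecked(double d) { return bits_of(d) + DOUBLE_ENCODE_OFFSET; }

/* Safe path: purify first, then tag. */
uint64_t box_double(double d) { return box_double_unchecked(purify_nan(d)); }

bool boxed_is_pointer(uint64_t v) { return (v >> 48) == 0x0000; }
bool boxed_is_double(uint64_t v)
{
    uint16_t tag = (uint16_t)(v >> 48);
    return tag != 0x0000 && tag != 0xFFFF;
}

double unbox_double(uint64_t v) { return double_of(v - DOUBLE_ENCODE_OFFSET); }

/* Constructed sample: a NaN that is "impure" for this layout. Bit patterns
 * like this can come straight from memory, e.g. a Float64Array element, which
 * is the situation the typed-array tests listed in the entry exercise. */
double impure_nan_sample(void) { return double_of(0xFFFF000012345678ULL); }

int main(void)
{
    double nan = impure_nan_sample();
    uint64_t raw = box_double_unchecked(nan);
    uint64_t safe = box_double(nan);
    printf("impure NaN bits      : 0x%016llx (isnan=%d)\n", (unsigned long long)bits_of(nan), isnan(nan));
    printf("boxed without purify : 0x%016llx -> looks like pointer: %d\n", (unsigned long long)raw, boxed_is_pointer(raw));
    printf("boxed after purify   : 0x%016llx -> double: %d, pure NaN on unbox: %d\n",
           (unsigned long long)safe, boxed_is_double(safe), is_pure_nan(unbox_double(safe)));
    return 0;
}
```

The sink-to-uses optimisation in the entry is sound only because every store that could observe an impure NaN still goes through the purify step; a store that skipped it would hand the unchecked encoding above to the rest of the runtime.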
2703 2014-04-16  Brent Fulgham  <bfulgham@apple.com>
2704
2705         [Win] Unreviewed Windows gardening. Restrict our new 'isinf' check
2706         to 32-bit builds, and revise the comment to explain what we are
2707         doing.
2708
2709         * runtime/JSCJSValueInlines.h:
2710         (JSC::JSValue::isMachineInt): Provide motivation for the new
2711         'isinf' check for our 32-bit code path.
2712
2713 2014-04-16  Juergen Ributzka  <juergen@apple.com>
2714
2715         Allocate the data section on the heap again for FTL on ARM64
2716         https://bugs.webkit.org/show_bug.cgi?id=130156
2717
2718         Reviewed by Geoffrey Garen and Filip Pizlo.
2719
2720         * ftl/FTLCompile.cpp:
2721         (JSC::FTL::mmAllocateDataSection):
2722         * ftl/FTLDataSection.cpp:
2723         (JSC::FTL::DataSection::DataSection):
2724         (JSC::FTL::DataSection::~DataSection):
2725         * ftl/FTLDataSection.h:
2726
2727 2014-04-16  Mark Lam  <mark.lam@apple.com>
2728
2729         Crash in CodeBlock::setOptimizationThresholdBasedOnCompilationResult() when the debugger activates.
2730         <https://webkit.org/b/131747>
2731
2732         Reviewed by Filip Pizlo.
2733
2734         When the debugger is about to activate (e.g. enter stepping mode), it first
2735         waits for all DFG compilations to complete.  However, when the DFG completes,
2736         if compilation is successful, it will install a new DFG codeBlock.  The
2737         CodeBlock installation process is required to register codeBlocks with the
2738         debugger.  Debugger::registerCodeBlock() will eventually call
2739         CodeBlock::setSteppingMode() which may jettison the DFG codeBlock that we're
2740         trying to install.  Thereafter, chaos ensues.
2741
2742         This jettisoning only happens because the debugger currently sets its
2743         m_steppingMode flag before waiting for compilation to complete.  The fix is
2744         simply to set that flag only after compilation is complete.
2745
2746         * debugger/Debugger.cpp:
2747         (JSC::Debugger::setSteppingMode):
2748         (JSC::Debugger::registerCodeBlock):
2749
2750 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
2751
2752         Discern between NaNs that would be safe to tag and NaNs that need some purification before tagging
2753         https://bugs.webkit.org/show_bug.cgi?id=131420
2754
2755         Reviewed by Oliver Hunt.
2756         
2757         Rationalizes our handling of NaNs. We now have the notion of pureNaN(), or PNaN, which
2758         replaces QNaN and represents a "safe" NaN for our tagging purposes. NaN purification now
2759         goes through the purifyNaN() API.
2760         
2761         SpeculatedType and its clients can now distinguish between a PureNaN and an ImpureNaN.
2762         
2763         Prediction propagator is made slightly more cautious when dealing with NaNs. It doesn't
2764         have to be too cautious since most prediction-based logic only cares about whether or not
2765         a value could be an integer.
2766         
2767         AI is made much more cautious when dealing with NaNs. We don't yet introduce ImpureNaN
2768         anywhere in the compiler, but when we do, we ought to be able to trust AI to propagate it
2769         soundly and precisely.
2770         
2771         No performance change because this just unblocks
2772         https://bugs.webkit.org/show_bug.cgi?id=131419.
2773
2774         * API/JSValueRef.cpp:
2775         (JSValueMakeNumber):
2776         (JSValueToNumber):
2777         * JavaScriptCore.xcodeproj/project.pbxproj:
2778         * bytecode/SpeculatedType.cpp:
2779         (JSC::dumpSpeculation):
2780         (JSC::speculationFromValue):
2781         (JSC::typeOfDoubleSum):
2782         (JSC::typeOfDoubleDifference):
2783         (JSC::typeOfDoubleProduct):
2784         (JSC::polluteDouble):
2785         (JSC::typeOfDoubleQuotient):
2786         (JSC::typeOfDoubleMinMax):
2787         (JSC::typeOfDoubleNegation):
2788         (JSC::typeOfDoubleAbs):
2789         (JSC::typeOfDoubleFRound):
2790         (JSC::typeOfDoubleBinaryOp):
2791         (JSC::typeOfDoubleUnaryOp):
2792         * bytecode/SpeculatedType.h:
2793         * dfg/DFGAbstractInterpreterInlines.h:
2794         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2795         * dfg/DFGByteCodeParser.cpp:
2796         (JSC::DFG::ByteCodeParser::handleInlining):
2797         (JSC::DFG::ByteCodeParser::parseCodeBlock):
2798         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
2799         (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
2800         * dfg/DFGInPlaceAbstractState.cpp:
2801         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
2802         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
2803         (JSC::DFG::createPreHeader):
2804         * dfg/DFGNode.h:
2805         (JSC::DFG::BranchTarget::BranchTarget):
2806         * dfg/DFGOSREntrypointCreationPhase.cpp:
2807         (JSC::DFG::OSREntrypointCreationPhase::run):
2808         * dfg/DFGOSRExitCompiler32_64.cpp:
2809         (JSC::DFG::OSRExitCompiler::compileExit):
2810         * dfg/DFGOSRExitCompiler64.cpp:
2811         (JSC::DFG::OSRExitCompiler::compileExit):
2812         * dfg/DFGPredictionPropagationPhase.cpp:
2813         (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
2814         (JSC::DFG::PredictionPropagationPhase::propagate):
2815         * dfg/DFGSpeculativeJIT.cpp:
2816         (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
2817         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
2818         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
2819         * dfg/DFGSpeculativeJIT32_64.cpp:
2820         (JSC::DFG::SpeculativeJIT::compile):
2821         * dfg/DFGSpeculativeJIT64.cpp:
2822         (JSC::DFG::SpeculativeJIT::compile):
2823         * dfg/DFGVariableAccessData.h:
2824         (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
2825         * ftl/FTLLowerDFGToLLVM.cpp:
2826         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2827         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2828         (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
2829         (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
2830         (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
2831         (JSC::FTL::LowerDFGToLLVM::numberOrNotCellToInt32):
2832         (JSC::FTL::LowerDFGToLLVM::allocateJSArray):
2833         * ftl/FTLValueFormat.cpp:
2834         (JSC::FTL::reboxAccordingToFormat):
2835         * jit/AssemblyHelpers.cpp:
2836         (JSC::AssemblyHelpers::purifyNaN):
2837         (JSC::AssemblyHelpers::sanitizeDouble): Deleted.
2838         * jit/AssemblyHelpers.h:
2839         * jit/JITPropertyAccess.cpp:
2840         (JSC::JIT::emitFloatTypedArrayGetByVal):
2841         * runtime/DateConstructor.cpp:
2842         (JSC::constructDate):
2843         * runtime/DateInstanceCache.h:
2844         (JSC::DateInstanceData::DateInstanceData):
2845         (JSC::DateInstanceCache::reset):
2846         * runtime/ExceptionHelpers.cpp:
2847         (JSC::TerminatedExecutionError::defaultValue):
2848         * runtime/JSArray.cpp:
2849         (JSC::JSArray::setLength):
2850         (JSC::JSArray::pop):
2851         (JSC::JSArray::shiftCountWithAnyIndexingType):
2852         (JSC::JSArray::sortVector):
2853         (JSC::JSArray::compactForSorting):
2854         * runtime/JSArray.h:
2855         (JSC::JSArray::create):
2856         (JSC::JSArray::tryCreateUninitialized):
2857         * runtime/JSCJSValue.cpp:
2858         (JSC::JSValue::toNumberSlowCase):
2859         * runtime/JSCJSValue.h:
2860         * runtime/JSCJSValueInlines.h:
2861         (JSC::jsNaN):
2862         (JSC::JSValue::JSValue):
2863         (JSC::JSValue::getPrimitiveNumber):
2864         * runtime/JSGlobalObjectFunctions.cpp:
2865         (JSC::parseInt):
2866         (JSC::jsStrDecimalLiteral):
2867         (JSC::toDouble):
2868         (JSC::jsToNumber):
2869         (JSC::parseFloat):
2870         * runtime/JSObject.cpp:
2871         (JSC::JSObject::createInitialDouble):
2872         (JSC::JSObject::convertUndecidedToDouble):
2873         (JSC::JSObject::convertInt32ToDouble):
2874         (JSC::JSObject::deletePropertyByIndex):
2875         (JSC::JSObject::ensureLengthSlow):
2876         * runtime/MathObject.cpp:
2877         (JSC::mathProtoFuncMax):
2878         (JSC::mathProtoFuncMin):
2879         * runtime/PureNaN.h: Added.
2880         (JSC::pureNaN):
2881         (JSC::isImpureNaN):
2882         (JSC::purifyNaN):
2883         * runtime/TypedArrayAdaptors.h:
2884         (JSC::FloatTypedArrayAdaptor::toJSValue):
2885
2886 2014-04-16  Juergen Ributzka  <juergen@apple.com>
2887
2888         Enable system library calls in FTL for ARM64
2889         https://bugs.webkit.org/show_bug.cgi?id=130154
2890
2891         Reviewed by Geoffrey Garen and Filip Pizlo.
2892
2893         * ftl/FTLIntrinsicRepository.h:
2894         * ftl/FTLOutput.h:
2895         (JSC::FTL::Output::doubleRem):
2896         (JSC::FTL::Output::doubleSin):
2897         (JSC::FTL::Output::doubleCos):
2898
2899 2014-04-16  peavo@outlook.com  <peavo@outlook.com>
2900
2901         Fix JSC Debug Regressions on Windows
2902         https://bugs.webkit.org/show_bug.cgi?id=131182
2903
2904         Reviewed by Brent Fulgham.
2905
2906         The cast static_cast<int64_t>(number) in JSValue::isMachineInt() can generate a floating point error,
2907         and set the st floating point register tags, if the value of the number parameter is infinite.
2908         If the st floating point register tags are not cleared, this can cause strange floating point behavior later on.
2909         This can be avoided by checking for infinity first.
2910
2911         * runtime/JSCJSValueInlines.h:
2912         (JSC::JSValue::isMachineInt): Avoid floating point error by checking for infinity first.
2913         * runtime/Options.cpp:
2914         (JSC::recomputeDependentOptions): Re-enable jit for Windows.
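
Added illustration (not JavaScriptCore's code and not part of this ChangeLog) of the check ordering the entry above describes: the finiteness test runs before any cast. static_cast<int64_t> of a NaN or infinite double is undefined behaviour in C++, and on the Windows path it produces the floating point error the entry mentions, so the cast must only be reached for values already known to be finite and in range. The helper name isMachineIntSafe and the 52-bit bound (the range JSC uses for Int52 values, assumed here) are this example's own choices.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <limits>

// Added example, not JavaScriptCore's code. Models the "does this double
// fit a machine integer" test with the infinity/NaN check placed ahead of
// the cast, which is the fix the ChangeLog entry describes.
// Assumed bound: 52-bit signed range [-2^51, 2^51), as JSC's Int52 values use.
const int64_t kMachineIntMax = (static_cast<int64_t>(1) << 51) - 1;
const int64_t kMachineIntMin = -(static_cast<int64_t>(1) << 51);

bool isMachineIntSafe(double number)
{
    // 1. Reject NaN and +/-infinity before touching the cast: converting
    //    them with static_cast<int64_t> is undefined behaviour.
    if (!std::isfinite(number))
        return false;

    // 2. Reject out-of-range values while still in double arithmetic, so
    //    the cast below can never overflow. Both bounds are exactly
    //    representable as doubles (they need fewer than 53 bits).
    if (number < static_cast<double>(kMachineIntMin)
        || number > static_cast<double>(kMachineIntMax))
        return false;

    // 3. The cast is now well-defined; require an exact integer value.
    int64_t asInt = static_cast<int64_t>(number);
    if (static_cast<double>(asInt) != number)
        return false;

    // 4. -0.0 survives the round trip above but is not treated as an
    //    integer, so it is rejected explicitly.
    if (asInt == 0 && std::signbit(number))
        return false;

    return true;
}

int main()
{
    const double inf = std::numeric_limits<double>::infinity();
    std::printf("42.0      -> %d\n", isMachineIntSafe(42.0));
    std::printf("infinity  -> %d\n", isMachineIntSafe(inf));
    std::printf("-0.0      -> %d\n", isMachineIntSafe(-0.0));
    std::printf("2^51      -> %d\n", isMachineIntSafe(2251799813685248.0));
    return 0;
}
```

The order matters: step 1 makes step 3 safe, and step 2 makes it safe even for finite values far outside the 64-bit range (such as 1e300), which step 1 alone would not catch.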
2915
2916 2014-04-16  Oliver Hunt  <oliver@apple.com>
2917
2918         Simple ES6 feature: Array.prototype.fill
2919         https://bugs.webkit.org/show_bug.cgi?id=131703
2920
2921         Reviewed by David Hyatt.
2922
2923         Add support for Array.prototype.fill
2924
2925         * builtins/Array.prototype.js:
2926         (fill):
2927         * runtime/ArrayPrototype.cpp:
2928
2929 2014-04-16  Mark Hahnenberg  <mhahnenberg@apple.com>
2930
2931         [WebKit] Cleanup the build from uninitialized variable in JavaScriptCore
2932         https://bugs.webkit.org/show_bug.cgi?id=131728
2933
2934         Reviewed by Darin Adler.
2935
2936         * runtime/JSObject.cpp:
2937         (JSC::JSObject::genericConvertDoubleToContiguous): Add a RELEASE_ASSERT on the 
2938         path we expect to never take. Also shut up confused compilers about uninitialized things.
2939
2940 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
2941
2942         Unreviewed, ARMv7 build fix after r167336.
2943
2944         * assembler/MacroAssemblerARMv7.h:
2945         (JSC::MacroAssemblerARMv7::branchAdd32):
2946
2947 2014-04-16  Gabor Rapcsanyi  <rgabor@webkit.org>
2948
2949         Unreviewed, ARM64 build fix after r167336.
2950
2951         * assembler/MacroAssemblerARM64.h:
2952         (JSC::MacroAssemblerARM64::branchAdd32): Add missing function.
2953
2954 2014-04-15  Filip Pizlo  <fpizlo@apple.com>
2955
2956         Unreviewed, add the obvious thing that marks MakeRope as exiting since it can exit.
2957
2958         * dfg/DFGAbstractInterpreterInlines.h:
2959         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2960
2961 2014-04-15  Filip Pizlo  <fpizlo@apple.com>
2962
2963         compileMakeRope does not emit necessary bounds checks
2964         https://bugs.webkit.org/show_bug.cgi?id=130684
2965         <rdar://problem/16398388>
2966
2967         Reviewed by Oliver Hunt.
2968         
2969         Add string length bounds checks in a bunch of places. We should never allow a string
2970         to have a length greater than 2^31-1 because it's not clear that the language has
2971         semantics for it and because there is code that assumes that this cannot happen.
2972         
2973         Also add a bunch of tests to that effect to cover the various ways in which this was
2974         previously allowed to happen.
2975
2976         * dfg/DFGOperations.cpp:
2977         * dfg/DFGSpeculativeJIT.cpp:
2978         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2979         * ftl/FTLLowerDFGToLLVM.cpp:
2980         (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
2981         * runtime/JSString.cpp:
2982         (JSC::JSRopeString::RopeBuilder::expand):
2983         * runtime/JSString.h:
2984         (JSC::JSString::create):
2985         (JSC::JSRopeString::RopeBuilder::append):
2986         (JSC::JSRopeString::RopeBuilder::release):
2987         (JSC::JSRopeString::append):
2988         * runtime/Operations.h:
2989         (JSC::jsString):
2990         (JSC::jsStringFromRegisterArray):
2991         (JSC::jsStringFromArguments):
2992         * runtime/StringPrototype.cpp:
2993         (JSC::stringProtoFuncIndexOf):
2994         (JSC::stringProtoFuncSlice):
2995         (JSC::stringProtoFuncSubstring):
2996         (JSC::stringProtoFuncToLowerCase):
2997         * tests/stress/make-large-string-jit-strcat.js: Added.
2998         (foo):
2999         * tests/stress/make-large-string-jit.js: Added.
3000         (foo):
3001         * tests/stress/make-large-string-strcat.js: Added.
3002         * tests/stress/make-large-string.js: Added.
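
Added illustration (not JavaScriptCore's code and not part of this ChangeLog) of the invariant the entry above enforces: a rope's length is the sum of its fibers' lengths, so that sum is where the 2^31-1 bound has to be checked, before anything is allocated and before downstream code that assumes the bound runs. The Rope type, checkedLengthAdd, appendFiber and doublingsUntilRejected are this example's own constructions; the doubling simulation mirrors the s = s + s pattern the make-large-string tests exercise, tracking lengths only so nothing large is ever allocated. What JSC reports on rejection is stated as an assumption in the comments.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Added example, not JavaScriptCore's code. A string length must never
// exceed 2^31-1; a rope only records its fibers' lengths, so the length
// sum is the single place where that bound is enforced.
const uint32_t kMaxStringLength = 0x7FFFFFFFu; // 2^31 - 1

// Checked addition of two string lengths. Returns false when the sum would
// exceed kMaxStringLength. The sum is computed in 64 bits so the check
// itself cannot wrap; `out` may alias `a` or `b` because it is written last.
bool checkedLengthAdd(uint32_t a, uint32_t b, uint32_t& out)
{
    uint64_t sum = static_cast<uint64_t>(a) + b;
    if (sum > kMaxStringLength)
        return false;
    out = static_cast<uint32_t>(sum);
    return true;
}

struct Rope {
    std::vector<std::string> fibers; // pieces, joined lazily on resolution
    uint32_t length = 0;             // invariant: length <= kMaxStringLength
};

// Appends a fiber, leaving the rope untouched and returning false when the
// combined length would break the invariant. (JSC's real code reports an
// out-of-memory error to the caller at this point; that is an assumption
// about the project, not something this example models.)
bool appendFiber(Rope& rope, const std::string& fiber)
{
    if (fiber.size() > kMaxStringLength)
        return false;
    uint32_t newLength = 0;
    if (!checkedLengthAdd(rope.length, static_cast<uint32_t>(fiber.size()), newLength))
        return false;
    rope.fibers.push_back(fiber);
    rope.length = newLength;
    return true;
}

// Simulates repeatedly doubling a string (s = s + s), as the stress tests
// do, by tracking lengths only. Returns how many doublings the bound
// accepts before rejecting one. A zero length would double forever, so it
// is reported as zero accepted doublings.
int doublingsUntilRejected(uint32_t initialLength)
{
    if (initialLength == 0)
        return 0;
    int accepted = 0;
    uint32_t length = initialLength;
    while (checkedLengthAdd(length, length, length))
        ++accepted;
    return accepted;
}

int main()
{
    Rope rope;
    appendFiber(rope, "abc");
    appendFiber(rope, "de");
    std::printf("rope length after two fibers: %u\n", rope.length);
    std::printf("doublings accepted from length 1: %d\n", doublingsUntilRejected(1));
    return 0;
}
```

Starting from a single character, thirty doublings reach 2^30 and the thirty-first is refused, which is exactly the point where an unchecked 32-bit length would have wrapped into a negative or small value.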
3003
3004 2014-04-15  Julien Brianceau  <jbriance@cisco.com>
3005
3006         Remove invalid sh4 specific code in JITInlines header.
3007         https://bugs.webkit.org/show_bug.cgi?id=131692
3008
3009         Reviewed by Geoffrey Garen.
3010
3011         * jit/JITInlines.h:
3012         (JSC::JIT::callOperation): Prototype is not F_JITOperation_EJJZ
3013         anymore since r160244, so the sh4 specific code is invalid now
3014         and has to be removed.
3015
3016 2014-04-15  Mark Hahnenberg  <mhahnenberg@apple.com>
3017
3018         Fix precedence issue in JSCell::setRemembered
3019
3020         Rubber stamped by Filip Pizlo.
3021
3022         * runtime/JSCell.h:
3023         (JSC::JSCell::setRemembered):
3024
3025 2014-04-15  Mark Hahnenberg  <mhahnenberg@apple.com>
3026
3027         Objective-C API external object graphs don't handle generational collection properly
3028         https://bugs.webkit.org/show_bug.cgi?id=131634
3029
3030         Reviewed by Geoffrey Garen.
3031
3032         If the set of Objective-C objects transitively reachable through an object changes, we 
3033         need to update the set of opaque roots accordingly. If we don't, the next EdenCollection 
3034         won't rescan the external object graph, which would lead us to consider a newly allocated 
3035         JSManagedValue to be dead.
3036
3037         * API/JSBase.cpp:
3038         (JSSynchronousEdenCollectForDebugging):
3039         * API/JSVirtualMachine.mm:
3040         (-[JSVirtualMachine initWithContextGroupRef:]):
3041         (-[JSVirtualMachine dealloc]):
3042         (-[JSVirtualMachine isOldExternalObject:]):
3043         (-[JSVirtualMachine addExternalRememberedObject:]):
3044         (-[JSVirtualMachine addManagedReference:withOwner:]):
3045         (-[JSVirtualMachine removeManagedReference:withOwner:]):
3046         (-[JSVirtualMachine externalRememberedSet]):
3047         (scanExternalObjectGraph):
3048         (scanExternalRememberedSet):
3049         * API/JSVirtualMachineInternal.h:
3050         * API/tests/testapi.mm:
3051         * heap/Heap.cpp:
3052         (JSC::Heap::markRoots):
3053         * heap/Heap.h:
3054         (JSC::Heap::slotVisitor):
3055         * heap/SlotVisitor.h:
3056         * heap/SlotVisitorInlines.h:
3057         (JSC::SlotVisitor::containsOpaqueRoot):
3058         (JSC::SlotVisitor::containsOpaqueRootTriState):
3059
3060 2014-04-15  Filip Pizlo  <fpizlo@apple.com>
3061
3062         DFG IR should keep the data flow of doubles and int52's separate from the data flow of JSValue's
3063         https://bugs.webkit.org/show_bug.cgi?id=131423
3064
3065         Reviewed by Geoffrey Garen.
3066         
3067         This introduces more static typing into DFG IR. Previously we just had the notion of
3068         JSValues and Storage. This was weird because doubles weren't always convertible to
3069         JSValues, and Int52s weren't always convertible to either doubles or JSValues. We would
3070         sort of insert explicit conversion nodes just for the places where we knew that an
3071         implicit conversion wouldn't have been possible -- but there was no hard and fast rule so
3072         we'd get bugs from forgetting to do the right conversion.
3073         
3074         This patch introduces a hard and fast rule: doubles can never be implicitly converted to
3075         anything but doubles, and likewise Int52's can never be implicitly converted. Conversion
3076         nodes are used for all of the conversions. Int52Rep, DoubleRep, and ValueRep are the
3077         conversions. They are like Identity but return the same value using a different
3078         representation. Likewise, constants may now be represented using either JSConstant,
3079         Int52Constant, or DoubleConstant. UseKinds have been adjusted accordingly, as well.
3080         Int52RepUse and DoubleRepUse are node uses that mean "the node must be of Int52 (or
3081         Double) type". They don't imply checks. There is also DoubleRepRealUse, which means that
3082         we speculate DoubleReal and expect Double representation.
3083         
3084         In addition to simplifying a bunch of rules in the IR and making the IR more verifiable,
3085         this also makes it easier to introduce optimizations in the future. It's now possible for
3086         AI to model when/how conversions take place. For example if doing a conversion results in
3087         NaN sanitization, then AI can model this and can allow us to sink sanitizations. That's
3088         what https://bugs.webkit.org/show_bug.cgi?id=131419 will be all about.
3089         
3090         This was a big change, so I had to do some interesting things, like finally get rid of
3091         the DFG's weird variadic template macro hacks and use real C++11 variadic templates. Also
3092         the ByteCodeParser no longer emits Identity nodes since that was always pointless.
3093         
3094         No performance change because this mostly just rationalizes preexisting behavior.
3095
3096         * JavaScriptCore.xcodeproj/project.pbxproj:
3097         * assembler/MacroAssemblerX86.h:
3098         * bytecode/CodeBlock.cpp:
3099         * bytecode/CodeBlock.h:
3100         * dfg/DFGAbstractInterpreter.h:
3101         (JSC::DFG::AbstractInterpreter::setBuiltInConstant):
3102         (JSC::DFG::AbstractInterpreter::setConstant):
3103         * dfg/DFGAbstractInterpreterInlines.h:
3104         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3105         * dfg/DFGAbstractValue.cpp:
3106         (JSC::DFG::AbstractValue::set):
3107         (JSC::DFG::AbstractValue::fixTypeForRepresentation):
3108         (JSC::DFG::AbstractValue::checkConsistency):
3109         * dfg/DFGAbstractValue.h:
3110         * dfg/DFGBackwardsPropagationPhase.cpp:
3111         (JSC::DFG::BackwardsPropagationPhase::propagate):
3112         * dfg/DFGBasicBlock.h:
3113         * dfg/DFGBasicBlockInlines.h:
3114         (JSC::DFG::BasicBlock::appendNode):
3115         (JSC::DFG::BasicBlock::appendNonTerminal):
3116         * dfg/DFGByteCodeParser.cpp:
3117         (JSC::DFG::ByteCodeParser::parseBlock):
3118         * dfg/DFGCSEPhase.cpp:
3119         (JSC::DFG::CSEPhase::constantCSE):
3120         (JSC::DFG::CSEPhase::performNodeCSE):
3121         (JSC::DFG::CSEPhase::int32ToDoubleCSE): Deleted.
3122         * dfg/DFGCapabilities.h:
3123         * dfg/DFGClobberize.h:
3124         (JSC::DFG::clobberize):
3125         * dfg/DFGConstantFoldingPhase.cpp:
3126         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3127         * dfg/DFGDCEPhase.cpp:
3128         (JSC::DFG::DCEPhase::fixupBlock):
3129         * dfg/DFGEdge.h:
3130         (JSC::DFG::Edge::willNotHaveCheck):
3131         * dfg/DFGFixupPhase.cpp:
3132         (JSC::DFG::FixupPhase::run):
3133         (JSC::DFG::FixupPhase::fixupNode):
3134         (JSC::DFG::FixupPhase::fixupGetAndSetLocalsInBlock):
3135         (JSC::DFG::FixupPhase::observeUseKindOnNode):
3136         (JSC::DFG::FixupPhase::fixIntEdge):
3137         (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
3138         (JSC::DFG::FixupPhase::injectTypeConversionsInBlock):
3139         (JSC::DFG::FixupPhase::tryToRelaxRepresentation):
3140         (JSC::DFG::FixupPhase::fixEdgeRepresentation):
3141         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
3142         (JSC::DFG::FixupPhase::addRequiredPhantom):
3143         (JSC::DFG::FixupPhase::addPhantomsIfNecessary):
3144         (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
3145         (JSC::DFG::FixupPhase::fixupSetLocalsInBlock): Deleted.
3146         * dfg/DFGFlushFormat.h:
3147         (JSC::DFG::resultFor):
3148         (JSC::DFG::useKindFor):
3149         * dfg/DFGGraph.cpp:
3150         (JSC::DFG::Graph::dump):
3151         * dfg/DFGGraph.h:
3152         (JSC::DFG::Graph::addNode):
3153         * dfg/DFGInPlaceAbstractState.cpp:
3154         (JSC::DFG::InPlaceAbstractState::initialize):
3155         * dfg/DFGInsertionSet.h:
3156         (JSC::DFG::InsertionSet::insertNode):
3157         (JSC::DFG::InsertionSet::insertConstant):
3158         (JSC::DFG::InsertionSet::insertConstantForUse):
3159         * dfg/DFGIntegerCheckCombiningPhase.cpp:
3160         (JSC::DFG::IntegerCheckCombiningPhase::insertAdd):
3161         (JSC::DFG::IntegerCheckCombiningPhase::insertMustAdd):
3162         * dfg/DFGNode.cpp:
3163         (JSC::DFG::Node::convertToIdentity):
3164         (WTF::printInternal):
3165         * dfg/DFGNode.h:
3166         (JSC::DFG::Node::Node):
3167         (JSC::DFG::Node::setResult):
3168         (JSC::DFG::Node::result):
3169         (JSC::DFG::Node::isConstant):
3170         (JSC::DFG::Node::hasConstant):
3171         (JSC::DFG::Node::convertToConstant):
3172         (JSC::DFG::Node::valueOfJSConstant):
3173         (JSC::DFG::Node::hasResult):
3174         (JSC::DFG::Node::hasInt32Result):
3175         (JSC::DFG::Node::hasInt52Result):
3176         (JSC::DFG::Node::hasNumberResult):
3177         (JSC::DFG::Node::hasDoubleResult):
3178         (JSC::DFG::Node::hasJSResult):
3179         (JSC::DFG::Node::hasBooleanResult):
3180         (JSC::DFG::Node::hasStorageResult):
3181         (JSC::DFG::Node::defaultUseKind):
3182         (JSC::DFG::Node::defaultEdge):
3183         (JSC::DFG::Node::convertToIdentity): Deleted.
3184         * dfg/DFGNodeFlags.cpp:
3185         (JSC::DFG::dumpNodeFlags):
3186         * dfg/DFGNodeFlags.h:
3187         (JSC::DFG::canonicalResultRepresentation):
3188         * dfg/DFGNodeType.h:
3189         * dfg/DFGOSRExitCompiler32_64.cpp:
3190         (JSC::DFG::OSRExitCompiler::compileExit):
3191         * dfg/DFGOSRExitCompiler64.cpp:
3192         (JSC::DFG::OSRExitCompiler::compileExit):
3193         * dfg/DFGPredictionPropagationPhase.cpp:
3194         (JSC::DFG::PredictionPropagationPhase::propagate):
3195         * dfg/DFGResurrectionForValidationPhase.cpp:
3196         (JSC::DFG::ResurrectionForValidationPhase::run):
3197         * dfg/DFGSSAConversionPhase.cpp:
3198         (JSC::DFG::SSAConversionPhase::run):
3199         * dfg/DFGSafeToExecute.h:
3200         (JSC::DFG::SafeToExecuteEdge::operator()):
3201         (JSC::DFG::safeToExecute):
3202         * dfg/DFGSpeculativeJIT.cpp:
3203         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
3204         (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
3205         (JSC::DFG::SpeculativeJIT::silentFill):
3206         (JSC::DFG::JSValueRegsTemporary::JSValueRegsTemporary):
3207         (JSC::DFG::JSValueRegsTemporary::~JSValueRegsTemporary):
3208         (JSC::DFG::JSValueRegsTemporary::regs):
3209         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
3210         (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
3211         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
3212         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
3213         (JSC::DFG::SpeculativeJIT::compileValueRep):
3214         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
3215         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
3216         (JSC::DFG::SpeculativeJIT::compileAdd):
3217         (JSC::DFG::SpeculativeJIT::compileArithSub):
3218         (JSC::DFG::SpeculativeJIT::compileArithNegate):
3219         (JSC::DFG::SpeculativeJIT::compileArithMul):
3220         (JSC::DFG::SpeculativeJIT::compileArithDiv):
3221         (JSC::DFG::SpeculativeJIT::compileArithMod):
3222         (JSC::DFG::SpeculativeJIT::compare):
3223         (JSC::DFG::SpeculativeJIT::compileStrictEq):
3224         (JSC::DFG::SpeculativeJIT::speculateNumber):
3225         (JSC::DFG::SpeculativeJIT::speculateDoubleReal):
3226         (JSC::DFG::SpeculativeJIT::speculate):
3227         (JSC::DFG::SpeculativeJIT::compileInt32ToDouble): Deleted.
3228         (JSC::DFG::SpeculativeJIT::speculateMachineInt): Deleted.
3229         (JSC::DFG::SpeculativeJIT::speculateRealNumber): Deleted.
3230         * dfg/DFGSpeculativeJIT.h:
3231         (JSC::DFG::SpeculativeJIT::allocate):
3232         (JSC::DFG::SpeculativeJIT::use):
3233         (JSC::DFG::SpeculativeJIT::boxDouble):
3234         (JSC::DFG::SpeculativeJIT::spill):
3235         (JSC::DFG::SpeculativeJIT::jsValueResult):
3236         (JSC::DFG::SpeculateInt52Operand::SpeculateInt52Operand):
3237         (JSC::DFG::SpeculateStrictInt52Operand::SpeculateStrictInt52Operand):
3238         (JSC::DFG::SpeculateWhicheverInt52Operand::SpeculateWhicheverInt52Operand):
3239         (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
3240         * dfg/DFGSpeculativeJIT32_64.cpp:
3241         (JSC::DFG::SpeculativeJIT::fillJSValue):
3242         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
3243         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3244         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3245         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3246         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
3247         (JSC::DFG::SpeculativeJIT::emitBranch):
3248         (JSC::DFG::SpeculativeJIT::compile):
3249         (JSC::DFG::SpeculativeJIT::convertToDouble): Deleted.
3250         * dfg/DFGSpeculativeJIT64.cpp:
3251         (JSC::DFG::SpeculativeJIT::fillJSValue):
3252         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
3253         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
3254         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3255         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3256         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3257         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
3258         (JSC::DFG::SpeculativeJIT::emitBranch):
3259         (JSC::DFG::SpeculativeJIT::compile):
3260         (JSC::DFG::SpeculativeJIT::convertToDouble): Deleted.
3261         * dfg/DFGStrengthReductionPhase.cpp:
3262         (JSC::DFG::StrengthReductionPhase::handleNode):
3263         * dfg/DFGUseKind.cpp:
3264         (WTF::printInternal):
3265         * dfg/DFGUseKind.h:
3266         (JSC::DFG::typeFilterFor):
3267         (JSC::DFG::shouldNotHaveTypeCheck):
3268         (JSC::DFG::mayHaveTypeCheck):
3269         (JSC::DFG::isNumerical):
3270         (JSC::DFG::isDouble):
3271         (JSC::DFG::isCell):
3272         (JSC::DFG::usesStructure):
3273         (JSC::DFG::useKindForResult):
3274         * dfg/DFGValidate.cpp:
3275         (JSC::DFG::Validate::validate):
3276         * dfg/DFGVariadicFunction.h: Removed.
3277         * ftl/FTLCapabilities.cpp:
3278         (JSC::FTL::canCompile):
3279         * ftl/FTLLowerDFGToLLVM.cpp:
3280         (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
3281         (JSC::FTL::LowerDFGToLLVM::compileNode):
3282         (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
3283         (JSC::FTL::LowerDFGToLLVM::compilePhi):
3284         (JSC::FTL::LowerDFGToLLVM::compileDoubleConstant):
3285         (JSC::FTL::LowerDFGToLLVM::compileInt52Constant):
3286         (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant):
3287         (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
3288         (JSC::FTL::LowerDFGToLLVM::compileValueRep):
3289         (JSC::FTL::LowerDFGToLLVM::compileInt52Rep):
3290         (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
3291         (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
3292         (JSC::FTL::LowerDFGToLLVM::compileArithMul):
3293         (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
3294         (JSC::FTL::LowerDFGToLLVM::compileArithMod):
3295         (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
3296         (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
3297         (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
3298         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
3299         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
3300         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
3301         (JSC::FTL::LowerDFGToLLVM::compare):
3302         (JSC::FTL::LowerDFGToLLVM::boolify):
3303         (JSC::FTL::LowerDFGToLLVM::lowInt52):
3304         (JSC::FTL::LowerDFGToLLVM::lowStrictInt52):
3305         (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52):
3306         (JSC::FTL::LowerDFGToLLVM::lowDouble):
3307         (JSC::FTL::LowerDFGToLLVM::lowJSValue):
3308         (JSC::FTL::LowerDFGToLLVM::strictInt52ToDouble):
3309         (JSC::FTL::LowerDFGToLLVM::jsValueToDouble):
3310         (JSC::FTL::LowerDFGToLLVM::speculate):
3311         (JSC::FTL::LowerDFGToLLVM::speculateNumber):
3312         (JSC::FTL::LowerDFGToLLVM::speculateDoubleReal):
3313         (JSC::FTL::LowerDFGToLLVM::compileInt52ToValue): Deleted.
3314         (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble): Deleted.
3315         (JSC::FTL::LowerDFGToLLVM::setInt52WithStrictValue): Deleted.
3316         (JSC::FTL::LowerDFGToLLVM::speculateRealNumber): Deleted.
3317         (JSC::FTL::LowerDFGToLLVM::speculateMachineInt): Deleted.
3318         * ftl/FTLValueFormat.cpp:
3319         (JSC::FTL::reboxAccordingToFormat):
3320         * jit/AssemblyHelpers.cpp:
3321         (JSC::AssemblyHelpers::sanitizeDouble):
3322         * jit/AssemblyHelpers.h:
3323         (JSC::AssemblyHelpers::boxDouble):
3324
3325 2014-04-15  Commit Queue  <commit-queue@webkit.org>
3326
3327         Unreviewed, rolling out r167199 and r167251.
3328         https://bugs.webkit.org/show_bug.cgi?id=131678
3329
3330         Caused a DYEBench regression and does not seem to improve perf
3331         on relevant websites (Requested by rniwa on #webkit).
3332
3333         Reverted changesets:
3334
3335         "Rewrite Function.bind as a builtin"
3336         https://bugs.webkit.org/show_bug.cgi?id=131083
3337         http://trac.webkit.org/changeset/167199
3338
3339         "Update test result"
3340         http://trac.webkit.org/changeset/167251
3341
3342 2014-04-14  Commit Queue  <commit-queue@webkit.org>
3343
3344         Unreviewed, rolling out r167272.
3345         https://bugs.webkit.org/show_bug.cgi?id=131666
3346
3347         Broke multiple tests (Requested by ap on #webkit).
3348
3349         Reverted changeset:
3350
3351         "Function.bind itself is too slow"
3352         https://bugs.webkit.org/show_bug.cgi?id=131636
3353         http://trac.webkit.org/changeset/167272
3354
3355 2014-04-14  Geoffrey Garen  <ggaren@apple.com>
3356
3357         ASSERT when firing low memory warning
3358         https://bugs.webkit.org/show_bug.cgi?id=131659
3359
3360         Reviewed by Mark Hahnenberg.
3361
3362         * heap/Heap.cpp:
3363         (JSC::Heap::deleteAllCompiledCode): Allow deleteAllCompiledCode to be
3364         called when no GC is happening because that is what we do when a low
3365         memory warning fires, and it is harmless.
3366
3367 2014-04-14  Mark Hahnenberg  <mhahnenberg@apple.com>
3368
3369         emit_op_put_by_id should not emit a write barrier that filters on value
3370         https://bugs.webkit.org/show_bug.cgi?id=131654
3371
3372         Reviewed by Filip Pizlo.
3373
3374         The 32-bit implementation does this, and it can cause crashes if we later repatch the 
3375         code to allocate and store new Butterflies.
3376
3377         * jit/JITPropertyAccess.cpp:
3378         (JSC::JIT::emitWriteBarrier): We also weren't verifying that the base was a cell on 
3379         32-bit if we were passed ShouldFilterBase. I also took the liberty of sinking the tag 
3380         load down into the if statement so that we don't do it if we're not filtering on the value.
3381         * jit/JITPropertyAccess32_64.cpp:
3382         (JSC::JIT::emit_op_put_by_id):
3383
3384 2014-04-14  Oliver Hunt  <oliver@apple.com>
3385
3386         Function.bind itself is too slow
3387         https://bugs.webkit.org/show_bug.cgi?id=131636
3388
3389         Reviewed by Geoffrey Garen.
3390
3391         Rather than forcing creation of an activation, we now store
3392         bound function properties directly on the returned closure.
3393         This is necessary to deal with code that creates many function
3394         bindings, but does not call them very often.
3395
3396         This is a 60% speed up in the included js/regress test.
3397
3398         * builtins/BuiltinExecutables.cpp:
3399         (JSC::BuiltinExecutables::createBuiltinExecutable):
3400         * builtins/Function.prototype.js:
3401         (bind.bindingFunction):
3402         (bind.else.switch.case.1.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
3403         (bind.else.switch.case.1.bindingFunction):
3404         (bind.else.switch.case.2.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
3405         (bind.else.switch.case.2.bindingFunction):
3406         (bind.else.switch.case.3.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
3407         (bind.else.switch.case.3.bindingFunction):
3408         (bind.else.switch.bindingFunction):
3409         (bind):
3410         (bind.else.switch.case.1.bindingFunction.oversizedCall): Deleted.
3411         (bind.else.switch.case.2.bindingFunction.oversizedCall): Deleted.
3412         (bind.else.switch.case.3.bindingFunction.oversizedCall): Deleted.
3413         * runtime/CommonIdentifiers.h:
3414
3415 2014-04-14  Julien Brianceau  <jbriance@cisco.com>
3416
3417         [sh4] Allow use of SubImmediates in LLINT.
3418         https://bugs.webkit.org/show_bug.cgi?id=131608
3419
3420         Reviewed by Mark Lam.
3421
3422         Allow use of SubImmediates with const pool so the sh4 architecture can
3423         share the arm path for setEntryAddress macro. It reduces architecture
3424         specific code and leads to more optimal generated code for sh4.
3425
3426         * llint/LowLevelInterpreter.asm:
3427         * offlineasm/sh4.rb:
3428
3429 2014-04-14  Andreas Kling  <akling@apple.com>
3430
3431         Array.prototype.concat should allocate output storage only once.
3432         <https://webkit.org/b/131609>
3433
3434         Do a first pass across 'this' and any arguments to compute the
3435         final size of the resulting array from Array.prototype.concat.
3436         This avoids having to grow the output incrementally as we go.
3437
3438         This also includes two other micro-optimizations:
3439
3440         - Mark getProperty() with ALWAYS_INLINE.
3441
3442         - Use JSArray::length() instead of taking the generic property
3443           lookup path when we know an argument is an Array.
3444
3445         My MBP says ~3% progression on Dromaeo/jslib-traverse-jquery.
3446
3447         Reviewed by Oliver & Darin.
3448
3449         * runtime/ArrayPrototype.cpp:
3450         (JSC::getProperty):
3451         (JSC::arrayProtoFuncConcat):
3452
3453 2014-04-14  Commit Queue  <commit-queue@webkit.org>
3454
3455         Unreviewed, rolling out r167249.
3456         https://bugs.webkit.org/show_bug.cgi?id=131621
3457
3458         broke 3 tests on cloop (Requested by kling on #webkit).
3459
3460         Reverted changeset:
3461
3462         "Array.prototype.concat should allocate output storage only
3463         once."
3464         https://bugs.webkit.org/show_bug.cgi?id=131609
3465         http://trac.webkit.org/changeset/167249
3466
3467 2014-04-14  Alex Christensen  <achristensen@webkit.org>
3468
3469         Fixed potential integer truncation.
3470         https://bugs.webkit.org/show_bug.cgi?id=131615
3471
3472         Reviewed by Darin Adler.
3473
3474         * assembler/X86Assembler.h:
3475         (JSC::X86Assembler::fillNops):
3476         Truncate the size_t to an unsigned after it is limited to 15 instead of before.
3477
3478 2014-04-14  Andreas Kling  <akling@apple.com>
3479
3480         Array.prototype.concat should allocate output storage only once.
3481         <https://webkit.org/b/131609>
3482
3483         Do a first pass across 'this' and any arguments to compute the
3484         final size of the resulting array from Array.prototype.concat.
3485         This avoids having to grow the output incrementally as we go.
3486
3487         This also includes two other micro-optimizations:
3488
3489         - Mark getProperty() with ALWAYS_INLINE.
3490
3491         - Use JSArray::length() instead of taking the generic property
3492           lookup path when we know an argument is an Array.
3493
3494         My MBP says ~3% progression on Dromaeo/jslib-traverse-jquery.
3495
3496         Reviewed by Darin Adler.
3497
3498         * runtime/ArrayPrototype.cpp:
3499         (JSC::getProperty):
3500         (JSC::arrayProtoFuncConcat):
3501
3502 2014-04-14  Benjamin Poulain  <benjamin@webkit.org>
3503
3504         [JSC] Improve the call site of string comparison in some hot path
3505         https://bugs.webkit.org/show_bug.cgi?id=131605
3506
3507         Reviewed by Darin Adler.
3508
3509         When resolved, the String of a JSString is never null. It can be empty but not null.
3510         The null value is reserved for ropes but those would be resolved when getting the value.
3511
3512         Consequently, we should use the equal() operation that does not handle null values.
3513         Using the StringImpl directly is already common in StringPrototype but it was not used here for some reason.
3514
3515         * jit/JITOperations.cpp:
3516         * runtime/JSCJSValueInlines.h:
3517         (JSC::JSValue::equalSlowCaseInline):
3518         (JSC::JSValue::strictEqualSlowCaseInline):
3519         (JSC::JSValue::pureStrictEqual):
3520
3521 2014-04-08  Oliver Hunt  <oliver@apple.com>
3522
3523         Rewrite Function.bind as a builtin
3524         https://bugs.webkit.org/show_bug.cgi?id=131083
3525
3526         Reviewed by Geoffrey Garen.
3527
3528         This change removes the existing function.bind implementation
3529         entirely so JSBoundFunction is no more.
3530
3531         Instead we just return a regular JS closure with a few
3532         private properties hanging off it that allow us to perform
3533         the necessary bound function fakery.  While most of this is
3534         simple, there are a couple of key changes:
3535
3536         - The parser and lexer now directly track whether they're
3537           parsing code for call or construct and convert the private
3538           name @IsConstructor into TRUETOK or FALSETOK as appropriate.
3539           This automatically gives us the ability to vary behaviour
3540           from within the builtin. It also leaves a lot of headroom
3541           for trivial future improvements.
3542         - The instanceof operator now uses the prototypeForHasInstance
3543           private name, and we have a helper function to ensure that
3544           all objects that need to can update their magical 'prototype'
3545           property pair correctly.
3546
3547         * API/JSScriptRef.cpp:
3548         (parseScript):
3549         * JavaScriptCore.xcodeproj/project.pbxproj:
3550         * builtins/BuiltinExecutables.cpp:
3551         (JSC::BuiltinExecutables::createBuiltinExecutable):
3552         * builtins/Function.prototype.js:
3553         (bind.bindingFunction):
3554         (bind.else.bindingFunction):
3555         (bind):
3556         * bytecode/UnlinkedCodeBlock.cpp:
3557         (JSC::generateFunctionCodeBlock):
3558         * bytecompiler/NodesCodegen.cpp:
3559         (JSC::InstanceOfNode::emitBytecode):
3560         * interpreter/Interpreter.cpp:
3561         * parser/Lexer.cpp:
3562         (JSC::Lexer<T>::Lexer):
3563         (JSC::Lexer<LChar>::parseIdentifier):
3564         (JSC::Lexer<UChar>::parseIdentifier):
3565         * parser/Lexer.h:
3566         * parser/Parser.cpp:
3567         (JSC::Parser<LexerType>::Parser):
3568         (JSC::Parser<LexerType>::parseInner):
3569         * parser/Parser.h:
3570         (JSC::parse):
3571         * parser/ParserModes.h:
3572         * runtime/CodeCache.cpp:
3573         (JSC::CodeCache::getGlobalCodeBlock):
3574         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
3575         * runtime/CommonIdentifiers.h:
3576         * runtime/Completion.cpp:
3577         (JSC::checkSyntax):
3578         * runtime/Executable.cpp:
3579         (JSC::ProgramExecutable::checkSyntax):
3580         * runtime/FunctionPrototype.cpp:
3581         (JSC::FunctionPrototype::addFunctionProperties):
3582         (JSC::functionProtoFuncBind): Deleted.
3583         * runtime/JSBoundFunction.cpp: Removed.
3584         * runtime/JSBoundFunction.h: Removed.
3585         * runtime/JSFunction.cpp:
3586         (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
3587         (JSC::RetrieveCallerFunctionFunctor::operator()):
3588         (JSC::retrieveCallerFunction):
3589         (JSC::JSFunction::getOwnPropertySlot):
3590         (JSC::JSFunction::defineOwnProperty):
3591         * runtime/JSGlobalObject.cpp:
3592         (JSC::JSGlobalObject::reset):
3593         * runtime/JSGlobalObjectFunctions.cpp:
3594         (JSC::globalFuncSetTypeErrorAccessor):
3595         * runtime/JSGlobalObjectFunctions.h:
3596         * runtime/JSObject.h:
3597         (JSC::JSObject::inlineGetOwnPropertySlot):
3598
3599 2014-04-12  Filip Pizlo  <fpizlo@apple.com>
3600
3601         Math.fround() should be an intrinsic
3602         https://bugs.webkit.org/show_bug.cgi?id=131583
3603
3604         Reviewed by Geoffrey Garen.
3605         
3606         Makes programs that use Math.fround() run up to 6x faster.
3607
3608         * dfg/DFGAbstractInterpreterInlines.h:
3609         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3610         * dfg/DFGByteCodeParser.cpp:
3611         (JSC::DFG::ByteCodeParser::handleIntrinsic):
3612         * dfg/DFGCSEPhase.cpp:
3613         (JSC::DFG::CSEPhase::performNodeCSE):
3614         * dfg/DFGClobberize.h:
3615         (JSC::DFG::clobberize):
3616         * dfg/DFGFixupPhase.cpp:
3617         (JSC::DFG::FixupPhase::fixupNode):
3618         * dfg/DFGNodeType.h:
3619         * dfg/DFGPredictionPropagationPhase.cpp:
3620         (JSC::DFG::PredictionPropagationPhase::propagate):
3621         * dfg/DFGSafeToExecute.h:
3622         (JSC::DFG::safeToExecute):
3623         * dfg/DFGSpeculativeJIT32_64.cpp:
3624         (JSC::DFG::SpeculativeJIT::compile):
3625         * dfg/DFGSpeculativeJIT64.cpp:
3626         (JSC::DFG::SpeculativeJIT::compile):
3627         * ftl/FTLCapabilities.cpp:
3628         (JSC::FTL::canCompile):
3629         * ftl/FTLLowerDFGToLLVM.cpp:
3630         (JSC::FTL::LowerDFGToLLVM::compileNode):
3631         (JSC::FTL::LowerDFGToLLVM::compileArithFRound):
3632         * runtime/Intrinsic.h:
3633         * runtime/MathObject.cpp:
3634         (JSC::MathObject::finishCreation):
3635
3636 2014-04-12  Filip Pizlo  <fpizlo@apple.com>
3637
3638         FTL should use stackmap register liveness
3639         https://bugs.webkit.org/show_bug.cgi?id=130791
3640
3641         Reviewed by Geoffrey Garen.
3642         
3643         Enable the stackmap register liveness support by fixing the two last bugs:
3644         
3645         - If everything is dead after the patchpoint - a good possibility for a put_by_id -
3646           then we shouldn't crash due to a null scratch buffer.
3647         
3648         - Always consider callee-saves as if they were live. More precisely, we should
3649           consider those callee-saves that are not saved by the enclosing function to be live.
3650           For now we do the much simpler thing and consider callee-saves to be always live
3651           since it has minimal impact on the scratch register allocator. It will know not to
3652           preserve those for calls, anyway.
3653         
3654         I tried writing a test for the null scratch buffer thing, but failed. I will land the
3655         test anyway since it seems useful.
3656
3657         * ftl/FTLCompile.cpp:
3658         (JSC::FTL::usedRegistersFor):
3659         * jit/ScratchRegisterAllocator.cpp:
3660         (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
3661         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
3662         * runtime/Options.h:
3663         * tests/stress/repeated-put-by-id-reallocating-transition.js: Added.
3664         (foo):
3665
3666 2014-04-11  Filip Pizlo  <fpizlo@apple.com>
3667
3668         DFG::FixupPhase should insert conversion nodes after the rest of fixup so that we know how the types settled
3669         https://bugs.webkit.org/show_bug.cgi?id=131424
3670
3671         Reviewed by Geoffrey Garen.
3672         
3673         This defers type conversion injection until we've decided on types. This makes the
3674         process of deciding types a bit more flexible - for example we can naturally fixpoint
3675         and change our minds. Only when things are settled do we actually insert conversions.
3676         
3677         This is a necessary prerequisite for keeping double, int52, and JSValue data flow
3678         separate. A SetLocal/GetLocal will appear to be JSValue until we fixpoint and realize
3679         that there are typed uses. If we were eagerly inserting type conversions then we would
3680         first insert a to/from-JSValue conversion in some cases only to then replace it by
3681         the other conversions. It's probably trivial to remove those redundant conversions later
3682         but I think it's better if we don't insert them to begin with.
3683
3684         * bytecode/CodeOrigin.h:
3685         (JSC::CodeOrigin::operator!):
3686         * dfg/DFGFixupPhase.cpp:
3687         (JSC::DFG::FixupPhase::run):
3688         (JSC::DFG::FixupPhase::fixupBlock):
3689         (JSC::DFG::FixupPhase::fixupNode):
3690         (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
3691         (JSC::DFG::FixupPhase::fixEdge):
3692         (JSC::DFG::FixupPhase::fixIntEdge):
3693         (JSC::DFG::FixupPhase::injectTypeConversionsInBlock):
3694         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
3695         (JSC::DFG::FixupPhase::addRequiredPhantom):
3696         (JSC::DFG::FixupPhase::addPhantomsIfNecessary):
3697         (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
3698         (JSC::DFG::FixupPhase::observeUntypedEdge): Deleted.
3699         (JSC::DFG::FixupPhase::fixupUntypedSetLocalsInBlock): Deleted.
3700         (JSC::DFG::FixupPhase::injectInt32ToDoubleNode): Deleted.
3701
3702 2014-04-11  Brian J. Burg  <burg@cs.washington.edu>
3703
3704         Web Replay: code generator should consider enclosing class when computing duplicate type names
3705         https://bugs.webkit.org/show_bug.cgi?id=131554
3706
3707         Reviewed by Timothy Hatcher.
3708
3709         We need to prepend an enum's enclosing class, if any, so that multiple enums with the same name
3710         can coexist without triggering a "duplicate types" error. Now, such enums must be referenced
3711         by the enclosing class and enum name.
3712
3713         Added tests for the new syntax, and rebaselined one test to reflect a previous patch's change.
3714
3715         * replay/scripts/CodeGeneratorReplayInputs.py:
3716         (Type.type_name): Prepend the enclosing class name.
3717         (Type.type_name.is):
3718         * replay/scripts/tests/expected/fail-on-duplicate-enum-type.json-error: Added.
3719         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Added.
3720         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Added.
3721         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Rebaseline.
3722         * replay/scripts/tests/fail-on-duplicate-enum-type.json: Added.
3723         * replay/scripts/tests/generate-enums-with-same-base-name.json: Added.
3724
3725 2014-04-11  Gavin Barraclough  <baraclough@apple.com>
3726
3727         Rollout - Rewrite Function.bind as a builtin
3728         https://bugs.webkit.org/show_bug.cgi?id=131083
3729
3730         Unreviewed.
3731
3732         Rolling out r167020 while investigating a performance regression.
3733
3734         * API/JSObjectRef.cpp:
3735         (JSObjectMakeConstructor):
3736         * API/JSScriptRef.cpp:
3737         (parseScript):
3738         * CMakeLists.txt:
3739         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3740         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3741         * JavaScriptCore.xcodeproj/project.pbxproj:
3742         * builtins/BuiltinExecutables.cpp:
3743         (JSC::BuiltinExecutables::createBuiltinExecutable):
3744         * builtins/Function.prototype.js:
3745         (apply):
3746         (bind.bindingFunction): Deleted.
3747         (bind.else.bindingFunction): Deleted.
3748         (bind): Deleted.
3749         * bytecode/UnlinkedCodeBlock.cpp:
3750         (JSC::generateFunctionCodeBlock):
3751         * bytecompiler/NodesCodegen.cpp:
3752         (JSC::InstanceOfNode::emitBytecode):
3753         * interpreter/Interpreter.cpp:
3754         * parser/Lexer.cpp:
3755         (JSC::Lexer<T>::Lexer):
3756         (JSC::Lexer<LChar>::parseIdentifier):
3757         (JSC::Lexer<UChar>::parseIdentifier):
3758         * parser/Lexer.h:
3759         * parser/Parser.cpp:
3760         (JSC::Parser<LexerType>::Parser):
3761         (JSC::Parser<LexerType>::parseInner):
3762         * parser/Parser.h:
3763         (JSC::parse):
3764         * parser/ParserModes.h:
3765         * runtime/ArgumentsIteratorConstructor.cpp:
3766         (JSC::ArgumentsIteratorConstructor::finishCreation):
3767         * runtime/ArrayConstructor.cpp:
3768         (JSC::ArrayConstructor::finishCreation):
3769         * runtime/BooleanConstructor.cpp:
3770         (JSC::BooleanConstructor::finishCreation):
3771         * runtime/CodeCache.cpp:
3772         (JSC::CodeCache::getGlobalCodeBlock):
3773         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
3774         * runtime/CommonIdentifiers.h:
3775         * runtime/Completion.cpp:
3776         (JSC::checkSyntax):
3777         * runtime/DateConstructor.cpp:
3778         (JSC::DateConstructor::finishCreation):
3779         * runtime/ErrorConstructor.cpp:
3780         (JSC::ErrorConstructor::finishCreation):
3781         * runtime/Executable.cpp:
3782         (JSC::ProgramExecutable::checkSyntax):
3783         * runtime/FunctionConstructor.cpp:
3784         (JSC::FunctionConstructor::finishCreation):
3785         * runtime/FunctionPrototype.cpp:
3786         (JSC::FunctionPrototype::addFunctionProperties):
3787         (JSC::functionProtoFuncBind):
3788         * runtime/JSArrayBufferConstructor.cpp:
3789         (JSC::JSArrayBufferConstructor::finishCreation):
3790         * runtime/JSBoundFunction.cpp: Added.
3791         (JSC::boundFunctionCall):
3792         (JSC::boundFunctionConstruct):
3793         (JSC::JSBoundFunction::create):
3794         (JSC::JSBoundFunction::destroy):
3795         (JSC::JSBoundFunction::customHasInstance):
3796         (JSC::JSBoundFunction::JSBoundFunction):
3797         (JSC::JSBoundFunction::finishCreation):
3798         (JSC::JSBoundFunction::visitChildren):
3799         * runtime/JSBoundFunction.h: Added.
3800         (JSC::JSBoundFunction::targetFunction):
3801         (JSC::JSBoundFunction::boundThis):
3802         (JSC::JSBoundFunction::boundArgs):
3803         (JSC::JSBoundFunction::createStructure):
3804         * runtime/JSFunction.cpp:
3805         (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
3806         (JSC::RetrieveCallerFunctionFunctor::operator()):
3807         (JSC::retrieveCallerFunction):
3808         (JSC::JSFunction::getOwnPropertySlot):
3809         (JSC::JSFunction::getOwnNonIndexPropertyNames):
3810         (JSC::JSFunction::put):
3811         (JSC::JSFunction::defineOwnProperty):
3812         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
3813         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):
3814         * runtime/JSGlobalObject.cpp:
3815         (JSC::JSGlobalObject::reset):
3816         * runtime/JSGlobalObjectFunctions.cpp:
3817         (JSC::globalFuncSetTypeErrorAccessor): Deleted.
3818         * runtime/JSGlobalObjectFunctions.h:
3819         * runtime/JSObject.cpp:
3820         (JSC::JSObject::putDirectPrototypeProperty): Deleted.
3821         (JSC::JSObject::putDirectPrototypePropertyWithoutTransitions): Deleted.
3822         * runtime/JSObject.h:
3823         * runtime/JSPromiseConstructor.cpp:
3824         (JSC::JSPromiseConstructor::finishCreation):
3825         * runtime/MapConstructor.cpp:
3826         (JSC::MapConstructor::finishCreation):
3827         * runtime/MapIteratorConstructor.cpp:
3828         (JSC::MapIteratorConstructor::finishCreation):
3829         * runtime/NameConstructor.cpp:
3830         (JSC::NameConstructor::finishCreation):
3831         * runtime/NativeErrorConstructor.cpp:
3832         (JSC::NativeErrorConstructor::finishCreation):
3833         * runtime/NumberConstructor.cpp:
3834         (JSC::NumberConstructor::finishCreation):
3835         * runtime/ObjectConstructor.cpp:
3836         (JSC::ObjectConstructor::finishCreation):
3837         * runtime/RegExpConstructor.cpp:
3838         (JSC::RegExpConstructor::finishCreation):
3839         * runtime/SetConstructor.cpp:
3840         (JSC::SetConstructor::finishCreation):
3841         * runtime/SetIteratorConstructor.cpp:
3842         (JSC::SetIteratorConstructor::finishCreation):
3843         * runtime/StringConstructor.cpp:
3844         (JSC::StringConstructor::finishCreation):
3845         * runtime/WeakMapConstructor.cpp:
3846         (JSC::WeakMapConstructor::finishCreation):
3847
3848 2014-04-11  David Kilzer  <ddkilzer@apple.com>
3849
3850         [ASan] Build broke because libCompileRuntimeToLLVMIR.a links to libclang_rt.asan_osx_dynamic.dylib
3851         <http://webkit.org/b/131556>
3852         <rdar://problem/16591856>
3853
3854         Reviewed by Brent Fulgham.
3855
3856         * Configurations/CompileRuntimeToLLVMIR.xcconfig: Clear
3857         OTHER_LDFLAGS so the ASan build does not try to link to
3858         libclang_rt.asan_osx_dynamic.dylib.
3859
3860 2014-04-11  Mark Lam  <mark.lam@apple.com>
3861
3862         JSMainThreadExecState::call() should clear exceptions before returning.
3863         <https://webkit.org/b/131530>
3864
3865         Reviewed by Geoffrey Garen.
3866
3867         Added a version of JSC::call() that returns any uncaught exception instead
3868         of leaving it pending in the VM.
3869
3870         As part of this change, I updated various parts of the code base to use the
3871         new API as needed.
3872
3873         * bindings/ScriptFunctionCall.cpp:
3874         (Deprecated::ScriptFunctionCall::call):
3875         - ScriptFunctionCall::call() is only used by the inspector to inject scripts.
3876           The injected scripts will include Inspector scripts that should catch
3877           and handle any exceptions that were thrown.  We should not be seeing any
3878           exceptions returned from this call.  However, we do have checks for
3879           exceptions in case there are bugs in the Inspector scripts which allowed
3880           the exception to leak through.  Hence, it is proper to clear the exception
3881           here, and only record the fact that an exception was seen (if present).
3882
3883         * bindings/ScriptFunctionCall.h:
3884         * inspector/InspectorEnvironment.h:
3885         * runtime/CallData.cpp:
3886         (JSC::call):
3887         * runtime/CallData.h:
3888
3889 2014-04-11  Oliver Hunt  <oliver@apple.com>
3890
3891         Add BuiltinLog function to make debugging builtins easier
3892         https://bugs.webkit.org/show_bug.cgi?id=131550
3893
3894         Reviewed by Andreas Kling.
3895
3896         Add a logging function that builtins can use for debugging.
3897
3898         * runtime/CommonIdentifiers.h:
3899         * runtime/JSGlobalObject.cpp:
3900         (JSC::JSGlobalObject::reset):
3901         * runtime/JSGlobalObjectFunctions.cpp:
3902         (JSC::globalFuncBuiltinLog):
3903         * runtime/JSGlobalObjectFunctions.h:
3904
3905 2014-04-11  Julien Brianceau  <jbriance@cisco.com>
3906
3907         Fix LLInt for sh4 architecture (broken since C stack merge).
3908         https://bugs.webkit.org/show_bug.cgi?id=131532
3909
3910         Reviewed by Mark Lam.
3911
3912         This patch fixes the build and also implements sh4 parts for initPCRelative and
3913         setEntryAddress macros introduced in http://trac.webkit.org/changeset/167094.
3914
3915         * llint/LowLevelInterpreter.asm:
3916         * llint/LowLevelInterpreter32_64.asm:
3917         * offlineasm/instructions.rb:
3918         * offlineasm/sh4.rb:
3919
3920 2014-04-10  Michael Saboff  <msaboff@apple.com>
3921
3922         Crash beneath DFG JIT code @ video.disney.com
3923         https://bugs.webkit.org/show_bug.cgi?id=131447
3924
3925         Reviewed by Geoffrey Garen.
3926
3927         The 32-bit path of speculateMisc() uses an 'is not int32' check followed by
3928         'tag not less than Undefined' check.  The first check was incorrectly elided if we
3929         knew that the value *was* an int32, when it should have been elided if we already
3930         knew that the value *was not* an int32.
3931
3932         * dfg/DFGSpeculativeJIT.cpp:
3933         (JSC::DFG::SpeculativeJIT::speculateMisc):
3934         * tests/stress/test-spec-misc.js: Added test.
3935         (getX):
3936         (foo):
3937         (bar):
3938
3939 2014-04-08  Filip Pizlo  <fpizlo@apple.com>
3940
3941         Make room for additional types in SpeculatedType.h
3942         https://bugs.webkit.org/show_bug.cgi?id=131422
3943
3944         Reviewed by Sam Weinig.
3945         
3946         This'll make it easier to add DoubleHeavyNaN and DoubleEmptyNaN.
3947
3948         * bytecode/SpeculatedType.h:
3949
3950 2014-04-10  Alex Christensen  <achristensen@webkit.org>
3951
3952         Compile fix for Win64.
3953         https://bugs.webkit.org/show_bug.cgi?id=131508
3954
3955         Reviewed by Geoffrey Garen.
3956
3957         * assembler/X86Assembler.h:
3958         (JSC::X86Assembler::fillNops):
3959         Added unsigned template parameter to distinguish between size_t and unsigned long.
3960
3961 2014-04-10  Michael Saboff  <msaboff@apple.com>
3962
3963         LLInt interpreter code should be generated as part of one function
3964         https://bugs.webkit.org/show_bug.cgi?id=131205
3965
3966         Reviewed by Mark Lam.
3967
3968         Changed the generation of llint opcodes so that they are all part of the same
3969         global function, llint_entry.  That function is used to fill in an entry point
3970         table that includes each of the opcodes and helpers.
3971
3972         * CMakeLists.txt:
3973         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
3974         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
3975         * JavaScriptCore.xcodeproj/project.pbxproj:
3976         Added appropriate use of new -I option to offline assembler and offset
3977         generator scripts.
3978
3979         * llint/LowLevelInterpreter.asm: