REGRESSION(r180595): construct varargs fails in FTL
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-02-25  Ryosuke Niwa  <rniwa@webkit.org>

        REGRESSION(r180595): construct varargs fails in FTL
        https://bugs.webkit.org/show_bug.cgi?id=142030

        Reviewed by Geoffrey Garen.

        The bug was caused by the IC size being too small for construct_varargs even though we've added a new argument.
        Fixed the bug by increasing the IC size to match call_varargs.

        * ftl/FTLInlineCacheSize.cpp:
        (JSC::FTL::sizeOfConstructVarargs):

2015-02-25  Mark Lam  <mark.lam@apple.com>

        ASan does not like JSC::MachineThreads::tryCopyOtherThreadStack.
        <https://webkit.org/b/141672>

        Reviewed by Alexey Proskuryakov.

        ASan does not like the fact that we memcpy the stack for GC scans.  So,
        we're working around this by using our own memcpy (asanUnsafeMemcpy)
        implementation that we can tell ASan to ignore.

        * heap/MachineStackMarker.cpp:
        (JSC::asanUnsafeMemcpy):

2015-02-25  Benjamin Poulain  <bpoulain@apple.com>

        CodeBlock crashes when dumping op_push_name_scope
        https://bugs.webkit.org/show_bug.cgi?id=141953

        Reviewed by Filip Pizlo and Csaba Osztrogonác.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * tests/stress/op-push-name-scope-crashes-profiler.js: Added.

2015-02-25  Benjamin Poulain  <benjamin@webkit.org>

        Make ParserError immutable by design
        https://bugs.webkit.org/show_bug.cgi?id=141955

        Reviewed by Geoffrey Garen.

        This patch enforces that no field of ParserError can
        be modified after the constructor.

        * parser/ParserError.h:
        Move the attributes to pack the integer + 2 bytes together.
        This is irrelevant for memory impact; it is to remove a load-store
        when copying by value.

        Also move the attributes to be private.

        (JSC::ParserError::isValid):
        For clients of the interface that cared about the type of the error,
        the only information needed was: is there an error.

        (JSC::ParserError::ParserError):
        (JSC::ParserError::syntaxErrorType):
        (JSC::ParserError::token):
        (JSC::ParserError::message):
        (JSC::ParserError::line):
        (JSC::ParserError::toErrorObject):
        * API/JSScriptRef.cpp:
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
        (JSC::UnlinkedFunctionExecutable::codeBlockFor):
        * bytecode/UnlinkedCodeBlock.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::parse):
        * jsc.cpp:
        (runInteractive):
        * parser/Parser.h:
        (JSC::parse):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CodeCache.h:
        * runtime/Completion.h:
        * runtime/Executable.cpp:
        (JSC::ProgramExecutable::checkSyntax):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createProgramCodeBlock):
        (JSC::JSGlobalObject::createEvalCodeBlock):

2015-02-25  Filip Pizlo  <fpizlo@apple.com>

        Need to pass RTLD_DEEPBIND to dlopen() to ensure that our LLVMOverrides take effect on Linux
        https://bugs.webkit.org/show_bug.cgi?id=142006

        Reviewed by Csaba Osztrogonác.

        This fixes hard-to-reproduce concurrency-related crashes when running stress tests with FTL and
        concurrent JIT enabled.

        * llvm/InitializeLLVMPOSIX.cpp:
        (JSC::initializeLLVMPOSIX):

2015-02-24  Filip Pizlo  <fpizlo@apple.com>

        CMake build of libllvmForJSC.so should limit its export list like the Xcode build does
        https://bugs.webkit.org/show_bug.cgi?id=141989

        Reviewed by Gyuyoung Kim.

        * CMakeLists.txt:
        * llvm/library/libllvmForJSC.version: Added.

2015-02-24  Alexey Proskuryakov  <ap@apple.com>

        More iOS build fix after r180602.

        * heap/Heap.h: Export Heap::machineThreads().

2015-02-24  Brent Fulgham  <bfulgham@apple.com>

        Unreviewed build fix after r180602.

        * heap/MachineStackMarker.h: Add missing 'no return'
        declaration for Windows.

2015-02-24  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r180599.
        https://bugs.webkit.org/show_bug.cgi?id=141998

        Lots of new test failures (Requested by smfr on #webkit).

        Reverted changeset:

        "Parsing support for -webkit-trailing-word"
        https://bugs.webkit.org/show_bug.cgi?id=141939
        http://trac.webkit.org/changeset/180599

2015-02-24  Mark Lam  <mark.lam@apple.com>

        MachineThreads::Thread clean up has a use after free race condition.
        <https://webkit.org/b/141990>

        Reviewed by Michael Saboff.

        MachineThreads::Thread clean up relies on the clean up mechanism
        implemented in _pthread_tsd_cleanup_key(), which looks like this:

        void _pthread_tsd_cleanup_key(pthread_t self, pthread_key_t key)
        {
            void (*destructor)(void *);
            if (_pthread_key_get_destructor(key, &destructor)) {
                void **ptr = &self->tsd[key];
                void *value = *ptr;

                // At this point, this thread has cached "destructor" and "value"
                // (which is a MachineThreads*).  If the VM gets destructed (along
                // with its MachineThreads registry) by another thread, then this
                // thread will have no way of knowing that the MachineThreads* is
                // now pointing to freed memory.  Calling the destructor below will
                // therefore result in a use after free scenario when it tries to
                // access the MachineThreads' data members.

                if (value) {
                    *ptr = NULL;
                    if (destructor) {
                        destructor(value);
                    }
                }
            }
        }

        The solution is simply to change MachineThreads from a per-VM thread
        registry to a process-global singleton thread registry, i.e. the
        MachineThreads registry is now immortal and we cannot have a use after
        free scenario since we never free it.

        The cost of this change is that all VM instances will have to scan
        stacks of all threads ever touched by a VM, and not just those that
        touched a specific VM.  However, stacks tend to be shallow.  Hence,
        those additional scans will tend to be cheap.

        Secondly, it is not common for there to be multiple JSC VMs in use
        concurrently on multiple threads.  Hence, this cost should rarely
        manifest in real world applications.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::machineThreads):
        (JSC::Heap::gatherStackRoots):
        * heap/Heap.h:
        (JSC::Heap::machineThreads): Deleted.
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::MachineThreads):
        (JSC::MachineThreads::~MachineThreads):
        (JSC::MachineThreads::addCurrentThread):
        * heap/MachineStackMarker.h:
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
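
An added example, not part of this ChangeLog and not JSC's code, modelling the design the entry above arrives at: a process-global, never-freed thread registry whose pthread TSD destructor can safely dereference the registry pointer it cached at registration time. All names in it (g_registry, addCurrentThread, removeThread, runWorkers) are constructed for the model.

```c
#include <pthread.h>
#include <stdlib.h>

/* Constructed model of the fix above (not JSC's own code): the thread registry is a process-global
 * singleton that is never freed, so the pointer a thread's TSD destructor cached can never dangle. */

typedef struct Thread {
    pthread_t handle;
    struct Thread* next;
} Thread;

typedef struct {
    pthread_mutex_t lock;
    pthread_key_t key;
    Thread* head;
    size_t count; /* threads currently registered */
} MachineThreads;

static MachineThreads g_registry = { PTHREAD_MUTEX_INITIALIZER }; /* immortal: static, never destroyed */
static pthread_once_t g_registryOnce = PTHREAD_ONCE_INIT;

/* TSD destructor, run when a registered thread exits. With a per-VM registry the cached `value`
 * could already have been freed by another thread (the race above); the singleton is always valid. */
static void removeThread(void* value)
{
    MachineThreads* registry = (MachineThreads*)value;
    pthread_t self = pthread_self();
    pthread_mutex_lock(&registry->lock);
    for (Thread** link = &registry->head; *link; link = &(*link)->next) {
        Thread* thread = *link;
        if (pthread_equal(thread->handle, self)) {
            *link = thread->next;
            free(thread);
            registry->count--;
            break;
        }
    }
    pthread_mutex_unlock(&registry->lock);
}

static void createRegistryKey(void)
{
    pthread_key_create(&g_registry.key, removeThread);
}

static MachineThreads* machineThreads(void)
{
    pthread_once(&g_registryOnce, createRegistryKey);
    return &g_registry;
}

/* Idempotent registration of the calling thread (cf. JSC's addCurrentThread). */
static void addCurrentThread(void)
{
    MachineThreads* registry = machineThreads();
    if (pthread_getspecific(registry->key))
        return; /* already registered on this thread */
    Thread* thread = calloc(1, sizeof *thread);
    if (!thread) abort();
    thread->handle = pthread_self();
    pthread_mutex_lock(&registry->lock);
    thread->next = registry->head;
    registry->head = thread;
    registry->count++;
    pthread_mutex_unlock(&registry->lock);
    pthread_setspecific(registry->key, registry); /* arms removeThread() for this thread */
}

static size_t registeredThreadCount(void)
{
    MachineThreads* registry = machineThreads();
    pthread_mutex_lock(&registry->lock);
    size_t n = registry->count;
    pthread_mutex_unlock(&registry->lock);
    return n;
}

/* A worker "touches a VM" by registering, then exits, which fires removeThread(). */
static void* worker(void* arg)
{
    addCurrentThread();
    return arg;
}

/* Spawn n workers and join them; returns how many are still registered (expected 0,
 * since each thread's TSD destructor has run by the time pthread_join() returns). */
static size_t runWorkers(size_t n)
{
    pthread_t* handles = calloc(n ? n : 1, sizeof *handles);
    if (!handles) abort();
    for (size_t i = 0; i < n; i++)
        pthread_create(&handles[i], NULL, worker, NULL);
    for (size_t i = 0; i < n; i++)
        pthread_join(handles[i], NULL);
    free(handles);
    return registeredThreadCount();
}

int main(void) { return (int)runWorkers(8); } /* exit status 0 when no thread is left behind */
```

The main thread never runs its destructor before exit, which is why registering it leaves the count at 1 for the rest of the process.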
201
202 2015-02-24  Myles C. Maxfield  <mmaxfield@apple.com>
203
204         [Mac] [iOS] Parsing support for -apple-trailing-word
205         https://bugs.webkit.org/show_bug.cgi?id=141939
206
207         Reviewed by Andreas Kling.
208
209         * Configurations/FeatureDefines.xcconfig:
210
211 2015-02-24  Ryosuke Niwa  <rniwa@webkit.org>
212
213         Use "this" instead of "callee" to get the constructor
214         https://bugs.webkit.org/show_bug.cgi?id=141019
215
216         Reviewed by Filip Pizlo.
217
218         This patch uses "this" register to pass the constructor (newTarget) to op_create_this from
219         op_construct or op_construct_varargs. This will allow future patches that implement ES6 class
220         to pass in the most derived class' constructor through "this" argument.
221
222         BytecodeGenerator's emitConstruct and emitConstructVarargs now passes thisRegister like
223         regular calls and emitCreateThis passes in this register to op_create_this as constructor.
224
225         The rest of the code change removes the code for special casing "this" register not being used
226         in call to construct.
227
228         * bytecode/BytecodeUseDef.h:
229         (JSC::computeUsesForBytecodeOffset):
230         * bytecompiler/BytecodeGenerator.cpp:
231         (JSC::BytecodeGenerator::emitCreateThis):
232         (JSC::BytecodeGenerator::emitConstructVarargs):
233         (JSC::BytecodeGenerator::emitConstruct):
234         * bytecompiler/BytecodeGenerator.h:
235         * bytecompiler/NodesCodegen.cpp:
236         (JSC::NewExprNode::emitBytecode):
237         * dfg/DFGByteCodeParser.cpp:
238         (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
239         (JSC::DFG::ByteCodeParser::handleVarargsCall):
240         (JSC::DFG::ByteCodeParser::emitArgumentPhantoms):
241         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
242         (JSC::DFG::ByteCodeParser::handleInlining):
243         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
244         (JSC::DFG::ByteCodeParser::parseBlock):
245         * dfg/DFGJITCode.cpp:
246         (JSC::DFG::JITCode::reconstruct):
247         * dfg/DFGSpeculativeJIT32_64.cpp:
248         (JSC::DFG::SpeculativeJIT::emitCall):
249         * dfg/DFGSpeculativeJIT64.cpp:
250         (JSC::DFG::SpeculativeJIT::emitCall):
251         * ftl/FTLJSCallVarargs.cpp:
252         (JSC::FTL::JSCallVarargs::emit):
253         * ftl/FTLLowerDFGToLLVM.cpp:
254         (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
255         (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
256         (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):
257         * interpreter/Interpreter.cpp:
258         (JSC::Interpreter::executeConstruct):
259         * jit/JITOperations.cpp:
260
261 2015-02-24  Joseph Pecoraro  <pecoraro@apple.com>
262
263         Web Inspector: Make Getter/Setter RemoteObject property and ObjectPreview handling consistent
264         https://bugs.webkit.org/show_bug.cgi?id=141587
265
266         Reviewed by Timothy Hatcher.
267
268         Convert getProperties(ownAndGetterProperties) to getDisplayableProperties().
269         Mark PropertyDescriptors that are presumed to be native getters / bindings
270         separately so that the frontend may display them differently.
271
272         * inspector/InjectedScript.cpp:
273         (Inspector::InjectedScript::getProperties):
274         (Inspector::InjectedScript::getDisplayableProperties):
275         * inspector/InjectedScript.h:
276         * inspector/InjectedScriptSource.js:
277         * inspector/agents/InspectorRuntimeAgent.cpp:
278         (Inspector::InspectorRuntimeAgent::getProperties):
279         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
280         * inspector/agents/InspectorRuntimeAgent.h:
281         * inspector/protocol/Runtime.json:
282
283 2015-02-24  Mark Lam  <mark.lam@apple.com>
284
285         Rolling out r179753.  The fix was invalid.
286         <https://webkit.org/b/141990>
287
288         Not reviewed.
289
290         * API/tests/testapi.mm:
291         (threadMain):
292         (useVMFromOtherThread): Deleted.
293         (useVMFromOtherThreadAndOutliveVM): Deleted.
294         * heap/Heap.cpp:
295         (JSC::Heap::Heap):
296         (JSC::Heap::~Heap):
297         (JSC::Heap::gatherStackRoots):
298         * heap/Heap.h:
299         (JSC::Heap::machineThreads):
300         * heap/MachineStackMarker.cpp:
301         (JSC::MachineThreads::Thread::Thread):
302         (JSC::MachineThreads::MachineThreads):
303         (JSC::MachineThreads::~MachineThreads):
304         (JSC::MachineThreads::addCurrentThread):
305         (JSC::MachineThreads::removeThread):
306         (JSC::MachineThreads::removeCurrentThread):
307         * heap/MachineStackMarker.h:
308
309 2015-02-24  Yusuke Suzuki  <utatane.tea@gmail.com>
310
311         Constructor returning null should construct an object instead of null
312         https://bugs.webkit.org/show_bug.cgi?id=141640
313
314         Reviewed by Filip Pizlo.
315
316         When constructor code doesn't return object, constructor should return `this` object instead.
317         Since we used `op_is_object` for this check and `op_is_object` is intended to be used for `typeof`,
318         it allows `null` as an object.
319         This patch fixes it by introducing an new bytecode `op_is_object_or_null` for `typeof` use cases.
320         Instead, constructor uses simplified `is_object`.
321
322         As a result, `op_is_object` becomes fairly simple. So we introduce optimization for `op_is_object`.
323
324         1. LLInt and baseline JIT support `op_is_object` as a fast path.
325         2. DFG abstract interpreter support `op_is_object`. And recognize its speculated type and read-write effects.
326         3. DFG introduces inlined asm for `op_is_object` rather than calling a C++ function.
327         4. FTL lowers DFG's IsObject into LLVM IR.
328
329         And at the same time, this patch fixes isString / isObject predicate used for `op_is_object` and others
330         in LLInt, JIT, DFG and FTL.
331         Before introducing ES6 Symbol, JSCell is only used for object and string in user observable area.
332         So in many places, when the cell is not object, we recognize it as a string, and vice versa.
333         However, now ES6 Symbol is implemented as a JSCell, this assumption is broken.
334         So this patch stop using !isString as isObject.
335         To check whether a cell is an object, instead of seeing that structure ID of a cell is not stringStructure,
336         we examine typeInfo in JSCell.
337
338         * JavaScriptCore.order:
339         * bytecode/BytecodeList.json:
340         * bytecode/BytecodeUseDef.h:
341         (JSC::computeUsesForBytecodeOffset):
342         (JSC::computeDefsForBytecodeOffset):
343         * bytecode/CodeBlock.cpp:
344         (JSC::CodeBlock::dumpBytecode):
345         * bytecode/PutByIdStatus.cpp:
346         (JSC::PutByIdStatus::computeFor):
347         * bytecompiler/BytecodeGenerator.cpp:
348         (JSC::BytecodeGenerator::emitEqualityOp):
349         (JSC::BytecodeGenerator::emitReturn):
350         * dfg/DFGAbstractInterpreterInlines.h:
351         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
352         * dfg/DFGByteCodeParser.cpp:
353         (JSC::DFG::ByteCodeParser::parseBlock):
354         * dfg/DFGCapabilities.cpp:
355         (JSC::DFG::capabilityLevel):
356         * dfg/DFGClobberize.h:
357         (JSC::DFG::clobberize):
358
359         IsObject operation only touches JSCell typeInfoType.
360         And this value would be changed through structure transition.
361         As a result, IsObject can report that it doesn't read any information.
362
363         * dfg/DFGConstantFoldingPhase.cpp:
364         (JSC::DFG::ConstantFoldingPhase::foldConstants):
365         * dfg/DFGDoesGC.cpp:
366         (JSC::DFG::doesGC):
367         * dfg/DFGFixupPhase.cpp:
368         (JSC::DFG::FixupPhase::fixupNode):
369
370         Just like IsString, IsObject is also fixed up.
371
372         * dfg/DFGHeapLocation.cpp:
373         (WTF::printInternal):
374         * dfg/DFGHeapLocation.h:
375         * dfg/DFGNodeType.h:
376         * dfg/DFGOperations.cpp:
377         * dfg/DFGOperations.h:
378         * dfg/DFGPredictionPropagationPhase.cpp:
379         (JSC::DFG::PredictionPropagationPhase::propagate):
380         * dfg/DFGSafeToExecute.h:
381         (JSC::DFG::safeToExecute):
382         * dfg/DFGSpeculativeJIT.cpp:
383         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
384         (JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality):
385         (JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality):
386         (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
387         (JSC::DFG::SpeculativeJIT::speculateObject):
388         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
389         (JSC::DFG::SpeculativeJIT::speculateString):
390         (JSC::DFG::SpeculativeJIT::speculateNotStringVar):
391         (JSC::DFG::SpeculativeJIT::emitSwitchChar):
392         (JSC::DFG::SpeculativeJIT::emitSwitchString):
393         (JSC::DFG::SpeculativeJIT::branchIsObject):
394         (JSC::DFG::SpeculativeJIT::branchNotObject):
395         (JSC::DFG::SpeculativeJIT::branchIsString):
396         (JSC::DFG::SpeculativeJIT::branchNotString):
397         * dfg/DFGSpeculativeJIT.h:
398         * dfg/DFGSpeculativeJIT32_64.cpp:
399         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
400         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
401         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
402         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
403         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
404         (JSC::DFG::SpeculativeJIT::compile):
405         * dfg/DFGSpeculativeJIT64.cpp:
406         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
407         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
408         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
409         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
410         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
411         (JSC::DFG::SpeculativeJIT::compile):
412         * ftl/FTLCapabilities.cpp:
413         (JSC::FTL::canCompile):
414         * ftl/FTLLowerDFGToLLVM.cpp:
415         (JSC::FTL::LowerDFGToLLVM::compileNode):
416         (JSC::FTL::LowerDFGToLLVM::compileToString):
417         (JSC::FTL::LowerDFGToLLVM::compileIsObject):
418         (JSC::FTL::LowerDFGToLLVM::compileIsObjectOrNull):
419         (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
420         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
421         (JSC::FTL::LowerDFGToLLVM::isObject):
422         (JSC::FTL::LowerDFGToLLVM::isNotObject):
423         (JSC::FTL::LowerDFGToLLVM::isNotString):
424         (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
425         * jit/JIT.cpp:
426         (JSC::JIT::privateCompileMainPass):
427         * jit/JIT.h:
428         * jit/JITInlines.h:
429         (JSC::JIT::emitJumpIfCellObject):
430         * jit/JITOpcodes.cpp:
431         (JSC::JIT::emit_op_is_object):
432         (JSC::JIT::emit_op_to_primitive):
433         * jit/JITOpcodes32_64.cpp:
434         (JSC::JIT::emit_op_is_object):
435         (JSC::JIT::emit_op_to_primitive):
436         (JSC::JIT::compileOpStrictEq):
437         * llint/LowLevelInterpreter.asm:
438         * llint/LowLevelInterpreter32_64.asm:
439         * llint/LowLevelInterpreter64.asm:
440         * runtime/CommonSlowPaths.cpp:
441         (JSC::SLOW_PATH_DECL):
442         * runtime/CommonSlowPaths.h:
443         * runtime/Operations.cpp:
444         (JSC::jsIsObjectTypeOrNull):
445         (JSC::jsIsObjectType): Deleted.
446         * runtime/Operations.h:
447         * tests/stress/constructor-with-return.js: Added.
448         (Test):
449
450         When constructor doesn't return an object, `this` should be returned instead.
451         In this test, we check all primitives. And test object, array and wrappers.
452
453         * tests/stress/dfg-to-primitive-pass-symbol.js: Added.
454         (toPrimitiveTarget):
455         (doToPrimitive):
456
457         op_to_primitive operation passes Symbol in fast path.
458
459 2015-02-24  Yusuke Suzuki  <utatane.tea@gmail.com>
460
461         REGRESSION(r179429): Can't type comments in Facebook
462         https://bugs.webkit.org/show_bug.cgi?id=141859
463
464         Reviewed by Brent Fulgham.
465
466         When window.Symbol is exposed to user-space pages,
467         Facebook's JavaScript use it (maybe, for immutable-js and React.js's unique key).
468         However, to work with Symbols completely, it also requires
469         1) Object.getOwnPropertySymbols (for mixin including Symbols)
470         2) the latest ES6 Iterator interface that uses Iterator.next and it returns { done: boolean, value: value }.
471         Since they are not landed yet, comments in Facebook don't work.
472
473         This patch introduces RuntimeFlags for JavaScriptCore.
474         Specifying SymbolEnabled flag under test runner and inspector to continue to work with Symbol.
475         And drop JavaScriptExperimentsEnabled flag
476         because it is no longer used and use case of this is duplicated to runtime flags.
477
478         * JavaScriptCore.order:
479         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
480         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
481         * JavaScriptCore.xcodeproj/project.pbxproj:
482         * jsc.cpp:
483         (GlobalObject::javaScriptRuntimeFlags):
484         (GlobalObject::javaScriptExperimentsEnabled): Deleted.
485         * runtime/JSGlobalObject.cpp:
486         (JSC::JSGlobalObject::JSGlobalObject):
487         (JSC::JSGlobalObject::init):
488         * runtime/JSGlobalObject.h:
489         (JSC::JSGlobalObject::finishCreation):
490         (JSC::JSGlobalObject::javaScriptRuntimeFlags):
491         (JSC::JSGlobalObject::javaScriptExperimentsEnabled): Deleted.
492         * runtime/RuntimeFlags.h: Added.
493         (JSC::RuntimeFlags::RuntimeFlags):
494         (JSC::RuntimeFlags::createAllEnabled):
495
496 2015-02-23  Filip Pizlo  <fpizlo@apple.com>
497
498         Our bizarre behavior on Arguments::defineOwnProperty should be deliberate rather than a spaghetti incident
499         https://bugs.webkit.org/show_bug.cgi?id=141951
500
501         Reviewed by Benjamin Poulain.
502         
503         This patch has no behavioral change, but it simplifies a bunch of wrong code. The code is
504         still wrong in exactly the same way, but at least it's obvious what's going on. The wrongness
505         is covered by this bug: https://bugs.webkit.org/show_bug.cgi?id=141952.
506
507         * runtime/Arguments.cpp:
508         (JSC::Arguments::copyBackingStore): We should only see the arguments token; assert otherwise. This works because if the GC sees the butterfly token it calls the JSObject::copyBackingStore method directly.
509         (JSC::Arguments::defineOwnProperty): Make our bizarre behavior deliberate rather than an accident of a decade of patches.
510         * tests/stress/arguments-bizarre-behavior.js: Added.
511         (foo):
512         * tests/stress/arguments-bizarre-behaviour-disable-enumerability.js: Added. My choice of spellings of the word "behavio[u]r" is almost as consistent as our implementation of arguments.
513         (foo):
514         * tests/stress/arguments-custom-properties-gc.js: Added. I added this test because at first I was unsure if we GCd arguments correctly.
515         (makeBaseArguments):
516         (makeArray):
517         (cons):
518
519 2015-02-23  Commit Queue  <commit-queue@webkit.org>
520
521         Unreviewed, rolling out r180547 and r180550.
522         https://bugs.webkit.org/show_bug.cgi?id=141957
523
524         Broke 10 Windows tests. (Requested by bfulgham_ on #webkit).
525
526         Reverted changesets:
527
528         "REGRESSION(r179429): Can't type comments in Facebook"
529         https://bugs.webkit.org/show_bug.cgi?id=141859
530         http://trac.webkit.org/changeset/180547
531
532         "Constructor returning null should construct an object instead
533         of null"
534         https://bugs.webkit.org/show_bug.cgi?id=141640
535         http://trac.webkit.org/changeset/180550
536
537 2015-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
538
539         Constructor returning null should construct an object instead of null
540         https://bugs.webkit.org/show_bug.cgi?id=141640
541
542         Reviewed by Geoffrey Garen.
543
544         When constructor code doesn't return object, constructor should return `this` object instead.
545         Since we used `op_is_object` for this check and `op_is_object` is intended to be used for `typeof`,
546         it allows `null` as an object.
547         This patch fixes it by introducing an new bytecode `op_is_object_or_null` for `typeof` use cases.
548         Instead, constructor uses simplified `is_object`.
549
550         As a result, `op_is_object` becomes fairly simple. So we introduce optimization for `op_is_object`.
551
552         1. LLInt and baseline JIT support `op_is_object` as a fast path.
553         2. DFG abstract interpreter support `op_is_object`. And recognize its speculated type and read-write effects.
554         3. DFG introduces inlined asm for `op_is_object` rather than calling a C++ function.
555         4. FTL lowers DFG's IsObject into LLVM IR.
556
557         And at the same time, this patch fixes isString / isObject predicate used for `op_is_object` and others
558         in LLInt, JIT, DFG and FTL.
559         Before introducing ES6 Symbol, JSCell is only used for object and string in user observable area.
560         So in many places, when the cell is not object, we recognize it as a string, and vice versa.
561         However, now ES6 Symbol is implemented as a JSCell, this assumption is broken.
562         So this patch stop using !isString as isObject.
563         To check whether a cell is an object, instead of seeing that structure ID of a cell is not stringStructure,
564         we examine typeInfo in JSCell.
565
566         * JavaScriptCore.order:
567         * bytecode/BytecodeList.json:
568         * bytecode/BytecodeUseDef.h:
569         (JSC::computeUsesForBytecodeOffset):
570         (JSC::computeDefsForBytecodeOffset):
571         * bytecode/CodeBlock.cpp:
572         (JSC::CodeBlock::dumpBytecode):
573         * bytecode/PutByIdStatus.cpp:
574         (JSC::PutByIdStatus::computeFor):
575         * bytecompiler/BytecodeGenerator.cpp:
576         (JSC::BytecodeGenerator::emitEqualityOp):
577         (JSC::BytecodeGenerator::emitReturn):
578         * dfg/DFGAbstractInterpreterInlines.h:
579         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
580         * dfg/DFGByteCodeParser.cpp:
581         (JSC::DFG::ByteCodeParser::parseBlock):
582         * dfg/DFGCapabilities.cpp:
583         (JSC::DFG::capabilityLevel):
584         * dfg/DFGClobberize.h:
585         (JSC::DFG::clobberize):
586
587         IsObject operation only touches JSCell typeInfoType.
588         And this value would not be changed through structure transition.
589         As a result, IsObject can report that it doesn't read any information.
590
591         * dfg/DFGDoesGC.cpp:
592         (JSC::DFG::doesGC):
593         * dfg/DFGFixupPhase.cpp:
594         (JSC::DFG::FixupPhase::fixupNode):
595
596         Just like IsString, IsObject is also fixed up.
597
598         * dfg/DFGHeapLocation.cpp:
599         (WTF::printInternal):
600         * dfg/DFGHeapLocation.h:
601         * dfg/DFGNodeType.h:
602         * dfg/DFGOperations.cpp:
603         * dfg/DFGOperations.h:
604         * dfg/DFGPredictionPropagationPhase.cpp:
605         (JSC::DFG::PredictionPropagationPhase::propagate):
606         * dfg/DFGSafeToExecute.h:
607         (JSC::DFG::safeToExecute):
608         * dfg/DFGSpeculativeJIT.cpp:
609         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
610         (JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality):
611         (JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality):
612         (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
613         (JSC::DFG::SpeculativeJIT::speculateObject):
614         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
615         (JSC::DFG::SpeculativeJIT::speculateString):
616         (JSC::DFG::SpeculativeJIT::speculateNotStringVar):
617         (JSC::DFG::SpeculativeJIT::emitSwitchChar):
618         (JSC::DFG::SpeculativeJIT::emitSwitchString):
619         (JSC::DFG::SpeculativeJIT::branchIsObject):
620         (JSC::DFG::SpeculativeJIT::branchNotObject):
621         (JSC::DFG::SpeculativeJIT::branchIsString):
622         (JSC::DFG::SpeculativeJIT::branchNotString):
623         * dfg/DFGSpeculativeJIT.h:
624         * dfg/DFGSpeculativeJIT32_64.cpp:
625         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
626         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
627         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
628         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
629         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
630         (JSC::DFG::SpeculativeJIT::compile):
631         * dfg/DFGSpeculativeJIT64.cpp:
632         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
633         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
634         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
635         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
636         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
637         (JSC::DFG::SpeculativeJIT::compile):
638         * ftl/FTLCapabilities.cpp:
639         (JSC::FTL::canCompile):
640         * ftl/FTLLowerDFGToLLVM.cpp:
641         (JSC::FTL::LowerDFGToLLVM::compileNode):
642         (JSC::FTL::LowerDFGToLLVM::compileToString):
643         (JSC::FTL::LowerDFGToLLVM::compileIsObject):
644         (JSC::FTL::LowerDFGToLLVM::compileIsObjectOrNull):
645         (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
646         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
647         (JSC::FTL::LowerDFGToLLVM::isObject):
648         (JSC::FTL::LowerDFGToLLVM::isNotObject):
649         (JSC::FTL::LowerDFGToLLVM::isNotString):
650         (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
651         * jit/JIT.cpp:
652         (JSC::JIT::privateCompileMainPass):
653         * jit/JIT.h:
654         * jit/JITInlines.h:
655         (JSC::JIT::emitJumpIfCellObject):
656         * jit/JITOpcodes.cpp:
657         (JSC::JIT::emit_op_is_object):
658         (JSC::JIT::emit_op_to_primitive):
659         * jit/JITOpcodes32_64.cpp:
660         (JSC::JIT::emit_op_is_object):
661         (JSC::JIT::emit_op_to_primitive):
662         (JSC::JIT::compileOpStrictEq):
663         * llint/LowLevelInterpreter.asm:
664         * llint/LowLevelInterpreter32_64.asm:
665         * llint/LowLevelInterpreter64.asm:
666         * runtime/CommonSlowPaths.cpp:
667         (JSC::SLOW_PATH_DECL):
668         * runtime/CommonSlowPaths.h:
669         * runtime/Operations.cpp:
670         (JSC::jsIsObjectTypeOrNull):
671         (JSC::jsIsObjectType): Deleted.
672         * runtime/Operations.h:
673
674 2015-02-23  Ryosuke Niwa  <rniwa@webkit.org>
675
676         Disable font loading events until our implementation gets updated to match the latest spec
677         https://bugs.webkit.org/show_bug.cgi?id=141938
678
679         Reviewed by Andreas Kling.
680
681         * Configurations/FeatureDefines.xcconfig:
682
683 2015-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
684
685         REGRESSION(r179429): Can't type comments in Facebook
686         https://bugs.webkit.org/show_bug.cgi?id=141859
687
688         Reviewed by Geoffrey Garen.
689
690         When window.Symbol is exposed to user-space pages,
691         Facebook's JavaScript uses it (maybe, for immutable-js and React.js's unique key).
692         However, to work with Symbols completely, it also requires
693         1) Object.getOwnPropertySymbols (for mixin including Symbols)
694         2) the latest ES6 Iterator interface that uses Iterator.next, which returns { done: boolean, value: value }.
695         Since they are not landed yet, comments in Facebook don't work.
696
697         This patch introduces RuntimeFlags for JavaScriptCore.
698         The SymbolEnabled flag is specified under the test runner and inspector so they continue to work with Symbol.
699         The JavaScriptExperimentsEnabled flag is dropped
700         because it is no longer used and its use case is duplicated by runtime flags.
701
702         * JavaScriptCore.order:
703         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
704         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
705         * JavaScriptCore.xcodeproj/project.pbxproj:
706         * jsc.cpp:
707         (GlobalObject::javaScriptRuntimeFlags):
708         (GlobalObject::javaScriptExperimentsEnabled): Deleted.
709         * runtime/JSGlobalObject.cpp:
710         (JSC::JSGlobalObject::JSGlobalObject):
711         (JSC::JSGlobalObject::init):
712         * runtime/JSGlobalObject.h:
713         (JSC::JSGlobalObject::finishCreation):
714         (JSC::JSGlobalObject::javaScriptRuntimeFlags):
715         (JSC::JSGlobalObject::javaScriptExperimentsEnabled): Deleted.
716         * runtime/RuntimeFlags.h: Added.
717         (JSC::RuntimeFlags::RuntimeFlags):
718         (JSC::RuntimeFlags::createAllEnabled):
719
720 2015-02-23  Benjamin Poulain  <bpoulain@apple.com>
721
722         Set the semantic origin of delayed SetLocal to the Bytecode that originated it
723         https://bugs.webkit.org/show_bug.cgi?id=141727
724
725         Reviewed by Filip Pizlo.
726
727         Previously, delayed SetLocals would have the NodeOrigin of the next
728         bytecode. This was because delayed SetLocal are...delayed... and
729         currentCodeOrigin() is the one where the node is emitted.
730
731         This made debugging a little awkward since the OSR exits on SetLocal
732         were reported for the next bytecode. This patch changes the semantic
733         origin to keep the original bytecode.
734
735         From benchmarks, this looks like it could be a tiny bit faster
736         but it is likely just noise.
737
738         * dfg/DFGByteCodeParser.cpp:
739         (JSC::DFG::ByteCodeParser::setDirect):
740         (JSC::DFG::ByteCodeParser::setLocal):
741         (JSC::DFG::ByteCodeParser::setArgument):
742         (JSC::DFG::ByteCodeParser::currentNodeOrigin):
743         (JSC::DFG::ByteCodeParser::addToGraph):
744         (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
745         (JSC::DFG::ByteCodeParser::DelayedSetLocal::execute):
746
747 2015-02-23  Benjamin Poulain  <bpoulain@apple.com>
748
749         Remove DFGNode::predictHeap()
750         https://bugs.webkit.org/show_bug.cgi?id=141864
751
752         Reviewed by Geoffrey Garen.
753
754         * dfg/DFGNode.h:
755         (JSC::DFG::Node::predictHeap): Deleted.
756         Unused code.
757
758 2015-02-23  Filip Pizlo  <fpizlo@apple.com>
759
760         Get rid of JSLexicalEnvironment::argumentsGetter
761         https://bugs.webkit.org/show_bug.cgi?id=141930
762
763         Reviewed by Mark Lam.
764         
765         This function is unused, and the way it's written is bizarre - it's a return statement that
766         dominates a bunch of dead code.
767
768         * runtime/JSLexicalEnvironment.cpp:
769         (JSC::JSLexicalEnvironment::argumentsGetter): Deleted.
770         * runtime/JSLexicalEnvironment.h:
771
772 2015-02-23  Filip Pizlo  <fpizlo@apple.com>
773
774         Remove unused activationCount and allTheThingsCount variable declarations.
775
776         Rubber stamped by Mark Lam and Michael Saboff.
777
778         * runtime/JSLexicalEnvironment.h:
779
780 2015-02-23  Saam Barati  <saambarati1@gmail.com>
781
782         Adjust the ranges of basic block statements in JSC's control flow profiler to be mutually exclusive
783         https://bugs.webkit.org/show_bug.cgi?id=141095
784
785         Reviewed by Mark Lam.
786
787         Suppose the control flow of a program forms basic block A with successor block
788         B. A's end offset will be the *same* as B's start offset in the current architecture 
789         of the control flow profiler. This makes reasoning about the text offsets of
790         the control flow profiler unsound. To make reasoning about offsets sound, all 
791         basic block ranges should be mutually exclusive.  All calls to emitProfileControlFlow 
792         now pass in the *start* of a basic block as the text offset argument. This simplifies 
793         all calls to emitProfileControlFlow because the previous implementation had a
794         lot of edge cases for getting the desired basic block text boundaries.
795
796         This patch also ensures that the basic block boundary of a block statement 
797         is exactly the block's open and close brace offsets (inclusive). For example,
798         in if/for/while statements. This also has the consequence that for statements 
799         like "if (cond) foo();", the whitespace preceding "foo()" is not part of 
800         the "foo()" basic block, but instead is part of the "if (cond) " basic block. 
801         This is okay because these text offsets aren't meant to be human readable.
802         Instead, they reflect the text offsets of JSC's AST nodes. The Web Inspector 
803         is the only client of this API and user of these text offsets and it is 
804         not negatively affected by this new behavior.
805
806         * bytecode/CodeBlock.cpp:
807         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
808         When computing basic block boundaries in CodeBlock, we ensure that every
809         block's end offset is one less than its successor's start offset to
810         maintain that boundaries' ranges should be mutually exclusive.
811
812         * bytecompiler/BytecodeGenerator.cpp:
813         (JSC::BytecodeGenerator::BytecodeGenerator):
814         Because the control flow profiler needs to know which functions
815         have executed, we can't lazily create functions. This was a bug 
816         from before that was hidden because the Type Profiler was always 
817         enabled when the control flow profiler was enabled when profiling 
818         was turned on from the Web Inspector. But, JSC allows for Control 
819         Flow profiling to be turned on without Type Profiling, so we need 
820         to ensure the Control Flow profiler has all the data it needs.
821
822         * bytecompiler/NodesCodegen.cpp:
823         (JSC::ConditionalNode::emitBytecode):
824         (JSC::IfElseNode::emitBytecode):
825         (JSC::WhileNode::emitBytecode):
826         (JSC::ForNode::emitBytecode):
827         (JSC::ForInNode::emitMultiLoopBytecode):
828         (JSC::ForOfNode::emitBytecode):
829         (JSC::TryNode::emitBytecode):
830         * jsc.cpp:
831         (functionHasBasicBlockExecuted):
832         We now assert that the substring argument is indeed a substring
833         of the function argument's text because subtle bugs could be
834         introduced otherwise.
835
836         * parser/ASTBuilder.h:
837         (JSC::ASTBuilder::setStartOffset):
838         * parser/Nodes.h:
839         (JSC::Node::setStartOffset):
840         * parser/Parser.cpp:
841         (JSC::Parser<LexerType>::parseBlockStatement):
842         (JSC::Parser<LexerType>::parseStatement):
843         (JSC::Parser<LexerType>::parseMemberExpression):
844         For the various function call AST nodes, their m_position member 
845         variable is now the start of the entire function call expression 
846         and not at the start of the open paren of the arguments list.
847
848         * runtime/BasicBlockLocation.cpp:
849         (JSC::BasicBlockLocation::getExecutedRanges):
850         * runtime/ControlFlowProfiler.cpp:
851         (JSC::ControlFlowProfiler::getBasicBlocksForSourceID):
852         Function ranges inserted as gaps should follow the same criteria
853         that the bytecode generator uses to ensure that basic blocks
854         start and end offsets are mutually exclusive.
855
856         * tests/controlFlowProfiler/brace-location.js: Added.
857         (foo):
858         (bar):
859         (baz):
860         (testIf):
861         (testForRegular):
862         (testForIn):
863         (testForOf):
864         (testWhile):
865         (testIfNoBraces):
866         (testForRegularNoBraces):
867         (testForInNoBraces):
868         (testForOfNoBraces):
869         (testWhileNoBraces):
870         * tests/controlFlowProfiler/conditional-expression.js: Added.
871         (foo):
872         (bar):
873         (baz):
874         (testConditionalBasic):
875         (testConditionalFunctionCall):
876         * tests/controlFlowProfiler/driver/driver.js:
877         (checkBasicBlock):
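
        The offset convention described in this entry, modelled as an added example
        (not JSC's own profiler code): block ranges are derived from each block's
        start offset, the old convention lets a successor's start coincide with its
        predecessor's end, and the new one makes every end offset one less than the
        next start so that each text offset maps to exactly one block. The sample
        source and block starts are constructed for the example.

```javascript
// Added example, not JSC code: model the basic-block offset convention
// from the control flow profiler change. A block is identified by the
// text offset at which it starts; its end offset is derived from the
// successor's start. Offsets are inclusive, as in the entry.

// Constructed sample: `if (cond) foo();` with blocks starting at "if" (0)
// and at "foo" (10). The whitespace before "foo" belongs to the first block.
const SAMPLE_SOURCE = 'if (cond) foo();';
const SAMPLE_BLOCK_STARTS = [0, 10];

// Old convention: a block's end offset equals its successor's start offset.
function rangesSharingBoundary(starts, sourceLength) {
  return starts.map((start, i) => ({
    start,
    end: i + 1 < starts.length ? starts[i + 1] : sourceLength,
  }));
}

// New convention: end offset is one less than the successor's start, so
// consecutive inclusive ranges never share a character.
function mutuallyExclusiveRanges(starts, sourceLength) {
  return starts.map((start, i) => ({
    start,
    end: i + 1 < starts.length ? starts[i + 1] - 1 : sourceLength - 1,
  }));
}

// True when no two inclusive ranges contain the same offset.
function areMutuallyExclusive(ranges) {
  const sorted = [...ranges].sort((a, b) => a.start - b.start);
  for (let i = 1; i < sorted.length; i++) {
    if (sorted[i].start <= sorted[i - 1].end) return false;
  }
  return true;
}

// Which blocks (by start offset) claim a given text offset? Under the old
// convention a boundary offset is claimed by two blocks; under the new one
// the answer is always a single block.
function blocksContaining(ranges, offset) {
  return ranges
    .filter((r) => r.start <= offset && offset <= r.end)
    .map((r) => r.start);
}

// The source text covered by each range, useful for eyeballing boundaries.
function textOfRanges(ranges, source) {
  return ranges.map((r) => source.slice(r.start, r.end + 1));
}

// Stand-alone run: compare both conventions on the constructed sample.
function compareConventions() {
  const oldRanges = rangesSharingBoundary(SAMPLE_BLOCK_STARTS, SAMPLE_SOURCE.length);
  const newRanges = mutuallyExclusiveRanges(SAMPLE_BLOCK_STARTS, SAMPLE_SOURCE.length);
  return {
    oldExclusive: areMutuallyExclusive(oldRanges),
    newExclusive: areMutuallyExclusive(newRanges),
    oldOwnersOfOffset10: blocksContaining(oldRanges, 10),
    newOwnersOfOffset10: blocksContaining(newRanges, 10),
    newTexts: textOfRanges(newRanges, SAMPLE_SOURCE),
  };
}
```

        Running compareConventions() shows offset 10 (the start of "foo") owned by
        both blocks under the old convention and only by the "foo();" block under
        the new one, with the new ranges splitting the sample into "if (cond) " and
        "foo();" exactly as the entry describes.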
878
879 2015-02-23  Matthew Mirman  <mmirman@apple.com>
880
881         r9 is volatile on ARMv7 for iOS 3 and up. 
882         https://bugs.webkit.org/show_bug.cgi?id=141489
883         rdar://problem/19432916
884
885         Reviewed by Michael Saboff.
886
887         * jit/RegisterSet.cpp: 
888         (JSC::RegisterSet::calleeSaveRegisters): removed r9 from the list of ARMv7 callee save registers.
889         * tests/stress/regress-141489.js: Added.
890         (foo):
891
892 2015-02-23  Csaba Osztrogonác  <ossy@webkit.org>
893
894         [ARM] Add the necessary setupArgumentsWithExecState after bug141915
895         https://bugs.webkit.org/show_bug.cgi?id=141921
896
897         Reviewed by Michael Saboff.
898
899         * jit/CCallHelpers.h:
900         (JSC::CCallHelpers::setupArgumentsWithExecState):
901
902 2015-02-23  Filip Pizlo  <fpizlo@apple.com>
903
904         Scopes should always be created with a previously-created symbol table rather than creating one on the fly
905         https://bugs.webkit.org/show_bug.cgi?id=141915
906
907         Reviewed by Mark Lam.
908         
909         The main effect of this change is that pushing name scopes no longer requires creating symbol
910         tables on the fly.
911         
912         This also makes it so that JSEnvironmentRecords must always have an a priori symbol table.
913         
914         JSSegmentedVariableObject still does a hack where it creates a blank symbol table on-demand.
915         This is needed because that's what JSGlobalObject and all of its many subclasses want. That's
916         harmless; I mainly needed a priori symbol tables for JSEnvironmentRecords anyway.
917
918         * bytecode/BytecodeList.json:
919         * bytecompiler/BytecodeGenerator.cpp:
920         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
921         (JSC::BytecodeGenerator::emitPushCatchScope):
922         * jit/CCallHelpers.h:
923         (JSC::CCallHelpers::setupArgumentsWithExecState):
924         * jit/JIT.h:
925         * jit/JITInlines.h:
926         (JSC::JIT::callOperation):
927         * jit/JITOpcodes.cpp:
928         (JSC::JIT::emit_op_push_name_scope):
929         * jit/JITOpcodes32_64.cpp:
930         (JSC::JIT::emit_op_push_name_scope):
931         * jit/JITOperations.cpp:
932         (JSC::pushNameScope):
933         * jit/JITOperations.h:
934         * llint/LLIntSlowPaths.cpp:
935         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
936         * llint/LowLevelInterpreter.asm:
937         * runtime/Executable.cpp:
938         (JSC::ScriptExecutable::newCodeBlockFor):
939         * runtime/JSCatchScope.h:
940         (JSC::JSCatchScope::JSCatchScope):
941         (JSC::JSCatchScope::create):
942         * runtime/JSEnvironmentRecord.h:
943         (JSC::JSEnvironmentRecord::JSEnvironmentRecord):
944         * runtime/JSFunctionNameScope.h:
945         (JSC::JSFunctionNameScope::JSFunctionNameScope):
946         (JSC::JSFunctionNameScope::create):
947         * runtime/JSNameScope.cpp:
948         (JSC::JSNameScope::create):
949         * runtime/JSNameScope.h:
950         (JSC::JSNameScope::create):
951         (JSC::JSNameScope::finishCreation):
952         (JSC::JSNameScope::JSNameScope):
953         * runtime/JSSegmentedVariableObject.h:
954         (JSC::JSSegmentedVariableObject::finishCreation):
955         * runtime/JSSymbolTableObject.h:
956         (JSC::JSSymbolTableObject::JSSymbolTableObject):
957         (JSC::JSSymbolTableObject::finishCreation): Deleted.
958         * runtime/SymbolTable.h:
959         (JSC::SymbolTable::createNameScopeTable):
960
961 2015-02-23  Filip Pizlo  <fpizlo@apple.com>
962
963         Add a comment to clarify that the test was taken from the bug report, in response to
964         feedback from Michael Saboff and Benjamin Poulain.
965         
966         * tests/stress/regress-141883.js:
967
968 2015-02-22  Filip Pizlo  <fpizlo@apple.com>
969
970         Function name scope is only created on the function instance that triggered parsing rather than on every function instance that needs it
971         https://bugs.webkit.org/show_bug.cgi?id=141881
972
973         Reviewed by Michael Saboff.
974         
975         Previously we only created the function name scope in a way that made it visible to the
976         function that triggered parsing/linking of the executable/codeBlock, and to the linker for
977         that code block. This was sort of the bare minimum for the feature to appear to work right to
978         synthetic tests.
979
980         There are two valid "times" to create the function name scope. Either it's created for each
981         JSFunction instance that needs a name scope, or it's created for each execution of such a
982         JSFunction. This change chooses the latter, because it happens to be the easiest to implement
983         with what we have right now. I opened a bug for optimizing this if we ever need to:
984         https://bugs.webkit.org/show_bug.cgi?id=141887.
985         
986         * bytecompiler/BytecodeGenerator.cpp:
987         (JSC::BytecodeGenerator::BytecodeGenerator):
988         * interpreter/Interpreter.cpp:
989         (JSC::Interpreter::execute):
990         (JSC::Interpreter::executeCall):
991         (JSC::Interpreter::executeConstruct):
992         (JSC::Interpreter::prepareForRepeatCall):
993         * jit/JITOperations.cpp:
994         * llint/LLIntSlowPaths.cpp:
995         (JSC::LLInt::setUpCall):
996         * runtime/ArrayPrototype.cpp:
997         (JSC::isNumericCompareFunction):
998         * runtime/Executable.cpp:
999         (JSC::ScriptExecutable::newCodeBlockFor):
1000         (JSC::ScriptExecutable::prepareForExecutionImpl):
1001         (JSC::FunctionExecutable::FunctionExecutable):
1002         * runtime/Executable.h:
1003         (JSC::ScriptExecutable::prepareForExecution):
1004         * runtime/JSFunction.cpp:
1005         (JSC::JSFunction::addNameScopeIfNeeded): Deleted.
1006         * runtime/JSFunction.h:
1007         * tests/stress/function-name-scope.js: Added.
1008         (check.verify):
1009         (check):
1010
1011 2015-02-22  Filip Pizlo  <fpizlo@apple.com>
1012
1013         Crash in DFGFrozenValue
1014         https://bugs.webkit.org/show_bug.cgi?id=141883
1015
1016         Reviewed by Benjamin Poulain.
1017         
1018         If a value might be a cell, then we have to have Graph freeze it rather than trying to
1019         create the FrozenValue directly. Creating it directly is just an optimization for when you
1020         know for sure that it cannot be a cell.
1021
1022         * dfg/DFGAbstractInterpreterInlines.h:
1023         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1024         * tests/stress/regress-141883.js: Added. Hacked the original test to be faster while still crashing before this fix.
1025
1026 2015-02-21  Joseph Pecoraro  <pecoraro@apple.com>
1027
1028         Web Inspector: Generate Previews more often for RemoteObject interaction
1029         https://bugs.webkit.org/show_bug.cgi?id=141875
1030
1031         Reviewed by Timothy Hatcher.
1032
1033         * inspector/protocol/Runtime.json:
1034         Add generatePreview to getProperties.
1035
1036         * inspector/InjectedScript.cpp:
1037         (Inspector::InjectedScript::getProperties):
1038         (Inspector::InjectedScript::getInternalProperties):
1039         * inspector/InjectedScript.h:
1040         * inspector/agents/InspectorRuntimeAgent.cpp:
1041         (Inspector::InspectorRuntimeAgent::getProperties):
1042         * inspector/agents/InspectorRuntimeAgent.h:
1043         Plumb the generatePreview boolean through to the injected script.
1044
1045         * inspector/InjectedScriptSource.js:
1046         Add generatePreview for getProperties.
1047         Fix callFunctionOn to generatePreviews if asked.
1048
1049 2015-02-20  Mark Lam  <mark.lam@apple.com>
1050
1051         Refactor JSWrapperMap.mm to defer creation of the ObjC JSValue until the latest possible moment.
1052         <https://webkit.org/b/141856>
1053
1054         Reviewed by Geoffrey Garen.
1055
1056         1. Make JSObjCClassInfo's -constructor and -wrapperForObject return a
1057            JSC::JSObject* just like -prototype.
1058         2. Defer the creation of the ObjC JSValue from JSC::JSObject* until
1059            the latest moment when it is needed.  This allows us to not have to
1060            keep converting back to a JSC::JSObject* in intermediate code.
1061
1062         * API/JSWrapperMap.mm:
1063         (makeWrapper):
1064         (objectWithCustomBrand):
1065         (constructorWithCustomBrand):
1066         (allocateConstructorForCustomClass):
1067         (-[JSObjCClassInfo allocateConstructorAndPrototype]):
1068         (-[JSObjCClassInfo wrapperForObject:]):
1069         (-[JSObjCClassInfo constructor]):
1070         (-[JSWrapperMap jsWrapperForObject:]):
1071
1072 2015-02-20  Filip Pizlo  <fpizlo@apple.com>
1073
1074         Build fix for gcc.
1075
1076         * runtime/JSNameScope.cpp:
1077         (JSC::JSNameScope::create):
1078
1079 2015-02-20  Filip Pizlo  <fpizlo@apple.com>
1080
1081         Get rid of JSNameScope::m_type
1082         https://bugs.webkit.org/show_bug.cgi?id=141851
1083
1084         Reviewed by Geoffrey Garen.
1085         
1086         This is a big step towards getting rid of JSEnvironmentRecord::m_registers. To do it we need
1087         to ensure that subclasses of JSEnvironmentRecord never have additional C++ fields, so that
1088         JSEnvironmentRecord can always place "registers" right after the end of itself.
1089
1090         * CMakeLists.txt:
1091         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1092         * JavaScriptCore.xcodeproj/project.pbxproj:
1093         * debugger/DebuggerScope.cpp:
1094         (JSC::DebuggerScope::isCatchScope):
1095         (JSC::DebuggerScope::isFunctionNameScope):
1096         * interpreter/Interpreter.cpp:
1097         (JSC::Interpreter::execute):
1098         * jit/JITOperations.cpp:
1099         * llint/LLIntSlowPaths.cpp:
1100         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1101         * runtime/JSCatchScope.cpp: Added.
1102         * runtime/JSCatchScope.h: Added.
1103         (JSC::JSCatchScope::JSCatchScope):
1104         (JSC::JSCatchScope::create):
1105         (JSC::JSCatchScope::createStructure):
1106         * runtime/JSFunction.cpp:
1107         (JSC::JSFunction::addNameScopeIfNeeded):
1108         * runtime/JSFunctionNameScope.cpp: Added.
1109         * runtime/JSFunctionNameScope.h: Added.
1110         (JSC::JSFunctionNameScope::JSFunctionNameScope):
1111         (JSC::JSFunctionNameScope::create):
1112         (JSC::JSFunctionNameScope::createStructure):
1113         * runtime/JSGlobalObject.cpp:
1114         (JSC::JSGlobalObject::init):
1115         (JSC::JSGlobalObject::visitChildren):
1116         * runtime/JSGlobalObject.h:
1117         (JSC::JSGlobalObject::catchScopeStructure):
1118         (JSC::JSGlobalObject::functionNameScopeStructure):
1119         (JSC::JSGlobalObject::nameScopeStructure): Deleted.
1120         * runtime/JSNameScope.cpp:
1121         (JSC::JSNameScope::create):
1122         * runtime/JSNameScope.h:
1123         (JSC::JSNameScope::create):
1124         (JSC::JSNameScope::JSNameScope):
1125         (JSC::JSNameScope::createStructure): Deleted.
1126         (JSC::JSNameScope::isFunctionNameScope): Deleted.
1127         (JSC::JSNameScope::isCatchScope): Deleted.
1128         * runtime/JSObject.cpp:
1129         (JSC::JSObject::isCatchScopeObject):
1130         (JSC::JSObject::isFunctionNameScopeObject):
1131         * runtime/JSObject.h:
1132
1133 2015-02-20  Mark Lam  <mark.lam@apple.com>
1134
1135         [JSObjCClassInfo reallocateConstructorAndOrPrototype] should also reallocate super class prototype chain.
1136         <https://webkit.org/b/141809>
1137
1138         Reviewed by Geoffrey Garen.
1139
1140         An ObjC class that implements the JSExport protocol will have a JS prototype
1141         chain and constructor automatically synthesized for its JS wrapper object.
1142         However, if there are no more instances of that ObjC class reachable by a
1143         JS GC root scan, then its synthesized prototype chain and constructors may
1144         be released by the GC.  If a new instance of that ObjC class is subsequently
1145         instantiated, then [JSObjCClassInfo reallocateConstructorAndOrPrototype]
1146         should re-construct the prototype chain and constructor (if they were
1147         previously released).  However, the current implementation only
1148         re-constructs the immediate prototype, but not every other prototype
1149         object upstream in the prototype chain.
1150
1151         To fix this, we do the following:
1152         1. We no longer allocate the JSObjCClassInfo's prototype and constructor
1153            eagerly.  Hence, -initWithContext:forClass: will no longer call
1154            -allocateConstructorAndPrototypeWithSuperClassInfo:.
1155         2. Instead, we'll always access the prototype and constructor thru
1156            accessor methods.  The accessor methods will call
1157            -allocateConstructorAndPrototype: if needed.
1158         3. -allocateConstructorAndPrototype: will fetch the needed superClassInfo
1159            from the JSWrapperMap itself.  This makes it so that we no longer
1160            need to pass the superClassInfo all over.
1161         4. -allocateConstructorAndPrototype: will get the super class prototype
1162            by invoking -prototype: on the superClassInfo, thereby allowing the
1163            super class to allocate its prototype and constructor if needed and
1164            fixing the issue in this bug.
1165
1166         5. Also removed the GC warning comments, and ensured that needed JS
1167            objects are kept alive by having a local var pointing to them from the
1168            stack (which makes a GC root).
1169
1170         * API/JSWrapperMap.mm:
1171         (-[JSObjCClassInfo initWithContext:forClass:]):
1172         (-[JSObjCClassInfo allocateConstructorAndPrototype]):
1173         (-[JSObjCClassInfo wrapperForObject:]):
1174         (-[JSObjCClassInfo constructor]):
1175         (-[JSObjCClassInfo prototype]):
1176         (-[JSWrapperMap classInfoForClass:]):
1177         (-[JSObjCClassInfo initWithContext:forClass:superClassInfo:]): Deleted.
1178         (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]): Deleted.
1179         (-[JSObjCClassInfo reallocateConstructorAndOrPrototype]): Deleted.
1180         * API/tests/Regress141809.h: Added.
1181         * API/tests/Regress141809.mm: Added.
1182         (-[TestClassB name]):
1183         (-[TestClassC name]):
1184         (runRegress141809):
1185         * API/tests/testapi.mm:
1186         * JavaScriptCore.xcodeproj/project.pbxproj:
1187
1188 2015-02-20  Alexey Proskuryakov  <ap@apple.com>
1189
1190         Remove svn:keywords property.
1191
1192         As far as I can tell, the property had no effect on any of these files, but also,
1193         when it has effect it's likely harmful.
1194
1195         * builtins/ArrayConstructor.js: Removed property svn:keywords.
1196
1197 2015-02-20  Michael Saboff  <msaboff@apple.com>
1198
1199         DFG JIT needs to check for stack overflow at the start of Program and Eval execution
1200         https://bugs.webkit.org/show_bug.cgi?id=141676
1201
1202         Reviewed by Filip Pizlo.
1203
1204         Added stack check to the beginning of the code the DFG compiler emits for Program and Eval nodes.
1205         To aid in testing the code, I replaced the EvalCodeCache::maxCacheableSourceLength const
1206         with an option in runtime/Options.h.  The test script, run-jsc-stress-tests, sets that option
1207         to a huge value when running with the "Eager" options.  This allows the updated test to 
1208         reliably exercise the code in question.
1209
1210         * dfg/DFGJITCompiler.cpp:
1211         (JSC::DFG::JITCompiler::compile):
1212         Added stack check.
1213
1214         * bytecode/EvalCodeCache.h:
1215         (JSC::EvalCodeCache::tryGet):
1216         (JSC::EvalCodeCache::getSlow):
1217         * runtime/Options.h:
1218         Replaced EvalCodeCache::maxCacheableSourceLength with Options::maximumEvalCacheableSourceLength
1219         so that it can be configured when running the related test.
1220
1221 2015-02-20  Eric Carlson  <eric.carlson@apple.com>
1222
1223         [iOS] cleanup AirPlay code
1224         https://bugs.webkit.org/show_bug.cgi?id=141811
1225
1226         Reviewed by Jer Noble.
1227
1228         * Configurations/FeatureDefines.xcconfig: IOS_AIRPLAY -> WIRELESS_PLAYBACK_TARGET.
1229
1230 2015-02-19  Dean Jackson  <dino@apple.com>
1231
1232         ES6: Implement Array.from()
1233         https://bugs.webkit.org/show_bug.cgi?id=141054
1234         <rdar://problem/19654521>
1235
1236         Reviewed by Filip Pizlo.
1237
1238         Implement the Array.from() ES6 method
1239         as defined in Section 22.1.2.1 of the specification.
1240
1241         Given that we can't rely on the built-in
1242         global functions or objects to be untainted,
1243         I had to expose a few of them directly to
1244         the function via private names. In particular:
1245         - Math.floor -> @floor
1246         - Math.abs -> @abs
1247         - Number -> @Number
1248         - Array -> @Array
1249         - isFinite -> @isFinite
1250
1251         * builtins/ArrayConstructor.js: Added.
1252         (from): Implementation of Array.from in JavaScript.
1253         * runtime/ArrayConstructor.cpp: Add "from" to the lookup
1254         table for the constructor object.
1255         * runtime/CommonIdentifiers.h: Add the private versions
1256         of the identifiers listed above.
1257         * runtime/JSGlobalObject.cpp: Add the implementations of
1258         those identifiers to the global object (using their
1259         private names).
1260         (JSC::JSGlobalObject::init):
1261         * runtime/JSGlobalObjectFunctions.cpp:
1262         (JSC::globalPrivateFuncAbs): Implementation of the abs function.
1263         (JSC::globalPrivateFuncFloor): Implementation of the floor function.
1264         * runtime/JSGlobalObjectFunctions.h:
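
        Why a built-in written in JavaScript has to reach its helpers through
        private names, as an added example (not JSC's builtins/ArrayConstructor.js
        and not the real @floor/@abs/@isFinite/@Number/@Array bindings): two
        reduced array-like-only versions of `from`, one that reads Math.floor and
        friends from the globals at call time and one that captured them once at
        definition time, run against the same input after page script has replaced
        Math.floor. The array-like input and the tampering are constructed for the
        example.

```javascript
// Added example, not JSC code. Stand-in for the "private names" technique
// the entry describes: a built-in implemented in JS must not trust the
// public globals, because page script can replace them before the
// built-in runs.

// makeArrayFrom builds a reduced Array.from that handles array-likes only
// (no iterator protocol, no mapFn). `lookup` supplies the helpers it uses;
// the difference between the two versions below is solely when the lookup
// happens.
function makeArrayFrom(lookup) {
  return function from(items) {
    const b = lookup();
    // ToInteger-style length computation, written in terms of the helpers.
    const n = b.Number(items.length);
    let len;
    if (n !== n) len = 0; // NaN
    else if (n === 0 || !b.isFinite(n)) len = n;
    else len = (n < 0 ? -1 : 1) * b.floor(b.abs(n));
    if (len < 0) len = 0;
    // The full ToLength clamp to 2^53 - 1 is omitted in this reduced version.
    const result = new b.Array(len);
    for (let k = 0; k < len; k++) result[k] = items[k];
    return result;
  };
}

// Naive: resolves the globals on every call, so later tampering is visible.
const naiveArrayFrom = makeArrayFrom(() => ({
  floor: Math.floor,
  abs: Math.abs,
  isFinite,
  Number,
  Array,
}));

// Hardened: the helpers were captured once, here, playing the role of the
// @floor, @abs, @isFinite, @Number and @Array private names (hypothetical
// stand-ins; the engine binds the real ones at global object creation).
const PRIVATE_HELPERS = Object.freeze({
  floor: Math.floor,
  abs: Math.abs,
  isFinite,
  Number,
  Array,
});
const hardenedArrayFrom = makeArrayFrom(() => PRIVATE_HELPERS);

// Constructed scenario: page script swaps Math.floor for a function that
// lies, then both versions process the same array-like. Math.floor is
// restored afterwards so the rest of the program is unaffected.
function demonstrateTampering() {
  const arrayLike = { length: 2.5, 0: 'a', 1: 'b', 2: 'c', 3: 'd' };
  const originalFloor = Math.floor;
  Math.floor = () => 4;
  try {
    return {
      naive: naiveArrayFrom(arrayLike).length,
      hardened: hardenedArrayFrom(arrayLike).length,
    };
  } finally {
    Math.floor = originalFloor;
  }
}
```

        With Math.floor replaced, the naive version believes the length is 4 and
        copies two elements the caller never asked for, while the hardened version
        still computes 2. The same reasoning applies to every other global the
        built-in touches, which is why the entry exposes all five of them privately.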
1265
1266 2015-02-19  Benjamin Poulain  <bpoulain@apple.com>
1267
1268         Refine the FTL part of ArithPow
1269         https://bugs.webkit.org/show_bug.cgi?id=141792
1270
1271         Reviewed by Filip Pizlo.
1272
1273         This patch refines the FTL lowering of ArithPow. This was left out
1274         of the original patch to keep it simpler.
1275
1276         * ftl/FTLLowerDFGToLLVM.cpp:
1277         (JSC::FTL::LowerDFGToLLVM::compileArithPow):
1278         Two improvements here:
1279         1) Do not generate the NaN check unless we know the exponent might be a NaN.
1280         2) Use one BasicBlock per check with the appropriate weight. Now that we have
1281            one branch per test, move the Infinity check before the check for 1 since
1282            it is the less common case.
1283
1284         * tests/stress/math-pow-becomes-custom-function.js: Added.
1285         Test for changing the Math.pow() function after it has been optimized.
1286
1287         * tests/stress/math-pow-nan-behaviors.js:
1288         The previous tests were only going as far as the DFGAbstractInterpreter
1289         where the operations were replaced by the equivalent constant.
1290
1291         I duplicated the test functions to also test the dynamic behavior of DFG
1292         and FTL.
1293
1294         * tests/stress/math-pow-with-constants.js:
1295         Add cases covering exponent constants. LLVM removes many value
1296         checks for those.
1297
1298         * tests/stress/math-pow-with-never-NaN-exponent.js: Added.
1299         Test for the new optimization removing the NaN check.
1300
1301 2015-02-19  Csaba Osztrogonác  <ossy@webkit.org>
1302
1303         REGRESSION(r180279): It broke 20 tests on ARM Linux
1304         https://bugs.webkit.org/show_bug.cgi?id=141771
1305
1306         Reviewed by Filip Pizlo.
1307
1308         * dfg/DFGSpeculativeJIT.h:
1309         (JSC::DFG::SpeculativeJIT::callOperation): Align 64-bit values to respect ARM EABI.
1310
1311 2015-02-18  Benjamin Poulain  <bpoulain@apple.com>
1312
1313         Remove BytecodeGenerator's numberMap, it is dead code
1314         https://bugs.webkit.org/show_bug.cgi?id=141779
1315
1316         Reviewed by Filip Pizlo.
1317
1318         * bytecompiler/BytecodeGenerator.cpp:
1319         (JSC::BytecodeGenerator::emitLoad): Deleted.
1320         * bytecompiler/BytecodeGenerator.h:
1321         The JSValueMap seems better in every way.
1322
1323         The emitLoad() taking a double was the only way to use numberMap
1324         and that code has no caller.
1325
1326 2015-02-18  Michael Saboff  <msaboff@apple.com>
1327
1328         Rollout r180247 & r180249 from trunk
1329         https://bugs.webkit.org/show_bug.cgi?id=141773
1330
1331         Reviewed by Filip Pizlo.
1332
1333         These changes make sense to fix the crash reported in https://bugs.webkit.org/show_bug.cgi?id=141730
1334         only for branches.  The change to fail the FTL compile but continue running is not comprehensive
1335         enough for general use on trunk.
1336
1337         * dfg/DFGPlan.cpp:
1338         (JSC::DFG::Plan::compileInThreadImpl):
1339         * ftl/FTLLowerDFGToLLVM.cpp:
1340         (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
1341         (JSC::FTL::LowerDFGToLLVM::lower):
1342         (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
1343         (JSC::FTL::LowerDFGToLLVM::compileNode):
1344         (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
1345         (JSC::FTL::LowerDFGToLLVM::compilePhi):
1346         (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
1347         (JSC::FTL::LowerDFGToLLVM::compileValueRep):
1348         (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
1349         (JSC::FTL::LowerDFGToLLVM::compilePutLocal):
1350         (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
1351         (JSC::FTL::LowerDFGToLLVM::compileArithMul):
1352         (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
1353         (JSC::FTL::LowerDFGToLLVM::compileArithMod):
1354         (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
1355         (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
1356         (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
1357         (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
1358         (JSC::FTL::LowerDFGToLLVM::compileGetById):
1359         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
1360         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
1361         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
1362         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
1363         (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
1364         (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
1365         (JSC::FTL::LowerDFGToLLVM::compileNewArray):
1366         (JSC::FTL::LowerDFGToLLVM::compileToString):
1367         (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
1368         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
1369         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
1370         (JSC::FTL::LowerDFGToLLVM::compileSwitch):
1371         (JSC::FTL::LowerDFGToLLVM::compare):
1372         (JSC::FTL::LowerDFGToLLVM::boolify):
1373         (JSC::FTL::LowerDFGToLLVM::opposite):
1374         (JSC::FTL::LowerDFGToLLVM::lowJSValue):
1375         (JSC::FTL::LowerDFGToLLVM::speculate):
1376         (JSC::FTL::LowerDFGToLLVM::isArrayType):
1377         (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
1378         (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
1379         (JSC::FTL::LowerDFGToLLVM::setInt52):
1380         (JSC::FTL::lowerDFGToLLVM):
1381         (JSC::FTL::LowerDFGToLLVM::loweringFailed): Deleted.
1382         * ftl/FTLLowerDFGToLLVM.h:
1383
1384 2015-02-18  Filip Pizlo  <fpizlo@apple.com>
1385
1386         DFG should really support varargs
1387         https://bugs.webkit.org/show_bug.cgi?id=141332
1388
1389         Reviewed by Oliver Hunt.
1390         
1391         This adds comprehensive vararg call support to the DFG and FTL compilers. Previously, if a
1392         function had a varargs call, then it could only be compiled if that varargs call was just
1393         forwarding arguments and we were inlining the function rather than compiling it directly. Also,
1394         only varargs calls were dealt with; varargs constructs were not.
1395         
1396         This lifts all of those restrictions. Every varargs call or construct can now be compiled by both
1397         the DFG and the FTL. Those calls can also be inlined, too - provided that profiling gives us a
1398         sensible bound on arguments list length. When we inline a varargs call, the act of loading the
1399         varargs is now made explicit in IR. I believe that we have enough IR machinery in place that we
1400         would be able to do the arguments forwarding optimization as an IR transformation. This patch
1401         doesn't implement that yet, and keeps the old bytecode-based varargs argument forwarding
1402         optimization for now.
1403         
1404         There are three major IR features introduced in this patch:
1405         
1406         CallVarargs/ConstructVarargs: these are like Call/Construct except that they take an arguments
1407         array rather than a list of arguments. Currently, they splat this arguments array onto the stack
1408         using the same basic technique as the baseline JIT has always done. Except, these nodes indicate
1409         that we are not interested in doing the non-escaping "arguments" optimization.
1410         
1411         CallForwardVarargs: this is a form of CallVarargs that just does the non-escaping "arguments"
1412         optimization, aka forwarding arguments. It's somewhat lazy that this doesn't include
1413         ConstructForwardVarargs, but the reason is that once we eliminate the lazy tear-off for
1414         arguments, this whole thing will have to be tweaked - and for now forwarding on construct is just
1415         not important in benchmarks. ConstructVarargs will still do forwarding, just not inlined.
1416         
1417         LoadVarargs: loads all elements out of an array onto the stack in a manner suitable for a varargs
1418         call. This is used only when a varargs call (or construct) was inlined. The bytecode parser will
1419         make room on the stack for the arguments, and will use LoadVarargs to put those arguments into
1420         place.
1421         
1422         In the future, we can consider adding strength reductions like:
1423         
1424         - If CallVarargs/ConstructVarargs see an array of known size with known elements, turn them into
1425           Call/Construct.
1426         
1427         - If CallVarargs/ConstructVarargs are passed an unmodified, unescaped Arguments object, then
1428           turn them into CallForwardVarargs/ConstructForwardVarargs.
1429         
1430         - If LoadVarargs sees an array of known size, then turn it into a sequence of GetByVals and
1431           PutLocals.
1432         
1433         - If LoadVarargs sees an unmodified, unescaped Arguments object, then turn it into something like
1434           LoadForwardVarargs.
1435         
1436         - If CallVarargs/ConstructVarargs/LoadVarargs see the result of a splice (or other Array
1437           prototype function), then do the splice and varargs loading in one go (maybe via a new node
1438           type).
1439
1440         * CMakeLists.txt:
1441         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1442         * JavaScriptCore.xcodeproj/project.pbxproj:
1443         * assembler/MacroAssembler.h:
1444         (JSC::MacroAssembler::rshiftPtr):
1445         (JSC::MacroAssembler::urshiftPtr):
1446         * assembler/MacroAssemblerARM64.h:
1447         (JSC::MacroAssemblerARM64::urshift64):
1448         * assembler/MacroAssemblerX86_64.h:
1449         (JSC::MacroAssemblerX86_64::urshift64):
1450         * assembler/X86Assembler.h:
1451         (JSC::X86Assembler::shrq_i8r):
1452         * bytecode/CallLinkInfo.h:
1453         (JSC::CallLinkInfo::CallLinkInfo):
1454         * bytecode/CallLinkStatus.cpp:
1455         (JSC::CallLinkStatus::computeFor):
1456         (JSC::CallLinkStatus::setProvenConstantCallee):
1457         (JSC::CallLinkStatus::dump):
1458         * bytecode/CallLinkStatus.h:
1459         (JSC::CallLinkStatus::maxNumArguments):
1460         (JSC::CallLinkStatus::setIsProved): Deleted.
1461         * bytecode/CodeOrigin.cpp:
1462         (WTF::printInternal):
1463         * bytecode/CodeOrigin.h:
1464         (JSC::InlineCallFrame::varargsKindFor):
1465         (JSC::InlineCallFrame::specializationKindFor):
1466         (JSC::InlineCallFrame::isVarargs):
1467         (JSC::InlineCallFrame::isNormalCall): Deleted.
1468         * bytecode/ExitKind.cpp:
1469         (JSC::exitKindToString):
1470         * bytecode/ExitKind.h:
1471         * bytecode/ValueRecovery.cpp:
1472         (JSC::ValueRecovery::dumpInContext):
1473         * dfg/DFGAbstractInterpreterInlines.h:
1474         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1475         * dfg/DFGArgumentsSimplificationPhase.cpp:
1476         (JSC::DFG::ArgumentsSimplificationPhase::run):
1477         * dfg/DFGByteCodeParser.cpp:
1478         (JSC::DFG::ByteCodeParser::flush):
1479         (JSC::DFG::ByteCodeParser::addCall):
1480         (JSC::DFG::ByteCodeParser::handleCall):
1481         (JSC::DFG::ByteCodeParser::handleVarargsCall):
1482         (JSC::DFG::ByteCodeParser::emitFunctionChecks):
1483         (JSC::DFG::ByteCodeParser::inliningCost):
1484         (JSC::DFG::ByteCodeParser::inlineCall):
1485         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
1486         (JSC::DFG::ByteCodeParser::handleInlining):
1487         (JSC::DFG::ByteCodeParser::handleMinMax):
1488         (JSC::DFG::ByteCodeParser::handleIntrinsic):
1489         (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
1490         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1491         (JSC::DFG::ByteCodeParser::parseBlock):
1492         (JSC::DFG::ByteCodeParser::removeLastNodeFromGraph): Deleted.
1493         (JSC::DFG::ByteCodeParser::undoFunctionChecks): Deleted.
1494         * dfg/DFGCapabilities.cpp:
1495         (JSC::DFG::capabilityLevel):
1496         * dfg/DFGCapabilities.h:
1497         (JSC::DFG::functionCapabilityLevel):
1498         (JSC::DFG::mightCompileFunctionFor):
1499         * dfg/DFGClobberize.h:
1500         (JSC::DFG::clobberize):
1501         * dfg/DFGCommon.cpp:
1502         (WTF::printInternal):
1503         * dfg/DFGCommon.h:
1504         (JSC::DFG::canInline):
1505         (JSC::DFG::leastUpperBound):
1506         * dfg/DFGDoesGC.cpp:
1507         (JSC::DFG::doesGC):
1508         * dfg/DFGFixupPhase.cpp:
1509         (JSC::DFG::FixupPhase::fixupNode):
1510         * dfg/DFGGraph.cpp:
1511         (JSC::DFG::Graph::dump):
1512         (JSC::DFG::Graph::dumpBlockHeader):
1513         (JSC::DFG::Graph::isLiveInBytecode):
1514         (JSC::DFG::Graph::valueProfileFor):
1515         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
1516         * dfg/DFGGraph.h:
1517         (JSC::DFG::Graph::valueProfileFor): Deleted.
1518         (JSC::DFG::Graph::methodOfGettingAValueProfileFor): Deleted.
1519         * dfg/DFGJITCompiler.cpp:
1520         (JSC::DFG::JITCompiler::compileExceptionHandlers):
1521         (JSC::DFG::JITCompiler::link):
1522         * dfg/DFGMayExit.cpp:
1523         (JSC::DFG::mayExit):
1524         * dfg/DFGNode.h:
1525         (JSC::DFG::Node::hasCallVarargsData):
1526         (JSC::DFG::Node::callVarargsData):
1527         (JSC::DFG::Node::hasLoadVarargsData):
1528         (JSC::DFG::Node::loadVarargsData):
1529         (JSC::DFG::Node::hasHeapPrediction):
1530         * dfg/DFGNodeType.h:
1531         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
1532         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
1533         * dfg/DFGOSRExitCompilerCommon.cpp:
1534         (JSC::DFG::reifyInlinedCallFrames):
1535         * dfg/DFGOperations.cpp:
1536         * dfg/DFGOperations.h:
1537         * dfg/DFGPlan.cpp:
1538         (JSC::DFG::dumpAndVerifyGraph):
1539         (JSC::DFG::Plan::compileInThreadImpl):
1540         * dfg/DFGPreciseLocalClobberize.h:
1541         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1542         (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop):
1543         * dfg/DFGPredictionPropagationPhase.cpp:
1544         (JSC::DFG::PredictionPropagationPhase::propagate):
1545         * dfg/DFGSSAConversionPhase.cpp:
1546         * dfg/DFGSafeToExecute.h:
1547         (JSC::DFG::safeToExecute):
1548         * dfg/DFGSpeculativeJIT.h:
1549         (JSC::DFG::SpeculativeJIT::isFlushed):
1550         (JSC::DFG::SpeculativeJIT::callOperation):
1551         * dfg/DFGSpeculativeJIT32_64.cpp:
1552         (JSC::DFG::SpeculativeJIT::emitCall):
1553         (JSC::DFG::SpeculativeJIT::compile):
1554         * dfg/DFGSpeculativeJIT64.cpp:
1555         (JSC::DFG::SpeculativeJIT::emitCall):
1556         (JSC::DFG::SpeculativeJIT::compile):
1557         * dfg/DFGStackLayoutPhase.cpp:
1558         (JSC::DFG::StackLayoutPhase::run):
1559         (JSC::DFG::StackLayoutPhase::assign):
1560         * dfg/DFGStrengthReductionPhase.cpp:
1561         (JSC::DFG::StrengthReductionPhase::handleNode):
1562         * dfg/DFGTypeCheckHoistingPhase.cpp:
1563         (JSC::DFG::TypeCheckHoistingPhase::run):
1564         * dfg/DFGValidate.cpp:
1565         (JSC::DFG::Validate::validateCPS):
1566         * ftl/FTLAbbreviations.h:
1567         (JSC::FTL::functionType):
1568         (JSC::FTL::buildCall):
1569         * ftl/FTLCapabilities.cpp:
1570         (JSC::FTL::canCompile):
1571         * ftl/FTLCompile.cpp:
1572         (JSC::FTL::mmAllocateDataSection):
1573         * ftl/FTLInlineCacheSize.cpp:
1574         (JSC::FTL::sizeOfCall):
1575         (JSC::FTL::sizeOfCallVarargs):
1576         (JSC::FTL::sizeOfCallForwardVarargs):
1577         (JSC::FTL::sizeOfConstructVarargs):
1578         (JSC::FTL::sizeOfIn):
1579         (JSC::FTL::sizeOfICFor):
1580         (JSC::FTL::sizeOfCheckIn): Deleted.
1581         * ftl/FTLInlineCacheSize.h:
1582         * ftl/FTLIntrinsicRepository.h:
1583         * ftl/FTLJSCall.cpp:
1584         (JSC::FTL::JSCall::JSCall):
1585         * ftl/FTLJSCallBase.cpp:
1586         * ftl/FTLJSCallBase.h:
1587         * ftl/FTLJSCallVarargs.cpp: Added.
1588         (JSC::FTL::JSCallVarargs::JSCallVarargs):
1589         (JSC::FTL::JSCallVarargs::numSpillSlotsNeeded):
1590         (JSC::FTL::JSCallVarargs::emit):
1591         (JSC::FTL::JSCallVarargs::link):
1592         * ftl/FTLJSCallVarargs.h: Added.
1593         (JSC::FTL::JSCallVarargs::node):
1594         (JSC::FTL::JSCallVarargs::stackmapID):
1595         (JSC::FTL::JSCallVarargs::operator<):
1596         * ftl/FTLLowerDFGToLLVM.cpp:
1597         (JSC::FTL::LowerDFGToLLVM::lower):
1598         (JSC::FTL::LowerDFGToLLVM::compileNode):
1599         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
1600         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
1601         (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):
1602         (JSC::FTL::LowerDFGToLLVM::compileLoadVarargs):
1603         (JSC::FTL::LowerDFGToLLVM::compileIn):
1604         (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
1605         (JSC::FTL::LowerDFGToLLVM::vmCall):
1606         (JSC::FTL::LowerDFGToLLVM::vmCallNoExceptions):
1607         (JSC::FTL::LowerDFGToLLVM::callCheck):
1608         * ftl/FTLOutput.h:
1609         (JSC::FTL::Output::call):
1610         * ftl/FTLState.cpp:
1611         (JSC::FTL::State::State):
1612         * ftl/FTLState.h:
1613         * interpreter/Interpreter.cpp:
1614         (JSC::sizeOfVarargs):
1615         (JSC::sizeFrameForVarargs):
1616         * interpreter/Interpreter.h:
1617         * interpreter/StackVisitor.cpp:
1618         (JSC::StackVisitor::readInlinedFrame):
1619         * jit/AssemblyHelpers.cpp:
1620         (JSC::AssemblyHelpers::emitExceptionCheck):
1621         * jit/AssemblyHelpers.h:
1622         (JSC::AssemblyHelpers::addressFor):
1623         (JSC::AssemblyHelpers::calleeFrameSlot):
1624         (JSC::AssemblyHelpers::calleeArgumentSlot):
1625         (JSC::AssemblyHelpers::calleeFrameTagSlot):
1626         (JSC::AssemblyHelpers::calleeFramePayloadSlot):
1627         (JSC::AssemblyHelpers::calleeArgumentTagSlot):
1628         (JSC::AssemblyHelpers::calleeArgumentPayloadSlot):
1629         (JSC::AssemblyHelpers::calleeFrameCallerFrame):
1630         (JSC::AssemblyHelpers::selectScratchGPR):
1631         * jit/CCallHelpers.h:
1632         (JSC::CCallHelpers::setupArgumentsWithExecState):
1633         * jit/GPRInfo.h:
1634         * jit/JIT.cpp:
1635         (JSC::JIT::privateCompile):
1636         * jit/JIT.h:
1637         * jit/JITCall.cpp:
1638         (JSC::JIT::compileSetupVarargsFrame):
1639         (JSC::JIT::compileOpCall):
1640         * jit/JITCall32_64.cpp:
1641         (JSC::JIT::compileSetupVarargsFrame):
1642         (JSC::JIT::compileOpCall):
1643         * jit/JITOperations.h:
1644         * jit/SetupVarargsFrame.cpp:
1645         (JSC::emitSetupVarargsFrameFastCase):
1646         * jit/SetupVarargsFrame.h:
1647         * runtime/Arguments.h:
1648         (JSC::Arguments::create):
1649         (JSC::Arguments::registerArraySizeInBytes):
1650         (JSC::Arguments::finishCreation):
1651         * runtime/Options.h:
1652         * tests/stress/construct-varargs-inline-smaller-Foo.js: Added.
1653         (Foo):
1654         (bar):
1655         (checkEqual):
1656         (test):
1657         * tests/stress/construct-varargs-inline.js: Added.
1658         (Foo):
1659         (bar):
1660         (checkEqual):
1661         (test):
1662         * tests/stress/construct-varargs-no-inline.js: Added.
1663         (Foo):
1664         (bar):
1665         (checkEqual):
1666         (test):
1667         * tests/stress/get-argument-by-val-in-inlined-varargs-call-out-of-bounds.js: Added.
1668         (foo):
1669         (bar):
1670         * tests/stress/get-argument-by-val-safe-in-inlined-varargs-call-out-of-bounds.js: Added.
1671         (foo):
1672         (bar):
1673         * tests/stress/get-my-argument-by-val-creates-arguments.js: Added.
1674         (blah):
1675         (foo):
1676         (bar):
1677         (checkEqual):
1678         (test):
1679         * tests/stress/load-varargs-then-inlined-call-exit-in-foo.js: Added.
1680         (foo):
1681         (bar):
1682         (checkEqual):
1683         * tests/stress/load-varargs-then-inlined-call-inlined.js: Added.
1684         (foo):
1685         (bar):
1686         (baz):
1687         (checkEqual):
1688         (test):
1689         * tests/stress/load-varargs-then-inlined-call.js: Added.
1690         (foo):
1691         (bar):
1692         (checkEqual):
1693         (test):
1694
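The three call shapes this entry distinguishes (a varargs call fed from an array, a varargs construct, and the arguments-forwarding case that CallForwardVarargs targets), as an added JavaScript example that is not part of this patch or of the stress tests it lists; the names Foo, callVarargs, constructVarargs, forwardVarargs, runTiers and the iteration count are assumptions chosen to mirror the style of those tests, not JSC identifiers or tiering thresholds:

```javascript
// Added example: exercises the three varargs shapes the DFG/FTL now compile.
// All names here are constructed for the illustration; none are JSC internals.

function Foo(a, b, c) {
    // Constructor so that `new Foo(...)` reached through varargs can be checked.
    this.sum = a + b + c;
    this.count = arguments.length;
}

// Varargs call: the callee's arguments come from an array (the op_call_varargs shape).
function callVarargs(fn, thisValue, argsArray) {
    return fn.apply(thisValue, argsArray);
}

// Varargs construct: the constructor is invoked from an array (the op_construct_varargs shape).
function constructVarargs(Ctor, argsArray) {
    return new Ctor(...argsArray);
}

// Forwarding varargs: the callee is handed this frame's own `arguments` object unchanged,
// the non-escaping "arguments" case. Note that `fn` itself is part of what is forwarded.
function forwardVarargs(fn) {
    return fn.apply(null, arguments);
}

function sum3(a, b, c) { return (a | 0) + (b | 0) + (c | 0); }
function countArgs() { return arguments.length; }

// Runs each shape repeatedly, the way a stress test would to give a tiering JIT a
// chance to compile it; the count is an assumption, not a JSC threshold.
// Returns the results of the final iteration so they can be checked.
function runTiers(iterations) {
    let result = null;
    for (let i = 0; i < iterations; i++) {
        const args = [i, 2, 3];
        result = {
            call: callVarargs(sum3, null, args),
            construct: constructVarargs(Foo, args),
            forwardedCount: forwardVarargs(countArgs, i, 2, 3),     // 4: fn + three values
            tooFew: callVarargs(sum3, null, [i]),                    // missing args are undefined
            tooMany: callVarargs(countArgs, null, [1, 2, 3, 4, 5]),  // extra args still arrive
        };
    }
    return result;
}
```

The tooFew and tooMany cases are the part worth keeping in mind when reading the "sensible bound on arguments list length" remark above: the arguments array length is only known from profiling, so an inlined varargs call must still behave correctly when the array is shorter or longer than the callee's declared parameter count.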
1695 2015-02-17  Michael Saboff  <msaboff@apple.com>
1696
1697         Unreviewed, restoring the C LOOP insta-crash fix in r180184.
1698
1699         Fixed a typo that only affected the C Loop in the prologue() macro in LowLevelInterpreter.asm.
1700         After the stackHeightOKGetCodeBlock label, codeBlockSetter(t1) should be codeBlockGetter(t1).
1701
1702         * llint/LowLevelInterpreter.asm: Fixed a typo.
1703
1704 2015-02-18  Csaba Osztrogonác  <ossy@webkit.org>
1705
1706         URTBF after r180258 to fix Windows build.
1707
1708         * runtime/MathCommon.cpp:
1709         (JSC::mathPowInternal):
1710
1711 2015-02-18  Joseph Pecoraro  <pecoraro@apple.com>
1712
1713         REGRESSION(r180235): It broke the !ENABLE(PROMISES) build
1714         https://bugs.webkit.org/show_bug.cgi?id=141746
1715
1716         Unreviewed build fix.
1717
1718         * inspector/JSInjectedScriptHost.cpp:
1719         (Inspector::JSInjectedScriptHost::getInternalProperties):
1720         Wrap JSPromise related code in ENABLE(PROMISES) guard.
1721
1722 2015-02-18  Benjamin Poulain  <benjamin@webkit.org>
1723
1724         Fix the C-Loop LLInt build
1725         https://bugs.webkit.org/show_bug.cgi?id=141618
1726
1727         Reviewed by Filip Pizlo.
1728
1729         I broke C-Loop when moving the common code of pow()
1730         to JITOperations because that file is #ifdefed out
1731         when the JITs are disabled.
1732
1733         It would be weird to move it back to MathObject since
1734         the function needs to know about the calling conventions.
1735
1736         To avoid making a mess, I just gave the function its own file
1737         that is used by both the runtime and the JIT.
1738
1739         * CMakeLists.txt:
1740         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1741         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1742         * JavaScriptCore.xcodeproj/project.pbxproj:
1743         * dfg/DFGAbstractInterpreterInlines.h:
1744         * jit/JITOperations.cpp:
1745         * jit/JITOperations.h:
1746         * runtime/MathCommon.cpp: Added.
1747         (JSC::fdlibmScalbn):
1748         (JSC::fdlibmPow):
1749         (JSC::isDenormal):
1750         (JSC::isEdgeCase):
1751         (JSC::mathPowInternal):
1752         (JSC::operationMathPow):
1753         * runtime/MathCommon.h: Added.
1754         * runtime/MathObject.cpp:
1755
1756 2015-02-17  Benjamin Poulain  <bpoulain@apple.com>
1757
1758         Clean up OSRExit's considerAddingAsFrequentExitSite()
1759         https://bugs.webkit.org/show_bug.cgi?id=141690
1760
1761         Reviewed by Anders Carlsson.
1762
1763         Looks like some code was removed from CodeBlock::tallyFrequentExitSites()
1764         and the OSRExit were left untouched.
1765
1766         This patch cleans up the two loops and removes the boolean return
1767         on considerAddingAsFrequentExitSite().
1768
1769         * bytecode/CodeBlock.cpp:
1770         (JSC::CodeBlock::tallyFrequentExitSites):
1771         * dfg/DFGOSRExit.h:
1772         (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
1773         * dfg/DFGOSRExitBase.cpp:
1774         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
1775         * dfg/DFGOSRExitBase.h:
1776         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSite):
1777         * ftl/FTLOSRExit.h:
1778         (JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
1779
1780 2015-02-17  Alexey Proskuryakov  <ap@apple.com>
1781
1782         Debug build fix after r180247.
1783
1784         * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::loweringFailed):
1785
1786 2015-02-17  Commit Queue  <commit-queue@webkit.org>
1787
1788         Unreviewed, rolling out r180184.
1789         https://bugs.webkit.org/show_bug.cgi?id=141733
1790
1791         Caused infinite recursion on js/function-apply-aliased.html
1792         (Requested by ap_ on #webkit).
1793
1794         Reverted changeset:
1795
1796         "REGRESSION(r180060): C Loop crashes"
1797         https://bugs.webkit.org/show_bug.cgi?id=141671
1798         http://trac.webkit.org/changeset/180184
1799
1800 2015-02-17  Michael Saboff  <msaboff@apple.com>
1801
1802         CrashTracer: DFG_CRASH beneath JSC::FTL::LowerDFGToLLVM::compileNode
1803         https://bugs.webkit.org/show_bug.cgi?id=141730
1804
1805         Reviewed by Geoffrey Garen.
1806
1807         Added a new failure handler, loweringFailed(), to LowerDFGToLLVM that reports failures
1808         while processing DFG lowering.  For debug builds, the failures are logged identically
1809         to the way the DFG_CRASH() reports them.  For release builds, the failures are reported
1810         and the FTL compilation is terminated, but the process is allowed to continue.
1811         Wrapped calls to loweringFailed() in a macro LOWERING_FAILED so the function and
1812         line number are reported at the point of the inconsistency.
1813
1814         Converted instances of DFG_CRASH to LOWERING_FAILED.
1815
1816         * dfg/DFGPlan.cpp:
1817         (JSC::DFG::Plan::compileInThreadImpl): Added lowerDFGToLLVM() failure check that
1818         will fail the FTL compile.
1819
1820         * ftl/FTLLowerDFGToLLVM.cpp:
1821         (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
1822         Added new member variable, m_loweringSucceeded, to stop compilation on the first
1823         reported failure.
1824
1825         * ftl/FTLLowerDFGToLLVM.cpp:
1826         (JSC::FTL::LowerDFGToLLVM::lower):
1827         * ftl/FTLLowerDFGToLLVM.h:
1828         Added check for compilation failures and now report those failures via a boolean
1829         return value.
1830
1831         * ftl/FTLLowerDFGToLLVM.cpp:
1832         (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
1833         (JSC::FTL::LowerDFGToLLVM::compileNode):
1834         (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
1835         (JSC::FTL::LowerDFGToLLVM::compilePhi):
1836         (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
1837         (JSC::FTL::LowerDFGToLLVM::compileValueRep):
1838         (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
1839         (JSC::FTL::LowerDFGToLLVM::compilePutLocal):
1840         (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
1841         (JSC::FTL::LowerDFGToLLVM::compileArithMul):
1842         (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
1843         (JSC::FTL::LowerDFGToLLVM::compileArithMod):
1844         (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
1845         (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
1846         (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
1847         (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
1848         (JSC::FTL::LowerDFGToLLVM::compileGetById):
1849         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
1850         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
1851         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
1852         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
1853         (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
1854         (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
1855         (JSC::FTL::LowerDFGToLLVM::compileNewArray):
1856         (JSC::FTL::LowerDFGToLLVM::compileToString):
1857         (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
1858         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
1859         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
1860         (JSC::FTL::LowerDFGToLLVM::compileSwitch):
1861         (JSC::FTL::LowerDFGToLLVM::compare):
1862         (JSC::FTL::LowerDFGToLLVM::boolify):
1863         (JSC::FTL::LowerDFGToLLVM::opposite):
1864         (JSC::FTL::LowerDFGToLLVM::lowJSValue):
1865         (JSC::FTL::LowerDFGToLLVM::speculate):
1866         (JSC::FTL::LowerDFGToLLVM::isArrayType):
1867         (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
1868         (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
1869         (JSC::FTL::LowerDFGToLLVM::setInt52):
1870         Changed DFG_CRASH() to LOWERING_FAILED().  Updated related control flow as appropriate.
1871
1872         (JSC::FTL::LowerDFGToLLVM::loweringFailed): New error reporting member function.
1873
1874 2015-02-17  Filip Pizlo  <fpizlo@apple.com>
1875
1876         StackLayoutPhase should use CodeBlock::usesArguments rather than FunctionExecutable::usesArguments
1877         https://bugs.webkit.org/show_bug.cgi?id=141721
1878         rdar://problem/17198633
1879
1880         Reviewed by Michael Saboff.
1881         
1882         I've seen cases where the two are out of sync.  We know we can trust the CodeBlock::usesArguments because
1883         we use it everywhere else.
1884         
1885         No test because I could never reproduce the crash.
1886
1887         * dfg/DFGGraph.h:
1888         (JSC::DFG::Graph::usesArguments):
1889         * dfg/DFGStackLayoutPhase.cpp:
1890         (JSC::DFG::StackLayoutPhase::run):
1891
1892 2015-02-16  Joseph Pecoraro  <pecoraro@apple.com>
1893
1894         Web Inspector: Improved Console Support for Bound Functions
1895         https://bugs.webkit.org/show_bug.cgi?id=141635
1896
1897         Reviewed by Timothy Hatcher.
1898
1899         * inspector/JSInjectedScriptHost.cpp:
1900         (Inspector::JSInjectedScriptHost::getInternalProperties):
1901         Expose internal properties of a JSBoundFunction.
1902
1903 2015-02-16  Joseph Pecoraro  <pecoraro@apple.com>
1904
1905         Web Inspector: ES6: Improved Console Support for Promise Objects
1906         https://bugs.webkit.org/show_bug.cgi?id=141634
1907
1908         Reviewed by Timothy Hatcher.
1909
1910         * inspector/InjectedScript.cpp:
1911         (Inspector::InjectedScript::getInternalProperties):
1912         * inspector/InjectedScriptSource.js:
1913         Include internal properties in previews. Share code
1914         with normal internal property handling.
1915
1916         * inspector/JSInjectedScriptHost.cpp:
1917         (Inspector::constructInternalProperty):
1918         (Inspector::JSInjectedScriptHost::getInternalProperties):
1919         Provide internal state of Promises.
1920
1921         * inspector/protocol/Runtime.json:
1922         Provide an optional field to distinguish if a PropertyPreview
1923         is for an Internal property or not.
1924
1925 2015-02-17  Filip Pizlo  <fpizlo@apple.com>
1926
1927         Throwing from an FTL call IC slow path may result in tag registers being clobbered on 64-bit CPUs
1928         https://bugs.webkit.org/show_bug.cgi?id=141717
1929         rdar://problem/19863382
1930
1931         Reviewed by Geoffrey Garen.
1932         
1933         The best solution is to ensure that the engine catching an exception restores tag registers.
1934         
1935         Each of these new test cases reliably crashed prior to this patch and they don't crash at all now.
1936
1937         * jit/JITOpcodes.cpp:
1938         (JSC::JIT::emit_op_catch):
1939         * llint/LowLevelInterpreter.asm:
1940         * llint/LowLevelInterpreter64.asm:
1941         * tests/stress/throw-from-ftl-call-ic-slow-path-cells.js: Added.
1942         * tests/stress/throw-from-ftl-call-ic-slow-path-undefined.js: Added.
1943         * tests/stress/throw-from-ftl-call-ic-slow-path.js: Added.
1944
1945 2015-02-17  Csaba Osztrogonác  <ossy@webkit.org>
1946
1947         [ARM] Add the necessary setupArgumentsWithExecState after bug141332
1948         https://bugs.webkit.org/show_bug.cgi?id=141714
1949
1950         Reviewed by Michael Saboff.
1951
1952         * jit/CCallHelpers.h:
1953         (JSC::CCallHelpers::setupArgumentsWithExecState):
1954
1955 2015-02-15  Sam Weinig  <sam@webkit.org>
1956
1957         Add experimental <attachment> element support
1958         https://bugs.webkit.org/show_bug.cgi?id=141626
1959
1960         Reviewed by Tim Horton.
1961
1962         * Configurations/FeatureDefines.xcconfig:
1963
1964 2015-02-16  Michael Saboff  <msaboff@apple.com>
1965
1966         REGRESSION(r180060): C Loop crashes
1967         https://bugs.webkit.org/show_bug.cgi?id=141671
1968
1969         Reviewed by Geoffrey Garen.
1970
1971         Fixed a typo that only affected the C Loop in the prologue() macro in LowLevelInterpreter.asm.
1972         After the stackHeightOKGetCodeBlock label, codeBlockSetter(t1) should be codeBlockGetter(t1).
1973         Fixed the processing of an out of stack exception in llint_stack_check to not get the caller's
1974         frame.  This isn't needed, since this helper is only called to check the stack on entry.  Any
1975         exception will be handled by a call ancestor.
1976
1977         * llint/LLIntSlowPaths.cpp:
1978         (JSC::LLInt::llint_stack_check): Changed to use the current frame for processing an exception.
1979         * llint/LowLevelInterpreter.asm: Fixed a typo.
1980
1981 2015-02-16  Joseph Pecoraro  <pecoraro@apple.com>
1982
1983         Web Inspector: Scope details sidebar should label objects with constructor names
1984         https://bugs.webkit.org/show_bug.cgi?id=139449
1985
1986         Reviewed by Timothy Hatcher.
1987
1988         * inspector/JSInjectedScriptHost.cpp:
1989         (Inspector::JSInjectedScriptHost::internalConstructorName):
1990         * runtime/Structure.cpp:
1991         (JSC::Structure::toStructureShape):
1992         Share calculatedClassName.
1993
1994         * runtime/JSObject.h:
1995         * runtime/JSObject.cpp:
1996         (JSC::JSObject::calculatedClassName):
1997         Elaborate on a way to get an Object's class name.
1998
1999 2015-02-16  Filip Pizlo  <fpizlo@apple.com>
2000
2001         DFG SSA should use GetLocal for arguments, and the GetArgument node type should be removed
2002         https://bugs.webkit.org/show_bug.cgi?id=141623
2003
2004         Reviewed by Oliver Hunt.
2005         
2006         During development of https://bugs.webkit.org/show_bug.cgi?id=141332, I realized that I
2007         needed to use GetArgument for loading something that has magically already appeared on the
2008         stack, so currently trunk sort of allows this. But then I realized three things:
2009         
2010         - A GetArgument with a non-JSValue flush format means speculating that the value on the
2011           stack obeys that format, rather than just assuming that it already has that format.
2012           In bug 141332, I want it to assume rather than speculate. That also happens to be more
2013           intuitive; I don't think I was wrong to expect that.
2014         
2015         - The node I really want is GetLocal. I'm just getting the value of the local and I don't
2016           want to do anything else.
2017         
2018         - Maybe it would be easier if we just used GetLocal for all of the cases where we currently
2019           use GetArgument.
2020         
2021         This changes the FTL to do argument speculations in the prologue just like the DFG does.
2022         This brings some consistency to our system, and allows us to get rid of the GetArgument
2023         node. The speculations that the FTL must do are now made explicit in the m_argumentFormats
2024         vector in DFG::Graph. This has natural DCE behavior: even if all uses of the argument are
2025         dead we will still speculate. We already have safeguards to ensure we only speculate if
2026         there are uses that benefit from speculation (which is a much more conservative criterion
2027         than DCE).
2028         
2029         * dfg/DFGAbstractInterpreterInlines.h:
2030         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2031         * dfg/DFGClobberize.h:
2032         (JSC::DFG::clobberize):
2033         * dfg/DFGDCEPhase.cpp:
2034         (JSC::DFG::DCEPhase::run):
2035         * dfg/DFGDoesGC.cpp:
2036         (JSC::DFG::doesGC):
2037         * dfg/DFGFixupPhase.cpp:
2038         (JSC::DFG::FixupPhase::fixupNode):
2039         * dfg/DFGFlushFormat.h:
2040         (JSC::DFG::typeFilterFor):
2041         * dfg/DFGGraph.cpp:
2042         (JSC::DFG::Graph::dump):
2043         * dfg/DFGGraph.h:
2044         (JSC::DFG::Graph::valueProfileFor):
2045         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2046         * dfg/DFGInPlaceAbstractState.cpp:
2047         (JSC::DFG::InPlaceAbstractState::initialize):
2048         * dfg/DFGNode.cpp:
2049         (JSC::DFG::Node::hasVariableAccessData):
2050         * dfg/DFGNodeType.h:
2051         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2052         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
2053         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
2054         * dfg/DFGPredictionPropagationPhase.cpp:
2055         (JSC::DFG::PredictionPropagationPhase::propagate):
2056         * dfg/DFGPutLocalSinkingPhase.cpp:
2057         * dfg/DFGSSAConversionPhase.cpp:
2058         (JSC::DFG::SSAConversionPhase::run):
2059         * dfg/DFGSafeToExecute.h:
2060         (JSC::DFG::safeToExecute):
2061         * dfg/DFGSpeculativeJIT32_64.cpp:
2062         (JSC::DFG::SpeculativeJIT::compile):
2063         * dfg/DFGSpeculativeJIT64.cpp:
2064         (JSC::DFG::SpeculativeJIT::compile):
2065         * ftl/FTLCapabilities.cpp:
2066         (JSC::FTL::canCompile):
2067         * ftl/FTLLowerDFGToLLVM.cpp:
2068         (JSC::FTL::LowerDFGToLLVM::lower):
2069         (JSC::FTL::LowerDFGToLLVM::compileNode):
2070         (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
2071         (JSC::FTL::LowerDFGToLLVM::compileGetArgument): Deleted.
2072         * tests/stress/dead-speculating-argument-use.js: Added.
2073         (foo):
2074         (o.valueOf):
2075
2076 2015-02-15  Filip Pizlo  <fpizlo@apple.com>
2077
2078         Rare case profiling should actually work
2079         https://bugs.webkit.org/show_bug.cgi?id=141632
2080
2081         Reviewed by Michael Saboff.
2082         
2083         This simple adjustment appears to be a 2% speed-up on Octane. Over time, the slow case
2084         heuristic has essentially stopped working because the typical execution count threshold for a
2085         bytecode instruction is around 66 while the slow case threshold is 100: virtually
2086         guaranteeing that the DFG will never think that a bytecode instruction has taken the slow
2087         case even if it took it every single time. So, this changes the slow case threshold to 20.
2088         
2089         I checked if we could lower this down further, like to 10. That is worse than 20, and about
2090         as bad as 100.
2091
2092         * runtime/Options.h:
2093
2094 2015-02-15  Brian J. Burg  <burg@cs.washington.edu>
2095
2096         Web Inspector: remove unused XHR replay code
2097         https://bugs.webkit.org/show_bug.cgi?id=141622
2098
2099         Reviewed by Timothy Hatcher.
2100
2101         * inspector/protocol/Network.json: remove XHR replay methods.
2102
2103 2015-02-15  David Kilzer  <ddkilzer@apple.com>
2104
2105         REGRESSION (r180082): WebCore Debug builds fail on Mavericks due to weak export symbols
2106         <http://webkit.org/b/141607>
2107
2108         More work towards fixing the Mavericks Debug build.
2109
2110         * inspector/ScriptDebugServer.h:
2111         (Inspector::ScriptDebugServer::Task):
2112         * inspector/agents/InspectorDebuggerAgent.h:
2113         (Inspector::InspectorDebuggerAgent::Listener):
2114         - Remove subclass exports. They did not help.
2115
2116         * runtime/JSCJSValue.h:
2117         (JSC::JSValue::toFloat): Do not mark inline method for export.
2118
2119 2015-02-09  Brian J. Burg  <burg@cs.washington.edu>
2120
2121         Web Inspector: remove some unnecessary Inspector prefixes from class names in Inspector namespace
2122         https://bugs.webkit.org/show_bug.cgi?id=141372
2123
2124         Reviewed by Joseph Pecoraro.
2125
2126         * inspector/ConsoleMessage.cpp:
2127         (Inspector::ConsoleMessage::addToFrontend):
2128         (Inspector::ConsoleMessage::updateRepeatCountInConsole):
2129         * inspector/ConsoleMessage.h:
2130         * inspector/InspectorAgentBase.h:
2131         * inspector/InspectorAgentRegistry.cpp:
2132         (Inspector::AgentRegistry::AgentRegistry):
2133         (Inspector::AgentRegistry::append):
2134         (Inspector::AgentRegistry::appendExtraAgent):
2135         (Inspector::AgentRegistry::didCreateFrontendAndBackend):
2136         (Inspector::AgentRegistry::willDestroyFrontendAndBackend):
2137         (Inspector::AgentRegistry::discardAgents):
2138         (Inspector::InspectorAgentRegistry::InspectorAgentRegistry): Deleted.
2139         (Inspector::InspectorAgentRegistry::append): Deleted.
2140         (Inspector::InspectorAgentRegistry::appendExtraAgent): Deleted.
2141         (Inspector::InspectorAgentRegistry::didCreateFrontendAndBackend): Deleted.
2142         (Inspector::InspectorAgentRegistry::willDestroyFrontendAndBackend): Deleted.
2143         (Inspector::InspectorAgentRegistry::discardAgents): Deleted.
2144         * inspector/InspectorAgentRegistry.h:
2145         * inspector/InspectorBackendDispatcher.cpp:
2146         (Inspector::BackendDispatcher::CallbackBase::CallbackBase):
2147         (Inspector::BackendDispatcher::CallbackBase::isActive):
2148         (Inspector::BackendDispatcher::CallbackBase::sendFailure):
2149         (Inspector::BackendDispatcher::CallbackBase::sendIfActive):
2150         (Inspector::BackendDispatcher::create):
2151         (Inspector::BackendDispatcher::registerDispatcherForDomain):
2152         (Inspector::BackendDispatcher::dispatch):
2153         (Inspector::BackendDispatcher::sendResponse):
2154         (Inspector::BackendDispatcher::reportProtocolError):
2155         (Inspector::BackendDispatcher::getInteger):
2156         (Inspector::BackendDispatcher::getDouble):
2157         (Inspector::BackendDispatcher::getString):
2158         (Inspector::BackendDispatcher::getBoolean):
2159         (Inspector::BackendDispatcher::getObject):
2160         (Inspector::BackendDispatcher::getArray):
2161         (Inspector::BackendDispatcher::getValue):
2162         (Inspector::InspectorBackendDispatcher::CallbackBase::CallbackBase): Deleted.
2163         (Inspector::InspectorBackendDispatcher::CallbackBase::isActive): Deleted.
2164         (Inspector::InspectorBackendDispatcher::CallbackBase::sendFailure): Deleted.
2165         (Inspector::InspectorBackendDispatcher::CallbackBase::sendIfActive): Deleted.
2166         (Inspector::InspectorBackendDispatcher::create): Deleted.
2167         (Inspector::InspectorBackendDispatcher::registerDispatcherForDomain): Deleted.
2168         (Inspector::InspectorBackendDispatcher::dispatch): Deleted.
2169         (Inspector::InspectorBackendDispatcher::sendResponse): Deleted.
2170         (Inspector::InspectorBackendDispatcher::reportProtocolError): Deleted.
2171         (Inspector::InspectorBackendDispatcher::getInteger): Deleted.
2172         (Inspector::InspectorBackendDispatcher::getDouble): Deleted.
2173         (Inspector::InspectorBackendDispatcher::getString): Deleted.
2174         (Inspector::InspectorBackendDispatcher::getBoolean): Deleted.
2175         (Inspector::InspectorBackendDispatcher::getObject): Deleted.
2176         (Inspector::InspectorBackendDispatcher::getArray): Deleted.
2177         (Inspector::InspectorBackendDispatcher::getValue): Deleted.
2178         * inspector/InspectorBackendDispatcher.h:
2179         (Inspector::SupplementalBackendDispatcher::SupplementalBackendDispatcher):
2180         (Inspector::SupplementalBackendDispatcher::~SupplementalBackendDispatcher):
2181         (Inspector::InspectorSupplementalBackendDispatcher::InspectorSupplementalBackendDispatcher): Deleted.
2182         (Inspector::InspectorSupplementalBackendDispatcher::~InspectorSupplementalBackendDispatcher): Deleted.
2183         * inspector/InspectorFrontendChannel.h:
2184         (Inspector::FrontendChannel::~FrontendChannel):
2185         (Inspector::InspectorFrontendChannel::~InspectorFrontendChannel): Deleted.
2186         * inspector/JSGlobalObjectInspectorController.cpp:
2187         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2188         (Inspector::JSGlobalObjectInspectorController::globalObjectDestroyed):
2189         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
2190         (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
2191         (Inspector::JSGlobalObjectInspectorController::dispatchMessageFromFrontend):
2192         (Inspector::JSGlobalObjectInspectorController::appendExtraAgent):
2193         * inspector/JSGlobalObjectInspectorController.h:
2194         * inspector/agents/InspectorAgent.cpp:
2195         (Inspector::InspectorAgent::didCreateFrontendAndBackend):
2196         (Inspector::InspectorAgent::willDestroyFrontendAndBackend):
2197         * inspector/agents/InspectorAgent.h:
2198         * inspector/agents/InspectorConsoleAgent.cpp:
2199         (Inspector::InspectorConsoleAgent::didCreateFrontendAndBackend):
2200         (Inspector::InspectorConsoleAgent::willDestroyFrontendAndBackend):
2201         * inspector/agents/InspectorConsoleAgent.h:
2202         * inspector/agents/InspectorDebuggerAgent.cpp:
2203         (Inspector::InspectorDebuggerAgent::didCreateFrontendAndBackend):
2204         (Inspector::InspectorDebuggerAgent::willDestroyFrontendAndBackend):
2205         (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
2206         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
2207         (Inspector::InspectorDebuggerAgent::pause):
2208         (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP):
2209         (Inspector::InspectorDebuggerAgent::didPause):
2210         (Inspector::InspectorDebuggerAgent::breakProgram):
2211         (Inspector::InspectorDebuggerAgent::clearBreakDetails):
2212         * inspector/agents/InspectorDebuggerAgent.h:
2213         * inspector/agents/InspectorRuntimeAgent.cpp:
2214         (Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend):
2215         * inspector/agents/InspectorRuntimeAgent.h:
2216         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
2217         (Inspector::JSGlobalObjectRuntimeAgent::didCreateFrontendAndBackend):
2218         (Inspector::JSGlobalObjectRuntimeAgent::willDestroyFrontendAndBackend):
2219         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
2220         * inspector/augmentable/AlternateDispatchableAgent.h:
2221         * inspector/augmentable/AugmentableInspectorController.h:
2222         * inspector/remote/RemoteInspectorDebuggable.h:
2223         * inspector/remote/RemoteInspectorDebuggableConnection.h:
2224         * inspector/scripts/codegen/cpp_generator.py:
2225         (CppGenerator.cpp_type_for_formal_out_parameter):
2226         (CppGenerator.cpp_type_for_stack_out_parameter):
2227         * inspector/scripts/codegen/cpp_generator_templates.py:
2228         (AlternateBackendDispatcher):
2229         (Alternate):
2230         (void):
2231         (AlternateInspectorBackendDispatcher): Deleted.
2232         (AlternateInspector): Deleted.
2233         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
2234         (CppBackendDispatcherHeaderGenerator._generate_alternate_handler_forward_declarations_for_domains.Alternate):
2235         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
2236         (CppBackendDispatcherHeaderGenerator._generate_alternate_handler_forward_declarations_for_domains.AlternateInspector): Deleted.
2237         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2238         (CppBackendDispatcherImplementationGenerator._generate_handler_class_destructor_for_domain):
2239         (CppBackendDispatcherImplementationGenerator._generate_large_dispatcher_switch_implementation_for_domain):
2240         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
2241         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
2242         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
2243         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
2244         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
2245         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2246         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2247         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2248         * inspector/scripts/tests/expected/enum-values.json-result:
2249         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2250         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2251         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
2252         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
2253         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
2254         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2255         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
2256         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2257         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2258         * runtime/JSGlobalObjectDebuggable.cpp:
2259         (JSC::JSGlobalObjectDebuggable::connect):
2260         (JSC::JSGlobalObjectDebuggable::disconnect):
2261         * runtime/JSGlobalObjectDebuggable.h:
2262
2263 2015-02-14  David Kilzer  <ddkilzer@apple.com>
2264
2265         REGRESSION (r180082): WebCore Debug builds fail on Mavericks due to weak export symbols
2266         <http://webkit.org/b/141607>
2267
2268         Work towards fixing the Mavericks Debug build.
2269
2270         * inspector/ScriptDebugServer.h:
2271         (Inspector::ScriptDebugServer::Task): Export class.
2272         * inspector/agents/InspectorDebuggerAgent.h:
2273         (Inspector::InspectorDebuggerAgent::Listener): Export class.
2274         * runtime/JSGlobalObject.h:
2275         (JSC::JSGlobalObject::setConsoleClient): Do not mark inline
2276         method for export.
2277
2278 2015-02-14  Joseph Pecoraro  <pecoraro@apple.com>
2279
2280         Web Inspector: Symbol RemoteObject should not send sub-type
2281         https://bugs.webkit.org/show_bug.cgi?id=141604
2282
2283         Reviewed by Brian Burg.
2284
2285         * inspector/InjectedScriptSource.js:
2286
2287 2015-02-13  Benjamin Poulain  <bpoulain@apple.com>
2288
2289         Attempt to fix 32-bit build after r180098
2290
2291         * jit/JITOperations.cpp:
2292         * jit/JITOperations.h:
2293         I copied the attribute from the MathObject version of that function when I moved
2294         it over. DFG has no version of a function call taking those attributes.
2295
2296 2015-02-13  Joseph Pecoraro  <pecoraro@apple.com>
2297
2298         JSContext Inspector: Do not stash console messages for non-debuggable JSContext
2299         https://bugs.webkit.org/show_bug.cgi?id=141589
2300
2301         Reviewed by Timothy Hatcher.
2302
2303         Consider developer extras disabled for JSContext inspection if the
2304         RemoteInspector server is not enabled (typically a non-debuggable
2305         process rejected by webinspectord) or if remote debugging on the
2306         JSContext was explicitly disabled via SPI.
2307
2308         When developer extras are disabled, console messages will not be stashed.
2309
2310         * inspector/JSGlobalObjectInspectorController.cpp:
2311         (Inspector::JSGlobalObjectInspectorController::developerExtrasEnabled):
2312         * inspector/JSGlobalObjectInspectorController.h:
2313
2314 2015-02-13  Benjamin Poulain  <bpoulain@apple.com>
2315
2316         Add a DFG node for the Pow Intrinsics
2317         https://bugs.webkit.org/show_bug.cgi?id=141540
2318
2319         Reviewed by Filip Pizlo.
2320
2321         Add a DFG Node for PowIntrinsic. This patch covers the basic cases
2322         needed to avoid massive regressions. I will iterate over the node to cover
2323         the missing types.
2324
2325         With this patch I get the following progressions on benchmarks:
2326         -LongSpider's math-partial-sums: +5%.
2327         -Kraken's imaging-darkroom: +17%
2328         -AsmBench's cray.c: +6.6%
2329         -CompressionBench: +2.2% globally.
2330
2331         * dfg/DFGAbstractInterpreterInlines.h:
2332         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2333         Cover a couple of trivial cases:
2334         -If the exponent is zero, the result is always one, regardless of the base.
2335         -If both arguments are constants, compute the result at compile time.
2336
2337         * dfg/DFGByteCodeParser.cpp:
2338         (JSC::DFG::ByteCodeParser::handleIntrinsic):
2339         * dfg/DFGClobberize.h:
2340         (JSC::DFG::clobberize):
2341         * dfg/DFGDoesGC.cpp:
2342         (JSC::DFG::doesGC):
2343
2344         * dfg/DFGFixupPhase.cpp:
2345         (JSC::DFG::FixupPhase::fixupNode):
2346         We only support 2 basic cases at this time:
2347         -Math.pow(double, int)
2348         -Math.pow(double, double).
2349
2350         I'll cover Math.pow(int, int) in a follow-up.
2351
2352         * dfg/DFGNode.h:
2353         (JSC::DFG::Node::convertToArithSqrt):
2354         (JSC::DFG::Node::arithNodeFlags):
2355         * dfg/DFGNodeType.h:
2356         * dfg/DFGPredictionPropagationPhase.cpp:
2357         (JSC::DFG::PredictionPropagationPhase::propagate):
2358         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
2359         * dfg/DFGSafeToExecute.h:
2360         (JSC::DFG::safeToExecute):
2361         * dfg/DFGSpeculativeJIT.cpp:
2362         (JSC::DFG::compileArithPowIntegerFastPath):
2363         (JSC::DFG::SpeculativeJIT::compileArithPow):
2364         * dfg/DFGSpeculativeJIT.h:
2365         * dfg/DFGSpeculativeJIT32_64.cpp:
2366         (JSC::DFG::SpeculativeJIT::compile):
2367         * dfg/DFGSpeculativeJIT64.cpp:
2368         (JSC::DFG::SpeculativeJIT::compile):
2369         * dfg/DFGStrengthReductionPhase.cpp:
2370         (JSC::DFG::StrengthReductionPhase::handleNode):
2371         * dfg/DFGValidate.cpp:
2372         (JSC::DFG::Validate::validate):
2373         * ftl/FTLCapabilities.cpp:
2374         (JSC::FTL::canCompile):
2375         * ftl/FTLIntrinsicRepository.h:
2376         * ftl/FTLLowerDFGToLLVM.cpp:
2377         (JSC::FTL::LowerDFGToLLVM::compileNode):
2378         (JSC::FTL::LowerDFGToLLVM::compileArithPow):
2379         * ftl/FTLOutput.h:
2380         (JSC::FTL::Output::doublePow):
2381         (JSC::FTL::Output::doublePowi):
2382         * jit/JITOperations.cpp:
2383         * jit/JITOperations.h:
2384         * runtime/MathObject.cpp:
2385         (JSC::mathProtoFuncPow):
2386         (JSC::isDenormal): Deleted.
2387         (JSC::isEdgeCase): Deleted.
2388         (JSC::mathPow): Deleted.
2389
2390         * tests/stress/math-pow-basics.js: Added.
2391         * tests/stress/math-pow-integer-exponent-fastpath.js: Added.
2392         * tests/stress/math-pow-nan-behaviors.js: Added.
2393         * tests/stress/math-pow-with-constants.js: Added.
2394         Start some basic testing of Math.pow().
2395         Due to the various transforms, the values change when the code tiers up;
2396         I covered this by checking for approximate values.
2397
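The edge cases this entry folds in the abstract interpreter (exponent zero gives one whatever the base) and the approximate comparison across tiers that the new stress tests use, as an added example that is not part of WebKit's own test files. The `Math.pow` results it asserts are the ones the ECMAScript specification mandates; `powBySquaring` is an assumed stand-in for an integer-exponent fast path whose rounding may differ from libm's `pow` by an ulp or two, which is exactly why a tolerance is needed.

```javascript
// Added example (not from WebKit): Math.pow edge cases that any intrinsic
// fast path must preserve, plus a tolerant comparison for hot code that
// may be recompiled by a JIT tier while the loop runs.

// Relative tolerance used when comparing results across compilation tiers.
const REL_EPS = 1e-12;

// Equality that treats NaN == NaN, keeps ±Infinity exact, and allows a
// relative error of REL_EPS for finite values.
function approxEqual(a, b, relEps = REL_EPS) {
  if (Number.isNaN(a) || Number.isNaN(b)) return Number.isNaN(a) && Number.isNaN(b);
  if (a === b) return true; // exact matches and ±Infinity
  const diff = Math.abs(a - b);
  return diff <= relEps * Math.max(Math.abs(a), Math.abs(b));
}

// Spec-mandated results (ECMAScript Number::exponentiate); note that
// Math.pow differs from C's pow() for base 1 with an infinite exponent.
function powEdgeCases() {
  return {
    zeroExponentNaNBase: Math.pow(NaN, 0),             // 1
    zeroExponentInfBase: Math.pow(Infinity, 0),        // 1
    negZeroExponent: Math.pow(2, -0),                  // 1
    nanExponent: Math.pow(2, NaN),                     // NaN
    oneBaseInfExponent: Math.pow(1, Infinity),         // NaN (C pow gives 1)
    negOneBaseNegInfExponent: Math.pow(-1, -Infinity), // NaN
    negZeroBaseOddNegExponent: Math.pow(-0, -3),       // -Infinity
    negZeroBaseOddPosExponent: Math.pow(-0, 3),        // -0
  };
}

// Assumed reference: exponentiation by squaring for a non-negative integer
// exponent, the shape of fast path a JIT might emit. Its rounding is not
// guaranteed to match libm's pow bit-for-bit.
function powBySquaring(base, exp) {
  let result = 1;
  let b = base;
  let e = exp;
  while (e > 0) {
    if (e & 1) result *= b;
    b *= b;
    e >>>= 1;
  }
  return result;
}

// Calls Math.pow in a hot loop so the engine has the chance to tier up,
// and returns how many iterations fell outside the tolerance (expect 0).
function powTierUpCheck(base, exp, iterations = 100000) {
  const reference = powBySquaring(base, exp);
  let mismatches = 0;
  for (let i = 0; i < iterations; i++) {
    if (!approxEqual(Math.pow(base, exp), reference)) mismatches++;
  }
  return mismatches;
}
```

Comparing against a tolerance rather than `===` is what keeps such a test stable when the same expression is evaluated first by the interpreter and later by an optimizing tier with a different pow implementation.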
2398 2015-02-13  Benjamin Poulain  <bpoulain@apple.com>
2399
2400         ArithSqrt should not be conditional on supportsFloatingPointSqrt
2401         https://bugs.webkit.org/show_bug.cgi?id=141546
2402
2403         Reviewed by Geoffrey Garen and Filip Pizlo.
2404
2405         Just fall back to the function call in the DFG codegen.
2406
2407         * dfg/DFGByteCodeParser.cpp:
2408         (JSC::DFG::ByteCodeParser::handleIntrinsic):
2409         * dfg/DFGSpeculativeJIT.cpp:
2410         (JSC::DFG::SpeculativeJIT::compileArithSqrt):
2411         * dfg/DFGSpeculativeJIT.h:
2412         * dfg/DFGSpeculativeJIT32_64.cpp:
2413         (JSC::DFG::SpeculativeJIT::compile):
2414         * dfg/DFGSpeculativeJIT64.cpp:
2415         (JSC::DFG::SpeculativeJIT::compile):
2416         * tests/stress/math-sqrt-basics.js: Added.
2417         Basic coverage.
2418
2419         * tests/stress/math-sqrt-basics-disable-architecture-specific-optimizations.js: Added.
2420         Same tests but forcing the function call.
2421
2422 2015-02-13  Michael Saboff  <msaboff@apple.com>
2423
2424         REGRESSION(r180060) New js/regress-141098 test crashes when LLInt is disabled.
2425         https://bugs.webkit.org/show_bug.cgi?id=141577
2426
2427         Reviewed by Benjamin Poulain.
2428
2429         Changed the prologue of the baseline JIT to check for stack space for all
2430         types of code blocks.  Previously, it was only checking Function.  Now
2431         it checks Program and Eval as well.
2432
2433         * jit/JIT.cpp:
2434         (JSC::JIT::privateCompile):
2435
2436 2015-02-13  Benjamin Poulain  <bpoulain@apple.com>
2437
2438         Generate incq instead of addq when the immediate value is one
2439         https://bugs.webkit.org/show_bug.cgi?id=141548
2440
2441         Reviewed by Gavin Barraclough.
2442
2443         JSC emits "addq #1 (rXX)" *a lot*.
2444         This patch replaces that with incq, which is one byte shorter
2445         and is the advised form.
2446
2447         Sunspider: +0.47%
2448         Octane: +0.28%
2449         Kraken: +0.44%
2450         AsmBench, CompressionBench: neutral.
2451
2452         * assembler/MacroAssemblerX86_64.h:
2453         (JSC::MacroAssemblerX86_64::add64):
2454         * assembler/X86Assembler.h:
2455         (JSC::X86Assembler::incq_m):
2456
2457 2015-02-13  Benjamin Poulain  <benjamin@webkit.org>
2458
2459         Little clean up of Bytecode Generator's Label
2460         https://bugs.webkit.org/show_bug.cgi?id=141557
2461
2462         Reviewed by Michael Saboff.
2463
2464         * bytecompiler/BytecodeGenerator.h:
2465         * bytecompiler/BytecodeGenerator.cpp:
2466         Label was a friend of BytecodeGenerator in order to access
2467         m_instructions. There is no need for that: BytecodeGenerator
2468         has a public getter.
2469
2470         * bytecompiler/Label.h:
2471         (JSC::Label::Label):
2472         (JSC::Label::setLocation):
2473         (JSC::BytecodeGenerator::newLabel):
2474         Make it explicit that the generator must exist.
2475
2476 2015-02-13  Michael Saboff  <msaboff@apple.com>
2477
2478         Google doc spreadsheet reproducibly crashes when sorting
2479         https://bugs.webkit.org/show_bug.cgi?id=141098
2480
2481         Reviewed by Oliver Hunt.
2482
2483         Moved the stack check to before the callee registers are allocated in the
2484         prologue() by moving it from the functionInitialization() macro.  This
2485         way we can check the stack before moving the stack pointer, avoiding a
2486         crash during a "call" instruction.  Before this change, we weren't even
2487         checking the stack for program and eval execution.
2488
2489         Made a couple of supporting changes.
2490
2491         * llint/LLIntSlowPaths.cpp:
2492         (JSC::LLInt::llint_stack_check): We can't just go up one frame as we
2493         may be processing an exception to an entry frame.
2494
2495         * llint/LowLevelInterpreter.asm:
2496
2497         * llint/LowLevelInterpreter32_64.asm:
2498         * llint/LowLevelInterpreter64.asm:
2499         (llint_throw_from_slow_path_trampoline): Changed method to get the vm
2500         from the code block to not use the codeBlock, since we may need to
2501         continue from an exception in a native function.
2502
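The failure mode this entry fixes (the stack check running only for function code, so program and eval code could run off the end of the stack before the check) is the kind of thing a robustness test can pin down from JavaScript alone. The example below is added here and is not one of WebKit's js/regress tests; it exhausts the stack through function code and through eval code and reports whether the engine surfaced a catchable RangeError, which is the behaviour a correct prologue check guarantees.

```javascript
// Added example (not from WebKit): stack exhaustion from two kinds of code
// must end in a RangeError that the caller can catch, never in a crash.

// Function code: plain unbounded recursion.
function recurseForever(n) {
  return recurseForever(n + 1) + 1;
}

// Eval code: every level re-enters through a direct eval, so the eval-code
// prologue is the one that has to notice the exhausted stack.
function evalRecurseForever(n) {
  return eval('evalRecurseForever(n + 1)') + 1;
}

// Runs the chosen code kind to exhaustion and returns true only if the
// engine reported it as a RangeError (the "Maximum call stack size
// exceeded" class of error in JavaScript engines).
function overflowIsCatchable(kind) {
  const entryPoints = { function: recurseForever, eval: evalRecurseForever };
  const entry = entryPoints[kind];
  if (entry === undefined) throw new TypeError('unknown code kind: ' + kind);
  try {
    entry(0);
  } catch (e) {
    return e instanceof RangeError;
  }
  return false; // unreachable: unbounded recursion cannot return normally
}

// Summary over both code kinds; a process abort here instead of a result
// is what a missing prologue stack check looks like.
function stackCheckReport() {
  return {
    function: overflowIsCatchable('function'),
    eval: overflowIsCatchable('eval'),
  };
}
```

Program code (a whole script) is not reachable from inside a running script without host-specific APIs, so the example covers the two kinds it can drive portably; a harness that loads a deeply recursive top-level script as its own program would close that gap.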
2503 2015-02-12  Benjamin Poulain  <benjamin@webkit.org>
2504
2505         Simplify the initialization of BytecodeGenerator a bit
2506         https://bugs.webkit.org/show_bug.cgi?id=141505
2507
2508         Reviewed by Anders Carlsson.
2509
2510         * bytecompiler/BytecodeGenerator.cpp:
2511         (JSC::BytecodeGenerator::BytecodeGenerator):
2512         * bytecompiler/BytecodeGenerator.h:
2513         Set up the default initialization at the declaration level
2514         instead of the constructor.
2515
2516         Also made m_scopeNode and m_codeType const to make it explicit
2517         that they are invariant after construction.
2518
2519         * parser/Nodes.cpp:
2520         * runtime/Executable.cpp:
2521         Remove 2 useless #includes.
2522
2523 2015-02-12  Benjamin Poulain  <benjamin@webkit.org>
2524
2525         Move the generators for GetScope and SkipScope to the common core in DFGSpeculativeJIT
2526         https://bugs.webkit.org/show_bug.cgi?id=141506
2527
2528         Reviewed by Michael Saboff.
2529
2530         The generators for the nodes GetScope and SkipScope were
2531         completely identical between 32 and 64 bits.
2532
2533         This patch moves the duplicated code to DFGSpeculativeJIT.
2534
2535         * dfg/DFGSpeculativeJIT.cpp:
2536         (JSC::DFG::SpeculativeJIT::compileGetScope):
2537         (JSC::DFG::SpeculativeJIT::compileSkipScope):
2538         * dfg/DFGSpeculativeJIT.h:
2539         * dfg/DFGSpeculativeJIT32_64.cpp:
2540         (JSC::DFG::SpeculativeJIT::compile):
2541         * dfg/DFGSpeculativeJIT64.cpp:
2542         (JSC::DFG::SpeculativeJIT::compile):
2543
2544 2015-02-11  Brent Fulgham  <bfulgham@apple.com>
2545
2546         [Win] [64-bit] Work around MSVC2013 Runtime Bug
2547         https://bugs.webkit.org/show_bug.cgi?id=141498
2548         <rdar://problem/19803642>
2549
2550         Reviewed by Anders Carlsson.
2551
2552         Disable FMA3 instruction use in the MSVC math library to
2553         work around a VS2013 runtime crash. We can remove this
2554         workaround when we switch to VS2015.
2555
2556         * API/tests/testapi.c: Call _set_FMA3_enable(0) to disable
2557         FMA3 support.
2558         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add new files.
2559         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
2560         * JavaScriptCore.vcxproj/JavaScriptCoreDLL.cpp: Added.
2561         * JavaScriptCore.vcxproj/jsc/DLLLauncherMain.cpp: Call _set_FMA3_enable(0)
2562         to disable FMA3 support.
2563         * jsc.cpp: Ditto.
2564         * testRegExp.cpp: Ditto.
2565
2566 2015-02-11  Filip Pizlo  <fpizlo@apple.com>
2567
2568         The callee frame helpers in DFG::SpeculativeJIT should be available to other JITs
2569         https://bugs.webkit.org/show_bug.cgi?id=141493
2570
2571         Reviewed by Michael Saboff.
2572
2573         * dfg/DFGSpeculativeJIT.h:
2574         (JSC::DFG::SpeculativeJIT::calleeFrameSlot): Deleted.
2575         (JSC::DFG::SpeculativeJIT::calleeArgumentSlot): Deleted.
2576         (JSC::DFG::SpeculativeJIT::calleeFrameTagSlot): Deleted.
2577         (JSC::DFG::SpeculativeJIT::calleeFramePayloadSlot): Deleted.
2578         (JSC::DFG::SpeculativeJIT::calleeArgumentTagSlot): Deleted.
2579         (JSC::DFG::SpeculativeJIT::calleeArgumentPayloadSlot): Deleted.
2580         (JSC::DFG::SpeculativeJIT::calleeFrameCallerFrame): Deleted.
2581         * dfg/DFGSpeculativeJIT32_64.cpp:
2582         (JSC::DFG::SpeculativeJIT::emitCall):
2583         * dfg/DFGSpeculativeJIT64.cpp:
2584         (JSC::DFG::SpeculativeJIT::emitCall):
2585         * jit/AssemblyHelpers.h:
2586         (JSC::AssemblyHelpers::calleeFrameSlot):
2587         (JSC::AssemblyHelpers::calleeArgumentSlot):
2588         (JSC::AssemblyHelpers::calleeFrameTagSlot):
2589         (JSC::AssemblyHelpers::calleeFramePayloadSlot):
2590         (JSC::AssemblyHelpers::calleeArgumentTagSlot):
2591         (JSC::AssemblyHelpers::calleeArgumentPayloadSlot):
2592         (JSC::AssemblyHelpers::calleeFrameCallerFrame):
2593
2594 2015-02-11  Filip Pizlo  <fpizlo@apple.com>
2595
2596         SetupVarargsFrame should not assume that an inline stack frame would have identical layout to a normal stack frame
2597         https://bugs.webkit.org/show_bug.cgi?id=141485
2598
2599         Reviewed by Oliver Hunt.
2600         
2601         The inlineStackOffset argument was meant to make it easy for the DFG to use this helper for
2602         vararg calls from inlined code, but that doesn't work since the DFG inline call frame
2603         doesn't actually put the argument count at the JSStack::ArgumentCount offset. In fact there
2604         is really no such thing as an inlineStackOffset except when we OSR exit; while the code is
2605         running the stack layout is compacted so that the stackOffset is not meaningful.
2606
2607         * jit/JITCall.cpp:
2608         (JSC::JIT::compileSetupVarargsFrame):
2609         * jit/JITCall32_64.cpp:
2610         (JSC::JIT::compileSetupVarargsFrame):
2611         * jit/SetupVarargsFrame.cpp:
2612         (JSC::emitSetupVarargsFrameFastCase):
2613         * jit/SetupVarargsFrame.h:
2614
2615 2015-02-10  Filip Pizlo  <fpizlo@apple.com>
2616
2617         Split FTL::JSCall into the part that knows about call inline caching and the part that interacts with LLVM patchpoints
2618         https://bugs.webkit.org/show_bug.cgi?id=141455
2619
2620         Reviewed by Mark Lam.
2621         
2622         The newly introduced FTL::JSCallBase can be used to build other things, like the FTL portion
2623         of https://bugs.webkit.org/show_bug.cgi?id=141332.
2624
2625         * CMakeLists.txt:
2626         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2627         * JavaScriptCore.xcodeproj/project.pbxproj:
2628         * bytecode/CallLinkInfo.h:
2629         (JSC::CallLinkInfo::specializationKindFor):
2630         (JSC::CallLinkInfo::specializationKind):
2631         * ftl/FTLJSCall.cpp:
2632         (JSC::FTL::JSCall::JSCall):
2633         (JSC::FTL::JSCall::emit): Deleted.
2634         (JSC::FTL::JSCall::link): Deleted.
2635         * ftl/FTLJSCall.h:
2636         * ftl/FTLJSCallBase.cpp: Added.
2637         (JSC::FTL::JSCallBase::JSCallBase):
2638         (JSC::FTL::JSCallBase::emit):
2639         (JSC::FTL::JSCallBase::link):
2640         * ftl/FTLJSCallBase.h: Added.
2641
2642 2015-02-10  Filip Pizlo  <fpizlo@apple.com>
2643
2644         Unreviewed, fix build.
2645
2646         * jit/CCallHelpers.h:
2647         (JSC::CCallHelpers::setupArgumentsWithExecState):
2648
2649 2015-02-10  Filip Pizlo  <fpizlo@apple.com>
2650
2651         op_call_varargs should only load the length once
2652         https://bugs.webkit.org/show_bug.cgi?id=141440
2653         rdar://problem/19761683
2654
2655         Reviewed by Michael Saboff.
2656         
2657         Refactors the pair of calls that set up the varargs frame so that the first call returns the
2658         length, and the second call uses the length returned by the first one. It turns out that this
2659         gave me an opportunity to shorten a lot of the code.
2660
2661         * interpreter/Interpreter.cpp:
2662         (JSC::sizeFrameForVarargs):
2663         (JSC::loadVarargs):
2664         (JSC::setupVarargsFrame):
2665         (JSC::setupVarargsFrameAndSetThis):
2666         * interpreter/Interpreter.h:
2667         (JSC::calleeFrameForVarargs):
2668         * jit/CCallHelpers.h:
2669         (JSC::CCallHelpers::setupArgumentsWithExecState):
2670         * jit/JIT.h:
2671         * jit/JITCall.cpp:
2672         (JSC::JIT::compileSetupVarargsFrame):
2673         * jit/JITCall32_64.cpp:
2674         (JSC::JIT::compileSetupVarargsFrame):
2675         * jit/JITInlines.h:
2676         (JSC::JIT::callOperation):
2677         * jit/JITOperations.cpp:
2678         * jit/JITOperations.h:
2679         * jit/SetupVarargsFrame.cpp:
2680         (JSC::emitSetVarargsFrame):
2681         (JSC::emitSetupVarargsFrameFastCase):
2682         * jit/SetupVarargsFrame.h:
2683         * llint/LLIntSlowPaths.cpp:
2684         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2685         * runtime/Arguments.cpp:
2686         (JSC::Arguments::copyToArguments):
2687         * runtime/Arguments.h:
2688         * runtime/JSArray.cpp:
2689         (JSC::JSArray::copyToArguments):
2690         * runtime/JSArray.h:
2691         * runtime/VM.h:
2692         * tests/stress/call-varargs-length-effects.js: Added.
2693         (foo):
2694         (bar):
2695
2696 2015-02-10  Michael Saboff  <msaboff@apple.com>
2697
2698         Crash in JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq
2699         https://bugs.webkit.org/show_bug.cgi?id=139398
2700
2701         Reviewed by Filip Pizlo.
2702
2703         Due to CFA analysis, the CompareStrictEq node was determined to be unreachable, but later
2704         was determined to be reachable.  When we go to lower to LLVM, the edges for the CompareStrictEq
2705         node are UntypedUse which we can't compile.  Fixed this by checking that the IR before
2706         lowering can still be handled by the FTL.
2707
2708         Had to add GetArgument as a node that the FTL can compile as the SSA conversion phase converts
2709         a SetArgument to a GetArgument.  Before this change FTL::canCompile() would never see a GetArgument
2710         node.  With the check right before lowering, we see this node.
2711
2712         * dfg/DFGPlan.cpp:
2713         (JSC::DFG::Plan::compileInThreadImpl): Added a final FTL::canCompile() check before lowering
2714         to verify that after all the transformations we still have valid IR for the FTL.
2715         * ftl/FTLCapabilities.cpp:
2716         (JSC::FTL::canCompile): Added GetArgument as a node the FTL can compile.
2717
2718 2015-02-10  Filip Pizlo  <fpizlo@apple.com>
2719
2720         Remove unused DFG::SpeculativeJIT::calleeFrameOffset().
2721
2722         Rubber stamped by Michael Saboff.
2723         
2724         Not only was this not used, I believe that the math was wrong. The callee frame doesn't
2725         actually land past m_nextMachineLocal; instead it lands just below wherever we put SP and
2726         that decision is made elsewhere. Also, it makes no sense to subtract 1 from
2727         m_nextMachineLocal when trying to deduce the number of in-use stack slots.
2728
2729         * dfg/DFGSpeculativeJIT.h:
2730         (JSC::DFG::SpeculativeJIT::calleeFrameOffset): Deleted.
2731
2732 2015-02-10  Saam Barati  <saambarati1@gmail.com>
2733
2734         Parser::parseVarDeclarationList gets the wrong JSToken for the last identifier
2735         https://bugs.webkit.org/show_bug.cgi?id=141272
2736
2737         Reviewed by Oliver Hunt.
2738
2739         This patch fixes a bug where the wrong text location would be 
2740         assigned to a variable declaration inside a ForIn/ForOf loop. 
2741         It also fixes a bug in the type profiler where the type profiler 
2742         emits the wrong text offset for a ForIn loop's variable declarator 
2743         when it's not a pattern node.
2744
2745         * bytecompiler/NodesCodegen.cpp:
2746         (JSC::ForInNode::emitLoopHeader):
2747         * parser/Parser.cpp:
2748         (JSC::Parser<LexerType>::parseVarDeclarationList):
2749         * tests/typeProfiler/loop.js:
2750         (testForIn):
2751         (testForOf):
2752
2753 2015-02-09  Saam Barati  <saambarati1@gmail.com>
2754
2755         JSC's Type Profiler doesn't profile the type of the looping variable in ForOf/ForIn loops
2756         https://bugs.webkit.org/show_bug.cgi?id=141241
2757
2758         Reviewed by Filip Pizlo.
2759
2760         Type information is now recorded for ForIn and ForOf statements. 
2761         It was an oversight to not have these statements profiled before.
2762
2763         * bytecompiler/NodesCodegen.cpp:
2764         (JSC::ForInNode::emitLoopHeader):
2765         (JSC::ForOfNode::emitBytecode):
2766         * tests/typeProfiler/loop.js: Added.
2767         (testForIn):
2768         (testForOf):
2769
2770 2015-02-09  Filip Pizlo  <fpizlo@apple.com>
2771
2772         DFG::StackLayoutPhase should always set the scopeRegister to VirtualRegister() because the DFG doesn't do anything to make its value valid
2773         https://bugs.webkit.org/show_bug.cgi?id=141412
2774
2775         Reviewed by Michael Saboff.
2776         
2777         StackLayoutPhase was attempting to ensure that the register that
2778         CodeBlock::scopeRegister() points to is the right one for the DFG. But the DFG did nothing
2779         else to maintain the validity of the scopeRegister(). It wasn't captured as far as I can
2780         tell. StackLayoutPhase didn't explicitly mark it live. PreciseLocalClobberize didn't mark
2781         it as being live. So, by the time we got here the register referred to by
2782         CodeBlock::scopeRegister() would have been junk. Moreover, CodeBlock::scopeRegister() was
2783         not used for DFG code blocks, and was hardly ever used outside of bytecode generation.
2784         
2785         So, this patch just removes the code to manipulate this field and replaces it with an
2786         unconditional setScopeRegister(VirtualRegister()). Setting it to the invalid register
2787         ensures that any attempts to read the scopeRegister in a DFG or FTL frame immediately
2788         punts.
2789
2790         * dfg/DFGStackLayoutPhase.cpp:
2791         (JSC::DFG::StackLayoutPhase::run):
2792
2793 2015-02-09  Filip Pizlo  <fpizlo@apple.com>
2794
2795         Varargs frame set-up should be factored out for use by other JITs
2796         https://bugs.webkit.org/show_bug.cgi?id=141388
2797
2798         Reviewed by Michael Saboff.
2799         
2800         Previously the code that dealt with varargs always assumed that we were setting up a varargs call
2801         frame by literally following the execution semantics of op_call_varargs. This isn't how it'll
2802         happen once the DFG and FTL do varargs calls, or when varargs calls get inlined. The DFG and FTL
2803         don't literally execute bytecode; for example their stack frame layout has absolutely nothing in
2804         common with what the bytecode says, and that will never change.
2805         
2806         This patch makes two changes:
2807         
2808         Setting up the varargs callee frame can be done in smaller steps: particularly in the case of a
2809         varargs call that gets inlined, we aren't going to actually want to set up a callee frame in
2810         full - we just want to put the arguments somewhere, and that place will not have much (if
2811         anything) in common with the call frame format. This patch factors that out into something called
2812         a loadVarargs. The thing we used to call loadVarargs is now called setupVarargsFrame. This patch
2813         also separates loading varargs from setting this, since the fact that those two things are done
2814         together is a detail made explicit in bytecode but it's not at all required in the higher-tier
2815         engines. In the process of factoring this code out, I found a bunch of off-by-one errors in the
2816         various calculations. I fixed them. The distance from the caller's frame pointer to the callee
2817         frame pointer is always:
2818         
2819             numUsedCallerSlots + argCount + 1 + CallFrameSize
2820         
2821         where numUsedCallerSlots is toLocal(firstFreeRegister) - 1, which simplifies down to just
2822         -firstFreeRegister. The code now speaks of numUsedCallerSlots rather than firstFreeRegister,
2823         since the latter is a bytecode peculiarity that doesn't apply in the DFG or FTL. In the DFG, the
2824         internally-computed frame size, minus the parameter slots, will be used for numUsedCallerSlots.
2825         In the FTL, we will essentially compute numUsedCallerSlots dynamically by subtracting SP from FP.
2826         Eventually, LLVM might give us some cleaner way of doing this, but it probably doesn't matter
2827         very much.
2828         
2829         The arguments forwarding optimization is factored out of the Baseline JIT: the DFG and FTL will
2830         want to do this optimization as well, but it involves quite a bit of code. So, this code is now
2831         factored out into SetupVarargsFrame.h|cpp, so that other JITs can use it. In the process of factoring
2832         this code out I noticed that the 32-bit and 64-bit code is nearly identical, so I combined them.
2833
2834         * CMakeLists.txt:
2835         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2836         * JavaScriptCore.xcodeproj/project.pbxproj:
2837         * bytecode/CodeBlock.h:
2838         (JSC::ExecState::r):
2839         (JSC::ExecState::uncheckedR):
2840         * bytecode/VirtualRegister.h:
2841         (JSC::VirtualRegister::operator+):
2842         (JSC::VirtualRegister::operator-):
2843         (JSC::VirtualRegister::operator+=):
2844         (JSC::VirtualRegister::operator-=):
2845         * interpreter/CallFrame.h:
2846         * interpreter/Interpreter.cpp:
2847         (JSC::sizeFrameForVarargs):
2848         (JSC::loadVarargs):
2849         (JSC::setupVarargsFrame):
2850         (JSC::setupVarargsFrameAndSetThis):
2851         * interpreter/Interpreter.h:
2852         * jit/AssemblyHelpers.h:
2853         (JSC::AssemblyHelpers::emitGetFromCallFrameHeaderPtr):
2854         (JSC::AssemblyHelpers::emitGetFromCallFrameHeader32):
2855         (JSC::AssemblyHelpers::emitGetFromCallFrameHeader64):
2856         * jit/JIT.h:
2857         * jit/JITCall.cpp:
2858         (JSC::JIT::compileSetupVarargsFrame):
2859         * jit/JITCall32_64.cpp:
2860         (JSC::JIT::compileSetupVarargsFrame):
2861         * jit/JITInlines.h:
2862         (JSC::JIT::callOperation):
2863         (JSC::JIT::emitGetFromCallFrameHeaderPtr): Deleted.
2864         (JSC::JIT::emitGetFromCallFrameHeader32): Deleted.
2865         (JSC::JIT::emitGetFromCallFrameHeader64): Deleted.
2866         * jit/JITOperations.cpp:
2867         * jit/JITOperations.h:
2868         * jit/SetupVarargsFrame.cpp: Added.
2869         (JSC::emitSetupVarargsFrameFastCase):
2870         * jit/SetupVarargsFrame.h: Added.
2871         * llint/LLIntSlowPaths.cpp:
2872         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2873         * runtime/Arguments.cpp:
2874         (JSC::Arguments::copyToArguments):
2875         * runtime/Arguments.h:
2876         * runtime/JSArray.cpp:
2877         (JSC::JSArray::copyToArguments):
2878         * runtime/JSArray.h:
2879
2880 2015-02-09  Filip Pizlo  <fpizlo@apple.com>
2881
2882         DFG call codegen should resolve the callee operand as late as possible
2883         https://bugs.webkit.org/show_bug.cgi?id=141398
2884
2885         Reviewed by Mark Lam.
2886         
2887         This is mostly a benign restructuring to help with the implementation of
2888         https://bugs.webkit.org/show_bug.cgi?id=141332.
2889
2890         * dfg/DFGSpeculativeJIT32_64.cpp:
2891         (JSC::DFG::SpeculativeJIT::emitCall):
2892         * dfg/DFGSpeculativeJIT64.cpp:
2893         (JSC::DFG::SpeculativeJIT::emitCall):
2894
2895 2015-02-08  Filip Pizlo  <fpizlo@apple.com>
2896
2897         DFG should only have two mechanisms for describing effectfulness of nodes; previously there were three
2898         https://bugs.webkit.org/show_bug.cgi?id=141369
2899
2900         Reviewed by Michael Saboff.
2901
2902         We previously used the NodeMightClobber and NodeClobbersWorld NodeFlags to describe
2903         effectfulness.  Starting over a year ago, we introduced a more powerful mechanism - the
2904         DFG::clobberize() function.  Now we only have one remaining client of the old NodeFlags,
2905         and everyone else uses DFG::clobberize().  We should get rid of those NodeFlags and
2906         finally switch everyone over to DFG::clobberize().
2907         
2908         Unfortunately there is still another place where effectfulness of nodes is described: the
2909         AbstractInterpreter. This is because the AbstractInterpreter has special tuning both for
2910         compile time performance and there are places where the AI is more precise than
2911         clobberize() because of its flow-sensitivity.
2912         
2913         This means that after this change there will be only two places, rather than three, where
2914         the effectfulness of a node has to be described:
2915
2916         - DFG::clobberize()
2917         - DFG::AbstractInterpreter
2918
2919         * dfg/DFGClobberize.cpp:
2920         (JSC::DFG::clobbersWorld):
2921         * dfg/DFGClobberize.h:
2922         * dfg/DFGDoesGC.cpp:
2923         (JSC::DFG::doesGC):
2924         * dfg/DFGFixupPhase.cpp:
2925         (JSC::DFG::FixupPhase::fixupNode):
2926         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
2927         (JSC::DFG::FixupPhase::convertToGetArrayLength):
2928         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
2929         * dfg/DFGGraph.h:
2930         (JSC::DFG::Graph::isPredictedNumerical): Deleted.
2931         (JSC::DFG::Graph::byValIsPure): Deleted.
2932         (JSC::DFG::Graph::clobbersWorld): Deleted.
2933         * dfg/DFGNode.h:
2934         (JSC::DFG::Node::convertToConstant):
2935         (JSC::DFG::Node::convertToGetLocalUnlinked):
2936         (JSC::DFG::Node::convertToGetByOffset):
2937         (JSC::DFG::Node::convertToMultiGetByOffset):
2938         (JSC::DFG::Node::convertToPutByOffset):
2939         (JSC::DFG::Node::convertToMultiPutByOffset):
2940         * dfg/DFGNodeFlags.cpp:
2941         (JSC::DFG::dumpNodeFlags):
2942         * dfg/DFGNodeFlags.h:
2943         * dfg/DFGNodeType.h:
2944
2945 2015-02-09  Csaba Osztrogonác  <ossy@webkit.org>
2946
2947         Fix the !ENABLE(DFG_JIT) build
2948         https://bugs.webkit.org/show_bug.cgi?id=141387
2949
2950         Reviewed by Darin Adler.
2951
2952         * jit/Repatch.cpp:
2953
2954 2015-02-08  Benjamin Poulain  <benjamin@webkit.org>
2955
2956         Remove a few duplicate propagation steps from the DFG's PredictionPropagation phase
2957         https://bugs.webkit.org/show_bug.cgi?id=141363
2958
2959         Reviewed by Darin Adler.
2960
2961         * dfg/DFGPredictionPropagationPhase.cpp:
2962         (JSC::DFG::PredictionPropagationPhase::propagate):
2963         Some blocks were duplicated; they probably evolved separately
2964         to the same state.
2965
2966 2015-02-08  Benjamin Poulain  <benjamin@webkit.org>
2967
2968         Remove useless declarations and a stale comment from DFGByteCodeParser.h
2969         https://bugs.webkit.org/show_bug.cgi?id=141361
2970
2971         Reviewed by Darin Adler.
2972
2973         The comment refers to the original form of the ByteCodeParser:
2974             parse(Graph&, JSGlobalData*, CodeBlock*, unsigned startIndex);
2975
2976         That form is long dead, the comment is more misleading than anything.
2977
2978         * dfg/DFGByteCodeParser.cpp:
2979         * dfg/DFGByteCodeParser.h:
2980
2981 2015-02-08  Benjamin Poulain  <benjamin@webkit.org>
2982
2983         Encapsulate DFG::Plan's beforeFTL timestamp
2984         https://bugs.webkit.org/show_bug.cgi?id=141360
2985
2986         Reviewed by Darin Adler.
2987
2988         Make the attribute private, it is an internal state.
2989
2990         Rename beforeFTL->timeBeforeFTL for readability.
2991
2992         * dfg/DFGPlan.cpp:
2993         (JSC::DFG::Plan::compileInThread):
2994         (JSC::DFG::Plan::compileInThreadImpl):
2995         * dfg/DFGPlan.h:
2996
2997 2015-02-08  Benjamin Poulain  <bpoulain@apple.com>
2998
2999         Remove DFGNode::hasArithNodeFlags()
3000         https://bugs.webkit.org/show_bug.cgi?id=141319
3001
3002         Reviewed by Michael Saboff.
3003
3004         * dfg/DFGNode.h:
3005         (JSC::DFG::Node::hasArithNodeFlags): Deleted.
3006         Unused code is unused.
3007
3008 2015-02-07  Chris Dumez  <cdumez@apple.com>
3009
3010         Add Vector::removeFirstMatching() / removeAllMatching() methods taking lambda functions
3011         https://bugs.webkit.org/show_bug.cgi?id=141321
3012
3013         Reviewed by Darin Adler.
3014
3015         Use new Vector::removeFirstMatching() / removeAllMatching() methods.
3016
3017 2015-02-06  Filip Pizlo  <fpizlo@apple.com>
3018
3019         DFG SSA shouldn't have SetArgument nodes
3020         https://bugs.webkit.org/show_bug.cgi?id=141342
3021
3022         Reviewed by Mark Lam.
3023
3024         I was wondering why we kept the SetArgument around for captured
3025         variables. It turns out we did so because we thought we had to, even
3026         though we didn't have to. The node is meaningless in SSA.
3027
3028         * dfg/DFGSSAConversionPhase.cpp:
3029         (JSC::DFG::SSAConversionPhase::run):
3030         * ftl/FTLLowerDFGToLLVM.cpp:
3031         (JSC::FTL::LowerDFGToLLVM::compileNode):
3032
3033 2015-02-06  Filip Pizlo  <fpizlo@apple.com>
3034
3035         It should be possible to use the DFG SetArgument node to indicate that someone set the value of a local out-of-band
3036         https://bugs.webkit.org/show_bug.cgi?id=141337
3037
3038         Reviewed by Mark Lam.
3039
3040         This mainly involved ensuring that SetArgument behaves just like SetLocal from a CPS standpoint, but with a special case for those SetArguments that
3041         are associated with the prologue.
3042
3043         * dfg/DFGCPSRethreadingPhase.cpp:
3044         (JSC::DFG::CPSRethreadingPhase::run):
3045         (JSC::DFG::CPSRethreadingPhase::canonicalizeSet):
3046         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
3047         (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
3048         (JSC::DFG::CPSRethreadingPhase::canonicalizeSetLocal): Deleted.
3049         (JSC::DFG::CPSRethreadingPhase::canonicalizeSetArgument): Deleted.
3050
3051 2015-02-06  Mark Lam  <mark.lam@apple.com>
3052
3053         MachineThreads should be ref counted.
3054         <https://webkit.org/b/141317>
3055
3056         Reviewed by Filip Pizlo.
3057
3058         The VM's MachineThreads registry object is being referenced from other
3059         threads as a raw pointer.  In a scenario where the VM is destructed on
3060         the main thread, there is no guarantee that another thread isn't still
3061         holding a reference to the registry and will eventually invoke
3062         removeThread() on it on thread exit.  Hence, there's a possible use
3063         after free scenario here.
3064
3065         The fix is to make MachineThreads ThreadSafeRefCounted, and have all
3066         threads that reference it keep a RefPtr to it to ensure that it stays
3067         alive until the very last thread is done with it.
3068
3069         * API/tests/testapi.mm:
3070         (useVMFromOtherThread): - Renamed to be more descriptive.
3071         (useVMFromOtherThreadAndOutliveVM):
3072         - Added a test that has another thread which uses the VM outlive the
3073           VM to confirm that there is no crash.
3074
3075           However, I was not actually able to get the VM to crash without this
3076           patch because I wasn't always able to get the thread destructor to be
3077           called.  With this patch applied, I did verify with some logging that
3078           the MachineThreads registry is only destructed after all threads
3079           have removed themselves from it.
3080
3081         (threadMain): Deleted.
3082
3083         * heap/Heap.cpp:
3084         (JSC::Heap::Heap):
3085         (JSC::Heap::~Heap):
3086         (JSC::Heap::gatherStackRoots):
3087         * heap/Heap.h:
3088         (JSC::Heap::machineThreads):
3089         * heap/MachineStackMarker.cpp:
3090         (JSC::MachineThreads::Thread::Thread):
3091         (JSC::MachineThreads::addCurrentThread):
3092         (JSC::MachineThreads::removeCurrentThread):
3093         * heap/MachineStackMarker.h:
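
        As an added illustration of the lifetime problem and fix described in this
        entry (example code of my own, not JSC's): std::shared_ptr stands in for
        WTF::ThreadSafeRefCounted plus RefPtr, ThreadRegistry is a stand-in for
        MachineThreads that merely counts threads, and the VM type, the
        runOutliveVmScenario() and registryDestroyedLast() helpers and the event
        strings are all constructed for the example. It replays the
        useVMFromOtherThreadAndOutliveVM scenario deterministically and returns
        the order in which things were torn down.

```cpp
#include <condition_variable>
#include <memory>
#include <mutex>
#include <string>
#include <thread>
#include <vector>

// Constructed illustration, not JSC code: std::shared_ptr stands in for
// WTF::ThreadSafeRefCounted + RefPtr, and the registry only counts threads.
struct EventLog {
    std::mutex lock;
    std::vector<std::string> events;
    void add(const char* e) { std::lock_guard<std::mutex> g(lock); events.push_back(e); }
};

// Stand-in for MachineThreads: the registry of threads whose stacks the GC scans.
class ThreadRegistry {
public:
    explicit ThreadRegistry(EventLog& log) : m_log(log) {}
    ~ThreadRegistry() { m_log.add("registry destroyed"); }
    void addCurrentThread() { std::lock_guard<std::mutex> g(m_lock); ++m_count; m_log.add("thread added"); }
    void removeCurrentThread() { std::lock_guard<std::mutex> g(m_lock); --m_count; m_log.add("thread removed"); }
private:
    EventLog& m_log;
    std::mutex m_lock;
    int m_count = 0;
};

// Stand-in for the VM (or its Heap): it holds one reference, not sole ownership.
struct VM {
    EventLog& log;
    std::shared_ptr<ThreadRegistry> registry;
    explicit VM(EventLog& l) : log(l), registry(std::make_shared<ThreadRegistry>(l)) {}
    ~VM() { log.add("vm destroyed"); }
};

// The useVMFromOtherThreadAndOutliveVM scenario: a worker registers with the
// VM's registry, the VM is destroyed on the main thread while the worker still
// runs, then the worker removes itself on exit. Returns the ordered event log.
std::vector<std::string> runOutliveVmScenario() {
    EventLog log;
    std::mutex m;
    std::condition_variable cv;
    bool registered = false;
    bool vmGone = false;

    std::unique_ptr<VM> vm(new VM(log));
    std::shared_ptr<ThreadRegistry> workerRef = vm->registry; // strong ref handed to the worker

    std::thread worker([&log, &m, &cv, &registered, &vmGone, ref = std::move(workerRef)]() mutable {
        ref->addCurrentThread();
        { std::lock_guard<std::mutex> g(m); registered = true; }
        cv.notify_all();
        { std::unique_lock<std::mutex> g(m); cv.wait(g, [&] { return vmGone; }); }
        // Thread-exit path. With a raw pointer this would touch freed memory once
        // the VM is gone; with a strong reference the registry is still alive here.
        ref->removeCurrentThread();
        ref.reset(); // drops the last reference: the registry dies here, after removal
    });

    { std::unique_lock<std::mutex> g(m); cv.wait(g, [&] { return registered; }); }
    vm.reset(); // the VM dies first; its registry survives through the worker's reference
    { std::lock_guard<std::mutex> g(m); vmGone = true; }
    cv.notify_all();
    worker.join();
    return log.events;
}

// True when the registry outlived both the VM and the worker's removeCurrentThread().
bool registryDestroyedLast(const std::vector<std::string>& events) {
    return events.size() == 4
        && events[0] == "thread added"
        && events[1] == "vm destroyed"
        && events[2] == "thread removed"
        && events[3] == "registry destroyed";
}

int main() {
    return registryDestroyedLast(runOutliveVmScenario()) ? 0 : 1;
}
```

        The point worth noticing is that the registry's destructor runs on the
        worker thread, after the VM is already gone, because the worker held the
        last reference; that is the ordering the entry says the logging confirmed.
        The condition variables only make the interleaving reproducible for the
        check; the real registry has no such ordering guarantee, which is why the
        reference must be strong.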
3094
3095 2015-02-06  Commit Queue  <commit-queue@webkit.org>
3096
3097         Unreviewed, rolling out r179743.
3098         https://bugs.webkit.org/show_bug.cgi?id=141335
3099
3100         caused missing symbols in non-WebKit clients of WTF::Vector
3101         (Requested by kling on #webkit).
3102
3103         Reverted changeset:
3104
3105         "Remove WTF::fastMallocGoodSize()."
3106         https://bugs.webkit.org/show_bug.cgi?id=141020
3107         http://trac.webkit.org/changeset/179743
3108
3109 2015-02-04  Filip Pizlo  <fpizlo@apple.com>
3110
3111         Remove BytecodeGenerator::preserveLastVar() and replace it with a more robust mechanism for preserving non-temporary registers
3112         https://bugs.webkit.org/show_bug.cgi?id=141211
3113
3114         Reviewed by Mark Lam.
3115
3116         Previously, the way non-temporary registers were preserved (i.e. not reclaimed anytime
3117         we did newTemporary()) was by calling preserveLastVar() after all non-temps are created. It
3118         would raise the refcount on the last (highest-numbered) variable created, and rely on
3119         the fact that register reclamation started at higher-numbered registers and worked its
3120         way down. So any retained register would block any lower-numbered registers from being
3121         reclaimed.
3122         
3123         Also, preserveLastVar() sets a thing called m_firstConstantIndex. It's unused.
3124         
3125         This removes preserveLastVar() and makes addVar() retain each register it creates. This
3126         is more explicit, since addVar() is the mechanism for creating non-temporary registers.
3127         
3128         To make this work I had to remove an assertion that Register::setIndex() can only be
3129         called when the refcount is zero. This method might be called after a var is created to
3130         change its index. This previously worked because preserveLastVar() would be called after
3131         we had already made all index changes, so the vars would still have refcount zero. Now
3132         they have refcount 1. I think it's OK to lose this assertion; I can't remember this
3133         assertion ever firing in a way that alerted me to a serious issue.
3134         
3135         * bytecompiler/BytecodeGenerator.cpp:
3136         (JSC::BytecodeGenerator::BytecodeGenerator):
3137         (JSC::BytecodeGenerator::preserveLastVar): Deleted.
3138         * bytecompiler/BytecodeGenerator.h:
3139         (JSC::BytecodeGenerator::addVar):
3140         * bytecompiler/RegisterID.h:
3141         (JSC::RegisterID::setIndex):
3142
3143 2015-02-06  Andreas Kling  <akling@apple.com>
3144
3145         Remove WTF::fastMallocGoodSize().
3146         <https://webkit.org/b/141020>
3147
3148         Reviewed by Anders Carlsson.
3149
3150         * assembler/AssemblerBuffer.h:
3151         (JSC::AssemblerData::AssemblerData):
3152         (JSC::AssemblerData::grow):
3153
3154 2015-02-05  Michael Saboff  <msaboff@apple.com>
3155
3156         CodeCache is not thread safe when adding the same source from two different threads
3157         https://bugs.webkit.org/show_bug.cgi?id=141275
3158
3159         Reviewed by Mark Lam.
3160
3161         The issue for this bug is that one thread, takes a cache miss in CodeCache::getGlobalCodeBlock,
3162         but in the process creates a cache entry with a nullptr UnlinkedCodeBlockType* which it
3163         will fill in later in the function.  During the body of that function, it allocates
3164         objects that may garbage collect.  During that garbage collection, we drop all the locks.
3165         While the locks are released by the first thread, another thread can enter the VM and might
3166         have exactly the same source and enter CodeCache::getGlobalCodeBlock() itself.  When it
3167         looks up the code block, it sees it as a cache hit and uses the nullptr UnlinkedCodeBlockType*
3168         and crashes.  This fixes the problem by not dropping the locks during garbage collection.
3169         There are other likely scenarios where we have a data structure like this code cache in an
3170         unsafe state for arbitrary reentrance.
3171
3172         Moved the functionality of DelayedReleaseScope directly into Heap.  Changed it into
3173         a simple list that is cleared with the new function Heap::releaseDelayedReleasedObjects.
3174         Now we accumulate objects to be released and release them when all locks are dropped or
3175         when destroying the Heap.  This eliminated the dropping and reacquiring of locks associated
3176         with the old scope form of this list.
3177
3178         Given that all functionality of DelayedReleaseScope is now used and referenced by Heap
3179         and the lock management no longer needs to be done, just made the list a member of Heap.
3180         We do need to guard against the case that releasing an object can create more objects
3181         by calling into JS.  That is why releaseDelayedReleasedObjects() is written to remove
3182         an object to release so that we aren't recursively in Vector code.  The other thing we
3183         do in releaseDelayedReleasedObjects() is to guard against recursive calls to itself using
3184         the m_delayedReleaseRecursionCount.  We only release at the first entry into the function.
3185         This case is already tested by testapi.mm.
3186
3187         * heap/DelayedReleaseScope.h: Removed file
3188
3189         * API/JSAPIWrapperObject.mm:
3190         * API/ObjCCallbackFunction.mm:
3191         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3192         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3193         * JavaScriptCore.xcodeproj/project.pbxproj:
3194         * heap/IncrementalSweeper.cpp:
3195         (JSC::IncrementalSweeper::doSweep):
3196         * heap/MarkedAllocator.cpp:
3197         (JSC::MarkedAllocator::tryAllocateHelper):
3198         (JSC::MarkedAllocator::tryAllocate):
3199         * heap/MarkedBlock.cpp:
3200         (JSC::MarkedBlock::sweep):
3201         * heap/MarkedSpace.cpp:
3202         (JSC::MarkedSpace::MarkedSpace):
3203         (JSC::MarkedSpace::lastChanceToFinalize):
3204         (JSC::MarkedSpace::didFinishIterating):
3205         * heap/MarkedSpace.h:
3206         * heap/Heap.cpp:
3207         (JSC::Heap::collectAllGarbage):
3208         (JSC::Heap::zombifyDeadObjects):
3209         Removed references to DelayedReleaseScope and DelayedReleaseScope.h.
3210
3211         * heap/Heap.cpp:
3212         (JSC::Heap::Heap): Initialized m_delayedReleaseRecursionCount.
3213         (JSC::Heap::lastChanceToFinalize): Call releaseDelayedObjectsNow() as the VM is going away.
3214         (JSC::Heap::releaseDelayedReleasedObjects): New function that releases the accumulated
3215         delayed release objects.
3216
3217         * heap/Heap.h:
3218         (JSC::Heap::m_delayedReleaseObjects): List of objects to be released later.
3219         (JSC::Heap::m_delayedReleaseRecursionCount): Counter to indicate that
3220         releaseDelayedReleasedObjects is being called recursively.
3221         * heap/HeapInlines.h:
3222         (JSC::Heap::releaseSoon): Changed location of list to add delayed release objects.
3223         
3224         * runtime/JSLock.cpp:
3225         (JSC::JSLock::willReleaseLock):
3226         Call Heap::releaseDelayedObjectsNow() when releasing the lock.
3227
3228 2015-02-05  Youenn Fablet  <youenn.fablet@crf.canon.fr> and Xabier Rodriguez Calvar <calvaris@igalia.com>
3229
3230         [Streams API] Implement a barebone ReadableStream interface
3231         https://bugs.webkit.org/show_bug.cgi?id=141045
3232
3233         Reviewed by Benjamin Poulain.
3234
3235         * Configurations/FeatureDefines.xcconfig:
3236
3237 2015-02-05  Saam Barati  <saambarati1@gmail.com>
3238
3239         Crash in uninitialized deconstructing variable.
3240         https://bugs.webkit.org/show_bug.cgi?id=141070
3241
3242         Reviewed by Michael Saboff.
3243
3244         According to the ES6 spec, when a destructuring pattern occurs
3245         as the left hand side of an assignment inside a var declaration 
3246         statement, the assignment must also have a right hand side value.
3247         "var {x} = {};" is a legal syntactic statement, but,
3248         "var {x};" is a syntactic error.
3249
3250         Section 13.2.2 of the latest draft ES6 spec specifies this requirement:
3251         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-variable-statement
3252
3253         * parser/Parser.cpp:
3254         (JSC::Parser<LexerType>::parseVarDeclaration):
3255         (JSC::Parser<LexerType>::parseVarDeclarationList):
3256         (JSC::Parser<LexerType>::parseForStatement):
3257         * parser/Parser.h:
3258
3259 2015-02-04  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
3260
3261         Unreviewed, fix a build break on EFL port since r179648.
3262
3263         * heap/MachineStackMarker.cpp: EFL port doesn't use previousThread variable. 
3264         (JSC::MachineThreads::tryCopyOtherThreadStacks):
3265
3266 2015-02-04  Joseph Pecoraro  <pecoraro@apple.com>
3267
3268         Web Inspector: ES6: Improved Console Support for Symbol Objects
3269         https://bugs.webkit.org/show_bug.cgi?id=141173
3270
3271         Reviewed by Timothy Hatcher.
3272
3273         * inspector/protocol/Runtime.json:
3274         New type, "symbol".
3275
3276         * inspector/InjectedScriptSource.js:
3277         Handle Symbol objects in a few places. They don't have properties
3278         and they cannot be implicitly converted to strings.
3279
3280 2015-02-04  Mark Lam  <mark.lam@apple.com>
3281
3282         Undo gardening: Restoring the expected ERROR message since that is not the cause of the bot unhappiness.
3283
3284         Not reviewed.
3285
3286         * heap/MachineStackMarker.cpp:
3287         (JSC::MachineThreads::tryCopyOtherThreadStacks):
3288
3289 2015-02-04  Mark Lam  <mark.lam@apple.com>
3290
3291         Gardening: Changed expected ERROR message to WARNING to make test bots happy.
3292
3293         Rubber stamped by Simon Fraser.
3294
3295         * heap/MachineStackMarker.cpp:
3296         (JSC::MachineThreads::tryCopyOtherThreadStacks):
3297
3298 2015-02-04  Mark Lam  <mark.lam@apple.com>
3299
3300         r179576 introduced a deadlock potential during GC thread suspension.
3301         <https://webkit.org/b/141268>
3302
3303         Reviewed by Michael Saboff.
3304
3305         http://trac.webkit.org/r179576 introduced a potential for deadlocking.
3306         In the GC thread suspension loop, we currently delete
3307         MachineThreads::Thread that we detect to be invalid.  This is unsafe
3308         because we may have already suspended some threads, and one of those
3309         suspended threads may still be holding the C heap lock which we need
3310         for deleting the invalid thread.
3311
3312         The fix is to put the invalid threads in a separate toBeDeleted list,
3313         and delete them only after GC has resumed all threads.
3314
3315         * heap/MachineStackMarker.cpp:
3316         (JSC::MachineThreads::removeCurrentThread):
3317         - Undo refactoring removeThreadWithLockAlreadyAcquired() out of
3318           removeCurrentThread() since it is no longer needed.
3319
3320         (JSC::MachineThreads::tryCopyOtherThreadStacks):
3321         - Put invalid Threads on a threadsToBeDeleted list, and delete those
3322           Threads only after all threads have been resumed.
3323
3324         (JSC::MachineThreads::removeThreadWithLockAlreadyAcquired): Deleted.
3325         * heap/MachineStackMarker.h:
3326
3327 2015-02-04  Joseph Pecoraro  <pecoraro@apple.com>
3328
3329         Web Inspector: Clean up Object Property Descriptor Collection
3330         https://bugs.webkit.org/show_bug.cgi?id=141222
3331
3332         Reviewed by Timothy Hatcher.
3333
3334         * inspector/InjectedScriptSource.js:
3335         Use a list of options when determining which properties to collect
3336         instead of a few booleans with overlapping responsibilities.
3337
3338 2015-02-04  Joseph Pecoraro  <pecoraro@apple.com>
3339
3340         Web Inspector: console.table with columnName filter for non-existent property should still show column
3341         https://bugs.webkit.org/show_bug.cgi?id=141066
3342
3343         Reviewed by Timothy Hatcher.
3344
3345         * inspector/ConsoleMessage.cpp:
3346         (Inspector::ConsoleMessage::addToFrontend):
3347         When a user provides a second argument, e.g. console.table(..., columnNames),
3348         then pass that second argument to the frontend.
3349
3350         * inspector/InjectedScriptSource.js: