c2e13a966299ceb6313d2312645199966ba5eca8
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-02-28  Joseph Pecoraro  <pecoraro@apple.com>

        Deadlock remotely inspecting iOS Simulator
        https://bugs.webkit.org/show_bug.cgi?id=129511

        Reviewed by Timothy Hatcher.

        Avoid synchronous setup. Do it asynchronously, and let
        the RemoteInspector singleton know later if it failed.

        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::setupFailed):
        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorDebuggableConnection::setup):

2014-02-28  Oliver Hunt  <oliver@apple.com>

        REGRESSION(r164835): It broke 10 JSC stress test on 32 bit platforms
        https://bugs.webkit.org/show_bug.cgi?id=129488

        Reviewed by Mark Lam.

        Whoops, modify the right register.

        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):

2014-02-28  Filip Pizlo  <fpizlo@apple.com>

        FTL should be able to call sin/cos directly on platforms where the intrinsic is busted
        https://bugs.webkit.org/show_bug.cgi?id=129503

        Reviewed by Mark Lam.

        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::doubleSin):
        (JSC::FTL::Output::doubleCos):
        (JSC::FTL::Output::intrinsicOrOperation):

2014-02-28  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fix !ENABLE(GGC) builds

        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::gatherJSStackRoots): Also fix one of the names of the GC phases.

2014-02-27  Mark Hahnenberg  <mhahnenberg@apple.com>

        Clean up Heap::collect and Heap::markRoots
        https://bugs.webkit.org/show_bug.cgi?id=129464

        Reviewed by Geoffrey Garen.

        These functions have built up a lot of cruft recently.
        We should do a bit of cleanup to make them easier to grok.

        * heap/Heap.cpp:
        (JSC::Heap::finalizeUnconditionalFinalizers):
        (JSC::Heap::gatherStackRoots):
        (JSC::Heap::gatherJSStackRoots):
        (JSC::Heap::gatherScratchBufferRoots):
        (JSC::Heap::clearLivenessData):
        (JSC::Heap::visitSmallStrings):
        (JSC::Heap::visitConservativeRoots):
        (JSC::Heap::visitCompilerWorklists):
        (JSC::Heap::markProtectedObjects):
        (JSC::Heap::markTempSortVectors):
        (JSC::Heap::markArgumentBuffers):
        (JSC::Heap::visitException):
        (JSC::Heap::visitStrongHandles):
        (JSC::Heap::visitHandleStack):
        (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
        (JSC::Heap::converge):
        (JSC::Heap::visitWeakHandles):
        (JSC::Heap::clearRememberedSet):
        (JSC::Heap::updateObjectCounts):
        (JSC::Heap::resetVisitors):
        (JSC::Heap::markRoots):
        (JSC::Heap::copyBackingStores):
        (JSC::Heap::deleteUnmarkedCompiledCode):
        (JSC::Heap::collect):
        (JSC::Heap::collectIfNecessaryOrDefer):
        (JSC::Heap::suspendCompilerThreads):
        (JSC::Heap::willStartCollection):
        (JSC::Heap::deleteOldCode):
        (JSC::Heap::flushOldStructureIDTables):
        (JSC::Heap::flushWriteBarrierBuffer):
        (JSC::Heap::stopAllocation):
        (JSC::Heap::reapWeakHandles):
        (JSC::Heap::sweepArrayBuffers):
        (JSC::Heap::snapshotMarkedSpace):
        (JSC::Heap::deleteSourceProviderCaches):
        (JSC::Heap::notifyIncrementalSweeper):
        (JSC::Heap::rememberCurrentlyExecutingCodeBlocks):
        (JSC::Heap::resetAllocators):
        (JSC::Heap::updateAllocationLimits):
        (JSC::Heap::didFinishCollection):
        (JSC::Heap::resumeCompilerThreads):
        * heap/Heap.h:

2014-02-27  Ryosuke Niwa  <rniwa@webkit.org>

        indexOf and lastIndexOf shouldn't resolve ropes when needle is longer than haystack
        https://bugs.webkit.org/show_bug.cgi?id=129466

        Reviewed by Michael Saboff.

        Refactored the code to avoid calling JSString::value when needle is longer than haystack.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncIndexOf):
        (JSC::stringProtoFuncLastIndexOf):

2014-02-27  Timothy Hatcher  <timothy@apple.com>

        Improve how ContentSearchUtilities::lineEndings works by supporting the three common line endings.

        https://bugs.webkit.org/show_bug.cgi?id=129458

        Reviewed by Joseph Pecoraro.

        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::textPositionFromOffset): Remove assumption about line ending length.
        (Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines): Remove assumption about
        line ending type and don't try to strip the line ending. Use size_t.
        (Inspector::ContentSearchUtilities::lineEndings): Use findNextLineStart to find the lines.
        This will include the line ending in the lines, but that is okay.
        (Inspector::ContentSearchUtilities::buildObjectForSearchMatch): Use size_t.
        (Inspector::ContentSearchUtilities::searchInTextByLines): Modernize.
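
An added JavaScript sketch (not WebKit's code) of the behaviour this entry describes: findNextLineStart accepts "\n", "\r\n" and a lone "\r", lineEndings keeps each ending inside its line, and textPositionFromOffset stops assuming a one-character ending. The function names mirror the entry; their bodies and the sample text are assumptions constructed for illustration.

```javascript
// Added example, not WebKit's code: a JavaScript version of the line-splitting
// idea in the ChangeLog entry above. Function names mirror the entry; the
// bodies are assumptions about its behaviour, not copies of it.

// Offset just past the first line ending found at or after `from`.
// Recognises "\n", "\r\n" and a lone "\r"; "\r\n" is one ending, so the
// caller never sees a spurious empty line between "\r" and "\n".
// Returns text.length when no further ending exists.
function findNextLineStart(text, from) {
  for (let i = from; i < text.length; i++) {
    const c = text[i];
    if (c === "\n") return i + 1;
    if (c === "\r") return text[i + 1] === "\n" ? i + 2 : i + 1;
  }
  return text.length;
}

// End offsets of each line, ending included ("This will include the line
// ending in the lines, but that is okay"). A final line without an ending
// still ends at text.length; empty text yields no lines.
function lineEndings(text) {
  const endings = [];
  let start = 0;
  while (start < text.length) {
    const next = findNextLineStart(text, start);
    endings.push(next);
    start = next;
  }
  return endings;
}

// The lines themselves, each keeping its own ending.
function linesWithEndings(text) {
  const endings = lineEndings(text);
  return endings.map((end, i) => text.slice(i === 0 ? 0 : endings[i - 1], end));
}

// Zero-based {line, column} for an absolute offset. Lines are the half-open
// ranges [previousEnding, ending), so no fixed ending length is assumed; an
// offset at or past the last ending maps onto the last line. Binary search,
// because lineEndings() is sorted.
function textPositionFromOffset(offset, endings) {
  let lo = 0;
  let hi = endings.length - 1;
  while (lo < hi) {
    const mid = (lo + hi) >>> 1;
    if (offset < endings[mid]) hi = mid;
    else lo = mid + 1;
  }
  const lineStart = lo === 0 ? 0 : endings[lo - 1];
  return { line: lo, column: offset - lineStart };
}

// Constructed sample mixing all three endings: "ab\r\n", "cd\r", "x\n".
const SAMPLE = "ab\r\ncd\rx\n";
```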

2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>

        [Mac] Warning: Multiple build commands for output file GCSegmentedArray and InspectorAgent
        https://bugs.webkit.org/show_bug.cgi?id=129446

        Reviewed by Timothy Hatcher.

        Remove duplicate header entries in Copy Header build phase.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-02-27  Oliver Hunt  <oliver@apple.com>

        Whoops, include all of last patch.

        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):

2014-02-27  Oliver Hunt  <oliver@apple.com>

        Slow cases for function.apply and function.call should not require vm re-entry
        https://bugs.webkit.org/show_bug.cgi?id=129454

        Reviewed by Geoffrey Garen.

        Implement call and apply using builtins. Happily the use
        of @call and @apply don't perform function equality checks
        and just plant direct var_args calls. This did expose a few
        codegen issues, but they're all covered by existing tests
        once call and apply are implemented in JS.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/Function.prototype.js: Added.
        (call):
        (apply):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * interpreter/Interpreter.cpp:
        (JSC::sizeFrameForVarargs):
        (JSC::loadVarargs):
        * interpreter/Interpreter.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::makeFunctionCallNode):
        * parser/Lexer.cpp:
        (JSC::isSafeBuiltinIdentifier):
        * runtime/CommonIdentifiers.h:
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::addFunctionProperties):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectBuiltinFunction):
        (JSC::JSObject::putDirectBuiltinFunctionWithoutTransition):
        * runtime/JSObject.h:

2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Better name for RemoteInspectorDebuggableConnection dispatch queue
        https://bugs.webkit.org/show_bug.cgi?id=129443

        Reviewed by Timothy Hatcher.

        This queue is specific to the JSContext debuggable connections,
        there is no XPC involved. Give it a better name.

        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):

2014-02-27  David Kilzer  <ddkilzer@apple.com>

        Remove jsc symlink if it already exists

        This is a follow-up fix for:

        Create symlink to /usr/local/bin/jsc during installation
        <http://webkit.org/b/129399>
        <rdar://problem/16168734>

        * JavaScriptCore.xcodeproj/project.pbxproj:
        (Create /usr/local/bin/jsc symlink): If a jsc symlink already
        exists where we're about to create the symlink, remove the old
        one first.

2014-02-27  Michael Saboff  <msaboff@apple.com>

        Unreviewed build fix for Mac tools after r164814

        * Configurations/ToolExecutable.xcconfig:
        - Added JavaScriptCore.framework/PrivateHeaders to ToolExecutable include path.
        * JavaScriptCore.xcodeproj/project.pbxproj:
        - Changed productName to testRegExp for testRegExp target.

2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: JSContext inspection should report exceptions in the console
        https://bugs.webkit.org/show_bug.cgi?id=128776

        Reviewed by Timothy Hatcher.

        When JavaScript API functions have an exception, let the inspector
        know so it can log the JavaScript and Native backtrace that caused
        the exception.

        Include some clean up of ConsoleMessage and ScriptCallStack construction.

        * API/JSBase.cpp:
        (JSEvaluateScript):
        (JSCheckScriptSyntax):
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunction):
        (JSObjectMakeArray):
        (JSObjectMakeDate):
        (JSObjectMakeError):
        (JSObjectMakeRegExp):
        (JSObjectGetProperty):
        (JSObjectSetProperty):
        (JSObjectGetPropertyAtIndex):
        (JSObjectSetPropertyAtIndex):
        (JSObjectDeleteProperty):
        (JSObjectCallAsFunction):
        (JSObjectCallAsConstructor):
        * API/JSValue.mm:
        (reportExceptionToInspector):
        (valueToArray):
        (valueToDictionary):
        * API/JSValueRef.cpp:
        (JSValueIsEqual):
        (JSValueIsInstanceOfConstructor):
        (JSValueCreateJSONString):
        (JSValueToNumber):
        (JSValueToStringCopy):
        (JSValueToObject):
        When seeing an exception, let the inspector know there was an exception.

        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
        (Inspector::JSGlobalObjectInspectorController::reportAPIException):
        Log API exceptions by also grabbing the native backtrace.

        * inspector/ScriptCallStack.h:
        * inspector/ScriptCallStack.cpp:
        (Inspector::ScriptCallStack::firstNonNativeCallFrame):
        (Inspector::ScriptCallStack::append):
        Minor extensions to ScriptCallStack to make it easier to work with.

        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::ConsoleMessage):
        (Inspector::ConsoleMessage::autogenerateMetadata):
        Provide better default information if the first call frame was native.

        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::createScriptCallStack):
        (Inspector::extractSourceInformationFromException):
        (Inspector::createScriptCallStackFromException):
        Perform the handling here of inserting a fake call frame for exceptions
        if there was no call stack (e.g. a SyntaxError) or if the first call
        frame had no information.

        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::ConsoleMessage):
        (Inspector::ConsoleMessage::autogenerateMetadata):
        * inspector/ConsoleMessage.h:
        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::createScriptCallStack):
        (Inspector::createScriptCallStackForConsole):
        * inspector/ScriptCallStackFactory.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::enable):
        (Inspector::InspectorConsoleAgent::addMessageToConsole):
        (Inspector::InspectorConsoleAgent::count):
        * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
        (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
        ConsoleMessage cleanup.

2014-02-27  David Kilzer  <ddkilzer@apple.com>

        Create symlink to /usr/local/bin/jsc during installation
        <http://webkit.org/b/129399>
        <rdar://problem/16168734>

        Reviewed by Dan Bernstein.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        - Add "Create /usr/local/bin/jsc symlink" build phase script to
          create the symlink during installation.

2014-02-27  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>

        Math.{max, min}() must not return after first NaN value
        https://bugs.webkit.org/show_bug.cgi?id=104147

        Reviewed by Oliver Hunt.

        According to the spec, ToNumber is going to be called on each argument
        even if a `NaN` value was already found.

        * runtime/MathObject.cpp:
        (JSC::mathProtoFuncMax):
        (JSC::mathProtoFuncMin):
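
As an added JavaScript illustration (not WebKit's code) of the spec rule this entry relies on: mathMax/mathMin convert every argument before comparing, buggyMax shows the shape the title rules out (returning at the first NaN), and a traced valueOf() makes the difference in ToNumber calls observable. The helper names are assumptions chosen for the example.

```javascript
// Added example, not WebKit's code: the spec rule behind this ChangeLog entry.
// ECMAScript requires Math.max/Math.min to apply ToNumber to every argument,
// so an argument after a NaN must still have its valueOf() called. Helper
// names below (mathMax, buggyMax, ...) are assumptions for illustration.

// Spec order: convert all arguments first (side effects happen here, in
// argument order), then compare. +0 beats -0 for max, -0 beats +0 for min.
function mathMax(...args) {
  const numbers = args.map(Number); // ToNumber on each argument, in order
  let result = -Infinity;
  for (const n of numbers) {
    if (Number.isNaN(n)) return NaN; // safe: every conversion already ran
    if (n > result || (n === result && Object.is(result, -0))) result = n;
  }
  return result;
}

function mathMin(...args) {
  const numbers = args.map(Number);
  let result = Infinity;
  for (const n of numbers) {
    if (Number.isNaN(n)) return NaN;
    if (n < result || (n === result && Object.is(n, -0))) result = n;
  }
  return result;
}

// The pre-fix shape the entry's title describes: convert lazily and return at
// the first NaN, so later arguments never get ToNumber applied.
function buggyMax(...args) {
  let result = -Infinity;
  for (const arg of args) {
    const n = Number(arg);
    if (Number.isNaN(n)) return NaN; // bails before converting the rest
    if (n > result) result = n;
  }
  return result;
}

// An object whose ToNumber conversion leaves a trace in `log`.
function tracedValue(label, value, log) {
  return { valueOf() { log.push(label); return value; } };
}

// Run fn over traced wrappers of `values` (constructed inputs) and report
// both the result and which arguments were actually converted.
function observeConversions(fn, values) {
  const log = [];
  const args = values.map((v, i) => tracedValue("arg" + i, v, log));
  return { result: fn(...args), log };
}
```

Running observeConversions with the engine's own Math.max alongside mathMax and buggyMax shows which of the three converts every argument.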

2014-02-27  Gergo Balogh  <gbalogh.u-szeged@partner.samsung.com>

        JSType upper limit (0xff) assertion can be removed.
        https://bugs.webkit.org/show_bug.cgi?id=129424

        Reviewed by Geoffrey Garen.

        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::TypeInfo):

2014-02-26  Michael Saboff  <msaboff@apple.com>

        Auto generate bytecode information for bytecode parser and LLInt
        https://bugs.webkit.org/show_bug.cgi?id=129181

        Reviewed by Mark Lam.

        Added new bytecode/BytecodeList.json that contains a list of bytecodes and related
        helpers.  It also includes bytecode length and other information used to generate files.
        Added a new generator, generate-bytecode-files that generates Bytecodes.h and InitBytecodes.asm
        in DerivedSources/JavaScriptCore/.

        Added the generation of these files to the "DerivedSource" build step.
        Slightly changed the build order, since the Bytecodes.h file is needed by
        JSCLLIntOffsetsExtractor.  Moved the offline assembly to a separate step since it needs
        to be run after JSCLLIntOffsetsExtractor.

        Made related changes to OPCODE macros and their use.

        Added JavaScriptCore.framework/PrivateHeaders to header file search path for building
        jsc to resolve Mac build issue.

        * CMakeLists.txt:
        * Configurations/JSC.xcconfig:
        * DerivedSources.make:
        * GNUmakefile.am:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.vcxproj/copy-files.cmd:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * llint/LLIntCLoop.cpp:
        (JSC::LLInt::CLoop::initialize):
        * llint/LLIntCLoop.h:
        * llint/LLIntData.cpp:
        (JSC::LLInt::initialize):
        * llint/LLIntOpcode.h:
        * llint/LowLevelInterpreter.asm:

2014-02-27  Julien Brianceau  <jbriance@cisco.com>

        Fix 32-bit V_JITOperation_EJ callOperation introduced in r162652.
        https://bugs.webkit.org/show_bug.cgi?id=129420

        Reviewed by Geoffrey Garen.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation): Payload and tag are swapped.
        Also, EABI_32BIT_DUMMY_ARG is missing for arm EABI and mips.

2014-02-27  Filip Pizlo  <fpizlo@apple.com>

        Octane/closure thrashes between flattening dictionaries during global object initialization in a global eval
        https://bugs.webkit.org/show_bug.cgi?id=129435

        Reviewed by Oliver Hunt.

        This is a 5-10% speed-up on Octane/closure.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionClearCodeCache):
        * runtime/BatchedTransitionOptimizer.h:
        (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
        (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):

2014-02-27  Alexey Proskuryakov  <ap@apple.com>

        Added svn:ignore to two directories, so that .pyc files don't show up as unversioned.

        * inspector/scripts: Added property svn:ignore.
        * replay/scripts: Added property svn:ignore.

2014-02-27  Gabor Rapcsanyi  <rgabor@webkit.org>

        r164764 broke the ARM build
        https://bugs.webkit.org/show_bug.cgi?id=129415

        Reviewed by Zoltan Herczeg.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::moveWithPatch): Change reinterpret_cast to static_cast.
        (JSC::MacroAssemblerARM::canJumpReplacePatchableBranch32WithPatch): Add missing function.
        (JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress): Add missing function.
        (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch): Add missing function.

2014-02-27  Mark Hahnenberg  <mhahnenberg@apple.com>

        r164764 broke the ARM build
        https://bugs.webkit.org/show_bug.cgi?id=129415

        Reviewed by Geoffrey Garen.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::moveWithPatch):

2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>

        r164764 broke the ARM build
        https://bugs.webkit.org/show_bug.cgi?id=129415

        Reviewed by Geoffrey Garen.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::branch32WithPatch): Missing this function.

2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>

        EFL build fix

        * dfg/DFGSpeculativeJIT32_64.cpp: Remove unused variables.
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):

2014-02-25  Mark Hahnenberg  <mhahnenberg@apple.com>

        Make JSCells have 32-bit Structure pointers
        https://bugs.webkit.org/show_bug.cgi?id=123195

        Reviewed by Filip Pizlo.

        This patch changes JSCells such that they no longer have a full 64-bit Structure
        pointer in their header. Instead they now have a 32-bit index into
        a per-VM table of Structure pointers. 32-bit platforms still use normal Structure
        pointers.

        This change frees up an additional 32 bits of information in our object headers.
        We then use this extra space to store the indexing type of the object, the JSType
        of the object, some various type flags, and garbage collection data (e.g. mark bit).
        Because this inline type information is now faster to read, it pays for the slowdown
        incurred by having to perform an extra indirection through the StructureIDTable.

        This patch also threads a reference to the current VM through more of the C++ runtime
        to offset the cost of having to look up the VM to get the actual Structure pointer.

        * API/JSContext.mm:
        (-[JSContext setException:]):
        (-[JSContext wrapperForObjCObject:]):
        (-[JSContext wrapperForJSObject:]):
        * API/JSContextRef.cpp:
        (JSContextGroupRelease):
        (JSGlobalContextRelease):
        * API/JSObjectRef.cpp:
        (JSObjectIsFunction):
        (JSObjectCopyPropertyNames):
        * API/JSValue.mm:
        (containerValueToObject):
        * API/JSWrapperMap.mm:
        (tryUnwrapObjcObject):
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::patchableBranch32WithPatch):
        (JSC::MacroAssembler::patchableBranch32):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::branchPtrWithPatch):
        (JSC::MacroAssemblerARM64::patchableBranch32WithPatch):
        (JSC::MacroAssemblerARM64::canJumpReplacePatchableBranch32WithPatch):
        (JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::store8):
        (JSC::MacroAssemblerARMv7::branch32WithPatch):
        (JSC::MacroAssemblerARMv7::patchableBranch32WithPatch):
        (JSC::MacroAssemblerARMv7::canJumpReplacePatchableBranch32WithPatch):
        (JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::branch32WithPatch):
        (JSC::MacroAssemblerX86::canJumpReplacePatchableBranch32WithPatch):
        (JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::store32):
        (JSC::MacroAssemblerX86_64::moveWithPatch):
        (JSC::MacroAssemblerX86_64::branch32WithPatch):
        (JSC::MacroAssemblerX86_64::canJumpReplacePatchableBranch32WithPatch):
        (JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister):
        (JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch):
        * assembler/RepatchBuffer.h:
        (JSC::RepatchBuffer::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::RepatchBuffer::revertJumpReplacementToPatchableBranch32WithPatch):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::revertJumpTo_movq_i64r):
        (JSC::X86Assembler::revertJumpTo_movl_i32r):
        * bytecode/ArrayProfile.cpp:
        (JSC::ArrayProfile::computeUpdatedPrediction):
        * bytecode/ArrayProfile.h:
        (JSC::ArrayProfile::ArrayProfile):
        (JSC::ArrayProfile::addressOfLastSeenStructureID):
        (JSC::ArrayProfile::observeStructure):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::heap):
        * bytecode/UnlinkedCodeBlock.h:
        * debugger/Debugger.h:
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGArrayifySlowPathGenerator.h:
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::branchWeakStructure):
        (JSC::DFG::JITCompiler::branchStructurePtr):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::osrWriteBarrier):
        (JSC::DFG::adjustAndJumpToTarget):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByVal):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::arrayify):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
        (JSC::DFG::SpeculativeJIT::compileInstanceOf):
        (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
        (JSC::DFG::SpeculativeJIT::speculateObject):
        (JSC::DFG::SpeculativeJIT::speculateFinalObject):
        (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
        (JSC::DFG::SpeculativeJIT::speculateString):
        (JSC::DFG::SpeculativeJIT::speculateStringObject):
        (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
        (JSC::DFG::SpeculativeJIT::emitSwitchChar):
        (JSC::DFG::SpeculativeJIT::emitSwitchString):
        (JSC::DFG::SpeculativeJIT::genericWriteBarrier):
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
        (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGWorklist.cpp:
        * ftl/FTLAbstractHeapRepository.cpp:
        (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
        (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
        (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
        (JSC::FTL::LowerDFGToLLVM::compileToString):
        (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
        (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
        (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
        (JSC::FTL::LowerDFGToLLVM::allocateCell):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::isObject):
        (JSC::FTL::LowerDFGToLLVM::isString):
        (JSC::FTL::LowerDFGToLLVM::isArrayType):
        (JSC::FTL::LowerDFGToLLVM::hasClassInfo):
        (JSC::FTL::LowerDFGToLLVM::isType):
        (JSC::FTL::LowerDFGToLLVM::speculateStringOrStringObject):
        (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForCell):
        (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
        (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
        (JSC::FTL::LowerDFGToLLVM::loadMarkByte):
        (JSC::FTL::LowerDFGToLLVM::loadStructure):
        (JSC::FTL::LowerDFGToLLVM::weakStructure):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::store8):
        * heap/GCAssertions.h:
        * heap/Heap.cpp:
        (JSC::Heap::getConservativeRegisterRoots):
        (JSC::Heap::collect):
        (JSC::Heap::writeBarrier):
        * heap/Heap.h:
        (JSC::Heap::structureIDTable):
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::forEachBlock):
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::internalAppend):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::branchIfCellNotObject):
        (JSC::AssemblyHelpers::genericWriteBarrier):
        (JSC::AssemblyHelpers::emitLoadStructure):
        (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        (JSC::JIT::privateCompileClosureCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emit_op_ret_object_or_this):
        (JSC::JIT::compileOpCall):
        (JSC::JIT::privateCompileClosureCall):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::generateFastPathChecks):
        * jit/JITInlineCacheGenerator.h:
        * jit/JITInlines.h:
        (JSC::JIT::emitLoadCharacterString):
        (JSC::JIT::checkStructure):
        (JSC::JIT::emitJumpIfCellNotObject):
        (JSC::JIT::emitAllocateJSObject):
        (JSC::JIT::emitArrayProfilingSiteWithCell):
        (JSC::JIT::emitArrayProfilingSiteForBytecodeIndexWithCell):
        (JSC::JIT::branchStructure):
        (JSC::branchStructure):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_check_has_instance):
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emit_op_is_undefined):
        (JSC::JIT::emit_op_is_string):
        (JSC::JIT::emit_op_ret_object_or_this):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_next_pname):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        (JSC::JIT::emit_op_to_this):
        (JSC::JIT::emitSlow_op_to_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_check_has_instance):
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emit_op_is_undefined):
        (JSC::JIT::emit_op_is_string):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::emitSlow_op_eq):
        (JSC::JIT::emitSlow_op_neq):
        (JSC::JIT::compileOpStrictEq):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_next_pname):
        (JSC::JIT::emit_op_to_this):
        * jit/JITOperations.cpp:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_get_by_pname):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emitLoadWithStructureCheck):
        (JSC::JIT::emitSlow_op_get_from_scope):
        (JSC::JIT::emitSlow_op_put_to_scope):
        (JSC::JIT::checkMarkWord):
        (JSC::JIT::emitWriteBarrier):
        (JSC::JIT::addStructureTransitionCheck):
        (JSC::JIT::emitIntTypedArrayGetByVal):
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        (JSC::JIT::emitIntTypedArrayPutByVal):
        (JSC::JIT::emitFloatTypedArrayPutByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_get_by_pname):
        (JSC::JIT::emitLoadWithStructureCheck):
        * jit/JSInterfaceJIT.h:
        (JSC::JSInterfaceJIT::emitJumpIfNotType):
        * jit/Repatch.cpp:
        (JSC::repatchByIdSelfAccess):
        (JSC::addStructureTransitionCheck):
        (JSC::replaceWithJump):
        (JSC::generateProtoChainAccessStub):
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        (JSC::writeBarrier):
        (JSC::emitPutReplaceStub):
        (JSC::emitPutTransitionStub):
        (JSC::tryBuildPutByIdList):
        (JSC::tryRepatchIn):
        (JSC::linkClosureCall):
        (JSC::resetGetByID):
        (JSC::resetPutByID):
        * jit/SpecializedThunkJIT.h:
749         (JSC::SpecializedThunkJIT::loadJSStringArgument):
750         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
751         * jit/ThunkGenerators.cpp:
752         (JSC::virtualForThunkGenerator):
753         (JSC::arrayIteratorNextThunkGenerator):
754         * jit/UnusedPointer.h:
755         * llint/LowLevelInterpreter.asm:
756         * llint/LowLevelInterpreter32_64.asm:
757         * llint/LowLevelInterpreter64.asm:
758         * runtime/Arguments.cpp:
759         (JSC::Arguments::createStrictModeCallerIfNecessary):
760         (JSC::Arguments::createStrictModeCalleeIfNecessary):
761         * runtime/Arguments.h:
762         (JSC::Arguments::createStructure):
763         * runtime/ArrayPrototype.cpp:
764         (JSC::shift):
765         (JSC::unshift):
766         (JSC::arrayProtoFuncToString):
767         (JSC::arrayProtoFuncPop):
768         (JSC::arrayProtoFuncReverse):
769         (JSC::performSlowSort):
770         (JSC::arrayProtoFuncSort):
771         (JSC::arrayProtoFuncSplice):
772         (JSC::arrayProtoFuncUnShift):
773         * runtime/CommonSlowPaths.cpp:
774         (JSC::SLOW_PATH_DECL):
775         * runtime/Executable.h:
776         (JSC::ExecutableBase::isFunctionExecutable):
777         (JSC::ExecutableBase::clearCodeVirtual):
778         (JSC::ScriptExecutable::unlinkCalls):
779         * runtime/GetterSetter.cpp:
780         (JSC::callGetter):
781         (JSC::callSetter):
782         * runtime/InitializeThreading.cpp:
783         * runtime/JSArray.cpp:
784         (JSC::JSArray::unshiftCountSlowCase):
785         (JSC::JSArray::setLength):
786         (JSC::JSArray::pop):
787         (JSC::JSArray::push):
788         (JSC::JSArray::shiftCountWithArrayStorage):
789         (JSC::JSArray::shiftCountWithAnyIndexingType):
790         (JSC::JSArray::unshiftCountWithArrayStorage):
791         (JSC::JSArray::unshiftCountWithAnyIndexingType):
792         (JSC::JSArray::sortNumericVector):
793         (JSC::JSArray::sortNumeric):
794         (JSC::JSArray::sortCompactedVector):
795         (JSC::JSArray::sort):
796         (JSC::JSArray::sortVector):
797         (JSC::JSArray::fillArgList):
798         (JSC::JSArray::copyToArguments):
799         (JSC::JSArray::compactForSorting):
800         * runtime/JSCJSValueInlines.h:
801         (JSC::JSValue::toThis):
802         (JSC::JSValue::put):
803         (JSC::JSValue::putByIndex):
804         (JSC::JSValue::equalSlowCaseInline):
805         * runtime/JSCell.cpp:
806         (JSC::JSCell::put):
807         (JSC::JSCell::putByIndex):
808         (JSC::JSCell::deleteProperty):
809         (JSC::JSCell::deletePropertyByIndex):
810         * runtime/JSCell.h:
811         (JSC::JSCell::clearStructure):
812         (JSC::JSCell::mark):
813         (JSC::JSCell::isMarked):
814         (JSC::JSCell::structureIDOffset):
815         (JSC::JSCell::typeInfoFlagsOffset):
816         (JSC::JSCell::typeInfoTypeOffset):
817         (JSC::JSCell::indexingTypeOffset):
818         (JSC::JSCell::gcDataOffset):
819         * runtime/JSCellInlines.h:
820         (JSC::JSCell::JSCell):
821         (JSC::JSCell::finishCreation):
822         (JSC::JSCell::type):
823         (JSC::JSCell::indexingType):
824         (JSC::JSCell::structure):
825         (JSC::JSCell::visitChildren):
826         (JSC::JSCell::isObject):
827         (JSC::JSCell::isString):
828         (JSC::JSCell::isGetterSetter):
829         (JSC::JSCell::isProxy):
830         (JSC::JSCell::isAPIValueWrapper):
831         (JSC::JSCell::setStructure):
832         (JSC::JSCell::methodTable):
833         (JSC::Heap::writeBarrier):
834         * runtime/JSDataView.cpp:
835         (JSC::JSDataView::createStructure):
836         * runtime/JSDestructibleObject.h:
837         (JSC::JSCell::classInfo):
838         * runtime/JSFunction.cpp:
839         (JSC::JSFunction::getOwnNonIndexPropertyNames):
840         (JSC::JSFunction::put):
841         (JSC::JSFunction::defineOwnProperty):
842         * runtime/JSGenericTypedArrayView.h:
843         (JSC::JSGenericTypedArrayView::createStructure):
844         * runtime/JSObject.cpp:
845         (JSC::getCallableObjectSlow):
846         (JSC::JSObject::copyButterfly):
847         (JSC::JSObject::visitButterfly):
848         (JSC::JSFinalObject::visitChildren):
849         (JSC::JSObject::getOwnPropertySlotByIndex):
850         (JSC::JSObject::put):
851         (JSC::JSObject::putByIndex):
852         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
853         (JSC::JSObject::enterDictionaryIndexingMode):
854         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
855         (JSC::JSObject::createInitialIndexedStorage):
856         (JSC::JSObject::createInitialUndecided):
857         (JSC::JSObject::createInitialInt32):
858         (JSC::JSObject::createInitialDouble):
859         (JSC::JSObject::createInitialContiguous):
860         (JSC::JSObject::createArrayStorage):
861         (JSC::JSObject::convertUndecidedToInt32):
862         (JSC::JSObject::convertUndecidedToDouble):
863         (JSC::JSObject::convertUndecidedToContiguous):
864         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
865         (JSC::JSObject::convertUndecidedToArrayStorage):
866         (JSC::JSObject::convertInt32ToDouble):
867         (JSC::JSObject::convertInt32ToContiguous):
868         (JSC::JSObject::convertInt32ToArrayStorage):
869         (JSC::JSObject::genericConvertDoubleToContiguous):
870         (JSC::JSObject::convertDoubleToArrayStorage):
871         (JSC::JSObject::convertContiguousToArrayStorage):
872         (JSC::JSObject::ensureInt32Slow):
873         (JSC::JSObject::ensureDoubleSlow):
874         (JSC::JSObject::ensureContiguousSlow):
875         (JSC::JSObject::ensureArrayStorageSlow):
876         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
877         (JSC::JSObject::switchToSlowPutArrayStorage):
878         (JSC::JSObject::setPrototype):
879         (JSC::JSObject::setPrototypeWithCycleCheck):
880         (JSC::JSObject::putDirectNonIndexAccessor):
881         (JSC::JSObject::deleteProperty):
882         (JSC::JSObject::hasOwnProperty):
883         (JSC::JSObject::deletePropertyByIndex):
884         (JSC::JSObject::getPrimitiveNumber):
885         (JSC::JSObject::hasInstance):
886         (JSC::JSObject::getPropertySpecificValue):
887         (JSC::JSObject::getPropertyNames):
888         (JSC::JSObject::getOwnPropertyNames):
889         (JSC::JSObject::getOwnNonIndexPropertyNames):
890         (JSC::JSObject::seal):
891         (JSC::JSObject::freeze):
892         (JSC::JSObject::preventExtensions):
893         (JSC::JSObject::reifyStaticFunctionsForDelete):
894         (JSC::JSObject::removeDirect):
895         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
896         (JSC::JSObject::putByIndexBeyondVectorLength):
897         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
898         (JSC::JSObject::putDirectIndexBeyondVectorLength):
899         (JSC::JSObject::getNewVectorLength):
900         (JSC::JSObject::countElements):
901         (JSC::JSObject::increaseVectorLength):
902         (JSC::JSObject::ensureLengthSlow):
903         (JSC::JSObject::growOutOfLineStorage):
904         (JSC::JSObject::getOwnPropertyDescriptor):
905         (JSC::putDescriptor):
906         (JSC::JSObject::defineOwnNonIndexProperty):
907         * runtime/JSObject.h:
908         (JSC::getJSFunction):
909         (JSC::JSObject::getArrayLength):
910         (JSC::JSObject::getVectorLength):
911         (JSC::JSObject::putByIndexInline):
912         (JSC::JSObject::canGetIndexQuickly):
913         (JSC::JSObject::getIndexQuickly):
914         (JSC::JSObject::tryGetIndexQuickly):
915         (JSC::JSObject::getDirectIndex):
916         (JSC::JSObject::canSetIndexQuickly):
917         (JSC::JSObject::canSetIndexQuicklyForPutDirect):
918         (JSC::JSObject::setIndexQuickly):
919         (JSC::JSObject::initializeIndex):
920         (JSC::JSObject::hasSparseMap):
921         (JSC::JSObject::inSparseIndexingMode):
922         (JSC::JSObject::getDirect):
923         (JSC::JSObject::getDirectOffset):
924         (JSC::JSObject::isSealed):
925         (JSC::JSObject::isFrozen):
926         (JSC::JSObject::flattenDictionaryObject):
927         (JSC::JSObject::ensureInt32):
928         (JSC::JSObject::ensureDouble):
929         (JSC::JSObject::ensureContiguous):
930         (JSC::JSObject::rageEnsureContiguous):
931         (JSC::JSObject::ensureArrayStorage):
932         (JSC::JSObject::arrayStorage):
933         (JSC::JSObject::arrayStorageOrNull):
934         (JSC::JSObject::ensureLength):
935         (JSC::JSObject::currentIndexingData):
936         (JSC::JSObject::getHolyIndexQuickly):
937         (JSC::JSObject::currentRelevantLength):
938         (JSC::JSObject::isGlobalObject):
939         (JSC::JSObject::isVariableObject):
940         (JSC::JSObject::isStaticScopeObject):
941         (JSC::JSObject::isNameScopeObject):
942         (JSC::JSObject::isActivationObject):
943         (JSC::JSObject::isErrorInstance):
944         (JSC::JSObject::inlineGetOwnPropertySlot):
945         (JSC::JSObject::fastGetOwnPropertySlot):
946         (JSC::JSObject::getPropertySlot):
947         (JSC::JSObject::putDirectInternal):
948         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
949         * runtime/JSPropertyNameIterator.h:
950         (JSC::JSPropertyNameIterator::createStructure):
951         * runtime/JSProxy.cpp:
952         (JSC::JSProxy::getOwnPropertySlot):
953         (JSC::JSProxy::getOwnPropertySlotByIndex):
954         (JSC::JSProxy::put):
955         (JSC::JSProxy::putByIndex):
956         (JSC::JSProxy::defineOwnProperty):
957         (JSC::JSProxy::deleteProperty):
958         (JSC::JSProxy::deletePropertyByIndex):
959         (JSC::JSProxy::getPropertyNames):
960         (JSC::JSProxy::getOwnPropertyNames):
961         * runtime/JSScope.cpp:
962         (JSC::JSScope::objectAtScope):
963         * runtime/JSString.h:
964         (JSC::JSString::createStructure):
965         (JSC::isJSString):
966         * runtime/JSType.h:
967         * runtime/JSTypeInfo.h:
968         (JSC::TypeInfo::TypeInfo):
969         (JSC::TypeInfo::isObject):
970         (JSC::TypeInfo::structureIsImmortal):
971         (JSC::TypeInfo::zeroedGCDataOffset):
972         (JSC::TypeInfo::inlineTypeFlags):
973         * runtime/MapData.h:
974         * runtime/ObjectConstructor.cpp:
975         (JSC::objectConstructorGetOwnPropertyNames):
976         (JSC::objectConstructorKeys):
977         (JSC::objectConstructorDefineProperty):
978         (JSC::defineProperties):
979         (JSC::objectConstructorSeal):
980         (JSC::objectConstructorFreeze):
981         (JSC::objectConstructorIsSealed):
982         (JSC::objectConstructorIsFrozen):
983         * runtime/ObjectPrototype.cpp:
984         (JSC::objectProtoFuncDefineGetter):
985         (JSC::objectProtoFuncDefineSetter):
986         (JSC::objectProtoFuncToString):
987         * runtime/Operations.cpp:
988         (JSC::jsTypeStringForValue):
989         (JSC::jsIsObjectType):
990         * runtime/Operations.h:
991         (JSC::normalizePrototypeChainForChainAccess):
992         (JSC::normalizePrototypeChain):
993         * runtime/PropertyMapHashTable.h:
994         (JSC::PropertyTable::createStructure):
995         * runtime/RegExp.h:
996         (JSC::RegExp::createStructure):
997         * runtime/SparseArrayValueMap.h:
998         * runtime/Structure.cpp:
999         (JSC::Structure::Structure):
1000         (JSC::Structure::~Structure):
1001         (JSC::Structure::prototypeChainMayInterceptStoreTo):
1002         * runtime/Structure.h:
1003         (JSC::Structure::id):
1004         (JSC::Structure::idBlob):
1005         (JSC::Structure::objectInitializationFields):
1006         (JSC::Structure::structureIDOffset):
1007         * runtime/StructureChain.h:
1008         (JSC::StructureChain::createStructure):
1009         * runtime/StructureIDTable.cpp: Added.
1010         (JSC::StructureIDTable::StructureIDTable):
1011         (JSC::StructureIDTable::~StructureIDTable):
1012         (JSC::StructureIDTable::resize):
1013         (JSC::StructureIDTable::flushOldTables):
1014         (JSC::StructureIDTable::allocateID):
1015         (JSC::StructureIDTable::deallocateID):
1016         * runtime/StructureIDTable.h: Added.
1017         (JSC::StructureIDTable::base):
1018         (JSC::StructureIDTable::get):
1019         * runtime/SymbolTable.h:
1020         * runtime/TypedArrayType.cpp:
1021         (JSC::typeForTypedArrayType):
1022         * runtime/TypedArrayType.h:
1023         * runtime/WeakMapData.h:
1024
1025 2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>
1026
1027         Unconditional logging in compileFTLOSRExit
1028         https://bugs.webkit.org/show_bug.cgi?id=129407
1029
1030         Reviewed by Michael Saboff.
1031
1032         This was causing tests to fail with the FTL enabled.
1033
1034         * ftl/FTLOSRExitCompiler.cpp:
1035         (JSC::FTL::compileFTLOSRExit):
1036
1037 2014-02-26  Oliver Hunt  <oliver@apple.com>
1038
1039         Remove unused access types
1040         https://bugs.webkit.org/show_bug.cgi?id=129385
1041
1042         Reviewed by Filip Pizlo.
1043
1044         Remove unused cruft.
1045
1046         * bytecode/CodeBlock.cpp:
1047         (JSC::CodeBlock::printGetByIdCacheStatus):
1048         * bytecode/StructureStubInfo.cpp:
1049         (JSC::StructureStubInfo::deref):
1050         * bytecode/StructureStubInfo.h:
1051         (JSC::isGetByIdAccess):
1052         (JSC::isPutByIdAccess):
1053
1054 2014-02-26  Oliver Hunt  <oliver@apple.com>
1055
1056         Function.prototype.apply has a bad time with the spread operator
1057         https://bugs.webkit.org/show_bug.cgi?id=129381
1058
1059         Reviewed by Mark Hahnenberg.
1060
1061         Make sure our apply logic handles the spread operator correctly.
1062         To do this we simply emit the enumeration logic that we'd normally
1063         use for other enumerations, but only store the first two results
1064         to registers.  Then perform a varargs call.
1065
1066         * bytecompiler/NodesCodegen.cpp:
1067         (JSC::ApplyFunctionCallDotNode::emitBytecode):
1068
1069 2014-02-26  Mark Lam  <mark.lam@apple.com>
1070
1071         Compilation policy management belongs in operationOptimize(), not the DFG Driver.
1072         <https://webkit.org/b/129355>
1073
1074         Reviewed by Filip Pizlo.
1075
1076         By compilation policy, I mean the rules for determining whether to
1077         compile, when to compile, when to attempt compilation again, etc.  The
1078         few of these policy decisions that were previously being made in the
1079         DFG driver are now moved to operationOptimize() where we keep the rest
1080         of the policy logic.  Decisions that are based on the capabilities
1081         supported by the DFG are moved to DFG capabilityLevel().
1082
1083         I've run the following benchmarks:
1084         1. the collection of jsc benchmarks on the jsc executable vs. its
1085            baseline.
1086         2. Octane 2.0 in browser without the WebInspector.
1087         3. Octane 2.0 in browser with the WebInspector open and a breakpoint
1088            set somewhere where it won't break.
1089
1090         In all of these, the results came out to be a wash as expected.
1091
1092         * dfg/DFGCapabilities.cpp:
1093         (JSC::DFG::isSupported):
1094         (JSC::DFG::mightCompileEval):
1095         (JSC::DFG::mightCompileProgram):
1096         (JSC::DFG::mightCompileFunctionForCall):
1097         (JSC::DFG::mightCompileFunctionForConstruct):
1098         (JSC::DFG::mightInlineFunctionForCall):
1099         (JSC::DFG::mightInlineFunctionForClosureCall):
1100         (JSC::DFG::mightInlineFunctionForConstruct):
1101         * dfg/DFGCapabilities.h:
1102         * dfg/DFGDriver.cpp:
1103         (JSC::DFG::compileImpl):
1104         * jit/JITOperations.cpp:
1105
1106 2014-02-26  Mark Lam  <mark.lam@apple.com>
1107
1108         ASSERTION FAILED: m_heap->vm()->currentThreadIsHoldingAPILock() in inspector-protocol/*.
1109         <https://webkit.org/b/129364>
1110
1111         Reviewed by Alexey Proskuryakov.
1112
1113         InjectedScriptModule::ensureInjected() needs an APIEntryShim.
1114
1115         * inspector/InjectedScriptModule.cpp:
1116         (Inspector::InjectedScriptModule::ensureInjected):
1117         - Added the needed but missing APIEntryShim.
1118
1119 2014-02-25  Mark Lam  <mark.lam@apple.com>
1120
1121         Web Inspector: CRASH when evaluating in console of JSContext RWI with disabled breakpoints.
1122         <https://webkit.org/b/128766>
1123
1124         Reviewed by Geoffrey Garen.
1125
1126         Make the JSLock::grabAllLocks() work the same way as for the C loop LLINT.
1127         The reasoning is that we don't know of any clients that need unordered
1128         re-entry into the VM from different threads. So, we're enforcing ordered
1129         re-entry, i.e. we must re-grab locks in the reverse order of dropping locks.
1130
1131         The crash in this bug happened because we were allowing unordered re-entry,
1132         and the following type of scenario occurred:
1133
1134         1. Thread T1 locks the VM, and enters the VM to execute some JS code.
1135         2. On entry, T1 detects that VM::m_entryScope is null, i.e. this is the
1136            first time it entered the VM.
1137            T1 sets VM::m_entryScope to T1's entryScope.
1138         3. T1 drops all locks.
1139
1140         4. Thread T2 locks the VM, and enters the VM to execute some JS code.
1141            On entry, T2 sees that VM::m_entryScope is NOT null, and therefore
1142            does not set the entryScope.
1143         5. T2 drops all locks.
1144
1145         6. T1 re-grabs locks.
1146         7. T1 returns all the way out of JS code. On exit from the outermost
1147            JS function, T1 clears VM::m_entryScope (because T1 was the one who
1148            set it).
1149         8. T1 unlocks the VM.
1150
1151         9. T2 re-grabs locks.
1152         10. T2 proceeds to execute some code and expects VM::m_entryScope to be
1153             NOT null, but it turns out to be null. Assertion failures and
1154             crashes ensue.
1155
1156         With ordered re-entry, at step 6, T1 will loop and yield until T2 exits
1157         the VM. Hence, the issue will no longer manifest.
1158
1159         * runtime/JSLock.cpp:
1160         (JSC::JSLock::dropAllLocks):
1161         (JSC::JSLock::grabAllLocks):
1162         * runtime/JSLock.h:
1163         (JSC::JSLock::DropAllLocks::dropDepth):
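
        The ten-step race above, replayed against a minimal model of the ordered
        re-entry rule. This is an added illustration, not WebKit's JSLock and not
        part of this ChangeLog: the "threads" are plain integer ids, the
        interleaving is replayed by hand so the result is deterministic, and the
        names (VmLockModel, tryGrabAllLocks, t2ResumesWithNullEntryScope) are this
        example's own. The same steps run once with unordered re-entry, where T2
        resumes to a null entry scope, and once with the drop-depth check that
        makes T1 yield at step 6 until T2 has left the VM.

```cpp
#include <cassert>
#include <cstdio>

// Added model of the ordered re-entry rule, not JavaScriptCore's JSLock.
// dropAllLocks() hands back a drop depth; with ordered re-entry a thread may
// only re-grab when that depth is the lock's current depth, i.e. locks are
// re-grabbed in the reverse order they were dropped.

enum { kNobody = 0, kT1 = 1, kT2 = 2 };

class VmLockModel {
public:
    explicit VmLockModel(bool ordered) : m_ordered(ordered) {}

    void lock(int thread) { assert(m_owner == kNobody); m_owner = thread; }
    void unlock(int thread) { assert(m_owner == thread); m_owner = kNobody; }

    // Entering the VM: the first thread in records itself as the entry scope.
    void enter(int thread) {
        assert(m_owner == thread);
        if (m_entryScope == kNobody)
            m_entryScope = thread;
    }

    // Leaving the VM: only the thread that set the entry scope clears it.
    void exit(int thread) {
        assert(m_owner == thread);
        if (m_entryScope == thread)
            m_entryScope = kNobody;
    }

    // Releases the VM and returns the depth the caller must present later.
    unsigned dropAllLocks(int thread) {
        assert(m_owner == thread);
        m_owner = kNobody;
        return ++m_lockDropDepth;
    }

    // Returns false when the caller must yield and retry: another thread holds
    // the VM or, with ordered re-entry, a later dropper has not re-grabbed yet.
    bool tryGrabAllLocks(int thread, unsigned dropDepth) {
        if (m_owner != kNobody)
            return false;
        if (m_ordered && dropDepth != m_lockDropDepth)
            return false;
        --m_lockDropDepth;
        m_owner = thread;
        return true;
    }

    bool hasEntryScope() const { return m_entryScope != kNobody; }
    unsigned lockDropDepth() const { return m_lockDropDepth; }

private:
    bool m_ordered;
    int m_owner = kNobody;
    int m_entryScope = kNobody;
    unsigned m_lockDropDepth = 0;
};

// A re-grab that the scenario requires to succeed at that point.
static void mustGrab(VmLockModel& vm, int thread, unsigned dropDepth) {
    bool ok = vm.tryGrabAllLocks(thread, dropDepth);
    assert(ok);
    (void)ok;
}

// Replays steps 1-10. Returns true if T2 resumes and finds the entry scope
// null (the crash condition), false if the ordering rule made T1 wait so that
// T2 finished first.
bool t2ResumesWithNullEntryScope(bool ordered) {
    VmLockModel vm(ordered);
    vm.lock(kT1); vm.enter(kT1);                 // steps 1-2: T1 sets the entry scope
    unsigned d1 = vm.dropAllLocks(kT1);          // step 3
    vm.lock(kT2); vm.enter(kT2);                 // step 4: entry scope already set
    unsigned d2 = vm.dropAllLocks(kT2);          // step 5

    if (vm.tryGrabAllLocks(kT1, d1)) {           // step 6: unordered lets T1 through
        vm.exit(kT1); vm.unlock(kT1);            // steps 7-8: T1 clears the entry scope
        mustGrab(vm, kT2, d2);                   // step 9
        return !vm.hasEntryScope();              // step 10: null means crash
    }

    // Ordered re-entry: T1 yielded, so T2 re-grabs and leaves first.
    mustGrab(vm, kT2, d2);
    bool sawNull = !vm.hasEntryScope();
    vm.exit(kT2); vm.unlock(kT2);
    mustGrab(vm, kT1, d1);                       // depths match again: T1 proceeds
    vm.exit(kT1); vm.unlock(kT1);
    assert(vm.lockDropDepth() == 0 && !vm.hasEntryScope());
    return sawNull;
}

int main() {
    std::printf("unordered re-entry: T2 sees null entry scope = %d\n",
                t2ResumesWithNullEntryScope(false));
    std::printf("ordered re-entry:   T2 sees null entry scope = %d\n",
                t2ResumesWithNullEntryScope(true));
    return 0;
}
```

        The model keeps only what the scenario needs (an owner, an entry scope
        and a drop depth); the real lock also tracks a lock count and spins with
        a yield instead of returning false.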
1164
1165 2014-02-25  Mark Lam  <mark.lam@apple.com>
1166
1167         Need to initialize VM stack data even when the VM is on an exclusive thread.
1168         <https://webkit.org/b/129265>
1169
1170         Not reviewed.
1171
1172         Relanding r164627 now that <https://webkit.org/b/129341> is fixed.
1173
1174         * API/APIShims.h:
1175         (JSC::APIEntryShim::APIEntryShim):
1176         (JSC::APICallbackShim::shouldDropAllLocks):
1177         * heap/MachineStackMarker.cpp:
1178         (JSC::MachineThreads::addCurrentThread):
1179         * runtime/JSLock.cpp:
1180         (JSC::JSLockHolder::JSLockHolder):
1181         (JSC::JSLockHolder::init):
1182         (JSC::JSLockHolder::~JSLockHolder):
1183         (JSC::JSLock::JSLock):
1184         (JSC::JSLock::setExclusiveThread):
1185         (JSC::JSLock::lock):
1186         (JSC::JSLock::unlock):
1187         (JSC::JSLock::currentThreadIsHoldingLock):
1188         (JSC::JSLock::dropAllLocks):
1189         (JSC::JSLock::grabAllLocks):
1190         * runtime/JSLock.h:
1191         (JSC::JSLock::hasExclusiveThread):
1192         (JSC::JSLock::exclusiveThread):
1193         * runtime/VM.cpp:
1194         (JSC::VM::VM):
1195         * runtime/VM.h:
1196         (JSC::VM::hasExclusiveThread):
1197         (JSC::VM::exclusiveThread):
1198         (JSC::VM::setExclusiveThread):
1199         (JSC::VM::currentThreadIsHoldingAPILock):
1200
1201 2014-02-25  Filip Pizlo  <fpizlo@apple.com>
1202
1203         Inline caching in the FTL on ARM64 should "work"
1204         https://bugs.webkit.org/show_bug.cgi?id=129334
1205
1206         Reviewed by Mark Hahnenberg.
1207         
1208         Gets us to the point where simple tests that use inline caching are passing.
1209
1210         * assembler/LinkBuffer.cpp:
1211         (JSC::LinkBuffer::copyCompactAndLinkCode):
1212         (JSC::LinkBuffer::shrink):
1213         * ftl/FTLInlineCacheSize.cpp:
1214         (JSC::FTL::sizeOfGetById):
1215         (JSC::FTL::sizeOfPutById):
1216         (JSC::FTL::sizeOfCall):
1217         * ftl/FTLOSRExitCompiler.cpp:
1218         (JSC::FTL::compileFTLOSRExit):
1219         * ftl/FTLThunks.cpp:
1220         (JSC::FTL::osrExitGenerationThunkGenerator):
1221         * jit/GPRInfo.h:
1222         * offlineasm/arm64.rb:
1223
1224 2014-02-25  Commit Queue  <commit-queue@webkit.org>
1225
1226         Unreviewed, rolling out r164627.
1227         http://trac.webkit.org/changeset/164627
1228         https://bugs.webkit.org/show_bug.cgi?id=129325
1229
1230         Broke SubtleCrypto tests (Requested by ap on #webkit).
1231
1232         * API/APIShims.h:
1233         (JSC::APIEntryShim::APIEntryShim):
1234         (JSC::APICallbackShim::shouldDropAllLocks):
1235         * heap/MachineStackMarker.cpp:
1236         (JSC::MachineThreads::addCurrentThread):
1237         * runtime/JSLock.cpp:
1238         (JSC::JSLockHolder::JSLockHolder):
1239         (JSC::JSLockHolder::init):
1240         (JSC::JSLockHolder::~JSLockHolder):
1241         (JSC::JSLock::JSLock):
1242         (JSC::JSLock::lock):
1243         (JSC::JSLock::unlock):
1244         (JSC::JSLock::currentThreadIsHoldingLock):
1245         (JSC::JSLock::dropAllLocks):
1246         (JSC::JSLock::grabAllLocks):
1247         * runtime/JSLock.h:
1248         * runtime/VM.cpp:
1249         (JSC::VM::VM):
1250         * runtime/VM.h:
1251         (JSC::VM::currentThreadIsHoldingAPILock):
1252
1253 2014-02-25  Filip Pizlo  <fpizlo@apple.com>
1254
1255         ARM64 rshift64 should be an arithmetic shift
1256         https://bugs.webkit.org/show_bug.cgi?id=129323
1257
1258         Reviewed by Mark Hahnenberg.
1259
1260         * assembler/MacroAssemblerARM64.h:
1261         (JSC::MacroAssemblerARM64::rshift64):
1262
1263 2014-02-25  Sergio Villar Senin  <svillar@igalia.com>
1264
1265         [CSS Grid Layout] Add ENABLE flag
1266         https://bugs.webkit.org/show_bug.cgi?id=129153
1267
1268         Reviewed by Simon Fraser.
1269
1270         * Configurations/FeatureDefines.xcconfig: added ENABLE_CSS_GRID_LAYOUT feature flag.
1271
1272 2014-02-25  Michael Saboff  <msaboff@apple.com>
1273
1274         JIT Engines use the wrong stack limit for stack checks
1275         https://bugs.webkit.org/show_bug.cgi?id=129314
1276
1277         Reviewed by Filip Pizlo.
1278
1279         Change the Baseline and DFG code to use VM::m_stackLimit for stack limit checks.
1280
1281         * dfg/DFGJITCompiler.cpp:
1282         (JSC::DFG::JITCompiler::compileFunction):
1283         * jit/JIT.cpp:
1284         (JSC::JIT::privateCompile):
1285         * jit/JITCall.cpp:
1286         (JSC::JIT::compileLoadVarargs):
1287         * jit/JITCall32_64.cpp:
1288         (JSC::JIT::compileLoadVarargs):
1289         * runtime/VM.h:
1290         (JSC::VM::addressOfStackLimit):
1291
1292 2014-02-25  Filip Pizlo  <fpizlo@apple.com>
1293
1294         Unreviewed, roll out http://trac.webkit.org/changeset/164493.
1295         
1296         It causes crashes, apparently because it's removing too many barriers. I will investigate
1297         later.
1298
1299         * bytecode/SpeculatedType.cpp:
1300         (JSC::speculationToAbbreviatedString):
1301         * bytecode/SpeculatedType.h:
1302         * dfg/DFGFixupPhase.cpp:
1303         (JSC::DFG::FixupPhase::fixupNode):
1304         (JSC::DFG::FixupPhase::insertStoreBarrier):
1305         * dfg/DFGNode.h:
1306         * ftl/FTLCapabilities.cpp:
1307         (JSC::FTL::canCompile):
1308         * ftl/FTLLowerDFGToLLVM.cpp:
1309         (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
1310         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
1311         (JSC::FTL::LowerDFGToLLVM::isNotNully):
1312         (JSC::FTL::LowerDFGToLLVM::isNully):
1313         (JSC::FTL::LowerDFGToLLVM::speculate):
1314         (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
1315         (JSC::FTL::LowerDFGToLLVM::speculateNotCell):
1316
1317 2014-02-24  Oliver Hunt  <oliver@apple.com>
1318
1319         Fix build.
1320
1321         * jit/CCallHelpers.h:
1322         (JSC::CCallHelpers::setupArgumentsWithExecState):
1323
1324 2014-02-24  Oliver Hunt  <oliver@apple.com>
1325
1326         Spread operator has a bad time when applied to call function
1327         https://bugs.webkit.org/show_bug.cgi?id=128853
1328
1329         Reviewed by Geoffrey Garen.
1330
1331         Follow on from the previous patch that added an extra slot to
1332         op_call_varargs (and _call, _call_eval, _construct).  We now
1333         use the slot as an offset to in effect act as a 'slice' on
1334         the spread subject.  This allows us to automatically retain
1335         all our existing argument and array optimisations.  Most of
1336         this patch is simply threading the offset around.
1337
1338         * bytecode/CodeBlock.cpp:
1339         (JSC::CodeBlock::dumpBytecode):
1340         * bytecompiler/BytecodeGenerator.cpp:
1341         (JSC::BytecodeGenerator::emitCall):
1342         (JSC::BytecodeGenerator::emitCallVarargs):
1343         * bytecompiler/BytecodeGenerator.h:
1344         * bytecompiler/NodesCodegen.cpp:
1345         (JSC::getArgumentByVal):
1346         (JSC::CallFunctionCallDotNode::emitBytecode):
1347         (JSC::ApplyFunctionCallDotNode::emitBytecode):
1348         * interpreter/Interpreter.cpp:
1349         (JSC::sizeFrameForVarargs):
1350         (JSC::loadVarargs):
1351         * interpreter/Interpreter.h:
1352         * jit/CCallHelpers.h:
1353         (JSC::CCallHelpers::setupArgumentsWithExecState):
1354         * jit/JIT.h:
1355         * jit/JITCall.cpp:
1356         (JSC::JIT::compileLoadVarargs):
1357         * jit/JITInlines.h:
1358         (JSC::JIT::callOperation):
1359         * jit/JITOperations.cpp:
1360         * jit/JITOperations.h:
1361         * llint/LLIntSlowPaths.cpp:
1362         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1363         * runtime/Arguments.cpp:
1364         (JSC::Arguments::copyToArguments):
1365         * runtime/Arguments.h:
1366         * runtime/JSArray.cpp:
1367         (JSC::JSArray::copyToArguments):
1368         * runtime/JSArray.h:
1369
1370 2014-02-24  Mark Lam  <mark.lam@apple.com>
1371
1372         Need to initialize VM stack data even when the VM is on an exclusive thread.
1373         <https://webkit.org/b/129265>
1374
1375         Reviewed by Geoffrey Garen.
1376
1377         We check VM::exclusiveThread as an optimization to forego the need to do
1378         JSLock locking. However, we recently started piggybacking on JSLock's
1379         lock() and unlock() to initialize VM stack data (stackPointerAtVMEntry
1380         and lastStackTop) to appropriate values for the current thread. This is
1381         needed because we may be acquiring the lock to enter the VM on a different
1382         thread.
1383
1384         As a result, we ended up not initializing the VM stack data when
1385         VM::exclusiveThread causes us to bypass the locking activity. Even though
1386         the VM::exclusiveThread will not have to deal with the VM being entered
1387         on a different thread, it still needs to initialize the VM stack data.
1388         The VM relies on that data being initialized properly once it has been
1389         entered.
1390
1391         With this fix, we push the check for exclusiveThread down into the JSLock,
1392         and handle the bypassing of unneeded locking activity there while still
1393         executing the necessary VM stack data initialization.
1394
1395         * API/APIShims.h:
1396         (JSC::APIEntryShim::APIEntryShim):
1397         (JSC::APICallbackShim::shouldDropAllLocks):
1398         * heap/MachineStackMarker.cpp:
1399         (JSC::MachineThreads::addCurrentThread):
1400         * runtime/JSLock.cpp:
1401         (JSC::JSLockHolder::JSLockHolder):
1402         (JSC::JSLockHolder::init):
1403         (JSC::JSLockHolder::~JSLockHolder):
1404         (JSC::JSLock::JSLock):
1405         (JSC::JSLock::setExclusiveThread):
1406         (JSC::JSLock::lock):
1407         (JSC::JSLock::unlock):
1408         (JSC::JSLock::currentThreadIsHoldingLock):
1409         (JSC::JSLock::dropAllLocks):
1410         (JSC::JSLock::grabAllLocks):
1411         * runtime/JSLock.h:
1412         (JSC::JSLock::exclusiveThread):
1413         * runtime/VM.cpp:
1414         (JSC::VM::VM):
1415         * runtime/VM.h:
1416         (JSC::VM::exclusiveThread):
1417         (JSC::VM::setExclusiveThread):
1418         (JSC::VM::currentThreadIsHoldingAPILock):
1419
1420 2014-02-24  Filip Pizlo  <fpizlo@apple.com>
1421
1422         FTL should do polymorphic PutById inlining
1423         https://bugs.webkit.org/show_bug.cgi?id=129210
1424
1425         Reviewed by Mark Hahnenberg and Oliver Hunt.
1426         
1427         This makes PutByIdStatus inform us about polymorphic cases by returning an array of
1428         PutByIdVariants. The DFG now has a node called MultiPutByOffset that indicates a
1429         selection of multiple inlined PutByIdVariants.
1430         
1431         MultiPutByOffset is almost identical to MultiGetByOffset, which we added in
1432         http://trac.webkit.org/changeset/164207.
1433         
1434         This also does some FTL refactoring to make MultiPutByOffset share code with some nodes
1435         that generate similar code.
1436         
1437         1% speed-up on V8v7 due to splay improving by 6.8%. Splay does the thing where it
1438         sometimes swaps field insertion order, creating fake polymorphism.
1439
1440         * CMakeLists.txt:
1441         * GNUmakefile.list.am:
1442         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1443         * JavaScriptCore.xcodeproj/project.pbxproj:
1444         * bytecode/PutByIdStatus.cpp:
1445         (JSC::PutByIdStatus::computeFromLLInt):
1446         (JSC::PutByIdStatus::computeFor):
1447         (JSC::PutByIdStatus::computeForStubInfo):
1448         (JSC::PutByIdStatus::dump):
1449         * bytecode/PutByIdStatus.h:
1450         (JSC::PutByIdStatus::PutByIdStatus):
1451         (JSC::PutByIdStatus::isSimple):
1452         (JSC::PutByIdStatus::numVariants):
1453         (JSC::PutByIdStatus::variants):
1454         (JSC::PutByIdStatus::at):
1455         (JSC::PutByIdStatus::operator[]):
1456         * bytecode/PutByIdVariant.cpp: Added.
1457         (JSC::PutByIdVariant::dump):
1458         (JSC::PutByIdVariant::dumpInContext):
1459         * bytecode/PutByIdVariant.h: Added.
1460         (JSC::PutByIdVariant::PutByIdVariant):
1461         (JSC::PutByIdVariant::replace):
1462         (JSC::PutByIdVariant::transition):
1463         (JSC::PutByIdVariant::kind):
1464         (JSC::PutByIdVariant::isSet):
1465         (JSC::PutByIdVariant::operator!):
1466         (JSC::PutByIdVariant::structure):
1467         (JSC::PutByIdVariant::oldStructure):
1468         (JSC::PutByIdVariant::newStructure):
1469         (JSC::PutByIdVariant::structureChain):
1470         (JSC::PutByIdVariant::offset):
1471         * dfg/DFGAbstractInterpreterInlines.h:
1472         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1473         * dfg/DFGByteCodeParser.cpp:
1474         (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
1475         (JSC::DFG::ByteCodeParser::handleGetById):
1476         (JSC::DFG::ByteCodeParser::emitPutById):
1477         (JSC::DFG::ByteCodeParser::handlePutById):
1478         (JSC::DFG::ByteCodeParser::parseBlock):
1479         * dfg/DFGCSEPhase.cpp:
1480         (JSC::DFG::CSEPhase::checkStructureElimination):
1481         (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
1482         (JSC::DFG::CSEPhase::putStructureStoreElimination):
1483         (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
1484         (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
1485         * dfg/DFGClobberize.h:
1486         (JSC::DFG::clobberize):
1487         * dfg/DFGConstantFoldingPhase.cpp:
1488         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1489         (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
1490         * dfg/DFGFixupPhase.cpp:
1491         (JSC::DFG::FixupPhase::fixupNode):
1492         * dfg/DFGGraph.cpp:
1493         (JSC::DFG::Graph::dump):
1494         * dfg/DFGGraph.h:
1495         * dfg/DFGNode.cpp:
1496         (JSC::DFG::MultiPutByOffsetData::writesStructures):
1497         (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
1498         * dfg/DFGNode.h:
1499         (JSC::DFG::Node::convertToPutByOffset):
1500         (JSC::DFG::Node::hasMultiPutByOffsetData):
1501         (JSC::DFG::Node::multiPutByOffsetData):
1502         * dfg/DFGNodeType.h:
1503         * dfg/DFGPredictionPropagationPhase.cpp:
1504         (JSC::DFG::PredictionPropagationPhase::propagate):
1505         * dfg/DFGSafeToExecute.h:
1506         (JSC::DFG::safeToExecute):
1507         * dfg/DFGSpeculativeJIT32_64.cpp:
1508         (JSC::DFG::SpeculativeJIT::compile):
1509         * dfg/DFGSpeculativeJIT64.cpp:
1510         (JSC::DFG::SpeculativeJIT::compile):
1511         * dfg/DFGTypeCheckHoistingPhase.cpp:
1512         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
1513         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
1514         * ftl/FTLCapabilities.cpp:
1515         (JSC::FTL::canCompile):
1516         * ftl/FTLLowerDFGToLLVM.cpp:
1517         (JSC::FTL::LowerDFGToLLVM::compileNode):
1518         (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
1519         (JSC::FTL::LowerDFGToLLVM::compileAllocatePropertyStorage):
1520         (JSC::FTL::LowerDFGToLLVM::compileReallocatePropertyStorage):
1521         (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
1522         (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
1523         (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
1524         (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
1525         (JSC::FTL::LowerDFGToLLVM::loadProperty):
1526         (JSC::FTL::LowerDFGToLLVM::storeProperty):
1527         (JSC::FTL::LowerDFGToLLVM::addressOfProperty):
1528         (JSC::FTL::LowerDFGToLLVM::storageForTransition):
1529         (JSC::FTL::LowerDFGToLLVM::allocatePropertyStorage):
1530         (JSC::FTL::LowerDFGToLLVM::reallocatePropertyStorage):
1531         (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
1532         * tests/stress/fold-multi-put-by-offset-to-put-by-offset.js: Added.
1533         * tests/stress/multi-put-by-offset-reallocation-butterfly-cse.js: Added.
1534         * tests/stress/multi-put-by-offset-reallocation-cases.js: Added.
1535
1536 2014-02-24  peavo@outlook.com  <peavo@outlook.com>
1537
1538         JSC regressions after r164494
1539         https://bugs.webkit.org/show_bug.cgi?id=129272
1540
1541         Reviewed by Mark Lam.
1542
1543         * offlineasm/x86.rb: Only avoid reverse opcode (fdivr) for Windows.
1544
1545 2014-02-24  Tamas Gergely  <tgergely.u-szeged@partner.samsung.com>
1546
1547         Code cleanup: remove leftover ENABLE(WORKERS) macros and support.
1548         https://bugs.webkit.org/show_bug.cgi?id=129255
1549
1550         Reviewed by Csaba Osztrogonác.
1551
1552         ENABLE_WORKERS macro was removed in r159679.
1553         Support is now also removed from xcconfig files.
1554
1555         * Configurations/FeatureDefines.xcconfig:
1556
1557 2014-02-24  David Kilzer  <ddkilzer@apple.com>
1558
1559         Remove redundant setting in FeatureDefines.xcconfig
1560
1561         * Configurations/FeatureDefines.xcconfig:
1562
1563 2014-02-23  Sam Weinig  <sam@webkit.org>
1564
1565         Update FeatureDefines.xcconfig
1566
1567         Rubber-stamped by Anders Carlsson.
1568
1569         * Configurations/FeatureDefines.xcconfig:
1570
1571 2014-02-23  Dean Jackson  <dino@apple.com>
1572
1573         Sort the project file with sort-Xcode-project-file.
1574
1575         Rubber-stamped by Sam Weinig.
1576
1577         * JavaScriptCore.xcodeproj/project.pbxproj:
1578
1579 2014-02-23  Sam Weinig  <sam@webkit.org>
1580
1581         Move telephone number detection behind its own ENABLE macro
1582         https://bugs.webkit.org/show_bug.cgi?id=129236
1583
1584         Reviewed by Dean Jackson.
1585
1586         * Configurations/FeatureDefines.xcconfig:
1587         Add ENABLE_TELEPHONE_NUMBER_DETECTION.
1588
1589 2014-02-22  Filip Pizlo  <fpizlo@apple.com>
1590
1591         Refine DFG+FTL inlining and compilation limits
1592         https://bugs.webkit.org/show_bug.cgi?id=129212
1593
1594         Reviewed by Mark Hahnenberg.
1595         
1596         Allow larger functions to be DFG-compiled. Institute a limit on FTL compilation,
1597         and set that limit quite high. Institute a limit on inlining-into. The idea here is
1598         that large functions tend to be autogenerated, and code generators like emscripten
1599         appear to leave few inlining opportunities anyway. Also, we don't want the code
1600         size explosion that we would risk if we allowed compilation of a large function and
1601         then inlined a ton of stuff into it.
1602         
1603         This is a 0.5% speed-up on Octane v2 and almost eliminates the typescript
1604         regression. This is a 9% speed-up on AsmBench.
1605
1606         * bytecode/CodeBlock.cpp:
1607         (JSC::CodeBlock::noticeIncomingCall):
1608         * dfg/DFGByteCodeParser.cpp:
1609         (JSC::DFG::ByteCodeParser::handleInlining):
1610         * dfg/DFGCapabilities.h:
1611         (JSC::DFG::isSmallEnoughToInlineCodeInto):
1612         * ftl/FTLCapabilities.cpp:
1613         (JSC::FTL::canCompile):
1614         * ftl/FTLState.h:
1615         (JSC::FTL::shouldShowDisassembly):
1616         * runtime/Options.h:
1617
1618 2014-02-22  Dan Bernstein  <mitz@apple.com>
1619
1620         REGRESSION (r164507): Crash beneath JSGlobalObjectInspectorController::reportAPIException at facebook.com, twitter.com, youtube.com
1621         https://bugs.webkit.org/show_bug.cgi?id=129227
1622
1623         Reviewed by Eric Carlson.
1624
1625         Reverted r164507.
1626
1627         * API/JSBase.cpp:
1628         (JSEvaluateScript):
1629         (JSCheckScriptSyntax):
1630         * API/JSObjectRef.cpp:
1631         (JSObjectMakeFunction):
1632         (JSObjectMakeArray):
1633         (JSObjectMakeDate):
1634         (JSObjectMakeError):
1635         (JSObjectMakeRegExp):
1636         (JSObjectGetProperty):
1637         (JSObjectSetProperty):
1638         (JSObjectGetPropertyAtIndex):
1639         (JSObjectSetPropertyAtIndex):
1640         (JSObjectDeleteProperty):
1641         (JSObjectCallAsFunction):
1642         (JSObjectCallAsConstructor):
1643         * API/JSValue.mm:
1644         (valueToArray):
1645         (valueToDictionary):
1646         * API/JSValueRef.cpp:
1647         (JSValueIsEqual):
1648         (JSValueIsInstanceOfConstructor):
1649         (JSValueCreateJSONString):
1650         (JSValueToNumber):
1651         (JSValueToStringCopy):
1652         (JSValueToObject):
1653         * inspector/ConsoleMessage.cpp:
1654         (Inspector::ConsoleMessage::ConsoleMessage):
1655         (Inspector::ConsoleMessage::autogenerateMetadata):
1656         * inspector/ConsoleMessage.h:
1657         * inspector/JSGlobalObjectInspectorController.cpp:
1658         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1659         * inspector/JSGlobalObjectInspectorController.h:
1660         * inspector/ScriptCallStack.cpp:
1661         * inspector/ScriptCallStack.h:
1662         * inspector/ScriptCallStackFactory.cpp:
1663         (Inspector::createScriptCallStack):
1664         (Inspector::createScriptCallStackForConsole):
1665         (Inspector::createScriptCallStackFromException):
1666         * inspector/ScriptCallStackFactory.h:
1667         * inspector/agents/InspectorConsoleAgent.cpp:
1668         (Inspector::InspectorConsoleAgent::enable):
1669         (Inspector::InspectorConsoleAgent::addMessageToConsole):
1670         (Inspector::InspectorConsoleAgent::count):
1671         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
1672         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
1673
1674 2014-02-22  Joseph Pecoraro  <pecoraro@apple.com>
1675
1676         Remove some unreachable code (-Wunreachable-code)
1677         https://bugs.webkit.org/show_bug.cgi?id=129220
1678
1679         Reviewed by Eric Carlson.
1680
1681         * API/tests/testapi.c:
1682         (EvilExceptionObject_convertToType):
1683         * disassembler/udis86/udis86_decode.c:
1684         (decode_operand):
1685
1686 2014-02-22  Filip Pizlo  <fpizlo@apple.com>
1687
1688         Unreviewed, ARMv7 build fix.
1689
1690         * assembler/ARMv7Assembler.h:
1691
1692 2014-02-21  Filip Pizlo  <fpizlo@apple.com>
1693
1694         It should be possible for a LinkBuffer to outlive the MacroAssembler and still be useful
1695         https://bugs.webkit.org/show_bug.cgi?id=124733
1696
1697         Reviewed by Oliver Hunt.
1698         
1699         This also takes the opportunity to de-duplicate some branch compaction code.
1700
1701         * assembler/ARM64Assembler.h:
1702         * assembler/ARMv7Assembler.h:
1703         (JSC::ARMv7Assembler::buffer):
1704         * assembler/AssemblerBuffer.h:
1705         (JSC::AssemblerData::AssemblerData):
1706         (JSC::AssemblerBuffer::AssemblerBuffer):
1707         (JSC::AssemblerBuffer::storage):
1708         (JSC::AssemblerBuffer::grow):
1709         * assembler/LinkBuffer.h:
1710         (JSC::LinkBuffer::LinkBuffer):
1711         (JSC::LinkBuffer::executableOffsetFor):
1712         (JSC::LinkBuffer::applyOffset):
1713         * assembler/MacroAssemblerARM64.h:
1714         (JSC::MacroAssemblerARM64::link):
1715         * assembler/MacroAssemblerARMv7.h:
1716
1717 2014-02-21  Brent Fulgham  <bfulgham@apple.com>
1718
1719         Extend media support for WebVTT sources
1720         https://bugs.webkit.org/show_bug.cgi?id=129156
1721
1722         Reviewed by Eric Carlson.
1723
1724         * Configurations/FeatureDefines.xcconfig: Add new feature define for AVF_CAPTIONS
1725
1726 2014-02-21  Joseph Pecoraro  <pecoraro@apple.com>
1727
1728         Web Inspector: JSContext inspection should report exceptions in the console
1729         https://bugs.webkit.org/show_bug.cgi?id=128776
1730
1731         Reviewed by Timothy Hatcher.
1732
1733         When JavaScript API functions have an exception, let the inspector
1734         know so it can log the JavaScript and Native backtrace that caused
1735         the exception.
1736
1737         Include some clean up of ConsoleMessage and ScriptCallStack construction.
1738
1739         * API/JSBase.cpp:
1740         (JSEvaluateScript):
1741         (JSCheckScriptSyntax):
1742         * API/JSObjectRef.cpp:
1743         (JSObjectMakeFunction):
1744         (JSObjectMakeArray):
1745         (JSObjectMakeDate):
1746         (JSObjectMakeError):
1747         (JSObjectMakeRegExp):
1748         (JSObjectGetProperty):
1749         (JSObjectSetProperty):
1750         (JSObjectGetPropertyAtIndex):
1751         (JSObjectSetPropertyAtIndex):
1752         (JSObjectDeleteProperty):
1753         (JSObjectCallAsFunction):
1754         (JSObjectCallAsConstructor):
1755         * API/JSValue.mm:
1756         (reportExceptionToInspector):
1757         (valueToArray):
1758         (valueToDictionary):
1759         * API/JSValueRef.cpp:
1760         (JSValueIsEqual):
1761         (JSValueIsInstanceOfConstructor):
1762         (JSValueCreateJSONString):
1763         (JSValueToNumber):
1764         (JSValueToStringCopy):
1765         (JSValueToObject):
1766         When seeing an exception, let the inspector know there was an exception.
1767
1768         * inspector/JSGlobalObjectInspectorController.h:
1769         * inspector/JSGlobalObjectInspectorController.cpp:
1770         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1771         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
1772         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
1773         Log API exceptions by also grabbing the native backtrace.
1774
1775         * inspector/ScriptCallStack.h:
1776         * inspector/ScriptCallStack.cpp:
1777         (Inspector::ScriptCallStack::firstNonNativeCallFrame):
1778         (Inspector::ScriptCallStack::append):
1779         Minor extensions to ScriptCallStack to make it easier to work with.
1780
1781         * inspector/ConsoleMessage.cpp:
1782         (Inspector::ConsoleMessage::ConsoleMessage):
1783         (Inspector::ConsoleMessage::autogenerateMetadata):
1784         Provide better default information if the first call frame was native.
1785
1786         * inspector/ScriptCallStackFactory.cpp:
1787         (Inspector::createScriptCallStack):
1788         (Inspector::extractSourceInformationFromException):
1789         (Inspector::createScriptCallStackFromException):
1790         Perform the handling here of inserting a fake call frame for exceptions
1791         if there was no call stack (e.g. a SyntaxError) or if the first call
1792         frame had no information.
1793
1794         * inspector/ConsoleMessage.cpp:
1795         (Inspector::ConsoleMessage::ConsoleMessage):
1796         (Inspector::ConsoleMessage::autogenerateMetadata):
1797         * inspector/ConsoleMessage.h:
1798         * inspector/ScriptCallStackFactory.cpp:
1799         (Inspector::createScriptCallStack):
1800         (Inspector::createScriptCallStackForConsole):
1801         * inspector/ScriptCallStackFactory.h:
1802         * inspector/agents/InspectorConsoleAgent.cpp:
1803         (Inspector::InspectorConsoleAgent::enable):
1804         (Inspector::InspectorConsoleAgent::addMessageToConsole):
1805         (Inspector::InspectorConsoleAgent::count):
1806         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
1807         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
1808         ConsoleMessage cleanup.
1809
1810 2014-02-21  Oliver Hunt  <oliver@apple.com>
1811
1812         Add extra space to op_call and related opcodes
1813         https://bugs.webkit.org/show_bug.cgi?id=129170
1814
1815         Reviewed by Mark Lam.
1816
1817         No change in behaviour, just some refactoring to add an extra
1818         slot to the op_call instructions, and refactoring to make similar
1819         changes easier in future.
1820
1821         * bytecode/CodeBlock.cpp:
1822         (JSC::CodeBlock::printCallOp):
1823         * bytecode/Opcode.h:
1824         (JSC::padOpcodeName):
1825         * bytecompiler/BytecodeGenerator.cpp:
1826         (JSC::BytecodeGenerator::emitCall):
1827         (JSC::BytecodeGenerator::emitCallVarargs):
1828         (JSC::BytecodeGenerator::emitConstruct):
1829         * dfg/DFGByteCodeParser.cpp:
1830         (JSC::DFG::ByteCodeParser::handleIntrinsic):
1831         * jit/JITCall.cpp:
1832         (JSC::JIT::compileOpCall):
1833         * jit/JITCall32_64.cpp:
1834         (JSC::JIT::compileOpCall):
1835         * llint/LowLevelInterpreter.asm:
1836         * llint/LowLevelInterpreter32_64.asm:
1837         * llint/LowLevelInterpreter64.asm:
1838
1839 2014-02-21  Mark Lam  <mark.lam@apple.com>
1840
1841         gatherFromOtherThread() needs to align the sp before gathering roots.
1842         <https://webkit.org/b/129169>
1843
1844         Reviewed by Geoffrey Garen.
1845
1846         The GC scans the stacks of other threads using MachineThreads::gatherFromOtherThread().
1847         gatherFromOtherThread() defines the range of the other thread's stack as
1848         being bounded by the other thread's stack pointer and stack base. While
1849         the stack base will always be aligned to sizeof(void*), the stack pointer
1850         may not be. This is because the other thread may have just pushed a 32-bit
1851         value on its stack before we suspended it for scanning.
1852
1853         The fix is to round the stack pointer up to the next aligned address of
1854         sizeof(void*) and start scanning from there. On 64-bit systems, we will
1855         effectively ignore the 32-bit word at the bottom of the stack (top of the
1856         stack for stacks growing up) because it cannot be a 64-bit pointer anyway.
1857         64-bit pointers should always be stored on 64-bit aligned boundaries (our
1858         conservative scan algorithm already depends on this assumption).
1859
1860         On 32-bit systems, the rounding is effectively a no-op.
1861
1862         * heap/ConservativeRoots.cpp:
1863         (JSC::ConservativeRoots::genericAddSpan):
1864         - Hardened some assertions so that we can catch misalignment issues on
1865           release builds as well.
1866         * heap/MachineStackMarker.cpp:
1867         (JSC::MachineThreads::gatherFromOtherThread):
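
        The alignment fix described in the entry above, as an added illustration that is not WebKit's code: a conservative scan over a constructed stack span that rounds the raw stack pointer up to the next sizeof(void*) boundary before reading words, with release-mode checks on both ends of the range. The names (releaseAssert, alignUpToPointer, gatherRoots, demoScan) and the cell addresses in the sample are assumptions made for the example.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <set>
#include <vector>

// Abort even in release builds, in the spirit of the hardened assertions the
// entry mentions (added example helper, not WebKit's RELEASE_ASSERT).
static void releaseAssert(bool condition, const char* what)
{
    if (!condition) {
        std::fprintf(stderr, "release assertion failed: %s\n", what);
        std::abort();
    }
}

// Round an address up to the next sizeof(void*) boundary. A suspended thread
// may have just pushed a 32-bit value, so its sp can sit 4 bytes below an
// aligned slot; rounding up skips that half-word, which cannot hold a pointer.
static inline uintptr_t alignUpToPointer(uintptr_t address)
{
    const uintptr_t mask = sizeof(void*) - 1;
    return (address + mask) & ~mask;
}

// Conservative scan of the span [rawStackPointer, stackBase): each aligned,
// pointer-sized word whose value equals a known cell address is a root.
// heapCells is a constructed stand-in for the collector's cell lookup.
static std::vector<uintptr_t> gatherRoots(const void* rawStackPointer, const void* stackBase,
                                          const std::set<uintptr_t>& heapCells)
{
    uintptr_t begin = alignUpToPointer(reinterpret_cast<uintptr_t>(rawStackPointer));
    uintptr_t end = reinterpret_cast<uintptr_t>(stackBase);
    releaseAssert(!(begin & (sizeof(void*) - 1)), "scan start is pointer-aligned");
    releaseAssert(!(end & (sizeof(void*) - 1)), "scan end is pointer-aligned");
    releaseAssert(begin <= end, "scan range is not inverted");

    std::vector<uintptr_t> roots;
    for (uintptr_t p = begin; p + sizeof(void*) <= end; p += sizeof(void*)) {
        uintptr_t candidate;
        std::memcpy(&candidate, reinterpret_cast<const void*>(p), sizeof(candidate));
        if (heapCells.count(candidate))
            roots.push_back(candidate);
    }
    return roots;
}

// Constructed sample: words[0] stands in for the slot holding the stray 32-bit
// push, words[1..4] are the aligned frame above it. The scan starts 4 bytes into
// words[0], which is misaligned on 64-bit and still aligned on 32-bit; either
// way the first full word examined is words[1].
static std::vector<uintptr_t> demoScan()
{
    const std::set<uintptr_t> heapCells = { 0x10000, 0x20000, 0x30000 }; // constructed cell addresses
    uintptr_t words[5] = { 0x10000, 0x20000, 0x12345, 0x30000, 0 };
    const char* rawSp = reinterpret_cast<const char*>(words) + 4;
    const char* stackBase = reinterpret_cast<const char*>(words + 5);
    return gatherRoots(rawSp, stackBase, heapCells);
}

int main()
{
    for (uintptr_t root : demoScan())
        std::printf("root candidate: 0x%lx\n", static_cast<unsigned long>(root));
    return 0;
}
```

The 0x10000 value sitting in the half-word slot is never considered, which is exactly the point of the entry: a word straddling a misaligned start cannot be a pointer, so rounding loses nothing and keeps the alignment checks honest.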
1868
1869 2014-02-21  Matthew Mirman  <mmirman@apple.com>
1870
1871         Added a GetMyArgumentsLengthSafe and added a speculation check.
1872         https://bugs.webkit.org/show_bug.cgi?id=129051
1873
1874         Reviewed by Filip Pizlo.
1875
1876         * ftl/FTLLowerDFGToLLVM.cpp:
1877         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
1878
1879 2014-02-21  peavo@outlook.com  <peavo@outlook.com>
1880
1881         [Win][LLINT] Many JSC stress test failures.
1882         https://bugs.webkit.org/show_bug.cgi?id=129155
1883
1884         Reviewed by Michael Saboff.
1885
1886         Intel syntax has reversed operand order compared to AT&T syntax, so we need to swap the operand order, in this case on floating point operations.
1887         Also avoid using the reverse opcode (e.g. fdivr), as this puts the result at the wrong position in the floating point stack.
1888         E.g. "divd ft0, ft1" would translate to fdivr st, st(1) (Intel syntax) on Windows, but this puts the result in st, when it should be in st(1).
1889
1890         * offlineasm/x86.rb: Swap operand order on Windows.
1891
1892 2014-02-21  Filip Pizlo  <fpizlo@apple.com>
1893
1894         DFG write barriers should do more speculations
1895         https://bugs.webkit.org/show_bug.cgi?id=129160
1896
1897         Reviewed by Mark Hahnenberg.
1898         
1899         Replace ConditionalStoreBarrier with the cheapest speculation that you could do
1900         instead.
1901         
1902         Minuscule speed-up on some things. It's a decent difference in code size, though.
1903
1904         * bytecode/SpeculatedType.cpp:
1905         (JSC::speculationToAbbreviatedString):
1906         * bytecode/SpeculatedType.h:
1907         (JSC::isNotCellSpeculation):
1908         * dfg/DFGFixupPhase.cpp:
1909         (JSC::DFG::FixupPhase::fixupNode):
1910         (JSC::DFG::FixupPhase::insertStoreBarrier):
1911         (JSC::DFG::FixupPhase::insertPhantomCheck):
1912         * dfg/DFGNode.h:
1913         (JSC::DFG::Node::shouldSpeculateOther):
1914         (JSC::DFG::Node::shouldSpeculateNotCell):
1915         * ftl/FTLCapabilities.cpp:
1916         (JSC::FTL::canCompile):
1917         * ftl/FTLLowerDFGToLLVM.cpp:
1918         (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
1919         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
1920         (JSC::FTL::LowerDFGToLLVM::isNotOther):
1921         (JSC::FTL::LowerDFGToLLVM::isOther):
1922         (JSC::FTL::LowerDFGToLLVM::speculate):
1923         (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
1924         (JSC::FTL::LowerDFGToLLVM::speculateOther):
1925         (JSC::FTL::LowerDFGToLLVM::speculateNotCell):
1926
1927 2014-02-21  Joseph Pecoraro  <pecoraro@apple.com>
1928
1929         Revert r164486, causing a number of test failures.
1930
1931         Unreviewed rollout.
1932
1933 2014-02-21  Filip Pizlo  <fpizlo@apple.com>
1934
1935         Revive SABI (aka shouldAlwaysBeInlined)
1936         https://bugs.webkit.org/show_bug.cgi?id=129159
1937
1938         Reviewed by Mark Hahnenberg.
1939         
1940         This is a small Octane speed-up.
1941
1942         * jit/Repatch.cpp:
1943         (JSC::linkFor): This code was assuming that if it's invoked then the caller is a DFG code block. That's wrong, since it's now used by all of the JITs.
1944
1945 2014-02-21  Joseph Pecoraro  <pecoraro@apple.com>
1946
1947         Web Inspector: JSContext inspection should report exceptions in the console
1948         https://bugs.webkit.org/show_bug.cgi?id=128776
1949
1950         Reviewed by Timothy Hatcher.
1951
1952         When JavaScript API functions have an exception, let the inspector
1953         know so it can log the JavaScript and Native backtrace that caused
1954         the exception.
1955
1956         Include some clean up of ConsoleMessage and ScriptCallStack construction.
1957
1958         * API/JSBase.cpp:
1959         (JSEvaluateScript):
1960         (JSCheckScriptSyntax):
1961         * API/JSObjectRef.cpp:
1962         (JSObjectMakeFunction):
1963         (JSObjectMakeArray):
1964         (JSObjectMakeDate):
1965         (JSObjectMakeError):
1966         (JSObjectMakeRegExp):
1967         (JSObjectGetProperty):
1968         (JSObjectSetProperty):
1969         (JSObjectGetPropertyAtIndex):
1970         (JSObjectSetPropertyAtIndex):
1971         (JSObjectDeleteProperty):
1972         (JSObjectCallAsFunction):
1973         (JSObjectCallAsConstructor):
1974         * API/JSValue.mm:
1975         (reportExceptionToInspector):
1976         (valueToArray):
1977         (valueToDictionary):
1978         * API/JSValueRef.cpp:
1979         (JSValueIsEqual):
1980         (JSValueIsInstanceOfConstructor):
1981         (JSValueCreateJSONString):
1982         (JSValueToNumber):
1983         (JSValueToStringCopy):
1984         (JSValueToObject):
1985         When seeing an exception, let the inspector know there was an exception.
1986
1987         * inspector/JSGlobalObjectInspectorController.h:
1988         * inspector/JSGlobalObjectInspectorController.cpp:
1989         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1990         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
1991         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
1992         Log API exceptions by also grabbing the native backtrace.
1993
1994         * inspector/ScriptCallStack.h:
1995         * inspector/ScriptCallStack.cpp:
1996         (Inspector::ScriptCallStack::firstNonNativeCallFrame):
1997         (Inspector::ScriptCallStack::append):
1998         Minor extensions to ScriptCallStack to make it easier to work with.
1999
2000         * inspector/ConsoleMessage.cpp:
2001         (Inspector::ConsoleMessage::ConsoleMessage):
2002         (Inspector::ConsoleMessage::autogenerateMetadata):
2003         Provide better default information if the first call frame was native.
2004
2005         * inspector/ScriptCallStackFactory.cpp:
2006         (Inspector::createScriptCallStack):
2007         (Inspector::extractSourceInformationFromException):
2008         (Inspector::createScriptCallStackFromException):
2009         Perform the handling here of inserting a fake call frame for exceptions
2010         if there was no call stack (e.g. a SyntaxError) or if the first call
2011         frame had no information.
2012
2013         * inspector/ConsoleMessage.cpp:
2014         (Inspector::ConsoleMessage::ConsoleMessage):
2015         (Inspector::ConsoleMessage::autogenerateMetadata):
2016         * inspector/ConsoleMessage.h:
2017         * inspector/ScriptCallStackFactory.cpp:
2018         (Inspector::createScriptCallStack):
2019         (Inspector::createScriptCallStackForConsole):
2020         * inspector/ScriptCallStackFactory.h:
2021         * inspector/agents/InspectorConsoleAgent.cpp:
2022         (Inspector::InspectorConsoleAgent::enable):
2023         (Inspector::InspectorConsoleAgent::addMessageToConsole):
2024         (Inspector::InspectorConsoleAgent::count):
2025         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
2026         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
2027         ConsoleMessage cleanup.
2028
2029 2014-02-20  Anders Carlsson  <andersca@apple.com>
2030
2031         Modernize JSGlobalLock and JSLockHolder
2032         https://bugs.webkit.org/show_bug.cgi?id=129105
2033
2034         Reviewed by Michael Saboff.
2035
2036         Use std::mutex and std::thread::id where possible.
2037
2038         * runtime/JSLock.cpp:
2039         (JSC::GlobalJSLock::GlobalJSLock):
2040         (JSC::GlobalJSLock::~GlobalJSLock):
2041         (JSC::GlobalJSLock::initialize):
2042         (JSC::JSLock::JSLock):
2043         (JSC::JSLock::lock):
2044         (JSC::JSLock::unlock):
2045         (JSC::JSLock::currentThreadIsHoldingLock):
2046         * runtime/JSLock.h:
2047
2048 2014-02-20  Mark Lam  <mark.lam@apple.com>
2049
2050         virtualForWithFunction() should not throw an exception with a partially initialized frame.
2051         <https://webkit.org/b/129134>
2052
2053         Reviewed by Michael Saboff.
2054
2055         Currently, when JITOperations.cpp's virtualForWithFunction() fails to
2056         prepare the callee function for execution, it proceeds to throw the
2057         exception using the callee frame which is only partially initialized
2058         thus far. Instead, it should be throwing the exception using the caller
2059         frame because:
2060         1. the error happened "in" the caller while preparing the callee for
2061            execution i.e. the caller frame is the top fully initialized frame
2062            on the stack.
2063         2. the callee frame is not fully initialized yet, and the unwind
2064            mechanism cannot depend on the data in it.
2065
2066         * jit/JITOperations.cpp:
2067
2068 2014-02-20  Mark Lam  <mark.lam@apple.com>
2069
2070         DefaultGCActivityCallback::doWork() should reschedule if GC is deferred.
2071         <https://webkit.org/b/129131>
2072
2073         Reviewed by Mark Hahnenberg.
2074
2075         Currently, DefaultGCActivityCallback::doWork() does not check if the GC
2076         needs to be deferred before commencing. As a result, the GC may crash
2077         and/or corrupt data because the VM is not in the consistent state needed
2078         for the GC to run. With this fix, doWork() now checks if the GC is
2079         supposed to be deferred and re-schedules if needed. It only commences
2080         with GC'ing when it's safe to do so.
2081
2082         * runtime/GCActivityCallback.cpp:
2083         (JSC::DefaultGCActivityCallback::doWork):
2084
2085 2014-02-20  Geoffrey Garen  <ggaren@apple.com>
2086
2087         Math.imul gives wrong results
2088         https://bugs.webkit.org/show_bug.cgi?id=126345
2089
2090         Reviewed by Mark Hahnenberg.
2091
2092         Don't truncate non-int doubles to 0 -- that's just not how ToInt32 works.
2093         Instead, take a slow path that will do the right thing.
2094
2095         * jit/ThunkGenerators.cpp:
2096         (JSC::imulThunkGenerator):
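
        To make the ToInt32 point above concrete, here is an added example (not JSC's thunk or runtime code) that implements ECMAScript ToInt32 on doubles and Math.imul on top of it, next to a deliberately wrong variant that sends every non-integer double to 0 as the entry describes. The function names toInt32, imul and imulBuggy are assumptions for the example.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>

// ECMAScript ToInt32: NaN and +/-Infinity map to 0; everything else is
// truncated toward zero, reduced modulo 2^32 and reinterpreted as signed.
static int32_t toInt32(double d)
{
    if (std::isnan(d) || std::isinf(d))
        return 0;
    const double twoTo32 = 4294967296.0;
    double modded = std::fmod(std::trunc(d), twoTo32);
    if (modded < 0)
        modded += twoTo32;
    // modded is now in [0, 2^32); the uint32 -> int32 cast gives the
    // two's-complement wrap JavaScript specifies.
    return static_cast<int32_t>(static_cast<uint32_t>(modded));
}

// Math.imul: 32-bit wrapping product of the ToInt32 of each operand.
static int32_t imul(double a, double b)
{
    uint32_t ua = static_cast<uint32_t>(toInt32(a));
    uint32_t ub = static_cast<uint32_t>(toInt32(b));
    return static_cast<int32_t>(ua * ub);
}

// The wrong behaviour the entry fixes: a non-integer double is treated as 0
// instead of being converted with ToInt32.
static int32_t imulBuggy(double a, double b)
{
    auto truncateToZero = [](double d) -> int32_t {
        return d == std::trunc(d) ? toInt32(d) : 0;
    };
    uint32_t ua = static_cast<uint32_t>(truncateToZero(a));
    uint32_t ub = static_cast<uint32_t>(truncateToZero(b));
    return static_cast<int32_t>(ua * ub);
}

int main()
{
    std::printf("imul(2.5, 3)       = %d (buggy: %d)\n", imul(2.5, 3), imulBuggy(2.5, 3));
    std::printf("imul(1e10, 1)      = %d\n", imul(1e10, 1));
    std::printf("imul(2^32-1, 5)    = %d\n", imul(4294967295.0, 5));
    std::printf("imul(65536, 65536) = %d\n", imul(65536, 65536));
    return 0;
}
```

A fast path may legitimately handle the int32 case inline; the lesson of the entry is that any operand the fast path cannot classify must fall back to the full conversion rather than to a made-up value.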
2097
2098 2014-02-20  Filip Pizlo  <fpizlo@apple.com>
2099
2100         DFG should do its own static estimates of execution frequency before it starts creating OSR entrypoints
2101         https://bugs.webkit.org/show_bug.cgi?id=129129
2102
2103         Reviewed by Geoffrey Garen.
2104         
2105         We estimate execution counts based on loop depth, and then use those to estimate branch
2106         weights. These weights then get carried all the way down to LLVM prof branch_weights
2107         meta-data.
2108         
2109         This is better than letting LLVM do its own static estimates, since by the time we
2110         generate LLVM IR, we may have messed up the CFG due to OSR entrypoint creation. Of
2111         course, it would be even better if we just slurped in some kind of execution counts
2112         from profiling, but we don't do that, yet.
2113
2114         * CMakeLists.txt:
2115         * GNUmakefile.list.am:
2116         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2117         * JavaScriptCore.xcodeproj/project.pbxproj:
2118         * dfg/DFGBasicBlock.cpp:
2119         (JSC::DFG::BasicBlock::BasicBlock):
2120         * dfg/DFGBasicBlock.h:
2121         * dfg/DFGBlockInsertionSet.cpp:
2122         (JSC::DFG::BlockInsertionSet::insert):
2123         (JSC::DFG::BlockInsertionSet::insertBefore):
2124         * dfg/DFGBlockInsertionSet.h:
2125         * dfg/DFGByteCodeParser.cpp:
2126         (JSC::DFG::ByteCodeParser::handleInlining):
2127         (JSC::DFG::ByteCodeParser::parseCodeBlock):
2128         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
2129         (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
2130         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
2131         (JSC::DFG::createPreHeader):
2132         * dfg/DFGNaturalLoops.h:
2133         (JSC::DFG::NaturalLoops::loopDepth):
2134         * dfg/DFGOSREntrypointCreationPhase.cpp:
2135         (JSC::DFG::OSREntrypointCreationPhase::run):
2136         * dfg/DFGPlan.cpp:
2137         (JSC::DFG::Plan::compileInThreadImpl):
2138         * dfg/DFGStaticExecutionCountEstimationPhase.cpp: Added.
2139         (JSC::DFG::StaticExecutionCountEstimationPhase::StaticExecutionCountEstimationPhase):
2140         (JSC::DFG::StaticExecutionCountEstimationPhase::run):
2141         (JSC::DFG::StaticExecutionCountEstimationPhase::applyCounts):
2142         (JSC::DFG::performStaticExecutionCountEstimation):
2143         * dfg/DFGStaticExecutionCountEstimationPhase.h: Added.
2144
2145 2014-02-20  Filip Pizlo  <fpizlo@apple.com>
2146
2147         FTL may not see a compact_unwind section if there weren't any stackmaps
2148         https://bugs.webkit.org/show_bug.cgi?id=129125
2149
2150         Reviewed by Geoffrey Garen.
2151         
2152         It's OK to not have an unwind section, so long as the function also doesn't have any
2153         OSR exits.
2154
2155         * ftl/FTLCompile.cpp:
2156         (JSC::FTL::fixFunctionBasedOnStackMaps):
2157         (JSC::FTL::compile):
2158         * ftl/FTLUnwindInfo.cpp:
2159         (JSC::FTL::UnwindInfo::parse):
2160         * ftl/FTLUnwindInfo.h:
2161
2162 == Rolled over to ChangeLog-2014-02-20 ==