REGRESSION(r169092 and r169102): Skip failing JSC tests on ARM64 properly
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-05-21  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        REGRESSION(r169092 and r169102): Skip failing JSC tests on ARM64 properly
        https://bugs.webkit.org/show_bug.cgi?id=133149

        Reviewed by Csaba Osztrogonác.

        * tests/mozilla/mozilla-tests.yaml:

2014-05-20  Geoffrey Garen  <ggaren@apple.com>

        Rolled out <http://trac.webkit.org/changeset/166184>
        https://bugs.webkit.org/show_bug.cgi?id=133144

        Reviewed by Gavin Barraclough.

        It caused a performance regression.

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::blockFreeingThreadStartFunc):

2014-05-20  Filip Pizlo  <fpizlo@apple.com>

        DFG prediction propagation should agree with fixup phase over the return type of GetByVal
        https://bugs.webkit.org/show_bug.cgi?id=133134

        Reviewed by Mark Hahnenberg.

        Make prediction propagator use ArrayMode refinement to decide the return type.

        Also introduce a heap prediction intrinsic that allows us to test weird corner cases
        like this. The only way we'll see a mismatch like this in the real world is probably
        through a gnarly race condition.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::setHeapPrediction):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionFalse1):
        (functionFalse2):
        (functionUndefined1):
        (functionUndefined2):
        (functionFalse): Deleted.
        (functionOtherFalse): Deleted.
        (functionUndefined): Deleted.
        * runtime/Intrinsic.h:
        * tests/stress/get-by-val-double-predicted-int.js: Added.
        (foo):

2014-05-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        Watchdog timer should be lazily allocated
        https://bugs.webkit.org/show_bug.cgi?id=133135

        Reviewed by Geoffrey Garen.

        We incur a noticeable amount of overhead on some benchmarks due to checking if the Watchdog ever fired.
        There is no reason to do this checking if we never activated the Watchdog, which can only be done through
        JSContextGroupSetExecutionTimeLimit or JSContextGroupClearExecutionTimeLimit.

        By allocating the Watchdog lazily on the VM we can avoid all of the associated overhead when we don't use
        these two API functions (which is true of most clients).

        * API/JSContextRef.cpp:
        (JSContextGroupSetExecutionTimeLimit):
        (JSContextGroupClearExecutionTimeLimit):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_loop_hint):
        (JSC::JIT::emitSlow_op_loop_hint):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/VM.h:
        * runtime/Watchdog.cpp:
        (JSC::Watchdog::Scope::Scope): Deleted.
        (JSC::Watchdog::Scope::~Scope): Deleted.
        * runtime/Watchdog.h:
        (JSC::Watchdog::Scope::Scope):
        (JSC::Watchdog::Scope::~Scope):

2014-05-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSArray::shiftCountWith* could be more efficient
        https://bugs.webkit.org/show_bug.cgi?id=133011

        Reviewed by Geoffrey Garen.

        Our current implementations of shiftCountWithAnyIndexingType and shiftCountWithArrayStorage
        are scared of the presence of any holes in the array. We can mitigate this somewhat by enabling
        them to correctly handle holes, thus avoiding the slowest of slow paths in most cases.

        * runtime/ArrayStorage.h:
        (JSC::ArrayStorage::indexingHeader):
        (JSC::ArrayStorage::length):
        (JSC::ArrayStorage::hasHoles):
        * runtime/IndexingHeader.h:
        (JSC::IndexingHeader::publicLength):
        (JSC::IndexingHeader::from):
        * runtime/JSArray.cpp:
        (JSC::JSArray::shiftCountWithArrayStorage):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::unshiftCountWithArrayStorage):
        * runtime/JSArray.h:
        (JSC::JSArray::shiftCountForShift):
        (JSC::JSArray::shiftCountForSplice):
        (JSC::JSArray::shiftCount):
        * runtime/Structure.cpp:
        (JSC::Structure::holesRequireSpecialBehavior):
        * runtime/Structure.h:

2014-05-19  Filip Pizlo  <fpizlo@apple.com>

        Test gardening: skip some failing tests on not-X86.

        * tests/mozilla/mozilla-tests.yaml:

2014-05-19  Mark Lam  <mark.lam@apple.com>

        operationOptimize() should defer the GC for a while.
        <https://webkit.org/b/133103>

        Reviewed by Filip Pizlo.

        Currently, operationOptimize() only defers the GC until its end.  As a result,
        a GC may be triggered just before we return from operationOptimize(), and it may
        jettison the optimized codeBlock that we're planning to OSR enter into when we
        return from this function.  This is because the OSR entry on-ramp code hasn't
        been executed yet, and hence, there is not yet a reference to this new codeBlock
        from the stack, and there won't be until we've had a chance to return out of
        operationOptimize() to run the OSR entry on-ramp code.

        This issue is now fixed by using DeferGCForAWhile instead of DeferGC.  This
        ensures that the GC will be deferred until after the OSR entry on-ramp can be
        executed.

        * jit/JITOperations.cpp:

2014-05-19  Filip Pizlo  <fpizlo@apple.com>

        Take care of some ARM64 test failures
        https://bugs.webkit.org/show_bug.cgi?id=133090

        Reviewed by Geoffrey Garen.

        Constant blinding on ARM64 cannot use the scratch register.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::convertInt32ToDouble):
        (JSC::MacroAssembler::branchPtr):
        (JSC::MacroAssembler::storePtr):
        (JSC::MacroAssembler::store64):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::scratchRegisterForBlinding):

2014-05-19  Tanay C  <tanay.c@samsung.com>

        Removing some check-webkit-style warnings from ./dfg
        https://bugs.webkit.org/show_bug.cgi?id=132854

        Reviewed by Darin Adler.

        * dfg/DFGAbstractInterpreter.h:
        * dfg/DFGAbstractValue.h:
        * dfg/DFGBlockInsertionSet.h:
        * dfg/DFGCommonData.h:
        * dfg/DFGDominators.h:
        * dfg/DFGGraph.h:
        * dfg/DFGInPlaceAbstractState.h:
        * dfg/DFGPredictionPropagationPhase.h:

2014-05-18  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, remove bogus comment. We already made the FTL use our calling convention.
        That was a long time ago.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileReturn):

2014-05-18  Rik Cabanier  <cabanier@adobe.com>

        support for navigator.hardwareConcurrency
        https://bugs.webkit.org/show_bug.cgi?id=132588

        Reviewed by Filip Pizlo.

        * Configurations/FeatureDefines.xcconfig:

2014-05-16  Michael Saboff  <msaboff@apple.com>

        Crash in JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generatePatternCharacterFixed() due to WTF::CrashOnOverflow::overflowed + 9
        https://bugs.webkit.org/show_bug.cgi?id=133009

        Reviewed by Oliver Hunt.

        If we determine that any alternative requires a minimum match size greater than
        INT_MAX, we handle the match in the interpreter.

        Check to see if the pattern has unsigned lengths before invoking YARR JIT.
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):

        * tests/stress/large-regexp.js: New test added.

        Set m_containsUnsignedLengthPattern flag if any alternative's minimum length
        doesn't fit in an int.
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):

        Clear new m_containsUnsignedLengthPattern flag.
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPattern::YarrPattern):
        * yarr/YarrPattern.h:
        (JSC::Yarr::YarrPattern::reset):
        (JSC::Yarr::YarrPattern::containsUnsignedLengthPattern):

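        As an added example that is not code from the WebKit tree: a constructed model of
        the check the entry above describes, computing each alternative's minimum match
        length with every product and sum bounded before it is formed, so the overflow that
        tripped CrashOnOverflow cannot happen, and flagging any pattern whose minimum length
        does not fit in an int so it can be routed to the interpreter instead of the JIT.
        The Term and Disjunction structures and all function names are this example's own,
        not Yarr's.

```cpp
#include <climits>
#include <cstdint>
#include <vector>

// Constructed model of a parsed regular expression (not Yarr's YarrPattern):
// a disjunction is a list of alternatives, an alternative is a sequence of
// terms, and a term is either a literal atom of fixed length or a parenthesised
// sub-disjunction, each carrying the lower bound of its quantifier
// (a{n,m} and a{n,} both contribute n; a plain atom contributes 1).
struct Disjunction;

struct Term {
    unsigned minCount;         // minimum repetitions required by the quantifier
    unsigned atomLength;       // code units matched by a literal atom (0 for a group)
    const Disjunction* group;  // non-null when the term is a nested group
};

struct Disjunction {
    std::vector<std::vector<Term>> alternatives;
};

static bool disjunctionMinimumLength(const Disjunction&, unsigned&);

// Minimum length of one alternative. Returns false as soon as the running
// total could no longer be represented as an int. Both operands of the
// multiplication are at most UINT_MAX, so the 64-bit product cannot overflow,
// and the total is kept at or below INT_MAX before each addition, so the sum
// of two such values cannot overflow either.
static bool alternativeMinimumLength(const std::vector<Term>& alternative, unsigned& out)
{
    uint64_t total = 0;
    for (const Term& term : alternative) {
        uint64_t unit = term.atomLength;
        if (term.group) {
            unsigned nested = 0;
            if (!disjunctionMinimumLength(*term.group, nested))
                return false;
            unit = nested;
        }
        uint64_t repeated = unit * term.minCount;
        if (repeated > INT_MAX || total + repeated > INT_MAX)
            return false;
        total += repeated;
    }
    out = static_cast<unsigned>(total);
    return true;
}

// A disjunction's minimum length is the smallest over its alternatives, but if
// any single alternative overflows the whole pattern is rejected, matching
// "if any alternative's minimum length doesn't fit in an int".
static bool disjunctionMinimumLength(const Disjunction& disjunction, unsigned& out)
{
    unsigned best = 0;
    bool sawAlternative = false;
    for (const std::vector<Term>& alternative : disjunction.alternatives) {
        unsigned length = 0;
        if (!alternativeMinimumLength(alternative, length))
            return false;
        if (!sawAlternative || length < best)
            best = length;
        sawAlternative = true;
    }
    out = best;
    return true;
}

// The gate applied before handing a pattern to the JIT: true means some
// alternative has an unsigned (int-overflowing) minimum length and the
// pattern must be matched by the interpreter.
bool containsUnsignedLengthPattern(const Disjunction& pattern)
{
    unsigned ignored = 0;
    return !disjunctionMinimumLength(pattern, ignored);
}

// Constructed sample patterns. /a{5}(?:b|cd)/ has minimum length 6 and is
// safe to JIT; /(?:a{2000000000}){2}/ needs at least 4000000000 code units,
// which does not fit in an int, so it must go to the interpreter.
static const Disjunction smallGroup{{{Term{1, 1, nullptr}}, {Term{1, 2, nullptr}}}};
static const Disjunction smallPattern{{{Term{5, 1, nullptr}, Term{1, 0, &smallGroup}}}};
static const Disjunction hugeInner{{{Term{2000000000u, 1, nullptr}}}};
static const Disjunction hugePattern{{{Term{2, 0, &hugeInner}}}};

unsigned smallPatternMinimumLength()
{
    unsigned length = 0;
    disjunctionMinimumLength(smallPattern, length);
    return length;
}

bool hugePatternFitsInInt()
{
    unsigned length = 0;
    return disjunctionMinimumLength(hugePattern, length);
}
```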
2014-05-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSDOMWindow should not claim HasImpureGetOwnPropertySlot
        https://bugs.webkit.org/show_bug.cgi?id=132918

        Reviewed by Geoffrey Garen.

        * jit/Repatch.cpp:
        (JSC::tryRepatchIn): We forgot to check for watchpoints when repatching "in".

2014-05-15  Alex Christensen  <achristensen@webkit.org>

        Add pointer lock to features without enabling it.
        https://bugs.webkit.org/show_bug.cgi?id=132961

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:
        Added ENABLE_POINTER_LOCK to list of features.

2014-05-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        Inline caching for proxies clobbers baseGPR too early
        https://bugs.webkit.org/show_bug.cgi?id=132916

        Reviewed by Filip Pizlo.

        We clobber baseGPR prior to the Structure checks, so if any of the checks fail then the slow path
        gets the target of the proxy rather than the proxy itself. We need to delay the clobbering of baseGPR
        until we know the inline cache is going to succeed.

        * jit/Repatch.cpp:
        (JSC::generateByIdStub):

2014-05-14  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed build fix.

        * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: This solution
        was missing commands to build LLInt portions of JSC.
        * llint/LLIntData.cpp: 64-bit build fix.

2014-05-14  Martin Hodovan  <mhodovan.u-szeged@partner.samsung.com>

        ARM Traditional buildfix after r168776.
        https://bugs.webkit.org/show_bug.cgi?id=132903

        Reviewed by Darin Adler.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::abortWithReason): Added.

2014-05-14  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>

        Remove CSS_STICKY_POSITION guards
        https://bugs.webkit.org/show_bug.cgi?id=132676

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:

2014-05-13  Filip Pizlo  <fpizlo@apple.com>

        JIT breakpoints should be more informative
        https://bugs.webkit.org/show_bug.cgi?id=132882

        Reviewed by Oliver Hunt.

        Introduce the notion of an AbortReason, which is a nice enumeration of coded assertion
        failure names. This means that all you need to figure out why the JIT SIGTRAP'd is to look
        at that platform's abort reason register (r11 on X86-64 for example).

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbortReason.h: Added.
        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::abortWithReason):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::abortWithReason):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::abortWithReason):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::abortWithReason):
        * dfg/DFGSlowPathGenerator.h:
        (JSC::DFG::SlowPathGenerator::generate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::bail):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrEntryThunkGenerator):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::jitAssertIsInt32):
        (JSC::AssemblyHelpers::jitAssertIsJSInt32):
        (JSC::AssemblyHelpers::jitAssertIsJSNumber):
        (JSC::AssemblyHelpers::jitAssertIsJSDouble):
        (JSC::AssemblyHelpers::jitAssertIsCell):
        (JSC::AssemblyHelpers::jitAssertTagsInPlace):
        (JSC::AssemblyHelpers::jitAssertHasValidCallFrame):
        (JSC::AssemblyHelpers::jitAssertIsNull):
        (JSC::AssemblyHelpers::jitAssertArgumentCountSane):
        (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::checkStackPointerAlignment):
        (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo): Deleted.
        * jit/JIT.h:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emitSlow_op_div):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitSlow_op_loop_hint):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::compileGetDirectOffset):
        (JSC::JIT::addStructureTransitionCheck): Deleted.
        (JSC::JIT::testPrototype): Deleted.
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::compileGetDirectOffset):
        * jit/RegisterPreservationWrapperGenerator.cpp:
        (JSC::generateRegisterRestoration):
        * jit/Repatch.cpp:
        (JSC::addStructureTransitionCheck):
        (JSC::linkClosureCall):
        * jit/ThunkGenerators.cpp:
        (JSC::emitPointerValidation):
        (JSC::nativeForGenerator):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generate):

2014-05-13  peavo@outlook.com  <peavo@outlook.com>

        [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
        https://bugs.webkit.org/show_bug.cgi?id=132772

        Reviewed by Geoffrey Garen.

        Using the MSVC compiler, an instance of an enum type with value zero is compatible with void* (see bug 132683 for a code example).
        This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
        This patch tries to prevent these types of crashes by using a type with explicit constructors instead of void*.
        The void* parameter in the loadDouble and storeDouble methods is replaced with TrustedImmPtr.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::loadDouble):
        (JSC::MacroAssemblerARM::storeDouble):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::loadDouble):
        (JSC::MacroAssemblerARM64::storeDouble):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::loadDouble):
        (JSC::MacroAssemblerARMv7::storeDouble):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::loadDouble):
        (JSC::MacroAssemblerMIPS::storeDouble):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::loadDouble):
        (JSC::MacroAssemblerSH4::storeDouble):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::storeDouble):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::absDouble):
        (JSC::MacroAssemblerX86Common::negateDouble):
        (JSC::MacroAssemblerX86Common::loadDouble):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentFill):
        (JSC::DFG::compileClampDoubleToByte):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::purifyNaN):
        * jit/JITInlines.h:
        (JSC::JIT::emitLoadDouble):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        * jit/ThunkGenerators.cpp:
        (JSC::floorThunkGenerator):
        (JSC::roundThunkGenerator):
        (JSC::powThunkGenerator):

2014-05-12  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r168642.
        https://bugs.webkit.org/show_bug.cgi?id=132839

        Broke ARM build (Requested by jpfau on #webkit).

        Reverted changeset:

        "[Win] Enum type with value zero is compatible with void*,
        potential cause of crashes."
        https://bugs.webkit.org/show_bug.cgi?id=132772
        http://trac.webkit.org/changeset/168642

2014-05-12  peavo@outlook.com  <peavo@outlook.com>

        [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
        https://bugs.webkit.org/show_bug.cgi?id=132772

        Reviewed by Geoffrey Garen.

        Using the MSVC compiler, an instance of an enum type with value zero is compatible with void* (see bug 132683 for a code example).
        This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
        This patch tries to prevent these types of crashes by using a type with explicit constructors instead of void*.
        The void* parameter in the loadDouble and storeDouble methods is replaced with TrustedImmPtr.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::loadDouble):
        (JSC::MacroAssemblerARM::storeDouble):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::loadDouble):
        (JSC::MacroAssemblerARM64::storeDouble):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::loadDouble):
        (JSC::MacroAssemblerARMv7::storeDouble):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::loadDouble):
        (JSC::MacroAssemblerMIPS::storeDouble):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::loadDouble):
        (JSC::MacroAssemblerSH4::storeDouble):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::storeDouble):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::absDouble):
        (JSC::MacroAssemblerX86Common::negateDouble):
        (JSC::MacroAssemblerX86Common::loadDouble):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentFill):
        (JSC::DFG::compileClampDoubleToByte):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::purifyNaN):
        * jit/JITInlines.h:
        (JSC::JIT::emitLoadDouble):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        * jit/ThunkGenerators.cpp:
        (JSC::floorThunkGenerator):
        (JSC::roundThunkGenerator):
        (JSC::powThunkGenerator):

2014-05-12  Andreas Kling  <akling@apple.com>

        0.4% of PLT3 in JSCell::structure() below JSObject::visitChildren().
        <https://webkit.org/b/132828>
        <rdar://problem/16886285>

        Reviewed by Michael Saboff.

        * runtime/JSObject.cpp:
        (JSC::JSObject::visitButterfly):
        (JSC::JSObject::visitChildren):

            Use JSCell::structure(VM&) to reduce the number of hoops we jump
            through to find Structures during marking.

2014-05-12  László Langó  <llango.u-szeged@partner.samsung.com>

        [cmake] Add missing FTL source files to the build system.

        Reviewed by Csaba Osztrogonác.

        * CMakeLists.txt:

2014-05-09  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Allow Remote Inspector to entitlement check UIProcess through WebProcess
        https://bugs.webkit.org/show_bug.cgi?id=132409

        Reviewed by Timothy Hatcher.

        Proxy applications are applications which hold WebViews for other
        applications. The WebProcess (Web Content Service) is a proxy application.
        For legacy reasons we were supporting a scenario where proxy applications
        could potentially host WebViews for more than one other application. That
        was never the case for WebProcess and it is now a scenario we don't need
        to worry about supporting.

        With this change, a proxy application more naturally only holds WebViews
        for a single parent / host application. The proxy process can set the
        parent pid / audit_token data on the RemoteInspector singleton, and
        that data will be sent on to webinspectord later on to be validated.
        In the WebProcess<->UIProcess relationship that information is known
        and set immediately. In the Legacy iOS case that information is set
        soon after, but not immediately known at the point the WebView is created.

        This allows us to simplify the RemoteInspectorDebuggable interface.
        We no longer need a pid per-Debuggable.

        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::RemoteInspector):
        (Inspector::RemoteInspector::setParentProcessInformation):
        (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
        (Inspector::RemoteInspector::listingForDebuggable):
        (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
        Handle new proxy application setup message, and provide an API
        for a proxy application to set the parent process information.

        * inspector/remote/RemoteInspectorConstants.h:
        New setup and response message for proxy applications to pass
        their parent / host application information to webinspectord.

        * inspector/remote/RemoteInspectorDebuggable.cpp:
        (Inspector::RemoteInspectorDebuggable::info):
        * inspector/remote/RemoteInspectorDebuggable.h:
        (Inspector::RemoteInspectorDebuggableInfo::RemoteInspectorDebuggableInfo):
        (Inspector::RemoteInspectorDebuggableInfo::hasParentProcess): Deleted.
        pid per debuggable is no longer needed.

2014-05-09  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSDOMWindow should disable property caching after a certain point
        https://bugs.webkit.org/show_bug.cgi?id=132751

        Reviewed by Filip Pizlo.

        This is part of removing HasImpureGetOwnPropertySlot from JSDOMWindow. After the lookup in the static
        hash table for JSDOMWindow fails we want to disable property caching even if the code that follows thinks
        that it has provided a cacheable value.

        * runtime/PropertySlot.h:
        (JSC::PropertySlot::PropertySlot):
        (JSC::PropertySlot::isCacheable):
        (JSC::PropertySlot::disableCaching):

2014-05-09  Andreas Kling  <akling@apple.com>

        8.8% spent in Object.prototype.hasOwnProperty() on sbperftest.
        <https://webkit.org/b/132749>

        Leverage the fast-resolve-to-AtomicString optimization for JSRopeString
        in Object.prototype.* by using JSString::toIdentifier() in the cases where
        we are converting JSString -> String -> Identifier.

        This brings time spent in hasOwnProperty() from 8.8% to 1.3% on
        "The Great HTML5 Gaming Performance Test: 2014 edition"
        <http://www.scirra.com/demos/c2/sbperftest/>

        Reviewed by Oliver Hunt.

        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncHasOwnProperty):
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):

2014-05-08  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSDOMWindow should have a WatchpointSet to fire on window close
        https://bugs.webkit.org/show_bug.cgi?id=132721

        Reviewed by Filip Pizlo.

        This patch allows us to reset the inline caches that assumed they could skip
        the first part of JSDOMWindow::getOwnPropertySlot that checks if the window has
        been closed. This is part of getting rid of HasImpureGetOwnPropertySlot on JSDOMWindow.

        PropertySlot now accepts a WatchpointSet which the inline cache code can look for
        to see if it should create a new Watchpoint for that particular inline cache site.

        * bytecode/Watchpoint.h:
        * jit/Repatch.cpp:
        (JSC::generateByIdStub):
        (JSC::tryBuildGetByIDList):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::PropertySlot):
        (JSC::PropertySlot::watchpointSet):
        (JSC::PropertySlot::setWatchpointSet):

2014-05-09  Tanay C  <tanay.c@samsung.com>

        Fix build warning (uninitialized variable) in DFGFixupPhase.cpp
        https://bugs.webkit.org/show_bug.cgi?id=132331

        Reviewed by Darin Adler.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):

2014-05-09  peavo@outlook.com  <peavo@outlook.com>

        [Win] Crash when enabling DFG JIT.
        https://bugs.webkit.org/show_bug.cgi?id=132683

        Reviewed by Geoffrey Garen.

        On Windows, using register GPRInfo::regT0 as parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0),
        results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
        where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
        This causes the register to be written to address 0, hence the crash.

        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit): Ditto.

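        The overload-resolution trap described in the entry above and the TrustedImmPtr-style
        fix from the bug 132772 entries, as an added example that is not JavaScriptCore's
        code: AssemblerBefore, AssemblerAfter and the Overload enum are constructed for the
        illustration, and the literal 0 stands in for MSVC's enum-with-value-zero conversion,
        which standard-conforming compilers do not perform, so the "before" case is shown
        with the one null pointer constant every compiler accepts.

```cpp
#include <cstddef>
#include <type_traits>

// Constructed register enums, not JSC's GPRInfo/FPRInfo. The enumerators start
// at zero, as GPRInfo::regT0 (eax) does on Windows, so the zero-valued one is
// the case that went wrong under MSVC.
enum RegisterID { eax = 0, ecx, edx };
enum FPRegisterID { xmm0 = 0, xmm1 };

// Which overload resolution picked; returned so the choice can be checked.
enum class Overload { Register, Pointer };

// Before the fix: the address overload takes a raw const void*. Under MSVC an
// enum instance with value zero is compatible with void*, so
// storeDouble(xmm0, eax) could bind here and emit a store to address 0 (the
// crash in bug 132683). The literal 0 is a null pointer constant on every
// compiler, so it reproduces the same silent selection portably.
struct AssemblerBefore {
    Overload storeDouble(FPRegisterID, RegisterID) { return Overload::Register; }
    Overload storeDouble(FPRegisterID, const void*) { return Overload::Pointer; }
};

// After the fix: the address is wrapped in a type whose only constructor is
// explicit. Nothing converts to it implicitly, so a caller who wants the
// pointer overload has to write TrustedImmPtr(...) at the call site, and a
// register value can no longer be reinterpreted as an address by accident.
struct TrustedImmPtr {
    explicit TrustedImmPtr(const void* p) : value(p) { }
    const void* value;
};

struct AssemblerAfter {
    Overload storeDouble(FPRegisterID, RegisterID) { return Overload::Register; }
    Overload storeDouble(FPRegisterID, TrustedImmPtr) { return Overload::Pointer; }
};

// Compile-time proof that none of the previously dangerous argument kinds can
// reach the TrustedImmPtr overload without an explicit conversion.
static_assert(!std::is_convertible<RegisterID, TrustedImmPtr>::value, "enum must not convert");
static_assert(!std::is_convertible<int, TrustedImmPtr>::value, "0 must not convert");
static_assert(!std::is_convertible<std::nullptr_t, TrustedImmPtr>::value, "nullptr must not convert");
static_assert(!std::is_convertible<const void*, TrustedImmPtr>::value, "raw pointer must not convert");

// A stand-in memory slot so the "store to an address" case has a real target.
static double sampleSlot = 0.0;

Overload beforeWithLiteralZero()
{
    AssemblerBefore masm;
    return masm.storeDouble(xmm0, 0); // silently the pointer overload: address 0
}

Overload afterWithRegister()
{
    AssemblerAfter masm;
    return masm.storeDouble(xmm0, eax); // only the register overload is viable
}

Overload afterWithAddress(const void* slot)
{
    AssemblerAfter masm;
    return masm.storeDouble(xmm0, TrustedImmPtr(slot)); // intent spelled out
}
```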
2014-05-09  Martin Hodovan  <mhodovan.u-szeged@partner.samsung.com>

        REGRESSION(r167094): JSC crashes on ARM Traditional
        https://bugs.webkit.org/show_bug.cgi?id=132738

        Reviewed by Zoltan Herczeg.

        PC is two instructions ahead of the current instruction
        on ARM Traditional, so the distance is 8 bytes not 2.

        * llint/LowLevelInterpreter.asm:

2014-05-09  Alberto Garcia  <berto@igalia.com>

        jsmin.py license header confusing, mentions non-free license
        https://bugs.webkit.org/show_bug.cgi?id=123665

        Reviewed by Darin Adler.

        Pull the most recent version from upstream, which has a clear
        license.

        * inspector/scripts/jsmin.py:

2014-05-08  Mark Hahnenberg  <mhahnenberg@apple.com>

        Base case for get-by-id inline cache doesn't check for HasImpureGetOwnPropertySlot
        https://bugs.webkit.org/show_bug.cgi?id=132695

        Reviewed by Filip Pizlo.

        We check in the case where we're accessing something other than the base object (e.g. the prototype),
        but we fail to do so for the base object.

        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        * jsc.cpp: Added some infrastructure to support this test. We don't currently trigger this bug anywhere in WebKit
        because all of the values that are returned that could be impure are set to uncacheable anyways.
        (WTF::ImpureGetter::ImpureGetter):
        (WTF::ImpureGetter::createStructure):
        (WTF::ImpureGetter::create):
        (WTF::ImpureGetter::finishCreation):
        (WTF::ImpureGetter::getOwnPropertySlot):
        (WTF::ImpureGetter::visitChildren):
        (WTF::ImpureGetter::setDelegate):
        (GlobalObject::finishCreation):
        (functionCreateImpureGetter):
        (functionSetImpureGetterDelegate):
        * tests/stress/impure-get-own-property-slot-inline-cache.js: Added.
        (foo):

2014-05-08  Filip Pizlo  <fpizlo@apple.com>

        deleteAllCompiledCode() shouldn't use the suspension worklist
        https://bugs.webkit.org/show_bug.cgi?id=132708

        Reviewed by Mark Hahnenberg.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::isStillValid):
        * heap/Heap.cpp:
        (JSC::Heap::deleteAllCompiledCode):

2014-05-08  Filip Pizlo  <fpizlo@apple.com>

        SSA conversion should delete PhantomLocals for captured variables
        https://bugs.webkit.org/show_bug.cgi?id=132693

        Reviewed by Mark Hahnenberg.

        * dfg/DFGCommon.cpp:
        (JSC::DFG::startCrashing): Parallel JIT and a JIT bug means that we may dump IR in parallel. This is the workaround. This patch uses it in all of the places where we dump IR and crash.
        * dfg/DFGCommon.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): Use the workaround.
        * dfg/DFGLivenessAnalysisPhase.cpp:
        (JSC::DFG::LivenessAnalysisPhase::run): Use the workaround.
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run): Fix the bug - it's true that PhantomLocal for captured variables doesn't need anything done to it, but it's wrong that we didn't delete it outright.
        * dfg/DFGValidate.cpp: Use the workaround.
        * tests/stress/phantom-local-captured-but-not-flushed-to-ssa.js: Added.
        (foo):
        (bar):

2014-05-07  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r168451.
        https://bugs.webkit.org/show_bug.cgi?id=132670

        Not a speed-up, just do what other compilers do. (Requested by
        kling on #webkit).

        Reverted changeset:

        "[X86] Emit BT instruction for single-bit tests."
        https://bugs.webkit.org/show_bug.cgi?id=132650
        http://trac.webkit.org/changeset/168451

2014-05-07  Filip Pizlo  <fpizlo@apple.com>

        Make Executable::clearCode() actually clear all of the entrypoints, and
        clean up some other FTL-related calling convention stuff.
        <rdar://problem/16720172>

        Rubber stamped by Mark Hahnenberg.

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::Worklist):
        (JSC::DFG::Worklist::finishCreation):
        (JSC::DFG::Worklist::create):
        (JSC::DFG::ensureGlobalDFGWorklist):
        (JSC::DFG::ensureGlobalFTLWorklist):
        * dfg/DFGWorklist.h:
        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::dump):
        * heap/CodeBlockSet.h:
        * runtime/Executable.cpp:
        (JSC::ExecutableBase::clearCode):

2014-05-07  Andreas Kling  <akling@apple.com>

        [X86] Emit BT instruction for single-bit tests.
        <https://webkit.org/b/132650>

        Implement test-bit-and-branch slightly more efficiently by using
        BT + JC/JNC instead of TEST + JZ/JNZ when we're only testing for
        a single bit.

        Reviewed by Michael Saboff.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::singleBitIndex):
780         (JSC::MacroAssemblerX86Common::branchTest32):
781         * assembler/X86Assembler.h:
782         (JSC::X86Assembler::bt_i8r):
783         (JSC::X86Assembler::bt_i8m):
784
785 2014-05-07  Mark Lam  <mark.lam@apple.com>
786
787         REGRESSION(r166678): Dromaeo/cssquery-dojo.html crashes regularly.
788         <https://webkit.org/b/131356>
789
790         Reviewed by Geoffrey Garen.
791
792         The issue is that GC needs to be made aware of writes to m_inferredValue
793         in the VariableWatchpointSet, but was not.  As a result, if a JSCell*
794         is written to a VariableWatchpointSet m_inferredValue, and that JSCell
795         does not survive an eden GC shortly after, we will end up with a stale
796         JSCell pointer left in the m_inferredValue.
797
798         This issue can be detected more easily by running Dromaeo/cssquery-dojo.html
799         using DumpRenderTree with the VM heap in zombie mode.
800
801         The fix is to change VariableWatchpointSet m_inferredValue to type
802         WriteBarrier<Unknown> and ensure that VariableWatchpointSet::notifyWrite()
803         is executed by all the execution engines so that the WriteBarrier semantics
804         are honored.
805
806         We still check if the value to be written is the same as the one in the
807         inferredValue.  We'll by-pass calling the slow path notifyWrite() if the
808         values are the same.        
809
810         * JavaScriptCore.xcodeproj/project.pbxproj:
811         * bytecode/CodeBlock.cpp:
812         (JSC::CodeBlock::CodeBlock):
813         - need to pass the symbolTable to prepareToWatch() because it will be needed
814           for instantiating the VariableWatchpointSet in prepareToWatch().
815
816         * bytecode/VariableWatchpointSet.h:
817         (JSC::VariableWatchpointSet::VariableWatchpointSet):
818         - VariableWatchpointSet now tracks its owner symbol table for its m_inferredValue
819           write barrier, and yes, m_inferredValue is now of type WriteBarrier<Unknown>.
820         (JSC::VariableWatchpointSet::inferredValue):
821         (JSC::VariableWatchpointSet::invalidate):
822         (JSC::VariableWatchpointSet::finalizeUnconditionally):
823         (JSC::VariableWatchpointSet::addressOfInferredValue):
824         (JSC::VariableWatchpointSet::notifyWrite): Deleted.
825         * bytecode/VariableWatchpointSetInlines.h: Added.
826         (JSC::VariableWatchpointSet::notifyWrite):
827
828         * dfg/DFGByteCodeParser.cpp:
829         (JSC::DFG::ByteCodeParser::cellConstant):
830         - Added an assert in case we try to make constants of zombified JSCells again.
831
832         * dfg/DFGOperations.cpp:
833         * dfg/DFGOperations.h:
834         * dfg/DFGSpeculativeJIT.h:
835         (JSC::DFG::SpeculativeJIT::callOperation):
836         * dfg/DFGSpeculativeJIT32_64.cpp:
837         (JSC::DFG::SpeculativeJIT::compile):
838         * dfg/DFGSpeculativeJIT64.cpp:
839         (JSC::DFG::SpeculativeJIT::compile):
840         - We now let the slow path handle the cases when the VariableWatchpointSet is
841           in state ClearWatchpoint and IsWatched, and the slow path will ensure that
842           we handle the needed write barrier semantics correctly.
843           We will by-pass the slow path if the value being written is the same as the
844           inferred value.
845
846         * ftl/FTLIntrinsicRepository.h:
847         * ftl/FTLLowerDFGToLLVM.cpp:
848         (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
849         - Let the slow path handle the cases when the VariableWatchpointSet is
850           in state ClearWatchpoint and IsWatched.
851           We will by-pass the slow path if the value being written is the same as the
852           inferred value.
853
854         * heap/Heap.cpp:
855         (JSC::Zombify::operator()):
856         - Use a different value for the zombified bits (to distinguish it from 0xbbadbeef
857           which is used everywhere else).
858         * heap/Heap.h:
859         (JSC::Heap::isZombified):
860         - Provide a convenience test function to check if JSCells are zombified.  This is
861           currently only used in an assertion in the DFG bytecode parser, but the intent
862           is that we'll apply this test in other strategic places later to help with early
863           detection of usage of GC'ed objects when we run in zombie mode.
864
865         * jit/JITOpcodes.cpp:
866         (JSC::JIT::emitSlow_op_captured_mov):
867         * jit/JITOperations.h:
868         * jit/JITPropertyAccess.cpp:
869         (JSC::JIT::emitNotifyWrite):
870         * jit/JITPropertyAccess32_64.cpp:
871         (JSC::JIT::emitNotifyWrite):
872         (JSC::JIT::emitSlow_op_put_to_scope):
873         - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
874           is in state ClearWatchpoint and IsWatched.
875           We will by-pass the slow path if the value being written is the same as the
876           inferred value.
877         
878         * llint/LowLevelInterpreter32_64.asm:
879         * llint/LowLevelInterpreter64.asm:
880         - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
881           is in state ClearWatchpoint and IsWatched.
882           We will by-pass the slow path if the value being written is the same as the
883           inferred value.
884         
885         * runtime/CommonSlowPaths.cpp:
886
887         * runtime/JSCJSValue.h: Fixed some typos in the comments.
888         * runtime/JSGlobalObject.cpp:
889         (JSC::JSGlobalObject::addGlobalVar):
890         (JSC::JSGlobalObject::addFunction):
891         * runtime/JSSymbolTableObject.h:
892         (JSC::symbolTablePut):
893         (JSC::symbolTablePutWithAttributes):
894         * runtime/SymbolTable.cpp:
895         (JSC::SymbolTableEntry::prepareToWatch):
896         (JSC::SymbolTableEntry::notifyWriteSlow):
897         * runtime/SymbolTable.h:
898         (JSC::SymbolTableEntry::notifyWrite):
899
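As an added illustration of the entry above (constructed toy code, not JavaScriptCore's): an old owner receives a freshly allocated cell in a slot, then an eden collection runs, once without and once with a write barrier. `ToyHeap`, `Cell` and `slotIsStaleAfterEdenGC` are invented names; the zombified flag stands in for JSC's zombie-mode fill pattern so the stale pointer can be observed without dereferencing freed memory.

```cpp
#include <cstdio>
#include <memory>
#include <unordered_set>
#include <vector>

// Constructed toy model (not JavaScriptCore code) of a generational heap: cells
// are born in eden, an eden collection only frees eden cells, and old cells are
// traced only if a write barrier put them in the remembered set.
struct Cell {
    bool isOld = false;      // promoted out of eden by an earlier collection
    bool marked = false;
    bool zombified = false;  // freed; kept allocated so a stale pointer is detectable
    Cell* slot = nullptr;    // the single outgoing reference this toy cell holds
};

class ToyHeap {
public:
    Cell* allocate() {
        m_eden.push_back(std::make_unique<Cell>());
        return m_eden.back().get();
    }
    void addRoot(Cell* cell) { m_roots.push_back(cell); }

    // Write 'value' into owner->slot. As with notifyWrite() in the entry above,
    // the same-value case is a no-op; otherwise the barrier records an old owner
    // that now references a young cell.
    void store(Cell* owner, Cell* value, bool useWriteBarrier) {
        if (owner->slot == value)
            return;
        owner->slot = value;
        if (useWriteBarrier && owner->isOld && value && !value->isOld)
            m_remembered.insert(owner);
    }

    // Eden collection: mark from roots plus the remembered set, then free every
    // unmarked eden cell and promote the survivors to old.
    void collectEden() {
        std::vector<Cell*> worklist(m_roots.begin(), m_roots.end());
        for (Cell* owner : m_remembered)
            worklist.push_back(owner->slot);
        while (!worklist.empty()) {
            Cell* cell = worklist.back();
            worklist.pop_back();
            if (!cell || cell->isOld || cell->marked)
                continue;  // old cells are not traced here; that is the barrier's job
            cell->marked = true;
            worklist.push_back(cell->slot);
        }
        for (auto& cell : m_eden) {
            if (cell->marked) {
                cell->marked = false;
                cell->isOld = true;
                m_old.push_back(std::move(cell));
            } else {
                cell->zombified = true;  // analogous to JSC's zombie-mode fill pattern
                m_zombies.push_back(std::move(cell));
            }
        }
        m_eden.clear();
        m_remembered.clear();
    }

    static bool isZombified(const Cell* cell) { return cell->zombified; }

private:
    std::vector<std::unique_ptr<Cell>> m_eden, m_old, m_zombies;
    std::vector<Cell*> m_roots;
    std::unordered_set<Cell*> m_remembered;
};

// The scenario from the entry: an old owner (the symbol table holding the
// VariableWatchpointSet) gets a freshly allocated cell stored into a slot (the
// m_inferredValue), then an eden GC runs. Returns true if the slot now dangles.
bool slotIsStaleAfterEdenGC(bool useWriteBarrier) {
    ToyHeap heap;
    Cell* owner = heap.allocate();
    heap.addRoot(owner);
    heap.collectEden();             // owner survives and is promoted to old
    Cell* value = heap.allocate();  // young cell reachable only through owner
    heap.store(owner, value, useWriteBarrier);
    heap.collectEden();
    return ToyHeap::isZombified(owner->slot);
}

int main() {
    std::printf("without barrier: stale=%d\n", slotIsStaleAfterEdenGC(false));  // 1
    std::printf("with barrier:    stale=%d\n", slotIsStaleAfterEdenGC(true));   // 0
    return 0;
}
```
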
900 2014-05-06  Michael Saboff  <msaboff@apple.com>
901
902         Unreviewed build fix for C-LOOP after r168396.
903
904         * runtime/TestRunnerUtils.cpp:
905         (JSC::optimizeNextInvocation): Wrapped actual call inside #if ENABLE(JIT)
906
907 2014-05-06  Michael Saboff  <msaboff@apple.com>
908
909         Add test for deleteAllCompiledCode
910         https://bugs.webkit.org/show_bug.cgi?id=132632
911
912         Reviewed by Phil Pizlo.
913
914         Added two new hooks to jsc, one to call Heap::deleteAllCompiledCode() and
915         the other to call CodeBlock::optimizeNextInvocation().  Used these two hooks
916         to write a test that will queue up loads of DFG compiles and then call
917         Heap::deleteAllCompiledCode() to make sure that it can handle compiled
918         code as well as code being compiled.
919
920         * jsc.cpp:
921         (GlobalObject::finishCreation):
922         (functionDeleteAllCompiledCode):
923         (functionOptimizeNextInvocation):
924         * runtime/TestRunnerUtils.cpp:
925         (JSC::optimizeNextInvocation):
926         * runtime/TestRunnerUtils.h:
927         * tests/stress/deleteAllCompiledCode.js: Added.
928         (functionList):
929         (runTest):
930
931 2014-05-06  Andreas Kling  <akling@apple.com>
932
933         JSString::toAtomicString() should return AtomicString.
934         <https://webkit.org/b/132627>
935
936         Remove premature optimization where I was trying to avoid refcount
937         churn when returning an already atomicized String.
938
939         Instead of using reinterpret_cast to mangle the String member into
940         a const AtomicString& return value, just return AtomicString.
941
942         Reviewed by Geoff Garen.
943
944         * runtime/JSString.h:
945         (JSC::JSString::toAtomicString):
946
947 2014-05-06  Mark Hahnenberg  <mhahnenberg@apple.com>
948
949         Roll out r167889
950
951         Rubber stamped by Geoff Garen.
952
953         It broke some websites.
954
955         * runtime/JSPropertyNameIterator.cpp:
956         (JSC::JSPropertyNameIterator::create):
957         * runtime/PropertyMapHashTable.h:
958         (JSC::PropertyTable::hasDeletedOffset):
959         (JSC::PropertyTable::hadDeletedOffset): Deleted.
960         * runtime/Structure.cpp:
961         (JSC::Structure::Structure):
962         (JSC::Structure::materializePropertyMap):
963         (JSC::Structure::removePropertyTransition):
964         (JSC::Structure::changePrototypeTransition):
965         (JSC::Structure::despecifyFunctionTransition):
966         (JSC::Structure::attributeChangeTransition):
967         (JSC::Structure::toDictionaryTransition):
968         (JSC::Structure::preventExtensionsTransition):
969         (JSC::Structure::addPropertyWithoutTransition):
970         (JSC::Structure::removePropertyWithoutTransition):
971         (JSC::Structure::pin):
972         (JSC::Structure::pinAndPreventTransitions): Deleted.
973         * runtime/Structure.h:
974         * runtime/StructureInlines.h:
975         (JSC::Structure::setEnumerationCache):
976         (JSC::Structure::propertyTable):
977         (JSC::Structure::checkOffsetConsistency):
978         (JSC::Structure::hadDeletedOffsets): Deleted.
979         * tests/stress/for-in-after-delete.js:
980         (foo): Deleted.
981
982 2014-05-05  Andreas Kling  <akling@apple.com>
983
984         Fix debug build.
985
986         * runtime/JSCellInlines.h:
987         (JSC::JSCell::fastGetOwnProperty):
988
989 2014-05-05  Andreas Kling  <akling@apple.com>
990
991         Optimize GetByVal when subscript is a rope string.
992         <https://webkit.org/b/132590>
993
994         Use JSString::toIdentifier() in the various GetByVal implementations
995         to try and avoid allocating extra strings.
996
997         Added canUseFastGetOwnProperty() and wrap calls to fastGetOwnProperty()
998         in that, to avoid calling JSString::value() which always resolves ropes
999         into new strings and de-optimizes subsequent toIdentifier() calls.
1000
1001         My iMac says ~9% progression on Dromaeo/dom-attr.html
1002
1003         Reviewed by Phil Pizlo.
1004
1005         * dfg/DFGOperations.cpp:
1006         * jit/JITOperations.cpp:
1007         (JSC::getByVal):
1008         * llint/LLIntSlowPaths.cpp:
1009         (JSC::LLInt::getByVal):
1010         * runtime/JSCell.h:
1011         * runtime/JSCellInlines.h:
1012         (JSC::JSCell::fastGetOwnProperty):
1013         (JSC::JSCell::canUseFastGetOwnProperty):
1014
1015 2014-05-05  Andreas Kling  <akling@apple.com>
1016
1017         REGRESSION (r168256): ASSERTION FAILED: (buffer + m_length) == position loading vanityfair.com article.
1018         <https://webkit.org/b/168256>
1019         <rdar://problem/16816316>
1020
1021         Make resolveRopeSlowCase8() behave like its 16-bit counterpart and not
1022         clear the fibers. The caller takes care of this.
1023
1024         Test: fast/dom/getElementById-with-rope-string-arg.html
1025
1026         Reviewed by Geoffrey Garen.
1027
1028         * runtime/JSString.cpp:
1029         (JSC::JSRopeString::resolveRopeSlowCase8):
1030
1031 2014-05-05  Michael Saboff  <msaboff@apple.com>
1032
1033         REGRESSION: RELEASE_ASSERT in CodeBlock::baselineVersion @ cnn.com
1034         https://bugs.webkit.org/show_bug.cgi?id=132581
1035
1036         Reviewed by Filip Pizlo.
1037
1038         * dfg/DFGPlan.cpp:
1039         (JSC::DFG::Plan::isStillValid): Check that the alternative codeBlock we
1040         started compiling for is still the same at the end of compilation.
1041         Also did some minor restructuring.
1042
1043 2014-05-05  Andreas Kling  <akling@apple.com>
1044
1045         Optimize PutByVal when subscript is a rope string.
1046         <https://webkit.org/b/132572>
1047
1048         Add a JSString::toIdentifier() that is smarter when the JSString is
1049         really a rope string. Use this in baseline & DFG's PutByVal to avoid
1050         allocating new StringImpls that we immediately deduplicate anyway.
1051
1052         Reviewed by Antti Koivisto.
1053
1054         * dfg/DFGOperations.cpp:
1055         (JSC::DFG::operationPutByValInternal):
1056         * jit/JITOperations.cpp:
1057         * runtime/JSString.h:
1058         (JSC::JSString::toIdentifier):
1059
1060 2014-05-05  Andreas Kling  <akling@apple.com>
1061
1062         Remove two now-incorrect assertions after r168256.
1063
1064         * runtime/JSString.cpp:
1065         (JSC::JSRopeString::resolveRopeSlowCase8):
1066         (JSC::JSRopeString::resolveRopeSlowCase):
1067
1068 2014-05-04  Andreas Kling  <akling@apple.com>
1069
1070         Optimize JSRopeString for resolving directly to AtomicString.
1071         <https://webkit.org/b/132548>
1072
1073         If we know that the JSRopeString we are resolving is going to be used
1074         as an AtomicString, we can try to avoid creating a new string.
1075
1076         We do this by first resolving the rope into a stack buffer, and using
1077         that buffer as a key into the AtomicString table. If there is already
1078         an AtomicString with the same characters, we reuse that instead of
1079         constructing a new StringImpl.
1080
1081         JSString gains these two public functions:
1082
1083         - AtomicString toAtomicString()
1084
1085             Returns an AtomicString, tries to avoid allocating a new string
1086             if possible.
1087
1088         - AtomicStringImpl* toExistingAtomicString()
1089
1090             Returns a non-null AtomicStringImpl* if one already exists in the
1091             AtomicString table. If none is found, the rope is left unresolved.
1092
1093         Reviewed by Filip Pizlo.
1094
1095         * runtime/JSString.cpp:
1096         (JSC::JSRopeString::resolveRopeInternal8):
1097         (JSC::JSRopeString::resolveRopeInternal16):
1098         (JSC::JSRopeString::resolveRopeToAtomicString):
1099         (JSC::JSRopeString::clearFibers):
1100         (JSC::JSRopeString::resolveRopeToExistingAtomicString):
1101         (JSC::JSRopeString::resolveRope):
1102         (JSC::JSRopeString::outOfMemory):
1103         * runtime/JSString.h:
1104         (JSC::JSString::toAtomicString):
1105         (JSC::JSString::toExistingAtomicString):
1106
1107 2014-05-04  Andreas Kling  <akling@apple.com>
1108
1109         Unreviewed, rolling out r168254.
1110
1111         Very crashy on debug JSC tests.
1112
1113         Reverted changeset:
1114
1115         "jsSubstring() should be lazy"
1116         https://bugs.webkit.org/show_bug.cgi?id=132556
1117         http://trac.webkit.org/changeset/168254
1118
1119 2014-05-04  Filip Pizlo  <fpizlo@apple.com>
1120
1121         jsSubstring() should be lazy
1122         https://bugs.webkit.org/show_bug.cgi?id=132556
1123
1124         Reviewed by Andreas Kling.
1125         
1126         jsSubstring() is now lazy by using a special rope that is a substring instead of a
1127         concatenation. To make this patch super simple, we require that a substring's base is
1128         never a rope. Hence, when resolving a rope, we either go down a non-recursive substring
1129         path, or we go down a concatenation path which may see exactly one level of substrings in
1130         its fibers.
1131         
1132         This is up to a 50% speed-up on microbenchmarks and a 10% speed-up on Octane/regexp.
1133
1134         * heap/MarkedBlock.cpp:
1135         (JSC::MarkedBlock::specializedSweep):
1136         * runtime/JSString.cpp:
1137         (JSC::JSRopeString::visitFibers):
1138         (JSC::JSRopeString::resolveRope):
1139         (JSC::JSRopeString::resolveRopeSlowCase8):
1140         (JSC::JSRopeString::resolveRopeSlowCase):
1141         (JSC::JSRopeString::outOfMemory):
1142         * runtime/JSString.h:
1143         (JSC::JSRopeString::finishCreation):
1144         (JSC::JSRopeString::append):
1145         (JSC::JSRopeString::create):
1146         (JSC::JSRopeString::offsetOfFibers):
1147         (JSC::JSRopeString::fiber):
1148         (JSC::JSRopeString::substringBase):
1149         (JSC::JSRopeString::substringOffset):
1150         (JSC::JSRopeString::substringSentinel):
1151         (JSC::JSRopeString::isSubstring):
1152         (JSC::jsSubstring):
1153         * runtime/RegExpMatchesArray.cpp:
1154         (JSC::RegExpMatchesArray::reifyAllProperties):
1155         * runtime/StringPrototype.cpp:
1156         (JSC::stringProtoFuncSubstring):
1157
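As an added illustration of the entry above (constructed toy code, not JavaScriptCore's): a rope with a Substring kind whose base is never itself a rope, so resolving a substring is a single non-recursive copy and a concatenation sees at most one level of substrings among its fibers. `ToyString`, `makeSubstring`, `resolve` and `substringRopeDemo` are invented names.

```cpp
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

// Constructed toy model (not JavaScriptCore code) of the lazy-substring rope.
// Invariant: a Substring node's base is always Flat, so resolving a substring
// never recurses, and a Concat node's fibers are flat strings or substrings.
struct ToyString {
    enum Kind { Flat, Substring, Concat };
    Kind kind = Flat;
    std::string flat;                                // characters, valid once kind == Flat
    std::shared_ptr<ToyString> base;                 // Substring: the (flat) base string
    size_t offset = 0, length = 0;                   // Substring: window into base
    std::vector<std::shared_ptr<ToyString>> fibers;  // Concat: pieces to join
};
using ToyStringPtr = std::shared_ptr<ToyString>;

ToyStringPtr makeFlat(std::string s) {
    auto r = std::make_shared<ToyString>();
    r->flat = std::move(s);
    return r;
}

ToyStringPtr makeConcat(ToyStringPtr a, ToyStringPtr b) {
    auto r = std::make_shared<ToyString>();
    r->kind = ToyString::Concat;
    r->fibers = {std::move(a), std::move(b)};
    return r;
}

// Flatten in place and return the characters. Substring: one copy out of a flat
// base, no recursion. Concat: substring fibers are copied straight from their
// flat bases; only a nested concat fiber needs a recursive resolve.
const std::string& resolve(const ToyStringPtr& s) {
    if (s->kind == ToyString::Flat)
        return s->flat;
    if (s->kind == ToyString::Substring) {
        s->flat = s->base->flat.substr(s->offset, s->length);
    } else {
        for (const ToyStringPtr& f : s->fibers) {
            if (f->kind == ToyString::Substring)
                s->flat.append(f->base->flat, f->offset, f->length);
            else
                s->flat += resolve(f);
        }
    }
    s->kind = ToyString::Flat;
    s->base.reset();
    s->fibers.clear();
    return s->flat;
}

// jsSubstring analogue: lazy, but a rope base is flattened first so that the
// "base is never a rope" invariant holds for the new node.
ToyStringPtr makeSubstring(ToyStringPtr base, size_t offset, size_t length) {
    if (base->kind != ToyString::Flat)
        resolve(base);
    auto r = std::make_shared<ToyString>();
    r->kind = ToyString::Substring;
    r->base = std::move(base);
    r->offset = offset;
    r->length = length;
    return r;
}

bool isLazy(const ToyStringPtr& s) { return s->kind != ToyString::Flat; }

// Walks the cases from the entry; returns true when every check holds.
bool substringRopeDemo() {
    ToyStringPtr base = makeFlat("hello world");
    ToyStringPtr tail = makeSubstring(base, 6, 5);
    if (!isLazy(tail) || resolve(tail) != "world")  // no copy until resolved
        return false;
    ToyStringPtr rope = makeConcat(makeSubstring(base, 0, 5), makeFlat("!"));
    if (!isLazy(rope) || resolve(rope) != "hello!")  // substring fiber, one level deep
        return false;
    ToyStringPtr rope2 = makeConcat(makeFlat("ab"), makeFlat("cd"));
    ToyStringPtr mid = makeSubstring(rope2, 1, 2);  // rope base is flattened first
    return !isLazy(rope2) && mid->base == rope2 && resolve(mid) == "bc";
}

int main() {
    std::printf("substring rope demo: %s\n", substringRopeDemo() ? "ok" : "FAILED");
    return 0;
}
```
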
1158 2014-05-02  Michael Saboff  <msaboff@apple.com>
1159
1160         "arm64 function not 4-byte aligned" warnings when building JSC
1161         https://bugs.webkit.org/show_bug.cgi?id=132495
1162
1163         Reviewed by Geoffrey Garen.
1164
1165         Added ".align 4" for both ARM Thumb2 and ARM 64 to silence the linker.
1166
1167         * llint/LowLevelInterpreter.cpp:
1168
1169 2014-05-02  Mark Hahnenberg  <mhahnenberg@apple.com>
1170
1171         Fix cloop build after r168178
1172
1173         * bytecode/CodeBlock.cpp:
1174
1175 2014-05-01  Mark Hahnenberg  <mhahnenberg@apple.com>
1176
1177         Add a DFG function whitelist
1178         https://bugs.webkit.org/show_bug.cgi?id=132437
1179
1180         Reviewed by Geoffrey Garen.
1181
1182         Often times when debugging, using bytecode ranges isn't enough to narrow down to the 
1183         particular DFG block that's causing issues. This patch adds the ability to whitelist 
1184         specific functions specified in a file to enable further filtering without having to recompile.
1185
1186         * CMakeLists.txt:
1187         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1188         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1189         * JavaScriptCore.xcodeproj/project.pbxproj:
1190         * dfg/DFGCapabilities.cpp:
1191         (JSC::DFG::isSupported):
1192         (JSC::DFG::mightInlineFunctionForCall):
1193         (JSC::DFG::mightInlineFunctionForClosureCall):
1194         (JSC::DFG::mightInlineFunctionForConstruct):
1195         * dfg/DFGFunctionWhitelist.cpp: Added.
1196         (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
1197         (JSC::DFG::FunctionWhitelist::FunctionWhitelist):
1198         (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
1199         (JSC::DFG::FunctionWhitelist::contains):
1200         * dfg/DFGFunctionWhitelist.h: Added.
1201         * runtime/Options.cpp:
1202         (JSC::parse):
1203         (JSC::Options::dumpOption):
1204         * runtime/Options.h:
1205
1206 2014-05-02  Filip Pizlo  <fpizlo@apple.com>
1207
1208         DFGAbstractInterpreter should not claim Int52 arithmetic creates Int52s
1209         https://bugs.webkit.org/show_bug.cgi?id=132446
1210
1211         Reviewed by Mark Hahnenberg.
1212         
1213         Basically any arithmetic operation can turn an Int52 into an Int32 or vice-versa, and
1214         our modeling of Int52Rep nodes is such that they can have either Int32 or Int52 type
1215         to indicate a bound on the value. This is useful for knowing, for example, that
1216         Int52Rep(Int32:) returns a value that cannot be outside the Int32 range. Also,
1217         ValueRep(Int52Rep:) uses this to determine whether it may return a double or an int.
1218         But this means that all arithmetic operations must be careful to note that they may
1219         turn Int32 inputs into an Int52 output or vice-versa, as these new tests show.
1220
1221         * dfg/DFGAbstractInterpreterInlines.h:
1222         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1223         * dfg/DFGByteCodeParser.cpp:
1224         (JSC::DFG::ByteCodeParser::makeSafe):
1225         * tests/stress/int52-ai-add-then-filter-int32.js: Added.
1226         (foo):
1227         * tests/stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js: Added.
1228         (foo):
1229         * tests/stress/int52-ai-mul-then-filter-int32-directly.js: Added.
1230         (foo):
1231         * tests/stress/int52-ai-mul-then-filter-int32.js: Added.
1232         (foo):
1233         * tests/stress/int52-ai-neg-then-filter-int32.js: Added.
1234         (foo):
1235         * tests/stress/int52-ai-sub-then-filter-int32.js: Added.
1236         (foo):
1237
1238 2014-05-01  Geoffrey Garen  <ggaren@apple.com>
1239
1240         JavaScriptCore fails to build with some versions of clang
1241         https://bugs.webkit.org/show_bug.cgi?id=132436
1242
1243         Reviewed by Anders Carlsson.
1244
1245         * runtime/ArgumentsIteratorConstructor.cpp: Since we call
1246         putDirectWithoutTransition, and it calls putWillGrowOutOfLineStorage,
1247         and both are marked inline, it's valid for the compiler to decide
1248         to inline both and emit neither in the binary. Therefore, we need
1249         both inline definitions to be available in the translation unit at
1250         compile time, or we'll try to link against a function that doesn't exist.
1251
1252 2014-05-01  Commit Queue  <commit-queue@webkit.org>
1253
1254         Unreviewed, rolling out r167964.
1255         https://bugs.webkit.org/show_bug.cgi?id=132431
1256
1257         Memory improvements should not regress memory usage (Requested
1258         by olliej on #webkit).
1259
1260         Reverted changeset:
1261
1262         "Don't hold on to parameter BindingNodes forever"
1263         https://bugs.webkit.org/show_bug.cgi?id=132360
1264         http://trac.webkit.org/changeset/167964
1265
1266 2014-05-01  Filip Pizlo  <fpizlo@apple.com>
1267
1268         Fix trivial debug-only race-that-crashes in CallLinkStatus and explain why the remaining races are totally awesome
1269         https://bugs.webkit.org/show_bug.cgi?id=132427
1270
1271         Reviewed by Mark Hahnenberg.
1272
1273         * bytecode/CallLinkStatus.cpp:
1274         (JSC::CallLinkStatus::computeFor):
1275
1276 2014-04-30  Simon Fraser  <simon.fraser@apple.com>
1277
1278         Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO
1279         https://bugs.webkit.org/show_bug.cgi?id=132396
1280
1281         Reviewed by Eric Carlson.
1282
1283         Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO and related code.
1284
1285         * Configurations/FeatureDefines.xcconfig:
1286
1287 2014-04-30  Filip Pizlo  <fpizlo@apple.com>
1288
1289         Argument flush formats should not be presumed to be JSValue since 'this' is weird
1290         https://bugs.webkit.org/show_bug.cgi?id=132404
1291
1292         Reviewed by Michael Saboff.
1293
1294         * dfg/DFGSpeculativeJIT.cpp:
1295         (JSC::DFG::SpeculativeJIT::compileCurrentBlock): Don't assume that arguments are flushed as JSValue. Use the logic for locals instead.
1296         * dfg/DFGSpeculativeJIT32_64.cpp:
1297         (JSC::DFG::SpeculativeJIT::compile): SetArgument "changes" the format because before this we wouldn't know we had arguments.
1298         * dfg/DFGSpeculativeJIT64.cpp:
1299         (JSC::DFG::SpeculativeJIT::compile): Ditto.
1300         * dfg/DFGValueSource.cpp:
1301         (JSC::DFG::ValueSource::dumpInContext): Make this easier to dump.
1302         * dfg/DFGValueSource.h:
1303         (JSC::DFG::ValueSource::operator!): Make this easier to dump because Operands<T> uses T::operator!().
1304         * ftl/FTLOSREntry.cpp:
1305         (JSC::FTL::prepareOSREntry): This had a useful assertion for everything except 'this'.
1306         * tests/stress/strict-to-this-int.js: Added.
1307         (foo):
1308         (Number.prototype.valueOf):
1309         (test):
1310
1311 2014-04-29  Oliver Hunt  <oliver@apple.com>
1312
1313         Don't hold on to parameterBindingNodes forever
1314         https://bugs.webkit.org/show_bug.cgi?id=132360
1315
1316         Reviewed by Geoffrey Garen.
1317
1318         Don't keep the parameter nodes anymore. Instead we store the
1319         original parameter string and reparse whenever we actually
1320         need them. Because we only actually need them for compilation
1321         this only results in a single extra parse.
1322
1323         * bytecode/UnlinkedCodeBlock.cpp:
1324         (JSC::generateFunctionCodeBlock):
1325         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1326         (JSC::UnlinkedFunctionExecutable::visitChildren):
1327         (JSC::UnlinkedFunctionExecutable::finishCreation):
1328         (JSC::UnlinkedFunctionExecutable::paramString):
1329         (JSC::UnlinkedFunctionExecutable::parameters):
1330         (JSC::UnlinkedFunctionExecutable::parameterCount): Deleted.
1331         * bytecode/UnlinkedCodeBlock.h:
1332         (JSC::UnlinkedFunctionExecutable::create):
1333         (JSC::UnlinkedFunctionExecutable::parameterCount):
1334         (JSC::UnlinkedFunctionExecutable::parameters): Deleted.
1335         (JSC::UnlinkedFunctionExecutable::finishCreation): Deleted.
1336         * parser/ASTBuilder.h:
1337         (JSC::ASTBuilder::ASTBuilder):
1338         (JSC::ASTBuilder::setFunctionBodyParameters):
1339         * parser/Nodes.h:
1340         (JSC::FunctionBodyNode::parametersStartOffset):
1341         (JSC::FunctionBodyNode::parametersEndOffset):
1342         (JSC::FunctionBodyNode::setParameterLocation):
1343         * parser/Parser.cpp:
1344         (JSC::Parser<LexerType>::parseFunctionInfo):
1345         (JSC::parseParameters):
1346         * parser/Parser.h:
1347         (JSC::parse):
1348         * parser/SourceCode.h:
1349         (JSC::SourceCode::subExpression):
1350         * parser/SyntaxChecker.h:
1351         (JSC::SyntaxChecker::setFunctionBodyParameters):
1352
1353 2014-04-29  Mark Hahnenberg  <mhahnenberg@apple.com>
1354
1355         JSProxies should be cacheable
1356         https://bugs.webkit.org/show_bug.cgi?id=132351
1357
1358         Reviewed by Geoffrey Garen.
1359
1360         Whenever we encounter a proxy in an inline cache we should try to cache on the 
1361         proxy's target instead of giving up.
1362
1363         This patch adds support for a simple "recursive" inline cache if the base object
1364         we're accessing is a pure forwarding proxy. JSGlobalObject and its subclasses 
1365         are the only ones to benefit from this right now.
1366
1367         This is performance neutral on the benchmarks we track. Currently we won't
1368         cache on JSDOMWindow due to HasImpureGetOwnPropertySlot, but this issue will be fixed soon.
1369
1370         * jit/Repatch.cpp:
1371         (JSC::generateByIdStub):
1372         (JSC::tryBuildGetByIDList):
1373         (JSC::tryCachePutByID):
1374         (JSC::tryBuildPutByIdList):
1375         * jsc.cpp:
1376         (GlobalObject::finishCreation):
1377         (functionCreateProxy):
1378         * runtime/IntendedStructureChain.cpp:
1379         (JSC::IntendedStructureChain::isNormalized):
1380         * runtime/JSCellInlines.h:
1381         (JSC::JSCell::isProxy):
1382         * runtime/JSGlobalObject.h:
1383         (JSC::JSGlobalObject::finishCreation):
1384         * runtime/JSProxy.h:
1385         (JSC::JSProxy::createStructure):
1386         (JSC::JSProxy::targetOffset):
1387         * runtime/JSType.h:
1388         * runtime/Operations.h:
1389         (JSC::isPrototypeChainNormalized):
1390         * runtime/Structure.h:
1391         (JSC::Structure::isProxy):
1392         * tests/stress/proxy-inline-cache.js: Added.
1393         (cacheOnTarget.getX):
1394         (cacheOnTarget):
1395         (cacheOnPrototypeOfTarget.getX):
1396         (cacheOnPrototypeOfTarget):
1397         (dontCacheOnProxyInPrototypeChain.getX):
1398         (dontCacheOnProxyInPrototypeChain):
1399         (dontCacheOnTargetOfProxyInPrototypeChainOfTarget.getX):
1400         (dontCacheOnTargetOfProxyInPrototypeChainOfTarget):
1401
1402 2014-04-29  Filip Pizlo  <fpizlo@apple.com>
1403
1404         Use LLVM as a backend for the fourth-tier DFG JIT (a.k.a. the FTL JIT)
1405         https://bugs.webkit.org/show_bug.cgi?id=112840
1406
1407         Rubber stamped by Geoffrey Garen.
1408
1409         * Configurations/FeatureDefines.xcconfig:
1410
1411 2014-04-29  Geoffrey Garen  <ggaren@apple.com>
1412
1413         String.prototype.trim removes U+200B from strings.
1414         https://bugs.webkit.org/show_bug.cgi?id=130184
1415
1416         Reviewed by Michael Saboff.
1417
1418         * runtime/StringPrototype.cpp:
1419         (JSC::trimString):
1420         (JSC::isTrimWhitespace): Deleted.
1421
1422 2014-04-29  Mark Lam  <mark.lam@apple.com>
1423
1424         Zombifying sweep should ignore retired blocks.
1425         <https://webkit.org/b/132344>
1426
1427         Reviewed by Mark Hahnenberg.
1428
1429         By definition, retired blocks do not have "dead" objects, or at least
1430         none that we know of yet until the next marking phase has been run
1431         over it.  So, we should not be sweeping them (even for zombie mode).
1432
1433         * heap/Heap.cpp:
1434         (JSC::Heap::zombifyDeadObjects):
1435         * heap/MarkedSpace.cpp:
1436         (JSC::MarkedSpace::zombifySweep):
1437         * heap/MarkedSpace.h:
1438         (JSC::ZombifySweep::operator()):
1439
1440 2014-04-29  Mark Lam  <mark.lam@apple.com>
1441
1442         Fix bit rot in zombie mode heap code.
1443         <https://webkit.org/b/132342>
1444
1445         Reviewed by Mark Hahnenberg.
1446
1447         Need to enter a DelayedReleaseScope before doing a sweep.
1448
1449         * heap/Heap.cpp:
1450         (JSC::Heap::zombifyDeadObjects):
1451
1452 2014-04-29  Tomas Popela  <tpopela@redhat.com>
1453
1454         LLINT loadisFromInstruction doesn't need special case for big endians
1455         https://bugs.webkit.org/show_bug.cgi?id=132330
1456
1457         Reviewed by Mark Lam.
1458
1459         The change introduced in r167076 was wrong. We should not apply the offset
1460         adjustment on loadisFromInstruction usage as the instruction
1461         (UnlinkedInstruction) is declared as a union (i.e. with the int32_t
1462         operand variable). The offset of the other union members will be the
1463         same as the offset of the first one, that is 0. The behavior here is the
1464         same on little and big endian architectures. Thus we don't need a
1465         special case for big endians.
1466
1467         * llint/LowLevelInterpreter.asm:
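
The union-offset point made in the entry above, as an added example that is not part of this ChangeLog or of JSC's sources: a constructed union standing in for UnlinkedInstruction, whose members all sit at offset 0 on any host, placed beside the one layout where a byte-order adjustment really is needed (reading the low 32 bits out of a 64-bit word). The member names, helper names and sizes are this example's own assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Hypothetical stand-in for JSC's UnlinkedInstruction, constructed for this
// example: a union, so every member starts at byte offset 0.
union UnlinkedInstruction {
    unsigned opcode;
    int32_t operand;
    intptr_t immediate;   // a wider member grows the union, but moves no offset
};

// Member offsets: all zero, regardless of architecture or byte order.
constexpr size_t opcodeOffset()    { return offsetof(UnlinkedInstruction, opcode); }
constexpr size_t operandOffset()   { return offsetof(UnlinkedInstruction, operand); }
constexpr size_t immediateOffset() { return offsetof(UnlinkedInstruction, immediate); }

// Host byte order, determined at run time rather than via a platform macro.
bool isBigEndian()
{
    const uint32_t probe = 1;
    unsigned char firstByte;
    std::memcpy(&firstByte, &probe, 1);
    return firstByte == 0;
}

// The layout where an adjustment IS needed: the low 32 bits of a 64-bit word
// sit at byte 0 on little-endian hosts and at byte 4 on big-endian hosts.
size_t lowInt32OffsetInWord64() { return isBigEndian() ? 4 : 0; }

int32_t readInt32StoredInWord64(int64_t word)
{
    unsigned char bytes[sizeof(word)];
    std::memcpy(bytes, &word, sizeof(word));
    int32_t value;
    std::memcpy(&value, bytes + lowInt32OffsetInWord64(), sizeof(value));
    return value;
}

// The union case: write through the int32 member and read it back through a
// byte pointer at that member's offset. No adjustment on either byte order.
int32_t roundTripOperand(int32_t operand)
{
    UnlinkedInstruction instruction;
    instruction.operand = operand;
    int32_t value;
    const unsigned char* base = reinterpret_cast<const unsigned char*>(&instruction);
    std::memcpy(&value, base + operandOffset(), sizeof(value));
    return value;
}
```

On a big-endian host lowInt32OffsetInWord64() returns 4 while operandOffset() is still 0; applying the former when loading a union member, which is the adjustment the entry describes removing, would read bytes that were never written.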
1468
1469 2014-04-28  Mark Hahnenberg  <mhahnenberg@apple.com>
1470
1471         Simplify tryCacheGetById
1472         https://bugs.webkit.org/show_bug.cgi?id=132314
1473
1474         Reviewed by Oliver Hunt and Filip Pizlo.
1475
1476         This is neutral across all benchmarks we track, although it looks like a wee 0.5% progression on sunspider.
1477
1478         * jit/Repatch.cpp:
1479         (JSC::tryCacheGetByID): If we fail to cache on self, we just repatch to call tryBuildGetByIDList next time.
1480
1481 2014-04-28  Michael Saboff  <msaboff@apple.com>
1482
1483         REGRESSION(r153142) ASSERT from CodeBlock::dumpBytecode dumping String Switch Jump Tables
1484         https://bugs.webkit.org/show_bug.cgi?id=132315
1485
1486         Reviewed by Mark Hahnenberg.
1487
1488         Used the StringImpl version of utf8() instead of creating a String first.
1489
1490         * bytecode/CodeBlock.cpp:
1491         (JSC::CodeBlock::dumpBytecode):
1492
1493 2014-04-28  Filip Pizlo  <fpizlo@apple.com>
1494
1495         The LLInt is awesome and it should get more of the action.
1496
1497         Rubber stamped by Geoffrey Garen.
1498         
1499         5% speed-up on JSBench and no meaningful regressions.  Should be a PLT/DYE speed-up also.
1500
1501         * runtime/Options.h:
1502
1503 2014-04-27  Filip Pizlo  <fpizlo@apple.com>
1504
1505         GC should be able to remove things from the DFG worklist and cancel on-going compilations if it knows that the compilation would already be invalidated
1506         https://bugs.webkit.org/show_bug.cgi?id=132166
1507
1508         Reviewed by Oliver Hunt and Mark Hahnenberg.
1509         
1510         The GC can aid type inference by removing structures that are dead and jettisoning
1511         code that relies on those structures. This can dramatically accelerate type inference
1512         for some tricky programs.
1513         
1514         Unfortunately, we previously pinned any structures that enqueued compilations depended
1515         on. This means that if you're on a machine that only runs a single compilation thread
1516         and where compilations are relatively slow, you have a high chance of large numbers of
1517         structures being pinned during any GC since the compilation queue is likely to be full
1518         of random stuff.
1519         
1520         This comprehensively fixes this issue by allowing the GC to remove compilation plans
1521         if the things they depend on are dead, and to even cancel safepointed compilations.
1522         
1523         * bytecode/CodeBlock.cpp:
1524         (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan):
1525         (JSC::CodeBlock::isKnownToBeLiveDuringGC):
1526         (JSC::CodeBlock::finalizeUnconditionally):
1527         * bytecode/CodeBlock.h:
1528         (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan): Deleted.
1529         * dfg/DFGDesiredIdentifiers.cpp:
1530         (JSC::DFG::DesiredIdentifiers::DesiredIdentifiers):
1531         * dfg/DFGDesiredIdentifiers.h:
1532         * dfg/DFGDesiredWatchpoints.h:
1533         * dfg/DFGDesiredWeakReferences.cpp:
1534         (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
1535         * dfg/DFGDesiredWeakReferences.h:
1536         * dfg/DFGGraphSafepoint.cpp:
1537         (JSC::DFG::GraphSafepoint::GraphSafepoint):
1538         * dfg/DFGGraphSafepoint.h:
1539         * dfg/DFGPlan.cpp:
1540         (JSC::DFG::Plan::Plan):
1541         (JSC::DFG::Plan::compileInThread):
1542         (JSC::DFG::Plan::compileInThreadImpl):
1543         (JSC::DFG::Plan::notifyCompiling):
1544         (JSC::DFG::Plan::notifyCompiled):
1545         (JSC::DFG::Plan::notifyReady):
1546         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
1547         (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
1548         (JSC::DFG::Plan::cancel):
1549         (JSC::DFG::Plan::visitChildren): Deleted.
1550         * dfg/DFGPlan.h:
1551         * dfg/DFGSafepoint.cpp:
1552         (JSC::DFG::Safepoint::Result::~Result):
1553         (JSC::DFG::Safepoint::Result::didGetCancelled):
1554         (JSC::DFG::Safepoint::Safepoint):
1555         (JSC::DFG::Safepoint::~Safepoint):
1556         (JSC::DFG::Safepoint::checkLivenessAndVisitChildren):
1557         (JSC::DFG::Safepoint::isKnownToBeLiveDuringGC):
1558         (JSC::DFG::Safepoint::cancel):
1559         (JSC::DFG::Safepoint::visitChildren): Deleted.
1560         * dfg/DFGSafepoint.h:
1561         (JSC::DFG::Safepoint::Result::Result):
1562         * dfg/DFGWorklist.cpp:
1563         (JSC::DFG::Worklist::compilationState):
1564         (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
1565         (JSC::DFG::Worklist::removeAllReadyPlansForVM):
1566         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
1567         (JSC::DFG::Worklist::visitWeakReferences):
1568         (JSC::DFG::Worklist::removeDeadPlans):
1569         (JSC::DFG::Worklist::runThread):
1570         (JSC::DFG::Worklist::visitChildren): Deleted.
1571         * dfg/DFGWorklist.h:
1572         * ftl/FTLCompile.cpp:
1573         (JSC::FTL::compile):
1574         * ftl/FTLCompile.h:
1575         * heap/CodeBlockSet.cpp:
1576         (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks):
1577         * heap/Heap.cpp:
1578         (JSC::Heap::markRoots):
1579         (JSC::Heap::visitCompilerWorklistWeakReferences):
1580         (JSC::Heap::removeDeadCompilerWorklistEntries):
1581         (JSC::Heap::visitWeakHandles):
1582         (JSC::Heap::collect):
1583         (JSC::Heap::visitCompilerWorklists): Deleted.
1584         * heap/Heap.h:
1585
1586 2014-04-28  Mark Hahnenberg  <mhahnenberg@apple.com>
1587
1588         Deleting properties poisons objects
1589         https://bugs.webkit.org/show_bug.cgi?id=131551
1590
1591         Reviewed by Oliver Hunt.
1592
1593         This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.
1594
1595         * runtime/JSPropertyNameIterator.cpp:
1596         (JSC::JSPropertyNameIterator::create):
1597         * runtime/PropertyMapHashTable.h:
1598         (JSC::PropertyTable::hasDeletedOffset):
1599         (JSC::PropertyTable::hadDeletedOffset): If we ever had deleted properties we can no longer cache offsets when 
1600         iterating properties because we're required to iterate properties in insertion order.
1601         * runtime/Structure.cpp:
1602         (JSC::Structure::Structure):
1603         (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
1604         (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of 
1605         Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache 
1606         delete transitions, but we allow transitioning from them.
1607         (JSC::Structure::changePrototypeTransition):
1608         (JSC::Structure::despecifyFunctionTransition):
1609         (JSC::Structure::attributeChangeTransition):
1610         (JSC::Structure::toDictionaryTransition):
1611         (JSC::Structure::preventExtensionsTransition):
1612         (JSC::Structure::addPropertyWithoutTransition):
1613         (JSC::Structure::removePropertyWithoutTransition):
1614         (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
1615         (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
1616         * runtime/Structure.h:
1617         * runtime/StructureInlines.h:
1618         (JSC::Structure::setEnumerationCache):
1619         (JSC::Structure::hadDeletedOffsets):
1620         (JSC::Structure::propertyTable):
1621         (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.
1622         * tests/stress/for-in-after-delete.js: Added.
1623         (foo):
1624
1625 2014-04-25  Andreas Kling  <akling@apple.com>
1626
1627         Inline (C++) GetByVal with numeric indices more aggressively.
1628         <https://webkit.org/b/132218>
1629
1630         We were already inlining the string indexed GetByVal path pretty well,
1631         while the path for numeric indices got neglected. No more!
1632
1633         ~9.5% improvement on Dromaeo/dom-traverse.html on my MBP:
1634
1635             Before: 199.50 runs/s
1636              After: 218.58 runs/s
1637
1638         Reviewed by Phil Pizlo.
1639
1640         * dfg/DFGOperations.cpp:
1641         * runtime/JSCJSValueInlines.h:
1642         (JSC::JSValue::get):
1643
1644             ALWAYS_INLINE all the things.
1645
1646         * runtime/JSObject.h:
1647         (JSC::JSObject::getPropertySlot):
1648
1649             Avoid fetching the Structure more than once. We have the same
1650             optimization in the string-indexed code path.
1651
1652 2014-04-25  Oliver Hunt  <oliver@apple.com>
1653
1654         Need earlier cell test
1655         https://bugs.webkit.org/show_bug.cgi?id=132211
1656
1657         Reviewed by Mark Lam.
1658
1659         Move cell test to before the function call repatch
1660         location, as the repatch logic for 32bit assumes that the
1661         caller will already have performed a cell check.
1662
1663         * jit/JITCall32_64.cpp:
1664         (JSC::JIT::compileOpCall):
1665
1666 2014-04-25  Andreas Kling  <akling@apple.com>
1667
1668         Un-fast-allocate JSGlobalObjectRareData because Windows doesn't build and I'm not in the mood.
1669
1670         * runtime/JSGlobalObject.h:
1671         (JSC::JSGlobalObject::JSGlobalObjectRareData::JSGlobalObjectRareData):
1672         (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData): Deleted.
1673
1674 2014-04-25  Andreas Kling  <akling@apple.com>
1675
1676         Windows build fix attempt.
1677
1678         * runtime/JSGlobalObject.h:
1679         (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData):
1680
1681 2014-04-25  Mark Lam  <mark.lam@apple.com>
1682
1683         Refactor debugging code to use BreakpointActions instead of Vector<ScriptBreakpointAction>.
1684         <https://webkit.org/b/132201>
1685
1686         Reviewed by Joseph Pecoraro.
1687
1688         BreakpointActions is Vector<ScriptBreakpointAction>.  Let's just consistently use
1689         BreakpointActions everywhere.
1690
1691         * inspector/ScriptBreakpoint.h:
1692         (Inspector::ScriptBreakpoint::ScriptBreakpoint):
1693         * inspector/ScriptDebugServer.cpp:
1694         (Inspector::ScriptDebugServer::setBreakpoint):
1695         (Inspector::ScriptDebugServer::getActionsForBreakpoint):
1696         * inspector/ScriptDebugServer.h:
1697         * inspector/agents/InspectorDebuggerAgent.cpp:
1698         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
1699         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
1700         (Inspector::InspectorDebuggerAgent::setBreakpoint):
1701         (Inspector::InspectorDebuggerAgent::removeBreakpoint):
1702         * inspector/agents/InspectorDebuggerAgent.h:
1703
1704 2014-04-24  Filip Pizlo  <fpizlo@apple.com>
1705
1706         DFG worklist scanning should not treat the key as a separate entity
1707         https://bugs.webkit.org/show_bug.cgi?id=132167
1708
1709         Reviewed by Mark Hahnenberg.
1710         
1711         This simplifies the interface to the GC and will enable more optimizations.
1712
1713         * dfg/DFGCompilationKey.cpp:
1714         (JSC::DFG::CompilationKey::visitChildren): Deleted.
1715         * dfg/DFGCompilationKey.h:
1716         * dfg/DFGPlan.cpp:
1717         (JSC::DFG::Plan::visitChildren):
1718         * dfg/DFGWorklist.cpp:
1719         (JSC::DFG::Worklist::visitChildren):
1720
1721 2014-04-25  Oliver Hunt  <oliver@apple.com>
1722
1723         Remove unused parameter from codeblock linking function
1724         https://bugs.webkit.org/show_bug.cgi?id=132199
1725
1726         Reviewed by Anders Carlsson.
1727
1728         No change in behaviour. This is just a small change to make it
1729         slightly easier to reason about what the offsets in UnlinkedFunctionExecutable
1730         actually mean.
1731
1732         * bytecode/UnlinkedCodeBlock.cpp:
1733         (JSC::UnlinkedFunctionExecutable::link):
1734         * bytecode/UnlinkedCodeBlock.h:
1735         * runtime/Executable.cpp:
1736         (JSC::ProgramExecutable::initializeGlobalProperties):
1737
1738 2014-04-25  Andreas Kling  <akling@apple.com>
1739
1740         Mark some things with WTF_MAKE_FAST_ALLOCATED.
1741         <https://webkit.org/b/132198>
1742
1743         Use FastMalloc for more things.
1744
1745         Reviewed by Anders Carlsson.
1746
1747         * builtins/BuiltinExecutables.h:
1748         * heap/GCThreadSharedData.h:
1749         * inspector/JSConsoleClient.h:
1750         * inspector/agents/InspectorAgent.h:
1751         * runtime/CodeCache.h:
1752         * runtime/JSGlobalObject.h:
1753         * runtime/Lookup.cpp:
1754         (JSC::HashTable::createTable):
1755         (JSC::HashTable::deleteTable):
1756         * runtime/WeakGCMap.h:
1757
1758 2014-04-25  Antoine Quint  <graouts@webkit.org>
1759
1760         Implement Array.prototype.find()
1761         https://bugs.webkit.org/show_bug.cgi?id=130966
1762
1763         Reviewed by Oliver Hunt.
1764
1765         Implement Array.prototype.find() and Array.prototype.findIndex() as proposed in the Harmony spec.
1766
1767         * builtins/Array.prototype.js:
1768         (find):
1769         (findIndex):
1770         * runtime/ArrayPrototype.cpp:
1771
1772 2014-04-24  Brady Eidson  <beidson@apple.com>
1773
1774         Rename "IMAGE_CONTROLS" feature to "SERVICE_CONTROLS"
1775         https://bugs.webkit.org/show_bug.cgi?id=132155
1776
1777         Reviewed by Tim Horton.
1778
1779         * Configurations/FeatureDefines.xcconfig:
1780
1781 2014-04-24  Michael Saboff  <msaboff@apple.com>
1782
1783         REGRESSION: Apparent hang of PCE.js Mac OS System 7.0.1 on ARM64 devices
1784         https://bugs.webkit.org/show_bug.cgi?id=132147
1785
1786         Reviewed by Mark Lam.
1787
1788         Fixed or64(), eor32() and eor64() to use "src" register when we have a valid logicalImm.
1789
1790         * assembler/MacroAssemblerARM64.h:
1791         (JSC::MacroAssemblerARM64::or64):
1792         (JSC::MacroAssemblerARM64::xor32):
1793         (JSC::MacroAssemblerARM64::xor64):
1794         * tests/stress/regress-132147.js: Added test.
1795
1796 2014-04-24  Mark Lam  <mark.lam@apple.com>
1797
1798         Make slowPathAllocsBetweenGCs a runtime option.
1799         <https://webkit.org/b/132137>
1800
1801         Reviewed by Mark Hahnenberg.
1802
1803         This will make it easier to more casually run tests with this configuration
1804         as well as to reproduce issues (instead of requiring a code mod and rebuild).
1805         We will now take --slowPathAllocsBetweenGCs=N where N is the number of
1806         slow path allocations before we trigger a collection.
1807
1808         The option defaults to 0, which is reserved to mean that we will not trigger
1809         any collections there.
1810
1811         * heap/Heap.h:
1812         * heap/MarkedAllocator.cpp:
1813         (JSC::MarkedAllocator::doTestCollectionsIfNeeded):
1814         (JSC::MarkedAllocator::allocateSlowCase):
1815         * heap/MarkedAllocator.h:
1816         * runtime/Options.h:
1817
1818 2014-04-23  Mark Lam  <mark.lam@apple.com>
1819
1820         The GC should only resume compiler threads that it suspended in the same GC pass.
1821         <https://webkit.org/b/132088>
1822
1823         Reviewed by Mark Hahnenberg.
1824
1825         Previously, this scenario could occur:
1826         1. Thread 1 starts a GC and tries to suspend DFG worklist threads.  However,
1827            no worklists were created yet at that time.
1828         2. Thread 2 starts to compile some functions and creates a DFG worklist, and
1829            acquires the worklist thread's lock.
1830         3. Thread 1's GC completes and tries to resume suspended DFG worklist thread.
1831            This time, it sees the worklist created by Thread 2 and ends up unlocking
1832            the worklist thread's lock that is supposedly held by Thread 2.
1833         Thereafter, chaos ensues.
1834
1835         The fix is to cache the worklists that were actually suspended by each GC pass,
1836         and only resume those when the GC is done.
1837
1838         This issue was discovered by enabling COLLECT_ON_EVERY_ALLOCATION and running
1839         the fast/workers layout tests.
1840
1841         * heap/Heap.cpp:
1842         (JSC::Heap::visitCompilerWorklists):
1843         (JSC::Heap::deleteAllCompiledCode):
1844         (JSC::Heap::suspendCompilerThreads):
1845         (JSC::Heap::resumeCompilerThreads):
1846         * heap/Heap.h:
1847
1848 2014-04-23  Mark Hahnenberg  <mhahnenberg@apple.com>
1849
1850         Arguments::copyBackingStore needs to update m_registers in tandem with m_registerArray
1851         https://bugs.webkit.org/show_bug.cgi?id=132079
1852
1853         Reviewed by Michael Saboff.
1854
1855         Since we're moving the register backing store, we don't want to leave a dangling pointer into a random CopiedBlock.
1856
1857         Also added a test that previously triggered this bug.
1858
1859         * runtime/Arguments.cpp:
1860         (JSC::Arguments::copyBackingStore): D'oh!
1861         * tests/stress/arguments-copy-register-array-backing-store.js: Added.
1862         (foo):
1863         (bar):
1864
1865 2014-04-23  Mark Rowe  <mrowe@apple.com>
1866
1867         [Mac] REGRESSION (r164823): Building JavaScriptCore creates files under /tmp/JavaScriptCore.dst
1868         <https://webkit.org/b/132053>
1869
1870         Reviewed by Dan Bernstein.
1871
1872         * JavaScriptCore.xcodeproj/project.pbxproj: Don't try to create a symlink at /usr/local/bin/jsc inside
1873         the DSTROOT unless we're building to the deployment location. Also remove the unnecessary -x argument
1874         from /bin/sh since that generates unnecessary output.
1875
1876 2014-04-22  Mark Lam  <mark.lam@apple.com>
1877
1878         DFG::Worklist should acquire the m_lock before iterating DFG plans.
1879         <https://webkit.org/b/132032>
1880
1881         Reviewed by Filip Pizlo.
1882
1883         Currently, there's a rightToRun mechanism that ensures that no compilation
1884         threads are running when the GC is iterating through the DFG worklists.
1885         However, this does not prevent a Worker thread from doing a DFG compilation
1886         and modifying the plans in the worklists thereby invalidating the plan
1887         iterator that the GC is using.  This patch fixes the issue by acquiring
1888         the worklist m_lock before iterating the worklist plans.
1889
1890         This issue was uncovered by running the fast/workers layout tests with
1891         COLLECT_ON_EVERY_ALLOCATION enabled.
1892
1893         * dfg/DFGWorklist.cpp:
1894         (JSC::DFG::Worklist::isActiveForVM):
1895         (JSC::DFG::Worklist::visitChildren):
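
An added example covering this entry and the 2014-04-23 entry above ("The GC should only resume compiler threads that it suspended in the same GC pass"); it is not part of this ChangeLog or of JSC's sources. It models, in much-reduced form, a worklist whose plan vector is only ever traversed under its m_lock, and a heap whose GC pass records exactly the worklists it suspended and releases only those, so a worklist created by a compiling thread mid-pass is left alone. Class shapes, member names and the scenario functions are this example's assumptions; only the two invariants come from the entries.

```cpp
#include <mutex>
#include <string>
#include <thread>
#include <utility>
#include <vector>

// Hypothetical, much-reduced stand-ins for DFG::Plan, DFG::Worklist and Heap,
// constructed for illustration; none of this is JSC's own code.
struct Plan { std::string name; bool isLive; };

class Worklist {
public:
    // A compiling thread mutates m_plans only while holding m_lock.
    void enqueue(std::string name, bool isLive)
    {
        std::lock_guard<std::mutex> locker(m_lock);
        m_plans.push_back(Plan { std::move(name), isLive });
    }

    // The GC's traversal holds m_lock for the whole walk, so a compiling thread
    // cannot push_back (reallocating m_plans and invalidating the iterator)
    // while the walk is in progress. Returns the number of live plans seen.
    size_t visitLivePlans(std::vector<std::string>& out)
    {
        std::lock_guard<std::mutex> locker(m_lock);
        size_t count = 0;
        for (const Plan& plan : m_plans) {
            if (plan.isLive) {
                out.push_back(plan.name);
                ++count;
            }
        }
        return count;
    }

    // The GC suspends a worklist by taking its lock; the returned unique_lock
    // is the record that this pass did so.
    std::unique_lock<std::mutex> suspend() { return std::unique_lock<std::mutex>(m_lock); }

    // Probe from a second thread whether the lock is currently held.
    bool isLockedElsewhere()
    {
        bool acquired = false;
        std::thread probe([&] { if (m_lock.try_lock()) { acquired = true; m_lock.unlock(); } });
        probe.join();
        return !acquired;
    }

private:
    std::mutex m_lock;
    std::vector<Plan> m_plans;
};

class Heap {
public:
    void registerWorklist(Worklist& worklist) { m_worklists.push_back(&worklist); }

    // Record exactly which worklists this pass suspended...
    void suspendCompilerThreads()
    {
        for (Worklist* worklist : m_worklists)
            m_suspendedWorklists.push_back(worklist->suspend());
    }

    // ...and release only those. A worklist registered after suspension, whose
    // lock may be held by the compiling thread that created it, is never touched.
    void resumeCompilerThreads() { m_suspendedWorklists.clear(); }

    size_t suspendedCount() const { return m_suspendedWorklists.size(); }

private:
    std::vector<Worklist*> m_worklists;
    std::vector<std::unique_lock<std::mutex>> m_suspendedWorklists;
};

// Scenario from the 2014-04-23 entry: no worklists exist when the GC suspends;
// one is registered mid-pass by a compiling thread that then holds its lock.
// Returns true if the GC's resume left that lock alone.
bool lateWorklistScenario()
{
    Worklist lateWorklist;
    Heap heap;
    heap.suspendCompilerThreads();        // nothing registered: nothing suspended
    heap.registerWorklist(lateWorklist);  // "thread 2" brings up a worklist during the GC...
    std::unique_lock<std::mutex> heldByCompiler = lateWorklist.suspend(); // ...and takes its lock
    heap.resumeCompilerThreads();         // releases only what this pass recorded: nothing
    return heap.suspendedCount() == 0 && lateWorklist.isLockedElsewhere();
}

// Scenario from the 2014-04-22 entry: a compiling thread keeps enqueueing while
// the GC visits. Returns the number of live plans seen once the compiler is done.
size_t concurrentVisitScenario(size_t planCount)
{
    Worklist worklist;
    std::thread compiler([&] {
        for (size_t i = 0; i < planCount; ++i)
            worklist.enqueue("plan" + std::to_string(i), i % 2 == 0);
    });
    std::vector<std::string> seen;
    for (int i = 0; i < 50; ++i) {
        seen.clear();
        worklist.visitLivePlans(seen);
    }
    compiler.join();
    seen.clear();
    return worklist.visitLivePlans(seen);
}
```

Holding the lock as a std::unique_lock owned by the pass makes the "only resume what you suspended" rule structural: there is no way to release a lock the pass never recorded.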
1896
1897 2014-04-22  Brent Fulgham  <bfulgham@apple.com>
1898
1899         [Win] Support Python 2.7 in Cygwin
1900         https://bugs.webkit.org/show_bug.cgi?id=132023
1901
1902         Reviewed by Michael Saboff.
1903
1904         * DerivedSources.make: Use a conditional variable to define
1905         the path to Python/Perl.
1906
1907 2014-04-22  Filip Pizlo  <fpizlo@apple.com>
1908
1909         Switch the LLVMForJSC target to using the LLVM in /usr/local rather than /usr/local/LLVMForJavaScriptCore on iOS
1910         https://bugs.webkit.org/show_bug.cgi?id=130867
1911         <rdar://problem/16432456> 
1912
1913         Reviewed by Mark Hahnenberg.
1914
1915         * Configurations/Base.xcconfig:
1916         * Configurations/LLVMForJSC.xcconfig:
1917
1918 2014-04-22  Alex Christensen  <achristensen@webkit.org>
1919
1920         [Win] Unreviewed build fix after my r167666.
1921
1922         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
1923         Added ../../../ again to include headers in Source/JavaScriptCore.
1924
1925 2014-04-22  Alex Christensen  <achristensen@webkit.org>
1926
1927         Removed old stdbool and inttypes headers.
1928         https://bugs.webkit.org/show_bug.cgi?id=131966
1929
1930         Reviewed by Brent Fulgham.
1931
1932         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
1933         * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
1934         Removed references to os-win32 directory.
1935         * os-win32: Removed.
1936         * os-win32/inttypes.h: Removed.
1937         * os-win32/stdbool.h: Removed.
1938
1939 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
1940
1941         DFG::clobberize() should honestly admit that profiler and debugger nodes are effectful
1942         https://bugs.webkit.org/show_bug.cgi?id=131971
1943         <rdar://problem/16676511>
1944
1945         Reviewed by Mark Lam.
1946
1947         * dfg/DFGClobberize.h:
1948         (JSC::DFG::clobberize):
1949
1950 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
1951
1952         Switch statements that skip the baseline JIT should work
1953         https://bugs.webkit.org/show_bug.cgi?id=131965
1954
1955         Reviewed by Mark Hahnenberg.
1956
1957         * bytecode/JumpTable.h:
1958         (JSC::SimpleJumpTable::ensureCTITable):
1959         * dfg/DFGSpeculativeJIT.cpp:
1960         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1961         * jit/JITOpcodes.cpp:
1962         (JSC::JIT::emit_op_switch_imm):
1963         (JSC::JIT::emit_op_switch_char):
1964         * jit/JITOpcodes32_64.cpp:
1965         (JSC::JIT::emit_op_switch_imm):
1966         (JSC::JIT::emit_op_switch_char):
1967         * tests/stress/inline-llint-with-switch.js: Added.
1968         (foo):
1969         (bar):
1970         (test):
1971
1972 2014-04-21  Mark Hahnenberg  <mhahnenberg@apple.com>
1973
1974         Arguments objects shouldn't need a destructor
1975         https://bugs.webkit.org/show_bug.cgi?id=131899
1976
1977         Reviewed by Oliver Hunt.
1978
1979         This patch rids Arguments objects of their destructors. It does this by 
1980         switching their backing stores to use CopiedSpace rather than malloc memory.
1981
1982         * dfg/DFGSpeculativeJIT.cpp:
1983         (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Fix the code emitted for inline
1984         Arguments allocation so that it only emits an extra write for strict mode code rather
1985         than unconditionally.
1986         * heap/CopyToken.h: New CopyTokens for the two different types of Arguments backing stores.
1987         * runtime/Arguments.cpp:
1988         (JSC::Arguments::visitChildren): We need to tell the collector to copy the backing stores now.
1989         (JSC::Arguments::copyBackingStore): Do the actual copying of the backing stores.
1990         (JSC::Arguments::deletePropertyByIndex): Update all the accesses to SlowArgumentData and m_registerArray.
1991         (JSC::Arguments::deleteProperty):
1992         (JSC::Arguments::defineOwnProperty):
1993         (JSC::Arguments::allocateRegisterArray):
1994         (JSC::Arguments::tearOff):
1995         (JSC::Arguments::destroy): Deleted. We don't need the destructor any more.
1996         * runtime/Arguments.h:
1997         (JSC::Arguments::registerArraySizeInBytes):
1998         (JSC::Arguments::SlowArgumentData::SlowArgumentData): Switch SlowArgumentData to being allocated
1999         in CopiedSpace. Now the SlowArgumentData and its backing store are a single contiguous CopiedSpace
2000         allocation.
2001         (JSC::Arguments::SlowArgumentData::slowArguments):
2002         (JSC::Arguments::SlowArgumentData::bytecodeToMachineCaptureOffset):
2003         (JSC::Arguments::SlowArgumentData::setBytecodeToMachineCaptureOffset):
2004         (JSC::Arguments::SlowArgumentData::sizeForNumArguments):
2005         (JSC::Arguments::Arguments):
2006         (JSC::Arguments::allocateSlowArguments):
2007         (JSC::Arguments::tryDeleteArgument):
2008         (JSC::Arguments::isDeletedArgument):
2009         (JSC::Arguments::isArgument):
2010         (JSC::Arguments::argument):
2011         (JSC::Arguments::finishCreation):
2012         * runtime/SymbolTable.h:
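
An added example for this entry and for the 2014-04-23 entry above ("Arguments::copyBackingStore needs to update m_registers in tandem with m_registerArray"); it is not part of this ChangeLog or of JSC's sources. It models an Arguments-like object whose register backing store is evacuated by a copying collector, and shows the correct copy (both the owning pointer and the interior pointer rebased together) beside the shape of the bug (only the owning pointer updated, leaving the interior pointer dangling into the old block). The CopiedBlock model, slot layout and names are this example's assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical, simplified model of an Arguments object whose register backing
// store lives in a copying space and is moved by the collector. Constructed for
// illustration; not JSC's own code.
using Register = int64_t;

struct CopiedBlock {                  // stands in for one CopiedSpace block
    std::vector<Register> storage;
};

class Arguments {
public:
    // m_registerArray is the start of the backing store; m_registers is an
    // interior pointer into it, headerSlots in. Both refer to the same block,
    // so both must be rebased whenever the block moves.
    void allocateRegisterArray(CopiedBlock& block, size_t count, size_t headerSlots)
    {
        block.storage.assign(count + headerSlots, 0);
        m_registerArray = block.storage.data();
        m_registers = m_registerArray + headerSlots;
        m_count = count;
        m_headerSlots = headerSlots;
    }

    Register& argument(size_t index) { return m_registers[index]; }

    // What copyBackingStore() must do: move the contents, then update BOTH
    // pointers, preserving m_registers' offset within the store.
    void copyBackingStore(CopiedBlock& newBlock)
    {
        newBlock.storage.assign(m_registerArray, m_registerArray + m_count + m_headerSlots);
        Register* newArray = newBlock.storage.data();
        m_registers = newArray + (m_registers - m_registerArray);
        m_registerArray = newArray;
    }

    // The shape of the bug fixed in 132079: only the owning pointer is updated,
    // and m_registers keeps pointing into the block the collector will reuse.
    void copyBackingStoreLeavingRegistersDangling(CopiedBlock& newBlock)
    {
        newBlock.storage.assign(m_registerArray, m_registerArray + m_count + m_headerSlots);
        m_registerArray = newBlock.storage.data();
    }

    // Consistency check a debug build might assert: both pointers lie in `block`.
    bool backingStoreIsIn(const CopiedBlock& block) const
    {
        uintptr_t begin = reinterpret_cast<uintptr_t>(block.storage.data());
        uintptr_t end = begin + block.storage.size() * sizeof(Register);
        uintptr_t array = reinterpret_cast<uintptr_t>(m_registerArray);
        uintptr_t registers = reinterpret_cast<uintptr_t>(m_registers);
        return array == begin && registers >= begin && registers < end;
    }

private:
    Register* m_registerArray = nullptr;
    Register* m_registers = nullptr;
    size_t m_count = 0;
    size_t m_headerSlots = 0;
};

// Allocate in one block, store an argument, evacuate to a second block, and let
// the collector drop the first. Returns the argument read back afterwards, or
// -1 if the object no longer points wholly into the new block (so the dangling
// pointer is never dereferenced).
Register evacuateAndRead(bool useFixedCopy)
{
    CopiedBlock oldBlock, newBlock;
    Arguments arguments;
    arguments.allocateRegisterArray(oldBlock, 3, 2);
    arguments.argument(1) = 42;
    if (useFixedCopy)
        arguments.copyBackingStore(newBlock);
    else
        arguments.copyBackingStoreLeavingRegistersDangling(newBlock);
    oldBlock.storage.clear();
    oldBlock.storage.shrink_to_fit();   // old block released, as after a collection
    return arguments.backingStoreIsIn(newBlock) ? arguments.argument(1) : -1;
}
```

The rule generalizes to any object that keeps more than one pointer into a movable allocation: rebase every one of them by the same delta in the copy callback, and assert in debug builds that they all still fall inside the new block.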
2013
2014 2014-04-21  Eric Carlson  <eric.carlson@apple.com>
2015
2016         [Mac] implement WebKitDataCue
2017         https://bugs.webkit.org/show_bug.cgi?id=131799
2018
2019         Reviewed by Dean Jackson.
2020
2021         * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE.
2022
2023 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
2024
2025         Unreviewed test gardening, run the repeat-out-of-bounds tests again.
2026
2027         * tests/stress/float32-repeat-out-of-bounds.js:
2028         * tests/stress/int8-repeat-out-of-bounds.js:
2029
2030 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
2031
2032         OSR exit should know about Int52 and Double constants
2033         https://bugs.webkit.org/show_bug.cgi?id=131945
2034
2035         Reviewed by Oliver Hunt.
2036         
2037         The DFG OSR exit machinery's ignorance would lead to some constants becoming
2038         jsUndefined() after OSR exit.
2039         
2040         The FTL OSR exit machinery's ignorance just meant that we would sometimes use a
2041         stackmap constant rather than baking the constant into the OSRExit data structure.
2042         So, not a big deal, but worth fixing.
2043         
2044         Also added some helpful hacks to jsc.cpp for testing such OSR exit pathologies.
2045
2046         * dfg/DFGByteCodeParser.cpp:
2047         (JSC::DFG::ByteCodeParser::handleIntrinsic):
2048         * dfg/DFGMinifiedNode.h:
2049         (JSC::DFG::belongsInMinifiedGraph):
2050         (JSC::DFG::MinifiedNode::hasConstantNumber):
2051         * ftl/FTLLowerDFGToLLVM.cpp:
2052         (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
2053         * jsc.cpp:
2054         (GlobalObject::finishCreation):
2055         (functionOtherFalse):
2056         (functionUndefined):
2057         * runtime/Intrinsic.h:
2058         * tests/stress/fold-to-double-constant-then-exit.js: Added.
2059         (foo):
2060         * tests/stress/fold-to-int52-constant-then-exit.js: Added.
2061         (foo):
2062
2063 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
2064
2065         Provide feedback when we encounter an unrecognized node in the FTL backend.
2066
2067         Rubber stamped by Alexey Proskuryakov.
2068
2069         * ftl/FTLLowerDFGToLLVM.cpp:
2070         (JSC::FTL::LowerDFGToLLVM::compileNode):
2071
2072 2014-04-21  Andreas Kling  <akling@apple.com>
2073
2074         Move the JSString cache from DOMWrapperWorld to VM.
2075         <https://webkit.org/b/131940>
2076
2077         Reviewed by Geoff Garen.
2078
2079         * runtime/VM.h:
2080
2081 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
2082
2083         Take block execution count estimates into account when voting double
2084         https://bugs.webkit.org/show_bug.cgi?id=131906
2085
2086         Reviewed by Geoffrey Garen.
2087         
2088         This was a drama in three acts.
2089         
2090         Act I: Slurp in BasicBlock::executionCount and use it as a weight when counting the
2091             number of uses of a variable that want double or non-double. Easy as pie. This
2092             gave me a huge speed-up on FloatMM and a huge slow-down on basically everything
2093             else.
2094         
2095         Act II: Realize that there were some programs where our previous double voting was
2096             just on the edge of disaster and making it more precise tipped it over. In
2097             particular, if you had an integer variable that would infrequently be used in a
2098             computation that resulted in a variable that was frequently used as an array index,
2099             the outer infrequentness would be the thing we'd use in the vote. So, an array
2100             index would become double. We fix this by reviving global backwards propagation
2101             and introducing the concept of ReallyWantsInt, which is used just for array
2102             indices. Any variable transitively flagged as ReallyWantsInt will never be forced
2103             double. We need that flag to be separate from UsedAsInt, since UsedAsInt needs to
2104             be set in bitops for RageConversion but using it for double forcing is too much.
2105             Basically, it's cheaper to have to convert a double to an int for a bitop than it
2106             is to convert a double to an int for an array index; also a variable being used as
2107             an array index is a much stronger hint that it ought to be an int. This recovered
2108             performance on everything except programs that used FTL OSR entry.
2109         
2110         Act III: Realize that OSR entrypoint creation creates blocks that have NaN execution
2111             count, which then completely pollutes the weighting - essentially all votes go
2112             NaN. Fix this with some surgical defenses. Basically, any client of execution
2113             counts should allow for them to be NaN and shouldn't completely fall off a cliff
2114             when it happens.
2115         
2116         This is awesome. 75% speed-up on FloatMM. 11% speed-up on audio-dft. This leads to
2117         7% speed-up on AsmBench and 2% speed-up on Kraken.
2118
2119         * CMakeLists.txt:
2120         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2121         * JavaScriptCore.xcodeproj/project.pbxproj:
2122         * dfg/DFGBackwardsPropagationPhase.cpp:
2123         (JSC::DFG::BackwardsPropagationPhase::run):
2124         (JSC::DFG::BackwardsPropagationPhase::propagate):
2125         * dfg/DFGGraph.cpp:
2126         (JSC::DFG::Graph::dumpBlockHeader):
2127         * dfg/DFGGraph.h:
2128         (JSC::DFG::Graph::voteNode):
2129         (JSC::DFG::Graph::voteChildren):
2130         * dfg/DFGNodeFlags.cpp:
2131         (JSC::DFG::dumpNodeFlags):
2132         * dfg/DFGNodeFlags.h:
2133         * dfg/DFGOSREntrypointCreationPhase.cpp:
2134         (JSC::DFG::OSREntrypointCreationPhase::run):
2135         * dfg/DFGPlan.cpp:
2136         (JSC::DFG::Plan::compileInThreadImpl):
2137         * dfg/DFGPredictionPropagationPhase.cpp:
2138         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
2139         (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
2140         * dfg/DFGVariableAccessData.cpp: Added.
2141         (JSC::DFG::VariableAccessData::VariableAccessData):
2142         (JSC::DFG::VariableAccessData::mergeIsCaptured):
2143         (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox):
2144         (JSC::DFG::VariableAccessData::predict):
2145         (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction):
2146         (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
2147         (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):
2148         (JSC::DFG::VariableAccessData::mergeDoubleFormatState):
2149         (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
2150         (JSC::DFG::VariableAccessData::flushFormat):
2151         * dfg/DFGVariableAccessData.h:
2152         (JSC::DFG::VariableAccessData::vote):
2153         (JSC::DFG::VariableAccessData::VariableAccessData): Deleted.
2154         (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted.
2155         (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox): Deleted.
2156         (JSC::DFG::VariableAccessData::predict): Deleted.
2157         (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction): Deleted.
2158         (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote): Deleted.
2159         (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat): Deleted.
2160         (JSC::DFG::VariableAccessData::mergeDoubleFormatState): Deleted.
2161         (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat): Deleted.
2162         (JSC::DFG::VariableAccessData::flushFormat): Deleted.
2163
2164 2014-04-21  Michael Saboff  <msaboff@apple.com>
2165
2166         REGRESSION(r167591): ARM64 and ARM traditional builds broken
2167         https://bugs.webkit.org/show_bug.cgi?id=131935
2168
2169         Reviewed by Mark Hahnenberg.
2170
2171         Added store8(TrustedImm32, MacroAssembler::Address) to the ARM traditional and ARM64
2172         macro assemblers.  Added a new test for the original patch.
2173
2174         * assembler/MacroAssemblerARM.h:
2175         (JSC::MacroAssemblerARM::store8):
2176         * assembler/MacroAssemblerARM64.h:
2177         (JSC::MacroAssemblerARM64::store8):
2178         * tests/stress/dfg-create-arguments-inline-alloc.js: New test.
2179
2180 2014-04-21  Mark Hahnenberg  <mhahnenberg@apple.com>
2181
2182         Inline allocate Arguments objects in the DFG
2183         https://bugs.webkit.org/show_bug.cgi?id=131897
2184
2185         Reviewed by Geoffrey Garen.
2186
2187         Many libraries/frameworks depend on the arguments object for overloaded API entry points. 
2188         This is the first step to making Arguments fast(er). We'll duplicate the logic in Arguments::create 
2189         for now and take the slow path for complicated cases like slow arguments, tearing off for strict mode, etc.
2190
2191         * dfg/DFGSpeculativeJIT.cpp:
2192         (JSC::DFG::SpeculativeJIT::emitAllocateArguments):
2193         * dfg/DFGSpeculativeJIT.h:
2194         (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
2195         * dfg/DFGSpeculativeJIT32_64.cpp:
2196         (JSC::DFG::SpeculativeJIT::compile):
2197         * dfg/DFGSpeculativeJIT64.cpp:
2198         (JSC::DFG::SpeculativeJIT::compile):
2199         * runtime/Arguments.h:
2200         (JSC::Arguments::offsetOfActivation):
2201         (JSC::Arguments::offsetOfOverrodeLength):
2202         (JSC::Arguments::offsetOfIsStrictMode):
2203         (JSC::Arguments::offsetOfRegisterArray):
2204         (JSC::Arguments::offsetOfCallee):
2205         (JSC::Arguments::allocationSize):
2206
2207 2014-04-20  Andreas Kling  <akling@apple.com>
2208
2209         Speed up jsStringWithCache() through WeakGCMap inlining.
2210         <https://webkit.org/b/131923>
2211
2212         Always inline WeakGCMap::add() but move the slow garbage collecting
2213         path out-of-line.
2214
2215         Reviewed by Darin Adler.
2216
2217         * runtime/WeakGCMap.h:
2218         (JSC::WeakGCMap::add):
2219         (JSC::WeakGCMap::gcMap):
2220
2221 2014-04-20  László Langó  <llango.u-szeged@partner.samsung.com>
2222
2223         JavaScriptCore: ARM build fix after r167094.
2224         https://bugs.webkit.org/show_bug.cgi?id=131612
2225
2226         Reviewed by Michael Saboff.
2227
2228         After r167094 there are many build errors on ARM like these:
2229
2230             /tmp/ccgtHRno.s:370: Error: invalid constant (425a) after fixup
2231             /tmp/ccgtHRno.s:374: Error: invalid constant (426e) after fixup
2232             /tmp/ccgtHRno.s:378: Error: invalid constant (4282) after fixup
2233             /tmp/ccgtHRno.s:382: Error: invalid constant (4296) after fixup
2234
2235         The problem is caused by wrongly generated assembly like:
2236             "\tmov r2, (" LOCAL_LABEL_STRING(llint_op_strcat) " - " LOCAL_LABEL_STRING(relativePCBase) ")\n" // /home/webkit/WebKit/Source/JavaScriptCore/llint/LowLevelInterpreter.asm:741
2237
2238         `mov` can only move an 8-bit immediate, but not every constant fits into 8 bits. Clang converts
2239         the mov to a single movw or a movw and a movt, depending on the immediate, but binutils doesn't.
2240         Add a new ARM-specific offline assembler instruction (`mvlbl`) for the following llint_entry
2241         use case: move rn, (label1-label2), which is translated to movw and movt.
2242
2243         * llint/LowLevelInterpreter.asm:
2244         * offlineasm/arm.rb:
2245         * offlineasm/instructions.rb:
2246
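The encoding limit the entry above runs into, shown as an added example (constructed for this page, not WebKit's offlineasm or any code from the entry): an A32 `mov` immediate is an 8-bit value rotated right by an even amount, so a constant such as 0x425a cannot be encoded in one `mov` and needs a `movw`, or a `movw`/`movt` pair, which is what the new `mvlbl` instruction expands to. The instruction templates assume condition AL and the A32 (not Thumb) encodings; `encodeModifiedImmediate` and `emitMov32` are names chosen here.

```cpp
#include <cstdint>
#include <vector>

// Constructed example, not WebKit's offlineasm: it models why a bare
// `mov rN, #imm` fails to assemble for constants like 0x425a and what a
// movw/movt expansion of the kind `mvlbl` performs looks like at the bit level.
// Assumption: all encodings use condition AL (0xE) and the A32 instruction set.

// A32 "modified immediate": an 8-bit value rotated right by an even amount.
// Returns true and fills imm12 (4-bit rotation/2, then the 8-bit value) when
// `value` is representable that way.
bool encodeModifiedImmediate(uint32_t value, uint32_t& imm12) {
    for (uint32_t rot = 0; rot < 32; rot += 2) {
        // Rotating left by `rot` undoes the decoder's rotate-right by `rot`.
        uint32_t v = rot ? ((value << rot) | (value >> (32 - rot))) : value;
        if (v <= 0xFF) {
            imm12 = ((rot / 2) << 8) | v;
            return true;
        }
    }
    return false;
}

// Encoding templates (cond=AL): MOV (immediate) A1, MOVW and MOVT.
static const uint32_t kMovImm = 0xE3A00000u;
static const uint32_t kMovw   = 0xE3000000u;
static const uint32_t kMovt   = 0xE3400000u;

static uint32_t encodeMov16(uint32_t templ, unsigned rd, uint32_t imm16) {
    // MOVW/MOVT split the 16-bit immediate as imm4:imm12.
    return templ | (((imm16 >> 12) & 0xF) << 16) | (rd << 12) | (imm16 & 0xFFF);
}

// Emit the shortest sequence that loads `value` into r<rd>: a single MOV when
// the constant is a modified immediate, otherwise MOVW plus, if needed, MOVT.
std::vector<uint32_t> emitMov32(unsigned rd, uint32_t value) {
    std::vector<uint32_t> words;
    uint32_t imm12 = 0;
    if (encodeModifiedImmediate(value, imm12)) {
        words.push_back(kMovImm | (rd << 12) | imm12);
        return words;
    }
    words.push_back(encodeMov16(kMovw, rd, value & 0xFFFF));
    if (value >> 16)
        words.push_back(encodeMov16(kMovt, rd, value >> 16));
    return words;
}
```

`emitMov32(2, 0x425a)` produces a single `movw r2, #0x425a`, which is the instruction the build error above was asking for; a label difference that does not fit in 16 bits gets the `movw`/`movt` pair. Clang performs this expansion for `mov` by itself, binutils does not, which is why the offline assembler has to emit it explicitly.
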
2247 2014-04-20  Csaba Osztrogonác  <ossy@webkit.org>
2248
2249         [ARM] Unreviewed build fix after r167336.
2250
2251         * assembler/MacroAssemblerARM.h:
2252         (JSC::MacroAssemblerARM::branchAdd32):
2253
2254 2014-04-20  Commit Queue  <commit-queue@webkit.org>
2255
2256         Unreviewed, rolling out r167501.
2257         https://bugs.webkit.org/show_bug.cgi?id=131913
2258
2259         It broke DYEBench (Requested by mhahnenberg on #webkit).
2260
2261         Reverted changeset:
2262
2263         "Deleting properties poisons objects"
2264         https://bugs.webkit.org/show_bug.cgi?id=131551
2265         http://trac.webkit.org/changeset/167501
2266
2267 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
2268
2269         It should be OK to store new fields into objects that have no prototypes
2270         https://bugs.webkit.org/show_bug.cgi?id=131905
2271
2272         Reviewed by Mark Hahnenberg.
2273
2274         * dfg/DFGByteCodeParser.cpp:
2275         (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
2276         * tests/stress/put-by-id-transition-null-prototype.js: Added.
2277         (foo):
2278
2279 2014-04-19  Benjamin Poulain  <bpoulain@apple.com>
2280
2281         Make the CSS JIT compile for ARM64
2282         https://bugs.webkit.org/show_bug.cgi?id=131834
2283
2284         Reviewed by Gavin Barraclough.
2285
2286         Extend the ARM64 MacroAssembler to support the code generation required by
2287         the CSS JIT.
2288
2289         * assembler/MacroAssembler.h:
2290         * assembler/MacroAssemblerARM64.h:
2291         (JSC::MacroAssemblerARM64::addPtrNoFlags):
2292         (JSC::MacroAssemblerARM64::or32):
2293         (JSC::MacroAssemblerARM64::branchPtr):
2294         (JSC::MacroAssemblerARM64::test32):
2295         (JSC::MacroAssemblerARM64::branch):
2296         * assembler/MacroAssemblerX86Common.h:
2297         (JSC::MacroAssemblerX86Common::test32):
2298
2299 2014-04-19  Andreas Kling  <akling@apple.com>
2300
2301         Two little shortcuts to the JSType.
2302         <https://webkit.org/b/131896>
2303
2304         Tweak two sites that take the long road through JSCell::structure()->typeInfo()
2305         to look at data that's already in JSCell::type().
2306
2307         Reviewed by Darin Adler.
2308
2309         * runtime/NameInstance.h:
2310         (JSC::isName):
2311         * runtime/NumberPrototype.cpp:
2312         (JSC::toThisNumber):
2313
2314 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
2315
2316         Make it easier to check if an integer sum would overflow
2317         https://bugs.webkit.org/show_bug.cgi?id=131900
2318
2319         Reviewed by Darin Adler.
2320
2321         * dfg/DFGOperations.cpp:
2322         * runtime/Operations.h:
2323         (JSC::jsString):
2324
2325 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
2326
2327         Address some feedback on https://bugs.webkit.org/show_bug.cgi?id=130684.
2328
2329         * dfg/DFGOperations.cpp:
2330         * runtime/JSString.h:
2331         (JSC::JSRopeString::RopeBuilder::append):
2332
2333 2014-04-18  Mark Lam  <mark.lam@apple.com>
2334
2335         REGRESSION(r164205): WebKit crash @StructureIDTable::get.
2336         <https://webkit.org/b/130539>
2337
2338         Reviewed by Geoffrey Garen.
2339
2340         prepareOSREntry() prepares for OSR entry by first copying the local var
2341         values from the baseline frame to a scratch buffer, which is then used
2342         to fill in the locals in their new position in the DFG frame.  Unfortunately,
2343         prepareOSREntry() was using the DFG frame's frameRegisterCount as the frame
2344         size of the baseline frame.  As a result, some values of locals in the
2345         baseline frame were not saved off, and the DFG frame may get initialized
2346         with random content that happened to be in the uninitialized (and possibly
2347         unallocated) portions of the scratch buffer.
2348
2349         The fix is to use OSREntryData::m_expectedValues.numberOfLocals() as the
2350         number of locals in the baseline frame that we want to copy to the scratch
2351         buffer.
2352
2353         Note: osrEntryThunkGenerator() is expecting the DFG frameRegisterCount
2354         at offset 0 in the scratch buffer.  So, we continue to write that value
2355         there, not the baseline frame size.
2356
2357         * dfg/DFGOSREntry.cpp:
2358         (JSC::DFG::prepareOSREntry):
2359
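The copy-bound mistake the entry above describes, as an added example (constructed for this page, not JSC's prepareOSREntry()): the scratch buffer is filled with a loop bounded by the destination DFG frame's register count, while the step that builds the DFG frame consumes one slot per baseline local. Whenever the DFG frame is smaller than the baseline frame, the trailing locals come from whatever was in the scratch buffer. The struct names, the poison marker and the deliberately oversized scratch buffer (so the model stays in bounds where the real code could read unmapped memory) are assumptions made here.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed model of the prepareOSREntry() copy the entry above describes.
// Not JSC code: the struct names, the poison marker and the oversized scratch
// buffer are assumptions made so the model runs in bounds.
struct BaselineFrame { std::vector<int64_t> locals; };
struct OSREntryData  { size_t numberOfLocals; };   // m_expectedValues.numberOfLocals()

static const int64_t kPoison = 0x5A5A5A5A5A5A5A5Aull; // marks slots the copy never wrote

// Copy baseline locals into the scratch buffer, then build the DFG frame's locals
// from it. copyCount is the bound the copy loop uses; the bug was bounding it by
// the DFG frame's register count instead of the baseline local count.
std::vector<int64_t> stageLocalsThroughScratch(const BaselineFrame& frame,
                                               const OSREntryData& entry,
                                               size_t dfgFrameRegisterCount,
                                               size_t copyCount) {
    // Slot 0 holds the DFG frameRegisterCount (the entry thunk reads it there);
    // the locals follow. Pre-filling with kPoison shows where the real code would
    // have read stale, or unmapped, scratch memory.
    std::vector<int64_t> scratch(1 + std::max(copyCount, entry.numberOfLocals), kPoison);
    scratch[0] = static_cast<int64_t>(dfgFrameRegisterCount);

    for (size_t i = 0; i < copyCount && i < frame.locals.size(); ++i)
        scratch[1 + i] = frame.locals[i];

    // Filling the DFG frame consumes numberOfLocals slots no matter how many were copied.
    std::vector<int64_t> dfgLocals(entry.numberOfLocals);
    for (size_t i = 0; i < entry.numberOfLocals; ++i)
        dfgLocals[i] = scratch[1 + i];
    return dfgLocals;
}

// Pre-fix behaviour: the copy is bounded by the DFG frame's register count.
std::vector<int64_t> prepareOSREntryBuggy(const BaselineFrame& frame, const OSREntryData& entry,
                                          size_t dfgFrameRegisterCount) {
    return stageLocalsThroughScratch(frame, entry, dfgFrameRegisterCount, dfgFrameRegisterCount);
}

// Fixed behaviour: the copy is bounded by the number of baseline locals OSR entry expects.
std::vector<int64_t> prepareOSREntryFixed(const BaselineFrame& frame, const OSREntryData& entry,
                                          size_t dfgFrameRegisterCount) {
    return stageLocalsThroughScratch(frame, entry, dfgFrameRegisterCount, entry.numberOfLocals);
}

// Number of DFG locals that were initialized from garbage rather than from the baseline frame.
size_t countUninitialized(const std::vector<int64_t>& dfgLocals) {
    return static_cast<size_t>(std::count(dfgLocals.begin(), dfgLocals.end(), kPoison));
}
```

With six baseline locals and a DFG frame of four registers, the buggy variant leaves the last two DFG locals holding the poison marker, while the fixed variant reproduces the baseline frame exactly. The bug is masked whenever the DFG frame happens to be at least as large as the baseline frame, which is why it survived as long as it did.
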
2360 2014-04-18  Timothy Hatcher  <timothy@apple.com>
2361
2362         Web Inspector: Move InspectorProfilerAgent to JavaScriptCore
2363         https://bugs.webkit.org/show_bug.cgi?id=131673
2364
2365         Passes existing profiler and inspector tests.
2366
2367         Reviewed by Joseph Pecoraro.
2368
2369         * CMakeLists.txt:
2370         * DerivedSources.make:
2371         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2372         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2373         * JavaScriptCore.xcodeproj/project.pbxproj:
2374         * inspector/JSConsoleClient.cpp:
2375         (Inspector::JSConsoleClient::JSConsoleClient):
2376         (Inspector::JSConsoleClient::profile):
2377         (Inspector::JSConsoleClient::profileEnd):
2378         (Inspector::JSConsoleClient::count): Deleted.
2379         * inspector/JSConsoleClient.h:
2380         * inspector/JSGlobalObjectInspectorController.cpp:
2381         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2382         * inspector/agents/InspectorProfilerAgent.cpp: Added.
2383         (Inspector::InspectorProfilerAgent::InspectorProfilerAgent):
2384         (Inspector::InspectorProfilerAgent::~InspectorProfilerAgent):
2385         (Inspector::InspectorProfilerAgent::addProfile):
2386         (Inspector::InspectorProfilerAgent::createProfileHeader):
2387         (Inspector::InspectorProfilerAgent::enable):
2388         (Inspector::InspectorProfilerAgent::disable):
2389         (Inspector::InspectorProfilerAgent::getUserInitiatedProfileName):
2390         (Inspector::InspectorProfilerAgent::getProfileHeaders):
2391         (Inspector::buildInspectorObject):
2392         (Inspector::InspectorProfilerAgent::buildProfileInspectorObject):
2393         (Inspector::InspectorProfilerAgent::getCPUProfile):
2394         (Inspector::InspectorProfilerAgent::removeProfile):
2395         (Inspector::InspectorProfilerAgent::reset):
2396         (Inspector::InspectorProfilerAgent::didCreateFrontendAndBackend):
2397         (Inspector::InspectorProfilerAgent::willDestroyFrontendAndBackend):
2398         (Inspector::InspectorProfilerAgent::start):
2399         (Inspector::InspectorProfilerAgent::stop):
2400         (Inspector::InspectorProfilerAgent::setRecordingProfile):
2401         (Inspector::InspectorProfilerAgent::startProfiling):
2402         (Inspector::InspectorProfilerAgent::stopProfiling):
2403         * inspector/agents/InspectorProfilerAgent.h: Added.
2404         * inspector/agents/JSGlobalObjectProfilerAgent.cpp: Copied from Source/WebCore/inspector/ScriptProfile.idl.
2405         (Inspector::JSGlobalObjectProfilerAgent::JSGlobalObjectProfilerAgent):
2406         (Inspector::JSGlobalObjectProfilerAgent::profilingGlobalExecState):
2407         * inspector/agents/JSGlobalObjectProfilerAgent.h: Copied from Source/WebCore/inspector/ScriptProfile.idl.
2408         * inspector/protocol/Profiler.json: Renamed from Source/WebCore/inspector/protocol/Profiler.json.
2409         * profiler/Profile.h:
2410         * runtime/ConsoleClient.h:
2411
2412 2014-04-18  Commit Queue  <commit-queue@webkit.org>
2413
2414         Unreviewed, rolling out r167527.
2415         https://bugs.webkit.org/show_bug.cgi?id=131883
2416
2417         Broke 32-bit build (Requested by ap on #webkit).
2418
2419         Reverted changeset:
2420
2421         "[Mac] implement WebKitDataCue"
2422         https://bugs.webkit.org/show_bug.cgi?id=131799
2423         http://trac.webkit.org/changeset/167527
2424
2425 2014-04-18  Eric Carlson  <eric.carlson@apple.com>
2426
2427         [Mac] implement WebKitDataCue
2428         https://bugs.webkit.org/show_bug.cgi?id=131799
2429
2430         Reviewed by Dean Jackson.
2431
2432         * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE.
2433
2434 2014-04-18  Filip Pizlo  <fpizlo@apple.com>
2435
2436         Actually address Mark's review feedback.
2437
2438         * dfg/DFGOSRExitCompilerCommon.cpp:
2439         (JSC::DFG::handleExitCounts):
2440
2441 2014-04-18  Filip Pizlo  <fpizlo@apple.com>
2442
2443         Options::maximumExecutionCountsBetweenCheckpoints() should be higher for DFG->FTL tier-up but the same for other tier-ups
2444         https://bugs.webkit.org/show_bug.cgi?id=131850
2445
2446         Reviewed by Mark Hahnenberg.
2447         
2448         Templatize ExecutionCounter to allow for two different styles of calculating the
2449         checkpoint threshold.
2450         
2451         Appears to be a slight speed-up on DYEBench.
2452
2453         * bytecode/CodeBlock.h:
2454         (JSC::CodeBlock::llintExecuteCounter):
2455         (JSC::CodeBlock::offsetOfJITExecuteCounter):
2456         (JSC::CodeBlock::offsetOfJITExecutionActiveThreshold):
2457         (JSC::CodeBlock::offsetOfJITExecutionTotalCount):
2458         (JSC::CodeBlock::jitExecuteCounter):
2459         * bytecode/ExecutionCounter.cpp:
2460         (JSC::ExecutionCounter<countingVariant>::ExecutionCounter):
2461         (JSC::ExecutionCounter<countingVariant>::forceSlowPathConcurrently):
2462         (JSC::ExecutionCounter<countingVariant>::checkIfThresholdCrossedAndSet):
2463         (JSC::ExecutionCounter<countingVariant>::setNewThreshold):
2464         (JSC::ExecutionCounter<countingVariant>::deferIndefinitely):
2465         (JSC::applyMemoryUsageHeuristics):
2466         (JSC::applyMemoryUsageHeuristicsAndConvertToInt):
2467         (JSC::ExecutionCounter<countingVariant>::hasCrossedThreshold):
2468         (JSC::ExecutionCounter<countingVariant>::setThreshold):
2469         (JSC::ExecutionCounter<countingVariant>::reset):
2470         (JSC::ExecutionCounter<countingVariant>::dump):
2471         (JSC::ExecutionCounter::ExecutionCounter): Deleted.
2472         (JSC::ExecutionCounter::forceSlowPathConcurrently): Deleted.
2473         (JSC::ExecutionCounter::checkIfThresholdCrossedAndSet): Deleted.
2474         (JSC::ExecutionCounter::setNewThreshold): Deleted.
2475         (JSC::ExecutionCounter::deferIndefinitely): Deleted.
2476         (JSC::ExecutionCounter::applyMemoryUsageHeuristics): Deleted.
2477         (JSC::ExecutionCounter::applyMemoryUsageHeuristicsAndConvertToInt): Deleted.
2478         (JSC::ExecutionCounter::hasCrossedThreshold): Deleted.
2479         (JSC::ExecutionCounter::setThreshold): Deleted.
2480         (JSC::ExecutionCounter::reset): Deleted.
2481         (JSC::ExecutionCounter::dump): Deleted.
2482         * bytecode/ExecutionCounter.h:
2483         (JSC::formattedTotalExecutionCount):
2484         (JSC::ExecutionCounter::maximumExecutionCountsBetweenCheckpoints):
2485         (JSC::ExecutionCounter::clippedThreshold):
2486         (JSC::ExecutionCounter::formattedTotalCount): Deleted.
2487         * dfg/DFGJITCode.h:
2488         * dfg/DFGOSRExitCompilerCommon.cpp:
2489         (JSC::DFG::handleExitCounts):
2490         * llint/LowLevelInterpreter.asm:
2491         * runtime/Options.h:
2492
2493 2014-04-17  Mark Hahnenberg  <mhahnenberg@apple.com>
2494
2495         Deleting properties poisons objects
2496         https://bugs.webkit.org/show_bug.cgi?id=131551
2497
2498         Reviewed by Geoffrey Garen.
2499
2500         This is a ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.
2501
2502         * runtime/Structure.cpp:
2503         (JSC::Structure::Structure):
2504         (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
2505         (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of 
2506         Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache 
2507         delete transitions, but we allow transitioning from them.
2508         (JSC::Structure::changePrototypeTransition):
2509         (JSC::Structure::despecifyFunctionTransition):
2510         (JSC::Structure::attributeChangeTransition):
2511         (JSC::Structure::toDictionaryTransition):
2512         (JSC::Structure::preventExtensionsTransition):
2513         (JSC::Structure::addPropertyWithoutTransition):
2514         (JSC::Structure::removePropertyWithoutTransition):
2515         (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
2516         (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
2517         * runtime/Structure.h:
2518         * runtime/StructureInlines.h:
2519         (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.
2520
2521 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
2522
2523         InlineCallFrameSet should be refcounted
2524         https://bugs.webkit.org/show_bug.cgi?id=131829
2525
2526         Reviewed by Geoffrey Garen.
2527         
2528         And DFG::Plan should hold a ref to it. Previously it was owned by Graph until it
2529         became owned by JITCode. Except that if we're "failing" to compile, JITCode may die.
2530         Even as it dies, the GC may still want to scan the DFG::Plan, which leads to scanning
2531         the DesiredWriteBarriers, which leads to scanning the InlineCallFrameSet.
2532         
2533         So, just make the darn thing refcounted.
2534
2535         * bytecode/InlineCallFrameSet.h:
2536         * dfg/DFGArgumentsSimplificationPhase.cpp:
2537         (JSC::DFG::ArgumentsSimplificationPhase::run):
2538         * dfg/DFGByteCodeParser.cpp:
2539         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2540         * dfg/DFGCommonData.h:
2541         * dfg/DFGGraph.cpp:
2542         (JSC::DFG::Graph::Graph):
2543         (JSC::DFG::Graph::requiredRegisterCountForExit):
2544         * dfg/DFGGraph.h:
2545         * dfg/DFGJITCompiler.cpp:
2546         (JSC::DFG::JITCompiler::link):
2547         * dfg/DFGPlan.cpp:
2548         (JSC::DFG::Plan::Plan):
2549         * dfg/DFGPlan.h:
2550         * dfg/DFGStackLayoutPhase.cpp:
2551         (JSC::DFG::StackLayoutPhase::run):
2552         * ftl/FTLFail.cpp:
2553         (JSC::FTL::fail):
2554         * ftl/FTLLink.cpp:
2555         (JSC::FTL::link):
2556
2557 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
2558
2559         FTL::fail() should manage memory "correctly"
2560         https://bugs.webkit.org/show_bug.cgi?id=131823
2561         <rdar://problem/16384297>
2562
2563         Reviewed by Oliver Hunt.
2564
2565         * ftl/FTLFail.cpp:
2566         (JSC::FTL::fail):
2567
2568 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
2569
2570         Prediction propagator should correctly model Int52s flowing through arguments
2571         https://bugs.webkit.org/show_bug.cgi?id=131822
2572         <rdar://problem/16641408>
2573
2574         Reviewed by Oliver Hunt.
2575
2576         * dfg/DFGPredictionPropagationPhase.cpp:
2577         (JSC::DFG::PredictionPropagationPhase::propagate):
2578         * tests/stress/int52-argument.js: Added.
2579         (foo):
2580         * tests/stress/int52-variable.js: Added.
2581         (foo):
2582
2583 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
2584
2585         REGRESSION: ASSERT(!typeInfo().hasImpureGetOwnPropertySlot() || typeInfo().newImpurePropertyFiresWatchpoints()) on jquery tests
2586         https://bugs.webkit.org/show_bug.cgi?id=131798
2587
2588         Reviewed by Alexey Proskuryakov.
2589         
2590         Some day, we will fix https://bugs.webkit.org/show_bug.cgi?id=131810 and some version
2591         of this assertion can return. For now, it's not clear that the assertion is guarding
2592         any truly undesirable behavior - so it should just go away and be replaced with a
2593         FIXME.
2594
2595         * bytecode/GetByIdStatus.cpp:
2596         (JSC::GetByIdStatus::computeForStubInfo):
2597         * runtime/Structure.h:
2598         (JSC::Structure::takesSlowPathInDFGForImpureProperty):
2599
2600 2014-04-17  David Kilzer  <ddkilzer@apple.com>
2601
2602         Blind attempt to fix Windows build after r166837
2603         <http://webkit.org/b/131246>
2604
2605         Hoping to fix this build error:
2606
2607             warning MSB8027: Two or more files with the name of GCLogging.cpp will produce outputs to the same location. This can lead to an incorrect build result.  The files involved are ..\heap\GCLogging.cpp, ..\heap\GCLogging.cpp.
2608
2609         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Fix copy-paste
2610         boo-boo by changing the GCLogging.cpp ClCompile entry to a
2611         GCLogging.h ClInclude entry.
2612
2613 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
2614
2615         AI for GetLocal should match the DFG backend, and in this case, the best way to do that is to get rid of the "exit if empty prediction" thing since it's a vestige of a time long gone
2616         https://bugs.webkit.org/show_bug.cgi?id=131764
2617
2618         Reviewed by Geoffrey Garen.
2619         
2620         The attached test case can be made to not crash by deleting old code. It used to be
2621         the case that the DFG needed empty prediction guards, for shady reasons. We fixed that
2622         long ago. At this point, these guards just make life difficult. So get rid of them.
2623
2624         * dfg/DFGAbstractInterpreterInlines.h:
2625         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2626         * dfg/DFGSpeculativeJIT32_64.cpp:
2627         (JSC::DFG::SpeculativeJIT::compile):
2628         * dfg/DFGSpeculativeJIT64.cpp:
2629         (JSC::DFG::SpeculativeJIT::compile):
2630         * tests/stress/bug-131764.js: Added.
2631         (test1):
2632         (test2):
2633
2634 2014-04-17  Darin Adler  <darin@apple.com>
2635
2636         Add separate flag for IndexedDatabase in workers since the current implementation is not threadsafe
2637         https://bugs.webkit.org/show_bug.cgi?id=131785
2638         rdar://problem/16003108
2639
2640         Reviewed by Brady Eidson.
2641
2642         * Configurations/FeatureDefines.xcconfig: Added INDEXED_DATABASE_IN_WORKERS.
2643
2644 2014-04-16  Alexey Proskuryakov  <ap@apple.com>
2645
2646         Build fix after http://trac.webkit.org/changeset/167416 (Sink NaN sanitization)
2647
2648         * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::speculate):
2649
2650 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
2651
2652         Extra error reporting for invalid value conversions
2653         https://bugs.webkit.org/show_bug.cgi?id=131786
2654
2655         Rubber stamped by Ryosuke Niwa.
2656
2657         * dfg/DFGFixupPhase.cpp:
2658         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
2659
2660 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
2661
2662         Sink NaN sanitization to uses and remove it when it's unnecessary
2663         https://bugs.webkit.org/show_bug.cgi?id=131419
2664
2665         Reviewed by Oliver Hunt.
2666         
2667         This moves NaN purification to stores that could see an impure NaN.
2668         
2669         5% speed-up on AsmBench, 50% speed-up on AsmBench/n-body. It is a regression on FloatMM
2670         though, because of the other bug that causes that benchmark to box doubles in a loop.
2671
2672         * bytecode/SpeculatedType.h:
2673         (JSC::isInt32SpeculationForArithmetic):
2674         (JSC::isMachineIntSpeculationForArithmetic):
2675         (JSC::isDoubleSpeculation):
2676         (JSC::isDoubleSpeculationForArithmetic):
2677         * dfg/DFGAbstractInterpreterInlines.h:
2678         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2679         * dfg/DFGAbstractValue.cpp:
2680         (JSC::DFG::AbstractValue::fixTypeForRepresentation):
2681         * dfg/DFGFixupPhase.cpp:
2682         (JSC::DFG::FixupPhase::fixupNode):
2683         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
2684         * dfg/DFGInPlaceAbstractState.cpp:
2685         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
2686         * dfg/DFGPredictionPropagationPhase.cpp:
2687         (JSC::DFG::PredictionPropagationPhase::propagate):
2688         * dfg/DFGSpeculativeJIT.cpp:
2689         (JSC::DFG::SpeculativeJIT::compileValueRep):
2690         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
2691         * dfg/DFGUseKind.h:
2692         (JSC::DFG::typeFilterFor):
2693         * ftl/FTLLowerDFGToLLVM.cpp:
2694         (JSC::FTL::LowerDFGToLLVM::compileValueRep):
2695         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2696         * runtime/PureNaN.h:
2697         * tests/stress/float32-array-nan-inlined.js: Added.
2698         (foo):
2699         (test):
2700         * tests/stress/float32-array-nan.js: Added.
2701         (foo):
2702         (test):
2703         * tests/stress/float64-array-nan-inlined.js: Added.
2704         (foo):
2705         (isBigEndian):
2706         (test):
2707         * tests/stress/float64-array-nan.js: Added.
2708         (foo):
2709         (isBigEndian):
2710         (test):
2711
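Why NaN sanitization matters at stores, and what the pure/impure NaN distinction of the related bug 131420 entry further down this log buys, as an added example (constructed for this page, not JSC's PureNaN.h or JSValue code): in a NaN-boxed value representation, a double is tagged by adding an offset to its raw bits, and a NaN read straight out of a Float64Array can carry any payload. Some payloads, once offset, are indistinguishable from a tagged pointer or int32, so the engine must either purify such NaNs to the canonical PNaN before tagging or prove the value cannot be an impure NaN. The tag layout and the 2^48 offset below are an assumption modelled on JSC's 64-bit JSValue; the function names are chosen here.

```cpp
#include <cassert>
#include <cmath>
#include <cstdint>
#include <cstring>

// Constructed model of a JSVALUE64-style NaN-boxing value representation.
// Assumption: the tag layout and the 2^48 double-encode offset mirror JSC's
// 64-bit JSValue as recalled here; this is illustrative code, not JSC's own.
//   pointer : top 16 bits 0x0000
//   int32   : top 16 bits 0xFFFF, low 32 bits hold the integer
//   double  : raw IEEE-754 bits + 2^48, occupying 0x0001.. through 0xFFFE..
static const uint64_t kNumberTag          = 0xFFFF000000000000ull;
static const uint64_t kDoubleEncodeOffset = 0x0001000000000000ull;
static const uint64_t kPureNaNBits        = 0x7FF8000000000000ull; // canonical quiet NaN (PNaN)

static uint64_t bitsOf(double d) { uint64_t b; std::memcpy(&b, &d, sizeof b); return b; }
static double doubleOf(uint64_t b) { double d; std::memcpy(&d, &b, sizeof d); return d; }

enum class Kind { Pointer, Int32, Double };

// How a JIT fast path classifies an encoded value: by its top 16 bits only.
Kind kindOf(uint64_t encoded) {
    if ((encoded & kNumberTag) == kNumberTag) return Kind::Int32;
    if ((encoded & kNumberTag) == 0)          return Kind::Pointer;
    return Kind::Double;
}

// An "impure" NaN is one whose bit pattern, once offset, would wrap into the
// pointer or int32 tag space: everything at or above 0xFFFE000000000000.
bool isImpureNaN(double d) {
    return std::isnan(d) && bitsOf(d) >= 0xFFFE000000000000ull;
}

double pureNaN() { return doubleOf(kPureNaNBits); }

// purifyNaN(): collapse every NaN payload to PNaN; ordinary values pass through.
double purifyNaN(double d) { return std::isnan(d) ? pureNaN() : d; }

// Tag a double. Refuses impure NaNs: the caller must have purified any value
// that came from memory it does not control (a Float64Array element, for instance).
uint64_t encodeDouble(double d) {
    assert(!isImpureNaN(d));
    return bitsOf(d) + kDoubleEncodeOffset;
}

// What an unsanitized store would produce: tag raw Float64Array bits directly.
Kind kindIfTaggedUnpurified(uint64_t rawFloat64Bits) {
    return kindOf(rawFloat64Bits + kDoubleEncodeOffset);
}

// The sanitized path: purify the raw element first, then tag it.
Kind kindIfTaggedPurified(uint64_t rawFloat64Bits) {
    return kindOf(encodeDouble(purifyNaN(doubleOf(rawFloat64Bits))));
}
```

A raw element of 0xFFFF000000000001 tagged without purification classifies as a pointer, and 0xFFFE000000000001 as an int32; after `purifyNaN` both tag as ordinary doubles. This is the type-confusion risk that sinking the sanitization to stores has to preserve protection against: the optimization is only sound because a store whose incoming value is known not to be an impure NaN can skip the purification, so the `isImpureNaN` predicate, or the compiler's proof that it would return false, must be exact.
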
2712 2014-04-16  Brent Fulgham  <bfulgham@apple.com>
2713
2714         [Win] Unreviewed Windows gardening. Restrict our new 'isinf' check
2715         to 32-bit builds, and revise the comment to explain what we are
2716         doing.
2717
2718         * runtime/JSCJSValueInlines.h:
2719         (JSC::JSValue::isMachineInt): Provide motivation for the new
2720         'isinf' check for our 32-bit code path.
2721
2722 2014-04-16  Juergen Ributzka  <juergen@apple.com>
2723
2724         Allocate the data section on the heap again for FTL on ARM64
2725         https://bugs.webkit.org/show_bug.cgi?id=130156
2726
2727         Reviewed by Geoffrey Garen and Filip Pizlo.
2728
2729         * ftl/FTLCompile.cpp:
2730         (JSC::FTL::mmAllocateDataSection):
2731         * ftl/FTLDataSection.cpp:
2732         (JSC::FTL::DataSection::DataSection):
2733         (JSC::FTL::DataSection::~DataSection):
2734         * ftl/FTLDataSection.h:
2735
2736 2014-04-16  Mark Lam  <mark.lam@apple.com>
2737
2738         Crash in CodeBlock::setOptimizationThresholdBasedOnCompilationResult() when the debugger activates.
2739         <https://webkit.org/b/131747>
2740
2741         Reviewed by Filip Pizlo.
2742
2743         When the debugger is about to activate (e.g. enter stepping mode), it first
2744         waits for all DFG compilations to complete.  However, when the DFG completes,
2745         if compilation is successful, it will install a new DFG codeBlock.  The
2746         CodeBlock installation process is required to register codeBlocks with the
2747         debugger.  Debugger::registerCodeBlock() will eventually call
2748         CodeBlock::setSteppingMode() which may jettison the DFG codeBlock that we're
2749         trying to install.  Thereafter, chaos ensues.
2750
2751         This jettisoning only happens because the debugger currently sets its
2752         m_steppingMode flag before waiting for compilation to complete.  The fix is
2753         simply to set that flag only after compilation is complete.
2754
2755         * debugger/Debugger.cpp:
2756         (JSC::Debugger::setSteppingMode):
2757         (JSC::Debugger::registerCodeBlock):
2758
2759 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
2760
2761         Discern between NaNs that would be safe to tag and NaNs that need some purification before tagging
2762         https://bugs.webkit.org/show_bug.cgi?id=131420
2763
2764         Reviewed by Oliver Hunt.
2765         
2766         Rationalizes our handling of NaNs. We now have the notion of pureNaN(), or PNaN, which
2767         replaces QNaN and represents a "safe" NaN for our tagging purposes. NaN purification now
2768         goes through the purifyNaN() API.
2769         
2770         SpeculatedType and its clients can now distinguish between a PureNaN and an ImpureNaN.
2771         
2772         Prediction propagator is made slightly more cautious when dealing with NaNs. It doesn't
2773         have to be too cautious since most prediction-based logic only cares about whether or not
2774         a value could be an integer.
2775         
2776         AI is made much more cautious when dealing with NaNs. We don't yet introduce ImpureNaN
2777         anywhere in the compiler, but when we do, we ought to be able to trust AI to propagate it
2778         soundly and precisely.
2779         
2780         No performance change because this just unblocks
2781         https://bugs.webkit.org/show_bug.cgi?id=131419.
2782
2783         * API/JSValueRef.cpp:
2784         (JSValueMakeNumber):
2785         (JSValueToNumber):
2786         * JavaScriptCore.xcodeproj/project.pbxproj:
2787         * bytecode/SpeculatedType.cpp:
2788         (JSC::dumpSpeculation):
2789         (JSC::speculationFromValue):
2790         (JSC::typeOfDoubleSum):
2791         (JSC::typeOfDoubleDifference):
2792         (JSC::typeOfDoubleProduct):
2793         (JSC::polluteDouble):
2794         (JSC::typeOfDoubleQuotient):
2795         (JSC::typeOfDoubleMinMax):
2796         (JSC::typeOfDoubleNegation):
2797         (JSC::typeOfDoubleAbs):
2798         (JSC::typeOfDoubleFRound):
2799         (JSC::typeOfDoubleBinaryOp):
2800         (JSC::typeOfDoubleUnaryOp):
2801         * bytecode/SpeculatedType.h:
2802         * dfg/DFGAbstractInterpreterInlines.h:
2803         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2804         * dfg/DFGByteCodeParser.cpp:
2805         (JSC::DFG::ByteCodeParser::handleInlining):
2806         (JSC::DFG::ByteCodeParser::parseCodeBlock):
2807         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
2808         (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
2809         * dfg/DFGInPlaceAbstractState.cpp:
2810         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
2811         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
2812         (JSC::DFG::createPreHeader):
2813         * dfg/DFGNode.h:
2814         (JSC::DFG::BranchTarget::BranchTarget):
2815         * dfg/DFGOSREntrypointCreationPhase.cpp:
2816         (JSC::DFG::OSREntrypointCreationPhase::run):
2817         * dfg/DFGOSRExitCompiler32_64.cpp:
2818         (JSC::DFG::OSRExitCompiler::compileExit):
2819         * dfg/DFGOSRExitCompiler64.cpp:
2820         (JSC::DFG::OSRExitCompiler::compileExit):
2821         * dfg/DFGPredictionPropagationPhase.cpp:
2822         (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
2823         (JSC::DFG::PredictionPropagationPhase::propagate):
2824         * dfg/DFGSpeculativeJIT.cpp:
2825         (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
2826         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
2827         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
2828         * dfg/DFGSpeculativeJIT32_64.cpp:
2829         (JSC::DFG::SpeculativeJIT::compile):
2830         * dfg/DFGSpeculativeJIT64.cpp:
2831         (JSC::DFG::SpeculativeJIT::compile):
2832         * dfg/DFGVariableAccessData.h:
2833         (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
2834         * ftl/FTLLowerDFGToLLVM.cpp:
2835         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2836         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2837         (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
2838         (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
2839         (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
2840         (JSC::FTL::LowerDFGToLLVM::numberOrNotCellToInt32):
2841         (JSC::FTL::LowerDFGToLLVM::allocateJSArray):
2842         * ftl/FTLValueFormat.cpp:
2843         (JSC::FTL::reboxAccordingToFormat):
2844         * jit/AssemblyHelpers.cpp:
2845         (JSC::AssemblyHelpers::purifyNaN):
2846         (JSC::AssemblyHelpers::sanitizeDouble): Deleted.
2847         * jit/AssemblyHelpers.h:
2848         * jit/JITPropertyAccess.cpp:
2849         (JSC::JIT::emitFloatTypedArrayGetByVal):
2850         * runtime/DateConstructor.cpp:
2851         (JSC::constructDate):
2852         * runtime/DateInstanceCache.h:
2853         (JSC::DateInstanceData::DateInstanceData):
2854         (JSC::DateInstanceCache::reset):
2855         * runtime/ExceptionHelpers.cpp:
2856         (JSC::TerminatedExecutionError::defaultValue):
2857         * runtime/JSArray.cpp:
2858         (JSC::JSArray::setLength):
2859         (JSC::JSArray::pop):
2860         (JSC::JSArray::shiftCountWithAnyIndexingType):
2861         (JSC::JSArray::sortVector):
2862         (JSC::JSArray::compactForSorting):
2863         * runtime/JSArray.h:
2864         (JSC::JSArray::create):
2865         (JSC::JSArray::tryCreateUninitialized):
2866         * runtime/JSCJSValue.cpp:
2867         (JSC::JSValue::toNumberSlowCase):
2868         * runtime/JSCJSValue.h:
2869         * runtime/JSCJSValueInlines.h:
2870         (JSC::jsNaN):
2871         (JSC::JSValue::JSValue):
2872         (JSC::JSValue::getPrimitiveNumber):
2873         * runtime/JSGlobalObjectFunctions.cpp:
2874         (JSC::parseInt):
2875         (JSC::jsStrDecimalLiteral):
2876         (JSC::toDouble):
2877         (JSC::jsToNumber):
2878         (JSC::parseFloat):
2879         * runtime/JSObject.cpp:
2880         (JSC::JSObject::createInitialDouble):
2881         (JSC::JSObject::convertUndecidedToDouble):
2882         (JSC::JSObject::convertInt32ToDouble):
2883         (JSC::JSObject::deletePropertyByIndex):
2884         (JSC::JSObject::ensureLengthSlow):
2885         * runtime/MathObject.cpp:
2886         (JSC::mathProtoFuncMax):
2887         (JSC::mathProtoFuncMin):
2888         * runtime/PureNaN.h: Added.
2889         (JSC::pureNaN):
2890         (JSC::isImpureNaN):
2891         (JSC::purifyNaN):
2892         * runtime/TypedArrayAdaptors.h:
2893         (JSC::FloatTypedArrayAdaptor::toJSValue):
2894
2895 2014-04-16  Juergen Ributzka  <juergen@apple.com>
2896
2897         Enable system library calls in FTL for ARM64
2898         https://bugs.webkit.org/show_bug.cgi?id=130154
2899
2900         Reviewed by Geoffrey Garen and Filip Pizlo.
2901
2902         * ftl/FTLIntrinsicRepository.h:
2903         * ftl/FTLOutput.h:
2904         (JSC::FTL::Output::doubleRem):
2905         (JSC::FTL::Output::doubleSin):
2906         (JSC::FTL::Output::doubleCos):
2907
2908 2014-04-16  peavo@outlook.com  <peavo@outlook.com>
2909
2910         Fix JSC Debug Regressions on Windows
2911         https://bugs.webkit.org/show_bug.cgi?id=131182
2912
2913         Reviewed by Brent Fulgham.
2914
2915         The cast static_cast<int64_t>(number) in JSValue::isMachineInt() can generate a floating point error,
2916         and set the st floating point register tags, if the value of the number parameter is infinite.
2917         If the st floating point register tags are not cleared, this can cause strange floating point behavior later on.
2918         This can be avoided by checking for infinity first.
2919
2920         * runtime/JSCJSValueInlines.h:
2921         (JSC::JSValue::isMachineInt): Avoid floating point error by checking for infinity first.
2922         * runtime/Options.cpp:
2923         (JSC::recomputeDependentOptions): Re-enable jit for Windows.
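
As an added illustration (not the JavaScriptCore source or the patch itself), a version of the isMachineInt predicate that orders its checks the way the entry above describes: NaN, infinities, and values outside the Int52 range are rejected before the double is ever cast to int64_t. The constant kNumberOfInt52Bits and the function name are assumptions.

```cpp
#include <cmath>
#include <cstdint>
#include <limits>

// Width of JSC's "machine int" (Int52) representation; assumed here for illustration.
constexpr int kNumberOfInt52Bits = 52;

// Largest magnitude a signed 52-bit integer can hold: 2^51.
constexpr double kInt52Limit = static_cast<double>(int64_t(1) << (kNumberOfInt52Bits - 1));

// Returns true when `number` is an integral double that fits the signed Int52
// range and is not -0, NaN or +/-Infinity.
//
// Why the ordering matters: converting a NaN, an infinity or an out-of-range
// double to int64_t is undefined behaviour in C++. On x87 hardware the invalid
// conversion also raises an exception and leaves the FPU status/tag words dirty,
// which is the "strange floating point behaviour later on" the entry above
// describes. Filtering those inputs first means the cast only ever runs on a
// value for which it is well defined.
bool isMachineInt(double number)
{
    if (std::isnan(number))
        return false;
    if (std::isinf(number))   // the check the fix adds: never cast an infinity
        return false;
    // Range check before the cast: a huge finite double is as unsafe to cast
    // as an infinity, so reject it up front as well.
    if (number >= kInt52Limit || number < -kInt52Limit)
        return false;

    int64_t asInt64 = static_cast<int64_t>(number);   // now well defined
    if (static_cast<double>(asInt64) != number)       // fractional part present
        return false;
    if (!asInt64 && std::signbit(number))             // -0 is a double, not an int
        return false;
    return true;
}
```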
2924
2925 2014-04-16  Oliver Hunt  <oliver@apple.com>
2926
2927         Simple ES6 feature: Array.prototype.fill
2928         https://bugs.webkit.org/show_bug.cgi?id=131703
2929
2930         Reviewed by David Hyatt.
2931
2932         Add support for Array.prototype.fill
2933
2934         * builtins/Array.prototype.js:
2935         (fill):
2936         * runtime/ArrayPrototype.cpp:
2937
2938 2014-04-16  Mark Hahnenberg  <mhahnenberg@apple.com>
2939
2940         [WebKit] Cleanup the build from uninitialized variable in JavaScriptCore
2941         https://bugs.webkit.org/show_bug.cgi?id=131728
2942
2943         Reviewed by Darin Adler.
2944
2945         * runtime/JSObject.cpp:
2946         (JSC::JSObject::genericConvertDoubleToContiguous): Add a RELEASE_ASSERT on the 
2947         path we expect to never take. Also shut up confused compilers about uninitialized things.
2948
2949 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
2950
2951         Unreviewed, ARMv7 build fix after r167336.
2952
2953         * assembler/MacroAssemblerARMv7.h:
2954         (JSC::MacroAssemblerARMv7::branchAdd32):
2955
2956 2014-04-16  Gabor Rapcsanyi  <rgabor@webkit.org>
2957
2958         Unreviewed, ARM64 build fix after r167336.
2959
2960         * assembler/MacroAssemblerARM64.h:
2961         (JSC::MacroAssemblerARM64::branchAdd32): Add missing function.
2962
2963 2014-04-15  Filip Pizlo  <fpizlo@apple.com>
2964
2965         Unreviewed, add the obvious thing that marks MakeRope as exiting since it can exit.
2966
2967         * dfg/DFGAbstractInterpreterInlines.h:
2968         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2969
2970 2014-04-15  Filip Pizlo  <fpizlo@apple.com>
2971
2972         compileMakeRope does not emit necessary bounds checks
2973         https://bugs.webkit.org/show_bug.cgi?id=130684
2974         <rdar://problem/16398388>
2975
2976         Reviewed by Oliver Hunt.
2977         
2978         Add string length bounds checks in a bunch of places. We should never allow a string
2979         to have a length greater than 2^31-1 because it's not clear that the language has
2980         semantics for it and because there is code that assumes that this cannot happen.
2981         
2982         Also add a bunch of tests to that effect to cover the various ways in which this was
2983         previously allowed to happen.
2984
2985         * dfg/DFGOperations.cpp:
2986         * dfg/DFGSpeculativeJIT.cpp:
2987         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2988         * ftl/FTLLowerDFGToLLVM.cpp:
2989         (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
2990         * runtime/JSString.cpp:
2991         (JSC::JSRopeString::RopeBuilder::expand):
2992         * runtime/JSString.h:
2993         (JSC::JSString::create):
2994         (JSC::JSRopeString::RopeBuilder::append):
2995         (JSC::JSRopeString::RopeBuilder::release):
2996         (JSC::JSRopeString::append):
2997         * runtime/Operations.h:
2998         (JSC::jsString):
2999         (JSC::jsStringFromRegisterArray):
3000         (JSC::jsStringFromArguments):
3001         * runtime/StringPrototype.cpp:
3002         (JSC::stringProtoFuncIndexOf):
3003         (JSC::stringProtoFuncSlice):
3004         (JSC::stringProtoFuncSubstring):
3005         (JSC::stringProtoFuncToLowerCase):
3006         * tests/stress/make-large-string-jit-strcat.js: Added.
3007         (foo):
3008         * tests/stress/make-large-string-jit.js: Added.
3009         (foo):
3010         * tests/stress/make-large-string-strcat.js: Added.
3011         * tests/stress/make-large-string.js: Added.
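
As an added illustration (not JavaScriptCore's own RopeBuilder or this patch), a bounds-checked length accumulator in the spirit of the checks the entry above adds: lengths are summed in 64 bits and any result above 2^31-1 is refused, so neither one oversized append nor repeated self-concatenation (the pattern the make-large-string tests exercise) can produce an out-of-range length. All names here are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Longest string the engine will represent: 2^31 - 1 characters (the limit the
// entry above describes). Names in this file are assumptions for illustration.
constexpr uint32_t kMaxStringLength = 0x7FFFFFFFu;

// Combines two 32-bit string lengths. The sum is formed in 64 bits so that two
// lengths which are each in range cannot wrap around and slip past the check.
// Returns the combined length, or -1 if it would exceed kMaxStringLength.
int64_t checkedAddLength(uint32_t a, uint32_t b)
{
    uint64_t sum = static_cast<uint64_t>(a) + static_cast<uint64_t>(b);
    if (sum > kMaxStringLength)
        return -1;
    return static_cast<int64_t>(sum);
}

// Minimal rope builder: every appended fiber goes through checkedAddLength and
// an append that would exceed the limit is rejected, leaving the builder as it was.
class RopeBuilder {
public:
    bool append(uint32_t fiberLength)
    {
        int64_t newLength = checkedAddLength(m_length, fiberLength);
        if (newLength < 0)
            return false;
        m_length = static_cast<uint32_t>(newLength);
        m_fiberCount++;
        return true;
    }
    uint32_t length() const { return m_length; }
    size_t fiberCount() const { return m_fiberCount; }

private:
    uint32_t m_length = 0;
    size_t m_fiberCount = 0;
};

// Appends each fiber in turn (as a function summing many argument strings would)
// and returns how many were accepted before the first rejection.
size_t appendUntilRejected(const std::vector<uint32_t>& fibers)
{
    RopeBuilder builder;
    size_t accepted = 0;
    for (uint32_t fiber : fibers) {
        if (!builder.append(fiber))
            break;
        accepted++;
    }
    return accepted;
}

// Mirrors the make-large-string tests' strategy of repeatedly concatenating a
// string with itself: returns how many doublings succeed from `initialLength`
// before the bounds check refuses one. A zero length never grows, so it is
// reported as zero doublings rather than looping forever.
int doublingsBeforeLimit(uint32_t initialLength)
{
    if (!initialLength)
        return 0;
    uint32_t length = initialLength;
    int doublings = 0;
    for (;;) {
        int64_t doubled = checkedAddLength(length, length);
        if (doubled < 0)
            return doublings;
        length = static_cast<uint32_t>(doubled);
        doublings++;
    }
}
```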
3012
3013 2014-04-15  Julien Brianceau  <jbriance@cisco.com>
3014
3015         Remove invalid sh4 specific code in JITInlines header.
3016         https://bugs.webkit.org/show_bug.cgi?id=131692
3017
3018         Reviewed by Geoffrey Garen.
3019
3020         * jit/JITInlines.h:
3021         (JSC::JIT::callOperation): Prototype is not F_JITOperation_EJJZ
3022         anymore since r160244, so the sh4 specific code is invalid now
3023         and has to be removed.
3024
3025 2014-04-15  Mark Hahnenberg  <mhahnenberg@apple.com>
3026
3027         Fix precedence issue in JSCell::setRemembered
3028
3029         Rubber stamped by Filip Pizlo.
3030
3031         * runtime/JSCell.h:
3032         (JSC::JSCell::setRemembered):
3033
3034 2014-04-15  Mark Hahnenberg  <mhahnenberg@apple.com>
3035
3036         Objective-C API external object graphs don't handle generational collection properly
3037         https://bugs.webkit.org/show_bug.cgi?id=131634
3038
3039         Reviewed by Geoffrey Garen.
3040
3041         If the set of Objective-C objects transitively reachable through an object changes, we 
3042         need to update the set of opaque roots accordingly. If we don't, the next EdenCollection 
3043         won't rescan the external object graph, which would lead us to consider a newly allocated 
3044         JSManagedValue to be dead.
3045
3046         * API/JSBase.cpp:
3047         (JSSynchronousEdenCollectForDebugging):
3048         * API/JSVirtualMachine.mm:
3049         (-[JSVirtualMachine initWithContextGroupRef:]):
3050         (-[JSVirtualMachine dealloc]):
3051         (-[JSVirtualMachine isOldExternalObject:]):
3052         (-[JSVirtualMachine addExternalRememberedObject:]):
3053         (-[JSVirtualMachine addManagedReference:withOwner:]):
3054         (-[JSVirtualMachine removeManagedReference:withOwner:]):
3055         (-[JSVirtualMachine externalRememberedSet]):
3056         (scanExternalObjectGraph):
3057         (scanExternalRememberedSet):
3058         * API/JSVirtualMachineInternal.h:
3059         * API/tests/testapi.mm:
3060         * heap/Heap.cpp:
3061         (JSC::Heap::markRoots):
3062         * heap/Heap.h:
3063         (JSC::Heap::slotVisitor):
3064         * heap/SlotVisitor.h:
3065         * heap/SlotVisitorInlines.h:
3066         (JSC::SlotVisitor::containsOpaqueRoot):
3067         (JSC::SlotVisitor::containsOpaqueRootTriState):
3068
3069 2014-04-15  Filip Pizlo  <fpizlo@apple.com>
3070
3071         DFG IR should keep the data flow of doubles and int52's separate from the data flow of JSValue's
3072         https://bugs.webkit.org/show_bug.cgi?id=131423
3073
3074         Reviewed by Geoffrey Garen.
3075         
3076         This introduces more static typing into DFG IR. Previously we just had the notion of
3077         JSValues and Storage. This was weird because doubles weren't always convertible to
3078         JSValues, and Int52s weren't always convertible to either doubles or JSValues. We would
3079         sort of insert explicit conversion nodes just for the places where we knew that an
3080         implicit conversion wouldn't have been possible -- but there was no hard and fast rule so
3081         we'd get bugs from forgetting to do the right conversion.
3082         
3083         This patch introduces a hard and fast rule: doubles can never be implicitly converted to
3084         anything but doubles, and likewise Int52's can never be implicitly converted. Conversion
3085         nodes are used for all of the conversions. Int52Rep, DoubleRep, and ValueRep are the
3086         conversions. They are like Identity but return the same value using a different
3087         representation. Likewise, constants may now be represented using either JSConstant,
3088         Int52Constant, or DoubleConstant. UseKinds have been adjusted accordingly, as well.
3089         Int52RepUse and DoubleRepUse are node uses that mean "the node must be of Int52 (or
3090         Double) type". They don't imply checks. There is also DoubleRepRealUse, which means that
3091         we speculate DoubleReal and expect Double representation.
3092         
3093         In addition to simplifying a bunch of rules in the IR and making the IR more verifiable,
3094         this also makes it easier to introduce optimizations in the future. It's now possible for
3095         AI to model when/how conversions take place. For example if doing a conversion results in
3096         NaN sanitization, then AI can model this and can allow us to sink sanitizations. That's
3097         what https://bugs.webkit.org/show_bug.cgi?id=131419 will be all about.
3098         
3099         This was a big change, so I had to do some interesting things, like finally get rid of
3100         the DFG's weird variadic template macro hacks and use real C++11 variadic templates. Also
3101         the ByteCodeParser no longer emits Identity nodes since that was always pointless.
3102         
3103         No performance change because this mostly just rationalizes preexisting behavior.
3104
3105         * JavaScriptCore.xcodeproj/project.pbxproj:
3106         * assembler/MacroAssemblerX86.h:
3107         * bytecode/CodeBlock.cpp:
3108         * bytecode/CodeBlock.h:
3109         * dfg/DFGAbstractInterpreter.h:
3110         (JSC::DFG::AbstractInterpreter::setBuiltInConstant):
3111         (JSC::DFG::AbstractInterpreter::setConstant):
3112         * dfg/DFGAbstractInterpreterInlines.h:
3113         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3114         * dfg/DFGAbstractValue.cpp:
3115         (JSC::DFG::AbstractValue::set):
3116         (JSC::DFG::AbstractValue::fixTypeForRepresentation):
3117         (JSC::DFG::AbstractValue::checkConsistency):
3118         * dfg/DFGAbstractValue.h:
3119         * dfg/DFGBackwardsPropagationPhase.cpp:
3120         (JSC::DFG::BackwardsPropagationPhase::propagate):
3121         * dfg/DFGBasicBlock.h:
3122         * dfg/DFGBasicBlockInlines.h:
3123         (JSC::DFG::BasicBlock::appendNode):
3124         (JSC::DFG::BasicBlock::appendNonTerminal):
3125         * dfg/DFGByteCodeParser.cpp:
3126         (JSC::DFG::ByteCodeParser::parseBlock):
3127         * dfg/DFGCSEPhase.cpp:
3128         (JSC::DFG::CSEPhase::constantCSE):
3129         (JSC::DFG::CSEPhase::performNodeCSE):
3130         (JSC::DFG::CSEPhase::int32ToDoubleCSE): Deleted.
3131         * dfg/DFGCapabilities.h:
3132         * dfg/DFGClobberize.h:
3133         (JSC::DFG::clobberize):
3134         * dfg/DFGConstantFoldingPhase.cpp:
3135         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3136         * dfg/DFGDCEPhase.cpp:
3137         (JSC::DFG::DCEPhase::fixupBlock):
3138         * dfg/DFGEdge.h:
3139         (JSC::DFG::Edge::willNotHaveCheck):
3140         * dfg/DFGFixupPhase.cpp:
3141         (JSC::DFG::FixupPhase::run):
3142         (JSC::DFG::FixupPhase::fixupNode):
3143         (JSC::DFG::FixupPhase::fixupGetAndSetLocalsInBlock):
3144         (JSC::DFG::FixupPhase::observeUseKindOnNode):
3145         (JSC::DFG::FixupPhase::fixIntEdge):
3146         (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
3147         (JSC::DFG::FixupPhase::injectTypeConversionsInBlock):
3148         (JSC::DFG::FixupPhase::tryToRelaxRepresentation):
3149         (JSC::DFG::FixupPhase::fixEdgeRepresentation):
3150         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
3151         (JSC::DFG::FixupPhase::addRequiredPhantom):
3152         (JSC::DFG::FixupPhase::addPhantomsIfNecessary):
3153         (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
3154         (JSC::DFG::FixupPhase::fixupSetLocalsInBlock): Deleted.
3155         * dfg/DFGFlushFormat.h:
3156         (JSC::DFG::resultFor):
3157         (JSC::DFG::useKindFor):
3158         * dfg/DFGGraph.cpp:
3159         (JSC::DFG::Graph::dump):
3160         * dfg/DFGGraph.h:
3161         (JSC::DFG::Graph::addNode):
3162         * dfg/DFGInPlaceAbstractState.cpp:
3163         (JSC::DFG::InPlaceAbstractState::initialize):
3164         * dfg/DFGInsertionSet.h:
3165         (JSC::DFG::InsertionSet::insertNode):
3166         (JSC::DFG::InsertionSet::insertConstant):
3167         (JSC::DFG::InsertionSet::insertConstantForUse):
3168         * dfg/DFGIntegerCheckCombiningPhase.cpp:
3169         (JSC::DFG::IntegerCheckCombiningPhase::insertAdd):
3170         (JSC::DFG::IntegerCheckCombiningPhase::insertMustAdd):
3171         * dfg/DFGNode.cpp:
3172         (JSC::DFG::Node::convertToIdentity):
3173         (WTF::printInternal):
3174         * dfg/DFGNode.h:
3175         (JSC::DFG::Node::Node):
3176         (JSC::DFG::Node::setResult):
3177         (JSC::DFG::Node::result):
3178         (JSC::DFG::Node::isConstant):
3179         (JSC::DFG::Node::hasConstant):
3180         (JSC::DFG::Node::convertToConstant):
3181         (JSC::DFG::Node::valueOfJSConstant):
3182         (JSC::DFG::Node::hasResult):
3183         (JSC::DFG::Node::hasInt32Result):
3184         (JSC::DFG::Node::hasInt52Result):
3185         (JSC::DFG::Node::hasNumberResult):
3186         (JSC::DFG::Node::hasDoubleResult):
3187         (JSC::DFG::Node::hasJSResult):
3188         (JSC::DFG::Node::hasBooleanResult):
3189         (JSC::DFG::Node::hasStorageResult):
3190         (JSC::DFG::Node::defaultUseKind):
3191         (JSC::DFG::Node::defaultEdge):
3192         (JSC::DFG::Node::convertToIdentity): Deleted.
3193         * dfg/DFGNodeFlags.cpp:
3194         (JSC::DFG::dumpNodeFlags):
3195         * dfg/DFGNodeFlags.h:
3196         (JSC::DFG::canonicalResultRepresentation):
3197         * dfg/DFGNodeType.h:
3198         * dfg/DFGOSRExitCompiler32_64.cpp:
3199         (JSC::DFG::OSRExitCompiler::compileExit):
3200         * dfg/DFGOSRExitCompiler64.cpp:
3201         (JSC::DFG::OSRExitCompiler::compileExit):
3202         * dfg/DFGPredictionPropagationPhase.cpp:
3203         (JSC::DFG::PredictionPropagationPhase::propagate):
3204         * dfg/DFGResurrectionForValidationPhase.cpp:
3205         (JSC::DFG::ResurrectionForValidationPhase::run):
3206         * dfg/DFGSSAConversionPhase.cpp:
3207         (JSC::DFG::SSAConversionPhase::run):
3208         * dfg/DFGSafeToExecute.h:
3209         (JSC::DFG::SafeToExecuteEdge::operator()):
3210         (JSC::DFG::safeToExecute):
3211         * dfg/DFGSpeculativeJIT.cpp:
3212         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
3213         (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
3214         (JSC::DFG::SpeculativeJIT::silentFill):
3215         (JSC::DFG::JSValueRegsTemporary::JSValueRegsTemporary):
3216         (JSC::DFG::JSValueRegsTemporary::~JSValueRegsTemporary):
3217         (JSC::DFG::JSValueRegsTemporary::regs):
3218         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
3219         (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
3220         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
3221         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
3222         (JSC::DFG::SpeculativeJIT::compileValueRep):
3223         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
3224         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
3225         (JSC::DFG::SpeculativeJIT::compileAdd):
3226         (JSC::DFG::SpeculativeJIT::compileArithSub):
3227         (JSC::DFG::SpeculativeJIT::compileArithNegate):
3228         (JSC::DFG::SpeculativeJIT::compileArithMul):
3229         (JSC::DFG::SpeculativeJIT::compileArithDiv):
3230         (JSC::DFG::SpeculativeJIT::compileArithMod):
3231         (JSC::DFG::SpeculativeJIT::compare):
3232         (JSC::DFG::SpeculativeJIT::compileStrictEq):
3233         (JSC::DFG::SpeculativeJIT::speculateNumber):
3234         (JSC::DFG::SpeculativeJIT::speculateDoubleReal):
3235         (JSC::DFG::SpeculativeJIT::speculate):
3236         (JSC::DFG::SpeculativeJIT::compileInt32ToDouble): Deleted.
3237         (JSC::DFG::SpeculativeJIT::speculateMachineInt): Deleted.
3238         (JSC::DFG::SpeculativeJIT::speculateRealNumber): Deleted.
3239         * dfg/DFGSpeculativeJIT.h:
3240         (JSC::DFG::SpeculativeJIT::allocate):
3241         (JSC::DFG::SpeculativeJIT::use):
3242         (JSC::DFG::SpeculativeJIT::boxDouble):
3243         (JSC::DFG::SpeculativeJIT::spill):
3244         (JSC::DFG::SpeculativeJIT::jsValueResult):
3245         (JSC::DFG::SpeculateInt52Operand::SpeculateInt52Operand):
3246         (JSC::DFG::SpeculateStrictInt52Operand::SpeculateStrictInt52Operand):
3247         (JSC::DFG::SpeculateWhicheverInt52Operand::SpeculateWhicheverInt52Operand):
3248         (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
3249         * dfg/DFGSpeculativeJIT32_64.cpp:
3250         (JSC::DFG::SpeculativeJIT::fillJSValue):
3251         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
3252         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3253         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3254         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3255         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
3256         (JSC::DFG::SpeculativeJIT::emitBranch):
3257         (JSC::DFG::SpeculativeJIT::compile):
3258         (JSC::DFG::SpeculativeJIT::convertToDouble): Deleted.
3259         * dfg/DFGSpeculativeJIT64.cpp:
3260         (JSC::DFG::SpeculativeJIT::fillJSValue):
3261         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
3262         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
3263         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3264         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3265         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3266         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
3267         (JSC::DFG::SpeculativeJIT::emitBranch):
3268         (JSC::DFG::SpeculativeJIT::compile):
3269         (JSC::DFG::SpeculativeJIT::convertToDouble): Deleted.
3270         * dfg/DFGStrengthReductionPhase.cpp:
3271         (JSC::DFG::StrengthReductionPhase::handleNode):
3272         * dfg/DFGUseKind.cpp:
3273         (WTF::printInternal):
3274         * dfg/DFGUseKind.h:
3275         (JSC::DFG::typeFilterFor):
3276         (JSC::DFG::shouldNotHaveTypeCheck):
3277         (JSC::DFG::mayHaveTypeCheck):
3278         (JSC::DFG::isNumerical):
3279         (JSC::DFG::isDouble):
3280         (JSC::DFG::isCell):
3281         (JSC::DFG::usesStructure):
3282         (JSC::DFG::useKindForResult):
3283         * dfg/DFGValidate.cpp:
3284         (JSC::DFG::Validate::validate):
3285         * dfg/DFGVariadicFunction.h: Removed.
3286         * ftl/FTLCapabilities.cpp:
3287         (JSC::FTL::canCompile):
3288         * ftl/FTLLowerDFGToLLVM.cpp:
3289         (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
3290         (JSC::FTL::LowerDFGToLLVM::compileNode):
3291         (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
3292         (JSC::FTL::LowerDFGToLLVM::compilePhi):
3293         (JSC::FTL::LowerDFGToLLVM::compileDoubleConstant):
3294         (JSC::FTL::LowerDFGToLLVM::compileInt52Constant):
3295         (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant):
3296         (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
3297         (JSC::FTL::LowerDFGToLLVM::compileValueRep):
3298         (JSC::FTL::LowerDFGToLLVM::compileInt52Rep):
3299         (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
3300         (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
3301         (JSC::FTL::LowerDFGToLLVM::compileArithMul):
3302         (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
3303         (JSC::FTL::LowerDFGToLLVM::compileArithMod):
3304         (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
3305         (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
3306         (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
3307         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
3308         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
3309         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
3310         (JSC::FTL::LowerDFGToLLVM::compare):
3311         (JSC::FTL::LowerDFGToLLVM::boolify):
3312         (JSC::FTL::LowerDFGToLLVM::lowInt52):
3313         (JSC::FTL::LowerDFGToLLVM::lowStrictInt52):
3314         (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52):
3315         (JSC::FTL::LowerDFGToLLVM::lowDouble):
3316         (JSC::FTL::LowerDFGToLLVM::lowJSValue):
3317         (JSC::FTL::LowerDFGToLLVM::strictInt52ToDouble):
3318         (JSC::FTL::LowerDFGToLLVM::jsValueToDouble):
3319         (JSC::FTL::LowerDFGToLLVM::speculate):
3320         (JSC::FTL::LowerDFGToLLVM::speculateNumber):
3321         (JSC::FTL::LowerDFGToLLVM::speculateDoubleReal):
3322         (JSC::FTL::LowerDFGToLLVM::compileInt52ToValue): Deleted.
3323         (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble): Deleted.
3324         (JSC::FTL::LowerDFGToLLVM::setInt52WithStrictValue): Deleted.
3325         (JSC::FTL::LowerDFGToLLVM::speculateRealNumber): Deleted.
3326         (JSC::FTL::LowerDFGToLLVM::speculateMachineInt): Deleted.
3327         * ftl/FTLValueFormat.cpp:
3328         (JSC::FTL::reboxAccordingToFormat):
3329         * jit/AssemblyHelpers.cpp:
3330         (JSC::AssemblyHelpers::sanitizeDouble):
3331         * jit/AssemblyHelpers.h:
3332         (JSC::AssemblyHelpers::boxDouble):
3333
3334 2014-04-15  Commit Queue  <commit-queue@webkit.org>
3335
3336         Unreviewed, rolling out r167199 and r167251.
3337         https://bugs.webkit.org/show_bug.cgi?id=131678
3338
3339         Caused a DYEBench regression and does not seem to improve perf
3340         on relevant websites (Requested by rniwa on #webkit).
3341
3342         Reverted changesets:
3343
3344         "Rewrite Function.bind as a builtin"
3345         https://bugs.webkit.org/show_bug.cgi?id=131083
3346         http://trac.webkit.org/changeset/167199
3347
3348         "Update test result"
3349         http://trac.webkit.org/changeset/167251
3350
3351 2014-04-14  Commit Queue  <commit-queue@webkit.org>
3352
3353         Unreviewed, rolling out r167272.
3354         https://bugs.webkit.org/show_bug.cgi?id=131666
3355
3356         Broke multiple tests (Requested by ap on #webkit).
3357
3358         Reverted changeset:
3359
3360         "Function.bind itself is too slow"
3361         https://bugs.webkit.org/show_bug.cgi?id=131636
3362         http://trac.webkit.org/changeset/167272
3363
3364 2014-04-14  Geoffrey Garen  <ggaren@apple.com>
3365
3366         ASSERT when firing low memory warning
3367         https://bugs.webkit.org/show_bug.cgi?id=131659
3368
3369         Reviewed by Mark Hahnenberg.
3370
3371         * heap/Heap.cpp:
3372         (JSC::Heap::deleteAllCompiledCode): Allow deleteAllCompiledCode to be
3373         called when no GC is happening because that is what we do when a low
3374         memory warning fires, and it is harmless.
3375
3376 2014-04-14  Mark Hahnenberg  <mhahnenberg@apple.com>
3377
3378         emit_op_put_by_id should not emit a write barrier that filters on value
3379         https://bugs.webkit.org/show_bug.cgi?id=131654
3380
3381         Reviewed by Filip Pizlo.
3382
3383         The 32-bit implementation does this, and it can cause crashes if we later repatch the 
3384         code to allocate and store new Butterflies.
3385
3386         * jit/JITPropertyAccess.cpp:
3387         (JSC::JIT::emitWriteBarrier): We also weren't verifying that the base was a cell on 
3388         32-bit if we were passed ShouldFilterBase. I also took the liberty of sinking the tag 
3389         load down into the if statement so that we don't do it if we're not filtering on the value.
3390         * jit/JITPropertyAccess32_64.cpp:
3391         (JSC::JIT::emit_op_put_by_id):
3392
3393 2014-04-14  Oliver Hunt  <oliver@apple.com>
3394
3395         Function.bind itself is too slow
3396         https://bugs.webkit.org/show_bug.cgi?id=131636
3397
3398         Reviewed by Geoffrey Garen.
3399
3400         Rather than forcing creation of an activation, we now store
3401         bound function properties directly on the returned closure.
3402         This is necessary to deal with code that creates many function
3403         bindings, but does not call them very often.
3404
3405         This is a 60% speed up in the included js/regress test.
3406
3407         * builtins/BuiltinExecutables.cpp:
3408         (JSC::BuiltinExecutables::createBuiltinExecutable):