Fix cloop build.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-03-28  Oliver Hunt  <oliver@apple.com>

        Fix cloop build.

        * bytecode/BytecodeList.json:

2014-03-28  Michael Saboff  <msaboff@apple.com>

        Unreviewed, rolling r166248 back in.

        Turns out r166070 didn't cause a 2% performance loss in page load times

        Reverted changeset:

        Unreviewed, rolling out r166126.
        Rollout r166126 in preparation to roll out prerequisite r166070

2014-03-27  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r166376.
        https://bugs.webkit.org/show_bug.cgi?id=130887

        This was a misguided optimization. (Requested by kling on
        #webkit).

        Reverted changeset:

        "Avoid fetching JSObject::structure() repeatedly in
        putDirectInternal."
        https://bugs.webkit.org/show_bug.cgi?id=130857
        http://trac.webkit.org/changeset/166376

2014-03-27  Oliver Hunt  <oliver@apple.com>

        Support spread operand in |new| expressions
        https://bugs.webkit.org/show_bug.cgi?id=130877

        Reviewed by Michael Saboff.

        Add support for the spread operator being applied in
        |new| expressions.  This required adding support for
        a new opcode, op_construct_varargs.  This is a relatively
        simple refactoring of the call_varargs implementation.

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::unlink):
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::callTypeFor):
        (JSC::CallLinkInfo::specializationKind):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCallVarargs):
        (JSC::BytecodeGenerator::emitConstructVarargs):
        (JSC::BytecodeGenerator::emitConstruct):
        * bytecompiler/BytecodeGenerator.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase):
        (JSC::JIT::emit_op_construct_varargs):
        (JSC::JIT::emitSlow_op_construct_varargs):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emitSlow_op_construct_varargs):
        (JSC::JIT::emit_op_construct_varargs):
        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseMemberExpression):

2014-03-27  Filip Pizlo  <fpizlo@apple.com>

        Revert http://trac.webkit.org/changeset/166386 because it broke builds.

        * Configurations/Base.xcconfig:
        * Configurations/LLVMForJSC.xcconfig:

2014-03-27  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, skip this test for now.

        * tests/stress/recurse-infinitely-on-getter.js:

2014-03-27  Filip Pizlo  <fpizlo@apple.com>

        Switch the LLVMForJSC target to using the LLVM in /usr/local rather than /usr/local/LLVMForJavaScriptCore on iOS
        https://bugs.webkit.org/show_bug.cgi?id=130867
        <rdar://problem/16432456>

        Reviewed by Mark Hahnenberg.

        * Configurations/Base.xcconfig:
        * Configurations/LLVMForJSC.xcconfig:

2014-03-27  Andreas Kling  <akling@apple.com>

        Avoid fetching JSObject::structure() repeatedly in putDirectInternal.
        <https://webkit.org/b/130857>

        Use the cached Structure* instead of re-fetching it over and over since
        that's a non-trivial operation these days.

        Reviewed by Mark Hahnenberg.

        * runtime/JSObject.h:
        (JSC::JSObject::putDirectInternal):

2014-03-27  Mark Hahnenberg  <mhahnenberg@apple.com>

        Check the remembered set bit faster
        https://bugs.webkit.org/show_bug.cgi?id=130860

        Reviewed by Oliver Hunt.

        Currently we look up the remembered set bit in the MarkedBlock in C++ code, but
        that bit is also stored in the object. We should look it up there whenever possible.

        * heap/CopiedBlockInlines.h:
        (JSC::CopiedBlock::shouldReportLiveBytes):
        * heap/Heap.cpp:
        (JSC::Heap::addToRememberedSet):
        * heap/Heap.h:
        * heap/HeapInlines.h: Removed.
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::reportExtraMemoryUsage):

2014-03-27  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Provide SPI to disallow remote inspection of a JSContext
        https://bugs.webkit.org/show_bug.cgi?id=130853

        Reviewed by Timothy Hatcher.

        * API/JSContextPrivate.h: Added.
        * API/JSContext.mm:
        (-[JSContext _remoteInspectionEnabled]):
        (-[JSContext _setRemoteInspectionEnabled:]):
        ObjC SPI to enable/disable remote inspection.

        * API/JSContextRefPrivate.h:
        * API/JSContextRef.cpp:
        (JSGlobalContextGetRemoteInspectionEnabled):
        (JSGlobalContextSetRemoteInspectionEnabled):
        C SPI to enable/disable remote inspection.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        Add new private header, and export as a private header.

2014-03-27  Mark Hahnenberg  <mhahnenberg@apple.com>

        Clean up questionable style in ScriptExecutable::prepareForExecutionImpl
        https://bugs.webkit.org/show_bug.cgi?id=130845

        Reviewed by Filip Pizlo.

        There was a hack added to make sure C Loop LLInt worked which included overriding the
        global Options::useLLInt setting, which makes no sense to do here. We should put the
        update of the global setting in Options::recomputeDependentOptions along with the other
        execution engine flags.

        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::prepareForExecutionImpl):
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2014-03-26  Filip Pizlo  <fpizlo@apple.com>

        Enable LLVM stackmap liveOuts computation
        https://bugs.webkit.org/show_bug.cgi?id=130821

        Reviewed by Andy Estes and Sam Weinig.

        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::Record::dump):
        * llvm/library/LLVMExports.cpp:
        (initializeAndGetJSCLLVMAPI):

2014-03-26  Filip Pizlo  <fpizlo@apple.com>

        Parse stackmaps liveOuts
        https://bugs.webkit.org/show_bug.cgi?id=130801

        Reviewed by Geoffrey Garen.

        This just adds the code to parse them but doesn't do anything with them, yet.

        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::forStackmaps):
        * ftl/FTLLocation.h:
        (JSC::FTL::Location::forRegister):
        (JSC::FTL::Location::forIndirect):
        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::Location::parse):
        (JSC::FTL::StackMaps::Location::dump):
        (JSC::FTL::StackMaps::LiveOut::parse):
        (JSC::FTL::StackMaps::LiveOut::dump):
        (JSC::FTL::StackMaps::Record::parse):
        (JSC::FTL::StackMaps::Record::dump):
        * ftl/FTLStackMaps.h:

2014-03-26  Mark Lam  <mark.lam@apple.com>

        Build fix after r166307.

        Not reviewed.

        * runtime/JSCell.h:
        - The inline function isAPIValueWrapper() should not be exported.  This
          was causing a linkage error when building for 32-bit x86 on Mac.

2014-03-26  Filip Pizlo  <fpizlo@apple.com>

        Reasoning about DWARF register numbers should be moved out of FTL::Location
        https://bugs.webkit.org/show_bug.cgi?id=130792

        Reviewed by Oliver Hunt.

        Moving this code makes it possible for things other than FTL::Location to reason about
        DWARF register encoding. This refactoring also appears to reduce some code duplication
        and makes FTLLocation.cpp cleaner.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLDWARFRegister.cpp: Added.
        (JSC::FTL::DWARFRegister::reg):
        (JSC::FTL::DWARFRegister::dump):
        * ftl/FTLDWARFRegister.h: Added.
        (JSC::FTL::DWARFRegister::DWARFRegister):
        (JSC::FTL::DWARFRegister::dwarfRegNum):
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::dump):
        (JSC::FTL::Location::isGPR):
        (JSC::FTL::Location::gpr):
        (JSC::FTL::Location::isFPR):
        (JSC::FTL::Location::fpr):
        * ftl/FTLLocation.h:
        (JSC::FTL::Location::hasDwarfReg):
        (JSC::FTL::Location::dwarfReg):

2014-03-26  Brent Fulgham  <bfulgham@apple.com>

        Unreviewed build fix.

        * runtime/JSCell.h: VS2013 confused about argument type.

2014-03-26  Zoltan Horvath  <zoltan@webkit.org>

        [CSS Shapes] Remove shape-inside support
        https://bugs.webkit.org/show_bug.cgi?id=130698

        Reviewed by David Hyatt.

        * Configurations/FeatureDefines.xcconfig:

2014-03-26  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        Rename hasFastArrayStorage to be more appropriate
        https://bugs.webkit.org/show_bug.cgi?id=130773

        Reviewed by Filip Pizlo.

        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::alreadyChecked):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGWatchpointCollectionPhase.cpp:
        (JSC::DFG::WatchpointCollectionPhase::handle):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNewArray):
        (JSC::FTL::LowerDFGToLLVM::compileNewArrayBuffer):
        (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::unshift):
        (JSC::Butterfly::shift):
        * runtime/IndexingHeaderInlines.h:
        (JSC::IndexingHeader::preCapacity):
        * runtime/IndexingType.h:
        (JSC::hasArrayStorage):
        (JSC::hasAnyArrayStorage):
        (JSC::hasFastArrayStorage): Deleted.
        * runtime/JSArray.cpp:
        (JSC::JSArray::sortVector):
        (JSC::JSArray::compactForSorting):
        * runtime/JSArray.h:
        (JSC::JSArray::create):
        (JSC::JSArray::tryCreateUninitialized):
        * runtime/JSGlobalObject.cpp:
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
        * runtime/JSObject.h:
        (JSC::JSObject::ensureArrayStorage):
        (JSC::JSObject::arrayStorage):
        * runtime/StructureTransitionTable.h:
        (JSC::newIndexingType):

2014-03-26  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed. Removing the remaining Automake cruft.

        * GNUmakefile.list.am: Removed.

2014-03-25  Filip Pizlo  <fpizlo@apple.com>

        Arguments simplification phase should be fine with marking the arguments local itself as an arguments alias
        https://bugs.webkit.org/show_bug.cgi?id=130764
        <rdar://problem/16304788>

        Reviewed by Sam Weinig.

        Being an arguments alias just means that your OSR exit recovery should attempt arguments
        creation. This is true of arguments locals. We had special cases that tried to make it not
        true of arguments locals. The only consequence of those special cases was to cause crashes
        in case of arguments that are also captured variables (i.e. we have SlowArguments). This
        change just removes those special cases.

        This change means that the FTL will now see SetLocals with a FlushedArguments format.
        Previously you wouldn't see them because previously only non-captured variables would be
        arguments aliases, and non-captured variables get completely SSAified - i.e. no SetLocals
        left. Adding handling for FlushedArguments is a benign and simple change since its
        behavior is identical to FlushedJSValue for that code's purposes.

        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
        * tests/stress/captured-arguments-variable.js: Added.
        (foo):
        (noInline):

2014-03-25  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add HeapInlines
        https://bugs.webkit.org/show_bug.cgi?id=130759

        Reviewed by Filip Pizlo.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Heap.cpp:
        (JSC::MarkedBlockSnapshotFunctor::MarkedBlockSnapshotFunctor):
        (JSC::MarkedBlockSnapshotFunctor::operator()):
        * heap/Heap.h: Also reindented while we're here.
        (JSC::Heap::writeBarrierBuffer):
        (JSC::Heap::vm):
        (JSC::Heap::objectSpace):
        (JSC::Heap::machineThreads):
        (JSC::Heap::operationInProgress):
        (JSC::Heap::allocatorForObjectWithoutDestructor):
        (JSC::Heap::allocatorForObjectWithNormalDestructor):
        (JSC::Heap::allocatorForObjectWithImmortalStructureDestructor):
        (JSC::Heap::storageAllocator):
        (JSC::Heap::notifyIsSafeToCollect):
        (JSC::Heap::isSafeToCollect):
        (JSC::Heap::handleSet):
        (JSC::Heap::handleStack):
        (JSC::Heap::lastFullGCLength):
        (JSC::Heap::lastEdenGCLength):
        (JSC::Heap::increaseLastFullGCLength):
        (JSC::Heap::sizeBeforeLastEdenCollection):
        (JSC::Heap::sizeAfterLastEdenCollection):
        (JSC::Heap::sizeBeforeLastFullCollection):
        (JSC::Heap::sizeAfterLastFullCollection):
        (JSC::Heap::jitStubRoutines):
        (JSC::Heap::isDeferred):
        (JSC::Heap::structureIDTable):
        (JSC::Heap::removeCodeBlock):
        * heap/HeapInlines.h: Added.
        (JSC::Heap::shouldCollect):
        (JSC::Heap::isBusy):
        (JSC::Heap::isCollecting):
        (JSC::Heap::heap):
        (JSC::Heap::isLive):
        (JSC::Heap::isInRememberedSet):
        (JSC::Heap::isMarked):
        (JSC::Heap::testAndSetMarked):
        (JSC::Heap::setMarked):
        (JSC::Heap::isWriteBarrierEnabled):
        (JSC::Heap::writeBarrier):
        (JSC::Heap::reportExtraMemoryCost):
        (JSC::Heap::forEachProtectedCell):
        (JSC::Heap::forEachCodeBlock):
        (JSC::Heap::allocateWithNormalDestructor):
        (JSC::Heap::allocateWithImmortalStructureDestructor):
        (JSC::Heap::allocateWithoutDestructor):
        (JSC::Heap::tryAllocateStorage):
        (JSC::Heap::tryReallocateStorage):
        (JSC::Heap::ascribeOwner):
        (JSC::Heap::blockAllocator):
        (JSC::Heap::releaseSoon):
        (JSC::Heap::incrementDeferralDepth):
        (JSC::Heap::decrementDeferralDepth):
        (JSC::Heap::collectIfNecessaryOrDefer):
        (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
        (JSC::Heap::markListSet):
        * runtime/JSCInlines.h:

2014-03-25  Filip Pizlo  <fpizlo@apple.com>

        DFG::ByteCodeParser::SetMode should distinguish between setting immediately without a flush and setting immediately with a flush
        https://bugs.webkit.org/show_bug.cgi?id=130760

        Reviewed by Mark Hahnenberg.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::setLocal):
        (JSC::DFG::ByteCodeParser::setArgument):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * tests/stress/assign-argument-in-inlined-call.js: Added.
        (f1):
        (getF2Arguments):
        (f2):
        (f3):
        * tests/stress/assign-captured-argument-in-inlined-call.js: Added.
        (f1):
        (f2):
        (f3):

2014-03-25  Filip Pizlo  <fpizlo@apple.com>

        Fix 32-bit getter call alignment.

        Reviewed by Mark Hahnenberg.

        * jit/Repatch.cpp:
        (JSC::generateGetByIdStub):

2014-03-25  Filip Pizlo  <fpizlo@apple.com>

        Repatch should plant calls to getters directly rather than through a C helper
        https://bugs.webkit.org/show_bug.cgi?id=129589

        Reviewed by Mark Hahnenberg.

        As the title says. All of the superstructure for this was already in place, so now it
        was just a matter of actually emitting the call.

        8x speed-up for getter microbenchmarks.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/PolymorphicGetByIdList.h:
        (JSC::GetByIdAccess::doesCalls):
        * jit/AccessorCallJITStubRoutine.cpp: Added.
        (JSC::AccessorCallJITStubRoutine::AccessorCallJITStubRoutine):
        (JSC::AccessorCallJITStubRoutine::~AccessorCallJITStubRoutine):
        (JSC::AccessorCallJITStubRoutine::visitWeak):
        * jit/AccessorCallJITStubRoutine.h: Added.
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::storeCell):
        * jit/GCAwareJITStubRoutine.h:
        * jit/Repatch.cpp:
        (JSC::generateGetByIdStub):
        * runtime/GetterSetter.h:
        (JSC::GetterSetter::offsetOfGetter):
        (JSC::GetterSetter::offsetOfSetter):

2014-03-25  Michael Saboff  <msaboff@apple.com>

        Unreviewed, rolling out r166126.

        Rollout r166126 in preparation to roll out prerequisite r166070

        Reverted changeset:

        "toThis() on a JSWorkerGlobalScope should return a JSProxy and
        not undefined"
        https://bugs.webkit.org/show_bug.cgi?id=130554
        http://trac.webkit.org/changeset/166126

2014-03-25  Oliver Hunt  <oliver@apple.com>

        AST incorrectly conflates readable and writable locations
        https://bugs.webkit.org/show_bug.cgi?id=130734

        Reviewed by Filip Pizlo.

        We need to distinguish between "locations" that are valid for reading
        and writing, vs those that may only be written.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitBytecode):
        (JSC::ForOfNode::emitBytecode):
        * parser/Nodes.h:
        (JSC::ExpressionNode::isAssignmentLocation):

2014-03-24  Oliver Hunt  <oliver@apple.com>

        ASSERTION FAILED in Parser: dst != localReg
        https://bugs.webkit.org/show_bug.cgi?id=130710

        Reviewed by Filip Pizlo.

        Just make sure we don't try to write to a captured constant,
        following the change to track captured variables separately.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::PostfixNode::emitResolve):
        (JSC::PrefixNode::emitResolve):

2014-03-25  Martin Robinson  <mrobinson@igalia.com>

        [GTK] Remove the autotools build
        https://bugs.webkit.org/show_bug.cgi?id=130717

        Reviewed by Anders Carlsson.

        * GNUmakefile.am: Removed.
        * config.h: Remove references to the autotools configure file.

2014-03-24  Filip Pizlo  <fpizlo@apple.com>

        More scaffolding for a stub routine to have a stub recursively embedded inside it
        https://bugs.webkit.org/show_bug.cgi?id=130770

        Reviewed by Oliver Hunt.

        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::unlink): VM& argument is superfluous.
        (JSC::CallLinkInfo::visitWeak): Factor this out, it used to be in CodeBlock::finalizeUnconditionally().
        * bytecode/CallLinkInfo.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeUnconditionally): Factor out some functionality into CallLinkInfo::visitWeak(), and make sure we pass RepatchBuffer& in more places.
        (JSC::CodeBlock::unlinkCalls):
        (JSC::CodeBlock::unlinkIncomingCalls):
        * bytecode/PolymorphicGetByIdList.cpp: Pass RepatchBuffer& through and call JITStubRoutine::visitWeak().
        (JSC::GetByIdAccess::visitWeak):
        (JSC::PolymorphicGetByIdList::visitWeak):
        * bytecode/PolymorphicGetByIdList.h:
        * bytecode/PolymorphicPutByIdList.cpp: Pass RepatchBuffer& through and call JITStubRoutine::visitWeak().
        (JSC::PutByIdAccess::visitWeak):
        (JSC::PolymorphicPutByIdList::visitWeak):
        * bytecode/PolymorphicPutByIdList.h:
        * bytecode/StructureStubInfo.cpp: Pass RepatchBuffer& through.
        (JSC::StructureStubInfo::visitWeakReferences):
        * bytecode/StructureStubInfo.h:
        * jit/ClosureCallStubRoutine.cpp: isClosureCall is unused.
        (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
        * jit/GCAwareJITStubRoutine.cpp:
        (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
        (JSC::createJITStubRoutine):
        * jit/GCAwareJITStubRoutine.h: Make it easier to construct one of these.
        (JSC::GCAwareJITStubRoutine::isClosureCall): Deleted.
        * jit/JITStubRoutine.cpp:
        (JSC::JITStubRoutine::visitWeak): This will allow future JITStubRoutine subclasses to have stubs recursively embedded inside them.
        * jit/JITStubRoutine.h:
        * jit/Repatch.cpp:
        (JSC::generateGetByIdStub): Fix a possible GC bug where we weren't making the stub routine GC aware.
        (JSC::emitCustomSetterStub): Clean up some code.

2014-03-24  Geoffrey Garen  <ggaren@apple.com>

        Safari crashes in JavaScriptCore: JSC::JSObject::growOutOfLineStorage
        when WebKit is compiled with fcatch-undefined-behavior
        https://bugs.webkit.org/show_bug.cgi?id=130652

        Reviewed by Mark Hahnenberg.

        Use a static member function because the butterfly we pass in might be
        NULL, and passing NULL to a member function is undefined behavior.

        Stylistically, I think this new way reads a little more clearly, since it
        matches createOrGrowArrayRight, and it helps to convey that m_butterfly
        might not exist yet.

        * runtime/Butterfly.h:
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::createOrGrowPropertyStorage): Renamed from growPropertyStorage
        because we might create. Split out the create path to avoid using NULL
        in a member function expression.

        Removed some unused versions of this function.

        * runtime/JSObject.cpp:
        (JSC::JSObject::growOutOfLineStorage): Updated for interface change.

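The null-`this` problem the entry above describes, as an added example that is not WebKit's code: a simplified stand-in for Butterfly::createOrGrowPropertyStorage and JSObject::growOutOfLineStorage in which the possibly-null old storage is passed as an ordinary argument to a static member instead of being used as the object of a member call. All type and function names here (PropertyStorage, Object, createOrGrow) are hypothetical.

```cpp
// Added example, not WebKit's code: a simplified stand-in for JSC's
// Butterfly::createOrGrowPropertyStorage / JSObject::growOutOfLineStorage.
// All names here are hypothetical.
#include <algorithm>
#include <cstddef>

struct PropertyStorage {
    std::size_t capacity;
    int* values; // simplified payload; real JSC stores JSValues in a Butterfly

    // Before the fix (deliberately not reproduced): growPropertyStorage() was a
    // non-static member invoked as object->storage()->growPropertyStorage(...)
    // even when storage() was NULL. Evaluating a member call through a null
    // pointer is undefined behaviour regardless of what the body does, so a
    // build with undefined-behaviour checks aborts at the call site.
    //
    // After the fix: a static member receives the possibly-null old storage as
    // an ordinary argument, and the create and grow paths are explicit.
    static PropertyStorage* createOrGrow(PropertyStorage* oldStorage, std::size_t newCapacity)
    {
        // value-initialised, so newly added slots read as 0
        PropertyStorage* fresh = new PropertyStorage{ newCapacity, new int[newCapacity]() };
        if (!oldStorage)
            return fresh; // create path: no previous contents to preserve

        // grow path: preserve existing values, then release the old block
        std::size_t kept = std::min(oldStorage->capacity, newCapacity);
        std::copy(oldStorage->values, oldStorage->values + kept, fresh->values);
        delete[] oldStorage->values;
        delete oldStorage;
        return fresh;
    }
};

struct Object {
    PropertyStorage* storage = nullptr; // out-of-line storage is created lazily

    // Analogue of JSObject::growOutOfLineStorage: valid whether or not the
    // object already has storage, because the null handling lives in the callee.
    std::size_t growOutOfLineStorage(std::size_t newCapacity)
    {
        storage = PropertyStorage::createOrGrow(storage, newCapacity);
        return storage->capacity;
    }

    std::size_t capacity() const { return storage ? storage->capacity : 0; }

    ~Object()
    {
        if (storage) {
            delete[] storage->values;
            delete storage;
        }
    }
};

// Exercises both paths: the first call creates storage, the second grows it
// and must keep previously written slots. Returns true when every check holds.
bool createThenGrowPreservesValues()
{
    Object object;
    if (object.capacity() != 0)
        return false;
    if (object.growOutOfLineStorage(4) != 4) // create path (storage was null)
        return false;
    object.storage->values[2] = 42;
    if (object.growOutOfLineStorage(8) != 8) // grow path
        return false;
    return object.storage->values[2] == 42 && object.storage->values[7] == 0;
}
```
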
2014-03-24  Oliver Hunt  <oliver@apple.com>

        Strict mode destructuring assignment crashes the parser.
        https://bugs.webkit.org/show_bug.cgi?id=130538

        Reviewed by Michael Saboff.

        The SyntaxChecker mode always returns 1 for success, except
        for a small subset of functions where we needed exact information.
        This ends up just being a poor design decision as it means
        the parser can get confused between a function returning 1, and
        the Resolve constant which was also 1. So we now use a unique
        type for every creation method.

        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createSourceElements):
        (JSC::SyntaxChecker::createFunctionBody):
        (JSC::SyntaxChecker::createArguments):
        (JSC::SyntaxChecker::createSpreadExpression):
        (JSC::SyntaxChecker::createArgumentsList):
        (JSC::SyntaxChecker::createPropertyList):
        (JSC::SyntaxChecker::createElementList):
        (JSC::SyntaxChecker::createFormalParameterList):
        (JSC::SyntaxChecker::createClause):
        (JSC::SyntaxChecker::createClauseList):
        (JSC::SyntaxChecker::createFuncDeclStatement):
        (JSC::SyntaxChecker::createBlockStatement):
        (JSC::SyntaxChecker::createExprStatement):
        (JSC::SyntaxChecker::createIfStatement):
        (JSC::SyntaxChecker::createForLoop):
        (JSC::SyntaxChecker::createForInLoop):
        (JSC::SyntaxChecker::createForOfLoop):
        (JSC::SyntaxChecker::createEmptyStatement):
        (JSC::SyntaxChecker::createVarStatement):
        (JSC::SyntaxChecker::createReturnStatement):
        (JSC::SyntaxChecker::createBreakStatement):
        (JSC::SyntaxChecker::createContinueStatement):
        (JSC::SyntaxChecker::createTryStatement):
        (JSC::SyntaxChecker::createSwitchStatement):
        (JSC::SyntaxChecker::createWhileStatement):
        (JSC::SyntaxChecker::createWithStatement):
        (JSC::SyntaxChecker::createDoWhileStatement):
        (JSC::SyntaxChecker::createLabelStatement):
        (JSC::SyntaxChecker::createThrowStatement):
        (JSC::SyntaxChecker::createDebugger):
        (JSC::SyntaxChecker::createConstStatement):
        (JSC::SyntaxChecker::appendConstDecl):
        (JSC::SyntaxChecker::combineCommaNodes):
        (JSC::SyntaxChecker::operatorStackPop):

2014-03-24  Brent Fulgham  <bfulgham@apple.com>

        Activate WebVTT Tests Once Merging is Complete
        https://bugs.webkit.org/show_bug.cgi?id=130420

        Reviewed by Eric Carlson.

        * Configurations/FeatureDefines.xcconfig: Turn on ENABLE(WEBVTT_REGIONS)

2014-03-24  Andreas Kling  <akling@apple.com>

        Stop pulling in all the macro assemblers from VM.h
        <https://webkit.org/b/130691>

        Remove #include of "GPRInfo.h". This breaks WebCore's dependency
        on macro assemblers headers and removes 8 includes from every
        .cpp file in the JS bindings.

        Reviewed by Geoff Garen.

        * runtime/VM.h:

2014-03-24  Gavin Barraclough  <barraclough@apple.com>

        Add support for thread QoS
        https://bugs.webkit.org/show_bug.cgi?id=130688

        Reviewed by Andreas Kling.

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::blockFreeingThreadStartFunc):
            - block freeing is a utility activity.

2014-03-24  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix CLOOP build.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
        (JSC::CodeBlock::resetStubDuringGCInternal): Deleted.
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::callLinkInfosEnd): Deleted.

2014-03-24  Gabor Rapcsanyi  <rgabor@webkit.org>

        [ARM64] GNU assembler doesn't work with LLInt arm64 backend.
        https://bugs.webkit.org/show_bug.cgi?id=130453

        Reviewed by Filip Pizlo.

        Change fp and lr to x29 and x30. Add both operand kinds to emitARM64()
        at sxtw and uxtw instructions.

        * offlineasm/arm64.rb:

2014-03-23  Hyowon Kim  <hw1008.kim@samsung.com>

        Move all EFL typedefs into EflTypedefs.h.
        https://bugs.webkit.org/show_bug.cgi?id=130511

        Reviewed by Gyuyoung Kim.

        * heap/HeapTimer.h: Remove EFL typedefs.

2014-03-23  Filip Pizlo  <fpizlo@apple.com>

        Gotta grow the locals vectors if we are about to do SetLocals beyond the bytecode's numCalleeRegisters
        https://bugs.webkit.org/show_bug.cgi?id=130650
        <rdar://problem/16122966>

        Reviewed by Michael Saboff.

        Previously, it was only in the case of inlining that we would do SetLocal's beyond the
        previously established numLocals limit. But then we added generalized op_call_varargs
        handling, which results in us emitting SetLocals that didn't previously exist in the
        bytecode.

        This factors out the inliner's ensureLocals loop and calls it from op_call_varargs.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ensureLocals):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::parse):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub): Make this do alignment correctly.
        * runtime/Options.h:
        * tests/stress/call-varargs-from-inlined-code.js: Added.
        * tests/stress/call-varargs-from-inlined-code-with-odd-number-of-arguments.js: Added.

2014-03-22  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, adjust sizes for ARM64.

        * ftl/FTLInlineCacheSize.cpp:
        (JSC::FTL::sizeOfCall):

2014-03-22  Filip Pizlo  <fpizlo@apple.com>

        Protect the silent spiller/filler's desire to fill Int32Constants by making sure that we don't mark something as having a Int32 register format if it's a non-Int32 constant
        https://bugs.webkit.org/show_bug.cgi?id=130649
        <rdar://problem/16399949>

        Reviewed by Andreas Kling.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        * tests/stress/fuzz-bug-16399949.js: Added.
        (tryItOut.f):
        (tryItOut):

2014-03-22  Filip Pizlo  <fpizlo@apple.com>

        Call linking slow paths should be passed a CallLinkInfo* directly so that you can create a call IC without adding it to any CodeBlocks
        https://bugs.webkit.org/show_bug.cgi?id=130644

        Reviewed by Andreas Kling.

        This is conceptually a really simple change but it involves the following:

        - The inline part of the call IC stuffs a pointer to the CallLinkInfo into regT2.

        - CodeBlock uses a Bag of CallLinkInfos instead of a Vector.

        - Remove the significance of a CallLinkInfo's index. This means that DFG::JITCode no
          longer has a vector of slow path counts that shadows the CallLinkInfo vector.

        - Make CallLinkInfo have its own slowPathCount, which counts actual slow path executions
          and not all relinking.

        This makes planting JS->JS calls inside other inline caches or stubs a lot easier, since
        the CallLinkInfo and the call IC slow paths no longer rely on the call being associated
        with an op_call/op_construct instruction and a machine code return PC within such an
        instruction.

        * bytecode/CallLinkInfo.h:
        (JSC::getCallLinkInfoCodeOrigin):
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):
        (JSC::CallLinkStatus::computeDFGStatuses):
        * bytecode/CallLinkStatus.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::getCallLinkInfoMap):
        (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
        (JSC::CodeBlock::addCallLinkInfo):
        (JSC::CodeBlock::unlinkCalls):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::stubInfoBegin):
        (JSC::CodeBlock::stubInfoEnd):
        (JSC::CodeBlock::callLinkInfosBegin):
        (JSC::CodeBlock::callLinkInfosEnd):
        (JSC::CodeBlock::byValInfo):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
806         * dfg/DFGByteCodeParser.cpp:
807         (JSC::DFG::ByteCodeParser::handleCall):
808         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
809         * dfg/DFGJITCode.h:
810         * dfg/DFGJITCompiler.cpp:
811         (JSC::DFG::JITCompiler::link):
812         * dfg/DFGJITCompiler.h:
813         (JSC::DFG::JITCompiler::addJSCall):
814         (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
815         * dfg/DFGOSRExitCompilerCommon.cpp:
816         (JSC::DFG::reifyInlinedCallFrames):
817         * dfg/DFGSpeculativeJIT.cpp:
818         (JSC::DFG::SpeculativeJIT::compile):
819         * dfg/DFGSpeculativeJIT.h:
820         * dfg/DFGSpeculativeJIT32_64.cpp:
821         (JSC::DFG::SpeculativeJIT::emitCall):
822         * dfg/DFGSpeculativeJIT64.cpp:
823         (JSC::DFG::SpeculativeJIT::emitCall):
824         * ftl/FTLCompile.cpp:
825         (JSC::FTL::fixFunctionBasedOnStackMaps):
826         * ftl/FTLInlineCacheSize.cpp:
827         (JSC::FTL::sizeOfCall):
828         * ftl/FTLJSCall.cpp:
829         (JSC::FTL::JSCall::JSCall):
830         (JSC::FTL::JSCall::emit):
831         (JSC::FTL::JSCall::link):
832         * ftl/FTLJSCall.h:
833         * jit/JIT.cpp:
834         (JSC::JIT::privateCompileMainPass):
835         (JSC::JIT::privateCompileSlowCases):
836         (JSC::JIT::privateCompile):
837         * jit/JIT.h:
838         * jit/JITCall.cpp:
839         (JSC::JIT::compileOpCall):
840         (JSC::JIT::compileOpCallSlowCase):
841         * jit/JITCall32_64.cpp:
842         (JSC::JIT::compileOpCall):
843         (JSC::JIT::compileOpCallSlowCase):
844         * jit/JITOperations.cpp:
845         * jit/JITOperations.h:
846         (JSC::operationLinkFor):
847         (JSC::operationVirtualFor):
848         (JSC::operationLinkClosureCallFor):
849         * jit/Repatch.cpp:
850         (JSC::linkClosureCall):
851         * jit/ThunkGenerators.cpp:
852         (JSC::slowPathFor):
853         (JSC::virtualForThunkGenerator):
854         * tests/stress/eval-that-is-not-eval.js: Added.
855
856 2014-03-22  Filip Pizlo  <fpizlo@apple.com>
857
858         Unreviewed, fix misspelled test name.
859
860         * tests/stress/constand-folding-osr-exit.js: Removed.
861         * tests/stress/constant-folding-osr-exit.js: Copied from Source/JavaScriptCore/tests/stress/constand-folding-osr-exit.js.
862
863 2014-03-22  Andreas Kling  <akling@apple.com>
864
865         CREATE_DOM_WRAPPER doesn't need the ExecState.
866         <https://webkit.org/b/130648>
867
868         Add a fast path from JSGlobalObject to the VM so we don't have
869         to dance via the Heap.
870
871         Reviewed by Darin Adler.
872
873         * runtime/JSGlobalObject.cpp:
874         (JSC::JSGlobalObject::JSGlobalObject):
875         * runtime/JSGlobalObject.h:
876         (JSC::JSGlobalObject::vm):
877
878 2014-03-22  Filip Pizlo  <fpizlo@apple.com>
879
880         Unreviewed, fix FTL build.
881
882         * ftl/FTLJITFinalizer.cpp:
883
884 2014-03-22  Michael Saboff  <msaboff@apple.com>
885
886         toThis() on a JSWorkerGlobalScope should return a JSProxy and not undefined
887         https://bugs.webkit.org/show_bug.cgi?id=130554
888
889         Reviewed by Geoffrey Garen.
890
891         Fixed toThis() on WorkerGlobalScope to return a JSProxy instead of the JSGlobalObject.
892         Did some cleanup as well.  Moved the setting of the thisObject in a JSGlobalObject to
893         happen in finishCreation() so that it will also happen for other derived classes including
894         JSWorkerGlobalScopeBase.
895
896         * API/JSContextRef.cpp:
897         (JSGlobalContextCreateInGroup):
898         * jsc.cpp:
899         (GlobalObject::create):
900         * API/tests/testapi.c:
901         (globalObject_initialize): Eliminated ASSERT that the global object we are creating matches
902         the result from JSContextGetGlobalObject() as that will return the proxy.       
903         * runtime/JSGlobalObject.cpp:
904         (JSC::JSGlobalObject::init): Removed thisValue parameter and the call to setGlobalThis() since
905         we now call setGlobalThis in finishCreation().
906         * runtime/JSGlobalObject.h:
907         (JSC::JSGlobalObject::finishCreation):
908         (JSC::JSGlobalObject::setGlobalThis): Made this a private method.
909
910 2014-03-22  Andreas Kling  <akling@apple.com>
911
912         Fix debug build.
913
914         * bytecode/CodeBlock.cpp:
915         * runtime/Executable.cpp:
916
917 2014-03-22  Andreas Kling  <akling@apple.com>
918
919         Cut down on JSC profiler includes in WebCore & co.
920         <https://webkit.org/b/130637>
921
922         Most of WebKit was pulling in JSC's profiler headers via VM.h.
923
924         Reviewed by Darin Adler.
925
926         * dfg/DFGDisassembler.cpp:
927         * dfg/DFGDisassembler.h:
928         * dfg/DFGJITFinalizer.cpp:
929         * jsc.cpp:
930         * runtime/VM.cpp:
931         * runtime/VM.h:
932
933 2014-03-22  Landry Breuil <landry@openbsd.org>
934
935         Use pthread_stackseg_np() to find the stack bounds on OpenBSD.
936         https://bugs.webkit.org/show_bug.cgi?id=129965
937
938         Reviewed by Anders Carlsson.
939
940 2014-03-21  Mark Lam  <mark.lam@apple.com>
941
942         Crash when BytecodeGenerator::emitJump calls Label::bind on null pointer.
943         <https://webkit.org/b/124508>
944
945         Reviewed by Oliver Hunt.
946
947         The issue is that BreakNode::emitBytecode() is holding onto a LabelScope
948         pointer from the BytecodeGenerator's m_localScopes vector, and then it
949         calls emitPopScopes().  emitPopScopes() may do finally clause handling
950         which will require the m_localScopes to be cloned so that it can change
951         the local scopes for the finally block, and then restore it after
952         handling the finally clause.  These modifications of the m_localScopes
953         vector will result in the LabelScope pointer in BreakNode::emitBytecode()
954         becoming stale, thereby causing the crash.
955
956         The same issue applies to the ContinueNode as well.
957
958         The fix is to use the existing LabelScopePtr abstraction instead of raw
959         LabelScope pointers.  The LabelScopePtr is resilient to the underlying
960         vector re-allocating its backing store.
961
962         I also changed the LabelScopePtr constructor that takes a LabelScopeStore
963         to expect a reference to the owner store instead of a pointer because the
964         owner store should never be a null pointer.
965
966         * bytecompiler/BytecodeGenerator.cpp:
967         (JSC::BytecodeGenerator::newLabelScope):
968         (JSC::BytecodeGenerator::breakTarget):
969         (JSC::BytecodeGenerator::continueTarget):
970         * bytecompiler/BytecodeGenerator.h:
971         * bytecompiler/LabelScope.h:
972         (JSC::LabelScopePtr::LabelScopePtr):
973         (JSC::LabelScopePtr::operator bool):
974         (JSC::LabelScopePtr::null):
975         * bytecompiler/NodesCodegen.cpp:
976         (JSC::ContinueNode::trivialTarget):
977         (JSC::ContinueNode::emitBytecode):
978         (JSC::BreakNode::trivialTarget):
979         (JSC::BreakNode::emitBytecode):
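        The stale-pointer bug described in this entry and the index-based handle that fixes it, as an added example in plain C++ (not JavaScriptCore's code; LabelScope, LabelScopeStore, forceReallocation and the other names here are hypothetical stand-ins for the real ones):

```cpp
// Added example (not JavaScriptCore code): why a raw pointer into a growable
// vector goes stale, and an index-based handle in the spirit of LabelScopePtr.
#include <cstdint>
#include <string>
#include <vector>

struct LabelScope {
    std::string name;
    int depth;
};

// Hypothetical stand-in for BytecodeGenerator's m_localScopes. std::vector
// moves its elements to a new backing store whenever it outgrows capacity.
using LabelScopeStore = std::vector<LabelScope>;

// Handle that survives reallocation: it remembers the owner and an index and
// resolves on every access. Takes a reference, since the owner is never null.
class LabelScopePtr {
public:
    LabelScopePtr(LabelScopeStore& store, size_t index) : m_store(&store), m_index(index) {}
    LabelScope& operator*() const { return (*m_store)[m_index]; }
    LabelScope* operator->() const { return &(*m_store)[m_index]; }
    size_t index() const { return m_index; }
private:
    LabelScopeStore* m_store;
    size_t m_index;
};

// Push a new scope and hand back a handle to it.
LabelScopePtr newLabelScope(LabelScopeStore& store, const std::string& name, int depth) {
    store.push_back({name, depth});
    return LabelScopePtr(store, store.size() - 1);
}

// Stand-in for emitPopScopes(): grows the store past its capacity so the
// backing store is reallocated, as cloning the scopes for a finally block would.
void forceReallocation(LabelScopeStore& store) {
    size_t target = store.capacity() + 1;
    while (store.size() < target)
        store.push_back({"finally", 0});
}

// The bug shape: a raw pointer taken before forceReallocation() no longer
// points at the element afterwards. The old address is kept as an integer so
// nothing stale is dereferenced.
bool rawPointerGoesStale() {
    LabelScopeStore store;
    store.push_back({"outer", 1});
    auto before = reinterpret_cast<std::uintptr_t>(&store[0]);
    forceReallocation(store);
    auto after = reinterpret_cast<std::uintptr_t>(&store[0]);
    return before != after;
}

// The fixed shape: the handle resolves through the owner on each use, so the
// element is still reachable after the store has reallocated.
bool handleSurvivesReallocation() {
    LabelScopeStore store;
    LabelScopePtr scope = newLabelScope(store, "outer", 1);
    forceReallocation(store);
    return scope->name == "outer" && scope->depth == 1 && scope.index() == 0;
}
```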
980
981 2014-03-21  Mark Hahnenberg  <mhahnenberg@apple.com>
982
983         6% SunSpider commandline regression due to r165940
984         https://bugs.webkit.org/show_bug.cgi?id=130617
985
986         Reviewed by Michael Saboff.
987
988         In GCActivityCallback::didAllocate, lastGCLength() returns 0 if we've never collected 
989         before. Some of the benchmarks are never running a single EdenCollection, which causes 
990         them to repeatedly call scheduleTimer with a newDelay of 0. This defeats our timer 
991         slop heuristic, causing us to invoke CFRunLoopTimerSetNextFireDate a couple orders of 
992         magnitude more than we normally would.
993
994         The fix is to seed the last GC lengths in Heap with a non-zero length so that our heuristic works.
995
996         * heap/Heap.cpp:
997         (JSC::Heap::Heap):
998
999 2014-03-21  Filip Pizlo  <fpizlo@apple.com>
1000
1001         Constants folded by DFG::ByteCodeParser should not be dead.
1002         https://bugs.webkit.org/show_bug.cgi?id=130576
1003
1004         Reviewed by Mark Hahnenberg.
1005         
1006         This fixes bugs in the ByteCodeParser's constant folder by removing that constant folder. This
1007         reduces the number of folders in JSC from fourish to just threeish (parser, DFG AI, and one
1008         or more folders in LLVM). Doing so has no performance impact since the other constant folders
1009         already subsume this one.
1010         
1011         Also added a test case for the specific bug that instigated this.
1012
1013         * dfg/DFGByteCodeParser.cpp:
1014         (JSC::DFG::ByteCodeParser::getJSConstantForValue):
1015         (JSC::DFG::ByteCodeParser::getJSConstant):
1016         (JSC::DFG::ByteCodeParser::inferredConstant):
1017         (JSC::DFG::ByteCodeParser::handleIntrinsic):
1018         (JSC::DFG::ByteCodeParser::parseBlock):
1019         * dfg/DFGNode.h:
1020         * dfg/DFGNodeFlags.h:
1021         * tests/stress/constand-folding-osr-exit.js: Added.
1022         (foo):
1023         (test):
1024         (.var):
1025
1026 2014-03-21  Mark Lam  <mark.lam@apple.com>
1027
1028         StackLayoutPhase should find the union'ed calleeVariable before accessing its machineLocal.
1029         <https://webkit.org/b/130566>
1030
1031         Reviewed by Filip Pizlo.
1032
1033         * dfg/DFGStackLayoutPhase.cpp:
1034         (JSC::DFG::StackLayoutPhase::run):
1035
1036 2014-03-20  Filip Pizlo  <fpizlo@apple.com>
1037
1038         FTL should correctly compile GetByVal on Uint32Array that claims to return non-int32 values
1039         https://bugs.webkit.org/show_bug.cgi?id=130562
1040         <rdar://problem/16382842>
1041
1042         Reviewed by Geoffrey Garen.
1043
1044         * ftl/FTLLowerDFGToLLVM.cpp:
1045         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
1046         * tests/stress/uint32array-unsigned-load.js: Added.
1047         (foo):
1048
1049 2014-03-20  Brian Burg  <bburg@apple.com>
1050
1051         Web Inspector: add frontend controller and models for replay sessions
1052         https://bugs.webkit.org/show_bug.cgi?id=130145
1053
1054         Reviewed by Joseph Pecoraro.
1055
1056         * inspector/scripts/CodeGeneratorInspector.py: Add the conditional Replay domain.
1057
1058 2014-03-20  Filip Pizlo  <fpizlo@apple.com>
1059
1060         FTL ValueToInt32 mishandles the constant case, and by the way, there is a constant case that the FTL sees
1061         https://bugs.webkit.org/show_bug.cgi?id=130546
1062         <rdar://problem/16383308>
1063
1064         Reviewed by Mark Hahnenberg.
1065         
1066         Make AI do a better job of folding this.
1067         
1068         Also made the FTL backend be more tolerant of data representations. In this case it
1069         didn't know that "constant" was a valid representation. There is a finite set of
1070         possible representations, but broadly, we don't write code that presumes anything
1071         about the representation of an input; that's what methods like lowJSValue() are for.
1072         ValueToInt32 was previously not relying on those methods at all because it had some
1073         hacks. Now, those hacks are just a fast-path optimization but ultimately we fall down
1074         to lowJSValue().
1075
1076         * dfg/DFGAbstractInterpreterInlines.h:
1077         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1078         * ftl/FTLLowerDFGToLLVM.cpp:
1079         (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
1080         (JSC::FTL::LowerDFGToLLVM::numberOrNotCellToInt32):
1081         * tests/stress/value-to-int32-undefined-constant.js: Added.
1082         (foo):
1083         * tests/stress/value-to-int32-undefined.js: Added.
1084         (foo):
1085
1086 2014-03-20  Mark Hahnenberg  <mhahnenberg@apple.com>
1087
1088         Add some assertions back
1089         https://bugs.webkit.org/show_bug.cgi?id=130531
1090
1091         Reviewed by Geoffrey Garen.
1092
1093         We removed a useful set of assertions for verifying that MarkedBlocks were 
1094         in the state that we expected them to be in after clearing marks in the Heap. 
1095         We should add these back to catch bugs earlier.
1096
1097         * heap/MarkedBlock.h:
1098         * heap/MarkedSpace.cpp:
1099         (JSC::VerifyMarkedOrRetired::operator()):
1100         (JSC::MarkedSpace::clearMarks):
1101
1102 2014-03-20  Filip Pizlo  <fpizlo@apple.com>
1103
1104         Implement stackmap header version check and support new stackmap formats
1105         https://bugs.webkit.org/show_bug.cgi?id=130535
1106         <rdar://problem/16164284>
1107
1108         Reviewed by Geoffrey Garen.
1109         
1110         Add the notion of versioning so that LLVMers can happily implement new stackmap formats
1111         without worrying about WebKit getting version-locked to LLVM. In the future, we will have
1112         to implement parsing for a new LLVM stackmap format before it lands in LLVM, or we'll have
1113         to have a "max usable LLVM revision" limit. But, thanks to versioning, we'll always be
1114         happy to move backward in time to older versions of LLVM.
1115
1116         * ftl/FTLStackMaps.cpp:
1117         (JSC::FTL::readObject):
1118         (JSC::FTL::StackMaps::Constant::parse):
1119         (JSC::FTL::StackMaps::StackSize::parse):
1120         (JSC::FTL::StackMaps::Location::parse):
1121         (JSC::FTL::StackMaps::Record::parse):
1122         (JSC::FTL::StackMaps::parse):
1123         (JSC::FTL::StackMaps::dump):
1124         (JSC::FTL::StackMaps::dumpMultiline):
1125         * ftl/FTLStackMaps.h:
1126
1127 2014-03-20  Filip Pizlo  <fpizlo@apple.com>
1128
1129         Crash beneath operationTearOffActivation running this JS compression demo
1130         https://bugs.webkit.org/show_bug.cgi?id=130295
1131         <rdar://problem/16332337>
1132
1133         Reviewed by Oliver Hunt.
1134         
1135         Make sure that we flush things as if we were at a terminal, if we are at a block with
1136         no forward edges. This fixes infinitely loopy code with captured variables.
1137
1138         Make sure that the CFG simplifier adds explicit flushes whenever it jettisons a block.
1139         
1140         Make it so that NodeIsFlushed is a thing. Previously only SSA used it and it computed
1141         it by itself. Now it's an artifact of CPS rethreading.
1142         
1143         Add a bunch of tests. All of them previously either crashed or returned bad output due
1144         to memory corruption.
1145
1146         * bytecode/CodeBlock.cpp:
1147         (JSC::CodeBlock::isCaptured):
1148         * dfg/DFGByteCodeParser.cpp:
1149         (JSC::DFG::ByteCodeParser::flushForTerminal):
1150         (JSC::DFG::ByteCodeParser::flushForReturn):
1151         (JSC::DFG::ByteCodeParser::flushIfTerminal):
1152         (JSC::DFG::ByteCodeParser::branchData):
1153         (JSC::DFG::ByteCodeParser::parseBlock):
1154         * dfg/DFGCFGSimplificationPhase.cpp:
1155         (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
1156         * dfg/DFGCPSRethreadingPhase.cpp:
1157         (JSC::DFG::CPSRethreadingPhase::run):
1158         (JSC::DFG::CPSRethreadingPhase::computeIsFlushed):
1159         (JSC::DFG::CPSRethreadingPhase::addFlushedLocalOp):
1160         (JSC::DFG::CPSRethreadingPhase::addFlushedLocalEdge):
1161         * dfg/DFGCSEPhase.cpp:
1162         (JSC::DFG::CSEPhase::performNodeCSE):
1163         * dfg/DFGGraph.cpp:
1164         (JSC::DFG::Graph::clearFlagsOnAllNodes):
1165         * dfg/DFGGraph.h:
1166         * dfg/DFGNode.h:
1167         * dfg/DFGNodeFlags.cpp:
1168         (JSC::DFG::dumpNodeFlags):
1169         * dfg/DFGNodeFlags.h:
1170         * dfg/DFGSSAConversionPhase.cpp:
1171         (JSC::DFG::SSAConversionPhase::run):
1172         * tests/stress/activation-test-loop.js: Added.
1173         (Inner.this.doStuff):
1174         (Inner):
1175         (foo.inner.isDone):
1176         (foo):
1177         * tests/stress/inferred-infinite-loop-that-uses-captured-variables.js: Added.
1178         (bar):
1179         (foo):
1180         (noInline):
1181         * tests/stress/infinite-loop-that-uses-captured-variables-before-throwing.js: Added.
1182         (bar):
1183         (foo):
1184         (noInline):
1185         * tests/stress/infinite-loop-that-uses-captured-variables-but-they-do-not-escape.js: Added.
1186         (bar):
1187         (foo):
1188         (noInline):
1189         * tests/stress/infinite-loop-that-uses-captured-variables-with-osr-entry.js: Added.
1190         (bar):
1191         (foo):
1192         (noInline):
1193         * tests/stress/infinite-loop-that-uses-captured-variables.js: Added.
1194         (bar):
1195         (foo):
1196         (noInline):
1197         * tests/stress/tricky-indirectly-inferred-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
1198         (bar):
1199         (fuzz):
1200         (foo.f):
1201         (foo):
1202         * tests/stress/tricky-inferred-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
1203         (bar):
1204         (foo.f):
1205         (foo):
1206         * tests/stress/tricky-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
1207         (bar):
1208         (foo.f):
1209         (foo):
1210         * tests/stress/tricky-infinite-loop-that-uses-captured-variables.js: Added.
1211         (bar):
1212         (foo):
1213         (noInline):
1214
1215 2014-03-20  Oliver Hunt  <oliver@apple.com>
1216
1217         Incorrect behavior when mutating a typed array during set.
1218         https://bugs.webkit.org/show_bug.cgi?id=130428
1219
1220         Reviewed by Geoffrey Garen.
1221
1222         This fixes a null dereference that occurs if a typed array
1223         is mutated during the set() operation. The patch gets rid
1224         of the "Quickly" version of setIndex that is assigning
1225         JSValues of unknown type, as the numeric conversion can trigger
1226         side effects that lead to neutering, and so we deref null.
1227
1228         * runtime/JSGenericTypedArrayView.h:
1229         (JSC::JSGenericTypedArrayView::setIndex):
1230         * runtime/JSGenericTypedArrayViewInlines.h:
1231         (JSC::JSGenericTypedArrayView<Adaptor>::set):
1232         (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
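        The re-entrancy hazard described in this entry, as an added example that is not JavaScriptCore's code: a hypothetical TypedArrayView whose setIndex() runs the side-effecting conversion first and only then re-validates storage and bounds before writing (Value, neuter() and the scenario helpers are constructed for the example).

```cpp
// Added example (not JavaScriptCore code): a minimal typed-array view whose
// setIndex() converts an untrusted value that may run arbitrary callbacks
// (like a JS valueOf()), which in turn can neuter the view. Hypothetical types.
#include <cstddef>
#include <functional>
#include <memory>
#include <vector>

// Stand-in for a JSValue of unknown type: converting it to a number may have
// side effects. The optional hook models user-visible code running during the
// conversion.
struct Value {
    double number;
    std::function<void()> onConvert; // constructed side effect; may be empty
    double toNumber() const {
        if (onConvert)
            onConvert();
        return number;
    }
};

class TypedArrayView {
public:
    explicit TypedArrayView(size_t length)
        : m_vector(std::make_unique<double[]>(length)), m_length(length) {}

    // Detach the backing storage; any cached pointer to it is now dangling.
    void neuter() { m_vector.reset(); m_length = 0; }
    bool isNeutered() const { return !m_vector; }
    size_t length() const { return m_length; }
    double at(size_t i) const { return m_vector[i]; }

    // Fixed ordering: run the (possibly side-effecting) conversion first, then
    // re-validate storage and bounds, then write. Returns false when the write
    // cannot be performed safely.
    bool setIndex(size_t index, const Value& value) {
        double native = value.toNumber(); // may neuter *this
        if (isNeutered() || index >= m_length)
            return false;
        m_vector[index] = native;
        return true;
    }

    // Bulk set, as set() would do: every conversion is a fresh chance for
    // re-entrancy, so every write is re-checked. Returns the number written.
    size_t set(const std::vector<Value>& values) {
        size_t written = 0;
        for (size_t i = 0; i < values.size(); ++i)
            if (setIndex(i, values[i]))
                ++written;
        return written;
    }

private:
    std::unique_ptr<double[]> m_vector;
    size_t m_length;
};

// Scenario: the second element's conversion neuters the view mid-set(). A
// "Quickly" variant that cached the storage pointer and length before
// converting would write through freed or null storage here; the re-checking
// version writes the first element and then stops. Returns the count written.
size_t setWithNeuteringValue() {
    auto view = std::make_shared<TypedArrayView>(4);
    std::vector<Value> values = {
        {1.0, nullptr},
        {2.0, [view] { view->neuter(); }},
        {3.0, nullptr},
    };
    return view->set(values);
}

// Scenario without side effects: all values land in the buffer.
bool setPlainValues() {
    TypedArrayView view(3);
    std::vector<Value> values = {{1.0, nullptr}, {2.0, nullptr}, {3.0, nullptr}};
    size_t written = view.set(values);
    return written == 3 && view.at(0) == 1.0 && view.at(2) == 3.0;
}
```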
1233
1234 2014-03-20  Gavin Barraclough  <barraclough@apple.com>
1235
1236         Remove IdentifierTable typedef, isIdentifier()
1237         https://bugs.webkit.org/show_bug.cgi?id=130533
1238
1239         Rubber stamped by Geoff Garen.
1240
1241         Code should use AtomicStringTable, isAtomic() directly.
1242
1243         * API/JSClassRef.cpp:
1244         (OpaqueJSClass::~OpaqueJSClass):
1245         (OpaqueJSClassContextData::OpaqueJSClassContextData):
1246         (OpaqueJSClass::className):
1247         * API/JSClassRef.h:
1248         * bytecode/SpeculatedType.cpp:
1249         (JSC::speculationFromCell):
1250         * bytecompiler/BytecodeGenerator.cpp:
1251         (JSC::BytecodeGenerator::BytecodeGenerator):
1252         * dfg/DFGSpeculativeJIT.cpp:
1253         (JSC::DFG::SpeculativeJIT::compileIn):
1254         (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
1255         * ftl/FTLLowerDFGToLLVM.cpp:
1256         (JSC::FTL::LowerDFGToLLVM::speculateStringIdent):
1257         * heap/Heap.cpp:
1258         (JSC::Heap::collect):
1259         * interpreter/CallFrame.h:
1260         (JSC::ExecState::atomicStringTable):
1261         * parser/ASTBuilder.h:
1262         (JSC::ASTBuilder::addVar):
1263         * parser/Parser.cpp:
1264         (JSC::Parser<LexerType>::createBindingPattern):
1265         * runtime/Completion.cpp:
1266         (JSC::checkSyntax):
1267         (JSC::evaluate):
1268         * runtime/Identifier.cpp:
1269         (JSC::Identifier::checkCurrentAtomicStringTable):
1270         * runtime/Identifier.h:
1271         (JSC::Identifier::Identifier):
1272         * runtime/IdentifierInlines.h:
1273         (JSC::Identifier::add):
1274         * runtime/JSCJSValue.cpp:
1275         (JSC::JSValue::dumpInContext):
1276         * runtime/JSLock.cpp:
1277         (JSC::JSLock::didAcquireLock):
1278         (JSC::JSLock::willReleaseLock):
1279         (JSC::JSLock::DropAllLocks::DropAllLocks):
1280         (JSC::JSLock::DropAllLocks::~DropAllLocks):
1281         * runtime/JSLock.h:
1282         * runtime/PropertyMapHashTable.h:
1283         (JSC::PropertyTable::find):
1284         (JSC::PropertyTable::get):
1285         (JSC::PropertyTable::findWithString):
1286         * runtime/PropertyName.h:
1287         (JSC::PropertyName::PropertyName):
1288         * runtime/PropertyNameArray.cpp:
1289         (JSC::PropertyNameArray::add):
1290         * runtime/VM.cpp:
1291         (JSC::VM::VM):
1292         (JSC::VM::~VM):
1293         * runtime/VM.h:
1294         (JSC::VM::atomicStringTable):
1295
1296 2014-03-20  Gavin Barraclough  <barraclough@apple.com>
1297
1298         Merge AtomicString, Identifier
1299         https://bugs.webkit.org/show_bug.cgi?id=128624
1300
1301         Reviewed by Geoff Garen.
1302
1303         WTF::StringImpl currently supports two uniquing mechanisms - AtomicString and
1304         Identifier - that is one too many.
1305
1306         Remove Identifier in favour of AtomicString. Identifier had two interesting
1307         mechanisms that we preserve.
1308
1309         (1) JSC API VMs each get their own string table, switch the string table on
1310             API entry/exit.
1311         (2) JSC caches a pointer to the string table on the VM to avoid a thread
1312             specific access. Adds a new AtomicString::add method to support this.
1313
1314         * API/JSAPIWrapperObject.mm:
1315             - updated includes.
1316         * JavaScriptCore.xcodeproj/project.pbxproj:
1317             - added IdentifierInlines.h.
1318         * inspector/JSInjectedScriptHostPrototype.cpp:
1319         * inspector/JSJavaScriptCallFramePrototype.cpp:
1320             - updated includes.
1321         * interpreter/CallFrame.h:
1322         (JSC::ExecState::atomicStringTable):
1323             - added, used via AtomicString::add to avoid thread-specific access.
1324         * runtime/ConsolePrototype.cpp:
1325             - updated includes.
1326         * runtime/Identifier.cpp:
1327         (JSC::Identifier::add):
1328         (JSC::Identifier::add8):
1329             - vm->smallStrings.singleCharacterStringRep now returns Atomic strings, use AtomicString::add.
1330         * runtime/Identifier.h:
1331         (JSC::Identifier::Identifier):
1332             - added ASSERTS.
1333         (JSC::Identifier::add):
1334             - vm->smallStrings.singleCharacterStringRep now returns Atomic strings, use AtomicString::add.
1335         * runtime/IdentifierInlines.h: Added.
1336         (JSC::Identifier::add):
1337             - moved from Identifier.h, use AtomicString::add.
1338         * runtime/JSCInlines.h:
1339             - added IdentifierInlines.h.
1340         * runtime/JSLock.h:
1341             - removed IdentifierTable.
1342         * runtime/PropertyNameArray.cpp:
1343             - updated includes.
1344         * runtime/SmallStrings.cpp:
1345         (JSC::SmallStringsStorage::SmallStringsStorage):
1346             - ensure all single character strings are Atomic.
1347         * runtime/VM.cpp:
1348         (JSC::VM::VM):
1349             - instantiate CommonIdentifiers with the correct AtomicStringTable set on thread data.
1350         * runtime/VM.h:
1351         (JSC::VM::atomicStringTable):
1352             - added, used via AtomicString::add to avoid thread-specific access.
1353
1354 2014-03-20  Gabor Rapcsanyi  <rgabor@webkit.org>
1355
1356         [ARM64] Fix assembler build issues and add cacheFlush support for Linux
1357         https://bugs.webkit.org/show_bug.cgi?id=130502
1358
1359         Reviewed by Michael Saboff.
1360
1361         Add limits.h for INT_MIN in ARM64Assembler(). Delete shouldBlindForSpecificArch(uintptr_t)
1362         because on ARM64 uint64_t and uintptr_t are the same with GCC and Clang as well.
1363         Add cacheFlush support for Linux.
1364
1365         * assembler/ARM64Assembler.h:
1366         (JSC::ARM64Assembler::linuxPageFlush):
1367         (JSC::ARM64Assembler::cacheFlush):
1368         * assembler/MacroAssemblerARM64.h:
1369         (JSC::MacroAssemblerARM64::shouldBlindForSpecificArch):
1370
1371 2014-03-19  Gavin Barraclough  <barraclough@apple.com>
1372
1373         https://bugs.webkit.org/show_bug.cgi?id=130494
1374         EmptyUnique strings are Identifiers/Atomic
1375
1376         Reviewed by Geoff Garen.
1377
1378         EmptyUnique strings should set the Identifier/Atomic flag.
1379
1380         This fixes an unreproducible bug we believe exists in Identifier handling.
1381         Expected behaviour is that while Identifiers may reference EmptyUniques
1382         (StringImpls allocated as UIDs for PrivateNames), these are not created
1383         through the main Identifier constructor, the Identifier flag is not set
1384         on PrivateNames, and we should never lookup EmptyUnique strings in the
1385         IdentifierTable.
1386
1387         Unfortunately that was happening. Some tables used to implement property
1388         access in the JIT hold StringImpl*s, and turn these back into Identifiers
1389         using the identifier constructor. Since the code generator will now plant
1390         by-id (cachable) accesses to PrivateNames we can end up passing an
1391         EmptyUnique to Identifier::add, potentially leading to PrivateNames being
1392         uniqued together (though hard to prove, since the hash codes are random).
1393
1394         * runtime/PropertyName.h:
1395         (JSC::PropertyName::PropertyName):
1396         (JSC::PropertyName::uid):
1397         (JSC::PropertyName::publicName):
1398         (JSC::PropertyName::asIndex):
1399             - PropertyName assumed that PrivateNames are not Identifiers - instead check isEmptyUnique().
1400         * runtime/Structure.cpp:
1401         (JSC::Structure::getPropertyNamesFromStructure):
1402             - Structure assumed that PrivateNames are not Identifiers - instead check isEmptyUnique().
1403
1404 2014-03-19  Filip Pizlo  <fpizlo@apple.com>
1405
1406         Unreviewed, revert the DFGCommon.h change in r165938. It was not intentional.
1407
1408         * dfg/DFGCommon.h:
1409
1410 2014-03-19  Mark Hahnenberg  <mhahnenberg@apple.com>
1411
1412         GC timer should intelligently choose between EdenCollections and FullCollections
1413         https://bugs.webkit.org/show_bug.cgi?id=128261
1414
1415         Reviewed by Geoffrey Garen.
1416
1417         Most of the GCs while browsing the web are due to the GC timer. Currently the GC timer 
1418         always does FullCollections. To reduce the impact of the GC timer on the system this patch
1419         changes Heap so that it has two timers, one for each type of collection. The FullCollection
1420         timer is notified at the end of EdenCollections how much the Heap has grown since the last 
1421         FullCollection and when somebody notifies the Heap of abandoned memory (which usually wouldn't 
1422         be detected by an EdenCollection).
1423
1424         * CMakeLists.txt:
1425         * GNUmakefile.list.am:
1426         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1427         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1428         * JavaScriptCore.xcodeproj/project.pbxproj:
1429         * heap/EdenGCActivityCallback.cpp: Added.
1430         (JSC::EdenGCActivityCallback::EdenGCActivityCallback):
1431         (JSC::EdenGCActivityCallback::doCollection):
1432         (JSC::EdenGCActivityCallback::lastGCLength):
1433         (JSC::EdenGCActivityCallback::deathRate):
1434         (JSC::EdenGCActivityCallback::gcTimeSlice):
1435         * heap/EdenGCActivityCallback.h: Added.
1436         (JSC::GCActivityCallback::createEdenTimer):
1437         * heap/FullGCActivityCallback.cpp: Added.
1438         (JSC::FullGCActivityCallback::FullGCActivityCallback):
1439         (JSC::FullGCActivityCallback::doCollection):
1440         (JSC::FullGCActivityCallback::lastGCLength):
1441         (JSC::FullGCActivityCallback::deathRate):
1442         (JSC::FullGCActivityCallback::gcTimeSlice):
1443         * heap/FullGCActivityCallback.h: Added.
1444         (JSC::GCActivityCallback::createFullTimer):
1445         * heap/GCActivityCallback.cpp:
1446         (JSC::GCActivityCallback::GCActivityCallback):
1447         (JSC::GCActivityCallback::doWork):
1448         (JSC::GCActivityCallback::scheduleTimer):
1449         (JSC::GCActivityCallback::cancelTimer):
1450         (JSC::GCActivityCallback::didAllocate):
1451         (JSC::GCActivityCallback::willCollect):
1452         (JSC::GCActivityCallback::cancel):
1453         * heap/GCActivityCallback.h:
1454         * heap/Heap.cpp:
1455         (JSC::Heap::Heap):
1456         (JSC::Heap::reportAbandonedObjectGraph):
1457         (JSC::Heap::didAbandon):
1458         (JSC::Heap::collectAllGarbage):
1459         (JSC::Heap::collect):
1460         (JSC::Heap::willStartCollection):
1461         (JSC::Heap::updateAllocationLimits):
1462         (JSC::Heap::didFinishCollection):
1463         (JSC::Heap::setFullActivityCallback):
1464         (JSC::Heap::setEdenActivityCallback):
1465         (JSC::Heap::fullActivityCallback):
1466         (JSC::Heap::edenActivityCallback):
1467         (JSC::Heap::setGarbageCollectionTimerEnabled):
1468         (JSC::Heap::didAllocate):
1469         (JSC::Heap::shouldDoFullCollection):
1470         * heap/Heap.h:
1471         (JSC::Heap::lastFullGCLength):
1472         (JSC::Heap::lastEdenGCLength):
1473         (JSC::Heap::increaseLastFullGCLength):
1474         (JSC::Heap::sizeBeforeLastEdenCollection):
1475         (JSC::Heap::sizeAfterLastEdenCollection):
1476         (JSC::Heap::sizeBeforeLastFullCollection):
1477         (JSC::Heap::sizeAfterLastFullCollection):
1478         * heap/HeapOperation.h:
1479         * heap/HeapStatistics.cpp:
1480         (JSC::HeapStatistics::showObjectStatistics):
1481         * heap/HeapTimer.cpp:
1482         (JSC::HeapTimer::timerDidFire):
1483         * jsc.cpp:
1484         (functionFullGC):
1485         (functionEdenGC):
1486         * runtime/Options.h:
1487
1488 2014-03-19  Commit Queue  <commit-queue@webkit.org>
1489
1490         Unreviewed, rolling out r165926.
1491         https://bugs.webkit.org/show_bug.cgi?id=130488
1492
1493         broke the iOS build (Requested by estes on #webkit).
1494
1495         Reverted changeset:
1496
1497         "GC timer should intelligently choose between EdenCollections
1498         and FullCollections"
1499         https://bugs.webkit.org/show_bug.cgi?id=128261
1500         http://trac.webkit.org/changeset/165926
1501
1502 2014-03-13  Mark Hahnenberg  <mhahnenberg@apple.com>
1503
1504         GC timer should intelligently choose between EdenCollections and FullCollections
1505         https://bugs.webkit.org/show_bug.cgi?id=128261
1506
1507         Reviewed by Geoffrey Garen.
1508
1509         Most of the GCs while browsing the web are due to the GC timer. Currently the GC timer 
1510         always does FullCollections. To reduce the impact of the GC timer on the system this patch
1511         changes Heap so that it has two timers, one for each type of collection. The FullCollection
1512         timer is notified at the end of EdenCollections how much the Heap has grown since the last 
1513         FullCollection and when somebody notifies the Heap of abandoned memory (which wouldn't be 
1514         detected by an EdenCollection).
1515
1516         * heap/GCActivityCallback.cpp:
1517         (JSC::GCActivityCallback::GCActivityCallback):
1518         (JSC::GCActivityCallback::doWork):
1519         (JSC::FullGCActivityCallback::FullGCActivityCallback):
1520         (JSC::FullGCActivityCallback::doCollection):
1521         (JSC::EdenGCActivityCallback::EdenGCActivityCallback):
1522         (JSC::EdenGCActivityCallback::doCollection):
1523         (JSC::GCActivityCallback::scheduleTimer):
1524         (JSC::GCActivityCallback::cancelTimer):
1525         (JSC::GCActivityCallback::didAllocate):
1526         (JSC::GCActivityCallback::willCollect):
1527         (JSC::GCActivityCallback::cancel):
1528         * heap/GCActivityCallback.h:
1529         (JSC::GCActivityCallback::GCActivityCallback):
1530         (JSC::GCActivityCallback::createFullTimer):
1531         (JSC::GCActivityCallback::createEdenTimer):
1532         * heap/Heap.cpp:
1533         (JSC::Heap::Heap):
1534         (JSC::Heap::didAbandon):
1535         (JSC::Heap::willStartCollection):
1536         (JSC::Heap::updateAllocationLimits):
1537         (JSC::Heap::setFullActivityCallback):
1538         (JSC::Heap::setEdenActivityCallback):
1539         (JSC::Heap::fullActivityCallback):
1540         (JSC::Heap::edenActivityCallback):
1541         (JSC::Heap::setGarbageCollectionTimerEnabled):
1542         (JSC::Heap::didAllocate):
1543         * heap/Heap.h:
1544         * heap/HeapTimer.cpp:
1545         (JSC::HeapTimer::timerDidFire):
1546
1547 2014-03-19  Filip Pizlo  <fpizlo@apple.com>
1548
1549         REGRESSION(r165459): It broke 109 jsc stress test on ARM Thumb2 and Mac 32 bit
1550         https://bugs.webkit.org/show_bug.cgi?id=130134
1551
1552         Reviewed by Mark Hahnenberg.
1553
1554         * dfg/DFGFixupPhase.cpp:
1555         (JSC::DFG::FixupPhase::fixupNode): Can't do some optimizations if you don't have a lot of registers.
1556         * dfg/DFGSpeculativeJIT32_64.cpp:
1557         (JSC::DFG::SpeculativeJIT::cachedGetById): Move stuff around before going into the IC code to ensure that we give the IC code the invariants it needs. This only happens in case of GetByIdFlush, where we are forced into using weird combinations of registers because the results have to be in t0/t1.
1558         (JSC::DFG::SpeculativeJIT::compile): For a normal GetById, the register allocator should just do the right thing so nobody has to move anything around.
1559         * jit/JITInlineCacheGenerator.cpp:
1560         (JSC::JITGetByIdGenerator::JITGetByIdGenerator): Assert the things we want.
1561         * jit/JITInlineCacheGenerator.h:
1562         * jit/Repatch.cpp:
1563         (JSC::generateGetByIdStub): Remove a previous incomplete hack to try to work around the DFG's problem.
1564
1565 2014-03-19  Mark Hahnenberg  <mhahnenberg@apple.com>
1566
1567         Normalize some of the older JSC options
1568         https://bugs.webkit.org/show_bug.cgi?id=128753
1569
1570         Reviewed by Michael Saboff.
1571
1572         * runtime/Options.cpp:
1573         (JSC::Options::initialize):
1574
1575 2014-03-12  Mark Lam  <mark.lam@apple.com>
1576
1577         Update type of local vars to match the type of String length.
1578         <https://webkit.org/b/130077>
1579
1580         Reviewed by Geoffrey Garen.
1581
1582         * runtime/JSStringJoiner.cpp:
1583         (JSC::JSStringJoiner::join):
1584
1585 2014-03-18  Filip Pizlo  <fpizlo@apple.com>
1586
1587         Get rid of Flush in SSA
1588         https://bugs.webkit.org/show_bug.cgi?id=130440
1589
1590         Reviewed by Sam Weinig.
1591         
1592         This is basically a red patch. We used to use backwards flow for determining what was
1593         flushed, until it became clear that this doesn't make sense. Now the Flush nodes don't
1594         accomplish anything. Keeping them around in SSA can only make things hard.
1595
1596         * CMakeLists.txt:
1597         * GNUmakefile.list.am:
1598         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1599         * JavaScriptCore.xcodeproj/project.pbxproj:
1600         * dfg/DFGBasicBlock.cpp:
1601         (JSC::DFG::BasicBlock::SSAData::SSAData):
1602         * dfg/DFGBasicBlock.h:
1603         * dfg/DFGFlushLivenessAnalysisPhase.cpp: Removed.
1604         * dfg/DFGFlushLivenessAnalysisPhase.h: Removed.
1605         * dfg/DFGGraph.cpp:
1606         (JSC::DFG::Graph::dump):
1607         * dfg/DFGPlan.cpp:
1608         (JSC::DFG::Plan::compileInThreadImpl):
1609         * dfg/DFGSSAConversionPhase.cpp:
1610         (JSC::DFG::SSAConversionPhase::run):
1611         * ftl/FTLLowerDFGToLLVM.cpp:
1612         (JSC::FTL::LowerDFGToLLVM::compileNode):
1613
1614 2014-03-18  Filip Pizlo  <fpizlo@apple.com>
1615
1616         Unreviewed, fix iOS production build.
1617
1618         * JavaScriptCore.xcodeproj/project.pbxproj:
1619
1620 2014-03-18  Michael Saboff  <msaboff@apple.com>
1621
1622         Update RegExp Tracing code
1623         https://bugs.webkit.org/show_bug.cgi?id=130381
1624
1625         Reviewed by Andreas Kling.
1626
1627         Updated the regular expression tracing code for 8/16 bit JIT as
1628         well as match only entry points.  Also added average string length
1629         metric.
1630
1631         * runtime/RegExp.cpp:
1632         (JSC::RegExp::RegExp):
1633         (JSC::RegExp::match):
1634         (JSC::RegExp::printTraceData):
1635         * runtime/RegExp.h:
1636         * runtime/VM.cpp:
1637         (JSC::VM::addRegExpToTrace):
1638         (JSC::VM::dumpRegExpTrace):
1639         * runtime/VM.h:
1640         * yarr/YarrJIT.h:
1641         (JSC::Yarr::YarrCodeBlock::get8BitMatchOnlyAddr):
1642         (JSC::Yarr::YarrCodeBlock::get16BitMatchOnlyAddr):
1643         (JSC::Yarr::YarrCodeBlock::get8BitMatchAddr):
1644         (JSC::Yarr::YarrCodeBlock::get16BitMatchAddr):
1645
1646 2014-03-17  Filip Pizlo  <fpizlo@apple.com>
1647
1648         Add CompareStrictEq(StringIdent:, NotStringVar:) and CompareStrictEq(String:, Untyped:)
1649         https://bugs.webkit.org/show_bug.cgi?id=130300
1650
1651         Reviewed by Mark Hahnenberg.
1652         
1653         We can quickly strictly compare StringIdent's to NotStringVar's and String's to Untyped's.
1654         This makes the DFG aware of this.
1655         
1656         Also adds StringIdent-to-StringIdent and StringIdent-to-NotStringVar strict comparisons to
1657         the FTL. Also adds StringIdent-to-StringIdent non-strict comparisons to the FTL.
1658         
1659         This also gives the DFG some abstractions for checking something is a cell or is other.
1660         This made this patch easier to write and also simplified a bunch of other stuff.
1661         
1662         1% speed-up on Octane.
1663
1664         * assembler/AbstractMacroAssembler.h:
1665         (JSC::AbstractMacroAssembler::JumpList::JumpList):
1666         * bytecode/SpeculatedType.h:
1667         (JSC::isNotStringVarSpeculation):
1668         * dfg/DFGFixupPhase.cpp:
1669         (JSC::DFG::FixupPhase::fixupNode):
1670         * dfg/DFGNode.h:
1671         (JSC::DFG::Node::childFor):
1672         (JSC::DFG::Node::shouldSpeculateNotStringVar):
1673         * dfg/DFGSafeToExecute.h:
1674         (JSC::DFG::SafeToExecuteEdge::operator()):
1675         * dfg/DFGSpeculativeJIT.cpp:
1676         (JSC::DFG::SpeculativeJIT::compileIn):
1677         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1678         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
1679         (JSC::DFG::SpeculativeJIT::compileInstanceOf):
1680         (JSC::DFG::SpeculativeJIT::compileStrictEq):
1681         (JSC::DFG::SpeculativeJIT::compileBooleanCompare):
1682         (JSC::DFG::SpeculativeJIT::compileStringEquality):
1683         (JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality):
1684         (JSC::DFG::SpeculativeJIT::compileStringIdentEquality):
1685         (JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality):
1686         (JSC::DFG::SpeculativeJIT::compileStringZeroLength):
1687         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
1688         (JSC::DFG::SpeculativeJIT::speculateString):
1689         (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
1690         (JSC::DFG::SpeculativeJIT::speculateNotStringVar):
1691         (JSC::DFG::SpeculativeJIT::speculateNotCell):
1692         (JSC::DFG::SpeculativeJIT::speculateOther):
1693         (JSC::DFG::SpeculativeJIT::speculate):
1694         (JSC::DFG::SpeculativeJIT::emitSwitchChar):
1695         (JSC::DFG::SpeculativeJIT::emitSwitchString):
1696         * dfg/DFGSpeculativeJIT.h:
1697         (JSC::DFG::SpeculativeJIT::blessedBooleanResult):
1698         (JSC::DFG::SpeculativeJIT::unblessedBooleanResult):
1699         (JSC::DFG::SpeculativeJIT::booleanResult):
1700         * dfg/DFGSpeculativeJIT32_64.cpp:
1701         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
1702         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
1703         (JSC::DFG::SpeculativeJIT::emitCall):
1704         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1705         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
1706         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1707         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1708         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1709         (JSC::DFG::SpeculativeJIT::compile):
1710         (JSC::DFG::branchIsCell):
1711         (JSC::DFG::branchNotCell):
1712         (JSC::DFG::SpeculativeJIT::branchIsOther):
1713         (JSC::DFG::SpeculativeJIT::branchNotOther):
1714         (JSC::DFG::SpeculativeJIT::moveTrueTo):
1715         (JSC::DFG::SpeculativeJIT::moveFalseTo):
1716         (JSC::DFG::SpeculativeJIT::blessBoolean):
1717         * dfg/DFGSpeculativeJIT64.cpp:
1718         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
1719         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
1720         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1721         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
1722         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1723         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1724         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1725         (JSC::DFG::SpeculativeJIT::compile):
1726         (JSC::DFG::SpeculativeJIT::writeBarrier):
1727         (JSC::DFG::SpeculativeJIT::branchIsCell):
1728         (JSC::DFG::SpeculativeJIT::branchNotCell):
1729         (JSC::DFG::SpeculativeJIT::branchIsOther):
1730         (JSC::DFG::SpeculativeJIT::branchNotOther):
1731         (JSC::DFG::SpeculativeJIT::moveTrueTo):
1732         (JSC::DFG::SpeculativeJIT::moveFalseTo):
1733         (JSC::DFG::SpeculativeJIT::blessBoolean):
1734         * dfg/DFGUseKind.cpp:
1735         (WTF::printInternal):
1736         * dfg/DFGUseKind.h:
1737         (JSC::DFG::typeFilterFor):
1738         * ftl/FTLCapabilities.cpp:
1739         (JSC::FTL::canCompile):
1740         * ftl/FTLLowerDFGToLLVM.cpp:
1741         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
1742         (JSC::FTL::LowerDFGToLLVM::lowString):
1743         (JSC::FTL::LowerDFGToLLVM::lowStringIdent):
1744         (JSC::FTL::LowerDFGToLLVM::speculate):
1745         (JSC::FTL::LowerDFGToLLVM::speculateString):
1746         (JSC::FTL::LowerDFGToLLVM::speculateStringIdent):
1747         (JSC::FTL::LowerDFGToLLVM::speculateNotStringVar):
1748         * runtime/JSCJSValue.h:
1749         * tests/stress/string-ident-to-not-string-var-equality.js: Added.
1750         (foo):
1751         (bar):
1752         (test):
1753
1754 2014-03-18  Joseph Pecoraro  <pecoraro@apple.com>
1755
1756         Add Copyright to framework.sb
1757         https://bugs.webkit.org/show_bug.cgi?id=130413
1758
1759         Reviewed by Timothy Hatcher.
1760
1761         Other sb files got the copyright. Follow suit.
1762
1763         * framework.sb:
1764
1765 2014-03-18  Matthew Mirman  <mmirman@apple.com>
1766
1767         Removed extra parens from if statement in a preprocessor define.
1768         https://bugs.webkit.org/show_bug.cgi?id=130408
1769
1770         Reviewed by Filip Pizlo.
1771
1772         * parser/Parser.cpp:
1773
1774 2014-03-18  Filip Pizlo  <fpizlo@apple.com>
1775
1776         More FTL enabling.
1777
1778         Rubber stamped by Dan Bernstein and Mark Hahnenberg.
1779
1780         * Configurations/FeatureDefines.xcconfig:
1781         * ftl/FTLCompile.cpp:
1782         (JSC::FTL::compile):
1783
1784 2014-03-17  Michael Saboff  <msaboff@apple.com>
1785
1786         V8 regexp spends most of its time in operationGetById
1787         https://bugs.webkit.org/show_bug.cgi?id=130380
1788
1789         Reviewed by Filip Pizlo.
1790
1791         Added String.length case to tryCacheGetByID that will only help the BaseLine JIT.
1792         When V8 regexp is run from the command line, this nets a 2% performance improvement.
1793         When the test is run for a longer amount of time, there is much less benefit as the
1794         DFG will emit the appropriate code for String.length.  This does remove
1795         operationGetById as the hottest function when run from the command line.
1796
1797         * jit/Repatch.cpp:
1798         (JSC::tryCacheGetByID):
1799
1800 2014-03-17  Andreas Kling  <akling@apple.com>
1801
1802         Add one-deep cache to opaque roots hashset.
1803         <https://webkit.org/b/130357>
1804
1805         The vast majority of WebCore JS wrappers will have their Document*
1806         as the root(). This change adds a simple optimization where we cache
1807         the last lookup and avoid going to the hashset for repeated queries.
1808
1809         Looks like 0.4% progression on DYEB on my MBP.
1810
1811         Reviewed by Mark Hahnenberg.
1812
1813         * JavaScriptCore.xcodeproj/project.pbxproj:
1814         * heap/OpaqueRootSet.h: Added.
1815         (JSC::OpaqueRootSet::OpaqueRootSet):
1816         (JSC::OpaqueRootSet::contains):
1817         (JSC::OpaqueRootSet::isEmpty):
1818         (JSC::OpaqueRootSet::clear):
1819         (JSC::OpaqueRootSet::add):
1820         (JSC::OpaqueRootSet::size):
1821         (JSC::OpaqueRootSet::begin):
1822         (JSC::OpaqueRootSet::end):
1823         * heap/SlotVisitor.h:
1824
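        The one-deep cache described above, as an added illustration that is not WebKit's OpaqueRootSet: a hypothetical CachedRootSet wraps a hash set of opaque root pointers, answers a repeated query for the same pointer from the cached result, and shows the invalidation that add() and clear() need so that a cached "absent" answer never goes stale.

```cpp
#include <cstddef>
#include <cstdio>
#include <unordered_set>

// Hypothetical stand-in for WebKit's OpaqueRootSet (not the project's code):
// a set of opaque root pointers with a one-deep lookup cache.
class CachedRootSet {
public:
    // Returns true if root is in the set. A repeated query for the same
    // pointer is answered from the cache without touching the hash set.
    bool contains(const void* root)
    {
        if (m_cacheValid && m_lastQueriedRoot == root)
            return m_lastQueryResult;                // cache hit: no hashing
        ++m_hashLookups;                             // slow path: hash set probe
        bool result = m_roots.count(root) != 0;
        m_lastQueriedRoot = root;
        m_lastQueryResult = result;
        m_cacheValid = true;
        return result;
    }

    void add(const void* root)
    {
        m_roots.insert(root);
        // Keep the cache coherent: a root just queried as absent is now present.
        if (m_cacheValid && m_lastQueriedRoot == root)
            m_lastQueryResult = true;
    }

    void clear()
    {
        m_roots.clear();
        m_cacheValid = false;                        // every cached answer is stale now
    }

    bool isEmpty() const { return m_roots.empty(); }
    size_t size() const { return m_roots.size(); }
    size_t hashLookups() const { return m_hashLookups; }

private:
    std::unordered_set<const void*> m_roots;
    const void* m_lastQueriedRoot = nullptr;
    bool m_lastQueryResult = false;
    bool m_cacheValid = false;
    size_t m_hashLookups = 0;                        // instrumentation for the demo
};

// Result of the constructed scenario: how many hash probes happened and
// whether every contains() answer was correct (no stale cache leak).
struct Scenario {
    size_t lookups;
    bool correct;
};

// Exercises the cache with constructed "roots" (addresses of local ints
// standing in for Document* pointers).
Scenario runScenario()
{
    int document = 0, otherDocument = 0;
    const void* docRoot = &document;
    const void* otherRoot = &otherDocument;
    CachedRootSet roots;
    bool ok = true;

    roots.add(docRoot);
    ok = ok && roots.contains(docRoot);              // 1st hash lookup
    ok = ok && roots.contains(docRoot);              // served from cache
    ok = ok && roots.contains(docRoot);              // served from cache

    ok = ok && !roots.contains(otherRoot);           // 2nd hash lookup, cached as absent
    roots.add(otherRoot);                            // add() refreshes the cached answer
    ok = ok && roots.contains(otherRoot);            // must not return a stale false

    roots.clear();                                   // clear() drops the cache
    ok = ok && !roots.contains(docRoot);             // 3rd hash lookup
    ok = ok && roots.isEmpty();

    return { roots.hashLookups(), ok };
}

int main()
{
    Scenario s = runScenario();
    std::printf("hash lookups: %zu, all answers correct: %s\n",
                s.lookups, s.correct ? "yes" : "no");
    return s.correct ? 0 : 1;
}
```
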
1825 2014-03-17  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>
1826
1827         Implement Math.hypot
1828         https://bugs.webkit.org/show_bug.cgi?id=129486
1829
1830         Reviewed by Darin Adler.
1831
1832         * runtime/MathObject.cpp:
1833         (JSC::MathObject::finishCreation):
1834         (JSC::mathProtoFuncHypot):
1835
1836 2014-03-17  Zsolt Borbely  <borbezs@inf.u-szeged.hu>
1837
1838         Fix the !ENABLE(PROMISES) build
1839         https://bugs.webkit.org/show_bug.cgi?id=130328
1840
1841         Reviewed by Darin Adler.
1842
1843         Add missing ENABLE(PROMISES) guards.
1844
1845         * runtime/JSGlobalObject.cpp:
1846         (JSC::JSGlobalObject::reset):
1847         (JSC::JSGlobalObject::visitChildren):
1848         * runtime/JSGlobalObject.h:
1849         * runtime/JSPromiseDeferred.cpp:
1850         * runtime/JSPromiseDeferred.h:
1851         * runtime/JSPromiseReaction.cpp:
1852         * runtime/JSPromiseReaction.h:
1853         * runtime/VM.cpp:
1854         (JSC::VM::VM):
1855         * runtime/VM.h:
1856
1857 2014-03-16  Andreas Kling  <akling@apple.com>
1858
1859         REGRESSION(r165703): JSC tests crashing in StringImpl::destroy().
1860         <https://webkit.org/b/130304>
1861
1862         Reviewed by Anders Carlsson.
1863
1864         Unreviewed, restoring the old behavior of OpaqueJSString::identifier()
1865         that doesn't put a potentially unwanted string into the Identifier table.
1866
1867         * API/OpaqueJSString.cpp:
1868         (OpaqueJSString::identifier):
1869
1870 2014-03-16  Brian Burg  <bburg@apple.com>
1871
1872         Web Inspector: generated backend commands should reflect build system ENABLE settings
1873         https://bugs.webkit.org/show_bug.cgi?id=130111
1874
1875         Reviewed by Timothy Hatcher.
1876
1877         * CMakeLists.txt:
1878
1879         Combine only the Inspector domains listed in INSPECTOR_DOMAINS,
1880         instead of globbing any .json file.
1881
1882         * DerivedSources.make:
1883
1884         Force the combined inspector protocol file to be regenerated if
1885         the content or list of domains itself changes.
1886
1887 2014-03-16  Brian Burg  <bburg@apple.com>
1888
1889         Web Inspector: vended backend commands file should be generated as part of the build
1890         https://bugs.webkit.org/show_bug.cgi?id=130110
1891
1892         Reviewed by Timothy Hatcher.
1893
1894         * JavaScriptCore.xcodeproj/project.pbxproj: Copy InspectorJSBackendCommands.js to the
1895         private headers directory.
1896
1897 2014-03-16  Darin Adler  <darin@apple.com>
1898
1899         Remove all uses of deprecatedCharacters from JavaScriptCore
1900         https://bugs.webkit.org/show_bug.cgi?id=130304
1901
1902         Reviewed by Anders Carlsson.
1903
1904         * API/JSValueRef.cpp:
1905         (JSValueMakeFromJSONString): Use characters16 in the 16-bit code path.
1906         * API/OpaqueJSString.cpp:
1907         (OpaqueJSString::~OpaqueJSString): Use characters16 in the 16-bit code path.
1908         (OpaqueJSString::identifier): Get rid of custom Identifier constructor, and
1909         just use the standard one that takes a String.
1910         (OpaqueJSString::characters): Use getCharactersWithUpconvert instead of a
1911         hand-written alternative.
1912
1913         * bindings/ScriptValue.cpp:
1914         (Deprecated::jsToInspectorValue): Create InspectorString from String directly
1915         instead of involving a character pointer. Use the String from Identifier
1916         directly instead of making a new String.
1917
1918         * inspector/ContentSearchUtilities.cpp:
1919         (Inspector::ContentSearchUtilities::createSearchRegexSource): Use StringBuilder
1920         instead of building a String a character at a time. This is still a very slow
1921         way to do this. Also use strchr to search for a character instead of building
1922         a String every time just to use find on it.
1923
1924         * inspector/InspectorValues.cpp:
1925         (Inspector::doubleQuoteString): Remove unnecessary trip through a
1926         character pointer. This is still a really slow way to do this.
1927         (Inspector::InspectorValue::parseJSON): Use StringView::upconvertedCharacters
1928         instead of String::deprecatedCharacters. Still slow to always upconvert.
1929
1930         * runtime/DateConstructor.cpp: Removed unneeded include.
1931         * runtime/DatePrototype.cpp: Ditto.
1932
1933         * runtime/Identifier.h: Removed deprecatedCharacters function.
1934
1935         * runtime/JSGlobalObjectFunctions.cpp:
1936         (JSC::encode): Added a type cast to avoid ambiguity with the two character-
1937         appending functions from JSStringBuilder. Removed unneeded code duplicating
1938         what JSStringBuilder already does in its character append function.
1939         (JSC::decode): Deleted code that creates a JSStringBuilder that is never used.
1940         (JSC::parseIntOverflow): Changed lengths to unsigned. Made only the overload that
1941         is used outside this file have external linkage. Added a new overload that takes
1942         a StringView.
1943         (JSC::parseInt): Use StringView::substring to call parseIntOverflow.
1944         (JSC::globalFuncEscape): Use JSBuilder::append in a more efficient way for a
1945         single character.
1946
1947         * runtime/JSGlobalObjectFunctions.h: Removed unused overloads of parseIntOverflow.
1948
1949         * runtime/JSStringBuilder.h: Marked this "lightly deprecated".
1950         (JSC::JSStringBuilder::append): Overloaded for better speed with 8-bit characters.
1951         Made one overload private. Fixed a performance bug where we would reserve capacity
1952         in the 8-bit buffer but then append to the 16-bit buffer.
1953
1954         * runtime/ObjectPrototype.cpp: Removed unneeded include.
1955
1956         * runtime/StringPrototype.cpp:
1957         (JSC::stringProtoFuncFontsize): Use StringView::getCharactersWithUpconvert.
1958         (JSC::stringProtoFuncLink): Ditto.
1959
1960 2014-03-15  Filip Pizlo  <fpizlo@apple.com>
1961
1962         FTL ArrayifyToStructure shouldn't fail every time that it actually arrayifies
1963         https://bugs.webkit.org/show_bug.cgi?id=130296
1964
1965         Reviewed by Andreas Kling.
1966         
1967         During the 32-bit structure ID work, the second load of the structure was removed.
1968         That's wrong. The whole point of loading the structure ID again is that the structure
1969         ID would have been changed by the arrayification call, and we're verifying that the
1970         arrayification succeeded in changing the structure. If we check the old structure - as
1971         the code was doing after the 32-bit structure ID work - then this check is guaranteed
1972         to fail, causing a significant performance regression.
1973         
1974         It's actually amazing that the regression wasn't bigger. The reason is that if FTL
1975         code pathologically exits but the equivalent DFG code doesn't, then the exponential
1976         backoff almost perfectly guarantees that we just end up in the DFG. For this code, at
1977         the time at least, the DFG wasn't much slower so this didn't cause too much pain.
1978
1979         * ftl/FTLLowerDFGToLLVM.cpp:
1980         (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
1981
1982 2014-03-15  Filip Pizlo  <fpizlo@apple.com>
1983
1984         FTL should support CheckHasInstance/InstanceOf
1985         https://bugs.webkit.org/show_bug.cgi?id=130285
1986
1987         Reviewed by Sam Weinig.
1988         
1989         Fairly straightforward; I also discovered an inaccurate FIXME in the process.
1990
1991         * dfg/DFGFixupPhase.cpp:
1992         (JSC::DFG::FixupPhase::fixupNode):
1993         * ftl/FTLAbstractHeapRepository.h:
1994         * ftl/FTLCapabilities.cpp:
1995         (JSC::FTL::canCompile):
1996         * ftl/FTLLowerDFGToLLVM.cpp:
1997         (JSC::FTL::LowerDFGToLLVM::compileNode):
1998         (JSC::FTL::LowerDFGToLLVM::compileCheckHasInstance):
1999         (JSC::FTL::LowerDFGToLLVM::compileInstanceOf):
2000         * ftl/FTLOutput.h:
2001         (JSC::FTL::Output::phi):
2002         * tests/stress/instanceof.js: Added.
2003         * tests/stress/instanceof-not-cell.js: Added.
2004
2005 2014-03-15  Michael Saboff  <msaboff@apple.com>
2006
2007         It should be possible to adjust DFG and FTL compiler thread priorities
2008         https://bugs.webkit.org/show_bug.cgi?id=130288
2009
2010         Reviewed by Filip Pizlo.
2011
2012         Added ability to change thread priorities relative to their current priority.
2013         Created options to adjust the priority of the DFG and FTL compilation work thread
2014         pools.  For two-core systems, there might be three runnable threads, the main thread,
2015         the DFG compilation thread and the FTL compilation thread.  With the same priority,
2016         the scheduler is free to schedule whatever thread it wants.  By lowering the
2017         compilation threads, the main thread can run.  Further tests may suggest better values
2018         for the new options, priorityDeltaOfDFGCompilerThreads and priorityDeltaOfFTLCompilerThreads.
2019
2020         For a two-core device, this change has a net positive improvement of 1-3% across
2021         SunSpider, Octane, Kraken and AsmBench.
2022
2023         * dfg/DFGWorklist.cpp:
2024         (JSC::DFG::Worklist::finishCreation):
2025         (JSC::DFG::Worklist::create):
2026         (JSC::DFG::ensureGlobalDFGWorklist):
2027         (JSC::DFG::ensureGlobalFTLWorklist):
2028         * dfg/DFGWorklist.h:
2029         * runtime/Options.cpp:
2030         (JSC::computePriorityDeltaOfWorkerThreads):
2031         * runtime/Options.h:
2032
2033 2014-03-15  David Kilzer  <ddkilzer@apple.com>
2034
2035         [iOS] Define SYSTEM_VERSION_PREFIX consistently
2036         <http://webkit.org/b/130293>
2037         <rdar://problem/15926359>
2038
2039         Reviewed by Dan Bernstein.
2040
2041         * Configurations/Version.xcconfig:
2042         (SYSTEM_VERSION_PREFIX_iphoneos): Sync with
2043         Source/WebKit/mac/Version.xcconfig.
2044
2045 2014-03-15  David Kilzer  <ddkilzer@apple.com>
2046
2047         Fix build: using integer absolute value function 'abs' when argument is of floating point type
2048         <http://webkit.org/b/130286>
2049
2050         Reviewed by Filip Pizlo.
2051
2052         Fixes the following build failure using trunk clang:
2053
2054             JavaScriptCore/assembler/MacroAssembler.h:992:17: error: using integer absolute value function 'abs' when argument is of floating point type [-Werror,-Wabsolute-value]
2055                     value = abs(value);
2056                             ^
2057             JavaScriptCore/assembler/MacroAssembler.h:992:17: note: use function 'fabs' instead
2058                     value = abs(value);
2059                             ^~~
2060                             fabs
2061
2062         * assembler/MacroAssembler.h:
2063         (JSC::MacroAssembler::shouldBlindDouble): Switch from abs() to
2064         fabs().
2065
2066 2014-03-14  Oliver Hunt  <oliver@apple.com>
2067
2068         Reinstate initialiser syntax in for-in loops
2069         https://bugs.webkit.org/show_bug.cgi?id=130269
2070
2071         Reviewed by Michael Saboff.
2072
2073         Disallowing the initialiser broke some sites so this patch re-allows
2074         the syntax.  We still disallow the syntax in 'of' and pattern based
2075         enumeration.
2076
2077         * parser/ASTBuilder.h:
2078         (JSC::ASTBuilder::isBindingNode):
2079         * parser/Parser.cpp:
2080         (JSC::Parser<LexerType>::parseVarDeclarationList):
2081         (JSC::Parser<LexerType>::parseForStatement):
2082         * parser/SyntaxChecker.h:
2083         (JSC::SyntaxChecker::operatorStackPop):
2084
2085 2014-03-14  Mark Lam  <mark.lam@apple.com>
2086
2087         Accessing __lookupGetter__ and __lookupSetter__ should not crash the VM when undefined.
2088         <https://webkit.org/b/130279>
2089
2090         Reviewed by Filip Pizlo.
2091
2092         If neither the getter nor setter are defined, accessing __lookupGetter__
2093         and __lookupSetter__ will return undefined as expected.  However, if the
2094         getter is defined but the setter is not, accessing __lookupSetter__ will
2095         crash the VM.  Similarly, accessing __lookupGetter__ when only the setter
2096         is defined will crash the VM.
2097
2098         The reason is that objectProtoFuncLookupGetter() and
2099         objectProtoFuncLookupSetter() did not check if the getter and setter
2100         value is non-null before returning it as an EncodedJSValue.  The fix is
2101         to add the appropriate null checks.
2102
2103         * runtime/ObjectPrototype.cpp:
2104         (JSC::objectProtoFuncLookupGetter):
2105         (JSC::objectProtoFuncLookupSetter):
2106
2107 2014-03-14  Mark Rowe  <mrowe@apple.com>
2108
2109         Fix the production build.
2110
2111         Don't rely on USE_INTERNAL_SDK being set for the Production configuration since UseInternalSDK.xcconfig won't
2112         be at the expected relative path when working from installed source.
2113
2114         * Configurations/Base.xcconfig:
2115
2116 2014-03-14  Maciej Stachowiak  <mjs@apple.com>
2117
2118         Replace "Apple Computer, Inc." with "Apple Inc." in copyright headers
2119         https://bugs.webkit.org/show_bug.cgi?id=130276
2120         <rdar://problem/16266927>
2121
2122         Reviewed by Simon Fraser.
2123
2124         * API/APICast.h:
2125         * API/JSBase.cpp:
2126         * API/JSBase.h:
2127         * API/JSBasePrivate.h:
2128         * API/JSCallbackConstructor.cpp:
2129         * API/JSCallbackConstructor.h:
2130         * API/JSCallbackFunction.cpp:
2131         * API/JSCallbackFunction.h:
2132         * API/JSCallbackObject.cpp:
2133         * API/JSCallbackObject.h:
2134         * API/JSCallbackObjectFunctions.h:
2135         * API/JSClassRef.cpp:
2136         * API/JSClassRef.h:
2137         * API/JSContextRef.cpp:
2138         * API/JSContextRef.h:
2139         * API/JSContextRefPrivate.h:
2140         * API/JSObjectRef.cpp:
2141         * API/JSObjectRef.h:
2142         * API/JSProfilerPrivate.cpp:
2143         * API/JSProfilerPrivate.h:
2144         * API/JSRetainPtr.h:
2145         * API/JSStringRef.cpp:
2146         * API/JSStringRef.h:
2147         * API/JSStringRefBSTR.cpp:
2148         * API/JSStringRefBSTR.h:
2149         * API/JSStringRefCF.cpp:
2150         * API/JSStringRefCF.h:
2151         * API/JSValueRef.cpp:
2152         * API/JSValueRef.h:
2153         * API/JavaScript.h:
2154         * API/JavaScriptCore.h:
2155         * API/OpaqueJSString.cpp:
2156         * API/OpaqueJSString.h:
2157         * API/tests/JSNode.c:
2158         * API/tests/JSNode.h:
2159         * API/tests/JSNodeList.c:
2160         * API/tests/JSNodeList.h:
2161         * API/tests/Node.c:
2162         * API/tests/Node.h:
2163         * API/tests/NodeList.c:
2164         * API/tests/NodeList.h:
2165         * API/tests/minidom.c:
2166         * API/tests/minidom.js:
2167         * API/tests/testapi.c:
2168         * API/tests/testapi.js:
2169         * DerivedSources.make:
2170         * bindings/ScriptValue.cpp:
2171         * bytecode/CodeBlock.cpp:
2172         * bytecode/CodeBlock.h:
2173         * bytecode/EvalCodeCache.h:
2174         * bytecode/Instruction.h:
2175         * bytecode/JumpTable.cpp:
2176         * bytecode/JumpTable.h:
2177         * bytecode/Opcode.cpp:
2178         * bytecode/Opcode.h:
2179         * bytecode/SamplingTool.cpp:
2180         * bytecode/SamplingTool.h:
2181         * bytecode/SpeculatedType.cpp:
2182         * bytecode/SpeculatedType.h:
2183         * bytecode/ValueProfile.h:
2184         * bytecompiler/BytecodeGenerator.cpp:
2185         * bytecompiler/BytecodeGenerator.h:
2186         * bytecompiler/Label.h:
2187         * bytecompiler/LabelScope.h:
2188         * bytecompiler/RegisterID.h:
2189         * debugger/DebuggerCallFrame.cpp:
2190         * debugger/DebuggerCallFrame.h:
2191         * dfg/DFGDesiredStructureChains.cpp:
2192         * dfg/DFGDesiredStructureChains.h:
2193         * heap/GCActivityCallback.cpp:
2194         * heap/GCActivityCallback.h:
2195         * inspector/ConsoleMessage.cpp:
2196         * inspector/ConsoleMessage.h:
2197         * inspector/IdentifiersFactory.cpp:
2198         * inspector/IdentifiersFactory.h:
2199         * inspector/InjectedScriptManager.cpp:
2200         * inspector/InjectedScriptManager.h:
2201         * inspector/InjectedScriptSource.js:
2202         * inspector/ScriptBreakpoint.h:
2203         * inspector/ScriptDebugListener.h:
2204         * inspector/ScriptDebugServer.cpp:
2205         * inspector/ScriptDebugServer.h:
2206         * inspector/agents/InspectorAgent.cpp:
2207         * inspector/agents/InspectorAgent.h:
2208         * inspector/agents/InspectorDebuggerAgent.cpp:
2209         * inspector/agents/InspectorDebuggerAgent.h:
2210         * interpreter/Interpreter.cpp:
2211         * interpreter/Interpreter.h:
2212         * interpreter/JSStack.cpp:
2213         * interpreter/JSStack.h:
2214         * interpreter/Register.h:
2215         * jit/CompactJITCodeMap.h:
2216         * jit/JITStubs.cpp:
2217         * jit/JITStubs.h:
2218         * jit/JITStubsARM.h:
2219         * jit/JITStubsARMv7.h:
2220         * jit/JITStubsX86.h:
2221         * jit/JITStubsX86_64.h:
2222         * os-win32/stdbool.h:
2223         * parser/SourceCode.h:
2224         * parser/SourceProvider.h:
2225         * profiler/LegacyProfiler.cpp:
2226         * profiler/LegacyProfiler.h:
2227         * profiler/ProfileNode.cpp:
2228         * profiler/ProfileNode.h:
2229         * runtime/ArrayBufferView.cpp:
2230         * runtime/ArrayBufferView.h:
2231         * runtime/BatchedTransitionOptimizer.h:
2232         * runtime/CallData.h:
2233         * runtime/ConstructData.h:
2234         * runtime/DumpContext.cpp:
2235         * runtime/DumpContext.h:
2236         * runtime/ExceptionHelpers.cpp:
2237         * runtime/ExceptionHelpers.h:
2238         * runtime/InitializeThreading.cpp:
2239         * runtime/InitializeThreading.h:
2240         * runtime/IntegralTypedArrayBase.h:
2241         * runtime/IntendedStructureChain.cpp:
2242         * runtime/IntendedStructureChain.h:
2243         * runtime/JSActivation.cpp:
2244         * runtime/JSActivation.h:
2245         * runtime/JSExportMacros.h:
2246         * runtime/JSGlobalObject.cpp:
2247         * runtime/JSNotAnObject.cpp:
2248         * runtime/JSNotAnObject.h:
2249         * runtime/JSPropertyNameIterator.cpp:
2250         * runtime/JSPropertyNameIterator.h:
2251         * runtime/JSSegmentedVariableObject.cpp:
2252         * runtime/JSSegmentedVariableObject.h:
2253         * runtime/JSSymbolTableObject.cpp:
2254         * runtime/JSSymbolTableObject.h:
2255         * runtime/JSTypeInfo.h:
2256         * runtime/JSVariableObject.cpp:
2257         * runtime/JSVariableObject.h:
2258         * runtime/PropertyTable.cpp:
2259         * runtime/PutPropertySlot.h:
2260         * runtime/SamplingCounter.cpp:
2261         * runtime/SamplingCounter.h:
2262         * runtime/Structure.cpp:
2263         * runtime/Structure.h:
2264         * runtime/StructureChain.cpp:
2265         * runtime/StructureChain.h:
2266         * runtime/StructureInlines.h:
2267         * runtime/StructureTransitionTable.h:
2268         * runtime/SymbolTable.cpp:
2269         * runtime/SymbolTable.h:
2270         * runtime/TypedArrayBase.h:
2271         * runtime/TypedArrayType.cpp:
2272         * runtime/TypedArrayType.h:
2273         * runtime/VM.cpp:
2274         * runtime/VM.h:
2275         * yarr/RegularExpression.cpp:
2276         * yarr/RegularExpression.h:
2277
2278 2014-03-14  Filip Pizlo  <fpizlo@apple.com>
2279
2280         Final FTL iOS build magic
2281         https://bugs.webkit.org/show_bug.cgi?id=130281
2282
2283         Reviewed by Michael Saboff.
2284
2285         * Configurations/Base.xcconfig: For now our LLVM headers are in /usr/local/LLVMForJavaScriptCore/include, which is the same as OS X.
2286         * Configurations/LLVMForJSC.xcconfig: We need to be more careful about how we specify library paths if we want to get the prioritization right. Also we need protobuf because things. :-/
2287
2288 2014-03-14  Joseph Pecoraro  <pecoraro@apple.com>
2289
2290         Web Inspector: Gracefully handle nil name -[JSContext setName:]
2291         https://bugs.webkit.org/show_bug.cgi?id=130262
2292
2293         Reviewed by Mark Hahnenberg.
2294
2295         * API/JSContext.mm:
2296         (-[JSContext setName:]):
2297         Gracefully handle nil input.
2298
2299         * API/tests/testapi.c:
2300         (globalContextNameTest):
2301         * API/tests/testapi.mm:
2302         Test for nil / NULL names in the ObjC and C APIs.
2303
2304 2014-03-11  Oliver Hunt  <oliver@apple.com>
2305
2306         Improve DOM error messages
2307         https://bugs.webkit.org/show_bug.cgi?id=130103
2308
2309         Reviewed by Andreas Kling.
2310
2311         Add new helper function.
2312
2313         * runtime/Error.h:
2314         (JSC::throwVMTypeError):
2315
2316 2014-03-14  László Langó  <llango.u-szeged@partner.samsung.com>
2317
2318         Remove unused method declaration.
2319         https://bugs.webkit.org/show_bug.cgi?id=130238
2320
2321         Reviewed by Filip Pizlo.
2322
2323         The implementation of CallFrame::dumpCaller was removed in
2324         http://trac.webkit.org/changeset/153183, but the declaration of it was not.
2325
2326         * interpreter/CallFrame.h:
2327         Remove CallFrame::dumpCaller() method declaration.
2328
2329 2014-03-12  Sergio Villar Senin  <svillar@igalia.com>
2330
2331         Rename DEFINE_STATIC_LOCAL to DEPRECATED_DEFINE_STATIC_LOCAL
2332         https://bugs.webkit.org/show_bug.cgi?id=129612
2333
2334         Reviewed by Darin Adler.
2335
2336         For new code use static NeverDestroyed<T> instead.
2337
2338         * API/JSAPIWrapperObject.mm:
2339         (jsAPIWrapperObjectHandleOwner):
2340         * API/JSManagedValue.mm:
2341         (managedValueHandleOwner):
2342         * inspector/agents/InspectorDebuggerAgent.cpp:
2343         (Inspector::objectGroupForBreakpointAction):
2344         * inspector/scripts/CodeGeneratorInspectorStrings.py:
2345         * interpreter/JSStack.cpp:
2346         (JSC::stackStatisticsMutex):
2347         * jit/ExecutableAllocator.cpp:
2348         (JSC::DemandExecutableAllocator::allocators):
2349
2350 2014-03-12  Gavin Barraclough  <barraclough@apple.com>
2351
2352         Reduce memory use for static property maps
2353         https://bugs.webkit.org/show_bug.cgi?id=129986
2354
2355         Reviewed by Andreas Kling.
2356
2357         Static property tables are currently duplicated on first use from read-only memory into dirty memory
2358         in every process, and since the entries are large (48 bytes) and the tables can be unusually sparse
2359         (we use a custom hash table without a rehash) a lot of memory may be wasted.
2360
2361         First, reduce the size of the hashtable. Instead of storing values in the table the hashtable maps
2362         from string hashes to indices into a densely packed array of values. Compute the index table at
2363         compile time as a part of the derived sources step, such that this may be read-only data.
2364
2365         Second, don't copy all data from the HashTableValue array into HashEntry objects. Instead refer
2366         directly to the HashTableValue entries. The only data that needs to be allocated at runtime are the
2367         keys, which are Identifiers.
2368
2369         * create_hash_table:
2370             - emit the hash table index into the derived source (we were calculating this already to ensure chaining does not get too deep).
2371         * parser/Lexer.cpp:
2372         (JSC::Lexer<LChar>::parseIdentifier):
2373         (JSC::Lexer<UChar>::parseIdentifier):
2374         (JSC::Lexer<T>::parseIdentifierSlowCase):
2375             - HashEntry -> HashTableValue.
2376         * parser/Lexer.h:
2377         (JSC::Keywords::getKeyword):
2378             - HashEntry -> HashTableValue.
2379         * runtime/ClassInfo.h:
2380             - removed HashEntry.
2381         * runtime/JSObject.cpp:
2382         (JSC::getClassPropertyNames):
2383             - use HashTable::ConstIterator.
2384         (JSC::JSObject::put):
2385         (JSC::JSObject::deleteProperty):
2386         (JSC::JSObject::findPropertyHashEntry):
2387             - HashEntry -> HashTableValue.
2388         (JSC::JSObject::reifyStaticFunctionsForDelete):
2389             - changed HashTable::ConstIterator interface.
2390         * runtime/JSObject.h:
2391             - HashEntry -> HashTableValue.
2392         * runtime/Lookup.cpp:
2393         (JSC::HashTable::createTable):
2394             - table -> keys, keys array is now densely packed.
2395         (JSC::HashTable::deleteTable):
2396             - table -> keys.
2397         (JSC::setUpStaticFunctionSlot):
2398             - HashEntry -> HashTableValue.
2399         * runtime/Lookup.h:
2400         (JSC::HashTableValue::builtinGenerator):
2401         (JSC::HashTableValue::function):
2402         (JSC::HashTableValue::functionLength):
2403         (JSC::HashTableValue::propertyGetter):
2404         (JSC::HashTableValue::propertyPutter):
2405         (JSC::HashTableValue::lexerValue):
2406             - added accessor methods from HashEntry.
2407         (JSC::HashTable::copy):
2408             - fields changed.
2409         (JSC::HashTable::initializeIfNeeded):
2410             - table -> keys.
2411         (JSC::HashTable::entry):
2412             - HashEntry -> HashTableValue.
2413         (JSC::HashTable::ConstIterator::ConstIterator):
2414             - iterate packed value array, so no need to skipInvalidKeys().
2415         (JSC::HashTable::ConstIterator::value):
2416         (JSC::HashTable::ConstIterator::key):
2417         (JSC::HashTable::ConstIterator::operator->):
2418             - accessors now get HashTableValue/StringImpl* separately.
2419         (JSC::HashTable::ConstIterator::operator++):
2420             - iterate packed value array, so no need to skipInvalidKeys().
2421         (JSC::HashTable::end):
2422             - end is now size of dense not sparse array.
2423         (JSC::getStaticPropertySlot):
2424         (JSC::getStaticFunctionSlot):
2425         (JSC::getStaticValueSlot):
2426         (JSC::putEntry):
2427         (JSC::lookupPut):
2428             - HashEntry -> HashTableValue.
2429
2430 2014-03-13  Filip Pizlo  <fpizlo@apple.com>
2431
2432         Unreviewed, fix Mac no-FTL build.
2433
2434         * llvm/library/LLVMExports.cpp:
2435         (initializeAndGetJSCLLVMAPI):
2436
2437 2014-03-13  Juergen Ributzka  <juergen@apple.com>
2438
2439         Only export initializeAndGetJSCLLVMAPI from libllvmForJSC.dylib
2440         https://bugs.webkit.org/show_bug.cgi?id=130224
2441
2442         Reviewed by Filip Pizlo.
2443
2444         This limits the exported symbols to only initializeAndGetJSCLLVMAPI from
2445         the LLVM dylib. This allows the dylib to be safely used with other LLVM
2446         dylibs on the same system. It also reduces the dynamic linking overhead
2447         and also reduces the size by 6MB, because the linker can now dead strip
2448         many unused functions.
2449
2450         * Configurations/LLVMForJSC.xcconfig:
2451
2452 2014-03-13  Andreas Kling  <akling@apple.com>
2453
2454         VM::discardAllCode() should clear the RegExp cache.
2455         <https://webkit.org/b/130144>
2456
2457         Reviewed by Michael Saboff.
2458
2459         * runtime/VM.cpp:
2460         (JSC::VM::discardAllCode):
2461
2462 2014-03-13  Andreas Kling  <akling@apple.com>
2463
2464         Revert "Short-circuit JSGlobalObjectInspectorController when not inspecting."
2465         <https://webkit.org/b/129995>
2466
2467         This code path is not taken anymore on DYEB, and I can't explain why
2468         it was showing up in my profiles. Backing it out per JoePeck's suggestion.
2469
2470         * inspector/JSGlobalObjectInspectorController.cpp:
2471         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
2472
2473 2014-03-13  Filip Pizlo  <fpizlo@apple.com>
2474
2475         FTL should support IsBlah
2476         https://bugs.webkit.org/show_bug.cgi?id=130202
2477
2478         Reviewed by Geoffrey Garen.
2479
2480         * ftl/FTLCapabilities.cpp:
2481         (JSC::FTL::canCompile):
2482         * ftl/FTLIntrinsicRepository.h:
2483         * ftl/FTLLowerDFGToLLVM.cpp:
2484         (JSC::FTL::LowerDFGToLLVM::compileNode):
2485         (JSC::FTL::LowerDFGToLLVM::compileIsUndefined):
2486         (JSC::FTL::LowerDFGToLLVM::compileIsBoolean):
2487         (JSC::FTL::LowerDFGToLLVM::compileIsNumber):
2488         (JSC::FTL::LowerDFGToLLVM::compileIsString):
2489         (JSC::FTL::LowerDFGToLLVM::compileIsObject):
2490         (JSC::FTL::LowerDFGToLLVM::compileIsFunction):
2491         (JSC::FTL::LowerDFGToLLVM::compileStoreBarrier):
2492         (JSC::FTL::LowerDFGToLLVM::compileStoreBarrierWithNullCheck):
2493         (JSC::FTL::LowerDFGToLLVM::isNotCellOrMisc):
2494         (JSC::FTL::LowerDFGToLLVM::isNumber):
2495         (JSC::FTL::LowerDFGToLLVM::isNotNumber):
2496         (JSC::FTL::LowerDFGToLLVM::isBoolean):
2497         * ftl/FTLOSRExitCompiler.cpp:
2498         * tests/stress/is-undefined-exit-on-masquerader.js: Added.
2499         (bar):
2500         (foo):
2501         (test):
2502         * tests/stress/is-undefined-jettison-on-masquerader.js: Added.
2503         (foo):
2504         (test):
2505         * tests/stress/is-undefined-masquerader.js: Added.
2506         (foo):
2507         (test):
2508
2509 2014-03-13  Mark Lam  <mark.lam@apple.com>
2510
2511         JS benchmarks crash with a bus error on 32-bit x86.
2512         <https://webkit.org/b/130203>
2513
2514         Reviewed by Geoffrey Garen.
2515
2516         The issue is that generateGetByIdStub() can potentially use the same register
2517         for the JSValue base register and the target tag register.  After loading the
2518         tag value into the target tag register, the JSValue base address is lost.
2519         The code then proceeds to load the payload value using the base register, and
2520         this results in a crash.
2521
2522         The fix is to check if the base register is the same as the target tag register.
2523         If so, we should make a copy of the base register first before loading the tag
2524         value, and use the copy to load the payload value instead.
2525
2526         * jit/Repatch.cpp:
2527         (JSC::generateGetByIdStub):
2528
2529 2014-03-12  Filip Pizlo  <fpizlo@apple.com>
2530
2531         WebKit shouldn't crash on uniprocessor machines
2532         https://bugs.webkit.org/show_bug.cgi?id=130176
2533
2534         Reviewed by Michael Saboff.
2535         
2536         Previously the math for computing the number of JIT compiler threads would come up with
2537         zero threads on uniprocessor machines, and then the Worklist code would assert.
2538
2539         * runtime/Options.cpp:
2540         (JSC::computeNumberOfWorkerThreads):
2541         * runtime/Options.h:
2542
2543 2014-03-13  Radu Stavila  <stavila@adobe.com>
2544
2545         WebKit not building on Xcode 5.1 due to garbage collection no longer being supported
2546         https://bugs.webkit.org/show_bug.cgi?id=130087
2547
2548         Reviewed by Mark Rowe.
2549
2550         Disable garbage collection on macosx when not using internal SDK.
2551
2552         * Configurations/Base.xcconfig:
2553
2554 2014-03-10  Darin Adler  <darin@apple.com>
2555
2556         Avoid copy-prone idiom "for (auto item : collection)"
2557         https://bugs.webkit.org/show_bug.cgi?id=129990
2558
2559         Reviewed by Geoffrey Garen.
2560
2561         * heap/CodeBlockSet.h:
2562         (JSC::CodeBlockSet::iterate): Use auto& to be sure we don't copy by accident.
2563         * inspector/ScriptDebugServer.cpp:
2564         (Inspector::ScriptDebugServer::dispatchBreakpointActionLog): Use auto* to
2565         make explicit that we are iterating through pointers.
2566         (Inspector::ScriptDebugServer::dispatchBreakpointActionSound): Ditto.
2567         (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe): Ditto.
2568         * inspector/agents/InspectorDebuggerAgent.cpp:
2569         (Inspector::InspectorDebuggerAgent::removeBreakpoint): Use auto&, and also
2570         get rid of an unneeded local variable.
2571
2572 2014-03-13  Brian Burg  <bburg@apple.com>
2573
2574         Web Inspector: Remove unused callId parameter from evaluateInWebInspector
2575         https://bugs.webkit.org/show_bug.cgi?id=129744
2576
2577         Reviewed by Timothy Hatcher.
2578
2579         * inspector/agents/InspectorAgent.cpp:
2580         (Inspector::InspectorAgent::enable):
2581         (Inspector::InspectorAgent::evaluateForTestInFrontend):
2582         * inspector/agents/InspectorAgent.h:
2583         * inspector/protocol/InspectorDomain.json:
2584
2585 2014-03-11  Filip Pizlo  <fpizlo@apple.com>
2586
2587         ASSERTION FAILED: node->op() == Phi || node->op() == SetArgument
2588         https://bugs.webkit.org/show_bug.cgi?id=130069
2589
2590         Reviewed by Geoffrey Garen.
2591         
2592         This was a great assertion, and it represents our strictest interpretation of the rules of
2593         our intermediate representation. However, fixing DCE to actually preserve the relevant
2594         property would be hard, and it wouldn't have an observable effect right now because nobody
2595         actually uses the property of CPS that this assertion is checking for.
2596         
2597         In particular, we do always require, and rely on, the fact that non-captured variables
2598         have variablesAtTail refer to the last interesting use of the variable: a SetLocal if the
2599         block assigns to the variable, a GetLocal if it only reads from it, and a Flush,
2600         PhantomLocal, or Phi otherwise. We do preserve this property successfully and DCE was not
2601         broken in this regard. But, in the strictest sense, CPS also means that for captured
2602         variables, variablesAtTail also continues to point to the last relevant use of the
2603         variable. In particular, if there are multiple GetLocals, then it should point to the last
2604         one. This is hard for DCE to preserve. Also, nobody relies on variablesAtTail for captured
2605         variables, except to check the VariableAccessData; but in that case, we don't really need
2606         the *last* relevant use of the variable - any node that mentions the same variable will do
2607         just fine.
2608         
2609         So, this change loosens the assertion and adds a detailed FIXME describing what we would
2610         have to do if we wanted to preserve the more strict property.
2611         
2612         This also makes changes to various debug printing paths so that validation doesn't crash
2613         during graph dump. This also adds tests for the interesting cases of DCE failing to
2614         preserve CPS in the strictest sense. This also attempts to win the record for longest test
2615         name.
2616
2617         * bytecode/CodeBlock.cpp:
2618         (JSC::CodeBlock::hashAsStringIfPossible):
2619         (JSC::CodeBlock::dumpAssumingJITType):
2620         * bytecode/CodeBlock.h:
2621         * bytecode/CodeOrigin.cpp:
2622         (JSC::InlineCallFrame::hashAsStringIfPossible):
2623         (JSC::InlineCallFrame::dumpBriefFunctionInformation):
2624         * bytecode/CodeOrigin.h:
2625         * dfg/DFGCPSRethreadingPhase.cpp:
2626         (JSC::DFG::CPSRethreadingPhase::run):
2627         * dfg/DFGDCEPhase.cpp:
2628         (JSC::DFG::DCEPhase::cleanVariables):
2629         * dfg/DFGInPlaceAbstractState.cpp:
2630         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
2631         * runtime/FunctionExecutableDump.cpp:
2632         (JSC::FunctionExecutableDump::dump):
2633         * tests/stress/dead-access-to-captured-variable-preceded-by-a-live-store-in-function-with-multiple-basic-blocks.js: Added.
2634         (foo):
2635         * tests/stress/dead-access-to-captured-variable-preceded-by-a-live-store.js: Added.
2636         (foo):
2637
2638 2014-03-12  Brian Burg  <bburg@apple.com>
2639
2640         Web Replay: add infrastructure for memoizing nondeterministic DOM APIs
2641         https://bugs.webkit.org/show_bug.cgi?id=129445
2642
2643         Reviewed by Timothy Hatcher.
2644
2645         There was a bug in the replay inputs code generator that would include
2646         headers for definitions of enum classes, even though they can be safely
2647         forward-declared.
2648
2649         * replay/scripts/CodeGeneratorReplayInputs.py:
2650         (Generator.generate_includes): Only include for copy constructor if the
2651         type is a heavy scalar (i.e., String, URL), not a normal scalar
2652         (i.e., int, double, enum classes).
2653
2654         (Generator.generate_type_forward_declarations): Forward-declare scalars
2655         that are enums or enum classes.
2656
2657 2014-03-12  Joseph Pecoraro  <pecoraro@apple.com>
2658
2659         Web Inspector: Disable REMOTE_INSPECTOR in earlier OS X releases
2660         https://bugs.webkit.org/show_bug.cgi?id=130118
2661
2662         Reviewed by Timothy Hatcher.
2663
2664         * Configurations/FeatureDefines.xcconfig:
2665
2666 2014-03-12  Joseph Pecoraro  <pecoraro@apple.com>
2667
2668         Web Inspector: Hang in Remote Inspection triggering breakpoint from console
2669         https://bugs.webkit.org/show_bug.cgi?id=130032
2670
2671         Reviewed by Timothy Hatcher.
2672
2673         * inspector/EventLoop.h:
2674         * inspector/EventLoop.cpp:
2675         (Inspector::EventLoop::remoteInspectorRunLoopMode):
2676         (Inspector::EventLoop::cycle):
2677         Expose the run loop mode name so it can be used if needed by others.
2678
2679         * inspector/remote/RemoteInspectorDebuggableConnection.h:
2680         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
2681         (Inspector::RemoteInspectorBlock::RemoteInspectorBlock):
2682         (Inspector::RemoteInspectorBlock::~RemoteInspectorBlock):
2683         (Inspector::RemoteInspectorBlock::operator=):
2684         (Inspector::RemoteInspectorBlock::operator()):
2685         (Inspector::RemoteInspectorQueueTask):
2686         Instead of a dispatch_queue, have our own static Vector of debugger tasks.
2687
2688         (Inspector::RemoteInspectorHandleRunSource):
2689         (Inspector::RemoteInspectorInitializeQueue):
2690         Initialize the static queue and run loop source. When the run loop source
2691         fires, it will exhaust the queue of debugger messages.
2692
2693         (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
2694         (Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection):
2695         When we get a debuggable connection add a run loop source for inspector commands.
2696
2697         (Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable):
2698         (Inspector::RemoteInspectorDebuggableConnection::sendMessageToBackend):
2699         Enqueue blocks on our Vector instead of our dispatch_queue.
2700
2701 2014-03-12  Commit Queue  <commit-queue@webkit.org>
2702
2703         Unreviewed, rolling out r165482.
2704         https://bugs.webkit.org/show_bug.cgi?id=130157
2705
2706         Broke the Windows build; "error C2466: cannot allocate an
2707         array of constant size 0" (Requested by jernoble on #webkit).
2708
2709         Reverted changeset:
2710
2711         "Reduce memory use for static property maps"
2712         https://bugs.webkit.org/show_bug.cgi?id=129986
2713         http://trac.webkit.org/changeset/165482
2714
2715 2014-03-12  Mark Hahnenberg  <mhahnenberg@apple.com>
2716
2717         Remove HandleSet::m_nextToFinalize
2718         https://bugs.webkit.org/show_bug.cgi?id=130109
2719
2720         Reviewed by Mark Lam.
2721
2722         This is a remnant of when HandleSet contained things that needed to be finalized.
2723
2724         * heap/HandleSet.cpp:
2725         (JSC::HandleSet::HandleSet):
2726         (JSC::HandleSet::writeBarrier):
2727         * heap/HandleSet.h:
2728         (JSC::HandleSet::allocate):
2729         (JSC::HandleSet::deallocate):
2730
2731 2014-03-12  Mark Hahnenberg  <mhahnenberg@apple.com>
2732
2733         Layout Test fast/workers/worker-gc.html is failing
2734         https://bugs.webkit.org/show_bug.cgi?id=130135
2735
2736         Reviewed by Geoffrey Garen.
2737
2738         When removing MarkedBlocks, we always expect them to be in the MarkedAllocator's
2739         main list of blocks, i.e. not in the retired list. When shutting down the VM this
2740         wasn't always the case which was causing ASSERTs to fire. We should rearrange things
2741         so that allocators are notified with lastChanceToFinalize. This will give them
2742         the chance to move their retired blocks back into the main list before removing them all.
2743
2744         * heap/MarkedAllocator.cpp:
2745         (JSC::LastChanceToFinalize::operator()):
2746         (JSC::MarkedAllocator::lastChanceToFinalize):
2747         * heap/MarkedAllocator.h:
2748         * heap/MarkedSpace.cpp:
2749         (JSC::LastChanceToFinalize::operator()):
2750         (JSC::MarkedSpace::lastChanceToFinalize):
2751
2752 2014-03-12  Gavin Barraclough  <barraclough@apple.com>
2753
2754         Reduce memory use for static property maps
2755         https://bugs.webkit.org/show_bug.cgi?id=129986
2756
2757         Reviewed by Andreas Kling.
2758
2759         Static property tables are currently duplicated on first use from read-only memory into dirty memory
2760         in every process, and since the entries are large (48 bytes) and the tables can be unusually sparse
2761         (we use a custom hash table without a rehash) a lot of memory may be wasted.
2762
2763         First, reduce the size of the hashtable. Instead of storing values in the table the hashtable maps
2764         from string hashes to indices into a densely packed array of values. Compute the index table at
2765         compile time as a part of the derived sources step, such that this may be read-only data.
2766
2767         Second, don't copy all data from the HashTableValue array into HashEntry objects. Instead refer
2768         directly to the HashTableValue entries. The only data that needs to be allocated at runtime are the
2769         keys, which are Identifiers.
2770
2771         * create_hash_table:
2772             - emit the hash table index into the derived source (we were calculating this already to ensure chaining does not get too deep).
2773         * parser/Lexer.cpp:
2774         (JSC::Lexer<LChar>::parseIdentifier):
2775         (JSC::Lexer<UChar>::parseIdentifier):
2776         (JSC::Lexer<T>::parseIdentifierSlowCase):
2777             - HashEntry -> HashTableValue.
2778         * parser/Lexer.h:
2779         (JSC::Keywords::getKeyword):
2780             - HashEntry -> HashTableValue.
2781         * runtime/ClassInfo.h:
2782             - removed HashEntry.
2783         * runtime/JSObject.cpp:
2784         (JSC::getClassPropertyNames):
2785             - use HashTable::ConstIterator.
2786         (JSC::JSObject::put):
2787         (JSC::JSObject::deleteProperty):
2788         (JSC::JSObject::findPropertyHashEntry):
2789             - HashEntry -> HashTableValue.
2790         (JSC::JSObject::reifyStaticFunctionsForDelete):
2791             - changed HashTable::ConstIterator interface.
2792         * runtime/JSObject.h:
2793             - HashEntry -> HashTableValue.
2794         * runtime/Lookup.cpp:
2795         (JSC::HashTable::createTable):
2796             - table -> keys, keys array is now densely packed.
2797         (JSC::HashTable::deleteTable):
2798             - table -> keys.
2799         (JSC::setUpStaticFunctionSlot):
2800             - HashEntry -> HashTableValue.
2801         * runtime/Lookup.h:
2802         (JSC::HashTableValue::builtinGenerator):
2803         (JSC::HashTableValue::function):
2804         (JSC::HashTableValue::functionLength):
2805         (JSC::HashTableValue::propertyGetter):
2806         (JSC::HashTableValue::propertyPutter):
2807         (JSC::HashTableValue::lexerValue):
2808             - added accessor methods from HashEntry.
2809         (JSC::HashTable::copy):
2810             - fields changed.
2811         (JSC::HashTable::initializeIfNeeded):
2812             - table -> keys.
2813         (JSC::HashTable::entry):
2814             - HashEntry -> HashTableValue.
2815         (JSC::HashTable::ConstIterator::ConstIterator):
2816             - iterate packed value array, so no need to skipInvalidKeys().
2817         (JSC::HashTable::ConstIterator::value):
2818         (JSC::HashTable::ConstIterator::key):
2819         (JSC::HashTable::ConstIterator::operator->):
2820             - accessors now get HashTableValue/StringImpl* separately.
2821         (JSC::HashTable::ConstIterator::operator++):
2822             - iterate packed value array, so no need to skipInvalidKeys().
2823         (JSC::HashTable::end):
2824             - end is now size of dense not sparse array.
2825         (JSC::getStaticPropertySlot):
2826         (JSC::getStaticFunctionSlot):
2827         (JSC::getStaticValueSlot):
2828         (JSC::putEntry):
2829         (JSC::lookupPut):
2830             - HashEntry -> HashTableValue.
2831
2832 2014-03-11  Filip Pizlo  <fpizlo@apple.com>
2833
2834         It should be possible to build WebKit with FTL on iOS
2835         https://bugs.webkit.org/show_bug.cgi?id=130116
2836
2837         Reviewed by Dan Bernstein.
2838
2839         * Configurations/Base.xcconfig:
2840
2841 2014-03-10  Filip Pizlo  <fpizlo@apple.com>
2842
2843         GetById list caching should use something object-oriented rather than PolymorphicAccessStructureList
2844         https://bugs.webkit.org/show_bug.cgi?id=129778
2845
2846         Reviewed by Geoffrey Garen.
2847         
2848         Also deduplicate the GetById getter call caching. Also add some small tests for
2849         get stubs.
2850         
2851         This change reduces the amount of code involved in GetById access caching and it
2852         creates data structures that can serve as an elegant scaffold for introducing other
2853         kinds of caches or improving current caching styles. It will definitely make getter
2854         performance improvements easier to implement.
2855
2856         * CMakeLists.txt:
2857         * GNUmakefile.list.am:
2858         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2859         * JavaScriptCore.xcodeproj/project.pbxproj:
2860         * bytecode/CodeBlock.cpp:
2861         (JSC::CodeBlock::printGetByIdCacheStatus):
2862         * bytecode/GetByIdStatus.cpp:
2863         (JSC::GetByIdStatus::computeForStubInfo):
2864         * bytecode/PolymorphicGetByIdList.cpp: Added.
2865         (JSC::GetByIdAccess::GetByIdAccess):
2866         (JSC::GetByIdAccess::~GetByIdAccess):
2867         (JSC::GetByIdAccess::fromStructureStubInfo):
2868         (JSC::GetByIdAccess::visitWeak):
2869         (JSC::PolymorphicGetByIdList::PolymorphicGetByIdList):
2870         (JSC::PolymorphicGetByIdList::from):
2871         (JSC::PolymorphicGetByIdList::~PolymorphicGetByIdList):
2872         (JSC::PolymorphicGetByIdList::currentSlowPathTarget):
2873         (JSC::PolymorphicGetByIdList::addAccess):
2874         (JSC::PolymorphicGetByIdList::isFull):
2875         (JSC::PolymorphicGetByIdList::isAlmostFull):
2876         (JSC::PolymorphicGetByIdList::didSelfPatching):
2877         (JSC::PolymorphicGetByIdList::visitWeak):
2878         * bytecode/PolymorphicGetByIdList.h: Added.
2879         (JSC::GetByIdAccess::GetByIdAccess):
2880         (JSC::GetByIdAccess::isSet):
2881         (JSC::GetByIdAccess::operator!):
2882         (JSC::GetByIdAccess::type):
2883         (JSC::GetByIdAccess::structure):
2884         (JSC::GetByIdAccess::chain):
2885         (JSC::GetByIdAccess::chainCount):
2886         (JSC::GetByIdAccess::stubRoutine):
2887         (JSC::GetByIdAccess::doesCalls):
2888         (JSC::PolymorphicGetByIdList::isEmpty):
2889         (JSC::PolymorphicGetByIdList::size):
2890         (JSC::PolymorphicGetByIdList::at):
2891         (JSC::PolymorphicGetByIdList::operator[]):
2892         * bytecode/StructureStubInfo.cpp:
2893         (JSC::StructureStubInfo::deref):
2894         (JSC::StructureStubInfo::visitWeakReferences):
2895         * bytecode/StructureStubInfo.h:
2896         (JSC::isGetByIdAccess):
2897         (JSC::StructureStubInfo::initGetByIdList):
2898         * jit/Repatch.cpp:
2899         (JSC::generateGetByIdStub):
2900         (JSC::tryCacheGetByID):
2901         (JSC::patchJumpToGetByIdStub):
2902         (JSC::tryBuildGetByIDList):
2903         (JSC::tryBuildPutByIdList):
2904         * tests/stress/getter.js: Added.
2905         (foo):
2906         (.o):
2907         * tests/stress/polymorphic-prototype-accesses.js: Added.
2908         (Foo):
2909         (Bar):
2910         (foo):
2911         * tests/stress/prototype-getter.js: Added.
2912         (Foo):
2913         (foo):
2914         * tests/stress/simple-prototype-accesses.js: Added.
2915         (Foo):
2916         (foo):
2917
2918 2014-03-11  Mark Hahnenberg  <mhahnenberg@apple.com>
2919
2920         MarkedBlocks that are "full enough" shouldn't be swept after EdenCollections
2921         https://bugs.webkit.org/show_bug.cgi?id=129920
2922
2923         Reviewed by Geoffrey Garen.
2924
2925         This patch introduces the notion of "retiring" MarkedBlocks. We retire a MarkedBlock
2926         when the amount of free space in a MarkedBlock drops below a certain threshold.
2927         Retired blocks are not considered for sweeping.
2928
2929         This is profitable because it reduces churn during sweeping. To build a free list, 
2930         we have to scan through each cell in a block. After a collection, all objects that 
2931         are live in the block will remain live until the next FullCollection, at which time
2932         we un-retire all previously retired blocks. Thus, a small number of objects in a block
2933         that die during each EdenCollection could cause us to do a disproportionate amount of 
2934         sweeping for how much free memory we get back.
2935
2936         This patch looks like a consistent ~2% progression on boyer and is neutral everywhere else.
2937
2938         * heap/Heap.h:
2939         (JSC::Heap::didRetireBlockWithFreeListSize):
2940         * heap/MarkedAllocator.cpp:
2941         (JSC::MarkedAllocator::tryAllocateHelper):
2942         (JSC::MarkedAllocator::removeBlock):
2943         (JSC::MarkedAllocator::reset):
2944         * heap/MarkedAllocator.h:
2945         (JSC::MarkedAllocator::MarkedAllocator):
2946         (JSC::MarkedAllocator::forEachBlock):
2947         * heap/MarkedBlock.cpp:
2948         (JSC::MarkedBlock::sweepHelper):
2949         (JSC::MarkedBlock::clearMarksWithCollectionType):
2950         (JSC::MarkedBlock::didRetireBlock):
2951         * heap/MarkedBlock.h:
2952         (JSC::MarkedBlock::willRemoveBlock):
2953         (JSC::MarkedBlock::isLive):
2954         * heap/MarkedSpace.cpp:
2955         (JSC::MarkedSpace::clearNewlyAllocated):
2956         (JSC::MarkedSpace::clearMarks):
2957         * runtime/Options.h:
2958
2959 2014-03-11  Andreas Kling  <akling@apple.com>
2960
2961         Streamline PropertyTable for lookup-only access.
2962         <https://webkit.org/b/130060>
2963
2964         The PropertyTable lookup algorithm was written to support both read
2965         and write access. This wasn't actually needed in most places.
2966
2967         This change adds a PropertyTable::get() that just returns the value
2968         type (instead of an insertion iterator.) It also adds an early return
2969         for empty tables.
2970
2971         Finally, up the minimum table capacity from 8 to 16. It was lowered
2972         to 8 in order to save memory, but that was before PropertyTables were
2973         GC allocated. Nowadays we don't have nearly as many tables, since all
2974         the unpinned transitions die off.
2975
2976         Reviewed by Darin Adler.
2977
2978         * runtime/PropertyMapHashTable.h:
2979         (JSC::PropertyTable::get):
2980         * runtime/Structure.cpp:
2981         (JSC::Structure::despecifyDictionaryFunction):
2982         (JSC::Structure::attributeChangeTransition):
2983         (JSC::Structure::get):
2984         (JSC::Structure::despecifyFunction):
2985         * runtime/StructureInlines.h:
2986         (JSC::Structure::get):
2987
2988 2014-03-10  Mark Hahnenberg  <mhahnenberg@apple.com>
2989
2990         REGRESSION(r165407): DoYouEvenBench crashes in DRT
2991         https://bugs.webkit.org/show_bug.cgi?id=130066
2992
2993         Reviewed by Geoffrey Garen.
2994
2995         The baseline JIT does a conditional store barrier for the put_by_id, but we need 
2996         an unconditional store barrier so that we cover the butterfly case as well in emitPutTransitionStub.
2997
2998         * jit/JIT.h:
2999         * jit/JITPropertyAccess.cpp:
3000         (JSC::JIT::emit_op_put_by_id):
3001         (JSC::JIT::emitWriteBarrier):
3002
3003 2014-03-10  Mark Lam  <mark.lam@apple.com>
3004
3005         Resurrect bit-rotted JIT::probe() mechanism.
3006         <https://webkit.org/b/130067>
3007
3008         Reviewed by Geoffrey Garen.
3009
3010         * jit/JITStubs.cpp:
3011         - Added the needed #include <wtf/InlineASM.h>.
3012
3013 2014-03-10  Joseph Pecoraro  <pecoraro@apple.com>
3014
3015         Fix typo in EXCLUDED_SOURCE_FILE_NAMES_iphoneos.
3016
3017         Rubber-stamped by Dan Bernstein.
3018
3019         * Configurations/JavaScriptCore.xcconfig:
3020
3021 2014-03-10  Mark Lam  <mark.lam@apple.com>
3022
3023         r165414 broke the 32-bit x86 tests: ASSERTION FAILED: result != InvalidIndex @ GPRInfo.h:330.
3024         <https://webkit.org/b/130065>
3025
3026         Reviewed by Michael Saboff.
3027
3028         There is code in ScratchRegisterAllocator.cpp that is relying on GPRInfo::toIndex()
3029         being able to return InvalidIndex.  Hence, the assertion is invalid.  Ditto for
3030         FPRInfo::toIndex().
3031
3032         The fix is to remove the "result != InvalidIndex" assertions.
3033
3034         * jit/FPRInfo.h:
3035         (JSC::FPRInfo::toIndex):
3036         * jit/GPRInfo.h:
3037         (JSC::GPRInfo::toIndex):
3038
3039 2014-03-10  Mark Lam  <mark.lam@apple.com>
3040
3041         Crash on a stack overflow on 32-bit x86 in http/tests/websocket/tests/hybi/workers/no-onmessage-in-sync-op.html.
3042         <https://webkit.org/b/129955>
3043
3044         Reviewed by Geoffrey Garen.
3045
3046         The 32-bit x86 version of getHostCallReturnValue() was leaking 16 bytes
3047         stack memory every time it was called.  This is now fixed.
3048
3049         * jit/JITOperations.cpp:
3050
3051 2014-03-10  Joseph Pecoraro  <pecoraro@apple.com>
3052
3053         Better JSContext API for named evaluations (other than //# sourceURL)
3054         https://bugs.webkit.org/show_bug.cgi?id=129911
3055
3056         Reviewed by Geoffrey Garen.
3057
3058         * API/JSBase.h:
3059         * API/JSContext.h:
3060         * API/JSContext.mm:
3061         (-[JSContext evaluateScript:]):
3062         (-[JSContext evaluateScript:withSourceURL:]):
3063         Add new evaluateScript:withSourceURL:.
3064
3065         * API/tests/testapi.c:
3066         (main):
3067         * API/tests/testapi.mm:
3068         (testObjectiveCAPI):
3069         Add tests for sourceURL in evaluate APIs. It should
3070         affect the exception objects.
3071
3072 2014-03-10  Filip Pizlo  <fpizlo@apple.com>
3073
3074         Repatch should save and restore all used registers - not just temp ones - when making a call
3075         https://bugs.webkit.org/show_bug.cgi?id=130041
3076
3077         Reviewed by Geoffrey Garen and Mark Hahnenberg.
3078         
3079         The save/restore code was written back when the only client was the DFG, which only uses a
3080         subset of hardware registers: the "temp" registers in our lingo. But the FTL may use many
3081         other registers, especially on ARM64. The fact that Repatch doesn't know to save those can
3082         lead to data corruption on ARM64. 
3083
3084         * jit/RegisterSet.cpp:
3085         (JSC::RegisterSet::calleeSaveRegisters):
3086         (JSC::RegisterSet::numberOfSetGPRs):
3087         (JSC::RegisterSet::numberOfSetFPRs):
3088         * jit/RegisterSet.h:
3089         * jit/Repatch.cpp:
3090         (JSC::storeToWriteBarrierBuffer):
3091         (JSC::emitPutTransitionStub):
3092         * jit/ScratchRegisterAllocator.cpp:
3093         (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
3094         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
3095         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
3096         (JSC::ScratchRegisterAllocator::usedRegistersForCall):
3097         (JSC::ScratchRegisterAllocator::desiredScratchBufferSizeForCall):
3098         (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
3099         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
3100         * jit/ScratchRegisterAllocator.h:
3101
3102 2014-03-10  Mark Hahnenberg  <mhahnenberg@apple.com>
3103
3104         Remove ConditionalStore barrier
3105         https://bugs.webkit.org/show_bug.cgi?id=130040
3106
3107         Reviewed by Geoffrey Garen.
3108
3109         ConditionalStoreBarrier was created when barriers were much more expensive. Now that 
3110         they're cheap(er), we can get rid of them. This also allows us to get rid of the write 
3111         barrier logic in emitPutTransitionStub because we always will have executed a write barrier 
3112         on the base object in the case where we are allocating and storing a new Butterfly into it. 
3113         Previously, a ConditionalStoreBarrier might or might not have barrier-ed the base object, 
3114         so we'd have to emit a write barrier in the transition case.
3115
3116         This is performance neutral on the benchmarks we track.
3117
3118         * dfg/DFGAbstractInterpreterInlines.h:
3119         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3120         * dfg/DFGClobberize.h:
3121         (JSC::DFG::clobberize):
3122         * dfg/DFGConstantFoldingPhase.cpp:
3123         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3124         (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
3125         * dfg/DFGFixupPhase.cpp:
3126         (JSC::DFG::FixupPhase::fixupNode):
3127         (JSC::DFG::FixupPhase::insertStoreBarrier):
3128         * dfg/DFGNode.h:
3129         (JSC::DFG::Node::isStoreBarrier):
3130         * dfg/DFGNodeType.h:
3131         * dfg/DFGPredictionPropagationPhase.cpp:
3132         (JSC::DFG::PredictionPropagationPhase::propagate):
3133         * dfg/DFGSafeToExecute.h:
3134         (JSC::DFG::safeToExecute):
3135         * dfg/DFGSpeculativeJIT.cpp:
3136         (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
3137         * dfg/DFGSpeculativeJIT32_64.cpp:
3138         (JSC::DFG::SpeculativeJIT::compile):
3139         * dfg/DFGSpeculativeJIT64.cpp:
3140         (JSC::DFG::SpeculativeJIT::compile):
3141         * ftl/FTLCapabilities.cpp:
3142         (JSC::FTL::canCompile):
3143         * ftl/FTLLowerDFGToLLVM.cpp:
3144         (JSC::FTL::LowerDFGToLLVM::compileNode):
3145         * jit/Repatch.cpp:
3146         (JSC::emitPutTransitionStub):
3147
3148 2014-03-10  Filip Pizlo  <fpizlo@apple.com>
3149
3150         DFG and FTL should know that comparing anything to Misc is cheap and easy
3151         https://bugs.webkit.org/show_bug.cgi?id=130001
3152
3153         Reviewed by Geoffrey Garen.
3154         
3155         - Expand CompareStrictEq(Misc:, Misc:) to work for cases where either side of the
3156           comparison is just Untyped:.
3157         
3158         - This obviates the need for CompareStrictEqConstant, so remove it.
3159         
3160         - FTL had a thing called "Nully" which is really "Other". Rename it and add
3161           OtherUse.
3162         
3163         9% speed-up on box2d.
3164
3165         * dfg/DFGAbstractInterpreterInlines.h:
3166         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3167         * dfg/DFGByteCodeParser.cpp:
3168         (JSC::DFG::ByteCodeParser::parseBlock):
3169         * dfg/DFGClobberize.h:
3170         (JSC::DFG::clobberize):
3171         * dfg/DFGFixupPhase.cpp:
3172         (JSC::DFG::FixupPhase::fixupNode):
3173         * dfg/DFGNode.h:
3174         (JSC::DFG::Node::isBinaryUseKind):
3175         (JSC::DFG::Node::shouldSpeculateOther):
3176         * dfg/DFGNodeType.h:
3177         * dfg/DFGPredictionPropagationPhase.cpp:
3178         (JSC::DFG::PredictionPropagationPhase::propagate):
3179         * dfg/DFGSafeToExecute.h:
3180         (JSC::DFG::safeToExecute):
3181         * dfg/DFGSpeculativeJIT.cpp:
3182         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
3183         (JSC::DFG::SpeculativeJIT::compare):
3184         (JSC::DFG::SpeculativeJIT::compileStrictEq):
3185         * dfg/DFGSpeculativeJIT.h:
3186         * dfg/DFGSpeculativeJIT32_64.cpp:
3187         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
3188         (JSC::DFG::SpeculativeJIT::compile):
3189         * dfg/DFGSpeculativeJIT64.cpp:
3190         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
3191         (JSC::DFG::SpeculativeJIT::compile):
3192         * ftl/FTLCapabilities.cpp:
3193         (JSC::FTL::canCompile):
3194         * ftl/FTLLowerDFGToLLVM.cpp:
3195         (JSC::FTL::LowerDFGToLLVM::compileNode):
3196         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
3197         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
3198         (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
3199         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
3200         (JSC::FTL::LowerDFGToLLVM::isNotOther):
3201         (JSC::FTL::LowerDFGToLLVM::isOther):
3202         (JSC::FTL::LowerDFGToLLVM::speculate):
3203         (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
3204         (JSC::FTL::LowerDFGToLLVM::speculateNotCell):
3205         (JSC::FTL::LowerDFGToLLVM::speculateOther):
3206         (JSC::FTL::LowerDFGToLLVM::speculateMisc):
3207         * tests/stress/compare-strict-eq-integer-to-misc.js: Added.
3208
3209 2014-03-10  Filip Pizlo  <fpizlo@apple.com>
3210
3211         Unreviewed, remove unintended change.
3212
3213         * dfg/DFGDriver.cpp:
3214         (JSC::DFG::compileImpl):
3215
3216 2014-03-10  Filip Pizlo  <fpizlo@apple.com>
3217
3218         jsc commandline shouldn't have a "console" because that confuses some tests into thinking
3219         that they're running in the browser.
3220
3221         Rubber stamped by Mark Hahnenberg.
3222
3223         * jsc.cpp:
3224         (GlobalObject::finishCreation):
3225
3226 2014-03-10  Filip Pizlo  <fpizlo@apple.com>
3227
3228         Out-line ScratchRegisterAllocator
3229
3230         Rubber stamped by Mark Hahnenberg.
3231
3232         * CMakeLists.txt:
3233         * GNUmakefile.list.am:
3234         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3235         * JavaScriptCore.xcodeproj/project.pbxproj:
3236         * dfg/DFGDriver.cpp:
3237         (JSC::DFG::compileImpl):
3238         * jit/ScratchRegisterAllocator.cpp: Added.
3239         (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
3240         (JSC::ScratchRegisterAllocator::~ScratchRegisterAllocator):
3241         (JSC::ScratchRegisterAllocator::lock):
3242         (JSC::ScratchRegisterAllocator::allocateScratch):
3243         (JSC::ScratchRegisterAllocator::allocateScratchGPR):
3244         (JSC::ScratchRegisterAllocator::allocateScratchFPR):
3245         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
3246         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
3247         (JSC::ScratchRegisterAllocator::desiredScratchBufferSize):
3248         (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
3249         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
3250         * jit/ScratchRegisterAllocator.h:
3251
3252 2014-03-10  Brent Fulgham  <bfulgham@apple.com>
3253
3254         [Win] Pass environment to Pre-Build, Pre-link, and Post-Build Stages.
3255         https://bugs.webkit.org/show_bug.cgi?id=130023
3256
3257         Reviewed by Dean Jackson.
3258
3259         * JavaScriptCore.vcxproj/JavaScriptCore.proj: Avoid trailing backslashes in
3260         path names to avoid accidental escaping of later string substitutions.
3261
3262 2014-03-10  Andreas Kling  <akling@apple.com>
3263
3264         [X86_64] Smaller code for testb_i8r when register is accumulator.
3265         <https://webkit.org/b/130026>
3266
3267         Generate the shorthand version of "test al, imm" when possible.
3268
3269         Reviewed by Michael Saboff.
3270
3271         * assembler/X86Assembler.h:
3272         (JSC::X86Assembler::testb_i8r):
3273
3274 2014-03-10  Andreas Kling  <akling@apple.com>
3275
3276         [X86_64] Smaller code for sub_ir when register is accumulator.
3277         <https://webkit.org/b/130025>
3278
3279         Generate the shorthand version of "sub eax, imm" when possible.
3280
3281         Reviewed by Michael Saboff.
3282
3283         * assembler/X86Assembler.h:
3284         (JSC::X86Assembler::subl_ir):
3285         (JSC::X86Assembler::subq_ir):
3286
3287 2014-03-10  Andreas Kling  <akling@apple.com>
3288
3289         [X86_64] Smaller code for add_ir when register is accumulator.
3290         <https://webkit.org/b/130024>
3291
3292         Generate the shorthand version of "add eax, imm" when possible.
3293
3294         Reviewed by Michael Saboff.
3295
3296         * assembler/X86Assembler.h:
3297         (JSC::X86Assembler::addl_ir):
3298         (JSC::X86Assembler::addq_ir):
3299
3300 2014-03-10  Mark Hahnenberg  <mhahnenberg@apple.com>
3301
3302         writeBarrier in emitPutReplaceStub is unnecessary
3303         https://bugs.webkit.org/show_bug.cgi?id=130030
3304
3305         Reviewed by Filip Pizlo.
3306
3307         We already emit write barriers for each put-by-id when they're first compiled, so it's 
3308         redundant to emit a write barrier as part of the repatched code.
3309
3310         * jit/Repatch.cpp:
3311         (JSC::emitPutReplaceStub):
3312
3313 2014-03-10  Andreas Kling  <akling@apple.com>
3314
3315         [X86_64] Smaller code for xor_ir when register is accumulator.
3316         <https://webkit.org/b/130008>
3317
3318         Generate the shorthand version of "xor eax, imm" when possible.
3319
3320         Reviewed by Benjamin Poulain.
3321
3322         * assembler/X86Assembler.h:
3323         (JSC::X86Assembler::xorl_ir):
3324         (JSC::X86Assembler::xorq_ir):
3325
3326 2014-03-10  Andreas Kling  <akling@apple.com>
3327
3328         [X86_64] Smaller code for or_ir when register is accumulator.
3329         <https://webkit.org/b/130007>
3330
3331         Generate the shorthand version of "or eax, imm" when possible.
3332
3333         Reviewed by Benjamin Poulain.
3334
3335         * assembler/X86Assembler.h:
3336         (JSC::X86Assembler::orl_ir):
3337         (JSC::X86Assembler::orq_ir):
3338
3339 2014-03-10  Andreas Kling  <akling@apple.com>
3340
3341         [X86_64] Smaller code for test_ir when register is accumulator.
3342         <https://webkit.org/b/130006>
3343
3344         Generate the shorthand version of "test eax, imm" when possible.
3345
3346         Reviewed by Benjamin Poulain.
3347
3348         * assembler/X86Assembler.h:
3349         (JSC::X86Assembler::testl_i32r):
3350         (JSC::X86Assembler::testq_i32r):
3351
3352 2014-03-10  Andreas Kling  <akling@apple.com>
3353
3354         [X86_64] Smaller code for cmp_ir when register is accumulator.
3355         <https://webkit.org/b/130005>
3356
3357         Generate the shorthand version of "cmp eax, imm" when possible.
3358
3359         Reviewed by Benjamin Poulain.
3360
3361         * assembler/X86Assembler.h:
3362         (JSC::X86Assembler::cmpl_ir):
3363         (JSC::X86Assembler::cmpq_ir):
3364
3365 2014-03-10  Andreas Kling  <akling@apple.com>
3366
3367         [X86_64] Smaller code for store64(imm, address) when imm fits in 32 bits.
3368         <https://webkit.org/b/130002>
3369
3370         Generate this:
3371
3372             mov [address], imm32
3373
3374         Instead of this:
3375
3376             mov scratchRegister, imm32
3377             mov [address], scratchRegister
3378
3379         For store64(imm, address) where the 64-bit immediate can be passed as
3380         a sign-extended 32-bit value.
3381
3382         Reviewed by Benjamin Poulain.
3383
3384         * assembler/MacroAssemblerX86_64.h:
3385         (CAN_SIGN_EXTEND_32_64):
3386         (JSC::MacroAssemblerX86_64::store64):
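
The accumulator-shorthand and sign-extended-immediate choices described in the X86Assembler and MacroAssemblerX86_64 entries above, as an added example that is not JavaScriptCore's own code; the register numbering, the [base + disp8] addressing form and the use of r11 as scratch register are assumptions made for this example:

```cpp
// Added example (not JavaScriptCore code): a toy x86-64 encoder making the same
// size-reducing choices as the entries above. Register numbering and the r11
// scratch register are assumptions made for this example.
#include <cstdint>
#include <vector>

enum Reg : uint8_t { RAX = 0, RCX, RDX, RBX, RSP, RBP, RSI, RDI,
                     R8, R9, R10, R11, R12, R13, R14, R15 };
// Group-1 opcode extensions: the /digit in "81 /digit" and "83 /digit".
enum ArithOp : uint8_t { ADD = 0, OR = 1, AND = 4, SUB = 5, XOR = 6, CMP = 7 };
using Bytes = std::vector<uint8_t>;

static void appendImm(Bytes& out, uint64_t value, int bytes)
{
    for (int i = 0; i < bytes; ++i)                  // little-endian immediate
        out.push_back(static_cast<uint8_t>(value >> (8 * i)));
}

// REX prefix (W = 64-bit operand, R/B = extended reg in reg/rm field); emitted
// only when a bit is set, so 32-bit ops on legacy registers stay short.
static void appendRex(Bytes& out, bool w, Reg regField, Reg rmField)
{
    uint8_t rex = 0x40 | (w ? 0x08 : 0) | (regField >= R8 ? 0x04 : 0) | (rmField >= R8 ? 0x01 : 0);
    if (rex != 0x40)
        out.push_back(rex);
}

// ModRM with mod=11 (register direct); 'ext' is a register or an opcode extension.
static uint8_t modrmReg(uint8_t ext, Reg rm) { return 0xC0 | ((ext & 7) << 3) | (rm & 7); }

// add/or/and/sub/xor/cmp reg, imm: choose the shortest legal encoding.
Bytes encodeArithImm(ArithOp op, Reg reg, int32_t imm, bool is64)
{
    Bytes out;
    appendRex(out, is64, RAX, reg);                  // reg field holds the extension, not a register
    if (imm >= -128 && imm <= 127) {
        out.push_back(0x83);                         // "83 /op ib": sign-extended imm8, 3 bytes
        out.push_back(modrmReg(op, reg));
        appendImm(out, static_cast<uint8_t>(imm), 1);
    } else if (reg == RAX) {
        out.push_back(static_cast<uint8_t>(0x05 + (op << 3)));   // accumulator form: no ModRM byte
        appendImm(out, static_cast<uint32_t>(imm), 4);
    } else {
        out.push_back(0x81);                         // general "81 /op id"
        out.push_back(modrmReg(op, reg));
        appendImm(out, static_cast<uint32_t>(imm), 4);
    }
    return out;
}

bool canSignExtend32To64(int64_t v) { return v >= INT32_MIN && v <= INT32_MAX; }

// mov qword [base + disp8], imm64 (base must not be RSP/R12, which need a SIB byte).
// A value that survives sign extension from 32 bits takes one "REX.W C7 /0 disp8 imm32";
// otherwise load it into the scratch register (r11, assumed) and store that.
Bytes encodeStore64Imm(int64_t imm, Reg base, int8_t disp8)
{
    Bytes out;
    if (canSignExtend32To64(imm)) {
        appendRex(out, true, RAX, base);
        out.push_back(0xC7);
        out.push_back(0x40 | (base & 7));            // mod=01 (disp8), reg=/0
        appendImm(out, static_cast<uint8_t>(disp8), 1);
        appendImm(out, static_cast<uint32_t>(imm), 4);
        return out;
    }
    const Reg scratch = R11;
    appendRex(out, true, RAX, scratch);              // movabs r11, imm64: REX.W+B B8+r imm64
    out.push_back(0xB8 | (scratch & 7));
    appendImm(out, static_cast<uint64_t>(imm), 8);
    appendRex(out, true, scratch, base);             // mov [base+disp8], r11: REX.W+R 89 /r
    out.push_back(0x89);
    out.push_back(0x40 | ((scratch & 7) << 3) | (base & 7));
    appendImm(out, static_cast<uint8_t>(disp8), 1);
    return out;
}
```

The fits-in-imm32 store is 8 bytes against 14 for the movabs-plus-store fallback, and the accumulator form saves the ModRM byte whenever the immediate does not already fit the imm8 form.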
3387
3388 2014-03-10  Andreas Kling  <akling@apple.com>
3389
3390         [X86_64] Smaller code for xchg_rr when one register is accumulator.
3391         <https://webkit.org/b/130004>
3392
3393         Generate the 1-byte version of "xchg eax, reg" when possible.
3394
3395         Reviewed by Benjamin Poulain.
3396
3397         * assembler/X86Assembler.h:
3398         (JSC::X86Assembler::xchgl_rr):
3399         (JSC::X86Assembler::xchgq_rr):
3400
3401 2014-03-09  Filip Pizlo  <fpizlo@apple.com>
3402
3403         GPRInfo::toIndex should return InvalidIndex for non-temp registers on ARM64
3404         https://bugs.webkit.org/show_bug.cgi?id=129998
3405
3406         Reviewed by Geoffrey Garen.
3407         
3408         Not only is that the established contract, but this is used to signal to
3409         ScratchRegisterAllocator that the register doesn't need locking since it isn't a register
3410         that this allocator would use. In the FTL, we may have an inline cache where LLVM had used
3411         some non-temp register (i.e. a register that JSC itself wouldn't have used). This is totally
3412         fine but previously it would have led to either an assertion failure, or data corruption, in
3413         the ScratchRegisterAllocator.
3414
3415         * jit/GPRInfo.h:
3416         (JSC::GPRInfo::toIndex):
3417
3418 2014-03-09  Filip Pizlo  <fpizlo@apple.com>
3419
3420         FTL fails the new equals-masquerader strictEqualConstant test
3421         https://bugs.webkit.org/show_bug.cgi?id=129996
3422