Get rid of JSNameScope::m_type
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-02-20  Filip Pizlo  <fpizlo@apple.com>

        Get rid of JSNameScope::m_type
        https://bugs.webkit.org/show_bug.cgi?id=141851

        Reviewed by Geoffrey Garen.

        This is a big step towards getting rid of JSEnvironmentRecord::m_registers. To do it we need
        to ensure that subclasses of JSEnvironmentRecord never have additional C++ fields, so that
        JSEnvironmentRecord can always place "registers" right after the end of itself.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::isCatchScope):
        (JSC::DebuggerScope::isFunctionNameScope):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/JSCatchScope.cpp: Added.
        * runtime/JSCatchScope.h: Added.
        (JSC::JSCatchScope::JSCatchScope):
        (JSC::JSCatchScope::create):
        (JSC::JSCatchScope::createStructure):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::addNameScopeIfNeeded):
        * runtime/JSFunctionNameScope.cpp: Added.
        * runtime/JSFunctionNameScope.h: Added.
        (JSC::JSFunctionNameScope::JSFunctionNameScope):
        (JSC::JSFunctionNameScope::create):
        (JSC::JSFunctionNameScope::createStructure):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::catchScopeStructure):
        (JSC::JSGlobalObject::functionNameScopeStructure):
        (JSC::JSGlobalObject::nameScopeStructure): Deleted.
        * runtime/JSNameScope.cpp:
        (JSC::JSNameScope::create):
        * runtime/JSNameScope.h:
        (JSC::JSNameScope::create):
        (JSC::JSNameScope::JSNameScope):
        (JSC::JSNameScope::createStructure): Deleted.
        (JSC::JSNameScope::isFunctionNameScope): Deleted.
        (JSC::JSNameScope::isCatchScope): Deleted.
        * runtime/JSObject.cpp:
        (JSC::JSObject::isCatchScopeObject):
        (JSC::JSObject::isFunctionNameScopeObject):
        * runtime/JSObject.h:

2015-02-20  Mark Lam  <mark.lam@apple.com>

        [JSObjCClassInfo reallocateConstructorAndOrPrototype] should also reallocate super class prototype chain.
        <https://webkit.org/b/141809>

        Reviewed by Geoffrey Garen.

        An ObjC class that implements the JSExport protocol will have a JS prototype
        chain and constructor automatically synthesized for its JS wrapper object.
        However, if there are no more instances of that ObjC class reachable by a
        JS GC root scan, then its synthesized prototype chain and constructors may
        be released by the GC.  If a new instance of that ObjC class is subsequently
        instantiated, then [JSObjCClassInfo reallocateConstructorAndOrPrototype]
        should re-construct the prototype chain and constructor (if they were
        previously released).  However, the current implementation only
        re-constructs the immediate prototype, but not every other prototype
        object upstream in the prototype chain.

        To fix this, we do the following:
        1. We no longer allocate the JSObjCClassInfo's prototype and constructor
           eagerly.  Hence, -initWithContext:forClass: will no longer call
           -allocateConstructorAndPrototypeWithSuperClassInfo:.
        2. Instead, we'll always access the prototype and constructor through
           accessor methods.  The accessor methods will call
           -allocateConstructorAndPrototype: if needed.
        3. -allocateConstructorAndPrototype: will fetch the needed superClassInfo
           from the JSWrapperMap itself.  This makes it so that we no longer
           need to pass the superClassInfo all over.
        4. -allocateConstructorAndPrototype: will get the super class prototype
           by invoking -prototype: on the superClassInfo, thereby allowing the
           super class to allocate its prototype and constructor if needed and
           fixing the issue in this bug.

        5. Also removed the GC warning comments, and ensured that needed JS
           objects are kept alive by having a local var pointing to them from the
           stack (which makes a GC root).

        * API/JSWrapperMap.mm:
        (-[JSObjCClassInfo initWithContext:forClass:]):
        (-[JSObjCClassInfo allocateConstructorAndPrototype]):
        (-[JSObjCClassInfo wrapperForObject:]):
        (-[JSObjCClassInfo constructor]):
        (-[JSObjCClassInfo prototype]):
        (-[JSWrapperMap classInfoForClass:]):
        (-[JSObjCClassInfo initWithContext:forClass:superClassInfo:]): Deleted.
        (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]): Deleted.
        (-[JSObjCClassInfo reallocateConstructorAndOrPrototype]): Deleted.
        * API/tests/Regress141809.h: Added.
        * API/tests/Regress141809.mm: Added.
        (-[TestClassB name]):
        (-[TestClassC name]):
        (runRegress141809):
        * API/tests/testapi.mm:
        * JavaScriptCore.xcodeproj/project.pbxproj:

2015-02-20  Alexey Proskuryakov  <ap@apple.com>

        Remove svn:keywords property.

        As far as I can tell, the property had no effect on any of these files, but also,
        when it has effect it's likely harmful.

        * builtins/ArrayConstructor.js: Removed property svn:keywords.

2015-02-20  Michael Saboff  <msaboff@apple.com>

        DFG JIT needs to check for stack overflow at the start of Program and Eval execution
        https://bugs.webkit.org/show_bug.cgi?id=141676

        Reviewed by Filip Pizlo.

        Added stack check to the beginning of the code the DFG compiler emits for Program and Eval nodes.
        To aid in testing the code, I replaced the EvalCodeCache::maxCacheableSourceLength const
        with an option in runtime/Options.h.  The test script, run-jsc-stress-tests, sets that option
        to a huge value when running with the "Eager" options.  This allows the updated test to
        reliably exercise the code in question.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compile):
        Added stack check.

        * bytecode/EvalCodeCache.h:
        (JSC::EvalCodeCache::tryGet):
        (JSC::EvalCodeCache::getSlow):
        * runtime/Options.h:
        Replaced EvalCodeCache::maxCacheableSourceLength with Options::maximumEvalCacheableSourceLength
        so that it can be configured when running the related test.

2015-02-20  Eric Carlson  <eric.carlson@apple.com>

        [iOS] cleanup AirPlay code
        https://bugs.webkit.org/show_bug.cgi?id=141811

        Reviewed by Jer Noble.

        * Configurations/FeatureDefines.xcconfig: IOS_AIRPLAY -> WIRELESS_PLAYBACK_TARGET.

2015-02-19  Dean Jackson  <dino@apple.com>

        ES6: Implement Array.from()
        https://bugs.webkit.org/show_bug.cgi?id=141054
        <rdar://problem/19654521>

        Reviewed by Filip Pizlo.

        Implement the Array.from() ES6 method
        as defined in Section 22.1.2.1 of the specification.

        Given that we can't rely on the built-in
        global functions or objects to be untainted,
        I had to expose a few of them directly to
        the function via private names. In particular:
        - Math.floor -> @floor
        - Math.abs -> @abs
        - Number -> @Number
        - Array -> @Array
        - isFinite -> @isFinite

        * builtins/ArrayConstructor.js: Added.
        (from): Implementation of Array.from in JavaScript.
        * runtime/ArrayConstructor.cpp: Add "from" to the lookup
        table for the constructor object.
        * runtime/CommonIdentifiers.h: Add the private versions
        of the identifiers listed above.
        * runtime/JSGlobalObject.cpp: Add the implementations of
        those identifiers to the global object (using their
        private names).
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalPrivateFuncAbs): Implementation of the abs function.
        (JSC::globalPrivateFuncFloor): Implementation of the floor function.
        * runtime/JSGlobalObjectFunctions.h:

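        The entry above gives the reason JSC's self-hosted Array.from reaches Math.floor, Math.abs, Number and isFinite through private names (@floor, @abs, @Number, @isFinite) instead of the globals: any script can overwrite those globals, and a builtin that looks them up at call time would then follow the override. The following is an added example, not code from WebKit or JavaScriptCore, that shows the hazard in plain JavaScript. JSC's private-name mechanism is emulated here by capturing the original functions once at definition time; the helper names (toLength, arrayFromWith, arrayFromTainted, arrayFromHardened, demonstrate) and the array-like input are constructed for the example.

```javascript
// Added example (not WebKit/JavaScriptCore code): a builtin written in
// JavaScript must not depend on user-reachable globals at call time.
// JSC's @floor/@abs/@Number/@isFinite private names are emulated by
// capturing the originals here, before any other script can run.
const savedFloor = Math.floor;
const savedAbs = Math.abs;
const savedNumber = Number;
const savedIsFinite = isFinite;

// ToLength (ES6 7.1.15): ToInteger clamped to [0, 2^53 - 1], built on the
// floor/abs/Number/isFinite implementations the caller passes in.
function toLength(value, num, floor, abs, finite) {
  const MAX_SAFE = 9007199254740991; // 2^53 - 1
  let n = num(value);
  if (n !== n || n <= 0) return 0;   // NaN, -0 and negatives become 0
  if (!finite(n)) return MAX_SAFE;   // +Infinity clamps to the maximum
  n = floor(abs(n));
  return n > MAX_SAFE ? MAX_SAFE : n;
}

// Array.from for array-like sources (the iterable branch of the real
// method is omitted; it does not involve the helpers under discussion).
// The helpers are parameters so both variants below share one body.
function arrayFromWith(items, num, floor, abs, finite) {
  const source = Object(items);
  const len = toLength(source.length, num, floor, abs, finite);
  const result = new Array(len);
  for (let k = 0; k < len; k++) result[k] = source[k];
  return result;
}

// Naive variant: resolves Math.floor etc. through the global object on
// every call, so an overwritten Math.floor changes its behaviour.
function arrayFromTainted(items) {
  return arrayFromWith(
    items,
    (v) => Number(v),
    (x) => Math.floor(x),
    (x) => Math.abs(x),
    (x) => isFinite(x)
  );
}

// Hardened variant: uses the references captured at definition time, the
// same idea as JSC's private names.
function arrayFromHardened(items) {
  return arrayFromWith(items, savedNumber, savedFloor, savedAbs, savedIsFinite);
}

// Runs both variants while Math.floor has been replaced by another script,
// then restores it. The constructed array-like has a fractional length, so
// floor() decides how many elements are copied. Returns the two lengths.
function demonstrate() {
  const arrayLike = { length: 2.7, 0: "a", 1: "b", 2: "c", 3: "d" }; // constructed input
  const originalFloor = Math.floor;
  Math.floor = function () { return 4; }; // buggy or hostile override
  try {
    return {
      tainted: arrayFromTainted(arrayLike).length,   // 4: follows the override
      hardened: arrayFromHardened(arrayLike).length, // 2: ToLength(2.7)
    };
  } finally {
    Math.floor = originalFloor;
  }
}
```

        Running demonstrate() returns { tainted: 4, hardened: 2 }: the naive variant copies the out-of-range element 3 because it trusted the replaced Math.floor, while the hardened variant is unaffected. The captured references only help if the capture happens before untrusted script runs, which is exactly what the engine-level private names guarantee and a userland shim cannot.
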
2015-02-19  Benjamin Poulain  <bpoulain@apple.com>

        Refine the FTL part of ArithPow
        https://bugs.webkit.org/show_bug.cgi?id=141792

        Reviewed by Filip Pizlo.

        This patch refines the FTL lowering of ArithPow. This was left out
        of the original patch to keep it simpler.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileArithPow):
        Two improvements here:
        1) Do not generate the NaN check unless we know the exponent might be a NaN.
        2) Use one BasicBlock per check with the appropriate weight. Now that we have
           one branch per test, move the Infinity check before the check for 1 since
           it is the less common case.

        * tests/stress/math-pow-becomes-custom-function.js: Added.
        Test for changing the Math.pow() function after it has been optimized.

        * tests/stress/math-pow-nan-behaviors.js:
        The previous tests were only going as far as the DFGAbstractInterpreter
        where the operations were replaced by the equivalent constant.

        I duplicated the test functions to also test the dynamic behavior of DFG
        and FTL.

        * tests/stress/math-pow-with-constants.js:
        Add cases covering exponent constants. LLVM removes many value
        checks for those.

        * tests/stress/math-pow-with-never-NaN-exponent.js: Added.
        Test for the new optimization removing the NaN check.

2015-02-19  Csaba Osztrogonác  <ossy@webkit.org>

        REGRESSION(r180279): It broke 20 tests on ARM Linux
        https://bugs.webkit.org/show_bug.cgi?id=141771

        Reviewed by Filip Pizlo.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation): Align 64-bit values to respect ARM EABI.

2015-02-18  Benjamin Poulain  <bpoulain@apple.com>

        Remove BytecodeGenerator's numberMap, it is dead code
        https://bugs.webkit.org/show_bug.cgi?id=141779

        Reviewed by Filip Pizlo.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitLoad): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        The JSValueMap seems better in every way.

        The emitLoad() taking a double was the only way to use numberMap
        and that code has no caller.

2015-02-18  Michael Saboff  <msaboff@apple.com>

        Rollout r180247 & r180249 from trunk
        https://bugs.webkit.org/show_bug.cgi?id=141773

        Reviewed by Filip Pizlo.

        These changes make sense to fix the crash reported in https://bugs.webkit.org/show_bug.cgi?id=141730
        only for branches.  The change to fail the FTL compile but continue running is not comprehensive
        enough for general use on trunk.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::lower):
        (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
        (JSC::FTL::LowerDFGToLLVM::compilePhi):
        (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
        (JSC::FTL::LowerDFGToLLVM::compileValueRep):
        (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
        (JSC::FTL::LowerDFGToLLVM::compilePutLocal):
        (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
        (JSC::FTL::LowerDFGToLLVM::compileArithMul):
        (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
        (JSC::FTL::LowerDFGToLLVM::compileArithMod):
        (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
        (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
        (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
        (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
        (JSC::FTL::LowerDFGToLLVM::compileGetById):
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
        (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
        (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
        (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
        (JSC::FTL::LowerDFGToLLVM::compileNewArray):
        (JSC::FTL::LowerDFGToLLVM::compileToString):
        (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::compileSwitch):
        (JSC::FTL::LowerDFGToLLVM::compare):
        (JSC::FTL::LowerDFGToLLVM::boolify):
        (JSC::FTL::LowerDFGToLLVM::opposite):
        (JSC::FTL::LowerDFGToLLVM::lowJSValue):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::isArrayType):
        (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
        (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
        (JSC::FTL::LowerDFGToLLVM::setInt52):
        (JSC::FTL::lowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::loweringFailed): Deleted.
        * ftl/FTLLowerDFGToLLVM.h:

2015-02-18  Filip Pizlo  <fpizlo@apple.com>

        DFG should really support varargs
        https://bugs.webkit.org/show_bug.cgi?id=141332

        Reviewed by Oliver Hunt.

        This adds comprehensive vararg call support to the DFG and FTL compilers. Previously, if a
        function had a varargs call, then it could only be compiled if that varargs call was just
        forwarding arguments and we were inlining the function rather than compiling it directly. Also,
        only varargs calls were dealt with; varargs constructs were not.

        This lifts all of those restrictions. Every varargs call or construct can now be compiled by both
        the DFG and the FTL. Those calls can also be inlined, too - provided that profiling gives us a
        sensible bound on arguments list length. When we inline a varargs call, the act of loading the
        varargs is now made explicit in IR. I believe that we have enough IR machinery in place that we
        would be able to do the arguments forwarding optimization as an IR transformation. This patch
        doesn't implement that yet, and keeps the old bytecode-based varargs argument forwarding
        optimization for now.

        There are three major IR features introduced in this patch:

        CallVarargs/ConstructVarargs: these are like Call/Construct except that they take an arguments
        array rather than a list of arguments. Currently, they splat this arguments array onto the stack
        using the same basic technique as the baseline JIT has always done. Except, these nodes indicate
        that we are not interested in doing the non-escaping "arguments" optimization.

        CallForwardVarargs: this is a form of CallVarargs that just does the non-escaping "arguments"
        optimization, aka forwarding arguments. It's somewhat lazy that this doesn't include
        ConstructForwardVarargs, but the reason is that once we eliminate the lazy tear-off for
        arguments, this whole thing will have to be tweaked - and for now forwarding on construct is just
        not important in benchmarks. ConstructVarargs will still do forwarding, just not inlined.

        LoadVarargs: loads all elements out of an array onto the stack in a manner suitable for a varargs
        call. This is used only when a varargs call (or construct) was inlined. The bytecode parser will
        make room on the stack for the arguments, and will use LoadVarargs to put those arguments into
        place.

        In the future, we can consider adding strength reductions like:

        - If CallVarargs/ConstructVarargs see an array of known size with known elements, turn them into
          Call/Construct.

        - If CallVarargs/ConstructVarargs are passed an unmodified, unescaped Arguments object, then
          turn them into CallForwardVarargs/ConstructForwardVarargs.

        - If LoadVarargs sees an array of known size, then turn it into a sequence of GetByVals and
          PutLocals.

        - If LoadVarargs sees an unmodified, unescaped Arguments object, then turn it into something like
          LoadForwardVarargs.

        - If CallVarargs/ConstructVarargs/LoadVarargs see the result of a splice (or other Array
          prototype function), then do the splice and varargs loading in one go (maybe via a new node
          type).

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::rshiftPtr):
        (JSC::MacroAssembler::urshiftPtr):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::urshift64):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::urshift64):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::shrq_i8r):
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::CallLinkInfo):
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):
        (JSC::CallLinkStatus::setProvenConstantCallee):
        (JSC::CallLinkStatus::dump):
        * bytecode/CallLinkStatus.h:
        (JSC::CallLinkStatus::maxNumArguments):
        (JSC::CallLinkStatus::setIsProved): Deleted.
        * bytecode/CodeOrigin.cpp:
        (WTF::printInternal):
        * bytecode/CodeOrigin.h:
        (JSC::InlineCallFrame::varargsKindFor):
        (JSC::InlineCallFrame::specializationKindFor):
        (JSC::InlineCallFrame::isVarargs):
        (JSC::InlineCallFrame::isNormalCall): Deleted.
        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        * bytecode/ExitKind.h:
        * bytecode/ValueRecovery.cpp:
        (JSC::ValueRecovery::dumpInContext):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::flush):
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleVarargsCall):
        (JSC::DFG::ByteCodeParser::emitFunctionChecks):
        (JSC::DFG::ByteCodeParser::inliningCost):
        (JSC::DFG::ByteCodeParser::inlineCall):
        (JSC::DFG::ByteCodeParser::attemptToInlineCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::handleMinMax):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::removeLastNodeFromGraph): Deleted.
        (JSC::DFG::ByteCodeParser::undoFunctionChecks): Deleted.
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::functionCapabilityLevel):
        (JSC::DFG::mightCompileFunctionFor):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.cpp:
        (WTF::printInternal):
        * dfg/DFGCommon.h:
        (JSC::DFG::canInline):
        (JSC::DFG::leastUpperBound):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::dumpBlockHeader):
        (JSC::DFG::Graph::isLiveInBytecode):
        (JSC::DFG::Graph::valueProfileFor):
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::valueProfileFor): Deleted.
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor): Deleted.
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGMayExit.cpp:
        (JSC::DFG::mayExit):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasCallVarargsData):
        (JSC::DFG::Node::callVarargsData):
        (JSC::DFG::Node::hasLoadVarargsData):
        (JSC::DFG::Node::loadVarargsData):
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::dumpAndVerifyGraph):
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPreciseLocalClobberize.h:
        (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSSAConversionPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::isFlushed):
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):
        (JSC::DFG::StackLayoutPhase::assign):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::run):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validateCPS):
        * ftl/FTLAbbreviations.h:
        (JSC::FTL::functionType):
        (JSC::FTL::buildCall):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLInlineCacheSize.cpp:
        (JSC::FTL::sizeOfCall):
        (JSC::FTL::sizeOfCallVarargs):
        (JSC::FTL::sizeOfCallForwardVarargs):
        (JSC::FTL::sizeOfConstructVarargs):
        (JSC::FTL::sizeOfIn):
        (JSC::FTL::sizeOfICFor):
        (JSC::FTL::sizeOfCheckIn): Deleted.
        * ftl/FTLInlineCacheSize.h:
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLJSCall.cpp:
        (JSC::FTL::JSCall::JSCall):
        * ftl/FTLJSCallBase.cpp:
        * ftl/FTLJSCallBase.h:
        * ftl/FTLJSCallVarargs.cpp: Added.
        (JSC::FTL::JSCallVarargs::JSCallVarargs):
        (JSC::FTL::JSCallVarargs::numSpillSlotsNeeded):
        (JSC::FTL::JSCallVarargs::emit):
        (JSC::FTL::JSCallVarargs::link):
        * ftl/FTLJSCallVarargs.h: Added.
        (JSC::FTL::JSCallVarargs::node):
        (JSC::FTL::JSCallVarargs::stackmapID):
        (JSC::FTL::JSCallVarargs::operator<):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
        (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):
        (JSC::FTL::LowerDFGToLLVM::compileLoadVarargs):
        (JSC::FTL::LowerDFGToLLVM::compileIn):
        (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
        (JSC::FTL::LowerDFGToLLVM::vmCall):
        (JSC::FTL::LowerDFGToLLVM::vmCallNoExceptions):
        (JSC::FTL::LowerDFGToLLVM::callCheck):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::call):
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State):
        * ftl/FTLState.h:
        * interpreter/Interpreter.cpp:
        (JSC::sizeOfVarargs):
        (JSC::sizeFrameForVarargs):
        * interpreter/Interpreter.h:
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::readInlinedFrame):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitExceptionCheck):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::addressFor):
        (JSC::AssemblyHelpers::calleeFrameSlot):
        (JSC::AssemblyHelpers::calleeArgumentSlot):
        (JSC::AssemblyHelpers::calleeFrameTagSlot):
        (JSC::AssemblyHelpers::calleeFramePayloadSlot):
        (JSC::AssemblyHelpers::calleeArgumentTagSlot):
        (JSC::AssemblyHelpers::calleeArgumentPayloadSlot):
        (JSC::AssemblyHelpers::calleeFrameCallerFrame):
        (JSC::AssemblyHelpers::selectScratchGPR):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/GPRInfo.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileSetupVarargsFrame):
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileSetupVarargsFrame):
        (JSC::JIT::compileOpCall):
        * jit/JITOperations.h:
        * jit/SetupVarargsFrame.cpp:
        (JSC::emitSetupVarargsFrameFastCase):
        * jit/SetupVarargsFrame.h:
        * runtime/Arguments.h:
        (JSC::Arguments::create):
        (JSC::Arguments::registerArraySizeInBytes):
        (JSC::Arguments::finishCreation):
        * runtime/Options.h:
        * tests/stress/construct-varargs-inline-smaller-Foo.js: Added.
        (Foo):
        (bar):
        (checkEqual):
        (test):
        * tests/stress/construct-varargs-inline.js: Added.
        (Foo):
        (bar):
        (checkEqual):
        (test):
        * tests/stress/construct-varargs-no-inline.js: Added.
        (Foo):
        (bar):
        (checkEqual):
        (test):
        * tests/stress/get-argument-by-val-in-inlined-varargs-call-out-of-bounds.js: Added.
        (foo):
        (bar):
        * tests/stress/get-argument-by-val-safe-in-inlined-varargs-call-out-of-bounds.js: Added.
        (foo):
        (bar):
        * tests/stress/get-my-argument-by-val-creates-arguments.js: Added.
        (blah):
        (foo):
        (bar):
        (checkEqual):
        (test):
        * tests/stress/load-varargs-then-inlined-call-exit-in-foo.js: Added.
        (foo):
        (bar):
        (checkEqual):
        * tests/stress/load-varargs-then-inlined-call-inlined.js: Added.
        (foo):
        (bar):
        (baz):
        (checkEqual):
        (test):
        * tests/stress/load-varargs-then-inlined-call.js: Added.
        (foo):
        (bar):
        (checkEqual):
        (test):

2015-02-17  Michael Saboff  <msaboff@apple.com>

        Unreviewed, Restoring the C LOOP insta-crash fix in r180184.

        Fixed a typo that only affected the C Loop in the prologue() macro in LowLevelInterpreter.asm.
        After the stackHeightOKGetCodeBlock label, codeBlockSetter(t1) should be codeBlockGetter(t1).

        * llint/LowLevelInterpreter.asm: Fixed a typo.

2015-02-18  Csaba Osztrogonác  <ossy@webkit.org>

        URTBF after r180258 to fix Windows build.

        * runtime/MathCommon.cpp:
        (JSC::mathPowInternal):

2015-02-18  Joseph Pecoraro  <pecoraro@apple.com>

        REGRESSION(r180235): It broke the !ENABLE(PROMISES) build
        https://bugs.webkit.org/show_bug.cgi?id=141746

        Unreviewed build fix.

        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::getInternalProperties):
        Wrap JSPromise related code in ENABLE(PROMISES) guard.

2015-02-18  Benjamin Poulain  <benjamin@webkit.org>

        Fix the C-Loop LLInt build
        https://bugs.webkit.org/show_bug.cgi?id=141618

        Reviewed by Filip Pizlo.

        I broke C-Loop when moving the common code of pow()
        to JITOperations because that file is #ifdefed out
        when the JITs are disabled.

        It would be weird to move it back to MathObject since
        the function needs to know about the calling conventions.

        To avoid making a mess, I just gave the function its own file
        that is used by both the runtime and the JIT.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreterInlines.h:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * runtime/MathCommon.cpp: Added.
        (JSC::fdlibmScalbn):
        (JSC::fdlibmPow):
        (JSC::isDenormal):
        (JSC::isEdgeCase):
        (JSC::mathPowInternal):
        (JSC::operationMathPow):
        * runtime/MathCommon.h: Added.
        * runtime/MathObject.cpp:

678 2015-02-17  Benjamin Poulain  <bpoulain@apple.com>
679
680         Clean up OSRExit's considerAddingAsFrequentExitSite()
681         https://bugs.webkit.org/show_bug.cgi?id=141690
682
683         Reviewed by Anders Carlsson.
684
685         Looks like some code was removed from CodeBlock::tallyFrequentExitSites()
686         and the OSRExit were left untouched.
687
688         This patch cleans up the two loops and removes the boolean return
689         on considerAddingAsFrequentExitSite().
690
691         * bytecode/CodeBlock.cpp:
692         (JSC::CodeBlock::tallyFrequentExitSites):
693         * dfg/DFGOSRExit.h:
694         (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
695         * dfg/DFGOSRExitBase.cpp:
696         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
697         * dfg/DFGOSRExitBase.h:
698         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSite):
699         * ftl/FTLOSRExit.h:
700         (JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
701
702 2015-02-17  Alexey Proskuryakov  <ap@apple.com>
703
704         Debug build fix after r180247.
705
706         * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::loweringFailed):
707
708 2015-02-17  Commit Queue  <commit-queue@webkit.org>
709
710         Unreviewed, rolling out r180184.
711         https://bugs.webkit.org/show_bug.cgi?id=141733
712
713         Caused infinite recursion on js/function-apply-aliased.html
714         (Requested by ap_ on #webkit).
715
716         Reverted changeset:
717
718         "REGRESSION(r180060): C Loop crashes"
719         https://bugs.webkit.org/show_bug.cgi?id=141671
720         http://trac.webkit.org/changeset/180184
721
722 2015-02-17  Michael Saboff  <msaboff@apple.com>
723
724         CrashTracer: DFG_CRASH beneath JSC::FTL::LowerDFGToLLVM::compileNode
725         https://bugs.webkit.org/show_bug.cgi?id=141730
726
727         Reviewed by Geoffrey Garen.
728
729         Added a new failure handler, loweringFailed(), to LowerDFGToLLVM that reports failures
730         while processing DFG lowering.  For debug builds, the failures are logged identically
731         to the way the DFG_CRASH() reports them.  For release builds, the failures are reported
732         and that FTL compilation is terminated, but the process is allowed to continue.
733         Wrapped calls to loweringFailed() in a macro LOWERING_FAILED so the function and
734         line number are reported at the point of the inconsistency.
735
736         Converted instances of DFG_CRASH to LOWERING_FAILED.
737
738         * dfg/DFGPlan.cpp:
739         (JSC::DFG::Plan::compileInThreadImpl): Added lowerDFGToLLVM() failure check that
740         will fail the FTL compile.
741
742         * ftl/FTLLowerDFGToLLVM.cpp:
743         (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
744         Added new member variable, m_loweringSucceeded, to stop compilation on the first
745         reported failure.
746
747         * ftl/FTLLowerDFGToLLVM.cpp:
748         (JSC::FTL::LowerDFGToLLVM::lower):
749         * ftl/FTLLowerDFGToLLVM.h:
750         Added check for compilation failures and now report those failures via a boolean
751         return value.
752
753         * ftl/FTLLowerDFGToLLVM.cpp:
754         (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
755         (JSC::FTL::LowerDFGToLLVM::compileNode):
756         (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
757         (JSC::FTL::LowerDFGToLLVM::compilePhi):
758         (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
759         (JSC::FTL::LowerDFGToLLVM::compileValueRep):
760         (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
761         (JSC::FTL::LowerDFGToLLVM::compilePutLocal):
762         (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
763         (JSC::FTL::LowerDFGToLLVM::compileArithMul):
764         (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
765         (JSC::FTL::LowerDFGToLLVM::compileArithMod):
766         (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
767         (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
768         (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
769         (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
770         (JSC::FTL::LowerDFGToLLVM::compileGetById):
771         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
772         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
773         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
774         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
775         (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
776         (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
777         (JSC::FTL::LowerDFGToLLVM::compileNewArray):
778         (JSC::FTL::LowerDFGToLLVM::compileToString):
779         (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
780         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
781         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
782         (JSC::FTL::LowerDFGToLLVM::compileSwitch):
783         (JSC::FTL::LowerDFGToLLVM::compare):
784         (JSC::FTL::LowerDFGToLLVM::boolify):
785         (JSC::FTL::LowerDFGToLLVM::opposite):
786         (JSC::FTL::LowerDFGToLLVM::lowJSValue):
787         (JSC::FTL::LowerDFGToLLVM::speculate):
788         (JSC::FTL::LowerDFGToLLVM::isArrayType):
789         (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
790         (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
791         (JSC::FTL::LowerDFGToLLVM::setInt52):
792         Changed DFG_CRASH() to LOWERING_FAILED().  Updated related control flow as appropriate.
793
794         (JSC::FTL::LowerDFGToLLVM::loweringFailed): New error reporting member function.
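The report-and-fail pattern this entry describes, as an added illustration in C++ that is not JSC's code: a hypothetical `Lowering` class with a `m_loweringSucceeded` flag, a `loweringFailed()` member that records the first failure, and a `LOWERING_FAILED` macro that passes `__func__` and `__LINE__` so the report names the function and line of the inconsistency. The `Node` struct, the opcodes and the `abortOnFailure` switch (standing in for the debug-versus-release policy) are assumptions made for the example; the caller, like the `Plan::compileInThreadImpl` check the entry mentions, uses the boolean result of `lower()` to fail the compile rather than the process.

```cpp
#include <cstdio>
#include <cstdlib>
#include <string>
#include <vector>

// Hypothetical stand-in for a DFG node: an opcode name and its operand count.
struct Node {
    const char* opcode;
    int numChildren;
};

// Hypothetical lowering pass. It keeps the first failure it sees and lets the
// caller fail the whole compile instead of crashing the process.
class Lowering {
public:
    explicit Lowering(bool abortOnFailure = false)
        : m_abortOnFailure(abortOnFailure) { }

    // Lowers every node; stops at the first failure and returns false.
    bool lower(const std::vector<Node>& nodes);

    bool succeeded() const { return m_loweringSucceeded; }
    const std::string& failureMessage() const { return m_failureMessage; }

    // Records the failure site. Called through LOWERING_FAILED so the
    // report carries the function name and line of the inconsistency.
    void loweringFailed(const char* reason, const char* function, int line);

private:
    bool compileNode(const Node&);

    bool m_loweringSucceeded = true;
    bool m_abortOnFailure;
    std::string m_failureMessage;
};

// __func__ and __LINE__ expand at the call site, not inside loweringFailed(),
// which is what makes the report point at the failing check.
#define LOWERING_FAILED(reason) loweringFailed((reason), __func__, __LINE__)

bool Lowering::compileNode(const Node& node)
{
    std::string op = node.opcode;
    if (op == "Add" || op == "Mul") {
        if (node.numChildren != 2) {
            LOWERING_FAILED("binary arithmetic node without exactly two children");
            return false;
        }
        return true;
    }
    if (op == "Sqrt") {
        if (node.numChildren != 1) {
            LOWERING_FAILED("Sqrt node without exactly one child");
            return false;
        }
        return true;
    }
    LOWERING_FAILED("unhandled opcode");
    return false;
}

bool Lowering::lower(const std::vector<Node>& nodes)
{
    for (const Node& node : nodes) {
        if (!m_loweringSucceeded)
            break; // first failure already recorded; do not lower further nodes
        compileNode(node);
    }
    return m_loweringSucceeded;
}

void Lowering::loweringFailed(const char* reason, const char* function, int line)
{
    if (!m_loweringSucceeded)
        return; // keep the first report only
    m_loweringSucceeded = false;

    char buffer[256];
    std::snprintf(buffer, sizeof buffer, "lowering failed in %s at line %d: %s", function, line, reason);
    m_failureMessage = buffer;
    std::fprintf(stderr, "%s\n", buffer);

    if (m_abortOnFailure)
        std::abort(); // debug-build policy: the inconsistency is fatal
}

int main()
{
    // Constructed sample graphs: the second contains an opcode the pass cannot lower.
    Lowering good;
    Lowering bad;
    bool goodResult = good.lower({ { "Add", 2 }, { "Sqrt", 1 } });
    bool badResult = bad.lower({ { "Add", 2 }, { "Neg", 1 }, { "Mul", 2 } });
    std::printf("good graph: %s\nbad graph: %s\n",
        goodResult ? "lowered" : "failed", badResult ? "lowered" : "failed");
    return 0;
}
```

Because `lower()` stops at the first recorded failure, nodes after the bad one are never visited and the recorded message always describes the earliest inconsistency; the caller decides what to do with the failed compile.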
795
796 2015-02-17  Filip Pizlo  <fpizlo@apple.com>
797
798         StackLayoutPhase should use CodeBlock::usesArguments rather than FunctionExecutable::usesArguments
799         https://bugs.webkit.org/show_bug.cgi?id=141721
800         rdar://problem/17198633
801
802         Reviewed by Michael Saboff.
803         
804         I've seen cases where the two are out of sync.  We know we can trust the CodeBlock::usesArguments because
805         we use it everywhere else.
806         
807         No test because I could never reproduce the crash.
808
809         * dfg/DFGGraph.h:
810         (JSC::DFG::Graph::usesArguments):
811         * dfg/DFGStackLayoutPhase.cpp:
812         (JSC::DFG::StackLayoutPhase::run):
813
814 2015-02-16  Joseph Pecoraro  <pecoraro@apple.com>
815
816         Web Inspector: Improved Console Support for Bound Functions
817         https://bugs.webkit.org/show_bug.cgi?id=141635
818
819         Reviewed by Timothy Hatcher.
820
821         * inspector/JSInjectedScriptHost.cpp:
822         (Inspector::JSInjectedScriptHost::getInternalProperties):
823         Expose internal properties of a JSBoundFunction.
824
825 2015-02-16  Joseph Pecoraro  <pecoraro@apple.com>
826
827         Web Inspector: ES6: Improved Console Support for Promise Objects
828         https://bugs.webkit.org/show_bug.cgi?id=141634
829
830         Reviewed by Timothy Hatcher.
831
832         * inspector/InjectedScript.cpp:
833         (Inspector::InjectedScript::getInternalProperties):
834         * inspector/InjectedScriptSource.js:
835         Include internal properties in previews. Share code
836         with normal internal property handling.
837
838         * inspector/JSInjectedScriptHost.cpp:
839         (Inspector::constructInternalProperty):
840         (Inspector::JSInjectedScriptHost::getInternalProperties):
841         Provide internal state of Promises.
842
843         * inspector/protocol/Runtime.json:
844         Provide an optional field to distinguish if a PropertyPreview
845         is for an Internal property or not.
846
847 2015-02-17  Filip Pizlo  <fpizlo@apple.com>
848
849         Throwing from an FTL call IC slow path may result in tag registers being clobbered on 64-bit CPUs
850         https://bugs.webkit.org/show_bug.cgi?id=141717
851         rdar://problem/19863382
852
853         Reviewed by Geoffrey Garen.
854         
855         The best solution is to ensure that the engine catching an exception restores tag registers.
856         
857         Each of these new test cases reliably crashed prior to this patch and they don't crash at all now.
858
859         * jit/JITOpcodes.cpp:
860         (JSC::JIT::emit_op_catch):
861         * llint/LowLevelInterpreter.asm:
862         * llint/LowLevelInterpreter64.asm:
863         * tests/stress/throw-from-ftl-call-ic-slow-path-cells.js: Added.
864         * tests/stress/throw-from-ftl-call-ic-slow-path-undefined.js: Added.
865         * tests/stress/throw-from-ftl-call-ic-slow-path.js: Added.
866
867 2015-02-17  Csaba Osztrogonác  <ossy@webkit.org>
868
869         [ARM] Add the necessary setupArgumentsWithExecState after bug141332
870         https://bugs.webkit.org/show_bug.cgi?id=141714
871
872         Reviewed by Michael Saboff.
873
874         * jit/CCallHelpers.h:
875         (JSC::CCallHelpers::setupArgumentsWithExecState):
876
877 2015-02-15  Sam Weinig  <sam@webkit.org>
878
879         Add experimental <attachment> element support
880         https://bugs.webkit.org/show_bug.cgi?id=141626
881
882         Reviewed by Tim Horton.
883
884         * Configurations/FeatureDefines.xcconfig:
885
886 2015-02-16  Michael Saboff  <msaboff@apple.com>
887
888         REGRESSION(r180060): C Loop crashes
889         https://bugs.webkit.org/show_bug.cgi?id=141671
890
891         Reviewed by Geoffrey Garen.
892
893         Fixed a typo that only affected the C Loop in the prologue() macro in LowLevelInterpreter.asm.
894         After the stackHeightOKGetCodeBlock label, codeBlockSetter(t1) should be codeBlockGetter(t1).
895         Fixed the processing of an out of stack exception in llint_stack_check to not get the caller's
896         frame.  This isn't needed, since this helper is only called to check the stack on entry.  Any
897         exception will be handled by a call ancestor.
898
899         * llint/LLIntSlowPaths.cpp:
900         (JSC::LLInt::llint_stack_check): Changed to use the current frame for processing an exception.
901         * llint/LowLevelInterpreter.asm: Fixed a typo.
902
903 2015-02-16  Joseph Pecoraro  <pecoraro@apple.com>
904
905         Web Inspector: Scope details sidebar should label objects with constructor names
906         https://bugs.webkit.org/show_bug.cgi?id=139449
907
908         Reviewed by Timothy Hatcher.
909
910         * inspector/JSInjectedScriptHost.cpp:
911         (Inspector::JSInjectedScriptHost::internalConstructorName):
912         * runtime/Structure.cpp:
913         (JSC::Structure::toStructureShape):
914         Share calculatedClassName.
915
916         * runtime/JSObject.h:        
917         * runtime/JSObject.cpp:
918         (JSC::JSObject::calculatedClassName):
919         Elaborate on a way to get an Object's class name.
920
921 2015-02-16  Filip Pizlo  <fpizlo@apple.com>
922
923         DFG SSA should use GetLocal for arguments, and the GetArgument node type should be removed
924         https://bugs.webkit.org/show_bug.cgi?id=141623
925
926         Reviewed by Oliver Hunt.
927         
928         During development of https://bugs.webkit.org/show_bug.cgi?id=141332, I realized that I
929         needed to use GetArgument for loading something that has magically already appeared on the
930         stack, so currently trunk sort of allows this. But then I realized three things:
931         
932         - A GetArgument with a non-JSValue flush format means speculating that the value on the
933           stack obeys that format, rather than just assuming that it already has that format.
934           In bug 141332, I want it to assume rather than speculate. That also happens to be more
935           intuitive; I don't think I was wrong to expect that.
936         
937         - The node I really want is GetLocal. I'm just getting the value of the local and I don't
938           want to do anything else.
939         
940         - Maybe it would be easier if we just used GetLocal for all of the cases where we currently
941           use GetArgument.
942         
943         This changes the FTL to do argument speculations in the prologue just like the DFG does.
944         This brings some consistency to our system, and allows us to get rid of the GetArgument
945         node. The speculations that the FTL must do are now made explicit in the m_argumentFormats
946         vector in DFG::Graph. This has natural DCE behavior: even if all uses of the argument are
947         dead we will still speculate. We already have safeguards to ensure we only speculate if
948         there are uses that benefit from speculation (which is a much more conservative criterion
949         than DCE).
950         
951         * dfg/DFGAbstractInterpreterInlines.h:
952         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
953         * dfg/DFGClobberize.h:
954         (JSC::DFG::clobberize):
955         * dfg/DFGDCEPhase.cpp:
956         (JSC::DFG::DCEPhase::run):
957         * dfg/DFGDoesGC.cpp:
958         (JSC::DFG::doesGC):
959         * dfg/DFGFixupPhase.cpp:
960         (JSC::DFG::FixupPhase::fixupNode):
961         * dfg/DFGFlushFormat.h:
962         (JSC::DFG::typeFilterFor):
963         * dfg/DFGGraph.cpp:
964         (JSC::DFG::Graph::dump):
965         * dfg/DFGGraph.h:
966         (JSC::DFG::Graph::valueProfileFor):
967         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
968         * dfg/DFGInPlaceAbstractState.cpp:
969         (JSC::DFG::InPlaceAbstractState::initialize):
970         * dfg/DFGNode.cpp:
971         (JSC::DFG::Node::hasVariableAccessData):
972         * dfg/DFGNodeType.h:
973         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
974         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
975         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
976         * dfg/DFGPredictionPropagationPhase.cpp:
977         (JSC::DFG::PredictionPropagationPhase::propagate):
978         * dfg/DFGPutLocalSinkingPhase.cpp:
979         * dfg/DFGSSAConversionPhase.cpp:
980         (JSC::DFG::SSAConversionPhase::run):
981         * dfg/DFGSafeToExecute.h:
982         (JSC::DFG::safeToExecute):
983         * dfg/DFGSpeculativeJIT32_64.cpp:
984         (JSC::DFG::SpeculativeJIT::compile):
985         * dfg/DFGSpeculativeJIT64.cpp:
986         (JSC::DFG::SpeculativeJIT::compile):
987         * ftl/FTLCapabilities.cpp:
988         (JSC::FTL::canCompile):
989         * ftl/FTLLowerDFGToLLVM.cpp:
990         (JSC::FTL::LowerDFGToLLVM::lower):
991         (JSC::FTL::LowerDFGToLLVM::compileNode):
992         (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
993         (JSC::FTL::LowerDFGToLLVM::compileGetArgument): Deleted.
994         * tests/stress/dead-speculating-argument-use.js: Added.
995         (foo):
996         (o.valueOf):
997
998 2015-02-15  Filip Pizlo  <fpizlo@apple.com>
999
1000         Rare case profiling should actually work
1001         https://bugs.webkit.org/show_bug.cgi?id=141632
1002
1003         Reviewed by Michael Saboff.
1004         
1005         This simple adjustment appears to be a 2% speed-up on Octane. Over time, the slow case
1006         heuristic has essentially stopped working because the typical execution count threshold for a
1007         bytecode instruction is around 66 while the slow case threshold is 100: virtually
1008         guaranteeing that the DFG will never think that a bytecode instruction has taken the slow
1009         case even if it took it every single time. So, this changes the slow case threshold to 20.
1010         
1011         I checked if we could lower this down further, like to 10. That is worse than 20, and about
1012         as bad as 100.
1013
1014         * runtime/Options.h:
1015
1016 2015-02-15  Brian J. Burg  <burg@cs.washington.edu>
1017
1018         Web Inspector: remove unused XHR replay code
1019         https://bugs.webkit.org/show_bug.cgi?id=141622
1020
1021         Reviewed by Timothy Hatcher.
1022
1023         * inspector/protocol/Network.json: remove XHR replay methods.
1024
1025 2015-02-15  David Kilzer  <ddkilzer@apple.com>
1026
1027         REGRESSION (r180082): WebCore Debug builds fail on Mavericks due to weak export symbols
1028         <http://webkit.org/b/141607>
1029
1030         More work towards fixing the Mavericks Debug build.
1031
1032         * inspector/ScriptDebugServer.h:
1033         (Inspector::ScriptDebugServer::Task):
1034         * inspector/agents/InspectorDebuggerAgent.h:
1035         (Inspector::InspectorDebuggerAgent::Listener):
1036         - Remove subclass exports. They did not help.
1037
1038         * runtime/JSCJSValue.h:
1039         (JSC::JSValue::toFloat): Do not mark inline method for export.
1040
1041 2015-02-09  Brian J. Burg  <burg@cs.washington.edu>
1042
1043         Web Inspector: remove some unnecessary Inspector prefixes from class names in Inspector namespace
1044         https://bugs.webkit.org/show_bug.cgi?id=141372
1045
1046         Reviewed by Joseph Pecoraro.
1047
1048         * inspector/ConsoleMessage.cpp:
1049         (Inspector::ConsoleMessage::addToFrontend):
1050         (Inspector::ConsoleMessage::updateRepeatCountInConsole):
1051         * inspector/ConsoleMessage.h:
1052         * inspector/InspectorAgentBase.h:
1053         * inspector/InspectorAgentRegistry.cpp:
1054         (Inspector::AgentRegistry::AgentRegistry):
1055         (Inspector::AgentRegistry::append):
1056         (Inspector::AgentRegistry::appendExtraAgent):
1057         (Inspector::AgentRegistry::didCreateFrontendAndBackend):
1058         (Inspector::AgentRegistry::willDestroyFrontendAndBackend):
1059         (Inspector::AgentRegistry::discardAgents):
1060         (Inspector::InspectorAgentRegistry::InspectorAgentRegistry): Deleted.
1061         (Inspector::InspectorAgentRegistry::append): Deleted.
1062         (Inspector::InspectorAgentRegistry::appendExtraAgent): Deleted.
1063         (Inspector::InspectorAgentRegistry::didCreateFrontendAndBackend): Deleted.
1064         (Inspector::InspectorAgentRegistry::willDestroyFrontendAndBackend): Deleted.
1065         (Inspector::InspectorAgentRegistry::discardAgents): Deleted.
1066         * inspector/InspectorAgentRegistry.h:
1067         * inspector/InspectorBackendDispatcher.cpp:
1068         (Inspector::BackendDispatcher::CallbackBase::CallbackBase):
1069         (Inspector::BackendDispatcher::CallbackBase::isActive):
1070         (Inspector::BackendDispatcher::CallbackBase::sendFailure):
1071         (Inspector::BackendDispatcher::CallbackBase::sendIfActive):
1072         (Inspector::BackendDispatcher::create):
1073         (Inspector::BackendDispatcher::registerDispatcherForDomain):
1074         (Inspector::BackendDispatcher::dispatch):
1075         (Inspector::BackendDispatcher::sendResponse):
1076         (Inspector::BackendDispatcher::reportProtocolError):
1077         (Inspector::BackendDispatcher::getInteger):
1078         (Inspector::BackendDispatcher::getDouble):
1079         (Inspector::BackendDispatcher::getString):
1080         (Inspector::BackendDispatcher::getBoolean):
1081         (Inspector::BackendDispatcher::getObject):
1082         (Inspector::BackendDispatcher::getArray):
1083         (Inspector::BackendDispatcher::getValue):
1084         (Inspector::InspectorBackendDispatcher::CallbackBase::CallbackBase): Deleted.
1085         (Inspector::InspectorBackendDispatcher::CallbackBase::isActive): Deleted.
1086         (Inspector::InspectorBackendDispatcher::CallbackBase::sendFailure): Deleted.
1087         (Inspector::InspectorBackendDispatcher::CallbackBase::sendIfActive): Deleted.
1088         (Inspector::InspectorBackendDispatcher::create): Deleted.
1089         (Inspector::InspectorBackendDispatcher::registerDispatcherForDomain): Deleted.
1090         (Inspector::InspectorBackendDispatcher::dispatch): Deleted.
1091         (Inspector::InspectorBackendDispatcher::sendResponse): Deleted.
1092         (Inspector::InspectorBackendDispatcher::reportProtocolError): Deleted.
1093         (Inspector::InspectorBackendDispatcher::getInteger): Deleted.
1094         (Inspector::InspectorBackendDispatcher::getDouble): Deleted.
1095         (Inspector::InspectorBackendDispatcher::getString): Deleted.
1096         (Inspector::InspectorBackendDispatcher::getBoolean): Deleted.
1097         (Inspector::InspectorBackendDispatcher::getObject): Deleted.
1098         (Inspector::InspectorBackendDispatcher::getArray): Deleted.
1099         (Inspector::InspectorBackendDispatcher::getValue): Deleted.
1100         * inspector/InspectorBackendDispatcher.h:
1101         (Inspector::SupplementalBackendDispatcher::SupplementalBackendDispatcher):
1102         (Inspector::SupplementalBackendDispatcher::~SupplementalBackendDispatcher):
1103         (Inspector::InspectorSupplementalBackendDispatcher::InspectorSupplementalBackendDispatcher): Deleted.
1104         (Inspector::InspectorSupplementalBackendDispatcher::~InspectorSupplementalBackendDispatcher): Deleted.
1105         * inspector/InspectorFrontendChannel.h:
1106         (Inspector::FrontendChannel::~FrontendChannel):
1107         (Inspector::InspectorFrontendChannel::~InspectorFrontendChannel): Deleted.
1108         * inspector/JSGlobalObjectInspectorController.cpp:
1109         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1110         (Inspector::JSGlobalObjectInspectorController::globalObjectDestroyed):
1111         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
1112         (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
1113         (Inspector::JSGlobalObjectInspectorController::dispatchMessageFromFrontend):
1114         (Inspector::JSGlobalObjectInspectorController::appendExtraAgent):
1115         * inspector/JSGlobalObjectInspectorController.h:
1116         * inspector/agents/InspectorAgent.cpp:
1117         (Inspector::InspectorAgent::didCreateFrontendAndBackend):
1118         (Inspector::InspectorAgent::willDestroyFrontendAndBackend):
1119         * inspector/agents/InspectorAgent.h:
1120         * inspector/agents/InspectorConsoleAgent.cpp:
1121         (Inspector::InspectorConsoleAgent::didCreateFrontendAndBackend):
1122         (Inspector::InspectorConsoleAgent::willDestroyFrontendAndBackend):
1123         * inspector/agents/InspectorConsoleAgent.h:
1124         * inspector/agents/InspectorDebuggerAgent.cpp:
1125         (Inspector::InspectorDebuggerAgent::didCreateFrontendAndBackend):
1126         (Inspector::InspectorDebuggerAgent::willDestroyFrontendAndBackend):
1127         (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
1128         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
1129         (Inspector::InspectorDebuggerAgent::pause):
1130         (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP):
1131         (Inspector::InspectorDebuggerAgent::didPause):
1132         (Inspector::InspectorDebuggerAgent::breakProgram):
1133         (Inspector::InspectorDebuggerAgent::clearBreakDetails):
1134         * inspector/agents/InspectorDebuggerAgent.h:
1135         * inspector/agents/InspectorRuntimeAgent.cpp:
1136         (Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend):
1137         * inspector/agents/InspectorRuntimeAgent.h:
1138         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
1139         (Inspector::JSGlobalObjectRuntimeAgent::didCreateFrontendAndBackend):
1140         (Inspector::JSGlobalObjectRuntimeAgent::willDestroyFrontendAndBackend):
1141         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
1142         * inspector/augmentable/AlternateDispatchableAgent.h:
1143         * inspector/augmentable/AugmentableInspectorController.h:
1144         * inspector/remote/RemoteInspectorDebuggable.h:
1145         * inspector/remote/RemoteInspectorDebuggableConnection.h:
1146         * inspector/scripts/codegen/cpp_generator.py:
1147         (CppGenerator.cpp_type_for_formal_out_parameter):
1148         (CppGenerator.cpp_type_for_stack_out_parameter):
1149         * inspector/scripts/codegen/cpp_generator_templates.py:
1150         (AlternateBackendDispatcher):
1151         (Alternate):
1152         (void):
1153         (AlternateInspectorBackendDispatcher): Deleted.
1154         (AlternateInspector): Deleted.
1155         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
1156         (CppBackendDispatcherHeaderGenerator._generate_alternate_handler_forward_declarations_for_domains.Alternate):
1157         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
1158         (CppBackendDispatcherHeaderGenerator._generate_alternate_handler_forward_declarations_for_domains.AlternateInspector): Deleted.
1159         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
1160         (CppBackendDispatcherImplementationGenerator._generate_handler_class_destructor_for_domain):
1161         (CppBackendDispatcherImplementationGenerator._generate_large_dispatcher_switch_implementation_for_domain):
1162         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
1163         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
1164         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
1165         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
1166         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
1167         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1168         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1169         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1170         * inspector/scripts/tests/expected/enum-values.json-result:
1171         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1172         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1173         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1174         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1175         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1176         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1177         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1178         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1179         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1180         * runtime/JSGlobalObjectDebuggable.cpp:
1181         (JSC::JSGlobalObjectDebuggable::connect):
1182         (JSC::JSGlobalObjectDebuggable::disconnect):
1183         * runtime/JSGlobalObjectDebuggable.h:
1184
1185 2015-02-14  David Kilzer  <ddkilzer@apple.com>
1186
1187         REGRESSION (r180082): WebCore Debug builds fail on Mavericks due to weak export symbols
1188         <http://webkit.org/b/141607>
1189
1190         Work towards fixing the Mavericks Debug build.
1191
1192         * inspector/ScriptDebugServer.h:
1193         (Inspector::ScriptDebugServer::Task): Export class.
1194         * inspector/agents/InspectorDebuggerAgent.h:
1195         (Inspector::InspectorDebuggerAgent::Listener): Export class.
1196         * runtime/JSGlobalObject.h:
1197         (JSC::JSGlobalObject::setConsoleClient): Do not mark inline
1198         method for export.
1199
1200 2015-02-14  Joseph Pecoraro  <pecoraro@apple.com>
1201
1202         Web Inspector: Symbol RemoteObject should not send sub-type
1203         https://bugs.webkit.org/show_bug.cgi?id=141604
1204
1205         Reviewed by Brian Burg.
1206
1207         * inspector/InjectedScriptSource.js:
1208
1209 2015-02-13  Benjamin Poulain  <bpoulain@apple.com>
1210
1211         Attempt to fix 32bits build after r180098
1212
1213         * jit/JITOperations.cpp:
1214         * jit/JITOperations.h:
1215         I copied the attribute from the MathObject version of that function when I moved
1216         it over. DFG has no version of a function call taking those attributes.
1217
1218 2015-02-13  Joseph Pecoraro  <pecoraro@apple.com>
1219
1220         JSContext Inspector: Do not stash console messages for non-debuggable JSContext
1221         https://bugs.webkit.org/show_bug.cgi?id=141589
1222
1223         Reviewed by Timothy Hatcher.
1224
1225         Consider developer extras disabled for JSContext inspection if the
1226         RemoteInspector server is not enabled (typically a non-debuggable
1227         process rejected by webinspectord) or if remote debugging on the
1228         JSContext was explicitly disabled via SPI.
1229
1230         When developer extras are disabled, console messages will not be stashed.
1231
1232         * inspector/JSGlobalObjectInspectorController.cpp:
1233         (Inspector::JSGlobalObjectInspectorController::developerExtrasEnabled):
1234         * inspector/JSGlobalObjectInspectorController.h:
1235
1236 2015-02-13  Benjamin Poulain  <bpoulain@apple.com>
1237
1238         Add a DFG node for the Pow Intrinsics
1239         https://bugs.webkit.org/show_bug.cgi?id=141540
1240
1241         Reviewed by Filip Pizlo.
1242
1243         Add a DFG Node for PowIntrinsic. This patch covers the basic cases
1244         needed to avoid massive regression. I will iterate over the node to cover
1245         the missing types.
1246
1247         With this patch I get the following progressions on benchmarks:
1248         -LongSpider's math-partial-sums: +5%.
1249         -Kraken's imaging-darkroom: +17%
1250         -AsmBench's cray.c: +6.6%
1251         -CompressionBench: +2.2% globally.
1252
1253         * dfg/DFGAbstractInterpreterInlines.h:
1254         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1255         Cover a couple of trivial cases:
1256         -If the exponent is zero, the result is always one, regardless of the base.
1257         -If both arguments are constants, compute the result at compile time.
1258
1259         * dfg/DFGByteCodeParser.cpp:
1260         (JSC::DFG::ByteCodeParser::handleIntrinsic):
1261         * dfg/DFGClobberize.h:
1262         (JSC::DFG::clobberize):
1263         * dfg/DFGDoesGC.cpp:
1264         (JSC::DFG::doesGC):
1265
1266         * dfg/DFGFixupPhase.cpp:
1267         (JSC::DFG::FixupPhase::fixupNode):
1268         We only support 2 basic cases at this time:
1269         -Math.pow(double, int)
1270         -Math.pow(double, double).
1271
1272         I'll cover Math.pow(int, int) in a follow up.
1273
1274         * dfg/DFGNode.h:
1275         (JSC::DFG::Node::convertToArithSqrt):
1276         (JSC::DFG::Node::arithNodeFlags):
1277         * dfg/DFGNodeType.h:
1278         * dfg/DFGPredictionPropagationPhase.cpp:
1279         (JSC::DFG::PredictionPropagationPhase::propagate):
1280         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
1281         * dfg/DFGSafeToExecute.h:
1282         (JSC::DFG::safeToExecute):
1283         * dfg/DFGSpeculativeJIT.cpp:
1284         (JSC::DFG::compileArithPowIntegerFastPath):
1285         (JSC::DFG::SpeculativeJIT::compileArithPow):
1286         * dfg/DFGSpeculativeJIT.h:
1287         * dfg/DFGSpeculativeJIT32_64.cpp:
1288         (JSC::DFG::SpeculativeJIT::compile):
1289         * dfg/DFGSpeculativeJIT64.cpp:
1290         (JSC::DFG::SpeculativeJIT::compile):
1291         * dfg/DFGStrengthReductionPhase.cpp:
1292         (JSC::DFG::StrengthReductionPhase::handleNode):
1293         * dfg/DFGValidate.cpp:
1294         (JSC::DFG::Validate::validate):
1295         * ftl/FTLCapabilities.cpp:
1296         (JSC::FTL::canCompile):
1297         * ftl/FTLIntrinsicRepository.h:
1298         * ftl/FTLLowerDFGToLLVM.cpp:
1299         (JSC::FTL::LowerDFGToLLVM::compileNode):
1300         (JSC::FTL::LowerDFGToLLVM::compileArithPow):
1301         * ftl/FTLOutput.h:
1302         (JSC::FTL::Output::doublePow):
1303         (JSC::FTL::Output::doublePowi):
1304         * jit/JITOperations.cpp:
1305         * jit/JITOperations.h:
1306         * runtime/MathObject.cpp:
1307         (JSC::mathProtoFuncPow):
1308         (JSC::isDenormal): Deleted.
1309         (JSC::isEdgeCase): Deleted.
1310         (JSC::mathPow): Deleted.
1311
1312         * tests/stress/math-pow-basics.js: Added.
1313         * tests/stress/math-pow-integer-exponent-fastpath.js: Added.
1314         * tests/stress/math-pow-nan-behaviors.js: Added.
1315         * tests/stress/math-pow-with-constants.js: Added.
1316         Start some basic testing of Math.pow().
1317         Due to the various transforms, the values change when the code tiers up,
1318         so I covered this by checking for approximate values.
1319
1320 2015-02-13  Benjamin Poulain  <bpoulain@apple.com>
1321
1322         ArithSqrt should not be conditional on supportsFloatingPointSqrt
1323         https://bugs.webkit.org/show_bug.cgi?id=141546
1324
1325         Reviewed by Geoffrey Garen and Filip Pizlo.
1326
1327         Just fall back to the function call in the DFG codegen.
1328
1329         * dfg/DFGByteCodeParser.cpp:
1330         (JSC::DFG::ByteCodeParser::handleIntrinsic):
1331         * dfg/DFGSpeculativeJIT.cpp:
1332         (JSC::DFG::SpeculativeJIT::compileArithSqrt):
1333         * dfg/DFGSpeculativeJIT.h:
1334         * dfg/DFGSpeculativeJIT32_64.cpp:
1335         (JSC::DFG::SpeculativeJIT::compile):
1336         * dfg/DFGSpeculativeJIT64.cpp:
1337         (JSC::DFG::SpeculativeJIT::compile):
1338         * tests/stress/math-sqrt-basics.js: Added.
1339         Basic coverage.
1340
1341         * tests/stress/math-sqrt-basics-disable-architecture-specific-optimizations.js: Added.
1342         Same tests but forcing the function call.
1343
1344 2015-02-13  Michael Saboff  <msaboff@apple.com>
1345
1346         REGRESSION(r180060) New js/regress-141098 test crashes when LLInt is disabled.
1347         https://bugs.webkit.org/show_bug.cgi?id=141577
1348
1349         Reviewed by Benjamin Poulain.
1350
1351         Changed the prologue of the baseline JIT to check for stack space for all
1352         types of code blocks.  Previously, it was only checking Function.  Now
1353         it checks Program and Eval as well.
1354
1355         * jit/JIT.cpp:
1356         (JSC::JIT::privateCompile):
1357
1358 2015-02-13  Benjamin Poulain  <bpoulain@apple.com>
1359
1360         Generate incq instead of addq when the immediate value is one
1361         https://bugs.webkit.org/show_bug.cgi?id=141548
1362
1363         Reviewed by Gavin Barraclough.
1364
1365         JSC emits "addq #1 (rXX)" *a lot*.
1366         This patch replaces that by incq, which is one byte shorter
1367         and is the advised form.
1368
1369         Sunspider: +0.47%
1370         Octane: +0.28%
1371         Kraken: +0.44%
1372         AsmBench, CompressionBench: neutral.
1373
1374         * assembler/MacroAssemblerX86_64.h:
1375         (JSC::MacroAssemblerX86_64::add64):
1376         * assembler/X86Assembler.h:
1377         (JSC::X86Assembler::incq_m):
1378
1379 2015-02-13  Benjamin Poulain  <benjamin@webkit.org>
1380
1381         Little clean up of Bytecode Generator's Label
1382         https://bugs.webkit.org/show_bug.cgi?id=141557
1383
1384         Reviewed by Michael Saboff.
1385
1386         * bytecompiler/BytecodeGenerator.h:
1387         * bytecompiler/BytecodeGenerator.cpp:
1388         Label was a friend of BytecodeGenerator in order to access
1389         m_instructions. There is no need for that, BytecodeGenerator
1390         has a public getter.
1391
1392         * bytecompiler/Label.h:
1393         (JSC::Label::Label):
1394         (JSC::Label::setLocation):
1395         (JSC::BytecodeGenerator::newLabel):
1396         Make it explicit that the generator must exist.
1397
1398 2015-02-13  Michael Saboff  <msaboff@apple.com>
1399
1400         Google doc spreadsheet reproducibly crashes when sorting
1401         https://bugs.webkit.org/show_bug.cgi?id=141098
1402
1403         Reviewed by Oliver Hunt.
1404
1405         Moved the stack check to before the callee registers are allocated in the
1406         prologue() by moving it from the functionInitialization() macro.  This
1407         way we can check the stack before moving the stack pointer, avoiding a
1408         crash during a "call" instruction.  Before this change, we weren't even
1409         checking the stack for program and eval execution.
1410
1411         Made a couple of supporting changes.
1412
1413         * llint/LLIntSlowPaths.cpp:
1414         (JSC::LLInt::llint_stack_check): We can't just go up one frame as we
1415         may be processing an exception to an entry frame.
1416
1417         * llint/LowLevelInterpreter.asm:
1418
1419         * llint/LowLevelInterpreter32_64.asm:
1420         * llint/LowLevelInterpreter64.asm:
1421         (llint_throw_from_slow_path_trampoline): Changed method to get the vm
1422         from the code block to not use the codeBlock, since we may need to
1423         continue from an exception in a native function.
1424
1425 2015-02-12  Benjamin Poulain  <benjamin@webkit.org>
1426
1427         Simplify the initialization of BytecodeGenerator a bit
1428         https://bugs.webkit.org/show_bug.cgi?id=141505
1429
1430         Reviewed by Anders Carlsson.
1431
1432         * bytecompiler/BytecodeGenerator.cpp:
1433         (JSC::BytecodeGenerator::BytecodeGenerator):
1434         * bytecompiler/BytecodeGenerator.h:
1435         Set up the default initialization at the declaration level
1436         instead of the constructor.
1437
1438         Also made m_scopeNode and m_codeType const to make it explicit
1439         that they are invariant after construction.
1440
1441         * parser/Nodes.cpp:
1442         * runtime/Executable.cpp:
1443         Remove 2 useless #includes.
1444
1445 2015-02-12  Benjamin Poulain  <benjamin@webkit.org>
1446
1447         Move the generators for GetScope and SkipScope to the common core in DFGSpeculativeJIT
1448         https://bugs.webkit.org/show_bug.cgi?id=141506
1449
1450         Reviewed by Michael Saboff.
1451
1452         The generators for the nodes GetScope and SkipScope were
1453         completely identical between 32 and 64 bits.
1454
1455         This patch moves the duplicated code to DFGSpeculativeJIT.
1456
1457         * dfg/DFGSpeculativeJIT.cpp:
1458         (JSC::DFG::SpeculativeJIT::compileGetScope):
1459         (JSC::DFG::SpeculativeJIT::compileSkipScope):
1460         * dfg/DFGSpeculativeJIT.h:
1461         * dfg/DFGSpeculativeJIT32_64.cpp:
1462         (JSC::DFG::SpeculativeJIT::compile):
1463         * dfg/DFGSpeculativeJIT64.cpp:
1464         (JSC::DFG::SpeculativeJIT::compile):
1465
1466 2015-02-11  Brent Fulgham  <bfulgham@apple.com>
1467
1468         [Win] [64-bit] Work around MSVC2013 Runtime Bug
1469         https://bugs.webkit.org/show_bug.cgi?id=141498
1470         <rdar://problem/19803642>
1471
1472         Reviewed by Anders Carlsson.
1473
1474         Disable FMA3 instruction use in the MSVC math library to
1475         work around a VS2013 runtime crash. We can remove this
1476         workaround when we switch to VS2015.
1477
1478         * API/tests/testapi.c: Call _set_FMA3_enable(0) to disable
1479         FMA3 support.
1480         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add new files.
1481         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
1482         * JavaScriptCore.vcxproj/JavaScriptCoreDLL.cpp: Added.
1483         * JavaScriptCore.vcxproj/jsc/DLLLauncherMain.cpp: Call _set_FMA3_enable(0)
1484         to disable FMA3 support.
1485         * jsc.cpp: Ditto.
1486         * testRegExp.cpp: Ditto.
1487
1488 2015-02-11  Filip Pizlo  <fpizlo@apple.com>
1489
1490         The callee frame helpers in DFG::SpeculativeJIT should be available to other JITs
1491         https://bugs.webkit.org/show_bug.cgi?id=141493
1492
1493         Reviewed by Michael Saboff.
1494
1495         * dfg/DFGSpeculativeJIT.h:
1496         (JSC::DFG::SpeculativeJIT::calleeFrameSlot): Deleted.
1497         (JSC::DFG::SpeculativeJIT::calleeArgumentSlot): Deleted.
1498         (JSC::DFG::SpeculativeJIT::calleeFrameTagSlot): Deleted.
1499         (JSC::DFG::SpeculativeJIT::calleeFramePayloadSlot): Deleted.
1500         (JSC::DFG::SpeculativeJIT::calleeArgumentTagSlot): Deleted.
1501         (JSC::DFG::SpeculativeJIT::calleeArgumentPayloadSlot): Deleted.
1502         (JSC::DFG::SpeculativeJIT::calleeFrameCallerFrame): Deleted.
1503         * dfg/DFGSpeculativeJIT32_64.cpp:
1504         (JSC::DFG::SpeculativeJIT::emitCall):
1505         * dfg/DFGSpeculativeJIT64.cpp:
1506         (JSC::DFG::SpeculativeJIT::emitCall):
1507         * jit/AssemblyHelpers.h:
1508         (JSC::AssemblyHelpers::calleeFrameSlot):
1509         (JSC::AssemblyHelpers::calleeArgumentSlot):
1510         (JSC::AssemblyHelpers::calleeFrameTagSlot):
1511         (JSC::AssemblyHelpers::calleeFramePayloadSlot):
1512         (JSC::AssemblyHelpers::calleeArgumentTagSlot):
1513         (JSC::AssemblyHelpers::calleeArgumentPayloadSlot):
1514         (JSC::AssemblyHelpers::calleeFrameCallerFrame):
1515
1516 2015-02-11  Filip Pizlo  <fpizlo@apple.com>
1517
1518         SetupVarargsFrame should not assume that an inline stack frame would have identical layout to a normal stack frame
1519         https://bugs.webkit.org/show_bug.cgi?id=141485
1520
1521         Reviewed by Oliver Hunt.
1522         
1523         The inlineStackOffset argument was meant to make it easy for the DFG to use this helper for
1524         vararg calls from inlined code, but that doesn't work since the DFG inline call frame
1525         doesn't actually put the argument count at the JSStack::ArgumentCount offset. In fact there
1526         is really no such thing as an inlineStackOffset except when we OSR exit; while the code is
1527         running the stack layout is compacted so that the stackOffset is not meaningful.
1528
1529         * jit/JITCall.cpp:
1530         (JSC::JIT::compileSetupVarargsFrame):
1531         * jit/JITCall32_64.cpp:
1532         (JSC::JIT::compileSetupVarargsFrame):
1533         * jit/SetupVarargsFrame.cpp:
1534         (JSC::emitSetupVarargsFrameFastCase):
1535         * jit/SetupVarargsFrame.h:
1536
1537 2015-02-10  Filip Pizlo  <fpizlo@apple.com>
1538
1539         Split FTL::JSCall into the part that knows about call inline caching and the part that interacts with LLVM patchpoints
1540         https://bugs.webkit.org/show_bug.cgi?id=141455
1541
1542         Reviewed by Mark Lam.
1543         
1544         The newly introduced FTL::JSCallBase can be used to build other things, like the FTL portion
1545         of https://bugs.webkit.org/show_bug.cgi?id=141332.
1546
1547         * CMakeLists.txt:
1548         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1549         * JavaScriptCore.xcodeproj/project.pbxproj:
1550         * bytecode/CallLinkInfo.h:
1551         (JSC::CallLinkInfo::specializationKindFor):
1552         (JSC::CallLinkInfo::specializationKind):
1553         * ftl/FTLJSCall.cpp:
1554         (JSC::FTL::JSCall::JSCall):
1555         (JSC::FTL::JSCall::emit): Deleted.
1556         (JSC::FTL::JSCall::link): Deleted.
1557         * ftl/FTLJSCall.h:
1558         * ftl/FTLJSCallBase.cpp: Added.
1559         (JSC::FTL::JSCallBase::JSCallBase):
1560         (JSC::FTL::JSCallBase::emit):
1561         (JSC::FTL::JSCallBase::link):
1562         * ftl/FTLJSCallBase.h: Added.
1563
1564 2015-02-10  Filip Pizlo  <fpizlo@apple.com>
1565
1566         Unreviewed, fix build.
1567
1568         * jit/CCallHelpers.h:
1569         (JSC::CCallHelpers::setupArgumentsWithExecState):
1570
1571 2015-02-10  Filip Pizlo  <fpizlo@apple.com>
1572
1573         op_call_varargs should only load the length once
1574         https://bugs.webkit.org/show_bug.cgi?id=141440
1575         rdar://problem/19761683
1576
1577         Reviewed by Michael Saboff.
1578         
1579         Refactors the pair of calls that set up the varargs frame so that the first call returns the
1580         length, and the second call uses the length returned by the first one. It turns out that this
1581         gave me an opportunity to shorten a lot of the code.
1582
1583         * interpreter/Interpreter.cpp:
1584         (JSC::sizeFrameForVarargs):
1585         (JSC::loadVarargs):
1586         (JSC::setupVarargsFrame):
1587         (JSC::setupVarargsFrameAndSetThis):
1588         * interpreter/Interpreter.h:
1589         (JSC::calleeFrameForVarargs):
1590         * jit/CCallHelpers.h:
1591         (JSC::CCallHelpers::setupArgumentsWithExecState):
1592         * jit/JIT.h:
1593         * jit/JITCall.cpp:
1594         (JSC::JIT::compileSetupVarargsFrame):
1595         * jit/JITCall32_64.cpp:
1596         (JSC::JIT::compileSetupVarargsFrame):
1597         * jit/JITInlines.h:
1598         (JSC::JIT::callOperation):
1599         * jit/JITOperations.cpp:
1600         * jit/JITOperations.h:
1601         * jit/SetupVarargsFrame.cpp:
1602         (JSC::emitSetVarargsFrame):
1603         (JSC::emitSetupVarargsFrameFastCase):
1604         * jit/SetupVarargsFrame.h:
1605         * llint/LLIntSlowPaths.cpp:
1606         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1607         * runtime/Arguments.cpp:
1608         (JSC::Arguments::copyToArguments):
1609         * runtime/Arguments.h:
1610         * runtime/JSArray.cpp:
1611         (JSC::JSArray::copyToArguments):
1612         * runtime/JSArray.h:
1613         * runtime/VM.h:
1614         * tests/stress/call-varargs-length-effects.js: Added.
1615         (foo):
1616         (bar):
1617
1618 2015-02-10  Michael Saboff  <msaboff@apple.com>
1619
1620         Crash in JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq
1621         https://bugs.webkit.org/show_bug.cgi?id=139398
1622
1623         Reviewed by Filip Pizlo.
1624
1625         Due to CFA analysis, the CompareStrictEq node was determined to be unreachable, but later
1626         was determined to be reachable.  When we go to lower to LLVM, the edges for the CompareStrictEq
1627         node are UntypedUse which we can't compile.  Fixed this by checking that the IR before
1628         lowering can still be handled by the FTL.
1629
1630         Had to add GetArgument as a node that the FTL can compile as the SSA conversion phase converts
1631         a SetArgument to a GetArgument.  Before this change FTL::canCompile() would never see a GetArgument
1632         node.  With the check right before lowering, we see this node.
1633
1634         * dfg/DFGPlan.cpp:
1635         (JSC::DFG::Plan::compileInThreadImpl): Added a final FTL::canCompile() check before lowering
1636         to verify that after all the transformations we still have valid IR for the FTL.
1637         * ftl/FTLCapabilities.cpp:
1638         (JSC::FTL::canCompile): Added GetArgument as a node the FTL can compile.
1639
1640 2015-02-10  Filip Pizlo  <fpizlo@apple.com>
1641
1642         Remove unused DFG::SpeculativeJIT::calleeFrameOffset().
1643
1644         Rubber stamped by Michael Saboff.
1645         
1646         Not only was this not used, I believe that the math was wrong. The callee frame doesn't
1647         actually land past m_nextMachineLocal; instead it lands just below wherever we put SP and
1648         that decision is made elsewhere. Also, it makes no sense to subtract 1 from
1649         m_nextMachineLocal when trying to deduce the number of in-use stack slots.
1650
1651         * dfg/DFGSpeculativeJIT.h:
1652         (JSC::DFG::SpeculativeJIT::calleeFrameOffset): Deleted.
1653
1654 2015-02-10  Saam Barati  <saambarati1@gmail.com>
1655
1656         Parser::parseVarDeclarationList gets the wrong JSToken for the last identifier
1657         https://bugs.webkit.org/show_bug.cgi?id=141272
1658
1659         Reviewed by Oliver Hunt.
1660
1661         This patch fixes a bug where the wrong text location would be 
1662         assigned to a variable declaration inside a ForIn/ForOf loop. 
1663         It also fixes a bug in the type profiler where the type profiler 
1664         emits the wrong text offset for a ForIn loop's variable declarator 
1665         when it's not a pattern node.
1666
1667         * bytecompiler/NodesCodegen.cpp:
1668         (JSC::ForInNode::emitLoopHeader):
1669         * parser/Parser.cpp:
1670         (JSC::Parser<LexerType>::parseVarDeclarationList):
1671         * tests/typeProfiler/loop.js:
1672         (testForIn):
1673         (testForOf):
1674
1675 2015-02-09  Saam Barati  <saambarati1@gmail.com>
1676
1677         JSC's Type Profiler doesn't profile the type of the looping variable in ForOf/ForIn loops
1678         https://bugs.webkit.org/show_bug.cgi?id=141241
1679
1680         Reviewed by Filip Pizlo.
1681
1682         Type information is now recorded for ForIn and ForOf statements. 
1683         It was an oversight to not have these statements profiled before.
1684
1685         * bytecompiler/NodesCodegen.cpp:
1686         (JSC::ForInNode::emitLoopHeader):
1687         (JSC::ForOfNode::emitBytecode):
1688         * tests/typeProfiler/loop.js: Added.
1689         (testForIn):
1690         (testForOf):
1691
1692 2015-02-09  Filip Pizlo  <fpizlo@apple.com>
1693
1694         DFG::StackLayoutPhase should always set the scopeRegister to VirtualRegister() because the DFG doesn't do anything to make its value valid
1695         https://bugs.webkit.org/show_bug.cgi?id=141412
1696
1697         Reviewed by Michael Saboff.
1698         
1699         StackLayoutPhase was attempting to ensure that the register that
1700         CodeBlock::scopeRegister() points to is the right one for the DFG. But the DFG did nothing
1701         else to maintain the validity of the scopeRegister(). It wasn't captured as far as I can
1702         tell. StackLayoutPhase didn't explicitly mark it live. PreciseLocalClobberize didn't mark
1703         it as being live. So, by the time we got here the register referred to by
1704         CodeBlock::scopeRegister() would have been junk. Moreover, CodeBlock::scopeRegister() was
1705         not used for DFG code blocks, and was hardly ever used outside of bytecode generation.
1706         
1707         So, this patch just removes the code to manipulate this field and replaces it with an
1708         unconditional setScopeRegister(VirtualRegister()). Setting it to the invalid register
1709         ensures that any attempts to read the scopeRegister in a DFG or FTL frame immediately
1710         punts.
1711
1712         * dfg/DFGStackLayoutPhase.cpp:
1713         (JSC::DFG::StackLayoutPhase::run):
1714
1715 2015-02-09  Filip Pizlo  <fpizlo@apple.com>
1716
1717         Varargs frame set-up should be factored out for use by other JITs
1718         https://bugs.webkit.org/show_bug.cgi?id=141388
1719
1720         Reviewed by Michael Saboff.
1721         
1722         Previously the code that dealt with varargs always assumed that we were setting up a varargs call
1723         frame by literally following the execution semantics of op_call_varargs. This isn't how it'll
1724         happen once the DFG and FTL do varargs calls, or when varargs calls get inlined. The DFG and FTL
1725         don't literally execute bytecode; for example their stack frame layout has absolutely nothing in
1726         common with what the bytecode says, and that will never change.
1727         
1728         This patch makes two changes:
1729         
1730         Setting up the varargs callee frame can be done in smaller steps: particularly in the case of a
1731         varargs call that gets inlined, we aren't going to actually want to set up a callee frame in
1732         full - we just want to put the arguments somewhere, and that place will not have much (if
1733         anything) in common with the call frame format. This patch factors that out into something called
1734         a loadVarargs. The thing we used to call loadVarargs is now called setupVarargsFrame. This patch
1735         also separates loading varargs from setting this, since the fact that those two things are done
1736         together is a detail made explicit in bytecode but it's not at all required in the higher-tier
1737         engines. In the process of factoring this code out, I found a bunch of off-by-one errors in the
1738         various calculations. I fixed them. The distance from the caller's frame pointer to the callee
1739         frame pointer is always:
1740         
1741             numUsedCallerSlots + argCount + 1 + CallFrameSize
1742         
1743         where numUsedCallerSlots is toLocal(firstFreeRegister) - 1, which simplifies down to just
1744         -firstFreeRegister. The code now speaks of numUsedCallerSlots rather than firstFreeRegister,
1745         since the latter is a bytecode peculiarity that doesn't apply in the DFG or FTL. In the DFG, the
1746         internally-computed frame size, minus the parameter slots, will be used for numUsedCallerSlots.
1747         In the FTL, we will essentially compute numUsedCallerSlots dynamically by subtracting SP from FP.
1748         Eventually, LLVM might give us some cleaner way of doing this, but it probably doesn't matter
1749         very much.
1750         
1751         The arguments forwarding optimization is factored out of the Baseline JIT: the DFG and FTL will
1752         want to do this optimization as well, but it involves quite a bit of code. So, this code is now
1753         factored out into SetupVarargsFrame.h|cpp, so that other JITs can use it. In the process of factoring
1754         this code out I noticed that the 32-bit and 64-bit code is nearly identical, so I combined them.
1755
1756         * CMakeLists.txt:
1757         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1758         * JavaScriptCore.xcodeproj/project.pbxproj:
1759         * bytecode/CodeBlock.h:
1760         (JSC::ExecState::r):
1761         (JSC::ExecState::uncheckedR):
1762         * bytecode/VirtualRegister.h:
1763         (JSC::VirtualRegister::operator+):
1764         (JSC::VirtualRegister::operator-):
1765         (JSC::VirtualRegister::operator+=):
1766         (JSC::VirtualRegister::operator-=):
1767         * interpreter/CallFrame.h:
1768         * interpreter/Interpreter.cpp:
1769         (JSC::sizeFrameForVarargs):
1770         (JSC::loadVarargs):
1771         (JSC::setupVarargsFrame):
1772         (JSC::setupVarargsFrameAndSetThis):
1773         * interpreter/Interpreter.h:
1774         * jit/AssemblyHelpers.h:
1775         (JSC::AssemblyHelpers::emitGetFromCallFrameHeaderPtr):
1776         (JSC::AssemblyHelpers::emitGetFromCallFrameHeader32):
1777         (JSC::AssemblyHelpers::emitGetFromCallFrameHeader64):
1778         * jit/JIT.h:
1779         * jit/JITCall.cpp:
1780         (JSC::JIT::compileSetupVarargsFrame):
1781         * jit/JITCall32_64.cpp:
1782         (JSC::JIT::compileSetupVarargsFrame):
1783         * jit/JITInlines.h:
1784         (JSC::JIT::callOperation):
1785         (JSC::JIT::emitGetFromCallFrameHeaderPtr): Deleted.
1786         (JSC::JIT::emitGetFromCallFrameHeader32): Deleted.
1787         (JSC::JIT::emitGetFromCallFrameHeader64): Deleted.
1788         * jit/JITOperations.cpp:
1789         * jit/JITOperations.h:
1790         * jit/SetupVarargsFrame.cpp: Added.
1791         (JSC::emitSetupVarargsFrameFastCase):
1792         * jit/SetupVarargsFrame.h: Added.
1793         * llint/LLIntSlowPaths.cpp:
1794         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1795         * runtime/Arguments.cpp:
1796         (JSC::Arguments::copyToArguments):
1797         * runtime/Arguments.h:
1798         * runtime/JSArray.cpp:
1799         (JSC::JSArray::copyToArguments):
1800         * runtime/JSArray.h:
1801
1802 2015-02-09  Filip Pizlo  <fpizlo@apple.com>
1803
1804         DFG call codegen should resolve the callee operand as late as possible
1805         https://bugs.webkit.org/show_bug.cgi?id=141398
1806
1807         Reviewed by Mark Lam.
1808         
1809         This is mostly a benign restructuring to help with the implementation of
1810         https://bugs.webkit.org/show_bug.cgi?id=141332.
1811
1812         * dfg/DFGSpeculativeJIT32_64.cpp:
1813         (JSC::DFG::SpeculativeJIT::emitCall):
1814         * dfg/DFGSpeculativeJIT64.cpp:
1815         (JSC::DFG::SpeculativeJIT::emitCall):
1816
1817 2015-02-08  Filip Pizlo  <fpizlo@apple.com>
1818
1819         DFG should only have two mechanisms for describing effectfulness of nodes; previously there were three
1820         https://bugs.webkit.org/show_bug.cgi?id=141369
1821
1822         Reviewed by Michael Saboff.
1823
1824         We previously used the NodeMightClobber and NodeClobbersWorld NodeFlags to describe
1825         effectfulness.  Starting over a year ago, we introduced a more powerful mechanism - the
1826         DFG::clobberize() function.  Now we only have one remaining client of the old NodeFlags,
1827         and everyone else uses DFG::clobberize().  We should get rid of those NodeFlags and
1828         finally switch everyone over to DFG::clobberize().
1829         
1830         Unfortunately there is still another place where effectfulness of nodes is described: the
1831         AbstractInterpreter. This is because the AbstractInterpreter has special tuning both for
1832         compile time performance and there are places where the AI is more precise than
1833         clobberize() because of its flow-sensitivity.
1834         
1835         This means that after this change there will be only two places, rather than three, where
1836         the effectfulness of a node has to be described:
1837
1838         - DFG::clobberize()
1839         - DFG::AbstractInterpreter
1840
1841         * dfg/DFGClobberize.cpp:
1842         (JSC::DFG::clobbersWorld):
1843         * dfg/DFGClobberize.h:
1844         * dfg/DFGDoesGC.cpp:
1845         (JSC::DFG::doesGC):
1846         * dfg/DFGFixupPhase.cpp:
1847         (JSC::DFG::FixupPhase::fixupNode):
1848         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
1849         (JSC::DFG::FixupPhase::convertToGetArrayLength):
1850         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
1851         * dfg/DFGGraph.h:
1852         (JSC::DFG::Graph::isPredictedNumerical): Deleted.
1853         (JSC::DFG::Graph::byValIsPure): Deleted.
1854         (JSC::DFG::Graph::clobbersWorld): Deleted.
1855         * dfg/DFGNode.h:
1856         (JSC::DFG::Node::convertToConstant):
1857         (JSC::DFG::Node::convertToGetLocalUnlinked):
1858         (JSC::DFG::Node::convertToGetByOffset):
1859         (JSC::DFG::Node::convertToMultiGetByOffset):
1860         (JSC::DFG::Node::convertToPutByOffset):
1861         (JSC::DFG::Node::convertToMultiPutByOffset):
1862         * dfg/DFGNodeFlags.cpp:
1863         (JSC::DFG::dumpNodeFlags):
1864         * dfg/DFGNodeFlags.h:
1865         * dfg/DFGNodeType.h:
1866
1867 2015-02-09  Csaba Osztrogonác  <ossy@webkit.org>
1868
1869         Fix the !ENABLE(DFG_JIT) build
1870         https://bugs.webkit.org/show_bug.cgi?id=141387
1871
1872         Reviewed by Darin Adler.
1873
1874         * jit/Repatch.cpp:
1875
1876 2015-02-08  Benjamin Poulain  <benjamin@webkit.org>
1877
1878         Remove a few duplicate propagation steps from the DFG's PredictionPropagation phase
1879         https://bugs.webkit.org/show_bug.cgi?id=141363
1880
1881         Reviewed by Darin Adler.
1882
1883         * dfg/DFGPredictionPropagationPhase.cpp:
1884         (JSC::DFG::PredictionPropagationPhase::propagate):
1885         Some blocks were duplicated; they probably evolved separately
1886         to the same state.
1887
1888 2015-02-08  Benjamin Poulain  <benjamin@webkit.org>
1889
1890         Remove useless declarations and a stale comment from DFGByteCodeParser.h
1891         https://bugs.webkit.org/show_bug.cgi?id=141361
1892
1893         Reviewed by Darin Adler.
1894
1895         The comment refers to the original form of the ByteCodeParser:
1896             parse(Graph&, JSGlobalData*, CodeBlock*, unsigned startIndex);
1897
1898         That form is long dead; the comment is more misleading than anything.
1899
1900         * dfg/DFGByteCodeParser.cpp:
1901         * dfg/DFGByteCodeParser.h:
1902
1903 2015-02-08  Benjamin Poulain  <benjamin@webkit.org>
1904
1905         Encapsulate DFG::Plan's beforeFTL timestamp
1906         https://bugs.webkit.org/show_bug.cgi?id=141360
1907
1908         Reviewed by Darin Adler.
1909
1910         Make the attribute private; it is internal state.
1911
1912         Rename beforeFTL->timeBeforeFTL for readability.
1913
1914         * dfg/DFGPlan.cpp:
1915         (JSC::DFG::Plan::compileInThread):
1916         (JSC::DFG::Plan::compileInThreadImpl):
1917         * dfg/DFGPlan.h:
1918
1919 2015-02-08  Benjamin Poulain  <bpoulain@apple.com>
1920
1921         Remove DFGNode::hasArithNodeFlags()
1922         https://bugs.webkit.org/show_bug.cgi?id=141319
1923
1924         Reviewed by Michael Saboff.
1925
1926         * dfg/DFGNode.h:
1927         (JSC::DFG::Node::hasArithNodeFlags): Deleted.
1928         Unused code is unused.
1929
1930 2015-02-07  Chris Dumez  <cdumez@apple.com>
1931
1932         Add Vector::removeFirstMatching() / removeAllMatching() methods taking lambda functions
1933         https://bugs.webkit.org/show_bug.cgi?id=141321
1934
1935         Reviewed by Darin Adler.
1936
1937         Use new Vector::removeFirstMatching() / removeAllMatching() methods.
1938
1939 2015-02-06  Filip Pizlo  <fpizlo@apple.com>
1940
1941         DFG SSA shouldn't have SetArgument nodes
1942         https://bugs.webkit.org/show_bug.cgi?id=141342
1943
1944         Reviewed by Mark Lam.
1945
1946         I was wondering why we kept the SetArgument around for captured
1947         variables. It turns out we did so because we thought we had to, even
1948         though we didn't have to. The node is meaningless in SSA.
1949
1950         * dfg/DFGSSAConversionPhase.cpp:
1951         (JSC::DFG::SSAConversionPhase::run):
1952         * ftl/FTLLowerDFGToLLVM.cpp:
1953         (JSC::FTL::LowerDFGToLLVM::compileNode):
1954
1955 2015-02-06  Filip Pizlo  <fpizlo@apple.com>
1956
1957         It should be possible to use the DFG SetArgument node to indicate that someone set the value of a local out-of-band
1958         https://bugs.webkit.org/show_bug.cgi?id=141337
1959
1960         Reviewed by Mark Lam.
1961
1962         This mainly involved ensuring that SetArgument behaves just like SetLocal from a CPS standpoint, but with a special case for those SetArguments that
1963         are associated with the prologue.
1964
1965         * dfg/DFGCPSRethreadingPhase.cpp:
1966         (JSC::DFG::CPSRethreadingPhase::run):
1967         (JSC::DFG::CPSRethreadingPhase::canonicalizeSet):
1968         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
1969         (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
1970         (JSC::DFG::CPSRethreadingPhase::canonicalizeSetLocal): Deleted.
1971         (JSC::DFG::CPSRethreadingPhase::canonicalizeSetArgument): Deleted.
1972
1973 2015-02-06  Mark Lam  <mark.lam@apple.com>
1974
1975         MachineThreads should be ref counted.
1976         <https://webkit.org/b/141317>
1977
1978         Reviewed by Filip Pizlo.
1979
1980         The VM's MachineThreads registry object is being referenced from other
1981         threads as a raw pointer.  In a scenario where the VM is destructed on
1982         the main thread, there is no guarantee that another thread isn't still
1983         holding a reference to the registry and will eventually invoke
1984         removeThread() on it on thread exit.  Hence, there's a possible use
1985         after free scenario here.
1986
1987         The fix is to make MachineThreads ThreadSafeRefCounted, and have all
1988         threads that reference it keep a RefPtr to it to ensure that it stays
1989         alive until the very last thread is done with it.
1990
1991         * API/tests/testapi.mm:
1992         (useVMFromOtherThread): - Renamed to be more descriptive.
1993         (useVMFromOtherThreadAndOutliveVM):
1994         - Added a test that has another thread which uses the VM outlive the
1995           VM to confirm that there is no crash.
1996
1997           However, I was not actually able to get the VM to crash without this
1998           patch because I wasn't always able to get the thread destructor to be
1999           called.  With this patch applied, I did verify with some logging that
2000           the MachineThreads registry is only destructed after all threads
2001           have removed themselves from it.
2002
2003         (threadMain): Deleted.
2004
2005         * heap/Heap.cpp:
2006         (JSC::Heap::Heap):
2007         (JSC::Heap::~Heap):
2008         (JSC::Heap::gatherStackRoots):
2009         * heap/Heap.h:
2010         (JSC::Heap::machineThreads):
2011         * heap/MachineStackMarker.cpp:
2012         (JSC::MachineThreads::Thread::Thread):
2013         (JSC::MachineThreads::addCurrentThread):
2014         (JSC::MachineThreads::removeCurrentThread):
2015         * heap/MachineStackMarker.h:
2016
2017 2015-02-06  Commit Queue  <commit-queue@webkit.org>
2018
2019         Unreviewed, rolling out r179743.
2020         https://bugs.webkit.org/show_bug.cgi?id=141335
2021
2022         caused missing symbols in non-WebKit clients of WTF::Vector
2023         (Requested by kling on #webkit).
2024
2025         Reverted changeset:
2026
2027         "Remove WTF::fastMallocGoodSize()."
2028         https://bugs.webkit.org/show_bug.cgi?id=141020
2029         http://trac.webkit.org/changeset/179743
2030
2031 2015-02-04  Filip Pizlo  <fpizlo@apple.com>
2032
2033         Remove BytecodeGenerator::preserveLastVar() and replace it with a more robust mechanism for preserving non-temporary registers
2034         https://bugs.webkit.org/show_bug.cgi?id=141211
2035
2036         Reviewed by Mark Lam.
2037
2038         Previously, the way non-temporary registers were preserved (i.e. not reclaimed anytime
2039         we did newTemporary()) was by calling preserveLastVar() after all non-temps are created. It
2040         would raise the refcount on the last (highest-numbered) variable created, and rely on
2041         the fact that register reclamation started at higher-numbered registers and worked its
2042         way down. So any retained register would block any lower-numbered registers from being
2043         reclaimed.
2044         
2045         Also, preserveLastVar() sets a thing called m_firstConstantIndex. It's unused.
2046         
2047         This removes preserveLastVar() and makes addVar() retain each register it creates. This
2048         is more explicit, since addVar() is the mechanism for creating non-temporary registers.
2049         
2050         To make this work I had to remove an assertion that Register::setIndex() can only be
2051         called when the refcount is zero. This method might be called after a var is created to
2052         change its index. This previously worked because preserveLastVar() would be called after
2053         we had already made all index changes, so the vars would still have refcount zero. Now
2054         they have refcount 1. I think it's OK to lose this assertion; I can't remember this
2055         assertion ever firing in a way that alerted me to a serious issue.
2056         
2057         * bytecompiler/BytecodeGenerator.cpp:
2058         (JSC::BytecodeGenerator::BytecodeGenerator):
2059         (JSC::BytecodeGenerator::preserveLastVar): Deleted.
2060         * bytecompiler/BytecodeGenerator.h:
2061         (JSC::BytecodeGenerator::addVar):
2062         * bytecompiler/RegisterID.h:
2063         (JSC::RegisterID::setIndex):
2064
2065 2015-02-06  Andreas Kling  <akling@apple.com>
2066
2067         Remove WTF::fastMallocGoodSize().
2068         <https://webkit.org/b/141020>
2069
2070         Reviewed by Anders Carlsson.
2071
2072         * assembler/AssemblerBuffer.h:
2073         (JSC::AssemblerData::AssemblerData):
2074         (JSC::AssemblerData::grow):
2075
2076 2015-02-05  Michael Saboff  <msaboff@apple.com>
2077
2078         CodeCache is not thread safe when adding the same source from two different threads
2079         https://bugs.webkit.org/show_bug.cgi?id=141275
2080
2081         Reviewed by Mark Lam.
2082
2083         The issue for this bug is that one thread takes a cache miss in CodeCache::getGlobalCodeBlock,
2084         but in the process creates a cache entry with a nullptr UnlinkedCodeBlockType* which it
2085         will fill in later in the function.  During the body of that function, it allocates
2086         objects that may garbage collect.  During that garbage collection, we drop all the locks.
2087         While the locks are released by the first thread, another thread can enter the VM and might
2088         have exactly the same source and enter CodeCache::getGlobalCodeBlock() itself.  When it
2089         looks up the code block, it sees it as a cache hit and uses the nullptr UnlinkedCodeBlockType*
2090         and crashes.  This fixes the problem by not dropping the locks during garbage collection.
2091         There are other likely scenarios where we have a data structure like this code cache in an
2092         unsafe state for arbitrary reentrance.
2093
2094         Moved the functionality of DelayedReleaseScope directly into Heap.  Changed it into
2095         a simple list that is cleared with the new function Heap::releaseDelayedReleasedObjects.
2096         Now we accumulate objects to be released and release them when all locks are dropped or
2097         when destroying the Heap.  This eliminated the dropping and reacquiring of locks associated
2098         with the old scope form of this list.
2099
2100         Given that all functionality of DelayedReleaseScope is now used and referenced by Heap
2101         and the lock management no longer needs to be done, just made the list a member of Heap.
2102         We do need to guard against the case that releasing an object can create more objects
2103         by calling into JS.  That is why releaseDelayedReleasedObjects() is written to remove
2104         an object to release so that we aren't recursively in Vector code.  The other thing we
2105         do in releaseDelayedReleasedObjects() is to guard against recursive calls to itself using
2106         the m_delayedReleaseRecursionCount.  We only release at the first entry into the function.
2107         This case is already tested by testapi.mm.
2108
2109         * heap/DelayedReleaseScope.h: Removed file
2110
2111         * API/JSAPIWrapperObject.mm:
2112         * API/ObjCCallbackFunction.mm:
2113         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2114         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2115         * JavaScriptCore.xcodeproj/project.pbxproj:
2116         * heap/IncrementalSweeper.cpp:
2117         (JSC::IncrementalSweeper::doSweep):
2118         * heap/MarkedAllocator.cpp:
2119         (JSC::MarkedAllocator::tryAllocateHelper):
2120         (JSC::MarkedAllocator::tryAllocate):
2121         * heap/MarkedBlock.cpp:
2122         (JSC::MarkedBlock::sweep):
2123         * heap/MarkedSpace.cpp:
2124         (JSC::MarkedSpace::MarkedSpace):
2125         (JSC::MarkedSpace::lastChanceToFinalize):
2126         (JSC::MarkedSpace::didFinishIterating):
2127         * heap/MarkedSpace.h:
2128         * heap/Heap.cpp:
2129         (JSC::Heap::collectAllGarbage):
2130         (JSC::Heap::zombifyDeadObjects):
2131         Removed references to DelayedReleaseScope and DelayedReleaseScope.h.
2132
2133         * heap/Heap.cpp:
2134         (JSC::Heap::Heap): Initialized m_delayedReleaseRecursionCount.
2135         (JSC::Heap::lastChanceToFinalize): Call releaseDelayedObjectsNow() as the VM is going away.
2136         (JSC::Heap::releaseDelayedReleasedObjects): New function that releases the accumulated
2137         delayed release objects.
2138
2139         * heap/Heap.h:
2140         (JSC::Heap::m_delayedReleaseObjects): List of objects to be released later.
2141         (JSC::Heap::m_delayedReleaseRecursionCount): Counter to indicate that
2142         releaseDelayedReleasedObjects is being called recursively.
2143         * heap/HeapInlines.h:
2144         (JSC::Heap::releaseSoon): Changed location of list to add delayed release objects.
2145         
2146         * runtime/JSLock.cpp:
2147         (JSC::JSLock::willReleaseLock):
2148         Call Heap::releaseDelayedObjectsNow() when releasing the lock.
2149
2150 2015-02-05  Youenn Fablet  <youenn.fablet@crf.canon.fr> and Xabier Rodriguez Calvar <calvaris@igalia.com>
2151
2152         [Streams API] Implement a barebone ReadableStream interface
2153         https://bugs.webkit.org/show_bug.cgi?id=141045
2154
2155         Reviewed by Benjamin Poulain.
2156
2157         * Configurations/FeatureDefines.xcconfig:
2158
2159 2015-02-05  Saam Barati  <saambarati1@gmail.com>
2160
2161         Crash in uninitialized deconstructing variable.
2162         https://bugs.webkit.org/show_bug.cgi?id=141070
2163
2164         Reviewed by Michael Saboff.
2165
2166         According to the ES6 spec, when a destructuring pattern occurs
2167         as the left hand side of an assignment inside a var declaration 
2168         statement, the assignment must also have a right hand side value.
2169         "var {x} = {};" is a legal syntactic statement, but,
2170         "var {x};" is a syntactic error.
2171
2172         Section 13.2.2 of the latest draft ES6 spec specifies this requirement:
2173         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-variable-statement
2174
2175         * parser/Parser.cpp:
2176         (JSC::Parser<LexerType>::parseVarDeclaration):
2177         (JSC::Parser<LexerType>::parseVarDeclarationList):
2178         (JSC::Parser<LexerType>::parseForStatement):
2179         * parser/Parser.h:
2180
2181 2015-02-04  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
2182
2183         Unreviewed, fix a build break on EFL port since r179648.
2184
2185         * heap/MachineStackMarker.cpp: EFL port doesn't use previousThread variable. 
2186         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2187
2188 2015-02-04  Joseph Pecoraro  <pecoraro@apple.com>
2189
2190         Web Inspector: ES6: Improved Console Support for Symbol Objects
2191         https://bugs.webkit.org/show_bug.cgi?id=141173
2192
2193         Reviewed by Timothy Hatcher.
2194
2195         * inspector/protocol/Runtime.json:
2196         New type, "symbol".
2197
2198         * inspector/InjectedScriptSource.js:
2199         Handle Symbol objects in a few places. They don't have properties
2200         and they cannot be implicitly converted to strings.
2201
2202 2015-02-04  Mark Lam  <mark.lam@apple.com>
2203
2204         Undo gardening: Restoring the expected ERROR message since that is not the cause of the bot unhappiness.
2205
2206         Not reviewed.
2207
2208         * heap/MachineStackMarker.cpp:
2209         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2210
2211 2015-02-04  Mark Lam  <mark.lam@apple.com>
2212
2213         Gardening: Changed expected ERROR message to WARNING to make test bots happy.
2214
2215         Rubber stamped by Simon Fraser.
2216
2217         * heap/MachineStackMarker.cpp:
2218         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2219
2220 2015-02-04  Mark Lam  <mark.lam@apple.com>
2221
2222         r179576 introduced a deadlock potential during GC thread suspension.
2223         <https://webkit.org/b/141268>
2224
2225         Reviewed by Michael Saboff.
2226
2227         http://trac.webkit.org/r179576 introduced a potential for deadlocking.
2228         In the GC thread suspension loop, we currently delete
2229         MachineThreads::Thread that we detect to be invalid.  This is unsafe
2230         because we may have already suspended some threads, and one of those
2231         suspended threads may still be holding the C heap lock which we need
2232         for deleting the invalid thread.
2233
2234         The fix is to put the invalid threads in a separate toBeDeleted list,
2235         and delete them only after GC has resumed all threads.
2236
2237         * heap/MachineStackMarker.cpp:
2238         (JSC::MachineThreads::removeCurrentThread):
2239         - Undo refactoring removeThreadWithLockAlreadyAcquired() out of
2240           removeCurrentThread() since it is no longer needed.
2241
2242         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2243         - Put invalid Threads on a threadsToBeDeleted list, and delete those
2244           Threads only after all threads have been resumed.
2245
2246         (JSC::MachineThreads::removeThreadWithLockAlreadyAcquired): Deleted.
2247         * heap/MachineStackMarker.h:
2248
2249 2015-02-04  Joseph Pecoraro  <pecoraro@apple.com>
2250
2251         Web Inspector: Clean up Object Property Descriptor Collection
2252         https://bugs.webkit.org/show_bug.cgi?id=141222
2253
2254         Reviewed by Timothy Hatcher.
2255
2256         * inspector/InjectedScriptSource.js:
2257         Use a list of options when determining which properties to collect
2258         instead of a few booleans with overlapping responsibilities.
2259
2260 2015-02-04  Joseph Pecoraro  <pecoraro@apple.com>
2261
2262         Web Inspector: console.table with columnName filter for non-existent property should still show column
2263         https://bugs.webkit.org/show_bug.cgi?id=141066
2264
2265         Reviewed by Timothy Hatcher.
2266
2267         * inspector/ConsoleMessage.cpp:
2268         (Inspector::ConsoleMessage::addToFrontend):
2269         When a user provides a second argument, e.g. console.table(..., columnNames),
2270         then pass that second argument to the frontend.
2271
2272         * inspector/InjectedScriptSource.js:
2273         Add a FIXME about the old, unused path now.
2274
2275 2015-02-04  Saam Barati  <saambarati1@gmail.com>
2276
2277         TypeSet can use 1 byte instead of 4 bytes for its m_seenTypes member variable
2278         https://bugs.webkit.org/show_bug.cgi?id=141204
2279
2280         Reviewed by Darin Adler.
2281
2282         There is no need to use 32 bits to store a TypeSet::RuntimeType set 
2283         bit-vector when the largest value for a single TypeSet::RuntimeType 
2284         is 0x80. 8 bits is enough to represent the set of seen types.
2285
2286         * dfg/DFGFixupPhase.cpp:
2287         (JSC::DFG::FixupPhase::fixupNode):
2288         * runtime/TypeSet.cpp:
2289         (JSC::TypeSet::doesTypeConformTo):
2290         * runtime/TypeSet.h:
2291         (JSC::TypeSet::seenTypes):
2292
2293 2015-02-04  Mark Lam  <mark.lam@apple.com>
2294
2295         Remove concept of makeUsableFromMultipleThreads().
2296         <https://webkit.org/b/141221>
2297
2298         Reviewed by Mark Hahnenberg.
2299
2300         Currently, we rely on VM::makeUsableFromMultipleThreads() being called before we
2301         start acquiring the JSLock and entering the VM from different threads.
2302         Acquisition of the JSLock will register the acquiring thread with the VM's thread
2303         registry if not already registered.  However, it will only do this if the VM's
2304         thread specific key has been initialized by makeUsableFromMultipleThreads().
2305
2306         This is fragile, and also does not read intuitively because one would expect to
2307         acquire the JSLock before calling any methods on the VM.  This is exactly what
2308         JSGlobalContextCreateInGroup() did (i.e. acquire the lock before calling
2309         makeUsableFromMultipleThreads()), but is wrong.  The result is that the invoking
2310         thread will not have been registered with the VM during that first entry into
2311         the VM.
2312
2313         The fix is to make it so that we initialize the VM's thread specific key on
2314         construction of the VM's MachineThreads registry instead of relying on
2315         makeUsableFromMultipleThreads() being called.  With this, we can eliminate
2316         makeUsableFromMultipleThreads() altogether.
2317
2318         Performance results are neutral in aggregate.
2319
2320         * API/JSContextRef.cpp:
2321         (JSGlobalContextCreateInGroup):
2322         * heap/MachineStackMarker.cpp:
2323         (JSC::MachineThreads::MachineThreads):
2324         (JSC::MachineThreads::~MachineThreads):
2325         (JSC::MachineThreads::addCurrentThread):
2326         (JSC::MachineThreads::removeThread):
2327         (JSC::MachineThreads::gatherConservativeRoots):
2328         (JSC::MachineThreads::makeUsableFromMultipleThreads): Deleted.
2329         * heap/MachineStackMarker.h:
2330         * runtime/VM.cpp:
2331         (JSC::VM::sharedInstance):
2332         * runtime/VM.h:
2333         (JSC::VM::makeUsableFromMultipleThreads): Deleted.
2334
2335 2015-02-04  Chris Dumez  <cdumez@apple.com>
2336
2337         Add removeFirst(value) / removeAll(value) methods to WTF::Vector
2338         https://bugs.webkit.org/show_bug.cgi?id=141192
2339
2340         Reviewed by Benjamin Poulain.
2341
2342         Use new Vector::removeFirst(value) / removeAll(value) API to simplify the
2343         code a bit.
2344
2345         * inspector/InspectorValues.cpp:
2346         (Inspector::InspectorObjectBase::remove):
2347
2348 2015-02-03  Mark Lam  <mark.lam@apple.com>
2349
2350         Workaround a thread library bug where thread destructors may not get called.
2351         <https://webkit.org/b/141209>
2352
2353         Reviewed by Michael Saboff.
2354
2355         There's a bug where thread destructors may not get called.  As far as
2356         we know, this only manifests on darwin ports.  We will work around this
2357         by checking at GC time if the platform thread is still valid.  If not,
2358         we'll purge it from the VM's registeredThreads list before proceeding
2359         with thread scanning activity.
2360
2361         Note: it is important that we do this invalid thread detection during
2362         suspension, because the validity (and liveness) of the other thread is
2363         only guaranteed while it is suspended.
2364
2365         * API/tests/testapi.mm:
2366         (threadMain):
2367         - Added a test to enter the VM from another thread before we GC on
2368           the main thread.
2369
2370         * heap/MachineStackMarker.cpp:
2371         (JSC::MachineThreads::removeThreadWithLockAlreadyAcquired):
2372         (JSC::MachineThreads::removeCurrentThread):
2373         - refactored removeThreadWithLockAlreadyAcquired() out from
2374           removeCurrentThread() so that we can also call it for purging invalid
2375           threads.
2376         (JSC::suspendThread):
2377         - Added a return status to tell if the suspension succeeded or not.
2378         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2379         - Check if the suspension failed, and purge the thread if we can't
2380           suspend it.  Failure to suspend implies that the thread has
2381           terminated without calling its destructor.
2382         * heap/MachineStackMarker.h:
2383
2384 2015-02-03  Joseph Pecoraro  <pecoraro@apple.com>
2385
2386         Web Inspector: ASSERT mainThreadPthread launching remote debuggable JSContext app with Debug JavaScriptCore
2387         https://bugs.webkit.org/show_bug.cgi?id=141189
2388
2389         Reviewed by Michael Saboff.
2390
2391         * inspector/remote/RemoteInspector.mm:
2392         (Inspector::RemoteInspector::singleton):
2393         Ensure we call WTF::initializeMainThread() on the main thread so that
2394         we can perform automatic String <-> NSString conversions.
2395
2396 2015-02-03  Brent Fulgham  <bfulgham@apple.com>
2397
2398         [Win] Project file cleanups after r179429.
2399
2400         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2401         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2402
2403 2015-02-02  Filip Pizlo  <fpizlo@apple.com>
2404
2405         arguments[-1] should have well-defined behavior
2406         https://bugs.webkit.org/show_bug.cgi?id=141183
2407
2408         Reviewed by Mark Lam.
2409         
2410         According to JSC's internal argument numbering, 0 is "this" and 1 is the first argument.
2411         In the "arguments[i]" expression, "this" is not accessible and i = 0 refers to the first
2412         argument. Previously we handled the bounds check in "arguments[i]" - where "arguments" is
2413         statically known to be the current function's arguments object - as follows:
2414         
2415             add 1, i
2416             branchAboveOrEqual i, callFrame.ArgumentCount, slowPath
2417         
2418         The problem with this is that if i = -1, this passes the test, and we end up accessing
2419         what would be the "this" argument slot. That's wrong, since we should really be bottoming
2420         out in arguments["-1"], which is usually undefined but could be anything. It's even worse
2421         if the function is inlined or if we're in a constructor - in that case the "this" slot
2422         could be garbage.
2423         
2424         It turns out that we had this bug in all of our engines.
2425         
2426         This fixes the issue by changing the algorithm to:
2427         
2428             load32 callFrame.ArgumentCount, tmp
2429             sub 1, tmp
2430             branchAboveOrEqual i, tmp, slowPath
2431         
2432         In some engines, we would have used the modified "i" (the one that had 1 added to it) for
2433         the subsequent argument load; since we don't do this anymore I also had to change some of
2434         the offsets on the BaseIndex arguments load.
2435         
2436         This also includes tests that are written in such a way as to get coverage on LLInt and
2437         Baseline JIT (get-my-argument-by-val-wrap-around-no-warm-up), DFG and FTL
2438         (get-my-argument-by-val-wrap-around), and DFG when we're being paranoid about the user
2439         overwriting the "arguments" variable (get-my-argument-by-val-safe-wrap-around). This also
2440         includes off-by-1 out-of-bounds tests for each of these cases, since in the process of
2441         writing the patch I broke the arguments[arguments.length] case in the DFG and didn't see
2442         any test failures.
2443
2444         * dfg/DFGSpeculativeJIT32_64.cpp:
2445         (JSC::DFG::SpeculativeJIT::compile):
2446         * dfg/DFGSpeculativeJIT64.cpp:
2447         (JSC::DFG::SpeculativeJIT::compile):
2448         * ftl/FTLLowerDFGToLLVM.cpp:
2449         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
2450         * jit/AssemblyHelpers.h:
2451         (JSC::AssemblyHelpers::offsetOfArguments):
2452         (JSC::AssemblyHelpers::offsetOfArgumentsIncludingThis): Deleted.
2453         * jit/JITOpcodes.cpp:
2454         (JSC::JIT::emit_op_get_argument_by_val):
2455         * jit/JITOpcodes32_64.cpp:
2456         (JSC::JIT::emit_op_get_argument_by_val):
2457         * llint/LowLevelInterpreter.asm:
2458         * llint/LowLevelInterpreter32_64.asm:
2459         * llint/LowLevelInterpreter64.asm:
2460         * tests/stress/get-my-argument-by-val-out-of-bounds-no-warm-up.js: Added.
2461         (foo):
2462         * tests/stress/get-my-argument-by-val-out-of-bounds.js: Added.
2463         (foo):
2464         * tests/stress/get-my-argument-by-val-safe-out-of-bounds.js: Added.
2465         (foo):
2466         * tests/stress/get-my-argument-by-val-safe-wrap-around.js: Added.
2467         (foo):
2468         * tests/stress/get-my-argument-by-val-wrap-around-no-warm-up.js: Added.
2469         (foo):
2470         * tests/stress/get-my-argument-by-val-wrap-around.js: Added.
2471         (foo):
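
        As an added illustration (not JSC's JIT, LLInt or test code), here is a C model of the
        two check sequences described in the entry above. It shows why i = -1 reaches the "this"
        slot under the old "add 1, then unsigned compare" sequence and takes the slow path under
        the new "count - 1, then unsigned compare" sequence. The slot numbering (0 = "this") and
        the fact that ArgumentCount includes "this" are taken from the entry; the probe values and
        frame size are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the two check sequences from the entry above; not JSC code.
 * Internal argument numbering: slot 0 is "this", slot k is arguments[k - 1].
 * callFrame.ArgumentCount counts "this", so it is at least 1 for a real frame. */
#define SLOT_THIS 0
#define SLOW_PATH (-1)

/* Old sequence:
 *     add 1, i
 *     branchAboveOrEqual i, callFrame.ArgumentCount, slowPath
 * Returns the slot the fast path would load, or SLOW_PATH. The compare is
 * unsigned, but the add happens first, so i == -1 wraps to 0 and passes. */
int old_fast_path_slot(uint32_t argument_count, int32_t i)
{
    uint32_t biased = (uint32_t)i + 1u;      /* add 1, i (wraps for i == -1) */
    if (biased >= argument_count)            /* branchAboveOrEqual (unsigned) */
        return SLOW_PATH;
    return (int)biased;                      /* 0 here means the "this" slot */
}

/* New sequence:
 *     load32 callFrame.ArgumentCount, tmp
 *     sub 1, tmp
 *     branchAboveOrEqual i, tmp, slowPath
 * The unmodified i is compared unsigned against the count of real arguments,
 * so any negative i is a huge unsigned value and goes to the slow path. */
int new_fast_path_slot(uint32_t argument_count, int32_t i)
{
    uint32_t tmp = argument_count - 1u;      /* real arguments, excluding "this" */
    if ((uint32_t)i >= tmp)                  /* branchAboveOrEqual (unsigned) */
        return SLOW_PATH;
    return (int)i + 1;                       /* the BaseIndex load now skips "this" */
}

/* True when the old check would have handed out the "this" slot for index i. */
bool old_check_leaks_this_slot(uint32_t argument_count, int32_t i)
{
    return old_fast_path_slot(argument_count, i) == SLOT_THIS;
}

int main(void)
{
    /* Constructed frame: "this" plus two real arguments (arguments.length == 2). */
    const uint32_t count = 3;
    const int32_t probes[] = { -1, 0, 1, 2 };   /* includes the off-by-1 case i == length */
    for (size_t k = 0; k < sizeof probes / sizeof probes[0]; ++k) {
        int32_t i = probes[k];
        printf("arguments[%d]: old check -> slot %d, new check -> slot %d\n", (int)i,
               old_fast_path_slot(count, i), new_fast_path_slot(count, i));
    }
    return 0;
}
```

        A return of -1 means the sequence branched to the slow path, which is what both the
        i = -1 and the i = arguments.length probes should do.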
2472
2473 2015-02-02  Filip Pizlo  <fpizlo@apple.com>
2474
2475         MultiGetByOffset should be marked NodeMustGenerate
2476         https://bugs.webkit.org/show_bug.cgi?id=140137
2477
2478         Reviewed by Michael Saboff.
2479
2480         * dfg/DFGNode.h:
2481         (JSC::DFG::Node::convertToGetByOffset): We were sloppy - we should also clear NodeMustGenerate once it's a GetByOffset.
2482         (JSC::DFG::Node::convertToMultiGetByOffset): Assert that we converted from something that already had NodeMustGenerate.
2483         * dfg/DFGNodeType.h: We shouldn't DCE a node that does checks and could be effectful in baseline. Making MultiGetByOffset as NodeMustGenerate prevents DCE. FTL could still DCE the actual loads, but the checks will stay.
2484         * tests/stress/multi-get-by-offset-dce.js: Added. This previously failed because the getter wasn't called.
2485         (foo):
2486
2487 2015-02-02  Filip Pizlo  <fpizlo@apple.com>
2488
2489         [FTL] inlined GetMyArgumentByVal with no arguments passed causes instant crash
2490         https://bugs.webkit.org/show_bug.cgi?id=141180
2491         rdar://problem/19677552
2492
2493         Reviewed by Benjamin Poulain.
2494         
2495         If we do a GetMyArgumentByVal on an inlined call frame that has no arguments, then the
2496         bounds check already terminates execution. This means we can skip the part where we
2497         previously did an out-of-bound array access on the inlined call frame arguments vector.
2498
2499         * ftl/FTLLowerDFGToLLVM.cpp:
2500         (JSC::FTL::LowerDFGToLLVM::safelyInvalidateAfterTermination):
2501         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
2502         (JSC::FTL::LowerDFGToLLVM::terminate):
2503         (JSC::FTL::LowerDFGToLLVM::didAlreadyTerminate):
2504         (JSC::FTL::LowerDFGToLLVM::crash):
2505         * tests/stress/get-my-argument-by-val-inlined-no-formal-parameters.js: Added.
2506         (foo):
2507         (bar):
2508
2509 2015-02-02  Filip Pizlo  <fpizlo@apple.com>
2510
2511         REGRESSION(r179477): arguments simplification no longer works
2512         https://bugs.webkit.org/show_bug.cgi?id=141169
2513
2514         Reviewed by Mark Lam.
2515         
2516         The operations involved in callee/scope access don't exit and shouldn't get in the way
2517         of strength-reducing a Flush to a PhantomLocal. Then the PhantomLocal shouldn't get in
2518         the way of further such strength-reduction. We also need to canonicalize PhantomLocal
2519         before running arguments simplification.
2520
2521         * dfg/DFGMayExit.cpp:
2522         (JSC::DFG::mayExit):
2523         * dfg/DFGPlan.cpp:
2524         (JSC::DFG::Plan::compileInThreadImpl):
2525         * dfg/DFGStrengthReductionPhase.cpp:
2526         (JSC::DFG::StrengthReductionPhase::handleNode):
2527
2528 2015-02-02  Filip Pizlo  <fpizlo@apple.com>
2529
2530         VirtualRegister should really know how to dump itself
2531         https://bugs.webkit.org/show_bug.cgi?id=141171
2532
2533         Reviewed by Geoffrey Garen.
2534         
2535         Gives VirtualRegister a dump() method that pretty-prints the virtual register. The rest of
2536         the patch is all about using this new power.
2537
2538         * CMakeLists.txt:
2539         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2540         * JavaScriptCore.xcodeproj/project.pbxproj:
2541         * bytecode/CodeBlock.cpp:
2542         (JSC::constantName):
2543         (JSC::CodeBlock::registerName):
2544         * bytecode/CodeBlock.h:
2545         (JSC::missingThisObjectMarker): Deleted.
2546         * bytecode/VirtualRegister.cpp: Added.
2547         (JSC::VirtualRegister::dump):
2548         * bytecode/VirtualRegister.h:
2549         (WTF::printInternal): Deleted.
2550         * dfg/DFGArgumentPosition.h:
2551         (JSC::DFG::ArgumentPosition::dump):
2552         * dfg/DFGFlushedAt.cpp:
2553         (JSC::DFG::FlushedAt::dump):
2554         * dfg/DFGGraph.cpp:
2555         (JSC::DFG::Graph::dump):
2556         * dfg/DFGPutLocalSinkingPhase.cpp:
2557         * dfg/DFGSSAConversionPhase.cpp:
2558         (JSC::DFG::SSAConversionPhase::run):
2559         * dfg/DFGValidate.cpp:
2560         (JSC::DFG::Validate::reportValidationContext):
2561         * dfg/DFGValueSource.cpp:
2562         (JSC::DFG::ValueSource::dump):
2563         * dfg/DFGVariableEvent.cpp:
2564         (JSC::DFG::VariableEvent::dump):
2565         (JSC::DFG::VariableEvent::dumpSpillInfo):
2566         * ftl/FTLExitArgumentForOperand.cpp:
2567         (JSC::FTL::ExitArgumentForOperand::dump):
2568         * ftl/FTLExitValue.cpp:
2569         (JSC::FTL::ExitValue::dumpInContext):
2570         * profiler/ProfilerBytecodeSequence.cpp:
2571         (JSC::Profiler::BytecodeSequence::BytecodeSequence):
2572
2573 2015-02-02  Geoffrey Garen  <ggaren@apple.com>
2574
2575         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
2576         https://bugs.webkit.org/show_bug.cgi?id=140900
2577
2578         Reviewed by Mark Hahnenberg.
2579
2580         Re-landing just the HandleBlock piece of this patch.
2581
2582         * heap/HandleBlock.h:
2583         * heap/HandleBlockInlines.h:
2584         (JSC::HandleBlock::create):
2585         (JSC::HandleBlock::destroy):
2586         (JSC::HandleBlock::HandleBlock):
2587         (JSC::HandleBlock::payloadEnd):
2588         * heap/HandleSet.cpp:
2589         (JSC::HandleSet::~HandleSet):
2590         (JSC::HandleSet::grow):
2591
2592 2015-02-02  Joseph Pecoraro  <pecoraro@apple.com>
2593
2594         Web Inspector: Support console.table
2595         https://bugs.webkit.org/show_bug.cgi?id=141058
2596
2597         Reviewed by Timothy Hatcher.
2598
2599         * inspector/InjectedScriptSource.js:
2600         Include the firstLevelKeys filter when generating previews.
2601
2602         * runtime/ConsoleClient.cpp:
2603         (JSC::appendMessagePrefix):
2604         Differentiate console.table logs to system log.
2605
2606 2015-01-31  Filip Pizlo  <fpizlo@apple.com>
2607
2608         BinarySwitch should be faster on average
2609         https://bugs.webkit.org/show_bug.cgi?id=141046
2610
2611         Reviewed by Anders Carlsson.
2612         
2613         This optimizes our binary switch using math. It's strictly better than what we had before
2614         assuming we bottom out in some case (rather than fall through), assuming all cases get
2615         hit with equal probability. The difference is particularly large for large switch
2616         statements. For example, a switch statement with 1000 cases would previously require on
2617         average 13.207 branches to get to some case, while now it just requires 10.464.
2618         
2619         This is also a progression for the fall-through case, though we could shave off another
2620         1/6 branch on average if we wanted to - though it would regress taking a case (not falling
2621         through) by 1/6 branch. I believe it's better to bias the BinarySwitch for not falling
2622         through.
2623         
2624         This also adds some randomness to the algorithm to minimize the likelihood of us
2625         generating a switch statement that is always particularly bad for some input. Note that
2626         the randomness has no effect on average-case performance assuming all cases are equally
2627         likely.
2628         
2629         This ought to have no actual performance change because we don't rely on binary switches
2630         that much. The main reason why this change is interesting is that I'm finding myself
2631         increasingly relying on BinarySwitch, and I'd like to know that it's optimal.
2632
2633         * jit/BinarySwitch.cpp:
2634         (JSC::BinarySwitch::BinarySwitch):
2635         (JSC::BinarySwitch::~BinarySwitch):
2636         (JSC::BinarySwitch::build):
2637         * jit/BinarySwitch.h:
2638
2639 2015-02-02  Joseph Pecoraro  <pecoraro@apple.com>
2640
2641         Web Inspector: Extend CSS.getSupportedCSSProperties to provide values for properties for CSS Augmented JSContext
2642         https://bugs.webkit.org/show_bug.cgi?id=141064
2643
2644         Reviewed by Timothy Hatcher.
2645
2646         * inspector/protocol/CSS.json:
2647
2648 2015-02-02  Daniel Bates  <dabates@apple.com>
2649
2650         [iOS] ASSERTION FAILED: m_scriptExecutionContext->isContextThread() in ContextDestructionObserver::observeContext
2651         https://bugs.webkit.org/show_bug.cgi?id=141057
2652         <rdar://problem/19068790>
2653
2654         Reviewed by Alexey Proskuryakov.
2655
2656         * inspector/remote/RemoteInspector.mm:
2657         (Inspector::RemoteInspector::receivedIndicateMessage): Modified to call WTF::callOnWebThreadOrDispatchAsyncOnMainThread().
2658         (Inspector::dispatchAsyncOnQueueSafeForAnyDebuggable): Deleted; moved logic to common helper function,
2659         WTF::callOnWebThreadOrDispatchAsyncOnMainThread() so that it can be called from both RemoteInspector::receivedIndicateMessage()
2660         and CryptoKeyRSA::generatePair().
2661
2662 2015-02-02  Saam Barati  <saambarati1@gmail.com>
2663
2664         Create tests for JSC's Control Flow Profiler
2665         https://bugs.webkit.org/show_bug.cgi?id=141123
2666
2667         Reviewed by Filip Pizlo.
2668
2669         This patch creates a control flow profiler testing API in jsc.cpp 
2670         that accepts a function and a string as arguments. The string must 
2671         be a substring of the text of the function argument. The API returns 
2672         a boolean indicating whether or not the basic block that encloses the 
2673         substring has executed.
2674
2675         This patch uses this API to test that the control flow profiler
2676         behaves as expected on basic block boundaries. These tests do not
2677         provide full coverage for all JavaScript statements that can create
2678         basic blocks boundaries. Full coverage will come in a later patch.
2679
2680         * jsc.cpp:
2681         (GlobalObject::finishCreation):
2682         (functionHasBasicBlockExecuted):
2683         * runtime/ControlFlowProfiler.cpp:
2684         (JSC::ControlFlowProfiler::hasBasicBlockAtTextOffsetBeenExecuted):
2685         * runtime/ControlFlowProfiler.h:
2686         * tests/controlFlowProfiler: Added.
2687         * tests/controlFlowProfiler.yaml: Added.
2688         * tests/controlFlowProfiler/driver: Added.
2689         * tests/controlFlowProfiler/driver/driver.js: Added.
2690         (assert):
2691         * tests/controlFlowProfiler/if-statement.js: Added.
2692         (testIf):
2693         (noMatches):
2694         * tests/controlFlowProfiler/loop-statements.js: Added.
2695         (forRegular):
2696         (forIn):
2697         (forOf):
2698         (whileLoop):
2699         * tests/controlFlowProfiler/switch-statements.js: Added.
2700         (testSwitch):
2701         * tests/controlFlowProfiler/test-jit.js: Added.
2702         (tierUpToBaseline):
2703         (tierUpToDFG):
2704         (baselineTest):
2705         (dfgTest):
2706
2707 2015-01-28  Filip Pizlo  <fpizlo@apple.com>
2708
2709         Polymorphic call inlining should be based on polymorphic call inline caching rather than logging
2710         https://bugs.webkit.org/show_bug.cgi?id=140660
2711
2712         Reviewed by Geoffrey Garen.
2713         
2714         When we first implemented polymorphic call inlining, we did the profiling based on a call
2715         edge log. The idea was to store each call edge (a tuple of call site and callee) into a
2716         global log that was processed lazily. Processing the log would give precise counts of call
2717         edges, and could be used to drive well-informed inlining decisions - polymorphic or not.
2718         This was a speed-up on throughput tests but a slow-down for latency tests. It was a net win
2719         nonetheless.
2720         
2721         Experience with this code shows three things. First, the call edge profiler is buggy and
2722         complex. It would take work to fix the bugs. Second, the call edge profiler incurs lots of
2723         overhead for latency code that we care deeply about. Third, it's not at all clear that
2724         having call edge counts for every possible callee is any better than just having call edge
2725         counts for the limited number of callees that an inline cache would catch.
2726         
2727         So, this patch removes the call edge profiler and replaces it with a polymorphic call inline
2728         cache. If we miss the basic call inline cache, we inflate the cache to be a jump to an
2729         out-of-line stub that cases on the previously known callees. If that misses again, then we
2730         rewrite that stub to include the new callee. We do this up to some number of callees. If we
2731         hit the limit then we switch to using a plain virtual call.
2732         
2733         Substantial speed-up on V8Spider; undoes the slow-down that the original call edge profiler
2734         caused. Might be a SunSpider speed-up (below 1%), depending on hardware.
2735         
2736         Rolling this back in after fixing https://bugs.webkit.org/show_bug.cgi?id=141107.
2737
2738         * CMakeLists.txt:
2739         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2740         * JavaScriptCore.xcodeproj/project.pbxproj:
2741         * bytecode/CallEdge.h:
2742         (JSC::CallEdge::count):
2743         (JSC::CallEdge::CallEdge):
2744         * bytecode/CallEdgeProfile.cpp: Removed.
2745         * bytecode/CallEdgeProfile.h: Removed.
2746         * bytecode/CallEdgeProfileInlines.h: Removed.
2747         * bytecode/CallLinkInfo.cpp:
2748         (JSC::CallLinkInfo::unlink):
2749         (JSC::CallLinkInfo::visitWeak):
2750         * bytecode/CallLinkInfo.h:
2751         * bytecode/CallLinkStatus.cpp:
2752         (JSC::CallLinkStatus::CallLinkStatus):
2753         (JSC::CallLinkStatus::computeFor):
2754         (JSC::CallLinkStatus::computeFromCallLinkInfo):
2755         (JSC::CallLinkStatus::isClosureCall):
2756         (JSC::CallLinkStatus::makeClosureCall):
2757         (JSC::CallLinkStatus::dump):
2758         (JSC::CallLinkStatus::computeFromCallEdgeProfile): Deleted.
2759         * bytecode/CallLinkStatus.h:
2760         (JSC::CallLinkStatus::CallLinkStatus):
2761         (JSC::CallLinkStatus::isSet):
2762         (JSC::CallLinkStatus::variants):
2763         (JSC::CallLinkStatus::size):
2764         (JSC::CallLinkStatus::at):
2765         (JSC::CallLinkStatus::operator[]):
2766         (JSC::CallLinkStatus::canOptimize):
2767         (JSC::CallLinkStatus::edges): Deleted.
2768         (JSC::CallLinkStatus::canTrustCounts): Deleted.
2769         * bytecode/CallVariant.cpp:
2770         (JSC::variantListWithVariant):
2771         (JSC::despecifiedVariantList):
2772         * bytecode/CallVariant.h:
2773         * bytecode/CodeBlock.cpp:
2774         (JSC::CodeBlock::~CodeBlock):
2775         (JSC::CodeBlock::linkIncomingPolymorphicCall):
2776         (JSC::CodeBlock::unlinkIncomingCalls):
2777         (JSC::CodeBlock::noticeIncomingCall):
2778         * bytecode/CodeBlock.h:
2779         (JSC::CodeBlock::isIncomingCallAlreadyLinked): Deleted.
2780         * dfg/DFGAbstractInterpreterInlines.h:
2781         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2782         * dfg/DFGByteCodeParser.cpp:
2783         (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
2784         (JSC::DFG::ByteCodeParser::handleCall):
2785         (JSC::DFG::ByteCodeParser::handleInlining):
2786         * dfg/DFGClobberize.h:
2787         (JSC::DFG::clobberize):
2788         * dfg/DFGConstantFoldingPhase.cpp:
2789         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2790         * dfg/DFGDoesGC.cpp:
2791         (JSC::DFG::doesGC):
2792         * dfg/DFGDriver.cpp:
2793         (JSC::DFG::compileImpl):
2794         * dfg/DFGFixupPhase.cpp:
2795         (JSC::DFG::FixupPhase::fixupNode):
2796         * dfg/DFGNode.h:
2797         (JSC::DFG::Node::hasHeapPrediction):
2798         * dfg/DFGNodeType.h:
2799         * dfg/DFGOperations.cpp:
2800         * dfg/DFGPredictionPropagationPhase.cpp:
2801         (JSC::DFG::PredictionPropagationPhase::propagate):
2802         * dfg/DFGSafeToExecute.h:
2803         (JSC::DFG::safeToExecute):
2804         * dfg/DFGSpeculativeJIT32_64.cpp:
2805         (JSC::DFG::SpeculativeJIT::emitCall):
2806         (JSC::DFG::SpeculativeJIT::compile):
2807         * dfg/DFGSpeculativeJIT64.cpp:
2808         (JSC::DFG::SpeculativeJIT::emitCall):
2809         (JSC::DFG::SpeculativeJIT::compile):
2810         * dfg/DFGTierUpCheckInjectionPhase.cpp:
2811         (JSC::DFG::TierUpCheckInjectionPhase::run):
2812         (JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling): Deleted.
2813         * ftl/FTLCapabilities.cpp:
2814         (JSC::FTL::canCompile):
2815         * heap/Heap.cpp:
2816         (JSC::Heap::collect):
2817         * jit/BinarySwitch.h:
2818         * jit/ClosureCallStubRoutine.cpp: Removed.
2819         * jit/ClosureCallStubRoutine.h: Removed.
2820         * jit/JITCall.cpp:
2821         (JSC::JIT::compileOpCall):
2822         * jit/JITCall32_64.cpp:
2823         (JSC::JIT::compileOpCall):
2824         * jit/JITOperations.cpp:
2825         * jit/JITOperations.h:
2826         (JSC::operationLinkPolymorphicCallFor):
2827         (JSC::operationLinkClosureCallFor): Deleted.
2828         * jit/JITStubRoutine.h:
2829         * jit/JITWriteBarrier.h:
2830         * jit/PolymorphicCallStubRoutine.cpp: Added.
2831         (JSC::PolymorphicCallNode::~PolymorphicCallNode):
2832         (JSC::PolymorphicCallNode::unlink):
2833         (JSC::PolymorphicCallCase::dump):
2834         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
2835         (JSC::PolymorphicCallStubRoutine::~PolymorphicCallStubRoutine):
2836         (JSC::PolymorphicCallStubRoutine::variants):
2837         (JSC::PolymorphicCallStubRoutine::edges):
2838         (JSC::PolymorphicCallStubRoutine::visitWeak):
2839         (JSC::PolymorphicCallStubRoutine::markRequiredObjectsInternal):
2840         * jit/PolymorphicCallStubRoutine.h: Added.
2841         (JSC::PolymorphicCallNode::PolymorphicCallNode):
2842         (JSC::PolymorphicCallCase::PolymorphicCallCase):
2843         (JSC::PolymorphicCallCase::variant):
2844         (JSC::PolymorphicCallCase::codeBlock):
2845         * jit/Repatch.cpp:
2846         (JSC::linkSlowFor):
2847         (JSC::linkFor):
2848         (JSC::revertCall):
2849         (JSC::unlinkFor):
2850         (JSC::linkVirtualFor):
2851         (JSC::linkPolymorphicCall):
2852         (JSC::linkClosureCall): Deleted.
2853         * jit/Repatch.h:
2854         * jit/ThunkGenerators.cpp:
2855         (JSC::linkPolymorphicCallForThunkGenerator):
2856         (JSC::linkPolymorphicCallThunkGenerator):
2857         (JSC::linkPolymorphicCallThatPreservesRegsThunkGenerator):
2858         (JSC::linkClosureCallForThunkGenerator): Deleted.
2859         (JSC::linkClosureCallThunkGenerator): Deleted.
2860         (JSC::linkClosureCallThatPreservesRegsThunkGenerator): Deleted.
2861         * jit/ThunkGenerators.h:
2862         (JSC::linkPolymorphicCallThunkGeneratorFor):
2863         (JSC::linkClosureCallThunkGeneratorFor): Deleted.
2864         * llint/LLIntSlowPaths.cpp:
2865         (JSC::LLInt::jitCompileAndSetHeuristics):
2866         * runtime/Options.h:
2867         * runtime/VM.cpp:
2868         (JSC::VM::prepareToDiscardCode):
2869         (JSC::VM::ensureCallEdgeLog): Deleted.
2870         * runtime/VM.h:
2871
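Added example (C++ that is not part of this patch or of JSC): a model of the call-site state machine described above, the inline cache that replaces the call edge log. `maxVariants` stands in for the callee limit the entry leaves unnamed, the integer callee ids and the hit/miss counters are constructed for the example, and `replay()` and `stateAfterUnlinking()` exist only to drive it.

```cpp
#include <algorithm>
#include <cstddef>
#include <vector>

// A callee is an integer id here; in the engine it would be the function the
// call site actually reached (an assumption for this example).
using CalleeId = unsigned;

// Model of the call-site state machine the entry describes (example code, not
// JSC's CallLinkInfo): an unlinked site links to its first callee, a miss
// inflates it into an out-of-line stub that cases on the known callees, each
// further miss rewrites the stub with one more callee, and past `maxVariants`
// callees the site degrades to a plain virtual call.
class CallSiteCache {
public:
    enum class State { Unlinked, Monomorphic, Polymorphic, Virtual };

    struct Stats {
        unsigned hits = 0;         // served by the linked callee or the stub
        unsigned misses = 0;       // had to link, rewrite, or give up
        unsigned stubRewrites = 0; // times the out-of-line stub was regenerated
        unsigned virtualCalls = 0; // calls made after giving up on caching
    };

    explicit CallSiteCache(std::size_t maxVariants) : m_maxVariants(maxVariants) { }

    // Dispatch one call through the site and return the state afterwards.
    State call(CalleeId callee)
    {
        switch (m_state) {
        case State::Unlinked:
            m_variants.push_back(callee);
            m_state = State::Monomorphic;
            ++m_stats.misses;
            break;
        case State::Monomorphic:
        case State::Polymorphic:
            if (knows(callee)) {
                ++m_stats.hits;
                break;
            }
            ++m_stats.misses;
            if (m_variants.size() >= m_maxVariants) {
                m_variants.clear(); // limit reached: stop tracking callees
                m_state = State::Virtual;
                break;
            }
            m_variants.push_back(callee);
            ++m_stats.stubRewrites;
            m_state = State::Polymorphic;
            break;
        case State::Virtual:
            ++m_stats.virtualCalls;
            break;
        }
        return m_state;
    }

    // The list a tier-up compiler would read to decide what to inline; empty
    // means there is no profile worth trusting.
    const std::vector<CalleeId>& variants() const { return m_variants; }
    bool canInline() const { return !m_variants.empty(); }
    State state() const { return m_state; }
    const Stats& stats() const { return m_stats; }

    // A callee died (GC): drop it from the stub, unlinking if none remain.
    void unlinkDeadCallee(CalleeId callee)
    {
        m_variants.erase(std::remove(m_variants.begin(), m_variants.end(), callee), m_variants.end());
        if (m_state == State::Virtual)
            return;
        m_state = m_variants.empty() ? State::Unlinked
            : m_variants.size() == 1 ? State::Monomorphic : State::Polymorphic;
    }

private:
    bool knows(CalleeId callee) const
    {
        return std::find(m_variants.begin(), m_variants.end(), callee) != m_variants.end();
    }

    std::size_t m_maxVariants;
    std::vector<CalleeId> m_variants;
    State m_state = State::Unlinked;
    Stats m_stats;
};

// Replay a call sequence through a fresh site; used by the checks below.
CallSiteCache replay(const std::vector<CalleeId>& callees, std::size_t maxVariants)
{
    CallSiteCache site(maxVariants);
    for (CalleeId callee : callees)
        site.call(callee);
    return site;
}

// Replay, then report the state after callee `dead` has been collected.
CallSiteCache::State stateAfterUnlinking(const std::vector<CalleeId>& callees, CalleeId dead, std::size_t maxVariants)
{
    CallSiteCache site = replay(callees, maxVariants);
    site.unlinkDeadCallee(dead);
    return site.state();
}
```

Every transition in this machine is a place where the real implementation patches generated code, which is where JIT bugs tend to hide; making the transitions explicit lets a harness check properties such as "a site at its variant limit never grows the stub again" or "unlinking the last callee returns the site to the unlinked state" before reading the assembly that implements them.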
2872 2015-01-30  Filip Pizlo  <fpizlo@apple.com>
2873
2874         Converting Flushes and PhantomLocals to Phantoms requires an OSR availability analysis rather than just using the SetLocal's child
2875         https://bugs.webkit.org/show_bug.cgi?id=141107
2876
2877         Reviewed by Michael Saboff.
2878         
2879         See the bugzilla for a discussion of the problem. This addresses the problem by ensuring
2880         that Flushes are always strength-reduced to PhantomLocals, and CPS rethreading does a mini
2881         OSR availability analysis to determine the right MovHint value to use for the Phantom.
2882
2883         * dfg/DFGCPSRethreadingPhase.cpp:
2884         (JSC::DFG::CPSRethreadingPhase::CPSRethreadingPhase):
2885         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
2886         (JSC::DFG::CPSRethreadingPhase::clearVariables):
2887         (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
2888         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
2889         (JSC::DFG::CPSRethreadingPhase::clearVariablesAtHeadAndTail): Deleted.
2890         * dfg/DFGNode.h:
2891         (JSC::DFG::Node::convertPhantomToPhantomLocal):
2892         (JSC::DFG::Node::convertFlushToPhantomLocal):
2893         (JSC::DFG::Node::convertToPhantomLocal): Deleted.
2894         * dfg/DFGStrengthReductionPhase.cpp:
2895         (JSC::DFG::StrengthReductionPhase::handleNode):
2896         * tests/stress/inline-call-that-doesnt-use-all-args.js: Added.
2897         (foo):
2898         (bar):
2899         (baz):
2900
2901 2015-01-31  Michael Saboff  <msaboff@apple.com>
2902
2903         Crash (DFG assertion) beneath AbstractInterpreter::verifyEdge() @ http://experilous.com/1/planet-generator/2014-09-28/version-1
2904         https://bugs.webkit.org/show_bug.cgi?id=141111
2905
2906         Reviewed by Filip Pizlo.
2907
2908         In LowerDFGToLLVM::compileNode(), if we determine while compiling a node that we would have
2909         exited, we don't need to process the OSR availability or abstract interpreter.
2910
2911         * ftl/FTLLowerDFGToLLVM.cpp:
2912         (JSC::FTL::LowerDFGToLLVM::safelyInvalidateAfterTermination): Broke this out as a separate
2913         method since we need to call it at the top and near the bottom of compileNode().
2914         (JSC::FTL::LowerDFGToLLVM::compileNode):
2915
2916 2015-01-31  Sam Weinig  <sam@webkit.org>
2917
2918         Remove even more Mountain Lion support
2919         https://bugs.webkit.org/show_bug.cgi?id=141124
2920
2921         Reviewed by Alexey Proskuryakov.
2922
2923         * API/tests/DateTests.mm:
2924         * Configurations/Base.xcconfig:
2925         * Configurations/DebugRelease.xcconfig:
2926         * Configurations/FeatureDefines.xcconfig:
2927         * Configurations/Version.xcconfig:
2928         * jit/ExecutableAllocatorFixedVMPool.cpp:
2929
2930 2015-01-31  Commit Queue  <commit-queue@webkit.org>
2931
2932         Unreviewed, rolling out r179426.
2933         https://bugs.webkit.org/show_bug.cgi?id=141119
2934
2935         "caused a memory use regression" (Requested by Guest45 on
2936         #webkit).
2937
2938         Reverted changeset:
2939
2940         "Use FastMalloc (bmalloc) instead of BlockAllocator for GC
2941         pages"
2942         https://bugs.webkit.org/show_bug.cgi?id=140900
2943         http://trac.webkit.org/changeset/179426
2944
2945 2015-01-30  Daniel Bates  <dabates@apple.com>
2946
2947         Clean up: Remove unnecessary <dispatch/dispatch.h> header from RemoteInspectorDebuggableConnection.h
2948         https://bugs.webkit.org/show_bug.cgi?id=141067
2949
2950         Reviewed by Timothy Hatcher.
2951
2952         Remove the header <dispatch/dispatch.h> from RemoteInspectorDebuggableConnection.h as we
2953         do not make use of its functionality. Instead, include this header in RemoteInspectorDebuggableConnection.mm
2954         and RemoteInspector.mm. The latter depended on <dispatch/dispatch.h> being included via
2955         header RemoteInspectorDebuggableConnection.h.
2956
2957         * inspector/remote/RemoteInspector.mm: Include header <dispatch/dispatch.h>.
2958         * inspector/remote/RemoteInspectorDebuggableConnection.h: Remove header <dispatch/dispatch.h>.
2959         * inspector/remote/RemoteInspectorDebuggableConnection.mm: Include header <dispatch/dispatch.h>.
2960
2961 2015-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2962
2963         Implement ES6 Symbol
2964         https://bugs.webkit.org/show_bug.cgi?id=140435
2965
2966         Reviewed by Geoffrey Garen.
2967
2968         This patch implements ES6 Symbol. In this patch, we don't support
2969         Symbol.keyFor, Symbol.for, Object.getOwnPropertySymbols. They will be
2970         supported in the subsequent patches.
2971
2972         Since ES6 Symbol is introduced as new primitive value, we implement
2973         Symbol as a derived class from JSCell. And now JSValue accepts Symbol*
2974         as a new primitive value.
2975
2976         Symbol has a *unique* flagged StringImpl* as a `uid`, whose pointer
2977         value represents the Symbol's identity. So don't use Symbol's
2978         JSCell pointer value for comparison.
2979         This enables re-producing Symbol primitive value from StringImpl* uid
2980         by executing `Symbol::create(vm, uid)`. This is needed to produce
2981         Symbol primitive values from stored StringImpl* in `Object.getOwnPropertySymbols`.
2982
2983         And Symbol.[[Description]] is folded into the string value of Symbol's uid.
2984         By doing so, we can represent ES6 Symbol without extending current PropertyTable key; StringImpl*.
2985
2986         * CMakeLists.txt:
2987         * DerivedSources.make:
2988         * JavaScriptCore.order:
2989         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2990         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2991         * JavaScriptCore.xcodeproj/project.pbxproj:
2992         * builtins/BuiltinExecutables.cpp:
2993         (JSC::BuiltinExecutables::createBuiltinExecutable):
2994         * builtins/BuiltinNames.h:
2995         * dfg/DFGOperations.cpp:
2996         (JSC::DFG::operationPutByValInternal):
2997         * inspector/JSInjectedScriptHost.cpp:
2998         (Inspector::JSInjectedScriptHost::subtype):
2999         * interpreter/Interpreter.cpp:
3000         * jit/JITOperations.cpp:
3001         (JSC::getByVal):
3002         * llint/LLIntData.cpp:
3003         (JSC::LLInt::Data::performAssertions):
3004         * llint/LLIntSlowPaths.cpp:
3005         (JSC::LLInt::getByVal):
3006         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3007         * llint/LowLevelInterpreter.asm:
3008         * runtime/CommonIdentifiers.h:
3009         * runtime/CommonSlowPaths.cpp:
3010         (JSC::SLOW_PATH_DECL):
3011         * runtime/CommonSlowPaths.h:
3012         (JSC::CommonSlowPaths::opIn):
3013         * runtime/ExceptionHelpers.cpp:
3014         (JSC::createUndefinedVariableError):
3015         * runtime/JSCJSValue.cpp:
3016         (JSC::JSValue::synthesizePrototype):
3017         (JSC::JSValue::dumpInContextAssumingStructure):
3018         (JSC::JSValue::toStringSlowCase):
3019         * runtime/JSCJSValue.h:
3020         * runtime/JSCJSValueInlines.h:
3021         (JSC::JSValue::isSymbol):
3022         (JSC::JSValue::isPrimitive):
3023         (JSC::JSValue::toPropertyKey):
3024
3025         It represents ToPropertyKey abstract operation in the ES6 spec.
3026         It cleans up the old implementation's `isName` checks.
3027         And to prevent performance regressions in
3028             js/regress/fold-get-by-id-to-multi-get-by-offset-rare-int.html
3029             js/regress/fold-get-by-id-to-multi-get-by-offset.html
3030         we annotate this function as ALWAYS_INLINE.
3031
3032         (JSC::JSValue::getPropertySlot):
3033         (JSC::JSValue::get):
3034         (JSC::JSValue::equalSlowCaseInline):
3035         (JSC::JSValue::strictEqualSlowCaseInline):
3036         * runtime/JSCell.cpp:
3037         (JSC::JSCell::put):
3038         (JSC::JSCell::putByIndex):
3039         (JSC::JSCell::toPrimitive):
3040         (JSC::JSCell::getPrimitiveNumber):
3041         (JSC::JSCell::toNumber):
3042         (JSC::JSCell::toObject):
3043         * runtime/JSCell.h:
3044         * runtime/JSCellInlines.h:
3045         (JSC::JSCell::isSymbol):
3046         (JSC::JSCell::toBoolean):
3047         (JSC::JSCell::pureToBoolean):
3048         * runtime/JSGlobalObject.cpp:
3049         (JSC::JSGlobalObject::init):
3050         (JSC::JSGlobalObject::visitChildren):
3051         * runtime/JSGlobalObject.h:
3052         (JSC::JSGlobalObject::symbolPrototype):
3053         (JSC::JSGlobalObject::symbolObjectStructure):
3054         * runtime/JSONObject.cpp:
3055         (JSC::Stringifier::Stringifier):
3056         * runtime/JSSymbolTableObject.cpp:
3057         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
3058         * runtime/JSType.h:
3059         * runtime/JSTypeInfo.h:
3060         (JSC::TypeInfo::isName): Deleted.
3061         * runtime/MapData.cpp:
3062         (JSC::MapData::find):
3063         (JSC::MapData::add):
3064         (JSC::MapData::remove):
3065         (JSC::MapData::replaceAndPackBackingStore):
3066         * runtime/MapData.h:
3067         (JSC::MapData::clear):
3068         * runtime/NameInstance.h: Removed.
3069         * runtime/NamePrototype.cpp: Removed.
3070         * runtime/ObjectConstructor.cpp:
3071         (JSC::objectConstructorGetOwnPropertyDescriptor):
3072         (JSC::objectConstructorDefineProperty):
3073         * runtime/ObjectPrototype.cpp:
3074         (JSC::objectProtoFuncHasOwnProperty):
3075         (JSC::objectProtoFuncDefineGetter):
3076         (JSC::objectProtoFuncDefineSetter):
3077         (JSC::objectProtoFuncLookupGetter):
3078         (JSC::objectProtoFuncLookupSetter):
3079         (JSC::objectProtoFuncPropertyIsEnumerable):
3080         * runtime/Operations.cpp:
3081         (JSC::jsTypeStringForValue):
3082         (JSC::jsIsObjectType):
3083         * runtime/PrivateName.h:
3084         (JSC::PrivateName::PrivateName):
3085         (JSC::PrivateName::operator==):
3086         (JSC::PrivateName::operator!=):
3087         * runtime/PropertyMapHashTable.h:
3088         (JSC::PropertyTable::find):
3089         (JSC::PropertyTable::get):
3090         * runtime/PropertyName.h:
3091         (JSC::PropertyName::PropertyName):
3092         (JSC::PropertyName::publicName):
3093         * runtime/SmallStrings.h:
3094         * runtime/StringConstructor.cpp:
3095         (JSC::callStringConstructor):
3096
3097         In ES6, String constructor accepts Symbol to execute `String(symbol)`.
3098
3099         * runtime/Structure.cpp:
3100         (JSC::Structure::getPropertyNamesFromStructure):
3101         * runtime/StructureInlines.h:
3102         (JSC::Structure::prototypeForLookup):
3103         * runtime/Symbol.cpp: Added.
3104         (JSC::Symbol::Symbol):
3105         (JSC::SymbolObject::create):
3106         (JSC::Symbol::toPrimitive):
3107         (JSC::Symbol::toBoolean):
3108         (JSC::Symbol::getPrimitiveNumber):
3109         (JSC::Symbol::toObject):
3110         (JSC::Symbol::toNumber):
3111         (JSC::Symbol::destroy):
3112         (JSC::Symbol::descriptiveString):
3113         * runtime/Symbol.h: Added.
3114         (JSC::Symbol::createStructure):
3115         (JSC::Symbol::create):
3116         (JSC::Symbol::privateName):
3117         (JSC::Symbol::finishCreation):
3118         (JSC::asSymbol):
3119         * runtime/SymbolConstructor.cpp: Renamed from Source/JavaScriptCore/runtime/NameConstructor.cpp.
3120         (JSC::SymbolConstructor::SymbolConstructor):
3121         (JSC::SymbolConstructor::finishCreation):
3122         (JSC::callSymbol):
3123         (JSC::SymbolConstructor::getConstructData):
3124         (JSC::SymbolConstructor::getCallData):
3125         * runtime/SymbolConstructor.h: Renamed from Source/JavaScriptCore/runtime/NameConstructor.h.
3126         (JSC::SymbolConstructor::create):
3127         (JSC::SymbolConstructor::createStructure):
3128         * runtime/SymbolObject.cpp: Renamed from Source/JavaScriptCore/runtime/NameInstance.cpp.
3129         (JSC::SymbolObject::SymbolObject):
3130         (JSC::SymbolObject::finishCreation):
3131         (JSC::SymbolObject::defaultValue):
3132
3133         JSC doesn't support @@toPrimitive yet. So instead of it, we implement
3134         Symbol.prototype[@@toPrimitive] as ES5 Symbol.[[DefaultValue]].
3135
3136         * runtime/SymbolObject.h: Added.
3137         (JSC::SymbolObject::create):
3138         (JSC::SymbolObject::internalValue):
3139         (JSC::SymbolObject::createStructure):
3140         * runtime/SymbolPrototype.cpp: Added.
3141         (JSC::SymbolPrototype::SymbolPrototype):
3142         (JSC::SymbolPrototype::finishCreation):
3143         (JSC::SymbolPrototype::getOwnPropertySlot):
3144         (JSC::symbolProtoFuncToString):
3145         (JSC::symbolProtoFuncValueOf):
3146         * runtime/SymbolPrototype.h: Renamed from Source/JavaScriptCore/runtime/NamePrototype.h.
3147         (JSC::SymbolPrototype::create):
3148         (JSC::SymbolPrototype::createStructure):
3149
3150         The SymbolPrototype object is an ordinary JS object, not a wrapper object of a Symbol.
3151         It is tested in js/symbol-prototype-is-ordinary-object.html.
3152
3153         * runtime/VM.cpp:
3154         (JSC::VM::VM):
3155         * runtime/VM.h:
3156
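Added example (C++ that is not part of this patch or of JSC): a model of the key representation described above. A property key is a StringImpl*; atomized strings share one pointer per content, while a Symbol's uid is a unique-flagged StringImpl that is never interned, and the Symbol cell's identity is that uid pointer rather than the cell's own address. The `VM`, `JSValue`, `PropertyTable` and the two scenario functions are this example's stand-ins, not the real classes.

```cpp
#include <memory>
#include <string>
#include <unordered_map>
#include <utility>
#include <vector>

// Model of the key representation the entry describes (example code, not
// JSC's; the names are this example's): every property key is a StringImpl*.
// Strings are atomized, so equal contents share one pointer. A Symbol's uid
// is a StringImpl flagged unique that is never interned, so two symbols with
// the same description never share a key.
struct StringImpl {
    std::string characters; // for a symbol uid this holds [[Description]]
    bool isUnique;          // true only for symbol uids
};

struct VM {
    std::unordered_map<std::string, std::unique_ptr<StringImpl>> atomTable;
    std::vector<std::unique_ptr<StringImpl>> uids; // owned, never looked up by content

    StringImpl* atomize(const std::string& s)
    {
        auto it = atomTable.find(s);
        if (it == atomTable.end())
            it = atomTable.emplace(s, std::unique_ptr<StringImpl>(new StringImpl{ s, false })).first;
        return it->second.get();
    }
    StringImpl* createUid(const std::string& description)
    {
        uids.push_back(std::unique_ptr<StringImpl>(new StringImpl{ description, true }));
        return uids.back().get();
    }
};

// The Symbol cell. Identity is the uid pointer, not the cell address, so a
// cell rebuilt from a stored uid (Symbol::create(vm, uid)) is the same symbol.
struct Symbol {
    StringImpl* uid;
    static std::unique_ptr<Symbol> create(VM& vm, const std::string& description)
    {
        return std::unique_ptr<Symbol>(new Symbol{ vm.createUid(description) });
    }
    static std::unique_ptr<Symbol> create(VM&, StringImpl* uid) { return std::unique_ptr<Symbol>(new Symbol{ uid }); }
};

// Compare symbols by uid, never by Symbol* (the JSCell address).
bool sameSymbol(const Symbol& a, const Symbol& b) { return a.uid == b.uid; }

// A value is a string or a symbol here; other primitives are left out.
struct JSValue {
    std::string string;
    const Symbol* symbol = nullptr;
    JSValue(std::string s) : string(std::move(s)) { }
    JSValue(const Symbol* s) : symbol(s) { }
};

// ToPropertyKey: strings atomize by content, symbols yield their uid.
StringImpl* toPropertyKey(VM& vm, const JSValue& value)
{
    return value.symbol ? value.symbol->uid : vm.atomize(value.string);
}

// Property table keyed by StringImpl*, so string and symbol keys coexist.
struct PropertyTable {
    std::unordered_map<StringImpl*, int> slots;
    void put(VM& vm, const JSValue& key, int slot) { slots[toPropertyKey(vm, key)] = slot; }

    // What Object.getOwnPropertySymbols needs: rebuild cells from stored uids.
    std::vector<std::unique_ptr<Symbol>> ownSymbols(VM& vm)
    {
        std::vector<std::unique_ptr<Symbol>> result;
        for (auto& entry : slots)
            if (entry.first->isUnique)
                result.push_back(Symbol::create(vm, entry.first));
        return result;
    }
};

// Scenarios checked below (constructed for this example).
bool sameDescriptionSymbolsAreDistinct()
{
    VM vm;
    std::unique_ptr<Symbol> a = Symbol::create(vm, "id");
    std::unique_ptr<Symbol> b = Symbol::create(vm, "id");
    return !sameSymbol(*a, *b) && a->uid->characters == b->uid->characters;
}

bool tableKeepsStringAndSymbolKeysApart()
{
    VM vm;
    std::unique_ptr<Symbol> sym = Symbol::create(vm, "id");
    PropertyTable table;
    table.put(vm, sym.get(), 0);
    table.put(vm, std::string("id"), 1); // same text as the description, different key
    std::vector<std::unique_ptr<Symbol>> found = table.ownSymbols(vm);
    return table.slots.size() == 2 && table.slots[sym->uid] == 0 && table.slots[vm.atomize("id")] == 1
        && found.size() == 1 && found[0].get() != sym.get() && sameSymbol(*found[0], *sym);
}
```

The second scenario is the case the entry warns about: a symbol described "id" and the string "id" carry the same characters but land in different slots, and the cell handed back by ownSymbols() has a different address from the original yet is the same symbol under sameSymbol(). Comparing Symbol* instead would report them as different and break any code that stores uids and rebuilds cells later.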
3157 2015-01-30  Geoffrey Garen  <ggaren@apple.com>
3158
3159         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
3160         https://bugs.webkit.org/show_bug.cgi?id=140900
3161
3162         Reviewed by Mark Hahnenberg.
3163
3164         Re-landing just the HandleBlock piece of this patch.
3165
3166         * heap/HandleBlock.h:
3167         * heap/HandleBlockInlines.h:
3168         (JSC::HandleBlock::create):
3169         (JSC::HandleBlock::destroy):
3170         (JSC::HandleBlock::HandleBlock):
3171         (JSC::HandleBlock::payloadEnd):
3172         * heap/HandleSet.cpp:
3173         (JSC::HandleSet::~HandleSet):
3174         (JSC::HandleSet::grow):
3175
3176 2015-01-30  Geoffrey Garen  <ggaren@apple.com>
3177
3178         GC marking threads should clear malloc caches
3179         https://bugs.webkit.org/show_bug.cgi?id=141097
3180
3181         Reviewed by Sam Weinig.
3182
3183         Follow-up based on Mark Hahnenberg's review: Release after the copy
3184         phase, rather than after any phase, since we'd rather not release
3185         between marking and copying.
3186
3187         * heap/GCThread.cpp:
3188         (JSC::GCThread::waitForNextPhase):
3189         (JSC::GCThread::gcThreadMain):
3190
3191 2015-01-30  Geoffrey Garen  <ggaren@apple.com>
3192
3193         GC marking threads should clear malloc caches
3194         https://bugs.webkit.org/show_bug.cgi?id=141097
3195
3196         Reviewed by Andreas Kling.
3197
3198         This is an attempt to ameliorate a potential memory use regression
3199         caused by https://bugs.webkit.org/show_bug.cgi?id=140900
3200         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages.
3201
3202         FastMalloc may accumulate a per-thread cache on each of the 8-ish
3203         GC marking threads, which can be expensive.
3204
3205         * heap/GCThread.cpp:
3206         (JSC::GCThread::waitForNextPhase): Scavenge the current thread before
3207         going to sleep. There's probably not too much value to keeping our
3208         per-thread cache between GCs, and it has some memory footprint.
3209
3210 2015-01-30  Chris Dumez  <cdumez@apple.com>
3211
3212         Rename shared() static member functions to singleton() for singleton classes.
3213         https://bugs.webkit.org/show_bug.cgi?id=141088
3214
3215         Reviewed by Ryosuke Niwa and Benjamin Poulain.
3216
3217         Rename shared() static member functions to singleton() for singleton
3218         classes as per the recent coding style change.
3219
3220         * inspector/remote/RemoteInspector.h:
3221         * inspector/remote/RemoteInspector.mm:
3222         (Inspector::RemoteInspector::singleton):
3223         (Inspector::RemoteInspector::start):
3224         (Inspector::RemoteInspector::shared): Deleted.
3225         * inspector/remote/RemoteInspectorDebuggable.cpp:
3226         (Inspector::RemoteInspectorDebuggable::~RemoteInspectorDebuggable):
3227         (Inspector::RemoteInspectorDebuggable::init):
3228         (Inspector::RemoteInspectorDebuggable::update):
3229         (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
3230         (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection):
3231         (Inspector::RemoteInspectorDebuggable::unpauseForInitializedInspector):
3232         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
3233         (Inspector::RemoteInspectorDebuggableConnection::setup):
3234         (Inspector::RemoteInspectorDebuggableConnection::sendMessageToFrontend):
3235
3236 2015-01-30  Geoffrey Garen  <ggaren@apple.com>
3237
3238         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
3239         https://bugs.webkit.org/show_bug.cgi?id=140900
3240
3241         Reviewed by Mark Hahnenberg.
3242
3243         Re-landing just the CopyWorkListSegment piece of this patch.
3244
3245         * heap/CopiedBlockInlines.h:
3246         (JSC::CopiedBlock::reportLiveBytes):
3247         * heap/CopyWorkList.h:
3248         (JSC::CopyWorkListSegment::create):
3249         (JSC::CopyWorkListSegment::destroy):
3250         (JSC::CopyWorkListSegment::CopyWorkListSegment):
3251         (JSC::CopyWorkList::CopyWorkList):
3252         (JSC::CopyWorkList::~CopyWorkList):
3253         (JSC::CopyWorkList::append):
3254
3255 2015-01-29  Commit Queue  <commit-queue@webkit.org>
3256
3257         Unreviewed, rolling out r179357 and r179358.
3258         https://bugs.webkit.org/show_bug.cgi?id=141062
3259
3260         Suspect this caused WebGL tests to start flaking (Requested by
3261         kling on #webkit).
3262
3263         Reverted changesets:
3264
3265         "Polymorphic call inlining should be based on polymorphic call
3266         inline caching rather than logging"
3267         https://bugs.webkit.org/show_bug.cgi?id=140660
3268         http://trac.webkit.org/changeset/179357
3269
3270         "Unreviewed, fix no-JIT build."
3271         http://trac.webkit.org/changeset/179358
3272
3273 2015-01-29  Geoffrey Garen  <ggaren@apple.com>
3274
3275         Removed op_ret_object_or_this
3276         https://bugs.webkit.org/show_bug.cgi?id=141048
3277
3278         Reviewed by Michael Saboff.
3279
3280         op_ret_object_or_this was one opcode that would keep us out of the
3281         optimizing compilers.
3282
3283         We don't need a special-purpose opcode; we can just use a branch.
3284
3285         * bytecode/BytecodeBasicBlock.cpp:
3286         (JSC::isTerminal): Removed.
3287         * bytecode/BytecodeList.json:
3288         * bytecode/BytecodeUseDef.h:
3289         (JSC::computeUsesForBytecodeOffset):
3290         (JSC::computeDefsForBytecodeOffset): Removed.
3291
3292         * bytecode/CodeBlock.cpp:
3293         (JSC::CodeBlock::dumpBytecode): Removed.
3294
3295         * bytecompiler/BytecodeGenerator.cpp:
3296         (JSC::BytecodeGenerator::emitReturn): Use an explicit branch to determine
3297         if we need to substitute 'this' for the return value. Our engine no longer
3298         benefits from fused opcodes that dispatch less in the interpreter.
3299
3300         * jit/JIT.cpp:
3301         (JSC::JIT::privateCompileMainPass):
3302         * jit/JIT.h:
3303         * jit/JITCall32_64.cpp:
3304         (JSC::JIT::emit_op_ret_object_or_this): Deleted.
3305         * jit/JITOpcodes.cpp:
3306         (JSC::JIT::emit_op_ret_object_or_this): Deleted.
3307         * llint/LowLevelInterpreter32_64.asm:
3308         * llint/LowLevelInterpreter64.asm: Removed.
3309
3310 2015-01-29  Ryosuke Niwa  <rniwa@webkit.org>
3311
3312         Implement ES6 class syntax without inheritance support
3313         https://bugs.webkit.org/show_bug.cgi?id=140918
3314
3315         Reviewed by Geoffrey Garen.
3316
3317         Added the most basic support for ES6 class syntax. After this patch, we support basic class definition like:
3318         class A {
3319             constructor() { }
3320             someMethod() { }
3321         }
3322
3323         We'll add the support for "extends" keyword and automatically generating a constructor in follow up patches.
3324         We also don't support block scoping of a class declaration.
3325
3326         We support both class declaration and class expression. A class expression is implemented by the newly added
3327         ClassExprNode AST node. A class declaration is implemented by ClassDeclNode, which is a thin wrapper around
3328         AssignResolveNode.
3329
3330         Tests: js/class-syntax-declaration.html
3331                js/class-syntax-expression.html
3332
3333         * bytecompiler/NodesCodegen.cpp:
3334         (JSC::ObjectLiteralNode::emitBytecode): Create a new object instead of delegating the work to PropertyListNode.
3335         Also fixed the 5-space indentation.
3336         (JSC::PropertyListNode::emitBytecode): Don't create a new object now that ObjectLiteralNode does this.
3337         (JSC::ClassDeclNode::emitBytecode): Added. Just let the AssignResolveNode node emit the byte code.
3338         (JSC::ClassExprNode::emitBytecode): Create the class constructor and add static methods to the constructor by
3339         emitting the byte code for PropertyListNode. Add instance methods to the class's prototype object the same way.
3340
3341         * parser/ASTBuilder.h:
3342         (JSC::ASTBuilder::createClassExpr): Added. Creates a ClassExprNode.
3343         (JSC::ASTBuilder::createClassDeclStatement): Added. Creates an AssignResolveNode and wraps it in a ClassDeclNode.
3344
3345         * parser/NodeConstructors.h:
3346         (JSC::ClassDeclNode::ClassDeclNode): Added.
3347         (JSC::ClassExprNode::ClassExprNode): Added.
3348
3349         * parser/Nodes.h:
3350