e5acb3cbf4049122c8e275c542ff20623efb615e
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-03-01  Filip Pizlo  <fpizlo@apple.com>

        BytecodeGenerator shouldn't emit op_resolve_scope as a roundabout way of returning the scopeRegister
        https://bugs.webkit.org/show_bug.cgi?id=142153

        Reviewed by Michael Saboff.

        We don't need an op_resolve_scope if we know that it will simply return the scope register.
        This changes the BytecodeGenerator to use the scope register directly in those cases where
        we know statically that we would just have returned that from op_resolve_scope.

        This doesn't appear to have a significant impact on performance.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitResolveScope):
        (JSC::BytecodeGenerator::emitReturn):
        (JSC::BytecodeGenerator::emitGetOwnScope): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ResolveNode::emitBytecode):
        (JSC::EvalFunctionCallNode::emitBytecode):
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::PostfixNode::emitResolve):
        (JSC::DeleteResolveNode::emitBytecode):
        (JSC::TypeOfResolveNode::emitBytecode):
        (JSC::PrefixNode::emitResolve):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::ConstDeclNode::emitCodeSingle):
        (JSC::EmptyVarExpression::emitBytecode):
        (JSC::ForInNode::emitLoopHeader):
        (JSC::ForOfNode::emitBytecode):
        (JSC::BindingNode::bindValue):

2015-02-27  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Use the way number constants are written to help type speculation
        https://bugs.webkit.org/show_bug.cgi?id=142072

        Reviewed by Filip Pizlo.

        This patch changes how we interpret numeric constants based on how they appear
        in the source.

        Constants that are integers but written with a decimal point now carry that information
        to the optimizing tiers. From there, we use that to be more aggressive about typing
        math operations toward double operations.

        For example, in:
            var a = x + 1.0;
            var b = y + 1;
        The Add for a would be biased toward doubles, the Add for b would speculate
        integer as usual.

        The gains are tiny but this is a prerequisite to make my next patch useful:
        -SunSpider's access-fannkuch: definitely 1.0661x faster
        -SunSpider's math-cordic: definitely 1.0266x slower
            overall: might be 1.0066x slower.
        -Kraken's imaging-darkroom: definitely 1.0333x faster.

        * parser/Lexer.cpp:
        (JSC::tokenTypeForIntegerLikeToken):
        (JSC::Lexer<T>::lex):
        The lexer now creates two types of tokens for numbers: INTEGER and DOUBLE.
        Those token types only carry information about how the values were
        entered; an INTEGER does not have to be an integer, it is only written like one.
        Large integers still end up represented as doubles in memory.

        One trap I fell into was typing numbers like 12e3 as double. This kind of literal
        is frequently used in integer-typed code, while 12.e3 would appear in double-typed
        code.
        Because of that, the only signals for double are: decimal point, negative zero,
        and ridiculously large values.

        * parser/NodeConstructors.h:
        (JSC::DoubleNode::DoubleNode):
        (JSC::IntegerNode::IntegerNode):
        * parser/Nodes.h:
        (JSC::NumberNode::value):
        (JSC::NumberNode::setValue): Deleted.
        Numbers get specialized into two new kinds of nodes in the AST: IntegerNode and DoubleNode.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::NumberNode::emitBytecode):

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createDoubleExpr):
        (JSC::ASTBuilder::createIntegerExpr):
        (JSC::ASTBuilder::createIntegerLikeNumber):
        (JSC::ASTBuilder::createDoubleLikeNumber):
        (JSC::ASTBuilder::createNumberFromBinaryOperation):
        (JSC::ASTBuilder::createNumberFromUnaryOperation):
        (JSC::ASTBuilder::makeNegateNode):
        (JSC::ASTBuilder::makeBitwiseNotNode):
        (JSC::ASTBuilder::makeMultNode):
        (JSC::ASTBuilder::makeDivNode):
        (JSC::ASTBuilder::makeModNode):
        (JSC::ASTBuilder::makeAddNode):
        (JSC::ASTBuilder::makeSubNode):
        (JSC::ASTBuilder::makeLeftShiftNode):
        (JSC::ASTBuilder::makeRightShiftNode):
        (JSC::ASTBuilder::makeURightShiftNode):
        (JSC::ASTBuilder::makeBitOrNode):
        (JSC::ASTBuilder::makeBitAndNode):
        (JSC::ASTBuilder::makeBitXOrNode):
        (JSC::ASTBuilder::createNumberExpr): Deleted.
        (JSC::ASTBuilder::createNumber): Deleted.
        The AST has some optimization to resolve constants before emitting bytecode.
        In the new code, the integer representation is kept if both operands were
        also represented as integers.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseDeconstructionPattern):
        (JSC::Parser<LexerType>::parseProperty):
        (JSC::Parser<LexerType>::parseGetterSetter):
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        (JSC::Parser<LexerType>::printUnexpectedTokenText):
        * parser/ParserTokens.h:
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createDoubleExpr):
        (JSC::SyntaxChecker::createIntegerExpr):
        (JSC::SyntaxChecker::createNumberExpr): Deleted.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::registerName):
        (JSC::CodeBlock::constantName):
        Change constantName(r, getConstant(r)) -> constantName(r) to simplify
        the dump code.

        (JSC::CodeBlock::dumpBytecode):
        Dump the source representation information we have with each constant.

        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::shrinkToFit):
        (JSC::constantName): Deleted.
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::constantsSourceCodeRepresentation):
        (JSC::CodeBlock::addConstant):
        (JSC::CodeBlock::addConstantLazily):
        (JSC::CodeBlock::constantSourceCodeRepresentation):
        (JSC::CodeBlock::setConstantRegisters):

        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::addConstant):
        (JSC::UnlinkedCodeBlock::constantsSourceCodeRepresentation):
        (JSC::UnlinkedCodeBlock::shrinkToFit):

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addConstantValue):
        (JSC::BytecodeGenerator::emitLoad):
        * bytecompiler/BytecodeGenerator.h:
        We have to differentiate between constants that have the same values but are
        represented differently in the source. Values like 1.0 and 1 now end up
        as different constants.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::get):
        (JSC::DFG::ByteCodeParser::addConstantToGraph):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::registerFrozenValues):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addSpeculationMode):
        (JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
        ArithAdd is very aggressive toward using Int52, which is quite useful
        in many benchmarks.

        Here we need to specialize to make sure we don't force our literals
        to Int52 if they were represented as double.

        There is one exception to that rule: when the other operand is guaranteed
        to come from a NodeResultInt32. This is because there is some weird code
        doing stuff like:
            var b = a|0;
            var c = b*2.0;

        * dfg/DFGNode.h:
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::setOpAndDefaultFlags):
        (JSC::DFG::Node::sourceCodeRepresentation):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * runtime/JSCJSValue.h:
        (JSC::EncodedJSValueWithRepresentationHashTraits::emptyValue):
        (JSC::EncodedJSValueWithRepresentationHashTraits::constructDeletedValue):
        (JSC::EncodedJSValueWithRepresentationHashTraits::isDeletedValue):
        (JSC::EncodedJSValueWithRepresentationHash::hash):
        (JSC::EncodedJSValueWithRepresentationHash::equal):
        * tests/stress/arith-add-with-constants.js: Added.
        * tests/stress/arith-mul-with-constants.js: Added.

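The entry above describes three rules built on one piece of information: how a numeric literal was written. The following is an added example, not JSC's lexer or ASTBuilder code, that models the INTEGER/DOUBLE classification (decimal point, negative zero and very large values as the only double signals, 12e3 staying integer-like), the constant-folding rule (integer representation kept only when both operands were integers) and the ArithAdd immediate decision with its NodeResultInt32 exception. The 2^53 cutoff for "ridiculously large" and the int32 range check in the speculation helper are this example's assumptions; the entry does not give those numbers.

```cpp
#include <cmath>
#include <cstdlib>
#include <string>

// Added example, not JSC's code: the INTEGER/DOUBLE source-representation
// rule from the entry, and the folding and speculation decisions built on it.
enum class SourceRep { Integer, Double };

struct NumberLiteral {
    double value;
    SourceRep rep;
};

// Assumption: the entry only says "ridiculously large values" signal a double;
// 2^53 (the first integer a double cannot represent exactly) stands in for
// the real cutoff here.
const double kRidiculouslyLarge = 9007199254740992.0;

// Classify a decimal literal the way the lexer's two token types do. The
// representation only records how the literal was written: 12e3 is INTEGER
// (common in integer-typed code), 12.e3 and 1.0 are DOUBLE. Returns false
// for anything that is not a plain decimal literal (hex, identifiers, ...).
bool parseLiteral(const std::string& text, NumberLiteral& out)
{
    if (text.empty())
        return false;
    bool sawDecimalPoint = false;
    bool sawExponent = false;
    for (size_t i = 0; i < text.size(); ++i) {
        char c = text[i];
        if (c >= '0' && c <= '9')
            continue;
        if (c == '.' && !sawDecimalPoint && !sawExponent) {
            sawDecimalPoint = true;
            continue;
        }
        if ((c == 'e' || c == 'E') && !sawExponent && i > 0) {
            sawExponent = true;
            if (i + 1 < text.size() && (text[i + 1] == '+' || text[i + 1] == '-'))
                ++i; // exponent sign
            continue;
        }
        return false;
    }
    out.value = std::strtod(text.c_str(), nullptr);
    bool large = std::fabs(out.value) >= kRidiculouslyLarge;
    out.rep = (sawDecimalPoint || large) ? SourceRep::Double : SourceRep::Integer;
    return true;
}

// Convenience wrapper: yields NaN with a Double representation when parsing fails.
NumberLiteral literal(const std::string& text)
{
    NumberLiteral n = { NAN, SourceRep::Double };
    parseLiteral(text, n);
    return n;
}

// Unary minus (makeNegateNode): the only way a literal becomes a negative
// zero, which the entry lists as a double signal.
NumberLiteral negate(NumberLiteral n)
{
    NumberLiteral r = { -n.value, n.rep };
    if (r.value == 0 && std::signbit(r.value))
        r.rep = SourceRep::Double;
    return r;
}

// Constant folding in the AST (makeAddNode, makeSubNode, makeMultNode): the
// integer representation survives only if both operands were written as
// integers; any DOUBLE operand makes the folded constant DOUBLE.
NumberLiteral fold(char op, NumberLiteral a, NumberLiteral b)
{
    double v = NAN;
    switch (op) {
    case '+': v = a.value + b.value; break;
    case '-': v = a.value - b.value; break;
    case '*': v = a.value * b.value; break;
    default: break; // other operators are not modelled in this example
    }
    bool bothInteger = a.rep == SourceRep::Integer && b.rep == SourceRep::Integer;
    NumberLiteral r = { v, bothInteger ? SourceRep::Integer : SourceRep::Double };
    return r;
}

// The DFG decision the entry describes for ArithAdd immediates: a literal
// written as a double must not push the node toward Int32/Int52, except when
// the other operand is guaranteed NodeResultInt32 (the `b = a|0; c = b*2.0`
// pattern). Requiring the value to fit an int32 is this example's assumption.
bool immediateShouldSpeculateInt32(const NumberLiteral& imm, bool otherIsInt32Result)
{
    if (otherIsInt32Result)
        return true;
    if (imm.rep == SourceRep::Double)
        return false;
    return imm.value == std::floor(imm.value) && std::fabs(imm.value) <= 2147483647.0;
}
```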
2015-02-26  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out r180723. It broke a bunch of tests.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::constLocal):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ConstDeclNode::emitCodeSingle):
        * tests/stress/const-arguments.js: Removed.

2015-02-26  Mark Lam  <mark.lam@apple.com>

        Assertion fix for r180711: The bool returning form of BytecodeGenerator::addVar() can be removed.
        <https://webkit.org/b/142064>

        Reviewed by Joseph Pecoraro.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addVar):

2015-02-26  Mark Lam  <mark.lam@apple.com>

        MachineThreads::Thread clean up has a use after free race condition.
        <https://webkit.org/b/141990>

        Reviewed by Filip Pizlo.

        MachineThreads::Thread clean up relies on the clean up mechanism
        implemented in _pthread_tsd_cleanup_key(), which looks like this:

        void _pthread_tsd_cleanup_key(pthread_t self, pthread_key_t key)
        {
            void (*destructor)(void *);
            if (_pthread_key_get_destructor(key, &destructor)) {
                void **ptr = &self->tsd[key];
                void *value = *ptr;

            // === Start of window for the bug to manifest =================

                // At this point, this thread has cached "destructor" and "value"
                // (which is a MachineThreads*).  If the VM gets destructed (along
                // with its MachineThreads registry) by another thread, then this
                // thread will have no way of knowing that the MachineThreads* is
                // now pointing to freed memory.  Calling the destructor below will
                // therefore result in a use after free scenario when it tries to
                // access the MachineThreads' data members.

                if (value) {
                    *ptr = NULL;
                    if (destructor) {

            // === End of window for the bug to manifest ==================

                        destructor(value);
                    }
                }
            }
        }

        The fix is to add each active MachineThreads to an ActiveMachineThreadsManager,
        and always check if the manager still contains that MachineThreads object
        before we call removeCurrentThread() on it.  When MachineThreads is destructed,
        it will remove itself from the manager.  The add, remove, and checking
        operations are all synchronized on the manager's lock, thereby ensuring that
        the MachineThreads object, if found in the manager, will remain alive for the
        duration of time we call removeCurrentThread() on it.

        It's also possible for the MachineThreads object to already be destructed
        and another one happened to have been instantiated at the same address.
        Hence, we should only remove the exiting thread if it is found in the
        MachineThreads object.

        There is no test for this issue because this bug requires a race condition
        between 2 threads where:
        1. Thread B, which had previously used the VM, exiting and
           getting to the bug window shown in _pthread_tsd_cleanup_key() above.
        2. Thread A destructing the VM (and its MachineThreads object)
           within that window of time before Thread B calls the destructor.

        It is not possible to get a reliable test case without invasively
        instrumenting _pthread_tsd_cleanup_key() or MachineThreads::removeCurrentThread()
        to significantly increase that window of opportunity.

        * heap/MachineStackMarker.cpp:
        (JSC::ActiveMachineThreadsManager::Locker::Locker):
        (JSC::ActiveMachineThreadsManager::add):
        (JSC::ActiveMachineThreadsManager::remove):
        (JSC::ActiveMachineThreadsManager::contains):
        (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager):
        (JSC::activeMachineThreadsManager):
        (JSC::MachineThreads::MachineThreads):
        (JSC::MachineThreads::~MachineThreads):
        (JSC::MachineThreads::removeThread):
        (JSC::MachineThreads::removeThreadIfFound):
        (JSC::MachineThreads::removeCurrentThread): Deleted.
        * heap/MachineStackMarker.h:

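The entry explains why the race cannot be covered by a normal test: the window lies inside the pthread TSD cleanup of the exiting thread. The following is an added example, not WebKit's MachineStackMarker code, that implements the described fix (a lock-protected registry of live MachineThreads objects, a contains() check taken under that lock before the cached pointer is dereferenced, and removeThreadIfFound() to cope with address reuse) and replays the two failure scenarios deterministically on a single thread. The class and function names mirror the entry's file list; the ThreadId stand-in for pthread_t and the placement-new trick used to force address reuse are this example's own.

```cpp
#include <cstdint>
#include <mutex>
#include <new>
#include <set>

// Added example, not WebKit's code: the registry-with-lock fix the entry
// describes, exercised by replaying the TSD-cleanup window deterministically
// on one thread (the real bug needs two racing threads).
typedef std::uintptr_t ThreadId; // stand-in for pthread_t
class MachineThreads;

// Process-wide registry of live MachineThreads objects, keyed by address.
// add() and remove() lock internally; contains() must be called with a
// Locker held, so an object found there stays alive until the Locker is released.
class ActiveMachineThreadsManager {
public:
    class Locker {
    public:
        explicit Locker(ActiveMachineThreadsManager& m) : m_guard(m.m_lock) { }
    private:
        std::lock_guard<std::mutex> m_guard;
    };
    void add(const MachineThreads* m) { std::lock_guard<std::mutex> g(m_lock); m_live.insert(key(m)); }
    void remove(const MachineThreads* m) { std::lock_guard<std::mutex> g(m_lock); m_live.erase(key(m)); }
    bool contains(const Locker&, std::uintptr_t address) const { return m_live.count(address) != 0; }
    static std::uintptr_t key(const MachineThreads* m) { return reinterpret_cast<std::uintptr_t>(m); }
private:
    std::mutex m_lock;
    std::set<std::uintptr_t> m_live;
};

ActiveMachineThreadsManager& activeMachineThreadsManager()
{
    static ActiveMachineThreadsManager manager;
    return manager;
}

// One VM's per-thread registry. It registers itself on construction and
// unregisters on destruction, both under the manager's lock.
class MachineThreads {
public:
    MachineThreads() { activeMachineThreadsManager().add(this); }
    ~MachineThreads() { activeMachineThreadsManager().remove(this); }
    void addThread(ThreadId t) { std::lock_guard<std::mutex> g(m_lock); m_threads.insert(t); }
    // Remove only if this object registered the thread: a different
    // MachineThreads may now live at the address the exiting thread cached.
    bool removeThreadIfFound(ThreadId t) { std::lock_guard<std::mutex> g(m_lock); return m_threads.erase(t) != 0; }
private:
    std::mutex m_lock;
    std::set<ThreadId> m_threads;
};

enum class CleanupOutcome { Removed, RegistryGone, ThreadNotRegistered };

// Body of the TSD destructor. `cachedValue` is the MachineThreads* the exiting
// thread read in the window shown in the entry; it is only dereferenced after
// the manager confirms, under its lock, that the object is still alive.
CleanupOutcome threadExitCleanup(std::uintptr_t cachedValue, ThreadId exiting)
{
    ActiveMachineThreadsManager& manager = activeMachineThreadsManager();
    ActiveMachineThreadsManager::Locker locker(manager);
    if (!manager.contains(locker, cachedValue))
        return CleanupOutcome::RegistryGone; // VM destroyed in the window: do not touch it
    MachineThreads* machineThreads = reinterpret_cast<MachineThreads*>(cachedValue);
    return machineThreads->removeThreadIfFound(exiting) ? CleanupOutcome::Removed
                                                        : CleanupOutcome::ThreadNotRegistered;
}

// Scenario 1: the VM is still alive when the thread exits.
CleanupOutcome simulateNormalExit()
{
    MachineThreads vm;
    vm.addThread(42);
    return threadExitCleanup(ActiveMachineThreadsManager::key(&vm), 42);
}

// Scenario 2: the VM (and its MachineThreads) is destructed between the
// exiting thread caching the pointer and calling the destructor.
CleanupOutcome simulateVMDestroyedInWindow()
{
    MachineThreads* vm = new MachineThreads;
    vm->addThread(42);
    std::uintptr_t cached = ActiveMachineThreadsManager::key(vm);
    delete vm; // the other thread tears the VM down inside the window
    return threadExitCleanup(cached, 42);
}

// Scenario 3: a new MachineThreads is instantiated at the same address.
CleanupOutcome simulateAddressReuse()
{
    alignas(MachineThreads) unsigned char storage[sizeof(MachineThreads)];
    MachineThreads* first = new (storage) MachineThreads;
    first->addThread(42);
    std::uintptr_t cached = ActiveMachineThreadsManager::key(first);
    first->~MachineThreads();
    MachineThreads* second = new (storage) MachineThreads; // same address, no threads
    CleanupOutcome outcome = threadExitCleanup(cached, 42);
    second->~MachineThreads();
    return outcome;
}
```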
2015-02-26  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Save Console Evaluations into Command Line variables $1-$99 ($n)
        https://bugs.webkit.org/show_bug.cgi?id=142061

        Reviewed by Timothy Hatcher.

        * inspector/protocol/Debugger.json:
        * inspector/protocol/Runtime.json:
        Input flag "saveResult" on whether we should try to save a result.
        Output int "savedResultIndex" to tell the frontend the saved state.

        * inspector/InjectedScriptSource.js:
        Handle saving and clearing $1-$99 values.
        Include in BasicCommandLineAPI for JSContext inspection.

        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::makeEvalCall):
        * inspector/InjectedScriptBase.h:
        Allow an optional "savedResultIndex" out value on evals.

        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::evaluate):
        (Inspector::InjectedScript::evaluateOnCallFrame):
        * inspector/InjectedScript.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::evaluate):
        * inspector/agents/InspectorRuntimeAgent.h:
        Plumbing for new in and out parameters.

2015-02-26  Filip Pizlo  <fpizlo@apple.com>

        The bool returning form of BytecodeGenerator::addVar() can be removed
        https://bugs.webkit.org/show_bug.cgi?id=142064

        Reviewed by Mark Lam.

        It's easier to implement addVar() when you don't have to return whether it's a new
        variable or not.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addVar):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::addVar): Deleted.

2015-02-26  Filip Pizlo  <fpizlo@apple.com>

        Various array access corner cases should take OSR exit feedback
        https://bugs.webkit.org/show_bug.cgi?id=142056

        Reviewed by Geoffrey Garen.

        Two major changes here:

        - Don't keep converting GetById into GetArrayLength if we exited due to any kind of array
          type check.

        - Use a generic form of GetByVal/PutByVal if we exited due to any kind of exotic checks,
          like the Arguments safety checks. We use the "ExoticObjectMode" for out-of-bounds on
          arguments for now, since it's a convenient way of forcing out-of-bounds to be handled by
          the Generic array mode.

        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        * bytecode/ExitKind.h:
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
        (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
        * tests/stress/array-length-array-storage-plain-object.js: Added.
        (foo):
        * tests/stress/array-length-plain-object.js: Added.
        (foo):

2015-02-25  Filip Pizlo  <fpizlo@apple.com>

        DFG SSA stack accesses shouldn't speak of VariableAccessDatas
        https://bugs.webkit.org/show_bug.cgi?id=142036

        Reviewed by Michael Saboff.

        VariableAccessData is a useful thing in LoadStore and ThreadedCPS, but it's purely harmful in
        SSA because you can't cook up new VariableAccessDatas. So, if you know that you want to load
        or store to the stack, and you know what format to use as well as the location, then prior to
        this patch you couldn't do it unless you found some existing VariableAccessData that matched
        your requirements. That can be a hard task.

        It's better if SSA doesn't speak of VariableAccessDatas but instead just has stack accesses
        that speak of the things that a stack access needs: local, machineLocal, and format. This
        patch changes the SSA way of accessing the stack to do just that.

        Also add more IR validation.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGFlushFormat.h:
        (JSC::DFG::isConcrete):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        * dfg/DFGMayExit.cpp:
        (JSC::DFG::mayExit):
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::hasVariableAccessData):
        * dfg/DFGNode.h:
        (JSC::DFG::StackAccessData::StackAccessData):
        (JSC::DFG::StackAccessData::flushedAt):
        (JSC::DFG::Node::convertToPutStack):
        (JSC::DFG::Node::convertToGetStack):
        (JSC::DFG::Node::hasUnlinkedLocal):
        (JSC::DFG::Node::hasStackAccessData):
        (JSC::DFG::Node::stackAccessData):
        (JSC::DFG::Node::willHaveCodeGenOrOSR):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGPutLocalSinkingPhase.cpp: Removed.
        * dfg/DFGPutLocalSinkingPhase.h: Removed.
        * dfg/DFGPutStackSinkingPhase.cpp: Copied from Source/JavaScriptCore/dfg/DFGPutLocalSinkingPhase.cpp.
        (JSC::DFG::performPutStackSinking):
        (JSC::DFG::performPutLocalSinking): Deleted.
        * dfg/DFGPutStackSinkingPhase.h: Copied from Source/JavaScriptCore/dfg/DFGPutLocalSinkingPhase.h.
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        (JSC::DFG::Validate::validateCPS):
        (JSC::DFG::Validate::validateSSA):
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        (JSC::DFG::VirtualRegisterAllocationPhase::run):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetStack):
        (JSC::FTL::LowerDFGToLLVM::compilePutStack):
        (JSC::FTL::LowerDFGToLLVM::compileGetLocal): Deleted.
        (JSC::FTL::LowerDFGToLLVM::compilePutLocal): Deleted.
        * ftl/FTLOSRExit.h:
        * tests/stress/many-sunken-locals.js: Added. This failure mode was caught by some miscellaneous test, so I figured I should write an explicit test for it.
        (foo):
        (bar):
        (baz):
        (fuzz):
        (buzz):

2015-02-26  Mark Lam  <mark.lam@apple.com>

        Rolling out r180602, r180608, r180613, r180617, r180671.
        <https://webkit.org/b/141990>

        Not reviewed.

        The r180602 solution does result in more work for GC when worker
        threads are in use.  Filip is uncomfortable with that.
        The EFL and GTK ports also seem to be unhappy with this change.
        Rolling out while we investigate.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::gatherStackRoots):
        (JSC::Heap::machineThreads): Deleted.
        * heap/Heap.h:
        (JSC::Heap::machineThreads):
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::MachineThreads):
        (JSC::MachineThreads::~MachineThreads):
        (JSC::MachineThreads::addCurrentThread):
        * heap/MachineStackMarker.h:
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):

2015-02-26  Myles C. Maxfield  <mmaxfield@apple.com>

        [Mac] [iOS] Parsing support for -apple-trailing-word
        https://bugs.webkit.org/show_bug.cgi?id=141939

        Reviewed by Andreas Kling.

        * Configurations/FeatureDefines.xcconfig:

2015-02-26  Michael Saboff  <msaboff@apple.com>

        [Win] Debug-only JavaScriptCore failures
        https://bugs.webkit.org/show_bug.cgi?id=142045

        Rubber stamped by Filip Pizlo.

        Reduced loop count to a more reasonable value of 10,000.  This still gets us to tier up
        to the FTL, but doesn't take too long to run.

        * tests/stress/repeated-arity-check-fail.js:

2015-02-26  Brent Fulgham  <bfulgham@apple.com>

        [Win] Make build logs more legible by reducing noise
        https://bugs.webkit.org/show_bug.cgi?id=142034

        Reviewed by Alexey Proskuryakov.

        Modify batch files, makefiles, and DOS commands to remove
        uninteresting/unhelpful output.

        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
        * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd:
        * JavaScriptCore.vcxproj/copy-files.cmd:
        * JavaScriptCore.vcxproj/jsc/jscLauncherPreBuild.cmd:
        * JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd:
        * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncherPreBuild.cmd:
        * JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd:
        * JavaScriptCore.vcxproj/testapi/testapiLauncherPostBuild.cmd:
        * JavaScriptCore.vcxproj/testapi/testapiLauncherPreBuild.cmd:
        * JavaScriptCore.vcxproj/testapi/testapiPostBuild.cmd:
        * JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd:

2015-02-26  Csaba Osztrogonác  <ossy@webkit.org>

        Add calleeSaveRegisters() implementation for ARM Traditional
        https://bugs.webkit.org/show_bug.cgi?id=141903

        Reviewed by Darin Adler.

        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::calleeSaveRegisters):

2015-02-25  Michael Saboff  <msaboff@apple.com>

        Web Inspector: CRASH when debugger pauses inside a Promise handler
        https://bugs.webkit.org/show_bug.cgi?id=141396

        Reviewed by Mark Lam.

        For frames that don't have a scope, typically native frames, use the lexicalGlobalObject to
        create the DebuggerScope for that frame.

        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::scope):

2015-02-25  Filip Pizlo  <fpizlo@apple.com>

        DFG abstract heaps should respect the difference between heap and stack
        https://bugs.webkit.org/show_bug.cgi?id=142022

        Reviewed by Geoffrey Garen.

        We will soon (https://bugs.webkit.org/show_bug.cgi?id=141174) be in a world where a "world
        clobbering" operation cannot write to our stack, but may be able to read from it. This
        means that we need to change the DFG abstract heap hierarchy to have a notion of Heap that
        subsumes all that World previously subsumed, and a new notion of Stack that is a subtype
        of World and a sibling of Heap.

        So, henceforth "clobbering the world" means reading World and writing Heap.

        This makes a bunch of changes to make this work, including changing the implementation of
        disjointness in AbstractHeap to make it support a more general hierarchy. I was expecting
        a slow-down, but I measured the heck out of this and found no perf difference.

        * dfg/DFGAbstractHeap.cpp:
        (JSC::DFG::AbstractHeap::dump):
        * dfg/DFGAbstractHeap.h:
        (JSC::DFG::AbstractHeap::supertype):
        (JSC::DFG::AbstractHeap::isStrictSubtypeOf):
        (JSC::DFG::AbstractHeap::isSubtypeOf):
        (JSC::DFG::AbstractHeap::overlaps):
        (JSC::DFG::AbstractHeap::isDisjoint):
        * dfg/DFGClobberize.cpp:
        (JSC::DFG::clobbersHeap):
        (JSC::DFG::clobbersWorld): Deleted.
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):

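The following is an added example, not the DFG's AbstractHeap code, that models the hierarchy the entry introduces (World at the root, Heap and Stack as siblings beneath it) with the supertype/isStrictSubtypeOf/isSubtypeOf/overlaps/isDisjoint operations named in the file list, and then checks the consequence the entry states: a world-clobbering operation reads World but writes only Heap, so a stack load may be kept across it while a heap load may not. The two leaf heaps (NamedProperties under Heap, CallFrameSlots under Stack) and the loadSurvivesAcross() predicate are this example's own choices, not DFG names.

```cpp
#include <vector>

// Added example, not the DFG's code: a tiny abstract-heap tree with the
// World > {Heap, Stack} split from the entry. NamedProperties and
// CallFrameSlots are hypothetical leaves chosen for this example.
enum AbstractHeapKind { World, Heap, Stack, NamedProperties, CallFrameSlots };

// Parent of each kind; World is the root and is its own supertype here.
AbstractHeapKind supertype(AbstractHeapKind kind)
{
    switch (kind) {
    case Heap:
    case Stack:
        return World;
    case NamedProperties:
        return Heap;
    case CallFrameSlots:
        return Stack;
    default:
        return World;
    }
}

// Walk up from `a`; `a` is a strict subtype of `b` if `b` is a proper ancestor.
bool isStrictSubtypeOf(AbstractHeapKind a, AbstractHeapKind b)
{
    while (a != World) {
        a = supertype(a);
        if (a == b)
            return true;
    }
    return false;
}

bool isSubtypeOf(AbstractHeapKind a, AbstractHeapKind b) { return a == b || isStrictSubtypeOf(a, b); }

// In a tree hierarchy two heaps overlap exactly when one contains the other;
// siblings such as Heap and Stack are disjoint.
bool overlaps(AbstractHeapKind a, AbstractHeapKind b) { return isSubtypeOf(a, b) || isSubtypeOf(b, a); }
bool isDisjoint(AbstractHeapKind a, AbstractHeapKind b) { return !overlaps(a, b); }

// Read/write summary of one operation.
struct Effects {
    std::vector<AbstractHeapKind> reads;
    std::vector<AbstractHeapKind> writes;
};

bool mayRead(const Effects& e, AbstractHeapKind heap)
{
    for (AbstractHeapKind r : e.reads) {
        if (overlaps(r, heap))
            return true;
    }
    return false;
}

bool mayWrite(const Effects& e, AbstractHeapKind heap)
{
    for (AbstractHeapKind w : e.writes) {
        if (overlaps(w, heap))
            return true;
    }
    return false;
}

// "Clobbering the world" after this change: read World, write Heap.
Effects clobberWorld()
{
    Effects e = { { World }, { Heap } };
    return e;
}

// The pre-change meaning, for contrast: writing World also clobbered Stack.
Effects clobberWorldBefore()
{
    Effects e = { { World }, { World } };
    return e;
}

// A value loaded from `heap` can be kept live across `op` only if `op`
// cannot write to anything overlapping that heap.
bool loadSurvivesAcross(AbstractHeapKind heap, const Effects& op) { return !mayWrite(op, heap); }
```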
2015-02-25  Ryosuke Niwa  <rniwa@webkit.org>

        REGRESSION(r180595): construct varargs fails in FTL
        https://bugs.webkit.org/show_bug.cgi?id=142030

        Reviewed by Geoffrey Garen.

        The bug was caused by IC size being too small for construct_varargs even though we've added a new argument.
        Fixed the bug by increasing the IC size to match call_varargs.

        * ftl/FTLInlineCacheSize.cpp:
        (JSC::FTL::sizeOfConstructVarargs):

2015-02-25  Mark Lam  <mark.lam@apple.com>

        ASan does not like JSC::MachineThreads::tryCopyOtherThreadStack.
        <https://webkit.org/b/141672>

        Reviewed by Alexey Proskuryakov.

        ASan does not like the fact that we memcpy the stack for GC scans.  So,
        we're working around this by using our own memcpy (asanUnsafeMemcpy)
        implementation that we can tell ASan to ignore.

        * heap/MachineStackMarker.cpp:
        (JSC::asanUnsafeMemcpy):

2015-02-25  Benjamin Poulain  <bpoulain@apple.com>

        CodeBlock crashes when dumping op_push_name_scope
        https://bugs.webkit.org/show_bug.cgi?id=141953

        Reviewed by Filip Pizlo and Csaba Osztrogonác.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * tests/stress/op-push-name-scope-crashes-profiler.js: Added.

2015-02-25  Benjamin Poulain  <benjamin@webkit.org>

        Make ParserError immutable by design
        https://bugs.webkit.org/show_bug.cgi?id=141955

        Reviewed by Geoffrey Garen.

        This patch enforces that no field of ParserError can
        be modified after the constructor.

        * parser/ParserError.h:
        Move the attributes to pack the integer + 2 bytes together.
        This is irrelevant for memory impact, it is to remove a load-store
        when copying by value.

        Also move the attributes to be private.

        (JSC::ParserError::isValid):
        No client of the interface cared about the type of the error;
        the only information needed was: is there an error.

        (JSC::ParserError::ParserError):
        (JSC::ParserError::syntaxErrorType):
        (JSC::ParserError::token):
        (JSC::ParserError::message):
        (JSC::ParserError::line):
        (JSC::ParserError::toErrorObject):
        * API/JSScriptRef.cpp:
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
        (JSC::UnlinkedFunctionExecutable::codeBlockFor):
        * bytecode/UnlinkedCodeBlock.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::parse):
        * jsc.cpp:
        (runInteractive):
        * parser/Parser.h:
        (JSC::parse):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CodeCache.h:
        * runtime/Completion.h:
        * runtime/Executable.cpp:
        (JSC::ProgramExecutable::checkSyntax):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createProgramCodeBlock):
        (JSC::JSGlobalObject::createEvalCodeBlock):

2015-02-25  Filip Pizlo  <fpizlo@apple.com>

        Need to pass RTLD_DEEPBIND to dlopen() to ensure that our LLVMOverrides take effect on Linux
        https://bugs.webkit.org/show_bug.cgi?id=142006

        Reviewed by Csaba Osztrogonác.

        This fixes hard-to-reproduce concurrency-related crashes when running stress tests with FTL and
        concurrent JIT enabled.

        * llvm/InitializeLLVMPOSIX.cpp:
        (JSC::initializeLLVMPOSIX):

2015-02-24  Filip Pizlo  <fpizlo@apple.com>

        CMake build of libllvmForJSC.so should limit its export list like the Xcode build does
        https://bugs.webkit.org/show_bug.cgi?id=141989

        Reviewed by Gyuyoung Kim.

        * CMakeLists.txt:
        * llvm/library/libllvmForJSC.version: Added.

708 2015-02-24  Alexey Proskuryakov  <ap@apple.com>
709
710         More iOS build fix after r180602.
711
712         * heap/Heap.h: Export Heap::machineThreads().
713
714 2015-02-24  Brent Fulgham  <bfulgham@apple.com>
715
716         Unreviewed build fix after r180602.
717
718         * heap/MachineStackMarker.h: Add missing 'no return'
719         declaration for Windows.
720
721 2015-02-24  Commit Queue  <commit-queue@webkit.org>
722
723         Unreviewed, rolling out r180599.
724         https://bugs.webkit.org/show_bug.cgi?id=141998
725
726         Lots of new test failures (Requested by smfr on #webkit).
727
728         Reverted changeset:
729
730         "Parsing support for -webkit-trailing-word"
731         https://bugs.webkit.org/show_bug.cgi?id=141939
732         http://trac.webkit.org/changeset/180599
733
2015-02-24  Mark Lam  <mark.lam@apple.com>

        MachineThreads::Thread cleanup has a use-after-free race condition.
        <https://webkit.org/b/141990>

        Reviewed by Michael Saboff.

        MachineThreads::Thread cleanup relies on the cleanup mechanism
        implemented in _pthread_tsd_cleanup_key(), which looks like this:

        void _pthread_tsd_cleanup_key(pthread_t self, pthread_key_t key)
        {
            void (*destructor)(void *);
            if (_pthread_key_get_destructor(key, &destructor)) {
                void **ptr = &self->tsd[key];
                void *value = *ptr;

                // At this point, this thread has cached "destructor" and "value"
                // (which is a MachineThreads*).  If the VM gets destructed (along
                // with its MachineThreads registry) by another thread, then this
                // thread will have no way of knowing that the MachineThreads* is
                // now pointing to freed memory.  Calling the destructor below will
                // therefore result in a use after free scenario when it tries to
                // access the MachineThreads' data members.

                if (value) {
                    *ptr = NULL;
                    if (destructor) {
                        destructor(value);
                    }
                }
            }
        }

        The solution is simply to change MachineThreads from a per-VM thread
        registry to a process-global singleton thread registry, i.e. the
        MachineThreads registry is now immortal and we cannot have a use-after-free
        scenario since we never free it.

        The cost of this change is that all VM instances will have to scan the
        stacks of all threads ever touched by a VM, and not just those that
        touched a specific VM.  However, stacks tend to be shallow.  Hence,
        those additional scans will tend to be cheap.

        Secondly, it is not common for there to be multiple JSC VMs in use
        concurrently on multiple threads.  Hence, this cost should rarely
        manifest in real world applications.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::machineThreads):
        (JSC::Heap::gatherStackRoots):
        * heap/Heap.h:
        (JSC::Heap::machineThreads): Deleted.
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::MachineThreads):
        (JSC::MachineThreads::~MachineThreads):
        (JSC::MachineThreads::addCurrentThread):
        * heap/MachineStackMarker.h:
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
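
        The immortal-registry design this entry describes, as an added example that is not WebKit's code: a process-global thread registry that is allocated once and never freed, whose entries are unregistered by a pthread thread-specific-data destructor. Because libpthread runs that destructor with the cached value it stored earlier (the MachineThreads* in the quoted _pthread_tsd_cleanup_key), the dereference inside the destructor is only safe when the registry outlives every thread, which is exactly what making it immortal guarantees. The names MachineThreads, addCurrentThread and removeCurrentThread are borrowed from the entry's file list for readability; the struct layout, the pthread_once initialisation, the counters and runRegistryDemo are this example's own assumptions, not JSC's implementation.

```c
/* Added example, not WebKit code: an immortal (never freed) process-global
 * thread registry whose entries are removed by a pthread TSD destructor. */
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct Thread {
    pthread_t handle;
    struct Thread* next;
} Thread;

typedef struct {
    pthread_mutex_t lock;
    pthread_key_t key;      /* TSD key whose destructor unregisters the thread */
    Thread* head;
    size_t count;           /* currently registered threads */
    size_t totalRegistered; /* registrations ever seen (for the demo) */
} MachineThreads;

static MachineThreads* g_registry;              /* the singleton; never freed */
static pthread_once_t g_registryOnce = PTHREAD_ONCE_INIT;

static void removeCurrentThread(void* value);

static void initRegistry(void)
{
    g_registry = calloc(1, sizeof(*g_registry));
    pthread_mutex_init(&g_registry->lock, NULL);
    pthread_key_create(&g_registry->key, removeCurrentThread);
}

static MachineThreads* registry(void)
{
    pthread_once(&g_registryOnce, initRegistry);
    return g_registry;
}

/* Register the calling thread once (analogue of addCurrentThread). */
void addCurrentThread(void)
{
    MachineThreads* r = registry();
    if (pthread_getspecific(r->key))
        return; /* already registered on this thread */
    Thread* t = malloc(sizeof(*t));
    t->handle = pthread_self();
    pthread_mutex_lock(&r->lock);
    t->next = r->head;
    r->head = t;
    r->count++;
    r->totalRegistered++;
    pthread_mutex_unlock(&r->lock);
    /* The value libpthread hands to the destructor is the registry pointer,
     * i.e. the cached "value" in the quoted _pthread_tsd_cleanup_key(). */
    pthread_setspecific(r->key, r);
}

/* TSD destructor, run by libpthread when the thread exits. With a per-VM
 * registry that may already be freed, this dereference is the use-after-free
 * site; here `value` always points at the immortal singleton. */
static void removeCurrentThread(void* value)
{
    MachineThreads* r = value;
    pthread_t self = pthread_self();
    pthread_mutex_lock(&r->lock);
    for (Thread** link = &r->head; *link; link = &(*link)->next) {
        if (pthread_equal((*link)->handle, self)) {
            Thread* dead = *link;
            *link = dead->next;
            r->count--;
            free(dead);
            break;
        }
    }
    pthread_mutex_unlock(&r->lock);
}

size_t registeredThreadCount(void)
{
    MachineThreads* r = registry();
    pthread_mutex_lock(&r->lock);
    size_t n = r->count;
    pthread_mutex_unlock(&r->lock);
    return n;
}

size_t totalRegistrations(void)
{
    MachineThreads* r = registry();
    pthread_mutex_lock(&r->lock);
    size_t n = r->totalRegistered;
    pthread_mutex_unlock(&r->lock);
    return n;
}

static void* threadMain(void* arg)
{
    (void)arg;
    addCurrentThread();
    addCurrentThread(); /* second call is a no-op: one entry per thread */
    return NULL;
}

/* Spawn n threads that register themselves, join them all, and return how many
 * entries remain: 0 means every destructor ran against a still-live registry. */
size_t runRegistryDemo(size_t n)
{
    pthread_t* threads = malloc(n * sizeof(*threads));
    for (size_t i = 0; i < n; i++)
        pthread_create(&threads[i], NULL, threadMain, NULL);
    for (size_t i = 0; i < n; i++)
        pthread_join(threads[i], NULL);
    free(threads);
    return registeredThreadCount();
}

int main(void)
{
    size_t left = runRegistryDemo(4);
    printf("%zu registrations, %zu entries left after thread exit\n",
           totalRegistrations(), left);
    return left == 0 ? 0 : 1;
}
```

        TSD destructors run during thread termination, before pthread_join returns, so after joining all threads the count is back to zero. The trade-off the entry mentions (scanning the stacks of every thread ever registered, not just those that touched one VM) follows directly from keeping a single list for the whole process.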

2015-02-24  Myles C. Maxfield  <mmaxfield@apple.com>

        [Mac] [iOS] Parsing support for -apple-trailing-word
        https://bugs.webkit.org/show_bug.cgi?id=141939

        Reviewed by Andreas Kling.

        * Configurations/FeatureDefines.xcconfig:

2015-02-24  Ryosuke Niwa  <rniwa@webkit.org>

        Use "this" instead of "callee" to get the constructor
        https://bugs.webkit.org/show_bug.cgi?id=141019

        Reviewed by Filip Pizlo.

        This patch uses the "this" register to pass the constructor (newTarget) to op_create_this from
        op_construct or op_construct_varargs. This will allow future patches that implement ES6 classes
        to pass in the most derived class' constructor through the "this" argument.

        BytecodeGenerator's emitConstruct and emitConstructVarargs now pass thisRegister like
        regular calls, and emitCreateThis passes in the this register to op_create_this as the constructor.

        The rest of the code change removes the code for special-casing the "this" register not being used
        in calls to construct.

        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCreateThis):
        (JSC::BytecodeGenerator::emitConstructVarargs):
        (JSC::BytecodeGenerator::emitConstruct):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::NewExprNode::emitBytecode):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
        (JSC::DFG::ByteCodeParser::handleVarargsCall):
        (JSC::DFG::ByteCodeParser::emitArgumentPhantoms):
        (JSC::DFG::ByteCodeParser::attemptToInlineCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::reconstruct):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * ftl/FTLJSCallVarargs.cpp:
        (JSC::FTL::JSCallVarargs::emit):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
        (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
        (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::executeConstruct):
        * jit/JITOperations.cpp:

2015-02-24  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Make Getter/Setter RemoteObject property and ObjectPreview handling consistent
        https://bugs.webkit.org/show_bug.cgi?id=141587

        Reviewed by Timothy Hatcher.

        Convert getProperties(ownAndGetterProperties) to getDisplayableProperties().
        Mark PropertyDescriptors that are presumed to be native getters / bindings
        separately so that the frontend may display them differently.

        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::getProperties):
        (Inspector::InjectedScript::getDisplayableProperties):
        * inspector/InjectedScript.h:
        * inspector/InjectedScriptSource.js:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getProperties):
        (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/protocol/Runtime.json:

2015-02-24  Mark Lam  <mark.lam@apple.com>

        Rolling out r179753.  The fix was invalid.
        <https://webkit.org/b/141990>

        Not reviewed.

        * API/tests/testapi.mm:
        (threadMain):
        (useVMFromOtherThread): Deleted.
        (useVMFromOtherThreadAndOutliveVM): Deleted.
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::~Heap):
        (JSC::Heap::gatherStackRoots):
        * heap/Heap.h:
        (JSC::Heap::machineThreads):
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::Thread::Thread):
        (JSC::MachineThreads::MachineThreads):
        (JSC::MachineThreads::~MachineThreads):
        (JSC::MachineThreads::addCurrentThread):
        (JSC::MachineThreads::removeThread):
        (JSC::MachineThreads::removeCurrentThread):
        * heap/MachineStackMarker.h:

2015-02-24  Yusuke Suzuki  <utatane.tea@gmail.com>

        Constructor returning null should construct an object instead of null
        https://bugs.webkit.org/show_bug.cgi?id=141640

        Reviewed by Filip Pizlo.

        When constructor code doesn't return an object, the constructor should return the `this` object instead.
        Since we used `op_is_object` for this check and `op_is_object` is intended to be used for `typeof`,
        it allows `null` as an object.
        This patch fixes it by introducing a new bytecode `op_is_object_or_null` for `typeof` use cases.
        Instead, the constructor uses the simplified `is_object`.

        As a result, `op_is_object` becomes fairly simple. So we introduce optimizations for `op_is_object`.

        1. LLInt and the baseline JIT support `op_is_object` as a fast path.
        2. The DFG abstract interpreter supports `op_is_object`, and recognizes its speculated type and read-write effects.
        3. The DFG introduces inlined asm for `op_is_object` rather than calling a C++ function.
        4. The FTL lowers the DFG's IsObject into LLVM IR.

        At the same time, this patch fixes the isString / isObject predicates used for `op_is_object` and others
        in LLInt, JIT, DFG and FTL.
        Before ES6 Symbol was introduced, JSCell was only used for objects and strings in the user-observable area.
        So in many places, when the cell is not an object, we recognize it as a string, and vice versa.
        However, now that ES6 Symbol is implemented as a JSCell, this assumption is broken.
        So this patch stops using !isString as isObject.
        To check whether a cell is an object, instead of checking that the structure ID of a cell is not stringStructure,
        we examine the typeInfo in JSCell.

        * JavaScriptCore.order:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEqualityOp):
        (JSC::BytecodeGenerator::emitReturn):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

        The IsObject operation only touches the JSCell typeInfoType,
        and this value would be changed through structure transition.
        As a result, IsObject can report that it doesn't read any information.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

        Just like IsString, IsObject is also fixed up.

        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality):
        (JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality):
        (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
        (JSC::DFG::SpeculativeJIT::speculateObject):
        (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
        (JSC::DFG::SpeculativeJIT::speculateString):
        (JSC::DFG::SpeculativeJIT::speculateNotStringVar):
        (JSC::DFG::SpeculativeJIT::emitSwitchChar):
        (JSC::DFG::SpeculativeJIT::emitSwitchString):
        (JSC::DFG::SpeculativeJIT::branchIsObject):
        (JSC::DFG::SpeculativeJIT::branchNotObject):
        (JSC::DFG::SpeculativeJIT::branchIsString):
        (JSC::DFG::SpeculativeJIT::branchNotString):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileToString):
        (JSC::FTL::LowerDFGToLLVM::compileIsObject):
        (JSC::FTL::LowerDFGToLLVM::compileIsObjectOrNull):
        (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::isObject):
        (JSC::FTL::LowerDFGToLLVM::isNotObject):
        (JSC::FTL::LowerDFGToLLVM::isNotString):
        (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::emitJumpIfCellObject):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_is_object):
        (JSC::JIT::emit_op_to_primitive):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_is_object):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::compileOpStrictEq):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        * runtime/Operations.cpp:
        (JSC::jsIsObjectTypeOrNull):
        (JSC::jsIsObjectType): Deleted.
        * runtime/Operations.h:
        * tests/stress/constructor-with-return.js: Added.
        (Test):

        When the constructor doesn't return an object, `this` should be returned instead.
        In this test, we check all primitives, and test object, array and wrappers.

        * tests/stress/dfg-to-primitive-pass-symbol.js: Added.
        (toPrimitiveTarget):
        (doToPrimitive):

        The op_to_primitive operation passes Symbol in the fast path.

2015-02-24  Yusuke Suzuki  <utatane.tea@gmail.com>

        REGRESSION(r179429): Can't type comments in Facebook
        https://bugs.webkit.org/show_bug.cgi?id=141859

        Reviewed by Brent Fulgham.

        When window.Symbol is exposed to user-space pages,
        Facebook's JavaScript uses it (maybe for immutable-js and React.js's unique key).
        However, to work with Symbols completely, it also requires
        1) Object.getOwnPropertySymbols (for mixins including Symbols)
        2) the latest ES6 Iterator interface that uses Iterator.next and returns { done: boolean, value: value }.
        Since they have not landed yet, comments in Facebook don't work.

        This patch introduces RuntimeFlags for JavaScriptCore.
        It specifies the SymbolEnabled flag under the test runner and inspector so they continue to work with Symbol,
        and drops the JavaScriptExperimentsEnabled flag
        because it is no longer used and its use case is duplicated by runtime flags.

        * JavaScriptCore.order:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jsc.cpp:
        (GlobalObject::javaScriptRuntimeFlags):
        (GlobalObject::javaScriptExperimentsEnabled): Deleted.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::finishCreation):
        (JSC::JSGlobalObject::javaScriptRuntimeFlags):
        (JSC::JSGlobalObject::javaScriptExperimentsEnabled): Deleted.
        * runtime/RuntimeFlags.h: Added.
        (JSC::RuntimeFlags::RuntimeFlags):
        (JSC::RuntimeFlags::createAllEnabled):

2015-02-23  Filip Pizlo  <fpizlo@apple.com>

        Our bizarre behavior on Arguments::defineOwnProperty should be deliberate rather than a spaghetti incident
        https://bugs.webkit.org/show_bug.cgi?id=141951

        Reviewed by Benjamin Poulain.

        This patch has no behavioral change, but it simplifies a bunch of wrong code. The code is
        still wrong in exactly the same way, but at least it's obvious what's going on. The wrongness
        is covered by this bug: https://bugs.webkit.org/show_bug.cgi?id=141952.

        * runtime/Arguments.cpp:
        (JSC::Arguments::copyBackingStore): We should only see the arguments token; assert otherwise. This works because if the GC sees the butterfly token it calls the JSObject::copyBackingStore method directly.
        (JSC::Arguments::defineOwnProperty): Make our bizarre behavior deliberate rather than an accident of a decade of patches.
        * tests/stress/arguments-bizarre-behavior.js: Added.
        (foo):
        * tests/stress/arguments-bizarre-behaviour-disable-enumerability.js: Added. My choice of spellings of the word "behavio[u]r" is almost as consistent as our implementation of arguments.
        (foo):
        * tests/stress/arguments-custom-properties-gc.js: Added. I added this test because at first I was unsure if we GCd arguments correctly.
        (makeBaseArguments):
        (makeArray):
        (cons):

2015-02-23  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r180547 and r180550.
        https://bugs.webkit.org/show_bug.cgi?id=141957

        Broke 10 Windows tests. (Requested by bfulgham_ on #webkit).

        Reverted changesets:

        "REGRESSION(r179429): Can't type comments in Facebook"
        https://bugs.webkit.org/show_bug.cgi?id=141859
        http://trac.webkit.org/changeset/180547

        "Constructor returning null should construct an object instead
        of null"
        https://bugs.webkit.org/show_bug.cgi?id=141640
        http://trac.webkit.org/changeset/180550

2015-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>

        Constructor returning null should construct an object instead of null
        https://bugs.webkit.org/show_bug.cgi?id=141640

        Reviewed by Geoffrey Garen.

        When constructor code doesn't return an object, the constructor should return the `this` object instead.
        Since we used `op_is_object` for this check and `op_is_object` is intended to be used for `typeof`,
        it allows `null` as an object.
        This patch fixes it by introducing a new bytecode `op_is_object_or_null` for `typeof` use cases.
        Instead, the constructor uses the simplified `is_object`.

        As a result, `op_is_object` becomes fairly simple. So we introduce optimizations for `op_is_object`.

        1. LLInt and the baseline JIT support `op_is_object` as a fast path.
        2. The DFG abstract interpreter supports `op_is_object`, and recognizes its speculated type and read-write effects.
        3. The DFG introduces inlined asm for `op_is_object` rather than calling a C++ function.
        4. The FTL lowers the DFG's IsObject into LLVM IR.

        At the same time, this patch fixes the isString / isObject predicates used for `op_is_object` and others
        in LLInt, JIT, DFG and FTL.
        Before ES6 Symbol was introduced, JSCell was only used for objects and strings in the user-observable area.
        So in many places, when the cell is not an object, we recognize it as a string, and vice versa.
        However, now that ES6 Symbol is implemented as a JSCell, this assumption is broken.
        So this patch stops using !isString as isObject.
        To check whether a cell is an object, instead of checking that the structure ID of a cell is not stringStructure,
        we examine the typeInfo in JSCell.

        * JavaScriptCore.order:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEqualityOp):
        (JSC::BytecodeGenerator::emitReturn):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

        The IsObject operation only touches the JSCell typeInfoType,
        and this value would not be changed through structure transition.
        As a result, IsObject can report that it doesn't read any information.

        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

        Just like IsString, IsObject is also fixed up.

        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality):
        (JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality):
        (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
        (JSC::DFG::SpeculativeJIT::speculateObject):
        (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
        (JSC::DFG::SpeculativeJIT::speculateString):
        (JSC::DFG::SpeculativeJIT::speculateNotStringVar):
        (JSC::DFG::SpeculativeJIT::emitSwitchChar):
        (JSC::DFG::SpeculativeJIT::emitSwitchString):
        (JSC::DFG::SpeculativeJIT::branchIsObject):
        (JSC::DFG::SpeculativeJIT::branchNotObject):
        (JSC::DFG::SpeculativeJIT::branchIsString):
        (JSC::DFG::SpeculativeJIT::branchNotString):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileToString):
        (JSC::FTL::LowerDFGToLLVM::compileIsObject):
        (JSC::FTL::LowerDFGToLLVM::compileIsObjectOrNull):
        (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::isObject):
        (JSC::FTL::LowerDFGToLLVM::isNotObject):
        (JSC::FTL::LowerDFGToLLVM::isNotString):
        (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::emitJumpIfCellObject):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_is_object):
        (JSC::JIT::emit_op_to_primitive):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_is_object):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::compileOpStrictEq):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        * runtime/Operations.cpp:
        (JSC::jsIsObjectTypeOrNull):
        (JSC::jsIsObjectType): Deleted.
        * runtime/Operations.h:
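
        The predicate change described in this entry (and in its relanded copy above), as an added example that is not JavaScriptCore code: a toy tagged-value model in C with three cell types, showing why `!isString` stops being a valid `isObject` once Symbol cells exist, why `typeof` needs a separate predicate that also admits null, and what the constructor-return rule then yields. The type and function names here (JSValue, JSCell, isObjectLegacy, isObjectOrNull, jsTypeof, constructResult) are this example's own, not JSC's API, and the sample cells are constructed inline.

```c
/* Added example, not JavaScriptCore code: a toy model of JS values with a
 * small set of cell types. It shows why "not a string" is no longer a valid
 * "is an object" test once Symbol cells exist, and why typeof needs its own
 * null-admitting predicate (the entry's op_is_object_or_null). */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

typedef enum { UndefinedTag, NullTag, BooleanTag, NumberTag, CellTag } Tag;
/* Stand-in for the type stored in a JSCell's typeInfo. */
typedef enum { ObjectType, StringType, SymbolType } CellType;

typedef struct { CellType type; } JSCell;
typedef struct { Tag tag; const JSCell* cell; } JSValue;

/* Constructed sample cells; one instance of each type is enough here. */
const JSCell kObjectCell = { ObjectType };
const JSCell kStringCell = { StringType };
const JSCell kSymbolCell = { SymbolType };

JSValue jsNull(void)               { return (JSValue){ NullTag, NULL }; }
JSValue jsNumber(void)             { return (JSValue){ NumberTag, NULL }; }
JSValue jsCell(const JSCell* cell) { return (JSValue){ CellTag, cell }; }

static bool isCell(JSValue v)   { return v.tag == CellTag; }
static bool isString(JSValue v) { return isCell(v) && v.cell->type == StringType; }
static bool isSymbol(JSValue v) { return isCell(v) && v.cell->type == SymbolType; }

/* The pre-Symbol shortcut: "a cell that is not a string must be an object".
 * Sound only while objects and strings were the only user-visible cells. */
bool isObjectLegacy(JSValue v) { return isCell(v) && !isString(v); }

/* The fix: consult the cell's type info directly. */
bool isObject(JSValue v) { return isCell(v) && v.cell->type == ObjectType; }

/* What typeof needs: null also reports "object", so it gets its own predicate. */
bool isObjectOrNull(JSValue v) { return v.tag == NullTag || isObject(v); }

const char* jsTypeof(JSValue v)
{
    if (isObjectOrNull(v)) return "object";
    if (isString(v))       return "string";
    if (isSymbol(v))       return "symbol";
    switch (v.tag) {
    case UndefinedTag: return "undefined";
    case BooleanTag:   return "boolean";
    case NumberTag:    return "number";
    default:           return "unknown";
    }
}

/* The constructor-return rule: a non-object return value (null included) is
 * discarded and `new` yields the freshly created `this` object instead. */
JSValue constructResult(JSValue thisObject, JSValue returned)
{
    return isObject(returned) ? returned : thisObject;
}
```

        With the legacy predicate a Symbol cell is reported as an object, which is the misclassification the entry describes; with the type-info check it is not, and null is accepted only by the typeof-oriented predicate, so a constructor returning null falls back to `this`.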
1267
1268 2015-02-23  Ryosuke Niwa  <rniwa@webkit.org>
1269
1270         Disable font loading events until our implementation gets updated to match the latest spec
1271         https://bugs.webkit.org/show_bug.cgi?id=141938
1272
1273         Reviewed by Andreas Kling.
1274
1275         * Configurations/FeatureDefines.xcconfig:
1276
1277 2015-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1278
1279         REGRESSION(r179429): Can't type comments in Facebook
1280         https://bugs.webkit.org/show_bug.cgi?id=141859
1281
1282         Reviewed by Geoffrey Garen.
1283
1284         When window.Symbol is exposed to user-space pages,
1285         Facebook's JavaScript use it (maybe, for immutable-js and React.js's unique key).
1286         However, to work with Symbols completely, it also requires
1287         1) Object.getOwnPropertySymbols (for mixin including Symbols)
1288         2) the latest ES6 Iterator interface that uses Iterator.next and it returns { done: boolean, value: value }.
1289         Since they are not landed yet, comments in Facebook don't work.
1290
1291         This patch introduces RuntimeFlags for JavaScriptCore.
1292         Specifying SymbolEnabled flag under test runner and inspector to continue to work with Symbol.
1293         And drop JavaScriptExperimentsEnabled flag
1294         because it is no longer used and use case of this is duplicated to runtime flags.
1295
1296         * JavaScriptCore.order:
1297         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1298         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1299         * JavaScriptCore.xcodeproj/project.pbxproj:
1300         * jsc.cpp:
1301         (GlobalObject::javaScriptRuntimeFlags):
1302         (GlobalObject::javaScriptExperimentsEnabled): Deleted.
1303         * runtime/JSGlobalObject.cpp:
1304         (JSC::JSGlobalObject::JSGlobalObject):
1305         (JSC::JSGlobalObject::init):
1306         * runtime/JSGlobalObject.h:
1307         (JSC::JSGlobalObject::finishCreation):
1308         (JSC::JSGlobalObject::javaScriptRuntimeFlags):
1309         (JSC::JSGlobalObject::javaScriptExperimentsEnabled): Deleted.
1310         * runtime/RuntimeFlags.h: Added.
1311         (JSC::RuntimeFlags::RuntimeFlags):
1312         (JSC::RuntimeFlags::createAllEnabled):
1313
1314 2015-02-23  Benjamin Poulain  <bpoulain@apple.com>
1315
1316         Set the semantic origin of delayed SetLocal to the Bytecode that originated it
1317         https://bugs.webkit.org/show_bug.cgi?id=141727
1318
1319         Reviewed by Filip Pizlo.
1320
1321         Previously, delayed SetLocals would have the NodeOrigin of the next
1322         bytecode. This was because delayed SetLocal are...delayed... and
1323         currentCodeOrigin() is the one where the node is emitted.
1324
1325         This made debugging a little awkward since the OSR exits on SetLocal
1326         were reported for the next bytecode. This patch changes the semantic
1327         origin to keep the original bytecode.
1328
1329         From benchmarks, this looks like it could be a tiny bit faster
1330         but it likely just noise.
1331
1332         * dfg/DFGByteCodeParser.cpp:
1333         (JSC::DFG::ByteCodeParser::setDirect):
1334         (JSC::DFG::ByteCodeParser::setLocal):
1335         (JSC::DFG::ByteCodeParser::setArgument):
1336         (JSC::DFG::ByteCodeParser::currentNodeOrigin):
1337         (JSC::DFG::ByteCodeParser::addToGraph):
1338         (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
1339         (JSC::DFG::ByteCodeParser::DelayedSetLocal::execute):
1340
1341 2015-02-23  Benjamin Poulain  <bpoulain@apple.com>
1342
1343         Remove DFGNode::predictHeap()
1344         https://bugs.webkit.org/show_bug.cgi?id=141864
1345
1346         Reviewed by Geoffrey Garen.
1347
1348         * dfg/DFGNode.h:
1349         (JSC::DFG::Node::predictHeap): Deleted.
1350         Unused code.
1351
1352 2015-02-23  Filip Pizlo  <fpizlo@apple.com>
1353
1354         Get rid of JSLexicalEnvironment::argumentsGetter
1355         https://bugs.webkit.org/show_bug.cgi?id=141930
1356
1357         Reviewed by Mark Lam.
1358         
1359         This function is unused, and the way it's written is bizarre - it's a return statement that
1360         dominates a bunch of dead code.
1361
1362         * runtime/JSLexicalEnvironment.cpp:
1363         (JSC::JSLexicalEnvironment::argumentsGetter): Deleted.
1364         * runtime/JSLexicalEnvironment.h:
1365
1366 2015-02-23  Filip Pizlo  <fpizlo@apple.com>
1367
1368         Remove unused activationCount and allTheThingsCount variable declarations.
1369
1370         Rubber stamped by Mark Lam and Michael Saboff.
1371
1372         * runtime/JSLexicalEnvironment.h:
1373
1374 2015-02-23  Saam Barati  <saambarati1@gmail.com>
1375
1376         Adjust the ranges of basic block statements in JSC's control flow profiler to be mutually exclusive
1377         https://bugs.webkit.org/show_bug.cgi?id=141095
1378
1379         Reviewed by Mark Lam.
1380
1381         Suppose the control flow of a program forms basic block A with successor block
1382         B. A's end offset will be the *same* as B's start offset in the current architecture 
1383         of the control flow profiler. This makes reasoning about the text offsets of
1384         the control flow profiler unsound. To make reasoning about offsets sound, all 
1385         basic block ranges should be mutually exclusive.  All calls to emitProfileControlFlow 
1386         now pass in the *start* of a basic block as the text offset argument. This simplifies 
1387         all calls to emitProfileControlFlow because the previous implementation had a
1388         lot of edge cases for getting the desired basic block text boundaries.
1389
1390         This patch also ensures that the basic block boundary of a block statement 
        is exactly the block's open and close brace offsets (inclusive). For example,
1392         in if/for/while statements. This also has the consequence that for statements 
1393         like "if (cond) foo();", the whitespace preceding "foo()" is not part of 
1394         the "foo()" basic block, but instead is part of the "if (cond) " basic block. 
1395         This is okay because these text offsets aren't meant to be human readable.
1396         Instead, they reflect the text offsets of JSC's AST nodes. The Web Inspector 
1397         is the only client of this API and user of these text offsets and it is 
        not negatively affected by this new behavior.
1399
1400         * bytecode/CodeBlock.cpp:
1401         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
1402         When computing basic block boundaries in CodeBlock, we ensure that every
1403         block's end offset is one less than its successor's start offset to
1404         maintain that boundaries' ranges should be mutually exclusive.
1405
1406         * bytecompiler/BytecodeGenerator.cpp:
1407         (JSC::BytecodeGenerator::BytecodeGenerator):
1408         Because the control flow profiler needs to know which functions
1409         have executed, we can't lazily create functions. This was a bug 
1410         from before that was hidden because the Type Profiler was always 
1411         enabled when the control flow profiler was enabled when profiling 
1412         was turned on from the Web Inspector. But, JSC allows for Control 
1413         Flow profiling to be turned on without Type Profiling, so we need 
1414         to ensure the Control Flow profiler has all the data it needs.
1415
1416         * bytecompiler/NodesCodegen.cpp:
1417         (JSC::ConditionalNode::emitBytecode):
1418         (JSC::IfElseNode::emitBytecode):
1419         (JSC::WhileNode::emitBytecode):
1420         (JSC::ForNode::emitBytecode):
1421         (JSC::ForInNode::emitMultiLoopBytecode):
1422         (JSC::ForOfNode::emitBytecode):
1423         (JSC::TryNode::emitBytecode):
1424         * jsc.cpp:
1425         (functionHasBasicBlockExecuted):
1426         We now assert that the substring argument is indeed a substring
1427         of the function argument's text because subtle bugs could be
1428         introduced otherwise.
1429
1430         * parser/ASTBuilder.h:
1431         (JSC::ASTBuilder::setStartOffset):
1432         * parser/Nodes.h:
1433         (JSC::Node::setStartOffset):
1434         * parser/Parser.cpp:
1435         (JSC::Parser<LexerType>::parseBlockStatement):
1436         (JSC::Parser<LexerType>::parseStatement):
1437         (JSC::Parser<LexerType>::parseMemberExpression):
1438         For the various function call AST nodes, their m_position member 
1439         variable is now the start of the entire function call expression 
1440         and not at the start of the open paren of the arguments list.
1441
1442         * runtime/BasicBlockLocation.cpp:
1443         (JSC::BasicBlockLocation::getExecutedRanges):
1444         * runtime/ControlFlowProfiler.cpp:
1445         (JSC::ControlFlowProfiler::getBasicBlocksForSourceID):
1446         Function ranges inserted as gaps should follow the same criteria
1447         that the bytecode generator uses to ensure that basic blocks
1448         start and end offsets are mutually exclusive.
1449
1450         * tests/controlFlowProfiler/brace-location.js: Added.
1451         (foo):
1452         (bar):
1453         (baz):
1454         (testIf):
1455         (testForRegular):
1456         (testForIn):
1457         (testForOf):
1458         (testWhile):
1459         (testIfNoBraces):
1460         (testForRegularNoBraces):
1461         (testForInNoBraces):
1462         (testForOfNoBraces):
1463         (testWhileNoBraces):
1464         * tests/controlFlowProfiler/conditional-expression.js: Added.
1465         (foo):
1466         (bar):
1467         (baz):
1468         (testConditionalBasic):
1469         (testConditionalFunctionCall):
1470         * tests/controlFlowProfiler/driver/driver.js:
1471         (checkBasicBlock):
1472
1473 2015-02-23  Matthew Mirman  <mmirman@apple.com>
1474
1475         r9 is volatile on ARMv7 for iOS 3 and up. 
1476         https://bugs.webkit.org/show_bug.cgi?id=141489
1477         rdar://problem/19432916
1478
1479         Reviewed by Michael Saboff.
1480
1481         * jit/RegisterSet.cpp: 
1482         (JSC::RegisterSet::calleeSaveRegisters): removed r9 from the list of ARMv7 callee save registers.
1483         * tests/stress/regress-141489.js: Added.
1484         (foo):
1485
1486 2015-02-23  Csaba Osztrogonác  <ossy@webkit.org>
1487
1488         [ARM] Add the necessary setupArgumentsWithExecState after bug141915
1489         https://bugs.webkit.org/show_bug.cgi?id=141921
1490
1491         Reviewed by Michael Saboff.
1492
1493         * jit/CCallHelpers.h:
1494         (JSC::CCallHelpers::setupArgumentsWithExecState):
1495
1496 2015-02-23  Filip Pizlo  <fpizlo@apple.com>
1497
1498         Scopes should always be created with a previously-created symbol table rather than creating one on the fly
1499         https://bugs.webkit.org/show_bug.cgi?id=141915
1500
1501         Reviewed by Mark Lam.
1502         
1503         The main effect of this change is that pushing name scopes no longer requires creating symbol
1504         tables on the fly.
1505         
1506         This also makes it so that JSEnvironmentRecords must always have an a priori symbol table.
1507         
1508         JSSegmentedVariableObject still does a hack where it creates a blank symbol table on-demand.
1509         This is needed because that's what JSGlobalObject and all of its many subclasses want. That's
        harmless; I mainly needed a priori symbol tables for JSEnvironmentRecords anyway.
1511
1512         * bytecode/BytecodeList.json:
1513         * bytecompiler/BytecodeGenerator.cpp:
1514         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
1515         (JSC::BytecodeGenerator::emitPushCatchScope):
1516         * jit/CCallHelpers.h:
1517         (JSC::CCallHelpers::setupArgumentsWithExecState):
1518         * jit/JIT.h:
1519         * jit/JITInlines.h:
1520         (JSC::JIT::callOperation):
1521         * jit/JITOpcodes.cpp:
1522         (JSC::JIT::emit_op_push_name_scope):
1523         * jit/JITOpcodes32_64.cpp:
1524         (JSC::JIT::emit_op_push_name_scope):
1525         * jit/JITOperations.cpp:
1526         (JSC::pushNameScope):
1527         * jit/JITOperations.h:
1528         * llint/LLIntSlowPaths.cpp:
1529         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1530         * llint/LowLevelInterpreter.asm:
1531         * runtime/Executable.cpp:
1532         (JSC::ScriptExecutable::newCodeBlockFor):
1533         * runtime/JSCatchScope.h:
1534         (JSC::JSCatchScope::JSCatchScope):
1535         (JSC::JSCatchScope::create):
1536         * runtime/JSEnvironmentRecord.h:
1537         (JSC::JSEnvironmentRecord::JSEnvironmentRecord):
1538         * runtime/JSFunctionNameScope.h:
1539         (JSC::JSFunctionNameScope::JSFunctionNameScope):
1540         (JSC::JSFunctionNameScope::create):
1541         * runtime/JSNameScope.cpp:
1542         (JSC::JSNameScope::create):
1543         * runtime/JSNameScope.h:
1544         (JSC::JSNameScope::create):
1545         (JSC::JSNameScope::finishCreation):
1546         (JSC::JSNameScope::JSNameScope):
1547         * runtime/JSSegmentedVariableObject.h:
1548         (JSC::JSSegmentedVariableObject::finishCreation):
1549         * runtime/JSSymbolTableObject.h:
1550         (JSC::JSSymbolTableObject::JSSymbolTableObject):
1551         (JSC::JSSymbolTableObject::finishCreation): Deleted.
1552         * runtime/SymbolTable.h:
1553         (JSC::SymbolTable::createNameScopeTable):
1554
1555 2015-02-23  Filip Pizlo  <fpizlo@apple.com>
1556
1557         Add a comment to clarify that the test was taken from the bug report, in response to
1558         feedback from Michael Saboff and Benjamin Poulain.
1559         
1560         * tests/stress/regress-141883.js:
1561
1562 2015-02-22  Filip Pizlo  <fpizlo@apple.com>
1563
1564         Function name scope is only created on the function instance that triggered parsing rather than on every function instance that needs it
1565         https://bugs.webkit.org/show_bug.cgi?id=141881
1566
1567         Reviewed by Michael Saboff.
1568         
1569         Previously we only created the function name scope in a way that made it visible to the
1570         function that triggered parsing/linking of the executable/codeBlock, and to the linker for
1571         that code block. This was sort of the bare minimum for the feature to appear to work right to
1572         synthetic tests.
1573
1574         There are two valid "times" to create the function name scope. Either it's created for each
1575         JSFunction instance that needs a name scope, or it's created for each execution of such a
1576         JSFunction. This change chooses the latter, because it happens to be the easiest to implement
1577         with what we have right now. I opened a bug for optimizing this if we ever need to:
1578         https://bugs.webkit.org/show_bug.cgi?id=141887.
1579         
1580         * bytecompiler/BytecodeGenerator.cpp:
1581         (JSC::BytecodeGenerator::BytecodeGenerator):
1582         * interpreter/Interpreter.cpp:
1583         (JSC::Interpreter::execute):
1584         (JSC::Interpreter::executeCall):
1585         (JSC::Interpreter::executeConstruct):
1586         (JSC::Interpreter::prepareForRepeatCall):
1587         * jit/JITOperations.cpp:
1588         * llint/LLIntSlowPaths.cpp:
1589         (JSC::LLInt::setUpCall):
1590         * runtime/ArrayPrototype.cpp:
1591         (JSC::isNumericCompareFunction):
1592         * runtime/Executable.cpp:
1593         (JSC::ScriptExecutable::newCodeBlockFor):
1594         (JSC::ScriptExecutable::prepareForExecutionImpl):
1595         (JSC::FunctionExecutable::FunctionExecutable):
1596         * runtime/Executable.h:
1597         (JSC::ScriptExecutable::prepareForExecution):
1598         * runtime/JSFunction.cpp:
1599         (JSC::JSFunction::addNameScopeIfNeeded): Deleted.
1600         * runtime/JSFunction.h:
1601         * tests/stress/function-name-scope.js: Added.
1602         (check.verify):
1603         (check):
1604
1605 2015-02-22  Filip Pizlo  <fpizlo@apple.com>
1606
1607         Crash in DFGFrozenValue
1608         https://bugs.webkit.org/show_bug.cgi?id=141883
1609
1610         Reviewed by Benjamin Poulain.
1611         
1612         If a value might be a cell, then we have to have Graph freeze it rather than trying to
1613         create the FrozenValue directly. Creating it directly is just an optimization for when you
1614         know for sure that it cannot be a cell.
1615
1616         * dfg/DFGAbstractInterpreterInlines.h:
1617         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1618         * tests/stress/regress-141883.js: Added. Hacked the original test to be faster while still crashing before this fix.
1619
1620 2015-02-21  Joseph Pecoraro  <pecoraro@apple.com>
1621
1622         Web Inspector: Generate Previews more often for RemoteObject interaction
1623         https://bugs.webkit.org/show_bug.cgi?id=141875
1624
1625         Reviewed by Timothy Hatcher.
1626
1627         * inspector/protocol/Runtime.json:
1628         Add generatePreview to getProperties.
1629
1630         * inspector/InjectedScript.cpp:
1631         (Inspector::InjectedScript::getProperties):
1632         (Inspector::InjectedScript::getInternalProperties):
1633         * inspector/InjectedScript.h:
1634         * inspector/agents/InspectorRuntimeAgent.cpp:
1635         (Inspector::InspectorRuntimeAgent::getProperties):
1636         * inspector/agents/InspectorRuntimeAgent.h:
1637         Plumb the generatePreview boolean through to the injected script.
1638
1639         * inspector/InjectedScriptSource.js:
1640         Add generatePreview for getProperties.
1641         Fix callFunctionOn to generatePreviews if asked.
1642
1643 2015-02-20  Mark Lam  <mark.lam@apple.com>
1644
1645         Refactor JSWrapperMap.mm to defer creation of the ObjC JSValue until the latest possible moment.
1646         <https://webkit.org/b/141856>
1647
1648         Reviewed by Geoffrey Garen.
1649
1650         1. Make JSObjCClassInfo's -constructor and -wrapperForObject return a
1651            JSC::JSObject* just like -prototype.
1652         2. Defer the creation of the ObjC JSValue from JSC::JSObject* until
1653            the latest moment when it is needed.  This allows us to not have to
1654            keep converting back to a JSC::JSObject* in intermediate code.
1655
1656         * API/JSWrapperMap.mm:
1657         (makeWrapper):
1658         (objectWithCustomBrand):
1659         (constructorWithCustomBrand):
1660         (allocateConstructorForCustomClass):
1661         (-[JSObjCClassInfo allocateConstructorAndPrototype]):
1662         (-[JSObjCClassInfo wrapperForObject:]):
1663         (-[JSObjCClassInfo constructor]):
1664         (-[JSWrapperMap jsWrapperForObject:]):
1665
1666 2015-02-20  Filip Pizlo  <fpizlo@apple.com>
1667
1668         Build fix for gcc.
1669
1670         * runtime/JSNameScope.cpp:
1671         (JSC::JSNameScope::create):
1672
1673 2015-02-20  Filip Pizlo  <fpizlo@apple.com>
1674
1675         Get rid of JSNameScope::m_type
1676         https://bugs.webkit.org/show_bug.cgi?id=141851
1677
1678         Reviewed by Geoffrey Garen.
1679         
1680         This is a big step towards getting rid of JSEnvironmentRecord::m_registers. To do it we need
1681         to ensure that subclasses of JSEnvironmentRecord never have additional C++ fields, so that
1682         JSEnvironmentRecord can always place "registers" right after the end of itself.
1683
1684         * CMakeLists.txt:
1685         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1686         * JavaScriptCore.xcodeproj/project.pbxproj:
1687         * debugger/DebuggerScope.cpp:
1688         (JSC::DebuggerScope::isCatchScope):
1689         (JSC::DebuggerScope::isFunctionNameScope):
1690         * interpreter/Interpreter.cpp:
1691         (JSC::Interpreter::execute):
1692         * jit/JITOperations.cpp:
1693         * llint/LLIntSlowPaths.cpp:
1694         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1695         * runtime/JSCatchScope.cpp: Added.
1696         * runtime/JSCatchScope.h: Added.
1697         (JSC::JSCatchScope::JSCatchScope):
1698         (JSC::JSCatchScope::create):
1699         (JSC::JSCatchScope::createStructure):
1700         * runtime/JSFunction.cpp:
1701         (JSC::JSFunction::addNameScopeIfNeeded):
1702         * runtime/JSFunctionNameScope.cpp: Added.
1703         * runtime/JSFunctionNameScope.h: Added.
1704         (JSC::JSFunctionNameScope::JSFunctionNameScope):
1705         (JSC::JSFunctionNameScope::create):
1706         (JSC::JSFunctionNameScope::createStructure):
1707         * runtime/JSGlobalObject.cpp:
1708         (JSC::JSGlobalObject::init):
1709         (JSC::JSGlobalObject::visitChildren):
1710         * runtime/JSGlobalObject.h:
1711         (JSC::JSGlobalObject::catchScopeStructure):
1712         (JSC::JSGlobalObject::functionNameScopeStructure):
1713         (JSC::JSGlobalObject::nameScopeStructure): Deleted.
1714         * runtime/JSNameScope.cpp:
1715         (JSC::JSNameScope::create):
1716         * runtime/JSNameScope.h:
1717         (JSC::JSNameScope::create):
1718         (JSC::JSNameScope::JSNameScope):
1719         (JSC::JSNameScope::createStructure): Deleted.
1720         (JSC::JSNameScope::isFunctionNameScope): Deleted.
1721         (JSC::JSNameScope::isCatchScope): Deleted.
1722         * runtime/JSObject.cpp:
1723         (JSC::JSObject::isCatchScopeObject):
1724         (JSC::JSObject::isFunctionNameScopeObject):
1725         * runtime/JSObject.h:
1726
1727 2015-02-20  Mark Lam  <mark.lam@apple.com>
1728
1729         [JSObjCClassInfo reallocateConstructorAndOrPrototype] should also reallocate super class prototype chain.
1730         <https://webkit.org/b/141809>
1731
1732         Reviewed by Geoffrey Garen.
1733
        An ObjC class that implements the JSExport protocol will have a JS prototype
1735         chain and constructor automatically synthesized for its JS wrapper object.
1736         However, if there are no more instances of that ObjC class reachable by a
1737         JS GC root scan, then its synthesized prototype chain and constructors may
1738         be released by the GC.  If a new instance of that ObjC class is subsequently
1739         instantiated, then [JSObjCClassInfo reallocateConstructorAndOrPrototype]
1740         should re-construct the prototype chain and constructor (if they were
1741         previously released).  However, the current implementation only
1742         re-constructs the immediate prototype, but not every other prototype
1743         object upstream in the prototype chain.
1744
1745         To fix this, we do the following:
1746         1. We no longer allocate the JSObjCClassInfo's prototype and constructor
1747            eagerly.  Hence, -initWithContext:forClass: will no longer call
1748            -allocateConstructorAndPrototypeWithSuperClassInfo:.
        2. Instead, we'll always access the prototype and constructor through
1750            accessor methods.  The accessor methods will call
1751            -allocateConstructorAndPrototype: if needed.
1752         3. -allocateConstructorAndPrototype: will fetch the needed superClassInfo
1753            from the JSWrapperMap itself.  This makes it so that we no longer
1754            need to pass the superClassInfo all over.
1755         4. -allocateConstructorAndPrototype: will get the super class prototype
1756            by invoking -prototype: on the superClassInfo, thereby allowing the
1757            super class to allocate its prototype and constructor if needed and
1758            fixing the issue in this bug.
1759
1760         5. Also removed the GC warning comments, and ensured that needed JS
1761            objects are kept alive by having a local var pointing to it from the
1762            stack (which makes a GC root).
1763
1764         * API/JSWrapperMap.mm:
1765         (-[JSObjCClassInfo initWithContext:forClass:]):
1766         (-[JSObjCClassInfo allocateConstructorAndPrototype]):
1767         (-[JSObjCClassInfo wrapperForObject:]):
1768         (-[JSObjCClassInfo constructor]):
1769         (-[JSObjCClassInfo prototype]):
1770         (-[JSWrapperMap classInfoForClass:]):
1771         (-[JSObjCClassInfo initWithContext:forClass:superClassInfo:]): Deleted.
1772         (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]): Deleted.
1773         (-[JSObjCClassInfo reallocateConstructorAndOrPrototype]): Deleted.
1774         * API/tests/Regress141809.h: Added.
1775         * API/tests/Regress141809.mm: Added.
1776         (-[TestClassB name]):
1777         (-[TestClassC name]):
1778         (runRegress141809):
1779         * API/tests/testapi.mm:
1780         * JavaScriptCore.xcodeproj/project.pbxproj:
1781
1782 2015-02-20  Alexey Proskuryakov  <ap@apple.com>
1783
1784         Remove svn:keywords property.
1785
1786         As far as I can tell, the property had no effect on any of these files, but also,
        when it has an effect it's likely harmful.
1788
1789         * builtins/ArrayConstructor.js: Removed property svn:keywords.
1790
1791 2015-02-20  Michael Saboff  <msaboff@apple.com>
1792
1793         DFG JIT needs to check for stack overflow at the start of Program and Eval execution
1794         https://bugs.webkit.org/show_bug.cgi?id=141676
1795
1796         Reviewed by Filip Pizlo.
1797
        Added a stack check to the beginning of the code the DFG compiler emits for Program and Eval nodes.
        To aid in testing the code, I replaced the EvalCodeCache::maxCacheableSourceLength const with
        an option in runtime/Options.h.  The test script, run-jsc-stress-tests, sets that option
        to a huge value when running with the "Eager" options.  This allows the updated test to
        reliably exercise the code in question.
1803
1804         * dfg/DFGJITCompiler.cpp:
1805         (JSC::DFG::JITCompiler::compile):
1806         Added stack check.
1807
1808         * bytecode/EvalCodeCache.h:
1809         (JSC::EvalCodeCache::tryGet):
1810         (JSC::EvalCodeCache::getSlow):
1811         * runtime/Options.h:
        Replaced EvalCodeCache::maxCacheableSourceLength with Options::maximumEvalCacheableSourceLength
1813         so that it can be configured when running the related test.
1814
1815 2015-02-20  Eric Carlson  <eric.carlson@apple.com>
1816
1817         [iOS] cleanup AirPlay code
1818         https://bugs.webkit.org/show_bug.cgi?id=141811
1819
1820         Reviewed by Jer Noble.
1821
1822         * Configurations/FeatureDefines.xcconfig: IOS_AIRPLAY -> WIRELESS_PLAYBACK_TARGET.
1823
1824 2015-02-19  Dean Jackson  <dino@apple.com>
1825
1826         ES6: Implement Array.from()
1827         https://bugs.webkit.org/show_bug.cgi?id=141054
1828         <rdar://problem/19654521>
1829
1830         Reviewed by Filip Pizlo.
1831
1832         Implement the Array.from() ES6 method
1833         as defined in Section 22.1.2.1 of the specification.
1834
1835         Given that we can't rely on the built-in
1836         global functions or objects to be untainted,
1837         I had to expose a few of them directly to
1838         the function via private names. In particular:
1839         - Math.floor -> @floor
1840         - Math.abs -> @abs
1841         - Number -> @Number
1842         - Array -> @Array
1843         - isFinite -> @isFinite
1844
1845         * builtins/ArrayConstructor.js: Added.
1846         (from): Implementation of Array.from in JavaScript.
1847         * runtime/ArrayConstructor.cpp: Add "from" to the lookup
1848         table for the constructor object.
1849         * runtime/CommonIdentifiers.h: Add the private versions
1850         of the identifiers listed above.
1851         * runtime/JSGlobalObject.cpp: Add the implementations of
1852         those identifiers to the global object (using their
1853         private names).
1854         (JSC::JSGlobalObject::init):
1855         * runtime/JSGlobalObjectFunctions.cpp:
1856         (JSC::globalPrivateFuncAbs): Implementation of the abs function.
1857         (JSC::globalPrivateFuncFloor): Implementation of the floor function.
1858         * runtime/JSGlobalObjectFunctions.h:
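
        The entry above says the self-hosted Array.from cannot rely on the public
        Math.floor, Number, etc. being untainted, and so binds them to private names
        (@floor, @Number, ...). The script below is an added illustration of that
        hazard, written for this page; it is not code from the WebKit patch. The
        function names arrayFromNaive, arrayFromBound and withTamperedFloor and the
        array-like sample input are constructed for the example.

```javascript
// Added example (not WebKit code): a builtin that looks up Math.floor / Number
// on the global object at call time can be subverted by page script that
// replaces those globals; one that binds them before any page script runs
// (the role of JSC's @floor / @Number private names) cannot.

// Naive variant: resolves Math.floor and Number from the globals on every call.
function arrayFromNaive(arrayLike) {
  let len = Math.floor(Number(arrayLike.length));
  if (!(len > 0)) len = 0; // NaN or a negative length clamps to 0
  const result = [];
  for (let i = 0; i < len; i++) result.push(arrayLike[i]);
  return result;
}

// Hardened variant: captures the primitives once, when this module is
// evaluated, so later tampering with the globals does not reach them.
const boundFloor = Math.floor;
const boundNumber = Number;
function arrayFromBound(arrayLike) {
  let len = boundFloor(boundNumber(arrayLike.length));
  if (!(len > 0)) len = 0;
  const result = [];
  for (let i = 0; i < len; i++) result.push(arrayLike[i]);
  return result;
}

// Simulated hostile page script: replaces Math.floor while fn() runs, then
// restores it so the rest of the program is unaffected.
function withTamperedFloor(fn) {
  const saved = Math.floor;
  Math.floor = () => 0; // every computed length now becomes zero
  try {
    return fn();
  } finally {
    Math.floor = saved;
  }
}

// Constructed sample input: an array-like object of the kind Array.from accepts.
const sample = { length: 3, 0: "a", 1: "b", 2: "c" };

if (typeof require !== "undefined" && require.main === module) {
  console.log(withTamperedFloor(() => arrayFromNaive(sample))); // []
  console.log(withTamperedFloor(() => arrayFromBound(sample))); // [ 'a', 'b', 'c' ]
}
```

        With the tampered Math.floor the naive helper silently returns an empty
        array, while the bound helper still copies all three elements; binding at
        definition time is the JavaScript-level analogue of what the private names
        give the builtins written in ArrayConstructor.js.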
1859
1860 2015-02-19  Benjamin Poulain  <bpoulain@apple.com>
1861
1862         Refine the FTL part of ArithPow
1863         https://bugs.webkit.org/show_bug.cgi?id=141792
1864
1865         Reviewed by Filip Pizlo.
1866
1867         This patch refines the FTL lowering of ArithPow. This was left out
1868         of the original patch to keep it simpler.
1869
1870         * ftl/FTLLowerDFGToLLVM.cpp:
1871         (JSC::FTL::LowerDFGToLLVM::compileArithPow):
1872         Two improvements here:
1873         1) Do not generate the NaN check unless we know the exponent might be a NaN.
1874         2) Use one BasicBlock per check with the appropriate weight. Now that we have
1875            one branch per test, move the Infinity check before the check for 1 since
1876            it is the less common case.
1877
1878         * tests/stress/math-pow-becomes-custom-function.js: Added.
1879         Test for changing the Math.pow() function after it has been optimized.
1880
1881         * tests/stress/math-pow-nan-behaviors.js:
        The previous tests were only going as far as the DFGAbstractInterpreter
        where the operations were replaced by the equivalent constant.
1884
1885         I duplicated the test functions to also test the dynamic behavior of DFG
1886         and FTL.
1887
1888         * tests/stress/math-pow-with-constants.js:
1889         Add cases covering exponent constants. LLVM removes many value
1890         checks for those.
1891
1892         * tests/stress/math-pow-with-never-NaN-exponent.js: Added.
1893         Test for the new optimization removing the NaN check.
1894
1895 2015-02-19  Csaba Osztrogonác  <ossy@webkit.org>
1896
1897         REGRESSION(r180279): It broke 20 tests on ARM Linux
1898         https://bugs.webkit.org/show_bug.cgi?id=141771
1899
1900         Reviewed by Filip Pizlo.
1901
1902         * dfg/DFGSpeculativeJIT.h:
1903         (JSC::DFG::SpeculativeJIT::callOperation): Align 64-bit values to respect ARM EABI.
1904
1905 2015-02-18  Benjamin Poulain  <bpoulain@apple.com>
1906
1907         Remove BytecodeGenerator's numberMap, it is dead code
1908         https://bugs.webkit.org/show_bug.cgi?id=141779
1909
1910         Reviewed by Filip Pizlo.
1911
1912         * bytecompiler/BytecodeGenerator.cpp:
1913         (JSC::BytecodeGenerator::emitLoad): Deleted.
1914         * bytecompiler/BytecodeGenerator.h:
1915         The JSValueMap seems better in every way.
1916
1917         The emitLoad() taking a double was the only way to use numberMap
1918         and that code has no caller.
1919
1920 2015-02-18  Michael Saboff  <msaboff@apple.com>
1921
1922         Rollout r180247 & r180249 from trunk
1923         https://bugs.webkit.org/show_bug.cgi?id=141773
1924
1925         Reviewed by Filip Pizlo.
1926
        These changes make sense to fix the crash reported in https://bugs.webkit.org/show_bug.cgi?id=141730
1928         only for branches.  The change to fail the FTL compile but continue running is not comprehensive
1929         enough for general use on trunk.
1930
1931         * dfg/DFGPlan.cpp:
1932         (JSC::DFG::Plan::compileInThreadImpl):
1933         * ftl/FTLLowerDFGToLLVM.cpp:
1934         (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
1935         (JSC::FTL::LowerDFGToLLVM::lower):
1936         (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
1937         (JSC::FTL::LowerDFGToLLVM::compileNode):
1938         (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
1939         (JSC::FTL::LowerDFGToLLVM::compilePhi):
1940         (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
1941         (JSC::FTL::LowerDFGToLLVM::compileValueRep):
1942         (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
1943         (JSC::FTL::LowerDFGToLLVM::compilePutLocal):
1944         (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
1945         (JSC::FTL::LowerDFGToLLVM::compileArithMul):
1946         (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
1947         (JSC::FTL::LowerDFGToLLVM::compileArithMod):
1948         (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
1949         (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
1950         (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
1951         (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
1952         (JSC::FTL::LowerDFGToLLVM::compileGetById):
1953         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
1954         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
1955         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
1956         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
1957         (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
1958         (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
1959         (JSC::FTL::LowerDFGToLLVM::compileNewArray):
1960         (JSC::FTL::LowerDFGToLLVM::compileToString):
1961         (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
1962         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
1963         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
1964         (JSC::FTL::LowerDFGToLLVM::compileSwitch):
1965         (JSC::FTL::LowerDFGToLLVM::compare):
1966         (JSC::FTL::LowerDFGToLLVM::boolify):
1967         (JSC::FTL::LowerDFGToLLVM::opposite):
1968         (JSC::FTL::LowerDFGToLLVM::lowJSValue):
1969         (JSC::FTL::LowerDFGToLLVM::speculate):
1970         (JSC::FTL::LowerDFGToLLVM::isArrayType):
1971         (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
1972         (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
1973         (JSC::FTL::LowerDFGToLLVM::setInt52):
1974         (JSC::FTL::lowerDFGToLLVM):
1975         (JSC::FTL::LowerDFGToLLVM::loweringFailed): Deleted.
1976         * ftl/FTLLowerDFGToLLVM.h:
1977
1978 2015-02-18  Filip Pizlo  <fpizlo@apple.com>
1979
1980         DFG should really support varargs
1981         https://bugs.webkit.org/show_bug.cgi?id=141332
1982
1983         Reviewed by Oliver Hunt.
1984         
1985         This adds comprehensive vararg call support to the DFG and FTL compilers. Previously, if a
1986         function had a varargs call, then it could only be compiled if that varargs call was just
1987         forwarding arguments and we were inlining the function rather than compiling it directly. Also,
1988         only varargs calls were dealt with; varargs constructs were not.
1989         
1990         This lifts all of those restrictions. Every varargs call or construct can now be compiled by both
1991         the DFG and the FTL. Those calls can also be inlined, too - provided that profiling gives us a
1992         sensible bound on arguments list length. When we inline a varargs call, the act of loading the
1993         varargs is now made explicit in IR. I believe that we have enough IR machinery in place that we
1994         would be able to do the arguments forwarding optimization as an IR transformation. This patch
1995         doesn't implement that yet, and keeps the old bytecode-based varargs argument forwarding
1996         optimization for now.
1997         
1998         There are three major IR features introduced in this patch:
1999         
2000         CallVarargs/ConstructVarargs: these are like Call/Construct except that they take an arguments
2001         array rather than a list of arguments. Currently, they splat this arguments array onto the stack
2002         using the same basic technique as the baseline JIT has always done. Except, these nodes indicate
2003         that we are not interested in doing the non-escaping "arguments" optimization.
2004         
2005         CallForwardVarargs: this is a form of CallVarargs that just does the non-escaping "arguments"
2006         optimization, aka forwarding arguments. It's somewhat lazy that this doesn't include
2007         ConstructForwardVarargs, but the reason is that once we eliminate the lazy tear-off for
2008         arguments, this whole thing will have to be tweaked - and for now forwarding on construct is just
2009         not important in benchmarks. ConstructVarargs will still do forwarding, just not inlined.
2010         
2011         LoadVarargs: loads all elements out of an array onto the stack in a manner suitable for a varargs
2012         call. This is used only when a varargs call (or construct) was inlined. The bytecode parser will
2013         make room on the stack for the arguments, and will use LoadVarargs to put those arguments into
2014         place.
2015         
2016         In the future, we can consider adding strength reductions like:
2017         
2018         - If CallVarargs/ConstructVarargs see an array of known size with known elements, turn them into
2019           Call/Construct.
2020         
2021         - If CallVarargs/ConstructVarargs are passed an unmodified, unescaped Arguments object, then
2022           turn them into CallForwardVarargs/ConstructForwardVarargs.
2023         
2024         - If LoadVarargs sees an array of known size, then turn it into a sequence of GetByVals and
2025           PutLocals.
2026         
2027         - If LoadVarargs sees an unmodified, unescaped Arguments object, then turn it into something like
2028           LoadForwardVarargs.
2029         
2030         - If CallVarargs/ConstructVarargs/LoadVarargs see the result of a splice (or other Array
2031           prototype function), then do the splice and varargs loading in one go (maybe via a new node
2032           type).
2033
2034         * CMakeLists.txt:
2035         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2036         * JavaScriptCore.xcodeproj/project.pbxproj:
2037         * assembler/MacroAssembler.h:
2038         (JSC::MacroAssembler::rshiftPtr):
2039         (JSC::MacroAssembler::urshiftPtr):
2040         * assembler/MacroAssemblerARM64.h:
2041         (JSC::MacroAssemblerARM64::urshift64):
2042         * assembler/MacroAssemblerX86_64.h:
2043         (JSC::MacroAssemblerX86_64::urshift64):
2044         * assembler/X86Assembler.h:
2045         (JSC::X86Assembler::shrq_i8r):
2046         * bytecode/CallLinkInfo.h:
2047         (JSC::CallLinkInfo::CallLinkInfo):
2048         * bytecode/CallLinkStatus.cpp:
2049         (JSC::CallLinkStatus::computeFor):
2050         (JSC::CallLinkStatus::setProvenConstantCallee):
2051         (JSC::CallLinkStatus::dump):
2052         * bytecode/CallLinkStatus.h:
2053         (JSC::CallLinkStatus::maxNumArguments):
2054         (JSC::CallLinkStatus::setIsProved): Deleted.
2055         * bytecode/CodeOrigin.cpp:
2056         (WTF::printInternal):
2057         * bytecode/CodeOrigin.h:
2058         (JSC::InlineCallFrame::varargsKindFor):
2059         (JSC::InlineCallFrame::specializationKindFor):
2060         (JSC::InlineCallFrame::isVarargs):
2061         (JSC::InlineCallFrame::isNormalCall): Deleted.
2062         * bytecode/ExitKind.cpp:
2063         (JSC::exitKindToString):
2064         * bytecode/ExitKind.h:
2065         * bytecode/ValueRecovery.cpp:
2066         (JSC::ValueRecovery::dumpInContext):
2067         * dfg/DFGAbstractInterpreterInlines.h:
2068         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2069         * dfg/DFGArgumentsSimplificationPhase.cpp:
2070         (JSC::DFG::ArgumentsSimplificationPhase::run):
2071         * dfg/DFGByteCodeParser.cpp:
2072         (JSC::DFG::ByteCodeParser::flush):
2073         (JSC::DFG::ByteCodeParser::addCall):
2074         (JSC::DFG::ByteCodeParser::handleCall):
2075         (JSC::DFG::ByteCodeParser::handleVarargsCall):
2076         (JSC::DFG::ByteCodeParser::emitFunctionChecks):
2077         (JSC::DFG::ByteCodeParser::inliningCost):
2078         (JSC::DFG::ByteCodeParser::inlineCall):
2079         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
2080         (JSC::DFG::ByteCodeParser::handleInlining):
2081         (JSC::DFG::ByteCodeParser::handleMinMax):
2082         (JSC::DFG::ByteCodeParser::handleIntrinsic):
2083         (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
2084         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2085         (JSC::DFG::ByteCodeParser::parseBlock):
2086         (JSC::DFG::ByteCodeParser::removeLastNodeFromGraph): Deleted.
2087         (JSC::DFG::ByteCodeParser::undoFunctionChecks): Deleted.
2088         * dfg/DFGCapabilities.cpp:
2089         (JSC::DFG::capabilityLevel):
2090         * dfg/DFGCapabilities.h:
2091         (JSC::DFG::functionCapabilityLevel):
2092         (JSC::DFG::mightCompileFunctionFor):
2093         * dfg/DFGClobberize.h:
2094         (JSC::DFG::clobberize):
2095         * dfg/DFGCommon.cpp:
2096         (WTF::printInternal):
2097         * dfg/DFGCommon.h:
2098         (JSC::DFG::canInline):
2099         (JSC::DFG::leastUpperBound):
2100         * dfg/DFGDoesGC.cpp:
2101         (JSC::DFG::doesGC):
2102         * dfg/DFGFixupPhase.cpp:
2103         (JSC::DFG::FixupPhase::fixupNode):
2104         * dfg/DFGGraph.cpp:
2105         (JSC::DFG::Graph::dump):
2106         (JSC::DFG::Graph::dumpBlockHeader):
2107         (JSC::DFG::Graph::isLiveInBytecode):
2108         (JSC::DFG::Graph::valueProfileFor):
2109         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2110         * dfg/DFGGraph.h:
2111         (JSC::DFG::Graph::valueProfileFor): Deleted.
2112         (JSC::DFG::Graph::methodOfGettingAValueProfileFor): Deleted.
2113         * dfg/DFGJITCompiler.cpp:
2114         (JSC::DFG::JITCompiler::compileExceptionHandlers):
2115         (JSC::DFG::JITCompiler::link):
2116         * dfg/DFGMayExit.cpp:
2117         (JSC::DFG::mayExit):
2118         * dfg/DFGNode.h:
2119         (JSC::DFG::Node::hasCallVarargsData):
2120         (JSC::DFG::Node::callVarargsData):
2121         (JSC::DFG::Node::hasLoadVarargsData):
2122         (JSC::DFG::Node::loadVarargsData):
2123         (JSC::DFG::Node::hasHeapPrediction):
2124         * dfg/DFGNodeType.h:
2125         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2126         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
2127         * dfg/DFGOSRExitCompilerCommon.cpp:
2128         (JSC::DFG::reifyInlinedCallFrames):
2129         * dfg/DFGOperations.cpp:
2130         * dfg/DFGOperations.h:
2131         * dfg/DFGPlan.cpp:
2132         (JSC::DFG::dumpAndVerifyGraph):
2133         (JSC::DFG::Plan::compileInThreadImpl):
2134         * dfg/DFGPreciseLocalClobberize.h:
2135         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
2136         (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop):
2137         * dfg/DFGPredictionPropagationPhase.cpp:
2138         (JSC::DFG::PredictionPropagationPhase::propagate):
2139         * dfg/DFGSSAConversionPhase.cpp:
2140         * dfg/DFGSafeToExecute.h:
2141         (JSC::DFG::safeToExecute):
2142         * dfg/DFGSpeculativeJIT.h:
2143         (JSC::DFG::SpeculativeJIT::isFlushed):
2144         (JSC::DFG::SpeculativeJIT::callOperation):
2145         * dfg/DFGSpeculativeJIT32_64.cpp:
2146         (JSC::DFG::SpeculativeJIT::emitCall):
2147         (JSC::DFG::SpeculativeJIT::compile):
2148         * dfg/DFGSpeculativeJIT64.cpp:
2149         (JSC::DFG::SpeculativeJIT::emitCall):
2150         (JSC::DFG::SpeculativeJIT::compile):
2151         * dfg/DFGStackLayoutPhase.cpp:
2152         (JSC::DFG::StackLayoutPhase::run):
2153         (JSC::DFG::StackLayoutPhase::assign):
2154         * dfg/DFGStrengthReductionPhase.cpp:
2155         (JSC::DFG::StrengthReductionPhase::handleNode):
2156         * dfg/DFGTypeCheckHoistingPhase.cpp:
2157         (JSC::DFG::TypeCheckHoistingPhase::run):
2158         * dfg/DFGValidate.cpp:
2159         (JSC::DFG::Validate::validateCPS):
2160         * ftl/FTLAbbreviations.h:
2161         (JSC::FTL::functionType):
2162         (JSC::FTL::buildCall):
2163         * ftl/FTLCapabilities.cpp:
2164         (JSC::FTL::canCompile):
2165         * ftl/FTLCompile.cpp:
2166         (JSC::FTL::mmAllocateDataSection):
2167         * ftl/FTLInlineCacheSize.cpp:
2168         (JSC::FTL::sizeOfCall):
2169         (JSC::FTL::sizeOfCallVarargs):
2170         (JSC::FTL::sizeOfCallForwardVarargs):
2171         (JSC::FTL::sizeOfConstructVarargs):
2172         (JSC::FTL::sizeOfIn):
2173         (JSC::FTL::sizeOfICFor):
2174         (JSC::FTL::sizeOfCheckIn): Deleted.
2175         * ftl/FTLInlineCacheSize.h:
2176         * ftl/FTLIntrinsicRepository.h:
2177         * ftl/FTLJSCall.cpp:
2178         (JSC::FTL::JSCall::JSCall):
2179         * ftl/FTLJSCallBase.cpp:
2180         * ftl/FTLJSCallBase.h:
2181         * ftl/FTLJSCallVarargs.cpp: Added.
2182         (JSC::FTL::JSCallVarargs::JSCallVarargs):
2183         (JSC::FTL::JSCallVarargs::numSpillSlotsNeeded):
2184         (JSC::FTL::JSCallVarargs::emit):
2185         (JSC::FTL::JSCallVarargs::link):
2186         * ftl/FTLJSCallVarargs.h: Added.
2187         (JSC::FTL::JSCallVarargs::node):
2188         (JSC::FTL::JSCallVarargs::stackmapID):
2189         (JSC::FTL::JSCallVarargs::operator<):
2190         * ftl/FTLLowerDFGToLLVM.cpp:
2191         (JSC::FTL::LowerDFGToLLVM::lower):
2192         (JSC::FTL::LowerDFGToLLVM::compileNode):
2193         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
2194         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
2195         (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):
2196         (JSC::FTL::LowerDFGToLLVM::compileLoadVarargs):
2197         (JSC::FTL::LowerDFGToLLVM::compileIn):
2198         (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
2199         (JSC::FTL::LowerDFGToLLVM::vmCall):
2200         (JSC::FTL::LowerDFGToLLVM::vmCallNoExceptions):
2201         (JSC::FTL::LowerDFGToLLVM::callCheck):
2202         * ftl/FTLOutput.h:
2203         (JSC::FTL::Output::call):
2204         * ftl/FTLState.cpp:
2205         (JSC::FTL::State::State):
2206         * ftl/FTLState.h:
2207         * interpreter/Interpreter.cpp:
2208         (JSC::sizeOfVarargs):
2209         (JSC::sizeFrameForVarargs):
2210         * interpreter/Interpreter.h:
2211         * interpreter/StackVisitor.cpp:
2212         (JSC::StackVisitor::readInlinedFrame):
2213         * jit/AssemblyHelpers.cpp:
2214         (JSC::AssemblyHelpers::emitExceptionCheck):
2215         * jit/AssemblyHelpers.h:
2216         (JSC::AssemblyHelpers::addressFor):
2217         (JSC::AssemblyHelpers::calleeFrameSlot):
2218         (JSC::AssemblyHelpers::calleeArgumentSlot):
2219         (JSC::AssemblyHelpers::calleeFrameTagSlot):
2220         (JSC::AssemblyHelpers::calleeFramePayloadSlot):
2221         (JSC::AssemblyHelpers::calleeArgumentTagSlot):
2222         (JSC::AssemblyHelpers::calleeArgumentPayloadSlot):
2223         (JSC::AssemblyHelpers::calleeFrameCallerFrame):
2224         (JSC::AssemblyHelpers::selectScratchGPR):
2225         * jit/CCallHelpers.h:
2226         (JSC::CCallHelpers::setupArgumentsWithExecState):
2227         * jit/GPRInfo.h:
2228         * jit/JIT.cpp:
2229         (JSC::JIT::privateCompile):
2230         * jit/JIT.h:
2231         * jit/JITCall.cpp:
2232         (JSC::JIT::compileSetupVarargsFrame):
2233         (JSC::JIT::compileOpCall):
2234         * jit/JITCall32_64.cpp:
2235         (JSC::JIT::compileSetupVarargsFrame):
2236         (JSC::JIT::compileOpCall):
2237         * jit/JITOperations.h:
2238         * jit/SetupVarargsFrame.cpp:
2239         (JSC::emitSetupVarargsFrameFastCase):
2240         * jit/SetupVarargsFrame.h:
2241         * runtime/Arguments.h:
2242         (JSC::Arguments::create):
2243         (JSC::Arguments::registerArraySizeInBytes):
2244         (JSC::Arguments::finishCreation):
2245         * runtime/Options.h:
2246         * tests/stress/construct-varargs-inline-smaller-Foo.js: Added.
2247         (Foo):
2248         (bar):
2249         (checkEqual):
2250         (test):
2251         * tests/stress/construct-varargs-inline.js: Added.
2252         (Foo):
2253         (bar):
2254         (checkEqual):
2255         (test):
2256         * tests/stress/construct-varargs-no-inline.js: Added.
2257         (Foo):
2258         (bar):
2259         (checkEqual):
2260         (test):
2261         * tests/stress/get-argument-by-val-in-inlined-varargs-call-out-of-bounds.js: Added.
2262         (foo):
2263         (bar):
2264         * tests/stress/get-argument-by-val-safe-in-inlined-varargs-call-out-of-bounds.js: Added.
2265         (foo):
2266         (bar):
2267         * tests/stress/get-my-argument-by-val-creates-arguments.js: Added.
2268         (blah):
2269         (foo):
2270         (bar):
2271         (checkEqual):
2272         (test):
2273         * tests/stress/load-varargs-then-inlined-call-exit-in-foo.js: Added.
2274         (foo):
2275         (bar):
2276         (checkEqual):
2277         * tests/stress/load-varargs-then-inlined-call-inlined.js: Added.
2278         (foo):
2279         (bar):
2280         (baz):
2281         (checkEqual):
2282         (test):
2283         * tests/stress/load-varargs-then-inlined-call.js: Added.
2284         (foo):
2285         (bar):
2286         (checkEqual):
2287         (test):
2288
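        The three call shapes this entry describes, as an added example in the style of the
        tests/stress files listed above. This is not JavaScriptCore's own test code: the names foo,
        Foo, forwardVarargs, forwardModified, callVarargs, constructVarargs, checkEqual and test are
        assumptions chosen to mirror those tests, and the argument counts driven through each call
        site are constructed inputs.

```javascript
// Added example, not JavaScriptCore's own test code: a stress test in the
// style of the tests/stress files listed in the entry above. All names
// below are assumptions chosen to mirror those tests.

// Callee with two named parameters that also reads one slot past its
// declared arity. arguments[2] is undefined when fewer than three values
// arrive, which is the out-of-bounds read the
// get-argument-by-val-*-out-of-bounds tests exercise.
function foo(a, b) {
    const extra = arguments[2] === undefined ? 0 : arguments[2] | 0;
    return (a | 0) + (b | 0) + extra + arguments.length * 1000;
}

// Forwarded arguments: this frame's own, unmodified `arguments` goes
// straight to foo. This is the shape CallForwardVarargs targets.
function forwardVarargs() {
    return foo.apply(this, arguments);
}

// Forwarding after a write: the Arguments object is modified first, so
// the callee must observe the new value. Forwarding the frame's original
// arguments is only sound for an unmodified, unescaped Arguments object;
// this call has to read the object as it is now (a real CallVarargs).
function forwardModified() {
    arguments[0] = (arguments[0] | 0) + 100;
    return foo.apply(this, arguments);
}

// Explicit array: the caller built the list itself, so the engine has to
// splat the array's elements onto the stack (CallVarargs).
function callVarargs(array) {
    return foo.apply(null, array);
}

// Varargs construct: the array is spread into a constructor call
// (ConstructVarargs) and the callee runs with a freshly allocated `this`.
function Foo(a, b) {
    this.a = a;
    this.b = b;
    this.argc = arguments.length;
}
function constructVarargs(array) {
    return new Foo(...array);
}

function checkEqual(actual, expected, what) {
    if (actual !== expected)
        throw new Error(what + ": expected " + expected + " but got " + actual);
}

// Drives every call site many times with 0..3 arguments, as the JSC
// stress tests do, so the call sites get hot enough to reach the
// optimizing tiers. Each result is compared against a plain apply().
// Returns the number of iterations checked.
function test(iterations) {
    for (let i = 0; i < iterations; ++i) {
        const n = i % 4;
        const args = [];
        for (let j = 0; j < n; ++j)
            args.push(i + j);
        const expected = foo.apply(null, args);

        checkEqual(forwardVarargs(...args), expected, "forwardVarargs");
        checkEqual(callVarargs(args), expected, "callVarargs");
        if (n > 0) {
            const modified = [args[0] + 100].concat(args.slice(1));
            checkEqual(forwardModified(...args), foo.apply(null, modified), "forwardModified");
        }

        const obj = constructVarargs(args);
        checkEqual(obj instanceof Foo, true, "constructVarargs instanceof");
        checkEqual(obj.argc, n, "constructVarargs argc");
        checkEqual(obj.a, args[0], "constructVarargs a");
    }
    return iterations;
}

test(1000);
```

        The reference value is always a plain foo.apply() with the same array, so any tier that
        forwards, splats or inlines differently from the baseline is caught by checkEqual; the
        forwardModified case is the one an engine must not forward, because the Arguments object
        was written to before the call.
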
2289 2015-02-17  Michael Saboff  <msaboff@apple.com>
2290
2291         Unreviewed, restoring the C LOOP insta-crash fix in r180184.
2292
2293         Fixed a typo that only affected the C Loop in the prologue() macro in LowLevelInterpreter.asm.
2294         After the stackHeightOKGetCodeBlock label, codeBlockSetter(t1) should be codeBlockGetter(t1).
2295
2296         * llint/LowLevelInterpreter.asm: Fixed a typo.
2297
2298 2015-02-18  Csaba Osztrogonác  <ossy@webkit.org>
2299
2300         URTBF after r180258 to fix Windows build.
2301
2302         * runtime/MathCommon.cpp:
2303         (JSC::mathPowInternal):
2304
2305 2015-02-18  Joseph Pecoraro  <pecoraro@apple.com>
2306
2307         REGRESSION(r180235): It broke the !ENABLE(PROMISES) build
2308         https://bugs.webkit.org/show_bug.cgi?id=141746
2309
2310         Unreviewed build fix.
2311
2312         * inspector/JSInjectedScriptHost.cpp:
2313         (Inspector::JSInjectedScriptHost::getInternalProperties):
2314         Wrap JSPromise related code in ENABLE(PROMISES) guard.
2315
2316 2015-02-18  Benjamin Poulain  <benjamin@webkit.org>
2317
2318         Fix the C-Loop LLInt build
2319         https://bugs.webkit.org/show_bug.cgi?id=141618
2320
2321         Reviewed by Filip Pizlo.
2322
2323         I broke C-Loop when moving the common code of pow()
2324         to JITOperations because that file is #ifdefed out
2325         when the JITs are disabled.
2326
2327         It would be weird to move it back to MathObject since
2328         the function needs to know about the calling conventions.
2329
2330         To avoid making a mess, I just gave the function its own file
2331         that is used by both the runtime and the JIT.
2332
2333         * CMakeLists.txt:
2334         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2335         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2336         * JavaScriptCore.xcodeproj/project.pbxproj:
2337         * dfg/DFGAbstractInterpreterInlines.h:
2338         * jit/JITOperations.cpp:
2339         * jit/JITOperations.h:
2340         * runtime/MathCommon.cpp: Added.
2341         (JSC::fdlibmScalbn):
2342         (JSC::fdlibmPow):
2343         (JSC::isDenormal):
2344         (JSC::isEdgeCase):
2345         (JSC::mathPowInternal):
2346         (JSC::operationMathPow):
2347         * runtime/MathCommon.h: Added.
2348         * runtime/MathObject.cpp:
2349
2350 2015-02-17  Benjamin Poulain  <bpoulain@apple.com>
2351
2352         Clean up OSRExit's considerAddingAsFrequentExitSite()
2353         https://bugs.webkit.org/show_bug.cgi?id=141690
2354
2355         Reviewed by Anders Carlsson.
2356
2357         Looks like some code was removed from CodeBlock::tallyFrequentExitSites()
2358         and the OSRExit were left untouched.
2359
2360         This patch cleans up the two loops and removes the boolean return
2361         on considerAddingAsFrequentExitSite().
2362
2363         * bytecode/CodeBlock.cpp:
2364         (JSC::CodeBlock::tallyFrequentExitSites):
2365         * dfg/DFGOSRExit.h:
2366         (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
2367         * dfg/DFGOSRExitBase.cpp:
2368         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
2369         * dfg/DFGOSRExitBase.h:
2370         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSite):
2371         * ftl/FTLOSRExit.h:
2372         (JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
2373
2374 2015-02-17  Alexey Proskuryakov  <ap@apple.com>
2375
2376         Debug build fix after r180247.
2377
2378         * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::loweringFailed):
2379
2380 2015-02-17  Commit Queue  <commit-queue@webkit.org>
2381
2382         Unreviewed, rolling out r180184.
2383         https://bugs.webkit.org/show_bug.cgi?id=141733
2384
2385         Caused infinite recursion on js/function-apply-aliased.html
2386         (Requested by ap_ on #webkit).
2387
2388         Reverted changeset:
2389
2390         "REGRESSION(r180060): C Loop crashes"
2391         https://bugs.webkit.org/show_bug.cgi?id=141671
2392         http://trac.webkit.org/changeset/180184
2393
2394 2015-02-17  Michael Saboff  <msaboff@apple.com>
2395
2396         CrashTracer: DFG_CRASH beneath JSC::FTL::LowerDFGToLLVM::compileNode
2397         https://bugs.webkit.org/show_bug.cgi?id=141730
2398
2399         Reviewed by Geoffrey Garen.
2400
2401         Added a new failure handler, loweringFailed(), to LowerDFGToLLVM that reports failures
2402         while processing DFG lowering.  For debug builds, the failures are logged identically
2403         to the way DFG_CRASH() reports them.  For release builds, the failures are reported
2404         and the FTL compilation is terminated, but the process is allowed to continue.
2405         Wrapped calls to loweringFailed() in a macro LOWERING_FAILED so the function and
2406         line number are reported at the point of the inconsistency.
2407
2408         Converted instances of DFG_CRASH to LOWERING_FAILED.
2409
2410         * dfg/DFGPlan.cpp:
2411         (JSC::DFG::Plan::compileInThreadImpl): Added lowerDFGToLLVM() failure check that
2412         will fail the FTL compile.
2413
2414         * ftl/FTLLowerDFGToLLVM.cpp:
2415         (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
2416         Added new member variable, m_loweringSucceeded, to stop compilation on the first
2417         reported failure.
2418
2419         * ftl/FTLLowerDFGToLLVM.cpp:
2420         (JSC::FTL::LowerDFGToLLVM::lower):
2421         * ftl/FTLLowerDFGToLLVM.h:
2422         Added check for compilation failures and now report those failures via a boolean
2423         return value.
2424
2425         * ftl/FTLLowerDFGToLLVM.cpp:
2426         (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
2427         (JSC::FTL::LowerDFGToLLVM::compileNode):
2428         (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
2429         (JSC::FTL::LowerDFGToLLVM::compilePhi):
2430         (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
2431         (JSC::FTL::LowerDFGToLLVM::compileValueRep):
2432         (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
2433         (JSC::FTL::LowerDFGToLLVM::compilePutLocal):
2434         (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
2435         (JSC::FTL::LowerDFGToLLVM::compileArithMul):
2436         (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
2437         (JSC::FTL::LowerDFGToLLVM::compileArithMod):
2438         (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
2439         (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
2440         (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
2441         (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
2442         (JSC::FTL::LowerDFGToLLVM::compileGetById):
2443         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
2444         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
2445         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2446         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2447         (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
2448         (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
2449         (JSC::FTL::LowerDFGToLLVM::compileNewArray):
2450         (JSC::FTL::LowerDFGToLLVM::compileToString):
2451         (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
2452         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
2453         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
2454         (JSC::FTL::LowerDFGToLLVM::compileSwitch):
2455         (JSC::FTL::LowerDFGToLLVM::compare):
2456         (JSC::FTL::LowerDFGToLLVM::boolify):
2457         (JSC::FTL::LowerDFGToLLVM::opposite):
2458         (JSC::FTL::LowerDFGToLLVM::lowJSValue):
2459         (JSC::FTL::LowerDFGToLLVM::speculate):
2460         (JSC::FTL::LowerDFGToLLVM::isArrayType):
2461         (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
2462         (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
2463         (JSC::FTL::LowerDFGToLLVM::setInt52):
2464         Changed DFG_CRASH() to LOWERING_FAILED().  Updated related control flow as appropriate.
2465
2466         (JSC::FTL::LowerDFGToLLVM::loweringFailed): New error reporting member function.
2467
2468 2015-02-17  Filip Pizlo  <fpizlo@apple.com>
2469
2470         StackLayoutPhase should use CodeBlock::usesArguments rather than FunctionExecutable::usesArguments
2471         https://bugs.webkit.org/show_bug.cgi?id=141721
2472         rdar://problem/17198633
2473
2474         Reviewed by Michael Saboff.
2475         
2476         I've seen cases where the two are out of sync.  We know we can trust the CodeBlock::usesArguments because
2477         we use it everywhere else.
2478         
2479         No test because I could never reproduce the crash.
2480
2481         * dfg/DFGGraph.h:
2482         (JSC::DFG::Graph::usesArguments):
2483         * dfg/DFGStackLayoutPhase.cpp:
2484         (JSC::DFG::StackLayoutPhase::run):
2485
2486 2015-02-16  Joseph Pecoraro  <pecoraro@apple.com>
2487
2488         Web Inspector: Improved Console Support for Bound Functions
2489         https://bugs.webkit.org/show_bug.cgi?id=141635
2490
2491         Reviewed by Timothy Hatcher.
2492
2493         * inspector/JSInjectedScriptHost.cpp:
2494         (Inspector::JSInjectedScriptHost::getInternalProperties):
2495         Expose internal properties of a JSBoundFunction.
2496
2497 2015-02-16  Joseph Pecoraro  <pecoraro@apple.com>
2498
2499         Web Inspector: ES6: Improved Console Support for Promise Objects
2500         https://bugs.webkit.org/show_bug.cgi?id=141634
2501
2502         Reviewed by Timothy Hatcher.
2503
2504         * inspector/InjectedScript.cpp:
2505         (Inspector::InjectedScript::getInternalProperties):
2506         * inspector/InjectedScriptSource.js:
2507         Include internal properties in previews. Share code
2508         with normal internal property handling.
2509
2510         * inspector/JSInjectedScriptHost.cpp:
2511         (Inspector::constructInternalProperty):
2512         (Inspector::JSInjectedScriptHost::getInternalProperties):
2513         Provide internal state of Promises.
2514
2515         * inspector/protocol/Runtime.json:
2516         Provide an optional field to distinguish if a PropertyPreview
2517         is for an Internal property or not.
2518
2519 2015-02-17  Filip Pizlo  <fpizlo@apple.com>
2520
2521         Throwing from an FTL call IC slow path may result in tag registers being clobbered on 64-bit CPUs
2522         https://bugs.webkit.org/show_bug.cgi?id=141717
2523         rdar://problem/19863382
2524
2525         Reviewed by Geoffrey Garen.
2526         
2527         The best solution is to ensure that the engine catching an exception restores tag registers.
2528         
2529         Each of these new test cases reliably crashed prior to this patch and they don't crash at all now.
2530
2531         * jit/JITOpcodes.cpp:
2532         (JSC::JIT::emit_op_catch):
2533         * llint/LowLevelInterpreter.asm:
2534         * llint/LowLevelInterpreter64.asm:
2535         * tests/stress/throw-from-ftl-call-ic-slow-path-cells.js: Added.
2536         * tests/stress/throw-from-ftl-call-ic-slow-path-undefined.js: Added.
2537         * tests/stress/throw-from-ftl-call-ic-slow-path.js: Added.
2538
2539 2015-02-17  Csaba Osztrogonác  <ossy@webkit.org>
2540
2541         [ARM] Add the necessary setupArgumentsWithExecState after bug141332
2542         https://bugs.webkit.org/show_bug.cgi?id=141714
2543
2544         Reviewed by Michael Saboff.
2545
2546         * jit/CCallHelpers.h:
2547         (JSC::CCallHelpers::setupArgumentsWithExecState):
2548
2549 2015-02-15  Sam Weinig  <sam@webkit.org>
2550
2551         Add experimental <attachment> element support
2552         https://bugs.webkit.org/show_bug.cgi?id=141626
2553
2554         Reviewed by Tim Horton.
2555
2556         * Configurations/FeatureDefines.xcconfig:
2557
2558 2015-02-16  Michael Saboff  <msaboff@apple.com>
2559
2560         REGRESSION(r180060): C Loop crashes
2561         https://bugs.webkit.org/show_bug.cgi?id=141671
2562
2563         Reviewed by Geoffrey Garen.
2564
2565         Fixed a typo that only affected the C Loop in the prologue() macro in LowLevelInterpreter.asm.
2566         After the stackHeightOKGetCodeBlock label, codeBlockSetter(t1) should be codeBlockGetter(t1).
2567         Fixed the processing of an out of stack exception in llint_stack_check to not get the caller's
2568         frame.  This isn't needed, since this helper is only called to check the stack on entry.  Any
2569         exception will be handled by a call ancestor.
2570
2571         * llint/LLIntSlowPaths.cpp:
2572         (JSC::LLInt::llint_stack_check): Changed to use the current frame for processing an exception.
2573         * llint/LowLevelInterpreter.asm: Fixed a typo.
2574
2575 2015-02-16  Joseph Pecoraro  <pecoraro@apple.com>
2576
2577         Web Inspector: Scope details sidebar should label objects with constructor names
2578         https://bugs.webkit.org/show_bug.cgi?id=139449
2579
2580         Reviewed by Timothy Hatcher.
2581
2582         * inspector/JSInjectedScriptHost.cpp:
2583         (Inspector::JSInjectedScriptHost::internalConstructorName):
2584         * runtime/Structure.cpp:
2585         (JSC::Structure::toStructureShape):
2586         Share calculatedClassName.
2587
2588         * runtime/JSObject.h:        
2589         * runtime/JSObject.cpp:
2590         (JSC::JSObject::calculatedClassName):
2591         Elaborate on a way to get an Object's class name.
2592
2593 2015-02-16  Filip Pizlo  <fpizlo@apple.com>
2594
2595         DFG SSA should use GetLocal for arguments, and the GetArgument node type should be removed
2596         https://bugs.webkit.org/show_bug.cgi?id=141623
2597
2598         Reviewed by Oliver Hunt.
2599         
2600         During development of https://bugs.webkit.org/show_bug.cgi?id=141332, I realized that I
2601         needed to use GetArgument for loading something that has magically already appeared on the
2602         stack, so currently trunk sort of allows this. But then I realized three things:
2603         
2604         - A GetArgument with a non-JSValue flush format means speculating that the value on the
2605           stack obeys that format, rather than just assuming that it already has that format.
2606           In bug 141332, I want it to assume rather than speculate. That also happens to be more
2607           intuitive; I don't think I was wrong to expect that.
2608         
2609         - The node I really want is GetLocal. I'm just getting the value of the local and I don't
2610           want to do anything else.
2611         
2612         - Maybe it would be easier if we just used GetLocal for all of the cases where we currently
2613           use GetArgument.
2614         
2615         This changes the FTL to do argument speculations in the prologue just like the DFG does.
2616         This brings some consistency to our system, and allows us to get rid of the GetArgument
2617         node. The speculations that the FTL must do are now made explicit in the m_argumentFormats
2618         vector in DFG::Graph. This has natural DCE behavior: even if all uses of the argument are
2619         dead we will still speculate. We already have safeguards to ensure we only speculate if
2620         there are uses that benefit from speculation (which is a much more conservative criterion
2621         than DCE).
2622         
2623         * dfg/DFGAbstractInterpreterInlines.h:
2624         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2625         * dfg/DFGClobberize.h:
2626         (JSC::DFG::clobberize):
2627         * dfg/DFGDCEPhase.cpp:
2628         (JSC::DFG::DCEPhase::run):
2629         * dfg/DFGDoesGC.cpp:
2630         (JSC::DFG::doesGC):
2631         * dfg/DFGFixupPhase.cpp:
2632         (JSC::DFG::FixupPhase::fixupNode):
2633         * dfg/DFGFlushFormat.h:
2634         (JSC::DFG::typeFilterFor):
2635         * dfg/DFGGraph.cpp:
2636         (JSC::DFG::Graph::dump):
2637         * dfg/DFGGraph.h:
2638         (JSC::DFG::Graph::valueProfileFor):
2639         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2640         * dfg/DFGInPlaceAbstractState.cpp:
2641         (JSC::DFG::InPlaceAbstractState::initialize):
2642         * dfg/DFGNode.cpp:
2643         (JSC::DFG::Node::hasVariableAccessData):
2644         * dfg/DFGNodeType.h:
2645         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2646         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
2647         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
2648         * dfg/DFGPredictionPropagationPhase.cpp:
2649         (JSC::DFG::PredictionPropagationPhase::propagate):
2650         * dfg/DFGPutLocalSinkingPhase.cpp:
2651         * dfg/DFGSSAConversionPhase.cpp:
2652         (JSC::DFG::SSAConversionPhase::run):
2653         * dfg/DFGSafeToExecute.h:
2654         (JSC::DFG::safeToExecute):
2655         * dfg/DFGSpeculativeJIT32_64.cpp:
2656         (JSC::DFG::SpeculativeJIT::compile):
2657         * dfg/DFGSpeculativeJIT64.cpp:
2658         (JSC::DFG::SpeculativeJIT::compile):
2659         * ftl/FTLCapabilities.cpp:
2660         (JSC::FTL::canCompile):
2661         * ftl/FTLLowerDFGToLLVM.cpp:
2662         (JSC::FTL::LowerDFGToLLVM::lower):
2663         (JSC::FTL::LowerDFGToLLVM::compileNode):
2664         (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
2665         (JSC::FTL::LowerDFGToLLVM::compileGetArgument): Deleted.
2666         * tests/stress/dead-speculating-argument-use.js: Added.
2667         (foo):
2668         (o.valueOf):
2669
2670 2015-02-15  Filip Pizlo  <fpizlo@apple.com>
2671
2672         Rare case profiling should actually work
2673         https://bugs.webkit.org/show_bug.cgi?id=141632
2674
2675         Reviewed by Michael Saboff.
2676         
2677         This simple adjustment appears to be a 2% speed-up on Octane. Over time, the slow case
2678         heuristic has essentially stopped working because the typical execution count threshold for a
2679         bytecode instruction is around 66 while the slow case threshold is 100: virtually
2680         guaranteeing that the DFG will never think that a bytecode instruction has taken the slow
2681         case even if it took it every single time. So, this changes the slow case threshold to 20.
2682         
2683         I checked if we could lower this down further, like to 10. That is worse than 20, and about
2684         as bad as 100.
2685
2686         * runtime/Options.h:
2687
2688 2015-02-15  Brian J. Burg  <burg@cs.washington.edu>
2689
2690         Web Inspector: remove unused XHR replay code
2691         https://bugs.webkit.org/show_bug.cgi?id=141622
2692
2693         Reviewed by Timothy Hatcher.
2694
2695         * inspector/protocol/Network.json: remove XHR replay methods.
2696
2697 2015-02-15  David Kilzer  <ddkilzer@apple.com>
2698
2699         REGRESSION (r180082): WebCore Debug builds fail on Mavericks due to weak export symbols
2700         <http://webkit.org/b/141607>
2701
2702         More work towards fixing the Mavericks Debug build.
2703
2704         * inspector/ScriptDebugServer.h:
2705         (Inspector::ScriptDebugServer::Task):
2706         * inspector/agents/InspectorDebuggerAgent.h:
2707         (Inspector::InspectorDebuggerAgent::Listener):
2708         - Remove subclass exports. They did not help.
2709
2710         * runtime/JSCJSValue.h:
2711         (JSC::JSValue::toFloat): Do not mark inline method for export.
2712
2713 2015-02-09  Brian J. Burg  <burg@cs.washington.edu>
2714
2715         Web Inspector: remove some unnecessary Inspector prefixes from class names in Inspector namespace
2716         https://bugs.webkit.org/show_bug.cgi?id=141372
2717
2718         Reviewed by Joseph Pecoraro.
2719
2720         * inspector/ConsoleMessage.cpp:
2721         (Inspector::ConsoleMessage::addToFrontend):
2722         (Inspector::ConsoleMessage::updateRepeatCountInConsole):
2723         * inspector/ConsoleMessage.h:
2724         * inspector/InspectorAgentBase.h:
2725         * inspector/InspectorAgentRegistry.cpp:
2726         (Inspector::AgentRegistry::AgentRegistry):
2727         (Inspector::AgentRegistry::append):
2728         (Inspector::AgentRegistry::appendExtraAgent):
2729         (Inspector::AgentRegistry::didCreateFrontendAndBackend):
2730         (Inspector::AgentRegistry::willDestroyFrontendAndBackend):
2731         (Inspector::AgentRegistry::discardAgents):
2732         (Inspector::InspectorAgentRegistry::InspectorAgentRegistry): Deleted.
2733         (Inspector::InspectorAgentRegistry::append): Deleted.
2734         (Inspector::InspectorAgentRegistry::appendExtraAgent): Deleted.
2735         (Inspector::InspectorAgentRegistry::didCreateFrontendAndBackend): Deleted.
2736         (Inspector::InspectorAgentRegistry::willDestroyFrontendAndBackend): Deleted.
2737         (Inspector::InspectorAgentRegistry::discardAgents): Deleted.
2738         * inspector/InspectorAgentRegistry.h:
2739         * inspector/InspectorBackendDispatcher.cpp:
2740         (Inspector::BackendDispatcher::CallbackBase::CallbackBase):
2741         (Inspector::BackendDispatcher::CallbackBase::isActive):
2742         (Inspector::BackendDispatcher::CallbackBase::sendFailure):
2743         (Inspector::BackendDispatcher::CallbackBase::sendIfActive):
2744         (Inspector::BackendDispatcher::create):
2745         (Inspector::BackendDispatcher::registerDispatcherForDomain):
2746         (Inspector::BackendDispatcher::dispatch):
2747         (Inspector::BackendDispatcher::sendResponse):
2748         (Inspector::BackendDispatcher::reportProtocolError):
2749         (Inspector::BackendDispatcher::getInteger):
2750         (Inspector::BackendDispatcher::getDouble):
2751         (Inspector::BackendDispatcher::getString):
2752         (Inspector::BackendDispatcher::getBoolean):
2753         (Inspector::BackendDispatcher::getObject):
2754         (Inspector::BackendDispatcher::getArray):
2755         (Inspector::BackendDispatcher::getValue):
2756         (Inspector::InspectorBackendDispatcher::CallbackBase::CallbackBase): Deleted.
2757         (Inspector::InspectorBackendDispatcher::CallbackBase::isActive): Deleted.
2758         (Inspector::InspectorBackendDispatcher::CallbackBase::sendFailure): Deleted.
2759         (Inspector::InspectorBackendDispatcher::CallbackBase::sendIfActive): Deleted.
2760         (Inspector::InspectorBackendDispatcher::create): Deleted.
2761         (Inspector::InspectorBackendDispatcher::registerDispatcherForDomain): Deleted.
2762         (Inspector::InspectorBackendDispatcher::dispatch): Deleted.
2763         (Inspector::InspectorBackendDispatcher::sendResponse): Deleted.
2764         (Inspector::InspectorBackendDispatcher::reportProtocolError): Deleted.
2765         (Inspector::InspectorBackendDispatcher::getInteger): Deleted.
2766         (Inspector::InspectorBackendDispatcher::getDouble): Deleted.
2767         (Inspector::InspectorBackendDispatcher::getString): Deleted.
2768         (Inspector::InspectorBackendDispatcher::getBoolean): Deleted.
2769         (Inspector::InspectorBackendDispatcher::getObject): Deleted.
2770         (Inspector::InspectorBackendDispatcher::getArray): Deleted.
2771         (Inspector::InspectorBackendDispatcher::getValue): Deleted.
2772         * inspector/InspectorBackendDispatcher.h:
2773         (Inspector::SupplementalBackendDispatcher::SupplementalBackendDispatcher):
2774         (Inspector::SupplementalBackendDispatcher::~SupplementalBackendDispatcher):
2775         (Inspector::InspectorSupplementalBackendDispatcher::InspectorSupplementalBackendDispatcher): Deleted.
2776         (Inspector::InspectorSupplementalBackendDispatcher::~InspectorSupplementalBackendDispatcher): Deleted.
2777         * inspector/InspectorFrontendChannel.h:
2778         (Inspector::FrontendChannel::~FrontendChannel):
2779         (Inspector::InspectorFrontendChannel::~InspectorFrontendChannel): Deleted.
2780         * inspector/JSGlobalObjectInspectorController.cpp:
2781         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2782         (Inspector::JSGlobalObjectInspectorController::globalObjectDestroyed):
2783         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
2784         (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
2785         (Inspector::JSGlobalObjectInspectorController::dispatchMessageFromFrontend):
2786         (Inspector::JSGlobalObjectInspectorController::appendExtraAgent):
2787         * inspector/JSGlobalObjectInspectorController.h:
2788         * inspector/agents/InspectorAgent.cpp:
2789         (Inspector::InspectorAgent::didCreateFrontendAndBackend):
2790         (Inspector::InspectorAgent::willDestroyFrontendAndBackend):
2791         * inspector/agents/InspectorAgent.h:
2792         * inspector/agents/InspectorConsoleAgent.cpp:
2793         (Inspector::InspectorConsoleAgent::didCreateFrontendAndBackend):
2794         (Inspector::InspectorConsoleAgent::willDestroyFrontendAndBackend):
2795         * inspector/agents/InspectorConsoleAgent.h:
2796         * inspector/agents/InspectorDebuggerAgent.cpp:
2797         (Inspector::InspectorDebuggerAgent::didCreateFrontendAndBackend):
2798         (Inspector::InspectorDebuggerAgent::willDestroyFrontendAndBackend):
2799         (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
2800         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
2801         (Inspector::InspectorDebuggerAgent::pause):
2802         (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP):
2803         (Inspector::InspectorDebuggerAgent::didPause):
2804         (Inspector::InspectorDebuggerAgent::breakProgram):
2805         (Inspector::InspectorDebuggerAgent::clearBreakDetails):
2806         * inspector/agents/InspectorDebuggerAgent.h:
2807         * inspector/agents/InspectorRuntimeAgent.cpp:
2808         (Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend):
2809         * inspector/agents/InspectorRuntimeAgent.h:
2810         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
2811         (Inspector::JSGlobalObjectRuntimeAgent::didCreateFrontendAndBackend):
2812         (Inspector::JSGlobalObjectRuntimeAgent::willDestroyFrontendAndBackend):
2813         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
2814         * inspector/augmentable/AlternateDispatchableAgent.h:
2815         * inspector/augmentable/AugmentableInspectorController.h:
2816         * inspector/remote/RemoteInspectorDebuggable.h:
2817         * inspector/remote/RemoteInspectorDebuggableConnection.h:
2818         * inspector/scripts/codegen/cpp_generator.py:
2819         (CppGenerator.cpp_type_for_formal_out_parameter):
2820         (CppGenerator.cpp_type_for_stack_out_parameter):
2821         * inspector/scripts/codegen/cpp_generator_templates.py:
2822         (AlternateBackendDispatcher):
2823         (Alternate):
2824         (void):
2825         (AlternateInspectorBackendDispatcher): Deleted.
2826         (AlternateInspector): Deleted.
2827         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
2828         (CppBackendDispatcherHeaderGenerator._generate_alternate_handler_forward_declarations_for_domains.Alternate):
2829         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
2830         (CppBackendDispatcherHeaderGenerator._generate_alternate_handler_forward_declarations_for_domains.AlternateInspector): Deleted.
2831         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2832         (CppBackendDispatcherImplementationGenerator._generate_handler_class_destructor_for_domain):
2833         (CppBackendDispatcherImplementationGenerator._generate_large_dispatcher_switch_implementation_for_domain):
2834         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
2835         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
2836         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
2837         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
2838         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
2839         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2840         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2841         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2842         * inspector/scripts/tests/expected/enum-values.json-result:
2843         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2844         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2845         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
2846         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
2847         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
2848         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2849         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
2850         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2851         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2852         * runtime/JSGlobalObjectDebuggable.cpp:
2853         (JSC::JSGlobalObjectDebuggable::connect):
2854         (JSC::JSGlobalObjectDebuggable::disconnect):
2855         * runtime/JSGlobalObjectDebuggable.h:
2856
2857 2015-02-14  David Kilzer  <ddkilzer@apple.com>
2858
2859         REGRESSION (r180082): WebCore Debug builds fail on Mavericks due to weak export symbols
2860         <http://webkit.org/b/141607>
2861
2862         Work towards fixing the Mavericks Debug build.
2863
2864         * inspector/ScriptDebugServer.h:
2865         (Inspector::ScriptDebugServer::Task): Export class.
2866         * inspector/agents/InspectorDebuggerAgent.h:
2867         (Inspector::InspectorDebuggerAgent::Listener): Export class.
2868         * runtime/JSGlobalObject.h:
2869         (JSC::JSGlobalObject::setConsoleClient): Do not mark inline
2870         method for export.
2871
2872 2015-02-14  Joseph Pecoraro  <pecoraro@apple.com>
2873
2874         Web Inspector: Symbol RemoteObject should not send sub-type
2875         https://bugs.webkit.org/show_bug.cgi?id=141604
2876
2877         Reviewed by Brian Burg.
2878
2879         * inspector/InjectedScriptSource.js:
2880
2881 2015-02-13  Benjamin Poulain  <bpoulain@apple.com>
2882
2883         Attempt to fix 32-bit build after r180098
2884
2885         * jit/JITOperations.cpp:
2886         * jit/JITOperations.h:
2887         I copied the attribute from the MathObject version of that function when I moved
2888         it over. DFG has no version of a function call taking those attributes.
2889
2890 2015-02-13  Joseph Pecoraro  <pecoraro@apple.com>
2891
2892         JSContext Inspector: Do not stash console messages for non-debuggable JSContext
2893         https://bugs.webkit.org/show_bug.cgi?id=141589
2894
2895         Reviewed by Timothy Hatcher.
2896
2897         Consider developer extras disabled for JSContext inspection if the
2898         RemoteInspector server is not enabled (typically a non-debuggable
2899         process rejected by webinspectord) or if remote debugging on the
2900         JSContext was explicitly disabled via SPI.
2901
2902         When developer extras are disabled, console messages will not be stashed.
2903
2904         * inspector/JSGlobalObjectInspectorController.cpp:
2905         (Inspector::JSGlobalObjectInspectorController::developerExtrasEnabled):
2906         * inspector/JSGlobalObjectInspectorController.h:
2907
2908 2015-02-13  Benjamin Poulain  <bpoulain@apple.com>
2909
2910         Add a DFG node for the Pow Intrinsics
2911         https://bugs.webkit.org/show_bug.cgi?id=141540
2912
2913         Reviewed by Filip Pizlo.
2914
2915         Add a DFG Node for PowIntrinsic. This patch covers the basic cases
2916         needed to avoid massive regressions. I will iterate over the node to cover
2917         the missing types.
2918
2919         With this patch I get the following progressions on benchmarks:
2920         -LongSpider's math-partial-sums: +5%.
2921         -Kraken's imaging-darkroom: +17%
2922         -AsmBench's cray.c: +6.6%
2923         -CompressionBench: +2.2% globally.
2924
2925         * dfg/DFGAbstractInterpreterInlines.h:
2926         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2927         Cover a couple of trivial cases:
2928         -If the exponent is zero, the result is always one, regardless of the base.
2929         -If both arguments are constants, compute the result at compile time.
2930
2931         * dfg/DFGByteCodeParser.cpp:
2932         (JSC::DFG::ByteCodeParser::handleIntrinsic):
2933         * dfg/DFGClobberize.h:
2934         (JSC::DFG::clobberize):
2935         * dfg/DFGDoesGC.cpp:
2936         (JSC::DFG::doesGC):
2937
2938         * dfg/DFGFixupPhase.cpp:
2939         (JSC::DFG::FixupPhase::fixupNode):
2940         We only support 2 basic cases at this time:
2941         -Math.pow(double, int)
2942         -Math.pow(double, double).
2943
2944         I'll cover Math.pow(int, int) in a follow-up.
2945
2946         * dfg/DFGNode.h:
2947         (JSC::DFG::Node::convertToArithSqrt):
2948         (JSC::DFG::Node::arithNodeFlags):
2949         * dfg/DFGNodeType.h:
2950         * dfg/DFGPredictionPropagationPhase.cpp:
2951         (JSC::DFG::PredictionPropagationPhase::propagate):
2952         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
2953         * dfg/DFGSafeToExecute.h:
2954         (JSC::DFG::safeToExecute):
2955         * dfg/DFGSpeculativeJIT.cpp:
2956         (JSC::DFG::compileArithPowIntegerFastPath):
2957         (JSC::DFG::SpeculativeJIT::compileArithPow):
2958         * dfg/DFGSpeculativeJIT.h:
2959         * dfg/DFGSpeculativeJIT32_64.cpp:
2960         (JSC::DFG::SpeculativeJIT::compile):
2961         * dfg/DFGSpeculativeJIT64.cpp:
2962         (JSC::DFG::SpeculativeJIT::compile):
2963         * dfg/DFGStrengthReductionPhase.cpp:
2964         (JSC::DFG::StrengthReductionPhase::handleNode):
2965         * dfg/DFGValidate.cpp:
2966         (JSC::DFG::Validate::validate):
2967         * ftl/FTLCapabilities.cpp:
2968         (JSC::FTL::canCompile):
2969         * ftl/FTLIntrinsicRepository.h:
2970         * ftl/FTLLowerDFGToLLVM.cpp:
2971         (JSC::FTL::LowerDFGToLLVM::compileNode):
2972         (JSC::FTL::LowerDFGToLLVM::compileArithPow):
2973         * ftl/FTLOutput.h:
2974         (JSC::FTL::Output::doublePow):
2975         (JSC::FTL::Output::doublePowi):
2976         * jit/JITOperations.cpp:
2977         * jit/JITOperations.h:
2978         * runtime/MathObject.cpp:
2979         (JSC::mathProtoFuncPow):
2980         (JSC::isDenormal): Deleted.
2981         (JSC::isEdgeCase): Deleted.
2982         (JSC::mathPow): Deleted.
2983
2984         * tests/stress/math-pow-basics.js: Added.
2985         * tests/stress/math-pow-integer-exponent-fastpath.js: Added.
2986         * tests/stress/math-pow-nan-behaviors.js: Added.
2987         * tests/stress/math-pow-with-constants.js: Added.
2988         Start some basic testing of Math.pow().
2989         Due to the various transforms, the values change when the code tiers up;
2990         I covered this by checking for approximate values.
2991
2992 2015-02-13  Benjamin Poulain  <bpoulain@apple.com>
2993
2994         ArithSqrt should not be conditional on supportsFloatingPointSqrt
2995         https://bugs.webkit.org/show_bug.cgi?id=141546
2996
2997         Reviewed by Geoffrey Garen and Filip Pizlo.
2998
2999         Just fall back to the function call in the DFG codegen.
3000
3001         * dfg/DFGByteCodeParser.cpp:
3002         (JSC::DFG::ByteCodeParser::handleIntrinsic):
3003         * dfg/DFGSpeculativeJIT.cpp:
3004         (JSC::DFG::SpeculativeJIT::compileArithSqrt):
3005         * dfg/DFGSpeculativeJIT.h:
3006         * dfg/DFGSpeculativeJIT32_64.cpp:
3007         (JSC::DFG::SpeculativeJIT::compile):
3008         * dfg/DFGSpeculativeJIT64.cpp:
3009         (JSC::DFG::SpeculativeJIT::compile):
3010         * tests/stress/math-sqrt-basics.js: Added.
3011         Basic coverage.
3012
3013         * tests/stress/math-sqrt-basics-disable-architecture-specific-optimizations.js: Added.
3014         Same tests but forcing the function call.
3015
3016 2015-02-13  Michael Saboff  <msaboff@apple.com>
3017
3018         REGRESSION(r180060) New js/regress-141098 test crashes when LLInt is disabled.
3019         https://bugs.webkit.org/show_bug.cgi?id=141577
3020
3021         Reviewed by Benjamin Poulain.
3022
3023         Changed the prologue of the baseline JIT to check for stack space for all
3024         types of code blocks.  Previously, it was only checking Function.  Now
3025         it checks Program and Eval as well.
3026
3027         * jit/JIT.cpp:
3028         (JSC::JIT::privateCompile):
3029
3030 2015-02-13  Benjamin Poulain  <bpoulain@apple.com>
3031
3032         Generate incq instead of addq when the immediate value is one
3033         https://bugs.webkit.org/show_bug.cgi?id=141548
3034
3035         Reviewed by Gavin Barraclough.
3036
3037         JSC emits "addq #1 (rXX)" *a lot*.
3038         This patch replaces that with incq, which is one byte shorter
3039         and is the advised form.
3040
3041         Sunspider: +0.47%
3042         Octane: +0.28%
3043         Kraken: +0.44%
3044         AsmBench, CompressionBench: neutral.
3045
3046         * assembler/MacroAssemblerX86_64.h:
3047         (JSC::MacroAssemblerX86_64::add64):
3048         * assembler/X86Assembler.h:
3049         (JSC::X86Assembler::incq_m):
3050
3051 2015-02-13  Benjamin Poulain  <benjamin@webkit.org>
3052
3053         Little clean up of Bytecode Generator's Label
3054         https://bugs.webkit.org/show_bug.cgi?id=141557
3055
3056         Reviewed by Michael Saboff.
3057
3058         * bytecompiler/BytecodeGenerator.h:
3059         * bytecompiler/BytecodeGenerator.cpp:
3060         Label was a friend of BytecodeGenerator in order to access
3061         m_instructions. There is no need for that; BytecodeGenerator
3062         has a public getter.
3063
3064         * bytecompiler/Label.h:
3065         (JSC::Label::Label):
3066         (JSC::Label::setLocation):
3067         (JSC::BytecodeGenerator::newLabel):
3068         Make it explicit that the generator must exist.
3069
3070 2015-02-13  Michael Saboff  <msaboff@apple.com>
3071
3072         Google doc spreadsheet reproducibly crashes when sorting
3073         https://bugs.webkit.org/show_bug.cgi?id=141098
3074
3075         Reviewed by Oliver Hunt.
3076
3077         Moved the stack check to before the callee registers are allocated in the
3078         prologue() by moving it from the functionInitialization() macro.  This
3079         way we can check the stack before moving the stack pointer, avoiding a
3080         crash during a "call" instruction.  Before this change, we weren't even
3081         checking the stack for program and eval execution.
3082
3083         Made a couple of supporting changes.
3084
3085         * llint/LLIntSlowPaths.cpp:
3086         (JSC::LLInt::llint_stack_check): We can't just go up one frame as we
3087         may be processing an exception to an entry frame.
3088
3089         * llint/LowLevelInterpreter.asm:
3090
3091         * llint/LowLevelInterpreter32_64.asm:
3092         * llint/LowLevelInterpreter64.asm:
3093         (llint_throw_from_slow_path_trampoline): Changed method to get the vm
3094         from the code block to not use the codeBlock, since we may need to
3095         continue from an exception in a native function.
3096
3097 2015-02-12  Benjamin Poulain  <benjamin@webkit.org>
3098
3099         Simplify the initialization of BytecodeGenerator a bit
3100         https://bugs.webkit.org/show_bug.cgi?id=141505
3101
3102         Reviewed by Anders Carlsson.
3103
3104         * bytecompiler/BytecodeGenerator.cpp:
3105         (JSC::BytecodeGenerator::BytecodeGenerator):
3106         * bytecompiler/BytecodeGenerator.h:
3107         Set up the default initialization at the declaration level
3108         instead of the constructor.
3109
3110         Also made m_scopeNode and m_codeType const to make it explicit
3111         that they are invariant after construction.
3112
3113         * parser/Nodes.cpp:
3114         * runtime/Executable.cpp:
3115         Remove 2 useless #includes.
3116
3117 2015-02-12  Benjamin Poulain  <benjamin@webkit.org>
3118
3119         Move the generators for GetScope and SkipScope to the common core in DFGSpeculativeJIT
3120         https://bugs.webkit.org/show_bug.cgi?id=141506
3121
3122         Reviewed by Michael Saboff.
3123
3124         The generators for the nodes GetScope and SkipScope were
3125         completely identical between 32-bit and 64-bit.
3126
3127         This patch moves the duplicated code to DFGSpeculativeJIT.
3128
3129         * dfg/DFGSpeculativeJIT.cpp:
3130         (JSC::DFG::SpeculativeJIT::compileGetScope):
3131         (JSC::DFG::SpeculativeJIT::compileSkipScope):
3132         * dfg/DFGSpeculativeJIT.h:
3133         * dfg/DFGSpeculativeJIT32_64.cpp:
3134         (JSC::DFG::SpeculativeJIT::compile):
3135         * dfg/DFGSpeculativeJIT64.cpp:
3136         (JSC::DFG::SpeculativeJIT::compile):
3137
3138 2015-02-11  Brent Fulgham  <bfulgham@apple.com>
3139
3140         [Win] [64-bit] Work around MSVC2013 Runtime Bug
3141         https://bugs.webkit.org/show_bug.cgi?id=141498
3142         <rdar://problem/19803642>
3143
3144         Reviewed by Anders Carlsson.
3145
3146         Disable FMA3 instruction use in the MSVC math library to
3147         work around a VS2013 runtime crash. We can remove this
3148         workaround when we switch to VS2015.
3149
3150         * API/tests/testapi.c: Call _set_FMA3_enable(0) to disable
3151         FMA3 support.
3152         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add new files.
3153         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
3154         * JavaScriptCore.vcxproj/JavaScriptCoreDLL.cpp: Added.
3155         * JavaScriptCore.vcxproj/jsc/DLLLauncherMain.cpp: Call _set_FMA3_enable(0)
3156         to disable FMA3 support.
3157         * jsc.cpp: Ditto.
3158         * testRegExp.cpp: Ditto.
3159
3160 2015-02-11  Filip Pizlo  <fpizlo@apple.com>
3161
3162         The callee frame helpers in DFG::SpeculativeJIT should be available to other JITs
3163         https://bugs.webkit.org/show_bug.cgi?id=141493
3164
3165         Reviewed by Michael Saboff.
3166
3167         * dfg/DFGSpeculativeJIT.h:
3168         (JSC::DFG::SpeculativeJIT::calleeFrameSlot): Deleted.
3169         (JSC::DFG::SpeculativeJIT::calleeArgumentSlot): Deleted.
3170         (JSC::DFG::SpeculativeJIT::calleeFrameTagSlot): Deleted.
3171         (JSC::DFG::SpeculativeJIT::calleeFramePayloadSlot): Deleted.
3172         (JSC::DFG::SpeculativeJIT::calleeArgumentTagSlot): Deleted.
3173         (JSC::DFG::SpeculativeJIT::calleeArgumentPayloadSlot): Deleted.
3174         (JSC::DFG::SpeculativeJIT::calleeFrameCallerFrame): Deleted.
3175         * dfg/DFGSpeculativeJIT32_64.cpp:
3176         (JSC::DFG::SpeculativeJIT::emitCall):
3177         * dfg/DFGSpeculativeJIT64.cpp:
3178         (JSC::DFG::SpeculativeJIT::emitCall):
3179         * jit/AssemblyHelpers.h:
3180         (JSC::AssemblyHelpers::calleeFrameSlot):
3181         (JSC::AssemblyHelpers::calleeArgumentSlot):
3182         (JSC::AssemblyHelpers::calleeFrameTagSlot):
3183         (JSC::AssemblyHelpers::calleeFramePayloadSlot):
3184         (JSC::AssemblyHelpers::calleeArgumentTagSlot):
3185         (JSC::AssemblyHelpers::calleeArgumentPayloadSlot):
3186         (JSC::AssemblyHelpers::calleeFrameCallerFrame):
3187
3188 2015-02-11  Filip Pizlo  <fpizlo@apple.com>
3189
3190         SetupVarargsFrame should not assume that an inline stack frame would have identical layout to a normal stack frame
3191         https://bugs.webkit.org/show_bug.cgi?id=141485
3192
3193         Reviewed by Oliver Hunt.
3194         
3195         The inlineStackOffset argument was meant to make it easy for the DFG to use this helper for
3196         vararg calls from inlined code, but that doesn't work since the DFG inline call frame
3197         doesn't actually put the argument count at the JSStack::ArgumentCount offset. In fact there
3198         is really no such thing as an inlineStackOffset except when we OSR exit; while the code is
3199         running the stack layout is compacted so that the stackOffset is not meaningful.
3200
3201         * jit/JITCall.cpp:
3202         (JSC::JIT::compileSetupVarargsFrame):
3203         * jit/JITCall32_64.cpp:
3204         (JSC::JIT::compileSetupVarargsFrame):
3205         * jit/SetupVarargsFrame.cpp:
3206         (JSC::emitSetupVarargsFrameFastCase):
3207         * jit/SetupVarargsFrame.h:
3208
3209 2015-02-10  Filip Pizlo  <fpizlo@apple.com>
3210
3211         Split FTL::JSCall into the part that knows about call inline caching and the part that interacts with LLVM patchpoints
3212         https://bugs.webkit.org/show_bug.cgi?id=141455
3213
3214         Reviewed by Mark Lam.
3215         
3216         The newly introduced FTL::JSCallBase can be used to build other things, like the FTL portion
3217         of https://bugs.webkit.org/show_bug.cgi?id=141332.
3218
3219         * CMakeLists.txt:
3220         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3221         * JavaScriptCore.xcodeproj/project.pbxproj:
3222         * bytecode/CallLinkInfo.h:
3223         (JSC::CallLinkInfo::specializationKindFor):
3224         (JSC::CallLinkInfo::specializationKind):
3225         * ftl/FTLJSCall.cpp:
3226         (JSC::FTL::JSCall::JSCall):
3227         (JSC::FTL::JSCall::emit): Deleted.
3228         (JSC::FTL::JSCall::link): Deleted.
3229         * ftl/FTLJSCall.h:
3230         * ftl/FTLJSCallBase.cpp: Added.
3231         (JSC::FTL::JSCallBase::JSCallBase):
3232         (JSC::FTL::JSCallBase::emit):
3233         (JSC::FTL::JSCallBase::link):
3234         * ftl/FTLJSCallBase.h: Added.
3235
3236 2015-02-10  Filip Pizlo  <fpizlo@apple.com>
3237
3238         Unreviewed, fix build.
3239
3240         * jit/CCallHelpers.h:
3241         (JSC::CCallHelpers::setupArgumentsWithExecState):
3242
3243 2015-02-10  Filip Pizlo  <fpizlo@apple.com>
3244
3245         op_call_varargs should only load the length once
3246         https://bugs.webkit.org/show_bug.cgi?id=141440
3247         rdar://problem/19761683
3248
3249         Reviewed by Michael Saboff.
3250         
3251         Refactors the pair of calls that set up the varargs frame so that the first call returns the
3252         length, and the second call uses the length returned by the first one. It turns out that this
3253         gave me an opportunity to shorten a lot of the code.
3254
3255         * interpreter/Interpreter.cpp:
3256         (JSC::sizeFrameForVarargs):
3257         (JSC::loadVarargs):
3258         (JSC::setupVarargsFrame):
3259         (JSC::setupVarargsFrameAndSetThis):
3260         * interpreter/Interpreter.h:
3261         (JSC::calleeFrameForVarargs):
3262         * jit/CCallHelpers.h:
3263         (JSC::CCallHelpers::setupArgumentsWithExecState):
3264         * jit/JIT.h:
3265         * jit/JITCall.cpp:
3266         (JSC::JIT::compileSetupVarargsFrame):
3267         * jit/JITCall32_64.cpp:
3268         (JSC::JIT::compileSetupVarargsFrame):
3269         * jit/JITInlines.h:
3270         (JSC::JIT::callOperation):
3271         * jit/JITOperations.cpp:
3272         * jit/JITOperations.h:
3273         * jit/SetupVarargsFrame.cpp:
3274         (JSC::emitSetVarargsFrame):
3275         (JSC::emitSetupVarargsFrameFastCase):
3276         * jit/SetupVarargsFrame.h:
3277         * llint/LLIntSlowPaths.cpp:
3278         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3279         * runtime/Arguments.cpp:
3280         (JSC::Arguments::copyToArguments):
3281         * runtime/Arguments.h:
3282         * runtime/JSArray.cpp:
3283         (JSC::JSArray::copyToArguments):
3284         * runtime/JSArray.h:
3285         * runtime/VM.h:
3286         * tests/stress/call-varargs-length-effects.js: Added.
3287         (foo):
3288         (bar):
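
The property this entry fixes, shown as an added example rather than WebKit's own call-varargs-length-effects.js: an array-like whose `length` getter records every read is passed through Function.prototype.apply, and the check confirms that the callee received exactly as many arguments as the single length read reported, which is what sizing and filling the varargs frame from one load guarantees. The names makeCountingArrayLike, receiveArgs and checkLengthReadOnce are this example's own.

```javascript
// Added example, not WebKit's tests/stress/call-varargs-length-effects.js.
// A varargs call (here Function.prototype.apply) must size the callee frame
// and copy the arguments from ONE read of `length`. If an engine re-read
// `length` after sizing the frame, a getter that answers differently on the
// second read would make the copied count disagree with the frame size.

// Constructed array-like: indexed properties plus a `length` getter that
// returns successive values from `lengthSequence` and records every read.
function makeCountingArrayLike(values, lengthSequence) {
  let reads = 0;
  const obj = {};
  values.forEach((v, i) => { obj[i] = v; });
  Object.defineProperty(obj, 'length', {
    get() {
      const idx = Math.min(reads, lengthSequence.length - 1);
      reads += 1;
      return lengthSequence[idx];
    },
  });
  return { obj, getReads: () => reads };
}

// Callee: report what actually arrived in its frame.
function receiveArgs() {
  return { count: arguments.length, args: Array.prototype.slice.call(arguments) };
}

// Run one apply() call and check that the frame was filled from a single
// `length` read whose value matches the argument count the callee observed.
function checkLengthReadOnce(values, lengthSequence) {
  const { obj, getReads } = makeCountingArrayLike(values, lengthSequence);
  const result = receiveArgs.apply(null, obj);
  const reads = getReads();
  return {
    reads,
    argCount: result.count,
    args: result.args,
    // True only if `length` was read once and that read sized the frame.
    consistent: reads === 1 && result.count === lengthSequence[0],
  };
}

// A second read would report a far larger length; a conforming engine never
// performs it, so the callee sees exactly three arguments.
console.log(checkLengthReadOnce([1, 2, 3], [3, 1000]));
```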
3289
3290 2015-02-10  Michael Saboff  <msaboff@apple.com>
3291
3292         Crash in JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq
3293         https://bugs.webkit.org/show_bug.cgi?id=139398
3294
3295         Reviewed by Filip Pizlo.
3296
3297         Due to CFA analysis, the CompareStrictEq node was determined to be unreachable, but later
3298         was determined to be reachable.  When we go to lower to LLVM, the edges for the CompareStrictEq
3299         node are UntypedUse which we can't compile.  Fixed this by checking that the IR before
3300         lowering can still be handled by the FTL.
3301
3302         Had to add GetArgument as a node that the FTL can compile as the SSA conversion phase converts
3303         a SetArgument to a GetArgument.  Before this change FTL::canCompile() would never see a GetArgument
3304         node.  With the check right before lowering, we see this node.
3305
3306         * dfg/DFGPlan.cpp:
3307         (JSC::DFG::Plan::compileInThreadImpl): Added a final FTL::canCompile() check before lowering
3308         to verify that after all the transformations we still have valid IR for the FTL.
3309         * ftl/FTLCapabilities.cpp:
3310         (JSC::FTL::canCompile): Added GetArgument as a node the FTL can compile.
3311
3312 2015-02-10  Filip Pizlo  <fpizlo@apple.com>
3313
3314         Remove unused DFG::SpeculativeJIT::calleeFrameOffset().
3315
3316         Rubber stamped by Michael Saboff.
3317         
3318         Not only was this not used, I believe that the math was wrong. The callee frame doesn't
3319         actually land past m_nextMachineLocal; instead it lands just below wherever we put SP and
3320         that decision is made elsewhere. Also, it makes no sense to subtract 1 from
3321         m_nextMachineLocal when trying to deduce the number of in-use stack slots.
3322
3323         * dfg/DFGSpeculativeJIT.h:
3324         (JSC::DFG::SpeculativeJIT::calleeFrameOffset): Deleted.
3325
3326 2015-02-10  Saam Barati  <saambarati1@gmail.com>
3327
3328         Parser::parseVarDeclarationList gets the wrong JSToken for the last identifier
3329         https://bugs.webkit.org/show_bug.cgi?id=141272
3330
3331         Reviewed by Oliver Hunt.
3332
3333         This patch fixes a bug where the wrong text location would be 
3334         assigned to a variable declaration inside a ForIn/ForOf loop. 
3335         It also fixes a bug in the type profiler where the type profiler 
3336         emits the wrong text offset for a ForIn loop's variable declarator 
3337         when it's not a pattern node.
3338
3339         * bytecompiler/NodesCodegen.cpp:
3340         (JSC::ForInNode::emitLoopHeader):
3341         * parser/Parser.cpp:
3342         (JSC::Parser<LexerType>::parseVarDeclarationList):
3343         * tests/typeProfiler/loop.js:
3344         (testForIn):
3345         (testForOf):
3346
3347 2015-02-09  Saam Barati  <saambarati1@gmail.com>
3348
3349         JSC's Type Profiler doesn't profile the type of the looping variable in ForOf/ForIn loops
3350         https://bugs.webkit.org/show_bug.cgi?id=141241
3351
3352         Reviewed by Filip Pizlo.
3353
3354         Type information is now recorded for ForIn and ForOf statements. 
3355         It was an oversight to not have these statements profiled before.
3356
3357         * bytecompiler/NodesCodegen.cpp:
3358         (JSC::ForInNode::emitLoopHeader):
3359         (JSC::ForOfNode::emitBytecode):
3360         * tests/typeProfiler/loop.js: Added.
3361         (testForIn):
3362         (testForOf):
3363
3364 2015-02-09  Filip Pizlo  <fpizlo@apple.com>
3365
3366         DFG::StackLayoutPhase should always set the scopeRegister to VirtualRegister() because the DFG doesn't do anything to make its value valid
3367         https://bugs.webkit.org/show_bug.cgi?id=141412
3368
3369         Reviewed by Michael Saboff.
3370         
3371         StackLayoutPhase was attempting to ensure that the register that
3372         CodeBlock::scopeRegister() points to is the right one for the DFG. But the DFG did nothing
3373         else to maintain the validity of the scopeRegister(). It wasn't captured as far as I can
3374         tell. StackLayoutPhase didn't explicitly mark it live. PreciseLocalClobberize didn't mark
3375         it as being live. So, by the time we got here the register referred to by
3376         CodeBlock::scopeRegister() would have been junk. Moreover, CodeBlock::scopeRegister() was
3377         not used for DFG code blocks, and was hardly ever used outside of bytecode generation.
3378         
3379         So, this patch just removes the code to manipulate this field and replaces it with an
3380         unconditional setScopeRegister(VirtualRegister()). Setting it to the invalid register
3381         ensures that any attempts to read the scopeRegister in a DFG or FTL frame immediately
3382         punts.
3383
3384         * dfg/DFGStackLayoutPhase.cpp:
3385         (JSC::DFG::StackLayoutPhase::run):
3386
3387 2015-02-09  Filip Pizlo  <fpizlo@apple.com>
3388
3389         Varargs frame set-up should be factored out for use by other JITs
3390         https://bugs.webkit.org/show_bug.cgi?id=141388
3391
3392         Reviewed by Michael Saboff.
3393         
3394         Previously the code that dealt with varargs always assumed that we were setting up a varargs call
3395         frame by literally following the execution semantics of op_call_varargs. This isn't how it'll
3396         happen once the DFG and FTL do varargs calls, or when varargs calls get inlined. The DFG and FTL
3397         don't literally execute bytecode; for example their stack frame layout has absolutely nothing in
3398         common with what the bytecode says, and that will never change.
3399         
3400         This patch makes two changes:
3401         
3402         Setting up the varargs callee frame can be done in smaller steps: particularly in the case of a
3403         varargs call that gets inlined, we aren't going to actually want to set up a callee frame in
3404         full - we just want to put the arguments somewhere, and that place will not have much (if
3405         anything) in common with the call frame format. This patch factors that out into something called
3406         a loadVarargs. The thing we used to call loadVarargs is now called setupVarargsFrame. This patch
3407         also separates loading varargs from setting this, since the fact that those two things are done
3408         together is a detail made explicit in bytecode but it's not at all required in the higher-tier
3409         engines. In the process of factoring this code out, I found a bunch of off-by-one errors in the
3410         various calculations. I fixed them. The distance from the caller's frame pointer to the callee
3411         frame pointer is always:
3412         
3413             numUsedCallerSlots + argCount + 1 + CallFrameSize
3414         
3415         where numUsedCallerSlots is toLocal(firstFreeRegister) - 1, which simplifies down to just
3416         -firstFreeRegister. The code now speaks of numUsedCallerSlots rather than firstFreeRegister,
3417         since the latter is a bytecode peculiarity that doesn't apply in the DFG or FTL. In the DFG, the
3418         internally-computed frame size, minus the parameter slots, will be used for numUsedCallerSlots.
3419         In the FTL, we will essentially compute numUsedCallerSlots dynamically by subtracting SP from FP.
3420         Eventually, LLVM might give us some cleaner way of doing this, but it probably doesn't matter
3421         very much.
3422         
3423         The arguments forwarding optimization is factored out of the Baseline JIT: the DFG and FTL will
3424         want to do this optimization as well, but it involves quite a bit of code. So, this code is now
3425         factored out into SetupVarargsFrame.h|cpp, so that other JITs can use it. In the process of factoring
3426         this code out I noticed that the 32-bit and 64-bit code is nearly identical, so I combined them.
3427
3428         * CMakeLists.txt:
3429         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3430         * JavaScriptCore.xcodeproj/project.pbxproj:
3431         * bytecode/CodeBlock.h:
3432         (JSC::ExecState::r):
3433         (JSC::ExecState::uncheckedR):
3434         * bytecode/VirtualRegister.h:
3435         (JSC::VirtualRegister::operator+):
3436         (JSC::VirtualRegister::operator-):
3437         (JSC::VirtualRegister::operator+=):
3438         (JSC::VirtualRegister::operator-=):
3439         * interpreter/CallFrame.h:
3440         * interpreter/Interpreter.cpp:
3441         (JSC::sizeFrameForVarargs):
3442         (JSC::loadVarargs):
3443         (JSC::setupVarargsFrame):
3444         (JSC::setupVarargsFrameAndSetThis):
3445         * interpreter/Interpreter.h:
3446         * jit/AssemblyHelpers.h:
3447         (JSC::AssemblyHelpers::emitGetFromCallFrameHeaderPtr):
3448         (JSC::AssemblyHelpers::emitGetFromCallFrameHeader32):
3449         (JSC::AssemblyHelpers::emitGetFromCallFrameHeader64):
3450         * jit/JIT.h:
3451         * jit/JITCall.cpp:
3452         (JSC::JIT::compileSetupVarargsFrame):
3453         * jit/JITCall32_64.cpp:
3454         (JSC::JIT::compileSetupVarargsFrame):
3455         * jit/JITInlines.h:
3456         (JSC::JIT::callOperation):
3457         (JSC::JIT::emitGetFromCallFrameHeaderPtr): Deleted.
3458         (JSC::JIT::emitGetFromCallFrameHeader32): Deleted.
3459         (JSC::JIT::emitGetFromCallFrameHeader64): Deleted.
3460         * jit/JITOperations.cpp:
3461         * jit/JITOperations.h:
3462         * jit/SetupVarargsFrame.cpp: Added.
3463         (JSC::emitSetupVarargsFrameFastCase):
3464         * jit/SetupVarargsFrame.h: Added.
3465         * llint/LLIntSlowPaths.cpp:
3466         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3467         * runtime/Arguments.cpp:
3468         (JSC::Arguments::copyToArguments):
3469         * runtime/Arguments.h:
3470         * runtime/JSArray.cpp:
3471         (JSC::JSArray::copyToArguments):
3472         * runtime/JSArray.h:
3473
3474 2015-02-09  Filip Pizlo  <fpizlo@apple.com>
3475
3476         DFG call codegen should resolve the callee operand as late as possible
3477         https://bugs.webkit.org/show_bug.cgi?id=141398
3478
3479         Reviewed by Mark Lam.
3480         
3481         This is mostly a benign restructuring to help with the implementation of
3482         https://bugs.webkit.org/show_bug.cgi?id=141332.
3483
3484         * dfg/DFGSpeculativeJIT32_64.cpp:
3485         (JSC::DFG::SpeculativeJIT::emitCall):
3486         * dfg/DFGSpeculativeJIT64.cpp:
3487         (JSC::DFG::SpeculativeJIT::emitCall):
3488
3489 2015-02-08  Filip Pizlo  <fpizlo@apple.com>
3490
3491         DFG should only have two mechanisms for describing effectfulness of nodes; previously there were three
3492         https://bugs.webkit.org/show_bug.cgi?id=141369
3493
3494         Reviewed by Michael Saboff.
3495
3496         We previously used the NodeMightClobber and NodeClobbersWorld NodeFlags to describe
3497         effectfulness.  Starting over a year ago, we introduced a more powerful mechanism - the
3498         DFG::clobberize() function.  Now we only have one remaining client of the old NodeFlags,
3499         and everyone else uses DFG::clobberize().  We should get rid of those NodeFlags and
3500         finally switch everyone over to DFG::clobberize().
3501         
3502         Unfortunately there is still another place where effectfulness of nodes is described: the
3503         AbstractInterpreter. This is because the AbstractInterpreter has special tuning for
3504         compile time performance, and there are places where the AI is more precise than
3505         clobberize() because of its flow-sensitivity.
3506         
3507         This means that after this change there will be only two places, rather than three, where
3508         the effectfulness of a node has to be described:
3509
3510         - DFG::clobberize()
3511         - DFG::AbstractInterpreter
3512
3513         * dfg/DFGClobberize.cpp:
3514         (JSC::DFG::clobbersWorld):
3515         * dfg/DFGClobberize.h:
3516         * dfg/DFGDoesGC.cpp:
3517         (JSC::DFG::doesGC):
3518         * dfg/DFGFixupPhase.cpp:
3519         (JSC::DFG::FixupPhase::fixupNode):
3520         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
3521         (JSC::DFG::FixupPhase::convertToGetArrayLength):
3522         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
3523         * dfg/DFGGraph.h:
3524         (JSC::DFG::Graph::isPredictedNumerical): Deleted.
3525         (JSC::DFG::Graph::byValIsPure): Deleted.
3526         (JSC::DFG::Graph::clobbersWorld): Deleted.
3527         * dfg/DFGNode.h:
3528         (JSC::DFG::Node::convertToConstant):
3529         (JSC::DFG::Node::convertToGetLocalUnlinked):
3530         (JSC::DFG::Node::convertToGetByOffset):
3531         (JSC::DFG::Node::convertToMultiGetByOffset):
3532         (JSC::DFG::Node::convertToPutByOffset):
3533         (JSC::DFG::Node::convertToMultiPutByOffset):
3534         * dfg/DFGNodeFlags.cpp:
3535         (JSC::DFG::dumpNodeFlags):
3536         * dfg/DFGNodeFlags.h:
3537         * dfg/DFGNodeType.h:
3538
3539 2015-02-09  Csaba Osztrogonác  <ossy@webkit.org>
3540
3541         Fix the !ENABLE(DFG_JIT) build
3542         https://bugs.webkit.org/show_bug.cgi?id=141387
3543
3544         Reviewed by Darin Adler.
3545
3546         * jit/Repatch.cpp:
3547
3548 2015-02-08  Benjamin Poulain  <benjamin@webkit.org>
3549
3550         Remove a few duplicate propagation steps from the DFG's PredictionPropagation phase
3551         https://bugs.webkit.org/show_bug.cgi?id=141363
3552
3553         Reviewed by Darin Adler.
3554
3555         * dfg/DFGPredictionPropagationPhase.cpp:
3556         (JSC::DFG::PredictionPropagationPhase::propagate):
3557         Some blocks were duplicated; they probably evolved separately
3558         to the same state.
3559
3560 2015-02-08  Benjamin Poulain  <benjamin@webkit.org>
3561
3562         Remove useless declarations and a stale comment from DFGByteCodeParser.h
3563         https://bugs.webkit.org/show_bug.cgi?id=141361
3564
3565         Reviewed by Darin Adler.
3566
3567         The comment refers to the original form of the ByteCodeParser:
3568             parse(Graph&, JSGlobalData*, CodeBlock*, unsigned startIndex);
3569
3570         That form is long dead; the comment is more misleading than anything.
3571
3572         * dfg/DFGByteCodeParser.cpp:
3573         * dfg/DFGByteCodeParser.h:
3574
3575 2015-02-08  Benjamin Poulain  <benjamin@webkit.org>
3576
3577         Encapsulate DFG::Plan's beforeFTL timestamp
3578         https://bugs.webkit.org/show_bug.cgi?id=141360
3579
3580         Reviewed by Darin Adler.
3581
3582         Make the attribute private; it is internal state.
3583
3584         Rename beforeFTL->timeBeforeFTL for readability.
3585
3586         * dfg/DFGPlan.cpp:
3587         (JSC::DFG::Plan::compileInThread):
3588         (JSC::DFG::Plan::compileInThreadImpl):
3589         * dfg/DFGPlan.h:
3590
3591 2015-02-08  Benjamin Poulain  <bpoulain@apple.com>
3592
3593         Remove DFGNode::hasArithNodeFlags()
3594         https://bugs.webkit.org/show_bug.cgi?id=141319
3595
3596         Reviewed by Michael Saboff.
3597
3598         * dfg/DFGNode.h:
3599         (JSC::DFG::Node::hasArithNodeFlags): Deleted.
3600         Unused code is unused.
3601
3602 2015-02-07  Chris Dumez  <cdumez@apple.com>
3603
3604         Add Vector::removeFirstMatching() / removeAllMatching() methods taking lambda functions
3605         https://bugs.webkit.org/show_bug.cgi?id=141321
3606
3607         Reviewed by Darin Adler.
3608
3609         Use new Vector::removeFirstMatching() / removeAllMatching() methods.
3610
3611 2015-02-06  Filip Pizlo  <fpizlo@apple.com>
3612
3613         DFG SSA shouldn't have SetArgument nodes
3614         https://bugs.webkit.org/show_bug.cgi?id=141342
3615
3616         Reviewed by Mark Lam.
3617
3618         I was wondering why we kept the SetArgument around for captured
3619         variables. It turns out we did so because we thought we had to, even
3620         though we didn't have to. The node is meaningless in SSA.
3621
3622         * dfg/DFGSSAConversionPhase.cpp:
3623         (JSC::DFG::SSAConversionPhase::run):
3624         * ftl/FTLLowerDFGToLLVM.cpp:
3625         (JSC::FTL::LowerDFGToLLVM::compileNode):
3626
3627 2015-02-06  Filip Pizlo  <fpizlo@apple.com>
3628
3629         It should be possible to use the DFG SetArgument node to indicate that someone set the value of a local out-of-band
3630         https://bugs.webkit.org/show_bug.cgi?id=141337
3631
3632         Reviewed by Mark Lam.
3633
3634         This mainly involved ensuring that SetArgument behaves just like SetLocal from a CPS standpoint, but with a special case for those SetArguments that
3635         are associated with the prologue.
3636
3637         * dfg/DFGCPSRethreadingPhase.cpp:
3638         (JSC::DFG::CPSRethreadingPhase::run):
3639         (JSC::DFG::CPSRethreadingPhase::canonicalizeSet):
3640         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
3641         (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
3642         (JSC::DFG::CPSRethreadingPhase::canonicalizeSetLocal): Deleted.
3643         (JSC::DFG::CPSRethreadingPhase::canonicalizeSetArgument): Deleted.
3644
3645 2015-02-06  Mark Lam  <mark.lam@apple.com>
3646
3647         MachineThreads should be ref counted.
3648         <https://webkit.org/b/141317>
3649
3650         Reviewed by Filip Pizlo.
3651
3652         The VM's MachineThreads registry object is being referenced from other
3653         threads as a raw pointer.  In a scenario where the VM is destructed on
3654         the main thread, there is no guarantee that another thread isn't still
3655         holding a reference to the registry and will eventually invoke
3656         removeThread() on it on thread exit.  Hence, there's a possible use
3657         after free scenario here.
3658
3659         The fix is to make MachineThreads ThreadSafeRefCounted, and have all
3660         threads that reference it keep a RefPtr to it to ensure that it stays
3661         alive until the very last thread is done with it.
3662
3663         * API/tests/testapi.mm:
3664         (useVMFromOtherThread): - Renamed to be more descriptive.
3665         (useVMFromOtherThreadAndOutliveVM):
3666         - Added a test that has another thread which uses the VM outlive the
3667           VM to confirm that there is no crash.
3668
3669           However, I was not actually able to get the VM to crash without this
3670         patch because I wasn't always able to get the thread destructor to be
3671           called.  With this patch applied, I did verify with some logging that
3672           the MachineThreads registry is only destructed after all threads
3673           have removed themselves from it.
3674
3675         (threadMain): Deleted.
3676
3677         * heap/Heap.cpp:
3678         (JSC::Heap::Heap):
3679         (JSC::Heap::~Heap):
3680         (JSC::Heap::gatherStackRoots):
3681         * heap/Heap.h:
3682         (JSC::Heap::machineThreads):
3683         * heap/MachineStackMarker.cpp:
3684         (JSC::MachineThreads::Thread::Thread):
3685         (JSC::MachineThreads::addCurrentThread):
3686         (JSC::MachineThreads::removeCurrentThread):
3687         * heap/MachineStackMarker.h:
3688
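The ownership pattern behind the MachineThreads fix above, as an added stand-alone example rather than JavaScriptCore's own code: std::shared_ptr stands in for WTF's ThreadSafeRefCounted/RefPtr, and ThreadRegistry, ThreadHandle, Vm and EventLog are hypothetical stand-ins for the real types. Thread exit is modelled by a destructor so the lifetime ordering is deterministic without real threads.

```cpp
// Added example (not JavaScriptCore code). Models the registry lifetime
// problem described in the entry: the VM that created the registry is
// destroyed first, other threads still hold a reference to it and remove
// themselves on exit. With a raw pointer that removeThread() call would be
// a use-after-free; with a shared (ref-counted) pointer the registry lives
// until the last thread drops it.
#include <memory>
#include <string>
#include <vector>

// Records lifetime events so a test can check their order.
struct EventLog {
    std::vector<std::string> events;
};

// Stand-in for MachineThreads: threads add themselves and remove themselves
// again on exit.
class ThreadRegistry {
public:
    explicit ThreadRegistry(EventLog& log) : m_log(log) {}
    ~ThreadRegistry() { m_log.events.push_back("registry destroyed"); }

    void addThread() { ++m_count; m_log.events.push_back("add"); }
    void removeThread() { --m_count; m_log.events.push_back("remove"); }
    int count() const { return m_count; }

private:
    EventLog& m_log;
    int m_count = 0;
};

// Stand-in for a thread's per-thread state. Holding a shared_ptr (the RefPtr
// in the real fix) keeps the registry alive until this thread is done with
// it; holding a raw pointer here is the bug the entry describes.
class ThreadHandle {
public:
    explicit ThreadHandle(std::shared_ptr<ThreadRegistry> registry)
        : m_registry(std::move(registry)) { m_registry->addThread(); }
    ~ThreadHandle() { m_registry->removeThread(); } // "thread exit"

private:
    std::shared_ptr<ThreadRegistry> m_registry;
};

// Stand-in for the VM, which creates the registry and is destroyed first.
class Vm {
public:
    explicit Vm(EventLog& log)
        : m_log(log), m_registry(std::make_shared<ThreadRegistry>(log)) {}
    ~Vm() { m_log.events.push_back("vm destroyed"); }
    std::shared_ptr<ThreadRegistry> registry() const { return m_registry; }

private:
    EventLog& m_log;
    std::shared_ptr<ThreadRegistry> m_registry;
};

// The scenario from the entry: two threads use the VM and outlive it.
EventLog runOutliveVmScenario()
{
    EventLog log;
    {
        // Declared before the VM so their destructors (thread exit) run after
        // the VM has been destroyed.
        std::unique_ptr<ThreadHandle> threadA;
        std::unique_ptr<ThreadHandle> threadB;
        {
            Vm vm(log);
            threadA.reset(new ThreadHandle(vm.registry()));
            threadB.reset(new ThreadHandle(vm.registry()));
        } // VM gone; the registry survives because two references remain.
        // threadB, then threadA exit here. The last removal drops the final
        // reference and only then is the registry destroyed.
    }
    return log;
}

// True when the registry was destroyed only after every thread had removed
// itself, which is the property the ref-counting fix guarantees.
bool registryDestroyedLast(const EventLog& log)
{
    return !log.events.empty() && log.events.back() == "registry destroyed";
}
```

Expected event order is add, add, vm destroyed, remove, remove, registry destroyed: the VM's destruction no longer decides when the registry goes away, the last user does.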
3689 2015-02-06  Commit Queue  <commit-queue@webkit.org>
3690
3691         Unreviewed, rolling out r179743.
3692         https://bugs.webkit.org/show_bug.cgi?id=141335
3693
3694         caused missing symbols in non-WebKit clients of WTF::Vector
3695         (Requested by kling on #webkit).
3696
3697         Reverted changeset:
3698
3699         "Remove WTF::fastMallocGoodSize()."
3700         https://bugs.webkit.org/show_bug.cgi?id=141020
3701         http://trac.webkit.org/changeset/179743
3702
3703 2015-02-04  Filip Pizlo  <fpizlo@apple.com>
3704
3705         Remove BytecodeGenerator::preserveLastVar() and replace it with a more robust mechanism for preserving non-temporary registers
3706         https://bugs.webkit.org/show_bug.cgi?id=141211
3707
3708         Reviewed by Mark Lam.
3709
3710         Previously, non-temporary registers were preserved (i.e. not reclaimed anytime
3711         we did newTemporary()) by calling preserveLastVar() after all non-temps are created. It
3712         would raise the refcount on the last (highest-numbered) variable created, and rely on
3713         the fact that register reclamation started at higher-numbered registers and worked its
3714         way down. So any retained register would block any lower-numbered registers from being
3715         reclaimed.
3716         
3717         Also, preserveLastVar() sets a thing called m_firstConstantIndex. It's unused.
3718         
3719         This removes preserveLastVar() and makes addVar() retain each register it creates. This
3720         is more explicit, since addVar() is the mechanism for creating non-temporary registers.
3721         
3722         To make this work I had to remove an assertion that Register::setIndex() can only be
3723         called when the refcount is zero. This method might be called after a var is created to
3724         change its index. This previously worked because preserveLastVar() would be called after
3725         we had already made all index changes, so the vars would still have refcount zero. Now
3726         they have refcount 1. I think it's OK to lose this assertion; I can't remember this
3727         assertion ever firing in a way that alerted me to a serious issue.
3728         
3729         * bytecompiler/BytecodeGenerator.cpp:
3730         (JSC::BytecodeGenerator::BytecodeGenerator):
3731         (JSC::BytecodeGenerator::preserveLastVar): Deleted.
3732         * bytecompiler/BytecodeGenerator.h:
3733         (JSC::BytecodeGenerator::addVar):
3734         * bytecompiler/RegisterID.h:
3735         (JSC::RegisterID::setIndex):
3736
3737 2015-02-06  Andreas Kling  <akling@apple.com>
3738
3739         Remove WTF::fastMallocGoodSize().
3740         <https://webkit.org/b/141020>
3741
3742         Reviewed by Anders Carlsson.
3743
3744         * assembler/AssemblerBuffer.h:
3745         (JSC::AssemblerData::AssemblerData):
3746         (JSC::AssemblerData::grow):
3747
3748 2015-02-05  Michael Saboff  <msaboff@apple.com>
3749
3750         CodeCache is not thread safe when adding the same source from two different threads
3751         https://bugs.webkit.org/show_bug.cgi?id=141275
3752
3753         Reviewed by Mark Lam.
3754
3755         The issue for this bug is that one thread takes a cache miss in CodeCache::getGlobalCodeBlock,
3756         but in the process creates a cache entry with a nullptr UnlinkedCodeBlockType* which it
3757         will fill in later in the function.  During the body of that function, it allocates
3758         objects that may garbage collect.  During that garbage collection, we drop all the locks.
3759         While the locks are released by the first thread, another thread can enter the VM and might
3760         have exactly the same source and enter CodeCache::getGlobalCodeBlock() itself.  When it
3761         looks up the code block, it sees it as a cache hit and uses the nullptr UnlinkedCodeBlockType*
3762         and crashes.  This fixes the problem by not dropping the locks during garbage collection.
3763         There are other likely scenarios where we have a data structure like this code cache in an
3764         unsafe state for arbitrary reentrance.
3765
3766         Moved the functionality of DelayedReleaseScope directly into Heap.  Changed it into
3767         a simple list that is cleared with the new function Heap::releaseDelayedReleasedObjects.
3768         Now we accumulate objects to be released and release them when all locks are dropped or
3769         when destroying the Heap.  This eliminated the dropping and reacquiring of locks associated
3770         with the old scope form of this list.
3771
3772         Given that all functionality of DelayedReleaseScope is now used and referenced by Heap
3773         and the lock management no longer needs to be done, just made the list a member of Heap.
3774         We do need to guard against the case that releasing an object can create more objects
3775         by calling into JS.  That is why releaseDelayedReleasedObjects() is written to remove
3776         an object to release so that we aren't recursively in Vector code.  The other thing we
3777         do in releaseDelayedReleasedObjects() is to guard against recursive calls to itself using
3778         the m_delayedReleaseRecursionCount.  We only release at the first entry into the function.
3779         This case is already tested by testapi.mm.
3780
3781         * heap/DelayedReleaseScope.h: Removed file
3782
3783         * API/JSAPIWrapperObject.mm:
3784         * API/ObjCCallbackFunction.mm:
3785         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3786         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3787         * JavaScriptCore.xcodeproj/project.pbxproj:
3788         * heap/IncrementalSweeper.cpp:
3789         (JSC::IncrementalSweeper::doSweep):
3790         * heap/MarkedAllocator.cpp:
3791         (JSC::MarkedAllocator::tryAllocateHelper):
3792         (JSC::MarkedAllocator::tryAllocate):
3793         * heap/MarkedBlock.cpp:
3794         (JSC::MarkedBlock::sweep):
3795         * heap/MarkedSpace.cpp:
3796         (JSC::MarkedSpace::MarkedSpace):
3797         (JSC::MarkedSpace::lastChanceToFinalize):
3798         (JSC::MarkedSpace::didFinishIterating):
3799         * heap/MarkedSpace.h:
3800         * heap/Heap.cpp:
3801         (JSC::Heap::collectAllGarbage):
3802         (JSC::Heap::zombifyDeadObjects):
3803         Removed references to DelayedReleaseScope and DelayedReleaseScope.h.
3804
3805         * heap/Heap.cpp:
3806         (JSC::Heap::Heap): Initialized m_delayedReleaseRecursionCount.
3807         (JSC::Heap::lastChanceToFinalize): Call releaseDelayedObjectsNow() as the VM is going away.
3808         (JSC::Heap::releaseDelayedReleasedObjects): New function that releases the accumulated
3809         delayed release objects.
3810
3811         * heap/Heap.h:
3812         (JSC::Heap::m_delayedReleaseObjects): List of objects to be released later.
3813         (JSC::Heap::m_delayedReleaseRecursionCount): Counter to indicate that
3814         releaseDelayedReleasedObjects is being called recursively.
3815         * heap/HeapInlines.h:
3816         (JSC::Heap::releaseSoon): Changed location of list to add delayed release objects.
3817         
3818         * runtime/JSLock.cpp:
3819         (JSC::JSLock::willReleaseLock):
3820         Call Heap::releaseDelayedObjectsNow() when releasing the lock.
3821
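The two reentrancy hazards that the entry's releaseDelayedReleasedObjects() guards against, as an added stand-alone example that is not JavaScriptCore's code: Heap, DelayedObject, releaseSoon and the recursion counter below are hypothetical stand-ins modelled on the names in the entry, and the "release" of an object is a callback that may call back into the heap, the way releasing an object may call into JS.

```cpp
// Added example (not JavaScriptCore code). A release pass over a list of
// delayed-release objects where releasing one object may (1) enqueue more
// objects and (2) re-enter the release function. Iterating the vector
// directly would hand out references into storage that (1) can reallocate,
// and (2) would drain the list twice from nested frames. The fix from the
// entry: remove each object from the list before releasing it, and only do
// work in the outermost call.
#include <cstddef>
#include <functional>
#include <utility>
#include <vector>

class Heap;
// Stand-in for an object awaiting release: the callback is its "release".
using DelayedObject = std::function<void(Heap&)>;

class Heap {
public:
    // Queue an object to be released once all locks are dropped.
    void releaseSoon(DelayedObject object)
    {
        m_delayedReleaseObjects.push_back(std::move(object));
    }

    // Release everything queued, including objects queued while releasing.
    void releaseDelayedReleasedObjects()
    {
        // Only the first (outermost) entry does the work; a nested call
        // returns immediately and the outer loop drains what it queued.
        if (m_delayedReleaseRecursionCount)
            return;
        ++m_delayedReleaseRecursionCount;

        while (!m_delayedReleaseObjects.empty()) {
            // Take the object out of the vector first, so the release runs
            // while we hold no reference into vector storage that a
            // push_back from the callback could invalidate.
            DelayedObject object = std::move(m_delayedReleaseObjects.back());
            m_delayedReleaseObjects.pop_back();
            object(*this);
            ++m_releasedCount;
        }

        --m_delayedReleaseRecursionCount;
    }

    std::size_t pendingCount() const { return m_delayedReleaseObjects.size(); }
    std::size_t releasedCount() const { return m_releasedCount; }

private:
    std::vector<DelayedObject> m_delayedReleaseObjects;
    unsigned m_delayedReleaseRecursionCount = 0;
    std::size_t m_releasedCount = 0;
};

struct ReleaseStats {
    std::size_t released;
    std::size_t pending;
};

// Constructed scenario: releasing one object enqueues two more, one of
// which re-enters the release function while the outer pass is running.
ReleaseStats runReentrantReleaseScenario()
{
    Heap heap;
    heap.releaseSoon([](Heap& h) {
        h.releaseSoon([](Heap& inner) { inner.releaseDelayedReleasedObjects(); });
        h.releaseSoon([](Heap&) {});
    });
    heap.releaseSoon([](Heap&) {});
    heap.releaseDelayedReleasedObjects();
    return { heap.releasedCount(), heap.pendingCount() };
}
```

Four objects are released in a single outer pass and nothing is left pending; the nested call is a no-op rather than a second loop over the same list.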
3822 2015-02-05  Youenn Fablet  <youenn.fablet@crf.canon.fr> and Xabier Rodriguez Calvar <calvaris@igalia.com>
3823
3824         [Streams API] Implement a barebone ReadableStream interface
3825         https://bugs.webkit.org/show_bug.cgi?id=141045
3826
3827         Reviewed by Benjamin Poulain.
3828
3829         * Configurations/FeatureDefines.xcconfig:
3830
3831 2015-02-05  Saam Barati  <saambarati1@gmail.com>
3832
3833         Crash in uninitialized deconstructing variable.
3834         https://bugs.webkit.org/show_bug.cgi?id=141070
3835
3836         Reviewed by Michael Saboff.
3837
3838         According to the ES6 spec, when a destructuring pattern occurs
3839         as the left hand side of an assignment inside a var declaration 
3840         statement, the assignment must also have a right hand side value.
3841         "var {x} = {};" is a legal syntactic statement, but,
3842         "var {x};" is a syntactic error.
3843
3844         Section 13.2.2 of the latest draft ES6 spec specifies this requirement:
3845         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-variable-statement
3846
3847         * parser/Parser.cpp:
3848         (JSC::Parser<LexerType>::parseVarDeclaration):
3849         (JSC::Parser<LexerType>::parseVarDeclarationList):
3850         (JSC::Parser<LexerType>::parseForStatement):
3851         * parser/Parser.h:
3852
3853 2015-02-04  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
3854
3855         Unreviewed, fix a build break on EFL port since r179648.
3856
3857         * heap/MachineStackMarker.cpp: EFL port doesn't use previousThread variable. 
3858         (JSC::MachineThreads::tryCopyOtherThreadStacks):
3859
3860 2015-02-04  Joseph Pecoraro  <pecoraro@apple.com>
3861
3862         Web Inspector: ES6: Improved Console Support for Symbol Objects
3863         https://bugs.webkit.org/show_bug.cgi?id=141173
3864
3865         Reviewed by Timothy Hatcher.
3866
3867         * inspector/protocol/Runtime.json:
3868         New type, "symbol".
3869
3870         * inspector/InjectedScriptSource.js:
3871         Handle Symbol objects in a few places. They don't have properties
3872         and they cannot be implicitly converted to strings.
3873
3874 2015-02-04  Mark Lam  <mark.lam@apple.com>
3875
3876         Undo gardening: Restoring the expected ERROR message since that is not the cause of the bot unhappiness.
3877
3878         Not reviewed.
3879
3880         * heap/MachineStackMarker.cpp:
3881         (JSC::MachineThreads::tryCopyOtherThreadStacks):
3882
3883 2015-02-04  Mark Lam  <mark.lam@apple.com>
3884
3885         Gardening: Changed expected ERROR message to WARNING to make test bots happy.
3886
3887         Rubber stamped by Simon Fraser.
3888
3889         * heap/MachineStackMarker.cpp:
3890         (JSC::MachineThreads::tryCopyOtherThreadStacks):
3891
3892 2015-02-04  Mark Lam  <mark.lam@apple.com>
3893
3894         r179576 introduced a deadlock potential during GC thread suspension.
3895         <https://webkit.org/b/141268>
3896
3897         Reviewed by Michael Saboff.
3898
3899         http://trac.webkit.org/r179576 introduced a potential for deadlocking.
3900         In the GC thread suspension loop, we currently delete
3901         MachineThreads::Thread that we detect to be invalid.  This is unsafe
3902         because we may have already suspended some threads, and one of those