Web Inspector: Add Context Menus to Object Tree properties
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2015-03-02  Joseph Pecoraro  <pecoraro@apple.com>
2
3         Web Inspector: Add Context Menus to Object Tree properties
4         https://bugs.webkit.org/show_bug.cgi?id=142125
5
6         Reviewed by Timothy Hatcher.
7
8         * inspector/JSInjectedScriptHost.cpp:
9         (Inspector::JSInjectedScriptHost::functionDetails):
10         Update to include columnNumber.
11
12 2015-03-01  Filip Pizlo  <fpizlo@apple.com>
13
14         BytecodeGenerator shouldn't emit op_resolve_scope as a roundabout way of returning the scopeRegister
15         https://bugs.webkit.org/show_bug.cgi?id=142153
16
17         Reviewed by Michael Saboff.
18         
19         We don't need an op_resolve_scope if we know that it will simply return the scope register.
20         This changes the BytecodeGenerator to use the scope register directly in those cases where
21         we know statically that we would just have returned that from op_resolve_scope.
22         
23         This doesn't appear to have a significant impact on performance.
24
25         * bytecode/CodeBlock.cpp:
26         (JSC::CodeBlock::CodeBlock):
27         * bytecompiler/BytecodeGenerator.cpp:
28         (JSC::BytecodeGenerator::emitResolveScope):
29         (JSC::BytecodeGenerator::emitReturn):
30         (JSC::BytecodeGenerator::emitGetOwnScope): Deleted.
31         * bytecompiler/BytecodeGenerator.h:
32         * bytecompiler/NodesCodegen.cpp:
33         (JSC::ResolveNode::emitBytecode):
34         (JSC::EvalFunctionCallNode::emitBytecode):
35         (JSC::FunctionCallResolveNode::emitBytecode):
36         (JSC::PostfixNode::emitResolve):
37         (JSC::DeleteResolveNode::emitBytecode):
38         (JSC::TypeOfResolveNode::emitBytecode):
39         (JSC::PrefixNode::emitResolve):
40         (JSC::ReadModifyResolveNode::emitBytecode):
41         (JSC::AssignResolveNode::emitBytecode):
42         (JSC::ConstDeclNode::emitCodeSingle):
43         (JSC::EmptyVarExpression::emitBytecode):
44         (JSC::ForInNode::emitLoopHeader):
45         (JSC::ForOfNode::emitBytecode):
46         (JSC::BindingNode::bindValue):
47
48 2015-02-27  Benjamin Poulain  <bpoulain@apple.com>
49
50         [JSC] Use the way number constants are written to help type speculation
51         https://bugs.webkit.org/show_bug.cgi?id=142072
52
53         Reviewed by Filip Pizlo.
54
55         This patch changes how we interpret numeric constants based on how they appear
56         in the source.
57
58         Constants that are integers but written with a decimal point now carry that information
59         to the optimizing tiers. From there, we use that to be more aggressive about typing
60         math operations toward double operations.
61
62         For example, in:
63             var a = x + 1.0;
64             var b = y + 1;
65         The Add for a would be biased toward doubles, the Add for b would speculate
66         integer as usual.
67
68
69         The gains are tiny but this is a prerequisite to make my next patch useful:
70         -SunSpider's access-fannkuch: definitely 1.0661x faster
71         -SunSpider's math-cordic: definitely 1.0266x slower
72             overall: might be 1.0066x slower.
73         -Kraken's imaging-darkroom: definitely 1.0333x faster.
74
75         * parser/Lexer.cpp:
76         (JSC::tokenTypeForIntegerLikeToken):
77         (JSC::Lexer<T>::lex):
78         The lexer now creates two types of tokens for numbers: INTEGER and DOUBLE.
79         Those token types only carry information about how the values were
80         entered, an INTEGER does not have to be an integer, it is only written like one.
81         Large integers still end up represented as double in memory.
82
83         One trap I fell into was typing numbers like 12e3 as double. This kind of literal
84         is frequently used in integer-typed code, while 12.e3 would appear in double-typed
85         code.
86         Because of that, the only signals for double are: decimal point, negative zero,
87         and ridiculously large values.
88
89         * parser/NodeConstructors.h:
90         (JSC::DoubleNode::DoubleNode):
91         (JSC::IntegerNode::IntegerNode):
92         * parser/Nodes.h:
93         (JSC::NumberNode::value):
94         (JSC::NumberNode::setValue): Deleted.
95         Numbers get specialized into two new kinds of nodes in the AST: IntegerNode and DoubleNode.
96
97         * bytecompiler/NodesCodegen.cpp:
98         (JSC::NumberNode::emitBytecode):
99
100         * parser/ASTBuilder.h:
101         (JSC::ASTBuilder::createDoubleExpr):
102         (JSC::ASTBuilder::createIntegerExpr):
103         (JSC::ASTBuilder::createIntegerLikeNumber):
104         (JSC::ASTBuilder::createDoubleLikeNumber):
105         (JSC::ASTBuilder::createNumberFromBinaryOperation):
106         (JSC::ASTBuilder::createNumberFromUnaryOperation):
107         (JSC::ASTBuilder::makeNegateNode):
108         (JSC::ASTBuilder::makeBitwiseNotNode):
109         (JSC::ASTBuilder::makeMultNode):
110         (JSC::ASTBuilder::makeDivNode):
111         (JSC::ASTBuilder::makeModNode):
112         (JSC::ASTBuilder::makeAddNode):
113         (JSC::ASTBuilder::makeSubNode):
114         (JSC::ASTBuilder::makeLeftShiftNode):
115         (JSC::ASTBuilder::makeRightShiftNode):
116         (JSC::ASTBuilder::makeURightShiftNode):
117         (JSC::ASTBuilder::makeBitOrNode):
118         (JSC::ASTBuilder::makeBitAndNode):
119         (JSC::ASTBuilder::makeBitXOrNode):
120         (JSC::ASTBuilder::createNumberExpr): Deleted.
121         (JSC::ASTBuilder::createNumber): Deleted.
122         The AST has some optimization to resolve constants before emitting bytecode.
123         In the new code, the integer representation is kept if both operands were
124         also represented as integers.
125
126         * parser/Parser.cpp:
127         (JSC::Parser<LexerType>::parseDeconstructionPattern):
128         (JSC::Parser<LexerType>::parseProperty):
129         (JSC::Parser<LexerType>::parseGetterSetter):
130         (JSC::Parser<LexerType>::parsePrimaryExpression):
131         (JSC::Parser<LexerType>::printUnexpectedTokenText):
132         * parser/ParserTokens.h:
133         * parser/SyntaxChecker.h:
134         (JSC::SyntaxChecker::createDoubleExpr):
135         (JSC::SyntaxChecker::createIntegerExpr):
136         (JSC::SyntaxChecker::createNumberExpr): Deleted.
137
138         * bytecode/CodeBlock.cpp:
139         (JSC::CodeBlock::registerName):
140         (JSC::CodeBlock::constantName):
141         Change constantName(r, getConstant(r)) -> constantName(r) to simplify
142         the dump code.
143
144         (JSC::CodeBlock::dumpBytecode):
145         Dump the source representation information we have with each constant.
146
147         (JSC::CodeBlock::CodeBlock):
148         (JSC::CodeBlock::shrinkToFit):
149         (JSC::constantName): Deleted.
150         * bytecode/CodeBlock.h:
151         (JSC::CodeBlock::constantsSourceCodeRepresentation):
152         (JSC::CodeBlock::addConstant):
153         (JSC::CodeBlock::addConstantLazily):
154         (JSC::CodeBlock::constantSourceCodeRepresentation):
155         (JSC::CodeBlock::setConstantRegisters):
156
157         * bytecode/UnlinkedCodeBlock.h:
158         (JSC::UnlinkedCodeBlock::addConstant):
159         (JSC::UnlinkedCodeBlock::constantsSourceCodeRepresentation):
160         (JSC::UnlinkedCodeBlock::shrinkToFit):
161
162         * bytecompiler/BytecodeGenerator.cpp:
163         (JSC::BytecodeGenerator::addConstantValue):
164         (JSC::BytecodeGenerator::emitLoad):
165         * bytecompiler/BytecodeGenerator.h:
166         We have to differentiate between constants that have the same values but are
167         represented differently in the source. Values like 1.0 and 1 now end up
168         as different constants.
169
170         * dfg/DFGByteCodeParser.cpp:
171         (JSC::DFG::ByteCodeParser::get):
172         (JSC::DFG::ByteCodeParser::addConstantToGraph):
173         * dfg/DFGGraph.cpp:
174         (JSC::DFG::Graph::registerFrozenValues):
175         * dfg/DFGGraph.h:
176         (JSC::DFG::Graph::addSpeculationMode):
177         (JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
178         ArithAdd is very aggressive toward using Int52, which is quite useful
179         in many benchmarks.
180
181         Here we need to specialize to make sure we don't force our literals
182         to Int52 if they were represented as double.
183
184         There is one exception to that rule: when the other operand is guaranteed
185         to come from a NodeResultInt32. This is because there is some weird code
186         doing stuff like:
187             var b = a|0;
188             var c = b*2.0;
189
190         * dfg/DFGNode.h:
191         (JSC::DFG::Node::Node):
192         (JSC::DFG::Node::setOpAndDefaultFlags):
193         (JSC::DFG::Node::sourceCodeRepresentation):
194         * dfg/DFGPredictionPropagationPhase.cpp:
195         (JSC::DFG::PredictionPropagationPhase::propagate):
196         * runtime/JSCJSValue.h:
197         (JSC::EncodedJSValueWithRepresentationHashTraits::emptyValue):
198         (JSC::EncodedJSValueWithRepresentationHashTraits::constructDeletedValue):
199         (JSC::EncodedJSValueWithRepresentationHashTraits::isDeletedValue):
200         (JSC::EncodedJSValueWithRepresentationHash::hash):
201         (JSC::EncodedJSValueWithRepresentationHash::equal):
202         * tests/stress/arith-add-with-constants.js: Added.
203         * tests/stress/arith-mul-with-constants.js: Added.
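
Added example (not JavaScriptCore code) illustrating the rules this entry describes: a literal is classified by how it is spelled, folding keeps the integer representation only when both operands had it, and a double-spelled literal is not treated as an integer unless the other operand is a known int32 result. The names (classifyLiteral, NumberConstant, foldBinary, literalMayBeSpeculatedInt) are this example's own, and the int32 range used for "ridiculously large" is an assumption; the real threshold lives in JSC::tokenTypeForIntegerLikeToken.

```cpp
// Added example, not JavaScriptCore code: literal classification by source spelling,
// constant folding that preserves the Integer representation, and the DFG-side rule.
#include <cassert>
#include <cmath>
#include <cstdint>
#include <cstdlib>
#include <limits>
#include <string>

enum class NumberRepresentation { Integer, Double };

struct NumberConstant {
    double value;                        // every constant is stored as a double in memory
    NumberRepresentation representation; // how it was written in the source
};

// Assumption: "ridiculously large" means outside the int32 range.
static bool fitsInt32(double value)
{
    return std::trunc(value) == value
        && value >= std::numeric_limits<int32_t>::min()
        && value <= std::numeric_limits<int32_t>::max();
}

static bool isNegativeZero(double value)
{
    return value == 0 && std::signbit(value);
}

// Classify by spelling, not by value: only a decimal point, negative zero, or a value
// that does not fit int32 selects Double. "12e3" is therefore Integer, "12.e3" is Double.
NumberConstant classifyLiteral(const std::string& literal)
{
    double value = std::strtod(literal.c_str(), nullptr);
    bool hasDecimalPoint = literal.find('.') != std::string::npos;
    if (hasDecimalPoint || isNegativeZero(value) || !fitsInt32(value))
        return { value, NumberRepresentation::Double };
    return { value, NumberRepresentation::Integer };
}

// Unary minus folded at AST-build time (cf. ASTBuilder::makeNegateNode): negating 0
// yields -0, which by the rules above becomes a Double constant.
NumberConstant negate(const NumberConstant& operand)
{
    double value = -operand.value;
    bool stillInteger = operand.representation == NumberRepresentation::Integer
        && !isNegativeZero(value) && fitsInt32(value);
    return { value, stillInteger ? NumberRepresentation::Integer : NumberRepresentation::Double };
}

// Binary folding (cf. ASTBuilder::makeAddNode and friends): the result keeps the Integer
// representation only when both operands had it. Re-checking the int32 range on the
// result is this example's assumption, so overflow cannot yield a bogus "integer".
NumberConstant foldBinary(char op, const NumberConstant& lhs, const NumberConstant& rhs)
{
    double result;
    switch (op) {
    case '+': result = lhs.value + rhs.value; break;
    case '-': result = lhs.value - rhs.value; break;
    case '*': result = lhs.value * rhs.value; break;
    default:  result = std::numeric_limits<double>::quiet_NaN(); break;
    }
    bool bothInteger = lhs.representation == NumberRepresentation::Integer
        && rhs.representation == NumberRepresentation::Integer;
    bool keepInteger = bothInteger && !isNegativeZero(result) && fitsInt32(result);
    return { result, keepInteger ? NumberRepresentation::Integer : NumberRepresentation::Double };
}

// The DFG-side rule: a literal written as a double is not forced toward integer math,
// except when the other operand is known to be an int32 result (the `a|0` pattern).
bool literalMayBeSpeculatedInt(const NumberConstant& literal, bool otherOperandIsInt32Result)
{
    return literal.representation == NumberRepresentation::Integer || otherOperandIsInt32Result;
}

int main()
{
    // var a = x + 1.0 biases toward doubles; var b = y + 1 speculates integer as usual.
    assert(classifyLiteral("1.0").representation == NumberRepresentation::Double);
    assert(classifyLiteral("1").representation == NumberRepresentation::Integer);
    assert(classifyLiteral("12e3").representation == NumberRepresentation::Integer);
    assert(classifyLiteral("12.e3").representation == NumberRepresentation::Double);
    assert(negate(classifyLiteral("0")).representation == NumberRepresentation::Double);
    return 0;
}
```

The classification runs on the literal's text, so it has to happen in the lexer: once the value is a double, "1" and "1.0" are indistinguishable, which is exactly why this patch keeps them as separate constants.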
204
205 2015-02-26  Filip Pizlo  <fpizlo@apple.com>
206
207         Unreviewed, roll out r180723. It broke a bunch of tests.
208
209         * bytecompiler/BytecodeGenerator.cpp:
210         (JSC::BytecodeGenerator::constLocal):
211         * bytecompiler/BytecodeGenerator.h:
212         * bytecompiler/NodesCodegen.cpp:
213         (JSC::ConstDeclNode::emitCodeSingle):
214         * tests/stress/const-arguments.js: Removed.
215
216 2015-02-26  Mark Lam  <mark.lam@apple.com>
217
218         Assertion fix for r180711: The bool returning form of BytecodeGenerator::addVar() can be removed.
219         <https://webkit.org/b/142064>
220
221         Reviewed by Joseph Pecoraro.
222
223         * bytecompiler/BytecodeGenerator.cpp:
224         (JSC::BytecodeGenerator::addVar):
225
226 2015-02-26  Mark Lam  <mark.lam@apple.com>
227
228         MachineThreads::Thread clean up has a use after free race condition.
229         <https://webkit.org/b/141990>
230
231         Reviewed by Filip Pizlo.
232
233         MachineThreads::Thread clean up relies on the clean up mechanism
234         implemented in _pthread_tsd_cleanup_key(), which looks like this:
235
236         void _pthread_tsd_cleanup_key(pthread_t self, pthread_key_t key)
237         {
238             void (*destructor)(void *);
239             if (_pthread_key_get_destructor(key, &destructor)) {
240                 void **ptr = &self->tsd[key];
241                 void *value = *ptr;
242
243             // === Start of window for the bug to manifest =================
244
245                 // At this point, this thread has cached "destructor" and "value"
246                 // (which is a MachineThreads*).  If the VM gets destructed (along
247                 // with its MachineThreads registry) by another thread, then this
248                 // thread will have no way of knowing that the MachineThreads* is
249                 // now pointing to freed memory.  Calling the destructor below will
250                 // therefore result in a use after free scenario when it tries to
251                 // access the MachineThreads' data members.
252
253                 if (value) {
254                     *ptr = NULL;
255                     if (destructor) {
256
257             // === End of window for the bug to manifest ==================
258
259                         destructor(value);
260                     }
261                 }
262             }
263         }
264
265         The fix is to add each active MachineThreads to an ActiveMachineThreadsManager,
266         and always check if the manager still contains that MachineThreads object
267         before we call removeCurrentThread() on it.  When MachineThreads is destructed,
268         it will remove itself from the manager.  The add, remove, and checking
269         operations are all synchronized on the manager's lock, thereby ensuring that
270         the MachineThreads object, if found in the manager, will remain alive for the
271         duration of time we call removeCurrentThread() on it.
272
273         It's also possible for the MachineThreads object to already be destructed
274         and for another one to have been instantiated at the same address.
275         Hence, we should only remove the exiting thread if it is found in the
276         MachineThreads object.
277
278         There is no test for this issue because this bug requires a race condition
279         between 2 threads where:
280         1. Thread B, which had previously used the VM, exiting and
281            getting to the bug window shown in _pthread_tsd_cleanup_key() above.
282         2. Thread A destructing the VM (and its MachineThreads object)
283            within that window of time before Thread B calls the destructor.
284
285         It is not possible to get a reliable test case without invasively
286         instrumenting _pthread_tsd_cleanup_key() or MachineThreads::removeCurrentThread()
287         to significantly increase that window of opportunity.
288
289         * heap/MachineStackMarker.cpp:
290         (JSC::ActiveMachineThreadsManager::Locker::Locker):
291         (JSC::ActiveMachineThreadsManager::add):
292         (JSC::ActiveMachineThreadsManager::remove):
293         (JSC::ActiveMachineThreadsManager::contains):
294         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager):
295         (JSC::activeMachineThreadsManager):
296         (JSC::MachineThreads::MachineThreads):
297         (JSC::MachineThreads::~MachineThreads):
298         (JSC::MachineThreads::removeThread):
299         (JSC::MachineThreads::removeThreadIfFound):
300         (JSC::MachineThreads::removeCurrentThread): Deleted.
301         * heap/MachineStackMarker.h:
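
Added example (not WebKit code) of the fix pattern this entry describes: a process-wide manager of live registries guarded by one lock, registries that add themselves on construction and remove themselves on destruction, and a thread-exit cleanup that checks membership under that lock before touching the possibly-stale pointer, then removes the thread only if it is actually present. The names (ActiveRegistryManager, ThreadRegistry, threadExitCleanup) and the integer thread ids are this example's own stand-ins; the race is reduced to single-threaded scenarios so each case is deterministic.

```cpp
// Added example, not WebKit code: registry-with-lock pattern that prevents a TSD
// destructor from dereferencing a freed MachineThreads-like object.
#include <cassert>
#include <memory>
#include <mutex>
#include <set>

class ThreadRegistry;

// Stands in for ActiveMachineThreadsManager: the set of registries that are still alive.
// add/remove/contains are all serialized on one lock.
class ActiveRegistryManager {
public:
    void add(ThreadRegistry* r) { std::lock_guard<std::mutex> g(m_lock); m_live.insert(r); }
    void remove(ThreadRegistry* r) { std::lock_guard<std::mutex> g(m_lock); m_live.erase(r); }
    // The caller holds lock() across containsLocked() and the work that follows, so a
    // registry found here cannot be destroyed by another thread until the caller is done:
    // its destructor would block in remove() on the same lock.
    std::mutex& lock() { return m_lock; }
    bool containsLocked(ThreadRegistry* r) const { return m_live.count(r) != 0; }
private:
    std::mutex m_lock;
    std::set<ThreadRegistry*> m_live;
};

ActiveRegistryManager& manager()
{
    static ActiveRegistryManager instance;
    return instance;
}

// Stands in for MachineThreads: registers itself on construction, deregisters on destruction.
class ThreadRegistry {
public:
    ThreadRegistry() { manager().add(this); }
    ~ThreadRegistry() { manager().remove(this); }
    void addThread(int threadId) { m_threads.insert(threadId); }
    // Like removeThreadIfFound: a thread this registry never saw is ignored, which is what
    // happens when a new registry was allocated at the address of a destroyed one.
    bool removeThreadIfFound(int threadId) { return m_threads.erase(threadId) != 0; }
private:
    std::set<int> m_threads;
};

// The TSD destructor's job. `value` is whatever the exiting thread cached, possibly stale.
// Returns 0 if the registry is gone (pointer rejected), 1 if the thread was removed,
// 2 if the registry is alive but never held this thread.
int threadExitCleanup(void* value, int threadId)
{
    ThreadRegistry* registry = static_cast<ThreadRegistry*>(value);
    std::lock_guard<std::mutex> g(manager().lock());
    if (!manager().containsLocked(registry))
        return 0; // destroyed in the window; dereferencing here would be the use after free
    return registry->removeThreadIfFound(threadId) ? 1 : 2;
}

// Scenario 1: registry alive, thread present.
int scenarioLiveRegistry()
{
    ThreadRegistry registry;
    registry.addThread(7);
    return threadExitCleanup(&registry, 7);
}

// Scenario 2: the VM (and its registry) was torn down before the exiting thread's
// destructor ran. The cached pointer is stale and must not be dereferenced.
int scenarioDestroyedRegistry()
{
    std::unique_ptr<ThreadRegistry> registry(new ThreadRegistry);
    registry->addThread(7);
    void* stale = registry.get();
    registry.reset(); // ~ThreadRegistry removes itself from the manager
    return threadExitCleanup(stale, 7);
}

// Scenario 3: a registry is alive at the pointer, but it is a different one that never
// registered this thread (the address-reuse case), so nothing is removed.
int scenarioReusedAddress()
{
    ThreadRegistry replacement;
    replacement.addThread(9);
    return threadExitCleanup(&replacement, 7);
}

int main()
{
    assert(scenarioLiveRegistry() == 1);
    assert(scenarioDestroyedRegistry() == 0);
    assert(scenarioReusedAddress() == 2);
    return 0;
}
```

The essential property is that the membership check and the subsequent use happen under the same lock that the destructor takes; checking and then releasing the lock before use would reopen the window.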
302
303 2015-02-26  Joseph Pecoraro  <pecoraro@apple.com>
304
305         Web Inspector: Save Console Evaluations into Command Line variables $1-$99 ($n)
306         https://bugs.webkit.org/show_bug.cgi?id=142061
307
308         Reviewed by Timothy Hatcher.
309
310         * inspector/protocol/Debugger.json:
311         * inspector/protocol/Runtime.json:
312         Input flag "saveResult" on whether we should try to save a result.
313         Output int "savedResultIndex" to tell the frontend the saved state.
314
315         * inspector/InjectedScriptSource.js:
316         Handle saving and clearing $1-$99 values.
317         Include in BasicCommandLineAPI for JSContext inspection.
318
319         * inspector/InjectedScriptBase.cpp:
320         (Inspector::InjectedScriptBase::makeEvalCall):
321         * inspector/InjectedScriptBase.h:
322         Allow an optional "savedResultIndex" out value on evals.
323
324         * inspector/InjectedScript.cpp:
325         (Inspector::InjectedScript::evaluate):
326         (Inspector::InjectedScript::evaluateOnCallFrame):
327         * inspector/InjectedScript.h:
328         * inspector/agents/InspectorDebuggerAgent.cpp:
329         (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
330         * inspector/agents/InspectorDebuggerAgent.h:
331         * inspector/agents/InspectorRuntimeAgent.cpp:
332         (Inspector::InspectorRuntimeAgent::evaluate):
333         * inspector/agents/InspectorRuntimeAgent.h:
334         Plumbing for new in and out parameters.
335
336 2015-02-26  Filip Pizlo  <fpizlo@apple.com>
337
338         The bool returning form of BytecodeGenerator::addVar() can be removed
339         https://bugs.webkit.org/show_bug.cgi?id=142064
340
341         Reviewed by Mark Lam.
342         
343         It's easier to implement addVar() when you don't have to return whether it's a new
344         variable or not.
345
346         * bytecompiler/BytecodeGenerator.cpp:
347         (JSC::BytecodeGenerator::addVar):
348         * bytecompiler/BytecodeGenerator.h:
349         (JSC::BytecodeGenerator::addVar): Deleted.
350
351 2015-02-26  Filip Pizlo  <fpizlo@apple.com>
352
353         Various array access corner cases should take OSR exit feedback
354         https://bugs.webkit.org/show_bug.cgi?id=142056
355
356         Reviewed by Geoffrey Garen.
357         
358         Two major changes here:
359         
360         - Don't keep converting GetById into GetArrayLength if we exited due to any kind of array
361           type check.
362         
363         - Use a generic form of GetByVal/PutByVal if we exited due to any kind of exotic checks,
364           like the Arguments safety checks. We use the "ExoticObjectMode" for out-of-bounds on
365           arguments for now, since it's a convenient way of forcing out-of-bounds to be handled by
366           the Generic array mode.
367
368         * bytecode/ExitKind.cpp:
369         (JSC::exitKindToString):
370         * bytecode/ExitKind.h:
371         * dfg/DFGArrayMode.cpp:
372         (JSC::DFG::ArrayMode::refine):
373         * dfg/DFGFixupPhase.cpp:
374         (JSC::DFG::FixupPhase::fixupNode):
375         * dfg/DFGSpeculativeJIT.cpp:
376         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
377         (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
378         * tests/stress/array-length-array-storage-plain-object.js: Added.
379         (foo):
380         * tests/stress/array-length-plain-object.js: Added.
381         (foo):
382
383 2015-02-25  Filip Pizlo  <fpizlo@apple.com>
384
385         DFG SSA stack accesses shouldn't speak of VariableAccessDatas
386         https://bugs.webkit.org/show_bug.cgi?id=142036
387
388         Reviewed by Michael Saboff.
389         
390         VariableAccessData is a useful thing in LoadStore and ThreadedCPS, but it's purely harmful in
391         SSA because you can't cook up new VariableAccessDatas. So, if you know that you want to load
392         or store to the stack, and you know what format to use as well as the location, then prior to
393         this patch you couldn't do it unless you found some existing VariableAccessData that matched
394         your requirements. That can be a hard task.
395         
396         It's better if SSA doesn't speak of VariableAccessDatas but instead just has stack accesses
397         that speak of the things that a stack access needs: local, machineLocal, and format. This
398         patch changes the SSA way of accessing the stack to do just that.
399         
400         Also add more IR validation.
401
402         * CMakeLists.txt:
403         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
404         * JavaScriptCore.xcodeproj/project.pbxproj:
405         * dfg/DFGAbstractInterpreterInlines.h:
406         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
407         * dfg/DFGClobberize.h:
408         (JSC::DFG::clobberize):
409         * dfg/DFGConstantFoldingPhase.cpp:
410         (JSC::DFG::ConstantFoldingPhase::foldConstants):
411         * dfg/DFGDoesGC.cpp:
412         (JSC::DFG::doesGC):
413         * dfg/DFGFixupPhase.cpp:
414         (JSC::DFG::FixupPhase::fixupNode):
415         * dfg/DFGFlushFormat.h:
416         (JSC::DFG::isConcrete):
417         * dfg/DFGGraph.cpp:
418         (JSC::DFG::Graph::dump):
419         * dfg/DFGGraph.h:
420         * dfg/DFGMayExit.cpp:
421         (JSC::DFG::mayExit):
422         * dfg/DFGNode.cpp:
423         (JSC::DFG::Node::hasVariableAccessData):
424         * dfg/DFGNode.h:
425         (JSC::DFG::StackAccessData::StackAccessData):
426         (JSC::DFG::StackAccessData::flushedAt):
427         (JSC::DFG::Node::convertToPutStack):
428         (JSC::DFG::Node::convertToGetStack):
429         (JSC::DFG::Node::hasUnlinkedLocal):
430         (JSC::DFG::Node::hasStackAccessData):
431         (JSC::DFG::Node::stackAccessData):
432         (JSC::DFG::Node::willHaveCodeGenOrOSR):
433         * dfg/DFGNodeType.h:
434         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
435         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
436         * dfg/DFGPlan.cpp:
437         (JSC::DFG::Plan::compileInThreadImpl):
438         * dfg/DFGPredictionPropagationPhase.cpp:
439         (JSC::DFG::PredictionPropagationPhase::propagate):
440         * dfg/DFGPutLocalSinkingPhase.cpp: Removed.
441         * dfg/DFGPutLocalSinkingPhase.h: Removed.
442         * dfg/DFGPutStackSinkingPhase.cpp: Copied from Source/JavaScriptCore/dfg/DFGPutLocalSinkingPhase.cpp.
443         (JSC::DFG::performPutStackSinking):
444         (JSC::DFG::performPutLocalSinking): Deleted.
445         * dfg/DFGPutStackSinkingPhase.h: Copied from Source/JavaScriptCore/dfg/DFGPutLocalSinkingPhase.h.
446         * dfg/DFGSSAConversionPhase.cpp:
447         (JSC::DFG::SSAConversionPhase::run):
448         * dfg/DFGSafeToExecute.h:
449         (JSC::DFG::safeToExecute):
450         * dfg/DFGSpeculativeJIT32_64.cpp:
451         (JSC::DFG::SpeculativeJIT::compile):
452         * dfg/DFGSpeculativeJIT64.cpp:
453         (JSC::DFG::SpeculativeJIT::compile):
454         * dfg/DFGStackLayoutPhase.cpp:
455         (JSC::DFG::StackLayoutPhase::run):
456         * dfg/DFGValidate.cpp:
457         (JSC::DFG::Validate::validate):
458         (JSC::DFG::Validate::validateCPS):
459         (JSC::DFG::Validate::validateSSA):
460         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
461         (JSC::DFG::VirtualRegisterAllocationPhase::run):
462         * ftl/FTLCapabilities.cpp:
463         (JSC::FTL::canCompile):
464         * ftl/FTLLowerDFGToLLVM.cpp:
465         (JSC::FTL::LowerDFGToLLVM::lower):
466         (JSC::FTL::LowerDFGToLLVM::compileNode):
467         (JSC::FTL::LowerDFGToLLVM::compileGetStack):
468         (JSC::FTL::LowerDFGToLLVM::compilePutStack):
469         (JSC::FTL::LowerDFGToLLVM::compileGetLocal): Deleted.
470         (JSC::FTL::LowerDFGToLLVM::compilePutLocal): Deleted.
471         * ftl/FTLOSRExit.h:
472         * tests/stress/many-sunken-locals.js: Added. This failure mode was caught by some miscellaneous test, so I figured I should write an explicit test for it.
473         (foo):
474         (bar):
475         (baz):
476         (fuzz):
477         (buzz):
478
479 2015-02-26  Mark Lam  <mark.lam@apple.com>
480
481         Rolling out r180602, r180608, r180613, r180617, r180671.
482         <https://webkit.org/b/141990>
483
484         Not reviewed.
485
486         The r180602 solution does result in more work for GC when worker
487         threads are in use.  Filip is uncomfortable with that.
488         The EFL and GTK ports also seem to be unhappy with this change.
489         Rolling out while we investigate.
490
491         * heap/Heap.cpp:
492         (JSC::Heap::Heap):
493         (JSC::Heap::gatherStackRoots):
494         (JSC::Heap::machineThreads): Deleted.
495         * heap/Heap.h:
496         (JSC::Heap::machineThreads):
497         * heap/MachineStackMarker.cpp:
498         (JSC::MachineThreads::MachineThreads):
499         (JSC::MachineThreads::~MachineThreads):
500         (JSC::MachineThreads::addCurrentThread):
501         * heap/MachineStackMarker.h:
502         * runtime/JSLock.cpp:
503         (JSC::JSLock::didAcquireLock):
504
505 2015-02-26  Myles C. Maxfield  <mmaxfield@apple.com>
506
507         [Mac] [iOS] Parsing support for -apple-trailing-word
508         https://bugs.webkit.org/show_bug.cgi?id=141939
509
510         Reviewed by Andreas Kling.
511
512         * Configurations/FeatureDefines.xcconfig:
513
514 2015-02-26  Michael Saboff  <msaboff@apple.com>
515
516         [Win] Debug-only JavaScriptCore failures
517         https://bugs.webkit.org/show_bug.cgi?id=142045
518
519         Rubber stamped by Filip Pizlo.
520
521         Reduced loop count to a more reasonable value of 10,000.  This still gets us to tier up
522         to the FTL, but doesn't take too long to run.
523
524         * tests/stress/repeated-arity-check-fail.js:
525
526 2015-02-26  Brent Fulgham  <bfulgham@apple.com>
527
528         [Win] Make build logs more legible by reducing noise
529         https://bugs.webkit.org/show_bug.cgi?id=142034
530
531         Reviewed by Alexey Proskuryakov.
532
533         Modify batch files, makefiles, and DOS commands to remove
534         uninteresting/unhelpful output.
535
536         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
537         * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd:
538         * JavaScriptCore.vcxproj/copy-files.cmd:
539         * JavaScriptCore.vcxproj/jsc/jscLauncherPreBuild.cmd:
540         * JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd:
541         * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncherPreBuild.cmd:
542         * JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd:
543         * JavaScriptCore.vcxproj/testapi/testapiLauncherPostBuild.cmd:
544         * JavaScriptCore.vcxproj/testapi/testapiLauncherPreBuild.cmd:
545         * JavaScriptCore.vcxproj/testapi/testapiPostBuild.cmd:
546         * JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd:
547
548 2015-02-26  Csaba Osztrogonác  <ossy@webkit.org>
549
550         Add calleeSaveRegisters() implementation for ARM Traditional
551         https://bugs.webkit.org/show_bug.cgi?id=141903
552
553         Reviewed by Darin Adler.
554
555         * jit/RegisterSet.cpp:
556         (JSC::RegisterSet::calleeSaveRegisters):
557
558 2015-02-25  Michael Saboff  <msaboff@apple.com>
559
560         Web Inspector: CRASH when debugger pauses inside a Promise handler
561         https://bugs.webkit.org/show_bug.cgi?id=141396
562
563         Reviewed by Mark Lam.
564
565         For frames that don't have a scope, typically native frames, use the lexicalGlobalObject to
566         create the DebuggerScope for that frame.
567
568         * debugger/DebuggerCallFrame.cpp:
569         (JSC::DebuggerCallFrame::scope):
570
571 2015-02-25  Filip Pizlo  <fpizlo@apple.com>
572
573         DFG abstract heaps should respect the difference between heap and stack
574         https://bugs.webkit.org/show_bug.cgi?id=142022
575
576         Reviewed by Geoffrey Garen.
577         
578         We will soon (https://bugs.webkit.org/show_bug.cgi?id=141174) be in a world where a "world
579         clobbering" operation cannot write to our stack, but may be able to read from it. This
580         means that we need to change the DFG abstract heap hierarchy to have a notion of Heap that
581         subsumes all that World previously subsumed, and a new notion of Stack that is a subtype
582         of World and a sibling of Heap.
583
584         So, henceforth "clobbering the world" means reading World and writing Heap.
585         
586         This makes a bunch of changes to make this work, including changing the implementation of
587         disjointness in AbstractHeap to make it support a more general hierarchy. I was expecting
588         a slow-down, but I measured the heck out of this and found no perf difference.
589
590         * dfg/DFGAbstractHeap.cpp:
591         (JSC::DFG::AbstractHeap::dump):
592         * dfg/DFGAbstractHeap.h:
593         (JSC::DFG::AbstractHeap::supertype):
594         (JSC::DFG::AbstractHeap::isStrictSubtypeOf):
595         (JSC::DFG::AbstractHeap::isSubtypeOf):
596         (JSC::DFG::AbstractHeap::overlaps):
597         (JSC::DFG::AbstractHeap::isDisjoint):
598         * dfg/DFGClobberize.cpp:
599         (JSC::DFG::clobbersHeap):
600         (JSC::DFG::clobbersWorld): Deleted.
601         * dfg/DFGClobberize.h:
602         (JSC::DFG::clobberize):
603         * dfg/DFGDoesGC.cpp:
604         (JSC::DFG::doesGC):
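
Added example (not DFG code) of the hierarchy this entry describes: World at the root, Heap and Stack as siblings beneath it, with overlap and disjointness computed by walking supertype chains so the test works for any depth. The leaf kinds (NamedProperties, CallFrameSlot) and the function names (supertype, isSubtypeOf, mustOrder) are this example's own stand-ins; it also includes the pre-patch "write World" effect purely to contrast the two models.

```cpp
// Added example, not DFG code: an abstract-heap lattice where Stack is a sibling of
// Heap under World, and "clobbering the world" reads World but writes only Heap.
#include <cassert>
#include <vector>

enum class HeapKind { World, Heap, Stack, NamedProperties, CallFrameSlot };

// Parent of each kind; World is the root. The two leaves are stand-ins for the concrete
// heaps DFG defines below Heap and Stack.
HeapKind supertype(HeapKind kind)
{
    switch (kind) {
    case HeapKind::Heap:
    case HeapKind::Stack:
        return HeapKind::World;
    case HeapKind::NamedProperties:
        return HeapKind::Heap;
    case HeapKind::CallFrameSlot:
        return HeapKind::Stack;
    default:
        return HeapKind::World;
    }
}

// Reflexive: a kind is a subtype of itself. Walks up to World, so it works at any depth.
bool isSubtypeOf(HeapKind a, HeapKind b)
{
    for (;;) {
        if (a == b)
            return true;
        if (a == HeapKind::World)
            return false;
        a = supertype(a);
    }
}

bool overlaps(HeapKind a, HeapKind b) { return isSubtypeOf(a, b) || isSubtypeOf(b, a); }
bool isDisjoint(HeapKind a, HeapKind b) { return !overlaps(a, b); }

struct Effects {
    std::vector<HeapKind> reads;
    std::vector<HeapKind> writes;
};

// After this patch: read World, write Heap. The stack is readable but not writable.
Effects clobberWorld() { return { { HeapKind::World }, { HeapKind::Heap } }; }
// Before this patch (for contrast): a world clobber wrote World, i.e. the stack too.
Effects legacyClobberWorld() { return { { HeapKind::World }, { HeapKind::World } }; }
Effects getStack() { return { { HeapKind::CallFrameSlot }, {} }; }
Effects putStack() { return { {}, { HeapKind::CallFrameSlot } }; }

static bool anyOverlap(const std::vector<HeapKind>& a, const std::vector<HeapKind>& b)
{
    for (HeapKind x : a)
        for (HeapKind y : b)
            if (overlaps(x, y))
                return true;
    return false;
}

// Must `later` stay after `earlier`? Yes if any write of one overlaps a read or write of the other.
bool mustOrder(const Effects& earlier, const Effects& later)
{
    return anyOverlap(earlier.writes, later.reads)   // read after write
        || anyOverlap(earlier.writes, later.writes)  // write after write
        || anyOverlap(earlier.reads, later.writes);  // write after read
}

int main()
{
    assert(isDisjoint(HeapKind::Stack, HeapKind::Heap));
    // A stack read after a world clobber is now independent of it; it was not before.
    assert(!mustOrder(clobberWorld(), getStack()));
    assert(mustOrder(legacyClobberWorld(), getStack()));
    // A stack write before a world clobber is still ordered, because the clobber reads World.
    assert(mustOrder(putStack(), clobberWorld()));
    return 0;
}
```

The disjointness test is where the generality comes from: with siblings under World, two kinds overlap only if one is an ancestor of the other, so a Stack access and a Heap write never conflict while both still conflict with a World read.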
605
606 2015-02-25  Ryosuke Niwa  <rniwa@webkit.org>
607
608         REGRESSION(r180595): construct varargs fails in FTL
609         https://bugs.webkit.org/show_bug.cgi?id=142030
610
611         Reviewed by Geoffrey Garen.
612
613         The bug was caused by IC size being too small for construct_varargs even though we've added a new argument.
614         Fixed the bug by increasing the IC size to match call_varargs.
615
616         * ftl/FTLInlineCacheSize.cpp:
617         (JSC::FTL::sizeOfConstructVarargs):
618
619 2015-02-25  Mark Lam  <mark.lam@apple.com>
620
621         ASan does not like JSC::MachineThreads::tryCopyOtherThreadStack.
622         <https://webkit.org/b/141672>
623
624         Reviewed by Alexey Proskuryakov.
625
626         ASan does not like the fact that we memcpy the stack for GC scans.  So,
627         we're working around this by using our own memcpy (asanUnsafeMemcpy)
628         implementation that we can tell ASan to ignore.
629
630         * heap/MachineStackMarker.cpp:
631         (JSC::asanUnsafeMemcpy):
632
633 2015-02-25  Benjamin Poulain  <bpoulain@apple.com>
634
635         CodeBlock crashes when dumping op_push_name_scope
636         https://bugs.webkit.org/show_bug.cgi?id=141953
637
638         Reviewed by Filip Pizlo and Csaba Osztrogonác.
639
640         * bytecode/CodeBlock.cpp:
641         (JSC::CodeBlock::dumpBytecode):
642         * tests/stress/op-push-name-scope-crashes-profiler.js: Added.
643
644 2015-02-25  Benjamin Poulain  <benjamin@webkit.org>
645
646         Make ParserError immutable by design
647         https://bugs.webkit.org/show_bug.cgi?id=141955
648
649         Reviewed by Geoffrey Garen.
650
651         This patch enforces that no field of ParserError can
652         be modified after the constructor.
653
654         * parser/ParserError.h:
655         Move the attributes to pack the integer + 2 bytes together.
656         This is irrelevant for memory impact; it is to remove a load-store
657         when copying by value.
658
659         Also move the attributes to be private.
660
661         (JSC::ParserError::isValid):
662         No client of the interface cared about the type of the error;
663         the only information needed was: is there an error.
664
665         (JSC::ParserError::ParserError):
666         (JSC::ParserError::syntaxErrorType):
667         (JSC::ParserError::token):
668         (JSC::ParserError::message):
669         (JSC::ParserError::line):
670         (JSC::ParserError::toErrorObject):
671         * API/JSScriptRef.cpp:
672         * builtins/BuiltinExecutables.cpp:
673         (JSC::BuiltinExecutables::createBuiltinExecutable):
674         * bytecode/UnlinkedCodeBlock.cpp:
675         (JSC::generateFunctionCodeBlock):
676         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
677         (JSC::UnlinkedFunctionExecutable::codeBlockFor):
678         * bytecode/UnlinkedCodeBlock.h:
679         * inspector/agents/InspectorRuntimeAgent.cpp:
680         (Inspector::InspectorRuntimeAgent::parse):
681         * jsc.cpp:
682         (runInteractive):
683         * parser/Parser.h:
684         (JSC::parse):
685         * runtime/CodeCache.cpp:
686         (JSC::CodeCache::getGlobalCodeBlock):
687         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
688         * runtime/CodeCache.h:
689         * runtime/Completion.h:
690         * runtime/Executable.cpp:
691         (JSC::ProgramExecutable::checkSyntax):
692         * runtime/JSGlobalObject.cpp:
693         (JSC::JSGlobalObject::createProgramCodeBlock):
694         (JSC::JSGlobalObject::createEvalCodeBlock):
695
696 2015-02-25  Filip Pizlo  <fpizlo@apple.com>
697
698         Need to pass RTLD_DEEPBIND to dlopen() to ensure that our LLVMOverrides take effect on Linux
699         https://bugs.webkit.org/show_bug.cgi?id=142006
700
701         Reviewed by Csaba Osztrogonác.
702
703         This fixes hard-to-reproduce concurrency-related crashes when running stress tests with FTL and
704         concurrent JIT enabled.
705
706         * llvm/InitializeLLVMPOSIX.cpp:
707         (JSC::initializeLLVMPOSIX):
708
709 2015-02-24  Filip Pizlo  <fpizlo@apple.com>
710
711         CMake build of libllvmForJSC.so should limit its export list like the Xcode build does
712         https://bugs.webkit.org/show_bug.cgi?id=141989
713
714         Reviewed by Gyuyoung Kim.
715
716         * CMakeLists.txt:
717         * llvm/library/libllvmForJSC.version: Added.
718
719 2015-02-24  Alexey Proskuryakov  <ap@apple.com>
720
721         More iOS build fix after r180602.
722
723         * heap/Heap.h: Export Heap::machineThreads().
724
725 2015-02-24  Brent Fulgham  <bfulgham@apple.com>
726
727         Unreviewed build fix after r180602.
728
729         * heap/MachineStackMarker.h: Add missing 'no return'
730         declaration for Windows.
731
732 2015-02-24  Commit Queue  <commit-queue@webkit.org>
733
734         Unreviewed, rolling out r180599.
735         https://bugs.webkit.org/show_bug.cgi?id=141998
736
737         Lots of new test failures (Requested by smfr on #webkit).
738
739         Reverted changeset:
740
741         "Parsing support for -webkit-trailing-word"
742         https://bugs.webkit.org/show_bug.cgi?id=141939
743         http://trac.webkit.org/changeset/180599
744
745 2015-02-24  Mark Lam  <mark.lam@apple.com>
746
747         MachineThreads::Thread clean up has a use after free race condition.
748         <https://webkit.org/b/141990>
749
750         Reviewed by Michael Saboff.
751
752         MachineThreads::Thread clean up relies on the clean up mechanism
753         implemented in _pthread_tsd_cleanup_key(), which looks like this:
754
755         void _pthread_tsd_cleanup_key(pthread_t self, pthread_key_t key)
756         {
757             void (*destructor)(void *);
758             if (_pthread_key_get_destructor(key, &destructor)) {
759                 void **ptr = &self->tsd[key];
760                 void *value = *ptr;
761
762                 // At this point, this thread has cached "destructor" and "value"
763                 // (which is a MachineThreads*).  If the VM gets destructed (along
764                 // with its MachineThreads registry) by another thread, then this
765                 // thread will have no way of knowing that the MachineThreads* is
766                 // now pointing to freed memory.  Calling the destructor below will
767                 // therefore result in a use after free scenario when it tries to
768                 // access the MachineThreads' data members.
769
770                 if (value) {
771                     *ptr = NULL;
772                     if (destructor) {
773                         destructor(value);
774                     }
775                 }
776             }
777         }
778
779         The solution is simply to change MachineThreads from a per VM thread
780         registry to a process global singleton thread registry, i.e. the
781         MachineThreads registry is now immortal and we cannot have a use after
782         free scenario since we never free it.
783
784         The cost of this change is that all VM instances will have to scan
785         stacks of all threads ever touched by a VM, and not just those that
786         touched a specific VM.  However, stacks tend to be shallow.  Hence,
787         those additional scans will tend to be cheap.
788
789         Secondly, it is not common for there to be multiple JSC VMs in use
790         concurrently on multiple threads.  Hence, this cost should rarely
791         manifest in real world applications.
792
793         * heap/Heap.cpp:
794         (JSC::Heap::Heap):
795         (JSC::Heap::machineThreads):
796         (JSC::Heap::gatherStackRoots):
797         * heap/Heap.h:
798         (JSC::Heap::machineThreads): Deleted.
799         * heap/MachineStackMarker.cpp:
800         (JSC::MachineThreads::MachineThreads):
801         (JSC::MachineThreads::~MachineThreads):
802         (JSC::MachineThreads::addCurrentThread):
803         * heap/MachineStackMarker.h:
804         * runtime/JSLock.cpp:
805         (JSC::JSLock::didAcquireLock):
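
        The interleaving described above, replayed as an added C model (not JavaScriptCore code): a worker thread registers with a VM-owned registry through its TSD slot, another thread destroys the VM, and only then does the worker exit, which is when the TSD destructor runs with the pointer it cached. Registry, VM, Thread, addCurrentThread, threadExit, vmDestroy and the `freed` flag are constructed for the model; the flag stands in for the allocator so the stale access is detected rather than being undefined behaviour. The second run uses one process-global registry that no VM frees, which is the shape of the fix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added model of the lifetime bug, not JavaScriptCore code. Registry, VM,
 * Thread, addCurrentThread, threadExit and vmDestroy are constructed names.
 * Registries are never free()d: the `freed` flag stands in for the allocator
 * so that a stale access is detected instead of being undefined behaviour. */

typedef struct Registry {
    int  registeredThreads;   /* threads whose stacks this registry must scan */
    bool freed;               /* simulated free(): set when the owner dies */
} Registry;

typedef struct VM {
    Registry *machineThreads; /* the registry this VM scans */
    bool      ownsRegistry;   /* per-VM design: true; global singleton: false */
} VM;

typedef struct Thread {
    Registry *tsdValue;       /* what pthread_setspecific() stored for this thread */
} Thread;

typedef struct Outcome {
    int staleDestructorCalls;  /* destructor ran against a freed registry */
    int threadsLeftRegistered; /* registry count after every thread exited */
} Outcome;

static int g_staleDestructorCalls;

/* Plays the role of destructor(value) in the quoted _pthread_tsd_cleanup_key:
 * `value` is whatever the thread cached when it registered, however long ago. */
static void removeThreadDestructor(void *value)
{
    Registry *registry = value;
    if (registry->freed) {
        g_staleDestructorCalls++;   /* real code would touch freed memory here */
        return;
    }
    registry->registeredThreads--;
}

static void addCurrentThread(Thread *t, VM *vm)
{
    t->tsdValue = vm->machineThreads;       /* pthread_setspecific(key, registry) */
    vm->machineThreads->registeredThreads++;
}

static void threadExit(Thread *t)
{
    void *value = t->tsdValue;              /* pthread caches the slot value, */
    if (value) {
        t->tsdValue = NULL;                 /* clears the slot, */
        removeThreadDestructor(value);      /* then calls the destructor */
    }
}

static void vmDestroy(VM *vm)
{
    if (vm->ownsRegistry)
        vm->machineThreads->freed = true;   /* ~Heap -> ~MachineThreads -> free() */
    vm->machineThreads = NULL;
}

/* Replays the race: register, destroy the VM on "another" thread, then exit. */
static Outcome replay(VM *vm, Registry *registry)
{
    Thread worker = { NULL };
    g_staleDestructorCalls = 0;

    addCurrentThread(&worker, vm);   /* worker thread touches the VM */
    vmDestroy(vm);                   /* another thread tears the VM down */
    threadExit(&worker);             /* worker exits; TSD destructor fires */

    Outcome out = { g_staleDestructorCalls, registry->registeredThreads };
    return out;
}

/* Before the fix: each VM owns its own MachineThreads registry. */
Outcome runPerVMRegistry(void)
{
    Registry vmRegistry = { 0, false };
    VM vm = { &vmRegistry, true };
    return replay(&vm, &vmRegistry);
}

/* After the fix: one process-global registry that no VM ever frees. */
static Registry g_processRegistry = { 0, false };

Outcome runGlobalRegistry(void)
{
    VM vm = { &g_processRegistry, false };
    return replay(&vm, &g_processRegistry);
}

int main(void)
{
    Outcome before = runPerVMRegistry();
    Outcome after = runGlobalRegistry();
    printf("per-VM registry: stale destructor calls = %d\n", before.staleDestructorCalls);
    printf("global registry: stale destructor calls = %d, threads left = %d\n",
           after.staleDestructorCalls, after.threadsLeftRegistered);
    return 0;
}
```

        The point the model makes is about lifetimes, not locking: a TSD destructor receives a pointer the thread stored arbitrarily long ago, so whatever it points at must outlive every thread that registered. No lock in the destructor can help once the registry is gone, which is why the entry moves the registry to a process-global object that is never destroyed.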
806
807 2015-02-24  Myles C. Maxfield  <mmaxfield@apple.com>
808
809         [Mac] [iOS] Parsing support for -apple-trailing-word
810         https://bugs.webkit.org/show_bug.cgi?id=141939
811
812         Reviewed by Andreas Kling.
813
814         * Configurations/FeatureDefines.xcconfig:
815
816 2015-02-24  Ryosuke Niwa  <rniwa@webkit.org>
817
818         Use "this" instead of "callee" to get the constructor
819         https://bugs.webkit.org/show_bug.cgi?id=141019
820
821         Reviewed by Filip Pizlo.
822
823         This patch uses the "this" register to pass the constructor (newTarget) to op_create_this from
824         op_construct or op_construct_varargs. This will allow future patches that implement ES6 classes
825         to pass in the most derived class' constructor through the "this" argument.
826
827         BytecodeGenerator's emitConstruct and emitConstructVarargs now pass thisRegister like
828         regular calls do, and emitCreateThis passes the this register to op_create_this as the constructor.
829
830         The rest of the code change removes the code for special-casing the "this" register not being used
831         in calls to construct.
832
833         * bytecode/BytecodeUseDef.h:
834         (JSC::computeUsesForBytecodeOffset):
835         * bytecompiler/BytecodeGenerator.cpp:
836         (JSC::BytecodeGenerator::emitCreateThis):
837         (JSC::BytecodeGenerator::emitConstructVarargs):
838         (JSC::BytecodeGenerator::emitConstruct):
839         * bytecompiler/BytecodeGenerator.h:
840         * bytecompiler/NodesCodegen.cpp:
841         (JSC::NewExprNode::emitBytecode):
842         * dfg/DFGByteCodeParser.cpp:
843         (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
844         (JSC::DFG::ByteCodeParser::handleVarargsCall):
845         (JSC::DFG::ByteCodeParser::emitArgumentPhantoms):
846         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
847         (JSC::DFG::ByteCodeParser::handleInlining):
848         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
849         (JSC::DFG::ByteCodeParser::parseBlock):
850         * dfg/DFGJITCode.cpp:
851         (JSC::DFG::JITCode::reconstruct):
852         * dfg/DFGSpeculativeJIT32_64.cpp:
853         (JSC::DFG::SpeculativeJIT::emitCall):
854         * dfg/DFGSpeculativeJIT64.cpp:
855         (JSC::DFG::SpeculativeJIT::emitCall):
856         * ftl/FTLJSCallVarargs.cpp:
857         (JSC::FTL::JSCallVarargs::emit):
858         * ftl/FTLLowerDFGToLLVM.cpp:
859         (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
860         (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
861         (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):
862         * interpreter/Interpreter.cpp:
863         (JSC::Interpreter::executeConstruct):
864         * jit/JITOperations.cpp:
865
866 2015-02-24  Joseph Pecoraro  <pecoraro@apple.com>
867
868         Web Inspector: Make Getter/Setter RemoteObject property and ObjectPreview handling consistent
869         https://bugs.webkit.org/show_bug.cgi?id=141587
870
871         Reviewed by Timothy Hatcher.
872
873         Convert getProperties(ownAndGetterProperties) to getDisplayableProperties().
874         Mark PropertyDescriptors that are presumed to be native getters / bindings
875         separately so that the frontend may display them differently.
876
877         * inspector/InjectedScript.cpp:
878         (Inspector::InjectedScript::getProperties):
879         (Inspector::InjectedScript::getDisplayableProperties):
880         * inspector/InjectedScript.h:
881         * inspector/InjectedScriptSource.js:
882         * inspector/agents/InspectorRuntimeAgent.cpp:
883         (Inspector::InspectorRuntimeAgent::getProperties):
884         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
885         * inspector/agents/InspectorRuntimeAgent.h:
886         * inspector/protocol/Runtime.json:
887
888 2015-02-24  Mark Lam  <mark.lam@apple.com>
889
890         Rolling out r179753.  The fix was invalid.
891         <https://webkit.org/b/141990>
892
893         Not reviewed.
894
895         * API/tests/testapi.mm:
896         (threadMain):
897         (useVMFromOtherThread): Deleted.
898         (useVMFromOtherThreadAndOutliveVM): Deleted.
899         * heap/Heap.cpp:
900         (JSC::Heap::Heap):
901         (JSC::Heap::~Heap):
902         (JSC::Heap::gatherStackRoots):
903         * heap/Heap.h:
904         (JSC::Heap::machineThreads):
905         * heap/MachineStackMarker.cpp:
906         (JSC::MachineThreads::Thread::Thread):
907         (JSC::MachineThreads::MachineThreads):
908         (JSC::MachineThreads::~MachineThreads):
909         (JSC::MachineThreads::addCurrentThread):
910         (JSC::MachineThreads::removeThread):
911         (JSC::MachineThreads::removeCurrentThread):
912         * heap/MachineStackMarker.h:
913
914 2015-02-24  Yusuke Suzuki  <utatane.tea@gmail.com>
915
916         Constructor returning null should construct an object instead of null
917         https://bugs.webkit.org/show_bug.cgi?id=141640
918
919         Reviewed by Filip Pizlo.
920
921         When constructor code doesn't return an object, the constructor should return the `this` object instead.
922         Since we used `op_is_object` for this check and `op_is_object` is intended to be used for `typeof`,
923         it allows `null` as an object.
924         This patch fixes it by introducing a new bytecode, `op_is_object_or_null`, for the `typeof` use cases.
925         Instead, the constructor uses the simplified `is_object`.
926
927         As a result, `op_is_object` becomes fairly simple, so we introduce optimizations for `op_is_object`.
928
929         1. LLInt and the baseline JIT support `op_is_object` as a fast path.
930         2. The DFG abstract interpreter supports `op_is_object`, and recognizes its speculated type and read-write effects.
931         3. The DFG introduces inlined asm for `op_is_object` rather than calling a C++ function.
932         4. The FTL lowers the DFG's IsObject into LLVM IR.
933
934         At the same time, this patch fixes the isString / isObject predicates used for `op_is_object` and others
935         in LLInt, JIT, DFG and FTL.
936         Before introducing ES6 Symbol, JSCell was only used for object and string in the user-observable area.
937         So in many places, when the cell is not an object, we recognize it as a string, and vice versa.
938         However, now that ES6 Symbol is implemented as a JSCell, this assumption is broken.
939         So this patch stops using !isString as isObject.
940         To check whether a cell is an object, instead of checking that the structure ID of a cell is not stringStructure,
941         we examine the typeInfo in JSCell.
942
943         * JavaScriptCore.order:
944         * bytecode/BytecodeList.json:
945         * bytecode/BytecodeUseDef.h:
946         (JSC::computeUsesForBytecodeOffset):
947         (JSC::computeDefsForBytecodeOffset):
948         * bytecode/CodeBlock.cpp:
949         (JSC::CodeBlock::dumpBytecode):
950         * bytecode/PutByIdStatus.cpp:
951         (JSC::PutByIdStatus::computeFor):
952         * bytecompiler/BytecodeGenerator.cpp:
953         (JSC::BytecodeGenerator::emitEqualityOp):
954         (JSC::BytecodeGenerator::emitReturn):
955         * dfg/DFGAbstractInterpreterInlines.h:
956         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
957         * dfg/DFGByteCodeParser.cpp:
958         (JSC::DFG::ByteCodeParser::parseBlock):
959         * dfg/DFGCapabilities.cpp:
960         (JSC::DFG::capabilityLevel):
961         * dfg/DFGClobberize.h:
962         (JSC::DFG::clobberize):
963
964         IsObject operation only touches JSCell typeInfoType.
965         And this value would be changed through structure transition.
966         As a result, IsObject can report that it doesn't read any information.
967
968         * dfg/DFGConstantFoldingPhase.cpp:
969         (JSC::DFG::ConstantFoldingPhase::foldConstants):
970         * dfg/DFGDoesGC.cpp:
971         (JSC::DFG::doesGC):
972         * dfg/DFGFixupPhase.cpp:
973         (JSC::DFG::FixupPhase::fixupNode):
974
975         Just like IsString, IsObject is also fixed up.
976
977         * dfg/DFGHeapLocation.cpp:
978         (WTF::printInternal):
979         * dfg/DFGHeapLocation.h:
980         * dfg/DFGNodeType.h:
981         * dfg/DFGOperations.cpp:
982         * dfg/DFGOperations.h:
983         * dfg/DFGPredictionPropagationPhase.cpp:
984         (JSC::DFG::PredictionPropagationPhase::propagate):
985         * dfg/DFGSafeToExecute.h:
986         (JSC::DFG::safeToExecute):
987         * dfg/DFGSpeculativeJIT.cpp:
988         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
989         (JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality):
990         (JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality):
991         (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
992         (JSC::DFG::SpeculativeJIT::speculateObject):
993         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
994         (JSC::DFG::SpeculativeJIT::speculateString):
995         (JSC::DFG::SpeculativeJIT::speculateNotStringVar):
996         (JSC::DFG::SpeculativeJIT::emitSwitchChar):
997         (JSC::DFG::SpeculativeJIT::emitSwitchString):
998         (JSC::DFG::SpeculativeJIT::branchIsObject):
999         (JSC::DFG::SpeculativeJIT::branchNotObject):
1000         (JSC::DFG::SpeculativeJIT::branchIsString):
1001         (JSC::DFG::SpeculativeJIT::branchNotString):
1002         * dfg/DFGSpeculativeJIT.h:
1003         * dfg/DFGSpeculativeJIT32_64.cpp:
1004         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
1005         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
1006         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1007         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1008         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1009         (JSC::DFG::SpeculativeJIT::compile):
1010         * dfg/DFGSpeculativeJIT64.cpp:
1011         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
1012         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
1013         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1014         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1015         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1016         (JSC::DFG::SpeculativeJIT::compile):
1017         * ftl/FTLCapabilities.cpp:
1018         (JSC::FTL::canCompile):
1019         * ftl/FTLLowerDFGToLLVM.cpp:
1020         (JSC::FTL::LowerDFGToLLVM::compileNode):
1021         (JSC::FTL::LowerDFGToLLVM::compileToString):
1022         (JSC::FTL::LowerDFGToLLVM::compileIsObject):
1023         (JSC::FTL::LowerDFGToLLVM::compileIsObjectOrNull):
1024         (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
1025         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
1026         (JSC::FTL::LowerDFGToLLVM::isObject):
1027         (JSC::FTL::LowerDFGToLLVM::isNotObject):
1028         (JSC::FTL::LowerDFGToLLVM::isNotString):
1029         (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
1030         * jit/JIT.cpp:
1031         (JSC::JIT::privateCompileMainPass):
1032         * jit/JIT.h:
1033         * jit/JITInlines.h:
1034         (JSC::JIT::emitJumpIfCellObject):
1035         * jit/JITOpcodes.cpp:
1036         (JSC::JIT::emit_op_is_object):
1037         (JSC::JIT::emit_op_to_primitive):
1038         * jit/JITOpcodes32_64.cpp:
1039         (JSC::JIT::emit_op_is_object):
1040         (JSC::JIT::emit_op_to_primitive):
1041         (JSC::JIT::compileOpStrictEq):
1042         * llint/LowLevelInterpreter.asm:
1043         * llint/LowLevelInterpreter32_64.asm:
1044         * llint/LowLevelInterpreter64.asm:
1045         * runtime/CommonSlowPaths.cpp:
1046         (JSC::SLOW_PATH_DECL):
1047         * runtime/CommonSlowPaths.h:
1048         * runtime/Operations.cpp:
1049         (JSC::jsIsObjectTypeOrNull):
1050         (JSC::jsIsObjectType): Deleted.
1051         * runtime/Operations.h:
1052         * tests/stress/constructor-with-return.js: Added.
1053         (Test):
1054
1055         When a constructor doesn't return an object, `this` should be returned instead.
1056         In this test, we check all primitives, and test object, array and wrappers.
1057
1058         * tests/stress/dfg-to-primitive-pass-symbol.js: Added.
1059         (toPrimitiveTarget):
1060         (doToPrimitive):
1061
1062         The op_to_primitive operation passes Symbol in the fast path.
1063
1064 2015-02-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1065
1066         REGRESSION(r179429): Can't type comments in Facebook
1067         https://bugs.webkit.org/show_bug.cgi?id=141859
1068
1069         Reviewed by Brent Fulgham.
1070
1071         When window.Symbol is exposed to user-space pages,
1072         Facebook's JavaScript uses it (maybe for immutable-js and React.js's unique key).
1073         However, to work with Symbols completely, it also requires
1074         1) Object.getOwnPropertySymbols (for mixins including Symbols)
1075         2) the latest ES6 Iterator interface, which uses Iterator.next and returns { done: boolean, value: value }.
1076         Since they have not landed yet, comments in Facebook don't work.
1077
1078         This patch introduces RuntimeFlags for JavaScriptCore.
1079         Specifying the SymbolEnabled flag under the test runner and inspector lets them continue to work with Symbol.
1080         And drop the JavaScriptExperimentsEnabled flag
1081         because it is no longer used and its use case is duplicated by runtime flags.
1082
1083         * JavaScriptCore.order:
1084         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1085         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1086         * JavaScriptCore.xcodeproj/project.pbxproj:
1087         * jsc.cpp:
1088         (GlobalObject::javaScriptRuntimeFlags):
1089         (GlobalObject::javaScriptExperimentsEnabled): Deleted.
1090         * runtime/JSGlobalObject.cpp:
1091         (JSC::JSGlobalObject::JSGlobalObject):
1092         (JSC::JSGlobalObject::init):
1093         * runtime/JSGlobalObject.h:
1094         (JSC::JSGlobalObject::finishCreation):
1095         (JSC::JSGlobalObject::javaScriptRuntimeFlags):
1096         (JSC::JSGlobalObject::javaScriptExperimentsEnabled): Deleted.
1097         * runtime/RuntimeFlags.h: Added.
1098         (JSC::RuntimeFlags::RuntimeFlags):
1099         (JSC::RuntimeFlags::createAllEnabled):
1100
1101 2015-02-23  Filip Pizlo  <fpizlo@apple.com>
1102
1103         Our bizarre behavior on Arguments::defineOwnProperty should be deliberate rather than a spaghetti incident
1104         https://bugs.webkit.org/show_bug.cgi?id=141951
1105
1106         Reviewed by Benjamin Poulain.
1107         
1108         This patch has no behavioral change, but it simplifies a bunch of wrong code. The code is
1109         still wrong in exactly the same way, but at least it's obvious what's going on. The wrongness
1110         is covered by this bug: https://bugs.webkit.org/show_bug.cgi?id=141952.
1111
1112         * runtime/Arguments.cpp:
1113         (JSC::Arguments::copyBackingStore): We should only see the arguments token; assert otherwise. This works because if the GC sees the butterfly token it calls the JSObject::copyBackingStore method directly.
1114         (JSC::Arguments::defineOwnProperty): Make our bizarre behavior deliberate rather than an accident of a decade of patches.
1115         * tests/stress/arguments-bizarre-behavior.js: Added.
1116         (foo):
1117         * tests/stress/arguments-bizarre-behaviour-disable-enumerability.js: Added. My choice of spellings of the word "behavio[u]r" is almost as consistent as our implementation of arguments.
1118         (foo):
1119         * tests/stress/arguments-custom-properties-gc.js: Added. I added this test because at first I was unsure if we GCd arguments correctly.
1120         (makeBaseArguments):
1121         (makeArray):
1122         (cons):
1123
1124 2015-02-23  Commit Queue  <commit-queue@webkit.org>
1125
1126         Unreviewed, rolling out r180547 and r180550.
1127         https://bugs.webkit.org/show_bug.cgi?id=141957
1128
1129         Broke 10 Windows tests. (Requested by bfulgham_ on #webkit).
1130
1131         Reverted changesets:
1132
1133         "REGRESSION(r179429): Can't type comments in Facebook"
1134         https://bugs.webkit.org/show_bug.cgi?id=141859
1135         http://trac.webkit.org/changeset/180547
1136
1137         "Constructor returning null should construct an object instead
1138         of null"
1139         https://bugs.webkit.org/show_bug.cgi?id=141640
1140         http://trac.webkit.org/changeset/180550
1141
1142 2015-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1143
1144         Constructor returning null should construct an object instead of null
1145         https://bugs.webkit.org/show_bug.cgi?id=141640
1146
1147         Reviewed by Geoffrey Garen.
1148
1149         When constructor code doesn't return an object, the constructor should return the `this` object instead.
1150         Since we used `op_is_object` for this check and `op_is_object` is intended to be used for `typeof`,
1151         it allows `null` as an object.
1152         This patch fixes it by introducing a new bytecode, `op_is_object_or_null`, for the `typeof` use cases.
1153         Instead, the constructor uses the simplified `is_object`.
1154
1155         As a result, `op_is_object` becomes fairly simple, so we introduce optimizations for `op_is_object`.
1156
1157         1. LLInt and the baseline JIT support `op_is_object` as a fast path.
1158         2. The DFG abstract interpreter supports `op_is_object`, and recognizes its speculated type and read-write effects.
1159         3. The DFG introduces inlined asm for `op_is_object` rather than calling a C++ function.
1160         4. The FTL lowers the DFG's IsObject into LLVM IR.
1161
1162         At the same time, this patch fixes the isString / isObject predicates used for `op_is_object` and others
1163         in LLInt, JIT, DFG and FTL.
1164         Before introducing ES6 Symbol, JSCell was only used for object and string in the user-observable area.
1165         So in many places, when the cell is not an object, we recognize it as a string, and vice versa.
1166         However, now that ES6 Symbol is implemented as a JSCell, this assumption is broken.
1167         So this patch stops using !isString as isObject.
1168         To check whether a cell is an object, instead of checking that the structure ID of a cell is not stringStructure,
1169         we examine the typeInfo in JSCell.
1170
1171         * JavaScriptCore.order:
1172         * bytecode/BytecodeList.json:
1173         * bytecode/BytecodeUseDef.h:
1174         (JSC::computeUsesForBytecodeOffset):
1175         (JSC::computeDefsForBytecodeOffset):
1176         * bytecode/CodeBlock.cpp:
1177         (JSC::CodeBlock::dumpBytecode):
1178         * bytecode/PutByIdStatus.cpp:
1179         (JSC::PutByIdStatus::computeFor):
1180         * bytecompiler/BytecodeGenerator.cpp:
1181         (JSC::BytecodeGenerator::emitEqualityOp):
1182         (JSC::BytecodeGenerator::emitReturn):
1183         * dfg/DFGAbstractInterpreterInlines.h:
1184         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1185         * dfg/DFGByteCodeParser.cpp:
1186         (JSC::DFG::ByteCodeParser::parseBlock):
1187         * dfg/DFGCapabilities.cpp:
1188         (JSC::DFG::capabilityLevel):
1189         * dfg/DFGClobberize.h:
1190         (JSC::DFG::clobberize):
1191
1192         IsObject operation only touches JSCell typeInfoType.
1193         And this value would not be changed through structure transition.
1194         As a result, IsObject can report that it doesn't read any information.
1195
1196         * dfg/DFGDoesGC.cpp:
1197         (JSC::DFG::doesGC):
1198         * dfg/DFGFixupPhase.cpp:
1199         (JSC::DFG::FixupPhase::fixupNode):
1200
1201         Just like IsString, IsObject is also fixed up.
1202
1203         * dfg/DFGHeapLocation.cpp:
1204         (WTF::printInternal):
1205         * dfg/DFGHeapLocation.h:
1206         * dfg/DFGNodeType.h:
1207         * dfg/DFGOperations.cpp:
1208         * dfg/DFGOperations.h:
1209         * dfg/DFGPredictionPropagationPhase.cpp:
1210         (JSC::DFG::PredictionPropagationPhase::propagate):
1211         * dfg/DFGSafeToExecute.h:
1212         (JSC::DFG::safeToExecute):
1213         * dfg/DFGSpeculativeJIT.cpp:
1214         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
1215         (JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality):
1216         (JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality):
1217         (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
1218         (JSC::DFG::SpeculativeJIT::speculateObject):
1219         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
1220         (JSC::DFG::SpeculativeJIT::speculateString):
1221         (JSC::DFG::SpeculativeJIT::speculateNotStringVar):
1222         (JSC::DFG::SpeculativeJIT::emitSwitchChar):
1223         (JSC::DFG::SpeculativeJIT::emitSwitchString):
1224         (JSC::DFG::SpeculativeJIT::branchIsObject):
1225         (JSC::DFG::SpeculativeJIT::branchNotObject):
1226         (JSC::DFG::SpeculativeJIT::branchIsString):
1227         (JSC::DFG::SpeculativeJIT::branchNotString):
1228         * dfg/DFGSpeculativeJIT.h:
1229         * dfg/DFGSpeculativeJIT32_64.cpp:
1230         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
1231         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
1232         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1233         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1234         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1235         (JSC::DFG::SpeculativeJIT::compile):
1236         * dfg/DFGSpeculativeJIT64.cpp:
1237         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
1238         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
1239         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1240         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1241         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1242         (JSC::DFG::SpeculativeJIT::compile):
1243         * ftl/FTLCapabilities.cpp:
1244         (JSC::FTL::canCompile):
1245         * ftl/FTLLowerDFGToLLVM.cpp:
1246         (JSC::FTL::LowerDFGToLLVM::compileNode):
1247         (JSC::FTL::LowerDFGToLLVM::compileToString):
1248         (JSC::FTL::LowerDFGToLLVM::compileIsObject):
1249         (JSC::FTL::LowerDFGToLLVM::compileIsObjectOrNull):
1250         (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
1251         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
1252         (JSC::FTL::LowerDFGToLLVM::isObject):
1253         (JSC::FTL::LowerDFGToLLVM::isNotObject):
1254         (JSC::FTL::LowerDFGToLLVM::isNotString):
1255         (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
1256         * jit/JIT.cpp:
1257         (JSC::JIT::privateCompileMainPass):
1258         * jit/JIT.h:
1259         * jit/JITInlines.h:
1260         (JSC::JIT::emitJumpIfCellObject):
1261         * jit/JITOpcodes.cpp:
1262         (JSC::JIT::emit_op_is_object):
1263         (JSC::JIT::emit_op_to_primitive):
1264         * jit/JITOpcodes32_64.cpp:
1265         (JSC::JIT::emit_op_is_object):
1266         (JSC::JIT::emit_op_to_primitive):
1267         (JSC::JIT::compileOpStrictEq):
1268         * llint/LowLevelInterpreter.asm:
1269         * llint/LowLevelInterpreter32_64.asm:
1270         * llint/LowLevelInterpreter64.asm:
1271         * runtime/CommonSlowPaths.cpp:
1272         (JSC::SLOW_PATH_DECL):
1273         * runtime/CommonSlowPaths.h:
1274         * runtime/Operations.cpp:
1275         (JSC::jsIsObjectTypeOrNull):
1276         (JSC::jsIsObjectType): Deleted.
1277         * runtime/Operations.h:
1278
1279 2015-02-23  Ryosuke Niwa  <rniwa@webkit.org>
1280
1281         Disable font loading events until our implementation gets updated to match the latest spec
1282         https://bugs.webkit.org/show_bug.cgi?id=141938
1283
1284         Reviewed by Andreas Kling.
1285
1286         * Configurations/FeatureDefines.xcconfig:
1287
1288 2015-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1289
1290         REGRESSION(r179429): Can't type comments in Facebook
1291         https://bugs.webkit.org/show_bug.cgi?id=141859
1292
1293         Reviewed by Geoffrey Garen.
1294
1295         When window.Symbol is exposed to user-space pages,
1296         Facebook's JavaScript uses it (maybe for immutable-js and React.js's unique key).
1297         However, to work with Symbols completely, it also requires
1298         1) Object.getOwnPropertySymbols (for mixins including Symbols)
1299         2) the latest ES6 Iterator interface, which uses Iterator.next and returns { done: boolean, value: value }.
1300         Since they have not landed yet, comments in Facebook don't work.
1301
1302         This patch introduces RuntimeFlags for JavaScriptCore.
1303         Specifying the SymbolEnabled flag under the test runner and inspector lets them continue to work with Symbol.
1304         And drop the JavaScriptExperimentsEnabled flag
1305         because it is no longer used and its use case is duplicated by runtime flags.
1306
1307         * JavaScriptCore.order:
1308         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1309         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1310         * JavaScriptCore.xcodeproj/project.pbxproj:
1311         * jsc.cpp:
1312         (GlobalObject::javaScriptRuntimeFlags):
1313         (GlobalObject::javaScriptExperimentsEnabled): Deleted.
1314         * runtime/JSGlobalObject.cpp:
1315         (JSC::JSGlobalObject::JSGlobalObject):
1316         (JSC::JSGlobalObject::init):
1317         * runtime/JSGlobalObject.h:
1318         (JSC::JSGlobalObject::finishCreation):
1319         (JSC::JSGlobalObject::javaScriptRuntimeFlags):
1320         (JSC::JSGlobalObject::javaScriptExperimentsEnabled): Deleted.
1321         * runtime/RuntimeFlags.h: Added.
1322         (JSC::RuntimeFlags::RuntimeFlags):
1323         (JSC::RuntimeFlags::createAllEnabled):
1324
1325 2015-02-23  Benjamin Poulain  <bpoulain@apple.com>
1326
1327         Set the semantic origin of delayed SetLocal to the Bytecode that originated it
1328         https://bugs.webkit.org/show_bug.cgi?id=141727
1329
1330         Reviewed by Filip Pizlo.
1331
1332         Previously, delayed SetLocals would have the NodeOrigin of the next
1333         bytecode. This was because delayed SetLocal are...delayed... and
1334         currentCodeOrigin() is the one where the node is emitted.
1335
1336         This made debugging a little awkward since the OSR exits on SetLocal
1337         were reported for the next bytecode. This patch changes the semantic
1338         origin to keep the original bytecode.
1339
1340         From benchmarks, this looks like it could be a tiny bit faster
1341         but it is likely just noise.
1342
1343         * dfg/DFGByteCodeParser.cpp:
1344         (JSC::DFG::ByteCodeParser::setDirect):
1345         (JSC::DFG::ByteCodeParser::setLocal):
1346         (JSC::DFG::ByteCodeParser::setArgument):
1347         (JSC::DFG::ByteCodeParser::currentNodeOrigin):
1348         (JSC::DFG::ByteCodeParser::addToGraph):
1349         (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
1350         (JSC::DFG::ByteCodeParser::DelayedSetLocal::execute):
1351
1352 2015-02-23  Benjamin Poulain  <bpoulain@apple.com>
1353
1354         Remove DFGNode::predictHeap()
1355         https://bugs.webkit.org/show_bug.cgi?id=141864
1356
1357         Reviewed by Geoffrey Garen.
1358
1359         * dfg/DFGNode.h:
1360         (JSC::DFG::Node::predictHeap): Deleted.
1361         Unused code.
1362
1363 2015-02-23  Filip Pizlo  <fpizlo@apple.com>
1364
1365         Get rid of JSLexicalEnvironment::argumentsGetter
1366         https://bugs.webkit.org/show_bug.cgi?id=141930
1367
1368         Reviewed by Mark Lam.
1369         
1370         This function is unused, and the way it's written is bizarre - it's a return statement that
1371         dominates a bunch of dead code.
1372
1373         * runtime/JSLexicalEnvironment.cpp:
1374         (JSC::JSLexicalEnvironment::argumentsGetter): Deleted.
1375         * runtime/JSLexicalEnvironment.h:
1376
1377 2015-02-23  Filip Pizlo  <fpizlo@apple.com>
1378
1379         Remove unused activationCount and allTheThingsCount variable declarations.
1380
1381         Rubber stamped by Mark Lam and Michael Saboff.
1382
1383         * runtime/JSLexicalEnvironment.h:
1384
1385 2015-02-23  Saam Barati  <saambarati1@gmail.com>
1386
1387         Adjust the ranges of basic block statements in JSC's control flow profiler to be mutually exclusive
1388         https://bugs.webkit.org/show_bug.cgi?id=141095
1389
1390         Reviewed by Mark Lam.
1391
1392         Suppose the control flow of a program forms basic block A with successor block
1393         B. A's end offset will be the *same* as B's start offset in the current architecture 
1394         of the control flow profiler. This makes reasoning about the text offsets of
1395         the control flow profiler unsound. To make reasoning about offsets sound, all 
1396         basic block ranges should be mutually exclusive.  All calls to emitProfileControlFlow 
1397         now pass in the *start* of a basic block as the text offset argument. This simplifies 
1398         all calls to emitProfileControlFlow because the previous implementation had a
1399         lot of edge cases for getting the desired basic block text boundaries.
1400
1401         This patch also ensures that the basic block boundary of a block statement 
1402         is exactly the block's open and close brace offsets (inclusive). For example,
1403         in if/for/while statements. This also has the consequence that for statements 
1404         like "if (cond) foo();", the whitespace preceding "foo()" is not part of 
1405         the "foo()" basic block, but instead is part of the "if (cond) " basic block. 
1406         This is okay because these text offsets aren't meant to be human readable.
1407         Instead, they reflect the text offsets of JSC's AST nodes. The Web Inspector 
1408         is the only client of this API and user of these text offsets and it is 
1409         not negatively affected by this new behavior.
1410
1411         * bytecode/CodeBlock.cpp:
1412         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
1413         When computing basic block boundaries in CodeBlock, we ensure that every
1414         block's end offset is one less than its successor's start offset to
1415         maintain that boundaries' ranges should be mutually exclusive.
1416
1417         * bytecompiler/BytecodeGenerator.cpp:
1418         (JSC::BytecodeGenerator::BytecodeGenerator):
1419         Because the control flow profiler needs to know which functions
1420         have executed, we can't lazily create functions. This was a bug 
1421         from before that was hidden because the Type Profiler was always 
1422         enabled when the control flow profiler was enabled when profiling 
1423         was turned on from the Web Inspector. But, JSC allows for Control 
1424         Flow profiling to be turned on without Type Profiling, so we need 
1425         to ensure the Control Flow profiler has all the data it needs.
1426
1427         * bytecompiler/NodesCodegen.cpp:
1428         (JSC::ConditionalNode::emitBytecode):
1429         (JSC::IfElseNode::emitBytecode):
1430         (JSC::WhileNode::emitBytecode):
1431         (JSC::ForNode::emitBytecode):
1432         (JSC::ForInNode::emitMultiLoopBytecode):
1433         (JSC::ForOfNode::emitBytecode):
1434         (JSC::TryNode::emitBytecode):
1435         * jsc.cpp:
1436         (functionHasBasicBlockExecuted):
1437         We now assert that the substring argument is indeed a substring
1438         of the function argument's text because subtle bugs could be
1439         introduced otherwise.
1440
1441         * parser/ASTBuilder.h:
1442         (JSC::ASTBuilder::setStartOffset):
1443         * parser/Nodes.h:
1444         (JSC::Node::setStartOffset):
1445         * parser/Parser.cpp:
1446         (JSC::Parser<LexerType>::parseBlockStatement):
1447         (JSC::Parser<LexerType>::parseStatement):
1448         (JSC::Parser<LexerType>::parseMemberExpression):
1449         For the various function call AST nodes, their m_position member 
1450         variable is now the start of the entire function call expression 
1451         and not at the start of the open paren of the arguments list.
1452
1453         * runtime/BasicBlockLocation.cpp:
1454         (JSC::BasicBlockLocation::getExecutedRanges):
1455         * runtime/ControlFlowProfiler.cpp:
1456         (JSC::ControlFlowProfiler::getBasicBlocksForSourceID):
1457         Function ranges inserted as gaps should follow the same criteria
1458         that the bytecode generator uses to ensure that basic blocks
1459         start and end offsets are mutually exclusive.
1460
1461         * tests/controlFlowProfiler/brace-location.js: Added.
1462         (foo):
1463         (bar):
1464         (baz):
1465         (testIf):
1466         (testForRegular):
1467         (testForIn):
1468         (testForOf):
1469         (testWhile):
1470         (testIfNoBraces):
1471         (testForRegularNoBraces):
1472         (testForInNoBraces):
1473         (testForOfNoBraces):
1474         (testWhileNoBraces):
1475         * tests/controlFlowProfiler/conditional-expression.js: Added.
1476         (foo):
1477         (bar):
1478         (baz):
1479         (testConditionalBasic):
1480         (testConditionalFunctionCall):
1481         * tests/controlFlowProfiler/driver/driver.js:
1482         (checkBasicBlock):
1483
1484 2015-02-23  Matthew Mirman  <mmirman@apple.com>
1485
1486         r9 is volatile on ARMv7 for iOS 3 and up. 
1487         https://bugs.webkit.org/show_bug.cgi?id=141489
1488         rdar://problem/19432916
1489
1490         Reviewed by Michael Saboff.
1491
1492         * jit/RegisterSet.cpp: 
1493         (JSC::RegisterSet::calleeSaveRegisters): removed r9 from the list of ARMv7 callee save registers.
1494         * tests/stress/regress-141489.js: Added.
1495         (foo):
1496
1497 2015-02-23  Csaba Osztrogonác  <ossy@webkit.org>
1498
1499         [ARM] Add the necessary setupArgumentsWithExecState after bug141915
1500         https://bugs.webkit.org/show_bug.cgi?id=141921
1501
1502         Reviewed by Michael Saboff.
1503
1504         * jit/CCallHelpers.h:
1505         (JSC::CCallHelpers::setupArgumentsWithExecState):
1506
1507 2015-02-23  Filip Pizlo  <fpizlo@apple.com>
1508
1509         Scopes should always be created with a previously-created symbol table rather than creating one on the fly
1510         https://bugs.webkit.org/show_bug.cgi?id=141915
1511
1512         Reviewed by Mark Lam.
1513         
1514         The main effect of this change is that pushing name scopes no longer requires creating symbol
1515         tables on the fly.
1516         
1517         This also makes it so that JSEnvironmentRecords must always have an a priori symbol table.
1518         
1519         JSSegmentedVariableObject still does a hack where it creates a blank symbol table on-demand.
1520         This is needed because that's what JSGlobalObject and all of its many subclasses want. That's
1521         harmless; I mainly needed a priori symbol tables for JSEnvironmentRecords anyway.
1522
1523         * bytecode/BytecodeList.json:
1524         * bytecompiler/BytecodeGenerator.cpp:
1525         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
1526         (JSC::BytecodeGenerator::emitPushCatchScope):
1527         * jit/CCallHelpers.h:
1528         (JSC::CCallHelpers::setupArgumentsWithExecState):
1529         * jit/JIT.h:
1530         * jit/JITInlines.h:
1531         (JSC::JIT::callOperation):
1532         * jit/JITOpcodes.cpp:
1533         (JSC::JIT::emit_op_push_name_scope):
1534         * jit/JITOpcodes32_64.cpp:
1535         (JSC::JIT::emit_op_push_name_scope):
1536         * jit/JITOperations.cpp:
1537         (JSC::pushNameScope):
1538         * jit/JITOperations.h:
1539         * llint/LLIntSlowPaths.cpp:
1540         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1541         * llint/LowLevelInterpreter.asm:
1542         * runtime/Executable.cpp:
1543         (JSC::ScriptExecutable::newCodeBlockFor):
1544         * runtime/JSCatchScope.h:
1545         (JSC::JSCatchScope::JSCatchScope):
1546         (JSC::JSCatchScope::create):
1547         * runtime/JSEnvironmentRecord.h:
1548         (JSC::JSEnvironmentRecord::JSEnvironmentRecord):
1549         * runtime/JSFunctionNameScope.h:
1550         (JSC::JSFunctionNameScope::JSFunctionNameScope):
1551         (JSC::JSFunctionNameScope::create):
1552         * runtime/JSNameScope.cpp:
1553         (JSC::JSNameScope::create):
1554         * runtime/JSNameScope.h:
1555         (JSC::JSNameScope::create):
1556         (JSC::JSNameScope::finishCreation):
1557         (JSC::JSNameScope::JSNameScope):
1558         * runtime/JSSegmentedVariableObject.h:
1559         (JSC::JSSegmentedVariableObject::finishCreation):
1560         * runtime/JSSymbolTableObject.h:
1561         (JSC::JSSymbolTableObject::JSSymbolTableObject):
1562         (JSC::JSSymbolTableObject::finishCreation): Deleted.
1563         * runtime/SymbolTable.h:
1564         (JSC::SymbolTable::createNameScopeTable):
1565
1566 2015-02-23  Filip Pizlo  <fpizlo@apple.com>
1567
1568         Add a comment to clarify that the test was taken from the bug report, in response to
1569         feedback from Michael Saboff and Benjamin Poulain.
1570         
1571         * tests/stress/regress-141883.js:
1572
1573 2015-02-22  Filip Pizlo  <fpizlo@apple.com>
1574
1575         Function name scope is only created on the function instance that triggered parsing rather than on every function instance that needs it
1576         https://bugs.webkit.org/show_bug.cgi?id=141881
1577
1578         Reviewed by Michael Saboff.
1579         
1580         Previously we only created the function name scope in a way that made it visible to the
1581         function that triggered parsing/linking of the executable/codeBlock, and to the linker for
1582         that code block. This was sort of the bare minimum for the feature to appear to work right to
1583         synthetic tests.
1584
1585         There are two valid "times" to create the function name scope. Either it's created for each
1586         JSFunction instance that needs a name scope, or it's created for each execution of such a
1587         JSFunction. This change chooses the latter, because it happens to be the easiest to implement
1588         with what we have right now. I opened a bug for optimizing this if we ever need to:
1589         https://bugs.webkit.org/show_bug.cgi?id=141887.
1590         
1591         * bytecompiler/BytecodeGenerator.cpp:
1592         (JSC::BytecodeGenerator::BytecodeGenerator):
1593         * interpreter/Interpreter.cpp:
1594         (JSC::Interpreter::execute):
1595         (JSC::Interpreter::executeCall):
1596         (JSC::Interpreter::executeConstruct):
1597         (JSC::Interpreter::prepareForRepeatCall):
1598         * jit/JITOperations.cpp:
1599         * llint/LLIntSlowPaths.cpp:
1600         (JSC::LLInt::setUpCall):
1601         * runtime/ArrayPrototype.cpp:
1602         (JSC::isNumericCompareFunction):
1603         * runtime/Executable.cpp:
1604         (JSC::ScriptExecutable::newCodeBlockFor):
1605         (JSC::ScriptExecutable::prepareForExecutionImpl):
1606         (JSC::FunctionExecutable::FunctionExecutable):
1607         * runtime/Executable.h:
1608         (JSC::ScriptExecutable::prepareForExecution):
1609         * runtime/JSFunction.cpp:
1610         (JSC::JSFunction::addNameScopeIfNeeded): Deleted.
1611         * runtime/JSFunction.h:
1612         * tests/stress/function-name-scope.js: Added.
1613         (check.verify):
1614         (check):
1615
1616 2015-02-22  Filip Pizlo  <fpizlo@apple.com>
1617
1618         Crash in DFGFrozenValue
1619         https://bugs.webkit.org/show_bug.cgi?id=141883
1620
1621         Reviewed by Benjamin Poulain.
1622         
1623         If a value might be a cell, then we have to have Graph freeze it rather than trying to
1624         create the FrozenValue directly. Creating it directly is just an optimization for when you
1625         know for sure that it cannot be a cell.
1626
1627         * dfg/DFGAbstractInterpreterInlines.h:
1628         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1629         * tests/stress/regress-141883.js: Added. Hacked the original test to be faster while still crashing before this fix.
1630
1631 2015-02-21  Joseph Pecoraro  <pecoraro@apple.com>
1632
1633         Web Inspector: Generate Previews more often for RemoteObject interaction
1634         https://bugs.webkit.org/show_bug.cgi?id=141875
1635
1636         Reviewed by Timothy Hatcher.
1637
1638         * inspector/protocol/Runtime.json:
1639         Add generatePreview to getProperties.
1640
1641         * inspector/InjectedScript.cpp:
1642         (Inspector::InjectedScript::getProperties):
1643         (Inspector::InjectedScript::getInternalProperties):
1644         * inspector/InjectedScript.h:
1645         * inspector/agents/InspectorRuntimeAgent.cpp:
1646         (Inspector::InspectorRuntimeAgent::getProperties):
1647         * inspector/agents/InspectorRuntimeAgent.h:
1648         Plumb the generatePreview boolean through to the injected script.
1649
1650         * inspector/InjectedScriptSource.js:
1651         Add generatePreview for getProperties.
1652         Fix callFunctionOn to generatePreviews if asked.
1653
1654 2015-02-20  Mark Lam  <mark.lam@apple.com>
1655
1656         Refactor JSWrapperMap.mm to defer creation of the ObjC JSValue until the latest possible moment.
1657         <https://webkit.org/b/141856>
1658
1659         Reviewed by Geoffrey Garen.
1660
1661         1. Make JSObjCClassInfo's -constructor and -wrapperForObject return a
1662            JSC::JSObject* just like -prototype.
1663         2. Defer the creation of the ObjC JSValue from JSC::JSObject* until
1664            the latest moment when it is needed.  This allows us to not have to
1665            keep converting back to a JSC::JSObject* in intermediate code.
1666
1667         * API/JSWrapperMap.mm:
1668         (makeWrapper):
1669         (objectWithCustomBrand):
1670         (constructorWithCustomBrand):
1671         (allocateConstructorForCustomClass):
1672         (-[JSObjCClassInfo allocateConstructorAndPrototype]):
1673         (-[JSObjCClassInfo wrapperForObject:]):
1674         (-[JSObjCClassInfo constructor]):
1675         (-[JSWrapperMap jsWrapperForObject:]):
1676
1677 2015-02-20  Filip Pizlo  <fpizlo@apple.com>
1678
1679         Build fix for gcc.
1680
1681         * runtime/JSNameScope.cpp:
1682         (JSC::JSNameScope::create):
1683
1684 2015-02-20  Filip Pizlo  <fpizlo@apple.com>
1685
1686         Get rid of JSNameScope::m_type
1687         https://bugs.webkit.org/show_bug.cgi?id=141851
1688
1689         Reviewed by Geoffrey Garen.
1690         
1691         This is a big step towards getting rid of JSEnvironmentRecord::m_registers. To do it we need
1692         to ensure that subclasses of JSEnvironmentRecord never have additional C++ fields, so that
1693         JSEnvironmentRecord can always place "registers" right after the end of itself.
1694
1695         * CMakeLists.txt:
1696         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1697         * JavaScriptCore.xcodeproj/project.pbxproj:
1698         * debugger/DebuggerScope.cpp:
1699         (JSC::DebuggerScope::isCatchScope):
1700         (JSC::DebuggerScope::isFunctionNameScope):
1701         * interpreter/Interpreter.cpp:
1702         (JSC::Interpreter::execute):
1703         * jit/JITOperations.cpp:
1704         * llint/LLIntSlowPaths.cpp:
1705         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1706         * runtime/JSCatchScope.cpp: Added.
1707         * runtime/JSCatchScope.h: Added.
1708         (JSC::JSCatchScope::JSCatchScope):
1709         (JSC::JSCatchScope::create):
1710         (JSC::JSCatchScope::createStructure):
1711         * runtime/JSFunction.cpp:
1712         (JSC::JSFunction::addNameScopeIfNeeded):
1713         * runtime/JSFunctionNameScope.cpp: Added.
1714         * runtime/JSFunctionNameScope.h: Added.
1715         (JSC::JSFunctionNameScope::JSFunctionNameScope):
1716         (JSC::JSFunctionNameScope::create):
1717         (JSC::JSFunctionNameScope::createStructure):
1718         * runtime/JSGlobalObject.cpp:
1719         (JSC::JSGlobalObject::init):
1720         (JSC::JSGlobalObject::visitChildren):
1721         * runtime/JSGlobalObject.h:
1722         (JSC::JSGlobalObject::catchScopeStructure):
1723         (JSC::JSGlobalObject::functionNameScopeStructure):
1724         (JSC::JSGlobalObject::nameScopeStructure): Deleted.
1725         * runtime/JSNameScope.cpp:
1726         (JSC::JSNameScope::create):
1727         * runtime/JSNameScope.h:
1728         (JSC::JSNameScope::create):
1729         (JSC::JSNameScope::JSNameScope):
1730         (JSC::JSNameScope::createStructure): Deleted.
1731         (JSC::JSNameScope::isFunctionNameScope): Deleted.
1732         (JSC::JSNameScope::isCatchScope): Deleted.
1733         * runtime/JSObject.cpp:
1734         (JSC::JSObject::isCatchScopeObject):
1735         (JSC::JSObject::isFunctionNameScopeObject):
1736         * runtime/JSObject.h:
1737
1738 2015-02-20  Mark Lam  <mark.lam@apple.com>
1739
1740         [JSObjCClassInfo reallocateConstructorAndOrPrototype] should also reallocate super class prototype chain.
1741         <https://webkit.org/b/141809>
1742
1743         Reviewed by Geoffrey Garen.
1744
1745         An ObjC class that implements the JSExport protocol will have a JS prototype
1746         chain and constructor automatically synthesized for its JS wrapper object.
1747         However, if there are no more instances of that ObjC class reachable by a
1748         JS GC root scan, then its synthesized prototype chain and constructors may
1749         be released by the GC.  If a new instance of that ObjC class is subsequently
1750         instantiated, then [JSObjCClassInfo reallocateConstructorAndOrPrototype]
1751         should re-construct the prototype chain and constructor (if they were
1752         previously released).  However, the current implementation only
1753         re-constructs the immediate prototype, but not every other prototype
1754         object upstream in the prototype chain.
1755
1756         To fix this, we do the following:
1757         1. We no longer allocate the JSObjCClassInfo's prototype and constructor
1758            eagerly.  Hence, -initWithContext:forClass: will no longer call
1759            -allocateConstructorAndPrototypeWithSuperClassInfo:.
1760         2. Instead, we'll always access the prototype and constructor thru
1761            accessor methods.  The accessor methods will call
1762            -allocateConstructorAndPrototype: if needed.
1763         3. -allocateConstructorAndPrototype: will fetch the needed superClassInfo
1764            from the JSWrapperMap itself.  This makes it so that we no longer
1765            need to pass the superClassInfo all over.
1766         4. -allocateConstructorAndPrototype: will get the super class prototype
1767            by invoking -prototype: on the superClassInfo, thereby allowing the
1768            super class to allocate its prototype and constructor if needed and
1769            fixing the issue in this bug.
1770
1771         5. Also removed the GC warning comments, and ensured that needed JS
1772            objects are kept alive by having a local var pointing to it from the
1773            stack (which makes a GC root).
1774
1775         * API/JSWrapperMap.mm:
1776         (-[JSObjCClassInfo initWithContext:forClass:]):
1777         (-[JSObjCClassInfo allocateConstructorAndPrototype]):
1778         (-[JSObjCClassInfo wrapperForObject:]):
1779         (-[JSObjCClassInfo constructor]):
1780         (-[JSObjCClassInfo prototype]):
1781         (-[JSWrapperMap classInfoForClass:]):
1782         (-[JSObjCClassInfo initWithContext:forClass:superClassInfo:]): Deleted.
1783         (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]): Deleted.
1784         (-[JSObjCClassInfo reallocateConstructorAndOrPrototype]): Deleted.
1785         * API/tests/Regress141809.h: Added.
1786         * API/tests/Regress141809.mm: Added.
1787         (-[TestClassB name]):
1788         (-[TestClassC name]):
1789         (runRegress141809):
1790         * API/tests/testapi.mm:
1791         * JavaScriptCore.xcodeproj/project.pbxproj:
1792
1793 2015-02-20  Alexey Proskuryakov  <ap@apple.com>
1794
1795         Remove svn:keywords property.
1796
1797         As far as I can tell, the property had no effect on any of these files, but also,
1798         when it has effect it's likely harmful.
1799
1800         * builtins/ArrayConstructor.js: Removed property svn:keywords.
1801
1802 2015-02-20  Michael Saboff  <msaboff@apple.com>
1803
1804         DFG JIT needs to check for stack overflow at the start of Program and Eval execution
1805         https://bugs.webkit.org/show_bug.cgi?id=141676
1806
1807         Reviewed by Filip Pizlo.
1808
1809         Added stack check to the beginning of the code the DFG compiler emits for Program and Eval nodes.
1810         To aid in testing the code, I replaced the EvalCodeCache::maxCacheableSourceLength const with
1811         an option in runtime/Options.h.  The test script, run-jsc-stress-tests, sets that option
1812         to a huge value when running with the "Eager" options.  This allows the updated test to
1813         reliably exercise the code in question.
1814
1815         * dfg/DFGJITCompiler.cpp:
1816         (JSC::DFG::JITCompiler::compile):
1817         Added stack check.
1818
1819         * bytecode/EvalCodeCache.h:
1820         (JSC::EvalCodeCache::tryGet):
1821         (JSC::EvalCodeCache::getSlow):
1822         * runtime/Options.h:
1823         Replaced EvalCodeCache::maxCacheableSourceLength with Options::maximumEvalCacheableSourceLength
1824         so that it can be configured when running the related test.
1825
1826 2015-02-20  Eric Carlson  <eric.carlson@apple.com>
1827
1828         [iOS] cleanup AirPlay code
1829         https://bugs.webkit.org/show_bug.cgi?id=141811
1830
1831         Reviewed by Jer Noble.
1832
1833         * Configurations/FeatureDefines.xcconfig: IOS_AIRPLAY -> WIRELESS_PLAYBACK_TARGET.
1834
1835 2015-02-19  Dean Jackson  <dino@apple.com>
1836
1837         ES6: Implement Array.from()
1838         https://bugs.webkit.org/show_bug.cgi?id=141054
1839         <rdar://problem/19654521>
1840
1841         Reviewed by Filip Pizlo.
1842
1843         Implement the Array.from() ES6 method
1844         as defined in Section 22.1.2.1 of the specification.
1845
1846         Given that we can't rely on the built-in
1847         global functions or objects to be untainted,
1848         I had to expose a few of them directly to
1849         the function via private names. In particular:
1850         - Math.floor -> @floor
1851         - Math.abs -> @abs
1852         - Number -> @Number
1853         - Array -> @Array
1854         - isFinite -> @isFinite
1855
1856         * builtins/ArrayConstructor.js: Added.
1857         (from): Implementation of Array.from in JavaScript.
1858         * runtime/ArrayConstructor.cpp: Add "from" to the lookup
1859         table for the constructor object.
1860         * runtime/CommonIdentifiers.h: Add the private versions
1861         of the identifiers listed above.
1862         * runtime/JSGlobalObject.cpp: Add the implementations of
1863         those identifiers to the global object (using their
1864         private names).
1865         (JSC::JSGlobalObject::init):
1866         * runtime/JSGlobalObjectFunctions.cpp:
1867         (JSC::globalPrivateFuncAbs): Implementation of the abs function.
1868         (JSC::globalPrivateFuncFloor): Implementation of the floor function.
1869         * runtime/JSGlobalObjectFunctions.h:
1870
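The entry above explains why the self-hosted Array.from reaches Math.floor, Math.abs, Number, Array and isFinite through private names (@floor, @abs, @Number, @Array, @isFinite) instead of the global bindings: any script can replace those globals, and a builtin that looked them up at call time would be hijacked. The following is an added example, not JavaScriptCore's code, that shows the same failure and the same defence in plain JavaScript. The "captured" references stand in for JSC's engine-internal private names (an analogy, not the engine mechanism); the function names are hypothetical and the array-like input and the tampering script are constructed for the demonstration.

```javascript
// Added example (not JavaScriptCore's code): a builtin that resolves
// Math.floor / Number / Array through the global namespace at call time
// can be hijacked by earlier script; capturing the references once at
// definition time (the userland analogue of JSC's @floor, @abs, @Number,
// @Array, @isFinite private names) closes that hole. Names are hypothetical.

const capturedFloor = Math.floor;
const capturedAbs = Math.abs;
const capturedNumber = Number;
const capturedArray = Array;
const capturedIsFinite = isFinite;
const MAX_SAFE_LENGTH = 9007199254740991; // 2^53 - 1

// ToLength as Array.from uses it, parameterised on the helpers it calls
// so the naive and hardened variants can share the arithmetic.
function toLengthWith(floor, abs, num, finite, value) {
  const n = num(value);
  if (n !== n) return 0;                                // NaN -> 0
  if (!finite(n)) return n > 0 ? MAX_SAFE_LENGTH : 0;   // +/-Infinity
  const len = (n < 0 ? -1 : 1) * floor(abs(n));
  if (len <= 0) return 0;
  return len > MAX_SAFE_LENGTH ? MAX_SAFE_LENGTH : len;
}

// Naive: Math.floor, Number, isFinite and Array are looked up on the
// global object on every call, so whoever replaced them earlier wins.
function naiveArrayFrom(arrayLike, mapFn) {
  const len = toLengthWith(Math.floor, Math.abs, Number, isFinite, arrayLike.length);
  const result = new Array(len);
  for (let k = 0; k < len; k++) {
    const v = arrayLike[k];
    result[k] = mapFn ? mapFn(v, k) : v;
  }
  return result;
}

// Hardened: only the references captured at definition time are used.
function hardenedArrayFrom(arrayLike, mapFn) {
  const len = toLengthWith(capturedFloor, capturedAbs, capturedNumber,
                           capturedIsFinite, arrayLike.length);
  const result = new capturedArray(len);
  for (let k = 0; k < len; k++) {
    const v = arrayLike[k];
    result[k] = mapFn ? mapFn(v, k) : v;
  }
  return result;
}

// Constructed attack: a page script tampers with two globals, then both
// implementations run on the same array-like input. Tampering is undone
// in `finally` so the rest of the program sees the real builtins again.
function demonstrateTaint() {
  const leaked = [];
  const input = { length: 3.7, 0: 'a', 1: 'b', 2: 'c' };  // constructed input
  Math.floor = () => 1;                 // truncates every result to one element
  globalThis.Array = function (n) {     // records every element the callee stores
    return new Proxy(new capturedArray(n), {
      set(target, key, value) {
        if (key !== 'length') leaked.push(value);
        target[key] = value;
        return true;
      },
    });
  };
  try {
    const naive = naiveArrayFrom(input);
    const hardened = hardenedArrayFrom(input);
    return {
      naiveLength: naive.length,        // 1: hijacked floor shortened it
      hardenedLength: hardened.length,  // 3: unaffected
      hardened: hardened.slice(),
      leaked: leaked.slice(),           // elements exfiltrated via fake Array
    };
  } finally {
    Math.floor = capturedFloor;
    globalThis.Array = capturedArray;
  }
}
```

The naive variant both computes the wrong length and hands its elements to an attacker-supplied Array, while the hardened variant is unaffected; the capture-at-definition pattern is the same discipline the entry applies inside the engine.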
1871 2015-02-19  Benjamin Poulain  <bpoulain@apple.com>
1872
1873         Refine the FTL part of ArithPow
1874         https://bugs.webkit.org/show_bug.cgi?id=141792
1875
1876         Reviewed by Filip Pizlo.
1877
1878         This patch refines the FTL lowering of ArithPow. This was left out
1879         of the original patch to keep it simpler.
1880
1881         * ftl/FTLLowerDFGToLLVM.cpp:
1882         (JSC::FTL::LowerDFGToLLVM::compileArithPow):
1883         Two improvements here:
1884         1) Do not generate the NaN check unless we know the exponent might be a NaN.
1885         2) Use one BasicBlock per check with the appropriate weight. Now that we have
1886            one branch per test, move the Infinity check before the check for 1 since
1887            it is the less common case.
1888
1889         * tests/stress/math-pow-becomes-custom-function.js: Added.
1890         Test for changing the Math.pow() function after it has been optimized.
1891
1892         * tests/stress/math-pow-nan-behaviors.js:
1893         The previous tests were only going as far as the DFGAbstractInterpreter
1894         where the operations were replaced by the equivalent constant.
1895
1896         I duplicated the test functions to also test the dynamic behavior of DFG
1897         and FTL.
1898
1899         * tests/stress/math-pow-with-constants.js:
1900         Add cases covering exponent constants. LLVM removes many value
1901         checks for those.
1902
1903         * tests/stress/math-pow-with-never-NaN-exponent.js: Added.
1904         Test for the new optimization removing the NaN check.
1905
1906 2015-02-19  Csaba Osztrogonác  <ossy@webkit.org>
1907
1908         REGRESSION(r180279): It broke 20 tests on ARM Linux
1909         https://bugs.webkit.org/show_bug.cgi?id=141771
1910
1911         Reviewed by Filip Pizlo.
1912
1913         * dfg/DFGSpeculativeJIT.h:
1914         (JSC::DFG::SpeculativeJIT::callOperation): Align 64-bit values to respect ARM EABI.
1915
1916 2015-02-18  Benjamin Poulain  <bpoulain@apple.com>
1917
1918         Remove BytecodeGenerator's numberMap, it is dead code
1919         https://bugs.webkit.org/show_bug.cgi?id=141779
1920
1921         Reviewed by Filip Pizlo.
1922
1923         * bytecompiler/BytecodeGenerator.cpp:
1924         (JSC::BytecodeGenerator::emitLoad): Deleted.
1925         * bytecompiler/BytecodeGenerator.h:
1926         The JSValueMap seems better in every way.
1927
1928         The emitLoad() taking a double was the only way to use numberMap
1929         and that code has no caller.
1930
1931 2015-02-18  Michael Saboff  <msaboff@apple.com>
1932
1933         Rollout r180247 & r180249 from trunk
1934         https://bugs.webkit.org/show_bug.cgi?id=141773
1935
1936         Reviewed by Filip Pizlo.
1937
1938         These changes make sense to fix the crash reported in https://bugs.webkit.org/show_bug.cgi?id=141730
1939         only for branches.  The change to fail the FTL compile but continue running is not comprehensive
1940         enough for general use on trunk.
1941
1942         * dfg/DFGPlan.cpp:
1943         (JSC::DFG::Plan::compileInThreadImpl):
1944         * ftl/FTLLowerDFGToLLVM.cpp:
1945         (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
1946         (JSC::FTL::LowerDFGToLLVM::lower):
1947         (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
1948         (JSC::FTL::LowerDFGToLLVM::compileNode):
1949         (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
1950         (JSC::FTL::LowerDFGToLLVM::compilePhi):
1951         (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
1952         (JSC::FTL::LowerDFGToLLVM::compileValueRep):
1953         (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
1954         (JSC::FTL::LowerDFGToLLVM::compilePutLocal):
1955         (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
1956         (JSC::FTL::LowerDFGToLLVM::compileArithMul):
1957         (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
1958         (JSC::FTL::LowerDFGToLLVM::compileArithMod):
1959         (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
1960         (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
1961         (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
1962         (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
1963         (JSC::FTL::LowerDFGToLLVM::compileGetById):
1964         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
1965         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
1966         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
1967         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
1968         (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
1969         (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
1970         (JSC::FTL::LowerDFGToLLVM::compileNewArray):
1971         (JSC::FTL::LowerDFGToLLVM::compileToString):
1972         (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
1973         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
1974         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
1975         (JSC::FTL::LowerDFGToLLVM::compileSwitch):
1976         (JSC::FTL::LowerDFGToLLVM::compare):
1977         (JSC::FTL::LowerDFGToLLVM::boolify):
1978         (JSC::FTL::LowerDFGToLLVM::opposite):
1979         (JSC::FTL::LowerDFGToLLVM::lowJSValue):
1980         (JSC::FTL::LowerDFGToLLVM::speculate):
1981         (JSC::FTL::LowerDFGToLLVM::isArrayType):
1982         (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
1983         (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
1984         (JSC::FTL::LowerDFGToLLVM::setInt52):
1985         (JSC::FTL::lowerDFGToLLVM):
1986         (JSC::FTL::LowerDFGToLLVM::loweringFailed): Deleted.
1987         * ftl/FTLLowerDFGToLLVM.h:
1988
1989 2015-02-18  Filip Pizlo  <fpizlo@apple.com>
1990
1991         DFG should really support varargs
1992         https://bugs.webkit.org/show_bug.cgi?id=141332
1993
1994         Reviewed by Oliver Hunt.
1995         
1996         This adds comprehensive vararg call support to the DFG and FTL compilers. Previously, if a
1997         function had a varargs call, then it could only be compiled if that varargs call was just
1998         forwarding arguments and we were inlining the function rather than compiling it directly. Also,
1999         only varargs calls were dealt with; varargs constructs were not.
2000         
2001         This lifts all of those restrictions. Every varargs call or construct can now be compiled by both
2002         the DFG and the FTL. Those calls can also be inlined, too - provided that profiling gives us a
2003         sensible bound on arguments list length. When we inline a varargs call, the act of loading the
2004         varargs is now made explicit in IR. I believe that we have enough IR machinery in place that we
2005         would be able to do the arguments forwarding optimization as an IR transformation. This patch
2006         doesn't implement that yet, and keeps the old bytecode-based varargs argument forwarding
2007         optimization for now.
2008         
2009         There are three major IR features introduced in this patch:
2010         
2011         CallVarargs/ConstructVarargs: these are like Call/Construct except that they take an arguments
2012         array rather than a list of arguments. Currently, they splat this arguments array onto the stack
2013         using the same basic technique as the baseline JIT has always done. Except, these nodes indicate
2014         that we are not interested in doing the non-escaping "arguments" optimization.
2015         
2016         CallForwardVarargs: this is a form of CallVarargs that just does the non-escaping "arguments"
2017         optimization, aka forwarding arguments. It's somewhat lazy that this doesn't include
2018         ConstructForwardVarargs, but the reason is that once we eliminate the lazy tear-off for
2019         arguments, this whole thing will have to be tweaked - and for now forwarding on construct is just
2020         not important in benchmarks. ConstructVarargs will still do forwarding, just not inlined.
2021         
2022         LoadVarargs: loads all elements out of an array onto the stack in a manner suitable for a varargs
2023         call. This is used only when a varargs call (or construct) was inlined. The bytecode parser will
2024         make room on the stack for the arguments, and will use LoadVarargs to put those arguments into
2025         place.
2026         
2027         In the future, we can consider adding strength reductions like:
2028         
2029         - If CallVarargs/ConstructVarargs see an array of known size with known elements, turn them into
2030           Call/Construct.
2031         
2032         - If CallVarargs/ConstructVarargs are passed an unmodified, unescaped Arguments object, then
2033           turn them into CallForwardVarargs/ConstructForwardVarargs.
2034         
2035         - If LoadVarargs sees an array of known size, then turn it into a sequence of GetByVals and
2036           PutLocals.
2037         
2038         - If LoadVarargs sees an unmodified, unescaped Arguments object, then turn it into something like
2039           LoadForwardVarargs.
2040         
2041         - If CallVarargs/ConstructVarargs/LoadVarargs see the result of a splice (or other Array
2042           prototype function), then do the splice and varargs loading in one go (maybe via a new node
2043           type).
2044
2045         * CMakeLists.txt:
2046         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2047         * JavaScriptCore.xcodeproj/project.pbxproj:
2048         * assembler/MacroAssembler.h:
2049         (JSC::MacroAssembler::rshiftPtr):
2050         (JSC::MacroAssembler::urshiftPtr):
2051         * assembler/MacroAssemblerARM64.h:
2052         (JSC::MacroAssemblerARM64::urshift64):
2053         * assembler/MacroAssemblerX86_64.h:
2054         (JSC::MacroAssemblerX86_64::urshift64):
2055         * assembler/X86Assembler.h:
2056         (JSC::X86Assembler::shrq_i8r):
2057         * bytecode/CallLinkInfo.h:
2058         (JSC::CallLinkInfo::CallLinkInfo):
2059         * bytecode/CallLinkStatus.cpp:
2060         (JSC::CallLinkStatus::computeFor):
2061         (JSC::CallLinkStatus::setProvenConstantCallee):
2062         (JSC::CallLinkStatus::dump):
2063         * bytecode/CallLinkStatus.h:
2064         (JSC::CallLinkStatus::maxNumArguments):
2065         (JSC::CallLinkStatus::setIsProved): Deleted.
2066         * bytecode/CodeOrigin.cpp:
2067         (WTF::printInternal):
2068         * bytecode/CodeOrigin.h:
2069         (JSC::InlineCallFrame::varargsKindFor):
2070         (JSC::InlineCallFrame::specializationKindFor):
2071         (JSC::InlineCallFrame::isVarargs):
2072         (JSC::InlineCallFrame::isNormalCall): Deleted.
2073         * bytecode/ExitKind.cpp:
2074         (JSC::exitKindToString):
2075         * bytecode/ExitKind.h:
2076         * bytecode/ValueRecovery.cpp:
2077         (JSC::ValueRecovery::dumpInContext):
2078         * dfg/DFGAbstractInterpreterInlines.h:
2079         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2080         * dfg/DFGArgumentsSimplificationPhase.cpp:
2081         (JSC::DFG::ArgumentsSimplificationPhase::run):
2082         * dfg/DFGByteCodeParser.cpp:
2083         (JSC::DFG::ByteCodeParser::flush):
2084         (JSC::DFG::ByteCodeParser::addCall):
2085         (JSC::DFG::ByteCodeParser::handleCall):
2086         (JSC::DFG::ByteCodeParser::handleVarargsCall):
2087         (JSC::DFG::ByteCodeParser::emitFunctionChecks):
2088         (JSC::DFG::ByteCodeParser::inliningCost):
2089         (JSC::DFG::ByteCodeParser::inlineCall):
2090         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
2091         (JSC::DFG::ByteCodeParser::handleInlining):
2092         (JSC::DFG::ByteCodeParser::handleMinMax):
2093         (JSC::DFG::ByteCodeParser::handleIntrinsic):
2094         (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
2095         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2096         (JSC::DFG::ByteCodeParser::parseBlock):
2097         (JSC::DFG::ByteCodeParser::removeLastNodeFromGraph): Deleted.
2098         (JSC::DFG::ByteCodeParser::undoFunctionChecks): Deleted.
2099         * dfg/DFGCapabilities.cpp:
2100         (JSC::DFG::capabilityLevel):
2101         * dfg/DFGCapabilities.h:
2102         (JSC::DFG::functionCapabilityLevel):
2103         (JSC::DFG::mightCompileFunctionFor):
2104         * dfg/DFGClobberize.h:
2105         (JSC::DFG::clobberize):
2106         * dfg/DFGCommon.cpp:
2107         (WTF::printInternal):
2108         * dfg/DFGCommon.h:
2109         (JSC::DFG::canInline):
2110         (JSC::DFG::leastUpperBound):
2111         * dfg/DFGDoesGC.cpp:
2112         (JSC::DFG::doesGC):
2113         * dfg/DFGFixupPhase.cpp:
2114         (JSC::DFG::FixupPhase::fixupNode):
2115         * dfg/DFGGraph.cpp:
2116         (JSC::DFG::Graph::dump):
2117         (JSC::DFG::Graph::dumpBlockHeader):
2118         (JSC::DFG::Graph::isLiveInBytecode):
2119         (JSC::DFG::Graph::valueProfileFor):
2120         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2121         * dfg/DFGGraph.h:
2122         (JSC::DFG::Graph::valueProfileFor): Deleted.
2123         (JSC::DFG::Graph::methodOfGettingAValueProfileFor): Deleted.
2124         * dfg/DFGJITCompiler.cpp:
2125         (JSC::DFG::JITCompiler::compileExceptionHandlers):
2126         (JSC::DFG::JITCompiler::link):
2127         * dfg/DFGMayExit.cpp:
2128         (JSC::DFG::mayExit):
2129         * dfg/DFGNode.h:
2130         (JSC::DFG::Node::hasCallVarargsData):
2131         (JSC::DFG::Node::callVarargsData):
2132         (JSC::DFG::Node::hasLoadVarargsData):
2133         (JSC::DFG::Node::loadVarargsData):
2134         (JSC::DFG::Node::hasHeapPrediction):
2135         * dfg/DFGNodeType.h:
2136         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2137         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
2138         * dfg/DFGOSRExitCompilerCommon.cpp:
2139         (JSC::DFG::reifyInlinedCallFrames):
2140         * dfg/DFGOperations.cpp:
2141         * dfg/DFGOperations.h:
2142         * dfg/DFGPlan.cpp:
2143         (JSC::DFG::dumpAndVerifyGraph):
2144         (JSC::DFG::Plan::compileInThreadImpl):
2145         * dfg/DFGPreciseLocalClobberize.h:
2146         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
2147         (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop):
2148         * dfg/DFGPredictionPropagationPhase.cpp:
2149         (JSC::DFG::PredictionPropagationPhase::propagate):
2150         * dfg/DFGSSAConversionPhase.cpp:
2151         * dfg/DFGSafeToExecute.h:
2152         (JSC::DFG::safeToExecute):
2153         * dfg/DFGSpeculativeJIT.h:
2154         (JSC::DFG::SpeculativeJIT::isFlushed):
2155         (JSC::DFG::SpeculativeJIT::callOperation):
2156         * dfg/DFGSpeculativeJIT32_64.cpp:
2157         (JSC::DFG::SpeculativeJIT::emitCall):
2158         (JSC::DFG::SpeculativeJIT::compile):
2159         * dfg/DFGSpeculativeJIT64.cpp:
2160         (JSC::DFG::SpeculativeJIT::emitCall):
2161         (JSC::DFG::SpeculativeJIT::compile):
2162         * dfg/DFGStackLayoutPhase.cpp:
2163         (JSC::DFG::StackLayoutPhase::run):
2164         (JSC::DFG::StackLayoutPhase::assign):
2165         * dfg/DFGStrengthReductionPhase.cpp:
2166         (JSC::DFG::StrengthReductionPhase::handleNode):
2167         * dfg/DFGTypeCheckHoistingPhase.cpp:
2168         (JSC::DFG::TypeCheckHoistingPhase::run):
2169         * dfg/DFGValidate.cpp:
2170         (JSC::DFG::Validate::validateCPS):
2171         * ftl/FTLAbbreviations.h:
2172         (JSC::FTL::functionType):
2173         (JSC::FTL::buildCall):
2174         * ftl/FTLCapabilities.cpp:
2175         (JSC::FTL::canCompile):
2176         * ftl/FTLCompile.cpp:
2177         (JSC::FTL::mmAllocateDataSection):
2178         * ftl/FTLInlineCacheSize.cpp:
2179         (JSC::FTL::sizeOfCall):
2180         (JSC::FTL::sizeOfCallVarargs):
2181         (JSC::FTL::sizeOfCallForwardVarargs):
2182         (JSC::FTL::sizeOfConstructVarargs):
2183         (JSC::FTL::sizeOfIn):
2184         (JSC::FTL::sizeOfICFor):
2185         (JSC::FTL::sizeOfCheckIn): Deleted.
2186         * ftl/FTLInlineCacheSize.h:
2187         * ftl/FTLIntrinsicRepository.h:
2188         * ftl/FTLJSCall.cpp:
2189         (JSC::FTL::JSCall::JSCall):
2190         * ftl/FTLJSCallBase.cpp:
2191         * ftl/FTLJSCallBase.h:
2192         * ftl/FTLJSCallVarargs.cpp: Added.
2193         (JSC::FTL::JSCallVarargs::JSCallVarargs):
2194         (JSC::FTL::JSCallVarargs::numSpillSlotsNeeded):
2195         (JSC::FTL::JSCallVarargs::emit):
2196         (JSC::FTL::JSCallVarargs::link):
2197         * ftl/FTLJSCallVarargs.h: Added.
2198         (JSC::FTL::JSCallVarargs::node):
2199         (JSC::FTL::JSCallVarargs::stackmapID):
2200         (JSC::FTL::JSCallVarargs::operator<):
2201         * ftl/FTLLowerDFGToLLVM.cpp:
2202         (JSC::FTL::LowerDFGToLLVM::lower):
2203         (JSC::FTL::LowerDFGToLLVM::compileNode):
2204         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
2205         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
2206         (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):
2207         (JSC::FTL::LowerDFGToLLVM::compileLoadVarargs):
2208         (JSC::FTL::LowerDFGToLLVM::compileIn):
2209         (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
2210         (JSC::FTL::LowerDFGToLLVM::vmCall):
2211         (JSC::FTL::LowerDFGToLLVM::vmCallNoExceptions):
2212         (JSC::FTL::LowerDFGToLLVM::callCheck):
2213         * ftl/FTLOutput.h:
2214         (JSC::FTL::Output::call):
2215         * ftl/FTLState.cpp:
2216         (JSC::FTL::State::State):
2217         * ftl/FTLState.h:
2218         * interpreter/Interpreter.cpp:
2219         (JSC::sizeOfVarargs):
2220         (JSC::sizeFrameForVarargs):
2221         * interpreter/Interpreter.h:
2222         * interpreter/StackVisitor.cpp:
2223         (JSC::StackVisitor::readInlinedFrame):
2224         * jit/AssemblyHelpers.cpp:
2225         (JSC::AssemblyHelpers::emitExceptionCheck):
2226         * jit/AssemblyHelpers.h:
2227         (JSC::AssemblyHelpers::addressFor):
2228         (JSC::AssemblyHelpers::calleeFrameSlot):
2229         (JSC::AssemblyHelpers::calleeArgumentSlot):
2230         (JSC::AssemblyHelpers::calleeFrameTagSlot):
2231         (JSC::AssemblyHelpers::calleeFramePayloadSlot):
2232         (JSC::AssemblyHelpers::calleeArgumentTagSlot):
2233         (JSC::AssemblyHelpers::calleeArgumentPayloadSlot):
2234         (JSC::AssemblyHelpers::calleeFrameCallerFrame):
2235         (JSC::AssemblyHelpers::selectScratchGPR):
2236         * jit/CCallHelpers.h:
2237         (JSC::CCallHelpers::setupArgumentsWithExecState):
2238         * jit/GPRInfo.h:
2239         * jit/JIT.cpp:
2240         (JSC::JIT::privateCompile):
2241         * jit/JIT.h:
2242         * jit/JITCall.cpp:
2243         (JSC::JIT::compileSetupVarargsFrame):
2244         (JSC::JIT::compileOpCall):
2245         * jit/JITCall32_64.cpp:
2246         (JSC::JIT::compileSetupVarargsFrame):
2247         (JSC::JIT::compileOpCall):
2248         * jit/JITOperations.h:
2249         * jit/SetupVarargsFrame.cpp:
2250         (JSC::emitSetupVarargsFrameFastCase):
2251         * jit/SetupVarargsFrame.h:
2252         * runtime/Arguments.h:
2253         (JSC::Arguments::create):
2254         (JSC::Arguments::registerArraySizeInBytes):
2255         (JSC::Arguments::finishCreation):
2256         * runtime/Options.h:
2257         * tests/stress/construct-varargs-inline-smaller-Foo.js: Added.
2258         (Foo):
2259         (bar):
2260         (checkEqual):
2261         (test):
2262         * tests/stress/construct-varargs-inline.js: Added.
2263         (Foo):
2264         (bar):
2265         (checkEqual):
2266         (test):
2267         * tests/stress/construct-varargs-no-inline.js: Added.
2268         (Foo):
2269         (bar):
2270         (checkEqual):
2271         (test):
2272         * tests/stress/get-argument-by-val-in-inlined-varargs-call-out-of-bounds.js: Added.
2273         (foo):
2274         (bar):
2275         * tests/stress/get-argument-by-val-safe-in-inlined-varargs-call-out-of-bounds.js: Added.
2276         (foo):
2277         (bar):
2278         * tests/stress/get-my-argument-by-val-creates-arguments.js: Added.
2279         (blah):
2280         (foo):
2281         (bar):
2282         (checkEqual):
2283         (test):
2284         * tests/stress/load-varargs-then-inlined-call-exit-in-foo.js: Added.
2285         (foo):
2286         (bar):
2287         (checkEqual):
2288         * tests/stress/load-varargs-then-inlined-call-inlined.js: Added.
2289         (foo):
2290         (bar):
2291         (baz):
2292         (checkEqual):
2293         (test):
2294         * tests/stress/load-varargs-then-inlined-call.js: Added.
2295         (foo):
2296         (bar):
2297         (checkEqual):
2298         (test):
2299
2300 2015-02-17  Michael Saboff  <msaboff@apple.com>
2301
2302         Unreviewed, Restoring the C LOOP insta-crash fix in r180184.
2303
2304         Fixed a typo that only affected the C Loop in the prologue() macro in LowLevelInterpreter.asm.
2305         After the stackHeightOKGetCodeBlock label, codeBlockSetter(t1) should be codeBlockGetter(t1).
2306
2307         * llint/LowLevelInterpreter.asm: Fixed a typo.
2308
2309 2015-02-18  Csaba Osztrogonác  <ossy@webkit.org>
2310
2311         URTBF after r180258 to fix Windows build.
2312
2313         * runtime/MathCommon.cpp:
2314         (JSC::mathPowInternal):
2315
2316 2015-02-18  Joseph Pecoraro  <pecoraro@apple.com>
2317
2318         REGRESSION(r180235): It broke the !ENABLE(PROMISES) build
2319         https://bugs.webkit.org/show_bug.cgi?id=141746
2320
2321         Unreviewed build fix.
2322
2323         * inspector/JSInjectedScriptHost.cpp:
2324         (Inspector::JSInjectedScriptHost::getInternalProperties):
2325         Wrap JSPromise related code in ENABLE(PROMISES) guard.
2326
2327 2015-02-18  Benjamin Poulain  <benjamin@webkit.org>
2328
2329         Fix the C-Loop LLInt build
2330         https://bugs.webkit.org/show_bug.cgi?id=141618
2331
2332         Reviewed by Filip Pizlo.
2333
2334         I broke C-Loop when moving the common code of pow()
2335         to JITOperations because that file is #ifdefed out
2336         when the JITs are disabled.
2337
2338         It would be weird to move it back to MathObject since
2339         the function needs to know about the calling conventions.
2340
2341         To avoid making a mess, I just gave the function its own file
2342         that is used by both the runtime and the JIT.
2343
2344         * CMakeLists.txt:
2345         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2346         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2347         * JavaScriptCore.xcodeproj/project.pbxproj:
2348         * dfg/DFGAbstractInterpreterInlines.h:
2349         * jit/JITOperations.cpp:
2350         * jit/JITOperations.h:
2351         * runtime/MathCommon.cpp: Added.
2352         (JSC::fdlibmScalbn):
2353         (JSC::fdlibmPow):
2354         (JSC::isDenormal):
2355         (JSC::isEdgeCase):
2356         (JSC::mathPowInternal):
2357         (JSC::operationMathPow):
2358         * runtime/MathCommon.h: Added.
2359         * runtime/MathObject.cpp:
2360
2361 2015-02-17  Benjamin Poulain  <bpoulain@apple.com>
2362
2363         Clean up OSRExit's considerAddingAsFrequentExitSite()
2364         https://bugs.webkit.org/show_bug.cgi?id=141690
2365
2366         Reviewed by Anders Carlsson.
2367
2368         Looks like some code was removed from CodeBlock::tallyFrequentExitSites()
2369         and the OSRExit was left untouched.
2370
2371         This patch cleans up the two loops and removes the boolean return
2372         on considerAddingAsFrequentExitSite().
2373
2374         * bytecode/CodeBlock.cpp:
2375         (JSC::CodeBlock::tallyFrequentExitSites):
2376         * dfg/DFGOSRExit.h:
2377         (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
2378         * dfg/DFGOSRExitBase.cpp:
2379         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
2380         * dfg/DFGOSRExitBase.h:
2381         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSite):
2382         * ftl/FTLOSRExit.h:
2383         (JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
2384
2385 2015-02-17  Alexey Proskuryakov  <ap@apple.com>
2386
2387         Debug build fix after r180247.
2388
2389         * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::loweringFailed):
2390
2391 2015-02-17  Commit Queue  <commit-queue@webkit.org>
2392
2393         Unreviewed, rolling out r180184.
2394         https://bugs.webkit.org/show_bug.cgi?id=141733
2395
2396         Caused infinite recursion on js/function-apply-aliased.html
2397         (Requested by ap_ on #webkit).
2398
2399         Reverted changeset:
2400
2401         "REGRESSION(r180060): C Loop crashes"
2402         https://bugs.webkit.org/show_bug.cgi?id=141671
2403         http://trac.webkit.org/changeset/180184
2404
2405 2015-02-17  Michael Saboff  <msaboff@apple.com>
2406
2407         CrashTracer: DFG_CRASH beneath JSC::FTL::LowerDFGToLLVM::compileNode
2408         https://bugs.webkit.org/show_bug.cgi?id=141730
2409
2410         Reviewed by Geoffrey Garen.
2411
2412         Added a new failure handler, loweringFailed(), to LowerDFGToLLVM that reports failures
2413         while processing DFG lowering.  For debug builds, the failures are logged identically
2414         to the way the DFG_CRASH() reports them.  For release builds, the failures are reported
2415         and that FTL compilation is terminated, but the process is allowed to continue.
2416         Wrapped calls to loweringFailed() in a macro LOWERING_FAILED so the function and
2417         line number are reported at the point of the inconsistency.
2418
2419         Converted instances of DFG_CRASH to LOWERING_FAILED.
2420
2421         * dfg/DFGPlan.cpp:
2422         (JSC::DFG::Plan::compileInThreadImpl): Added lowerDFGToLLVM() failure check that
2423         will fail the FTL compile.
2424
2425         * ftl/FTLLowerDFGToLLVM.cpp:
2426         (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
2427         Added new member variable, m_loweringSucceeded, to stop compilation on the first
2428         reported failure.
2429
2430         * ftl/FTLLowerDFGToLLVM.cpp:
2431         (JSC::FTL::LowerDFGToLLVM::lower):
2432         * ftl/FTLLowerDFGToLLVM.h:
2433         Added check for compilation failures and now report those failures via a boolean
2434         return value.
2435
2436         * ftl/FTLLowerDFGToLLVM.cpp:
2437         (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
2438         (JSC::FTL::LowerDFGToLLVM::compileNode):
2439         (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
2440         (JSC::FTL::LowerDFGToLLVM::compilePhi):
2441         (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
2442         (JSC::FTL::LowerDFGToLLVM::compileValueRep):
2443         (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
2444         (JSC::FTL::LowerDFGToLLVM::compilePutLocal):
2445         (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
2446         (JSC::FTL::LowerDFGToLLVM::compileArithMul):
2447         (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
2448         (JSC::FTL::LowerDFGToLLVM::compileArithMod):
2449         (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
2450         (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
2451         (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
2452         (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
2453         (JSC::FTL::LowerDFGToLLVM::compileGetById):
2454         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
2455         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
2456         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2457         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2458         (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
2459         (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
2460         (JSC::FTL::LowerDFGToLLVM::compileNewArray):
2461         (JSC::FTL::LowerDFGToLLVM::compileToString):
2462         (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
2463         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
2464         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
2465         (JSC::FTL::LowerDFGToLLVM::compileSwitch):
2466         (JSC::FTL::LowerDFGToLLVM::compare):
2467         (JSC::FTL::LowerDFGToLLVM::boolify):
2468         (JSC::FTL::LowerDFGToLLVM::opposite):
2469         (JSC::FTL::LowerDFGToLLVM::lowJSValue):
2470         (JSC::FTL::LowerDFGToLLVM::speculate):
2471         (JSC::FTL::LowerDFGToLLVM::isArrayType):
2472         (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
2473         (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
2474         (JSC::FTL::LowerDFGToLLVM::setInt52):
2475         Changed DFG_CRASH() to LOWERING_FAILED().  Updated related control flow as appropriate.
2476
2477         (JSC::FTL::LowerDFGToLLVM::loweringFailed): New error reporting member function.
2478
2479 2015-02-17  Filip Pizlo  <fpizlo@apple.com>
2480
2481         StackLayoutPhase should use CodeBlock::usesArguments rather than FunctionExecutable::usesArguments
2482         https://bugs.webkit.org/show_bug.cgi?id=141721
2483         rdar://problem/17198633
2484
2485         Reviewed by Michael Saboff.
2486         
2487         I've seen cases where the two are out of sync.  We know we can trust the CodeBlock::usesArguments because
2488         we use it everywhere else.
2489         
2490         No test because I could never reproduce the crash.
2491
2492         * dfg/DFGGraph.h:
2493         (JSC::DFG::Graph::usesArguments):
2494         * dfg/DFGStackLayoutPhase.cpp:
2495         (JSC::DFG::StackLayoutPhase::run):
2496
2497 2015-02-16  Joseph Pecoraro  <pecoraro@apple.com>
2498
2499         Web Inspector: Improved Console Support for Bound Functions
2500         https://bugs.webkit.org/show_bug.cgi?id=141635
2501
2502         Reviewed by Timothy Hatcher.
2503
2504         * inspector/JSInjectedScriptHost.cpp:
2505         (Inspector::JSInjectedScriptHost::getInternalProperties):
2506         Expose internal properties of a JSBoundFunction.
2507
2508 2015-02-16  Joseph Pecoraro  <pecoraro@apple.com>
2509
2510         Web Inspector: ES6: Improved Console Support for Promise Objects
2511         https://bugs.webkit.org/show_bug.cgi?id=141634
2512
2513         Reviewed by Timothy Hatcher.
2514
2515         * inspector/InjectedScript.cpp:
2516         (Inspector::InjectedScript::getInternalProperties):
2517         * inspector/InjectedScriptSource.js:
2518         Include internal properties in previews. Share code
2519         with normal internal property handling.
2520
2521         * inspector/JSInjectedScriptHost.cpp:
2522         (Inspector::constructInternalProperty):
2523         (Inspector::JSInjectedScriptHost::getInternalProperties):
2524         Provide internal state of Promises.
2525
2526         * inspector/protocol/Runtime.json:
2527         Provide an optional field to distinguish if a PropertyPreview
2528         is for an Internal property or not.
2529
2530 2015-02-17  Filip Pizlo  <fpizlo@apple.com>
2531
2532         Throwing from an FTL call IC slow path may result in tag registers being clobbered on 64-bit CPUs
2533         https://bugs.webkit.org/show_bug.cgi?id=141717
2534         rdar://problem/19863382
2535
2536         Reviewed by Geoffrey Garen.
2537         
2538         The best solution is to ensure that the engine catching an exception restores tag registers.
2539         
2540         Each of these new test cases reliably crashed prior to this patch and they don't crash at all now.
2541
2542         * jit/JITOpcodes.cpp:
2543         (JSC::JIT::emit_op_catch):
2544         * llint/LowLevelInterpreter.asm:
2545         * llint/LowLevelInterpreter64.asm:
2546         * tests/stress/throw-from-ftl-call-ic-slow-path-cells.js: Added.
2547         * tests/stress/throw-from-ftl-call-ic-slow-path-undefined.js: Added.
2548         * tests/stress/throw-from-ftl-call-ic-slow-path.js: Added.
2549
2550 2015-02-17  Csaba Osztrogonác  <ossy@webkit.org>
2551
2552         [ARM] Add the necessary setupArgumentsWithExecState after bug141332
2553         https://bugs.webkit.org/show_bug.cgi?id=141714
2554
2555         Reviewed by Michael Saboff.
2556
2557         * jit/CCallHelpers.h:
2558         (JSC::CCallHelpers::setupArgumentsWithExecState):
2559
2560 2015-02-15  Sam Weinig  <sam@webkit.org>
2561
2562         Add experimental <attachment> element support
2563         https://bugs.webkit.org/show_bug.cgi?id=141626
2564
2565         Reviewed by Tim Horton.
2566
2567         * Configurations/FeatureDefines.xcconfig:
2568
2569 2015-02-16  Michael Saboff  <msaboff@apple.com>
2570
2571         REGRESSION(r180060): C Loop crashes
2572         https://bugs.webkit.org/show_bug.cgi?id=141671
2573
2574         Reviewed by Geoffrey Garen.
2575
2576         Fixed a typo that only affected the C Loop in the prologue() macro in LowLevelInterpreter.asm.
2577         After the stackHeightOKGetCodeBlock label, codeBlockSetter(t1) should be codeBlockGetter(t1).
2578         Fixed the processing of an out of stack exception in llint_stack_check to not get the caller's
2579         frame.  This isn't needed, since this helper is only called to check the stack on entry.  Any
2580         exception will be handled by a call ancestor.
2581
2582         * llint/LLIntSlowPaths.cpp:
2583         (JSC::LLInt::llint_stack_check): Changed to use the current frame for processing an exception.
2584         * llint/LowLevelInterpreter.asm: Fixed a typo.
2585
2586 2015-02-16  Joseph Pecoraro  <pecoraro@apple.com>
2587
2588         Web Inspector: Scope details sidebar should label objects with constructor names
2589         https://bugs.webkit.org/show_bug.cgi?id=139449
2590
2591         Reviewed by Timothy Hatcher.
2592
2593         * inspector/JSInjectedScriptHost.cpp:
2594         (Inspector::JSInjectedScriptHost::internalConstructorName):
2595         * runtime/Structure.cpp:
2596         (JSC::Structure::toStructureShape):
2597         Share calculatedClassName.
2598
2599         * runtime/JSObject.h:        
2600         * runtime/JSObject.cpp:
2601         (JSC::JSObject::calculatedClassName):
2602         Elaborate on a way to get an Object's class name.
2603
2604 2015-02-16  Filip Pizlo  <fpizlo@apple.com>
2605
2606         DFG SSA should use GetLocal for arguments, and the GetArgument node type should be removed
2607         https://bugs.webkit.org/show_bug.cgi?id=141623
2608
2609         Reviewed by Oliver Hunt.
2610         
2611         During development of https://bugs.webkit.org/show_bug.cgi?id=141332, I realized that I
2612         needed to use GetArgument for loading something that has magically already appeared on the
2613         stack, so currently trunk sort of allows this. But then I realized three things:
2614         
2615         - A GetArgument with a non-JSValue flush format means speculating that the value on the
2616           stack obeys that format, rather than just assuming that it already has that format.
2617           In bug 141332, I want it to assume rather than speculate. That also happens to be more
2618           intuitive; I don't think I was wrong to expect that.
2619         
2620         - The node I really want is GetLocal. I'm just getting the value of the local and I don't
2621           want to do anything else.
2622         
2623         - Maybe it would be easier if we just used GetLocal for all of the cases where we currently
2624           use GetArgument.
2625         
2626         This changes the FTL to do argument speculations in the prologue just like the DFG does.
2627         This brings some consistency to our system, and allows us to get rid of the GetArgument
2628         node. The speculations that the FTL must do are now made explicit in the m_argumentFormats
2629         vector in DFG::Graph. This has natural DCE behavior: even if all uses of the argument are
2630         dead we will still speculate. We already have safeguards to ensure we only speculate if
2631         there are uses that benefit from speculation (which is a much more conservative criterion
2632         than DCE).
2633         
2634         * dfg/DFGAbstractInterpreterInlines.h:
2635         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2636         * dfg/DFGClobberize.h:
2637         (JSC::DFG::clobberize):
2638         * dfg/DFGDCEPhase.cpp:
2639         (JSC::DFG::DCEPhase::run):
2640         * dfg/DFGDoesGC.cpp:
2641         (JSC::DFG::doesGC):
2642         * dfg/DFGFixupPhase.cpp:
2643         (JSC::DFG::FixupPhase::fixupNode):
2644         * dfg/DFGFlushFormat.h:
2645         (JSC::DFG::typeFilterFor):
2646         * dfg/DFGGraph.cpp:
2647         (JSC::DFG::Graph::dump):
2648         * dfg/DFGGraph.h:
2649         (JSC::DFG::Graph::valueProfileFor):
2650         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2651         * dfg/DFGInPlaceAbstractState.cpp:
2652         (JSC::DFG::InPlaceAbstractState::initialize):
2653         * dfg/DFGNode.cpp:
2654         (JSC::DFG::Node::hasVariableAccessData):
2655         * dfg/DFGNodeType.h:
2656         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2657         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
2658         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
2659         * dfg/DFGPredictionPropagationPhase.cpp:
2660         (JSC::DFG::PredictionPropagationPhase::propagate):
2661         * dfg/DFGPutLocalSinkingPhase.cpp:
2662         * dfg/DFGSSAConversionPhase.cpp:
2663         (JSC::DFG::SSAConversionPhase::run):
2664         * dfg/DFGSafeToExecute.h:
2665         (JSC::DFG::safeToExecute):
2666         * dfg/DFGSpeculativeJIT32_64.cpp:
2667         (JSC::DFG::SpeculativeJIT::compile):
2668         * dfg/DFGSpeculativeJIT64.cpp:
2669         (JSC::DFG::SpeculativeJIT::compile):
2670         * ftl/FTLCapabilities.cpp:
2671         (JSC::FTL::canCompile):
2672         * ftl/FTLLowerDFGToLLVM.cpp:
2673         (JSC::FTL::LowerDFGToLLVM::lower):
2674         (JSC::FTL::LowerDFGToLLVM::compileNode):
2675         (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
2676         (JSC::FTL::LowerDFGToLLVM::compileGetArgument): Deleted.
2677         * tests/stress/dead-speculating-argument-use.js: Added.
2678         (foo):
2679         (o.valueOf):
2680
2681 2015-02-15  Filip Pizlo  <fpizlo@apple.com>
2682
2683         Rare case profiling should actually work
2684         https://bugs.webkit.org/show_bug.cgi?id=141632
2685
2686         Reviewed by Michael Saboff.
2687         
2688         This simple adjustment appears to be a 2% speed-up on Octane. Over time, the slow case
2689         heuristic has essentially stopped working because the typical execution count threshold for a
2690         bytecode instruction is around 66 while the slow case threshold is 100: virtually
2691         guaranteeing that the DFG will never think that a bytecode instruction has taken the slow
2692         case even if it took it every single time. So, this changes the slow case threshold to 20.
2693         
2694         I checked if we could lower this down further, like to 10. That is worse than 20, and about
2695         as bad as 100.
2696
2697         * runtime/Options.h:
2698
2699 2015-02-15  Brian J. Burg  <burg@cs.washington.edu>
2700
2701         Web Inspector: remove unused XHR replay code
2702         https://bugs.webkit.org/show_bug.cgi?id=141622
2703
2704         Reviewed by Timothy Hatcher.
2705
2706         * inspector/protocol/Network.json: remove XHR replay methods.
2707
2708 2015-02-15  David Kilzer  <ddkilzer@apple.com>
2709
2710         REGRESSION (r180082): WebCore Debug builds fail on Mavericks due to weak export symbols
2711         <http://webkit.org/b/141607>
2712
2713         More work towards fixing the Mavericks Debug build.
2714
2715         * inspector/ScriptDebugServer.h:
2716         (Inspector::ScriptDebugServer::Task):
2717         * inspector/agents/InspectorDebuggerAgent.h:
2718         (Inspector::InspectorDebuggerAgent::Listener):
2719         - Remove subclass exports. They did not help.
2720
2721         * runtime/JSCJSValue.h:
2722         (JSC::JSValue::toFloat): Do not mark inline method for export.
2723
2724 2015-02-09  Brian J. Burg  <burg@cs.washington.edu>
2725
2726         Web Inspector: remove some unnecessary Inspector prefixes from class names in Inspector namespace
2727         https://bugs.webkit.org/show_bug.cgi?id=141372
2728
2729         Reviewed by Joseph Pecoraro.
2730
2731         * inspector/ConsoleMessage.cpp:
2732         (Inspector::ConsoleMessage::addToFrontend):
2733         (Inspector::ConsoleMessage::updateRepeatCountInConsole):
2734         * inspector/ConsoleMessage.h:
2735         * inspector/InspectorAgentBase.h:
2736         * inspector/InspectorAgentRegistry.cpp:
2737         (Inspector::AgentRegistry::AgentRegistry):
2738         (Inspector::AgentRegistry::append):
2739         (Inspector::AgentRegistry::appendExtraAgent):
2740         (Inspector::AgentRegistry::didCreateFrontendAndBackend):
2741         (Inspector::AgentRegistry::willDestroyFrontendAndBackend):
2742         (Inspector::AgentRegistry::discardAgents):
2743         (Inspector::InspectorAgentRegistry::InspectorAgentRegistry): Deleted.
2744         (Inspector::InspectorAgentRegistry::append): Deleted.
2745         (Inspector::InspectorAgentRegistry::appendExtraAgent): Deleted.
2746         (Inspector::InspectorAgentRegistry::didCreateFrontendAndBackend): Deleted.
2747         (Inspector::InspectorAgentRegistry::willDestroyFrontendAndBackend): Deleted.
2748         (Inspector::InspectorAgentRegistry::discardAgents): Deleted.
2749         * inspector/InspectorAgentRegistry.h:
2750         * inspector/InspectorBackendDispatcher.cpp:
2751         (Inspector::BackendDispatcher::CallbackBase::CallbackBase):
2752         (Inspector::BackendDispatcher::CallbackBase::isActive):
2753         (Inspector::BackendDispatcher::CallbackBase::sendFailure):
2754         (Inspector::BackendDispatcher::CallbackBase::sendIfActive):
2755         (Inspector::BackendDispatcher::create):
2756         (Inspector::BackendDispatcher::registerDispatcherForDomain):
2757         (Inspector::BackendDispatcher::dispatch):
2758         (Inspector::BackendDispatcher::sendResponse):
2759         (Inspector::BackendDispatcher::reportProtocolError):
2760         (Inspector::BackendDispatcher::getInteger):
2761         (Inspector::BackendDispatcher::getDouble):
2762         (Inspector::BackendDispatcher::getString):
2763         (Inspector::BackendDispatcher::getBoolean):
2764         (Inspector::BackendDispatcher::getObject):
2765         (Inspector::BackendDispatcher::getArray):
2766         (Inspector::BackendDispatcher::getValue):
2767         (Inspector::InspectorBackendDispatcher::CallbackBase::CallbackBase): Deleted.
2768         (Inspector::InspectorBackendDispatcher::CallbackBase::isActive): Deleted.
2769         (Inspector::InspectorBackendDispatcher::CallbackBase::sendFailure): Deleted.
2770         (Inspector::InspectorBackendDispatcher::CallbackBase::sendIfActive): Deleted.
2771         (Inspector::InspectorBackendDispatcher::create): Deleted.
2772         (Inspector::InspectorBackendDispatcher::registerDispatcherForDomain): Deleted.
2773         (Inspector::InspectorBackendDispatcher::dispatch): Deleted.
2774         (Inspector::InspectorBackendDispatcher::sendResponse): Deleted.
2775         (Inspector::InspectorBackendDispatcher::reportProtocolError): Deleted.
2776         (Inspector::InspectorBackendDispatcher::getInteger): Deleted.
2777         (Inspector::InspectorBackendDispatcher::getDouble): Deleted.
2778         (Inspector::InspectorBackendDispatcher::getString): Deleted.
2779         (Inspector::InspectorBackendDispatcher::getBoolean): Deleted.
2780         (Inspector::InspectorBackendDispatcher::getObject): Deleted.
2781         (Inspector::InspectorBackendDispatcher::getArray): Deleted.
2782         (Inspector::InspectorBackendDispatcher::getValue): Deleted.
2783         * inspector/InspectorBackendDispatcher.h:
2784         (Inspector::SupplementalBackendDispatcher::SupplementalBackendDispatcher):
2785         (Inspector::SupplementalBackendDispatcher::~SupplementalBackendDispatcher):
2786         (Inspector::InspectorSupplementalBackendDispatcher::InspectorSupplementalBackendDispatcher): Deleted.
2787         (Inspector::InspectorSupplementalBackendDispatcher::~InspectorSupplementalBackendDispatcher): Deleted.
2788         * inspector/InspectorFrontendChannel.h:
2789         (Inspector::FrontendChannel::~FrontendChannel):
2790         (Inspector::InspectorFrontendChannel::~InspectorFrontendChannel): Deleted.
2791         * inspector/JSGlobalObjectInspectorController.cpp:
2792         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2793         (Inspector::JSGlobalObjectInspectorController::globalObjectDestroyed):
2794         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
2795         (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
2796         (Inspector::JSGlobalObjectInspectorController::dispatchMessageFromFrontend):
2797         (Inspector::JSGlobalObjectInspectorController::appendExtraAgent):
2798         * inspector/JSGlobalObjectInspectorController.h:
2799         * inspector/agents/InspectorAgent.cpp:
2800         (Inspector::InspectorAgent::didCreateFrontendAndBackend):
2801         (Inspector::InspectorAgent::willDestroyFrontendAndBackend):
2802         * inspector/agents/InspectorAgent.h:
2803         * inspector/agents/InspectorConsoleAgent.cpp:
2804         (Inspector::InspectorConsoleAgent::didCreateFrontendAndBackend):
2805         (Inspector::InspectorConsoleAgent::willDestroyFrontendAndBackend):
2806         * inspector/agents/InspectorConsoleAgent.h:
2807         * inspector/agents/InspectorDebuggerAgent.cpp:
2808         (Inspector::InspectorDebuggerAgent::didCreateFrontendAndBackend):
2809         (Inspector::InspectorDebuggerAgent::willDestroyFrontendAndBackend):
2810         (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
2811         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
2812         (Inspector::InspectorDebuggerAgent::pause):
2813         (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP):
2814         (Inspector::InspectorDebuggerAgent::didPause):
2815         (Inspector::InspectorDebuggerAgent::breakProgram):
2816         (Inspector::InspectorDebuggerAgent::clearBreakDetails):
2817         * inspector/agents/InspectorDebuggerAgent.h:
2818         * inspector/agents/InspectorRuntimeAgent.cpp:
2819         (Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend):
2820         * inspector/agents/InspectorRuntimeAgent.h:
2821         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
2822         (Inspector::JSGlobalObjectRuntimeAgent::didCreateFrontendAndBackend):
2823         (Inspector::JSGlobalObjectRuntimeAgent::willDestroyFrontendAndBackend):
2824         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
2825         * inspector/augmentable/AlternateDispatchableAgent.h:
2826         * inspector/augmentable/AugmentableInspectorController.h:
2827         * inspector/remote/RemoteInspectorDebuggable.h:
2828         * inspector/remote/RemoteInspectorDebuggableConnection.h:
2829         * inspector/scripts/codegen/cpp_generator.py:
2830         (CppGenerator.cpp_type_for_formal_out_parameter):
2831         (CppGenerator.cpp_type_for_stack_out_parameter):
2832         * inspector/scripts/codegen/cpp_generator_templates.py:
2833         (AlternateBackendDispatcher):
2834         (Alternate):
2835         (void):
2836         (AlternateInspectorBackendDispatcher): Deleted.
2837         (AlternateInspector): Deleted.
2838         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
2839         (CppBackendDispatcherHeaderGenerator._generate_alternate_handler_forward_declarations_for_domains.Alternate):
2840         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
2841         (CppBackendDispatcherHeaderGenerator._generate_alternate_handler_forward_declarations_for_domains.AlternateInspector): Deleted.
2842         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2843         (CppBackendDispatcherImplementationGenerator._generate_handler_class_destructor_for_domain):
2844         (CppBackendDispatcherImplementationGenerator._generate_large_dispatcher_switch_implementation_for_domain):
2845         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
2846         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
2847         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
2848         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
2849         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
2850         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2851         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2852         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2853         * inspector/scripts/tests/expected/enum-values.json-result:
2854         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2855         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2856         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
2857         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
2858         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
2859         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2860         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
2861         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2862         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2863         * runtime/JSGlobalObjectDebuggable.cpp:
2864         (JSC::JSGlobalObjectDebuggable::connect):
2865         (JSC::JSGlobalObjectDebuggable::disconnect):
2866         * runtime/JSGlobalObjectDebuggable.h:
2867
2868 2015-02-14  David Kilzer  <ddkilzer@apple.com>
2869
2870         REGRESSION (r180082): WebCore Debug builds fail on Mavericks due to weak export symbols
2871         <http://webkit.org/b/141607>
2872
2873         Work towards fixing the Mavericks Debug build.
2874
2875         * inspector/ScriptDebugServer.h:
2876         (Inspector::ScriptDebugServer::Task): Export class.
2877         * inspector/agents/InspectorDebuggerAgent.h:
2878         (Inspector::InspectorDebuggerAgent::Listener): Export class.
2879         * runtime/JSGlobalObject.h:
2880         (JSC::JSGlobalObject::setConsoleClient): Do not mark inline
2881         method for export.
2882
2883 2015-02-14  Joseph Pecoraro  <pecoraro@apple.com>
2884
2885         Web Inspector: Symbol RemoteObject should not send sub-type
2886         https://bugs.webkit.org/show_bug.cgi?id=141604
2887
2888         Reviewed by Brian Burg.
2889
2890         * inspector/InjectedScriptSource.js:
2891
2892 2015-02-13  Benjamin Poulain  <bpoulain@apple.com>
2893
2894         Attempt to fix 32bits build after r180098
2895
2896         * jit/JITOperations.cpp:
2897         * jit/JITOperations.h:
2898         I copied the attribute from the MathObject version of that function when I moved
2899         it over. DFG has no version of a function call taking those attributes.
2900
2901 2015-02-13  Joseph Pecoraro  <pecoraro@apple.com>
2902
2903         JSContext Inspector: Do not stash console messages for non-debuggable JSContext
2904         https://bugs.webkit.org/show_bug.cgi?id=141589
2905
2906         Reviewed by Timothy Hatcher.
2907
2908         Consider developer extras disabled for JSContext inspection if the
2909         RemoteInspector server is not enabled (typically a non-debuggable
2910         process rejected by webinspectord) or if remote debugging on the
2911         JSContext was explicitly disabled via SPI.
2912
2913         When developer extras are disabled, console messages will not be stashed.
2914
2915         * inspector/JSGlobalObjectInspectorController.cpp:
2916         (Inspector::JSGlobalObjectInspectorController::developerExtrasEnabled):
2917         * inspector/JSGlobalObjectInspectorController.h:
2918
2919 2015-02-13  Benjamin Poulain  <bpoulain@apple.com>
2920
2921         Add a DFG node for the Pow Intrinsics
2922         https://bugs.webkit.org/show_bug.cgi?id=141540
2923
2924         Reviewed by Filip Pizlo.
2925
2926         Add a DFG Node for PowIntrinsic. This patch covers the basic cases
2927         needed to avoid massive regression. I will iterate over the node to cover
2928         the missing types.
2929
2930         With this patch I get the following progressions on benchmarks:
2931         -LongSpider's math-partial-sums: +5%.
2932         -Kraken's imaging-darkroom: +17%
2933         -AsmBench's cray.c: +6.6%
2934         -CompressionBench: +2.2% globally.
2935
2936         * dfg/DFGAbstractInterpreterInlines.h:
2937         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2938         Cover a couple of trivial cases:
2939         -If the exponent is zero, the result is always one, regardless of the base.
2940         -If both arguments are constants, compute the result at compile time.
2941
2942         * dfg/DFGByteCodeParser.cpp:
2943         (JSC::DFG::ByteCodeParser::handleIntrinsic):
2944         * dfg/DFGClobberize.h:
2945         (JSC::DFG::clobberize):
2946         * dfg/DFGDoesGC.cpp:
2947         (JSC::DFG::doesGC):
2948
2949         * dfg/DFGFixupPhase.cpp:
2950         (JSC::DFG::FixupPhase::fixupNode):
2951         We only support 2 basic cases at this time:
2952         -Math.pow(double, int)
2953         -Math.pow(double, double).
2954
2955         I'll cover Math.pow(int, int) in a follow up.
2956
2957         * dfg/DFGNode.h:
2958         (JSC::DFG::Node::convertToArithSqrt):
2959         (JSC::DFG::Node::arithNodeFlags):
2960         * dfg/DFGNodeType.h:
2961         * dfg/DFGPredictionPropagationPhase.cpp:
2962         (JSC::DFG::PredictionPropagationPhase::propagate):
2963         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
2964         * dfg/DFGSafeToExecute.h:
2965         (JSC::DFG::safeToExecute):
2966         * dfg/DFGSpeculativeJIT.cpp:
2967         (JSC::DFG::compileArithPowIntegerFastPath):
2968         (JSC::DFG::SpeculativeJIT::compileArithPow):
2969         * dfg/DFGSpeculativeJIT.h:
2970         * dfg/DFGSpeculativeJIT32_64.cpp:
2971         (JSC::DFG::SpeculativeJIT::compile):
2972         * dfg/DFGSpeculativeJIT64.cpp:
2973         (JSC::DFG::SpeculativeJIT::compile):
2974         * dfg/DFGStrengthReductionPhase.cpp:
2975         (JSC::DFG::StrengthReductionPhase::handleNode):
2976         * dfg/DFGValidate.cpp:
2977         (JSC::DFG::Validate::validate):
2978         * ftl/FTLCapabilities.cpp:
2979         (JSC::FTL::canCompile):
2980         * ftl/FTLIntrinsicRepository.h:
2981         * ftl/FTLLowerDFGToLLVM.cpp:
2982         (JSC::FTL::LowerDFGToLLVM::compileNode):
2983         (JSC::FTL::LowerDFGToLLVM::compileArithPow):
2984         * ftl/FTLOutput.h:
2985         (JSC::FTL::Output::doublePow):
2986         (JSC::FTL::Output::doublePowi):
2987         * jit/JITOperations.cpp:
2988         * jit/JITOperations.h:
2989         * runtime/MathObject.cpp:
2990         (JSC::mathProtoFuncPow):
2991         (JSC::isDenormal): Deleted.
2992         (JSC::isEdgeCase): Deleted.
2993         (JSC::mathPow): Deleted.
2994
2995         * tests/stress/math-pow-basics.js: Added.
2996         * tests/stress/math-pow-integer-exponent-fastpath.js: Added.
2997         * tests/stress/math-pow-nan-behaviors.js: Added.
2998         * tests/stress/math-pow-with-constants.js: Added.
2999         Start some basic testing of Math.pow().
3000         Due to the various transforms, the values change when the code tiers up;
3001         I covered this by checking for approximate values.
3002
3003 2015-02-13  Benjamin Poulain  <bpoulain@apple.com>
3004
3005         ArithSqrt should not be conditional on supportsFloatingPointSqrt
3006         https://bugs.webkit.org/show_bug.cgi?id=141546
3007
3008         Reviewed by Geoffrey Garen and Filip Pizlo.
3009
3010         Just fall back to the function call in the DFG codegen.
3011
3012         * dfg/DFGByteCodeParser.cpp:
3013         (JSC::DFG::ByteCodeParser::handleIntrinsic):
3014         * dfg/DFGSpeculativeJIT.cpp:
3015         (JSC::DFG::SpeculativeJIT::compileArithSqrt):
3016         * dfg/DFGSpeculativeJIT.h:
3017         * dfg/DFGSpeculativeJIT32_64.cpp:
3018         (JSC::DFG::SpeculativeJIT::compile):
3019         * dfg/DFGSpeculativeJIT64.cpp:
3020         (JSC::DFG::SpeculativeJIT::compile):
3021         * tests/stress/math-sqrt-basics.js: Added.
3022         Basic coverage.
3023
3024         * tests/stress/math-sqrt-basics-disable-architecture-specific-optimizations.js: Added.
3025         Same tests but forcing the function call.
3026
3027 2015-02-13  Michael Saboff  <msaboff@apple.com>
3028
3029         REGRESSION(r180060) New js/regress-141098 test crashes when LLInt is disabled.
3030         https://bugs.webkit.org/show_bug.cgi?id=141577
3031
3032         Reviewed by Benjamin Poulain.
3033
3034         Changed the prologue of the baseline JIT to check for stack space for all
3035         types of code blocks.  Previously, it was only checking Function.  Now
3036         it checks Program and Eval as well.
3037
3038         * jit/JIT.cpp:
3039         (JSC::JIT::privateCompile):
3040
3041 2015-02-13  Benjamin Poulain  <bpoulain@apple.com>
3042
3043         Generate incq instead of addq when the immediate value is one
3044         https://bugs.webkit.org/show_bug.cgi?id=141548
3045
3046         Reviewed by Gavin Barraclough.
3047
3048         JSC emits "addq #1 (rXX)" *a lot*.
3049         This patch replaces that with incq, which is one byte shorter
3050         and is the advised form.
3051
3052         Sunspider: +0.47%
3053         Octane: +0.28%
3054         Kraken: +0.44%
3055         AsmBench, CompressionBench: neutral.
3056
3057         * assembler/MacroAssemblerX86_64.h:
3058         (JSC::MacroAssemblerX86_64::add64):
3059         * assembler/X86Assembler.h:
3060         (JSC::X86Assembler::incq_m):
3061
3062 2015-02-13  Benjamin Poulain  <benjamin@webkit.org>
3063
3064         Little clean up of Bytecode Generator's Label
3065         https://bugs.webkit.org/show_bug.cgi?id=141557
3066
3067         Reviewed by Michael Saboff.
3068
3069         * bytecompiler/BytecodeGenerator.h:
3070         * bytecompiler/BytecodeGenerator.cpp:
3071         Label was a friend of BytecodeGenerator in order to access
3072         m_instructions. There is no need for that, BytecodeGenerator
3073         has a public getter.
3074
3075         * bytecompiler/Label.h:
3076         (JSC::Label::Label):
3077         (JSC::Label::setLocation):
3078         (JSC::BytecodeGenerator::newLabel):
3079         Make it explicit that the generator must exist.
3080
3081 2015-02-13  Michael Saboff  <msaboff@apple.com>
3082
3083         Google doc spreadsheet reproducibly crashes when sorting
3084         https://bugs.webkit.org/show_bug.cgi?id=141098
3085
3086         Reviewed by Oliver Hunt.
3087
3088         Moved the stack check to before the callee registers are allocated in the
3089         prologue() by moving it from the functionInitialization() macro.  This
3090         way we can check the stack before moving the stack pointer, avoiding a
3091         crash during a "call" instruction.  Before this change, we weren't even
3092         checking the stack for program and eval execution.
3093
3094         Made a couple of supporting changes.
3095
3096         * llint/LLIntSlowPaths.cpp:
3097         (JSC::LLInt::llint_stack_check): We can't just go up one frame as we
3098         may be processing an exception to an entry frame.
3099
3100         * llint/LowLevelInterpreter.asm:
3101
3102         * llint/LowLevelInterpreter32_64.asm:
3103         * llint/LowLevelInterpreter64.asm:
3104         (llint_throw_from_slow_path_trampoline): Changed method to get the vm
3105         from the code block to not use the codeBlock, since we may need to
3106         continue from an exception in a native function.
3107
3108 2015-02-12  Benjamin Poulain  <benjamin@webkit.org>
3109
3110         Simplify the initialization of BytecodeGenerator a bit
3111         https://bugs.webkit.org/show_bug.cgi?id=141505
3112
3113         Reviewed by Anders Carlsson.
3114
3115         * bytecompiler/BytecodeGenerator.cpp:
3116         (JSC::BytecodeGenerator::BytecodeGenerator):
3117         * bytecompiler/BytecodeGenerator.h:
3118         Set up the default initialization at the declaration level
3119         instead of the constructor.
3120
3121         Also made m_scopeNode and m_codeType const to make it explicit
3122         that they are invariant after construction.
3123
3124         * parser/Nodes.cpp:
3125         * runtime/Executable.cpp:
3126         Remove 2 useless #includes.
3127
3128 2015-02-12  Benjamin Poulain  <benjamin@webkit.org>
3129
3130         Move the generators for GetScope and SkipScope to the common core in DFGSpeculativeJIT
3131         https://bugs.webkit.org/show_bug.cgi?id=141506
3132
3133         Reviewed by Michael Saboff.
3134
3135         The generators for the nodes GetScope and SkipScope were
3136         completely identical between 32 and 64 bits.
3137
3138         This patch moves the duplicated code to DFGSpeculativeJIT.
3139
3140         * dfg/DFGSpeculativeJIT.cpp:
3141         (JSC::DFG::SpeculativeJIT::compileGetScope):
3142         (JSC::DFG::SpeculativeJIT::compileSkipScope):
3143         * dfg/DFGSpeculativeJIT.h:
3144         * dfg/DFGSpeculativeJIT32_64.cpp:
3145         (JSC::DFG::SpeculativeJIT::compile):
3146         * dfg/DFGSpeculativeJIT64.cpp:
3147         (JSC::DFG::SpeculativeJIT::compile):
3148
3149 2015-02-11  Brent Fulgham  <bfulgham@apple.com>
3150
3151         [Win] [64-bit] Work around MSVC2013 Runtime Bug
3152         https://bugs.webkit.org/show_bug.cgi?id=141498
3153         <rdar://problem/19803642>
3154
3155         Reviewed by Anders Carlsson.
3156
3157         Disable FMA3 instruction use in the MSVC math library to
3158         work around a VS2013 runtime crash. We can remove this
3159         workaround when we switch to VS2015.
3160
3161         * API/tests/testapi.c: Call _set_FMA3_enable(0) to disable
3162         FMA3 support.
3163         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add new files.
3164         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
3165         * JavaScriptCore.vcxproj/JavaScriptCoreDLL.cpp: Added.
3166         * JavaScriptCore.vcxproj/jsc/DLLLauncherMain.cpp: Call _set_FMA3_enable(0)
3167         to disable FMA3 support.
3168         * jsc.cpp: Ditto.
3169         * testRegExp.cpp: Ditto.
3170
3171 2015-02-11  Filip Pizlo  <fpizlo@apple.com>
3172
3173         The callee frame helpers in DFG::SpeculativeJIT should be available to other JITs
3174         https://bugs.webkit.org/show_bug.cgi?id=141493
3175
3176         Reviewed by Michael Saboff.
3177
3178         * dfg/DFGSpeculativeJIT.h:
3179         (JSC::DFG::SpeculativeJIT::calleeFrameSlot): Deleted.
3180         (JSC::DFG::SpeculativeJIT::calleeArgumentSlot): Deleted.
3181         (JSC::DFG::SpeculativeJIT::calleeFrameTagSlot): Deleted.
3182         (JSC::DFG::SpeculativeJIT::calleeFramePayloadSlot): Deleted.
3183         (JSC::DFG::SpeculativeJIT::calleeArgumentTagSlot): Deleted.
3184         (JSC::DFG::SpeculativeJIT::calleeArgumentPayloadSlot): Deleted.
3185         (JSC::DFG::SpeculativeJIT::calleeFrameCallerFrame): Deleted.
3186         * dfg/DFGSpeculativeJIT32_64.cpp:
3187         (JSC::DFG::SpeculativeJIT::emitCall):
3188         * dfg/DFGSpeculativeJIT64.cpp:
3189         (JSC::DFG::SpeculativeJIT::emitCall):
3190         * jit/AssemblyHelpers.h:
3191         (JSC::AssemblyHelpers::calleeFrameSlot):
3192         (JSC::AssemblyHelpers::calleeArgumentSlot):
3193         (JSC::AssemblyHelpers::calleeFrameTagSlot):
3194         (JSC::AssemblyHelpers::calleeFramePayloadSlot):
3195         (JSC::AssemblyHelpers::calleeArgumentTagSlot):
3196         (JSC::AssemblyHelpers::calleeArgumentPayloadSlot):
3197         (JSC::AssemblyHelpers::calleeFrameCallerFrame):
3198
3199 2015-02-11  Filip Pizlo  <fpizlo@apple.com>
3200
3201         SetupVarargsFrame should not assume that an inline stack frame would have identical layout to a normal stack frame
3202         https://bugs.webkit.org/show_bug.cgi?id=141485
3203
3204         Reviewed by Oliver Hunt.
3205         
3206         The inlineStackOffset argument was meant to make it easy for the DFG to use this helper for
3207         vararg calls from inlined code, but that doesn't work since the DFG inline call frame
3208         doesn't actually put the argument count at the JSStack::ArgumentCount offset. In fact there
3209         is really no such thing as an inlineStackOffset except when we OSR exit; while the code is
3210         running the stack layout is compacted so that the stackOffset is not meaningful.
3211
3212         * jit/JITCall.cpp:
3213         (JSC::JIT::compileSetupVarargsFrame):
3214         * jit/JITCall32_64.cpp:
3215         (JSC::JIT::compileSetupVarargsFrame):
3216         * jit/SetupVarargsFrame.cpp:
3217         (JSC::emitSetupVarargsFrameFastCase):
3218         * jit/SetupVarargsFrame.h:
3219
3220 2015-02-10  Filip Pizlo  <fpizlo@apple.com>
3221
3222         Split FTL::JSCall into the part that knows about call inline caching and the part that interacts with LLVM patchpoints
3223         https://bugs.webkit.org/show_bug.cgi?id=141455
3224
3225         Reviewed by Mark Lam.
3226         
3227         The newly introduced FTL::JSCallBase can be used to build other things, like the FTL portion
3228         of https://bugs.webkit.org/show_bug.cgi?id=141332.
3229
3230         * CMakeLists.txt:
3231         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3232         * JavaScriptCore.xcodeproj/project.pbxproj:
3233         * bytecode/CallLinkInfo.h:
3234         (JSC::CallLinkInfo::specializationKindFor):
3235         (JSC::CallLinkInfo::specializationKind):
3236         * ftl/FTLJSCall.cpp:
3237         (JSC::FTL::JSCall::JSCall):
3238         (JSC::FTL::JSCall::emit): Deleted.
3239         (JSC::FTL::JSCall::link): Deleted.
3240         * ftl/FTLJSCall.h:
3241         * ftl/FTLJSCallBase.cpp: Added.
3242         (JSC::FTL::JSCallBase::JSCallBase):
3243         (JSC::FTL::JSCallBase::emit):
3244         (JSC::FTL::JSCallBase::link):
3245         * ftl/FTLJSCallBase.h: Added.
3246
3247 2015-02-10  Filip Pizlo  <fpizlo@apple.com>
3248
3249         Unreviewed, fix build.
3250
3251         * jit/CCallHelpers.h:
3252         (JSC::CCallHelpers::setupArgumentsWithExecState):
3253
3254 2015-02-10  Filip Pizlo  <fpizlo@apple.com>
3255
3256         op_call_varargs should only load the length once
3257         https://bugs.webkit.org/show_bug.cgi?id=141440
3258         rdar://problem/19761683
3259
3260         Reviewed by Michael Saboff.
3261         
3262         Refactors the pair of calls that set up the varargs frame so that the first call returns the
3263         length, and the second call uses the length returned by the first one. It turns out that this
3264         gave me an opportunity to shorten a lot of the code.
3265
3266         * interpreter/Interpreter.cpp:
3267         (JSC::sizeFrameForVarargs):
3268         (JSC::loadVarargs):
3269         (JSC::setupVarargsFrame):
3270         (JSC::setupVarargsFrameAndSetThis):
3271         * interpreter/Interpreter.h:
3272         (JSC::calleeFrameForVarargs):
3273         * jit/CCallHelpers.h:
3274         (JSC::CCallHelpers::setupArgumentsWithExecState):
3275         * jit/JIT.h:
3276         * jit/JITCall.cpp:
3277         (JSC::JIT::compileSetupVarargsFrame):
3278         * jit/JITCall32_64.cpp:
3279         (JSC::JIT::compileSetupVarargsFrame):
3280         * jit/JITInlines.h:
3281         (JSC::JIT::callOperation):
3282         * jit/JITOperations.cpp:
3283         * jit/JITOperations.h:
3284         * jit/SetupVarargsFrame.cpp:
3285         (JSC::emitSetVarargsFrame):
3286         (JSC::emitSetupVarargsFrameFastCase):
3287         * jit/SetupVarargsFrame.h:
3288         * llint/LLIntSlowPaths.cpp:
3289         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3290         * runtime/Arguments.cpp:
3291         (JSC::Arguments::copyToArguments):
3292         * runtime/Arguments.h:
3293         * runtime/JSArray.cpp:
3294         (JSC::JSArray::copyToArguments):
3295         * runtime/JSArray.h:
3296         * runtime/VM.h:
3297         * tests/stress/call-varargs-length-effects.js: Added.
3298         (foo):
3299         (bar):
3300
3301 2015-02-10  Michael Saboff  <msaboff@apple.com>
3302
3303         Crash in JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq
3304         https://bugs.webkit.org/show_bug.cgi?id=139398
3305
3306         Reviewed by Filip Pizlo.
3307
3308         Due to CFA analysis, the CompareStrictEq node was determined to be unreachable, but later
3309         was determined to be reachable.  When we go to lower to LLVM, the edges for the CompareStrictEq
3310         node are UntypedUse which we can't compile.  Fixed this by checking that the IR before
3311         lowering can still be handled by the FTL.
3312
3313         Had to add GetArgument as a node that the FTL can compile as the SSA conversion phase converts
3314         a SetArgument to a GetArgument.  Before this change FTL::canCompile() would never see a GetArgument
3315         node.  With the check right before lowering, we see this node.
3316
3317         * dfg/DFGPlan.cpp:
3318         (JSC::DFG::Plan::compileInThreadImpl): Added a final FTL::canCompile() check before lowering
3319         to verify that after all the transformations we still have valid IR for the FTL.
3320         * ftl/FTLCapabilities.cpp:
3321         (JSC::FTL::canCompile): Added GetArgument as a node the FTL can compile.
3322
3323 2015-02-10  Filip Pizlo  <fpizlo@apple.com>
3324
3325         Remove unused DFG::SpeculativeJIT::calleeFrameOffset().
3326
3327         Rubber stamped by Michael Saboff.
3328         
3329         Not only was this not used, I believe that the math was wrong. The callee frame doesn't
3330         actually land past m_nextMachineLocal; instead it lands just below wherever we put SP and
3331         that decision is made elsewhere. Also, it makes no sense to subtract 1 from
3332         m_nextMachineLocal when trying to deduce the number of in-use stack slots.
3333
3334         * dfg/DFGSpeculativeJIT.h:
3335         (JSC::DFG::SpeculativeJIT::calleeFrameOffset): Deleted.
3336
3337 2015-02-10  Saam Barati  <saambarati1@gmail.com>
3338
3339         Parser::parseVarDeclarationList gets the wrong JSToken for the last identifier
3340         https://bugs.webkit.org/show_bug.cgi?id=141272
3341
3342         Reviewed by Oliver Hunt.
3343
3344         This patch fixes a bug where the wrong text location would be 
3345         assigned to a variable declaration inside a ForIn/ForOf loop. 
3346         It also fixes a bug in the type profiler where the type profiler 
3347         emits the wrong text offset for a ForIn loop's variable declarator 
3348         when it's not a pattern node.
3349
3350         * bytecompiler/NodesCodegen.cpp:
3351         (JSC::ForInNode::emitLoopHeader):
3352         * parser/Parser.cpp:
3353         (JSC::Parser<LexerType>::parseVarDeclarationList):
3354         * tests/typeProfiler/loop.js:
3355         (testForIn):
3356    &nbs