WebKit.git: Source/JavaScriptCore/ChangeLog (commit 43b97c9f9b0b538652576fedfd3080ae995e621c)
2014-02-19  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix comment.

        * ftl/FTLWeight.h:
        (JSC::FTL::Weight::scaleToTotal):

2014-02-19  Anders Carlsson  <andersca@apple.com>

        Add WTF_MAKE_FAST_ALLOCATED to more classes
        https://bugs.webkit.org/show_bug.cgi?id=129064

        Reviewed by Andreas Kling.

        * dfg/DFGSpeculativeJIT.h:
        * heap/CopyWorkList.h:
        * heap/Region.h:
        * runtime/Arguments.h:
        * runtime/SymbolTable.h:
        * runtime/WriteBarrier.h:

2014-02-19  Michael Saboff  <msaboff@apple.com>

        Unreviewed build fix after r164374

        * llint/LLIntOfflineAsmConfig.h: Added #define OFFLINE_ASM_X86_WIN 0
        for ENABLE(LLINT_C_LOOP).

2014-02-19  Filip Pizlo  <fpizlo@apple.com>

        FTL should be able to convey branch weights to LLVM
        https://bugs.webkit.org/show_bug.cgi?id=129054

        Reviewed by Michael Saboff.

        This introduces a really nice way to convey branch weights to LLVM. The basic class
        is Weight, which just wraps a float; NaN is used when you are not sure. You can
        pass this alongside a LBasicBlock to branching instructions like condbr and switch.
        But for simplicity, you can just pass a WeightedTarget, which is a tuple of the
        two. And for even greater simplicity, you can create WeightedTargets from
        LBasicBlocks by doing:

            usually(b)   => WeightedTarget(b, Weight(1))
            rarely(b)    => WeightedTarget(b, Weight(0))
            unsure(b)    => WeightedTarget(b, Weight()) or WeightedTarget(b, Weight(NaN))

        This allows for constructs like:

            m_out.branch(isCell(value), usually(isCellCase), rarely(slowCase));

        This was intended to be perf-neutral for now, but it did end up creating a ~1%
        speed-up on V8v7 and Octane2.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * ftl/FTLAbbreviations.h:
        (JSC::FTL::mdNode):
        * ftl/FTLCommonValues.cpp:
        (JSC::FTL::CommonValues::CommonValues):
        * ftl/FTLCommonValues.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
        (JSC::FTL::LowerDFGToLLVM::compileStoreBarrierWithNullCheck):
        (JSC::FTL::LowerDFGToLLVM::compileToThis):
        (JSC::FTL::LowerDFGToLLVM::compileArithMul):
        (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
        (JSC::FTL::LowerDFGToLLVM::compileArithMod):
        (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
        (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
        (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
        (JSC::FTL::LowerDFGToLLVM::compileGetById):
        (JSC::FTL::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
        (JSC::FTL::LowerDFGToLLVM::compileGetTypedArrayByteOffset):
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
        (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
        (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
        (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
        (JSC::FTL::LowerDFGToLLVM::compileToString):
        (JSC::FTL::LowerDFGToLLVM::compileToPrimitive):
        (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
        (JSC::FTL::LowerDFGToLLVM::compileStringCharCodeAt):
        (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
        (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
        (JSC::FTL::LowerDFGToLLVM::compileBranch):
        (JSC::FTL::LowerDFGToLLVM::compileSwitch):
        (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
        (JSC::FTL::LowerDFGToLLVM::nonSpeculativeCompare):
        (JSC::FTL::LowerDFGToLLVM::allocateCell):
        (JSC::FTL::LowerDFGToLLVM::allocateBasicStorageAndGetEnd):
        (JSC::FTL::LowerDFGToLLVM::boolify):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::contiguousPutByValOutOfBounds):
        (JSC::FTL::LowerDFGToLLVM::buildSwitch):
        (JSC::FTL::LowerDFGToLLVM::doubleToInt32):
        (JSC::FTL::LowerDFGToLLVM::sensibleDoubleToInt32):
        (JSC::FTL::LowerDFGToLLVM::lowDouble):
        (JSC::FTL::LowerDFGToLLVM::strictInt52ToJSValue):
        (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
        (JSC::FTL::LowerDFGToLLVM::speculateStringOrStringObject):
        (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
        (JSC::FTL::LowerDFGToLLVM::callCheck):
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        * ftl/FTLOutput.cpp:
        (JSC::FTL::Output::initialize):
        (JSC::FTL::Output::appendTo):
        (JSC::FTL::Output::newBlock):
        (JSC::FTL::Output::sensibleDoubleToInt):
        (JSC::FTL::Output::load):
        (JSC::FTL::Output::store):
        (JSC::FTL::Output::baseIndex):
        (JSC::FTL::Output::branch):
        (JSC::FTL::Output::crashNonTerminal):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::branch):
        (JSC::FTL::Output::switchInstruction):
        * ftl/FTLSwitchCase.h:
        (JSC::FTL::SwitchCase::SwitchCase):
        (JSC::FTL::SwitchCase::weight):
        * ftl/FTLWeight.h: Added.
        (JSC::FTL::Weight::Weight):
        (JSC::FTL::Weight::isSet):
        (JSC::FTL::Weight::operator!):
        (JSC::FTL::Weight::value):
        (JSC::FTL::Weight::scaleToTotal):
        * ftl/FTLWeightedTarget.h: Added.
        (JSC::FTL::WeightedTarget::WeightedTarget):
        (JSC::FTL::WeightedTarget::target):
        (JSC::FTL::WeightedTarget::weight):
        (JSC::FTL::usually):
        (JSC::FTL::rarely):
        (JSC::FTL::unsure):

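The following is an added illustration of the Weight / WeightedTarget design the entry above describes; it is not the WebKit source. The class bodies, the scaleToTotal() signature, the BasicBlock stand-in for an LLVM block and the branchWeights() helper are assumptions made for this example.

```cpp
// Added example, not WebKit code: a minimal model of FTL's Weight and
// WeightedTarget. scaleToTotal(), BasicBlock and branchWeights() are assumed.
#include <cmath>
#include <iostream>
#include <vector>

struct BasicBlock { int id; };      // stand-in for an LLVM basic block
using LBasicBlock = BasicBlock*;

class Weight {
public:
    // A default-constructed weight is "unsure": NaN marks an unset weight.
    Weight() : m_value(std::nan("")) { }
    explicit Weight(float value) : m_value(value) { }

    bool isSet() const { return !std::isnan(m_value); }
    bool operator!() const { return !isSet(); }
    float value() const { return m_value; }

    // Scale this weight to an integer share of `total`, given the sum of all
    // weights on the same branch. LLVM branch_weights are positive integers,
    // so the result is clamped to at least 1; an unset weight or a
    // non-positive sum also yields 1 (callers skip the metadata in that case).
    unsigned scaleToTotal(float sumOfWeights, unsigned total = 1000) const
    {
        if (!isSet() || !(sumOfWeights > 0))
            return 1;
        float scaled = m_value / sumOfWeights * static_cast<float>(total);
        if (scaled < 0)
            scaled = 0;
        long rounded = std::lround(scaled);
        return rounded > 0 ? static_cast<unsigned>(rounded) : 1u;
    }

private:
    float m_value;
};

class WeightedTarget {
public:
    WeightedTarget(LBasicBlock target, Weight weight)
        : m_target(target), m_weight(weight) { }
    LBasicBlock target() const { return m_target; }
    Weight weight() const { return m_weight; }
private:
    LBasicBlock m_target;
    Weight m_weight;
};

// The three conveniences listed in the entry.
inline WeightedTarget usually(LBasicBlock block) { return WeightedTarget(block, Weight(1)); }
inline WeightedTarget rarely(LBasicBlock block) { return WeightedTarget(block, Weight(0)); }
inline WeightedTarget unsure(LBasicBlock block) { return WeightedTarget(block, Weight()); }

// What a two-way branch would attach as branch_weights metadata (assumed
// helper). If either side is unsure, no metadata is produced: an empty vector.
std::vector<unsigned> branchWeights(const WeightedTarget& taken, const WeightedTarget& notTaken)
{
    if (!taken.weight() || !notTaken.weight())
        return {};
    float sum = taken.weight().value() + notTaken.weight().value();
    return { taken.weight().scaleToTotal(sum), notTaken.weight().scaleToTotal(sum) };
}

int main()
{
    BasicBlock isCellCase { 1 }, slowCase { 2 };
    // Mirrors m_out.branch(isCell(value), usually(isCellCase), rarely(slowCase))
    for (unsigned w : branchWeights(usually(&isCellCase), rarely(&slowCase)))
        std::cout << w << ' ';
    std::cout << '\n';   // 1000 1
    return 0;
}
```

The NaN convention matters because a wrong weight is worse than no weight: an unsure side drops the metadata entirely rather than guessing, which keeps LLVM's block layout neutral for branches nobody has profiled.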
2014-02-19  peavo@outlook.com  <peavo@outlook.com>

        [Win][LLINT] Incorrect stack alignment.
        https://bugs.webkit.org/show_bug.cgi?id=129045

        Reviewed by Michael Saboff.

        LLINT expects the stack to be 16 byte aligned, but with MSVC it is not.
        To align the stack, a new backend, X86_WIN, is created.

        * llint/LLIntOfflineAsmConfig.h: Use X86_WIN backend on Windows.
        * llint/LowLevelInterpreter.asm: Align stack to 16 byte boundaries. Otherwise, use same implementation for X86_WIN as for X86.
        * llint/LowLevelInterpreter32_64.asm: Adjust stack offset to retrieve function parameters now that the stack is aligned.
        * offlineasm/backends.rb: Added X86_WIN backend.
        * offlineasm/x86.rb: Fix crash caused by incorrect assembly code for double types.

2014-02-19  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        ASSERTION FAILED: (year >= 1970 && yearday >= 0) || (year < 1970 && yearday < 0) in WTF::dateToDaysFrom1970
        https://bugs.webkit.org/show_bug.cgi?id=128740

        Very large numbers could cause an overflow which resulted in the assertion failing in WTF::dateToDaysFrom1970
        DateConstructor will now check if the number fits into an Int32 before casting

        Reviewed by Geoffrey Garen.

        * runtime/DateConstructor.cpp:
        (JSC::constructDate):
        (JSC::dateUTC):

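As an added example (not the JSC DateConstructor code), this shows the kind of range check the entry above describes: refuse the double-to-int32 cast when the value does not fit, instead of casting and feeding a garbage year into the days-from-1970 computation. The function names, the simplified 365-day year and the sample values are constructed for the illustration.

```cpp
// Added example, not WebKit code. toInt32IfFits(), yearToDaysFrom1970() and
// the 365-day year are assumptions made to show the guard, not the calendar.
#include <cmath>
#include <cstdint>
#include <iostream>
#include <limits>

// Casting a double that is NaN, infinite or outside the int32 range to an
// integer type is undefined behaviour in C++; in practice it yields an
// arbitrary value, which is how the year/yearday sign assertion fired.
// Check the range first; return false when the value must not be cast.
bool toInt32IfFits(double value, int32_t& result)
{
    if (!std::isfinite(value))
        return false;
    double integral = std::trunc(value);   // ToInteger: drop the fraction
    const double lowest = static_cast<double>(std::numeric_limits<int32_t>::min());
    const double highest = static_cast<double>(std::numeric_limits<int32_t>::max());
    if (integral < lowest || integral > highest)
        return false;                      // would overflow
    result = static_cast<int32_t>(integral);
    return true;
}

// Toy stand-in for the year -> days-from-1970 step. Returns NaN (what an
// "Invalid Date" carries in JavaScript) when the year argument does not fit.
double yearToDaysFrom1970(double yearArgument)
{
    int32_t year;
    if (!toInt32IfFits(yearArgument, year))
        return std::nan("");
    return (static_cast<double>(year) - 1970.0) * 365.0;
}

// The invariant from the assertion quoted in the entry, over the toy model.
bool yearDayInvariantHolds(int32_t year, double yearday)
{
    return (year >= 1970 && yearday >= 0) || (year < 1970 && yearday < 0);
}

int main()
{
    // Constructed samples: two normal years, then values that must be rejected.
    const double samples[] = { 2014.0, 1969.9, 4294967296.0, 1e300, std::nan(""), -1e20 };
    for (double s : samples) {
        double days = yearToDaysFrom1970(s);
        std::cout << s << " -> " << (std::isnan(days) ? "Invalid Date" : "ok") << '\n';
    }
    return 0;
}
```

The comparison is done in double space on purpose: both int32 bounds are exactly representable as doubles, so there is no second overflow hiding inside the check itself.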
2014-02-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        Dedicated worker crash caused by global DFG worklists + GC
        https://bugs.webkit.org/show_bug.cgi?id=128537

        Reviewed by Filip Pizlo.

        The process-global DFG worklists were causing objects to participate in the garbage collections of VMs
        other than the one they were allocated in. This started manifesting in the worker tests because they're
        one of the few WebKit tests that do multithreaded JS.

        The fix is to filter out Plans from other VMs during collection.

        * dfg/DFGSafepoint.cpp:
        (JSC::DFG::Safepoint::vm):
        * dfg/DFGSafepoint.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::isActiveForVM):
        (JSC::DFG::Worklist::suspendAllThreads):
        (JSC::DFG::Worklist::resumeAllThreads):
        (JSC::DFG::Worklist::visitChildren):
        * dfg/DFGWorklist.h:
        * heap/Heap.cpp:
        (JSC::Heap::deleteAllCompiledCode):
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::copyLater):

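An added sketch of the fix described above (not the WebKit code): a process-wide worklist whose plans belong to different VMs, with the unfiltered "before" visitor beside the per-VM "after" visitor. The VM, JSCell and Plan structs, the function names and the two-VM scenario are constructed for the illustration.

```cpp
// Added example, not WebKit code. VM, JSCell, Plan, Worklist's method bodies
// and runScenario() are assumptions that model the cross-VM marking bug.
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <vector>

struct VM { int id; };
struct JSCell { VM* owner; bool marked = false; };

// A compilation plan references cells of exactly one VM.
struct Plan {
    VM* vm;
    std::vector<JSCell*> cells;
};

class Worklist {
public:
    void enqueue(Plan plan) { m_plans.push_back(std::move(plan)); }

    bool isActiveForVM(const VM* vm) const
    {
        return std::any_of(m_plans.begin(), m_plans.end(),
            [vm](const Plan& plan) { return plan.vm == vm; });
    }

    // Before the fix: every plan on the global list is marked by whichever VM
    // happens to be collecting, so VM A's GC marks (and later moves or frees)
    // cells that belong to VM B.
    std::size_t visitChildrenUnfiltered()
    {
        std::size_t visited = 0;
        for (Plan& plan : m_plans)
            visited += markCells(plan);
        return visited;
    }

    // After the fix: skip plans that were created for another VM.
    std::size_t visitChildren(const VM* collectingVM)
    {
        std::size_t visited = 0;
        for (Plan& plan : m_plans) {
            if (plan.vm != collectingVM)
                continue;
            visited += markCells(plan);
        }
        return visited;
    }

private:
    static std::size_t markCells(Plan& plan)
    {
        for (JSCell* cell : plan.cells)
            cell->marked = true;
        return plan.cells.size();
    }
    std::vector<Plan> m_plans;
};

// Cells marked by a collection of a VM that does not own them: must be zero.
std::size_t foreignMarks(const std::vector<JSCell>& cells, const VM* collectingVM)
{
    std::size_t n = 0;
    for (const JSCell& cell : cells) {
        if (cell.marked && cell.owner != collectingVM)
            ++n;
    }
    return n;
}

// Constructed scenario: VM A collects while plans for A and B share one
// worklist. Returns how many of B's cells A's collection touched.
std::size_t runScenario(bool filtered)
{
    VM vmA { 1 }, vmB { 2 };
    std::vector<JSCell> cells { { &vmA }, { &vmA }, { &vmB } };
    Worklist worklist;
    worklist.enqueue({ &vmA, { &cells[0], &cells[1] } });
    worklist.enqueue({ &vmB, { &cells[2] } });
    if (filtered)
        worklist.visitChildren(&vmA);
    else
        worklist.visitChildrenUnfiltered();
    return foreignMarks(cells, &vmA);
}

int main()
{
    std::cout << "foreign marks, unfiltered: " << runScenario(false) << '\n';  // 1
    std::cout << "foreign marks, filtered:   " << runScenario(true) << '\n';   // 0
    return 0;
}
```

The general rule this illustrates: any process-global structure that holds GC references has to be keyed by the heap those references belong to, or one heap's collector ends up mutating another heap's objects without that heap's synchronisation.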
2014-02-19  Brady Eidson  <beidson@apple.com>

        Add FeatureDefines for image controls
        https://bugs.webkit.org/show_bug.cgi?id=129022

        Reviewed by Jer Noble.

        * Configurations/FeatureDefines.xcconfig:

2014-02-19  Dan Bernstein  <mitz@apple.com>

        Simplify PLATFORM(MAC) && !PLATFORM(IOS) and similar expressions
        https://bugs.webkit.org/show_bug.cgi?id=129029

        Reviewed by Mark Rowe.

        * API/JSValueRef.cpp:
        (JSValueUnprotect):
        * jit/ExecutableAllocatorFixedVMPool.cpp:

2014-02-18  Filip Pizlo  <fpizlo@apple.com>

        Correctly install libllvmForJSC.dylib in production builds
        https://bugs.webkit.org/show_bug.cgi?id=129023

        Reviewed by Mark Rowe.

        In non-production builds, we copy it as before. In production builds, we use the install
        path.

        Also roll http://trac.webkit.org/changeset/164348 back in.

        * Configurations/Base.xcconfig:
        * Configurations/LLVMForJSC.xcconfig:
        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-02-18  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out http://trac.webkit.org/changeset/164348 because it broke some
        builds.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-02-18  Filip Pizlo  <fpizlo@apple.com>

        Don't call LLVMInitializeNativeTarget() because it can be all messed up if you cross-compile LLVM
        https://bugs.webkit.org/show_bug.cgi?id=129020

        Reviewed by Dan Bernstein.

        LLVMInitializeNativeTarget() is this super special inline function in llvm-c/Target.h that
        depends on some #define's that come from some really weird magic in autoconf/configure.ac.
        That magic fails miserably for cross-compiles. So, we need to manually initialize the things
        that InitializeNativeTarget initializes.

        * llvm/library/LLVMExports.cpp:
        (initializeAndGetJSCLLVMAPI):

2014-02-18  Filip Pizlo  <fpizlo@apple.com>

        The shell scripts in the Xcode build system should tell you when they failed
        https://bugs.webkit.org/show_bug.cgi?id=129018

        Reviewed by Mark Rowe.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-02-17  Gavin Barraclough  <barraclough@apple.com>

        Add fast mapping from StringImpl to JSString
        https://bugs.webkit.org/show_bug.cgi?id=128625

        Reviewed by Geoff Garen & Andreas Kling.

        * runtime/JSString.cpp:
        (JSC::JSString::WeakOwner::finalize):
            - once the JSString weakly owned by a StringImpl becomes unreachable, remove the WeakImpl.
        * runtime/JSString.h:
        (JSC::jsStringWithWeakOwner):
            - create a JSString wrapping a StringImpl, and weakly cache the JSString on the StringImpl.
        * runtime/VM.cpp:
        (JSC::VM::VM):
            - initialize jsStringWeakOwner.
        (JSC::VM::createLeakedForMainThread):
            - initialize jsStringWeakOwner - the main thread gets to use the weak pointer
              on StringImpl to cache a JSString wrapper.
        * runtime/VM.h:
            - renamed createLeaked -> createLeakedForMainThread to make it clear this
              should only be used to create the main thread VM.

2014-02-18  Oliver Hunt  <oliver@apple.com>

        Prevent builtin js named with C++ reserved words from breaking the build
        https://bugs.webkit.org/show_bug.cgi?id=129017

        Reviewed by Sam Weinig.

        Simple change to a couple of macros to make sure we don't create functions
        named using reserved words.

        * builtins/BuiltinExecutables.cpp:
        * builtins/BuiltinNames.h:

2014-02-18  Filip Pizlo  <fpizlo@apple.com>

        FTL should build on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=129010

        Reviewed by Sam Weinig.

        * disassembler/X86Disassembler.cpp: Just because we have the LLVM disassembler doesn't mean we're on X86.
        * ftl/FTLLocation.cpp: DWARF parsing for ARM64 is super easy.
        (JSC::FTL::Location::isGPR):
        (JSC::FTL::Location::gpr):
        (JSC::FTL::Location::isFPR):
        (JSC::FTL::Location::fpr):
        (JSC::FTL::Location::restoreInto): This function wasn't even X86-specific to begin with so move it out of the #if stuff.
        * ftl/FTLUnwindInfo.cpp: They're called q not d.
        (JSC::FTL::UnwindInfo::parse):
        * jit/GPRInfo.h:
        (JSC::GPRInfo::toArgumentRegister): Add this method; we already had it on X86.

2014-02-18  Filip Pizlo  <fpizlo@apple.com>

        FTL unwind parsing should handle ARM64
        https://bugs.webkit.org/show_bug.cgi?id=128984

        Reviewed by Oliver Hunt.

        This makes unwind parsing handle ARM64 and it makes all clients of unwind info capable of
        dealing with that architecture.

        The big difference is that ARM64 has callee-save double registers. This is conceptually easy
        to handle, but our code for dealing with callee-saves spoke of "GPRReg". We've been in this
        situation before: code that needs to deal with either a GPRReg or a FPRReg. In the past we'd
        hacked around the problem, but this time I decided to do a full frontal assault. This patch
        adds a Reg class, which is a box for either GPRReg or FPRReg along with tools for iterating
        over all possible registers. Then, I threaded this through SaveRestore, RegisterSet,
        RegisterAtOffset, and UnwindInfo. With the help of Reg, it was easy to refactor the code to
        handle FPRs in addition to GPRs.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLRegisterAtOffset.cpp:
        (JSC::FTL::RegisterAtOffset::dump):
        * ftl/FTLRegisterAtOffset.h:
        (JSC::FTL::RegisterAtOffset::RegisterAtOffset):
        (JSC::FTL::RegisterAtOffset::operator!):
        (JSC::FTL::RegisterAtOffset::reg):
        (JSC::FTL::RegisterAtOffset::operator==):
        (JSC::FTL::RegisterAtOffset::operator<):
        (JSC::FTL::RegisterAtOffset::getReg):
        * ftl/FTLSaveRestore.cpp:
        (JSC::FTL::offsetOfReg):
        * ftl/FTLSaveRestore.h:
        * ftl/FTLUnwindInfo.cpp:
        (JSC::FTL::UnwindInfo::parse):
        (JSC::FTL::UnwindInfo::find):
        (JSC::FTL::UnwindInfo::indexOf):
        * ftl/FTLUnwindInfo.h:
        * jit/Reg.cpp: Added.
        (JSC::Reg::dump):
        * jit/Reg.h: Added.
        (JSC::Reg::Reg):
        (JSC::Reg::fromIndex):
        (JSC::Reg::first):
        (JSC::Reg::last):
        (JSC::Reg::next):
        (JSC::Reg::index):
        (JSC::Reg::isSet):
        (JSC::Reg::operator!):
        (JSC::Reg::isGPR):
        (JSC::Reg::isFPR):
        (JSC::Reg::gpr):
        (JSC::Reg::fpr):
        (JSC::Reg::operator==):
        (JSC::Reg::operator!=):
        (JSC::Reg::operator<):
        (JSC::Reg::operator>):
        (JSC::Reg::operator<=):
        (JSC::Reg::operator>=):
        (JSC::Reg::hash):
        (JSC::Reg::invalid):
        * jit/RegisterSet.h:
        (JSC::RegisterSet::set):
        (JSC::RegisterSet::clear):
        (JSC::RegisterSet::get):

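An added model of the Reg box described in the entry above; it is not the WebKit code. The register enums are a small made-up set rather than ARM64's real register file, the method names follow the entry's listing for jit/Reg.h, and the bitset-backed RegisterSet, countCalleeSaves() and countAllRegisters() are assumptions.

```cpp
// Added example, not WebKit code. The GPRReg/FPRReg enums are constructed
// (8 GPRs, 4 FPRs); Reg's layout, RegisterSet's storage and the two counting
// helpers are assumptions that show the uniform-iteration idea.
#include <bitset>
#include <cstdint>
#include <iostream>

enum GPRReg : int8_t { x0, x1, x2, x3, x4, x5, x6, x7, InvalidGPRReg = -1 };
enum FPRReg : int8_t { q0, q1, q2, q3, InvalidFPRReg = -1 };

constexpr unsigned numberOfGPRs = 8;
constexpr unsigned numberOfFPRs = 4;
constexpr unsigned numberOfRegs = numberOfGPRs + numberOfFPRs;

// One value type that can name either kind of register. GPRs occupy indices
// [0, numberOfGPRs), FPRs follow, so a single loop visits all of them.
class Reg {
public:
    Reg() : m_index(invalidIndex) { }
    Reg(GPRReg gpr) : m_index(gpr == InvalidGPRReg ? invalidIndex : static_cast<unsigned>(gpr)) { }
    Reg(FPRReg fpr) : m_index(fpr == InvalidFPRReg ? invalidIndex : numberOfGPRs + static_cast<unsigned>(fpr)) { }

    static Reg fromIndex(unsigned index) { Reg reg; reg.m_index = index; return reg; }
    static Reg invalid() { return Reg(); }
    static Reg first() { return fromIndex(0); }
    static Reg last() { return fromIndex(numberOfRegs - 1); }
    Reg next() const { return m_index + 1 < numberOfRegs ? fromIndex(m_index + 1) : invalid(); }

    unsigned index() const { return m_index; }
    bool isSet() const { return m_index != invalidIndex; }
    bool operator!() const { return !isSet(); }
    bool isGPR() const { return isSet() && m_index < numberOfGPRs; }
    bool isFPR() const { return isSet() && m_index >= numberOfGPRs; }
    GPRReg gpr() const { return isGPR() ? static_cast<GPRReg>(m_index) : InvalidGPRReg; }
    FPRReg fpr() const { return isFPR() ? static_cast<FPRReg>(m_index - numberOfGPRs) : InvalidFPRReg; }

    bool operator==(Reg other) const { return m_index == other.m_index; }
    bool operator!=(Reg other) const { return !(*this == other); }
    bool operator<(Reg other) const { return m_index < other.m_index; }
    unsigned hash() const { return m_index; }

private:
    static constexpr unsigned invalidIndex = 0xffffffffu;
    unsigned m_index;
};

// A register set keyed by Reg, so callee-save bookkeeping no longer needs a
// GPR-only and an FPR-only code path.
class RegisterSet {
public:
    void set(Reg reg) { m_bits.set(reg.index()); }
    void clear(Reg reg) { m_bits.reset(reg.index()); }
    bool get(Reg reg) const { return m_bits.test(reg.index()); }
private:
    std::bitset<numberOfRegs> m_bits;
};

// Walk every register once, GPRs then FPRs, the way save/restore code would
// when laying out callee-save slots; only registers in the set are counted.
unsigned countCalleeSaves(const RegisterSet& set)
{
    unsigned count = 0;
    for (Reg reg = Reg::first(); !!reg; reg = reg.next()) {
        if (set.get(reg))
            ++count;
    }
    return count;
}

// Number of registers the first()/next() protocol visits before going invalid.
unsigned countAllRegisters()
{
    unsigned count = 0;
    for (Reg reg = Reg::first(); !!reg; reg = reg.next())
        ++count;
    return count;
}

int main()
{
    RegisterSet calleeSaves;
    calleeSaves.set(Reg(x3));
    calleeSaves.set(Reg(q1));
    std::cout << countAllRegisters() << " registers, "
              << countCalleeSaves(calleeSaves) << " callee-saved\n";   // 12 registers, 2 callee-saved
    return 0;
}
```

The point of the single index space is that unwind tables, save/restore offsets and register sets can all be keyed by Reg; a callee-saved FPR and a callee-saved GPR are then handled by the same loop instead of by two copies of it that can drift apart.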
2014-02-17  Filip Pizlo  <fpizlo@apple.com>

        More ARM FTL glue
        https://bugs.webkit.org/show_bug.cgi?id=128948

        Reviewed by Sam Weinig.

        * Configurations/Base.xcconfig: Allow for a header search directory for LLVM's generated files.
        * Configurations/LLVMForJSC.xcconfig: Link the right things for ARM.
        * assembler/ARM64Assembler.h: Build fix.
        (JSC::ARM64Assembler::fillNops):
        * disassembler/LLVMDisassembler.cpp: Use the right target triples.
        (JSC::tryToDisassembleWithLLVM):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps): Build fix.
        * jit/GPRInfo.h: Build fix.
        * llvm/library/LLVMExports.cpp: Link the right things.
        (initializeAndGetJSCLLVMAPI):

2014-02-17  Anders Carlsson  <andersca@apple.com>

        Remove ENABLE_GLOBAL_FASTMALLOC_NEW
        https://bugs.webkit.org/show_bug.cgi?id=127067

        Reviewed by Geoffrey Garen.

        * parser/Nodes.h:

2014-02-17  Sergio Correia  <sergio.correia@openbossa.org>

        Replace uses of PassOwnPtr/OwnPtr with std::unique_ptr in WebCore/inspector
        https://bugs.webkit.org/show_bug.cgi?id=128681

        Reviewed by Timothy Hatcher.

        Another step towards getting rid of PassOwnPtr/OwnPtr, now targeting
        WebCore/inspector/*. Besides files in there, a few other files in
        JavaScriptCore/inspector, WebKit/, WebKit2/WebProcess/WebCoreSupport/
        and WebCore/testing were touched.

        * inspector/ContentSearchUtilities.cpp:
        * inspector/ContentSearchUtilities.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        * inspector/agents/InspectorConsoleAgent.h:

2014-02-17  Filip Pizlo  <fpizlo@apple.com>

        FTL should support ToPrimitive and the DFG should fold it correctly
        https://bugs.webkit.org/show_bug.cgi?id=128892

        Reviewed by Geoffrey Garen.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileToPrimitive):
        * tests/stress/fold-to-primitive-in-cfa.js: Added.
        (foo):
        (.result.foo):
        * tests/stress/fold-to-primitive-to-identity-in-cfa.js: Added.
        (foo):
        (.result.foo):

2014-02-17  Filip Pizlo  <fpizlo@apple.com>

        Register preservation wrapper should know about the possibility of callee-saved FPRs
        https://bugs.webkit.org/show_bug.cgi?id=128923

        Reviewed by Mark Hahnenberg.

        * jit/RegisterPreservationWrapperGenerator.cpp:
        (JSC::generateRegisterPreservationWrapper):
        (JSC::generateRegisterRestoration):
        * jit/RegisterSet.cpp:

2014-02-17  Filip Pizlo  <fpizlo@apple.com>

        lr is a special register on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=128922

        Reviewed by Mark Hahnenberg.

        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::specialRegisters):

2014-02-17  Filip Pizlo  <fpizlo@apple.com>

        Fix RegisterSet::calleeSaveRegisters() by making it correct on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=128921

        Reviewed by Mark Hahnenberg.

        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::calleeSaveRegisters):

2014-02-17  Filip Pizlo  <fpizlo@apple.com>

        RegisterSet::calleeSaveRegisters() should know about ARM64
        https://bugs.webkit.org/show_bug.cgi?id=128918

        Reviewed by Mark Hahnenberg.

        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::calleeSaveRegisters):

2014-02-17  Csaba Osztrogonác  <ossy@webkit.org>

        Move back primary header includes next to config.h
        https://bugs.webkit.org/show_bug.cgi?id=128912

        Reviewed by Alexey Proskuryakov.

        * dfg/DFGAbstractHeap.cpp:
        * dfg/DFGAbstractValue.cpp:
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        * dfg/DFGArithMode.cpp:
        * dfg/DFGArrayMode.cpp:
        * dfg/DFGAtTailAbstractState.cpp:
        * dfg/DFGAvailability.cpp:
        * dfg/DFGBackwardsPropagationPhase.cpp:
        * dfg/DFGBasicBlock.cpp:
        * dfg/DFGBinarySwitch.cpp:
        * dfg/DFGBlockInsertionSet.cpp:
        * dfg/DFGByteCodeParser.cpp:
        * dfg/DFGCFAPhase.cpp:
        * dfg/DFGCFGSimplificationPhase.cpp:
        * dfg/DFGCPSRethreadingPhase.cpp:
        * dfg/DFGCSEPhase.cpp:
        * dfg/DFGCapabilities.cpp:
        * dfg/DFGClobberSet.cpp:
        * dfg/DFGClobberize.cpp:
        * dfg/DFGCommon.cpp:
        * dfg/DFGCommonData.cpp:
        * dfg/DFGCompilationKey.cpp:
        * dfg/DFGCompilationMode.cpp:
        * dfg/DFGConstantFoldingPhase.cpp:
        * dfg/DFGCriticalEdgeBreakingPhase.cpp:
        * dfg/DFGDCEPhase.cpp:
        * dfg/DFGDesiredIdentifiers.cpp:
        * dfg/DFGDesiredStructureChains.cpp:
        * dfg/DFGDesiredTransitions.cpp:
        * dfg/DFGDesiredWatchpoints.cpp:
        * dfg/DFGDesiredWeakReferences.cpp:
        * dfg/DFGDesiredWriteBarriers.cpp:
        * dfg/DFGDisassembler.cpp:
        * dfg/DFGDominators.cpp:
        * dfg/DFGEdge.cpp:
        * dfg/DFGFailedFinalizer.cpp:
        * dfg/DFGFinalizer.cpp:
        * dfg/DFGFixupPhase.cpp:
        * dfg/DFGFlushFormat.cpp:
        * dfg/DFGFlushLivenessAnalysisPhase.cpp:
        * dfg/DFGFlushedAt.cpp:
        * dfg/DFGGraph.cpp:
        * dfg/DFGGraphSafepoint.cpp:
        * dfg/DFGInPlaceAbstractState.cpp:
        * dfg/DFGIntegerCheckCombiningPhase.cpp:
        * dfg/DFGInvalidationPointInjectionPhase.cpp:
        * dfg/DFGJITCode.cpp:
        * dfg/DFGJITCompiler.cpp:
        * dfg/DFGJITFinalizer.cpp:
        * dfg/DFGJumpReplacement.cpp:
        * dfg/DFGLICMPhase.cpp:
        * dfg/DFGLazyJSValue.cpp:
        * dfg/DFGLivenessAnalysisPhase.cpp:
        * dfg/DFGLongLivedState.cpp:
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        * dfg/DFGMinifiedNode.cpp:
        * dfg/DFGNaturalLoops.cpp:
        * dfg/DFGNode.cpp:
        * dfg/DFGNodeFlags.cpp:
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        * dfg/DFGOSREntry.cpp:
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        * dfg/DFGOSRExit.cpp:
        * dfg/DFGOSRExitBase.cpp:
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        * dfg/DFGOSRExitCompiler64.cpp:
        * dfg/DFGOSRExitCompilerCommon.cpp:
        * dfg/DFGOSRExitJumpPlaceholder.cpp:
        * dfg/DFGOSRExitPreparation.cpp:
        * dfg/DFGPhase.cpp:
        * dfg/DFGPlan.cpp:
        * dfg/DFGPredictionInjectionPhase.cpp:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGResurrectionForValidationPhase.cpp:
        * dfg/DFGSSAConversionPhase.cpp:
        * dfg/DFGSSALoweringPhase.cpp:
        * dfg/DFGSafepoint.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        * dfg/DFGSpeculativeJIT64.cpp:
        * dfg/DFGStackLayoutPhase.cpp:
        * dfg/DFGStoreBarrierElisionPhase.cpp:
        * dfg/DFGStrengthReductionPhase.cpp:
        * dfg/DFGThreadData.cpp:
        * dfg/DFGThunks.cpp:
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        * dfg/DFGToFTLDeferredCompilationCallback.cpp:
        * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        * dfg/DFGUnificationPhase.cpp:
        * dfg/DFGUseKind.cpp:
        * dfg/DFGValidate.cpp:
        * dfg/DFGValueSource.cpp:
        * dfg/DFGVariableAccessDataDump.cpp:
        * dfg/DFGVariableEvent.cpp:
        * dfg/DFGVariableEventStream.cpp:
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        * dfg/DFGWatchpointCollectionPhase.cpp:
        * dfg/DFGWorklist.cpp:
        * heap/JITStubRoutineSet.cpp:
        * jit/GCAwareJITStubRoutine.cpp:
        * jit/JIT.cpp:
        * jit/JITDisassembler.cpp:
        * jit/JITOperations.cpp:
        * jit/JITStubRoutine.cpp:
        * jit/JITStubs.cpp:
        * jit/TempRegisterSet.cpp:

2014-02-16  Filip Pizlo  <fpizlo@apple.com>

        FTL OSR exit shouldn't make X86-specific assumptions
        https://bugs.webkit.org/show_bug.cgi?id=128890

        Reviewed by Mark Hahnenberg.

        Mostly this is about not using push/pop, but instead using the more abstract pushToSave() and popToRestore() while reflecting on the stack alignment.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::pushToSaveImmediateWithoutTouchingRegisters):
        (JSC::MacroAssembler::pushToSaveByteOffset):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters):
        (JSC::MacroAssemblerARM64::pushToSaveByteOffset):
        * ftl/FTLExitThunkGenerator.cpp:
        (JSC::FTL::ExitThunkGenerator::emitThunk):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLThunks.cpp:
        (JSC::FTL::osrExitGenerationThunkGenerator):

2014-02-17  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, make this test pass without DFG. It was assuming that you always have DFG
        and that it would always tier-up to the DFG - both wrong assumptions.

        * tests/stress/tricky-array-bounds-checks.js:
        (foo):

2014-02-17  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        Fix the CLoop build after r163760
        https://bugs.webkit.org/show_bug.cgi?id=128900

        Reviewed by Csaba Osztrogonác.

        * llint/LLIntThunks.cpp:

2014-02-17  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        CLoop buildfix after r164207
        https://bugs.webkit.org/show_bug.cgi?id=128899

        Reviewed by Csaba Osztrogonác.

        * dfg/DFGCommon.h:
        (JSC::DFG::shouldShowDisassembly):

2014-02-16  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, 32-bit build fix.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::lshiftPtr):

2014-02-15  Filip Pizlo  <fpizlo@apple.com>

        FTL should inline polymorphic heap accesses
        https://bugs.webkit.org/show_bug.cgi?id=128795

        Reviewed by Oliver Hunt.

        We now inline GetByIds that we know are pure but polymorphic. They manifest in DFG IR
        as MultiGetByOffset, and in LLVM IR as a switch with a basic block for each kind of
        read.

        2% speed-up on Octane mostly due to an 18% speed-up on deltablue.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/ExitingJITType.cpp: Added.
        (WTF::printInternal):
        * bytecode/ExitingJITType.h:
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        (JSC::GetByIdStatus::computeForChain):
        (JSC::GetByIdStatus::computeForStubInfo):
        (JSC::GetByIdStatus::computeFor):
        (JSC::GetByIdStatus::dump):
        * bytecode/GetByIdStatus.h:
        (JSC::GetByIdStatus::GetByIdStatus):
        (JSC::GetByIdStatus::numVariants):
        (JSC::GetByIdStatus::variants):
        (JSC::GetByIdStatus::at):
        (JSC::GetByIdStatus::operator[]):
        * bytecode/GetByIdVariant.cpp: Added.
        (JSC::GetByIdVariant::dump):
        (JSC::GetByIdVariant::dumpInContext):
        * bytecode/GetByIdVariant.h: Added.
        (JSC::GetByIdVariant::GetByIdVariant):
        (JSC::GetByIdVariant::isSet):
        (JSC::GetByIdVariant::operator!):
        (JSC::GetByIdVariant::structureSet):
        (JSC::GetByIdVariant::chain):
        (JSC::GetByIdVariant::specificValue):
        (JSC::GetByIdVariant::offset):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        (JSC::DFG::verboseCompilationEnabled):
        (JSC::DFG::logCompilationChanges):
        (JSC::DFG::shouldShowDisassembly):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::convertToConstant):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToGetByOffset):
        (JSC::DFG::Node::hasHeapPrediction):
        (JSC::DFG::Node::hasMultiGetByOffsetData):
        (JSC::DFG::Node::multiGetByOffsetData):
        * dfg/DFGNodeType.h:
        * dfg/DFGPhase.h:
        (JSC::DFG::Phase::graph):
        (JSC::DFG::runAndLog):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::dumpAndVerifyGraph):
        (JSC::DFG::Plan::compileInThread):
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        (JSC::FTL::compile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
        * ftl/FTLState.h:
        (JSC::FTL::verboseCompilationEnabled):
        (JSC::FTL::showDisassembly):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionEffectful42):
        * runtime/IntendedStructureChain.cpp:
        (JSC::IntendedStructureChain::dump):
        (JSC::IntendedStructureChain::dumpInContext):
        * runtime/IntendedStructureChain.h:
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:
        * tests/stress/fold-multi-get-by-offset-to-get-by-offset-with-watchpoint.js: Added.
        (foo):
        (bar):
        * tests/stress/fold-multi-get-by-offset-to-get-by-offset.js: Added.
        (foo):
        (bar):
        * tests/stress/multi-get-by-offset-proto-and-self.js: Added.
        (foo):
        (Foo):

794 2014-02-16  Filip Pizlo  <fpizlo@apple.com>
795
796         DFG::prepareOSREntry should be nice to the stack
797         https://bugs.webkit.org/show_bug.cgi?id=128883
798
799         Reviewed by Oliver Hunt.
800         
        Previously OSR entry had some FIXME's and some really badly commented-out code for
        clearing stack entries to help GC. It also did some permutations on a stack frame
        above us, in such a way that it wasn't obvious that we wouldn't clobber our own
        stack frame. This function also crashed in ASan.

        It just seems like there was too much badness to the whole idea of prepareOSREntry
        directly editing the stack. So, I changed it to create a stack frame in a scratch
        buffer on the side and then have some assembly code just copy it into place. This
        works fine, fixes a FIXME, possibly fixes some stack clobbering, and might help us
        make more progress with ASan.

        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSREntry.h:
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrEntryThunkGenerator):
        * dfg/DFGThunks.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitSlow_op_loop_hint):
        * jit/JITOperations.cpp:

2014-02-15  Filip Pizlo  <fpizlo@apple.com>

        Vector with inline capacity should work with non-PODs
        https://bugs.webkit.org/show_bug.cgi?id=128864

        Reviewed by Michael Saboff.

        Deques no longer have inline capacity because it was broken, and we didn't need it
        here anyway.

        * dfg/DFGWorklist.h:

2014-02-15  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out r164166.

        This broke three unique tests:

        ** The following JSC stress test failures have been introduced:
            regress/script-tests/variadic-closure-call.js.default-ftl
            regress/script-tests/variadic-closure-call.js.ftl-no-cjit-validate
            regress/script-tests/variadic-closure-call.js.ftl-no-cjit-osr-validation
            regress/script-tests/variadic-closure-call.js.ftl-eager
            regress/script-tests/variadic-closure-call.js.ftl-eager-no-cjit
            regress/script-tests/variadic-closure-call.js.ftl-eager-no-cjit-osr-validation
            jsc-layout-tests.yaml/js/script-tests/unmatching-argument-count.js.layout-ftl-eager-no-cjit
            regress/script-tests/direct-arguments-getbyval.js.ftl-eager-no-cjit
            regress/script-tests/direct-arguments-getbyval.js.ftl-eager-no-cjit-osr-validation

        * bytecode/PolymorphicAccessStructureList.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        * tests/stress/ftl-getbyval-arguments.js:

2014-02-15  Matthew Mirman  <mmirman@apple.com>

        Added GetMyArgumentByVal to FTL
        https://bugs.webkit.org/show_bug.cgi?id=128850

        Reviewed by Filip Pizlo.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
        * tests/stress/ftl-getbyval-arguments.js: Added.
        (foo):

2014-02-15  peavo@outlook.com  <peavo@outlook.com>

        [Win] LLINT is not working.
        https://bugs.webkit.org/show_bug.cgi?id=128115

        Reviewed by Mark Lam.

        This patch will generate assembly code with Intel syntax, which can be processed by the Microsoft assembler (MASM).
        By creating an asm file instead of a header file with inline assembly, we can support 64-bit.
        Only 32-bit compilation has been tested, not 64-bit.
        The aim of this patch is to get LLINT up and running on Windows.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added new files, and generated asm file.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
        * LLIntAssembly/build-LLIntAssembly.sh: Generate dummy asm file in case we're using C backend.
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor): Compile fix when DFG is disabled.
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor): Ditto.
        * bytecode/GetByIdStatus.h: Ditto.
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor): Ditto.
        * bytecode/PutByIdStatus.h: Ditto.
        * llint/LLIntData.cpp:
        (JSC::LLInt::initialize): Compile fix.
        * llint/LLIntSlowPaths.h: Added llint_crash function.
        * llint/LLIntSlowPaths.cpp: Ditto.
        * llint/LowLevelInterpreter.cpp: Disable code for Windows.
        * llint/LowLevelInterpreter.asm: Remove instruction which generates incorrect assembly code on Windows (MOV 0xbbadbeef, register), call llint_crash instead.
        Make local labels visible to MASM on Windows.
        * llint/LowLevelInterpreter32_64.asm: Make local labels visible to MASM on Windows.
        * offlineasm/asm.rb: Generate asm file with Intel assembly syntax.
        * offlineasm/settings.rb: Ditto.
        * offlineasm/x86.rb: Ditto.

2014-02-14  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: CRASH when debugger closes while paused and remote inspecting a JSContext
        https://bugs.webkit.org/show_bug.cgi?id=127757

        Reviewed by Timothy Hatcher.

        The problem was that the lifetime of the InspectorController and all agents
        was tied to the remote inspector session. So, if a remote inspector was
        disconnected while in the nested run loop, everything would get torn
        down and when execution continued out of the nested runloop we would be
        back in the original call stack of destroyed objects.

        This patch changes the lifetime of the InspectorController and agents to
        the JSGlobalObject. This way the agents are always alive, just the
        frontend and backend channels are destroyed and recreated each remote
        inspector session. This matches the agent lifetime for WebCore agents.
        We can also later take advantage of the agents being alive before
        and between inspector debug sessions to stash exception messages to
        pass on to a debugger if a debugger is connected later.

        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        Cleaner initialization of agents. Easier to follow.

        (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
        Move InjectedScript disconnection only once the global object is destroyed.
        This way if a developer has attached once and included an injected script,
        we will keep it around with any state it might want to remember until
        the global object is destroyed.

        (Inspector::JSGlobalObjectInspectorController::globalObjectDestroyed):
        Disconnect agents and injected scripts when the global object is destroyed.

        * inspector/InjectedScriptManager.cpp:
        (Inspector::InjectedScriptManager::disconnect):
        Now that the injected script manager is reused between remote
        inspector sessions, don't clear the pointer on disconnect calls.
        We now only call this once when the global object is getting
        destroyed anyways so it doesn't matter. But if we wanted to call
        disconnect multiple times, e.g. once per session, we could.

        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::dispatchFunctionToListeners):
        If the only listener was removed during the nested runloop, then when
        we dispatch an event after the nested runloop the listener list will
        be empty. Instead of asserting, just pass by an empty list.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::inspectorController):
        Tie the inspector controller lifetime to the JSGlobalObject.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::~JSGlobalObject):
        (JSC::JSGlobalObject::init):
        Create the inspector controller, and eagerly signal teardown
        in destruction.

        * runtime/JSGlobalObjectDebuggable.h:
        * runtime/JSGlobalObjectDebuggable.cpp:
        (JSC::JSGlobalObjectDebuggable::connect):
        (JSC::JSGlobalObjectDebuggable::disconnect):
        (JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemoteFrontend):
        Simplify by using the inspector controller on JSGlobalObject.

2014-02-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        -[JSManagedValue value] needs to be protected by the API lock
        https://bugs.webkit.org/show_bug.cgi?id=128857

        Reviewed by Mark Lam.

        * API/APICast.h:
        (toRef): Added an ASSERT so that we can detect these sorts of errors earlier. On 32-bit, toRef
        can allocate objects so we need to be holding the lock.
        * API/APIShims.h: Removed outdated comments.
        * API/JSManagedValue.mm: Added RefPtr<JSLock> to JSManagedValue.
        (-[JSManagedValue initWithValue:]): Initialize the m_lock field.
        (-[JSManagedValue value]): Lock the JSLock, check the VM*, return nil if invalid, take the APIEntryShim otherwise.
        * runtime/JSLock.cpp: Bug fix in JSLock. We were assuming that the VM was always non-null in JSLock::lock.
        (JSC::JSLock::lock):

2014-02-14  Oliver Hunt  <oliver@apple.com>

        Implement a few more Array prototype functions in JS
        https://bugs.webkit.org/show_bug.cgi?id=128788

        Reviewed by Gavin Barraclough.

        Remove a pile of awful C++, and rewrite in simple JS.

        Needed to make a few other changes to get fully builtins
        behavior to more accurately match a host function's.

        * builtins/Array.prototype.js:
        (every):
        (forEach):
        (filter):
        (map):
        (some):
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::BuiltinExecutables):
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitPutByVal):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::emitExpressionInfo):
        * interpreter/Interpreter.cpp:
        (JSC::GetStackTraceFunctor::operator()):
        * parser/Nodes.h:
        (JSC::FunctionBodyNode::overrideName):
        * profiler/LegacyProfiler.cpp:
        (JSC::createCallIdentifierFromFunctionImp):
        * runtime/ArrayPrototype.cpp:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::deleteProperty):
        * runtime/JSFunction.h:

2014-02-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        ASSERT(isValidAllocation(bytes)) when ObjC API creates custom errors
        https://bugs.webkit.org/show_bug.cgi?id=128840

        Reviewed by Joseph Pecoraro.

        We need to add APIEntryShims around places where we allocate errors in JSC.
        Also converted some of the createTypeError call sites to use ASCIILiteral.

        * API/JSValue.mm:
        (valueToArray):
        (valueToDictionary):
        * API/ObjCCallbackFunction.mm:
        (JSC::objCCallbackFunctionCallAsConstructor):
        (JSC::ObjCCallbackFunctionImpl::call):
        * API/tests/testapi.mm:

2014-02-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        Baseline JIT should have a fast path to bypass the write barrier on op_enter
        https://bugs.webkit.org/show_bug.cgi?id=128832

        Reviewed by Filip Pizlo.

        * jit/JIT.h: Removed some random commented out functions.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_enter):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitWriteBarrier):

2014-02-14  Filip Pizlo  <fpizlo@apple.com>

        Don't optimize variadic closure calls
        https://bugs.webkit.org/show_bug.cgi?id=128835

        Reviewed by Gavin Barraclough.

        Re-add the check that had been in JITStubs.cpp, back in the day. This code came
        from the DFG and the DFG didn't need these checks.

        * jit/JITOperations.cpp:

2014-02-14  David Kilzer  <ddkilzer@apple.com>

        [ASan] Disable JSStack::sanitizeStack() to avoid false-positive stack-buffer-overflow errors
        <http://webkit.org/b/128819>

        Reviewed by Filip Pizlo.

        * interpreter/JSStack.cpp:
        (JSC::JSStack::sanitizeStack): When building with the clang
        address sanitizer, don't sanitize the stack since it will
        trigger false-positive stack-buffer-overflow errors.  Disabling
        this only results in a performance penalty, not a correctness
        penalty.

2014-02-14  Andres Gomez  <agomez@igalia.com>

        Cleaning the JSStaticScopeObject files left behind after renaming their objects to JSNameScope
        https://bugs.webkit.org/show_bug.cgi?id=127595

        Reviewed by Mario Sanchez Prada.

        JSStaticScopeObject was renamed to JSNameScope and removed long
        ago but the files were left behind empty and the CMake compilation
        in need of its existence. Now, we are definitely getting rid of
        them.

        * CMakeLists.txt:
        * runtime/JSStaticScopeObject.cpp: Removed.
        * runtime/JSStaticScopeObject.h: Removed.

2014-02-13  Filip Pizlo  <fpizlo@apple.com>

        Kill some of the last vestiges of the C++ interpreter's PICs
        https://bugs.webkit.org/show_bug.cgi?id=128796

        Reviewed by Michael Saboff.

        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdOp):
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfo):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecode/PolymorphicAccessStructureList.h:
        (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::PolymorphicStubInfo):
        (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::set):
        (JSC::PolymorphicAccessStructureList::PolymorphicAccessStructureList):
        (JSC::PolymorphicAccessStructureList::visitWeak):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::deref):
        (JSC::StructureStubInfo::visitWeakReferences):
        * bytecode/StructureStubInfo.h:
        (JSC::isGetByIdAccess):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/Repatch.cpp:
        (JSC::getPolymorphicStructureList):
        (JSC::tryBuildGetByIDList):
        * llint/LowLevelInterpreter.asm:

2014-02-13  Mark Lam  <mark.lam@apple.com>

        The JSContainerConvertor and ObjcContainerConvertor need to protect JSValueRefs. Part 2.
        <https://webkit.org/b/128764>

        Reviewed by Mark Hahnenberg.

        toJS() is the wrong cast function to use. We need to use toJSForGC() instead.
        Also we need to acquire the JSLock to prevent concurrent accesses to the
        Strong handle list.

        * API/JSValue.mm:
        (JSContainerConvertor::add):
        (containerValueToObject):
        (ObjcContainerConvertor::add):
        (objectToValue):

2014-02-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSManagedValue::dealloc modifies NSMapTable while iterating it
        https://bugs.webkit.org/show_bug.cgi?id=128713

        Reviewed by Geoffrey Garen.

        Having to write a test for this revealed a bug in how addManagedReference:withOwner:
        actually notifies JSManagedValues of new owners.

        * API/JSManagedValue.mm:
        (-[JSManagedValue dealloc]):
        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine addManagedReference:withOwner:]):
        (-[JSVirtualMachine removeManagedReference:withOwner:]):
        * API/tests/testapi.mm:
        (testObjectiveCAPI):

2014-02-13  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix build.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):

2014-02-13  Ryosuke Niwa  <rniwa@webkit.org>

        Speculative Release build fix after r164077.

        * API/JSValue.mm:

2014-02-13  Mark Lam  <mark.lam@apple.com>

        The JSContainerConvertor and ObjcContainerConvertor need to protect JSValueRefs.
        <https://webkit.org/b/128764>

        Reviewed by Mark Hahnenberg.

        Added a vector of Strong<Unknown> references in the 2 containers, and append
        the newly created JSValues to those vectors. This will keep all those JS objects
        alive for the duration of the conversion.

        * API/JSValue.mm:
        (JSContainerConvertor::add):
        (ObjcContainerConvertor::add):

2014-02-13  Matthew Mirman  <mmirman@apple.com>

        Added GetMyArgumentsLength to FTL
        https://bugs.webkit.org/show_bug.cgi?id=128758

        Reviewed by Filip Pizlo.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
        * tests/stress/ftl-getmyargumentslength.js: Added.
        (foo):

2014-02-13  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out http://trac.webkit.org/changeset/164066.

        It broke tests and it was just plain wrong.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        (JSC::GetByIdStatus::computeForStubInfo):
        * runtime/Structure.h:
        (JSC::Structure::takesSlowPathInDFGForImpureProperty):

2014-02-13  Ryuan Choi  <ryuan.choi@samsung.com>

        Unreviewed build fix.

        Fixed typo.

        * dfg/DFGIntegerCheckCombiningPhase.cpp:
        (JSC::DFG::IntegerCheckCombiningPhase::run):

2014-02-13  Michael Saboff  <msaboff@apple.com>

        Change FTL stack check to use VM's stackLimit
        https://bugs.webkit.org/show_bug.cgi?id=128561

        Reviewed by Filip Pizlo.

        Changes FTL function entry to check the call frame register against the FTL
        specific stack limit (VM::m_ftlStackLimit) and throw an exception if the
        stack limit has been exceeded.  Updated the exception handling code to have
        a second entry that will unroll the current frame to the caller, since that
        is where the exception should be processed.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        * ftl/FTLState.h:
        * runtime/VM.h:
        (JSC::VM::addressOfFTLStackLimit):

2014-02-13  Filip Pizlo  <fpizlo@apple.com>

        GetByIdStatus shouldn't call takesSlowPathInDFGForImpureProperty() for self accesses, and calling that method should never assert about anything
        https://bugs.webkit.org/show_bug.cgi?id=128772

        Reviewed by Mark Hahnenberg.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        (JSC::GetByIdStatus::computeForStubInfo):
        * runtime/Structure.h:
        (JSC::Structure::takesSlowPathInDFGForImpureProperty):

2014-02-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add some RELEASE_ASSERTs to catch JSLock bugs earlier
        https://bugs.webkit.org/show_bug.cgi?id=128762

        Reviewed by Mark Lam.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * runtime/JSLock.cpp:
        (JSC::JSLock::DropAllLocks::DropAllLocks):

2014-02-12  Filip Pizlo  <fpizlo@apple.com>

        Hoist and combine array bounds checks
        https://bugs.webkit.org/show_bug.cgi?id=125433

        Reviewed by Mark Hahnenberg.

        This adds a phase for reasoning about overflow checks and array bounds checks. It's
        block-local, and removes both overflow checks and bounds checks in one go.

        This also improves reasoning about commutative operations, and CSE between
        CheckOverflow and Unchecked arithmetic.

        This strangely uncovered a DFG backend bug where we were trying to extract an int32
        from a constant even when that constant was just simply a number. I fixed that bug.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::set):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGArithMode.h:
        (JSC::DFG::subsumes):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::pureCSE):
        (JSC::DFG::CSEPhase::int32ToDoubleCSE):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGEdge.cpp:
        (JSC::DFG::Edge::dump):
        * dfg/DFGEdge.h:
        (JSC::DFG::Edge::sanitized):
        (JSC::DFG::Edge::hash):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::valueOfInt32Constant):
        * dfg/DFGInsertionSet.h:
        (JSC::DFG::InsertionSet::insertConstant):
        * dfg/DFGIntegerCheckCombiningPhase.cpp: Added.
        (JSC::DFG::IntegerCheckCombiningPhase::IntegerCheckCombiningPhase):
        (JSC::DFG::IntegerCheckCombiningPhase::run):
        (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
        (JSC::DFG::IntegerCheckCombiningPhase::rangeKeyAndAddend):
        (JSC::DFG::IntegerCheckCombiningPhase::isValid):
        (JSC::DFG::IntegerCheckCombiningPhase::insertAdd):
        (JSC::DFG::IntegerCheckCombiningPhase::insertMustAdd):
        (JSC::DFG::performIntegerCheckCombining):
        * dfg/DFGIntegerCheckCombiningPhase.h: Added.
        * dfg/DFGNode.h:
        (JSC::DFG::Node::willHaveCodeGenOrOSR):
        * dfg/DFGNodeType.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileAdd):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        (JSC::DFG::StrengthReductionPhase::handleCommutativity):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionFalse):
        * runtime/Identifier.h:
        * runtime/Intrinsic.h:
        * runtime/JSObject.h:
        * tests/stress/get-by-id-untyped.js: Added.
        (foo):
        * tests/stress/inverted-additive-subsumption.js: Added.
        (foo):
        * tests/stress/redundant-add-overflow-checks.js: Added.
        (foo):
        * tests/stress/redundant-array-bounds-checks-addition-skip-first.js: Added.
        (foo):
        (arraycmp):
        * tests/stress/redundant-array-bounds-checks-addition.js: Added.
        (foo):
        (arraycmp):
        * tests/stress/redundant-array-bounds-checks-unchecked-addition.js: Added.
        (foo):
        (arraycmp):
        * tests/stress/redundant-array-bounds-checks.js: Added.
        (foo):
        (arraycmp):
        * tests/stress/tricky-array-bounds-checks.js: Added.
        (foo):
        (arraycmp):

2014-02-13  Filip Pizlo  <fpizlo@apple.com>

        FTL should be OK with __compact_unwind in a data section
        https://bugs.webkit.org/show_bug.cgi?id=128756

        Reviewed by Mark Hahnenberg.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateCodeSection):
        (JSC::FTL::mmAllocateDataSection):

2014-02-13  Michael Saboff  <msaboff@apple.com>

        CStack Branch: VM::currentReturnThunkPC appears to be unused and should be removed
        https://bugs.webkit.org/show_bug.cgi?id=127205

        Reviewed by Geoffrey Garen.

        Removed unused references to VM::currentReturnThunkPC.

        * jit/ThunkGenerators.cpp:
        (JSC::arityFixup):
        * runtime/VM.h:

2014-02-13  Tamas Gergely  <tgergely.u-szeged@partner.samsung.com>

        Code cleanup: remove gcc<4.7 guards.
        https://bugs.webkit.org/show_bug.cgi?id=128729

        Reviewed by Anders Carlsson.

        Remove GCC_VERSION_AT_LEAST guards where they check for pre-4.7 versions,
        as WK does not compile with earlier gcc versions.

        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::cacheFlush):
        * interpreter/StackVisitor.cpp:
        (JSC::printif):

2014-02-12  Mark Lam  <mark.lam@apple.com>

        No need to save reservedZoneSize when dropping the JSLock.
        <https://webkit.org/b/128719>

        Reviewed by Geoffrey Garen.

        The reservedZoneSize does not change due to the VM being run on a different
        thread. Hence, there is no need to save and restore its value. Instead of
        calling updateReservedZoneSize() to update the stack limit, we now call
        setStackPointerAtVMEntry() to do the job. setStackPointerAtVMEntry()
        will update the stackPointerAtVMEntry and delegate to updateStackLimit() to
        update the stack limit based on the new stackPointerAtVMEntry.

        * runtime/ErrorHandlingScope.cpp:
        (JSC::ErrorHandlingScope::ErrorHandlingScope):
        (JSC::ErrorHandlingScope::~ErrorHandlingScope):
        - Previously, we initialized stackPointerAtVMEntry in VMEntryScope. This
          means that the stackPointerAtVMEntry may not be initialized when we
          instantiate the ErrorHandlingScope. And so, we needed to initialize the
          stackPointerAtVMEntry in the ErrorHandlingScope constructor if it's not
          already initialized.

          Now that we initialize the stackPointerAtVMEntry when we lock the VM JSLock,
          we are guaranteed that it will be initialized by the time we instantiate
          the ErrorHandlingScope. Hence, we can change the ErrorHandlingScope code
          to just assert that the stackPointerAtVMEntry is initialized instead.

        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        - We no longer need to save the reservedZoneSize. Remove the related code.

        * runtime/JSLock.cpp:
        (JSC::JSLock::lock):
        - When we grab the JSLock mutex for the first time, there is no reason why
          the stackPointerAtVMEntry should be initialized. By definition, grabbing
          the lock for the first time equates to entering the VM for the first time.
          Hence, we can just assert that stackPointerAtVMEntry is uninitialized,
          and initialize it unconditionally.

          The only exception to this is if we're locking to regrab the JSLock in
          grabAllLocks(), but grabAllLocks() will take care of restoring the
          stackPointerAtVMEntry in that case after lock() returns. stackPointerAtVMEntry
          should still be 0 when we've just locked the JSLock. So, the above assertion
          always holds true.

          Note: VM::setStackPointerAtVMEntry() will take care of calling
          VM::updateStackLimit() based on the new stackPointerAtVMEntry.

        - There is no need to save the reservedZoneSize. The reservedZoneSize is
          set to Options::reservedZoneSize() when the VM is initialized. Thereafter,
          the ErrorHandlingScope will change it to Options::errorModeReservedZoneSize()
          when we're handling an error, and it will restore it afterwards. There is
          no other reason we should be changing the reservedZoneSize. Hence, we can
          remove the unnecessary code to save it here.

        (JSC::JSLock::unlock):
        - Similarly, when the lockCount reaches 0 in unlock(), it is synonymous with
          exiting the VM. Hence, we should just clear the stackPointerAtVMEntry and
          update the stackLimit. Exiting the VM should have no effect on the VM
          reservedZoneSize. Hence, we can remove the unnecessary code to "restore" it.

        (JSC::JSLock::dropAllLocks):
        - When dropping locks, we do not need to save the reservedZoneSize because
1496           the reservedZoneSize should remain the same regardless of which thread
1497           we are executing JS on. Hence, we can remove the unnecessary code to save
1498           the reservedZoneSize here.
1499
1500         (JSC::JSLock::grabAllLocks):
1501         - When re-grabbing locks, restoring the stackPointerAtVMEntry via
1502           VM::setStackPointerAtVMEntry() will take care of updating the stack limit.
1503           As explained above, there's no need to save the reservedZoneSize. Hence,
1504           there's no need to "restore" it here.
1505
1506         * runtime/VM.cpp:
1507         (JSC::VM::VM):
1508         (JSC::VM::setStackPointerAtVMEntry):
1509         - Sets the stackPointerAtVMEntry and delegates to updateStackLimit() to update
1510           the stack limit based on the new stackPointerAtVMEntry.
1511         (JSC::VM::updateStackLimit):
1512         * runtime/VM.h:
1513         (JSC::VM::stackPointerAtVMEntry):
1514         - Renamed stackPointerAtVMEntry to m_stackPointerAtVMEntry and made it private.
1515           Added a stackPointerAtVMEntry() function to read the value.
1516
1517 2014-02-12  Mark Hahnenberg  <mhahnenberg@apple.com>
1518
1519         DelayedReleaseScope in MarkedAllocator::tryAllocateHelper is wrong
1520         https://bugs.webkit.org/show_bug.cgi?id=128641
1521
1522         Reviewed by Michael Saboff.
1523
1524         We were improperly handling the case where the DelayedReleaseScope
1525         in tryAllocateHelper would cause us to drop the API lock, allowing
1526         another thread to sneak in and allocate a new block after we had already
1527         concluded that there were no more blocks to allocate out of.
1528
1529         The fix is to call tryAllocateHelper in a loop until we know for sure
1530         that this did not happen.
1531
1532         There was also a race condition with the DelayedReleaseScope in addBlock.
1533         We would add the block to the MarkedBlock's list, sweep it, and then return,
1534         causing us to drop the API lock momentarily. Another thread could then
1535         grab the lock, and allocate out of the new block to the point where the
1536         free list was empty. Then we would return to the original thread, who thinks
1537         it's impossible to not allocate successfully at this point.
1538         Instead we should just let tryAllocate do all the hard work with correctly
1539         sweeping and getting a valid result.
1540
1541         There was another race condition in didFinishIterating. We would call resumeAllocating,
1542         which would create a DelayedReleaseScope. The DelayedReleaseScope would then release
1543         API lock before we set m_isIterating back to false, which would potentially confuse
1544         other threads.
1545
1546         * heap/MarkedAllocator.cpp:
1547         (JSC::MarkedAllocator::tryAllocateHelper):
1548         (JSC::MarkedAllocator::tryPopFreeList):
1549         (JSC::MarkedAllocator::tryAllocate):
1550         (JSC::MarkedAllocator::addBlock):
1551         * heap/MarkedAllocator.h:
1552
1553 2014-02-12  Brian Burg  <bburg@apple.com>
1554
1555         Web Replay: capture and replay nondeterminism of Date.now() and Math.random()
1556         https://bugs.webkit.org/show_bug.cgi?id=128633
1557
1558         Reviewed by Filip Pizlo.
1559
1560         Upstream the only two sources of script-visible nondeterminism in JavaScriptCore.
1561
1562         The random seed for WeakRandom is memoized when the owning JSGlobalObject is
1563         constructed. It is deterministically initialized during replay before any
1564         scripts execute with the global object.
1565
1566         The implementations of `Date.now()` and `new Date()` eventually obtain the
1567         current time from jsCurrentTime(). When capturing, we save return values of
1568         jsCurrentTime() into the recording. When replaying, we use memoized values from
1569         the recording instead of obtaining values from the platform-specific currentTime()
1570         implementation. No other code calls jsCurrentTime().
1571
1572         * DerivedSources.make: Add rules to make JSReplayInputs.h from JSInputs.json.
1573         * JavaScriptCore.xcodeproj/project.pbxproj:
1574         * replay/JSInputs.json: Added. Includes specifications for replay inputs
1575         "GetCurrentTime" and "SetRandomSeed". Tests will be added for both input
1576         cases once sufficient replay machinery has been added.
1577
1578         * replay/NondeterministicInput.h: NondeterministicInput should not have
1579         been marked 'final'.
1580
1581         * runtime/DateConstructor.cpp:
1582         (JSC::deterministicCurrentTime): Added. Load or store the current time depending
1583         on what kind of InputCursor is attached to the JSGlobalObject.
1584
1585         (JSC::constructDate): Use deterministicCurrentTime().
1586         (JSC::dateNow): Use deterministicCurrentTime().
1587         * runtime/JSGlobalObject.cpp:
1588         (JSC::JSGlobalObject::setInputCursor): When setting a non-empty input cursor,
1589         immediately store or load the "SetRandomSeed" input and initialize WeakRandom's
1590         random seed with it. The input cursor (and thus random seed) must be set before
1591         any scripts are evaluated with this JSGlobalObject.
1592
1593         * runtime/WeakRandom.h:
1594         (JSC::WeakRandom::WeakRandom): Add JSGlobalObject as a friend class.
1595         (JSC::WeakRandom::initializeSeed): Extract the seed initialization into a
1596         separate method so it can be called outside of the JSGlobalObject constructor.
1597
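        The capture/replay scheme described in this entry, as an added example that is not JSC's replay code: a toy InputCursor that stores platform values while capturing and serves them back while replaying, with the "SetRandomSeed" input consumed as soon as the cursor is attached and "GetCurrentTime" consumed on every clock read. The names follow the ChangeLog; the LCG standing in for WeakRandom and the recording format are this example's own assumptions.

```javascript
"use strict";

// Toy InputCursor (constructed for this example, not JSC's class): a recording is an
// ordered list of { type, value } inputs; capturing appends, replaying consumes.
class InputCursor {
  constructor(mode, recording = []) {
    this.mode = mode;            // "capturing" or "replaying"
    this.recording = recording;
    this.position = 0;           // next input to serve while replaying
  }
  isCapturing() { return this.mode === "capturing"; }
  // Store the platform-produced value while capturing, or load the memoized one while
  // replaying. A type mismatch means the replayed script diverged from the recording.
  loadOrStore(type, produceValue) {
    if (this.isCapturing()) {
      const value = produceValue();
      this.recording.push({ type, value });
      return value;
    }
    const input = this.recording[this.position++];
    if (!input || input.type !== type)
      throw new Error(`replay divergence: expected ${type} at input ${this.position - 1}`);
    return input.value;
  }
}

// Stand-in for WeakRandom: a 32-bit LCG seeded once (constructed; not JSC's generator).
class WeakRandom {
  constructor() { this.state = 0; }
  initializeSeed(seed) { this.state = seed >>> 0; }
  get() {
    this.state = (Math.imul(this.state, 1664525) + 1013904223) >>> 0;
    return this.state / 0x100000000;    // in [0, 1)
  }
}

// Stand-in for JSGlobalObject: owns the random source and the attached cursor.
class GlobalObject {
  constructor() { this.weakRandom = new WeakRandom(); this.inputCursor = null; }
  // Mirrors the described setInputCursor(): the seed is stored or loaded immediately,
  // so it is fixed before any script can observe Math.random().
  setInputCursor(cursor) {
    this.inputCursor = cursor;
    const seed = cursor.loadOrStore("SetRandomSeed", () => (Math.random() * 0x100000000) >>> 0);
    this.weakRandom.initializeSeed(seed);
  }
  // Mirrors deterministicCurrentTime(): the platform clock is consulted only while capturing.
  currentTime() {
    if (!this.inputCursor) return Date.now();
    return this.inputCursor.loadOrStore("GetCurrentTime", () => Date.now());
  }
  random() { return this.weakRandom.get(); }
}

// A "script" that observes both sources of nondeterminism a few times.
function runScript(globalObject) {
  const observed = [];
  for (let i = 0; i < 3; i++) observed.push(globalObject.currentTime(), globalObject.random());
  return observed;
}

// Capture one run, then replay it into a fresh global object: both observation
// sequences must be identical, and the recording holds 1 seed + 3 clock reads.
function captureAndReplay() {
  const recording = [];
  const captured = new GlobalObject();
  captured.setInputCursor(new InputCursor("capturing", recording));
  const first = runScript(captured);
  const replayed = new GlobalObject();
  replayed.setInputCursor(new InputCursor("replaying", recording));
  const second = runScript(replayed);
  return { first, second, recordingLength: recording.length };
}

// A recording that runs out of inputs (or has the wrong type next) must fail loudly
// rather than silently falling back to the platform clock.
function replayDivergenceIsDetected() {
  const truncated = [{ type: "SetRandomSeed", value: 42 }];
  const g = new GlobalObject();
  g.setInputCursor(new InputCursor("replaying", truncated));
  try { g.currentTime(); return false; } catch (e) { return /replay divergence/.test(e.message); }
}
```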
1598 2014-02-12  Joseph Pecoraro  <pecoraro@apple.com>
1599
1600         Web Inspector: Cleanup JavaScriptCore/inspector
1601         https://bugs.webkit.org/show_bug.cgi?id=128662
1602
1603         Reviewed by Timothy Hatcher.
1604
1605         Now that the code has settled, do a cleanup pass.
1606
1607         * inspector/ContentSearchUtilities.cpp:
1608         * inspector/InspectorValues.cpp:
1609         (Inspector::InspectorValue::asObject):
1610         (Inspector::InspectorValue::asArray):
1611         (Inspector::InspectorValue::parseJSON):
1612         (Inspector::InspectorObjectBase::getObject):
1613         (Inspector::InspectorObjectBase::getArray):
1614         (Inspector::InspectorObjectBase::get):
1615         * inspector/ScriptCallStackFactory.cpp:
1616         * inspector/ScriptDebugServer.cpp:
1617         * inspector/agents/JSGlobalObjectConsoleAgent.h:
1618
1619 2014-02-12  Ryosuke Niwa  <rniwa@webkit.org>
1620
1621         Windows build fix attempt after r163960.
1622
1623         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1624         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1625
1626 2014-02-12  Michael Saboff  <msaboff@apple.com>
1627
1628         Adjust VM::stackLimit based on the size of the largest FTL stack produced
1629         https://bugs.webkit.org/show_bug.cgi?id=128562
1630
1631         Reviewed by Mark Lam.
1632
1633         Added VM::m_largestFTLStackSize to track the largest stack size of an FTL compiled
1634         function. Added VM::m_ftlStackLimit for FTL functions stack limit.  Renamed
1635         VM::updateStackLimitWithReservedZoneSize to VM::updateReservedZoneSize.  Renamed
1636         VM::setStackLimit to VM::updateStackLimit and changed it to do the updating of the
1637         stack limits, including taking into account m_largestFTLStackSize.
1638
1639         * ftl/FTLJITFinalizer.cpp:
1640         (JSC::FTL::JITFinalizer::finalizeFunction):
1641         * runtime/ErrorHandlingScope.cpp:
1642         (JSC::ErrorHandlingScope::ErrorHandlingScope):
1643         (JSC::ErrorHandlingScope::~ErrorHandlingScope):
1644         * runtime/JSLock.cpp:
1645         (JSC::JSLock::lock):
1646         (JSC::JSLock::unlock):
1647         (JSC::JSLock::grabAllLocks):
1648         * runtime/VM.cpp:
1649         (JSC::VM::VM):
1650         (JSC::VM::updateReservedZoneSize):
1651         (JSC::VM::updateStackLimit):
1652         (JSC::VM::updateFTLLargestStackSize):
1653         * runtime/VM.h:
1654
1655 2014-02-11  Oliver Hunt  <oliver@apple.com>
1656
1657         Make it possible to implement JS builtins in JS
1658         https://bugs.webkit.org/show_bug.cgi?id=127887
1659
1660         Reviewed by Michael Saboff.
1661
1662         This patch makes it possible to write builtin functions in JS.
1663         The bindings, generators, and definitions are all created automatically
1664         based on js files in the builtins/ directory.  This patch includes one
1665         such case: Array.prototype.js with an implementation of every().
1666
1667         There's a lot of refactoring to make it possible for CommonIdentifiers
1668         to include the output of the generated files (DerivedSources/JSCBuiltins.{h,cpp})
1669         without breaking the offset extractor. The result of this refactoring
1670         is that CommonIdentifiers, and a few other miscellaneous headers now
1671         need to be included directly as they were formerly captured through other
1672         paths.
1673
1674         In addition this adds a flag to the Lookup table's hashentry to indicate
1675         that a static function is actually backed by JS. There is then a lot of
1676         logic to thread the special nature of the function to where it matters.
1677         This allows toString(), .caller, etc to mimic the behaviour of a host
1678         function.
1679
1680         Notes on writing builtins:
1681          - Each function is compiled independently of the others, and those
1682            implementations cannot currently capture all global properties (as
1683            that could be potentially unsafe). If a function does capture a
1684            global we will deliberately crash.
1685          - For those "global" properties that we do want access to, we use
1686            the @ prefix, e.g. Object(this) becomes @Object(this). The @ identifiers
1687            are private names, and behave just like regular properties, only
1688            without the risk of adulteration. Again, in the @Object case, we
1689            explicitly duplicate the ObjectConstructor reference on the GlobalObject
1690            so that we have guaranteed access to the original version of the
1691            constructor.
1692          - call, apply, eval, and Function are all rejected identifiers, again
1693            to prevent anything from accidentally using an adulterated object.
1694            Instead @call and @apply are available, and happily they completely
1695            drop the neq_ptr instruction as they're defined as always being the
1696            original call/apply functions.
1697
1698         These restrictions are just intended to make it harder to accidentally
1699         make changes that are incorrect (for instance calling whatever has been
1700         assigned to global.Object, instead of the original constructor function).
1701         However, making a mistake like this should result in a purely semantic
1702         error as fundamentally these functions are treated as though they were
1703         regular JS code in the host global, and have no more privileges than
1704         any other JS.
1705
1706         The initial proof of concept is Array.prototype.every, this shows a 65%
1707         performance improvement, and that improvement is significantly hurt by
1708         our poor optimisation of op_in.
1709
1710         As this is such a limited function, we have not yet exported all symbols
1711         that we could possibly need, but as we implement more, the likelihood
1712         of encountering missing features will reduce.
1713
1714
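        As an added example (not JSC's builtins/Array.prototype.js, which this entry does not reproduce): an every() written in the style the notes above describe, with references captured at definition time standing in for the @-prefixed private names, next to a naive version that resolves Object and Function.prototype.call at call time. The check at the end temporarily reassigns those globals (restoring them afterwards) to show which implementation is reached by the reassignment. All names here are this example's own.

```javascript
"use strict";

// Captured intrinsics: stand-ins for @Object, @TypeError and @call. JSC's builtin
// parser resolves @-names to the original objects; plain JS has to capture them.
const OriginalObject = Object;
const OriginalTypeError = TypeError;
// "uncurryThis": callFn(fn, thisArg, ...args) === fn.call(thisArg, ...args), but it
// never looks up Function.prototype.call again, so a later reassignment cannot reach it.
const callFn = Function.prototype.call.bind(Function.prototype.call);

// Builtin-style every(): only captured references, ES5-style ToUint32 length,
// holes skipped with the `in` check the entry mentions (op_in).
function builtinEvery(thisValue, callback, thisArg) {
  if (thisValue == null)
    throw new OriginalTypeError("Array.prototype.every requires that |this| not be null or undefined");
  const array = OriginalObject(thisValue);
  const length = array.length >>> 0;
  if (typeof callback !== "function")
    throw new OriginalTypeError("Array.prototype.every callback must be a function");
  for (let i = 0; i < length; i++) {
    if (!(i in array)) continue;
    if (!callFn(callback, thisArg, array[i], i, array)) return false;
  }
  return true;
}

// Naive polyfill: `Object` and `callback.call` are resolved at call time, which is the
// "whatever has been assigned to global.Object" problem the entry describes.
function naiveEvery(thisValue, callback, thisArg) {
  const array = Object(thisValue);
  const length = array.length >>> 0;
  for (let i = 0; i < length; i++) {
    if (i in array && !callback.call(thisArg, array[i], i, array)) return false;
  }
  return true;
}

// Run fn while globalThis.Object and Function.prototype.call are wrapped by
// forwarding versions that only record whether they were reached; always restore.
function withAdulteratedGlobals(fn) {
  const seen = { callIntercepted: false, objectIntercepted: false };
  const savedCall = Function.prototype.call;
  const savedObject = globalThis.Object;
  Function.prototype.call = function (...args) { seen.callIntercepted = true; return callFn(this, ...args); };
  globalThis.Object = function (v) { seen.objectIntercepted = true; return OriginalObject(v); };
  try { fn(); } finally {
    Function.prototype.call = savedCall;
    globalThis.Object = savedObject;
  }
  return seen;
}

// Expected: the naive version is reached through both reassigned globals,
// the builtin-style version through neither.
function checkRobustness() {
  const isPositive = (x) => x > 0;
  const naive = withAdulteratedGlobals(() => naiveEvery([1, 2, 3], isPositive));
  const hardened = withAdulteratedGlobals(() => builtinEvery([1, 2, 3], isPositive));
  return { naive, hardened };
}
```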
1715         * API/JSCallbackObjectFunctions.h:
1716         (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
1717         (JSC::JSCallbackObject<Parent>::put):
1718         (JSC::JSCallbackObject<Parent>::deleteProperty):
1719         (JSC::JSCallbackObject<Parent>::getStaticValue):
1720         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
1721         (JSC::JSCallbackObject<Parent>::callbackGetter):
1722         * CMakeLists.txt:
1723         * DerivedSources.make:
1724         * GNUmakefile.am:
1725         * GNUmakefile.list.am:
1726         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1727         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1728         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
1729         * JavaScriptCore.vcxproj/copy-files.cmd:
1730         * JavaScriptCore.xcodeproj/project.pbxproj:
1731         * builtins/Array.prototype.js:
1732         (every):
1733         * builtins/BuiltinExecutables.cpp: Added.
1734         (JSC::BuiltinExecutables::BuiltinExecutables):
1735         (JSC::BuiltinExecutables::createBuiltinExecutable):
1736         * builtins/BuiltinExecutables.h:
1737         (JSC::BuiltinExecutables::create):
1738         * builtins/BuiltinNames.h: Added.
1739         (JSC::BuiltinNames::BuiltinNames):
1740         (JSC::BuiltinNames::getPrivateName):
1741         (JSC::BuiltinNames::getPublicName):
1742         * bytecode/CodeBlock.cpp:
1743         (JSC::CodeBlock::CodeBlock):
1744         * bytecode/UnlinkedCodeBlock.cpp:
1745         (JSC::generateFunctionCodeBlock):
1746         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1747         (JSC::UnlinkedFunctionExecutable::codeBlockFor):
1748         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1749         * bytecode/UnlinkedCodeBlock.h:
1750         (JSC::ExecutableInfo::ExecutableInfo):
1751         (JSC::UnlinkedFunctionExecutable::create):
1752         (JSC::UnlinkedFunctionExecutable::toStrictness):
1753         (JSC::UnlinkedFunctionExecutable::isBuiltinFunction):
1754         (JSC::UnlinkedCodeBlock::isBuiltinFunction):
1755         * bytecompiler/BytecodeGenerator.cpp:
1756         (JSC::BytecodeGenerator::BytecodeGenerator):
1757         * bytecompiler/BytecodeGenerator.h:
1758         (JSC::BytecodeGenerator::isBuiltinFunction):
1759         (JSC::BytecodeGenerator::makeFunction):
1760         * bytecompiler/NodesCodegen.cpp:
1761         (JSC::CallFunctionCallDotNode::emitBytecode):
1762         (JSC::ApplyFunctionCallDotNode::emitBytecode):
1763         * create_hash_table:
1764         * generate-js-builtins: Added.
1765         (getCopyright):
1766         (getFunctions):
1767         (generateCode):
1768         (mangleName):
1769         (FunctionExecutable):
1770         (Identifier):
1771         (JSGlobalObject):
1772         (SourceCode):
1773         (UnlinkedFunctionExecutable):
1774         (VM):
1775         * interpreter/CachedCall.h:
1776         (JSC::CachedCall::CachedCall):
1777         * parser/ASTBuilder.h:
1778         (JSC::ASTBuilder::makeFunctionCallNode):
1779         * parser/Lexer.cpp:
1780         (JSC::Lexer<T>::Lexer):
1781         (JSC::isSafeBuiltinIdentifier):
1782         (JSC::Lexer<LChar>::parseIdentifier):
1783         (JSC::Lexer<UChar>::parseIdentifier):
1784         (JSC::Lexer<T>::lex):
1785         * parser/Lexer.h:
1786         (JSC::isSafeIdentifier):
1787         (JSC::Lexer<T>::lexExpectIdentifier):
1788         * parser/Nodes.cpp:
1789         (JSC::ProgramNode::setClosedVariables):
1790         * parser/Nodes.h:
1791         (JSC::ScopeNode::capturedVariables):
1792         (JSC::ScopeNode::setClosedVariables):
1793         (JSC::ProgramNode::closedVariables):
1794         * parser/Parser.cpp:
1795         (JSC::Parser<LexerType>::Parser):
1796         (JSC::Parser<LexerType>::parseInner):
1797         (JSC::Parser<LexerType>::didFinishParsing):
1798         (JSC::Parser<LexerType>::printUnexpectedTokenText):
1799         * parser/Parser.h:
1800         (JSC::Scope::getUsedVariables):
1801         (JSC::Parser::closedVariables):
1802         (JSC::parse):
1803         * parser/ParserModes.h:
1804         * parser/ParserTokens.h:
1805         * runtime/ArrayPrototype.cpp:
1806         * runtime/CodeCache.cpp:
1807         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
1808         * runtime/CommonIdentifiers.cpp:
1809         (JSC::CommonIdentifiers::CommonIdentifiers):
1810         (JSC::CommonIdentifiers::~CommonIdentifiers):
1811         (JSC::CommonIdentifiers::getPrivateName):
1812         (JSC::CommonIdentifiers::getPublicName):
1813         * runtime/CommonIdentifiers.h:
1814         (JSC::CommonIdentifiers::builtinNames):
1815         * runtime/ExceptionHelpers.cpp:
1816         (JSC::createUndefinedVariableError):
1817         * runtime/Executable.h:
1818         (JSC::EvalExecutable::executableInfo):
1819         (JSC::ProgramExecutable::executableInfo):
1820         (JSC::FunctionExecutable::isBuiltinFunction):
1821         * runtime/FunctionPrototype.cpp:
1822         (JSC::functionProtoFuncToString):
1823         * runtime/JSActivation.cpp:
1824         (JSC::JSActivation::symbolTableGet):
1825         (JSC::JSActivation::symbolTablePut):
1826         (JSC::JSActivation::symbolTablePutWithAttributes):
1827         * runtime/JSFunction.cpp:
1828         (JSC::JSFunction::createBuiltinFunction):
1829         (JSC::JSFunction::calculatedDisplayName):
1830         (JSC::JSFunction::sourceCode):
1831         (JSC::JSFunction::isHostOrBuiltinFunction):
1832         (JSC::JSFunction::isBuiltinFunction):
1833         (JSC::JSFunction::callerGetter):
1834         (JSC::JSFunction::getOwnPropertySlot):
1835         (JSC::JSFunction::getOwnNonIndexPropertyNames):
1836         (JSC::JSFunction::put):
1837         (JSC::JSFunction::defineOwnProperty):
1838         * runtime/JSFunction.h:
1839         * runtime/JSFunctionInlines.h:
1840         (JSC::JSFunction::nativeFunction):
1841         (JSC::JSFunction::nativeConstructor):
1842         (JSC::isHostFunction):
1843         * runtime/JSGlobalObject.cpp:
1844         (JSC::JSGlobalObject::reset):
1845         (JSC::JSGlobalObject::visitChildren):
1846         * runtime/JSGlobalObject.h:
1847         (JSC::JSGlobalObject::objectConstructor):
1848         (JSC::JSGlobalObject::symbolTableHasProperty):
1849         * runtime/JSObject.cpp:
1850         (JSC::getClassPropertyNames):
1851         (JSC::JSObject::reifyStaticFunctionsForDelete):
1852         (JSC::JSObject::putDirectBuiltinFunction):
1853         * runtime/JSObject.h:
1854         * runtime/JSSymbolTableObject.cpp:
1855         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
1856         * runtime/JSSymbolTableObject.h:
1857         (JSC::symbolTableGet):
1858         (JSC::symbolTablePut):
1859         (JSC::symbolTablePutWithAttributes):
1860         * runtime/Lookup.cpp:
1861         (JSC::setUpStaticFunctionSlot):
1862         * runtime/Lookup.h:
1863         (JSC::HashEntry::builtinGenerator):
1864         (JSC::HashEntry::propertyGetter):
1865         (JSC::HashEntry::propertyPutter):
1866         (JSC::HashTable::entry):
1867         (JSC::getStaticPropertySlot):
1868         (JSC::getStaticValueSlot):
1869         (JSC::putEntry):
1870         * runtime/NativeErrorConstructor.cpp:
1871         (JSC::NativeErrorConstructor::finishCreation):
1872         * runtime/NativeErrorConstructor.h:
1873         * runtime/PropertySlot.h:
1874         * runtime/VM.cpp:
1875         (JSC::VM::VM):
1876         * runtime/VM.h:
1877         (JSC::VM::builtinExecutables):
1878
1879 2014-02-11  Brent Fulgham  <bfulgham@apple.com>
1880
1881         Remove some unintended copies in ranged for loops
1882         https://bugs.webkit.org/show_bug.cgi?id=128644
1883
1884         Reviewed by Anders Carlsson.
1885
1886         * inspector/InjectedScriptHost.cpp:
1887         (Inspector::InjectedScriptHost::clearAllWrappers): Avoid creating/destroying
1888         a std::pair<> and pointer each loop iteration.
1889         * parser/Parser.cpp:
1890         (JSC::Parser<LexerType>::Parser): Avoid copying object containing a string
1891         each loop iteration.
1892
1893 2014-02-11  Ryosuke Niwa  <rniwa@webkit.org>
1894
1895         Debug build fix after r163946.
1896
1897         * dfg/DFGByteCodeParser.cpp:
1898         (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
1899
1900 2014-02-11  Filip Pizlo  <fpizlo@apple.com>
1901
1902         Inserting a node with a codeOrigin "like" another node should copy both the codeOrigin and codeOriginForExitTarget
1903         https://bugs.webkit.org/show_bug.cgi?id=128635
1904
1905         Reviewed by Michael Saboff.
1906         
1907         Originally nodes just had a codeOrigin. But then we started doing code motion, and we
1908         needed to separate the codeOrigin that designated where to exit from the codeOrigin
1909         that designated everything else. The "everything else" is actually pretty important:
1910         it includes profiling, exception handling, and the actual semantics of the node. For
1911         example some nodes use the origin's global object in some way.
1912         
1913         This all sort of worked except for one quirk: the facilities for creating nodes all
1914         assumed that there really was only one origin. LICM would work around this by setting
1915         the codeOriginForExitTarget manually. But, that means that:
1916         
1917         - If we did hoist a node twice, then the second time around, we would forget the node's
1918           original exit target.
1919         
1920         - If we did an insertNode() to insert a node before a hoisted node, the inserted node
1921           would have the wrong exit target.
1922         
1923         Most of the time, if we copy the code origin, we actually want to copy both origins.
1924         So, this patch introduces the notion of a NodeOrigin which has two CodeOrigins: a
1925         forExit code origin that says where to exit, and a semantic code origin for everything
1926         else.
1927         
1928         This also (annoyingly?) means that we are always more explicit about which code origin
1929         we refer to. That means that a lot of "node->codeOrigin" expressions had to change to
1930         "node->origin.semantic". This was partly a ploy on my part to ensure that this
1931         refactoring was complete: to get the code to compile I really had to audit all uses of
1932         CodeOrigin. If, in the future, we find that "node->origin.semantic" is too cumbersome
1933         then we can reintroduce the Node::codeOrigin field. For now I kinda like it though.
1934
1935         * GNUmakefile.list.am:
1936         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1937         * JavaScriptCore.xcodeproj/project.pbxproj:
1938         * dfg/DFGAbstractInterpreterInlines.h:
1939         (JSC::DFG::AbstractInterpreter<AbstractStateType>::booleanResult):
1940         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1941         * dfg/DFGArgumentsSimplificationPhase.cpp:
1942         (JSC::DFG::ArgumentsSimplificationPhase::run):
1943         (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
1944         (JSC::DFG::ArgumentsSimplificationPhase::observeProperArgumentsUse):
1945         (JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize):
1946         * dfg/DFGArrayMode.cpp:
1947         (JSC::DFG::ArrayMode::originalArrayStructure):
1948         (JSC::DFG::ArrayMode::alreadyChecked):
1949         * dfg/DFGByteCodeParser.cpp:
1950         (JSC::DFG::ByteCodeParser::addToGraph):
1951         * dfg/DFGCFGSimplificationPhase.cpp:
1952         (JSC::DFG::CFGSimplificationPhase::run):
1953         (JSC::DFG::CFGSimplificationPhase::convertToJump):
1954         (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
1955         (JSC::DFG::CFGSimplificationPhase::jettisonBlock):
1956         (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
1957         * dfg/DFGCPSRethreadingPhase.cpp:
1958         (JSC::DFG::CPSRethreadingPhase::addPhiSilently):
1959         (JSC::DFG::CPSRethreadingPhase::addPhi):
1960         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
1961         (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
1962         (JSC::DFG::CPSRethreadingPhase::propagatePhis):
1963         * dfg/DFGCSEPhase.cpp:
1964         (JSC::DFG::CSEPhase::setLocalStoreElimination):
1965         * dfg/DFGClobberize.h:
1966         (JSC::DFG::clobberize):
1967         * dfg/DFGCommonData.cpp:
1968         (JSC::DFG::CommonData::notifyCompilingStructureTransition):
1969         * dfg/DFGConstantFoldingPhase.cpp:
1970         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1971         (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
1972         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
1973         (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
1974         * dfg/DFGDCEPhase.cpp:
1975         (JSC::DFG::DCEPhase::fixupBlock):
1976         * dfg/DFGDisassembler.cpp:
1977         (JSC::DFG::Disassembler::createDumpList):
1978         * dfg/DFGFixupPhase.cpp:
1979         (JSC::DFG::FixupPhase::fixupNode):
1980         (JSC::DFG::FixupPhase::createToString):
1981         (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion):
1982         (JSC::DFG::FixupPhase::convertStringAddUse):
1983         (JSC::DFG::FixupPhase::fixupToPrimitive):
1984         (JSC::DFG::FixupPhase::fixupToString):
1985         (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
1986         (JSC::DFG::FixupPhase::checkArray):
1987         (JSC::DFG::FixupPhase::blessArrayOperation):
1988         (JSC::DFG::FixupPhase::fixEdge):
1989         (JSC::DFG::FixupPhase::insertStoreBarrier):
1990         (JSC::DFG::FixupPhase::fixIntEdge):
1991         (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
1992         (JSC::DFG::FixupPhase::truncateConstantToInt32):
1993         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
1994         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
1995         (JSC::DFG::FixupPhase::convertToGetArrayLength):
1996         (JSC::DFG::FixupPhase::prependGetArrayLength):
1997         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
1998         (JSC::DFG::FixupPhase::addPhantomsIfNecessary):
1999         * dfg/DFGGraph.cpp:
2000         (JSC::DFG::Graph::dumpCodeOrigin):
2001         (JSC::DFG::Graph::amountOfNodeWhiteSpace):
2002         (JSC::DFG::Graph::dump):
2003         (JSC::DFG::Graph::dumpBlockHeader):
2004         * dfg/DFGGraph.h:
2005         (JSC::DFG::Graph::hasExitSite):
2006         (JSC::DFG::Graph::valueProfileFor):
2007         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2008         * dfg/DFGInvalidationPointInjectionPhase.cpp:
2009         (JSC::DFG::InvalidationPointInjectionPhase::handle):
2010         (JSC::DFG::InvalidationPointInjectionPhase::insertInvalidationCheck):
2011         * dfg/DFGLICMPhase.cpp:
2012         (JSC::DFG::LICMPhase::attemptHoist):
2013         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
2014         (JSC::DFG::createPreHeader):
2015         * dfg/DFGNode.h:
2016         (JSC::DFG::Node::Node):
2017         (JSC::DFG::Node::isStronglyProvedConstantIn):
2018         * dfg/DFGNodeOrigin.h: Added.
2019         (JSC::DFG::NodeOrigin::NodeOrigin):
2020         (JSC::DFG::NodeOrigin::isSet):
2021         * dfg/DFGOSREntrypointCreationPhase.cpp:
2022         (JSC::DFG::OSREntrypointCreationPhase::run):
2023         * dfg/DFGResurrectionForValidationPhase.cpp:
2024         (JSC::DFG::ResurrectionForValidationPhase::run):
2025         * dfg/DFGSSAConversionPhase.cpp:
2026         (JSC::DFG::SSAConversionPhase::run):
2027         * dfg/DFGSSALoweringPhase.cpp:
2028         (JSC::DFG::SSALoweringPhase::handleNode):
2029         (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
2030         * dfg/DFGSpeculativeJIT.cpp:
2031         (JSC::DFG::SpeculativeJIT::compileIn):
2032         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2033         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
2034         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
2035         * dfg/DFGSpeculativeJIT.h:
2036         (JSC::DFG::SpeculativeJIT::masqueradesAsUndefinedWatchpointIsStillValid):
2037         (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck):
2038         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
2039         (JSC::DFG::SpeculativeJIT::appendCallSetResult):
2040         (JSC::DFG::SpeculativeJIT::appendCall):
2041         (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
2042         * dfg/DFGSpeculativeJIT32_64.cpp:
2043         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
2044         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
2045         (JSC::DFG::SpeculativeJIT::emitCall):
2046         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
2047         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
2048         (JSC::DFG::SpeculativeJIT::compile):
2049         * dfg/DFGSpeculativeJIT64.cpp:
2050         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
2051         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
2052         (JSC::DFG::SpeculativeJIT::emitCall):
2053         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
2054         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
2055         (JSC::DFG::SpeculativeJIT::compile):
2056         * dfg/DFGStrengthReductionPhase.cpp:
2057         (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild):
2058         (JSC::DFG::StrengthReductionPhase::prepareToFoldTypedArray):
2059         * dfg/DFGTierUpCheckInjectionPhase.cpp:
2060         (JSC::DFG::TierUpCheckInjectionPhase::run):
2061         * dfg/DFGTypeCheckHoistingPhase.cpp:
2062         (JSC::DFG::TypeCheckHoistingPhase::run):
2063         * dfg/DFGValidate.cpp:
2064         (JSC::DFG::Validate::validateSSA):
2065         * dfg/DFGWatchpointCollectionPhase.cpp:
2066         (JSC::DFG::WatchpointCollectionPhase::handle):
2067         (JSC::DFG::WatchpointCollectionPhase::handleEdge):
2068         (JSC::DFG::WatchpointCollectionPhase::handleMasqueradesAsUndefined):
2069         (JSC::DFG::WatchpointCollectionPhase::globalObject):
2070         * ftl/FTLJSCall.cpp:
2071         (JSC::FTL::JSCall::link):
2072         * ftl/FTLLink.cpp:
2073         (JSC::FTL::link):
2074         * ftl/FTLLowerDFGToLLVM.cpp:
2075         (JSC::FTL::LowerDFGToLLVM::compileNode):
2076         (JSC::FTL::LowerDFGToLLVM::compileToThis):
2077         (JSC::FTL::LowerDFGToLLVM::compilePutById):
2078         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2079         (JSC::FTL::LowerDFGToLLVM::compileNewArray):
2080         (JSC::FTL::LowerDFGToLLVM::compileNewArrayBuffer):
2081         (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
2082         (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
2083         (JSC::FTL::LowerDFGToLLVM::compileGetMyScope):
2084         (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated):
2085         (JSC::FTL::LowerDFGToLLVM::getById):
2086         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
2087         (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructure):
2088         (JSC::FTL::LowerDFGToLLVM::masqueradesAsUndefinedWatchpointIsStillValid):
2089         (JSC::FTL::LowerDFGToLLVM::callPreflight):
2090
2091 2014-02-11  Filip Pizlo  <fpizlo@apple.com>
2092
2093         Fix assertions and incorrect codegen for CompareEq(ObjectOrOther:, Object:)
2094         https://bugs.webkit.org/show_bug.cgi?id=128648
2095
2096         Reviewed by Mark Lam.
2097         
2098         I did CompareEq(Object:, ObjectOrOther:) correctly but the flipped version wrong.
2099         That's what I get for running tests in release mode. It's hard to write a test for
2100         the incorrect codegen; that's kind of why the assertions are there.
2101
2102         * ftl/FTLLowerDFGToLLVM.cpp:
2103         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
2104
2105 2014-02-11  Filip Pizlo  <fpizlo@apple.com>
2106
2107         Unreviewed, trivial change to silence FTL assertions
2108
2109         Normally, lowJSValue() should only be used for UntypedUse. Here we are using it
2110         on ObjectOrOtherUse because we execute the speculation ourselves. The way you're
2111         supposed to do this is by passing ManualOperandSpeculation to tell lowJSValue() not
2112         to assert.
2113
2114         * ftl/FTLLowerDFGToLLVM.cpp:
2115         (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
2116
2117 2014-02-11  Filip Pizlo  <fpizlo@apple.com>
2118
2119         Use LLVM's dead store elimination
2120         https://bugs.webkit.org/show_bug.cgi?id=128638
2121
2122         Reviewed by Mark Hahnenberg.
2123         
2124         DFG's store elimination was being run too soon for comfort on the FTL path. It's
2125         really only sound when run after all other optimizations. Remove it from the FTL
2126         path.
2127         
2128         Enable LLVM store elimination. It's both easier to reason about and more
2129         comprehensive.
2130
2131         * dfg/DFGPlan.cpp:
2132         (JSC::DFG::Plan::compileInThreadImpl):
2133         * ftl/FTLCompile.cpp:
2134         (JSC::FTL::compile):
2135
2136 2014-02-11  Brian Burg  <bburg@apple.com>
2137
2138         Web Replay: upstream replay input code generator and EncodedValue class
2139         https://bugs.webkit.org/show_bug.cgi?id=128215
2140
2141         Reviewed by Joseph Pecoraro.
2142
2143         Add the replay inputs code generator. Most features of the input generator are
2144         exercised by included generator regression tests, which produce useful but
2145         non-compilable test replay inputs.
2146
2147         Add EncodedValue, the main replay input serialization class that encodes and
2148         decodes inputs and their data between C++ types and the JSON-based replay recording
2149         format. EncodedValue uses EncodingTraits specializations for type-specific encoding.
2150         Relative to other WebKit marshalling mechanisms, EncodedValue is key/value based.
2151         EncodedValue uses InspectorValue subclasses as its backing data structure.
2152
2153         Add some missing numerical conversions to InspectorValue.
2154
2155         * JavaScriptCore.xcodeproj/project.pbxproj:
2156         * inspector/InspectorValues.cpp:
2157         (Inspector::InspectorValue::asNumber):
2158         (Inspector::InspectorBasicValue::asNumber):
2159         * inspector/InspectorValues.h:
2160         * replay/EncodedValue.cpp: Added.
2161         (JSC::EncodedValue::asObject):
2162         (JSC::EncodedValue::asArray):
2163         (JSC::ScalarEncodingTraits<bool>::encodeValue):
2164         (JSC::ScalarEncodingTraits<double>::encodeValue):
2165         (JSC::ScalarEncodingTraits<float>::encodeValue):
2166         (JSC::ScalarEncodingTraits<int32_t>::encodeValue):
2167         (JSC::ScalarEncodingTraits<int64_t>::encodeValue):
2168         (JSC::ScalarEncodingTraits<uint32_t>::encodeValue):
2169         (JSC::ScalarEncodingTraits<uint64_t>::encodeValue):
2170         (JSC::long>::encodeValue):
2171         (JSC::EncodedValue::convertTo<bool>):
2172         (JSC::EncodedValue::convertTo<double>):
2173         (JSC::EncodedValue::convertTo<float>):
2174         (JSC::EncodedValue::convertTo<int32_t>):
2175         (JSC::EncodedValue::convertTo<int64_t>):
2176         (JSC::EncodedValue::convertTo<uint32_t>):
2177         (JSC::EncodedValue::convertTo<uint64_t>):
2178         (JSC::long>):
2179         (JSC::EncodedValue::convertTo<String>):
2180         (JSC::EncodedValue::put<EncodedValue>):
2181         (JSC::EncodedValue::append<EncodedValue>):
2182         (JSC::EncodedValue::get<EncodedValue>):
2183         * replay/EncodedValue.h: Added.
2184         (JSC::EncodedValue::EncodedValue):
2185         (JSC::EncodedValue::createObject):
2186         (JSC::EncodedValue::createArray):
2187         (JSC::EncodedValue::createString):
2188         (JSC::EncodedValue::~EncodedValue):
2189         (JSC::ScalarEncodingTraits::decodeValue):
2190         (JSC::EncodingTraits<String>::encodeValue):
2191         (JSC::EncodedValue::put):
2192         (JSC::EncodedValue::append):
2193         (JSC::EncodedValue::get):
2194         * replay/scripts/CodeGeneratorReplayInputs.py: Added.
2195         (ParseException):
2196         (TypecheckException):
2197         (Framework):
2198         (Framework.__init__):
2199         (Framework.setting):
2200         (Framework.fromString):
2201         (Frameworks):
2202         (InputQueue):
2203         (InputQueue.__init__):
2204         (InputQueue.setting):
2205         (InputQueue.fromString):
2206         (InputQueues):
2207         (Input):
2208         (Input.__init__):
2209         (Input.setting):
2210         (InputMember):
2211         (InputMember.__init__):
2212         (InputMember.has_flag):
2213         (TypeMode):
2214         (TypeMode.__init__):
2215         (TypeMode.fromString):
2216         (TypeModes):
2217         (Type):
2218         (Type.__init__):
2219         (Type.__eq__):
2220         (Type.__hash__):
2221         (Type.has_flag):
2222         (Type.is_struct):
2223         (Type.is_enum):
2224         (Type.is_enum_class):
2225         (Type.declaration_kind):
2226         (Type.qualified_prefix):
2227         (Type.qualified_prefix.is):
2228         (Type.type_name):
2229         (Type.storage_type):
2230         (Type.borrow_type):
2231         (Type.argument_type):
2232         (check_properties):
2233         (VectorType):
2234         (VectorType.__init__):
2235         (VectorType.has_flag):
2236         (VectorType.is_struct):
2237         (VectorType.is_enum):
2238         (VectorType.is_enum_class):
2239         (VectorType.qualified_prefix):
2240         (VectorType.type_name):
2241         (VectorType.argument_type):
2242         (InputsModel):
2243         (InputsModel.__init__):
2244         (InputsModel.enum_types):
2245         (InputsModel.get_type_for_member):
2246         (InputsModel.parse_toplevel):
2247         (InputsModel.parse_type_with_framework_name):
2248         (InputsModel.parse_input):
2249         (InputsModel.typecheck):
2250         (InputsModel.typecheck_type):
2251         (InputsModel.typecheck_input):
2252         (InputsModel.typecheck_input_member):
2253         (IncrementalFileWriter):
2254         (IncrementalFileWriter.__init__):
2255         (IncrementalFileWriter.write):
2256         (IncrementalFileWriter.close):
2257         (lcfirst):
2258         (wrap_with_guard):
2259         (Generator):
2260         (Generator.__init__):
2261         (Generator.setting):
2262         (Generator.output_filename):
2263         (Generator.write_output_files):
2264         (Generator.generate_header):
2265         (Generator.generate_implementation):
2266         (Generator.generate_license):
2267         (Generator.generate_includes):
2268         (Generator.generate_includes.declaration):
2269         (Generator.generate_includes.declaration.is):
2270         (Generator.generate_type_forward_declarations):
2271         (Generator.generate_type_forward_declarations.is):
2272         (Generator.generate_class_declaration):
2273         (Generator.generate_input_constructor_declaration):
2274         (Generator.generate_input_destructor_declaration):
2275         (Generator.generate_input_member_getter):
2276         (Generator.generate_input_member_declaration):
2277         (Generator.generate_input_member_tuples):
2278         (Generator.qualified_input_name):
2279         (Generator.generate_input_trait_declaration):
2280         (Generator.generate_enum_trait_declaration):
2281         (Generator.generate_for_each_macro):
2282         (Generator.generate_class_implementation):
2283         (Generator.generate_enum_trait_implementation):
2284         (Generator.generate_enum_trait_implementation.is):
2285         (Generator.generate_input_trait_implementation):
2286         (Generator.generate_input_encode_implementation):
2287         (Generator.generate_input_decode_implementation):
2288         (Generator.generate_constructor_initializer_list):
2289         (Generator.generate_constructor_formals_list):
2290         (Generator.generate_member_borrow_expression):
2291         (Generator.generate_member_move_expression):
2292         (Generator.generate_constructor_arguments_list):
2293         (generate_from_specification):
2294         * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Added.
2295         (Templates):
2296         * replay/scripts/tests/expected/JSInputs.json-TestReplayInputs.cpp: Added.
2297         * replay/scripts/tests/expected/JSInputs.json-TestReplayInputs.h: Added.
2298         * replay/scripts/tests/expected/fail-on-c-style-enum-no-storage.json-error: Added.
2299         * replay/scripts/tests/expected/fail-on-duplicate-input-names.json-error: Added.
2300         * replay/scripts/tests/expected/fail-on-duplicate-type-names.json-error: Added.
2301         * replay/scripts/tests/expected/fail-on-enum-type-missing-values.json-error: Added.
2302         * replay/scripts/tests/expected/fail-on-missing-input-member-name.json-error: Added.
2303         * replay/scripts/tests/expected/fail-on-missing-input-name.json-error: Added.
2304         * replay/scripts/tests/expected/fail-on-missing-input-queue.json-error: Added.
2305         * replay/scripts/tests/expected/fail-on-missing-type-mode.json-error: Added.
2306         * replay/scripts/tests/expected/fail-on-missing-type-name.json-error: Added.
2307         * replay/scripts/tests/expected/fail-on-no-inputs.json-error: Added.
2308         * replay/scripts/tests/expected/fail-on-no-types.json-error: Added.
2309         * replay/scripts/tests/expected/fail-on-unknown-input-queue.json-error: Added.
2310         * replay/scripts/tests/expected/fail-on-unknown-member-type.json-error: Added.
2311         * replay/scripts/tests/expected/fail-on-unknown-type-mode.json-error: Added.
2312         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp: Added.
2313         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h: Added.
2314         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp: Added.
2315         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h: Added.
2316         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-error: Added.
2317         * replay/scripts/tests/expected/generate-event-loop-shape-types.json-error: Added.
2318         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp: Added.
2319         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h: Added.
2320         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp: Added.
2321         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Added.
2322         * replay/scripts/tests/expected/generate-inputs-with-flags.json-error: Added.
2323         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp: Added.
2324         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h: Added.
2325         * replay/scripts/tests/fail-on-c-style-enum-no-storage.json: Added.
2326         * replay/scripts/tests/fail-on-duplicate-input-names.json: Added.
2327         * replay/scripts/tests/fail-on-duplicate-type-names.json: Added.
2328         * replay/scripts/tests/fail-on-enum-type-missing-values.json: Added.
2329         * replay/scripts/tests/fail-on-missing-input-member-name.json: Added.
2330         * replay/scripts/tests/fail-on-missing-input-name.json: Added.
2331         * replay/scripts/tests/fail-on-missing-input-queue.json: Added.
2332         * replay/scripts/tests/fail-on-missing-type-mode.json: Added.
2333         * replay/scripts/tests/fail-on-missing-type-name.json: Added.
2334         * replay/scripts/tests/fail-on-no-inputs.json: Added.
2335         * replay/scripts/tests/fail-on-no-types.json: Added.
2336         * replay/scripts/tests/fail-on-unknown-input-queue.json: Added.
2337         * replay/scripts/tests/fail-on-unknown-member-type.json: Added.
2338         * replay/scripts/tests/fail-on-unknown-type-mode.json: Added.
2339         * replay/scripts/tests/generate-enum-encoding-helpers-with-guarded-values.json: Added.
2340         * replay/scripts/tests/generate-enum-encoding-helpers.json: Added.
2341         * replay/scripts/tests/generate-event-loop-shape-types.json: Added.
2342         * replay/scripts/tests/generate-input-with-guard.json: Added.
2343         * replay/scripts/tests/generate-input-with-vector-members.json: Added.
2344         * replay/scripts/tests/generate-inputs-with-flags.json: Added.
2345         * replay/scripts/tests/generate-memoized-type-modes.json: Added.
2346
2347 2014-02-11  Joseph Pecoraro  <pecoraro@apple.com>
2348
2349         Add Availability Macros to new JSC APIs
2350         https://bugs.webkit.org/show_bug.cgi?id=128615
2351
2352         Reviewed by Mark Rowe.
2353
2354         * API/JSContext.h:
2355         * API/JSContextRef.h:
2356
2357 2014-02-11  Filip Pizlo  <fpizlo@apple.com>
2358
2359         FTL should support CompareEq(ObjectOrOther:, Object:)
2360         https://bugs.webkit.org/show_bug.cgi?id=127752
2361
2362         Reviewed by Oliver Hunt.
2363         
2364         Also introduce some helpers for reasoning about nullness and truthyness.
2365
2366         * ftl/FTLCapabilities.cpp:
2367         (JSC::FTL::canCompile):
2368         * ftl/FTLLowerDFGToLLVM.cpp:
2369         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
2370         (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
2371         (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
2372         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
2373         (JSC::FTL::LowerDFGToLLVM::isNotNully):
2374         (JSC::FTL::LowerDFGToLLVM::isNully):
2375         (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
2376         * tests/stress/compare-eq-object-or-other-to-object.js: Added.
2377         (foo):
2378         (test):
2379         * tests/stress/compare-eq-object-to-object-or-other.js: Added.
2380         (foo):
2381         (test):
2382
2383 2014-02-11  Mark Hahnenberg  <mhahnenberg@apple.com>
2384
2385         32-bit LLInt writeBarrierOnGlobalObject is wrong
2386         https://bugs.webkit.org/show_bug.cgi?id=128556
2387
2388         Reviewed by Geoffrey Garen.
2389
2390         * llint/LowLevelInterpreter32_64.asm:
2391         * llint/LowLevelInterpreter64.asm: Also fixed the value check on 64-bit.
2392
2393 2014-02-11  Gabor Rapcsanyi  <rgabor@webkit.org>
2394
2395         LLInt typo error after r139004.
2396         https://bugs.webkit.org/show_bug.cgi?id=128592
2397
2398         Reviewed by Michael Saboff.
2399
2400         * offlineasm/arm.rb: change immediate to register in the condition
2401
2402 2014-02-10  Filip Pizlo  <fpizlo@apple.com>
2403
2404         LICM should gracefully handle unprofiled code
2405         https://bugs.webkit.org/show_bug.cgi?id=127848
2406
2407         Reviewed by Mark Hahnenberg.
2408
2409         * dfg/DFGLICMPhase.cpp:
2410         (JSC::DFG::LICMPhase::run):
2411
2412 2014-02-11  Mark Hahnenberg  <mhahnenberg@apple.com>
2413
2414         Obj-C API: JSExport doesn't work for methods that contain protocols in their type signature
2415         https://bugs.webkit.org/show_bug.cgi?id=128540
2416
2417         Reviewed by Oliver Hunt.
2418
2419         The bug is in parseObjCType in ObjcRuntimeExtras.h. When we see an '@' in the 
2420         type signature of a method, we assume that what follows the '@' is a class name, 
2421         so we call objc_getClass, and if that returns nil then we give up on the method 
2422         and don't export it.
2423
2424         This assumption doesn't work in the case of id<Protocol> because it's the name 
2425         of the protocol that follows the '@', not the name of a class. We should have 
2426         another fallback case for protocol names.
2427
2428         There's another case that also doesn't work, and that's the case of a named class 
2429         with a specified protocol in a method signature (e.g. NSObject<MyProtocol>).
2430         There the substring of the type signature that represents the class is "NSObject<MyProtocol>", 
2431         which will also cause objc_getClass to return nil.
2432
2433         * API/ObjcRuntimeExtras.h:
2434         (parseObjCType):
2435         * API/tests/DateTests.mm: Also fixed an issue I noticed where we don't use an autorelease pool
2436         for the DateTests.
2437         * API/tests/JSExportTests.h: Added.
2438         * API/tests/JSExportTests.mm: Added.
2439         (-[TruthTeller returnTrue]):
2440         (-[ExportMethodWithIdProtocol methodWithIdProtocol:]):
2441         (-[ExportMethodWithClassProtocol methodWithClassProtocol:]):
2442         (+[JSExportTests exportInstanceMethodWithIdProtocolTest]):
2443         (+[JSExportTests exportInstanceMethodWithClassProtocolTest]):
2444         (runJSExportTests):
2445         * API/tests/testapi.mm:
2446         * JavaScriptCore.xcodeproj/project.pbxproj:
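
        The type-encoding walk this entry describes, as an added example written for this
        page; it is not WebKit's parseObjCType. The encoding shapes it accepts (a bare @ for
        id, @"NSString" for a class, @"<MyProtocol>" for id<MyProtocol>, and
        @"NSObject<MyProtocol>" for a class with protocol qualifiers) are my reading of the
        Objective-C runtime's format, and the constructed class and protocol tables stand in
        for objc_getClass and objc_getProtocol, which are not available off Apple platforms.
        It contrasts the class-name-only lookup the entry calls a bug with one that splits off
        the <...> qualifiers and falls back to a protocol lookup.

```cpp
#include <cstddef>
#include <functional>
#include <set>
#include <string>
#include <vector>

// One '@'-typed argument from an Objective-C method type encoding.
struct ObjCObjectType {
    std::string rawSpec;                // text between the quotes, e.g. NSObject<MyProtocol>
    std::string className;              // empty for a bare id and for id<Protocol>
    std::vector<std::string> protocols; // names inside <...> qualifiers, in order
};

// Parses the object type starting at enc[pos] and advances pos past it.
// Returns false on a malformed encoding (unterminated quote or qualifier).
bool parseObjCObjectType(const std::string& enc, size_t& pos, ObjCObjectType& out)
{
    out = ObjCObjectType();
    if (pos >= enc.size() || enc[pos] != '@')
        return false;
    ++pos;
    if (pos >= enc.size() || enc[pos] != '"')
        return true;                    // bare '@': untyped id, nothing to look up
    size_t end = enc.find('"', pos + 1);
    if (end == std::string::npos)
        return false;
    out.rawSpec = enc.substr(pos + 1, end - pos - 1);
    pos = end + 1;

    size_t lt = out.rawSpec.find('<');
    out.className = out.rawSpec.substr(0, lt); // substr(0, npos) keeps the whole name
    while (lt != std::string::npos) {
        size_t gt = out.rawSpec.find('>', lt);
        if (gt == std::string::npos)
            return false;
        out.protocols.push_back(out.rawSpec.substr(lt + 1, gt - lt - 1));
        lt = out.rawSpec.find('<', gt);
    }
    return true;
}

using NameLookup = std::function<bool(const std::string&)>;

// The behaviour the entry calls a bug: everything after '@' goes to the class
// lookup, so "<MyProtocol>" and "NSObject<MyProtocol>" are both unknown classes.
bool exportableClassNameOnly(const ObjCObjectType& t, const NameLookup& classExists)
{
    return t.rawSpec.empty() || classExists(t.rawSpec);
}

// The fallback the entry asks for: the bare class name (if any) must be a class,
// and every angle-bracketed name must be a protocol.
bool exportableWithProtocols(const ObjCObjectType& t, const NameLookup& classExists,
                             const NameLookup& protocolExists)
{
    if (!t.className.empty() && !classExists(t.className))
        return false;
    for (const std::string& p : t.protocols) {
        if (!protocolExists(p))
            return false;
    }
    return true;
}

// Constructed runtime tables standing in for objc_getClass / objc_getProtocol.
static const std::set<std::string> kKnownClasses = { "NSObject", "NSString" };
static const std::set<std::string> kKnownProtocols = { "MyProtocol" };

struct ExportDecision {
    bool parsed;   // the encoding was well formed
    bool oldRule;  // exported under the class-name-only lookup
    bool newRule;  // exported with the protocol fallback
};

ExportDecision decide(const std::string& argEncoding)
{
    ExportDecision d = { false, false, false };
    ObjCObjectType t;
    size_t pos = 0;
    if (!parseObjCObjectType(argEncoding, pos, t) || pos != argEncoding.size())
        return d;
    d.parsed = true;
    NameLookup classExists = [](const std::string& n) { return kKnownClasses.count(n) != 0; };
    NameLookup protocolExists = [](const std::string& n) { return kKnownProtocols.count(n) != 0; };
    d.oldRule = exportableClassNameOnly(t, classExists);
    d.newRule = exportableWithProtocols(t, classExists, protocolExists);
    return d;
}

// Human-readable parse result, "class|proto1,proto2", or "<bad>" if it fails.
std::string describe(const std::string& argEncoding)
{
    ObjCObjectType t;
    size_t pos = 0;
    if (!parseObjCObjectType(argEncoding, pos, t) || pos != argEncoding.size())
        return "<bad>";
    std::string s = t.className + "|";
    for (size_t i = 0; i < t.protocols.size(); ++i)
        s += (i ? "," : "") + t.protocols[i];
    return s;
}
```

        With these tables, decide("@\"<MyProtocol>\"") and decide("@\"NSObject<MyProtocol>\"")
        are refused by the old rule and accepted by the new one, while an unknown protocol
        name is still refused, so a method is not exported on the strength of a qualifier
        the runtime cannot resolve.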
2447
2448 2014-02-10  Michael Saboff  <msaboff@apple.com>
2449
2450         Re-enable ARM Thumb2 disassembler
2451         https://bugs.webkit.org/show_bug.cgi?id=128577
2452
2453         Reviewed by Filip Pizlo.
2454
2455         Changed signature of tryToDisassemble() to match updates.
2456         Fixed typo in disassembler.
2457
2458         * disassembler/ARMv7/ARMv7DOpcode.cpp:
2459         * disassembler/ARMv7Disassembler.cpp:
2460         (JSC::tryToDisassemble):
2461
2462 2014-02-10  Mark Lam  <mark.lam@apple.com>
2463
2464         Removing limitation on JSLock's lockDropDepth.
2465         <https://webkit.org/b/128570>
2466
2467         Reviewed by Geoffrey Garen.
2468
2469         Now that we've switched to using the C stack, we no longer need to limit
2470         the JSLock::lockDropDepth to 2.
2471
2472         For C loop builds which still use the separate JSStack, the JSLock will
2473         enforce ordering for re-grabbing the lock after dropping it. Re-grabbing
2474         must occur in the reverse order of the dropping of the locks.
2475
2476         Ordering is achieved by JSLock::dropAllLocks() stashing away the
2477         JSLock::m_lockDropDepth in its DropAllLocks instance's m_dropDepth
2478         before unlocking the lock. Subsequently, JSLock::grabAllLocks() will
2479         ensure that JSLock::m_lockDropDepth equals its DropAllLocks instance's
2480         m_dropDepth before allowing the lock to be re-grabbed. Otherwise, it
2481         will yield execution and retry again later.
2482
2483         Note: because JSLock::m_lockDropDepth is protected by the JSLock's
2484         mutex, grabAllLocks() will optimistically lock the JSLock before doing
2485         the check on m_lockDropDepth. If the check fails, it will unlock the
2486         JSLock, yield, and then relock it again later before retrying the check.
2487         This ensures that m_lockDropDepth remains under the protection of the
2488         JSLock's mutex.
2489
2490         * runtime/JSLock.cpp:
2491         (JSC::JSLock::dropAllLocks):
2492         (JSC::JSLock::grabAllLocks):
2493         (JSC::JSLock::DropAllLocks::DropAllLocks):
2494         (JSC::JSLock::DropAllLocks::~DropAllLocks):
2495         * runtime/JSLock.h:
2496         (JSC::JSLock::DropAllLocks::setDropDepth):
2497         (JSC::JSLock::DropAllLocks::dropDepth):
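
        A single-threaded model of the drop-depth ordering check described above, added for
        this page; it is not JavaScriptCore's JSLock, and the class, member and method names
        only mirror the entry. Threads are plain integers supplied by the caller, so the
        "yield and retry" of the real grabAllLocks() is reduced to a tryGrabAllLocks() that
        reports whether the re-grab would be allowed right now. The scenario function shows a
        dropper that re-grabs out of order being refused and the reverse order being accepted.

```cpp
// Single-threaded model of the JSLock drop-depth check. "Threads" are plain
// integers passed by the caller; kNoOwner means nobody holds the lock.
class JSLockModel {
public:
    enum { kNoOwner = -1 };

    // Mirrors what the entry calls DropAllLocks: remembers the depth at which
    // this dropper released the lock and how many recursive holds it gave up.
    struct DropAllLocks {
        int thread;
        unsigned dropDepth;
        unsigned lockCount;
        bool dropped;
        explicit DropAllLocks(int t) : thread(t), dropDepth(0), lockCount(0), dropped(false) {}
    };

    // Recursive lock: re-entry by the owner just bumps the hold count. Another
    // thread asking while it is held is refused here; a real lock would block.
    bool lock(int thread)
    {
        if (m_owner == thread) {
            ++m_lockCount;
            return true;
        }
        if (m_owner != kNoOwner)
            return false;
        m_owner = thread;
        m_lockCount = 1;
        return true;
    }

    void unlock(int thread)
    {
        if (m_owner != thread || m_lockCount == 0)
            return;
        if (--m_lockCount == 0)
            m_owner = kNoOwner;
    }

    // dropAllLocks(): give up every hold. The dropper stashes the new depth, so
    // m_lockDropDepth counts the droppers that are still out.
    bool dropAllLocks(DropAllLocks& d)
    {
        if (m_owner != d.thread)
            return false;
        d.dropDepth = ++m_lockDropDepth;
        d.lockCount = m_lockCount;
        d.dropped = true;
        m_lockCount = 0;
        m_owner = kNoOwner;
        return true;
    }

    // One attempt at grabAllLocks(): allowed only when the lock is free and this
    // dropper is the most recent outstanding drop. The real code unlocks, yields
    // and retries on failure instead of returning false.
    bool tryGrabAllLocks(DropAllLocks& d)
    {
        if (!d.dropped || m_owner != kNoOwner)
            return false;
        if (m_lockDropDepth != d.dropDepth)
            return false;
        --m_lockDropDepth;
        m_owner = d.thread;
        m_lockCount = d.lockCount;
        d.dropped = false;
        return true;
    }

    int owner() const { return m_owner; }
    unsigned lockCount() const { return m_lockCount; }
    unsigned lockDropDepth() const { return m_lockDropDepth; }

private:
    int m_owner = kNoOwner;
    unsigned m_lockCount = 0;
    unsigned m_lockDropDepth = 0;
};

// Scenario: thread 1 drops first, thread 2 takes the lock and drops second.
// Thread 1's re-grab must be refused until thread 2 has re-grabbed and let go.
bool reverseOrderScenarioHolds()
{
    JSLockModel lock;
    JSLockModel::DropAllLocks first(1), second(2);
    lock.lock(1);
    lock.lock(1);                                   // thread 1 holds twice
    if (!lock.dropAllLocks(first)) return false;    // depth becomes 1
    if (!lock.lock(2)) return false;                // thread 2 slips in
    if (!lock.dropAllLocks(second)) return false;   // depth becomes 2
    if (lock.tryGrabAllLocks(first)) return false;  // wrong order: refused
    if (!lock.tryGrabAllLocks(second)) return false;
    if (lock.tryGrabAllLocks(first)) return false;  // still held by thread 2
    lock.unlock(2);
    if (!lock.tryGrabAllLocks(first)) return false;
    return lock.owner() == 1 && lock.lockCount() == 2 && lock.lockDropDepth() == 0;
}

// Only the current owner may drop; a stranger's DropAllLocks changes nothing.
bool dropRequiresOwnership()
{
    JSLockModel lock;
    JSLockModel::DropAllLocks d(7);
    if (lock.dropAllLocks(d)) return false;
    lock.lock(3);
    if (lock.dropAllLocks(d)) return false;
    return lock.owner() == 3 && lock.lockDropDepth() == 0;
}
```

        The model keeps the invariant the entry relies on: the lock's depth is only ever
        decremented by the dropper that incremented it last, so a thread whose dropper is
        not the most recent one cannot take the lock back, no matter how often it retries,
        until the later dropper has re-grabbed.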
2498
2499 2014-02-10  Filip Pizlo  <fpizlo@apple.com>
2500
2501         FTL should support ToThis
2502         https://bugs.webkit.org/show_bug.cgi?id=127751
2503
2504         Reviewed by Oliver Hunt.
2505
2506         * ftl/FTLCapabilities.cpp:
2507         (JSC::FTL::canCompile):
2508         * ftl/FTLIntrinsicRepository.h:
2509         * ftl/FTLLowerDFGToLLVM.cpp:
2510         (JSC::FTL::LowerDFGToLLVM::compileNode):
2511         (JSC::FTL::LowerDFGToLLVM::compileToThis):
2512         * tests/stress/to-this-polymorphic.js: Added.
2513         (foo):
2514
2515 2014-02-10  Filip Pizlo  <fpizlo@apple.com>
2516
2517         Rename Operations.h to JSCInlines.h
2518         https://bugs.webkit.org/show_bug.cgi?id=128543
2519
2520         Rubber stamped by Geoffrey Garen.
2521         
2522         Well, what this actually does is it splits Operations.h into a real Operations.h that
2523         actually contains "operations", and JSCInlines.h, which serves the role of being an
2524         inlines umbrella.
2525         
2526         * API/JSBase.cpp:
2527         * API/JSCTestRunnerUtils.cpp:
2528         * API/JSCallbackConstructor.cpp:
2529         * API/JSCallbackFunction.cpp:
2530         * API/JSCallbackObject.cpp:
2531         * API/JSClassRef.cpp:
2532         * API/JSContext.mm:
2533         * API/JSContextRef.cpp:
2534         * API/JSManagedValue.mm:
2535         * API/JSObjectRef.cpp:
2536         * API/JSScriptRef.cpp:
2537         * API/JSValue.mm:
2538         * API/JSValueRef.cpp:
2539         * API/JSWeakObjectMapRefPrivate.cpp:
2540         * API/JSWrapperMap.mm:
2541         * GNUmakefile.list.am:
2542         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2543         * JavaScriptCore.xcodeproj/project.pbxproj:
2544         * assembler/LinkBuffer.cpp:
2545         * bindings/ScriptFunctionCall.cpp:
2546         * bindings/ScriptObject.cpp:
2547         * bytecode/ArrayAllocationProfile.cpp:
2548         * bytecode/ArrayProfile.cpp:
2549         * bytecode/BytecodeBasicBlock.cpp:
2550         * bytecode/CallLinkInfo.cpp:
2551         * bytecode/CallLinkStatus.cpp:
2552         * bytecode/CodeBlock.cpp:
2553         * bytecode/CodeBlockJettisoningWatchpoint.cpp:
2554         * bytecode/CodeOrigin.cpp:
2555         * bytecode/ExecutionCounter.cpp:
2556         * bytecode/GetByIdStatus.cpp:
2557         * bytecode/LazyOperandValueProfile.cpp:
2558         * bytecode/MethodOfGettingAValueProfile.cpp:
2559         * bytecode/PreciseJumpTargets.cpp:
2560         * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
2561         * bytecode/PutByIdStatus.cpp:
2562         * bytecode/SamplingTool.cpp:
2563         * bytecode/SpecialPointer.cpp:
2564         * bytecode/SpeculatedType.cpp:
2565         * bytecode/StructureStubClearingWatchpoint.cpp:
2566         * bytecode/UnlinkedCodeBlock.cpp:
2567         * bytecode/ValueRecovery.cpp:
2568         * bytecompiler/BytecodeGenerator.cpp:
2569         * bytecompiler/NodesCodegen.cpp:
2570         * debugger/Debugger.cpp:
2571         * debugger/DebuggerActivation.cpp:
2572         * debugger/DebuggerCallFrame.cpp:
2573         * dfg/DFGAbstractHeap.cpp:
2574         * dfg/DFGAbstractValue.cpp:
2575         * dfg/DFGArgumentsSimplificationPhase.cpp:
2576         * dfg/DFGArithMode.cpp:
2577         * dfg/DFGArrayMode.cpp:
2578         * dfg/DFGAtTailAbstractState.cpp:
2579         * dfg/DFGAvailability.cpp:
2580         * dfg/DFGBackwardsPropagationPhase.cpp:
2581         * dfg/DFGBasicBlock.cpp:
2582         * dfg/DFGBinarySwitch.cpp:
2583         * dfg/DFGBlockInsertionSet.cpp:
2584         * dfg/DFGByteCodeParser.cpp:
2585         * dfg/DFGCFAPhase.cpp:
2586         * dfg/DFGCFGSimplificationPhase.cpp:
2587         * dfg/DFGCPSRethreadingPhase.cpp:
2588         * dfg/DFGCSEPhase.cpp:
2589         * dfg/DFGCapabilities.cpp:
2590         * dfg/DFGClobberSet.cpp:
2591         * dfg/DFGClobberize.cpp:
2592         * dfg/DFGCommon.cpp:
2593         * dfg/DFGCommonData.cpp:
2594         * dfg/DFGCompilationKey.cpp:
2595         * dfg/DFGCompilationMode.cpp:
2596         * dfg/DFGConstantFoldingPhase.cpp:
2597         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
2598         * dfg/DFGDCEPhase.cpp:
2599         * dfg/DFGDesiredIdentifiers.cpp:
2600         * dfg/DFGDesiredStructureChains.cpp:
2601         * dfg/DFGDesiredTransitions.cpp:
2602         * dfg/DFGDesiredWatchpoints.cpp:
2603         * dfg/DFGDesiredWeakReferences.cpp:
2604         * dfg/DFGDesiredWriteBarriers.cpp:
2605         * dfg/DFGDisassembler.cpp:
2606         * dfg/DFGDominators.cpp:
2607         * dfg/DFGDriver.cpp:
2608         * dfg/DFGEdge.cpp:
2609         * dfg/DFGFailedFinalizer.cpp:
2610         * dfg/DFGFinalizer.cpp:
2611         * dfg/DFGFixupPhase.cpp:
2612         * dfg/DFGFlushFormat.cpp:
2613         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
2614         * dfg/DFGFlushedAt.cpp:
2615         * dfg/DFGGraph.cpp:
2616         * dfg/DFGGraphSafepoint.cpp:
2617         * dfg/DFGInPlaceAbstractState.cpp:
2618         * dfg/DFGInvalidationPointInjectionPhase.cpp:
2619         * dfg/DFGJITCode.cpp:
2620         * dfg/DFGJITCompiler.cpp:
2621         * dfg/DFGJITFinalizer.cpp:
2622         * dfg/DFGJumpReplacement.cpp:
2623         * dfg/DFGLICMPhase.cpp:
2624         * dfg/DFGLazyJSValue.cpp:
2625         * dfg/DFGLivenessAnalysisPhase.cpp:
2626         * dfg/DFGLongLivedState.cpp:
2627         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
2628         * dfg/DFGMinifiedNode.cpp:
2629         * dfg/DFGNaturalLoops.cpp:
2630         * dfg/DFGNode.cpp:
2631         * dfg/DFGNodeFlags.cpp:
2632         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2633         * dfg/DFGOSREntry.cpp:
2634         * dfg/DFGOSREntrypointCreationPhase.cpp:
2635         * dfg/DFGOSRExit.cpp:
2636         * dfg/DFGOSRExitBase.cpp:
2637         * dfg/DFGOSRExitCompiler.cpp:
2638         * dfg/DFGOSRExitCompiler32_64.cpp:
2639         * dfg/DFGOSRExitCompiler64.cpp:
2640         * dfg/DFGOSRExitCompilerCommon.cpp:
2641         * dfg/DFGOSRExitJumpPlaceholder.cpp:
2642         * dfg/DFGOSRExitPreparation.cpp:
2643         * dfg/DFGOperations.cpp:
2644         * dfg/DFGPhase.cpp:
2645         * dfg/DFGPlan.cpp:
2646         * dfg/DFGPredictionInjectionPhase.cpp:
2647         * dfg/DFGPredictionPropagationPhase.cpp:
2648         * dfg/DFGResurrectionForValidationPhase.cpp:
2649         * dfg/DFGSSAConversionPhase.cpp:
2650         * dfg/DFGSSALoweringPhase.cpp:
2651         * dfg/DFGSafepoint.cpp:
2652         * dfg/DFGSpeculativeJIT.cpp:
2653         * dfg/DFGSpeculativeJIT32_64.cpp:
2654         * dfg/DFGSpeculativeJIT64.cpp:
2655         * dfg/DFGStackLayoutPhase.cpp:
2656         * dfg/DFGStoreBarrierElisionPhase.cpp:
2657         * dfg/DFGStrengthReductionPhase.cpp:
2658         * dfg/DFGThreadData.cpp:
2659         * dfg/DFGThunks.cpp:
2660         * dfg/DFGTierUpCheckInjectionPhase.cpp:
2661         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
2662         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
2663         * dfg/DFGTypeCheckHoistingPhase.cpp:
2664         * dfg/DFGUnificationPhase.cpp:
2665         * dfg/DFGUseKind.cpp:
2666         * dfg/DFGValidate.cpp:
2667         * dfg/DFGValueSource.cpp:
2668         * dfg/DFGVariableAccessDataDump.cpp:
2669         * dfg/DFGVariableEvent.cpp:
2670         * dfg/DFGVariableEventStream.cpp:
2671         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
2672         * dfg/DFGWatchpointCollectionPhase.cpp:
2673         * dfg/DFGWorklist.cpp:
2674         * ftl/FTLAbstractHeap.cpp:
2675         * ftl/FTLAbstractHeapRepository.cpp:
2676         * ftl/FTLExitValue.cpp:
2677         * ftl/FTLLink.cpp:
2678         * ftl/FTLLowerDFGToLLVM.cpp:
2679         * ftl/FTLOSREntry.cpp:
2680         * ftl/FTLOSRExit.cpp:
2681         * ftl/FTLOSRExitCompiler.cpp:
2682         * ftl/FTLSlowPathCall.cpp:
2683         * heap/BlockAllocator.cpp:
2684         * heap/CodeBlockSet.cpp:
2685         * heap/ConservativeRoots.cpp:
        * heap/CopiedSpace.cpp:
        * heap/CopyVisitor.cpp:
        * heap/DeferGC.cpp:
        * heap/GCThread.cpp:
        * heap/GCThreadSharedData.cpp:
        * heap/HandleSet.cpp:
        * heap/HandleStack.cpp:
        * heap/Heap.cpp:
        * heap/HeapStatistics.cpp:
        * heap/HeapTimer.cpp:
        * heap/IncrementalSweeper.cpp:
        * heap/JITStubRoutineSet.cpp:
        * heap/MachineStackMarker.cpp:
        * heap/MarkStack.cpp:
        * heap/MarkedAllocator.cpp:
        * heap/MarkedBlock.cpp:
        * heap/MarkedSpace.cpp:
        * heap/SlotVisitor.cpp:
        * heap/SuperRegion.cpp:
        * heap/Weak.cpp:
        * heap/WeakBlock.cpp:
        * heap/WeakHandleOwner.cpp:
        * heap/WeakSet.cpp:
        * heap/WriteBarrierBuffer.cpp:
        * heap/WriteBarrierSupport.cpp:
        * inspector/InjectedScript.cpp:
        * inspector/InjectedScriptBase.cpp:
        * inspector/JSGlobalObjectScriptDebugServer.cpp:
        * inspector/JSInjectedScriptHost.cpp:
        * inspector/ScriptArguments.cpp:
        * inspector/ScriptCallStackFactory.cpp:
        * interpreter/AbstractPC.cpp:
        * interpreter/CallFrame.cpp:
        * interpreter/Interpreter.cpp:
        * interpreter/JSStack.cpp:
        * interpreter/ProtoCallFrame.cpp:
        * interpreter/StackVisitor.cpp:
        * interpreter/VMInspector.cpp:
        * jit/ArityCheckFailReturnThunks.cpp:
        * jit/AssemblyHelpers.cpp:
        * jit/ClosureCallStubRoutine.cpp:
        * jit/ExecutableAllocator.cpp:
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        * jit/GCAwareJITStubRoutine.cpp:
        * jit/HostCallReturnValue.cpp:
        * jit/JIT.cpp:
        * jit/JITArithmetic.cpp:
        * jit/JITArithmetic32_64.cpp:
        * jit/JITCall.cpp:
        * jit/JITCall32_64.cpp:
        * jit/JITCode.cpp:
        * jit/JITDisassembler.cpp:
        * jit/JITExceptions.cpp:
        * jit/JITInlineCacheGenerator.cpp:
        * jit/JITInlines.h:
        * jit/JITOperations.cpp:
        * jit/JITOperationsMSVC64.cpp:
        * jit/JITStubRoutine.cpp:
        * jit/JITStubs.cpp:
        * jit/JITThunks.cpp:
        * jit/JITToDFGDeferredCompilationCallback.cpp:
        * jit/RegisterPreservationWrapperGenerator.cpp:
        * jit/RegisterSet.cpp:
        * jit/Repatch.cpp:
        * jit/TempRegisterSet.cpp:
        * jit/ThunkGenerators.cpp:
        * jsc.cpp:
        * llint/LLIntExceptions.cpp:
        * llint/LLIntSlowPaths.cpp:
        * llint/LowLevelInterpreter.cpp:
        * parser/Lexer.cpp:
        * parser/Nodes.cpp:
        * parser/Parser.cpp:
        * parser/ParserArena.cpp:
        * parser/SourceCode.cpp:
        * parser/SourceProvider.cpp:
        * parser/SourceProviderCache.cpp:
        * profiler/LegacyProfiler.cpp:
        * profiler/ProfileGenerator.cpp:
        * profiler/ProfilerBytecode.cpp:
        * profiler/ProfilerBytecodeSequence.cpp:
        * profiler/ProfilerBytecodes.cpp:
        * profiler/ProfilerCompilation.cpp:
        * profiler/ProfilerCompiledBytecode.cpp:
        * profiler/ProfilerDatabase.cpp:
        * profiler/ProfilerOSRExit.cpp:
        * profiler/ProfilerOSRExitSite.cpp:
        * profiler/ProfilerOrigin.cpp:
        * profiler/ProfilerOriginStack.cpp:
        * profiler/ProfilerProfiledBytecodes.cpp:
        * runtime/ArgList.cpp:
        * runtime/Arguments.cpp:
        * runtime/ArgumentsIteratorPrototype.cpp:
        * runtime/ArrayBuffer.cpp:
        * runtime/ArrayBufferNeuteringWatchpoint.cpp:
        * runtime/ArrayConstructor.cpp:
        * runtime/ArrayPrototype.cpp:
        * runtime/BooleanConstructor.cpp:
        * runtime/BooleanObject.cpp:
        * runtime/BooleanPrototype.cpp:
        * runtime/CallData.cpp:
        * runtime/CodeCache.cpp:
        * runtime/CommonSlowPaths.cpp:
        * runtime/CommonSlowPathsExceptions.cpp:
        * runtime/Completion.cpp:
        * runtime/ConstructData.cpp:
        * runtime/DateConstructor.cpp:
        * runtime/DateInstance.cpp:
        * runtime/DatePrototype.cpp:
        * runtime/Error.cpp:
        * runtime/ErrorConstructor.cpp:
        * runtime/ErrorInstance.cpp:
        * runtime/ErrorPrototype.cpp:
        * runtime/ExceptionHelpers.cpp:
        * runtime/Executable.cpp:
        * runtime/FunctionConstructor.cpp:
        * runtime/FunctionPrototype.cpp:
        * runtime/GetterSetter.cpp:
        * runtime/Identifier.cpp:
        * runtime/IntendedStructureChain.cpp:
        * runtime/InternalFunction.cpp:
        * runtime/JSActivation.cpp:
        * runtime/JSArgumentsIterator.cpp:
        * runtime/JSArray.cpp:
        * runtime/JSArrayBuffer.cpp:
        * runtime/JSArrayBufferConstructor.cpp:
        * runtime/JSArrayBufferPrototype.cpp:
        * runtime/JSArrayBufferView.cpp:
        * runtime/JSBoundFunction.cpp:
        * runtime/JSCInlines.h: Copied from Source/JavaScriptCore/runtime/Operations.h.
        * runtime/JSCell.cpp:
        * runtime/JSDataView.cpp:
        * runtime/JSDataViewPrototype.cpp:
        * runtime/JSDateMath.cpp:
        * runtime/JSFunction.cpp:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObjectFunctions.cpp:
        * runtime/JSLock.cpp:
        * runtime/JSNameScope.cpp:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSONObject.cpp:
        * runtime/JSObject.cpp:
        * runtime/JSPropertyNameIterator.cpp:
        * runtime/JSPropertyNameIterator.h:
        * runtime/JSProxy.cpp:
        * runtime/JSScope.cpp:
        * runtime/JSSegmentedVariableObject.cpp:
        * runtime/JSString.cpp:
        * runtime/JSStringJoiner.cpp:
        * runtime/JSSymbolTableObject.cpp:
        * runtime/JSTypedArrayConstructors.cpp:
        * runtime/JSTypedArrayPrototypes.cpp:
        * runtime/JSTypedArrays.cpp:
        * runtime/JSVariableObject.cpp:
        * runtime/JSWithScope.cpp:
        * runtime/JSWrapperObject.cpp:
        * runtime/LiteralParser.cpp:
        * runtime/Lookup.cpp:
        * runtime/MathObject.cpp:
        * runtime/NameConstructor.cpp:
        * runtime/NameInstance.cpp:
        * runtime/NamePrototype.cpp:
        * runtime/NativeErrorConstructor.cpp:
        * runtime/NativeErrorPrototype.cpp:
        * runtime/NumberConstructor.cpp:
        * runtime/NumberObject.cpp:
        * runtime/NumberPrototype.cpp:
        * runtime/ObjectConstructor.cpp:
        * runtime/ObjectPrototype.cpp:
        * runtime/Operations.cpp:
        * runtime/Operations.h:
        * runtime/PropertyDescriptor.cpp:
        * runtime/PrototypeMap.cpp:
        * runtime/RegExp.cpp:
        * runtime/RegExpCache.cpp:
        * runtime/RegExpCachedResult.cpp:
        * runtime/RegExpConstructor.cpp:
        * runtime/RegExpMatchesArray.cpp:
        * runtime/RegExpObject.cpp:
        * runtime/RegExpPrototype.cpp:
        * runtime/SimpleTypedArrayController.cpp:
        * runtime/SmallStrings.cpp:
        * runtime/SparseArrayValueMap.cpp:
        * runtime/StrictEvalActivation.cpp:
        * runtime/StringConstructor.cpp:
        * runtime/StringObject.cpp:
        * runtime/StringPrototype.cpp:
        * runtime/StringRecursionChecker.cpp:
        * runtime/Structure.cpp:
        * runtime/StructureChain.cpp:
        * runtime/StructureRareData.cpp:
        * runtime/SymbolTable.cpp:
        * runtime/TestRunnerUtils.cpp:
        * runtime/VM.cpp:
        * testRegExp.cpp:

2014-02-10  Matthew Mirman  <mmirman@apple.com>

        Removes the inline assert from SpeculativeJIT's ReallocatePropertyStorage
        https://bugs.webkit.org/show_bug.cgi?id=128566

        Reviewed by Filip Pizlo.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):

2014-02-10  Filip Pizlo  <fpizlo@apple.com>

        Rename getRecordMap to computeRecordMap.

        Rubber stamped by Michael Saboff.

        "get" is such a weird prefix. It implies a getter. We don't prefix our getters with
        anything in WebKit. Also, this isn't a getter. It actually does work to transform
        the stackmaps into a hashmap. So, computeRecordMap is a much better name.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::computeRecordMap):
        * ftl/FTLStackMaps.h:

2014-02-10  Matthew Mirman  <mmirman@apple.com>

        ReallocatePropertyStorage in FTL
        https://bugs.webkit.org/show_bug.cgi?id=128352

        Reviewed by Filip Pizlo.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileReallocatePropertyStorage):
        * tests/stress/ftl-reallocatepropertystorage.js: Added.
        (foo):

2014-02-10  Michael Saboff  <msaboff@apple.com>

        Fail FTL compilation if the required stack is too big
        https://bugs.webkit.org/show_bug.cgi?id=128560

        Reviewed by Filip Pizlo.

        Added StackSize struct to FTLStackMaps and populated it.  Added and updated
        related dump functions.  Use the stack size found at the end of the compilation
        to compare against the value of a new option, llvmMaxStackSize.  We fail the
        compile if the function's stack size is greater than llvmMaxStackSize.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::StackSize::parse):
        (JSC::FTL::StackMaps::StackSize::dump):
        (JSC::FTL::StackMaps::parse):
        (JSC::FTL::StackMaps::dump):
        (JSC::FTL::StackMaps::dumpMultiline):
        (JSC::FTL::StackMaps::getStackSize):
        * ftl/FTLStackMaps.h:
        * runtime/Options.h:

2014-02-10  Mark Lam  <mark.lam@apple.com>

        Change JSLock::dropAllLocks() and friends to use lock() and unlock().
        <https://webkit.org/b/128451>

        Reviewed by Geoffrey Garen.

        Currently, JSLock's dropAllLocks(), dropAllLocksUnconditionally(), and
        grabAllLocks() implement locking / unlocking by duplicating the code from
        lock() and unlock(). Instead, they should just call lock() and unlock().

        * runtime/JSLock.cpp:
        (JSC::JSLock::lock):
        (JSC::JSLock::unlock):
        - Modified lock() and unlock() into a version that takes an entry count
          to lock / unlock. The previous lock() and unlock() now call these
          new versions with an entry count of 1.

        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::dropAllLocksUnconditionally):
        (JSC::JSLock::grabAllLocks):
        - Delegate to unlock() and lock() instead of duplicating the lock / unlock
          code.
        - There are some differences with calling lock() instead of duplicating its
          code in grabAllLocks(), i.e. lock() does the following additional work:

          1. lock() does a re-entry check that is not needed by grabAllLocks().
             However, this is effectively a no-op since we never own the JSLock
             before calling grabAllLocks().

          2. set VM stackPointerAtVMEntry.
          3. update VM stackLimit and reservedZoneSize.
          4. set VM lastStackTop.
             These 3 steps are just busy work which are also effectively no-ops
             because immediately after lock() returns, grabAllLocks() will write
             over those values with their saved versions in the threadData.

        * runtime/JSLock.h:

2014-02-10  Anders Carlsson  <andersca@apple.com>

        Try to fix the Windows build.

        * heap/UnconditionalFinalizer.h:
        * runtime/SymbolTable.h:

2014-02-10  Andreas Kling  <akling@apple.com>

        Make the Identifier::add() family return PassRef<StringImpl>.
        <https://webkit.org/b/128542>

        This knocks one branch off of creating an Identifier from another
        string source.

        Reviewed by Oliver Hunt.

        * runtime/Identifier.cpp:
        (JSC::Identifier::add):
        (JSC::Identifier::add8):
        (JSC::Identifier::addSlowCase):
        * runtime/Identifier.h:
        (JSC::Identifier::add):
        * runtime/Lookup.cpp:
        (JSC::HashTable::createTable):

2014-02-09  Mark Lam  <mark.lam@apple.com>

        Remove unnecessary spinLock in JSLock.
        <https://webkit.org/b/128450>

        Reviewed by Filip Pizlo.

        The JSLock's mutex already provides protection for write access to
        JSLock's internal state. The only JSLock state that needs to be read
        from any thread including threads that don't own the JSLock is
        m_ownerThread, which is used in currentThreadIsHoldingLock() to do an
        ownership test on the lock.

        It is safe for other threads to read from m_ownerThread because they
        only need to know whether its value matches their own thread id
        (provided by WTF::currentThread()).

        Here are the scenarios for how the ownership test can go:

        1. The JSLock has just been initialized and is not owned by any thread.

           In this case, m_ownerThread will be 0 and will not match any thread's
           thread id. The checking thread will know that it needs to lock the
           JSLock before using the VM.

        2. The JSLock was previously locked, but now is unlocked.

           When we unlock it in JSLock::unlock(), the owner thread clears
           m_ownerThread to 0. Hence, this case is the same as (1) above.

        3. The JSLock is locked by Thread A. Thread B is checking ownership.

           In this case, m_ownerThread will contain Thread A's thread id.
           Thread B will see that the thread id does not match its own and will
           proceed to block on the JSLock's mutex to wait for its turn to use
           the VM.

           With Weak Memory Ordering architectures, Thread A's thread id may
           not get written out to memory before Thread B inspects m_ownerThread.
           However, though Thread B may not see Thread A's thread id in
           m_ownerThread, it will see 0 which is the last value written to it
           before the JSLock mutex was unlocked. The mutex unlock would have
           executed a memory fence which would have flushed the 0 to
           m_ownerThread in memory. Hence, Thread B will know that it does not
           own the lock.

        Apart from removing the unneeded spin lock code, I also changed the
        JSLock code to use currentThreadIsHoldingLock() and setOwnerThread()
        instead of accessing m_ownerThread directly.

        * runtime/JSLock.cpp:
        (JSC::JSLock::JSLock):

        (JSC::JSLock::lock):
        - Removed spinLock but left the indentation as is to keep the diff to a
          minimum for better readability. Will unindent in a subsequent patch.

        (JSC::JSLock::unlock):
        - Before unlocking the mutex, clear m_ownerThread to indicate that the
          lock is no longer owned.

        (JSC::JSLock::currentThreadIsHoldingLock):
        - Removed the check of m_lockCount for determining ownership. Checking
          m_ownerThread is sufficient.

        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::dropAllLocksUnconditionally):
        - Renamed local locksToDrop to the better name droppedLockCount.
        - Clear m_ownerThread since we're unlocking the JSLock.

        (JSC::JSLock::grabAllLocks):
        - Removed unneeded lock ownership test for lock re-entry case because
          grabAllLocks() is never used to re-enter a locked JSLock.

        (JSC::JSLock::DropAllLocks::DropAllLocks):
        (JSC::JSLock::DropAllLocks::~DropAllLocks):

        * runtime/JSLock.h:
        (JSC::JSLock::setOwnerThread):
3094
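As an added example that is not JavaScriptCore's code, a single-threaded C++ model of the ownership scheme the two JSLock entries above describe (entry-counted lock()/unlock(), dropAllLocks()/grabAllLocks(), the DropAllLocks scope, and an ownership test that reads only m_ownerThread). Thread ids are passed in explicitly (0 = no owner, as in the entry) and the mutex is a flag, so scenarios 1 to 3 and a drop/grab round trip can be stepped through deterministically; everything beyond the ChangeLog's names is an assumption.

```cpp
// Hypothetical model of JSLock (not JSC's code); threads are explicit ids.
#include <cassert>

using ThreadId = unsigned;   // 0 means "not owned by any thread", as in the entry

class ModelJSLock {
public:
    enum class Result { Acquired, Reentered, WouldBlock };
    // Mirror of JSLock::DropAllLocks: drop every entry now, grab them back on exit.
    class DropAllLocks {
    public:
        DropAllLocks(ModelJSLock& lock, ThreadId self)
            : m_lock(lock), m_self(self), m_droppedLockCount(lock.dropAllLocks(self)) { }
        ~DropAllLocks()
        {
            if (m_droppedLockCount)
                m_lock.grabAllLocks(m_self, m_droppedLockCount);
        }
    private:
        ModelJSLock& m_lock; ThreadId m_self; unsigned m_droppedLockCount;
    };
    // lock(entryCount): the owner re-enters by bumping the count (the re-entry
    // check); a non-owner takes the mutex if it is free, otherwise it would block.
    Result lock(ThreadId self, unsigned entryCount = 1)
    {
        if (currentThreadIsHoldingLock(self)) {
            m_lockCount += entryCount;
            return Result::Reentered;
        }
        if (m_mutexHeld)
            return Result::WouldBlock;       // scenario 3: wait for our turn
        m_mutexHeld = true;
        setOwnerThread(self);
        m_lockCount = entryCount;
        return Result::Acquired;
    }
    void unlock(ThreadId self, unsigned unlockCount = 1)
    {
        assert(currentThreadIsHoldingLock(self) && m_lockCount >= unlockCount);
        m_lockCount -= unlockCount;
        if (m_lockCount)
            return;
        // Clear the owner *before* releasing the mutex: the mutex release is the
        // fence that publishes the 0 to threads reading m_ownerThread unlocked.
        setOwnerThread(0);
        m_mutexHeld = false;
    }
    // The one field any thread may read without the mutex (hence no spin lock):
    // a reader only asks whether the value equals its own id.
    bool currentThreadIsHoldingLock(ThreadId self) const { return m_ownerThread == self; }
    // Release every entry held by self and report how many were dropped.
    unsigned dropAllLocks(ThreadId self)
    {
        if (!currentThreadIsHoldingLock(self))
            return 0;
        unsigned droppedLockCount = m_lockCount;
        unlock(self, droppedLockCount);
        return droppedLockCount;
    }
    // Delegates to lock(); never re-enters, since everything was dropped first.
    Result grabAllLocks(ThreadId self, unsigned droppedLockCount)
    {
        assert(!currentThreadIsHoldingLock(self));
        return lock(self, droppedLockCount);
    }
    unsigned lockCount() const { return m_lockCount; }
    ThreadId ownerThread() const { return m_ownerThread; }
private:
    void setOwnerThread(ThreadId id) { m_ownerThread = id; }
    bool m_mutexHeld = false;     // stands in for the real mutex
    ThreadId m_ownerThread = 0;
    unsigned m_lockCount = 0;
};

// Steps through scenarios 1-3 from the entry plus a DropAllLocks round trip.
// Returns the nesting depth thread A gets back after the round trip (2).
unsigned runScenarios()
{
    const ThreadId threadA = 1, threadB = 2;
    ModelJSLock jsLock;
    assert(!jsLock.currentThreadIsHoldingLock(threadB));             // (1) owner is 0
    assert(jsLock.lock(threadA) == ModelJSLock::Result::Acquired);
    assert(jsLock.lock(threadA) == ModelJSLock::Result::Reentered);  // depth 2, mutex taken once
    assert(!jsLock.currentThreadIsHoldingLock(threadB));             // (3) B sees A's id
    assert(jsLock.lock(threadB) == ModelJSLock::Result::WouldBlock);
    {
        ModelJSLock::DropAllLocks drop(jsLock, threadA);             // A gives up both entries
        assert(jsLock.ownerThread() == 0);                           // (2) unlocked again
        assert(jsLock.lock(threadB) == ModelJSLock::Result::Acquired);
        jsLock.unlock(threadB);
    }                                                                // A grabs depth 2 back
    unsigned depth = jsLock.lockCount();
    jsLock.unlock(threadA, depth);
    return depth;
}
```
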
2014-02-10  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out http://trac.webkit.org/changeset/163796

        The change was not justified in any way and it has a net negative effect on the code.

        * dfg/DFGAbstractInterpreter.h:
        * dfg/DFGAbstractValue.h:
        * dfg/DFGAdjacencyList.h:
        * dfg/DFGArgumentPosition.h:
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        * dfg/DFGArrayMode.cpp:
        * dfg/DFGArrayifySlowPathGenerator.h:
        * dfg/DFGAtTailAbstractState.h:
        * dfg/DFGAvailability.h:
        * dfg/DFGBackwardsPropagationPhase.cpp:
        * dfg/DFGBasicBlock.h:
        * dfg/DFGBasicBlockInlines.h:
        * dfg/DFGByteCodeParser.cpp:
        * dfg/DFGCFAPhase.cpp:
        * dfg/DFGCFGSimplificationPhase.cpp:
        * dfg/DFGCPSRethreadingPhase.cpp:
        * dfg/DFGCSEPhase.cpp:
        * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
        * dfg/DFGCapabilities.cpp:
        * dfg/DFGCapabilities.h:
        * dfg/DFGClobberize.h:
        * dfg/DFGCommonData.cpp:
        * dfg/DFGConstantFoldingPhase.cpp:
        * dfg/DFGCriticalEdgeBreakingPhase.cpp:
        * dfg/DFGDCEPhase.cpp:
        * dfg/DFGDominators.h:
        * dfg/DFGDriver.cpp:
        * dfg/DFGDriver.h:
        * dfg/DFGFixupPhase.cpp:
        * dfg/DFGFlushLivenessAnalysisPhase.cpp:
        * dfg/DFGGenerationInfo.h:
        * dfg/DFGGraph.cpp:
        * dfg/DFGGraph.h:
        * dfg/DFGInPlaceAbstractState.cpp:
        * dfg/DFGInPlaceAbstractState.h:
        * dfg/DFGInlineCacheWrapperInlines.h:
        * dfg/DFGInvalidationPointInjectionPhase.cpp:
        * dfg/DFGJITCode.h:
        * dfg/DFGJITCompiler.cpp:
        * dfg/DFGJITCompiler.h:
        * dfg/DFGJITFinalizer.cpp:
        * dfg/DFGJITFinalizer.h:
        * dfg/DFGLICMPhase.cpp:
        * dfg/DFGLivenessAnalysisPhase.cpp:
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        * dfg/DFGMinifiedNode.h:
        * dfg/DFGNaturalLoops.h:
        * dfg/DFGNode.cpp:
        * dfg/DFGNode.h:
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        * dfg/DFGOSREntry.cpp:
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        * dfg/DFGOSRExit.cpp:
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitBase.cpp:
        * dfg/DFGOSRExitCompilationInfo.h:
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        * dfg/DFGOSRExitCompiler64.cpp:
        * dfg/DFGOSRExitJumpPlaceholder.cpp:
        * dfg/DFGOperations.cpp:
        * dfg/DFGPhase.h:
        * dfg/DFGPlan.h:
        * dfg/DFGPredictionInjectionPhase.cpp:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGResurrectionForValidationPhase.cpp:
        * dfg/DFGSSAConversionPhase.cpp:
        * dfg/DFGSSALoweringPhase.cpp:
        * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
        * dfg/DFGSlowPathGenerator.h:
        * dfg/DFGSpeculativeJIT.cpp:
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        * dfg/DFGSpeculativeJIT64.cpp:
        * dfg/DFGStackLayoutPhase.cpp:
        * dfg/DFGStoreBarrierElisionPhase.cpp:
        * dfg/DFGStrengthReductionPhase.cpp:
        * dfg/DFGThunks.cpp:
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        * dfg/DFGUnificationPhase.cpp:
        * dfg/DFGValidate.h:
        * dfg/DFGValueSource.h:
        * dfg/DFGVariableAccessData.h:
        * dfg/DFGVariableAccessDataDump.cpp:
        * dfg/DFGVariableEvent.h:
        * dfg/DFGVariableEventStream.h:
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        * dfg/DFGWatchpointCollectionPhase.cpp:
        * dfg/DFGWorklist.cpp:

2014-02-10  Peter Molnar  <pmolnar.u-szeged@partner.samsung.com>

        Remove extra includes from DFG
        https://bugs.webkit.org/show_bug.cgi?id=126983

        Reviewed by Andreas Kling.

        * dfg/DFGAbstractInterpreter.h:
        * dfg/DFGAbstractValue.h:
        * dfg/DFGAdjacencyList.h:
        * dfg/DFGArgumentPosition.h:
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        * dfg/DFGArrayMode.cpp:
        * dfg/DFGArrayifySlowPathGenerator.h:
        * dfg/DFGAtTailAbstractState.h:
        * dfg/DFGAvailability.h:
        * dfg/DFGBackwardsPropagationPhase.cpp:
        * dfg/DFGBasicBlock.h:
        * dfg/DFGBasicBlockInlines.h:
        * dfg/DFGByteCodeParser.cpp:
        * dfg/DFGCFAPhase.cpp:
        * dfg/DFGCFGSimplificationPhase.cpp:
        * dfg/DFGCPSRethreadingPhase.cpp:
        * dfg/DFGCSEPhase.cpp:
        * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
        * dfg/DFGCapabilities.cpp:
        * dfg/DFGCapabilities.h:
        * dfg/DFGClobberize.h:
        * dfg/DFGCommonData.cpp:
        * dfg/DFGConstantFoldingPhase.cpp:
        * dfg/DFGCriticalEdgeBreakingPhase.cpp:
        * dfg/DFGDCEPhase.cpp:
        * dfg/DFGDominators.h:
        * dfg/DFGDriver.cpp:
        * dfg/DFGDriver.h:
        * dfg/DFGFixupPhase.cpp:
        * dfg/DFGFlushLivenessAnalysisPhase.cpp:
        * dfg/DFGGenerationInfo.h:
        * dfg/DFGGraph.cpp:
        * dfg/DFGGraph.h:
        * dfg/DFGInPlaceAbstractState.cpp:
        * dfg/DFGInPlaceAbstractState.h:
        * dfg/DFGInlineCacheWrapperInlines.h:
        * dfg/DFGInvalidationPointInjectionPhase.cpp:
        * dfg/DFGJITCode.h:
        * dfg/DFGJITCompiler.cpp:
        * dfg/DFGJITCompiler.h:
        * dfg/DFGJITFinalizer.cpp:
        * dfg/DFGJITFinalizer.h:
        * dfg/DFGLICMPhase.cpp:
        * dfg/DFGLivenessAnalysisPhase.cpp:
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        * dfg/DFGMinifiedNode.h:
        * dfg/DFGNaturalLoops.h:
        * dfg/DFGNode.cpp:
        * dfg/DFGNode.h:
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        * dfg/DFGOSREntry.cpp:
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        * dfg/DFGOSRExit.cpp:
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitBase.cpp:
        * dfg/DFGOSRExitCompilationInfo.h:
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        * dfg/DFGOSRExitCompiler64.cpp:
        * dfg/DFGOSRExitJumpPlaceholder.cpp:
        * dfg/DFGOperations.cpp:
        * dfg/DFGPhase.h:
        * dfg/DFGPlan.h:
        * dfg/DFGPredictionInjectionPhase.cpp:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGResurrectionForValidationPhase.cpp:
        * dfg/DFGSSAConversionPhase.cpp:
        * dfg/DFGSSALoweringPhase.cpp:
        * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
        * dfg/DFGSlowPathGenerator.h:
        * dfg/DFGSpeculativeJIT.cpp:
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        * dfg/DFGSpeculativeJIT64.cpp:
        * dfg/DFGStackLayoutPhase.cpp:
        * dfg/DFGStoreBarrierElisionPhase.cpp:
        * dfg/DFGStrengthReductionPhase.cpp:
        * dfg/DFGThunks.cpp:
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        * dfg/DFGUnificationPhase.cpp:
        * dfg/DFGValidate.h:
        * dfg/DFGValueSource.h:
        * dfg/DFGVariableAccessData.h:
        * dfg/DFGVariableAccessDataDump.cpp:
        * dfg/DFGVariableEvent.h:
        * dfg/DFGVariableEventStream.h:
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        * dfg/DFGWatchpointCollectionPhase.cpp:
        * dfg/DFGWorklist.cpp:

2014-02-10  Filip Pizlo  <fpizlo@apple.com>

        JSC environment variables should override other mechanisms for setting options
        https://bugs.webkit.org/show_bug.cgi?id=128511

        Reviewed by Geoffrey Garen.

        * runtime/Options.cpp:
        (JSC::Options::setOption):
        * runtime/Options.h:

2014-02-10  Darin Adler  <darin@apple.com>

        Stop using String::deprecatedCharacters to call WTF::Collator
        https://bugs.webkit.org/show_bug.cgi?id=128517

        Reviewed by Alexey Proskuryakov.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncLocaleCompare): Use the default constructor for Collator, which now
        gives the default locale collation rules. Use the new arguments for Collator::collate, which
        are now StringView. These two changes together eliminate the need for a separate helper function.

2014-02-10  Filip Pizlo  <fpizlo@apple.com>

        <1/100 probability FTL failure: v8-v6/v8-deltablue.js.ftl-eager: Exception: TypeError: undefined is not an object (evaluating 'c.isInput')
        https://bugs.webkit.org/show_bug.cgi?id=128278

        Reviewed by Mark Hahnenberg.

        Fix another FTL flake due to bytecode liveness corner cases. Hopefully it's the last
        one.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock): Make sure that inside a constructor, the 'this' result is always set. This makes it easier to unify the treatment of 'this' for OSR exit: we just say that it's always live.
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::isLiveInBytecode): Assume that 'this' is live. We were already sort of doing this for calls because the callsite would claim it to be live. But we didn't do it for constructors. It's true that *at the callsite* 'this' won't be live, but inside the inlined constructor, it almost certainly will be.
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run): I just noticed this benign bug. We should only return 'true' if we actually injected checks.
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub): Make it easier to just dump disassembly for FTL OSR exits.
        * runtime/Options.h: Ditto.
        * tests/stress/inlined-constructor-this-liveness.js: Added.
        (Foo):
        (foo):
        * tests/stress/inlined-function-this-liveness.js: Added.
        (bar):
        (foo):

2014-02-10  Filip Pizlo  <fpizlo@apple.com>

        Actually register those DFG::Safepoints
        https://bugs.webkit.org/show_bug.cgi?id=128521

        Reviewed by Mark Hahnenberg.

        No test because GC + thread + JIT = ???.

        * dfg/DFGSafepoint.cpp:
        (JSC::DFG::Safepoint::~Safepoint):
        (JSC::DFG::Safepoint::begin):

2014-02-10  Peter Molnar  <pmolnar.u-szeged@partner.samsung.com>

        Fix EFL build with INSPECTOR disabled
        https://bugs.webkit.org/show_bug.cgi?id=125064

        Reviewed by Csaba Osztrogonác.

        * inspector/InjectedScriptManager.h:
        * inspector/ScriptDebugServer.cpp:
        * inspector/agents/InspectorAgent.h:
        * inspector/scripts/CodeGeneratorInspectorStrings.py:
        (Inspector):

2014-02-09  Filip Pizlo  <fpizlo@apple.com>

        GC blocks on FTL and then badness
        https://bugs.webkit.org/show_bug.cgi?id=128291

        Reviewed by Oliver Hunt.

        Introduce the notion of a DFG::Safepoint, which allows you to unlock the rightToRun
        mutex for your JIT thread, while supplying the GC with all of the information it would
        need to scan you at that moment in time. The default way of using this is
        DFG::GraphSafepoint, where you just supply the Graph. There's a lot of machinery in
        this patch just to make the Graph scannable.

        We then use DFG::GraphSafepoint in just two places for now: (1) while initializing LLVM
        and (2) while invoking LLVM's optimizer and backend.

        This is a 30% speed-up on Octane/typescript and a 10% speed-up on Octane/gbemu. 2-3%
        speed-up overall on Octane.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::visitChildren):
        * dfg/DFGGraph.h:
        * dfg/DFGGraphSafepoint.cpp: Added.
        (JSC::DFG::GraphSafepoint::GraphSafepoint):
        (JSC::DFG::GraphSafepoint::~GraphSafepoint):
        * dfg/DFGGraphSafepoint.h: Added.
        * dfg/DFGOperations.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThread):
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPlan.h:
        * dfg/DFGSafepoint.cpp: Added.
        (JSC::DFG::Safepoint::Safepoint):
        (JSC::DFG::Safepoint::~Safepoint):
        (JSC::DFG::Safepoint::add):
        (JSC::DFG::Safepoint::begin):
        (JSC::DFG::Safepoint::visitChildren):
        * dfg/DFGSafepoint.h: Added.
        * dfg/DFGScannable.h: Added.
        (JSC::DFG::Scannable::Scannable):
        (JSC::DFG::Scannable::~Scannable):
        * dfg/DFGThreadData.cpp: Added.
        (JSC::DFG::ThreadData::ThreadData):
        (JSC::DFG::ThreadData::~ThreadData):
        * dfg/DFGThreadData.h: Added.
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::finishCreation):
        (JSC::DFG::Worklist::visitChildren):
        (JSC::DFG::Worklist::runThread):
        * dfg/DFGWorklist.h:
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * heap/SlotVisitor.h:
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::appendUnbarrieredReadOnlyPointer):
        (JSC::SlotVisitor::appendUnbarrieredReadOnlyValue):
3427
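As an added example that is not JavaScriptCore's code, a single-threaded C++ model of the DFG::Safepoint mechanism the entry above describes (Safepoint::add/begin/visitChildren, the GraphSafepoint scope, per-thread ThreadData and the collector's Worklist::visitChildren pass). The rightToRun mutex is modelled as a flag so the case where the collector would block on a JIT thread is observable; the Scannable stand-in and every name beyond the ChangeLog's are assumptions.

```cpp
// Hypothetical model of DFG::Safepoint (not JSC's code); rightToRun is a flag.
#include <cassert>
#include <utility>
#include <vector>

class Safepoint;
// Stand-in for a DFG::Graph made Scannable: reports how many cells it marks.
struct Scannable {
    unsigned liveCells;
    unsigned visitChildren() const { return liveCells; }
};

// Per-JIT-thread state the collector can reach (DFG::ThreadData in the entry).
struct ThreadData {
    bool rightToRunHeldByJIT = false;  // models the rightToRun mutex
    Safepoint* safepoint = nullptr;    // set while the thread sits in a safepoint
};

class Safepoint {
public:
    explicit Safepoint(ThreadData& data) : m_data(data) { }
    ~Safepoint()
    {
        if (!m_began)
            return;
        m_data.rightToRunHeldByJIT = true;  // retake rightToRun (waits out a running GC)
        m_data.safepoint = nullptr;         // no longer scannable from outside
    }
    void add(Scannable* scannable) { m_scannables.push_back(scannable); }
    // Register with the thread first (the "actually register" follow-up), then yield.
    void begin()
    {
        assert(!m_began && m_data.rightToRunHeldByJIT);
        m_data.safepoint = this;
        m_data.rightToRunHeldByJIT = false;
        m_began = true;
    }
    unsigned visitChildren() const
    {
        unsigned marked = 0;
        for (const Scannable* scannable : m_scannables)
            marked += scannable->visitChildren();
        return marked;
    }
private:
    ThreadData& m_data;
    std::vector<Scannable*> m_scannables;
    bool m_began = false;
};

// DFG::GraphSafepoint: scope in which the graph is scannable and the JIT thread
// may sit inside LLVM without stalling the collector.
class GraphSafepoint {
public:
    GraphSafepoint(ThreadData& data, Scannable& graph) : m_safepoint(data)
    {
        m_safepoint.add(&graph);
        m_safepoint.begin();
    }
private:
    Safepoint m_safepoint;
};

// Collector side (Worklist::visitChildren): -1 if a JIT thread still holds its
// rightToRun, which is where the GC used to block; otherwise the number of
// cells marked through the registered safepoints.
int collectorVisit(const std::vector<ThreadData*>& threads)
{
    int marked = 0;
    for (const ThreadData* data : threads) {
        if (data->rightToRunHeldByJIT)
            return -1;
        if (data->safepoint)
            marked += static_cast<int>(data->safepoint->visitChildren());
    }
    return marked;
}

// One JIT thread compiling a graph with liveCells cells. Returns the collector's
// result {before the safepoint, during the safepoint}: expected {-1, liveCells}.
std::pair<int, int> compileWithSafepoint(unsigned liveCells)
{
    ThreadData data;
    std::vector<ThreadData*> threads { &data };
    Scannable graph { liveCells };
    data.rightToRunHeldByJIT = true;            // the JIT thread normally runs holding it
    int before = collectorVisit(threads);
    int during;
    {
        GraphSafepoint safepoint(data, graph);  // around "initializing LLVM / its backend"
        during = collectorVisit(threads);
    }                                           // ~Safepoint retakes rightToRun, unregisters
    assert(data.rightToRunHeldByJIT && !data.safepoint);
    return { before, during };
}
```
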
2014-02-09  Filip Pizlo  <fpizlo@apple.com>

        Never include *Inlines.h files in interface headers, and never include *Inlines.h when you could include Operations.h instead
        https://bugs.webkit.org/show_bug.cgi?id=128505

        Reviewed by Mark Hahnenberg and Oliver Hunt.

        * API/JSContextRef.cpp:
        * assembler/LinkBuffer.cpp:
        * bytecode/ArrayProfile.cpp:
        * bytecode/BytecodeBasicBlock.cpp:
        * bytecode/BytecodeLivenessAnalysisInlines.h:
        * bytecode/CallLinkInfo.cpp:
        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:
        * bytecode/CodeBlockJettisoningWatchpoint.cpp:
        * bytecode/ExecutionCounter.cpp:
        * bytecode/MethodOfGettingAValueProfile.cpp:
        * bytecode/PreciseJumpTargets.cpp:
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
        * bytecode/SamplingTool.cpp:
        * bytecode/SpecialPointer.cpp:
        * bytecode/StructureStubClearingWatchpoint.cpp:
        * debugger/DebuggerCallFrame.cpp:
        * dfg/DFGAbstractHeap.cpp:
        * dfg/DFGAbstractValue.cpp:
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        * dfg/DFGArithMode.cpp:
        * dfg/DFGArrayMode.cpp:
        * dfg/DFGAtTailAbstractState.cpp:
        * dfg/DFGAvailability.cpp:
        * dfg/DFGBackwardsPropagationPhase.cpp:
        * dfg/DFGBasicBlock.cpp:
        * dfg/DFGBinarySwitch.cpp:
        * dfg/DFGBlockInsertionSet.cpp:
        * dfg/DFGByteCodeParser.cpp:
        * dfg/DFGCFAPhase.cpp:
        * dfg/DFGCFGSimplificationPhase.cpp:
        * dfg/DFGCPSRethreadingPhase.cpp:
        * dfg/DFGCSEPhase.cpp:
        * dfg/DFGCapabilities.cpp:
        * dfg/DFGClobberSet.cpp:
        * dfg/DFGClobberize.cpp:
        * dfg/DFGCommon.cpp:
        * dfg/DFGCommonData.cpp:
        * dfg/DFGCompilationKey.cpp:
        * dfg/DFGCompilationMode.cpp:
        * dfg/DFGConstantFoldingPhase.cpp:
        * dfg/DFGCriticalEdgeBreakingPhase.cpp:
        * dfg/DFGDCEPhase.cpp:
        * dfg/DFGDesiredIdentifiers.cpp:
        * dfg/DFGDesiredStructureChains.cpp:
        * dfg/DFGDesiredTransitions.cpp:
        * dfg/DFGDesiredWatchpoints.cpp:
        * dfg/DFGDisassembler.cpp:
        * dfg/DFGDisassembler.h:
        * dfg/DFGDominators.cpp:
        * dfg/DFGEdge.cpp:
        * dfg/DFGFailedFinalizer.cpp:
        * dfg/DFGFinalizer.cpp:
        * dfg/DFGFixupPhase.cpp:
        * dfg/DFGFlushFormat.cpp:
        * dfg/DFGFlushLivenessAnalysisPhase.cpp:
        * dfg/DFGFlushedAt.cpp:
        * dfg/DFGGraph.cpp:
        * dfg/DFGInPlaceAbstractState.cpp:
        * dfg/DFGInvalidationPointInjectionPhase.cpp:
        * dfg/DFGJITCode.cpp:
        * dfg/DFGJITCompiler.cpp:
        * dfg/DFGJITCompiler.h:
        * dfg/DFGJITFinalizer.cpp:
        * dfg/DFGJumpReplacement.cpp:
        * dfg/DFGLICMPhase.cpp:
        * dfg/DFGLazyJSValue.cpp:
        * dfg/DFGLivenessAnalysisPhase.cpp:
        * dfg/DFGLongLivedState.cpp:
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        * dfg/DFGMinifiedNode.cpp:
        * dfg/DFGNaturalLoops.cpp:
        * dfg/DFGNode.cpp:
        * dfg/DFGNodeFlags.cpp:
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        * dfg/DFGOSREntry.cpp:
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        * dfg/DFGOSRExit.cpp:
        * dfg/DFGOSRExitBase.cpp:
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        * dfg/DFGOSRExitCompiler64.cpp:
        * dfg/DFGOSRExitCompilerCommon.cpp:
        * dfg/DFGOSRExitJumpPlaceholder.cpp:
        * dfg/DFGOSRExitPreparation.cpp:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPhase.cpp:
        * dfg/DFGPlan.cpp:
        * dfg/DFGPredictionInjectionPhase.cpp:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGResurrectionForValidationPhase.cpp:
        * dfg/DFGSSAConversionPhase.cpp:
        * dfg/DFGSSALoweringPhase.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        * dfg/DFGSpeculativeJIT64.cpp:
        * dfg/DFGStackLayoutPhase.cpp:
        * dfg/DFGStoreBarrierElisionPhase.cpp:
        * dfg/DFGStrengthReductionPhase.cpp:
        * dfg/DFGThunks.cpp:
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        * dfg/DFGToFTLDeferredCompilationCallback.cpp:
        * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        * dfg/DFGUnificationPhase.cpp:
        * dfg/DFGUseKind.cpp:
        * dfg/DFGValidate.cpp:
        * dfg/DFGValueSource.cpp:
        * dfg/DFGVariableAccessDataDump.cpp:
        * dfg/DFGVariableEvent.cpp:
        * dfg/DFGVariableEventStream.cpp:
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        * dfg/DFGWatchpointCollectionPhase.cpp:
        * dfg/DFGWorklist.cpp:
        * disassembler/Disassembler.cpp:
        * ftl/FTLLink.cpp:
        * ftl/FTLOSRExitCompiler.cpp:
        * ftl/FTLSlowPathCall.cpp:
        * ftl/FTLThunks.cpp:
        (JSC::FTL::slowPathCallThunkGenerator):
        * heap/BlockAllocator.cpp:
        * heap/CodeBlockSet.cpp:
        * heap/ConservativeRoots.cpp:
        * heap/DeferGC.cpp:
        * heap/GCThread.cpp:
        * heap/GCThreadSharedData.cpp:
        * heap/HeapTimer.cpp:
        * heap/IncrementalSweeper.cpp:
        * heap/JITStubRoutineSet.cpp:
        * heap/MachineStackMarker.cpp:
        * heap/MarkStack.cpp:
        * heap/MarkedAllocator.cpp:
        * heap/MarkedSpace.cpp:
        * heap/SuperRegion.cpp:
        * heap/Weak.cpp:
        * heap/WeakHandleOwner.cpp:
        * heap/WeakSet.cpp:
        * heap/WriteBarrierBuffer.cpp:
        * heap/WriteBarrierSupport.cpp:
        * inspector/ScriptCallStackFactory.cpp:
        * interpreter/AbstractPC.cpp:
        * interpreter/JSStack.cpp:
        * interpreter/ProtoCallFrame.cpp:
        * interpreter/VMInspector.cpp:
        * jit/ArityCheckFailReturnThunks.cpp:
        * jit/AssemblyHelpers.cpp:
        * jit/ExecutableAllocator.cpp:
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        * jit/GCAwareJITStubRoutine.cpp:
        * jit/HostCallReturnValue.cpp:
        * jit/JITDisassembler.cpp:
        * jit/JITDisassembler.h:
        * jit/JITExceptions.cpp:
        * jit/JITInlines.h:
        * jit/JITOperations.cpp:
        * jit/JITOperationsMSVC64.cpp:
        * jit/JITStubRoutine.cpp:
        * jit/JITStubs.cpp:
        * jit/JITToDFGDeferredCompilationCallback.cpp:
        * jit/RegisterPreservationWrapperGenerator.cpp:
        * jit/RegisterSet.cpp:
        * jit/Repatch.cpp:
        * jit/TempRegisterSet.cpp:
        * jsc.cpp:
        * parser/Lexer.cpp:
        * parser/Parser.cpp:
        * parser/ParserArena.cpp:
        * parser/SourceCode.cpp:
        * parser/SourceProvider.cpp:
        * parser/SourceProviderCache.cpp:
        * profiler/ProfileGenerator.cpp:
        * runtime/Arguments.cpp:
        * runtime/ArgumentsIteratorPrototype.cpp:
        * runtime/CommonSlowPathsExceptions.cpp:
        * runtime/JSArgumentsIterator.cpp:
        * runtime/JSFunction.cpp:
        * runtime/JSGlobalObjectFunctions.cpp:
        * runtime/ObjectConstructor.cpp:
        * runtime/Operations.h:
        * runtime/VM.cpp:

2014-02-09  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, don't mark isHostFunction() inline in the header file because that really confuses EFL.

        * runtime/JSFunction.h:

2014-02-09  Anders Carlsson  <andersca@apple.com>

        Add WTF_MAKE_FAST_ALLOCATED to more classes
        https://bugs.webkit.org/show_bug.cgi?id=128506

        Reviewed by Andreas Kling.

        * bytecode/UnlinkedInstructionStream.h:
        * runtime/SymbolTable.h:
        * runtime/WriteBarrier.h:

2014-02-09  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API NSDate conversion is off by 1000x (ms vs s)
        https://bugs.webkit.org/show_bug.cgi?id=128386

        Reviewed by Michael Saboff.

        * API/JSValue.mm:
        (valueToObjectWithoutCopy):
        (valueToDate):
        (objectToValueWithoutCopy):
        * API/tests/DateTests.h: Added.
        * API/tests/DateTests.mm: Added.
        (+[DateTests NSDateToJSDateTest]):
        (+[DateTests JSDateToNSDateTest]):
        (+[DateTests roundTripThroughJSDateTest]):
        (+[DateTests roundTripThroughObjCDateTest]):
        * API/tests/testapi.mm:
        (checkResult):
        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-02-09  Andreas Kling  <akling@apple.com>

        Pass VM instead of ExecState to JSCell::fastGetOwnProperty().
        <https://webkit.org/b/128497>

        Knocks off a couple of instructions.

        Reviewed by Anders Carlsson.

        * dfg/DFGOperations.cpp:
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getByVal):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::fastGetOwnProperty):

2014-02-09  Anders Carlsson  <andersca@apple.com>

        Convert some JSC code over to std::mutex
        https://bugs.webkit.org/show_bug.cgi?id=128500

        Reviewed by Dan Bernstein.

        * API/JSVirtualMachine.mm:
        (wrapperCacheMutex):
        (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]):
        (+[JSVMWrapperCache wrapperForJSContextGroupRef:]):
        * heap/GCThreadSharedData.h:
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::mergeOpaqueRoots):
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::containsOpaqueRootTriState):
        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::registerDebuggable):
        (Inspector::RemoteInspector::unregisterDebuggable):
        (Inspector::RemoteInspector::updateDebuggable):
        (Inspector::RemoteInspector::sendMessageToRemoteFrontend):
        (Inspector::RemoteInspector::start):
        (Inspector::RemoteInspector::stop):
        (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
        (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
        (Inspector::RemoteInspector::xpcConnectionFailed):
        (Inspector::RemoteInspector::pushListingSoon):
        (Inspector::RemoteInspector::receivedIndicateMessage):
        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorDebuggableConnection::setup):
        (Inspector::RemoteInspectorDebuggableConnection::closeFromDebuggable):
        (Inspector::RemoteInspectorDebuggableConnection::close):
        (Inspector::RemoteInspectorDebuggableConnection::sendMessageToBackend):
        * jit/ExecutableAllocator.cpp:
        (JSC::DemandExecutableAllocator::DemandExecutableAllocator):
        (JSC::DemandExecutableAllocator::~DemandExecutableAllocator):
        (JSC::DemandExecutableAllocator::bytesAllocatedByAllAllocators):
        (JSC::DemandExecutableAllocator::bytesCommittedByAllocactors):
        (JSC::DemandExecutableAllocator::dumpProfileFromAllAllocators):
        (JSC::DemandExecutableAllocator::allocatorsMutex):

2014-02-09  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r163737.
        http://trac.webkit.org/changeset/163737
        https://bugs.webkit.org/show_bug.cgi?id=128491

        Caused 8+ tests to fail on Mavericks and Mountain Lion bots
        (Requested by rniwa on #webkit).

        * runtime/JSString.h:
        (JSC::jsSingleCharacterString):
        (JSC::jsSingleCharacterSubstring):
        (JSC::jsString):
        (JSC::jsSubstring8):
        * runtime/SmallStrings.cpp:
        (JSC::SmallStringsStorage::SmallStringsStorage):
        (JSC::SmallStrings::SmallStrings):

2014-02-08  Anders Carlsson  <andersca@apple.com>

        Simplify single character substrings in JSC
        https://bugs.webkit.org/show_bug.cgi?id=128483

        Reviewed by Andreas Kling.

        With the recent work to make StringImpl occupy less space, it is actually more
        efficient to allocate a single character string than it is to use createSubstringSharingImpl!

        * runtime/JSString.h:
        (JSC::jsSingleCharacterString):
        (JSC::jsSingleCharacterSubstring):
        (JSC::jsString):
        (JSC::jsSubstring8):
        * runtime/SmallStrings.cpp:
        (JSC::SmallStringsStorage::SmallStringsStorage):
        (JSC::SmallStrings::SmallStrings):

2014-02-08  Mark Hahnenberg  <mhahnenberg@apple.com>

        Baseline JIT uses the wrong version of checkMarkWord in emitWriteBarrier
        https://bugs.webkit.org/show_bug.cgi?id=128474

        Reviewed by Michael Saboff.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitWriteBarrier):

2014-02-08  Mark Lam  <mark.lam@apple.com>

        Rename a field and some variables in JSLock to better describe what they contain.
        <https://webkit.org/b/128475>

        Reviewed by Oliver Hunt.

        * runtime/JSLock.cpp:
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::dropAllLocksUnconditionally):
        (JSC::JSLock::grabAllLocks):
        (JSC::JSLock::DropAllLocks::DropAllLocks):
        (JSC::JSLock::DropAllLocks::~DropAllLocks):
        * runtime/JSLock.h:

2014-02-08  Anders Carlsson  <andersca@apple.com>

        Stop using getCharactersWithUpconvert in JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=128457

        Reviewed by Andreas Kling.

        Change substituteBackreferencesSlow to take StringViews and use a StringBuilder instead of upconverting
        if the source or replacement strings are 16-bit.

        * runtime/StringPrototype.cpp:
        (JSC::substituteBackreferencesSlow):
        (JSC::substituteBackreferences):

2014-02-08  Mark Rowe  <mrowe@apple.com>

        <https://webkit.org/b/128452> Don't duplicate the list of input files for postprocess-headers.sh

        Reviewed by Dan Bernstein.

        * postprocess-headers.sh: Pull the list of headers to process out of the environment.

2014-02-08  Mark Rowe  <mrowe@apple.com>

        Fix the iOS build.

        * API/WebKitAvailability.h: Skip the workarounds specific to OS X when we're building for iOS.

2014-02-07  Mark Rowe  <mrowe@apple.com>

        <https://webkit.org/b/128448> Fix use of availability macros on recently-added APIs

        Reviewed by Dan Bernstein.

        * API/JSContext.h: Remove some #ifs.
        * API/JSManagedValue.h: Ditto.
        * API/WebKitAvailability.h: #define the macros that availability macros mentioning
        newer OS X versions would expand to when building on older OS versions.
        * JavaScriptCore.xcodeproj/project.pbxproj: Call the new postprocess-headers.sh.
        * postprocess-headers.sh: Extracted from the Xcode project. Updated to remove content
        from headers based on the __MAC_OS_X_VERSION_MIN_REQUIRED macro, and to
        process WebKitAvailability.h.

2014-02-07  Mark Lam  <mark.lam@apple.com>

        JSLock should not "restore" VM stack values if it did not re-grab locks.
        <https://webkit.org/b/128447>

        Reviewed by Geoffrey Garen.

        In the existing code, if DropAllLocks is instantiated with DontAlwaysDropLocks
        in a thread that does not own the JSLock, then a bug will manifest where:

        1. The DropAllLocks constructor will save the VM's stackPointerAtEntry,
           lastStackTop, and reservedZoneSize even though it will not drop the JSLock.
        2. The DropAllLocks destructor will restore those 3 values to the VM even
           though the JSLock will not grab its internal lock.

        The former only causes busy work but does not impact correctness. The latter,
        however, will corrupt those 3 VM values which belong to the thread that
        actually owns the JSLock.

        The fix is to only save the values when the JSLock will actually drop its
        internal lock, and only restore the values if it did re-grab the internal lock.

        * runtime/JSLock.cpp:
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::dropAllLocksUnconditionally):
        (JSC::JSLock::grabAllLocks):
        (JSC::JSLock::DropAllLocks::DropAllLocks):
        - Moved the saving of VM stack values to dropAllLocks() and
          dropAllLocksUnconditionally().
        (JSC::JSLock::DropAllLocks::~DropAllLocks):
        - Moved the restoring of VM stack values to grabAllLocks().

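The save/restore hazard described in the entry above, as an added example that is not part of this ChangeLog or of JavaScriptCore's code: a small C++ model of the lock with the unconditional-restore guard beside the corrected one. The names VMState, LockModel, BuggyDropAllLocks and FixedDropAllLocks and the integer thread ids are assumptions made for the model.

```cpp
// Constructed model of the DropAllLocks bug described in the entry above. Added example,
// not JavaScriptCore code: VMState, LockModel, the guards and int thread ids are hypothetical.
#include <cstdint>
// The three VM values the entry says DropAllLocks saves and restores.
struct VMState {
    uintptr_t stackPointerAtVMEntry = 0;
    uintptr_t lastStackTop = 0;
    unsigned reservedZoneSize = 0;
};

// One lock owned by at most one thread (-1 = unowned) plus the VM values of its current owner.
struct LockModel {
    VMState vm;
    int owner = -1;
    void lock(int thread, VMState values) { owner = thread; vm = values; }
    void unlock() { owner = -1; }
    bool dropAllLocks(int thread) {         // true only if the caller owned the lock and dropped it
        if (owner != thread) return false;  // non-owner with DontAlwaysDropLocks: nothing to drop
        owner = -1;
        return true;
    }
    void grabAllLocks(int thread) { owner = thread; }
};

// Shape before the fix: save in the constructor and restore in the destructor
// whether or not the lock was ever dropped or re-grabbed.
class BuggyDropAllLocks {
public:
    BuggyDropAllLocks(LockModel& lock, int thread)
        : m_lock(lock), m_thread(thread), m_saved(lock.vm)  // saved unconditionally
    { m_didDrop = m_lock.dropAllLocks(m_thread); }
    ~BuggyDropAllLocks() {
        if (m_didDrop) m_lock.grabAllLocks(m_thread);
        m_lock.vm = m_saved;  // restored unconditionally: clobbers the real owner's values
    }
private:
    LockModel& m_lock; int m_thread; VMState m_saved; bool m_didDrop = false;
};

// Shape of the fix: save only when the lock is really dropped, restore only after
// it is really re-grabbed.
class FixedDropAllLocks {
public:
    FixedDropAllLocks(LockModel& lock, int thread) : m_lock(lock), m_thread(thread) {
        m_didDrop = m_lock.dropAllLocks(m_thread);
        if (m_didDrop) m_saved = m_lock.vm;  // saved only because we really dropped
    }
    ~FixedDropAllLocks() {
        if (!m_didDrop) return;              // never dropped, so nothing to restore
        m_lock.grabAllLocks(m_thread);
        m_lock.vm = m_saved;
    }
private:
    LockModel& m_lock; int m_thread; VMState m_saved; bool m_didDrop = false;
};

// The entry's scenario: thread A owns the lock, thread B instantiates the guard, and A
// updates its VM values meanwhile. Returns true if A's values survive B's guard.
template<typename Guard>
bool nonOwnerGuardLeavesOwnerIntact() {
    LockModel lock;
    const int threadA = 1, threadB = 2;
    lock.lock(threadA, VMState{0x1000, 0x2000, 64});
    {
        Guard guard(lock, threadB);              // B does not own the lock
        lock.vm.stackPointerAtVMEntry = 0x3000;  // A re-enters the VM meanwhile
    }
    return lock.owner == threadA && lock.vm.stackPointerAtVMEntry == 0x3000;
}

// The case both versions must keep working: the owner drops, thread C uses the lock
// with its own values, and the owner's values come back when it re-grabs.
template<typename Guard>
bool ownerRoundTripRestores() {
    LockModel lock;
    const int threadA = 1, threadC = 3;
    lock.lock(threadA, VMState{0x1000, 0x2000, 64});
    {
        Guard guard(lock, threadA);              // A really drops the lock here
        lock.lock(threadC, VMState{0x9000, 0x9100, 32});
        lock.unlock();
    }
    return lock.owner == threadA && lock.vm.stackPointerAtVMEntry == 0x1000 && lock.vm.lastStackTop == 0x2000;
}
```

With the buggy guard the non-owner scenario returns false (thread A's stackPointerAtVMEntry is reset to the stale snapshot); the fixed guard leaves it untouched while still restoring correctly in the round-trip case.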
2014-02-07  Filip Pizlo  <fpizlo@apple.com>

        Don't throw away code if there is code on the worklists
        https://bugs.webkit.org/show_bug.cgi?id=128443

        Reviewed by Joseph Pecoraro.

        If we throw away compiled code and there is code currently being JITed then the JIT
        will get confused after it resumes: it will see a code block that had claimed to belong
        to an executable except that it doesn't belong to any executables anymore.

        * dfg/DFGWorklist.h:
        (JSC::DFG::Worklist::isActive):
        * heap/Heap.cpp:
        (JSC::Heap::deleteAllCompiledCode):

2014-02-07  Filip Pizlo  <fpizlo@apple.com>

        GC should safepoint the DFG worklist in a smarter way rather than just waiting for everything to complete
        https://bugs.webkit.org/show_bug.cgi?id=128297

        Reviewed by Oliver Hunt.

        This makes DFG worklist threads have a rightToRun lock that gives them the ability to
        be safepointed by the GC in much the same way as you'd expect from a fully
        multithreaded VM.

        The idea is that the worklist threads' roots are the DFG::Plan. They only touch those
        roots when holding the rightToRun lock. They currently grab that lock to run the
        compiler, but relinquish it when accessing - and waiting on - the worklist.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlockSet::mark):
        * dfg/DFGCompilationKey.cpp:
        (JSC::DFG::CompilationKey::visitChildren):
        * dfg/DFGCompilationKey.h:
        * dfg/DFGDesiredStructureChains.cpp:
        (JSC::DFG::DesiredStructureChains::visitChildren):
        * dfg/DFGDesiredStructureChains.h:
        * dfg/DFGDesiredTransitions.cpp:
        (JSC::DFG::DesiredTransition::visitChildren):
        (JSC::DFG::DesiredTransitions::visitChildren):
        * dfg/DFGDesiredTransitions.h:
        * dfg/DFGDesiredWeakReferences.cpp:
        (JSC::DFG::DesiredWeakReferences::visitChildren):
        * dfg/DFGDesiredWeakReferences.h:
        * dfg/DFGDesiredWriteBarriers.cpp:
        (JSC::DFG::DesiredWriteBarrier::visitChildren):
        (JSC::DFG::DesiredWriteBarriers::visitChildren):
        * dfg/DFGDesiredWriteBarriers.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::visitChildren):
        * dfg/DFGPlan.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::~Worklist):
        (JSC::DFG::Worklist::finishCreation):
        (JSC::DFG::Worklist::suspendAllThreads):
        (JSC::DFG::Worklist::resumeAllThreads):
        (JSC::DFG::Worklist::visitChildren):
        (JSC::DFG::Worklist::runThread):
        (JSC::DFG::Worklist::threadFunction):
        * dfg/DFGWorklist.h:
        (JSC::DFG::numberOfWorklists):
        (JSC::DFG::worklistForIndexOrNull):
        * heap/CodeBlockSet.h:
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::collect):
        * runtime/IntendedStructureChain.cpp:
        (JSC::IntendedStructureChain::visitChildren):
        * runtime/IntendedStructureChain.h:
        * runtime/VM.cpp:
        (JSC::VM::~VM):
        (JSC::VM::prepareToDiscardCode):

2014-02-07  Mark Lam  <mark.lam@apple.com>

        Unify JSLock implementation for iOS and non-iOS ports.
        <https://webkit.org/b/128409>

        Reviewed by Michael Saboff.

        The iOS and non-iOS implementations of dropAllLocks(),
        dropAllLocksUnconditionally(), and grabAllLocks() effectively do the
        same work. The main difference is that the iOS implementation acquires
        the JSLock spin lock in the DropAllLocks class while the other ports
        acquire it when they call JSLock::lock() and unlock().

        The other difference is that the iOS implementation will only increment
        m_locksDropDepth if it actually drops locks, whereas other ports will
        increment it unconditionally. Analogously, iOS decrements the depth only
        when needed while other ports will decrement it unconditionally when
        re-grabbing locks.

        We can unify the 2 implementations by having both use the iOS
        implementation for a start.

        * runtime/JSLock.cpp:
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::dropAllLocksUnconditionally):
        (JSC::JSLock::grabAllLocks):
        (JSC::JSLock::DropAllLocks::DropAllLocks):
        (JSC::JSLock::DropAllLocks::~DropAllLocks):

2014-02-06  Filip Pizlo  <fpizlo@apple.com>

        More FTL build scaffolding
        https://bugs.webkit.org/show_bug.cgi?id=128330

        Reviewed by Geoffrey Garen.

        * Configurations/FeatureDefines.xcconfig:
        * llvm/library/LLVMAnchor.cpp:

2014-02-07  Mark Lam  <mark.lam@apple.com>

        iOS port needs to clear VM::stackPointerAtVMEntry when it drops locks.
        <https://webkit.org/b/128424>

        Reviewed by Geoffrey Garen.

        The iOS code path for dropping locks differs from the non-iOS code path
        in that it (iOS) does not clear m_vm->stackPointerAtVMEntry nor reset the
        VM stack limit. This is now fixed by copying that snippet from
        JSLock::unlock().

        * runtime/JSLock.cpp:
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::dropAllLocksUnconditionally):

2014-02-07  Mark Lam  <mark.lam@apple.com>

        Removed superfluous JSLock::entryStackPointer field.
        <https://webkit.org/b/128413>

        Reviewed by Geoffrey Garen.

        * runtime/JSLock.cpp:
        (JSC::JSLock::lock):
        * runtime/JSLock.h:

2014-02-07  Mark Lam  <mark.lam@apple.com>

        Revert workaround committed in http://trac.webkit.org/r163595.
        <https://webkit.org/b/128408>

        Reviewed by Geoffrey Garen.

        Now that we have fixed the bugs in JSLock's stack limit adjustments
        in https://bugs.webkit.org/show_bug.cgi?id=128406, we can revert the
        workaround in r163595.

        * API/JSContextRef.cpp:
        (JSContextGroupCreate):
        (JSGlobalContextCreateInGroup):
        * API/tests/testapi.js:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::updateStackLimitWithReservedZoneSize):
        * runtime/VM.h:

2014-02-07  Mark Lam  <mark.lam@apple.com>

        Fix bug in stack limit adjustments in JSLock.
        <https://webkit.org/b/128406>

        Reviewed by Geoffrey Garen.

        1. JSLock::unlock() was only clearing the VM::stackPointerAtEntry when
           m_vm->stackPointerAtVMEntry == entryStackPointer. FYI,
           entryStackPointer is a field in JSLock.

           When DropAllLocks::~DropAllLocks() will call JSLock::grabAllLocks()
           to relock the JSLock, JSLock::grabAllLocks() will set a new
           entryStackPointer value. Thereafter, DropAllLocks::~DropAllLocks() will
           restore the saved VM::stackPointerAtEntry, which will now differ from
           the JSLock's entryStackPointer value.

           It turns out that when m_vm->stackPointerAtVMEntry was initialized,
           it was set to whatever value entryStackPointer is set to. At no time
           do we ever expect the 2 values to differ. The only time it differs is
           when this bug manifests.

           The fix is to remove the entryStackPointer field in JSLock and its uses
           altogether.

        2. DropAllLocks was unconditionally clearing VM::stackPointerAtEntry in
           its constructor instead of letting JSLock::unlock() do the clearing.

           However, DropAllLocks will not actually drop locks if it isn't required
           to (e.g. when alwaysDropLocks is DontAlwaysDropLocks), and when we've
           already dropped locks once (i.e. JSLock::m_lockDropDepth is not 0).

           We should not have cleared VM::stackPointerAtEntry here if we don't
           actually drop the locks.

        * runtime/JSLock.cpp:
        (JSC::JSLock::unlock):
