Unreviewed, rolling out r161540.
[WebKit.git] / Source / JavaScriptCore / ChangeLog
1 2014-01-09  Commit Queue  <commit-queue@webkit.org>
2
3         Unreviewed, rolling out r161540.
4         http://trac.webkit.org/changeset/161540
5         https://bugs.webkit.org/show_bug.cgi?id=126704
6
7         Caused assertion failures on multiple tests (Requested by ap
8         on #webkit).
9
10         * bytecode/CodeBlock.cpp:
11         (JSC::CodeBlock::visitAggregate):
12         * bytecode/CodeBlock.h:
13         (JSC::CodeBlockSet::mark):
14         * dfg/DFGOperations.cpp:
15         * heap/CodeBlockSet.cpp:
16         (JSC::CodeBlockSet::add):
17         (JSC::CodeBlockSet::traceMarked):
18         * heap/CodeBlockSet.h:
19         * heap/CopiedBlockInlines.h:
20         (JSC::CopiedBlock::reportLiveBytes):
21         * heap/CopiedSpace.cpp:
22         * heap/CopiedSpace.h:
23         * heap/Heap.cpp:
24         (JSC::Heap::Heap):
25         (JSC::Heap::didAbandon):
26         (JSC::Heap::markRoots):
27         (JSC::Heap::copyBackingStores):
28         (JSC::Heap::collectAllGarbage):
29         (JSC::Heap::collect):
30         (JSC::Heap::didAllocate):
31         * heap/Heap.h:
32         (JSC::Heap::shouldCollect):
33         (JSC::Heap::isCollecting):
34         (JSC::Heap::isWriteBarrierEnabled):
35         (JSC::Heap::writeBarrier):
36         * heap/HeapOperation.h:
37         * heap/MarkStack.cpp:
38         (JSC::MarkStackArray::~MarkStackArray):
39         * heap/MarkStack.h:
40         * heap/MarkedAllocator.cpp:
41         (JSC::MarkedAllocator::isPagedOut):
42         (JSC::MarkedAllocator::tryAllocateHelper):
43         (JSC::MarkedAllocator::addBlock):
44         (JSC::MarkedAllocator::removeBlock):
45         * heap/MarkedAllocator.h:
46         (JSC::MarkedAllocator::MarkedAllocator):
47         (JSC::MarkedAllocator::reset):
48         * heap/MarkedBlock.cpp:
49         * heap/MarkedBlock.h:
50         (JSC::MarkedBlock::lastChanceToFinalize):
51         (JSC::MarkedBlock::didConsumeEmptyFreeList):
52         (JSC::MarkedBlock::clearMarks):
53         * heap/MarkedSpace.cpp:
54         (JSC::MarkedSpace::~MarkedSpace):
55         (JSC::MarkedSpace::resetAllocators):
56         (JSC::MarkedSpace::visitWeakSets):
57         (JSC::MarkedSpace::reapWeakSets):
58         * heap/MarkedSpace.h:
59         (JSC::ClearMarks::operator()):
60         (JSC::MarkedSpace::clearMarks):
61         * heap/SlotVisitor.cpp:
62         (JSC::SlotVisitor::~SlotVisitor):
63         * heap/SlotVisitor.h:
64         (JSC::SlotVisitor::sharedData):
65         * heap/SlotVisitorInlines.h:
66         (JSC::SlotVisitor::internalAppend):
67         (JSC::SlotVisitor::copyLater):
68         (JSC::SlotVisitor::reportExtraMemoryUsage):
69         * jit/Repatch.cpp:
70         * runtime/JSGenericTypedArrayViewInlines.h:
71         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
72         * runtime/JSPropertyNameIterator.h:
73         (JSC::StructureRareData::setEnumerationCache):
74         * runtime/JSString.cpp:
75         (JSC::JSString::visitChildren):
76         * runtime/StructureRareDataInlines.h:
77         (JSC::StructureRareData::setPreviousID):
78         (JSC::StructureRareData::setObjectToStringValue):
79         * runtime/WeakMapData.cpp:
80         (JSC::WeakMapData::visitChildren):
81
82 2014-01-09  Andreas Kling  <akling@apple.com>
83
84         Shrink WatchpointSet.
85         <https://webkit.org/b/126694>
86
87         Reorder the members of WatchpointSet, shrinking it by 8 bytes.
88         767 kB progression on Membuster3.
89
90         Reviewed by Antti Koivisto.
91
92         * bytecode/Watchpoint.h:
93
94 2014-01-08  Mark Hahnenberg  <mhahnenberg@apple.com>
95
96         Reverting accidental GC logging
97
98         * heap/Heap.cpp:
99
100 2014-01-07  Mark Hahnenberg  <mhahnenberg@apple.com>
101
102         Marking should be generational
103         https://bugs.webkit.org/show_bug.cgi?id=126552
104
105         Reviewed by Geoffrey Garen.
106
107         Re-marking the same objects over and over is a waste of effort. This patch implements 
108         the sticky mark bit algorithm (along with our already-present write barriers) to reduce 
109         overhead during garbage collection caused by rescanning objects.
110
111         There are now two collection modes, EdenCollection and FullCollection. EdenCollections
112         only visit new objects or objects that were added to the remembered set by a write barrier.
113         FullCollections are normal collections that visit all objects regardless of their 
114         generation.
115
116         In this patch EdenCollections do not do anything in CopiedSpace. This will be fixed in 
117         https://bugs.webkit.org/show_bug.cgi?id=126555.
118
119         * bytecode/CodeBlock.cpp:
120         (JSC::CodeBlock::visitAggregate):
121         * bytecode/CodeBlock.h:
122         (JSC::CodeBlockSet::mark):
123         * dfg/DFGOperations.cpp:
124         * heap/CodeBlockSet.cpp:
125         (JSC::CodeBlockSet::add):
126         (JSC::CodeBlockSet::traceMarked):
127         (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks):
128         * heap/CodeBlockSet.h:
129         * heap/CopiedBlockInlines.h:
130         (JSC::CopiedBlock::reportLiveBytes):
131         * heap/CopiedSpace.cpp:
132         (JSC::CopiedSpace::didStartFullCollection):
133         * heap/CopiedSpace.h:
134         (JSC::CopiedSpace::heap):
135         * heap/Heap.cpp:
136         (JSC::Heap::Heap):
137         (JSC::Heap::didAbandon):
138         (JSC::Heap::markRoots):
139         (JSC::Heap::copyBackingStores):
140         (JSC::Heap::addToRememberedSet):
141         (JSC::Heap::collectAllGarbage):
142         (JSC::Heap::collect):
143         (JSC::Heap::didAllocate):
144         (JSC::Heap::writeBarrier):
145         * heap/Heap.h:
146         (JSC::Heap::isInRememberedSet):
147         (JSC::Heap::operationInProgress):
148         (JSC::Heap::shouldCollect):
149         (JSC::Heap::isCollecting):
150         (JSC::Heap::isWriteBarrierEnabled):
151         (JSC::Heap::writeBarrier):
152         * heap/HeapOperation.h:
153         * heap/MarkStack.cpp:
154         (JSC::MarkStackArray::~MarkStackArray):
155         (JSC::MarkStackArray::clear):
156         (JSC::MarkStackArray::fillVector):
157         * heap/MarkStack.h:
158         * heap/MarkedAllocator.cpp:
159         (JSC::isListPagedOut):
160         (JSC::MarkedAllocator::isPagedOut):
161         (JSC::MarkedAllocator::tryAllocateHelper):
162         (JSC::MarkedAllocator::addBlock):
163         (JSC::MarkedAllocator::removeBlock):
164         (JSC::MarkedAllocator::reset):
165         * heap/MarkedAllocator.h:
166         (JSC::MarkedAllocator::MarkedAllocator):
167         * heap/MarkedBlock.cpp:
168         (JSC::MarkedBlock::clearMarks):
169         (JSC::MarkedBlock::clearRememberedSet):
170         (JSC::MarkedBlock::clearMarksWithCollectionType):
171         (JSC::MarkedBlock::lastChanceToFinalize):
172         * heap/MarkedBlock.h: Changed atomSize to 16 bytes because we have no objects smaller
173         than 16 bytes. This is also to pay for the additional Bitmap for the remembered set.
174         (JSC::MarkedBlock::didConsumeEmptyFreeList):
175         (JSC::MarkedBlock::setRemembered):
176         (JSC::MarkedBlock::clearRemembered):
177         (JSC::MarkedBlock::atomicClearRemembered):
178         (JSC::MarkedBlock::isRemembered):
179         * heap/MarkedSpace.cpp:
180         (JSC::MarkedSpace::~MarkedSpace):
181         (JSC::MarkedSpace::resetAllocators):
182         (JSC::MarkedSpace::visitWeakSets):
183         (JSC::MarkedSpace::reapWeakSets):
184         (JSC::VerifyMarked::operator()):
185         (JSC::MarkedSpace::clearMarks):
186         * heap/MarkedSpace.h:
187         (JSC::ClearMarks::operator()):
188         (JSC::ClearRememberedSet::operator()):
189         (JSC::MarkedSpace::didAllocateInBlock):
190         (JSC::MarkedSpace::clearRememberedSet):
191         * heap/SlotVisitor.cpp:
192         (JSC::SlotVisitor::~SlotVisitor):
193         (JSC::SlotVisitor::clearMarkStack):
194         * heap/SlotVisitor.h:
195         (JSC::SlotVisitor::markStack):
196         (JSC::SlotVisitor::sharedData):
197         * heap/SlotVisitorInlines.h:
198         (JSC::SlotVisitor::internalAppend):
199         (JSC::SlotVisitor::unconditionallyAppend):
200         (JSC::SlotVisitor::copyLater):
201         (JSC::SlotVisitor::reportExtraMemoryUsage):
202         (JSC::SlotVisitor::heap):
203         * jit/Repatch.cpp:
204         * runtime/JSGenericTypedArrayViewInlines.h:
205         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
206         * runtime/JSPropertyNameIterator.h:
207         (JSC::StructureRareData::setEnumerationCache):
208         * runtime/JSString.cpp:
209         (JSC::JSString::visitChildren):
210         * runtime/StructureRareDataInlines.h:
211         (JSC::StructureRareData::setPreviousID):
212         (JSC::StructureRareData::setObjectToStringValue):
213         * runtime/WeakMapData.cpp:
214         (JSC::WeakMapData::visitChildren):
215
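The sticky-mark-bit scheme this entry describes, reduced to a toy heap as an added example. This is not JavaScriptCore code: Cell, Heap, store, storeWithoutBarrier, runScenario and the free-list reuse in allocate are assumptions made for illustration. An EdenCollection visits only unmarked (new) cells plus the cells the write barrier put in the remembered set; a FullCollection is the only thing that clears mark bits. The scenario below promotes an object with a full collection, then stores a pointer to a new object into it with and without the barrier, and runs an eden collection.

```cpp
// Added example (not JavaScriptCore code): a toy generational marker with sticky
// mark bits, a remembered set and a write barrier. All names are illustrative.
#include <cassert>
#include <cstddef>
#include <memory>
#include <vector>

struct Cell {
    bool marked = false;      // sticky: an EdenCollection never clears it, only a FullCollection does
    bool remembered = false;  // set by the write barrier when an old (marked) cell gains a new edge
    bool alive = true;        // false once the sweeper has put the cell on the free list
    std::vector<Cell*> children;
};

enum class CollectionType { EdenCollection, FullCollection };

class Heap {
public:
    Cell* allocate() {
        if (!freeList_.empty()) {            // reuse a swept cell, as a real allocator would
            Cell* c = freeList_.back(); freeList_.pop_back();
            *c = Cell();
            return c;
        }
        cells_.push_back(std::make_unique<Cell>());
        return cells_.back().get();
    }

    // Every pointer store goes through here; the barrier records old->new edges.
    void store(Cell* owner, Cell* value) { owner->children.push_back(value); writeBarrier(owner); }
    // The bug a barrier guards against: an unbarriered store into an old object.
    void storeWithoutBarrier(Cell* owner, Cell* value) { owner->children.push_back(value); }

    void writeBarrier(Cell* owner) {
        if (owner->marked && !owner->remembered) {   // only old (already-marked) cells matter
            owner->remembered = true;
            rememberedSet_.push_back(owner);
        }
    }

    void collect(CollectionType type, const std::vector<Cell*>& roots) {
        std::vector<Cell*> markStack;
        if (type == CollectionType::FullCollection) {
            for (auto& c : cells_) c->marked = false;       // the only place marks are cleared
            for (Cell* c : rememberedSet_) c->remembered = false;
        } else {
            // Eden: remembered cells are extra roots. They are already marked, so they are
            // pushed unconditionally; their children then get the normal conditional visit.
            for (Cell* c : rememberedSet_) { c->remembered = false; markStack.push_back(c); }
        }
        rememberedSet_.clear();
        for (Cell* r : roots) visit(r, markStack);
        while (!markStack.empty()) {
            Cell* c = markStack.back(); markStack.pop_back();
            for (Cell* child : c->children) visit(child, markStack);
        }
        sweep();
    }

    size_t liveCount() const {
        size_t n = 0;
        for (auto& c : cells_) n += c->alive;
        return n;
    }

private:
    // Sticky mark bit: an already-marked cell is old and is not rescanned in an EdenCollection.
    static void visit(Cell* c, std::vector<Cell*>& markStack) {
        if (c->marked) return;
        c->marked = true;
        markStack.push_back(c);
    }
    void sweep() {
        for (auto& c : cells_)
            if (!c->marked && c->alive) { c->alive = false; freeList_.push_back(c.get()); }
    }
    std::vector<std::unique_ptr<Cell>> cells_;
    std::vector<Cell*> rememberedSet_;
    std::vector<Cell*> freeList_;
};

struct Outcome { bool youngSurvived; bool slotReused; };

// root -> old is established and promoted by a FullCollection; then old -> young is stored
// with or without the barrier and an EdenCollection runs.
Outcome runScenario(bool useBarrier) {
    Heap heap;
    Cell* root = heap.allocate();
    Cell* old = heap.allocate();
    heap.store(root, old);
    heap.collect(CollectionType::FullCollection, {root});   // root and old are now "old generation"
    Cell* young = heap.allocate();
    if (useBarrier) heap.store(old, young);
    else heap.storeWithoutBarrier(old, young);
    heap.collect(CollectionType::EdenCollection, {root});
    bool survived = young->alive;
    // If young was wrongly swept, the next allocation hands its memory to a new object while
    // old->children[0] still points at it: the stale pointer now aliases a different cell.
    Cell* next = heap.allocate();
    return { survived, next == old->children[0] };
}

int main() {
    assert(runScenario(true).youngSurvived);
    assert(!runScenario(false).youngSurvived);
    return 0;
}
```

With the barrier, old lands in the remembered set, the eden collection rescans it and young survives. Without it, root and old are skipped because their mark bits are sticky, young is never reached, and the sweeper frees it while old still holds the pointer; the following allocate() returns the same cell, which is the general reason an unbarriered old-to-new store in a generational heap is a memory-safety bug rather than a leak.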
216 2014-01-08  Sam Weinig  <sam@webkit.org>
217
218         [JS] Should be able to create a promise by calling the Promise constructor as a function
219         https://bugs.webkit.org/show_bug.cgi?id=126561
220
221         Reviewed by Geoffrey Garen.
222
223         * runtime/JSPromiseConstructor.cpp:
224         (JSC::JSPromiseConstructor::getCallData):
225         Add support for calling the Promise constructor as a function (e.g. var p = Promise(...), note
226         the missing "new").
227
228 2014-01-08  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>
229
230         [EFL] Make FTL buildable
231         https://bugs.webkit.org/show_bug.cgi?id=125777
232
233         Reviewed by Csaba Osztrogonác.
234
235         * CMakeLists.txt:
236         * ftl/FTLOSREntry.cpp:
237         * ftl/FTLOSRExitCompiler.cpp:
238         * llvm/library/config_llvm.h:
239
240 2014-01-08  Zan Dobersek  <zdobersek@igalia.com>
241
242         [Automake] Scripts for generated build targets do not necessarily produce their output
243         https://bugs.webkit.org/show_bug.cgi?id=126378
244
245         Reviewed by Carlos Garcia Campos.
246
247         * GNUmakefile.am: Touch the build targets that are generated through helper scripts that don't
248         assure the output is generated every time the script is invoked, most commonly due to unchanged
249         input. This assures the build targets are up-to-date and can't be older than their dependencies,
250         which would result in constant regeneration at every build.
251
252 2014-01-07  Filip Pizlo  <fpizlo@apple.com>
253
254         DFG fixup phase should be responsible for inserting ValueToInt32's as needed and it should use Phantom to keep the original values alive in case of OSR exit
255         https://bugs.webkit.org/show_bug.cgi?id=126600
256
257         Reviewed by Michael Saboff.
258         
259         This fixes an embarrassing OSR exit liveness bug. It also simplifies the code. We were
260         already using FixupPhase as the place where conversion nodes get inserted. ValueToInt32
261         was the only exception to that rule, and that was one of the reasons why we had this bug.
262         
263         Henceforth ValueToInt32 is only inserted by FixupPhase, and only when it is necessary:
264         we have a BitOp that will want a ToInt32 conversion and the operand is not predicted to
265         already be an int32. If FixupPhase inserts any ValueToInt32's then the BitOp will no
266         longer appear to use the original operand, which will make OSR exit think that the
267         original operand is dead. We work around this the way we always do: insert a Phantom on
268         the original operands right after the BitOp. This ensures that any OSR exit in any of the
269         ValueToInt32's or in the BitOp itself will have values for the original inputs.
270
271         * dfg/DFGBackwardsPropagationPhase.cpp:
272         (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
273         (JSC::DFG::BackwardsPropagationPhase::propagate):
274         * dfg/DFGByteCodeParser.cpp:
275         (JSC::DFG::ByteCodeParser::handleIntrinsic):
276         (JSC::DFG::ByteCodeParser::parseBlock):
277         * dfg/DFGFixupPhase.cpp:
278         (JSC::DFG::FixupPhase::fixupNode):
279         (JSC::DFG::FixupPhase::fixIntEdge):
280         (JSC::DFG::FixupPhase::fixBinaryIntEdges):
281         * dfg/DFGPredictionPropagationPhase.cpp:
282         (JSC::DFG::PredictionPropagationPhase::propagate):
283         * tests/stress/bit-op-value-to-int32-input-liveness.js: Added.
284         (foo):
285
286 2014-01-07  Mark Hahnenberg  <mhahnenberg@apple.com>
287
288         Repatch write barrier slow path call doesn't align the stack in the presence of saved registers
289         https://bugs.webkit.org/show_bug.cgi?id=126093
290
291         Reviewed by Geoffrey Garen.
292
293         * jit/Repatch.cpp: Reworked the stack alignment code for calling out to C code on the write barrier slow path.
294         We need to properly account for the number of reused registers that were saved to the stack, so we have to 
295         pass the ScratchRegisterAllocator around.
296         (JSC::storeToWriteBarrierBuffer):
297         (JSC::writeBarrier):
298         (JSC::emitPutReplaceStub):
299         (JSC::emitPutTransitionStub):
300         * jit/ScratchRegisterAllocator.h: Previously the ScratchRegisterAllocator only knew whether or not it had
301         reused registers, but not how many. In order to correctly align the stack for calls to C slow paths for 
302         the write barriers in inline caches we need to know how the stack is aligned. So now ScratchRegisterAllocator
303         tracks how many registers it has reused.
304         (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
305         (JSC::ScratchRegisterAllocator::allocateScratch):
306         (JSC::ScratchRegisterAllocator::didReuseRegisters):
307         (JSC::ScratchRegisterAllocator::numberOfReusedRegisters):
308         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
309         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
310         * llint/LowLevelInterpreter64.asm: Random typo fix.
311
312 2014-01-07  Mark Lam  <mark.lam@apple.com>
313
314         r161364 caused JSC tests regression on non-DFG builds (e.g. C Loop and Windows).
315         https://bugs.webkit.org/show_bug.cgi?id=126589.
316
317         Reviewed by Filip Pizlo.
318
319         After the removal of ENABLE(VALUE_PROFILER), the LLINT is now expecting the
320         relevant opcode operands to point to ValueProfiler data structures and will
321         write profiling data into them. Hence, we need to allocate these data
322         structures even though the profiling data won't be used in non-DFG builds.
323
324         * bytecode/CodeBlock.cpp:
325         (JSC::CodeBlock::CodeBlock):
326
327 2014-01-07  Filip Pizlo  <fpizlo@apple.com>
328
329         ASSERT in compileArithNegate on pdfjs
330         https://bugs.webkit.org/show_bug.cgi?id=126584
331
332         Reviewed by Mark Hahnenberg.
333         
334         Check negative zero when we should check it, not when we shouldn't check it. :-/
335
336         * dfg/DFGSpeculativeJIT.cpp:
337         (JSC::DFG::SpeculativeJIT::compileArithNegate):
338
339 2014-01-07  Gabor Rapcsanyi  <rgabor@webkit.org>
340
341         pushFinallyContext saves wrong m_labelScopes size
342         https://bugs.webkit.org/show_bug.cgi?id=124529
343
344         Remove free label scopes before saving finally context.
345
346         Reviewed by Geoffrey Garen.
347
348         * bytecompiler/BytecodeGenerator.cpp:
349         (JSC::BytecodeGenerator::pushFinallyContext):
350
351 2014-01-06  Mark Hahnenberg  <mhahnenberg@apple.com>
352
353         Heap::collect shouldn't be responsible for sweeping
354         https://bugs.webkit.org/show_bug.cgi?id=126556
355
356         Reviewed by Geoffrey Garen.
357
358         Sweeping happens at an awkward time during collection due to the fact that destructors can 
359         cause arbitrary reentry into the VM. This patch separates collecting and sweeping, and delays 
360         sweeping until after collection has completely finished.
361
362         * heap/Heap.cpp:
363         (JSC::Heap::collectAllGarbage):
364         (JSC::Heap::collect):
365         (JSC::Heap::collectIfNecessaryOrDefer):
366         * heap/Heap.h:
367         * heap/MarkedSpace.cpp:
368         (JSC::MarkedSpace::sweep):
369         * runtime/GCActivityCallback.cpp:
370         (JSC::DefaultGCActivityCallback::doWork):
371
372 2014-01-07  Mark Rowe  <mrowe@apple.com>
373
374         <https://webkit.org/b/126567> Remove the legacy WebKit availability macros
375
376         They're no longer used.
377
378         Reviewed by Ryosuke Niwa.
379
380         * API/WebKitAvailability.h:
381
382 2014-01-07  Filip Pizlo  <fpizlo@apple.com>
383
384         SetLocal for a FlushedArguments should not claim that the dataFormat is DataFormatJS
385         https://bugs.webkit.org/show_bug.cgi?id=126563
386
387         Reviewed by Gavin Barraclough.
388         
389         This was a rookie arguments simplification mistake: the SetLocal needs to record the fact
390         that although it set JSValue(), OSR should think it set Arguments. DataFormatArguments
391         conveys this, and dataFormatFor(FlushFormat) will do the right thing.
392
393         * dfg/DFGSpeculativeJIT32_64.cpp:
394         (JSC::DFG::SpeculativeJIT::compile):
395         * dfg/DFGSpeculativeJIT64.cpp:
396         (JSC::DFG::SpeculativeJIT::compile):
397         * tests/stress/phantom-arguments-set-local-then-exit-in-same-block.js: Added.
398         (foo):
399
400 2014-01-06  Filip Pizlo  <fpizlo@apple.com>
401
402         Make the different flavors of integer arithmetic more explicit, and don't rely on (possibly stale) results of the backwards propagator to decide integer arithmetic semantics
403         https://bugs.webkit.org/show_bug.cgi?id=125519
404
405         Reviewed by Geoffrey Garen.
406         
407         Adds the Arith::Mode enum to arithmetic nodes, which makes it explicit what sorts of
408         checks and overflows the node should do. Previously this would be deduced from
409         backwards analysis results.
410         
411         This also makes "unchecked" variants really mean that you want the int32 wrapped
412         result, so ArithIMul is now done in terms of ArithMul(Unchecked). That means that the
413         constant folder needs to compute exactly the result implied by ArithMode, instead of
414         just folding the double result.
415
416         * CMakeLists.txt:
417         * GNUmakefile.list.am:
418         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
419         * JavaScriptCore.xcodeproj/project.pbxproj:
420         * dfg/DFGAbstractInterpreterInlines.h:
421         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
422         * dfg/DFGArithMode.cpp: Added.
423         (WTF::printInternal):
424         * dfg/DFGArithMode.h: Added.
425         (JSC::DFG::doesOverflow):
426         (JSC::DFG::shouldCheckOverflow):
427         (JSC::DFG::shouldCheckNegativeZero):
428         * dfg/DFGCSEPhase.cpp:
429         (JSC::DFG::CSEPhase::pureCSE):
430         (JSC::DFG::CSEPhase::performNodeCSE):
431         * dfg/DFGConstantFoldingPhase.cpp:
432         (JSC::DFG::ConstantFoldingPhase::foldConstants):
433         * dfg/DFGFixupPhase.cpp:
434         (JSC::DFG::FixupPhase::fixupNode):
435         (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
436         * dfg/DFGGraph.cpp:
437         (JSC::DFG::Graph::dump):
438         * dfg/DFGNode.h:
439         (JSC::DFG::Node::Node):
440         (JSC::DFG::Node::hasArithMode):
441         (JSC::DFG::Node::arithMode):
442         (JSC::DFG::Node::setArithMode):
443         * dfg/DFGSpeculativeJIT.cpp:
444         (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
445         (JSC::DFG::SpeculativeJIT::compileDoubleAsInt32):
446         (JSC::DFG::SpeculativeJIT::compileAdd):
447         (JSC::DFG::SpeculativeJIT::compileArithSub):
448         (JSC::DFG::SpeculativeJIT::compileArithNegate):
449         (JSC::DFG::SpeculativeJIT::compileArithMul):
450         (JSC::DFG::SpeculativeJIT::compileArithDiv):
451         (JSC::DFG::SpeculativeJIT::compileArithMod):
452         * dfg/DFGSpeculativeJIT.h:
453         * dfg/DFGSpeculativeJIT32_64.cpp:
454         (JSC::DFG::SpeculativeJIT::compile):
455         * dfg/DFGSpeculativeJIT64.cpp:
456         (JSC::DFG::SpeculativeJIT::compile):
457         * ftl/FTLLowerDFGToLLVM.cpp:
458         (JSC::FTL::LowerDFGToLLVM::compileAddSub):
459         (JSC::FTL::LowerDFGToLLVM::compileArithMul):
460         (JSC::FTL::LowerDFGToLLVM::compileArithDivMod):
461         (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
462         (JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber):
463
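Folding integer arithmetic by its mode, as an added example of the point this entry makes about the constant folder. This is not JavaScriptCore code: Arith::Mode, Arith::Op, fold, tryFold, toInt32 and foldMulViaDouble are illustrative names. fold computes the exact int64 result and then applies exactly the check the mode implies (wrap, overflow, or overflow plus negative zero), refusing to fold where the check would fire; foldMulViaDouble shows what "just folding the double result" gives for an unchecked multiply whose exact product does not fit in a double's 53-bit mantissa.

```cpp
// Added example (not JavaScriptCore code): a constant folder that computes exactly the
// result each arithmetic mode implies, beside the "fold the double" approach. Names are
// illustrative.
#include <cassert>
#include <cmath>
#include <cstdint>
#include <cstdio>

namespace Arith {
enum class Mode {
    Unchecked,                    // int32 wrapping result (what ArithIMul wants)
    CheckOverflow,                // exit if the exact result does not fit in int32
    CheckOverflowAndNegativeZero  // also exit if the exact result would be -0
};
enum class Op { Add, Sub, Mul, Negate };
}

// Folds `a op b` (b is ignored for Negate). Returns true and sets `result` when the node can
// become a constant; false where the mode's check would fire, i.e. where the JIT must keep
// the checked node and let an OSR exit handle that input at run time.
bool fold(Arith::Op op, int32_t a, int32_t b, Arith::Mode mode, int32_t& result) {
    int64_t exact = 0;           // wide enough to hold any int32 add/sub/mul/negate exactly
    bool negativeZero = false;   // would the JS (double) result be -0?
    switch (op) {
    case Arith::Op::Add:    exact = int64_t(a) + b; break;
    case Arith::Op::Sub:    exact = int64_t(a) - b; break;
    case Arith::Op::Mul:    exact = int64_t(a) * b; negativeZero = exact == 0 && (a < 0 || b < 0); break;
    case Arith::Op::Negate: exact = -int64_t(a);    negativeZero = a == 0; break;
    }
    if (mode == Arith::Mode::Unchecked) {
        // Two's-complement wrap of the exact result: Math.imul semantics for Mul.
        result = int32_t(uint32_t(uint64_t(exact)));
        return true;
    }
    if (exact < INT32_MIN || exact > INT32_MAX)
        return false;
    if (mode == Arith::Mode::CheckOverflowAndNegativeZero && negativeZero)
        return false;            // -0 is not an int32; the node must stay checked
    result = int32_t(exact);
    return true;
}

// ECMAScript ToInt32 applied to a double: what a folder that folds the double result and
// then truncates would produce.
int32_t toInt32(double d) {
    if (!std::isfinite(d)) return 0;
    double m = std::fmod(std::trunc(d), 4294967296.0);
    if (m < 0) m += 4294967296.0;
    return int32_t(uint32_t(m));
}
int32_t foldMulViaDouble(int32_t a, int32_t b) { return toInt32(double(a) * double(b)); }

// Convenience wrapper: the folded value, or kNoFold when the mode's check would fire.
const int64_t kNoFold = INT64_MIN;
int64_t tryFold(Arith::Op op, int32_t a, int32_t b, Arith::Mode mode) {
    int32_t r = 0;
    return fold(op, a, b, mode, r) ? r : kNoFold;
}

int main() {
    // 0x7fffffff * 0x7fffffff = 2^62 - 2^32 + 1 needs 62 significant bits; a double keeps 53,
    // so the product rounds to 2^62 - 2^32 and its low 32 bits become 0. The exact wrap is 1.
    std::printf("imul via double: %d, exact wrap: %lld\n",
                foldMulViaDouble(0x7fffffff, 0x7fffffff),
                (long long)tryFold(Arith::Op::Mul, 0x7fffffff, 0x7fffffff, Arith::Mode::Unchecked));
    std::printf("-5 * 0 folds under the negative-zero check: %s\n",
                tryFold(Arith::Op::Mul, -5, 0, Arith::Mode::CheckOverflowAndNegativeZero) == kNoFold ? "no" : "yes");
    return 0;
}
```

The mode decides the answer, not the backwards-propagation result: the same `-5 * 0` folds to 0 under CheckOverflow and is refused under CheckOverflowAndNegativeZero, and `INT32_MIN` negated wraps to itself under Unchecked but cannot fold under either checked mode. A folder that disagreed with the mode the code generator later uses would be silently miscompiling exactly the inputs the checks exist for.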
464 2014-01-06  Mark Hahnenberg  <mhahnenberg@apple.com>
465
466         Add write barriers to the LLInt
467         https://bugs.webkit.org/show_bug.cgi?id=126527
468
469         Reviewed by Filip Pizlo.
470
471         This patch takes a similar approach to how write barriers work in the baseline JIT.
472         We execute the write barrier at the beginning of the opcode so we don't have to 
473         worry about saving and restoring live registers across write barrier slow path calls 
474         to C code.
475
476         * llint/LLIntOfflineAsmConfig.h:
477         * llint/LLIntSlowPaths.cpp:
478         (JSC::LLInt::llint_write_barrier_slow):
479         * llint/LLIntSlowPaths.h:
480         * llint/LowLevelInterpreter.asm:
481         * llint/LowLevelInterpreter32_64.asm:
482         * llint/LowLevelInterpreter64.asm:
483         * offlineasm/arm64.rb:
484         * offlineasm/instructions.rb:
485         * offlineasm/x86.rb:
486
487 2014-01-05  Sam Weinig  <sam@webkit.org>
488
489         [JS] Implement Promise.all()
490         https://bugs.webkit.org/show_bug.cgi?id=126510
491
492         Reviewed by Gavin Barraclough.
493
494         Add Promise.all() implementation and factor out performing resolves and rejects
495         on deferreds to share a bit of code. Also moves the abruptRejection helper to
496         JSPromiseDeferred so it can be used in JSPromiseFunctions.
497
498         * runtime/CommonIdentifiers.h:
499         * runtime/JSPromiseConstructor.cpp:
500         (JSC::JSPromiseConstructorFuncCast):
501         (JSC::JSPromiseConstructorFuncResolve):
502         (JSC::JSPromiseConstructorFuncReject):
503         (JSC::JSPromiseConstructorFuncAll):
504         * runtime/JSPromiseDeferred.cpp:
505         (JSC::updateDeferredFromPotentialThenable):
506         (JSC::performDeferredResolve):
507         (JSC::performDeferredReject):
508         (JSC::abruptRejection):
509         * runtime/JSPromiseDeferred.h:
510         * runtime/JSPromiseFunctions.cpp:
511         (JSC::promiseAllCountdownFunction):
512         (JSC::createPromiseAllCountdownFunction):
513         * runtime/JSPromiseFunctions.h:
514         * runtime/JSPromiseReaction.cpp:
515         (JSC::ExecutePromiseReactionMicrotask::run):
516
517 2014-01-06  Filip Pizlo  <fpizlo@apple.com>
518
519         Get rid of ENABLE(VALUE_PROFILER). It's on all the time now.
520
521         Rubber stamped by Mark Hahnenberg.
522
523         * bytecode/CallLinkStatus.cpp:
524         (JSC::CallLinkStatus::computeFor):
525         * bytecode/CodeBlock.cpp:
526         (JSC::CodeBlock::dumpValueProfiling):
527         (JSC::CodeBlock::dumpArrayProfiling):
528         (JSC::CodeBlock::dumpRareCaseProfile):
529         (JSC::CodeBlock::dumpBytecode):
530         (JSC::CodeBlock::CodeBlock):
531         (JSC::CodeBlock::setNumParameters):
532         (JSC::CodeBlock::shrinkToFit):
533         (JSC::CodeBlock::shouldOptimizeNow):
534         * bytecode/CodeBlock.h:
535         (JSC::CodeBlock::valueProfileForBytecodeOffset):
536         * bytecode/GetByIdStatus.cpp:
537         (JSC::GetByIdStatus::computeForChain):
538         (JSC::GetByIdStatus::computeFor):
539         * bytecode/LazyOperandValueProfile.cpp:
540         * bytecode/LazyOperandValueProfile.h:
541         * bytecode/PutByIdStatus.cpp:
542         (JSC::PutByIdStatus::computeFor):
543         * bytecode/ValueProfile.h:
544         * bytecompiler/BytecodeGenerator.cpp:
545         (JSC::BytecodeGenerator::newArrayProfile):
546         (JSC::BytecodeGenerator::newArrayAllocationProfile):
547         (JSC::BytecodeGenerator::emitProfiledOpcode):
548         * jit/GPRInfo.h:
549         * jit/JIT.cpp:
550         (JSC::JIT::JIT):
551         (JSC::JIT::privateCompileSlowCases):
552         (JSC::JIT::privateCompile):
553         * jit/JIT.h:
554         * jit/JITArithmetic.cpp:
555         (JSC::JIT::compileBinaryArithOp):
556         (JSC::JIT::emit_op_mul):
557         (JSC::JIT::emit_op_div):
558         * jit/JITArithmetic32_64.cpp:
559         (JSC::JIT::emitBinaryDoubleOp):
560         (JSC::JIT::emit_op_mul):
561         (JSC::JIT::emitSlow_op_mul):
562         (JSC::JIT::emit_op_div):
563         * jit/JITCall.cpp:
564         (JSC::JIT::emitPutCallResult):
565         * jit/JITCall32_64.cpp:
566         (JSC::JIT::emitPutCallResult):
567         * jit/JITInlines.h:
568         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
569         (JSC::JIT::emitValueProfilingSite):
570         (JSC::JIT::emitArrayProfilingSiteForBytecodeIndex):
571         (JSC::JIT::emitArrayProfileStoreToHoleSpecialCase):
572         (JSC::JIT::emitArrayProfileOutOfBoundsSpecialCase):
573         (JSC::arrayProfileSaw):
574         (JSC::JIT::chooseArrayMode):
575         * jit/JITOpcodes.cpp:
576         (JSC::JIT::emit_op_get_argument_by_val):
577         * jit/JITOpcodes32_64.cpp:
578         (JSC::JIT::emit_op_get_argument_by_val):
579         * jit/JITPropertyAccess.cpp:
580         (JSC::JIT::emit_op_get_by_val):
581         (JSC::JIT::emitSlow_op_get_by_val):
582         (JSC::JIT::emit_op_get_by_id):
583         (JSC::JIT::emit_op_get_from_scope):
584         * jit/JITPropertyAccess32_64.cpp:
585         (JSC::JIT::emit_op_get_by_val):
586         (JSC::JIT::emitSlow_op_get_by_val):
587         (JSC::JIT::emit_op_get_by_id):
588         (JSC::JIT::emit_op_get_from_scope):
589         * llint/LLIntOfflineAsmConfig.h:
590         * llint/LLIntSlowPaths.cpp:
591         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
592         * llint/LowLevelInterpreter.asm:
593         * llint/LowLevelInterpreter32_64.asm:
594         * llint/LowLevelInterpreter64.asm:
595         * profiler/ProfilerBytecodeSequence.cpp:
596         (JSC::Profiler::BytecodeSequence::BytecodeSequence):
597         * runtime/CommonSlowPaths.cpp:
598
599 2014-01-06  Filip Pizlo  <fpizlo@apple.com>
600
601         LLInt shouldn't check for ENABLE(JIT).
602
603         Rubber stamped by Mark Hahnenberg.
604
605         * llint/LLIntCommon.h:
606         * llint/LLIntOfflineAsmConfig.h:
607         * llint/LLIntSlowPaths.cpp:
608         (JSC::LLInt::entryOSR):
609         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
610         * llint/LowLevelInterpreter.asm:
611
612 2014-01-06  Filip Pizlo  <fpizlo@apple.com>
613
614         LLInt shouldn't check for ENABLE(JAVASCRIPT_DEBUGGER).
615
616         Rubber stamped by Mark Hahnenberg.
617
618         * debugger/Debugger.h:
619         (JSC::Debugger::Debugger):
620         * llint/LLIntOfflineAsmConfig.h:
621         * llint/LowLevelInterpreter.asm:
622
623 2014-01-05  Sam Weinig  <sam@webkit.org>
624
625         [JS] Implement Promise.race()
626         https://bugs.webkit.org/show_bug.cgi?id=126506
627
628         Reviewed by Oliver Hunt.
629
630         * runtime/CommonIdentifiers.h:
631         Add identifier for "cast".
632     
633         * runtime/JSPromiseConstructor.cpp:
634         (JSC::abruptRejection):
635         Helper for the RejectIfAbrupt abstract operation.
636   
637         (JSC::JSPromiseConstructorFuncRace):
638         Add implementation of Promise.race()
639
640 2014-01-05  Martin Robinson  <mrobinson@igalia.com>
641
642         [GTK] [CMake] Ensure that the autotools build and the CMake install the same files
643         https://bugs.webkit.org/show_bug.cgi?id=116379
644
645         Reviewed by Gustavo Noronha Silva.
646
647         * PlatformGTK.cmake: Install API headers, gir files, and the pkg-config file.
648
649 2014-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
650
651         Use Compiler macros instead of raw "final" and "override"
652         https://bugs.webkit.org/show_bug.cgi?id=126490
653
654         Reviewed by Sam Weinig.
655
656         * runtime/JSPromiseReaction.cpp:
657
658 2014-01-04  Martin Robinson  <mrobinson@igalia.com>
659
660         [GTK] [CMake] Improve the way we locate gobject-introspection
661         https://bugs.webkit.org/show_bug.cgi?id=126452
662
663         Reviewed by Philippe Normand.
664
665         * PlatformGTK.cmake: Use the new introspection variables.
666
667 2014-01-04  Zan Dobersek  <zdobersek@igalia.com>
668
669         Explicitly use the std:: nested name specifier when using std::pair, std::make_pair
670         https://bugs.webkit.org/show_bug.cgi?id=126439
671
672         Reviewed by Andreas Kling.
673
674         Instead of relying on std::pair and std::make_pair symbols being present in the current scope
675         through the pair and make_pair symbols, the std:: specifier should be used explicitly.
676
677         * bytecode/Opcode.cpp:
678         (JSC::compareOpcodePairIndices):
679         (JSC::OpcodeStats::~OpcodeStats):
680         * bytecompiler/BytecodeGenerator.cpp:
681         (JSC::BytecodeGenerator::BytecodeGenerator):
682         * parser/ASTBuilder.h:
683         (JSC::ASTBuilder::makeBinaryNode):
684         * parser/Parser.cpp:
685         (JSC::Parser<LexerType>::parseIfStatement):
686         * runtime/Structure.cpp:
687         (JSC::StructureTransitionTable::contains):
688         (JSC::StructureTransitionTable::get):
689         (JSC::StructureTransitionTable::add):
690
691 2014-01-03  David Farler  <dfarler@apple.com>
692
693         [super dealloc] missing in Source/JavaScriptCore/API/tests/testapi.mm, fails to build with -Werror,-Wobjc-missing-super-calls
694         https://bugs.webkit.org/show_bug.cgi?id=126454
695
696         Reviewed by Geoffrey Garen.
697
698         * API/tests/testapi.mm:
699         (-[TextXYZ dealloc]):
700         add [super dealloc]
701         (-[EvilAllocationObject dealloc]):
702         add [super dealloc]
703
704 2014-01-02  Carlos Garcia Campos  <cgarcia@igalia.com>
705
706         REGRESSION(r160304): [GTK] Disable libtool fast install
707         https://bugs.webkit.org/show_bug.cgi?id=126381
708
709         Reviewed by Martin Robinson.
710
711         Remove -no-fast-install ld flag since fast install is now disabled
712         globally.
713
714         * GNUmakefile.am:
715
716 2014-01-02  Sam Weinig  <sam@webkit.org>
717
718         Update Promises to the https://github.com/domenic/promises-unwrapping spec
719         https://bugs.webkit.org/show_bug.cgi?id=120954
720
721         Reviewed by Filip Pizlo.
722
723         Update Promises to the revised spec. Notable changes:
724         - JSPromiseResolver is gone.
725         - TaskContext has been renamed Microtask and now has a virtual run() function.
726         - Instead of using custom InternalFunction subclasses, JSFunctions are used
727           with PrivateName properties for internal slots.
728
729         * CMakeLists.txt:
730         * DerivedSources.make:
731         * GNUmakefile.list.am:
732         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
733         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
734         * JavaScriptCore.xcodeproj/project.pbxproj:
735         * interpreter/CallFrame.h:
736         (JSC::ExecState::promiseConstructorTable):
737         * runtime/CommonIdentifiers.cpp:
738         (JSC::CommonIdentifiers::CommonIdentifiers):
739         * runtime/CommonIdentifiers.h:
740         * runtime/JSGlobalObject.cpp:
741         (JSC::JSGlobalObject::reset):
742         (JSC::JSGlobalObject::visitChildren):
743         (JSC::JSGlobalObject::queueMicrotask):
744         * runtime/JSGlobalObject.h:
745         (JSC::JSGlobalObject::promiseConstructor):
746         (JSC::JSGlobalObject::promisePrototype):
747         (JSC::JSGlobalObject::promiseStructure):
748         * runtime/JSPromise.cpp:
749         (JSC::JSPromise::create):
750         (JSC::JSPromise::JSPromise):
751         (JSC::JSPromise::finishCreation):
752         (JSC::JSPromise::visitChildren):
753         (JSC::JSPromise::reject):
754         (JSC::JSPromise::resolve):
755         (JSC::JSPromise::appendResolveReaction):
756         (JSC::JSPromise::appendRejectReaction):
757         (JSC::triggerPromiseReactions):
758         * runtime/JSPromise.h:
759         (JSC::JSPromise::status):
760         (JSC::JSPromise::result):
761         (JSC::JSPromise::constructor):
762         * runtime/JSPromiseCallback.cpp: Removed.
763         * runtime/JSPromiseCallback.h: Removed.
764         * runtime/JSPromiseConstructor.cpp:
765         (JSC::constructPromise):
766         (JSC::JSPromiseConstructor::getCallData):
767         (JSC::JSPromiseConstructorFuncCast):
768         (JSC::JSPromiseConstructorFuncResolve):
769         (JSC::JSPromiseConstructorFuncReject):
770         * runtime/JSPromiseConstructor.h:
771         * runtime/JSPromiseDeferred.cpp: Added.
772         (JSC::JSPromiseDeferred::create):
773         (JSC::JSPromiseDeferred::JSPromiseDeferred):
774         (JSC::JSPromiseDeferred::finishCreation):
775         (JSC::JSPromiseDeferred::visitChildren):
776         (JSC::createJSPromiseDeferredFromConstructor):
777         (JSC::updateDeferredFromPotentialThenable):
778         * runtime/JSPromiseDeferred.h: Added.
779         (JSC::JSPromiseDeferred::createStructure):
780         (JSC::JSPromiseDeferred::promise):
781         (JSC::JSPromiseDeferred::resolve):
782         (JSC::JSPromiseDeferred::reject):
783         * runtime/JSPromiseFunctions.cpp: Added.
784         (JSC::deferredConstructionFunction):
785         (JSC::createDeferredConstructionFunction):
786         (JSC::identifyFunction):
787         (JSC::createIdentifyFunction):
788         (JSC::promiseAllCountdownFunction):
789         (JSC::createPromiseAllCountdownFunction):
790         (JSC::promiseResolutionHandlerFunction):
791         (JSC::createPromiseResolutionHandlerFunction):
792         (JSC::rejectPromiseFunction):
793         (JSC::createRejectPromiseFunction):
794         (JSC::resolvePromiseFunction):
795         (JSC::createResolvePromiseFunction):
796         (JSC::throwerFunction):
797         (JSC::createThrowerFunction):
798         * runtime/JSPromiseFunctions.h: Added.
799         * runtime/JSPromisePrototype.cpp:
800         (JSC::JSPromisePrototypeFuncThen):
801         (JSC::JSPromisePrototypeFuncCatch):
802         * runtime/JSPromiseReaction.cpp: Added.
803         (JSC::createExecutePromiseReactionMicroTask):
804         (JSC::ExecutePromiseReactionMicroTask::run):
805         (JSC::JSPromiseReaction::create):
806         (JSC::JSPromiseReaction::JSPromiseReaction):
807         (JSC::JSPromiseReaction::finishCreation):
808         (JSC::JSPromiseReaction::visitChildren):
809         * runtime/JSPromiseReaction.h: Added.
810         (JSC::JSPromiseReaction::createStructure):
811         (JSC::JSPromiseReaction::deferred):
812         (JSC::JSPromiseReaction::handler):
813         * runtime/JSPromiseResolver.cpp: Removed.
814         * runtime/JSPromiseResolver.h: Removed.
815         * runtime/JSPromiseResolverConstructor.cpp: Removed.
816         * runtime/JSPromiseResolverConstructor.h: Removed.
817         * runtime/JSPromiseResolverPrototype.cpp: Removed.
818         * runtime/JSPromiseResolverPrototype.h: Removed.
819         * runtime/Microtask.h: Added.
820         * runtime/VM.cpp:
821         (JSC::VM::VM):
822         (JSC::VM::~VM):
823         * runtime/VM.h:
824
825 2014-01-02  Mark Hahnenberg  <mhahnenberg@apple.com>
826
827         Add support for StoreBarrier and friends to the FTL
828         https://bugs.webkit.org/show_bug.cgi?id=126040
829
830         Reviewed by Filip Pizlo.
831
832         * ftl/FTLAbstractHeapRepository.h:
833         * ftl/FTLCapabilities.cpp:
834         (JSC::FTL::canCompile):
835         * ftl/FTLIntrinsicRepository.h:
836         * ftl/FTLLowerDFGToLLVM.cpp:
837         (JSC::FTL::LowerDFGToLLVM::compileNode):
838         (JSC::FTL::LowerDFGToLLVM::compileStoreBarrier):
839         (JSC::FTL::LowerDFGToLLVM::compileConditionalStoreBarrier):
840         (JSC::FTL::LowerDFGToLLVM::compileStoreBarrierWithNullCheck):
841         (JSC::FTL::LowerDFGToLLVM::loadMarkByte):
842         (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
843         * heap/Heap.cpp:
844         (JSC::Heap::Heap):
845         * heap/Heap.h:
846         (JSC::Heap::writeBarrierBuffer):
847
848 2014-01-02  Mark Hahnenberg  <mhahnenberg@apple.com>
849
850         Storing new CopiedSpace memory into a JSObject should fire a write barrier
851         https://bugs.webkit.org/show_bug.cgi?id=126025
852
853         Reviewed by Filip Pizlo.
854
855         Technically this is creating a pointer between a (potentially) old generation object and a young 
856         generation chunk of memory, thus there needs to be a barrier.
857
858         * JavaScriptCore.xcodeproj/project.pbxproj:
859         * dfg/DFGOperations.cpp:
860         * heap/CopyWriteBarrier.h: Added. This class functions similarly to the WriteBarrier class. It 
861         acts as a proxy for pointers to CopiedSpace. Assignments to the field cause a write barrier to 
862         fire for the object that is the owner of the CopiedSpace memory. This is to ensure during nursery 
863         collections that objects with new backing stores are visited, even if they are old generation objects. 
864         (JSC::CopyWriteBarrier::CopyWriteBarrier):
865         (JSC::CopyWriteBarrier::operator!):
866         (JSC::CopyWriteBarrier::operator UnspecifiedBoolType*):
867         (JSC::CopyWriteBarrier::get):
868         (JSC::CopyWriteBarrier::operator*):
869         (JSC::CopyWriteBarrier::operator->):
870         (JSC::CopyWriteBarrier::set):
871         (JSC::CopyWriteBarrier::setWithoutWriteBarrier):
872         (JSC::CopyWriteBarrier::clear):
873         * heap/Heap.h:
874         * runtime/JSArray.cpp:
875         (JSC::JSArray::unshiftCountSlowCase):
876         (JSC::JSArray::shiftCountWithArrayStorage):
877         (JSC::JSArray::unshiftCountWithArrayStorage):
878         * runtime/JSCell.h:
879         (JSC::JSCell::unvalidatedStructure):
880         * runtime/JSGenericTypedArrayViewInlines.h:
881         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
882         * runtime/JSObject.cpp:
883         (JSC::JSObject::copyButterfly):
884         (JSC::JSObject::getOwnPropertySlotByIndex):
885         (JSC::JSObject::putByIndex):
886         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
887         (JSC::JSObject::createInitialIndexedStorage):
888         (JSC::JSObject::createArrayStorage):
889         (JSC::JSObject::deletePropertyByIndex):
890         (JSC::JSObject::getOwnPropertyNames):
891         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
892         (JSC::JSObject::countElements):
893         (JSC::JSObject::increaseVectorLength):
894         (JSC::JSObject::ensureLengthSlow):
895         * runtime/JSObject.h:
896         (JSC::JSObject::butterfly):
897         (JSC::JSObject::setStructureAndButterfly):
898         (JSC::JSObject::setButterflyWithoutChangingStructure):
899         (JSC::JSObject::JSObject):
900         (JSC::JSObject::putDirectInternal):
901         (JSC::JSObject::putDirectWithoutTransition):
902         * runtime/MapData.cpp:
903         (JSC::MapData::ensureSpaceForAppend):
904         * runtime/Structure.cpp:
905         (JSC::Structure::materializePropertyMap):
906
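The entry above explains the hazard that CopyWriteBarrier closes: a nursery (young-generation) collection does not rescan old-generation objects, so an old object that has just been given a freshly allocated backing store holds the only pointer to young memory that the collector will never see unless the store is reported. The toy heap below is an added illustration written for this page, not JavaScriptCore code; the names ToyHeap, Cell, setBacking and backingSurvives are invented, a remembered set stands in for JSC's re-marking of the owner cell, and each cell has a single backing pointer. It returns whether the backing store is still live after the next nursery collection, with and without the barrier.

```cpp
// Added illustration, not JavaScriptCore code: a toy generational heap that
// shows why storing a young backing store into an old owner needs a barrier.
#include <algorithm>
#include <cstdio>
#include <memory>
#include <vector>

struct Cell {
    bool isOld = false;      // promoted by an earlier nursery collection
    bool marked = false;
    bool freed = false;      // set when a nursery collection reclaims the cell
    Cell* backing = nullptr; // stands in for a CopiedSpace butterfly pointer
};

class ToyHeap {
public:
    Cell* allocate() {
        cells.push_back(std::make_unique<Cell>());
        return cells.back().get();
    }
    void addRoot(Cell* c) { roots.push_back(c); }

    // The barrier: an old owner that just received a pointer is remembered so
    // the next nursery collection rescans it. (JSC re-marks the owner cell;
    // a remembered set is the same idea in a simpler form.)
    void writeBarrier(Cell* owner) {
        if (owner->isOld && std::find(remembered.begin(), remembered.end(), owner) == remembered.end())
            remembered.push_back(owner);
    }

    // Models CopyWriteBarrier::set (barrier fires) vs setWithoutWriteBarrier.
    void setBacking(Cell* owner, Cell* newBacking, bool fireBarrier) {
        owner->backing = newBacking;
        if (fireBarrier)
            writeBarrier(owner);
    }

    // Nursery collection. Old cells keep their mark bit, so the collector never
    // looks inside them again; that shortcut is what makes an unreported
    // old->young pointer invisible.
    void collectNursery() {
        for (auto& c : cells)
            c->marked = c->isOld;
        std::vector<Cell*> stack;
        auto visit = [&](Cell* c) { if (c && !c->marked) stack.push_back(c); };
        for (Cell* r : roots)
            visit(r);
        for (Cell* owner : remembered) // rescan exactly what the barrier reported
            visit(owner->backing);
        while (!stack.empty()) {
            Cell* c = stack.back();
            stack.pop_back();
            if (c->marked)
                continue;
            c->marked = true;
            visit(c->backing);
        }
        for (auto& c : cells) {
            if (c->isOld)
                continue;                // old generation is not collected here
            if (c->marked)
                c->isOld = true;         // survivor: promote
            else
                c->freed = true;         // unreachable young cell reclaimed
        }
        remembered.clear();
    }

private:
    std::vector<std::unique_ptr<Cell>> cells;
    std::vector<Cell*> roots;
    std::vector<Cell*> remembered;
};

// Scenario from the ChangeLog entry: an old object receives a freshly
// allocated (young) backing store. Returns true if that backing store is
// still live after the next nursery collection.
bool backingSurvives(bool fireBarrier) {
    ToyHeap heap;
    Cell* owner = heap.allocate();
    heap.addRoot(owner);
    heap.collectNursery();                      // owner survives, promoted to old
    Cell* young = heap.allocate();              // new backing store in the nursery
    heap.setBacking(owner, young, fireBarrier);
    heap.collectNursery();
    return !owner->backing->freed;              // freed == the use-after-free the barrier prevents
}

int main() {
    std::printf("with barrier:    backing %s\n", backingSurvives(true) ? "live" : "FREED");
    std::printf("without barrier: backing %s\n", backingSurvives(false) ? "live" : "FREED");
    return 0;
}
```

Without the barrier the owner is old, so the collector treats it as already marked and never follows its backing pointer; the young backing store is reclaimed while the owner still points at it, which in a real engine is a use-after-free. With the barrier the owner is remembered, its backing store is visited and promoted, and the pointer stays valid.
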
907 2013-12-23  Oliver Hunt  <oliver@apple.com>
908
909         Refactor PutPropertySlot to be aware of custom properties
910         https://bugs.webkit.org/show_bug.cgi?id=126187
911
912         Reviewed by Antti Koivisto.
913
914         Refactor PutPropertySlot, making the constructor take the thisValue
915         used as a target.  This results in a wide range of boilerplate changes
916         to pass the new parameter.
917
918         * API/JSObjectRef.cpp:
919         (JSObjectSetProperty):
920         * dfg/DFGOperations.cpp:
921         (JSC::DFG::operationPutByValInternal):
922         * interpreter/Interpreter.cpp:
923         (JSC::Interpreter::execute):
924         * jit/JITOperations.cpp:
925         * llint/LLIntSlowPaths.cpp:
926         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
927         * runtime/Arguments.cpp:
928         (JSC::Arguments::putByIndex):
929         * runtime/ArrayPrototype.cpp:
930         (JSC::putProperty):
931         (JSC::arrayProtoFuncPush):
932         * runtime/JSCJSValue.cpp:
933         (JSC::JSValue::putToPrimitiveByIndex):
934         * runtime/JSCell.cpp:
935         (JSC::JSCell::putByIndex):
936         * runtime/JSFunction.cpp:
937         (JSC::JSFunction::put):
938         * runtime/JSGenericTypedArrayViewInlines.h:
939         (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
940         * runtime/JSONObject.cpp:
941         (JSC::Walker::walk):
942         * runtime/JSObject.cpp:
943         (JSC::JSObject::putByIndex):
944         (JSC::JSObject::putDirectNonIndexAccessor):
945         (JSC::JSObject::deleteProperty):
946         * runtime/JSObject.h:
947         (JSC::JSObject::putDirect):
948         * runtime/Lookup.h:
949         (JSC::putEntry):
950         (JSC::lookupPut):
951         * runtime/PutPropertySlot.h:
952         (JSC::PutPropertySlot::PutPropertySlot):
953         (JSC::PutPropertySlot::setCustomProperty):
954         (JSC::PutPropertySlot::thisValue):
955         (JSC::PutPropertySlot::isCacheable):
956
957 2014-01-01  Filip Pizlo  <fpizlo@apple.com>
958
959         Rationalize DFG DCE
960         https://bugs.webkit.org/show_bug.cgi?id=125523
961
962         Reviewed by Mark Hahnenberg.
963         
964         Adds the ability to DCE more things. It's now the case that if a node is completely
965         pure, we clear NodeMustGenerate and the node becomes a DCE candidate.
966
967         * dfg/DFGAbstractInterpreterInlines.h:
968         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
969         * dfg/DFGCSEPhase.cpp:
970         (JSC::DFG::CSEPhase::performNodeCSE):
971         * dfg/DFGClobberize.h:
972         (JSC::DFG::clobberize):
973         * dfg/DFGDCEPhase.cpp:
974         (JSC::DFG::DCEPhase::cleanVariables):
975         * dfg/DFGFixupPhase.cpp:
976         (JSC::DFG::FixupPhase::fixupNode):
977         * dfg/DFGGraph.h:
978         (JSC::DFG::Graph::clobbersWorld):
979         * dfg/DFGNodeType.h:
980         * dfg/DFGSpeculativeJIT.cpp:
981         (JSC::DFG::SpeculativeJIT::compileAdd):
982         * dfg/DFGSpeculativeJIT.h:
983         * dfg/DFGSpeculativeJIT32_64.cpp:
984         (JSC::DFG::SpeculativeJIT::compile):
985         * dfg/DFGSpeculativeJIT64.cpp:
986         (JSC::DFG::SpeculativeJIT::compile):
987         * ftl/FTLLowerDFGToLLVM.cpp:
988         (JSC::FTL::LowerDFGToLLVM::compileNode):
989         (JSC::FTL::LowerDFGToLLVM::compileValueAdd):
990
991 2014-01-02  Benjamin Poulain  <benjamin@webkit.org>
992
993         Attempt to fix the build of WebCore's code generator on CMake based system
994         https://bugs.webkit.org/show_bug.cgi?id=126271
995
996         Reviewed by Sam Weinig.
997
998         * CMakeLists.txt:
999
1000 2013-12-30  Commit Queue  <commit-queue@webkit.org>
1001
1002         Unreviewed, rolling out r161157, r161158, r161160, r161161,
1003         r161163, and r161165.
1004         http://trac.webkit.org/changeset/161157
1005         http://trac.webkit.org/changeset/161158
1006         http://trac.webkit.org/changeset/161160
1007         http://trac.webkit.org/changeset/161161
1008         http://trac.webkit.org/changeset/161163
1009         http://trac.webkit.org/changeset/161165
1010         https://bugs.webkit.org/show_bug.cgi?id=126332
1011
1012         Broke WebKit2 on Mountain Lion (Requested by ap on #webkit).
1013
1014         * heap/BlockAllocator.cpp:
1015         (JSC::BlockAllocator::~BlockAllocator):
1016         (JSC::BlockAllocator::waitForRelativeTimeWhileHoldingLock):
1017         (JSC::BlockAllocator::waitForRelativeTime):
1018         (JSC::BlockAllocator::blockFreeingThreadMain):
1019         * heap/BlockAllocator.h:
1020         (JSC::BlockAllocator::deallocate):
1021
1022 2013-12-30  Anders Carlsson  <andersca@apple.com>
1023
1024         Fix build.
1025
1026         * heap/BlockAllocator.h:
1027
1028 2013-12-30  Anders Carlsson  <andersca@apple.com>
1029
1030         Stop using ThreadCondition in BlockAllocator
1031         https://bugs.webkit.org/show_bug.cgi?id=126313
1032
1033         Reviewed by Sam Weinig.
1034
1035         * heap/BlockAllocator.cpp:
1036         (JSC::BlockAllocator::~BlockAllocator):
1037         (JSC::BlockAllocator::waitForDuration):
1038         (JSC::BlockAllocator::blockFreeingThreadMain):
1039         * heap/BlockAllocator.h:
1040         (JSC::BlockAllocator::deallocate):
1041
1042 2013-12-30  Anders Carlsson  <andersca@apple.com>
1043
1044         Stop using ThreadCondition in jsc.cpp
1045         https://bugs.webkit.org/show_bug.cgi?id=126311
1046
1047         Reviewed by Sam Weinig.
1048
1049         * jsc.cpp:
1050         (timeoutThreadMain):
1051         (main):
1052
1053 2013-12-30  Anders Carlsson  <andersca@apple.com>
1054
1055         Replace WTF::ThreadingOnce with std::call_once
1056         https://bugs.webkit.org/show_bug.cgi?id=126215
1057
1058         Reviewed by Sam Weinig.
1059
1060         * dfg/DFGWorklist.cpp:
1061         (JSC::DFG::globalWorklist):
1062         * runtime/InitializeThreading.cpp:
1063         (JSC::initializeThreading):
1064
1065 2013-12-30  Martin Robinson  <mrobinson@igalia.com>
1066
1067         [CMake] [GTK] Add support for GObject introspection
1068         https://bugs.webkit.org/show_bug.cgi?id=126162
1069
1070         Reviewed by Daniel Bates.
1071
1072         * PlatformGTK.cmake: Add the GIR targets.
1073
1074 2013-12-28  Filip Pizlo  <fpizlo@apple.com>
1075
1076         Get rid of DFG forward exiting
1077         https://bugs.webkit.org/show_bug.cgi?id=125531
1078
1079         Reviewed by Oliver Hunt.
1080         
1081         This finally gets rid of forward exiting. Forward exiting was always a fragile concept
1082         since it involved the compiler trying to figure out how to "roll forward" the
1083         execution from some DFG node to the next bytecode index. It was always easy to find
1084         counterexamples where it broke, and it has always served as an obstacle to adding
1085         compiler improvements - the latest being http://webkit.org/b/125523, which tried to
1086         make DCE work for more things.
1087         
1088         This change finishes the work of removing forward exiting. A lot of forward exiting
1089         was already removed in some other bugs, but SetLocal still did forward exits. SetLocal
1090         is in many ways the hardest to remove, since the forward exiting of SetLocal also
1091         implied that any conversion nodes inserted before the SetLocal would then also be
1092         marked as forward-exiting. Hence SetLocal's forward-exiting made a bunch of other
1093         things also forward-exiting, and this was always a source of weirdo bugs.
1094         
1095         SetLocal must be able to exit in case it performs a hoisted type speculation. Nodes
1096         inserted just before SetLocal must also be able to exit - for example type check
1097         hoisting may insert a CheckStructure, or fixup phase may insert something like
1098         Int32ToDouble. But if any of those nodes tried to backward exit, then this could lead
1099         to the reexecution of a side-effecting operation, for example:
1100         
1101             a: Call(...)
1102             b: SetLocal(@a, r1)
1103         
1104         For a long time it seemed like SetLocal *had* to exit forward because of this. But
1105         this change side-steps the problem by changing the ByteCodeParser to always emit a
1106         kind of "two-phase commit" for stores to local variables. Now when the ByteCodeParser
1107         wishes to store to a local, it first emits a MovHint and then enqueues a SetLocal.
1108         The SetLocal isn't actually emitted until the beginning of the next bytecode
1109         instruction (with the exception of op_enter and op_ret, which emit theirs immediately
1110         since it's always safe to reexecute those bytecode instructions and since deferring
1111         SetLocals would be weird there - op_enter has many SetLocals and op_ret is a set
1112         followed by a jump in case of inlining, so we'd have to emit the SetLocal "after" the
1113         jump and that would be awkward). This means that the above IR snippet would look
1114         something like:
1115         
1116             a: Call(..., bc#42)
1117             b: MovHint(@a, r1, bc#42)
1118             c: SetLocal(@a, r1, bc#47)
1119         
1120         Where the SetLocal exits "backwards" but appears at the beginning of the next bytecode
1121         instruction. This means that by the time we get to that SetLocal, the OSR exit
1122         analysis already knows that r1 is associated with @a, and it means that the SetLocal
1123         or anything hoisted above it can exit backwards as normal.
1124         
1125         This change also means that the "forward rewiring" can be killed. Previously, we might
1126         have inserted a conversion node on SetLocal and then the SetLocal died (i.e. turned
1127         into a MovHint) and the conversion node either died completely or had its lifetime
1128         truncated to be less than the actual value's bytecode lifetime. This no longer happens
1129         since conversion nodes are only inserted at SetLocals.
1130         
1131         More precisely, this change introduces two laws that we were basically already
1132         following anyway:
1133         
1134         1) A MovHint's child should never be changed except if all other uses of that child
1135            are also replaced. Specifically, this prohibits insertion of conversion nodes at
1136            MovHints.
1137         
1138         2) Anytime any child is replaced with something else, and all other uses aren't also
1139            replaced, we must insert a Phantom use of the original child.
1140
1141         This is a slight compile-time regression but has no effect on code-gen. It unlocks a
1142         bunch of optimization opportunities so I think it's worth it.
1143
1144         * bytecode/CodeBlock.cpp:
1145         (JSC::CodeBlock::dumpAssumingJITType):
1146         * bytecode/CodeBlock.h:
1147         (JSC::CodeBlock::instructionCount):
1148         * dfg/DFGAbstractInterpreterInlines.h:
1149         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1150         * dfg/DFGArgumentsSimplificationPhase.cpp:
1151         (JSC::DFG::ArgumentsSimplificationPhase::run):
1152         * dfg/DFGArrayifySlowPathGenerator.h:
1153         (JSC::DFG::ArrayifySlowPathGenerator::ArrayifySlowPathGenerator):
1154         * dfg/DFGBackwardsPropagationPhase.cpp:
1155         (JSC::DFG::BackwardsPropagationPhase::propagate):
1156         * dfg/DFGByteCodeParser.cpp:
1157         (JSC::DFG::ByteCodeParser::setDirect):
1158         (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
1159         (JSC::DFG::ByteCodeParser::DelayedSetLocal::execute):
1160         (JSC::DFG::ByteCodeParser::handleInlining):
1161         (JSC::DFG::ByteCodeParser::parseBlock):
1162         * dfg/DFGCSEPhase.cpp:
1163         (JSC::DFG::CSEPhase::eliminate):
1164         * dfg/DFGClobberize.h:
1165         (JSC::DFG::clobberize):
1166         * dfg/DFGCommon.h:
1167         * dfg/DFGConstantFoldingPhase.cpp:
1168         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1169         * dfg/DFGDCEPhase.cpp:
1170         (JSC::DFG::DCEPhase::run):
1171         (JSC::DFG::DCEPhase::fixupBlock):
1172         (JSC::DFG::DCEPhase::cleanVariables):
1173         * dfg/DFGFixupPhase.cpp:
1174         (JSC::DFG::FixupPhase::fixupNode):
1175         (JSC::DFG::FixupPhase::fixEdge):
1176         (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
1177         * dfg/DFGLICMPhase.cpp:
1178         (JSC::DFG::LICMPhase::run):
1179         (JSC::DFG::LICMPhase::attemptHoist):
1180         * dfg/DFGMinifiedNode.cpp:
1181         (JSC::DFG::MinifiedNode::fromNode):
1182         * dfg/DFGMinifiedNode.h:
1183         (JSC::DFG::belongsInMinifiedGraph):
1184         (JSC::DFG::MinifiedNode::constantNumber):
1185         (JSC::DFG::MinifiedNode::weakConstant):
1186         * dfg/DFGNode.cpp:
1187         (JSC::DFG::Node::hasVariableAccessData):
1188         * dfg/DFGNode.h:
1189         (JSC::DFG::Node::convertToPhantom):
1190         (JSC::DFG::Node::convertToPhantomUnchecked):
1191         (JSC::DFG::Node::convertToIdentity):
1192         (JSC::DFG::Node::containsMovHint):
1193         (JSC::DFG::Node::hasUnlinkedLocal):
1194         (JSC::DFG::Node::willHaveCodeGenOrOSR):
1195         * dfg/DFGNodeFlags.cpp:
1196         (JSC::DFG::dumpNodeFlags):
1197         * dfg/DFGNodeFlags.h:
1198         * dfg/DFGNodeType.h:
1199         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
1200         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
1201         * dfg/DFGOSREntrypointCreationPhase.cpp:
1202         (JSC::DFG::OSREntrypointCreationPhase::run):
1203         * dfg/DFGOSRExit.cpp:
1204         * dfg/DFGOSRExit.h:
1205         * dfg/DFGOSRExitBase.cpp:
1206         * dfg/DFGOSRExitBase.h:
1207         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSite):
1208         * dfg/DFGPredictionPropagationPhase.cpp:
1209         (JSC::DFG::PredictionPropagationPhase::propagate):
1210         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
1211         * dfg/DFGSSAConversionPhase.cpp:
1212         (JSC::DFG::SSAConversionPhase::run):
1213         * dfg/DFGSafeToExecute.h:
1214         (JSC::DFG::safeToExecute):
1215         * dfg/DFGSpeculativeJIT.cpp:
1216         (JSC::DFG::SpeculativeJIT::speculationCheck):
1217         (JSC::DFG::SpeculativeJIT::emitInvalidationPoint):
1218         (JSC::DFG::SpeculativeJIT::typeCheck):
1219         (JSC::DFG::SpeculativeJIT::compileMovHint):
1220         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1221         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
1222         (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
1223         * dfg/DFGSpeculativeJIT.h:
1224         (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
1225         (JSC::DFG::SpeculativeJIT::needsTypeCheck):
1226         * dfg/DFGSpeculativeJIT32_64.cpp:
1227         (JSC::DFG::SpeculativeJIT::compile):
1228         * dfg/DFGSpeculativeJIT64.cpp:
1229         (JSC::DFG::SpeculativeJIT::compile):
1230         * dfg/DFGTypeCheckHoistingPhase.cpp:
1231         (JSC::DFG::TypeCheckHoistingPhase::run):
1232         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
1233         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
1234         * dfg/DFGValidate.cpp:
1235         (JSC::DFG::Validate::validateCPS):
1236         * dfg/DFGVariableAccessData.h:
1237         (JSC::DFG::VariableAccessData::VariableAccessData):
1238         * dfg/DFGVariableEventStream.cpp:
1239         (JSC::DFG::VariableEventStream::reconstruct):
1240         * ftl/FTLCapabilities.cpp:
1241         (JSC::FTL::canCompile):
1242         * ftl/FTLLowerDFGToLLVM.cpp:
1243         (JSC::FTL::LowerDFGToLLVM::compileNode):
1244         (JSC::FTL::LowerDFGToLLVM::compileGetArgument):
1245         (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
1246         (JSC::FTL::LowerDFGToLLVM::compileMovHint):
1247         (JSC::FTL::LowerDFGToLLVM::compileZombieHint):
1248         (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble):
1249         (JSC::FTL::LowerDFGToLLVM::speculate):
1250         (JSC::FTL::LowerDFGToLLVM::typeCheck):
1251         (JSC::FTL::LowerDFGToLLVM::appendTypeCheck):
1252         (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
1253         (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
1254         * ftl/FTLOSRExit.cpp:
1255         * ftl/FTLOSRExit.h:
1256         * tests/stress/dead-int32-to-double.js: Added.
1257         (foo):
1258         * tests/stress/dead-uint32-to-number.js: Added.
1259         (foo):
1260
1261 2013-12-25  Commit Queue  <commit-queue@webkit.org>
1262
1263         Unreviewed, rolling out r161033 and r161074.
1264         http://trac.webkit.org/changeset/161033
1265         http://trac.webkit.org/changeset/161074
1266         https://bugs.webkit.org/show_bug.cgi?id=126240
1267
1268         Oliver says that a rollout would be better (Requested by ap on
1269         #webkit).
1270
1271         * API/JSObjectRef.cpp:
1272         (JSObjectSetProperty):
1273         * dfg/DFGOperations.cpp:
1274         (JSC::DFG::operationPutByValInternal):
1275         * interpreter/Interpreter.cpp:
1276         (JSC::Interpreter::execute):
1277         * jit/JITOperations.cpp:
1278         * llint/LLIntSlowPaths.cpp:
1279         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1280         * runtime/Arguments.cpp:
1281         (JSC::Arguments::putByIndex):
1282         * runtime/ArrayPrototype.cpp:
1283         (JSC::putProperty):
1284         (JSC::arrayProtoFuncPush):
1285         * runtime/JSCJSValue.cpp:
1286         (JSC::JSValue::putToPrimitiveByIndex):
1287         * runtime/JSCell.cpp:
1288         (JSC::JSCell::putByIndex):
1289         * runtime/JSFunction.cpp:
1290         (JSC::JSFunction::put):
1291         * runtime/JSGenericTypedArrayViewInlines.h:
1292         (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
1293         * runtime/JSONObject.cpp:
1294         (JSC::Walker::walk):
1295         * runtime/JSObject.cpp:
1296         (JSC::JSObject::putByIndex):
1297         (JSC::JSObject::putDirectNonIndexAccessor):
1298         (JSC::JSObject::deleteProperty):
1299         * runtime/JSObject.h:
1300         (JSC::JSObject::putDirect):
1301         * runtime/Lookup.h:
1302         (JSC::putEntry):
1303         (JSC::lookupPut):
1304         * runtime/PutPropertySlot.h:
1305         (JSC::PutPropertySlot::PutPropertySlot):
1306         (JSC::PutPropertySlot::setNewProperty):
1307         (JSC::PutPropertySlot::isCacheable):
1308
1309 2013-12-25  Filip Pizlo  <fpizlo@apple.com>
1310
1311         DFG PhantomArguments shouldn't rely on a dead Phi graph
1312         https://bugs.webkit.org/show_bug.cgi?id=126218
1313
1314         Reviewed by Oliver Hunt.
1315         
1316         This change dramatically rationalizes our handling of PhantomArguments (i.e.
1317         speculative elision of arguments object allocation).
1318         
1319         It's now the case that if we decide that we can elide arguments allocation, we just
1320         turn the arguments-creating node into a PhantomArguments and mark all locals that
1321         it's stored to as being arguments aliases. Being an arguments alias and being a
1322         PhantomArguments means basically the same thing: in DFG execution you have the empty
1323         value, on OSR exit an arguments object is allocated in your place, and all operations
1324         that use the value now just refer directly to the actual arguments in the call frame
1325         header (or the arguments we know that we passed to the call, in case of inlining).
1326         
1327         This means that we no longer have arguments simplification creating a dead Phi graph
1328         that then has to be interpreted by the OSR exit logic. That sort of never made any
1329         sense.
1330         
1331         This means that PhantomArguments now has a clear story in SSA: basically SSA just
1332         gets rid of the "locals" but everything else is the same.
1333         
1334         Finally, this means that we can more easily get rid of forward exiting. As I was
1335         working on the code to get rid of forward exiting, I realized that I'd have to
1336         carefully preserve the special meanings of MovHint and SetLocal in the case of
1337         PhantomArguments. It was really bizarre: even the semantics of MovHint were tied to
1338         our specific treatment of PhantomArguments. After this change this is no longer the
1339         case.
1340         
1341         One of the really cool things about this change is that arguments reification now
1342         just becomes a special kind of FlushFormat. This further unifies things: it means
1343         that a MovHint(PhantomArguments) and a SetLocal(PhantomArguments) both have the same
1344         meaning, since both of them dictate that the way we recover the local on exit is by
1345         reifying arguments. Previously, the SetLocal(PhantomArguments) case needed some
1346         special handling to accomplish this.
1347         
1348         A downside of this approach is that we will now emit code to store the empty value
1349         into aliased arguments variables, and we will even emit code to load that empty value
1350         as well. As far as I can tell this doesn't cost anything, since PhantomArguments are
1351         most profitable in cases where it allows us to simplify control flow and kill the
1352         arguments locals entirely. Of course, this isn't an issue in SSA form since SSA form
1353         also eliminates the locals.
1354
1355         * dfg/DFGArgumentsSimplificationPhase.cpp:
1356         (JSC::DFG::ArgumentsSimplificationPhase::run):
1357         (JSC::DFG::ArgumentsSimplificationPhase::detypeArgumentsReferencingPhantomChild):
1358         * dfg/DFGFlushFormat.cpp:
1359         (WTF::printInternal):
1360         * dfg/DFGFlushFormat.h:
1361         (JSC::DFG::resultFor):
1362         (JSC::DFG::useKindFor):
1363         (JSC::DFG::dataFormatFor):
1364         * dfg/DFGSpeculativeJIT.cpp:
1365         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1366         * dfg/DFGSpeculativeJIT32_64.cpp:
1367         (JSC::DFG::SpeculativeJIT::compile):
1368         * dfg/DFGSpeculativeJIT64.cpp:
1369         (JSC::DFG::SpeculativeJIT::compile):
1370         * dfg/DFGValueSource.h:
1371         (JSC::DFG::ValueSource::ValueSource):
1372         (JSC::DFG::ValueSource::forFlushFormat):
1373         * dfg/DFGVariableAccessData.h:
1374         (JSC::DFG::VariableAccessData::flushFormat):
1375         * ftl/FTLLowerDFGToLLVM.cpp:
1376         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
1377
1378 2013-12-23  Oliver Hunt  <oliver@apple.com>
1379
1380         Refactor PutPropertySlot to be aware of custom properties
1381         https://bugs.webkit.org/show_bug.cgi?id=126187
1382
1383         Reviewed by msaboff.
1384
1385         Refactor PutPropertySlot, making the constructor take the thisValue
1386         used as a target.  This results in a wide range of boilerplate changes
1387         to pass the new parameter.
1388
1389         * API/JSObjectRef.cpp:
1390         (JSObjectSetProperty):
1391         * dfg/DFGOperations.cpp:
1392         (JSC::DFG::operationPutByValInternal):
1393         * interpreter/Interpreter.cpp:
1394         (JSC::Interpreter::execute):
1395         * jit/JITOperations.cpp:
1396         * llint/LLIntSlowPaths.cpp:
1397         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1398         * runtime/Arguments.cpp:
1399         (JSC::Arguments::putByIndex):
1400         * runtime/ArrayPrototype.cpp:
1401         (JSC::putProperty):
1402         (JSC::arrayProtoFuncPush):
1403         * runtime/JSCJSValue.cpp:
1404         (JSC::JSValue::putToPrimitiveByIndex):
1405         * runtime/JSCell.cpp:
1406         (JSC::JSCell::putByIndex):
1407         * runtime/JSFunction.cpp:
1408         (JSC::JSFunction::put):
1409         * runtime/JSGenericTypedArrayViewInlines.h:
1410         (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
1411         * runtime/JSONObject.cpp:
1412         (JSC::Walker::walk):
1413         * runtime/JSObject.cpp:
1414         (JSC::JSObject::putByIndex):
1415         (JSC::JSObject::putDirectNonIndexAccessor):
1416         (JSC::JSObject::deleteProperty):
1417         * runtime/JSObject.h:
1418         (JSC::JSObject::putDirect):
1419         * runtime/Lookup.h:
1420         (JSC::putEntry):
1421         (JSC::lookupPut):
1422         * runtime/PutPropertySlot.h:
1423         (JSC::PutPropertySlot::PutPropertySlot):
1424         (JSC::PutPropertySlot::setCustomProperty):
1425         (JSC::PutPropertySlot::thisValue):
1426         (JSC::PutPropertySlot::isCacheable):
1427
1428 2013-12-23  Benjamin Poulain  <benjamin@webkit.org>
1429
1430         Add class matching to the Selector Code Generator
1431         https://bugs.webkit.org/show_bug.cgi?id=126176
1432
1433         Reviewed by Antti Koivisto and Oliver Hunt.
1434
1435         Add test and branch based on BaseIndex addressing for x86_64.
1436         Fast loops are needed to compete with clang on tight loops.
1437
1438         * assembler/MacroAssembler.h:
1439         * assembler/MacroAssemblerX86_64.h:
1440         (JSC::MacroAssemblerX86_64::branch64):
1441         (JSC::MacroAssemblerX86_64::branchPtr):
1442         * assembler/X86Assembler.h:
1443         (JSC::X86Assembler::cmpq_rm):
1444
1445 2013-12-23  Oliver Hunt  <oliver@apple.com>
1446
1447         Update custom setter implementations to perform type checks
1448         https://bugs.webkit.org/show_bug.cgi?id=126171
1449
1450         Reviewed by Daniel Bates.
1451
1452         Modify the setter function signature to take encoded values
1453         as we're changing the setter usage everywhere anyway.
1454
1455         * runtime/Lookup.h:
1456         (JSC::putEntry):
1457
1458 2013-12-23  Lucas Forschler  <lforschler@apple.com>
1459
1460         <rdar://problem/15682948> Update copyright strings
1461         
1462         Reviewed by Dan Bernstein.
1463
1464         * Info.plist:
1465         * JavaScriptCore.vcxproj/JavaScriptCore.resources/Info.plist:
1466
1467 2013-12-23  Zan Dobersek  <zdobersek@igalia.com>
1468
1469         [GTK] Clean up compiler optimizations flags for libWTF, libJSC
1470         https://bugs.webkit.org/show_bug.cgi?id=126157
1471
1472         Reviewed by Gustavo Noronha Silva.
1473
1474         * GNUmakefile.am: Remove the -fstrict-aliasing and -O3 compiler flags for libWTF.la. -O3 gets
1475         overridden by -O2 that's listed in CXXFLAGS (or -O0 in case of debug builds) and -fstrict-aliasing
1476         is enabled when -O2 is used (and shouldn't be enabled in debug builds anyway).
1477
1478 2013-12-22  Martin Robinson  <mrobinson@igalia.com>
1479
1480         [CMake] Fix typo from r160812
1481         https://bugs.webkit.org/show_bug.cgi?id=126145
1482
1483         Reviewed by Gustavo Noronha Silva.
1484
1485         * CMakeLists.txt: Fix typo when detecting the type of library.
1486
1487 2013-12-22  Martin Robinson  <mrobinson@igalia.com>
1488
1489         [GTK][CMake] libtool-compatible soversion calculation
1490         https://bugs.webkit.org/show_bug.cgi?id=125511
1491
1492         Reviewed by Gustavo Noronha Silva.
1493
1494         * CMakeLists.txt: Use the POPULATE_LIBRARY_VERSION macro and the
1495         library-specific version information.
1496
1497 2013-12-23  Gustavo Noronha Silva  <gns@gnome.org>
1498
1499         [GTK] [CMake] Generate pkg-config files
1500         https://bugs.webkit.org/show_bug.cgi?id=125685
1501
1502         Reviewed by Martin Robinson.
1503
1504         * PlatformGTK.cmake: Added. Generate javascriptcoregtk-3.0.pc.
1505
1506 2013-12-22  Benjamin Poulain  <benjamin@webkit.org>
1507
1508         Create a skeleton for CSS Selector code generation
1509         https://bugs.webkit.org/show_bug.cgi?id=126044
1510
1511         Reviewed by Antti Koivisto and Gavin Barraclough.
1512
1513         * assembler/LinkBuffer.h:
1514         Add a new owner UID for code compiled for CSS.
1515         Export the symbols needed to link code from WebCore.
1516
1517 2013-12-19  Mark Hahnenberg  <mhahnenberg@apple.com>
1518
1519         Clean up DFG write barriers
1520         https://bugs.webkit.org/show_bug.cgi?id=126047
1521
1522         Reviewed by Filip Pizlo.
1523
1524         * dfg/DFGSpeculativeJIT.cpp:
1525         (JSC::DFG::SpeculativeJIT::storeToWriteBarrierBuffer): Use the register allocator to 
1526         determine which registers need saving instead of saving every single one of them.
1527         (JSC::DFG::SpeculativeJIT::osrWriteBarrier): We don't need to save live register state 
1528         because the write barriers during OSR execute when there are no live registers. Also we  
1529         don't need to use pushes to pad the stack pointer for pokes on x86; we can just use an add.
1530         (JSC::DFG::SpeculativeJIT::writeBarrier):
1531         * dfg/DFGSpeculativeJIT.h:
1532         * jit/Repatch.cpp:
1533         (JSC::emitPutReplaceStub):
1534         (JSC::emitPutTransitionStub):
1535         * runtime/VM.h: Get rid of writeBarrierRegisterBuffer since it's no longer used.
1536
1537 2013-12-20  Balazs Kilvady  <kilvadyb@homejinni.com>
1538
1539         [MIPS] Missing MacroAssemblerMIPS::branchTest8(ResultCondition, BaseIndex, TrustedImm32)
1540         https://bugs.webkit.org/show_bug.cgi?id=126062
1541
1542         Reviewed by Mark Hahnenberg.
1543
1544         * assembler/MacroAssemblerMIPS.h:
1545         (JSC::MacroAssemblerMIPS::branchTest8):
1546
1547 2013-12-20  Julien Brianceau  <jbriance@cisco.com>
1548
1549         [sh4] Add missing implementation in MacroAssembler to fix build.
1550         https://bugs.webkit.org/show_bug.cgi?id=126063
1551
1552         Reviewed by Mark Hahnenberg.
1553
1554         * assembler/MacroAssemblerSH4.h:
1555         (JSC::MacroAssemblerSH4::branchTest8):
1556
1557 2013-12-20  Julien Brianceau  <jbriance@cisco.com>
1558
1559         [arm] Add missing implementation in MacroAssembler to fix CPU(ARM_TRADITIONAL) build.
1560         https://bugs.webkit.org/show_bug.cgi?id=126064
1561
1562         Reviewed by Mark Hahnenberg.
1563
1564         * assembler/MacroAssemblerARM.h:
1565         (JSC::MacroAssemblerARM::branchTest8):
1566
1567 2013-12-19  Joseph Pecoraro  <pecoraro@apple.com>
1568
1569         Web Inspector: Add InspectorFrontendHost.debuggableType to let the frontend know its backend is JavaScript or Web
1570         https://bugs.webkit.org/show_bug.cgi?id=126016
1571
1572         Reviewed by Timothy Hatcher.
1573
1574         * inspector/remote/RemoteInspector.mm:
1575         (Inspector::RemoteInspector::listingForDebuggable):
1576         * inspector/remote/RemoteInspectorConstants.h:
1577         Include a debuggable type identifier in the debuggable listing,
1578         so the remote frontend can know if it is debugging a Web Page
1579         or JS Context.
1580
1581 2013-12-19  Benjamin Poulain  <benjamin@webkit.org>
1582
1583         Add a utility class to simplify generating function calls
1584         https://bugs.webkit.org/show_bug.cgi?id=125972
1585
1586         Reviewed by Geoffrey Garen.
1587
1588         Split branchTest32 in two functions: test32AndSetFlags and branchOnFlags.
1589         This is done to allow code where the flags are set, multiple operations that
1590         do not modify the flags occur, then the flags are used.
1591
1592         This is used for function calls to test the return value while discarding the
1593         return register.
1594
1595         * assembler/MacroAssemblerX86Common.h:
1596         (JSC::MacroAssemblerX86Common::test32AndSetFlags):
1597         (JSC::MacroAssemblerX86Common::branchOnFlags):
1598         (JSC::MacroAssemblerX86Common::branchTest32):
1599
1600 2013-12-19  Mark Hahnenberg  <mhahnenberg@apple.com>
1601
1602         Put write barriers in the right places in the baseline JIT
1603         https://bugs.webkit.org/show_bug.cgi?id=125975
1604
1605         Reviewed by Filip Pizlo.
1606
1607         * jit/JIT.cpp:
1608         (JSC::JIT::privateCompileSlowCases):
1609         * jit/JIT.h:
1610         * jit/JITInlines.h:
1611         (JSC::JIT::callOperation):
1612         (JSC::JIT::emitArrayProfilingSite):
1613         * jit/JITOpcodes.cpp:
1614         (JSC::JIT::emit_op_enter):
1615         (JSC::JIT::emitSlow_op_enter):
1616         * jit/JITOpcodes32_64.cpp:
1617         (JSC::JIT::emit_op_enter):
1618         (JSC::JIT::emitSlow_op_enter):
1619         * jit/JITPropertyAccess.cpp:
1620         (JSC::JIT::emit_op_put_by_val):
1621         (JSC::JIT::emitGenericContiguousPutByVal):
1622         (JSC::JIT::emitArrayStoragePutByVal):
1623         (JSC::JIT::emit_op_put_by_id):
1624         (JSC::JIT::emitPutGlobalProperty):
1625         (JSC::JIT::emitPutGlobalVar):
1626         (JSC::JIT::emitPutClosureVar):
1627         (JSC::JIT::emit_op_init_global_const):
1628         (JSC::JIT::checkMarkWord):
1629         (JSC::JIT::emitWriteBarrier):
1630         (JSC::JIT::privateCompilePutByVal):
1631         * jit/JITPropertyAccess32_64.cpp:
1632         (JSC::JIT::emitGenericContiguousPutByVal):
1633         (JSC::JIT::emitArrayStoragePutByVal):
1634         (JSC::JIT::emit_op_put_by_id):
1635         (JSC::JIT::emitSlow_op_put_by_id):
1636         (JSC::JIT::emitPutGlobalProperty):
1637         (JSC::JIT::emitPutGlobalVar):
1638         (JSC::JIT::emitPutClosureVar):
1639         (JSC::JIT::emit_op_init_global_const):
1640         * jit/Repatch.cpp:
1641         (JSC::emitPutReplaceStub):
1642         (JSC::emitPutTransitionStub):
1643         (JSC::repatchPutByID):
1644         * runtime/CommonSlowPaths.cpp:
1645         (JSC::SLOW_PATH_DECL):
1646         * runtime/CommonSlowPaths.h:
1647
1648 2013-12-19  Brent Fulgham  <bfulgham@apple.com>
1649
1650         Implement ArrayBuffer.isView
1651         https://bugs.webkit.org/show_bug.cgi?id=126004
1652
1653         Reviewed by Filip Pizlo.
1654
1655         Test coverage in webgl/1.0.2/resources/webgl_test_files/conformance/typedarrays/array-unit-tests.html
1656
1657         * runtime/JSArrayBufferConstructor.cpp:
1658         (JSC::JSArrayBufferConstructor::finishCreation): Add 'isView' to object constructor.
1659         (JSC::arrayBufferFuncIsView): New method.
1660
1661 2013-12-19  Mark Lam  <mark.lam@apple.com>
1662
1663         Fix broken C loop LLINT build.
1664         https://bugs.webkit.org/show_bug.cgi?id=126024.
1665
1666         Reviewed by Oliver Hunt.
1667
1668         * runtime/VM.h:
1669
1670 2013-12-18  Mark Hahnenberg  <mhahnenberg@apple.com>
1671
1672         DelayedReleaseScope is in the wrong place
1673         https://bugs.webkit.org/show_bug.cgi?id=125876
1674
1675         Reviewed by Geoffrey Garen.
1676
1677         The DelayedReleaseScope needs to be around the free list sweeping in MarkedAllocator::tryAllocateHelper. 
1678         This location gives us a good safe point between getting ready to allocate (i.e. identifying a non-empty 
1679         free list) and doing the actual allocation (popping the free list).
1680
1681         * heap/MarkedAllocator.cpp:
1682         (JSC::MarkedAllocator::tryAllocateHelper):
1683         (JSC::MarkedAllocator::allocateSlowCase):
1684         (JSC::MarkedAllocator::addBlock):
1685         * runtime/JSCellInlines.h:
1686         (JSC::allocateCell):
1687
1688 2013-12-18  Gustavo Noronha Silva  <gns@gnome.org>
1689
1690         [GTK][CMake] make libjavascriptcoregtk a public shared library again
1691         https://bugs.webkit.org/show_bug.cgi?id=125512
1692
1693         Reviewed by Martin Robinson.
1694
1695         * CMakeLists.txt: use target type instead of SHARED_CORE to decide whether
1696         JavaScriptCore is a shared library, since it's always shared for GTK+ regardless
1697         of SHARED_CORE.
1698
1699 2013-12-18  Benjamin Poulain  <benjamin@webkit.org>
1700
1701         Add a simple stack abstraction for x86_64
1702         https://bugs.webkit.org/show_bug.cgi?id=125908
1703
1704         Reviewed by Geoffrey Garen.
1705
1706         * assembler/MacroAssemblerX86_64.h:
1707         (JSC::MacroAssemblerX86_64::addPtrNoFlags):
1708         Add an explicit abstraction for the "lea" instruction. This is needed
1709         by the experimental JIT to have add and subtract without changing the flags.
1710
1711         This is useful for function calls to test the return value, restore the registers,
1712         then branch on the flags from the return value.
1713
1714 2013-12-18  Mark Hahnenberg  <mhahnenberg@apple.com>
1715
1716         DFG should have a separate StoreBarrier node
1717         https://bugs.webkit.org/show_bug.cgi?id=125530
1718
1719         Reviewed by Filip Pizlo.
1720
1721         This is in preparation for GenGC. We use a separate StoreBarrier node instead of making them implicitly 
1722         part of other nodes so that it's easier to run analyses on them, e.g. for the StoreBarrierElisionPhase. 
1723         They are inserted during the fixup phase. Initially they do not generate any code.
1724
1725         * CMakeLists.txt:
1726         * GNUmakefile.list.am:
1727         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1728         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1729         * JavaScriptCore.xcodeproj/project.pbxproj:
1730         * dfg/DFGAbstractHeap.h:
1731         * dfg/DFGAbstractInterpreter.h:
1732         (JSC::DFG::AbstractInterpreter::isKnownNotCell):
1733         * dfg/DFGAbstractInterpreterInlines.h:
1734         (JSC::DFG::::executeEffects):
1735         * dfg/DFGClobberize.h:
1736         (JSC::DFG::clobberizeForAllocation):
1737         (JSC::DFG::clobberize):
1738         * dfg/DFGConstantFoldingPhase.cpp:
1739         (JSC::DFG::ConstantFoldingPhase::foldConstants): Whenever we insert new nodes that require StoreBarriers,
1740         we have to add those new StoreBarriers too. It's important to note that AllocatePropertyStorage and 
1741         ReallocatePropertyStorage nodes require their StoreBarriers to come after them since they allocate first,
1742         which could cause a GC, and then store the resulting buffer into their JSCell, which requires the barrier.
1743         If we ever require that write barriers occur before stores, we'll have to split these nodes into 
1744         AllocatePropertyStorage + StoreBarrier + PutPropertyStorage.
1745         * dfg/DFGFixupPhase.cpp:
1746         (JSC::DFG::FixupPhase::fixupNode):
1747         (JSC::DFG::FixupPhase::insertStoreBarrier):
1748         * dfg/DFGNode.h:
1749         (JSC::DFG::Node::isStoreBarrier):
1750         * dfg/DFGNodeType.h:
1751         * dfg/DFGOSRExitCompiler32_64.cpp:
1752         (JSC::DFG::OSRExitCompiler::compileExit):
1753         * dfg/DFGOSRExitCompiler64.cpp:
1754         (JSC::DFG::OSRExitCompiler::compileExit):
1755         * dfg/DFGPlan.cpp:
1756         (JSC::DFG::Plan::compileInThreadImpl):
1757         * dfg/DFGPredictionPropagationPhase.cpp:
1758         (JSC::DFG::PredictionPropagationPhase::propagate):
1759         * dfg/DFGSafeToExecute.h:
1760         (JSC::DFG::safeToExecute):
1761         * dfg/DFGSpeculativeJIT.cpp:
1762         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1763         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1764         (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
1765         (JSC::DFG::SpeculativeJIT::genericWriteBarrier): The fast path write barrier check. It loads the 
1766         byte that contains the mark bit of the object. 
1767         (JSC::DFG::SpeculativeJIT::storeToWriteBarrierBuffer): If the fast path check fails we try to store the 
1768         cell in the WriteBarrierBuffer so as to avoid frequently flushing all registers in order to make a C call.
1769         (JSC::DFG::SpeculativeJIT::writeBarrier):
1770         (JSC::DFG::SpeculativeJIT::osrWriteBarrier): More barebones version of the write barrier to be executed 
1771         during an OSR exit into baseline code. We must do this so that the baseline JIT object and array profiles 
1772         are properly cleared during GC.
1773         * dfg/DFGSpeculativeJIT.h:
1774         (JSC::DFG::SpeculativeJIT::callOperation):
1775         * dfg/DFGSpeculativeJIT32_64.cpp:
1776         (JSC::DFG::SpeculativeJIT::cachedPutById):
1777         (JSC::DFG::SpeculativeJIT::compileBaseValueStoreBarrier):
1778         (JSC::DFG::SpeculativeJIT::compile):
1779         (JSC::DFG::SpeculativeJIT::writeBarrier):
1780         * dfg/DFGSpeculativeJIT64.cpp:
1781         (JSC::DFG::SpeculativeJIT::cachedPutById):
1782         (JSC::DFG::SpeculativeJIT::compileBaseValueStoreBarrier):
1783         (JSC::DFG::SpeculativeJIT::compile):
1784         (JSC::DFG::SpeculativeJIT::writeBarrier):
1785         * dfg/DFGStoreBarrierElisionPhase.cpp: Added. New DFG phase that does block-local elision of redundant
1786         StoreBarriers. Every time a StoreBarrier on a particular object is executed, a bit is set indicating that 
1787         that object doesn't need any more StoreBarriers. 
1788         (JSC::DFG::StoreBarrierElisionPhase::StoreBarrierElisionPhase):
1789         (JSC::DFG::StoreBarrierElisionPhase::couldCauseGC): Nodes that could cause a GC reset the bits for all of the 
1790         objects known in the current block. 
1791         (JSC::DFG::StoreBarrierElisionPhase::allocatesFreshObject): A node that creates a new object automatically 
1792         sets the bit for that object since if a GC occurred as the result of that object's allocation then that 
1793         object would not need a barrier since it would be guaranteed to be a young generation object until the 
1794         next GC point.
1795         (JSC::DFG::StoreBarrierElisionPhase::noticeFreshObject):
1796         (JSC::DFG::StoreBarrierElisionPhase::getBaseOfStore):
1797         (JSC::DFG::StoreBarrierElisionPhase::shouldBeElided):
1798         (JSC::DFG::StoreBarrierElisionPhase::elideBarrier):
1799         (JSC::DFG::StoreBarrierElisionPhase::handleNode):
1800         (JSC::DFG::StoreBarrierElisionPhase::handleBlock):
1801         (JSC::DFG::StoreBarrierElisionPhase::run):
1802         (JSC::DFG::performStoreBarrierElision):
1803         * dfg/DFGStoreBarrierElisionPhase.h: Added.
1804         * heap/Heap.cpp:
1805         (JSC::Heap::Heap):
1806         (JSC::Heap::flushWriteBarrierBuffer):
1807         * heap/Heap.h:
1808         (JSC::Heap::writeBarrier):
1809         * heap/MarkedBlock.h:
1810         (JSC::MarkedBlock::offsetOfMarks):
1811         * heap/WriteBarrierBuffer.cpp: Added. The WriteBarrierBuffer buffers a set of JSCells that are awaiting 
1812         a pending WriteBarrier. This buffer is used by the DFG to avoid the overhead of calling out to C repeatedly
1813         to invoke a write barrier on a single JSCell. Instead the DFG has inline code to fill the WriteBarrier buffer
1814         until it's full, and then to call out to C to flush it. The WriteBarrierBuffer will also be flushed prior to 
1815         each EdenCollection.
1816         (JSC::WriteBarrierBuffer::WriteBarrierBuffer):
1817         (JSC::WriteBarrierBuffer::~WriteBarrierBuffer):
1818         (JSC::WriteBarrierBuffer::flush):
1819         (JSC::WriteBarrierBuffer::reset):
1820         (JSC::WriteBarrierBuffer::add):
1821         * heap/WriteBarrierBuffer.h: Added.
1822         (JSC::WriteBarrierBuffer::currentIndexOffset):
1823         (JSC::WriteBarrierBuffer::capacityOffset):
1824         (JSC::WriteBarrierBuffer::bufferOffset):
1825         * jit/JITOperations.cpp:
1826         * jit/JITOperations.h:
1827         * runtime/VM.h:
1828
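To make the two mechanisms in the entry above concrete, here is an added toy model (not JavaScriptCore's own code) of the block-local StoreBarrierElisionPhase and of the WriteBarrierBuffer. The node kinds, the object names and the sample basic block are constructed for this illustration; the real phase works over DFG nodes and the real buffer holds JSCell pointers, but the bookkeeping is the same: a barrier sets the bit for its object, a fresh allocation sets the bit for the new object, any node that could cause a GC clears every bit, and surviving barriers are batched in a fixed-size buffer that flushes when full.

```cpp
// Added illustration, not JavaScriptCore code: a toy model of the block-local
// StoreBarrierElisionPhase and the WriteBarrierBuffer described in the ChangeLog.
// Node kinds, object names and the sample block are constructed for the example.
#include <cstddef>
#include <cstdio>
#include <set>
#include <string>
#include <vector>

enum class Kind { NewObject, PutByOffset, StoreBarrier, Call };

struct Node {
    Kind kind;
    std::string base; // the object this node allocates, stores into, or barriers
};

// Model of WriteBarrierBuffer: cells awaiting a barrier are queued and handed to
// the collector in one batch when the buffer is full (or before a collection).
class WriteBarrierBuffer {
public:
    explicit WriteBarrierBuffer(size_t capacity) : m_capacity(capacity) {}
    void add(const std::string& cell) {
        if (m_cells.size() == m_capacity)
            flush(); // buffer full: one batched call instead of one call per cell
        m_cells.push_back(cell);
    }
    void flush() {
        ++m_flushes;
        m_flushed.insert(m_flushed.end(), m_cells.begin(), m_cells.end());
        m_cells.clear();
    }
    size_t flushes() const { return m_flushes; }
    size_t pending() const { return m_cells.size(); }
    const std::vector<std::string>& flushed() const { return m_flushed; }
private:
    size_t m_capacity;
    size_t m_flushes = 0;
    std::vector<std::string> m_cells;   // cells still waiting for their barrier
    std::vector<std::string> m_flushed; // cells already handed to the collector
};

struct ElisionResult {
    std::vector<size_t> elided; // indices of StoreBarrier nodes proven redundant
    std::vector<size_t> kept;   // indices of StoreBarrier nodes that must stay
};

// Conservative: an allocation may trigger a collection, and so may any call.
static bool couldCauseGC(const Node& n) { return n.kind == Kind::Call || n.kind == Kind::NewObject; }
static bool allocatesFreshObject(const Node& n) { return n.kind == Kind::NewObject; }

// Walk one basic block. An object gets a bit once it has been barriered (or freshly
// allocated); a later StoreBarrier on it is redundant until a GC point clears all bits.
ElisionResult elideStoreBarriers(const std::vector<Node>& block) {
    std::set<std::string> barriered;
    ElisionResult result;
    for (size_t i = 0; i < block.size(); ++i) {
        const Node& node = block[i];
        if (couldCauseGC(node))
            barriered.clear(); // objects may have aged; forget everything known so far
        if (allocatesFreshObject(node))
            barriered.insert(node.base); // young until the next GC point, so no barrier needed
        if (node.kind != Kind::StoreBarrier)
            continue;
        if (barriered.count(node.base)) {
            result.elided.push_back(i);
        } else {
            result.kept.push_back(i);
            barriered.insert(node.base); // this barrier covers later stores in the block
        }
    }
    return result;
}

struct BufferStats { size_t flushes; size_t pending; std::vector<std::string> flushed; };

// Feed the surviving barriers through a small buffer to show the batching behaviour.
BufferStats bufferKeptBarriers(const std::vector<Node>& block, const ElisionResult& r, size_t capacity) {
    WriteBarrierBuffer buffer(capacity);
    for (size_t index : r.kept)
        buffer.add(block[index].base);
    return { buffer.flushes(), buffer.pending(), buffer.flushed() };
}

// Constructed sample block: two objects, one call in the middle.
std::vector<Node> sampleBlock() {
    return {
        { Kind::NewObject, "a" },    // 0: fresh object, bit for "a" set
        { Kind::StoreBarrier, "a" }, // 1: elided
        { Kind::PutByOffset, "a" },  // 2
        { Kind::StoreBarrier, "b" }, // 3: kept, sets bit for "b"
        { Kind::PutByOffset, "b" },  // 4
        { Kind::StoreBarrier, "b" }, // 5: elided
        { Kind::Call, "" },          // 6: GC point, clears all bits
        { Kind::StoreBarrier, "a" }, // 7: kept
        { Kind::StoreBarrier, "b" }, // 8: kept
    };
}

int main() {
    std::vector<Node> block = sampleBlock();
    ElisionResult r = elideStoreBarriers(block);
    std::printf("elided %zu of %zu barriers\n", r.elided.size(), r.elided.size() + r.kept.size());
    BufferStats s = bufferKeptBarriers(block, r, 2);
    std::printf("buffer flushed %zu time(s), %zu cell(s) still pending\n", s.flushes, s.pending);
    return 0;
}
```

Running it on the constructed block elides the barriers at indices 1 and 5 and keeps 3, 7 and 8; with a buffer capacity of 2 the three kept barriers cause exactly one flush, leaving one cell pending for the flush that precedes the next collection. The order of the two checks in the loop matters: the GC-point reset runs before the fresh-object bit is set, so an allocation both forgets older objects and marks its own result as young.
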
1829 2013-12-18  Carlos Garcia Campos  <cgarcia@igalia.com>
1830
1831         Unreviewed. Fix make distcheck.
1832
1833         * GNUmakefile.am:
1834
1835 2013-12-17  Julien Brianceau  <jbriance@cisco.com>
1836
1837         Fix armv7 and sh4 builds.
1838         https://bugs.webkit.org/show_bug.cgi?id=125848
1839
1840         Reviewed by Csaba Osztrogonác.
1841
1842         * assembler/ARMv7Assembler.h: Include limits.h for INT_MIN.
1843         * assembler/SH4Assembler.h: Include limits.h for INT_MIN.
1844
1845 2013-12-16  Oliver Hunt  <oliver@apple.com>
1846
1847         Avoid indirect function calls for custom getters
1848         https://bugs.webkit.org/show_bug.cgi?id=125821
1849
1850         Reviewed by Mark Hahnenberg.
1851
1852         Rather than invoking a helper function to perform an indirect call
1853         through a function pointer, just have the JIT call the function directly.
1854
1855         Unfortunately this only works in JSVALUE64 at the moment as there
1856         is not an obvious way to pass two EncodedJSValues uniformly over
1857         the various affected JITs.
1858
1859         * jit/CCallHelpers.h:
1860         (JSC::CCallHelpers::setupArguments):
1861         * jit/Repatch.cpp:
1862         (JSC::generateProtoChainAccessStub):
1863         (JSC::tryBuildGetByIDList):
1864
1865 2013-12-16  Joseph Pecoraro  <pecoraro@apple.com>
1866
1867         Fix some whitespace issues in inspector code
1868         https://bugs.webkit.org/show_bug.cgi?id=125814
1869
1870         Reviewed by Darin Adler.
1871
1872         * inspector/protocol/Debugger.json:
1873         * inspector/protocol/Runtime.json:
1874         * inspector/scripts/CodeGeneratorInspector.py:
1875         (Generator.process_command):
1876
1877 2013-12-16  Mark Hahnenberg  <mhahnenberg@apple.com>
1878
1879         Add some missing functions to MacroAssembler
1880         https://bugs.webkit.org/show_bug.cgi?id=125809
1881
1882         Reviewed by Oliver Hunt.
1883
1884         * assembler/AbstractMacroAssembler.h:
1885         * assembler/AssemblerBuffer.h:
1886         * assembler/LinkBuffer.cpp:
1887         * assembler/MacroAssembler.h:
1888         (JSC::MacroAssembler::storePtr):
1889         (JSC::MacroAssembler::andPtr):
1890         * assembler/MacroAssemblerARM64.h:
1891         (JSC::MacroAssemblerARM64::and64):
1892         (JSC::MacroAssemblerARM64::branchTest8):
1893         * assembler/MacroAssemblerARMv7.h:
1894         (JSC::MacroAssemblerARMv7::branchTest8):
1895         * assembler/X86Assembler.h:
1896
1897 2013-12-16  Brent Fulgham  <bfulgham@apple.com>
1898
1899         [Win] Remove dead code after conversion to VS2013
1900         https://bugs.webkit.org/show_bug.cgi?id=125795
1901
1902         Reviewed by Darin Adler.
1903
1904         * API/tests/testapi.c: Remove local nan implementation
1905
1906 2013-12-16  Oliver Hunt  <oliver@apple.com>
1907
1908         Cache getters and custom accessors on the prototype chain
1909         https://bugs.webkit.org/show_bug.cgi?id=125602
1910
1911         Reviewed by Michael Saboff.
1912
1913         Support caching of custom getters and accessors on the prototype chain.
1914         This is relatively trivial and just requires a little work compared to
1915         the direct access mode as we're under more register pressure.
1916
1917         * bytecode/StructureStubInfo.h:
1918           Removed the unused initGetByIdProto as it was confusing to still have it present.
1919         * jit/Repatch.cpp:
1920         (JSC::generateProtoChainAccessStub):
1921         (JSC::tryCacheGetByID):
1922         (JSC::tryBuildGetByIDList):
1923
1924 2013-12-16  Mark Lam  <mark.lam@apple.com>
1925
1926         Change slow path result to take a void* instead of a ExecState*.
1927         https://bugs.webkit.org/show_bug.cgi?id=125802.
1928
1929         Reviewed by Filip Pizlo.
1930
1931         This is in preparation for C Stack OSR entry work that is coming soon.
1932         In the OSR entry case, we'll be returning a topOfFrame pointer value
1933         instead of the ExecState*.
1934
1935         * offlineasm/cloop.rb:
1936         * runtime/CommonSlowPaths.h:
1937         (JSC::encodeResult):
1938         (JSC::decodeResult):
1939
1940 2013-12-16  Alex Christensen  <achristensen@webkit.org>
1941
1942         Fixed Win64 build on VS2013.
1943         https://bugs.webkit.org/show_bug.cgi?id=125753
1944
1945         Reviewed by Brent Fulgham.
1946
1947         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1948         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj:
1949         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
1950         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
1951         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
1952         * JavaScriptCore.vcxproj/jsc/jsc.vcxproj:
1953         * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj:
1954         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
1955         Added correct PlatformToolset for 64-bit builds.
1956
1957 2013-12-16  Peter Szanka  <h868064@stud.u-szeged.hu>
1958
1959         Delete RVCT related code parts.
1960         https://bugs.webkit.org/show_bug.cgi?id=125626
1961
1962         Reviewed by Darin Adler.
1963
1964         * assembler/ARMAssembler.cpp:
1965         * assembler/ARMAssembler.h:
1966         (JSC::ARMAssembler::cacheFlush):
1967         * assembler/MacroAssemblerARM.cpp:
1968         (JSC::isVFPPresent):
1969         * jit/JITStubsARM.h:
1970         * jit/JITStubsARMv7.h:
1971
1972 2013-12-15  Ryosuke Niwa  <rniwa@webkit.org>
1973
1974         REGRESSION: 2x regression on Dromaeo DOM query tests
1975         https://bugs.webkit.org/show_bug.cgi?id=125377
1976
1977         Reviewed by Filip Pizlo.
1978
1979         The bug was caused by JSC not JIT'ing property access on "document" due to its type info having the
1980         HasImpureGetOwnPropertySlot flag.
1981
1982         Fixed the bug by adding a new type info flag, NewImpurePropertyFiresWatchpoints, which allows the baseline
1983         JIT to generate byte code for accessing properties on an object with named properties (a.k.a.
1984         custom name getter) in DOM. When a new named property appears on the object, the VM is notified via
1985         VM::addImpureProperty and fires the StructureStubClearingWatchpoint added during the repatch.
1986
1987         * bytecode/GetByIdStatus.cpp:
1988         (JSC::GetByIdStatus::computeFromLLInt): Take the slow path if we have any object with impure
1989         properties in the prototype chain.
1990         (JSC::GetByIdStatus::computeForChain): Ditto.
1991
1992         * jit/Repatch.cpp:
1993         (JSC::repatchByIdSelfAccess): Throw away the byte code when a new impure property is added on any
1994         object in the prototype chain via StructureStubClearingWatchpoint.
1995         (JSC::generateProtoChainAccessStub): Ditto.
1996         (JSC::tryCacheGetByID):
1997         (JSC::tryBuildGetByIDList):
1998         (JSC::tryRepatchIn): Ditto.
1999
2000         * runtime/JSTypeInfo.h: Added NewImpurePropertyFiresWatchpoints.
2001         (JSC::TypeInfo::newImpurePropertyFiresWatchpoints): Added.
2002
2003         * runtime/Operations.h:
2004         (JSC::normalizePrototypeChainForChainAccess): Don't exit early if VM will be notified of new
2005         impure property even if the object had impure properties.
2006
2007         * runtime/Structure.h:
2008         (JSC::Structure::takesSlowPathInDFGForImpureProperty): Added. Wraps hasImpureGetOwnPropertySlot and
2009         asserts that newImpurePropertyFiresWatchpoints is true whenever hasImpureGetOwnPropertySlot is true.
2010
2011         * runtime/VM.cpp:
2012         (JSC::VM::registerWatchpointForImpureProperty): Added.
2013         (JSC::VM::addImpureProperty): Added. HTMLDocument calls it to notify JSC of a new impure property.
2014
2015         * runtime/VM.h:
2016
2017 2013-12-15  Andy Estes  <aestes@apple.com>
2018
2019         [iOS] Upstream changes to FeatureDefines.xcconfig
2020         https://bugs.webkit.org/show_bug.cgi?id=125742
2021
2022         Reviewed by Dan Bernstein.
2023
2024         * Configurations/FeatureDefines.xcconfig:
2025
2026 2013-12-14  Filip Pizlo  <fpizlo@apple.com>
2027
2028         FTL should *really* know when things are flushed
2029         https://bugs.webkit.org/show_bug.cgi?id=125747
2030
2031         Reviewed by Sam Weinig.
2032         
2033         Fix more codegen badness. This makes V8v7's crypto am3() function run faster in the FTL
2034         than in DFG. This means that even if we just compile those functions in V8v7 that don't
2035         make calls, the FTL gives us a 2% speed-up over the DFG. That's pretty good considering
2036         that we have still more optimizations to fix and we can make calls work.
2037
2038         * dfg/DFGSSAConversionPhase.cpp:
2039         (JSC::DFG::SSAConversionPhase::run):
2040         * ftl/FTLCompile.cpp:
2041         (JSC::FTL::fixFunctionBasedOnStackMaps):
2042
2043 2013-12-14  Andy Estes  <aestes@apple.com>
2044
2045         Unify FeatureDefines.xcconfig
2046         https://bugs.webkit.org/show_bug.cgi?id=125741
2047
2048         Rubber-stamped by Dan Bernstein.
2049
2050         * Configurations/FeatureDefines.xcconfig: Enable ENABLE_MEDIA_SOURCE.
2051
2052 2013-12-14  Mark Rowe  <mrowe@apple.com>
2053
2054         Build fix after r160557.
2055
2056         r160557 added the first generated header to JavaScriptCore that needs to be installed into
2057         the framework wrapper. Sadly JavaScriptCore's Derived Sources target was not set to generate
2058         headers when invoked as part of the installhdrs action. This resulted in the build failing
2059         due to Xcode being unable to find the header file to install. The fix for this is to configure
2060         the Derived Sources target to use JavaScriptCore.xcconfig, which sets INSTALLHDRS_SCRIPT_PHASE
2061         to YES and allows Xcode to generate derived sources during the installhdrs action.
2062
2063         Enabling INSTALLHDRS_SCRIPT_PHASE required tweaking the Generate Derived Sources script build
2064         phase to skip running code related to offlineasm that depends on JSCLLIntOffsetExtractor
2065         having been compiled, which isn't the case at installhdrs time.
2066
2067         * JavaScriptCore.xcodeproj/project.pbxproj:
2068
2069 2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>
2070
2071         Some Set and Map prototype functions have incorrect function lengths
2072         https://bugs.webkit.org/show_bug.cgi?id=125732
2073
2074         Reviewed by Oliver Hunt.
2075
2076         * runtime/MapPrototype.cpp:
2077         (JSC::MapPrototype::finishCreation):
2078         * runtime/SetPrototype.cpp:
2079         (JSC::SetPrototype::finishCreation):
2080
2081 2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>
2082
2083         Web Inspector: Move Inspector and Debugger protocol domains into JavaScriptCore
2084         https://bugs.webkit.org/show_bug.cgi?id=125707
2085
2086         Reviewed by Timothy Hatcher.
2087
2088         * CMakeLists.txt:
2089         * DerivedSources.make:
2090         * GNUmakefile.am:
2091         * inspector/protocol/Debugger.json: Renamed from Source/WebCore/inspector/protocol/Debugger.json.
2092         * inspector/protocol/GenericTypes.json: Added.
2093         * inspector/protocol/InspectorDomain.json: Renamed from Source/WebCore/inspector/protocol/InspectorDomain.json.
2094         Add new files to inspector generation.
2095
2096         * inspector/scripts/CodeGeneratorInspector.py:
2097         (Generator.go):
2098         Only build TypeBuilder output if the domain only has types. Avoid
2099         backend/frontend dispatchers and backend commands.
2100
2101         (TypeBindings.create_type_declaration_.EnumBinding.get_setter_value_expression_pattern):
2102         (format_setter_value_expression):
2103         (Generator.process_command):
2104         (Generator.generate_send_method):
2105         * inspector/scripts/CodeGeneratorInspectorStrings.py:
2106         Export and name the get{JS,Web}EnumConstant function.
2107
2108 2013-12-11  Filip Pizlo  <fpizlo@apple.com>
2109
2110         Get rid of forward exit on UInt32ToNumber by adding an op_unsigned bytecode instruction
2111         https://bugs.webkit.org/show_bug.cgi?id=125553
2112
2113         Reviewed by Oliver Hunt.
2114         
2115         UInt32ToNumber was a super complicated node because it had to do a speculation, but it
2116         would do it after we already had computed the urshift. It couldn't just jump back to the
2117         beginning of the urshift because the inputs to the urshift weren't necessarily live
2118         anymore. We couldn't jump forward to the beginning of the next instruction because the
2119         result of the urshift was not yet unsigned-converted.
2120         
2121         For a while we solved this by forward-exiting in UInt32ToNumber. But that's really
2122         gross and I want to get rid of all forward exits. They cause a lot of bugs.
2123         
2124         We could also have turned UInt32ToNumber to a backwards exit by forcing the inputs to
2125         the urshift to be live. I figure that this might be a bit too extreme.
2126         
2127         So, I just created a new place that we can exit to: I split op_urshift into op_urshift
2128         followed by op_unsigned. op_unsigned is an "unsigned cast" along the lines of what
2129         UInt32ToNumber does. This allows me to get rid of all of the nastiness in the DFG for
2130         forward exiting in UInt32ToNumber.
2131         
2132         This patch enables massive code carnage in the DFG and FTL, and brings us closer to
2133         eliminating one of the DFG's most confusing concepts. On the flipside, it does make the
2134         bytecode slightly more complex (one new instruction). This is a profitable trade. We
2135         want the DFG and FTL to trend towards simplicity, since they are both currently too
2136         complicated.
2137
2138         * bytecode/BytecodeUseDef.h:
2139         (JSC::computeUsesForBytecodeOffset):
2140         (JSC::computeDefsForBytecodeOffset):
2141         * bytecode/CodeBlock.cpp:
2142         (JSC::CodeBlock::dumpBytecode):
2143         * bytecode/Opcode.h:
2144         (JSC::padOpcodeName):
2145         * bytecode/ValueRecovery.cpp:
2146         (JSC::ValueRecovery::dumpInContext):
2147         * bytecode/ValueRecovery.h:
2148         (JSC::ValueRecovery::gpr):
2149         * bytecompiler/NodesCodegen.cpp:
2150         (JSC::BinaryOpNode::emitBytecode):
2151         (JSC::emitReadModifyAssignment):
2152         * dfg/DFGByteCodeParser.cpp:
2153         (JSC::DFG::ByteCodeParser::toInt32):
2154         (JSC::DFG::ByteCodeParser::parseBlock):
2155         * dfg/DFGClobberize.h:
2156         (JSC::DFG::clobberize):
2157         * dfg/DFGNodeType.h:
2158         * dfg/DFGOSRExitCompiler32_64.cpp:
2159         (JSC::DFG::OSRExitCompiler::compileExit):
2160         * dfg/DFGOSRExitCompiler64.cpp:
2161         (JSC::DFG::OSRExitCompiler::compileExit):
2162         * dfg/DFGSpeculativeJIT.cpp:
2163         (JSC::DFG::SpeculativeJIT::compileMovHint):
2164         (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
2165         * dfg/DFGSpeculativeJIT.h:
2166         * dfg/DFGSpeculativeJIT32_64.cpp:
2167         * dfg/DFGSpeculativeJIT64.cpp:
2168         * dfg/DFGStrengthReductionPhase.cpp:
2169         (JSC::DFG::StrengthReductionPhase::handleNode):
2170         (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild):
2171         (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild1):
2172         (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild2):
2173         * ftl/FTLFormattedValue.h:
2174         (JSC::FTL::int32Value):
2175         * ftl/FTLLowerDFGToLLVM.cpp:
2176         (JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber):
2177         * ftl/FTLValueFormat.cpp:
2178         (JSC::FTL::reboxAccordingToFormat):
2179         (WTF::printInternal):
2180         * ftl/FTLValueFormat.h:
2181         * jit/JIT.cpp:
2182         (JSC::JIT::privateCompileMainPass):
2183         (JSC::JIT::privateCompileSlowCases):
2184         * jit/JIT.h:
2185         * jit/JITArithmetic.cpp:
2186         (JSC::JIT::emit_op_urshift):
2187         (JSC::JIT::emitSlow_op_urshift):
2188         (JSC::JIT::emit_op_unsigned):
2189         (JSC::JIT::emitSlow_op_unsigned):
2190         * jit/JITArithmetic32_64.cpp:
2191         (JSC::JIT::emitRightShift):
2192         (JSC::JIT::emitRightShiftSlowCase):
2193         (JSC::JIT::emit_op_unsigned):
2194         (JSC::JIT::emitSlow_op_unsigned):
2195         * llint/LowLevelInterpreter32_64.asm:
2196         * llint/LowLevelInterpreter64.asm:
2197         * runtime/CommonSlowPaths.cpp:
2198         (JSC::SLOW_PATH_DECL):
2199         * runtime/CommonSlowPaths.h:
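
        The entry above splits op_urshift from the "unsigned cast" that follows it. The example
        below is added here and is not JavaScriptCore code: it gives a reference ToUint32 (the
        cast op_unsigned performs) and models the two-instruction sequence so the case where the
        int32 speculation fails (a result of 2^31 or more) is visible. The function names
        urshift/opUnsigned/urshiftThenUnsigned are illustrative, not JSC's.

```javascript
// Added example (not JavaScriptCore code): a reference ToUint32, the
// "unsigned cast" op_unsigned applies to the int32 produced by op_urshift,
// and a model of the split op_urshift / op_unsigned pair showing where the
// int32 speculation can fail.
const TWO_32 = 4294967296;

// ECMAScript ToUint32: NaN/Infinity -> 0, truncate toward zero, reduce mod 2^32.
function toUint32(value) {
  const n = Number(value);
  if (!Number.isFinite(n)) return 0;
  const m = Math.trunc(n) % TWO_32;    // '%' on doubles is an exact fmod
  return (m < 0 ? m + TWO_32 : m) + 0; // into [0, 2^32); '+ 0' turns -0 into +0
}

// op_urshift: logical shift of the 32-bit pattern, kept in the int32 view
// that a register holds (so a large result looks negative here).
function urshift(a, b) {
  const lhs = toUint32(a);
  const shift = toUint32(b) & 31;
  return Math.floor(lhs / 2 ** shift) | 0;
}

// op_unsigned: reinterpret the int32 as unsigned and report whether the
// result still fits int32. When it does not, a speculation that the value is
// an int32 fails, and this instruction boundary is where execution exits to.
function opUnsigned(int32Result) {
  const value = toUint32(int32Result);
  return { value, fitsInt32: value <= 0x7fffffff };
}

function urshiftThenUnsigned(a, b) {
  return opUnsigned(urshift(a, b));
}
```

        For any inputs, urshiftThenUnsigned(a, b).value agrees with the engine's own a >>> b;
        the fitsInt32 flag is the piece the split bytecode exposes.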
2200
2201 2013-12-13  Mark Hahnenberg  <mhahnenberg@apple.com>
2202
2203         LLInt should not conditionally branch to labels outside of its function
2204         https://bugs.webkit.org/show_bug.cgi?id=125713
2205
2206         Reviewed by Geoffrey Garen.
2207
2208         Conditional branches are insufficient for jumping to out-of-function labels.
2209         The fix is to use an unconditional jmp to the label combined with a conditional branch around the jmp.
2210
2211         * llint/LowLevelInterpreter32_64.asm:
2212         * llint/LowLevelInterpreter64.asm:
2213
2214 2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>
2215
2216         [GTK] Remove Warnings in building about duplicate INSPECTOR variables
2217         https://bugs.webkit.org/show_bug.cgi?id=125710
2218
2219         Reviewed by Tim Horton.
2220
2221         * GNUmakefile.am:
2222
2223 2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>
2224
2225         Cleanup CodeGeneratorInspectorStrings a bit
2226         https://bugs.webkit.org/show_bug.cgi?id=125705
2227
2228         Reviewed by Timothy Hatcher.
2229
2230         * inspector/scripts/CodeGeneratorInspectorStrings.py:
2231         Use ${foo} variable syntax and add an ASCIILiteral.
2232
2233 2013-12-13  Brent Fulgham  <bfulgham@apple.com>
2234
2235         [Win] Unreviewed build fix after r160563
2236
2237         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: Missed the Debug
2238         target in my last patch.
2239
2240 2013-12-13  Brent Fulgham  <bfulgham@apple.com>
2241
2242         [Win] Unreviewed build fix after r160548
2243
2244         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: Specify
2245         that we are using the vs12_xp target for Makefile-based projects.
2246         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj: Ditto
2247         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj: Ditto.
2248
2249 2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>
2250
2251         Make inspector folder groups smarter in JavaScriptCore.xcodeproj
2252         https://bugs.webkit.org/show_bug.cgi?id=125663
2253
2254         Reviewed by Darin Adler.
2255
2256         * JavaScriptCore.xcodeproj/project.pbxproj:
2257
2258 2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>
2259
2260         Web Inspector: Add Inspector Code Generation to JavaScriptCore for Runtime Domain
2261         https://bugs.webkit.org/show_bug.cgi?id=125595
2262
2263         Reviewed by Timothy Hatcher.
2264
2265           - Move CodeGeneration scripts from WebCore into JavaScriptCore/inspector/scripts
2266           - For ports that build WebKit frameworks separately, export the scripts as PrivateHeaders
2267           - Update CodeGeneratorInspector.py in a few ways:
2268             - output dynamic filenames, so JavaScriptCore generates InspectorJSFoo.* and WebCore generates InspectorWebFoo.*
2269             - take in more than one protocol JSON file. The first contains domains to generate, the others are dependencies
2270               that are generated elsewhere that we can depend on for Types.
2271           - Add DerivedSources build step to generate the Inspector Interfaces
2272
2273         * CMakeLists.txt:
2274         * DerivedSources.make:
2275         * GNUmakefile.am:
2276         * GNUmakefile.list.am:
2277         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2278         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2279         * JavaScriptCore.vcxproj/copy-files.cmd:
2280         * JavaScriptCore.xcodeproj/project.pbxproj:
2281         Add scripts and code generation.
2282
2283         * inspector/protocol/Runtime.json: Renamed from Source/WebCore/inspector/protocol/Runtime.json.
2284         Move protocol file into JavaScriptCore so its types will be generated in JavaScriptCore.
2285
2286         * inspector/scripts/CodeGeneratorInspector.py: Renamed from Source/WebCore/inspector/CodeGeneratorInspector.py.
2287         Updates to the script as listed above.
2288
2289         * inspector/scripts/CodeGeneratorInspectorStrings.py: Renamed from Source/WebCore/inspector/CodeGeneratorInspectorStrings.py.
2290         * inspector/scripts/generate-combined-inspector-json.py: Renamed from Source/WebCore/inspector/Scripts/generate-combined-inspector-json.py.
2291         Moved from WebCore into JavaScriptCore for code generation.
2292
2293 2013-12-13  Peter Szanka  <h868064@stud.u-szeged.hu>
2294
2295         Delete INTEL C compiler related code parts.
2296         https://bugs.webkit.org/show_bug.cgi?id=125625
2297
2298         Reviewed by Darin Adler.
2299
2300         * jsc.cpp:
2301         * testRegExp.cpp:
2302
2303 2013-12-13  Brent Fulgham  <bfulgham@apple.com>
2304
2305         [Win] Switch WebKit solution to Visual Studio 2013
2306         https://bugs.webkit.org/show_bug.cgi?id=125192
2307
2308         Reviewed by Anders Carlsson.
2309
2310         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Update for VS2013
2311         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
2312         Ditto
2313         * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: Ditto
2314         * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: Ditto
2315         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: Ditto
2316
2317 2013-12-12  Joseph Pecoraro  <pecoraro@apple.com>
2318
2319         Add a few more ASCIILiterals
2320         https://bugs.webkit.org/show_bug.cgi?id=125662
2321
2322         Reviewed by Darin Adler.
2323
2324         * inspector/InspectorBackendDispatcher.cpp:
2325         (Inspector::InspectorBackendDispatcher::dispatch):
2326
2327 2013-12-12  Joseph Pecoraro  <pecoraro@apple.com>
2328
2329         Test new JSContext name APIs
2330         https://bugs.webkit.org/show_bug.cgi?id=125607
2331
2332         Reviewed by Darin Adler.
2333
2334         * API/JSContext.h:
2335         * API/JSContextRef.h:
2336         Fix whitespace issues.
2337
2338         * API/tests/testapi.c:
2339         (globalContextNameTest):
2340         (main):
2341         * API/tests/testapi.mm:
2342         Add tests for JSContext set/get name APIs.
2343
2344 2013-12-11  Filip Pizlo  <fpizlo@apple.com>
2345
2346         ARM64: Hang running pdfjs test, suspect DFG generated code for "in"
2347         https://bugs.webkit.org/show_bug.cgi?id=124727
2348         <rdar://problem/15566923>
2349
2350         Reviewed by Michael Saboff.
2351         
2352         Get rid of In's hackish use of StructureStubInfo. Previously it was using hotPathBegin,
2353         and it was the only IC that used that field, which was wasteful. Moreover, it used it
2354         to store two separate locations: the label for patching the jump and the label right
2355         after the jump. The code was relying on those two being the same label, which is true
2356         on X86 and some other platforms, but it isn't true on ARM64.
2357         
2358         This gets rid of hotPathBegin and makes In express those two locations as offsets from
2359         the callReturnLocation, which is analogous to what the other ICs do.
2360         
2361         This fixes a bug where any successful In patching would result in a trivially infinite
2362         loop - and hence a hang - on ARM64.
2363
2364         * bytecode/StructureStubInfo.h:
2365         * dfg/DFGJITCompiler.cpp:
2366         (JSC::DFG::JITCompiler::link):
2367         * dfg/DFGJITCompiler.h:
2368         (JSC::DFG::InRecord::InRecord):
2369         * dfg/DFGSpeculativeJIT.cpp:
2370         (JSC::DFG::SpeculativeJIT::compileIn):
2371         * jit/JITInlineCacheGenerator.cpp:
2372         (JSC::JITByIdGenerator::finalize):
2373         * jit/Repatch.cpp:
2374         (JSC::replaceWithJump):
2375         (JSC::patchJumpToGetByIdStub):
2376         (JSC::tryCachePutByID):
2377         (JSC::tryBuildPutByIdList):
2378         (JSC::tryRepatchIn):
2379         (JSC::resetGetByID):
2380         (JSC::resetPutByID):
2381         (JSC::resetIn):
2382
2383 2013-12-11  Joseph Pecoraro  <pecoraro@apple.com>
2384
2385         Web Inspector: Push More Inspector Required Classes Down into JavaScriptCore
2386         https://bugs.webkit.org/show_bug.cgi?id=125324
2387
2388         Reviewed by Timothy Hatcher.
2389
2390         * CMakeLists.txt:
2391         * GNUmakefile.am:
2392         * GNUmakefile.list.am:
2393         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2394         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2395         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
2396         * JavaScriptCore.vcxproj/copy-files.cmd:
2397         * JavaScriptCore.xcodeproj/project.pbxproj:
2398         * bindings/ScriptFunctionCall.cpp: Renamed from Source/WebCore/bindings/js/ScriptFunctionCall.cpp.
2399         * bindings/ScriptFunctionCall.h: Renamed from Source/WebCore/bindings/js/ScriptFunctionCall.h.
2400         * bindings/ScriptObject.cpp: Copied from Source/WebCore/inspector/WorkerConsoleAgent.cpp.
2401         * bindings/ScriptObject.h: Renamed from Source/WebCore/inspector/InspectorBaseAgent.h.
2402         * bindings/ScriptValue.cpp: Renamed from Source/WebCore/bindings/js/ScriptValue.cpp.
2403         * bindings/ScriptValue.h: Renamed from Source/WebCore/bindings/js/ScriptValue.h.
2404         * inspector/InspectorAgentBase.h: Copied from Source/WebCore/inspector/InspectorAgentRegistry.h.
2405         * inspector/InspectorAgentRegistry.cpp: Renamed from Source/WebCore/inspector/InspectorAgentRegistry.cpp.
2406         * inspector/InspectorBackendDispatcher.h: Renamed from Source/WebCore/inspector/InspectorBackendDispatcher.h.
2407         (Inspector::InspectorSupplementalBackendDispatcher::InspectorSupplementalBackendDispatcher):
2408         (Inspector::InspectorSupplementalBackendDispatcher::~InspectorSupplementalBackendDispatcher):
2409         * inspector/InspectorValues.cpp: Renamed from Source/WebCore/inspector/InspectorValues.cpp.
2410         * inspector/InspectorValues.h: Renamed from Source/WebCore/inspector/InspectorValues.h.
2411
2412 2013-12-11  Laszlo Vidacs  <lac@inf.u-szeged.hu>
2413
2414         Store SHA1 hash in std::array
2415         https://bugs.webkit.org/show_bug.cgi?id=125446
2416
2417         Reviewed by Darin Adler.
2418
2419         Change Vector to std::array and use typedef.
2420
2421         * bytecode/CodeBlockHash.cpp:
2422         (JSC::CodeBlockHash::CodeBlockHash):
2423
2424 2013-12-11  Mark Rowe  <mrowe@apple.com>
2425
2426         <https://webkit.org/b/125141> Modernize the JavaScriptCore API headers
2427         <rdar://problem/15540121>
2428
2429         This consists of three main changes:
2430         1) Converting the return type of initializer methods to instancetype.
2431         2) Declaring properties rather than getters and setters.
2432         3) Tagging C API methods with information about their memory management semantics.
2433
2434         Changing the declarations from getters and setters to properties also required
2435         updating the headerdoc in a number of places.
2436
2437         Reviewed by Anders Carlsson.
2438
2439         * API/JSContext.h:
2440         * API/JSContext.mm:
2441         * API/JSManagedValue.h:
2442         * API/JSManagedValue.mm:
2443         * API/JSStringRefCF.h:
2444         * API/JSValue.h:
2445         * API/JSVirtualMachine.h:
2446         * API/JSVirtualMachine.mm:
2447
2448 2013-12-11  Mark Rowe  <mrowe@apple.com>
2449
2450         <https://webkit.org/b/125559> Move JavaScriptCore off the legacy WebKit availability macros
2451
2452         The legacy WebKit availability macros are verbose, confusing, and provide no benefit over
2453         using the system availability macros directly. The original vision was that they'd serve
2454         a cross-platform purpose but that never came to be.
2455
2456         Map from WebKit version to OS X version based on the mapping in WebKitAvailability.h.
2457         All iOS versions are specified as 7.0 as that is when the JavaScriptCore C API was made
2458         public.
2459
2460         Part of <rdar://problem/15512304>.
2461
2462         Reviewed by Anders Carlsson.
2463
2464         * API/JSBasePrivate.h:
2465         * API/JSContextRef.h:
2466         * API/JSContextRefPrivate.h:
2467         * API/JSObjectRef.h:
2468         * API/JSValueRef.h:
2469
2470 2013-12-10  Filip Pizlo  <fpizlo@apple.com>
2471
2472         Get rid of forward exit on DoubleAsInt32
2473         https://bugs.webkit.org/show_bug.cgi?id=125552
2474
2475         Reviewed by Oliver Hunt.
2476         
2477         The forward exit was just there so that we wouldn't have to keep the inputs alive up to
2478         the DoubleAsInt32. That's dumb. Forward exits are a complicated piece of machinery and
2479         we shouldn't have it just for a bit of liveness micro-optimization.
2480         
2481         Also add a bunch of machinery to test this case on X86.
2482
2483         * assembler/AbstractMacroAssembler.h:
2484         (JSC::optimizeForARMv7s):
2485         (JSC::optimizeForARM64):
2486         (JSC::optimizeForX86):
2487         * dfg/DFGFixupPhase.cpp:
2488         (JSC::DFG::FixupPhase::fixupNode):
2489         * dfg/DFGNodeType.h:
2490         * dfg/DFGSpeculativeJIT.cpp:
2491         (JSC::DFG::SpeculativeJIT::compileDoubleAsInt32):
2492         * runtime/Options.h:
2493         * tests/stress/double-as-int32.js: Added.
2494         (foo):
2495         (test):
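
        The entry above concerns DoubleAsInt32, a speculation that a double is exactly an int32.
        The example below is added here and is not JavaScriptCore code; it spells out the check
        such a speculation has to make, including the negative-zero case that an int32 cannot
        represent. The names doubleAsInt32 and speculationFailures are illustrative.

```javascript
// Added example (not JavaScriptCore code): the check a DoubleAsInt32-style
// speculation makes before handing a double to int32 code paths. It fails for
// non-integers, values outside int32 range, NaN/Infinity, and negative zero,
// an integer-valued double that int32 has no encoding for.
function doubleAsInt32(d) {
  if (typeof d !== 'number') return { ok: false, reason: 'not a double' };
  const asInt32 = d | 0;                 // ToInt32: truncates and wraps mod 2^32
  if (asInt32 !== d) {                   // wrapped, truncated, NaN or Infinity
    return { ok: false, reason: 'not an int32 value' };
  }
  if (asInt32 === 0 && Object.is(d, -0)) {
    return { ok: false, reason: 'negative zero' };
  }
  return { ok: true, value: asInt32 };
}

// Run the speculation over a list of inputs and return the ones that would
// force an exit, the way a tests/stress style check would enumerate them.
function speculationFailures(values) {
  return values.filter(v => !doubleAsInt32(v).ok);
}
```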
2496
2497 2013-12-10  Filip Pizlo  <fpizlo@apple.com>
2498
2499         Simplify CSE's treatment of NodeRelevantToOSR
2500         https://bugs.webkit.org/show_bug.cgi?id=125538
2501
2502         Reviewed by Oliver Hunt.
2503         
2504         Make the NodeRelevantToOSR thing obvious: if there is any MovHint on a node then the
2505         node is relevant to OSR.
2506
2507         * dfg/DFGCSEPhase.cpp:
2508         (JSC::DFG::CSEPhase::run):
2509         (JSC::DFG::CSEPhase::performNodeCSE):
2510         (JSC::DFG::CSEPhase::performBlockCSE):
2511
2512 2013-12-10  Filip Pizlo  <fpizlo@apple.com>
2513
2514         Get rid of forward exit in GetByVal on Uint32Array
2515         https://bugs.webkit.org/show_bug.cgi?id=125543
2516
2517         Reviewed by Oliver Hunt.
2518
2519         * dfg/DFGSpeculativeJIT.cpp:
2520         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
2521         * ftl/FTLLowerDFGToLLVM.cpp:
2522         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2523
2524 2013-12-10  Balazs Kilvady  <kilvadyb@homejinni.com>
2525
2526         [MIPS] Redundant instructions in code generated from offlineasm.
2527         https://bugs.webkit.org/show_bug.cgi?id=125528
2528
2529         Reviewed by Michael Saboff.
2530
2531         Optimize lowering of offlineasm BaseIndex Addresses.
2532
2533         * offlineasm/mips.rb:
2534
2535 2013-12-10  Oliver Hunt  <oliver@apple.com>
2536
2537         Reduce the mass templatizing of the JS parser
2538         https://bugs.webkit.org/show_bug.cgi?id=125535
2539
2540         Reviewed by Michael Saboff.
2541
2542         The various caches we have now have removed the need for many of
2543         the template vs. regular parameters.  This patch converts those
2544         template parameters to regular parameters and updates the call
2545         sites.  This reduces the code size of the parser by around 15%.
2546
2547         * parser/ASTBuilder.h:
2548         (JSC::ASTBuilder::createGetterOrSetterProperty):
2549         (JSC::ASTBuilder::createProperty):
2550         * parser/Parser.cpp:
2551         (JSC::::parseInner):
2552         (JSC::::parseSourceElements):
2553         (JSC::::parseVarDeclarationList):
2554         (JSC::::createBindingPattern):
2555         (JSC::::tryParseDeconstructionPatternExpression):
2556         (JSC::::parseDeconstructionPattern):
2557         (JSC::::parseSwitchClauses):
2558         (JSC::::parseSwitchDefaultClause):
2559         (JSC::::parseBlockStatement):
2560         (JSC::::parseFormalParameters):
2561         (JSC::::parseFunctionInfo):
2562         (JSC::::parseFunctionDeclaration):
2563         (JSC::::parseProperty):
2564         (JSC::::parseObjectLiteral):
2565         (JSC::::parseStrictObjectLiteral):
2566         (JSC::::parseMemberExpression):
2567         * parser/Parser.h:
2568         * parser/SyntaxChecker.h:
2569         (JSC::SyntaxChecker::createProperty):
2570         (JSC::SyntaxChecker::createGetterOrSetterProperty):
2571
2572 2013-12-10  Mark Hahnenberg  <mhahnenberg@apple.com>
2573
2574         ASSERT !heap.vm()->isInitializingObject() when finishing DFG compilation at beginning of GC
2575         https://bugs.webkit.org/show_bug.cgi?id=125472
2576
2577         Reviewed by Geoff Garen.
2578
2579         This patch makes it look like it's okay to allocate so that the DFG plan finalization stuff 
2580         can do what it needs to do. We already expected that we might do allocation during plan 
2581         finalization and we increased the deferral depth to handle this, but we need to fix this other 
2582         ASSERT stuff too.
2583
2584         * GNUmakefile.list.am:
2585         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2586         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2587         * JavaScriptCore.xcodeproj/project.pbxproj:
2588         * heap/Heap.cpp:
2589         (JSC::Heap::collect):
2590         * heap/Heap.h:
2591         * heap/RecursiveAllocationScope.h: Added.
2592         (JSC::RecursiveAllocationScope::RecursiveAllocationScope):
2593         (JSC::RecursiveAllocationScope::~RecursiveAllocationScope):
2594         * runtime/VM.h:
2595
2596 2013-12-09  Filip Pizlo  <fpizlo@apple.com>
2597
2598         Impose and enforce some basic rules of sanity for where Phi functions are allowed to occur and where their (optional) corresponding MovHints can be
2599         https://bugs.webkit.org/show_bug.cgi?id=125480
2600
2601         Reviewed by Geoffrey Garen.
2602         
2603         Previously, if you wanted to insert some speculation right after where a value was
2604         produced, you'd get super confused if that value was produced by a Phi node.  You can't
2605         necessarily insert speculations after a Phi node because Phi nodes appear in this
2606         special sequence of Phis and MovHints that establish the OSR exit state for a block.
2607         So, you'd probably want to search for the next place where it's safe to insert things.
2608         We already do this "search for beginning of next bytecode instruction" search by
2609         looking at the next node that has a different CodeOrigin.  But this would be hard for a
2610         Phi because those Phis and MovHints have basically random CodeOrigins and they can all
2611         have different CodeOrigins.
2612
2613         This change imposes some sanity for this situation:
2614
2615         - Phis must have unset CodeOrigins.
2616
2617         - In each basic block, all nodes that have unset CodeOrigins must come before all nodes
2618           that have set CodeOrigins.
2619
2620         This all ends up working out just great because prior to this change we didn't have a 
2621         use for unset CodeOrigins.  I think it's appropriate to make "unset CodeOrigin" mean
2622         that we're in the prologue of a basic block.
2623
2624         It's interesting what this means for block merging, which we don't yet do in SSA.
2625         Consider merging the edge A->B.  One possibility is that the block merger is now
2626         required to clean up Phi/Upsilons, and reascribe the MovHints to have the CodeOrigin of
2627         A's block terminal.  But an answer that might be better is that the originless
2628         nodes at the top of B are just given the origin of the terminal and we keep the
2629         Phis.  That would require changing the above rules.  We'll see how it goes, and what we
2630         end up picking...
2631
2632         Overall, this special-things-at-the-top rule is analogous to what other SSA-based
2633         compilers do.  For example, LLVM has rules mandating that Phis appear at the top of a
2634         block.
2635
2636         * bytecode/CodeOrigin.cpp:
2637         (JSC::CodeOrigin::dump):
2638         * dfg/DFGOSRExitBase.h:
2639         (JSC::DFG::OSRExitBase::OSRExitBase):
2640         * dfg/DFGSSAConversionPhase.cpp:
2641         (JSC::DFG::SSAConversionPhase::run):
2642         * dfg/DFGValidate.cpp:
2643         (JSC::DFG::Validate::validate):
2644         (JSC::DFG::Validate::validateSSA):
2645
2646 2013-12-08  Filip Pizlo  <fpizlo@apple.com>
2647
2648         Reveal array bounds checks in DFG IR
2649         https://bugs.webkit.org/show_bug.cgi?id=125253
2650
2651         Reviewed by Oliver Hunt and Mark Hahnenberg.
2652         
2653         In SSA mode, this reveals array bounds checks and the load of array length in DFG IR,
2654         making this a candidate for LICM.
2655
2656         This also fixes a long-standing performance bug where the JSObject slow paths would
2657         always create contiguous storage, rather than type-specialized storage, when doing a
2658         "storage creating" storage, like:
2659         
2660             var o = {};
2661             o[0] = 42;
2662
2663         * CMakeLists.txt:
2664         * GNUmakefile.list.am:
2665         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2666         * JavaScriptCore.xcodeproj/project.pbxproj:
2667         * bytecode/ExitKind.cpp:
2668         (JSC::exitKindToString):
2669         (JSC::exitKindIsCountable):
2670         * bytecode/ExitKind.h:
2671         * dfg/DFGAbstractInterpreterInlines.h:
2672         (JSC::DFG::::executeEffects):
2673         * dfg/DFGArrayMode.cpp:
2674         (JSC::DFG::permitsBoundsCheckLowering):
2675         (JSC::DFG::ArrayMode::permitsBoundsCheckLowering):
2676         * dfg/DFGArrayMode.h:
2677         (JSC::DFG::ArrayMode::lengthNeedsStorage):
2678         * dfg/DFGClobberize.h:
2679         (JSC::DFG::clobberize):
2680         * dfg/DFGConstantFoldingPhase.cpp:
2681         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2682         * dfg/DFGFixupPhase.cpp:
2683         (JSC::DFG::FixupPhase::fixupNode):
2684         * dfg/DFGNodeType.h:
2685         * dfg/DFGPlan.cpp:
2686         (JSC::DFG::Plan::compileInThreadImpl):
2687         * dfg/DFGPredictionPropagationPhase.cpp:
2688         (JSC::DFG::PredictionPropagationPhase::propagate):
2689         * dfg/DFGSSALoweringPhase.cpp: Added.
2690         (JSC::DFG::SSALoweringPhase::SSALoweringPhase):
2691         (JSC::DFG::SSALoweringPhase::run):
2692         (JSC::DFG::SSALoweringPhase::handleNode):
2693         (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
2694         (JSC::DFG::performSSALowering):
2695         * dfg/DFGSSALoweringPhase.h: Added.
2696         * dfg/DFGSafeToExecute.h:
2697         (JSC::DFG::safeToExecute):
2698         * dfg/DFGSpeculativeJIT.cpp:
2699         (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
2700         * dfg/DFGSpeculativeJIT32_64.cpp:
2701         (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
2702         (JSC::DFG::SpeculativeJIT::compile):
2703         * dfg/DFGSpeculativeJIT64.cpp:
2704         (JSC::DFG::SpeculativeJIT::compile):
2705         * ftl/FTLCapabilities.cpp:
2706         (JSC::FTL::canCompile):
2707         * ftl/FTLLowerDFGToLLVM.cpp:
2708         (JSC::FTL::LowerDFGToLLVM::compileNode):
2709         (JSC::FTL::LowerDFGToLLVM::compileCheckInBounds):
2710         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2711         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2712         (JSC::FTL::LowerDFGToLLVM::contiguousPutByValOutOfBounds):
2713         * runtime/JSObject.cpp:
2714         (JSC::JSObject::convertUndecidedForValue):
2715         (JSC::JSObject::createInitialForValueAndSet):
2716         (JSC::JSObject::putByIndexBeyondVectorLength):
2717         (JSC::JSObject::putDirectIndexBeyondVectorLength):
2718         * runtime/JSObject.h:
2719         * tests/stress/float32array-out-of-bounds.js: Added.
2720         (make):
2721         (foo):
2722         (test):
2723         * tests/stress/int32-object-out-of-bounds.js: Added.
2724         (make):
2725         (foo):
2726         (test):
2727         * tests/stress/int32-out-of-bounds.js: Added.
2728         (foo):
2729         (test):
2730
2731 2013-12-09  Sam Weinig  <sam@webkit.org>
2732
2733         Replace use of WTF::FixedArray with std::array
2734         https://bugs.webkit.org/show_bug.cgi?id=125475
2735
2736         Reviewed by Anders Carlsson.
2737
2738         * bytecode/CodeBlockHash.cpp:
2739         (JSC::CodeBlockHash::dump):
2740         * bytecode/Opcode.cpp:
2741         (JSC::OpcodeStats::~OpcodeStats):
2742         * dfg/DFGCSEPhase.cpp:
2743         * ftl/FTLAbstractHeap.h:
2744         * heap/MarkedSpace.h:
2745         * parser/ParserArena.h:
2746         * runtime/CodeCache.h:
2747         * runtime/DateInstanceCache.h:
2748         * runtime/JSGlobalObject.cpp:
2749         (JSC::JSGlobalObject::reset):
2750         * runtime/JSGlobalObject.h:
2751         * runtime/JSString.h:
2752         * runtime/LiteralParser.h:
2753         * runtime/NumericStrings.h:
2754         * runtime/RegExpCache.h:
2755         * runtime/SmallStrings.h:
2756
2757 2013-12-09  Joseph Pecoraro  <pecoraro@apple.com>
2758
2759         Remove miscellaneous unnecessary build statements
2760         https://bugs.webkit.org/show_bug.cgi?id=125466
2761
2762         Reviewed by Darin Adler.
2763
2764         * DerivedSources.make:
2765         * JavaScriptCore.vcxproj/build-generated-files.sh:
2766         * JavaScriptCore.xcodeproj/project.pbxproj:
2767         * make-generated-sources.sh:
2768
2769 2013-12-08  Filip Pizlo  <fpizlo@apple.com>
2770
2771         CSE should work in SSA
2772         https://bugs.webkit.org/show_bug.cgi?id=125430
2773
2774         Reviewed by Oliver Hunt and Mark Hahnenberg.
2775
2776         * dfg/DFGCSEPhase.cpp:
2777         (JSC::DFG::CSEPhase::run):
2778         (JSC::DFG::CSEPhase::performNodeCSE):
2779         * dfg/DFGPlan.cpp:
2780         (JSC::DFG::Plan::compileInThreadImpl):
2781
2782 2013-12-09  Joseph Pecoraro  <pecoraro@apple.com>
2783
2784         Remove docs/make-bytecode-docs.pl
2785         https://bugs.webkit.org/show_bug.cgi?id=125462
2786
2787         This script is very old and no longer outputs useful data since the
2788         op code definitions have moved from Interpreter.cpp.
2789
2790         Reviewed by Darin Adler.
2791
2792         * DerivedSources.make:
2793         * docs/make-bytecode-docs.pl: Removed.
2794
2795 2013-12-09  Julien Brianceau  <jbriance@cisco.com>
2796
2797         Fix sh4 LLINT build.
2798         https://bugs.webkit.org/show_bug.cgi?id=125454
2799
2800         Reviewed by Michael Saboff.
2801
2802         In LLINT, the sh4 backend implementation didn't properly handle conditional jumps using
2803         a LabelReference instance. This patch fixes it through the sh4LowerMisplacedLabels phase.
2804         Also, to avoid the need for a 4th temporary gpr, this phase is triggered later in
2805         getModifiedListSH4.
2806
2807         * offlineasm/sh4.rb:
2808
2809 2013-12-08  Filip Pizlo  <fpizlo@apple.com>
2810
2811         Add the notion of ConstantStoragePointer to DFG IR
2812         https://bugs.webkit.org/show_bug.cgi?id=125395
2813
2814         Reviewed by Oliver Hunt.
2815         
2816         This pushes more typed array folding into StrengthReductionPhase, and enables CSE on
2817         storage pointers. Previously, you might have separate nodes for the same storage
2818         pointer and this would cause some bad register pressure in the DFG. Note that this
2819         was really a theoretical problem and not, to my knowledge, a practical one - so this
2820         patch is basically just a clean-up.
2821
2822         * dfg/DFGAbstractInterpreterInlines.h:
2823         (JSC::DFG::::executeEffects):
2824         * dfg/DFGCSEPhase.cpp:
2825         (JSC::DFG::CSEPhase::constantStoragePointerCSE):
2826         (JSC::DFG::CSEPhase::performNodeCSE):
2827         * dfg/DFGClobberize.h:
2828         (JSC::DFG::clobberize):
2829         * dfg/DFGFixupPhase.cpp:
2830         (JSC::DFG::FixupPhase::fixupNode):
2831         * dfg/DFGGraph.cpp:
2832         (JSC::DFG::Graph::dump):
2833         * dfg/DFGNode.h:
2834         (JSC::DFG::Node::convertToConstantStoragePointer):
2835         (JSC::DFG::Node::hasStoragePointer):
2836         (JSC::DFG::Node::storagePointer):
2837         * dfg/DFGNodeType.h:
2838         * dfg/DFGPredictionPropagationPhase.cpp:
2839         (JSC::DFG::PredictionPropagationPhase::propagate):
2840         * dfg/DFGSafeToExecute.h:
2841         (JSC::DFG::safeToExecute):
2842         * dfg/DFGSpeculativeJIT.cpp:
2843         (JSC::DFG::SpeculativeJIT::compileConstantStoragePointer):
2844         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
2845         * dfg/DFGSpeculativeJIT.h:
2846         * dfg/DFGSpeculativeJIT32_64.cpp:
2847         (JSC::DFG::SpeculativeJIT::compile):
2848         * dfg/DFGSpeculativeJIT64.cpp:
2849         (JSC::DFG::SpeculativeJIT::compile):
2850         * dfg/DFGStrengthReductionPhase.cpp:
2851         (JSC::DFG::StrengthReductionPhase::handleNode):
2852         (JSC::DFG::StrengthReductionPhase::foldTypedArrayPropertyToConstant):
2853         (JSC::DFG::StrengthReductionPhase::prepareToFoldTypedArray):
2854         * dfg/DFGWatchpointCollectionPhase.cpp:
2855         (JSC::DFG::WatchpointCollectionPhase::handle):
2856         * ftl/FTLLowerDFGToLLVM.cpp:
2857         (JSC::FTL::LowerDFGToLLVM::compileNode):
2858         (JSC::FTL::LowerDFGToLLVM::compileConstantStoragePointer):
2859         (JSC::FTL::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
2860
2861 2013-12-08  Filip Pizlo  <fpizlo@apple.com>
2862
2863         FTL should support UntypedUse versions of Compare nodes
2864         https://bugs.webkit.org/show_bug.cgi?id=125426
2865
2866         Reviewed by Oliver Hunt.
2867         
2868         This adds UntypedUse versions of all comparisons except CompareStrictEq, which is
2869         sufficiently different that I thought I'd do it in another patch.
2870         
2871         This also extends our ability to abstract over comparison kind and removes a bunch of
2872         copy-paste code.
2873
2874         * dfg/DFGSpeculativeJIT64.cpp:
2875         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
2876         * ftl/FTLCapabilities.cpp:
2877         (JSC::FTL::canCompile):
2878         * ftl/FTLIntrinsicRepository.h:
2879         * ftl/FTLLowerDFGToLLVM.cpp:
2880         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
2881         (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
2882         (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
2883         (JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
2884         (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
2885         (JSC::FTL::LowerDFGToLLVM::compare):
2886         (JSC::FTL::LowerDFGToLLVM::nonSpeculativeCompare):
2887         * ftl/FTLOutput.h:
2888         (JSC::FTL::Output::icmp):
2889         (JSC::FTL::Output::equal):
2890         (JSC::FTL::Output::notEqual):
2891         (JSC::FTL::Output::above):
2892         (JSC::FTL::Output::aboveOrEqual):
2893         (JSC::FTL::Output::below):
2894         (JSC::FTL::Output::belowOrEqual):
2895         (JSC::FTL::Output::greaterThan):
2896         (JSC::FTL::Output::greaterThanOrEqual):
2897         (JSC::FTL::Output::lessThan):
2898         (JSC::FTL::Output::lessThanOrEqual):
2899         (JSC::FTL::Output::fcmp):
2900         (JSC::FTL::Output::doubleEqual):
2901         (JSC::FTL::Output::doubleNotEqualOrUnordered):
2902         (JSC::FTL::Output::doubleLessThan):
2903         (JSC::FTL::Output::doubleLessThanOrEqual):
2904         (JSC::FTL::Output::doubleGreaterThan):
2905         (JSC::FTL::Output::doubleGreaterThanOrEqual):
2906         (JSC::FTL::Output::doubleEqualOrUnordered):
2907         (JSC::FTL::Output::doubleNotEqual):
2908         (JSC::FTL::Output::doubleLessThanOrUnordered):
2909         (JSC::FTL::Output::doubleLessThanOrEqualOrUnordered):
2910         (JSC::FTL::Output::doubleGreaterThanOrUnordered):
2911         (JSC::FTL::Output::doubleGreaterThanOrEqualOrUnordered):
2912         * tests/stress/untyped-equality.js: Added.
2913         (foo):
2914         * tests/stress/untyped-less-than.js: Added.
2915         (foo):
2916
2917 2013-12-07  Filip Pizlo  <fpizlo@apple.com>
2918
2919         Fold typedArray.length if typedArray is constant
2920         https://bugs.webkit.org/show_bug.cgi?id=125252
2921
2922         Reviewed by Sam Weinig.
2923         
2924         This was meant to be easy. The problem is that there was no good place for putting
2925         the folding of typedArray.length to a constant. You can't quite do it in the
2926         bytecode parser because at that point you don't yet know if typedArray is really
2927         a typed array. You can't do it as part of constant folding because the folder
2928         assumes that it can opportunistically forward-flow a constant value without changing
2929         the IR; this doesn't work since we need to first change the IR to register a
2930         desired watchpoint and only after that can we introduce that constant. We could have
2931         done it in Fixup but that would have been awkward since Fixup's code for turning a
2932         GetById of "length" into GetArrayLength is already somewhat complex. We could have
2933         done it in CSE but CSE is already fairly gnarly and will probably get rewritten.
2934         
2935         So I introduced a new phase, called StrengthReduction. This phase should have any
2936         transformations that don't require CFA or CSE and that it would be weird to put into
2937         those other phases.
2938         
2939         I also took the opportunity to refactor some of the other folding code.
2940         
2941         This also adds a test, but the test couldn't quite be a LayoutTests/js/regress so I
2942         introduced the notion of JavaScriptCore/tests/stress.
2943         
2944         The goal of this patch isn't really to improve performance or anything like that.
2945         It adds an optimization for completeness, and in doing so it unlocks a bunch of new
2946         possibilities. The one that I'm most excited about is revealing array length checks
2947         in DFG IR, which will allow for array bounds check hoisting and elimination.
2948
2949         * CMakeLists.txt:
2950         * GNUmakefile.list.am:
2951         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2952         * JavaScriptCore.xcodeproj/project.pbxproj:
2953         * dfg/DFGAbstractInterpreterInlines.h:
2954         (JSC::DFG::::executeEffects):
2955         * dfg/DFGClobberize.h:
2956         (JSC::DFG::clobberize):
2957         * dfg/DFGFixupPhase.cpp:
2958         (JSC::DFG::FixupPhase::fixupNode):
2959         * dfg/DFGGraph.cpp:
2960         (JSC::DFG::Graph::tryGetFoldableView):
2961         (JSC::DFG::Graph::tryGetFoldableViewForChild1):
2962         * dfg/DFGGraph.h:
2963         * dfg/DFGNode.h:
2964         (JSC::DFG::Node::hasTypedArray):
2965         (JSC::DFG::Node::typedArray):
2966         * dfg/DFGNodeType.h:
2967         * dfg/DFGPlan.cpp:
2968         (JSC::DFG::Plan::compileInThreadImpl):
2969         * dfg/DFGPredictionPropagationPhase.cpp:
2970         (JSC::DFG::PredictionPropagationPhase::propagate):
2971         * dfg/DFGSafeToExecute.h:
2972         (JSC::DFG::safeToExecute):
2973         * dfg/DFGSpeculativeJIT.cpp:
2974         (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
2975         (JSC::DFG::SpeculativeJIT::compileConstantIndexedPropertyStorage):
2976         * dfg/DFGSpeculativeJIT32_64.cpp:
2977         (JSC::DFG::SpeculativeJIT::compile):
2978         * dfg/DFGSpeculativeJIT64.cpp:
2979         (JSC::DFG::SpeculativeJIT::compile):
2980         * dfg/DFGStrengthReductionPhase.cpp: Added.
2981         (JSC::DFG::StrengthReductionPhase::StrengthReductionPhase):
2982         (JSC::DFG::StrengthReductionPhase::run):
2983         (JSC::DFG::StrengthReductionPhase::handleNode):
2984         (JSC::DFG::StrengthReductionPhase::foldTypedArrayPropertyToConstant):
2985         (JSC::DFG::performStrengthReduction):
2986         * dfg/DFGStrengthReductionPhase.h: Added.
2987         * dfg/DFGWatchpointCollectionPhase.cpp:
2988         (JSC::DFG::WatchpointCollectionPhase::handle):
2989         * ftl/FTLCapabilities.cpp:
2990         (JSC::FTL::canCompile):
2991         * ftl/FTLLowerDFGToLLVM.cpp:
2992         (JSC::FTL::LowerDFGToLLVM::compileNode):
2993         (JSC::FTL::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
2994         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2995         (JSC::FTL::LowerDFGToLLVM::typedArrayLength):
2996         * jsc.cpp:
2997         (GlobalObject::finishCreation):
2998         (functionTransferArrayBuffer):
2999         * runtime/ArrayBufferView.h:
3000         * tests/stress: Added.
3001         * tests/stress/fold-typed-array-properties.js: Added.
3002         (foo):
3003
3004 2013-12-07  peavo@outlook.com  <peavo@outlook.com>
3005
3006         [Win][64-bit] Hitting breakpoint assembler instruction in callToJavaScript.
3007         https://bugs.webkit.org/show_bug.cgi?id=125382
3008
3009         Reviewed by Michael Saboff.
3010
3011         The WinCairo results from run-javascriptcore-tests are the same as the WinCairo 32-bits results, when removing these breakpoints.
3012
3013         * jit/JITStubsMSVC64.asm: Remove breakpoint instructions.
3014
3015 2013-12-06  Filip Pizlo  <fpizlo@apple.com>
3016
3017         FTL should support all of Branch/LogicalNot
3018         https://bugs.webkit.org/show_bug.cgi?id=125370
3019
3020         Reviewed by Mark Hahnenberg.
3021
3022         * ftl/FTLCapabilities.cpp:
3023         (JSC::FTL::canCompile):
3024         * ftl/FTLIntrinsicRepository.h:
3025         * ftl/FTLLowerDFGToLLVM.cpp:
3026         (JSC::FTL::LowerDFGToLLVM::boolify):
3027
3028 2013-12-06  Roger Fong  <roger_fong@apple.com> and Brent Fulgham  <bfulgham@apple.com>
3029
3030         [Win] Support compiling with VS2013
3031         https://bugs.webkit.org/show_bug.cgi?id=125353
3032
3033         Reviewed by Anders Carlsson.
3034
3035         * API/tests/testapi.c: Use C99 defines if available.
3036         * jit/JITOperations.cpp: Don't attempt to define C linkage when
3037         returning a C++ object.
3038
3039 2013-12-06  Filip Pizlo  <fpizlo@apple.com>
3040
3041         FTL should support generic ByVal accesses
3042         https://bugs.webkit.org/show_bug.cgi?id=125368
3043
3044         Reviewed by Mark Hahnenberg.
3045
3046         * dfg/DFGGraph.h:
3047         (JSC::DFG::Graph::isStrictModeFor):
3048         (JSC::DFG::Graph::ecmaModeFor):
3049         * ftl/FTLCapabilities.cpp:
3050         (JSC::FTL::canCompile):
3051         * ftl/FTLIntrinsicRepository.h:
3052         * ftl/FTLLowerDFGToLLVM.cpp:
3053         (JSC::FTL::LowerDFGToLLVM::compileNode):
3054         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
3055         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
3056
3057 2013-12-06  Filip Pizlo  <fpizlo@apple.com>
3058
3059         FTL should support hole/OOB array accesses
3060         https://bugs.webkit.org/show_bug.cgi?id=118077
3061
3062         Reviewed by Oliver Hunt and Mark Hahnenberg.
3063
3064         * ftl/FTLCapabilities.cpp:
3065         (JSC::FTL::canCompile):
3066         * ftl/FTLIntrinsicRepository.h:
3067         * ftl/FTLLowerDFGToLLVM.cpp:
3068         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
3069         (JSC::FTL::LowerDFGToLLVM::baseIndex):
3070
3071 2013-12-06  Michael Saboff  <msaboff@apple.com>
3072
3073         Split sizing of VarArgs frames from loading arguments for the frame
3074         https://bugs.webkit.org/show_bug.cgi?id=125331
3075
3076         Reviewed by Filip Pizlo.
3077
3078         Split loadVarargs into sizeAndAllocFrameForVarargs() and loadVarargs() in
3079         preparation for moving onto the C stack.  sizeAndAllocFrameForVarargs() will
3080         compute the size of the callee frame and allocate it, while loadVarargs()
3081         actually loads the argument values.
3082
3083         As part of moving onto the C stack, sizeAndAllocFrameForVarargs() will be
3084         changed to a function that just computes the size.  The caller will use that
3085         size to allocate the new frame on the stack before calling loadVarargs() and
3086         actually making the call.
3087
3088         * interpreter/Interpreter.cpp:
3089         (JSC::sizeAndAllocFrameForVarargs):
3090         (JSC::loadVarargs):
3091         * interpreter/Interpreter.h:
3092         * jit/JIT.h:
3093         * jit/JITCall.cpp:
3094         (JSC::JIT::compileLoadVarargs):
3095         * jit/JITCall32_64.cpp:
3096         (JSC::JIT::compileLoadVarargs):
3097         * jit/JITInlines.h:
3098         (JSC::JIT::callOperation):
3099         * jit/JITOperations.cpp:
3100         * jit/JITOperations.h:
3101         * llint/LLIntSlowPaths.cpp:
3102         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3103         * llint/LLIntSlowPaths.h:
3104         * llint/LowLevelInterpreter.asm:
3105         * llint/LowLevelInterpreter32_64.asm:
3106         * llint/LowLevelInterpreter64.asm:
3107         * runtime/VM.h:
3108
3109 2013-12-06  Filip Pizlo  <fpizlo@apple.com>
3110
3111         FTL should support all of ValueToInt32
3112         https://bugs.webkit.org/show_bug.cgi?id=125283
3113
3114         Reviewed by Mark Hahnenberg.
3115
3116         * ftl/FTLCapabilities.cpp:
3117         (JSC::FTL::canCompile):
3118         * ftl/FTLLowerDFGToLLVM.cpp:
3119         (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
3120         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
3121         (JSC::FTL::LowerDFGToLLVM::lowCell):
3122         (JSC::FTL::LowerDFGToLLVM::isCell):
3123
3124 2013-12-06  Filip Pizlo  <fpizlo@apple.com>
3125
3126         FTL shouldn't have a doubleToUInt32 path
3127         https://bugs.webkit.org/show_bug.cgi?id=125360
3128
3129         Reviewed by Mark Hahnenberg.
3130         
3131         This code existed because I incorrectly thought it was necessary. It's now basically
3132         dead.
3133
3134         * ftl/FTLLowerDFGToLLVM.cpp:
3135         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
3136
3137 2013-12-06  Laszlo Vidacs  <lac@inf.u-szeged.hu>
3138
3139         Define SHA1 hash size in SHA1.h and use it at various places.
3140         https://bugs.webkit.org/show_bug.cgi?id=125345
3141
3142         Reviewed by Darin Adler.
3143
3144         Use SHA1::hashSize instead of local variables.
3145
3146         * bytecode/CodeBlockHash.cpp:
3147         (JSC::CodeBlockHash::CodeBlockHash): use SHA1::hashSize
3148
3149 2013-12-05  Michael Saboff  <msaboff@apple.com>
3150
3151         REGRESSION(r160213): Crash in js/dom/JSON-parse.html
3152         https://bugs.webkit.org/show_bug.cgi?id=125335
3153
3154         Reviewed by Mark Lam.
3155
3156         Changed _llint_op_catch to materialize the VM via the scope chain instead of 
3157         the CodeBlock.  CallFrames always have a scope chain, but may have a null CodeBlock.
3158
3159         * llint/LowLevelInterpreter32_64.asm:
3160         (_llint_op_catch):
3161         * llint/LowLevelInterpreter64.asm:
3162         (_llint_op_catch):
3163
3164 2013-12-05  Michael Saboff  <msaboff@apple.com>
3165
3166         JSC: Simplify interface between throw and catch handler
3167         https://bugs.webkit.org/show_bug.cgi?id=125328
3168
3169         Reviewed by Geoffrey Garen.
3170
3171         Simplified the throw - catch interface.  The throw side is only responsible for
3172         jumping to the appropriate op_catch handler or returnFromJavaScript for uncaught
3173         exceptions.  The handler uses the exception values like VM.callFrameForThrow
3174         as appropriate and no longer relies on the throw side putting anything in
3175         registers.
3176
3177         * jit/CCallHelpers.h:
3178         (JSC::CCallHelpers::jumpToExceptionHandler):
3179         * jit/JITOpcodes.cpp:
3180         (JSC::JIT::emit_op_catch):
3181         * jit/JITOpcodes32_64.cpp:
3182         (JSC::JIT::emit_op_catch):
3183         * llint/LowLevelInterpreter32_64.asm:
3184         (_llint_op_catch):
3185         (_llint_throw_from_slow_path_trampoline):
3186         * llint/LowLevelInterpreter64.asm:
3187         (_llint_op_catch):
3188         (_llint_throw_from_slow_path_trampoline):
3189
3190 2013-12-04  Oliver Hunt  <oliver@apple.com>
3191
3192         Refactor static getter function prototype to include thisValue in addition to the base object
3193         https://bugs.webkit.org/show_bug.cgi?id=124461
3194
3195         Reviewed by Geoffrey Garen.
3196
3197         Add thisValue parameter to static getter prototype, and switch
3198         from JSValue to EncodedJSValue for parameters and return value.
3199
3200         Currently none of the static getters use the thisValue, but
3201         separating out the refactoring will prevent future changes
3202         from getting lost in the noise of refactoring.  This means
3203         that this patch does not result in any change in behaviour.
3204
3205         * API/JSCallbackObject.h:
3206         * API/JSCallbackObjectFunctions.h:
3207         (JSC::::asCallbackObject):
3208         (JSC::::staticFunctionGetter):
3209         (JSC::::callbackGetter):
3210         * jit/JITOperations.cpp:
3211         * runtime/JSActivation.cpp:
3212         (JSC::JSActivation::argumentsGetter):
3213         * runtime/JSActivation.h:
3214         * runtime/JSFunction.cpp:
3215         (JSC::JSFunction::argumentsGetter):
3216         (JSC::JSFunction::callerGetter):
3217         (JSC::JSFunction::lengthGetter):
3218         (JSC::JSFunction::nameGetter):
3219         * runtime/JSFunction.h:
3220         * runtime/JSObject.h:
3221         (JSC::PropertySlot::getValue):
3222         * runtime/NumberConstructor.cpp:
3223         (JSC::numberConstructorNaNValue):
3224         (JSC::numberConstructorNegInfinity):
3225         (JSC::numberConstructorPosInfinity):
3226         (JSC::numberConstructorMaxValue):
3227         (JSC::numberConstructorMinValue):
3228         * runtime/PropertySlot.h:
3229         * runtime/RegExpConstructor.cpp:
3230         (JSC::asRegExpConstructor):
3231         (JSC::regExpConstructorDollar1):
3232         (JSC::regExpConstructorDollar2):
3233         (JSC::regExpConstructorDollar3):
3234         (JSC::regExpConstructorDollar4):
3235         (JSC::regExpConstructorDollar5):
3236         (JSC::regExpConstructorDollar6):
3237         (JSC::regExpConstructorDollar7):
3238         (JSC::regExpConstructorDollar8):
3239         (JSC::regExpConstructorDollar9):
3240         (JSC::regExpConstructorInput):
3241         (JSC::regExpConstructorMultiline):
3242         (JSC::regExpConstructorLastMatch):
3243         (JSC::regExpConstructorLastParen):
3244         (JSC::regExpConstructorLeftContext):
3245         (JSC::regExpConstructorRightContext):
3246         * runtime/RegExpObject.cpp:
3247         (JSC::asRegExpObject):
3248         (JSC::regExpObjectGlobal):
3249         (JSC::regExpObjectIgnoreCase):
3250         (JSC::regExpObjectMultiline):
3251         (JSC::regExpObjectSource):
3252
3253 2013-12-04  Filip Pizlo  <fpizlo@apple.com>
3254
3255         FTL should use cvttsd2si directly for double-to-int32 conversions
3256         https://bugs.webkit.org/show_bug.cgi?id=125275
3257
3258         Reviewed by Michael Saboff.
3259         
3260         Wow. This was an ordeal. Using cvttsd2si was actually easy, but I learned, and
3261         sometimes even fixed, some interesting things:
3262         
3263         - The llvm.x86.sse2.cvttsd2si intrinsic can actually result in LLVM emitting a
3264           vcvttsd2si. I guess the intrinsic doesn't actually imply the instruction.
3265         
3266         - That whole thing about branchTruncateDoubleToUint32? Yeah we don't need that. It's
3267           better to use branchTruncateDoubleToInt32 instead. It has the right semantics for
3268           all of its callers (err, its one-and-only caller), and it's more likely to take
3269           fast path. This patch kills branchTruncateDoubleToUint32.
3270         
3271         - "a[i] = v; v = a[i]". Does this change v? OK, assume that 'a[i]' is a pure-ish
3272           operation - like an array access with 'i' being an integer index and we're not
3273           having a bad time. Now does this change v? CSE assumes that it doesn't. That's
3274           wrong. If 'a' is a typed array - the most sensible and pure kind of array - then
3275           this can be a truncating cast. For example 'v' could be a double and 'a' could be
3276           an integer array.
3277         
3278         - "v1 = a[i]; v2 = a[i]". Is v1 === v2 assuming that 'a[i]' is pure-ish? The answer
3279           is no. You could have a different arrayMode in each access. I know this sounds
3280           weird, but with concurrent JIT that might happen.
3281         
3282         This patch adds tests for all of this stuff, except for the first issue (it's weird
3283         but probably doesn't matter) and the last issue (it's too much of a freakshow).
3284
3285         * assembler/MacroAssemblerARM64.h:
3286         * assembler/MacroAssemblerARMv7.h:
3287         * assembler/MacroAssemblerX86Common.h:
3288         * dfg/DFGCSEPhase.cpp:
3289         (JSC::DFG::CSEPhase::getByValLoadElimination):
3290         (JSC::DFG::CSEPhase::performNodeCSE):
3291         * dfg/DFGSpeculativeJIT.cpp:
3292         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
3293         * ftl/FTLAbbreviations.h:
3294         (JSC::FTL::vectorType):
3295         (JSC::FTL::getUndef):
3296         (JSC::FTL::buildInsertElement):
3297         * ftl/FTLIntrinsicRepository.h:
3298         * ftl/FTLLowerDFGToLLVM.cpp:
3299         (JSC::FTL::LowerDFGToLLVM::doubleToInt32):
3300         (JSC::FTL::LowerDFGToLLVM::doubleToUInt32):
3301         (JSC::FTL::LowerDFGToLLVM::sensibleDoubleToInt32):
3302         * ftl/FTLOutput.h:
3303         (JSC::FTL::Output::insertElement):
3304         (JSC::FTL::Output::hasSensibleDoubleToInt):
3305         (JSC::FTL::Output::sensibleDoubleToInt):
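
        The "a[i] = v; v = a[i]" point in the entry above is easy to check from plain
        JavaScript. The following is an added example written for this page; it is not
        part of the WebKit ChangeLog or the JavaScriptCore sources. It shows, for
        several typed-array element types, that storing a value and immediately
        reloading it is a converting cast (ToInt32, ToUint8, ToUint8Clamp, ToFloat32),
        so a CSE pass that forwards the stored value to the reload would produce the
        wrong result; a plain Array is the one case where the round trip is an identity.
        The case table is constructed input; storeThenLoad, roundTripPreserves,
        runCases and plainArrayIsIdentity are helper names chosen here.

```javascript
// Added example (not part of the WebKit ChangeLog or the JSC sources):
// demonstrates why "a[i] = v; v = a[i]" is not a no-op when 'a' is a typed
// array, which is the CSE assumption the entry above describes as wrong.

// Stores v into a[0] and immediately loads it back. A compiler that treats
// the reload as equal to the stored value would return v unchanged; the
// typed array's element type makes the store a truncating/converting cast.
function storeThenLoad(a, v) {
  a[0] = v;
  v = a[0];
  return v;
}

// Returns true if the round trip through 'a' preserved v exactly
// (Object.is so that NaN compares equal to itself and -0 differs from 0).
function roundTripPreserves(a, v) {
  return Object.is(storeThenLoad(a, v), v);
}

// Constructed inputs: each row pairs a typed-array kind with a value whose
// round trip changes it. The 'expect' column is what ECMAScript's
// ToInt32 / ToUint8 / ToUint8Clamp / ToFloat32 conversions give.
const cases = [
  { name: 'Int32Array',        arr: new Int32Array(1),        v: 1.5,         expect: 1 },
  { name: 'Int32Array',        arr: new Int32Array(1),        v: 2 ** 31,     expect: -(2 ** 31) },
  { name: 'Int32Array',        arr: new Int32Array(1),        v: NaN,         expect: 0 },
  { name: 'Uint8Array',        arr: new Uint8Array(1),        v: 2 ** 32 + 5, expect: 5 },
  { name: 'Uint8Array',        arr: new Uint8Array(1),        v: -1,          expect: 255 },
  { name: 'Uint8ClampedArray', arr: new Uint8ClampedArray(1), v: 300,         expect: 255 },
  { name: 'Float32Array',      arr: new Float32Array(1),      v: 0.1,         expect: Math.fround(0.1) },
];

// Evaluates every case. Returns the names of the cases where the reload
// differed from the stored value (all of them, for the rows above) and any
// case whose reloaded value does not match the expected conversion result.
function runCases() {
  const changed = [];
  const wrong = [];
  for (const c of cases) {
    const got = storeThenLoad(c.arr, c.v);
    if (!Object.is(got, c.v)) changed.push(c.name);
    if (!Object.is(got, c.expect)) wrong.push({ name: c.name, got, expect: c.expect });
  }
  return { changed, wrong };
}

// A plain Array performs no conversion, so there the round trip really is
// an identity and forwarding the stored value would be sound.
function plainArrayIsIdentity() {
  return roundTripPreserves([], 1.5) && roundTripPreserves([], NaN);
}
```

        Running runCases() lists every typed-array row under 'changed' and none under
        'wrong'; the same store/reload pair on a plain Array reports the value unchanged.
        That difference is exactly why the DFG has to consult the access's array mode
        before eliminating the reload.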
3306
3307 2013-12-05  Commit Queue  <commit-queue@webkit.org>
3308
3309         Unreviewed, rolling out r160133.
3310         http://trac.webkit.org/changeset/160133
3311         https://bugs.webkit.org/show_bug.cgi?id=125325
3312
3313         broke bindings tests on all the bots (Requested by thorton on
3314         #webkit).
3315
3316         * API/JSCallbackObject.h:
3317         * API/JSCallbackObjectFunctions.h:
3318         (JSC::::staticFunctionGetter):
3319         (JSC::::callbackGetter):
3320         * jit/JITOperations.cpp:
3321         * runtime/JSActivation.cpp:
3322         (JSC::JSActivation::argumentsGetter):
3323         * runtime/JSActivation.h:
3324         * runtime/JSFunction.cpp:
3325         (JSC::JSFunction::argumentsGetter):
3326         (JSC::JSFunction::callerGetter):
3327         (JSC::JSFunction::lengthGetter):
3328         (JSC::JSFunction::nameGetter):
3329         * runtime/JSFunction.h:
3330         * runtime/JSObject.h:
3331         (JSC::PropertySlot::getValue):
3332         * runtime/NumberConstructor.cpp:
3333         (JSC::numberConstructorNaNValue):
3334         (JSC::numberConstructorNegInfinity):
3335         (JSC::numberConstructorPosInfinity):
3336         (JSC::numberConstructorMaxValue):
3337         (JSC::numberConstructorMinValue):
3338         * runtime/PropertySlot.h:
3339         * runtime/RegExpConstructor.cpp:
3340         (JSC::regExpConstructorDollar1):
3341         (JSC::regExpConstructorDollar2):
3342         (JSC::regExpConstructorDollar3):
3343         (JSC::regExpConstructorDollar4):
3344         (JSC::regExpConstructorDollar5):
3345         (JSC::regExpConstructorDollar6):
3346         (JSC::regExpConstructorDollar7):
3347         (JSC::regExpConstructorDollar8):
3348         (JSC::regExpConstructorDollar9):
3349         (JSC::regExpConstructorInput):
3350         (JSC::regExpConstructorMultiline):
3351         (JSC::regExpConstructorLastMatch):
3352         (JSC::regExpConstructorLastParen):
3353         (JSC::regExpConstructorLeftContext):
3354         (JSC::regExpConstructorRightContext):
3355         * runtime/RegExpObject.cpp:
3356         (JSC::regExpObjectGlobal):
3357         (JSC::regExpObjectIgnoreCase):
3358         (JSC::regExpObjectMultiline):
3359         (JSC::regExpObjectSource):
3360
3361 2013-12-05  Mark Lam  <mark.lam@apple.com>
3362
3363         Make the C Loop LLINT work with callToJavaScript.
3364         https://bugs.webkit.org/show_bug.cgi?id=125294
3365
3366         Reviewed by Michael Saboff.
3367
3368         1. Changed the C Loop LLINT to dispatch to an Executable via its JITCode
3369            instance which is consistent with how the ASM LLINT works.
3370         2. Changed CLoop::execute() to take an Opcode instead of an OpcodeID.
3371            This makes it play nice with the use of JITCode for dispatching.
3372         3. Introduce a callToJavaScript and callToNativeFunction for the C Loop
3373            LLINT. These will call JSStack::pushFrame() and popFrame() to setup
3374            and teardown the CallFrame.
3375         4. Also introduced a C Loop returnFromJavaScript which is just a
3376            replacement for ctiOpThrowNotCaught which had the same function.
3377         5. Remove a lot of #if ENABLE(LLINT_C_LOOP) code now that the dispatch
3378            mechanism is consistent.
3379
3380         This patch has been tested with both configurations of COMPUTED_GOTOs
3381         on and off.
3382
3383         * interpreter/CachedCall.h:
3384         (JSC::CachedCall::CachedCall):
3385         (JSC::CachedCall::call):
3386         (JSC::CachedCall::setArgument):
3387         * interpreter/CallFrameClosure.h:
3388         (JSC::CallFrameClosure::setThis):
3389         (JSC::CallFrameClosure::setArgument):
3390         (JSC::CallFrameClosure::resetCallFrame):
3391         * interpreter/Interpreter.cpp:
3392         (JSC::Interpreter::execute):
3393         (JSC::Interpreter::executeCall):
3394         (JSC::Interpreter::executeConstruct):
3395         (JSC::Interpreter::prepareForRepeatCall):
3396         * interpreter/Interpreter.h:
3397         * interpreter/JSStack.h:
3398         * interpreter/JSStackInlines.h:
3399         (JSC::JSStack::pushFrame):
3400         * interpreter/ProtoCallFrame.h:
3401         (JSC::ProtoCallFrame::scope):
3402         (JSC::ProtoCallFrame::callee):
3403         (JSC::ProtoCallFrame::thisValue):
3404         (JSC::ProtoCallFrame::argument):
3405         (JSC::ProtoCallFrame::setArgument):
3406         * jit/JITCode.cpp:
3407         (JSC::JITCode::execute):
3408         * jit/JITCode.h:
3409         * jit/JITExceptions.cpp:
3410         (JSC::genericUnwind):
3411         * llint/LLIntCLoop.cpp:
3412         (JSC::LLInt::CLoop::initialize):
3413         * llint/LLIntCLoop.h:
3414         * llint/LLIntEntrypoint.cpp:
3415         (JSC::LLInt::setFunctionEntrypoint):
3416         (JSC::LLInt::setEvalEntrypoint):
3417         (JSC::LLInt::setProgramEntrypoint):
3418         - Inverted the check for vm.canUseJIT(). This allows the JIT case to be
3419           #if'd out nicely when building the C Loop LLINT.
3420         * llint/LLIntOpcode.h:
3421         * llint/LLIntThunks.cpp:
3422         (JSC::doCallToJavaScript):
3423         (JSC::executeJS):
3424         (JSC::callToJavaScript):
3425         (JSC::executeNative):
3426         (JSC::callToNativeFunction):
3427         * llint/LLIntThunks.h:
3428         * llint/LowLevelInterpreter.cpp:
3429         (JSC::CLoop::execute):
3430         * runtime/Executable.h:
3431         (JSC::ExecutableBase::offsetOfNumParametersFor):
3432         (JSC::ExecutableBase::hostCodeEntryFor):
3433         (JSC::ExecutableBase::jsCodeEntryFor):
3434         (JSC::ExecutableBase::jsCodeWithArityCheckEntryFor):
3435         (JSC::NativeExecutable::create):
3436         (JSC::NativeExecutable::finishCreation):
3437         (JSC::ProgramExecutable::generatedJITCode):
3438         * runtime/JSArray.cpp:
3439         (JSC::AVLTreeAbstractorForArrayCompare::compare_key_key):
3440         * runtime/StringPrototype.cpp:
3441         (JSC::replaceUsingRegExpSearch):
3442         * runtime/VM.cpp:
3443         (JSC::VM::getHostFunction):
3444
3445 2013-12-05  Laszlo Vidacs  <lac@inf.u-szeged.hu>
3446
3447         Fix JavaScriptCore build if cloop is enabled after r160094
3448         https://bugs.webkit.org/show_bug.cgi?id=125292
3449
3450         Reviewed by Michael Saboff.
3451
3452         Move ProtoCallFrame outside the JIT guard.
3453
3454         * jit/JITCode.h:
3455
3456 2013-12-04  Filip Pizlo  <fpizlo@apple.com>
3457
3458         Fold constant typed arrays
3459         https://bugs.webkit.org/show_bug.cgi?id=125205
3460
3461         Reviewed by Oliver Hunt and Mark Hahnenberg.
3462         
3463         If by some other mechanism we have a typed array access on a compile-time constant
3464         typed array pointer, then fold: