X-Git-Url: https://git.saurik.com/apple/javascriptcore.git/blobdiff_plain/93a3786624b2768d89bfa27e46598dc64e2fb70a..ef99ff287df9046eb88937225e0554eabb00e33c:/ChangeLog diff --git a/ChangeLog b/ChangeLog index 799f50a..bbda15d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3565 +1,16168 @@ -2013-07-18 Andreas Kling +2014-12-10 Babak Shafiei - CodeBlock DFG entry list isn't getting shrunk-to-fit after linking. - - + Merge r176803. - Reviewed by Geoffrey Garen. + 2014-12-04 Oliver Hunt - Move the CodeBlock::shrinkToFit() call out of JITCompiler::link() and to the call sites - so SpeculativeJIT::linkOSREntries() can fill in CodeBlock::m_dfgData->osrEntry first. + Serialization of MapData object provides unsafe access to internal types + https://bugs.webkit.org/show_bug.cgi?id=138653 - 886 kB progression on + Reviewed by Geoffrey Garen. - * dfg/DFGJITCompiler.cpp: - (JSC::DFG::JITCompiler::link): - (JSC::DFG::JITCompiler::compile): - (JSC::DFG::JITCompiler::compileFunction): + Converting these ASSERTs into RELEASE_ASSERTs, as it is now obvious + that despite trying hard to be safe in all cases it's simply to easy + to use an iterator in an unsafe state. -2013-07-18 Andreas Kling + * runtime/MapData.h: + (JSC::MapData::const_iterator::key): + (JSC::MapData::const_iterator::value): - CodeBlock::m_argumentValueProfiles wastes a lot of memory. - - +2014-09-15 Babak Shafiei - Reviewed by Anders Carlsson. + Disable Web Timing on this branch. - Use Vector::resizeToFit() for CodeBlock::m_argumentValueProfiles. We don't need any padding - for growth, since we won't be appending to it anyway. + Reviewed originally by Sam Weinig. - 921 KB progression on + Disable: + - WEB_TIMING - * bytecode/CodeBlock.cpp: - (JSC::CodeBlock::setNumParameters): + * Configurations/FeatureDefines.xcconfig: -2013-07-16 Mark Hahnenberg +2014-08-03 Babak Shafiei - Remove reference to JSValueStructSupport.h from JSExport.h - https://bugs.webkit.org/show_bug.cgi?id=118746 + Merge patch for . + + 2014-07-30 Filip Pizlo - Reviewed by Filip Pizlo. + NewFunctionExpression and NewFunctionNoCheck should setHaveStructures(true) + https://bugs.webkit.org/show_bug.cgi?id=135430 - * API/JSExport.h: No such header exists, so it doesn't make sense to reference it. + Reviewed by Mark Hahnenberg. -2013-07-17 Lucas Forschler + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * tests/stress/new-function-expression-has-structures.js: Added. + (foo.f): + (foo.f.prototype.f): + (foo): - Rollout r152600 +2014-08-03 Babak Shafiei -2013-07-17 Lucas Forschler + Merge r171949. - Merge r152600 + 2014-08-01 Csaba Osztrogonác - 2013-07-12 Brent Fulgham + URTBF after r171946 to fix non-Apple builds. - [Windows] Build correction after r152573/r152577. - https://bugs.webkit.org/show_bug.cgi?id=118610 + * bytecode/InlineCallFrameSet.cpp: - Reviewed by Oliver Hunt. +2014-08-03 Babak Shafiei - * jit/JITThunks.cpp: - (JSC::JITThunks::hostFunctionStub): Hand-feed MSVC++ the fact that we want the second - argument of the make_pair to be a function pointer. + Merge r171946. -2013-07-17 Lucas Forschler + 2014-08-01 Mark Hahnenberg - Merge r152742 + CodeBlock fails to visit the Executables of its InlineCallFrames + https://bugs.webkit.org/show_bug.cgi?id=135471 - 2013-07-16 Filip Pizlo + Reviewed by Geoffrey Garen. - MakeRope fixup shouldn't lead to an Identity without kids - https://bugs.webkit.org/show_bug.cgi?id=118745 + CodeBlock needs to visit its InlineCallFrames' owner Executables. If it doesn't, they + can be prematurely collected and cause crashes. - Reviewed by Mark Hahnenberg. + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::stronglyVisitStrongReferences): + * bytecode/CodeOrigin.h: + (JSC::InlineCallFrame::visitAggregate): + * bytecode/InlineCallFrameSet.cpp: + (JSC::InlineCallFrameSet::visitAggregate): + * bytecode/InlineCallFrameSet.h: + +2014-07-29 Matthew Hanson + + Merge r171689. + + 2014-07-28 Filip Pizlo + + Make sure that we don't use non-speculative BooleanToNumber for a speculative Branch + https://bugs.webkit.org/show_bug.cgi?id=135350 + + + Reviewed by Mark Hahnenberg and Oliver Hunt. + + If we have an exiting node that uses a conversion node, then that exiting node + needs to have a Phantom after it for the the original node. But we can't do that + for Branch because https://bugs.webkit.org/show_bug.cgi?id=126778. + + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + (JSC::DFG::FixupPhase::clearPhantomsAtEnd): + * tests/stress/branch-check-int32-on-boolean-to-number-untyped.js: Added. + (foo): + (test): + * tests/stress/branch-check-number-on-boolean-to-number-untyped.js: Added. + (foo): + (test): + +2014-07-29 Matthew Hanson - Make the empty string pruning part of fixupMakeRope() stop if it's on the last child. + Merge r171688. - Make Node::convertToIdentity release-assert that it has exactly one kid. + 2014-07-28 Joseph Pecoraro + + JSContext Inspector: crash when using step-into + https://bugs.webkit.org/show_bug.cgi?id=135345 + + Reviewed by Timothy Hatcher. + + * inspector/agents/InspectorDebuggerAgent.cpp: + (Inspector::InspectorDebuggerAgent::stepInto): + Null check m_listener since it may not be set. + +2014-07-25 Lucas Forschler - * dfg/DFGFixupPhase.cpp: - (JSC::DFG::FixupPhase::fixupMakeRope): - * dfg/DFGNode.h: - (JSC::DFG::Node::convertToIdentity): + Merge r171578 -2013-07-15 Lucas Forschler + 2014-07-24 Brent Fulgham - Merge r152613 + [Win] Correct build order in JavaScriptCore.submit.sln + https://bugs.webkit.org/show_bug.cgi?id=135282 + - 2013-07-13 Commit Queue + Unreviewed build fix. - Unreviewed, rolling out r151978. - http://trac.webkit.org/changeset/151978 - https://bugs.webkit.org/show_bug.cgi?id=118651 + * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: Correct build order + such that LLIntDesiredOffset is built prior to the rest of JSC. - Caused regressions at least 3 websites (Requested by rniwa on - #webkit). +2014-07-24 Lucas Forschler - * runtime/JSCJSValue.h: - * runtime/JSString.h: + Merge r171564 -2013-07-15 Lucas Forschler + 2014-07-24 Mark Lam - Merge r152577 + JSWrapperMap's jsWrapperForObject() needs to keep weak prototype and constructors from being GCed. + - 2013-07-11 Oliver Hunt + Reviewed by Mark Hahnenberg. - Attempt to fix the windows build. + Where needed, we cache the prototype object pointer in a stack local var. + This allows it to be scanned by the GC, and hence be kept alive until + we use it. The constructor object will in turn be kept alive by the + prototype object. - * jit/JITThunks.cpp: - (JSC::JITThunks::hostFunctionStub): - * jit/JITThunks.h: + Also added some comments to warn against future code additions that could + regress this issue. -2013-07-15 Lucas Forschler + * API/JSWrapperMap.mm: + (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]): + (-[JSObjCClassInfo reallocateConstructorAndOrPrototype]): + (-[JSObjCClassInfo wrapperForObject:]): + (-[JSObjCClassInfo constructor]): - Merge r152573 +2014-07-24 Lucas Forschler - 2013-07-10 Oliver Hunt + Merge r171558 - NativeExecutable cache needs to use both call and construct functions for key - https://bugs.webkit.org/show_bug.cgi?id=118545 + 2014-07-24 Joseph Pecoraro - Reviewed by Geoffrey Garen. + JSLock release should only modify the AtomicStringTable if it modified in acquire + https://bugs.webkit.org/show_bug.cgi?id=135143 - Make the native executable cache make use a key pair so we don't decide to - treat all subsequent functions as not being constructors. - - * jit/JITThunks.cpp: - (JSC::JITThunks::hostFunctionStub): - * jit/JITThunks.h: - * runtime/JSBoundFunction.cpp: - (JSC::JSBoundFunction::create): - * runtime/JSCell.cpp: - (JSC::JSCell::getCallData): - (JSC::JSCell::getConstructData): - -2013-07-09 Lucas Forschler - - Merge r152497 - - 2013-07-09 Mark Lam - - Gardening to unbreak builds on the Windows bot. - - Not reviewed. - - * parser/ParserTokens.h: - -2013-07-09 Lucas Forschler - - Merge r152494 - - 2013-07-09 Mark Lam - - Fix 30% JSBench regression (caused by adding column numbers to stack traces). - https://bugs.webkit.org/show_bug.cgi?id=118481. - - Reviewed by Mark Hahnenberg and Geoffrey Garen. - - Previously, we already capture ExpressionRangeInfo that provides a divot for - each bytecode that can potentially throw an exception (and therefore generate - a stack trace). On first attempt to compute column numbers, we then do a walk - of the source string to record all line start positions in a table associated - with the SourceProvider. The column number can then be computed as - divot - lineStartFor(bytecodeOffset). - - The computation of this lineStarts table is the source of the 30% JSBench - performance regression. - - The new code now records lineStarts as the lexer and parser scans the source - code. These lineStarts are then used to compute the column number for the - given divot, and stored in the ExpressionRangeInfo. Similarly, we also capture - the line number at the divot point and store that in the ExpressionRangeInfo. - Hence, to look up line and column numbers, we now lookup the ExpressionRangeInfo - for the bytecodeOffset, and then compute the line and column from the values - stored in the expression info. - - The strategy: - 1. We want to minimize perturbations to the lexer and parser. Specifically, - the changes added should not change how it scans code, and generate bytecode. - 2. We regard the divot as the source character position we are interested - in. As such, we'll capture line and lineStart (for column) at the point - when we capture the divot information. This ensures that the 3 values are - consistent. - - How the change is done: - 1. Change the lexer to track lineStarts. - 2. Change the parser to capture line and lineStarts at the point of capturing - divots. - 3. Change the parser and associated code to plumb these values all the way to - the point that the correspoinding ExpressionRangeInfo is emitted. - 4. Propagate and record SourceCode firstLine and firstLineColumnOffset to the - the necessary places so that we can add them as needed when reifying - UnlinkedCodeBlocks into CodeBlocks. - 5. Compress the line and column number values in the ExpressionRangeInfo. In - practice, we seldom have both large line and column numbers. Hence, we can - encode both in an uint32_t most of the time. For the times when we encounter - both large line and column numbers, we have a fallback to store the "fat" - position info. - 6. Emit an ExpressionRangeInfo for UnaryOp nodes to get more line and column - number coverage. - 7. Change the interpreter to use the new way of computing line and column. - 8. Delete old line and column computation code that is now unused. - - Misc details: - - the old lexer was tracking both a startOffset and charPosition where - charPosition equals startOffset - SourceCode.startOffset. We now use - startOffset exclusively throughout the system for consistency. - All offset values (including lineStart) are relative to the start of the - SourceProvider string. These values will only be converted to be relative - to the SourceCode.startOffset at the very last minute i.e. when the divot - is stored into the ExpressionRangeInfo. - - This change to use the same offset system everywhere reduces confusion - from having to convert back and forth between the 2 systems. It also - enables a lot of assertions to be used. - - - Also fixed some bugs in the choice of divot positions to use. For example, - both Eval and Function expressions previously used column numbers from - the start of the expression but used the line number at the end of the - expression. This is now fixed to use either the start or end positions - as appropriate, but not a mix of line and columns from both. - - - Why use ints instead of unsigneds for offsets and lineStarts inside the - lexer and parser? - Some tests (e.g. fast/js/call-base-resolution.html and - fast/js/eval-cross-window.html) has shown that lineStart offsets can be - prior to the SourceCode.startOffset. Keeping the lexer offsets as ints - simplifies computations and makes it easier to maintain the assertions - that (startOffset >= lineStartOffset). - - However, column and line numbers are always unsigned when we publish - them to the ExpressionRangeInfo. The ints are only used inside the - lexer and parser ... well, and bytecode generator. - - - For all cases, lineStart is always captured where the divot is captured. - However, some sputnik conformance tests have shown that we cannot honor - line breaks for assignment statements like the following: - - eval("x\u000A*=\u000A-1;"); - - In this case, the lineStart is expected to be captured at the start of - the assignment expression instead of at the divot point in the middle. - The assignment expression is the only special case for this. - - This patch has been tested against the full layout tests both with release - and debug builds with no regression. - - * API/JSContextRef.cpp: - (JSContextCreateBacktrace): - - Updated to use the new StackFrame::computeLineAndColumn(). - * bytecode/CodeBlock.cpp: - (JSC::CodeBlock::CodeBlock): - - Added m_firstLineColumnOffset initialization. - - Plumbed the firstLineColumnOffset into the SourceCode. - - Initialized column for op_debug using the new way. - (JSC::CodeBlock::lineNumberForBytecodeOffset): - - Changed to compute line number using the ExpressionRangeInfo. - (JSC::CodeBlock::columnNumberForBytecodeOffset): Added - - Changed to compute column number using the ExpressionRangeInfo. - (JSC::CodeBlock::expressionRangeForBytecodeOffset): - * bytecode/CodeBlock.h: - (JSC::CodeBlock::firstLineColumnOffset): - (JSC::GlobalCodeBlock::GlobalCodeBlock): - - Plumbed firstLineColumnOffset through to the super class. - (JSC::ProgramCodeBlock::ProgramCodeBlock): - - Plumbed firstLineColumnOffset through to the super class. - (JSC::EvalCodeBlock::EvalCodeBlock): - - Plumbed firstLineColumnOffset through to the super class. - But for EvalCodeBlocks, the firstLineColumnOffset is always 1 - because we're starting with a new source string with no start - offset. - (JSC::FunctionCodeBlock::FunctionCodeBlock): - - Plumbed firstLineColumnOffset through to the super class. - - * bytecode/ExpressionRangeInfo.h: - - Added modes for encoding line and column into a single 30-bit - unsigned. The encoding is in 1 of 3 modes: - 1. FatLineMode: 22-bit line, 8-bit column - 2. FatColumnMode: 8-bit line, 22-bit column - 3. FatLineAndColumnMode: 32-bit line, 32-bit column - (JSC::ExpressionRangeInfo::encodeFatLineMode): Added. - - Encodes line and column into the 30-bit position using FatLine mode. - (JSC::ExpressionRangeInfo::encodeFatColumnMode): Added. - - Encodes line and column into the 30-bit position using FatColumn mode. - (JSC::ExpressionRangeInfo::decodeFatLineMode): Added. - - Decodes the FatLine mode 30-bit position into line and column. - (JSC::ExpressionRangeInfo::decodeFatColumnMode): Added. - - Decodes the FatColumn mode 30-bit position into line and column. - - * bytecode/UnlinkedCodeBlock.cpp: - (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable): - - Plumbed startColumn through. - (JSC::UnlinkedFunctionExecutable::link): - - Plumbed startColumn through. - (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset): - - Computes a line number using the new way. - (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset): - - Added decoding of line and column. - - Added handling of the case when we do not find a fitting expression - range info for a specified bytecodeOffset. This only happens if the - bytecodeOffset is below the first expression range info. In that - case, we'll use the first expression range info entry. - (JSC::UnlinkedCodeBlock::addExpressionInfo): - - Added encoding of line and column. - - * bytecode/UnlinkedCodeBlock.h: - - Added m_expressionInfoFatPositions in RareData. - (JSC::UnlinkedFunctionExecutable::functionStartColumn): - (JSC::UnlinkedCodeBlock::shrinkToFit): - - Removed obsoleted m_lineInfo. - * bytecompiler/BytecodeGenerator.cpp: - (JSC::BytecodeGenerator::emitCall): Plumbed line and lineStart through. - (JSC::BytecodeGenerator::emitCallEval): Plumbed line and lineStart through. - (JSC::BytecodeGenerator::emitCallVarargs): Plumbed line and lineStart through. - (JSC::BytecodeGenerator::emitConstruct): Plumbed line and lineStart through. - (JSC::BytecodeGenerator::emitDebugHook): Plumbed lineStart through. - * bytecompiler/BytecodeGenerator.h: - (JSC::BytecodeGenerator::emitNode): - (JSC::BytecodeGenerator::emitNodeInConditionContext): - - Removed obsoleted m_lineInfo. - (JSC::BytecodeGenerator::emitExpressionInfo): - - Plumbed line and lineStart through. - - Compute the line and column to be added to the expression range info. - * bytecompiler/NodesCodegen.cpp: - (JSC::ThrowableExpressionData::emitThrowReferenceError): - (JSC::ResolveNode::emitBytecode): - (JSC::ArrayNode::toArgumentList): - (JSC::BracketAccessorNode::emitBytecode): - (JSC::DotAccessorNode::emitBytecode): - (JSC::NewExprNode::emitBytecode): - (JSC::EvalFunctionCallNode::emitBytecode): - (JSC::FunctionCallValueNode::emitBytecode): - (JSC::FunctionCallResolveNode::emitBytecode): - (JSC::FunctionCallBracketNode::emitBytecode): - (JSC::FunctionCallDotNode::emitBytecode): - (JSC::CallFunctionCallDotNode::emitBytecode): - (JSC::ApplyFunctionCallDotNode::emitBytecode): - (JSC::PostfixNode::emitResolve): - (JSC::PostfixNode::emitBracket): - (JSC::PostfixNode::emitDot): - (JSC::DeleteResolveNode::emitBytecode): - (JSC::DeleteBracketNode::emitBytecode): - (JSC::DeleteDotNode::emitBytecode): - (JSC::PrefixNode::emitResolve): - (JSC::PrefixNode::emitBracket): - (JSC::PrefixNode::emitDot): - - Plumbed line and lineStart through the above as needed. - - (JSC::UnaryOpNode::emitBytecode): - - Added emission of an ExpressionRangeInfo for the UnaryOp node. - - (JSC::BinaryOpNode::emitStrcat): - (JSC::ThrowableBinaryOpNode::emitBytecode): - (JSC::InstanceOfNode::emitBytecode): - (JSC::emitReadModifyAssignment): - (JSC::ReadModifyResolveNode::emitBytecode): - (JSC::AssignResolveNode::emitBytecode): - (JSC::AssignDotNode::emitBytecode): - (JSC::ReadModifyDotNode::emitBytecode): - (JSC::AssignBracketNode::emitBytecode): - (JSC::ReadModifyBracketNode::emitBytecode): - - Plumbed line and lineStart through the above as needed. - - (JSC::ConstStatementNode::emitBytecode): - (JSC::EmptyStatementNode::emitBytecode): - (JSC::DebuggerStatementNode::emitBytecode): - (JSC::ExprStatementNode::emitBytecode): - (JSC::VarStatementNode::emitBytecode): - (JSC::IfElseNode::emitBytecode): - (JSC::DoWhileNode::emitBytecode): - (JSC::WhileNode::emitBytecode): - (JSC::ForNode::emitBytecode): - (JSC::ForInNode::emitBytecode): - (JSC::ContinueNode::emitBytecode): - (JSC::BreakNode::emitBytecode): - (JSC::ReturnNode::emitBytecode): - (JSC::WithNode::emitBytecode): - (JSC::SwitchNode::emitBytecode): - (JSC::LabelNode::emitBytecode): - (JSC::ThrowNode::emitBytecode): - (JSC::TryNode::emitBytecode): - (JSC::ProgramNode::emitBytecode): - (JSC::EvalNode::emitBytecode): - (JSC::FunctionBodyNode::emitBytecode): - - Plumbed line and lineStart through the above as needed. + Reviewed by Darin Adler. - * interpreter/Interpreter.cpp: - (JSC::appendSourceToError): - - Added line and column arguments for expressionRangeForBytecodeOffset(). - (JSC::StackFrame::computeLineAndColumn): - - Replaces StackFrame::line() and StackFrame::column(). - (JSC::StackFrame::expressionInfo): - - Added line and column arguments. - (JSC::StackFrame::toString): - - Changed to use the new StackFrame::computeLineAndColumn(). - (JSC::Interpreter::getStackTrace): - - Added the needed firstLineColumnOffset arg for the StackFrame. - - * interpreter/Interpreter.h: - * parser/ASTBuilder.h: - (JSC::ASTBuilder::BinaryOpInfo::BinaryOpInfo): - (JSC::ASTBuilder::AssignmentInfo::AssignmentInfo): - (JSC::ASTBuilder::createResolve): - (JSC::ASTBuilder::createBracketAccess): - (JSC::ASTBuilder::createDotAccess): - (JSC::ASTBuilder::createRegExp): - (JSC::ASTBuilder::createNewExpr): - (JSC::ASTBuilder::createAssignResolve): - (JSC::ASTBuilder::createFunctionExpr): - (JSC::ASTBuilder::createFunctionBody): - (JSC::ASTBuilder::createGetterOrSetterProperty): - (JSC::ASTBuilder::createFuncDeclStatement): - (JSC::ASTBuilder::createBlockStatement): - (JSC::ASTBuilder::createExprStatement): - (JSC::ASTBuilder::createIfStatement): - (JSC::ASTBuilder::createForLoop): - (JSC::ASTBuilder::createForInLoop): - (JSC::ASTBuilder::createVarStatement): - (JSC::ASTBuilder::createReturnStatement): - (JSC::ASTBuilder::createBreakStatement): - (JSC::ASTBuilder::createContinueStatement): - (JSC::ASTBuilder::createTryStatement): - (JSC::ASTBuilder::createSwitchStatement): - (JSC::ASTBuilder::createWhileStatement): - (JSC::ASTBuilder::createDoWhileStatement): - (JSC::ASTBuilder::createLabelStatement): - (JSC::ASTBuilder::createWithStatement): - (JSC::ASTBuilder::createThrowStatement): - (JSC::ASTBuilder::createDebugger): - (JSC::ASTBuilder::createConstStatement): - (JSC::ASTBuilder::appendBinaryExpressionInfo): - (JSC::ASTBuilder::appendUnaryToken): - (JSC::ASTBuilder::unaryTokenStackLastStart): - (JSC::ASTBuilder::unaryTokenStackLastLineStartPosition): Added. - (JSC::ASTBuilder::assignmentStackAppend): - (JSC::ASTBuilder::createAssignment): - (JSC::ASTBuilder::setExceptionLocation): - (JSC::ASTBuilder::makeDeleteNode): - (JSC::ASTBuilder::makeFunctionCallNode): - (JSC::ASTBuilder::makeBinaryNode): - (JSC::ASTBuilder::makeAssignNode): - (JSC::ASTBuilder::makePrefixNode): - (JSC::ASTBuilder::makePostfixNode):. - - Plumbed line, lineStart, and startColumn through the above as needed. - - * parser/Lexer.cpp: - (JSC::::currentSourcePtr): - (JSC::::setCode): - - Added tracking for sourceoffset and lineStart. - (JSC::::internalShift): - (JSC::::parseIdentifier): - - Added tracking for lineStart. - (JSC::::parseIdentifierSlowCase): - (JSC::::parseString): - - Added tracking for lineStart. - (JSC::::parseStringSlowCase): - (JSC::::lex): - - Added tracking for sourceoffset. - (JSC::::sourceCode): - * parser/Lexer.h: - (JSC::Lexer::currentOffset): - (JSC::Lexer::currentLineStartOffset): - (JSC::Lexer::setOffset): - - Added tracking for lineStart. - (JSC::Lexer::offsetFromSourcePtr): Added. conversion function. - (JSC::Lexer::sourcePtrFromOffset): Added. conversion function. - (JSC::Lexer::setOffsetFromSourcePtr): - (JSC::::lexExpectIdentifier): - - Added tracking for sourceoffset and lineStart. - - * parser/NodeConstructors.h: - (JSC::Node::Node): - (JSC::ResolveNode::ResolveNode): - (JSC::EvalFunctionCallNode::EvalFunctionCallNode): - (JSC::FunctionCallValueNode::FunctionCallValueNode): - (JSC::FunctionCallResolveNode::FunctionCallResolveNode): - (JSC::FunctionCallBracketNode::FunctionCallBracketNode): - (JSC::FunctionCallDotNode::FunctionCallDotNode): - (JSC::CallFunctionCallDotNode::CallFunctionCallDotNode): - (JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode): - (JSC::PostfixNode::PostfixNode): - (JSC::DeleteResolveNode::DeleteResolveNode): - (JSC::DeleteBracketNode::DeleteBracketNode): - (JSC::DeleteDotNode::DeleteDotNode): - (JSC::PrefixNode::PrefixNode): - (JSC::ReadModifyResolveNode::ReadModifyResolveNode): - (JSC::ReadModifyBracketNode::ReadModifyBracketNode): - (JSC::AssignBracketNode::AssignBracketNode): - (JSC::AssignDotNode::AssignDotNode): - (JSC::ReadModifyDotNode::ReadModifyDotNode): - (JSC::AssignErrorNode::AssignErrorNode): - (JSC::WithNode::WithNode): - (JSC::ForInNode::ForInNode): - - Plumbed line and lineStart through the above as needed. - * parser/Nodes.cpp: - (JSC::StatementNode::setLoc): Plumbed lineStart. - (JSC::ScopeNode::ScopeNode): Plumbed lineStart. - (JSC::ProgramNode::ProgramNode): Plumbed startColumn. - (JSC::ProgramNode::create): Plumbed startColumn. - (JSC::EvalNode::create): - (JSC::FunctionBodyNode::FunctionBodyNode): Plumbed startColumn. - (JSC::FunctionBodyNode::create): Plumbed startColumn. - * parser/Nodes.h: - (JSC::Node::startOffset): - (JSC::Node::lineStartOffset): Added. - (JSC::StatementNode::firstLine): - (JSC::StatementNode::lastLine): - (JSC::ThrowableExpressionData::ThrowableExpressionData): - (JSC::ThrowableExpressionData::setExceptionSourceCode): - (JSC::ThrowableExpressionData::divotStartOffset): - (JSC::ThrowableExpressionData::divotEndOffset): - (JSC::ThrowableExpressionData::divotLine): - (JSC::ThrowableExpressionData::divotLineStart): - (JSC::ThrowableSubExpressionData::ThrowableSubExpressionData): - (JSC::ThrowableSubExpressionData::setSubexpressionInfo): - (JSC::ThrowableSubExpressionData::subexpressionDivot): - (JSC::ThrowableSubExpressionData::subexpressionStartOffset): - (JSC::ThrowableSubExpressionData::subexpressionEndOffset): - (JSC::ThrowableSubExpressionData::subexpressionLine): - (JSC::ThrowableSubExpressionData::subexpressionLineStart): - (JSC::ThrowablePrefixedSubExpressionData::ThrowablePrefixedSubExpressionData): - (JSC::ThrowablePrefixedSubExpressionData::setSubexpressionInfo): - (JSC::ThrowablePrefixedSubExpressionData::subexpressionDivot): - (JSC::ThrowablePrefixedSubExpressionData::subexpressionStartOffset): - (JSC::ThrowablePrefixedSubExpressionData::subexpressionEndOffset): - (JSC::ThrowablePrefixedSubExpressionData::subexpressionLine): - (JSC::ThrowablePrefixedSubExpressionData::subexpressionLineStart): - (JSC::ScopeNode::startStartOffset): - (JSC::ScopeNode::startLineStartOffset): - (JSC::ProgramNode::startColumn): - (JSC::EvalNode::startColumn): - (JSC::FunctionBodyNode::startColumn): - - Plumbed line and lineStart through the above as needed. - * parser/Parser.cpp: - (JSC::::Parser): - (JSC::::parseSourceElements): - (JSC::::parseVarDeclarationList): - (JSC::::parseConstDeclarationList): - (JSC::::parseForStatement): - (JSC::::parseBreakStatement): - (JSC::::parseContinueStatement): - (JSC::::parseReturnStatement): - (JSC::::parseThrowStatement): - (JSC::::parseWithStatement): - - Plumbed line and lineStart through the above as needed. - (JSC::::parseFunctionBody): - - Plumbed startColumn. - (JSC::::parseFunctionInfo): - (JSC::::parseFunctionDeclaration): - (JSC::LabelInfo::LabelInfo): - (JSC::::parseExpressionOrLabelStatement): - (JSC::::parseAssignmentExpression): - (JSC::::parseBinaryExpression): - (JSC::::parseProperty): - (JSC::::parseObjectLiteral): - (JSC::::parsePrimaryExpression): - (JSC::::parseMemberExpression): - (JSC::::parseUnaryExpression): - - Plumbed line, lineStart, startColumn through the above as needed. - * parser/Parser.h: - (JSC::Parser::next): - (JSC::Parser::nextExpectIdentifier): - (JSC::Parser::tokenStart): - (JSC::Parser::tokenColumn): - (JSC::Parser::tokenEnd): - (JSC::Parser::tokenLineStart): - (JSC::Parser::lastTokenLine): - (JSC::Parser::lastTokenLineStart): - (JSC::::parse): - * parser/ParserTokens.h: - (JSC::JSTokenLocation::JSTokenLocation): - - Plumbed lineStart. - (JSC::JSTokenLocation::lineStartPosition): - (JSC::JSTokenLocation::startPosition): - (JSC::JSTokenLocation::endPosition): - * parser/SourceCode.h: - (JSC::SourceCode::SourceCode): - (JSC::SourceCode::startColumn): - (JSC::makeSource): - (JSC::SourceCode::subExpression): - * parser/SourceProvider.cpp: delete old code. - * parser/SourceProvider.h: delete old code. - * parser/SourceProviderCacheItem.h: - (JSC::SourceProviderCacheItem::closeBraceToken): - (JSC::SourceProviderCacheItem::SourceProviderCacheItem): - - Plumbed lineStart. - * parser/SyntaxChecker.h: - (JSC::SyntaxChecker::makeFunctionCallNode): - (JSC::SyntaxChecker::makeAssignNode): - (JSC::SyntaxChecker::makePrefixNode): - (JSC::SyntaxChecker::makePostfixNode): - (JSC::SyntaxChecker::makeDeleteNode): - (JSC::SyntaxChecker::createResolve): - (JSC::SyntaxChecker::createBracketAccess): - (JSC::SyntaxChecker::createDotAccess): - (JSC::SyntaxChecker::createRegExp): - (JSC::SyntaxChecker::createNewExpr): - (JSC::SyntaxChecker::createAssignResolve): - (JSC::SyntaxChecker::createFunctionExpr): - (JSC::SyntaxChecker::createFunctionBody): - (JSC::SyntaxChecker::createFuncDeclStatement): - (JSC::SyntaxChecker::createForInLoop): - (JSC::SyntaxChecker::createReturnStatement): - (JSC::SyntaxChecker::createBreakStatement): - (JSC::SyntaxChecker::createContinueStatement): - (JSC::SyntaxChecker::createWithStatement): - (JSC::SyntaxChecker::createLabelStatement): - (JSC::SyntaxChecker::createThrowStatement): - (JSC::SyntaxChecker::createGetterOrSetterProperty): - (JSC::SyntaxChecker::appendBinaryExpressionInfo): - (JSC::SyntaxChecker::operatorStackPop): - - Made SyntaxChecker prototype changes to match ASTBuilder due to new - args added for plumbing line, lineStart, and startColumn. - * runtime/CodeCache.cpp: - (JSC::CodeCache::generateBytecode): - (JSC::CodeCache::getCodeBlock): - - Plumbed startColumn. - * runtime/Executable.cpp: - (JSC::FunctionExecutable::FunctionExecutable): - (JSC::ProgramExecutable::compileInternal): - (JSC::FunctionExecutable::produceCodeBlockFor): - (JSC::FunctionExecutable::fromGlobalCode): - - Plumbed startColumn. - * runtime/Executable.h: - (JSC::ScriptExecutable::startColumn): - (JSC::ScriptExecutable::recordParse): - (JSC::FunctionExecutable::create): - - Plumbed startColumn. - -2013-07-08 Lucas Forschler - - Merge r152052 - - 2013-06-26 Anders Carlsson - - Add JSStringCreateWithCharactersNoCopy SPI - https://bugs.webkit.org/show_bug.cgi?id=118074 - + * runtime/JSLock.cpp: + (JSC::JSLock::JSLock): + Initialize the member variable to nullptr. - Reviewed by Geoffrey Garen. + (JSC::JSLock::willDestroyVM): + Update style to use nullptr instead of 0. - * API/JSStringRef.cpp: - (JSStringCreateWithCharactersNoCopy): - Create a new OpaqueJSString, using the newly added StringImpl::createWithoutCopying function. + (JSC::JSLock::willReleaseLock): + We should only reset the thread data's atomic string table if + didAcquireLock changed it. m_entryAtomicStringTable will have + been set by didAcquireLock if it changed, or nullptr if it didn't. + This way we are sure we are balanced, regardless of m_vm changes. - * API/JSStringRefPrivate.h: Added. - Add a home for the JSStringCreateWithCharactersNoCopy function. +2014-07-24 Lucas Forschler - * API/OpaqueJSString.h: - (OpaqueJSString::OpaqueJSString): - Just call isolatedCopy on the passed in string. + Merge r171543 - * API/tests/testapi.c: - Add an API test for JSStringCreateWithCharactersNoCopy. + 2014-07-24 Mark Hahnenberg + + Creating a JSGlobalObject with a custom JSClassRef results in a JSProxy with the wrong prototype + https://bugs.webkit.org/show_bug.cgi?id=135250 + Reviewed by Geoffrey Garen. + + JSGlobalObject::resetPrototype (which is called from JSGlobalContextCreateInGroup) doesn't change its + JSProxy's prototype as well. This results in a JSProxy where no properties in the original prototype + chain (as created from the JSClassRef hierarchy) are accessible. Changing resetPrototype to also change + the JSProxy's prototype fixes the issue. + + * API/JSValueRef.cpp: + (JSValueIsObjectOfClass): Also fixed a bug where a JSProxy for a JSGlobalObject with a custom JSClassRef + would claim it wasn't of the specified class, even if the target was of the specified class. + * API/tests/CustomGlobalObjectClassTest.c: Added. + (jsDoSomething): + (customGlobalObjectClassTest): + * API/tests/CustomGlobalObjectClassTest.h: Added. + * API/tests/testapi.c: + (assertTrue): + (main): + * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: + * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters: * JavaScriptCore.xcodeproj/project.pbxproj: - Add new files. + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::resetPrototype): -2013-07-08 Lucas Forschler +2014-07-24 Lucas Forschler - Merge r152314 + Merge r171395 - 2013-07-02 Mark Hahnenberg + 2014-07-22 Brent Fulgham - Replace RELEASE_ASSERT with ASSERT in CodeBlock:: bytecodeOffsetForCallAtIndex - https://bugs.webkit.org/show_bug.cgi?id=118316 + Build fix for non-clang compile. - Reviewed by Geoffrey Garen. + * jsc.cpp: + (WTF::RuntimeArray::put): Remove incorrect return statement + I added. - This is causing some crashiness in release builds. We should replace it with an ASSERT - until we track down all the places that need fixing in bug 118315. +2014-07-24 Lucas Forschler - * bytecode/CodeBlock.h: - (JSC::CodeBlock::bytecodeOffsetForCallAtIndex): + Merge r171393 -2013-07-01 Lucas Forschler + 2014-07-22 Brent Fulgham - Merge r152091 + Build fix for non-clang compile. - 2013-06-27 Timothy Hatcher + * jsc.cpp: + (WTF::RuntimeArray::deleteProperty): Need (fake) return + value when NO_RETURN_DUE_TO_CRASH is not defined. - Notify the debugger about functions created from source code via new Function() or WebCore::JSLazyEventListener. +2014-07-24 Lucas Forschler - https://bugs.webkit.org/show_bug.cgi?id=118063 + Merge r171390 + + 2014-07-22 Mark Lam + + Array.concat() should work on runtime arrays too. + Reviewed by Geoffrey Garen. - * bytecode/UnlinkedCodeBlock.cpp: - (JSC::UnlinkedFunctionExecutable::fromGlobalCode): Call Debugger::sourceParsed. + * jsc.cpp: + (WTF::RuntimeArray::create): + (WTF::RuntimeArray::~RuntimeArray): + (WTF::RuntimeArray::destroy): + (WTF::RuntimeArray::getOwnPropertySlot): + (WTF::RuntimeArray::getOwnPropertySlotByIndex): + (WTF::RuntimeArray::put): + (WTF::RuntimeArray::deleteProperty): + (WTF::RuntimeArray::getLength): + (WTF::RuntimeArray::createPrototype): + (WTF::RuntimeArray::createStructure): + (WTF::RuntimeArray::finishCreation): + (WTF::RuntimeArray::RuntimeArray): + (WTF::RuntimeArray::lengthGetter): + (GlobalObject::finishCreation): + (functionCreateRuntimeArray): + - Added support to create a runtime array for testing purpose. + * runtime/ArrayPrototype.cpp: + (JSC::getLength): + - Added fast case for when the array object is a JSArray. + (JSC::arrayProtoFuncJoin): + - Added a needed but missing exception check. + (JSC::arrayProtoFuncConcat): + - Use getLength() to compute the array length instead of assuming that + the array is a JSArray instance. + * tests/stress/regexp-matches-array.js: Added. + (testArrayConcat): + * tests/stress/runtime-array.js: Added. + (testArrayConcat): + +2014-07-24 Lucas Forschler + + Merge r171328 + + 2014-07-21 Mark Lam + + Refactor ArrayPrototype to use getLength() and putLength() utility functions. + https://bugs.webkit.org/show_bug.cgi?id=135139. -2013-07-01 Lucas Forschler + Reviewed by Oliver Hunt. - Merge r151978 + - Specialize putProperty() to putLength() because it is only used for setting + the length property. + - Added a getLength() utility function to get the value of the length property. + - Use these getLength() and putLength() functions instead of the existing code + to get and put the length property. Less code to read, easier to understand. - 2013-06-25 Ryosuke Niwa + * runtime/ArrayPrototype.cpp: + (JSC::getLength): + (JSC::putLength): + (JSC::arrayProtoFuncToString): + (JSC::arrayProtoFuncToLocaleString): + (JSC::arrayProtoFuncJoin): + (JSC::arrayProtoFuncPop): + (JSC::arrayProtoFuncPush): + (JSC::arrayProtoFuncReverse): + (JSC::arrayProtoFuncShift): + (JSC::arrayProtoFuncSlice): + (JSC::arrayProtoFuncSort): + (JSC::arrayProtoFuncSplice): + (JSC::arrayProtoFuncUnShift): + (JSC::arrayProtoFuncReduce): + (JSC::arrayProtoFuncReduceRight): + (JSC::arrayProtoFuncIndexOf): + (JSC::arrayProtoFuncLastIndexOf): + (JSC::putProperty): Deleted. - JSString should remember AtomicString - https://bugs.webkit.org/show_bug.cgi?id=117386 +2014-07-23 Matthew Hanson - Reviewed by Geoffrey Garen. + Merge r171474 (rollout r171367 from trunk) - Added JSValue::toAtomicString and JSString::atomicString. These two functions allow WebCore to update - JSString's m_value to set isAtomic flag and avoid the AtomicStringTable lookups in subsequent attempts - to obtain the AtomicString of the same value. +2014-07-23 Lucas Forschler - * runtime/JSCJSValue.h: - * runtime/JSString.h: - (JSC::JSString::atomicString): - (JSC::JSValue::toAtomicString): + Merge r171367 -2013-06-25 Lucas Forschler + 2014-07-22 Joseph Pecoraro - Merge r151786 + JSLock release should only modify the AtomicStringTable if it modified in acquire + https://bugs.webkit.org/show_bug.cgi?id=135143 - 2013-06-20 Mark Hahnenberg + Reviewed by Pratik Solanki. - Improper deallocation of JSManagedValue causes crashes during autorelease pool draining - https://bugs.webkit.org/show_bug.cgi?id=117840 + * runtime/JSLock.cpp: + (JSC::JSLock::willDestroyVM): + (JSC::JSLock::willReleaseLock): + Only set the AtomicStringTable when there was a VM, to balance JSLock::didAcquireLock. - Reviewed by Geoffrey Garen. +2014-07-23 Lucas Forschler - Improperly managing a JSManagedValue can cause a crash when the JSC::Weak inside the - JSManagedValue is destroyed upon deallocation. We would rather have improperly maintained - JSManagedValues cause memory leaks than take down the whole app. + Merge r171355 - The fix is to use the callback to the JSC::Weak on the destruction of the VM so that we - can safely null it out. This will prevent ~Weak from crashing. + 2014-07-21 Sam Weinig - * API/JSManagedValue.mm: - (-[JSManagedValue JSC::JSC::]): - (JSManagedValueHandleOwner::finalize): - * API/tests/testapi.mm: Added a test that crashed prior to this fix due to a leaked - managed reference. Also fixed a small style nit I noticed in another test. + [Cocoa] WKScriptMessageHandlers don't seem to function properly after navigating + https://bugs.webkit.org/show_bug.cgi?id=135148 -2013-06-25 Lucas Forschler + Reviewed by Geoffrey Garen. - Merge r151923 + * runtime/CommonIdentifiers.h: + Add a common identifier for the string "webkit". - 2013-06-24 Roger Fong +2014-07-23 Lucas Forschler - Unreviewed. Makefile build fix for AppleWindows. + Merge r171354 - * JavaScriptCore.vcxproj/JavaScriptCore.make: + 2014-07-22 Filip Pizlo -2013-06-21 Lucas Forschler + ASSERTION FAILED: info.spillFormat() & DataFormatJS in JSC::DFG::SpeculativeJIT::fillSpeculateCell + https://bugs.webkit.org/show_bug.cgi?id=135155 + - Merge r151787 + Reviewed by Oliver Hunt. - 2013-06-20 Roger Fong + The DFG fillSpeculate code paths all need to be mindful of the fact that they may be stumbling upon a + contradiction, and that this is OK. In this case, we were speculating cell on an int. + + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::fillSpeculateCell): + * tests/stress/regress-135155.js: Added. + (run.t.length): + (run): + +2014-07-22 Dana Burkart + + Merge r171228. + + 2014-07-18 Filip Pizlo + + Fix cloop build. + + * jsc.cpp: + (jscmain): + +2014-07-22 Dana Burkart + + Merge r171213. + + 2014-07-15 Filip Pizlo + + Need ability to fuzz exception throwing + https://bugs.webkit.org/show_bug.cgi?id=134945 + + + Reviewed by Sam Weinig. + + Adds the ability to instrument exception checks, and to force some random + exception check to artificially throw an exception. Also adds new tests that + are suitable for testing this. Note that this is closely tied to the Tools + directory changes that are also part of this changeset. + + This also fixes an activation tear-off bug that arises if we ever throw an + exception from operationOptimize, or if due to some other bug it's only due + to the operationOptimize exception check that we realize that there is an + exception to be thrown. + + * dfg/DFGJITCompiler.h: + (JSC::DFG::JITCompiler::fastExceptionCheck): + * ftl/FTLIntrinsicRepository.h: + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::callCheck): + * interpreter/Interpreter.cpp: + (JSC::unwindCallFrame): + * jit/AssemblyHelpers.cpp: + (JSC::AssemblyHelpers::callExceptionFuzz): + (JSC::AssemblyHelpers::emitExceptionCheck): + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::emitExceptionCheck): Deleted. + * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_enter): + * jit/JITOperations.cpp: + (JSC::numberOfExceptionFuzzChecks): + * jit/JITOperations.h: + * jsc.cpp: + (jscmain): + * runtime/Options.h: + * runtime/TestRunnerUtils.h: + * tests/exceptionFuzz.yaml: Added. + * tests/exceptionFuzz: Added. + * tests/exceptionFuzz/3d-cube.js: Added. + * tests/exceptionFuzz/date-format-xparb.js: Added. + * tests/exceptionFuzz/earley-boyer.js: Added. + +2014-07-22 Dana Burkart + + Merge r171204. + + 2014-07-17 Joseph Pecoraro + + Follow-up fix to r171195 to prevent ASSERT in fast/profiler/profile-with-no-title.html + + Rubber-stamped by Alexey Proskuryakov. + + Null / empty titles should be fine. Tests pass in release builds + which allowed empty titles, and it looks like the LegacyProfiler + stopProfiling handles empty titles as expected already. + + * profiler/LegacyProfiler.cpp: + (JSC::LegacyProfiler::startProfiling): + +2014-07-22 Dana Burkart + + Merge r171190. + + 2014-07-16 Filip Pizlo + + DFG Flush(SetLocal) store elimination is overzealous for captured variables in the presence of nodes that have no effects but may throw + https://bugs.webkit.org/show_bug.cgi?id=134988 + - Make Windows makefile copy build output to a different folder. - . + Reviewed by Oliver Hunt. + + Luckily, we also don't need this optimization to be super powerful: the only place + where it really matters is for getting rid of the redundancy between op_enter and + op_init_lazy_reg, and in that case, there is a small set of possible nodes between the + two things. This change updates the store eliminator to know about only that small, + obviously safe, set of nodes over which we can store-eliminate. + + This shouldn't have any performance impact in the DFG because this optimization kicks + in relatively rarely already. And once we tier up into the FTL, we get a much better + store elimination over LLVM IR, so this really shouldn't matter at all. + + The tricky part of this patch is that there is a close relative of this optimization, + for uncaptured variables that got flushed. This happens for arguments to inlined calls. + I make this work by splitting it into two different store eliminators. + + Note that in the process of crafting the tests, I realized that we were incorrectly + DCEing NewArrayWithSize. That's not cool, since that can throw an exception for + negative array sizes. If we ever did want to DCE this node, we'd need to lower the node + to a check node followed by the actual allocation. + + * dfg/DFGCSEPhase.cpp: + (JSC::DFG::CSEPhase::uncapturedSetLocalStoreElimination): + (JSC::DFG::CSEPhase::capturedSetLocalStoreElimination): + (JSC::DFG::CSEPhase::setLocalStoreElimination): + (JSC::DFG::CSEPhase::performNodeCSE): + (JSC::DFG::CSEPhase::SetLocalStoreEliminationResult::SetLocalStoreEliminationResult): Deleted. + * dfg/DFGNodeType.h: + * tests/stress/capture-escape-and-throw.js: Added. + (foo.f): + (foo): + * tests/stress/new-array-with-size-throw-exception-and-tear-off-arguments.js: Added. + (foo): + (bar): + +2014-07-17 Dean Jackson + + Disable some features on this branch. + + Reviewed originally by Simon Fraser. + + Disable: + - CSS_EXCLUSIONS + - CSS_GRID_LAYOUT + - INPUT_TYPE_COLOR + - INPUT_TYPE_COLOR_POPUP + - CANVAS_PATH + - CSS_TRANSFORMS_ANIMATIONS_UNPREFIXED + - INDIE_UI + - SHARED_WORKERS + - NAVIGATOR_HWCONCURRENCY + - GAMEPAD + - PICTURE_SIZES + - CSS3_CONDITIONAL_RULES + - WILL_REVEAL_EDGE_EVENTS - * JavaScriptCore.vcxproj/JavaScriptCore.make: + * Configurations/FeatureDefines.xcconfig: -2013-06-18 Roger Fong +2014-07-15 Benjamin Poulain - Disable some feature flags. - . + Reduce the overhead of updating the AssemblerBuffer + https://bugs.webkit.org/show_bug.cgi?id=134659 - Rubberstamped by Jon Lee. + Reviewed by Gavin Barraclough. - * Configurations/FeatureDefines.xcconfig: + In r164548, the linker was changed to allow the LinkBuffer to survive its MacroAssembler. + That feature is useful for JSC to get offsets inside a linked buffer in order to jump directly + there. -2013-06-18 Oliver Hunt + On ARM, we use branch compaction and we need to keep the "compaction offset" somewher to be able + to get the real address of a lable. That is done by reusing the memory of AssemblerData. - Going to google.com/trends causes a crash - https://bugs.webkit.org/show_bug.cgi?id=117602 + To share the memory between LinkBuffer and the Assembler, r164548 moved the AssemblerData into + a ref-counted object. Unfortunately, the extra complexity related to the new AssemblerData was enough + to make clang give up a bunch of optimizations. - Reviewed by Geoffrey Garen. + This patch solve (some of) the problems by making AssemblerBuffer and AssemblerData super low overhead structures. + In particular, the grow() function becomes 8 Thumb instructions, which is easily inlined everywhere it is used. - When handling op_throw, etc we need to flush the variables and arguments - for the entire inline stack, not just the top frame. + Instead of sharing ownership between the Assembler and LinkBuffer, LinkBuffer now takes full ownership of + the AssemblerData. I feel this is also safer since LinkBuffer is reusing the AssemblerData is a very + specific way that would make it unusable for the Assembler. - * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::flushAllArgumentsAndCapturedVariablesInInlineStack): - (JSC::DFG::ByteCodeParser::parseBlock): + -- Technical details -- -2013-06-18 Roger Fong + From LinkBuffer, we don't want to ever access the Assembler after releasing its buffer (or writting anything + into it really). This was obviously already the case, but that was hard to prove from LinkBuffer::copyCompactAndLinkCode(). + To make this easier to work with, I changed all the assembler specific function to be static. This way we know + exactly what code access the Assembler instance. The code that does access the instance is then moved + at the beginning, before we modify anything. - Replace tools32 folder with tools and update WebKit Windows solution accordingly. - . + The function recordLinkOffsets() that was on the MacroAssembler and copied in Assembler was moved directly + to LinkBuffer. This make the modification of AssemblerData completely explicit, and that code is specific + to LinkBuffer anyway (see LinkBuffer::executableOffsetFor()). - Rubberstamped by Brent Fulgham. + -- Perf impact -- - * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: - * JavaScriptCore.vcxproj/JavaScriptCoreDebug.props: - * JavaScriptCore.vcxproj/JavaScriptCoreDebugCFLite.props: - * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: - * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedDebug.props: - * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedProduction.props: - * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedRelease.props: - * JavaScriptCore.vcxproj/JavaScriptCorePostBuild.cmd: - * JavaScriptCore.vcxproj/JavaScriptCoreProduction.props: - * JavaScriptCore.vcxproj/JavaScriptCoreRelease.props: - * JavaScriptCore.vcxproj/JavaScriptCoreReleaseCFLite.props: - * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj: - * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj: - * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj: - * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebug.props: - * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorProduction.props: - * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorRelease.props: - * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: - * JavaScriptCore.vcxproj/jsc/jscDebug.props: - * JavaScriptCore.vcxproj/jsc/jscProduction.props: - * JavaScriptCore.vcxproj/jsc/jscRelease.props: - * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: - * JavaScriptCore.vcxproj/testRegExp/testRegExpDebug.props: - * JavaScriptCore.vcxproj/testRegExp/testRegExpProduction.props: - * JavaScriptCore.vcxproj/testRegExp/testRegExpRelease.props: - * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: - * JavaScriptCore.vcxproj/testapi/testapiDebug.props: - * JavaScriptCore.vcxproj/testapi/testapiDebugCFLite.props: - * JavaScriptCore.vcxproj/testapi/testapiProduction.props: - * JavaScriptCore.vcxproj/testapi/testapiRelease.props: - * JavaScriptCore.vcxproj/testapi/testapiReleaseCFLite.props: - -2013-06-17 Roger Fong - - Modify Windows makefiles to copy some bin output into Program Files. - https://bugs.webkit.org/show_bug.cgi?id=117714. - + This does not put us exactly at before r164548 due to the missing inline buffer. Still, it is very close. + On ARMv7, this reduces the time spent in Assembler by half. On the CSS JIT, this reduces the compilation + time by ~20%. - Reviewed by Brent Fulgham. + I could not measure any difference on x86_64. - * JavaScriptCore.vcxproj/JavaScriptCore.make: + * assembler/ARM64Assembler.h: + (JSC::ARM64Assembler::jumpSizeDelta): + (JSC::ARM64Assembler::canCompact): + (JSC::ARM64Assembler::computeJumpType): + (JSC::ARM64Assembler::link): + (JSC::ARM64Assembler::recordLinkOffsets): Deleted. + * assembler/ARMv7Assembler.h: + (JSC::ARMv7Assembler::ifThenElseConditionBit): + (JSC::ARMv7Assembler::ifThenElse): + (JSC::ARMv7Assembler::jumpSizeDelta): + (JSC::ARMv7Assembler::canCompact): + (JSC::ARMv7Assembler::computeJumpType): + (JSC::ARMv7Assembler::link): + (JSC::ARMv7Assembler::linkJumpT1): + (JSC::ARMv7Assembler::linkJumpT3): + (JSC::ARMv7Assembler::linkConditionalJumpT4): + (JSC::ARMv7Assembler::linkConditionalBX): + (JSC::ARMv7Assembler::recordLinkOffsets): Deleted. + * assembler/AssemblerBuffer.h: + (JSC::AssemblerData::AssemblerData): + (JSC::AssemblerData::operator=): + (JSC::AssemblerData::~AssemblerData): + (JSC::AssemblerData::buffer): + (JSC::AssemblerData::capacity): + (JSC::AssemblerData::grow): + (JSC::AssemblerBuffer::AssemblerBuffer): + (JSC::AssemblerBuffer::isAvailable): + (JSC::AssemblerBuffer::data): + (JSC::AssemblerBuffer::releaseAssemblerData): + (JSC::AssemblerBuffer::putIntegral): + (JSC::AssemblerBuffer::putIntegralUnchecked): + (JSC::AssemblerBuffer::append): + (JSC::AssemblerBuffer::grow): + (JSC::AssemblerBuffer::~AssemblerBuffer): Deleted. + (JSC::AssemblerBuffer::storage): Deleted. + * assembler/LinkBuffer.cpp: + (JSC::recordLinkOffsets): + (JSC::LinkBuffer::copyCompactAndLinkCode): + * assembler/LinkBuffer.h: + (JSC::LinkBuffer::LinkBuffer): + (JSC::LinkBuffer::executableOffsetFor): + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::canCompact): + (JSC::MacroAssemblerARM64::computeJumpType): + (JSC::MacroAssemblerARM64::jumpSizeDelta): + (JSC::MacroAssemblerARM64::link): + (JSC::MacroAssemblerARM64::recordLinkOffsets): Deleted. + * assembler/MacroAssemblerARMv7.h: + (JSC::MacroAssemblerARMv7::canCompact): + (JSC::MacroAssemblerARMv7::computeJumpType): + (JSC::MacroAssemblerARMv7::jumpSizeDelta): + (JSC::MacroAssemblerARMv7::link): + (JSC::MacroAssemblerARMv7::recordLinkOffsets): Deleted. -2013-06-14 Ryosuke Niwa +2014-07-15 Mark Hahnenberg - Function names on Object.prototype should be common identifiers - https://bugs.webkit.org/show_bug.cgi?id=117614 + Stores to PropertyTable use the Structure as the owner + https://bugs.webkit.org/show_bug.cgi?id=134595 Reviewed by Darin Adler. - Patch written by Sam Weinig. Make Object's prototype function names common identififers since they're used frequently. + Since PropertyTable is the object that does the marking of these references, it should be the owner. - * runtime/CommonIdentifiers.h: - * runtime/FunctionConstructor.cpp: - (JSC::constructFunction): - * runtime/JSGlobalObject.cpp: - (JSC::JSGlobalObject::reset): - * runtime/JSObject.h: + Also removed some unused parameters to other methods that historically used the Structure as the owner. + + * runtime/JSPropertyNameIterator.h: + (JSC::StructureRareData::setEnumerationCache): * runtime/ObjectPrototype.cpp: - (JSC::ObjectPrototype::finishCreation): - * runtime/StringPrototype.cpp: - (JSC::StringPrototype::finishCreation): + (JSC::objectProtoFuncToString): + * runtime/PropertyMapHashTable.h: + (JSC::PropertyTable::copy): + * runtime/PropertyTable.cpp: + (JSC::PropertyTable::clone): + (JSC::PropertyTable::PropertyTable): + * runtime/Structure.cpp: + (JSC::Structure::Structure): + (JSC::Structure::materializePropertyMap): + (JSC::Structure::addPropertyTransition): + (JSC::Structure::changePrototypeTransition): + (JSC::Structure::despecifyFunctionTransition): + (JSC::Structure::attributeChangeTransition): + (JSC::Structure::toDictionaryTransition): + (JSC::Structure::preventExtensionsTransition): + (JSC::Structure::takePropertyTableOrCloneIfPinned): + (JSC::Structure::nonPropertyTransition): + (JSC::Structure::copyPropertyTable): + (JSC::Structure::copyPropertyTableForPinning): + (JSC::Structure::putSpecificValue): + * runtime/Structure.h: + (JSC::Structure::setObjectToStringValue): + (JSC::Structure::setPreviousID): + * runtime/StructureInlines.h: + (JSC::Structure::setEnumerationCache): + * runtime/StructureRareData.h: + * runtime/StructureRareDataInlines.h: + (JSC::StructureRareData::setPreviousID): + (JSC::StructureRareData::setObjectToStringValue): + +2014-07-15 Mark Hahnenberg + + ScriptExecutable::forEachCodeBlock can dereference null CodeBlocks + https://bugs.webkit.org/show_bug.cgi?id=134928 -2013-06-13 Ryosuke Niwa + Reviewed by Andreas Kling. - Remove LiteralIdentifierTable - https://bugs.webkit.org/show_bug.cgi?id=117613 + * bytecode/CodeBlock.h: + (JSC::ScriptExecutable::forEachCodeBlock): Check for null CodeBlocks before calling forEachRelatedCodeBlock. - Reviewed by Geoffrey Garen. +2014-07-15 Eva Balazsfalvi - Removed LiteralIdentifierTable since it doesn't seem to have any perf. impact now. + Buildfix if LLINT_SLOW_PATH_TRACING is enabled + https://bugs.webkit.org/show_bug.cgi?id=133790 - * runtime/Identifier.cpp: - (JSC::Identifier::add): + Reviewed by Mark Lam. + + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): -2013-06-12 Conrad Shultz +2014-07-14 Filip Pizlo - JSExport header documentation substitutes "semicolon" for "colon" - https://bugs.webkit.org/show_bug.cgi?id=117552 + Allow for Int52Rep to see things other than Int32, and make this testable + https://bugs.webkit.org/show_bug.cgi?id=134873 + - Reviewed by Mark Hahnenberg. + Reviewed by Geoffrey Garen and Mark Hahnenberg. + + A major premise of our type inference is that prediction propagation can say whatever it + wants and we'll still have valid IR after Fixup. This previously didn't work with Int52s. + We required some kind of agreement between prediction propagation and fixup over which + data flow paths were Int52 and which weren't. + + It turns out that we basically had such an agreement, with the exception of code that was + unreachable due to ForceOSRExit. Then, fixup and prediction propagation would disagree. It + might be nice to fix that bug - but it's only in the case of Int52 that such a thing would + be a bug! Normally, we allow sloppiness in prediction propagation. + + This patch allows us to be sloppy with Int52 prediction propagation by giving Int52Rep the + ability to see inputs other than Int32. This fixes the particular ForceOSRExit bug (see + int52-force-osr-exit-path.js for the reduced test case). To make sure that the newly + empowered Int52Rep is actually correct - in case we end up using it on paths other than + ForceOSRExit - this patch introduces an internal intrinsic called fiatInt52() that forces + us to attempt Int52 conversion on the input. This patch adds a bunch of tests that stress + this intrinsic. This means that we're now stressing Int52Rep more so than ever before! + + Note that it would still be a bug for prediction propagation to ever cause us to create an + Int52Rep node for a non-Int32 input. But, this will now be a performance bug, rather than + a crash bug. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGAbstractValue.cpp: + (JSC::DFG::AbstractValue::fixTypeForRepresentation): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleIntrinsic): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): + * dfg/DFGGraph.h: + (JSC::DFG::Graph::isMachineIntConstant): + * dfg/DFGNode.h: + (JSC::DFG::Node::isMachineIntConstant): + * dfg/DFGNodeType.h: + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGPredictionPropagationPhase.cpp: + (JSC::DFG::PredictionPropagationPhase::propagate): + * dfg/DFGSafeToExecute.h: + (JSC::DFG::SafeToExecuteEdge::operator()): + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::speculate): + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::callOperation): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + (JSC::DFG::SpeculativeJIT::convertMachineInt): + (JSC::DFG::SpeculativeJIT::speculateMachineInt): + (JSC::DFG::SpeculativeJIT::speculateDoubleRepMachineInt): + * dfg/DFGStrengthReductionPhase.cpp: + (JSC::DFG::StrengthReductionPhase::handleNode): + * dfg/DFGUseKind.cpp: + (WTF::printInternal): + * dfg/DFGUseKind.h: + (JSC::DFG::typeFilterFor): + (JSC::DFG::isNumerical): + (JSC::DFG::isDouble): + * dfg/DFGValidate.cpp: + (JSC::DFG::Validate::validate): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLIntrinsicRepository.h: + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileInt52Rep): + (JSC::FTL::LowerDFGToLLVM::doubleToInt32): + (JSC::FTL::LowerDFGToLLVM::jsValueToDouble): + (JSC::FTL::LowerDFGToLLVM::jsValueToStrictInt52): + (JSC::FTL::LowerDFGToLLVM::doubleToStrictInt52): + (JSC::FTL::LowerDFGToLLVM::speculate): + (JSC::FTL::LowerDFGToLLVM::speculateMachineInt): + (JSC::FTL::LowerDFGToLLVM::speculateDoubleRepMachineInt): + * jit/JITOperations.h: + * jsc.cpp: + (GlobalObject::finishCreation): + (functionIdentity): + * runtime/Intrinsic.h: + * runtime/JSCJSValue.h: + * runtime/JSCJSValueInlines.h: + (JSC::tryConvertToInt52): + (JSC::isInt52): + (JSC::JSValue::isMachineInt): + * tests/stress/dead-fiat-double-to-int52-then-exit-not-int52.js: Added. + (foo): + * tests/stress/dead-fiat-double-to-int52.js: Added. + (foo): + * tests/stress/dead-fiat-int32-to-int52.js: Added. + (foo): + * tests/stress/dead-fiat-value-to-int52-double-path.js: Added. + (foo): + (bar): + * tests/stress/dead-fiat-value-to-int52-then-exit-not-double.js: Added. + (foo): + (bar): + * tests/stress/dead-fiat-value-to-int52-then-exit-not-int52.js: Added. + (foo): + (bar): + * tests/stress/dead-fiat-value-to-int52.js: Added. + (foo): + (bar): + * tests/stress/fiat-double-to-int52-then-exit-not-int52.js: Added. + (foo): + * tests/stress/fiat-double-to-int52-then-fail-to-fold.js: Added. + (foo): + * tests/stress/fiat-double-to-int52-then-fold.js: Added. + (foo): + * tests/stress/fiat-double-to-int52.js: Added. + (foo): + * tests/stress/fiat-int32-to-int52.js: Added. + (foo): + * tests/stress/fiat-value-to-int52-double-path.js: Added. + (foo): + (bar): + * tests/stress/fiat-value-to-int52-then-exit-not-double.js: Added. + (foo): + (bar): + * tests/stress/fiat-value-to-int52-then-exit-not-int52.js: Added. + (foo): + (bar): + * tests/stress/fiat-value-to-int52-then-fail-to-fold.js: Added. + (foo): + * tests/stress/fiat-value-to-int52-then-fold.js: Added. + (foo): + * tests/stress/fiat-value-to-int52.js: Added. + (foo): + (bar): + * tests/stress/int52-force-osr-exit-path.js: Added. + (foo): + +2014-07-14 Mark Hahnenberg + + Flattening dictionaries with oversize backing stores can cause crashes + https://bugs.webkit.org/show_bug.cgi?id=134906 - * API/JSExport.h: - Fix a couple typos. + Reviewed by Filip Pizlo. -2013-06-10 Raphael Kubo da Costa + The collector expects any pointers into CopiedSpace passed to copyLater are within 32 KB + of the CopiedBlock header. This was always the case except for when flattening a dictionary + caused the size of the Butterfly to decrease. This was equivalent to moving the base of the + Butterfly to higher addresses. If the object was reduced sufficiently in size, the base + would no longer be within the first 32 KB of the CopiedBlock and the next collection would + choke on the Butterfly pointer. - [JSC] Remove a vestige of wxWidgets support. - https://bugs.webkit.org/show_bug.cgi?id=117419 + This patch fixes this issue by detect this situation during flattening and memmove-ing + the Butterfly down to where the old base was. - Reviewed by Benjamin Poulain. + * runtime/JSObject.cpp: + (JSC::JSObject::shiftButterflyAfterFlattening): + * runtime/JSObject.h: + (JSC::JSObject::butterflyPreCapacity): + (JSC::JSObject::butterflyTotalSize): + * runtime/Structure.cpp: + (JSC::Structure::flattenDictionaryStructure): + * tests/stress/flatten-oversize-dictionary-object.js: Added. + (foo): + +2014-07-14 Benjamin Poulain - * runtime/JSExportMacros.h: Remove a check for BUILDING_WX__ that - seems to have gone unnoticed when the wxWidgets port was removed. + Remove some dead code from FTLJITFinalizer + https://bugs.webkit.org/show_bug.cgi?id=134874 -2013-06-06 Roger Fong + Reviewed by Geoffrey Garen. - Stop copying AAS binaries into build folder. - https://bugs.webkit.org/show_bug.cgi?id=117319. + Not sure what that code was for...but it does not do anything :) - Rubberstamped by Darin Adler. + * ftl/FTLJITFinalizer.cpp: + (JSC::FTL::JITFinalizer::finalizeFunction): + The pointer of the label is computed but never used. - * JavaScriptCore.vcxproj/JavaScriptCorePreLink.cmd: - * JavaScriptCore.vcxproj/jsc/jscPostBuild.cmd: - * JavaScriptCore.vcxproj/jsc/jscPreLink.cmd: - * JavaScriptCore.vcxproj/testRegExp/testRegExpPostBuild.cmd: - * JavaScriptCore.vcxproj/testRegExp/testRegExpPreLink.cmd: - * JavaScriptCore.vcxproj/testapi/testapiPreLink.cmd: + * ftl/FTLJITFinalizer.h: + * ftl/FTLLink.cpp: + (JSC::FTL::link): + The label is never set to anything. -2013-06-05 Filip Pizlo +2014-07-14 Bear Travis - DFG CFA shouldn't filter ArrayModes with ALL_NON_ARRAY_ARRAY_MODES if the speculated type is not SpecArray - https://bugs.webkit.org/show_bug.cgi?id=117279 - + [Feature Queries] Enable Feature Queries on Mac + https://bugs.webkit.org/show_bug.cgi?id=134404 - Reviewed by Mark Hahnenberg. + Reviewed by Antti Koivisto. - * dfg/DFGAbstractValue.h: - (JSC::DFG::AbstractValue::filterArrayModesByType): + Enable Feature Queries on Mac and resume running the + feature tests. -2013-06-05 Michael Saboff + * Configurations/FeatureDefines.xcconfig: Turn on + ENABLE_CSS3_CONDITIONAL_RULES. - JSC: Crash beneath cti_op_div @ http://gmailblog.blogspot.com - https://bugs.webkit.org/show_bug.cgi?id=117280 +2014-07-11 Joseph Pecoraro - Reviewed by Filip Pizlo. + Web Inspector: Debugger Pause button does not work + https://bugs.webkit.org/show_bug.cgi?id=134785 - Updated the merging of VariableAccessData nodes in ArgumentPosition lists - to find the unified VariableAccessData node that is the root of the - current node instead of using the current node directly when merging - attributes. - Added new dump code to dump the ArgumentPosition list. + Reviewed by Timothy Hatcher. - * dfg/DFGArgumentPosition.h: - (JSC::DFG::rgumentPosition::mergeArgumentPredictionAwareness): - (JSC::DFG::ArgumentPosition::mergeArgumentUnboxingAwareness): - (JSC::DFG::ArgumentPosition::dump): - * dfg/DFGGraph.cpp: - (JSC::DFG::Graph::dump): + * CMakeLists.txt: + * DerivedSources.make: + Minification strips the sourceURL command. Add it back with minification. -2013-06-05 Bear Travis +2014-07-11 peavo@outlook.com - [CSS Exclusions][CSS Shapes] Split CSS Exclusions & Shapes compile & runtime flags - https://bugs.webkit.org/show_bug.cgi?id=117172 + [Win] Enable DFG JIT. + https://bugs.webkit.org/show_bug.cgi?id=123615 - Reviewed by Alexandru Chiculita. + Reviewed by Mark Lam. - Adding the CSS_SHAPES compile flag. + When the return type of a JIT generated function call is larger than 64-bit (e.g. SlowPathReturnType), + the normal call() implementation cannot be used on 64-bit Windows, because the 64-bit Windows ABI is different in this case. + Also, when generating calls with double arguments, we need to make sure the arguments are put in the correct registers, + since the register allocation differs on 64-bit Windows. - * Configurations/FeatureDefines.xcconfig: + * assembler/MacroAssemblerX86_64.h: + (JSC::MacroAssemblerX86_64::callWithSlowPathReturnType): Added method to handle function calls where the return value type size is larger than 64-bit. + * jit/CCallHelpers.h: + (JSC::CCallHelpers::setupArgumentsWithExecState): Move arguments to correct registers when there are floating point arguments. + (JSC::CCallHelpers::setupArgumentsWithExecStateForCallWithSlowPathReturnType): Added method. + * jit/JIT.h: + (JSC::JIT::appendCallWithSlowPathReturnType): Added method. + * jit/JITInlines.h: + (JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType): Added method. + (JSC::JIT::callOperation): Call new method. -2013-06-05 Balazs Kilvady +2014-07-09 Benjamin Poulain - JSC Assertion tests failures on MIPS. - https://bugs.webkit.org/show_bug.cgi?id=116552 + Use 16bits instructions for push/pop on ARMv7 when possible + https://bugs.webkit.org/show_bug.cgi?id=134753 Reviewed by Geoffrey Garen. - Fix condition handlig in branchAdd32 implemetations. + The patch r170839 mixed the code for push/pop pair and single push/pop. + That part was reverted in r170909. - * assembler/MacroAssemblerMIPS.h: - (JSC::MacroAssemblerMIPS::branchAdd32): + This patch puts the code back but specialized for single push/pop. -2013-06-04 Julien Brianceau + * assembler/ARMv7Assembler.h: + (JSC::ARMv7Assembler::pop): + (JSC::ARMv7Assembler::push): + * assembler/MacroAssemblerARMv7.h: + (JSC::MacroAssemblerARMv7::pop): + (JSC::MacroAssemblerARMv7::push): - [sh4] Add floating point absolute function support in baseline JIT. - https://bugs.webkit.org/show_bug.cgi?id=117147 +2014-07-09 Brent Fulgham - Reviewed by Geoffrey Garen. + [Win] Remove uses of 'bash' in build system + https://bugs.webkit.org/show_bug.cgi?id=134782 + - * assembler/MacroAssemblerSH4.h: - (JSC::MacroAssemblerSH4::supportsFloatingPointAbs): - (JSC::MacroAssemblerSH4::absDouble): - * assembler/SH4Assembler.h: - (JSC::SH4Assembler::dabs): - (JSC::SH4Assembler::printInstr): + Reviewed by Dean Jackson. -2013-06-04 Zan Dobersek + Remove uses of 'bash' by replacing Windows-specific bash scripts + with Perl equivalents. - [JSC] Test262 15.5.4.9_3 test is failing - https://bugs.webkit.org/show_bug.cgi?id=116789 + * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make: + * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: + * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj.filters: + * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd: + * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make: + * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj: + * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh. + * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Removed. + * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make: + * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj: + * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh. + * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: Removed. + * JavaScriptCore.vcxproj/build-generated-files.pl: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/build-generated-files.sh. + * JavaScriptCore.vcxproj/build-generated-files.sh: Removed. + * JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd: + * JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd: + * JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd: - Reviewed by Geoffrey Garen. +2014-07-09 Brent Fulgham - Bring the String.prototype.localeCompare behavior in line wit ES5 15.9.4.9. - If method is not given enough arguments, the minimal amount of arguments must be assumed, with their value being undefined. - The first argument to localeCompare, in its string form, is used as the 'that' string that's used in the comparison. - Therefor, when calling str.localeCompare() or str.localeCompare(undefined), the first argument is `undefined` and the - string "undefined" is used as the string to which value of str is compared. + [Win] Remove use of 'grep' in build steps + https://bugs.webkit.org/show_bug.cgi?id=134770 + - * runtime/StringPrototype.cpp: - (JSC::stringProtoFuncLocaleCompare): Remove the early return in case of no given arguments to achieve the desired behavior. + Reviewed by Tim Horton. -2013-06-03 Hojong Han + Replace uses of the grep command in Windows builds with the equivalent + Perl program. - [EFL] Implement GCActivityCallback - https://bugs.webkit.org/show_bug.cgi?id=95923 + * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd: + * JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd: + * JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd: + * JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd: - Reviewed by Geoffrey Garen. +2014-07-08 Benjamin Poulain - Implements the activity triggered garbage collector. - Additional GCs can be triggered by platfrom timer. - It has sort of compaction effect not to make JSC heap grow fast - so that memory usage becomes lower than usual. + Restore the assertion changed with 170839 - * PlatformEfl.cmake: Added. - * heap/HeapTimer.cpp: - (JSC): - (JSC::HeapTimer::HeapTimer): - (JSC::HeapTimer::~HeapTimer): - (JSC::HeapTimer::add): - (JSC::HeapTimer::stop): - (JSC::HeapTimer::timerEvent): - * heap/HeapTimer.h: - (HeapTimer): - * jsc.cpp: - (main): - * runtime/GCActivityCallback.cpp: - (JSC): - (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback): - (JSC::DefaultGCActivityCallback::scheduleTimer): - (JSC::DefaultGCActivityCallback::cancelTimer): - (JSC::DefaultGCActivityCallback::didAllocate): - * runtime/GCActivityCallback.h: - (GCActivityCallback): - (JSC::GCActivityCallback::GCActivityCallback): - (DefaultGCActivityCallback): - -2013-06-03 Roger Fong - - Nuke VS2005 files from the tree. - . - - Rubberstamped by Brent Fulgham. - - * JavaScriptCore.vcproj: Removed. - * JavaScriptCore.vcproj/JavaScriptCore: Removed. - * JavaScriptCore.vcproj/JavaScriptCore.make: Removed. - * JavaScriptCore.vcproj/JavaScriptCore.resources: Removed. - * JavaScriptCore.vcproj/JavaScriptCore.resources/Info.plist: Removed. - * JavaScriptCore.vcproj/JavaScriptCore.sln: Removed. - * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: Removed. - * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCF.vsprops: Removed. - * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCFLite.vsprops: Removed. - * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops: Removed. - * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreDebug.vsprops: Removed. - * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreDebugAll.vsprops: Removed. - * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreDebugCairoCFLite.vsprops: Removed. - * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: Removed. - * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGenerated.make: Removed. - * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGenerated.vcproj: Removed. - * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedCommon.vsprops: Removed. - * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedDebug.vsprops: Removed. - * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedDebugAll.vsprops: Removed. - * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedDebugCairoCFLite.vsprops: Removed. - * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedProduction.vsprops: Removed. - * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedRelease.vsprops: Removed. - * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedReleaseCairoCFLite.vsprops: Removed. - * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedReleasePGO.vsprops: Removed. - * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCorePGOOptimize.vsprops: Removed. - * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCorePostBuild.cmd: Removed. - * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCorePreBuild.cmd: Removed. - * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCorePreLink.cmd: Removed. - * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreProduction.vsprops: Removed. - * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreRelease.vsprops: Removed. - * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreReleaseCairoCFLite.vsprops: Removed. - * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreReleasePGO.vsprops: Removed. - * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreReleasePGOOptimize.vsprops: Removed. - * JavaScriptCore.vcproj/JavaScriptCore/build-generated-files.sh: Removed. - * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd: Removed. - * JavaScriptCore.vcproj/JavaScriptCoreSubmit.sln: Removed. - * JavaScriptCore.vcproj/LLIntAssembly: Removed. - * JavaScriptCore.vcproj/LLIntAssembly/LLIntAssembly.make: Removed. - * JavaScriptCore.vcproj/LLIntAssembly/LLIntAssembly.vcproj: Removed. - * JavaScriptCore.vcproj/LLIntAssembly/build-LLIntAssembly.sh: Removed. - * JavaScriptCore.vcproj/LLIntDesiredOffsets: Removed. - * JavaScriptCore.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.make: Removed. - * JavaScriptCore.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.vcproj: Removed. - * JavaScriptCore.vcproj/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: Removed. - * JavaScriptCore.vcproj/LLIntOffsetsExtractor: Removed. - * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcproj: Removed. - * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.vsprops: Removed. - * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebug.vsprops: Removed. - * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebugAll.vsprops: Removed. - * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebugCairoCFLite.vsprops: Removed. - * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorProduction.vsprops: Removed. - * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorRelease.vsprops: Removed. - * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorReleaseCairoCFLite.vsprops: Removed. - * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorReleasePGO.vsprops: Removed. - * JavaScriptCore.vcproj/jsc: Removed. - * JavaScriptCore.vcproj/jsc/jsc.vcproj: Removed. - * JavaScriptCore.vcproj/jsc/jscCommon.vsprops: Removed. - * JavaScriptCore.vcproj/jsc/jscDebug.vsprops: Removed. - * JavaScriptCore.vcproj/jsc/jscDebugAll.vsprops: Removed. - * JavaScriptCore.vcproj/jsc/jscDebugCairoCFLite.vsprops: Removed. - * JavaScriptCore.vcproj/jsc/jscPostBuild.cmd: Removed. - * JavaScriptCore.vcproj/jsc/jscPreBuild.cmd: Removed. - * JavaScriptCore.vcproj/jsc/jscPreLink.cmd: Removed. - * JavaScriptCore.vcproj/jsc/jscProduction.vsprops: Removed. - * JavaScriptCore.vcproj/jsc/jscRelease.vsprops: Removed. - * JavaScriptCore.vcproj/jsc/jscReleaseCairoCFLite.vsprops: Removed. - * JavaScriptCore.vcproj/jsc/jscReleasePGO.vsprops: Removed. - * JavaScriptCore.vcproj/testRegExp: Removed. - * JavaScriptCore.vcproj/testRegExp/testRegExp.vcproj: Removed. - * JavaScriptCore.vcproj/testRegExp/testRegExpCommon.vsprops: Removed. - * JavaScriptCore.vcproj/testRegExp/testRegExpDebug.vsprops: Removed. - * JavaScriptCore.vcproj/testRegExp/testRegExpDebugAll.vsprops: Removed. - * JavaScriptCore.vcproj/testRegExp/testRegExpDebugCairoCFLite.vsprops: Removed. - * JavaScriptCore.vcproj/testRegExp/testRegExpPostBuild.cmd: Removed. - * JavaScriptCore.vcproj/testRegExp/testRegExpPreBuild.cmd: Removed. - * JavaScriptCore.vcproj/testRegExp/testRegExpPreLink.cmd: Removed. - * JavaScriptCore.vcproj/testRegExp/testRegExpProduction.vsprops: Removed. - * JavaScriptCore.vcproj/testRegExp/testRegExpRelease.vsprops: Removed. - * JavaScriptCore.vcproj/testRegExp/testRegExpReleaseCairoCFLite.vsprops: Removed. - * JavaScriptCore.vcproj/testRegExp/testRegExpReleasePGO.vsprops: Removed. - * JavaScriptCore.vcproj/testapi: Removed. - * JavaScriptCore.vcproj/testapi/testapi.vcproj: Removed. - * JavaScriptCore.vcproj/testapi/testapiCommon.vsprops: Removed. - * JavaScriptCore.vcproj/testapi/testapiDebug.vsprops: Removed. - * JavaScriptCore.vcproj/testapi/testapiDebugAll.vsprops: Removed. - * JavaScriptCore.vcproj/testapi/testapiDebugCairoCFLite.vsprops: Removed. - * JavaScriptCore.vcproj/testapi/testapiPostBuild.cmd: Removed. - * JavaScriptCore.vcproj/testapi/testapiPreBuild.cmd: Removed. - * JavaScriptCore.vcproj/testapi/testapiPreLink.cmd: Removed. - * JavaScriptCore.vcproj/testapi/testapiProduction.vsprops: Removed. - * JavaScriptCore.vcproj/testapi/testapiRelease.vsprops: Removed. - * JavaScriptCore.vcproj/testapi/testapiReleaseCairoCFLite.vsprops: Removed. - -2013-05-31 Filip Pizlo - - Incorrect assertion in DFG::Graph::uncheckedActivationRegisterFor() - + * assembler/ARMv7Assembler.h: + (JSC::ARMv7Assembler::pop): + (JSC::ARMv7Assembler::push): + Revert the Assembler part of 170839. The assertions do not match both encoding. - Rubber stamped by Mark Hahnenberg. - - This has a bogus assertion that checks that the passed CodeOrigin doesn't have - an inline call frame. This was well intentioned in the sense that it is true - that inlined call frames wouldn't have an activation register. But that doesn't - mean that people won't ask. Removing the assertion fixes a debug-only crash and - has no impact on production code. This change adds a comment to that effect. + I'll add specific version of push and pop instead. - * dfg/DFGGraph.h: - (JSC::DFG::Graph::uncheckedActivationRegisterFor): +2014-07-08 Jon Honeycutt -2013-05-31 Julien Brianceau + RemoteInspector::shared() should not call WTF::initializeMainThread() + + - [sh4] Fix Overflow case of branchMul32 in baseline JIT. - https://bugs.webkit.org/show_bug.cgi?id=117057 + Reviewed by Joseph Pecoraro. - Reviewed by Oliver Hunt. + * inspector/remote/RemoteInspector.mm: + (Inspector::RemoteInspector::shared): + Don't call WTF::initializeMainThread(). WTF threading is initialized by + JSC::initializeThreading(). - Current implementation of Overflow case in branchMul32 performs an - unsigned multiplication whereas a signed multiplication is expected. +2014-07-08 Andreas Kling - * assembler/MacroAssemblerSH4.h: - (JSC::MacroAssemblerSH4::branchMul32): + VM::lastCachedString should be a Strong, not a Weak. + -2013-05-31 Julien Brianceau + Using Weak for this regressed some of our bindings perf tests + due to Weak having to allocate a new WeakImpl every time the last cached + string changed. Make it a Strong instead should make that problem go away. - [sh4] Fix floating point comparisons in baseline JIT. - https://bugs.webkit.org/show_bug.cgi?id=117066. + Reviewed by Geoffrey Garen. - Reviewed by Oliver Hunt. + * runtime/JSString.cpp: + (JSC::jsStringWithCacheSlowCase): + * runtime/VM.h: - Current implementation of branchDouble function in baseline JIT is wrong - for some conditions and overkill for others. For instance: - - With DoubleGreaterThanOrEqual condition, branch will be taken if either - operand is NaN with current implementation whereras it should not. - - With DoubleNotEqualOrUnordered condition, performed NaN checks are - useless (because comparison result is false if either operand is NaN). +2014-07-07 Benjamin Poulain - * assembler/MacroAssemblerSH4.h: - (JSC::MacroAssemblerSH4::branchDouble): + Fix the build after r170876 -2013-05-31 Julien Brianceau + * assembler/LinkBuffer.cpp: + (JSC::LinkBuffer::linkCode): - [sh4] Fix double floating point transfer in baseline JIT. - https://bugs.webkit.org/show_bug.cgi?id=117054 +2014-07-07 Benjamin Poulain - Reviewed by Oliver Hunt. + LinkBuffer should not keep a reference to the MacroAssembler + https://bugs.webkit.org/show_bug.cgi?id=134668 - In current implementation, dmovRegReg function transfers only one single - FPRegister as PR=1 and SZ=0 in floating point status/control register. - Double transfers must be performed with two fmov.s opcodes. + Reviewed by Geoffrey Garen. - * assembler/MacroAssemblerSH4.h: - (JSC::MacroAssemblerSH4::moveDouble): - (JSC::MacroAssemblerSH4::addDouble): Handle (op2==dest) case properly. - (JSC::MacroAssemblerSH4::sqrtDouble): - * assembler/SH4Assembler.h: - (JSC::SH4Assembler::fmovsRegReg): + In FTL, the LinkBuffer can outlive the MacroAssembler that was used for code generation. + When that happens, the pointer m_assembler points to released memory. That was not causing + issues because the attribute is not used after linking, but that was not particularily + future proof. + + This patch refactors LinkBuffer to avoid any lifetime risk. The MacroAssembler is now passed + as a reference, it is used for linking but no reference is ever stored with the LinkBuffer. + + While fixing the call sites to use a reference, I also discovered LinkBuffer.h was included + everywhere. I refactored some #include to avoid that. + + * assembler/LinkBuffer.cpp: + (JSC::LinkBuffer::copyCompactAndLinkCode): + (JSC::LinkBuffer::linkCode): + * assembler/LinkBuffer.h: + (JSC::LinkBuffer::LinkBuffer): + * bytecode/Watchpoint.cpp: + * dfg/DFGDisassembler.cpp: + * dfg/DFGDisassembler.h: + * dfg/DFGJITCompiler.cpp: + (JSC::DFG::JITCompiler::link): + (JSC::DFG::JITCompiler::linkFunction): + * dfg/DFGOSRExitCompiler.cpp: + * dfg/DFGPlan.cpp: + * dfg/DFGThunks.cpp: + (JSC::DFG::osrExitGenerationThunkGenerator): + (JSC::DFG::osrEntryThunkGenerator): + * ftl/FTLCompile.cpp: + (JSC::FTL::generateICFastPath): + (JSC::FTL::fixFunctionBasedOnStackMaps): + * ftl/FTLJSCall.cpp: + * ftl/FTLJSCall.h: + * ftl/FTLLink.cpp: + (JSC::FTL::link): + * ftl/FTLLowerDFGToLLVM.cpp: + * ftl/FTLOSRExitCompiler.cpp: + (JSC::FTL::compileStub): + * ftl/FTLThunks.cpp: + (JSC::FTL::osrExitGenerationThunkGenerator): + (JSC::FTL::slowPathCallThunkGenerator): + * jit/ArityCheckFailReturnThunks.cpp: + (JSC::ArityCheckFailReturnThunks::returnPCsFor): + * jit/JIT.cpp: + (JSC::JIT::privateCompile): + * jit/JITCall.cpp: + (JSC::JIT::privateCompileClosureCall): + * jit/JITCall32_64.cpp: + (JSC::JIT::privateCompileClosureCall): + * jit/JITDisassembler.cpp: + * jit/JITDisassembler.h: + * jit/JITOpcodes.cpp: + * jit/JITPropertyAccess.cpp: + (JSC::JIT::stringGetByValStubGenerator): + (JSC::JIT::privateCompileGetByVal): + (JSC::JIT::privateCompilePutByVal): + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::stringGetByValStubGenerator): + * jit/RegisterPreservationWrapperGenerator.cpp: + (JSC::generateRegisterPreservationWrapper): + (JSC::registerRestorationThunkGenerator): + * jit/Repatch.cpp: + (JSC::generateByIdStub): + (JSC::tryCacheGetByID): + (JSC::emitPutReplaceStub): + (JSC::emitPutTransitionStub): + (JSC::tryRepatchIn): + (JSC::linkClosureCall): + * jit/SpecializedThunkJIT.h: + (JSC::SpecializedThunkJIT::finalize): + * jit/ThunkGenerators.cpp: + (JSC::throwExceptionFromCallSlowPathGenerator): + (JSC::linkForThunkGenerator): + (JSC::linkClosureCallForThunkGenerator): + (JSC::virtualForThunkGenerator): + (JSC::nativeForGenerator): + (JSC::arityFixup): + * llint/LLIntThunks.cpp: + (JSC::LLInt::generateThunkWithJumpTo): + * yarr/YarrJIT.cpp: + (JSC::Yarr::YarrGenerator::compile): + +2014-07-07 Andreas Kling + + Fast path for jsStringWithCache() when asked for the same string repeatedly. + -2013-05-31 Julien Brianceau + Reviewed by Darin Adler. - [sh4] Handle branchType properly in branchTruncateDoubleToInt32. - https://bugs.webkit.org/show_bug.cgi?id=117062 + Follow-up to r170818 addressing a review comment by Geoff Garen. - Reviewed by Oliver Hunt. + * runtime/JSString.cpp: + (JSC::jsStringWithCacheSlowCase): - Current implementation of branchTruncateDoubleToInt32 is incorrect - when branchType == BranchIfTruncateSuccessful in sh4 baseline JIT. +2014-07-07 Tibor Meszaros - * assembler/MacroAssemblerSH4.h: - (JSC::MacroAssemblerSH4::branchTruncateDoubleToInt32): + Add missing ENABLE(FTL_JIT) guards + https://bugs.webkit.org/show_bug.cgi?id=134680 + + Reviewed by Darin Adler. + + * ftl/FTLDWARFDebugLineInfo.cpp: + * ftl/FTLDWARFDebugLineInfo.h: + * ftl/FTLGeneratedFunction.h: + +2014-07-07 Zan Dobersek + + Enable ARMv7 disassembler for the GTK port + https://bugs.webkit.org/show_bug.cgi?id=134676 + + Reviewed by Benjamin Poulain. -2013-05-31 Brent Fulgham + * CMakeLists.txt: Add ARMv7DOpcode.cpp file to the build. + * disassembler/ARMv7/ARMv7DOpcode.cpp: Include the string.h header for strlen(). - [Windows] Unreviewed build fix for VS2005 builders. +2014-07-06 Benjamin Poulain - * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: Add - missing export for WTF::SHA1::computeHexDigest + [ARMv7] Use 16 bits instructions for push/pop when possible + https://bugs.webkit.org/show_bug.cgi?id=134656 -2013-05-30 David Farler + Reviewed by Andreas Kling. + + * assembler/ARMv7Assembler.h: + (JSC::ARMv7Assembler::pop): + (JSC::ARMv7Assembler::push): + (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp7Imm9): + Add the 16 bits version of push and pop. + + * assembler/MacroAssemblerARMv7.h: + (JSC::MacroAssemblerARMv7::pop): + (JSC::MacroAssemblerARMv7::push): + Use the new push/pop instead of a regular load/store. + + * disassembler/ARMv7/ARMv7DOpcode.cpp: + (JSC::ARMv7Disassembler::ARMv7DOpcode::appendRegisterList): + * disassembler/ARMv7/ARMv7DOpcode.h: + (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscPushPop::registerMask): + Fix the disassembler for push/pop: + -The register mask was on 7 bits for some reason. + -The code printing the registers was comparing a register ID with a register + mask. - Fix jscore-test when not using --sdk option with jsDriver.pl - https://bugs.webkit.org/show_bug.cgi?id=116339 +2014-07-06 Yoav Weiss - Reviewed by Joe Pecoraro. + Turn on img@sizes compile flag + https://bugs.webkit.org/show_bug.cgi?id=134634 - * tests/mozilla/jsDriver.pl: - (execute_tests): - With each test, the shell_command needs to be started from scratch. + Reviewed by Benjamin Poulain. - This fix will clear the shell_command and start over as before with - the opt_arch option when not using --sdk with jsDriver.pl. + * Configurations/FeatureDefines.xcconfig: Moved compile flag to alphabetical order. -2013-05-30 Roger Fong +2014-07-06 Daewoong Jang - Get rid of JavaScript exports file on AppleWin port. - https://bugs.webkit.org/show_bug.cgi?id=117050. + Flags value of SourceCodeKey should be unique for each case. + https://bugs.webkit.org/show_bug.cgi?id=134435 Reviewed by Darin Adler. - Delete the JavaScriptCoreExportGenerator folder and remove dependencies. - Start linking in WTF.lib now that it's a shared library. + Different combinations of CodeType and JSParserStrictness could generate same m_flags value because + the value of CodeType and the value of JSParserStrictness shares a bit inside m_flags member variable. + Shift the value of CodeType one bit farther to the left so those values don't overlap. - * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: - * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: - * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: - * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator: Removed. - * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj: Removed. - * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj.filters: Removed. - * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorBuildCmd.cmd: Removed. - * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorCommon.props: Removed. - * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorDebug.props: Removed. - * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPostBuild.cmd: Removed. - * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPreBuild.cmd: Removed. - * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorProduction.props: Removed. - * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorRelease.props: Removed. - * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: Removed. - * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/make-export-file-generator: Removed. - * JavaScriptCore.vcxproj/jsc/jscCommon.props: - * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: - * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj.filters: - * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props: - * JavaScriptCore.vcxproj/testapi/testapiCommon.props: + * runtime/CodeCache.h: + (JSC::SourceCodeKey::SourceCodeKey): -2013-05-22 David Farler +2014-07-04 Andreas Kling - Add --sdk option to jsDriver.pl to run with iOS Simulator - https://bugs.webkit.org/show_bug.cgi?id=116339 + Fast path for jsStringWithCache() when asked for the same string repeatedly. + - Reviewed by David Kilzer. + Also moved the whole thing from WebCore to JavaScriptCore since it + makes more sense here, and inline the lightweight checks, leaving only + the hashmap stuff out of line. - * tests/mozilla/jsDriver.pl: - (execute_tests): - Prefix shell command with the path to the "sim" tool. - (parse_args): - Add -d / --sdk option. - (usage): - Help message for -d / --sdk option. + Reviewed by Darin Adler. -2013-05-30 Julien Brianceau + * runtime/JSString.cpp: + (JSC::jsStringWithCacheSlowCase): + * runtime/JSString.h: + (JSC::jsStringWithCache): + * runtime/VM.h: - [sh4] Optimize NaN checks in LLINT for floating point comparisons. - https://bugs.webkit.org/show_bug.cgi?id=117049 +2014-07-03 Daniel Bates - Reviewed by Oliver Hunt. + Add WTF::move() + https://bugs.webkit.org/show_bug.cgi?id=134500 - Use the fcmp/eq opcode in sh4 LLINT to test if a double is NaN. - This is more efficient, doesn't require two tmp registers and requires - less code than current implementation (which converts double to float, - then checks 'E = Emax + 1' and 'f != 0'). + Rubber-stamped by Anders Carlsson. - * offlineasm/sh4.rb: + Substitute WTF::move() for std::move(). -2013-05-30 Oliver Hunt + * bytecode/CodeBlock.h: + * bytecode/UnlinkedCodeBlock.cpp: + * bytecompiler/BytecodeGenerator.cpp: + * dfg/DFGGraph.cpp: + * dfg/DFGJITCompiler.cpp: + * dfg/DFGStackLayoutPhase.cpp: + * dfg/DFGWorklist.cpp: + * heap/DelayedReleaseScope.h: + * heap/HeapInlines.h: + [...] - JSCallbackObject does not correctly initialise the PropertySlot for getOwnPropertyDescriptor - https://bugs.webkit.org/show_bug.cgi?id=117053 +2014-07-03 Filip Pizlo - Reviewed by Mark Hahnenberg. + SSA DCE should process blocks in forward order + https://bugs.webkit.org/show_bug.cgi?id=134611 - Set appropriate thisValue on the PropertySlot + Reviewed by Andreas Kling. - * API/JSCallbackObjectFunctions.h: - (JSC::::getOwnPropertyDescriptor): - * API/tests/testapi.mm: + * dfg/DFGDCEPhase.cpp: + (JSC::DFG::DCEPhase::run): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode): + * tests/stress/dead-value-with-mov-hint-in-another-block.js: Added. + (foo): -2013-05-29 Jeffrey Pfau +2014-07-03 Filip Pizlo - [Mac] Enable cache partitioning and the public suffix list on 10.8 - + JSActivation::symbolTablePut() should invalidate variable watchpoints + https://bugs.webkit.org/show_bug.cgi?id=134602 - Rubber-stamped by David Kilzer. + Reviewed by Oliver Hunt. + + Usually stores to captured variables cause us to invalidate the variable watchpoint because CodeBlock does so + during linking - we essentially assume that if it's at all possible for an inner function to store to a + variable we declare then this variable cannot be a constant. But this misses the dynamic store case, i.e. + JSActivation::symbolTablePut(). Part of the problem here is that JSActivation duplicates + JSSymbolTableObject's symbolTablePut() logic, which did have the invalidation. This patch keeps that code + duplicated, but fixes JSActivation::symbolTablePut() to do the right thing. - * Configurations/FeatureDefines.xcconfig: + * runtime/JSActivation.cpp: + (JSC::JSActivation::symbolTablePut): + * runtime/JSSymbolTableObject.h: + (JSC::symbolTablePut): + * tests/stress/constant-closure-var-with-dynamic-invalidation.js: Added. + (.): -2013-05-28 Brent Fulgham +2014-07-01 Mark Lam - [Windows] Put correct byteCompile symbol in file. Previous version - had an extra 'i' appended to the end. + Debugger's breakpoint list should not be a Vector. + - * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: - * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: + Reviewed by Geoffrey Garen. -2013-05-28 Brent Fulgham + The debugger currently stores breakpoint data as entries in a Vector (see + BreakpointsInLine). It also keeps a fast map look up of breakpoint IDs to + the breakpoint data (see m_breakpointIDToBreakpoint). Because a Vector can + compact or reallocate its backing store, this can causes all sorts of havoc. + The m_breakpointIDToBreakpoint map assumes that the breakpoint data doesn't + move in memory. - [Windows] Unreviewed build fix. Remove ?byteCompile symbol that - is no longer accessible during link. + The fix is to replace the BreakpointsInLine Vector with a BreakpointsList + doubly linked list. - * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: - * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: + * debugger/Breakpoint.h: + (JSC::Breakpoint::Breakpoint): + (JSC::BreakpointsList::~BreakpointsList): + * debugger/Debugger.cpp: + (JSC::Debugger::setBreakpoint): + (JSC::Debugger::removeBreakpoint): + (JSC::Debugger::hasBreakpoint): + * debugger/Debugger.h: -2013-05-28 Gavin Barraclough +2014-06-30 Michael Saboff - String(new Date(2010,10,1)) is wrong in KRAT, YAKT - https://bugs.webkit.org/show_bug.cgi?id=106750 + Add option to run-jsc-stress-testes to filter out tests that use large heaps + https://bugs.webkit.org/show_bug.cgi?id=134458 - Reviewed by Darin Adler. + Reviewed by Filip Pizlo. - * runtime/JSDateMath.cpp: - (JSC::msToGregorianDateTime): - - Additional review comment fix. + Added test to skip js1_5/Regress/regress-159334.js when testing on a memory limited device. -2013-05-28 Brent Fulgham + * tests/mozilla/mozilla-tests.yaml: - [Windows] Unreviewed build fix after r150833 +2014-06-30 Daniel Bates - * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: - A CR/LF combination was lost in the file, combining two symbols. + Avoid copying closed variables vector; actually use move semantics -2013-05-27 Gavin Barraclough + Rubber-stamped by Oliver Hunt. - String(new Date(2010,10,1)) is wrong in KRAT, YAKT - https://bugs.webkit.org/show_bug.cgi?id=106750 + Currently we always copy the closed variables vector passed by Parser::closedVariables() + to ProgramNode::setClosedVariables() because these member functions return and take a const + rvalue reference, respectively. Instead, these member functions should take an return a non- + constant rvalue reference so that we actually move the closed variables vector from the Parser + object to the Node object. - Reviewed by Darin Adler. + * parser/Nodes.cpp: + (JSC::ProgramNode::setClosedVariables): Remove const qualifier for argument. + * parser/Nodes.h: + (JSC::ScopeNode::setClosedVariables): Ditto. + * parser/Parser.h: + (JSC::Parser::closedVariables): Remove const qualifier on return type. + (JSC::parse): Remove extraneous call to std::move(). Calling std::move() is unnecessary here + because Parser::closedVariables() returns an rvalue reference. - First part of a fix, simplfy date handling code, instead of operating separately - on the UTC-standard and standard-DST offsets, just generate a combined UTC-local - offset (this is what we actually need, and what the OS gives us). +2014-06-30 Joseph Pecoraro - * runtime/JSDateMath.cpp: - (JSC::getLocalTimeOffset): - - removed getUTCOffset, converted getDSTOffset -> getLocalTimeOffset - (JSC::gregorianDateTimeToMS): - (JSC::msToGregorianDateTime): - (JSC::parseDateFromNullTerminatedCharacters): - - call getLocalTimeOffset instead of getUTCOffset/getDSTOffset - * runtime/VM.cpp: - (JSC::VM::resetDateCache): - - removed cachedUTCOffset, converted DSTOffsetCache -> LocalTimeOffsetCache - * runtime/VM.h: - (JSC::LocalTimeOffsetCache::LocalTimeOffsetCache): - (JSC::LocalTimeOffsetCache::reset): - (LocalTimeOffsetCache): - - removed cachedUTCOffset, converted DSTOffsetCache -> LocalTimeOffsetCache + JSContext Inspection: Provide a way to use a non-Main RunLoop for Inspector JavaScript Evaluations + https://bugs.webkit.org/show_bug.cgi?id=134371 -2013-05-28 Mark Hahnenberg + Reviewed by Timothy Hatcher. - r150199 is very wrong - https://bugs.webkit.org/show_bug.cgi?id=116876 + * API/JSContextPrivate.h: + * API/JSContext.mm: + (-[JSContext _debuggerRunLoop]): + (-[JSContext _setDebuggerRunLoop:]): + Private API for setting the CFRunLoop for a debugger to evaluate in. + + * API/JSContextRefInternal.h: Added. + * API/JSContextRef.cpp: + (JSGlobalContextGetDebuggerRunLoop): + (JSGlobalContextSetDebuggerRunLoop): + Internal API for setting a CFRunLoop on a JSContextRef. + Set this on the debuggable. + + * inspector/remote/RemoteInspectorDebuggable.h: + * inspector/remote/RemoteInspectorDebuggableConnection.h: + (Inspector::RemoteInspectorBlock::RemoteInspectorBlock): + (Inspector::RemoteInspectorBlock::~RemoteInspectorBlock): + (Inspector::RemoteInspectorBlock::operator=): + (Inspector::RemoteInspectorBlock::operator()): + Moved into the header. - JSValue needs to protect its internal JSValueRef. + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::inspectorDebuggable): + Lets store the RunLoop on the debuggable instead of this core + platform agnostic class, so expose the debuggable. - Reviewed by Darin Adler. + * inspector/remote/RemoteInspectorDebuggableConnection.mm: + (Inspector::RemoteInspectorHandleRunSourceGlobal): + (Inspector::RemoteInspectorQueueTaskOnGlobalQueue): + (Inspector::RemoteInspectorInitializeGlobalQueue): + Rename the global functions for clarity. - * API/JSValue.mm: - (-[JSValue initWithValue:inContext:]): - (-[JSValue dealloc]): - * API/tests/testapi.mm: Added a simple test to make sure that we protect the - underlying JavaScript value across garbage collections. + (Inspector::RemoteInspectorHandleRunSourceWithInfo): + Handler for private run loops. -2013-05-27 Patrick Gansterer + (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection): + (Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection): + (Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable): + (Inspector::RemoteInspectorDebuggableConnection::setupRunLoop): + (Inspector::RemoteInspectorDebuggableConnection::teardownRunLoop): + (Inspector::RemoteInspectorDebuggableConnection::queueTaskOnPrivateRunLoop): + Setup and teardown and use private run loop sources if the debuggable needs it. - Use ICU_INCLUDE_DIRS in BlackBerry CMake files - https://bugs.webkit.org/show_bug.cgi?id=116210 +2014-06-30 Tibor Meszaros - Reviewed by Rob Buis. + Add missing ENABLE(DFG_JIT) guards + https://bugs.webkit.org/show_bug.cgi?id=134444 - Set and use the ICU_INCLUDE_DIRS variable to avoid - duplicated adding of the ICU include directory. + Reviewed by Darin Adler. - * PlatformBlackBerry.cmake: + * dfg/DFGFunctionWhitelist.cpp: + * dfg/DFGFunctionWhitelist.h: -2013-05-27 Gabor Rapcsanyi +2014-06-29 Yoav Weiss - MacroAssemblerARM should use xor to swap registers instead of move - https://bugs.webkit.org/show_bug.cgi?id=116306 + Add support for HTMLImageElement's sizes attribute + https://bugs.webkit.org/show_bug.cgi?id=133620 - Reviewed by Zoltan Herczeg. + Reviewed by Dean Jackson. - Change register swapping to xor from move and this way we don't need - temporary register anymore. + Added an ENABLE_PICTURE_SIZES compile flag. - * assembler/MacroAssemblerARM.h: - (JSC::MacroAssemblerARM::swap): + * Configurations/FeatureDefines.xcconfig: -2013-05-25 Filip Pizlo +2014-06-27 Filip Pizlo - We broke (-2^31/-1)|0 in the DFG - https://bugs.webkit.org/show_bug.cgi?id=116767 + Don't fold a UInt32ToNumber with DoOverflow to Identity since that would result in an Identity that takes an Int32 and returns a DoubleRep + https://bugs.webkit.org/show_bug.cgi?id=134412 - Reviewed by Andreas Kling. - - The bug is that we were assuming that in the -2^31 case, we already had -2^31 - in the result register. This was a wrong assumption. + Reviewed by Mark Hahnenberg. - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForX86): + * dfg/DFGCSEPhase.cpp: + (JSC::DFG::CSEPhase::setReplacement): + * dfg/DFGStrengthReductionPhase.cpp: + (JSC::DFG::StrengthReductionPhase::handleNode): + * dfg/DFGValidate.cpp: + (JSC::DFG::Validate::validate): + * tests/stress/uint32-to-number-fold-constant-with-do-overflow.js: Added. + (foo): + (bar): + (baz): + +2014-06-27 Peyton Randolph + + Add feature flag for link long-press gesture. + https://bugs.webkit.org/show_bug.cgi?id=134262 + + Reviewed by Enrica Casucci. + + * Configurations/FeatureDefines.xcconfig: + Add ENABLE_LINK_LONG_PRESS. + +2014-06-27 László Langó + + [JavaScriptCore] FTL buildfix for EFL platform. + https://bugs.webkit.org/show_bug.cgi?id=133546 -2013-05-24 Filip Pizlo + Reviewed by Darin Adler. - We broke !(0/0) - https://bugs.webkit.org/show_bug.cgi?id=116736 + * ftl/FTLAbstractHeap.cpp: + (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap): + * ftl/FTLLocation.cpp: + (JSC::FTL::Location::forStackmaps): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::opposite): + * ftl/FTLOSRExitCompiler.cpp: + (JSC::FTL::compileStub): + * ftl/FTLStackMaps.cpp: + (JSC::FTL::StackMaps::Constant::dump): + * llvm/InitializeLLVMPOSIX.cpp: + (JSC::initializeLLVMPOSIX): - Reviewed by Gavin Barraclough. +2014-06-26 Benjamin Poulain - * parser/ASTBuilder.h: - (JSC::ASTBuilder::createLogicalNot): - * runtime/JSCJSValueInlines.h: - (JSC::JSValue::pureToBoolean): + iOS 8 beta 2 ES6 'Set' clear() broken + https://bugs.webkit.org/show_bug.cgi?id=134346 -2013-05-24 Julien Brianceau + Reviewed by Oliver Hunt. - [sh4] Optimize LLINT generated code and fix few bugs in baseline JIT. - https://bugs.webkit.org/show_bug.cgi?id=116716 + The object map was not cleared :(. - Reviewed by Geoffrey Garen. + Kudos to Ashley Gullen for tracking this and making a regression test. + Credit to Oliver for finding the missing code. - * assembler/MacroAssemblerSH4.h: - (JSC::MacroAssemblerSH4::mul32): Cosmetic changes. - (JSC::MacroAssemblerSH4::convertInt32ToDouble): Absolute address was not dereferenced. - (JSC::MacroAssemblerSH4::branch32): Absolute address was not dereferenced. - (JSC::MacroAssemblerSH4::revertJumpReplacementToBranchPtrWithPatch): Use all 32 bits of pointer for revertJump call. - * assembler/SH4Assembler.h: - (JSC::SH4Assembler::revertJump): Use changePCrelativeAddress to patch the whole pointer. - (JSC::SH4Assembler::linkJump): Cosmetic change. - * offlineasm/sh4.rb: Optimize LLINT generated code. + * runtime/MapData.h: + (JSC::MapData::clear): -2013-05-23 Peter Wang +2014-06-25 Brent Fulgham - CLoop llint backend should not use the d8 register as scratch register - https://bugs.webkit.org/show_bug.cgi?id=116019 + [Win] Expose Cache Information to WinLauncher + https://bugs.webkit.org/show_bug.cgi?id=134318 - Reviewed by Csaba Osztrogonác. + Reviewed by Dean Jackson. - * offlineasm/cloop.rb: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing + MemoryStatistics files to the WIndows build. + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: -2013-05-22 Peter Wang +2014-06-26 David Kilzer - Use uninitialized register in "JIT::emit_op_neq_null" and "emit_op_eq_null" - https://bugs.webkit.org/show_bug.cgi?id=116593 + DFG::FunctionWhitelist::parseFunctionNamesInFile does not close file + + - Reviewed by Filip Pizlo. + Reviewed by Michael Saboff. - Generated instructions using uninitialized register. It's caused by a mistake of r126494. + * dfg/DFGFunctionWhitelist.cpp: + (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile): + Close the file handle, and log an error on failure. - * jit/JITOpcodes32_64.cpp: - (JSC::JIT::emit_op_eq_null): - (JSC::JIT::emit_op_neq_null): +2014-06-25 Dana Burkart -2013-05-22 Filip Pizlo + Add support for 5-tuple versioning. - Fix indentation of CodeBlock.h + Reviewed by David Farler. - Rubber stampted by Mark Hahnenberg. + * Configurations/Version.xcconfig: - * bytecode/CodeBlock.h: +2014-06-25 Geoffrey Garen -2013-05-22 Julien Brianceau + Build fix. - [sh4] Remove MacroAssemblerSH4.cpp file. - https://bugs.webkit.org/show_bug.cgi?id=116596. + Unreviewed. - Reviewed by Geoffrey Garen. + * runtime/JSDateMath.cpp: + (JSC::parseDateFromNullTerminatedCharacters): + * runtime/VM.cpp: + (JSC::VM::resetDateCache): Use std::numeric_limits instead of QNaN + constant since that constant doesn't exist anymore. - Move linkCall and repatchCall implementations from MacroAssemblerSH4.cpp - to MacroAssemblerSH4.h and remove MacroAssemblerSH4.cpp, as it is done - for other architectures. +2014-06-25 Geoffrey Garen - * GNUmakefile.list.am: - * JavaScriptCore.xcodeproj/project.pbxproj: - * Target.pri: - * assembler/MacroAssemblerSH4.cpp: Removed. - * assembler/MacroAssemblerSH4.h: - (JSC::MacroAssemblerSH4::linkCall): - (MacroAssemblerSH4): - (JSC::MacroAssemblerSH4::repatchCall): + Unreviewed, rolling out r166876. -2013-05-21 Brent Fulgham + Caused some ECMA test262 failures - [Windows] Unreviewed speculative fix for test-bots. + Reverted changeset: - Add export declaration for WTFInvokeCrashHook to avoid runtime - load error on test bots. + "Date object needs to check for ES5 15.9.1.14 TimeClip limit." + https://bugs.webkit.org/show_bug.cgi?id=131248 + http://trac.webkit.org/changeset/166876 - * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: - * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: +2014-06-25 Brent Fulgham -2013-05-21 Mark Lam + [Win] Unreviewed gardening. - Added missing assert condition for PositiveOrZero in ARM branch32(). - https://bugs.webkit.org/show_bug.cgi?id=116538. + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Update to + put various files in proper IDE categories. - Reviewed by Geoffrey Garen. +2014-06-25 peavo@outlook.com - * assembler/MacroAssemblerARM.h: - (JSC::MacroAssemblerARM::branchAdd32): + [Win64] ASM LLINT is not enabled. + https://bugs.webkit.org/show_bug.cgi?id=130638 -2013-05-20 Mark Hahnenberg + This patch adds a new LLINT assembler backend for Win64, and implements it. + It makes adjustments to follow the Win64 ABI spec. where it's found to be needed. + Also, LLINT and JIT is enabled for Win64. - Disable SuperRegion - https://bugs.webkit.org/show_bug.cgi?id=116362 + Reviewed by Mark Lam. - Rubber stamped by Geoff Garen. + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added JITStubsMSVC64.asm. + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto. + * JavaScriptCore/JavaScriptCore.vcxproj/jsc/jscCommon.props: Increased stack size to avoid stack overflow in tests. + * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Generate assembler source file for Win64. + * assembler/MacroAssemblerX86_64.h: + (JSC::MacroAssemblerX86_64::call): Follow Win64 ABI spec. + * jit/JITStubsMSVC64.asm: Added. + * jit/Repatch.cpp: + (JSC::emitPutTransitionStub): Compile fix. + * jit/ThunkGenerators.cpp: + (JSC::nativeForGenerator): Follow Win64 ABI spec. + * llint/LLIntData.cpp: + (JSC::LLInt::Data::performAssertions): Ditto. + * llint/LLIntOfflineAsmConfig.h: Enable new llint backend for Win64. + * llint/LowLevelInterpreter.asm: Implement new Win64 backend, and follow Win64 ABI spec. + * llint/LowLevelInterpreter64.asm: Ditto. + * offlineasm/asm.rb: Compile fix. + * offlineasm/backends.rb: Add new llint backend for Win64. + * offlineasm/settings.rb: Compile fix. + * offlineasm/x86.rb: Implement new llint Win64 backend. + +2014-06-25 Laszlo Gombos + + Remove build guard for progress element + https://bugs.webkit.org/show_bug.cgi?id=134292 - * heap/Region.h: + Reviewed by Benjamin Poulain. -2013-05-20 Oliver Hunt + * Configurations/FeatureDefines.xcconfig: - Make C API more robust against null contexts - https://bugs.webkit.org/show_bug.cgi?id=116462 +2014-06-24 Michael Saboff - Reviewed by Anders Carlsson. + Add support routines to provide descriptive JavaScript backtraces + https://bugs.webkit.org/show_bug.cgi?id=134278 - Handle null contexts in a non-crashy way. It's a bug to ever call the - API with a null context, and the absence of a context means we can't - produce a meaningful result, so we still assert in debug builds. + Reviewed by Mark Lam. - Now where possible we detect and early return, returning null for any - pointer type, NaN for doubles, and false for any boolean result. + * interpreter/CallFrame.cpp: + (JSC::CallFrame::dump): + (JSC::CallFrame::describeFrame): + * interpreter/CallFrame.h: + * runtime/JSCJSValue.cpp: + (JSC::JSValue::dumpForBacktrace): + * runtime/JSCJSValue.h: - * API/JSBase.cpp: - (JSEvaluateScript): - (JSCheckScriptSyntax): - (JSReportExtraMemoryCost): - * API/JSContextRef.cpp: - (JSContextGetGlobalObject): - (JSContextGetGroup): - (JSContextGetGlobalContext): - (JSContextCreateBacktrace): - * API/JSObjectRef.cpp: - (JSObjectMake): - (JSObjectMakeFunctionWithCallback): - (JSObjectMakeConstructor): - (JSObjectMakeFunction): - (JSObjectMakeArray): - (JSObjectMakeDate): - (JSObjectMakeError): - (JSObjectMakeRegExp): - (JSObjectGetPrototype): - (JSObjectSetPrototype): - (JSObjectHasProperty): - (JSObjectGetProperty): - (JSObjectSetProperty): - (JSObjectGetPropertyAtIndex): - (JSObjectSetPropertyAtIndex): - (JSObjectDeleteProperty): - (JSObjectCopyPropertyNames): - * API/JSValueRef.cpp: - (JSValueGetType): - (JSValueIsUndefined): - (JSValueIsNull): - (JSValueIsBoolean): - (JSValueIsNumber): - (JSValueIsString): - (JSValueIsObject): - (JSValueIsObjectOfClass): - (JSValueIsEqual): - (JSValueIsStrictEqual): - (JSValueIsInstanceOfConstructor): - (JSValueMakeUndefined): - (JSValueMakeNull): - (JSValueMakeBoolean): - (JSValueMakeNumber): - (JSValueMakeString): - (JSValueMakeFromJSONString): - (JSValueCreateJSONString): - (JSValueToBoolean): - (JSValueToNumber): - (JSValueToStringCopy): - (JSValueToObject): - (JSValueProtect): - * API/JSWeakObjectMapRefPrivate.cpp: +2014-06-24 Brady Eidson + + Enable GAMEPAD in the Mac build, but disabled at runtime. + https://bugs.webkit.org/show_bug.cgi?id=134255 -2013-05-20 David Kilzer + Reviewed by Dean Jackson. - Synchronize FeatureDefines.xcconfig + * Configurations/FeatureDefines.xcconfig: - * Configurations/FeatureDefines.xcconfig: Remove - ENABLE_LINK_PRERENDER. This was missed in r150356. + * runtime/JSObject.h: Export JSObject::removeDirect() to allow disabling + functions at runtime. -2013-05-19 Anders Carlsson +2014-06-24 Mark Hahnenberg - Remove link prerendering code - https://bugs.webkit.org/show_bug.cgi?id=116415 + REGRESSION (r169703): Invalid cast in JSC::asGetterSetter / JSC::JSObject::defineOwnNonIndexProperty + https://bugs.webkit.org/show_bug.cgi?id=134046 - Reviewed by Darin Adler. + Reviewed by Filip Pizlo. - This code was only used by Chromium and is dead now. + * runtime/GetterSetter.h: + (JSC::asGetterSetter): + * runtime/JSObject.cpp: + (JSC::JSObject::defineOwnNonIndexProperty): We need to check for a CustomGetterSetter here as well as + a normal GetterSetter. If we encounter a CustomGetterSetter, we delete it, create a new normal GetterSetter, + and insert it like normal. We also need to check for CustomAccessors when checking for unconfigurable properties. - * Configurations/FeatureDefines.xcconfig: +2014-06-24 Brent Fulgham -2013-05-18 Patrick Gansterer + [Win] MSVC mishandles enums in bitfields + https://bugs.webkit.org/show_bug.cgi?id=134237 - [CMake] Replace *_LIBRARY_NAME with *_OUTPUT_NAME - https://bugs.webkit.org/show_bug.cgi?id=114554 + Reviewed by Michael Saboff. - Reviewed by Gyuyoung Kim. + Replace uses of enum types in bit fields with unsigned to + avoid losing a bit to hold the sign value. This can result + in Windows interpreting the value of the field improperly. - Using variables as target names is very uncommon in CMake. - The usual way to specify the name of the resulting binary - is to set the OUTPUT_NAME target property. + * bytecode/StructureStubInfo.h: + * parser/Nodes.h: - * CMakeLists.txt: - * shell/CMakeLists.txt: +2014-06-23 Andreas Kling -2013-05-17 Patrick Gansterer + Inline the UnlinkedInstructionStream::Reader logic. + - [CMake] Remove invalid include paths - https://bugs.webkit.org/show_bug.cgi?id=116213 + This class is only used by CodeBlock to unpack the unlinked instructions, + and we were spending 0.5% of total time on PLT calling Reader::next(). + Move the logic to the header file and mark it ALWAYS_INLINE. - Reviewed by Gyuyoung Kim. + Reviewed by Geoffrey Garen. - Since "${JAVASCRIPTCORE_DIR}/wtf" does not exist, it is safe - to remove them from the list of include directories. + * bytecode/UnlinkedInstructionStream.cpp: + * bytecode/UnlinkedInstructionStream.h: + (JSC::UnlinkedInstructionStream::Reader::Reader): + (JSC::UnlinkedInstructionStream::Reader::read8): + (JSC::UnlinkedInstructionStream::Reader::read32): + (JSC::UnlinkedInstructionStream::Reader::next): - * PlatformEfl.cmake: Removed. - * PlatformGTK.cmake: Removed. +2014-06-20 Sam Weinig -2013-05-16 Patrick Gansterer + Remove static tables for bindings that use eager reification + https://bugs.webkit.org/show_bug.cgi?id=134126 - Consolidate lists in JavaScriptCore CMake files - https://bugs.webkit.org/show_bug.cgi?id=115992 + Reviewed by Oliver Hunt. - Reviewed by Gyuyoung Kim. + * runtime/JSObject.cpp: + (JSC::JSObject::putDirectCustomAccessor): + * runtime/Structure.h: + (JSC::Structure::setHasCustomGetterSetterProperties): + Change setHasCustomGetterSetterProperties to behave like setHasGetterSetterProperties, and set + the m_hasReadOnlyOrGetterSetterPropertiesExcludingProto bit if the property is not __proto__. + Without this, JSObject::put() won't think there are any setters on the prototype chain of an + object that has no static lookup table and uses eagerly reified custom getter/setter properties. - Move common files into the CMakeLists.txt to avoid duplicating the list of files. - Also rebase the recently added GTK files to match the other CMake ports, since - the submitted patch was based on an older version of the source tree. +2014-06-21 Brady Eidson - * CMakeLists.txt: - * PlatformEfl.cmake: - * PlatformGTK.cmake: - * shell/CMakeLists.txt: - * shell/PlatformEfl.cmake: - * shell/PlatformGTK.cmake: + Gamepad API - Deprecate the existing implementation + https://bugs.webkit.org/show_bug.cgi?id=134108 -2013-05-16 Geoffrey Garen + Reviewed by Timothy Hatcher. - JSValue shouldn't protect/unprotect its context - https://bugs.webkit.org/show_bug.cgi?id=116234 + -Add new "GAMEPAD_DEPRECATED" build flag, moving the existing implementation to use it + -Move some implementation files into a "deprecated" subdirectory. - Reviewed by Mark Hahnenberg. + * Configurations/FeatureDefines.xcconfig: - Our retain on _context is sufficient. +2014-06-21 Commit Queue - * API/JSValue.mm: - (-[JSValue initWithValue:inContext:]): - (-[JSValue dealloc]): + Unreviewed, rolling out r170244. + https://bugs.webkit.org/show_bug.cgi?id=134157 -2013-05-15 Ryosuke Niwa + GTK/EFL bindings generator works differently, making this + patch not work there. Will fix entire patch after a rollout. + (Requested by bradee-oh on #webkit). - Another Windows build fix attempt after r150160. + Reverted changeset: - * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: - * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: + "Gamepad API - Deprecate the existing implementation" + https://bugs.webkit.org/show_bug.cgi?id=134108 + http://trac.webkit.org/changeset/170244 -2013-05-15 Oliver Hunt +2014-06-21 Brady Eidson - RefCountedArray needs to use vector initialisers for its backing store - https://bugs.webkit.org/show_bug.cgi?id=116194 + Gamepad API - Deprecate the existing implementation + https://bugs.webkit.org/show_bug.cgi?id=134108 + + Reviewed by Timothy Hatcher. + + -Add new "GAMEPAD_DEPRECATED" build flag, moving the existing implementation to use it + -Add the "Deprecated" suffix to some implementation files + + * Configurations/FeatureDefines.xcconfig: + +2014-06-21 Eva Balazsfalvi + + Removing PAGE_VISIBILITY_API compile guard. + https://bugs.webkit.org/show_bug.cgi?id=133844 Reviewed by Gavin Barraclough. - Use an out of line function to clear the exception stack to avoid - needing to include otherwise unnecessary headers all over the place. + * Configurations/FeatureDefines.xcconfig: - Everything else is just being updated to use that. +2014-06-21 Eva Balazsfalvi - * bytecompiler/BytecodeGenerator.cpp: - * interpreter/CallFrame.h: - (JSC::ExecState::clearSupplementaryExceptionInfo): - * interpreter/Interpreter.cpp: - (JSC::Interpreter::addStackTraceIfNecessary): - (JSC::Interpreter::throwException): - * runtime/JSGlobalObject.cpp: - (JSC::DynamicGlobalObjectScope::DynamicGlobalObjectScope): - * runtime/VM.cpp: - (JSC): - (JSC::VM::clearExceptionStack): - * runtime/VM.h: - (VM): - (JSC::VM::exceptionStack): + ARM traditional buildfix after r169942. + https://bugs.webkit.org/show_bug.cgi?id=134100 -2013-05-15 Commit Queue + Reviewed by Zoltan Herczeg. - Unreviewed, rolling out r150051. - http://trac.webkit.org/changeset/150051 - https://bugs.webkit.org/show_bug.cgi?id=116186 + * assembler/MacroAssemblerARM.h: + (JSC::MacroAssemblerARM::abortWithReason): Added. - Broke all JSC tests on Mac and the author is unresponsive - (Requested by rniwa on #webkit). +2014-06-20 Andreas Kling - * JavaScriptCore.xcodeproj/project.pbxproj: + [Cocoa] Release freed up blocks from the JS heap after simulated memory pressure. + -2013-05-15 Julien Brianceau + Reviewed by Mark Hahnenberg. - Remove savedTimeoutReg from JITStackFrame for sh4 base JIT. - https://bugs.webkit.org/show_bug.cgi?id=116143 + * heap/BlockAllocator.h: - Reviewed by Geoffrey Garen. +2014-06-19 Alex Christensen - Since r148119, timeoutCheckRegister is removed from baseline JIT. - So we don't need to save r8 register in JITStackFrame anymore for sh4. + Unreviewed fix after r170130. - * jit/JITStubs.cpp: - * jit/JITStubs.h: - (JITStackFrame): + * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj: + Corrected directory so it can find common.props when opening Visual Studio. -2013-05-15 Nico Weber +2014-06-19 Dániel Bátyai - WebKit doesn't support MSVS2003 any more, remove preprocessor checks for older versions. - https://bugs.webkit.org/show_bug.cgi?id=116157 + Remove ENABLE(LLINT) and ENABLE(LLINT_C_LOOP) guards + https://bugs.webkit.org/show_bug.cgi?id=130389 - Reviewed by Anders Carlsson. + Reviewed by Mark Lam. - Also remove a gcc3.2 workaround. + Removed ENABLE(LLINT) since we always build with it, and changed ENABLE(LLINT_C_LOOP) + into !ENABLE(JIT) since they are mutually exclusive. - Merges parts of these two commits by the talented Nico Weber: - https://chromium.googlesource.com/chromium/blink/+/3677e2f47348daeff405a40b6f90fbdf0654c2f5 - https://chromium.googlesource.com/chromium/blink/+/0fcd96c448dc30be1416dcc15713c53710c1a312 + * CMakeLists.txt: + * assembler/MacroAssemblerCodeRef.h: + (JSC::MacroAssemblerCodePtr::createLLIntCodePtr): + (JSC::MacroAssemblerCodeRef::createLLIntCodeRef): + * assembler/MaxFrameExtentForSlowPathCall.h: + * bytecode/CallLinkStatus.cpp: + (JSC::CallLinkStatus::computeFromLLInt): + * bytecode/CodeBlock.cpp: + (JSC::dumpStructure): + (JSC::CodeBlock::printGetByIdCacheStatus): + (JSC::CodeBlock::printCallOp): + (JSC::CodeBlock::CodeBlock): + (JSC::CodeBlock::~CodeBlock): + (JSC::CodeBlock::propagateTransitions): + (JSC::CodeBlock::finalizeUnconditionally): + (JSC::CodeBlock::unlinkCalls): + (JSC::CodeBlock::unlinkIncomingCalls): + (JSC::CodeBlock::linkIncomingCall): + (JSC::CodeBlock::frameRegisterCount): + * bytecode/CodeBlock.h: + * bytecode/GetByIdStatus.cpp: + (JSC::GetByIdStatus::computeFromLLInt): + * bytecode/Opcode.h: + (JSC::padOpcodeName): + * bytecode/PutByIdStatus.cpp: + (JSC::PutByIdStatus::computeFromLLInt): + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitCall): + (JSC::BytecodeGenerator::emitConstruct): + * heap/Heap.cpp: + (JSC::Heap::gatherJSStackRoots): + * interpreter/Interpreter.cpp: + (JSC::Interpreter::initialize): + (JSC::Interpreter::isOpcode): + * interpreter/Interpreter.h: + (JSC::Interpreter::getOpcodeID): + * interpreter/JSStack.cpp: + (JSC::JSStack::JSStack): + (JSC::JSStack::committedByteCount): + * interpreter/JSStack.h: + * interpreter/JSStackInlines.h: + (JSC::JSStack::ensureCapacityFor): + (JSC::JSStack::topOfFrameFor): + (JSC::JSStack::setStackLimit): + * jit/ExecutableAllocatorFixedVMPool.cpp: + (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): + * jit/JIT.h: + (JSC::JIT::compileCTINativeCall): + * jit/JITExceptions.h: + * jit/JITThunks.cpp: + (JSC::JITThunks::ctiNativeCall): + (JSC::JITThunks::ctiNativeConstruct): + * llint/LLIntCLoop.cpp: + * llint/LLIntCLoop.h: + * llint/LLIntData.cpp: + (JSC::LLInt::initialize): + (JSC::LLInt::Data::performAssertions): + * llint/LLIntData.h: + (JSC::LLInt::Data::performAssertions): Deleted. + * llint/LLIntEntrypoint.cpp: + * llint/LLIntEntrypoint.h: + * llint/LLIntExceptions.cpp: + * llint/LLIntExceptions.h: + * llint/LLIntOfflineAsmConfig.h: + * llint/LLIntOffsetsExtractor.cpp: + (JSC::LLIntOffsetsExtractor::dummy): + * llint/LLIntOpcode.h: + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * llint/LLIntSlowPaths.h: + * llint/LLIntThunks.cpp: + * llint/LLIntThunks.h: + * llint/LowLevelInterpreter.cpp: + * llint/LowLevelInterpreter.h: + * runtime/CommonSlowPaths.cpp: + * runtime/CommonSlowPaths.h: + * runtime/ErrorHandlingScope.cpp: + (JSC::ErrorHandlingScope::ErrorHandlingScope): + (JSC::ErrorHandlingScope::~ErrorHandlingScope): + * runtime/Executable.cpp: + (JSC::setupLLInt): + * runtime/InitializeThreading.cpp: + (JSC::initializeThreading): + * runtime/JSCJSValue.h: + * runtime/JSCJSValueInlines.h: + * runtime/Options.cpp: + (JSC::recomputeDependentOptions): + * runtime/VM.cpp: + (JSC::VM::VM): + (JSC::sanitizeStackForVM): + * runtime/VM.h: + (JSC::VM::canUseJIT): Deleted. - * os-win32/inttypes.h: +2014-06-18 Alex Christensen -2013-05-13 Alvaro Lopez Ortega + Add FTL to Windows build. + https://bugs.webkit.org/show_bug.cgi?id=134015 - Nightly build's jsc doesn't work without DYLD_FRAMEWORK... - https://bugs.webkit.org/show_bug.cgi?id=79065 + Reviewed by Filip Pizlo. - Reviewed by Darin Adler. + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: + Added ftl source files. + * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: + Added ftl and llvm directories to include path. + * JavaScriptCore.vcxproj/libllvmForJSC: Added. + * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.props: Added. + * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj: Added. + * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj.filters: Added. + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax): + MSVC doesn't like to divide by zero while compiling. Use std::nan instead. + * llvm/InitializeLLVMWin.cpp: Added. + (JSC::initializeLLVMImpl): + Implemented dynamic loading and linking for Windows. + +2014-06-18 Alex Christensen + + Unreviewed build fix after r170107. - Fixes the build process so the depencencies of the jsc binary are - modified before its copied to its target directory. In this way - jsc should always use relative reference to the JavaScriptCore - libraries. + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileArithMod): + Use non-template sub for armv7s. - * JavaScriptCore.xcodeproj/project.pbxproj: Fixes the commands in - the "Copy Into Framework" target. +2014-06-18 David Kilzer -2013-05-13 Mark Hahnenberg + -[JSContext setName:] leaks NSString + - Objective-C API: scanExternalObjectGraph should not create new JSVirtualMachine wrappers - https://bugs.webkit.org/show_bug.cgi?id=116074 + Reviewed by Joseph Pecoraro. - If scanExternalObjectGraph creates a new JSVirtualMachine wrapper during collection, when the - scanExternalObjectGraph call finishes and the autorelease pool is drained we will dealloc the - JSVirtualMachine which will cause us to try to take the API lock for the corresponding VM. - If this happens on a GC thread other than the "main" thread, we will deadlock. The solution - is to just check the VM cache, and if there is no JSVirtualMachine wrapper, return early. + Fixes the following static analyzer warning: - Reviewed by Darin Adler. + JavaScriptCore/API/JSContext.mm:200:73: warning: Potential leak of an object + JSStringRef nameJS = name ? JSStringCreateWithCFString((CFStringRef)[name copy]) : nullptr; + ^ - * API/JSVirtualMachine.mm: - (scanExternalObjectGraph): + * API/JSContext.mm: + (-[JSContext setName:]): Autorelease the copy of |name|. -2013-05-13 Benjamin Poulain +2014-06-18 Mark Lam - Improve stringProtoFuncLastIndexOf for the prefix case - https://bugs.webkit.org/show_bug.cgi?id=115952 + DFGGraph::m_doubleConstantMap will not map 0 values correctly. + Reviewed by Geoffrey Garen. - * runtime/StringPrototype.cpp: - (JSC::stringProtoFuncLastIndexOf): - Use the optimized string search when possible. + DFGGraph::m_doubleConstantsMap should not use a double as a key to its HashMap, + because it means two unfortunate things: + - It will probably break for zero. + - It will think that -0 is the same as +0 under some circumstances, size + -0==+0 even though they are distinct values (for example 1/-0 != 1/+0). - On Joseph Pecoraro's tests, this gives a ~30% speed improvement. + The fix is to use std::unordered_map which does not require special empty + and deleted values, and to use the raw bits instead of the double value as + the key. -2013-05-13 Zalan Bujtas + * dfg/DFGGraph.h: + * dfg/DFGJITCompiler.cpp: + (JSC::DFG::JITCompiler::addressOfDoubleConstant): - WebProcess consuming very high CPU on linkedin.com - https://bugs.webkit.org/show_bug.cgi?id=115601 +2014-06-18 Alex Christensen - Reviewed by Andreas Kling. + Remove duplicate code using sdiv. + https://bugs.webkit.org/show_bug.cgi?id=133764 - Disable WEB_TIMING_MINIMAL. - Turn off window.performance and performance.now(). Some JS frameworks expect - additional Web Timing APIs, when performance.now() is available. + Reviewed by Daniel Bates. - * Configurations/FeatureDefines.xcconfig: + * assembler/ARMv7Assembler.h: + (JSC::ARMv7Assembler::sdiv): + Make sdiv a template to match arm64. + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileArithDiv): + (JSC::DFG::SpeculativeJIT::compileArithMod): + Remove duplicate code that was identical except for sdiv not being a template. -2013-05-12 Anders Carlsson +2014-06-17 Commit Queue - Stop including UnusedParam.h - https://bugs.webkit.org/show_bug.cgi?id=116003 + Unreviewed, rolling out r170082. + https://bugs.webkit.org/show_bug.cgi?id=134006 - Reviewed by Sam Weinig. + Breaks build. (Requested by mlam on #webkit). - UnusedParam.h is empty now so there's no need to include it anymore. + Reverted changeset: - * API/APICast.h: - * API/tests/JSNode.c: - * API/tests/JSNodeList.c: - * API/tests/minidom.c: - * API/tests/testapi.c: - * assembler/AbstractMacroAssembler.h: - * assembler/MacroAssemblerCodeRef.h: - * bytecode/CodeBlock.cpp: - * heap/HandleStack.h: - * interpreter/JSStackInlines.h: - * jit/CompactJITCodeMap.h: - * jit/ExecutableAllocator.h: - * parser/SourceProvider.h: - * runtime/DatePrototype.cpp: - * runtime/JSNotAnObject.cpp: - * runtime/JSSegmentedVariableObject.h: - * runtime/JSVariableObject.h: - * runtime/Options.cpp: - * runtime/PropertyOffset.h: + "DFGGraph::m_doubleConstantMap will not map 0 values + correctly." + https://bugs.webkit.org/show_bug.cgi?id=133994 + http://trac.webkit.org/changeset/170082 + +2014-06-17 Mark Lam -2013-05-11 Martin Robinson + DFGGraph::m_doubleConstantMap will not map 0 values correctly. + - [GTK] Add a basic cmake build for WTF and JavaScriptCore - https://bugs.webkit.org/show_bug.cgi?id=115967 + Reviewed by Geoffrey Garen. - Reviewed by Laszlo Gombos. + DFGGraph::m_doubleConstantsMap should not use a double as a key to its HashMap, + because it means two unfortunate things: + - It will probably break for zero. + - It will think that -0 is the same as +0 under some circumstances, size + -0==+0 even though they are distinct values (for example 1/-0 != 1/+0). - * PlatformGTK.cmake: Added. - * shell/PlatformGTK.cmake: Added. + The fix is to use std::unordered_map which does not require special empty + and deleted values, and to use the raw bits instead of the double value as + the key. -2013-05-10 Laszlo Gombos + * dfg/DFGGraph.h: + * dfg/DFGJITCompiler.cpp: + (JSC::DFG::JITCompiler::addressOfDoubleConstant): - Remove USE(OS_RANDOMNESS) - https://bugs.webkit.org/show_bug.cgi?id=108095 +2014-06-17 Oliver Hunt - Reviewed by Darin Adler. + Fix error messages for incorrect hex literals + https://bugs.webkit.org/show_bug.cgi?id=133998 - Remove the USE(OS_RANDOMNESS) guard as it is turned on for all - ports. + Reviewed by Mark Lam. - * jit/JIT.cpp: - (JSC::JIT::JIT): + Ensure that the error messages for bogus hex literals actually + make sense. -2013-05-10 Mark Hahnenberg + * parser/Lexer.cpp: + (JSC::Lexer::lex): + * parser/ParserTokens.h: - Rename StructureCheckHoistingPhase to TypeCheckHoistingPhase - https://bugs.webkit.org/show_bug.cgi?id=115938 +2014-06-17 Matthew Mirman - We're going to add some more types of check hoisting soon, so let's have the right name here. + Fixes bug where building JSC sometimes crashes at build-symbol-table-index.py. Also adds licenses. + https://bugs.webkit.org/show_bug.cgi?id=133814 - Rubber stamped by Filip Pizlo. + Reviewed by Filip Pizlo. - * CMakeLists.txt: - * GNUmakefile.list.am: - * JavaScriptCore.xcodeproj/project.pbxproj: - * Target.pri: - * dfg/DFGDriver.cpp: - (JSC::DFG::compile): - * dfg/DFGStructureCheckHoistingPhase.cpp: Removed. - * dfg/DFGStructureCheckHoistingPhase.h: Removed. - * dfg/DFGTypeCheckHoistingPhase.cpp: Copied from Source/JavaScriptCore/dfg/DFGStructureCheckHoistingPhase.cpp. - (JSC::DFG::TypeCheckHoistingPhase::TypeCheckHoistingPhase): - (JSC::DFG::performTypeCheckHoisting): - * dfg/DFGTypeCheckHoistingPhase.h: Copied from Source/JavaScriptCore/dfg/DFGStructureCheckHoistingPhase.h. + Adds the "shopt -s nullglob" line necessary to prevent the loop in the shell + script from using "*.o" as a file when no other files in the directory exist. + + * build-symbol-table-index.sh: Added license. + * copy-llvm-ir-to-derived-sources.sh: Added license and "shopt -s nullglob" line. -2013-05-09 Christophe Dumez +2014-06-16 Sam Weinig - Unreviewed build fix after r149836. + Move forward declaration of bindings static functions into their implementation files + https://bugs.webkit.org/show_bug.cgi?id=133943 - It broke at least EFL and GTK builds. Move new static members initialization - outside the class. Those need to have a definition outside the class because - their address is used (e.g. CodeCacheMap::nonGlobalWorkingSetMaxEntries). + Reviewed by Geoffrey Garen. - * runtime/CodeCache.cpp: - (JSC): - * runtime/CodeCache.h: - (CodeCacheMap): + * runtime/CommonIdentifiers.h: + Add a few identifiers that are needed by the DOM. -2013-05-08 Oliver Hunt +2014-06-16 Mark Lam - Code cache stores bogus var references for functions in eval code - https://bugs.webkit.org/show_bug.cgi?id=115747 + Parser statementDepth accounting needs to account for when a function body excludes its braces. + - Reviewed by Mark Hahnenberg. + Reviewed by Oliver Hunt. - Non-global eval now uses a per-CodeBlock cache, and only use it - when we're at the top of a function's scope. This means that we - will no longer cache the parsing of a single string across - multiple functions, and we won't cache when we're nested inside - constructs like |with| and |catch| where previously we would, which - is good because caching in those cases is unsound. + In some cases (e.g. when a Function object is instantiated from a string), the + function body source may not include its braces. The parser needs to account + for this when calculating its statementDepth. - * bytecode/EvalCodeCache.h: - (JSC): - (JSC::EvalCodeCache::getSlow): - (JSC::EvalCodeCache::get): + * bytecode/UnlinkedCodeBlock.cpp: + (JSC::generateFunctionCodeBlock): + (JSC::UnlinkedFunctionExecutable::codeBlockFor): * bytecode/UnlinkedCodeBlock.h: - (JSC::UnlinkedCodeBlock::codeCacheForEval): - (UnlinkedCodeBlock): - (RareData): - * debugger/Debugger.cpp: - (JSC::evaluateInGlobalCallFrame): - * debugger/DebuggerCallFrame.cpp: - (JSC::DebuggerCallFrame::evaluate): - * interpreter/Interpreter.cpp: - (JSC::eval): - * runtime/CodeCache.cpp: - (JSC::CodeCache::CodeCache): - (JSC::CodeCache::generateBytecode): - (JSC): - (JSC::CodeCache::getCodeBlock): - * runtime/CodeCache.h: - (JSC::CodeCacheMap::CodeCacheMap): - (CodeCacheMap): - (JSC::CodeCacheMap::canPruneQuickly): - (JSC::CodeCacheMap::prune): - (JSC::CodeCache::create): - (CodeCache): + * parser/Parser.cpp: + (JSC::Parser::parseStatement): + - Also fixed the error message for declaring nested functions in strict mode + to be more accurate. + * parser/Parser.h: + (JSC::Parser::parse): + (JSC::parse): * runtime/Executable.cpp: - (JSC::EvalExecutable::EvalExecutable): - (JSC::EvalExecutable::compileInternal): - * runtime/Executable.h: - (JSC::EvalExecutable::create): - (EvalExecutable): - * runtime/JSGlobalObject.cpp: - (JSC::JSGlobalObject::createEvalCodeBlock): - * runtime/JSGlobalObject.h: - (JSGlobalObject): - * runtime/JSGlobalObjectFunctions.cpp: - (JSC::globalFuncEval): - * runtime/VM.cpp: - (JSC::VM::VM): - * runtime/VM.h: - (VM): + (JSC::ScriptExecutable::newCodeBlockFor): -2013-05-08 Mark Hahnenberg +2014-06-16 Juergen Ributzka - DFGArrayMode::fromObserved is too liberal when it sees different Array and NonArray shapes - https://bugs.webkit.org/show_bug.cgi?id=115805 + Change the order of the alias analysis passes to align with the opt pipeline of LLVM + https://bugs.webkit.org/show_bug.cgi?id=133753 Reviewed by Geoffrey Garen. - It checks the observed ArrayModes to see if we have seen any ArrayWith* first. If so, it assumes it's - an Array::Array, even if we've also observed any NonArrayWith* in the ArrayProfile. This leads to the - code generated by jumpSlowForUnwantedArrayMode to check the indexing type against (shape | IsArray) - instead of just shape, which can cause us to exit a lot in the case that we saw a NonArray. + The order in which the alias analysis passes are added affects also the + order in which they are utilized. Change the order to align with the + one use by LLVM itself. The last alias analysis pass added will be + evaluated first. With this change we first perform a basic alias + analysis and then use the type-based alias analysis (if required). - To fix this we need to add a case that checks for both ArrayWith* and NonArrayWith* cases first, which - should then use Array::PossiblyArray, then do the checks we were already doing. - - * bytecode/ArrayProfile.h: - (JSC::hasSeenArray): - (JSC::hasSeenNonArray): - * dfg/DFGArrayMode.cpp: - (JSC::DFG::ArrayMode::fromObserved): + * ftl/FTLCompile.cpp: + (JSC::FTL::compile): -2013-05-09 Joe Mason +2014-06-16 Juergen Ributzka - [BlackBerry] Set up logging buffer on start of jsc executable - https://bugs.webkit.org/show_bug.cgi?id=114688 + Fix the arguments passed to the LLVM dylib + https://bugs.webkit.org/show_bug.cgi?id=133757 - Reviewed by Rob Buis. + Reviewed by Geoffrey Garen. - Internal PR: 322715 - Internally Reviewed By: Jeff Rogers + The LLVM command line argument parser assumes that the first argument + is the program name. We need to add a fake program name, otherwise the + first argument will be parsed as program name and ignored. - * jsc.cpp: - (main): call BB::Platform::setupApplicationLogging + * llvm/library/LLVMExports.cpp: + (initializeAndGetJSCLLVMAPI): -2013-05-08 Michael Saboff +2014-06-16 Michael Saboff - JSC: There should be a disassembler for ARM Thumb 2 - https://bugs.webkit.org/show_bug.cgi?id=115827 + Convert ASSERT in inlineFunctionForCapabilityLevel to early return + https://bugs.webkit.org/show_bug.cgi?id=133903 - Reviewed by Filip Pizlo. + Reviewed by Mark Hahnenberg. - Added a new disassembler for ARMv7 Thumb2 instructions for use by the JSC debugging - and profiling code. The opcode coverage is currently not complete. It covers all - of the integer instructions JSC currently emits, but only a limited number of - floating point opcodes. Currently that is just the 64 bit vmov and vmsr instructions. - - The disassembler is structured as a base opcode class ARMv7DOpcode with sub-classes - for each instruction group. There is a public format method that does the bulk of - the disassembly work. There are two broad sub-classes, ARMv7D16BitOpcode and - ARMv7D32BitOpcode, for the 16 bit and 32 bit opcodes. There are sub-classes under - those two classes for individual and related groups of opcodes. Instructions are - "dispatched" to the right subclass via two arrays of linked lists in the inner classes - OpcodeGroup. There is one such inner class for each ARMv7D16BitOpcode and ARMv7D32BitOpcode. - Each OpcodeGroup has a mask and a pattern that it applies to the instruction to determine - that it matches a particular group. OpcodeGroup uses a static method to reinterpret_cast - the Opcode object to the right base class for the instruction group for formatting. - The cast eliminates the need of allocating an object for each decoded instruction. - Unknown instructions are formatted as ".word 1234" or ".long 12345678" depending whether - the instruction is 16 or 32 bit. + Hardened code by Converting ASSERT to return CannotCompile. - * JavaScriptCore.xcodeproj/project.pbxproj: - * disassembler/ARMv7: Added. - * disassembler/ARMv7/ARMv7DOpcode.cpp: Added. - (ARMv7Disassembler): - (OpcodeGroupInitializer): - (JSC::ARMv7Disassembler::ARMv7DOpcode::init): - (JSC::ARMv7Disassembler::ARMv7DOpcode::startITBlock): - (JSC::ARMv7Disassembler::ARMv7DOpcode::saveITConditionAt): - (JSC::ARMv7Disassembler::ARMv7DOpcode::fetchOpcode): - (JSC::ARMv7Disassembler::ARMv7DOpcode::disassemble): - (JSC::ARMv7Disassembler::ARMv7DOpcode::bufferPrintf): - (JSC::ARMv7Disassembler::ARMv7DOpcode::appendInstructionName): - (JSC::ARMv7Disassembler::ARMv7DOpcode::appendRegisterName): - (JSC::ARMv7Disassembler::ARMv7DOpcode::appendRegisterList): - (JSC::ARMv7Disassembler::ARMv7DOpcode::appendFPRegisterName): - (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::init): - (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::doDisassemble): - (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::defaultFormat): - (JSC::ARMv7Disassembler::ARMv7DOpcodeAddRegisterT2::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSPPlusImmediate::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractT1::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate3::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate8::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchConditionalT1::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchExchangeT1::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchT2::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeCompareImmediateT1::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeCompareRegisterT1::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeCompareRegisterT2::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegisterT1::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeGeneratePCRelativeAddress::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadFromLiteralPool::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterOffsetT1::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterSPRelative::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLogicalImmediateT1::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscAddSubSP::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscBreakpointT1::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscByteHalfwordOps::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscCompareAndBranch::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscHint16::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscIfThenT1::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscPushPop::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeMoveImmediateT1::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeMoveRegisterT1::format): - (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::init): - (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::doDisassemble): - (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::defaultFormat): - (JSC::ARMv7Disassembler::ARMv7DOpcodeConditionalBranchT3::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchOrBranchLink::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingModifiedImmediate::appendModifiedImmediate): - (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingModifiedImmediate::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::appendImmShift): - (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::appendFPRegister): - (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegShift::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegExtend::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegParallel::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegMisc::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeHint32::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadRegister::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadSignedImmediate::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadUnsignedImmediate::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeUnmodifiedImmediate::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopSingle::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleImmediate12::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleImmediate8::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleRegister::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVDoublePrecision::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVSinglePrecision::format): - (JSC::ARMv7Disassembler::ARMv7DOpcodeVMSR::format): - * disassembler/ARMv7/ARMv7DOpcode.h: Added. - (ARMv7Disassembler): - (ARMv7DOpcode): - (JSC::ARMv7Disassembler::ARMv7DOpcode::ARMv7DOpcode): - (JSC::ARMv7Disassembler::ARMv7DOpcode::is32BitInstruction): - (JSC::ARMv7Disassembler::ARMv7DOpcode::isFPInstruction): - (JSC::ARMv7Disassembler::ARMv7DOpcode::conditionName): - (JSC::ARMv7Disassembler::ARMv7DOpcode::shiftName): - (JSC::ARMv7Disassembler::ARMv7DOpcode::inITBlock): - (JSC::ARMv7Disassembler::ARMv7DOpcode::startingITBlock): - (JSC::ARMv7Disassembler::ARMv7DOpcode::endITBlock): - (JSC::ARMv7Disassembler::ARMv7DOpcode::appendInstructionNameNoITBlock): - (JSC::ARMv7Disassembler::ARMv7DOpcode::appendSeparator): - (JSC::ARMv7Disassembler::ARMv7DOpcode::appendCharacter): - (JSC::ARMv7Disassembler::ARMv7DOpcode::appendString): - (JSC::ARMv7Disassembler::ARMv7DOpcode::appendShiftType): - (JSC::ARMv7Disassembler::ARMv7DOpcode::appendSignedImmediate): - (JSC::ARMv7Disassembler::ARMv7DOpcode::appendUnsignedImmediate): - (JSC::ARMv7Disassembler::ARMv7DOpcode::appendPCRelativeOffset): - (JSC::ARMv7Disassembler::ARMv7DOpcode::appendShiftAmount): - (ARMv7D16BitOpcode): - (OpcodeGroup): - (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::OpcodeGroup::OpcodeGroup): - (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::OpcodeGroup::setNext): - (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::OpcodeGroup::next): - (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::OpcodeGroup::matches): - (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::OpcodeGroup::format): - (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::rm): - (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::rd): - (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::opcodeGroupNumber): - (ARMv7DOpcodeAddRegisterT2): - (JSC::ARMv7Disassembler::ARMv7DOpcodeAddRegisterT2::rdn): - (JSC::ARMv7Disassembler::ARMv7DOpcodeAddRegisterT2::rm): - (ARMv7DOpcodeAddSPPlusImmediate): - (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSPPlusImmediate::rd): - (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSPPlusImmediate::immediate8): - (ARMv7DOpcodeAddSubtract): - (ARMv7DOpcodeAddSubtractT1): - (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractT1::opName): - (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractT1::op): - (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractT1::rm): - (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractT1::rn): - (ARMv7DOpcodeAddSubtractImmediate3): - (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate3::opName): - (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate3::op): - (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate3::immediate3): - (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate3::rn): - (ARMv7DOpcodeAddSubtractImmediate8): - (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate8::opName): - (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate8::op): - (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate8::rdn): - (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate8::immediate8): - (ARMv7DOpcodeBranchConditionalT1): - (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchConditionalT1::condition): - (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchConditionalT1::offset): - (ARMv7DOpcodeBranchExchangeT1): - (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchExchangeT1::opName): - (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchExchangeT1::rm): - (ARMv7DOpcodeBranchT2): - (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchT2::immediate11): - (ARMv7DOpcodeCompareImmediateT1): - (JSC::ARMv7Disassembler::ARMv7DOpcodeCompareImmediateT1::rn): - (JSC::ARMv7Disassembler::ARMv7DOpcodeCompareImmediateT1::immediate8): - (ARMv7DOpcodeCompareRegisterT1): - (JSC::ARMv7Disassembler::ARMv7DOpcodeCompareRegisterT1::rn): - (ARMv7DOpcodeCompareRegisterT2): - (JSC::ARMv7Disassembler::ARMv7DOpcodeCompareRegisterT2::rn): - (JSC::ARMv7Disassembler::ARMv7DOpcodeCompareRegisterT2::rm): - (ARMv7DOpcodeDataProcessingRegisterT1): - (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegisterT1::opName): - (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegisterT1::op): - (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegisterT1::rm): - (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegisterT1::rdn): - (ARMv7DOpcodeGeneratePCRelativeAddress): - (JSC::ARMv7Disassembler::ARMv7DOpcodeGeneratePCRelativeAddress::rd): - (JSC::ARMv7Disassembler::ARMv7DOpcodeGeneratePCRelativeAddress::immediate8): - (ARMv7DOpcodeLoadFromLiteralPool): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadFromLiteralPool::rt): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadFromLiteralPool::immediate8): - (ARMv7DOpcodeLoadStoreRegisterImmediate): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::opName): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::op): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::immediate5): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::rn): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::rt): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::scale): - (ARMv7DOpcodeLoadStoreRegisterImmediateWordAndByte): - (ARMv7DOpcodeLoadStoreRegisterImmediateHalfWord): - (ARMv7DOpcodeLoadStoreRegisterOffsetT1): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterOffsetT1::opName): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterOffsetT1::opB): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterOffsetT1::rm): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterOffsetT1::rn): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterOffsetT1::rt): - (ARMv7DOpcodeLoadStoreRegisterSPRelative): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterSPRelative::opName): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterSPRelative::op): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterSPRelative::rt): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterSPRelative::immediate8): - (ARMv7DOpcodeLogicalImmediateT1): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLogicalImmediateT1::opName): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLogicalImmediateT1::op): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLogicalImmediateT1::immediate5): - (ARMv7DOpcodeMiscAddSubSP): - (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscAddSubSP::opName): - (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscAddSubSP::op): - (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscAddSubSP::immediate7): - (ARMv7DOpcodeMiscByteHalfwordOps): - (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscByteHalfwordOps::opName): - (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscByteHalfwordOps::op): - (ARMv7DOpcodeMiscBreakpointT1): - (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscBreakpointT1::immediate8): - (ARMv7DOpcodeMiscCompareAndBranch): - (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscCompareAndBranch::opName): - (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscCompareAndBranch::op): - (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscCompareAndBranch::immediate6): - (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscCompareAndBranch::rn): - (ARMv7DOpcodeMiscHint16): - (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscHint16::opName): - (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscHint16::opA): - (ARMv7DOpcodeMiscIfThenT1): - (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscIfThenT1::firstCondition): - (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscIfThenT1::mask): - (ARMv7DOpcodeMiscPushPop): - (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscPushPop::opName): - (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscPushPop::op): - (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscPushPop::registerMask): - (ARMv7DOpcodeMoveImmediateT1): - (JSC::ARMv7Disassembler::ARMv7DOpcodeMoveImmediateT1::rd): - (JSC::ARMv7Disassembler::ARMv7DOpcodeMoveImmediateT1::immediate8): - (ARMv7DOpcodeMoveRegisterT1): - (JSC::ARMv7Disassembler::ARMv7DOpcodeMoveRegisterT1::rd): - (JSC::ARMv7Disassembler::ARMv7DOpcodeMoveRegisterT1::rm): - (ARMv7D32BitOpcode): - (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::OpcodeGroup::OpcodeGroup): - (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::OpcodeGroup::setNext): - (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::OpcodeGroup::next): - (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::OpcodeGroup::matches): - (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::OpcodeGroup::format): - (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::rd): - (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::rm): - (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::rn): - (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::rt): - (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::opcodeGroupNumber): - (ARMv7DOpcodeBranchRelative): - (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchRelative::sBit): - (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchRelative::j1): - (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchRelative::j2): - (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchRelative::immediate11): - (ARMv7DOpcodeConditionalBranchT3): - (JSC::ARMv7Disassembler::ARMv7DOpcodeConditionalBranchT3::offset): - (JSC::ARMv7Disassembler::ARMv7DOpcodeConditionalBranchT3::condition): - (JSC::ARMv7Disassembler::ARMv7DOpcodeConditionalBranchT3::immediate6): - (ARMv7DOpcodeBranchOrBranchLink): - (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchOrBranchLink::offset): - (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchOrBranchLink::immediate10): - (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchOrBranchLink::isBL): - (ARMv7DOpcodeDataProcessingLogicalAndRithmetic): - (ARMv7DOpcodeDataProcessingModifiedImmediate): - (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingModifiedImmediate::opName): - (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingModifiedImmediate::op): - (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingModifiedImmediate::sBit): - (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingModifiedImmediate::immediate12): - (ARMv7DOpcodeDataProcessingShiftedReg): - (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::opName): - (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::sBit): - (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::op): - (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::immediate5): - (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::type): - (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::tbBit): - (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::tBit): - (ARMv7DOpcodeDataProcessingReg): - (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingReg::op1): - (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingReg::op2): - (ARMv7DOpcodeDataProcessingRegShift): - (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegShift::opName): - (ARMv7DOpcodeDataProcessingRegExtend): - (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegExtend::opExtendName): - (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegExtend::opExtendAndAddName): - (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegExtend::rotate): - (ARMv7DOpcodeDataProcessingRegParallel): - (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegParallel::opName): - (ARMv7DOpcodeDataProcessingRegMisc): - (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegMisc::opName): - (ARMv7DOpcodeHint32): - (JSC::ARMv7Disassembler::ARMv7DOpcodeHint32::opName): - (JSC::ARMv7Disassembler::ARMv7DOpcodeHint32::isDebugHint): - (JSC::ARMv7Disassembler::ARMv7DOpcodeHint32::debugOption): - (JSC::ARMv7Disassembler::ARMv7DOpcodeHint32::op): - (ARMv7DOpcodeFPTransfer): - (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::opH): - (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::opL): - (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::rt): - (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::opC): - (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::opB): - (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::vd): - (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::vn): - (ARMv7DOpcodeDataLoad): - (JSC::ARMv7Disassembler::ARMv7DOpcodeDataLoad::opName): - (JSC::ARMv7Disassembler::ARMv7DOpcodeDataLoad::op): - (ARMv7DOpcodeLoadRegister): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadRegister::immediate2): - (ARMv7DOpcodeLoadSignedImmediate): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadSignedImmediate::pBit): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadSignedImmediate::uBit): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadSignedImmediate::wBit): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadSignedImmediate::immediate8): - (ARMv7DOpcodeLoadUnsignedImmediate): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadUnsignedImmediate::immediate12): - (ARMv7DOpcodeLongMultipleDivide): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::opName): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::smlalOpName): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::smlaldOpName): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::smlsldOpName): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::rdLo): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::rdHi): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::op1): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::op2): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::nBit): - (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::mBit): - (ARMv7DOpcodeDataPushPopSingle): - (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopSingle::opName): - (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopSingle::op): - (ARMv7DOpcodeDataStoreSingle): - (JSC::ARMv7Disassembler::ARMv7DOpcodeDataStoreSingle::opName): - (JSC::ARMv7Disassembler::ARMv7DOpcodeDataStoreSingle::op): - (ARMv7DOpcodeStoreSingleImmediate12): - (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleImmediate12::immediate12): - (ARMv7DOpcodeStoreSingleImmediate8): - (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleImmediate8::pBit): - (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleImmediate8::uBit): - (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleImmediate8::wBit): - (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleImmediate8::immediate8): - (ARMv7DOpcodeStoreSingleRegister): - (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleRegister::immediate2): - (ARMv7DOpcodeUnmodifiedImmediate): - (JSC::ARMv7Disassembler::ARMv7DOpcodeUnmodifiedImmediate::opName): - (JSC::ARMv7Disassembler::ARMv7DOpcodeUnmodifiedImmediate::op): - (JSC::ARMv7Disassembler::ARMv7DOpcodeUnmodifiedImmediate::shBit): - (JSC::ARMv7Disassembler::ARMv7DOpcodeUnmodifiedImmediate::bitNumOrSatImmediate): - (JSC::ARMv7Disassembler::ARMv7DOpcodeUnmodifiedImmediate::immediate5): - (JSC::ARMv7Disassembler::ARMv7DOpcodeUnmodifiedImmediate::immediate12): - (JSC::ARMv7Disassembler::ARMv7DOpcodeUnmodifiedImmediate::immediate16): - (ARMv7DOpcodeVMOVDoublePrecision): - (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVDoublePrecision::op): - (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVDoublePrecision::rt2): - (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVDoublePrecision::rt): - (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVDoublePrecision::vm): - (ARMv7DOpcodeVMOVSinglePrecision): - (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVSinglePrecision::op): - (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVSinglePrecision::rt2): - (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVSinglePrecision::rt): - (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVSinglePrecision::vm): - (ARMv7DOpcodeVMSR): - (JSC::ARMv7Disassembler::ARMv7DOpcodeVMSR::opL): - (JSC::ARMv7Disassembler::ARMv7DOpcodeVMSR::rt): - * disassembler/ARMv7Disassembler.cpp: Added. - (JSC::tryToDisassemble): + * dfg/DFGCapabilities.h: + (JSC::DFG::inlineFunctionForCapabilityLevel): -2013-05-07 Julien Brianceau +2014-06-13 Sam Weinig - Take advantage of pre-decrement and post-increment opcodes for sh4 base JIT. - https://bugs.webkit.org/show_bug.cgi?id=115722 + Store DOM constants directly in the JS object rather than jumping through a custom accessor + https://bugs.webkit.org/show_bug.cgi?id=133898 Reviewed by Oliver Hunt. - * assembler/MacroAssemblerSH4.h: - (JSC::MacroAssemblerSH4::load8PostInc): - (MacroAssemblerSH4): - (JSC::MacroAssemblerSH4::load16Unaligned): - (JSC::MacroAssemblerSH4::load16PostInc): - (JSC::MacroAssemblerSH4::storeDouble): - (JSC::MacroAssemblerSH4::load32WithUnalignedHalfWords): - * assembler/SH4Assembler.h: - (JSC::SH4Assembler::movwMemRegIn): - (SH4Assembler): - (JSC::SH4Assembler::movbMemRegIn): - (JSC::SH4Assembler::printInstr): - -2013-05-07 Anders Carlsson - - Remove AlwaysInline.h from WTF - https://bugs.webkit.org/show_bug.cgi?id=115727 + * runtime/Lookup.h: + (JSC::HashTableValue::attributes): + Switch attributes to be stored as an unsigned rather than an unsigned char, since there is no difference in memory use + and will make adding more flags possibles. - Reviewed by Brent Fulgham. + (JSC::HashTableValue::propertyGetter): + (JSC::HashTableValue::propertyPutter): + Change assertion to use BuiltinOrFunctionOrConstant. - The macro that used to be in AlwaysInline.h is now in Compiler.h so there's no reason - to keep AlwaysInline.h around anymore. + (JSC::HashTableValue::constantInteger): + Added. - * jit/JSInterfaceJIT.h: - * parser/Lexer.h: - * runtime/JSCJSValue.h: - * runtime/SymbolTable.h: + (JSC::getStaticPropertySlot): + (JSC::getStaticValueSlot): + Use PropertySlot::setValue() for constants during static lookup. -2013-05-07 Mikhail Pozdnyakov + (JSC::reifyStaticProperties): + Put the constant directly on the object when eagerly reifying. - HashTraits >::PeekType should be raw pointer for better performance - https://bugs.webkit.org/show_bug.cgi?id=115646 + * runtime/PropertySlot.h: + Add ConstantInteger flag and BuiltinOrFunctionOrConstant helper. - Reviewed by Darin Adler. +2014-06-14 Michael Saboff - * bytecompiler/StaticPropertyAnalyzer.h: - (JSC::StaticPropertyAnalyzer::putById): - Updated accordingly to new HashMap<.., RefPtr>::get() semantics. + operationCreateArguments could cause a GC during OSR exit + https://bugs.webkit.org/show_bug.cgi?id=133905 -2013-05-06 Julien Brianceau + Reviewed by Filip Pizlo. - Misc bugfix and cleaning in sh4 base JIT. - https://bugs.webkit.org/show_bug.cgi?id=115627 + Defer GC via new wrapper functions for operationCreateArguments and operationCreateInlinedArguments + for use by OSR exit stubs. - Reviewed by Oliver Hunt. + * dfg/DFGOSRExitCompilerCommon.cpp: + (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * jit/JITOperations.cpp: + * jit/JITOperations.h: - Get rid of loadX(RegisterID r0, RegisterID src, RegisterID dest) functions. - Remove misplaced extuw() implementation from MacroAssemblerSH4. - Add movbRegMemr0 and movwRegMemr0 functions in SH4Assembler. +2014-06-13 Mark Hahnenberg - * assembler/MacroAssemblerSH4.h: - (JSC::MacroAssemblerSH4::add32): Skip operation when first operand is a zero immediate. - (JSC::MacroAssemblerSH4::sub32): Skip operation when first operand is a zero immediate. - (JSC::MacroAssemblerSH4::load32): Fix wrong usage of r0 register. - (JSC::MacroAssemblerSH4::load8Signed): Handle "base == r0" case. - (MacroAssemblerSH4): - (JSC::MacroAssemblerSH4::load16): Handle "base == r0" case. - (JSC::MacroAssemblerSH4::load16Unaligned): Use extuw() implementation from SH4Assembler. - (JSC::MacroAssemblerSH4::load16Signed): Cosmetic change. - (JSC::MacroAssemblerSH4::store8): Fix unhandled BaseIndex offset and handle (base == r0) case. - (JSC::MacroAssemblerSH4::store16): Fix unhandled BaseIndex offset and handle (base == r0) case. - (JSC::MacroAssemblerSH4::store32): - * assembler/SH4Assembler.h: - (JSC::SH4Assembler::movwRegMemr0): - (SH4Assembler): - (JSC::SH4Assembler::movbRegMemr0): - (JSC::SH4Assembler::placeConstantPoolBarrier): Cosmetic change. - (JSC::SH4Assembler::maxJumpReplacementSize): - (JSC::SH4Assembler::replaceWithJump): Correct branch range and save an opcode. - (JSC::SH4Assembler::printInstr): - -2013-05-06 Anders Carlsson - - Stop using WTF::deleteAllValues in JavaScriptCore - https://bugs.webkit.org/show_bug.cgi?id=115670 + OSR exit should barrier the Executables for all InlineCallFrames, not just those on the stack at the time of exit + https://bugs.webkit.org/show_bug.cgi?id=133880 - Reviewed by Oliver Hunt. + Reviewed by Filip Pizlo. - Change the Vectors used to Vectors of OwnPtrs instead. + We could have exited due to a value received from an inlined block that's no longer on + the stack, so we should just barrier all InlineCallFrames. - * heap/DFGCodeBlocks.cpp: - (JSC::DFGCodeBlocks::~DFGCodeBlocks): - (JSC::DFGCodeBlocks::deleteUnmarkedJettisonedCodeBlocks): + * dfg/DFGOSRExitCompilerCommon.cpp: + (JSC::DFG::adjustAndJumpToTarget): -2013-05-06 Andras Becsi +2014-06-13 Alex Christensen - Build with GCC 4.8 fails because of -Wmaybe-uninitialized - https://bugs.webkit.org/show_bug.cgi?id=115648 + Make css jit compile for armv7. + https://bugs.webkit.org/show_bug.cgi?id=133596 - Reviewed by Michael Saboff. + Reviewed by Benjamin Poulain. - Initialize values in Options::setOption since from - there we end up calling OptionRange::init with - uninitialized members. + * assembler/MacroAssembler.h: + Use branchPtr on ARM_THUMB2. + * assembler/MacroAssemblerARMv7.h: + (JSC::MacroAssemblerARMv7::addPtrNoFlags): + (JSC::MacroAssemblerARMv7::or32): + (JSC::MacroAssemblerARMv7::test32): + (JSC::MacroAssemblerARMv7::branch): + (JSC::MacroAssemblerARMv7::branchPtr): + Added macros necessary for css jit. - * runtime/Options.cpp: +2014-06-13 Filip Pizlo -2013-05-06 Gabor Rapcsanyi + Unreviewed, fix ARMv7. - JSC ARM traditional failing on Octane NavierStokes test - https://bugs.webkit.org/show_bug.cgi?id=115626 + * assembler/MacroAssemblerARMv7.h: + (JSC::MacroAssemblerARMv7::abortWithReason): - Reviewed by Zoltan Herczeg. +2014-06-12 Filip Pizlo - Change the ARM traditional assembler to use double precision on value - conversions. + Even better diagnostics from DFG traps + https://bugs.webkit.org/show_bug.cgi?id=133836 - * assembler/ARMAssembler.h: + Reviewed by Oliver Hunt. + + We now stuff the DFG::NodeType into a register before bailing. Also made the + DFGBailed abort reason a bit more specific. As planned, the new abort reasons use + different numbers than any previous abort reasons. -2013-05-03 Michael Saboff + * assembler/AbortReason.h: + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::abortWithReason): + * assembler/MacroAssemblerARMv7.h: + (JSC::MacroAssemblerARMv7::abortWithReason): + * assembler/MacroAssemblerX86.h: + (JSC::MacroAssemblerX86::abortWithReason): + * assembler/MacroAssemblerX86_64.h: + (JSC::MacroAssemblerX86_64::abortWithReason): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::SpeculativeJIT): + (JSC::DFG::SpeculativeJIT::bail): + (JSC::DFG::SpeculativeJIT::compileCurrentBlock): + * dfg/DFGSpeculativeJIT.h: - There should be a runtime option to constrain what functions get DFG compiled - https://bugs.webkit.org/show_bug.cgi?id=115576 +2014-06-12 Simon Fraser - Reviewed by Mark Hahnenberg. + Fix assertions under JSC::setNeverInline() when running js tests in WebKitTestRunner + https://bugs.webkit.org/show_bug.cgi?id=133840 - Added OptionRange to Options to allow checking that something is within an option - or not. The new OptionClass supports range strings in the form of [!][:]. - If only one value is given, then it will be used for both low and high. A leading - '!' inverts the check. If no range is given, then checking for a value within a range - will always return true. Added the option "bytecodeRangeToDFGCompile" that takes an - OptionRange string to select the bytecode range of code blocks to DFG compile. + Reviewed by Filip Pizlo. + + Fix ASSERT(exec->vm().currentThreadIsHoldingAPILock()); under JSC::setNeverInline() + when running DFG tests. - * dfg/DFGDriver.cpp: - (JSC::DFG::compile): Added new check for bytecode count within bytecodeRangeToDFGCompile - range. - * runtime/Options.cpp: - (JSC::parse): Added overloaded parse() for OptionRange. - (JSC::OptionRange::init): Parse range string and then initialize the range. - (JSC::OptionRange::isInRange): Function used by consumer to check if a value is within - the specified range. - (JSC::Options::dumpOption): Added code to dump OptionRange options. - * runtime/Options.h: - (OptionRange): New class. - (JSC::OptionRange::operator= ): This is really used as a default ctor for use within - the Option static array initialization. - (JSC::OptionRange::rangeString): This is used for debug. It assumes that the char* - passed into OptionRange::init is valid when this function is called. + * API/JSCTestRunnerUtils.cpp: + (JSC::numberOfDFGCompiles): + (JSC::setNeverInline): -2013-05-02 Oliver Hunt +2014-06-12 Brent Fulgham - Fix potential bug in lookup logic - https://bugs.webkit.org/show_bug.cgi?id=115522 + [Win] Avoid fork bomb during build + https://bugs.webkit.org/show_bug.cgi?id=133837 + - Reviewed by Mark Hahnenberg. + Reviewed by Tim Horton. - Though not a problem in practise, it is technically possible - to inject an un-proxied global object into the scope chain - via the C API. This change makes sure that the scope walk - in BytecodeGenerator actually limits itself to scopes that - are statically bindable. + * JavaScriptCore.vcxproj/build-generated-files.sh: Use a + reasonable default value when the 'num-cpus' script is not available. - * bytecompiler/BytecodeGenerator.cpp: - (JSC::BytecodeGenerator::resolve): - * runtime/JSObject.h: - (JSObject): - (JSC): - (JSC::JSObject::isStaticScopeObject): +2014-06-12 Mark Lam -2013-05-01 Roger Fong + Remove some dead / unused code. + - Set Path in makefile for AppleWin. + Reviewed by Filip Pizlo. - * JavaScriptCore.vcxproj/JavaScriptCore.make: + * builtins/BuiltinExecutables.cpp: + (JSC::BuiltinExecutables::createBuiltinExecutable): + * bytecode/UnlinkedCodeBlock.cpp: + (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable): + * bytecode/UnlinkedCodeBlock.h: + (JSC::UnlinkedFunctionExecutable::create): + * bytecompiler/BytecodeGenerator.h: + (JSC::BytecodeGenerator::makeFunction): + * parser/Parser.h: + (JSC::DepthManager::DepthManager): Deleted. + (JSC::DepthManager::~DepthManager): Deleted. + * runtime/CodeCache.cpp: + (JSC::CodeCache::getFunctionExecutableFromGlobalCode): -2013-05-01 Benjamin Poulain +2014-06-12 Mark Hahnenberg - Remove the remaining wscript - https://bugs.webkit.org/show_bug.cgi?id=115459 + Move structureHasRareData out of TypeInfo + https://bugs.webkit.org/show_bug.cgi?id=133800 Reviewed by Andreas Kling. - * wscript: Removed. + StructureHasRareData was originally put in TypeInfo to avoid making Structure bigger, + but we have a few spare bits in Structure so it would be nice to remove this hack. + + * runtime/JSTypeInfo.h: + (JSC::TypeInfo::newImpurePropertyFiresWatchpoints): + (JSC::TypeInfo::structureHasRareData): Deleted. + * runtime/Structure.cpp: + (JSC::Structure::Structure): + (JSC::Structure::allocateRareData): + (JSC::Structure::cloneRareDataFrom): + * runtime/Structure.h: + (JSC::Structure::previousID): + (JSC::Structure::objectToStringValue): + (JSC::Structure::setObjectToStringValue): + (JSC::Structure::setPreviousID): + (JSC::Structure::clearPreviousID): + (JSC::Structure::previous): + (JSC::Structure::rareData): + * runtime/StructureInlines.h: + (JSC::Structure::setEnumerationCache): + (JSC::Structure::enumerationCache): + +2014-06-12 Zsolt Borbely + + Allow enum guards to be generated from the replay json files + https://bugs.webkit.org/show_bug.cgi?id=133399 -2013-04-30 Mark Lam + Reviewed by Csaba Osztrogonác. - JSContextGroupSetExecutionTimeLimit() should not pass a callback to the - VM watchdog if its client did not pass one in. - https://bugs.webkit.org/show_bug.cgi?id=115461. + * replay/scripts/CodeGeneratorReplayInputs.py: + (Type.__init__): + (InputsModel.parse_type_with_framework_name): + (Generator.generate_header): + (Generator.generate_implementation): + * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Added. + (Test::HandleWheelEvent::HandleWheelEvent): + (Test::HandleWheelEvent::~HandleWheelEvent): + (JSC::InputTraits::type): + (JSC::InputTraits::encode): + (JSC::InputTraits::decode): + (JSC::EncodingTraits::encodeValue): + (JSC::EncodingTraits::decodeValue): + * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Added. + (JSC::InputTraits::queue): + (Test::HandleWheelEvent::platformEvent): + * replay/scripts/tests/generate-enum-with-guard.json: Added. + +2014-06-12 Carlos Garcia Campos + + Unreviewed. Fix GTK+ build after r169823. + + Include StructureInlines.h in a few more files to fix linking + issues due to JSC::Structure::get undefined symbol. + + * runtime/ArrayIteratorConstructor.cpp: + * runtime/ArrayIteratorPrototype.cpp: + * runtime/JSConsole.cpp: + * runtime/JSMapIterator.cpp: + * runtime/JSSet.cpp: + * runtime/JSSetIterator.cpp: + * runtime/JSWeakMap.cpp: + * runtime/MapIteratorPrototype.cpp: + * runtime/MapPrototype.cpp: + * runtime/SetIteratorPrototype.cpp: + * runtime/SetPrototype.cpp: + * runtime/WeakMapPrototype.cpp: + +2014-06-12 Csaba Osztrogonác + + [EFL] One more URTBF after r169823 to make ARM64 build happy too. + + * runtime/JSMap.cpp: + +2014-06-11 Mark Hahnenberg + + Inline caching should try to flatten uncacheable dictionaries + https://bugs.webkit.org/show_bug.cgi?id=133683 Reviewed by Geoffrey Garen. - * API/JSContextRef.cpp: - (internalScriptTimeoutCallback): - (JSContextGroupSetExecutionTimeLimit): - * API/tests/testapi.c: - (main): - - Added test case when the time limit callback is 0. - - Also updated a check to verify that a TerminatedExecutionException is - thrown when the time out is cancelled. - - Also fixed some cosmetic typos. + There exists a body of JS code that deletes properties off of objects (especially function/constructor objects), + which puts them into an uncacheable dictionary state. This prevents all future inline caching for these objects. + If properties are deleted out of the object during its initialization, we can enable caching for that object by + attempting to flatten it when we see we're trying to do inline caching with that object. We then record that we + performed this flattening optimization in the object's Structure. If it ever re-enters the uncacheable dictionary + state then we can just give up on caching that object. -2013-04-30 Geoffrey Garen + In refactoring some of the code in tryCacheGetById and tryBuildGetByIdList to reduce some duplication, I added + the InlineCacheAction enum, a new way to indicate the success or failure of an inline caching attempt. I changed + the other inline caching functions to return this enum rather than the opaque booleans that we were previously + returning. - Removed op_ensure_property_exists - https://bugs.webkit.org/show_bug.cgi?id=115460 + * jit/Repatch.cpp: + (JSC::actionForCell): + (JSC::tryCacheGetByID): + (JSC::repatchGetByID): + (JSC::tryBuildGetByIDList): + (JSC::buildGetByIDList): + (JSC::tryCachePutByID): + (JSC::repatchPutByID): + (JSC::tryBuildPutByIdList): + (JSC::buildPutByIdList): + (JSC::tryRepatchIn): + (JSC::repatchIn): + * runtime/Structure.cpp: + (JSC::Structure::Structure): + (JSC::Structure::flattenDictionaryStructure): + * runtime/Structure.h: + (JSC::Structure::hasBeenFlattenedBefore): - Reviewed by Mark Hahnenberg. +2014-06-11 Csaba Osztrogonác - It was unused, and whatever it was once used for was not optimized. + [EFL] URTBF after r169823. - * JavaScriptCore.order: - * bytecode/CodeBlock.cpp: - (JSC::CodeBlock::dumpBytecode): - * bytecode/Opcode.h: - (JSC::padOpcodeName): - * jit/JIT.cpp: - (JSC::JIT::privateCompileMainPass): - * jit/JIT.h: - * jit/JITOpcodes.cpp: - * jit/JITOpcodes32_64.cpp: - * jit/JITStubs.cpp: - * jit/JITStubs.h: - * llint/LLIntSlowPaths.cpp: - * llint/LLIntSlowPaths.h: - * llint/LowLevelInterpreter.asm: + * bindings/ScriptValue.cpp: Missing include added. -2013-04-30 Oliver Hunt +2014-06-11 Ryosuke Niwa - JSC Stack walking logic craches in the face of inlined functions triggering VM re-entry - https://bugs.webkit.org/show_bug.cgi?id=115449 + Remove an unnecessary asObject(this) call inside JSObject::fastGetOwnPropertySlot. - Reviewed by Geoffrey Garen. + Rubber-stamped by Andreas Kling. - Rename callframeishost to something that makes sense, and fix - getCallerInfo to correctly handle inline functions calling into - the VM. + * runtime/JSObject.h: + (JSC::JSObject::fastGetOwnPropertySlot): - * bytecode/CodeBlock.cpp: - (JSC::CodeBlock::codeOriginForReturn): - Make this more robust in the face of incorrect stack walking - * interpreter/CallFrame.cpp: - (JSC::CallFrame::trueCallerFrame): - Everyone has to perform a codeblock() check before calling this - so we might as well just do it here. - * interpreter/Interpreter.cpp: - (JSC::getCallerInfo): +2014-06-11 Ryosuke Niwa -2013-04-30 Julien Brianceau + Turning on DUMP_PROPERTYMAP_STATS causes a build failure + https://bugs.webkit.org/show_bug.cgi?id=133673 - Bug fixing in sh4 base JIT and LLINT. - https://bugs.webkit.org/show_bug.cgi?id=115420 + Reviewed by Andreas Kling. - Reviewed by Oliver Hunt. - - * assembler/MacroAssemblerSH4.h: - (JSC::MacroAssemblerSH4::lshift32): - (JSC::MacroAssemblerSH4::rshift32): - (JSC::MacroAssemblerSH4::branchMul32): - (JSC::MacroAssemblerSH4::urshift32): - (JSC::MacroAssemblerSH4::replaceWithJump): - (JSC::MacroAssemblerSH4::maxJumpReplacementSize): - * assembler/SH4Assembler.h: - (JSC::SH4Assembler::shldRegReg): - (JSC::SH4Assembler::shadRegReg): - (JSC::SH4Assembler::shalImm8r): - (SH4Assembler): - (JSC::SH4Assembler::sharImm8r): - (JSC::SH4Assembler::maxJumpReplacementSize): - (JSC::SH4Assembler::replaceWithJump): - * offlineasm/sh4.rb: + Rewrote the property map statistics code because the old code wasn't building, + and it was also mixing numbers for lookups and insertions/removals. -2013-04-30 Geoffrey Garen + New logging code records the number of calls to PropertyTable::find (finds) and + PropertyTable::get/PropertyTable::findWithString separately so that we can quantify + the number of probing during updates and lookups. - Objective-C JavaScriptCore API should publicly support bridging to C - https://bugs.webkit.org/show_bug.cgi?id=115447 + * jsc.cpp: + * runtime/PropertyMapHashTable.h: + (JSC::PropertyTable::find): + (JSC::PropertyTable::get): + (JSC::PropertyTable::findWithString): + (JSC::PropertyTable::add): + (JSC::PropertyTable::remove): + (JSC::PropertyTable::reinsert): + (JSC::PropertyTable::rehash): + * runtime/Structure.cpp: + (JSC::PropertyMapStatisticsExitLogger::PropertyMapStatisticsExitLogger): + (JSC::PropertyMapStatisticsExitLogger::~PropertyMapStatisticsExitLogger): - Reviewed by Mark Hahnenberg. +2014-06-11 Andreas Kling - For consistency, I renamed + Always inline JSValue::get() and Structure::get(). + - +[JSValue valueWithValue:] => +[JSValue valueWithJSValueRef] - +[JSContext contextWithGlobalContextRef] => +[JSContext contextWithJSGlobalContextRef] - -[JSContext globalContext] => -[JSContext JSGlobalContextRef] + Reviewed by Ryosuke Niwa. - I searched svn to verify that these functions don't have clients yet, - so we won't break anything. + These functions get really hot, so ask the compiler to be more + aggressive about inlining them. - I also exported as public API + ~28% speed-up on Ryosuke's microbenchmark for accessing nextSibling + through GetByVal. - +[JSValue valueWithJSValueRef:] - +[JSContext contextWithJSGlobalContextRef:] + * runtime/JSArrayIterator.cpp: + * runtime/JSCJSValue.cpp: + * runtime/JSCJSValueInlines.h: + (JSC::JSValue::get): + * runtime/JSPromiseDeferred.cpp: + * runtime/StructureInlines.h: + (JSC::Structure::get): - It's hard to integrate with the C API without these. +2014-06-11 Ryosuke Niwa -2013-04-30 Commit Queue + Structure::get should instantiate DeferGC only when materializing property map + https://bugs.webkit.org/show_bug.cgi?id=133727 - Unreviewed, rolling out r149349 and r149354. - http://trac.webkit.org/changeset/149349 - http://trac.webkit.org/changeset/149354 - https://bugs.webkit.org/show_bug.cgi?id=115444 + Rubber-stamped by Andreas Kling. - The Thumb version of compileSoftModulo make invalid use of - registers (Requested by benjaminp on #webkit). + Make materializePropertyMapIfNecessary always inline. - * CMakeLists.txt: - * GNUmakefile.list.am: - * JavaScriptCore.xcodeproj/project.pbxproj: - * assembler/ARMv7Assembler.h: - (ARMv7Assembler): - * assembler/AbstractMacroAssembler.h: - (JSC::isARMv7s): - (JSC): - * assembler/MacroAssemblerARMv7.cpp: Removed. - * assembler/MacroAssemblerARMv7.h: - (MacroAssemblerARMv7): - * dfg/DFGFixupPhase.cpp: - (JSC::DFG::FixupPhase::fixupNode): - * dfg/DFGOperations.cpp: - * dfg/DFGOperations.h: - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compileSoftModulo): - (DFG): - (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForARMv7s): - * dfg/DFGSpeculativeJIT.h: - (JSC::DFG::SpeculativeJIT::callOperation): - (SpeculativeJIT): - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::compile): + This is ~12% improvement on the microbenchmark attached in the bug. -2013-04-30 Zalan Bujtas + * runtime/Structure.h: + (JSC::Structure::materializePropertyMapIfNecessary): + (JSC::Structure::materializePropertyMapIfNecessaryForPinning): - Animations fail to start on http://www.google.com/insidesearch/howsearchworks/thestory/ - https://bugs.webkit.org/show_bug.cgi?id=111244 +2014-06-11 Ryosuke Niwa - Reviewed by David Kilzer. - - Enable performance.now() as a minimal subset of Web Timing API. - It returns DOMHighResTimeStamp, a monotonically increasing value representing the - number of milliseconds from the start of the navigation of the current document. - JS libraries use this API to check against the requestAnimationFrame() timestamp. + Structure::get should instantiate DeferGC only when materializing property map + https://bugs.webkit.org/show_bug.cgi?id=133727 - * Configurations/FeatureDefines.xcconfig: + Reviewed by Geoffrey Garen. -2013-04-30 Zoltan Arvai + DeferGC instances in Structure::get was added in http://trac.webkit.org/r157539 in order to avoid + collecting the property table newly created by materializePropertyMapIfNecessary since GC can happen + when GCSafeConcurrentJITLocker goes out of scope. - Unreviewed. Speculative build fix on Qt Arm and Mips after r149349. + However, always instantiating DeferGC inside Structure::get introduced a new performance bottleneck + in JSObject::getPropertySlot because frequently incrementing and decrementing a counter in vm.m_heap + and running a release assertion inside Heap::incrementDeferralDepth() is expensive. - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compileSoftModulo): + Work around this by instantiating DeferGC only when we're actually calling materializePropertyMap, + and immediately storing a pointer to the newly created property table in the stack before DeferGC + goes out of scope so that the property table will be marked. -2013-04-29 Cosmin Truta + This shows 13-16% improvement on the microbenchmark attached in the bug. - [ARM] Expand the use of integer division - https://bugs.webkit.org/show_bug.cgi?id=115138 + * runtime/JSCJSValue.cpp: + * runtime/JSObject.h: + (JSC::JSObject::fastGetOwnPropertySlot): + * runtime/Structure.h: + (JSC::Structure::materializePropertyMapIfNecessary): + * runtime/StructureInlines.h: + (JSC::Structure::get): - Reviewed by Benjamin Poulain. +2014-06-11 Andreas Kling - If availability of hardware integer division isn't known at compile - time, check the CPU flags and decide at runtime whether to fall back - to software. Currently, this OS-specific check is implemented on QNX. + Some JSValue::get() micro-optimzations. + - Moreover, use operator % instead of fmod() in the calculation of the - software modulo. Even when it's software-emulated, operator % is faster - than fmod(): on ARM v7 QNX, without hardware division, we noticed - >3% speedup on SunSpider. + Tighten some of the property lookup code to improve performance of the + eagerly reified prototype attributes: - * CMakeLists.txt: - * GNUmakefile.list.am: - * JavaScriptCore.xcodeproj/project.pbxproj: - * assembler/ARMv7Assembler.h: - (JSC::ARMv7Assembler::sdiv): Did not compile conditionally. - (JSC::ARMv7Assembler::udiv): Ditto. - * assembler/AbstractMacroAssembler.h: - (JSC::isARMv7s): Removed. - * assembler/MacroAssemblerARMv7.cpp: Added. - (JSC::isIntegerDivSupported): Added. - * assembler/MacroAssemblerARMv7.h: - (JSC::MacroAssemblerARMv7::supportsIntegerDiv): Added. - * dfg/DFGFixupPhase.cpp: - (JSC::DFG::FixupPhase::fixupNode): Checked MacroAssembler::supportsIntegerDiv() in ArithDiv case. - * dfg/DFGOperations.cpp: - (JSC::DFG::operationModOnInts): Added. - * dfg/DFGOperations.h: - (JSC::DFG::Z_DFGOperation_ZZ): Added. - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compileSoftModulo): Separated the X86-specific and ARM-specific codegen - from the common implementation; used operationModOnInts on ARM. - (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForARM): Renamed from compileIntegerArithDivForARMv7. - (JSC::DFG::SpeculativeJIT::compileArithMod): Allowed run-time detection of integer div on ARM. - * dfg/DFGSpeculativeJIT.h: - (JSC::DFG::SpeculativeJIT::callOperation): Added overloads with Z_DFGOperation_ZZ arguments. - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::compile): Used compileIntegerArithDivForARM. + - Instead of converting the property name to an integer at every step + in the prototype chain, move that to a separate pass at the end + since it should be a rare case. -2013-04-29 Benjamin Poulain + - Cache the StructureIDTable in a local instead of fetching it from + the Heap on every step. - Unify the data access of StringImpl members from JavaScriptCore - https://bugs.webkit.org/show_bug.cgi?id=115320 + - Make fillCustomGetterPropertySlot inline. It was out-of-lined based + on the assumption that clients would mostly be cacheable GetByIds, + and it gets pretty hot (~1%) in GetByVal. - Reviewed by Andreas Kling. + - Pass the Structure directly to fillCustomGetterPropertySlot instead + of refetching it from the StructureIDTable. - DFG accesses the member infos by directly calling the methods on StringImpl, - while the baseline JIT was using helper methods on ThunkHelpers. + Reviewed by Geoff Garen. - Cut the middle man, and use StringImpl directly everywhere. + * runtime/JSObject.cpp: + (JSC::JSObject::fillCustomGetterPropertySlot): Deleted. + * runtime/JSObject.h: + (JSC::JSObject::inlineGetOwnPropertySlot): + (JSC::JSObject::fillCustomGetterPropertySlot): + (JSC::JSObject::getOwnPropertySlot): + (JSC::JSObject::fastGetOwnPropertySlot): + (JSC::JSObject::getPropertySlot): + (JSC::JSObject::getOwnPropertySlotSlow): Deleted. - * jit/JITInlines.h: - (JSC::JIT::emitLoadCharacterString): - * jit/JITPropertyAccess.cpp: - (JSC::JIT::stringGetByValStubGenerator): - * jit/JITPropertyAccess32_64.cpp: - (JSC::JIT::stringGetByValStubGenerator): - * jit/JSInterfaceJIT.h: - * jit/ThunkGenerators.cpp: - (JSC::stringCharLoad): +2014-06-10 Sam Weinig -2013-04-29 Benjamin Poulain + Don't create a HashTable for JSObjects that use eager reification + https://bugs.webkit.org/show_bug.cgi?id=133705 - Use push and pop for iOS math function thunks - https://bugs.webkit.org/show_bug.cgi?id=115215 + Reviewed by Geoffrey Garen. - Reviewed by Filip Pizlo. + * runtime/Lookup.h: + (JSC::reifyStaticProperties): + Add a version of reifyStaticProperties that takes an array of HashTableValues + rather than a HashTable. - The iOS ABI is a little different than regular ARM ABI regarding stack alignment. - The requirement is 4 bytes: - "The ARM environment uses a stack that—at the point of function calls—is 4-byte aligned, - grows downward, and contains local variables and a function’s parameters." +2014-06-10 Filip Pizlo - Subsequently, we can just use push and pop to preserve the link register. + Prediction propagator should make sure everyone knows that a variable that is in an argument position where other versions of that variable are not MachineInts cannot possibly be flushed as Int52 + https://bugs.webkit.org/show_bug.cgi?id=133698 - * jit/ThunkGenerators.cpp: + Reviewed by Geoffrey Garen and Mark Hahnenberg. -2013-04-29 Brent Fulgham + * dfg/DFGPredictionPropagationPhase.cpp: + (JSC::DFG::PredictionPropagationPhase::propagate): Use the new utility to figure out if a variable could ever represent an Int52. + * dfg/DFGVariableAccessData.cpp: + (JSC::DFG::VariableAccessData::couldRepresentInt52): Add a new utility to detect early on if a variable could possibly be Int52. + (JSC::DFG::VariableAccessData::couldRepresentInt52Impl): + (JSC::DFG::VariableAccessData::flushFormat): + * dfg/DFGVariableAccessData.h: + * tests/stress/int52-inlined-call-argument.js: Added. + (foo): + (bar): - [Windows, WinCairo] Get rid of last few pthread include/link references. - https://bugs.webkit.org/show_bug.cgi?id=115375 +2014-06-10 Mark Lam - Reviewed by Tim Horton. + Assertion failure at JSC::Structure::checkOffsetConsistency() const + 234. + - * JavaScriptCore.vcproj/jsc/jscPostBuild.cmd: - * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: - * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props: - * JavaScriptCore.vcxproj/jsc/jscCommon.props: - * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props: - * JavaScriptCore.vcxproj/testapi/testapiCommon.props: + Reviewed by Mark Hahnenberg. -2013-04-29 Roger Fong + The root cause of this issue is that a nonPropertyTransition can transition + a pinned dictionary structure to an unpinned dictionary structure. The new + structure will get a copy of the property table from the original structure. + However, when a GC occurs, the property table in the new structure will be + cleared because it is unpinned. This leads to complications in subsequent + derivative structures when flattening occurs, which eventually leads to the + assertion failure in this bug. - Unreviewed. AppleWin VS2010 build fix. + The fix is to ensure that the new dictionary structure generated by the + nonPropertyTransition will have a copy of its predecessor's property table + and is pinned. - * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: + * runtime/Structure.cpp: + (JSC::Structure::nonPropertyTransition): -2013-04-26 Mark Hahnenberg +2014-06-10 Michael Saboff - ~BlockAllocator should ASSERT that it has no more Regions left - https://bugs.webkit.org/show_bug.cgi?id=115287 + In a certain app state, Array.prototype.filter() returns incorrect results + https://bugs.webkit.org/show_bug.cgi?id=133577 - Reviewed by Andreas Kling. + Reviewed by Oliver Hunt. - * heap/BlockAllocator.cpp: - (JSC::BlockAllocator::~BlockAllocator): - (JSC::BlockAllocator::allRegionSetsAreEmpty): - * heap/BlockAllocator.h: - (RegionSet): - (JSC::BlockAllocator::RegionSet::isEmpty): - (BlockAllocator): + Fixed the LLInt processing of op_put_by_val_direct to have the same hole check as op_put_by_val. -2013-04-29 Mark Hahnenberg + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: - IndexingTypes should use hex - https://bugs.webkit.org/show_bug.cgi?id=115286 +2014-06-09 Mark Hahnenberg - Decimal is kind of confusing/hard to read because they're used as bit masks. Hex seems more appropriate. + Global HashTables contain references to atomic StringImpls + https://bugs.webkit.org/show_bug.cgi?id=133661 Reviewed by Geoffrey Garen. - * runtime/IndexingType.h: - -2013-04-29 Carlos Garcia Campos - - Unreviewed. Fix make distcheck. + This was a long-standing bug revealed by bug 133558. The issue is that the global static HashTables + cache their set of keys as StringImpls that are associated with a particular VM. This is obviously + incompatible with using multiple VMs on multiple threads (e.g. when using workers). The fix is to + change the "keys" field of the static HashTables to be char** instead of StringImpl**. - * GNUmakefile.list.am: Add missing headers files to compilation - and offlineasm/sh4.rb script. + * runtime/JSObject.cpp: + (JSC::getClassPropertyNames): + * runtime/Lookup.cpp: + (JSC::HashTable::createTable): + (JSC::HashTable::deleteTable): + * runtime/Lookup.h: + (JSC::HashTable::ConstIterator::key): + (JSC::HashTable::entry): -2013-04-28 Dean Jackson +2014-06-09 Mark Hahnenberg - [Mac] Disable canvas backing store scaling (HIGH_DPI_CANVAS) - https://bugs.webkit.org/show_bug.cgi?id=115310 + Build fix after r169703 - Reviewed by Simon Fraser. - - Remove ENABLE_HIGH_DPI_CANVAS_macosx. + * JavaScriptCore.xcodeproj/project.pbxproj: - * Configurations/FeatureDefines.xcconfig: +2014-06-05 Mark Hahnenberg -2013-04-27 Darin Adler + Eagerly reify DOM prototype attributes + https://bugs.webkit.org/show_bug.cgi?id=133558 - Move from constructor and member function adoptCF/NS to free function adoptCF/NS. - https://bugs.webkit.org/show_bug.cgi?id=115307 + Reviewed by Oliver Hunt. - Reviewed by Geoffrey Garen. + This allows us to get rid of a lot of the additional overhead of pushing DOM attributes up into the prototype. + By eagerly reifying the custom getters and setters into the actual JSObject we avoid having to override + getOwnPropertySlot for all of the DOM prototypes, which is a lot of the overhead of doing property lookups on + DOM wrappers. - * heap/HeapTimer.cpp: - (JSC::HeapTimer::HeapTimer): + * CMakeLists.txt: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: + * JavaScriptCore.xcodeproj/project.pbxproj: + * llint/LLIntData.cpp: + (JSC::LLInt::Data::performAssertions): + * llint/LowLevelInterpreter.asm: + * runtime/BatchedTransitionOptimizer.h: + (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer): + * runtime/CustomGetterSetter.cpp: Added. + (JSC::callCustomSetter): + * runtime/CustomGetterSetter.h: Added. + (JSC::CustomGetterSetter::create): + (JSC::CustomGetterSetter::getter): + (JSC::CustomGetterSetter::setter): + (JSC::CustomGetterSetter::createStructure): + (JSC::CustomGetterSetter::CustomGetterSetter): + * runtime/JSCJSValue.cpp: + (JSC::JSValue::putToPrimitive): + * runtime/JSCJSValue.h: + * runtime/JSCJSValueInlines.h: + (JSC::JSValue::isCustomGetterSetter): + * runtime/JSCell.h: + * runtime/JSCellInlines.h: + (JSC::JSCell::isCustomGetterSetter): + (JSC::JSCell::canUseFastGetOwnProperty): + * runtime/JSFunction.cpp: + (JSC::JSFunction::isHostOrBuiltinFunction): Deleted. + (JSC::JSFunction::isBuiltinFunction): Deleted. + * runtime/JSFunction.h: + * runtime/JSFunctionInlines.h: Inlined some random functions that appeared hot during profiling. + (JSC::JSFunction::isBuiltinFunction): + (JSC::JSFunction::isHostOrBuiltinFunction): + * runtime/JSObject.cpp: + (JSC::JSObject::put): + (JSC::JSObject::putDirectCustomAccessor): + (JSC::JSObject::fillGetterPropertySlot): + (JSC::JSObject::fillCustomGetterPropertySlot): + (JSC::JSObject::getOwnPropertySlotSlow): Deleted. + * runtime/JSObject.h: + (JSC::JSObject::hasCustomGetterSetterProperties): + (JSC::JSObject::convertToDictionary): + (JSC::JSObject::inlineGetOwnPropertySlot): + (JSC::JSObject::getOwnPropertySlotSlow): Inlined because it looked hot during profiling. + (JSC::JSObject::putOwnDataProperty): + (JSC::JSObject::putDirect): + (JSC::JSObject::putDirectWithoutTransition): + * runtime/JSType.h: + * runtime/Lookup.h: + (JSC::reifyStaticProperties): + * runtime/PropertyDescriptor.h: + (JSC::PropertyDescriptor::PropertyDescriptor): + * runtime/Structure.cpp: + (JSC::Structure::Structure): + (JSC::nextOutOfLineStorageCapacity): Deleted. + (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Deleted. + (JSC::Structure::get): Deleted. + * runtime/Structure.h: + (JSC::Structure::hasCustomGetterSetterProperties): + (JSC::Structure::setHasCustomGetterSetterProperties): + * runtime/StructureInlines.h: + (JSC::Structure::get): Inlined due to hotness. + (JSC::nextOutOfLineStorageCapacity): Inlined due to hotness. + (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Inlined due to hotness. * runtime/VM.cpp: - (JSC::enableAssembler): - Use adoptCF free function. - -2013-04-27 Anders Carlsson + (JSC::VM::VM): + * runtime/VM.h: + * runtime/WriteBarrier.h: + (JSC::WriteBarrierBase::isCustomGetterSetter): - Try to fix the Windows build. +2014-06-07 Mark Lam - * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: + Structure should initialize its previousID in its constructor. + -2013-04-25 Geoffrey Garen + Reviewed by Mark Hahnenberg. - Cleaned up pre/post inc/dec in bytecode - https://bugs.webkit.org/show_bug.cgi?id=115222 + Currently, the Structure constructor that takes a previous structure will + initialize its previousID to point to the previous structure's previousID. + This is incorrect. However, the caller of the Structure::create() factory + method (which instantiated the Structure) will later call setPreviousID() + to set the previousID to the correct previous structure. This makes the + code confusing to read and more error prone in that the structure relies + on client code to fix its invalid previousID. - Reviewed by Filip Pizlo. + This patch fixes this by making the Structure constructor initialize + previousID correctly. - A few related changes here: + * runtime/Structure.cpp: + (JSC::Structure::Structure): + (JSC::Structure::addPropertyTransition): + (JSC::Structure::nonPropertyTransition): + * runtime/Structure.h: + * runtime/StructureInlines.h: + (JSC::Structure::create): - (*) Removed post_inc and post_dec. The two-result form was awkward to - reason about. Being explicit about the intermediate mov and to_number - reduces DFG overhead, removes some fragile ASSERTs from the DFG, and - fixes a const bug. Plus, we get to blow away 262 lines of code. +2014-06-06 Andreas Kling - (*) Renamed pre_inc and pre_dec to inc and dec, since there's only one - version now. + Indexed getters should return values directly on the PropertySlot. + - (*) Renamed to_jsnumber to to_number, to match the ECMA name. + Remove PropertySlot's custom index mode. - (*) Tightened up the codegen and runtime support for to_number. + Reviewed by Darin Adler. + * runtime/JSObject.h: + (JSC::PropertySlot::getValue): + * runtime/PropertySlot.h: + (JSC::PropertySlot::setCustomIndex): Deleted. - * JavaScriptCore.order: Order! +2014-06-04 Timothy Horton - * bytecode/CodeBlock.cpp: - (JSC::CodeBlock::dumpBytecode): - * bytecode/Opcode.h: - (JSC::padOpcodeName): - * bytecompiler/BytecodeGenerator.cpp: - (JSC::BytecodeGenerator::emitInc): - (JSC::BytecodeGenerator::emitDec): - * bytecompiler/BytecodeGenerator.h: - (JSC::BytecodeGenerator::emitToNumber): - (BytecodeGenerator): Removed post_inc and post_dec. + iOS Debug build fix - * bytecompiler/NodesCodegen.cpp: - (JSC::emitPreIncOrDec): Updated for rename. + Rubber-stamped by Filip Pizlo. - (JSC::emitPostIncOrDec): Issue an explicit mov and to_number when needed. - These are rare, and they boil away in the DFG. + * Configurations/LLVMForJSC.xcconfig: + Dead-code strip the llvmForJSC library unconditionally, to work around . - (JSC::PostfixNode::emitResolve): - (JSC::PrefixNode::emitResolve): For const, use an explicit mov instead - of any special forms. This fixes a bug where we would do string - add/subtract instead of number. +2014-06-04 Oliver Hunt - * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::parseBlock): - * dfg/DFGCapabilities.h: - (JSC::DFG::canCompileOpcode): - * jit/JIT.cpp: - (JSC::JIT::privateCompileMainPass): - (JSC::JIT::privateCompileSlowCases): - * jit/JIT.h: - * jit/JITArithmetic.cpp: - (JSC::JIT::emit_op_inc): - (JSC::JIT::emitSlow_op_inc): - (JSC::JIT::emit_op_dec): - (JSC::JIT::emitSlow_op_dec): - * jit/JITArithmetic32_64.cpp: - (JSC::JIT::emit_op_inc): - (JSC::JIT::emitSlow_op_inc): - (JSC::JIT::emit_op_dec): - (JSC::JIT::emitSlow_op_dec): Removed post_inc/dec, and updated for renames. + ArrayIterator should not be exposed in Safari 8 + https://bugs.webkit.org/show_bug.cgi?id=133494 - * jit/JITOpcodes.cpp: - (JSC::JIT::emit_op_to_number): - (JSC::JIT::emitSlow_op_to_number): Removed a test for number cells. There's - no such thing! + Reviewed by Michael Saboff. - * jit/JITOpcodes32_64.cpp: - (JSC::JIT::emit_op_to_number): Use LowestTag to avoid making assumptions - about the lowest valued tag. + Separate out types that require constructor objects, and don't + include the iterator types in that list. - (JSC::JIT::emitSlow_op_to_number): Updated for renames. + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::reset): + * runtime/JSGlobalObject.h: - * jit/JITStubs.cpp: - (JSC::DEFINE_STUB_FUNCTION): - * jit/JITStubs.h: - * llint/LLIntSlowPaths.cpp: - (JSC::LLInt::LLINT_SLOW_PATH_DECL): - * llint/LLIntSlowPaths.h: - * llint/LowLevelInterpreter32_64.asm: - * llint/LowLevelInterpreter64.asm: - * parser/NodeConstructors.h: - (JSC::UnaryPlusNode::UnaryPlusNode): Removed post_inc/dec, and updated for renames. +2014-06-04 Filip Pizlo - * runtime/Operations.cpp: - (JSC::jsIsObjectType): Removed a test for number cells. There's - no such thing! + DFG::Safepoint::begin() should set m_didCallBegin before releasing the rightToRun lock, because otherwise, Safepoint::checkLivenessAndVisitChildren() may assert due to a race + https://bugs.webkit.org/show_bug.cgi?id=133525 + -2013-04-27 Julien Brianceau + Reviewed by Oliver Hunt. - REGRESSION(r149114): cache flush for SH4 arch may flush an extra page. - https://bugs.webkit.org/show_bug.cgi?id=115305 + * dfg/DFGSafepoint.cpp: + (JSC::DFG::Safepoint::begin): - Reviewed by Andreas Kling. +2014-06-03 Filip Pizlo - * assembler/SH4Assembler.h: - (JSC::SH4Assembler::cacheFlush): + LLVM soft-linking should be truly fail-silent + https://bugs.webkit.org/show_bug.cgi?id=133482 -2013-04-26 Geoffrey Garen + Reviewed by Mark Lam. - Re-landing + * llvm/InitializeLLVMPOSIX.cpp: + (JSC::initializeLLVMPOSIX): Missing return statement in the dlsym() returning null case. - Filled out more cases of branch folding in bytecode when emitting - expressions into a branching context - https://bugs.webkit.org/show_bug.cgi?id=115057 +2014-06-03 Eva Balazsfalvi - Reviewed by Phil Pizlo. + REGRESSION(r169092 and r169102): Skip failing JSC tests poperly on non-x86 Darwin platforms + https://bugs.webkit.org/show_bug.cgi?id=133149 - We can't fold the number == 1 case to boolean because all non-zero numbers - down-cast to true, but only 1 is == to true. + Reviewed by Csaba Osztrogonác. -2013-04-26 Filip Pizlo + * tests/mozilla/mozilla-tests.yaml: Skip js1_5/Regress/regress-159334.js only if the architecture isn't x86 and the host is Darwin. - Correct indentation of SymbolTable.h - - Rubber stamped by Mark Hahnenberg. +2014-05-31 Anders Carlsson - * runtime/SymbolTable.h: + Add a LazyNeverDestroyed class template and use it + https://bugs.webkit.org/show_bug.cgi?id=133425 -2013-04-26 Roger Fong + Reviewed by Darin Adler. - Make Apple Windows VS2010 build results into and get dependencies from __32 suffixed folders. - Make the DebugSuffix configuration use _debug dependencies. + * dfg/DFGFunctionWhitelist.cpp: + (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist): + * dfg/DFGFunctionWhitelist.h: - * JavaScriptCore.vcxproj/JavaScriptCore.make: - * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: - * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: - * JavaScriptCore.vcxproj/JavaScriptCoreCF.props: - * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: - * JavaScriptCore.vcxproj/JavaScriptCoreDebug.props: - * JavaScriptCore.vcxproj/JavaScriptCoreDebugCFLite.props: - * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj: - * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj.filters: - * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorBuildCmd.cmd: - * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorCommon.props: - * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorDebug.props: - * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPostBuild.cmd: - * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPreBuild.cmd: - * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorProduction.props: - * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorRelease.props: - * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make: - * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: - * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedCommon.props: - * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedDebug.props: - * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedProduction.props: - * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedRelease.props: - * JavaScriptCore.vcxproj/JavaScriptCorePostBuild.cmd: - * JavaScriptCore.vcxproj/JavaScriptCorePreLink.cmd: - * JavaScriptCore.vcxproj/JavaScriptCoreProduction.props: - * JavaScriptCore.vcxproj/JavaScriptCoreRelease.props: - * JavaScriptCore.vcxproj/JavaScriptCoreReleaseCFLite.props: - * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make: - * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj: - * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: - * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make: - * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj: - * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: - * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj: - * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props: - * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebug.props: - * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorProduction.props: - * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorRelease.props: - * JavaScriptCore.vcxproj/build-generated-files.sh: - * JavaScriptCore.vcxproj/copy-files.cmd: - * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: - * JavaScriptCore.vcxproj/jsc/jscCommon.props: - * JavaScriptCore.vcxproj/jsc/jscDebug.props: - * JavaScriptCore.vcxproj/jsc/jscPostBuild.cmd: - * JavaScriptCore.vcxproj/jsc/jscPreLink.cmd: - * JavaScriptCore.vcxproj/jsc/jscProduction.props: - * JavaScriptCore.vcxproj/jsc/jscRelease.props: - * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: - * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj.filters: - * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props: - * JavaScriptCore.vcxproj/testRegExp/testRegExpDebug.props: - * JavaScriptCore.vcxproj/testRegExp/testRegExpPostBuild.cmd: - * JavaScriptCore.vcxproj/testRegExp/testRegExpPreLink.cmd: - * JavaScriptCore.vcxproj/testRegExp/testRegExpProduction.props: - * JavaScriptCore.vcxproj/testRegExp/testRegExpRelease.props: - * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: - * JavaScriptCore.vcxproj/testapi/testapiCommon.props: - * JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props: - * JavaScriptCore.vcxproj/testapi/testapiDebug.props: - * JavaScriptCore.vcxproj/testapi/testapiDebugCFLite.props: - * JavaScriptCore.vcxproj/testapi/testapiPreLink.cmd: - * JavaScriptCore.vcxproj/testapi/testapiProduction.props: - * JavaScriptCore.vcxproj/testapi/testapiRelease.props: - * JavaScriptCore.vcxproj/testapi/testapiReleaseCFLite.props: - -2013-04-26 Roger Fong - - Disable sub-pixel layout on mac. - https://bugs.webkit.org/show_bug.cgi?id=114999. +2014-05-28 Filip Pizlo - Reviewed by Simon Fraser. + DFG::DCEPhase inserts into an insertion set in reverse, causing hilarious basic block corruption if you kill a lot of NewArrays + https://bugs.webkit.org/show_bug.cgi?id=133368 - * Configurations/FeatureDefines.xcconfig: + Reviewed by Mark Lam. -2013-04-26 Oliver Hunt + * dfg/DFGDCEPhase.cpp: + (JSC::DFG::DCEPhase::fixupBlock): Loop in the right order so that we insert in the right order. + * tests/stress/new-array-dead.js: Added. + (foo): - Make stack tracing more robust - https://bugs.webkit.org/show_bug.cgi?id=115272 +2014-05-28 Filip Pizlo - Reviewed by Geoffrey Garen. + Unreviewed, fix not-x86 32-bit. - CallFrame already handles stack walking confusion robustly, - so we should make sure that the actual walk handles that as well. + * llint/LowLevelInterpreter32_64.asm: - * interpreter/Interpreter.cpp: - (JSC::getCallerInfo): +2014-05-27 Filip Pizlo -2013-04-26 Mark Hahnenberg + Arrayify neglects to inform the clobberizer that it might fire watchpoints + https://bugs.webkit.org/show_bug.cgi?id=133340 - REGRESSION(r149165): It made many tests crash on 32 bit - https://bugs.webkit.org/show_bug.cgi?id=115227 + Reviewed by Mark Lam. - Reviewed by Csaba Osztrogonác. + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): Be honest. + * llint/LowLevelInterpreter32_64.asm: Profile the object, not its structure. + * tests/stress/arrayify-fires-watchpoint.js: Added. + (foo): + (test): + (makeObjectArray): + * tests/stress/arrayify-structure-bad-test.js: Added. + (foo): + (test): - m_reservation is uninitialized when ENABLE(SUPER_REGION) is false. +2014-05-27 Jon Lee - * heap/SuperRegion.cpp: - (JSC::SuperRegion::~SuperRegion): + Update ENABLE(MEDIA_SOURCE) on Mac + https://bugs.webkit.org/show_bug.cgi?id=133141 -2013-04-26 Julien Brianceau + Reviewed by Darin Adler. - Fix SH4 build broken since r149159. - https://bugs.webkit.org/show_bug.cgi?id=115229 + * Configurations/FeatureDefines.xcconfig: - Add BranchTruncateType enum in SH4 port and handle it in branchTruncateDoubleToInt32. +2014-05-27 Tibor Meszaros - Reviewed by Allan Sandfeld Jensen. + Remove BLOB guards + https://bugs.webkit.org/show_bug.cgi?id=132863 - * assembler/MacroAssemblerSH4.h: - (JSC::MacroAssemblerSH4::branchTruncateDoubleToInt32): + Reviewed by Csaba Osztrogonác. -2013-04-25 Mark Hahnenberg + * Configurations/FeatureDefines.xcconfig: - SuperRegion doesn't call deallocate() on its PageReservation - https://bugs.webkit.org/show_bug.cgi?id=115208 +2014-05-27 Zsolt Borbely - Reviewed by Geoffrey Garen. + Allow building CMake based ports with WEB_REPLAY + https://bugs.webkit.org/show_bug.cgi?id=133154 - It should. This doesn't cause us to leak physical memory, but it does cause us to leak virtual - address space (and probably mach ports), which is also bad :-( FixedVMPoolExecutableAllocator - also has this bug, but it doesn't matter much because there's only one instance of that class - throughout the entire lifetime of the process, whereas each VM has its own SuperRegion. + Reviewed by Csaba Osztrogonác. - * heap/SuperRegion.cpp: - (JSC::SuperRegion::~SuperRegion): - * heap/SuperRegion.h: - (SuperRegion): - * jit/ExecutableAllocatorFixedVMPool.cpp: - (FixedVMPoolExecutableAllocator): - (JSC::FixedVMPoolExecutableAllocator::~FixedVMPoolExecutableAllocator): + * CMakeLists.txt: -2013-04-25 Filip Pizlo +2014-05-25 Filip Pizlo - DFG doesn't support to_jsnumber - https://bugs.webkit.org/show_bug.cgi?id=115129 + Latest emscripten life benchmark is 4x slower because the DFG doesn't realize that arithmetic on booleans is a thing + https://bugs.webkit.org/show_bug.cgi?id=133136 - Reviewed by Geoffrey Garen. - - Based on Oliver's patch. Implements to_jsnumber as Identity(Number:@thingy), and then does - an optimization in Fixup to turn Identity(Number:) into Identity(Int32:) if the predictions - tell us to. Identity is later turned into Phantom. - - Also fixed BackPropMask, which appeared to have NodeDoesNotExit included in it. That's - wrong; NodeDoesNotExit is not a backward propagation property. + Reviewed by Oliver Hunt. - Also fixed Identity to be marked as CanExit (i.e. not NodeDoesNotExit). + Some key concepts: + + - Except for the prediction propagation and type fixup phases, which are super early in + the pipeline, nobody has to know about the fact that booleans may flow into numerical + operations because there will just be a BooleanToNumber node that will take a value + and, if that value is a boolean, will convert it to the equivalent numerical value. It + will have a BooleanUse mode where it will also speculate that the input is a boolean + but it can also do UntypedUse in which case it will pass through any non-booleans. + This operation is very easy to model in all of the compiler tiers. + + - No changes to the baseline JIT. The Baseline JIT will still believe that boolean + inputs require taking the slow path and it will still report that it took slow path + for any such operations. The DFG will now be smart enough to ignore baseline JIT slow + path profiling on operations that were known to have had boolean inputs. That's a + little quirky, but it's probably easier than modifying the baseline JIT to track + booleans correctly. - This more than doubles the FPS on ammo. - - * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::parseBlock): - * dfg/DFGCapabilities.h: - (JSC::DFG::canCompileOpcode): - * dfg/DFGFixupPhase.cpp: - (JSC::DFG::FixupPhase::fixupNode): - (FixupPhase): - (JSC::DFG::FixupPhase::observeUseKindOnNode): - (JSC::DFG::FixupPhase::observeUseKindOnEdge): - * dfg/DFGNodeFlags.h: - (DFG): - * dfg/DFGNodeType.h: - (DFG): - * dfg/DFGPredictionPropagationPhase.cpp: - (JSC::DFG::PredictionPropagationPhase::propagate): - -2013-04-24 Oliver Hunt - - Add support for Math.imul - https://bugs.webkit.org/show_bug.cgi?id=115143 - - Reviewed by Filip Pizlo. - - Add support for Math.imul, a thunk generator for Math.imul, - and an intrinsic. - - Fairly self explanatory set of changes, DFG intrinsics simply - leverages the existing ValueToInt32 nodes. - - * create_hash_table: - * dfg/DFGAbstractState.cpp: - (JSC::DFG::AbstractState::executeEffects): - * dfg/DFGBackwardsPropagationPhase.cpp: - (JSC::DFG::BackwardsPropagationPhase::propagate): + 4.1x speed-up on the emscripten "life" benchmark. Up to 10x speed-up on microbenchmarks. + + * bytecode/SpeculatedType.h: + (JSC::isInt32OrBooleanSpeculation): + (JSC::isInt32SpeculationForArithmetic): + (JSC::isInt32OrBooleanSpeculationForArithmetic): + (JSC::isInt32OrBooleanSpeculationExpectingDefined): + (JSC::isInt52Speculation): + (JSC::isMachineIntSpeculation): + (JSC::isFullNumberOrBooleanSpeculation): + (JSC::isFullNumberOrBooleanSpeculationExpectingDefined): + (JSC::isInt32SpeculationExpectingDefined): Deleted. + (JSC::isMachineIntSpeculationExpectingDefined): Deleted. + (JSC::isMachineIntSpeculationForArithmetic): Deleted. + (JSC::isBytecodeNumberSpeculationExpectingDefined): Deleted. + (JSC::isFullNumberSpeculationExpectingDefined): Deleted. + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGAllocator.h: + (JSC::DFG::Allocator::indexOf): * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::makeSafe): + (JSC::DFG::ByteCodeParser::makeDivSafe): (JSC::DFG::ByteCodeParser::handleIntrinsic): * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::performNodeCSE): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGCommon.h: + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): + (JSC::DFG::FixupPhase::fixIntConvertingEdge): + (JSC::DFG::FixupPhase::fixIntOrBooleanEdge): + (JSC::DFG::FixupPhase::fixDoubleOrBooleanEdge): + (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd): + (JSC::DFG::FixupPhase::fixIntEdge): Deleted. + * dfg/DFGGraph.h: + (JSC::DFG::Graph::addSpeculationMode): + (JSC::DFG::Graph::valueAddSpeculationMode): + (JSC::DFG::Graph::arithAddSpeculationMode): + (JSC::DFG::Graph::addShouldSpeculateInt32): + (JSC::DFG::Graph::mulShouldSpeculateInt32): + (JSC::DFG::Graph::mulShouldSpeculateMachineInt): + (JSC::DFG::Graph::negateShouldSpeculateInt32): + (JSC::DFG::Graph::negateShouldSpeculateMachineInt): + (JSC::DFG::Graph::addImmediateShouldSpeculateInt32): + (JSC::DFG::Graph::mulImmediateShouldSpeculateInt32): Deleted. + * dfg/DFGNode.h: + (JSC::DFG::Node::sawBooleans): + (JSC::DFG::Node::shouldSpeculateInt32OrBoolean): + (JSC::DFG::Node::shouldSpeculateInt32ForArithmetic): + (JSC::DFG::Node::shouldSpeculateInt32OrBooleanForArithmetic): + (JSC::DFG::Node::shouldSpeculateInt32OrBooleanExpectingDefined): + (JSC::DFG::Node::shouldSpeculateMachineInt): + (JSC::DFG::Node::shouldSpeculateDouble): + (JSC::DFG::Node::shouldSpeculateNumberOrBoolean): + (JSC::DFG::Node::shouldSpeculateNumberOrBooleanExpectingDefined): + (JSC::DFG::Node::shouldSpeculateNumber): + (JSC::DFG::Node::canSpeculateInt32): + (JSC::DFG::Node::canSpeculateInt52): + (JSC::DFG::Node::sourceFor): + (JSC::DFG::Node::shouldSpeculateInt32ExpectingDefined): Deleted. + (JSC::DFG::Node::shouldSpeculateMachineIntForArithmetic): Deleted. + (JSC::DFG::Node::shouldSpeculateMachineIntExpectingDefined): Deleted. + (JSC::DFG::Node::shouldSpeculateDoubleForArithmetic): Deleted. + (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined): Deleted. + * dfg/DFGNodeFlags.cpp: + (JSC::DFG::dumpNodeFlags): + * dfg/DFGNodeFlags.h: + (JSC::DFG::nodeMayOverflow): + (JSC::DFG::nodeMayNegZero): + (JSC::DFG::nodeCanSpeculateInt32): + (JSC::DFG::nodeCanSpeculateInt52): * dfg/DFGNodeType.h: - (DFG): * dfg/DFGPredictionPropagationPhase.cpp: + (JSC::DFG::PredictionPropagationPhase::run): + (JSC::DFG::PredictionPropagationPhase::propagateToFixpoint): + (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction): (JSC::DFG::PredictionPropagationPhase::propagate): + (JSC::DFG::PredictionPropagationPhase::doDoubleVoting): + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compileArithIMul): - * dfg/DFGSpeculativeJIT.h: - (SpeculativeJIT): + (JSC::DFG::SpeculativeJIT::compileValueToInt32): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): - * jit/ThunkGenerators.cpp: - (JSC::imulThunkGenerator): - (JSC): - * jit/ThunkGenerators.h: - (JSC): - * runtime/Intrinsic.h: - * runtime/MathObject.cpp: - (JSC): - (JSC::mathProtoFuncIMul): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileNode): + (JSC::FTL::LowerDFGToLLVM::compileValueToInt32): + (JSC::FTL::LowerDFGToLLVM::compileBooleanToNumber): + * runtime/JSCJSValue.h: + * runtime/JSCJSValueInlines.h: + (JSC::JSValue::asInt32ForArithmetic): + * tests/stress/max-boolean-exit.js: Added. + (foo): + (test): + * tests/stress/mul-boolean-exit.js: Added. + (foo): + (test): + * tests/stress/plus-boolean-exit.js: Added. + (foo): + (test): + * tests/stress/plus-boolean-or-double.js: Added. + (foo): + (test): + * tests/stress/plus-boolean-or-int.js: Added. + (foo): + (test): + +2014-05-26 Zsolt Borbely + + Remove dead code from VM.cpp + https://bugs.webkit.org/show_bug.cgi?id=133284 + + Reviewed by Darin Adler. + + This workaround was added in r127505. Since the clang is the + only used compiler in this case, this workaround is obsolete. + * runtime/VM.cpp: - (JSC::thunkGeneratorForIntrinsic): + (JSC::enableAssembler): -2013-04-25 Filip Pizlo +2014-05-26 Eva Balazsfalvi - Unreviewed, roll out http://trac.webkit.org/changeset/148999 - It broke http://kripken.github.io/ammo.js/examples/new/ammo.html + JSC CLoop warning fix + https://bugs.webkit.org/show_bug.cgi?id=133259 - * JavaScriptCore.order: - * bytecompiler/BytecodeGenerator.cpp: - (JSC::BytecodeGenerator::emitNewArray): - (JSC::BytecodeGenerator::emitThrowReferenceError): - (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded): - * bytecompiler/BytecodeGenerator.h: - (JSC::BytecodeGenerator::shouldEmitProfileHooks): - (BytecodeGenerator): - * bytecompiler/NodesCodegen.cpp: - (JSC): - (JSC::NullNode::emitBytecode): - (JSC::BooleanNode::emitBytecode): - (JSC::NumberNode::emitBytecode): - (JSC::StringNode::emitBytecode): - (JSC::IfNode::emitBytecode): - (JSC::IfElseNode::emitBytecode): - * parser/ASTBuilder.h: - (JSC::ASTBuilder::createIfStatement): - (ASTBuilder): - * parser/NodeConstructors.h: - (JSC): - (JSC::NullNode::NullNode): - (JSC::BooleanNode::BooleanNode): - (JSC::NumberNode::NumberNode): - (JSC::StringNode::StringNode): - (JSC::IfNode::IfNode): - (JSC::IfElseNode::IfElseNode): - * parser/Nodes.h: - (JSC::ExpressionNode::isPure): - (JSC::ExpressionNode::isSubtract): - (StatementNode): - (NullNode): - (JSC::NullNode::isNull): - (BooleanNode): - (JSC::BooleanNode::isPure): - (NumberNode): - (JSC::NumberNode::value): - (JSC::NumberNode::isPure): - (StringNode): - (JSC::StringNode::isPure): - (JSC::StringNode::isString): - (BinaryOpNode): - (IfNode): - (JSC): - (IfElseNode): - (ContinueNode): - (BreakNode): - * parser/Parser.cpp: - (JSC::::parseIfStatement): - * parser/ResultType.h: - (ResultType): - * runtime/JSCJSValueInlines.h: - (JSC::JSValue::pureToBoolean): - * runtime/JSCell.h: - (JSCell): - * runtime/JSCellInlines.h: - (JSC): + Reviewed by Darin Adler. -2013-04-25 Filip Pizlo + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): - PreciseJumpTargets should treat loop_hint as a jump target - https://bugs.webkit.org/show_bug.cgi?id=115209 +2014-05-24 Andreas Kling - Reviewed by Mark Hahnenberg. - - I didn't add a test but I turned this into a release assertion. Running Octane is enough - to trigger it. + Object.prototype.toString() should use cached strings for null/undefined. + - * bytecode/PreciseJumpTargets.cpp: - (JSC::computePreciseJumpTargets): - * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::parseBlock): + Normally, when calling Object.prototype.toString() on a regular object, + we'd cache the result of the stringification on the object's structure, + making repeated calls fast. -2013-04-25 Roman Zhuykov + For null and undefined, we were not as smart. We'd instead construct a + new string with either "[object Null]" or "[object Undefined]" each time. - Fix problems with processing negative zero on DFG. - https://bugs.webkit.org/show_bug.cgi?id=113862 + This was exposed by Dromaeo's JS library tests, where some prototype.js + subtests generate millions of strings this way. - Reviewed by Filip Pizlo. + This patch adds two VM-permanent cached strings to the SmallStrings. + Looks like ~10% speed-up on Dromaeo/jslib-traverse-prototype.html - Fix NodeNeedsNegZero flag propagation in BackwardPropagationPhase. - Function arithNodeFlags should not mask NodeNeedsNegZero flag for ArithNegate and DoubleAsInt32 - nodes and this flag should be always used to decide where we need to generate nezative-zero checks. - Remove unnecessary negative-zero checks from integer ArithDiv on ARM. - Also remove such checks from integer ArithMod on ARM and X86, and make them always to - check not only "modulo_result == 0" but also "dividend < 0". - Generate faster code for case when ArithMod operation divisor is constant power of 2 on ARMv7 - in the same way as on ARMv7s, and add negative-zero checks into this code when needed. - Change speculationCheck ExitKind from Overflow to NegativeZero where applicable. - - This shows 30% speedup of math-spectral-norm, and 5% speedup - on SunSpider overall on ARMv7 Linux. + Reviewed by Darin Adler. - * assembler/MacroAssemblerARM.h: - (JSC::MacroAssemblerARM::branchConvertDoubleToInt32): - * assembler/MacroAssemblerARMv7.h: - (JSC::MacroAssemblerARMv7::branchConvertDoubleToInt32): - * assembler/MacroAssemblerMIPS.h: - (JSC::MacroAssemblerMIPS::branchConvertDoubleToInt32): - * assembler/MacroAssemblerSH4.h: - (JSC::MacroAssemblerSH4::branchConvertDoubleToInt32): - * assembler/MacroAssemblerX86Common.h: - (JSC::MacroAssemblerX86Common::branchConvertDoubleToInt32): - * dfg/DFGBackwardsPropagationPhase.cpp: - (JSC::DFG::BackwardsPropagationPhase::isNotNegZero): - (JSC::DFG::BackwardsPropagationPhase::isNotPosZero): - (JSC::DFG::BackwardsPropagationPhase::propagate): - * dfg/DFGNode.h: - (JSC::DFG::Node::arithNodeFlags): - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compileDoubleAsInt32): - (JSC::DFG::SpeculativeJIT::compileSoftModulo): - (JSC::DFG::SpeculativeJIT::compileArithNegate): + * runtime/ObjectPrototype.cpp: + (JSC::objectProtoFuncToString): + * runtime/SmallStrings.cpp: + (JSC::SmallStrings::SmallStrings): + (JSC::SmallStrings::initializeCommonStrings): + (JSC::SmallStrings::visitStrongReferences): + * runtime/SmallStrings.h: + (JSC::SmallStrings::nullObjectString): + (JSC::SmallStrings::undefinedObjectString): -2013-04-25 Oliver Hunt +2014-05-23 Mark Hahnenberg - Stack guards are too conservative - https://bugs.webkit.org/show_bug.cgi?id=115147 + Remove operationCallGetter - Reviewed by Mark Hahnenberg. + Rubber stamped by Filip Pizlo. - Increase stack guard to closer to old size. + Nobody calls this function. - * interpreter/Interpreter.cpp: - (JSC::Interpreter::StackPolicy::StackPolicy): + * JavaScriptCore.order: + * jit/JITOperations.cpp: + * jit/JITOperations.h: + +2014-05-23 Andreas Kling -2013-04-25 Oliver Hunt + Templatize GC's destructor invocation for dtor type. + - Stack guards are too conservative - https://bugs.webkit.org/show_bug.cgi?id=115147 + Get rid of a branch in callDestructor() by templatizing it for + the DestructorType. Removed JSCell::methodTableForDestruction() + since this was the only call site and it was jumping through + a bunch of unnecessary hoops. Reviewed by Geoffrey Garen. - Reduce the limits and simplify the decision making. + * heap/MarkedBlock.cpp: + (JSC::MarkedBlock::callDestructor): + (JSC::MarkedBlock::specializedSweep): + * heap/MarkedBlock.h: + * runtime/JSCell.h: + * runtime/JSCellInlines.h: + (JSC::JSCell::methodTableForDestruction): Deleted. - * interpreter/Interpreter.cpp: - (JSC::Interpreter::StackPolicy::StackPolicy): +2014-05-23 Andreas Kling + + Support inline caching of RegExpMatchesArray.length + -2013-04-25 Nick Diego Yamane + Give RegExpMatchesArray.length the same treatment as JSArray in + repatch so we don't have to go out of line on every access. - JSC: Fix interpreter misbehavior in builds with JIT disabled - https://bugs.webkit.org/show_bug.cgi?id=115190 + ~13% speed-up on Octane/regexp. + + Reviewed by Geoffrey Garen. + + * jit/Repatch.cpp: + (JSC::tryCacheGetByID): + * runtime/RegExpMatchesArray.h: + (JSC::isRegExpMatchesArray): + +2014-05-22 Mark Lam + + REGRESSION(r154797): Debugger crashes when stepping over an uncaught exception. + Reviewed by Oliver Hunt. - Commit http://trac.webkit.org/changeset/147858 modified - some details on how JS stack traces are built. The method - "getLineNumberForCallFrame", renamed in that changeset to - "getBytecodeOffsetForCallFrame" is always returning `0' when - JIT is disabled + Before r154797, we used to clear the VM exception before calling into the + debugger. After r154797, we don't. This patch will restore this clearing + of the exception before calling into the debugger. - How to reproduce: - - Build webkit with JIT disabled - - Open MiniBrowser, for example, with http://google.com - - In a debug build, WebProcess will hit the following ASSERT: - Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp:279 ASSERT(low); + Also added assertions after returning from calls into the debugger to + ensure that the debugger did not introduce any exceptions. * interpreter/Interpreter.cpp: - (JSC::getBytecodeOffsetForCallFrame): + (JSC::unwindCallFrame): + (JSC::Interpreter::unwind): + (JSC::Interpreter::debug): + - Fixed the assertion here. Interpreter::debug() should never be called + with a pending exception. Debugger callbacks for exceptions should be + handled by Interpreter::unwind() and Interpreter::unwindCallFrame(). -2013-04-25 Oliver Hunt +2014-05-21 Filip Pizlo - Make checkSyntax take a VM instead of an ExecState + Store barrier elision should run after DCE in both the DFG path and the FTL path + https://bugs.webkit.org/show_bug.cgi?id=129718 - RS=Tim + Rubber stamped by Mark Hahnenberg. - * jsc.cpp: - (runInteractive): - * runtime/Completion.cpp: - (JSC::checkSyntax): - * runtime/Completion.h: - (JSC): + * dfg/DFGPlan.cpp: + (JSC::DFG::Plan::compileInThreadImpl): -2013-04-25 Michael Saboff +2014-05-21 Zsolt Borbely - 32 Bit: Crash due to RegExpTest nodes not setting result type to Boolean - https://bugs.webkit.org/show_bug.cgi?id=115188 + [EFL] Add include path of compact_unwind_encoding.h if FTL JIT is enabled + https://bugs.webkit.org/show_bug.cgi?id=132907 - Reviewed by Geoffrey Garen. + Reviewed by Gyuyoung Kim. - Changed the RegExpTest node to set the AbstractValue to boolean, since that - what it is. + * CMakeLists.txt: - * dfg/DFGAbstractState.cpp: - (JSC::DFG::AbstractState::executeEffects): +2014-05-16 Martin Robinson -2013-04-25 Julien Brianceau + [CMake] Improve handling of LIB_INSTALL_DIR, EXEC_INSTALL_DIR, and LIBEXEC_INSTALL_DIR + https://bugs.webkit.org/show_bug.cgi?id=132819 - REGRESSION(r137994): Random crashes occur with SH4 JSC. - https://bugs.webkit.org/show_bug.cgi?id=115167. + Reviewed by Carlos Garcia Campos. - Reviewed by Oliver Hunt. + * javascriptcoregtk.pc.in: Instead of using the special pkg-config variables, + use the common CMake ones directly. - Since r137994, uncommited pages could be inside the area of memory in - parameter of the cacheFlush function. That's why we have to flush each - page separately to avoid a fail of the whole flush, if an uncommited page - is in the area. +2014-05-21 Filip Pizlo - This patch is very similar to changeset 145194 made for ARMv7 architecture, - see https://bugs.webkit.org/show_bug.cgi?id=111441 for further information. + Unreviewed, roll out http://trac.webkit.org/changeset/169159. + + This was a unilateral change and wasn't properly reviewed. - * assembler/SH4Assembler.h: - (JSC::SH4Assembler::cacheFlush): + * tests/mozilla/mozilla-tests.yaml: -2013-04-24 Mark Lam +2014-05-21 Antoine Quint - Add watchdog timer polling for the DFG. - https://bugs.webkit.org/show_bug.cgi?id=115134. + Array.prototype.find and findIndex should skip holes + https://bugs.webkit.org/show_bug.cgi?id=132658 Reviewed by Geoffrey Garen. - The strategy is to add a speculation check to the DFG generated code to - test if the watchdog timer has fired or not. If the watchdog timer has - fired, the generated code will do an OSR exit to the baseline JIT, and - let it handle servicing the watchdog timer. + Skip holes in the array when iterating such that callback isn't called. - If the watchdog is not enabled, this speculation check will not be - emitted. + * builtins/Array.prototype.js: + (find): + (findIndex): - * API/tests/testapi.c: - (currentCPUTime_callAsFunction): - (extendTerminateCallback): - (main): - - removed try/catch statements so that we can test the watchdog on the DFG. - - added JS bindings to a native currentCPUTime() function so that the timeout - tests can be more accurate. - - also shortened the time values so that the tests can complete sooner. - - * bytecode/ExitKind.h: - * dfg/DFGAbstractState.cpp: - (JSC::DFG::AbstractState::executeEffects): +2014-05-21 Eva Balazsfalvi + + REGRESSION(r169092 and r169102): Skip failing JSC tests on ARM64 properly + https://bugs.webkit.org/show_bug.cgi?id=133149 + + Reviewed by Csaba Osztrogonác. + + * tests/mozilla/mozilla-tests.yaml: + +2014-05-20 Geoffrey Garen + + Rolled out + https://bugs.webkit.org/show_bug.cgi?id=133144 + + Reviewed by Gavin Barraclough. + + It caused a performance regression. + + * heap/BlockAllocator.cpp: + (JSC::BlockAllocator::blockFreeingThreadStartFunc): + +2014-05-20 Filip Pizlo + + DFG prediction propagation should agree with fixup phase over the return type of GetByVal + https://bugs.webkit.org/show_bug.cgi?id=133134 + + Reviewed by Mark Hahnenberg. + + Make prediction propagator use ArrayMode refinement to decide the return type. + + Also introduce a heap prediction intrinsic that allows us to test weird corner cases + like this. The only way we'll see a mismatch like this in the real world is probably + through a gnarly race condition. + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleIntrinsic): + * dfg/DFGNode.h: + (JSC::DFG::Node::setHeapPrediction): + * dfg/DFGPredictionPropagationPhase.cpp: + (JSC::DFG::PredictionPropagationPhase::propagate): + * jsc.cpp: + (GlobalObject::finishCreation): + (functionFalse1): + (functionFalse2): + (functionUndefined1): + (functionUndefined2): + (functionFalse): Deleted. + (functionOtherFalse): Deleted. + (functionUndefined): Deleted. + * runtime/Intrinsic.h: + * tests/stress/get-by-val-double-predicted-int.js: Added. + (foo): + +2014-05-20 Mark Hahnenberg + + Watchdog timer should be lazily allocated + https://bugs.webkit.org/show_bug.cgi?id=133135 + + Reviewed by Geoffrey Garen. + + We incur a noticeable amount of overhead on some benchmarks due to checking if the Watchdog ever fired. + There is no reason to do this checking if we never activated the Watchdog, which can only be done through + JSContextGroupSetExecutionTimeLimit or JSContextGroupClearExecutionTimeLimit. + + By allocating the Watchdog lazily on the VM we can avoid all of the associated overhead when we don't use + these two API functions (which is true of most clients). + + * API/JSContextRef.cpp: + (JSContextGroupSetExecutionTimeLimit): + (JSContextGroupClearExecutionTimeLimit): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * interpreter/Interpreter.cpp: + (JSC::Interpreter::execute): + (JSC::Interpreter::executeCall): + (JSC::Interpreter::executeConstruct): + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_loop_hint): + (JSC::JIT::emitSlow_op_loop_hint): + * jit/JITOperations.cpp: + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * runtime/VM.h: + * runtime/Watchdog.cpp: + (JSC::Watchdog::Scope::Scope): Deleted. + (JSC::Watchdog::Scope::~Scope): Deleted. + * runtime/Watchdog.h: + (JSC::Watchdog::Scope::Scope): + (JSC::Watchdog::Scope::~Scope): + +2014-05-19 Mark Hahnenberg + + JSArray::shiftCountWith* could be more efficient + https://bugs.webkit.org/show_bug.cgi?id=133011 + + Reviewed by Geoffrey Garen. + + Our current implementations of shiftCountWithAnyIndexingType and shiftCountWithArrayStorage + are scared of the presence of any holes in the array. We can mitigate this somewhat by enabling + them to correctly handle holes, thus avoiding the slowest of slow paths in most cases. + + * runtime/ArrayStorage.h: + (JSC::ArrayStorage::indexingHeader): + (JSC::ArrayStorage::length): + (JSC::ArrayStorage::hasHoles): + * runtime/IndexingHeader.h: + (JSC::IndexingHeader::publicLength): + (JSC::IndexingHeader::from): + * runtime/JSArray.cpp: + (JSC::JSArray::shiftCountWithArrayStorage): + (JSC::JSArray::shiftCountWithAnyIndexingType): + (JSC::JSArray::unshiftCountWithArrayStorage): + * runtime/JSArray.h: + (JSC::JSArray::shiftCountForShift): + (JSC::JSArray::shiftCountForSplice): + (JSC::JSArray::shiftCount): + * runtime/Structure.cpp: + (JSC::Structure::holesRequireSpecialBehavior): + * runtime/Structure.h: + +2014-05-19 Filip Pizlo + + Test gardening: skip some failing tests on not-X86. + + * tests/mozilla/mozilla-tests.yaml: + +2014-05-19 Mark Lam + + operationOptimize() should defer the GC for a while. + + + Reviewed by Filip Pizlo. + + Currently, operationOptimize() only defers the GC until its end. As a result, + a GC may be triggered just before we return from operationOptimize(), and it may + jettison the optimize codeBlock that we're planning to OSR enter into when we + return from this function. This is because the OSR entry on-ramp code hasn't + been executed yet, and hence, there is not yet a reference to this new codeBlock + from the stack, and there won't be until we've had a chance to return out of + operationOptimize() to run the OSR entry on-ramp code. + + This issue is now fixed by using DeferGCForAWhile instead of DeferGC. This + ensures that the GC will be deferred until after the OSR entry on-ramp can be + executed. + + * jit/JITOperations.cpp: + +2014-05-19 Filip Pizlo + + Take care of some ARM64 test failures + https://bugs.webkit.org/show_bug.cgi?id=133090 + + Reviewed by Geoffrey Garen. + + Constant blinding on ARM64 cannot use the scratch register. + + * assembler/MacroAssembler.h: + (JSC::MacroAssembler::convertInt32ToDouble): + (JSC::MacroAssembler::branchPtr): + (JSC::MacroAssembler::storePtr): + (JSC::MacroAssembler::store64): + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::scratchRegisterForBlinding): + +2014-05-19 Tanay C + + Removing some check-webkit-style warnings from ./dfg + https://bugs.webkit.org/show_bug.cgi?id=132854 + + Reviewed by Darin Adler. + + * dfg/DFGAbstractInterpreter.h: + * dfg/DFGAbstractValue.h: + * dfg/DFGBlockInsertionSet.h: + * dfg/DFGCommonData.h: + * dfg/DFGDominators.h: + * dfg/DFGGraph.h: + * dfg/DFGInPlaceAbstractState.h: + * dfg/DFGPredictionPropagationPhase.h: + +2014-05-18 Filip Pizlo + + Unreviewed, remove bogus comment. We already made the FTL use our calling convention. + That was a long time ago. + + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileReturn): + +2014-05-18 Rik Cabanier + + support for navigator.hardwareConcurrency + https://bugs.webkit.org/show_bug.cgi?id=132588 + + Reviewed by Filip Pizlo. + + * Configurations/FeatureDefines.xcconfig: + +2014-05-16 Michael Saboff + + Crash in JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generatePatternCharacterFixed() due to WTF::CrashOnOverflow::overflowed + 9 + https://bugs.webkit.org/show_bug.cgi?id=133009 + + Reviewed by Oliver Hunt. + + If we determine that any alternative requires a minumum match size greater than + INT_MAX, we handle the match in the interpreter. + + Check to see if the pattern has unsigned lengths before invoking YARR JIT. + * runtime/RegExp.cpp: + (JSC::RegExp::compile): + (JSC::RegExp::compileMatchOnly): + + * tests/stress/large-regexp.js: New test added. + + Set m_containsUnsignedLengthPattern flag if any alternative's minimum length + doesn't fit in an int. + * yarr/YarrPattern.cpp: + (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets): + + Clear new m_containsUnsignedLengthPattern flag. + * yarr/YarrPattern.cpp: + (JSC::Yarr::YarrPattern::YarrPattern): + * yarr/YarrPattern.h: + (JSC::Yarr::YarrPattern::reset): + (JSC::Yarr::YarrPattern::containsUnsignedLengthPattern): + +2014-05-15 Mark Hahnenberg + + JSDOMWindow should not claim HasImpureGetOwnPropertySlot + https://bugs.webkit.org/show_bug.cgi?id=132918 + + Reviewed by Geoffrey Garen. + + * jit/Repatch.cpp: + (JSC::tryRepatchIn): We forgot to check for watchpoints when repatching "in". + +2014-05-15 Alex Christensen + + Add pointer lock to features without enabling it. + https://bugs.webkit.org/show_bug.cgi?id=132961 + + Reviewed by Sam Weinig. + + * Configurations/FeatureDefines.xcconfig: + Added ENABLE_POINTER_LOCK to list of features. + +2014-05-14 Mark Hahnenberg + + Inline caching for proxies clobbers baseGPR too early + https://bugs.webkit.org/show_bug.cgi?id=132916 + + Reviewed by Filip Pizlo. + + We clobber baseGPR prior to the Structure checks, so if any of the checks fail then the slow path + gets the target of the proxy rather than the proxy itself. We need to delay the clobbering of baseGPR + until we know the inline cache is going to succeed. + + * jit/Repatch.cpp: + (JSC::generateByIdStub): + +2014-05-14 Brent Fulgham + + [Win] Unreviewed build fix. + + * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: This solution + was missing commands to build LLInt portions of JSC. + * llint/LLIntData.cpp: 64-bit build fix. + +2014-05-14 Martin Hodovan + + ARM Traditional buildfix after r168776. + https://bugs.webkit.org/show_bug.cgi?id=132903 + + Reviewed by Darin Adler. + + * assembler/MacroAssemblerARM.h: + (JSC::MacroAssemblerARM::abortWithReason): Added. + +2014-05-14 Tibor Meszaros + + Remove CSS_STICKY_POSITION guards + https://bugs.webkit.org/show_bug.cgi?id=132676 + + Reviewed by Simon Fraser. + + * Configurations/FeatureDefines.xcconfig: + +2014-05-13 Filip Pizlo + + JIT breakpoints should be more informative + https://bugs.webkit.org/show_bug.cgi?id=132882 + + Reviewed by Oliver Hunt. + + Introduce the notion of an AbortReason, which is a nice enumeration of coded assertion + failure names. This means that all you need to figure out why the JIT SIGTRAP'd is to look + at that platform's abort reason register (r11 on X86-64 for example). + + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.xcodeproj/project.pbxproj: + * assembler/AbortReason.h: Added. + * assembler/AbstractMacroAssembler.h: + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::abortWithReason): + * assembler/MacroAssemblerARMv7.h: + (JSC::MacroAssemblerARMv7::abortWithReason): + * assembler/MacroAssemblerX86.h: + (JSC::MacroAssemblerX86::abortWithReason): + * assembler/MacroAssemblerX86_64.h: + (JSC::MacroAssemblerX86_64::abortWithReason): + * dfg/DFGSlowPathGenerator.h: + (JSC::DFG::SlowPathGenerator::generate): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::bail): + (JSC::DFG::SpeculativeJIT::compileCurrentBlock): + (JSC::DFG::SpeculativeJIT::compileMakeRope): + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::fillSpeculateCell): + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGThunks.cpp: + (JSC::DFG::osrEntryThunkGenerator): + * jit/AssemblyHelpers.cpp: + (JSC::AssemblyHelpers::jitAssertIsInt32): + (JSC::AssemblyHelpers::jitAssertIsJSInt32): + (JSC::AssemblyHelpers::jitAssertIsJSNumber): + (JSC::AssemblyHelpers::jitAssertIsJSDouble): + (JSC::AssemblyHelpers::jitAssertIsCell): + (JSC::AssemblyHelpers::jitAssertTagsInPlace): + (JSC::AssemblyHelpers::jitAssertHasValidCallFrame): + (JSC::AssemblyHelpers::jitAssertIsNull): + (JSC::AssemblyHelpers::jitAssertArgumentCountSane): + (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo): + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::checkStackPointerAlignment): + (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo): Deleted. + * jit/JIT.h: + * jit/JITArithmetic.cpp: + (JSC::JIT::emitSlow_op_div): + * jit/JITOpcodes.cpp: + (JSC::JIT::emitSlow_op_loop_hint): + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::privateCompileCTINativeCall): + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emit_op_get_by_val): + (JSC::JIT::compileGetDirectOffset): + (JSC::JIT::addStructureTransitionCheck): Deleted. + (JSC::JIT::testPrototype): Deleted. + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emit_op_get_by_val): + (JSC::JIT::compileGetDirectOffset): + * jit/RegisterPreservationWrapperGenerator.cpp: + (JSC::generateRegisterRestoration): + * jit/Repatch.cpp: + (JSC::addStructureTransitionCheck): + (JSC::linkClosureCall): + * jit/ThunkGenerators.cpp: + (JSC::emitPointerValidation): + (JSC::nativeForGenerator): + * yarr/YarrJIT.cpp: + (JSC::Yarr::YarrGenerator::generate): + +2014-05-13 peavo@outlook.com + + [Win] Enum type with value zero is compatible with void*, potential cause of crashes. + https://bugs.webkit.org/show_bug.cgi?id=132772 + + Reviewed by Geoffrey Garen. + + Using the MSVC compiler, an instance of an enum type with value zero, is compatible with void* (see bug 132683 for a code example). + This has caused crashes on Windows on two occasions (bug 132683, and bug 121001). + This patch tries to prevent these type of crashes by using a type with explicit constructors instead of void*. + The void* parameter in the loadDouble and storeDouble methods are replaced with TrustedImmPtr. + + * assembler/MacroAssemblerARM.h: + (JSC::MacroAssemblerARM::loadDouble): + (JSC::MacroAssemblerARM::storeDouble): + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::loadDouble): + (JSC::MacroAssemblerARM64::storeDouble): + * assembler/MacroAssemblerARMv7.h: + (JSC::MacroAssemblerARMv7::loadDouble): + (JSC::MacroAssemblerARMv7::storeDouble): + * assembler/MacroAssemblerMIPS.h: + (JSC::MacroAssemblerMIPS::loadDouble): + (JSC::MacroAssemblerMIPS::storeDouble): + * assembler/MacroAssemblerSH4.h: + (JSC::MacroAssemblerSH4::loadDouble): + (JSC::MacroAssemblerSH4::storeDouble): + * assembler/MacroAssemblerX86.h: + (JSC::MacroAssemblerX86::storeDouble): + * assembler/MacroAssemblerX86Common.h: + (JSC::MacroAssemblerX86Common::absDouble): + (JSC::MacroAssemblerX86Common::negateDouble): + (JSC::MacroAssemblerX86Common::loadDouble): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::silentFill): + (JSC::DFG::compileClampDoubleToByte): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): + (JSC::DFG::SpeculativeJIT::compile): + * jit/AssemblyHelpers.cpp: + (JSC::AssemblyHelpers::purifyNaN): + * jit/JITInlines.h: + (JSC::JIT::emitLoadDouble): + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emitFloatTypedArrayGetByVal): + * jit/ThunkGenerators.cpp: + (JSC::floorThunkGenerator): + (JSC::roundThunkGenerator): + (JSC::powThunkGenerator): + +2014-05-12 Commit Queue + + Unreviewed, rolling out r168642. + https://bugs.webkit.org/show_bug.cgi?id=132839 + + Broke ARM build (Requested by jpfau on #webkit). + + Reverted changeset: + + "[Win] Enum type with value zero is compatible with void*, + potential cause of crashes." + https://bugs.webkit.org/show_bug.cgi?id=132772 + http://trac.webkit.org/changeset/168642 + +2014-05-12 peavo@outlook.com + + [Win] Enum type with value zero is compatible with void*, potential cause of crashes. + https://bugs.webkit.org/show_bug.cgi?id=132772 + + Reviewed by Geoffrey Garen. + + Using the MSVC compiler, an instance of an enum type with value zero, is compatible with void* (see bug 132683 for a code example). + This has caused crashes on Windows on two occasions (bug 132683, and bug 121001). + This patch tries to prevent these type of crashes by using a type with explicit constructors instead of void*. + The void* parameter in the loadDouble and storeDouble methods are replaced with TrustedImmPtr. + + * assembler/MacroAssemblerARM.h: + (JSC::MacroAssemblerARM::loadDouble): + (JSC::MacroAssemblerARM::storeDouble): + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::loadDouble): + (JSC::MacroAssemblerARM64::storeDouble): + * assembler/MacroAssemblerARMv7.h: + (JSC::MacroAssemblerARMv7::loadDouble): + (JSC::MacroAssemblerARMv7::storeDouble): + * assembler/MacroAssemblerMIPS.h: + (JSC::MacroAssemblerMIPS::loadDouble): + (JSC::MacroAssemblerMIPS::storeDouble): + * assembler/MacroAssemblerSH4.h: + (JSC::MacroAssemblerSH4::loadDouble): + (JSC::MacroAssemblerSH4::storeDouble): + * assembler/MacroAssemblerX86.h: + (JSC::MacroAssemblerX86::storeDouble): + * assembler/MacroAssemblerX86Common.h: + (JSC::MacroAssemblerX86Common::absDouble): + (JSC::MacroAssemblerX86Common::negateDouble): + (JSC::MacroAssemblerX86Common::loadDouble): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::silentFill): + (JSC::DFG::compileClampDoubleToByte): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): + (JSC::DFG::SpeculativeJIT::compile): + * jit/AssemblyHelpers.cpp: + (JSC::AssemblyHelpers::purifyNaN): + * jit/JITInlines.h: + (JSC::JIT::emitLoadDouble): + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emitFloatTypedArrayGetByVal): + * jit/ThunkGenerators.cpp: + (JSC::floorThunkGenerator): + (JSC::roundThunkGenerator): + (JSC::powThunkGenerator): + +2014-05-12 Andreas Kling + + 0.4% of PLT3 in JSCell::structure() below JSObject::visitChildren(). + + + + Reviewed by Michael Saboff. + + * runtime/JSObject.cpp: + (JSC::JSObject::visitButterfly): + (JSC::JSObject::visitChildren): + + Use JSCell::structure(VM&) to reduce the number of hoops we jump + through to find Structures during marking. + +2014-05-12 László Langó + + [cmake] Add missing FTL source files to the build system. + + Reviewed by Csaba Osztrogonác. + + * CMakeLists.txt: + +2014-05-09 Joseph Pecoraro + + Web Inspector: Allow Remote Inspector to entitlement check UIProcess through WebProcess + https://bugs.webkit.org/show_bug.cgi?id=132409 + + Reviewed by Timothy Hatcher. + + Proxy applications are applications which hold WebViews for other + applications. The WebProcess (Web Content Service) is a proxy application. + For legacy reasons we were supporting a scenario where proxy applications + could potentially host WebViews for more then one other application. That + was never the case for WebProcess and it is now a scenario we don't need + to worry about supporting. + + With this change, a proxy application more naturally only holds WebViews + for a single parent / host application. The proxy process can set the + parent pid / audit_token data on the RemoteInspector singleton, and + that data will be sent on to webinspectord later on to be validated. + In the WebProcess<->UIProcess relationship that information is known + and set immediately. In the Legacy iOS case that information is set + soon after, but not immediately known at the point the WebView is created. + + This allows us to simplify the RemoteInspectorDebuggable interface. + We no longer need a pid per-Debuggable. + + * inspector/remote/RemoteInspector.h: + * inspector/remote/RemoteInspector.mm: + (Inspector::RemoteInspector::RemoteInspector): + (Inspector::RemoteInspector::setParentProcessInformation): + (Inspector::RemoteInspector::xpcConnectionReceivedMessage): + (Inspector::RemoteInspector::listingForDebuggable): + (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage): + Handle new proxy application setup message, and provide an API + for a proxy application to set the parent process information. + + * inspector/remote/RemoteInspectorConstants.h: + New setup and response message for proxy applications to pass + their parent / host application information to webinspectord. + + * inspector/remote/RemoteInspectorDebuggable.cpp: + (Inspector::RemoteInspectorDebuggable::info): + * inspector/remote/RemoteInspectorDebuggable.h: + (Inspector::RemoteInspectorDebuggableInfo::RemoteInspectorDebuggableInfo): + (Inspector::RemoteInspectorDebuggableInfo::hasParentProcess): Deleted. + pid per debuggable is no longer needed. + +2014-05-09 Mark Hahnenberg + + JSDOMWindow should disable property caching after a certain point + https://bugs.webkit.org/show_bug.cgi?id=132751 + + Reviewed by Filip Pizlo. + + This is part of removing HasImpureGetOwnPropertySlot from JSDOMWindow. After the lookup in the static + hash table for JSDOMWindow fails we want to disable property caching even if the code that follows thinks + that it has provided a cacheable value. + + * runtime/PropertySlot.h: + (JSC::PropertySlot::PropertySlot): + (JSC::PropertySlot::isCacheable): + (JSC::PropertySlot::disableCaching): + +2014-05-09 Andreas Kling + + 8.8% spent in Object.prototype.hasOwnProperty() on sbperftest. + + + Leverage the fast-resolve-to-AtomicString optimization for JSRopeString + in Object.prototype.* by using JSString::toIdentifier() in the cases where + we are converting JSString -> String -> Identifier. + + This brings time spent in hasOwnProperty() from 8.8% to 1.3% on + "The Great HTML5 Gaming Performance Test: 2014 edition" + + + Reviewed by Oliver Hunt. + + * runtime/ObjectPrototype.cpp: + (JSC::objectProtoFuncHasOwnProperty): + (JSC::objectProtoFuncDefineGetter): + (JSC::objectProtoFuncDefineSetter): + (JSC::objectProtoFuncLookupGetter): + (JSC::objectProtoFuncLookupSetter): + +2014-05-08 Mark Hahnenberg + + JSDOMWindow should have a WatchpointSet to fire on window close + https://bugs.webkit.org/show_bug.cgi?id=132721 + + Reviewed by Filip Pizlo. + + This patch allows us to reset the inline caches that assumed they could skip + the first part of JSDOMWindow::getOwnPropertySlot that checks if the window has + been closed. This is part of getting rid of HasImpureGetOwnPropertySlot on JSDOMWindow. + + PropertySlot now accepts a WatchpointSet which the inline cache code can look for + to see if it should create a new Watchpoint for that particular inline cache site. + + * bytecode/Watchpoint.h: + * jit/Repatch.cpp: + (JSC::generateByIdStub): + (JSC::tryBuildGetByIDList): + (JSC::tryCachePutByID): + (JSC::tryBuildPutByIdList): + * runtime/PropertySlot.h: + (JSC::PropertySlot::PropertySlot): + (JSC::PropertySlot::watchpointSet): + (JSC::PropertySlot::setWatchpointSet): + +2014-05-09 Tanay C + + Fix build warning (uninitialized variable) in DFGFixupPhase.cpp + https://bugs.webkit.org/show_bug.cgi?id=132331 + + Reviewed by Darin Adler. + + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): + +2014-05-09 peavo@outlook.com + + [Win] Crash when enabling DFG JIT. + https://bugs.webkit.org/show_bug.cgi?id=132683 + + Reviewed by Geoffrey Garen. + + On windows, using register GPRInfo::regT0 as parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0)), + results in a call to JIT::storeDouble(FPRegisterID src, const void* address), + where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows). + This causes the register to be written to address 0, hence the crash. + + * dfg/DFGOSRExitCompiler32_64.cpp: + (JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter. + * dfg/DFGOSRExitCompiler64.cpp: + (JSC::DFG::OSRExitCompiler::compileExit): Ditto. + +2014-05-09 Martin Hodovan + + REGRESSION(r167094): JSC crashes on ARM Traditional + https://bugs.webkit.org/show_bug.cgi?id=132738 + + Reviewed by Zoltan Herczeg. + + PC is two instructions ahead of the current instruction + on ARM Traditional, so the distance is 8 bytes not 2. + + * llint/LowLevelInterpreter.asm: + +2014-05-09 Alberto Garcia + + jsmin.py license header confusing, mentions non-free license + https://bugs.webkit.org/show_bug.cgi?id=123665 + + Reviewed by Darin Adler. + + Pull the most recent version from upstream, which has a clear + license. + + * inspector/scripts/jsmin.py: + +2014-05-08 Mark Hahnenberg + + Base case for get-by-id inline cache doesn't check for HasImpureGetOwnPropertySlot + https://bugs.webkit.org/show_bug.cgi?id=132695 + + Reviewed by Filip Pizlo. + + We check in the case where we're accessing something other than the base object (e.g. the prototype), + but we fail to do so for the base object. + + * jit/Repatch.cpp: + (JSC::tryCacheGetByID): + (JSC::tryBuildGetByIDList): + * jsc.cpp: Added some infrastructure to support this test. We don't currently trigger this bug anywhere in WebKit + because all of the values that are returned that could be impure are set to uncacheable anyways. + (WTF::ImpureGetter::ImpureGetter): + (WTF::ImpureGetter::createStructure): + (WTF::ImpureGetter::create): + (WTF::ImpureGetter::finishCreation): + (WTF::ImpureGetter::getOwnPropertySlot): + (WTF::ImpureGetter::visitChildren): + (WTF::ImpureGetter::setDelegate): + (GlobalObject::finishCreation): + (functionCreateImpureGetter): + (functionSetImpureGetterDelegate): + * tests/stress/impure-get-own-property-slot-inline-cache.js: Added. + (foo): + +2014-05-08 Filip Pizlo + + deleteAllCompiledCode() shouldn't use the suspension worklist + https://bugs.webkit.org/show_bug.cgi?id=132708 + + Reviewed by Mark Hahnenberg. + + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult): + * dfg/DFGPlan.cpp: + (JSC::DFG::Plan::isStillValid): + * heap/Heap.cpp: + (JSC::Heap::deleteAllCompiledCode): + +2014-05-08 Filip Pizlo + + SSA conversion should delete PhantomLocals for captured variables + https://bugs.webkit.org/show_bug.cgi?id=132693 + + Reviewed by Mark Hahnenberg. + + * dfg/DFGCommon.cpp: + (JSC::DFG::startCrashing): Parallel JIT and a JIT bug means that we man dump IR in parallel. This is the workaround. This patch uses it in all of the places where we dump IR and crash. + * dfg/DFGCommon.h: + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): Use the workaround. + * dfg/DFGLivenessAnalysisPhase.cpp: + (JSC::DFG::LivenessAnalysisPhase::run): Use the workaround. + * dfg/DFGSSAConversionPhase.cpp: + (JSC::DFG::SSAConversionPhase::run): Fix the bug - it's true that PhantomLocal for captured variables doesn't need anything done to it, but it's wrong that we didn't delete it outright. + * dfg/DFGValidate.cpp: Use the workaround. + * tests/stress/phantom-local-captured-but-not-flushed-to-ssa.js: Added. + (foo): + (bar): + +2014-05-07 Commit Queue + + Unreviewed, rolling out r168451. + https://bugs.webkit.org/show_bug.cgi?id=132670 + + Not a speed-up, just do what other compilers do. (Requested by + kling on #webkit). + + Reverted changeset: + + "[X86] Emit BT instruction for single-bit tests." + https://bugs.webkit.org/show_bug.cgi?id=132650 + http://trac.webkit.org/changeset/168451 + +2014-05-07 Filip Pizlo + + Make Executable::clearCode() actually clear all of the entrypoints, and + clean up some other FTL-related calling convention stuff. + + + Rubber stamped by Mark Hahnenberg. + + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGWorklist.cpp: + (JSC::DFG::Worklist::Worklist): + (JSC::DFG::Worklist::finishCreation): + (JSC::DFG::Worklist::create): + (JSC::DFG::ensureGlobalDFGWorklist): + (JSC::DFG::ensureGlobalFTLWorklist): + * dfg/DFGWorklist.h: + * heap/CodeBlockSet.cpp: + (JSC::CodeBlockSet::dump): + * heap/CodeBlockSet.h: + * runtime/Executable.cpp: + (JSC::ExecutableBase::clearCode): + +2014-05-07 Andreas Kling + + [X86] Emit BT instruction for single-bit tests. + + + Implement test-bit-and-branch slightly more efficiently by using + BT + JC/JNC instead of TEST + JZ/JNZ when we're only testing for + a single bit. + + Reviewed by Michael Saboff. + + * assembler/MacroAssemblerX86Common.h: + (JSC::MacroAssemblerX86Common::singleBitIndex): + (JSC::MacroAssemblerX86Common::branchTest32): + * assembler/X86Assembler.h: + (JSC::X86Assembler::bt_i8r): + (JSC::X86Assembler::bt_i8m): + +2014-05-07 Mark Lam + + REGRESSION(r166678): Dromaeo/cssquery-dojo.html crashes regularly. + + + Reviewed by Geoffrey Garen. + + The issue is that GC needs to be made aware of writes to m_inferredValue + in the VariableWatchpointSet, but was not. As a result, if a JSCell* + is written to a VariableWatchpointSet m_inferredValue, and that JSCell + does not survive an eden GC shortly after, we will end up with a stale + JSCell pointer left in the m_inferredValue. + + This issue can be detected more easily by running Dromaeo/cssquery-dojo.html + using DumpRenderTree with the VM heap in zombie mode. + + The fix is to change VariableWatchpointSet m_inferredValue to type + WriteBarrier and ensure that VariableWatchpointSet::notifyWrite() + is executed by all the execution engines so that the WriteBarrier semantics + are honored. + + We still check if the value to be written is the same as the one in the + inferredValue. We'll by-pass calling the slow path notifyWrite() if the + values are the same. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::CodeBlock): + - need to pass the symbolTable to prepareToWatch() because it will be needed + for instantiating the VariableWatchpointSet in prepareToWatch(). + + * bytecode/VariableWatchpointSet.h: + (JSC::VariableWatchpointSet::VariableWatchpointSet): + - VariableWatchpointSet now tracks its owner symbol table for its m_inferredValue + write barrier, and yes, m_inferredValue is now of type WriteBarrier. + (JSC::VariableWatchpointSet::inferredValue): + (JSC::VariableWatchpointSet::invalidate): + (JSC::VariableWatchpointSet::finalizeUnconditionally): + (JSC::VariableWatchpointSet::addressOfInferredValue): + (JSC::VariableWatchpointSet::notifyWrite): Deleted. + * bytecode/VariableWatchpointSetInlines.h: Added. + (JSC::VariableWatchpointSet::notifyWrite): + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::cellConstant): + - Added an assert in case we try to make constants of zombified JSCells again. + + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::callOperation): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + - We now let the slow path handle the cases when the VariableWatchpointSet is + in state ClearWatchpoint and IsWatched, and the slow path will ensure that + we handle the needed write barrier semantics correctly. + We will by-pass the slow path if the value being written is the same as the + inferred value. + + * ftl/FTLIntrinsicRepository.h: + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite): + - Let the slow path handle the cases when the VariableWatchpointSet is + in state ClearWatchpoint and IsWatched. + We will by-pass the slow path if the value being written is the same as the + inferred value. + + * heap/Heap.cpp: + (JSC::Zombify::operator()): + - Use a different value for the zombified bits (to distinguish it from 0xbbadbeef + which is used everywhere else). + * heap/Heap.h: + (JSC::Heap::isZombified): + - Provide a convenience test function to check if JSCells are zombified. This is + currently only used in an assertion in the DFG bytecode parser, but the intent + it that we'll apply this test in other strategic places later to help with early + detection of usage of GC'ed objects when we run in zombie mode. + + * jit/JITOpcodes.cpp: + (JSC::JIT::emitSlow_op_captured_mov): + * jit/JITOperations.h: + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emitNotifyWrite): + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emitNotifyWrite): + (JSC::JIT::emitSlow_op_put_to_scope): + - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet + is in state ClearWatchpoint and IsWatched. + We will by-pass the slow path if the value being written is the same as the + inferred value. + + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet + is in state ClearWatchpoint and IsWatched. + We will by-pass the slow path if the value being written is the same as the + inferred value. + + * runtime/CommonSlowPaths.cpp: + + * runtime/JSCJSValue.h: Fixed some typos in the comments. + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::addGlobalVar): + (JSC::JSGlobalObject::addFunction): + * runtime/JSSymbolTableObject.h: + (JSC::symbolTablePut): + (JSC::symbolTablePutWithAttributes): + * runtime/SymbolTable.cpp: + (JSC::SymbolTableEntry::prepareToWatch): + (JSC::SymbolTableEntry::notifyWriteSlow): + * runtime/SymbolTable.h: + (JSC::SymbolTableEntry::notifyWrite): + +2014-05-06 Michael Saboff + + Unreviewd build fix for C-LOOP after r168396. + + * runtime/TestRunnerUtils.cpp: + (JSC::optimizeNextInvocation): Wrapped actual call inside #if ENABLE(JIT) + +2014-05-06 Michael Saboff + + Add test for deleteAllCompiledCode + https://bugs.webkit.org/show_bug.cgi?id=132632 + + Reviewed by Phil Pizlo. + + Added two new hooks to jsc, one to call Heap::deleteAllCompiledCode() and + the other to call CodeBlock::optimizeNextInvocation(). Used these two hooks + to write a test that will queue up loads of DFG compiles and then call + Heap::deleteAllCompiledCode() to make sure that it can handle compiled + code as well as code being compiled. + + * jsc.cpp: + (GlobalObject::finishCreation): + (functionDeleteAllCompiledCode): + (functionOptimizeNextInvocation): + * runtime/TestRunnerUtils.cpp: + (JSC::optimizeNextInvocation): + * runtime/TestRunnerUtils.h: + * tests/stress/deleteAllCompiledCode.js: Added. + (functionList): + (runTest): + +2014-05-06 Andreas Kling + + JSString::toAtomicString() should return AtomicString. + + + Remove premature optimization where I was trying to avoid refcount + churn when returning an already atomicized String. + + Instead of using reinterpret_cast to mangle the String member into + a const AtomicString& return value, just return AtomicString. + + Reviewed by Geoff Garen. + + * runtime/JSString.h: + (JSC::JSString::toAtomicString): + +2014-05-06 Mark Hahnenberg + + Roll out r167889 + + Rubber stamped by Geoff Garen. + + It broke some websites. + + * runtime/JSPropertyNameIterator.cpp: + (JSC::JSPropertyNameIterator::create): + * runtime/PropertyMapHashTable.h: + (JSC::PropertyTable::hasDeletedOffset): + (JSC::PropertyTable::hadDeletedOffset): Deleted. + * runtime/Structure.cpp: + (JSC::Structure::Structure): + (JSC::Structure::materializePropertyMap): + (JSC::Structure::removePropertyTransition): + (JSC::Structure::changePrototypeTransition): + (JSC::Structure::despecifyFunctionTransition): + (JSC::Structure::attributeChangeTransition): + (JSC::Structure::toDictionaryTransition): + (JSC::Structure::preventExtensionsTransition): + (JSC::Structure::addPropertyWithoutTransition): + (JSC::Structure::removePropertyWithoutTransition): + (JSC::Structure::pin): + (JSC::Structure::pinAndPreventTransitions): Deleted. + * runtime/Structure.h: + * runtime/StructureInlines.h: + (JSC::Structure::setEnumerationCache): + (JSC::Structure::propertyTable): + (JSC::Structure::checkOffsetConsistency): + (JSC::Structure::hadDeletedOffsets): Deleted. + * tests/stress/for-in-after-delete.js: + (foo): Deleted. + +2014-05-05 Andreas Kling + + Fix debug build. + + * runtime/JSCellInlines.h: + (JSC::JSCell::fastGetOwnProperty): + +2014-05-05 Andreas Kling + + Optimize GetByVal when subscript is a rope string. + + + Use JSString::toIdentifier() in the various GetByVal implementations + to try and avoid allocating extra strings. + + Added canUseFastGetOwnProperty() and wrap calls to fastGetOwnProperty() + in that, to avoid calling JSString::value() which always resolves ropes + into new strings and de-optimizes subsequent toIdentifier() calls. + + My iMac says ~9% progression on Dromaeo/dom-attr.html + + Reviewed by Phil Pizlo. + + * dfg/DFGOperations.cpp: + * jit/JITOperations.cpp: + (JSC::getByVal): + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::getByVal): + * runtime/JSCell.h: + * runtime/JSCellInlines.h: + (JSC::JSCell::fastGetOwnProperty): + (JSC::JSCell::canUseFastGetOwnProperty): + +2014-05-05 Andreas Kling + + REGRESSION (r168256): ASSERTION FAILED: (buffer + m_length) == position loading vanityfair.com article. + + + + Make resolveRopeSlowCase8() behave like its 16-bit counterpart and not + clear the fibers. The caller takes care of this. + + Test: fast/dom/getElementById-with-rope-string-arg.html + + Reviewed by Geoffrey Garen. + + * runtime/JSString.cpp: + (JSC::JSRopeString::resolveRopeSlowCase8): + +2014-05-05 Michael Saboff + + REGRESSION: RELEASE_ASSERT in CodeBlock::baselineVersion @ cnn.com + https://bugs.webkit.org/show_bug.cgi?id=132581 + + Reviewed by Filip Pizlo. + + * dfg/DFGPlan.cpp: + (JSC::DFG::Plan::isStillValid): Check that the alternative codeBlock we + started compiling for is still the same at the end of compilation. + Also did some minor restructuring. + +2014-05-05 Andreas Kling + + Optimize PutByVal when subscript is a rope string. + + + Add a JSString::toIdentifier() that is smarter when the JSString is + really a rope string. Use this in baseline & DFG's PutByVal to avoid + allocating new StringImpls that we immediately deduplicate anyway. + + Reviewed by Antti Koivisto. + + * dfg/DFGOperations.cpp: + (JSC::DFG::operationPutByValInternal): + * jit/JITOperations.cpp: + * runtime/JSString.h: + (JSC::JSString::toIdentifier): + +2014-05-05 Andreas Kling + + Remove two now-incorrect assertions after r168256. + + * runtime/JSString.cpp: + (JSC::JSRopeString::resolveRopeSlowCase8): + (JSC::JSRopeString::resolveRopeSlowCase): + +2014-05-04 Andreas Kling + + Optimize JSRopeString for resolving directly to AtomicString. + + + If we know that the JSRopeString we are resolving is going to be used + as an AtomicString, we can try to avoid creating a new string. + + We do this by first resolving the rope into a stack buffer, and using + that buffer as a key into the AtomicString table. If there is already + an AtomicString with the same characters, we reuse that instead of + constructing a new StringImpl. + + JSString gains these two public functions: + + - AtomicString toAtomicString() + + Returns an AtomicString, tries to avoid allocating a new string + if possible. + + - AtomicStringImpl* toExistingAtomicString() + + Returns a non-null AtomicStringImpl* if one already exists in the + AtomicString table. If none is found, the rope is left unresolved. + + Reviewed by Filip Pizlo. + + * runtime/JSString.cpp: + (JSC::JSRopeString::resolveRopeInternal8): + (JSC::JSRopeString::resolveRopeInternal16): + (JSC::JSRopeString::resolveRopeToAtomicString): + (JSC::JSRopeString::clearFibers): + (JSC::JSRopeString::resolveRopeToExistingAtomicString): + (JSC::JSRopeString::resolveRope): + (JSC::JSRopeString::outOfMemory): + * runtime/JSString.h: + (JSC::JSString::toAtomicString): + (JSC::JSString::toExistingAtomicString): + +2014-05-04 Andreas Kling + + Unreviewed, rolling out r168254. + + Very crashy on debug JSC tests. + + Reverted changeset: + + "jsSubstring() should be lazy" + https://bugs.webkit.org/show_bug.cgi?id=132556 + http://trac.webkit.org/changeset/168254 + +2014-05-04 Filip Pizlo + + jsSubstring() should be lazy + https://bugs.webkit.org/show_bug.cgi?id=132556 + + Reviewed by Andreas Kling. + + jsSubstring() is now lazy by using a special rope that is a substring instead of a + concatenation. To make this patch super simple, we require that a substring's base is + never a rope. Hence, when resolving a rope, we either go down a non-recursive substring + path, or we go down a concatenation path which may see exactly one level of substrings in + its fibers. + + This is up to a 50% speed-up on microbenchmarks and a 10% speed-up on Octane/regexp. + + * heap/MarkedBlock.cpp: + (JSC::MarkedBlock::specializedSweep): + * runtime/JSString.cpp: + (JSC::JSRopeString::visitFibers): + (JSC::JSRopeString::resolveRope): + (JSC::JSRopeString::resolveRopeSlowCase8): + (JSC::JSRopeString::resolveRopeSlowCase): + (JSC::JSRopeString::outOfMemory): + * runtime/JSString.h: + (JSC::JSRopeString::finishCreation): + (JSC::JSRopeString::append): + (JSC::JSRopeString::create): + (JSC::JSRopeString::offsetOfFibers): + (JSC::JSRopeString::fiber): + (JSC::JSRopeString::substringBase): + (JSC::JSRopeString::substringOffset): + (JSC::JSRopeString::substringSentinel): + (JSC::JSRopeString::isSubstring): + (JSC::jsSubstring): + * runtime/RegExpMatchesArray.cpp: + (JSC::RegExpMatchesArray::reifyAllProperties): + * runtime/StringPrototype.cpp: + (JSC::stringProtoFuncSubstring): + +2014-05-02 Michael Saboff + + "arm64 function not 4-byte aligned" warnings when building JSC + https://bugs.webkit.org/show_bug.cgi?id=132495 + + Reviewed by Geoffrey Garen. + + Added ".align 4" for both ARM Thumb2 and ARM 64 to silence the linker. + + * llint/LowLevelInterpreter.cpp: + +2014-05-02 Mark Hahnenberg + + Fix cloop build after r168178 + + * bytecode/CodeBlock.cpp: + +2014-05-01 Mark Hahnenberg + + Add a DFG function whitelist + https://bugs.webkit.org/show_bug.cgi?id=132437 + + Reviewed by Geoffrey Garen. + + Often times when debugging, using bytecode ranges isn't enough to narrow down to the + particular DFG block that's causing issues. This patch adds the ability to whitelist + specific functions specified in a file to enable further filtering without having to recompile. + + * CMakeLists.txt: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: + * JavaScriptCore.xcodeproj/project.pbxproj: + * dfg/DFGCapabilities.cpp: + (JSC::DFG::isSupported): + (JSC::DFG::mightInlineFunctionForCall): + (JSC::DFG::mightInlineFunctionForClosureCall): + (JSC::DFG::mightInlineFunctionForConstruct): + * dfg/DFGFunctionWhitelist.cpp: Added. + (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist): + (JSC::DFG::FunctionWhitelist::FunctionWhitelist): + (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile): + (JSC::DFG::FunctionWhitelist::contains): + * dfg/DFGFunctionWhitelist.h: Added. + * runtime/Options.cpp: + (JSC::parse): + (JSC::Options::dumpOption): + * runtime/Options.h: + +2014-05-02 Filip Pizlo + + DFGAbstractInterpreter should not claim Int52 arithmetic creates Int52s + https://bugs.webkit.org/show_bug.cgi?id=132446 + + Reviewed by Mark Hahnenberg. + + Basically any arithmetic operation can turn an Int52 into an Int32 or vice-versa, and + our modeling of Int52Rep nodes is such that they can have either Int32 or Int52 type + to indicate a bound on the value. This is useful for knowing, for example, that + Int52Rep(Int32:) returns a value that cannot be outside the Int32 range. Also, + ValueRep(Int52Rep:) uses this to determine whether it may return a double or an int. + But this means that all arithmetic operations must be careful to note that they may + turn Int32 inputs into an Int52 output or vice-versa, as these new tests show. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::makeSafe): + * tests/stress/int52-ai-add-then-filter-int32.js: Added. + (foo): + * tests/stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js: Added. + (foo): + * tests/stress/int52-ai-mul-then-filter-int32-directly.js: Added. + (foo): + * tests/stress/int52-ai-mul-then-filter-int32.js: Added. + (foo): + * tests/stress/int52-ai-neg-then-filter-int32.js: Added. + (foo): + * tests/stress/int52-ai-sub-then-filter-int32.js: Added. + (foo): + +2014-05-01 Geoffrey Garen + + JavaScriptCore fails to build with some versions of clang + https://bugs.webkit.org/show_bug.cgi?id=132436 + + Reviewed by Anders Carlsson. + + * runtime/ArgumentsIteratorConstructor.cpp: Since we call + putDirectWithoutTransition, and it calls putWillGrowOutOfLineStorage, + and both are marked inline, it's valid for the compiler to decide + to inline both and emit neither in the binary. Therefore, we need + both inline definitions to be available in the translation unit at + compile time, or we'll try to link against a function that doesn't exist. + +2014-05-01 Commit Queue + + Unreviewed, rolling out r167964. + https://bugs.webkit.org/show_bug.cgi?id=132431 + + Memory improvements should not regress memory usage (Requested + by olliej on #webkit). + + Reverted changeset: + + "Don't hold on to parameter BindingNodes forever" + https://bugs.webkit.org/show_bug.cgi?id=132360 + http://trac.webkit.org/changeset/167964 + +2014-05-01 Filip Pizlo + + Fix trivial debug-only race-that-crashes in CallLinkStatus and explain why the remaining races are totally awesome + https://bugs.webkit.org/show_bug.cgi?id=132427 + + Reviewed by Mark Hahnenberg. + + * bytecode/CallLinkStatus.cpp: + (JSC::CallLinkStatus::computeFor): + +2014-04-30 Simon Fraser + + Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO + https://bugs.webkit.org/show_bug.cgi?id=132396 + + Reviewed by Eric Carlson. + + Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO and related code. + + * Configurations/FeatureDefines.xcconfig: + +2014-04-30 Filip Pizlo + + Argument flush formats should not be presumed to be JSValue since 'this' is weird + https://bugs.webkit.org/show_bug.cgi?id=132404 + + Reviewed by Michael Saboff. + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileCurrentBlock): Don't assume that arguments are flushed as JSValue. Use the logic for locals instead. + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): SetArgument "changes" the format because before this we wouldn't know we had arguments. + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): Ditto. + * dfg/DFGValueSource.cpp: + (JSC::DFG::ValueSource::dumpInContext): Make this easier to dump. + * dfg/DFGValueSource.h: + (JSC::DFG::ValueSource::operator!): Make this easier to dump because Operands uses T::operator!(). + * ftl/FTLOSREntry.cpp: + (JSC::FTL::prepareOSREntry): This had a useful assertion for everything except 'this'. + * tests/stress/strict-to-this-int.js: Added. + (foo): + (Number.prototype.valueOf): + (test): + +2014-04-29 Oliver Hunt + + Don't hold on to parameterBindingNodes forever + https://bugs.webkit.org/show_bug.cgi?id=132360 + + Reviewed by Geoffrey Garen. + + Don't keep the parameter nodes anymore. Instead we store the + original parameter string and reparse whenever we actually + need them. Because we only actually need them for compilation + this only results in a single extra parse. + + * bytecode/UnlinkedCodeBlock.cpp: + (JSC::generateFunctionCodeBlock): + (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable): + (JSC::UnlinkedFunctionExecutable::visitChildren): + (JSC::UnlinkedFunctionExecutable::finishCreation): + (JSC::UnlinkedFunctionExecutable::paramString): + (JSC::UnlinkedFunctionExecutable::parameters): + (JSC::UnlinkedFunctionExecutable::parameterCount): Deleted. + * bytecode/UnlinkedCodeBlock.h: + (JSC::UnlinkedFunctionExecutable::create): + (JSC::UnlinkedFunctionExecutable::parameterCount): + (JSC::UnlinkedFunctionExecutable::parameters): Deleted. + (JSC::UnlinkedFunctionExecutable::finishCreation): Deleted. + * parser/ASTBuilder.h: + (JSC::ASTBuilder::ASTBuilder): + (JSC::ASTBuilder::setFunctionBodyParameters): + * parser/Nodes.h: + (JSC::FunctionBodyNode::parametersStartOffset): + (JSC::FunctionBodyNode::parametersEndOffset): + (JSC::FunctionBodyNode::setParameterLocation): + * parser/Parser.cpp: + (JSC::Parser::parseFunctionInfo): + (JSC::parseParameters): + * parser/Parser.h: + (JSC::parse): + * parser/SourceCode.h: + (JSC::SourceCode::subExpression): + * parser/SyntaxChecker.h: + (JSC::SyntaxChecker::setFunctionBodyParameters): + +2014-04-29 Mark Hahnenberg + + JSProxies should be cacheable + https://bugs.webkit.org/show_bug.cgi?id=132351 + + Reviewed by Geoffrey Garen. + + Whenever we encounter a proxy in an inline cache we should try to cache on the + proxy's target instead of giving up. + + This patch adds support for a simple "recursive" inline cache if the base object + we're accessing is a pure forwarding proxy. JSGlobalObject and its subclasses + are the only ones to benefit from this right now. + + This is performance neutral on the benchmarks we track. Currently we won't + cache on JSDOMWindow due to HasImpureGetOwnPropertySlot, but this issue will be fixed soon. + + * jit/Repatch.cpp: + (JSC::generateByIdStub): + (JSC::tryBuildGetByIDList): + (JSC::tryCachePutByID): + (JSC::tryBuildPutByIdList): + * jsc.cpp: + (GlobalObject::finishCreation): + (functionCreateProxy): + * runtime/IntendedStructureChain.cpp: + (JSC::IntendedStructureChain::isNormalized): + * runtime/JSCellInlines.h: + (JSC::JSCell::isProxy): + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::finishCreation): + * runtime/JSProxy.h: + (JSC::JSProxy::createStructure): + (JSC::JSProxy::targetOffset): + * runtime/JSType.h: + * runtime/Operations.h: + (JSC::isPrototypeChainNormalized): + * runtime/Structure.h: + (JSC::Structure::isProxy): + * tests/stress/proxy-inline-cache.js: Added. + (cacheOnTarget.getX): + (cacheOnTarget): + (cacheOnPrototypeOfTarget.getX): + (cacheOnPrototypeOfTarget): + (dontCacheOnProxyInPrototypeChain.getX): + (dontCacheOnProxyInPrototypeChain): + (dontCacheOnTargetOfProxyInPrototypeChainOfTarget.getX): + (dontCacheOnTargetOfProxyInPrototypeChainOfTarget): + +2014-04-29 Filip Pizlo + + Use LLVM as a backend for the fourth-tier DFG JIT (a.k.a. the FTL JIT) + https://bugs.webkit.org/show_bug.cgi?id=112840 + + Rubber stamped by Geoffrey Garen. + + * Configurations/FeatureDefines.xcconfig: + +2014-04-29 Geoffrey Garen + + String.prototype.trim removes U+200B from strings. + https://bugs.webkit.org/show_bug.cgi?id=130184 + + Reviewed by Michael Saboff. + + * runtime/StringPrototype.cpp: + (JSC::trimString): + (JSC::isTrimWhitespace): Deleted. + +2014-04-29 Mark Lam + + Zombifying sweep should ignore retired blocks. + + + Reviewed by Mark Hahnenberg. + + By definition, retired blocks do not have "dead" objects, or at least + none that we know of yet until the next marking phase has been run + over it. So, we should not be sweeping them (even for zombie mode). + + * heap/Heap.cpp: + (JSC::Heap::zombifyDeadObjects): + * heap/MarkedSpace.cpp: + (JSC::MarkedSpace::zombifySweep): + * heap/MarkedSpace.h: + (JSC::ZombifySweep::operator()): + +2014-04-29 Mark Lam + + Fix bit rot in zombie mode heap code. + + + Reviewed by Mark Hahnenberg. + + Need to enter a DelayedReleaseScope before doing a sweep. + + * heap/Heap.cpp: + (JSC::Heap::zombifyDeadObjects): + +2014-04-29 Tomas Popela + + LLINT loadisFromInstruction doesn't need special case for big endians + https://bugs.webkit.org/show_bug.cgi?id=132330 + + Reviewed by Mark Lam. + + The change introduced in r167076 was wrong. We should not apply the offset + adjustment on loadisFromInstruction usage as the instruction + (UnlinkedInstruction) is declared as an union (i.e. with the int32_t + operand variable). The offset of the other union members will be the + same as the offset of the first one, that is 0. The behavior here is the + same on little and big endian architectures. Thus we don't need + special case for big endians. + + * llint/LowLevelInterpreter.asm: + +2014-04-28 Mark Hahnenberg + + Simplify tryCacheGetById + https://bugs.webkit.org/show_bug.cgi?id=132314 + + Reviewed by Oliver Hunt and Filip Pizlo. + + This is neutral across all benchmarks we track, although it looks like a wee 0.5% progression on sunspider. + + * jit/Repatch.cpp: + (JSC::tryCacheGetByID): If we fail to cache on self, we just repatch to call tryBuildGetByIDList next time. + +2014-04-28 Michael Saboff + + REGRESSION(r153142) ASSERT from CodeBlock::dumpBytecode dumping String Switch Jump Tables + https://bugs.webkit.org/show_bug.cgi?id=132315 + + Reviewed by Mark Hahnenberg. + + Used the StringImpl version of utf8() instead of creating a String first. + + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::dumpBytecode): + +2014-04-28 Filip Pizlo + + The LLInt is awesome and it should get more of the action. + + Rubber stamped by Geoffrey Garen. + + 5% speed-up on JSBench and no meaningful regressions. Should be a PLT/DYE speed-up also. + + * runtime/Options.h: + +2014-04-27 Filip Pizlo + + GC should be able to remove things from the DFG worklist and cancel on-going compilations if it knows that the compilation would already be invalidated + https://bugs.webkit.org/show_bug.cgi?id=132166 + + Reviewed by Oliver Hunt and Mark Hahnenberg. + + The GC can aid type inference by removing structures that are dead and jettisoning + code that relies on those structures. This can dramatically accelerate type inference + for some tricky programs. + + Unfortunately, we previously pinned any structures that enqueued compilations depended + on. This means that if you're on a machine that only runs a single compilation thread + and where compilations are relatively slow, you have a high chance of large numbers of + structures being pinned during any GC since the compilation queue is likely to be full + of random stuff. + + This comprehensively fixes this issue by allowing the GC to remove compilation plans + if the things they depend on are dead, and to even cancel safepointed compilations. + + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan): + (JSC::CodeBlock::isKnownToBeLiveDuringGC): + (JSC::CodeBlock::finalizeUnconditionally): + * bytecode/CodeBlock.h: + (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan): Deleted. + * dfg/DFGDesiredIdentifiers.cpp: + (JSC::DFG::DesiredIdentifiers::DesiredIdentifiers): + * dfg/DFGDesiredIdentifiers.h: + * dfg/DFGDesiredWatchpoints.h: + * dfg/DFGDesiredWeakReferences.cpp: + (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences): + * dfg/DFGDesiredWeakReferences.h: + * dfg/DFGGraphSafepoint.cpp: + (JSC::DFG::GraphSafepoint::GraphSafepoint): + * dfg/DFGGraphSafepoint.h: + * dfg/DFGPlan.cpp: + (JSC::DFG::Plan::Plan): + (JSC::DFG::Plan::compileInThread): + (JSC::DFG::Plan::compileInThreadImpl): + (JSC::DFG::Plan::notifyCompiling): + (JSC::DFG::Plan::notifyCompiled): + (JSC::DFG::Plan::notifyReady): + (JSC::DFG::Plan::checkLivenessAndVisitChildren): + (JSC::DFG::Plan::isKnownToBeLiveDuringGC): + (JSC::DFG::Plan::cancel): + (JSC::DFG::Plan::visitChildren): Deleted. + * dfg/DFGPlan.h: + * dfg/DFGSafepoint.cpp: + (JSC::DFG::Safepoint::Result::~Result): + (JSC::DFG::Safepoint::Result::didGetCancelled): + (JSC::DFG::Safepoint::Safepoint): + (JSC::DFG::Safepoint::~Safepoint): + (JSC::DFG::Safepoint::checkLivenessAndVisitChildren): + (JSC::DFG::Safepoint::isKnownToBeLiveDuringGC): + (JSC::DFG::Safepoint::cancel): + (JSC::DFG::Safepoint::visitChildren): Deleted. + * dfg/DFGSafepoint.h: + (JSC::DFG::Safepoint::Result::Result): + * dfg/DFGWorklist.cpp: + (JSC::DFG::Worklist::compilationState): + (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady): + (JSC::DFG::Worklist::removeAllReadyPlansForVM): + (JSC::DFG::Worklist::completeAllReadyPlansForVM): + (JSC::DFG::Worklist::visitWeakReferences): + (JSC::DFG::Worklist::removeDeadPlans): + (JSC::DFG::Worklist::runThread): + (JSC::DFG::Worklist::visitChildren): Deleted. + * dfg/DFGWorklist.h: + * ftl/FTLCompile.cpp: + (JSC::FTL::compile): + * ftl/FTLCompile.h: + * heap/CodeBlockSet.cpp: + (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks): + * heap/Heap.cpp: + (JSC::Heap::markRoots): + (JSC::Heap::visitCompilerWorklistWeakReferences): + (JSC::Heap::removeDeadCompilerWorklistEntries): + (JSC::Heap::visitWeakHandles): + (JSC::Heap::collect): + (JSC::Heap::visitCompilerWorklists): Deleted. + * heap/Heap.h: + +2014-04-28 Mark Hahnenberg + + Deleting properties poisons objects + https://bugs.webkit.org/show_bug.cgi?id=131551 + + Reviewed by Oliver Hunt. + + This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular. + + * runtime/JSPropertyNameIterator.cpp: + (JSC::JSPropertyNameIterator::create): + * runtime/PropertyMapHashTable.h: + (JSC::PropertyTable::hasDeletedOffset): + (JSC::PropertyTable::hadDeletedOffset): If we ever had deleted properties we can no longer cache offsets when + iterating properties because we're required to iterate properties in insertion order. + * runtime/Structure.cpp: + (JSC::Structure::Structure): + (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map. + (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of + Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache + delete transitions, but we allow transitioning from them. + (JSC::Structure::changePrototypeTransition): + (JSC::Structure::despecifyFunctionTransition): + (JSC::Structure::attributeChangeTransition): + (JSC::Structure::toDictionaryTransition): + (JSC::Structure::preventExtensionsTransition): + (JSC::Structure::addPropertyWithoutTransition): + (JSC::Structure::removePropertyWithoutTransition): + (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned. + (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing. + * runtime/Structure.h: + * runtime/StructureInlines.h: + (JSC::Structure::setEnumerationCache): + (JSC::Structure::hadDeletedOffsets): + (JSC::Structure::propertyTable): + (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible. + * tests/stress/for-in-after-delete.js: Added. + (foo): + +2014-04-25 Andreas Kling + + Inline (C++) GetByVal with numeric indices more aggressively. + + + We were already inlining the string indexed GetByVal path pretty well, + while the path for numeric indices got neglected. No more! + + ~9.5% improvement on Dromaeo/dom-traverse.html on my MBP: + + Before: 199.50 runs/s + After: 218.58 runs/s + + Reviewed by Phil Pizlo. + + * dfg/DFGOperations.cpp: + * runtime/JSCJSValueInlines.h: + (JSC::JSValue::get): + + ALWAYS_INLINE all the things. + + * runtime/JSObject.h: + (JSC::JSObject::getPropertySlot): + + Avoid fetching the Structure more than once. We have the same + optimization in the string-indexed code path. + +2014-04-25 Oliver Hunt + + Need earlier cell test + https://bugs.webkit.org/show_bug.cgi?id=132211 + + Reviewed by Mark Lam. + + Move cell test to before the function call repatch + location, as the repatch logic for 32bit assumes that the + caller will already have performed a cell check. + + * jit/JITCall32_64.cpp: + (JSC::JIT::compileOpCall): + +2014-04-25 Andreas Kling + + Un-fast-allocate JSGlobalObjectRareData because Windows doesn't build and I'm not in the mood. + + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::JSGlobalObjectRareData::JSGlobalObjectRareData): + (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData): Deleted. + +2014-04-25 Andreas Kling + + Windows build fix attempt. + + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData): + +2014-04-25 Mark Lam + + Refactor debugging code to use BreakpointActions instead of Vector. + + + Reviewed by Joseph Pecoraro. + + BreakpointActions is Vector. Let's just consistently use + BreakpointActions everywhere. + + * inspector/ScriptBreakpoint.h: + (Inspector::ScriptBreakpoint::ScriptBreakpoint): + * inspector/ScriptDebugServer.cpp: + (Inspector::ScriptDebugServer::setBreakpoint): + (Inspector::ScriptDebugServer::getActionsForBreakpoint): + * inspector/ScriptDebugServer.h: + * inspector/agents/InspectorDebuggerAgent.cpp: + (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol): + (Inspector::InspectorDebuggerAgent::setBreakpointByUrl): + (Inspector::InspectorDebuggerAgent::setBreakpoint): + (Inspector::InspectorDebuggerAgent::removeBreakpoint): + * inspector/agents/InspectorDebuggerAgent.h: + +2014-04-24 Filip Pizlo + + DFG worklist scanning should not treat the key as a separate entity + https://bugs.webkit.org/show_bug.cgi?id=132167 + + Reviewed by Mark Hahnenberg. + + This simplifies the interface to the GC and will enable more optimizations. + + * dfg/DFGCompilationKey.cpp: + (JSC::DFG::CompilationKey::visitChildren): Deleted. + * dfg/DFGCompilationKey.h: + * dfg/DFGPlan.cpp: + (JSC::DFG::Plan::visitChildren): + * dfg/DFGWorklist.cpp: + (JSC::DFG::Worklist::visitChildren): + +2014-04-25 Oliver Hunt + + Remove unused parameter from codeblock linking function + https://bugs.webkit.org/show_bug.cgi?id=132199 + + Reviewed by Anders Carlsson. + + No change in behaviour. This is just a small change to make it + slightly easier to reason about what the offsets in UnlinkedFunctionExecutable + actually mean. + + * bytecode/UnlinkedCodeBlock.cpp: + (JSC::UnlinkedFunctionExecutable::link): + * bytecode/UnlinkedCodeBlock.h: + * runtime/Executable.cpp: + (JSC::ProgramExecutable::initializeGlobalProperties): + +2014-04-25 Andreas Kling + + Mark some things with WTF_MAKE_FAST_ALLOCATED. + + + Use FastMalloc for more things. + + Reviewed by Anders Carlsson. + + * builtins/BuiltinExecutables.h: + * heap/GCThreadSharedData.h: + * inspector/JSConsoleClient.h: + * inspector/agents/InspectorAgent.h: + * runtime/CodeCache.h: + * runtime/JSGlobalObject.h: + * runtime/Lookup.cpp: + (JSC::HashTable::createTable): + (JSC::HashTable::deleteTable): + * runtime/WeakGCMap.h: + +2014-04-25 Antoine Quint + + Implement Array.prototype.find() + https://bugs.webkit.org/show_bug.cgi?id=130966 + + Reviewed by Oliver Hunt. + + Implement Array.prototype.find() and Array.prototype.findIndex() as proposed in the Harmony spec. + + * builtins/Array.prototype.js: + (find): + (findIndex): + * runtime/ArrayPrototype.cpp: + +2014-04-24 Brady Eidson + + Rename "IMAGE_CONTROLS" feature to "SERVICE_CONTROLS" + https://bugs.webkit.org/show_bug.cgi?id=132155 + + Reviewed by Tim Horton. + + * Configurations/FeatureDefines.xcconfig: + +2014-04-24 Michael Saboff + + REGRESSION: Apparent hang of PCE.js Mac OS System 7.0.1 on ARM64 devices + https://bugs.webkit.org/show_bug.cgi?id=132147 + + Reviewed by Mark Lam. + + Fixed or64(), eor32( ) and eor64() to use "src" register when we have a valid logicalImm. + + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::or64): + (JSC::MacroAssemblerARM64::xor32): + (JSC::MacroAssemblerARM64::xor64): + * tests/stress/regress-132147.js: Added test. + +2014-04-24 Mark Lam + + Make slowPathAllocsBetweenGCs a runtime option. + + + Reviewed by Mark Hahnenberg. + + This will make it easier to more casually run tests with this configuration + as well as to reproduce issues (instead of requiring a code mod and rebuild). + We will now take --slowPathAllocsBetweenGCs=N where N is the number of + slow path allocations before we trigger a collection. + + The option defaults to 0, which is reserved to mean that we will not trigger + any collections there. + + * heap/Heap.h: + * heap/MarkedAllocator.cpp: + (JSC::MarkedAllocator::doTestCollectionsIfNeeded): + (JSC::MarkedAllocator::allocateSlowCase): + * heap/MarkedAllocator.h: + * runtime/Options.h: + +2014-04-23 Mark Lam + + The GC should only resume compiler threads that it suspended in the same GC pass. + + + Reviewed by Mark Hahnenberg. + + Previously, this scenario can occur: + 1. Thread 1 starts a GC and tries to suspend DFG worklist threads. However, + no worklists were created yet at the that time. + 2. Thread 2 starts to compile some functions and creates a DFG worklist, and + acquires the worklist thread's lock. + 3. Thread 1's GC completes and tries to resume suspended DFG worklist thread. + This time, it sees the worklist created by Thread 2 and ends up unlocking + the worklist thread's lock that is supposedly held by Thread 2. + Thereafter, chaos ensues. + + The fix is to cache the worklists that were actually suspended by each GC pass, + and only resume those when the GC is done. + + This issue was discovered by enabling COLLECT_ON_EVERY_ALLOCATION and running + the fast/workers layout tests. + + * heap/Heap.cpp: + (JSC::Heap::visitCompilerWorklists): + (JSC::Heap::deleteAllCompiledCode): + (JSC::Heap::suspendCompilerThreads): + (JSC::Heap::resumeCompilerThreads): + * heap/Heap.h: + +2014-04-23 Mark Hahnenberg + + Arguments::copyBackingStore needs to update m_registers in tandem with m_registerArray + https://bugs.webkit.org/show_bug.cgi?id=132079 + + Reviewed by Michael Saboff. + + Since we're moving the register backing store, we don't want to leave a dangling pointer into a random CopiedBlock. + + Also added a test that previously triggered this bug. + + * runtime/Arguments.cpp: + (JSC::Arguments::copyBackingStore): D'oh! + * tests/stress/arguments-copy-register-array-backing-store.js: Added. + (foo): + (bar): + +2014-04-23 Mark Rowe + + [Mac] REGRESSION (r164823): Building JavaScriptCore creates files under /tmp/JavaScriptCore.dst + + + Reviewed by Dan Bernstein. + + * JavaScriptCore.xcodeproj/project.pbxproj: Don't try to create a symlink at /usr/local/bin/jsc inside + the DSTROOT unless we're building to the deployment location. Also remove the unnecessary -x argument + from /bin/sh since that generates unnecessary output. + +2014-04-22 Mark Lam + + DFG::Worklist should acquire the m_lock before iterating DFG plans. + + + Reviewed by Filip Pizlo. + + Currently, there's a rightToRun mechanism that ensures that no compilation + threads are running when the GC is iterating through the DFG worklists. + However, this does not prevent a Worker thread from doing a DFG compilation + and modifying the plans in the worklists thereby invalidating the plan + iterator that the GC is using. This patch fixes the issue by acquiring + the worklist m_lock before iterating the worklist plans. + + This issue was uncovered by running the fast/workers layout tests with + COLLECT_ON_EVERY_ALLOCATION enabled. + + * dfg/DFGWorklist.cpp: + (JSC::DFG::Worklist::isActiveForVM): + (JSC::DFG::Worklist::visitChildren): + +2014-04-22 Brent Fulgham + + [Win] Support Python 2.7 in Cygwin + https://bugs.webkit.org/show_bug.cgi?id=132023 + + Reviewed by Michael Saboff. + + * DerivedSources.make: Use a conditional variable to define + the path to Python/Perl. + +2014-04-22 Filip Pizlo + + Switch the LLVMForJSC target to using the LLVM in /usr/local rather than /usr/local/LLVMForJavaScriptCore on iOS + https://bugs.webkit.org/show_bug.cgi?id=130867 + + + Reviewed by Mark Hahnenberg. + + * Configurations/Base.xcconfig: + * Configurations/LLVMForJSC.xcconfig: + +2014-04-22 Alex Christensen + + [Win] Unreviewed build fix after my r167666. + + * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props: + Added ../../../ again to include headers in Source/JavaScriptCore. + +2014-04-22 Alex Christensen + + Removed old stdbool and inttypes headers. + https://bugs.webkit.org/show_bug.cgi?id=131966 + + Reviewed by Brent Fulgham. + + * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props: + * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props: + Removed references to os-win32 directory. + * os-win32: Removed. + * os-win32/inttypes.h: Removed. + * os-win32/stdbool.h: Removed. + +2014-04-21 Filip Pizlo + + DFG::clobberize() should honestly admit that profiler and debugger nodes are effectful + https://bugs.webkit.org/show_bug.cgi?id=131971 + + + Reviewed by Mark Lam. + + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + +2014-04-21 Filip Pizlo + + Switch statements that skip the baseline JIT should work + https://bugs.webkit.org/show_bug.cgi?id=131965 + + Reviewed by Mark Hahnenberg. + + * bytecode/JumpTable.h: + (JSC::SimpleJumpTable::ensureCTITable): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::emitSwitchIntJump): + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_switch_imm): + (JSC::JIT::emit_op_switch_char): + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emit_op_switch_imm): + (JSC::JIT::emit_op_switch_char): + * tests/stress/inline-llint-with-switch.js: Added. + (foo): + (bar): + (test): + +2014-04-21 Mark Hahnenberg + + Arguments objects shouldn't need a destructor + https://bugs.webkit.org/show_bug.cgi?id=131899 + + Reviewed by Oliver Hunt. + + This patch rids Arguments objects of their destructors. It does this by + switching their backing stores to use CopiedSpace rather than malloc memory. + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Fix the code emitted for inline + Arguments allocation so that it only emits an extra write for strict mode code rather + than unconditionally. + * heap/CopyToken.h: New CopyTokens for the two different types of Arguments backing stores. + * runtime/Arguments.cpp: + (JSC::Arguments::visitChildren): We need to tell the collector to copy the back stores now. + (JSC::Arguments::copyBackingStore): Do the actual copying of the backing stores. + (JSC::Arguments::deletePropertyByIndex): Update all the accesses to SlowArgumentData and m_registerArray. + (JSC::Arguments::deleteProperty): + (JSC::Arguments::defineOwnProperty): + (JSC::Arguments::allocateRegisterArray): + (JSC::Arguments::tearOff): + (JSC::Arguments::destroy): Deleted. We don't need the destructor any more. + * runtime/Arguments.h: + (JSC::Arguments::registerArraySizeInBytes): + (JSC::Arguments::SlowArgumentData::SlowArgumentData): Switch SlowArgumentData to being allocated + in CopiedSpace. Now the SlowArgumentData and its backing store are a single contiguous CopiedSpace + allocation. + (JSC::Arguments::SlowArgumentData::slowArguments): + (JSC::Arguments::SlowArgumentData::bytecodeToMachineCaptureOffset): + (JSC::Arguments::SlowArgumentData::setBytecodeToMachineCaptureOffset): + (JSC::Arguments::SlowArgumentData::sizeForNumArguments): + (JSC::Arguments::Arguments): + (JSC::Arguments::allocateSlowArguments): + (JSC::Arguments::tryDeleteArgument): + (JSC::Arguments::isDeletedArgument): + (JSC::Arguments::isArgument): + (JSC::Arguments::argument): + (JSC::Arguments::finishCreation): + * runtime/SymbolTable.h: + +2014-04-21 Eric Carlson + + [Mac] implement WebKitDataCue + https://bugs.webkit.org/show_bug.cgi?id=131799 + + Reviewed by Dean Jackson. + + * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE. + +2014-04-21 Filip Pizlo + + Unreviewed test gardening, run the repeat-out-of-bounds tests again. + + * tests/stress/float32-repeat-out-of-bounds.js: + * tests/stress/int8-repeat-out-of-bounds.js: + +2014-04-21 Filip Pizlo + + OSR exit should know about Int52 and Double constants + https://bugs.webkit.org/show_bug.cgi?id=131945 + + Reviewed by Oliver Hunt. + + The DFG OSR exit machinery's ignorance would lead to some constants becoming + jsUndefined() after OSR exit. + + The FTL OSR exit machinery's ignorance just meant that we would sometimes use a + stackmap constant rather than baking the constant into the OSRExit data structure. + So, not a big deal, but worth fixing. + + Also added some helpful hacks to jsc.cpp for testing such OSR exit pathologies. + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleIntrinsic): + * dfg/DFGMinifiedNode.h: + (JSC::DFG::belongsInMinifiedGraph): + (JSC::DFG::MinifiedNode::hasConstantNumber): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument): + * jsc.cpp: + (GlobalObject::finishCreation): + (functionOtherFalse): + (functionUndefined): + * runtime/Intrinsic.h: + * tests/stress/fold-to-double-constant-then-exit.js: Added. + (foo): + * tests/stress/fold-to-int52-constant-then-exit.js: Added. + (foo): + +2014-04-21 Filip Pizlo + + Provide feedback when we encounter an unrecognied node in the FTL backend. + + Rubber stamped by Alexey Proskuryakov. + + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileNode): + +2014-04-21 Andreas Kling + + Move the JSString cache from DOMWrapperWorld to VM. + + + Reviewed by Geoff Garen. + + * runtime/VM.h: + +2014-04-19 Filip Pizlo + + Take block execution count estimates into account when voting double + https://bugs.webkit.org/show_bug.cgi?id=131906 + + Reviewed by Geoffrey Garen. + + This was a drama in three acts. + + Act I: Slurp in BasicBlock::executionCount and use it as a weight when counting the + number of uses of a variable that want double or non-double. Easy as pie. This + gave me a huge speed-up on FloatMM and a huge slow-down on basically everything + else. + + Act II: Realize that there were some programs where our previous double voting was + just on the edge of disaster and making it more precise tipped it over. In + particular, if you had an integer variable that would infrequently be used in a + computation that resulted in a variable that was frequently used as an array index, + the outer infrequentness would be the thing we'd use in the vote. So, an array + index would become double. We fix this by reviving global backwards propagation + and introducing the concept of ReallyWantsInt, which is used just for array + indices. Any variable transitively flagged as ReallyWantsInt will never be forced + double. We need that flag to be separate from UsedAsInt, since UsedAsInt needs to + be set in bitops for RageConversion but using it for double forcing is too much. + Basically, it's cheaper to have to convert a double to an int for a bitop than it + is to convert a double to an int for an array index; also a variable being used as + an array index is a much stronger hint that it ought to be an int. This recovered + performance on everything except programs that used FTL OSR entry. + + Act III: Realize that OSR entrypoint creation creates blocks that have NaN execution + count, which then completely pollutes the weighting - essentially all votes go + NaN. Fix this with some surgical defenses. Basically, any client of execution + counts should allow for them to be NaN and shouldn't completely fall off a cliff + when it happens. + + This is awesome. 75% speed-up on FloatMM. 11% speed-up on audio-dft. This leads to + 7% speed-up on AsmBench and 2% speed-up on Kraken. + + * CMakeLists.txt: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.xcodeproj/project.pbxproj: + * dfg/DFGBackwardsPropagationPhase.cpp: + (JSC::DFG::BackwardsPropagationPhase::run): + (JSC::DFG::BackwardsPropagationPhase::propagate): + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::dumpBlockHeader): + * dfg/DFGGraph.h: + (JSC::DFG::Graph::voteNode): + (JSC::DFG::Graph::voteChildren): + * dfg/DFGNodeFlags.cpp: + (JSC::DFG::dumpNodeFlags): + * dfg/DFGNodeFlags.h: + * dfg/DFGOSREntrypointCreationPhase.cpp: + (JSC::DFG::OSREntrypointCreationPhase::run): + * dfg/DFGPlan.cpp: + (JSC::DFG::Plan::compileInThreadImpl): + * dfg/DFGPredictionPropagationPhase.cpp: + (JSC::DFG::PredictionPropagationPhase::doDoubleVoting): + (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting): + * dfg/DFGVariableAccessData.cpp: Added. + (JSC::DFG::VariableAccessData::VariableAccessData): + (JSC::DFG::VariableAccessData::mergeIsCaptured): + (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox): + (JSC::DFG::VariableAccessData::predict): + (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction): + (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote): + (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat): + (JSC::DFG::VariableAccessData::mergeDoubleFormatState): + (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat): + (JSC::DFG::VariableAccessData::flushFormat): + * dfg/DFGVariableAccessData.h: + (JSC::DFG::VariableAccessData::vote): + (JSC::DFG::VariableAccessData::VariableAccessData): Deleted. + (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted. + (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox): Deleted. + (JSC::DFG::VariableAccessData::predict): Deleted. + (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction): Deleted. + (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote): Deleted. + (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat): Deleted. + (JSC::DFG::VariableAccessData::mergeDoubleFormatState): Deleted. + (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat): Deleted. + (JSC::DFG::VariableAccessData::flushFormat): Deleted. + +2014-04-21 Michael Saboff + + REGRESSION(r167591): ARM64 and ARM traditional builds broken + https://bugs.webkit.org/show_bug.cgi?id=131935 + + Reviewed by Mark Hahnenberg. + + Added store8(TrustedImm32, MacroAssembler::Address) to the ARM traditional and ARM64 + macro assemblers. Added a new test for the original patch. + + * assembler/MacroAssemblerARM.h: + (JSC::MacroAssemblerARM::store8): + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::store8): + * tests/stress/dfg-create-arguments-inline-alloc.js: New test. + +2014-04-21 Mark Hahnenberg + + Inline allocate Arguments objects in the DFG + https://bugs.webkit.org/show_bug.cgi?id=131897 + + Reviewed by Geoffrey Garen. + + Many libraries/frameworks depend on the arguments object for overloaded API entry points. + This is the first step to making Arguments fast(er). We'll duplicate the logic in Arguments::create + for now and take the slow path for complicated cases like slow arguments, tearing off for strict mode, etc. + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::emitAllocateArguments): + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * runtime/Arguments.h: + (JSC::Arguments::offsetOfActivation): + (JSC::Arguments::offsetOfOverrodeLength): + (JSC::Arguments::offsetOfIsStrictMode): + (JSC::Arguments::offsetOfRegisterArray): + (JSC::Arguments::offsetOfCallee): + (JSC::Arguments::allocationSize): + +2014-04-20 Andreas Kling + + Speed up jsStringWithCache() through WeakGCMap inlining. + + + Always inline WeakGCMap::add() but move the slow garbage collecting + path out-of-line. + + Reviewed by Darin Adler. + + * runtime/WeakGCMap.h: + (JSC::WeakGCMap::add): + (JSC::WeakGCMap::gcMap): + +2014-04-20 László Langó + + JavaScriptCore: ARM build fix after r167094. + https://bugs.webkit.org/show_bug.cgi?id=131612 + + Reviewed by Michael Saboff. + + After r167094 there are many build errors on ARM like these: + + /tmp/ccgtHRno.s:370: Error: invalid constant (425a) after fixup + /tmp/ccgtHRno.s:374: Error: invalid constant (426e) after fixup + /tmp/ccgtHRno.s:378: Error: invalid constant (4282) after fixup + /tmp/ccgtHRno.s:382: Error: invalid constant (4296) after fixup + + Problem is caused by the wrong generated assembly like: + "\tmov r2, (" LOCAL_LABEL_STRING(llint_op_strcat) " - " LOCAL_LABEL_STRING(relativePCBase) ")\n" // /home/webkit/WebKit/Source/JavaScriptCore/llint/LowLevelInterpreter.asm:741 + + `mov` can only move 8 bit immediate, but not every constant fit into 8 bit. Clang converts + the mov to a single movw or a movw and a movt, depending on the immediate, but binutils doesn't. + Add a new ARM specific offline assembler instruction (`mvlbl`) for the following llint_entry + use case: move rn, (label1-label2) which is translated to movw and movt. + + * llint/LowLevelInterpreter.asm: + * offlineasm/arm.rb: + * offlineasm/instructions.rb: + +2014-04-20 Csaba Osztrogonác + + [ARM] Unreviewed build fix after r167336. + + * assembler/MacroAssemblerARM.h: + (JSC::MacroAssemblerARM::branchAdd32): + +2014-04-20 Commit Queue + + Unreviewed, rolling out r167501. + https://bugs.webkit.org/show_bug.cgi?id=131913 + + It broke DYEBench (Requested by mhahnenberg on #webkit). + + Reverted changeset: + + "Deleting properties poisons objects" + https://bugs.webkit.org/show_bug.cgi?id=131551 + http://trac.webkit.org/changeset/167501 + +2014-04-19 Filip Pizlo + + It should be OK to store new fields into objects that have no prototypes + https://bugs.webkit.org/show_bug.cgi?id=131905 + + Reviewed by Mark Hahnenberg. + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::emitPrototypeChecks): + * tests/stress/put-by-id-transition-null-prototype.js: Added. + (foo): + +2014-04-19 Benjamin Poulain + + Make the CSS JIT compile for ARM64 + https://bugs.webkit.org/show_bug.cgi?id=131834 + + Reviewed by Gavin Barraclough. + + Extend the ARM64 MacroAssembler to support the code generation required by + the CSS JIT. + + * assembler/MacroAssembler.h: + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::addPtrNoFlags): + (JSC::MacroAssemblerARM64::or32): + (JSC::MacroAssemblerARM64::branchPtr): + (JSC::MacroAssemblerARM64::test32): + (JSC::MacroAssemblerARM64::branch): + * assembler/MacroAssemblerX86Common.h: + (JSC::MacroAssemblerX86Common::test32): + +2014-04-19 Andreas Kling + + Two little shortcuts to the JSType. + + + Tweak two sites that take the long road through JSCell::structure()->typeInfo() + to look at data that's already in JSCell::type(). + + Reviewed by Darin Adler. + + * runtime/NameInstance.h: + (JSC::isName): + * runtime/NumberPrototype.cpp: + (JSC::toThisNumber): + +2014-04-19 Filip Pizlo + + Make it easier to check if an integer sum would overflow + https://bugs.webkit.org/show_bug.cgi?id=131900 + + Reviewed by Darin Adler. + + * dfg/DFGOperations.cpp: + * runtime/Operations.h: + (JSC::jsString): + +2014-04-19 Filip Pizlo + + Address some feedback on https://bugs.webkit.org/show_bug.cgi?id=130684. + + * dfg/DFGOperations.cpp: + * runtime/JSString.h: + (JSC::JSRopeString::RopeBuilder::append): + +2014-04-18 Mark Lam + + REGRESSION(r164205): WebKit crash @StructureIDTable::get. + + + Reviewed by Geoffrey Garen. + + prepareOSREntry() prepares for OSR entry by first copying the local var + values from the baseline frame to a scartch buffer, which is then used + to fill in the locals in their new position in the DFG frame. Unfortunately, + prepareOSREntry() was using the DFG frame's frameRegisterCount as the frame + size of the baseline frame. As a result, some values of locals in the + baseline frame were not saved off, and the DFG frame may get initialized + with random content that happened to be in the uninitialized (and possibly + unallocated) portions of the scratch buffer. + + The fix is to use OSREntryData::m_expectedValues.numberOfLocals() as the + number of locals in the baseline frame that we want to copy to the scratch + buffer. + + Note: osrEntryThunkGenerator() is expecting the DFG frameRegisterCount + at offset 0 in the scratch buffer. So, we continue to write that value + there, not the baseline frame size. + + * dfg/DFGOSREntry.cpp: + (JSC::DFG::prepareOSREntry): + +2014-04-18 Timothy Hatcher + + Web Inspector: Move InspectorProfilerAgent to JavaScriptCore + https://bugs.webkit.org/show_bug.cgi?id=131673 + + Passes existing profiler and inspector tests. + + Reviewed by Joseph Pecoraro. + + * CMakeLists.txt: + * DerivedSources.make: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: + * JavaScriptCore.xcodeproj/project.pbxproj: + * inspector/JSConsoleClient.cpp: + (Inspector::JSConsoleClient::JSConsoleClient): + (Inspector::JSConsoleClient::profile): + (Inspector::JSConsoleClient::profileEnd): + (Inspector::JSConsoleClient::count): Deleted. + * inspector/JSConsoleClient.h: + * inspector/JSGlobalObjectInspectorController.cpp: + (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController): + * inspector/agents/InspectorProfilerAgent.cpp: Added. + (Inspector::InspectorProfilerAgent::InspectorProfilerAgent): + (Inspector::InspectorProfilerAgent::~InspectorProfilerAgent): + (Inspector::InspectorProfilerAgent::addProfile): + (Inspector::InspectorProfilerAgent::createProfileHeader): + (Inspector::InspectorProfilerAgent::enable): + (Inspector::InspectorProfilerAgent::disable): + (Inspector::InspectorProfilerAgent::getUserInitiatedProfileName): + (Inspector::InspectorProfilerAgent::getProfileHeaders): + (Inspector::buildInspectorObject): + (Inspector::InspectorProfilerAgent::buildProfileInspectorObject): + (Inspector::InspectorProfilerAgent::getCPUProfile): + (Inspector::InspectorProfilerAgent::removeProfile): + (Inspector::InspectorProfilerAgent::reset): + (Inspector::InspectorProfilerAgent::didCreateFrontendAndBackend): + (Inspector::InspectorProfilerAgent::willDestroyFrontendAndBackend): + (Inspector::InspectorProfilerAgent::start): + (Inspector::InspectorProfilerAgent::stop): + (Inspector::InspectorProfilerAgent::setRecordingProfile): + (Inspector::InspectorProfilerAgent::startProfiling): + (Inspector::InspectorProfilerAgent::stopProfiling): + * inspector/agents/InspectorProfilerAgent.h: Added. + * inspector/agents/JSGlobalObjectProfilerAgent.cpp: Copied from Source/WebCore/inspector/ScriptProfile.idl. + (Inspector::JSGlobalObjectProfilerAgent::JSGlobalObjectProfilerAgent): + (Inspector::JSGlobalObjectProfilerAgent::profilingGlobalExecState): + * inspector/agents/JSGlobalObjectProfilerAgent.h: Copied from Source/WebCore/inspector/ScriptProfile.idl. + * inspector/protocol/Profiler.json: Renamed from Source/WebCore/inspector/protocol/Profiler.json. + * profiler/Profile.h: + * runtime/ConsoleClient.h: + +2014-04-18 Commit Queue + + Unreviewed, rolling out r167527. + https://bugs.webkit.org/show_bug.cgi?id=131883 + + Broke 32-bit build (Requested by ap on #webkit). + + Reverted changeset: + + "[Mac] implement WebKitDataCue" + https://bugs.webkit.org/show_bug.cgi?id=131799 + http://trac.webkit.org/changeset/167527 + +2014-04-18 Eric Carlson + + [Mac] implement WebKitDataCue + https://bugs.webkit.org/show_bug.cgi?id=131799 + + Reviewed by Dean Jackson. + + * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE. + +2014-04-18 Filip Pizlo + + Actually address Mark's review feedback. + + * dfg/DFGOSRExitCompilerCommon.cpp: + (JSC::DFG::handleExitCounts): + +2014-04-18 Filip Pizlo + + Options::maximumExecutionCountsBetweenCheckpoints() should be higher for DFG->FTL tier-up but the same for other tier-ups + https://bugs.webkit.org/show_bug.cgi?id=131850 + + Reviewed by Mark Hahnenberg. + + Templatize ExecutionCounter to allow for two different styles of calculating the + checkpoint threshold. + + Appears to be a slight speed-up on DYEBench. + + * bytecode/CodeBlock.h: + (JSC::CodeBlock::llintExecuteCounter): + (JSC::CodeBlock::offsetOfJITExecuteCounter): + (JSC::CodeBlock::offsetOfJITExecutionActiveThreshold): + (JSC::CodeBlock::offsetOfJITExecutionTotalCount): + (JSC::CodeBlock::jitExecuteCounter): + * bytecode/ExecutionCounter.cpp: + (JSC::ExecutionCounter::ExecutionCounter): + (JSC::ExecutionCounter::forceSlowPathConcurrently): + (JSC::ExecutionCounter::checkIfThresholdCrossedAndSet): + (JSC::ExecutionCounter::setNewThreshold): + (JSC::ExecutionCounter::deferIndefinitely): + (JSC::applyMemoryUsageHeuristics): + (JSC::applyMemoryUsageHeuristicsAndConvertToInt): + (JSC::ExecutionCounter::hasCrossedThreshold): + (JSC::ExecutionCounter::setThreshold): + (JSC::ExecutionCounter::reset): + (JSC::ExecutionCounter::dump): + (JSC::ExecutionCounter::ExecutionCounter): Deleted. + (JSC::ExecutionCounter::forceSlowPathConcurrently): Deleted. + (JSC::ExecutionCounter::checkIfThresholdCrossedAndSet): Deleted. + (JSC::ExecutionCounter::setNewThreshold): Deleted. + (JSC::ExecutionCounter::deferIndefinitely): Deleted. + (JSC::ExecutionCounter::applyMemoryUsageHeuristics): Deleted. + (JSC::ExecutionCounter::applyMemoryUsageHeuristicsAndConvertToInt): Deleted. + (JSC::ExecutionCounter::hasCrossedThreshold): Deleted. + (JSC::ExecutionCounter::setThreshold): Deleted. + (JSC::ExecutionCounter::reset): Deleted. + (JSC::ExecutionCounter::dump): Deleted. + * bytecode/ExecutionCounter.h: + (JSC::formattedTotalExecutionCount): + (JSC::ExecutionCounter::maximumExecutionCountsBetweenCheckpoints): + (JSC::ExecutionCounter::clippedThreshold): + (JSC::ExecutionCounter::formattedTotalCount): Deleted. + * dfg/DFGJITCode.h: + * dfg/DFGOSRExitCompilerCommon.cpp: + (JSC::DFG::handleExitCounts): + * llint/LowLevelInterpreter.asm: + * runtime/Options.h: + +2014-04-17 Mark Hahnenberg + + Deleting properties poisons objects + https://bugs.webkit.org/show_bug.cgi?id=131551 + + Reviewed by Geoffrey Garen. + + This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular. + + * runtime/Structure.cpp: + (JSC::Structure::Structure): + (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map. + (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of + Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache + delete transitions, but we allow transitioning from them. + (JSC::Structure::changePrototypeTransition): + (JSC::Structure::despecifyFunctionTransition): + (JSC::Structure::attributeChangeTransition): + (JSC::Structure::toDictionaryTransition): + (JSC::Structure::preventExtensionsTransition): + (JSC::Structure::addPropertyWithoutTransition): + (JSC::Structure::removePropertyWithoutTransition): + (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned. + (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing. + * runtime/Structure.h: + * runtime/StructureInlines.h: + (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible. + +2014-04-17 Filip Pizlo + + InlineCallFrameSet should be refcounted + https://bugs.webkit.org/show_bug.cgi?id=131829 + + Reviewed by Geoffrey Garen. + + And DFG::Plan should hold a ref to it. Previously it was owned by Graph until it + became owned by JITCode. Except that if we're "failing" to compile, JITCode may die. + Even as it dies, the GC may still want to scan the DFG::Plan, which leads to scanning + the DesiredWriteBarriers, which leads to scanning the InlineCallFrameSet. + + So, just make the darn thing refcounted. + + * bytecode/InlineCallFrameSet.h: + * dfg/DFGArgumentsSimplificationPhase.cpp: + (JSC::DFG::ArgumentsSimplificationPhase::run): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): + * dfg/DFGCommonData.h: + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::Graph): + (JSC::DFG::Graph::requiredRegisterCountForExit): + * dfg/DFGGraph.h: + * dfg/DFGJITCompiler.cpp: + (JSC::DFG::JITCompiler::link): + * dfg/DFGPlan.cpp: + (JSC::DFG::Plan::Plan): + * dfg/DFGPlan.h: + * dfg/DFGStackLayoutPhase.cpp: + (JSC::DFG::StackLayoutPhase::run): + * ftl/FTLFail.cpp: + (JSC::FTL::fail): + * ftl/FTLLink.cpp: + (JSC::FTL::link): + +2014-04-17 Filip Pizlo + + FTL::fail() should manage memory "correctly" + https://bugs.webkit.org/show_bug.cgi?id=131823 + + + Reviewed by Oliver Hunt. + + * ftl/FTLFail.cpp: + (JSC::FTL::fail): + +2014-04-17 Filip Pizlo + + Prediction propagator should correctly model Int52s flowing through arguments + https://bugs.webkit.org/show_bug.cgi?id=131822 + + + Reviewed by Oliver Hunt. + + * dfg/DFGPredictionPropagationPhase.cpp: + (JSC::DFG::PredictionPropagationPhase::propagate): + * tests/stress/int52-argument.js: Added. + (foo): + * tests/stress/int52-variable.js: Added. + (foo): + +2014-04-17 Filip Pizlo + + REGRESSION: ASSERT(!typeInfo().hasImpureGetOwnPropertySlot() || typeInfo().newImpurePropertyFiresWatchpoints()) on jquery tests + https://bugs.webkit.org/show_bug.cgi?id=131798 + + Reviewed by Alexey Proskuryakov. + + Some day, we will fix https://bugs.webkit.org/show_bug.cgi?id=131810 and some version + of this assertion can return. For now, it's not clear that the assertion is guarding + any truly undesirable behavior - so it should just go away and be replaced with a + FIXME. + + * bytecode/GetByIdStatus.cpp: + (JSC::GetByIdStatus::computeForStubInfo): + * runtime/Structure.h: + (JSC::Structure::takesSlowPathInDFGForImpureProperty): + +2014-04-17 David Kilzer + + Blind attempt to fix Windows build after r166837 + + + Hoping to fix this build error: + + warning MSB8027: Two or more files with the name of GCLogging.cpp will produce outputs to the same location. This can lead to an incorrect build result. The files involved are ..\heap\GCLogging.cpp, ..\heap\GCLogging.cpp. + + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Fix copy-paste + boo-boo by changing the GCLogging.cpp ClCompile entry to a + GCLogging.h ClInclude entry. + +2014-04-16 Filip Pizlo + + AI for GetLocal should match the DFG backend, and in this case, the best way to do that is to get rid of the "exit if empty prediction" thing since it's a vestige of a time long gone + https://bugs.webkit.org/show_bug.cgi?id=131764 + + Reviewed by Geoffrey Garen. + + The attached test case can be made to not crash by deleting old code. It used to be + the case that the DFG needed empty prediction guards, for shady reasons. We fixed that + long ago. At this point, these guards just make life difficult. So get rid of them. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * tests/stress/bug-131764.js: Added. + (test1): + (test2): + +2014-04-17 Darin Adler + + Add separate flag for IndexedDatabase in workers since the current implementation is not threadsafe + https://bugs.webkit.org/show_bug.cgi?id=131785 + rdar://problem/16003108 + + Reviewed by Brady Eidson. + + * Configurations/FeatureDefines.xcconfig: Added INDEXED_DATABASE_IN_WORKERS. + +2014-04-16 Alexey Proskuryakov + + Build fix after http://trac.webkit.org/changeset/167416 (Sink NaN sanitization) + + * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::speculate): + +2014-04-16 Filip Pizlo + + Extra error reporting for invalid value conversions + https://bugs.webkit.org/show_bug.cgi?id=131786 + + Rubber stamped by Ryosuke Niwa. + + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): + +2014-04-16 Filip Pizlo + + Sink NaN sanitization to uses and remove it when it's unnecessary + https://bugs.webkit.org/show_bug.cgi?id=131419 + + Reviewed by Oliver Hunt. + + This moves NaN purification to stores that could see an impure NaN. + + 5% speed-up on AsmBench, 50% speed-up on AsmBench/n-body. It is a regression on FloatMM + though, because of the other bug that causes that benchmark to box doubles in a loop. + + * bytecode/SpeculatedType.h: + (JSC::isInt32SpeculationForArithmetic): + (JSC::isMachineIntSpeculationForArithmetic): + (JSC::isDoubleSpeculation): + (JSC::isDoubleSpeculationForArithmetic): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGAbstractValue.cpp: + (JSC::DFG::AbstractValue::fixTypeForRepresentation): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): + * dfg/DFGInPlaceAbstractState.cpp: + (JSC::DFG::InPlaceAbstractState::mergeStateAtTail): + * dfg/DFGPredictionPropagationPhase.cpp: + (JSC::DFG::PredictionPropagationPhase::propagate): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileValueRep): + (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray): + * dfg/DFGUseKind.h: + (JSC::DFG::typeFilterFor): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileValueRep): + (JSC::FTL::LowerDFGToLLVM::compileGetByVal): + * runtime/PureNaN.h: + * tests/stress/float32-array-nan-inlined.js: Added. + (foo): + (test): + * tests/stress/float32-array-nan.js: Added. + (foo): + (test): + * tests/stress/float64-array-nan-inlined.js: Added. + (foo): + (isBigEndian): + (test): + * tests/stress/float64-array-nan.js: Added. + (foo): + (isBigEndian): + (test): + +2014-04-16 Brent Fulgham + + [Win] Unreviewed Windows gardening. Restrict our new 'isinf' check + to 32-bit builds, and revise the comment to explain what we are + doing. + + * runtime/JSCJSValueInlines.h: + (JSC::JSValue::isMachineInt): Provide motivation for the new + 'isinf' check for our 32-bit code path. + +2014-04-16 Juergen Ributzka + + Allocate the data section on the heap again for FTL on ARM64 + https://bugs.webkit.org/show_bug.cgi?id=130156 + + Reviewed by Geoffrey Garen and Filip Pizlo. + + * ftl/FTLCompile.cpp: + (JSC::FTL::mmAllocateDataSection): + * ftl/FTLDataSection.cpp: + (JSC::FTL::DataSection::DataSection): + (JSC::FTL::DataSection::~DataSection): + * ftl/FTLDataSection.h: + +2014-04-16 Mark Lam + + Crash in CodeBlock::setOptimizationThresholdBasedOnCompilationResult() when the debugger activates. + + + Reviewed by Filip Pizlo. + + When the debugger is about to activate (e.g. enter stepping mode), it first + waits for all DFG compilations to complete. However, when the DFG completes, + if compilation is successful, it will install a new DFG codeBlock. The + CodeBlock installation process is required to register codeBlocks with the + debugger. Debugger::registerCodeBlock() will eventually call + CodeBlock::setSteppingMode() which may jettison the DFG codeBlock that we're + trying to install. Thereafter, chaos ensues. + + This jettison'ing only happens because the debugger currently set its + m_steppingMode flag before waiting for compilation to complete. The fix is + simply to set that flag only after compilation is complete. + + * debugger/Debugger.cpp: + (JSC::Debugger::setSteppingMode): + (JSC::Debugger::registerCodeBlock): + +2014-04-16 Filip Pizlo + + Discern between NaNs that would be safe to tag and NaNs that need some purification before tagging + https://bugs.webkit.org/show_bug.cgi?id=131420 + + Reviewed by Oliver Hunt. + + Rationalizes our handling of NaNs. We now have the notion of pureNaN(), or PNaN, which + replaces QNaN and represents a "safe" NaN for our tagging purposes. NaN purification now + goes through the purifyNaN() API. + + SpeculatedType and its clients can now distinguish between a PureNaN and an ImpureNaN. + + Prediction propagator is made slightly more cautious when dealing with NaNs. It doesn't + have to be too cautious since most prediction-based logic only cares about whether or not + a value could be an integer. + + AI is made much more cautious when dealing with NaNs. We don't yet introduce ImpureNaN + anywhere in the compiler, but when we do, we ought to be able to trust AI to propagate it + soundly and precisely. + + No performance change because this just unblocks + https://bugs.webkit.org/show_bug.cgi?id=131419. + + * API/JSValueRef.cpp: + (JSValueMakeNumber): + (JSValueToNumber): + * JavaScriptCore.xcodeproj/project.pbxproj: + * bytecode/SpeculatedType.cpp: + (JSC::dumpSpeculation): + (JSC::speculationFromValue): + (JSC::typeOfDoubleSum): + (JSC::typeOfDoubleDifference): + (JSC::typeOfDoubleProduct): + (JSC::polluteDouble): + (JSC::typeOfDoubleQuotient): + (JSC::typeOfDoubleMinMax): + (JSC::typeOfDoubleNegation): + (JSC::typeOfDoubleAbs): + (JSC::typeOfDoubleFRound): + (JSC::typeOfDoubleBinaryOp): + (JSC::typeOfDoubleUnaryOp): + * bytecode/SpeculatedType.h: + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleInlining): + (JSC::DFG::ByteCodeParser::parseCodeBlock): + * dfg/DFGCriticalEdgeBreakingPhase.cpp: + (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge): + * dfg/DFGInPlaceAbstractState.cpp: + (JSC::DFG::InPlaceAbstractState::mergeStateAtTail): + * dfg/DFGLoopPreHeaderCreationPhase.cpp: + (JSC::DFG::createPreHeader): + * dfg/DFGNode.h: + (JSC::DFG::BranchTarget::BranchTarget): + * dfg/DFGOSREntrypointCreationPhase.cpp: + (JSC::DFG::OSREntrypointCreationPhase::run): + * dfg/DFGOSRExitCompiler32_64.cpp: + (JSC::DFG::OSRExitCompiler::compileExit): + * dfg/DFGOSRExitCompiler64.cpp: + (JSC::DFG::OSRExitCompiler::compileExit): + * dfg/DFGPredictionPropagationPhase.cpp: + (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction): + (JSC::DFG::PredictionPropagationPhase::propagate): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::emitAllocateJSArray): + (JSC::DFG::SpeculativeJIT::compileValueToInt32): + (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGVariableAccessData.h: + (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileGetByVal): + (JSC::FTL::LowerDFGToLLVM::compilePutByVal): + (JSC::FTL::LowerDFGToLLVM::compileArrayPush): + (JSC::FTL::LowerDFGToLLVM::compileArrayPop): + (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize): + (JSC::FTL::LowerDFGToLLVM::numberOrNotCellToInt32): + (JSC::FTL::LowerDFGToLLVM::allocateJSArray): + * ftl/FTLValueFormat.cpp: + (JSC::FTL::reboxAccordingToFormat): + * jit/AssemblyHelpers.cpp: + (JSC::AssemblyHelpers::purifyNaN): + (JSC::AssemblyHelpers::sanitizeDouble): Deleted. + * jit/AssemblyHelpers.h: + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emitFloatTypedArrayGetByVal): + * runtime/DateConstructor.cpp: + (JSC::constructDate): + * runtime/DateInstanceCache.h: + (JSC::DateInstanceData::DateInstanceData): + (JSC::DateInstanceCache::reset): + * runtime/ExceptionHelpers.cpp: + (JSC::TerminatedExecutionError::defaultValue): + * runtime/JSArray.cpp: + (JSC::JSArray::setLength): + (JSC::JSArray::pop): + (JSC::JSArray::shiftCountWithAnyIndexingType): + (JSC::JSArray::sortVector): + (JSC::JSArray::compactForSorting): + * runtime/JSArray.h: + (JSC::JSArray::create): + (JSC::JSArray::tryCreateUninitialized): + * runtime/JSCJSValue.cpp: + (JSC::JSValue::toNumberSlowCase): + * runtime/JSCJSValue.h: + * runtime/JSCJSValueInlines.h: + (JSC::jsNaN): + (JSC::JSValue::JSValue): + (JSC::JSValue::getPrimitiveNumber): + * runtime/JSGlobalObjectFunctions.cpp: + (JSC::parseInt): + (JSC::jsStrDecimalLiteral): + (JSC::toDouble): + (JSC::jsToNumber): + (JSC::parseFloat): + * runtime/JSObject.cpp: + (JSC::JSObject::createInitialDouble): + (JSC::JSObject::convertUndecidedToDouble): + (JSC::JSObject::convertInt32ToDouble): + (JSC::JSObject::deletePropertyByIndex): + (JSC::JSObject::ensureLengthSlow): + * runtime/MathObject.cpp: + (JSC::mathProtoFuncMax): + (JSC::mathProtoFuncMin): + * runtime/PureNaN.h: Added. + (JSC::pureNaN): + (JSC::isImpureNaN): + (JSC::purifyNaN): + * runtime/TypedArrayAdaptors.h: + (JSC::FloatTypedArrayAdaptor::toJSValue): + +2014-04-16 Juergen Ributzka + + Enable system library calls in FTL for ARM64 + https://bugs.webkit.org/show_bug.cgi?id=130154 + + Reviewed by Geoffrey Garen and Filip Pizlo. + + * ftl/FTLIntrinsicRepository.h: + * ftl/FTLOutput.h: + (JSC::FTL::Output::doubleRem): + (JSC::FTL::Output::doubleSin): + (JSC::FTL::Output::doubleCos): + +2014-04-16 peavo@outlook.com + + Fix JSC Debug Regressions on Windows + https://bugs.webkit.org/show_bug.cgi?id=131182 + + Reviewed by Brent Fulgham. + + The cast static_cast(number) in JSValue::isMachineInt() can generate a floating point error, + and set the st floating point register tags, if the value of the number parameter is infinite. + If the st floating point register tags are not cleared, this can cause strange floating point behavior later on. + This can be avoided by checking for infinity first. + + * runtime/JSCJSValueInlines.h: + (JSC::JSValue::isMachineInt): Avoid floating point error by checking for infinity first. + * runtime/Options.cpp: + (JSC::recomputeDependentOptions): Re-enable jit for Windows. + +2014-04-16 Oliver Hunt + + Simple ES6 feature:Array.prototype.fill + https://bugs.webkit.org/show_bug.cgi?id=131703 + + Reviewed by David Hyatt. + + Add support for Array.prototype.fill + + * builtins/Array.prototype.js: + (fill): + * runtime/ArrayPrototype.cpp: + +2014-04-16 Mark Hahnenberg + + [WebKit] Cleanup the build from uninitialized variable in JavaScriptCore + https://bugs.webkit.org/show_bug.cgi?id=131728 + + Reviewed by Darin Adler. + + * runtime/JSObject.cpp: + (JSC::JSObject::genericConvertDoubleToContiguous): Add a RELEASE_ASSERT on the + path we expect to never take. Also shut up confused compilers about uninitialized things. + +2014-04-16 Filip Pizlo + + Unreviewed, ARMv7 build fix after r167336. + + * assembler/MacroAssemblerARMv7.h: + (JSC::MacroAssemblerARMv7::branchAdd32): + +2014-04-16 Gabor Rapcsanyi + + Unreviewed, ARM64 buildfix after r167336. + + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::branchAdd32): Add missing function. + +2014-04-15 Filip Pizlo + + Unreviewed, add the obvious thing that marks MakeRope as exiting since it can exit. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + +2014-04-15 Filip Pizlo + + compileMakeRope does not emit necessary bounds checks + https://bugs.webkit.org/show_bug.cgi?id=130684 + + + Reviewed by Oliver Hunt. + + Add string length bounds checks in a bunch of places. We should never allow a string + to have a length greater than 2^31-1 because it's not clear that the language has + semantics for it and because there is code that assumes that this cannot happen. + + Also add a bunch of tests to that effect to cover the various ways in which this was + previously allowed to happen. + + * dfg/DFGOperations.cpp: + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileMakeRope): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileMakeRope): + * runtime/JSString.cpp: + (JSC::JSRopeString::RopeBuilder::expand): + * runtime/JSString.h: + (JSC::JSString::create): + (JSC::JSRopeString::RopeBuilder::append): + (JSC::JSRopeString::RopeBuilder::release): + (JSC::JSRopeString::append): + * runtime/Operations.h: + (JSC::jsString): + (JSC::jsStringFromRegisterArray): + (JSC::jsStringFromArguments): + * runtime/StringPrototype.cpp: + (JSC::stringProtoFuncIndexOf): + (JSC::stringProtoFuncSlice): + (JSC::stringProtoFuncSubstring): + (JSC::stringProtoFuncToLowerCase): + * tests/stress/make-large-string-jit-strcat.js: Added. + (foo): + * tests/stress/make-large-string-jit.js: Added. + (foo): + * tests/stress/make-large-string-strcat.js: Added. + * tests/stress/make-large-string.js: Added. + +2014-04-15 Julien Brianceau + + Remove invalid sh4 specific code in JITInlines header. + https://bugs.webkit.org/show_bug.cgi?id=131692 + + Reviewed by Geoffrey Garen. + + * jit/JITInlines.h: + (JSC::JIT::callOperation): Prototype is not F_JITOperation_EJJZ + anymore since r160244, so the sh4 specific code is invalid now + and has to be removed. + +2014-04-15 Mark Hahnenberg + + Fix precedence issue in JSCell:setRemembered + + Rubber stamped by Filip Pizlo. + + * runtime/JSCell.h: + (JSC::JSCell::setRemembered): + +2014-04-15 Mark Hahnenberg + + Objective-C API external object graphs don't handle generational collection properly + https://bugs.webkit.org/show_bug.cgi?id=131634 + + Reviewed by Geoffrey Garen. + + If the set of Objective-C objects transitively reachable through an object changes, we + need to update the set of opaque roots accordingly. If we don't, the next EdenCollection + won't rescan the external object graph, which would lead us to consider a newly allocated + JSManagedValue to be dead. + + * API/JSBase.cpp: + (JSSynchronousEdenCollectForDebugging): + * API/JSVirtualMachine.mm: + (-[JSVirtualMachine initWithContextGroupRef:]): + (-[JSVirtualMachine dealloc]): + (-[JSVirtualMachine isOldExternalObject:]): + (-[JSVirtualMachine addExternalRememberedObject:]): + (-[JSVirtualMachine addManagedReference:withOwner:]): + (-[JSVirtualMachine removeManagedReference:withOwner:]): + (-[JSVirtualMachine externalRememberedSet]): + (scanExternalObjectGraph): + (scanExternalRememberedSet): + * API/JSVirtualMachineInternal.h: + * API/tests/testapi.mm: + * heap/Heap.cpp: + (JSC::Heap::markRoots): + * heap/Heap.h: + (JSC::Heap::slotVisitor): + * heap/SlotVisitor.h: + * heap/SlotVisitorInlines.h: + (JSC::SlotVisitor::containsOpaqueRoot): + (JSC::SlotVisitor::containsOpaqueRootTriState): + +2014-04-15 Filip Pizlo + + DFG IR should keep the data flow of doubles and int52's separate from the data flow of JSValue's + https://bugs.webkit.org/show_bug.cgi?id=131423 + + Reviewed by Geoffrey Garen. + + This introduces more static typing into DFG IR. Previously we just had the notion of + JSValues and Storage. This was weird because doubles weren't always convertible to + JSValues, and Int52s weren't always convertible to either doubles or JSValues. We would + sort of insert explicit conversion nodes just for the places where we knew that an + implicit conversion wouldn't have been possible -- but there was no hard and fast rule so + we'd get bugs from forgetting to do the right conversion. + + This patch introduces a hard and fast rule: doubles can never be implicitly converted to + anything but doubles, and likewise Int52's can never be implicitly converted. Conversion + nodes are used for all of the conversions. Int52Rep, DoubleRep, and ValueRep are the + conversions. They are like Identity but return the same value using a different + representation. Likewise, constants may now be represented using either JSConstant, + Int52Constant, or DoubleConstant. UseKinds have been adjusted accordingly, as well. + Int52RepUse and DoubleRepUse are node uses that mean "the node must be of Int52 (or + Double) type". They don't imply checks. There is also DoubleRepRealUse, which means that + we speculate DoubleReal and expect Double representation. + + In addition to simplifying a bunch of rules in the IR and making the IR more verifiable, + this also makes it easier to introduce optimizations in the future. It's now possible for + AI to model when/how conversion take place. For example if doing a conversion results in + NaN sanitization, then AI can model this and can allow us to sink sanitizations. That's + what https://bugs.webkit.org/show_bug.cgi?id=131419 will be all about. + + This was a big change, so I had to do some interesting things, like finally get rid of + the DFG's weird variadic template macro hacks and use real C++11 variadic templates. Also + the ByteCodeParser no longer emits Identity nodes since that was always pointless. + + No performance change because this mostly just rationalizes preexisting behavior. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * assembler/MacroAssemblerX86.h: + * bytecode/CodeBlock.cpp: + * bytecode/CodeBlock.h: + * dfg/DFGAbstractInterpreter.h: + (JSC::DFG::AbstractInterpreter::setBuiltInConstant): + (JSC::DFG::AbstractInterpreter::setConstant): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGAbstractValue.cpp: + (JSC::DFG::AbstractValue::set): + (JSC::DFG::AbstractValue::fixTypeForRepresentation): + (JSC::DFG::AbstractValue::checkConsistency): + * dfg/DFGAbstractValue.h: + * dfg/DFGBackwardsPropagationPhase.cpp: + (JSC::DFG::BackwardsPropagationPhase::propagate): + * dfg/DFGBasicBlock.h: + * dfg/DFGBasicBlockInlines.h: + (JSC::DFG::BasicBlock::appendNode): + (JSC::DFG::BasicBlock::appendNonTerminal): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGCSEPhase.cpp: + (JSC::DFG::CSEPhase::constantCSE): + (JSC::DFG::CSEPhase::performNodeCSE): + (JSC::DFG::CSEPhase::int32ToDoubleCSE): Deleted. + * dfg/DFGCapabilities.h: + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + * dfg/DFGDCEPhase.cpp: + (JSC::DFG::DCEPhase::fixupBlock): + * dfg/DFGEdge.h: + (JSC::DFG::Edge::willNotHaveCheck): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::run): + (JSC::DFG::FixupPhase::fixupNode): + (JSC::DFG::FixupPhase::fixupGetAndSetLocalsInBlock): + (JSC::DFG::FixupPhase::observeUseKindOnNode): + (JSC::DFG::FixupPhase::fixIntEdge): + (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd): + (JSC::DFG::FixupPhase::injectTypeConversionsInBlock): + (JSC::DFG::FixupPhase::tryToRelaxRepresentation): + (JSC::DFG::FixupPhase::fixEdgeRepresentation): + (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): + (JSC::DFG::FixupPhase::addRequiredPhantom): + (JSC::DFG::FixupPhase::addPhantomsIfNecessary): + (JSC::DFG::FixupPhase::clearPhantomsAtEnd): + (JSC::DFG::FixupPhase::fixupSetLocalsInBlock): Deleted. + * dfg/DFGFlushFormat.h: + (JSC::DFG::resultFor): + (JSC::DFG::useKindFor): + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::dump): + * dfg/DFGGraph.h: + (JSC::DFG::Graph::addNode): + * dfg/DFGInPlaceAbstractState.cpp: + (JSC::DFG::InPlaceAbstractState::initialize): + * dfg/DFGInsertionSet.h: + (JSC::DFG::InsertionSet::insertNode): + (JSC::DFG::InsertionSet::insertConstant): + (JSC::DFG::InsertionSet::insertConstantForUse): + * dfg/DFGIntegerCheckCombiningPhase.cpp: + (JSC::DFG::IntegerCheckCombiningPhase::insertAdd): + (JSC::DFG::IntegerCheckCombiningPhase::insertMustAdd): + * dfg/DFGNode.cpp: + (JSC::DFG::Node::convertToIdentity): + (WTF::printInternal): + * dfg/DFGNode.h: + (JSC::DFG::Node::Node): + (JSC::DFG::Node::setResult): + (JSC::DFG::Node::result): + (JSC::DFG::Node::isConstant): + (JSC::DFG::Node::hasConstant): + (JSC::DFG::Node::convertToConstant): + (JSC::DFG::Node::valueOfJSConstant): + (JSC::DFG::Node::hasResult): + (JSC::DFG::Node::hasInt32Result): + (JSC::DFG::Node::hasInt52Result): + (JSC::DFG::Node::hasNumberResult): + (JSC::DFG::Node::hasDoubleResult): + (JSC::DFG::Node::hasJSResult): + (JSC::DFG::Node::hasBooleanResult): + (JSC::DFG::Node::hasStorageResult): + (JSC::DFG::Node::defaultUseKind): + (JSC::DFG::Node::defaultEdge): + (JSC::DFG::Node::convertToIdentity): Deleted. + * dfg/DFGNodeFlags.cpp: + (JSC::DFG::dumpNodeFlags): + * dfg/DFGNodeFlags.h: + (JSC::DFG::canonicalResultRepresentation): + * dfg/DFGNodeType.h: + * dfg/DFGOSRExitCompiler32_64.cpp: + (JSC::DFG::OSRExitCompiler::compileExit): + * dfg/DFGOSRExitCompiler64.cpp: + (JSC::DFG::OSRExitCompiler::compileExit): + * dfg/DFGPredictionPropagationPhase.cpp: + (JSC::DFG::PredictionPropagationPhase::propagate): + * dfg/DFGResurrectionForValidationPhase.cpp: + (JSC::DFG::ResurrectionForValidationPhase::run): + * dfg/DFGSSAConversionPhase.cpp: + (JSC::DFG::SSAConversionPhase::run): + * dfg/DFGSafeToExecute.h: + (JSC::DFG::SafeToExecuteEdge::operator()): + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR): + (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR): + (JSC::DFG::SpeculativeJIT::silentFill): + (JSC::DFG::JSValueRegsTemporary::JSValueRegsTemporary): + (JSC::DFG::JSValueRegsTemporary::~JSValueRegsTemporary): + (JSC::DFG::JSValueRegsTemporary::regs): + (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch): + (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32): + (JSC::DFG::SpeculativeJIT::compileValueToInt32): + (JSC::DFG::SpeculativeJIT::compileDoubleRep): + (JSC::DFG::SpeculativeJIT::compileValueRep): + (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray): + (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray): + (JSC::DFG::SpeculativeJIT::compileAdd): + (JSC::DFG::SpeculativeJIT::compileArithSub): + (JSC::DFG::SpeculativeJIT::compileArithNegate): + (JSC::DFG::SpeculativeJIT::compileArithMul): + (JSC::DFG::SpeculativeJIT::compileArithDiv): + (JSC::DFG::SpeculativeJIT::compileArithMod): + (JSC::DFG::SpeculativeJIT::compare): + (JSC::DFG::SpeculativeJIT::compileStrictEq): + (JSC::DFG::SpeculativeJIT::speculateNumber): + (JSC::DFG::SpeculativeJIT::speculateDoubleReal): + (JSC::DFG::SpeculativeJIT::speculate): + (JSC::DFG::SpeculativeJIT::compileInt32ToDouble): Deleted. + (JSC::DFG::SpeculativeJIT::speculateMachineInt): Deleted. + (JSC::DFG::SpeculativeJIT::speculateRealNumber): Deleted. + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::allocate): + (JSC::DFG::SpeculativeJIT::use): + (JSC::DFG::SpeculativeJIT::boxDouble): + (JSC::DFG::SpeculativeJIT::spill): + (JSC::DFG::SpeculativeJIT::jsValueResult): + (JSC::DFG::SpeculateInt52Operand::SpeculateInt52Operand): + (JSC::DFG::SpeculateStrictInt52Operand::SpeculateStrictInt52Operand): + (JSC::DFG::SpeculateWhicheverInt52Operand::SpeculateWhicheverInt52Operand): + (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::fillJSValue): + (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): + (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): + (JSC::DFG::SpeculativeJIT::fillSpeculateCell): + (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): + (JSC::DFG::SpeculativeJIT::compileLogicalNot): + (JSC::DFG::SpeculativeJIT::emitBranch): + (JSC::DFG::SpeculativeJIT::compile): + (JSC::DFG::SpeculativeJIT::convertToDouble): Deleted. + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::fillJSValue): + (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): + (JSC::DFG::SpeculativeJIT::fillSpeculateInt52): + (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): + (JSC::DFG::SpeculativeJIT::fillSpeculateCell): + (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): + (JSC::DFG::SpeculativeJIT::compileLogicalNot): + (JSC::DFG::SpeculativeJIT::emitBranch): + (JSC::DFG::SpeculativeJIT::compile): + (JSC::DFG::SpeculativeJIT::convertToDouble): Deleted. + * dfg/DFGStrengthReductionPhase.cpp: + (JSC::DFG::StrengthReductionPhase::handleNode): + * dfg/DFGUseKind.cpp: + (WTF::printInternal): + * dfg/DFGUseKind.h: + (JSC::DFG::typeFilterFor): + (JSC::DFG::shouldNotHaveTypeCheck): + (JSC::DFG::mayHaveTypeCheck): + (JSC::DFG::isNumerical): + (JSC::DFG::isDouble): + (JSC::DFG::isCell): + (JSC::DFG::usesStructure): + (JSC::DFG::useKindForResult): + * dfg/DFGValidate.cpp: + (JSC::DFG::Validate::validate): + * dfg/DFGVariadicFunction.h: Removed. + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::createPhiVariables): + (JSC::FTL::LowerDFGToLLVM::compileNode): + (JSC::FTL::LowerDFGToLLVM::compileUpsilon): + (JSC::FTL::LowerDFGToLLVM::compilePhi): + (JSC::FTL::LowerDFGToLLVM::compileDoubleConstant): + (JSC::FTL::LowerDFGToLLVM::compileInt52Constant): + (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant): + (JSC::FTL::LowerDFGToLLVM::compileDoubleRep): + (JSC::FTL::LowerDFGToLLVM::compileValueRep): + (JSC::FTL::LowerDFGToLLVM::compileInt52Rep): + (JSC::FTL::LowerDFGToLLVM::compileValueToInt32): + (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub): + (JSC::FTL::LowerDFGToLLVM::compileArithMul): + (JSC::FTL::LowerDFGToLLVM::compileArithDiv): + (JSC::FTL::LowerDFGToLLVM::compileArithMod): + (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax): + (JSC::FTL::LowerDFGToLLVM::compileArithAbs): + (JSC::FTL::LowerDFGToLLVM::compileArithNegate): + (JSC::FTL::LowerDFGToLLVM::compilePutByVal): + (JSC::FTL::LowerDFGToLLVM::compileCompareEq): + (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq): + (JSC::FTL::LowerDFGToLLVM::compare): + (JSC::FTL::LowerDFGToLLVM::boolify): + (JSC::FTL::LowerDFGToLLVM::lowInt52): + (JSC::FTL::LowerDFGToLLVM::lowStrictInt52): + (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52): + (JSC::FTL::LowerDFGToLLVM::lowDouble): + (JSC::FTL::LowerDFGToLLVM::lowJSValue): + (JSC::FTL::LowerDFGToLLVM::strictInt52ToDouble): + (JSC::FTL::LowerDFGToLLVM::jsValueToDouble): + (JSC::FTL::LowerDFGToLLVM::speculate): + (JSC::FTL::LowerDFGToLLVM::speculateNumber): + (JSC::FTL::LowerDFGToLLVM::speculateDoubleReal): + (JSC::FTL::LowerDFGToLLVM::compileInt52ToValue): Deleted. + (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble): Deleted. + (JSC::FTL::LowerDFGToLLVM::setInt52WithStrictValue): Deleted. + (JSC::FTL::LowerDFGToLLVM::speculateRealNumber): Deleted. + (JSC::FTL::LowerDFGToLLVM::speculateMachineInt): Deleted. + * ftl/FTLValueFormat.cpp: + (JSC::FTL::reboxAccordingToFormat): + * jit/AssemblyHelpers.cpp: + (JSC::AssemblyHelpers::sanitizeDouble): + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::boxDouble): + +2014-04-15 Commit Queue + + Unreviewed, rolling out r167199 and r167251. + https://bugs.webkit.org/show_bug.cgi?id=131678 + + Caused a DYEBench regression and does not seem to improve perf + on relevant websites (Requested by rniwa on #webkit). + + Reverted changesets: + + "Rewrite Function.bind as a builtin" + https://bugs.webkit.org/show_bug.cgi?id=131083 + http://trac.webkit.org/changeset/167199 + + "Update test result" + http://trac.webkit.org/changeset/167251 + +2014-04-14 Commit Queue + + Unreviewed, rolling out r167272. + https://bugs.webkit.org/show_bug.cgi?id=131666 + + Broke multiple tests (Requested by ap on #webkit). + + Reverted changeset: + + "Function.bind itself is too slow" + https://bugs.webkit.org/show_bug.cgi?id=131636 + http://trac.webkit.org/changeset/167272 + +2014-04-14 Geoffrey Garen + + ASSERT when firing low memory warning + https://bugs.webkit.org/show_bug.cgi?id=131659 + + Reviewed by Mark Hahnenberg. + + * heap/Heap.cpp: + (JSC::Heap::deleteAllCompiledCode): Allow deleteAllCompiledCode to be + called when no GC is happening because that is what we do when a low + memory warning fires, and it is harmless. + +2014-04-14 Mark Hahnenberg + + emit_op_put_by_id should not emit a write barrier that filters on value + https://bugs.webkit.org/show_bug.cgi?id=131654 + + Reviewed by Filip Pizlo. + + The 32-bit implementation does this, and it can cause crashes if we later repatch the + code to allocate and store new Butterflies. + + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emitWriteBarrier): We also weren't verifying that the base was a cell on + 32-bit if we were passed ShouldFilterBase. I also took the liberty of sinking the tag + load down into the if statement so that we don't do it if we're not filtering on the value. + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emit_op_put_by_id): + +2014-04-14 Oliver Hunt + + Function.bind itself is too slow + https://bugs.webkit.org/show_bug.cgi?id=131636 + + Reviewed by Geoffrey Garen. + + Rather than forcing creation of an activation, we now store + bound function properties directly on the returned closure. + This is necessary to deal with code that creates many function + bindings, but does not call them very often. + + This is a 60% speed up in the included js/regress test. + + * builtins/BuiltinExecutables.cpp: + (JSC::BuiltinExecutables::createBuiltinExecutable): + * builtins/Function.prototype.js: + (bind.bindingFunction): + (bind.else.switch.case.1.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk): + (bind.else.switch.case.1.bindingFunction): + (bind.else.switch.case.2.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk): + (bind.else.switch.case.2.bindingFunction): + (bind.else.switch.case.3.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk): + (bind.else.switch.case.3.bindingFunction): + (bind.else.switch.bindingFunction): + (bind): + (bind.else.switch.case.1.bindingFunction.oversizedCall): Deleted. + (bind.else.switch.case.2.bindingFunction.oversizedCall): Deleted. + (bind.else.switch.case.3.bindingFunction.oversizedCall): Deleted. + * runtime/CommonIdentifiers.h: + +2014-04-14 Julien Brianceau + + [sh4] Allow use of SubImmediates in LLINT. + https://bugs.webkit.org/show_bug.cgi?id=131608 + + Reviewed by Mark Lam. + + Allow use of SubImmediates with const pool so the sh4 architecture can + share the arm path for setEntryAddress macro. It reduces architecture + specific code and lead to a more optimal generated code for sh4. + + * llint/LowLevelInterpreter.asm: + * offlineasm/sh4.rb: + +2014-04-14 Andreas Kling + + Array.prototype.concat should allocate output storage only once. + + + Do a first pass across 'this' and any arguments to compute the + final size of the resulting array from Array.prototype.concat. + This avoids having to grow the output incrementally as we go. + + This also includes two other micro-optimizations: + + - Mark getProperty() with ALWAYS_INLINE. + + - Use JSArray::length() instead of taking the generic property + lookup path when we know an argument is an Array. + + My MBP says ~3% progression on Dromaeo/jslib-traverse-jquery. + + Reviewed by Oliver & Darin. + + * runtime/ArrayPrototype.cpp: + (JSC::getProperty): + (JSC::arrayProtoFuncConcat): + +2014-04-14 Commit Queue + + Unreviewed, rolling out r167249. + https://bugs.webkit.org/show_bug.cgi?id=131621 + + broke 3 tests on cloop (Requested by kling on #webkit). + + Reverted changeset: + + "Array.prototype.concat should allocate output storage only + once." + https://bugs.webkit.org/show_bug.cgi?id=131609 + http://trac.webkit.org/changeset/167249 + +2014-04-14 Alex Christensen + + Fixed potential integer truncation. + https://bugs.webkit.org/show_bug.cgi?id=131615 + + Reviewed by Darin Adler. + + * assembler/X86Assembler.h: + (JSC::X86Assembler::fillNops): + Truncate the size_t to an unsigned after it is limited to 15 instead of before. + +2014-04-14 Andreas Kling + + Array.prototype.concat should allocate output storage only once. + + + Do a first pass across 'this' and any arguments to compute the + final size of the resulting array from Array.prototype.concat. + This avoids having to grow the output incrementally as we go. + + This also includes two other micro-optimizations: + + - Mark getProperty() with ALWAYS_INLINE. + + - Use JSArray::length() instead of taking the generic property + lookup path when we know an argument is an Array. + + My MBP says ~3% progression on Dromaeo/jslib-traverse-jquery. + + Reviewed by Darin Adler. + + * runtime/ArrayPrototype.cpp: + (JSC::getProperty): + (JSC::arrayProtoFuncConcat): + +2014-04-14 Benjamin Poulain + + [JSC] Improve the call site of string comparison in some hot path + https://bugs.webkit.org/show_bug.cgi?id=131605 + + Reviewed by Darin Adler. + + When resolved, the String of a JSString is never null. It can be empty but not null. + The null value is reserved for ropes but those would be resolved when getting the value. + + Consequently, we should use the equal() operation that do not handle null values. + Using the StringImpl directly is already common in StringPrototype but it was not used here for some reason. + + * jit/JITOperations.cpp: + * runtime/JSCJSValueInlines.h: + (JSC::JSValue::equalSlowCaseInline): + (JSC::JSValue::strictEqualSlowCaseInline): + (JSC::JSValue::pureStrictEqual): + +2014-04-08 Oliver Hunt + + Rewrite Function.bind as a builtin + https://bugs.webkit.org/show_bug.cgi?id=131083 + + Reviewed by Geoffrey Garen. + + This change removes the existing function.bind implementation + entirely so JSBoundFunction is no more. + + Instead we just return a regular JS closure with a few + private properties hanging off it that allow us to perform + the necessary bound function fakery. While most of this is + simple, a couple of key changes: + + - The parser and lexer now directly track whether they're + parsing code for call or construct and convert the private + name @IsConstructor into TRUETOK or FALSETOK as appropriate. + This automatically gives us the ability to vary behaviour + from within the builtin. It also leaves a lot of headroom + for trivial future improvements. + - The instanceof operator now uses the prototypeForHasInstance + private name, and we have a helper function to ensure that + all objects that need to can update their magical 'prototype' + property pair correctly. + + * API/JSScriptRef.cpp: + (parseScript): + * JavaScriptCore.xcodeproj/project.pbxproj: + * builtins/BuiltinExecutables.cpp: + (JSC::BuiltinExecutables::createBuiltinExecutable): + * builtins/Function.prototype.js: + (bind.bindingFunction): + (bind.else.bindingFunction): + (bind): + * bytecode/UnlinkedCodeBlock.cpp: + (JSC::generateFunctionCodeBlock): + * bytecompiler/NodesCodegen.cpp: + (JSC::InstanceOfNode::emitBytecode): + * interpreter/Interpreter.cpp: + * parser/Lexer.cpp: + (JSC::Lexer::Lexer): + (JSC::Lexer::parseIdentifier): + (JSC::Lexer::parseIdentifier): + * parser/Lexer.h: + * parser/Parser.cpp: + (JSC::Parser::Parser): + (JSC::Parser::parseInner): + * parser/Parser.h: + (JSC::parse): + * parser/ParserModes.h: + * runtime/CodeCache.cpp: + (JSC::CodeCache::getGlobalCodeBlock): + (JSC::CodeCache::getFunctionExecutableFromGlobalCode): + * runtime/CommonIdentifiers.h: + * runtime/Completion.cpp: + (JSC::checkSyntax): + * runtime/Executable.cpp: + (JSC::ProgramExecutable::checkSyntax): + * runtime/FunctionPrototype.cpp: + (JSC::FunctionPrototype::addFunctionProperties): + (JSC::functionProtoFuncBind): Deleted. + * runtime/JSBoundFunction.cpp: Removed. + * runtime/JSBoundFunction.h: Removed. + * runtime/JSFunction.cpp: + (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor): + (JSC::RetrieveCallerFunctionFunctor::operator()): + (JSC::retrieveCallerFunction): + (JSC::JSFunction::getOwnPropertySlot): + (JSC::JSFunction::defineOwnProperty): + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::reset): + * runtime/JSGlobalObjectFunctions.cpp: + (JSC::globalFuncSetTypeErrorAccessor): + * runtime/JSGlobalObjectFunctions.h: + * runtime/JSObject.h: + (JSC::JSObject::inlineGetOwnPropertySlot): + +2014-04-12 Filip Pizlo + + Math.fround() should be an intrinsic + https://bugs.webkit.org/show_bug.cgi?id=131583 + + Reviewed by Geoffrey Garen. + + Makes programs that use Math.fround() run up to 6x faster. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleIntrinsic): + * dfg/DFGCSEPhase.cpp: + (JSC::DFG::CSEPhase::performNodeCSE): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGNodeType.h: + * dfg/DFGPredictionPropagationPhase.cpp: + (JSC::DFG::PredictionPropagationPhase::propagate): + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileNode): + (JSC::FTL::LowerDFGToLLVM::compileArithFRound): + * runtime/Intrinsic.h: + * runtime/MathObject.cpp: + (JSC::MathObject::finishCreation): + +2014-04-12 Filip Pizlo + + FTL should use stackmap register liveness + https://bugs.webkit.org/show_bug.cgi?id=130791 + + Reviewed by Goeffrey Garen. + + Enable the stackmap register liveness support by fixing the two last bugs: + + - If everything is dead after the patchpoint - a good possibility for a put_by_id - + then we shouldn't crash due to a null scratch buffer. + + - Always consider callee-saves as if they were live. More precisely, we should + consider those callee-saves that are not saved by the enclosing function to be live. + For now we do the much simpler thing and consider callee-saves to be always live + since it has minimal impact on the scratch register allocator. It will know not to + preserve those for calls, anyway. + + I tried writing a test for the null scratch buffer thing, but failed. I will land the + test anyway since it seems useful. + + * ftl/FTLCompile.cpp: + (JSC::FTL::usedRegistersFor): + * jit/ScratchRegisterAllocator.cpp: + (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall): + (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall): + * runtime/Options.h: + * tests/stress/repeated-put-by-id-reallocating-transition.js: Added. + (foo): + +2014-04-11 Filip Pizlo + + DFG::FixupPhase should insert conversion nodes after the rest of fixup so that we know how the types settled + https://bugs.webkit.org/show_bug.cgi?id=131424 + + Reviewed by Geoffrey Garen. + + This defers type conversion injection until we've decided on types. This makes the + process of deciding types a bit more flexible - for example we can naturally fixpoint + and change our minds. Only when things are settled do we actually insert conversions. + + This is a necessary prerequisite for keeping double, int52, and JSValue data flow + separate. A SetLocal/GetLocal will appear to be JSValue until we fixpoint and realize + that there are typed uses. If we were eagerly inserting type conversions then we would + first insert a to/from-JSValue conversion in some cases only to then replace it by + the other conversions. It's probably trivial to remove those redundant conversions later + but I think it's better if we don't insert them to begin with. + + * bytecode/CodeOrigin.h: + (JSC::CodeOrigin::operator!): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::run): + (JSC::DFG::FixupPhase::fixupBlock): + (JSC::DFG::FixupPhase::fixupNode): + (JSC::DFG::FixupPhase::fixupSetLocalsInBlock): + (JSC::DFG::FixupPhase::fixEdge): + (JSC::DFG::FixupPhase::fixIntEdge): + (JSC::DFG::FixupPhase::injectTypeConversionsInBlock): + (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): + (JSC::DFG::FixupPhase::addRequiredPhantom): + (JSC::DFG::FixupPhase::addPhantomsIfNecessary): + (JSC::DFG::FixupPhase::clearPhantomsAtEnd): + (JSC::DFG::FixupPhase::observeUntypedEdge): Deleted. + (JSC::DFG::FixupPhase::fixupUntypedSetLocalsInBlock): Deleted. + (JSC::DFG::FixupPhase::injectInt32ToDoubleNode): Deleted. + +2014-04-11 Brian J. Burg + + Web Replay: code generator should consider enclosing class when computing duplicate type names + https://bugs.webkit.org/show_bug.cgi?id=131554 + + Reviewed by Timothy Hatcher. + + We need to prepend an enum's enclosing class, if any, so that multiple enums with the same name + can coexist without triggering a "duplicate types" error. Now, such enums must be referenced + by the enclosing class and enum name. + + Added tests for the new syntax, and rebaselined one test to reflect a previous patch's change. + + * replay/scripts/CodeGeneratorReplayInputs.py: + (Type.type_name): Prepend the enclosing class name. + (Type.type_name.is): + * replay/scripts/tests/expected/fail-on-duplicate-enum-type.json-error: Added. + * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Added. + * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Added. + * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Rebaseline. + * replay/scripts/tests/fail-on-duplicate-enum-type.json: Added. + * replay/scripts/tests/generate-enums-with-same-base-name.json: Added. + +2014-04-11 Gavin Barraclough + + Rollout - Rewrite Function.bind as a builtin + https://bugs.webkit.org/show_bug.cgi?id=131083 + + Unreviewed. + + Rolling out r167020 while investigating a performance regression. + + * API/JSObjectRef.cpp: + (JSObjectMakeConstructor): + * API/JSScriptRef.cpp: + (parseScript): + * CMakeLists.txt: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: + * JavaScriptCore.xcodeproj/project.pbxproj: + * builtins/BuiltinExecutables.cpp: + (JSC::BuiltinExecutables::createBuiltinExecutable): + * builtins/Function.prototype.js: + (apply): + (bind.bindingFunction): Deleted. + (bind.else.bindingFunction): Deleted. + (bind): Deleted. + * bytecode/UnlinkedCodeBlock.cpp: + (JSC::generateFunctionCodeBlock): + * bytecompiler/NodesCodegen.cpp: + (JSC::InstanceOfNode::emitBytecode): + * interpreter/Interpreter.cpp: + * parser/Lexer.cpp: + (JSC::Lexer::Lexer): + (JSC::Lexer::parseIdentifier): + (JSC::Lexer::parseIdentifier): + * parser/Lexer.h: + * parser/Parser.cpp: + (JSC::Parser::Parser): + (JSC::Parser::parseInner): + * parser/Parser.h: + (JSC::parse): + * parser/ParserModes.h: + * runtime/ArgumentsIteratorConstructor.cpp: + (JSC::ArgumentsIteratorConstructor::finishCreation): + * runtime/ArrayConstructor.cpp: + (JSC::ArrayConstructor::finishCreation): + * runtime/BooleanConstructor.cpp: + (JSC::BooleanConstructor::finishCreation): + * runtime/CodeCache.cpp: + (JSC::CodeCache::getGlobalCodeBlock): + (JSC::CodeCache::getFunctionExecutableFromGlobalCode): + * runtime/CommonIdentifiers.h: + * runtime/Completion.cpp: + (JSC::checkSyntax): + * runtime/DateConstructor.cpp: + (JSC::DateConstructor::finishCreation): + * runtime/ErrorConstructor.cpp: + (JSC::ErrorConstructor::finishCreation): + * runtime/Executable.cpp: + (JSC::ProgramExecutable::checkSyntax): + * runtime/FunctionConstructor.cpp: + (JSC::FunctionConstructor::finishCreation): + * runtime/FunctionPrototype.cpp: + (JSC::FunctionPrototype::addFunctionProperties): + (JSC::functionProtoFuncBind): + * runtime/JSArrayBufferConstructor.cpp: + (JSC::JSArrayBufferConstructor::finishCreation): + * runtime/JSBoundFunction.cpp: Added. + (JSC::boundFunctionCall): + (JSC::boundFunctionConstruct): + (JSC::JSBoundFunction::create): + (JSC::JSBoundFunction::destroy): + (JSC::JSBoundFunction::customHasInstance): + (JSC::JSBoundFunction::JSBoundFunction): + (JSC::JSBoundFunction::finishCreation): + (JSC::JSBoundFunction::visitChildren): + * runtime/JSBoundFunction.h: Added. + (JSC::JSBoundFunction::targetFunction): + (JSC::JSBoundFunction::boundThis): + (JSC::JSBoundFunction::boundArgs): + (JSC::JSBoundFunction::createStructure): + * runtime/JSFunction.cpp: + (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor): + (JSC::RetrieveCallerFunctionFunctor::operator()): + (JSC::retrieveCallerFunction): + (JSC::JSFunction::getOwnPropertySlot): + (JSC::JSFunction::getOwnNonIndexPropertyNames): + (JSC::JSFunction::put): + (JSC::JSFunction::defineOwnProperty): + * runtime/JSGenericTypedArrayViewConstructorInlines.h: + (JSC::JSGenericTypedArrayViewConstructor::finishCreation): + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::reset): + * runtime/JSGlobalObjectFunctions.cpp: + (JSC::globalFuncSetTypeErrorAccessor): Deleted. + * runtime/JSGlobalObjectFunctions.h: + * runtime/JSObject.cpp: + (JSC::JSObject::putDirectPrototypeProperty): Deleted. + (JSC::JSObject::putDirectPrototypePropertyWithoutTransitions): Deleted. + * runtime/JSObject.h: + * runtime/JSPromiseConstructor.cpp: + (JSC::JSPromiseConstructor::finishCreation): + * runtime/MapConstructor.cpp: + (JSC::MapConstructor::finishCreation): + * runtime/MapIteratorConstructor.cpp: + (JSC::MapIteratorConstructor::finishCreation): + * runtime/NameConstructor.cpp: + (JSC::NameConstructor::finishCreation): + * runtime/NativeErrorConstructor.cpp: + (JSC::NativeErrorConstructor::finishCreation): + * runtime/NumberConstructor.cpp: + (JSC::NumberConstructor::finishCreation): + * runtime/ObjectConstructor.cpp: + (JSC::ObjectConstructor::finishCreation): + * runtime/RegExpConstructor.cpp: + (JSC::RegExpConstructor::finishCreation): + * runtime/SetConstructor.cpp: + (JSC::SetConstructor::finishCreation): + * runtime/SetIteratorConstructor.cpp: + (JSC::SetIteratorConstructor::finishCreation): + * runtime/StringConstructor.cpp: + (JSC::StringConstructor::finishCreation): + * runtime/WeakMapConstructor.cpp: + (JSC::WeakMapConstructor::finishCreation): + +2014-04-11 David Kilzer + + [ASan] Build broke because libCompileRuntimeToLLVMIR.a links to libclang_rt.asan_osx_dynamic.dylib + + + + Reviewed by Brent Fulgham. + + * Configurations/CompileRuntimeToLLVMIR.xcconfig: Clear + OTHER_LDFLAGS so the ASan build does not try to link to + libclang_rt.asan_osx_dynamic.dylib. + +2014-04-11 Mark Lam + + JSMainThreadExecState::call() should clear exceptions before returning. + + + Reviewed by Geoffrey Garen. + + Added a version of JSC::call() that return any uncaught exception instead + of leaving it pending in the VM. + + As part of this change, I updated various parts of the code base to use the + new API as needed. + + * bindings/ScriptFunctionCall.cpp: + (Deprecated::ScriptFunctionCall::call): + - ScriptFunctionCall::call() is only used by the inspector to inject scripts. + The injected scripts that will include Inspector scripts that should catch + and handle any exceptions that were thrown. We should not be seeing any + exceptions returned from this call. However, we do have checks for + exceptions in case there are bugs in the Inspector scripts which allowed + the exception to leak through. Hence, it is proper to clear the exception + here, and only record the fact that an exception was seen (if present). + + * bindings/ScriptFunctionCall.h: + * inspector/InspectorEnvironment.h: + * runtime/CallData.cpp: + (JSC::call): + * runtime/CallData.h: + +2014-04-11 Oliver Hunt + + Add BuiltinLog function to make debugging builtins easier + https://bugs.webkit.org/show_bug.cgi?id=131550 + + Reviewed by Andreas Kling. + + Add a logging function that builtins can use for debugging. + + * runtime/CommonIdentifiers.h: + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::reset): + * runtime/JSGlobalObjectFunctions.cpp: + (JSC::globalFuncBuiltinLog): + * runtime/JSGlobalObjectFunctions.h: + +2014-04-11 Julien Brianceau + + Fix LLInt for sh4 architecture (broken since C stack merge). + https://bugs.webkit.org/show_bug.cgi?id=131532 + + Reviewed by Mark Lam. + + This patch fixes build and also implements sh4 parts for initPCRelative and + setEntryAddress macros introduced in http://trac.webkit.org/changeset/167094. + + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter32_64.asm: + * offlineasm/instructions.rb: + * offlineasm/sh4.rb: + +2014-04-10 Michael Saboff + + Crash beneath DFG JIT code @ video.disney.com + https://bugs.webkit.org/show_bug.cgi?id=131447 + + Reviewed by Geoffrey Garen. + + The 32-bit path of speculateMisc() uses an 'is not int32' check followed by + 'tag not less than Undefined' check. The first check was incorrectly elided if we + knew that the value *was* an int32, when it should have been elided if we already + knew that the value *was not* an int32. + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::speculateMisc): + * tests/stress/test-spec-misc.js: Added test. + (getX): + (foo): + (bar): + +2014-04-08 Filip Pizlo + + Make room for additional types in SpeculatedType.h + https://bugs.webkit.org/show_bug.cgi?id=131422 + + Reviewed by Sam Weinig. + + This'll make it easier to add DoubleHeavyNaN and DoubleEmptyNaN. + + * bytecode/SpeculatedType.h: + +2014-04-10 Alex Christensen + + Compile fix for Win64. + https://bugs.webkit.org/show_bug.cgi?id=131508 + + Reviewed by Geoffrey Garen. + + * assembler/X86Assembler.h: + (JSC::X86Assembler::fillNops): + Added unsigned template parameter to distinguish between size_t and unsigned long. + +2014-04-10 Michael Saboff + + LLInt interpreter code should be generated as part of one function + https://bugs.webkit.org/show_bug.cgi?id=131205 + + Reviewed by Mark Lam. + + Changed the generation of llint opcodes so that they are all part of the same + global function, llint_entry. That function is used to fill in an entry point + table that includes each of the opcodes and helpers. + + * CMakeLists.txt: + * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: + * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: + * JavaScriptCore.xcodeproj/project.pbxproj: + Added appropriate use of new -I option to offline assembler and offset + generator scripts. + + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter.cpp: + * llint/LowLevelInterpreter.h: + * offlineasm/arm.rb: + * offlineasm/arm64.rb: + * offlineasm/asm.rb: + * offlineasm/ast.rb: + * offlineasm/backends.rb: + * offlineasm/cloop.rb: + * offlineasm/generate_offset_extractor.rb: + * offlineasm/instructions.rb: + * offlineasm/parser.rb: + * offlineasm/registers.rb: + * offlineasm/self_hash.rb: + * offlineasm/settings.rb: + * offlineasm/transform.rb: + * offlineasm/x86.rb: + Added a new "global" keyword to the offline assembler that denotes a label that + should be exported. Added opcode and operand support to get the absolute + address of a local label using position independent calculations. Updated the + offline assembler to handle included files, both when generating the checksum + as well as including files from other than the local directory via a newly + added -I option. The offline assembler now automatically determines external + functions by keeping track of referenced functions that are defined within the + assembly source. This is used both for choosing the correct macro for external + references as well as generating the needed EXTERN directives for masm. + Updated the generation of the masm only .sym file to be written once at the end + of the offline assembler. + + * assembler/MacroAssemblerCodeRef.h: + (JSC::MacroAssemblerCodePtr::createLLIntCodePtr): + (JSC::MacroAssemblerCodeRef::createLLIntCodeRef): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::dumpBytecode): + (JSC::CodeBlock::CodeBlock): + * bytecode/GetByIdStatus.cpp: + (JSC::GetByIdStatus::computeFromLLInt): + * bytecode/Opcode.h: + (JSC::padOpcodeName): + * bytecode/PutByIdStatus.cpp: + (JSC::PutByIdStatus::computeFromLLInt): + * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + * jit/JITStubs.h: + * llint/LLIntCLoop.cpp: + (JSC::LLInt::initialize): + * llint/LLIntData.h: + (JSC::LLInt::getCodeFunctionPtr): + (JSC::LLInt::getOpcode): Deleted. + (JSC::LLInt::getCodePtr): Deleted. + * llint/LLIntOpcode.h: + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * llint/LLIntThunks.cpp: + (JSC::LLInt::functionForCallEntryThunkGenerator): + (JSC::LLInt::functionForConstructEntryThunkGenerator): + (JSC::LLInt::functionForCallArityCheckThunkGenerator): + (JSC::LLInt::functionForConstructArityCheckThunkGenerator): + (JSC::LLInt::evalEntryThunkGenerator): + (JSC::LLInt::programEntryThunkGenerator): + * llint/LLIntThunks.h: + Changed references to llint helpers to go through the entry point table populated + by llint_entry. Added helpers to OpcodeID enum for all builds. + + * bytecode/BytecodeList.json: + * generate-bytecode-files: + * llint/LLIntCLoop.cpp: + (JSC::LLInt::CLoop::initialize): + Reordered sections to match the order that the functions are added to the entry point + table. Added new "asmPrefix" property for symbols that have one name but are generated + with a prefix, e.g. op_enter -> llint_op_enter. Eliminated the "emitDefineID" property + as we are using enums for all bytecode references. Changed the C Loop only + llint_c_loop_init to llint_entry. + +2014-04-10 Matthew Mirman + + WIP for inlining C++. Added a build target to produce LLVM IR. + https://bugs.webkit.org/show_bug.cgi?id=130523 + + Reviewed by Mark Rowe. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * build-symbol-table-index.py: Added. + * build-symbol-table-index.sh: Added. + * Configurations/CompileRuntimeToLLVMIR.xcconfig: Added. + * copy-llvm-ir-to-derived-sources.sh: Added. + +2014-04-10 Brian J. Burg + + Web Replay: memoize plugin data for navigator.mimeTypes and navigator.plugins + https://bugs.webkit.org/show_bug.cgi?id=131341 + + Reviewed by Timothy Hatcher. + + Add support for encoding/decoding unsigned long with EncodedValue. + It is a distinct type from uint32_t and uint64_t. + + * replay/EncodedValue.cpp: + (JSC::EncodedValue::convertTo): + * replay/EncodedValue.h: + +2014-04-10 Mark Lam + + LLINT loadisFromInstruction should handle the big endian case. + + + Reviewed by Mark Hahnenberg. + + The LLINT loadisFromInstruction macro aims to load the least significant + 32-bit word from the 64-bit bytecode instruction stream and sign extend + it. For big endian machines, the current implementation would load the + wrong 32-bit word. + + Without this fix, the JSC tests will crash on big endian machines. + Thanks to Tomas Popela for diagnosing this issue. + + * llint/LowLevelInterpreter.asm: + +2014-04-09 Mark Lam + + Temporarily disable the JIT for the Windows port. + + + Reviewed by Brent Fulgham. + + This is a temporary stop gap measure to green the Windows bots until + we have a fix for https://webkit.org/b/131182. + + * runtime/Options.cpp: + (JSC::recomputeDependentOptions): + +2014-04-09 Juergen Ributzka + + [FTL] Emit multibyte NOPs on X86-64 + https://bugs.webkit.org/show_bug.cgi?id=131394 + + Reviewed by Michael Saboff. + + * assembler/X86Assembler.h: + (JSC::X86Assembler::fillNops): + +2014-04-09 Julien Brianceau + + Get rid of JITOperationWrappers.h header file. + https://bugs.webkit.org/show_bug.cgi?id=131450 + + Reviewed by Michael Saboff. + + JITOperationWrappers header file contains architecture specific code that is + not needed anymore, so get rid of it. + + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: + * JavaScriptCore.xcodeproj/project.pbxproj: + * dfg/DFGOperations.cpp: + * jit/JITOperationWrappers.h: Removed. + * jit/JITOperations.cpp: + +2014-04-09 Mark Lam + + Ensure that LLINT accessing of the ProtoCallFrame is big endian friendly. + + + Reviewed by Mark Hahnenberg. + + Change ProtoCallFrame::paddedArgCount to be of type uint32_t. The argCount + that it pads is of type int anyway. It doesn't need to be 64 bit. This + also makes it work with the LLINT which is loading it with a loadi + instruction. + + We should add the PayLoadOffset to ProtoCallFrame::argCountAndCodeOriginValue + when loading the argCount. + + The paddedArgCount issue was causing failures when running the JSC tests on a + 64-bit big endian machine. In this case, the paddedArgCount in the + ProtoCallFrame has the value 2. However, because the paddedArgCount was stored + as a 64-bit size_t and the LLINT was loading only the low address 32-bits of + that field, the LLINT got a value of 0 instead of the expected 2. With this + patch, we now have a matching store and load of a 32-bit value, and endianness + no longer comes into play. + + As for ProtoCallFrame::argCountAndCodeOriginValue, the argCount is stored in + the payload field of the Register. In the definition of EncodedValueDescriptor, + We already ensure that that the payload is in the least significant 32-bits for + little endian machines, and in the most significant 32-bits for big endian + machines. This means that there is no endianness bug when loading this value + using loadi. However, adding the PayLoadOffset clarifies the intent of the + code to load the payload part of the Register value. + + * interpreter/ProtoCallFrame.h: + (JSC::ProtoCallFrame::setPaddedArgCount): + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + +2014-04-08 Oliver Hunt + + Rewrite Function.bind as a builtin + https://bugs.webkit.org/show_bug.cgi?id=131083 + + Reviewed by Geoffrey Garen. + + This change removes the existing function.bind implementation + entirely so JSBoundFunction is no more. + + Instead we just return a regular JS closure with a few + private properties hanging off it that allow us to perform + the necessary bound function fakery. While most of this is + simple, a couple of key changes: + + - The parser and lexer now directly track whether they're + parsing code for call or construct and convert the private + name @IsConstructor into TRUETOK or FALSETOK as appropriate. + This automatically gives us the ability to vary behaviour + from within the builtin. It also leaves a lot of headroom + for trivial future improvements. + - The instanceof operator now uses the prototypeForHasInstance + private name, and we have a helper function to ensure that + all objects that need to can update their magical 'prototype' + property pair correctly. + + * API/JSScriptRef.cpp: + (parseScript): + * JavaScriptCore.xcodeproj/project.pbxproj: + * builtins/BuiltinExecutables.cpp: + (JSC::BuiltinExecutables::createBuiltinExecutable): + * builtins/Function.prototype.js: + (bind.bindingFunction): + (bind.else.bindingFunction): + (bind): + * bytecode/UnlinkedCodeBlock.cpp: + (JSC::generateFunctionCodeBlock): + * bytecompiler/NodesCodegen.cpp: + (JSC::InstanceOfNode::emitBytecode): + * interpreter/Interpreter.cpp: + * parser/Lexer.cpp: + (JSC::Lexer::Lexer): + (JSC::Lexer::parseIdentifier): + (JSC::Lexer::parseIdentifier): + * parser/Lexer.h: + * parser/Parser.cpp: + (JSC::Parser::Parser): + (JSC::Parser::parseInner): + * parser/Parser.h: + (JSC::parse): + * parser/ParserModes.h: + * runtime/CodeCache.cpp: + (JSC::CodeCache::getGlobalCodeBlock): + (JSC::CodeCache::getFunctionExecutableFromGlobalCode): + * runtime/CommonIdentifiers.h: + * runtime/Completion.cpp: + (JSC::checkSyntax): + * runtime/Executable.cpp: + (JSC::ProgramExecutable::checkSyntax): + * runtime/FunctionPrototype.cpp: + (JSC::FunctionPrototype::addFunctionProperties): + (JSC::functionProtoFuncBind): Deleted. + * runtime/JSBoundFunction.cpp: Removed. + * runtime/JSBoundFunction.h: Removed. + * runtime/JSFunction.cpp: + (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor): + (JSC::RetrieveCallerFunctionFunctor::operator()): + (JSC::retrieveCallerFunction): + (JSC::JSFunction::getOwnPropertySlot): + (JSC::JSFunction::defineOwnProperty): + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::reset): + * runtime/JSGlobalObjectFunctions.cpp: + (JSC::globalFuncSetTypeErrorAccessor): + * runtime/JSGlobalObjectFunctions.h: + * runtime/JSObject.h: + (JSC::JSObject::inlineGetOwnPropertySlot): + +2014-04-08 Jon Lee + + Turn MSE on by default + https://bugs.webkit.org/show_bug.cgi?id=131313 + + + Reviewed by Jer Noble. + + * Configurations/FeatureDefines.xcconfig: + +2014-04-08 Joseph Pecoraro + + Web Inspector: Prevent deadlocks receiving WIRPermissionDenied message + https://bugs.webkit.org/show_bug.cgi?id=131406 + + Reviewed by Timothy Hatcher. + + * inspector/remote/RemoteInspector.h: + * inspector/remote/RemoteInspector.mm: + (Inspector::RemoteInspector::stop): + (Inspector::RemoteInspector::stopInternal): + (Inspector::RemoteInspector::xpcConnectionReceivedMessage): + Provide a way to stop externally and a path to stop when in + the middle of handling a message already with the locked mutex. + + * inspector/remote/RemoteInspectorXPCConnection.h: + * inspector/remote/RemoteInspectorXPCConnection.mm: + (Inspector::RemoteInspectorXPCConnection::close): + (Inspector::RemoteInspectorXPCConnection::closeFromMessage): + Provide a way to close externally and a path to close when in + the middle of handling a message already with a mutex. + +2014-04-08 Joseph Pecoraro + + Web Inspector: Address stale FIXMEs concerning console in JSContext inspection + https://bugs.webkit.org/show_bug.cgi?id=131398 + + Reviewed by Timothy Hatcher. + + * inspector/InjectedScriptSource.js: + The console object can be deleted from a page or JSContext, + so keep code that expects that it could have been deleted + to be resilient in those cases. + + * inspector/JSGlobalObjectScriptDebugServer.h: + * inspector/agents/JSGlobalObjectDebuggerAgent.h: + * inspector/agents/JSGlobalObjectRuntimeAgent.h: + Change the FIXMEs to NOTEs that explain why these functions + have empty implementations for JSContext inspection. + +2014-04-08 Filip Pizlo + + Unreviewed, fix a goofy assertion to fix debug. + + * bytecode/PolymorphicPutByIdList.h: + (JSC::PutByIdAccess::isSetter): + (JSC::PutByIdAccess::oldStructure): + (JSC::PutByIdAccess::chain): + (JSC::PutByIdAccess::stubRoutine): + (JSC::PutByIdAccess::customSetter): + +2014-04-08 Filip Pizlo + + Fail silently if the LLVM dylib isn't found + https://bugs.webkit.org/show_bug.cgi?id=131385 + + Reviewed by Mark Hahnenberg. + + * dfg/DFGPlan.cpp: + (JSC::DFG::Plan::compileInThreadImpl): + * llvm/InitializeLLVM.cpp: + (JSC::initializeLLVM): + * llvm/InitializeLLVM.h: + * llvm/InitializeLLVMPOSIX.cpp: + (JSC::initializeLLVMPOSIX): + +2014-04-07 Filip Pizlo + + Repatch should support setters and plant calls to them directly + https://bugs.webkit.org/show_bug.cgi?id=130750 + + Reviewed by Geoffrey Garen. + + All of the infrastructure was in place so this just enables setter optimization. + + This is a 12x speed-up on setter microbenchmarks. This is a 1% speed-up on Octane. + + * bytecode/PolymorphicPutByIdList.cpp: + (JSC::PutByIdAccess::visitWeak): + * bytecode/PolymorphicPutByIdList.h: + (JSC::PutByIdAccess::setter): + (JSC::PutByIdAccess::customSetter): Deleted. + * bytecode/PutByIdStatus.cpp: + (JSC::PutByIdStatus::computeForStubInfo): + * jit/Repatch.cpp: + (JSC::toString): + (JSC::kindFor): + (JSC::customFor): + (JSC::generateByIdStub): + (JSC::tryCachePutByID): + (JSC::tryBuildPutByIdList): + * runtime/JSObject.cpp: + (JSC::JSObject::put): + * runtime/Lookup.h: + (JSC::putEntry): + * runtime/PutPropertySlot.h: + (JSC::PutPropertySlot::setCacheableSetter): + (JSC::PutPropertySlot::isCacheableSetter): + (JSC::PutPropertySlot::isCacheableCustom): + (JSC::PutPropertySlot::setCacheableCustomProperty): Deleted. + (JSC::PutPropertySlot::isCacheableCustomProperty): Deleted. + * tests/stress/setter.js: Added. + (foo): + +2014-04-07 Filip Pizlo + + Setters are just getters that take an extra argument and don't return a value + https://bugs.webkit.org/show_bug.cgi?id=131336 + + Reviewed by Geoffrey Garen. + + Other than that, they're totally the same thing. + + This isn't as dumb as it sounds. + + Most of the work in calling an accessor has to do with emitting the necessary checks for + figuring out whether we're calling the accessor we expected, followed by the boilerplate + needed for setting up a call inside of a stub. It makes sense for the code to be totally + common. + + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::storeValue): + (JSC::AssemblyHelpers::moveTrustedValue): + * jit/CCallHelpers.h: + (JSC::CCallHelpers::setupResults): + * jit/Repatch.cpp: + (JSC::kindFor): + (JSC::customFor): + (JSC::generateByIdStub): + (JSC::tryCacheGetByID): + (JSC::tryBuildGetByIDList): + (JSC::tryCachePutByID): + (JSC::tryBuildPutByIdList): + (JSC::generateGetByIdStub): Deleted. + (JSC::emitCustomSetterStub): Deleted. + * runtime/JSCJSValue.h: + (JSC::JSValue::asValue): + * runtime/PutPropertySlot.h: + (JSC::PutPropertySlot::cachedOffset): + +2014-04-07 Joseph Pecoraro + + Web Inspector: Hang in debuggable application after receiving WIRPermissionDenied + https://bugs.webkit.org/show_bug.cgi?id=131321 + + Reviewed by Mark Rowe. + + * inspector/remote/RemoteInspector.mm: + (Inspector::RemoteInspector::xpcConnectionReceivedMessage): + Avoid attempting to take the same lock twice. Move the received message + lock grab after the WIRPermissionDenied branch, which takes the lock + inside RemoteInspector::stop. + +2014-04-07 Filip Pizlo + + Make it possible to disable some of the FTL's more interesting features + https://bugs.webkit.org/show_bug.cgi?id=131312 + + Reviewed by Mark Hahnenberg. + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleGetById): + (JSC::DFG::ByteCodeParser::handlePutById): + (JSC::DFG::ByteCodeParser::parse): + * runtime/Options.h: + +2014-04-04 Mark Lam + + Date object needs to check for ES5 15.9.1.14 TimeClip limit. + + + Reviewed by Mark Hahnenberg. + + The current Date object code does not adequately check for the ES5 + 15.9.1.14 TimeClip limit. As a result, some calculations can underflow + / overflow and produce unexpected results. + + For example, we were getting an assertion failure in + WTF::equivalentYearForDST() due int underflows in this function, which + in turn were due to an int overflow in WTF::msToYear(). + + This patch adds the needed checks, and adds some assertions to ensure + that the used values are sane. + + The changes have no noticeable impact on benchmark results. + + * runtime/DateConstructor.cpp: + (JSC::callDate): + * runtime/JSDateMath.cpp: + (JSC::localTimeOffset): + (JSC::gregorianDateTimeToMS): + (JSC::msToGregorianDateTime): + (JSC::parseDateFromNullTerminatedCharacters): + (JSC::parseDate): + * runtime/JSDateMath.h: + - parseDateFromNullTerminatedCharacters() does not need to be public. + Made it a static function. + * runtime/VM.cpp: + (JSC::VM::resetDateCache): + - Changed cachedDateStringValue to use std::numeric_limits::quiet_NaN() + to be consistent with other Date code. + +2014-04-06 Csaba Osztrogonác + + Unreviewed speculative 32-bit buildfix after r166837. + + * heap/Heap.cpp: + (JSC::Heap::updateObjectCounts): + +2014-04-06 Dan Bernstein + + 32-bit build fix. + + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::setInputCursor): + +2014-04-04 Brian J. Burg + + Enable WEB_REPLAY for PLATFORM(MAC) + https://bugs.webkit.org/show_bug.cgi?id=130700 + + Reviewed by Timothy Hatcher. + + * Configurations/FeatureDefines.xcconfig: + +2014-04-05 Mark Hahnenberg + + Add missing files from r166837 + + * heap/GCLogging.cpp: Added. + (JSC::GCLogging::levelAsString): + (JSC::LoggingFunctor::LoggingFunctor): + (JSC::LoggingFunctor::~LoggingFunctor): + (JSC::LoggingFunctor::operator()): + (JSC::LoggingFunctor::log): + (JSC::LoggingFunctor::reviveCells): + (JSC::LoggingFunctor::returnValue): + (JSC::GCLogging::dumpObjectGraph): + * heap/GCLogging.h: Added. + +2014-04-04 Mark Hahnenberg + + Enhanced GC logging + https://bugs.webkit.org/show_bug.cgi?id=131246 + + Reviewed by Geoff Garen. + + Getting data on the state of the JSC Heap at runtime is currently in a sad state. + The OBJECT_MARK_LOGGING macro enables some basic GC logging, but it requires a full + recompile to turn it on. It would be nice if we could runtime enable our GC logging + infrastructure while incurring minimal cost when it is disabled. + + It would also be nice to get a complete view of the Heap. Currently OBJECT_MARK_LOGGING + provides us with the discovered roots along with parent-child relationships as objects + are scanned. However, once an object is scanned it will never be declared as the child + of another object during that collection. This gives us a tree-like view of the + Heap (i.e. each scanned node only reports having a single parent), where the actual + Heap can be an arbitrary graph. + + This patch replaces OBJECT_MARK_LOGGING and gives us these nice to haves. First it enhances + our logGC() runtime Option by changing it to be a tri-state value of None, Basic, or Verbose + logging levels. None means no logging is done, Basic is what logGC() = true would have done + prior to this patch, and Verbose logs all object relationships. + + JSCell has new dump/dumpToStream methods, the latter of which is "virtual" to allow + subclasses to override the default string representation that will be dumped. These + methods allow JSCells to be dumped using the standard dataLog() calls similar to much of + the logging infrastructure in our compilers. + + This patch also adds a GCLogging class that handles dumping the relationships between objects. + It does this by using the pre-existing visitChildren virtual methods to obtain the immediate + children of each live cell at the end of garbage collection. + + This change meets our goal of being neutral on the benchmarks we track. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * heap/GCLogging.cpp: Added. + (JSC::GCLogging::levelAsString): + (JSC::LoggingFunctor::LoggingFunctor): + (JSC::LoggingFunctor::operator()): + (JSC::LoggingFunctor::log): + (JSC::LoggingFunctor::reviveCells): + (JSC::LoggingFunctor::returnValue): + (JSC::GCLogging::dumpObjectGraph): + * heap/GCLogging.h: Added. + * heap/GCSegmentedArray.h: + (JSC::GCSegmentedArray::begin): + (JSC::GCSegmentedArray::end): + * heap/Heap.cpp: + (JSC::Heap::markRoots): + (JSC::Heap::visitSmallStrings): + (JSC::Heap::visitConservativeRoots): + (JSC::Heap::visitCompilerWorklists): + (JSC::Heap::visitProtectedObjects): + (JSC::Heap::visitTempSortVectors): + (JSC::Heap::visitArgumentBuffers): + (JSC::Heap::visitException): + (JSC::Heap::visitStrongHandles): + (JSC::Heap::visitHandleStack): + (JSC::Heap::traceCodeBlocksAndJITStubRoutines): + (JSC::Heap::visitWeakHandles): + (JSC::Heap::updateObjectCounts): + (JSC::Heap::collect): + (JSC::Heap::didFinishCollection): + * heap/Heap.h: + * heap/MarkStack.h: + * heap/SlotVisitor.cpp: + (JSC::SlotVisitor::dump): + * heap/SlotVisitor.h: + (JSC::SlotVisitor::markStack): + * heap/SlotVisitorInlines.h: + (JSC::SlotVisitor::internalAppend): + * runtime/ClassInfo.h: + * runtime/JSCell.cpp: + (JSC::JSCell::dump): + (JSC::JSCell::dumpToStream): + (JSC::JSCell::className): + * runtime/JSCell.h: + * runtime/JSCellInlines.h: + (JSC::JSCell::visitChildren): + * runtime/JSString.cpp: + (JSC::JSString::dumpToStream): + (JSC::JSString::visitChildren): + * runtime/JSString.h: + (JSC::JSString::length): + (JSC::JSRopeString::RopeBuilder::length): + * runtime/Options.cpp: + (JSC::parse): + (JSC::Options::setOption): + (JSC::Options::dumpOption): + * runtime/Options.h: + +2014-04-05 Mark Hahnenberg + + Remove bogus ASSERT in -JSVirtualMachine scanObjectGraph + https://bugs.webkit.org/show_bug.cgi?id=131251 + + Reviewed by Geoffrey Garen. + + * API/JSVirtualMachine.mm: + (scanExternalObjectGraph): + * API/tests/testapi.mm: + +2014-04-03 Brian J. Burg + + Web Inspector: hook up probe samples to TimelineAgent's records + https://bugs.webkit.org/show_bug.cgi?id=131127 + + Reviewed by Timothy Hatcher. + + * inspector/ScriptDebugListener.h: Add a proper forward declaration for ScriptBreakpointAction. + +2014-04-04 Commit Queue + + Unreviewed, rolling out r166820. + https://bugs.webkit.org/show_bug.cgi?id=131256 + + Broke builds. (Requested by bdash on #webkit). + + Reverted changeset: + + "WIP for inlining C++. Added a build target to produce llvm + ir." + https://bugs.webkit.org/show_bug.cgi?id=130523 + http://trac.webkit.org/changeset/166820 + +2014-04-04 Matthew Mirman + + WIP for inlining C++. Added a build target to produce llvm ir. + https://bugs.webkit.org/show_bug.cgi?id=130523 + + Reviewed by Filip Pizlo. + + The llvm ir gets placed JavaScriptCoreRuntimeToLLVMir.build with the extension .o + + * JavaScriptCore.xcodeproj/project.pbxproj: + * build_index.py: Added. + * Configurations/CompileRuntimeToLLVMir.xcconfig: Added. + +2014-04-04 Joseph Pecoraro + + Web Inspector: Log JS Exceptions to System Console if JavaScriptCoreOutputConsoleMessagesToSystemConsole enabled + https://bugs.webkit.org/show_bug.cgi?id=131241 + + Reviewed by Timothy Hatcher. + + * inspector/JSGlobalObjectInspectorController.cpp: + (Inspector::JSGlobalObjectInspectorController::reportAPIException): + Log the exception to the system console if system console output is enabled. + +2014-04-04 Joseph Pecoraro + + Web Inspector: Provide a way for JSContext console to log to system console + https://bugs.webkit.org/show_bug.cgi?id=131050 + + Reviewed by Timothy Hatcher. + + Applications often re-expose some log -> NSLog functionality. + We already have the capability ourselves, which includes extra + information such as sourceURL:line:column, all arguments instead + of just one argument, and backtrace information on console.trace. + Therefore it would be convenient if developers could just use + the built-in console.log and get rich output in both the inspector + and the console, without writing their own logger. + + The logging will be enabled in debug builds by default, and can be enabled + otherwise by setting a user default before creating the first context. + + For example, in the application itself: + + [[NSUserDefaults standardUserDefaults] setBool:YES forKey:@"JavaScriptCoreOutputConsoleMessagesToSystemConsole"]; + + Or from outside the application: + + shell> defaults write JavaScriptCoreOutputConsoleMessagesToSystemConsole -bool YES + + * inspector/JSConsoleClient.h: + * inspector/JSConsoleClient.cpp: + (Inspector::JSConsoleClient::logToSystemConsole): + (Inspector::JSConsoleClient::setLogToSystemConsole): + (Inspector::JSConsoleClient::initializeLogToSystemConsole): + (Inspector::JSConsoleClient::JSConsoleClient): + Global setting for logging to system console. Enabled on + debug builds, and by a user default on supported platforms. + + (Inspector::JSConsoleClient::messageWithTypeAndLevel): + Log to system console when the static setting is enabled. + + * runtime/ConsoleClient.h: + * runtime/ConsoleClient.cpp: + (JSC::appendURLAndPosition): + (JSC::appendMessagePrefix): + (JSC::ConsoleClient::printConsoleMessage): + (JSC::ConsoleClient::printConsoleMessageWithArguments): + Clean up printing. Build strings and use WTFLogAlways instead of printf + for consistant logging. + + * runtime/ConsoleClient.cpp: + (JSC::ConsoleClient::printConsoleMessageWithArguments): + Clean up printing. If there is no source URL, don't print a leading colon. + +2014-04-04 Mark Hahnenberg + + Use JSCell::indexingType instead of Structure::indexingType wherever possible + https://bugs.webkit.org/show_bug.cgi?id=131230 + + Reviewed by Mark Lam. + + Avoid the indirection through the Structure. + + * bytecode/ArrayAllocationProfile.cpp: + (JSC::ArrayAllocationProfile::updateIndexingType): + * bytecode/ArrayAllocationProfile.h: + (JSC::ArrayAllocationProfile::selectIndexingType): + * heap/HeapStatistics.cpp: + (JSC::StorageStatistics::operator()): + * runtime/ArrayPrototype.cpp: + (JSC::attemptFastSort): + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::objectPrototypeIsSane): + (JSC::JSGlobalObject::arrayPrototypeChainIsSane): + (JSC::JSGlobalObject::stringPrototypeChainIsSane): + * runtime/JSPropertyNameIterator.cpp: + (JSC::JSPropertyNameIterator::create): + +2014-04-04 Mark Hahnenberg + + Use JSCell::type instead of TypeInfo::type wherever possible + https://bugs.webkit.org/show_bug.cgi?id=131229 + + Reviewed by Michael Saboff. + + Avoid going through the Structure and reifying the TypeInfo. + + * runtime/Executable.h: + (JSC::ExecutableBase::isEvalExecutable): + (JSC::ExecutableBase::isProgramExecutable): + +2014-04-03 Andreas Kling + + Fast-path for casting JS wrappers to JSNode. + + + Allow code outside of JSC (well, WebCore) to extend the JSType spectrum + a little bit. We do this by exposing a LastJSCObjectType constant so + WebCore can encode its own wrapper types after that. + + Reviewed by Mark Hahnenberg and Geoff Garen. + + * runtime/JSType.h: + + Added LastJSCObjectType for use by WebCore. + + * runtime/JSObject.h: + (JSC::JSObject::isVariableObject): + + Updated since this can no longer assume that types >= VariableObjectType + are all variable objects. + +2014-04-03 Mark Hahnenberg + + All Heap::writeBarriers should be inline + https://bugs.webkit.org/show_bug.cgi?id=131197 + + Reviewed by Mark Lam. + + One is in a JSCellInlines.h, another is in Heap.cpp. These are all critical + enough and small enough to belong in HeapInlines.h. Also added the proper + ENABLE(GGC) ifdefs to minimize the cost of C++ barriers for !ENABLE(GGC) builds. + + * heap/Heap.cpp: + (JSC::Heap::writeBarrier): Deleted. + * heap/Heap.h: + * heap/HeapInlines.h: + (JSC::Heap::writeBarrier): + * runtime/JSCellInlines.h: + (JSC::Heap::writeBarrier): Deleted. + +2014-04-03 Joseph Pecoraro + + Web Inspector: JSContext inspection provide a way to opt-out of including Native Call Stacks in Exception traces reported to Web Inspector + https://bugs.webkit.org/show_bug.cgi?id=131186 + + Reviewed by Geoffrey Garen. + + * API/JSContextPrivate.h: + * API/JSContext.mm: + (-[JSContext _includesNativeCallStackWhenReportingExceptions]): + (-[JSContext _setIncludesNativeCallStackWhenReportingExceptions:]): + JSContext ObjC SPI to opt-out of including native call stacks in exceptions. + + * API/JSContextRefPrivate.h: + * API/JSContextRef.cpp: + (JSGlobalContextGetIncludesNativeCallStackWhenReportingExceptions): + (JSGlobalContextSetIncludesNativeCallStackWhenReportingExceptions): + JSContext C SPI to opt-out of including native call stacks in exceptions. + + * inspector/JSGlobalObjectInspectorController.h: + * inspector/JSGlobalObjectInspectorController.cpp: + (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController): + (Inspector::JSGlobalObjectInspectorController::reportAPIException): + Only include the native call stack if the setting is enabled. It is enabled by default. + +2014-04-03 Mark Lam + + Fix bit rot in ARMv7 JIT probe mechanism. + + + Reviewed by Geoffrey Garen. + + 1. The macro assembler does not support pushing the SP register. Worked + around this by pushing the LR register as a placeholder, and then + writing the original SP value to that slot. + 2. The CPUState field in the ProbeContext needs to be aligned on a 4 + byte boundary, not an 8 byte boundary. + + * assembler/MacroAssemblerARMv7.cpp: + (JSC::MacroAssemblerARMv7::probe): + * jit/JITStubsARMv7.h: + +2014-04-02 Mark Lam + + ARMv7 compare32() should not use TST to do CMP's job. + + + Reviewed by Geoffrey Garen. + + The ARMv7 implementation of "compare32(RegisterID left, TrustedImm32 right)" + was using "tst reg, reg" to implement "cmp reg, #0". Unfortunately, the tst + instruction doesn't set the Overflow (V) flag and this results in random + results depending on whether there was a preceeding instruction that did set + the Overflow (V) flag. This issue was causing emscripten-cube2hash to run + with a lot of OSR exits where not expected as well as producing wrong results. + + The fix is to use "cmp reg, #0" to do the job properly. + + * assembler/MacroAssemblerARMv7.h: + (JSC::MacroAssemblerARMv7::compare32): + +2014-04-02 Mark Hahnenberg + + CodeBlockSet should be generational + https://bugs.webkit.org/show_bug.cgi?id=127152 + + Reviewed by Geoffrey Garen. + + During EdenCollections we now only visit those CodeBlocks that: + a) Are new since the last collection if they were somehow otherwise reachable. + b) Are reachable from an Executable that is part of the remembered set. + + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::CodeBlock): Initialize uninitialized variables. + (JSC::CodeBlock::visitAggregate): Move the addition of the weak reference harvester after the + shouldImmediatelyAssumeLivenessDuringScan check since it's redundant if we assume liveness. + * bytecode/CodeBlock.h: + (JSC::CodeBlock::forEachRelatedCodeBlock): Executes a functor for each CodeBlock reachable from the current CodeBlock (including this). + We use this to clear marks for the CodeBlocks of remembered Executables (see: CodeBlockSet::clearMarksForEdenCollection). + (JSC::CodeBlockSet::mark): Also check the set of new CodeBlocks for memebership when doing conservative scanning. + (JSC::ScriptExecutable::forEachCodeBlock): Executes a functor for each of this Executable's CodeBlocks. + * heap/CodeBlockSet.cpp: + (JSC::CodeBlockSet::~CodeBlockSet): + (JSC::CodeBlockSet::add): + (JSC::CodeBlockSet::promoteYoungCodeBlocks): Moves all CodeBlocks currently in the set of new CodeBlocks into + the set of old CodeBlocks. + (JSC::CodeBlockSet::clearMarksForFullCollection): Clears the marks for all CodeBlocks. + (JSC::CodeBlockSet::clearMarksForEdenCollection): Clears the marks for CodeBlocks owned by Executables in the + remembered set. When an Executable is added to the remembered set it's typically because we need to do something + with its CodeBlock. + (JSC::CodeBlockSet::clearMarks): + (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced): Fixpoints over either just the new CodeBlocks or all CodeBlocks + to determine which CodeBlocks are dead and eagerly finalizes/deletes them. + (JSC::CodeBlockSet::remove): + (JSC::CodeBlockSet::traceMarked): Iterate only the currently executing CodeBlocks instead of all CodeBlocks. + (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks): Clear m_mayBeExecuting for all currently executing + CodeBlocks because we no longer always do this at the beginning of EdenCollections. + * heap/CodeBlockSet.h: + (JSC::CodeBlockSet::iterate): + * heap/Heap.cpp: + (JSC::Heap::markRoots): + (JSC::Heap::deleteAllCompiledCode): + (JSC::Heap::deleteUnmarkedCompiledCode): + * runtime/Executable.cpp: + (JSC::ScriptExecutable::installCode): Write barrier code on installation. We do this due to the following situation: + a) A CodeBlock is created and is compiled on a DFG worker thread. + b) No GC happens. + c) The CodeBlock has finished being compiled and is installed in the Executable. + d) The function never executes before the next GC. + e) The next GC needs needs to visit the new CodeBlock but the Executable won't be revisited unless + it's added to the remembered set. + +2014-04-02 Mark Lam + + Added some more dataLog info for OSR exits. + + + Reviewed by Michael Saboff. + + Adding info about the OSR exit index, the bytecode index of the bytecode + that is OSR exiting, and the reason for the OSR exit. This change is + for debugging code which only comes into play when we use the + --printEachOSRExit option. + + * dfg/DFGOSRExit.h: + * dfg/DFGOSRExitCompiler32_64.cpp: + (JSC::DFG::OSRExitCompiler::compileExit): + * dfg/DFGOSRExitCompiler64.cpp: + (JSC::DFG::OSRExitCompiler::compileExit): + * dfg/DFGOperations.cpp: + +2014-04-02 Martin Robinson + + REGRESSION(r165704): [GTK] Inspector resources not correctly generated + https://bugs.webkit.org/show_bug.cgi?id=130343 + + Reviewed by Gustavo Noronha Silva. + + * CMakeLists.txt: We generate the inspector JavaScript file into a directory like the one + in which it should be distributed. This allows us to more easily package it for GTK+. + +2014-04-01 Timothy Hatcher + + Remove HeapProfiler from the Web Inspector protocol. + + https://bugs.webkit.org/show_bug.cgi?id=131070 + + Reviewed by Joseph Pecoraro. + + * inspector/agents/InspectorConsoleAgent.h: + * inspector/agents/JSGlobalObjectConsoleAgent.cpp: + (Inspector::JSGlobalObjectConsoleAgent::addInspectedHeapObject): Deleted. + * inspector/agents/JSGlobalObjectConsoleAgent.h: + * inspector/protocol/Console.json: + +2014-03-31 Simon Fraser + + Enable WEB_TIMING on Mac and iOS + https://bugs.webkit.org/show_bug.cgi?id=128064 + + Reviewed by Sam Weinig, Brent Fulgham. + + Enable WEB_TIMING. + + * Configurations/FeatureDefines.xcconfig: + +2014-03-31 Michael Saboff + + REGRESSION(r166415): JSObject{Get,Set}Private() don't work with proxies objects + https://bugs.webkit.org/show_bug.cgi?id=130992 + + Reviewed by Mark Hahnenberg. + + Forward JSObjectGetPrivate() and JSObjectSetPrivate() to the wrapped object. + + * API/JSObjectRef.cpp: + (JSObjectGetPrivate): + (JSObjectSetPrivate): + * API/tests/testapi.c: + (main): Added new test case to validate we are properly foarwarding. + +2014-03-31 Mark Hahnenberg + + Improve GC_LOGGING + https://bugs.webkit.org/show_bug.cgi?id=130988 + + Reviewed by Geoffrey Garen. + + GC_LOGGING can be useful for diagnosing where we're spending our time during collection, + but it doesn't distinguish between Eden and Full collections in the data it gathers. This + patch updates it so that it can. It also adds the process ID to the beginning of each line + of input to be able to distinguish between the output of multiple processes exiting at the + same time. + + * heap/Heap.cpp: + (JSC::Heap::collect): + +2014-03-31 Dean Jackson + + Remove WEB_ANIMATIONS + https://bugs.webkit.org/show_bug.cgi?id=130989 + + Reviewed by Simon Fraser. + + Remove this feature flag until we plan to implement. + + * Configurations/FeatureDefines.xcconfig: + +2014-03-31 Filip Pizlo + + More validation for FTL inline caches + https://bugs.webkit.org/show_bug.cgi?id=130948 + + Reviewed by Geoffrey Garen. + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleGetById): + (JSC::DFG::ByteCodeParser::handlePutById): + * runtime/Options.h: + +2014-03-31 Filip Pizlo + + LLVM IR for store barriers should be nicely arranged and they don't need exception checks + https://bugs.webkit.org/show_bug.cgi?id=130950 + + Reviewed by Mark Hahnenberg. + + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier): + +2014-03-31 Raphael Kubo da Costa + + [CMake] Stop checking for WTF_USE_ICU_UNICODE. + https://bugs.webkit.org/show_bug.cgi?id=130965 + + Reviewed by Martin Robinson. + + This is somewhat of a follow-up to r162782, which got rid of + WTF_USE_ICU_UNICODE in CMake but did not remove the check in JSC's + CMakeLists.txt. This meant the includes and libraries were not + being properly included since then. + + * CMakeLists.txt: + +2014-03-31 Dániel Bátyai + + Remove hostThisRegister() and hostThisValue() + https://bugs.webkit.org/show_bug.cgi?id=130895 + + Reviewed by Geoffrey Garen. + + Removed hostThisRegister() and hostThisValue() and instead use thisArgumentOffset() and thisValue() respectively. + + * API/APICallbackFunction.h: + (JSC::APICallbackFunction::call): + * API/JSCallbackObjectFunctions.h: + (JSC::JSCallbackObject::call): + * dfg/DFGOSREntry.cpp: + (JSC::DFG::prepareOSREntry): + * inspector/JSInjectedScriptHostPrototype.cpp: + (Inspector::jsInjectedScriptHostPrototypeAttributeEvaluate): + (Inspector::jsInjectedScriptHostPrototypeFunctionInternalConstructorName): + (Inspector::jsInjectedScriptHostPrototypeFunctionIsHTMLAllCollection): + (Inspector::jsInjectedScriptHostPrototypeFunctionType): + (Inspector::jsInjectedScriptHostPrototypeFunctionFunctionDetails): + (Inspector::jsInjectedScriptHostPrototypeFunctionGetInternalProperties): + * inspector/JSJavaScriptCallFramePrototype.cpp: + (Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluate): + (Inspector::jsJavaScriptCallFramePrototypeFunctionScopeType): + (Inspector::jsJavaScriptCallFrameAttributeCaller): + (Inspector::jsJavaScriptCallFrameAttributeSourceID): + (Inspector::jsJavaScriptCallFrameAttributeLine): + (Inspector::jsJavaScriptCallFrameAttributeColumn): + (Inspector::jsJavaScriptCallFrameAttributeFunctionName): + (Inspector::jsJavaScriptCallFrameAttributeScopeChain): + (Inspector::jsJavaScriptCallFrameAttributeThisObject): + (Inspector::jsJavaScriptCallFrameAttributeType): + * interpreter/CallFrame.h: + (JSC::ExecState::hostThisRegister): Deleted. + (JSC::ExecState::hostThisValue): Deleted. + * runtime/Arguments.cpp: + (JSC::argumentsFuncIterator): + * runtime/ArrayPrototype.cpp: + (JSC::arrayProtoFuncToString): + (JSC::arrayProtoFuncToLocaleString): + (JSC::arrayProtoFuncJoin): + (JSC::arrayProtoFuncConcat): + (JSC::arrayProtoFuncPop): + (JSC::arrayProtoFuncPush): + (JSC::arrayProtoFuncReverse): + (JSC::arrayProtoFuncShift): + (JSC::arrayProtoFuncSlice): + (JSC::arrayProtoFuncSort): + (JSC::arrayProtoFuncSplice): + (JSC::arrayProtoFuncUnShift): + (JSC::arrayProtoFuncReduce): + (JSC::arrayProtoFuncReduceRight): + (JSC::arrayProtoFuncIndexOf): + (JSC::arrayProtoFuncLastIndexOf): + (JSC::arrayProtoFuncValues): + (JSC::arrayProtoFuncEntries): + (JSC::arrayProtoFuncKeys): + * runtime/BooleanPrototype.cpp: + (JSC::booleanProtoFuncToString): + (JSC::booleanProtoFuncValueOf): + * runtime/ConsolePrototype.cpp: + (JSC::consoleLogWithLevel): + (JSC::consoleProtoFuncClear): + (JSC::consoleProtoFuncDir): + (JSC::consoleProtoFuncDirXML): + (JSC::consoleProtoFuncTable): + (JSC::consoleProtoFuncTrace): + (JSC::consoleProtoFuncAssert): + (JSC::consoleProtoFuncCount): + (JSC::consoleProtoFuncProfile): + (JSC::consoleProtoFuncProfileEnd): + (JSC::consoleProtoFuncTime): + (JSC::consoleProtoFuncTimeEnd): + (JSC::consoleProtoFuncTimeStamp): + (JSC::consoleProtoFuncGroup): + (JSC::consoleProtoFuncGroupCollapsed): + (JSC::consoleProtoFuncGroupEnd): + * runtime/DatePrototype.cpp: + (JSC::formateDateInstance): + (JSC::dateProtoFuncToISOString): + (JSC::dateProtoFuncToLocaleString): + (JSC::dateProtoFuncToLocaleDateString): + (JSC::dateProtoFuncToLocaleTimeString): + (JSC::dateProtoFuncGetTime): + (JSC::dateProtoFuncGetFullYear): + (JSC::dateProtoFuncGetUTCFullYear): + (JSC::dateProtoFuncGetMonth): + (JSC::dateProtoFuncGetUTCMonth): + (JSC::dateProtoFuncGetDate): + (JSC::dateProtoFuncGetUTCDate): + (JSC::dateProtoFuncGetDay): + (JSC::dateProtoFuncGetUTCDay): + (JSC::dateProtoFuncGetHours): + (JSC::dateProtoFuncGetUTCHours): + (JSC::dateProtoFuncGetMinutes): + (JSC::dateProtoFuncGetUTCMinutes): + (JSC::dateProtoFuncGetSeconds): + (JSC::dateProtoFuncGetUTCSeconds): + (JSC::dateProtoFuncGetMilliSeconds): + (JSC::dateProtoFuncGetUTCMilliseconds): + (JSC::dateProtoFuncGetTimezoneOffset): + (JSC::dateProtoFuncSetTime): + (JSC::setNewValueFromTimeArgs): + (JSC::setNewValueFromDateArgs): + (JSC::dateProtoFuncSetYear): + (JSC::dateProtoFuncGetYear): + (JSC::dateProtoFuncToJSON): + * runtime/ErrorPrototype.cpp: + (JSC::errorProtoFuncToString): + * runtime/FunctionPrototype.cpp: + (JSC::functionProtoFuncToString): + (JSC::functionProtoFuncBind): + * runtime/NamePrototype.cpp: + (JSC::privateNameProtoFuncToString): + * runtime/NumberPrototype.cpp: + (JSC::numberProtoFuncToExponential): + (JSC::numberProtoFuncToFixed): + (JSC::numberProtoFuncToPrecision): + (JSC::numberProtoFuncClz): + (JSC::numberProtoFuncToString): + (JSC::numberProtoFuncToLocaleString): + (JSC::numberProtoFuncValueOf): + * runtime/ObjectPrototype.cpp: + (JSC::objectProtoFuncValueOf): + (JSC::objectProtoFuncHasOwnProperty): + (JSC::objectProtoFuncIsPrototypeOf): + (JSC::objectProtoFuncDefineGetter): + (JSC::objectProtoFuncDefineSetter): + (JSC::objectProtoFuncLookupGetter): + (JSC::objectProtoFuncLookupSetter): + (JSC::objectProtoFuncPropertyIsEnumerable): + (JSC::objectProtoFuncToLocaleString): + (JSC::objectProtoFuncToString): + * runtime/RegExpPrototype.cpp: + (JSC::regExpProtoFuncTest): + (JSC::regExpProtoFuncExec): + (JSC::regExpProtoFuncCompile): + (JSC::regExpProtoFuncToString): + * runtime/StringPrototype.cpp: + (JSC::stringProtoFuncReplace): + (JSC::stringProtoFuncToString): + (JSC::stringProtoFuncCharAt): + (JSC::stringProtoFuncCharCodeAt): + (JSC::stringProtoFuncConcat): + (JSC::stringProtoFuncIndexOf): + (JSC::stringProtoFuncLastIndexOf): + (JSC::stringProtoFuncMatch): + (JSC::stringProtoFuncSearch): + (JSC::stringProtoFuncSlice): + (JSC::stringProtoFuncSplit): + (JSC::stringProtoFuncSubstr): + (JSC::stringProtoFuncSubstring): + (JSC::stringProtoFuncToLowerCase): + (JSC::stringProtoFuncToUpperCase): + (JSC::stringProtoFuncLocaleCompare): + (JSC::stringProtoFuncBig): + (JSC::stringProtoFuncSmall): + (JSC::stringProtoFuncBlink): + (JSC::stringProtoFuncBold): + (JSC::stringProtoFuncFixed): + (JSC::stringProtoFuncItalics): + (JSC::stringProtoFuncStrike): + (JSC::stringProtoFuncSub): + (JSC::stringProtoFuncSup): + (JSC::stringProtoFuncFontcolor): + (JSC::stringProtoFuncFontsize): + (JSC::stringProtoFuncAnchor): + (JSC::stringProtoFuncLink): + (JSC::stringProtoFuncTrim): + (JSC::stringProtoFuncTrimLeft): + (JSC::stringProtoFuncTrimRight): + +2014-03-28 Filip Pizlo + + Land the stackmap register liveness glue with the uses of the liveness disabled + https://bugs.webkit.org/show_bug.cgi?id=130924 + + Reviewed by Oliver Hunt. + + Add the liveness and fix other bugs I found. + + * bytecode/PutByIdStatus.cpp: + (JSC::PutByIdStatus::computeFor): + * ftl/FTLCompile.cpp: + (JSC::FTL::usedRegistersFor): + (JSC::FTL::fixFunctionBasedOnStackMaps): + * ftl/FTLSlowPathCall.cpp: + * ftl/FTLSlowPathCallKey.cpp: + (JSC::FTL::SlowPathCallKey::dump): + * ftl/FTLSlowPathCallKey.h: + (JSC::FTL::SlowPathCallKey::SlowPathCallKey): + (JSC::FTL::SlowPathCallKey::argumentRegisters): + (JSC::FTL::SlowPathCallKey::withCallTarget): + * ftl/FTLStackMaps.cpp: + (JSC::FTL::StackMaps::Record::locationSet): + (JSC::FTL::StackMaps::Record::liveOutsSet): + (JSC::FTL::StackMaps::Record::usedRegisterSet): + * ftl/FTLStackMaps.h: + * ftl/FTLThunks.cpp: + (JSC::FTL::registerClobberCheck): + (JSC::FTL::slowPathCallThunkGenerator): + * jit/RegisterSet.cpp: + (JSC::RegisterSet::stackRegisters): + (JSC::RegisterSet::reservedHardwareRegisters): + (JSC::RegisterSet::runtimeRegisters): + (JSC::RegisterSet::specialRegisters): + (JSC::RegisterSet::dump): + * jit/RegisterSet.h: + (JSC::RegisterSet::RegisterSet): + (JSC::RegisterSet::setAny): + (JSC::RegisterSet::setMany): + * jit/Repatch.cpp: + (JSC::tryCacheGetByID): + (JSC::tryCachePutByID): + (JSC::tryRepatchIn): + * runtime/Options.cpp: + (JSC::recomputeDependentOptions): + * runtime/Options.h: + +2014-03-28 Mark Lam + + mandreel throws a checksum error on 32-bit x86. + + + Reviewed by Filip Pizlo. + + The 32-bit DFG can emit code that loads double constants from its + CodeBlock's m_constantRegisters vector. The emitted instruction will + embed the address of the constant from the vector's backing store. + Subsequently, while inserting new constants, the DFG may resize the + vector, thereby reallocating the backing store. This renders the + previously embedded constant addresses stale. + + The fix is to use a dedicated doubles constant pool stored in the DFG + CommonData instead. This constant pool won't be reallocated, and + hence will not manifest this issue. + + * dfg/DFGCommonData.h: + * dfg/DFGGraph.h: + * dfg/DFGJITCompiler.cpp: + (JSC::DFG::JITCompiler::link): + (JSC::DFG::JITCompiler::addressOfDoubleConstant): + * dfg/DFGJITCompiler.h: + (JSC::DFG::JITCompiler::addressOfDoubleConstant): Deleted. + +2014-03-28 Joseph Pecoraro + + Web Inspector: console.warn is showing as error instead of warning + https://bugs.webkit.org/show_bug.cgi?id=130921 + + Reviewed by Timothy Hatcher. + + * runtime/ConsolePrototype.cpp: + (JSC::consoleProtoFuncWarn): + console.warn should be MessageLevel Warning, not Error. + +2014-03-28 Oliver Hunt + + Fix cloop build. + + * bytecode/BytecodeList.json: + +2014-03-28 Michael Saboff + + Unreviewed, rolling r166248 back in. + + Turns out r166070 didn't cause a 2% performance loss in page load times + + Reverted changeset: + + Unreviewed, rolling out r166126. + Rollout r166126 in prepartion to roll out prerequisite r166070 + +2014-03-27 Commit Queue + + Unreviewed, rolling out r166376. + https://bugs.webkit.org/show_bug.cgi?id=130887 + + This was a misguided optimization. (Requested by kling on + #webkit). + + Reverted changeset: + + "Avoid fetching JSObject::structure() repeatedly in + putDirectInternal." + https://bugs.webkit.org/show_bug.cgi?id=130857 + http://trac.webkit.org/changeset/166376 + +2014-03-27 Oliver Hunt + + Support spread operand in |new| expressions + https://bugs.webkit.org/show_bug.cgi?id=130877 + + Reviewed by Michael Saboff. + + Add support for the spread operator being applied in + |new| expressions. This required adding support for + a new opcode, op_construct_varargs. This is a relatively + simple refactoring of the call_varargs implementation. + + * bytecode/BytecodeList.json: + * bytecode/BytecodeUseDef.h: + (JSC::computeUsesForBytecodeOffset): + (JSC::computeDefsForBytecodeOffset): + * bytecode/CallLinkInfo.cpp: + (JSC::CallLinkInfo::unlink): + * bytecode/CallLinkInfo.h: + (JSC::CallLinkInfo::callTypeFor): + (JSC::CallLinkInfo::specializationKind): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::dumpBytecode): + (JSC::CodeBlock::CodeBlock): + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitCallVarargs): + (JSC::BytecodeGenerator::emitConstructVarargs): + (JSC::BytecodeGenerator::emitConstruct): + * bytecompiler/BytecodeGenerator.h: + * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + (JSC::JIT::privateCompileSlowCases): + * jit/JIT.h: + * jit/JITCall.cpp: + (JSC::JIT::compileOpCall): + (JSC::JIT::compileOpCallSlowCase): + (JSC::JIT::emit_op_construct_varargs): + (JSC::JIT::emitSlow_op_construct_varargs): + * jit/JITCall32_64.cpp: + (JSC::JIT::emitSlow_op_construct_varargs): + (JSC::JIT::emit_op_construct_varargs): + (JSC::JIT::compileOpCall): + (JSC::JIT::compileOpCallSlowCase): + * jit/JITOperations.cpp: + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * llint/LLIntSlowPaths.h: + * llint/LowLevelInterpreter.asm: + * parser/Parser.cpp: + (JSC::Parser::parseMemberExpression): + +2014-03-27 Filip Pizlo + + Revert http://trac.webkit.org/changeset/166386 because it broke builds. + + * Configurations/Base.xcconfig: + * Configurations/LLVMForJSC.xcconfig: + +2014-03-27 Filip Pizlo + + Unreviewed, skip this test for now. + + * tests/stress/recurse-infinitely-on-getter.js: + +2014-03-27 Filip Pizlo + + Switch the LLVMForJSC target to using the LLVM in /usr/local rather than /usr/local/LLVMForJavaScriptCore on iOS + https://bugs.webkit.org/show_bug.cgi?id=130867 + + + Reviewed by Mark Hahnenberg. + + * Configurations/Base.xcconfig: + * Configurations/LLVMForJSC.xcconfig: + +2014-03-27 Andreas Kling + + Avoid fetching JSObject::structure() repeatedly in putDirectInternal. + + + Use the cached Structure* instead of re-fetching it over and over since + that's a non-trivial operation these days. + + Reviewed by Mark Hahnenberg. + + * runtime/JSObject.h: + (JSC::JSObject::putDirectInternal): + +2014-03-27 Mark Hahnenberg + + Check the remembered set bit faster + https://bugs.webkit.org/show_bug.cgi?id=130860 + + Reviewed by Oliver Hunt. + + Currently we look up the remembered set bit in the MarkedBlock in C++ code, but + that bit is also stored in the object. We should look it up there whenever possible. + + * heap/CopiedBlockInlines.h: + (JSC::CopiedBlock::shouldReportLiveBytes): + * heap/Heap.cpp: + (JSC::Heap::addToRememberedSet): + * heap/Heap.h: + * heap/HeapInlines.h: Removed. + * heap/SlotVisitorInlines.h: + (JSC::SlotVisitor::reportExtraMemoryUsage): + +2014-03-27 Joseph Pecoraro + + Web Inspector: Provide SPI to disallow remote inspection of a JSContext + https://bugs.webkit.org/show_bug.cgi?id=130853 + + Reviewed by Timothy Hatcher. + + * API/JSContextPrivate.h: Added. + * API/JSContext.mm: + (-[JSContext _remoteInspectionEnabled]): + (-[JSContext _setRemoteInspectionEnabled:]): + ObjC SPI to enable/disable remote inspection. + + * API/JSContextRefPrivate.h: + * API/JSContextRef.cpp: + (JSGlobalContextGetRemoteInspectionEnabled): + (JSGlobalContextSetRemoteInspectionEnabled): + C SPI to enable/disable remote inspection. + + * JavaScriptCore.xcodeproj/project.pbxproj: + Add new private header, and export as a private header. + +2014-03-27 Mark Hahnenberg + + Clean up questionable style in ScriptExecutable::prepareForExecutionImpl + https://bugs.webkit.org/show_bug.cgi?id=130845 + + Reviewed by Filip Pizlo. + + There was a hack added to make sure C Loop LLInt worked which included overriding the + global Options::useLLInt setting, which makes no sense to do here. We should put the + update of the global setting in Options::recomputeDependentOptions along with the other + execution engine flags. + + * runtime/Executable.cpp: + (JSC::ScriptExecutable::prepareForExecutionImpl): + * runtime/Options.cpp: + (JSC::recomputeDependentOptions): + +2014-03-26 Filip Pizlo + + Enable LLVM stackmap liveOuts computation + https://bugs.webkit.org/show_bug.cgi?id=130821 + + Reviewed by Andy Estes and Sam Weinig. + + * ftl/FTLStackMaps.cpp: + (JSC::FTL::StackMaps::Record::dump): + * llvm/library/LLVMExports.cpp: + (initializeAndGetJSCLLVMAPI): + +2014-03-26 Filip Pizlo + + Parse stackmaps liveOuts + https://bugs.webkit.org/show_bug.cgi?id=130801 + + Reviewed by Geoffrey Garen. + + This just adds the code to parse them but doesn't do anything with them, yet. + + * ftl/FTLLocation.cpp: + (JSC::FTL::Location::forStackmaps): + * ftl/FTLLocation.h: + (JSC::FTL::Location::forRegister): + (JSC::FTL::Location::forIndirect): + * ftl/FTLStackMaps.cpp: + (JSC::FTL::StackMaps::Location::parse): + (JSC::FTL::StackMaps::Location::dump): + (JSC::FTL::StackMaps::LiveOut::parse): + (JSC::FTL::StackMaps::LiveOut::dump): + (JSC::FTL::StackMaps::Record::parse): + (JSC::FTL::StackMaps::Record::dump): + * ftl/FTLStackMaps.h: + +2014-03-26 Mark Lam + + Build fix after r166307. + + Not reviewed. + + * runtime/JSCell.h: + - The inline function isAPIValueWrapper() should not be exported. This + was causing a linkage error when building for 32-bit x86 on Mac. + +2014-03-26 Filip Pizlo + + Reasoning about DWARF register numbers should be moved out of FTL::Location + https://bugs.webkit.org/show_bug.cgi?id=130792 + + Reviewed by Oliver Hunt. + + Moving this code makes it possible for things other than FTL::Location to reason about + DWARF register encoding. This refactoring also appears to reduce some code duplication + and makes FTLLocation.cpp cleaner. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * ftl/FTLCompile.cpp: + (JSC::FTL::fixFunctionBasedOnStackMaps): + * ftl/FTLDWARFRegister.cpp: Added. + (JSC::FTL::DWARFRegister::reg): + (JSC::FTL::DWARFRegister::dump): + * ftl/FTLDWARFRegister.h: Added. + (JSC::FTL::DWARFRegister::DWARFRegister): + (JSC::FTL::DWARFRegister::dwarfRegNum): + * ftl/FTLLocation.cpp: + (JSC::FTL::Location::dump): + (JSC::FTL::Location::isGPR): + (JSC::FTL::Location::gpr): + (JSC::FTL::Location::isFPR): + (JSC::FTL::Location::fpr): + * ftl/FTLLocation.h: + (JSC::FTL::Location::hasDwarfReg): + (JSC::FTL::Location::dwarfReg): + +2014-03-26 Brent Fulgham + + Unreviewed build fix. + + * runtime/JSCell.h: VS2013 confused about argument type. + +2014-03-26 Zoltan Horvath + + [CSS Shapes] Remove shape-inside support + https://bugs.webkit.org/show_bug.cgi?id=130698 + + Reviewed by David Hyatt. + + * Configurations/FeatureDefines.xcconfig: + +2014-03-26 Dániel Bátyai + + Rename hasFastArrayStorage to be more appropriate + https://bugs.webkit.org/show_bug.cgi?id=130773 + + Reviewed by Filip Pizlo. + + * dfg/DFGArrayMode.cpp: + (JSC::DFG::ArrayMode::alreadyChecked): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGWatchpointCollectionPhase.cpp: + (JSC::DFG::WatchpointCollectionPhase::handle): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileNewArray): + (JSC::FTL::LowerDFGToLLVM::compileNewArrayBuffer): + (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize): + * runtime/ButterflyInlines.h: + (JSC::Butterfly::unshift): + (JSC::Butterfly::shift): + * runtime/IndexingHeaderInlines.h: + (JSC::IndexingHeader::preCapacity): + * runtime/IndexingType.h: + (JSC::hasArrayStorage): + (JSC::hasAnyArrayStorage): + (JSC::hasFastArrayStorage): Deleted. + * runtime/JSArray.cpp: + (JSC::JSArray::sortVector): + (JSC::JSArray::compactForSorting): + * runtime/JSArray.h: + (JSC::JSArray::create): + (JSC::JSArray::tryCreateUninitialized): + * runtime/JSGlobalObject.cpp: + * runtime/JSObject.cpp: + (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage): + * runtime/JSObject.h: + (JSC::JSObject::ensureArrayStorage): + (JSC::JSObject::arrayStorage): + * runtime/StructureTransitionTable.h: + (JSC::newIndexingType): + +2014-03-26 Zan Dobersek + + Unreviewed. Removing the remaining Automake cruft. + + * GNUmakefile.list.am: Removed. + +2014-03-25 Filip Pizlo + + Arguments simplification phase should be fine with marking the arguments local itself as an arguments alias + https://bugs.webkit.org/show_bug.cgi?id=130764 + + + Reviewed by Sam Weinig. + + Being an arguments alias just means that your OSR exit recovery should attempt arguments + creation. This is true of arguments locals. We had special cases that tried to make it not + true of arguments locals. The only consequence of those special cases was to cause crashes + in case of arguments that are also captured variables (i.e. we have SlowArguments). This + change just removes those special cases. + + This change means that the FTL will now see SetLocals with a FlushedArguments format. + Previously you wouldn't see them because previously only non-captured variable would be + arguments aliases, and non-captured variables get completely SSAified - i.e. no SetLocals + left. Adding handling for FlushedArguments is a benign and simple change since its + behavior is identical to FlushedJSValue for that code's purposes. + + * dfg/DFGArgumentsSimplificationPhase.cpp: + (JSC::DFG::ArgumentsSimplificationPhase::run): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileSetLocal): + * tests/stress/captured-arguments-variable.js: Added. + (foo): + (noInline): + +2014-03-25 Mark Hahnenberg + + Add HeapInlines + https://bugs.webkit.org/show_bug.cgi?id=130759 + + Reviewed by Filip Pizlo. + + * GNUmakefile.list.am: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: + * JavaScriptCore.xcodeproj/project.pbxproj: + * heap/Heap.cpp: + (JSC::MarkedBlockSnapshotFunctor::MarkedBlockSnapshotFunctor): + (JSC::MarkedBlockSnapshotFunctor::operator()): + * heap/Heap.h: Also reindented while we're here. + (JSC::Heap::writeBarrierBuffer): + (JSC::Heap::vm): + (JSC::Heap::objectSpace): + (JSC::Heap::machineThreads): + (JSC::Heap::operationInProgress): + (JSC::Heap::allocatorForObjectWithoutDestructor): + (JSC::Heap::allocatorForObjectWithNormalDestructor): + (JSC::Heap::allocatorForObjectWithImmortalStructureDestructor): + (JSC::Heap::storageAllocator): + (JSC::Heap::notifyIsSafeToCollect): + (JSC::Heap::isSafeToCollect): + (JSC::Heap::handleSet): + (JSC::Heap::handleStack): + (JSC::Heap::lastFullGCLength): + (JSC::Heap::lastEdenGCLength): + (JSC::Heap::increaseLastFullGCLength): + (JSC::Heap::sizeBeforeLastEdenCollection): + (JSC::Heap::sizeAfterLastEdenCollection): + (JSC::Heap::sizeBeforeLastFullCollection): + (JSC::Heap::sizeAfterLastFullCollection): + (JSC::Heap::jitStubRoutines): + (JSC::Heap::isDeferred): + (JSC::Heap::structureIDTable): + (JSC::Heap::removeCodeBlock): + * heap/HeapInlines.h: Added. + (JSC::Heap::shouldCollect): + (JSC::Heap::isBusy): + (JSC::Heap::isCollecting): + (JSC::Heap::heap): + (JSC::Heap::isLive): + (JSC::Heap::isInRememberedSet): + (JSC::Heap::isMarked): + (JSC::Heap::testAndSetMarked): + (JSC::Heap::setMarked): + (JSC::Heap::isWriteBarrierEnabled): + (JSC::Heap::writeBarrier): + (JSC::Heap::reportExtraMemoryCost): + (JSC::Heap::forEachProtectedCell): + (JSC::Heap::forEachCodeBlock): + (JSC::Heap::allocateWithNormalDestructor): + (JSC::Heap::allocateWithImmortalStructureDestructor): + (JSC::Heap::allocateWithoutDestructor): + (JSC::Heap::tryAllocateStorage): + (JSC::Heap::tryReallocateStorage): + (JSC::Heap::ascribeOwner): + (JSC::Heap::blockAllocator): + (JSC::Heap::releaseSoon): + (JSC::Heap::incrementDeferralDepth): + (JSC::Heap::decrementDeferralDepth): + (JSC::Heap::collectIfNecessaryOrDefer): + (JSC::Heap::decrementDeferralDepthAndGCIfNeeded): + (JSC::Heap::markListSet): + * runtime/JSCInlines.h: + +2014-03-25 Filip Pizlo + + DFG::ByteCodeParser::SetMode should distinguish between setting immediately without a flush and setting immediately with a flush + https://bugs.webkit.org/show_bug.cgi?id=130760 + + Reviewed by Mark Hahnenberg. + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::setLocal): + (JSC::DFG::ByteCodeParser::setArgument): + (JSC::DFG::ByteCodeParser::handleInlining): + (JSC::DFG::ByteCodeParser::parseBlock): + * tests/stress/assign-argument-in-inlined-call.js: Added. + (f1): + (getF2Arguments): + (f2): + (f3): + * tests/stress/assign-captured-argument-in-inlined-call.js: Added. + (f1): + (f2): + (f3): + +2014-03-25 Filip Pizlo + + Fix 32-bit getter call alignment. + + Reviewed by Mark Hahnenberg. + + * jit/Repatch.cpp: + (JSC::generateGetByIdStub): + +2014-03-25 Filip Pizlo + + Repatch should plant calls to getters directly rather than through a C helper + https://bugs.webkit.org/show_bug.cgi?id=129589 + + Reviewed by Mark Hahnenberg. + + As the title says. All of the superstructure for this was already in place, so now it + was just a matter of actually emitting the call. + + 8x speed-up for getter microbenchmarks. + + * CMakeLists.txt: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.xcodeproj/project.pbxproj: + * bytecode/PolymorphicGetByIdList.h: + (JSC::GetByIdAccess::doesCalls): + * jit/AccessorCallJITStubRoutine.cpp: Added. + (JSC::AccessorCallJITStubRoutine::AccessorCallJITStubRoutine): + (JSC::AccessorCallJITStubRoutine::~AccessorCallJITStubRoutine): + (JSC::AccessorCallJITStubRoutine::visitWeak): + * jit/AccessorCallJITStubRoutine.h: Added. + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::storeCell): + * jit/GCAwareJITStubRoutine.h: + * jit/Repatch.cpp: + (JSC::generateGetByIdStub): + * runtime/GetterSetter.h: + (JSC::GetterSetter::offsetOfGetter): + (JSC::GetterSetter::offsetOfSetter): + +2014-03-25 Michael Saboff + + Unreviewed, rolling out r166126. + + Rollout r166126 in prepartion to roll out prerequisite r166070 + + Reverted changeset: + + "toThis() on a JSWorkerGlobalScope should return a JSProxy and + not undefined" + https://bugs.webkit.org/show_bug.cgi?id=130554 + http://trac.webkit.org/changeset/166126 + +2014-03-25 Oliver Hunt + + AST incorrectly conflates readable and writable locations + https://bugs.webkit.org/show_bug.cgi?id=130734 + + Reviewed by Filip Pizlo. + + We need to distinguish between "locations" that are valid for reading + and writing, vs those that may only be written. + + * bytecompiler/NodesCodegen.cpp: + (JSC::ForInNode::emitBytecode): + (JSC::ForOfNode::emitBytecode): + * parser/Nodes.h: + (JSC::ExpressionNode::isAssignmentLocation): + +2014-03-24 Oliver Hunt + + ASSERTION FAILED in Parser: dst != localReg + https://bugs.webkit.org/show_bug.cgi?id=130710 + + Reviewed by Filip Pizlo. + + Just make sure we don't try to write to a captured constant, + following the change to track captured variables separately. + + * bytecompiler/NodesCodegen.cpp: + (JSC::PostfixNode::emitResolve): + (JSC::PrefixNode::emitResolve): + +2014-03-25 Martin Robinson + + [GTK] Remove the autotools build + https://bugs.webkit.org/show_bug.cgi?id=130717 + + Reviewed by Anders Carlsson. + + * GNUmakefile.am: Removed. + * config.h: Remove references to the autotools configure file. + +2014-03-24 Filip Pizlo + + More scaffolding for a stub routine to have a stub recursively embedded inside it + https://bugs.webkit.org/show_bug.cgi?id=130770 + + Reviewed by Oliver Hunt. + + * bytecode/CallLinkInfo.cpp: + (JSC::CallLinkInfo::unlink): VM& argument is superfluous. + (JSC::CallLinkInfo::visitWeak): Factor this out, it used to be in CodeBlock::finalizeUnconditionally(). + * bytecode/CallLinkInfo.h: + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::finalizeUnconditionally): Factor out some functionality into CallLinkInfo::visitWeak(), and make sure we pass RepatchBuffer& in more places. + (JSC::CodeBlock::unlinkCalls): + (JSC::CodeBlock::unlinkIncomingCalls): + * bytecode/PolymorphicGetByIdList.cpp: Pass RepatchBuffer& through and call JITStubRoutine::visitWeak(). + (JSC::GetByIdAccess::visitWeak): + (JSC::PolymorphicGetByIdList::visitWeak): + * bytecode/PolymorphicGetByIdList.h: + * bytecode/PolymorphicPutByIdList.cpp: Pass RepatchBuffer& through and call JITStubRoutine::visitWeak(). + (JSC::PutByIdAccess::visitWeak): + (JSC::PolymorphicPutByIdList::visitWeak): + * bytecode/PolymorphicPutByIdList.h: + * bytecode/StructureStubInfo.cpp: Pass RepatchBuffer& through. + (JSC::StructureStubInfo::visitWeakReferences): + * bytecode/StructureStubInfo.h: + * jit/ClosureCallStubRoutine.cpp: isClosureCall is unused. + (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine): + * jit/GCAwareJITStubRoutine.cpp: + (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine): + (JSC::createJITStubRoutine): + * jit/GCAwareJITStubRoutine.h: Make it easier to construct one of these. + (JSC::GCAwareJITStubRoutine::isClosureCall): Deleted. + * jit/JITStubRoutine.cpp: + (JSC::JITStubRoutine::visitWeak): This will allow future JITStubRoutine subclasses to have stubs recursively embedded inside them. + * jit/JITStubRoutine.h: + * jit/Repatch.cpp: + (JSC::generateGetByIdStub): Fix a possible GC bug where we weren't making the stub routine GC aware. + (JSC::emitCustomSetterStub): Clean up some code. + +2014-03-24 Geoffrey Garen + + Safari crashes in JavaScriptCore: JSC::JSObject::growOutOfLineStorage + when WebKit is compiled with fcatch-undefined-behavior + https://bugs.webkit.org/show_bug.cgi?id=130652 + + Reviewed by Mark Hahnenberg. + + Use a static member function because the butterfly we pass in might be + NULL, and passing NULL to a member function is undefined behavior. + + Stylistically, I think this new way reads a little more clearly, since it + matches createOrGrowArrayRight, and it helps to convey that m_butterfly + might not exist yet. + + * runtime/Butterfly.h: + * runtime/ButterflyInlines.h: + (JSC::Butterfly::createOrGrowPropertyStorage): Renamed from growPropertyStorage + because we might create. Split out the create path to avoid using NULL + in a member function expression. + + Removed some unused versions of this function. + + * runtime/JSObject.cpp: + (JSC::JSObject::growOutOfLineStorage): Updated for interface change. + +2014-03-24 Oliver Hunt + + Strict mode destructuring assignment crashes the parser. + https://bugs.webkit.org/show_bug.cgi?id=130538 + + Reviewed by Michael Saboff. + + The SyntaxChecker mode always return 1 for success, except + for a small subset of functions where we needed exact information. + This ends up just being a poor design decision as it means + the parser can get confused between a function return 1, and + the Resolve constant which was also 1. So we now use a unique + type for every creation method. + + * parser/SyntaxChecker.h: + (JSC::SyntaxChecker::createSourceElements): + (JSC::SyntaxChecker::createFunctionBody): + (JSC::SyntaxChecker::createArguments): + (JSC::SyntaxChecker::createSpreadExpression): + (JSC::SyntaxChecker::createArgumentsList): + (JSC::SyntaxChecker::createPropertyList): + (JSC::SyntaxChecker::createElementList): + (JSC::SyntaxChecker::createFormalParameterList): + (JSC::SyntaxChecker::createClause): + (JSC::SyntaxChecker::createClauseList): + (JSC::SyntaxChecker::createFuncDeclStatement): + (JSC::SyntaxChecker::createBlockStatement): + (JSC::SyntaxChecker::createExprStatement): + (JSC::SyntaxChecker::createIfStatement): + (JSC::SyntaxChecker::createForLoop): + (JSC::SyntaxChecker::createForInLoop): + (JSC::SyntaxChecker::createForOfLoop): + (JSC::SyntaxChecker::createEmptyStatement): + (JSC::SyntaxChecker::createVarStatement): + (JSC::SyntaxChecker::createReturnStatement): + (JSC::SyntaxChecker::createBreakStatement): + (JSC::SyntaxChecker::createContinueStatement): + (JSC::SyntaxChecker::createTryStatement): + (JSC::SyntaxChecker::createSwitchStatement): + (JSC::SyntaxChecker::createWhileStatement): + (JSC::SyntaxChecker::createWithStatement): + (JSC::SyntaxChecker::createDoWhileStatement): + (JSC::SyntaxChecker::createLabelStatement): + (JSC::SyntaxChecker::createThrowStatement): + (JSC::SyntaxChecker::createDebugger): + (JSC::SyntaxChecker::createConstStatement): + (JSC::SyntaxChecker::appendConstDecl): + (JSC::SyntaxChecker::combineCommaNodes): + (JSC::SyntaxChecker::operatorStackPop): + +2014-03-24 Brent Fulgham + + Activate WebVTT Tests Once Merging is Complete + https://bugs.webkit.org/show_bug.cgi?id=130420 + + Reviewed by Eric Carlson. + + * Configurations/FeatureDefines.xcconfig: Turn on ENABLE(WEBVTT_REGIONS) + +2014-03-24 Andreas Kling + + Stop pulling in all the macro assemblers from VM.h + + + Remove #include of "GPRInfo.h". This breaks WebCore's dependency + on macro assemblers headers and removes 8 includes from every + .cpp file in the JS bindings. + + Reviewed by Geoff Garen. + + * runtime/VM.h: + +2014-03-24 Gavin Barraclough + + Add support for thread QoS + https://bugs.webkit.org/show_bug.cgi?id=130688 + + Reviewed by Andreas Kling. + + * heap/BlockAllocator.cpp: + (JSC::BlockAllocator::blockFreeingThreadStartFunc): + - block freeing is a utility activity. + +2014-03-24 Filip Pizlo + + Unreviewed, fix CLOOP build. + + * bytecode/CallLinkStatus.cpp: + (JSC::CallLinkStatus::computeFor): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::printCallOp): + (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex): + (JSC::CodeBlock::resetStubDuringGCInternal): Deleted. + * bytecode/CodeBlock.h: + (JSC::CodeBlock::callLinkInfosEnd): Deleted. + +2014-03-24 Gabor Rapcsanyi + + [ARM64] GNU assembler doesn't work with LLInt arm64 backend. + https://bugs.webkit.org/show_bug.cgi?id=130453 + + Reviewed by Filip Pizlo. + + Change fp and lr to x29 and x30. Add both operand kinds to emitARM64() + at sxtw and uxtw instructions. + + * offlineasm/arm64.rb: + +2014-03-23 Hyowon Kim + + Move all EFL typedefs into EflTypedefs.h. + https://bugs.webkit.org/show_bug.cgi?id=130511 + + Reviewed by Gyuyoung Kim + + * heap/HeapTimer.h: Remove EFL typedefs. + +2014-03-23 Filip Pizlo + + Gotta grow the locals vectors if we are about to do SetLocals beyond the bytecode's numCalleeRegisters + https://bugs.webkit.org/show_bug.cgi?id=130650 + + + Reviewed by Michael Saboff. + + Previously, it was only in the case of inlining that we would do SetLocal's beyond the + previously established numLocals limit. But then we added generalized op_call_varargs + handling, which results in us emitting SetLocals that didn't previously exist in the + bytecode. + + This factors out the inliner's ensureLocals loop and calls it from op_call_varargs. + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::ensureLocals): + (JSC::DFG::ByteCodeParser::handleInlining): + (JSC::DFG::ByteCodeParser::parseBlock): + (JSC::DFG::ByteCodeParser::parse): + * ftl/FTLOSRExitCompiler.cpp: + (JSC::FTL::compileStub): Make this do alignment correctly. + * runtime/Options.h: + * tests/stress/call-varargs-from-inlined-code.js: Added. + * tests/stress/call-varargs-from-inlined-code-with-odd-number-of-arguments.js: Added. + +2014-03-22 Filip Pizlo + + Unreviewed, adjust sizes for ARM64. + + * ftl/FTLInlineCacheSize.cpp: + (JSC::FTL::sizeOfCall): + +2014-03-22 Filip Pizlo + + Protect the silent spiller/filler's desire to fill Int32Constants by making sure that we don't mark something as having a Int32 register format if it's a non-Int32 constant + https://bugs.webkit.org/show_bug.cgi?id=130649 + + + Reviewed by Andreas Kling. + + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): + * tests/stress/fuzz-bug-16399949.js: Added. + (tryItOut.f): + (tryItOut): + +2014-03-22 Filip Pizlo + + Call linking slow paths should be passed a CallLinkInfo* directly so that you can create a call IC without adding it to any CodeBlocks + https://bugs.webkit.org/show_bug.cgi?id=130644 + + Reviewed by Andreas Kling. + + This is conceptually a really simple change but it involves the following: + + - The inline part of the call IC stuffs a pointer to the CallLinkInfo into regT2. + + - CodeBlock uses a Bag of CallLinkInfos instead of a Vector. + + - Remove the significance of a CallLinkInfo's index. This means that DFG::JITCode no + longer has a vector of slow path counts that shadows the CallLinkInfo vector. + + - Make CallLinkInfo have its own slowPathCount, which counts actual slow path executions + and not all relinking. + + This makes planting JS->JS calls inside other inline caches or stubs a lot easier, since + the CallLinkInfo and the call IC slow paths no longer rely on the call being associated + with a op_call/op_construct instruction and a machine code return PC within such an + instruction. + + * bytecode/CallLinkInfo.h: + (JSC::getCallLinkInfoCodeOrigin): + * bytecode/CallLinkStatus.cpp: + (JSC::CallLinkStatus::computeFor): + (JSC::CallLinkStatus::computeDFGStatuses): + * bytecode/CallLinkStatus.h: + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::printCallOp): + (JSC::CodeBlock::dumpBytecode): + (JSC::CodeBlock::finalizeUnconditionally): + (JSC::CodeBlock::getCallLinkInfoMap): + (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex): + (JSC::CodeBlock::addCallLinkInfo): + (JSC::CodeBlock::unlinkCalls): + * bytecode/CodeBlock.h: + (JSC::CodeBlock::stubInfoBegin): + (JSC::CodeBlock::stubInfoEnd): + (JSC::CodeBlock::callLinkInfosBegin): + (JSC::CodeBlock::callLinkInfosEnd): + (JSC::CodeBlock::byValInfo): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleCall): + (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): + * dfg/DFGJITCode.h: + * dfg/DFGJITCompiler.cpp: + (JSC::DFG::JITCompiler::link): + * dfg/DFGJITCompiler.h: + (JSC::DFG::JITCompiler::addJSCall): + (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord): + * dfg/DFGOSRExitCompilerCommon.cpp: + (JSC::DFG::reifyInlinedCallFrames): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::emitCall): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::emitCall): + * ftl/FTLCompile.cpp: + (JSC::FTL::fixFunctionBasedOnStackMaps): + * ftl/FTLInlineCacheSize.cpp: + (JSC::FTL::sizeOfCall): + * ftl/FTLJSCall.cpp: + (JSC::FTL::JSCall::JSCall): + (JSC::FTL::JSCall::emit): + (JSC::FTL::JSCall::link): + * ftl/FTLJSCall.h: + * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + (JSC::JIT::privateCompileSlowCases): + (JSC::JIT::privateCompile): + * jit/JIT.h: + * jit/JITCall.cpp: + (JSC::JIT::compileOpCall): + (JSC::JIT::compileOpCallSlowCase): + * jit/JITCall32_64.cpp: + (JSC::JIT::compileOpCall): + (JSC::JIT::compileOpCallSlowCase): + * jit/JITOperations.cpp: + * jit/JITOperations.h: + (JSC::operationLinkFor): + (JSC::operationVirtualFor): + (JSC::operationLinkClosureCallFor): + * jit/Repatch.cpp: + (JSC::linkClosureCall): + * jit/ThunkGenerators.cpp: + (JSC::slowPathFor): + (JSC::virtualForThunkGenerator): + * tests/stress/eval-that-is-not-eval.js: Added. + +2014-03-22 Filip Pizlo + + Unreviewed, fix mispelled test name. + + * tests/stress/constand-folding-osr-exit.js: Removed. + * tests/stress/constant-folding-osr-exit.js: Copied from Source/JavaScriptCore/tests/stress/constand-folding-osr-exit.js. + +2014-03-22 Andreas Kling + + CREATE_DOM_WRAPPER doesn't need the ExecState. + + + Add a fast path from JSGlobalObject to the VM so we don't have + to dance via the Heap. + + Reviewed by Darin Adler. + + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::JSGlobalObject): + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::vm): + +2014-03-22 Filip Pizlo + + Unreviewed, fix FTL build. + + * ftl/FTLJITFinalizer.cpp: + +2014-03-22 Michael Saboff + + toThis() on a JSWorkerGlobalScope should return a JSProxy and not undefined + https://bugs.webkit.org/show_bug.cgi?id=130554 + + Reviewed by Geoffrey Garen. + + Fixed toThis() on WorkerGlobalScope to return a JSProxy instead of the JSGlobalObject. + Did some cleanup as well. Moved the setting of the thisObject in a JSGlobalObject to + happen in finishCreation() so that it will also happen for other derived classes including + JSWorkerGlobalScopeBase. + + * API/JSContextRef.cpp: + (JSGlobalContextCreateInGroup): + * jsc.cpp: + (GlobalObject::create): + * API/tests/testapi.c: + (globalObject_initialize): Eliminated ASSERT that the global object we are creating matches + the result from JSContextGetGlobalObject() as that will return the proxy. + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): Removed thisValue parameter and the call to setGlobalThis() since + we now call setGlobalThis in finishCreation(). + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::finishCreation): + (JSC::JSGlobalObject::setGlobalThis): Made this a private method. + +2014-03-22 Andreas Kling + + Fix debug build. + + * bytecode/CodeBlock.cpp: + * runtime/Executable.cpp: + +2014-03-22 Andreas Kling + + Cut down on JSC profiler includes in WebCore & co. + + + Most of WebKit was pulling in JSC's profiler headers via VM.h. + + Reviewed by Darin Adler. + + * dfg/DFGDisassembler.cpp: + * dfg/DFGDisassembler.h: + * dfg/DFGJITFinalizer.cpp: + * jsc.cpp: + * runtime/VM.cpp: + * runtime/VM.h: + +2014-03-22 Landry Breuil + + Use pthread_stackseg_np() to find the stack bounds on OpenBSD. + https://bugs.webkit.org/show_bug.cgi?id=129965 + + Reviewed By Anders Carlsson. + +2014-03-21 Mark Lam + + Crash when BytecodeGenerator::emitJump calls Label::bind on null pointer. + + + Reviewed by Oliver Hunt. + + The issue is that BreakNode::emitBytecode() is holding onto a LabelScope + pointer from the BytecodeGenerator's m_localScopes vector, and then it + calls emitPopScopes(). emitPopScopes() may do finally clause handling + which will require the m_localScopes to be cloned so that it can change + the local scopes for the finally block, and then restore it after + handling the finally clause. These modifications of the m_localScopes + vector will result in the LabelScope pointer in BreakNode::emitBytecode() + becoming stale, thereby causing the crash. + + The same issue applies to the ContinueNode as well. + + The fix is to use the existing LabelScopePtr abstraction instead of raw + LabelScope pointers. The LabelScopePtr is resilient to the underlying + vector re-allocating its backing store. + + I also changed the LabelScopePtr constructor that takes a LabelScopeStore + to expect a reference to the owner store instead of a pointer because the + owner store should never be a null pointer. + + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::newLabelScope): + (JSC::BytecodeGenerator::breakTarget): + (JSC::BytecodeGenerator::continueTarget): + * bytecompiler/BytecodeGenerator.h: + * bytecompiler/LabelScope.h: + (JSC::LabelScopePtr::LabelScopePtr): + (JSC::LabelScopePtr::operator bool): + (JSC::LabelScopePtr::null): + * bytecompiler/NodesCodegen.cpp: + (JSC::ContinueNode::trivialTarget): + (JSC::ContinueNode::emitBytecode): + (JSC::BreakNode::trivialTarget): + (JSC::BreakNode::emitBytecode): + +2014-03-21 Mark Hahnenberg + + 6% SunSpider commandline regression due to r165940 + https://bugs.webkit.org/show_bug.cgi?id=130617 + + Reviewed by Michael Saboff. + + In GCActivityCallback::didAllocate, lastGCLength() returns 0 if we've never collected + before. Some of the benchmarks are never running a single EdenCollection, which causes + them to repeatedly call scheduleTimer with a newDelay of 0. This defeats our timer + slop heuristic, causing us to invoke CFRunLoopTimerSetNextFireDate a couple orders of + magnitude more than we normally would. + + The fix is to seed the last GC lengths in Heap with a non-zero length so that our heuristic works. + + * heap/Heap.cpp: + (JSC::Heap::Heap): + +2014-03-21 Filip Pizlo + + Constants folded by DFG::ByteCodeParser should not be dead. + https://bugs.webkit.org/show_bug.cgi?id=130576 + + Reviewed by Mark Hahnenberg. + + This fixes bugs in the ByteCodeParser's constant folder by removing that constant folder. This + reduces the number of folders in JSC from fourish to just threeish (parser, DFG AI, and one + or more folders in LLVM). Doing so has no performance impact since the other constant folders + already subsume this one. + + Also added a test case for the specific bug that instigated this. + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::getJSConstantForValue): + (JSC::DFG::ByteCodeParser::getJSConstant): + (JSC::DFG::ByteCodeParser::inferredConstant): + (JSC::DFG::ByteCodeParser::handleIntrinsic): + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGNode.h: + * dfg/DFGNodeFlags.h: + * tests/stress/constand-folding-osr-exit.js: Added. + (foo): + (test): + (.var): + +2014-03-21 Mark Lam + + StackLayoutPhase should find the union'ed calleeVariable before accessing its machineLocal. + + + Reviewed by Filip Pizlo. + + * dfg/DFGStackLayoutPhase.cpp: + (JSC::DFG::StackLayoutPhase::run): + +2014-03-20 Filip Pizlo + + FTL should correctly compile GetByVal on Uint32Array that claims to return non-int32 values + https://bugs.webkit.org/show_bug.cgi?id=130562 + + + Reviewed by Geoffrey Garen. + + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileGetByVal): + * tests/stress/uint32array-unsigned-load.js: Added. + (foo): + +2014-03-20 Brian Burg + + Web Inspector: add frontend controller and models for replay sessions + https://bugs.webkit.org/show_bug.cgi?id=130145 + + Reviewed by Joseph Pecoraro. + + * inspector/scripts/CodeGeneratorInspector.py: Add the conditional Replay domain. + +2014-03-20 Filip Pizlo + + FTL ValueToInt32 mishandles the constant case, and by the way, there is a constant case that the FTL sees + https://bugs.webkit.org/show_bug.cgi?id=130546 + + + Reviewed by Mark Hahnenberg. + + Make AI do a better job of folding this. + + Also made the FTL backend be more tolerant of data representations. In this case it + didn't know that "constant" was a valid representation. There is a finite set of + possible representations, but broadly, we don't write code that presumes anything + about the representation of an input; that's what methods like lowJSValue() are for. + ValueToInt32 was previously not relying on those methods at all because it had some + hacks. Now, those hacks are just a fast-path optimization but ultimately we fall down + to lowJSValue(). + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileValueToInt32): + (JSC::FTL::LowerDFGToLLVM::numberOrNotCellToInt32): + * tests/stress/value-to-int32-undefined-constant.js: Added. + (foo): + * tests/stress/value-to-int32-undefined.js: Added. + (foo): + +2014-03-20 Mark Hahnenberg + + Add some assertions back + https://bugs.webkit.org/show_bug.cgi?id=130531 + + Reviewed by Geoffrey Garen. + + We removed a useful set of assertions for verifying that MarkedBlocks were + in the state that we expected them to be in after clearing marks in the Heap. + We should add these back to catch bugs earlier. + + * heap/MarkedBlock.h: + * heap/MarkedSpace.cpp: + (JSC::VerifyMarkedOrRetired::operator()): + (JSC::MarkedSpace::clearMarks): + +2014-03-20 Filip Pizlo + + Implement stackmap header version check and support new stackmap formats + https://bugs.webkit.org/show_bug.cgi?id=130535 + + + Reviewed by Geoffrey Garen. + + Add the notion of versioning so that LLVMers can happily implement new stackmap formats + without worrying about WebKit getting version-locked to LLVM. In the future, we will have + to implement parsing for a new LLVM stackmap format before it lands in LLVM, or we'll have + to have a "max usable LLVM revision" limit. But, thanks to versioning, we'll always be + happy to move backward in time to older versions of LLVM. + + * ftl/FTLStackMaps.cpp: + (JSC::FTL::readObject): + (JSC::FTL::StackMaps::Constant::parse): + (JSC::FTL::StackMaps::StackSize::parse): + (JSC::FTL::StackMaps::Location::parse): + (JSC::FTL::StackMaps::Record::parse): + (JSC::FTL::StackMaps::parse): + (JSC::FTL::StackMaps::dump): + (JSC::FTL::StackMaps::dumpMultiline): + * ftl/FTLStackMaps.h: + +2014-03-20 Filip Pizlo + + Crash beneath operationTearOffActivation running this JS compression demo + https://bugs.webkit.org/show_bug.cgi?id=130295 + + + Reviewed by Oliver Hunt. + + Make sure that we flush things as if we were at a terminal, if we are at a block with + no forward edges. This fixes infinitely loopy code with captured variables. + + Make sure that the CFG simplifier adds explicit flushes whenever it jettisons a block. + + Make it so that NodeIsFlushed is a thing. Previously only SSA used it and it computed + it by itself. Now it's an artifact of CPS rethreading. + + Add a bunch of tests. All of them previously either crashed or returned bad output due + to memory corruption. + + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::isCaptured): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::flushForTerminal): + (JSC::DFG::ByteCodeParser::flushForReturn): + (JSC::DFG::ByteCodeParser::flushIfTerminal): + (JSC::DFG::ByteCodeParser::branchData): + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGCFGSimplificationPhase.cpp: + (JSC::DFG::CFGSimplificationPhase::keepOperandAlive): + * dfg/DFGCPSRethreadingPhase.cpp: + (JSC::DFG::CPSRethreadingPhase::run): + (JSC::DFG::CPSRethreadingPhase::computeIsFlushed): + (JSC::DFG::CPSRethreadingPhase::addFlushedLocalOp): + (JSC::DFG::CPSRethreadingPhase::addFlushedLocalEdge): + * dfg/DFGCSEPhase.cpp: + (JSC::DFG::CSEPhase::performNodeCSE): + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::clearFlagsOnAllNodes): + * dfg/DFGGraph.h: + * dfg/DFGNode.h: + * dfg/DFGNodeFlags.cpp: + (JSC::DFG::dumpNodeFlags): + * dfg/DFGNodeFlags.h: + * dfg/DFGSSAConversionPhase.cpp: + (JSC::DFG::SSAConversionPhase::run): + * tests/stress/activation-test-loop.js: Added. + (Inner.this.doStuff): + (Inner): + (foo.inner.isDone): + (foo): + * tests/stress/inferred-infinite-loop-that-uses-captured-variables.js: Added. + (bar): + (foo): + (noInline): + * tests/stress/infinite-loop-that-uses-captured-variables-before-throwing.js: Added. + (bar): + (foo): + (noInline): + * tests/stress/infinite-loop-that-uses-captured-variables-but-they-do-not-escape.js: Added. + (bar): + (foo): + (noInline): + * tests/stress/infinite-loop-that-uses-captured-variables-with-osr-entry.js: Added. + (bar): + (foo): + (noInline): + * tests/stress/infinite-loop-that-uses-captured-variables.js: Added. + (bar): + (foo): + (noInline): + * tests/stress/tricky-indirectly-inferred-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added. + (bar): + (fuzz): + (foo.f): + (foo): + * tests/stress/tricky-inferred-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added. + (bar): + (foo.f): + (foo): + * tests/stress/tricky-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added. + (bar): + (foo.f): + (foo): + * tests/stress/tricky-infinite-loop-that-uses-captured-variables.js: Added. + (bar): + (foo): + (noInline): + +2014-03-20 Oliver Hunt + + Incorrect behavior when mutating a typed array during set. + https://bugs.webkit.org/show_bug.cgi?id=130428 + + Reviewed by Geoffrey Garen. + + This fixes a null derefence that occurs if a typed array + is mutated during the set() operation. The patch gets rid + of the "Quickly" version of setIndex that is assigning + JSValues of unknown type, as the numeric conversion can trigger + side effects that lead to neutering, and so we deref null. + + * runtime/JSGenericTypedArrayView.h: + (JSC::JSGenericTypedArrayView::setIndex): + * runtime/JSGenericTypedArrayViewInlines.h: + (JSC::JSGenericTypedArrayView::set): + (JSC::JSGenericTypedArrayView::putByIndex): + +2014-03-20 Gavin Barraclough + + Remove IdentifierTable typedef, isIdentifier() + https://bugs.webkit.org/show_bug.cgi?id=130533 + + Rubber stamped by Geoff Garen. + + Code should use AtomicStringTable, isAtomic() directly. + + * API/JSClassRef.cpp: + (OpaqueJSClass::~OpaqueJSClass): + (OpaqueJSClassContextData::OpaqueJSClassContextData): + (OpaqueJSClass::className): + * API/JSClassRef.h: + * bytecode/SpeculatedType.cpp: + (JSC::speculationFromCell): + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::BytecodeGenerator): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileIn): + (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::speculateStringIdent): + * heap/Heap.cpp: + (JSC::Heap::collect): + * interpreter/CallFrame.h: + (JSC::ExecState::atomicStringTable): + * parser/ASTBuilder.h: + (JSC::ASTBuilder::addVar): + * parser/Parser.cpp: + (JSC::Parser::createBindingPattern): + * runtime/Completion.cpp: + (JSC::checkSyntax): + (JSC::evaluate): + * runtime/Identifier.cpp: + (JSC::Identifier::checkCurrentAtomicStringTable): + * runtime/Identifier.h: + (JSC::Identifier::Identifier): + * runtime/IdentifierInlines.h: + (JSC::Identifier::add): + * runtime/JSCJSValue.cpp: + (JSC::JSValue::dumpInContext): + * runtime/JSLock.cpp: + (JSC::JSLock::didAcquireLock): + (JSC::JSLock::willReleaseLock): + (JSC::JSLock::DropAllLocks::DropAllLocks): + (JSC::JSLock::DropAllLocks::~DropAllLocks): + * runtime/JSLock.h: + * runtime/PropertyMapHashTable.h: + (JSC::PropertyTable::find): + (JSC::PropertyTable::get): + (JSC::PropertyTable::findWithString): + * runtime/PropertyName.h: + (JSC::PropertyName::PropertyName): + * runtime/PropertyNameArray.cpp: + (JSC::PropertyNameArray::add): + * runtime/VM.cpp: + (JSC::VM::VM): + (JSC::VM::~VM): + * runtime/VM.h: + (JSC::VM::atomicStringTable): + +2014-03-20 Gavin Barraclough + + Merge AtomicString, Identifier + https://bugs.webkit.org/show_bug.cgi?id=128624 + + Reviewed by Geoff Garen. + + WTF::StringImpl currently supports two uniquing mechanism - AtomicString and + Identifer - that is one too many. + + Remove Identifier in favour of AtomicString. Identifier had two interesting + mechanisms that we preserve. + + (1) JSC API VMs each get their own string table, switch the string table on + API entry/exit. + (2) JSC caches a pointer to the string table on the VM to avoid a thread + specific access. Adds a new AtomicString::add method to support this. + + * API/JSAPIWrapperObject.mm: + - updated includes. + * JavaScriptCore.xcodeproj/project.pbxproj: + - added IdentifierInlines.h. + * inspector/JSInjectedScriptHostPrototype.cpp: + * inspector/JSJavaScriptCallFramePrototype.cpp: + - updated includes. + * interpreter/CallFrame.h: + (JSC::ExecState::atomicStringTable): + - added, used via AtomicString::add to avoid thread-specific access. + * runtime/ConsolePrototype.cpp: + - updated includes. + * runtime/Identifier.cpp: + (JSC::Identifier::add): + (JSC::Identifier::add8): + - vm->smallStrings.singleCharacterStringRep now returns Atomic strings, use AtomicString::add. + * runtime/Identifier.h: + (JSC::Identifier::Identifier): + - added ASSERTS. + (JSC::Identifier::add): + - vm->smallStrings.singleCharacterStringRep now returns Atomic strings, use AtomicString::add. + * runtime/IdentifierInlines.h: Added. + (JSC::Identifier::add): + - moved from Identifier.h, use AtomicString::add. + * runtime/JSCInlines.h: + - added IdentifierInlines.h. + * runtime/JSLock.h: + - removed IdentifierTable. + * runtime/PropertyNameArray.cpp: + - updated includes. + * runtime/SmallStrings.cpp: + (JSC::SmallStringsStorage::SmallStringsStorage): + - ensure all single character strings are Atomic. + * runtime/VM.cpp: + (JSC::VM::VM): + - instantiate CommonIdentifiers with the correct AtomicStringTable set on thread data. + * runtime/VM.h: + (JSC::VM::atomicStringTable): + - added, used via AtomicString::add to avoid thread-specific access. + +2014-03-20 Gabor Rapcsanyi + + [ARM64] Fix assembler build issues and add cacheFlush support for Linux + https://bugs.webkit.org/show_bug.cgi?id=130502 + + Reviewed by Michael Saboff. + + Add limits.h for INT_MIN in ARM64Assembler(). Delete shouldBlindForSpecificArch(uintptr_t) + because on ARM64 uint64_t and uintptr_t is the same with GCC and Clang as well. + Add cacheFlush support for Linux. + + * assembler/ARM64Assembler.h: + (JSC::ARM64Assembler::linuxPageFlush): + (JSC::ARM64Assembler::cacheFlush): + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::shouldBlindForSpecificArch): + +2014-03-19 Gavin Barraclough + + https://bugs.webkit.org/show_bug.cgi?id=130494 + EmptyUnique strings are Identifiers/Atomic + + Reviewed by Geoff Garen. + + EmptyUnique strings should set the Identifier/Atomic flag. + + This fixes an unreproducible bug we believe exists in Identifier handling. + Expected behaviour is that while Identifiers may reference EmptyUniques + (StringImpls allocated as UIDs for PrivateNames), these are not created + through the main Identifier constructor, the Identifier flag is not set + on PrivateNames, and we should never lookup EmptyUnique strings in the + IdentifierTable. + + Unfortunately that was happening. Some tables used to implement property + access in the JIT hold StringImpl*s, and turn these back into Identifiers + using the identfiier constructor. Since the code generator will now plant + by-id (cachable) accesses to PrivateNames we can end up passing an + EmptyUnique to Identifier::add, potentially leading to PrivateNames being + uniqued together (though hard to prove, since the hash codes are random). + + * runtime/PropertyName.h: + (JSC::PropertyName::PropertyName): + (JSC::PropertyName::uid): + (JSC::PropertyName::publicName): + (JSC::PropertyName::asIndex): + - PropertyName assumed that PrivateNames are not Identifiers - instead check isEmptyUnique(). + * runtime/Structure.cpp: + (JSC::Structure::getPropertyNamesFromStructure): + - Structure assumed that PrivateNames are not Identifiers - instead check isEmptyUnique(). + +2014-03-19 Filip Pizlo + + Unreviewed, revert the DFGCommon.h change in r165938. It was not intentional. + + * dfg/DFGCommon.h: + +2014-03-19 Mark Hahnenberg + + GC timer should intelligently choose between EdenCollections and FullCollections + https://bugs.webkit.org/show_bug.cgi?id=128261 + + Reviewed by Geoffrey Garen. + + Most of the GCs while browsing the web are due to the GC timer. Currently the GC timer + always does FullCollections. To reduce the impact of the GC timer on the system this patch + changes Heap so that it has two timers, one for each type of collection. The FullCollection + timer is notified at the end of EdenCollections how much the Heap has grown since the last + FullCollection and when somebody notifies the Heap of abandoned memory (which usually wouldn't + be detected by an EdenCollection). + + * CMakeLists.txt: + * GNUmakefile.list.am: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: + * JavaScriptCore.xcodeproj/project.pbxproj: + * heap/EdenGCActivityCallback.cpp: Added. + (JSC::EdenGCActivityCallback::EdenGCActivityCallback): + (JSC::EdenGCActivityCallback::doCollection): + (JSC::EdenGCActivityCallback::lastGCLength): + (JSC::EdenGCActivityCallback::deathRate): + (JSC::EdenGCActivityCallback::gcTimeSlice): + * heap/EdenGCActivityCallback.h: Added. + (JSC::GCActivityCallback::createEdenTimer): + * heap/FullGCActivityCallback.cpp: Added. + (JSC::FullGCActivityCallback::FullGCActivityCallback): + (JSC::FullGCActivityCallback::doCollection): + (JSC::FullGCActivityCallback::lastGCLength): + (JSC::FullGCActivityCallback::deathRate): + (JSC::FullGCActivityCallback::gcTimeSlice): + * heap/FullGCActivityCallback.h: Added. + (JSC::GCActivityCallback::createFullTimer): + * heap/GCActivityCallback.cpp: + (JSC::GCActivityCallback::GCActivityCallback): + (JSC::GCActivityCallback::doWork): + (JSC::GCActivityCallback::scheduleTimer): + (JSC::GCActivityCallback::cancelTimer): + (JSC::GCActivityCallback::didAllocate): + (JSC::GCActivityCallback::willCollect): + (JSC::GCActivityCallback::cancel): + * heap/GCActivityCallback.h: + * heap/Heap.cpp: + (JSC::Heap::Heap): + (JSC::Heap::reportAbandonedObjectGraph): + (JSC::Heap::didAbandon): + (JSC::Heap::collectAllGarbage): + (JSC::Heap::collect): + (JSC::Heap::willStartCollection): + (JSC::Heap::updateAllocationLimits): + (JSC::Heap::didFinishCollection): + (JSC::Heap::setFullActivityCallback): + (JSC::Heap::setEdenActivityCallback): + (JSC::Heap::fullActivityCallback): + (JSC::Heap::edenActivityCallback): + (JSC::Heap::setGarbageCollectionTimerEnabled): + (JSC::Heap::didAllocate): + (JSC::Heap::shouldDoFullCollection): + * heap/Heap.h: + (JSC::Heap::lastFullGCLength): + (JSC::Heap::lastEdenGCLength): + (JSC::Heap::increaseLastFullGCLength): + (JSC::Heap::sizeBeforeLastEdenCollection): + (JSC::Heap::sizeAfterLastEdenCollection): + (JSC::Heap::sizeBeforeLastFullCollection): + (JSC::Heap::sizeAfterLastFullCollection): + * heap/HeapOperation.h: + * heap/HeapStatistics.cpp: + (JSC::HeapStatistics::showObjectStatistics): + * heap/HeapTimer.cpp: + (JSC::HeapTimer::timerDidFire): + * jsc.cpp: + (functionFullGC): + (functionEdenGC): + * runtime/Options.h: + +2014-03-19 Commit Queue + + Unreviewed, rolling out r165926. + https://bugs.webkit.org/show_bug.cgi?id=130488 + + broke the iOS build (Requested by estes on #webkit). + + Reverted changeset: + + "GC timer should intelligently choose between EdenCollections + and FullCollections" + https://bugs.webkit.org/show_bug.cgi?id=128261 + http://trac.webkit.org/changeset/165926 + +2014-03-13 Mark Hahnenberg + + GC timer should intelligently choose between EdenCollections and FullCollections + https://bugs.webkit.org/show_bug.cgi?id=128261 + + Reviewed by Geoffrey Garen. + + Most of the GCs while browsing the web are due to the GC timer. Currently the GC timer + always does FullCollections. To reduce the impact of the GC timer on the system this patch + changes Heap so that it has two timers, one for each type of collection. The FullCollection + timer is notified at the end of EdenCollections how much the Heap has grown since the last + FullCollection and when somebody notifies the Heap of abandoned memory (which wouldn't be + detected by an EdenCollection). + + * heap/GCActivityCallback.cpp: + (JSC::GCActivityCallback::GCActivityCallback): + (JSC::GCActivityCallback::doWork): + (JSC::FullGCActivityCallback::FullGCActivityCallback): + (JSC::FullGCActivityCallback::doCollection): + (JSC::EdenGCActivityCallback::EdenGCActivityCallback): + (JSC::EdenGCActivityCallback::doCollection): + (JSC::GCActivityCallback::scheduleTimer): + (JSC::GCActivityCallback::cancelTimer): + (JSC::GCActivityCallback::didAllocate): + (JSC::GCActivityCallback::willCollect): + (JSC::GCActivityCallback::cancel): + * heap/GCActivityCallback.h: + (JSC::GCActivityCallback::GCActivityCallback): + (JSC::GCActivityCallback::createFullTimer): + (JSC::GCActivityCallback::createEdenTimer): + * heap/Heap.cpp: + (JSC::Heap::Heap): + (JSC::Heap::didAbandon): + (JSC::Heap::willStartCollection): + (JSC::Heap::updateAllocationLimits): + (JSC::Heap::setFullActivityCallback): + (JSC::Heap::setEdenActivityCallback): + (JSC::Heap::fullActivityCallback): + (JSC::Heap::edenActivityCallback): + (JSC::Heap::setGarbageCollectionTimerEnabled): + (JSC::Heap::didAllocate): + * heap/Heap.h: + * heap/HeapTimer.cpp: + (JSC::HeapTimer::timerDidFire): + +2014-03-19 Filip Pizlo + + REGRESSION(r165459): It broke 109 jsc stress test on ARM Thumb2 and Mac 32 bit + https://bugs.webkit.org/show_bug.cgi?id=130134 + + Reviewed by Mark Hahnenberg. + + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): Can't do some optimizations if you don't have a lot of registers. + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::cachedGetById): Move stuff around before going into the IC code to ensure that we give the IC code the invariants it needs. This only happens in case of GetByIdFlush, where we are forced into using weird combinations of registers because the results have to be in t0/t1. + (JSC::DFG::SpeculativeJIT::compile): For a normal GetById, the register allocator should just do the right thing so nobody has to move anything around. + * jit/JITInlineCacheGenerator.cpp: + (JSC::JITGetByIdGenerator::JITGetByIdGenerator): Assert the things we want. + * jit/JITInlineCacheGenerator.h: + * jit/Repatch.cpp: + (JSC::generateGetByIdStub): Remove a previous incomplete hack to try to work around the DFG's problem. + +2014-03-19 Mark Hahnenberg + + Normalize some of the older JSC options + https://bugs.webkit.org/show_bug.cgi?id=128753 + + Reviewed by Michael Saboff. + + * runtime/Options.cpp: + (JSC::Options::initialize): + +2014-03-12 Mark Lam + + Update type of local vars to match the type of String length. + + + Reviewed by Geoffrey Garen. + + * runtime/JSStringJoiner.cpp: + (JSC::JSStringJoiner::join): + +2014-03-18 Filip Pizlo + + Get rid of Flush in SSA + https://bugs.webkit.org/show_bug.cgi?id=130440 + + Reviewed by Sam Weinig. + + This is basically a red patch. We used to use backwards flow for determining what was + flushed, until it became clear that this doesn't make sense. Now the Flush nodes don't + accomplish anything. Keeping them around in SSA can only make things hard. + + * CMakeLists.txt: + * GNUmakefile.list.am: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.xcodeproj/project.pbxproj: + * dfg/DFGBasicBlock.cpp: + (JSC::DFG::BasicBlock::SSAData::SSAData): + * dfg/DFGBasicBlock.h: + * dfg/DFGFlushLivenessAnalysisPhase.cpp: Removed. + * dfg/DFGFlushLivenessAnalysisPhase.h: Removed. + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::dump): + * dfg/DFGPlan.cpp: + (JSC::DFG::Plan::compileInThreadImpl): + * dfg/DFGSSAConversionPhase.cpp: + (JSC::DFG::SSAConversionPhase::run): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileNode): + +2014-03-18 Filip Pizlo + + Unreviewed, fix iOS production build. + + * JavaScriptCore.xcodeproj/project.pbxproj: + +2014-03-18 Michael Saboff + + Update RegExp Tracing code + https://bugs.webkit.org/show_bug.cgi?id=130381 + + Reviewed by Andreas Kling. + + Updated the regular expression tracing code for 8/16 bit JIT as + well as match only entry points. Also added average string length + metric. + + * runtime/RegExp.cpp: + (JSC::RegExp::RegExp): + (JSC::RegExp::match): + (JSC::RegExp::printTraceData): + * runtime/RegExp.h: + * runtime/VM.cpp: + (JSC::VM::addRegExpToTrace): + (JSC::VM::dumpRegExpTrace): + * runtime/VM.h: + * yarr/YarrJIT.h: + (JSC::Yarr::YarrCodeBlock::get8BitMatchOnlyAddr): + (JSC::Yarr::YarrCodeBlock::get16BitMatchOnlyAddr): + (JSC::Yarr::YarrCodeBlock::get8BitMatchAddr): + (JSC::Yarr::YarrCodeBlock::get16BitMatchAddr): + +2014-03-17 Filip Pizlo + + Add CompareStrictEq(StringIdent:, NotStringVar:) and CompareStrictEq(String:, Untyped:) + https://bugs.webkit.org/show_bug.cgi?id=130300 + + Reviewed by Mark Hahnenberg. + + We can quickly strictly compare StringIdent's to NotStringVar's and String's to Untyped's. + This makes the DFG aware of this. + + Also adds StringIdent-to-StringIdent and StringIdent-to-NotStringVar strict comparisons to + the FTL. Also adds StringIdent-to-StringIdent non-strict comparisons to the FTL. + + This also gives the DFG some abstractions for checking something is a cell or is other. + This made this patch easier to write and also simplified a bunch of other stuff. + + 1% speed-up on Octane. + + * assembler/AbstractMacroAssembler.h: + (JSC::AbstractMacroAssembler::JumpList::JumpList): + * bytecode/SpeculatedType.h: + (JSC::isNotStringVarSpeculation): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGNode.h: + (JSC::DFG::Node::childFor): + (JSC::DFG::Node::shouldSpeculateNotStringVar): + * dfg/DFGSafeToExecute.h: + (JSC::DFG::SafeToExecuteEdge::operator()): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileIn): + (JSC::DFG::SpeculativeJIT::compileValueToInt32): + (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject): + (JSC::DFG::SpeculativeJIT::compileInstanceOf): + (JSC::DFG::SpeculativeJIT::compileStrictEq): + (JSC::DFG::SpeculativeJIT::compileBooleanCompare): + (JSC::DFG::SpeculativeJIT::compileStringEquality): + (JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality): + (JSC::DFG::SpeculativeJIT::compileStringIdentEquality): + (JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality): + (JSC::DFG::SpeculativeJIT::compileStringZeroLength): + (JSC::DFG::SpeculativeJIT::speculateObjectOrOther): + (JSC::DFG::SpeculativeJIT::speculateString): + (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage): + (JSC::DFG::SpeculativeJIT::speculateNotStringVar): + (JSC::DFG::SpeculativeJIT::speculateNotCell): + (JSC::DFG::SpeculativeJIT::speculateOther): + (JSC::DFG::SpeculativeJIT::speculate): + (JSC::DFG::SpeculativeJIT::emitSwitchChar): + (JSC::DFG::SpeculativeJIT::emitSwitchString): + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::blessedBooleanResult): + (JSC::DFG::SpeculativeJIT::unblessedBooleanResult): + (JSC::DFG::SpeculativeJIT::booleanResult): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull): + (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): + (JSC::DFG::SpeculativeJIT::emitCall): + (JSC::DFG::SpeculativeJIT::fillSpeculateCell): + (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality): + (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): + (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): + (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): + (JSC::DFG::SpeculativeJIT::compile): + (JSC::DFG::branchIsCell): + (JSC::DFG::branchNotCell): + (JSC::DFG::SpeculativeJIT::branchIsOther): + (JSC::DFG::SpeculativeJIT::branchNotOther): + (JSC::DFG::SpeculativeJIT::moveTrueTo): + (JSC::DFG::SpeculativeJIT::moveFalseTo): + (JSC::DFG::SpeculativeJIT::blessBoolean): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull): + (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): + (JSC::DFG::SpeculativeJIT::fillSpeculateCell): + (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality): + (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): + (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): + (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): + (JSC::DFG::SpeculativeJIT::compile): + (JSC::DFG::SpeculativeJIT::writeBarrier): + (JSC::DFG::SpeculativeJIT::branchIsCell): + (JSC::DFG::SpeculativeJIT::branchNotCell): + (JSC::DFG::SpeculativeJIT::branchIsOther): + (JSC::DFG::SpeculativeJIT::branchNotOther): + (JSC::DFG::SpeculativeJIT::moveTrueTo): + (JSC::DFG::SpeculativeJIT::moveFalseTo): + (JSC::DFG::SpeculativeJIT::blessBoolean): + * dfg/DFGUseKind.cpp: + (WTF::printInternal): + * dfg/DFGUseKind.h: + (JSC::DFG::typeFilterFor): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq): + (JSC::FTL::LowerDFGToLLVM::lowString): + (JSC::FTL::LowerDFGToLLVM::lowStringIdent): + (JSC::FTL::LowerDFGToLLVM::speculate): + (JSC::FTL::LowerDFGToLLVM::speculateString): + (JSC::FTL::LowerDFGToLLVM::speculateStringIdent): + (JSC::FTL::LowerDFGToLLVM::speculateNotStringVar): + * runtime/JSCJSValue.h: + * tests/stress/string-ident-to-not-string-var-equality.js: Added. + (foo): + (bar): + (test): + +2014-03-18 Joseph Pecoraro + + Add Copyright to framework.sb + https://bugs.webkit.org/show_bug.cgi?id=130413 + + Reviewed by Timothy Hatcher. + + Other sb files got the copyright. Follow suit. + + * framework.sb: + +2014-03-18 Matthew Mirman + + Removed extra parens from if statement in a preprocessor define. + https://bugs.webkit.org/show_bug.cgi?id=130408 + + Reviewed by Filip Pizlo. + + * parser/Parser.cpp: + +2014-03-18 Filip Pizlo + + More FTL enabling. + + Rubber stamped by Dan Bernstein and Mark Hahnenberg. + + * Configurations/FeatureDefines.xcconfig: + * ftl/FTLCompile.cpp: + (JSC::FTL::compile): + +2014-03-17 Michael Saboff + + V8 regexp spends most of its time in operationGetById + https://bugs.webkit.org/show_bug.cgi?id=130380 + + Reviewed by Filip Pizlo. + + Added String.length case to tryCacheGetByID that will only help the BaseLine JIT. + When V8 regexp is run from the command line, this nets a 2% performance improvement. + When the test is run for a longer amount of time, there is much less benefit as the + DFG will emit the appropriate code for String.length. This does remove + operationGetById as the hottest function whne run from the command line. + + * jit/Repatch.cpp: + (JSC::tryCacheGetByID): + +2014-03-17 Andreas Kling + + Add one-deep cache to opaque roots hashset. + + + The vast majority of WebCore JS wrappers will have their Document* + as the root(). This change adds a simple optimization where we cache + the last lookup and avoid going to the hashset for repeated queries. + + Looks like 0.4% progression on DYEB on my MBP. + + Reviewed by Mark Hahnenberg. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * heap/OpaqueRootSet.h: Added. + (JSC::OpaqueRootSet::OpaqueRootSet): + (JSC::OpaqueRootSet::contains): + (JSC::OpaqueRootSet::isEmpty): + (JSC::OpaqueRootSet::clear): + (JSC::OpaqueRootSet::add): + (JSC::OpaqueRootSet::size): + (JSC::OpaqueRootSet::begin): + (JSC::OpaqueRootSet::end): + * heap/SlotVisitor.h: + +2014-03-17 Tibor Meszaros + + Implement Math.hypot + https://bugs.webkit.org/show_bug.cgi?id=129486 + + Reviewed by Darin Adler. + + * runtime/MathObject.cpp: + (JSC::MathObject::finishCreation): + (JSC::mathProtoFuncHypot): + +2014-03-17 Zsolt Borbely + + Fix the !ENABLE(PROMISES) build + https://bugs.webkit.org/show_bug.cgi?id=130328 + + Reviewed by Darin Adler. + + Add missing ENABLE(PROMISES) guards. + + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::reset): + (JSC::JSGlobalObject::visitChildren): + * runtime/JSGlobalObject.h: + * runtime/JSPromiseDeferred.cpp: + * runtime/JSPromiseDeferred.h: + * runtime/JSPromiseReaction.cpp: + * runtime/JSPromiseReaction.h: + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + +2014-03-16 Andreas Kling + + REGRESSION(r165703): JSC tests crashing in StringImpl::destroy(). + + + Reviewed by Anders Carlsson. + + Unreviewed, restoring the old behavior of OpaqueJSString::identifier() + that doesn't put a potentially unwanted string into the Identifier table. + + * API/OpaqueJSString.cpp: + (OpaqueJSString::identifier): + +2014-03-16 Brian Burg + + Web Inspector: generated backend commands should reflect build system ENABLE settings + https://bugs.webkit.org/show_bug.cgi?id=130111 + + Reviewed by Timothy Hatcher. + + * CMakeLists.txt: + + Combine only the Inspector domains listed in INSPECTOR_DOMAINS, + instead of globbing any .json file. + + * DerivedSources.make: + + Force the combined inspector protocol file to be regenerated if + the content or list of domains itself changes. + +2014-03-16 Brian Burg + + Web Inspector: vended backend commands file should be generated as part of the build + https://bugs.webkit.org/show_bug.cgi?id=130110 + + Reviewed by Timothy Hatcher. + + * JavaScriptCore.xcodeproj/project.pbxproj: Copy InspectorJSBackendCommands.js to the + private headers directory. + +2014-03-16 Darin Adler + + Remove all uses of deprecatedCharacters from JavaScriptCore + https://bugs.webkit.org/show_bug.cgi?id=130304 + + Reviewed by Anders Carlsson. + + * API/JSValueRef.cpp: + (JSValueMakeFromJSONString): Use characters16 in the 16-bit code path. + * API/OpaqueJSString.cpp: + (OpaqueJSString::~OpaqueJSString): Use characters 16 in the 16-bit code path. + (OpaqueJSString::identifier): Get rid of custom Identifier constructor, and + juse use the standard one that takes a String. + (OpaqueJSString::characters): Use getCharactersWithUpconvert instead of a + hand-written alternative. + + * bindings/ScriptValue.cpp: + (Deprecated::jsToInspectorValue): Create InspectorString from String directly + instead of involving a character pointer. Use the String from Identifier + directly instead of making a new String. + + * inspector/ContentSearchUtilities.cpp: + (Inspector::ContentSearchUtilities::createSearchRegexSource): Use StringBuilder + instead of building a String a character at a time. This is still a very slow + way to do this. Also use strchr to search for a character instead of building + a String every time just to use find on it. + + * inspector/InspectorValues.cpp: + (Inspector::doubleQuoteString): Remove unnecessary trip through a + character pointer. This is still a really slow way to do this. + (Inspector::InspectorValue::parseJSON): Use StringView::upconvertedCharacters + instead of String::deprecatedCharacters. Still slow to always upconvert. + + * runtime/DateConstructor.cpp: Removed unneeded include. + * runtime/DatePrototype.cpp: Ditto. + + * runtime/Identifier.h: Removed deprecatedCharacters function. + + * runtime/JSGlobalObjectFunctions.cpp: + (JSC::encode): Added a type cast to avoid ambiguity with the two character- + appending functions from JSStringBuilder. Removed unneeded code duplicating + what JSStringBuilder already does in its character append function. + (JSC::decode): Deleted code that creates a JSStringBuilder that is never used. + (JSC::parseIntOverflow): Changed lengths to unsigned. Made only the overload that + is used outside this file have external linkage. Added a new overload that takes + a StringView. + (JSC::parseInt): Use StringView::substring to call parseIntOverflow. + (JSC::globalFuncEscape): Use JSBuilder::append in a more efficient way for a + single character. + + * runtime/JSGlobalObjectFunctions.h: Removed unused overloads of parseIntOverflow. + + * runtime/JSStringBuilder.h: Marked this "lightly deprecated". + (JSC::JSStringBuilder::append): Overloaded for better speed with 8-bit characters. + Made one overload private. Fixed a performance bug where we would reserve capacity + in the 8-bit buffer but then append to the 16-bit buffer. + + * runtime/ObjectPrototype.cpp: Removed unneeded include. + + * runtime/StringPrototype.cpp: + (JSC::stringProtoFuncFontsize): Use StringView::getCharactersWithUpconvert. + (JSC::stringProtoFuncLink): Ditto. + +2014-03-15 Filip Pizlo + + FTL ArrayifyToStructure shouldn't fail every time that it actually arrayifies + https://bugs.webkit.org/show_bug.cgi?id=130296 + + Reviewed by Andreas Kling. + + During the 32-bit structure ID work, the second load of the structure was removed. + That's wrong. The whole point of loading the structure ID again is that the structure + ID would have been changed by the arrayification call, and we're verifying that the + arrayification succeeded in changing the structure. If we check the old structure - as + the code was doing after the 32-bit structure ID work - then this check is guaranteed + to fail, causing a significant performance regression. + + It's actually amazing that the regression wasn't bigger. The reason is that if FTL + code pathologically exits but the equivalent DFG code doesn't, then the exponential + backoff almost perfectly guarantees that we just end up in the DFG. For this code, at + the time at least, the DFG wasn't much slower so this didn't cause too much pain. + + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure): + +2014-03-15 Filip Pizlo + + FTL should support CheckHasInstance/InstanceOf + https://bugs.webkit.org/show_bug.cgi?id=130285 + + Reviewed by Sam Weinig. + + Fairly straightforward; I also discovered an inaccurate FIXME in the process. + + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * ftl/FTLAbstractHeapRepository.h: + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileNode): + (JSC::FTL::LowerDFGToLLVM::compileCheckHasInstance): + (JSC::FTL::LowerDFGToLLVM::compileInstanceOf): + * ftl/FTLOutput.h: + (JSC::FTL::Output::phi): + * tests/stress/instanceof.js: Added. + * tests/stress/instanceof-not-cell.js: Added. + +2014-03-15 Michael Saboff + + It should be possible to adjust DFG and FTL compiler thread priorities + https://bugs.webkit.org/show_bug.cgi?id=130288 + + Reviewed by Filip Pizlo. + + Added ability to change thread priorities relative to its current priority. + Created options to adjust the priority of the DFG and FTL compilation work thread + pools. For two core systems, there might be three runnable threads, the main thread, + the DFG compilation thread and the FTL compilation thread. With the same priority, + the scheduler is free to schedule whatever thread it wants. By lowering the + compilation threads, the main thread can run. Further tests may suggest better values + for the new options, priorityDeltaOfDFGCompilerThreads and priorityDeltaOfFTLCompilerThreads. + + For a two-core device, this change has a net positive improvement of 1-3% across + SunSpider, Octane, Kraken and AsmBench. + + * dfg/DFGWorklist.cpp: + (JSC::DFG::Worklist::finishCreation): + (JSC::DFG::Worklist::create): + (JSC::DFG::ensureGlobalDFGWorklist): + (JSC::DFG::ensureGlobalFTLWorklist): + * dfg/DFGWorklist.h: + * runtime/Options.cpp: + (JSC::computePriorityDeltaOfWorkerThreads): + * runtime/Options.h: + +2014-03-15 David Kilzer + + [iOS] Define SYSTEM_VERSION_PREFIX consistently + + + + Reviewed by Dan Bernstein. + + * Configurations/Version.xcconfig: + (SYSTEM_VERSION_PREFIX_iphoneos): Sync with + Source/WebKit/mac/Version.xcconfig. + +2014-03-15 David Kilzer + + Fix build: using integer absolute value function 'abs' when argument is of floating point type + + + Reviewed by Filip Pizlo. + + Fixes the following build failure using trunk clang: + + JavaScriptCore/assembler/MacroAssembler.h:992:17: error: using integer absolute value function 'abs' when argument is of floating point type [-Werror,-Wabsolute-value] + value = abs(value); + ^ + JavaScriptCore/assembler/MacroAssembler.h:992:17: note: use function 'fabs' instead + value = abs(value); + ^~~ + fabs + + * assembler/MacroAssembler.h: + (JSC::MacroAssembler::shouldBlindDouble): Switch from abs() to + fabs(). + +2014-03-14 Oliver Hunt + + Reinstate intialiser syntax in for-in loops + https://bugs.webkit.org/show_bug.cgi?id=130269 + + Reviewed by Michael Saboff. + + Disallowing the initialiser broke some sites so this patch re-allows + the syntax. We still disallow the syntax in 'of' and pattern based + enumeration. + + * parser/ASTBuilder.h: + (JSC::ASTBuilder::isBindingNode): + * parser/Parser.cpp: + (JSC::Parser::parseVarDeclarationList): + (JSC::Parser::parseForStatement): + * parser/SyntaxChecker.h: + (JSC::SyntaxChecker::operatorStackPop): + +2014-03-14 Mark Lam + + Accessing __lookupGetter__ and __lookupSetter__ should not crash the VM when undefined. + + + Reviewed by Filip Pizlo. + + If neither the getter nor setter are defined, accessing __lookupGetter__ + and __lookupSetter__ will return undefined as expected. However, if the + getter is defined but the setter is not, accessing __lookupSetter__ will + crash the VM. Similarly, accessing __lookupGetter__ when only the setter + is defined will crash the VM. + + The reason is because objectProtoFuncLookupGetter() and + objectProtoFuncLookupSetter() did not check if the getter and setter + value is non-null before returning it as an EncodedJSValue. The fix is + to add the appropriate null checks. + + * runtime/ObjectPrototype.cpp: + (JSC::objectProtoFuncLookupGetter): + (JSC::objectProtoFuncLookupSetter): + +2014-03-14 Mark Rowe + + Fix the production build. + + Don't rely on USE_INTERNAL_SDK being set for the Production configuration since UseInternalSDK.xcconfig won't + be at the expected relative path when working from installed source. + + * Configurations/Base.xcconfig: + +2014-03-14 Maciej Stachowiak + + Replace "Apple Computer, Inc." with "Apple Inc." in copyright headers + https://bugs.webkit.org/show_bug.cgi?id=130276 + + + Reviewed by Simon Fraser. + + * API/APICast.h: + * API/JSBase.cpp: + * API/JSBase.h: + * API/JSBasePrivate.h: + * API/JSCallbackConstructor.cpp: + * API/JSCallbackConstructor.h: + * API/JSCallbackFunction.cpp: + * API/JSCallbackFunction.h: + * API/JSCallbackObject.cpp: + * API/JSCallbackObject.h: + * API/JSCallbackObjectFunctions.h: + * API/JSClassRef.cpp: + * API/JSClassRef.h: + * API/JSContextRef.cpp: + * API/JSContextRef.h: + * API/JSContextRefPrivate.h: + * API/JSObjectRef.cpp: + * API/JSObjectRef.h: + * API/JSProfilerPrivate.cpp: + * API/JSProfilerPrivate.h: + * API/JSRetainPtr.h: + * API/JSStringRef.cpp: + * API/JSStringRef.h: + * API/JSStringRefBSTR.cpp: + * API/JSStringRefBSTR.h: + * API/JSStringRefCF.cpp: + * API/JSStringRefCF.h: + * API/JSValueRef.cpp: + * API/JSValueRef.h: + * API/JavaScript.h: + * API/JavaScriptCore.h: + * API/OpaqueJSString.cpp: + * API/OpaqueJSString.h: + * API/tests/JSNode.c: + * API/tests/JSNode.h: + * API/tests/JSNodeList.c: + * API/tests/JSNodeList.h: + * API/tests/Node.c: + * API/tests/Node.h: + * API/tests/NodeList.c: + * API/tests/NodeList.h: + * API/tests/minidom.c: + * API/tests/minidom.js: + * API/tests/testapi.c: + * API/tests/testapi.js: + * DerivedSources.make: + * bindings/ScriptValue.cpp: + * bytecode/CodeBlock.cpp: + * bytecode/CodeBlock.h: + * bytecode/EvalCodeCache.h: + * bytecode/Instruction.h: + * bytecode/JumpTable.cpp: + * bytecode/JumpTable.h: + * bytecode/Opcode.cpp: + * bytecode/Opcode.h: + * bytecode/SamplingTool.cpp: + * bytecode/SamplingTool.h: + * bytecode/SpeculatedType.cpp: + * bytecode/SpeculatedType.h: + * bytecode/ValueProfile.h: + * bytecompiler/BytecodeGenerator.cpp: + * bytecompiler/BytecodeGenerator.h: + * bytecompiler/Label.h: + * bytecompiler/LabelScope.h: + * bytecompiler/RegisterID.h: + * debugger/DebuggerCallFrame.cpp: + * debugger/DebuggerCallFrame.h: + * dfg/DFGDesiredStructureChains.cpp: + * dfg/DFGDesiredStructureChains.h: + * heap/GCActivityCallback.cpp: + * heap/GCActivityCallback.h: + * inspector/ConsoleMessage.cpp: + * inspector/ConsoleMessage.h: + * inspector/IdentifiersFactory.cpp: + * inspector/IdentifiersFactory.h: + * inspector/InjectedScriptManager.cpp: + * inspector/InjectedScriptManager.h: + * inspector/InjectedScriptSource.js: + * inspector/ScriptBreakpoint.h: + * inspector/ScriptDebugListener.h: + * inspector/ScriptDebugServer.cpp: + * inspector/ScriptDebugServer.h: + * inspector/agents/InspectorAgent.cpp: + * inspector/agents/InspectorAgent.h: + * inspector/agents/InspectorDebuggerAgent.cpp: + * inspector/agents/InspectorDebuggerAgent.h: + * interpreter/Interpreter.cpp: + * interpreter/Interpreter.h: + * interpreter/JSStack.cpp: + * interpreter/JSStack.h: + * interpreter/Register.h: + * jit/CompactJITCodeMap.h: + * jit/JITStubs.cpp: + * jit/JITStubs.h: + * jit/JITStubsARM.h: + * jit/JITStubsARMv7.h: + * jit/JITStubsX86.h: + * jit/JITStubsX86_64.h: + * os-win32/stdbool.h: + * parser/SourceCode.h: + * parser/SourceProvider.h: + * profiler/LegacyProfiler.cpp: + * profiler/LegacyProfiler.h: + * profiler/ProfileNode.cpp: + * profiler/ProfileNode.h: + * runtime/ArrayBufferView.cpp: + * runtime/ArrayBufferView.h: + * runtime/BatchedTransitionOptimizer.h: + * runtime/CallData.h: + * runtime/ConstructData.h: + * runtime/DumpContext.cpp: + * runtime/DumpContext.h: + * runtime/ExceptionHelpers.cpp: + * runtime/ExceptionHelpers.h: + * runtime/InitializeThreading.cpp: + * runtime/InitializeThreading.h: + * runtime/IntegralTypedArrayBase.h: + * runtime/IntendedStructureChain.cpp: + * runtime/IntendedStructureChain.h: + * runtime/JSActivation.cpp: + * runtime/JSActivation.h: + * runtime/JSExportMacros.h: + * runtime/JSGlobalObject.cpp: + * runtime/JSNotAnObject.cpp: + * runtime/JSNotAnObject.h: + * runtime/JSPropertyNameIterator.cpp: + * runtime/JSPropertyNameIterator.h: + * runtime/JSSegmentedVariableObject.cpp: + * runtime/JSSegmentedVariableObject.h: + * runtime/JSSymbolTableObject.cpp: + * runtime/JSSymbolTableObject.h: + * runtime/JSTypeInfo.h: + * runtime/JSVariableObject.cpp: + * runtime/JSVariableObject.h: + * runtime/PropertyTable.cpp: + * runtime/PutPropertySlot.h: + * runtime/SamplingCounter.cpp: + * runtime/SamplingCounter.h: + * runtime/Structure.cpp: + * runtime/Structure.h: + * runtime/StructureChain.cpp: + * runtime/StructureChain.h: + * runtime/StructureInlines.h: + * runtime/StructureTransitionTable.h: + * runtime/SymbolTable.cpp: + * runtime/SymbolTable.h: + * runtime/TypedArrayBase.h: + * runtime/TypedArrayType.cpp: + * runtime/TypedArrayType.h: + * runtime/VM.cpp: + * runtime/VM.h: + * yarr/RegularExpression.cpp: + * yarr/RegularExpression.h: + +2014-03-14 Filip Pizlo + + Final FTL iOS build magic + https://bugs.webkit.org/show_bug.cgi?id=130281 + + Reviewed by Michael Saboff. + + * Configurations/Base.xcconfig: For now our LLVM headers are in /usr/local/LLVMForJavaScriptCore/include, which is the same as OS X. + * Configurations/LLVMForJSC.xcconfig: We need to be more careful about how we specify library paths if we want to get the prioritzation right. Also we need protobuf because things. :-/ + +2014-03-14 Joseph Pecoraro + + Web Inspector: Gracefully handle nil name -[JSContext setName:] + https://bugs.webkit.org/show_bug.cgi?id=130262 + + Reviewed by Mark Hahnenberg. + + * API/JSContext.mm: + (-[JSContext setName:]): + Gracefully handle nil input. + + * API/tests/testapi.c: + (globalContextNameTest): + * API/tests/testapi.mm: + Test for nil / NULL names in the ObjC and C APIs. + +2014-03-11 Oliver Hunt + + Improve dom error messages + https://bugs.webkit.org/show_bug.cgi?id=130103 + + Reviewed by Andreas Kling. + + Add new helper function. + + * runtime/Error.h: + (JSC::throwVMTypeError): + +2014-03-14 László Langó + + Remove unused method declaration. + https://bugs.webkit.org/show_bug.cgi?id=130238 + + Reviewed by Filip Pizlo. + + The implementation of CallFrame::dumpCaller was removed in + http://trac.webkit.org/changeset/153183, but the declaration of it was not. + + * interpreter/CallFrame.h: + Remove CallFrame::dumpCaller() method declaration. + +2014-03-12 Sergio Villar Senin + + Rename DEFINE_STATIC_LOCAL to DEPRECATED_DEFINE_STATIC_LOCAL + https://bugs.webkit.org/show_bug.cgi?id=129612 + + Reviewed by Darin Adler. + + For new code use static NeverDestroyed instead. + + * API/JSAPIWrapperObject.mm: + (jsAPIWrapperObjectHandleOwner): + * API/JSManagedValue.mm: + (managedValueHandleOwner): + * inspector/agents/InspectorDebuggerAgent.cpp: + (Inspector::objectGroupForBreakpointAction): + * inspector/scripts/CodeGeneratorInspectorStrings.py: + * interpreter/JSStack.cpp: + (JSC::stackStatisticsMutex): + * jit/ExecutableAllocator.cpp: + (JSC::DemandExecutableAllocator::allocators): + +2014-03-12 Gavin Barraclough + + Reduce memory use for static property maps + https://bugs.webkit.org/show_bug.cgi?id=129986 + + Reviewed by Andreas Kling. + + Static property tables are currently duplicated on first use from read-only memory into dirty memory + in every process, and since the entries are large (48 bytes) and the tables can be unusually sparse + (we use a custom hash table without a rehash) a lot of memory may be wasted. + + First, reduce the size of the hashtable. Instead of storing values in the table the hashtable maps + from string hashes to indicies into a densely packed array of values. Compute the index table at + compile time as a part of the derived sources step, such that this may be read-only data. + + Second, don't copy all data from the HashTableValue array into a HashEntry objects. Instead refer + directly to the HashTableValue entries. The only data that needs to be allocated at runtime are the + keys, which are Identifiers. + + * create_hash_table: + - emit the hash table index into the derived source (we were calculating this already to ensure chaining does not get too deep). + * parser/Lexer.cpp: + (JSC::Lexer::parseIdentifier): + (JSC::Lexer::parseIdentifier): + (JSC::Lexer::parseIdentifierSlowCase): + - HashEntry -> HashTableValue. + * parser/Lexer.h: + (JSC::Keywords::getKeyword): + - HashEntry -> HashTableValue. + * runtime/ClassInfo.h: + - removed HashEntry. + * runtime/JSObject.cpp: + (JSC::getClassPropertyNames): + - use HashTable::ConstIterator. + (JSC::JSObject::put): + (JSC::JSObject::deleteProperty): + (JSC::JSObject::findPropertyHashEntry): + - HashEntry -> HashTableValue. + (JSC::JSObject::reifyStaticFunctionsForDelete): + - changed HashTable::ConstIterator interface. + * runtime/JSObject.h: + - HashEntry -> HashTableValue. + * runtime/Lookup.cpp: + (JSC::HashTable::createTable): + - table -> keys, keys array is now densely packed. + (JSC::HashTable::deleteTable): + - table -> keys. + (JSC::setUpStaticFunctionSlot): + - HashEntry -> HashTableValue. + * runtime/Lookup.h: + (JSC::HashTableValue::builtinGenerator): + (JSC::HashTableValue::function): + (JSC::HashTableValue::functionLength): + (JSC::HashTableValue::propertyGetter): + (JSC::HashTableValue::propertyPutter): + (JSC::HashTableValue::lexerValue): + - added accessor methods from HashEntry. + (JSC::HashTable::copy): + - fields changed. + (JSC::HashTable::initializeIfNeeded): + - table -> keys. + (JSC::HashTable::entry): + - HashEntry -> HashTableValue. + (JSC::HashTable::ConstIterator::ConstIterator): + - iterate packed value array, so no need to skipInvalidKeys(). + (JSC::HashTable::ConstIterator::value): + (JSC::HashTable::ConstIterator::key): + (JSC::HashTable::ConstIterator::operator->): + - accessors now get HashTableValue/StringImpl* separately. + (JSC::HashTable::ConstIterator::operator++): + - iterate packed value array, so no need to skipInvalidKeys(). + (JSC::HashTable::end): + - end is now size of dense not sparse array. + (JSC::getStaticPropertySlot): + (JSC::getStaticFunctionSlot): + (JSC::getStaticValueSlot): + (JSC::putEntry): + (JSC::lookupPut): + - HashEntry -> HashTableValue. + +2014-03-13 Filip Pizlo + + Unreviewed, fix Mac no-FTL build. + + * llvm/library/LLVMExports.cpp: + (initializeAndGetJSCLLVMAPI): + +2014-03-13 Juergen Ributzka + + Only export initializeAndGetJSCLLVMAPI from libllvmForJSC.dylib + https://bugs.webkit.org/show_bug.cgi?id=130224 + + Reviewed by Filip Pizlo. + + This limits the exported symbols to only initializeAndGetJSCLLVMAPI from + the LLVM dylib. This allows the dylib to be safely used with other LLVM + dylibs on the same system. It also reduces the dynamic linking overhead + and also reduces the size by 6MB, because the linker can now dead strip + many unused functions. + + * Configurations/LLVMForJSC.xcconfig: + +2014-03-13 Andreas Kling + + VM::discardAllCode() should clear the RegExp cache. + + + Reviewed by Michael Saboff. + + * runtime/VM.cpp: + (JSC::VM::discardAllCode): + +2014-03-13 Andreas Kling + + Revert "Short-circuit JSGlobalObjectInspectorController when not inspecting." + + + This code path is not taken anymore on DYEB, and I can't explain why + it was showing up in my profiles. Backing it out per JoePeck's suggestion. + + * inspector/JSGlobalObjectInspectorController.cpp: + (Inspector::JSGlobalObjectInspectorController::reportAPIException): + +2014-03-13 Filip Pizlo + + FTL should support IsBlah + https://bugs.webkit.org/show_bug.cgi?id=130202 + + Reviewed by Geoffrey Garen. + + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLIntrinsicRepository.h: + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileNode): + (JSC::FTL::LowerDFGToLLVM::compileIsUndefined): + (JSC::FTL::LowerDFGToLLVM::compileIsBoolean): + (JSC::FTL::LowerDFGToLLVM::compileIsNumber): + (JSC::FTL::LowerDFGToLLVM::compileIsString): + (JSC::FTL::LowerDFGToLLVM::compileIsObject): + (JSC::FTL::LowerDFGToLLVM::compileIsFunction): + (JSC::FTL::LowerDFGToLLVM::compileStoreBarrier): + (JSC::FTL::LowerDFGToLLVM::compileStoreBarrierWithNullCheck): + (JSC::FTL::LowerDFGToLLVM::isNotCellOrMisc): + (JSC::FTL::LowerDFGToLLVM::isNumber): + (JSC::FTL::LowerDFGToLLVM::isNotNumber): + (JSC::FTL::LowerDFGToLLVM::isBoolean): + * ftl/FTLOSRExitCompiler.cpp: + * tests/stress/is-undefined-exit-on-masquerader.js: Added. + (bar): + (foo): + (test): + * tests/stress/is-undefined-jettison-on-masquerader.js: Added. + (foo): + (test): + * tests/stress/is-undefined-masquerader.js: Added. + (foo): + (test): + +2014-03-13 Mark Lam + + JS benchmarks crash with a bus error on 32-bit x86. + + + Reviewed by Geoffrey Garen. + + The issue is that generateGetByIdStub() can potentially use the same register + for the JSValue base register and the target tag register. After loading the + tag value into the target tag register, the JSValue base address is lost. + The code then proceeds to load the payload value using the base register, and + this results in a crash. + + The fix is to check if the base register is the same as the target tag register. + If so, we should make a copy the base register first before loading the tag + value, and use the copy to load the payload value instead. + + * jit/Repatch.cpp: + (JSC::generateGetByIdStub): + +2014-03-12 Filip Pizlo + + WebKit shouldn't crash on uniprocessor machines + https://bugs.webkit.org/show_bug.cgi?id=130176 + + Reviewed by Michael Saboff. + + Previously the math for computing the number of JIT compiler threads would come up with + zero threads on uniprocessor machines, and then the Worklist code would assert. + + * runtime/Options.cpp: + (JSC::computeNumberOfWorkerThreads): + * runtime/Options.h: + +2014-03-13 Radu Stavila + + Webkit not building on XCode 5.1 due to garbage collection no longer being supported + https://bugs.webkit.org/show_bug.cgi?id=130087 + + Reviewed by Mark Rowe. + + Disable garbage collection on macosx when not using internal SDK. + + * Configurations/Base.xcconfig: + +2014-03-10 Darin Adler + + Avoid copy-prone idiom "for (auto item : collection)" + https://bugs.webkit.org/show_bug.cgi?id=129990 + + Reviewed by Geoffrey Garen. + + * heap/CodeBlockSet.h: + (JSC::CodeBlockSet::iterate): Use auto& to be sure we don't copy by accident. + * inspector/ScriptDebugServer.cpp: + (Inspector::ScriptDebugServer::dispatchBreakpointActionLog): Use auto* to + make explicit that we are iterating through pointers. + (Inspector::ScriptDebugServer::dispatchBreakpointActionSound): Ditto. + (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe): Ditto. + * inspector/agents/InspectorDebuggerAgent.cpp: + (Inspector::InspectorDebuggerAgent::removeBreakpoint): Use auto&, and also + get rid of an unneeded local variable. + +2014-03-13 Brian Burg + + Web Inspector: Remove unused callId parameter from evaluateInWebInspector + https://bugs.webkit.org/show_bug.cgi?id=129744 + + Reviewed by Timothy Hatcher. + + * inspector/agents/InspectorAgent.cpp: + (Inspector::InspectorAgent::enable): + (Inspector::InspectorAgent::evaluateForTestInFrontend): + * inspector/agents/InspectorAgent.h: + * inspector/protocol/InspectorDomain.json: + +2014-03-11 Filip Pizlo + + ASSERTION FAILED: node->op() == Phi || node->op() == SetArgument + https://bugs.webkit.org/show_bug.cgi?id=130069 + + Reviewed by Geoffrey Garen. + + This was a great assertion, and it represents our strictest interpretation of the rules of + our intermediate representation. However, fixing DCE to actually preserve the relevant + property would be hard, and it wouldn't have an observable effect right now because nobody + actually uses the propery of CPS that this assertion is checking for. + + In particular, we do always require, and rely on, the fact that non-captured variables + have variablesAtTail refer to the last interesting use of the variable: a SetLocal if the + block assigns to the variable, a GetLocal if it only reads from it, and a Flush, + PhantomLocal, or Phi otherwise. We do preserve this property successfully and DCE was not + broken in this regard. But, in the strictest sense, CPS also means that for captured + variables, variablesAtTail also continues to point to the last relevant use of the + variable. In particular, if there are multiple GetLocals, then it should point to the last + one. This is hard for DCE to preserve. Also, nobody relies on variablesAtTail for captured + variables, except to check the VariableAccessData; but in that case, we don't really need + the *last* relevant use of the variable - any node that mentions the same variable will do + just fine. + + So, this change loosens the assertion and adds a detailed FIXME describing what we would + have to do if we wanted to preserve the more strict property. + + This also makes changes to various debug printing paths so that validation doesn't crash + during graph dump. This also adds tests for the interesting cases of DCE failing to + preserve CPS in the strictest sense. This also attempts to win the record for longest test + name. + + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::hashAsStringIfPossible): + (JSC::CodeBlock::dumpAssumingJITType): + * bytecode/CodeBlock.h: + * bytecode/CodeOrigin.cpp: + (JSC::InlineCallFrame::hashAsStringIfPossible): + (JSC::InlineCallFrame::dumpBriefFunctionInformation): + * bytecode/CodeOrigin.h: + * dfg/DFGCPSRethreadingPhase.cpp: + (JSC::DFG::CPSRethreadingPhase::run): + * dfg/DFGDCEPhase.cpp: + (JSC::DFG::DCEPhase::cleanVariables): + * dfg/DFGInPlaceAbstractState.cpp: + (JSC::DFG::InPlaceAbstractState::mergeStateAtTail): + * runtime/FunctionExecutableDump.cpp: + (JSC::FunctionExecutableDump::dump): + * tests/stress/dead-access-to-captured-variable-preceded-by-a-live-store-in-function-with-multiple-basic-blocks.js: Added. + (foo): + * tests/stress/dead-access-to-captured-variable-preceded-by-a-live-store.js: Added. + (foo): + +2014-03-12 Brian Burg + + Web Replay: add infrastructure for memoizing nondeterministic DOM APIs + https://bugs.webkit.org/show_bug.cgi?id=129445 + + Reviewed by Timothy Hatcher. + + There was a bug in the replay inputs code generator that would include + headers for definitions of enum classes, even though they can be safely + forward-declared. + + * replay/scripts/CodeGeneratorReplayInputs.py: + (Generator.generate_includes): Only include for copy constructor if the + type is a heavy scalar (i.e., String, URL), not a normal scalar + (i.e., int, double, enum classes). + + (Generator.generate_type_forward_declarations): Forward-declare scalars + that are enums or enum classes. + +2014-03-12 Joseph Pecoraro + + Web Inspector: Disable REMOTE_INSPECTOR in earlier OS X releases + https://bugs.webkit.org/show_bug.cgi?id=130118 + + Reviewed by Timothy Hatcher. + + * Configurations/FeatureDefines.xcconfig: + +2014-03-12 Joseph Pecoraro + + Web Inspector: Hang in Remote Inspection triggering breakpoint from console + https://bugs.webkit.org/show_bug.cgi?id=130032 + + Reviewed by Timothy Hatcher. + + * inspector/EventLoop.h: + * inspector/EventLoop.cpp: + (Inspector::EventLoop::remoteInspectorRunLoopMode): + (Inspector::EventLoop::cycle): + Expose the run loop mode name so it can be used if needed by others. + + * inspector/remote/RemoteInspectorDebuggableConnection.h: + * inspector/remote/RemoteInspectorDebuggableConnection.mm: + (Inspector::RemoteInspectorBlock::RemoteInspectorBlock): + (Inspector::RemoteInspectorBlock::~RemoteInspectorBlock): + (Inspector::RemoteInspectorBlock::operator=): + (Inspector::RemoteInspectorBlock::operator()): + (Inspector::RemoteInspectorQueueTask): + Instead of a dispatch_queue, have our own static Vector of debugger tasks. + + (Inspector::RemoteInspectorHandleRunSource): + (Inspector::RemoteInspectorInitializeQueue): + Initialize the static queue and run loop source. When the run loop source + fires, it will exhaust the queue of debugger messages. + + (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection): + (Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection): + When we get a debuggable connection add a run loop source for inspector commands. + + (Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable): + (Inspector::RemoteInspectorDebuggableConnection::sendMessageToBackend): + Enqueue blocks on our Vector instead of our dispatch_queue. + +2014-03-12 Commit Queue + + Unreviewed, rolling out r165482. + https://bugs.webkit.org/show_bug.cgi?id=130157 + + Broke the windows build; "error C2466: cannot allocate an + array of constant size 0" (Requested by jernoble on #webkit). + + Reverted changeset: + + "Reduce memory use for static property maps" + https://bugs.webkit.org/show_bug.cgi?id=129986 + http://trac.webkit.org/changeset/165482 + +2014-03-12 Mark Hahnenberg + + Remove HandleSet::m_nextToFinalize + https://bugs.webkit.org/show_bug.cgi?id=130109 + + Reviewed by Mark Lam. + + This is a remnant of when HandleSet contained things that needed to be finalized. + + * heap/HandleSet.cpp: + (JSC::HandleSet::HandleSet): + (JSC::HandleSet::writeBarrier): + * heap/HandleSet.h: + (JSC::HandleSet::allocate): + (JSC::HandleSet::deallocate): + +2014-03-12 Mark Hahnenberg + + Layout Test fast/workers/worker-gc.html is failing + https://bugs.webkit.org/show_bug.cgi?id=130135 + + Reviewed by Geoffrey Garen. + + When removing MarkedBlocks, we always expect them to be in the MarkedAllocator's + main list of blocks, i.e. not in the retired list. When shutting down the VM this + wasn't always the case which was causing ASSERTs to fire. We should rearrange things + so that allocators are notified with lastChanceToFinalize. This will give them + the chance to move their retired blocks back into the main list before removing them all. + + * heap/MarkedAllocator.cpp: + (JSC::LastChanceToFinalize::operator()): + (JSC::MarkedAllocator::lastChanceToFinalize): + * heap/MarkedAllocator.h: + * heap/MarkedSpace.cpp: + (JSC::LastChanceToFinalize::operator()): + (JSC::MarkedSpace::lastChanceToFinalize): + +2014-03-12 Gavin Barraclough + + Reduce memory use for static property maps + https://bugs.webkit.org/show_bug.cgi?id=129986 + + Reviewed by Andreas Kling. + + Static property tables are currently duplicated on first use from read-only memory into dirty memory + in every process, and since the entries are large (48 bytes) and the tables can be unusually sparse + (we use a custom hash table without a rehash) a lot of memory may be wasted. + + First, reduce the size of the hashtable. Instead of storing values in the table the hashtable maps + from string hashes to indicies into a densely packed array of values. Compute the index table at + compile time as a part of the derived sources step, such that this may be read-only data. + + Second, don't copy all data from the HashTableValue array into a HashEntry objects. Instead refer + directly to the HashTableValue entries. The only data that needs to be allocated at runtime are the + keys, which are Identifiers. + + * create_hash_table: + - emit the hash table index into the derived source (we were calculating this already to ensure chaining does not get too deep). + * parser/Lexer.cpp: + (JSC::Lexer::parseIdentifier): + (JSC::Lexer::parseIdentifier): + (JSC::Lexer::parseIdentifierSlowCase): + - HashEntry -> HashTableValue. + * parser/Lexer.h: + (JSC::Keywords::getKeyword): + - HashEntry -> HashTableValue. + * runtime/ClassInfo.h: + - removed HashEntry. + * runtime/JSObject.cpp: + (JSC::getClassPropertyNames): + - use HashTable::ConstIterator. + (JSC::JSObject::put): + (JSC::JSObject::deleteProperty): + (JSC::JSObject::findPropertyHashEntry): + - HashEntry -> HashTableValue. + (JSC::JSObject::reifyStaticFunctionsForDelete): + - changed HashTable::ConstIterator interface. + * runtime/JSObject.h: + - HashEntry -> HashTableValue. + * runtime/Lookup.cpp: + (JSC::HashTable::createTable): + - table -> keys, keys array is now densely packed. + (JSC::HashTable::deleteTable): + - table -> keys. + (JSC::setUpStaticFunctionSlot): + - HashEntry -> HashTableValue. + * runtime/Lookup.h: + (JSC::HashTableValue::builtinGenerator): + (JSC::HashTableValue::function): + (JSC::HashTableValue::functionLength): + (JSC::HashTableValue::propertyGetter): + (JSC::HashTableValue::propertyPutter): + (JSC::HashTableValue::lexerValue): + - added accessor methods from HashEntry. + (JSC::HashTable::copy): + - fields changed. + (JSC::HashTable::initializeIfNeeded): + - table -> keys. + (JSC::HashTable::entry): + - HashEntry -> HashTableValue. + (JSC::HashTable::ConstIterator::ConstIterator): + - iterate packed value array, so no need to skipInvalidKeys(). + (JSC::HashTable::ConstIterator::value): + (JSC::HashTable::ConstIterator::key): + (JSC::HashTable::ConstIterator::operator->): + - accessors now get HashTableValue/StringImpl* separately. + (JSC::HashTable::ConstIterator::operator++): + - iterate packed value array, so no need to skipInvalidKeys(). + (JSC::HashTable::end): + - end is now size of dense not sparse array. + (JSC::getStaticPropertySlot): + (JSC::getStaticFunctionSlot): + (JSC::getStaticValueSlot): + (JSC::putEntry): + (JSC::lookupPut): + - HashEntry -> HashTableValue. + +2014-03-11 Filip Pizlo + + It should be possible to build WebKit with FTL on iOS + https://bugs.webkit.org/show_bug.cgi?id=130116 + + Reviewed by Dan Bernstein. + + * Configurations/Base.xcconfig: + +2014-03-10 Filip Pizlo + + GetById list caching should use something object-oriented rather than PolymorphicAccessStructureList + https://bugs.webkit.org/show_bug.cgi?id=129778 + + Reviewed by Geoffrey Garen. + + Also deduplicate the GetById getter call caching. Also add some small tests for + get stubs. + + This change reduces the amount of code involved in GetById access caching and it + creates data structures that can serve as an elegant scaffold for introducing other + kinds of caches or improving current caching styles. It will definitely make getter + performance improvements easier to implement. + + * CMakeLists.txt: + * GNUmakefile.list.am: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.xcodeproj/project.pbxproj: + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::printGetByIdCacheStatus): + * bytecode/GetByIdStatus.cpp: + (JSC::GetByIdStatus::computeForStubInfo): + * bytecode/PolymorphicGetByIdList.cpp: Added. + (JSC::GetByIdAccess::GetByIdAccess): + (JSC::GetByIdAccess::~GetByIdAccess): + (JSC::GetByIdAccess::fromStructureStubInfo): + (JSC::GetByIdAccess::visitWeak): + (JSC::PolymorphicGetByIdList::PolymorphicGetByIdList): + (JSC::PolymorphicGetByIdList::from): + (JSC::PolymorphicGetByIdList::~PolymorphicGetByIdList): + (JSC::PolymorphicGetByIdList::currentSlowPathTarget): + (JSC::PolymorphicGetByIdList::addAccess): + (JSC::PolymorphicGetByIdList::isFull): + (JSC::PolymorphicGetByIdList::isAlmostFull): + (JSC::PolymorphicGetByIdList::didSelfPatching): + (JSC::PolymorphicGetByIdList::visitWeak): + * bytecode/PolymorphicGetByIdList.h: Added. + (JSC::GetByIdAccess::GetByIdAccess): + (JSC::GetByIdAccess::isSet): + (JSC::GetByIdAccess::operator!): + (JSC::GetByIdAccess::type): + (JSC::GetByIdAccess::structure): + (JSC::GetByIdAccess::chain): + (JSC::GetByIdAccess::chainCount): + (JSC::GetByIdAccess::stubRoutine): + (JSC::GetByIdAccess::doesCalls): + (JSC::PolymorphicGetByIdList::isEmpty): + (JSC::PolymorphicGetByIdList::size): + (JSC::PolymorphicGetByIdList::at): + (JSC::PolymorphicGetByIdList::operator[]): + * bytecode/StructureStubInfo.cpp: + (JSC::StructureStubInfo::deref): + (JSC::StructureStubInfo::visitWeakReferences): + * bytecode/StructureStubInfo.h: + (JSC::isGetByIdAccess): + (JSC::StructureStubInfo::initGetByIdList): + * jit/Repatch.cpp: + (JSC::generateGetByIdStub): + (JSC::tryCacheGetByID): + (JSC::patchJumpToGetByIdStub): + (JSC::tryBuildGetByIDList): + (JSC::tryBuildPutByIdList): + * tests/stress/getter.js: Added. + (foo): + (.o): + * tests/stress/polymorphic-prototype-accesses.js: Added. + (Foo): + (Bar): + (foo): + * tests/stress/prototype-getter.js: Added. + (Foo): + (foo): + * tests/stress/simple-prototype-accesses.js: Added. + (Foo): + (foo): + +2014-03-11 Mark Hahnenberg + + MarkedBlocks that are "full enough" shouldn't be swept after EdenCollections + https://bugs.webkit.org/show_bug.cgi?id=129920 + + Reviewed by Geoffrey Garen. + + This patch introduces the notion of "retiring" MarkedBlocks. We retire a MarkedBlock + when the amount of free space in a MarkedBlock drops below a certain threshold. + Retired blocks are not considered for sweeping. + + This is profitable because it reduces churn during sweeping. To build a free list, + we have to scan through each cell in a block. After a collection, all objects that + are live in the block will remain live until the next FullCollection, at which time + we un-retire all previously retired blocks. Thus, a small number of objects in a block + that die during each EdenCollection could cause us to do a disproportiante amount of + sweeping for how much free memory we get back. + + This patch looks like a consistent ~2% progression on boyer and is neutral everywhere else. + + * heap/Heap.h: + (JSC::Heap::didRetireBlockWithFreeListSize): + * heap/MarkedAllocator.cpp: + (JSC::MarkedAllocator::tryAllocateHelper): + (JSC::MarkedAllocator::removeBlock): + (JSC::MarkedAllocator::reset): + * heap/MarkedAllocator.h: + (JSC::MarkedAllocator::MarkedAllocator): + (JSC::MarkedAllocator::forEachBlock): + * heap/MarkedBlock.cpp: + (JSC::MarkedBlock::sweepHelper): + (JSC::MarkedBlock::clearMarksWithCollectionType): + (JSC::MarkedBlock::didRetireBlock): + * heap/MarkedBlock.h: + (JSC::MarkedBlock::willRemoveBlock): + (JSC::MarkedBlock::isLive): + * heap/MarkedSpace.cpp: + (JSC::MarkedSpace::clearNewlyAllocated): + (JSC::MarkedSpace::clearMarks): + * runtime/Options.h: + +2014-03-11 Andreas Kling + + Streamline PropertyTable for lookup-only access. + + + The PropertyTable lookup algorithm was written to support both read + and write access. This wasn't actually needed in most places. + + This change adds a PropertyTable::get() that just returns the value + type (instead of an insertion iterator.) It also adds an early return + for empty tables. + + Finally, up the minimum table capacity from 8 to 16. It was lowered + to 8 in order to save memory, but that was before PropertyTables were + GC allocated. Nowadays we don't have nearly as many tables, since all + the unpinned transitions die off. + + Reviewed by Darin Adler. + + * runtime/PropertyMapHashTable.h: + (JSC::PropertyTable::get): + * runtime/Structure.cpp: + (JSC::Structure::despecifyDictionaryFunction): + (JSC::Structure::attributeChangeTransition): + (JSC::Structure::get): + (JSC::Structure::despecifyFunction): + * runtime/StructureInlines.h: + (JSC::Structure::get): + +2014-03-10 Mark Hahnenberg + + REGRESSION(r165407): DoYouEvenBench crashes in DRT + https://bugs.webkit.org/show_bug.cgi?id=130066 + + Reviewed by Geoffrey Garen. + + The baseline JIT does a conditional store barrier for the put_by_id, but we need + an unconditional store barrier so that we cover the butterfly case as well in emitPutTransitionStub. + + * jit/JIT.h: + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emit_op_put_by_id): + (JSC::JIT::emitWriteBarrier): + +2014-03-10 Mark Lam + + Resurrect bit-rotted JIT::probe() mechanism. + + + Reviewed by Geoffrey Garen. + + * jit/JITStubs.cpp: + - Added the needed #include . + +2014-03-10 Joseph Pecoraro + + Fix typo in EXCLUDED_SOURCE_FILE_NAMES_iphoneos. + + Rubber-stamped by Dan Bernstein. + + * Configurations/JavaScriptCore.xcconfig: + +2014-03-10 Mark Lam + + r165414 broke the 32-bit x86 tests: ASSERTION FAILED: result != InvalidIndex @ GPRInfo.h:330. + + + Reviewed by Michael Saboff. + + There is code in ScratchRegisterAllocator.cpp that is relying on GPRInfo::toIndex() + being able to return InvalidIndex. Hence, the assertion is invalid. Ditto for + FPRInfo::toIndex(). + + The fix is to remove the "result != InvalidIndex" assertions. + + * jit/FPRInfo.h: + (JSC::FPRInfo::toIndex): + * jit/GPRInfo.h: + (JSC::GPRInfo::toIndex): + +2014-03-10 Mark Lam + + Crash on a stack overflow on 32-bit x86 in http/tests/websocket/tests/hybi/workers/no-onmessage-in-sync-op.html. + + + Reviewed by Geoffrey Garen. + + The 32-bit x86 version of getHostCallReturnValue() was leaking 16 bytes + stack memory every time it was called. This is now fixed. + + * jit/JITOperations.cpp: + +2014-03-10 Joseph Pecoraro + + Better JSContext API for named evaluations (other than //# sourceURL) + https://bugs.webkit.org/show_bug.cgi?id=129911 + + Reviewed by Geoffrey Garen. + + * API/JSBase.h: + * API/JSContext.h: + * API/JSContext.mm: + (-[JSContext evaluateScript:]): + (-[JSContext evaluateScript:withSourceURL:]): + Add new evaluateScript:withSourceURL:. + + * API/tests/testapi.c: + (main): + * API/tests/testapi.mm: + (testObjectiveCAPI): + Add tests for sourceURL in evaluate APIs. It should + affect the exception objects. + +2014-03-10 Filip Pizlo + + Repatch should save and restore all used registers - not just temp ones - when making a call + https://bugs.webkit.org/show_bug.cgi?id=130041 + + Reviewed by Geoffrey Garen and Mark Hahnenberg. + + The save/restore code was written back when the only client was the DFG, which only uses a + subset of hardware registers: the "temp" registers in our lingo. But the FTL may use many + other registers, especially on ARM64. The fact that Repatch doesn't know to save those can + lead to data corruption on ARM64. + + * jit/RegisterSet.cpp: + (JSC::RegisterSet::calleeSaveRegisters): + (JSC::RegisterSet::numberOfSetGPRs): + (JSC::RegisterSet::numberOfSetFPRs): + * jit/RegisterSet.h: + * jit/Repatch.cpp: + (JSC::storeToWriteBarrierBuffer): + (JSC::emitPutTransitionStub): + * jit/ScratchRegisterAllocator.cpp: + (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator): + (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing): + (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping): + (JSC::ScratchRegisterAllocator::usedRegistersForCall): + (JSC::ScratchRegisterAllocator::desiredScratchBufferSizeForCall): + (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall): + (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall): + * jit/ScratchRegisterAllocator.h: + +2014-03-10 Mark Hahnenberg + + Remove ConditionalStore barrier + https://bugs.webkit.org/show_bug.cgi?id=130040 + + Reviewed by Geoffrey Garen. + + ConditionalStoreBarrier was created when barriers were much more expensive. Now that + they're cheap(er), we can get rid of them. This also allows us to get rid of the write + barrier logic in emitPutTransitionStub because we always will have executed a write barrier + on the base object in the case where we are allocating and storing a new Butterfly into it. + Previously, a ConditionalStoreBarrier might or might not have barrier-ed the base object, + so we'd have to emit a write barrier in the transition case. + + This is performance neutral on the benchmarks we track. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + (JSC::DFG::ConstantFoldingPhase::emitPutByOffset): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + (JSC::DFG::FixupPhase::insertStoreBarrier): + * dfg/DFGNode.h: + (JSC::DFG::Node::isStoreBarrier): + * dfg/DFGNodeType.h: + * dfg/DFGPredictionPropagationPhase.cpp: + (JSC::DFG::PredictionPropagationPhase::propagate): + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileStoreBarrier): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileNode): + * jit/Repatch.cpp: + (JSC::emitPutTransitionStub): + +2014-03-10 Filip Pizlo + + DFG and FTL should know that comparing anything to Misc is cheap and easy + https://bugs.webkit.org/show_bug.cgi?id=130001 + + Reviewed by Geoffrey Garen. + + - Expand CompareStrictEq(Misc:, Misc:) to work for cases where either side of the + comparison is just Untyped:. + + - This obviates the need for CompareStrictEqConstant, so remove it. + + - FTL had a thing called "Nully" which is really "Other". Rename it and add + OtherUse. + + 9% speed-up on box2d. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGNode.h: + (JSC::DFG::Node::isBinaryUseKind): + (JSC::DFG::Node::shouldSpeculateOther): + * dfg/DFGNodeType.h: + * dfg/DFGPredictionPropagationPhase.cpp: + (JSC::DFG::PredictionPropagationPhase::propagate): + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch): + (JSC::DFG::SpeculativeJIT::compare): + (JSC::DFG::SpeculativeJIT::compileStrictEq): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileNode): + (JSC::FTL::LowerDFGToLLVM::compileCompareEq): + (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq): + (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject): + (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined): + (JSC::FTL::LowerDFGToLLVM::isNotOther): + (JSC::FTL::LowerDFGToLLVM::isOther): + (JSC::FTL::LowerDFGToLLVM::speculate): + (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther): + (JSC::FTL::LowerDFGToLLVM::speculateNotCell): + (JSC::FTL::LowerDFGToLLVM::speculateOther): + (JSC::FTL::LowerDFGToLLVM::speculateMisc): + * tests/stress/compare-strict-eq-integer-to-misc.js: Added. + +2014-03-10 Filip Pizlo + + Unreviewed, remove unintended change. + + * dfg/DFGDriver.cpp: + (JSC::DFG::compileImpl): + +2014-03-10 Filip Pizlo + + jsc commandline shouldn't have a "console" because that confuses some tests into thinking + that they're running in the browser. + + Rubber stamped by Mark Hahnenberg. + + * jsc.cpp: + (GlobalObject::finishCreation): + +2014-03-10 Filip Pizlo + + Out-line ScratchRegisterAllocator + + Rubber stamped by Mark Hahnenberg. + + * CMakeLists.txt: + * GNUmakefile.list.am: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.xcodeproj/project.pbxproj: + * dfg/DFGDriver.cpp: + (JSC::DFG::compileImpl): + * jit/ScratchRegisterAllocator.cpp: Added. + (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator): + (JSC::ScratchRegisterAllocator::~ScratchRegisterAllocator): + (JSC::ScratchRegisterAllocator::lock): + (JSC::ScratchRegisterAllocator::allocateScratch): + (JSC::ScratchRegisterAllocator::allocateScratchGPR): + (JSC::ScratchRegisterAllocator::allocateScratchFPR): + (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing): + (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping): + (JSC::ScratchRegisterAllocator::desiredScratchBufferSize): + (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer): + (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer): + * jit/ScratchRegisterAllocator.h: + +2014-03-10 Brent Fulgham + + [Win] Pass environment to Pre-Build, Pre-link, and Post-Build Stages. + https://bugs.webkit.org/show_bug.cgi?id=130023 + + Reviewed by Dean Jackson. + + * JavaScriptCore.vcxproj/JavaScriptCore.proj: Avoid trailing backslashes in + path names to avoid accidental escaping of later string substitutions. + +2014-03-10 Andreas Kling + + [X86_64] Smaller code for testb_i8r when register is accumulator. + + + Generate the shorthand version of "test al, imm" when possible. + + Reviewed by Michael Saboff. + + * assembler/X86Assembler.h: + (JSC::X86Assembler::testb_i8r): + +2014-03-10 Andreas Kling + + [X86_64] Smaller code for sub_ir when register is accumulator. + + + Generate the shorthand version of "sub eax, imm" when possible. + + Reviewed by Michael Saboff. + + * assembler/X86Assembler.h: + (JSC::X86Assembler::subl_ir): + (JSC::X86Assembler::subq_ir): + +2014-03-10 Andreas Kling + + [X86_64] Smaller code for add_ir when register is accumulator. + + + Generate the shorthand version of "add eax, imm" when possible. + + Reviewed by Michael Saboff. + + * assembler/X86Assembler.h: + (JSC::X86Assembler::addl_ir): + (JSC::X86Assembler::addq_ir): + +2014-03-10 Mark Hahnenberg + + writeBarrier in emitPutReplaceStub is unnecessary + https://bugs.webkit.org/show_bug.cgi?id=130030 + + Reviewed by Filip Pizlo. + + We already emit write barriers for each put-by-id when they're first compiled, so it's + redundant to emit a write barrier as part of the repatched code. + + * jit/Repatch.cpp: + (JSC::emitPutReplaceStub): + +2014-03-10 Andreas Kling + + [X86_64] Smaller code for xor_ir when register is accumulator. + + + Generate the shorthand version of "xor eax, imm" when possible. + + Reviewed by Benjamin Poulain. + + * assembler/X86Assembler.h: + (JSC::X86Assembler::xorl_ir): + (JSC::X86Assembler::xorq_ir): + +2014-03-10 Andreas Kling + + [X86_64] Smaller code for or_ir when register is accumulator. + + + Generate the shorthand version of "or eax, imm" when possible. + + Reviewed by Benjamin Poulain. + + * assembler/X86Assembler.h: + (JSC::X86Assembler::orl_ir): + (JSC::X86Assembler::orq_ir): + +2014-03-10 Andreas Kling + + [X86_64] Smaller code for test_ir when register is accumulator. + + + Generate the shorthand version of "test eax, imm" when possible. + + Reviewed by Benjamin Poulain. + + * assembler/X86Assembler.h: + (JSC::X86Assembler::testl_i32r): + (JSC::X86Assembler::testq_i32r): + +2014-03-10 Andreas Kling + + [X86_64] Smaller code for cmp_ir when register is accumulator. + + + Generate the shorthand version of "cmp eax, imm" when possible. + + Reviewed by Benjamin Poulain. + + * assembler/X86Assembler.h: + (JSC::X86Assembler::cmpl_ir): + (JSC::X86Assembler::cmpq_ir): + +2014-03-10 Andreas Kling + + [X86_64] Smaller code for store64(imm, address) when imm fits in 32 bits. + + + Generate this: + + mov [address], imm32 + + Instead of this: + + mov scratchRegister, imm32 + mov [address], scratchRegister + + For store64(imm, address) where the 64-bit immediate can be passed as + a sign-extended 32-bit value. + + Reviewed by Benjamin Poulain. + + * assembler/MacroAssemblerX86_64.h: + (CAN_SIGN_EXTEND_32_64): + (JSC::MacroAssemblerX86_64::store64): + +2014-03-10 Andreas Kling + + [X86_64] Smaller code for xchg_rr when one register is accumulator. + + + Generate the 1-byte version of "xchg eax, reg" when possible. + + Reviewed by Benjamin Poulain. + + * assembler/X86Assembler.h: + (JSC::X86Assembler::xchgl_rr): + (JSC::X86Assembler::xchgq_rr): + +2014-03-09 Filip Pizlo + + GPRInfo::toIndex should return InvalidIndex for non-temp registers on ARM64 + https://bugs.webkit.org/show_bug.cgi?id=129998 + + Reviewed by Geoffrey Garen. + + Not only is that the established contract, but this is used to signal to + ScratchRegisterAllocator that the register doesn't need locking since it isn't a register + that this allocator would use. In the FTL, we may have an inline cache where LLVM had used + some non-temp register (i.e. a register that JSC itself wouldn't have used). This is totally + fine but previously it would have led to either an assertion failure, or data corruption, in + the ScratchRegisterAllocator. + + * jit/GPRInfo.h: + (JSC::GPRInfo::toIndex): + +2014-03-09 Filip Pizlo + + FTL fails the new equals-masquerader strictEqualConstant test + https://bugs.webkit.org/show_bug.cgi?id=129996 + + Reviewed by Mark Lam. + + It turns out that the FTL was trying to do the masquerading stuff for ===null. But + that's wrong since none of the other engines do it. The DFG even had an ancient + FIXME about doing it - but that doesn't make sense since the LLInt and baseline JIT + don't do it and JSValue::strictEqual() doesn't do it. + + Remove the FIXME and remove the extra checks in the FTL. + + This is a glorious patch: nothing but red and it fixes a test failure. + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant): + +2014-03-09 Andreas Kling + + Short-circuit JSGlobalObjectInspectorController when not inspecting. + + + Add an early return in reportAPIException() when the console agent + is disabled. This avoids expensive symbolication during exceptions + if there's nobody expecting the fancy backtrace anyway. + + ~2% progression on DYEB on my MBP. + + Reviewed by Geoff Garen. + + * inspector/JSGlobalObjectInspectorController.cpp: + (Inspector::JSGlobalObjectInspectorController::reportAPIException): + +2014-03-09 Andreas Kling + + Inline the trivial parts of GC deferral. + + + Made most of the functions called by the DeferGC RAII object inline + to avoid function call overhead. + + Looks like ~1% progression on DYEB. + + Reviewed by Geoffrey Garen. + + * heap/Heap.cpp: + * heap/Heap.h: + (JSC::Heap::incrementDeferralDepth): + (JSC::Heap::decrementDeferralDepth): + (JSC::Heap::collectIfNecessaryOrDefer): + (JSC::Heap::decrementDeferralDepthAndGCIfNeeded): + +2014-03-08 Mark Lam + + 32-bit x86 handleUncaughtException returns to wrong location after a stack overflow. + + + Reviewed by Geoffrey Garen. + + The 32-bit version of handleUncaughtException was missing the handling of an + edge case for stack overflows where the current frame may already be the + sentinel frame. This edge case was handled in the 64-bit version. The fix + is to bring the 32-bit version up to parity. + + * jit/JIT.cpp: + (JSC::JIT::privateCompile): + * llint/LowLevelInterpreter32_64.asm: + +2014-03-07 Mark Lam + + Fix bugs in 32-bit Structure implementation. + + + Reviewed by Mark Hahnenberg. + + Added the loading of the Structure (from the JSCell) before use that was + missing in a few places. Also added more test cases to equals-masquerader.js. + + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull): + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * llint/LowLevelInterpreter32_64.asm: + * tests/stress/equals-masquerader.js: + (equalsNull): + (notEqualsNull): + (strictEqualsNull): + (strictNotEqualsNull): + (equalsUndefined): + (notEqualsUndefined): + (strictEqualsUndefined): + (strictNotEqualsUndefined): + (isFalsey): + (test): + +2014-03-07 Andrew Trick + + Temporarily disable repeat-out-of-bounds stress tests pending fix for 129953. + https://bugs.webkit.org/show_bug.cgi?id=129954 + + Reviewed by Filip Pizlo. + + * tests/stress/float32-repeat-out-of-bounds.js: + * tests/stress/int8-repeat-out-of-bounds.js: + +2014-03-07 Michael Saboff + + .cfi directives in LowLevelInterpreter.cpp are providing no benefit + https://bugs.webkit.org/show_bug.cgi?id=129945 + + Reviewed by Mark Lam. + + Removed .cfi directive. Verified that stack traces didn't regress in crash reporter + or in lldb. + + * llint/LowLevelInterpreter.cpp: + +2014-03-07 Oliver Hunt + + Continue hangs when performing for-of over arguments + https://bugs.webkit.org/show_bug.cgi?id=129915 + + Reviewed by Geoffrey Garen. + + Put the continue label in the right place + + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitEnumeration): + +2014-03-07 peavo@outlook.com + + [Win64] Compile error after r165128. + https://bugs.webkit.org/show_bug.cgi?id=129807 + + Reviewed by Mark Lam. + + * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: + Check platform environment variable to determine if an assembler file should be generated. + +2014-03-07 Michael Saboff + + Clarify how we deal with "special" registers + https://bugs.webkit.org/show_bug.cgi?id=129806 + + Already reviewed change being relanded. + + Relanding change set r165196 as it wasn't responsible for the breakage reported in + https://bugs.webkit.org/show_bug.cgi?id=129822. That appears to be a build or + + Reviewed by Michael Saboff. + configuration issue. + + * assembler/ARM64Assembler.h: + (JSC::ARM64Assembler::lastRegister): + * assembler/MacroAssembler.h: + (JSC::MacroAssembler::nextRegister): + * ftl/FTLLocation.cpp: + (JSC::FTL::Location::restoreInto): + * ftl/FTLSaveRestore.cpp: + (JSC::FTL::saveAllRegisters): + (JSC::FTL::restoreAllRegisters): + * ftl/FTLSlowPathCall.cpp: + * jit/RegisterSet.cpp: + (JSC::RegisterSet::reservedHardwareRegisters): + (JSC::RegisterSet::runtimeRegisters): + (JSC::RegisterSet::specialRegisters): + (JSC::RegisterSet::calleeSaveRegisters): + * jit/RegisterSet.h: + +2014-03-07 Mark Hahnenberg + + Move GCActivityCallback to heap + https://bugs.webkit.org/show_bug.cgi?id=129457 + + Reviewed by Geoffrey Garen. + + All the other GC timer related stuff is there already. + + * CMakeLists.txt: + * GNUmakefile.list.am: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: + * JavaScriptCore.xcodeproj/project.pbxproj: + * heap/GCActivityCallback.cpp: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.cpp. + * heap/GCActivityCallback.h: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.h. + * runtime/GCActivityCallback.cpp: Removed. + * runtime/GCActivityCallback.h: Removed. + +2014-03-07 Andrew Trick + + Correct a comment typo from: + FLT should call fmod directly on platforms where LLVM cannot relocate the libcall + https://bugs.webkit.org/show_bug.cgi?id=129865 + + Reviewed by Mark Lam. + + * ftl/FTLOutput.h: + (JSC::FTL::Output::doubleRem): + +2014-03-07 Mark Hahnenberg + + Use OwnPtr in StructureIDTable + https://bugs.webkit.org/show_bug.cgi?id=129828 + + Reviewed by Geoffrey Garen. + + This reduces the amount of boilerplate and fixes a memory leak. + + * runtime/StructureIDTable.cpp: + (JSC::StructureIDTable::StructureIDTable): + (JSC::StructureIDTable::resize): + (JSC::StructureIDTable::flushOldTables): + (JSC::StructureIDTable::allocateID): + (JSC::StructureIDTable::deallocateID): + * runtime/StructureIDTable.h: + (JSC::StructureIDTable::table): + (JSC::StructureIDTable::get): + +2014-03-07 Andrew Trick + + FLT should call fmod directly on platforms where LLVM cannot relocate the libcall + https://bugs.webkit.org/show_bug.cgi?id=129865 + + Reviewed by Filip Pizlo. + + * ftl/FTLIntrinsicRepository.h: + * ftl/FTLOutput.h: + (JSC::FTL::Output::doubleRem): + +2014-03-06 Filip Pizlo + + If the FTL is build-time enabled then it should be run-time enabled. + + Rubber stamped by Geoffrey Garen. + + * runtime/Options.cpp: + (JSC::recomputeDependentOptions): + * runtime/Options.h: + +2014-03-06 Joseph Pecoraro + + [OS X] Web Inspector: Allow Apps using JavaScriptCore to access "com.apple.webinspector" mach port + https://bugs.webkit.org/show_bug.cgi?id=129852 + + Reviewed by Geoffrey Garen. + + * framework.sb: Added. + Sandbox extension to allow access to "com.apple.webinspector". + + * JavaScriptCore.xcodeproj/project.pbxproj: + Add a Copy Resources build phase and include framework.sb. + + * Configurations/JavaScriptCore.xcconfig: + Do not copy framework.sb on iOS. + +2014-03-06 Mark Hahnenberg + + JSGlobalContextRelease incorrectly handles saving/restoring IdentifierTable + https://bugs.webkit.org/show_bug.cgi?id=129858 + + Reviewed by Mark Lam. + + It was correct (but really ugly) prior to the combining of APIEntryShim and JSLock, + but now it ends up overwriting the IdentifierTable that JSLock just restored. + + * API/JSContextRef.cpp: + (JSGlobalContextRelease): + +2014-03-06 Oliver Hunt + + Fix FTL build. + + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + +2014-03-06 Brent Fulgham + + Unreviewed build fix after r165128. + + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: The SEH flag was not getting set when + performing 'Production' and 'DebugSuffix' type builds. + +2014-03-06 Julien Brianceau + + Unreviewed, fix style in my previous commit. + https://bugs.webkit.org/show_bug.cgi?id=129833 + + * runtime/JSConsole.cpp: + +2014-03-06 Julien Brianceau + + Build fix: add missing include in JSConole.cpp. + https://bugs.webkit.org/show_bug.cgi?id=129833 + + Reviewed by Oliver Hunt. + + * runtime/JSConsole.cpp: + +2014-03-06 Oliver Hunt + + Fix ARMv7 + + * jit/CCallHelpers.h: + (JSC::CCallHelpers::setupArgumentsWithExecState): + +2014-03-06 Commit Queue + + Unreviewed, rolling out r165196. + http://trac.webkit.org/changeset/165196 + https://bugs.webkit.org/show_bug.cgi?id=129822 + + broke arm64 on hardware (Requested by bfulgham on #webkit). + + * assembler/ARM64Assembler.h: + (JSC::ARM64Assembler::lastRegister): + * assembler/MacroAssembler.h: + (JSC::MacroAssembler::isStackRelated): + (JSC::MacroAssembler::firstRealRegister): + (JSC::MacroAssembler::nextRegister): + (JSC::MacroAssembler::secondRealRegister): + * ftl/FTLLocation.cpp: + (JSC::FTL::Location::restoreInto): + * ftl/FTLSaveRestore.cpp: + (JSC::FTL::saveAllRegisters): + (JSC::FTL::restoreAllRegisters): + * ftl/FTLSlowPathCall.cpp: + * jit/RegisterSet.cpp: + (JSC::RegisterSet::specialRegisters): + (JSC::RegisterSet::calleeSaveRegisters): + * jit/RegisterSet.h: + +2014-03-06 Mark Lam + + REGRESSION(r165205): broke the CLOOP build (Requested by smfr on #webkit). + + + Reviewed by Michael Saboff. + + Fixed broken C loop LLINT build. + + * llint/LowLevelInterpreter.cpp: + (JSC::CLoop::execute): + * offlineasm/cloop.rb: + +2014-03-03 Oliver Hunt + + Support caching of custom setters + https://bugs.webkit.org/show_bug.cgi?id=129519 + + Reviewed by Filip Pizlo. + + This patch adds caching of assignment to properties that + are backed by C functions. This provides most of the leg + work required to start supporting setters, and resolves + the remaining regressions from moving DOM properties up + the prototype chain. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * bytecode/PolymorphicPutByIdList.cpp: + (JSC::PutByIdAccess::visitWeak): + (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList): + (JSC::PolymorphicPutByIdList::from): + * bytecode/PolymorphicPutByIdList.h: + (JSC::PutByIdAccess::transition): + (JSC::PutByIdAccess::replace): + (JSC::PutByIdAccess::customSetter): + (JSC::PutByIdAccess::isCustom): + (JSC::PutByIdAccess::oldStructure): + (JSC::PutByIdAccess::chain): + (JSC::PutByIdAccess::stubRoutine): + * bytecode/PutByIdStatus.cpp: + (JSC::PutByIdStatus::computeForStubInfo): + (JSC::PutByIdStatus::computeFor): + (JSC::PutByIdStatus::dump): + * bytecode/PutByIdStatus.h: + (JSC::PutByIdStatus::PutByIdStatus): + (JSC::PutByIdStatus::takesSlowPath): + (JSC::PutByIdStatus::makesCalls): + * bytecode/StructureStubInfo.h: + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::emitPutById): + (JSC::DFG::ByteCodeParser::handlePutById): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGCommon.h: + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGNode.h: + (JSC::DFG::Node::hasIdentifier): + * dfg/DFGNodeType.h: + * dfg/DFGPredictionPropagationPhase.cpp: + (JSC::DFG::PredictionPropagationPhase::propagate): + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileIn): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::cachedGetById): + (JSC::DFG::SpeculativeJIT::cachedPutById): + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::cachedGetById): + (JSC::DFG::SpeculativeJIT::cachedPutById): + (JSC::DFG::SpeculativeJIT::compile): + * jit/CCallHelpers.h: + (JSC::CCallHelpers::setupArgumentsWithExecState): + * jit/JITInlineCacheGenerator.cpp: + (JSC::JITByIdGenerator::JITByIdGenerator): + (JSC::JITPutByIdGenerator::JITPutByIdGenerator): + * jit/JITInlineCacheGenerator.h: + (JSC::JITGetByIdGenerator::JITGetByIdGenerator): + * jit/JITOperations.cpp: + * jit/JITOperations.h: + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emit_op_get_by_id): + (JSC::JIT::emit_op_put_by_id): + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emit_op_get_by_id): + (JSC::JIT::emit_op_put_by_id): + * jit/Repatch.cpp: + (JSC::tryCacheGetByID): + (JSC::tryBuildGetByIDList): + (JSC::emitCustomSetterStub): + (JSC::tryCachePutByID): + (JSC::tryBuildPutByIdList): + * jit/SpillRegistersMode.h: Added. + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * runtime/Lookup.h: + (JSC::putEntry): + * runtime/PutPropertySlot.h: + (JSC::PutPropertySlot::setCacheableCustomProperty): + (JSC::PutPropertySlot::customSetter): + (JSC::PutPropertySlot::isCacheablePut): + (JSC::PutPropertySlot::isCacheableCustomProperty): + (JSC::PutPropertySlot::cachedOffset): + +2014-03-06 Filip Pizlo + + FTL arity fixup should work on ARM64 + https://bugs.webkit.org/show_bug.cgi?id=129810 + + Reviewed by Michael Saboff. + + - Using regT5 to pass the thunk return address to arityFixup is shady since that's a + callee-save. + + - The FTL path was assuming X86 conventions for where SP points at the top of the prologue. + + This makes some more tests pass. + + * dfg/DFGJITCompiler.cpp: + (JSC::DFG::JITCompiler::compileFunction): + * ftl/FTLLink.cpp: + (JSC::FTL::link): + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::prologueStackPointerDelta): + * jit/JIT.cpp: + (JSC::JIT::privateCompile): + * jit/ThunkGenerators.cpp: + (JSC::arityFixup): + * llint/LowLevelInterpreter64.asm: + * offlineasm/arm64.rb: + * offlineasm/x86.rb: In addition to the t7 change, make t6 agree with GPRInfo.h. + +2014-03-06 Mark Hahnenberg + + Fix write barriers in Repatch.cpp for !ENABLE(DFG_JIT) platforms after r165128 + https://bugs.webkit.org/show_bug.cgi?id=129760 + + Reviewed by Geoffrey Garen. + + r165128 disabled the write barrier fast path for inline caches on !ENABLE(DFG_JIT) platforms. + The fix is to refactor the write barrier code into AssemblyHelpers and use that everywhere. + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::writeBarrier): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::writeBarrier): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::writeBarrier): + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::checkMarkByte): + * jit/JIT.h: + * jit/JITPropertyAccess.cpp: + * jit/Repatch.cpp: + (JSC::writeBarrier): + +2014-03-06 Joseph Pecoraro + + Web Inspector: Expose the console object in JSContexts to interact with Web Inspector + https://bugs.webkit.org/show_bug.cgi?id=127944 + + Reviewed by Geoffrey Garen. + + Always expose the Console object in JSContexts, just like we + do for web pages. The default behavior will route to an + attached JSContext inspector. This can be overriden by + setting the ConsoleClient on the JSGlobalObject, which WebCore + does to get slightly different behavior. + + * CMakeLists.txt: + * GNUmakefile.list.am: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: + * JavaScriptCore.xcodeproj/project.pbxproj: + Update build systems. + + * API/tests/testapi.js: + * API/tests/testapi.mm: + Test that "console" exists in C and ObjC contexts. + + * runtime/ConsoleClient.cpp: Added. + (JSC::ConsoleClient::printURLAndPosition): + (JSC::ConsoleClient::printMessagePrefix): + (JSC::ConsoleClient::printConsoleMessage): + (JSC::ConsoleClient::printConsoleMessageWithArguments): + (JSC::ConsoleClient::internalMessageWithTypeAndLevel): + (JSC::ConsoleClient::logWithLevel): + (JSC::ConsoleClient::clear): + (JSC::ConsoleClient::dir): + (JSC::ConsoleClient::dirXML): + (JSC::ConsoleClient::table): + (JSC::ConsoleClient::trace): + (JSC::ConsoleClient::assertCondition): + (JSC::ConsoleClient::group): + (JSC::ConsoleClient::groupCollapsed): + (JSC::ConsoleClient::groupEnd): + * runtime/ConsoleClient.h: Added. + (JSC::ConsoleClient::~ConsoleClient): + New private interface for handling the console object's methods. + A lot of the methods funnel through messageWithTypeAndLevel. + + * runtime/ConsoleTypes.h: Renamed from Source/JavaScriptCore/inspector/ConsoleTypes.h. + Moved to JSC namespace. + + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::JSGlobalObject): + (JSC::JSGlobalObject::init): + (JSC::JSGlobalObject::reset): + (JSC::JSGlobalObject::visitChildren): + Create the "console" object when initializing the environment. + Also set the default console client to be the JS context inspector. + + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::setConsoleClient): + (JSC::JSGlobalObject::consoleClient): + Ability to change the console client, so WebCore can set a custom client. + + * runtime/ConsolePrototype.cpp: Added. + (JSC::ConsolePrototype::finishCreation): + (JSC::valueToStringWithUndefinedOrNullCheck): + (JSC::consoleLogWithLevel): + (JSC::consoleProtoFuncDebug): + (JSC::consoleProtoFuncError): + (JSC::consoleProtoFuncLog): + (JSC::consoleProtoFuncWarn): + (JSC::consoleProtoFuncClear): + (JSC::consoleProtoFuncDir): + (JSC::consoleProtoFuncDirXML): + (JSC::consoleProtoFuncTable): + (JSC::consoleProtoFuncTrace): + (JSC::consoleProtoFuncAssert): + (JSC::consoleProtoFuncCount): + (JSC::consoleProtoFuncProfile): + (JSC::consoleProtoFuncProfileEnd): + (JSC::consoleProtoFuncTime): + (JSC::consoleProtoFuncTimeEnd): + (JSC::consoleProtoFuncTimeStamp): + (JSC::consoleProtoFuncGroup): + (JSC::consoleProtoFuncGroupCollapsed): + (JSC::consoleProtoFuncGroupEnd): + * runtime/ConsolePrototype.h: Added. + (JSC::ConsolePrototype::create): + (JSC::ConsolePrototype::createStructure): + (JSC::ConsolePrototype::ConsolePrototype): + Define the console object interface. Parse out required / expected + arguments and throw expcetions when methods are misused. + + * runtime/JSConsole.cpp: Added. + * runtime/JSConsole.h: Added. + (JSC::JSConsole::createStructure): + (JSC::JSConsole::create): + (JSC::JSConsole::JSConsole): + Empty "console" object. Everything is in the prototype. + + * inspector/JSConsoleClient.cpp: Added. + (Inspector::JSConsoleClient::JSGlobalObjectConsole): + (Inspector::JSConsoleClient::count): + (Inspector::JSConsoleClient::profile): + (Inspector::JSConsoleClient::profileEnd): + (Inspector::JSConsoleClient::time): + (Inspector::JSConsoleClient::timeEnd): + (Inspector::JSConsoleClient::timeStamp): + (Inspector::JSConsoleClient::warnUnimplemented): + (Inspector::JSConsoleClient::internalAddMessage): + * inspector/JSConsoleClient.h: Added. + * inspector/JSGlobalObjectInspectorController.cpp: + (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController): + (Inspector::JSGlobalObjectInspectorController::consoleClient): + * inspector/JSGlobalObjectInspectorController.h: + Default JSContext ConsoleClient implementation. Handle nearly + everything exception profile/profileEnd and timeStamp. + +2014-03-06 Andreas Kling + + Drop unlinked function code on memory pressure. + + + Make VM::discardAllCode() also drop UnlinkedFunctionCodeBlocks that + are not currently being compiled. + + 4.5 MB progression on Membuster. + + Reviewed by Geoffrey Garen. + + * heap/Heap.cpp: + (JSC::Heap::deleteAllUnlinkedFunctionCode): + * heap/Heap.h: + * runtime/VM.cpp: + (JSC::VM::discardAllCode): + +2014-03-06 Filip Pizlo + + Clarify how we deal with "special" registers + https://bugs.webkit.org/show_bug.cgi?id=129806 + + Reviewed by Michael Saboff. + + Previously we had two different places that defined what "stack" registers are, a thing + called "specialRegisters" that had unclear meaning, and a really weird "firstRealRegister"/ + "secondRealRegister"/"nextRegister" idiom in MacroAssembler that appeared to only be used by + one place and had a baked-in notion of what it meant for a register to be "real" or not. + + It's not cool to use words like "real" and "special" to describe registers, especially if you + fail to qualify what that means. This originally made sense on X86 - "real" registers were + the ones that weren't "stack related" (so "real" was the opposite of "stack"). But on ARM64, + you also have to worry about the LR register, which we'd want to say is "not real" but it's + also not a "stack" register. This got super confusing. + + So, this patch removes any mention of "real" registers, consolidates the knowledge of what is + a "stack" register, and uses the word special only in places where it's clearly defined and + where no better word comes to mind. + + This cleans up the code and fixes what seems like it was probably a harmless ARM64 bug: the + Reg and RegisterSet data structures would sometimes think that FP was Q0. Somehow this + magically didn't break anything because you never need to save/restore either FP or Q0, but + it was still super weird. + + * assembler/ARM64Assembler.h: + (JSC::ARM64Assembler::lastRegister): + * assembler/MacroAssembler.h: + (JSC::MacroAssembler::nextRegister): + * ftl/FTLLocation.cpp: + (JSC::FTL::Location::restoreInto): + * ftl/FTLSaveRestore.cpp: + (JSC::FTL::saveAllRegisters): + (JSC::FTL::restoreAllRegisters): + * ftl/FTLSlowPathCall.cpp: + * jit/RegisterSet.cpp: + (JSC::RegisterSet::reservedHardwareRegisters): + (JSC::RegisterSet::runtimeRegisters): + (JSC::RegisterSet::specialRegisters): + (JSC::RegisterSet::calleeSaveRegisters): + * jit/RegisterSet.h: + +2014-03-06 Filip Pizlo + + Unreviewed, fix build. + + * disassembler/ARM64Disassembler.cpp: + +2014-03-06 Filip Pizlo + + Use the LLVM disassembler on ARM64 if we are enabling the FTL + https://bugs.webkit.org/show_bug.cgi?id=129785 + + Reviewed by Geoffrey Garen. + + Our disassembler can't handle some of the code sequences that LLVM emits. LLVM's disassembler + is strictly more capable at this point. Use it if it's available. + + * disassembler/ARM64Disassembler.cpp: + (JSC::tryToDisassemble): + +2014-03-05 Joseph Pecoraro + + Web Inspector: Reduce RWI message frequency + https://bugs.webkit.org/show_bug.cgi?id=129767 + + Reviewed by Timothy Hatcher. + + This used to be 0.2s and changed by accident to 0.02s. + + * inspector/remote/RemoteInspector.mm: + (Inspector::RemoteInspector::pushListingSoon): + +2014-03-05 Commit Queue + + Unreviewed, rolling out r165141, r165157, and r165158. + http://trac.webkit.org/changeset/165141 + http://trac.webkit.org/changeset/165157 + http://trac.webkit.org/changeset/165158 + https://bugs.webkit.org/show_bug.cgi?id=129772 + + "broke ftl" (Requested by olliej_ on #webkit). + + * JavaScriptCore.xcodeproj/project.pbxproj: + * bytecode/PolymorphicPutByIdList.cpp: + (JSC::PutByIdAccess::visitWeak): + (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList): + (JSC::PolymorphicPutByIdList::from): + * bytecode/PolymorphicPutByIdList.h: + (JSC::PutByIdAccess::transition): + (JSC::PutByIdAccess::replace): + (JSC::PutByIdAccess::oldStructure): + (JSC::PutByIdAccess::chain): + (JSC::PutByIdAccess::stubRoutine): + * bytecode/PutByIdStatus.cpp: + (JSC::PutByIdStatus::computeForStubInfo): + (JSC::PutByIdStatus::computeFor): + (JSC::PutByIdStatus::dump): + * bytecode/PutByIdStatus.h: + (JSC::PutByIdStatus::PutByIdStatus): + (JSC::PutByIdStatus::takesSlowPath): + * bytecode/StructureStubInfo.h: + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::emitPutById): + (JSC::DFG::ByteCodeParser::handlePutById): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGCommon.h: + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGNode.h: + (JSC::DFG::Node::hasIdentifier): + * dfg/DFGNodeType.h: + * dfg/DFGPredictionPropagationPhase.cpp: + (JSC::DFG::PredictionPropagationPhase::propagate): + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileIn): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::cachedGetById): + (JSC::DFG::SpeculativeJIT::cachedPutById): + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::cachedGetById): + (JSC::DFG::SpeculativeJIT::cachedPutById): + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLCompile.cpp: + (JSC::FTL::fixFunctionBasedOnStackMaps): + * jit/CCallHelpers.h: + (JSC::CCallHelpers::setupArgumentsWithExecState): + * jit/JITInlineCacheGenerator.cpp: + (JSC::JITByIdGenerator::JITByIdGenerator): + (JSC::JITPutByIdGenerator::JITPutByIdGenerator): + * jit/JITInlineCacheGenerator.h: + (JSC::JITGetByIdGenerator::JITGetByIdGenerator): + * jit/JITOperations.cpp: + * jit/JITOperations.h: + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emit_op_get_by_id): + (JSC::JIT::emit_op_put_by_id): + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emit_op_get_by_id): + (JSC::JIT::emit_op_put_by_id): + * jit/Repatch.cpp: + (JSC::tryCacheGetByID): + (JSC::tryBuildGetByIDList): + (JSC::tryCachePutByID): + (JSC::tryBuildPutByIdList): + * jit/SpillRegistersMode.h: Removed. + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * runtime/Lookup.h: + (JSC::putEntry): + * runtime/PutPropertySlot.h: + (JSC::PutPropertySlot::isCacheable): + (JSC::PutPropertySlot::cachedOffset): + +2014-03-05 Joseph Pecoraro + + Web Inspector: Prevent possible deadlock in view indication + https://bugs.webkit.org/show_bug.cgi?id=129766 + + Reviewed by Geoffrey Garen. + + * inspector/remote/RemoteInspector.mm: + (Inspector::RemoteInspector::receivedIndicateMessage): + +2014-03-05 Mark Hahnenberg + + JSObject::fastGetOwnPropertySlot does a slow check for OverridesGetOwnPropertySlot + https://bugs.webkit.org/show_bug.cgi?id=129754 + + Reviewed by Geoffrey Garen. + + InlineTypeFlags are stored in JSCell, so we can just load those instead of going through the TypeInfo. + + * runtime/JSCell.h: + (JSC::JSCell::inlineTypeFlags): + * runtime/JSObject.h: + (JSC::JSObject::fastGetOwnPropertySlot): + * runtime/JSTypeInfo.h: + (JSC::TypeInfo::TypeInfo): + (JSC::TypeInfo::overridesGetOwnPropertySlot): + +2014-03-05 Joseph Pecoraro + + Web Inspector: ASSERTION FAILED: m_javaScriptBreakpoints.isEmpty() + https://bugs.webkit.org/show_bug.cgi?id=129763 + + Reviewed by Geoffrey Garen. + + Clear the list of all breakpoints, including unresolved breakpoints. + + * inspector/agents/InspectorDebuggerAgent.cpp: + (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState): + +2014-03-05 Mark Lam + + llint_slow_path_check_has_instance() should not adjust PC before accessing operands. + + + Reviewed by Mark Hahnenberg. + + When evaluating "a instanceof b" where b is an object that ImplementsHasInstance + and OverridesHasInstance (e.g. a bound function), the LLINT will take the slow + path llint_slow_path_check_has_instance(), and execute a code path that does the + following: + 1. Adjusts the byte code PC to the jump target PC. + 2. For the purpose of storing the result, get the result registerIndex from the + 1st operand using the PC as if the PC is still pointing to op_check_has_instance + bytecode. + + The result is that whatever value resides after where the jump target PC is will + be used as a result register value. Depending on what that value is, the result + can be: + 1. the code coincidently works correctly + 2. memory corruption + 3. crashes + + The fix is to only adjust the byte code PC after we have stored the result. + + * llint/LLIntSlowPaths.cpp: + (llint_slow_path_check_has_instance): + +2014-03-05 Ryosuke Niwa + + Another build fix attempt after r165141. + + * ftl/FTLCompile.cpp: + (JSC::FTL::fixFunctionBasedOnStackMaps): + +2014-03-05 Ryosuke Niwa + + FTL build fix attempt after r165141. + + * ftl/FTLCompile.cpp: + (JSC::FTL::fixFunctionBasedOnStackMaps): + +2014-03-05 Gavin Barraclough + + https://bugs.webkit.org/show_bug.cgi?id=128625 + Add fast mapping from StringImpl to JSString + + Unreviewed roll-out. + + Reverting r164347, r165054, r165066 - not clear the performance tradeoff was right. + + * runtime/JSString.cpp: + * runtime/JSString.h: + * runtime/VM.cpp: + (JSC::VM::createLeaked): + * runtime/VM.h: + +2014-03-03 Oliver Hunt + + Support caching of custom setters + https://bugs.webkit.org/show_bug.cgi?id=129519 + + Reviewed by Filip Pizlo. + + This patch adds caching of assignment to properties that + are backed by C functions. This provides most of the leg + work required to start supporting setters, and resolves + the remaining regressions from moving DOM properties up + the prototype chain. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * bytecode/PolymorphicPutByIdList.cpp: + (JSC::PutByIdAccess::visitWeak): + (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList): + (JSC::PolymorphicPutByIdList::from): + * bytecode/PolymorphicPutByIdList.h: + (JSC::PutByIdAccess::transition): + (JSC::PutByIdAccess::replace): + (JSC::PutByIdAccess::customSetter): + (JSC::PutByIdAccess::isCustom): + (JSC::PutByIdAccess::oldStructure): + (JSC::PutByIdAccess::chain): + (JSC::PutByIdAccess::stubRoutine): + * bytecode/PutByIdStatus.cpp: + (JSC::PutByIdStatus::computeForStubInfo): + (JSC::PutByIdStatus::computeFor): + (JSC::PutByIdStatus::dump): + * bytecode/PutByIdStatus.h: + (JSC::PutByIdStatus::PutByIdStatus): + (JSC::PutByIdStatus::takesSlowPath): + (JSC::PutByIdStatus::makesCalls): + * bytecode/StructureStubInfo.h: + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::emitPutById): + (JSC::DFG::ByteCodeParser::handlePutById): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGCommon.h: + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGNode.h: + (JSC::DFG::Node::hasIdentifier): + * dfg/DFGNodeType.h: + * dfg/DFGPredictionPropagationPhase.cpp: + (JSC::DFG::PredictionPropagationPhase::propagate): + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileIn): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::cachedGetById): + (JSC::DFG::SpeculativeJIT::cachedPutById): + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::cachedGetById): + (JSC::DFG::SpeculativeJIT::cachedPutById): + (JSC::DFG::SpeculativeJIT::compile): + * jit/CCallHelpers.h: + (JSC::CCallHelpers::setupArgumentsWithExecState): + * jit/JITInlineCacheGenerator.cpp: + (JSC::JITByIdGenerator::JITByIdGenerator): + (JSC::JITPutByIdGenerator::JITPutByIdGenerator): + * jit/JITInlineCacheGenerator.h: + (JSC::JITGetByIdGenerator::JITGetByIdGenerator): + * jit/JITOperations.cpp: + * jit/JITOperations.h: + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emit_op_get_by_id): + (JSC::JIT::emit_op_put_by_id): + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emit_op_get_by_id): + (JSC::JIT::emit_op_put_by_id): + * jit/Repatch.cpp: + (JSC::tryCacheGetByID): + (JSC::tryBuildGetByIDList): + (JSC::emitCustomSetterStub): + (JSC::tryCachePutByID): + (JSC::tryBuildPutByIdList): + * jit/SpillRegistersMode.h: Added. + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * runtime/Lookup.h: + (JSC::putEntry): + * runtime/PutPropertySlot.h: + (JSC::PutPropertySlot::setCacheableCustomProperty): + (JSC::PutPropertySlot::customSetter): + (JSC::PutPropertySlot::isCacheablePut): + (JSC::PutPropertySlot::isCacheableCustomProperty): + (JSC::PutPropertySlot::cachedOffset): + +2014-03-05 Mark Hahnenberg + + JSCell::m_gcData should encode its information differently + https://bugs.webkit.org/show_bug.cgi?id=129741 + + Reviewed by Geoffrey Garen. + + We want to keep track of three GC states for an object: + + 1. Not marked (which implies not in the remembered set) + 2. Marked but not in the remembered set + 3. Marked and in the remembered set + + Currently we only indicate marked vs. not marked in JSCell::m_gcData. During a write + barrier, we only want to take the slow path if the object being stored to is in state #2. + We'd like to make the test for state #2 as fast as possible, which means making it a + compare against 0. + + * dfg/DFGOSRExitCompilerCommon.cpp: + (JSC::DFG::osrWriteBarrier): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::checkMarkByte): + (JSC::DFG::SpeculativeJIT::writeBarrier): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::writeBarrier): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::writeBarrier): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::allocateCell): + (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier): + * heap/Heap.cpp: + (JSC::Heap::clearRememberedSet): + (JSC::Heap::addToRememberedSet): + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::checkMarkByte): + * jit/JIT.h: + * jit/JITPropertyAccess.cpp: + (JSC::JIT::checkMarkByte): + (JSC::JIT::emitWriteBarrier): + * jit/Repatch.cpp: + (JSC::writeBarrier): + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + * runtime/JSCell.h: + (JSC::JSCell::mark): + (JSC::JSCell::remember): + (JSC::JSCell::forget): + (JSC::JSCell::isMarked): + (JSC::JSCell::isRemembered): + * runtime/JSCellInlines.h: + (JSC::JSCell::JSCell): + * runtime/StructureIDBlob.h: + (JSC::StructureIDBlob::StructureIDBlob): + +2014-03-05 Filip Pizlo + + More FTL ARM fixes + https://bugs.webkit.org/show_bug.cgi?id=129755 + + Reviewed by Geoffrey Garen. + + - Be more defensive about inline caches that have degenerate chains. + + - Temporarily switch to allocating all MCJIT memory in the executable pool on non-x86 + platforms. The bug tracking the real fix is: https://bugs.webkit.org/show_bug.cgi?id=129756 + + - Don't even emit intrinsic declarations on non-x86 platforms. + + - More debug printing support. + + - Don't use vmCall() in the prologue. This should have crashed on all platforms all the time + but somehow it gets lucky on x86. + + * bytecode/GetByIdStatus.cpp: + (JSC::GetByIdStatus::appendVariant): + (JSC::GetByIdStatus::computeForChain): + (JSC::GetByIdStatus::computeForStubInfo): + * bytecode/GetByIdStatus.h: + * bytecode/PutByIdStatus.cpp: + (JSC::PutByIdStatus::appendVariant): + (JSC::PutByIdStatus::computeForStubInfo): + * bytecode/PutByIdStatus.h: + * bytecode/StructureSet.h: + (JSC::StructureSet::overlaps): + * ftl/FTLCompile.cpp: + (JSC::FTL::mmAllocateDataSection): + * ftl/FTLDataSection.cpp: + (JSC::FTL::DataSection::DataSection): + (JSC::FTL::DataSection::~DataSection): + * ftl/FTLDataSection.h: + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::lower): + * ftl/FTLOutput.h: + (JSC::FTL::Output::doubleSin): + (JSC::FTL::Output::doubleCos): + * runtime/JSCJSValue.cpp: + (JSC::JSValue::dumpInContext): + * runtime/JSCell.h: + (JSC::JSCell::structureID): + +2014-03-05 peavo@outlook.com + + [Win32][LLINT] Crash when running JSC stress tests. + https://bugs.webkit.org/show_bug.cgi?id=129429 + + On Windows the reserved stack space consists of committed memory, a guard page, and uncommitted memory, + where the guard page is a barrier between committed and uncommitted memory. + When data from the guard page is read or written, the guard page is moved, and memory is committed. + This is how the system grows the stack. + When using the C stack on Windows we need to precommit the needed stack space. + Otherwise we might crash later if we access uncommitted stack memory. + This can happen if we allocate stack space larger than the page guard size (4K). + The system does not get the chance to move the guard page, and commit more memory, + and we crash if uncommitted memory is accessed. + The MSVC compiler fixes this by inserting a call to the _chkstk() function, + when needed, see http://support.microsoft.com/kb/100775. + + Reviewed by Geoffrey Garen. + + * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Enable LLINT. + * jit/Repatch.cpp: + (JSC::writeBarrier): Compile fix when DFG_JIT is not enabled. + * offlineasm/x86.rb: Compile fix, and small simplification. + * runtime/VM.cpp: + (JSC::preCommitStackMemory): Added function to precommit stack memory. + (JSC::VM::updateStackLimit): Call function to precommit stack memory when stack limit is updated. + +2014-03-05 Michael Saboff + + JSDataViewPrototype::getData() and setData() crash on platforms that don't allow unaligned accesses + https://bugs.webkit.org/show_bug.cgi?id=129746 + + Reviewed by Filip Pizlo. + + Changed to use a union to manually assemble or disassemble the various types + from / to the corresponding bytes. All memory access is now done using + byte accesses. + + * runtime/JSDataViewPrototype.cpp: + (JSC::getData): + (JSC::setData): + +2014-03-05 Filip Pizlo + + FTL loadStructure always generates invalid IR + https://bugs.webkit.org/show_bug.cgi?id=129747 + + Reviewed by Mark Hahnenberg. + + As the comment at the top of FTL::Output states, the FTL doesn't use LLVM's notion + of pointers. LLVM's notion of pointers tries to model C, in the sense that you have + to have a pointer to a type, and you can only load things of that type from that + pointer. Pointer arithmetic is basically not possible except through the bizarre + getelementptr operator. This doesn't fit with how the JS object model works since + the JS object model doesn't consist of nice and tidy C types placed in C arrays. + Also, it would be impossible to use getelementptr and LLVM pointers for accessing + any of JSC's C or C++ objects unless we went through the exercise of redeclaring + all of our fundamental data structures in LLVM IR as LLVM types. Clang could do + this for us, but that would require that to use the FTL, JSC itself would have to + be compiled with clang. Worse, it would have to be compiled with a clang that uses + a version of LLVM that is compatible with the one against which the FTL is linked. + Yuck! + + The solution is to NEVER use LLVM pointers. This has always been the case in the + FTL. But it causes some confusion. + + Not using LLVM pointers means that if the FTL has a "pointer", it's actually a + pointer-wide integer (m_out.intPtr in FTL-speak). The act of "loading" and + "storing" from or to a pointer involves first bitcasting the intPtr to a real LLVM + pointer that has the type that we want. The load and store operations over pointers + are called Output::load* and Output::store*, where * is one of "8", "16", "32", + "64", "Ptr", "Float", or "Double. + + There is unavoidable confusion here. It would be bizarre for the FTL to call its + "pointer-wide integers" anything other than "pointers", since they are, in all + respects that we care about, simply pointers. But they are *not* LLVM pointers and + they never will be that. + + There is one exception to this "no pointers" rule. The FTL does use actual LLVM + pointers for refering to LLVM alloca's - i.e. local variables. To try to reduce + confusion, we call these "references". So an "FTL reference" is actually an "LLVM + pointer", while an "FTL pointer" is actually an "LLVM integer". FTL references have + methods for access called Output::get and Output::set. These lower to LLVM load + and store, since FTL references are just LLVM pointers. + + This confusion appears to have led to incorrect code in loadStructure(). + loadStructure() was using get() and set() to access FTL pointers. But those methods + don't work on FTL pointers and never will, since they are for FTL references. + + The worst part of this is that it was previously impossible to have test coverage + for the relevant path (MasqueradesAsUndefined) without writing a DRT test. This + patch fixes this by introducing a Masquerader object to jsc.cpp. + + * ftl/FTLAbstractHeapRepository.h: Add an abstract heap for the structure table. + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::loadStructure): This was wrong. + * ftl/FTLOutput.h: Add a comment to disuade people from using get() and set(). + * jsc.cpp: Give us the power to test for MasqueradesAsUndefined. + (WTF::Masquerader::Masquerader): + (WTF::Masquerader::create): + (WTF::Masquerader::createStructure): + (GlobalObject::finishCreation): + (functionMakeMasquerader): + * tests/stress/equals-masquerader.js: Added. + (foo): + (test): + +2014-03-05 Anders Carlsson + + Tweak after r165109 to avoid extra copies + https://bugs.webkit.org/show_bug.cgi?id=129745 + + Reviewed by Geoffrey Garen. + + * heap/Heap.cpp: + (JSC::Heap::visitProtectedObjects): + (JSC::Heap::visitTempSortVectors): + (JSC::Heap::clearRememberedSet): + * heap/Heap.h: + (JSC::Heap::forEachProtectedCell): + +2014-03-05 Mark Hahnenberg + + DFGStoreBarrierElisionPhase should should GCState directly instead of m_gcClobberSet when calling writesOverlap() + https://bugs.webkit.org/show_bug.cgi?id=129717 + + Reviewed by Filip Pizlo. + + * dfg/DFGStoreBarrierElisionPhase.cpp: + (JSC::DFG::StoreBarrierElisionPhase::StoreBarrierElisionPhase): + (JSC::DFG::StoreBarrierElisionPhase::couldCauseGC): + +2014-03-05 Mark Hahnenberg + + Use range-based loops where possible in Heap methods + https://bugs.webkit.org/show_bug.cgi?id=129513 + + Reviewed by Mark Lam. + + Replace old school iterator based loops with the new range-based loop hotness + for a better tomorrow. + + * heap/CodeBlockSet.cpp: + (JSC::CodeBlockSet::~CodeBlockSet): + (JSC::CodeBlockSet::clearMarks): + (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced): + (JSC::CodeBlockSet::traceMarked): + * heap/Heap.cpp: + (JSC::Heap::visitProtectedObjects): + (JSC::Heap::visitTempSortVectors): + (JSC::Heap::clearRememberedSet): + * heap/Heap.h: + (JSC::Heap::forEachProtectedCell): + +2014-03-04 Filip Pizlo + + DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null) + https://bugs.webkit.org/show_bug.cgi?id=129563 + + Reviewed by Geoffrey Garen. + + Rolling this back in after fixing an assertion failure. speculateMisc() should have + said DFG_TYPE_CHECK instead of typeCheck. + + This adds a specialization of CompareStrictEq over Misc. I noticed the need for this + when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main + user of this was EarleyBoyer, and in that benchmark what it was really doing was + comparing undefined, null, and booleans to each other. + + This also adds support for miscellaneous things that I needed to make my various test + cases work. This includes comparison over booleans and the various Throw-related node + types. + + This also improves constant folding of CompareStrictEq and CompareEq. + + Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds + based on profiling, which caused some downstream badness. We don't actually support + compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just + emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it + shouldn't factor out the bounds check since the access is not InBounds but then the + backend would ignore the flag and assume that the bounds check was already emitted. + This showed up on an existing test but I added a test for this explicitly to have more + certain coverage. The fix is to not mark something as OutOfBounds if the semantics are + that we'll have a bounds check anyway. + + This is a 1% speed-up on Octane mostly because of raytrace, but also because of just + general progressions across the board. No speed-up yet on EarleyBoyer, since there is + still a lot more coverage work to be done there. + + * bytecode/SpeculatedType.cpp: + (JSC::speculationToAbbreviatedString): + (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations): + (JSC::valuesCouldBeEqual): + * bytecode/SpeculatedType.h: + (JSC::isMiscSpeculation): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGArrayMode.cpp: + (JSC::DFG::ArrayMode::refine): + * dfg/DFGArrayMode.h: + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength): + * dfg/DFGNode.h: + (JSC::DFG::Node::shouldSpeculateMisc): + * dfg/DFGSafeToExecute.h: + (JSC::DFG::SafeToExecuteEdge::operator()): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileStrictEq): + (JSC::DFG::SpeculativeJIT::speculateMisc): + (JSC::DFG::SpeculativeJIT::speculate): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): + * dfg/DFGUseKind.cpp: + (WTF::printInternal): + * dfg/DFGUseKind.h: + (JSC::DFG::typeFilterFor): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileNode): + (JSC::FTL::LowerDFGToLLVM::compileCompareEq): + (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq): + (JSC::FTL::LowerDFGToLLVM::compileThrow): + (JSC::FTL::LowerDFGToLLVM::isNotMisc): + (JSC::FTL::LowerDFGToLLVM::isMisc): + (JSC::FTL::LowerDFGToLLVM::speculate): + (JSC::FTL::LowerDFGToLLVM::speculateMisc): + * tests/stress/float32-array-out-of-bounds.js: Added. + * tests/stress/weird-equality-folding-cases.js: Added. + +2014-03-04 Commit Queue + + Unreviewed, rolling out r165085. + http://trac.webkit.org/changeset/165085 + https://bugs.webkit.org/show_bug.cgi?id=129729 + + Broke imported/w3c/html-templates/template-element/template- + content.html (Requested by ap on #webkit). + + * bytecode/SpeculatedType.cpp: + (JSC::speculationToAbbreviatedString): + * bytecode/SpeculatedType.h: + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGArrayMode.cpp: + (JSC::DFG::ArrayMode::refine): + * dfg/DFGArrayMode.h: + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength): + * dfg/DFGNode.h: + (JSC::DFG::Node::shouldSpeculateBoolean): + * dfg/DFGSafeToExecute.h: + (JSC::DFG::SafeToExecuteEdge::operator()): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileStrictEq): + (JSC::DFG::SpeculativeJIT::speculate): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + * dfg/DFGSpeculativeJIT64.cpp: + * dfg/DFGUseKind.cpp: + (WTF::printInternal): + * dfg/DFGUseKind.h: + (JSC::DFG::typeFilterFor): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileNode): + (JSC::FTL::LowerDFGToLLVM::compileCompareEq): + (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq): + (JSC::FTL::LowerDFGToLLVM::speculate): + * tests/stress/float32-array-out-of-bounds.js: Removed. + * tests/stress/weird-equality-folding-cases.js: Removed. + +2014-03-04 Brian Burg + + Inspector does not restore breakpoints after a page reload + https://bugs.webkit.org/show_bug.cgi?id=129655 + + Reviewed by Joseph Pecoraro. + + Fix a regression introduced by r162096 that erroneously removed + the inspector backend's mapping of files to breakpoints whenever the + global object was cleared. + + The inspector's breakpoint mappings should only be cleared when the + debugger agent is disabled or destroyed. We should only clear the + debugger's breakpoint state when the global object is cleared. + + To make it clearer what state is being cleared, the two cases have + been split into separate methods. + + * inspector/agents/InspectorDebuggerAgent.cpp: + (Inspector::InspectorDebuggerAgent::disable): + (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState): + (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState): + (Inspector::InspectorDebuggerAgent::didClearGlobalObject): + * inspector/agents/InspectorDebuggerAgent.h: + +2014-03-04 Andreas Kling + + Streamline JSValue::get(). + + + Fetch each Structure and VM only once when walking the prototype chain + in JSObject::getPropertySlot(), then pass it along to the functions + we call from there, so they don't have to re-fetch it. + + Reviewed by Geoff Garen. + + * runtime/JSObject.h: + (JSC::JSObject::inlineGetOwnPropertySlot): + (JSC::JSObject::fastGetOwnPropertySlot): + (JSC::JSObject::getPropertySlot): + +2014-03-01 Filip Pizlo + + DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null) + https://bugs.webkit.org/show_bug.cgi?id=129563 + + Reviewed by Geoffrey Garen. + + This adds a specialization of CompareStrictEq over Misc. I noticed the need for this + when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main + user of this was EarleyBoyer, and in that benchmark what it was really doing was + comparing undefined, null, and booleans to each other. + + This also adds support for miscellaneous things that I needed to make my various test + cases work. This includes comparison over booleans and the various Throw-related node + types. + + This also improves constant folding of CompareStrictEq and CompareEq. + + Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds + based on profiling, which caused some downstream badness. We don't actually support + compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just + emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it + shouldn't factor out the bounds check since the access is not InBounds but then the + backend would ignore the flag and assume that the bounds check was already emitted. + This showed up on an existing test but I added a test for this explicitly to have more + certain coverage. The fix is to not mark something as OutOfBounds if the semantics are + that we'll have a bounds check anyway. + + This is a 1% speed-up on Octane mostly because of raytrace, but also because of just + general progressions across the board. No speed-up yet on EarleyBoyer, since there is + still a lot more coverage work to be done there. + + * bytecode/SpeculatedType.cpp: + (JSC::speculationToAbbreviatedString): + (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations): + (JSC::valuesCouldBeEqual): + * bytecode/SpeculatedType.h: + (JSC::isMiscSpeculation): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGNode.h: + (JSC::DFG::Node::shouldSpeculateMisc): + * dfg/DFGSafeToExecute.h: + (JSC::DFG::SafeToExecuteEdge::operator()): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileStrictEq): + (JSC::DFG::SpeculativeJIT::speculateMisc): + (JSC::DFG::SpeculativeJIT::speculate): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): + * dfg/DFGUseKind.cpp: + (WTF::printInternal): + * dfg/DFGUseKind.h: + (JSC::DFG::typeFilterFor): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileNode): + (JSC::FTL::LowerDFGToLLVM::compileCompareEq): + (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq): + (JSC::FTL::LowerDFGToLLVM::compileThrow): + (JSC::FTL::LowerDFGToLLVM::isNotMisc): + (JSC::FTL::LowerDFGToLLVM::isMisc): + (JSC::FTL::LowerDFGToLLVM::speculate): + (JSC::FTL::LowerDFGToLLVM::speculateMisc): + * tests/stress/float32-array-out-of-bounds.js: Added. + * tests/stress/weird-equality-folding-cases.js: Added. + +2014-03-04 Andreas Kling + + Spam static branch prediction hints on JS bindings. + + + Add LIKELY hint to jsDynamicCast since it's always used in a context + where we expect it to succeed and takes an error path when it doesn't. + + Reviewed by Geoff Garen. + + * runtime/JSCell.h: + (JSC::jsDynamicCast): + +2014-03-04 Andreas Kling + + Get to Structures more efficiently in JSCell::methodTable(). + + + In JSCell::methodTable(), get the VM once and pass that along to + structure(VM&) instead of using the heavier structure(). + + In JSCell::methodTable(VM&), replace calls to structure() with + calls to structure(VM&). + + Reviewed by Mark Hahnenberg. + + * runtime/JSCellInlines.h: + (JSC::JSCell::methodTable): + +2014-03-04 Joseph Pecoraro + + Web Inspector: Listen for the XPC_ERROR_CONNECTION_INVALID event to deref + https://bugs.webkit.org/show_bug.cgi?id=129697 + + Reviewed by Timothy Hatcher. + + * inspector/remote/RemoteInspectorXPCConnection.mm: + (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection): + (Inspector::RemoteInspectorXPCConnection::handleEvent): + +2014-03-04 Mark Hahnenberg + + Merge API shims and JSLock + https://bugs.webkit.org/show_bug.cgi?id=129650 + + Reviewed by Mark Lam. + + JSLock is now taking on all of APIEntryShim's responsibilities since there is never a reason + to take just the JSLock. Ditto for DropAllLocks and APICallbackShim. + + * API/APICallbackFunction.h: + (JSC::APICallbackFunction::call): + (JSC::APICallbackFunction::construct): + * API/APIShims.h: Removed. + * API/JSBase.cpp: + (JSEvaluateScript): + (JSCheckScriptSyntax): + (JSGarbageCollect): + (JSReportExtraMemoryCost): + (JSSynchronousGarbageCollectForDebugging): + * API/JSCallbackConstructor.cpp: + * API/JSCallbackFunction.cpp: + * API/JSCallbackObjectFunctions.h: + (JSC::JSCallbackObject::init): + (JSC::JSCallbackObject::getOwnPropertySlot): + (JSC::JSCallbackObject::put): + (JSC::JSCallbackObject::putByIndex): + (JSC::JSCallbackObject::deleteProperty): + (JSC::JSCallbackObject::construct): + (JSC::JSCallbackObject::customHasInstance): + (JSC::JSCallbackObject::call): + (JSC::JSCallbackObject::getOwnNonIndexPropertyNames): + (JSC::JSCallbackObject::getStaticValue): + (JSC::JSCallbackObject::callbackGetter): + * API/JSContext.mm: + (-[JSContext setException:]): + (-[JSContext wrapperForObjCObject:]): + (-[JSContext wrapperForJSObject:]): + * API/JSContextRef.cpp: + (JSContextGroupRelease): + (JSContextGroupSetExecutionTimeLimit): + (JSContextGroupClearExecutionTimeLimit): + (JSGlobalContextCreateInGroup): + (JSGlobalContextRetain): + (JSGlobalContextRelease): + (JSContextGetGlobalObject): + (JSContextGetGlobalContext): + (JSGlobalContextCopyName): + (JSGlobalContextSetName): + * API/JSManagedValue.mm: + (-[JSManagedValue value]): + * API/JSObjectRef.cpp: + (JSObjectMake): + (JSObjectMakeFunctionWithCallback): + (JSObjectMakeConstructor): + (JSObjectMakeFunction): + (JSObjectMakeArray): + (JSObjectMakeDate): + (JSObjectMakeError): + (JSObjectMakeRegExp): + (JSObjectGetPrototype): + (JSObjectSetPrototype): + (JSObjectHasProperty): + (JSObjectGetProperty): + (JSObjectSetProperty): + (JSObjectGetPropertyAtIndex): + (JSObjectSetPropertyAtIndex): + (JSObjectDeleteProperty): + (JSObjectGetPrivateProperty): + (JSObjectSetPrivateProperty): + (JSObjectDeletePrivateProperty): + (JSObjectIsFunction): + (JSObjectCallAsFunction): + (JSObjectCallAsConstructor): + (JSObjectCopyPropertyNames): + (JSPropertyNameArrayRelease): + (JSPropertyNameAccumulatorAddName): + * API/JSScriptRef.cpp: + * API/JSValue.mm: + (isDate): + (isArray): + (containerValueToObject): + (valueToArray): + (valueToDictionary): + (objectToValue): + * API/JSValueRef.cpp: + (JSValueGetType): + (JSValueIsUndefined): + (JSValueIsNull): + (JSValueIsBoolean): + (JSValueIsNumber): + (JSValueIsString): + (JSValueIsObject): + (JSValueIsObjectOfClass): + (JSValueIsEqual): + (JSValueIsStrictEqual): + (JSValueIsInstanceOfConstructor): + (JSValueMakeUndefined): + (JSValueMakeNull): + (JSValueMakeBoolean): + (JSValueMakeNumber): + (JSValueMakeString): + (JSValueMakeFromJSONString): + (JSValueCreateJSONString): + (JSValueToBoolean): + (JSValueToNumber): + (JSValueToStringCopy): + (JSValueToObject): + (JSValueProtect): + (JSValueUnprotect): + * API/JSVirtualMachine.mm: + (-[JSVirtualMachine addManagedReference:withOwner:]): + (-[JSVirtualMachine removeManagedReference:withOwner:]): + * API/JSWeakObjectMapRefPrivate.cpp: + * API/JSWrapperMap.mm: + (constructorHasInstance): + (makeWrapper): + (tryUnwrapObjcObject): + * API/ObjCCallbackFunction.mm: + (JSC::objCCallbackFunctionCallAsFunction): + (JSC::objCCallbackFunctionCallAsConstructor): + (objCCallbackFunctionForInvocation): + * CMakeLists.txt: + * ForwardingHeaders/JavaScriptCore/APIShims.h: Removed. + * GNUmakefile.list.am: + * JavaScriptCore.xcodeproj/project.pbxproj: + * dfg/DFGWorklist.cpp: + * heap/DelayedReleaseScope.h: + (JSC::DelayedReleaseScope::~DelayedReleaseScope): + * heap/HeapTimer.cpp: + (JSC::HeapTimer::timerDidFire): + (JSC::HeapTimer::timerEvent): + * heap/IncrementalSweeper.cpp: + * inspector/InjectedScriptModule.cpp: + (Inspector::InjectedScriptModule::ensureInjected): + * jsc.cpp: + (jscmain): + * runtime/GCActivityCallback.cpp: + (JSC::DefaultGCActivityCallback::doWork): + * runtime/JSGlobalObjectDebuggable.cpp: + (JSC::JSGlobalObjectDebuggable::connect): + (JSC::JSGlobalObjectDebuggable::disconnect): + (JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemoteFrontend): + * runtime/JSLock.cpp: + (JSC::JSLock::lock): + (JSC::JSLock::didAcquireLock): + (JSC::JSLock::unlock): + (JSC::JSLock::willReleaseLock): + (JSC::JSLock::DropAllLocks::DropAllLocks): + (JSC::JSLock::DropAllLocks::~DropAllLocks): + * runtime/JSLock.h: + * testRegExp.cpp: + (realMain): + +2014-03-04 Commit Queue + + Unreviewed, rolling out r164812. + http://trac.webkit.org/changeset/164812 + https://bugs.webkit.org/show_bug.cgi?id=129699 + + it made things run slower (Requested by pizlo on #webkit). + + * interpreter/Interpreter.cpp: + (JSC::Interpreter::execute): + * jsc.cpp: + (GlobalObject::finishCreation): + * runtime/BatchedTransitionOptimizer.h: + (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer): + (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer): + +2014-03-02 Filip Pizlo + + GetMyArgumentByVal in FTL + https://bugs.webkit.org/show_bug.cgi?id=128850 + + Reviewed by Oliver Hunt. + + This would have been easy if the OSR exit compiler's arity checks hadn't been wrong. + They checked arity by doing "exec->argumentCount == codeBlock->numParameters", which + caused it to think that the arity check had failed if the caller had passed more + arguments than needed. This would cause the call frame copying to sort of go into + reverse (because the amount-by-which-we-failed-arity would have opposite sign, + throwing off a bunch of math) and the stack would end up being corrupted. + + The bug was revealed by two existing tests although as far as I could tell, neither + test was intending to cover this case directly. So, I added a new test. + + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileNode): + (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength): + (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal): + (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated): + (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated): + * ftl/FTLOSRExitCompiler.cpp: + (JSC::FTL::compileStub): + * ftl/FTLState.h: + * tests/stress/exit-from-ftl-when-caller-passed-extra-args-then-use-function-dot-arguments.js: Added. + * tests/stress/ftl-get-my-argument-by-val-inlined-and-not-inlined.js: Added. + * tests/stress/ftl-get-my-argument-by-val-inlined.js: Added. + * tests/stress/ftl-get-my-argument-by-val.js: Added. + +2014-03-04 Zan Dobersek + + [GTK] Build the Udis86 disassembler + https://bugs.webkit.org/show_bug.cgi?id=129679 + + Reviewed by Michael Saboff. + + * GNUmakefile.am: Generate the Udis86-related derived sources. Distribute the required files. + * GNUmakefile.list.am: Add the Udis86 disassembler files to the build. + +2014-03-04 Andreas Kling + + Fix too-narrow assertion I added in r165054. + + It's okay for a 1-character string to come in here. This will happen + if the VM small string optimization doesn't apply (ch > 0xFF) + + * runtime/JSString.h: + (JSC::jsStringWithWeakOwner): + +2014-03-04 Andreas Kling + + Micro-optimize Strings in JS bindings. + + + Make jsStringWithWeakOwner() take a StringImpl& instead of a String. + This avoids branches in length() and operator[]. + + Also call JSString::create() directly instead of jsString() and just + assert that the string length is >1. This way we don't duplicate the + optimizations for empty and single-character strings. + + Reviewed by Ryosuke Niwa. + + * runtime/JSString.h: + (JSC::jsStringWithWeakOwner): + +2014-03-04 Dániel Bátyai + + Implement Number.prototype.clz() + https://bugs.webkit.org/show_bug.cgi?id=129479 + + Reviewed by Oliver Hunt. + + Implemented Number.prototype.clz() as specified in the ES6 standard. + + * runtime/NumberPrototype.cpp: + (JSC::numberProtoFuncClz): + +2014-03-03 Joseph Pecoraro + + Web Inspector: Avoid too early deref caused by RemoteInspectorXPCConnection::close + https://bugs.webkit.org/show_bug.cgi?id=129631 + + Reviewed by Timothy Hatcher. + + Avoid deref() too early if a client calls close(). The xpc_connection_close + will cause another XPC_ERROR event to come in from the queue, deref then. + Likewise, protect multithreaded access to m_client. If a client calls + close() we want to immediately clear the pointer to prevent calls to it. + + Overall the multi-threading aspects of RemoteInspectorXPCConnection are + growing too complicated for probably little benefit. We may want to + clean this up later. + + * inspector/remote/RemoteInspector.mm: + (Inspector::RemoteInspector::xpcConnectionFailed): + * inspector/remote/RemoteInspectorXPCConnection.h: + * inspector/remote/RemoteInspectorXPCConnection.mm: + (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection): + (Inspector::RemoteInspectorXPCConnection::close): + (Inspector::RemoteInspectorXPCConnection::closeOnQueue): + (Inspector::RemoteInspectorXPCConnection::deserializeMessage): + (Inspector::RemoteInspectorXPCConnection::handleEvent): + (Inspector::RemoteInspectorXPCConnection::sendMessage): + +2014-03-03 Michael Saboff + + AbstractMacroAssembler::CachedTempRegister should start out invalid + https://bugs.webkit.org/show_bug.cgi?id=129657 + + Reviewed by Filip Pizlo. + + * assembler/AbstractMacroAssembler.h: + (JSC::AbstractMacroAssembler::AbstractMacroAssembler): + - Invalidate all cached registers in constructor as we don't know the + contents of any register at the entry to the code we are going to + generate. + +2014-03-03 Andreas Kling + + StructureOrOffset should be fastmalloced. + + + Reviewed by Geoffrey Garen. + + * runtime/StructureIDTable.h: + +2014-03-03 Michael Saboff + + Crash in JIT code while watching a video @ storyboard.tumblr.com + https://bugs.webkit.org/show_bug.cgi?id=129635 + + Reviewed by Filip Pizlo. + + Clear m_set before we set bits in the TempRegisterSet(const RegisterSet& other) + construtor. + + * jit/TempRegisterSet.cpp: + (JSC::TempRegisterSet::TempRegisterSet): Clear map before setting it. + * jit/TempRegisterSet.h: + (JSC::TempRegisterSet::TempRegisterSet): Use new clearAll() helper. + (JSC::TempRegisterSet::clearAll): New private helper. + +2014-03-03 Benjamin Poulain + + [x86] Improve code generation of byte test + https://bugs.webkit.org/show_bug.cgi?id=129597 + + Reviewed by Geoffrey Garen. + + When possible, test the 8 bit register to itself instead of comparing it + to a literal. + + * assembler/MacroAssemblerX86Common.h: + (JSC::MacroAssemblerX86Common::test32): + +2014-03-03 Mark Lam + + Web Inspector: debugger statements do not break. + + + Reviewed by Geoff Garen. + + Since we no longer call op_debug hooks unless there is a debugger request + made on the CodeBlock, the op_debug for the debugger statement never gets + serviced. + + With this fix, we check in the CodeBlock constructor if any debugger + statements are present. If so, we set a m_hasDebuggerStatement flag that + causes the CodeBlock to show as having debugger requests. Hence, + breaking at debugger statements is now restored. + + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::CodeBlock): + * bytecode/CodeBlock.h: + (JSC::CodeBlock::hasDebuggerRequests): + (JSC::CodeBlock::clearDebuggerRequests): + +2014-03-03 Mark Lam + + ASSERTION FAILED: m_numBreakpoints >= numBreakpoints when deleting breakpoints. + + + Reviewed by Geoffrey Garen. + + The issue manifests because the debugger will iterate all CodeBlocks in + the heap when setting / clearing breakpoints, but it is possible for a + CodeBlock to have been instantiate but is not yet registered with the + debugger. This can happen because of the following: + + 1. DFG worklist compilation is still in progress, and the target + codeBlock is not ready for installation in its executable yet. + + 2. DFG compilation failed and we have a codeBlock that will never be + installed in its executable, and the codeBlock has not been cleaned + up by the GC yet. + + The code for installing the codeBlock in its executable is the same code + that registers it with the debugger. Hence, these codeBlocks are not + registered with the debugger, and any pending breakpoints that would map + to that CodeBlock is as yet unset or will never be set. As such, an + attempt to remove a breakpoint in that CodeBlock will fail that assertion. + + To fix this, we do the following: + + 1. We'll eagerly clean up any zombie CodeBlocks due to failed DFG / FTL + compilation. This is achieved by providing a + DeferredCompilationCallback::compilationDidComplete() that does this + clean up, and have all sub classes call it at the end of their + compilationDidComplete() methods. + + 2. Before the debugger or profiler iterates CodeBlocks in the heap, they + will wait for all compilations to complete before proceeding. This + ensures that: + 1. any zombie CodeBlocks would have been cleaned up, and won't be + seen by the debugger or profiler. + 2. all CodeBlocks that the debugger and profiler needs to operate on + will be "ready" for whatever needs to be done to them e.g. + jettison'ing of DFG codeBlocks. + + * bytecode/DeferredCompilationCallback.cpp: + (JSC::DeferredCompilationCallback::compilationDidComplete): + * bytecode/DeferredCompilationCallback.h: + - Provide default implementation method to clean up zombie CodeBlocks. + + * debugger/Debugger.cpp: + (JSC::Debugger::forEachCodeBlock): + - Utility function to iterate CodeBlocks. It ensures that all compilations + are complete before proceeding. + (JSC::Debugger::setSteppingMode): + (JSC::Debugger::toggleBreakpoint): + (JSC::Debugger::recompileAllJSFunctions): + (JSC::Debugger::clearBreakpoints): + (JSC::Debugger::clearDebuggerRequests): + - Use the utility iterator function. + + * debugger/Debugger.h: + * dfg/DFGOperations.cpp: + - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up. + + * dfg/DFGPlan.cpp: + (JSC::DFG::Plan::finalizeWithoutNotifyingCallback): + - Remove unneeded code (that was not the best solution anyway) for ensuring + that we don't generate new DFG codeBlocks after enabling the debugger or + profiler. Now that we wait for compilations to complete before proceeding + with debugger and profiler work, this scenario will never happen. + + * dfg/DFGToFTLDeferredCompilationCallback.cpp: + (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete): + - Call the super class method to clean up zombie codeBlocks. + + * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp: + (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete): + - Call the super class method to clean up zombie codeBlocks. + + * heap/CodeBlockSet.cpp: + (JSC::CodeBlockSet::remove): + * heap/CodeBlockSet.h: + * heap/Heap.h: + (JSC::Heap::removeCodeBlock): + - New method to remove a codeBlock from the codeBlock set. + + * jit/JITOperations.cpp: + - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up. + + * jit/JITToDFGDeferredCompilationCallback.cpp: + (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete): + - Call the super class method to clean up zombie codeBlocks. + + * runtime/VM.cpp: + (JSC::VM::waitForCompilationsToComplete): + - Renamed from prepareToDiscardCode() to be clearer about what it does. + + (JSC::VM::discardAllCode): + (JSC::VM::releaseExecutableMemory): + (JSC::VM::setEnabledProfiler): + - Wait for compilation to complete before enabling the profiler. + + * runtime/VM.h: + +2014-03-03 Brian Burg + + Another unreviewed build fix attempt for Windows after r164986. + + We never told Visual Studio to copy over the web replay code generator scripts + and the generated headers for JavaScriptCore replay inputs as if they were + private headers. + + * JavaScriptCore.vcxproj/copy-files.cmd: + +2014-03-03 Brian Burg + + Web Replay: upstream input storage, capture/replay machinery, and inspector domain + https://bugs.webkit.org/show_bug.cgi?id=128782 + + Reviewed by Timothy Hatcher. + + Alter the replay inputs code generator so that it knows when it is necessary to + to include headers for HEAVY_SCALAR types such as WTF::String and WebCore::URL. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * replay/scripts/CodeGeneratorReplayInputs.py: + (Framework.fromString): + (Frameworks): Add WTF as an allowed framework for code generation. + (Generator.generate_includes): Include headers for HEAVY_SCALAR types in the header file. + (Generator.generate_includes.declaration): + (Generator.generate_includes.or): + (Generator.generate_type_forward_declarations): Skip HEAVY_SCALAR types. + +2014-03-02 Filip Pizlo + + PolymorphicPutByIdList should have a simpler construction API with basically a single entrypoint + https://bugs.webkit.org/show_bug.cgi?id=129591 + + Reviewed by Michael Saboff. + + * bytecode/PolymorphicPutByIdList.cpp: + (JSC::PutByIdAccess::fromStructureStubInfo): This function can figure out the slow path target for itself. + (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList): This constuctor should be private, only from() should call it. + (JSC::PolymorphicPutByIdList::from): + * bytecode/PolymorphicPutByIdList.h: + (JSC::PutByIdAccess::stubRoutine): + * jit/Repatch.cpp: + (JSC::tryBuildPutByIdList): Don't pass the slow path target since it can be derived from the stubInfo. + +2014-03-02 Filip Pizlo + + Debugging improvements from my gbemu investigation session + https://bugs.webkit.org/show_bug.cgi?id=129599 + + Reviewed by Mark Lam. + + Various improvements from when I was investigating bug 129411. + + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::optimizationThresholdScalingFactor): Make the dataLog() statement print the actual multiplier. + * jsc.cpp: + (GlobalObject::finishCreation): + (functionDescribe): Make describe() return a string rather than printing the string. + (functionDescribeArray): Like describe(), but prints details about arrays. + +2014-02-25 Andreas Kling + + JSDOMWindow::commonVM() should return a reference. + + + Added a DropAllLocks constructor that takes VM& without null checks. + + Reviewed by Geoff Garen. + +2014-03-02 Mark Lam + + CodeBlock::hasDebuggerRequests() should returning a bool instead of an int. + + + Reviewed by Darin Adler. + + * bytecode/CodeBlock.h: + (JSC::CodeBlock::hasDebuggerRequests): + +2014-03-02 Mark Lam + + Clean up use of Options::enableConcurrentJIT(). + + + Reviewed by Filip Pizlo. + + DFG Driver was conditionally checking Options::enableConcurrentJIT() + only if ENABLE(CONCURRENT_JIT). Otherwise, it bypasses it with a local + enableConcurrentJIT set to false. + + Instead we should configure Options::enableConcurrentJIT() to be false + in Options.cpp if !ENABLE(CONCURRENT_JIT), and DFG Driver should always + check Options::enableConcurrentJIT(). This makes the code read a little + cleaner. + + * dfg/DFGDriver.cpp: + (JSC::DFG::compileImpl): + * runtime/Options.cpp: + (JSC::recomputeDependentOptions): + +2014-03-01 Filip Pizlo + + This shouldn't have been a layout test since it runs only under jsc. Moving it to JSC + stress tests. + + * tests/stress/generational-opaque-roots.js: Copied from LayoutTests/js/script-tests/generational-opaque-roots.js. + +2014-03-01 Andreas Kling + + JSCell::fastGetOwnProperty() should get the Structure more efficiently. + + + Now that structure() is nontrivial and we have a faster structure(VM&), + make use of that in fastGetOwnProperty() since we already have VM. + + Reviewed by Sam Weinig. + + * runtime/JSCellInlines.h: + (JSC::JSCell::fastGetOwnProperty): + +2014-03-01 Andreas Kling + + Avoid going through ExecState for VM when we already have it (in some places.) + + + Tweak some places that jump through unnecessary hoops to get the VM. + There are many more like this. + + Reviewed by Sam Weinig. + + * runtime/JSObject.cpp: + (JSC::JSObject::putByIndexBeyondVectorLength): + (JSC::JSObject::putDirectIndexBeyondVectorLength): + * runtime/ObjectPrototype.cpp: + (JSC::objectProtoFuncToString): + +2014-02-28 Filip Pizlo + + FTL should support PhantomArguments + https://bugs.webkit.org/show_bug.cgi?id=113986 + + Reviewed by Oliver Hunt. + + Adding PhantomArguments to the FTL mostly means wiring the recovery of the Arguments + object into the FTL's OSR exit compiler. + + This isn't a speed-up yet, since there is still more to be done to fully support + all of the arguments craziness that our varargs benchmarks do. + + * dfg/DFGOSRExitCompiler32_64.cpp: + (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp + * dfg/DFGOSRExitCompiler64.cpp: + (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp + * dfg/DFGOSRExitCompilerCommon.cpp: + (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator): + (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator): + (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): this is the common place for the recovery code + * dfg/DFGOSRExitCompilerCommon.h: + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLExitValue.cpp: + (JSC::FTL::ExitValue::dumpInContext): + * ftl/FTLExitValue.h: + (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated): + (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated): + (JSC::FTL::ExitValue::valueFormat): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileNode): + (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments): + (JSC::FTL::LowerDFGToLLVM::buildExitArguments): + (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument): + * ftl/FTLOSRExitCompiler.cpp: + (JSC::FTL::compileStub): Call into the ArgumentsRecoveryGenerator + * tests/stress/slightly-more-difficult-to-fold-reflective-arguments-access.js: Added. + * tests/stress/trivially-foldable-reflective-arguments-access.js: Added. + +2014-02-28 Filip Pizlo + + Unreviewed, uncomment some code. It wasn't meant to be commented in the first place. + + * dfg/DFGCSEPhase.cpp: + (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination): + +2014-02-28 Andreas Kling + + JSObject::findPropertyHashEntry() should take VM instead of ExecState. + + + Callers already have VM in a local, and findPropertyHashEntry() only + uses the VM, no need to go all the way through ExecState. + + Reviewed by Geoffrey Garen. + + * runtime/JSObject.cpp: + (JSC::JSObject::put): + (JSC::JSObject::deleteProperty): + (JSC::JSObject::findPropertyHashEntry): + * runtime/JSObject.h: + +2014-02-28 Joseph Pecoraro + + Deadlock remotely inspecting iOS Simulator + https://bugs.webkit.org/show_bug.cgi?id=129511 + + Reviewed by Timothy Hatcher. + + Avoid synchronous setup. Do it asynchronously, and let + the RemoteInspector singleton know later if it failed. + + * inspector/remote/RemoteInspector.h: + * inspector/remote/RemoteInspector.mm: + (Inspector::RemoteInspector::setupFailed): + * inspector/remote/RemoteInspectorDebuggableConnection.h: + * inspector/remote/RemoteInspectorDebuggableConnection.mm: + (Inspector::RemoteInspectorDebuggableConnection::setup): + +2014-02-28 Oliver Hunt + + REGRESSION(r164835): It broke 10 JSC stress test on 32 bit platforms + https://bugs.webkit.org/show_bug.cgi?id=129488 + + Reviewed by Mark Lam. + + Whoops, modify the right register. + + * jit/JITCall32_64.cpp: + (JSC::JIT::compileLoadVarargs): + +2014-02-28 Filip Pizlo + + FTL should be able to call sin/cos directly on platforms where the intrinsic is busted + https://bugs.webkit.org/show_bug.cgi?id=129503 + + Reviewed by Mark Lam. + + * ftl/FTLIntrinsicRepository.h: + * ftl/FTLOutput.h: + (JSC::FTL::Output::doubleSin): + (JSC::FTL::Output::doubleCos): + (JSC::FTL::Output::intrinsicOrOperation): + +2014-02-28 Mark Hahnenberg + + Fix !ENABLE(GGC) builds + + * heap/Heap.cpp: + (JSC::Heap::markRoots): + (JSC::Heap::gatherJSStackRoots): Also fix one of the names of the GC phases. + +2014-02-27 Mark Hahnenberg + + Clean up Heap::collect and Heap::markRoots + https://bugs.webkit.org/show_bug.cgi?id=129464 + + Reviewed by Geoffrey Garen. + + These functions have built up a lot of cruft recently. + We should do a bit of cleanup to make them easier to grok. + + * heap/Heap.cpp: + (JSC::Heap::finalizeUnconditionalFinalizers): + (JSC::Heap::gatherStackRoots): + (JSC::Heap::gatherJSStackRoots): + (JSC::Heap::gatherScratchBufferRoots): + (JSC::Heap::clearLivenessData): + (JSC::Heap::visitSmallStrings): + (JSC::Heap::visitConservativeRoots): + (JSC::Heap::visitCompilerWorklists): + (JSC::Heap::markProtectedObjects): + (JSC::Heap::markTempSortVectors): + (JSC::Heap::markArgumentBuffers): + (JSC::Heap::visitException): + (JSC::Heap::visitStrongHandles): + (JSC::Heap::visitHandleStack): + (JSC::Heap::traceCodeBlocksAndJITStubRoutines): + (JSC::Heap::converge): + (JSC::Heap::visitWeakHandles): + (JSC::Heap::clearRememberedSet): + (JSC::Heap::updateObjectCounts): + (JSC::Heap::resetVisitors): + (JSC::Heap::markRoots): + (JSC::Heap::copyBackingStores): + (JSC::Heap::deleteUnmarkedCompiledCode): + (JSC::Heap::collect): + (JSC::Heap::collectIfNecessaryOrDefer): + (JSC::Heap::suspendCompilerThreads): + (JSC::Heap::willStartCollection): + (JSC::Heap::deleteOldCode): + (JSC::Heap::flushOldStructureIDTables): + (JSC::Heap::flushWriteBarrierBuffer): + (JSC::Heap::stopAllocation): + (JSC::Heap::reapWeakHandles): + (JSC::Heap::sweepArrayBuffers): + (JSC::Heap::snapshotMarkedSpace): + (JSC::Heap::deleteSourceProviderCaches): + (JSC::Heap::notifyIncrementalSweeper): + (JSC::Heap::rememberCurrentlyExecutingCodeBlocks): + (JSC::Heap::resetAllocators): + (JSC::Heap::updateAllocationLimits): + (JSC::Heap::didFinishCollection): + (JSC::Heap::resumeCompilerThreads): + * heap/Heap.h: + +2014-02-27 Ryosuke Niwa + + indexOf and lastIndexOf shouldn't resolve ropes when needle is longer than haystack + https://bugs.webkit.org/show_bug.cgi?id=129466 + + Reviewed by Michael Saboff. + + Refactored the code to avoid calling JSString::value when needle is longer than haystack. + + * runtime/StringPrototype.cpp: + (JSC::stringProtoFuncIndexOf): + (JSC::stringProtoFuncLastIndexOf): + +2014-02-27 Timothy Hatcher + + Improve how ContentSearchUtilities::lineEndings works by supporting the three common line endings. + + https://bugs.webkit.org/show_bug.cgi?id=129458 + + Reviewed by Joseph Pecoraro. + + * inspector/ContentSearchUtilities.cpp: + (Inspector::ContentSearchUtilities::textPositionFromOffset): Remove assumption about line ending length. + (Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines): Remove assumption about + line ending type and don't try to strip the line ending. Use size_t + (Inspector::ContentSearchUtilities::lineEndings): Use findNextLineStart to find the lines. + This will include the line ending in the lines, but that is okay. + (Inspector::ContentSearchUtilities::buildObjectForSearchMatch): Use size_t. + (Inspector::ContentSearchUtilities::searchInTextByLines): Modernize. + +2014-02-27 Joseph Pecoraro + + [Mac] Warning: Multiple build commands for output file GCSegmentedArray and InspectorAgent + https://bugs.webkit.org/show_bug.cgi?id=129446 + + Reviewed by Timothy Hatcher. + + Remove duplicate header entries in Copy Header build phase. + + * JavaScriptCore.xcodeproj/project.pbxproj: + +2014-02-27 Oliver Hunt + + Whoops, include all of last patch. + + * jit/JITCall32_64.cpp: + (JSC::JIT::compileLoadVarargs): + +2014-02-27 Oliver Hunt + + Slow cases for function.apply and function.call should not require vm re-entry + https://bugs.webkit.org/show_bug.cgi?id=129454 + + Reviewed by Geoffrey Garen. + + Implement call and apply using builtins. Happily the use + of @call and @apply don't perform function equality checks + and just plant direct var_args calls. This did expose a few + codegen issues, but they're all covered by existing tests + once call and apply are implemented in JS. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * builtins/Function.prototype.js: Added. + (call): + (apply): + * bytecompiler/NodesCodegen.cpp: + (JSC::CallFunctionCallDotNode::emitBytecode): + (JSC::ApplyFunctionCallDotNode::emitBytecode): + * dfg/DFGCapabilities.cpp: + (JSC::DFG::capabilityLevel): + * interpreter/Interpreter.cpp: + (JSC::sizeFrameForVarargs): + (JSC::loadVarargs): + * interpreter/Interpreter.h: + * jit/JITCall.cpp: + (JSC::JIT::compileLoadVarargs): + * parser/ASTBuilder.h: + (JSC::ASTBuilder::makeFunctionCallNode): + * parser/Lexer.cpp: + (JSC::isSafeBuiltinIdentifier): + * runtime/CommonIdentifiers.h: + * runtime/FunctionPrototype.cpp: + (JSC::FunctionPrototype::addFunctionProperties): + * runtime/JSObject.cpp: + (JSC::JSObject::putDirectBuiltinFunction): + (JSC::JSObject::putDirectBuiltinFunctionWithoutTransition): + * runtime/JSObject.h: + +2014-02-27 Joseph Pecoraro + + Web Inspector: Better name for RemoteInspectorDebuggableConnection dispatch queue + https://bugs.webkit.org/show_bug.cgi?id=129443 + + Reviewed by Timothy Hatcher. + + This queue is specific to the JSContext debuggable connections, + there is no XPC involved. Give it a better name. + + * inspector/remote/RemoteInspectorDebuggableConnection.mm: + (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection): + +2014-02-27 David Kilzer + + Remove jsc symlink if it already exists + + This is a follow-up fix for: + + Create symlink to /usr/local/bin/jsc during installation + + + + * JavaScriptCore.xcodeproj/project.pbxproj: + (Create /usr/local/bin/jsc symlink): If a jsc symlink already + exists where we're about to create the symlink, remove the old + one first. + +2014-02-27 Michael Saboff + + Unreviewed build fix for Mac tools after r164814 + + * Configurations/ToolExecutable.xcconfig: + - Added JavaScriptCore.framework/PrivateHeaders to ToolExecutable include path. + * JavaScriptCore.xcodeproj/project.pbxproj: + - Changed productName to testRegExp for testRegExp target. + +2014-02-27 Joseph Pecoraro + + Web Inspector: JSContext inspection should report exceptions in the console + https://bugs.webkit.org/show_bug.cgi?id=128776 + + Reviewed by Timothy Hatcher. + + When JavaScript API functions have an exception, let the inspector + know so it can log the JavaScript and Native backtrace that caused + the exception. + + Include some clean up of ConsoleMessage and ScriptCallStack construction. + + * API/JSBase.cpp: + (JSEvaluateScript): + (JSCheckScriptSyntax): + * API/JSObjectRef.cpp: + (JSObjectMakeFunction): + (JSObjectMakeArray): + (JSObjectMakeDate): + (JSObjectMakeError): + (JSObjectMakeRegExp): + (JSObjectGetProperty): + (JSObjectSetProperty): + (JSObjectGetPropertyAtIndex): + (JSObjectSetPropertyAtIndex): + (JSObjectDeleteProperty): + (JSObjectCallAsFunction): + (JSObjectCallAsConstructor): + * API/JSValue.mm: + (reportExceptionToInspector): + (valueToArray): + (valueToDictionary): + * API/JSValueRef.cpp: + (JSValueIsEqual): + (JSValueIsInstanceOfConstructor): + (JSValueCreateJSONString): + (JSValueToNumber): + (JSValueToStringCopy): + (JSValueToObject): + When seeing an exception, let the inspector know there was an exception. + + * inspector/JSGlobalObjectInspectorController.h: + * inspector/JSGlobalObjectInspectorController.cpp: + (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController): + (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace): + (Inspector::JSGlobalObjectInspectorController::reportAPIException): + Log API exceptions by also grabbing the native backtrace. + + * inspector/ScriptCallStack.h: + * inspector/ScriptCallStack.cpp: + (Inspector::ScriptCallStack::firstNonNativeCallFrame): + (Inspector::ScriptCallStack::append): + Minor extensions to ScriptCallStack to make it easier to work with. + + * inspector/ConsoleMessage.cpp: + (Inspector::ConsoleMessage::ConsoleMessage): + (Inspector::ConsoleMessage::autogenerateMetadata): + Provide better default information if the first call frame was native. + + * inspector/ScriptCallStackFactory.cpp: + (Inspector::createScriptCallStack): + (Inspector::extractSourceInformationFromException): + (Inspector::createScriptCallStackFromException): + Perform the handling here of inserting a fake call frame for exceptions + if there was no call stack (e.g. a SyntaxError) or if the first call + frame had no information. + + * inspector/ConsoleMessage.cpp: + (Inspector::ConsoleMessage::ConsoleMessage): + (Inspector::ConsoleMessage::autogenerateMetadata): + * inspector/ConsoleMessage.h: + * inspector/ScriptCallStackFactory.cpp: + (Inspector::createScriptCallStack): + (Inspector::createScriptCallStackForConsole): + * inspector/ScriptCallStackFactory.h: + * inspector/agents/InspectorConsoleAgent.cpp: + (Inspector::InspectorConsoleAgent::enable): + (Inspector::InspectorConsoleAgent::addMessageToConsole): + (Inspector::InspectorConsoleAgent::count): + * inspector/agents/JSGlobalObjectDebuggerAgent.cpp: + (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog): + ConsoleMessage cleanup. + +2014-02-27 David Kilzer + + Create symlink to /usr/local/bin/jsc during installation + + + + Reviewed by Dan Bernstein. + + * JavaScriptCore.xcodeproj/project.pbxproj: + - Add "Create /usr/local/bin/jsc symlink" build phase script to + create the symlink during installation. + +2014-02-27 Tibor Meszaros + + Math.{max, min}() must not return after first NaN value + https://bugs.webkit.org/show_bug.cgi?id=104147 + + Reviewed by Oliver Hunt. + + According to the spec, ToNumber going to be called on each argument + even if a `NaN` value was already found + + * runtime/MathObject.cpp: + (JSC::mathProtoFuncMax): + (JSC::mathProtoFuncMin): + +2014-02-27 Gergo Balogh + + JSType upper limit (0xff) assertion can be removed. + https://bugs.webkit.org/show_bug.cgi?id=129424 + + Reviewed by Geoffrey Garen. + + * runtime/JSTypeInfo.h: + (JSC::TypeInfo::TypeInfo): + +2014-02-26 Michael Saboff + + Auto generate bytecode information for bytecode parser and LLInt + https://bugs.webkit.org/show_bug.cgi?id=129181 + + Reviewed by Mark Lam. + + Added new bytecode/BytecodeList.json that contains a list of bytecodes and related + helpers. It also includes bytecode length and other information used to generate files. + Added a new generator, generate-bytecode-files that generates Bytecodes.h and InitBytecodes.asm + in DerivedSources/JavaScriptCore/. + + Added the generation of these files to the "DerivedSource" build step. + Slighty changed the build order, since the Bytecodes.h file is needed by + JSCLLIntOffsetsExtractor. Moved the offline assembly to a separate step since it needs + to be run after JSCLLIntOffsetsExtractor. + + Made related changes to OPCODE macros and their use. + + Added JavaScriptCore.framework/PrivateHeaders to header file search path for building + jsc to resolve Mac build issue. + + * CMakeLists.txt: + * Configurations/JSC.xcconfig: + * DerivedSources.make: + * GNUmakefile.am: + * GNUmakefile.list.am: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: + * JavaScriptCore.vcxproj/copy-files.cmd: + * JavaScriptCore.xcodeproj/project.pbxproj: + * bytecode/Opcode.h: + (JSC::padOpcodeName): + * llint/LLIntCLoop.cpp: + (JSC::LLInt::CLoop::initialize): + * llint/LLIntCLoop.h: + * llint/LLIntData.cpp: + (JSC::LLInt::initialize): + * llint/LLIntOpcode.h: + * llint/LowLevelInterpreter.asm: + +2014-02-27 Julien Brianceau + + Fix 32-bit V_JITOperation_EJ callOperation introduced in r162652. + https://bugs.webkit.org/show_bug.cgi?id=129420 + + Reviewed by Geoffrey Garen. + + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::callOperation): Payload and tag are swapped. + Also, EABI_32BIT_DUMMY_ARG is missing for arm EABI and mips. + +2014-02-27 Filip Pizlo + + Octane/closure thrashes between flattening dictionaries during global object initialization in a global eval + https://bugs.webkit.org/show_bug.cgi?id=129435 + + Reviewed by Oliver Hunt. + + This is a 5-10% speed-up on Octane/closure. + + * interpreter/Interpreter.cpp: + (JSC::Interpreter::execute): + * jsc.cpp: + (GlobalObject::finishCreation): + (functionClearCodeCache): + * runtime/BatchedTransitionOptimizer.h: + (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer): + (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer): + +2014-02-27 Alexey Proskuryakov + + Added svn:ignore to two directories, so that .pyc files don't show up as unversioned. + + * inspector/scripts: Added property svn:ignore. + * replay/scripts: Added property svn:ignore. + +2014-02-27 Gabor Rapcsanyi + + r164764 broke the ARM build + https://bugs.webkit.org/show_bug.cgi?id=129415 + + Reviewed by Zoltan Herczeg. + + * assembler/MacroAssemblerARM.h: + (JSC::MacroAssemblerARM::moveWithPatch): Change reinterpret_cast to static_cast. + (JSC::MacroAssemblerARM::canJumpReplacePatchableBranch32WithPatch): Add missing function. + (JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress): Add missing function. + (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch): Add missing function. + +2014-02-27 Mark Hahnenberg + + r164764 broke the ARM build + https://bugs.webkit.org/show_bug.cgi?id=129415 + + Reviewed by Geoffrey Garen. + + * assembler/MacroAssemblerARM.h: + (JSC::MacroAssemblerARM::moveWithPatch): + +2014-02-26 Mark Hahnenberg + + r164764 broke the ARM build + https://bugs.webkit.org/show_bug.cgi?id=129415 + + Reviewed by Geoffrey Garen. + + * assembler/MacroAssemblerARM.h: + (JSC::MacroAssemblerARM::branch32WithPatch): Missing this function. + +2014-02-26 Mark Hahnenberg + + EFL build fix + + * dfg/DFGSpeculativeJIT32_64.cpp: Remove unused variables. + (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality): + (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): + +2014-02-25 Mark Hahnenberg + + Make JSCells have 32-bit Structure pointers + https://bugs.webkit.org/show_bug.cgi?id=123195 + + Reviewed by Filip Pizlo. + + This patch changes JSCells such that they no longer have a full 64-bit Structure + pointer in their header. Instead they now have a 32-bit index into + a per-VM table of Structure pointers. 32-bit platforms still use normal Structure + pointers. + + This change frees up an additional 32 bits of information in our object headers. + We then use this extra space to store the indexing type of the object, the JSType + of the object, some various type flags, and garbage collection data (e.g. mark bit). + Because this inline type information is now faster to read, it pays for the slowdown + incurred by having to perform an extra indirection through the StructureIDTable. + + This patch also threads a reference to the current VM through more of the C++ runtime + to offset the cost of having to look up the VM to get the actual Structure pointer. + + * API/JSContext.mm: + (-[JSContext setException:]): + (-[JSContext wrapperForObjCObject:]): + (-[JSContext wrapperForJSObject:]): + * API/JSContextRef.cpp: + (JSContextGroupRelease): + (JSGlobalContextRelease): + * API/JSObjectRef.cpp: + (JSObjectIsFunction): + (JSObjectCopyPropertyNames): + * API/JSValue.mm: + (containerValueToObject): + * API/JSWrapperMap.mm: + (tryUnwrapObjcObject): + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: + * JavaScriptCore.xcodeproj/project.pbxproj: + * assembler/AbstractMacroAssembler.h: + * assembler/MacroAssembler.h: + (JSC::MacroAssembler::patchableBranch32WithPatch): + (JSC::MacroAssembler::patchableBranch32): + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::branchPtrWithPatch): + (JSC::MacroAssemblerARM64::patchableBranch32WithPatch): + (JSC::MacroAssemblerARM64::canJumpReplacePatchableBranch32WithPatch): + (JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress): + (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch): + * assembler/MacroAssemblerARMv7.h: + (JSC::MacroAssemblerARMv7::store8): + (JSC::MacroAssemblerARMv7::branch32WithPatch): + (JSC::MacroAssemblerARMv7::patchableBranch32WithPatch): + (JSC::MacroAssemblerARMv7::canJumpReplacePatchableBranch32WithPatch): + (JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress): + (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch): + * assembler/MacroAssemblerX86.h: + (JSC::MacroAssemblerX86::branch32WithPatch): + (JSC::MacroAssemblerX86::canJumpReplacePatchableBranch32WithPatch): + (JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress): + (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch): + * assembler/MacroAssemblerX86_64.h: + (JSC::MacroAssemblerX86_64::store32): + (JSC::MacroAssemblerX86_64::moveWithPatch): + (JSC::MacroAssemblerX86_64::branch32WithPatch): + (JSC::MacroAssemblerX86_64::canJumpReplacePatchableBranch32WithPatch): + (JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister): + (JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress): + (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch): + * assembler/RepatchBuffer.h: + (JSC::RepatchBuffer::startOfPatchableBranch32WithPatchOnAddress): + (JSC::RepatchBuffer::revertJumpReplacementToPatchableBranch32WithPatch): + * assembler/X86Assembler.h: + (JSC::X86Assembler::revertJumpTo_movq_i64r): + (JSC::X86Assembler::revertJumpTo_movl_i32r): + * bytecode/ArrayProfile.cpp: + (JSC::ArrayProfile::computeUpdatedPrediction): + * bytecode/ArrayProfile.h: + (JSC::ArrayProfile::ArrayProfile): + (JSC::ArrayProfile::addressOfLastSeenStructureID): + (JSC::ArrayProfile::observeStructure): + * bytecode/CodeBlock.h: + (JSC::CodeBlock::heap): + * bytecode/UnlinkedCodeBlock.h: + * debugger/Debugger.h: + * dfg/DFGAbstractHeap.h: + * dfg/DFGArrayifySlowPathGenerator.h: + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGJITCompiler.h: + (JSC::DFG::JITCompiler::branchWeakStructure): + (JSC::DFG::JITCompiler::branchStructurePtr): + * dfg/DFGOSRExitCompiler32_64.cpp: + (JSC::DFG::OSRExitCompiler::compileExit): + * dfg/DFGOSRExitCompiler64.cpp: + (JSC::DFG::OSRExitCompiler::compileExit): + * dfg/DFGOSRExitCompilerCommon.cpp: + (JSC::DFG::osrWriteBarrier): + (JSC::DFG::adjustAndJumpToTarget): + * dfg/DFGOperations.cpp: + (JSC::DFG::putByVal): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::checkArray): + (JSC::DFG::SpeculativeJIT::arrayify): + (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality): + (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject): + (JSC::DFG::SpeculativeJIT::compileInstanceOf): + (JSC::DFG::SpeculativeJIT::compileToStringOnCell): + (JSC::DFG::SpeculativeJIT::speculateObject): + (JSC::DFG::SpeculativeJIT::speculateFinalObject): + (JSC::DFG::SpeculativeJIT::speculateObjectOrOther): + (JSC::DFG::SpeculativeJIT::speculateString): + (JSC::DFG::SpeculativeJIT::speculateStringObject): + (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject): + (JSC::DFG::SpeculativeJIT::emitSwitchChar): + (JSC::DFG::SpeculativeJIT::emitSwitchString): + (JSC::DFG::SpeculativeJIT::genericWriteBarrier): + (JSC::DFG::SpeculativeJIT::writeBarrier): + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::emitAllocateJSCell): + (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull): + (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): + (JSC::DFG::SpeculativeJIT::compileObjectEquality): + (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality): + (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): + (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): + (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): + (JSC::DFG::SpeculativeJIT::compile): + (JSC::DFG::SpeculativeJIT::writeBarrier): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull): + (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): + (JSC::DFG::SpeculativeJIT::compileObjectEquality): + (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality): + (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): + (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): + (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): + (JSC::DFG::SpeculativeJIT::compile): + (JSC::DFG::SpeculativeJIT::writeBarrier): + * dfg/DFGWorklist.cpp: + * ftl/FTLAbstractHeapRepository.cpp: + (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository): + * ftl/FTLAbstractHeapRepository.h: + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileCheckStructure): + (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure): + (JSC::FTL::LowerDFGToLLVM::compilePutStructure): + (JSC::FTL::LowerDFGToLLVM::compileToString): + (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset): + (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset): + (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject): + (JSC::FTL::LowerDFGToLLVM::allocateCell): + (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined): + (JSC::FTL::LowerDFGToLLVM::isObject): + (JSC::FTL::LowerDFGToLLVM::isString): + (JSC::FTL::LowerDFGToLLVM::isArrayType): + (JSC::FTL::LowerDFGToLLVM::hasClassInfo): + (JSC::FTL::LowerDFGToLLVM::isType): + (JSC::FTL::LowerDFGToLLVM::speculateStringOrStringObject): + (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForCell): + (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID): + (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject): + (JSC::FTL::LowerDFGToLLVM::loadMarkByte): + (JSC::FTL::LowerDFGToLLVM::loadStructure): + (JSC::FTL::LowerDFGToLLVM::weakStructure): + * ftl/FTLOSRExitCompiler.cpp: + (JSC::FTL::compileStub): + * ftl/FTLOutput.h: + (JSC::FTL::Output::store8): + * heap/GCAssertions.h: + * heap/Heap.cpp: + (JSC::Heap::getConservativeRegisterRoots): + (JSC::Heap::collect): + (JSC::Heap::writeBarrier): + * heap/Heap.h: + (JSC::Heap::structureIDTable): + * heap/MarkedSpace.h: + (JSC::MarkedSpace::forEachBlock): + * heap/SlotVisitorInlines.h: + (JSC::SlotVisitor::internalAppend): + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::branchIfCellNotObject): + (JSC::AssemblyHelpers::genericWriteBarrier): + (JSC::AssemblyHelpers::emitLoadStructure): + (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo): + * jit/JIT.h: + * jit/JITCall.cpp: + (JSC::JIT::compileOpCall): + (JSC::JIT::privateCompileClosureCall): + * jit/JITCall32_64.cpp: + (JSC::JIT::emit_op_ret_object_or_this): + (JSC::JIT::compileOpCall): + (JSC::JIT::privateCompileClosureCall): + * jit/JITInlineCacheGenerator.cpp: + (JSC::JITByIdGenerator::generateFastPathChecks): + * jit/JITInlineCacheGenerator.h: + * jit/JITInlines.h: + (JSC::JIT::emitLoadCharacterString): + (JSC::JIT::checkStructure): + (JSC::JIT::emitJumpIfCellNotObject): + (JSC::JIT::emitAllocateJSObject): + (JSC::JIT::emitArrayProfilingSiteWithCell): + (JSC::JIT::emitArrayProfilingSiteForBytecodeIndexWithCell): + (JSC::JIT::branchStructure): + (JSC::branchStructure): + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_check_has_instance): + (JSC::JIT::emit_op_instanceof): + (JSC::JIT::emit_op_is_undefined): + (JSC::JIT::emit_op_is_string): + (JSC::JIT::emit_op_ret_object_or_this): + (JSC::JIT::emit_op_to_primitive): + (JSC::JIT::emit_op_jeq_null): + (JSC::JIT::emit_op_jneq_null): + (JSC::JIT::emit_op_get_pnames): + (JSC::JIT::emit_op_next_pname): + (JSC::JIT::emit_op_eq_null): + (JSC::JIT::emit_op_neq_null): + (JSC::JIT::emit_op_to_this): + (JSC::JIT::emitSlow_op_to_this): + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emit_op_check_has_instance): + (JSC::JIT::emit_op_instanceof): + (JSC::JIT::emit_op_is_undefined): + (JSC::JIT::emit_op_is_string): + (JSC::JIT::emit_op_to_primitive): + (JSC::JIT::emit_op_jeq_null): + (JSC::JIT::emit_op_jneq_null): + (JSC::JIT::emitSlow_op_eq): + (JSC::JIT::emitSlow_op_neq): + (JSC::JIT::compileOpStrictEq): + (JSC::JIT::emit_op_eq_null): + (JSC::JIT::emit_op_neq_null): + (JSC::JIT::emit_op_get_pnames): + (JSC::JIT::emit_op_next_pname): + (JSC::JIT::emit_op_to_this): + * jit/JITOperations.cpp: + * jit/JITPropertyAccess.cpp: + (JSC::JIT::stringGetByValStubGenerator): + (JSC::JIT::emit_op_get_by_val): + (JSC::JIT::emitSlow_op_get_by_val): + (JSC::JIT::emit_op_get_by_pname): + (JSC::JIT::emit_op_put_by_val): + (JSC::JIT::emit_op_get_by_id): + (JSC::JIT::emitLoadWithStructureCheck): + (JSC::JIT::emitSlow_op_get_from_scope): + (JSC::JIT::emitSlow_op_put_to_scope): + (JSC::JIT::checkMarkWord): + (JSC::JIT::emitWriteBarrier): + (JSC::JIT::addStructureTransitionCheck): + (JSC::JIT::emitIntTypedArrayGetByVal): + (JSC::JIT::emitFloatTypedArrayGetByVal): + (JSC::JIT::emitIntTypedArrayPutByVal): + (JSC::JIT::emitFloatTypedArrayPutByVal): + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::stringGetByValStubGenerator): + (JSC::JIT::emit_op_get_by_val): + (JSC::JIT::emitSlow_op_get_by_val): + (JSC::JIT::emit_op_put_by_val): + (JSC::JIT::emit_op_get_by_id): + (JSC::JIT::emit_op_get_by_pname): + (JSC::JIT::emitLoadWithStructureCheck): + * jit/JSInterfaceJIT.h: + (JSC::JSInterfaceJIT::emitJumpIfNotType): + * jit/Repatch.cpp: + (JSC::repatchByIdSelfAccess): + (JSC::addStructureTransitionCheck): + (JSC::replaceWithJump): + (JSC::generateProtoChainAccessStub): + (JSC::tryCacheGetByID): + (JSC::tryBuildGetByIDList): + (JSC::writeBarrier): + (JSC::emitPutReplaceStub): + (JSC::emitPutTransitionStub): + (JSC::tryBuildPutByIdList): + (JSC::tryRepatchIn): + (JSC::linkClosureCall): + (JSC::resetGetByID): + (JSC::resetPutByID): + * jit/SpecializedThunkJIT.h: + (JSC::SpecializedThunkJIT::loadJSStringArgument): + (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass): + * jit/ThunkGenerators.cpp: + (JSC::virtualForThunkGenerator): + (JSC::arrayIteratorNextThunkGenerator): + * jit/UnusedPointer.h: + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + * runtime/Arguments.cpp: + (JSC::Arguments::createStrictModeCallerIfNecessary): + (JSC::Arguments::createStrictModeCalleeIfNecessary): + * runtime/Arguments.h: + (JSC::Arguments::createStructure): + * runtime/ArrayPrototype.cpp: + (JSC::shift): + (JSC::unshift): + (JSC::arrayProtoFuncToString): + (JSC::arrayProtoFuncPop): + (JSC::arrayProtoFuncReverse): + (JSC::performSlowSort): + (JSC::arrayProtoFuncSort): + (JSC::arrayProtoFuncSplice): + (JSC::arrayProtoFuncUnShift): + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + * runtime/Executable.h: + (JSC::ExecutableBase::isFunctionExecutable): + (JSC::ExecutableBase::clearCodeVirtual): + (JSC::ScriptExecutable::unlinkCalls): + * runtime/GetterSetter.cpp: + (JSC::callGetter): + (JSC::callSetter): + * runtime/InitializeThreading.cpp: + * runtime/JSArray.cpp: + (JSC::JSArray::unshiftCountSlowCase): + (JSC::JSArray::setLength): + (JSC::JSArray::pop): + (JSC::JSArray::push): + (JSC::JSArray::shiftCountWithArrayStorage): + (JSC::JSArray::shiftCountWithAnyIndexingType): + (JSC::JSArray::unshiftCountWithArrayStorage): + (JSC::JSArray::unshiftCountWithAnyIndexingType): + (JSC::JSArray::sortNumericVector): + (JSC::JSArray::sortNumeric): + (JSC::JSArray::sortCompactedVector): + (JSC::JSArray::sort): + (JSC::JSArray::sortVector): + (JSC::JSArray::fillArgList): + (JSC::JSArray::copyToArguments): + (JSC::JSArray::compactForSorting): + * runtime/JSCJSValueInlines.h: + (JSC::JSValue::toThis): + (JSC::JSValue::put): + (JSC::JSValue::putByIndex): + (JSC::JSValue::equalSlowCaseInline): + * runtime/JSCell.cpp: + (JSC::JSCell::put): + (JSC::JSCell::putByIndex): + (JSC::JSCell::deleteProperty): + (JSC::JSCell::deletePropertyByIndex): + * runtime/JSCell.h: + (JSC::JSCell::clearStructure): + (JSC::JSCell::mark): + (JSC::JSCell::isMarked): + (JSC::JSCell::structureIDOffset): + (JSC::JSCell::typeInfoFlagsOffset): + (JSC::JSCell::typeInfoTypeOffset): + (JSC::JSCell::indexingTypeOffset): + (JSC::JSCell::gcDataOffset): + * runtime/JSCellInlines.h: + (JSC::JSCell::JSCell): + (JSC::JSCell::finishCreation): + (JSC::JSCell::type): + (JSC::JSCell::indexingType): + (JSC::JSCell::structure): + (JSC::JSCell::visitChildren): + (JSC::JSCell::isObject): + (JSC::JSCell::isString): + (JSC::JSCell::isGetterSetter): + (JSC::JSCell::isProxy): + (JSC::JSCell::isAPIValueWrapper): + (JSC::JSCell::setStructure): + (JSC::JSCell::methodTable): + (JSC::Heap::writeBarrier): + * runtime/JSDataView.cpp: + (JSC::JSDataView::createStructure): + * runtime/JSDestructibleObject.h: + (JSC::JSCell::classInfo): + * runtime/JSFunction.cpp: + (JSC::JSFunction::getOwnNonIndexPropertyNames): + (JSC::JSFunction::put): + (JSC::JSFunction::defineOwnProperty): + * runtime/JSGenericTypedArrayView.h: + (JSC::JSGenericTypedArrayView::createStructure): + * runtime/JSObject.cpp: + (JSC::getCallableObjectSlow): + (JSC::JSObject::copyButterfly): + (JSC::JSObject::visitButterfly): + (JSC::JSFinalObject::visitChildren): + (JSC::JSObject::getOwnPropertySlotByIndex): + (JSC::JSObject::put): + (JSC::JSObject::putByIndex): + (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists): + (JSC::JSObject::enterDictionaryIndexingMode): + (JSC::JSObject::notifyPresenceOfIndexedAccessors): + (JSC::JSObject::createInitialIndexedStorage): + (JSC::JSObject::createInitialUndecided): + (JSC::JSObject::createInitialInt32): + (JSC::JSObject::createInitialDouble): + (JSC::JSObject::createInitialContiguous): + (JSC::JSObject::createArrayStorage): + (JSC::JSObject::convertUndecidedToInt32): + (JSC::JSObject::convertUndecidedToDouble): + (JSC::JSObject::convertUndecidedToContiguous): + (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements): + (JSC::JSObject::convertUndecidedToArrayStorage): + (JSC::JSObject::convertInt32ToDouble): + (JSC::JSObject::convertInt32ToContiguous): + (JSC::JSObject::convertInt32ToArrayStorage): + (JSC::JSObject::genericConvertDoubleToContiguous): + (JSC::JSObject::convertDoubleToArrayStorage): + (JSC::JSObject::convertContiguousToArrayStorage): + (JSC::JSObject::ensureInt32Slow): + (JSC::JSObject::ensureDoubleSlow): + (JSC::JSObject::ensureContiguousSlow): + (JSC::JSObject::ensureArrayStorageSlow): + (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode): + (JSC::JSObject::switchToSlowPutArrayStorage): + (JSC::JSObject::setPrototype): + (JSC::JSObject::setPrototypeWithCycleCheck): + (JSC::JSObject::putDirectNonIndexAccessor): + (JSC::JSObject::deleteProperty): + (JSC::JSObject::hasOwnProperty): + (JSC::JSObject::deletePropertyByIndex): + (JSC::JSObject::getPrimitiveNumber): + (JSC::JSObject::hasInstance): + (JSC::JSObject::getPropertySpecificValue): + (JSC::JSObject::getPropertyNames): + (JSC::JSObject::getOwnPropertyNames): + (JSC::JSObject::getOwnNonIndexPropertyNames): + (JSC::JSObject::seal): + (JSC::JSObject::freeze): + (JSC::JSObject::preventExtensions): + (JSC::JSObject::reifyStaticFunctionsForDelete): + (JSC::JSObject::removeDirect): + (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes): + (JSC::JSObject::putByIndexBeyondVectorLength): + (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage): + (JSC::JSObject::putDirectIndexBeyondVectorLength): + (JSC::JSObject::getNewVectorLength): + (JSC::JSObject::countElements): + (JSC::JSObject::increaseVectorLength): + (JSC::JSObject::ensureLengthSlow): + (JSC::JSObject::growOutOfLineStorage): + (JSC::JSObject::getOwnPropertyDescriptor): + (JSC::putDescriptor): + (JSC::JSObject::defineOwnNonIndexProperty): + * runtime/JSObject.h: + (JSC::getJSFunction): + (JSC::JSObject::getArrayLength): + (JSC::JSObject::getVectorLength): + (JSC::JSObject::putByIndexInline): + (JSC::JSObject::canGetIndexQuickly): + (JSC::JSObject::getIndexQuickly): + (JSC::JSObject::tryGetIndexQuickly): + (JSC::JSObject::getDirectIndex): + (JSC::JSObject::canSetIndexQuickly): + (JSC::JSObject::canSetIndexQuicklyForPutDirect): + (JSC::JSObject::setIndexQuickly): + (JSC::JSObject::initializeIndex): + (JSC::JSObject::hasSparseMap): + (JSC::JSObject::inSparseIndexingMode): + (JSC::JSObject::getDirect): + (JSC::JSObject::getDirectOffset): + (JSC::JSObject::isSealed): + (JSC::JSObject::isFrozen): + (JSC::JSObject::flattenDictionaryObject): + (JSC::JSObject::ensureInt32): + (JSC::JSObject::ensureDouble): + (JSC::JSObject::ensureContiguous): + (JSC::JSObject::rageEnsureContiguous): + (JSC::JSObject::ensureArrayStorage): + (JSC::JSObject::arrayStorage): + (JSC::JSObject::arrayStorageOrNull): + (JSC::JSObject::ensureLength): + (JSC::JSObject::currentIndexingData): + (JSC::JSObject::getHolyIndexQuickly): + (JSC::JSObject::currentRelevantLength): + (JSC::JSObject::isGlobalObject): + (JSC::JSObject::isVariableObject): + (JSC::JSObject::isStaticScopeObject): + (JSC::JSObject::isNameScopeObject): + (JSC::JSObject::isActivationObject): + (JSC::JSObject::isErrorInstance): + (JSC::JSObject::inlineGetOwnPropertySlot): + (JSC::JSObject::fastGetOwnPropertySlot): + (JSC::JSObject::getPropertySlot): + (JSC::JSObject::putDirectInternal): + (JSC::JSObject::setStructureAndReallocateStorageIfNecessary): + * runtime/JSPropertyNameIterator.h: + (JSC::JSPropertyNameIterator::createStructure): + * runtime/JSProxy.cpp: + (JSC::JSProxy::getOwnPropertySlot): + (JSC::JSProxy::getOwnPropertySlotByIndex): + (JSC::JSProxy::put): + (JSC::JSProxy::putByIndex): + (JSC::JSProxy::defineOwnProperty): + (JSC::JSProxy::deleteProperty): + (JSC::JSProxy::deletePropertyByIndex): + (JSC::JSProxy::getPropertyNames): + (JSC::JSProxy::getOwnPropertyNames): + * runtime/JSScope.cpp: + (JSC::JSScope::objectAtScope): + * runtime/JSString.h: + (JSC::JSString::createStructure): + (JSC::isJSString): + * runtime/JSType.h: + * runtime/JSTypeInfo.h: + (JSC::TypeInfo::TypeInfo): + (JSC::TypeInfo::isObject): + (JSC::TypeInfo::structureIsImmortal): + (JSC::TypeInfo::zeroedGCDataOffset): + (JSC::TypeInfo::inlineTypeFlags): + * runtime/MapData.h: + * runtime/ObjectConstructor.cpp: + (JSC::objectConstructorGetOwnPropertyNames): + (JSC::objectConstructorKeys): + (JSC::objectConstructorDefineProperty): + (JSC::defineProperties): + (JSC::objectConstructorSeal): + (JSC::objectConstructorFreeze): + (JSC::objectConstructorIsSealed): + (JSC::objectConstructorIsFrozen): + * runtime/ObjectPrototype.cpp: + (JSC::objectProtoFuncDefineGetter): + (JSC::objectProtoFuncDefineSetter): + (JSC::objectProtoFuncToString): + * runtime/Operations.cpp: + (JSC::jsTypeStringForValue): + (JSC::jsIsObjectType): + * runtime/Operations.h: + (JSC::normalizePrototypeChainForChainAccess): + (JSC::normalizePrototypeChain): + * runtime/PropertyMapHashTable.h: + (JSC::PropertyTable::createStructure): + * runtime/RegExp.h: + (JSC::RegExp::createStructure): + * runtime/SparseArrayValueMap.h: + * runtime/Structure.cpp: + (JSC::Structure::Structure): + (JSC::Structure::~Structure): + (JSC::Structure::prototypeChainMayInterceptStoreTo): + * runtime/Structure.h: + (JSC::Structure::id): + (JSC::Structure::idBlob): + (JSC::Structure::objectInitializationFields): + (JSC::Structure::structureIDOffset): + * runtime/StructureChain.h: + (JSC::StructureChain::createStructure): + * runtime/StructureIDTable.cpp: Added. + (JSC::StructureIDTable::StructureIDTable): + (JSC::StructureIDTable::~StructureIDTable): + (JSC::StructureIDTable::resize): + (JSC::StructureIDTable::flushOldTables): + (JSC::StructureIDTable::allocateID): + (JSC::StructureIDTable::deallocateID): + * runtime/StructureIDTable.h: Added. + (JSC::StructureIDTable::base): + (JSC::StructureIDTable::get): + * runtime/SymbolTable.h: + * runtime/TypedArrayType.cpp: + (JSC::typeForTypedArrayType): + * runtime/TypedArrayType.h: + * runtime/WeakMapData.h: + +2014-02-26 Mark Hahnenberg + + Unconditional logging in compileFTLOSRExit + https://bugs.webkit.org/show_bug.cgi?id=129407 + + Reviewed by Michael Saboff. + + This was causing tests to fail with the FTL enabled. + + * ftl/FTLOSRExitCompiler.cpp: + (JSC::FTL::compileFTLOSRExit): + +2014-02-26 Oliver Hunt + + Remove unused access types + https://bugs.webkit.org/show_bug.cgi?id=129385 + + Reviewed by Filip Pizlo. + + Remove unused cruft. + + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::printGetByIdCacheStatus): + * bytecode/StructureStubInfo.cpp: + (JSC::StructureStubInfo::deref): + * bytecode/StructureStubInfo.h: + (JSC::isGetByIdAccess): + (JSC::isPutByIdAccess): + +2014-02-26 Oliver Hunt + + Function.prototype.apply has a bad time with the spread operator + https://bugs.webkit.org/show_bug.cgi?id=129381 + + Reviewed by Mark Hahnenberg. + + Make sure our apply logic handle the spread operator correctly. + To do this we simply emit the enumeration logic that we'd normally + use for other enumerations, but only store the first two results + to registers. Then perform a varargs call. + + * bytecompiler/NodesCodegen.cpp: + (JSC::ApplyFunctionCallDotNode::emitBytecode): + +2014-02-26 Mark Lam + + Compilation policy management belongs in operationOptimize(), not the DFG Driver. + + + Reviewed by Filip Pizlo. + + By compilation policy, I mean the rules for determining whether to + compile, when to compile, when to attempt compilation again, etc. The + few of these policy decisions that were previously being made in the + DFG driver are now moved to operationOptimize() where we keep the rest + of the policy logic. Decisions that are based on the capabilities + supported by the DFG are moved to DFG capabiliityLevel(). + + I've run the following benchmarks: + 1. the collection of jsc benchmarks on the jsc executable vs. its + baseline. + 2. Octane 2.0 in browser without the WebInspector. + 3. Octane 2.0 in browser with the WebInspector open and a breakpoint + set somewhere where it won't break. + + In all of these, the results came out to be a wash as expected. + + * dfg/DFGCapabilities.cpp: + (JSC::DFG::isSupported): + (JSC::DFG::mightCompileEval): + (JSC::DFG::mightCompileProgram): + (JSC::DFG::mightCompileFunctionForCall): + (JSC::DFG::mightCompileFunctionForConstruct): + (JSC::DFG::mightInlineFunctionForCall): + (JSC::DFG::mightInlineFunctionForClosureCall): + (JSC::DFG::mightInlineFunctionForConstruct): + * dfg/DFGCapabilities.h: + * dfg/DFGDriver.cpp: + (JSC::DFG::compileImpl): + * jit/JITOperations.cpp: + +2014-02-26 Mark Lam + + ASSERTION FAILED: m_heap->vm()->currentThreadIsHoldingAPILock() in inspector-protocol/*. + + + Reviewed by Alexey Proskuryakov. + + InjectedScriptModule::ensureInjected() needs an APIEntryShim. + + * inspector/InjectedScriptModule.cpp: + (Inspector::InjectedScriptModule::ensureInjected): + - Added the needed but missing APIEntryShim. + +2014-02-25 Mark Lam + + Web Inspector: CRASH when evaluating in console of JSContext RWI with disabled breakpoints. + + + Reviewed by Geoffrey Garen. + + Make the JSLock::grabAllLocks() work the same way as for the C loop LLINT. + The reasoning is that we don't know of any clients that need unordered + re-entry into the VM from different threads. So, we're enforcing ordered + re-entry i.e. we must re-grab locks in the reverse order of dropping locks. + + The crash in this bug happened because we were allowing unordered re-entry, + and the following type of scenario occurred: + + 1. Thread T1 locks the VM, and enters the VM to execute some JS code. + 2. On entry, T1 detects that VM::m_entryScope is null i.e. this is the + first time it entered the VM. + T1 sets VM::m_entryScope to T1's entryScope. + 3. T1 drops all locks. + + 4. Thread T2 locks the VM, and enters the VM to execute some JS code. + On entry, T2 sees that VM::m_entryScope is NOT null, and therefore + does not set the entryScope. + 5. T2 drops all locks. + + 6. T1 re-grabs locks. + 7. T1 returns all the way out of JS code. On exit from the outer most + JS function, T1 clears VM::m_entryScope (because T1 was the one who + set it). + 8. T1 unlocks the VM. + + 9. T2 re-grabs locks. + 10. T2 proceeds to execute some code and expects VM::m_entryScope to be + NOT null, but it turns out to be null. Assertion failures and + crashes ensue. + + With ordered re-entry, at step 6, T1 will loop and yield until T2 exits + the VM. Hence, the issue will no longer manifest. + + * runtime/JSLock.cpp: + (JSC::JSLock::dropAllLocks): + (JSC::JSLock::grabAllLocks): + * runtime/JSLock.h: + (JSC::JSLock::DropAllLocks::dropDepth): + +2014-02-25 Mark Lam + + Need to initialize VM stack data even when the VM is on an exclusive thread. + + + Not reviewed. + + Relanding r164627 now that is fixed. + + * API/APIShims.h: + (JSC::APIEntryShim::APIEntryShim): + (JSC::APICallbackShim::shouldDropAllLocks): + * heap/MachineStackMarker.cpp: + (JSC::MachineThreads::addCurrentThread): + * runtime/JSLock.cpp: + (JSC::JSLockHolder::JSLockHolder): + (JSC::JSLockHolder::init): + (JSC::JSLockHolder::~JSLockHolder): + (JSC::JSLock::JSLock): + (JSC::JSLock::setExclusiveThread): + (JSC::JSLock::lock): + (JSC::JSLock::unlock): + (JSC::JSLock::currentThreadIsHoldingLock): + (JSC::JSLock::dropAllLocks): + (JSC::JSLock::grabAllLocks): + * runtime/JSLock.h: + (JSC::JSLock::hasExclusiveThread): + (JSC::JSLock::exclusiveThread): + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + (JSC::VM::hasExclusiveThread): + (JSC::VM::exclusiveThread): + (JSC::VM::setExclusiveThread): + (JSC::VM::currentThreadIsHoldingAPILock): + +2014-02-25 Filip Pizlo + + Inline caching in the FTL on ARM64 should "work" + https://bugs.webkit.org/show_bug.cgi?id=129334 + + Reviewed by Mark Hahnenberg. + + Gets us to the point where simple tests that use inline caching are passing. + + * assembler/LinkBuffer.cpp: + (JSC::LinkBuffer::copyCompactAndLinkCode): + (JSC::LinkBuffer::shrink): + * ftl/FTLInlineCacheSize.cpp: + (JSC::FTL::sizeOfGetById): + (JSC::FTL::sizeOfPutById): + (JSC::FTL::sizeOfCall): + * ftl/FTLOSRExitCompiler.cpp: + (JSC::FTL::compileFTLOSRExit): + * ftl/FTLThunks.cpp: + (JSC::FTL::osrExitGenerationThunkGenerator): + * jit/GPRInfo.h: + * offlineasm/arm64.rb: + +2014-02-25 Commit Queue + + Unreviewed, rolling out r164627. + http://trac.webkit.org/changeset/164627 + https://bugs.webkit.org/show_bug.cgi?id=129325 + + Broke SubtleCrypto tests (Requested by ap on #webkit). + + * API/APIShims.h: + (JSC::APIEntryShim::APIEntryShim): + (JSC::APICallbackShim::shouldDropAllLocks): + * heap/MachineStackMarker.cpp: + (JSC::MachineThreads::addCurrentThread): + * runtime/JSLock.cpp: + (JSC::JSLockHolder::JSLockHolder): + (JSC::JSLockHolder::init): + (JSC::JSLockHolder::~JSLockHolder): + (JSC::JSLock::JSLock): + (JSC::JSLock::lock): + (JSC::JSLock::unlock): + (JSC::JSLock::currentThreadIsHoldingLock): + (JSC::JSLock::dropAllLocks): + (JSC::JSLock::grabAllLocks): + * runtime/JSLock.h: + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + (JSC::VM::currentThreadIsHoldingAPILock): + +2014-02-25 Filip Pizlo + + ARM64 rshift64 should be an arithmetic shift + https://bugs.webkit.org/show_bug.cgi?id=129323 + + Reviewed by Mark Hahnenberg. + + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::rshift64): + +2014-02-25 Sergio Villar Senin + + [CSS Grid Layout] Add ENABLE flag + https://bugs.webkit.org/show_bug.cgi?id=129153 + + Reviewed by Simon Fraser. + + * Configurations/FeatureDefines.xcconfig: added ENABLE_CSS_GRID_LAYOUT feature flag. + +2014-02-25 Michael Saboff + + JIT Engines use the wrong stack limit for stack checks + https://bugs.webkit.org/show_bug.cgi?id=129314 + + Reviewed by Filip Pizlo. + + Change the Baseline and DFG code to use VM::m_stackLimit for stack limit checks. + + * dfg/DFGJITCompiler.cpp: + (JSC::DFG::JITCompiler::compileFunction): + * jit/JIT.cpp: + (JSC::JIT::privateCompile): + * jit/JITCall.cpp: + (JSC::JIT::compileLoadVarargs): + * jit/JITCall32_64.cpp: + (JSC::JIT::compileLoadVarargs): + * runtime/VM.h: + (JSC::VM::addressOfStackLimit): + +2014-02-25 Filip Pizlo + + Unreviewed, roll out http://trac.webkit.org/changeset/164493. + + It causes crashes, apparently because it's removing too many barriers. I will investigate + later. + + * bytecode/SpeculatedType.cpp: + (JSC::speculationToAbbreviatedString): + * bytecode/SpeculatedType.h: + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + (JSC::DFG::FixupPhase::insertStoreBarrier): + * dfg/DFGNode.h: + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject): + (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined): + (JSC::FTL::LowerDFGToLLVM::isNotNully): + (JSC::FTL::LowerDFGToLLVM::isNully): + (JSC::FTL::LowerDFGToLLVM::speculate): + (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther): + (JSC::FTL::LowerDFGToLLVM::speculateNotCell): + +2014-02-24 Oliver Hunt + + Fix build. + + * jit/CCallHelpers.h: + (JSC::CCallHelpers::setupArgumentsWithExecState): + +2014-02-24 Oliver Hunt + + Spread operator has a bad time when applied to call function + https://bugs.webkit.org/show_bug.cgi?id=128853 + + Reviewed by Geoffrey Garen. + + Follow on from the previous patch the added an extra slot to + op_call_varargs (and _call, _call_eval, _construct). We now + use the slot as an offset to in effect act as a 'slice' on + the spread subject. This allows us to automatically retain + all our existing argument and array optimisatons. Most of + this patch is simply threading the offset around. + + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::dumpBytecode): + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitCall): + (JSC::BytecodeGenerator::emitCallVarargs): + * bytecompiler/BytecodeGenerator.h: + * bytecompiler/NodesCodegen.cpp: + (JSC::getArgumentByVal): + (JSC::CallFunctionCallDotNode::emitBytecode): + (JSC::ApplyFunctionCallDotNode::emitBytecode): + * interpreter/Interpreter.cpp: + (JSC::sizeFrameForVarargs): + (JSC::loadVarargs): + * interpreter/Interpreter.h: + * jit/CCallHelpers.h: + (JSC::CCallHelpers::setupArgumentsWithExecState): + * jit/JIT.h: + * jit/JITCall.cpp: + (JSC::JIT::compileLoadVarargs): + * jit/JITInlines.h: + (JSC::JIT::callOperation): + * jit/JITOperations.cpp: + * jit/JITOperations.h: + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * runtime/Arguments.cpp: + (JSC::Arguments::copyToArguments): + * runtime/Arguments.h: + * runtime/JSArray.cpp: + (JSC::JSArray::copyToArguments): + * runtime/JSArray.h: + +2014-02-24 Mark Lam + + Need to initialize VM stack data even when the VM is on an exclusive thread. + + + Reviewed by Geoffrey Garen. + + We check VM::exclusiveThread as an optimization to forego the need to do + JSLock locking. However, we recently started piggy backing on JSLock's + lock() and unlock() to initialize VM stack data (stackPointerAtVMEntry + and lastStackTop) to appropriate values for the current thread. This is + needed because we may be acquiring the lock to enter the VM on a different + thread. + + As a result, we ended up not initializing the VM stack data when + VM::exclusiveThread causes us to bypass the locking activity. Even though + the VM::exclusiveThread will not have to deal with the VM being entered + on a different thread, it still needs to initialize the VM stack data. + The VM relies on that data being initialized properly once it has been + entered. + + With this fix, we push the check for exclusiveThread down into the JSLock, + and handle the bypassing of unneeded locking activity there while still + executing the necessary the VM stack data initialization. + + * API/APIShims.h: + (JSC::APIEntryShim::APIEntryShim): + (JSC::APICallbackShim::shouldDropAllLocks): + * heap/MachineStackMarker.cpp: + (JSC::MachineThreads::addCurrentThread): + * runtime/JSLock.cpp: + (JSC::JSLockHolder::JSLockHolder): + (JSC::JSLockHolder::init): + (JSC::JSLockHolder::~JSLockHolder): + (JSC::JSLock::JSLock): + (JSC::JSLock::setExclusiveThread): + (JSC::JSLock::lock): + (JSLock::unlock): + (JSLock::currentThreadIsHoldingLock): + (JSLock::dropAllLocks): + (JSLock::grabAllLocks): + * runtime/JSLock.h: + (JSC::JSLock::exclusiveThread): + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + (JSC::VM::exclusiveThread): + (JSC::VM::setExclusiveThread): + (JSC::VM::currentThreadIsHoldingAPILock): + +2014-02-24 Filip Pizlo + + FTL should do polymorphic PutById inlining + https://bugs.webkit.org/show_bug.cgi?id=129210 + + Reviewed by Mark Hahnenberg and Oliver Hunt. + + This makes PutByIdStatus inform us about polymorphic cases by returning an array of + PutByIdVariants. The DFG now has a node called MultiPutByOffset that indicates a + selection of multiple inlined PutByIdVariants. + + MultiPutByOffset is almost identical to MultiGetByOffset, which we added in + http://trac.webkit.org/changeset/164207. + + This also does some FTL refactoring to make MultiPutByOffset share code with some nodes + that generate similar code. + + 1% speed-up on V8v7 due to splay improving by 6.8%. Splay does the thing where it + sometimes swaps field insertion order, creating fake polymorphism. + + * CMakeLists.txt: + * GNUmakefile.list.am: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.xcodeproj/project.pbxproj: + * bytecode/PutByIdStatus.cpp: + (JSC::PutByIdStatus::computeFromLLInt): + (JSC::PutByIdStatus::computeFor): + (JSC::PutByIdStatus::computeForStubInfo): + (JSC::PutByIdStatus::dump): + * bytecode/PutByIdStatus.h: + (JSC::PutByIdStatus::PutByIdStatus): + (JSC::PutByIdStatus::isSimple): + (JSC::PutByIdStatus::numVariants): + (JSC::PutByIdStatus::variants): + (JSC::PutByIdStatus::at): + (JSC::PutByIdStatus::operator[]): + * bytecode/PutByIdVariant.cpp: Added. + (JSC::PutByIdVariant::dump): + (JSC::PutByIdVariant::dumpInContext): + * bytecode/PutByIdVariant.h: Added. + (JSC::PutByIdVariant::PutByIdVariant): + (JSC::PutByIdVariant::replace): + (JSC::PutByIdVariant::transition): + (JSC::PutByIdVariant::kind): + (JSC::PutByIdVariant::isSet): + (JSC::PutByIdVariant::operator!): + (JSC::PutByIdVariant::structure): + (JSC::PutByIdVariant::oldStructure): + (JSC::PutByIdVariant::newStructure): + (JSC::PutByIdVariant::structureChain): + (JSC::PutByIdVariant::offset): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::emitPrototypeChecks): + (JSC::DFG::ByteCodeParser::handleGetById): + (JSC::DFG::ByteCodeParser::emitPutById): + (JSC::DFG::ByteCodeParser::handlePutById): (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGCSEPhase.cpp: + (JSC::DFG::CSEPhase::checkStructureElimination): + (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination): + (JSC::DFG::CSEPhase::putStructureStoreElimination): + (JSC::DFG::CSEPhase::getByOffsetLoadElimination): + (JSC::DFG::CSEPhase::putByOffsetStoreElimination): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + (JSC::DFG::ConstantFoldingPhase::emitPutByOffset): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::dump): + * dfg/DFGGraph.h: + * dfg/DFGNode.cpp: + (JSC::DFG::MultiPutByOffsetData::writesStructures): + (JSC::DFG::MultiPutByOffsetData::reallocatesStorage): + * dfg/DFGNode.h: + (JSC::DFG::Node::convertToPutByOffset): + (JSC::DFG::Node::hasMultiPutByOffsetData): + (JSC::DFG::Node::multiPutByOffsetData): * dfg/DFGNodeType.h: * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): - * runtime/Watchdog.cpp: - (JSC::Watchdog::setTimeLimit): + * dfg/DFGTypeCheckHoistingPhase.cpp: + (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks): + (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileNode): + (JSC::FTL::LowerDFGToLLVM::compilePutStructure): + (JSC::FTL::LowerDFGToLLVM::compileAllocatePropertyStorage): + (JSC::FTL::LowerDFGToLLVM::compileReallocatePropertyStorage): + (JSC::FTL::LowerDFGToLLVM::compileGetByOffset): + (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset): + (JSC::FTL::LowerDFGToLLVM::compilePutByOffset): + (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset): + (JSC::FTL::LowerDFGToLLVM::loadProperty): + (JSC::FTL::LowerDFGToLLVM::storeProperty): + (JSC::FTL::LowerDFGToLLVM::addressOfProperty): + (JSC::FTL::LowerDFGToLLVM::storageForTransition): + (JSC::FTL::LowerDFGToLLVM::allocatePropertyStorage): + (JSC::FTL::LowerDFGToLLVM::reallocatePropertyStorage): + (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier): + * tests/stress/fold-multi-put-by-offset-to-put-by-offset.js: Added. + * tests/stress/multi-put-by-offset-reallocation-butterfly-cse.js: Added. + * tests/stress/multi-put-by-offset-reallocation-cases.js: Added. + +2014-02-24 peavo@outlook.com + + JSC regressions after r164494 + https://bugs.webkit.org/show_bug.cgi?id=129272 + + Reviewed by Mark Lam. + + * offlineasm/x86.rb: Only avoid reverse opcode (fdivr) for Windows. + +2014-02-24 Tamas Gergely + + Code cleanup: remove leftover ENABLE(WORKERS) macros and support. + https://bugs.webkit.org/show_bug.cgi?id=129255 -2013-04-24 Filip Pizlo + Reviewed by Csaba Osztrogonác. - Special thunks for math functions should work on ARMv7 - https://bugs.webkit.org/show_bug.cgi?id=115144 + ENABLE_WORKERS macro was removed in r159679. + Support is now also removed from xcconfig files. - Reviewed by Gavin Barraclough and Oliver Hunt. - - The only hard bit here was ensuring that we implemented the very special - "cheap C call" convention on ARMv7. + * Configurations/FeatureDefines.xcconfig: - * assembler/AbstractMacroAssembler.h: - (JSC::isARMv7s): - (JSC): - (JSC::isX86): - * dfg/DFGCommon.h: - * jit/SpecializedThunkJIT.h: - (SpecializedThunkJIT): - (JSC::SpecializedThunkJIT::callDoubleToDoublePreservingReturn): - * jit/ThunkGenerators.cpp: - (JSC::floorThunkGenerator): - (JSC::ceilThunkGenerator): - (JSC::roundThunkGenerator): - (JSC::expThunkGenerator): - (JSC::logThunkGenerator): +2014-02-24 David Kilzer -2013-04-24 Julien Brianceau + Remove redundant setting in FeatureDefines.xcconfig - Misc bugfix and cleaning in sh4 base JIT. - https://bugs.webkit.org/show_bug.cgi?id=115022. + * Configurations/FeatureDefines.xcconfig: - Reviewed by Oliver Hunt. +2014-02-23 Sam Weinig - Remove unused add32() and sub32() with scratchreg parameter to avoid - confusion as this function prototype means another behaviour. - Remove unused "void push(Address)" function which seems quite buggy. + Update FeatureDefines.xcconfig - * assembler/MacroAssemblerSH4.h: - (JSC::MacroAssemblerSH4::and32): Cosmetic change. - (JSC::MacroAssemblerSH4::lshift32): Cosmetic change. - (JSC::MacroAssemblerSH4::or32): Cosmetic change. - (JSC::MacroAssemblerSH4::xor32): Cosmetic change. - (MacroAssemblerSH4): - (JSC::MacroAssemblerSH4::load32): Cosmetic change. - (JSC::MacroAssemblerSH4::load8Signed): Fix invalid offset upper limit - when using r0 register and cosmetic changes. - (JSC::MacroAssemblerSH4::load8): Reuse load8Signed to avoid duplication. - (JSC::MacroAssemblerSH4::load16): Fix invalid offset upper limit when - using r0 register, fix missing offset shift and cosmetic changes. - (JSC::MacroAssemblerSH4::store32): Cosmetic change. - (JSC::MacroAssemblerSH4::branchAdd32): Store result value before branch. - -2013-04-24 Patrick Gansterer - - [WIN] Remove pthread from Visual Studio files in JavaScriptCore - https://bugs.webkit.org/show_bug.cgi?id=114864 + Rubber-stamped by Anders Carlsson. - Reviewed by Brent Fulgham. + * Configurations/FeatureDefines.xcconfig: - * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops: - * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.vsprops: - * JavaScriptCore.vcproj/jsc/jscCommon.vsprops: - * JavaScriptCore.vcproj/testRegExp/testRegExpCommon.vsprops: - * JavaScriptCore.vcproj/testapi/testapiCommon.vsprops: - * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: - * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorCommon.props: - * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props: - * JavaScriptCore.vcxproj/jsc/jscCommon.props: - * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props: - * JavaScriptCore.vcxproj/testapi/testapiCommon.props: - * JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props: +2014-02-23 Dean Jackson + + Sort the project file with sort-Xcode-project-file. + + Rubber-stamped by Sam Weinig. + + * JavaScriptCore.xcodeproj/project.pbxproj: + +2014-02-23 Sam Weinig + + Move telephone number detection behind its own ENABLE macro + https://bugs.webkit.org/show_bug.cgi?id=129236 + + Reviewed by Dean Jackson. -2013-04-24 Filip Pizlo + * Configurations/FeatureDefines.xcconfig: + Add ENABLE_TELEPHONE_NUMBER_DETECTION. + +2014-02-22 Filip Pizlo - DFG should keep the operand to create_this alive if it's emitting code for create_this - https://bugs.webkit.org/show_bug.cgi?id=115133 + Refine DFG+FTL inlining and compilation limits + https://bugs.webkit.org/show_bug.cgi?id=129212 Reviewed by Mark Hahnenberg. - The DFG must model bytecode liveness, or else OSR exit is going to have a really bad time. + Allow larger functions to be DFG-compiled. Institute a limit on FTL compilation, + and set that limit quite high. Institute a limit on inlining-into. The idea here is + that large functions tend to be autogenerated, and code generators like emscripten + appear to leave few inlining opportunities anyway. Also, we don't want the code + size explosion that we would risk if we allowed compilation of a large function and + then inlined a ton of stuff into it. + + This is a 0.5% speed-up on Octane v2 and almost eliminates the typescript + regression. This is a 9% speed-up on AsmBench. + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::noticeIncomingCall): * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::parseBlock): + (JSC::DFG::ByteCodeParser::handleInlining): + * dfg/DFGCapabilities.h: + (JSC::DFG::isSmallEnoughToInlineCodeInto): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLState.h: + (JSC::FTL::shouldShowDisassembly): + * runtime/Options.h: -2013-04-24 Roger Fong +2014-02-22 Dan Bernstein - Have VS2010 WebKit solution look in WebKit_Libraries/lib32 for dependencies. + REGRESSION (r164507): Crash beneath JSGlobalObjectInspectorController::reportAPIException at facebook.com, twitter.com, youtube.com + https://bugs.webkit.org/show_bug.cgi?id=129227 - * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPostBuild.cmd: - * JavaScriptCore.vcxproj/JavaScriptCorePreLink.cmd: - * JavaScriptCore.vcxproj/jsc/jscPostBuild.cmd: - * JavaScriptCore.vcxproj/jsc/jscPreLink.cmd: - * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj.filters: - * JavaScriptCore.vcxproj/testRegExp/testRegExpPostBuild.cmd: - * JavaScriptCore.vcxproj/testRegExp/testRegExpPreLink.cmd: - * JavaScriptCore.vcxproj/testapi/testapiPreLink.cmd: + Reviewed by Eric Carlson. -2013-04-24 Geoffrey Garen + Reverted r164507. - 32-bit build fix. + * API/JSBase.cpp: + (JSEvaluateScript): + (JSCheckScriptSyntax): + * API/JSObjectRef.cpp: + (JSObjectMakeFunction): + (JSObjectMakeArray): + (JSObjectMakeDate): + (JSObjectMakeError): + (JSObjectMakeRegExp): + (JSObjectGetProperty): + (JSObjectSetProperty): + (JSObjectGetPropertyAtIndex): + (JSObjectSetPropertyAtIndex): + (JSObjectDeleteProperty): + (JSObjectCallAsFunction): + (JSObjectCallAsConstructor): + * API/JSValue.mm: + (valueToArray): + (valueToDictionary): + * API/JSValueRef.cpp: + (JSValueIsEqual): + (JSValueIsInstanceOfConstructor): + (JSValueCreateJSONString): + (JSValueToNumber): + (JSValueToStringCopy): + (JSValueToObject): + * inspector/ConsoleMessage.cpp: + (Inspector::ConsoleMessage::ConsoleMessage): + (Inspector::ConsoleMessage::autogenerateMetadata): + * inspector/ConsoleMessage.h: + * inspector/JSGlobalObjectInspectorController.cpp: + (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController): + * inspector/JSGlobalObjectInspectorController.h: + * inspector/ScriptCallStack.cpp: + * inspector/ScriptCallStack.h: + * inspector/ScriptCallStackFactory.cpp: + (Inspector::createScriptCallStack): + (Inspector::createScriptCallStackForConsole): + (Inspector::createScriptCallStackFromException): + * inspector/ScriptCallStackFactory.h: + * inspector/agents/InspectorConsoleAgent.cpp: + (Inspector::InspectorConsoleAgent::enable): + (Inspector::InspectorConsoleAgent::addMessageToConsole): + (Inspector::InspectorConsoleAgent::count): + * inspector/agents/JSGlobalObjectDebuggerAgent.cpp: + (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog): + +2014-02-22 Joseph Pecoraro + + Remove some unreachable code (-Wunreachable-code) + https://bugs.webkit.org/show_bug.cgi?id=129220 + + Reviewed by Eric Carlson. - Unreviewed. + * API/tests/testapi.c: + (EvilExceptionObject_convertToType): + * disassembler/udis86/udis86_decode.c: + (decode_operand): - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compilePeepHoleBooleanBranch): Explicitly - truncate to 32-bit to avoid compiler warnings. It's safe to truncate - because the payload of a boolean is the low bits on both 64-bit and 32-bit. +2014-02-22 Filip Pizlo + + Unreviewed, ARMv7 build fix. + + * assembler/ARMv7Assembler.h: -2013-04-23 Geoffrey Garen +2014-02-21 Filip Pizlo - Filled out more cases of branch folding in the DFG - https://bugs.webkit.org/show_bug.cgi?id=115088 + It should be possible for a LinkBuffer to outlive the MacroAssembler and still be useful + https://bugs.webkit.org/show_bug.cgi?id=124733 Reviewed by Oliver Hunt. + + This also takes the opportunity to de-duplicate some branch compaction code. + + * assembler/ARM64Assembler.h: + * assembler/ARMv7Assembler.h: + (JSC::ARMv7Assembler::buffer): + * assembler/AssemblerBuffer.h: + (JSC::AssemblerData::AssemblerData): + (JSC::AssemblerBuffer::AssemblerBuffer): + (JSC::AssemblerBuffer::storage): + (JSC::AssemblerBuffer::grow): + * assembler/LinkBuffer.h: + (JSC::LinkBuffer::LinkBuffer): + (JSC::LinkBuffer::executableOffsetFor): + (JSC::LinkBuffer::applyOffset): + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::link): + * assembler/MacroAssemblerARMv7.h: - No change on the benchmarks we track, but a 3X speedup on a - microbenchmark that uses these techniques. +2014-02-21 Brent Fulgham + + Extend media support for WebVTT sources + https://bugs.webkit.org/show_bug.cgi?id=129156 + + Reviewed by Eric Carlson. + + * Configurations/FeatureDefines.xcconfig: Add new feature define for AVF_CAPTIONS + +2014-02-21 Joseph Pecoraro + + Web Inspector: JSContext inspection should report exceptions in the console + https://bugs.webkit.org/show_bug.cgi?id=128776 + + Reviewed by Timothy Hatcher. + + When JavaScript API functions have an exception, let the inspector + know so it can log the JavaScript and Native backtrace that caused + the exception. + + Include some clean up of ConsoleMessage and ScriptCallStack construction. + + * API/JSBase.cpp: + (JSEvaluateScript): + (JSCheckScriptSyntax): + * API/JSObjectRef.cpp: + (JSObjectMakeFunction): + (JSObjectMakeArray): + (JSObjectMakeDate): + (JSObjectMakeError): + (JSObjectMakeRegExp): + (JSObjectGetProperty): + (JSObjectSetProperty): + (JSObjectGetPropertyAtIndex): + (JSObjectSetPropertyAtIndex): + (JSObjectDeleteProperty): + (JSObjectCallAsFunction): + (JSObjectCallAsConstructor): + * API/JSValue.mm: + (reportExceptionToInspector): + (valueToArray): + (valueToDictionary): + * API/JSValueRef.cpp: + (JSValueIsEqual): + (JSValueIsInstanceOfConstructor): + (JSValueCreateJSONString): + (JSValueToNumber): + (JSValueToStringCopy): + (JSValueToObject): + When seeing an exception, let the inspector know there was an exception. + + * inspector/JSGlobalObjectInspectorController.h: + * inspector/JSGlobalObjectInspectorController.cpp: + (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController): + (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace): + (Inspector::JSGlobalObjectInspectorController::reportAPIException): + Log API exceptions by also grabbing the native backtrace. + + * inspector/ScriptCallStack.h: + * inspector/ScriptCallStack.cpp: + (Inspector::ScriptCallStack::firstNonNativeCallFrame): + (Inspector::ScriptCallStack::append): + Minor extensions to ScriptCallStack to make it easier to work with. + + * inspector/ConsoleMessage.cpp: + (Inspector::ConsoleMessage::ConsoleMessage): + (Inspector::ConsoleMessage::autogenerateMetadata): + Provide better default information if the first call frame was native. + + * inspector/ScriptCallStackFactory.cpp: + (Inspector::createScriptCallStack): + (Inspector::extractSourceInformationFromException): + (Inspector::createScriptCallStackFromException): + Perform the handling here of inserting a fake call frame for exceptions + if there was no call stack (e.g. a SyntaxError) or if the first call + frame had no information. + + * inspector/ConsoleMessage.cpp: + (Inspector::ConsoleMessage::ConsoleMessage): + (Inspector::ConsoleMessage::autogenerateMetadata): + * inspector/ConsoleMessage.h: + * inspector/ScriptCallStackFactory.cpp: + (Inspector::createScriptCallStack): + (Inspector::createScriptCallStackForConsole): + * inspector/ScriptCallStackFactory.h: + * inspector/agents/InspectorConsoleAgent.cpp: + (Inspector::InspectorConsoleAgent::enable): + (Inspector::InspectorConsoleAgent::addMessageToConsole): + (Inspector::InspectorConsoleAgent::count): + * inspector/agents/JSGlobalObjectDebuggerAgent.cpp: + (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog): + ConsoleMessage cleanup. + +2014-02-21 Oliver Hunt + + Add extra space to op_call and related opcodes + https://bugs.webkit.org/show_bug.cgi?id=129170 + + Reviewed by Mark Lam. + + No change in behaviour, just some refactoring to add an extra + slot to the op_call instructions, and refactoring to make similar + changes easier in future. + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::printCallOp): + * bytecode/Opcode.h: + (JSC::padOpcodeName): + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitCall): + (JSC::BytecodeGenerator::emitCallVarargs): + (JSC::BytecodeGenerator::emitConstruct): * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::parseBlock): (!/=)= and (!/=)== can constant - fold all types, not just numbers, because true constants have no - side effects when type-converted at runtime. + (JSC::DFG::ByteCodeParser::handleIntrinsic): + * jit/JITCall.cpp: + (JSC::JIT::compileOpCall): + * jit/JITCall32_64.cpp: + (JSC::JIT::compileOpCall): + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + +2014-02-21 Mark Lam + + gatherFromOtherThread() needs to align the sp before gathering roots. + + + Reviewed by Geoffrey Garen. + + The GC scans the stacks of other threads using MachineThreads::gatherFromOtherThread(). + gatherFromOtherThread() defines the range of the other thread's stack as + being bounded by the other thread's stack pointer and stack base. While + the stack base will always be aligned to sizeof(void*), the stack pointer + may not be. This is because the other thread may have just pushed a 32-bit + value on its stack before we suspended it for scanning. + + The fix is to round the stack pointer up to the next aligned address of + sizeof(void*) and start scanning from there. On 64-bit systems, we will + effectively ignore the 32-bit word at the bottom of the stack (top of the + stack for stacks growing up) because it cannot be a 64-bit pointer anyway. + 64-bit pointers should always be stored on 64-bit aligned boundaries (our + conservative scan algorithm already depends on this assumption). + + On 32-bit systems, the rounding is effectively a no-op. + + * heap/ConservativeRoots.cpp: + (JSC::ConservativeRoots::genericAddSpan): + - Hardened somne assertions so that we can catch misalignment issues on + release builds as well. + * heap/MachineStackMarker.cpp: + (JSC::MachineThreads::gatherFromOtherThread): + +2014-02-21 Matthew Mirman + Added a GetMyArgumentsLengthSafe and added a speculation check. + https://bugs.webkit.org/show_bug.cgi?id=129051 + + Reviewed by Filip Pizlo. + + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength): + +2014-02-21 peavo@outlook.com + + [Win][LLINT] Many JSC stress test failures. + https://bugs.webkit.org/show_bug.cgi?id=129155 + + Reviewed by Michael Saboff. + + Intel syntax has reversed operand order compared to AT&T syntax, so we need to swap the operand order, in this case on floating point operations. + Also avoid using the reverse opcode (e.g. fdivr), as this puts the result at the wrong position in the floating point stack. + E.g. "divd ft0, ft1" would translate to fdivr st, st(1) (Intel syntax) on Windows, but this puts the result in st, when it should be in st(1). + + * offlineasm/x86.rb: Swap operand order on Windows. + +2014-02-21 Filip Pizlo + + DFG write barriers should do more speculations + https://bugs.webkit.org/show_bug.cgi?id=129160 + + Reviewed by Mark Hahnenberg. + + Replace ConditionalStoreBarrier with the cheapest speculation that you could do + instead. + + Miniscule speed-up on some things. It's a decent difference in code size, though. + + * bytecode/SpeculatedType.cpp: + (JSC::speculationToAbbreviatedString): + * bytecode/SpeculatedType.h: + (JSC::isNotCellSpeculation): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): + (JSC::DFG::FixupPhase::insertStoreBarrier): + (JSC::DFG::FixupPhase::insertPhantomCheck): * dfg/DFGNode.h: - (JSC::DFG::Node::shouldSpeculateBoolean): Added support for fixing up - boolean uses, like we do for other types like number. + (JSC::DFG::Node::shouldSpeculateOther): + (JSC::DFG::Node::shouldSpeculateNotCell): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject): + (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined): + (JSC::FTL::LowerDFGToLLVM::isNotOther): + (JSC::FTL::LowerDFGToLLVM::isOther): + (JSC::FTL::LowerDFGToLLVM::speculate): + (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther): + (JSC::FTL::LowerDFGToLLVM::speculateOther): + (JSC::FTL::LowerDFGToLLVM::speculateNotCell): - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compilePeepHoleBooleanBranch): - (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch): - (JSC::DFG::SpeculativeJIT::compare): - (JSC::DFG::SpeculativeJIT::compileStrictEq): - (JSC::DFG::SpeculativeJIT::compileBooleanCompare): Peephole fuse - boolean compare and/or compare-branch, now that we have the types for - them. +2014-02-21 Joseph Pecoraro + + Revert r164486, causing a number of test failures. + + Unreviewed rollout. + +2014-02-21 Filip Pizlo + + Revive SABI (aka shouldAlwaysBeInlined) + https://bugs.webkit.org/show_bug.cgi?id=129159 + + Reviewed by Mark Hahnenberg. + + This is a small Octane speed-up. + + * jit/Repatch.cpp: + (JSC::linkFor): This code was assuming that if it's invoked then the caller is a DFG code block. That's wrong, since it's now used by all of the JITs. + +2014-02-21 Joseph Pecoraro + + Web Inspector: JSContext inspection should report exceptions in the console + https://bugs.webkit.org/show_bug.cgi?id=128776 + + Reviewed by Timothy Hatcher. + + When JavaScript API functions have an exception, let the inspector + know so it can log the JavaScript and Native backtrace that caused + the exception. + + Include some clean up of ConsoleMessage and ScriptCallStack construction. + + * API/JSBase.cpp: + (JSEvaluateScript): + (JSCheckScriptSyntax): + * API/JSObjectRef.cpp: + (JSObjectMakeFunction): + (JSObjectMakeArray): + (JSObjectMakeDate): + (JSObjectMakeError): + (JSObjectMakeRegExp): + (JSObjectGetProperty): + (JSObjectSetProperty): + (JSObjectGetPropertyAtIndex): + (JSObjectSetPropertyAtIndex): + (JSObjectDeleteProperty): + (JSObjectCallAsFunction): + (JSObjectCallAsConstructor): + * API/JSValue.mm: + (reportExceptionToInspector): + (valueToArray): + (valueToDictionary): + * API/JSValueRef.cpp: + (JSValueIsEqual): + (JSValueIsInstanceOfConstructor): + (JSValueCreateJSONString): + (JSValueToNumber): + (JSValueToStringCopy): + (JSValueToObject): + When seeing an exception, let the inspector know there was an exception. + + * inspector/JSGlobalObjectInspectorController.h: + * inspector/JSGlobalObjectInspectorController.cpp: + (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController): + (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace): + (Inspector::JSGlobalObjectInspectorController::reportAPIException): + Log API exceptions by also grabbing the native backtrace. + + * inspector/ScriptCallStack.h: + * inspector/ScriptCallStack.cpp: + (Inspector::ScriptCallStack::firstNonNativeCallFrame): + (Inspector::ScriptCallStack::append): + Minor extensions to ScriptCallStack to make it easier to work with. + + * inspector/ConsoleMessage.cpp: + (Inspector::ConsoleMessage::ConsoleMessage): + (Inspector::ConsoleMessage::autogenerateMetadata): + Provide better default information if the first call frame was native. + + * inspector/ScriptCallStackFactory.cpp: + (Inspector::createScriptCallStack): + (Inspector::extractSourceInformationFromException): + (Inspector::createScriptCallStackFromException): + Perform the handling here of inserting a fake call frame for exceptions + if there was no call stack (e.g. a SyntaxError) or if the first call + frame had no information. + + * inspector/ConsoleMessage.cpp: + (Inspector::ConsoleMessage::ConsoleMessage): + (Inspector::ConsoleMessage::autogenerateMetadata): + * inspector/ConsoleMessage.h: + * inspector/ScriptCallStackFactory.cpp: + (Inspector::createScriptCallStack): + (Inspector::createScriptCallStackForConsole): + * inspector/ScriptCallStackFactory.h: + * inspector/agents/InspectorConsoleAgent.cpp: + (Inspector::InspectorConsoleAgent::enable): + (Inspector::InspectorConsoleAgent::addMessageToConsole): + (Inspector::InspectorConsoleAgent::count): + * inspector/agents/JSGlobalObjectDebuggerAgent.cpp: + (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog): + ConsoleMessage cleanup. + +2014-02-20 Anders Carlsson + + Modernize JSGlobalLock and JSLockHolder + https://bugs.webkit.org/show_bug.cgi?id=129105 + + Reviewed by Michael Saboff. + + Use std::mutex and std::thread::id where possible. + + * runtime/JSLock.cpp: + (JSC::GlobalJSLock::GlobalJSLock): + (JSC::GlobalJSLock::~GlobalJSLock): + (JSC::GlobalJSLock::initialize): + (JSC::JSLock::JSLock): + (JSC::JSLock::lock): + (JSC::JSLock::unlock): + (JSC::JSLock::currentThreadIsHoldingLock): + * runtime/JSLock.h: + +2014-02-20 Mark Lam + + virtualForWithFunction() should not throw an exception with a partially initialized frame. + + + Reviewed by Michael Saboff. + + Currently, when JITOperations.cpp's virtualForWithFunction() fails to + prepare the callee function for execution, it proceeds to throw the + exception using the callee frame which is only partially initialized + thus far. Instead, it should be throwing the exception using the caller + frame because: + 1. the error happened "in" the caller while preparing the callee for + execution i.e. the caller frame is the top fully initialized frame + on the stack. + 2. the callee frame is not fully initialized yet, and the unwind + mechanism cannot depend on the data in it. + + * jit/JITOperations.cpp: + +2014-02-20 Mark Lam + + DefaultGCActivityCallback::doWork() should reschedule if GC is deferred. + + + Reviewed by Mark Hahnenberg. + + Currently, DefaultGCActivityCallback::doWork() does not check if the GC + needs to be deferred before commencing. As a result, the GC may crash + and/or corrupt data because the VM is not in the consistent state needed + for the GC to run. With this fix, doWork() now checks if the GC is + supposed to be deferred and re-schedules if needed. It only commences + with GC'ing when it's safe to do so. + + * runtime/GCActivityCallback.cpp: + (JSC::DefaultGCActivityCallback::doWork): + +2014-02-20 Geoffrey Garen + + Math.imul gives wrong results + https://bugs.webkit.org/show_bug.cgi?id=126345 + + Reviewed by Mark Hahnenberg. + + Don't truncate non-int doubles to 0 -- that's just not how ToInt32 works. + Instead, take a slow path that will do the right thing. + + * jit/ThunkGenerators.cpp: + (JSC::imulThunkGenerator): + +2014-02-20 Filip Pizlo + + DFG should do its own static estimates of execution frequency before it starts creating OSR entrypoints + https://bugs.webkit.org/show_bug.cgi?id=129129 + + Reviewed by Geoffrey Garen. + + We estimate execution counts based on loop depth, and then use those to estimate branch + weights. These weights then get carried all the way down to LLVM prof branch_weights + meta-data. + + This is better than letting LLVM do its own static estimates, since by the time we + generate LLVM IR, we may have messed up the CFG due to OSR entrypoint creation. Of + course, it would be even better if we just slurped in some kind of execution counts + from profiling, but we don't do that, yet. + + * CMakeLists.txt: + * GNUmakefile.list.am: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.xcodeproj/project.pbxproj: + * dfg/DFGBasicBlock.cpp: + (JSC::DFG::BasicBlock::BasicBlock): + * dfg/DFGBasicBlock.h: + * dfg/DFGBlockInsertionSet.cpp: + (JSC::DFG::BlockInsertionSet::insert): + (JSC::DFG::BlockInsertionSet::insertBefore): + * dfg/DFGBlockInsertionSet.h: + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleInlining): + (JSC::DFG::ByteCodeParser::parseCodeBlock): + * dfg/DFGCriticalEdgeBreakingPhase.cpp: + (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge): + * dfg/DFGLoopPreHeaderCreationPhase.cpp: + (JSC::DFG::createPreHeader): + * dfg/DFGNaturalLoops.h: + (JSC::DFG::NaturalLoops::loopDepth): + * dfg/DFGOSREntrypointCreationPhase.cpp: + (JSC::DFG::OSREntrypointCreationPhase::run): + * dfg/DFGPlan.cpp: + (JSC::DFG::Plan::compileInThreadImpl): + * dfg/DFGStaticExecutionCountEstimationPhase.cpp: Added. + (JSC::DFG::StaticExecutionCountEstimationPhase::StaticExecutionCountEstimationPhase): + (JSC::DFG::StaticExecutionCountEstimationPhase::run): + (JSC::DFG::StaticExecutionCountEstimationPhase::applyCounts): + (JSC::DFG::performStaticExecutionCountEstimation): + * dfg/DFGStaticExecutionCountEstimationPhase.h: Added. + +2014-02-20 Filip Pizlo + + FTL may not see a compact_unwind section if there weren't any stackmaps + https://bugs.webkit.org/show_bug.cgi?id=129125 + + Reviewed by Geoffrey Garen. + + It's OK to not have an unwind section, so long as the function also doesn't have any + OSR exits. - * dfg/DFGSpeculativeJIT.h: Updated declarations. + * ftl/FTLCompile.cpp: + (JSC::FTL::fixFunctionBasedOnStackMaps): + (JSC::FTL::compile): + * ftl/FTLUnwindInfo.cpp: + (JSC::FTL::UnwindInfo::parse): + * ftl/FTLUnwindInfo.h: -== Rolled over to ChangeLog-2013-04-24 == +== Rolled over to ChangeLog-2014-02-20 ==