2014-07-25 Lucas Forschler
Merge r171578
2014-07-24 Brent Fulgham
[Win] Correct build order in JavaScriptCore.submit.sln
https://bugs.webkit.org/show_bug.cgi?id=135282
Unreviewed build fix.
* JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: Correct build order
such that LLIntDesiredOffset is built prior to the rest of JSC.
2014-07-24 Lucas Forschler
Merge r171564
2014-07-24 Mark Lam
JSWrapperMap's jsWrapperForObject() needs to keep weak prototype and constructors from being GCed.
Reviewed by Mark Hahnenberg.
Where needed, we cache the prototype object pointer in a stack local var.
This allows it to be scanned by the GC, and hence be kept alive until
we use it. The constructor object will in turn be kept alive by the
prototype object.
Also added some comments to warn against future code additions that could
regress this issue.
* API/JSWrapperMap.mm:
(-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
(-[JSObjCClassInfo reallocateConstructorAndOrPrototype]):
(-[JSObjCClassInfo wrapperForObject:]):
(-[JSObjCClassInfo constructor]):
2014-07-24 Lucas Forschler
Merge r171558
2014-07-24 Joseph Pecoraro
JSLock release should only modify the AtomicStringTable if it modified in acquire
https://bugs.webkit.org/show_bug.cgi?id=135143
Reviewed by Darin Adler.
* runtime/JSLock.cpp:
(JSC::JSLock::JSLock):
Initialize the member variable to nullptr.
(JSC::JSLock::willDestroyVM):
Update style to use nullptr instead of 0.
(JSC::JSLock::willReleaseLock):
We should only reset the thread data's atomic string table if
didAcquireLock changed it. m_entryAtomicStringTable will have
been set by didAcquireLock if it changed, or nullptr if it didn't.
This way we are sure we are balanced, regardless of m_vm changes.
2014-07-24 Lucas Forschler
Merge r171543
2014-07-24 Mark Hahnenberg
Creating a JSGlobalObject with a custom JSClassRef results in a JSProxy with the wrong prototype
https://bugs.webkit.org/show_bug.cgi?id=135250
Reviewed by Geoffrey Garen.
JSGlobalObject::resetPrototype (which is called from JSGlobalContextCreateInGroup) doesn't change its
JSProxy's prototype as well. This results in a JSProxy where no properties in the original prototype
chain (as created from the JSClassRef hierarchy) are accessible. Changing resetPrototype to also change
the JSProxy's prototype fixes the issue.
* API/JSValueRef.cpp:
(JSValueIsObjectOfClass): Also fixed a bug where a JSProxy for a JSGlobalObject with a custom JSClassRef
would claim it wasn't of the specified class, even if the target was of the specified class.
* API/tests/CustomGlobalObjectClassTest.c: Added.
(jsDoSomething):
(customGlobalObjectClassTest):
* API/tests/CustomGlobalObjectClassTest.h: Added.
* API/tests/testapi.c:
(assertTrue):
(main):
* JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
* JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::resetPrototype):
2014-07-24 Lucas Forschler
Merge r171395
2014-07-22 Brent Fulgham
Build fix for non-clang compile.
* jsc.cpp:
(WTF::RuntimeArray::put): Remove incorrect return statement
I added.
2014-07-24 Lucas Forschler
Merge r171393
2014-07-22 Brent Fulgham
Build fix for non-clang compile.
* jsc.cpp:
(WTF::RuntimeArray::deleteProperty): Need (fake) return
value when NO_RETURN_DUE_TO_CRASH is not defined.
2014-07-24 Lucas Forschler
Merge r171390
2014-07-22 Mark Lam
Array.concat() should work on runtime arrays too.
Reviewed by Geoffrey Garen.
* jsc.cpp:
(WTF::RuntimeArray::create):
(WTF::RuntimeArray::~RuntimeArray):
(WTF::RuntimeArray::destroy):
(WTF::RuntimeArray::getOwnPropertySlot):
(WTF::RuntimeArray::getOwnPropertySlotByIndex):
(WTF::RuntimeArray::put):
(WTF::RuntimeArray::deleteProperty):
(WTF::RuntimeArray::getLength):
(WTF::RuntimeArray::createPrototype):
(WTF::RuntimeArray::createStructure):
(WTF::RuntimeArray::finishCreation):
(WTF::RuntimeArray::RuntimeArray):
(WTF::RuntimeArray::lengthGetter):
(GlobalObject::finishCreation):
(functionCreateRuntimeArray):
- Added support to create a runtime array for testing purpose.
* runtime/ArrayPrototype.cpp:
(JSC::getLength):
- Added fast case for when the array object is a JSArray.
(JSC::arrayProtoFuncJoin):
- Added a needed but missing exception check.
(JSC::arrayProtoFuncConcat):
- Use getLength() to compute the array length instead of assuming that
the array is a JSArray instance.
* tests/stress/regexp-matches-array.js: Added.
(testArrayConcat):
* tests/stress/runtime-array.js: Added.
(testArrayConcat):
2014-07-24 Lucas Forschler
Merge r171328
2014-07-21 Mark Lam
Refactor ArrayPrototype to use getLength() and putLength() utility functions.
https://bugs.webkit.org/show_bug.cgi?id=135139.
Reviewed by Oliver Hunt.
- Specialize putProperty() to putLength() because it is only used for setting
the length property.
- Added a getLength() utility function to get the value of the length property.
- Use these getLength() and putLength() functions instead of the existing code
to get and put the length property. Less code to read, easier to understand.
* runtime/ArrayPrototype.cpp:
(JSC::getLength):
(JSC::putLength):
(JSC::arrayProtoFuncToString):
(JSC::arrayProtoFuncToLocaleString):
(JSC::arrayProtoFuncJoin):
(JSC::arrayProtoFuncPop):
(JSC::arrayProtoFuncPush):
(JSC::arrayProtoFuncReverse):
(JSC::arrayProtoFuncShift):
(JSC::arrayProtoFuncSlice):
(JSC::arrayProtoFuncSort):
(JSC::arrayProtoFuncSplice):
(JSC::arrayProtoFuncUnShift):
(JSC::arrayProtoFuncReduce):
(JSC::arrayProtoFuncReduceRight):
(JSC::arrayProtoFuncIndexOf):
(JSC::arrayProtoFuncLastIndexOf):
(JSC::putProperty): Deleted.
2014-07-23 Matthew Hanson
Merge r171474 (rollout r171367 from trunk)
2014-07-23 Lucas Forschler
Merge r171367
2014-07-22 Joseph Pecoraro
JSLock release should only modify the AtomicStringTable if it modified in acquire
https://bugs.webkit.org/show_bug.cgi?id=135143
Reviewed by Pratik Solanki.
* runtime/JSLock.cpp:
(JSC::JSLock::willDestroyVM):
(JSC::JSLock::willReleaseLock):
Only set the AtomicStringTable when there was a VM, to balance JSLock::didAcquireLock.
2014-07-23 Lucas Forschler
Merge r171355
2014-07-21 Sam Weinig
[Cocoa] WKScriptMessageHandlers don't seem to function properly after navigating
https://bugs.webkit.org/show_bug.cgi?id=135148
Reviewed by Geoffrey Garen.
* runtime/CommonIdentifiers.h:
Add a common identifier for the string "webkit".
2014-07-23 Lucas Forschler
Merge r171354
2014-07-22 Filip Pizlo
ASSERTION FAILED: info.spillFormat() & DataFormatJS in JSC::DFG::SpeculativeJIT::fillSpeculateCell
https://bugs.webkit.org/show_bug.cgi?id=135155
Reviewed by Oliver Hunt.
The DFG fillSpeculate code paths all need to be mindful of the fact that they may be stumbling upon a
contradiction, and that this is OK. In this case, we were speculating cell on an int.
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
* tests/stress/regress-135155.js: Added.
(run.t.length):
(run):
2014-07-22 Dana Burkart
Merge r171228.
2014-07-18 Filip Pizlo
Fix cloop build.
* jsc.cpp:
(jscmain):
2014-07-22 Dana Burkart
Merge r171213.
2014-07-15 Filip Pizlo
Need ability to fuzz exception throwing
https://bugs.webkit.org/show_bug.cgi?id=134945
Reviewed by Sam Weinig.
Adds the ability to instrument exception checks, and to force some random
exception check to artificially throw an exception. Also adds new tests that
are suitable for testing this. Note that this is closely tied to the Tools
directory changes that are also part of this changeset.
This also fixes an activation tear-off bug that arises if we ever throw an
exception from operationOptimize, or if due to some other bug it's only due
to the operationOptimize exception check that we realize that there is an
exception to be thrown.
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::fastExceptionCheck):
* ftl/FTLIntrinsicRepository.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::callCheck):
* interpreter/Interpreter.cpp:
(JSC::unwindCallFrame):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::callExceptionFuzz):
(JSC::AssemblyHelpers::emitExceptionCheck):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::emitExceptionCheck): Deleted.
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_enter):
* jit/JITOperations.cpp:
(JSC::numberOfExceptionFuzzChecks):
* jit/JITOperations.h:
* jsc.cpp:
(jscmain):
* runtime/Options.h:
* runtime/TestRunnerUtils.h:
* tests/exceptionFuzz.yaml: Added.
* tests/exceptionFuzz: Added.
* tests/exceptionFuzz/3d-cube.js: Added.
* tests/exceptionFuzz/date-format-xparb.js: Added.
* tests/exceptionFuzz/earley-boyer.js: Added.
2014-07-22 Dana Burkart
Merge r171204.
2014-07-17 Joseph Pecoraro
Follow-up fix to r171195 to prevent ASSERT in fast/profiler/profile-with-no-title.html
Rubber-stamped by Alexey Proskuryakov.
Null / empty titles should be fine. Tests pass in release builds
which allowed empty titles, and it looks like the LegacyProfiler
stopProfiling handles empty titles as expected already.
* profiler/LegacyProfiler.cpp:
(JSC::LegacyProfiler::startProfiling):
2014-07-22 Dana Burkart
Merge r171190.
2014-07-16 Filip Pizlo
DFG Flush(SetLocal) store elimination is overzealous for captured variables in the presence of nodes that have no effects but may throw
https://bugs.webkit.org/show_bug.cgi?id=134988
Reviewed by Oliver Hunt.
Luckily, we also don't need this optimization to be super powerful: the only place
where it really matters is for getting rid of the redundancy between op_enter and
op_init_lazy_reg, and in that case, there is a small set of possible nodes between the
two things. This change updates the store eliminator to know about only that small,
obviously safe, set of nodes over which we can store-eliminate.
This shouldn't have any performance impact in the DFG because this optimization kicks
in relatively rarely already. And once we tier up into the FTL, we get a much better
store elimination over LLVM IR, so this really shouldn't matter at all.
The tricky part of this patch is that there is a close relative of this optimization,
for uncaptured variables that got flushed. This happens for arguments to inlined calls.
I make this work by splitting it into two different store eliminators.
Note that in the process of crafting the tests, I realized that we were incorrectly
DCEing NewArrayWithSize. That's not cool, since that can throw an exception for
negative array sizes. If we ever did want to DCE this node, we'd need to lower the node
to a check node followed by the actual allocation.
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::uncapturedSetLocalStoreElimination):
(JSC::DFG::CSEPhase::capturedSetLocalStoreElimination):
(JSC::DFG::CSEPhase::setLocalStoreElimination):
(JSC::DFG::CSEPhase::performNodeCSE):
(JSC::DFG::CSEPhase::SetLocalStoreEliminationResult::SetLocalStoreEliminationResult): Deleted.
* dfg/DFGNodeType.h:
* tests/stress/capture-escape-and-throw.js: Added.
(foo.f):
(foo):
* tests/stress/new-array-with-size-throw-exception-and-tear-off-arguments.js: Added.
(foo):
(bar):
2014-07-17 Dean Jackson
Disable some features on this branch.
Reviewed originally by Simon Fraser.
Disable:
- CSS_EXCLUSIONS
- CSS_GRID_LAYOUT
- INPUT_TYPE_COLOR
- INPUT_TYPE_COLOR_POPUP
- CANVAS_PATH
- CSS_TRANSFORMS_ANIMATIONS_UNPREFIXED
- INDIE_UI
- SHARED_WORKERS
- NAVIGATOR_HWCONCURRENCY
- GAMEPAD
- PICTURE_SIZES
- CSS3_CONDITIONAL_RULES
- WILL_REVEAL_EDGE_EVENTS
* Configurations/FeatureDefines.xcconfig:
2014-07-15 Benjamin Poulain
Reduce the overhead of updating the AssemblerBuffer
https://bugs.webkit.org/show_bug.cgi?id=134659
Reviewed by Gavin Barraclough.
In r164548, the linker was changed to allow the LinkBuffer to survive its MacroAssembler.
That feature is useful for JSC to get offsets inside a linked buffer in order to jump directly
there.
On ARM, we use branch compaction and we need to keep the "compaction offset" somewhere to be able
to get the real address of a label. That is done by reusing the memory of AssemblerData.
To share the memory between LinkBuffer and the Assembler, r164548 moved the AssemblerData into
a ref-counted object. Unfortunately, the extra complexity related to the new AssemblerData was enough
to make clang give up a bunch of optimizations.
This patch solves (some of) the problems by making AssemblerBuffer and AssemblerData super low overhead structures.
In particular, the grow() function becomes 8 Thumb instructions, which is easily inlined everywhere it is used.
Instead of sharing ownership between the Assembler and LinkBuffer, LinkBuffer now takes full ownership of
the AssemblerData. I feel this is also safer since LinkBuffer is reusing the AssemblerData in a very
specific way that would make it unusable for the Assembler.
-- Technical details --
From LinkBuffer, we don't want to ever access the Assembler after releasing its buffer (or writing anything
into it really). This was obviously already the case, but that was hard to prove from LinkBuffer::copyCompactAndLinkCode().
To make this easier to work with, I changed all the assembler specific functions to be static. This way we know
exactly what code accesses the Assembler instance. The code that does access the instance is then moved
to the beginning, before we modify anything.
The function recordLinkOffsets() that was on the MacroAssembler and copied in Assembler was moved directly
to LinkBuffer. This makes the modification of AssemblerData completely explicit, and that code is specific
to LinkBuffer anyway (see LinkBuffer::executableOffsetFor()).
-- Perf impact --
This does not put us exactly at before r164548 due to the missing inline buffer. Still, it is very close.
On ARMv7, this reduces the time spent in Assembler by half. On the CSS JIT, this reduces the compilation
time by ~20%.
I could not measure any difference on x86_64.
* assembler/ARM64Assembler.h:
(JSC::ARM64Assembler::jumpSizeDelta):
(JSC::ARM64Assembler::canCompact):
(JSC::ARM64Assembler::computeJumpType):
(JSC::ARM64Assembler::link):
(JSC::ARM64Assembler::recordLinkOffsets): Deleted.
* assembler/ARMv7Assembler.h:
(JSC::ARMv7Assembler::ifThenElseConditionBit):
(JSC::ARMv7Assembler::ifThenElse):
(JSC::ARMv7Assembler::jumpSizeDelta):
(JSC::ARMv7Assembler::canCompact):
(JSC::ARMv7Assembler::computeJumpType):
(JSC::ARMv7Assembler::link):
(JSC::ARMv7Assembler::linkJumpT1):
(JSC::ARMv7Assembler::linkJumpT3):
(JSC::ARMv7Assembler::linkConditionalJumpT4):
(JSC::ARMv7Assembler::linkConditionalBX):
(JSC::ARMv7Assembler::recordLinkOffsets): Deleted.
* assembler/AssemblerBuffer.h:
(JSC::AssemblerData::AssemblerData):
(JSC::AssemblerData::operator=):
(JSC::AssemblerData::~AssemblerData):
(JSC::AssemblerData::buffer):
(JSC::AssemblerData::capacity):
(JSC::AssemblerData::grow):
(JSC::AssemblerBuffer::AssemblerBuffer):
(JSC::AssemblerBuffer::isAvailable):
(JSC::AssemblerBuffer::data):
(JSC::AssemblerBuffer::releaseAssemblerData):
(JSC::AssemblerBuffer::putIntegral):
(JSC::AssemblerBuffer::putIntegralUnchecked):
(JSC::AssemblerBuffer::append):
(JSC::AssemblerBuffer::grow):
(JSC::AssemblerBuffer::~AssemblerBuffer): Deleted.
(JSC::AssemblerBuffer::storage): Deleted.
* assembler/LinkBuffer.cpp:
(JSC::recordLinkOffsets):
(JSC::LinkBuffer::copyCompactAndLinkCode):
* assembler/LinkBuffer.h:
(JSC::LinkBuffer::LinkBuffer):
(JSC::LinkBuffer::executableOffsetFor):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::canCompact):
(JSC::MacroAssemblerARM64::computeJumpType):
(JSC::MacroAssemblerARM64::jumpSizeDelta):
(JSC::MacroAssemblerARM64::link):
(JSC::MacroAssemblerARM64::recordLinkOffsets): Deleted.
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::canCompact):
(JSC::MacroAssemblerARMv7::computeJumpType):
(JSC::MacroAssemblerARMv7::jumpSizeDelta):
(JSC::MacroAssemblerARMv7::link):
(JSC::MacroAssemblerARMv7::recordLinkOffsets): Deleted.
2014-07-15 Mark Hahnenberg
Stores to PropertyTable use the Structure as the owner
https://bugs.webkit.org/show_bug.cgi?id=134595
Reviewed by Darin Adler.
Since PropertyTable is the object that does the marking of these references, it should be the owner.
Also removed some unused parameters to other methods that historically used the Structure as the owner.
* runtime/JSPropertyNameIterator.h:
(JSC::StructureRareData::setEnumerationCache):
* runtime/ObjectPrototype.cpp:
(JSC::objectProtoFuncToString):
* runtime/PropertyMapHashTable.h:
(JSC::PropertyTable::copy):
* runtime/PropertyTable.cpp:
(JSC::PropertyTable::clone):
(JSC::PropertyTable::PropertyTable):
* runtime/Structure.cpp:
(JSC::Structure::Structure):
(JSC::Structure::materializePropertyMap):
(JSC::Structure::addPropertyTransition):
(JSC::Structure::changePrototypeTransition):
(JSC::Structure::despecifyFunctionTransition):
(JSC::Structure::attributeChangeTransition):
(JSC::Structure::toDictionaryTransition):
(JSC::Structure::preventExtensionsTransition):
(JSC::Structure::takePropertyTableOrCloneIfPinned):
(JSC::Structure::nonPropertyTransition):
(JSC::Structure::copyPropertyTable):
(JSC::Structure::copyPropertyTableForPinning):
(JSC::Structure::putSpecificValue):
* runtime/Structure.h:
(JSC::Structure::setObjectToStringValue):
(JSC::Structure::setPreviousID):
* runtime/StructureInlines.h:
(JSC::Structure::setEnumerationCache):
* runtime/StructureRareData.h:
* runtime/StructureRareDataInlines.h:
(JSC::StructureRareData::setPreviousID):
(JSC::StructureRareData::setObjectToStringValue):
2014-07-15 Mark Hahnenberg
ScriptExecutable::forEachCodeBlock can dereference null CodeBlocks
https://bugs.webkit.org/show_bug.cgi?id=134928
Reviewed by Andreas Kling.
* bytecode/CodeBlock.h:
(JSC::ScriptExecutable::forEachCodeBlock): Check for null CodeBlocks before calling forEachRelatedCodeBlock.
2014-07-15 Eva Balazsfalvi
Buildfix if LLINT_SLOW_PATH_TRACING is enabled
https://bugs.webkit.org/show_bug.cgi?id=133790
Reviewed by Mark Lam.
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
2014-07-14 Filip Pizlo
Allow for Int52Rep to see things other than Int32, and make this testable
https://bugs.webkit.org/show_bug.cgi?id=134873
Reviewed by Geoffrey Garen and Mark Hahnenberg.
A major premise of our type inference is that prediction propagation can say whatever it
wants and we'll still have valid IR after Fixup. This previously didn't work with Int52s.
We required some kind of agreement between prediction propagation and fixup over which
data flow paths were Int52 and which weren't.
It turns out that we basically had such an agreement, with the exception of code that was
unreachable due to ForceOSRExit. Then, fixup and prediction propagation would disagree. It
might be nice to fix that bug - but it's only in the case of Int52 that such a thing would
be a bug! Normally, we allow sloppiness in prediction propagation.
This patch allows us to be sloppy with Int52 prediction propagation by giving Int52Rep the
ability to see inputs other than Int32. This fixes the particular ForceOSRExit bug (see
int52-force-osr-exit-path.js for the reduced test case). To make sure that the newly
empowered Int52Rep is actually correct - in case we end up using it on paths other than
ForceOSRExit - this patch introduces an internal intrinsic called fiatInt52() that forces
us to attempt Int52 conversion on the input. This patch adds a bunch of tests that stress
this intrinsic. This means that we're now stressing Int52Rep more so than ever before!
Note that it would still be a bug for prediction propagation to ever cause us to create an
Int52Rep node for a non-Int32 input. But, this will now be a performance bug, rather than
a crash bug.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter::executeEffects):
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::fixTypeForRepresentation):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsic):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::isMachineIntConstant):
* dfg/DFGNode.h:
(JSC::DFG::Node::isMachineIntConstant):
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::SafeToExecuteEdge::operator()):
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::speculate):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::convertMachineInt):
(JSC::DFG::SpeculativeJIT::speculateMachineInt):
(JSC::DFG::SpeculativeJIT::speculateDoubleRepMachineInt):
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
* dfg/DFGUseKind.cpp:
(WTF::printInternal):
* dfg/DFGUseKind.h:
(JSC::DFG::typeFilterFor):
(JSC::DFG::isNumerical):
(JSC::DFG::isDouble):
* dfg/DFGValidate.cpp:
(JSC::DFG::Validate::validate):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLIntrinsicRepository.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileInt52Rep):
(JSC::FTL::LowerDFGToLLVM::doubleToInt32):
(JSC::FTL::LowerDFGToLLVM::jsValueToDouble):
(JSC::FTL::LowerDFGToLLVM::jsValueToStrictInt52):
(JSC::FTL::LowerDFGToLLVM::doubleToStrictInt52):
(JSC::FTL::LowerDFGToLLVM::speculate):
(JSC::FTL::LowerDFGToLLVM::speculateMachineInt):
(JSC::FTL::LowerDFGToLLVM::speculateDoubleRepMachineInt):
* jit/JITOperations.h:
* jsc.cpp:
(GlobalObject::finishCreation):
(functionIdentity):
* runtime/Intrinsic.h:
* runtime/JSCJSValue.h:
* runtime/JSCJSValueInlines.h:
(JSC::tryConvertToInt52):
(JSC::isInt52):
(JSC::JSValue::isMachineInt):
* tests/stress/dead-fiat-double-to-int52-then-exit-not-int52.js: Added.
(foo):
* tests/stress/dead-fiat-double-to-int52.js: Added.
(foo):
* tests/stress/dead-fiat-int32-to-int52.js: Added.
(foo):
* tests/stress/dead-fiat-value-to-int52-double-path.js: Added.
(foo):
(bar):
* tests/stress/dead-fiat-value-to-int52-then-exit-not-double.js: Added.
(foo):
(bar):
* tests/stress/dead-fiat-value-to-int52-then-exit-not-int52.js: Added.
(foo):
(bar):
* tests/stress/dead-fiat-value-to-int52.js: Added.
(foo):
(bar):
* tests/stress/fiat-double-to-int52-then-exit-not-int52.js: Added.
(foo):
* tests/stress/fiat-double-to-int52-then-fail-to-fold.js: Added.
(foo):
* tests/stress/fiat-double-to-int52-then-fold.js: Added.
(foo):
* tests/stress/fiat-double-to-int52.js: Added.
(foo):
* tests/stress/fiat-int32-to-int52.js: Added.
(foo):
* tests/stress/fiat-value-to-int52-double-path.js: Added.
(foo):
(bar):
* tests/stress/fiat-value-to-int52-then-exit-not-double.js: Added.
(foo):
(bar):
* tests/stress/fiat-value-to-int52-then-exit-not-int52.js: Added.
(foo):
(bar):
* tests/stress/fiat-value-to-int52-then-fail-to-fold.js: Added.
(foo):
* tests/stress/fiat-value-to-int52-then-fold.js: Added.
(foo):
* tests/stress/fiat-value-to-int52.js: Added.
(foo):
(bar):
* tests/stress/int52-force-osr-exit-path.js: Added.
(foo):
2014-07-14 Mark Hahnenberg
Flattening dictionaries with oversize backing stores can cause crashes
https://bugs.webkit.org/show_bug.cgi?id=134906
Reviewed by Filip Pizlo.
The collector expects any pointers into CopiedSpace passed to copyLater are within 32 KB
of the CopiedBlock header. This was always the case except for when flattening a dictionary
caused the size of the Butterfly to decrease. This was equivalent to moving the base of the
Butterfly to higher addresses. If the object was reduced sufficiently in size, the base
would no longer be within the first 32 KB of the CopiedBlock and the next collection would
choke on the Butterfly pointer.
This patch fixes this issue by detecting this situation during flattening and memmove-ing
the Butterfly down to where the old base was.
* runtime/JSObject.cpp:
(JSC::JSObject::shiftButterflyAfterFlattening):
* runtime/JSObject.h:
(JSC::JSObject::butterflyPreCapacity):
(JSC::JSObject::butterflyTotalSize):
* runtime/Structure.cpp:
(JSC::Structure::flattenDictionaryStructure):
* tests/stress/flatten-oversize-dictionary-object.js: Added.
(foo):
2014-07-14 Benjamin Poulain
Remove some dead code from FTLJITFinalizer
https://bugs.webkit.org/show_bug.cgi?id=134874
Reviewed by Geoffrey Garen.
Not sure what that code was for...but it does not do anything :)
* ftl/FTLJITFinalizer.cpp:
(JSC::FTL::JITFinalizer::finalizeFunction):
The pointer of the label is computed but never used.
* ftl/FTLJITFinalizer.h:
* ftl/FTLLink.cpp:
(JSC::FTL::link):
The label is never set to anything.
2014-07-14 Bear Travis
[Feature Queries] Enable Feature Queries on Mac
https://bugs.webkit.org/show_bug.cgi?id=134404
Reviewed by Antti Koivisto.
Enable Feature Queries on Mac and resume running the
feature tests.
* Configurations/FeatureDefines.xcconfig: Turn on
ENABLE_CSS3_CONDITIONAL_RULES.
2014-07-11 Joseph Pecoraro
Web Inspector: Debugger Pause button does not work
https://bugs.webkit.org/show_bug.cgi?id=134785
Reviewed by Timothy Hatcher.
* CMakeLists.txt:
* DerivedSources.make:
Minification strips the sourceURL command. Add it back with minification.
2014-07-11 [email protected]
[Win] Enable DFG JIT.
https://bugs.webkit.org/show_bug.cgi?id=123615
Reviewed by Mark Lam.
When the return type of a JIT generated function call is larger than 64-bit (e.g. SlowPathReturnType),
the normal call() implementation cannot be used on 64-bit Windows, because the 64-bit Windows ABI is different in this case.
Also, when generating calls with double arguments, we need to make sure the arguments are put in the correct registers,
since the register allocation differs on 64-bit Windows.
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::callWithSlowPathReturnType): Added method to handle function calls where the return value type size is larger than 64-bit.
* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArgumentsWithExecState): Move arguments to correct registers when there are floating point arguments.
(JSC::CCallHelpers::setupArgumentsWithExecStateForCallWithSlowPathReturnType): Added method.
* jit/JIT.h:
(JSC::JIT::appendCallWithSlowPathReturnType): Added method.
* jit/JITInlines.h:
(JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType): Added method.
(JSC::JIT::callOperation): Call new method.
2014-07-09 Benjamin Poulain
Use 16bits instructions for push/pop on ARMv7 when possible
https://bugs.webkit.org/show_bug.cgi?id=134753
Reviewed by Geoffrey Garen.
The patch r170839 mixed the code for push/pop pair and single push/pop.
That part was reverted in r170909.
This patch puts the code back but specialized for single push/pop.
* assembler/ARMv7Assembler.h:
(JSC::ARMv7Assembler::pop):
(JSC::ARMv7Assembler::push):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::pop):
(JSC::MacroAssemblerARMv7::push):
2014-07-09 Brent Fulgham
[Win] Remove uses of 'bash' in build system
https://bugs.webkit.org/show_bug.cgi?id=134782
Reviewed by Dean Jackson.
Remove uses of 'bash' by replacing Windows-specific bash scripts
with Perl equivalents.
* JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
* JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj.filters:
* JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd:
* JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
* JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
* JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh.
* JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Removed.
* JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
* JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
* JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh.
* JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: Removed.
* JavaScriptCore.vcxproj/build-generated-files.pl: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/build-generated-files.sh.
* JavaScriptCore.vcxproj/build-generated-files.sh: Removed.
* JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd:
* JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd:
* JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd:
2014-07-09 Brent Fulgham
[Win] Remove use of 'grep' in build steps
https://bugs.webkit.org/show_bug.cgi?id=134770
Reviewed by Tim Horton.
Replace uses of the grep command in Windows builds with the equivalent
Perl program.
* JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd:
* JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd:
* JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd:
* JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd:
2014-07-08 Benjamin Poulain
Restore the assertion changed with 170839
* assembler/ARMv7Assembler.h:
(JSC::ARMv7Assembler::pop):
(JSC::ARMv7Assembler::push):
Revert the Assembler part of 170839. The assertions do not match both encodings.
I'll add specific version of push and pop instead.
2014-07-08 Jon Honeycutt
RemoteInspector::shared() should not call WTF::initializeMainThread()
Reviewed by Joseph Pecoraro.
* inspector/remote/RemoteInspector.mm:
(Inspector::RemoteInspector::shared):
Don't call WTF::initializeMainThread(). WTF threading is initialized by
JSC::initializeThreading().
2014-07-08 Andreas Kling
VM::lastCachedString should be a Strong, not a Weak.
Using Weak for this regressed some of our bindings perf tests
due to Weak having to allocate a new WeakImpl every time the last cached
string changed. Making it a Strong instead should make that problem go away.
Reviewed by Geoffrey Garen.
* runtime/JSString.cpp:
(JSC::jsStringWithCacheSlowCase):
* runtime/VM.h:
2014-07-07 Benjamin Poulain
Fix the build after r170876
* assembler/LinkBuffer.cpp:
(JSC::LinkBuffer::linkCode):
2014-07-07 Benjamin Poulain
LinkBuffer should not keep a reference to the MacroAssembler
https://bugs.webkit.org/show_bug.cgi?id=134668
Reviewed by Geoffrey Garen.
In FTL, the LinkBuffer can outlive the MacroAssembler that was used for code generation.
When that happens, the pointer m_assembler points to released memory. That was not causing
issues because the attribute is not used after linking, but that was not particularly
future proof.
This patch refactors LinkBuffer to avoid any lifetime risk. The MacroAssembler is now passed
as a reference, it is used for linking but no reference is ever stored with the LinkBuffer.
While fixing the call sites to use a reference, I also discovered LinkBuffer.h was included
everywhere. I refactored some #include to avoid that.
* assembler/LinkBuffer.cpp:
(JSC::LinkBuffer::copyCompactAndLinkCode):
(JSC::LinkBuffer::linkCode):
* assembler/LinkBuffer.h:
(JSC::LinkBuffer::LinkBuffer):
* bytecode/Watchpoint.cpp:
* dfg/DFGDisassembler.cpp:
* dfg/DFGDisassembler.h:
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):
(JSC::DFG::JITCompiler::linkFunction):
* dfg/DFGOSRExitCompiler.cpp:
* dfg/DFGPlan.cpp:
* dfg/DFGThunks.cpp:
(JSC::DFG::osrExitGenerationThunkGenerator):
(JSC::DFG::osrEntryThunkGenerator):
* ftl/FTLCompile.cpp:
(JSC::FTL::generateICFastPath):
(JSC::FTL::fixFunctionBasedOnStackMaps):
* ftl/FTLJSCall.cpp:
* ftl/FTLJSCall.h:
* ftl/FTLLink.cpp:
(JSC::FTL::link):
* ftl/FTLLowerDFGToLLVM.cpp:
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
* ftl/FTLThunks.cpp:
(JSC::FTL::osrExitGenerationThunkGenerator):
(JSC::FTL::slowPathCallThunkGenerator):
* jit/ArityCheckFailReturnThunks.cpp:
(JSC::ArityCheckFailReturnThunks::returnPCsFor):
* jit/JIT.cpp:
(JSC::JIT::privateCompile):
* jit/JITCall.cpp:
(JSC::JIT::privateCompileClosureCall):
* jit/JITCall32_64.cpp:
(JSC::JIT::privateCompileClosureCall):
* jit/JITDisassembler.cpp:
* jit/JITDisassembler.h:
* jit/JITOpcodes.cpp:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::stringGetByValStubGenerator):
(JSC::JIT::privateCompileGetByVal):
(JSC::JIT::privateCompilePutByVal):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::stringGetByValStubGenerator):
* jit/RegisterPreservationWrapperGenerator.cpp:
(JSC::generateRegisterPreservationWrapper):
(JSC::registerRestorationThunkGenerator):
* jit/Repatch.cpp:
(JSC::generateByIdStub):
(JSC::tryCacheGetByID):
(JSC::emitPutReplaceStub):
(JSC::emitPutTransitionStub):
(JSC::tryRepatchIn):
(JSC::linkClosureCall):
* jit/SpecializedThunkJIT.h:
(JSC::SpecializedThunkJIT::finalize):
* jit/ThunkGenerators.cpp:
(JSC::throwExceptionFromCallSlowPathGenerator):
(JSC::linkForThunkGenerator):
(JSC::linkClosureCallForThunkGenerator):
(JSC::virtualForThunkGenerator):
(JSC::nativeForGenerator):
(JSC::arityFixup):
* llint/LLIntThunks.cpp:
(JSC::LLInt::generateThunkWithJumpTo):
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::compile):
2014-07-07 Andreas Kling
Fast path for jsStringWithCache() when asked for the same string repeatedly.
Reviewed by Darin Adler.
Follow-up to r170818 addressing a review comment by Geoff Garen.
* runtime/JSString.cpp:
(JSC::jsStringWithCacheSlowCase):
2014-07-07 Tibor Meszaros
Add missing ENABLE(FTL_JIT) guards
https://bugs.webkit.org/show_bug.cgi?id=134680
Reviewed by Darin Adler.
* ftl/FTLDWARFDebugLineInfo.cpp:
* ftl/FTLDWARFDebugLineInfo.h:
* ftl/FTLGeneratedFunction.h:
2014-07-07 Zan Dobersek
Enable ARMv7 disassembler for the GTK port
https://bugs.webkit.org/show_bug.cgi?id=134676
Reviewed by Benjamin Poulain.
* CMakeLists.txt: Add ARMv7DOpcode.cpp file to the build.
* disassembler/ARMv7/ARMv7DOpcode.cpp: Include the string.h header for strlen().
2014-07-06 Benjamin Poulain
[ARMv7] Use 16 bits instructions for push/pop when possible
https://bugs.webkit.org/show_bug.cgi?id=134656
Reviewed by Andreas Kling.
* assembler/ARMv7Assembler.h:
(JSC::ARMv7Assembler::pop):
(JSC::ARMv7Assembler::push):
(JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp7Imm9):
Add the 16 bits version of push and pop.
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::pop):
(JSC::MacroAssemblerARMv7::push):
Use the new push/pop instead of a regular load/store.
* disassembler/ARMv7/ARMv7DOpcode.cpp:
(JSC::ARMv7Disassembler::ARMv7DOpcode::appendRegisterList):
* disassembler/ARMv7/ARMv7DOpcode.h:
(JSC::ARMv7Disassembler::ARMv7DOpcodeMiscPushPop::registerMask):
Fix the disassembler for push/pop:
-The register mask was on 7 bits for some reason.
-The code printing the registers was comparing a register ID with a register
mask.
2014-07-06 Yoav Weiss
Turn on img@sizes compile flag
https://bugs.webkit.org/show_bug.cgi?id=134634
Reviewed by Benjamin Poulain.
* Configurations/FeatureDefines.xcconfig: Moved compile flag to alphabetical order.
2014-07-06 Daewoong Jang
Flags value of SourceCodeKey should be unique for each case.
https://bugs.webkit.org/show_bug.cgi?id=134435
Reviewed by Darin Adler.
Different combinations of CodeType and JSParserStrictness could generate the same m_flags value because
the value of CodeType and the value of JSParserStrictness share a bit inside the m_flags member variable.
Shift the value of CodeType one bit farther to the left so those values don't overlap.
* runtime/CodeCache.h:
(JSC::SourceCodeKey::SourceCodeKey):
2014-07-04 Andreas Kling
Fast path for jsStringWithCache() when asked for the same string repeatedly.
Also moved the whole thing from WebCore to JavaScriptCore since it
makes more sense here, and inline the lightweight checks, leaving only
the hashmap stuff out of line.
Reviewed by Darin Adler.
* runtime/JSString.cpp:
(JSC::jsStringWithCacheSlowCase):
* runtime/JSString.h:
(JSC::jsStringWithCache):
* runtime/VM.h:
2014-07-03 Daniel Bates
Add WTF::move()
https://bugs.webkit.org/show_bug.cgi?id=134500
Rubber-stamped by Anders Carlsson.
Substitute WTF::move() for std::move().
* bytecode/CodeBlock.h:
* bytecode/UnlinkedCodeBlock.cpp:
* bytecompiler/BytecodeGenerator.cpp:
* dfg/DFGGraph.cpp:
* dfg/DFGJITCompiler.cpp:
* dfg/DFGStackLayoutPhase.cpp:
* dfg/DFGWorklist.cpp:
* heap/DelayedReleaseScope.h:
* heap/HeapInlines.h:
[...]
2014-07-03 Filip Pizlo
SSA DCE should process blocks in forward order
https://bugs.webkit.org/show_bug.cgi?id=134611
Reviewed by Andreas Kling.
* dfg/DFGDCEPhase.cpp:
(JSC::DFG::DCEPhase::run):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
* tests/stress/dead-value-with-mov-hint-in-another-block.js: Added.
(foo):
2014-07-03 Filip Pizlo
JSActivation::symbolTablePut() should invalidate variable watchpoints
https://bugs.webkit.org/show_bug.cgi?id=134602
Reviewed by Oliver Hunt.
Usually stores to captured variables cause us to invalidate the variable watchpoint because CodeBlock does so
during linking - we essentially assume that if it's at all possible for an inner function to store to a
variable we declare then this variable cannot be a constant. But this misses the dynamic store case, i.e.
JSActivation::symbolTablePut(). Part of the problem here is that JSActivation duplicates
JSSymbolTableObject's symbolTablePut() logic, which did have the invalidation. This patch keeps that code
duplicated, but fixes JSActivation::symbolTablePut() to do the right thing.
* runtime/JSActivation.cpp:
(JSC::JSActivation::symbolTablePut):
* runtime/JSSymbolTableObject.h:
(JSC::symbolTablePut):
* tests/stress/constant-closure-var-with-dynamic-invalidation.js: Added.
(.):
2014-07-01 Mark Lam
Debugger's breakpoint list should not be a Vector.
Reviewed by Geoffrey Garen.
The debugger currently stores breakpoint data as entries in a Vector (see
BreakpointsInLine). It also keeps a fast map look up of breakpoint IDs to
the breakpoint data (see m_breakpointIDToBreakpoint). Because a Vector can
compact or reallocate its backing store, this can cause all sorts of havoc.
The m_breakpointIDToBreakpoint map assumes that the breakpoint data doesn't
move in memory.
The fix is to replace the BreakpointsInLine Vector with a BreakpointsList
doubly linked list.
* debugger/Breakpoint.h:
(JSC::Breakpoint::Breakpoint):
(JSC::BreakpointsList::~BreakpointsList):
* debugger/Debugger.cpp:
(JSC::Debugger::setBreakpoint):
(JSC::Debugger::removeBreakpoint):
(JSC::Debugger::hasBreakpoint):
* debugger/Debugger.h:
2014-06-30 Michael Saboff
Add option to run-jsc-stress-tests to filter out tests that use large heaps
https://bugs.webkit.org/show_bug.cgi?id=134458
Reviewed by Filip Pizlo.
Added test to skip js1_5/Regress/regress-159334.js when testing on a memory limited device.
* tests/mozilla/mozilla-tests.yaml:
2014-06-30 Daniel Bates
Avoid copying closed variables vector; actually use move semantics
Rubber-stamped by Oliver Hunt.
Currently we always copy the closed variables vector passed by Parser::closedVariables()
to ProgramNode::setClosedVariables() because these member functions return and take a const
rvalue reference, respectively. Instead, these member functions should take and return a
non-constant rvalue reference so that we actually move the closed variables vector from the Parser
object to the Node object.
* parser/Nodes.cpp:
(JSC::ProgramNode::setClosedVariables): Remove const qualifier for argument.
* parser/Nodes.h:
(JSC::ScopeNode::setClosedVariables): Ditto.
* parser/Parser.h:
(JSC::Parser::closedVariables): Remove const qualifier on return type.
(JSC::parse): Remove extraneous call to std::move(). Calling std::move() is unnecessary here
because Parser::closedVariables() returns an rvalue reference.
2014-06-30 Joseph Pecoraro
JSContext Inspection: Provide a way to use a non-Main RunLoop for Inspector JavaScript Evaluations
https://bugs.webkit.org/show_bug.cgi?id=134371
Reviewed by Timothy Hatcher.
* API/JSContextPrivate.h:
* API/JSContext.mm:
(-[JSContext _debuggerRunLoop]):
(-[JSContext _setDebuggerRunLoop:]):
Private API for setting the CFRunLoop for a debugger to evaluate in.
* API/JSContextRefInternal.h: Added.
* API/JSContextRef.cpp:
(JSGlobalContextGetDebuggerRunLoop):
(JSGlobalContextSetDebuggerRunLoop):
Internal API for setting a CFRunLoop on a JSContextRef.
Set this on the debuggable.
* inspector/remote/RemoteInspectorDebuggable.h:
* inspector/remote/RemoteInspectorDebuggableConnection.h:
(Inspector::RemoteInspectorBlock::RemoteInspectorBlock):
(Inspector::RemoteInspectorBlock::~RemoteInspectorBlock):
(Inspector::RemoteInspectorBlock::operator=):
(Inspector::RemoteInspectorBlock::operator()):
Moved into the header.
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::inspectorDebuggable):
Let's store the RunLoop on the debuggable instead of this core
platform-agnostic class, so expose the debuggable.
* inspector/remote/RemoteInspectorDebuggableConnection.mm:
(Inspector::RemoteInspectorHandleRunSourceGlobal):
(Inspector::RemoteInspectorQueueTaskOnGlobalQueue):
(Inspector::RemoteInspectorInitializeGlobalQueue):
Rename the global functions for clarity.
(Inspector::RemoteInspectorHandleRunSourceWithInfo):
Handler for private run loops.
(Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
(Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection):
(Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable):
(Inspector::RemoteInspectorDebuggableConnection::setupRunLoop):
(Inspector::RemoteInspectorDebuggableConnection::teardownRunLoop):
(Inspector::RemoteInspectorDebuggableConnection::queueTaskOnPrivateRunLoop):
Set up and tear down, and use, private run loop sources if the debuggable needs them.
2014-06-30 Tibor Meszaros
Add missing ENABLE(DFG_JIT) guards
https://bugs.webkit.org/show_bug.cgi?id=134444
Reviewed by Darin Adler.
* dfg/DFGFunctionWhitelist.cpp:
* dfg/DFGFunctionWhitelist.h:
2014-06-29 Yoav Weiss
Add support for HTMLImageElement's sizes attribute
https://bugs.webkit.org/show_bug.cgi?id=133620
Reviewed by Dean Jackson.
Added an ENABLE_PICTURE_SIZES compile flag.
* Configurations/FeatureDefines.xcconfig:
2014-06-27 Filip Pizlo
Don't fold a UInt32ToNumber with DoOverflow to Identity since that would result in an Identity that takes an Int32 and returns a DoubleRep
https://bugs.webkit.org/show_bug.cgi?id=134412
Reviewed by Mark Hahnenberg.
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::setReplacement):
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
* dfg/DFGValidate.cpp:
(JSC::DFG::Validate::validate):
* tests/stress/uint32-to-number-fold-constant-with-do-overflow.js: Added.
(foo):
(bar):
(baz):
2014-06-27 Peyton Randolph
Add feature flag for link long-press gesture.
https://bugs.webkit.org/show_bug.cgi?id=134262
Reviewed by Enrica Casucci.
* Configurations/FeatureDefines.xcconfig:
Add ENABLE_LINK_LONG_PRESS.
2014-06-27 László Langó
[JavaScriptCore] FTL buildfix for EFL platform.
https://bugs.webkit.org/show_bug.cgi?id=133546
Reviewed by Darin Adler.
* ftl/FTLAbstractHeap.cpp:
(JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
* ftl/FTLLocation.cpp:
(JSC::FTL::Location::forStackmaps):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::opposite):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
* ftl/FTLStackMaps.cpp:
(JSC::FTL::StackMaps::Constant::dump):
* llvm/InitializeLLVMPOSIX.cpp:
(JSC::initializeLLVMPOSIX):
2014-06-26 Benjamin Poulain
iOS 8 beta 2 ES6 'Set' clear() broken
https://bugs.webkit.org/show_bug.cgi?id=134346
Reviewed by Oliver Hunt.
The object map was not cleared :(.
Kudos to Ashley Gullen for tracking this and making a regression test.
Credit to Oliver for finding the missing code.
* runtime/MapData.h:
(JSC::MapData::clear):
2014-06-25 Brent Fulgham
[Win] Expose Cache Information to WinLauncher
https://bugs.webkit.org/show_bug.cgi?id=134318
Reviewed by Dean Jackson.
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing
MemoryStatistics files to the Windows build.
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2014-06-26 David Kilzer
DFG::FunctionWhitelist::parseFunctionNamesInFile does not close file
Reviewed by Michael Saboff.
* dfg/DFGFunctionWhitelist.cpp:
(JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
Close the file handle, and log an error on failure.
2014-06-25 Dana Burkart
Add support for 5-tuple versioning.
Reviewed by David Farler.
* Configurations/Version.xcconfig:
2014-06-25 Geoffrey Garen
Build fix.
Unreviewed.
* runtime/JSDateMath.cpp:
(JSC::parseDateFromNullTerminatedCharacters):
* runtime/VM.cpp:
(JSC::VM::resetDateCache): Use std::numeric_limits instead of QNaN
constant since that constant doesn't exist anymore.
2014-06-25 Geoffrey Garen
Unreviewed, rolling out r166876.
Caused some ECMA test262 failures
Reverted changeset:
"Date object needs to check for ES5 15.9.1.14 TimeClip limit."
https://bugs.webkit.org/show_bug.cgi?id=131248
http://trac.webkit.org/changeset/166876
2014-06-25 Brent Fulgham
[Win] Unreviewed gardening.
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Update to
put various files in proper IDE categories.
2014-06-25 [email protected]
[Win64] ASM LLINT is not enabled.
https://bugs.webkit.org/show_bug.cgi?id=130638
This patch adds a new LLINT assembler backend for Win64, and implements it.
It makes adjustments to follow the Win64 ABI spec where that is found to be needed.
Also, LLINT and JIT are enabled for Win64.
Reviewed by Mark Lam.
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added JITStubsMSVC64.asm.
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
* JavaScriptCore/JavaScriptCore.vcxproj/jsc/jscCommon.props: Increased stack size to avoid stack overflow in tests.
* JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Generate assembler source file for Win64.
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::call): Follow Win64 ABI spec.
* jit/JITStubsMSVC64.asm: Added.
* jit/Repatch.cpp:
(JSC::emitPutTransitionStub): Compile fix.
* jit/ThunkGenerators.cpp:
(JSC::nativeForGenerator): Follow Win64 ABI spec.
* llint/LLIntData.cpp:
(JSC::LLInt::Data::performAssertions): Ditto.
* llint/LLIntOfflineAsmConfig.h: Enable new llint backend for Win64.
* llint/LowLevelInterpreter.asm: Implement new Win64 backend, and follow Win64 ABI spec.
* llint/LowLevelInterpreter64.asm: Ditto.
* offlineasm/asm.rb: Compile fix.
* offlineasm/backends.rb: Add new llint backend for Win64.
* offlineasm/settings.rb: Compile fix.
* offlineasm/x86.rb: Implement new llint Win64 backend.
2014-06-25 Laszlo Gombos
Remove build guard for progress element
https://bugs.webkit.org/show_bug.cgi?id=134292
Reviewed by Benjamin Poulain.
* Configurations/FeatureDefines.xcconfig:
2014-06-24 Michael Saboff
Add support routines to provide descriptive JavaScript backtraces
https://bugs.webkit.org/show_bug.cgi?id=134278
Reviewed by Mark Lam.
* interpreter/CallFrame.cpp:
(JSC::CallFrame::dump):
(JSC::CallFrame::describeFrame):
* interpreter/CallFrame.h:
* runtime/JSCJSValue.cpp:
(JSC::JSValue::dumpForBacktrace):
* runtime/JSCJSValue.h:
2014-06-24 Brady Eidson
Enable GAMEPAD in the Mac build, but disabled at runtime.
https://bugs.webkit.org/show_bug.cgi?id=134255
Reviewed by Dean Jackson.
* Configurations/FeatureDefines.xcconfig:
* runtime/JSObject.h: Export JSObject::removeDirect() to allow disabling
functions at runtime.
2014-06-24 Mark Hahnenberg
REGRESSION (r169703): Invalid cast in JSC::asGetterSetter / JSC::JSObject::defineOwnNonIndexProperty
https://bugs.webkit.org/show_bug.cgi?id=134046
Reviewed by Filip Pizlo.
* runtime/GetterSetter.h:
(JSC::asGetterSetter):
* runtime/JSObject.cpp:
(JSC::JSObject::defineOwnNonIndexProperty): We need to check for a CustomGetterSetter here as well as
a normal GetterSetter. If we encounter a CustomGetterSetter, we delete it, create a new normal GetterSetter,
and insert it like normal. We also need to check for CustomAccessors when checking for unconfigurable properties.
2014-06-24 Brent Fulgham
[Win] MSVC mishandles enums in bitfields
https://bugs.webkit.org/show_bug.cgi?id=134237
Reviewed by Michael Saboff.
Replace uses of enum types in bit fields with unsigned to
avoid losing a bit to hold the sign value. This can result
in Windows interpreting the value of the field improperly.
* bytecode/StructureStubInfo.h:
* parser/Nodes.h:
2014-06-23 Andreas Kling
Inline the UnlinkedInstructionStream::Reader logic.
This class is only used by CodeBlock to unpack the unlinked instructions,
and we were spending 0.5% of total time on PLT calling Reader::next().
Move the logic to the header file and mark it ALWAYS_INLINE.
Reviewed by Geoffrey Garen.
* bytecode/UnlinkedInstructionStream.cpp:
* bytecode/UnlinkedInstructionStream.h:
(JSC::UnlinkedInstructionStream::Reader::Reader):
(JSC::UnlinkedInstructionStream::Reader::read8):
(JSC::UnlinkedInstructionStream::Reader::read32):
(JSC::UnlinkedInstructionStream::Reader::next):
2014-06-20 Sam Weinig
Remove static tables for bindings that use eager reification
https://bugs.webkit.org/show_bug.cgi?id=134126
Reviewed by Oliver Hunt.
* runtime/JSObject.cpp:
(JSC::JSObject::putDirectCustomAccessor):
* runtime/Structure.h:
(JSC::Structure::setHasCustomGetterSetterProperties):
Change setHasCustomGetterSetterProperties to behave like setHasGetterSetterProperties, and set
the m_hasReadOnlyOrGetterSetterPropertiesExcludingProto bit if the property is not __proto__.
Without this, JSObject::put() won't think there are any setters on the prototype chain of an
object that has no static lookup table and uses eagerly reified custom getter/setter properties.
2014-06-21 Brady Eidson
Gamepad API - Deprecate the existing implementation
https://bugs.webkit.org/show_bug.cgi?id=134108
Reviewed by Timothy Hatcher.
-Add new "GAMEPAD_DEPRECATED" build flag, moving the existing implementation to use it
-Move some implementation files into a "deprecated" subdirectory.
* Configurations/FeatureDefines.xcconfig:
2014-06-21 Commit Queue
Unreviewed, rolling out r170244.
https://bugs.webkit.org/show_bug.cgi?id=134157
GTK/EFL bindings generator works differently, making this
patch not work there. Will fix entire patch after a rollout.
(Requested by bradee-oh on #webkit).
Reverted changeset:
"Gamepad API - Deprecate the existing implementation"
https://bugs.webkit.org/show_bug.cgi?id=134108
http://trac.webkit.org/changeset/170244
2014-06-21 Brady Eidson
Gamepad API - Deprecate the existing implementation
https://bugs.webkit.org/show_bug.cgi?id=134108
Reviewed by Timothy Hatcher.
-Add new "GAMEPAD_DEPRECATED" build flag, moving the existing implementation to use it
-Add the "Deprecated" suffix to some implementation files
* Configurations/FeatureDefines.xcconfig:
2014-06-21 Eva Balazsfalvi
Removing PAGE_VISIBILITY_API compile guard.
https://bugs.webkit.org/show_bug.cgi?id=133844
Reviewed by Gavin Barraclough.
* Configurations/FeatureDefines.xcconfig:
2014-06-21 Eva Balazsfalvi
ARM traditional buildfix after r169942.
https://bugs.webkit.org/show_bug.cgi?id=134100
Reviewed by Zoltan Herczeg.
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::abortWithReason): Added.
2014-06-20 Andreas Kling
[Cocoa] Release freed up blocks from the JS heap after simulated memory pressure.
Reviewed by Mark Hahnenberg.
* heap/BlockAllocator.h:
2014-06-19 Alex Christensen
Unreviewed fix after r170130.
* JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj:
Corrected directory so it can find common.props when opening Visual Studio.
2014-06-19 Dániel Bátyai
Remove ENABLE(LLINT) and ENABLE(LLINT_C_LOOP) guards
https://bugs.webkit.org/show_bug.cgi?id=130389
Reviewed by Mark Lam.
Removed ENABLE(LLINT) since we always build with it, and changed ENABLE(LLINT_C_LOOP)
into !ENABLE(JIT) since they are mutually exclusive.
* CMakeLists.txt:
* assembler/MacroAssemblerCodeRef.h:
(JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
(JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
* assembler/MaxFrameExtentForSlowPathCall.h:
* bytecode/CallLinkStatus.cpp:
(JSC::CallLinkStatus::computeFromLLInt):
* bytecode/CodeBlock.cpp:
(JSC::dumpStructure):
(JSC::CodeBlock::printGetByIdCacheStatus):
(JSC::CodeBlock::printCallOp):
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::~CodeBlock):
(JSC::CodeBlock::propagateTransitions):
(JSC::CodeBlock::finalizeUnconditionally):
(JSC::CodeBlock::unlinkCalls):
(JSC::CodeBlock::unlinkIncomingCalls):
(JSC::CodeBlock::linkIncomingCall):
(JSC::CodeBlock::frameRegisterCount):
* bytecode/CodeBlock.h:
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeFromLLInt):
* bytecode/Opcode.h:
(JSC::padOpcodeName):
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeFromLLInt):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitCall):
(JSC::BytecodeGenerator::emitConstruct):
* heap/Heap.cpp:
(JSC::Heap::gatherJSStackRoots):
* interpreter/Interpreter.cpp:
(JSC::Interpreter::initialize):
(JSC::Interpreter::isOpcode):
* interpreter/Interpreter.h:
(JSC::Interpreter::getOpcodeID):
* interpreter/JSStack.cpp:
(JSC::JSStack::JSStack):
(JSC::JSStack::committedByteCount):
* interpreter/JSStack.h:
* interpreter/JSStackInlines.h:
(JSC::JSStack::ensureCapacityFor):
(JSC::JSStack::topOfFrameFor):
(JSC::JSStack::setStackLimit):
* jit/ExecutableAllocatorFixedVMPool.cpp:
(JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
* jit/JIT.h:
(JSC::JIT::compileCTINativeCall):
* jit/JITExceptions.h:
* jit/JITThunks.cpp:
(JSC::JITThunks::ctiNativeCall):
(JSC::JITThunks::ctiNativeConstruct):
* llint/LLIntCLoop.cpp:
* llint/LLIntCLoop.h:
* llint/LLIntData.cpp:
(JSC::LLInt::initialize):
(JSC::LLInt::Data::performAssertions):
* llint/LLIntData.h:
(JSC::LLInt::Data::performAssertions): Deleted.
* llint/LLIntEntrypoint.cpp:
* llint/LLIntEntrypoint.h:
* llint/LLIntExceptions.cpp:
* llint/LLIntExceptions.h:
* llint/LLIntOfflineAsmConfig.h:
* llint/LLIntOffsetsExtractor.cpp:
(JSC::LLIntOffsetsExtractor::dummy):
* llint/LLIntOpcode.h:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LLIntSlowPaths.h:
* llint/LLIntThunks.cpp:
* llint/LLIntThunks.h:
* llint/LowLevelInterpreter.cpp:
* llint/LowLevelInterpreter.h:
* runtime/CommonSlowPaths.cpp:
* runtime/CommonSlowPaths.h:
* runtime/ErrorHandlingScope.cpp:
(JSC::ErrorHandlingScope::ErrorHandlingScope):
(JSC::ErrorHandlingScope::~ErrorHandlingScope):
* runtime/Executable.cpp:
(JSC::setupLLInt):
* runtime/InitializeThreading.cpp:
(JSC::initializeThreading):
* runtime/JSCJSValue.h:
* runtime/JSCJSValueInlines.h:
* runtime/Options.cpp:
(JSC::recomputeDependentOptions):
* runtime/VM.cpp:
(JSC::VM::VM):
(JSC::sanitizeStackForVM):
* runtime/VM.h:
(JSC::VM::canUseJIT): Deleted.
2014-06-18 Alex Christensen
Add FTL to Windows build.
https://bugs.webkit.org/show_bug.cgi?id=134015
Reviewed by Filip Pizlo.
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
Added ftl source files.
* JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
Added ftl and llvm directories to include path.
* JavaScriptCore.vcxproj/libllvmForJSC: Added.
* JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.props: Added.
* JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj: Added.
* JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj.filters: Added.
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
MSVC doesn't like to divide by zero while compiling. Use std::nan instead.
* llvm/InitializeLLVMWin.cpp: Added.
(JSC::initializeLLVMImpl):
Implemented dynamic loading and linking for Windows.
2014-06-18 Alex Christensen
Unreviewed build fix after r170107.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileArithMod):
Use non-template sub for armv7s.
2014-06-18 David Kilzer
-[JSContext setName:] leaks NSString
Reviewed by Joseph Pecoraro.
Fixes the following static analyzer warning:
JavaScriptCore/API/JSContext.mm:200:73: warning: Potential leak of an object
JSStringRef nameJS = name ? JSStringCreateWithCFString((CFStringRef)[name copy]) : nullptr;
^
* API/JSContext.mm:
(-[JSContext setName:]): Autorelease the copy of |name|.
2014-06-18 Mark Lam
DFGGraph::m_doubleConstantMap will not map 0 values correctly.
Reviewed by Geoffrey Garen.
DFGGraph::m_doubleConstantsMap should not use a double as a key to its HashMap,
because it means two unfortunate things:
- It will probably break for zero.
- It will think that -0 is the same as +0 under some circumstances, since
-0==+0 even though they are distinct values (for example 1/-0 != 1/+0).
The fix is to use std::unordered_map which does not require special empty
and deleted values, and to use the raw bits instead of the double value as
the key.
* dfg/DFGGraph.h:
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::addressOfDoubleConstant):
2014-06-18 Alex Christensen
Remove duplicate code using sdiv.
https://bugs.webkit.org/show_bug.cgi?id=133764
Reviewed by Daniel Bates.
* assembler/ARMv7Assembler.h:
(JSC::ARMv7Assembler::sdiv):
Make sdiv a template to match arm64.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileArithDiv):
(JSC::DFG::SpeculativeJIT::compileArithMod):
Remove duplicate code that was identical except for sdiv not being a template.
2014-06-17 Commit Queue
Unreviewed, rolling out r170082.
https://bugs.webkit.org/show_bug.cgi?id=134006
Breaks build. (Requested by mlam on #webkit).
Reverted changeset:
"DFGGraph::m_doubleConstantMap will not map 0 values
correctly."
https://bugs.webkit.org/show_bug.cgi?id=133994
http://trac.webkit.org/changeset/170082
2014-06-17 Mark Lam
DFGGraph::m_doubleConstantMap will not map 0 values correctly.
Reviewed by Geoffrey Garen.
DFGGraph::m_doubleConstantsMap should not use a double as a key to its HashMap,
because it means two unfortunate things:
- It will probably break for zero.
- It will think that -0 is the same as +0 under some circumstances, since
-0==+0 even though they are distinct values (for example 1/-0 != 1/+0).
The fix is to use std::unordered_map which does not require special empty
and deleted values, and to use the raw bits instead of the double value as
the key.
* dfg/DFGGraph.h:
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::addressOfDoubleConstant):
2014-06-17 Oliver Hunt
Fix error messages for incorrect hex literals
https://bugs.webkit.org/show_bug.cgi?id=133998
Reviewed by Mark Lam.
Ensure that the error messages for bogus hex literals actually
make sense.
* parser/Lexer.cpp:
(JSC::Lexer::lex):
* parser/ParserTokens.h:
2014-06-17 Matthew Mirman
Fixes bug where building JSC sometimes crashes at build-symbol-table-index.py. Also adds licenses.
https://bugs.webkit.org/show_bug.cgi?id=133814
Reviewed by Filip Pizlo.
Adds the "shopt -s nullglob" line necessary to prevent the loop in the shell
script from using "*.o" as a file when no other files in the directory exist.
* build-symbol-table-index.sh: Added license.
* copy-llvm-ir-to-derived-sources.sh: Added license and "shopt -s nullglob" line.
2014-06-16 Sam Weinig
Move forward declaration of bindings static functions into their implementation files
https://bugs.webkit.org/show_bug.cgi?id=133943
Reviewed by Geoffrey Garen.
* runtime/CommonIdentifiers.h:
Add a few identifiers that are needed by the DOM.
2014-06-16 Mark Lam
Parser statementDepth accounting needs to account for when a function body excludes its braces.
Reviewed by Oliver Hunt.
In some cases (e.g. when a Function object is instantiated from a string), the
function body source may not include its braces. The parser needs to account
for this when calculating its statementDepth.
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::generateFunctionCodeBlock):
(JSC::UnlinkedFunctionExecutable::codeBlockFor):
* bytecode/UnlinkedCodeBlock.h:
* parser/Parser.cpp:
(JSC::Parser::parseStatement):
- Also fixed the error message for declaring nested functions in strict mode
to be more accurate.
* parser/Parser.h:
(JSC::Parser::parse):
(JSC::parse):
* runtime/Executable.cpp:
(JSC::ScriptExecutable::newCodeBlockFor):
2014-06-16 Juergen Ributzka
Change the order of the alias analysis passes to align with the opt pipeline of LLVM
https://bugs.webkit.org/show_bug.cgi?id=133753
Reviewed by Geoffrey Garen.
The order in which the alias analysis passes are added also affects the
order in which they are utilized. Change the order to align with the
one used by LLVM itself. The last alias analysis pass added will be
evaluated first. With this change we first perform a basic alias
analysis and then use the type-based alias analysis (if required).
* ftl/FTLCompile.cpp:
(JSC::FTL::compile):
2014-06-16 Juergen Ributzka
Fix the arguments passed to the LLVM dylib
https://bugs.webkit.org/show_bug.cgi?id=133757
Reviewed by Geoffrey Garen.
The LLVM command line argument parser assumes that the first argument
is the program name. We need to add a fake program name, otherwise the
first argument will be parsed as program name and ignored.
* llvm/library/LLVMExports.cpp:
(initializeAndGetJSCLLVMAPI):
2014-06-16 Michael Saboff
Convert ASSERT in inlineFunctionForCapabilityLevel to early return
https://bugs.webkit.org/show_bug.cgi?id=133903
Reviewed by Mark Hahnenberg.
Hardened code by converting ASSERT to return CannotCompile.
* dfg/DFGCapabilities.h:
(JSC::DFG::inlineFunctionForCapabilityLevel):
2014-06-13 Sam Weinig
Store DOM constants directly in the JS object rather than jumping through a custom accessor
https://bugs.webkit.org/show_bug.cgi?id=133898
Reviewed by Oliver Hunt.
* runtime/Lookup.h:
(JSC::HashTableValue::attributes):
Switch attributes to be stored as an unsigned rather than an unsigned char, since there is no difference in memory use
and it will make adding more flags possible.
(JSC::HashTableValue::propertyGetter):
(JSC::HashTableValue::propertyPutter):
Change assertion to use BuiltinOrFunctionOrConstant.
(JSC::HashTableValue::constantInteger):
Added.
(JSC::getStaticPropertySlot):
(JSC::getStaticValueSlot):
Use PropertySlot::setValue() for constants during static lookup.
(JSC::reifyStaticProperties):
Put the constant directly on the object when eagerly reifying.
* runtime/PropertySlot.h:
Add ConstantInteger flag and BuiltinOrFunctionOrConstant helper.
2014-06-14 Michael Saboff
operationCreateArguments could cause a GC during OSR exit
https://bugs.webkit.org/show_bug.cgi?id=133905
Reviewed by Filip Pizlo.
Defer GC via new wrapper functions for operationCreateArguments and operationCreateInlinedArguments
for use by OSR exit stubs.
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::ArgumentsRecoveryGenerator::generateFor):
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* jit/JITOperations.cpp:
* jit/JITOperations.h:
2014-06-13 Mark Hahnenberg
OSR exit should barrier the Executables for all InlineCallFrames, not just those on the stack at the time of exit
https://bugs.webkit.org/show_bug.cgi?id=133880
Reviewed by Filip Pizlo.
We could have exited due to a value received from an inlined block that's no longer on
the stack, so we should just barrier all InlineCallFrames.
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::adjustAndJumpToTarget):
2014-06-13 Alex Christensen
Make css jit compile for armv7.
https://bugs.webkit.org/show_bug.cgi?id=133596
Reviewed by Benjamin Poulain.
* assembler/MacroAssembler.h:
Use branchPtr on ARM_THUMB2.
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::addPtrNoFlags):
(JSC::MacroAssemblerARMv7::or32):
(JSC::MacroAssemblerARMv7::test32):
(JSC::MacroAssemblerARMv7::branch):
(JSC::MacroAssemblerARMv7::branchPtr):
Added macros necessary for css jit.
2014-06-13 Filip Pizlo
Unreviewed, fix ARMv7.
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::abortWithReason):
2014-06-12 Filip Pizlo
Even better diagnostics from DFG traps
https://bugs.webkit.org/show_bug.cgi?id=133836
Reviewed by Oliver Hunt.
We now stuff the DFG::NodeType into a register before bailing. Also made the
DFGBailed abort reason a bit more specific. As planned, the new abort reasons use
different numbers than any previous abort reasons.
* assembler/AbortReason.h:
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::abortWithReason):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::abortWithReason):
* assembler/MacroAssemblerX86.h:
(JSC::MacroAssemblerX86::abortWithReason):
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::abortWithReason):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::SpeculativeJIT):
(JSC::DFG::SpeculativeJIT::bail):
(JSC::DFG::SpeculativeJIT::compileCurrentBlock):
* dfg/DFGSpeculativeJIT.h:
2014-06-12 Simon Fraser
Fix assertions under JSC::setNeverInline() when running js tests in WebKitTestRunner
https://bugs.webkit.org/show_bug.cgi?id=133840
Reviewed by Filip Pizlo.
Fix ASSERT(exec->vm().currentThreadIsHoldingAPILock()); under JSC::setNeverInline()
when running DFG tests.
* API/JSCTestRunnerUtils.cpp:
(JSC::numberOfDFGCompiles):
(JSC::setNeverInline):
2014-06-12 Brent Fulgham
[Win] Avoid fork bomb during build
https://bugs.webkit.org/show_bug.cgi?id=133837
Reviewed by Tim Horton.
* JavaScriptCore.vcxproj/build-generated-files.sh: Use a
reasonable default value when the 'num-cpus' script is not available.
2014-06-12 Mark Lam
Remove some dead / unused code.
Reviewed by Filip Pizlo.
* builtins/BuiltinExecutables.cpp:
(JSC::BuiltinExecutables::createBuiltinExecutable):
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedFunctionExecutable::create):
* bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::makeFunction):
* parser/Parser.h:
(JSC::DepthManager::DepthManager): Deleted.
(JSC::DepthManager::~DepthManager): Deleted.
* runtime/CodeCache.cpp:
(JSC::CodeCache::getFunctionExecutableFromGlobalCode):
2014-06-12 Mark Hahnenberg
Move structureHasRareData out of TypeInfo
https://bugs.webkit.org/show_bug.cgi?id=133800
Reviewed by Andreas Kling.
StructureHasRareData was originally put in TypeInfo to avoid making Structure bigger,
but we have a few spare bits in Structure so it would be nice to remove this hack.
* runtime/JSTypeInfo.h:
(JSC::TypeInfo::newImpurePropertyFiresWatchpoints):
(JSC::TypeInfo::structureHasRareData): Deleted.
* runtime/Structure.cpp:
(JSC::Structure::Structure):
(JSC::Structure::allocateRareData):
(JSC::Structure::cloneRareDataFrom):
* runtime/Structure.h:
(JSC::Structure::previousID):
(JSC::Structure::objectToStringValue):
(JSC::Structure::setObjectToStringValue):
(JSC::Structure::setPreviousID):
(JSC::Structure::clearPreviousID):
(JSC::Structure::previous):
(JSC::Structure::rareData):
* runtime/StructureInlines.h:
(JSC::Structure::setEnumerationCache):
(JSC::Structure::enumerationCache):
2014-06-12 Zsolt Borbely
Allow enum guards to be generated from the replay json files
https://bugs.webkit.org/show_bug.cgi?id=133399
Reviewed by Csaba Osztrogonác.
* replay/scripts/CodeGeneratorReplayInputs.py:
(Type.__init__):
(InputsModel.parse_type_with_framework_name):
(Generator.generate_header):
(Generator.generate_implementation):
* replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Added.
(Test::HandleWheelEvent::HandleWheelEvent):
(Test::HandleWheelEvent::~HandleWheelEvent):
(JSC::InputTraits<Test::HandleWheelEvent>::type):
(JSC::InputTraits<Test::HandleWheelEvent>::encode):
(JSC::InputTraits<Test::HandleWheelEvent>::decode):
(JSC::EncodingTraits<Test::PlatformWheelEventPhase>::encodeValue):
(JSC::EncodingTraits<Test::PlatformWheelEventPhase>::decodeValue):
* replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Added.
(JSC::InputTraits<Test::HandleWheelEvent>::queue):
(Test::HandleWheelEvent::platformEvent):
* replay/scripts/tests/generate-enum-with-guard.json: Added.
2014-06-12 Carlos Garcia Campos
Unreviewed. Fix GTK+ build after r169823.
Include StructureInlines.h in a few more files to fix linking
issues due to JSC::Structure::get undefined symbol.
* runtime/ArrayIteratorConstructor.cpp:
* runtime/ArrayIteratorPrototype.cpp:
* runtime/JSConsole.cpp:
* runtime/JSMapIterator.cpp:
* runtime/JSSet.cpp:
* runtime/JSSetIterator.cpp:
* runtime/JSWeakMap.cpp:
* runtime/MapIteratorPrototype.cpp:
* runtime/MapPrototype.cpp:
* runtime/SetIteratorPrototype.cpp:
* runtime/SetPrototype.cpp:
* runtime/WeakMapPrototype.cpp:
2014-06-12 Csaba Osztrogonác
[EFL] One more URTBF after r169823 to make ARM64 build happy too.
* runtime/JSMap.cpp:
2014-06-11 Mark Hahnenberg
Inline caching should try to flatten uncacheable dictionaries
https://bugs.webkit.org/show_bug.cgi?id=133683
Reviewed by Geoffrey Garen.
There exists a body of JS code that deletes properties off of objects (especially function/constructor objects),
which puts them into an uncacheable dictionary state. This prevents all future inline caching for these objects.
If properties are deleted out of the object during its initialization, we can enable caching for that object by
attempting to flatten it when we see we're trying to do inline caching with that object. We then record that we
performed this flattening optimization in the object's Structure. If it ever re-enters the uncacheable dictionary
state then we can just give up on caching that object.
In refactoring some of the code in tryCacheGetById and tryBuildGetByIdList to reduce some duplication, I added
the InlineCacheAction enum, a new way to indicate the success or failure of an inline caching attempt. I changed
the other inline caching functions to return this enum rather than the opaque booleans that we were previously
returning.
* jit/Repatch.cpp:
(JSC::actionForCell):
(JSC::tryCacheGetByID):
(JSC::repatchGetByID):
(JSC::tryBuildGetByIDList):
(JSC::buildGetByIDList):
(JSC::tryCachePutByID):
(JSC::repatchPutByID):
(JSC::tryBuildPutByIdList):
(JSC::buildPutByIdList):
(JSC::tryRepatchIn):
(JSC::repatchIn):
* runtime/Structure.cpp:
(JSC::Structure::Structure):
(JSC::Structure::flattenDictionaryStructure):
* runtime/Structure.h:
(JSC::Structure::hasBeenFlattenedBefore):
2014-06-11 Csaba Osztrogonác
[EFL] URTBF after r169823.
* bindings/ScriptValue.cpp: Missing include added.
2014-06-11 Ryosuke Niwa
Remove an unnecessary asObject(this) call inside JSObject::fastGetOwnPropertySlot.
Rubber-stamped by Andreas Kling.
* runtime/JSObject.h:
(JSC::JSObject::fastGetOwnPropertySlot):
2014-06-11 Ryosuke Niwa
Turning on DUMP_PROPERTYMAP_STATS causes a build failure
https://bugs.webkit.org/show_bug.cgi?id=133673
Reviewed by Andreas Kling.
Rewrote the property map statistics code because the old code wasn't building,
and it was also mixing numbers for lookups and insertions/removals.
New logging code records the number of calls to PropertyTable::find (finds) and
PropertyTable::get/PropertyTable::findWithString separately so that we can quantify
the amount of probing during updates and lookups.
* jsc.cpp:
* runtime/PropertyMapHashTable.h:
(JSC::PropertyTable::find):
(JSC::PropertyTable::get):
(JSC::PropertyTable::findWithString):
(JSC::PropertyTable::add):
(JSC::PropertyTable::remove):
(JSC::PropertyTable::reinsert):
(JSC::PropertyTable::rehash):
* runtime/Structure.cpp:
(JSC::PropertyMapStatisticsExitLogger::PropertyMapStatisticsExitLogger):
(JSC::PropertyMapStatisticsExitLogger::~PropertyMapStatisticsExitLogger):
2014-06-11 Andreas Kling
Always inline JSValue::get() and Structure::get().
Reviewed by Ryosuke Niwa.
These functions get really hot, so ask the compiler to be more
aggressive about inlining them.
~28% speed-up on Ryosuke's microbenchmark for accessing nextSibling
through GetByVal.
* runtime/JSArrayIterator.cpp:
* runtime/JSCJSValue.cpp:
* runtime/JSCJSValueInlines.h:
(JSC::JSValue::get):
* runtime/JSPromiseDeferred.cpp:
* runtime/StructureInlines.h:
(JSC::Structure::get):
2014-06-11 Ryosuke Niwa
Structure::get should instantiate DeferGC only when materializing property map
https://bugs.webkit.org/show_bug.cgi?id=133727
Rubber-stamped by Andreas Kling.
Make materializePropertyMapIfNecessary always inline.
This is ~12% improvement on the microbenchmark attached in the bug.
* runtime/Structure.h:
(JSC::Structure::materializePropertyMapIfNecessary):
(JSC::Structure::materializePropertyMapIfNecessaryForPinning):
2014-06-11 Ryosuke Niwa
Structure::get should instantiate DeferGC only when materializing property map
https://bugs.webkit.org/show_bug.cgi?id=133727
Reviewed by Geoffrey Garen.
DeferGC instances in Structure::get were added in http://trac.webkit.org/r157539 in order to avoid
collecting the property table newly created by materializePropertyMapIfNecessary since GC can happen
when GCSafeConcurrentJITLocker goes out of scope.
However, always instantiating DeferGC inside Structure::get introduced a new performance bottleneck
in JSObject::getPropertySlot because frequently incrementing and decrementing a counter in vm.m_heap
and running a release assertion inside Heap::incrementDeferralDepth() is expensive.
Work around this by instantiating DeferGC only when we're actually calling materializePropertyMap,
and immediately storing a pointer to the newly created property table in the stack before DeferGC
goes out of scope so that the property table will be marked.
This shows 13-16% improvement on the microbenchmark attached in the bug.
* runtime/JSCJSValue.cpp:
* runtime/JSObject.h:
(JSC::JSObject::fastGetOwnPropertySlot):
* runtime/Structure.h:
(JSC::Structure::materializePropertyMapIfNecessary):
* runtime/StructureInlines.h:
(JSC::Structure::get):
2014-06-11 Andreas Kling
Some JSValue::get() micro-optimizations.
Tighten some of the property lookup code to improve performance of the
eagerly reified prototype attributes:
- Instead of converting the property name to an integer at every step
in the prototype chain, move that to a separate pass at the end
since it should be a rare case.
- Cache the StructureIDTable in a local instead of fetching it from
the Heap on every step.
- Make fillCustomGetterPropertySlot inline. It was out-of-lined based
on the assumption that clients would mostly be cacheable GetByIds,
and it gets pretty hot (~1%) in GetByVal.
- Pass the Structure directly to fillCustomGetterPropertySlot instead
of refetching it from the StructureIDTable.
Reviewed by Geoff Garen.
* runtime/JSObject.cpp:
(JSC::JSObject::fillCustomGetterPropertySlot): Deleted.
* runtime/JSObject.h:
(JSC::JSObject::inlineGetOwnPropertySlot):
(JSC::JSObject::fillCustomGetterPropertySlot):
(JSC::JSObject::getOwnPropertySlot):
(JSC::JSObject::fastGetOwnPropertySlot):
(JSC::JSObject::getPropertySlot):
(JSC::JSObject::getOwnPropertySlotSlow): Deleted.
2014-06-10 Sam Weinig
Don't create a HashTable for JSObjects that use eager reification
https://bugs.webkit.org/show_bug.cgi?id=133705
Reviewed by Geoffrey Garen.
* runtime/Lookup.h:
(JSC::reifyStaticProperties):
Add a version of reifyStaticProperties that takes an array of HashTableValues
rather than a HashTable.
2014-06-10 Filip Pizlo
Prediction propagator should make sure everyone knows that a variable that is in an argument position where other versions of that variable are not MachineInts cannot possibly be flushed as Int52
https://bugs.webkit.org/show_bug.cgi?id=133698
Reviewed by Geoffrey Garen and Mark Hahnenberg.
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate): Use the new utility to figure out if a variable could ever represent an Int52.
* dfg/DFGVariableAccessData.cpp:
(JSC::DFG::VariableAccessData::couldRepresentInt52): Add a new utility to detect early on if a variable could possibly be Int52.
(JSC::DFG::VariableAccessData::couldRepresentInt52Impl):
(JSC::DFG::VariableAccessData::flushFormat):
* dfg/DFGVariableAccessData.h:
* tests/stress/int52-inlined-call-argument.js: Added.
(foo):
(bar):
2014-06-10 Mark Lam
Assertion failure at JSC::Structure::checkOffsetConsistency() const + 234.
Reviewed by Mark Hahnenberg.
The root cause of this issue is that a nonPropertyTransition can transition
a pinned dictionary structure to an unpinned dictionary structure. The new
structure will get a copy of the property table from the original structure.
However, when a GC occurs, the property table in the new structure will be
cleared because it is unpinned. This leads to complications in subsequent
derivative structures when flattening occurs, which eventually leads to the
assertion failure in this bug.
The fix is to ensure that the new dictionary structure generated by the
nonPropertyTransition will have a copy of its predecessor's property table
and is pinned.
* runtime/Structure.cpp:
(JSC::Structure::nonPropertyTransition):
2014-06-10 Michael Saboff
In a certain app state, Array.prototype.filter() returns incorrect results
https://bugs.webkit.org/show_bug.cgi?id=133577
Reviewed by Oliver Hunt.
Fixed the LLInt processing of op_put_by_val_direct to have the same hole check as op_put_by_val.
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
2014-06-09 Mark Hahnenberg
Global HashTables contain references to atomic StringImpls
https://bugs.webkit.org/show_bug.cgi?id=133661
Reviewed by Geoffrey Garen.
This was a long-standing bug revealed by bug 133558. The issue is that the global static HashTables
cache their set of keys as StringImpls that are associated with a particular VM. This is obviously
incompatible with using multiple VMs on multiple threads (e.g. when using workers). The fix is to
change the "keys" field of the static HashTables to be char** instead of StringImpl**.
* runtime/JSObject.cpp:
(JSC::getClassPropertyNames):
* runtime/Lookup.cpp:
(JSC::HashTable::createTable):
(JSC::HashTable::deleteTable):
* runtime/Lookup.h:
(JSC::HashTable::ConstIterator::key):
(JSC::HashTable::entry):
2014-06-09 Mark Hahnenberg
Build fix after r169703
* JavaScriptCore.xcodeproj/project.pbxproj:
2014-06-05 Mark Hahnenberg
Eagerly reify DOM prototype attributes
https://bugs.webkit.org/show_bug.cgi?id=133558
Reviewed by Oliver Hunt.
This allows us to get rid of a lot of the additional overhead of pushing DOM attributes up into the prototype.
By eagerly reifying the custom getters and setters into the actual JSObject we avoid having to override
getOwnPropertySlot for all of the DOM prototypes, which is a lot of the overhead of doing property lookups on
DOM wrappers.
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* llint/LLIntData.cpp:
(JSC::LLInt::Data::performAssertions):
* llint/LowLevelInterpreter.asm:
* runtime/BatchedTransitionOptimizer.h:
(JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
* runtime/CustomGetterSetter.cpp: Added.
(JSC::callCustomSetter):
* runtime/CustomGetterSetter.h: Added.
(JSC::CustomGetterSetter::create):
(JSC::CustomGetterSetter::getter):
(JSC::CustomGetterSetter::setter):
(JSC::CustomGetterSetter::createStructure):
(JSC::CustomGetterSetter::CustomGetterSetter):
* runtime/JSCJSValue.cpp:
(JSC::JSValue::putToPrimitive):
* runtime/JSCJSValue.h:
* runtime/JSCJSValueInlines.h:
(JSC::JSValue::isCustomGetterSetter):
* runtime/JSCell.h:
* runtime/JSCellInlines.h:
(JSC::JSCell::isCustomGetterSetter):
(JSC::JSCell::canUseFastGetOwnProperty):
* runtime/JSFunction.cpp:
(JSC::JSFunction::isHostOrBuiltinFunction): Deleted.
(JSC::JSFunction::isBuiltinFunction): Deleted.
* runtime/JSFunction.h:
* runtime/JSFunctionInlines.h: Inlined some random functions that appeared hot during profiling.
(JSC::JSFunction::isBuiltinFunction):
(JSC::JSFunction::isHostOrBuiltinFunction):
* runtime/JSObject.cpp:
(JSC::JSObject::put):
(JSC::JSObject::putDirectCustomAccessor):
(JSC::JSObject::fillGetterPropertySlot):
(JSC::JSObject::fillCustomGetterPropertySlot):
(JSC::JSObject::getOwnPropertySlotSlow): Deleted.
* runtime/JSObject.h:
(JSC::JSObject::hasCustomGetterSetterProperties):
(JSC::JSObject::convertToDictionary):
(JSC::JSObject::inlineGetOwnPropertySlot):
(JSC::JSObject::getOwnPropertySlotSlow): Inlined because it looked hot during profiling.
(JSC::JSObject::putOwnDataProperty):
(JSC::JSObject::putDirect):
(JSC::JSObject::putDirectWithoutTransition):
* runtime/JSType.h:
* runtime/Lookup.h:
(JSC::reifyStaticProperties):
* runtime/PropertyDescriptor.h:
(JSC::PropertyDescriptor::PropertyDescriptor):
* runtime/Structure.cpp:
(JSC::Structure::Structure):
(JSC::nextOutOfLineStorageCapacity): Deleted.
(JSC::Structure::suggestedNewOutOfLineStorageCapacity): Deleted.
(JSC::Structure::get): Deleted.
* runtime/Structure.h:
(JSC::Structure::hasCustomGetterSetterProperties):
(JSC::Structure::setHasCustomGetterSetterProperties):
* runtime/StructureInlines.h:
(JSC::Structure::get): Inlined due to hotness.
(JSC::nextOutOfLineStorageCapacity): Inlined due to hotness.
(JSC::Structure::suggestedNewOutOfLineStorageCapacity): Inlined due to hotness.
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
* runtime/WriteBarrier.h:
(JSC::WriteBarrierBase::isCustomGetterSetter):
2014-06-07 Mark Lam
Structure should initialize its previousID in its constructor.
Reviewed by Mark Hahnenberg.
Currently, the Structure constructor that takes a previous structure will
initialize its previousID to point to the previous structure's previousID.
This is incorrect. However, the caller of the Structure::create() factory
method (which instantiated the Structure) will later call setPreviousID()
to set the previousID to the correct previous structure. This makes the
code confusing to read and more error prone in that the structure relies
on client code to fix its invalid previousID.
This patch fixes this by making the Structure constructor initialize
previousID correctly.
* runtime/Structure.cpp:
(JSC::Structure::Structure):
(JSC::Structure::addPropertyTransition):
(JSC::Structure::nonPropertyTransition):
* runtime/Structure.h:
* runtime/StructureInlines.h:
(JSC::Structure::create):
2014-06-06 Andreas Kling
Indexed getters should return values directly on the PropertySlot.
Remove PropertySlot's custom index mode.
Reviewed by Darin Adler.
* runtime/JSObject.h:
(JSC::PropertySlot::getValue):
* runtime/PropertySlot.h:
(JSC::PropertySlot::setCustomIndex): Deleted.
2014-06-04 Timothy Horton
iOS Debug build fix
Rubber-stamped by Filip Pizlo.
* Configurations/LLVMForJSC.xcconfig:
Dead-code strip the llvmForJSC library unconditionally, to work around .
2014-06-04 Oliver Hunt
ArrayIterator should not be exposed in Safari 8
https://bugs.webkit.org/show_bug.cgi?id=133494
Reviewed by Michael Saboff.
Separate out types that require constructor objects, and don't
include the iterator types in that list.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::reset):
* runtime/JSGlobalObject.h:
2014-06-04 Filip Pizlo
DFG::Safepoint::begin() should set m_didCallBegin before releasing the rightToRun lock, because otherwise, Safepoint::checkLivenessAndVisitChildren() may assert due to a race
https://bugs.webkit.org/show_bug.cgi?id=133525
Reviewed by Oliver Hunt.
* dfg/DFGSafepoint.cpp:
(JSC::DFG::Safepoint::begin):
2014-06-03 Filip Pizlo
LLVM soft-linking should be truly fail-silent
https://bugs.webkit.org/show_bug.cgi?id=133482
Reviewed by Mark Lam.
* llvm/InitializeLLVMPOSIX.cpp:
(JSC::initializeLLVMPOSIX): Missing return statement in the dlsym() returning null case.
2014-06-03 Eva Balazsfalvi
REGRESSION(r169092 and r169102): Skip failing JSC tests properly on non-x86 Darwin platforms
https://bugs.webkit.org/show_bug.cgi?id=133149
Reviewed by Csaba Osztrogonác.
* tests/mozilla/mozilla-tests.yaml: Skip js1_5/Regress/regress-159334.js only if the architecture isn't x86 and the host is Darwin.
2014-05-31 Anders Carlsson
Add a LazyNeverDestroyed class template and use it
https://bugs.webkit.org/show_bug.cgi?id=133425
Reviewed by Darin Adler.
* dfg/DFGFunctionWhitelist.cpp:
(JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
* dfg/DFGFunctionWhitelist.h:
2014-05-28 Filip Pizlo
DFG::DCEPhase inserts into an insertion set in reverse, causing hilarious basic block corruption if you kill a lot of NewArrays
https://bugs.webkit.org/show_bug.cgi?id=133368
Reviewed by Mark Lam.
* dfg/DFGDCEPhase.cpp:
(JSC::DFG::DCEPhase::fixupBlock): Loop in the right order so that we insert in the right order.
* tests/stress/new-array-dead.js: Added.
(foo):
2014-05-28 Filip Pizlo
Unreviewed, fix not-x86 32-bit.
* llint/LowLevelInterpreter32_64.asm:
2014-05-27 Filip Pizlo
Arrayify neglects to inform the clobberizer that it might fire watchpoints
https://bugs.webkit.org/show_bug.cgi?id=133340
Reviewed by Mark Lam.
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize): Be honest.
* llint/LowLevelInterpreter32_64.asm: Profile the object, not its structure.
* tests/stress/arrayify-fires-watchpoint.js: Added.
(foo):
(test):
(makeObjectArray):
* tests/stress/arrayify-structure-bad-test.js: Added.
(foo):
(test):
2014-05-27 Jon Lee
Update ENABLE(MEDIA_SOURCE) on Mac
https://bugs.webkit.org/show_bug.cgi?id=133141
Reviewed by Darin Adler.
* Configurations/FeatureDefines.xcconfig:
2014-05-27 Tibor Meszaros
Remove BLOB guards
https://bugs.webkit.org/show_bug.cgi?id=132863
Reviewed by Csaba Osztrogonác.
* Configurations/FeatureDefines.xcconfig:
2014-05-27 Zsolt Borbely
Allow building CMake based ports with WEB_REPLAY
https://bugs.webkit.org/show_bug.cgi?id=133154
Reviewed by Csaba Osztrogonác.
* CMakeLists.txt:
2014-05-25 Filip Pizlo
Latest emscripten life benchmark is 4x slower because the DFG doesn't realize that arithmetic on booleans is a thing
https://bugs.webkit.org/show_bug.cgi?id=133136
Reviewed by Oliver Hunt.
Some key concepts:
- Except for the prediction propagation and type fixup phases, which are super early in
the pipeline, nobody has to know about the fact that booleans may flow into numerical
operations because there will just be a BooleanToNumber node that will take a value
and, if that value is a boolean, will convert it to the equivalent numerical value. It
will have a BooleanUse mode where it will also speculate that the input is a boolean
but it can also do UntypedUse in which case it will pass through any non-booleans.
This operation is very easy to model in all of the compiler tiers.
- No changes to the baseline JIT. The Baseline JIT will still believe that boolean
inputs require taking the slow path and it will still report that it took slow path
for any such operations. The DFG will now be smart enough to ignore baseline JIT slow
path profiling on operations that were known to have had boolean inputs. That's a
little quirky, but it's probably easier than modifying the baseline JIT to track
booleans correctly.
4.1x speed-up on the emscripten "life" benchmark. Up to 10x speed-up on microbenchmarks.
* bytecode/SpeculatedType.h:
(JSC::isInt32OrBooleanSpeculation):
(JSC::isInt32SpeculationForArithmetic):
(JSC::isInt32OrBooleanSpeculationForArithmetic):
(JSC::isInt32OrBooleanSpeculationExpectingDefined):
(JSC::isInt52Speculation):
(JSC::isMachineIntSpeculation):
(JSC::isFullNumberOrBooleanSpeculation):
(JSC::isFullNumberOrBooleanSpeculationExpectingDefined):
(JSC::isInt32SpeculationExpectingDefined): Deleted.
(JSC::isMachineIntSpeculationExpectingDefined): Deleted.
(JSC::isMachineIntSpeculationForArithmetic): Deleted.
(JSC::isBytecodeNumberSpeculationExpectingDefined): Deleted.
(JSC::isFullNumberSpeculationExpectingDefined): Deleted.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter::executeEffects):
* dfg/DFGAllocator.h:
(JSC::DFG::Allocator::indexOf):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::makeSafe):
(JSC::DFG::ByteCodeParser::makeDivSafe):
(JSC::DFG::ByteCodeParser::handleIntrinsic):
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::performNodeCSE):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGCommon.h:
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixIntConvertingEdge):
(JSC::DFG::FixupPhase::fixIntOrBooleanEdge):
(JSC::DFG::FixupPhase::fixDoubleOrBooleanEdge):
(JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
(JSC::DFG::FixupPhase::fixIntEdge): Deleted.
* dfg/DFGGraph.h:
(JSC::DFG::Graph::addSpeculationMode):
(JSC::DFG::Graph::valueAddSpeculationMode):
(JSC::DFG::Graph::arithAddSpeculationMode):
(JSC::DFG::Graph::addShouldSpeculateInt32):
(JSC::DFG::Graph::mulShouldSpeculateInt32):
(JSC::DFG::Graph::mulShouldSpeculateMachineInt):
(JSC::DFG::Graph::negateShouldSpeculateInt32):
(JSC::DFG::Graph::negateShouldSpeculateMachineInt):
(JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
(JSC::DFG::Graph::mulImmediateShouldSpeculateInt32): Deleted.
* dfg/DFGNode.h:
(JSC::DFG::Node::sawBooleans):
(JSC::DFG::Node::shouldSpeculateInt32OrBoolean):
(JSC::DFG::Node::shouldSpeculateInt32ForArithmetic):
(JSC::DFG::Node::shouldSpeculateInt32OrBooleanForArithmetic):
(JSC::DFG::Node::shouldSpeculateInt32OrBooleanExpectingDefined):
(JSC::DFG::Node::shouldSpeculateMachineInt):
(JSC::DFG::Node::shouldSpeculateDouble):
(JSC::DFG::Node::shouldSpeculateNumberOrBoolean):
(JSC::DFG::Node::shouldSpeculateNumberOrBooleanExpectingDefined):
(JSC::DFG::Node::shouldSpeculateNumber):
(JSC::DFG::Node::canSpeculateInt32):
(JSC::DFG::Node::canSpeculateInt52):
(JSC::DFG::Node::sourceFor):
(JSC::DFG::Node::shouldSpeculateInt32ExpectingDefined): Deleted.
(JSC::DFG::Node::shouldSpeculateMachineIntForArithmetic): Deleted.
(JSC::DFG::Node::shouldSpeculateMachineIntExpectingDefined): Deleted.
(JSC::DFG::Node::shouldSpeculateDoubleForArithmetic): Deleted.
(JSC::DFG::Node::shouldSpeculateNumberExpectingDefined): Deleted.
* dfg/DFGNodeFlags.cpp:
(JSC::DFG::dumpNodeFlags):
* dfg/DFGNodeFlags.h:
(JSC::DFG::nodeMayOverflow):
(JSC::DFG::nodeMayNegZero):
(JSC::DFG::nodeCanSpeculateInt32):
(JSC::DFG::nodeCanSpeculateInt52):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::run):
(JSC::DFG::PredictionPropagationPhase::propagateToFixpoint):
(JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
(JSC::DFG::PredictionPropagationPhase::propagate):
(JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileValueToInt32):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
(JSC::FTL::LowerDFGToLLVM::compileBooleanToNumber):
* runtime/JSCJSValue.h:
* runtime/JSCJSValueInlines.h:
(JSC::JSValue::asInt32ForArithmetic):
* tests/stress/max-boolean-exit.js: Added.
(foo):
(test):
* tests/stress/mul-boolean-exit.js: Added.
(foo):
(test):
* tests/stress/plus-boolean-exit.js: Added.
(foo):
(test):
* tests/stress/plus-boolean-or-double.js: Added.
(foo):
(test):
* tests/stress/plus-boolean-or-int.js: Added.
(foo):
(test):
2014-05-26 Zsolt Borbely
Remove dead code from VM.cpp
https://bugs.webkit.org/show_bug.cgi?id=133284
Reviewed by Darin Adler.
This workaround was added in r127505. Since clang is the
only compiler used in this case, this workaround is obsolete.
* runtime/VM.cpp:
(JSC::enableAssembler):
2014-05-26 Eva Balazsfalvi
JSC CLoop warning fix
https://bugs.webkit.org/show_bug.cgi?id=133259
Reviewed by Darin Adler.
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
2014-05-24 Andreas Kling
Object.prototype.toString() should use cached strings for null/undefined.
Normally, when calling Object.prototype.toString() on a regular object,
we'd cache the result of the stringification on the object's structure,
making repeated calls fast.
For null and undefined, we were not as smart. We'd instead construct a
new string with either "[object Null]" or "[object Undefined]" each time.
This was exposed by Dromaeo's JS library tests, where some prototype.js
subtests generate millions of strings this way.
This patch adds two VM-permanent cached strings to the SmallStrings.
Looks like ~10% speed-up on Dromaeo/jslib-traverse-prototype.html
Reviewed by Darin Adler.
* runtime/ObjectPrototype.cpp:
(JSC::objectProtoFuncToString):
* runtime/SmallStrings.cpp:
(JSC::SmallStrings::SmallStrings):
(JSC::SmallStrings::initializeCommonStrings):
(JSC::SmallStrings::visitStrongReferences):
* runtime/SmallStrings.h:
(JSC::SmallStrings::nullObjectString):
(JSC::SmallStrings::undefinedObjectString):
2014-05-23 Mark Hahnenberg
Remove operationCallGetter
Rubber stamped by Filip Pizlo.
Nobody calls this function.
* JavaScriptCore.order:
* jit/JITOperations.cpp:
* jit/JITOperations.h:
2014-05-23 Andreas Kling
Templatize GC's destructor invocation for dtor type.
Get rid of a branch in callDestructor() by templatizing it for
the DestructorType. Removed JSCell::methodTableForDestruction()
since this was the only call site and it was jumping through
a bunch of unnecessary hoops.
Reviewed by Geoffrey Garen.
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::callDestructor):
(JSC::MarkedBlock::specializedSweep):
* heap/MarkedBlock.h:
* runtime/JSCell.h:
* runtime/JSCellInlines.h:
(JSC::JSCell::methodTableForDestruction): Deleted.
2014-05-23 Andreas Kling
Support inline caching of RegExpMatchesArray.length
Give RegExpMatchesArray.length the same treatment as JSArray in
repatch so we don't have to go out of line on every access.
~13% speed-up on Octane/regexp.
Reviewed by Geoffrey Garen.
* jit/Repatch.cpp:
(JSC::tryCacheGetByID):
* runtime/RegExpMatchesArray.h:
(JSC::isRegExpMatchesArray):
2014-05-22 Mark Lam
REGRESSION(r154797): Debugger crashes when stepping over an uncaught exception.
Reviewed by Oliver Hunt.
Before r154797, we used to clear the VM exception before calling into the
debugger. After r154797, we don't. This patch will restore this clearing
of the exception before calling into the debugger.
Also added assertions after returning from calls into the debugger to
ensure that the debugger did not introduce any exceptions.
* interpreter/Interpreter.cpp:
(JSC::unwindCallFrame):
(JSC::Interpreter::unwind):
(JSC::Interpreter::debug):
- Fixed the assertion here. Interpreter::debug() should never be called
with a pending exception. Debugger callbacks for exceptions should be
handled by Interpreter::unwind() and Interpreter::unwindCallFrame().
2014-05-21 Filip Pizlo
Store barrier elision should run after DCE in both the DFG path and the FTL path
https://bugs.webkit.org/show_bug.cgi?id=129718
Rubber stamped by Mark Hahnenberg.
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
2014-05-21 Zsolt Borbely
[EFL] Add include path of compact_unwind_encoding.h if FTL JIT is enabled
https://bugs.webkit.org/show_bug.cgi?id=132907
Reviewed by Gyuyoung Kim.
* CMakeLists.txt:
2014-05-16 Martin Robinson
[CMake] Improve handling of LIB_INSTALL_DIR, EXEC_INSTALL_DIR, and LIBEXEC_INSTALL_DIR
https://bugs.webkit.org/show_bug.cgi?id=132819
Reviewed by Carlos Garcia Campos.
* javascriptcoregtk.pc.in: Instead of using the special pkg-config variables,
use the common CMake ones directly.
2014-05-21 Filip Pizlo
Unreviewed, roll out http://trac.webkit.org/changeset/169159.
This was a unilateral change and wasn't properly reviewed.
* tests/mozilla/mozilla-tests.yaml:
2014-05-21 Antoine Quint
Array.prototype.find and findIndex should skip holes
https://bugs.webkit.org/show_bug.cgi?id=132658
Reviewed by Geoffrey Garen.
Skip holes in the array when iterating such that callback isn't called.
* builtins/Array.prototype.js:
(find):
(findIndex):
2014-05-21 Eva Balazsfalvi
REGRESSION(r169092 and r169102): Skip failing JSC tests on ARM64 properly
https://bugs.webkit.org/show_bug.cgi?id=133149
Reviewed by Csaba Osztrogonác.
* tests/mozilla/mozilla-tests.yaml:
2014-05-20 Geoffrey Garen
Rolled out
https://bugs.webkit.org/show_bug.cgi?id=133144
Reviewed by Gavin Barraclough.
It caused a performance regression.
* heap/BlockAllocator.cpp:
(JSC::BlockAllocator::blockFreeingThreadStartFunc):
2014-05-20 Filip Pizlo
DFG prediction propagation should agree with fixup phase over the return type of GetByVal
https://bugs.webkit.org/show_bug.cgi?id=133134
Reviewed by Mark Hahnenberg.
Make prediction propagator use ArrayMode refinement to decide the return type.
Also introduce a heap prediction intrinsic that allows us to test weird corner cases
like this. The only way we'll see a mismatch like this in the real world is probably
through a gnarly race condition.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsic):
* dfg/DFGNode.h:
(JSC::DFG::Node::setHeapPrediction):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* jsc.cpp:
(GlobalObject::finishCreation):
(functionFalse1):
(functionFalse2):
(functionUndefined1):
(functionUndefined2):
(functionFalse): Deleted.
(functionOtherFalse): Deleted.
(functionUndefined): Deleted.
* runtime/Intrinsic.h:
* tests/stress/get-by-val-double-predicted-int.js: Added.
(foo):
2014-05-20 Mark Hahnenberg
Watchdog timer should be lazily allocated
https://bugs.webkit.org/show_bug.cgi?id=133135
Reviewed by Geoffrey Garen.
We incur a noticeable amount of overhead on some benchmarks due to checking if the Watchdog ever fired.
There is no reason to do this checking if we never activated the Watchdog, which can only be done through
JSContextGroupSetExecutionTimeLimit or JSContextGroupClearExecutionTimeLimit.
By allocating the Watchdog lazily on the VM we can avoid all of the associated overhead when we don't use
these two API functions (which is true of most clients).
* API/JSContextRef.cpp:
(JSContextGroupSetExecutionTimeLimit):
(JSContextGroupClearExecutionTimeLimit):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* interpreter/Interpreter.cpp:
(JSC::Interpreter::execute):
(JSC::Interpreter::executeCall):
(JSC::Interpreter::executeConstruct):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_loop_hint):
(JSC::JIT::emitSlow_op_loop_hint):
* jit/JITOperations.cpp:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/VM.h:
* runtime/Watchdog.cpp:
(JSC::Watchdog::Scope::Scope): Deleted.
(JSC::Watchdog::Scope::~Scope): Deleted.
* runtime/Watchdog.h:
(JSC::Watchdog::Scope::Scope):
(JSC::Watchdog::Scope::~Scope):
2014-05-19 Mark Hahnenberg
JSArray::shiftCountWith* could be more efficient
https://bugs.webkit.org/show_bug.cgi?id=133011
Reviewed by Geoffrey Garen.
Our current implementations of shiftCountWithAnyIndexingType and shiftCountWithArrayStorage
are scared of the presence of any holes in the array. We can mitigate this somewhat by enabling
them to correctly handle holes, thus avoiding the slowest of slow paths in most cases.
* runtime/ArrayStorage.h:
(JSC::ArrayStorage::indexingHeader):
(JSC::ArrayStorage::length):
(JSC::ArrayStorage::hasHoles):
* runtime/IndexingHeader.h:
(JSC::IndexingHeader::publicLength):
(JSC::IndexingHeader::from):
* runtime/JSArray.cpp:
(JSC::JSArray::shiftCountWithArrayStorage):
(JSC::JSArray::shiftCountWithAnyIndexingType):
(JSC::JSArray::unshiftCountWithArrayStorage):
* runtime/JSArray.h:
(JSC::JSArray::shiftCountForShift):
(JSC::JSArray::shiftCountForSplice):
(JSC::JSArray::shiftCount):
* runtime/Structure.cpp:
(JSC::Structure::holesRequireSpecialBehavior):
* runtime/Structure.h:
2014-05-19 Filip Pizlo
Test gardening: skip some failing tests on not-X86.
* tests/mozilla/mozilla-tests.yaml:
2014-05-19 Mark Lam
operationOptimize() should defer the GC for a while.
Reviewed by Filip Pizlo.
Currently, operationOptimize() only defers the GC until its end. As a result,
a GC may be triggered just before we return from operationOptimize(), and it may
jettison the optimize codeBlock that we're planning to OSR enter into when we
return from this function. This is because the OSR entry on-ramp code hasn't
been executed yet, and hence, there is not yet a reference to this new codeBlock
from the stack, and there won't be until we've had a chance to return out of
operationOptimize() to run the OSR entry on-ramp code.
This issue is now fixed by using DeferGCForAWhile instead of DeferGC. This
ensures that the GC will be deferred until after the OSR entry on-ramp can be
executed.
* jit/JITOperations.cpp:
2014-05-19 Filip Pizlo
Take care of some ARM64 test failures
https://bugs.webkit.org/show_bug.cgi?id=133090
Reviewed by Geoffrey Garen.
Constant blinding on ARM64 cannot use the scratch register.
* assembler/MacroAssembler.h:
(JSC::MacroAssembler::convertInt32ToDouble):
(JSC::MacroAssembler::branchPtr):
(JSC::MacroAssembler::storePtr):
(JSC::MacroAssembler::store64):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::scratchRegisterForBlinding):
2014-05-19 Tanay C
Removing some check-webkit-style warnings from ./dfg
https://bugs.webkit.org/show_bug.cgi?id=132854
Reviewed by Darin Adler.
* dfg/DFGAbstractInterpreter.h:
* dfg/DFGAbstractValue.h:
* dfg/DFGBlockInsertionSet.h:
* dfg/DFGCommonData.h:
* dfg/DFGDominators.h:
* dfg/DFGGraph.h:
* dfg/DFGInPlaceAbstractState.h:
* dfg/DFGPredictionPropagationPhase.h:
2014-05-18 Filip Pizlo
Unreviewed, remove bogus comment. We already made the FTL use our calling convention.
That was a long time ago.
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileReturn):
2014-05-18 Rik Cabanier
support for navigator.hardwareConcurrency
https://bugs.webkit.org/show_bug.cgi?id=132588
Reviewed by Filip Pizlo.
* Configurations/FeatureDefines.xcconfig:
2014-05-16 Michael Saboff
Crash in JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generatePatternCharacterFixed() due to WTF::CrashOnOverflow::overflowed + 9
https://bugs.webkit.org/show_bug.cgi?id=133009
Reviewed by Oliver Hunt.
If we determine that any alternative requires a minimum match size greater than
INT_MAX, we handle the match in the interpreter.
Check to see if the pattern has unsigned lengths before invoking YARR JIT.
* runtime/RegExp.cpp:
(JSC::RegExp::compile):
(JSC::RegExp::compileMatchOnly):
* tests/stress/large-regexp.js: New test added.
Set m_containsUnsignedLengthPattern flag if any alternative's minimum length
doesn't fit in an int.
* yarr/YarrPattern.cpp:
(JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):
Clear new m_containsUnsignedLengthPattern flag.
* yarr/YarrPattern.cpp:
(JSC::Yarr::YarrPattern::YarrPattern):
* yarr/YarrPattern.h:
(JSC::Yarr::YarrPattern::reset):
(JSC::Yarr::YarrPattern::containsUnsignedLengthPattern):
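Added example (not code from the WebKit entry above): a self-contained model of the overflow check this entry describes, written in C++ against a constructed pattern structure. The names Alternative, Pattern, alternativeMinimumLength, computeMinimumLengths, canUseYarrJIT and patternAllowsJIT are hypothetical; only the flag name containsUnsignedLengthPattern and the INT_MAX threshold come from the entry. It shows the two failure modes a practitioner has to catch separately: the unsigned sum wrapping around while it is being accumulated, and a sum that fits in unsigned but not in int.

```cpp
#include <climits>
#include <vector>

// Constructed model of a pattern, not JSC's YarrPattern: a disjunction is a list
// of alternatives, and each alternative is a list of term minimum match lengths
// (for example, /a{5}|b{3,}/ would be {{5}, {3}}). The type and function names
// below are hypothetical.
struct Alternative { std::vector<unsigned> termMinimumLengths; };

struct Pattern {
    std::vector<Alternative> alternatives;
    bool containsUnsignedLengthPattern = false; // mirrors the flag named in the entry
};

// Sum the term minimums with an overflow check. Returns false if the sum does not
// fit in unsigned; otherwise stores it in outMinimum and returns true.
bool alternativeMinimumLength(const Alternative& alternative, unsigned& outMinimum)
{
    unsigned total = 0;
    for (unsigned length : alternative.termMinimumLengths) {
        if (length > UINT_MAX - total)
            return false; // adding would wrap around
        total += length;
    }
    outMinimum = total;
    return true;
}

// The intent of the fix in setupDisjunctionOffsets: if any alternative's minimum
// length overflows, or fits in unsigned but exceeds INT_MAX, mark the pattern so
// the JIT is never asked to handle it.
void computeMinimumLengths(Pattern& pattern)
{
    for (const Alternative& alternative : pattern.alternatives) {
        unsigned minimum = 0;
        if (!alternativeMinimumLength(alternative, minimum) || minimum > static_cast<unsigned>(INT_MAX))
            pattern.containsUnsignedLengthPattern = true;
    }
}

// The check made before invoking the JIT: flagged patterns go to the interpreter.
bool canUseYarrJIT(const Pattern& pattern)
{
    return !pattern.containsUnsignedLengthPattern;
}

// Build a pattern from per-alternative term lengths and decide the backend.
bool patternAllowsJIT(const std::vector<std::vector<unsigned>>& alternatives)
{
    Pattern pattern;
    for (const auto& terms : alternatives)
        pattern.alternatives.push_back(Alternative { terms });
    computeMinimumLengths(pattern);
    return canUseYarrJIT(pattern);
}
```

patternAllowsJIT({{10, 20}, {3}}) returns true, while an alternative whose terms sum past INT_MAX (or past UINT_MAX) returns false and would be routed to the interpreter.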
2014-05-15 Mark Hahnenberg
JSDOMWindow should not claim HasImpureGetOwnPropertySlot
https://bugs.webkit.org/show_bug.cgi?id=132918
Reviewed by Geoffrey Garen.
* jit/Repatch.cpp:
(JSC::tryRepatchIn): We forgot to check for watchpoints when repatching "in".
2014-05-15 Alex Christensen
Add pointer lock to features without enabling it.
https://bugs.webkit.org/show_bug.cgi?id=132961
Reviewed by Sam Weinig.
* Configurations/FeatureDefines.xcconfig:
Added ENABLE_POINTER_LOCK to list of features.
2014-05-14 Mark Hahnenberg
Inline caching for proxies clobbers baseGPR too early
https://bugs.webkit.org/show_bug.cgi?id=132916
Reviewed by Filip Pizlo.
We clobber baseGPR prior to the Structure checks, so if any of the checks fail then the slow path
gets the target of the proxy rather than the proxy itself. We need to delay the clobbering of baseGPR
until we know the inline cache is going to succeed.
* jit/Repatch.cpp:
(JSC::generateByIdStub):
2014-05-14 Brent Fulgham
[Win] Unreviewed build fix.
* JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: This solution
was missing commands to build LLInt portions of JSC.
* llint/LLIntData.cpp: 64-bit build fix.
2014-05-14 Martin Hodovan
ARM Traditional build fix after r168776.
https://bugs.webkit.org/show_bug.cgi?id=132903
Reviewed by Darin Adler.
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::abortWithReason): Added.
2014-05-14 Tibor Meszaros
Remove CSS_STICKY_POSITION guards
https://bugs.webkit.org/show_bug.cgi?id=132676
Reviewed by Simon Fraser.
* Configurations/FeatureDefines.xcconfig:
2014-05-13 Filip Pizlo
JIT breakpoints should be more informative
https://bugs.webkit.org/show_bug.cgi?id=132882
Reviewed by Oliver Hunt.
Introduce the notion of an AbortReason, which is a nice enumeration of coded assertion
failure names. This means that all you need to figure out why the JIT SIGTRAP'd is to look
at that platform's abort reason register (r11 on X86-64 for example).
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* assembler/AbortReason.h: Added.
* assembler/AbstractMacroAssembler.h:
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::abortWithReason):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::abortWithReason):
* assembler/MacroAssemblerX86.h:
(JSC::MacroAssemblerX86::abortWithReason):
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::abortWithReason):
* dfg/DFGSlowPathGenerator.h:
(JSC::DFG::SlowPathGenerator::generate):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::bail):
(JSC::DFG::SpeculativeJIT::compileCurrentBlock):
(JSC::DFG::SpeculativeJIT::compileMakeRope):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGThunks.cpp:
(JSC::DFG::osrEntryThunkGenerator):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::jitAssertIsInt32):
(JSC::AssemblyHelpers::jitAssertIsJSInt32):
(JSC::AssemblyHelpers::jitAssertIsJSNumber):
(JSC::AssemblyHelpers::jitAssertIsJSDouble):
(JSC::AssemblyHelpers::jitAssertIsCell):
(JSC::AssemblyHelpers::jitAssertTagsInPlace):
(JSC::AssemblyHelpers::jitAssertHasValidCallFrame):
(JSC::AssemblyHelpers::jitAssertIsNull):
(JSC::AssemblyHelpers::jitAssertArgumentCountSane):
(JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::checkStackPointerAlignment):
(JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo): Deleted.
* jit/JIT.h:
* jit/JITArithmetic.cpp:
(JSC::JIT::emitSlow_op_div):
* jit/JITOpcodes.cpp:
(JSC::JIT::emitSlow_op_loop_hint):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::privateCompileCTINativeCall):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_get_by_val):
(JSC::JIT::compileGetDirectOffset):
(JSC::JIT::addStructureTransitionCheck): Deleted.
(JSC::JIT::testPrototype): Deleted.
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_get_by_val):
(JSC::JIT::compileGetDirectOffset):
* jit/RegisterPreservationWrapperGenerator.cpp:
(JSC::generateRegisterRestoration):
* jit/Repatch.cpp:
(JSC::addStructureTransitionCheck):
(JSC::linkClosureCall):
* jit/ThunkGenerators.cpp:
(JSC::emitPointerValidation):
(JSC::nativeForGenerator):
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::generate):
2014-05-13 [email protected]
[Win] Enum type with value zero is compatible with void*, potential cause of crashes.
https://bugs.webkit.org/show_bug.cgi?id=132772
Reviewed by Geoffrey Garen.
Using the MSVC compiler, an instance of an enum type with value zero is compatible with void* (see bug 132683 for a code example).
This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
This patch tries to prevent these types of crashes by using a type with explicit constructors instead of void*.
The void* parameter in the loadDouble and storeDouble methods is replaced with TrustedImmPtr.
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::loadDouble):
(JSC::MacroAssemblerARM::storeDouble):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::loadDouble):
(JSC::MacroAssemblerARM64::storeDouble):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::loadDouble):
(JSC::MacroAssemblerARMv7::storeDouble):
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::loadDouble):
(JSC::MacroAssemblerMIPS::storeDouble):
* assembler/MacroAssemblerSH4.h:
(JSC::MacroAssemblerSH4::loadDouble):
(JSC::MacroAssemblerSH4::storeDouble):
* assembler/MacroAssemblerX86.h:
(JSC::MacroAssemblerX86::storeDouble):
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::absDouble):
(JSC::MacroAssemblerX86Common::negateDouble):
(JSC::MacroAssemblerX86Common::loadDouble):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::silentFill):
(JSC::DFG::compileClampDoubleToByte):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::compile):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::purifyNaN):
* jit/JITInlines.h:
(JSC::JIT::emitLoadDouble):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitFloatTypedArrayGetByVal):
* jit/ThunkGenerators.cpp:
(JSC::floorThunkGenerator):
(JSC::roundThunkGenerator):
(JSC::powThunkGenerator):
2014-05-12 Commit Queue
Unreviewed, rolling out r168642.
https://bugs.webkit.org/show_bug.cgi?id=132839
Broke ARM build (Requested by jpfau on #webkit).
Reverted changeset:
"[Win] Enum type with value zero is compatible with void*,
potential cause of crashes."
https://bugs.webkit.org/show_bug.cgi?id=132772
http://trac.webkit.org/changeset/168642
2014-05-12 [email protected]
[Win] Enum type with value zero is compatible with void*, potential cause of crashes.
https://bugs.webkit.org/show_bug.cgi?id=132772
Reviewed by Geoffrey Garen.
Using the MSVC compiler, an instance of an enum type with value zero is compatible with void* (see bug 132683 for a code example).
This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
This patch tries to prevent these types of crashes by using a type with explicit constructors instead of void*.
The void* parameter in the loadDouble and storeDouble methods is replaced with TrustedImmPtr.
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::loadDouble):
(JSC::MacroAssemblerARM::storeDouble):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::loadDouble):
(JSC::MacroAssemblerARM64::storeDouble):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::loadDouble):
(JSC::MacroAssemblerARMv7::storeDouble):
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::loadDouble):
(JSC::MacroAssemblerMIPS::storeDouble):
* assembler/MacroAssemblerSH4.h:
(JSC::MacroAssemblerSH4::loadDouble):
(JSC::MacroAssemblerSH4::storeDouble):
* assembler/MacroAssemblerX86.h:
(JSC::MacroAssemblerX86::storeDouble):
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::absDouble):
(JSC::MacroAssemblerX86Common::negateDouble):
(JSC::MacroAssemblerX86Common::loadDouble):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::silentFill):
(JSC::DFG::compileClampDoubleToByte):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::compile):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::purifyNaN):
* jit/JITInlines.h:
(JSC::JIT::emitLoadDouble):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitFloatTypedArrayGetByVal):
* jit/ThunkGenerators.cpp:
(JSC::floorThunkGenerator):
(JSC::roundThunkGenerator):
(JSC::powThunkGenerator):
2014-05-12 Andreas Kling
0.4% of PLT3 in JSCell::structure() below JSObject::visitChildren().
Reviewed by Michael Saboff.
* runtime/JSObject.cpp:
(JSC::JSObject::visitButterfly):
(JSC::JSObject::visitChildren):
Use JSCell::structure(VM&) to reduce the number of hoops we jump
through to find Structures during marking.
2014-05-12 László Langó
[cmake] Add missing FTL source files to the build system.
Reviewed by Csaba Osztrogonác.
* CMakeLists.txt:
2014-05-09 Joseph Pecoraro
Web Inspector: Allow Remote Inspector to entitlement check UIProcess through WebProcess
https://bugs.webkit.org/show_bug.cgi?id=132409
Reviewed by Timothy Hatcher.
Proxy applications are applications which hold WebViews for other
applications. The WebProcess (Web Content Service) is a proxy application.
For legacy reasons we were supporting a scenario where proxy applications
could potentially host WebViews for more than one other application. That
was never the case for WebProcess and it is now a scenario we don't need
to worry about supporting.
With this change, a proxy application more naturally only holds WebViews
for a single parent / host application. The proxy process can set the
parent pid / audit_token data on the RemoteInspector singleton, and
that data will be sent on to webinspectord later on to be validated.
In the WebProcess<->UIProcess relationship that information is known
and set immediately. In the Legacy iOS case that information is set
soon after, but not immediately known at the point the WebView is created.
This allows us to simplify the RemoteInspectorDebuggable interface.
We no longer need a pid per-Debuggable.
* inspector/remote/RemoteInspector.h:
* inspector/remote/RemoteInspector.mm:
(Inspector::RemoteInspector::RemoteInspector):
(Inspector::RemoteInspector::setParentProcessInformation):
(Inspector::RemoteInspector::xpcConnectionReceivedMessage):
(Inspector::RemoteInspector::listingForDebuggable):
(Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
Handle new proxy application setup message, and provide an API
for a proxy application to set the parent process information.
* inspector/remote/RemoteInspectorConstants.h:
New setup and response message for proxy applications to pass
their parent / host application information to webinspectord.
* inspector/remote/RemoteInspectorDebuggable.cpp:
(Inspector::RemoteInspectorDebuggable::info):
* inspector/remote/RemoteInspectorDebuggable.h:
(Inspector::RemoteInspectorDebuggableInfo::RemoteInspectorDebuggableInfo):
(Inspector::RemoteInspectorDebuggableInfo::hasParentProcess): Deleted.
pid per debuggable is no longer needed.
2014-05-09 Mark Hahnenberg
JSDOMWindow should disable property caching after a certain point
https://bugs.webkit.org/show_bug.cgi?id=132751
Reviewed by Filip Pizlo.
This is part of removing HasImpureGetOwnPropertySlot from JSDOMWindow. After the lookup in the static
hash table for JSDOMWindow fails we want to disable property caching even if the code that follows thinks
that it has provided a cacheable value.
* runtime/PropertySlot.h:
(JSC::PropertySlot::PropertySlot):
(JSC::PropertySlot::isCacheable):
(JSC::PropertySlot::disableCaching):
2014-05-09 Andreas Kling
8.8% spent in Object.prototype.hasOwnProperty() on sbperftest.
Leverage the fast-resolve-to-AtomicString optimization for JSRopeString
in Object.prototype.* by using JSString::toIdentifier() in the cases where
we are converting JSString -> String -> Identifier.
This brings time spent in hasOwnProperty() from 8.8% to 1.3% on
"The Great HTML5 Gaming Performance Test: 2014 edition"
Reviewed by Oliver Hunt.
* runtime/ObjectPrototype.cpp:
(JSC::objectProtoFuncHasOwnProperty):
(JSC::objectProtoFuncDefineGetter):
(JSC::objectProtoFuncDefineSetter):
(JSC::objectProtoFuncLookupGetter):
(JSC::objectProtoFuncLookupSetter):
2014-05-08 Mark Hahnenberg
JSDOMWindow should have a WatchpointSet to fire on window close
https://bugs.webkit.org/show_bug.cgi?id=132721
Reviewed by Filip Pizlo.
This patch allows us to reset the inline caches that assumed they could skip
the first part of JSDOMWindow::getOwnPropertySlot that checks if the window has
been closed. This is part of getting rid of HasImpureGetOwnPropertySlot on JSDOMWindow.
PropertySlot now accepts a WatchpointSet which the inline cache code can look for
to see if it should create a new Watchpoint for that particular inline cache site.
* bytecode/Watchpoint.h:
* jit/Repatch.cpp:
(JSC::generateByIdStub):
(JSC::tryBuildGetByIDList):
(JSC::tryCachePutByID):
(JSC::tryBuildPutByIdList):
* runtime/PropertySlot.h:
(JSC::PropertySlot::PropertySlot):
(JSC::PropertySlot::watchpointSet):
(JSC::PropertySlot::setWatchpointSet):
2014-05-09 Tanay C
Fix build warning (uninitialized variable) in DFGFixupPhase.cpp
https://bugs.webkit.org/show_bug.cgi?id=132331
Reviewed by Darin Adler.
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
2014-05-09 [email protected]
[Win] Crash when enabling DFG JIT.
https://bugs.webkit.org/show_bug.cgi?id=132683
Reviewed by Geoffrey Garen.
On Windows, using register GPRInfo::regT0 as a parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0)
results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
This causes the register to be written to address 0, hence the crash.
* dfg/DFGOSRExitCompiler32_64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
* dfg/DFGOSRExitCompiler64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit): Ditto.
2014-05-09 Martin Hodovan
REGRESSION(r167094): JSC crashes on ARM Traditional
https://bugs.webkit.org/show_bug.cgi?id=132738
Reviewed by Zoltan Herczeg.
PC is two instructions ahead of the current instruction
on ARM Traditional, so the distance is 8 bytes not 2.
* llint/LowLevelInterpreter.asm:
2014-05-09 Alberto Garcia
jsmin.py license header confusing, mentions non-free license
https://bugs.webkit.org/show_bug.cgi?id=123665
Reviewed by Darin Adler.
Pull the most recent version from upstream, which has a clear
license.
* inspector/scripts/jsmin.py:
2014-05-08 Mark Hahnenberg
Base case for get-by-id inline cache doesn't check for HasImpureGetOwnPropertySlot
https://bugs.webkit.org/show_bug.cgi?id=132695
Reviewed by Filip Pizlo.
We check in the case where we're accessing something other than the base object (e.g. the prototype),
but we fail to do so for the base object.
* jit/Repatch.cpp:
(JSC::tryCacheGetByID):
(JSC::tryBuildGetByIDList):
* jsc.cpp: Added some infrastructure to support this test. We don't currently trigger this bug anywhere in WebKit
because all of the values that are returned that could be impure are set to uncacheable anyways.
(WTF::ImpureGetter::ImpureGetter):
(WTF::ImpureGetter::createStructure):
(WTF::ImpureGetter::create):
(WTF::ImpureGetter::finishCreation):
(WTF::ImpureGetter::getOwnPropertySlot):
(WTF::ImpureGetter::visitChildren):
(WTF::ImpureGetter::setDelegate):
(GlobalObject::finishCreation):
(functionCreateImpureGetter):
(functionSetImpureGetterDelegate):
* tests/stress/impure-get-own-property-slot-inline-cache.js: Added.
(foo):
2014-05-08 Filip Pizlo
deleteAllCompiledCode() shouldn't use the suspension worklist
https://bugs.webkit.org/show_bug.cgi?id=132708
Reviewed by Mark Hahnenberg.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::isStillValid):
* heap/Heap.cpp:
(JSC::Heap::deleteAllCompiledCode):
2014-05-08 Filip Pizlo
SSA conversion should delete PhantomLocals for captured variables
https://bugs.webkit.org/show_bug.cgi?id=132693
Reviewed by Mark Hahnenberg.
* dfg/DFGCommon.cpp:
(JSC::DFG::startCrashing): Parallel JIT and a JIT bug means that we may dump IR in parallel. This is the workaround. This patch uses it in all of the places where we dump IR and crash.
* dfg/DFGCommon.h:
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::injectTypeConversionsForEdge): Use the workaround.
* dfg/DFGLivenessAnalysisPhase.cpp:
(JSC::DFG::LivenessAnalysisPhase::run): Use the workaround.
* dfg/DFGSSAConversionPhase.cpp:
(JSC::DFG::SSAConversionPhase::run): Fix the bug - it's true that PhantomLocal for captured variables doesn't need anything done to it, but it's wrong that we didn't delete it outright.
* dfg/DFGValidate.cpp: Use the workaround.
* tests/stress/phantom-local-captured-but-not-flushed-to-ssa.js: Added.
(foo):
(bar):
2014-05-07 Commit Queue
Unreviewed, rolling out r168451.
https://bugs.webkit.org/show_bug.cgi?id=132670
Not a speed-up, just do what other compilers do. (Requested by
kling on #webkit).
Reverted changeset:
"[X86] Emit BT instruction for single-bit tests."
https://bugs.webkit.org/show_bug.cgi?id=132650
http://trac.webkit.org/changeset/168451
2014-05-07 Filip Pizlo
Make Executable::clearCode() actually clear all of the entrypoints, and
clean up some other FTL-related calling convention stuff.