<https://webkit.org/b/122836>

Reviewed by Geoffrey Garen.

Previously we gained back some performance (run at baseline JIT speeds)
when the WebInspector is opened provided no breakpoints are set. This
was achieved by simply skipping all op_debug callbacks to the debugger
if no breakpoints are set. If any breakpoints are set, the debugger will
set a m_needsOpDebugCallbacks flag which causes the callbacks to be
called, and we don't get the baseline JIT speeds anymore.

With this patch, we will now track the number of breakpoints set in the
CodeBlock that they are set in. The LLINT and baseline JIT code will
check CodeBlock::m_numBreakpoints to determine if the op_debug callbacks
need to be called. With this, we will only enable op_debug callbacks for
CodeBlocks that need it i.e. those with breakpoints set in them.

Debugger::m_needsOpDebugCallbacks is now obsoleted. The LLINT and baseline
JIT code still needs to check Debugger::m_shouldPause to determine if the
debugger is in stepping mode and hence, needs op_debug callbacks enabled
for everything until the debugger "continues" the run and exit stepping
mode.

Also in this patch, I fixed a regression in DOM breakpoints which relies
Debugger::breakProgram() to pause the debugger.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
- Missed accounting for op_debug's new hasBreakpointFlag operand here when
  it was added.
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::hasOpDebugForLineAndColumn):
- This is needed in Debugger::toggleBreakpoint() to determine if a
  breakpoint falls within a CodeBlock or not. Simply checking the bounds
  of the CodeBlock is insufficient. For example, let's say we have the
  following JS code:

      // begin global scope
      function f1() {
          function f2() {
             ... // set breakpoint here.
          }
      }
      // end global scope

  Using the CodeBlock bounds alone, the breakpoint above will to appear
  to be in the global program CodeBlock, and the CodeBlocks for function
  f1() and f2(). With CodeBlock::hasOpDebugForLineAndColumn() we can
  rule out the global program CodeBlock and f1(), and only apply the
  breakpoint to f2(0 where it belongs.

  CodeBlock::hasOpDebugForLineAndColumn() works by iterating over all
  the opcodes in the CodeBlock to look for op_debug's. For each op_debug,
  it calls CodeBlock::expressionRangeForBytecodeOffset() to do a binary
  seach to get the line and column info for that op_debug. This is a
  N * log(N) algorithm. However, a quick hands on test using the
  WebInspector (with this patch applied) to exercise setting, breaking
  on, and clearing breakpoints, as well as stepping through some code
  shows no noticeable degradation of the user experience compared to the
  baseline without this patch.

* bytecode/CodeBlock.h:
(JSC::CodeBlock::numBreakpoints):
(JSC::CodeBlock::numBreakpointsOffset):
(JSC::CodeBlock::addBreakpoint):
(JSC::CodeBlock::removeBreakpoint):
(JSC::CodeBlock::clearAllBreakpoints):
* debugger/Breakpoint.h:
- defined Breakpoint::unspecifiedColumn so that we can explicitly indicate
  when the WebInspector was setting a line breakpoint and did not provide
  a column value. CodeBlock::hasOpDebugForLineAndColumn() needs this
  information in order to loosen its matching criteria for op_debug
  bytecodes for the specified breakpoint line and column values provided
  by the debugger.

  Previously, we just hijack a 0 value column as an unspecified column.
  However, the WebInspector operates on 0-based ints for column values.
  Hence, 0 should be a valid column value and should not be hijacked to
  mean an unspecified column.

* debugger/Debugger.cpp:
(JSC::Debugger::Debugger):
- added tracking of the VM that the debugger is used with. This is
  needed by Debugger::breakProgram().

  The VM pointer is attained from the first JSGlobalObject that the debugger
  attaches to. When the debugger detaches from the last JSGlobalObject, it
  will nullify its VM pointer to allow a new one to be set on the next
  attach.

  We were always only using each debugger instance with one VM. This change
  makes it explicit with an assert to ensure that all globalObjects that
  the debugger attaches to beongs to the same VM.

(JSC::Debugger::attach):
(JSC::Debugger::detach):
(JSC::Debugger::setShouldPause):

(JSC::Debugger::registerCodeBlock):
(JSC::Debugger::unregisterCodeBlock):
- registerCodeBlock() is responsible for applying pre-existing breakpoints
  to new CodeBlocks being installed. Similarly, unregisterCodeBlock()
  clears the breakpoints.

(JSC::Debugger::toggleBreakpoint):
- This is the workhorse function that checks if a breakpoint falls within
  a CodeBlock or not. If it does, then it can either enable or disable
  said breakpoint in the CodeBlock. In the current implementation,
  enabling/disabling the breakpoint simply means incrementing/decrementing
  the CodeBlock's m_numBreakpoints.

(JSC::Debugger::applyBreakpoints):

(JSC::Debugger::ToggleBreakpointFunctor::ToggleBreakpointFunctor):
(JSC::Debugger::ToggleBreakpointFunctor::operator()):
(JSC::Debugger::toggleBreakpoint):
- Iterates all relevant CodeBlocks and apply the specified breakpoint
  if appropriate. This is called when a new breakpoint is being defined
  by the WebInspector and needs to be applied to an already installed
  CodeBlock.

(JSC::Debugger::setBreakpoint):
(JSC::Debugger::removeBreakpoint):
(JSC::Debugger::hasBreakpoint):
(JSC::Debugger::ClearBreakpointsFunctor::ClearBreakpointsFunctor):
(JSC::Debugger::ClearBreakpointsFunctor::operator()):
(JSC::Debugger::clearBreakpoints):

(JSC::Debugger::breakProgram):
- Fixed a regression that broke DOM breakpoints. The issue is that with
  the skipping of op_debug callbacks, we don't always have an updated
  m_currentCallFrame. Normally, m_currentCallFrame is provided as arg
  in the op_debug callback. In this case, we can get the CallFrame* from
  m_vm->topCallFrame.

(JSC::Debugger::updateCallFrameAndPauseIfNeeded):
(JSC::Debugger::pauseIfNeeded):
(JSC::Debugger::willExecuteProgram):
* debugger/Debugger.h:
(JSC::Debugger::Debugger):
(JSC::Debugger::shouldPause):

* heap/CodeBlockSet.h:
(JSC::CodeBlockSet::iterate):
* heap/Heap.h:
(JSC::Heap::forEachCodeBlock):
- Added utility to iterate all CodeBlocks in the heap / VM.

* interpreter/Interpreter.cpp:
(JSC::Interpreter::debug):

* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_debug):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_debug):
* llint/LowLevelInterpreter.asm:
- These now checks CodeBlock::m_numBreakpoints and Debugger::m_shouldPause
  instead of Debugger::m_needsOpDebugCallbacks.

* runtime/Executable.cpp:
(JSC::ScriptExecutable::installCode):



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@162598 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=127146

Reviewed by Alexey Proskuryakov.

This is simply a bogus assertion as we can't guarantee a bindings object
won't intercept assignment to .stack

* interpreter/Interpreter.cpp:
(JSC::Interpreter::unwind):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@162156 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=120954

Reviewed by Filip Pizlo.

Source/JavaScriptCore: 

Update Promises to the revised spec. Notable changes:
- JSPromiseResolver is gone.
- TaskContext has been renamed Microtask and now has a virtual run() function.
- Instead of using custom InternalFunction subclasses, JSFunctions are used
  with PrivateName properties for internal slots.

* CMakeLists.txt:
* DerivedSources.make:
* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* interpreter/CallFrame.h:
(JSC::ExecState::promiseConstructorTable):
* runtime/CommonIdentifiers.cpp:
(JSC::CommonIdentifiers::CommonIdentifiers):
* runtime/CommonIdentifiers.h:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::reset):
(JSC::JSGlobalObject::visitChildren):
(JSC::JSGlobalObject::queueMicrotask):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::promiseConstructor):
(JSC::JSGlobalObject::promisePrototype):
(JSC::JSGlobalObject::promiseStructure):
* runtime/JSPromise.cpp:
(JSC::JSPromise::create):
(JSC::JSPromise::JSPromise):
(JSC::JSPromise::finishCreation):
(JSC::JSPromise::visitChildren):
(JSC::JSPromise::reject):
(JSC::JSPromise::resolve):
(JSC::JSPromise::appendResolveReaction):
(JSC::JSPromise::appendRejectReaction):
(JSC::triggerPromiseReactions):
* runtime/JSPromise.h:
(JSC::JSPromise::status):
(JSC::JSPromise::result):
(JSC::JSPromise::constructor):
* runtime/JSPromiseCallback.cpp: Removed.
* runtime/JSPromiseCallback.h: Removed.
* runtime/JSPromiseConstructor.cpp:
(JSC::constructPromise):
(JSC::JSPromiseConstructor::getCallData):
(JSC::JSPromiseConstructorFuncCast):
(JSC::JSPromiseConstructorFuncResolve):
(JSC::JSPromiseConstructorFuncReject):
* runtime/JSPromiseConstructor.h:
* runtime/JSPromiseDeferred.cpp: Added.
(JSC::JSPromiseDeferred::create):
(JSC::JSPromiseDeferred::JSPromiseDeferred):
(JSC::JSPromiseDeferred::finishCreation):
(JSC::JSPromiseDeferred::visitChildren):
(JSC::createJSPromiseDeferredFromConstructor):
(JSC::updateDeferredFromPotentialThenable):
* runtime/JSPromiseDeferred.h: Added.
(JSC::JSPromiseDeferred::createStructure):
(JSC::JSPromiseDeferred::promise):
(JSC::JSPromiseDeferred::resolve):
(JSC::JSPromiseDeferred::reject):
* runtime/JSPromiseFunctions.cpp: Added.
(JSC::deferredConstructionFunction):
(JSC::createDeferredConstructionFunction):
(JSC::identifyFunction):
(JSC::createIdentifyFunction):
(JSC::promiseAllCountdownFunction):
(JSC::createPromiseAllCountdownFunction):
(JSC::promiseResolutionHandlerFunction):
(JSC::createPromiseResolutionHandlerFunction):
(JSC::rejectPromiseFunction):
(JSC::createRejectPromiseFunction):
(JSC::resolvePromiseFunction):
(JSC::createResolvePromiseFunction):
(JSC::throwerFunction):
(JSC::createThrowerFunction):
* runtime/JSPromiseFunctions.h: Added.
* runtime/JSPromisePrototype.cpp:
(JSC::JSPromisePrototypeFuncThen):
(JSC::JSPromisePrototypeFuncCatch):
* runtime/JSPromiseReaction.cpp: Added.
(JSC::createExecutePromiseReactionMicroTask):
(JSC::ExecutePromiseReactionMicroTask::run):
(JSC::JSPromiseReaction::create):
(JSC::JSPromiseReaction::JSPromiseReaction):
(JSC::JSPromiseReaction::finishCreation):
(JSC::JSPromiseReaction::visitChildren):
* runtime/JSPromiseReaction.h: Added.
(JSC::JSPromiseReaction::createStructure):
(JSC::JSPromiseReaction::deferred):
(JSC::JSPromiseReaction::handler):
* runtime/JSPromiseResolver.cpp: Removed.
* runtime/JSPromiseResolver.h: Removed.
* runtime/JSPromiseResolverConstructor.cpp: Removed.
* runtime/JSPromiseResolverConstructor.h: Removed.
* runtime/JSPromiseResolverPrototype.cpp: Removed.
* runtime/JSPromiseResolverPrototype.h: Removed.
* runtime/Microtask.h: Added.
* runtime/VM.cpp:
(JSC::VM::VM):
(JSC::VM::~VM):
* runtime/VM.h:

Source/WebCore: 

* ForwardingHeaders/runtime/JSPromiseDeferred.h: Added.
* ForwardingHeaders/runtime/JSPromiseResolver.h: Removed.
* bindings/js/JSDOMGlobalObjectTask.cpp:
(WebCore::JSGlobalObjectTask::JSGlobalObjectTask):
* bindings/js/JSDOMGlobalObjectTask.h:
* bindings/js/JSDOMPromise.cpp:
(WebCore::DeferredWrapper::DeferredWrapper):
(WebCore::DeferredWrapper::promise):
(WebCore::DeferredWrapper::resolve):
(WebCore::DeferredWrapper::reject):
* bindings/js/JSDOMPromise.h:
(WebCore::DeferredWrapper::resolve):
(WebCore::DeferredWrapper::reject):
(WebCore::DeferredWrapper::resolve<String>):
(WebCore::DeferredWrapper::resolve<bool>):
(WebCore::char>>):
(WebCore::DeferredWrapper::reject<String>):
* bindings/js/JSDOMWindowBase.cpp:
(WebCore::JSDOMWindowBase::queueTaskToEventLoop):
* bindings/js/JSDOMWindowBase.h:
* bindings/js/JSSubtleCryptoCustom.cpp:
(WebCore::JSSubtleCrypto::encrypt):
(WebCore::JSSubtleCrypto::decrypt):
(WebCore::JSSubtleCrypto::sign):
(WebCore::JSSubtleCrypto::verify):
(WebCore::JSSubtleCrypto::digest):
(WebCore::JSSubtleCrypto::generateKey):
(WebCore::JSSubtleCrypto::importKey):
(WebCore::JSSubtleCrypto::exportKey):
(WebCore::JSSubtleCrypto::wrapKey):
(WebCore::JSSubtleCrypto::unwrapKey):
* bindings/js/JSWorkerGlobalScopeBase.cpp:
(WebCore::JSWorkerGlobalScopeBase::queueTaskToEventLoop):
* bindings/js/JSWorkerGlobalScopeBase.h:

LayoutTests: 

* crypto/subtle/argument-conversion.html:
* crypto/subtle/resources/common.js:
* crypto/subtle/sha-1.html:
* crypto/subtle/sha-224.html:
* crypto/subtle/sha-256.html:
* crypto/subtle/sha-384.html:
* crypto/subtle/sha-512.html:
* js/dom/Promise-already-fulfilled-expected.txt: Removed.
* js/dom/Promise-already-fulfilled.html: Removed.
* js/dom/Promise-already-rejected.html:
* js/dom/Promise-already-resolved.html:
* js/dom/Promise-catch-expected.txt:
* js/dom/Promise-catch-in-workers-expected.txt:
* js/dom/Promise-catch.html:
* js/dom/Promise-chain.html:
* js/dom/Promise-exception-expected.txt:
* js/dom/Promise-exception.html:
* js/dom/Promise-expected.txt:
* js/dom/Promise-fulfill-expected.txt: Removed.
* js/dom/Promise-fulfill-in-workers-expected.txt: Removed.
* js/dom/Promise-fulfill-in-workers.html: Removed.
* js/dom/Promise-fulfill.html: Removed.
* js/dom/Promise-init-callback-receiver-expected.txt: Added.
* js/dom/Promise-init-callback-receiver.html: Added.
* js/dom/Promise-init-expected.txt:
* js/dom/Promise-init-in-workers-expected.txt:
* js/dom/Promise-init.html:
* js/dom/Promise-onFulfilled-deep-expected.txt: Added.
* js/dom/Promise-onFulfilled-deep.html: Added.
* js/dom/Promise-onRejected-deep-expected.txt: Added.
* js/dom/Promise-onRejected-deep.html: Added.
* js/dom/Promise-reject.html:
* js/dom/Promise-resolve-chain.html:
* js/dom/Promise-resolve-expected.txt:
* js/dom/Promise-resolve-in-workers-expected.txt:
* js/dom/Promise-resolve-state-expected.txt: Added.
* js/dom/Promise-resolve-state-in-workers-expected.txt: Added.
* js/dom/Promise-resolve-state-in-workers.html: Added.
* js/dom/Promise-resolve-state.html: Added.
* js/dom/Promise-resolve-with-itself-expected.txt: Added.
* js/dom/Promise-resolve-with-itself.html: Added.
* js/dom/Promise-resolve-with-then-exception.html:
* js/dom/Promise-resolve-with-then-fulfill-expected.txt:
* js/dom/Promise-resolve-with-then-fulfill.html:
* js/dom/Promise-resolve-with-then-reject-expected.txt:
* js/dom/Promise-resolve-with-then-reject.html:
* js/dom/Promise-resolve.html:
* js/dom/Promise-simple-expected.txt:
* js/dom/Promise-simple-fulfill-expected.txt: Removed.
* js/dom/Promise-simple-fulfill-inside-callback-expected.txt: Removed.
* js/dom/Promise-simple-fulfill-inside-callback.html: Removed.
* js/dom/Promise-simple-fulfill.html: Removed.
* js/dom/Promise-simple-in-workers-expected.txt:
* js/dom/Promise-simple-resolve-expected.txt: Added.
* js/dom/Promise-simple-resolve.html: Added.
* js/dom/Promise-simple.html:
* js/dom/Promise-static-all-expected.txt: Added.
* js/dom/Promise-static-all.html: Added.
* js/dom/Promise-static-cast-expected.txt: Added.
* js/dom/Promise-static-cast.html: Added.
* js/dom/Promise-static-fulfill-expected.txt: Removed.
* js/dom/Promise-static-fulfill.html: Removed.
* js/dom/Promise-static-race-expected.txt: Added.
* js/dom/Promise-static-race.html: Added.
* js/dom/Promise-static-resolve.html:
* js/dom/Promise-then-callback-receiver-expected.txt: Added.
* js/dom/Promise-then-callback-receiver.html: Added.
* js/dom/Promise-then-expected.txt:
* js/dom/Promise-then-in-workers-expected.txt:
* js/dom/Promise-then-without-callbacks.html:
* js/dom/Promise-then.html:
* js/dom/Promise-types-expected.txt:
* js/dom/Promise-types.html:
* js/dom/Promise.html:
* js/resources/Promise-catch-in-workers.js:
* js/resources/Promise-fulfill-in-workers.js: Removed.
* js/resources/Promise-init-in-workers.js:
* js/resources/Promise-reject-in-workers.js:
* js/resources/Promise-resolve-in-workers.js:
* js/resources/Promise-resolve-state-in-workers.js: Added.
* js/resources/Promise-simple-in-workers.js:
* js/resources/Promise-then-in-workers.js:
* js/resources/Promise-then-without-callbacks-in-workers.js:


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@161241 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=126187

Reviewed by Antti Koivisto.

Source/JavaScriptCore:

Refactor PutPropertySlot, making the constructor take the thisValue
used as a target.  This results in a wide range of boilerplate changes
to pass the new parameter.

* API/JSObjectRef.cpp:
(JSObjectSetProperty):
* dfg/DFGOperations.cpp:
(JSC::DFG::operationPutByValInternal):
* interpreter/Interpreter.cpp:
(JSC::Interpreter::execute):
* jit/JITOperations.cpp:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/Arguments.cpp:
(JSC::Arguments::putByIndex):
* runtime/ArrayPrototype.cpp:
(JSC::putProperty):
(JSC::arrayProtoFuncPush):
* runtime/JSCJSValue.cpp:
(JSC::JSValue::putToPrimitiveByIndex):
* runtime/JSCell.cpp:
(JSC::JSCell::putByIndex):
* runtime/JSFunction.cpp:
(JSC::JSFunction::put):
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
* runtime/JSONObject.cpp:
(JSC::Walker::walk):
* runtime/JSObject.cpp:
(JSC::JSObject::putByIndex):
(JSC::JSObject::putDirectNonIndexAccessor):
(JSC::JSObject::deleteProperty):
* runtime/JSObject.h:
(JSC::JSObject::putDirect):
* runtime/Lookup.h:
(JSC::putEntry):
(JSC::lookupPut):
* runtime/PutPropertySlot.h:
(JSC::PutPropertySlot::PutPropertySlot):
(JSC::PutPropertySlot::setCustomProperty):
(JSC::PutPropertySlot::thisValue):
(JSC::PutPropertySlot::isCacheable):

Source/WebCore:

Update the bindings code generation and custom objects
to the new function signatures

* bindings/js/JSDOMWindowCustom.cpp:
(WebCore::JSDOMWindow::put):
* bindings/objc/WebScriptObject.mm:
(-[WebScriptObject setValue:forKey:]):
* bindings/scripts/CodeGeneratorJS.pm:
(GenerateImplementation):
* bindings/scripts/test/JS/JSTestInterface.cpp:
(WebCore::JSTestInterface::putByIndex):
* bridge/NP_jsobject.cpp:
(_NPN_SetProperty):

Source/WebKit/mac:

Update for new method signatures.

* Plugins/Hosted/NetscapePluginInstanceProxy.mm:
(WebKit::NetscapePluginInstanceProxy::setProperty):

Source/WebKit2:

Update for new method signatures.

* WebProcess/Plugins/Netscape/NPJSObject.cpp:
(WebKit::NPJSObject::setProperty):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@161220 268f45cc-cd09-0410-ab3c-d52691b4dbfc

http://trac.webkit.org/changeset/161033
http://trac.webkit.org/changeset/161074
https://bugs.webkit.org/show_bug.cgi?id=126240

Oliver says that a rollout would be better (Requested by ap on
#webkit).

Source/JavaScriptCore:

* API/JSObjectRef.cpp:
(JSObjectSetProperty):
* dfg/DFGOperations.cpp:
(JSC::DFG::operationPutByValInternal):
* interpreter/Interpreter.cpp:
(JSC::Interpreter::execute):
* jit/JITOperations.cpp:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/Arguments.cpp:
(JSC::Arguments::putByIndex):
* runtime/ArrayPrototype.cpp:
(JSC::putProperty):
(JSC::arrayProtoFuncPush):
* runtime/JSCJSValue.cpp:
(JSC::JSValue::putToPrimitiveByIndex):
* runtime/JSCell.cpp:
(JSC::JSCell::putByIndex):
* runtime/JSFunction.cpp:
(JSC::JSFunction::put):
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
* runtime/JSONObject.cpp:
(JSC::Walker::walk):
* runtime/JSObject.cpp:
(JSC::JSObject::putByIndex):
(JSC::JSObject::putDirectNonIndexAccessor):
(JSC::JSObject::deleteProperty):
* runtime/JSObject.h:
(JSC::JSObject::putDirect):
* runtime/Lookup.h:
(JSC::putEntry):
(JSC::lookupPut):
* runtime/PutPropertySlot.h:
(JSC::PutPropertySlot::PutPropertySlot):
(JSC::PutPropertySlot::setNewProperty):
(JSC::PutPropertySlot::isCacheable):

Source/WebCore:

* bindings/js/JSDOMWindowCustom.cpp:
(WebCore::JSDOMWindow::put):
* bindings/objc/WebScriptObject.mm:
(-[WebScriptObject setValue:forKey:]):
* bindings/scripts/CodeGeneratorJS.pm:
(GenerateImplementation):
* bindings/scripts/test/JS/JSTestInterface.cpp:
(WebCore::JSTestInterface::putByIndex):
* bridge/NP_jsobject.cpp:
(_NPN_SetProperty):

Source/WebKit/mac:

* Plugins/Hosted/NetscapePluginInstanceProxy.mm:
(WebKit::NetscapePluginInstanceProxy::setProperty):

Source/WebKit2:

* WebProcess/Plugins/Netscape/NPJSObject.cpp:
(WebKit::NPJSObject::setProperty):

LayoutTests:

* TestExpectations:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@161077 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=126187

Reviewed by msaboff.

Source/JavaScriptCore:

Refactor PutPropertySlot, making the constructor take the thisValue
used as a target.  This results in a wide range of boilerplate changes
to pass the new parameter.

* API/JSObjectRef.cpp:
(JSObjectSetProperty):
* dfg/DFGOperations.cpp:
(JSC::DFG::operationPutByValInternal):
* interpreter/Interpreter.cpp:
(JSC::Interpreter::execute):
* jit/JITOperations.cpp:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/Arguments.cpp:
(JSC::Arguments::putByIndex):
* runtime/ArrayPrototype.cpp:
(JSC::putProperty):
(JSC::arrayProtoFuncPush):
* runtime/JSCJSValue.cpp:
(JSC::JSValue::putToPrimitiveByIndex):
* runtime/JSCell.cpp:
(JSC::JSCell::putByIndex):
* runtime/JSFunction.cpp:
(JSC::JSFunction::put):
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
* runtime/JSONObject.cpp:
(JSC::Walker::walk):
* runtime/JSObject.cpp:
(JSC::JSObject::putByIndex):
(JSC::JSObject::putDirectNonIndexAccessor):
(JSC::JSObject::deleteProperty):
* runtime/JSObject.h:
(JSC::JSObject::putDirect):
* runtime/Lookup.h:
(JSC::putEntry):
(JSC::lookupPut):
* runtime/PutPropertySlot.h:
(JSC::PutPropertySlot::PutPropertySlot):
(JSC::PutPropertySlot::setCustomProperty):
(JSC::PutPropertySlot::thisValue):
(JSC::PutPropertySlot::isCacheable):

Source/WebCore:

Update the bindings code generation and custom objects
to the new function signatures

* bindings/js/JSDOMWindowCustom.cpp:
(WebCore::JSDOMWindow::put):
* bindings/objc/WebScriptObject.mm:
(-[WebScriptObject setValue:forKey:]):
* bindings/scripts/CodeGeneratorJS.pm:
(GenerateImplementation):
* bindings/scripts/test/JS/JSTestInterface.cpp:
(WebCore::JSTestInterface::putByIndex):
* bridge/NP_jsobject.cpp:
(_NPN_SetProperty):

Source/WebKit/mac:

Update for new method signatures.

* Plugins/Hosted/NetscapePluginInstanceProxy.mm:
(WebKit::NetscapePluginInstanceProxy::setProperty):

Source/WebKit2:

Update for new method signatures.

* WebProcess/Plugins/Netscape/NPJSObject.cpp:
(WebKit::NPJSObject::setProperty):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@161033 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=125331

Reviewed by Filip Pizlo.

Split loadVarargs into sizeAndAllocFrameForVarargs() and loadVarargs() in
preparation for moving onto the C stack.  sizeAndAllocFrameForVarargs() will
compute the size of the callee frame and allocate it, while loadVarargs()
actually loads the argument values.

As part of moving onto the C stack, sizeAndAllocFrameForVarargs() will be
changed to a function that just computes the size.  The caller will use that
size to allocate the new frame on the stack before calling loadVargs() and
actually making the call.

* interpreter/Interpreter.cpp:
(JSC::sizeAndAllocFrameForVarargs):
(JSC::loadVarargs):
* interpreter/Interpreter.h:
* jit/JIT.h:
* jit/JITCall.cpp:
(JSC::JIT::compileLoadVarargs):
* jit/JITCall32_64.cpp:
(JSC::JIT::compileLoadVarargs):
* jit/JITInlines.h:
(JSC::JIT::callOperation):
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LLIntSlowPaths.h:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/VM.h:


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@160244 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=125294.

Reviewed by Michael Saboff.

1. Changed the C Loop LLINT to dispatch to an Executable via its JITCode
   instance which is consistent with how the ASM LLINT works.
2. Changed CLoop::execute() to take an Opcode instead of an OpcodeID.
   This makes it play nice with the use of JITCode for dispatching.
3. Introduce a callToJavaScript and callToNativeFunction for the C Loop
   LLINT. These will call JSStack::pushFrame() and popFrame() to setup
   and teardown the CallFrame.
4. Also introduced a C Loop returnFromJavaScript which is just a
   replacement for ctiOpThrowNotCaught which had the same function.
5. Remove a lot of #if ENABLE(LLINT_C_LOOP) code now that the dispatch
   mechanism is consistent.

This patch has been tested with both configurations of COMPUTED_GOTOs
on and off.

* interpreter/CachedCall.h:
(JSC::CachedCall::CachedCall):
(JSC::CachedCall::call):
(JSC::CachedCall::setArgument):
* interpreter/CallFrameClosure.h:
(JSC::CallFrameClosure::setThis):
(JSC::CallFrameClosure::setArgument):
(JSC::CallFrameClosure::resetCallFrame):
* interpreter/Interpreter.cpp:
(JSC::Interpreter::execute):
(JSC::Interpreter::executeCall):
(JSC::Interpreter::executeConstruct):
(JSC::Interpreter::prepareForRepeatCall):
* interpreter/Interpreter.h:
* interpreter/JSStack.h:
* interpreter/JSStackInlines.h:
(JSC::JSStack::pushFrame):
* interpreter/ProtoCallFrame.h:
(JSC::ProtoCallFrame::scope):
(JSC::ProtoCallFrame::callee):
(JSC::ProtoCallFrame::thisValue):
(JSC::ProtoCallFrame::argument):
(JSC::ProtoCallFrame::setArgument):
* jit/JITCode.cpp:
(JSC::JITCode::execute):
* jit/JITCode.h:
* jit/JITExceptions.cpp:
(JSC::genericUnwind):
* llint/LLIntCLoop.cpp:
(JSC::LLInt::CLoop::initialize):
* llint/LLIntCLoop.h:
* llint/LLIntEntrypoint.cpp:
(JSC::LLInt::setFunctionEntrypoint):
(JSC::LLInt::setEvalEntrypoint):
(JSC::LLInt::setProgramEntrypoint):
- Inverted the check for vm.canUseJIT(). This allows the JIT case to be
  #if'd out nicely when building the C Loop LLINT.
* llint/LLIntOpcode.h:
* llint/LLIntThunks.cpp:
(JSC::doCallToJavaScript):
(JSC::executeJS):
(JSC::callToJavaScript):
(JSC::executeNative):
(JSC::callToNativeFunction):
* llint/LLIntThunks.h:
* llint/LowLevelInterpreter.cpp:
(JSC::CLoop::execute):
* runtime/Executable.h:
(JSC::ExecutableBase::offsetOfNumParametersFor):
(JSC::ExecutableBase::hostCodeEntryFor):
(JSC::ExecutableBase::jsCodeEntryFor):
(JSC::ExecutableBase::jsCodeWithArityCheckEntryFor):
(JSC::NativeExecutable::create):
(JSC::NativeExecutable::finishCreation):
(JSC::ProgramExecutable::generatedJITCode):
* runtime/JSArray.cpp:
(JSC::AVLTreeAbstractorForArrayCompare::compare_key_key):
* runtime/StringPrototype.cpp:
(JSC::replaceUsingRegExpSearch):
* runtime/VM.cpp:
(JSC::VM::getHostFunction):



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@160186 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=123999

Reviewed by Filip Pizlo.

Changed LLInt and/or JIT enabled ports to allocate the stack frame in the
callToJavaScript stub.  Added an additional stub, callToNativeFunction that
allocates a stack frame in a similar way for calling native entry points
that take a single ExecState* argument.  These stubs are implemented
using common macros in LowLevelInterpreter{32_64,64}.asm.  There are also
Windows X86 and X86-64 versions in the corresponding JitStubsXX.h.
The stubs allocate and create a sentinel frame, then create the callee's
frame, populating  the header and arguments from the passed in ProtoCallFrame*.
It is assumed that the caller of either stub does a check for enough stack space
via JSStack::entryCheck().

For ports using the C-Loop interpreter, the prior method for allocating stack
frame and invoking functions is used, namely with JSStack::pushFrame() and
::popFrame().

Made spelling changes "sentinal" -> "sentinel".

* CMakeLists.txt:
* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* interpreter/CachedCall.h:
(JSC::CachedCall::CachedCall):
(JSC::CachedCall::setThis):
(JSC::CachedCall::setArgument):
* interpreter/CallFrameClosure.h:
(JSC::CallFrameClosure::resetCallFrame):
* interpreter/Interpreter.cpp:
(JSC::Interpreter::execute):
(JSC::Interpreter::executeCall):
(JSC::Interpreter::executeConstruct):
(JSC::Interpreter::prepareForRepeatCall):
* interpreter/Interpreter.h:
* interpreter/JSStack.h:
* interpreter/JSStackInlines.h:
(JSC::JSStack::entryCheck):
(JSC::JSStack::pushFrame):
(JSC::JSStack::popFrame):
* interpreter/ProtoCallFrame.cpp: Added.
(JSC::ProtoCallFrame::init):
* interpreter/ProtoCallFrame.h: Added.
(JSC::ProtoCallFrame::codeBlock):
(JSC::ProtoCallFrame::setCodeBlock):
(JSC::ProtoCallFrame::setScope):
(JSC::ProtoCallFrame::setCallee):
(JSC::ProtoCallFrame::argumentCountIncludingThis):
(JSC::ProtoCallFrame::argumentCount):
(JSC::ProtoCallFrame::setArgumentCountIncludingThis):
(JSC::ProtoCallFrame::setPaddedArgsCount):
(JSC::ProtoCallFrame::clearCurrentVPC):
(JSC::ProtoCallFrame::setThisValue):
(JSC::ProtoCallFrame::setArgument):
* jit/JITCode.cpp:
(JSC::JITCode::execute):
* jit/JITCode.h:
* jit/JITOperations.cpp:
* jit/JITStubs.h:
* jit/JITStubsMSVC64.asm:
* jit/JITStubsX86.h:
* llint/LLIntOffsetsExtractor.cpp:
* llint/LLIntThunks.h:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/ArgList.h:
(JSC::ArgList::data):
* runtime/JSArray.cpp:
(JSC::AVLTreeAbstractorForArrayCompare::compare_key_key):
* runtime/StringPrototype.cpp:
(JSC::replaceUsingRegExpSearch):


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@160094 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=125220

Patch by László Langó <lango@inf.u-szeged.hu> on 2013-12-04
Reviewed by Michael Saboff.

* interpreter/VMInspector.cpp:
* jit/JITArithmetic.cpp:
* jit/JITArithmetic32_64.cpp:
* jit/JITCall.cpp:
* jit/JITCall32_64.cpp:
* jit/JITPropertyAccess.cpp:
* jit/JITPropertyAccess32_64.cpp:
* runtime/Completion.cpp:
* runtime/IndexingType.cpp:
* runtime/Lookup.h:
* runtime/Operations.cpp:
* runtime/Options.cpp:
* runtime/RegExp.cpp:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@160092 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=121972.

Reviewed by Brent Fulgham.

Source/JavaScriptCore: 

* interpreter/JSStack.cpp:
(JSC::JSStack::~JSStack):
- Reverting the change from r160004 since it's better to fix OSAllocatorWin
  to be consistent with OSAllocatorPosix.

Source/WTF: 

* wtf/OSAllocatorWin.cpp:
(WTF::OSAllocator::decommit):
(WTF::OSAllocator::releaseDecommitted):
- Added a check to ensure that the bytes to decommit / release is not 0.
  On Windows, a 0 length passed to VirtualFree() has a special meaning,
  and it's not "decommit / release nothing" as one would expect. Adding
  this check makes OSAllocatorWin consistent with OSAllocatorPosix for
  these 2 functions.



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@160063 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=121972

Patch by peavo@outlook.com <peavo@outlook.com> on 2013-12-03
Reviewed by Michael Saboff.

The reason for the crash is that the wrong memory block is decommitted.
This can happen if no memory has been committed in the reserved block before the JSStack object is destroyed.
In the JSStack destructor, the pointer to decommit then points to the end of the block (or the start of the next), and the decommit size is zero.
If there is a block just after the block we are trying to decommit, this block will be decommitted, since Windows will decommit the whole block,
if the decommit size is zero (see VirtualFree). When somebody tries to read/write to this block later, we crash.

* interpreter/JSStack.cpp:
(JSC::JSStack::~JSStack): Don't decommit memory if nothing has been committed.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@160004 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=124951

Reviewed by Mark Hahnenberg.
        
Sanitize the stack (i.e. zero parts of it known to be dead) at three key points:
        
- GC.
        
- At beginning of OSR entry.
        
- Just as we finish preparing OSR entry. This clears those slots on the stack that
  could have been live in baseline but that are known to be dead in DFG.
        
This is as much as a 2x speed-up on splay if you run it in certain modes, and run it
for a long enough interval. It appears to fix all instances of the dreaded exponential
heap growth that splay gets into when some stale pointer stays around.
        
This doesn't have much of an effect on real-world programs. This bug has only ever
manifested in splay and for that reason we thus far opted against fixing it. But splay
is, for what it's worth, the premiere GC stress test in JavaScript - so making sure we
can run it without pathologies - even when you tweak its configuration - is probably
fairly important.

* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::noticeOSREntry):
* dfg/DFGOSREntry.cpp:
(JSC::DFG::prepareOSREntry):
* dfg/DFGOSREntry.h:
* heap/Heap.cpp:
(JSC::Heap::markRoots):
* interpreter/JSStack.cpp:
(JSC::JSStack::JSStack):
(JSC::JSStack::sanitizeStack):
* interpreter/JSStack.h:



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@159826 268f45cc-cd09-0410-ab3c-d52691b4dbfc

CodeBlock::m_numCalleeRegisters shouldn't also mean frame size, frame size needed for exit, or any other unrelated things
https://bugs.webkit.org/show_bug.cgi?id=124793

Reviewed by Mark Hahnenberg.
        
Now m_numCalleeRegisters always refers to the number of locals that the attached
bytecode uses. It never means anything else.
        
For frame size, we now have it lazily computed from m_numCalleeRegisters for the
baseline engines and we have it stored in DFG::CommonData for the optimizing JITs.
        
For frame-size-needed-at-exit, we store that in DFG::CommonData, too.
        
The code no longer implies that there is any arithmetic relationship between
m_numCalleeRegisters and frameSize. Previously it implied that the latter is greater
than the former.
        
The code no longer implies that there is any arithmetic relationship between the
frame Size and the frame-size-needed-at-exit. Previously it implied that the latter
is greater that the former.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::frameRegisterCount):
* bytecode/CodeBlock.h:
* dfg/DFGCommonData.h:
(JSC::DFG::CommonData::CommonData):
(JSC::DFG::CommonData::requiredRegisterCountForExecutionAndExit):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::frameRegisterCount):
(JSC::DFG::Graph::requiredRegisterCountForExit):
(JSC::DFG::Graph::requiredRegisterCountForExecutionAndExit):
* dfg/DFGGraph.h:
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):
(JSC::DFG::JITCompiler::compileFunction):
* dfg/DFGOSREntry.cpp:
(JSC::DFG::prepareOSREntry):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::SpeculativeJIT):
* dfg/DFGVirtualRegisterAllocationPhase.cpp:
(JSC::DFG::VirtualRegisterAllocationPhase::run):
* ftl/FTLLink.cpp:
(JSC::FTL::link):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
* ftl/FTLOSREntry.cpp:
(JSC::FTL::prepareOSREntry):
* interpreter/CallFrame.cpp:
(JSC::CallFrame::frameExtentInternal):
* interpreter/JSStackInlines.h:
(JSC::JSStack::pushFrame):
* jit/JIT.h:
(JSC::JIT::frameRegisterCountFor):
* jit/JITOperations.cpp:
* llint/LLIntEntrypoint.cpp:
(JSC::LLInt::frameRegisterCountFor):
* llint/LLIntEntrypoint.h:



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@159721 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=124787.

Reviewed by Filip Pizlo.

* JavaScriptCore.order:
* interpreter/CallFrame.h:



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@159709 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=124634.

Reviewed by Geoffrey Garen.

Source/JavaScriptCore: 

1. Introduced USE(SEPARATE_C_AND_JS_STACK) (defined in Platform.h).
   Currently, it is hardcoded to use separate C and JS stacks. Once we
   switch to using the C stack for JS frames, we'll need to fix this to
   only be enabled when ENABLE(LLINT_C_LOOP).

2. Stack limits are now tracked in the VM.

   Logically, there are 2 stack limits:
   a. m_stackLimit for the native C stack, and
   b. m_jsStackLimit for the JS stack.

   If USE(SEPARATE_C_AND_JS_STACK), then the 2 limits are the same
   value, and are implemented as 2 fields in a union.

3. The VM native stackLimit is set as follows:
   a. Initially, the VM sets it to the limit of the stack of the thread that
      instantiated the VM. This allows the parser and bytecode generator to
      run before we enter the VM to execute JS code.

   b. Upon entry into the VM to execute JS code (via one of the
      Interpreter::execute...() functions), we instantiate a VMEntryScope
      that sets the VM's stackLimit to the limit of the current thread's
      stack. The VMEntryScope will automatically restore the previous
      entryScope and stack limit upon destruction.

   If USE(SEPARATE_C_AND_JS_STACK), the JSStack's methods will set the VM's
   jsStackLimit whenever it grows or shrinks.

4. The VM now provides a isSafeToRecurse() function that compares the
   current stack pointer against its native stackLimit. This subsumes and
   obsoletes the VMStackBounds class.

5. The VMEntryScope class also subsumes DynamicGlobalObjectScope for
   tracking the JSGlobalObject that we last entered the VM with.

6. Renamed dynamicGlobalObject() to vmEntryGlobalObject() since that is
   the value that the function retrieves.

7. Changed JIT and LLINT code to do stack checks against the jsStackLimit
   in the VM class instead of the JSStack.

* API/JSBase.cpp:
(JSEvaluateScript):
(JSCheckScriptSyntax):
* API/JSContextRef.cpp:
(JSGlobalContextRetain):
(JSGlobalContextRelease):
* CMakeLists.txt:
* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
* bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::emitNode):
(JSC::BytecodeGenerator::emitNodeInConditionContext):
* debugger/Debugger.cpp:
(JSC::Debugger::detach):
(JSC::Debugger::recompileAllJSFunctions):
(JSC::Debugger::pauseIfNeeded):
* debugger/DebuggerCallFrame.cpp:
(JSC::DebuggerCallFrame::vmEntryGlobalObject):
* debugger/DebuggerCallFrame.h:
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::compileFunction):
* dfg/DFGOSREntry.cpp:
* ftl/FTLLink.cpp:
(JSC::FTL::link):
* ftl/FTLOSREntry.cpp:
* heap/Heap.cpp:
(JSC::Heap::lastChanceToFinalize):
(JSC::Heap::deleteAllCompiledCode):
* interpreter/CachedCall.h:
(JSC::CachedCall::CachedCall):
* interpreter/CallFrame.cpp:
(JSC::CallFrame::vmEntryGlobalObject):
* interpreter/CallFrame.h:
* interpreter/Interpreter.cpp:
(JSC::unwindCallFrame):
(JSC::Interpreter::unwind):
(JSC::Interpreter::execute):
(JSC::Interpreter::executeCall):
(JSC::Interpreter::executeConstruct):
(JSC::Interpreter::prepareForRepeatCall):
(JSC::Interpreter::debug):
* interpreter/JSStack.cpp:
(JSC::JSStack::JSStack):
(JSC::JSStack::growSlowCase):
* interpreter/JSStack.h:
* interpreter/JSStackInlines.h:
(JSC::JSStack::shrink):
(JSC::JSStack::grow):
- Moved these inlined functions here from JSStack.h. It reduces some
  #include dependencies of JSSTack.h which had previously resulted
  in some EWS bots' unhappiness with this patch.
(JSC::JSStack::updateStackLimit):
* jit/JIT.cpp:
(JSC::JIT::privateCompile):
* jit/JITCall.cpp:
(JSC::JIT::compileLoadVarargs):
* jit/JITCall32_64.cpp:
(JSC::JIT::compileLoadVarargs):
* jit/JITOperations.cpp:
* llint/LLIntSlowPaths.cpp:
* llint/LowLevelInterpreter.asm:
* parser/Parser.cpp:
(JSC::::Parser):
* parser/Parser.h:
(JSC::Parser::canRecurse):
* runtime/CommonSlowPaths.h:
* runtime/Completion.cpp:
(JSC::evaluate):
* runtime/FunctionConstructor.cpp:
(JSC::constructFunctionSkippingEvalEnabledCheck):
* runtime/JSGlobalObject.cpp:
* runtime/JSGlobalObject.h:
* runtime/StringRecursionChecker.h:
(JSC::StringRecursionChecker::performCheck):
* runtime/VM.cpp:
(JSC::VM::VM):
(JSC::VM::releaseExecutableMemory):
(JSC::VM::throwException):
* runtime/VM.h:
(JSC::VM::addressOfJSStackLimit):
(JSC::VM::jsStackLimit):
(JSC::VM::setJSStackLimit):
(JSC::VM::stackLimit):
(JSC::VM::setStackLimit):
(JSC::VM::isSafeToRecurse):
* runtime/VMEntryScope.cpp: Added.
(JSC::VMEntryScope::VMEntryScope):
(JSC::VMEntryScope::~VMEntryScope):
(JSC::VMEntryScope::requiredCapacity):
* runtime/VMEntryScope.h: Added.
(JSC::VMEntryScope::globalObject):
* runtime/VMStackBounds.h: Removed.

Source/WebCore: 

No new tests.

Renamed dynamicGlobalObject() to vmEntryGlobalObject().
Replaced uses of DynamicGlobalObjectScope with VMEntryScope.

* ForwardingHeaders/runtime/VMEntryScope.h: Added.
* WebCore.vcxproj/WebCore.vcxproj:
* WebCore.vcxproj/WebCore.vcxproj.filters:
* bindings/js/JSCryptoAlgorithmBuilder.cpp:
(WebCore::JSCryptoAlgorithmBuilder::add):
* bindings/js/JSCustomXPathNSResolver.cpp:
(WebCore::JSCustomXPathNSResolver::create):
* bindings/js/JSDOMBinding.cpp:
(WebCore::firstDOMWindow):
* bindings/js/JSErrorHandler.cpp:
(WebCore::JSErrorHandler::handleEvent):
* bindings/js/JSEventListener.cpp:
(WebCore::JSEventListener::handleEvent):
* bindings/js/JavaScriptCallFrame.h:
(WebCore::JavaScriptCallFrame::vmEntryGlobalObject):
* bindings/js/PageScriptDebugServer.cpp:
(WebCore::PageScriptDebugServer::recompileAllJSFunctions):
* bindings/js/ScriptDebugServer.cpp:
(WebCore::ScriptDebugServer::evaluateBreakpointAction):
(WebCore::ScriptDebugServer::handlePause):
* bindings/js/WorkerScriptDebugServer.cpp:
(WebCore::WorkerScriptDebugServer::recompileAllJSFunctions):
* bindings/objc/WebScriptObject.mm:
(WebCore::addExceptionToConsole):
* bridge/c/c_utility.cpp:
(JSC::Bindings::convertValueToNPVariant):
* bridge/objc/objc_instance.mm:
(ObjcInstance::moveGlobalExceptionToExecState):
* bridge/objc/objc_runtime.mm:
(JSC::Bindings::convertValueToObjcObject):
* bridge/objc/objc_utility.mm:
(JSC::Bindings::convertValueToObjcValue):

Source/WebKit/mac: 

* WebView/WebScriptDebugger.mm:
(WebScriptDebugger::sourceParsed):

Source/WTF: 

* wtf/Platform.h:
* wtf/StackBounds.h:
(WTF::StackBounds::StackBounds):



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@159605 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=124609

Source/JavaScriptCore: 

Rubber stamped by Mark Lam.
        
notifyWrite() is a thing that SymbolTable does. WatchpointSet uses that terminology
because it was original designed to match exactly SymbolTable's semantics. But now
it's a confusing term.

* bytecode/Watchpoint.cpp:
(JSC::WatchpointSet::fireAllSlow):
* bytecode/Watchpoint.h:
(JSC::WatchpointSet::fireAll):
(JSC::InlineWatchpointSet::fireAll):
* interpreter/Interpreter.cpp:
(JSC::Interpreter::execute):
* runtime/JSFunction.cpp:
(JSC::JSFunction::put):
(JSC::JSFunction::defineOwnProperty):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::haveABadTime):
* runtime/Structure.h:
(JSC::Structure::notifyTransitionFromThisStructure):
* runtime/SymbolTable.cpp:
(JSC::SymbolTableEntry::notifyWriteSlow):

Source/WebCore: 

Rubber stamped by Mark Lam.

No new tests because no new behavior.

* bindings/scripts/CodeGeneratorJS.pm:
(GenerateHeader):
* bindings/scripts/test/JS/JSTestEventTarget.h:
(WebCore::JSTestEventTarget::create):



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@159528 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=123765

Source/JavaScriptCore: 

We were leaving a hole of one slot above a new frame when pushing the new frame on
the stack with pushFrame().  This unused slot can contain residual values that will
be marked during GC.

Reviewed by Filip Pizlo.

* interpreter/JSStackInlines.h:
(JSC::JSStack::pushFrame):

LayoutTests: 

Reviewed by Filip Pizlo.

Reverted the test expectation changes after fixing the underlying issue.

* TestExpectations:
* platform/wk2/TestExpectations:


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@158648 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=123642

Reviewed by Geoffrey Garen.

Source/JavaScriptCore: 

Replace the HostCallFrame bit or'ed to the CallerFrame value in a CallFrame with
a VM entry sentinel CallFrame.  Logically, the VM entry sentinel call frame is
pushed on the stack before the callee frame when calling from native to JavaScript
code.  The callee frame's CallerFrame points at the VM entry sentinel call frame
and the VM entry sentinel call frame's CallerFrame points to the real caller.
The VM entry sentinel call frame has a sentinel (1) in the CodeBlock to indicate
its a VM entry sentinel call frame.  It's ScopeChain has vm.topCallFrame at the
time of the call.  This allows for a complete stack walk as well as walking just
the contiguous JS frames.

The VM entry sentinel call frame and callee frame are currently allocated and
initialized in ExecState::init(), but this initialization will be moved to
ctiTrampoline when we actually move onto the native stack.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::noticeIncomingCall):
* debugger/DebuggerCallFrame.cpp:
(JSC::DebuggerCallFrame::callerFrame):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::compileExceptionHandlers):
* interpreter/CallFrame.h:
(JSC::ExecState::frameExtent):
(JSC::ExecState::currentVPC):
(JSC::ExecState::setCurrentVPC):
(JSC::ExecState::init):
(JSC::ExecState::noCaller):
(JSC::ExecState::isVMEntrySentinel):
(JSC::ExecState::vmEntrySentinelCallerFrame):
(JSC::ExecState::initializeVMEntrySentinelFrame):
(JSC::ExecState::callerFrameSkippingVMEntrySentinel):
(JSC::ExecState::vmEntrySentinelCodeBlock):
* interpreter/Interpreter.cpp:
(JSC::unwindCallFrame):
(JSC::Interpreter::getStackTrace):
* interpreter/Interpreter.h:
(JSC::TopCallFrameSetter::TopCallFrameSetter):
(JSC::TopCallFrameSetter::~TopCallFrameSetter):
(JSC::NativeCallFrameTracer::NativeCallFrameTracer):
* interpreter/JSStack.cpp:
(JSC::JSStack::~JSStack):
* interpreter/JSStackInlines.h:
(JSC::JSStack::getStartOfFrame):
(JSC::JSStack::pushFrame):
(JSC::JSStack::popFrame):
* interpreter/Register.h:
(JSC::Register::operator=):
(JSC::Register::callFrame):
* interpreter/StackVisitor.cpp:
(JSC::StackVisitor::readFrame):
(JSC::StackVisitor::readNonInlinedFrame):
(JSC::StackVisitor::readInlinedFrame):
(JSC::StackVisitor::Frame::print):
* interpreter/VMInspector.cpp:
(JSC::VMInspector::countFrames):
* jit/JIT.cpp:
(JSC::JIT::privateCompileExceptionHandlers):
* jit/JITOperations.cpp:
* jit/JITStubsARM.h:
(JSC::ctiTrampoline):
* jit/JITStubsARM64.h:
* jit/JITStubsARMv7.h:
(JSC::ctiTrampoline):
* jit/JITStubsMIPS.h:
* jit/JITStubsMSVC64.asm:
* jit/JITStubsSH4.h:
* jit/JITStubsX86.h:
* jit/JITStubsX86_64.h:
* jsc.cpp:
(functionDumpCallFrame):
* llint/LowLevelInterpreter.cpp:
(JSC::CLoop::execute):
* runtime/VM.cpp:
(JSC::VM::VM):
(JSC::VM::throwException):

Source/WebCore: 

Updated JavaScript stack walking as a result of the corresponding changes made in
JavaScriptCore.

* bindings/js/ScriptController.cpp:
(WebCore::ScriptController::shouldBypassMainWorldContentSecurityPolicy):
* bindings/js/ScriptDebugServer.cpp:
(WebCore::ScriptDebugServer::stepOutOfFunction):
(WebCore::ScriptDebugServer::returnEvent):
(WebCore::ScriptDebugServer::didExecuteProgram):


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@158586 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=123444.

Reviewed by Geoffrey Garen.

- Introduced an explicit CallerFrameAndPC struct.
- A CallFrame is expected to start with a CallerFrameAndPC struct. 
- The Register class no longer supports CallFrame* and Instruction*.

  These hides the differences between JSVALUE32_64 and JSVALUE64 in
  terms of managing the callerFrame() and returnPC() values.

- Convert all uses of JSStack::CallerFrame and JSStack::ReturnPC to
  go through CallFrame to access the appropriate values and offsets.
  CallFrame, in turn, will access the callerFrame and returnPC via
  the CallerFrameAndPC struct.

- InlineCallFrame will provide offsets for its callerFrame and
  returnPC. It will make use of CallFrame::callerFrameOffset() and
  CallerFrame::returnPCOffset() to compute these.

* bytecode/CodeOrigin.h:
(JSC::InlineCallFrame::callerFrameOffset):
(JSC::InlineCallFrame::returnPCOffset):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::compileEntry):
(JSC::DFG::JITCompiler::compileExceptionHandlers):
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::reifyInlinedCallFrames):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::calleeFrameSlot):
(JSC::DFG::SpeculativeJIT::calleeArgumentSlot):
(JSC::DFG::SpeculativeJIT::calleeFrameTagSlot):
(JSC::DFG::SpeculativeJIT::calleeFramePayloadSlot):
(JSC::DFG::SpeculativeJIT::calleeArgumentTagSlot):
(JSC::DFG::SpeculativeJIT::calleeArgumentPayloadSlot):
- Prefixed all the above with callee since they apply to the callee frame.
(JSC::DFG::SpeculativeJIT::calleeFrameCallerFrame):
- Added to set the callerFrame pointer in the callee frame.

* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLink.cpp:
(JSC::FTL::compileEntry):
(JSC::FTL::link):
* interpreter/CallFrame.h:
(JSC::ExecState::callerFrame):
(JSC::ExecState::callerFrameOffset):
(JSC::ExecState::returnPC):
(JSC::ExecState::hasReturnPC):
(JSC::ExecState::clearReturnPC):
(JSC::ExecState::returnPCOffset):
(JSC::ExecState::setCallerFrame):
(JSC::ExecState::setReturnPC):
(JSC::ExecState::callerFrameAndPC):
* interpreter/JSStack.h:
* interpreter/Register.h:
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::emitPutToCallFrameHeader):
- Convert to using storePtr() here and simplify the code.
(JSC::AssemblyHelpers::emitGetCallerFrameFromCallFrameHeaderPtr):
(JSC::AssemblyHelpers::emitPutCallerFrameToCallFrameHeader):
(JSC::AssemblyHelpers::emitGetReturnPCFromCallFrameHeaderPtr):
(JSC::AssemblyHelpers::emitPutReturnPCToCallFrameHeader):
- Helpers to emit gets/puts of the callerFrame and returnPC.
(JSC::AssemblyHelpers::addressForByteOffset):
* jit/JIT.cpp:
(JSC::JIT::JIT):
(JSC::JIT::privateCompile):
(JSC::JIT::privateCompileExceptionHandlers):
* jit/JITCall.cpp:
(JSC::JIT::compileCallEval):
(JSC::JIT::compileOpCall):
* jit/JITCall32_64.cpp:
(JSC::JIT::emit_op_ret):
(JSC::JIT::emit_op_ret_object_or_this):
(JSC::JIT::compileCallEval):
(JSC::JIT::compileOpCall):
* jit/JITInlines.h:
(JSC::JIT::unmap):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_end):
(JSC::JIT::emit_op_ret):
(JSC::JIT::emit_op_ret_object_or_this):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::privateCompileCTINativeCall):
(JSC::JIT::emit_op_end):
* jit/JITOperations.cpp:
* jit/SpecializedThunkJIT.h:
(JSC::SpecializedThunkJIT::returnJSValue):
(JSC::SpecializedThunkJIT::returnDouble):
(JSC::SpecializedThunkJIT::returnInt32):
(JSC::SpecializedThunkJIT::returnJSCell):
* jit/ThunkGenerators.cpp:
(JSC::throwExceptionFromCallSlowPathGenerator):
(JSC::slowPathFor):
(JSC::nativeForGenerator):

* llint/LLIntData.cpp:
(JSC::LLInt::Data::performAssertions):
* llint/LowLevelInterpreter.asm:
- Updated offsets and asserts to match the new CallFrame layout.



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@158315 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=123182

Reviewed by Geoffrey Garen.

Adjusted the virtual register mapping down by one slot.  Reduced
the CallFrame header slots offsets by one.  They now start at 0.
Changed arity fixup to no longer skip passed register slot 0 as this
is now part of the CallFrame header.

* bytecode/VirtualRegister.h:
(JSC::operandIsLocal):
(JSC::operandIsArgument):
(JSC::VirtualRegister::localToOperand):
(JSC::VirtualRegister::operandToLocal):
  Adjusted functions for shift in mapping from local to register offset.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
(JSC::DFG::ByteCodeParser::addCall):
(JSC::DFG::ByteCodeParser::handleInlining):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGVariableEventStream.cpp:
(JSC::DFG::VariableEventStream::reconstruct):
* dfg/DFGVirtualRegisterAllocationPhase.cpp:
(JSC::DFG::VirtualRegisterAllocationPhase::run):
* interpreter/CallFrame.h:
(JSC::ExecState::frameExtent):
(JSC::ExecState::offsetFor):
* interpreter/Interpreter.cpp:
(JSC::loadVarargs):
(JSC::Interpreter::dumpRegisters):
(JSC::Interpreter::executeCall):
* llint/LLIntData.cpp:
(JSC::LLInt::Data::performAssertions):
* llint/LowLevelInterpreter.asm:
  Adjusted math to accomodate for shift in call frame slots.

* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::compileFunction):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::calleeFrameOffset):
* interpreter/CallFrame.cpp:
(JSC::CallFrame::frameExtentInternal):
* interpreter/JSStackInlines.h:
(JSC::JSStack::pushFrame):
* jit/JIT.cpp:
(JSC::JIT::privateCompile):
* jit/JITOperations.cpp:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::llint_slow_path_stack_check):
* runtime/CommonSlowPaths.h:
(JSC::CommonSlowPaths::arityCheckFor):
  Fixed offset calculation to use VirtualRegister and related calculation instead of
  doing seperate calculations.

* interpreter/JSStack.h:
  Adjusted CallFrame slots down by one.  Did some miscellaneous fixing of dumpRegisters()
  in the process of testing the fixes.

* jit/ThunkGenerators.cpp:
(JSC::arityFixup):
  Changed arity fixup to no longer skip passed register slot 0 as this
  is now part of the CallFrame header.

* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
  Changed arity fixup to no longer skip passed register slot 0 as this
  is now part of the CallFrame header.  Updated op_enter processing for
  the change in local registers.

* runtime/JSGlobalObject.h:
  Removed the now unneeded extra slot in the global callframe


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@158237 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=123084.

Reviewed by Geoffrey Garen.

Source/JavaScriptCore: 

- If no breakpoints are set, we now avoid calling the debug hook callbacks.
- If no break on exception is set, we also avoid exception event debug callbacks.
- When we return from the ScriptDebugServer to the JSC::Debugger, we may no
  longer call the debug hook callbacks if not needed. Hence, the m_currentCallFrame
  pointer in the ScriptDebugServer may become stale. To avoid this issue, before
  returning, the ScriptDebugServer will clear its m_currentCallFrame if
  needsOpDebugCallbacks() is false.

* debugger/Debugger.cpp:
(JSC::Debugger::Debugger):
(JSC::Debugger::setNeedsExceptionCallbacks):
(JSC::Debugger::setShouldPause):
(JSC::Debugger::updateNumberOfBreakpoints):
(JSC::Debugger::updateNeedForOpDebugCallbacks):
* debugger/Debugger.h:
* interpreter/Interpreter.cpp:
(JSC::Interpreter::unwind):
(JSC::Interpreter::debug):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_debug):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_debug):
* llint/LLIntOffsetsExtractor.cpp:
* llint/LowLevelInterpreter.asm:

Source/WebCore: 

No new tests.

- If no breakpoints are set, we now avoid calling the debug hook callbacks.
- If no break on exception is set, we also avoid exception event debug callbacks.
- When we return from the ScriptDebugServer to the JSC::Debugger, we may no
  longer call the debug hook callbacks if not needed. Hence, the m_currentCallFrame
  pointer in the ScriptDebugServer may become stale. To avoid this issue, before
  returning, the ScriptDebugServer will clear its m_currentCallFrame if
  needsOpDebugCallbacks() is false.

* bindings/js/ScriptDebugServer.cpp:
(WebCore::ScriptDebugServer::setBreakpoint):
(WebCore::ScriptDebugServer::removeBreakpoint):
(WebCore::ScriptDebugServer::clearBreakpoints):
(WebCore::ScriptDebugServer::setPauseOnExceptionsState):
(WebCore::ScriptDebugServer::setPauseOnNextStatement):
(WebCore::ScriptDebugServer::breakProgram):
(WebCore::ScriptDebugServer::stepIntoStatement):
(WebCore::ScriptDebugServer::dispatchDidContinue):
(WebCore::ScriptDebugServer::exception):
(WebCore::ScriptDebugServer::didReachBreakpoint):
* inspector/InspectorDebuggerAgent.cpp:
(WebCore::InspectorDebuggerAgent::reset):

Source/WebKit/mac: 

* WebView/WebScriptDebugger.mm:
(WebScriptDebugger::WebScriptDebugger):



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@157746 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=122289

Reviewed by Filip Pizlo.

Replaced jit stubs cti_stack_check, cti_op_call_arityCheck and cti_op_construct_arityCheck with
jit operations operationStackCheck, operationCallArityCheck & operationConstructArityCheck.
Added new callOperationWithCallFrameRollbackOnException() in baseline and DFG JITs to call
these new functions.  Added code to unwind one frame in JIT::privateCompileExceptionHandlers() 
and JITCompiler::compileExceptionHandlers() for these cases that need to throw exceptions in
their caller frame when the stack is exhausted.

* assembler/MacroAssembler.h:
(JSC::MacroAssembler::andPtr): Added to handle masking a pointer with a literal.
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::and64): Added to handle masking a pointer with a literal.
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::compileExceptionHandlers):
(JSC::DFG::JITCompiler::compileFunction):
(JSC::DFG::JITCompiler::linkFunction):
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::exceptionCheckWithCallFrameRollback):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperationWithCallFrameRollbackOnException):
(JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck):
(JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
(JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheckSetResult):
(JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnExceptionSetResult):
* ftl/FTLLink.cpp:
(JSC::FTL::link):
* interpreter/CallFrame.h:
(JSC::ExecState::hostCallFrameFlag):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::jitAssertIsNull):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::jitAssertIsNull):
* jit/JIT.cpp:
(JSC::JIT::privateCompile):
(JSC::JIT::privateCompileExceptionHandlers):
* jit/JIT.h:
(JSC::JIT::exceptionCheckWithCallFrameRollback):
* jit/JITInlines.h:
(JSC::JIT::appendCallWithCallFrameRollbackOnException):
(JSC::JIT::callOperationWithCallFrameRollbackOnException):
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* jit/JITStubs.cpp:
* jit/JITStubs.h:


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@157050 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=122024

Reviewed by Oliver Hunt.
        
The DFG needs to be able to store things at a known offset from frame pointer so that
the runtime can read those things. Prior to this patch, the DFG would use the exact
offsets that the bytecode asked for, even in the case of inlining, where it would use
the callsite stack offset to shift all of the inlined function's variables over just as
they would have been if a bytecode interpreter had really made the call.
        
But this won't work once WebKit-LLVM integration is complete. LLVM has no notion of
storing things at a fixed offset from the frame pointer. We could try to hack LLVM to do
that, but it would seriously complicate LLVM's stack layout. But what we might be able
to do is have LLVM tell us (via an addressof intrinsic and a side-channel) where some
alloca landed relative to the frame pointer. Hence if the DFG can put all of its flushed
variables in a contiguous range that can be expressed to LLVM as a struct that we
alloca, then all of this can still work just fine.
        
Previously the flushed variables didn't fit in a contiguous range, but this patch makes
them contiguous by allowing the stack layout to be compressed.
        
What this really means is that there is now a distinction between where the DFG saw a
variable stored in bytecode and where it will actually store it in the resulting machine
code. Henceforth when the DFG says "local" or "virtual register" it means the variable
according to bytecode (with the stack offsetting for inlined code as before), but when
it says "machine local" or "machine virtual register" it means the actual place where it
will store things in the resulting machine code. All of the OSR exit, inlined arguments,
captured variables, and various stack unwinding machine now knows about all of this.
        
Note that the DFG's abstract interpretation still uses bytecode variables rather than
machine variables. Same for CSE and abstract heaps. This makes sense since it means that
we don't have to decide on machine variable allocation just to do those optimizations.
        
The decision of what a local's machine location becomes is deferred to very late in
compilation. We only need to assign machine locations to variables that must be stored
to the stack. It's now mandatory to run some kind of "stack layout phase" that makes the
decision and updates all data structures.
        
So far the way that this is being used is just to compress the DFG stack layout, which
is something that we should have done anyway, a long time ago. And the compression isn't
even that good - the current StackLayoutPhase just identifies local indices that are
unused in machine code and slides all other variables towards zero. This doesn't achieve
particularly good compression but it is better than nothing. Note that this phase makes
it seem like the bytecode-machine mapping is based on bytecode local indices; for
example if bytecode local 4 is mapped to machine local 3 then it always will be. That's
true for the current StackLayoutPhase but it _will not_ be true for all possible stack
layout phases and it would be incorrect to assume that it should be true. This is why
the current data structures have each VariableAccessData hold its own copy of the
machine virtual register, and also have each InlineCallFrame report their own machine
virtual registers for the various things. The DFG backend is likely to always use the
dumb StackLayoutPhase since it is very cheap to run, but the FTL backend is likely to
eventually get a better one, where we do some kind of constraint-based coloring: we
institute constraints where some VariableAccessData's must have the same indices as some
other ones, and also must be right next to some other ones; then we process all
VariableAccessData's and attempt to assign them machine locals while preserving those
constraints. This could lead to two VariableAccessDatas for the same bytecode local
ending up with different machine locals.

* CMakeLists.txt:
* GNUmakefile.list.am:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::isCaptured):
(JSC::CodeBlock::framePointerOffsetToGetActivationRegisters):
(JSC::CodeBlock::machineSlowArguments):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::hasSlowArguments):
* bytecode/CodeOrigin.cpp:
(JSC::CodeOrigin::dump):
(JSC::InlineCallFrame::calleeForCallFrame):
(JSC::InlineCallFrame::dumpInContext):
* bytecode/CodeOrigin.h:
(JSC::InlineCallFrame::InlineCallFrame):
(JSC::InlineCallFrame::calleeConstant):
* bytecode/Operands.h:
(JSC::Operands::indexForOperand):
* dfg/DFGBasicBlock.cpp:
(JSC::DFG::BasicBlock::SSAData::SSAData):
* dfg/DFGBasicBlock.h:
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::ByteCodeParser):
(JSC::DFG::ByteCodeParser::get):
(JSC::DFG::ByteCodeParser::getLocal):
(JSC::DFG::ByteCodeParser::flushDirect):
(JSC::DFG::ByteCodeParser::flush):
(JSC::DFG::ByteCodeParser::handleInlining):
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
(JSC::DFG::ByteCodeParser::parse):
* dfg/DFGCommon.h:
* dfg/DFGCommonData.h:
(JSC::DFG::CommonData::CommonData):
* dfg/DFGDesiredWriteBarriers.cpp:
(JSC::DFG::DesiredWriteBarrier::trigger):
* dfg/DFGDesiredWriteBarriers.h:
* dfg/DFGFlushLivenessAnalysisPhase.cpp:
(JSC::DFG::FlushLivenessAnalysisPhase::run):
(JSC::DFG::FlushLivenessAnalysisPhase::process):
(JSC::DFG::FlushLivenessAnalysisPhase::reportError):
* dfg/DFGFlushedAt.cpp: Added.
(JSC::DFG::FlushedAt::dump):
(JSC::DFG::FlushedAt::dumpInContext):
* dfg/DFGFlushedAt.h: Added.
(JSC::DFG::FlushedAt::FlushedAt):
(JSC::DFG::FlushedAt::operator!):
(JSC::DFG::FlushedAt::format):
(JSC::DFG::FlushedAt::virtualRegister):
(JSC::DFG::FlushedAt::operator==):
(JSC::DFG::FlushedAt::operator!=):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::Graph):
(JSC::DFG::Graph::dump):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::bytecodeRegisterForArgument):
(JSC::DFG::Graph::argumentsRegisterFor):
(JSC::DFG::Graph::machineArgumentsRegisterFor):
(JSC::DFG::Graph::uncheckedArgumentsRegisterFor):
(JSC::DFG::Graph::activationRegister):
(JSC::DFG::Graph::uncheckedActivationRegister):
(JSC::DFG::Graph::machineActivationRegister):
(JSC::DFG::Graph::uncheckedMachineActivationRegister):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::noticeOSREntry):
* dfg/DFGNode.h:
(JSC::DFG::Node::convertToGetLocalUnlinked):
(JSC::DFG::Node::convertToGetLocal):
(JSC::DFG::Node::machineLocal):
(JSC::DFG::Node::hasUnlinkedMachineLocal):
(JSC::DFG::Node::setUnlinkedMachineLocal):
(JSC::DFG::Node::unlinkedMachineLocal):
(JSC::DFG::Node::hasInlineStartData):
(JSC::DFG::Node::inlineStartData):
* dfg/DFGNodeFlags.cpp:
(JSC::DFG::dumpNodeFlags):
* dfg/DFGOSREntry.cpp:
(JSC::DFG::prepareOSREntry):
* dfg/DFGOSREntry.h:
(JSC::DFG::OSREntryReshuffling::OSREntryReshuffling):
* dfg/DFGOSRExitCompiler64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::reifyInlinedCallFrames):
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
* dfg/DFGScoreBoard.h:
(JSC::DFG::ScoreBoard::ScoreBoard):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileInlineStart):
(JSC::DFG::SpeculativeJIT::compileCurrentBlock):
(JSC::DFG::SpeculativeJIT::createOSREntries):
(JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::calleeFrameOffset):
(JSC::DFG::SpeculativeJIT::callFrameSlot):
(JSC::DFG::SpeculativeJIT::argumentSlot):
(JSC::DFG::SpeculativeJIT::callFrameTagSlot):
(JSC::DFG::SpeculativeJIT::callFramePayloadSlot):
(JSC::DFG::SpeculativeJIT::argumentTagSlot):
(JSC::DFG::SpeculativeJIT::argumentPayloadSlot):
(JSC::DFG::SpeculativeJIT::framePointerOffsetToGetActivationRegisters):
(JSC::DFG::SpeculativeJIT::callOperation):
(JSC::DFG::SpeculativeJIT::recordSetLocal):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStackLayoutPhase.cpp: Added.
(JSC::DFG::StackLayoutPhase::StackLayoutPhase):
(JSC::DFG::StackLayoutPhase::run):
(JSC::DFG::performStackLayout):
* dfg/DFGStackLayoutPhase.h: Added.
* dfg/DFGValidate.cpp:
(JSC::DFG::Validate::validate):
* dfg/DFGVariableAccessData.h:
(JSC::DFG::VariableAccessData::machineLocal):
(JSC::DFG::VariableAccessData::flushedAt):
* dfg/DFGVirtualRegisterAllocationPhase.cpp:
(JSC::DFG::VirtualRegisterAllocationPhase::run):
* ftl/FTLExitValue.h:
(JSC::FTL::ExitValue::inJSStack):
(JSC::FTL::ExitValue::inJSStackAsInt32):
(JSC::FTL::ExitValue::inJSStackAsInt52):
(JSC::FTL::ExitValue::inJSStackAsDouble):
(JSC::FTL::ExitValue::virtualRegister):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileGetArgument):
(JSC::FTL::LowerDFGToLLVM::compileGetLocal):
(JSC::FTL::LowerDFGToLLVM::compileSetLocal):
(JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
(JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
* ftl/FTLValueSource.cpp:
(JSC::FTL::ValueSource::dump):
* ftl/FTLValueSource.h:
(JSC::FTL::ValueSource::ValueSource):
(JSC::FTL::ValueSource::kind):
(JSC::FTL::ValueSource::operator!):
(JSC::FTL::ValueSource::node):
(JSC::FTL::ValueSource::virtualRegister):
* interpreter/Interpreter.cpp:
(JSC::unwindCallFrame):
* interpreter/StackVisitor.cpp:
(JSC::StackVisitor::readInlinedFrame):
(JSC::StackVisitor::Frame::createArguments):
(JSC::StackVisitor::Frame::existingArguments):
* interpreter/StackVisitor.h:
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::addressFor):
(JSC::AssemblyHelpers::tagFor):
(JSC::AssemblyHelpers::payloadFor):
(JSC::AssemblyHelpers::offsetOfArgumentsIncludingThis):
* runtime/Arguments.cpp:
(JSC::Arguments::tearOff):
* runtime/Arguments.h:
(JSC::Arguments::allocateSlowArguments):
(JSC::Arguments::tryDeleteArgument):
(JSC::Arguments::isDeletedArgument):
(JSC::Arguments::isArgument):
(JSC::Arguments::argument):
(JSC::Arguments::finishCreation):
* runtime/JSActivation.h:
(JSC::JSActivation::create):
(JSC::JSActivation::JSActivation):
* runtime/JSFunction.cpp:
(JSC::RetrieveArgumentsFunctor::operator()):



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156984 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=121969.

Reviewed by Geoffrey Garen.

Source/JavaScriptCore: 

1. Make JavaScriptCallFrame a thin shell around the DebuggerCallFrame.
   DebuggerCallFrame now tracks whether it is valid instead of needing
   JavaScriptCallFrame do it.
2. ScriptDebugServer now only instantiates an DebuggerCallFrame when needed
   just before it pauses and calls back to its client, and then invalidates
   it immediately when the callback returns. Every subsequent callback to
   the client will use a new instance of the DebuggerCallFrame.
3. Similarly, ScriptDebugServer now only creates a JavaScriptCallFrame when
   it "pauses".
4. DebuggerCallFrame only creates its caller DebuggerCallFrame when
   it is needed i.e. when the client calls callerFrame(). Similarly,
   JavaScriptCallFrame only creates its caller when it's requested.
5. DebuggerCallFrame's line() and column() now returns a base-zero int.
6. WebScriptDebugDelegate now only caches the functionName of the frame
   instead of the entire DebuggerCallFrame because that is all that is
   needed.
7. Also removed evaluateInGlobalCallFrame() which is not used anywhere.

* debugger/Debugger.cpp:
* debugger/Debugger.h:
* debugger/DebuggerCallFrame.cpp:
(JSC::DebuggerCallFrame::DebuggerCallFrame):
(JSC::DebuggerCallFrame::callerFrame):
(JSC::DebuggerCallFrame::dynamicGlobalObject):
(JSC::DebuggerCallFrame::sourceId):
(JSC::DebuggerCallFrame::functionName):
(JSC::DebuggerCallFrame::scope):
(JSC::DebuggerCallFrame::type):
(JSC::DebuggerCallFrame::thisValue):
(JSC::DebuggerCallFrame::evaluate):
(JSC::DebuggerCallFrame::evaluateWithCallFrame):
(JSC::DebuggerCallFrame::invalidate):
(JSC::DebuggerCallFrame::positionForCallFrame):
(JSC::DebuggerCallFrame::sourceIdForCallFrame):
(JSC::DebuggerCallFrame::thisValueForCallFrame):
* debugger/DebuggerCallFrame.h:
(JSC::DebuggerCallFrame::create):
(JSC::DebuggerCallFrame::exec):
(JSC::DebuggerCallFrame::line):
(JSC::DebuggerCallFrame::column):
(JSC::DebuggerCallFrame::position):
(JSC::DebuggerCallFrame::isValid):
* interpreter/StackVisitor.cpp:

Source/WebCore: 

Tests: inspector-protocol/debugger/call-frame-function-name.html
       inspector-protocol/debugger/call-frame-this-host.html
       inspector-protocol/debugger/call-frame-this-nonstrict.html
       inspector-protocol/debugger/call-frame-this-strict.html

1. Make JavaScriptCallFrame a thin shell around the DebuggerCallFrame.
   DebuggerCallFrame now tracks whether it is valid instead of needing
   JavaScriptCallFrame do it.
2. ScriptDebugServer now only instantiates an DebuggerCallFrame when needed
   just before it pauses and calls back to its client, and then invalidates
   it immediately when the callback returns. Every subsequent callback to
   the client will use a new instance of the DebuggerCallFrame.
3. Similarly, ScriptDebugServer now only creates a JavaScriptCallFrame when
   it "pauses".
4. DebuggerCallFrame only creates its caller DebuggerCallFrame when
   it is needed i.e. when the client calls callerFrame(). Similarly,
   JavaScriptCallFrame only creates its caller when it's requested.
5. DebuggerCallFrame's line() and column() now returns a base-zero int.
6. WebScriptDebugDelegate now only caches the functionName of the frame
   instead of the entire DebuggerCallFrame because that is all that is
   needed.
7. Also removed evaluateInGlobalCallFrame() which is not used anywhere.

* bindings/js/JSJavaScriptCallFrameCustom.cpp:
(WebCore::JSJavaScriptCallFrame::thisObject):
* bindings/js/JavaScriptCallFrame.cpp:
(WebCore::JavaScriptCallFrame::JavaScriptCallFrame):
(WebCore::JavaScriptCallFrame::caller):
* bindings/js/JavaScriptCallFrame.h:
(WebCore::JavaScriptCallFrame::create):
(WebCore::JavaScriptCallFrame::sourceID):
(WebCore::JavaScriptCallFrame::position):
(WebCore::JavaScriptCallFrame::line):
(WebCore::JavaScriptCallFrame::column):
(WebCore::JavaScriptCallFrame::functionName):
(WebCore::JavaScriptCallFrame::type):
(WebCore::JavaScriptCallFrame::scopeChain):
(WebCore::JavaScriptCallFrame::dynamicGlobalObject):
(WebCore::JavaScriptCallFrame::thisValue):
(WebCore::JavaScriptCallFrame::evaluate):
* bindings/js/ScriptDebugServer.cpp:
(WebCore::DebuggerCallFrameScope::DebuggerCallFrameScope):
(WebCore::DebuggerCallFrameScope::~DebuggerCallFrameScope):
(WebCore::ScriptDebugServer::ScriptDebugServer):
(WebCore::ScriptDebugServer::setBreakpoint):
(WebCore::ScriptDebugServer::removeBreakpoint):
(WebCore::ScriptDebugServer::hasBreakpoint):
(WebCore::ScriptDebugServer::evaluateBreakpointAction):
(WebCore::ScriptDebugServer::breakProgram):
(WebCore::ScriptDebugServer::stepOverStatement):
(WebCore::ScriptDebugServer::stepOutOfFunction):
(WebCore::ScriptDebugServer::currentDebuggerCallFrame):
(WebCore::ScriptDebugServer::dispatchDidPause):
(WebCore::ScriptDebugServer::updateCallFrame):
(WebCore::ScriptDebugServer::updateCallFrameAndPauseIfNeeded):
(WebCore::ScriptDebugServer::pauseIfNeeded):
(WebCore::ScriptDebugServer::callEvent):
(WebCore::ScriptDebugServer::returnEvent):
(WebCore::ScriptDebugServer::willExecuteProgram):
(WebCore::ScriptDebugServer::didExecuteProgram):
* bindings/js/ScriptDebugServer.h:
* bindings/js/WorkerScriptDebugServer.cpp:
(WebCore::WorkerScriptDebugServer::willExecuteProgram):

Source/WebKit/mac: 

1. Make JavaScriptCallFrame a thin shell around the DebuggerCallFrame.
   DebuggerCallFrame now tracks whether it is valid instead of needing
   JavaScriptCallFrame do it.
2. ScriptDebugServer now only instantiates an DebuggerCallFrame when needed
   just before it pauses and calls back to its client, and then invalidates
   it immediately when the callback returns. Every subsequent callback to
   the client will use a new instance of the DebuggerCallFrame.
3. Similarly, ScriptDebugServer now only creates a JavaScriptCallFrame when
   it "pauses".
4. DebuggerCallFrame only creates its caller DebuggerCallFrame when
   it is needed i.e. when the client calls callerFrame(). Similarly,
   JavaScriptCallFrame only creates its caller when it's requested.
5. DebuggerCallFrame's line() and column() now returns a base-zero int.
6. WebScriptDebugDelegate now only caches the functionName of the frame
   instead of the entire DebuggerCallFrame because that is all that is
   needed.
7. Also removed evaluateInGlobalCallFrame() which is not used anywhere.

* WebView/WebScriptDebugDelegate.mm:
(-[WebScriptCallFramePrivate dealloc]):
(-[WebScriptCallFrame _initWithGlobalObject:functionName:exceptionValue:JSC::]):
(-[WebScriptCallFrame functionName]):
(-[WebScriptCallFrame exception]):
* WebView/WebScriptDebugger.mm:
(WebScriptDebugger::exception):

LayoutTests: 

* http/tests/inspector/debugger-test.js:
(initialize_DebuggerTest):
* inspector-protocol/debugger/call-frame-function-name-expected.txt: Added.
* inspector-protocol/debugger/call-frame-function-name.html: Added.
* inspector-protocol/debugger/call-frame-this-host-expected.txt: Added.
* inspector-protocol/debugger/call-frame-this-host.html: Added.
* inspector-protocol/debugger/call-frame-this-nonstrict-expected.txt: Added.
* inspector-protocol/debugger/call-frame-this-nonstrict.html: Added.
* inspector-protocol/debugger/call-frame-this-strict-expected.txt: Added.
* inspector-protocol/debugger/call-frame-this-strict.html: Added.
* inspector/debugger/pause-in-internal-script-expected.txt:



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156936 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Get rid of the AlreadyInJSStack recoveries since they are totally redundant with the DisplacedInJSStack recoveries
https://bugs.webkit.org/show_bug.cgi?id=122065

Reviewed by Mark Hahnenberg.
        
This mostly just kills a bunch of code.
        
But incidentaly while killing that code, I uncovered a bug in our FTL OSR entrypoint
creation phase. The phase inserts a sequence of SetLocal(ExtractOSREntryLocal) nodes.
If we hoist some type check into the local, then we might inject a conversion node
between the ExtractOSREntryLocal and the SetLocal - for example we might put in a
Int32ToDouble node. But currently the FixupPhase will make all conversion nodes placed
on an edge of a SetLocal use forward exit. This then confuses the OSR exit machinery.
When OSR exit sees a forward exit, it tries to "roll forward" execution from the exiting
node to the first node that has a different CodeOrigin. This only works if the nodes
after the forward exit are MovHints or other tnings that the OSR exit compiler can
forward-execute. But here, it will see a bunch of SetLocal and ExtractOSREntryLocal
nodes for the same bytecode index. Two possible solutions exist. We could teach the
forward-execution logic how to deal with multiple SetLocals and ExtractOSREntryLocals.
This would be a lot of complexity; right now it just needs to deal with exactly one
SetLocal-like operation. The alternative is to make sure that the conversion node that
we inject ends up exiting *backward* rather than forward.
        
But making the conversion nodes exit backward is somewhat tricky. Before this patch,
conversion nodes always exit forward for SetLocals and backwards otherwise. It turns out
that the solution is to rationalize how we choose the speculation direciton for a
conversion node. The conversion node's speculation direction should be the same as the
speculation direction of the node for which it is doing a conversion. Since SetLocal's
already exit forward by default, this policy preserves our previous behavior. But it
also allows the OSR entrypoint creation phase to make its SetLocals exit backward
instead.
        
Of course, if the SetLocal(ExtractOSREntryLocal) sequences exit backward, then we need
to make sure that the OSR exit machine knows that the local variables are indeed live.
Consider that if we have:
        
    a: ExtractOSREntryLocal(loc1)
    b: SetLocal(@a, loc1)
    c: ExtractOSRentryLocal(loc2)
    d: SetLocal(@c, loc2)
        
Without additional magic, the exit at @b will think that loc2 is dead and the OSR exit
compiler will clobber loc2 with Undefined. So we need to make sure that we actually
emit code like:
        
    a: ExtractOSREntryLocal(loc1)
    b: ExtractOSREntryLocal(loc2)
    c: SetLocal(@a, loc1)
    d: SetLocal(@b, loc2)
    e: SetLocal(@a, loc1)
    f: SetLocal(@b, loc2)

* CMakeLists.txt:
* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Target.pri:
* bytecode/CodeOrigin.h:
* bytecode/ValueRecovery.cpp: Added.
(JSC::ValueRecovery::recover):
(JSC::ValueRecovery::dumpInContext):
(JSC::ValueRecovery::dump):
* bytecode/ValueRecovery.h:
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
(JSC::DFG::FixupPhase::fixEdge):
* dfg/DFGJITCode.cpp:
(JSC::DFG::JITCode::reconstruct):
* dfg/DFGNode.h:
(JSC::DFG::Node::speculationDirection):
(JSC::DFG::Node::setSpeculationDirection):
* dfg/DFGOSREntrypointCreationPhase.cpp:
(JSC::DFG::OSREntrypointCreationPhase::run):
* dfg/DFGOSRExitCompiler32_64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGOSRExitCompiler64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileInlineStart):
(JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
* dfg/DFGValueSource.h:
(JSC::DFG::ValueSource::valueRecovery):
* dfg/DFGVariableEventStream.cpp:
(JSC::DFG::VariableEventStream::reconstruct):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::speculate):
(JSC::FTL::LowerDFGToLLVM::speculateMachineInt):
* interpreter/Register.h:
(JSC::Register::unboxedStrictInt52):
* runtime/Arguments.cpp:
(JSC::Arguments::tearOff):
* runtime/Arguments.h:



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156677 268f45cc-cd09-0410-ab3c-d52691b4dbfc

<https://webkit.org/b/122014>

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

JSFunction doesn't need the ExecState for anything during its
construction, so reduce the amount of loads by just passing the
VM around instead.

Factored out putDirectNonIndexAccessor() from the existing
putDirectAccessor() to avoid snowballing the patch (and because
it's kinda neat to avoid the extra branch.)

JSC release binary size -= 9680 bytes.

Source/WebCore:

Updated for new JSFunction::create() signature.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156602 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Reviewed by Sam Weinig.

* interpreter/Interpreter.cpp: Remove an unused function.
* parser/SourceProvider.cpp: Ditto.
* runtime/GCActivityCallback.cpp: #if a constant that's only used on non-CF platforms.
* runtime/JSCJSValue.cpp: Remove an unused constant.
* runtime/JSString.cpp: Ditto.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156597 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=121732

Reviewed by Geoffrey Garen.

This is a refactoring change.  Changed VirtualRegister from an enum to a class.
Moved Operands::operandIsArgument(), operandToArgument(), argumentToOperand()
and the similar functions for locals to VirtualRegister class.

This is in preparation for changing the offset for the first local register from
0 to -1.  This is needed since most native calling conventions have the architected
frame pointer (e.g. %rbp for X86) point at the slot that stores the previous frame
pointer.  Local values start below that address.

* bytecode/CodeBlock.cpp:
* bytecode/CodeBlock.h:
* bytecode/Instruction.h:
* bytecode/LazyOperandValueProfile.h:
* bytecode/MethodOfGettingAValueProfile.cpp:
* bytecode/Operands.h:
* bytecode/UnlinkedCodeBlock.cpp:
* bytecode/UnlinkedCodeBlock.h:
* bytecode/ValueRecovery.h:
* bytecode/VirtualRegister.h:
* bytecompiler/BytecodeGenerator.cpp:
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/RegisterID.h:
* debugger/DebuggerCallFrame.cpp:
* dfg/DFGAbstractHeap.h:
* dfg/DFGAbstractInterpreterInlines.h:
* dfg/DFGArgumentPosition.h:
* dfg/DFGArgumentsSimplificationPhase.cpp:
* dfg/DFGByteCodeParser.cpp:
* dfg/DFGCFGSimplificationPhase.cpp:
* dfg/DFGCPSRethreadingPhase.cpp:
* dfg/DFGCapabilities.cpp:
* dfg/DFGConstantFoldingPhase.cpp:
* dfg/DFGFlushLivenessAnalysisPhase.cpp:
* dfg/DFGGraph.cpp:
* dfg/DFGGraph.h:
* dfg/DFGJITCode.cpp:
* dfg/DFGNode.h:
* dfg/DFGOSREntry.cpp:
* dfg/DFGOSREntrypointCreationPhase.cpp:
* dfg/DFGOSRExit.h:
* dfg/DFGOSRExitCompiler32_64.cpp:
* dfg/DFGOSRExitCompiler64.cpp:
* dfg/DFGRegisterBank.h:
* dfg/DFGScoreBoard.h:
* dfg/DFGSpeculativeJIT.cpp:
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
* dfg/DFGSpeculativeJIT64.cpp:
* dfg/DFGValidate.cpp:
* dfg/DFGValueRecoveryOverride.h:
* dfg/DFGVariableAccessData.h:
* dfg/DFGVariableEvent.h:
* dfg/DFGVariableEventStream.cpp:
* dfg/DFGVirtualRegisterAllocationPhase.cpp:
* ftl/FTLExitArgumentForOperand.h:
* ftl/FTLLink.cpp:
* ftl/FTLLowerDFGToLLVM.cpp:
* ftl/FTLOSREntry.cpp:
* ftl/FTLOSRExit.cpp:
* ftl/FTLOSRExit.h:
* ftl/FTLOSRExitCompiler.cpp:
* interpreter/CallFrame.h:
* interpreter/Interpreter.cpp:
* jit/AssemblyHelpers.h:
* jit/JIT.h:
* jit/JITCall.cpp:
* jit/JITCall32_64.cpp:
* jit/JITInlines.h:
* jit/JITOpcodes.cpp:
* jit/JITOpcodes32_64.cpp:
* jit/JITPropertyAccess32_64.cpp:
* jit/JITStubs.cpp:
* llint/LLIntSlowPaths.cpp:
* profiler/ProfilerBytecodeSequence.cpp:
* runtime/CommonSlowPaths.cpp:
* runtime/JSActivation.cpp:


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156511 268f45cc-cd09-0410-ab3c-d52691b4dbfc

http://trac.webkit.org/changeset/156474
https://bugs.webkit.org/show_bug.cgi?id=121966

Broke the builds. (Requested by xenon on #webkit).

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::registerName):
(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::createActivation):
(JSC::CodeBlock::nameForRegister):
* bytecode/CodeBlock.h:
(JSC::unmodifiedArgumentsRegister):
(JSC::CodeBlock::isKnownNotImmediate):
(JSC::CodeBlock::setThisRegister):
(JSC::CodeBlock::thisRegister):
(JSC::CodeBlock::setArgumentsRegister):
(JSC::CodeBlock::argumentsRegister):
(JSC::CodeBlock::uncheckedArgumentsRegister):
(JSC::CodeBlock::setActivationRegister):
(JSC::CodeBlock::activationRegister):
(JSC::CodeBlock::uncheckedActivationRegister):
(JSC::CodeBlock::usesArguments):
(JSC::CodeBlock::isCaptured):
* bytecode/Instruction.h:
* bytecode/LazyOperandValueProfile.h:
(JSC::LazyOperandValueProfileKey::LazyOperandValueProfileKey):
(JSC::LazyOperandValueProfileKey::operator!):
(JSC::LazyOperandValueProfileKey::hash):
(JSC::LazyOperandValueProfileKey::operand):
(JSC::LazyOperandValueProfileKey::isHashTableDeletedValue):
(JSC::LazyOperandValueProfile::LazyOperandValueProfile):
* bytecode/MethodOfGettingAValueProfile.cpp:
(JSC::MethodOfGettingAValueProfile::fromLazyOperand):
(JSC::MethodOfGettingAValueProfile::getSpecFailBucket):
* bytecode/Operands.h:
(JSC::localToOperand):
(JSC::operandIsLocal):
(JSC::operandToLocal):
(JSC::operandIsArgument):
(JSC::operandToArgument):
(JSC::argumentToOperand):
(JSC::Operands::operand):
(JSC::Operands::hasOperand):
(JSC::Operands::setOperand):
(JSC::Operands::operandForIndex):
(JSC::Operands::setOperandFirstTime):
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::setThisRegister):
(JSC::UnlinkedCodeBlock::setActivationRegister):
(JSC::UnlinkedCodeBlock::setArgumentsRegister):
(JSC::UnlinkedCodeBlock::usesArguments):
(JSC::UnlinkedCodeBlock::argumentsRegister):
(JSC::UnlinkedCodeBlock::usesGlobalObject):
(JSC::UnlinkedCodeBlock::setGlobalObjectRegister):
(JSC::UnlinkedCodeBlock::globalObjectRegister):
(JSC::UnlinkedCodeBlock::thisRegister):
(JSC::UnlinkedCodeBlock::activationRegister):
* bytecode/ValueRecovery.h:
(JSC::ValueRecovery::displacedInJSStack):
(JSC::ValueRecovery::virtualRegister):
(JSC::ValueRecovery::dumpInContext):
* bytecode/VirtualRegister.h:
(WTF::printInternal):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::generate):
(JSC::BytecodeGenerator::addVar):
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::createLazyRegisterIfNecessary):
(JSC::BytecodeGenerator::newRegister):
(JSC::BytecodeGenerator::emitLoadGlobalObject):
(JSC::BytecodeGenerator::emitGetArgumentsLength):
(JSC::BytecodeGenerator::emitGetArgumentByVal):
(JSC::BytecodeGenerator::createArgumentsIfNecessary):
(JSC::BytecodeGenerator::emitReturn):
* bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::registerFor):
* bytecompiler/RegisterID.h:
(JSC::RegisterID::RegisterID):
(JSC::RegisterID::setIndex):
(JSC::RegisterID::index):
* debugger/DebuggerCallFrame.cpp:
(JSC::DebuggerCallFrame::thisObject):
* dfg/DFGAbstractHeap.h:
(JSC::DFG::AbstractHeap::Payload::Payload):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::::executeEffects):
(JSC::DFG::::clobberCapturedVars):
* dfg/DFGArgumentPosition.h:
(JSC::DFG::ArgumentPosition::dump):
* dfg/DFGArgumentsSimplificationPhase.cpp:
(JSC::DFG::ArgumentsSimplificationPhase::run):
(JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
(JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::newVariableAccessData):
(JSC::DFG::ByteCodeParser::getDirect):
(JSC::DFG::ByteCodeParser::get):
(JSC::DFG::ByteCodeParser::setDirect):
(JSC::DFG::ByteCodeParser::set):
(JSC::DFG::ByteCodeParser::getLocal):
(JSC::DFG::ByteCodeParser::setLocal):
(JSC::DFG::ByteCodeParser::getArgument):
(JSC::DFG::ByteCodeParser::setArgument):
(JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
(JSC::DFG::ByteCodeParser::findArgumentPosition):
(JSC::DFG::ByteCodeParser::flush):
(JSC::DFG::ByteCodeParser::flushDirect):
(JSC::DFG::ByteCodeParser::getToInt32):
(JSC::DFG::ByteCodeParser::getThis):
(JSC::DFG::ByteCodeParser::addCall):
(JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand):
(JSC::DFG::ByteCodeParser::handleCall):
(JSC::DFG::ByteCodeParser::emitFunctionChecks):
(JSC::DFG::ByteCodeParser::emitArgumentPhantoms):
(JSC::DFG::ByteCodeParser::handleInlining):
(JSC::DFG::ByteCodeParser::handleMinMax):
(JSC::DFG::ByteCodeParser::handleIntrinsic):
(JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
(JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
(JSC::DFG::ByteCodeParser::handleGetByOffset):
(JSC::DFG::ByteCodeParser::handleGetById):
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
(JSC::DFG::ByteCodeParser::parse):
* dfg/DFGCFGSimplificationPhase.cpp:
* dfg/DFGCPSRethreadingPhase.cpp:
(JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocal):
(JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocal):
(JSC::DFG::CPSRethreadingPhase::canonicalizeSetArgument):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::isCapturedAtOrAfter):
* dfg/DFGFlushLivenessAnalysisPhase.cpp:
(JSC::DFG::FlushLivenessAnalysisPhase::setForNode):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::argumentsRegisterFor):
(JSC::DFG::Graph::uncheckedArgumentsRegisterFor):
(JSC::DFG::Graph::uncheckedActivationRegisterFor):
(JSC::DFG::Graph::valueProfileFor):
* dfg/DFGJITCode.cpp:
(JSC::DFG::JITCode::reconstruct):
* dfg/DFGNode.h:
(JSC::DFG::Node::Node):
(JSC::DFG::Node::convertToGetLocalUnlinked):
(JSC::DFG::Node::hasVirtualRegister):
(JSC::DFG::Node::virtualRegister):
(JSC::DFG::Node::setVirtualRegister):
* dfg/DFGOSREntry.cpp:
(JSC::DFG::prepareOSREntry):
* dfg/DFGOSREntrypointCreationPhase.cpp:
(JSC::DFG::OSREntrypointCreationPhase::run):
* dfg/DFGOSRExit.h:
* dfg/DFGOSRExitCompiler32_64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGOSRExitCompiler64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGRegisterBank.h:
(JSC::DFG::RegisterBank::tryAllocate):
(JSC::DFG::RegisterBank::allocateSpecific):
(JSC::DFG::RegisterBank::retain):
(JSC::DFG::RegisterBank::isInUse):
(JSC::DFG::RegisterBank::dump):
(JSC::DFG::RegisterBank::releaseAtIndex):
(JSC::DFG::RegisterBank::allocateInternal):
(JSC::DFG::RegisterBank::MapEntry::MapEntry):
* dfg/DFGScoreBoard.h:
(JSC::DFG::ScoreBoard::allocate):
(JSC::DFG::ScoreBoard::use):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::SpeculativeJIT):
(JSC::DFG::SpeculativeJIT::checkConsistency):
(JSC::DFG::SpeculativeJIT::compileMovHint):
(JSC::DFG::SpeculativeJIT::compileInlineStart):
(JSC::DFG::SpeculativeJIT::compileCurrentBlock):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::allocate):
(JSC::DFG::SpeculativeJIT::fprAllocate):
(JSC::DFG::SpeculativeJIT::silentSpillAllRegistersImpl):
(JSC::DFG::SpeculativeJIT::flushRegisters):
(JSC::DFG::SpeculativeJIT::isFlushed):
(JSC::DFG::SpeculativeJIT::argumentSlot):
(JSC::DFG::SpeculativeJIT::argumentTagSlot):
(JSC::DFG::SpeculativeJIT::argumentPayloadSlot):
(JSC::DFG::SpeculativeJIT::valueSourceForOperand):
(JSC::DFG::SpeculativeJIT::setNodeForOperand):
(JSC::DFG::SpeculativeJIT::valueSourceReferenceForOperand):
(JSC::DFG::SpeculativeJIT::recordSetLocal):
(JSC::DFG::SpeculativeJIT::generationInfoFromVirtualRegister):
(JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGValidate.cpp:
(JSC::DFG::Validate::validate):
(JSC::DFG::Validate::validateCPS):
(JSC::DFG::Validate::checkOperand):
(JSC::DFG::Validate::reportValidationContext):
* dfg/DFGValueRecoveryOverride.h:
(JSC::DFG::ValueRecoveryOverride::ValueRecoveryOverride):
* dfg/DFGVariableAccessData.h:
(JSC::DFG::VariableAccessData::operand):
(JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
(JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):
(JSC::DFG::VariableAccessData::flushFormat):
* dfg/DFGVariableEvent.h:
(JSC::DFG::VariableEvent::spill):
(JSC::DFG::VariableEvent::setLocal):
* dfg/DFGVariableEventStream.cpp:
(JSC::DFG::VariableEventStream::reconstruct):
* dfg/DFGVirtualRegisterAllocationPhase.cpp:
(JSC::DFG::VirtualRegisterAllocationPhase::run):
* ftl/FTLExitArgumentForOperand.h:
(JSC::FTL::ExitArgumentForOperand::ExitArgumentForOperand):
(JSC::FTL::ExitArgumentForOperand::operand):
* ftl/FTLLink.cpp:
(JSC::FTL::link):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
(JSC::FTL::LowerDFGToLLVM::compileGetArgument):
(JSC::FTL::LowerDFGToLLVM::compileExtractOSREntryLocal):
(JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
(JSC::FTL::LowerDFGToLLVM::appendOSRExit):
(JSC::FTL::LowerDFGToLLVM::observeMovHint):
(JSC::FTL::LowerDFGToLLVM::addressFor):
(JSC::FTL::LowerDFGToLLVM::payloadFor):
(JSC::FTL::LowerDFGToLLVM::tagFor):
* ftl/FTLOSREntry.cpp:
(JSC::FTL::prepareOSREntry):
* ftl/FTLOSRExit.cpp:
(JSC::FTL::OSRExit::convertToForward):
* ftl/FTLOSRExit.h:
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
* interpreter/CallFrame.h:
* interpreter/Interpreter.cpp:
(JSC::Interpreter::dumpRegisters):
(JSC::unwindCallFrame):
(JSC::Interpreter::unwind):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::addressFor):
(JSC::AssemblyHelpers::tagFor):
(JSC::AssemblyHelpers::payloadFor):
(JSC::AssemblyHelpers::argumentsRegisterFor):
* jit/JIT.h:
* jit/JITCall.cpp:
(JSC::JIT::compileLoadVarargs):
* jit/JITInlines.h:
(JSC::JIT::emitGetVirtualRegister):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_tear_off_arguments):
(JSC::JIT::emit_op_get_pnames):
(JSC::JIT::emit_op_enter):
(JSC::JIT::emit_op_create_arguments):
(JSC::JIT::emitSlow_op_get_argument_by_val):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_enter):
* jit/JITStubs.cpp:
(JSC::DEFINE_STUB_FUNCTION):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* profiler/ProfilerBytecodeSequence.cpp:
(JSC::Profiler::BytecodeSequence::BytecodeSequence):
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/JSActivation.cpp:
(JSC::JSActivation::argumentsGetter):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156482 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=121732

Reviewed by Geoffrey Garen.

This is a refactoring change.  Changed VirtualRegister from an enum to a class.
Moved Operands::operandIsArgument(), operandToArgument(), argumentToOperand()
and the similar functions for locals to VirtualRegister class.

This is in preparation for changing the offset for the first local register from
0 to -1.  This is needed since most native calling conventions have the architected
frame pointer (e.g. %rbp for X86) point at the slot that stores the previous frame
pointer.  Local values start below that address.

* bytecode/CodeBlock.cpp:
* bytecode/CodeBlock.h:
* bytecode/Instruction.h:
* bytecode/LazyOperandValueProfile.h:
* bytecode/MethodOfGettingAValueProfile.cpp:
* bytecode/Operands.h:
* bytecode/UnlinkedCodeBlock.cpp:
* bytecode/UnlinkedCodeBlock.h:
* bytecode/ValueRecovery.h:
* bytecode/VirtualRegister.h:
* bytecompiler/BytecodeGenerator.cpp:
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/RegisterID.h:
* debugger/DebuggerCallFrame.cpp:
* dfg/DFGAbstractHeap.h:
* dfg/DFGAbstractInterpreterInlines.h:
* dfg/DFGArgumentPosition.h:
* dfg/DFGArgumentsSimplificationPhase.cpp:
* dfg/DFGByteCodeParser.cpp:
* dfg/DFGCFGSimplificationPhase.cpp:
* dfg/DFGCPSRethreadingPhase.cpp:
* dfg/DFGCapabilities.cpp:
* dfg/DFGConstantFoldingPhase.cpp:
* dfg/DFGFlushLivenessAnalysisPhase.cpp:
* dfg/DFGGraph.cpp:
* dfg/DFGGraph.h:
* dfg/DFGJITCode.cpp:
* dfg/DFGNode.h:
* dfg/DFGOSREntry.cpp:
* dfg/DFGOSREntrypointCreationPhase.cpp:
* dfg/DFGOSRExit.h:
* dfg/DFGOSRExitCompiler32_64.cpp:
* dfg/DFGOSRExitCompiler64.cpp:
* dfg/DFGRegisterBank.h:
* dfg/DFGScoreBoard.h:
* dfg/DFGSpeculativeJIT.cpp:
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT64.cpp:
* dfg/DFGValidate.cpp:
* dfg/DFGValueRecoveryOverride.h:
* dfg/DFGVariableAccessData.h:
* dfg/DFGVariableEvent.h:
* dfg/DFGVariableEventStream.cpp:
* dfg/DFGVirtualRegisterAllocationPhase.cpp:
* ftl/FTLExitArgumentForOperand.h:
* ftl/FTLLink.cpp:
* ftl/FTLLowerDFGToLLVM.cpp:
* ftl/FTLOSREntry.cpp:
* ftl/FTLOSRExit.cpp:
* ftl/FTLOSRExit.h:
* ftl/FTLOSRExitCompiler.cpp:
* interpreter/CallFrame.h:
* interpreter/Interpreter.cpp:
* jit/AssemblyHelpers.h:
* jit/JIT.h:
* jit/JITCall.cpp:
* jit/JITInlines.h:
* jit/JITOpcodes.cpp:
* jit/JITOpcodes32_64.cpp:
* jit/JITStubs.cpp:
* llint/LLIntSlowPaths.cpp:
* profiler/ProfilerBytecodeSequence.cpp:
* runtime/CommonSlowPaths.cpp:
* runtime/JSActivation.cpp:


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156474 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=121867.

Reviewed by Geoffrey Garen.

Source/JavaScriptCore: 

1. Removed the need for passing the line and column info to the debug hook
   callbacks. We now get the line and column info from the CallFrame.

2. Simplify BytecodeGenerator::emitDebugHook() to only take 1 line number
   argument. The caller can determine whether to pass in the first or last
   line number of the block of source code as appropriate.
   Note: we still need to pass in the line and column info to emitDebugHook()
   because it uses this info to emit expression info which is later used by
   the StackVisitor to determine the line and column info for its "pc".

3. Pass the exceptionValue explicitly to the exception() debug hook
   callback. It should not be embedded in the CallFrame / DebuggerCallFrame.

4. Change the op_debug opcode size to 2 (from 5) since we've removing 3 arg
   values. Update the LLINT and JIT code to handle this.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::CodeBlock):
* bytecode/Opcode.h:
(JSC::padOpcodeName):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitDebugHook):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::ConstStatementNode::emitBytecode):
(JSC::EmptyStatementNode::emitBytecode):
(JSC::DebuggerStatementNode::emitBytecode):
(JSC::ExprStatementNode::emitBytecode):
(JSC::VarStatementNode::emitBytecode):
(JSC::IfElseNode::emitBytecode):
(JSC::DoWhileNode::emitBytecode):
(JSC::WhileNode::emitBytecode):
(JSC::ForNode::emitBytecode):
(JSC::ForInNode::emitBytecode):
(JSC::ContinueNode::emitBytecode):
(JSC::BreakNode::emitBytecode):
(JSC::ReturnNode::emitBytecode):
(JSC::WithNode::emitBytecode):
(JSC::SwitchNode::emitBytecode):
(JSC::LabelNode::emitBytecode):
(JSC::ThrowNode::emitBytecode):
(JSC::TryNode::emitBytecode):
(JSC::ProgramNode::emitBytecode):
(JSC::EvalNode::emitBytecode):
(JSC::FunctionBodyNode::emitBytecode):
* debugger/Debugger.h:
* debugger/DebuggerCallFrame.cpp:
(JSC::LineAndColumnFunctor::operator()):
(JSC::LineAndColumnFunctor::line):
(JSC::LineAndColumnFunctor::column):
(JSC::DebuggerCallFrame::DebuggerCallFrame):
(JSC::DebuggerCallFrame::clear):
* debugger/DebuggerCallFrame.h:
(JSC::DebuggerCallFrame::line):
(JSC::DebuggerCallFrame::column):
* interpreter/Interpreter.cpp:
(JSC::unwindCallFrame):
(JSC::UnwindFunctor::UnwindFunctor):
(JSC::UnwindFunctor::operator()):
(JSC::Interpreter::unwind):
(JSC::Interpreter::debug):
* interpreter/Interpreter.h:
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_debug):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_debug):
* jit/JITStubs.cpp:
(JSC::DEFINE_STUB_FUNCTION):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LowLevelInterpreter.asm:

Source/WebCore: 

No new tests.

* bindings/js/ScriptDebugServer.cpp:
(WebCore::ScriptDebugServer::createCallFrame):
(WebCore::ScriptDebugServer::updateCallFrameAndPauseIfNeeded):
(WebCore::ScriptDebugServer::callEvent):
(WebCore::ScriptDebugServer::atStatement):
(WebCore::ScriptDebugServer::returnEvent):
(WebCore::ScriptDebugServer::exception):
(WebCore::ScriptDebugServer::willExecuteProgram):
(WebCore::ScriptDebugServer::didExecuteProgram):
(WebCore::ScriptDebugServer::didReachBreakpoint):
* bindings/js/ScriptDebugServer.h:
* bindings/js/WorkerScriptDebugServer.cpp:
(WebCore::WorkerScriptDebugServer::willExecuteProgram):
* bindings/js/WorkerScriptDebugServer.h:

Source/WebKit/mac: 

* WebView/WebScriptDebugDelegate.mm:
(-[WebScriptCallFrame _initWithGlobalObject:debuggerCallFrame:exceptionValue:JSC::]):
(-[WebScriptCallFrame exception]):
* WebView/WebScriptDebugger.h:
* WebView/WebScriptDebugger.mm:
(WebScriptDebugger::exception):



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156374 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=121755

Reviewed by Oliver Hunt.
        
It was only using the bytecodeOffset for some debugger stuff, but the debugger could
just get the bytecodeOffset the same way the rest of the machinery does: by using the
CallFrame's location.
        
It turns out that a lot of really ugly code was in place just to supply this
bytecodeOffset. This patch kills most of that code, and allows us to kill even more
code in a future patch - though most likely that killage will involve further
refactorings as well, see https://bugs.webkit.org/show_bug.cgi?id=121734.

* dfg/DFGOperations.cpp:
* interpreter/CallFrame.cpp:
(JSC::CallFrame::bytecodeOffset):
(JSC::CallFrame::codeOrigin):
* interpreter/CallFrame.h:
* interpreter/Interpreter.cpp:
(JSC::Interpreter::unwind):
* interpreter/Interpreter.h:
* jit/JITExceptions.cpp:
(JSC::genericUnwind):
* jit/JITExceptions.h:
* jit/JITStubs.cpp:
(JSC::DEFINE_STUB_FUNCTION):
(JSC::cti_vm_handle_exception):
* llint/LLIntExceptions.cpp:
(JSC::LLInt::doThrow):
(JSC::LLInt::returnToThrow):
(JSC::LLInt::callToThrow):
* llint/LLIntExceptions.h:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/CommonSlowPathsExceptions.cpp:
(JSC::CommonSlowPaths::interpreterThrowInCaller):
* runtime/CommonSlowPathsExceptions.h:



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156242 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=121750

Reviewed by Andreas Kling.

Source/JavaScriptCore:

* interpreter/CallFrame.h:
(JSC::ExecState::uncheckedArgument): Added. Like argument, but with an
assertion rather than a runtime check.

* API/APICallbackFunction.h:
(JSC::APICallbackFunction::call): Use uncheckedArgument because we are
already in a loop over arguments, so don't need a range check.
* API/JSCallbackConstructor.cpp:
(JSC::constructJSCallback): Ditto.
* API/JSCallbackObjectFunctions.h:
(JSC::JSCallbackObject::construct): Ditto.
(JSC::JSCallbackObject::call): Ditto.
* jsc.cpp:
(functionPrint): Ditto.
(functionRun): Ditto.
(functionSetSamplingFlags): Ditto.
(functionClearSamplingFlags): Ditto.
* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncConcat): Ditto.
(JSC::arrayProtoFuncPush): Use uncheckedArgument because there is already
code that explicitly checks argumentCount.
(JSC::arrayProtoFuncSplice): Ditto.
(JSC::arrayProtoFuncUnShift): Ditto.
(JSC::arrayProtoFuncReduce): Ditto.
(JSC::arrayProtoFuncReduceRight): Ditto.
(JSC::arrayProtoFuncLastIndexOf): Ditto.
* runtime/DatePrototype.cpp:
(JSC::fillStructuresUsingTimeArgs): Ditto.
(JSC::fillStructuresUsingDateArgs): Ditto.
* runtime/JSArrayBufferConstructor.cpp:
(JSC::constructArrayBuffer): Ditto.
* runtime/JSArrayBufferPrototype.cpp:
(JSC::arrayBufferProtoFuncSlice): Ditto.
* runtime/JSBoundFunction.cpp:
(JSC::boundFunctionCall): Ditto.
(JSC::boundFunctionConstruct): Ditto.
* runtime/JSDataViewPrototype.cpp:
(JSC::getData): Ditto.
(JSC::setData): Ditto.
* runtime/JSGenericTypedArrayViewConstructorInlines.h:
(JSC::constructGenericTypedArrayView): Ditto.
* runtime/JSGenericTypedArrayViewPrototypeInlines.h:
(JSC::genericTypedArrayViewProtoFuncSet): Ditto.
(JSC::genericTypedArrayViewProtoFuncSubarray): Ditto.
* runtime/JSONObject.cpp:
(JSC::JSONProtoFuncParse): Ditto.
(JSC::JSONProtoFuncStringify): Ditto.
* runtime/JSPromiseConstructor.cpp:
(JSC::constructPromise): Ditto.
(JSC::JSPromiseConstructorFuncFulfill): Ditto.
(JSC::JSPromiseConstructorFuncResolve): Ditto.
(JSC::JSPromiseConstructorFuncReject): Ditto.
* runtime/MathObject.cpp:
(JSC::mathProtoFuncMax): Ditto.
(JSC::mathProtoFuncMin): Ditto.

* runtime/NameConstructor.cpp:
(JSC::constructPrivateName): Removed unneeded check of argumentCout
that simply repeats what argument already does.
* runtime/NativeErrorConstructor.cpp:
(JSC::Interpreter::constructWithNativeErrorConstructor): Ditto.
(JSC::Interpreter::callNativeErrorConstructor): Ditto.

* runtime/NumberConstructor.cpp:
(JSC::constructWithNumberConstructor): Use uncheckedArgument since
there is already code that explicitly checks argument count.
(JSC::callNumberConstructor): Ditto.

* runtime/ObjectConstructor.cpp:
(JSC::objectConstructorCreate): Small refactoring to not call argument(0)
three times.

* runtime/SetConstructor.cpp:
(JSC::constructSet): Use uncheckedArgument since we are already in a loop
over arguments.

* runtime/StringConstructor.cpp:
(JSC::stringFromCharCodeSlowCase): In a loop.
(JSC::stringFromCharCode): Already checked count.
(JSC::constructWithStringConstructor): Ditto.
(JSC::callStringConstructor): Ditto.
* runtime/StringPrototype.cpp:
(JSC::stringProtoFuncConcat): Already checked count.
* runtime/TestRunnerUtils.cpp:
(JSC::numberOfDFGCompiles): Ditto.
(JSC::setNeverInline): Ditto.

Source/WebCore:

* bindings/js/JSHTMLCanvasElementCustom.cpp:
(WebCore::JSHTMLCanvasElement::probablySupportsContext): Already checked count.
(WebCore::JSHTMLCanvasElement::toDataURL): Ditto.
* bindings/js/JSHTMLDocumentCustom.cpp:
(WebCore::documentWrite): In a loop.
* bindings/js/JSInjectedScriptHostCustom.cpp:
(WebCore::JSInjectedScriptHost::inspectedObject): Already checked count.
(WebCore::JSInjectedScriptHost::internalConstructorName): Ditto.
(WebCore::JSInjectedScriptHost::isHTMLAllCollection): Ditto.
(WebCore::JSInjectedScriptHost::type): Ditto.
(WebCore::JSInjectedScriptHost::functionDetails): Ditto.
(WebCore::JSInjectedScriptHost::getEventListeners): Ditto.
(WebCore::JSInjectedScriptHost::inspect): Ditto.
(WebCore::JSInjectedScriptHost::databaseId): Ditto.
(WebCore::JSInjectedScriptHost::storageId): Ditto.
* bindings/js/JSSQLTransactionSyncCustom.cpp:
(WebCore::JSSQLTransactionSync::executeSql): Ditto.
* bindings/js/JSSVGLengthCustom.cpp:
(WebCore::JSSVGLength::convertToSpecifiedUnits): Ditto.
* bindings/js/JSSharedWorkerCustom.cpp:
(WebCore::JSSharedWorkerConstructor::constructJSSharedWorker): Ditto.

* bindings/js/JSWebGLRenderingContextCustom.cpp:
(WebCore::getObjectParameter): Already checked count.
(WebCore::JSWebGLRenderingContext::getAttachedShaders): Removed tortured code
to triply do the checking that the toWebGLProgram function already does, including
spurious exception checking in code that can't create an exception. Also count is
already checked.
(WebCore::JSWebGLRenderingContext::getExtension): More of the same.
(WebCore::JSWebGLRenderingContext::getFramebufferAttachmentParameter): Ditto.
(WebCore::JSWebGLRenderingContext::getParameter): Ditto.
(WebCore::JSWebGLRenderingContext::getProgramParameter): Ditto.
(WebCore::JSWebGLRenderingContext::getShaderParameter): Ditto.
(WebCore::JSWebGLRenderingContext::getUniform): Ditto.
(WebCore::dataFunctionf): Ditto.
(WebCore::dataFunctioni): Ditto.
(WebCore::dataFunctionMatrix): Ditto.

* bindings/js/JSWorkerGlobalScopeCustom.cpp:
(WebCore::JSWorkerGlobalScope::importScripts): In a loop.
* bindings/js/JSXMLHttpRequestCustom.cpp:
(WebCore::JSXMLHttpRequest::open): Already checked. Also removed some unneeded
argument count checks.
(WebCore::JSXMLHttpRequest::send): Removed unneeded special case for 0 argument
count that does the same thing as the undefined case, since asking for an
argument past the count yields undefined.

* bindings/js/JSXSLTProcessorCustom.cpp:
(WebCore::JSXSLTProcessor::setParameter): Already checked.
(WebCore::JSXSLTProcessor::getParameter): Already checked.
(WebCore::JSXSLTProcessor::removeParameter): Already checked.

* bindings/js/ScheduledAction.cpp:
(WebCore::ScheduledAction::ScheduledAction): In a loop.
* bindings/js/ScriptCallStackFactory.cpp:
(WebCore::createScriptArguments): Ditto.

* bindings/scripts/CodeGeneratorJS.pm:
(GenerateParametersCheck): Removed some excess argumentCount checks.
Used uncheckedArgument in a few places. More needs to be done, especially for
overloaded functions.

* bridge/c/c_instance.cpp:
(JSC::Bindings::CInstance::invokeMethod): In a loop.
(JSC::Bindings::CInstance::invokeDefaultMethod): Ditto.
* bridge/objc/objc_instance.mm:
(ObjcInstance::invokeObjcMethod): Ditto.
(ObjcInstance::invokeDefaultMethod): Ditto.

* bindings/scripts/test/JS/JSTestMediaQueryListListener.cpp:
* bindings/scripts/test/JS/JSTestObj.cpp:
* bindings/scripts/test/JS/JSTestTypedefs.cpp:
Updated.

Source/WebKit2:

* WebProcess/Plugins/Netscape/JSNPObject.cpp:
(WebKit::JSNPObject::callMethod): In a loop.
(WebKit::JSNPObject::callObject): Ditto.
(WebKit::JSNPObject::callConstructor): Ditto.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156240 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Remove the notion that a CallFrame can have a pointer to an InlineCallFrame, since that doesn't happen anymore
https://bugs.webkit.org/show_bug.cgi?id=121753

Reviewed by Darin Adler.

* interpreter/CallFrame.cpp:
(JSC::CallFrame::bytecodeOffsetFromCodeOriginIndex):
* interpreter/CallFrame.h:
* interpreter/Register.h:



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156239 268f45cc-cd09-0410-ab3c-d52691b4dbfc

* interpreter/Interpreter.cpp:
(JSC::unwindCallFrame):
* interpreter/StackVisitor.cpp:
(JSC::StackVisitor::Frame::r):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156233 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=121737

Source/JavaScriptCore: 

Reviewed by Sam Weinig.
        
This was meant to be easy, but I kept wondering if it was safe to remove the
inline call frame check in Arguments::tearOff(). The check was clearly dead
since the bit wasn't being set anywhere.
        
It turns out that the unwindCallFrame() function was relying on tearOff()
doing the right thing for inlined code, but it wasn't even passing it an
inline call frame. I fixed this by having unwindCallFrame() inlining check,
while also making sure that the code uses the right operand index for the
arguments register.

* interpreter/CallFrame.h:
* interpreter/CallFrameInlines.h:
* interpreter/Interpreter.cpp:
(JSC::unwindCallFrame):
* interpreter/StackVisitor.cpp:
(JSC::StackVisitor::Frame::r):
* interpreter/StackVisitor.h:
* runtime/Arguments.cpp:
(JSC::Arguments::tearOff):

LayoutTests: 

Reviewed by Sam Weinig.

* js/dfg-inline-arguments-capture-throw-exception-expected.txt: Added.
* js/dfg-inline-arguments-capture-throw-exception.html: Added.
* js/script-tests/dfg-inline-arguments-capture-throw-exception.js: Added.
(foo):
(bar):
(makeF):
(recurse):



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156229 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=121064

Source/JavaScriptCore: 

Reviewed by Oliver Hunt.
        
This adds Int52 support for local variables to the DFG and FTL. It's a speed-up on
programs that have local int32 overflows but where a larger int representation can
prevent us from having to convert all the way up to double.
        
It's a small speed-up for now. But we're just supporting Int52 for a handful of
operations (add, sub, mul, neg, compare, bitops, typed array access) and this lays
the groundwork for adding Int52 to JSValue, which will probably be a bigger
speed-up.
        
The basic approach is:
        
- We have a notion of Int52 in our typesystem. Int52 doesn't belong to BytecodeTop
  or HeapTop - i.e. it doesn't arise from JSValues.
        
- DFG treats Int52 as being part of its FullTop and will treat it as being a
  subtype of double unless instructed otherwise.
        
- Prediction propagator creates Int52s whenever we have a node going doubly but due
  to large values rather than fractional values, and that node is known to be able
  to produce Int52 natively in the DFG backend.
        
- Fixup phase converts edges to MachineIntUses in nodes that are known to be able
  to deal with Int52, and where we have a subtype of Int32|Int52 as the predicted
  input.
        
- The DFG backend and FTL LLVM IR lowering have two notions of Int52s - ones that
  are left-shifted by 16 (great for overflow checks) and ones that are
  sign-extended. Both backends know how to convert between Int52s and the other
  representations.

* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::rshift64):
(JSC::MacroAssemblerX86_64::mul64):
(JSC::MacroAssemblerX86_64::branchMul64):
(JSC::MacroAssemblerX86_64::branchNeg64):
(JSC::MacroAssemblerX86_64::convertInt64ToDouble):
* assembler/X86Assembler.h:
(JSC::X86Assembler::imulq_rr):
(JSC::X86Assembler::cvtsi2sdq_rr):
* bytecode/DataFormat.h:
(JSC::dataFormatToString):
* bytecode/ExitKind.cpp:
(JSC::exitKindToString):
* bytecode/ExitKind.h:
* bytecode/OperandsInlines.h:
(JSC::::dumpInContext):
* bytecode/SpeculatedType.cpp:
(JSC::dumpSpeculation):
(JSC::speculationToAbbreviatedString):
(JSC::speculationFromValue):
* bytecode/SpeculatedType.h:
(JSC::isInt32SpeculationForArithmetic):
(JSC::isInt52Speculation):
(JSC::isMachineIntSpeculationForArithmetic):
(JSC::isInt52AsDoubleSpeculation):
(JSC::isBytecodeRealNumberSpeculation):
(JSC::isFullRealNumberSpeculation):
(JSC::isBytecodeNumberSpeculation):
(JSC::isFullNumberSpeculation):
(JSC::isBytecodeNumberSpeculationExpectingDefined):
(JSC::isFullNumberSpeculationExpectingDefined):
* bytecode/ValueRecovery.h:
(JSC::ValueRecovery::alreadyInJSStackAsUnboxedInt52):
(JSC::ValueRecovery::inGPR):
(JSC::ValueRecovery::displacedInJSStack):
(JSC::ValueRecovery::isAlreadyInJSStack):
(JSC::ValueRecovery::gpr):
(JSC::ValueRecovery::virtualRegister):
(JSC::ValueRecovery::dumpInContext):
* dfg/DFGAbstractInterpreter.h:
(JSC::DFG::AbstractInterpreter::needsTypeCheck):
(JSC::DFG::AbstractInterpreter::filterByType):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::::executeEffects):
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::set):
(JSC::DFG::AbstractValue::checkConsistency):
* dfg/DFGAbstractValue.h:
(JSC::DFG::AbstractValue::couldBeType):
(JSC::DFG::AbstractValue::isType):
(JSC::DFG::AbstractValue::checkConsistency):
(JSC::DFG::AbstractValue::validateType):
* dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::refine):
* dfg/DFGAssemblyHelpers.h:
(JSC::DFG::AssemblyHelpers::boxInt52):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::makeSafe):
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::pureCSE):
(JSC::DFG::CSEPhase::getByValLoadElimination):
(JSC::DFG::CSEPhase::performNodeCSE):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGCommon.h:
(JSC::DFG::enableInt52):
* dfg/DFGDCEPhase.cpp:
(JSC::DFG::DCEPhase::fixupBlock):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::run):
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
(JSC::DFG::FixupPhase::fixupUntypedSetLocalsInBlock):
(JSC::DFG::FixupPhase::observeUseKindOnNode):
(JSC::DFG::FixupPhase::fixEdge):
(JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
(JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
* dfg/DFGFlushFormat.cpp:
(WTF::printInternal):
* dfg/DFGFlushFormat.h:
(JSC::DFG::resultFor):
(JSC::DFG::useKindFor):
* dfg/DFGGenerationInfo.h:
(JSC::DFG::GenerationInfo::initInt52):
(JSC::DFG::GenerationInfo::initStrictInt52):
(JSC::DFG::GenerationInfo::isFormat):
(JSC::DFG::GenerationInfo::isInt52):
(JSC::DFG::GenerationInfo::isStrictInt52):
(JSC::DFG::GenerationInfo::fillInt52):
(JSC::DFG::GenerationInfo::fillStrictInt52):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::addShouldSpeculateMachineInt):
(JSC::DFG::Graph::mulShouldSpeculateMachineInt):
(JSC::DFG::Graph::negateShouldSpeculateMachineInt):
* dfg/DFGInPlaceAbstractState.cpp:
(JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
* dfg/DFGJITCode.cpp:
(JSC::DFG::JITCode::reconstruct):
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::noticeOSREntry):
* dfg/DFGMinifiedNode.h:
(JSC::DFG::belongsInMinifiedGraph):
(JSC::DFG::MinifiedNode::hasChild):
* dfg/DFGNode.h:
(JSC::DFG::Node::shouldSpeculateNumber):
(JSC::DFG::Node::shouldSpeculateNumberExpectingDefined):
(JSC::DFG::Node::canSpeculateInt52):
* dfg/DFGNodeFlags.h:
(JSC::DFG::nodeCanSpeculateInt52):
* dfg/DFGNodeType.h:
(JSC::DFG::permitsOSRBackwardRewiring):
(JSC::DFG::forwardRewiringSelectionScore):
* dfg/DFGOSREntry.cpp:
(JSC::DFG::prepareOSREntry):
* dfg/DFGOSREntry.h:
* dfg/DFGOSRExitCompiler.cpp:
* dfg/DFGOSRExitCompiler64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
(JSC::DFG::PredictionPropagationPhase::propagate):
(JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::SafeToExecuteEdge::operator()):
(JSC::DFG::safeToExecute):
* dfg/DFGSilentRegisterSavePlan.h:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
(JSC::DFG::SpeculativeJIT::silentFill):
(JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
(JSC::DFG::SpeculativeJIT::compileInlineStart):
(JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
(JSC::DFG::SpeculativeJIT::compileValueToInt32):
(JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
(JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
(JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
(JSC::DFG::SpeculativeJIT::compileAdd):
(JSC::DFG::SpeculativeJIT::compileArithSub):
(JSC::DFG::SpeculativeJIT::compileArithNegate):
(JSC::DFG::SpeculativeJIT::compileArithMul):
(JSC::DFG::SpeculativeJIT::compare):
(JSC::DFG::SpeculativeJIT::compileStrictEq):
(JSC::DFG::SpeculativeJIT::speculateMachineInt):
(JSC::DFG::SpeculativeJIT::speculateNumber):
(JSC::DFG::SpeculativeJIT::speculateRealNumber):
(JSC::DFG::SpeculativeJIT::speculate):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::canReuse):
(JSC::DFG::SpeculativeJIT::isFilled):
(JSC::DFG::SpeculativeJIT::isFilledDouble):
(JSC::DFG::SpeculativeJIT::use):
(JSC::DFG::SpeculativeJIT::isKnownInteger):
(JSC::DFG::SpeculativeJIT::isKnownCell):
(JSC::DFG::SpeculativeJIT::isKnownNotNumber):
(JSC::DFG::SpeculativeJIT::int52Result):
(JSC::DFG::SpeculativeJIT::strictInt52Result):
(JSC::DFG::SpeculativeJIT::initConstantInfo):
(JSC::DFG::SpeculativeJIT::isInteger):
(JSC::DFG::SpeculativeJIT::betterUseStrictInt52):
(JSC::DFG::SpeculativeJIT::generationInfo):
(JSC::DFG::SpeculateInt52Operand::SpeculateInt52Operand):
(JSC::DFG::SpeculateInt52Operand::~SpeculateInt52Operand):
(JSC::DFG::SpeculateInt52Operand::edge):
(JSC::DFG::SpeculateInt52Operand::node):
(JSC::DFG::SpeculateInt52Operand::gpr):
(JSC::DFG::SpeculateInt52Operand::use):
(JSC::DFG::SpeculateStrictInt52Operand::SpeculateStrictInt52Operand):
(JSC::DFG::SpeculateStrictInt52Operand::~SpeculateStrictInt52Operand):
(JSC::DFG::SpeculateStrictInt52Operand::edge):
(JSC::DFG::SpeculateStrictInt52Operand::node):
(JSC::DFG::SpeculateStrictInt52Operand::gpr):
(JSC::DFG::SpeculateStrictInt52Operand::use):
(JSC::DFG::SpeculateWhicheverInt52Operand::SpeculateWhicheverInt52Operand):
(JSC::DFG::SpeculateWhicheverInt52Operand::~SpeculateWhicheverInt52Operand):
(JSC::DFG::SpeculateWhicheverInt52Operand::edge):
(JSC::DFG::SpeculateWhicheverInt52Operand::node):
(JSC::DFG::SpeculateWhicheverInt52Operand::gpr):
(JSC::DFG::SpeculateWhicheverInt52Operand::use):
(JSC::DFG::SpeculateWhicheverInt52Operand::format):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::boxInt52):
(JSC::DFG::SpeculativeJIT::fillJSValue):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
(JSC::DFG::SpeculativeJIT::compileInt52Compare):
(JSC::DFG::SpeculativeJIT::compilePeepHoleInt52Branch):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGUseKind.cpp:
(WTF::printInternal):
* dfg/DFGUseKind.h:
(JSC::DFG::typeFilterFor):
(JSC::DFG::isNumerical):
* dfg/DFGValueSource.cpp:
(JSC::DFG::ValueSource::dump):
* dfg/DFGValueSource.h:
(JSC::DFG::dataFormatToValueSourceKind):
(JSC::DFG::valueSourceKindToDataFormat):
(JSC::DFG::ValueSource::forFlushFormat):
(JSC::DFG::ValueSource::valueRecovery):
* dfg/DFGVariableAccessData.h:
(JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
(JSC::DFG::VariableAccessData::flushFormat):
* ftl/FTLCArgumentGetter.cpp:
(JSC::FTL::CArgumentGetter::loadNextAndBox):
* ftl/FTLCArgumentGetter.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLExitValue.cpp:
(JSC::FTL::ExitValue::dumpInContext):
* ftl/FTLExitValue.h:
(JSC::FTL::ExitValue::inJSStackAsInt52):
* ftl/FTLIntrinsicRepository.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::createPhiVariables):
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileUpsilon):
(JSC::FTL::LowerDFGToLLVM::compilePhi):
(JSC::FTL::LowerDFGToLLVM::compileSetLocal):
(JSC::FTL::LowerDFGToLLVM::compileAdd):
(JSC::FTL::LowerDFGToLLVM::compileArithSub):
(JSC::FTL::LowerDFGToLLVM::compileArithMul):
(JSC::FTL::LowerDFGToLLVM::compileArithNegate):
(JSC::FTL::LowerDFGToLLVM::compilePutByVal):
(JSC::FTL::LowerDFGToLLVM::compileCompareEq):
(JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
(JSC::FTL::LowerDFGToLLVM::compileCompareLess):
(JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
(JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
(JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
(JSC::FTL::LowerDFGToLLVM::lowInt32):
(JSC::FTL::LowerDFGToLLVM::lowInt52):
(JSC::FTL::LowerDFGToLLVM::lowStrictInt52):
(JSC::FTL::LowerDFGToLLVM::betterUseStrictInt52):
(JSC::FTL::LowerDFGToLLVM::bestInt52Kind):
(JSC::FTL::LowerDFGToLLVM::opposite):
(JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52):
(JSC::FTL::LowerDFGToLLVM::lowCell):
(JSC::FTL::LowerDFGToLLVM::lowBoolean):
(JSC::FTL::LowerDFGToLLVM::lowDouble):
(JSC::FTL::LowerDFGToLLVM::lowJSValue):
(JSC::FTL::LowerDFGToLLVM::strictInt52ToInt32):
(JSC::FTL::LowerDFGToLLVM::strictInt52ToDouble):
(JSC::FTL::LowerDFGToLLVM::strictInt52ToJSValue):
(JSC::FTL::LowerDFGToLLVM::setInt52WithStrictValue):
(JSC::FTL::LowerDFGToLLVM::strictInt52ToInt52):
(JSC::FTL::LowerDFGToLLVM::int52ToStrictInt52):
(JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
(JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
(JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
(JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
(JSC::FTL::LowerDFGToLLVM::setInt52):
(JSC::FTL::LowerDFGToLLVM::setStrictInt52):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
* ftl/FTLOutput.h:
(JSC::FTL::Output::addWithOverflow64):
(JSC::FTL::Output::subWithOverflow64):
(JSC::FTL::Output::mulWithOverflow64):
* ftl/FTLValueFormat.cpp:
(WTF::printInternal):
* ftl/FTLValueFormat.h:
* ftl/FTLValueSource.cpp:
(JSC::FTL::ValueSource::dump):
* ftl/FTLValueSource.h:
* interpreter/Register.h:
(JSC::Register::unboxedInt52):
* runtime/Arguments.cpp:
(JSC::Arguments::tearOffForInlineCallFrame):
* runtime/IndexingType.cpp:
(JSC::leastUpperBoundOfIndexingTypeAndType):
* runtime/JSCJSValue.h:
* runtime/JSCJSValueInlines.h:
(JSC::JSValue::isMachineInt):
(JSC::JSValue::asMachineInt):

Source/WTF: 

Reviewed by Oliver Hunt.

* wtf/PrintStream.h:
(WTF::ValueIgnoringContext::ValueIgnoringContext):
(WTF::ValueIgnoringContext::dump):
(WTF::ignoringContext):

Tools: 

Reviewed by Oliver Hunt.

* Scripts/run-jsc-stress-tests:

LayoutTests: 

Reviewed by Oliver Hunt.

* js/dfg-int-overflow-large-constants-in-a-line-expected.txt:
* js/regress/large-int-captured-expected.txt: Added.
* js/regress/large-int-captured.html: Added.
* js/regress/large-int-expected.txt: Added.
* js/regress/large-int-neg-expected.txt: Added.
* js/regress/large-int-neg.html: Added.
* js/regress/large-int.html: Added.
* js/regress/marsaglia-larger-ints-expected.txt: Added.
* js/regress/marsaglia-larger-ints.html: Added.
* js/regress/script-tests/large-int-captured.js: Added.
(.bar):
(foo):
* js/regress/script-tests/large-int-neg.js: Added.
(foo):
* js/regress/script-tests/large-int.js: Added.
(foo):
* js/regress/script-tests/marsaglia-larger-ints.js: Added.
(uint):
(marsaglia):
* js/script-tests/dfg-int-overflow-large-constants-in-a-line.js:



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156047 268f45cc-cd09-0410-ab3c-d52691b4dbfc

http://trac.webkit.org/changeset/156019
http://trac.webkit.org/changeset/156020
https://bugs.webkit.org/show_bug.cgi?id=121540

Broke tests (Requested by ap on #webkit).

Source/JavaScriptCore:

* assembler/MacroAssemblerX86_64.h:
* assembler/X86Assembler.h:
* bytecode/DataFormat.h:
(JSC::dataFormatToString):
* bytecode/ExitKind.cpp:
(JSC::exitKindToString):
* bytecode/ExitKind.h:
* bytecode/OperandsInlines.h:
(JSC::::dumpInContext):
* bytecode/SpeculatedType.cpp:
(JSC::dumpSpeculation):
(JSC::speculationToAbbreviatedString):
(JSC::speculationFromValue):
* bytecode/SpeculatedType.h:
(JSC::isInt32SpeculationForArithmetic):
(JSC::isInt48Speculation):
(JSC::isMachineIntSpeculationForArithmetic):
(JSC::isInt48AsDoubleSpeculation):
(JSC::isRealNumberSpeculation):
(JSC::isNumberSpeculation):
(JSC::isNumberSpeculationExpectingDefined):
* bytecode/ValueRecovery.h:
(JSC::ValueRecovery::inGPR):
(JSC::ValueRecovery::displacedInJSStack):
(JSC::ValueRecovery::isAlreadyInJSStack):
(JSC::ValueRecovery::gpr):
(JSC::ValueRecovery::virtualRegister):
(JSC::ValueRecovery::dumpInContext):
* dfg/DFGAbstractInterpreter.h:
(JSC::DFG::AbstractInterpreter::needsTypeCheck):
(JSC::DFG::AbstractInterpreter::filterByType):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::::executeEffects):
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::set):
(JSC::DFG::AbstractValue::checkConsistency):
* dfg/DFGAbstractValue.h:
(JSC::DFG::AbstractValue::validateType):
* dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::refine):
* dfg/DFGAssemblyHelpers.h:
(JSC::DFG::AssemblyHelpers::unboxDouble):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::makeSafe):
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::canonicalize):
(JSC::DFG::CSEPhase::pureCSE):
(JSC::DFG::CSEPhase::getByValLoadElimination):
(JSC::DFG::CSEPhase::performNodeCSE):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGCommon.h:
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::run):
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
(JSC::DFG::FixupPhase::observeUseKindOnNode):
(JSC::DFG::FixupPhase::fixEdge):
(JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
(JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
* dfg/DFGFlushFormat.cpp:
(WTF::printInternal):
* dfg/DFGFlushFormat.h:
(JSC::DFG::resultFor):
(JSC::DFG::useKindFor):
* dfg/DFGGenerationInfo.h:
(JSC::DFG::GenerationInfo::initInt32):
(JSC::DFG::GenerationInfo::fillInt32):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::addShouldSpeculateMachineInt):
(JSC::DFG::Graph::mulShouldSpeculateMachineInt):
(JSC::DFG::Graph::negateShouldSpeculateMachineInt):
* dfg/DFGInPlaceAbstractState.cpp:
(JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
* dfg/DFGJITCode.cpp:
(JSC::DFG::JITCode::reconstruct):
* dfg/DFGMinifiedNode.h:
(JSC::DFG::belongsInMinifiedGraph):
(JSC::DFG::MinifiedNode::hasChild):
* dfg/DFGNode.h:
(JSC::DFG::Node::shouldSpeculateNumber):
(JSC::DFG::Node::shouldSpeculateNumberExpectingDefined):
(JSC::DFG::Node::canSpeculateInt48):
* dfg/DFGNodeFlags.h:
(JSC::DFG::nodeCanSpeculateInt48):
* dfg/DFGNodeType.h:
(JSC::DFG::forwardRewiringSelectionScore):
* dfg/DFGOSRExitCompiler.cpp:
(JSC::DFG::shortOperandsDump):
* dfg/DFGOSRExitCompiler64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
(JSC::DFG::PredictionPropagationPhase::propagate):
(JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::SafeToExecuteEdge::operator()):
(JSC::DFG::safeToExecute):
* dfg/DFGSilentRegisterSavePlan.h:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
(JSC::DFG::SpeculativeJIT::silentFill):
(JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
(JSC::DFG::SpeculativeJIT::compileInlineStart):
(JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
(JSC::DFG::SpeculativeJIT::compileValueToInt32):
(JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
(JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
(JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
(JSC::DFG::SpeculativeJIT::compileAdd):
(JSC::DFG::SpeculativeJIT::compileArithSub):
(JSC::DFG::SpeculativeJIT::compileArithNegate):
(JSC::DFG::SpeculativeJIT::compileArithMul):
(JSC::DFG::SpeculativeJIT::compare):
(JSC::DFG::SpeculativeJIT::compileStrictEq):
(JSC::DFG::SpeculativeJIT::speculateNumber):
(JSC::DFG::SpeculativeJIT::speculateRealNumber):
(JSC::DFG::SpeculativeJIT::speculate):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::canReuse):
(JSC::DFG::SpeculativeJIT::isFilled):
(JSC::DFG::SpeculativeJIT::isFilledDouble):
(JSC::DFG::SpeculativeJIT::use):
(JSC::DFG::SpeculativeJIT::boxDouble):
(JSC::DFG::SpeculativeJIT::isKnownInteger):
(JSC::DFG::SpeculativeJIT::isKnownCell):
(JSC::DFG::SpeculativeJIT::isKnownNotNumber):
(JSC::DFG::SpeculativeJIT::int32Result):
(JSC::DFG::SpeculativeJIT::initConstantInfo):
(JSC::DFG::SpeculativeJIT::isInteger):
(JSC::DFG::SpeculativeJIT::generationInfoFromVirtualRegister):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::fillJSValue):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGUseKind.cpp:
(WTF::printInternal):
* dfg/DFGUseKind.h:
(JSC::DFG::typeFilterFor):
(JSC::DFG::isNumerical):
* dfg/DFGValueSource.cpp:
(JSC::DFG::ValueSource::dump):
* dfg/DFGValueSource.h:
(JSC::DFG::dataFormatToValueSourceKind):
(JSC::DFG::valueSourceKindToDataFormat):
(JSC::DFG::ValueSource::forFlushFormat):
(JSC::DFG::ValueSource::valueRecovery):
* dfg/DFGVariableAccessData.h:
(JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
(JSC::DFG::VariableAccessData::flushFormat):
* ftl/FTLCArgumentGetter.cpp:
(JSC::FTL::CArgumentGetter::loadNextAndBox):
* ftl/FTLCArgumentGetter.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLExitValue.cpp:
(JSC::FTL::ExitValue::dumpInContext):
* ftl/FTLExitValue.h:
* ftl/FTLIntrinsicRepository.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::createPhiVariables):
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileUpsilon):
(JSC::FTL::LowerDFGToLLVM::compilePhi):
(JSC::FTL::LowerDFGToLLVM::compileSetLocal):
(JSC::FTL::LowerDFGToLLVM::compileAdd):
(JSC::FTL::LowerDFGToLLVM::compileArithSub):
(JSC::FTL::LowerDFGToLLVM::compileArithMul):
(JSC::FTL::LowerDFGToLLVM::compileArithNegate):
(JSC::FTL::LowerDFGToLLVM::compilePutByVal):
(JSC::FTL::LowerDFGToLLVM::compileCompareEq):
(JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
(JSC::FTL::LowerDFGToLLVM::compileCompareLess):
(JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
(JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
(JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
(JSC::FTL::LowerDFGToLLVM::lowInt32):
(JSC::FTL::LowerDFGToLLVM::lowCell):
(JSC::FTL::LowerDFGToLLVM::lowBoolean):
(JSC::FTL::LowerDFGToLLVM::lowDouble):
(JSC::FTL::LowerDFGToLLVM::lowJSValue):
(JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
(JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
(JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
(JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
(JSC::FTL::LowerDFGToLLVM::setInt32):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
* ftl/FTLOutput.h:
(JSC::FTL::Output::mulWithOverflow32):
* ftl/FTLValueFormat.cpp:
(WTF::printInternal):
* ftl/FTLValueFormat.h:
* ftl/FTLValueSource.cpp:
(JSC::FTL::ValueSource::dump):
* ftl/FTLValueSource.h:
* interpreter/Register.h:
* runtime/Arguments.cpp:
(JSC::Arguments::tearOffForInlineCallFrame):
* runtime/IndexingType.cpp:
(JSC::leastUpperBoundOfIndexingTypeAndType):
* runtime/JSCJSValue.h:
* runtime/JSCJSValueInlines.h:

Source/WTF:

* wtf/PrintStream.h:

Tools:

* Scripts/run-jsc-stress-tests:

LayoutTests:

* js/regress/large-int-captured-expected.txt: Removed.
* js/regress/large-int-captured.html: Removed.
* js/regress/large-int-expected.txt: Removed.
* js/regress/large-int-neg-expected.txt: Removed.
* js/regress/large-int-neg.html: Removed.
* js/regress/large-int.html: Removed.
* js/regress/marsaglia-larger-ints-expected.txt: Removed.
* js/regress/marsaglia-larger-ints.html: Removed.
* js/regress/script-tests/large-int-captured.js: Removed.
* js/regress/script-tests/large-int-neg.js: Removed.
* js/regress/script-tests/large-int.js: Removed.
* js/regress/script-tests/marsaglia-larger-ints.js: Removed.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156029 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=121064

Source/JavaScriptCore: 

Reviewed by Oliver Hunt.
        
This adds Int52 support for local variables to the DFG and FTL. It's a speed-up on
programs that have local int32 overflows but where a larger int representation can
prevent us from having to convert all the way up to double.
        
It's a small speed-up for now. But we're just supporting Int52 for a handful of
operations (add, sub, mul, neg, compare, bitops, typed array access) and this lays
the groundwork for adding Int52 to JSValue, which will probably be a bigger
speed-up.
        
The basic approach is:
        
- We have a notion of Int52 in our typesystem. Int52 doesn't belong to BytecodeTop
  or HeapTop - i.e. it doesn't arise from JSValues.
        
- DFG treats Int52 as being part of its FullTop and will treat it as being a
  subtype of double unless instructed otherwise.
        
- Prediction propagator creates Int52s whenever we have a node going doubly but due
  to large values rather than fractional values, and that node is known to be able
  to produce Int52 natively in the DFG backend.
        
- Fixup phase converts edges to MachineIntUses in nodes that are known to be able
  to deal with Int52, and where we have a subtype of Int32|Int52 as the predicted
  input.
        
- The DFG backend and FTL LLVM IR lowering have two notions of Int52s - ones that
  are left-shifted by 16 (great for overflow checks) and ones that are
  sign-extended. Both backends know how to convert between Int52s and the other
  representations.

* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::rshift64):
(JSC::MacroAssemblerX86_64::mul64):
(JSC::MacroAssemblerX86_64::branchMul64):
(JSC::MacroAssemblerX86_64::branchNeg64):
(JSC::MacroAssemblerX86_64::convertInt64ToDouble):
* assembler/X86Assembler.h:
(JSC::X86Assembler::imulq_rr):
(JSC::X86Assembler::cvtsi2sdq_rr):
* bytecode/DataFormat.h:
(JSC::dataFormatToString):
* bytecode/OperandsInlines.h:
(JSC::::dumpInContext):
* bytecode/SpeculatedType.cpp:
(JSC::dumpSpeculation):
(JSC::speculationToAbbreviatedString):
(JSC::speculationFromValue):
* bytecode/SpeculatedType.h:
(JSC::isInt32SpeculationForArithmetic):
(JSC::isMachineIntSpeculationForArithmetic):
(JSC::isBytecodeRealNumberSpeculation):
(JSC::isFullRealNumberSpeculation):
(JSC::isBytecodeNumberSpeculation):
(JSC::isFullNumberSpeculation):
(JSC::isBytecodeNumberSpeculationExpectingDefined):
(JSC::isFullNumberSpeculationExpectingDefined):
* bytecode/ValueRecovery.h:
(JSC::ValueRecovery::alreadyInJSStackAsUnboxedInt52):
(JSC::ValueRecovery::inGPR):
(JSC::ValueRecovery::displacedInJSStack):
(JSC::ValueRecovery::isAlreadyInJSStack):
(JSC::ValueRecovery::gpr):
(JSC::ValueRecovery::virtualRegister):
(JSC::ValueRecovery::dumpInContext):
* dfg/DFGAbstractInterpreter.h:
(JSC::DFG::AbstractInterpreter::needsTypeCheck):
(JSC::DFG::AbstractInterpreter::filterByType):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::::executeEffects):
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::set):
(JSC::DFG::AbstractValue::checkConsistency):
* dfg/DFGAbstractValue.h:
(JSC::DFG::AbstractValue::couldBeType):
(JSC::DFG::AbstractValue::isType):
(JSC::DFG::AbstractValue::checkConsistency):
(JSC::DFG::AbstractValue::validateType):
* dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::refine):
* dfg/DFGAssemblyHelpers.h:
(JSC::DFG::AssemblyHelpers::boxInt52):
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::pureCSE):
(JSC::DFG::CSEPhase::getByValLoadElimination):
(JSC::DFG::CSEPhase::performNodeCSE):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGCommon.h:
(JSC::DFG::enableInt52):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::run):
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
(JSC::DFG::FixupPhase::fixupUntypedSetLocalsInBlock):
(JSC::DFG::FixupPhase::observeUseKindOnNode):
(JSC::DFG::FixupPhase::fixEdge):
(JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
(JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
* dfg/DFGFlushFormat.cpp:
(WTF::printInternal):
* dfg/DFGFlushFormat.h:
(JSC::DFG::resultFor):
(JSC::DFG::useKindFor):
* dfg/DFGGenerationInfo.h:
(JSC::DFG::GenerationInfo::initInt52):
(JSC::DFG::GenerationInfo::initStrictInt52):
(JSC::DFG::GenerationInfo::isFormat):
(JSC::DFG::GenerationInfo::isInt52):
(JSC::DFG::GenerationInfo::isStrictInt52):
(JSC::DFG::GenerationInfo::fillInt52):
(JSC::DFG::GenerationInfo::fillStrictInt52):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::addShouldSpeculateMachineInt):
(JSC::DFG::Graph::mulShouldSpeculateMachineInt):
(JSC::DFG::Graph::negateShouldSpeculateMachineInt):
* dfg/DFGInPlaceAbstractState.cpp:
(JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
* dfg/DFGJITCode.cpp:
(JSC::DFG::JITCode::reconstruct):
* dfg/DFGMinifiedNode.h:
(JSC::DFG::belongsInMinifiedGraph):
(JSC::DFG::MinifiedNode::hasChild):
* dfg/DFGNode.h:
(JSC::DFG::Node::shouldSpeculateNumber):
(JSC::DFG::Node::shouldSpeculateNumberExpectingDefined):
* dfg/DFGNodeFlags.h:
* dfg/DFGNodeType.h:
(JSC::DFG::forwardRewiringSelectionScore):
* dfg/DFGOSRExitCompiler.cpp:
* dfg/DFGOSRExitCompiler64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
(JSC::DFG::PredictionPropagationPhase::propagate):
(JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::SafeToExecuteEdge::operator()):
(JSC::DFG::safeToExecute):
* dfg/DFGSilentRegisterSavePlan.h:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
(JSC::DFG::SpeculativeJIT::silentFill):
(JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
(JSC::DFG::SpeculativeJIT::compileInlineStart):
(JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
(JSC::DFG::SpeculativeJIT::compileValueToInt32):
(JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
(JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
(JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
(JSC::DFG::SpeculativeJIT::compileAdd):
(JSC::DFG::SpeculativeJIT::compileArithSub):
(JSC::DFG::SpeculativeJIT::compileArithNegate):
(JSC::DFG::SpeculativeJIT::compileArithMul):
(JSC::DFG::SpeculativeJIT::compare):
(JSC::DFG::SpeculativeJIT::compileStrictEq):
(JSC::DFG::SpeculativeJIT::speculateMachineInt):
(JSC::DFG::SpeculativeJIT::speculateNumber):
(JSC::DFG::SpeculativeJIT::speculateRealNumber):
(JSC::DFG::SpeculativeJIT::speculate):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::canReuse):
(JSC::DFG::SpeculativeJIT::isFilled):
(JSC::DFG::SpeculativeJIT::isFilledDouble):
(JSC::DFG::SpeculativeJIT::use):
(JSC::DFG::SpeculativeJIT::isKnownInteger):
(JSC::DFG::SpeculativeJIT::isKnownCell):
(JSC::DFG::SpeculativeJIT::isKnownNotNumber):
(JSC::DFG::SpeculativeJIT::int52Result):
(JSC::DFG::SpeculativeJIT::strictInt52Result):
(JSC::DFG::SpeculativeJIT::initConstantInfo):
(JSC::DFG::SpeculativeJIT::isInteger):
(JSC::DFG::SpeculativeJIT::betterUseStrictInt52):
(JSC::DFG::SpeculativeJIT::generationInfo):
(JSC::DFG::SpeculateInt52Operand::SpeculateInt52Operand):
(JSC::DFG::SpeculateInt52Operand::~SpeculateInt52Operand):
(JSC::DFG::SpeculateInt52Operand::edge):
(JSC::DFG::SpeculateInt52Operand::node):
(JSC::DFG::SpeculateInt52Operand::gpr):
(JSC::DFG::SpeculateInt52Operand::use):
(JSC::DFG::SpeculateStrictInt52Operand::SpeculateStrictInt52Operand):
(JSC::DFG::SpeculateStrictInt52Operand::~SpeculateStrictInt52Operand):
(JSC::DFG::SpeculateStrictInt52Operand::edge):
(JSC::DFG::SpeculateStrictInt52Operand::node):
(JSC::DFG::SpeculateStrictInt52Operand::gpr):
(JSC::DFG::SpeculateStrictInt52Operand::use):
(JSC::DFG::SpeculateWhicheverInt52Operand::SpeculateWhicheverInt52Operand):
(JSC::DFG::SpeculateWhicheverInt52Operand::~SpeculateWhicheverInt52Operand):
(JSC::DFG::SpeculateWhicheverInt52Operand::edge):
(JSC::DFG::SpeculateWhicheverInt52Operand::node):
(JSC::DFG::SpeculateWhicheverInt52Operand::gpr):
(JSC::DFG::SpeculateWhicheverInt52Operand::use):
(JSC::DFG::SpeculateWhicheverInt52Operand::format):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::boxInt52):
(JSC::DFG::SpeculativeJIT::fillJSValue):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
(JSC::DFG::SpeculativeJIT::compileInt52Compare):
(JSC::DFG::SpeculativeJIT::compilePeepHoleInt52Branch):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGUseKind.cpp:
(WTF::printInternal):
* dfg/DFGUseKind.h:
(JSC::DFG::typeFilterFor):
(JSC::DFG::isNumerical):
* dfg/DFGValueSource.cpp:
(JSC::DFG::ValueSource::dump):
* dfg/DFGValueSource.h:
(JSC::DFG::dataFormatToValueSourceKind):
(JSC::DFG::valueSourceKindToDataFormat):
(JSC::DFG::ValueSource::forFlushFormat):
(JSC::DFG::ValueSource::valueRecovery):
* dfg/DFGVariableAccessData.h:
(JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
(JSC::DFG::VariableAccessData::flushFormat):
* ftl/FTLCArgumentGetter.cpp:
(JSC::FTL::CArgumentGetter::loadNextAndBox):
* ftl/FTLCArgumentGetter.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLExitValue.cpp:
(JSC::FTL::ExitValue::dumpInContext):
* ftl/FTLExitValue.h:
(JSC::FTL::ExitValue::inJSStackAsInt52):
* ftl/FTLIntrinsicRepository.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::createPhiVariables):
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileUpsilon):
(JSC::FTL::LowerDFGToLLVM::compilePhi):
(JSC::FTL::LowerDFGToLLVM::compileSetLocal):
(JSC::FTL::LowerDFGToLLVM::compileAdd):
(JSC::FTL::LowerDFGToLLVM::compileArithSub):
(JSC::FTL::LowerDFGToLLVM::compileArithMul):
(JSC::FTL::LowerDFGToLLVM::compileArithNegate):
(JSC::FTL::LowerDFGToLLVM::compilePutByVal):
(JSC::FTL::LowerDFGToLLVM::compileCompareEq):
(JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
(JSC::FTL::LowerDFGToLLVM::compileCompareLess):
(JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
(JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
(JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
(JSC::FTL::LowerDFGToLLVM::lowInt32):
(JSC::FTL::LowerDFGToLLVM::lowInt52):
(JSC::FTL::LowerDFGToLLVM::lowStrictInt52):
(JSC::FTL::LowerDFGToLLVM::betterUseStrictInt52):
(JSC::FTL::LowerDFGToLLVM::bestInt52Kind):
(JSC::FTL::LowerDFGToLLVM::opposite):
(JSC::FTL::LowerDFGToLLVM::Int52s::operator[]):
(JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52):
(JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52s):
(JSC::FTL::LowerDFGToLLVM::lowOpposingInt52s):
(JSC::FTL::LowerDFGToLLVM::lowCell):
(JSC::FTL::LowerDFGToLLVM::lowBoolean):
(JSC::FTL::LowerDFGToLLVM::lowDouble):
(JSC::FTL::LowerDFGToLLVM::lowJSValue):
(JSC::FTL::LowerDFGToLLVM::strictInt52ToInt32):
(JSC::FTL::LowerDFGToLLVM::strictInt52ToDouble):
(JSC::FTL::LowerDFGToLLVM::strictInt52ToJSValue):
(JSC::FTL::LowerDFGToLLVM::setInt52WithStrictValue):
(JSC::FTL::LowerDFGToLLVM::strictInt52ToInt52):
(JSC::FTL::LowerDFGToLLVM::int52ToStrictInt52):
(JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
(JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
(JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
(JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
(JSC::FTL::LowerDFGToLLVM::setInt52):
(JSC::FTL::LowerDFGToLLVM::setStrictInt52):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
* ftl/FTLOutput.h:
(JSC::FTL::Output::addWithOverflow64):
(JSC::FTL::Output::subWithOverflow64):
(JSC::FTL::Output::mulWithOverflow64):
* ftl/FTLValueFormat.cpp:
(WTF::printInternal):
* ftl/FTLValueFormat.h:
* ftl/FTLValueSource.cpp:
(JSC::FTL::ValueSource::dump):
* ftl/FTLValueSource.h:
* interpreter/Register.h:
(JSC::Register::unboxedInt52):
* runtime/Arguments.cpp:
(JSC::Arguments::tearOffForInlineCallFrame):
* runtime/IndexingType.cpp:
(JSC::leastUpperBoundOfIndexingTypeAndType):
* runtime/JSCJSValue.h:
* runtime/JSCJSValueInlines.h:
(JSC::JSValue::isMachineInt):
(JSC::JSValue::asMachineInt):

Source/WTF: 

Reviewed by Oliver Hunt.

* wtf/PrintStream.h:
(WTF::ValueIgnoringContext::ValueIgnoringContext):
(WTF::ValueIgnoringContext::dump):
(WTF::ignoringContext):

Tools: 

Reviewed by Oliver Hunt.

* Scripts/run-jsc-stress-tests:

LayoutTests: 

Reviewed by Oliver Hunt.

* js/regress/large-int-captured-expected.txt: Added.
* js/regress/large-int-captured.html: Added.
* js/regress/large-int-expected.txt: Added.
* js/regress/large-int-neg-expected.txt: Added.
* js/regress/large-int-neg.html: Added.
* js/regress/large-int.html: Added.
* js/regress/marsaglia-larger-ints-expected.txt: Added.
* js/regress/marsaglia-larger-ints.html: Added.
* js/regress/script-tests/large-int-captured.js: Added.
(.bar):
(foo):
* js/regress/script-tests/large-int-neg.js: Added.
(foo):
* js/regress/script-tests/large-int.js: Added.
(foo):
* js/regress/script-tests/marsaglia-larger-ints.js: Added.
(uint):
(marsaglia):



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156019 268f45cc-cd09-0410-ab3c-d52691b4dbfc