https://bugs.webkit.org/show_bug.cgi?id=126527

Reviewed by Filip Pizlo.

This patch takes a similar approach to how write barriers work in the baseline JIT.
We execute the write barrier at the beginning of the opcode so we don't have to
worry about saving and restoring live registers across write barrier slow path calls
to C code.

* llint/LLIntOfflineAsmConfig.h:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::llint_write_barrier_slow):
* llint/LLIntSlowPaths.h:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* offlineasm/arm64.rb:
* offlineasm/instructions.rb:
* offlineasm/x86.rb:


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@161377 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=125802.

Reviewed by Filip Pizlo.

This is in preparation for C Stack OSR entry work that is coming soon.
In the OSR entry case, we'll be returning a topOfFrame pointer value
instead of the ExecState*.

* offlineasm/cloop.rb:
* runtime/CommonSlowPaths.h:
(JSC::encodeResult):
(JSC::decodeResult):



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@160665 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=125528

Patch by Balazs Kilvady <kilvadyb@homejinni.com> on 2013-12-10
Reviewed by Michael Saboff.

Optimize lowering of offlineasm BaseIndex Addresses.

* offlineasm/mips.rb:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@160387 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=125454

Patch by Julien Brianceau <jbriance@cisco.com> on 2013-12-09
Reviewed by Michael Saboff.

In LLINT, sh4 backend implementation didn't handle properly conditional jumps using
a LabelReference instance. This patch fixes it through sh4LowerMisplacedLabels phase.
Also, to avoid the need of a 4th temporary gpr, this phase is triggered later in
getModifiedListSH4.

* offlineasm/sh4.rb:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@160315 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=125227

Patch by Julien Brianceau <jbriance@cisco.com> on 2013-12-04
Reviewed by Michael Saboff.

* llint/LowLevelInterpreter32_64.asm: Do not use t4 and t5 as they match a0 and a1.
* offlineasm/registers.rb: Add t7, t8 and t9 in register list for sh4 port.
* offlineasm/sh4.rb: Rearrange RegisterID list and add the missing ones.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@160100 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=125215

Patch by László Langó <lango@inf.u-szeged.hu> on 2013-12-04
Reviewed by Michael Saboff.

When using cloop do not generate offsets additions for BaseIndex if the offset is zero.

* offlineasm/cloop.rb:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@160091 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=124721

Reviewed by Filip Pizlo.

Added pushLRAndFP and popLRAndFP that push and pop the link register and frame pointer register.
These ops emit code just like what the compiler emits in the prologue and epilogue.  Also changed
pushCalleeSaves and popCalleeSaves to use the same store pair and load pair instructions to do
the actually pushing and popping.  Finally changed the implementation of push and pop to raise
an exception since we don't have (or need) a single register push or pop.

* llint/LowLevelInterpreter64.asm:
* offlineasm/arm64.rb:
* offlineasm/instructions.rb:


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@159655 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=124749

Reviewed by Mark Hahnenberg.

Removed the unused, X86 only peekq and pokeq.

* offlineasm/instructions.rb:
* offlineasm/x86.rb:


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@159654 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=124716

Patch by Balazs Kilvady <kilvadyb@homejinni.com> on 2013-11-21
Reviewed by Michael Saboff.

Add missing implementations in MacroAssembler and LLInt for MIPS.

* assembler/MIPSAssembler.h:
(JSC::MIPSAssembler::sync):
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::store8):
(JSC::MacroAssemblerMIPS::memoryFence):
* offlineasm/mips.rb:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@159635 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=124713

Patch by Julien Brianceau <jbriance@cisco.com> on 2013-11-21
Reviewed by Michael Saboff.

Add missing implementations in macro assembler and LLINT for sh4.

* assembler/MacroAssemblerSH4.h:
(JSC::MacroAssemblerSH4::load8):
(JSC::MacroAssemblerSH4::store8):
(JSC::MacroAssemblerSH4::memoryFence):
* assembler/SH4Assembler.h:
(JSC::SH4Assembler::synco):
* offlineasm/sh4.rb: Handle "memfence" opcode.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@159629 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=124464

Source/JavaScriptCore: 

Reviewed by Sam Weinig.
        
All global variables that are candidates for watchpoint-based constant inference (i.e.
not 'const' variables) will now have WatchpointSet's associated with them and those
are used to drive the inference by tracking three states of each variable:
        
Uninitialized: the variable's value is Undefined and the WatchpointSet state is
    ClearWatchpoint.
        
Initialized: the variable's value was set to something (could even be explicitly set
    to Undefined) and the WatchpointSet state is IsWatching.
        
Invalidated: the variable's value was set to something else (could even be the same
    thing as before but the point is that a put operation did execute again) and the
    WatchpointSet is IsInvalidated.
        
If the compiler tries to compile a GetGlobalVar and the WatchpointSet state is
IsWatching, then the current value of the variable can be folded in place of the get,
and a watchpoint on the variable can be registered.
        
We handle race conditions between the mutator and compiler by mandating that:
        
- The mutator changes the WatchpointSet state after executing the put.
        
- There is no opportunity to install code or call functions between when the mutator
  executes a put and changes the WatchpointSet state.
        
- The compiler checks the WatchpointSet state prior to reading the value.
        
The concrete algorithm used by the mutator is:
        
    1. Store the new value into the variable.
    --- Execute a store-store fence.
    2. Bump the state (ClearWatchpoing becomes IsWatching, IsWatching becomes
       IsInvalidated); the IsWatching->IsInvalidated transition may end up firing
       watchpoints.
        
The concrete algorithm that the compiler uses is:
        
    1. Load the state. If it's *not* IsWatching, then give up on constant inference.
    --- Execute a load-load fence.
    2. Load the value of the variable and use that for folding, while also registering
       a DesiredWatchpoint. The various parts of this step can be done in any order.
        
The desired watchpoint registration will fail if the watchpoint set is already
invalidated. Now consider the following interesting interleavings:
        
Uninitialized->M1->M2->C1->C2: Compiler sees IsWatching because of the mutator's store
    operation, and the variable is folded. The fencing ensures that C2 sees the value
    stored in M1 - i.e. we fold on the value that will actually be watchpointed. If
    before the compilation is installed the mutator executes another store then we
    will be sure that it will be a complete sequence of M1+M2 since compilations get
    installed at safepoints and never "in the middle" of a put_to_scope. Hence that
    compilation installation will be invalidated. If the M1+M2 sequence happens after
    the code is installed, then the code will be invalidated by triggering a jettison.
        
Uninitialized->M1->C1->C2->M2: Compiler sees Uninitialized and will not fold. This is
    a sensible outcome since if the compiler read the variable's value, it would have
    seen Undefined.
        
Uninitialized->C1->C2->M1->M2: Compiler sees Uninitialized and will not fold.
Uninitialized->C1->M1->C2->M2: Compiler sees Uninitialized and will not fold.
Uninitialized->C1->M1->M2->C2: Compiler sees Uninitialized and will not fold.
Uninitialized->M1->C1->M2->C2: Compiler sees Uninitialized and will not fold.
        
IsWatched->M1->M2->C1->C2: Compiler sees IsInvalidated and will not fold.
        
IsWatched->M1->C1->C2->M2: Compiler will fold, but will also register a desired
    watchpoint, and that watchpoint will get invalidated before the code is installed.
        
IsWatched->M1->C1->M2->C2: As above, will fold but the code will get invalidated.
IsWatched->C1->C2->M1->M2: As above, will fold but the code will get invalidated.
IsWatched->C1->M1->C2->M2: As above, will fold but the code will get invalidated.
IsWatched->C1->M1->M2->C2: As above, will fold but the code will get invalidated.
        
Note that this kind of reasoning shows why having the mutator first bump the state and
then store the new value would be wrong. If we had done that (M1 = bump state, M2 =
execute put) then we could have the following deadly interleavings:
        
Uninitialized->M1->C1->C2->M2:
Uninitialized->M1->C1->M2->C2: Mutator bumps the state to IsWatched and then the
    compiler folds Undefined, since M2 hasn't executed yet. Although C2 will set the
    watchpoint, M1 didn't notify it - it mearly initiated watching. M2 then stores a
    value other than Undefined, and you're toast.
        
You could fix this sort of thing by making the Desired Watchpoints machinery more
sophisticated, for example having it track the value that was folded; if the global
variable's value was later found to be different then we could invalidate the
compilation. You could also fix it by having the compiler also check that the value of
the variable is not Undefined before folding. While those all sound great, I decided
to instead just use the right interleaving since that results in less code and feels
more intuitive.
        
This is a 0.5% speed-up on SunSpider, mostly due to a 20% speed-up on math-cordic.
It's a 0.6% slow-down on LongSpider, mostly due to a 25% slow-down on 3d-cube. This is
because 3d-cube takes global variable assignment slow paths very often. Note that this
3d-cube slow-down doesn't manifest as much in SunSpider (only 6% there). This patch is
also a 1.5% speed-up on V8v7 and a 2.8% speed-up on Octane v1, mostly due to deltablue
(3.7%), richards (4%), and mandreel (26%). This is a 2% speed-up on Kraken, mostly due
to a 17.5% speed-up on imaging-gaussian-blur. Something that really illustrates the
slam-dunk-itude of this patch is the wide range of speed-ups on JSRegress. Casual JS
programming often leads to global-var-based idioms and those variables tend to be
assigned once, leading to excellent constant folding opportunities in an optimizing
JIT. This is very evident in the speed-ups on JSRegress.

* assembler/ARM64Assembler.h:
(JSC::ARM64Assembler::dmbSY):
* assembler/ARMv7Assembler.h:
(JSC::ARMv7Assembler::dmbSY):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::memfence):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::load8):
(JSC::MacroAssemblerARMv7::memfence):
* assembler/MacroAssemblerX86.h:
(JSC::MacroAssemblerX86::load8):
(JSC::MacroAssemblerX86::store8):
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::getUnusedRegister):
(JSC::MacroAssemblerX86Common::store8):
(JSC::MacroAssemblerX86Common::memoryFence):
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::load8):
(JSC::MacroAssemblerX86_64::store8):
* assembler/X86Assembler.h:
(JSC::X86Assembler::movb_rm):
(JSC::X86Assembler::movzbl_mr):
(JSC::X86Assembler::mfence):
(JSC::X86Assembler::X86InstructionFormatter::threeByteOp):
(JSC::X86Assembler::X86InstructionFormatter::oneByteOp8):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
* bytecode/Watchpoint.cpp:
(JSC::WatchpointSet::WatchpointSet):
(JSC::WatchpointSet::add):
(JSC::WatchpointSet::notifyWriteSlow):
* bytecode/Watchpoint.h:
(JSC::WatchpointSet::state):
(JSC::WatchpointSet::isStillValid):
(JSC::WatchpointSet::addressOfSetIsNotEmpty):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::getJSConstantForValue):
(JSC::DFG::ByteCodeParser::getJSConstant):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNode.h:
(JSC::DFG::Node::isStronglyProvedConstantIn):
(JSC::DFG::Node::hasIdentifierNumberForCheck):
(JSC::DFG::Node::hasRegisterPointer):
* dfg/DFGNodeFlags.h:
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileNotifyPutGlobalVar):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLAbbreviatedTypes.h:
* ftl/FTLAbbreviations.h:
(JSC::FTL::buildFence):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLIntrinsicRepository.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileNotifyPutGlobalVar):
* ftl/FTLOutput.h:
(JSC::FTL::Output::fence):
* jit/JIT.h:
* jit/JITOperations.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitPutGlobalVar):
(JSC::JIT::emit_op_put_to_scope):
(JSC::JIT::emitSlow_op_put_to_scope):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emitPutGlobalVar):
(JSC::JIT::emit_op_put_to_scope):
(JSC::JIT::emitSlow_op_put_to_scope):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* llvm/LLVMAPIFunctions.h:
* offlineasm/arm.rb:
* offlineasm/arm64.rb:
* offlineasm/cloop.rb:
* offlineasm/instructions.rb:
* offlineasm/x86.rb:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::addGlobalVar):
(JSC::JSGlobalObject::addFunction):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::addVar):
(JSC::JSGlobalObject::addConst):
* runtime/JSScope.cpp:
(JSC::abstractAccess):
* runtime/JSSymbolTableObject.h:
(JSC::symbolTablePut):
(JSC::symbolTablePutWithAttributes):
* runtime/SymbolTable.cpp:
(JSC::SymbolTableEntry::couldBeWatched):
(JSC::SymbolTableEntry::prepareToWatch):
(JSC::SymbolTableEntry::notifyWriteSlow):
* runtime/SymbolTable.h:

LayoutTests: 

Reviewed by Sam Weinig.

* js/regress/global-var-const-infer-expected.txt: Added.
* js/regress/global-var-const-infer-fire-from-opt-expected.txt: Added.
* js/regress/global-var-const-infer-fire-from-opt.html: Added.
* js/regress/global-var-const-infer.html: Added.
* js/regress/script-tests/global-var-const-infer-fire-from-opt.js: Added.
(foo):
(setA):
(setB):
(check):
* js/regress/script-tests/global-var-const-infer.js: Added.
(foo):
(check):



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@159545 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=124501

Patch by Julien Brianceau <jbriance@cisco.com> on 2013-11-18
Reviewed by Michael Saboff.

* llint/LowLevelInterpreter.asm: Use generic path instead of sh4 specific code.
* llint/LowLevelInterpreter32_64.asm: Merge sh4/mips path with arm path. The
"move t0, a0" is not needed for arm because t0 == a0 with this architecture.
* offlineasm/sh4.rb: Handle move opcode with pr register.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@159422 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=124455

Patch by Julien Brianceau <jbriance@cisco.com> on 2013-11-16
Reviewed by Oliver Hunt.

Fix LLINT implementation for sh4 architecture to handle properly load and store operations with pr register.

* offlineasm/sh4.rb:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@159381 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=124359

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

Add --cloop to build-jsc, build-webkit and friends.

Also make CLoop build and work again - This meant adding a
couple of missing ENABLE(DFG_JIT) blocks, and fixing a few
other references.

* Configurations/FeatureDefines.xcconfig:
* bytecode/BytecodeLivenessAnalysis.cpp:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecode/DFGExitProfile.cpp:
* dfg/DFGCapabilities.cpp:
* dfg/DFGCompilationKey.cpp:
* dfg/DFGCompilationMode.cpp:
* jit/JITExceptions.cpp:
(JSC::genericUnwind):

Source/WebCore:

Add cloop configuration info to WebCore FeatureDefines
so that it's consistent with JSC

* Configurations/FeatureDefines.xcconfig:

Source/WTF:

Make building with the CLoop forcibly enabled manually
disable the JITs

* wtf/Platform.h:

Tools:

Add --cloop support to forcibly enable to CLoop build

* Scripts/build-jsc:
* Scripts/build-webkit:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@159321 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=124365

Reviewed by Oliver Hunt.

Crashes were caused by a mixup between regular registers and temporary registers in ARM_EXTRA_GPRS.

* llint/LowLevelInterpreter32_64.asm: Warning, t3 != a3. It's safer to use an implementation using aX
registers like the MIPS one for cCallX macros.
* offlineasm/arm.rb: Rearrange ARM_EXTRA_GPRS according to the new register distribution in LLINT.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@159298 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=124347

Patch by Julien Brianceau <jbriance@cisco.com> on 2013-11-14
Reviewed by Michael Saboff.

Since r159276, we have (t4 == a0 == r4) and (t5 == a1 == r5) in LLINT for sh4.
This leads to argument register trampling in cCallX macros, especially with cCall2
macro when arg1 == t4.

* llint/LowLevelInterpreter32_64.asm: Use a new "setargs" pseudo-op to setup arguments for sh4.
* offlineasm/instructions.rb:
* offlineasm/sh4.rb: Lower "setargs" pseudo-op to setup argument registers and prevent register trampling issues.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@159288 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=124344

Patch by Julien Brianceau <jbriance@cisco.com> on 2013-11-14
Reviewed by Csaba Osztrogonác.

* offlineasm/sh4.rb: There is no fp alias for r14 register for sh4.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@159283 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=124251

Reviewed by Geoffrey Garen.

Changed callToJavaScript and throwNotCaught into stubs generated by the offline assembler.
Added popCalleeSaves and pushCalleeSaves pseudo ops to the offline assembler to handle
the saving and restoring of callee save registers.  Fixed callFrameRegister differences
between arm traditional (r11) and arm Thumb2 (r7) in GPRInfo.h.  Also fixed implementation
of pop & push in arm.rb.

Since the offline assembler and therefore the LLInt don't work on Windows, the Windows stubs
are handled as inline assembly in JITStubsX86.h and JITStubsMSVC64.asm.

* dfg/DFGDriver.cpp:
(JSC::DFG::compileImpl):
* jit/GPRInfo.h:
(JSC::GPRInfo::toIndex):
(JSC::GPRInfo::debugName):
* jit/JITCode.cpp:
(JSC::JITCode::execute):
* jit/JITExceptions.cpp:
(JSC::genericUnwind):
* jit/JITStubs.h:
* jit/JITStubsMSVC64.asm:
* jit/JITStubsX86.h:
* jit/ThunkGenerators.cpp:
* jit/ThunkGenerators.h:
* llint/LLIntThunks.h:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* offlineasm/arm.rb:
* offlineasm/arm64.rb:
* offlineasm/instructions.rb:
* offlineasm/mips.rb:
* offlineasm/registers.rb:
* offlineasm/sh4.rb:
* offlineasm/x86.rb:
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@159276 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=123956

Reviewed by Geoffrey Garen.

Changed X86 and ARM variants as well as MIPS to use their respective architected
frame pointer registers.  The freed up callFrameRegisteris are made available to 
the DFG register allocator.  Modified the FTL OSR exit compiler to use a temporary
register as a stand in for the destination callFrameRegister since the FTL frame
pointer register is needed to extract values from the FTL stack.

Reviewed by Geoffrey Garen.

* assembler/ARMAssembler.h:
* assembler/ARMv7Assembler.h:
* assembler/MacroAssemblerMIPS.h:
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::addressFor):
* jit/GPRInfo.h:
(JSC::GPRInfo::toRegister):
(JSC::GPRInfo::toIndex):
* jit/JITOperations.cpp:
* jit/JSInterfaceJIT.h:
* jit/ThunkGenerators.cpp:
(JSC::callToJavaScript):
* offlineasm/arm.rb:
* offlineasm/arm64.rb:
* offlineasm/mips.rb:
* offlineasm/x86.rb:


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@158883 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=123271.

Reviewed by Geoffrey Garen.

Undoing offline asm hackery.

* llint/LowLevelInterpreter.cpp:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* offlineasm/cloop.rb:
* offlineasm/instructions.rb:



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@157937 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=123271.

Reviewed by Michael Saboff.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::printGetByIdCacheStatus): Added an UNUSED_PARAM().
(JSC::CodeBlock::dumpBytecode): Added #if ENABLE(JIT) to JIT only code.
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeFor): Added an UNUSED_PARAM().
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeFor): Added an UNUSED_PARAM().
* bytecode/StructureStubInfo.h:
- Added a stub StubInfoMap for non-JIT builds. StubInfoMap is still used
  in function prototypes even when !ENABLE(JIT). Rather that adding #if's
  in many places, we just provide a stub/placeholder implementation that
  is unused but keeps the compiler happy.
* jit/JITOperations.h: Added #if ENABLE(JIT).
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
- The putByVal() macro reifies a slow path which is never taken in one case.
  This translates into a label that is never used in the C Loop LLINT. The
  C++ compiler doesn't like unused labels. So, we fix this by adding a
  cloopUnusedLabel offline asm instruction that synthesizes the following:

      if (false) goto unusedLabel;

  This keeps the C++ compiler happy without changing code behavior.
* offlineasm/cloop.rb: Implementing cloopUnusedLabel.
* offlineasm/instructions.rb: Declaring cloopUnusedLabel.
* runtime/Executable.cpp:
(JSC::setupJIT): Added UNUSED_PARAM()s.
(JSC::ScriptExecutable::prepareForExecutionImpl):
- run-javascriptcore-tests have phases that forces the LLINT to be off
  which in turn asserts that the JIT is enabled. With the C Loop LLINT,
  this combination is illegal. So, we override the setup code here to
  always use the LLINT if !ENABLE(JIT) regardless of what options are
  passed in.



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@157932 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=122950.

Reviewed by Michael Saboff.

* jit/JITStubs.h:
* llint/LowLevelInterpreter.cpp:
(JSC::CLoop::execute):
* offlineasm/cloop.rb:



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@157572 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=122762

Source/JavaScriptCore:

Reviewed by Oliver Hunt and Filip Pizlo.

* Configurations/Base.xcconfig:
* Configurations/DebugRelease.xcconfig:
* Configurations/JavaScriptCore.xcconfig:
* Configurations/ToolExecutable.xcconfig:
* JavaScriptCore.xcodeproj/project.pbxproj:
* assembler/ARM64Assembler.h: Added.
* assembler/AbstractMacroAssembler.h:
(JSC::isARM64):
(JSC::AbstractMacroAssembler::Label::Label):
(JSC::AbstractMacroAssembler::Jump::Jump):
(JSC::AbstractMacroAssembler::Jump::link):
(JSC::AbstractMacroAssembler::Jump::linkTo):
(JSC::AbstractMacroAssembler::CachedTempRegister::CachedTempRegister):
(JSC::AbstractMacroAssembler::CachedTempRegister::registerIDInvalidate):
(JSC::AbstractMacroAssembler::CachedTempRegister::registerIDNoInvalidate):
(JSC::AbstractMacroAssembler::CachedTempRegister::value):
(JSC::AbstractMacroAssembler::CachedTempRegister::setValue):
(JSC::AbstractMacroAssembler::CachedTempRegister::invalidate):
(JSC::AbstractMacroAssembler::invalidateAllTempRegisters):
(JSC::AbstractMacroAssembler::isTempRegisterValid):
(JSC::AbstractMacroAssembler::clearTempRegisterValid):
(JSC::AbstractMacroAssembler::setTempRegisterValid):
* assembler/LinkBuffer.cpp:
(JSC::LinkBuffer::copyCompactAndLinkCode):
(JSC::LinkBuffer::linkCode):
* assembler/LinkBuffer.h:
* assembler/MacroAssembler.h:
(JSC::MacroAssembler::isPtrAlignedAddressOffset):
(JSC::MacroAssembler::pushToSave):
(JSC::MacroAssembler::popToRestore):
(JSC::MacroAssembler::patchableBranchTest32):
* assembler/MacroAssemblerARM64.h: Added.
* assembler/MacroAssemblerARMv7.h:
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGOSRExitCompiler32_64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGOSRExitCompiler64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileArithDiv):
(JSC::DFG::SpeculativeJIT::compileArithMod):
* disassembler/ARM64/A64DOpcode.cpp: Added.
* disassembler/ARM64/A64DOpcode.h: Added.
* disassembler/ARM64Disassembler.cpp: Added.
* heap/MachineStackMarker.cpp:
(JSC::getPlatformThreadRegisters):
(JSC::otherThreadStackPointer):
* heap/Region.h:
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::debugCall):
* jit/CCallHelpers.h:
* jit/ExecutableAllocator.h:
* jit/FPRInfo.h:
(JSC::FPRInfo::toRegister):
(JSC::FPRInfo::toIndex):
(JSC::FPRInfo::debugName):
* jit/GPRInfo.h:
(JSC::GPRInfo::toRegister):
(JSC::GPRInfo::toIndex):
(JSC::GPRInfo::debugName):
* jit/JITInlines.h:
(JSC::JIT::restoreArgumentReferenceForTrampoline):
* jit/JITOperationWrappers.h:
* jit/JITOperations.cpp:
* jit/JITStubs.cpp:
(JSC::performPlatformSpecificJITAssertions):
(JSC::tryCachePutByID):
* jit/JITStubs.h:
(JSC::JITStackFrame::returnAddressSlot):
* jit/JITStubsARM64.h: Added.
* jit/JSInterfaceJIT.h:
* jit/Repatch.cpp:
(JSC::emitRestoreScratch):
(JSC::generateProtoChainAccessStub):
(JSC::tryCacheGetByID):
(JSC::emitPutReplaceStub):
(JSC::tryCachePutByID):
(JSC::tryRepatchIn):
* jit/ScratchRegisterAllocator.h:
(JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
(JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
* jit/ThunkGenerators.cpp:
(JSC::nativeForGenerator):
(JSC::floorThunkGenerator):
(JSC::ceilThunkGenerator):
* jsc.cpp:
(main):
* llint/LLIntOfflineAsmConfig.h:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::handleHostCall):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter64.asm:
* offlineasm/arm.rb:
* offlineasm/arm64.rb: Added.
* offlineasm/backends.rb:
* offlineasm/instructions.rb:
* offlineasm/risc.rb:
* offlineasm/transform.rb:
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::alignCallFrameSizeInBytes):
(JSC::Yarr::YarrGenerator::initCallFrame):
(JSC::Yarr::YarrGenerator::removeCallFrame):
(JSC::Yarr::YarrGenerator::generateEnter):
* yarr/YarrJIT.h:

Source/WTF:

Reviewed by Oliver Hunt.

* Configurations/Base.xcconfig:
* wtf/Atomics.h:
(WTF::weakCompareAndSwap):
(WTF::armV7_dmb):
* wtf/FastMalloc.cpp:
* wtf/Platform.h:
* wtf/dtoa.cpp:
* wtf/dtoa/utils.h:
* wtf/text/ASCIIFastPath.h:
(WTF::copyLCharsFromUCharSource):
* wtf/text/StringImpl.h:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@157474 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=122866.

Reviewed by Geoffrey Garen.

* offlineasm/cloop.rb:



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@157473 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=122746

Patch by Julien Brianceau <jbriance@cisco.com> on 2013-10-15
Reviewed by Michael Saboff.

In current implementation of LLINT for sh4, immediate values outside range -128..127 are
loaded this way:

    mov.l .label, rx
    bra out
    nop
    .balign 4
    .label: .long immvalue
    out:

This change introduces const pools for sh4 implementation to avoid lots of useless branches
and reduce code size. It also removes lines of dirty code, like jmpf and callf.

* offlineasm/instructions.rb: Remove jmpf and callf sh4 specific instructions.
* offlineasm/sh4.rb:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@157452 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=121438

Patch by Julien Brianceau <jbriance@cisco.com> on 2013-09-16
Reviewed by Andreas Kling.

* offlineasm/sh4.rb:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@155876 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=121412

Patch by Julien Brianceau <jbriance@cisco.com> on 2013-09-16
Reviewed by Andreas Kling.

* offlineasm/sh4.rb:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@155846 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=114913

Reviewed by Filip Pizlo.

Source/JavaScriptCore:

The X87 register was not freed before some calls. Instead
of inserting resetX87Registers to the last call sites,
the two X87 registers are now freed in every call.

* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* offlineasm/instructions.rb:
* offlineasm/x86.rb:

LayoutTests:

Unskip the five tests now passsing again.

* platform/qt/TestExpectations:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154095 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=119804

Reviewed by Michael Saboff.

* offlineasm/cloop.rb: Added std:: before isnan.



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154066 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=119755

Patch by Julien Brianceau <jbrianceau@nds.com> on 2013-08-13
Reviewed by Oliver Hunt.

* LLIntOffsetsExtractor.pro: Add sh4.rb dependency.
* offlineasm/sh4.rb:
    - Handle storeb opcode.
    - Make relative jumps when possible using braf opcode.
    - Update bmulio implementation to be consistent with baseline JIT.
    - Remove useless code from leap opcode.
    - Fix incorrect comment.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154025 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=119152

Patch by Balazs Kilvady <kilvadyb@homejinni.com> on 2013-07-26
Reviewed by Oliver Hunt.

* offlineasm/mips.rb:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153375 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=119079

Patch by Julien Brianceau <jbrianceau@nds.com> on 2013-07-25
Reviewed by Allan Sandfeld Jensen.

* offlineasm/sh4.rb:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153317 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=119076

Patch by Julien Brianceau <jbrianceau@nds.com> on 2013-07-25
Reviewed by Allan Sandfeld Jensen.

* offlineasm/mips.rb:
* offlineasm/sh4.rb:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153307 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=118144.

Reviewed by Mark Hahnenberg.

* bytecode/CodeBlock.h:
(JSC::CodeBlock::jitType):
  - Fix the CodeBlock jitType to be InterpreterThunk when !ENABLE_JIT.
* bytecode/JumpTable.h:
(JSC::SimpleJumpTable::clear):
* interpreter/StackIterator.cpp:
(JSC::StackIterator::Frame::bytecodeOffset):
(JSC::StackIterator::Frame::print):
* jit/JITCode.cpp:
(JSC):
* jit/JITExceptions.cpp:
(JSC::getExceptionLocation):
* llint/LowLevelInterpreter.cpp:
* offlineasm/cloop.rb:
* runtime/Structure.cpp:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153273 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=117375

Reviewed by Filip Pizlo.

Source/JavaScriptCore:

This patch has two goals:

(1) Simplicity.

    * Net removes 15 opcodes.
    * Net removes 2,000 lines of code.
    * Removes setPair() from the DFG: All DFG nodes have 1 result register now.

(2) Performance.

    * 2%-3% speedup on SunSpider (20% in LLInt and Baseline JIT)
    * 2% speedup on v8-spider
    * 10% speedup on js-regress-hashmap*
    * Amusing 2X speedup on js-regress-poly-stricteq

The bytecode now separates the scope chain resolution opcode from the
scope access opcode.

    OLD:
        get_scoped_var  r0, 1, 0
        inc             r0
        put_scoped_var  1, 0, r0

    NEW:
        resolve_scope   r0, x(@id0)
        get_from_scope  r1, r0, x(@id0)
        inc             r1
        put_to_scope    r0, x(@id0), r1

Also, we link non-local variable resolution opcodes at CodeBlock link
time instead of time of first opcode execution.

This means that we can represent all possible non-local variable
resolutions using just three opcodes, and any optimizations in these
opcodes naturally apply across-the-board.

* API/JSCTestRunnerUtils.cpp:
(JSC::numberOfDFGCompiles):
* GNUmakefile.list.am:
* JavaScriptCore.gypi:
* JavaScriptCore.order:
* JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Target.pri: Build!

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode): Updated for removed things.

(JSC::CodeBlock::CodeBlock): Always provide the full scope chain when
creating a CodeBlock, so we can perform non-local variable resolution.

Added code to perform linking for these opcodes. This is where we figure
out which non-local variable resolutions are optimizable, and how.

(JSC::CodeBlock::finalizeUnconditionally):
(JSC::CodeBlock::noticeIncomingCall):
(JSC::CodeBlock::optimizeAfterWarmUp):
(JSC::CodeBlock::optimizeAfterLongWarmUp):
(JSC::CodeBlock::optimizeSoon): Updated for removed things.

* bytecode/CodeBlock.h:
(JSC::CodeBlock::needsActivation):
(JSC::GlobalCodeBlock::GlobalCodeBlock):
(JSC::ProgramCodeBlock::ProgramCodeBlock):
(JSC::EvalCodeBlock::EvalCodeBlock):
(JSC::FunctionCodeBlock::FunctionCodeBlock):
* bytecode/EvalCodeCache.h:
(JSC::EvalCodeCache::getSlow): Updated for interface changes.

* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeFor): Treat global object access as
optimizable even though the global object has a custom property access
callback. This is what we've always done since, otherwise, we can't
optimize globals. (In future, we probably want to figure out a more
targeted policy than "any property access callback means no
optimization".)

* bytecode/GlobalResolveInfo.h: Removed.
* bytecode/Instruction.h:
* bytecode/Opcode.h:
(JSC::padOpcodeName):

* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeFor): Like GetByIdStatus.

* bytecode/ResolveGlobalStatus.cpp: Removed.
* bytecode/ResolveGlobalStatus.h: Removed.
* bytecode/ResolveOperation.h: Removed.

* bytecode/UnlinkedCodeBlock.cpp:
(JSC::generateFunctionCodeBlock):
(JSC::UnlinkedFunctionExecutable::codeBlockFor):
(JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
* bytecode/UnlinkedCodeBlock.h: Don't provide a scope chain to unlinked
code blocks. Giving a scope to an unscoped compilation unit invites
programming errors.

* bytecode/Watchpoint.h:
(JSC::WatchpointSet::addressOfIsInvalidated):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::resolveCallee):
(JSC::BytecodeGenerator::local):
(JSC::BytecodeGenerator::constLocal):
(JSC::BytecodeGenerator::resolveType):
(JSC::BytecodeGenerator::emitResolveScope):
(JSC::BytecodeGenerator::emitGetFromScope):
(JSC::BytecodeGenerator::emitPutToScope):
(JSC::BytecodeGenerator::emitInstanceOf):
(JSC::BytecodeGenerator::emitPushWithScope):
(JSC::BytecodeGenerator::emitPopScope):
(JSC::BytecodeGenerator::pushFinallyContext):
(JSC::BytecodeGenerator::emitComplexPopScopes):
(JSC::BytecodeGenerator::popTryAndEmitCatch):
(JSC::BytecodeGenerator::emitPushNameScope):
(JSC::BytecodeGenerator::isArgumentNumber):
* bytecompiler/BytecodeGenerator.h:
(JSC::Local::Local):
(JSC::Local::operator bool):
(JSC::Local::get):
(JSC::Local::isReadOnly):
(JSC::BytecodeGenerator::scopeDepth):
(JSC::BytecodeGenerator::shouldOptimizeLocals):
(JSC::BytecodeGenerator::canOptimizeNonLocals): Refactored the bytecode
generator to resolve all variables within local scope, as if there
were no non-local scope. This helps provide a separation of concerns:
unlinked bytecode is always scope-free, and the linking stage links
in the provided scope.

* bytecompiler/NodesCodegen.cpp:
(JSC::ResolveNode::isPure):
(JSC::ResolveNode::emitBytecode):
(JSC::EvalFunctionCallNode::emitBytecode):
(JSC::FunctionCallResolveNode::emitBytecode):
(JSC::PostfixNode::emitResolve):
(JSC::DeleteResolveNode::emitBytecode):
(JSC::TypeOfResolveNode::emitBytecode):
(JSC::PrefixNode::emitResolve):
(JSC::ReadModifyResolveNode::emitBytecode):
(JSC::AssignResolveNode::emitBytecode):
(JSC::ConstDeclNode::emitCodeSingle):
(JSC::ForInNode::emitBytecode): A bunch of this codegen is no longer
necessary, since it's redundant with the linking stage.

* dfg/DFGAbstractState.cpp:
(JSC::DFG::AbstractState::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::ByteCodeParser):
(JSC::DFG::ByteCodeParser::cellConstantWithStructureCheck):
(JSC::DFG::ByteCodeParser::handlePutByOffset):
(JSC::DFG::ByteCodeParser::handleGetById):
(JSC::DFG::ByteCodeParser::parseBlock): Updated for interface changes.
Notably, we can reuse existing DFG nodes -- but the mapping between
bytecode and DFG nodes has changed, and some nodes and corner cases have
been removed.

* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::scopedVarLoadElimination):
(JSC::DFG::CSEPhase::varInjectionWatchpointElimination):
(JSC::DFG::CSEPhase::globalVarStoreElimination):
(JSC::DFG::CSEPhase::scopedVarStoreElimination):
(JSC::DFG::CSEPhase::getLocalLoadElimination):
(JSC::DFG::CSEPhase::setLocalStoreElimination):
(JSC::DFG::CSEPhase::performNodeCSE): Added CSE for var injection
watchpoints. Even though watchpoints are "free", they're quite common
inside code that's subject to var injection, so I figured we'd save a
little memory.

* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* dfg/DFGCapabilities.h: Removed detection for old forms.

* dfg/DFGDriver.h:
(JSC::DFG::tryCompile):
(JSC::DFG::tryCompileFunction):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGraph.h:
* dfg/DFGJITCode.cpp:
* dfg/DFGNode.h:
(JSC::DFG::Node::convertToStructureTransitionWatchpoint):
(JSC::DFG::Node::hasVarNumber):
(JSC::DFG::Node::hasIdentifierNumberForCheck):
(JSC::DFG::Node::hasRegisterPointer):
(JSC::DFG::Node::hasHeapPrediction):
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGRepatch.h:
(JSC::DFG::dfgResetGetByID):
(JSC::DFG::dfgResetPutByID):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation): Removed some unneeded things,
and updated for renames.

* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile): The two primary changes here are:

(1) Use a watchpoint for var injection instead of looping over the scope
chain and checking. This is more efficient and much easier to model in
code generation.

(2) I've eliminated the notion of an optimized global assignment that
needs to check for whether it should fire a watchpiont. Instead, we
fire pre-emptively at the point of optimization. This removes a bunch
of edge cases, and it seems like a more honest representation of
the fact that our new optimization contradicts our old one.

* dfg/DFGTypeCheckHoistingPhase.cpp:
(JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
(JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
* heap/DFGCodeBlocks.cpp:
(JSC::DFGCodeBlocks::jettison):
* interpreter/CallFrame.h:
(JSC::ExecState::trueCallFrame): Removed stuff that's unused now, and
fixed the build.

* interpreter/Interpreter.cpp:
(JSC::eval):
(JSC::getBytecodeOffsetForCallFrame):
(JSC::getCallerInfo):
(JSC::Interpreter::throwException): Updated exception scope tracking
to match the rest of our linking strategy: The unlinked bytecode compiles
exception scope as if non-local scope did not exist, and we add in
non-local scope at link time. This means that we can restore the right
scope depth based on a simple number, without checking the contents of
the scope chain.

(JSC::Interpreter::execute): Make sure to establish the full scope chain
before linking eval code. We now require the full scope chain at link
time, in order to link non-local variable resolution opcodes.

* jit/JIT.cpp:
(JSC::JIT::JIT):
(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):
* jit/JIT.h:
* jit/JITArithmetic.cpp:
(JSC::JIT::emit_op_add):
* jit/JITCode.cpp:
* jit/JITOpcodes.cpp:
(JSC::JIT::emitSlow_op_bitxor):
(JSC::JIT::emitSlow_op_bitor):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emitSlow_op_to_primitive):
(JSC::JIT::emit_op_strcat):
(JSC::JIT::emitSlow_op_create_this):
(JSC::JIT::emitSlow_op_to_this):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitVarInjectionCheck):
(JSC::JIT::emitResolveClosure):
(JSC::JIT::emit_op_resolve_scope):
(JSC::JIT::emitSlow_op_resolve_scope):
(JSC::JIT::emitLoadWithStructureCheck):
(JSC::JIT::emitGetGlobalProperty):
(JSC::JIT::emitGetGlobalVar):
(JSC::JIT::emitGetClosureVar):
(JSC::JIT::emit_op_get_from_scope):
(JSC::JIT::emitSlow_op_get_from_scope):
(JSC::JIT::emitPutGlobalProperty):
(JSC::JIT::emitPutGlobalVar):
(JSC::JIT::emitPutClosureVar):
(JSC::JIT::emit_op_put_to_scope):
(JSC::JIT::emitSlow_op_put_to_scope):
(JSC::JIT::emit_op_init_global_const):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emitVarInjectionCheck):
(JSC::JIT::emitResolveClosure):
(JSC::JIT::emit_op_resolve_scope):
(JSC::JIT::emitSlow_op_resolve_scope):
(JSC::JIT::emitLoadWithStructureCheck):
(JSC::JIT::emitGetGlobalProperty):
(JSC::JIT::emitGetGlobalVar):
(JSC::JIT::emitGetClosureVar):
(JSC::JIT::emit_op_get_from_scope):
(JSC::JIT::emitSlow_op_get_from_scope):
(JSC::JIT::emitPutGlobalProperty):
(JSC::JIT::emitPutGlobalVar):
(JSC::JIT::emitPutClosureVar):
(JSC::JIT::emit_op_put_to_scope):
(JSC::JIT::emitSlow_op_put_to_scope):
(JSC::JIT::emit_op_init_global_const):
* jit/JITStubs.cpp:
(JSC::DEFINE_STUB_FUNCTION):
* jit/JITStubs.h: Re-wrote baseline JIT codegen for our new variable
resolution model.

* llint/LLIntData.cpp:
(JSC::LLInt::Data::performAssertions):
* llint/LLIntSlowPaths.cpp:
* llint/LLIntSlowPaths.h:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter.cpp:
(JSC::CLoop::execute):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm: Ditto for LLInt.

* offlineasm/x86.rb: Fixed a pre-existing encoding bug for a syntactic
form that we never used before.

* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncToString):
(JSC::arrayProtoFuncToLocaleString):
(JSC::arrayProtoFuncJoin):
(JSC::arrayProtoFuncConcat):
(JSC::arrayProtoFuncPop):
(JSC::arrayProtoFuncPush):
(JSC::arrayProtoFuncReverse):
(JSC::arrayProtoFuncShift):
(JSC::arrayProtoFuncSlice):
(JSC::arrayProtoFuncSort):
(JSC::arrayProtoFuncSplice):
(JSC::arrayProtoFuncUnShift):
(JSC::arrayProtoFuncFilter):
(JSC::arrayProtoFuncMap):
(JSC::arrayProtoFuncEvery):
(JSC::arrayProtoFuncForEach):
(JSC::arrayProtoFuncSome):
(JSC::arrayProtoFuncReduce):
(JSC::arrayProtoFuncReduceRight):
(JSC::arrayProtoFuncIndexOf):
(JSC::arrayProtoFuncLastIndexOf): Fixed some pre-existing bugs in
'this' value conversion, which I made much more common by removing
special cases in bytecode generation.

These functions need to invoke toThis() because they observe the 'this'
value. Also, toLocaleString() is specified to accept non-array 'this'
values.

(Most other host functions don't need this fix because they perform
strict 'this' checking, which never coerces unexpected types.)

* runtime/CodeCache.cpp:
(JSC::CodeCache::getCodeBlock):
(JSC::CodeCache::getProgramCodeBlock):
(JSC::CodeCache::getEvalCodeBlock):
* runtime/CodeCache.h: Don't supply a scope to the unlinked code cache.
Unlinked code is supposed to be scope-free, so let's have the compiler
help verify that.

* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/CommonSlowPaths.h:
* runtime/Executable.cpp:
(JSC::EvalExecutable::create):
(JSC::EvalExecutable::compileInternal):
(JSC::ProgramExecutable::compileInternal):
(JSC::FunctionExecutable::produceCodeBlockFor):
(JSC::FunctionExecutable::compileForCallInternal):
(JSC::FunctionExecutable::compileForConstructInternal):
* runtime/Executable.h:
(JSC::EvalExecutable::numVariables):
(JSC::EvalExecutable::numberOfFunctionDecls):
* runtime/ExecutionHarness.h:
(JSC::prepareForExecutionImpl):
(JSC::prepareFunctionForExecutionImpl):
(JSC::installOptimizedCode): Fiddled with executable initialization so
that we can always generate a full scope chain before we go to link a
code block. We need this because code block linking now depends on the
scope chain to link non-local variable resolution opcodes.

* runtime/JSActivation.h:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::JSGlobalObject):
(JSC::JSGlobalObject::createEvalCodeBlock):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::varInjectionWatchpoint):
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::globalFuncEval):
* runtime/JSNameScope.h:
* runtime/JSScope.cpp:
(JSC::abstractAccess):
(JSC::JSScope::objectAtScope):
(JSC::JSScope::depth):
(JSC::JSScope::resolve):
(JSC::JSScope::abstractResolve): Updated to match changes explained above.

* runtime/JSScope.h:
(JSC::makeType):
(JSC::needsVarInjectionChecks):
(JSC::ResolveOp::ResolveOp):
(JSC::ResolveModeAndType::ResolveModeAndType):
(JSC::ResolveModeAndType::mode):
(JSC::ResolveModeAndType::type):
(JSC::ResolveModeAndType::operand): Removed the old variable resolution
state machine, since it's unused now. Added logic for performing abstract
variable resolution at link time. This is used by codeblock linking.

* runtime/ObjectPrototype.cpp:
(JSC::objectProtoFuncValueOf):
(JSC::objectProtoFuncHasOwnProperty):
(JSC::objectProtoFuncIsPrototypeOf):
(JSC::objectProtoFuncDefineGetter):
(JSC::objectProtoFuncDefineSetter):
(JSC::objectProtoFuncLookupGetter):
(JSC::objectProtoFuncLookupSetter):
(JSC::objectProtoFuncPropertyIsEnumerable):
(JSC::objectProtoFuncToLocaleString):
(JSC::objectProtoFuncToString): Fixed some pre-existing bugs in
'this' value conversion, which I made much more common by removing
special cases in bytecode generation.

These functions need to invoke toThis() because they observe the 'this'
value.

* runtime/StringPrototype.cpp:
(JSC::checkObjectCoercible):
(JSC::stringProtoFuncReplace):
(JSC::stringProtoFuncCharAt):
(JSC::stringProtoFuncCharCodeAt):
(JSC::stringProtoFuncConcat):
(JSC::stringProtoFuncIndexOf):
(JSC::stringProtoFuncLastIndexOf):
(JSC::stringProtoFuncMatch):
(JSC::stringProtoFuncSearch):
(JSC::stringProtoFuncSlice):
(JSC::stringProtoFuncSplit):
(JSC::stringProtoFuncSubstr):
(JSC::stringProtoFuncSubstring):
(JSC::stringProtoFuncToLowerCase):
(JSC::stringProtoFuncToUpperCase):
(JSC::stringProtoFuncLocaleCompare):
(JSC::stringProtoFuncBig):
(JSC::stringProtoFuncSmall):
(JSC::stringProtoFuncBlink):
(JSC::stringProtoFuncBold):
(JSC::stringProtoFuncFixed):
(JSC::stringProtoFuncItalics):
(JSC::stringProtoFuncStrike):
(JSC::stringProtoFuncSub):
(JSC::stringProtoFuncSup):
(JSC::stringProtoFuncFontcolor):
(JSC::stringProtoFuncFontsize):
(JSC::stringProtoFuncAnchor):
(JSC::stringProtoFuncLink):
(JSC::trimString): Fixed some pre-existing bugs in
'this' value conversion, which I made much more common by removing
special cases in bytecode generation.

These functions need to invoke toThis() because they observe the 'this'
value.

* runtime/StructureRareData.cpp:
* runtime/VM.cpp:
(JSC::VM::~VM):

* runtime/WriteBarrier.h:
(JSC::WriteBarrierBase::slot): Modified to reduce casting in client code.

LayoutTests:

This patch removed special-case 'this' resolution from bytecode, making
some pre-existing edge cases in 'this' value treatment much more common.

I updated the test results below, and added some tests, to match bug
fixes for these cases.

* fast/js/script-tests/array-functions-non-arrays.js:
* fast/js/array-functions-non-arrays-expected.txt: As specified, it's
not an error to pass a non-array to toLocaleString. Our new result
matches Firefox and Chrome.

* fast/js/array-prototype-properties-expected.txt: Updated for slightly
clearer error message.

* fast/js/basic-strict-mode-expected.txt: Updated for slightly more
standard error message.

* fast/js/object-prototype-toString-expected.txt: Added.
* fast/js/object-prototype-toString.html: Added. This test demonstrates
why we now fail a Sputnik test below, while Firefox and Chrome pass it.
(The test doesn't test what it thinks it tests, and this test verifies
that we get right what it does think it tests.)

* fast/js/string-prototype-function-this-expected.txt: Added.
* fast/js/string-prototype-function-this.html: Added. This test shows
that we CheckObjectCoercible in string prototype functions. (We used
to get this wrong, but Sputnik tests made it seem like we got it right
because they didn't test the dynamic scope case.)

* sputnik/Conformance/11_Expressions/11.1_Primary_Expressions/11.1.1_The_this_Keyword/S11.1.1_A2-expected.txt:
* sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.3_Array_prototype_toLocaleString/S15.4.4.3_A2_T1-expected.txt:
* sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.10_String.prototype.match/S15.5.4.10_A1_T3-expected.txt:
* sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.11_String.prototype.replace/S15.5.4.11_A1_T3-expected.txt:
* sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.12_String.prototype.search/S15.5.4.12_A1_T3-expected.txt:
* sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.13_String.prototype.slice/S15.5.4.13_A1_T3-expected.txt:
* sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.14_String.prototype.split/S15.5.4.14_A1_T3-expected.txt:
* sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.15_String.prototype.substring/S15.5.4.15_A1_T3-expected.txt:
* sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.6_String.prototype.concat/S15.5.4.6_A1_T3-expected.txt:
* sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.7_String.prototype.indexOf/S15.5.4.7_A1_T3-expected.txt:
* sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.8_String.prototype.lastIndexOf/S15.5.4.8_A1_T3-expected.txt:

Updated to show failing results. Firefox and Chrome also fail these
tests, and the ES5 spec seems to mandate failure. Because these tests
resolve a String.prototype function at global scope, the 'this' value
for the call is an environment record. Logically, an environment record
converts to 'undefined' at the call site, and should then fail the
CheckObjectCoercible test.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153221 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=119065

Reviewed by Mark Hahnenberg.
        
Made the body of IndexingHeader be a union.
        
Modified the offlineasm so that you can say IndexingHeader::u.lengths.publicLength.
Previously those dots would cause parse errors. Now an identifier in offlineasm can
have a dot anywhere except the first character.

* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* offlineasm/parser.rb:
* runtime/IndexingHeader.h:
(JSC::IndexingHeader::offsetOfPublicLength):
(JSC::IndexingHeader::offsetOfVectorLength):
(JSC::IndexingHeader::IndexingHeader):
(JSC::IndexingHeader::vectorLength):
(JSC::IndexingHeader::setVectorLength):
(JSC::IndexingHeader::publicLength):
(JSC::IndexingHeader::setPublicLength):



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153104 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=117049

Patch by Julien Brianceau <jbrianceau@nds.com> on 2013-05-30
Reviewed by Oliver Hunt.

Use the fcmp/eq opcode in sh4 LLINT to test if a double is NaN.
This is more efficient, doesn't require two tmp registers and requires
less code than current implementation (which converts double to float,
then checks 'E = Emax + 1' and 'f != 0').

* offlineasm/sh4.rb:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@150992 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=116716

Patch by Julien Brianceau <jbrianceau@nds.com> on 2013-05-24
Reviewed by Geoffrey Garen.

* assembler/MacroAssemblerSH4.h:
(JSC::MacroAssemblerSH4::mul32): Cosmetic changes.
(JSC::MacroAssemblerSH4::convertInt32ToDouble): Absolute address was not dereferenced.
(JSC::MacroAssemblerSH4::branch32): Absolute address was not dereferenced.
(JSC::MacroAssemblerSH4::revertJumpReplacementToBranchPtrWithPatch): Use all 32 bits of pointer for revertJump call.
* assembler/SH4Assembler.h:
(JSC::SH4Assembler::revertJump): Use changePCrelativeAddress to patch the whole pointer.
(JSC::SH4Assembler::linkJump): Cosmetic change.
* offlineasm/sh4.rb: Optimize LLINT generated code.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@150644 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=116019

Patch by Peter Wang <peter.wang@torchmobile.com.cn> on 2013-05-23
Reviewed by Csaba Osztrogonác.

* offlineasm/cloop.rb:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@150630 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=115420

Patch by Julien Brianceau <jbrianceau@nds.com> on 2013-04-30
Reviewed by Oliver Hunt.

* assembler/MacroAssemblerSH4.h:
(JSC::MacroAssemblerSH4::lshift32):
(JSC::MacroAssemblerSH4::rshift32):
(JSC::MacroAssemblerSH4::branchMul32):
(JSC::MacroAssemblerSH4::urshift32):
(JSC::MacroAssemblerSH4::replaceWithJump):
(JSC::MacroAssemblerSH4::maxJumpReplacementSize):
* assembler/SH4Assembler.h:
(JSC::SH4Assembler::shldRegReg):
(JSC::SH4Assembler::shadRegReg):
(JSC::SH4Assembler::shalImm8r):
(SH4Assembler):
(JSC::SH4Assembler::sharImm8r):
(JSC::SH4Assembler::maxJumpReplacementSize):
(JSC::SH4Assembler::replaceWithJump):
* offlineasm/sh4.rb:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@149403 268f45cc-cd09-0410-ab3c-d52691b4dbfc