From a7f2e6bf8c1bc569c56d713894f442c7fed63264 Mon Sep 17 00:00:00 2001
From: Oliver Hunt <oliver@apple.com>
Date: Wed, 11 Mar 2015 14:07:35 +0100
Subject: Incorrect type speculation reported by ToPrimitive
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

https://bugs.webkit.org/show_bug.cgi?id=119458

Reviewed by Mark Hahnenberg.

Make sure that we report the correct type possibilities for the output
from ToPrimitive

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::::executeEffects):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153674 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Change-Id: I85d91598088ead350c89c4a9cc28a2bd866a2d22
Task-number: QTBUG-44912
Reviewed-by: Julien Brianceau <jbriance@cisco.com>
Reviewed-by: Michael Brüning <michael.bruning@theqtcompany.com>
---
 Source/JavaScriptCore/dfg/DFGAbstractState.cpp | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

(limited to 'Source/JavaScriptCore')

diff --git a/Source/JavaScriptCore/dfg/DFGAbstractState.cpp b/Source/JavaScriptCore/dfg/DFGAbstractState.cpp
index eff653636..594097d1b 100644
--- a/Source/JavaScriptCore/dfg/DFGAbstractState.cpp
+++ b/Source/JavaScriptCore/dfg/DFGAbstractState.cpp
@@ -1079,10 +1079,8 @@ bool AbstractState::executeEffects(unsigned indexInBlock, Node* node)
         clobberWorld(node->codeOrigin, indexInBlock);
         
         SpeculatedType type = source.m_type;
-        if (type & ~(SpecNumber | SpecString | SpecBoolean)) {
-            type &= (SpecNumber | SpecString | SpecBoolean);
-            type |= SpecString;
-        }
+        if (type & ~(SpecNumber | SpecString | SpecBoolean))
+            type = (SpecTop & ~SpecCell) | SpecString;
         destination.set(type);
         break;
     }
-- 
cgit v1.2.1


From 80471d52c85ab8edd1332e084b8bf46f44571c3b Mon Sep 17 00:00:00 2001
From: Julien Brianceau <jbriance@cisco.com>
Date: Wed, 1 Apr 2015 11:36:02 +0200
Subject: Fix crash in JIT::DFG::prepareOSREntry

While verifying predictions in prepareOSREntry, locals could lay
outside the stack in some cases. So we shouldn't retrieve jsValue
from locals when we don't have to.

Task-number: QTBUG-45299
Change-Id: I70003170348887128e11360fb501b69647194172
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@theqtcompany.com>
---
 Source/JavaScriptCore/dfg/DFGOSREntry.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'Source/JavaScriptCore')

diff --git a/Source/JavaScriptCore/dfg/DFGOSREntry.cpp b/Source/JavaScriptCore/dfg/DFGOSREntry.cpp
index 5739593ee..9b75e70ab 100644
--- a/Source/JavaScriptCore/dfg/DFGOSREntry.cpp
+++ b/Source/JavaScriptCore/dfg/DFGOSREntry.cpp
@@ -118,7 +118,7 @@ void* prepareOSREntry(ExecState* exec, CodeBlock* codeBlock, unsigned bytecodeIn
             }
             continue;
         }
-        if (!entry->m_expectedValues.local(local).validate(exec->registers()[local].jsValue())) {
+        if (!entry->m_expectedValues.local(local).isTop() && !entry->m_expectedValues.local(local).validate(exec->registers()[local].jsValue())) {
 #if ENABLE(JIT_VERBOSE_OSR)
             dataLog("    OSR failed because variable ", local, " is ", exec->registers()[local].jsValue(), ", expected ", entry->m_expectedValues.local(local), ".\n");
 #endif
-- 
cgit v1.2.1


From b653da9a88901fbc44114cac9232a6a332d2d0a7 Mon Sep 17 00:00:00 2001
From: Filip Pizlo <fpizlo@apple.com>
Date: Tue, 7 Apr 2015 13:20:07 +0200
Subject: DFG optimizes out strict mode arguments tear off
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

https://bugs.webkit.org/show_bug.cgi?id=119504

Source/JavaScriptCore:

Reviewed by Mark Hahnenberg and Oliver Hunt.

Don't do the optimization for strict mode.

* dfg/DFGArgumentsSimplificationPhase.cpp:
(JSC::DFG::ArgumentsSimplificationPhase::run):
(JSC::DFG::ArgumentsSimplificationPhase::pruneObviousArgumentCreations):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154217 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Change-Id: I68037df21deaa964ff18c4f168f465c2600627f7
Reviewed-by: Julien Brianceau <jbriance@cisco.com>
Reviewed-by: Michael Brüning <michael.bruning@theqtcompany.com>
---
 .../dfg/DFGArgumentsSimplificationPhase.cpp             | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

(limited to 'Source/JavaScriptCore')

diff --git a/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp b/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp
index cbab4e8c8..ec7515eec 100644
--- a/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp
+++ b/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp
@@ -123,12 +123,9 @@ public:
         bool changed = false;
         
         // Record which arguments are known to escape no matter what.
-        for (unsigned i = codeBlock()->inlineCallFrames().size(); i--;) {
-            InlineCallFrame* inlineCallFrame = &codeBlock()->inlineCallFrames()[i];
-            if (m_graph.m_executablesWhoseArgumentsEscaped.contains(
-                    m_graph.executableFor(inlineCallFrame)))
-                m_createsArguments.add(inlineCallFrame);
-        }
+        for (unsigned i = codeBlock()->inlineCallFrames().size(); i--;)
+            pruneObviousArgumentCreations(&codeBlock()->inlineCallFrames()[i]);
+        pruneObviousArgumentCreations(0); // the machine call frame.
         
         // Create data for variable access datas that we will want to analyze.
         for (unsigned i = m_graph.m_variableAccessData.size(); i--;) {
@@ -700,6 +697,14 @@ private:
             NullableHashTraits<VariableAccessData*> > m_argumentsAliasing;
     HashSet<VariableAccessData*> m_isLive;
 
+    void pruneObviousArgumentCreations(InlineCallFrame* inlineCallFrame)
+    {
+        ScriptExecutable* executable = jsCast<ScriptExecutable*>(m_graph.executableFor(inlineCallFrame));
+        if (m_graph.m_executablesWhoseArgumentsEscaped.contains(executable)
+            || executable->isStrictMode())
+            m_createsArguments.add(inlineCallFrame);
+    }
+
     void observeBadArgumentsUse(Node* node)
     {
         if (!node)
-- 
cgit v1.2.1


From 540119ba890eb25836980c433d041b687428fdb2 Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen <allan.jensen@theqtcompany.com>
Date: Fri, 29 May 2015 11:03:26 +0200
Subject: Support MSVC 2015

Fixes building qtwebkit with MSVC 2015

Change-Id: I94b085ab822b3cdfa911814467e051c11c93d79e
Task-number: QTBUG-46344
Reviewed-by: Friedemann Kleint <Friedemann.Kleint@theqtcompany.com>
Reviewed-by: Simon Hausmann <simon.hausmann@theqtcompany.com>
---
 Source/JavaScriptCore/jsc.pro | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'Source/JavaScriptCore')

diff --git a/Source/JavaScriptCore/jsc.pro b/Source/JavaScriptCore/jsc.pro
index dfd73e825..91ebcc2a0 100644
--- a/Source/JavaScriptCore/jsc.pro
+++ b/Source/JavaScriptCore/jsc.pro
@@ -13,7 +13,7 @@ QT -= gui
 
 win32-*: CONFIG += console
 win32-msvc*: CONFIG += exceptions_off stl_off
-win32-msvc*|win32-icc: INCLUDEPATH += $$ROOT_WEBKIT_DIR/Source/JavaScriptCore/os-win32
+win32-msvc2005|win32-msvc2008|win32-msvc2010|win32-msvc2012|win32-msvc2013|win32-icc: INCLUDEPATH += $$ROOT_WEBKIT_DIR/Source/JavaScriptCore/os-win32
 
 WEBKIT += javascriptcore wtf
 
-- 
cgit v1.2.1