[WebKit-https.git] / Source / JavaScriptCore / ChangeLog-2014-10-07
2014-10-07  Oliver Hunt  <oliver@apple.com>

        Remove op_new_captured_func
        https://bugs.webkit.org/show_bug.cgi?id=137491

        Reviewed by Mark Lam.

        Removes the op_new_captured_func opcode as part of the work
        towards having any magical opcodes that write directly to
        named "registers" and then have a follow on op to ensure that
        the environment record correctly represents the stack state.

        For this we add a non-captured scratch register so we don't
        have to have any kind of magic opcode, and instead simply
        have sensible creation and move semantics for capturing new
        functions.

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitNewFunction):
        (JSC::BytecodeGenerator::emitLazyNewFunction):
        (JSC::BytecodeGenerator::emitNewFunctionInternal):
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_captured_func): Deleted.
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL): Deleted.
        * runtime/CommonSlowPaths.h:

2014-10-06  Andy Estes  <aestes@apple.com>

        Objective-C objects must be fully defined when used in a WTF::Vector
        https://bugs.webkit.org/show_bug.cgi?id=137479

        Reviewed by Mark Rowe.

        When compiling an Objective-C++ file under ARC, @class types are considered non-trivially destructible, so
        Vector needs to see their definition in order to call their destructor.

        See <http://clang.llvm.org/docs/AutomaticReferenceCounting.html#ownership-qualified-fields-of-structs-and-unions> for details.

        * API/ObjcRuntimeExtras.h: Imported <objc/Protocol.h>.

2014-10-06  Brent Fulgham  <bfulgham@apple.com>

        [Win] Use of 1-bit Enum type behaves improperly
        https://bugs.webkit.org/show_bug.cgi?id=137471
        <rdar://problem/18559172>

        Reviewed by Mark Lam.

        Represent 1-bit enum element as 'unsigned', as we have done elsewhere
        in WebKit to avoid problems when building with MSVC.

        * debugger/Debugger.h:

2014-10-06  Mark Lam  <mark.lam@apple.com>

        Fixed compiler warnings on Windows build.
        <https://webkit.org/b/135205>

        Reviewed by Geoffrey Garen.

        Benchmarking with jsc shows that perf is neutral with this change.

        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::call):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * dfg/DFGArgumentPosition.h:
        (JSC::DFG::ArgumentPosition::mergeShouldNeverUnbox):
        (JSC::DFG::ArgumentPosition::mergeArgumentUnboxingAwareness):
        * dfg/DFGEdge.h:
        (JSC::DFG::Edge::makeWord):
        * dfg/DFGNodeFlags.h:
        (JSC::DFG::nodeMayOverflow):
        (JSC::DFG::nodeMayNegZero):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * dfg/DFGVariableAccessData.cpp:
        (JSC::DFG::VariableAccessData::mergeIsCaptured):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::mergeIsProfitableToUnbox):
        (JSC::DFG::VariableAccessData::mergeStructureCheckHoistingFailed):
        (JSC::DFG::VariableAccessData::mergeCheckArrayHoistingFailed):
        (JSC::DFG::VariableAccessData::mergeIsArgumentsAlias):
        (JSC::DFG::VariableAccessData::mergeIsLoadedFrom):
        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):

2014-10-06  Oliver Hunt  <oliver@apple.com>

        Remove incorrect assertion.

        * runtime/Arguments.cpp:
        (JSC::Arguments::tearOff):

2014-10-06  Oliver Hunt  <oliver@apple.com>

        Fix cloop build

        * interpreter/Interpreter.cpp:
        (JSC::unwindCallFrame):

2014-10-06  Mark Lam  <mark.lam@apple.com>

        Unreviewed build fix.
        <https://webkit.org/b/137279>

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):

2014-10-06  Oliver Hunt  <oliver@apple.com>

        REGRESSION(r174226): [JSC] Crash when running the perf test Speedometer/Full.html
        https://bugs.webkit.org/show_bug.cgi?id=137404

        Reviewed by Michael Saboff.

        Update the Arguments object to recognise that it must always have an
        environment record if the referenced callee has one, and if such is not
        present it should not try to extract one from the callframe, as that
        path leads to madness.

        Happily this makes some of the other code more sensible, and removes a
        bunch of unnecessary and icky logic.

        * interpreter/Interpreter.cpp:
        (JSC::unwindCallFrame):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Arguments.cpp:
        (JSC::Arguments::tearOff):
        (JSC::Arguments::didTearOffActivation): Deleted.
        * runtime/Arguments.h:
        (JSC::Arguments::argument):
        (JSC::Arguments::finishCreation):

2014-10-04  Brian J. Burg  <burg@cs.washington.edu>

        Unreviewed, rolling out r174319.

        Causes assertions in fast/profiler tests. Needs nontrivial
        investigation, will take offline.

        Reverted changeset:

        "Web Inspector: timelines should not count time elapsed while
        paused in the debugger"
        https://bugs.webkit.org/show_bug.cgi?id=136351
        http://trac.webkit.org/changeset/174319

2014-10-04  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: timelines should not count time elapsed while paused in the debugger
        https://bugs.webkit.org/show_bug.cgi?id=136351

        Reviewed by Timothy Hatcher.

        Now that we have a stopwatch to provide pause-aware timing data, we can remove the
        profiler's handling of debugger pause/continue callbacks. The timeline agent accounts
        for debugger pauses by pausing and resuming the stopwatch.

        * API/JSProfilerPrivate.cpp:
        (JSStartProfiling): Use a fresh stopwatch when profiling from the JSC API.
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::handlePause):
        * profiler/LegacyProfiler.cpp:
        (JSC::LegacyProfiler::profiler): Use nullptr.
        (JSC::LegacyProfiler::startProfiling): Hand off a stopwatch to the profile generator.
        (JSC::LegacyProfiler::stopProfiling): Use nullptr.
        (JSC::LegacyProfiler::didPause): Deleted.
        (JSC::LegacyProfiler::didContinue): Deleted.
        * profiler/LegacyProfiler.h:
        * profiler/ProfileGenerator.cpp: Remove debugger pause/continue callbacks and the
        timestamp member that was used to track time elapsed by the debugger. Just use the
        stopwatch's elapsed times to generate start/elapsed times for function calls.
        (JSC::ProfileGenerator::create):
        (JSC::ProfileGenerator::ProfileGenerator):
        (JSC::ProfileGenerator::beginCallEntry):
        (JSC::ProfileGenerator::endCallEntry):
        (JSC::ProfileGenerator::didPause): Deleted.
        (JSC::ProfileGenerator::didContinue): Deleted.
        * profiler/ProfileGenerator.h:

2014-10-04  Filip Pizlo  <fpizlo@apple.com>

        FTL should sink PutLocals
        https://bugs.webkit.org/show_bug.cgi?id=137168

        Reviewed by Oliver Hunt.

        We've known for a while that our PutLocal situation was sub-optimal. We emit them anytime we
        "pass" arguments to an inlined function call, because we need to enable the runtime to grab
        those arguments when doing foo.arguments where foo is inlined: our engine doesn't deoptimize
        in that case but rather just relies on the arguments being flushed (i.e. a copy of their
        values is spilled) at a well-known place in a well-known format.

        The PutLocals incur two costs: (1) they are store instructions and stores ain't free, and (2)
        they look like escaping sites and so they inhibit object allocation sinking.

        But in most cases, the PutLocals are unnecessary because the inlined code never performs any
        side effect that could transitively lead to function.arguments. Even if the inlined code
        could do such a side effect, it may be on a rare path so there is no need to penalize the
        entire function.

        This patch implements one solution to the PutLocal problem: it aggressively sinks PutLocals
        to the latest possible point. This is even more aggressive than the object allocation
        sinking. That sinking algorithm avoids creating situations where an object could be
        materialized more than once along any path. PutLocal sinking, on the other hand, doesn't avoid
        this at all - both to make the phase cheaper and simpler and to make it more aggressive.
        Every PutLocal is sunk no matter what.

        The upside of this patch is that it eliminates many PutLocals: many of them are sunk "past
        their death", thus eliminating them completely. Others are sunk to rare paths. This enables a
        lot of object allocation sinking and it removes a lot of pointless store instructions.

        It also has downsides. Sinking PutLocals increases register pressure because it increases the
        live ranges of things like inlined arguments.

        This patch is a net performance win in its current form: 1% SunSpider regression, 2% OctaneV2
        progression, 0.6% Kraken regression, 1% AsmBench progression, and 0.5% CompressionBench
        regression. The biggest win is on Octane/raytrace, which improves by 27%.

        Relanding after fixing internal builds. We have to be careful about implicit casts from int64
        to int32.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.h:
        * bytecode/Operands.h:
        (JSC::Operands::dump): Deleted.
        * bytecode/OperandsInlines.h:
        (JSC::Traits>::dump):
        * bytecode/VirtualRegister.h:
        (JSC::VirtualRegister::isHeader):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGClobberSet.h:
        (JSC::DFG::ClobberSetAdd::operator()):
        (JSC::DFG::ClobberSetOverlaps::operator()):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        (JSC::DFG::NoOpClobberize::operator()):
        (JSC::DFG::CheckClobberize::operator()):
        (JSC::DFG::AbstractHeapOverlaps::operator()):
        (JSC::DFG::ReadMethodClobberize::operator()):
        (JSC::DFG::WriteMethodClobberize::operator()):
        (JSC::DFG::DefMethodClobberize::operator()):
        * dfg/DFGFlushFormat.h:
        (JSC::DFG::merge):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::capturedVarsFor):
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints):
        (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPreciseLocalClobberize.h: Added.
        (JSC::DFG::PreciseLocalClobberizeAdaptor::PreciseLocalClobberizeAdaptor):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::read):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::write):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::def):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::callIfAppropriate):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop):
        (JSC::DFG::forEachLocalReadByUnwind):
        (JSC::DFG::preciseLocalClobberize):
        * dfg/DFGPutLocalSinkingPhase.cpp: Added.
        (JSC::DFG::performPutLocalSinking):
        * dfg/DFGPutLocalSinkingPhase.h: Added.
        * dfg/DFGSSACalculator.h:
        (JSC::DFG::SSACalculator::computePhis):
        * dfg/DFGValidate.cpp:

2014-10-03  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r174216): CodeBlock::dumpByteCodes crashes on op_push_name_scope
        https://bugs.webkit.org/show_bug.cgi?id=137412

        Reviewed by Mark Lam.

        Added support for the JSNameScope::type opcode parameter in dumpBytecode().

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):

2014-10-03  Saam Barati  <saambarati1@gmail.com>

        Implement op_profile_type in the 32-bit baseline JIT
        https://bugs.webkit.org/show_bug.cgi?id=137181

        Reviewed by Michael Saboff.

        Generate inline code to write to the TypeProfilerLog inside the 32-bit
        baseline JIT instead of unconditionally bailing out to the slow path
        for op_profile_type.

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_profile_type):

2014-10-03  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r174275.
        https://bugs.webkit.org/show_bug.cgi?id=137408

        Build failures on the internal bots. (Requested by dethbakin
        on #webkit).

        Reverted changeset:

        "FTL should sink PutLocals"
        https://bugs.webkit.org/show_bug.cgi?id=137168
        http://trac.webkit.org/changeset/174275

2014-10-03  Oliver Hunt  <oliver@apple.com>

        tearoff_arguments should always refer to the unmodified arguments register
        https://bugs.webkit.org/show_bug.cgi?id=137406

        Reviewed by Michael Saboff.

        To simplify subsequent work, and remove unnecessary work from
        actual execution this patch simply ensures that tear_off_arguments
        refers to the actual unmodified arguments register.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitReturn):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_tear_off_arguments):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_tear_off_arguments):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2014-10-03  Saam Barati  <saambarati1@gmail.com>

        Web Inspector: Move the computation that results in UI strings from JSC to the Web Inspector
        https://bugs.webkit.org/show_bug.cgi?id=137295

        Reviewed by Timothy Hatcher.

        Remove unnecessary functions and properties from JSC that are
        now being computed inside the Web Inspector.

        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        * inspector/protocol/Runtime.json:
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::allPrimitiveTypeNames): Deleted.
        * runtime/TypeSet.h:

2014-10-02  Filip Pizlo  <fpizlo@apple.com>

        FTL should sink PutLocals
        https://bugs.webkit.org/show_bug.cgi?id=137168

        Reviewed by Oliver Hunt.

        We've known for a while that our PutLocal situation was sub-optimal. We emit them anytime we
        "pass" arguments to an inlined function call, because we need to enable the runtime to grab
        those arguments when doing foo.arguments where foo is inlined: our engine doesn't deoptimize
        in that case but rather just relies on the arguments being flushed (i.e. a copy of their
        values is spilled) at a well-known place in a well-known format.

        The PutLocals incur two costs: (1) they are store instructions and stores ain't free, and (2)
        they look like escaping sites and so they inhibit object allocation sinking.

        But in most cases, the PutLocals are unnecessary because the inlined code never performs any
        side effect that could transitively lead to function.arguments. Even if the inlined code
        could do such a side effect, it may be on a rare path so there is no need to penalize the
        entire function.

        This patch implements one solution to the PutLocal problem: it aggressively sinks PutLocals
        to the latest possible point. This is even more aggressive than the object allocation
        sinking. That sinking algorithm avoids creating situations where an object could be
        materialized more than once along any path. PutLocal sinking, on the other hand, doesn't avoid
        this at all - both to make the phase cheaper and simpler and to make it more aggressive.
        Every PutLocal is sunk no matter what.

        The upside of this patch is that it eliminates many PutLocals: many of them are sunk "past
        their death", thus eliminating them completely. Others are sunk to rare paths. This enables a
        lot of object allocation sinking and it removes a lot of pointless store instructions.

        It also has downsides. Sinking PutLocals increases register pressure because it increases the
        live ranges of things like inlined arguments.

        This patch is a net performance win in its current form: 1% SunSpider regression, 2% OctaneV2
        progression, 0.6% Kraken regression, 1% AsmBench progression, and 0.5% CompressionBench
        regression. The biggest win is on Octane/raytrace, which improves by 27%.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.h:
        * bytecode/Operands.h:
        (JSC::Operands::dump): Deleted.
        * bytecode/OperandsInlines.h:
        (JSC::Traits>::dump):
        * bytecode/VirtualRegister.h:
        (JSC::VirtualRegister::isHeader):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGClobberSet.h:
        (JSC::DFG::ClobberSetAdd::operator()):
        (JSC::DFG::ClobberSetOverlaps::operator()):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        (JSC::DFG::NoOpClobberize::operator()):
        (JSC::DFG::CheckClobberize::operator()):
        (JSC::DFG::AbstractHeapOverlaps::operator()):
        (JSC::DFG::ReadMethodClobberize::operator()):
        (JSC::DFG::WriteMethodClobberize::operator()):
        (JSC::DFG::DefMethodClobberize::operator()):
        * dfg/DFGFlushFormat.h:
        (JSC::DFG::merge):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::capturedVarsFor):
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints):
        (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPreciseLocalClobberize.h: Added.
        (JSC::DFG::PreciseLocalClobberizeAdaptor::PreciseLocalClobberizeAdaptor):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::read):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::write):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::def):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::callIfAppropriate):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop):
        (JSC::DFG::forEachLocalReadByUnwind):
        (JSC::DFG::preciseLocalClobberize):
        * dfg/DFGPutLocalSinkingPhase.cpp: Added.
        (JSC::DFG::performPutLocalSinking):
        * dfg/DFGPutLocalSinkingPhase.h: Added.
        * dfg/DFGSSACalculator.h:
        (JSC::DFG::SSACalculator::computePhis):
        * dfg/DFGValidate.cpp:

2014-10-03  Saam Barati  <saambarati1@gmail.com>

        Change how 32-bit JSValues check if they are a Boolean

        Rubber stamped by Filip Pizlo.

        32-bit JSValue::isBoolean can simply check if its tag corresponds
        to the boolean tag instead of checking if it's either true or false.

        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isBoolean):

2014-10-01  Oliver Hunt  <oliver@apple.com>

        Do all closed variable access through the local lexical object
        https://bugs.webkit.org/show_bug.cgi?id=136869

        Reviewed by Filip Pizlo.

        This patch makes all reads and writes from captured registers
        go through the lexical record, and by doing so removes the
        need for record tearoff.

        To keep the patch simple we still number variables as though
        they are local stack allocated registers, but ::local() will
        fail. When local fails we perform a generic resolve, and in
        that resolve we now use a ResolveScopeInfo struct to pass
        around information about whether a lookup is a statically
        known captured variable, and its location in the activation.
        To ensure correct behaviour during codeblock linking we also
        add a LocalClosureVariable resolution type.

        To ensure correct semantics for the Arguments object, we now
        have to eagerly create the Arguments object for any function
        that uses both the Arguments object and requires a lexical
        record.

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::finalizeUnconditionally):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::initializeCapturedVariable):
          During the entry to a function we are not yet in a position
          to allocate temporaries so we directly use the lexical
          environment register.
        (JSC::BytecodeGenerator::resolveCallee):
        (JSC::BytecodeGenerator::emitMove):
        (JSC::BytecodeGenerator::local):
        (JSC::BytecodeGenerator::constLocal):
        (JSC::BytecodeGenerator::emitResolveScope):
        (JSC::BytecodeGenerator::emitResolveConstantLocal):
          The two resolve scope operations could technically skip
          the op_resolve_scope, and simply perform
              op_mov dst, recordRegister
          but for now it seemed best to maintain the same basic
          behaviour.
        (JSC::BytecodeGenerator::emitGetFromScope):
        (JSC::BytecodeGenerator::emitPutToScope):
        (JSC::BytecodeGenerator::createArgumentsIfNecessary):
          If we have an environment we've already created Arguments
          so no need to check again.
        (JSC::BytecodeGenerator::emitReturn):
          Don't need to emit tearoff_environment
        * bytecompiler/BytecodeGenerator.h:
        (JSC::Local::Local):
        (JSC::Local::operator bool):
        (JSC::Local::get):
        (JSC::Local::isReadOnly):
        (JSC::Local::isSpecial):
        (JSC::ResolveScopeInfo::ResolveScopeInfo):
        (JSC::ResolveScopeInfo::isLocal):
        (JSC::ResolveScopeInfo::localIndex):
        (JSC::BytecodeGenerator::shouldCreateArgumentsEagerly):
        (JSC::Local::isCaptured): Deleted.
        (JSC::Local::captureMode): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ResolveNode::emitBytecode):
        (JSC::EvalFunctionCallNode::emitBytecode):
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::PostfixNode::emitResolve):
        (JSC::DeleteResolveNode::emitBytecode):
        (JSC::TypeOfResolveNode::emitBytecode):
        (JSC::PrefixNode::emitResolve):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::ConstDeclNode::emitCodeSingle):
        (JSC::EmptyVarExpression::emitBytecode):
        (JSC::ForInNode::tryGetBoundLocal):
        (JSC::ForInNode::emitLoopHeader):
        (JSC::ForOfNode::emitBytecode):
        (JSC::BindingNode::bindValue):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::tryGetRegisters):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * interpreter/Interpreter.cpp:
        (JSC::unwindCallFrame):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_captured_mov): Deleted.
        (JSC::JIT::emit_op_tear_off_lexical_environment): Deleted.
        (JSC::JIT::emitSlow_op_captured_mov): Deleted.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_captured_mov): Deleted.
        (JSC::JIT::emit_op_tear_off_lexical_environment): Deleted.
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_resolve_scope):
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emitPutClosureVar):
        (JSC::JIT::emit_op_put_to_scope):
        (JSC::JIT::emitSlow_op_put_to_scope):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_resolve_scope):
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emitPutClosureVar):
        (JSC::JIT::emit_op_put_to_scope):
        (JSC::JIT::emitSlow_op_put_to_scope):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/Arguments.cpp:
        (JSC::Arguments::tearOff):
        * runtime/Arguments.h:
        (JSC::Arguments::argument):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL): Deleted.
        * runtime/CommonSlowPaths.h:
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::visitChildren):
        (JSC::JSLexicalEnvironment::symbolTableGet):
        (JSC::JSLexicalEnvironment::symbolTablePut):
        (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
        (JSC::JSLexicalEnvironment::getOwnPropertySlot):
        (JSC::JSLexicalEnvironment::argumentsGetter):
        * runtime/JSLexicalEnvironment.h:
        (JSC::JSLexicalEnvironment::create):
        (JSC::JSLexicalEnvironment::JSLexicalEnvironment):
        (JSC::JSLexicalEnvironment::tearOff): Deleted.
        (JSC::JSLexicalEnvironment::isTornOff): Deleted.
        * runtime/JSScope.cpp:
        (JSC::resolveTypeName):
        * runtime/JSScope.h:
        (JSC::makeType):
        (JSC::needsVarInjectionChecks):
        * runtime/WriteBarrier.h:
        (JSC::WriteBarrier<Unknown>::WriteBarrier):

2014-10-02  Filip Pizlo  <fpizlo@apple.com>

        Object allocation sinking should have a sound story for picking materialization points
        https://bugs.webkit.org/show_bug.cgi?id=137315

        Reviewed by Oliver Hunt.

        The only missing piece was having the object allocation sinking phase locate materialization
        points that were at CFG edges.

        The logic for how and why this "just works" relies on some properties of critical edge
        breaking, so I was fairly careful in how I did this. Also, this requires inserting things at
        the "first origin node" of a block - that is the first node in a block that has a NodeOrigin
        and therefore is allowed to exit. We basically had support for such a notion before, but
        didn't close the loop on it; this patch does that.

        Also I added the ability to provide a BasicBlock* as context for a DFG_ASSERT().

        * dfg/DFGBasicBlock.cpp:
        (JSC::DFG::BasicBlock::firstOriginNode):
        (JSC::DFG::BasicBlock::firstOrigin):
        * dfg/DFGBasicBlock.h:
        * dfg/DFGCriticalEdgeBreakingPhase.cpp:
        (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::crash):
        (JSC::DFG::Graph::handleAssertionFailure):
        * dfg/DFGGraph.h:
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        (JSC::DFG::createPreHeader):
        * dfg/DFGNodeOrigin.h:
        (JSC::DFG::NodeOrigin::isSet):
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints):
        (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints):
        (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields):
        (JSC::DFG::ObjectAllocationSinkingPhase::createMaterialize):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        * runtime/Options.h:

2014-10-02  Daniel Bates  <dabates@apple.com>

        Clean up: Move XPC forward declarations in JavaScriptCore to WTF SPI wrapper header
        https://bugs.webkit.org/show_bug.cgi?id=137277

        Reviewed by Alexey Proskuryakov.

        Use wtf/spi/darwin/XPCSPI.h instead of including the corresponding XPC headers/
        forward declaring XPC functions.

        * inspector/remote/RemoteInspector.mm:
        * inspector/remote/RemoteInspectorXPCConnection.h:
        * inspector/remote/RemoteInspectorXPCConnection.mm:

2014-10-01  Anders Carlsson  <andersca@apple.com>

        Use variadic templates for jsMakeNontrivialString
        https://bugs.webkit.org/show_bug.cgi?id=137325

        Reviewed by Sam Weinig.

        * runtime/JSString.h:
        (JSC::jsNontrivialString):
        Add an overload that takes an rvalue reference to a String so we can transfer ownership easily.

        * runtime/JSStringBuilder.h:
        (JSC::jsMakeNontrivialString):
        Make this a variadic function template, with a single-parameter version that can steal the string if it's OK to do so.
720
721 2014-10-02  Mark Lam  <mark.lam@apple.com>
722
723         Fixed the Inspector to be able to properly distinguish between scope types.
724         <https://webkit.org/b/137279>
725
726         Reviewed by Geoffrey Garen.
727
728         The pre-existing code incorrectly labels Catch Scopes and Function Name Scopes
729         as With Scopes.  This patch will fix this.
730
731         * bytecode/BytecodeList.json:
732         * bytecompiler/BytecodeGenerator.cpp:
733         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
734         (JSC::BytecodeGenerator::emitPushCatchScope):
735         - These now store the desired JSNameScope::Type in a bytecode operand.
736         * debugger/DebuggerScope.cpp:
737         (JSC::DebuggerScope::isCatchScope):
738         (JSC::DebuggerScope::isFunctionNameScope):
739         - Added queries to be able to explicitly test if the scope is a CatchScope
740           or FunctionNameScope.  The FunctionNameScope is the case where the
741           NameScope is used to capture the function name of a function expression.
742         * debugger/DebuggerScope.h:
743         * inspector/InjectedScriptSource.js:
744         * inspector/JSJavaScriptCallFrame.cpp:
745         (Inspector::JSJavaScriptCallFrame::scopeType):
746         * inspector/JSJavaScriptCallFrame.h:
747         * inspector/JSJavaScriptCallFramePrototype.cpp:
748         (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
749         (Inspector::jsJavaScriptCallFrameConstantFUNCTION_NAME_SCOPE):
750         * inspector/protocol/Debugger.json:
751         * jit/CCallHelpers.h:
752         (JSC::CCallHelpers::setupArgumentsWithExecState):
753         * jit/JIT.h:
754         * jit/JITInlines.h:
755         (JSC::JIT::callOperation):
756         * jit/JITOpcodes.cpp:
757         (JSC::JIT::emit_op_push_name_scope):
758         * jit/JITOpcodes32_64.cpp:
759         (JSC::JIT::emit_op_push_name_scope):
760         * jit/JITOperations.cpp:
761         * jit/JITOperations.h:
762         * llint/LLIntSlowPaths.cpp:
763         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
764         * llint/LowLevelInterpreter.asm:
765         * runtime/JSFunction.cpp:
766         (JSC::JSFunction::addNameScopeIfNeeded):
767         * runtime/JSNameScope.h:
768         (JSC::JSNameScope::create):
769         (JSC::JSNameScope::isFunctionNameScope):
770         (JSC::JSNameScope::isCatchScope):
771         (JSC::JSNameScope::JSNameScope):
772         - Now stores the JSNameScope::Type in a field.
773
774 2014-10-01  Commit Queue  <commit-queue@webkit.org>
775
776         Unreviewed, rolling out r174180, r174183, and r174186.
777         https://bugs.webkit.org/show_bug.cgi?id=137320
778
779         Broke the Mac MountainLion build. Will investigate offline.
780         (Requested by dydz on #webkit).
781
782         Reverted changesets:
783
784         "Clean up: Move XPC forward declarations in JavaScriptCore to
785         WTF SPI wrapper header"
786         https://bugs.webkit.org/show_bug.cgi?id=137277
787         http://trac.webkit.org/changeset/174180
788
789         "Attempt to fix the build after
790         <https://trac.webkit.org/changeset/174180>"
791         https://bugs.webkit.org/show_bug.cgi?id=137277
792         http://trac.webkit.org/changeset/174183
793
794         "Another attempt to fix the Mac build after
795         <https://trac.webkit.org/changeset/174180>"
796         https://bugs.webkit.org/show_bug.cgi?id=137277
797         http://trac.webkit.org/changeset/174186
798
799 2014-10-01  Daniel Bates  <dabates@apple.com>
800
801         Clean up: Move XPC forward declarations in JavaScriptCore to WTF SPI wrapper header
802         https://bugs.webkit.org/show_bug.cgi?id=137277
803
804         Reviewed by Alexey Proskuryakov.
805
806         Use wtf/spi/darwin/XPCSPI.h instead of including the corresponding XPC headers/
807         forward declaring XPC functions.
808
809         * inspector/remote/RemoteInspector.mm:
810         * inspector/remote/RemoteInspectorXPCConnection.h:
811         * inspector/remote/RemoteInspectorXPCConnection.mm:
812
813 2014-10-01  Brent Fulgham  <bfulgham@apple.com>
814
815         [Win] Unreviewed build gardening.
816
817         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Show files in the appropriate
818         folders in Visual Studio.
819
820 2014-10-01  Filip Pizlo  <fpizlo@apple.com>
821
822         Object allocation sinking is broken for escaping sites in loops
823         https://bugs.webkit.org/show_bug.cgi?id=137310
824
825         Reviewed by Michael Saboff.
826         
827         I tried to do this clever forward-flow based materialization point placement, and I messed up loops. Disabling
828         the phase for now and landing a test to demonstrate what is going on.
829
830         * dfg/DFGPlan.cpp:
831         (JSC::DFG::Plan::compileInThreadImpl):
832         * runtime/Options.h:
833         * tests/stress/object-escapes-in-loop.js: Added.
834         (foo):
835         (bar):
836
837 2014-10-01  Saam Barati  <saambarati1@gmail.com>
838
839         Support the type profiler in the DFG
840         https://bugs.webkit.org/show_bug.cgi?id=136712
841
842         Reviewed by Filip Pizlo.
843
844         This patch implements op_profile_type inside the DFG as the node: ProfileType.
845         The DFG will convert the ProfileType node into a Check node in the cases where
846         passing a type check is equivalent to writing to the TypeProfilerLog. This
847         gives the DFG the potential to optimize out multiple ProfileType nodes into
848         a single Check node.
849
850         When the DFG doesn't convert ProfileType into a Check node, it will generate
851         the same inline code as the baseline JIT does for writing an entry to the
852         TypeProfilerLog.
853
854         * dfg/DFGAbstractInterpreterInlines.h:
855         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
856         * dfg/DFGByteCodeParser.cpp:
857         (JSC::DFG::ByteCodeParser::parseBlock):
858         * dfg/DFGCapabilities.cpp:
859         (JSC::DFG::capabilityLevel):
860         * dfg/DFGClobberize.h:
861         (JSC::DFG::clobberize):
862         * dfg/DFGDoesGC.cpp:
863         (JSC::DFG::doesGC):
864         * dfg/DFGDriver.cpp:
865         (JSC::DFG::compileImpl):
866         * dfg/DFGFixupPhase.cpp:
867         (JSC::DFG::FixupPhase::fixupNode):
868         * dfg/DFGNode.h:
869         (JSC::DFG::Node::typeLocation):
870         * dfg/DFGNodeType.h:
871         * dfg/DFGOperations.cpp:
872         * dfg/DFGOperations.h:
873         * dfg/DFGPredictionPropagationPhase.cpp:
874         (JSC::DFG::PredictionPropagationPhase::propagate):
875         * dfg/DFGSafeToExecute.h:
876         (JSC::DFG::safeToExecute):
877         * dfg/DFGSpeculativeJIT.h:
878         (JSC::DFG::SpeculativeJIT::callOperation):
879         * dfg/DFGSpeculativeJIT32_64.cpp:
880         (JSC::DFG::SpeculativeJIT::compile):
881         * dfg/DFGSpeculativeJIT64.cpp:
882         (JSC::DFG::SpeculativeJIT::compile):
883         * runtime/TypeProfiler.cpp:
884         (JSC::TypeProfiler::logTypesForTypeLocation):
885         * runtime/TypeSet.cpp:
886         (JSC::TypeSet::dumpTypes):
887         (JSC::TypeSet::doesTypeConformTo):
888         Make this method public so others can reason about the types a TypeSet has seen.
889         (JSC::TypeSet::seenTypes): Deleted.
890         (JSC::TypeSet::dumpSeenTypes): Deleted.
891         Renamed to dumpTypes so the method seenTypes can be used as a public getter.
892         * runtime/TypeSet.h:
893         (JSC::TypeSet::seenTypes):
894         * tests/typeProfiler/dfg-jit-optimizations.js: Added.
895         (tierUpToDFG):
896         (funcs):
897         (.return):
898
899 2014-10-01  Filip Pizlo  <fpizlo@apple.com>
900
901         Unreviewed, fix 32-bit.
902
903         * dfg/DFGSpeculativeJIT32_64.cpp:
904         (JSC::DFG::SpeculativeJIT::compile):
905
906 2014-09-30  Filip Pizlo  <fpizlo@apple.com>
907
908         DFG SSA should use PutLocal/KillLocal instead of SetLocal to communicate what is flushed to the stack and when
909         https://bugs.webkit.org/show_bug.cgi?id=137242
910
911         Reviewed by Geoffrey Garen.
912         
913         OSR availability has to do with telling you the various ways that you could go about getting
914         the value of a bytecode variable. It can give you two options: node availability means that
915         there is a node in the DFG IR that has the right value, and flush availability tells you
916         that the value was already stored to the stack. The clients of OSR availability would
917         typically prefer flush over node availability.
918         
919         Previously OSR availability was affected thusly by the various local-related nodes: SetLocal
920         set both the node and flush availability, MovHint set node availability and cleared flush
921         availability, GetArgument set both, and ZombieHint cleared both.
922         
923         A MovHint could be turned into a ZombieHint if its source value was DCEd.
924         
925         The fact that each node affected both node and flush availability caused weirdness. For
926         example it meant that we could not insert MovHints in areas of the CFG where a SetLocal's
927         variable was still live, because then those parts of the code would forget that they had an
928         availability flush. This meant that if a flush was available, we wouldn't insert MovHints,
929         and so we would forget that a node was in fact available. This kind of "either-or" picking
930         was not only hackish but it led to interesting problems for IR transformation: for example
931         if you tried to do any kind of code motion on SetLocals, you had to be super careful because
932         you might violate the rule that "MovHints must exist for a live local if a flush is
933         unavailable".
934         
935         The right thing to do is to have independent nodes for flushing and making nodes available.
936         They shouldn't interact with each other. This patch accomplishes this:
937         
938         - PutLocal means that a value is to be stored to the stack. It makes a flush available.
939         - KillLocal means that the value stored to the stack is no longer available for the purposes
940           of OSR (i.e. it no longer accurately corresponds to what that actual bytecode variable
941           would have been, so you have to fall back on node availability).
942         - MovHint means that a node is available. It has no effect on flush availability.
943         - ZombieHint means that a node is not available. It has no effect on flush availability.
944         
945         This means that we will see a lot of KillLocals and MovHints right next to each other. It's
946         a bit verbose, but at least it's precise.
947
948         * dfg/DFGAbstractInterpreterInlines.h:
949         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
950         * dfg/DFGAvailability.h:
951         (JSC::DFG::Availability::setFlush):
952         (JSC::DFG::Availability::setNode):
953         (JSC::DFG::Availability::setNodeUnavailable):
954         * dfg/DFGClobberize.h:
955         (JSC::DFG::clobberize):
956         * dfg/DFGDoesGC.cpp:
957         (JSC::DFG::doesGC):
958         * dfg/DFGFixupPhase.cpp:
959         (JSC::DFG::FixupPhase::fixupNode):
960         * dfg/DFGNode.cpp:
961         (JSC::DFG::Node::hasVariableAccessData):
962         * dfg/DFGNode.h:
963         (JSC::DFG::Node::hasUnlinkedLocal):
964         (JSC::DFG::Node::willHaveCodeGenOrOSR):
965         * dfg/DFGNodeType.h:
966         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
967         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
968         * dfg/DFGPredictionPropagationPhase.cpp:
969         (JSC::DFG::PredictionPropagationPhase::propagate):
970         * dfg/DFGSSAConversionPhase.cpp:
971         (JSC::DFG::SSAConversionPhase::run):
972         * dfg/DFGSafeToExecute.h:
973         (JSC::DFG::safeToExecute):
974         * dfg/DFGSpeculativeJIT64.cpp:
975         (JSC::DFG::SpeculativeJIT::compile):
976         * dfg/DFGStackLayoutPhase.cpp:
977         (JSC::DFG::StackLayoutPhase::run):
978         * ftl/FTLCapabilities.cpp:
979         (JSC::FTL::canCompile):
980         * ftl/FTLLowerDFGToLLVM.cpp:
981         (JSC::FTL::LowerDFGToLLVM::compileNode):
982         (JSC::FTL::LowerDFGToLLVM::compilePutLocal):
983         (JSC::FTL::LowerDFGToLLVM::compileSetLocal): Deleted.
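
        As an added illustration (not code from this patch or from JavaScriptCore), a toy model of the old and new OSR availability rules this entry describes, run over two short node sequences; the enum names, node ids and scenarios are assumptions made for the example.

```cpp
// Added example, not JavaScriptCore code: a toy model of the OSR availability
// rules described in this ChangeLog entry. Old scheme: SetLocal/GetArgument/
// MovHint/ZombieHint each touch both halves of the state. New scheme: PutLocal
// and KillLocal own flush availability, MovHint and ZombieHint own node
// availability. Node ids and the scenarios below are constructed.
#include <cstdio>
#include <string>
#include <vector>

enum class Op { SetLocal, GetArgument, MovHint, ZombieHint, PutLocal, KillLocal };

// A node that touches one bytecode variable; valueNode is the id of the
// DFG node whose value it announces (ignored by KillLocal and ZombieHint).
struct Node { Op op; int valueNode; };

// Availability of one bytecode variable at a point in the program.
struct Availability {
    bool flushAvailable = false; // value already sits in its stack slot
    int node = -1;               // id of a node holding the value, -1 if none
    bool nodeAvailable() const { return node >= 0; }
};

// Old rules: every local-related node sets or clears both halves at once.
Availability executeOld(const Availability& in, const Node& n) {
    Availability out = in;
    switch (n.op) {
    case Op::SetLocal:
    case Op::GetArgument:
        out.flushAvailable = true;
        out.node = n.valueNode;
        break;
    case Op::MovHint:            // announces a node but forgets the flush
        out.flushAvailable = false;
        out.node = n.valueNode;
        break;
    case Op::ZombieHint:         // value was DCEd: nothing is available
        out.flushAvailable = false;
        out.node = -1;
        break;
    default:                     // PutLocal/KillLocal did not exist yet
        break;
    }
    return out;
}

// New rules: flush and node availability never interact.
Availability executeNew(const Availability& in, const Node& n) {
    Availability out = in;
    switch (n.op) {
    case Op::PutLocal:   out.flushAvailable = true;  break;
    case Op::KillLocal:  out.flushAvailable = false; break;
    case Op::MovHint:    out.node = n.valueNode;     break;
    case Op::ZombieHint: out.node = -1;              break;
    default:             break; // SetLocal/GetArgument not modelled here
    }
    return out;
}

// Run a straight-line sequence of nodes from an empty availability state.
template<typename Step>
Availability run(Step step, const std::vector<Node>& nodes) {
    Availability a;
    for (const Node& n : nodes)
        a = step(a, n);
    return a;
}

// OSR exit clients prefer a flush, fall back to a node, and otherwise the
// variable cannot be recovered at this point.
std::string preferredSource(const Availability& a) {
    if (a.flushAvailable) return "flush";
    if (a.nodeAvailable()) return "node";
    return "dead";
}

// Scenario A: node #7 is stored to the stack, then a hint re-announces it.
// Old scheme: the MovHint throws away the flush. New scheme: both survive.
Availability oldScenario() { return run(executeOld, {{Op::SetLocal, 7}, {Op::MovHint, 7}}); }
Availability newScenario() { return run(executeNew, {{Op::PutLocal, 7}, {Op::MovHint, 7}}); }

// Scenario B: the stack slot is invalidated and a new node becomes available,
// the "KillLocal right next to a MovHint" pattern the entry mentions.
// The flush is gone, but node #8 is still recoverable.
Availability killScenario() {
    return run(executeNew, {{Op::PutLocal, 7}, {Op::KillLocal, 0}, {Op::MovHint, 8}});
}

int main() {
    std::printf("old: %s, new: %s, kill: %s\n",
                preferredSource(oldScenario()).c_str(),
                preferredSource(newScenario()).c_str(),
                preferredSource(killScenario()).c_str());
    return 0;
}
```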
984
985 2014-10-01  Brent Fulgham  <bfulgham@apple.com>
986
987         [Win] 32-bit JavaScriptCore should limit itself to the C loop
988         https://bugs.webkit.org/show_bug.cgi?id=137304
989         <rdar://problem/18375370>
990
991         Reviewed by Michael Saboff.
992
993         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl:
994         Use the C loop for 32-bit builds.
995
996 2014-09-30  Brian J. Burg  <burg@cs.washington.edu>
997
998         Web Inspector: ErrorString should be passed by reference
999         https://bugs.webkit.org/show_bug.cgi?id=137257
1000
1001         Reviewed by Joseph Pecoraro.
1002
1003         Pass the leading ErrorString argument by reference, since it is always an out parameter.
1004         Clean up callsites where the error message is written.
1005
1006         * inspector/InjectedScript.cpp:
1007         (Inspector::InjectedScript::evaluate):
1008         (Inspector::InjectedScript::callFunctionOn):
1009         (Inspector::InjectedScript::evaluateOnCallFrame):
1010         (Inspector::InjectedScript::getFunctionDetails):
1011         (Inspector::InjectedScript::getProperties):
1012         (Inspector::InjectedScript::getInternalProperties):
1013         * inspector/InjectedScript.h:
1014         * inspector/InjectedScriptBase.cpp:
1015         (Inspector::InjectedScriptBase::makeEvalCall):
1016         * inspector/InjectedScriptBase.h:
1017         * inspector/agents/InspectorAgent.cpp:
1018         (Inspector::InspectorAgent::willDestroyFrontendAndBackend):
1019         (Inspector::InspectorAgent::enable):
1020         (Inspector::InspectorAgent::disable):
1021         (Inspector::InspectorAgent::initialized):
1022         * inspector/agents/InspectorAgent.h:
1023         * inspector/agents/InspectorConsoleAgent.cpp:
1024         (Inspector::InspectorConsoleAgent::willDestroyFrontendAndBackend):
1025         (Inspector::InspectorConsoleAgent::enable):
1026         (Inspector::InspectorConsoleAgent::disable):
1027         (Inspector::InspectorConsoleAgent::clearMessages):
1028         (Inspector::InspectorConsoleAgent::reset):
1029         (Inspector::InspectorConsoleAgent::addMessageToConsole):
1030         * inspector/agents/InspectorConsoleAgent.h:
1031         * inspector/agents/InspectorDebuggerAgent.cpp:
1032         (Inspector::InspectorDebuggerAgent::enable):
1033         (Inspector::InspectorDebuggerAgent::disable):
1034         (Inspector::InspectorDebuggerAgent::setBreakpointsActive):
1035         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
1036         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
1037         (Inspector::parseLocation):
1038         (Inspector::InspectorDebuggerAgent::setBreakpoint):
1039         (Inspector::InspectorDebuggerAgent::removeBreakpoint):
1040         (Inspector::InspectorDebuggerAgent::continueToLocation):
1041         (Inspector::InspectorDebuggerAgent::searchInContent):
1042         (Inspector::InspectorDebuggerAgent::getScriptSource):
1043         (Inspector::InspectorDebuggerAgent::getFunctionDetails):
1044         (Inspector::InspectorDebuggerAgent::pause):
1045         (Inspector::InspectorDebuggerAgent::resume):
1046         (Inspector::InspectorDebuggerAgent::stepOver):
1047         (Inspector::InspectorDebuggerAgent::stepInto):
1048         (Inspector::InspectorDebuggerAgent::stepOut):
1049         (Inspector::InspectorDebuggerAgent::setPauseOnExceptions):
1050         (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
1051         (Inspector::InspectorDebuggerAgent::setOverlayMessage):
1052         (Inspector::InspectorDebuggerAgent::didParseSource):
1053         (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
1054         (Inspector::InspectorDebuggerAgent::assertPaused):
1055         * inspector/agents/InspectorDebuggerAgent.h:
1056         * inspector/agents/InspectorRuntimeAgent.cpp:
1057         (Inspector::InspectorRuntimeAgent::parse):
1058         (Inspector::InspectorRuntimeAgent::evaluate):
1059         (Inspector::InspectorRuntimeAgent::callFunctionOn):
1060         (Inspector::InspectorRuntimeAgent::getProperties):
1061         (Inspector::InspectorRuntimeAgent::releaseObject):
1062         (Inspector::InspectorRuntimeAgent::releaseObjectGroup):
1063         (Inspector::InspectorRuntimeAgent::run):
1064         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1065         (Inspector::InspectorRuntimeAgent::enableTypeProfiler):
1066         (Inspector::InspectorRuntimeAgent::disableTypeProfiler):
1067         * inspector/agents/InspectorRuntimeAgent.h:
1068         * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
1069         (Inspector::JSGlobalObjectConsoleAgent::setMonitoringXHREnabled):
1070         (Inspector::JSGlobalObjectConsoleAgent::addInspectedNode):
1071         * inspector/agents/JSGlobalObjectConsoleAgent.h:
1072         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
1073         (Inspector::JSGlobalObjectDebuggerAgent::injectedScriptForEval):
1074         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
1075         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
1076         (Inspector::JSGlobalObjectRuntimeAgent::injectedScriptForEval):
1077         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
1078         * inspector/scripts/codegen/generate_backend_dispatcher_header.py:
1079         (BackendDispatcherHeaderGenerator._generate_handler_declaration_for_command):
1080         (BackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
1081         * inspector/scripts/codegen/generate_backend_dispatcher_implementation.py:
1082         (BackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
1083         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1084         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1085         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1086         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1087
1088 2014-09-30  Mark Lam  <mark.lam@apple.com>
1089
1090         Label some asserts as having security implications.
1091         <https://webkit.org/b/137260>
1092
1093         Reviewed by Filip Pizlo.
1094
1095         * dfg/DFGGraph.cpp:
1096         (JSC::DFG::Graph::handleAssertionFailure):
1097         * runtime/JSCell.h:
1098         (JSC::jsCast):
1099         * runtime/StructureIDTable.h:
1100         (JSC::StructureIDTable::get):
1101
1102 2014-09-30  Filip Pizlo  <fpizlo@apple.com>
1103
1104         REGRESSION (r174025): Invalid cast in JSC::asString
1105         https://bugs.webkit.org/show_bug.cgi?id=137224
1106
1107         Reviewed by Geoffrey Garen.
1108         
1109         Store barrier elision in fixup depends on checking the type of the value being stored. It's very important that
1110         when we speak of "the value being stored" we are really referring to the right value.
1111         
1112         The bug here was that the PutClosureVar case was assuming that child2 is the value being stored. It's actually
1113         child3. So we were incorrectly removing all barriers from PutClosureVar.
1114
1115         * dfg/DFGFixupPhase.cpp:
1116         (JSC::DFG::FixupPhase::fixupNode):
1117
1118 2014-09-30  Brian J. Burg  <burg@cs.washington.edu>
1119
1120         Web Replay: use static Strings instead of AtomicStrings for replay input type tags
1121         https://bugs.webkit.org/show_bug.cgi?id=137086
1122
1123         Reviewed by Joseph Pecoraro.
1124
1125         This pattern doesn't work when we want to define some inputs in WebKit2.
1126         The ReplayInputTypes class was generated from WebCore inputs only. This
1127         patch moves all input traits to use static local Strings as type tags.
1128
1129         * replay/scripts/CodeGeneratorReplayInputs.py: Remove configuration of how
1130         type tags are generated, since all framework targets now generate the same code.
1131
1132         * replay/NondeterministicInput.h:
1133         * replay/scripts/CodeGeneratorReplayInputs.py: Simplify and rebase test results.
1134         (Generator.generate_input_trait_implementation):
1135         * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Simplify templates.
1136
1137         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp:
1138         (JSC::InputTraits<Test::SavedMouseButton>::type):
1139         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h:
1140         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp:
1141         (JSC::InputTraits<Test::SavedMouseButton>::type):
1142         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h:
1143         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp:
1144         (JSC::InputTraits<Test::HandleWheelEvent>::type):
1145         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h:
1146         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp:
1147         (JSC::InputTraits<Test::FormCombo>::type):
1148         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h:
1149         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp:
1150         (JSC::InputTraits<Test::GetCurrentTime>::type):
1151         (JSC::InputTraits<Test::SetRandomSeed>::type):
1152         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h:
1153         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp:
1154         (JSC::InputTraits<Test::ArrayOfThings>::type):
1155         (JSC::InputTraits<Test::SavedHistory>::type):
1156         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h:
1157         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.cpp:
1158         (JSC::InputTraits<Test::ScalarInput1>::type):
1159         (JSC::InputTraits<Test::ScalarInput2>::type):
1160         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h:
1161         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp:
1162         (JSC::InputTraits<Test::ScalarInput>::type):
1163         (JSC::InputTraits<Test::MapInput>::type):
1164         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h:
1165
1166 2014-09-30  Daniel Bates  <dabates@apple.com>
1167
1168         REGRESSION (r172532): JSBase.h declares NSMapTable functions that are SPI
1169         https://bugs.webkit.org/show_bug.cgi?id=137170
1170         <rdar://problem/18477384>
1171
1172         Reviewed by Geoffrey Garen.
1173
1174         Move conditional include of header Foundation/NSMapTablePriv.h and forward declarations
1175         of NSMapTable SPI from file JavaScriptCore/API/JSBase.h to WTF/wtf/spi/cocoa/NSMapTableSPI.h.
1176
1177         * API/JSBase.h:
1178         * API/JSManagedValue.mm: Include header WTF/wtf/spi/cocoa/NSMapTableSPI.h.
1179         * API/JSVirtualMachine.mm: Ditto.
1180         * API/JSVirtualMachineInternal.h: Forward declare class NSMapTable.
1181         * API/JSWrapperMap.mm: Include header WTF/wtf/spi/cocoa/NSMapTableSPI.h. Also, order
1182         #include directives such that they are sorted in alphabetical order.
1183
1184 2014-09-30  Oliver Hunt  <oliver@apple.com>
1185
1186         Fix C API header
1187         https://bugs.webkit.org/show_bug.cgi?id=137254
1188         <rdar://problem/18487528>
1189
1190         Build fix
1191
1192         Guard extern "C" behind __cplusplus ifdef
1193
1194         * API/JSBase.h:
1195
1196 2014-09-29  Brian J. Burg  <burg@cs.washington.edu>
1197
1198         Web Inspector: InjectedScripts should not be profiled or displayed in Timeline
1199         https://bugs.webkit.org/show_bug.cgi?id=136806
1200
1201         Reviewed by Timothy Hatcher.
1202
1203         It doesn't make sense to show profile nodes for injected scripts when profiling user content.
1204         For now, omit nodes by suspending profiling before and after executing injected scripts.
1205
1206         * profiler/LegacyProfiler.cpp:
1207         (JSC::LegacyProfiler::suspendProfiling): Added.
1208         (JSC::LegacyProfiler::unsuspendProfiling): Added.
1209         * profiler/LegacyProfiler.h:
1210         * profiler/ProfileGenerator.cpp: Add isSuspended() flag, remove unused typedef.
1211         (JSC::ProfileGenerator::ProfileGenerator):
1212         (JSC::ProfileGenerator::willExecute):
1213         (JSC::ProfileGenerator::didExecute):
1214         * profiler/ProfileGenerator.h:
1215         (JSC::ProfileGenerator::setIsSuspended): Added.
1216
1217 2014-09-29  Brian J. Burg  <burg@cs.washington.edu>
1218
1219         Web Inspector: InspectorValues should use references for out parameters
1220         https://bugs.webkit.org/show_bug.cgi?id=137190
1221
1222         Reviewed by Joseph Pecoraro.
1223
1224         Use references for out parameters in asType() and getType() methods.
1225         Also convert to references in some miscellaneous code where we don't
1226         expect or handle null values.
1227
1228         Remove variants of asObject() and asArray() that return a nullable RefPtr.
1229         Now, client code is forced to use out parameters and check for cast failure.
1230
1231         Iron out control flow in some functions and fix some style issues.
1232
1233         * inspector/InjectedScript.cpp:
1234         (Inspector::InjectedScript::getFunctionDetails):
1235         (Inspector::InjectedScript::wrapObject):
1236         (Inspector::InjectedScript::wrapTable):
1237         * inspector/InjectedScriptBase.cpp:
1238         (Inspector::InjectedScriptBase::makeEvalCall):
1239         * inspector/InjectedScriptManager.cpp:
1240         (Inspector::InjectedScriptManager::injectedScriptForObjectId): Simplify control flow.
1241         * inspector/InspectorBackendDispatcher.cpp:
1242         (Inspector::InspectorBackendDispatcher::dispatch):
1243         (Inspector::getPropertyValue):
1244         (Inspector::AsMethodBridges::asInteger):
1245         (Inspector::AsMethodBridges::asDouble):
1246         (Inspector::AsMethodBridges::asString):
1247         (Inspector::AsMethodBridges::asBoolean):
1248         (Inspector::AsMethodBridges::asObject):
1249         (Inspector::AsMethodBridges::asArray):
1250         * inspector/InspectorProtocolTypes.h:
1251         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast):
1252         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType):
1253         * inspector/InspectorValues.cpp: Use more by-reference out parameters. Add more spacing.
1254         (Inspector::InspectorValue::asBoolean):
1255         (Inspector::InspectorValue::asDouble):
1256         (Inspector::InspectorValue::asInteger):
1257         (Inspector::InspectorValue::asString):
1258         (Inspector::InspectorValue::asValue):
1259         (Inspector::InspectorValue::asObject):
1260         (Inspector::InspectorValue::asArray):
1261         (Inspector::InspectorValue::parseJSON):
1262         (Inspector::InspectorValue::toJSONString):
1263         (Inspector::InspectorValue::writeJSON):
1264         (Inspector::InspectorBasicValue::asBoolean):
1265         (Inspector::InspectorBasicValue::asDouble):
1266         (Inspector::InspectorBasicValue::asInteger):
1267         (Inspector::InspectorBasicValue::writeJSON):
1268         (Inspector::InspectorString::asString):
1269         (Inspector::InspectorString::writeJSON):
1270         (Inspector::InspectorObjectBase::asObject):
1271         (Inspector::InspectorObjectBase::openAccessors):
1272         (Inspector::InspectorObjectBase::getBoolean):
1273         (Inspector::InspectorObjectBase::getString):
1274         (Inspector::InspectorObjectBase::getObject):
1275         (Inspector::InspectorObjectBase::getArray):
1276         (Inspector::InspectorObjectBase::writeJSON):
1277         (Inspector::InspectorArrayBase::asArray):
1278         (Inspector::InspectorArrayBase::writeJSON):
1279         * inspector/InspectorValues.h:
1280         * inspector/agents/InspectorDebuggerAgent.cpp:
1281         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
1282         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
1283         (Inspector::parseLocation):
1284         (Inspector::InspectorDebuggerAgent::setBreakpoint):
1285         (Inspector::InspectorDebuggerAgent::continueToLocation):
1286         (Inspector::InspectorDebuggerAgent::didParseSource):
1287         * inspector/agents/InspectorRuntimeAgent.cpp:
1288         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1289         * inspector/scripts/codegen/generate_protocol_types_implementation.py:
1290         (ProtocolTypesImplementationGenerator):
1291         (ProtocolTypesImplementationGenerator._generate_assertion_for_enum):
1292         * inspector/scripts/codegen/generator_templates.py:
1293         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1294         * replay/EncodedValue.cpp:
1295         (JSC::EncodedValue::asObject):
1296         (JSC::EncodedValue::asArray):
1297         (JSC::EncodedValue::convertTo<bool>):
1298         (JSC::EncodedValue::convertTo<double>):
1299         (JSC::EncodedValue::convertTo<float>):
1300         (JSC::EncodedValue::convertTo<int32_t>):
1301         (JSC::EncodedValue::convertTo<int64_t>):
1302         (JSC::EncodedValue::convertTo<uint32_t>):
1303         (JSC::EncodedValue::convertTo<uint64_t>):
1304         (JSC::EncodedValue::convertTo<String>):
1305
1306 2014-09-29  Filip Pizlo  <fpizlo@apple.com>
1307
1308         DFG HasStructureProperty codegen should use one fewer registers
1309         https://bugs.webkit.org/show_bug.cgi?id=137235
1310
1311         Reviewed by Andreas Kling.
1312         
1313         This was an obvious source of inefficiency and it was causing us to run out of registers on
1314         x86-32.
1315
1316         * dfg/DFGSpeculativeJIT32_64.cpp:
1317         (JSC::DFG::SpeculativeJIT::compile):
1318         * dfg/DFGSpeculativeJIT64.cpp:
1319         (JSC::DFG::SpeculativeJIT::compile):
1320
1321 2014-09-29  Filip Pizlo  <fpizlo@apple.com>
1322
1323         Don't use GPRResult unless you're flushing registers and making a runtime function call
1324         https://bugs.webkit.org/show_bug.cgi?id=137234
1325
1326         Rubber stamped by Andreas Kling.
1327
1328         Rename GPRResult to GPRFlushedCallResult, in an attempt to dissuade people from using it for results in the
1329         general case.
1330         
1331         Replace GPRResult with GPRTemporary in those places where it was causing bugs: particularly in GetDirectPname it
1332         would cause us to spill the register that has the base, and the code was assuming (rightly) that the base and the
1333         result were in different registers. That's a valid assumption when using GPRTemporary but not with GPRResult.
1334         Also this code wasn't getting any benefit from using GPRResult because it wasn't doing flushRegisters().
1335         
1336         I don't know how to test this. A test would require setting up a particularly awkward register allocation state.
1337         
1338         * dfg/DFGSpeculativeJIT.cpp:
1339         (JSC::DFG::SpeculativeJIT::compileIn):
1340         (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck):
1341         (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression):
1342         (JSC::DFG::SpeculativeJIT::compileRegExpExec):
1343         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1344         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1345         (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
1346         * dfg/DFGSpeculativeJIT.h:
1347         (JSC::DFG::GPRFlushedCallResult::GPRFlushedCallResult):
1348         (JSC::DFG::GPRFlushedCallResult2::GPRFlushedCallResult2):
1349         (JSC::DFG::GPRResult::GPRResult): Deleted.
1350         (JSC::DFG::GPRResult2::GPRResult2): Deleted.
1351         * dfg/DFGSpeculativeJIT32_64.cpp:
1352         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
1353         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
1354         (JSC::DFG::SpeculativeJIT::emitCall):
1355         (JSC::DFG::SpeculativeJIT::compile):
1356         * dfg/DFGSpeculativeJIT64.cpp:
1357         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
1358         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
1359         (JSC::DFG::SpeculativeJIT::emitCall):
1360         (JSC::DFG::SpeculativeJIT::compile):
1361         (JSC::DFG::SpeculativeJIT::speculateDoubleRepMachineInt):
1362
1363 2014-09-29  Diego Pino Garcia  <dpino@igalia.com>
1364
1365         Missing changes from r174049
1366         https://bugs.webkit.org/show_bug.cgi?id=137206
1367
1368         Reviewed by Darin Adler.
1369
1370         * runtime/CommonIdentifiers.h:
1371
1372 2014-09-28  Diego Pino Garcia  <dpino@igalia.com>
1373
1374         Simple ES6 feature: Number constructor extras
1375         https://bugs.webkit.org/show_bug.cgi?id=131707
1376
1377         Reviewed by Darin Adler.
1378
1379         * runtime/CommonIdentifiers.h:
1380         * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::finishCreation): Set up constants and
        functions.
1383         (JSC::numberConstructorFuncIsFinite): Added.
1384         (JSC::numberConstructorFuncIsInteger): Added.
1385         (JSC::numberConstructorFuncIsNaN): Added.
1386         (JSC::numberConstructorFuncIsSafeInteger): Added.
1387         (JSC::NumberConstructor::getOwnPropertySlot): Deleted.
1388         (JSC::numberConstructorNaNValue): Deleted.
1389         (JSC::numberConstructorNegInfinity): Deleted.
1390         (JSC::numberConstructorPosInfinity): Deleted.
1391         (JSC::numberConstructorMaxValue): Deleted.
1392         (JSC::numberConstructorMinValue): Deleted.
1393         * runtime/NumberConstructor.h:
1394
1395 2014-09-26  Filip Pizlo  <fpizlo@apple.com>
1396
1397         Disable function.arguments
1398         https://bugs.webkit.org/show_bug.cgi?id=137167
1399
1400         Rubber stamped by Geoffrey Garen.
1401         
1402         Add an option to disable function.arguments. Add a test for disabling it.
1403         
1404         Disabling function.arguments means that it returns an Arguments object that claims that
1405         there were zero arguments. All other Arguments functionality still works, so any code
1406         that tries to inspect this object will still think that it is looking at a perfectly
1407         valid Arguments object.
1408         
1409         This also makes function.arguments disabled by default. Note that the RJST harness will
1410         enable them by default, to continue to get test coverage for the code that implements
1411         the feature.
1412         
1413         We will rip out that code once we're confident that it's really safe to remove this
1414         feature. Only once we rip out that support will we be able to do optimizations to
1415         leverage the lack of this feature. It's important to keep the support code, and the test
1416         infrastructure, in place before we are confident. The logic to keep this working touches
1417         the entire compiler and a large chunk of the runtime, so reimplementing it - or even
1418         merging it back in - would be a nightmare. That's also basically the reason why we want
1419         to rip it out if at all possible. It's a lot of terrible code.
1420
1421         * interpreter/StackVisitor.cpp:
1422         (JSC::StackVisitor::Frame::createArguments):
1423         * runtime/Arguments.h:
1424         (JSC::Arguments::create):
1425         (JSC::Arguments::finishCreation):
1426         * runtime/Options.h:
1427         * tests/stress/disable-function-dot-arguments.js: Added.
1428         (foo):
1429         (bar):
1430
1431 2014-09-26  Joseph Pecoraro  <pecoraro@apple.com>
1432
1433         Web Inspector: Automatic Inspection should continue once all breakpoints are loaded
1434         https://bugs.webkit.org/show_bug.cgi?id=137038
1435
1436         Reviewed by Timothy Hatcher.
1437
1438         Add a new protocol command "Inspector.initialized" that signifies to the backend
1439         when the frontend has sent all its initialization messages to the backend. This
1440         can include information like breakpoints, which we would want to have loaded
1441         before any JavaScript evaluates in the context.
1442
1443         * inspector/protocol/InspectorDomain.json:
1444         New protocol command, Inspector.initialized.
1445
1446         * inspector/agents/InspectorAgent.h:
1447         * inspector/agents/InspectorAgent.cpp:
1448         (Inspector::InspectorAgent::InspectorAgent):
1449         (Inspector::InspectorAgent::initialized):
1450         Tell the InspectorEnvironment (the Controller) the frontend has initialized.
1451
1452         * inspector/InspectorEnvironment.h:
1453         Abstract virtual method to handle frontend initialization. To be
1454         implemented by all of the InspectorControllers.
1455
1456         * inspector/JSGlobalObjectInspectorController.h:
1457         * inspector/JSGlobalObjectInspectorController.cpp:
1458         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1459         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
1460         (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
1461         (Inspector::JSGlobalObjectInspectorController::frontendInitialized):
        When a frontend is initialized, if it was automatic inspection, unpause the debuggable.
1463
1464         * inspector/remote/RemoteInspectorDebuggable.cpp:
1465         (Inspector::RemoteInspectorDebuggable::unpauseForInitializedInspector):
1466         Complete setup for this debuggable.
1467
1468         * inspector/remote/RemoteInspectorDebuggable.h:
1469         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
1470         (Inspector::RemoteInspectorDebuggableConnection::setup):
1471         Move the setup complete to later, when the frontend sends an "initialized" message.
1472
1473         * inspector/remote/RemoteInspector.h:
1474         * inspector/remote/RemoteInspector.mm:
1475         (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate):
        Provide a longer timeout now that the frontend must send messages after the connection
        has been established. The longest I have seen is 600ms, but the average tends to be 200ms.
        So bump the timeout to 800ms for a buffer.
1479
1480         (Inspector::RemoteInspector::setupSucceeded): Deleted.
1481         (Inspector::RemoteInspector::setupCompleted):
1482         Rename, as this happens at a slightly different time.
1483
1484 2014-09-26  Filip Pizlo  <fpizlo@apple.com>
1485
1486         DFG shouldn't insert store barriers when it has it on good authority that we're not storing a cell
1487         https://bugs.webkit.org/show_bug.cgi?id=137161
1488
1489         Reviewed by Mark Hahnenberg.
1490         
1491         This looks like a 1% Octane speed-up.
1492
1493         * bytecode/SpeculatedType.h:
1494         (JSC::isNotCellSpeculation):
1495         * dfg/DFGFixupPhase.cpp:
1496         (JSC::DFG::FixupPhase::fixupNode):
1497         (JSC::DFG::FixupPhase::insertStoreBarrier):
1498         (JSC::DFG::FixupPhase::insertCheck):
1499         * dfg/DFGNode.h:
1500         (JSC::DFG::Node::shouldSpeculateNotCell):
1501
1502 2014-09-26  Peter Varga  <pvarga@webkit.org>
1503
1504         Fix typo in YARR at BOL check
1505         https://bugs.webkit.org/show_bug.cgi?id=137144
1506
1507         Reviewed by Darin Adler.
1508
1509         * yarr/YarrPattern.cpp: replace bitwise and operator by logical and
1510         (JSC::Yarr::YarrPatternConstructor::assertionBOL):
1511
1512 2014-09-25  Saam Barati  <saambarati1@gmail.com>
1513
1514         Web Inspector: console.assert(bitString) TypeSet:50 
1515         https://bugs.webkit.org/show_bug.cgi?id=137051
1516
1517         Reviewed by Joseph Pecoraro.
1518
1519         This patch creates stricter requirements on a TypeDescription
1520         being valid. To be valid, a TypeDescription now ensures that 
1521         the TypeSet it describes has non null type information.
1522
1523         * inspector/agents/InspectorRuntimeAgent.cpp:
1524         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1525         * runtime/TypeSet.h:
1526         (JSC::TypeSet::isEmpty):
1527
1528 2014-09-25  Filip Pizlo  <fpizlo@apple.com>
1529
1530         FTL should sink object allocations
1531         https://bugs.webkit.org/show_bug.cgi?id=136330
1532
1533         Reviewed by Oliver Hunt.
1534         
1535         This adds a comprehensive infrastructure for sinking object allocations in DFG SSA form. The
1536         ultimate goal of sinking is to sink an allocation "past the points of its death" - i.e. to
1537         eliminate it completely. The way sinking reasons about the CFG means that it resembles a
1538         partial escape analysis: we create paths through a function where some allocation(s) don't
1539         have to be done at all even if there are other paths along which those allocations still have
1540         to happen. But it also produces other side benefits. Even if an allocation isn't eliminated
1541         along any path, the act of sinking reduces the number of barriers that have to execute.
1542         
        Because this was a fairly ambitious SSA analysis and transformation, I added a bunch of C++11
1544         sugar to the DFG's internal APIs to allow for easier iteration over blocks, nodes, and
1545         successors; and to add more functor goodness to allow for more lambdas.
1546         
1547         This is just the beginning. The bug has a bunch of other bugs that depend on it. So far this
1548         is a spectacular speed-up on microbenchmarks but it's still too limited to affect big
1549         benchmarks. For example, doing o == p makes the sinking phase think that o and p escape.
1550         That's just an omission and there are likely others; we can easily fix them. I think it's
1551         best to land it in its current form and then to worry about the big benchmarks in subsequent
1552         work (see bug 137126).
1553
1554         * CMakeLists.txt:
1555         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1556         * JavaScriptCore.xcodeproj/project.pbxproj:
1557         * bytecode/StructureSet.h:
1558         (JSC::StructureSet::iterator::iterator):
1559         (JSC::StructureSet::iterator::operator*):
1560         (JSC::StructureSet::iterator::operator++):
1561         (JSC::StructureSet::iterator::operator==):
1562         (JSC::StructureSet::iterator::operator!=):
1563         (JSC::StructureSet::begin):
1564         (JSC::StructureSet::end):
1565         * dfg/DFGAbstractInterpreter.h:
1566         (JSC::DFG::AbstractInterpreter::phiChildren):
1567         * dfg/DFGAbstractInterpreterInlines.h:
1568         (JSC::DFG::AbstractInterpreter<AbstractStateType>::AbstractInterpreter):
1569         (JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting):
1570         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1571         (JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
1572         * dfg/DFGAvailability.h:
1573         (JSC::DFG::Availability::shouldUseNode):
1574         (JSC::DFG::Availability::isFlushUseful):
1575         (JSC::DFG::Availability::isDead):
1576         (JSC::DFG::Availability::operator!=):
1577         * dfg/DFGAvailabilityMap.cpp: Added.
1578         (JSC::DFG::AvailabilityMap::prune):
1579         (JSC::DFG::AvailabilityMap::clear):
1580         (JSC::DFG::AvailabilityMap::dump):
1581         (JSC::DFG::AvailabilityMap::operator==):
1582         (JSC::DFG::AvailabilityMap::merge):
1583         * dfg/DFGAvailabilityMap.h: Added.
1584         (JSC::DFG::AvailabilityMap::forEachAvailability):
1585         * dfg/DFGBasicBlock.cpp:
1586         (JSC::DFG::BasicBlock::SSAData::SSAData):
1587         * dfg/DFGBasicBlock.h:
1588         (JSC::DFG::BasicBlock::begin):
1589         (JSC::DFG::BasicBlock::end):
1590         (JSC::DFG::BasicBlock::SuccessorsIterable::SuccessorsIterable):
1591         (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::iterator):
1592         (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator*):
1593         (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator++):
1594         (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator==):
1595         (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator!=):
1596         (JSC::DFG::BasicBlock::SuccessorsIterable::begin):
1597         (JSC::DFG::BasicBlock::SuccessorsIterable::end):
1598         (JSC::DFG::BasicBlock::successors):
1599         * dfg/DFGClobberize.h:
1600         (JSC::DFG::clobberize):
1601         * dfg/DFGConstantFoldingPhase.cpp:
1602         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1603         * dfg/DFGDoesGC.cpp:
1604         (JSC::DFG::doesGC):
1605         * dfg/DFGFixupPhase.cpp:
1606         (JSC::DFG::FixupPhase::fixupNode):
1607         * dfg/DFGFlushedAt.cpp:
1608         (JSC::DFG::FlushedAt::dump):
1609         * dfg/DFGFlushedAt.h:
1610         (JSC::DFG::FlushedAt::FlushedAt):
1611         * dfg/DFGGraph.cpp:
1612         (JSC::DFG::Graph::dump):
1613         (JSC::DFG::Graph::dumpBlockHeader):
1614         (JSC::DFG::Graph::mergeRelevantToOSR):
1615         (JSC::DFG::Graph::invalidateCFG):
1616         * dfg/DFGGraph.h:
1617         (JSC::DFG::Graph::NaturalBlockIterable::NaturalBlockIterable):
1618         (JSC::DFG::Graph::NaturalBlockIterable::iterator::iterator):
1619         (JSC::DFG::Graph::NaturalBlockIterable::iterator::operator*):
1620         (JSC::DFG::Graph::NaturalBlockIterable::iterator::operator++):
1621         (JSC::DFG::Graph::NaturalBlockIterable::iterator::operator==):
1622         (JSC::DFG::Graph::NaturalBlockIterable::iterator::operator!=):
1623         (JSC::DFG::Graph::NaturalBlockIterable::iterator::findNext):
1624         (JSC::DFG::Graph::NaturalBlockIterable::begin):
1625         (JSC::DFG::Graph::NaturalBlockIterable::end):
1626         (JSC::DFG::Graph::blocksInNaturalOrder):
1627         (JSC::DFG::Graph::doToChildrenWithNode):
1628         (JSC::DFG::Graph::doToChildren):
1629         * dfg/DFGHeapLocation.cpp:
1630         (WTF::printInternal):
1631         * dfg/DFGHeapLocation.h:
1632         * dfg/DFGInsertOSRHintsForUpdate.cpp: Added.
1633         (JSC::DFG::insertOSRHintsForUpdate):
1634         * dfg/DFGInsertOSRHintsForUpdate.h: Added.
1635         * dfg/DFGInsertionSet.h:
1636         (JSC::DFG::InsertionSet::graph):
1637         * dfg/DFGMayExit.cpp:
1638         (JSC::DFG::mayExit):
1639         * dfg/DFGNode.h:
1640         (JSC::DFG::Node::convertToPutByOffsetHint):
1641         (JSC::DFG::Node::convertToPutStructureHint):
1642         (JSC::DFG::Node::convertToPhantomNewObject):
1643         (JSC::DFG::Node::isCellConstant):
1644         (JSC::DFG::Node::castConstant):
1645         (JSC::DFG::Node::hasIdentifier):
1646         (JSC::DFG::Node::hasStorageAccessData):
1647         (JSC::DFG::Node::hasObjectMaterializationData):
1648         (JSC::DFG::Node::objectMaterializationData):
1649         (JSC::DFG::Node::isPhantomObjectAllocation):
1650         * dfg/DFGNodeType.h:
1651         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
1652         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
1653         (JSC::DFG::LocalOSRAvailabilityCalculator::endBlock):
1654         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
1655         * dfg/DFGOSRAvailabilityAnalysisPhase.h:
1656         * dfg/DFGObjectAllocationSinkingPhase.cpp: Added.
1657         (JSC::DFG::ObjectAllocationSinkingPhase::ObjectAllocationSinkingPhase):
1658         (JSC::DFG::ObjectAllocationSinkingPhase::run):
1659         (JSC::DFG::ObjectAllocationSinkingPhase::performSinking):
1660         (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints):
1661         (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints):
1662         (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations):
1663         (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields):
1664         (JSC::DFG::ObjectAllocationSinkingPhase::resolve):
1665         (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
1666         (JSC::DFG::ObjectAllocationSinkingPhase::createMaterialize):
1667         (JSC::DFG::ObjectAllocationSinkingPhase::populateMaterialize):
1668         (JSC::DFG::performObjectAllocationSinking):
1669         * dfg/DFGObjectAllocationSinkingPhase.h: Added.
1670         * dfg/DFGObjectMaterializationData.cpp: Added.
1671         (JSC::DFG::PhantomPropertyValue::dump):
1672         (JSC::DFG::ObjectMaterializationData::dump):
1673         (JSC::DFG::ObjectMaterializationData::oneWaySimilarityScore):
1674         (JSC::DFG::ObjectMaterializationData::similarityScore):
1675         * dfg/DFGObjectMaterializationData.h: Added.
1676         (JSC::DFG::PhantomPropertyValue::PhantomPropertyValue):
1677         (JSC::DFG::PhantomPropertyValue::operator==):
1678         * dfg/DFGPhantomCanonicalizationPhase.cpp:
1679         (JSC::DFG::PhantomCanonicalizationPhase::run):
1680         * dfg/DFGPhantomRemovalPhase.cpp:
1681         (JSC::DFG::PhantomRemovalPhase::run):
1682         * dfg/DFGPhiChildren.cpp: Added.
1683         (JSC::DFG::PhiChildren::PhiChildren):
1684         (JSC::DFG::PhiChildren::~PhiChildren):
1685         (JSC::DFG::PhiChildren::upsilonsOf):
1686         * dfg/DFGPhiChildren.h: Added.
1687         (JSC::DFG::PhiChildren::forAllIncomingValues):
1688         (JSC::DFG::PhiChildren::forAllTransitiveIncomingValues):
1689         * dfg/DFGPlan.cpp:
1690         (JSC::DFG::Plan::compileInThreadImpl):
1691         * dfg/DFGPrePostNumbering.cpp: Added.
1692         (JSC::DFG::PrePostNumbering::PrePostNumbering):
1693         (JSC::DFG::PrePostNumbering::~PrePostNumbering):
1694         (JSC::DFG::PrePostNumbering::compute):
1695         (WTF::printInternal):
1696         * dfg/DFGPrePostNumbering.h: Added.
1697         (JSC::DFG::PrePostNumbering::preNumber):
1698         (JSC::DFG::PrePostNumbering::postNumber):
1699         (JSC::DFG::PrePostNumbering::isStrictAncestorOf):
1700         (JSC::DFG::PrePostNumbering::isAncestorOf):
1701         (JSC::DFG::PrePostNumbering::isStrictDescendantOf):
1702         (JSC::DFG::PrePostNumbering::isDescendantOf):
1703         (JSC::DFG::PrePostNumbering::edgeKind):
1704         * dfg/DFGPredictionPropagationPhase.cpp:
1705         (JSC::DFG::PredictionPropagationPhase::propagate):
1706         * dfg/DFGPromoteHeapAccess.h: Added.
1707         (JSC::DFG::promoteHeapAccess):
1708         * dfg/DFGPromotedHeapLocation.cpp: Added.
1709         (JSC::DFG::PromotedLocationDescriptor::dump):
1710         (JSC::DFG::PromotedHeapLocation::createHint):
1711         (JSC::DFG::PromotedHeapLocation::dump):
1712         (WTF::printInternal):
1713         * dfg/DFGPromotedHeapLocation.h: Added.
1714         (JSC::DFG::PromotedLocationDescriptor::PromotedLocationDescriptor):
1715         (JSC::DFG::PromotedLocationDescriptor::operator!):
1716         (JSC::DFG::PromotedLocationDescriptor::kind):
1717         (JSC::DFG::PromotedLocationDescriptor::info):
1718         (JSC::DFG::PromotedLocationDescriptor::hash):
1719         (JSC::DFG::PromotedLocationDescriptor::operator==):
1720         (JSC::DFG::PromotedLocationDescriptor::operator!=):
1721         (JSC::DFG::PromotedLocationDescriptor::isHashTableDeletedValue):
1722         (JSC::DFG::PromotedHeapLocation::PromotedHeapLocation):
1723         (JSC::DFG::PromotedHeapLocation::operator!):
1724         (JSC::DFG::PromotedHeapLocation::kind):
1725         (JSC::DFG::PromotedHeapLocation::base):
1726         (JSC::DFG::PromotedHeapLocation::info):
1727         (JSC::DFG::PromotedHeapLocation::descriptor):
1728         (JSC::DFG::PromotedHeapLocation::hash):
1729         (JSC::DFG::PromotedHeapLocation::operator==):
1730         (JSC::DFG::PromotedHeapLocation::isHashTableDeletedValue):
1731         (JSC::DFG::PromotedHeapLocationHash::hash):
1732         (JSC::DFG::PromotedHeapLocationHash::equal):
1733         * dfg/DFGSSACalculator.cpp:
1734         (JSC::DFG::SSACalculator::reset):
1735         * dfg/DFGSSACalculator.h:
1736         * dfg/DFGSafeToExecute.h:
1737         (JSC::DFG::safeToExecute):
1738         * dfg/DFGSpeculativeJIT.cpp:
1739         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1740         * dfg/DFGSpeculativeJIT32_64.cpp:
1741         (JSC::DFG::SpeculativeJIT::compile):
1742         * dfg/DFGSpeculativeJIT64.cpp:
1743         (JSC::DFG::SpeculativeJIT::compile):
1744         * dfg/DFGStructureRegistrationPhase.cpp:
1745         (JSC::DFG::StructureRegistrationPhase::run):
1746         * dfg/DFGValidate.cpp:
1747         (JSC::DFG::Validate::validate):
1748         * ftl/FTLCapabilities.cpp:
1749         (JSC::FTL::canCompile):
1750         * ftl/FTLExitPropertyValue.cpp: Added.
1751         (JSC::FTL::ExitPropertyValue::dump):
1752         * ftl/FTLExitPropertyValue.h: Added.
1753         (JSC::FTL::ExitPropertyValue::ExitPropertyValue):
1754         (JSC::FTL::ExitPropertyValue::operator!):
1755         (JSC::FTL::ExitPropertyValue::location):
1756         (JSC::FTL::ExitPropertyValue::value):
1757         * ftl/FTLExitTimeObjectMaterialization.cpp: Added.
1758         (JSC::FTL::ExitTimeObjectMaterialization::ExitTimeObjectMaterialization):
1759         (JSC::FTL::ExitTimeObjectMaterialization::~ExitTimeObjectMaterialization):
1760         (JSC::FTL::ExitTimeObjectMaterialization::add):
1761         (JSC::FTL::ExitTimeObjectMaterialization::get):
1762         (JSC::FTL::ExitTimeObjectMaterialization::dump):
1763         * ftl/FTLExitTimeObjectMaterialization.h: Added.
1764         (JSC::FTL::ExitTimeObjectMaterialization::type):
1765         (JSC::FTL::ExitTimeObjectMaterialization::properties):
1766         * ftl/FTLExitValue.cpp:
1767         (JSC::FTL::ExitValue::materializeNewObject):
1768         (JSC::FTL::ExitValue::dumpInContext):
1769         * ftl/FTLExitValue.h:
1770         (JSC::FTL::ExitValue::isObjectMaterialization):
1771         (JSC::FTL::ExitValue::objectMaterialization):
1772         (JSC::FTL::ExitValue::withVirtualRegister):
1773         (JSC::FTL::ExitValue::valueFormat):
1774         * ftl/FTLLowerDFGToLLVM.cpp:
1775         (JSC::FTL::LowerDFGToLLVM::compileNode):
1776         (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
1777         (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
1778         (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
1779         (JSC::FTL::LowerDFGToLLVM::compileNewObject):
1780         (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
1781         (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
1782         (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
1783         (JSC::FTL::LowerDFGToLLVM::compileCheckStructureImmediate):
1784         (JSC::FTL::LowerDFGToLLVM::compileMaterializeNewObject):
1785         (JSC::FTL::LowerDFGToLLVM::checkStructure):
1786         (JSC::FTL::LowerDFGToLLVM::allocateCell):
1787         (JSC::FTL::LowerDFGToLLVM::storeStructure):
1788         (JSC::FTL::LowerDFGToLLVM::allocateObject):
1789         (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
1790         (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
1791         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
1792         (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
1793         (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
1794         (JSC::FTL::LowerDFGToLLVM::weakStructureID):
1795         (JSC::FTL::LowerDFGToLLVM::weakStructure):
1796         (JSC::FTL::LowerDFGToLLVM::availabilityMap):
1797         (JSC::FTL::LowerDFGToLLVM::availability): Deleted.
1798         * ftl/FTLOSRExit.h:
1799         * ftl/FTLOSRExitCompiler.cpp:
1800         (JSC::FTL::compileRecovery):
1801         (JSC::FTL::compileStub):
1802         * ftl/FTLOperations.cpp: Added.
1803         (JSC::FTL::operationNewObjectWithButterfly):
1804         (JSC::FTL::operationMaterializeObjectInOSR):
1805         * ftl/FTLOperations.h: Added.
1806         * ftl/FTLSwitchCase.h:
1807         (JSC::FTL::SwitchCase::SwitchCase):
1808         * runtime/JSObject.h:
1809         (JSC::JSObject::finishCreation):
1810         (JSC::JSFinalObject::JSFinalObject):
1811         (JSC::JSFinalObject::create):
1812         * runtime/Structure.cpp:
1813         (JSC::Structure::canUseForAllocationsOf):
1814         * runtime/Structure.h:
1815         * tests/stress/elidable-new-object-roflcopter-then-exit.js: Added.
1816         (sumOfArithSeries):
1817         (foo):
1818         * tests/stress/elide-new-object-dag-then-exit.js: Added.
1819         (sumOfArithSeries):
1820         (bar):
1821         (verify):
1822         (foo):
1823         * tests/stress/obviously-elidable-new-object-then-exit.js: Added.
1824         (sumOfArithSeries):
1825         (foo):
1826
1827 2014-09-25  Brian J. Burg  <burg@cs.washington.edu>
1828
1829         Web Replay: Check event loop input extents during replaying too
1830         https://bugs.webkit.org/show_bug.cgi?id=136316
1831
1832         Reviewed by Timothy Hatcher.
1833
1834         Sometimes we see different nondeterminism during capture and replay
1835         executions, so we should add determinism checks during replay too.
1836
1837         Move the withinEventLoopInputExtent flag to the base class, and tighten
1838         the assertion to address <http://webkit.org/b/133019>.
1839
1840         * replay/InputCursor.h:
1841         (JSC::InputCursor::InputCursor):
1842         (JSC::InputCursor::setWithinEventLoopInputExtent): Added.
1843         This assertion is slightly wrong because it does not account for nested run loops.
1844         We can be within two input extents when a nested run loop processes additional
1845         user inputs while the debugger is paused.
1846
        This should only be the case when execution is being neither captured nor
1848         replayed. The debugger should not pause when capturing, and we should not replay
1849         event loop inputs while in a nested run loop.
1850
1851         (JSC::InputCursor::withinEventLoopInputExtent): Added.
1852
1853 2014-09-25  Csaba Osztrogonác  <ossy@webkit.org>
1854
1855         Remove WinCE port from trunk
1856         https://bugs.webkit.org/show_bug.cgi?id=136951
1857
1858         Reviewed by Alex Christensen.
1859
1860         * assembler/ARMAssembler.h:
1861         (JSC::ARMAssembler::cacheFlush):
1862         * assembler/ARMv7Assembler.h:
1863         (JSC::ARMv7Assembler::cacheFlush):
1864         * config.h:
1865         * heap/MachineStackMarker.cpp:
1866         (JSC::MachineThreads::gatherFromCurrentThread):
1867         (JSC::MachineThreads::gatherFromOtherThread):
1868         (JSC::swapIfBackwards): Deleted.
1869         * jit/ExecutableAllocator.h:
1870         * jsc.cpp:
1871         (main):
1872         * runtime/DateConstructor.cpp:
1873         * runtime/Options.cpp:
1874         (JSC::overrideOptionWithHeuristic):
1875         * runtime/VM.cpp:
1876         (JSC::VM::VM):
1877         * testRegExp.cpp:
1878         (main):
1879         * tools/CodeProfiling.cpp:
1880         (JSC::CodeProfiling::notifyAllocator):
1881
1882 2014-09-24  Brian J. Burg  <burg@cs.washington.edu>
1883
1884         Web Inspector: subtract elapsed time while debugger is paused from profile nodes
1885         https://bugs.webkit.org/show_bug.cgi?id=136796
1886
1887         Reviewed by Timothy Hatcher.
1888
1889         Rather than accruing no time to any profile node created while the debugger is paused,
1890         we can instead count a node's elapsed time and exclude time elapsed while paused.
1891
1892         Time for a node may elapse in a non-contiguous fashion depending on the interleaving of
1893         didPause, didContinue, willExecute, and didExecute. A node's start time is set to the
1894         start of the last such interval that accrues elapsed time.
1895
1896         * profiler/ProfileGenerator.cpp:
1897         (JSC::ProfileGenerator::ProfileGenerator):
1898         (JSC::ProfileGenerator::beginCallEntry):
1899         (JSC::ProfileGenerator::endCallEntry):
1900         (JSC::ProfileGenerator::didPause): Added.
1901         (JSC::ProfileGenerator::didContinue): Added.
1902         * profiler/ProfileGenerator.h:
1903         (JSC::ProfileGenerator::didPause): Deleted.
1904         (JSC::ProfileGenerator::didContinue): Deleted.
1905         * profiler/ProfileNode.h: Rename totalTime to elapsedTime.
1906         (JSC::ProfileNode::Call::Call):
1907         (JSC::ProfileNode::Call::elapsedTime): Added.
1908         (JSC::ProfileNode::Call::setElapsedTime): Added.
1909         (JSC::CalculateProfileSubtreeDataFunctor::operator()):
1910         (JSC::ProfileNode::Call::totalTime): Deleted.
1911         (JSC::ProfileNode::Call::setTotalTime): Deleted.
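
Worked illustration of the elapsed-time accounting this entry describes (a node's time accrues in non-contiguous intervals, with the paused interval excluded). This is an added example and not WebKit's ProfileGenerator code; the PausableProfiler class, the runScenario helper and the timestamps in the scenario are constructed for the illustration.

```cpp
#include <cassert>
#include <vector>

// Added example, not WebKit's ProfileGenerator: a minimal model of profile
// call entries whose elapsed time excludes intervals spent paused in the
// debugger. Timestamps are plain doubles supplied by the caller.
struct CallEntry {
    double startTime = 0;   // start of the interval currently accruing time
    double elapsedTime = 0; // time accrued so far, excluding paused intervals
};

class PausableProfiler {
public:
    // willExecute: open a new entry. While paused it accrues nothing until
    // didContinue restarts its interval.
    void willExecute(double now)
    {
        CallEntry entry;
        entry.startTime = now;
        m_stack.push_back(entry);
    }

    // didExecute: close the top entry and return its elapsed time.
    double didExecute(double now)
    {
        CallEntry entry = m_stack.back();
        m_stack.pop_back();
        if (!m_paused)
            entry.elapsedTime += now - entry.startTime;
        return entry.elapsedTime;
    }

    // didPause: close the accruing interval of every open entry.
    void didPause(double now)
    {
        if (m_paused)
            return;
        m_paused = true;
        for (CallEntry& entry : m_stack)
            entry.elapsedTime += now - entry.startTime;
    }

    // didContinue: start a fresh accruing interval for every open entry.
    void didContinue(double now)
    {
        if (!m_paused)
            return;
        m_paused = false;
        for (CallEntry& entry : m_stack)
            entry.startTime = now;
    }

private:
    std::vector<CallEntry> m_stack;
    bool m_paused = false;
};

struct ScenarioResult {
    double inner;
    double outer;
};

// Constructed scenario: outer call begins at t=0, inner call at t=5, the
// debugger is paused from t=10 to t=30, inner returns at t=35, outer at t=40.
ScenarioResult runScenario()
{
    PausableProfiler profiler;
    profiler.willExecute(0);
    profiler.willExecute(5);
    profiler.didPause(10);
    profiler.didContinue(30);
    ScenarioResult result;
    result.inner = profiler.didExecute(35); // 5 before the pause + 5 after = 10
    result.outer = profiler.didExecute(40); // 10 before the pause + 10 after = 20
    return result;
}

int main()
{
    ScenarioResult result = runScenario();
    assert(result.inner == 10);
    assert(result.outer == 20);
    return 0;
}
```

Both open entries see the same pause: each has its current interval closed at didPause and reopened at didContinue, so the 20 seconds spent paused never reach either node's elapsed time.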
1912
1913 2014-09-24  Commit Queue  <commit-queue@webkit.org>
1914
1915         Unreviewed, rolling out r173839.
1916         https://bugs.webkit.org/show_bug.cgi?id=137062
1917
1918         NumberConstruct should no longer use static tables (Requested
1919         by dpino on #webkit).
1920
1921         Reverted changeset:
1922
1923         "Simple ES6 feature: Number constructor extras"
1924         https://bugs.webkit.org/show_bug.cgi?id=131707
1925         http://trac.webkit.org/changeset/173839
1926
1927 2014-09-23  Mark Lam  <mark.lam@apple.com>
1928
1929         DebuggerCallFrame::invalidate() should invalidate all DebuggerScope chains.
1930         <https://webkit.org/b/137045>
1931
1932         Reviewed by Geoffrey Garen.
1933
1934         DebuggerCallFrame::invalidate() currently invalidates all DebuggerCallFrames
1935         in the debugger stack, but only invalidates the DebuggerScope chain of the
1936         top most frame.  We should also invalidate all the DebuggerScope chains of
1937         the other frames in the debugger stack.
1938
1939         * debugger/DebuggerCallFrame.cpp:
1940         (JSC::DebuggerCallFrame::invalidate):
1941         * debugger/DebuggerScope.cpp:
1942         (JSC::DebuggerScope::invalidateChain):
1943
1944 2014-09-23  Mark Lam  <mark.lam@apple.com>
1945
1946         Renamed DebuggerCallFrameScope to DebuggerPausedScope.
1947         <https://webkit.org/b/137042>
1948
1949         Reviewed by Michael Saboff.
1950
1951         DebuggerPausedScope is a better name for this data structure because it
1952         is meant for tracking the period within which the debugger is paused,
1953         and doing clean ups after the pause ends.
1954
1955         * debugger/Debugger.cpp:
1956         (JSC::DebuggerPausedScope::DebuggerPausedScope):
1957         (JSC::DebuggerPausedScope::~DebuggerPausedScope):
1958         (JSC::Debugger::pauseIfNeeded):
1959         (JSC::DebuggerCallFrameScope::DebuggerCallFrameScope): Deleted.
1960         (JSC::DebuggerCallFrameScope::~DebuggerCallFrameScope): Deleted.
1961         * debugger/Debugger.h:
1962         * debugger/DebuggerCallFrame.h:
1963
1964 2014-09-23  Tomas Popela  <tpopela@redhat.com>
1965
1966         [CLoop] - Fix CLoop on the 32-bit Big-Endians
1967         https://bugs.webkit.org/show_bug.cgi?id=137020
1968
1969         Reviewed by Mark Lam.
1970
1971         * llint/LowLevelInterpreter.asm:
1972         * llint/LowLevelInterpreter32_64.asm:
1973
1974 2014-09-23  Joseph Pecoraro  <pecoraro@apple.com>
1975
1976         Web Inspector: Should be able to attach a debugger to a JSContext before anything is executed
1977         https://bugs.webkit.org/show_bug.cgi?id=136893
1978
1979         Reviewed by Timothy Hatcher.
1980
1981         Adds new remote inspector protocol handling for automatic inspection.
1982         Debuggers can signal they have enabled automatic inspection, and
1983         when debuggables are created the current application will pause to
1984         see if the debugger will inspect or decline to inspect the debuggable.
1985
1986         * inspector/remote/RemoteInspectorConstants.h:
1987         * inspector/remote/RemoteInspector.h:
1988         * inspector/remote/RemoteInspector.mm:
1989         (Inspector::globalAutomaticInspectionState):
1990         (Inspector::RemoteInspector::RemoteInspector):
1991         (Inspector::RemoteInspector::start):
1992         When first starting, check the global "is there an auto-inspect" debugger state.
1993         This is necessary so that the current application knows if it should pause or
1994         not when a debuggable is created, even without having connected to webinspectord yet.
1995
1996         (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate):
1997         When a debuggable has enabled remote inspection, take this path to propose
1998         it as an automatic inspection candidate if there is an auto-inspect debugger.
1999
2000         (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage):
2001         Send the automatic inspection candidate message.
2002
2003         (Inspector::RemoteInspector::receivedSetupMessage):
2004         (Inspector::RemoteInspector::setupFailed):
2005         (Inspector::RemoteInspector::setupSucceeded):
2006         After attempting to open an inspector, unpause if it was for the
2007         automatic inspection candidate.
2008
2009         (Inspector::RemoteInspector::waitingForAutomaticInspection):
2010         When running a nested runloop, check if we should remain paused.
2011
2012         (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
2013         If by the time we connect to webinspectord we have a candidate, then
2014         immediately send the candidate message.
2015
2016         (Inspector::RemoteInspector::stopInternal):
2017         (Inspector::RemoteInspector::xpcConnectionFailed):
2018         In error cases, clear our state.
2019
2020         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
2021         (Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage):
2022         (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage):
2023         Update state when receiving new messages.
2024
2025
2026         * inspector/remote/RemoteInspectorDebuggable.h:
2027         * inspector/remote/RemoteInspectorDebuggable.cpp:
2028         (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
2029         Special case when a debuggable is newly allowed to be debuggable.
2030
2031         (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection):
2032         Run a nested run loop while this is an automatic inspection candidate.
2033
2034         * inspector/JSGlobalObjectInspectorController.h:
2035         * inspector/JSGlobalObjectInspectorController.cpp:
2036         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2037         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
2038         When the inspector starts via automatic inspection automatically pause.
2039         We plan on removing this condition by having the frontend signal to the
2040         backend when it is completely initialized.
2041         
2042         * inspector/remote/RemoteInspectorDebuggableConnection.h:
2043         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
2044         (Inspector::RemoteInspectorDebuggableConnection::setup):
2045         Pass on the flag of whether or not this was automatic inspection.
2046
2047         * runtime/JSGlobalObjectDebuggable.h:
2048         * runtime/JSGlobalObjectDebuggable.cpp:
2049         (JSC::JSGlobalObjectDebuggable::connect):
2050         (JSC::JSGlobalObjectDebuggable::pauseWaitingForAutomaticInspection):
2051         When pausing in a JSGlobalObject we need to release the API lock.
2052
2053 2014-09-22  Filip Pizlo  <fpizlo@apple.com>
2054
2055         FTL allocatePropertyStorage code should involve less copy-paste
2056         https://bugs.webkit.org/show_bug.cgi?id=137006
2057
2058         Reviewed by Michael Saboff.
2059
2060         * ftl/FTLLowerDFGToLLVM.cpp:
2061         (JSC::FTL::LowerDFGToLLVM::allocatePropertyStorage):
2062         (JSC::FTL::LowerDFGToLLVM::reallocatePropertyStorage):
2063         (JSC::FTL::LowerDFGToLLVM::allocatePropertyStorageWithSizeImpl):
2064
2065 2014-09-22  Diego Pino Garcia  <dpino@igalia.com>
2066
2067         Simple ES6 feature: Number constructor extras
2068         https://bugs.webkit.org/show_bug.cgi?id=131707
2069
2070         Reviewed by Darin Adler.
2071
2072         * runtime/CommonIdentifiers.h: Added new identifiers.
2073         * runtime/NumberConstructor.cpp:
2074         (JSC::NumberConstructor::getOwnPropertySlot):
2075         (JSC::NumberConstructor::isFunction): Added.
2076         (JSC::numberConstructorEpsilonValue): Added.
2077         (JSC::numberConstructorNegInfinity): Added.
2078         (JSC::numberConstructorPosInfinity): Added.
2079         (JSC::numberConstructorMaxValue): Added.
2080         (JSC::numberConstructorMinValue): Added.
2081         (JSC::numberConstructorMaxSafeInteger): Added.
2082         (JSC::numberConstructorMinSafeInteger): Added.
2083         (JSC::numberConstructorFuncIsFinite): Added.
2084         (JSC::numberConstructorFuncIsInteger): Added.
2085         (JSC::numberConstructorFuncIsNaN): Added.
2086         (JSC::numberConstructorFuncIsSafeInteger): Added.
2087         * runtime/NumberConstructor.h:
2088
2089 2014-09-21  Filip Pizlo  <fpizlo@apple.com>
2090
2091         FTL should store the four bytes of the cell header using a 32-bit store rather than four 8-bit stores
2092         https://bugs.webkit.org/show_bug.cgi?id=136992
2093
2094         Reviewed by Sam Weinig.
2095         
2096         LLVM ought to be able to do this optimization for us given how the code was written, but
2097         any such lower-level attempts to optimize this would get into trouble with the weird
2098         object materialization logic I'll be introducing in bug 136330. So, this brings the
2099         merging of the byte stores into the FTL lowering so that we can control it explicitly.
2100
2101         * ftl/FTLAbstractHeap.h:
2102         (JSC::FTL::AbstractHeap::changeParent):
2103         * ftl/FTLAbstractHeapRepository.cpp:
2104         (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
2105         * ftl/FTLAbstractHeapRepository.h:
2106         * ftl/FTLLowerDFGToLLVM.cpp:
2107         (JSC::FTL::LowerDFGToLLVM::allocateCell):
2108
2109 2014-09-21  Saam Barati  <saambarati1@gmail.com>
2110
2111         Web Inspector: fix TypeSet hierarchy in TypeTokenView
2112         https://bugs.webkit.org/show_bug.cgi?id=136982
2113
2114         Reviewed by Joseph Pecoraro.
2115
2116         TypeSet was computing the set of type booleans in the Inspector::Protocol::Runtime::TypeSet 
2117         object incorrectly because it was calling TypeSet::doesTypeConformTo(T) which checks if the 
2118         type set has only been of type T. It now checks '(m_seenTypes & T) != TypeNothing' to see 
2119         if type T is in the set of seen types, but not the entire set itself.
2120
2121         * runtime/TypeSet.cpp:
2122         (JSC::TypeSet::inspectorTypeSet):
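
Illustration of the predicate mix-up this entry fixes: a "conforms to T" test (the set has been of type T and nothing else) is the wrong question when building a per-type boolean list, where the membership test '(m_seenTypes & T) != TypeNothing' is needed. This is an added example and not JSC's TypeSet; the TypeSet class below, its bit assignments and the helper functions are constructed for the illustration.

```cpp
#include <cassert>
#include <cstdint>

// Added example, not JSC's TypeSet: a bitmask of the runtime types a value
// has been observed with, and the two predicates the entry contrasts. The
// bit assignments are constructed for this example.
typedef uint32_t RuntimeTypeMask;
enum : RuntimeTypeMask {
    TypeNothing   = 0x00,
    TypeUndefined = 0x01,
    TypeNull      = 0x02,
    TypeBoolean   = 0x04,
    TypeInteger   = 0x08,
    TypeNumber    = 0x10,
    TypeString    = 0x20,
    TypeObject    = 0x40
};

static const RuntimeTypeMask allTypes[] = {
    TypeUndefined, TypeNull, TypeBoolean, TypeInteger, TypeNumber, TypeString, TypeObject
};

class TypeSet {
public:
    void recordSeen(RuntimeTypeMask type) { m_seenTypes |= type; }

    // True only if every observed type lies within `type`, i.e. the value has
    // only ever been of that type. The wrong question for per-type flags.
    bool doesTypeConformTo(RuntimeTypeMask type) const
    {
        return m_seenTypes != TypeNothing && (m_seenTypes & ~type) == TypeNothing;
    }

    // True if `type` is among the observed types, whatever else was seen.
    bool hasSeen(RuntimeTypeMask type) const
    {
        return (m_seenTypes & type) != TypeNothing;
    }

    // Number of per-type flags that come out true when the per-type boolean
    // list is built with one predicate or the other.
    unsigned reportedTypeCount(bool useConformsTo) const
    {
        unsigned count = 0;
        for (RuntimeTypeMask type : allTypes) {
            bool flag = useConformsTo ? doesTypeConformTo(type) : hasSeen(type);
            if (flag)
                ++count;
        }
        return count;
    }

private:
    RuntimeTypeMask m_seenTypes = TypeNothing;
};

// A value seen as both a boolean and an integer: the conforms-to predicate
// reports no types at all, the membership test reports both.
unsigned flagsWithConformsTo()
{
    TypeSet set;
    set.recordSeen(TypeBoolean);
    set.recordSeen(TypeInteger);
    return set.reportedTypeCount(true); // 0
}

unsigned flagsWithMembership()
{
    TypeSet set;
    set.recordSeen(TypeBoolean);
    set.recordSeen(TypeInteger);
    return set.reportedTypeCount(false); // 2
}

int main()
{
    assert(flagsWithConformsTo() == 0);
    assert(flagsWithMembership() == 2);
    return 0;
}
```

With a single observed type the two predicates agree, which is why the mistake only shows once a value has been seen with more than one type.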
2123
2124 2014-09-21  Filip Pizlo  <fpizlo@apple.com>
2125
2126         Structure should have a method for concurrently getting all of the property map entries, and this method shouldn't involve copy-paste
2127         https://bugs.webkit.org/show_bug.cgi?id=136983
2128
2129         Reviewed by Mark Hahnenberg.
2130
2131         * runtime/PropertyMapHashTable.h:
2132         (JSC::PropertyMapEntry::PropertyMapEntry): Moved PropertyMapEntry struct to Structure.h so that Structure can refer to it.
2133         * runtime/Structure.cpp:
2134         (JSC::Structure::getConcurrently): Switch to using the new forEachPropertyConcurrently() method.
2135         (JSC::Structure::getPropertiesConcurrently): The subject of this patch. It will be useful for object allocation sinking (bug 136330).
2136         (JSC::Structure::dump): Switch to using the new forEachPropertyConcurrently() method.
2137         * runtime/Structure.h:
2138         (JSC::PropertyMapEntry::PropertyMapEntry): Moved from PropertyMapHashTable.h.
2139         * runtime/StructureInlines.h:
2140         (JSC::Structure::forEachPropertyConcurrently): Capture this very common concurrent structure iteration pattern into a template method.
2141
2142 2014-09-21  Filip Pizlo  <fpizlo@apple.com>
2143
2144         Structure::getConcurrently() doesn't need to take a VM& argument.
2145
2146         Rubber stamped by Dan Bernstein.
2147         
2148         Removed the extra argument, and then removed similar arguments from other methods until
2149         I could build successfully again. It turned out that many methods took a VM& argument
2150         just for calling getConcurrently().
2151
2152         * bytecode/CodeBlock.cpp:
2153         (JSC::dumpStructure):
2154         (JSC::dumpChain):
2155         (JSC::CodeBlock::printGetByIdCacheStatus):
2156         (JSC::CodeBlock::printPutByIdCacheStatus):
2157         * bytecode/ComplexGetStatus.cpp:
2158         (JSC::ComplexGetStatus::computeFor):
2159         * bytecode/GetByIdStatus.cpp:
2160         (JSC::GetByIdStatus::computeFromLLInt):
2161         (JSC::GetByIdStatus::computeForStubInfo):
2162         (JSC::GetByIdStatus::computeFor):
2163         * bytecode/GetByIdStatus.h:
2164         * bytecode/PutByIdStatus.cpp:
2165         (JSC::PutByIdStatus::computeFromLLInt):
2166         (JSC::PutByIdStatus::computeForStubInfo):
2167         (JSC::PutByIdStatus::computeFor):
2168         * bytecode/PutByIdStatus.h:
2169         * dfg/DFGAbstractInterpreterInlines.h:
2170         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2171         * dfg/DFGByteCodeParser.cpp:
2172         (JSC::DFG::ByteCodeParser::parseBlock):
2173         * dfg/DFGConstantFoldingPhase.cpp:
2174         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2175         * dfg/DFGFixupPhase.cpp:
2176         (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
2177         * runtime/IntendedStructureChain.cpp:
2178         (JSC::IntendedStructureChain::mayInterceptStoreTo):
2179         * runtime/IntendedStructureChain.h:
2180         * runtime/Structure.cpp:
2181         (JSC::Structure::getConcurrently):
2182         * runtime/Structure.h:
2183         * runtime/StructureInlines.h:
2184         (JSC::Structure::getConcurrently):
2185
2186 2014-09-20  Filip Pizlo  <fpizlo@apple.com>
2187
2188         FTL OSRExit construction should be based on methods that return ExitValues rather than methods that add ExitValues to OSRExit
2189         https://bugs.webkit.org/show_bug.cgi?id=136978
2190
2191         Reviewed by Dean Jackson.
2192
2193         * ftl/FTLLowerDFGToLLVM.cpp:
2194         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
2195         (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
2196         (JSC::FTL::LowerDFGToLLVM::exitArgument):
2197         (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode): Deleted.
2198         (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument): Deleted.
2199         (JSC::FTL::LowerDFGToLLVM::addExitArgument): Deleted.
2200
2201 2014-09-20  Filip Pizlo  <fpizlo@apple.com>
2202
2203         FTL OSR exit should do reboxing and value recovery in the same pass
2204         https://bugs.webkit.org/show_bug.cgi?id=136977
2205
2206         Reviewed by Oliver Hunt.
2207         
2208         It's conceptually simpler to have all of the logic in one place. After the
2209         recover-and-rebox loop is done, all of the exit values are in the form that the baseline
2210         JIT would want them to be in; the only remaining task is to move them into the right
2211         place on the stack after we do all of the necessary stack adjustments.
2212
2213         * ftl/FTLOSRExitCompiler.cpp:
2214         (JSC::FTL::compileStub):
2215
2216 2014-09-19  Filip Pizlo  <fpizlo@apple.com>
2217
2218         StorageAccessData should be referenced in a sensible way
2219         https://bugs.webkit.org/show_bug.cgi?id=136963
2220
2221         Reviewed and rubber stamped by Michael Saboff.
2222
2223         * dfg/DFGAbstractInterpreterInlines.h:
2224         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2225         * dfg/DFGByteCodeParser.cpp:
2226         (JSC::DFG::ByteCodeParser::handleGetByOffset):
2227         (JSC::DFG::ByteCodeParser::handlePutByOffset):
2228         (JSC::DFG::ByteCodeParser::handlePutById):
2229         * dfg/DFGClobberize.h:
2230         (JSC::DFG::clobberize):
2231         * dfg/DFGConstantFoldingPhase.cpp:
2232         (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
2233         (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
2234         * dfg/DFGGraph.cpp:
2235         (JSC::DFG::Graph::dump):
2236         * dfg/DFGGraph.h:
2237         * dfg/DFGNode.h:
2238         (JSC::DFG::Node::convertToGetByOffset):
2239         (JSC::DFG::Node::convertToPutByOffset):
2240         (JSC::DFG::Node::storageAccessData):
2241         (JSC::DFG::Node::storageAccessDataIndex): Deleted.
2242         * dfg/DFGSafeToExecute.h:
2243         (JSC::DFG::safeToExecute):
2244         * dfg/DFGSpeculativeJIT32_64.cpp:
2245         (JSC::DFG::SpeculativeJIT::compile):
2246         * dfg/DFGSpeculativeJIT64.cpp:
2247         (JSC::DFG::SpeculativeJIT::compile):
2248         * ftl/FTLLowerDFGToLLVM.cpp:
2249         (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
2250         (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
2251
2252 2014-09-19  Ryosuke Niwa  <rniwa@webkit.org>
2253
2254         Leak of mallocs under StructureSet::OutOfLineList::create
2255         https://bugs.webkit.org/show_bug.cgi?id=136970
2256
2257         Reviewed by Filip Pizlo.
2258
2259         addOutOfLine should free the old list when expanding the capacity.
2260
2261         * bytecode/StructureSet.cpp:
2262         (JSC::StructureSet::addOutOfLine):
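
Illustration of the leak pattern this entry fixes: a malloc-backed out-of-line list that doubles on growth must release the old block after copying its entries, otherwise every expansion orphans one allocation. This is an added example and not JSC's StructureSet; the OutOfLineList and PointerSet types, the live-allocation counter and the orphan record are constructed for the illustration so the leak can be measured and then cleaned up.

```cpp
#include <cassert>
#include <cstdlib>
#include <cstring>
#include <vector>

// Added example, not JSC's StructureSet: a malloc-backed out-of-line list of
// pointers with grow-on-demand append. The live-allocation counter and the
// orphan record are constructed for the example; the bug the entry describes
// simply dropped the old pointer on growth.
struct OutOfLineList;
static int g_liveLists = 0;
static std::vector<OutOfLineList*> g_orphans;

struct OutOfLineList {
    unsigned length;
    unsigned capacity;

    // Storage for `capacity` pointers follows the header in the same block.
    void** entries()
    {
        return reinterpret_cast<void**>(reinterpret_cast<char*>(this) + sizeof(OutOfLineList));
    }

    static OutOfLineList* create(unsigned capacity)
    {
        void* block = std::malloc(sizeof(OutOfLineList) + capacity * sizeof(void*));
        OutOfLineList* list = static_cast<OutOfLineList*>(block);
        list->length = 0;
        list->capacity = capacity;
        ++g_liveLists;
        return list;
    }

    static void destroy(OutOfLineList* list)
    {
        std::free(list);
        --g_liveLists;
    }
};

class PointerSet {
public:
    ~PointerSet()
    {
        if (m_list)
            OutOfLineList::destroy(m_list);
    }

    // Append, doubling capacity when full. With freeOldOnGrow the old block is
    // released after its entries are copied; without it (the bug) the block is
    // orphaned, recorded here only so the example can account for it later.
    void addOutOfLine(void* value, bool freeOldOnGrow)
    {
        if (!m_list)
            m_list = OutOfLineList::create(4);
        if (m_list->length == m_list->capacity) {
            OutOfLineList* bigger = OutOfLineList::create(m_list->capacity * 2);
            std::memcpy(bigger->entries(), m_list->entries(), m_list->length * sizeof(void*));
            bigger->length = m_list->length;
            if (freeOldOnGrow)
                OutOfLineList::destroy(m_list);
            else
                g_orphans.push_back(m_list);
            m_list = bigger;
        }
        m_list->entries()[m_list->length++] = value;
    }

    unsigned size() const { return m_list ? m_list->length : 0; }

private:
    OutOfLineList* m_list = nullptr;
};

// Append `count` entries into a scoped set and report how many lists remain
// allocated once the set is destroyed: 0 when the old list is freed on growth.
int listsLeakedByAppending(unsigned count, bool freeOldOnGrow)
{
    int before = g_liveLists;
    {
        PointerSet set;
        static int sentinel;
        for (unsigned i = 0; i < count; ++i)
            set.addOutOfLine(&sentinel, freeOldOnGrow);
        assert(set.size() == count);
    }
    return g_liveLists - before;
}

// Release the orphaned blocks recorded by the leaky path.
void freeOrphans()
{
    for (OutOfLineList* list : g_orphans)
        OutOfLineList::destroy(list);
    g_orphans.clear();
}

int main()
{
    assert(listsLeakedByAppending(20, true) == 0);
    assert(listsLeakedByAppending(20, false) == 3); // grown at 4, 8 and 16 entries
    freeOrphans();
    assert(g_liveLists == 0);
    return 0;
}
```

Appending 20 entries grows the list three times (at 4, 8 and 16 entries), so the leaky variant leaves exactly three blocks behind while the fixed variant leaves none; counting allocations this way is also how such a leak is confirmed under a leak checker.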
2263
2264 2014-09-19  Daniel Bates  <dabates@apple.com>
2265
2266         Always assume internal SDK when building configuration Production
2267         https://bugs.webkit.org/show_bug.cgi?id=136925
2268         <rdar://problem/18362399>
2269
2270         Reviewed by Dan Bernstein.
2271
2272         As a side effect of this change we will always enable ENABLE_TOUCH_EVENTS, ENABLE_IOS_{GESTURE, TOUCH}_EVENTS,
2273         and ENABLE_XSLT when either building configuration Production or building with the Internal SDK.
2274
2275         * Configurations/Base.xcconfig:
2276
2277 2014-09-19  Diego Pino Garcia  <dpino@igalia.com>
2278
2279         Simple ES6 feature: String prototype additions
2280         https://bugs.webkit.org/show_bug.cgi?id=131704
2281
2282         Reviewed by Darin Adler.
2283
2284         * runtime/StringPrototype.cpp:
2285         (JSC::StringPrototype::finishCreation):
2286         (JSC::stringProtoFuncStartsWith): Added.
2287         (JSC::stringProtoFuncEndsWith): Added.
2288         (JSC::stringProtoFuncContains): Added.
2289
2290 2014-09-18  Joseph Pecoraro  <pecoraro@apple.com>
2291
2292         Unreviewed rollout r173731. Broke multiple builds.
2293
2294         * inspector/JSGlobalObjectInspectorController.cpp:
2295         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2296         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
2297         * inspector/JSGlobalObjectInspectorController.h:
2298         * inspector/remote/RemoteInspector.h:
2299         * inspector/remote/RemoteInspector.mm:
2300         (Inspector::RemoteInspector::RemoteInspector):
2301         (Inspector::RemoteInspector::setupFailed):
2302         (Inspector::RemoteInspector::start):
2303         (Inspector::RemoteInspector::stopInternal):
2304         (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
2305         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
2306         (Inspector::RemoteInspector::xpcConnectionFailed):
2307         (Inspector::RemoteInspector::receivedSetupMessage):
2308         (Inspector::globalAutomaticInspectionState): Deleted.
2309         (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate): Deleted.
2310         (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage): Deleted.
2311         (Inspector::RemoteInspector::setupSucceeded): Deleted.
2312         (Inspector::RemoteInspector::waitingForAutomaticInspection): Deleted.
2313         (Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage): Deleted.
2314         (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage): Deleted.
2315         * inspector/remote/RemoteInspectorConstants.h:
2316         * inspector/remote/RemoteInspectorDebuggable.cpp:
2317         (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
2318         (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection): Deleted.
2319         * inspector/remote/RemoteInspectorDebuggable.h:
2320         * inspector/remote/RemoteInspectorDebuggableConnection.h:
2321         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
2322         (Inspector::RemoteInspectorDebuggableConnection::setup):
2323         * runtime/JSGlobalObjectDebuggable.cpp:
2324         (JSC::JSGlobalObjectDebuggable::connect):
2325         (JSC::JSGlobalObjectDebuggable::pauseWaitingForAutomaticInspection): Deleted.
2326         * runtime/JSGlobalObjectDebuggable.h:
2327
2328 2014-09-18  Joseph Pecoraro  <pecoraro@apple.com>
2329
2330         Web Inspector: Should be able to attach a debugger to a JSContext before anything is executed
2331         https://bugs.webkit.org/show_bug.cgi?id=136893
2332
2333         Reviewed by Timothy Hatcher.
2334
2335         Adds new remote inspector protocol handling for automatic inspection.
2336         Debuggers can signal they have enabled automatic inspection, and
2337         when debuggables are created the current application will pause to
2338         see if the debugger will inspect or decline to inspect the debuggable.
2339
2340         * inspector/remote/RemoteInspectorConstants.h:
2341         * inspector/remote/RemoteInspector.h:
2342         * inspector/remote/RemoteInspector.mm:
2343         (Inspector::globalAutomaticInspectionState):
2344         (Inspector::RemoteInspector::RemoteInspector):
2345         (Inspector::RemoteInspector::start):
2346         When first starting, check the global "is there an auto-inspect" debugger state.
2347         This is necessary so that the current application knows if it should pause or
2348         not when a debuggable is created, even without having connected to webinspectord yet.
2349
2350         (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate):
2351         When a debuggable has enabled remote inspection, take this path to propose
2352         it as an automatic inspection candidate if there is an auto-inspect debugger.
2353
2354         (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage):
2355         Send the automatic inspection candidate message.
2356
2357         (Inspector::RemoteInspector::receivedSetupMessage):
2358         (Inspector::RemoteInspector::setupFailed):
2359         (Inspector::RemoteInspector::setupSucceeded):
2360         After attempting to open an inspector, unpause if it was for the
2361         automatic inspection candidate.
2362
2363         (Inspector::RemoteInspector::waitingForAutomaticInspection):
2364         When running a nested runloop, check if we should remain paused.
2365
2366         (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
2367         If by the time we connect to webinspectord we have a candidate, then
2368         immediately send the candidate message.
2369
2370         (Inspector::RemoteInspector::stopInternal):
2371         (Inspector::RemoteInspector::xpcConnectionFailed):
2372         In error cases, clear our state.
2373
2374         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
2375         (Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage):
2376         (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage):
2377         Update state when receiving new messages.
2378
2379
2380         * inspector/remote/RemoteInspectorDebuggable.h:
2381         * inspector/remote/RemoteInspectorDebuggable.cpp:
2382         (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
2383         Special case when a debuggable is newly allowed to be debuggable.
2384
2385         (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection):
2386         Run a nested run loop while this is an automatic inspection candidate.
2387
2388         * inspector/JSGlobalObjectInspectorController.h:
2389         * inspector/JSGlobalObjectInspectorController.cpp:
2390         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2391         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
2392         When the inspector starts via automatic inspection automatically pause.
2393         We plan on removing this condition by having the frontend signal to the
2394         backend when it is completely initialized.
2395         
2396         * inspector/remote/RemoteInspectorDebuggableConnection.h:
2397         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
2398         (Inspector::RemoteInspectorDebuggableConnection::setup):
2399         Pass on the flag of whether or not this was automatic inspection.
2400
2401         * runtime/JSGlobalObjectDebuggable.h:
2402         * runtime/JSGlobalObjectDebuggable.cpp:
2403         (JSC::JSGlobalObjectDebuggable::connect):
2404         (JSC::JSGlobalObjectDebuggable::pauseWaitingForAutomaticInspection):
2405         When pausing in a JSGlobalObject we need to release the API lock.
2406
2407 2014-09-18  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>
2408
2409         Fix "Tools/Scripts/build-webkit --efl --no-inspector" build
2410         https://bugs.webkit.org/show_bug.cgi?id=136912
2411
2412         Reviewed by Darin Adler.
2413
2414         * runtime/TypeSet.cpp:
2415         (JSC::TypeSet::leastCommonAncestor):
2416
2417 2014-09-17  Michael Saboff  <msaboff@apple.com>
2418
2419         Change CallFrame to use Callee instead of JSScope to implement vm()
2420         https://bugs.webkit.org/show_bug.cgi?id=136894
2421
2422         Reviewed by Geoffrey Garen.
2423
2424         Added JSCell::vm() method that can be used on any JSObject.  Changed CallFrame::vm() to
2425         use JSCell::vm with the Callee.  Made similar changes in the LLInt.
2426         In support of this, changed JSGlobalObject::init() to take a VM& parameter, as there is
2427         a chicken/egg problem with trying to use the Callee in the global exec before the Callee
2428         has been created.  Besides, the vm is readily available in finishCreation(), the caller of
2429         init().
2430
2431         * llint/LowLevelInterpreter32_64.asm:
2432         * llint/LowLevelInterpreter64.asm:
2433         Changed the calculation of CallFrame::VM to use the Callee instead of JSScope.
2434
2435         * runtime/JSCell.h:
2436         * runtime/JSCellInlines.h:
2437         (JSC::JSCell::vm): New method for getting VM from the pointer.
2438         (JSC::ExecState::vm): Moved this method from JSScope.h to here since this file
2439         contains the implementation of JSCell::vm(), this file is included by all users
2440         of CallFrame::vm, and lastly putting it in CallFrameInlines.h required changing
2441         many other .h files and possibly the WebCore generator generate-bindings.pl.
2442
2443         * runtime/JSGlobalObject.cpp:
2444         (JSC::JSGlobalObject::init):
2445         * runtime/JSGlobalObject.h:
2446         (JSC::JSGlobalObject::finishCreation):
2447         Changed init() to take a VM parameter.
2448
2449         * runtime/JSScope.h:
2450         (JSC::ExecState::vm): Deleted.
2451
2452 2014-09-16  Filip Pizlo  <fpizlo@apple.com>
2453
2454         Unreviewed, disable native inlining because it causes build failures.
2455
2456         * JavaScriptCore.xcodeproj/project.pbxproj:
2457
2458 2014-09-16  Joseph Pecoraro  <pecoraro@apple.com>
2459
2460         Web Inspector: Reduce a bit of churn setting initial remote inspection state
2461         https://bugs.webkit.org/show_bug.cgi?id=136875
2462
2463         Reviewed by Timothy Hatcher.
2464
2465         * API/JSContextRef.cpp:
2466         (JSGlobalContextCreateInGroup):
2467         Set the default remote debuggable state at the API boundary.
2468
2469         * runtime/JSGlobalObject.cpp:
2470         (JSC::JSGlobalObject::init):
2471         Do not set remote debuggable state here. Let clients set it.
2472
2473 2014-09-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2474
2475         Promise: Drop Promise.cast
2476         https://bugs.webkit.org/show_bug.cgi?id=136222
2477
2478         Reviewed by Sam Weinig.
2479
2480         Promise.cast is dropped and Promise.resolve is replaced with old Promise.cast.
2481
2482         * runtime/CommonIdentifiers.h:
2483         * runtime/JSPromiseConstructor.cpp:
2484         (JSC::JSPromiseConstructorFuncResolve):
2485         (JSC::JSPromiseConstructorFuncRace):
2486         (JSC::JSPromiseConstructorFuncAll):
2487         (JSC::JSPromiseConstructorFuncCast): Deleted.
2488
2489 2014-09-16  Filip Pizlo  <fpizlo@apple.com>
2490
2491         Local OSR availability calculation should be reusable
2492         https://bugs.webkit.org/show_bug.cgi?id=136860
2493
2494         Reviewed by Oliver Hunt.
2495         
2496         Previously, the FTL lowering repeated some of the logic of the OSR availability analysis
2497         phase. Humorously, it actually did this logic a bit differently; for example the phase
2498         would claim that a SetLocal makes both the flush and the node available while the FTL
2499         only claimed that the flush was available. This difference was benign, but still: yuck!
2500         
2501         Also, previously if you wanted to use availability information then you'd have to repeat
2502         some of the logic that both the phase itself and the FTL lowering already had.
2503         Presumably, you could get epic style points for finding other benign ways in which to
2504         make your copy of the logic different from the other two!
2505         
2506         This reduces the amount of style points one could conceivably get in the future when
2507         hacking JSC, by creating a single reusable thingy for computing local OSR availability.
2508
2509         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2510         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
2511         (JSC::DFG::LocalOSRAvailabilityCalculator::LocalOSRAvailabilityCalculator):
2512         (JSC::DFG::LocalOSRAvailabilityCalculator::~LocalOSRAvailabilityCalculator):
2513         (JSC::DFG::LocalOSRAvailabilityCalculator::beginBlock):
2514         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
2515         * dfg/DFGOSRAvailabilityAnalysisPhase.h:
2516         * ftl/FTLLowerDFGToLLVM.cpp:
2517         (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
2518         (JSC::FTL::LowerDFGToLLVM::compileBlock):
2519         (JSC::FTL::LowerDFGToLLVM::compileNode):
2520         (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
2521         (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
2522         (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
2523         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
2524         (JSC::FTL::LowerDFGToLLVM::availability):
2525         (JSC::FTL::LowerDFGToLLVM::compileMovHint): Deleted.
2526         (JSC::FTL::LowerDFGToLLVM::compileZombieHint): Deleted.
2527         (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock): Deleted.
2528
2529 2014-09-16  Csaba Osztrogonác  <ossy@webkit.org>
2530
2531         JSC test gardening
2532         https://bugs.webkit.org/show_bug.cgi?id=136823
2533
2534         Reviewed by Geoffrey Garen.
2535
2536         * tests/mozilla/mozilla-tests.yaml: Unskip passing tests.
2537
2538 2014-09-15  Michael Saboff  <msaboff@apple.com>
2539
2540         Create a JSCallee for GlobalExec object
2541         https://bugs.webkit.org/show_bug.cgi?id=136840
2542
2543         Reviewed by Geoffrey Garen.
2544
2545         Added m_globalCallee, initialized it and then used it to set the globalExec's callee.
2546
2547         * runtime/JSGlobalObject.cpp:
2548         (JSC::JSGlobalObject::init):
2549         (JSC::JSGlobalObject::visitChildren):
2550         * runtime/JSGlobalObject.h:
2551
2552 2014-09-14  Filip Pizlo  <fpizlo@apple.com>
2553
2554         DFG ref count calculation should be reusable
2555         https://bugs.webkit.org/show_bug.cgi?id=136811
2556
2557         Reviewed by Oliver Hunt.
2558         
2559         Henceforth if you call Graph::computeRefCounts(), a nifty O(n) operation, every Node
2560         will be able to tell you how many places it is used from. Currently only DCE uses this,
2561         but it will be useful for https://bugs.webkit.org/show_bug.cgi?id=136330.
2562
2563         * dfg/DFGDCEPhase.cpp:
2564         (JSC::DFG::DCEPhase::run):
2565         (JSC::DFG::DCEPhase::findTypeCheckRoot): Deleted.
2566         (JSC::DFG::DCEPhase::countNode): Deleted.
2567         (JSC::DFG::DCEPhase::countEdge): Deleted.
2568         * dfg/DFGGraph.cpp:
2569         (JSC::DFG::Graph::computeRefCounts):
2570         * dfg/DFGGraph.h:
2571
2572 2014-09-12  Michael Saboff  <msaboff@apple.com>
2573
2574         Merge JSGlobalObject::reset() into ::init()
2575         https://bugs.webkit.org/show_bug.cgi?id=136800
2576
2577         Reviewed by Oliver Hunt.
2578
2579         Moved the contents of reset() into init().
2580         Note that the diff shows more changes.
2581
2582         * runtime/JSGlobalObject.cpp:
2583         (JSC::JSGlobalObject::init): Moved body of reset() into init.
2584         (JSC::JSGlobalObject::put):
2585         (JSC::JSGlobalObject::defineOwnProperty):
2586         (JSC::JSGlobalObject::addGlobalVar):
2587         (JSC::JSGlobalObject::addFunction):
2588         (JSC::lastInPrototypeChain):
2589         (JSC::JSGlobalObject::reset): Deleted.
2590         * runtime/JSGlobalObject.h:
2591
2592 2014-09-12  Michael Saboff  <msaboff@apple.com>
2593
2594         Add JSCallee to program and eval CallFrames
2595         https://bugs.webkit.org/show_bug.cgi?id=136785
2596
2597         Reviewed by Mark Lam.
2598
2599         Populated Callee slot for program and call eval CallFrames with JSCallee objects.
2600         Made supporting changes including adding a JSCallee structure to global object and adding
2601         JSCallee::create() method.  Added code so that the newly added callee object won't be
2602         returned by Function.caller.  Changed null pointer checks of callee to check if
2603         the type is JSFunction* or JSCallee*.
2604
2605         * debugger/DebuggerCallFrame.cpp:
2606         (JSC::DebuggerCallFrame::functionName):
2607         (JSC::DebuggerCallFrame::type):
2608         * profiler/LegacyProfiler.cpp:
2609         (JSC::LegacyProfiler::createCallIdentifier):
2610         * interpreter/Interpreter.cpp:
2611         (JSC::unwindCallFrame):
2612         Changed checks to test whether callee is a JSFunction* or JSCallee* instead of just checking
2613         if it is null or not.
2614
2615         * interpreter/Interpreter.cpp:
2616         (JSC::Interpreter::execute): Create and use JSCallee objects for execute(EvalExecutable, ...)
2617         and execute(ProgramExecutable, ...)
2618
2619         * jit/JITCode.cpp:
2620         (JSC::JITCode::execute): Use jsDynamicCast to cast only JSFunctions.
2621
2622         * runtime/JSCallee.cpp:
2623         (JSC::JSCallee::create): Not used, therefore deleted.
2624
2625         * runtime/JSCallee.h:
2626         (JSC::JSCallee::create): Added.
2627
2628         * runtime/JSFunction.cpp:
2629         (JSC::JSFunction::callerGetter): Added test to return null for JSCallees that aren't
2630         JSFunctions.  This can only be the case when the JSCallee comes from a program or
2631         call eval CallFrame.
2632
2633         * runtime/JSGlobalObject.cpp:
2634         (JSC::JSGlobalObject::reset):
2635         (JSC::JSGlobalObject::visitChildren):
2636         * runtime/JSGlobalObject.h:
2637         (JSC::JSGlobalObject::calleeStructure):
2638         Added new JSCallee structure.
2639
2640 2014-09-10  Jon Honeycutt  <jhoneycutt@apple.com>
2641
2642         Re-add the request autocomplete feature
2643
2644         <https://bugs.webkit.org/show_bug.cgi?id=136730>
2645
2646         This feature was rolled out in r148731 because it was only used by
2647         Chromium. As we consider supporting this feature, roll it back in, but
2648         leave it disabled.
2649
2650         This rolls out r148731 (which removed the feature) with small changes
2651         needed to make the code build in ToT, to match modern style, to make
2652         the tests run, and to remove unused code.
2653
2654         Reviewed by Andy Estes.
2655
2656         * Configurations/FeatureDefines.xcconfig:
2657
2658 2014-09-12  Julien Brianceau  <jbriance@cisco.com>
2659
2660         [x86] moveDoubleToInts() does not clobber its source register anymore
2661         https://bugs.webkit.org/show_bug.cgi?id=131690
2662
2663         Reviewed by Oliver Hunt.
2664
2665         * assembler/MacroAssemblerX86.h:
2666         (JSC::MacroAssemblerX86::moveDoubleToInts):
2667         * dfg/DFGSpeculativeJIT.cpp:
2668         (JSC::DFG::SpeculativeJIT::compileValueRep):
2669         * jit/SpecializedThunkJIT.h:
2670         (JSC::SpecializedThunkJIT::returnDouble):
2671
2672 2014-09-12  Mark Lam  <mark.lam@apple.com>
2673
2674         Unreviewed build fix for CLOOP build.
2675
2676         * runtime/JSCallee.h:
2677
2678 2014-09-12  Michael Saboff  <msaboff@apple.com>
2679
2680         Remove unneeded declarations from JSCallee.h
2681         https://bugs.webkit.org/show_bug.cgi?id=136783
2682
2683         Reviewed by Mark Lam.
2684
2685         * runtime/JSCallee.h:
2686         (JSCallee::name): Deleted.
2687         (JSCallee::displayName): Deleted.
2688         (JSCallee::calculatedDisplayName): Deleted.
2689
2690 2014-09-11  Brian J. Burg  <burg@cs.washington.edu>
2691
2692         Web Inspector: disambiguate double and integer primitive types in the protocol
2693         https://bugs.webkit.org/show_bug.cgi?id=136606
2694
2695         Reviewed by Timothy Hatcher.
2696
2697         Right now it's really easy to mix up doubles and integers when serializing or deserializing
2698         values for the inspector protocol. This patch disambiguates setting/getting doubles and integers
2699         so that it is clearer as to which type is intended.
2700
2701         A new InspectorValue::Type is added for Integer types, and the Number type is renamed to Double.
2702         The existing callsites for asNumber/getNumber/setNumber have been fixed.
2703
2704         Address various integration points to make sure the right type tag is assigned to InspectorValues.
2705
2706         * bindings/ScriptValue.cpp:
2707         (Deprecated::jsToInspectorValue): Make an Integer if the JSValue is Int52 or smaller.
2708         * inspector/InjectedScriptManager.cpp:
2709         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
2710         * inspector/InspectorBackendDispatcher.cpp:
2711         (Inspector::InspectorBackendDispatcher::dispatch):
2712         (Inspector::InspectorBackendDispatcher::sendResponse):
2713         (Inspector::InspectorBackendDispatcher::reportProtocolError):
2714         (Inspector::AsMethodBridges::asInteger):
2715         (Inspector::AsMethodBridges::asDouble):
2716         (Inspector::InspectorBackendDispatcher::getInteger):
2717         (Inspector::InspectorBackendDispatcher::getDouble):
2718         (Inspector::AsMethodBridges::asInt): Deleted.
2719         (Inspector::InspectorBackendDispatcher::getInt): Deleted.
2720         * inspector/InspectorBackendDispatcher.h:
2721         * inspector/InspectorProtocolTypes.h: Remove the special case for checking int type tags.
2722         (Inspector::Protocol::ArrayItemHelper<int>::Traits::pushRaw):
2723         (Inspector::Protocol::ArrayItemHelper<double>::Traits::pushRaw):
2724         (Inspector::Protocol::BindingTraits<int>::assertValueHasExpectedType): Deleted.
2725         * inspector/InspectorValues.cpp: Allow integers and doubles to be convertible using asInteger/asDouble.
2726         (Inspector::InspectorValue::asDouble):
2727         (Inspector::InspectorValue::asInteger):
2728         (Inspector::InspectorBasicValue::asDouble):
2729         (Inspector::InspectorBasicValue::asInteger):
2730         (Inspector::InspectorBasicValue::writeJSON):
2731         (Inspector::InspectorValue::asNumber): Deleted.
2732         (Inspector::InspectorBasicValue::asNumber): Deleted.
2733         * inspector/InspectorValues.h:
2734         (Inspector::InspectorObjectBase::setInteger):
2735         (Inspector::InspectorObjectBase::setDouble):
2736         (Inspector::InspectorArrayBase::pushInteger):
2737         (Inspector::InspectorArrayBase::pushDouble):
2738         (Inspector::InspectorObjectBase::setNumber): Deleted.
2739         (Inspector::InspectorArrayBase::pushInt): Deleted.
2740         (Inspector::InspectorArrayBase::pushNumber): Deleted.
2741         * inspector/agents/InspectorDebuggerAgent.cpp:
2742         (Inspector::buildObjectForBreakpointCookie):
2743         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
2744         (Inspector::parseLocation):
2745         (Inspector::InspectorDebuggerAgent::didParseSource):
2746         * inspector/agents/InspectorRuntimeAgent.cpp:
2747         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
2748         * inspector/scripts/codegen/generator.py: Update emitted code and rebaseline test results.
2749         (Generator.keyed_get_method_for_type):
2750         (Generator.keyed_set_method_for_type):
2751         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2752         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2753         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2754         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2755         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2756         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2757         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2758         * replay/EncodedValue.cpp:
2759         (JSC::EncodedValue::convertTo<double>):
2760         (JSC::EncodedValue::convertTo<float>):
2761         (JSC::EncodedValue::convertTo<int32_t>):
2762         (JSC::EncodedValue::convertTo<int64_t>):
2763         (JSC::EncodedValue::convertTo<uint32_t>):
2764         (JSC::EncodedValue::convertTo<uint64_t>):
2765
2766 2014-09-11  Joseph Pecoraro  <pecoraro@apple.com>
2767
2768         Web Inspector: Occasional ASSERT closing web inspector
2769         https://bugs.webkit.org/show_bug.cgi?id=136762
2770
2771         Reviewed by Timothy Hatcher.
2772
2773         It is harmless, and indeed possible to have an empty set of listeners
2774         now that each Page gets its own PageDebugServer instead of a shared
2775         global. So we should replace the null checks with isEmpty checks.
2776         Since nobody was ever returning null, convert to references as well.
2777
2778         * inspector/JSGlobalObjectScriptDebugServer.h:
2779         * inspector/ScriptDebugServer.cpp:
2780         (Inspector::ScriptDebugServer::dispatchBreakpointActionLog):
2781         (Inspector::ScriptDebugServer::dispatchBreakpointActionSound):
2782         (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe):
2783         (Inspector::ScriptDebugServer::sourceParsed):
2784         (Inspector::ScriptDebugServer::dispatchFunctionToListeners):
2785         (Inspector::ScriptDebugServer::notifyDoneProcessingDebuggerEvents):
2786         (Inspector::ScriptDebugServer::handlePause):
2787         (Inspector::ScriptDebugServer::needPauseHandling): Deleted.
2788         * inspector/ScriptDebugServer.h:
2789
2790 2014-09-10  Michael Saboff  <msaboff@apple.com>
2791
2792         Move JSScope out of JSFunction into separate JSCallee class
2793         https://bugs.webkit.org/show_bug.cgi?id=136725
2794
2795         Reviewed by Oliver Hunt.
2796
2797         Created new JSCallee class that contains a JSScope*.  Changed JSFunction to inherit from
2798         JSCallee.
2799
2800         * CMakeLists.txt:
2801         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2802         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2803         * JavaScriptCore.xcodeproj/project.pbxproj:
2804         Build changes.  Added JSCallee.cpp and JSCallee.h.
2805
2806         * runtime/JSCallee.cpp: Added.
2807         (JSC::JSCallee::create):
2808         (JSC::JSCallee::destroy):
2809         (JSC::JSCallee::JSCallee):
2810         (JSC::JSCallee::finishCreation):
2811         (JSC::JSCallee::visitChildren):
2812         (JSC::JSCallee::getOwnPropertySlot): Pass through wrapper function.
2813         (JSC::JSCallee::getOwnNonIndexPropertyNames): Pass through wrapper function.
2814         (JSC::JSCallee::put): Pass through wrapper function.
2815         (JSC::JSCallee::deleteProperty): Pass through wrapper function.
2816         (JSC::JSCallee::defineOwnProperty): Pass through wrapper function.
2817
2818         * runtime/JSCallee.h: Added.
2819         (JSC::JSCallee::scope):
2820         (JSC::JSCallee::scopeUnchecked):
2821         (JSC::JSCallee::setScope):
2822         (JSC::JSCallee::createStructure):
2823         (JSC::JSCallee::offsetOfScopeChain):
2824
2825         * runtime/JSFunction.cpp:
2826         (JSC::JSFunction::JSFunction):
2827         (JSC::JSFunction::addNameScopeIfNeeded):
2828         (JSC::JSFunction::visitChildren):
2829         * runtime/JSFunction.h:
2830         (JSC::JSFunction::scope): Deleted.
2831         (JSC::JSFunction::scopeUnchecked): Deleted.
2832         (JSC::JSFunction::setScope): Deleted.
2833         (JSC::JSFunction::offsetOfScopeChain): Deleted.
2834         * runtime/JSFunctionInlines.h:
2835         (JSC::JSFunction::JSFunction):
2836         Changed to reference JSCallee and its methods.
2837
2838         * runtime/JSType.h: Added JSCallee as a TypeEnum.
2839
2840 2014-09-11  Filip Pizlo  <fpizlo@apple.com>
2841
2842         REGRESSION (r172129): Vine pages load as blank
2843         https://bugs.webkit.org/show_bug.cgi?id=136655
2844         rdar://problem/18281215
2845
2846         Reviewed by Michael Saboff.
2847         
2848         If lastNode is something that is subject to DCE, then removing the Phantom's reference to something
2849         that lastNode references means that the thing being referenced may no longer be kept alive for OSR.
2850         Teach PhantomRemovalPhase that it's only safe to do this if lastNode is a Phantom. That's probably too
2851         conservative, but that's fine since this is mainly just an optimization to make the IR sane to read and
2852         reasonably compact; it's OK if we miss cases here.
2853
2854         * dfg/DFGPhantomRemovalPhase.cpp:
2855         (JSC::DFG::PhantomRemovalPhase::run):
2856         * tests/stress/remove-phantom-after-setlocal.js: Added.
2857
2858 2014-09-11  Bear Travis  <betravis@adobe.com>
2859
2860         [CSS Font Loading] Enable CSS Font Loading on Mac
2861         https://bugs.webkit.org/show_bug.cgi?id=135473
2862
2863         Reviewed by Antti Koivisto.
2864
2865         Enable CSS Font Loading in FeatureDefines.
2866
2867         * Configurations/FeatureDefines.xcconfig:
2868
2869 2014-09-11  Joseph Pecoraro  <pecoraro@apple.com>
2870
2871         Unreviewed rebaseline of inspector generator test results after r173120.
2872
2873         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2874         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2875         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2876         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2877
2878 2014-09-11  Oliver Hunt  <oliver@apple.com>
2879
2880         Rename activation to be more in line with spec language
2881         https://bugs.webkit.org/show_bug.cgi?id=136721
2882
2883         Reviewed by Michael Saboff.
2884
2885         Somewhat bigger than the last one, but still just a rename.
2886
2887         * CMakeLists.txt:
2888         * JavaScriptCore.order:
2889         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2890         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2891         * JavaScriptCore.xcodeproj/project.pbxproj:
2892         * bytecode/BytecodeList.json:
2893         * bytecode/BytecodeUseDef.h:
2894         (JSC::computeUsesForBytecodeOffset):
2895         (JSC::computeDefsForBytecodeOffset):
2896         * bytecode/CallVariant.h:
2897         * bytecode/CodeBlock.cpp:
2898         (JSC::CodeBlock::dumpBytecode):
2899         (JSC::CodeBlock::CodeBlock):
2900         (JSC::CodeBlock::finalizeUnconditionally):
2901         (JSC::CodeBlock::isCaptured):
2902         (JSC::CodeBlock::nameForRegister):
2903         * bytecode/CodeBlock.h:
2904         (JSC::CodeBlock::setActivationRegister):
2905         (JSC::CodeBlock::activationRegister):
2906         (JSC::CodeBlock::uncheckedActivationRegister):
2907         (JSC::CodeBlock::needsActivation):
2908         * bytecode/Instruction.h:
2909         * bytecode/UnlinkedCodeBlock.h:
2910         (JSC::UnlinkedCodeBlock::setActivationRegister):
2911         (JSC::UnlinkedCodeBlock::activationRegister):
2912         (JSC::UnlinkedCodeBlock::hasActivationRegister):
2913         * bytecompiler/BytecodeGenerator.cpp:
2914         (JSC::BytecodeGenerator::BytecodeGenerator):
2915         (JSC::BytecodeGenerator::emitReturn):
2916         * bytecompiler/BytecodeGenerator.h:
2917         * debugger/DebuggerCallFrame.cpp:
2918         (JSC::DebuggerCallFrame::scope):
2919         * debugger/DebuggerScope.cpp:
2920         (JSC::DebuggerScope::isFunctionOrEvalScope):
2921         * dfg/DFGByteCodeParser.cpp:
2922         (JSC::DFG::ByteCodeParser::parseBlock):
2923         * dfg/DFGCapabilities.cpp:
2924         (JSC::DFG::capabilityLevel):
2925         * dfg/DFGGraph.cpp:
2926         (JSC::DFG::Graph::tryGetActivation):
2927         (JSC::DFG::Graph::tryGetRegisters):
2928         * dfg/DFGGraph.h:
2929         * dfg/DFGNodeType.h:
2930         * dfg/DFGOperations.cpp:
2931         * dfg/DFGSpeculativeJIT32_64.cpp:
2932         (JSC::DFG::SpeculativeJIT::compile):
2933         * dfg/DFGSpeculativeJIT64.cpp:
2934         (JSC::DFG::SpeculativeJIT::compile):
2935         * interpreter/CallFrame.cpp:
2936         (JSC::CallFrame::lexicalEnvironment):
2937         (JSC::CallFrame::setActivation):
2938         (JSC::CallFrame::activation): Deleted.
2939         * interpreter/CallFrame.h:
2940         * interpreter/Interpreter.cpp:
2941         (JSC::unwindCallFrame):
2942         * interpreter/Register.h:
2943         * jit/JIT.cpp:
2944         (JSC::JIT::privateCompileMainPass):
2945         * jit/JIT.h:
2946         * jit/JITOpcodes.cpp:
2947         (JSC::JIT::emit_op_tear_off_lexical_environment):
2948         (JSC::JIT::emit_op_tear_off_arguments):
2949         (JSC::JIT::emit_op_create_lexical_environment):
2950         (JSC::JIT::emit_op_tear_off_activation): Deleted.
2951         (JSC::JIT::emit_op_create_activation): Deleted.
2952         * jit/JITOpcodes32_64.cpp:
2953         (JSC::JIT::emit_op_tear_off_lexical_environment):
2954         (JSC::JIT::emit_op_tear_off_arguments):
2955         (JSC::JIT::emit_op_create_lexical_environment):
2956         (JSC::JIT::emit_op_tear_off_activation): Deleted.
2957         (JSC::JIT::emit_op_create_activation): Deleted.
2958         * jit/JITOperations.cpp:
2959         * jit/JITOperations.h:
2960         * llint/LLIntSlowPaths.cpp:
2961         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2962         * llint/LLIntSlowPaths.h:
2963         * llint/LowLevelInterpreter32_64.asm:
2964         * llint/LowLevelInterpreter64.asm:
2965         * runtime/Arguments.cpp:
2966         (JSC::Arguments::visitChildren):
2967         (JSC::Arguments::tearOff):
2968         (JSC::Arguments::didTearOffActivation):
2969         * runtime/Arguments.h:
2970         (JSC::Arguments::offsetOfActivation):
2971         (JSC::Arguments::argument):
2972         (JSC::Arguments::finishCreation):
2973         * runtime/CommonSlowPaths.cpp:
2974         * runtime/JSFunction.h:
2975         * runtime/JSGlobalObject.cpp:
2976         (JSC::JSGlobalObject::reset):
2977         (JSC::JSGlobalObject::visitChildren):
2978         * runtime/JSGlobalObject.h:
2979         (JSC::JSGlobalObject::activationStructure):
2980         * runtime/JSLexicalEnvironment.cpp: Renamed from Source/JavaScriptCore/runtime/JSActivation.cpp.
2981         (JSC::JSLexicalEnvironment::visitChildren):
2982         (JSC::JSLexicalEnvironment::symbolTableGet):
2983         (JSC::JSLexicalEnvironment::symbolTablePut):
2984         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
2985         (JSC::JSLexicalEnvironment::symbolTablePutWithAttributes):
2986         (JSC::JSLexicalEnvironment::getOwnPropertySlot):
2987         (JSC::JSLexicalEnvironment::put):
2988         (JSC::JSLexicalEnvironment::deleteProperty):
2989         (JSC::JSLexicalEnvironment::toThis):
2990         (JSC::JSLexicalEnvironment::argumentsGetter):
2991         * runtime/JSLexicalEnvironment.h: Renamed from Source/JavaScriptCore/runtime/JSActivation.h.
2992         (JSC::JSLexicalEnvironment::create):
2993         (JSC::JSLexicalEnvironment::createStructure):
2994         (JSC::JSLexicalEnvironment::JSLexicalEnvironment):
2995         (JSC::asActivation):
2996         (JSC::Register::lexicalEnvironment):
2997         (JSC::JSLexicalEnvironment::registersOffset):
2998         (JSC::JSLexicalEnvironment::tearOff):
2999         (JSC::JSLexicalEnvironment::isTornOff):
3000         (JSC::JSLexicalEnvironment::storageOffset):
3001         (JSC::JSLexicalEnvironment::storage):
3002         (JSC::JSLexicalEnvironment::allocationSize):
3003         (JSC::JSLexicalEnvironment::isValidIndex):
3004         (JSC::JSLexicalEnvironment::isValid):
3005         (JSC::JSLexicalEnvironment::registerAt):
3006         * runtime/JSObject.h:
3007         * runtime/JSScope.cpp:
3008         (JSC::abstractAccess):
3009         * runtime/JSScope.h:
3010         (JSC::ResolveOp::ResolveOp):
3011         * runtime/JSSymbolTableObject.cpp:
3012         * runtime/StrictEvalActivation.h:
3013         (JSC::StrictEvalActivation::create):
3014         * runtime/VM.cpp:
3015
3016 2014-09-11  László Langó  <llango.u-szeged@partner.samsung.com>
3017
3018         [JavaScriptCore] Fix FTL on platform EFL.
3019         https://bugs.webkit.org/show_bug.cgi?id=133571
3020
3021         Reviewed by Filip Pizlo.
3022
3023         There are no compact_unwind sections on Linux systems so FTL crashes.
3024         We have to parse eh_frame in FTLUnwindInfo instead of compact_unwind
3025         and get the information for stack unwinding from there.
3026
3027         * CMakeLists.txt: Revert r169181.
3028         * ftl/FTLCompile.cpp:
3029         Change section name literals to use SECTION_NAME macro, because of architecture differences.
3030         (JSC::FTL::mmAllocateCodeSection):
3031         (JSC::FTL::mmAllocateDataSection):
3032         (JSC::FTL::compile):
3033         * ftl/FTLJITCode.h:
3034         We need the SECTION_NAME macro in FTLCompile and FTLLink, so we define it here.
3035         * ftl/FTLLink.cpp:
3036         (JSC::FTL::link):
3037         * ftl/FTLState.h:
3038         * ftl/FTLState.cpp:
3039         (JSC::FTL::State::State):
3040         * ftl/FTLUnwindInfo.h:
3041         * ftl/FTLUnwindInfo.cpp:
3042         Lift the eh_frame parsing method from LLVM/libcxxabi project and modify it for our purposes.
3043         Parse eh_frame on Linux instead of compact_unwind.
3044         (JSC::FTL::UnwindInfo::parse):
3045
3046 2014-09-10  Saam Barati  <saambarati1@gmail.com>
3047
3048         Web Inspector: Modify the type profiler runtime protocol to transfer some computation into the WebInspector
3049         https://bugs.webkit.org/show_bug.cgi?id=136500
3050
3051         Reviewed by Joseph Pecoraro.
3052
3053         This patch changes the type profiler protocol to the Web Inspector
3054         by moving the work of calculating computed properties that affect the UI
3055         into the Web Inspector. This makes the Web Inspector have control over the 
3056         strings it displays as UI elements representing type information to the user 
3057         instead of JavaScriptCore deciding on a convention for these strings.
3058         JavaScriptCore now sends enough information to the Web Inspector so that 
3059         it can compute the properties JavaScriptCore used to compute.
3060
3061         * inspector/agents/InspectorRuntimeAgent.cpp:
3062         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
3063         * inspector/protocol/Runtime.json:
3064         * runtime/TypeProfiler.cpp:
3065         (JSC::TypeProfiler::getTypesForVariableAtOffsetForInspector): Deleted.
3066         * runtime/TypeProfiler.h:
3067         * runtime/TypeSet.cpp:
3068         (JSC::TypeSet::inspectorTypeSet):
3069         (JSC::StructureShape::leastCommonAncestor):
3070         (JSC::StructureShape::inspectorRepresentation):
3071         * runtime/TypeSet.h:
3072
3073 2014-09-10  Akos Kiss  <akiss@inf.u-szeged.hu>
3074
3075         Apply ARM64-specific lowering to load/store instructions in offlineasm
3076         https://bugs.webkit.org/show_bug.cgi?id=136569
3077
3078         Reviewed by Michael Saboff.
3079
3080         The standard RISC lowering of load/store instructions with base +
3081         immediate offset addresses is to move the offset to a temporary, add the
3082         base to the temporary, and then change the load/store to use the
3083         temporary + 0 immediate offset address. However, on ARM64, the base +
3084         register offset addressing mode is available, so it is unnecessary to
3085         perform explicit register additions; it is enough to change the load/store
3086         to use base + temporary as the address.
3087
3088         * offlineasm/arm64.rb: Added arm64LowerMalformedLoadStoreAddresses
3089
3090 2014-09-10  Oliver Hunt  <oliver@apple.com>
3091
3092         Rename JSVariableObject to JSEnvironmentRecord to align naming with ES spec
3093         https://bugs.webkit.org/show_bug.cgi?id=136710
3094
3095         Reviewed by Anders Carlsson.
3096
3097         This is a trivial rename.
3098
3099         * CMakeLists.txt:
3100         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3101         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3102         * JavaScriptCore.xcodeproj/project.pbxproj:
3103         * dfg/DFGAbstractHeap.h:
3104         * dfg/DFGClobberize.h:
3105         (JSC::DFG::clobberize):
3106         * dfg/DFGSpeculativeJIT32_64.cpp:
3107         (JSC::DFG::SpeculativeJIT::compile):
3108         * dfg/DFGSpeculativeJIT64.cpp:
3109         (JSC::DFG::SpeculativeJIT::compile):
3110         * ftl/FTLAbstractHeapRepository.cpp:
3111         * ftl/FTLAbstractHeapRepository.h:
3112         * ftl/FTLLowerDFGToLLVM.cpp:
3113         (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters):
3114         * jit/JITOpcodes32_64.cpp:
3115         * jit/JITPropertyAccess.cpp:
3116         (JSC::JIT::emitGetClosureVar):
3117         (JSC::JIT::emitPutClosureVar):
3118         * jit/JITPropertyAccess32_64.cpp:
3119         (JSC::JIT::emitGetClosureVar):
3120         (JSC::JIT::emitPutClosureVar):
3121         * llint/LLIntOffsetsExtractor.cpp:
3122         * llint/LowLevelInterpreter32_64.asm:
3123         * llint/LowLevelInterpreter64.asm:
3124         * runtime/JSActivation.cpp:
3125         (JSC::JSActivation::getOwnNonIndexPropertyNames):
3126         * runtime/JSActivation.h:
3127         * runtime/JSEnvironmentRecord.cpp: Renamed from Source/JavaScriptCore/runtime/JSVariableObject.cpp.
3128         * runtime/JSEnvironmentRecord.h: Renamed from Source/JavaScriptCore/runtime/JSVariableObject.h.
3129         (JSC::JSEnvironmentRecord::registers):
3130         (JSC::JSEnvironmentRecord::registerAt):
3131         (JSC::JSEnvironmentRecord::addressOfRegisters):
3132         (JSC::JSEnvironmentRecord::offsetOfRegisters):
3133         (JSC::JSEnvironmentRecord::JSEnvironmentRecord):
3134         * runtime/JSNameScope.h:
3135         * runtime/JSSegmentedVariableObject.h:
3136
3137 2014-09-10  Julien Brianceau  <jbriance@cisco.com>
3138
3139         [mips] Add missing parts and fix LLINT mips backend
3140         https://bugs.webkit.org/show_bug.cgi?id=136706
3141
3142         Reviewed by Michael Saboff.
3143
3144         * llint/LowLevelInterpreter.asm: Fix invalid CalleeSave register number.
3145         Implement initPCRelative and setEntryAddress macros.
3146         * llint/LowLevelInterpreter32_64.asm: Fix register distribution in
3147         doVMEntry macro.
3148
3149 2014-09-10  Saam Barati  <saambarati1@gmail.com>
3150
3151         TypeSet needs a mode where it no longer profiles structure shapes
3152         https://bugs.webkit.org/show_bug.cgi?id=136263
3153
3154         Reviewed by Filip Pizlo.
3155
3156         The TypeSet data structure used to gather as many StructureShape
3157         objects as it encountered during type profiling. But, this meant 
3158         that there was no upper limit on how many objects it could allocate. 
3159         This patch places a fixed upper bound on the number of StructureShapes
3160         allocated per TypeSet to prevent using too much memory for little gain
3161         in type profiling usefulness.
3162
3163         StructureShape objects are now also aware of when they are created
3164         from Structures which are dictionaries.
3165
3166         In total, this patch lays the final groundwork needed in refactoring 
3167         the inspector protocol for the type profiler.
3168
3169         * runtime/Structure.cpp:
3170         (JSC::Structure::toStructureShape):
3171         * runtime/TypeProfiler.cpp:
3172         (JSC::TypeProfiler::typeInformationForExpressionAtOffset):
3173         * runtime/TypeSet.cpp:
3174         (JSC::TypeSet::TypeSet):
3175         (JSC::TypeSet::addTypeInformation):
3176         (JSC::StructureShape::StructureShape):
3177         (JSC::StructureShape::toJSONString):
3178         (JSC::StructureShape::enterDictionaryMode):
3179         * runtime/TypeSet.h:
3180         (JSC::TypeSet::isOverflown):
3181         * tests/typeProfiler/dictionary-mode.js: Added.
3182         (wrapper):
3183         * tests/typeProfiler/driver/driver.js:
3184         * tests/typeProfiler/overflow.js: Added.
3185         (wrapper.Proto):
3186         (wrapper):
3187
3188 2014-09-10  Peter Gal  <galpeter@inf.u-szeged.hu>
3189
3190         [MIPS] branch32WithPatch missing
3191         https://bugs.webkit.org/show_bug.cgi?id=136696
3192
3193         Reviewed by Michael Saboff.
3194
3195         Added the missing branch32WithPatch. The implementation
3196         is currently the same as branchPtrWithPatch because
3197         the macro assembler supports only 32-bit MIPS.
3198
3199         * assembler/MacroAssemblerMIPS.h:
3200         (JSC::MacroAssemblerMIPS::branch32WithPatch):
3201
3202 2014-09-10  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>
3203
3204         Fix !ENABLE(DFG_JIT) build
3205         https://bugs.webkit.org/show_bug.cgi?id=136702
3206
3207         Reviewed by Michael Saboff.
3208
3209         * bytecode/CallEdgeProfile.h:
3210
3211 2014-09-09  Benjamin Poulain  <bpoulain@apple.com>
3212
3213         Disable the "unreachable-code" warning
3214         https://bugs.webkit.org/show_bug.cgi?id=136677
3215
3216         Reviewed by Darin Adler.
3217
3218         * Configurations/Base.xcconfig:
3219
3220 2014-09-08  Filip Pizlo  <fpizlo@apple.com>
3221
3222         DFG should have a reusable SSA builder
3223         https://bugs.webkit.org/show_bug.cgi?id=136331
3224
3225         Reviewed by Oliver Hunt.
3226         
3227         We want to implement sophisticated SSA transformations like object allocation sinking
3228         (https://bugs.webkit.org/show_bug.cgi?id=136330), but to do that, we need to be able to do
3229         updates to SSA that require inserting new Phi's. This requires calculating where Phis go.
3230         Previously, our Phi calculation was based on Aycock and Horspool's algorithm, and our
3231         implementation of this algorithm only worked when doing CPS->SSA conversion. The code
3232         could not be reused for&