00608b50af160e9970d3384b7da42ea12826d823
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-07-30  Andreas Kling  <akling@apple.com>

        PropertyName's internal string is always atomic.
        <https://webkit.org/b/135451>

        Now that we've merged the JSC::Identifier and WTF::AtomicString tables,
        we know that any string that's an Identifier is guaranteed to be atomic.

        A PropertyName can be either an Identifier or a PrivateName, and the
        private names are also guaranteed to be atomic internally.

        Make PropertyName vend AtomicStringImpl* instead of StringImpl*.

        Reviewed by Benjamin Poulain.

        * runtime/PropertyName.h:
        (JSC::PropertyName::PropertyName):
        (JSC::PropertyName::uid):
        (JSC::PropertyName::publicName):

2014-07-30  Andy Estes  <aestes@apple.com>

        USE(CONTENT_FILTERING) should be ENABLE(CONTENT_FILTERING)
        https://bugs.webkit.org/show_bug.cgi?id=135439

        Reviewed by Tim Horton.

        We now support two different platform content filters, and will soon support a mock content filter (as part of
        webkit.org/b/128858). This makes content filtering a feature of WebKit, not just an adoption of a third-party
        library. ENABLE() is the correct macro to use for such a feature.

        * Configurations/FeatureDefines.xcconfig:

2014-07-30  Andreas Kling  <akling@apple.com>

        Static hash tables no longer need to be coupled with a VM.
        <https://webkit.org/b/135421>

        Now that the static hash tables are using char** instead of StringImpl**,
        it's no longer necessary to make them per-VM.

        This patch removes the hook in ClassInfo for providing your own static
        hash table getter. Everyone now uses ClassInfo::staticPropHashTable.
        Most of this patch is tweaking ClassInfo construction sites to pass one
        less null pointer.

        Also simplified Lookup.h to stop requiring ExecState/VM to access the
        static hash tables.

        Reviewed by Geoffrey Garen.

        * API/JSAPIWrapperObject.mm:
        * API/JSCallbackConstructor.cpp:
        * API/JSCallbackFunction.cpp:
        * API/JSCallbackObject.cpp:
        * API/ObjCCallbackFunction.mm:
        * bytecode/UnlinkedCodeBlock.cpp:
        * create_hash_table:
        * debugger/DebuggerScope.cpp:
        * inspector/JSInjectedScriptHost.cpp:
        * inspector/JSInjectedScriptHostPrototype.cpp:
        * inspector/JSJavaScriptCallFrame.cpp:
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        * interpreter/CallFrame.h:
        (JSC::ExecState::arrayConstructorTable): Deleted.
        (JSC::ExecState::arrayPrototypeTable): Deleted.
        (JSC::ExecState::booleanPrototypeTable): Deleted.
        (JSC::ExecState::dataViewTable): Deleted.
        (JSC::ExecState::dateTable): Deleted.
        (JSC::ExecState::dateConstructorTable): Deleted.
        (JSC::ExecState::errorPrototypeTable): Deleted.
        (JSC::ExecState::globalObjectTable): Deleted.
        (JSC::ExecState::jsonTable): Deleted.
        (JSC::ExecState::numberConstructorTable): Deleted.
        (JSC::ExecState::numberPrototypeTable): Deleted.
        (JSC::ExecState::objectConstructorTable): Deleted.
        (JSC::ExecState::privateNamePrototypeTable): Deleted.
        (JSC::ExecState::regExpTable): Deleted.
        (JSC::ExecState::regExpConstructorTable): Deleted.
        (JSC::ExecState::regExpPrototypeTable): Deleted.
        (JSC::ExecState::stringConstructorTable): Deleted.
        (JSC::ExecState::promisePrototypeTable): Deleted.
        (JSC::ExecState::promiseConstructorTable): Deleted.
        * jsc.cpp:
        * parser/Lexer.h:
        (JSC::Keywords::isKeyword):
        (JSC::Keywords::getKeyword):
        * runtime/Arguments.cpp:
        * runtime/ArgumentsIteratorConstructor.cpp:
        * runtime/ArgumentsIteratorPrototype.cpp:
        * runtime/ArrayBufferNeuteringWatchpoint.cpp:
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::getOwnPropertySlot):
        * runtime/ArrayIteratorConstructor.cpp:
        * runtime/ArrayIteratorPrototype.cpp:
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::getOwnPropertySlot):
        * runtime/BooleanConstructor.cpp:
        * runtime/BooleanObject.cpp:
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::getOwnPropertySlot):
        * runtime/ClassInfo.h:
        (JSC::ClassInfo::hasStaticProperties):
        (JSC::ClassInfo::propHashTable): Deleted.
        * runtime/ConsolePrototype.cpp:
        * runtime/CustomGetterSetter.cpp:
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::getOwnPropertySlot):
        * runtime/DateInstance.cpp:
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::getOwnPropertySlot):
        * runtime/Error.cpp:
        * runtime/ErrorConstructor.cpp:
        * runtime/ErrorInstance.cpp:
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::getOwnPropertySlot):
        * runtime/ExceptionHelpers.cpp:
        * runtime/Executable.cpp:
        * runtime/FunctionConstructor.cpp:
        * runtime/FunctionPrototype.cpp:
        * runtime/GetterSetter.cpp:
        * runtime/InternalFunction.cpp:
        * runtime/JSAPIValueWrapper.cpp:
        * runtime/JSActivation.cpp:
        * runtime/JSArgumentsIterator.cpp:
        * runtime/JSArray.cpp:
        * runtime/JSArrayBuffer.cpp:
        * runtime/JSArrayBufferConstructor.cpp:
        * runtime/JSArrayBufferPrototype.cpp:
        * runtime/JSArrayBufferView.cpp:
        * runtime/JSArrayIterator.cpp:
        * runtime/JSBoundFunction.cpp:
        * runtime/JSConsole.cpp:
        * runtime/JSDataView.cpp:
        * runtime/JSDataViewPrototype.cpp:
        (JSC::JSDataViewPrototype::getOwnPropertySlot):
        * runtime/JSFunction.cpp:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::getOwnPropertySlot):
        * runtime/JSMap.cpp:
        * runtime/JSMapIterator.cpp:
        * runtime/JSNameScope.cpp:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::getOwnPropertySlot):
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
        (JSC::JSObject::put):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::findPropertyHashEntry):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        * runtime/JSObject.h:
        * runtime/JSPromise.cpp:
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructor::getOwnPropertySlot):
        * runtime/JSPromiseDeferred.cpp:
        * runtime/JSPromisePrototype.cpp:
        (JSC::JSPromisePrototype::getOwnPropertySlot):
        * runtime/JSPromiseReaction.cpp:
        * runtime/JSPropertyNameIterator.cpp:
        * runtime/JSProxy.cpp:
        * runtime/JSSet.cpp:
        * runtime/JSSetIterator.cpp:
        * runtime/JSString.cpp:
        * runtime/JSTypedArrayConstructors.cpp:
        * runtime/JSTypedArrayPrototypes.cpp:
        * runtime/JSTypedArrays.cpp:
        * runtime/JSVariableObject.cpp:
        * runtime/JSWeakMap.cpp:
        * runtime/JSWithScope.cpp:
        * runtime/Lookup.cpp:
        (JSC::HashTable::createTable):
        * runtime/Lookup.h:
        (JSC::HashTable::initializeIfNeeded):
        (JSC::HashTable::entry):
        (JSC::HashTable::begin):
        (JSC::HashTable::end):
        (JSC::getStaticPropertySlot):
        (JSC::getStaticFunctionSlot):
        (JSC::getStaticValueSlot):
        (JSC::lookupPut):
        * runtime/MapConstructor.cpp:
        * runtime/MapData.cpp:
        * runtime/MapIteratorConstructor.cpp:
        * runtime/MapIteratorPrototype.cpp:
        * runtime/MapPrototype.cpp:
        * runtime/MathObject.cpp:
        * runtime/NameConstructor.cpp:
        * runtime/NameInstance.cpp:
        * runtime/NamePrototype.cpp:
        (JSC::NamePrototype::getOwnPropertySlot):
        * runtime/NativeErrorConstructor.cpp:
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::getOwnPropertySlot):
        * runtime/NumberObject.cpp:
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::getOwnPropertySlot):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::getOwnPropertySlot):
        * runtime/ObjectPrototype.cpp:
        * runtime/PropertyTable.cpp:
        * runtime/RegExp.cpp:
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::getOwnPropertySlot):
        * runtime/RegExpMatchesArray.cpp:
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::getOwnPropertySlot):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::getOwnPropertySlot):
        * runtime/SetConstructor.cpp:
        * runtime/SetIteratorConstructor.cpp:
        * runtime/SetIteratorPrototype.cpp:
        * runtime/SetPrototype.cpp:
        * runtime/SparseArrayValueMap.cpp:
        * runtime/StrictEvalActivation.cpp:
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::getOwnPropertySlot):
        * runtime/StringObject.cpp:
        * runtime/StringPrototype.cpp:
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::freezeTransition):
        (JSC::ClassInfo::hasStaticSetterOrReadonlyProperties):
        * runtime/StructureChain.cpp:
        * runtime/StructureRareData.cpp:
        * runtime/SymbolTable.cpp:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        * runtime/VM.h:
        * runtime/WeakMapConstructor.cpp:
        * runtime/WeakMapData.cpp:
        * runtime/WeakMapPrototype.cpp:
        * testRegExp.cpp:

2014-07-29  Brent Fulgham  <bfulgham@apple.com>

        [Win] Modify version numbering scheme to support 5-tuple versions
        https://bugs.webkit.org/show_bug.cgi?id=135400
        <rdar://problem/17849033>

        Reviewed by David Kilzer.

        * JavaScriptCore.vcxproj/JavaScriptCorePostBuild.cmd: Use the
        new version-stamp.pl script to version JavaScriptCore.dll.

2014-07-29  Daniel Bates  <dabates@apple.com>

        Use WTF::move() instead of std::move() to help ensure move semantics
        https://bugs.webkit.org/show_bug.cgi?id=135351

        Reviewed by Alexey Proskuryakov.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfo):
        * bytecode/GetByIdVariant.cpp:
        (JSC::GetByIdVariant::GetByIdVariant):

2014-07-28  Tamas Gergely  <tgergely.u-szeged@partner.samsung.com>

        BuildFix: JavaScriptCore/bytecode/StructureSet.h:262:77: warning.
        https://bugs.webkit.org/show_bug.cgi?id=135287

        Reviewed by Darin Adler.

        The set() method tries to use a part of the old value (the reservedFlag bit) which
        was not defined when the constructor is called. Initialize m_pointer to 0 explicitly.

        * bytecode/StructureSet.h:
        (JSC::StructureSet::StructureSet):

2014-07-28  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] JIT::assertStackPointerOffset() crashes on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=135316

        Reviewed by Geoffrey Garen.

        JIT::assertStackPointerOffset() does a compare between an arbitrary register
        and the stack pointer. This was not supported by the ARM64 assembler.

        There are no variations that can take a stack pointer for Xd. There is one version of subs
        that can take a stack pointer, but only for the Xn: the shift+extend one.
        To solve the problem, I changed cmp to swap the registers if necessary, and I fixed
        the implementation of sub.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::sub):
        In the generic sub(reg, reg), I added assertions to catch the condition that cannot be generated
        with either version of sub.

        In sub(with shift), I removed the weird special case for SP. First, it was quite misleading because
        the Rd case only works if "setflag == false". The other confusing part is that going to addSubtractShiftedRegister()
        gives you a reduced shift range, which could create subtle bugs that only appear when SP is used.

        Since I removed the weird case, I need to differentiate between the sub() that supports SP, and the one that does
        not elsewhere. That is why that branch has moved to the generic sub(reg, reg). Since at that point we know
        the shift value must be zero, it is safe to call either variant.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::branch64):
        With the changes described above, we can now use SP for the left register. What do we do if the rightmost
        register is SP?

        For the case of JIT::assertStackPointerOffset(), the comparison is Equal so the order really does not matter,
        we just switch the registers before generating the instruction.

        For the generic case, just move the value of SP to a GPR before doing the CMP.
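
The operand constraint behind the entry above, modelled in Python as an added example that is not JavaScriptCore code: it encodes which subs variant can take sp, the generic sub(reg, reg) that chooses between them at shift zero, and the branch64 fixup (swap the operands for Equal/NotEqual, otherwise copy sp into a scratch GPR first). Register names, the x16 scratch register and the textual instruction output are assumptions of this example.

```python
"""ARM64 cmp-with-SP encodability, modelled after the assertStackPointerOffset()
ChangeLog entry. Added example; not JavaScriptCore's assembler.

A64 operand rules modelled here (register number 31 is the ambiguous one):
  * SUBS (shifted register): Rd, Rn and Rm all read 31 as XZR, so SP is not
    usable in any position.
  * SUB/SUBS (extended register): Rn reads 31 as SP; Rd reads 31 as SP only
    for SUB (flags not set); Rm always reads 31 as XZR.
  * CMP Rn, Rm is the alias SUBS XZR, Rn, Rm, so SP can only be the left operand.
Register names, the x16 scratch register and the output format are constructed
for this example.
"""

SP = "sp"
SYMMETRIC_CONDITIONS = {"eq", "ne"}  # operand order does not change the result


class NotEncodable(Exception):
    """The assembler has no encoding for this operand combination."""


def subs_shifted(rd, rn, rm):
    """SUBS (shifted register), LSL #0. No operand may be SP."""
    if SP in (rd, rn, rm):
        raise NotEncodable(f"shifted-register subs cannot encode sp: {rd}, {rn}, {rm}")
    return f"subs {rd}, {rn}, {rm}"


def sub_extended(rd, rn, rm, set_flags):
    """SUB/SUBS (extended register), UXTX #0. Rn may be SP; Rd only when flags are not set."""
    if rm == SP:
        raise NotEncodable("Rm of the extended-register form is never sp")
    if rd == SP and set_flags:
        raise NotEncodable("subs (extended) reads Rd=31 as xzr, so sp cannot be the destination")
    mnemonic = "subs" if set_flags else "sub"
    return f"{mnemonic} {rd}, {rn}, {rm}, uxtx"


def sub(rd, rn, rm, set_flags=False):
    """Generic sub(reg, reg) with a zero shift: pick the variant that can encode the operands.

    With shift 0 both variants compute the same thing, so the SP-capable extended
    form is selected exactly when SP is involved; anything still unencodable raises,
    which is what the assertions added to the real generic sub() catch.
    """
    if SP in (rd, rn):
        return sub_extended(rd, rn, rm, set_flags)
    if rm == SP:
        raise NotEncodable("no sub variant accepts sp as the right-hand operand")
    return subs_shifted(rd, rn, rm) if set_flags else f"sub {rd}, {rn}, {rm}"


def cmp(rn, rm):
    """cmp Rn, Rm == subs xzr, Rn, Rm."""
    return sub("xzr", rn, rm, set_flags=True)


def can_encode_cmp(rn, rm):
    """True when cmp Rn, Rm has an encoding without any operand rewriting."""
    try:
        cmp(rn, rm)
        return True
    except NotEncodable:
        return False


def branch64(cond, left, right, target, scratch="x16"):
    """Instruction sequence for `if (left <cond> right) goto target`.

    When the right operand is SP: for eq/ne just swap the operands (the comparison
    is symmetric); for every other condition copy SP into a scratch GPR first.
    """
    seq = []
    if right == SP:
        if cond in SYMMETRIC_CONDITIONS and left != SP:
            left, right = right, left
        else:
            seq.append(f"mov {scratch}, {SP}")  # alias of add scratch, sp, #0
            right = scratch
    seq.append(cmp(left, right))
    seq.append(f"b.{cond} {target}")
    return seq


if __name__ == "__main__":
    # The assertStackPointerOffset() case: an arbitrary register compared with sp for equality.
    print(branch64("eq", "x0", SP, "ok"))
    # A signed comparison cannot be reordered, so sp is copied out first.
    print(branch64("lt", "x0", SP, "ok"))
```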

2014-07-28  Brian J. Burg  <burg@cs.washington.edu>

        Unreviewed build fix after r171682.

        * replay/EncodedValue.h: Don't mark the inlined Vector<char> specialization
        as an exported symbol.

2014-07-28  Mark Hahnenberg  <mhahnenberg@apple.com>

        REGRESSION: JSObjectSetPrototype() does not work on result of JSGetGlobalObject()
        https://bugs.webkit.org/show_bug.cgi?id=135322

        Reviewed by Oliver Hunt.

        The prototype chain of the JSProxy object should match that of the JSGlobalObject.

        This is a separate but related issue with JSObjectSetPrototype which doesn't correctly
        account for JSProxies. I also audited the rest of the C API to check that we correctly
        handle JSProxies in all other situations where we expect a JSCallbackObject of some sort
        and found some SPI calls (JSObject*PrivateProperty) that didn't behave correctly when
        passed a JSProxy.

        I also added some new tests for these cases.

        * API/JSObjectRef.cpp:
        (JSObjectSetPrototype):
        (JSObjectGetPrivateProperty):
        (JSObjectSetPrivateProperty):
        (JSObjectDeletePrivateProperty):
        * API/JSWeakObjectMapRefPrivate.cpp:
        * API/tests/CustomGlobalObjectClassTest.c:
        (globalObjectSetPrototypeTest):
        (globalObjectPrivatePropertyTest):
        * API/tests/CustomGlobalObjectClassTest.h:
        * API/tests/testapi.c:
        (main):

2014-07-28  Filip Pizlo  <fpizlo@apple.com>

        Make sure that we don't use non-speculative BooleanToNumber for a speculative Branch
        https://bugs.webkit.org/show_bug.cgi?id=135350
        <rdar://problem/17509889>

        Reviewed by Mark Hahnenberg and Oliver Hunt.

        If we have an exiting node that uses a conversion node, then that exiting node
        needs to have a Phantom after it for the original node. But we can't do that
        for Branch because https://bugs.webkit.org/show_bug.cgi?id=126778.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
        * tests/stress/branch-check-int32-on-boolean-to-number-untyped.js: Added.
        (foo):
        (test):
        * tests/stress/branch-check-number-on-boolean-to-number-untyped.js: Added.
        (foo):
        (test):

2014-07-28  Joseph Pecoraro  <pecoraro@apple.com>

        JSContext Inspector: crash when using step-into
        https://bugs.webkit.org/show_bug.cgi?id=135345

        Reviewed by Timothy Hatcher.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::stepInto):
        Null check m_listener since it may not be set.

2014-07-28  Brian J. Burg  <burg@cs.washington.edu>

        Web Replay: auto-decoding of parameterized vector's elements is incorrect
        https://bugs.webkit.org/show_bug.cgi?id=135343

        Reviewed by Timothy Hatcher.

        Fix an incorrect type argument in EncodingTraits<Vector<T>>::encodeValue
        that was using the element's decoded type as the type parameter to
        EncodedValue::append<T>. It should instead be the raw type T. This
        causes problems when encoding Vector<RefPtr<T>>, as it later tries to
        use encoding traits for RefPtr<T> rather than for T.

        Fix incorrect generated encoding traits argument for vectors of
        RefCounted objects. Updated test to cover this scenario.

        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Type.encoding_type_argument):
        (VectorType.type_name):
        (VectorType):
        (VectorType.encoding_type_argument):
        (Generator.generate_input_encode_implementation):
        (Generator.generate_input_decode_implementation):
        * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp:
        * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h:
        * replay/scripts/tests/generate-input-with-vector-members.json: Updated.

2014-07-28  Brian J. Burg  <burg@cs.washington.edu>

        Web Replay: incorrect serialization code generated for enum classes inside class scope
        https://bugs.webkit.org/show_bug.cgi?id=135342

        Reviewed by Timothy Hatcher.

        If an enum class is defined inside of a class scope, then the enum class
        cannot be forward-declared and the relevant header should be included.
        Some generated code used incorrectly-scoped enum values in this situation.

        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Generator.generate_includes.declaration.is):
        (Generator.generate_enum_trait_implementation.is):
        (Generator.generate_enum_trait_implementation):

        Tests:

        * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Rebaselined.
        * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Rebaselined.
        * replay/scripts/tests/generate-enums-with-same-base-name.json: Add enum
        class types to this test case.

2014-07-28  Brian J. Burg  <burg@cs.washington.edu>

        Web Replay: vectors of characters should be base64-encoded
        https://bugs.webkit.org/show_bug.cgi?id=135341

        Reviewed by Timothy Hatcher.

        Without this specialization, encode/decode methods try to create an
        array of single characters in JSON, rather than treating the
        vector as a binary blob.

        * replay/EncodedValue.cpp:
        (JSC::EncodingTraits<Vector<char>>::encodeValue): Added.
        (JSC::EncodingTraits<Vector<char>>::decodeValue): Added.
        * replay/EncodedValue.h:

2014-07-28  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed build fix.

        * JavaScriptCore.vcxproj/JavaScriptCore.proj: Switch from the 'Rebuild' target for MSBuild
        builds to the 'Build' target to avoid a spurious 'clean' in between build steps.

2014-07-27  Ryuan Choi  <ryuan.choi@samsung.com>

        Unreviewed build fix on the EFL port

        Build break because of -Werror=return-type

        * bytecode/PutByIdVariant.cpp:
        (JSC::PutByIdVariant::oldStructureForTransition):
        * dfg/DFGValueStrength.h:
        (JSC::DFG::merge):

2014-07-27  Filip Pizlo  <fpizlo@apple.com>

        [REGRESSION][ftlopt merge][32-bit] stress/prune-multi-put-by-offset-replace-or-transition-variant.js.dfg-eager hits an assertion in SpeculativeJIT::silentSavePlanForGPR
        https://bugs.webkit.org/show_bug.cgi?id=135323

        Reviewed by Oliver Hunt.

        SpeculativeJIT::silentSavePlanForGPR likes to believe that if a node is a constant,
        then it's a constant that can be represented using that node's current DataFormat.
        This doesn't work if the constant had been filled as a JSValue, and then one of the
        fillSpeculateBlah() methods had speculated that it's of some type that the constant
        isn't. Unless fillSpeculateBlah() specifically defends against this case, we'll have
        a constant that claims to have a contradictory data format.

        This patch fixes such a bug in the 32-bit fillSpeculateCell(). The 64-bit
        fillSpeculateCell() appears to not have this bug, but I added a similar defense
        mechanism anyway just in case, since this is one of those mistakes that keeps
        reappearing.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):

2014-07-27  Filip Pizlo  <fpizlo@apple.com>

        Merge r170090, r170092, r170129, r170141, r170161, r170215, r170275, r170375, r170376, r170382, r170383, r170399, r170436, r170489, r170490, r170556 from ftlopt.

        This fixes the previous mismerge and adds test coverage for the thing that went wrong.

        Additional changes listed here:

        * jsc.cpp:
        (functionHasCustomProperties): Expose a way of checking hasCustomProperties(), which the DOM relies on. The regression I previously introduced was because this didn't work right. Now we can test it!
        * runtime/Structure.cpp:
        (JSC::Structure::Structure): This was supposed to be setDidTransition(true); the last merge had it set to false.
        * tests/stress/has-custom-properties.js: Added. This test failed with the mismerge.

504     2014-06-27  Michael Saboff  <msaboff@apple.com>
505     
506             Unreviewed build fix after r169795.
507     
508             Fixed ASSERT for 32 bit build.
509     
510             * dfg/DFGSpeculativeJIT.cpp:
511             (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
512     
513     2014-06-24  Saam Barati  <sbarati@apple.com>
514     
515             Web Inspector: debugger should be able to show variable types
516             https://bugs.webkit.org/show_bug.cgi?id=133395
517     
518             Reviewed by Filip Pizlo.
519     
520             Increase the amount of type information the VM gathers when directed
521             to do so. This initial commit is working towards the goal of
522             capturing, and then showing (via the Web Inspector) type information for all
523             assignment and load operations. This patch doesn't have the feature fully 
524             implemented, but it ensures the VM has no performance regressions
525             unless the feature is specifically turned on.
526     
527             * JavaScriptCore.xcodeproj/project.pbxproj:
528             * bytecode/BytecodeList.json:
529             * bytecode/BytecodeUseDef.h:
530             (JSC::computeUsesForBytecodeOffset):
531             (JSC::computeDefsForBytecodeOffset):
532             * bytecode/CodeBlock.cpp:
533             (JSC::CodeBlock::dumpBytecode):
534             (JSC::CodeBlock::CodeBlock):
535             (JSC::CodeBlock::finalizeUnconditionally):
536             * bytecode/CodeBlock.h:
537             * bytecode/Instruction.h:
538             * bytecode/TypeLocation.h: Added.
539             (JSC::TypeLocation::TypeLocation):
540             * bytecompiler/BytecodeGenerator.cpp:
541             (JSC::BytecodeGenerator::emitMove):
542             (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
543             (JSC::BytecodeGenerator::emitPutToScope):
544             (JSC::BytecodeGenerator::emitPutById):
545             (JSC::BytecodeGenerator::emitPutByVal):
546             * bytecompiler/BytecodeGenerator.h:
547             (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity):
548             * bytecompiler/NodesCodegen.cpp:
549             (JSC::PostfixNode::emitResolve):
550             (JSC::PrefixNode::emitResolve):
551             (JSC::ReadModifyResolveNode::emitBytecode):
552             (JSC::AssignResolveNode::emitBytecode):
553             (JSC::ConstDeclNode::emitCodeSingle):
554             (JSC::ForInNode::emitBytecode):
555             * heap/Heap.cpp:
556             (JSC::Heap::collect):
557             * inspector/agents/InspectorRuntimeAgent.cpp:
558             (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange):
559             * inspector/agents/InspectorRuntimeAgent.h:
560             * inspector/protocol/Runtime.json:
561             * jsc.cpp:
562             (GlobalObject::finishCreation):
563             (functionDumpTypesForAllVariables):
564             * llint/LLIntSlowPaths.cpp:
565             (JSC::LLInt::LLINT_SLOW_PATH_DECL):
566             (JSC::LLInt::putToScopeCommon):
567             * llint/LLIntSlowPaths.h:
568             * llint/LowLevelInterpreter.asm:
569             * runtime/HighFidelityLog.cpp: Added.
570             (JSC::HighFidelityLog::initializeHighFidelityLog):
571             (JSC::HighFidelityLog::~HighFidelityLog):
572             (JSC::HighFidelityLog::recordTypeInformationForLocation):
573             (JSC::HighFidelityLog::processHighFidelityLog):
574             (JSC::HighFidelityLog::actuallyProcessLogThreadFunction):
575             * runtime/HighFidelityLog.h: Added.
576             (JSC::HighFidelityLog::HighFidelityLog):
577             * runtime/HighFidelityTypeProfiler.cpp: Added.
578             (JSC::HighFidelityTypeProfiler::getTypesForVariableInRange):
579             (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableInRange):
580             (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableInRange):
581             (JSC::HighFidelityTypeProfiler::insertNewLocation):
582             (JSC::HighFidelityTypeProfiler::getLocationBasedHash):
583             * runtime/HighFidelityTypeProfiler.h: Added.
584             * runtime/Options.h:
585             * runtime/Structure.cpp:
586             (JSC::Structure::toStructureShape):
587             * runtime/Structure.h:
588             * runtime/SymbolTable.cpp:
589             (JSC::SymbolTable::SymbolTable):
590             (JSC::SymbolTable::cloneCapturedNames):
591             (JSC::SymbolTable::uniqueIDForVariable):
592             (JSC::SymbolTable::uniqueIDForRegister):
593             (JSC::SymbolTable::globalTypeSetForRegister):
594             (JSC::SymbolTable::globalTypeSetForVariable):
595             * runtime/SymbolTable.h:
596             (JSC::SymbolTable::add):
597             (JSC::SymbolTable::set):
598             * runtime/TypeSet.cpp: Added.
599             (JSC::TypeSet::TypeSet):
600             (JSC::TypeSet::getRuntimeTypeForValue):
601             (JSC::TypeSet::addTypeForValue):
602             (JSC::TypeSet::removeDuplicatesInStructureHistory):
603             (JSC::TypeSet::seenTypes):
604             (JSC::TypeSet::dumpSeenTypes):
605             (JSC::StructureShape::StructureShape):
606             (JSC::StructureShape::markAsFinal):
607             (JSC::StructureShape::addProperty):
608             (JSC::StructureShape::propertyHash):
609             (JSC::StructureShape::leastUpperBound):
610             (JSC::StructureShape::stringRepresentation):
611             * runtime/TypeSet.h: Added.
612             (JSC::StructureShape::create):
613             (JSC::TypeSet::create):
614             * runtime/VM.cpp:
615             (JSC::VM::VM):
616             (JSC::VM::getTypesForVariableInRange):
617             (JSC::VM::updateHighFidelityTypeProfileState):
618             (JSC::VM::dumpHighFidelityProfilingTypes):
619             * runtime/VM.h:
620             (JSC::VM::isProfilingTypesWithHighFidelity):
621             (JSC::VM::highFidelityLog):
622             (JSC::VM::highFidelityTypeProfiler):
623             (JSC::VM::nextLocation):
624             (JSC::VM::getNextUniqueVariableID):
625     
626     2014-06-26  Mark Lam  <mark.lam@apple.com>
627     
628             Remove unused instantiation of the WithScope structure.
629             <https://webkit.org/b/134331>
630     
631             Reviewed by Oliver Hunt.
632     
633             The WithScope structure instance is the VM is unused, and is now removed.
634     
            * runtime/VM.cpp:
            (JSC::VM::VM):
            * runtime/VM.h:

    2014-06-25  Mark Hahnenberg  <mhahnenberg@apple.com>

            Structure bit fields should have a consistent format
            https://bugs.webkit.org/show_bug.cgi?id=134307

            Reviewed by Filip Pizlo.

            Currently we use C-style bit fields for a number of member variables in Structure to save space.
            This makes it difficult to load these fields in the JIT. We should instead use our own bitfield
            format to make it easy to load and test these variables in JIT code.

            * runtime/JSObject.cpp:
            (JSC::JSObject::putDirectNonIndexAccessor):
            (JSC::JSObject::reifyStaticFunctionsForDelete):
            * runtime/Structure.cpp:
            (JSC::StructureTransitionTable::contains):
            (JSC::StructureTransitionTable::get):
            (JSC::StructureTransitionTable::add):
            (JSC::Structure::Structure):
            (JSC::Structure::materializePropertyMap):
            (JSC::Structure::addPropertyTransition):
            (JSC::Structure::despecifyFunctionTransition):
            (JSC::Structure::toDictionaryTransition):
            (JSC::Structure::freezeTransition):
            (JSC::Structure::preventExtensionsTransition):
            (JSC::Structure::takePropertyTableOrCloneIfPinned):
            (JSC::Structure::nonPropertyTransition):
            (JSC::Structure::flattenDictionaryStructure):
            (JSC::Structure::addPropertyWithoutTransition):
            (JSC::Structure::pin):
            (JSC::Structure::allocateRareData):
            (JSC::Structure::cloneRareDataFrom):
            (JSC::Structure::getConcurrently):
            (JSC::Structure::putSpecificValue):
            (JSC::Structure::getPropertyNamesFromStructure):
            (JSC::Structure::visitChildren):
            (JSC::Structure::checkConsistency):
            * runtime/Structure.h:
            (JSC::Structure::isExtensible):
            (JSC::Structure::isDictionary):
            (JSC::Structure::isUncacheableDictionary):
            (JSC::Structure::propertyAccessesAreCacheable):
            (JSC::Structure::previousID):
            (JSC::Structure::setHasGetterSetterPropertiesWithProtoCheck):
            (JSC::Structure::setContainsReadOnlyProperties):
            (JSC::Structure::disableSpecificFunctionTracking):
            (JSC::Structure::objectToStringValue):
            (JSC::Structure::setObjectToStringValue):
            (JSC::Structure::setPreviousID):
            (JSC::Structure::clearPreviousID):
            (JSC::Structure::previous):
            (JSC::Structure::rareData):
            (JSC::Structure::didTransition): Deleted.
            (JSC::Structure::hasGetterSetterProperties): Deleted.
            (JSC::Structure::hasReadOnlyOrGetterSetterPropertiesExcludingProto): Deleted.
            (JSC::Structure::setHasGetterSetterProperties): Deleted.
            (JSC::Structure::hasNonEnumerableProperties): Deleted.
            (JSC::Structure::staticFunctionsReified): Deleted.
            (JSC::Structure::setStaticFunctionsReified): Deleted.
            * runtime/StructureInlines.h:
            (JSC::Structure::setEnumerationCache):
            (JSC::Structure::enumerationCache):
            (JSC::Structure::checkOffsetConsistency):

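The entry above gives the reason for moving Structure off C-style bit fields: JIT-emitted code has to load and test these flags, and it can only do that if the bit layout is a documented constant rather than whatever the C++ compiler chose. The following is an added illustration of that design, not code from JavaScriptCore. The class names, flag names and widths (ExplicitFlags, CStyleFlags, an 8-bit transitionCount) are constructed for the example; the JIT side is stood in for by a plain C++ function that does what the emitted instruction would do: read a 32-bit word at a fixed offset and AND it with a fixed mask.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Added illustration; the names below are constructed and are not JSC's.
// C-style bit fields leave bit order, packing and padding to the compiler, so
// there is no constant a JIT could embed in machine code to test one flag.
struct CStyleFlags {
    unsigned isExtensible : 1;
    unsigned isDictionary : 1;
    unsigned hasGetterSetterProperties : 1;
    unsigned transitionCount : 8;
};

// "Our own bitfield format": one 32-bit word whose fields are defined by shift
// and mask constants that the runtime owns. Those constants are the contract
// between the C++ runtime and JIT-emitted code, so both sides read the same bits.
class ExplicitFlags {
public:
    enum : uint32_t {
        IsExtensibleShift = 0,
        IsExtensibleMask = 1u << IsExtensibleShift,
        IsDictionaryShift = 1,
        IsDictionaryMask = 1u << IsDictionaryShift,
        HasGetterSetterPropertiesShift = 2,
        HasGetterSetterPropertiesMask = 1u << HasGetterSetterPropertiesShift,
        TransitionCountShift = 3,
        TransitionCountBits = 8,
        TransitionCountMask = ((1u << TransitionCountBits) - 1) << TransitionCountShift,
    };

    // Fields must not overlap; this is checked at compile time, not at runtime.
    static_assert((IsExtensibleMask & IsDictionaryMask) == 0, "field overlap");
    static_assert((IsDictionaryMask & HasGetterSetterPropertiesMask) == 0, "field overlap");
    static_assert((HasGetterSetterPropertiesMask & TransitionCountMask) == 0, "field overlap");

    bool isExtensible() const { return (m_bitField & IsExtensibleMask) != 0; }
    bool isDictionary() const { return (m_bitField & IsDictionaryMask) != 0; }
    bool hasGetterSetterProperties() const { return (m_bitField & HasGetterSetterPropertiesMask) != 0; }
    uint32_t transitionCount() const { return (m_bitField & TransitionCountMask) >> TransitionCountShift; }

    void setIsExtensible(bool v) { setBit(IsExtensibleMask, v); }
    void setIsDictionary(bool v) { setBit(IsDictionaryMask, v); }
    void setHasGetterSetterProperties(bool v) { setBit(HasGetterSetterPropertiesMask, v); }
    void setTransitionCount(uint32_t n) {
        assert(n < (1u << TransitionCountBits)); // the value must fit its field
        m_bitField = (m_bitField & ~uint32_t(TransitionCountMask)) | (n << TransitionCountShift);
    }

    uint32_t rawBits() const { return m_bitField; }
    // The JIT needs the word's offset as a constant too; here it is simply offsetof.
    static size_t offsetOfBitField() { return offsetof(ExplicitFlags, m_bitField); }

private:
    void setBit(uint32_t mask, bool v) { if (v) m_bitField |= mask; else m_bitField &= ~mask; }
    uint32_t m_bitField { 0 };
};

// What the JIT-emitted test looks like, written in C++: load the word at a known
// offset from the object's base address and AND it with a compile-time mask.
// Nothing about the C++ class layout beyond those two constants is needed.
inline bool jitStyleTest(const void* objectBase, size_t offset, uint32_t mask) {
    uint32_t word;
    std::memcpy(&word, static_cast<const char*>(objectBase) + offset, sizeof word);
    return (word & mask) != 0;
}

int main() {
    ExplicitFlags flags;
    flags.setIsDictionary(true);
    flags.setTransitionCount(200);
    std::printf("raw=0x%08x dictionary=%d count=%u\n", flags.rawBits(),
                jitStyleTest(&flags, ExplicitFlags::offsetOfBitField(), ExplicitFlags::IsDictionaryMask),
                flags.transitionCount());
    std::printf("sizeof(CStyleFlags)=%zu (bit layout is compiler-defined)\n", sizeof(CStyleFlags));
    return 0;
}
```

The static_asserts are the part worth copying: once JIT code bakes a mask into an instruction stream, an overlapping or shifted field is a silent miscompile rather than a compile error, so the layout invariants belong next to the constants that define them.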
    2014-06-24  Mark Lam  <mark.lam@apple.com>

            [ftlopt] Renamed DebuggerActivation to DebuggerScope.
            <https://webkit.org/b/134273>

            Reviewed by Michael Saboff.

            * CMakeLists.txt:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * debugger/DebuggerActivation.cpp: Removed.
            * debugger/DebuggerActivation.h: Removed.
            * debugger/DebuggerScope.cpp: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.cpp.
            (JSC::DebuggerScope::DebuggerScope):
            (JSC::DebuggerScope::finishCreation):
            (JSC::DebuggerScope::visitChildren):
            (JSC::DebuggerScope::className):
            (JSC::DebuggerScope::getOwnPropertySlot):
            (JSC::DebuggerScope::put):
            (JSC::DebuggerScope::deleteProperty):
            (JSC::DebuggerScope::getOwnPropertyNames):
            (JSC::DebuggerScope::defineOwnProperty):
            (JSC::DebuggerActivation::DebuggerActivation): Deleted.
            (JSC::DebuggerActivation::finishCreation): Deleted.
            (JSC::DebuggerActivation::visitChildren): Deleted.
            (JSC::DebuggerActivation::className): Deleted.
            (JSC::DebuggerActivation::getOwnPropertySlot): Deleted.
            (JSC::DebuggerActivation::put): Deleted.
            (JSC::DebuggerActivation::deleteProperty): Deleted.
            (JSC::DebuggerActivation::getOwnPropertyNames): Deleted.
            (JSC::DebuggerActivation::defineOwnProperty): Deleted.
            * debugger/DebuggerScope.h: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.h.
            (JSC::DebuggerScope::create):
            (JSC::DebuggerActivation::create): Deleted.
            * runtime/VM.cpp:
            (JSC::VM::VM):
            * runtime/VM.h:

    2014-06-24  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] PutByIdFlush can also be converted to a PutByOffset so don't assert otherwise
            https://bugs.webkit.org/show_bug.cgi?id=134265

            Reviewed by Geoffrey Garen.

            More assertion fallout from the PutById folding work.

            * dfg/DFGNode.h:
            (JSC::DFG::Node::convertToPutByOffset):

    2014-06-24  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] GC should notify us if it resets to_this
            https://bugs.webkit.org/show_bug.cgi?id=128231

            Reviewed by Geoffrey Garen.

            * CMakeLists.txt:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * bytecode/BytecodeList.json:
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::dumpBytecode):
            (JSC::CodeBlock::finalizeUnconditionally):
            * bytecode/Instruction.h:
            * bytecode/ToThisStatus.cpp: Added.
            (JSC::merge):
            (WTF::printInternal):
            * bytecode/ToThisStatus.h: Added.
            * bytecompiler/BytecodeGenerator.cpp:
            (JSC::BytecodeGenerator::BytecodeGenerator):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::parseBlock):
            * llint/LowLevelInterpreter32_64.asm:
            * llint/LowLevelInterpreter64.asm:
            * runtime/CommonSlowPaths.cpp:
            (JSC::SLOW_PATH_DECL):

    2014-06-24  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] StructureAbstractValue::onlyStructure() should return nullptr if isClobbered()
            https://bugs.webkit.org/show_bug.cgi?id=134256

            Reviewed by Michael Saboff.

            This isn't testable right now (i.e. it's benign) but we should get it right anyway. The
            point is to be able to precisely model what goes on in the snippets of code between a
            side-effect and an InvalidationPoint.

            This patch also cleans up onlyStructure() by delegating more work to
            StructureSet::onlyStructure().

            * dfg/DFGStructureAbstractValue.h:
            (JSC::DFG::StructureAbstractValue::onlyStructure):

    2014-06-24  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt][REGRESSION] PutById AI is introducing watchable structures without watching them
            https://bugs.webkit.org/show_bug.cgi?id=134260

            Reviewed by Geoffrey Garen.

            This was causing loads of assertion failures in debug builds.

            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

    2014-06-21  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] Fold GetById/PutById to MultiGetByOffset/GetByOffset or MultiPutByOffset/PutByOffset, which implies handling non-singleton sets
            https://bugs.webkit.org/show_bug.cgi?id=134090

            Reviewed by Oliver Hunt.

            This pretty much finishes off the work to eliminate the special-casing of singleton
            structure sets by making it possible to fold GetById and PutById to various polymorphic
            forms of the ByOffset nodes.

            * bytecode/GetByIdStatus.cpp:
            (JSC::GetByIdStatus::computeForStubInfo):
            (JSC::GetByIdStatus::computeFor):
            * bytecode/GetByIdStatus.h:
            * bytecode/PutByIdStatus.cpp:
            (JSC::PutByIdStatus::computeFor):
            * bytecode/PutByIdStatus.h:
            * bytecode/PutByIdVariant.h:
            (JSC::PutByIdVariant::constantChecks):
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::parseBlock):
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::foldConstants):
            (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
            (JSC::DFG::ConstantFoldingPhase::addChecks):
            * dfg/DFGNode.h:
            (JSC::DFG::Node::convertToMultiGetByOffset):
            (JSC::DFG::Node::convertToMultiPutByOffset):
            * dfg/DFGSpeculativeJIT64.cpp: Also convert all release assertions to DFG assertions in this file, because I was hitting some of them while debugging.
            (JSC::DFG::SpeculativeJIT::fillJSValue):
            (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
            (JSC::DFG::SpeculativeJIT::emitCall):
            (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
            (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
            (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
            (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
            (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
            (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
            (JSC::DFG::SpeculativeJIT::compileLogicalNot):
            (JSC::DFG::SpeculativeJIT::emitBranch):
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGStructureAbstractValue.h:
            (JSC::DFG::StructureAbstractValue::set):

    2014-06-19  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] StructureSet::onlyStructure() should return nullptr if it's not a singleton (instead of asserting)
            https://bugs.webkit.org/show_bug.cgi?id=134077

            Reviewed by Sam Weinig.

            This makes StructureSet and StructureAbstractValue more consistent and fixes a debug assert
            in the abstract interpreter.

            * bytecode/StructureSet.h:
            (JSC::StructureSet::onlyStructure):

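Two of the entries above (the 2014-06-24 StructureAbstractValue::onlyStructure() change and the 2014-06-19 StructureSet::onlyStructure() change) describe the same discipline from two sides: a "which single structure is this?" query answers nullptr, rather than asserting or guessing, whenever the set is not a singleton or a side effect has clobbered what the abstract interpreter knew. The reason this matters for correctness is that an optimizer which folds a property access down to a fixed offset on the strength of a stale structure produces code that reads the wrong slot once the object has transitioned. The following is an added toy model of that rule, not JavaScriptCore's code: Structure, StructureSet and StructureAbstractValue are reduced to a few lines, the clobber/InvalidationPoint handling is a deliberate simplification, and canFoldToByOffset is a constructed stand-in for a constant-folding consumer.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <vector>

// Constructed stand-in for a JSC Structure: only its identity matters here.
struct Structure { int id; };

// Toy StructureSet. Real sets are more compact; the query semantics are the point.
class StructureSet {
public:
    void add(Structure* s) { if (!contains(s)) m_structures.push_back(s); }
    bool contains(Structure* s) const {
        return std::find(m_structures.begin(), m_structures.end(), s) != m_structures.end();
    }
    size_t size() const { return m_structures.size(); }
    // Answers "exactly one structure?" with nullptr for 0 or 2+ members instead of
    // asserting, so every caller is forced to handle the polymorphic case.
    Structure* onlyStructure() const { return m_structures.size() == 1 ? m_structures[0] : nullptr; }
private:
    std::vector<Structure*> m_structures;
};

// Toy abstract value: what the optimizer currently knows about an object's structure.
class StructureAbstractValue {
public:
    void set(Structure* s) { m_set = StructureSet(); m_set.add(s); m_clobbered = false; }
    void merge(Structure* s) { m_set.add(s); }
    // A side effect (say, a call into arbitrary JS) may have transitioned the object;
    // the set remains a hint, but nothing can be proven from it until it is re-checked.
    void clobber() { m_clobbered = true; }
    // Simplification for this model: an InvalidationPoint (or an explicit structure
    // check) re-establishes the set as exact.
    void observeInvalidationPoint() { m_clobbered = false; }
    bool isClobbered() const { return m_clobbered; }
    // The shape the entry describes: delegate to StructureSet::onlyStructure(), but
    // never report a singleton while clobbered.
    Structure* onlyStructure() const { return m_clobbered ? nullptr : m_set.onlyStructure(); }
    // The shape being replaced, kept for contrast: it ignores the clobbered bit.
    Structure* onlyStructureIgnoringClobber() const { return m_set.onlyStructure(); }
private:
    StructureSet m_set;
    bool m_clobbered { false };
};

// Constructed consumer in the style of constant folding: a GetById may be rewritten
// into a direct GetByOffset only if the base's structure is known exactly.
bool canFoldToByOffset(const StructureAbstractValue& base) {
    return base.onlyStructure() != nullptr;
}

int main() {
    Structure a { 1 }, b { 2 };
    StructureAbstractValue v;
    v.set(&a);
    std::printf("singleton: fold=%d\n", canFoldToByOffset(v));
    v.clobber();
    std::printf("after side effect: fold=%d (ignoring clobber it would be %d)\n",
                canFoldToByOffset(v), v.onlyStructureIgnoringClobber() != nullptr);
    v.observeInvalidationPoint();
    v.merge(&b);
    std::printf("two structures: fold=%d\n", canFoldToByOffset(v));
    return 0;
}
```

The contrast between onlyStructure() and onlyStructureIgnoringClobber() after clobber() is the whole lesson: the conservative nullptr costs an optimization opportunity in the window between a side effect and the next InvalidationPoint, while the optimistic answer would let a fold be built on a structure the object may no longer have.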
    2014-06-18  Filip Pizlo  <fpizlo@apple.com>

            DFG AI and constant folder should be able to precisely prune MultiGetByOffset/MultiPutByOffset even if the base structure abstract value is not a singleton
            https://bugs.webkit.org/show_bug.cgi?id=133918

            Reviewed by Mark Hahnenberg.

            This also adds pruning of PutStructure, since I basically had no choice but
            to implement such logic within MultiPutByOffset.

            Also adds a bunch of PutById cache status dumping to bytecode dumping.

            * bytecode/GetByIdVariant.cpp:
            (JSC::GetByIdVariant::dumpInContext):
            * bytecode/GetByIdVariant.h:
            (JSC::GetByIdVariant::structureSet):
            * bytecode/PutByIdVariant.h:
            (JSC::PutByIdVariant::oldStructure):
            * bytecode/StructureSet.cpp:
            (JSC::StructureSet::filter):
            (JSC::StructureSet::filterArrayModes):
            * bytecode/StructureSet.h:
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGAbstractValue.cpp:
            (JSC::DFG::AbstractValue::changeStructure):
            (JSC::DFG::AbstractValue::contains):
            * dfg/DFGAbstractValue.h:
            (JSC::DFG::AbstractValue::couldBeType):
            (JSC::DFG::AbstractValue::isType):
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::foldConstants):
            (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
            (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
            (JSC::DFG::ConstantFoldingPhase::addBaseCheck):
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::freezeStrong):
            * dfg/DFGGraph.h:
            * dfg/DFGStructureAbstractValue.h:
            (JSC::DFG::StructureAbstractValue::operator=):
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
            * tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check.js: Added.
            (foo):
            (fu):
            (bar):
            (baz):
            (.bar):
            (.baz):
            * tests/stress/fold-multi-put-by-offset-to-put-by-offset-without-folding-the-structure-check.js: Added.
            (foo):
            (fu):
            (bar):
            (baz):
            (.bar):
            (.baz):
            * tests/stress/prune-multi-put-by-offset-replace-or-transition-variant.js: Added.
            (foo):
            (fu):
            (bar):
            (baz):
            (.bar):
            (.baz):

    2014-06-18  Mark Hahnenberg  <mhahnenberg@apple.com>

            Remove CompoundType and LeafType
            https://bugs.webkit.org/show_bug.cgi?id=134037

            Reviewed by Filip Pizlo.

            We don't use them for anything. We'll replace them with a generic CellType type for all
            the objects that are JSCells, aren't JSObjects, and for which we generally don't care about
            their JSType at runtime.

            * llint/LLIntData.cpp:
            (JSC::LLInt::Data::performAssertions):
            * runtime/ArrayBufferNeuteringWatchpoint.cpp:
            (JSC::ArrayBufferNeuteringWatchpoint::createStructure):
            * runtime/Executable.h:
            (JSC::ExecutableBase::createStructure):
            (JSC::NativeExecutable::createStructure):
            * runtime/JSPromiseDeferred.h:
            (JSC::JSPromiseDeferred::createStructure):
            * runtime/JSPromiseReaction.h:
            (JSC::JSPromiseReaction::createStructure):
            * runtime/JSPropertyNameIterator.h:
            (JSC::JSPropertyNameIterator::createStructure):
            * runtime/JSType.h:
            * runtime/JSTypeInfo.h:
            (JSC::TypeInfo::TypeInfo):
            * runtime/MapData.h:
            (JSC::MapData::createStructure):
            * runtime/PropertyMapHashTable.h:
            (JSC::PropertyTable::createStructure):
            * runtime/RegExp.h:
            (JSC::RegExp::createStructure):
            * runtime/SparseArrayValueMap.cpp:
            (JSC::SparseArrayValueMap::createStructure):
            * runtime/Structure.cpp:
            (JSC::Structure::Structure):
            * runtime/StructureChain.h:
            (JSC::StructureChain::createStructure):
            * runtime/StructureRareData.cpp:
            (JSC::StructureRareData::createStructure):
            * runtime/SymbolTable.h:
            (JSC::SymbolTable::createStructure):
            * runtime/WeakMapData.h:
            (JSC::WeakMapData::createStructure):

    2014-06-17  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] PutStructure and PhantomPutStructure shouldn't leave the world in a clobbered state
            https://bugs.webkit.org/show_bug.cgi?id=134002

            Reviewed by Mark Hahnenberg.

            The effect of this bug was that if we had a PutStructure or PhantomPutStructure then any
            JSConstants would be in a Clobbered state, so we wouldn't take advantage of our knowledge
            of the structure if that structure was watchable.

            Also kill PhantomPutStructure.

            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
            * dfg/DFGClobberize.h:
            (JSC::DFG::clobberize):
            * dfg/DFGDoesGC.cpp:
            (JSC::DFG::doesGC):
            * dfg/DFGFixupPhase.cpp:
            (JSC::DFG::FixupPhase::fixupNode):
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::visitChildren):
            * dfg/DFGNode.h:
            (JSC::DFG::Node::hasTransition):
            * dfg/DFGNodeType.h:
            * dfg/DFGPredictionPropagationPhase.cpp:
            (JSC::DFG::PredictionPropagationPhase::propagate):
            * dfg/DFGSafeToExecute.h:
            (JSC::DFG::safeToExecute):
            * dfg/DFGSpeculativeJIT32_64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGSpeculativeJIT64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGStructureAbstractValue.cpp:
            (JSC::DFG::StructureAbstractValue::observeTransition):
            (JSC::DFG::StructureAbstractValue::observeTransitions):
            * dfg/DFGValidate.cpp:
            (JSC::DFG::Validate::validate):
            * dfg/DFGWatchableStructureWatchingPhase.cpp:
            (JSC::DFG::WatchableStructureWatchingPhase::run):
            * ftl/FTLCapabilities.cpp:
            (JSC::FTL::canCompile):
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileNode):
            (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure): Deleted.

    2014-06-17  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] DFG put_by_id should inline accesses with a slightly polymorphic base
            https://bugs.webkit.org/show_bug.cgi?id=133964

            Reviewed by Mark Hahnenberg.

            * bytecode/PutByIdStatus.cpp:
            (JSC::PutByIdStatus::appendVariant):
            (JSC::PutByIdStatus::computeForStubInfo):
            * bytecode/PutByIdVariant.cpp:
            (JSC::PutByIdVariant::oldStructureForTransition):
            (JSC::PutByIdVariant::writesStructures):
            (JSC::PutByIdVariant::reallocatesStorage):
            (JSC::PutByIdVariant::attemptToMerge):
            (JSC::PutByIdVariant::attemptToMergeTransitionWithReplace):
            (JSC::PutByIdVariant::dumpInContext):
            * bytecode/PutByIdVariant.h:
            (JSC::PutByIdVariant::PutByIdVariant):
            (JSC::PutByIdVariant::replace):
            (JSC::PutByIdVariant::transition):
            (JSC::PutByIdVariant::structure):
            (JSC::PutByIdVariant::oldStructure):
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::handlePutById):
            (JSC::DFG::ByteCodeParser::parseBlock):
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::foldConstants):
            (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::visitChildren):
            * dfg/DFGNode.cpp:
            (JSC::DFG::MultiPutByOffsetData::writesStructures):
            (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
            * ftl/FTLAbbreviations.h:
            (JSC::FTL::getLinkage):
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
            (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):

2014-07-26  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out r171641-r171644. It broke some tests; will investigate and
        reland later.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::printPutByIdCacheStatus): Deleted.
        * bytecode/CodeBlock.h:
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfo):
        (JSC::GetByIdStatus::computeFor):
        * bytecode/GetByIdStatus.h:
        * bytecode/GetByIdVariant.cpp:
        (JSC::GetByIdVariant::dumpInContext):
        * bytecode/GetByIdVariant.h:
        (JSC::GetByIdVariant::structureSet):
        * bytecode/Instruction.h:
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::appendVariant):
        (JSC::PutByIdStatus::computeForStubInfo):
        (JSC::PutByIdStatus::computeFor):
        * bytecode/PutByIdStatus.h:
        * bytecode/PutByIdVariant.cpp:
        (JSC::PutByIdVariant::dumpInContext):
        (JSC::PutByIdVariant::oldStructureForTransition): Deleted.
        (JSC::PutByIdVariant::writesStructures): Deleted.
        (JSC::PutByIdVariant::reallocatesStorage): Deleted.
        (JSC::PutByIdVariant::attemptToMerge): Deleted.
        (JSC::PutByIdVariant::attemptToMergeTransitionWithReplace): Deleted.
        * bytecode/PutByIdVariant.h:
        (JSC::PutByIdVariant::PutByIdVariant):
        (JSC::PutByIdVariant::replace):
        (JSC::PutByIdVariant::transition):
        (JSC::PutByIdVariant::structure):
        (JSC::PutByIdVariant::oldStructure):
        (JSC::PutByIdVariant::newStructure):
        (JSC::PutByIdVariant::constantChecks):
        * bytecode/StructureSet.cpp:
        (JSC::StructureSet::filter): Deleted.
        (JSC::StructureSet::filterArrayModes): Deleted.
        * bytecode/StructureSet.h:
        (JSC::StructureSet::onlyStructure):
        * bytecode/ToThisStatus.cpp: Removed.
        * bytecode/ToThisStatus.h: Removed.
        * bytecode/TypeLocation.h: Removed.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitMove):
        (JSC::BytecodeGenerator::emitPutToScope):
        (JSC::BytecodeGenerator::emitPutById):
        (JSC::BytecodeGenerator::emitPutByVal):
        (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PostfixNode::emitResolve):
        (JSC::PrefixNode::emitResolve):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::ConstDeclNode::emitCodeSingle):
        (JSC::ForInNode::emitBytecode):
        * debugger/DebuggerActivation.cpp: Added.
        (JSC::DebuggerActivation::DebuggerActivation):
        (JSC::DebuggerActivation::finishCreation):
        (JSC::DebuggerActivation::visitChildren):
        (JSC::DebuggerActivation::className):
        (JSC::DebuggerActivation::getOwnPropertySlot):
        (JSC::DebuggerActivation::put):
        (JSC::DebuggerActivation::deleteProperty):
        (JSC::DebuggerActivation::getOwnPropertyNames):
        (JSC::DebuggerActivation::defineOwnProperty):
        * debugger/DebuggerActivation.h: Added.
        (JSC::DebuggerActivation::create):
        (JSC::DebuggerActivation::createStructure):
        * debugger/DebuggerScope.cpp: Removed.
        * debugger/DebuggerScope.h: Removed.
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::changeStructure): Deleted.
        (JSC::DFG::AbstractValue::contains): Deleted.
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::couldBeType):
        (JSC::DFG::AbstractValue::isType):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handlePutById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
        (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
        (JSC::DFG::ConstantFoldingPhase::addBaseCheck): Deleted.
        (JSC::DFG::ConstantFoldingPhase::addChecks): Deleted.
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::visitChildren):
        (JSC::DFG::Graph::freezeStrong):
        * dfg/DFGGraph.h:
        * dfg/DFGNode.cpp:
        (JSC::DFG::MultiPutByOffsetData::writesStructures):
        (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToPutByOffset):
        (JSC::DFG::Node::hasTransition):
        (JSC::DFG::Node::convertToMultiGetByOffset): Deleted.
        (JSC::DFG::Node::convertToMultiPutByOffset): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureAbstractValue.cpp:
        (JSC::DFG::StructureAbstractValue::observeTransition):
        (JSC::DFG::StructureAbstractValue::observeTransitions):
        * dfg/DFGStructureAbstractValue.h:
        (JSC::DFG::StructureAbstractValue::onlyStructure):
        (JSC::DFG::StructureAbstractValue::operator=): Deleted.
        (JSC::DFG::StructureAbstractValue::set): Deleted.
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        * dfg/DFGWatchableStructureWatchingPhase.cpp:
        (JSC::DFG::WatchableStructureWatchingPhase::run):
        * ftl/FTLAbbreviations.h:
        (JSC::FTL::getLinkage): Deleted.
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure):
        (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
        (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
        (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):
        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange): Deleted.
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/protocol/Runtime.json:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionDumpTypesForAllVariables): Deleted.
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::putToScopeCommon): Deleted.
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/ArrayBufferNeuteringWatchpoint.cpp:
        (JSC::ArrayBufferNeuteringWatchpoint::createStructure):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/Executable.h:
        (JSC::ExecutableBase::createStructure):
        (JSC::NativeExecutable::createStructure):
        * runtime/HighFidelityLog.cpp: Removed.
        * runtime/HighFidelityLog.h: Removed.
        * runtime/HighFidelityTypeProfiler.cpp: Removed.
        * runtime/HighFidelityTypeProfiler.h: Removed.
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectCustomAccessor):
        (JSC::JSObject::putDirectNonIndexAccessor):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        * runtime/JSPromiseDeferred.h:
        (JSC::JSPromiseDeferred::createStructure):
        * runtime/JSPromiseReaction.h:
        (JSC::JSPromiseReaction::createStructure):
        * runtime/JSPropertyNameIterator.h:
        (JSC::JSPropertyNameIterator::createStructure):
        * runtime/JSType.h:
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::TypeInfo):
        * runtime/MapData.h:
        (JSC::MapData::createStructure):
        * runtime/Options.h:
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::createStructure):
        * runtime/RegExp.h:
        (JSC::RegExp::createStructure):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::createStructure):
        * runtime/Structure.cpp:
        (JSC::StructureTransitionTable::contains):
        (JSC::StructureTransitionTable::get):
        (JSC::StructureTransitionTable::add):
        (JSC::Structure::Structure):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::freezeTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::takePropertyTableOrCloneIfPinned):
        (JSC::Structure::nonPropertyTransition):
        (JSC::Structure::flattenDictionaryStructure):
        (JSC::Structure::addPropertyWithoutTransition):
        (JSC::Structure::pin):
        (JSC::Structure::allocateRareData):
        (JSC::Structure::cloneRareDataFrom):
        (JSC::Structure::getConcurrently):
        (JSC::Structure::putSpecificValue):
        (JSC::Structure::getPropertyNamesFromStructure):
        (JSC::Structure::visitChildren):
        (JSC::Structure::checkConsistency):
        (JSC::Structure::toStructureShape): Deleted.
        * runtime/Structure.h:
        (JSC::Structure::isExtensible):
        (JSC::Structure::didTransition):
        (JSC::Structure::isDictionary):
        (JSC::Structure::isUncacheableDictionary):
        (JSC::Structure::hasBeenFlattenedBefore):
        (JSC::Structure::propertyAccessesAreCacheable):
        (JSC::Structure::previousID):
        (JSC::Structure::hasGetterSetterProperties):
        (JSC::Structure::hasReadOnlyOrGetterSetterPropertiesExcludingProto):
        (JSC::Structure::setHasGetterSetterProperties):
        (JSC::Structure::hasCustomGetterSetterProperties):
        (JSC::Structure::setHasCustomGetterSetterProperties):
        (JSC::Structure::setContainsReadOnlyProperties):
        (JSC::Structure::hasNonEnumerableProperties):
        (JSC::Structure::disableSpecificFunctionTracking):
        (JSC::Structure::objectToStringValue):
        (JSC::Structure::setObjectToStringValue):
        (JSC::Structure::staticFunctionsReified):
        (JSC::Structure::setStaticFunctionsReified):
        (JSC::Structure::transitionWatchpointSet):
        (JSC::Structure::setPreviousID):
        (JSC::Structure::clearPreviousID):
        (JSC::Structure::previous):
        (JSC::Structure::rareData):
        (JSC::Structure::setHasGetterSetterPropertiesWithProtoCheck): Deleted.
1341         (JSC::Structure::setHasCustomGetterSetterPropertiesWithProtoCheck): Deleted.
1342         * runtime/StructureChain.h:
1343         (JSC::StructureChain::createStructure):
1344         * runtime/StructureInlines.h:
1345         (JSC::Structure::setEnumerationCache):
1346         (JSC::Structure::enumerationCache):
1347         (JSC::Structure::checkOffsetConsistency):
1348         * runtime/StructureRareData.cpp:
1349         (JSC::StructureRareData::createStructure):
1350         * runtime/SymbolTable.cpp:
1351         (JSC::SymbolTable::SymbolTable):
1352         (JSC::SymbolTable::cloneCapturedNames):
1353         (JSC::SymbolTable::uniqueIDForVariable): Deleted.
1354         (JSC::SymbolTable::uniqueIDForRegister): Deleted.
1355         (JSC::SymbolTable::globalTypeSetForRegister): Deleted.
1356         (JSC::SymbolTable::globalTypeSetForVariable): Deleted.
1357         * runtime/SymbolTable.h:
1358         (JSC::SymbolTable::createStructure):
1359         (JSC::SymbolTable::add):
1360         (JSC::SymbolTable::set):
1361         * runtime/TypeSet.cpp: Removed.
1362         * runtime/TypeSet.h: Removed.
1363         * runtime/VM.cpp:
1364         (JSC::VM::VM):
1365         (JSC::VM::getTypesForVariableInRange): Deleted.
1366         (JSC::VM::updateHighFidelityTypeProfileState): Deleted.
1367         (JSC::VM::dumpHighFidelityProfilingTypes): Deleted.
1368         * runtime/VM.h:
1369         (JSC::VM::isProfilingTypesWithHighFidelity): Deleted.
1370         (JSC::VM::highFidelityLog): Deleted.
1371         (JSC::VM::highFidelityTypeProfiler): Deleted.
1372         (JSC::VM::nextLocation): Deleted.
1373         (JSC::VM::getNextUniqueVariableID): Deleted.
1374         * runtime/WeakMapData.h:
1375         (JSC::WeakMapData::createStructure):
1376         * tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check.js: Removed.
1377         * tests/stress/fold-multi-put-by-offset-to-put-by-offset-without-folding-the-structure-check.js: Removed.
1378         * tests/stress/prune-multi-put-by-offset-replace-or-transition-variant.js: Removed.
1379
1380 2014-07-25  Filip Pizlo  <fpizlo@apple.com>
1381
1382         Attempt to fix non-Xcode platforms.
1383
1384         * CMakeLists.txt:
1385         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1386
1387 2014-07-25  Filip Pizlo  <fpizlo@apple.com>
1388
1389         Fix cloop.
1390
1391         * bytecode/CodeBlock.cpp:
1392         (JSC::dumpChain):
1393         (JSC::CodeBlock::printPutByIdCacheStatus):
1394         * bytecode/StructureSet.cpp:
1395         * bytecode/StructureSet.h:
1396
1397 2014-07-25  Filip Pizlo  <fpizlo@apple.com>
1398
1399         Merge r170090, r170092, r170129, r170141, r170161, r170215, r170275, r170375, r170376, r170382, r170383, r170399, r170436, r170489, r170490, r170556 from ftlopt.
1400
1401     2014-06-27  Michael Saboff  <msaboff@apple.com>
1402     
1403             Unreviewed build fix after r169795.
1404     
1405             Fixed ASSERT for 32 bit build.
1406     
1407             * dfg/DFGSpeculativeJIT.cpp:
1408             (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
1409     
1410     2014-06-24  Saam Barati  <sbarati@apple.com>
1411     
1412             Web Inspector: debugger should be able to show variable types
1413             https://bugs.webkit.org/show_bug.cgi?id=133395
1414     
1415             Reviewed by Filip Pizlo.
1416     
1417             Increase the amount of type information the VM gathers when directed
1418             to do so. This initial commit is working towards the goal of
1419             capturing, and then showing (via the Web Inspector) type information for all
1420             assignment and load operations. This patch doesn't have the feature fully 
1421             implemented, but it ensures the VM has no performance regressions
1422             unless the feature is specifically turned on.
1423     
1424             * JavaScriptCore.xcodeproj/project.pbxproj:
1425             * bytecode/BytecodeList.json:
1426             * bytecode/BytecodeUseDef.h:
1427             (JSC::computeUsesForBytecodeOffset):
1428             (JSC::computeDefsForBytecodeOffset):
1429             * bytecode/CodeBlock.cpp:
1430             (JSC::CodeBlock::dumpBytecode):
1431             (JSC::CodeBlock::CodeBlock):
1432             (JSC::CodeBlock::finalizeUnconditionally):
1433             * bytecode/CodeBlock.h:
1434             * bytecode/Instruction.h:
1435             * bytecode/TypeLocation.h: Added.
1436             (JSC::TypeLocation::TypeLocation):
1437             * bytecompiler/BytecodeGenerator.cpp:
1438             (JSC::BytecodeGenerator::emitMove):
1439             (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
1440             (JSC::BytecodeGenerator::emitPutToScope):
1441             (JSC::BytecodeGenerator::emitPutById):
1442             (JSC::BytecodeGenerator::emitPutByVal):
1443             * bytecompiler/BytecodeGenerator.h:
1444             (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity):
1445             * bytecompiler/NodesCodegen.cpp:
1446             (JSC::PostfixNode::emitResolve):
1447             (JSC::PrefixNode::emitResolve):
1448             (JSC::ReadModifyResolveNode::emitBytecode):
1449             (JSC::AssignResolveNode::emitBytecode):
1450             (JSC::ConstDeclNode::emitCodeSingle):
1451             (JSC::ForInNode::emitBytecode):
1452             * heap/Heap.cpp:
1453             (JSC::Heap::collect):
1454             * inspector/agents/InspectorRuntimeAgent.cpp:
1455             (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange):
1456             * inspector/agents/InspectorRuntimeAgent.h:
1457             * inspector/protocol/Runtime.json:
1458             * jsc.cpp:
1459             (GlobalObject::finishCreation):
1460             (functionDumpTypesForAllVariables):
1461             * llint/LLIntSlowPaths.cpp:
1462             (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1463             (JSC::LLInt::putToScopeCommon):
1464             * llint/LLIntSlowPaths.h:
1465             * llint/LowLevelInterpreter.asm:
1466             * runtime/HighFidelityLog.cpp: Added.
1467             (JSC::HighFidelityLog::initializeHighFidelityLog):
1468             (JSC::HighFidelityLog::~HighFidelityLog):
1469             (JSC::HighFidelityLog::recordTypeInformationForLocation):
1470             (JSC::HighFidelityLog::processHighFidelityLog):
1471             (JSC::HighFidelityLog::actuallyProcessLogThreadFunction):
1472             * runtime/HighFidelityLog.h: Added.
1473             (JSC::HighFidelityLog::HighFidelityLog):
1474             * runtime/HighFidelityTypeProfiler.cpp: Added.
1475             (JSC::HighFidelityTypeProfiler::getTypesForVariableInRange):
1476             (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableInRange):
1477             (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableInRange):
1478             (JSC::HighFidelityTypeProfiler::insertNewLocation):
1479             (JSC::HighFidelityTypeProfiler::getLocationBasedHash):
1480             * runtime/HighFidelityTypeProfiler.h: Added.
1481             * runtime/Options.h:
1482             * runtime/Structure.cpp:
1483             (JSC::Structure::toStructureShape):
1484             * runtime/Structure.h:
1485             * runtime/SymbolTable.cpp:
1486             (JSC::SymbolTable::SymbolTable):
1487             (JSC::SymbolTable::cloneCapturedNames):
1488             (JSC::SymbolTable::uniqueIDForVariable):
1489             (JSC::SymbolTable::uniqueIDForRegister):
1490             (JSC::SymbolTable::globalTypeSetForRegister):
1491             (JSC::SymbolTable::globalTypeSetForVariable):
1492             * runtime/SymbolTable.h:
1493             (JSC::SymbolTable::add):
1494             (JSC::SymbolTable::set):
1495             * runtime/TypeSet.cpp: Added.
1496             (JSC::TypeSet::TypeSet):
1497             (JSC::TypeSet::getRuntimeTypeForValue):
1498             (JSC::TypeSet::addTypeForValue):
1499             (JSC::TypeSet::removeDuplicatesInStructureHistory):
1500             (JSC::TypeSet::seenTypes):
1501             (JSC::TypeSet::dumpSeenTypes):
1502             (JSC::StructureShape::StructureShape):
1503             (JSC::StructureShape::markAsFinal):
1504             (JSC::StructureShape::addProperty):
1505             (JSC::StructureShape::propertyHash):
1506             (JSC::StructureShape::leastUpperBound):
1507             (JSC::StructureShape::stringRepresentation):
1508             * runtime/TypeSet.h: Added.
1509             (JSC::StructureShape::create):
1510             (JSC::TypeSet::create):
1511             * runtime/VM.cpp:
1512             (JSC::VM::VM):
1513             (JSC::VM::getTypesForVariableInRange):
1514             (JSC::VM::updateHighFidelityTypeProfileState):
1515             (JSC::VM::dumpHighFidelityProfilingTypes):
1516             * runtime/VM.h:
1517             (JSC::VM::isProfilingTypesWithHighFidelity):
1518             (JSC::VM::highFidelityLog):
1519             (JSC::VM::highFidelityTypeProfiler):
1520             (JSC::VM::nextLocation):
1521             (JSC::VM::getNextUniqueVariableID):
1522     
1523     2014-06-26  Mark Lam  <mark.lam@apple.com>
1524     
1525             Remove unused instantiation of the WithScope structure.
1526             <https://webkit.org/b/134331>
1527     
1528             Reviewed by Oliver Hunt.
1529     
1530             The WithScope structure instance in the VM is unused, and is now removed.
1531     
1532             * runtime/VM.cpp:
1533             (JSC::VM::VM):
1534             * runtime/VM.h:
1535     
1536     2014-06-25  Mark Hahnenberg  <mhahnenberg@apple.com>
1537     
1538             Structure bit fields should have a consistent format
1539             https://bugs.webkit.org/show_bug.cgi?id=134307
1540     
1541             Reviewed by Filip Pizlo.
1542     
1543             Currently we use C-style bit fields for a number of member variables in Structure to save space. 
1544             This makes it difficult to load these fields in the JIT. We should instead use our own bitfield 
1545             format to make it easy to load and test these variables in JIT code.
1546     
1547             * runtime/JSObject.cpp:
1548             (JSC::JSObject::putDirectNonIndexAccessor):
1549             (JSC::JSObject::reifyStaticFunctionsForDelete):
1550             * runtime/Structure.cpp:
1551             (JSC::StructureTransitionTable::contains):
1552             (JSC::StructureTransitionTable::get):
1553             (JSC::StructureTransitionTable::add):
1554             (JSC::Structure::Structure):
1555             (JSC::Structure::materializePropertyMap):
1556             (JSC::Structure::addPropertyTransition):
1557             (JSC::Structure::despecifyFunctionTransition):
1558             (JSC::Structure::toDictionaryTransition):
1559             (JSC::Structure::freezeTransition):
1560             (JSC::Structure::preventExtensionsTransition):
1561             (JSC::Structure::takePropertyTableOrCloneIfPinned):
1562             (JSC::Structure::nonPropertyTransition):
1563             (JSC::Structure::flattenDictionaryStructure):
1564             (JSC::Structure::addPropertyWithoutTransition):
1565             (JSC::Structure::pin):
1566             (JSC::Structure::allocateRareData):
1567             (JSC::Structure::cloneRareDataFrom):
1568             (JSC::Structure::getConcurrently):
1569             (JSC::Structure::putSpecificValue):
1570             (JSC::Structure::getPropertyNamesFromStructure):
1571             (JSC::Structure::visitChildren):
1572             (JSC::Structure::checkConsistency):
1573             * runtime/Structure.h:
1574             (JSC::Structure::isExtensible):
1575             (JSC::Structure::isDictionary):
1576             (JSC::Structure::isUncacheableDictionary):
1577             (JSC::Structure::propertyAccessesAreCacheable):
1578             (JSC::Structure::previousID):
1579             (JSC::Structure::setHasGetterSetterPropertiesWithProtoCheck):
1580             (JSC::Structure::setContainsReadOnlyProperties):
1581             (JSC::Structure::disableSpecificFunctionTracking):
1582             (JSC::Structure::objectToStringValue):
1583             (JSC::Structure::setObjectToStringValue):
1584             (JSC::Structure::setPreviousID):
1585             (JSC::Structure::clearPreviousID):
1586             (JSC::Structure::previous):
1587             (JSC::Structure::rareData):
1588             (JSC::Structure::didTransition): Deleted.
1589             (JSC::Structure::hasGetterSetterProperties): Deleted.
1590             (JSC::Structure::hasReadOnlyOrGetterSetterPropertiesExcludingProto): Deleted.
1591             (JSC::Structure::setHasGetterSetterProperties): Deleted.
1592             (JSC::Structure::hasNonEnumerableProperties): Deleted.
1593             (JSC::Structure::staticFunctionsReified): Deleted.
1594             (JSC::Structure::setStaticFunctionsReified): Deleted.
1595             * runtime/StructureInlines.h:
1596             (JSC::Structure::setEnumerationCache):
1597             (JSC::Structure::enumerationCache):
1598             (JSC::Structure::checkOffsetConsistency):
1599     
1600     2014-06-24  Mark Lam  <mark.lam@apple.com>
1601     
1602             [ftlopt] Renamed DebuggerActivation to DebuggerScope.
1603             <https://webkit.org/b/134273>
1604     
1605             Reviewed by Michael Saboff.
1606     
1607             * CMakeLists.txt:
1608             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1609             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1610             * JavaScriptCore.xcodeproj/project.pbxproj:
1611             * debugger/DebuggerActivation.cpp: Removed.
1612             * debugger/DebuggerActivation.h: Removed.
1613             * debugger/DebuggerScope.cpp: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.cpp.
1614             (JSC::DebuggerScope::DebuggerScope):
1615             (JSC::DebuggerScope::finishCreation):
1616             (JSC::DebuggerScope::visitChildren):
1617             (JSC::DebuggerScope::className):
1618             (JSC::DebuggerScope::getOwnPropertySlot):
1619             (JSC::DebuggerScope::put):
1620             (JSC::DebuggerScope::deleteProperty):
1621             (JSC::DebuggerScope::getOwnPropertyNames):
1622             (JSC::DebuggerScope::defineOwnProperty):
1623             (JSC::DebuggerActivation::DebuggerActivation): Deleted.
1624             (JSC::DebuggerActivation::finishCreation): Deleted.
1625             (JSC::DebuggerActivation::visitChildren): Deleted.
1626             (JSC::DebuggerActivation::className): Deleted.
1627             (JSC::DebuggerActivation::getOwnPropertySlot): Deleted.
1628             (JSC::DebuggerActivation::put): Deleted.
1629             (JSC::DebuggerActivation::deleteProperty): Deleted.
1630             (JSC::DebuggerActivation::getOwnPropertyNames): Deleted.
1631             (JSC::DebuggerActivation::defineOwnProperty): Deleted.
1632             * debugger/DebuggerScope.h: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.h.
1633             (JSC::DebuggerScope::create):
1634             (JSC::DebuggerActivation::create): Deleted.
1635             * runtime/VM.cpp:
1636             (JSC::VM::VM):
1637             * runtime/VM.h:
1638     
1639     2014-06-24  Filip Pizlo  <fpizlo@apple.com>
1640     
1641             [ftlopt] PutByIdFlush can also be converted to a PutByOffset so don't assert otherwise
1642             https://bugs.webkit.org/show_bug.cgi?id=134265
1643     
1644             Reviewed by Geoffrey Garen.
1645             
1646             More assertion fallout from the PutById folding work.
1647     
1648             * dfg/DFGNode.h:
1649             (JSC::DFG::Node::convertToPutByOffset):
1650     
1651     2014-06-24  Filip Pizlo  <fpizlo@apple.com>
1652     
1653             [ftlopt] GC should notify us if it resets to_this
1654             https://bugs.webkit.org/show_bug.cgi?id=128231
1655     
1656             Reviewed by Geoffrey Garen.
1657     
1658             * CMakeLists.txt:
1659             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1660             * JavaScriptCore.xcodeproj/project.pbxproj:
1661             * bytecode/BytecodeList.json:
1662             * bytecode/CodeBlock.cpp:
1663             (JSC::CodeBlock::dumpBytecode):
1664             (JSC::CodeBlock::finalizeUnconditionally):
1665             * bytecode/Instruction.h:
1666             * bytecode/ToThisStatus.cpp: Added.
1667             (JSC::merge):
1668             (WTF::printInternal):
1669             * bytecode/ToThisStatus.h: Added.
1670             * bytecompiler/BytecodeGenerator.cpp:
1671             (JSC::BytecodeGenerator::BytecodeGenerator):
1672             * dfg/DFGByteCodeParser.cpp:
1673             (JSC::DFG::ByteCodeParser::parseBlock):
1674             * llint/LowLevelInterpreter32_64.asm:
1675             * llint/LowLevelInterpreter64.asm:
1676             * runtime/CommonSlowPaths.cpp:
1677             (JSC::SLOW_PATH_DECL):
1678     
1679     2014-06-24  Filip Pizlo  <fpizlo@apple.com>
1680     
1681             [ftlopt] StructureAbstractValue::onlyStructure() should return nullptr if isClobbered()
1682             https://bugs.webkit.org/show_bug.cgi?id=134256
1683     
1684             Reviewed by Michael Saboff.
1685             
1686             This isn't testable right now (i.e. it's benign) but we should get it right anyway. The
1687             point is to be able to precisely model what goes on in the snippets of code between a
1688             side-effect and an InvalidationPoint.
1689             
1690             This patch also cleans up onlyStructure() by delegating more work to
1691             StructureSet::onlyStructure().
1692     
1693             * dfg/DFGStructureAbstractValue.h:
1694             (JSC::DFG::StructureAbstractValue::onlyStructure):
1695     
1696     2014-06-24  Filip Pizlo  <fpizlo@apple.com>
1697     
1698             [ftlopt][REGRESSION] PutById AI is introducing watchable structures without watching them
1699             https://bugs.webkit.org/show_bug.cgi?id=134260
1700     
1701             Reviewed by Geoffrey Garen.
1702             
1703             This was causing loads of assertion failures in debug builds.
1704     
1705             * dfg/DFGAbstractInterpreterInlines.h:
1706             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1707     
1708     2014-06-21  Filip Pizlo  <fpizlo@apple.com>
1709     
1710             [ftlopt] Fold GetById/PutById to MultiGetByOffset/GetByOffset or MultiPutByOffset/PutByOffset, which implies handling non-singleton sets
1711             https://bugs.webkit.org/show_bug.cgi?id=134090
1712     
1713             Reviewed by Oliver Hunt.
1714             
1715             This pretty much finishes off the work to eliminate the special-casing of singleton
1716             structure sets by making it possible to fold GetById and PutById to various polymorphic
1717             forms of the ByOffset nodes.
1718             
1719             * bytecode/GetByIdStatus.cpp:
1720             (JSC::GetByIdStatus::computeForStubInfo):
1721             (JSC::GetByIdStatus::computeFor):
1722             * bytecode/GetByIdStatus.h:
1723             * bytecode/PutByIdStatus.cpp:
1724             (JSC::PutByIdStatus::computeFor):
1725             * bytecode/PutByIdStatus.h:
1726             * bytecode/PutByIdVariant.h:
1727             (JSC::PutByIdVariant::constantChecks):
1728             * dfg/DFGAbstractInterpreterInlines.h:
1729             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1730             * dfg/DFGByteCodeParser.cpp:
1731             (JSC::DFG::ByteCodeParser::parseBlock):
1732             * dfg/DFGConstantFoldingPhase.cpp:
1733             (JSC::DFG::ConstantFoldingPhase::foldConstants):
1734             (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
1735             (JSC::DFG::ConstantFoldingPhase::addChecks):
1736             * dfg/DFGNode.h:
1737             (JSC::DFG::Node::convertToMultiGetByOffset):
1738             (JSC::DFG::Node::convertToMultiPutByOffset):
1739             * dfg/DFGSpeculativeJIT64.cpp: Also convert all release assertions to DFG assertions in this file, because I was hitting some of them while debugging.
1740             (JSC::DFG::SpeculativeJIT::fillJSValue):
1741             (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
1742             (JSC::DFG::SpeculativeJIT::emitCall):
1743             (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
1744             (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
1745             (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
1746             (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1747             (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1748             (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1749             (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1750             (JSC::DFG::SpeculativeJIT::emitBranch):
1751             (JSC::DFG::SpeculativeJIT::compile):
1752             * dfg/DFGStructureAbstractValue.h:
1753             (JSC::DFG::StructureAbstractValue::set):
1754     
1755     2014-06-19  Filip Pizlo  <fpizlo@apple.com>
1756     
1757             [ftlopt] StructureSet::onlyStructure() should return nullptr if it's not a singleton (instead of asserting)
1758             https://bugs.webkit.org/show_bug.cgi?id=134077
1759     
1760             Reviewed by Sam Weinig.
1761             
1762             This makes StructureSet and StructureAbstractValue more consistent and fixes a debug assert
1763             in the abstract interpreter.
1764     
1765             * bytecode/StructureSet.h:
1766             (JSC::StructureSet::onlyStructure):
1767     
1768     2014-06-18  Filip Pizlo  <fpizlo@apple.com>
1769     
1770             DFG AI and constant folder should be able to precisely prune MultiGetByOffset/MultiPutByOffset even if the base structure abstract value is not a singleton
1771             https://bugs.webkit.org/show_bug.cgi?id=133918
1772     
1773             Reviewed by Mark Hahnenberg.
1774             
1775             This also adds pruning of PutStructure, since I basically had no choice but
1776             to implement such logic within MultiPutByOffset.
1777             
1778             Also adds a bunch of PutById cache status dumping to bytecode dumping.
1779     
1780             * bytecode/GetByIdVariant.cpp:
1781             (JSC::GetByIdVariant::dumpInContext):
1782             * bytecode/GetByIdVariant.h:
1783             (JSC::GetByIdVariant::structureSet):
1784             * bytecode/PutByIdVariant.h:
1785             (JSC::PutByIdVariant::oldStructure):
1786             * bytecode/StructureSet.cpp:
1787             (JSC::StructureSet::filter):
1788             (JSC::StructureSet::filterArrayModes):
1789             * bytecode/StructureSet.h:
1790             * dfg/DFGAbstractInterpreterInlines.h:
1791             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1792             * dfg/DFGAbstractValue.cpp:
1793             (JSC::DFG::AbstractValue::changeStructure):
1794             (JSC::DFG::AbstractValue::contains):
1795             * dfg/DFGAbstractValue.h:
1796             (JSC::DFG::AbstractValue::couldBeType):
1797             (JSC::DFG::AbstractValue::isType):
1798             * dfg/DFGConstantFoldingPhase.cpp:
1799             (JSC::DFG::ConstantFoldingPhase::foldConstants):
1800             (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
1801             (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
1802             (JSC::DFG::ConstantFoldingPhase::addBaseCheck):
1803             * dfg/DFGGraph.cpp:
1804             (JSC::DFG::Graph::freezeStrong):
1805             * dfg/DFGGraph.h:
1806             * dfg/DFGStructureAbstractValue.h:
1807             (JSC::DFG::StructureAbstractValue::operator=):
1808             * ftl/FTLLowerDFGToLLVM.cpp:
1809             (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
1810             * tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check.js: Added.
1811             (foo):
1812             (fu):
1813             (bar):
1814             (baz):
1815             (.bar):
1816             (.baz):
1817             * tests/stress/fold-multi-put-by-offset-to-put-by-offset-without-folding-the-structure-check.js: Added.
1818             (foo):
1819             (fu):
1820             (bar):
1821             (baz):
1822             (.bar):
1823             (.baz):
1824             * tests/stress/prune-multi-put-by-offset-replace-or-transition-variant.js: Added.
1825             (foo):
1826             (fu):
1827             (bar):
1828             (baz):
1829             (.bar):
1830             (.baz):
1831     
1832     2014-06-18  Mark Hahnenberg  <mhahnenberg@apple.com>
1833     
1834             Remove CompoundType and LeafType
1835             https://bugs.webkit.org/show_bug.cgi?id=134037
1836     
1837             Reviewed by Filip Pizlo.
1838     
1839             We don't use them for anything. We'll replace them with a generic CellType type for all 
1840             the objects that are JSCells, aren't JSObjects, and for which we generally don't care about 
1841             their JSType at runtime.
1842     
1843             * llint/LLIntData.cpp:
1844             (JSC::LLInt::Data::performAssertions):
1845             * runtime/ArrayBufferNeuteringWatchpoint.cpp:
1846             (JSC::ArrayBufferNeuteringWatchpoint::createStructure):
1847             * runtime/Executable.h:
1848             (JSC::ExecutableBase::createStructure):
1849             (JSC::NativeExecutable::createStructure):
1850             * runtime/JSPromiseDeferred.h:
1851             (JSC::JSPromiseDeferred::createStructure):
1852             * runtime/JSPromiseReaction.h:
1853             (JSC::JSPromiseReaction::createStructure):
1854             * runtime/JSPropertyNameIterator.h:
1855             (JSC::JSPropertyNameIterator::createStructure):
1856             * runtime/JSType.h:
1857             * runtime/JSTypeInfo.h:
1858             (JSC::TypeInfo::TypeInfo):
1859             * runtime/MapData.h:
1860             (JSC::MapData::createStructure):
1861             * runtime/PropertyMapHashTable.h:
1862             (JSC::PropertyTable::createStructure):
1863             * runtime/RegExp.h:
1864             (JSC::RegExp::createStructure):
1865             * runtime/SparseArrayValueMap.cpp:
1866             (JSC::SparseArrayValueMap::createStructure):
1867             * runtime/Structure.cpp:
1868             (JSC::Structure::Structure):
1869             * runtime/StructureChain.h:
1870             (JSC::StructureChain::createStructure):
1871             * runtime/StructureRareData.cpp:
1872             (JSC::StructureRareData::createStructure):
1873             * runtime/SymbolTable.h:
1874             (JSC::SymbolTable::createStructure):
1875             * runtime/WeakMapData.h:
1876             (JSC::WeakMapData::createStructure):
1877     
1878     2014-06-17  Filip Pizlo  <fpizlo@apple.com>
1879     
1880             [ftlopt] PutStructure and PhantomPutStructure shouldn't leave the world in a clobbered state
1881             https://bugs.webkit.org/show_bug.cgi?id=134002
1882     
1883             Reviewed by Mark Hahnenberg.
1884             
1885             The effect of this bug was that if we had a PutStructure or PhantomPutStructure then any
1886             JSConstants would be in a Clobbered state, so we wouldn't take advantage of our knowledge
1887             of the structure if that structure was watchable.
1888             
1889             Also kill PhantomPutStructure.
1890     
1891             * dfg/DFGAbstractInterpreterInlines.h:
1892             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1893             (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
1894             (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
1895             * dfg/DFGClobberize.h:
1896             (JSC::DFG::clobberize):
1897             * dfg/DFGDoesGC.cpp:
1898             (JSC::DFG::doesGC):
1899             * dfg/DFGFixupPhase.cpp:
1900             (JSC::DFG::FixupPhase::fixupNode):
1901             * dfg/DFGGraph.cpp:
1902             (JSC::DFG::Graph::visitChildren):
1903             * dfg/DFGNode.h:
1904             (JSC::DFG::Node::hasTransition):
1905             * dfg/DFGNodeType.h:
1906             * dfg/DFGPredictionPropagationPhase.cpp:
1907             (JSC::DFG::PredictionPropagationPhase::propagate):
1908             * dfg/DFGSafeToExecute.h:
1909             (JSC::DFG::safeToExecute):
1910             * dfg/DFGSpeculativeJIT32_64.cpp:
1911             (JSC::DFG::SpeculativeJIT::compile):
1912             * dfg/DFGSpeculativeJIT64.cpp:
1913             (JSC::DFG::SpeculativeJIT::compile):
1914             * dfg/DFGStructureAbstractValue.cpp:
1915             (JSC::DFG::StructureAbstractValue::observeTransition):
1916             (JSC::DFG::StructureAbstractValue::observeTransitions):
1917             * dfg/DFGValidate.cpp:
1918             (JSC::DFG::Validate::validate):
1919             * dfg/DFGWatchableStructureWatchingPhase.cpp:
1920             (JSC::DFG::WatchableStructureWatchingPhase::run):
1921             * ftl/FTLCapabilities.cpp:
1922             (JSC::FTL::canCompile):
1923             * ftl/FTLLowerDFGToLLVM.cpp:
1924             (JSC::FTL::LowerDFGToLLVM::compileNode):
1925             (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure): Deleted.
1926     
1927     2014-06-17  Filip Pizlo  <fpizlo@apple.com>
1928     
1929             [ftlopt] DFG put_by_id should inline accesses with a slightly polymorphic base
1930             https://bugs.webkit.org/show_bug.cgi?id=133964
1931     
1932             Reviewed by Mark Hahnenberg.
1933     
1934             * bytecode/PutByIdStatus.cpp:
1935             (JSC::PutByIdStatus::appendVariant):
1936             (JSC::PutByIdStatus::computeForStubInfo):
1937             * bytecode/PutByIdVariant.cpp:
1938             (JSC::PutByIdVariant::oldStructureForTransition):
1939             (JSC::PutByIdVariant::writesStructures):
1940             (JSC::PutByIdVariant::reallocatesStorage):
1941             (JSC::PutByIdVariant::attemptToMerge):
1942             (JSC::PutByIdVariant::attemptToMergeTransitionWithReplace):
1943             (JSC::PutByIdVariant::dumpInContext):
1944             * bytecode/PutByIdVariant.h:
1945             (JSC::PutByIdVariant::PutByIdVariant):
1946             (JSC::PutByIdVariant::replace):
1947             (JSC::PutByIdVariant::transition):
1948             (JSC::PutByIdVariant::structure):
1949             (JSC::PutByIdVariant::oldStructure):
1950             * dfg/DFGAbstractInterpreterInlines.h:
1951             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1952             * dfg/DFGByteCodeParser.cpp:
1953             (JSC::DFG::ByteCodeParser::handlePutById):
1954             (JSC::DFG::ByteCodeParser::parseBlock):
1955             * dfg/DFGConstantFoldingPhase.cpp:
1956             (JSC::DFG::ConstantFoldingPhase::foldConstants):
1957             (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
1958             * dfg/DFGGraph.cpp:
1959             (JSC::DFG::Graph::visitChildren):
1960             * dfg/DFGNode.cpp:
1961             (JSC::DFG::MultiPutByOffsetData::writesStructures):
1962             (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
1963             * ftl/FTLAbbreviations.h:
1964             (JSC::FTL::getLinkage):
1965             * ftl/FTLLowerDFGToLLVM.cpp:
1966             (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
1967             (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):
1968     
1969 2014-07-25  Filip Pizlo  <fpizlo@apple.com>
1970
1971         Add an option to disable native call inlining. Disable it for now to see how it
1972         affects the bots.
1973
1974         * dfg/DFGByteCodeParser.cpp:
1975         (JSC::DFG::ByteCodeParser::handleCall):
1976         * runtime/Options.h:
1977
1978 2014-07-25  Filip Pizlo  <fpizlo@apple.com>
1979
1980         Fix cloop.
1981
1982         * dfg/DFGMayExit.cpp:
1983
1984 2014-07-25  Filip Pizlo  <fpizlo@apple.com>
1985
1986         Merge r169795, r169819, r169864, r169902, r169949, r169950, r170016, r170017, r170060, r170064 from ftlopt.
1987
1988     2014-06-17  Filip Pizlo  <fpizlo@apple.com>
1989     
1990             [ftlopt] Fold constant Phis
1991             https://bugs.webkit.org/show_bug.cgi?id=133967
1992     
1993             Reviewed by Mark Hahnenberg.
1994             
1995             It's surprising but we didn't really do this before. Or, rather, we only did it
1996             incidentally when we would likely crash if it ever happened.
1997             
1998             Making this work required cleaning up the validator a bit, so I did that too. I also added
1999             mayExit() validation for nodes that didn't have origin.forExit (i.e. nodes that end up in
2000             the Phi header of basic blocks). But this required beefing up mayExit() a bit.
2001     
2002             * dfg/DFGAbstractInterpreterInlines.h:
2003             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2004             * dfg/DFGAdjacencyList.h:
2005             (JSC::DFG::AdjacencyList::isEmpty):
2006             * dfg/DFGConstantFoldingPhase.cpp:
2007             (JSC::DFG::ConstantFoldingPhase::run):
2008             (JSC::DFG::ConstantFoldingPhase::foldConstants):
2009             (JSC::DFG::ConstantFoldingPhase::fixUpsilons):
2010             * dfg/DFGInPlaceAbstractState.h:
2011             * dfg/DFGLICMPhase.cpp:
2012             (JSC::DFG::LICMPhase::run):
2013             (JSC::DFG::LICMPhase::attemptHoist):
2014             * dfg/DFGMayExit.cpp:
2015             (JSC::DFG::mayExit):
2016             * dfg/DFGValidate.cpp:
2017             (JSC::DFG::Validate::validate):
2018             (JSC::DFG::Validate::validateSSA):
2019     
2020     2014-06-17  Filip Pizlo  <fpizlo@apple.com>
2021     
2022             [ftlopt] Get rid of NodeDoesNotExit and also get rid of StoreEliminationPhase
2023             https://bugs.webkit.org/show_bug.cgi?id=133985
2024     
2025             Reviewed by Michael Saboff and Mark Hahnenberg.
2026             
2027             Store elimination phase has never been very profitable, and now that LLVM can do dead
2028             store elimination for us, this phase is just completely pointless.
2029             
2030             This phase is also the primary user of NodeDoesNotExit, which is a flag that the CFA
2031             computes. It computes it poorly and we often get bugs in it. It's also a lot of code to
2032             maintain.
2033             
2034             This patch does introduce a new mayExit() calculator that is independent of the CFA and
2035             should be enough for most of the previous NodeDoesNotExit users. Currently it's only used
2036             for assertions in the DFG backend, but we could use it if we ever brought back any of the
2037             other optimizations that previously relied upon NodeDoesNotExit.
2038             
2039             This is performance-neutral, except for SunSpider, where it's a speed-up.
2040     
2041             * CMakeLists.txt:
2042             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2043             * JavaScriptCore.xcodeproj/project.pbxproj:
2044             * dfg/DFGAbstractInterpreter.h:
2045             (JSC::DFG::AbstractInterpreter::filterEdgeByUse):
2046             (JSC::DFG::AbstractInterpreter::filterByType):
2047             * dfg/DFGAbstractInterpreterInlines.h:
2048             (JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting):
2049             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2050             * dfg/DFGCSEPhase.cpp:
2051             (JSC::DFG::CSEPhase::CSEPhase):
2052             (JSC::DFG::CSEPhase::invalidationPointElimination):
2053             (JSC::DFG::CSEPhase::setLocalStoreElimination):
2054             (JSC::DFG::CSEPhase::performNodeCSE):
2055             (JSC::DFG::CSEPhase::performBlockCSE):
2056             (JSC::DFG::performCSE):
2057             (JSC::DFG::CSEPhase::globalVarStoreElimination): Deleted.
2058             (JSC::DFG::CSEPhase::scopedVarStoreElimination): Deleted.
2059             (JSC::DFG::CSEPhase::putStructureStoreElimination): Deleted.
2060             (JSC::DFG::CSEPhase::putByOffsetStoreElimination): Deleted.
2061             (JSC::DFG::CSEPhase::SetLocalStoreEliminationResult::SetLocalStoreEliminationResult): Deleted.
2062             (JSC::DFG::performStoreElimination): Deleted.
2063             * dfg/DFGCSEPhase.h:
2064             * dfg/DFGFixupPhase.cpp:
2065             (JSC::DFG::FixupPhase::fixupNode):
2066             * dfg/DFGGraph.cpp:
2067             (JSC::DFG::Graph::resetExitStates): Deleted.
2068             * dfg/DFGGraph.h:
2069             * dfg/DFGMayExit.cpp: Added.
2070             (JSC::DFG::mayExit):
2071             * dfg/DFGMayExit.h: Added.
2072             * dfg/DFGNode.h:
2073             (JSC::DFG::Node::mergeFlags):
2074             (JSC::DFG::Node::filterFlags):
2075             (JSC::DFG::Node::setCanExit): Deleted.
2076             (JSC::DFG::Node::canExit): Deleted.
2077             * dfg/DFGNodeFlags.cpp:
2078             (JSC::DFG::dumpNodeFlags):
2079             * dfg/DFGNodeFlags.h:
2080             * dfg/DFGNodeType.h:
2081             * dfg/DFGPlan.cpp:
2082             (JSC::DFG::Plan::compileInThreadImpl):
2083             * dfg/DFGSpeculativeJIT.cpp:
2084             (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
2085             (JSC::DFG::SpeculativeJIT::bail):
2086             (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2087             * dfg/DFGSpeculativeJIT32_64.cpp:
2088             (JSC::DFG::SpeculativeJIT::compile):
2089             * dfg/DFGSpeculativeJIT64.cpp:
2090             (JSC::DFG::SpeculativeJIT::compile):
2091     
2092     2014-06-15  Filip Pizlo  <fpizlo@apple.com>
2093     
2094             [ftlopt] Remove the DFG optimization fixpoint and remove some obvious reasons why we previously benefited from it
2095             https://bugs.webkit.org/show_bug.cgi?id=133931
2096     
2097             Reviewed by Oliver Hunt.
2098     
2099             * dfg/DFGAbstractInterpreterInlines.h:
2100             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Trigger constant-folding for GetMyArgumentByVal (which means turning it into GetLocalUnlinked) and correct the handling of Upsilon so we don't fold them away.
2101             * dfg/DFGConstantFoldingPhase.cpp:
2102             (JSC::DFG::ConstantFoldingPhase::foldConstants): Implement constant-folding for GetMyArgumentByVal.
2103             * dfg/DFGPlan.cpp:
2104             (JSC::DFG::Plan::compileInThreadImpl): Remove the fixpoint.
2105     
2106     2014-06-15  Filip Pizlo  <fpizlo@apple.com>
2107     
2108             [ftlopt] DFG OSR entry should have a crystal-clear story for when it's safe to enter at a block with a set of values
2109             https://bugs.webkit.org/show_bug.cgi?id=133935
2110     
2111             Reviewed by Oliver Hunt.
2112     
2113             * bytecode/Operands.h:
2114             (JSC::Operands::Operands):
2115             (JSC::Operands::ensureLocals):
2116             * dfg/DFGAbstractValue.cpp:
2117             (JSC::DFG::AbstractValue::filter): Now we can compute intersections of abstract values!
2118             * dfg/DFGAbstractValue.h:
2119             (JSC::DFG::AbstractValue::makeFullTop): Completeness.
2120             (JSC::DFG::AbstractValue::bytecodeTop): Completeness.
2121             (JSC::DFG::AbstractValue::fullTop): Completeness. We end up using this one.
2122             * dfg/DFGBasicBlock.cpp:
2123             (JSC::DFG::BasicBlock::BasicBlock):
2124             (JSC::DFG::BasicBlock::ensureLocals):
2125             * dfg/DFGBasicBlock.h: Remember the intersection of all things ever proven.
2126             * dfg/DFGCFAPhase.cpp:
2127             (JSC::DFG::CFAPhase::run): Compute the intersection.
2128             * dfg/DFGConstantFoldingPhase.cpp:
2129             (JSC::DFG::ConstantFoldingPhase::foldConstants): No need for the weirdo merge check since this fixes the root of the problem.
2130             * dfg/DFGGraph.cpp:
2131             (JSC::DFG::Graph::dumpBlockHeader): Better dumping.
2132             (JSC::DFG::Graph::dump): Better dumping.
2133             * dfg/DFGJITCompiler.h:
2134             (JSC::DFG::JITCompiler::noticeOSREntry): Use the intersected abstract value.
2135             * dfg/DFGSpeculativeJIT.cpp:
2136             (JSC::DFG::SpeculativeJIT::compileCurrentBlock): Assert if the intersected state indicates the block shouldn't execute.
2137     
2138     2014-06-12  Filip Pizlo  <fpizlo@apple.com>
2139     
2140             [ftlopt] A DFG inlined ById access variant should not speak of a chain, but only of what structures to test the base for, whether to use a constant as an alternate base for the actual access, and what structures to check on what additional cell constants
2141             https://bugs.webkit.org/show_bug.cgi?id=133821
2142     
2143             Reviewed by Mark Hahnenberg.
2144             
2145             This allows us to efficiently cache accesses that differ only in the prototypes on the path
2146             from the base to the prototype that has the field.
2147             
2148             It also simplifies a bunch of code - IntendedStructureChain is now just an intermediate
2149             data structure.
2150     
2151             * CMakeLists.txt:
2152             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2153             * JavaScriptCore.xcodeproj/project.pbxproj:
2154             * bytecode/ConstantStructureCheck.cpp: Added.
2155             (JSC::ConstantStructureCheck::dumpInContext):
2156             (JSC::ConstantStructureCheck::dump):
2157             (JSC::structureFor):
2158             (JSC::areCompatible):
2159             (JSC::mergeInto):
2160             * bytecode/ConstantStructureCheck.h: Added.
2161             (JSC::ConstantStructureCheck::ConstantStructureCheck):
2162             (JSC::ConstantStructureCheck::operator!):
2163             (JSC::ConstantStructureCheck::constant):
2164             (JSC::ConstantStructureCheck::structure):
2165             * bytecode/GetByIdStatus.cpp:
2166             (JSC::GetByIdStatus::computeForStubInfo):
2167             * bytecode/GetByIdVariant.cpp:
2168             (JSC::GetByIdVariant::GetByIdVariant):
2169             (JSC::GetByIdVariant::operator=):
2170             (JSC::GetByIdVariant::attemptToMerge):
2171             (JSC::GetByIdVariant::dumpInContext):
2172             * bytecode/GetByIdVariant.h:
2173             (JSC::GetByIdVariant::constantChecks):
2174             (JSC::GetByIdVariant::alternateBase):
2175             (JSC::GetByIdVariant::GetByIdVariant): Deleted.
2176             (JSC::GetByIdVariant::chain): Deleted.
2177             * bytecode/PutByIdVariant.cpp:
2178             (JSC::PutByIdVariant::dumpInContext):
2179             * bytecode/PutByIdVariant.h:
2180             (JSC::PutByIdVariant::transition):
2181             (JSC::PutByIdVariant::constantChecks):
2182             (JSC::PutByIdVariant::structureChain): Deleted.
2183             * dfg/DFGAbstractInterpreterInlines.h:
2184             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2185             * dfg/DFGByteCodeParser.cpp:
2186             (JSC::DFG::ByteCodeParser::emitChecks):
2187             (JSC::DFG::ByteCodeParser::handleGetById):
2188             (JSC::DFG::ByteCodeParser::handlePutById):
2189             (JSC::DFG::ByteCodeParser::cellConstantWithStructureCheck): Deleted.
2190             (JSC::DFG::ByteCodeParser::structureChainIsStillValid): Deleted.
2191             (JSC::DFG::ByteCodeParser::emitPrototypeChecks): Deleted.
2192             * dfg/DFGConstantFoldingPhase.cpp:
2193             (JSC::DFG::ConstantFoldingPhase::foldConstants):
2194             (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
2195             (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
2196             (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
2197             * dfg/DFGDesiredStructureChains.cpp: Removed.
2198             * dfg/DFGDesiredStructureChains.h: Removed.
2199             * dfg/DFGGraph.h:
2200             (JSC::DFG::Graph::watchpoints):
2201             (JSC::DFG::Graph::chains): Deleted.
2202             * dfg/DFGPlan.cpp:
2203             (JSC::DFG::Plan::isStillValid):
2204             (JSC::DFG::Plan::checkLivenessAndVisitChildren):
2205             (JSC::DFG::Plan::cancel):
2206             * dfg/DFGPlan.h:
2207             * ftl/FTLLowerDFGToLLVM.cpp:
2208             (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
2209             * runtime/IntendedStructureChain.cpp:
2210             (JSC::IntendedStructureChain::gatherChecks):
2211             * runtime/IntendedStructureChain.h:
2212             (JSC::IntendedStructureChain::at):
2213             (JSC::IntendedStructureChain::operator[]):
2214     
2215     2014-06-12  Filip Pizlo  <fpizlo@apple.com>
2216     
2217             [ftlopt] Constant folding and strength reduction should work in SSA
2218             https://bugs.webkit.org/show_bug.cgi?id=133839
2219     
2220             Reviewed by Oliver Hunt.
2221     
2222             * dfg/DFGAtTailAbstractState.cpp:
2223             (JSC::DFG::AtTailAbstractState::AtTailAbstractState):
2224             (JSC::DFG::AtTailAbstractState::forNode):
2225             * dfg/DFGAtTailAbstractState.h:
2226             * dfg/DFGConstantFoldingPhase.cpp:
2227             (JSC::DFG::ConstantFoldingPhase::foldConstants):
2228             * dfg/DFGGraph.cpp:
2229             (JSC::DFG::Graph::convertToConstant):
2230             * dfg/DFGIntegerCheckCombiningPhase.cpp:
2231             (JSC::DFG::IntegerCheckCombiningPhase::rangeKeyAndAddend): Fix an unrelated regression that this uncovered.
2232             * dfg/DFGLICMPhase.cpp:
2233             (JSC::DFG::LICMPhase::LICMPhase):
2234             * dfg/DFGPlan.cpp:
2235             (JSC::DFG::Plan::compileInThreadImpl):
2236     
2237     2014-06-11  Filip Pizlo  <fpizlo@apple.com>
2238     
2239             [ftlopt] DFG get_by_id should inline chain accesses with a slightly polymorphic base
2240             https://bugs.webkit.org/show_bug.cgi?id=133751
2241     
2242             Reviewed by Mark Hahnenberg.
2243     
2244             * bytecode/GetByIdStatus.cpp:
2245             (JSC::GetByIdStatus::appendVariant):
2246             (JSC::GetByIdStatus::computeForStubInfo):
2247             * bytecode/GetByIdVariant.cpp:
2248             (JSC::GetByIdVariant::attemptToMerge):
2249             * bytecode/GetByIdVariant.h:
2250             * bytecode/PutByIdStatus.cpp:
2251             (JSC::PutByIdStatus::computeFor):
2252             * dfg/DFGByteCodeParser.cpp:
2253             (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
2254             (JSC::DFG::ByteCodeParser::handleGetById):
2255             (JSC::DFG::ByteCodeParser::handlePutById):
2256             * runtime/IntendedStructureChain.cpp:
2257             (JSC::IntendedStructureChain::IntendedStructureChain):
2258             (JSC::IntendedStructureChain::isStillValid):
2259             (JSC::IntendedStructureChain::isNormalized):
2260             (JSC::IntendedStructureChain::terminalPrototype):
2261             (JSC::IntendedStructureChain::operator==):
2262             (JSC::IntendedStructureChain::visitChildren):
2263             (JSC::IntendedStructureChain::dumpInContext):
2264             (JSC::IntendedStructureChain::chain): Deleted.
2265             * runtime/IntendedStructureChain.h:
2266             (JSC::IntendedStructureChain::prototype):
2267             (JSC::IntendedStructureChain::operator!=):
2268             (JSC::IntendedStructureChain::head): Deleted.
2269     
2270     2014-06-11  Matthew Mirman  <mmirman@apple.com>
2271     
2272            Re-added native calling to the FTL and split the DFG nodes
2273            Call and Construct into NativeCall and NativeConstruct
2274            to better represent their semantics.
2275            https://bugs.webkit.org/show_bug.cgi?id=133660
2276     
2277            Reviewed by Filip Pizlo.
2278     
2279            * dfg/DFGAbstractInterpreterInlines.h:
2280            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2281            Added NativeCall and NativeConstruct case.
2282            * dfg/DFGByteCodeParser.cpp:
2283            (JSC::DFG::ByteCodeParser::addCall): added NativeCall case. 
2284            (JSC::DFG::ByteCodeParser::handleCall): 
2285            set to return NativeCall or NativeConstruct instead of Call or Construct
2286            in the presence of a native function.
2287            * dfg/DFGClobberize.h:
2288            (JSC::DFG::clobberize): added NativeCall and NativeConstruct case.
2289            * dfg/DFGDoesGC.cpp:
2290            (JSC::DFG::doesGC): added NativeCall and NativeConstruct case.
2291            * dfg/DFGFixupPhase.cpp:
2292            (JSC::DFG::FixupPhase::fixupNode): added NativeCall and NativeConstruct case.
2293            * dfg/DFGNode.h:
2294            (JSC::DFG::Node::hasHeapPrediction): added NativeCall and NativeConstruct case.
2295            (JSC::DFG::Node::canBeKnownFunction): changed to NativeCall and NativeConstruct.
2296            (JSC::DFG::Node::hasKnownFunction): changed to NativeCall and NativeConstruct.
2297            * dfg/DFGNodeType.h: added NativeCall and NativeConstruct.
2298            * dfg/DFGPredictionPropagationPhase.cpp:
2299            (JSC::DFG::PredictionPropagationPhase::propagate): added NativeCall and NativeConstruct case.
2300            * dfg/DFGSafeToExecute.h:
2301            (JSC::DFG::safeToExecute): added NativeCall and NativeConstruct case.
2302            * dfg/DFGSpeculativeJIT32_64.cpp:
2303            (JSC::DFG::SpeculativeJIT::emitCall): ditto
2304            (JSC::DFG::SpeculativeJIT::compile): ditto
2305            * dfg/DFGSpeculativeJIT64.cpp:
2306            (JSC::DFG::SpeculativeJIT::emitCall): ditto
2307            (JSC::DFG::SpeculativeJIT::compile): ditto
2308            * ftl/FTLCapabilities.cpp:
2309            (JSC::FTL::canCompile): ditto
2310            * ftl/FTLLowerDFGToLLVM.cpp:  
2311            (JSC::FTL::LowerDFGToLLVM::lower): ditto
2312            (JSC::FTL::LowerDFGToLLVM::compileNode): ditto.
2313            (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct): Added.
2314            (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct): removed NativeCall and NativeConstruct functionality.
2315            (JSC::FTL::LowerDFGToLLVM::didOverflowStack): added NativeCall and NativeConstruct case.
2316            * runtime/JSCJSValue.h: added JS_EXPORT_PRIVATE to toInteger as it is apparently needed.
2317            
2318     2014-06-11  Matthew Mirman  <mmirman@apple.com>
2319     
2320             Ensured Native Calls and Construct and associated checks 
2321             are only emitted during ftl mode.
2322             https://bugs.webkit.org/show_bug.cgi?id=133718
2323             
2324             Reviewed by Filip Pizlo.
2325             
2326             * dfg/DFGByteCodeParser.cpp:
2327             (JSC::DFG::ByteCodeParser::handleCall): Added check for ftl mode 
2328             before attaching the native function to Call or Construct.
2329             
2330     2014-06-10  Filip Pizlo  <fpizlo@apple.com>
2331     
2332             [ftlopt] DFG should use its own notion of JSValue, which we should call FrozenValue, that will carry around a copy of its structure
2333             https://bugs.webkit.org/show_bug.cgi?id=133426
2334     
2335             Reviewed by Geoffrey Garen.
2336             
2337             The impetus for this was to provide some sense and reason to race conditions arising from
2338             cell constants having their structure changed on the main thread - this is harmless because
2339             we defend against it, but when it goes wrong, it can be difficult to reproduce because it
2340             requires a race. Giving the DFG the ability to "freeze" a cell's structure fixes this.
2341             
2342             But this patch goes quite a bit further, and completely rationalizes how the DFG reasons
2343             about constants. It no longer relies on the CodeBlock constant pool at all, which allows
2344             for a more object-oriented approach: for example a Node that has a constant can tell you
2345             what constant it has without needing a CodeBlock.
2346     
2347             * CMakeLists.txt:
2348             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2349             * JavaScriptCore.xcodeproj/project.pbxproj:
2350             * bytecode/CallLinkStatus.cpp:
2351             (JSC::CallLinkStatus::computeExitSiteData):
2352             * bytecode/ExitKind.cpp:
2353             (JSC::exitKindToString):
2354             (JSC::exitKindIsCountable):
2355             * bytecode/ExitKind.h:
2356             (JSC::isWatchpoint): Deleted.
2357             * bytecode/GetByIdStatus.cpp:
2358             (JSC::GetByIdStatus::hasExitSite):
2359             * bytecode/PutByIdStatus.cpp:
2360             (JSC::PutByIdStatus::hasExitSite):
2361             * dfg/DFGAbstractInterpreter.h:
2362             (JSC::DFG::AbstractInterpreter::filterByValue):
2363             (JSC::DFG::AbstractInterpreter::setBuiltInConstant):
2364             (JSC::DFG::AbstractInterpreter::setConstant):
2365             * dfg/DFGAbstractInterpreterInlines.h:
2366             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2367             (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterByValue):
2368             * dfg/DFGAbstractValue.cpp:
2369             (JSC::DFG::AbstractValue::setOSREntryValue):
2370             (JSC::DFG::AbstractValue::set):
2371             (JSC::DFG::AbstractValue::filterByValue):
2372             (JSC::DFG::AbstractValue::setMostSpecific): Deleted.
2373             * dfg/DFGAbstractValue.h:
2374             * dfg/DFGArgumentsSimplificationPhase.cpp:
2375             (JSC::DFG::ArgumentsSimplificationPhase::run):
2376             * dfg/DFGBackwardsPropagationPhase.cpp:
2377             (JSC::DFG::BackwardsPropagationPhase::isNotNegZero):
2378             (JSC::DFG::BackwardsPropagationPhase::isNotPosZero):
2379             (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwoForConstant):
2380             (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
2381             * dfg/DFGByteCodeParser.cpp:
2382             (JSC::DFG::ByteCodeParser::ByteCodeParser):
2383             (JSC::DFG::ByteCodeParser::getDirect):
2384             (JSC::DFG::ByteCodeParser::get):
2385             (JSC::DFG::ByteCodeParser::getLocal):
2386             (JSC::DFG::ByteCodeParser::setLocal):
2387             (JSC::DFG::ByteCodeParser::setArgument):
2388             (JSC::DFG::ByteCodeParser::jsConstant):
2389             (JSC::DFG::ByteCodeParser::weakJSConstant):
2390             (JSC::DFG::ByteCodeParser::cellConstantWithStructureCheck):
2391             (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand):
2392             (JSC::DFG::ByteCodeParser::handleCall):
2393             (JSC::DFG::ByteCodeParser::emitFunctionChecks):
2394             (JSC::DFG::ByteCodeParser::handleInlining):
2395             (JSC::DFG::ByteCodeParser::handleMinMax):
2396             (JSC::DFG::ByteCodeParser::handleIntrinsic):
2397             (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2398             (JSC::DFG::ByteCodeParser::handleGetById):
2399             (JSC::DFG::ByteCodeParser::prepareToParseBlock):
2400             (JSC::DFG::ByteCodeParser::parseBlock):
2401             (JSC::DFG::ByteCodeParser::buildOperandMapsIfNecessary):
2402             (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2403             (JSC::DFG::ByteCodeParser::parseCodeBlock):
2404             (JSC::DFG::ByteCodeParser::addConstant): Deleted.
2405             (JSC::DFG::ByteCodeParser::getJSConstantForValue): Deleted.
2406             (JSC::DFG::ByteCodeParser::getJSConstant): Deleted.
2407             (JSC::DFG::ByteCodeParser::isJSConstant): Deleted.
2408             (JSC::DFG::ByteCodeParser::isInt32Constant): Deleted.
2409             (JSC::DFG::ByteCodeParser::valueOfJSConstant): Deleted.
2410             (JSC::DFG::ByteCodeParser::valueOfInt32Constant): Deleted.
2411             (JSC::DFG::ByteCodeParser::constantUndefined): Deleted.
2412             (JSC::DFG::ByteCodeParser::constantNull): Deleted.
2413             (JSC::DFG::ByteCodeParser::one): Deleted.
2414             (JSC::DFG::ByteCodeParser::constantNaN): Deleted.
2415             (JSC::DFG::ByteCodeParser::cellConstant): Deleted.
2416             (JSC::DFG::ByteCodeParser::inferredConstant): Deleted.
2417             (JSC::DFG::ByteCodeParser::ConstantRecord::ConstantRecord): Deleted.
2418             * dfg/DFGCFGSimplificationPhase.cpp:
2419             (JSC::DFG::CFGSimplificationPhase::run):
2420             * dfg/DFGCSEPhase.cpp:
2421             (JSC::DFG::CSEPhase::constantCSE):
2422             (JSC::DFG::CSEPhase::checkFunctionElimination):
2423             (JSC::DFG::CSEPhase::performNodeCSE):
2424             (JSC::DFG::CSEPhase::weakConstantCSE): Deleted.
2425             * dfg/DFGClobberize.h:
2426             (JSC::DFG::clobberize):
2427             * dfg/DFGCommon.h:
2428             * dfg/DFGConstantFoldingPhase.cpp:
2429             (JSC::DFG::ConstantFoldingPhase::foldConstants):
2430             (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
2431             (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
2432             * dfg/DFGDoesGC.cpp:
2433             (JSC::DFG::doesGC):
2434             * dfg/DFGFixupPhase.cpp:
2435             (JSC::DFG::FixupPhase::fixupNode):
2436             (JSC::DFG::FixupPhase::fixupMakeRope):
2437             (JSC::DFG::FixupPhase::truncateConstantToInt32):
2438             (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
2439             (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
2440             * dfg/DFGFrozenValue.cpp: Added.
2441             (JSC::DFG::FrozenValue::emptySingleton):
2442             (JSC::DFG::FrozenValue::dumpInContext):
2443             (JSC::DFG::FrozenValue::dump):
2444             * dfg/DFGFrozenValue.h: Added.
2445             (JSC::DFG::FrozenValue::FrozenValue):
2446             (JSC::DFG::FrozenValue::operator!):
2447             (JSC::DFG::FrozenValue::value):
2448             (JSC::DFG::FrozenValue::structure):
2449             (JSC::DFG::FrozenValue::strengthenTo):
2450             (JSC::DFG::FrozenValue::strength):
2451             (JSC::DFG::FrozenValue::freeze):
2452             * dfg/DFGGraph.cpp:
2453             (JSC::DFG::Graph::Graph):
2454             (JSC::DFG::Graph::dump):
2455             (JSC::DFG::Graph::tryGetActivation):
2456             (JSC::DFG::Graph::tryGetFoldableView):
2457             (JSC::DFG::Graph::registerFrozenValues):
2458             (JSC::DFG::Graph::visitChildren):
2459             (JSC::DFG::Graph::freezeFragile):
2460             (JSC::DFG::Graph::freeze):
2461             (JSC::DFG::Graph::freezeStrong):
2462             (JSC::DFG::Graph::convertToConstant):
2463             (JSC::DFG::Graph::convertToStrongConstant):
2464             (JSC::DFG::Graph::assertIsWatched):
2465             * dfg/DFGGraph.h:
2466             (JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
2467             (JSC::DFG::Graph::convertToConstant): Deleted.
2468             (JSC::DFG::Graph::constantRegisterForConstant): Deleted.
2469             (JSC::DFG::Graph::getJSConstantSpeculation): Deleted.
2470             (JSC::DFG::Graph::isConstant): Deleted.
2471             (JSC::DFG::Graph::isJSConstant): Deleted.
2472             (JSC::DFG::Graph::isInt32Constant): Deleted.
2473             (JSC::DFG::Graph::isDoubleConstant): Deleted.
2474             (JSC::DFG::Graph::isNumberConstant): Deleted.
2475             (JSC::DFG::Graph::isBooleanConstant): Deleted.
2476             (JSC::DFG::Graph::isCellConstant): Deleted.
2477             (JSC::DFG::Graph::isFunctionConstant): Deleted.
2478             (JSC::DFG::Graph::isInternalFunctionConstant): Deleted.
2479             (JSC::DFG::Graph::valueOfJSConstant): Deleted.
2480             (JSC::DFG::Graph::valueOfInt32Constant): Deleted.
2481             (JSC::DFG::Graph::valueOfNumberConstant): Deleted.
2482             (JSC::DFG::Graph::valueOfBooleanConstant): Deleted.
2483             (JSC::DFG::Graph::valueOfFunctionConstant): Deleted.
2484             (JSC::DFG::Graph::mulImmediateShouldSpeculateInt32): Deleted.
2485             * dfg/DFGInPlaceAbstractState.cpp:
2486             (JSC::DFG::InPlaceAbstractState::initialize):
2487             * dfg/DFGInsertionSet.h:
2488             (JSC::DFG::InsertionSet::insertConstant):
2489             (JSC::DFG::InsertionSet::insertConstantForUse):
2490             * dfg/DFGIntegerCheckCombiningPhase.cpp:
2491             (JSC::DFG::IntegerCheckCombiningPhase::rangeKeyAndAddend):
2492             * dfg/DFGJITCompiler.cpp:
2493             (JSC::DFG::JITCompiler::link):
2494             * dfg/DFGLazyJSValue.cpp:
2495             (JSC::DFG::LazyJSValue::getValue):
2496             (JSC::DFG::LazyJSValue::strictEqual):
2497             (JSC::DFG::LazyJSValue::dumpInContext):
2498             * dfg/DFGLazyJSValue.h:
2499             (JSC::DFG::LazyJSValue::LazyJSValue):
2500             (JSC::DFG::LazyJSValue::tryGetValue):
2501             (JSC::DFG::LazyJSValue::value):
2502             (JSC::DFG::LazyJSValue::switchLookupValue):
2503             * dfg/DFGMinifiedNode.cpp:
2504             (JSC::DFG::MinifiedNode::fromNode):
2505             * dfg/DFGMinifiedNode.h:
2506             (JSC::DFG::belongsInMinifiedGraph):
2507             (JSC::DFG::MinifiedNode::hasConstant):
2508             (JSC::DFG::MinifiedNode::constant):
2509             (JSC::DFG::MinifiedNode::hasConstantNumber): Deleted.
2510             (JSC::DFG::MinifiedNode::constantNumber): Deleted.
2511             (JSC::DFG::MinifiedNode::hasWeakConstant): Deleted.
2512             (JSC::DFG::MinifiedNode::weakConstant): Deleted.
2513             * dfg/DFGNode.h:
2514             (JSC::DFG::Node::hasConstant):
2515             (JSC::DFG::Node::constant):
2516             (JSC::DFG::Node::convertToConstant):
2517             (JSC::DFG::Node::asJSValue):
2518             (JSC::DFG::Node::isInt32Constant):
2519             (JSC::DFG::Node::asInt32):
2520             (JSC::DFG::Node::asUInt32):
2521             (JSC::DFG::Node::isDoubleConstant):
2522             (JSC::DFG::Node::isNumberConstant):
2523             (JSC::DFG::Node::asNumber):
2524             (JSC::DFG::Node::isMachineIntConstant):
2525             (JSC::DFG::Node::asMachineInt):
2526             (JSC::DFG::Node::isBooleanConstant):
2527             (JSC::DFG::Node::asBoolean):
2528             (JSC::DFG::Node::isCellConstant):
2529             (JSC::DFG::Node::asCell):
2530             (JSC::DFG::Node::dynamicCastConstant):
2531             (JSC::DFG::Node::function):
2532             (JSC::DFG::Node::isWeakConstant): Deleted.
2533             (JSC::DFG::Node::constantNumber): Deleted.
2534             (JSC::DFG::Node::convertToWeakConstant): Deleted.
2535             (JSC::DFG::Node::weakConstant): Deleted.
2536             (JSC::DFG::Node::valueOfJSConstant): Deleted.
2537             * dfg/DFGNodeType.h:
2538             * dfg/DFGOSRExitCompiler.cpp:
2539             * dfg/DFGPredictionPropagationPhase.cpp:
2540             (JSC::DFG::PredictionPropagationPhase::propagate):
2541             * dfg/DFGSafeToExecute.h:
2542             (JSC::DFG::safeToExecute):
2543             * dfg/DFGSpeculativeJIT.cpp:
2544             (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
2545             (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
2546             (JSC::DFG::SpeculativeJIT::silentFill):
2547             (JSC::DFG::SpeculativeJIT::compileIn):
2548             (JSC::DFG::SpeculativeJIT::compilePeepHoleBooleanBranch):
2549             (JSC::DFG::SpeculativeJIT::compilePeepHoleInt32Branch):
2550             (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2551             (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2552             (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
2553             (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
2554             (JSC::DFG::SpeculativeJIT::compileAdd):
2555             (JSC::DFG::SpeculativeJIT::compileArithSub):
2556             (JSC::DFG::SpeculativeJIT::compileArithMod):
2557             * dfg/DFGSpeculativeJIT.h:
2558             (JSC::DFG::SpeculativeJIT::valueOfJSConstantAsImm64):
2559             (JSC::DFG::SpeculativeJIT::initConstantInfo):
2560             (JSC::DFG::SpeculativeJIT::isConstant): Deleted.
2561             (JSC::DFG::SpeculativeJIT::isJSConstant): Deleted.
2562             (JSC::DFG::SpeculativeJIT::isInt32Constant): Deleted.
2563             (JSC::DFG::SpeculativeJIT::isDoubleConstant): Deleted.
2564             (JSC::DFG::SpeculativeJIT::isNumberConstant): Deleted.
2565             (JSC::DFG::SpeculativeJIT::isBooleanConstant): Deleted.
2566             (JSC::DFG::SpeculativeJIT::isFunctionConstant): Deleted.
2567             (JSC::DFG::SpeculativeJIT::valueOfInt32Constant): Deleted.
2568             (JSC::DFG::SpeculativeJIT::valueOfNumberConstant): Deleted.
2569             (JSC::DFG::SpeculativeJIT::addressOfDoubleConstant): Deleted.
2570             (JSC::DFG::SpeculativeJIT::valueOfJSConstant): Deleted.
2571             (JSC::DFG::SpeculativeJIT::valueOfBooleanConstant): Deleted.
2572             (JSC::DFG::SpeculativeJIT::valueOfFunctionConstant): Deleted.
2573             (JSC::DFG::SpeculativeJIT::isNullConstant): Deleted.
2574             (JSC::DFG::SpeculativeJIT::isInteger): Deleted.
2575             * dfg/DFGSpeculativeJIT32_64.cpp:
2576             (JSC::DFG::SpeculativeJIT::fillJSValue):
2577             (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2578             (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2579             (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2580             (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2581             (JSC::DFG::SpeculativeJIT::compile):
2582             * dfg/DFGSpeculativeJIT64.cpp:
2583             (JSC::DFG::SpeculativeJIT::fillJSValue):
2584             (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2585             (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
2586             (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2587             (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2588             (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2589             (JSC::DFG::SpeculativeJIT::compile):
2590             * dfg/DFGStrengthReductionPhase.cpp:
2591             (JSC::DFG::StrengthReductionPhase::handleNode):
2592             * dfg/DFGValidate.cpp:
2593             (JSC::DFG::Validate::validate):
2594             * dfg/DFGValueStrength.cpp: Added.
2595             (WTF::printInternal):
2596             * dfg/DFGValueStrength.h: Added.
2597             (JSC::DFG::merge):
2598             * dfg/DFGVariableEventStream.cpp:
2599             (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
2600             (JSC::DFG::VariableEventStream::reconstruct):
2601             * dfg/DFGVariableEventStream.h:
2602             * dfg/DFGWatchableStructureWatchingPhase.cpp:
2603             (JSC::DFG::WatchableStructureWatchingPhase::run):
2604             (JSC::DFG::WatchableStructureWatchingPhase::tryWatch):
2605             * dfg/DFGWatchpointCollectionPhase.cpp:
2606             (JSC::DFG::WatchpointCollectionPhase::handle):
2607             * ftl/FTLCapabilities.cpp:
2608             (JSC::FTL::canCompile):
2609             * ftl/FTLLink.cpp:
2610             (JSC::FTL::link):
2611             * ftl/FTLLowerDFGToLLVM.cpp:
2612             (JSC::FTL::LowerDFGToLLVM::compileNode):
2613             (JSC::FTL::LowerDFGToLLVM::compileDoubleConstant):
2614             (JSC::FTL::LowerDFGToLLVM::compileInt52Constant):
2615             (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
2616             (JSC::FTL::LowerDFGToLLVM::compileCheckFunction):
2617             (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
2618             (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
2619             (JSC::FTL::LowerDFGToLLVM::lowInt32):
2620             (JSC::FTL::LowerDFGToLLVM::lowCell):
2621             (JSC::FTL::LowerDFGToLLVM::lowBoolean):
2622             (JSC::FTL::LowerDFGToLLVM::lowJSValue):
2623             (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
2624             (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant): Deleted.
2625             * ftl/FTLOSRExitCompiler.cpp:
2626             (JSC::FTL::compileStub):
2627             * runtime/JSCJSValue.cpp:
2628             (JSC::JSValue::dumpInContext):
2629             (JSC::JSValue::dumpInContextAssumingStructure):
2630             * runtime/JSCJSValue.h:
2631     
2632 2014-07-24  Brent Fulgham  <bfulgham@apple.com>
2633
2634         [Win] Correct build order in JavaScriptCore.submit.sln
2635         https://bugs.webkit.org/show_bug.cgi?id=135282
2636         <rdar://problem/17805592>
2637
2638         Unreviewed build fix.
2639
2640         * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: Correct build order
2641         such that LLIntDesiredOffset is built prior to the rest of JSC.
2642
2643 2014-07-24  Mark Lam  <mark.lam@apple.com>
2644
2645         JSWrapperMap's jsWrapperForObject() needs to keep weak prototype and constructors from being GCed.
2646         <https://webkit.org/b/135258>
2647
2648         Reviewed by Mark Hahnenberg.
2649
2650         Where needed, we cache the prototype object pointer in a stack local var.
2651         This allows it to be scanned by the GC, and hence be kept alive until
2652         we use it.  The constructor object will in turn be kept alive by the
2653         prototype object.
2654
2655         Also added some comments to warn against future code additions that could
2656         regress this issue.
2657
2658         * API/JSWrapperMap.mm:
2659         (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
2660         (-[JSObjCClassInfo reallocateConstructorAndOrPrototype]):
2661         (-[JSObjCClassInfo wrapperForObject:]):
2662         (-[JSObjCClassInfo constructor]):
2663
2664 2014-07-24  Joseph Pecoraro  <pecoraro@apple.com>
2665
2666         JSLock release should only modify the AtomicStringTable if it modified in acquire
2667         https://bugs.webkit.org/show_bug.cgi?id=135143
2668
2669         Reviewed by Darin Adler.
2670
2671         * runtime/JSLock.cpp:
2672         (JSC::JSLock::JSLock):
2673         Initialize the member variable to nullptr.
2674
2675         (JSC::JSLock::willDestroyVM):
2676         Update style to use nullptr instead of 0.
2677
2678         (JSC::JSLock::willReleaseLock):
2679         We should only reset the thread data's atomic string table if
2680         didAcquireLock changed it. m_entryAtomicStringTable will have
2681         been set by didAcquireLock if it changed, or nullptr if it didn't.
2682         This way we are sure we are balanced, regardless of m_vm changes.
2683
2684 2014-07-24  Peyton Randolph  <prandolph@apple.com>
2685
2686         Rename feature flag for long-press gesture on Mac.
2687         https://bugs.webkit.org/show_bug.cgi?id=135259
2688
2689         Reviewed by Beth Dakin.
2690
2691         * Configurations/FeatureDefines.xcconfig:
2692         Rename LINK_LONG_PRESS to MAC_LONG_PRESS.
2693
2694 2014-07-24  Commit Queue  <commit-queue@webkit.org>
2695
2696         Unreviewed, rolling out r171527.
2697         https://bugs.webkit.org/show_bug.cgi?id=135265
2698
2699         Breaks JSC API tests (Requested by mlam on #webkit).
2700
2701         Reverted changeset:
2702
2703         "JSWrapperMap's jsWrapperForObject() needs to defer GC."
2704         https://bugs.webkit.org/show_bug.cgi?id=135258
2705         http://trac.webkit.org/changeset/171527
2706
2707 2014-07-24  Mark Hahnenberg  <mhahnenberg@apple.com>
2708
2709         Creating a JSGlobalObject with a custom JSClassRef results in a JSProxy with the wrong prototype
2710         https://bugs.webkit.org/show_bug.cgi?id=135250
2711
2712         Reviewed by Geoffrey Garen.
2713
2714         JSGlobalObject::resetPrototype (which is called from JSGlobalContextCreateInGroup) doesn't change its 
2715         JSProxy's prototype as well. This results in a JSProxy where no properties in the original prototype 
2716         chain (as created from the JSClassRef hierarchy) are accessible. Changing resetPrototype to also change
2717         the JSProxy's prototype fixes the issue.
2718
2719         * API/JSValueRef.cpp:
2720         (JSValueIsObjectOfClass): Also fixed a bug where a JSProxy for a JSGlobalObject with a custom JSClassRef
2721         would claim it wasn't of the specified class, even if the target was of the specified class.
2722         * API/tests/CustomGlobalObjectClassTest.c: Added.
2723         (jsDoSomething):
2724         (customGlobalObjectClassTest):
2725         * API/tests/CustomGlobalObjectClassTest.h: Added.
2726         * API/tests/testapi.c:
2727         (assertTrue):
2728         (main):
2729         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
2730         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters:
2731         * JavaScriptCore.xcodeproj/project.pbxproj:
2732         * runtime/JSGlobalObject.cpp:
2733         (JSC::JSGlobalObject::resetPrototype):
2734
2735 2014-07-24  Brian J. Burg  <burg@cs.washington.edu>
2736
2737         Web Replay: don't encode/decode primitive types that lack explicit sizes
2738         https://bugs.webkit.org/show_bug.cgi?id=133430
2739
2740         Reviewed by Anders Carlsson.
2741
2742         Don't support encode/decode of unsigned long, since its size is compiler-dependent.
2743
2744         * replay/EncodedValue.cpp:
2745         (JSC::EncodedValue::convertTo<unsigned long>):
2746         (JSC::unsigned long>::encodeValue): Deleted.
2747         * replay/EncodedValue.h:
2748
2749 2014-07-24  Mark Lam  <mark.lam@apple.com>
2750
2751         JSWrapperMap's jsWrapperForObject() needs to defer GC.
2752         <https://webkit.org/b/135258>
2753
2754         Reviewed by Oliver Hunt.
2755
2756         In the process of creating a JS wrapper, jsWrapperForObject() will create
2757         the prototype and constructor of the corresponding ObjC class, as well as
2758         for classes in its inheritance chain.  These prototypes and constructors
2759         are stored in Weak references in the JSObjCClassInfo objects.  During all
2760         the allocation that is being done to create all the prototypes and
2761         constructors as well as the wrapper objects, a GC may occur thereby
2762         collecting one or more of these newly created prototype and constructor
2763         objects.
2764
2765         One example of where this problem can manifest is in wrapperForObject()
2766         which is called from jsWrapperForObject().  In wrapperForObject(), we do
2767         the following steps:
2768
2769         1. reallocateConstructorAndOrPrototype() which creates the prototype
2770            object and stores it in JSObjCClassInfo's m_prototype, which is a Weak
2771            ref.
2772         2. makeWrapper() to create the wrapper object, which may trigger a GC.
2773            GC will collect the prototype object and nullify the corresponding
2774            JSObjCClassInfo's m_prototype Weak ref.
2775         3. call JSObjectSetPrototype() to set the JSObjCClassInfo's m_prototype
2776            in the newly created wrapper.  This results in the wrapper getting a
2777            jsNull as a prototype instead of the expected prototype object.
2778
2779         To ensure that the prototype and constructor objects are retained until
2780         they can be referenced properly from the wrapper object,
2781         jsWrapperForObject() should defer GC until it's done with its work.
2782
2783         * API/JSWrapperMap.mm:
2784         (-[JSWrapperMap jsWrapperForObject:]):
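
The hazard this entry describes (and that the later 135258 entry above fixes with a stack-local strong reference) reduced to a toy mark-and-sweep heap. This is an added example, not code from the WebKit tree: ToyHeap, Weak, DeferGC and buildWrapper() are constructed stand-ins for JSC's Heap, Weak<>, DeferGC and the wrapperForObject() steps. It shows the three steps failing when the prototype is held only weakly and an allocation collects, and succeeding under either remedy: deferring GC across the work (this entry) or keeping a stack-local strong reference (the follow-up).

```cpp
#include <algorithm>
#include <cstddef>
#include <memory>
#include <vector>

// Toy mark-and-sweep heap, constructed for this example; it is not JSC's Heap.
// It reproduces only what matters here: any allocation may run a collection,
// and a collection clears weak handles to objects unreachable from a root.
struct Object {
    bool marked = false;
    Object* prototype = nullptr; // strong edge, traced by the collector
};

struct Weak {
    Object* target = nullptr; // nulled by the collector when the target dies
};

class ToyHeap {
public:
    explicit ToyHeap(std::size_t threshold) : threshold_(threshold) {}

    // Collects first once the heap reaches its threshold, as a real GC would.
    Object* allocate() {
        if (deferCount_ == 0 && objects_.size() >= threshold_)
            collect();
        objects_.push_back(std::unique_ptr<Object>(new Object));
        return objects_.back().get();
    }

    // A stack-local strong reference is modelled as an explicit root.
    void pushRoot(Object* o) { roots_.push_back(o); }
    void popRoot() { roots_.pop_back(); }

    void registerWeak(Weak* w) { weaks_.push_back(w); }
    void unregisterWeak(Weak* w) {
        weaks_.erase(std::find(weaks_.begin(), weaks_.end(), w));
    }

    // Stand-in for JSC's DeferGC: no collection runs while one is alive.
    struct DeferGC {
        ToyHeap& heap;
        explicit DeferGC(ToyHeap& h) : heap(h) { ++heap.deferCount_; }
        ~DeferGC() { --heap.deferCount_; }
    };

    void collect() {
        for (auto& o : objects_)
            o->marked = false;
        for (Object* r : roots_)
            mark(r);
        for (Weak* w : weaks_)
            if (w->target && !w->target->marked)
                w->target = nullptr; // the moment m_prototype goes null
        objects_.erase(std::remove_if(objects_.begin(), objects_.end(),
            [](const std::unique_ptr<Object>& o) { return !o->marked; }),
            objects_.end());
    }

private:
    void mark(Object* o) {
        for (; o && !o->marked; o = o->prototype)
            o->marked = true;
    }
    std::size_t threshold_;
    int deferCount_ = 0;
    std::vector<std::unique_ptr<Object>> objects_;
    std::vector<Object*> roots_;
    std::vector<Weak*> weaks_;
};

// The three steps from the entry above, with the prototype held only through a
// Weak (JSObjCClassInfo's m_prototype). Returns true if the wrapper ends up
// with a real prototype, false if it gets the equivalent of jsNull.
bool buildWrapper(ToyHeap& heap, bool deferGC, bool keepStackRef) {
    Weak protoSlot;
    heap.registerWeak(&protoSlot);
    bool ok;
    {
        std::unique_ptr<ToyHeap::DeferGC> defer;
        if (deferGC)
            defer.reset(new ToyHeap::DeferGC(heap)); // remedy 1: defer GC
        protoSlot.target = heap.allocate();          // 1. create the prototype
        if (keepStackRef)
            heap.pushRoot(protoSlot.target);         // remedy 2: stack-local ref
        Object* wrapper = heap.allocate();           // 2. makeWrapper(); may collect
        wrapper->prototype = protoSlot.target;       // 3. nullptr if it collected
        ok = wrapper->prototype != nullptr;
        if (keepStackRef)
            heap.popRoot();
    }
    heap.unregisterWeak(&protoSlot);
    return ok;
}

// Threshold 1 makes the second allocation collect, so the race is deterministic.
bool unsafeWrapper()   { ToyHeap h(1); return buildWrapper(h, false, false); }
bool deferredWrapper() { ToyHeap h(1); return buildWrapper(h, true, false); }
bool rootedWrapper()   { ToyHeap h(1); return buildWrapper(h, false, true); }
```

Both remedies work for the same reason: the collector can no longer observe the prototype as unreachable between step 1 and step 3. A real heap collects at unpredictable points, which is why the bug surfaced only intermittently; the constructed threshold turns it into a deterministic check.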
2785
2786 2014-07-23  Brent Fulgham  <bfulgham@apple.com>
2787
2788         Build fix after r171482.
2789
2790         Rubberstamped by Joe Pecoraro.
2791
2792         * runtime/Identifier.h: Make header declarations match
2793         implementation file.
2794
2795 2014-07-23  Brent Fulgham  <bfulgham@apple.com>
2796
2797         [Win] Use NO_RETURN_DUE_TO_CRASH on Windows
2798         https://bugs.webkit.org/show_bug.cgi?id=135199
2799
2800         Reviewed by Mark Lam.
2801
2802         * jsc.cpp:
2803         (WTF::RuntimeArray::deleteProperty): Stop using ugly
2804         compiler work-around on Windows; use NO_RETURN_DUE_TO_CRASH
2805         codepath instead.
2806         * runtime/Identifier.h: Add NO_RETURN_DUE_TO_CRASH
2807         to header so function declaration matches implementation.
2808
2809 2014-07-23  Bem Jones-Bey  <bjonesbe@adobe.com>
2810
2811         Remove CSS_EXCLUSIONS compile flag and leftover code
2812         https://bugs.webkit.org/show_bug.cgi?id=135175
2813
2814         Reviewed by Zoltan Horvath.
2815
2816         At this point, the CSS_EXCLUSIONS flag guards nothing but some useless
2817         stubs. This removes the flag and the useless code.
2818
2819         * Configurations/FeatureDefines.xcconfig:
2820
2821 2014-07-23  Commit Queue  <commit-queue@webkit.org>
2822
2823         Unreviewed, rolling out r171367.
2824         https://bugs.webkit.org/show_bug.cgi?id=135192
2825
2826         broke three API tests (Requested by thorton on #webkit).
2827
2828         Reverted changeset:
2829
2830         "JSLock release should only modify the AtomicStringTable if it
2831         modified in acquire"
2832         https://bugs.webkit.org/show_bug.cgi?id=135143
2833         http://trac.webkit.org/changeset/171367
2834
2835 2014-07-22  László Langó  <llango.u-szeged@partner.samsung.com>
2836
2837         [EFL] Build fix after the [ftlopt] branch merge.
2838
2839         Reviewed by Csaba Osztrogonác.
2840
2841         * dfg/DFGBranchDirection.h:
2842         (JSC::DFG::branchDirectionToString):
2843         * dfg/DFGStructureClobberState.h:
2844         (JSC::DFG::merge):
2845
2846 2014-07-22  Brent Fulgham  <bfulgham@apple.com>
2847
2848         Build fix for non-clang compile.
2849
2850         * jsc.cpp:
2851         (WTF::RuntimeArray::put): Remove incorrect return statement
2852         I added.
2853
2854 2014-07-22  Brent Fulgham  <bfulgham@apple.com>
2855
2856         Build fix for non-clang compile.
2857
2858         * jsc.cpp:
2859         (WTF::RuntimeArray::deleteProperty): Need (fake) return
2860         value when NO_RETURN_DUE_TO_CRASH is not defined.
2861
2862 2014-07-22  Filip Pizlo  <fpizlo@apple.com>
2863
2864         Merge r169628 from ftlopt.
2865
2866     2014-06-04  Matthew Mirman  <mmirman@apple.com>
2867     
2868             Added system for inlining native functions via the FTL.
2869             https://bugs.webkit.org/show_bug.cgi?id=131515
2870     
2871             Reviewed by Filip Pizlo.
2872     
2873             Also fixed the build to not compress the bitcode and to
2874             include all of the relevant runtime. With GCC_GENERATE_DEBUGGING_SYMBOLS = NO,
2875             the produced bitcode files are a hundredth of the size they were before.
2876             Now we can include all of the relevant runtime files with only a 3 MB overhead.
2877             This is the same overhead as for two compressed files before,
2878             but done more efficiently (on both ends) and with less code.
2879             
2880             Deciding whether to inline native functions is left up to LLVM. 
2881             The entire module containing the function is linked into the current 
2882             compiled JS so that inlining the native functions shouldn't make them smaller.
2883             
2884             Rather than loading Runtime.symtbl at runtime FTLState.cpp now generates a file 
2885             InlineRuntimeSymbolTable.h which statically builds the symbol table hash table.  
2886             
2887             * JavaScriptCore.xcodeproj/project.pbxproj: Added back runtime files to compile.
2888             * build-symbol-table-index.py: Changed bitcode suffix. 
2889             Added inclusion of only tested symbols.  
2890             Added output to InlineRuntimeSymbolTable.h. 
2891             * build-symbol-table-index.sh: Changed bitcode suffix.
2892             * copy-llvm-ir-to-derived-sources.sh: Removed gzip compression.
2893             * tested-symbols.symlst: Added.
2894             * dfg/DFGByteCodeParser.cpp:
2895             (JSC::DFG::ByteCodeParser::handleCall):  
2896             Now sets the knownFunction of the call node if such a function exists 
2897             and emits a check that during runtime the callee is in fact known.
2898             * dfg/DFGNode.h:
2899             Added functions to set the known function of a call node.
2900             (JSC::DFG::Node::canBeKnownFunction): Added.
2901             (JSC::DFG::Node::hasKnownFunction): Added.
2902             (JSC::DFG::Node::knownFunction): Added.
2903             (JSC::DFG::Node::giveKnownFunction): Added.
2904             * ftl/FTLAbbreviatedTypes.h: Added a typedef for LLVMMemoryBufferRef
2905             * ftl/FTLAbbreviations.h: Added some abbreviations.
2906             * ftl/FTLLowerDFGToLLVM.cpp:
2907             (JSC::FTL::LowerDFGToLLVM::isInlinableSize): Added. Hardcoded threshold to 275.
2908             (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol): Added.
2909             (JSC::FTL::LowerDFGToLLVM::getFunctionBySymbol): Added.
2910             (JSC::FTL::LowerDFGToLLVM::possiblyCompileInlineableNativeCall): Added.
2911             (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):  
2912             Added call to possiblyCompileInlineableNativeCall
2913             * ftl/FTLOutput.h:
2914             (JSC::FTL::Output::allocaName):  Added. Useful for debugging.
2915             * ftl/FTLState.cpp:
2916             (JSC::FTL::State::State): Added an include for InlineRuntimeSymbolTable.h
2917             * ftl/FTLState.h: Added symbol table hash table.
2918             * ftl/FTLCompile.cpp:
2919             (JSC::FTL::compile): Added inlining and dead function elimination passes.
2920             * heap/HandleStack.h: Added JS_EXPORT_PRIVATE to a few functions to get inlining to compile.
2921             * llvm/InitializeLLVMMac.mm: Deleted.
2922             * llvm/InitializeLLVMMac.cpp: Added.
2923             * llvm/LLVMAPIFunctions.h: Added macros to include Bitcode parsing and linking functions.
2924             * llvm/LLVMHeaders.h: Added includes for Bitcode parsing and linking.
2925             * runtime/BundlePath.h: Added.
2926             * runtime/BundlePath.mm: Added.
2927             * runtime/DateInstance.h: Added JS_EXPORT_PRIVATE to a few functions to get inlining to compile.
2928             * runtime/DateInstance.h: ditto.
2929             * runtime/DateConversion.h: ditto.
2930             * runtime/ExceptionHelpers.h: ditto.
2931             * runtime/JSCJSValue.h: ditto.
2932             * runtime/JSArray.h: ditto.
2933             * runtime/JSDateMath.h: ditto.
2934             * runtime/JSObject.h: ditto.
2935             * runtime/JSObject.h: ditto.
2936             * runtime/RegExp.h: ditto.
2937             * runtime/Structure.h: ditto.
2938             * runtime/Options.h:  Added maximumLLVMInstructionCountForNativeInlining.
2939     
2940 2014-07-22  Mark Lam  <mark.lam@apple.com>
2941
2942         Array.concat() should work on runtime arrays too.
2943         <https://webkit.org/b/135179>
2944
2945         Reviewed by Geoffrey Garen.
2946
2947         * jsc.cpp:
2948         (WTF::RuntimeArray::create):
2949         (WTF::RuntimeArray::~RuntimeArray):
2950         (WTF::RuntimeArray::destroy):
2951         (WTF::RuntimeArray::getOwnPropertySlot):
2952         (WTF::RuntimeArray::getOwnPropertySlotByIndex):
2953         (WTF::RuntimeArray::put):
2954         (WTF::RuntimeArray::deleteProperty):
2955         (WTF::RuntimeArray::getLength):
2956         (WTF::RuntimeArray::createPrototype):
2957         (WTF::RuntimeArray::createStructure):
2958         (WTF::RuntimeArray::finishCreation):
2959         (WTF::RuntimeArray::RuntimeArray):
2960         (WTF::RuntimeArray::lengthGetter):
2961         (GlobalObject::finishCreation):
2962         (functionCreateRuntimeArray):
2963         - Added support to create a runtime array for testing purpose.
2964         * runtime/ArrayPrototype.cpp:
2965         (JSC::getLength):
2966         - Added fast case for when the array object is a JSArray.
2967         (JSC::arrayProtoFuncJoin):
2968         - Added a needed but missing exception check.
2969         (JSC::arrayProtoFuncConcat):
2970         - Use getLength() to compute the array length instead of assuming that
2971           the array is a JSArray instance.
2972         * tests/stress/regexp-matches-array.js: Added.
2973         (testArrayConcat):
2974         * tests/stress/runtime-array.js: Added.
2975         (testArrayConcat):
2976
2977 2014-07-22  Brent Fulgham  <bfulgham@apple.com>
2978
2979         Fix Windows (return a value!)
2980
2981         * jsc.cpp:
2982         (functionQuit): Satisfy compiler's need for
2983         a return value.
2984
2985 2014-07-22  Brent Fulgham  <bfulgham@apple.com>
2986
2987         Fix Windows (sleep -> Sleep)
2988
2989         * jsc.cpp:
2990         (WTF::jscExit):
2991
2992 2014-07-22  Filip Pizlo  <fpizlo@apple.com>
2993
2994         Fix Windows.
2995
2996         * jsc.cpp:
2997         (WTF::jscExit):
2998
2999 2014-07-22  Filip Pizlo  <fpizlo@apple.com>
3000
3001         Fix 32-bit.
3002
3003         * dfg/DFGSpeculativeJIT32_64.cpp:
3004         (JSC::DFG::SpeculativeJIT::compile):
3005
3006 2014-07-22  Filip Pizlo  <fpizlo@apple.com>
3007
3008         Merge r169148, r169185, r169188, r169578, r169582, r169584, r169588, r169753 from ftlopt.
3009         
3010         Note that r169753 is merged out of order because it fixes a bug in r169588.
3011
3012     2014-06-10  Filip Pizlo  <fpizlo@apple.com>
3013     
3014             [ftlopt] Structure::dfgShouldWatchIfPossible() is unsound
3015             https://bugs.webkit.org/show_bug.cgi?id=133624
3016     
3017             Reviewed by Mark Hahnenberg.
3018     
3019             * runtime/Structure.h:
3020             (JSC::Structure::dfgShouldWatchIfPossible): Make it sound and add some verbiage.
3021     
3022     2014-06-04  Filip Pizlo  <fpizlo@apple.com>
3023     
3024             [ftlopt] AI should be able track structure sets larger than 1
3025             https://bugs.webkit.org/show_bug.cgi?id=128073
3026     
3027             Reviewed by Oliver Hunt.
3028             
3029             This makes two major changes to how AI (abstract interpreter) proves that a value has
3030             some structure:
3031             
3032             - StructureAbstractValue can now track an arbitrary number of structures. A set whose
3033               size is greater than one means that the value may have any of the structures, and we
3034               don't know which - but we do know that it cannot be any structure not in the set. The
3035               structure abstract value can still be TOP, which means the set of all structures. We
3036               artificially limit the set size to StructureAbstractValue::polymorphismLimit to guard
3037               memory explosion on pathological programs. This limit is big enough that it wouldn't
3038               kick in for normal code, since we have other heuristics that limit the number of
3039               structures that we would allow an inline cache to know about.
3040             
3041             - We eagerly set watchpoints on all watchable structures and then we assume that
3042               watchable structures are being watched, and that the watchpoint will jettison the code.
3043               This allows tracking of watchable structures to be far simpler than before. Previously,
3044               a structure being tracked as "future possible" was predicated on it being watchable but
3045               we might not actually watch it. This makes algebra over sets of future possible
3046               structures quite weird. But watching all watchable structures means that we simple say
3047               that a structure set can be in the following states: unclobbered, which means it's just
3048               a set of structures and it doesn't matter what is watchable or what isn't because we've
3049               proven that the value must have one of these structures right now; and clobbered, which
3050               means that we have a set of structures, plus all possible structures temporarily, with
3051               invalidation removing the "plus all possible structures". Clobbering a set means that
3052               if any of its structures are unwatchable, the set just becomes TOP; but if all
3053               structures in the set are watchable then we just set the clobbered bit to add the "plus
3054               all possible structures temporarily" thing. This precisely tracks the exact meaning of
3055               watchability and invalidation points.
3056             
3057             Slight SunSpider slow-down, neutral on Octane, slight AsmBench speed-up. I believe that
3058             we will ultimately undo the SunSpider slow-down by making further improvements to the set
3059             representation. I believe that Octane performance will ultimately improve once we remove
3060             remaining singleton special-cases. The ultimate goal of this is to remove the need to
3061             try quite so desperately hard to make everything monomorphic as we do currently.
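
The set semantics described above (a structure set, TOP, the polymorphism limit, clobbering as "plus all possible structures temporarily" when every member is watchable and TOP otherwise, and invalidation points removing that component), as an added example. This is not JSC's StructureAbstractValue: the class, its method names and the polymorphismLimit value of 8 are constructed for illustration.

```cpp
#include <algorithm>
#include <cstddef>
#include <vector>

// Toy model of the structure lattice described above. Constructed for this
// example; it is not JSC's StructureAbstractValue, and the polymorphismLimit
// value is assumed, not JSC's.
struct Structure {
    bool watchable; // can a watchpoint jettison the code if this transitions?
};

class StructureAbstractValue {
public:
    static constexpr std::size_t polymorphismLimit = 8; // assumed value

    // Record that the value may have structure s. Growing past the limit
    // degrades to TOP (all structures) to bound memory on pathological code.
    void add(const Structure* s) {
        if (top_) return;
        if (std::find(set_.begin(), set_.end(), s) == set_.end())
            set_.push_back(s);
        if (set_.size() > polymorphismLimit) makeTop();
    }
    void makeTop() { top_ = true; clobbered_ = false; set_.clear(); }

    // Clobbering: an effect may have transitioned any object. If every member
    // is watchable the code is jettisoned should one transition, so the set is
    // kept and only flagged "plus all possible structures temporarily"; one
    // unwatchable member forces TOP, since nothing would jettison the code.
    void clobber() {
        if (top_) return;
        for (const Structure* s : set_)
            if (!s->watchable) { makeTop(); return; }
        clobbered_ = true;
    }

    // At an invalidation point the watchpoints are known to have held, so the
    // temporary "any structure" component is dropped again.
    void observeInvalidationPoint() { clobbered_ = false; }

    // Join at a control-flow merge: union of sets; TOP absorbs everything.
    void merge(const StructureAbstractValue& other) {
        if (other.top_) { makeTop(); return; }
        for (const Structure* s : other.set_) add(s);
        if (!top_) clobbered_ = clobbered_ || other.clobbered_;
    }

    bool isTop() const { return top_; }
    bool isClobbered() const { return clobbered_; }
    std::size_t size() const { return set_.size(); }
    // Could the value have structure s right now?
    bool mayHave(const Structure* s) const {
        return top_ || clobbered_
            || std::find(set_.begin(), set_.end(), s) != set_.end();
    }
    // The proven structure when the value is known to be monomorphic.
    const Structure* onlyStructure() const {
        return (!top_ && !clobbered_ && set_.size() == 1) ? set_[0] : nullptr;
    }

private:
    bool top_ = false;
    bool clobbered_ = false;
    std::vector<const Structure*> set_;
};

// Watchable member: clobbering hides the proof only until the next
// invalidation point.
bool scenarioWatchable() {
    Structure s{true};
    StructureAbstractValue v;
    v.add(&s); v.clobber();
    bool provenWhileClobbered = v.onlyStructure() == &s; // false: clobbered
    v.observeInvalidationPoint();
    return !provenWhileClobbered && !v.isTop() && v.onlyStructure() == &s;
}

// Unwatchable member: clobbering throws the proof away entirely.
bool scenarioUnwatchable() {
    Structure s{false};
    StructureAbstractValue v;
    v.add(&s); v.clobber();
    return v.isTop() && v.onlyStructure() == nullptr;
}

// Merging two monomorphic values yields a two-element set, not TOP.
bool scenarioMerge() {
    Structure a{true}, b{true}, c{true};
    StructureAbstractValue v, w;
    v.add(&a); w.add(&b); v.merge(w);
    return v.size() == 2 && v.mayHave(&a) && v.mayHave(&b) && !v.mayHave(&c)
        && v.onlyStructure() == nullptr;
}

// Exceeding polymorphismLimit degrades the set to TOP.
bool scenarioPolymorphismLimit() {
    std::vector<Structure> many(StructureAbstractValue::polymorphismLimit + 1, Structure{true});
    StructureAbstractValue v;
    for (const Structure& s : many) v.add(&s);
    return v.isTop() && v.size() == 0;
}
```

The point the scenarios make is the one the entry argues: with eager watchpoints, clobbering a set of watchable structures loses precision only temporarily, so a value can be proven monomorphic again after the next invalidation point without any of the old "future possible" bookkeeping.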
3062     
3063             * CMakeLists.txt:
3064             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3065             * JavaScriptCore.xcodeproj/project.pbxproj:
3066             * bytecode/StructureSet.cpp:
3067             (JSC::StructureSet::clear):
3068             (JSC::StructureSet::remove):
3069             (JSC::StructureSet::filter):
3070             (JSC::StructureSet::copyFromOutOfLine):
3071             (JSC::StructureSet::StructureSet): Deleted.
3072             (JSC::StructureSet::operator=): Deleted.
3073             (JSC::StructureSet::copyFrom): Deleted.
3074             * bytecode/StructureSet.h:
3075             (JSC::StructureSet::StructureSet):
3076             (JSC::StructureSet::operator=):
3077             (JSC::StructureSet::isEmpty):
3078             (JSC::StructureSet::genericFilter):
3079             (JSC::StructureSet::ContainsOutOfLine::ContainsOutOfLine):
            (JSC::StructureSet::ContainsOutOfLine::operator()):
            (JSC::StructureSet::copyFrom):
            (JSC::StructureSet::deleteStructureListIfNecessary):
            (JSC::StructureSet::setEmpty):
            (JSC::StructureSet::getReservedFlag):
            (JSC::StructureSet::setReservedFlag):
            * dfg/DFGAbstractInterpreter.h:
            (JSC::DFG::AbstractInterpreter::setBuiltInConstant):
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::booleanResult):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberCapturedVars):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::setDidClobber):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::dump):
            * dfg/DFGAbstractValue.cpp:
            (JSC::DFG::AbstractValue::observeTransitions):
            (JSC::DFG::AbstractValue::setMostSpecific):
            (JSC::DFG::AbstractValue::set):
            (JSC::DFG::AbstractValue::filter):
            (JSC::DFG::AbstractValue::shouldBeClear):
            (JSC::DFG::AbstractValue::normalizeClarity):
            (JSC::DFG::AbstractValue::checkConsistency):
            (JSC::DFG::AbstractValue::assertIsWatched):
            (JSC::DFG::AbstractValue::dumpInContext):
            (JSC::DFG::AbstractValue::setFuturePossibleStructure): Deleted.
            * dfg/DFGAbstractValue.h:
            (JSC::DFG::AbstractValue::clear):
            (JSC::DFG::AbstractValue::clobberStructures):
            (JSC::DFG::AbstractValue::clobberStructuresFor):
            (JSC::DFG::AbstractValue::observeInvalidationPoint):
            (JSC::DFG::AbstractValue::observeInvalidationPointFor):
            (JSC::DFG::AbstractValue::observeTransition):
            (JSC::DFG::AbstractValue::TransitionObserver::TransitionObserver):
            (JSC::DFG::AbstractValue::TransitionObserver::operator()):
            (JSC::DFG::AbstractValue::TransitionsObserver::TransitionsObserver):
            (JSC::DFG::AbstractValue::TransitionsObserver::operator()):
            (JSC::DFG::AbstractValue::isHeapTop):
            (JSC::DFG::AbstractValue::setType):
            (JSC::DFG::AbstractValue::operator==):
            (JSC::DFG::AbstractValue::merge):
            (JSC::DFG::AbstractValue::validate):
            (JSC::DFG::AbstractValue::hasClobberableState):
            (JSC::DFG::AbstractValue::assertIsWatched):
            (JSC::DFG::AbstractValue::observeIndexingTypeTransition):
            (JSC::DFG::AbstractValue::makeTop):
            (JSC::DFG::AbstractValue::bestProvenStructure): Deleted.
            * dfg/DFGAllocator.h:
            * dfg/DFGArgumentsSimplificationPhase.cpp:
            (JSC::DFG::ArgumentsSimplificationPhase::run):
            * dfg/DFGArrayMode.cpp:
            (JSC::DFG::ArrayMode::alreadyChecked):
            * dfg/DFGAtTailAbstractState.h:
            (JSC::DFG::AtTailAbstractState::structureClobberState):
            (JSC::DFG::AtTailAbstractState::setStructureClobberState):
            (JSC::DFG::AtTailAbstractState::setFoundConstants):
            (JSC::DFG::AtTailAbstractState::haveStructures): Deleted.
            (JSC::DFG::AtTailAbstractState::setHaveStructures): Deleted.
            * dfg/DFGBasicBlock.cpp:
            (JSC::DFG::BasicBlock::BasicBlock):
            * dfg/DFGBasicBlock.h:
            * dfg/DFGBranchDirection.h:
            (JSC::DFG::branchDirectionToString):
            (WTF::printInternal):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::handlePutById):
            * dfg/DFGCFAPhase.cpp:
            (JSC::DFG::CFAPhase::performBlockCFA):
            * dfg/DFGCSEPhase.cpp:
            (JSC::DFG::CSEPhase::checkStructureElimination):
            (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
            (JSC::DFG::CSEPhase::performNodeCSE):
            * dfg/DFGClobberize.h:
            (JSC::DFG::clobberize):
            * dfg/DFGCommon.cpp:
            (JSC::DFG::startCrashing):
            (JSC::DFG::isCrashing):
            * dfg/DFGCommon.h:
            * dfg/DFGCommonData.cpp:
            (JSC::DFG::CommonData::notifyCompilingStructureTransition):
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::foldConstants):
            (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
            (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
            (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
            * dfg/DFGDesiredWatchpoints.cpp:
            (JSC::DFG::DesiredWatchpoints::consider):
            (JSC::DFG::DesiredWatchpoints::addLazily): Deleted.
            * dfg/DFGDesiredWatchpoints.h:
            (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
            (JSC::DFG::GenericDesiredWatchpoints::areStillValid):
            (JSC::DFG::GenericDesiredWatchpoints::isWatched):
            (JSC::DFG::DesiredWatchpoints::isWatched):
            (JSC::DFG::WatchpointForGenericWatchpointSet::WatchpointForGenericWatchpointSet): Deleted.
            (JSC::DFG::GenericDesiredWatchpoints::addLazily): Deleted.
            (JSC::DFG::GenericDesiredWatchpoints::isStillValid): Deleted.
            (JSC::DFG::GenericDesiredWatchpoints::shouldAssumeMixedState): Deleted.
            (JSC::DFG::GenericDesiredWatchpoints::isValidOrMixed): Deleted.
            (JSC::DFG::DesiredWatchpoints::isStillValid): Deleted.
            (JSC::DFG::DesiredWatchpoints::shouldAssumeMixedState): Deleted.
            (JSC::DFG::DesiredWatchpoints::isValidOrMixed): Deleted.
            * dfg/DFGDoesGC.cpp:
            (JSC::DFG::doesGC):
            * dfg/DFGFixupPhase.cpp:
            (JSC::DFG::FixupPhase::fixupNode):
            (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
            (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::~Graph):
            (JSC::DFG::Graph::dump):
            (JSC::DFG::Graph::dumpBlockHeader):
            (JSC::DFG::Graph::tryGetFoldableView):
            (JSC::DFG::Graph::visitChildren):
            (JSC::DFG::Graph::assertIsWatched):
            (JSC::DFG::Graph::handleAssertionFailure):
            * dfg/DFGGraph.h:
            (JSC::DFG::Graph::convertToConstant):
            (JSC::DFG::Graph::masqueradesAsUndefinedWatchpointIsStillValid):
            (JSC::DFG::Graph::addStructureTransitionData): Deleted.
            * dfg/DFGInPlaceAbstractState.cpp:
            (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
            (JSC::DFG::InPlaceAbstractState::initialize):
            (JSC::DFG::InPlaceAbstractState::endBasicBlock):
            (JSC::DFG::InPlaceAbstractState::reset):
            (JSC::DFG::InPlaceAbstractState::merge):
            * dfg/DFGInPlaceAbstractState.h:
            (JSC::DFG::InPlaceAbstractState::structureClobberState):
            (JSC::DFG::InPlaceAbstractState::setStructureClobberState):
            (JSC::DFG::InPlaceAbstractState::setFoundConstants):
            (JSC::DFG::InPlaceAbstractState::haveStructures): Deleted.
            (JSC::DFG::InPlaceAbstractState::setHaveStructures): Deleted.
            * dfg/DFGLivenessAnalysisPhase.cpp:
            (JSC::DFG::LivenessAnalysisPhase::run):
            * dfg/DFGNode.h:
            (JSC::DFG::Node::hasTransition):
            (JSC::DFG::Node::transition):
            (JSC::DFG::Node::hasStructure):
            (JSC::DFG::StructureTransitionData::StructureTransitionData): Deleted.
            (JSC::DFG::Node::convertToStructureTransitionWatchpoint): Deleted.
            (JSC::DFG::Node::hasStructureTransitionData): Deleted.
            (JSC::DFG::Node::structureTransitionData): Deleted.
            * dfg/DFGNodeType.h:
            * dfg/DFGPlan.cpp:
            (JSC::DFG::Plan::compileInThreadImpl):
            * dfg/DFGPredictionPropagationPhase.cpp:
            (JSC::DFG::PredictionPropagationPhase::propagate):
            * dfg/DFGSafeToExecute.h:
            (JSC::DFG::safeToExecute):
            * dfg/DFGSpeculativeJIT.cpp:
            (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
            (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
            * dfg/DFGSpeculativeJIT.h:
            (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
            * dfg/DFGSpeculativeJIT32_64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGSpeculativeJIT64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGStructureAbstractValue.cpp: Added.
            (JSC::DFG::StructureAbstractValue::assertIsWatched):
            (JSC::DFG::StructureAbstractValue::clobber):
            (JSC::DFG::StructureAbstractValue::observeTransition):
            (JSC::DFG::StructureAbstractValue::observeTransitions):
            (JSC::DFG::StructureAbstractValue::add):
            (JSC::DFG::StructureAbstractValue::merge):
            (JSC::DFG::StructureAbstractValue::mergeSlow):
            (JSC::DFG::StructureAbstractValue::mergeNotTop):
            (JSC::DFG::StructureAbstractValue::filter):
            (JSC::DFG::StructureAbstractValue::filterSlow):
            (JSC::DFG::StructureAbstractValue::contains):
            (JSC::DFG::StructureAbstractValue::isSubsetOf):
            (JSC::DFG::StructureAbstractValue::isSupersetOf):
            (JSC::DFG::StructureAbstractValue::overlaps):
            (JSC::DFG::StructureAbstractValue::equalsSlow):
            (JSC::DFG::StructureAbstractValue::dumpInContext):
            (JSC::DFG::StructureAbstractValue::dump):
            * dfg/DFGStructureAbstractValue.h:
            (JSC::DFG::StructureAbstractValue::StructureAbstractValue):
            (JSC::DFG::StructureAbstractValue::operator=):
            (JSC::DFG::StructureAbstractValue::clear):
            (JSC::DFG::StructureAbstractValue::makeTop):
            (JSC::DFG::StructureAbstractValue::assertIsWatched):
            (JSC::DFG::StructureAbstractValue::observeInvalidationPoint):
            (JSC::DFG::StructureAbstractValue::top):
            (JSC::DFG::StructureAbstractValue::isClear):
            (JSC::DFG::StructureAbstractValue::isTop):
            (JSC::DFG::StructureAbstractValue::isNeitherClearNorTop):
            (JSC::DFG::StructureAbstractValue::isClobbered):
            (JSC::DFG::StructureAbstractValue::merge):
            (JSC::DFG::StructureAbstractValue::filter):
            (JSC::DFG::StructureAbstractValue::operator==):
            (JSC::DFG::StructureAbstractValue::size):
            (JSC::DFG::StructureAbstractValue::at):
            (JSC::DFG::StructureAbstractValue::operator[]):
            (JSC::DFG::StructureAbstractValue::onlyStructure):
            (JSC::DFG::StructureAbstractValue::isSupersetOf):
            (JSC::DFG::StructureAbstractValue::makeTopWhenThin):
            (JSC::DFG::StructureAbstractValue::setClobbered):
            (JSC::DFG::StructureAbstractValue::add): Deleted.
            (JSC::DFG::StructureAbstractValue::addAll): Deleted.
            (JSC::DFG::StructureAbstractValue::contains): Deleted.
            (JSC::DFG::StructureAbstractValue::isSubsetOf): Deleted.
            (JSC::DFG::StructureAbstractValue::doesNotContainAnyOtherThan): Deleted.
            (JSC::DFG::StructureAbstractValue::isClearOrTop): Deleted.
            (JSC::DFG::StructureAbstractValue::last): Deleted.
            (JSC::DFG::StructureAbstractValue::speculationFromStructures): Deleted.
            (JSC::DFG::StructureAbstractValue::isValidOffset): Deleted.
            (JSC::DFG::StructureAbstractValue::hasSingleton): Deleted.
            (JSC::DFG::StructureAbstractValue::singleton): Deleted.
            (JSC::DFG::StructureAbstractValue::dumpInContext): Deleted.
            (JSC::DFG::StructureAbstractValue::dump): Deleted.
            (JSC::DFG::StructureAbstractValue::topValue): Deleted.
            * dfg/DFGStructureClobberState.h: Added.
            (JSC::DFG::merge):
            (WTF::printInternal):
            * dfg/DFGTransition.cpp: Added.
            (JSC::DFG::Transition::dumpInContext):
            (JSC::DFG::Transition::dump):
            * dfg/DFGTransition.h: Added.
            (JSC::DFG::Transition::Transition):
            * dfg/DFGTypeCheckHoistingPhase.cpp:
            (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
            (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
            * dfg/DFGWatchableStructureWatchingPhase.cpp: Added.
            (JSC::DFG::WatchableStructureWatchingPhase::WatchableStructureWatchingPhase):
            (JSC::DFG::WatchableStructureWatchingPhase::run):
            (JSC::DFG::WatchableStructureWatchingPhase::tryWatch):
            (JSC::DFG::performWatchableStructureWatching):
            * dfg/DFGWatchableStructureWatchingPhase.h: Added.
            * dfg/DFGWatchpointCollectionPhase.cpp:
            (JSC::DFG::WatchpointCollectionPhase::handle):
            (JSC::DFG::WatchpointCollectionPhase::handleEdge): Deleted.
            * ftl/FTLCapabilities.cpp:
            (JSC::FTL::canCompile):
            * ftl/FTLIntrinsicRepository.h:
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::ftlUnreachable):
            (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
            (JSC::FTL::LowerDFGToLLVM::compileBlock):
            (JSC::FTL::LowerDFGToLLVM::compileNode):
            (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
            (JSC::FTL::LowerDFGToLLVM::compilePhi):
            (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
            (JSC::FTL::LowerDFGToLLVM::compileValueRep):
            (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
            (JSC::FTL::LowerDFGToLLVM::compileGetArgument):
            (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
            (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
            (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
            (JSC::FTL::LowerDFGToLLVM::compileArithMul):
            (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
            (JSC::FTL::LowerDFGToLLVM::compileArithMod):
            (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
            (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
            (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
            (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
            (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
            (JSC::FTL::LowerDFGToLLVM::compileGetById):
            (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
            (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
            (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
            (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
            (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
            (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
            (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
            (JSC::FTL::LowerDFGToLLVM::compileNewArray):
            (JSC::FTL::LowerDFGToLLVM::compileNewArrayBuffer):
            (JSC::FTL::LowerDFGToLLVM::compileAllocatePropertyStorage):
            (JSC::FTL::LowerDFGToLLVM::compileReallocatePropertyStorage):
            (JSC::FTL::LowerDFGToLLVM::compileToString):
            (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
            (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
            (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
            (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
            (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
            (JSC::FTL::LowerDFGToLLVM::compileSwitch):
            (JSC::FTL::LowerDFGToLLVM::compare):
            (JSC::FTL::LowerDFGToLLVM::boolify):
            (JSC::FTL::LowerDFGToLLVM::terminate):
            (JSC::FTL::LowerDFGToLLVM::lowInt32):
            (JSC::FTL::LowerDFGToLLVM::lowInt52):
            (JSC::FTL::LowerDFGToLLVM::opposite):
            (JSC::FTL::LowerDFGToLLVM::lowCell):
            (JSC::FTL::LowerDFGToLLVM::lowBoolean):
            (JSC::FTL::LowerDFGToLLVM::lowDouble):
            (JSC::FTL::LowerDFGToLLVM::lowJSValue):
            (JSC::FTL::LowerDFGToLLVM::speculate):
            (JSC::FTL::LowerDFGToLLVM::isArrayType):
            (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
            (JSC::FTL::LowerDFGToLLVM::callCheck):
            (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
            (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
            (JSC::FTL::LowerDFGToLLVM::setInt52):
            (JSC::FTL::LowerDFGToLLVM::crash):
            (JSC::FTL::LowerDFGToLLVM::compileStructureTransitionWatchpoint): Deleted.
            * ftl/FTLOutput.cpp:
            (JSC::FTL::Output::crashNonTerminal): Deleted.
            * ftl/FTLOutput.h:
            (JSC::FTL::Output::crash): Deleted.
            * jit/JITOperations.h:
            * jsc.cpp:
            (WTF::jscExit):
            (functionQuit):
            (main):
            (printUsageStatement):
            (CommandLine::parseArguments):
            * runtime/Structure.h:
            (JSC::Structure::dfgShouldWatchIfPossible):
            (JSC::Structure::dfgShouldWatch):
            * tests/stress/arrayify-to-structure-contradiction.js: Added.
            (foo):
            * tests/stress/ftl-getmyargumentslength-inline.js: Added.
            (foo):
            * tests/stress/multi-put-by-offset-multiple-transitions.js: Added.
            (foo):
            (Foo):
            * tests/stress/throw-from-ftl-in-loop.js: Added.
            * tests/stress/throw-from-ftl.js: Added.
            (foo):

    2014-06-03  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] Unreviewed, roll out r169578. The build system needs some more love.

            * InlineRuntimeSymbolTable.h: Removed.
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * build-symbol-table-index.py:
            * build-symbol-table-index.sh:
            * copy-llvm-ir-to-derived-sources.sh:
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::handleCall):
            * dfg/DFGNode.h:
            (JSC::DFG::Node::canBeKnownFunction): Deleted.
            (JSC::DFG::Node::hasKnownFunction): Deleted.
            (JSC::DFG::Node::knownFunction): Deleted.
            (JSC::DFG::Node::giveKnownFunction): Deleted.
            * ftl/FTLAbbreviatedTypes.h:
            * ftl/FTLCompile.cpp:
            (JSC::FTL::compile):
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
            (JSC::FTL::LowerDFGToLLVM::lower):
            (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
            (JSC::FTL::LowerDFGToLLVM::possiblyCompileInlineableNativeCall): Deleted.
            (JSC::FTL::LowerDFGToLLVM::getFunctionBySymbol): Deleted.
            (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol): Deleted.
            (JSC::FTL::LowerDFGToLLVM::isInlinableSize): Deleted.
            * ftl/FTLState.cpp:
            (JSC::FTL::State::State):
            * ftl/FTLState.h:
            * heap/HandleStack.h:
            * llvm/InitializeLLVM.h:
            * llvm/InitializeLLVMMac.cpp: Removed.
            * llvm/InitializeLLVMMac.mm: Added.
            (JSC::initializeLLVMImpl):
            * llvm/LLVMAPIFunctions.h:
            * llvm/LLVMHeaders.h:
            * runtime/BundlePath.h: Removed.
            * runtime/BundlePath.mm: Removed.
            * runtime/DateConversion.h:
            * runtime/DateInstance.h:
            * runtime/ExceptionHelpers.h:
            * runtime/JSArray.h:
            * runtime/JSCJSValue.h:
            (JSC::JSValue::toFloat):
            * runtime/JSDateMath.h:
            * runtime/JSObject.h:
            * runtime/JSWrapperObject.h:
            * runtime/Options.h:
            * runtime/RegExp.h:
            * runtime/StringObject.h:
            * runtime/Structure.h:
            * tested-symbols.symlst: Removed.

    2014-06-03  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] FTL native inlining tests take far too long
            https://bugs.webkit.org/show_bug.cgi?id=133498

            Unreviewed test gardening.

            Added a new exceptions test since the other one appears to not work.

            * tests/stress/ftl-library-exception.js:
            * tests/stress/ftl-library-inline-gettimezoneoffset.js: Added.
            (foo):
            * tests/stress/ftl-library-inlining-exceptions-dataview.js: Added.
            (foo):
            * tests/stress/ftl-library-inlining-exceptions.js: Copied from LayoutTests/js/regress/script-tests/ftl-library-inlining-exceptions.js.
            * tests/stress/ftl-library-inlining-loops.js: Copied from LayoutTests/js/regress/script-tests/ftl-library-inlining-loops.js.
            * tests/stress/ftl-library-inlining-random.js:
            * tests/stress/ftl-library-substring.js:

    2014-06-03  Matthew Mirman  <mmirman@apple.com>

            [ftlopt] Added system for inlining native functions via the FTL.
            https://bugs.webkit.org/show_bug.cgi?id=131515

            Reviewed by Filip Pizlo.

            Also fixed the build to not compress the bitcode and to
            include all of the relevant runtime. With GCC_GENERATE_DEBUGGING_SYMBOLS = NO,
            the produced bitcode files are a 100th the size they were before.
            Now we can include all of the relevant runtime files with only a 3mb overhead.
            This is the same overhead as for two compressed files before,
            but done more efficiently (on both ends) and with less code.

            Deciding whether to inline native functions is left up to LLVM.
            The entire module containing the function is linked into the current
            compiled JS so that inlining the native functions shouldn't make them smaller.

            Rather than loading Runtime.symtbl at runtime FTLState.cpp now includes a file
            InlineRuntimeSymbolTable.h which statically builds the symbol table hash table.
            Currently build-symbol-table-index.py updates this file from the
            contents of tested-symbols.symlst when done building as a matter of convenience.
            However, in order to include the new contents of the file in the build
            you'd need to build twice.  This will be fixed in future versions.

            * JavaScriptCore.xcodeproj/project.pbxproj: Added back runtime files to compile.
            * build-symbol-table-index.py: Changed bitcode suffix.
            Added inclusion of only tested symbols.
            Added output to InlineRuntimeSymbolTable.h.
            * build-symbol-table-index.sh: Changed bitcode suffix.
            * copy-llvm-ir-to-derived-sources.sh: Removed gzip compression.
            * tested-symbols.symlst: Added.
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::handleCall):
            Now sets the knownFunction of the call node if such a function exists
            and emits a check that during runtime the callee is in fact known.
            * dfg/DFGNode.h:
            Added functions to set the known function of a call node.
            (JSC::DFG::Node::canBeKnownFunction): Added.
            (JSC::DFG::Node::hasKnownFunction): Added.
            (JSC::DFG::Node::knownFunction): Added.
            (JSC::DFG::Node::giveKnownFunction): Added.
            * ftl/FTLAbbreviatedTypes.h: Added a typedef for LLVMMemoryBufferRef
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::isInlinableSize): Added. Hardcoded threshold to 275.
            (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol): Added.
            (JSC::FTL::LowerDFGToLLVM::getFunctionBySymbol): Added.
            (JSC::FTL::LowerDFGToLLVM::possiblyCompileInlineableNativeCall): Added.
            (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
            Added call to possiblyCompileInlineableNativeCall
            * ftl/FTLOutput.h:
            (JSC::FTL::Output::allocaName):  Added. Useful for debugging.
            * ftl/FTLState.cpp:
            (JSC::FTL::State::State): Added an include for InlineRuntimeSymbolTable.h
            * ftl/FTLState.h: Added symbol table hash table.
            * ftl/FTLCompile.cpp:
            (JSC::FTL::compile): Added inlining and dead function elimination passes.
            * heap/HandleStack.h: Added JS_EXPORT_PRIVATE to a few functions to get inlining to compile.
            * InlineRuntimeSymbolTable.h: Added.
            * llvm/InitializeLLVMMac.mm: Deleted.
            * llvm/InitializeLLVMMac.cpp: Added.
            * llvm/LLVMAPIFunctions.h: Added macros to include Bitcode parsing and linking functions.
            * llvm/LLVMHeaders.h: Added includes for Bitcode parsing and linking.
            * runtime/BundlePath.h: Added.
            * runtime/BundlePath.mm: Added.
            * runtime/DateInstance.h: Added JS_EXPORT_PRIVATE to a few functions to get inlining to compile.
            * runtime/DateInstance.h: ditto.
            * runtime/DateConversion.h: ditto.
            * runtime/ExceptionHelpers.h: ditto.
            * runtime/JSCJSValue.h: ditto.
            * runtime/JSArray.h: ditto.
            * runtime/JSDateMath.h: ditto.
            * runtime/JSObject.h: ditto.
            * runtime/JSObject.h: ditto.
            * runtime/RegExp.h: ditto.
            * runtime/Structure.h: ditto.
            * runtime/Options.h:  Added maximumLLVMInstructionCountForNativeInlining.
            * tests/stress/ftl-library-inlining-random.js: Added.
            * tests/stress/ftl-library-substring.js: Added.

    2014-05-21  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] DFG::clobberize should be blind to the effects of GC
            https://bugs.webkit.org/show_bug.cgi?id=133166

            Reviewed by Geoffrey Garen.

            Move the computation of where GCs happen to DFG::doesGC().

            Large (>5x) speed-up on programs that do loop-invariant string concatenations.

            * CMakeLists.txt:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * dfg/DFGAbstractHeap.h:
            * dfg/DFGClobberize.h:
            (JSC::DFG::clobberize):
            (JSC::DFG::clobberizeForAllocation): Deleted.
            * dfg/DFGDoesGC.cpp: Added.
            (JSC::DFG::doesGC):
            * dfg/DFGDoesGC.h: Added.
            * dfg/DFGStoreBarrierElisionPhase.cpp:
            (JSC::DFG::StoreBarrierElisionPhase::handleNode):
            (JSC::DFG::StoreBarrierElisionPhase::couldCauseGC): Deleted.

    2014-05-16  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] A StructureSet with one element should only require one word and no allocation
            https://bugs.webkit.org/show_bug.cgi?id=133014

            Reviewed by Oliver Hunt.

            This makes it more efficient to use StructureSet in situations where the common case is
            just one structure.

            I also took the opportunity to use the same set terminology we use in BitVector: merge,
            filter, exclude, contains, etc.

            Eventually, this will be used to implement StructureAbstractValue as well.

            * CMakeLists.txt:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * bytecode/StructureSet.cpp: Added.
            (JSC::StructureSet::StructureSet):
            (JSC::StructureSet::operator=):
            (JSC::StructureSet::clear):
            (JSC::StructureSet::add):
            (JSC::StructureSet::remove):
            (JSC::StructureSet::contains):
            (JSC::StructureSet::merge):
            (JSC::StructureSet::filter):
            (JSC::StructureSet::exclude):
            (JSC::StructureSet::isSubsetOf):
            (JSC::StructureSet::overlaps):
            (JSC::StructureSet::operator==):
            (JSC::StructureSet::speculationFromStructures):
            (JSC::StructureSet::arrayModesFromStructures):
            (JSC::StructureSet::dumpInContext):
            (JSC::StructureSet::dump):
            (JSC::StructureSet::addOutOfLine):
            (JSC::StructureSet::containsOutOfLine):
            (JSC::StructureSet::copyFrom):
            (JSC::StructureSet::OutOfLineList::create):
            (JSC::StructureSet::OutOfLineList::destroy):
            * bytecode/StructureSet.h:
            (JSC::StructureSet::StructureSet):
            (JSC::StructureSet::~StructureSet):
            (JSC::StructureSet::onlyStructure):
            (JSC::StructureSet::isEmpty):
            (JSC::StructureSet::size):
            (JSC::StructureSet::at):
            (JSC::StructureSet::operator[]):
            (JSC::StructureSet::last):
            (JSC::StructureSet::OutOfLineList::list):
            (JSC::StructureSet::OutOfLineList::OutOfLineList):
            (JSC::StructureSet::deleteStructureListIfNecessary):
            (JSC::StructureSet::isThin):
            (JSC::StructureSet::pointer):
            (JSC::StructureSet::singleStructure):
            (JSC::StructureSet::structureList):
            (JSC::StructureSet::set):
            (JSC::StructureSet::clear): Deleted.
            (JSC::StructureSet::add): Deleted.
            (JSC::StructureSet::addAll): Deleted.
            (JSC::StructureSet::remove): Deleted.
            (JSC::StructureSet::contains): Deleted.
            (JSC::StructureSet::containsOnly): Deleted.
            (JSC::StructureSet::isSubsetOf): Deleted.
            (JSC::StructureSet::overlaps): Deleted.
            (JSC::StructureSet::singletonStructure): Deleted.
            (JSC::StructureSet::speculationFromStructures): Deleted.
            (JSC::StructureSet::arrayModesFromStructures): Deleted.
            (JSC::StructureSet::operator==): Deleted.
            (JSC::StructureSet::dumpInContext): Deleted.
            (JSC::StructureSet::dump): Deleted.
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
            (JSC::DFG::ByteCodeParser::handleGetById):
            (JSC::DFG::ByteCodeParser::parseBlock):
            * dfg/DFGCSEPhase.cpp:
            (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
            * dfg/DFGNode.h:
            (JSC::DFG::Node::convertToStructureTransitionWatchpoint):
            * dfg/DFGTypeCheckHoistingPhase.cpp:
            (JSC::DFG::TypeCheckHoistingPhase::noticeStructureCheck):
3664     
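An added C++ illustration of the one-word representation the StructureSet entry above describes; it is not code from this ChangeLog or from the WebKit tree. A single element is stored inline in the word, and an out-of-line list is allocated only when a second distinct element arrives (and freed again when the set shrinks back to one), with the BitVector-style merge/filter/contains/isSubsetOf/overlaps vocabulary the entry mentions. The names ThinSet and Structure, the helper functions, and the use of pointer bit 0 as the out-of-line tag are assumptions made for the example.

```cpp
// Added example (not JSC's code): a set that is one machine word wide, keeps a
// single element inline ("thin") and only heap-allocates for two or more.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

struct Structure { int id; };  // constructed stand-in for JSC::Structure; only its address matters

class ThinSet {
public:
    ThinSet() : m_bits(0) {}
    ThinSet(const ThinSet& o) : m_bits(0) { merge(o); }
    ThinSet& operator=(const ThinSet& o) { if (this != &o) { clear(); merge(o); } return *this; }
    ~ThinSet() { clear(); }

    void clear() { if (!isThin()) delete list(); m_bits = 0; }
    bool isThin() const { return !(m_bits & fatTag); }   // true: no heap list in use
    bool isEmpty() const { return m_bits == 0; }
    size_t size() const { return isThin() ? (single() ? 1 : 0) : list()->size(); }
    Structure* at(size_t i) const { return isThin() ? single() : (*list())[i]; }
    Structure* onlyStructure() const { return isThin() ? single() : nullptr; }  // the common case

    bool contains(Structure* s) const {
        if (isThin()) return s && single() == s;
        return std::find(list()->begin(), list()->end(), s) != list()->end();
    }
    // Mutators return whether the set changed, as in BitVector.
    bool add(Structure* s) {
        if (!isThin()) { if (contains(s)) return false; list()->push_back(s); return true; }
        if (!single()) { m_bits = toBits(s); return true; }
        if (single() == s) return false;
        m_bits = toBits(new std::vector<Structure*>{ single(), s }) | fatTag;  // go out of line
        return true;
    }
    bool remove(Structure* s) {
        if (isThin()) { if (!contains(s)) return false; m_bits = 0; return true; }
        std::vector<Structure*>* l = list();
        auto it = std::find(l->begin(), l->end(), s);
        if (it == l->end()) return false;
        l->erase(it);
        if (l->size() == 1) { Structure* last = l->front(); delete l; m_bits = toBits(last); }  // back to one word
        return true;
    }
    bool merge(const ThinSet& o) { bool c = false; for (size_t i = 0; i < o.size(); ++i) if (add(o.at(i))) c = true; return c; }
    bool filter(const ThinSet& o) {  // keep only the elements also present in o
        ThinSet kept;
        for (size_t i = 0; i < size(); ++i) if (o.contains(at(i))) kept.add(at(i));
        bool c = !(*this == kept);
        *this = kept;
        return c;
    }
    bool isSubsetOf(const ThinSet& o) const { for (size_t i = 0; i < size(); ++i) if (!o.contains(at(i))) return false; return true; }
    bool overlaps(const ThinSet& o) const { for (size_t i = 0; i < size(); ++i) if (o.contains(at(i))) return true; return false; }
    bool operator==(const ThinSet& o) const { return size() == o.size() && isSubsetOf(o); }

private:
    enum : uintptr_t { fatTag = 1 };  // Structure and the list are at least 4-byte aligned, so bit 0 is free
    template <typename T> static uintptr_t toBits(T* p) { return reinterpret_cast<uintptr_t>(p); }
    Structure* single() const { return reinterpret_cast<Structure*>(m_bits); }
    std::vector<Structure*>* list() const { return reinterpret_cast<std::vector<Structure*>*>(m_bits & ~uintptr_t(fatTag)); }
    uintptr_t m_bits;
};

// Constructed scenarios so the behaviour can be checked by a caller.
static Structure* structure(int id) { static Structure pool[8]; pool[id].id = id; return &pool[id]; }
bool oneWordRepresentation() { return sizeof(ThinSet) == sizeof(void*); }
bool singleElementStaysThin() {
    ThinSet s;
    s.add(structure(0)); s.add(structure(0));  // duplicate add is a no-op
    return s.isThin() && s.size() == 1 && s.onlyStructure() == structure(0);
}
bool growsThenShrinksBack() {
    ThinSet s;
    s.add(structure(0)); s.add(structure(1));  // second element allocates the list
    bool fat = !s.isThin() && s.size() == 2 && !s.onlyStructure();
    s.remove(structure(1));                     // list freed, back to one word
    return fat && s.isThin() && s.onlyStructure() == structure(0);
}
size_t filteredSize() {
    ThinSet a, b;
    for (int i = 0; i < 3; ++i) a.add(structure(i));  // {0,1,2}
    for (int i = 1; i < 4; ++i) b.add(structure(i));  // {1,2,3}
    a.filter(b);                                       // {1,2}
    return (a.isSubsetOf(b) && b.overlaps(a)) ? a.size() : 0;
}

int main() {
    std::printf("one word: %d, thin: %d, shrink: %d, filtered: %zu\n",
        oneWordRepresentation(), singleElementStaysThin(), growsThenShrinksBack(), filteredSize());
    return 0;
}
```

The point to take from the scenarios is that the representation is invisible to callers: the same add/remove/filter calls work whether the set is thin or out of line, and the heap allocation exists only while the set holds more than one element.
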
2014-07-22  Ryuan Choi  <ryuan.choi@samsung.com>

        Unreviewed build fix attempt on the EFL port after r171362.

        Build break because of -Werror=return-type

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::makesCalls):

2014-07-22  Joseph Pecoraro  <pecoraro@apple.com>

        JSLock release should only modify the AtomicStringTable if it modified in acquire
        https://bugs.webkit.org/show_bug.cgi?id=135143

        Reviewed by Pratik Solanki.

        * runtime/JSLock.cpp:
        (JSC::JSLock::willDestroyVM):
        (JSC::JSLock::willReleaseLock):
        Only set the AtomicStringTable when there was a VM, to balance JSLock::didAcquireLock.
