0cd05021af93eb9c19531feb3e640ff16c6b0782
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2014-10-01  Filip Pizlo  <fpizlo@apple.com>
2
3         Unreviewed, fix 32-bit.
4
5         * dfg/DFGSpeculativeJIT32_64.cpp:
6         (JSC::DFG::SpeculativeJIT::compile):
7
8 2014-09-30  Filip Pizlo  <fpizlo@apple.com>
9
10         DFG SSA should use PutLocal/KillLocal instead of SetLocal to communicate what is flushed to the stack and when
11         https://bugs.webkit.org/show_bug.cgi?id=137242
12
13         Reviewed by Geoffrey Garen.
14         
15         OSR availability has to do with telling you the various ways that you could go about getting
16         the value of a bytecode variable. It can give you two options: node availability means that
17         there is a node in the DFG IR that has the right value, and flush availability tells you
18         that the value was already stored to the stack. The clients of OSR availability would
19         typically prefer flush over node availability.
20         
21         Previously OSR availability was affected thusly by the various local-related nodes: SetLocal
22         set both the node and flush availability, MovHint set node availability and cleared flush
23         availability, GetArgument set both, and ZombieHint cleared both.
24         
25         A MovHint could be turned into a ZombieHint if its source value was DCEd.
26         
27         The fact that each node affected both node and flush availability caused weirdness. For
28         example it meant that we could not insert MovHints in areas of the CFG where a SetLocal's
29         variable was still live, because then those parts of the code would forget that they had an
30         availability flush. This meant that if a flush was available, we wouldn't insert MovHints,
31         and so we would forget that a node was in fact available. This kind of "either-or" picking
32         was not only hackish but it led to interesting problems for IR transformation: for example
33         if you tried to do any kind of code motion on SetLocals, you had to be super careful because
34         you might violate the rule that "MovHints must exist for a live local if a flush is
35         unavailable".
36         
37         The right thing to do is to have independent nodes for flushing and making nodes available.
38         They shouldn't interact with each other. This patch accomplishes this:
39         
40         - PutLocal means that a value is to be stored to the stack. It makes a flush available.
41         - KillLocal means that the value stored to the stack is no longer available for the purposes
42           of OSR (i.e. it no longer accurately corresponds to what that actual bytecode variable
43           would have been, so you have to fall back on node availability).
44         - MovHint means that a node is available. It has no effect on flush availability.
45         - ZombieHint means that a node is not available. It has no effect on flush availability.
46         
47         This means that we will see a lot of KillLocals and MovHints right next to each other. It's
48         a bit verbose, but at least it's precise.
49
50         * dfg/DFGAbstractInterpreterInlines.h:
51         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
52         * dfg/DFGAvailability.h:
53         (JSC::DFG::Availability::setFlush):
54         (JSC::DFG::Availability::setNode):
55         (JSC::DFG::Availability::setNodeUnavailable):
56         * dfg/DFGClobberize.h:
57         (JSC::DFG::clobberize):
58         * dfg/DFGDoesGC.cpp:
59         (JSC::DFG::doesGC):
60         * dfg/DFGFixupPhase.cpp:
61         (JSC::DFG::FixupPhase::fixupNode):
62         * dfg/DFGNode.cpp:
63         (JSC::DFG::Node::hasVariableAccessData):
64         * dfg/DFGNode.h:
65         (JSC::DFG::Node::hasUnlinkedLocal):
66         (JSC::DFG::Node::willHaveCodeGenOrOSR):
67         * dfg/DFGNodeType.h:
68         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
69         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
70         * dfg/DFGPredictionPropagationPhase.cpp:
71         (JSC::DFG::PredictionPropagationPhase::propagate):
72         * dfg/DFGSSAConversionPhase.cpp:
73         (JSC::DFG::SSAConversionPhase::run):
74         * dfg/DFGSafeToExecute.h:
75         (JSC::DFG::safeToExecute):
76         * dfg/DFGSpeculativeJIT64.cpp:
77         (JSC::DFG::SpeculativeJIT::compile):
78         * dfg/DFGStackLayoutPhase.cpp:
79         (JSC::DFG::StackLayoutPhase::run):
80         * ftl/FTLCapabilities.cpp:
81         (JSC::FTL::canCompile):
82         * ftl/FTLLowerDFGToLLVM.cpp:
83         (JSC::FTL::LowerDFGToLLVM::compileNode):
84         (JSC::FTL::LowerDFGToLLVM::compilePutLocal):
85         (JSC::FTL::LowerDFGToLLVM::compileSetLocal): Deleted.
86
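        The availability rules listed in the entry above, as an added toy model that is not
        JavaScriptCore code: a small simulator applies the old and the new node semantics, exactly as
        stated in that entry, to a straight-line sequence of DFG nodes and reports what an OSR exit
        could recover a local from. The node names are the DFG's; the availability record, the op
        format and the functions simulate/recoverFrom/demo are this example's own assumptions.

```javascript
// Added toy model of the OSR availability rules in the entry above; it is not
// JavaScriptCore code. The node names are the DFG's, but the availability
// record, the op format and the functions simulate/recoverFrom/demo are this
// example's own assumptions.

// Availability of one bytecode variable for OSR exit: can the value be read
// back from its stack slot (flush), and/or is there a DFG node holding it?
function freshAvailability() {
  return { flush: false, node: null };
}

// Old scheme (before this change): every local-related node sets or clears
// BOTH flush and node availability.
const OLD_RULES = {
  SetLocal:    (prev, op) => ({ flush: true,  node: op.node }),
  GetArgument: (prev, op) => ({ flush: true,  node: op.node }),
  MovHint:     (prev, op) => ({ flush: false, node: op.node }),
  ZombieHint:  (prev, op) => ({ flush: false, node: null }),
};

// New scheme (after this change): flush and node availability are independent.
const NEW_RULES = {
  PutLocal:   (prev, op) => ({ flush: true,       node: prev.node }),
  KillLocal:  (prev, op) => ({ flush: false,      node: prev.node }),
  MovHint:    (prev, op) => ({ flush: prev.flush, node: op.node }),
  ZombieHint: (prev, op) => ({ flush: prev.flush, node: null }),
};

// Apply a straight-line sequence of nodes and return availability per local.
function simulate(ops, rules) {
  const state = new Map();
  for (const op of ops) {
    const rule = rules[op.kind];
    if (!rule) throw new Error(`node ${op.kind} does not exist in this scheme`);
    const prev = state.get(op.local) || freshAvailability();
    state.set(op.local, rule(prev, op));
  }
  return state;
}

// What an OSR exit would use for a local, preferring flush over node availability.
function recoverFrom(avail) {
  if (avail.flush) return 'stack';
  if (avail.node !== null) return 'node ' + avail.node;
  return 'unavailable';
}

// Old scheme: a MovHint placed after a SetLocal makes the compiler forget that
// the value is still flushed, which is the "either-or" problem described above.
const oldOps = [
  { kind: 'SetLocal', local: 'x', node: '@1' },
  { kind: 'MovHint',  local: 'x', node: '@1' },
];

// New scheme: MovHint leaves the flush alone, and KillLocal retires only the
// stack slot, leaving the node available.
const newOps = [
  { kind: 'MovHint',   local: 'x', node: '@1' },
  { kind: 'PutLocal',  local: 'x' },
  { kind: 'KillLocal', local: 'x' },
  { kind: 'MovHint',   local: 'x', node: '@2' },
];

function demo() {
  return {
    oldAfterMovHint:   recoverFrom(simulate(oldOps, OLD_RULES).get('x')),
    newAfterPutLocal:  recoverFrom(simulate(newOps.slice(0, 2), NEW_RULES).get('x')),
    newAfterKillLocal: recoverFrom(simulate(newOps, NEW_RULES).get('x')),
  };
}

console.log(demo());
```

        Under the old rules the second sequence cannot even be expressed without losing the flush,
        which is the point the entry makes: once PutLocal and KillLocal only touch flush availability,
        MovHints can be inserted or moved wherever a node is live without disturbing what the stack
        already holds.
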
87 2014-10-01  Brent Fulgham  <bfulgham@apple.com>
88
89         [Win] 32-bit JavaScriptCore should limit itself to the C loop
90         https://bugs.webkit.org/show_bug.cgi?id=137304
91         <rdar://problem/18375370>
92
93         Reviewed by Michael Saboff.
94
95         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl:
96         Use the C loop for 32-bit builds.
97
98 2014-09-30  Brian J. Burg  <burg@cs.washington.edu>
99
100         Web Inspector: ErrorString should be passed by reference
101         https://bugs.webkit.org/show_bug.cgi?id=137257
102
103         Reviewed by Joseph Pecoraro.
104
105         Pass the leading ErrorString argument by reference, since it is always an out parameter.
106         Clean up callsites where the error message is written.
107
108         * inspector/InjectedScript.cpp:
109         (Inspector::InjectedScript::evaluate):
110         (Inspector::InjectedScript::callFunctionOn):
111         (Inspector::InjectedScript::evaluateOnCallFrame):
112         (Inspector::InjectedScript::getFunctionDetails):
113         (Inspector::InjectedScript::getProperties):
114         (Inspector::InjectedScript::getInternalProperties):
115         * inspector/InjectedScript.h:
116         * inspector/InjectedScriptBase.cpp:
117         (Inspector::InjectedScriptBase::makeEvalCall):
118         * inspector/InjectedScriptBase.h:
119         * inspector/agents/InspectorAgent.cpp:
120         (Inspector::InspectorAgent::willDestroyFrontendAndBackend):
121         (Inspector::InspectorAgent::enable):
122         (Inspector::InspectorAgent::disable):
123         (Inspector::InspectorAgent::initialized):
124         * inspector/agents/InspectorAgent.h:
125         * inspector/agents/InspectorConsoleAgent.cpp:
126         (Inspector::InspectorConsoleAgent::willDestroyFrontendAndBackend):
127         (Inspector::InspectorConsoleAgent::enable):
128         (Inspector::InspectorConsoleAgent::disable):
129         (Inspector::InspectorConsoleAgent::clearMessages):
130         (Inspector::InspectorConsoleAgent::reset):
131         (Inspector::InspectorConsoleAgent::addMessageToConsole):
132         * inspector/agents/InspectorConsoleAgent.h:
133         * inspector/agents/InspectorDebuggerAgent.cpp:
134         (Inspector::InspectorDebuggerAgent::enable):
135         (Inspector::InspectorDebuggerAgent::disable):
136         (Inspector::InspectorDebuggerAgent::setBreakpointsActive):
137         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
138         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
139         (Inspector::parseLocation):
140         (Inspector::InspectorDebuggerAgent::setBreakpoint):
141         (Inspector::InspectorDebuggerAgent::removeBreakpoint):
142         (Inspector::InspectorDebuggerAgent::continueToLocation):
143         (Inspector::InspectorDebuggerAgent::searchInContent):
144         (Inspector::InspectorDebuggerAgent::getScriptSource):
145         (Inspector::InspectorDebuggerAgent::getFunctionDetails):
146         (Inspector::InspectorDebuggerAgent::pause):
147         (Inspector::InspectorDebuggerAgent::resume):
148         (Inspector::InspectorDebuggerAgent::stepOver):
149         (Inspector::InspectorDebuggerAgent::stepInto):
150         (Inspector::InspectorDebuggerAgent::stepOut):
151         (Inspector::InspectorDebuggerAgent::setPauseOnExceptions):
152         (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
153         (Inspector::InspectorDebuggerAgent::setOverlayMessage):
154         (Inspector::InspectorDebuggerAgent::didParseSource):
155         (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
156         (Inspector::InspectorDebuggerAgent::assertPaused):
157         * inspector/agents/InspectorDebuggerAgent.h:
158         * inspector/agents/InspectorRuntimeAgent.cpp:
159         (Inspector::InspectorRuntimeAgent::parse):
160         (Inspector::InspectorRuntimeAgent::evaluate):
161         (Inspector::InspectorRuntimeAgent::callFunctionOn):
162         (Inspector::InspectorRuntimeAgent::getProperties):
163         (Inspector::InspectorRuntimeAgent::releaseObject):
164         (Inspector::InspectorRuntimeAgent::releaseObjectGroup):
165         (Inspector::InspectorRuntimeAgent::run):
166         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
167         (Inspector::InspectorRuntimeAgent::enableTypeProfiler):
168         (Inspector::InspectorRuntimeAgent::disableTypeProfiler):
169         * inspector/agents/InspectorRuntimeAgent.h:
170         * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
171         (Inspector::JSGlobalObjectConsoleAgent::setMonitoringXHREnabled):
172         (Inspector::JSGlobalObjectConsoleAgent::addInspectedNode):
173         * inspector/agents/JSGlobalObjectConsoleAgent.h:
174         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
175         (Inspector::JSGlobalObjectDebuggerAgent::injectedScriptForEval):
176         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
177         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
178         (Inspector::JSGlobalObjectRuntimeAgent::injectedScriptForEval):
179         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
180         * inspector/scripts/codegen/generate_backend_dispatcher_header.py:
181         (BackendDispatcherHeaderGenerator._generate_handler_declaration_for_command):
182         (BackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
183         * inspector/scripts/codegen/generate_backend_dispatcher_implementation.py:
184         (BackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
185         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
186         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
187         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
188         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
189
190 2014-09-30  Mark Lam  <mark.lam@apple.com>
191
192         Label some asserts as having security implications.
193         <https://webkit.org/b/137260>
194
195         Reviewed by Filip Pizlo.
196
197         * dfg/DFGGraph.cpp:
198         (JSC::DFG::Graph::handleAssertionFailure):
199         * runtime/JSCell.h:
200         (JSC::jsCast):
201         * runtime/StructureIDTable.h:
202         (JSC::StructureIDTable::get):
203
204 2014-09-30  Filip Pizlo  <fpizlo@apple.com>
205
206         REGRESSION (r174025): Invalid cast in JSC::asString
207         https://bugs.webkit.org/show_bug.cgi?id=137224
208
209         Reviewed by Geoffrey Garen.
210         
211         Store barrier elision in fixup depends on checking the type of the value being stored. It's very important that
212         when we speak of "the value being stored" we are really referring to the right value.
213         
214         The bug here was that the PutClosureVar case was assuming that child2 is the value being stored. It's actually
215         child3. So we were incorrectly removing all barriers from PutClosureVar.
216
217         * dfg/DFGFixupPhase.cpp:
218         (JSC::DFG::FixupPhase::fixupNode):
219
220 2014-09-30  Brian J. Burg  <burg@cs.washington.edu>
221
222         Web Replay: use static Strings instead of AtomicStrings for replay input type tags
223         https://bugs.webkit.org/show_bug.cgi?id=137086
224
225         Reviewed by Joseph Pecoraro.
226
227         This pattern doesn't work when we want to define some inputs in WebKit2.
228         The ReplayInputTypes class was generated from WebCore inputs only. This
229         patch moves all input traits to use static local Strings as type tags.
230
231         * replay/scripts/CodeGeneratorReplayInputs.py: Remove configuration of how
232         type tags are generated, since all framework targets now generate the same code.
233
234         * replay/NondeterministicInput.h:
235         * replay/scripts/CodeGeneratorReplayInputs.py: Simplify and rebase test results.
236         (Generator.generate_input_trait_implementation):
237         * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Simplify templates.
238
239         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp:
240         (JSC::InputTraits<Test::SavedMouseButton>::type):
241         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h:
242         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp:
243         (JSC::InputTraits<Test::SavedMouseButton>::type):
244         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h:
245         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp:
246         (JSC::InputTraits<Test::HandleWheelEvent>::type):
247         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h:
248         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp:
249         (JSC::InputTraits<Test::FormCombo>::type):
250         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h:
251         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp:
252         (JSC::InputTraits<Test::GetCurrentTime>::type):
253         (JSC::InputTraits<Test::SetRandomSeed>::type):
254         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h:
255         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp:
256         (JSC::InputTraits<Test::ArrayOfThings>::type):
257         (JSC::InputTraits<Test::SavedHistory>::type):
258         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h:
259         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.cpp:
260         (JSC::InputTraits<Test::ScalarInput1>::type):
261         (JSC::InputTraits<Test::ScalarInput2>::type):
262         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h:
263         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp:
264         (JSC::InputTraits<Test::ScalarInput>::type):
265         (JSC::InputTraits<Test::MapInput>::type):
266         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h:
267
268 2014-09-30  Daniel Bates  <dabates@apple.com>
269
270         REGRESSION (r172532): JSBase.h declares NSMapTable functions that are SPI
271         https://bugs.webkit.org/show_bug.cgi?id=137170
272         <rdar://problem/18477384>
273
274         Reviewed by Geoffrey Garen.
275
276         Move conditional include of header Foundation/NSMapTablePriv.h and forward declarations
277         of NSMapTable SPI from file JavaScriptCore/API/JSBase.h to WTF/wtf/spi/cocoa/NSMapTableSPI.h.
278
279         * API/JSBase.h:
280         * API/JSManagedValue.mm: Include header WTF/wtf/spi/cocoa/NSMapTableSPI.h.
281         * API/JSVirtualMachine.mm: Ditto.
282         * API/JSVirtualMachineInternal.h: Forward declare class NSMapTable.
283         * API/JSWrapperMap.mm: Include header WTF/wtf/spi/cocoa/NSMapTableSPI.h. Also, order
284         #include directives such that they are sorted in alphabetical order.
285
286 2014-09-30  Oliver Hunt  <oliver@apple.com>
287
288         Fix C API header
289         https://bugs.webkit.org/show_bug.cgi?id=137254
290         <rdar://problem/18487528>
291
292         Build fix
293
294         Guard extern "C" behind __cplusplus ifdef
295
296         * API/JSBase.h:
297
298 2014-09-29  Brian J. Burg  <burg@cs.washington.edu>
299
300         Web Inspector: InjectedScripts should not be profiled or displayed in Timeline
301         https://bugs.webkit.org/show_bug.cgi?id=136806
302
303         Reviewed by Timothy Hatcher.
304
305         It doesn't make sense to show profile nodes for injected scripts when profiling user content.
306         For now, omit nodes by suspending profiling before and after executing injected scripts.
307
308         * profiler/LegacyProfiler.cpp:
309         (JSC::LegacyProfiler::suspendProfiling): Added.
310         (JSC::LegacyProfiler::unsuspendProfiling): Added.
311         * profiler/LegacyProfiler.h:
312         * profiler/ProfileGenerator.cpp: Add isSuspended() flag, remove unused typedef.
313         (JSC::ProfileGenerator::ProfileGenerator):
314         (JSC::ProfileGenerator::willExecute):
315         (JSC::ProfileGenerator::didExecute):
316         * profiler/ProfileGenerator.h:
317         (JSC::ProfileGenerator::setIsSuspended): Added.
318
319 2014-09-29  Brian J. Burg  <burg@cs.washington.edu>
320
321         Web Inspector: InspectorValues should use references for out parameters
322         https://bugs.webkit.org/show_bug.cgi?id=137190
323
324         Reviewed by Joseph Pecoraro.
325
326         Use references for out parameters in asType() and getType() methods.
327         Also convert to references in some miscellaneous code where we don't
328         expect or handle null values.
329
330         Remove variants of asObject() and asArray() that return a nullable RefPtr.
331         Now, client code is forced to use out parameters and check for cast failure.
332
333         Iron out control flow in some functions and fix some style issues.
334
335         * inspector/InjectedScript.cpp:
336         (Inspector::InjectedScript::getFunctionDetails):
337         (Inspector::InjectedScript::wrapObject):
338         (Inspector::InjectedScript::wrapTable):
339         * inspector/InjectedScriptBase.cpp:
340         (Inspector::InjectedScriptBase::makeEvalCall):
341         * inspector/InjectedScriptManager.cpp:
342         (Inspector::InjectedScriptManager::injectedScriptForObjectId): Simplify control flow.
343         * inspector/InspectorBackendDispatcher.cpp:
344         (Inspector::InspectorBackendDispatcher::dispatch):
345         (Inspector::getPropertyValue):
346         (Inspector::AsMethodBridges::asInteger):
347         (Inspector::AsMethodBridges::asDouble):
348         (Inspector::AsMethodBridges::asString):
349         (Inspector::AsMethodBridges::asBoolean):
350         (Inspector::AsMethodBridges::asObject):
351         (Inspector::AsMethodBridges::asArray):
352         * inspector/InspectorProtocolTypes.h:
353         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast):
354         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType):
355         * inspector/InspectorValues.cpp: Use more by-reference out parameters. Add more spacing.
356         (Inspector::InspectorValue::asBoolean):
357         (Inspector::InspectorValue::asDouble):
358         (Inspector::InspectorValue::asInteger):
359         (Inspector::InspectorValue::asString):
360         (Inspector::InspectorValue::asValue):
361         (Inspector::InspectorValue::asObject):
362         (Inspector::InspectorValue::asArray):
363         (Inspector::InspectorValue::parseJSON):
364         (Inspector::InspectorValue::toJSONString):
365         (Inspector::InspectorValue::writeJSON):
366         (Inspector::InspectorBasicValue::asBoolean):
367         (Inspector::InspectorBasicValue::asDouble):
368         (Inspector::InspectorBasicValue::asInteger):
369         (Inspector::InspectorBasicValue::writeJSON):
370         (Inspector::InspectorString::asString):
371         (Inspector::InspectorString::writeJSON):
372         (Inspector::InspectorObjectBase::asObject):
373         (Inspector::InspectorObjectBase::openAccessors):
374         (Inspector::InspectorObjectBase::getBoolean):
375         (Inspector::InspectorObjectBase::getString):
376         (Inspector::InspectorObjectBase::getObject):
377         (Inspector::InspectorObjectBase::getArray):
378         (Inspector::InspectorObjectBase::writeJSON):
379         (Inspector::InspectorArrayBase::asArray):
380         (Inspector::InspectorArrayBase::writeJSON):
381         * inspector/InspectorValues.h:
382         * inspector/agents/InspectorDebuggerAgent.cpp:
383         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
384         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
385         (Inspector::parseLocation):
386         (Inspector::InspectorDebuggerAgent::setBreakpoint):
387         (Inspector::InspectorDebuggerAgent::continueToLocation):
388         (Inspector::InspectorDebuggerAgent::didParseSource):
389         * inspector/agents/InspectorRuntimeAgent.cpp:
390         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
391         * inspector/scripts/codegen/generate_protocol_types_implementation.py:
392         (ProtocolTypesImplementationGenerator):
393         (ProtocolTypesImplementationGenerator._generate_assertion_for_enum):
394         * inspector/scripts/codegen/generator_templates.py:
395         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
396         * replay/EncodedValue.cpp:
397         (JSC::EncodedValue::asObject):
398         (JSC::EncodedValue::asArray):
399         (JSC::EncodedValue::convertTo<bool>):
400         (JSC::EncodedValue::convertTo<double>):
401         (JSC::EncodedValue::convertTo<float>):
402         (JSC::EncodedValue::convertTo<int32_t>):
403         (JSC::EncodedValue::convertTo<int64_t>):
404         (JSC::EncodedValue::convertTo<uint32_t>):
405         (JSC::EncodedValue::convertTo<uint64_t>):
406         (JSC::EncodedValue::convertTo<String>):
407
408 2014-09-29  Filip Pizlo  <fpizlo@apple.com>
409
410         DFG HasStructureProperty codegen should use one fewer registers
411         https://bugs.webkit.org/show_bug.cgi?id=137235
412
413         Reviewed by Andreas Kling.
414         
415         This was an obvious source of inefficiency and it was causing us to run out of registers on
416         x86-32.
417
418         * dfg/DFGSpeculativeJIT32_64.cpp:
419         (JSC::DFG::SpeculativeJIT::compile):
420         * dfg/DFGSpeculativeJIT64.cpp:
421         (JSC::DFG::SpeculativeJIT::compile):
422
423 2014-09-29  Filip Pizlo  <fpizlo@apple.com>
424
425         Don't use GPRResult unless you're flushing registers and making a runtime function call
426         https://bugs.webkit.org/show_bug.cgi?id=137234
427
428         Rubber stamped by Andreas Kling.
429
430         Rename GPRResult to GPRFlushedCallResult, in an attempt to dissuade people from using it for results in the
431         general case.
432         
433         Replace GPRResult with GPRTemporary in those places where it was causing bugs: particularly in GetDirectPname it
434         would cause us to spill the register that has the base, and the code was assuming (rightly) that the base and the
435         result were in different registers. That's a valid assumption when using GPRTemporary but not with GPRResult.
436         Also this code wasn't getting any benefit from using GPRResult because it wasn't doing flushRegisters().
437         
438         I don't know how to test this. A test would require setting up a particularly awkward register allocation state.
439         
440         * dfg/DFGSpeculativeJIT.cpp:
441         (JSC::DFG::SpeculativeJIT::compileIn):
442         (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck):
443         (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression):
444         (JSC::DFG::SpeculativeJIT::compileRegExpExec):
445         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
446         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
447         (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
448         * dfg/DFGSpeculativeJIT.h:
449         (JSC::DFG::GPRFlushedCallResult::GPRFlushedCallResult):
450         (JSC::DFG::GPRFlushedCallResult2::GPRFlushedCallResult2):
451         (JSC::DFG::GPRResult::GPRResult): Deleted.
452         (JSC::DFG::GPRResult2::GPRResult2): Deleted.
453         * dfg/DFGSpeculativeJIT32_64.cpp:
454         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
455         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
456         (JSC::DFG::SpeculativeJIT::emitCall):
457         (JSC::DFG::SpeculativeJIT::compile):
458         * dfg/DFGSpeculativeJIT64.cpp:
459         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
460         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
461         (JSC::DFG::SpeculativeJIT::emitCall):
462         (JSC::DFG::SpeculativeJIT::compile):
463         (JSC::DFG::SpeculativeJIT::speculateDoubleRepMachineInt):
464
465 2014-09-29  Diego Pino Garcia  <dpino@igalia.com>
466
467         Missing changes from r174049
468         https://bugs.webkit.org/show_bug.cgi?id=137206
469
470         Reviewed by Darin Adler.
471
472         * runtime/CommonIdentifiers.h:
473
474 2014-09-28  Diego Pino Garcia  <dpino@igalia.com>
475
476         Simple ES6 feature: Number constructor extras
477         https://bugs.webkit.org/show_bug.cgi?id=131707
478
479         Reviewed by Darin Adler.
480
481         * runtime/CommonIdentifiers.h:
482         * runtime/NumberConstructor.cpp:
483         (JSC::NumberConstructor::finishCreation): Set up constants and
484         functions.
485         (JSC::numberConstructorFuncIsFinite): Added.
486         (JSC::numberConstructorFuncIsInteger): Added.
487         (JSC::numberConstructorFuncIsNaN): Added.
488         (JSC::numberConstructorFuncIsSafeInteger): Added.
489         (JSC::NumberConstructor::getOwnPropertySlot): Deleted.
490         (JSC::numberConstructorNaNValue): Deleted.
491         (JSC::numberConstructorNegInfinity): Deleted.
492         (JSC::numberConstructorPosInfinity): Deleted.
493         (JSC::numberConstructorMaxValue): Deleted.
494         (JSC::numberConstructorMinValue): Deleted.
495         * runtime/NumberConstructor.h:
496
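        The four functions this entry adds, as an added example that is not JavaScriptCore or WebKit
        code: a reference implementation of their ES6 semantics, checked against the built-ins of
        whatever engine runs it, followed by one use of Number.isSafeInteger to validate an untrusted
        count before it is used as an index or size. MAX_SAFE, PROBES, the refIs* helpers,
        checkAgainstBuiltins, coercionDifferences and validateCount are names this example assumes.

```javascript
// Added example: a reference re-implementation of the four ES6 Number
// constructor functions that this entry adds, checked against the built-ins,
// plus one way a practitioner uses them to validate an untrusted numeric
// field. Not JavaScriptCore code; all helper names are this example's own.

const MAX_SAFE = Math.pow(2, 53) - 1;   // the value of Number.MAX_SAFE_INTEGER

// Unlike the global isNaN/isFinite, these never coerce their argument:
// a non-number is simply "not a NaN" / "not finite".
function refIsNaN(v)    { return typeof v === 'number' && v !== v; }
function refIsFinite(v) { return typeof v === 'number' && v === v && v !== Infinity && v !== -Infinity; }
function refIsInteger(v){ return refIsFinite(v) && Math.trunc(v) === v; }
function refIsSafeInteger(v) { return refIsInteger(v) && Math.abs(v) <= MAX_SAFE; }

// Constructed probe values chosen to hit the coercion and precision edge cases.
const PROBES = [0, -0, 1, 1.5, '12', 'NaN', NaN, Infinity, -Infinity,
                MAX_SAFE, MAX_SAFE + 1, Math.pow(2, 53) + 2, 5e-324,
                null, undefined, true];

// Compare the reference implementation to the engine's built-ins; returns the
// list of disagreements (expected to be empty on a conforming engine).
function checkAgainstBuiltins() {
  const mismatches = [];
  for (const v of PROBES) {
    const pairs = [
      ['isNaN',         refIsNaN(v),         Number.isNaN(v)],
      ['isFinite',      refIsFinite(v),      Number.isFinite(v)],
      ['isInteger',     refIsInteger(v),     Number.isInteger(v)],
      ['isSafeInteger', refIsSafeInteger(v), Number.isSafeInteger(v)],
    ];
    for (const [name, ours, theirs] of pairs) {
      if (ours !== theirs) mismatches.push({ name, value: v, ours, theirs });
    }
  }
  return mismatches;
}

// Where the coercion difference bites: the global isNaN('NaN') is true and the
// global isFinite('12') is true, while Number.isNaN / Number.isFinite say false.
function coercionDifferences() {
  return PROBES.filter(v => isNaN(v) !== Number.isNaN(v) || isFinite(v) !== Number.isFinite(v));
}

// Validate a count/length/offset that came from untrusted input (e.g. a parsed
// JSON body) before it is used as an array index or allocation size. Strings
// such as '12' are rejected rather than coerced, 2**53 and above are rejected
// because they can no longer be represented exactly, and the caller's upper
// bound is enforced.
function validateCount(value, max) {
  if (!Number.isSafeInteger(value)) throw new RangeError('count must be a safe integer');
  if (value < 0 || value > max) throw new RangeError('count must be in [0, ' + max + ']');
  return value;
}

console.log(checkAgainstBuiltins(), coercionDifferences(), validateCount(12, 100));
```

        The engine-level check of a safe integer (rather than a JavaScript-visible one) is exactly what
        makes Number.isSafeInteger the right gate for sizes: once a value passes it, arithmetic on it
        is exact, and a later comparison against a limit cannot be fooled by rounding.
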
497 2014-09-26  Filip Pizlo  <fpizlo@apple.com>
498
499         Disable function.arguments
500         https://bugs.webkit.org/show_bug.cgi?id=137167
501
502         Rubber stamped by Geoffrey Garen.
503         
504         Add an option to disable function.arguments. Add a test for disabling it.
505         
506         Disabling function.arguments means that it returns an Arguments object that claims that
507         there were zero arguments. All other Arguments functionality still works, so any code
508         that tries to inspect this object will still think that it is looking at a perfectly
509         valid Arguments object.
510         
511         This also makes function.arguments disabled by default. Note that the RJST harness will
512         enable them by default, to continue to get test coverage for the code that implements
513         the feature.
514         
515         We will rip out that code once we're confident that it's really safe to remove this
516         feature. Only once we rip out that support will we be able to do optimizations to
517         leverage the lack of this feature. It's important to keep the support code, and the test
518         infrastructure, in place before we are confident. The logic to keep this working touches
519         the entire compiler and a large chunk of the runtime, so reimplementing it - or even
520         merging it back in - would be a nightmare. That's also basically the reason why we want
521         to rip it out if at all possible. It's a lot of terrible code.
522
523         * interpreter/StackVisitor.cpp:
524         (JSC::StackVisitor::Frame::createArguments):
525         * runtime/Arguments.h:
526         (JSC::Arguments::create):
527         (JSC::Arguments::finishCreation):
528         * runtime/Options.h:
529         * tests/stress/disable-function-dot-arguments.js: Added.
530         (foo):
531         (bar):
532
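        The behaviour this entry switches off, as an added example that is not JavaScriptCore code:
        a sloppy-mode function's live arguments are readable through function.arguments by anything
        holding a reference to the function, which is why application code cannot keep a caller's
        arguments private from a callback without strict mode. secretHolder, snoop, strictHolder and
        the helper names are invented for the illustration; it assumes an engine that still supports
        sloppy-mode function.arguments (Node.js does), and on a JSC build with this entry's option
        disabled visibleArgumentCount() would report 0 instead of 3.

```javascript
// Added example of the behaviour this entry switches off. It is not
// JavaScriptCore code: secretHolder, snoop, strictHolder and the helper names
// are invented for the illustration. It assumes an engine that still supports
// sloppy-mode function.arguments (e.g. Node.js); on a JSC build with the option
// from this entry disabled, visibleArgumentCount() would report 0 instead of 3.

// A sloppy-mode function exposes its live arguments through fn.arguments to
// anyone holding a reference to fn. It is built with the Function constructor
// so it stays sloppy even if this file is loaded as a (strict) ES module; a
// plain script could declare it with `function` just as well.
// The holder never hands `password` to the callback ...
const secretHolder = new Function('password', 'callback', 'return callback();');

// ... but the callback can read it anyway while secretHolder is on the stack.
function snoop() {
  const leaked = secretHolder.arguments;   // live Arguments object of the caller
  return { count: leaked.length, first: leaked[0] };
}

function demonstrateLeak() {
  return secretHolder('hunter2', snoop);
}

// How many arguments does fn.arguments claim while fn is active? The call
// passes three, so an engine with the feature enabled answers 3; with this
// entry's option disabled the Arguments object claims there were 0.
function visibleArgumentCount() {
  return secretHolder('hunter2', () => secretHolder.arguments.length, 'extra');
}

// What application code can do today: on strict-mode functions fn.arguments
// throws a TypeError, so the caller's arguments stay private.
function strictHolder(password, callback) {
  'use strict';
  return callback();
}

function strictSnoopOutcome() {
  try {
    return strictHolder('hunter2', () => strictHolder.arguments.length);
  } catch (e) {
    return e instanceof TypeError ? 'TypeError' : 'other';
  }
}

console.log(demonstrateLeak(), visibleArgumentCount(), strictSnoopOutcome());
```

        The strict-mode path is the one to rely on in code you control; the option in this entry is
        what lets the engine stop honouring the sloppy-mode path for everything else.
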
533 2014-09-26  Joseph Pecoraro  <pecoraro@apple.com>
534
535         Web Inspector: Automatic Inspection should continue once all breakpoints are loaded
536         https://bugs.webkit.org/show_bug.cgi?id=137038
537
538         Reviewed by Timothy Hatcher.
539
540         Add a new protocol command "Inspector.initialized" that signifies to the backend
541         when the frontend has sent all its initialization messages to the backend. This
542         can include information like breakpoints, which we would want to have loaded
543         before any JavaScript evaluates in the context.
544
545         * inspector/protocol/InspectorDomain.json:
546         New protocol command, Inspector.initialized.
547
548         * inspector/agents/InspectorAgent.h:
549         * inspector/agents/InspectorAgent.cpp:
550         (Inspector::InspectorAgent::InspectorAgent):
551         (Inspector::InspectorAgent::initialized):
552         Tell the InspectorEnvironment (the Controller) the frontend has initialized.
553
554         * inspector/InspectorEnvironment.h:
555         Abstract virtual method to handle frontend initialization. To be
556         implemented by all of the InspectorControllers.
557
558         * inspector/JSGlobalObjectInspectorController.h:
559         * inspector/JSGlobalObjectInspectorController.cpp:
560         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
561         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
562         (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
563         (Inspector::JSGlobalObjectInspectorController::frontendInitialized):
564         When a frontend is initialized, if it was automatic inspection unpause the debuggable.
565
566         * inspector/remote/RemoteInspectorDebuggable.cpp:
567         (Inspector::RemoteInspectorDebuggable::unpauseForInitializedInspector):
568         Complete setup for this debuggable.
569
570         * inspector/remote/RemoteInspectorDebuggable.h:
571         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
572         (Inspector::RemoteInspectorDebuggableConnection::setup):
573         Move the setup complete to later, when the frontend sends an "initialized" message.
574
575         * inspector/remote/RemoteInspector.h:
576         * inspector/remote/RemoteInspector.mm:
577         (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate):
578         Provide a longer timeout now that the frontend must send messages after the connection
579         has been established. The longest I have seen is 600ms, but the average tends to be 200ms.
580         So bump the timeout to 800ms for a buffer.
581
582         (Inspector::RemoteInspector::setupSucceeded): Deleted.
583         (Inspector::RemoteInspector::setupCompleted):
584         Rename, as this happens at a slightly different time.
585
586 2014-09-26  Filip Pizlo  <fpizlo@apple.com>
587
588         DFG shouldn't insert store barriers when it has it on good authority that we're not storing a cell
589         https://bugs.webkit.org/show_bug.cgi?id=137161
590
591         Reviewed by Mark Hahnenberg.
592         
593         This looks like a 1% Octane speed-up.
594
595         * bytecode/SpeculatedType.h:
596         (JSC::isNotCellSpeculation):
597         * dfg/DFGFixupPhase.cpp:
598         (JSC::DFG::FixupPhase::fixupNode):
599         (JSC::DFG::FixupPhase::insertStoreBarrier):
600         (JSC::DFG::FixupPhase::insertCheck):
601         * dfg/DFGNode.h:
602         (JSC::DFG::Node::shouldSpeculateNotCell):
603
604 2014-09-26  Peter Varga  <pvarga@webkit.org>
605
606         Fix typo in YARR at BOL check
607         https://bugs.webkit.org/show_bug.cgi?id=137144
608
609         Reviewed by Darin Adler.
610
611         * yarr/YarrPattern.cpp: replace bitwise and operator by logical and
612         (JSC::Yarr::YarrPatternConstructor::assertionBOL):
613
614 2014-09-25  Saam Barati  <saambarati1@gmail.com>
615
616         Web Inspector: console.assert(bitString) TypeSet:50 
617         https://bugs.webkit.org/show_bug.cgi?id=137051
618
619         Reviewed by Joseph Pecoraro.
620
621         This patch creates stricter requirements on a TypeDescription
622         being valid. To be valid, a TypeDescription now ensures that 
623         the TypeSet it describes has non null type information.
624
625         * inspector/agents/InspectorRuntimeAgent.cpp:
626         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
627         * runtime/TypeSet.h:
628         (JSC::TypeSet::isEmpty):
629
630 2014-09-25  Filip Pizlo  <fpizlo@apple.com>
631
632         FTL should sink object allocations
633         https://bugs.webkit.org/show_bug.cgi?id=136330
634
635         Reviewed by Oliver Hunt.
636         
637         This adds a comprehensive infrastructure for sinking object allocations in DFG SSA form. The
638         ultimate goal of sinking is to sink an allocation "past the points of its death" - i.e. to
639         eliminate it completely. The way sinking reasons about the CFG means that it resembles a
640         partial escape analysis: we create paths through a function where some allocation(s) don't
641         have to be done at all even if there are other paths along which those allocations still have
642         to happen. But it also produces other side benefits. Even if an allocation isn't eliminated
643         along any path, the act of sinking reduces the number of barriers that have to execute.
644         
645         Because this was a fairly ambitious SSA analysis and transformation, I added a bunch of C++11
646         sugar to the DFG's internal APIs to allow for easier iteration over blocks, nodes, and
647         successors; and to add more functor goodness to allow for more lambdas.
648         
649         This is just the beginning. The bug has a bunch of other bugs that depend on it. So far this
650         is a spectacular speed-up on microbenchmarks but it's still too limited to affect big
651         benchmarks. For example, doing o == p makes the sinking phase think that o and p escape.
652         That's just an omission and there are likely others; we can easily fix them. I think it's
653         best to land it in its current form and then to worry about the big benchmarks in subsequent
654         work (see bug 137126).
655
656         * CMakeLists.txt:
657         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
658         * JavaScriptCore.xcodeproj/project.pbxproj:
659         * bytecode/StructureSet.h:
660         (JSC::StructureSet::iterator::iterator):
661         (JSC::StructureSet::iterator::operator*):
662         (JSC::StructureSet::iterator::operator++):
663         (JSC::StructureSet::iterator::operator==):
664         (JSC::StructureSet::iterator::operator!=):
665         (JSC::StructureSet::begin):
666         (JSC::StructureSet::end):
667         * dfg/DFGAbstractInterpreter.h:
668         (JSC::DFG::AbstractInterpreter::phiChildren):
669         * dfg/DFGAbstractInterpreterInlines.h:
670         (JSC::DFG::AbstractInterpreter<AbstractStateType>::AbstractInterpreter):
671         (JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting):
672         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
673         (JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
674         * dfg/DFGAvailability.h:
675         (JSC::DFG::Availability::shouldUseNode):
676         (JSC::DFG::Availability::isFlushUseful):
677         (JSC::DFG::Availability::isDead):
678         (JSC::DFG::Availability::operator!=):
679         * dfg/DFGAvailabilityMap.cpp: Added.
680         (JSC::DFG::AvailabilityMap::prune):
681         (JSC::DFG::AvailabilityMap::clear):
682         (JSC::DFG::AvailabilityMap::dump):
683         (JSC::DFG::AvailabilityMap::operator==):
684         (JSC::DFG::AvailabilityMap::merge):
685         * dfg/DFGAvailabilityMap.h: Added.
686         (JSC::DFG::AvailabilityMap::forEachAvailability):
687         * dfg/DFGBasicBlock.cpp:
688         (JSC::DFG::BasicBlock::SSAData::SSAData):
689         * dfg/DFGBasicBlock.h:
690         (JSC::DFG::BasicBlock::begin):
691         (JSC::DFG::BasicBlock::end):
692         (JSC::DFG::BasicBlock::SuccessorsIterable::SuccessorsIterable):
693         (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::iterator):
694         (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator*):
695         (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator++):
696         (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator==):
697         (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator!=):
698         (JSC::DFG::BasicBlock::SuccessorsIterable::begin):
699         (JSC::DFG::BasicBlock::SuccessorsIterable::end):
700         (JSC::DFG::BasicBlock::successors):
701         * dfg/DFGClobberize.h:
702         (JSC::DFG::clobberize):
703         * dfg/DFGConstantFoldingPhase.cpp:
704         (JSC::DFG::ConstantFoldingPhase::foldConstants):
705         * dfg/DFGDoesGC.cpp:
706         (JSC::DFG::doesGC):
707         * dfg/DFGFixupPhase.cpp:
708         (JSC::DFG::FixupPhase::fixupNode):
709         * dfg/DFGFlushedAt.cpp:
710         (JSC::DFG::FlushedAt::dump):
711         * dfg/DFGFlushedAt.h:
712         (JSC::DFG::FlushedAt::FlushedAt):
713         * dfg/DFGGraph.cpp:
714         (JSC::DFG::Graph::dump):
715         (JSC::DFG::Graph::dumpBlockHeader):
716         (JSC::DFG::Graph::mergeRelevantToOSR):
717         (JSC::DFG::Graph::invalidateCFG):
718         * dfg/DFGGraph.h:
719         (JSC::DFG::Graph::NaturalBlockIterable::NaturalBlockIterable):
720         (JSC::DFG::Graph::NaturalBlockIterable::iterator::iterator):
721         (JSC::DFG::Graph::NaturalBlockIterable::iterator::operator*):
722         (JSC::DFG::Graph::NaturalBlockIterable::iterator::operator++):
723         (JSC::DFG::Graph::NaturalBlockIterable::iterator::operator==):
724         (JSC::DFG::Graph::NaturalBlockIterable::iterator::operator!=):
725         (JSC::DFG::Graph::NaturalBlockIterable::iterator::findNext):
726         (JSC::DFG::Graph::NaturalBlockIterable::begin):
727         (JSC::DFG::Graph::NaturalBlockIterable::end):
728         (JSC::DFG::Graph::blocksInNaturalOrder):
729         (JSC::DFG::Graph::doToChildrenWithNode):
730         (JSC::DFG::Graph::doToChildren):
731         * dfg/DFGHeapLocation.cpp:
732         (WTF::printInternal):
733         * dfg/DFGHeapLocation.h:
734         * dfg/DFGInsertOSRHintsForUpdate.cpp: Added.
735         (JSC::DFG::insertOSRHintsForUpdate):
736         * dfg/DFGInsertOSRHintsForUpdate.h: Added.
737         * dfg/DFGInsertionSet.h:
738         (JSC::DFG::InsertionSet::graph):
739         * dfg/DFGMayExit.cpp:
740         (JSC::DFG::mayExit):
741         * dfg/DFGNode.h:
742         (JSC::DFG::Node::convertToPutByOffsetHint):
743         (JSC::DFG::Node::convertToPutStructureHint):
744         (JSC::DFG::Node::convertToPhantomNewObject):
745         (JSC::DFG::Node::isCellConstant):
746         (JSC::DFG::Node::castConstant):
747         (JSC::DFG::Node::hasIdentifier):
748         (JSC::DFG::Node::hasStorageAccessData):
749         (JSC::DFG::Node::hasObjectMaterializationData):
750         (JSC::DFG::Node::objectMaterializationData):
751         (JSC::DFG::Node::isPhantomObjectAllocation):
752         * dfg/DFGNodeType.h:
753         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
754         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
755         (JSC::DFG::LocalOSRAvailabilityCalculator::endBlock):
756         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
757         * dfg/DFGOSRAvailabilityAnalysisPhase.h:
758         * dfg/DFGObjectAllocationSinkingPhase.cpp: Added.
759         (JSC::DFG::ObjectAllocationSinkingPhase::ObjectAllocationSinkingPhase):
760         (JSC::DFG::ObjectAllocationSinkingPhase::run):
761         (JSC::DFG::ObjectAllocationSinkingPhase::performSinking):
762         (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints):
763         (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints):
764         (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations):
765         (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields):
766         (JSC::DFG::ObjectAllocationSinkingPhase::resolve):
767         (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
768         (JSC::DFG::ObjectAllocationSinkingPhase::createMaterialize):
769         (JSC::DFG::ObjectAllocationSinkingPhase::populateMaterialize):
770         (JSC::DFG::performObjectAllocationSinking):
771         * dfg/DFGObjectAllocationSinkingPhase.h: Added.
772         * dfg/DFGObjectMaterializationData.cpp: Added.
773         (JSC::DFG::PhantomPropertyValue::dump):
774         (JSC::DFG::ObjectMaterializationData::dump):
775         (JSC::DFG::ObjectMaterializationData::oneWaySimilarityScore):
776         (JSC::DFG::ObjectMaterializationData::similarityScore):
777         * dfg/DFGObjectMaterializationData.h: Added.
778         (JSC::DFG::PhantomPropertyValue::PhantomPropertyValue):
779         (JSC::DFG::PhantomPropertyValue::operator==):
780         * dfg/DFGPhantomCanonicalizationPhase.cpp:
781         (JSC::DFG::PhantomCanonicalizationPhase::run):
782         * dfg/DFGPhantomRemovalPhase.cpp:
783         (JSC::DFG::PhantomRemovalPhase::run):
784         * dfg/DFGPhiChildren.cpp: Added.
785         (JSC::DFG::PhiChildren::PhiChildren):
786         (JSC::DFG::PhiChildren::~PhiChildren):
787         (JSC::DFG::PhiChildren::upsilonsOf):
788         * dfg/DFGPhiChildren.h: Added.
789         (JSC::DFG::PhiChildren::forAllIncomingValues):
790         (JSC::DFG::PhiChildren::forAllTransitiveIncomingValues):
791         * dfg/DFGPlan.cpp:
792         (JSC::DFG::Plan::compileInThreadImpl):
793         * dfg/DFGPrePostNumbering.cpp: Added.
794         (JSC::DFG::PrePostNumbering::PrePostNumbering):
795         (JSC::DFG::PrePostNumbering::~PrePostNumbering):
796         (JSC::DFG::PrePostNumbering::compute):
797         (WTF::printInternal):
798         * dfg/DFGPrePostNumbering.h: Added.
799         (JSC::DFG::PrePostNumbering::preNumber):
800         (JSC::DFG::PrePostNumbering::postNumber):
801         (JSC::DFG::PrePostNumbering::isStrictAncestorOf):
802         (JSC::DFG::PrePostNumbering::isAncestorOf):
803         (JSC::DFG::PrePostNumbering::isStrictDescendantOf):
804         (JSC::DFG::PrePostNumbering::isDescendantOf):
805         (JSC::DFG::PrePostNumbering::edgeKind):
806         * dfg/DFGPredictionPropagationPhase.cpp:
807         (JSC::DFG::PredictionPropagationPhase::propagate):
808         * dfg/DFGPromoteHeapAccess.h: Added.
809         (JSC::DFG::promoteHeapAccess):
810         * dfg/DFGPromotedHeapLocation.cpp: Added.
811         (JSC::DFG::PromotedLocationDescriptor::dump):
812         (JSC::DFG::PromotedHeapLocation::createHint):
813         (JSC::DFG::PromotedHeapLocation::dump):
814         (WTF::printInternal):
815         * dfg/DFGPromotedHeapLocation.h: Added.
816         (JSC::DFG::PromotedLocationDescriptor::PromotedLocationDescriptor):
817         (JSC::DFG::PromotedLocationDescriptor::operator!):
818         (JSC::DFG::PromotedLocationDescriptor::kind):
819         (JSC::DFG::PromotedLocationDescriptor::info):
820         (JSC::DFG::PromotedLocationDescriptor::hash):
821         (JSC::DFG::PromotedLocationDescriptor::operator==):
822         (JSC::DFG::PromotedLocationDescriptor::operator!=):
823         (JSC::DFG::PromotedLocationDescriptor::isHashTableDeletedValue):
824         (JSC::DFG::PromotedHeapLocation::PromotedHeapLocation):
825         (JSC::DFG::PromotedHeapLocation::operator!):
826         (JSC::DFG::PromotedHeapLocation::kind):
827         (JSC::DFG::PromotedHeapLocation::base):
828         (JSC::DFG::PromotedHeapLocation::info):
829         (JSC::DFG::PromotedHeapLocation::descriptor):
830         (JSC::DFG::PromotedHeapLocation::hash):
831         (JSC::DFG::PromotedHeapLocation::operator==):
832         (JSC::DFG::PromotedHeapLocation::isHashTableDeletedValue):
833         (JSC::DFG::PromotedHeapLocationHash::hash):
834         (JSC::DFG::PromotedHeapLocationHash::equal):
835         * dfg/DFGSSACalculator.cpp:
836         (JSC::DFG::SSACalculator::reset):
837         * dfg/DFGSSACalculator.h:
838         * dfg/DFGSafeToExecute.h:
839         (JSC::DFG::safeToExecute):
840         * dfg/DFGSpeculativeJIT.cpp:
841         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
842         * dfg/DFGSpeculativeJIT32_64.cpp:
843         (JSC::DFG::SpeculativeJIT::compile):
844         * dfg/DFGSpeculativeJIT64.cpp:
845         (JSC::DFG::SpeculativeJIT::compile):
846         * dfg/DFGStructureRegistrationPhase.cpp:
847         (JSC::DFG::StructureRegistrationPhase::run):
848         * dfg/DFGValidate.cpp:
849         (JSC::DFG::Validate::validate):
850         * ftl/FTLCapabilities.cpp:
851         (JSC::FTL::canCompile):
852         * ftl/FTLExitPropertyValue.cpp: Added.
853         (JSC::FTL::ExitPropertyValue::dump):
854         * ftl/FTLExitPropertyValue.h: Added.
855         (JSC::FTL::ExitPropertyValue::ExitPropertyValue):
856         (JSC::FTL::ExitPropertyValue::operator!):
857         (JSC::FTL::ExitPropertyValue::location):
858         (JSC::FTL::ExitPropertyValue::value):
859         * ftl/FTLExitTimeObjectMaterialization.cpp: Added.
860         (JSC::FTL::ExitTimeObjectMaterialization::ExitTimeObjectMaterialization):
861         (JSC::FTL::ExitTimeObjectMaterialization::~ExitTimeObjectMaterialization):
862         (JSC::FTL::ExitTimeObjectMaterialization::add):
863         (JSC::FTL::ExitTimeObjectMaterialization::get):
864         (JSC::FTL::ExitTimeObjectMaterialization::dump):
865         * ftl/FTLExitTimeObjectMaterialization.h: Added.
866         (JSC::FTL::ExitTimeObjectMaterialization::type):
867         (JSC::FTL::ExitTimeObjectMaterialization::properties):
868         * ftl/FTLExitValue.cpp:
869         (JSC::FTL::ExitValue::materializeNewObject):
870         (JSC::FTL::ExitValue::dumpInContext):
871         * ftl/FTLExitValue.h:
872         (JSC::FTL::ExitValue::isObjectMaterialization):
873         (JSC::FTL::ExitValue::objectMaterialization):
874         (JSC::FTL::ExitValue::withVirtualRegister):
875         (JSC::FTL::ExitValue::valueFormat):
876         * ftl/FTLLowerDFGToLLVM.cpp:
877         (JSC::FTL::LowerDFGToLLVM::compileNode):
878         (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
879         (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
880         (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
881         (JSC::FTL::LowerDFGToLLVM::compileNewObject):
882         (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
883         (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
884         (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
885         (JSC::FTL::LowerDFGToLLVM::compileCheckStructureImmediate):
886         (JSC::FTL::LowerDFGToLLVM::compileMaterializeNewObject):
887         (JSC::FTL::LowerDFGToLLVM::checkStructure):
888         (JSC::FTL::LowerDFGToLLVM::allocateCell):
889         (JSC::FTL::LowerDFGToLLVM::storeStructure):
890         (JSC::FTL::LowerDFGToLLVM::allocateObject):
891         (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
892         (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
893         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
894         (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
895         (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
896         (JSC::FTL::LowerDFGToLLVM::weakStructureID):
897         (JSC::FTL::LowerDFGToLLVM::weakStructure):
898         (JSC::FTL::LowerDFGToLLVM::availabilityMap):
899         (JSC::FTL::LowerDFGToLLVM::availability): Deleted.
900         * ftl/FTLOSRExit.h:
901         * ftl/FTLOSRExitCompiler.cpp:
902         (JSC::FTL::compileRecovery):
903         (JSC::FTL::compileStub):
904         * ftl/FTLOperations.cpp: Added.
905         (JSC::FTL::operationNewObjectWithButterfly):
906         (JSC::FTL::operationMaterializeObjectInOSR):
907         * ftl/FTLOperations.h: Added.
908         * ftl/FTLSwitchCase.h:
909         (JSC::FTL::SwitchCase::SwitchCase):
910         * runtime/JSObject.h:
911         (JSC::JSObject::finishCreation):
912         (JSC::JSFinalObject::JSFinalObject):
913         (JSC::JSFinalObject::create):
914         * runtime/Structure.cpp:
915         (JSC::Structure::canUseForAllocationsOf):
916         * runtime/Structure.h:
917         * tests/stress/elidable-new-object-roflcopter-then-exit.js: Added.
918         (sumOfArithSeries):
919         (foo):
920         * tests/stress/elide-new-object-dag-then-exit.js: Added.
921         (sumOfArithSeries):
922         (bar):
923         (verify):
924         (foo):
925         * tests/stress/obviously-elidable-new-object-then-exit.js: Added.
926         (sumOfArithSeries):
927         (foo):
928
929 2014-09-25  Brian J. Burg  <burg@cs.washington.edu>
930
931         Web Replay: Check event loop input extents during replaying too
932         https://bugs.webkit.org/show_bug.cgi?id=136316
933
934         Reviewed by Timothy Hatcher.
935
936         Sometimes we see different nondeterminism during capture and replay
937         executions, so we should add determinism checks during replay too.
938
939         Move the withinEventLoopInputExtent flag to the base class, and tighten
940         the assertion to address <http://webkit.org/b/133019>.
941
942         * replay/InputCursor.h:
943         (JSC::InputCursor::InputCursor):
944         (JSC::InputCursor::setWithinEventLoopInputExtent): Added.
945         This assertion is slightly wrong because it does not account for nested run loops.
946         We can be within two input extents when a nested run loop processes additional
947         user inputs while the debugger is paused.
948
949         This should only be the case when execution is being neither captured nor
950         replayed. The debugger should not pause when capturing, and we should not replay
951         event loop inputs while in a nested run loop.
952
953         (JSC::InputCursor::withinEventLoopInputExtent): Added.
954
955 2014-09-25  Csaba Osztrogonác  <ossy@webkit.org>
956
957         Remove WinCE port from trunk
958         https://bugs.webkit.org/show_bug.cgi?id=136951
959
960         Reviewed by Alex Christensen.
961
962         * assembler/ARMAssembler.h:
963         (JSC::ARMAssembler::cacheFlush):
964         * assembler/ARMv7Assembler.h:
965         (JSC::ARMv7Assembler::cacheFlush):
966         * config.h:
967         * heap/MachineStackMarker.cpp:
968         (JSC::MachineThreads::gatherFromCurrentThread):
969         (JSC::MachineThreads::gatherFromOtherThread):
970         (JSC::swapIfBackwards): Deleted.
971         * jit/ExecutableAllocator.h:
972         * jsc.cpp:
973         (main):
974         * runtime/DateConstructor.cpp:
975         * runtime/Options.cpp:
976         (JSC::overrideOptionWithHeuristic):
977         * runtime/VM.cpp:
978         (JSC::VM::VM):
979         * testRegExp.cpp:
980         (main):
981         * tools/CodeProfiling.cpp:
982         (JSC::CodeProfiling::notifyAllocator):
983
984 2014-09-24  Brian J. Burg  <burg@cs.washington.edu>
985
986         Web Inspector: subtract elapsed time while debugger is paused from profile nodes
987         https://bugs.webkit.org/show_bug.cgi?id=136796
988
989         Reviewed by Timothy Hatcher.
990
991         Rather than accruing no time to any profile node created while the debugger is paused,
992         we can instead count a node's elapsed time and exclude time elapsed while paused.
993
994         Time for a node may elapse in a non-contiguous fashion depending on the interleaving of
995         didPause, didContinue, willExecute, and didExecute. A node's start time is set to the
996         start of the last such interval that accrues elapsed time.
997
998         * profiler/ProfileGenerator.cpp:
999         (JSC::ProfileGenerator::ProfileGenerator):
1000         (JSC::ProfileGenerator::beginCallEntry):
1001         (JSC::ProfileGenerator::endCallEntry):
1002         (JSC::ProfileGenerator::didPause): Added.
1003         (JSC::ProfileGenerator::didContinue): Added.
1004         * profiler/ProfileGenerator.h:
1005         (JSC::ProfileGenerator::didPause): Deleted.
1006         (JSC::ProfileGenerator::didContinue): Deleted.
1007         * profiler/ProfileNode.h: Rename totalTime to elapsedTime.
1008         (JSC::ProfileNode::Call::Call):
1009         (JSC::ProfileNode::Call::elapsedTime): Added.
1010         (JSC::ProfileNode::Call::setElapsedTime): Added.
1011         (JSC::CalculateProfileSubtreeDataFunctor::operator()):
1012         (JSC::ProfileNode::Call::totalTime): Deleted.
1013         (JSC::ProfileNode::Call::setTotalTime): Deleted.
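
        As an added illustration of the accounting this entry describes (a constructed example, not JSC's ProfileGenerator; the class name, scenarios and timestamps are invented here): each open call entry banks its current interval on didPause and starts a fresh interval on didContinue, so wall time spent paused never reaches elapsedTime.

```cpp
#include <cstdio>
#include <vector>

// Constructed illustration, not JSC's ProfileGenerator: each open call entry
// accrues elapsed time only during intervals in which the debugger is running.
// Timestamps are passed in explicitly (seconds) so the example is deterministic.
struct CallEntry {
    double startTime;   // start of the interval currently accruing time
    double elapsedTime; // time accrued so far, excluding paused intervals
};

class PauseAwareProfiler {
public:
    // willExecute: open a new entry. If the debugger is paused, nothing accrues
    // until didContinue resets the start time.
    void beginCallEntry(double now) { m_stack.push_back({ now, 0.0 }); }

    // didExecute: close the innermost entry and return its elapsed time.
    double endCallEntry(double now) {
        CallEntry entry = m_stack.back();
        m_stack.pop_back();
        if (!m_paused)
            entry.elapsedTime += now - entry.startTime;
        return entry.elapsedTime;
    }

    // didPause: every open entry banks the interval that just ended.
    void didPause(double now) {
        if (m_paused)
            return;
        for (CallEntry& entry : m_stack)
            entry.elapsedTime += now - entry.startTime;
        m_paused = true;
    }

    // didContinue: every open entry starts a fresh accruing interval now, so
    // the wall time spent paused is never counted.
    void didContinue(double now) {
        if (!m_paused)
            return;
        for (CallEntry& entry : m_stack)
            entry.startTime = now;
        m_paused = false;
    }

private:
    std::vector<CallEntry> m_stack;
    bool m_paused = false;
};

struct ScenarioResult { double inner; double outer; };

// Nested calls with a pause in the middle: the 3 s pause is excluded from both.
ScenarioResult pauseInsideNestedCalls() {
    PauseAwareProfiler profiler;
    profiler.beginCallEntry(0.0);   // outer call starts
    profiler.beginCallEntry(2.0);   // inner call starts
    profiler.didPause(5.0);         // outer banks 5 s, inner banks 3 s
    profiler.didContinue(8.0);      // both start a new interval at t=8
    double inner = profiler.endCallEntry(9.0);   // 3 + 1 = 4
    double outer = profiler.endCallEntry(10.0);  // 5 + 2 = 7
    return { inner, outer };
}

// A call that begins while paused accrues nothing until the debugger continues.
ScenarioResult callBeginsWhilePaused() {
    PauseAwareProfiler profiler;
    profiler.beginCallEntry(0.0);   // outer call starts
    profiler.didPause(1.0);         // outer banks 1 s
    profiler.beginCallEntry(2.0);   // inner call opened during the pause
    profiler.didContinue(4.0);      // both start accruing at t=4
    double inner = profiler.endCallEntry(5.0);   // 0 + 1 = 1
    double outer = profiler.endCallEntry(6.0);   // 1 + 2 = 3
    return { inner, outer };
}

int main() {
    ScenarioResult a = pauseInsideNestedCalls();
    ScenarioResult b = callBeginsWhilePaused();
    std::printf("nested pause:  inner=%.1f outer=%.1f\n", a.inner, a.outer);
    std::printf("begin paused:  inner=%.1f outer=%.1f\n", b.inner, b.outer);
    return 0;
}
```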
1014
1015 2014-09-24  Commit Queue  <commit-queue@webkit.org>
1016
1017         Unreviewed, rolling out r173839.
1018         https://bugs.webkit.org/show_bug.cgi?id=137062
1019
1020         NumberConstruct should no longer use static tables (Requested
1021         by dpino on #webkit).
1022
1023         Reverted changeset:
1024
1025         "Simple ES6 feature: Number constructor extras"
1026         https://bugs.webkit.org/show_bug.cgi?id=131707
1027         http://trac.webkit.org/changeset/173839
1028
1029 2014-09-23  Mark Lam  <mark.lam@apple.com>
1030
1031         DebuggerCallFrame::invalidate() should invalidate all DebuggerScope chains.
1032         <https://webkit.org/b/137045>
1033
1034         Reviewed by Geoffrey Garen.
1035
1036         DebuggerCallFrame::invalidate() currently invalidates all DebuggerCallFrames
1037         in the debugger stack, but only invalidates the DebuggerScope chain of the
1038         topmost frame.  We should also invalidate all the DebuggerScope chains of
1039         the other frames in the debugger stack.
1040
1041         * debugger/DebuggerCallFrame.cpp:
1042         (JSC::DebuggerCallFrame::invalidate):
1043         * debugger/DebuggerScope.cpp:
1044         (JSC::DebuggerScope::invalidateChain):
1045
1046 2014-09-23  Mark Lam  <mark.lam@apple.com>
1047
1048         Renamed DebuggerCallFrameScope to DebuggerPausedScope.
1049         <https://webkit.org/b/137042>
1050
1051         Reviewed by Michael Saboff.
1052
1053         DebuggerPausedScope is a better name for this data structure because it
1054         is meant for tracking the period within which the debugger is paused,
1055         and doing cleanups after the pause ends.
1056
1057         * debugger/Debugger.cpp:
1058         (JSC::DebuggerPausedScope::DebuggerPausedScope):
1059         (JSC::DebuggerPausedScope::~DebuggerPausedScope):
1060         (JSC::Debugger::pauseIfNeeded):
1061         (JSC::DebuggerCallFrameScope::DebuggerCallFrameScope): Deleted.
1062         (JSC::DebuggerCallFrameScope::~DebuggerCallFrameScope): Deleted.
1063         * debugger/Debugger.h:
1064         * debugger/DebuggerCallFrame.h:
1065
1066 2014-09-23  Tomas Popela  <tpopela@redhat.com>
1067
1068         [CLoop] - Fix CLoop on the 32-bit Big-Endians
1069         https://bugs.webkit.org/show_bug.cgi?id=137020
1070
1071         Reviewed by Mark Lam.
1072
1073         * llint/LowLevelInterpreter.asm:
1074         * llint/LowLevelInterpreter32_64.asm:
1075
1076 2014-09-23  Joseph Pecoraro  <pecoraro@apple.com>
1077
1078         Web Inspector: Should be able to attach a debugger to a JSContext before anything is executed
1079         https://bugs.webkit.org/show_bug.cgi?id=136893
1080
1081         Reviewed by Timothy Hatcher.
1082
1083         Adds new remote inspector protocol handling for automatic inspection.
1084         Debuggers can signal they have enabled automatic inspection, and
1085         when debuggables are created the current application will pause to
1086         see if the debugger will inspect or decline to inspect the debuggable.
1087
1088         * inspector/remote/RemoteInspectorConstants.h:
1089         * inspector/remote/RemoteInspector.h:
1090         * inspector/remote/RemoteInspector.mm:
1091         (Inspector::globalAutomaticInspectionState):
1092         (Inspector::RemoteInspector::RemoteInspector):
1093         (Inspector::RemoteInspector::start):
1094         When first starting, check the global "is there an auto-inspect" debugger state.
1095         This is necessary so that the current application knows if it should pause or
1096         not when a debuggable is created, even without having connected to webinspectord yet.
1097
1098         (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate):
1099         When a debuggable has enabled remote inspection, take this path to propose
1100         it as an automatic inspection candidate if there is an auto-inspect debugger.
1101
1102         (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage):
1103         Send the automatic inspection candidate message.
1104
1105         (Inspector::RemoteInspector::receivedSetupMessage):
1106         (Inspector::RemoteInspector::setupFailed):
1107         (Inspector::RemoteInspector::setupSucceeded):
1108         After attempting to open an inspector, unpause if it was for the
1109         automatic inspection candidate.
1110
1111         (Inspector::RemoteInspector::waitingForAutomaticInspection):
1112         When running a nested runloop, check if we should remain paused.
1113
1114         (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
1115         If by the time we connect to webinspectord we have a candidate, then
1116         immediately send the candidate message.
1117
1118         (Inspector::RemoteInspector::stopInternal):
1119         (Inspector::RemoteInspector::xpcConnectionFailed):
1120         In error cases, clear our state.
1121
1122         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
1123         (Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage):
1124         (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage):
1125         Update state when receiving new messages.
1126
1128         * inspector/remote/RemoteInspectorDebuggable.h:
1129         * inspector/remote/RemoteInspectorDebuggable.cpp:
1130         (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
1131         Special case when a debuggable is newly allowed to be debuggable.
1132
1133         (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection):
1134         Run a nested run loop while this is an automatic inspection candidate.
1135
1136         * inspector/JSGlobalObjectInspectorController.h:
1137         * inspector/JSGlobalObjectInspectorController.cpp:
1138         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1139         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
1140         When the inspector starts via automatic inspection automatically pause.
1141         We plan on removing this condition by having the frontend signal to the
1142         backend when it is completely initialized.
1143         
1144         * inspector/remote/RemoteInspectorDebuggableConnection.h:
1145         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
1146         (Inspector::RemoteInspectorDebuggableConnection::setup):
1147         Pass on the flag of whether or not this was automatic inspection.
1148
1149         * runtime/JSGlobalObjectDebuggable.h:
1150         * runtime/JSGlobalObjectDebuggable.cpp:
1151         (JSC::JSGlobalObjectDebuggable::connect):
1152         (JSC::JSGlobalObjectDebuggable::pauseWaitingForAutomaticInspection):
1153         When pausing in a JSGlobalObject we need to release the API lock.
1154
1155 2014-09-22  Filip Pizlo  <fpizlo@apple.com>
1156
1157         FTL allocatePropertyStorage code should involve less copy-paste
1158         https://bugs.webkit.org/show_bug.cgi?id=137006
1159
1160         Reviewed by Michael Saboff.
1161
1162         * ftl/FTLLowerDFGToLLVM.cpp:
1163         (JSC::FTL::LowerDFGToLLVM::allocatePropertyStorage):
1164         (JSC::FTL::LowerDFGToLLVM::reallocatePropertyStorage):
1165         (JSC::FTL::LowerDFGToLLVM::allocatePropertyStorageWithSizeImpl):
1166
1167 2014-09-22  Diego Pino Garcia  <dpino@igalia.com>
1168
1169         Simple ES6 feature: Number constructor extras
1170         https://bugs.webkit.org/show_bug.cgi?id=131707
1171
1172         Reviewed by Darin Adler.
1173
1174         * runtime/CommonIdentifiers.h: Added new identifiers.
1175         * runtime/NumberConstructor.cpp:
1176         (JSC::NumberConstructor::getOwnPropertySlot):
1177         (JSC::NumberConstructor::isFunction): Added.
1178         (JSC::numberConstructorEpsilonValue): Added.
1179         (JSC::numberConstructorNegInfinity): Added.
1180         (JSC::numberConstructorPosInfinity): Added.
1181         (JSC::numberConstructorMaxValue): Added.
1182         (JSC::numberConstructorMinValue): Added.
1183         (JSC::numberConstructorMaxSafeInteger): Added.
1184         (JSC::numberConstructorMinSafeInteger): Added.
1185         (JSC::numberConstructorFuncIsFinite): Added.
1186         (JSC::numberConstructorFuncIsInteger): Added.
1187         (JSC::numberConstructorFuncIsNaN): Added.
1188         (JSC::numberConstructorFuncIsSafeInteger): Added.
1189         * runtime/NumberConstructor.h:
1190
1191 2014-09-21  Filip Pizlo  <fpizlo@apple.com>
1192
1193         FTL should store the four bytes of the cell header using a 32-bit store rather than four 8-bit stores
1194         https://bugs.webkit.org/show_bug.cgi?id=136992
1195
1196         Reviewed by Sam Weinig.
1197         
1198         LLVM ought to be able to do this optimization for us given how the code was written, but
1199         any such lower-level attempts to optimize this would get into trouble with the weird
1200         object materialization logic I'll be introducing in bug 136330. So, this brings the
1201         merging of the byte stores into the FTL lowering so that we can control it explicitly.
1202
1203         * ftl/FTLAbstractHeap.h:
1204         (JSC::FTL::AbstractHeap::changeParent):
1205         * ftl/FTLAbstractHeapRepository.cpp:
1206         (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
1207         * ftl/FTLAbstractHeapRepository.h:
1208         * ftl/FTLLowerDFGToLLVM.cpp:
1209         (JSC::FTL::LowerDFGToLLVM::allocateCell):
1210
1211 2014-09-21  Saam Barati  <saambarati1@gmail.com>
1212
1213         Web Inspector: fix TypeSet hierarchy in TypeTokenView
1214         https://bugs.webkit.org/show_bug.cgi?id=136982
1215
1216         Reviewed by Joseph Pecoraro.
1217
1218         TypeSet was computing the set of type booleans in the Inspector::Protocol::Runtime::TypeSet 
1219         object incorrectly because it was calling TypeSet::doesTypeConformTo(T) which checks if the 
1220         type set has only been of type T. It now checks '(m_seenTypes & T) != TypeNothing' to see 
1221         if type T is in the set of seen types, but not the entire set itself.
1222
1223         * runtime/TypeSet.cpp:
1224         (JSC::TypeSet::inspectorTypeSet):
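
As an added illustration of the conformance-versus-membership mix-up described in this entry (constructed for this page, not JSC's code; the flag names, the doesTypeConformTo() shape and the inspector struct are assumed):

```cpp
#include <cstdint>

// Constructed illustration of the TypeSet bug fixed above; not JSC's code.
// The type flags, doesTypeConformTo() and the inspector struct are assumed
// shapes chosen for the example. TypeNothing is the empty set.
enum RuntimeType : uint32_t {
    TypeNothing   = 0,
    TypeUndefined = 1 << 0,
    TypeNull      = 1 << 1,
    TypeBoolean   = 1 << 2,
    TypeInteger   = 1 << 3,
    TypeNumber    = 1 << 4,
    TypeString    = 1 << 5,
};

// Mirrors the per-type booleans sent to the Inspector frontend.
struct InspectorTypeSet {
    bool isUndefined;
    bool isNull;
    bool isBoolean;
    bool isInteger;
    bool isNumber;
    bool isString;
};

class TypeSet {
public:
    void addType(RuntimeType type) { m_seenTypes |= type; }

    // "Conforms to": everything seen so far lies within `test`. This answers
    // "has this variable only ever been of type T?", which is the check the
    // pre-fix inspectorTypeSet() used by mistake.
    bool doesTypeConformTo(uint32_t test) const
    {
        return m_seenTypes != TypeNothing && (m_seenTypes | test) == test;
    }

    // "Contains": T is among the seen types, whatever else was seen.
    bool hasSeen(uint32_t test) const
    {
        return (m_seenTypes & test) != TypeNothing;
    }

    // Pre-fix behaviour: a variable that held both a boolean and an integer
    // reports neither, because no single type covers the whole seen set.
    InspectorTypeSet inspectorTypeSetBeforeFix() const
    {
        return { doesTypeConformTo(TypeUndefined), doesTypeConformTo(TypeNull),
                 doesTypeConformTo(TypeBoolean), doesTypeConformTo(TypeInteger),
                 doesTypeConformTo(TypeNumber), doesTypeConformTo(TypeString) };
    }

    // Fixed behaviour: each boolean is a membership test on the seen set.
    InspectorTypeSet inspectorTypeSet() const
    {
        return { hasSeen(TypeUndefined), hasSeen(TypeNull),
                 hasSeen(TypeBoolean), hasSeen(TypeInteger),
                 hasSeen(TypeNumber), hasSeen(TypeString) };
    }

private:
    uint32_t m_seenTypes { TypeNothing };
};
```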
1225
1226 2014-09-21  Filip Pizlo  <fpizlo@apple.com>
1227
1228         Structure should have a method for concurrently getting all of the property map entries, and this method shouldn't involve copy-paste
1229         https://bugs.webkit.org/show_bug.cgi?id=136983
1230
1231         Reviewed by Mark Hahnenberg.
1232
1233         * runtime/PropertyMapHashTable.h:
1234         (JSC::PropertyMapEntry::PropertyMapEntry): Moved PropertyMapEntry struct to Structure.h so that Structure can refer to it.
1235         * runtime/Structure.cpp:
1236         (JSC::Structure::getConcurrently): Switch to using the new forEachPropertyConcurrently() method.
1237         (JSC::Structure::getPropertiesConcurrently): The subject of this patch. It will be useful for object allocation sinking (bug 136330).
1238         (JSC::Structure::dump): Switch to using the new forEachPropertyConcurrently() method.
1239         * runtime/Structure.h:
1240         (JSC::PropertyMapEntry::PropertyMapEntry): Moved from PropertyMapHashTable.h.
1241         * runtime/StructureInlines.h:
1242         (JSC::Structure::forEachPropertyConcurrently): Capture this very common concurrent structure iteration pattern into a template method.
1243
1244 2014-09-21  Filip Pizlo  <fpizlo@apple.com>
1245
1246         Structure::getConcurrently() doesn't need to take a VM& argument.
1247
1248         Rubber stamped by Dan Bernstein.
1249         
1250         Removed the extra argument, and then removed similar arguments from other methods until
1251         I could build successfully again. It turned out that many methods took a VM& argument
1252         just for calling getConcurrently().
1253
1254         * bytecode/CodeBlock.cpp:
1255         (JSC::dumpStructure):
1256         (JSC::dumpChain):
1257         (JSC::CodeBlock::printGetByIdCacheStatus):
1258         (JSC::CodeBlock::printPutByIdCacheStatus):
1259         * bytecode/ComplexGetStatus.cpp:
1260         (JSC::ComplexGetStatus::computeFor):
1261         * bytecode/GetByIdStatus.cpp:
1262         (JSC::GetByIdStatus::computeFromLLInt):
1263         (JSC::GetByIdStatus::computeForStubInfo):
1264         (JSC::GetByIdStatus::computeFor):
1265         * bytecode/GetByIdStatus.h:
1266         * bytecode/PutByIdStatus.cpp:
1267         (JSC::PutByIdStatus::computeFromLLInt):
1268         (JSC::PutByIdStatus::computeForStubInfo):
1269         (JSC::PutByIdStatus::computeFor):
1270         * bytecode/PutByIdStatus.h:
1271         * dfg/DFGAbstractInterpreterInlines.h:
1272         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1273         * dfg/DFGByteCodeParser.cpp:
1274         (JSC::DFG::ByteCodeParser::parseBlock):
1275         * dfg/DFGConstantFoldingPhase.cpp:
1276         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1277         * dfg/DFGFixupPhase.cpp:
1278         (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
1279         * runtime/IntendedStructureChain.cpp:
1280         (JSC::IntendedStructureChain::mayInterceptStoreTo):
1281         * runtime/IntendedStructureChain.h:
1282         * runtime/Structure.cpp:
1283         (JSC::Structure::getConcurrently):
1284         * runtime/Structure.h:
1285         * runtime/StructureInlines.h:
1286         (JSC::Structure::getConcurrently):
1287
1288 2014-09-20  Filip Pizlo  <fpizlo@apple.com>
1289
1290         FTL OSRExit construction should be based on methods that return ExitValues rather than methods that add ExitValues to OSRExit
1291         https://bugs.webkit.org/show_bug.cgi?id=136978
1292
1293         Reviewed by Dean Jackson.
1294
1295         * ftl/FTLLowerDFGToLLVM.cpp:
1296         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
1297         (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
1298         (JSC::FTL::LowerDFGToLLVM::exitArgument):
1299         (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode): Deleted.
1300         (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument): Deleted.
1301         (JSC::FTL::LowerDFGToLLVM::addExitArgument): Deleted.
1302
1303 2014-09-20  Filip Pizlo  <fpizlo@apple.com>
1304
1305         FTL OSR exit should do reboxing and value recovery in the same pass
1306         https://bugs.webkit.org/show_bug.cgi?id=136977
1307
1308         Reviewed by Oliver Hunt.
1309         
1310         It's conceptually simpler to have all of the logic in one place. After the
1311         recover-and-rebox loop is done, all of the exit values are in the form that the baseline
1312         JIT would want them to be in; the only remaining task is to move them into the right
1313         place on the stack after we do all of the necessary stack adjustments.
1314
1315         * ftl/FTLOSRExitCompiler.cpp:
1316         (JSC::FTL::compileStub):
1317
1318 2014-09-19  Filip Pizlo  <fpizlo@apple.com>
1319
1320         StorageAccessData should be referenced in a sensible way
1321         https://bugs.webkit.org/show_bug.cgi?id=136963
1322
1323         Reviewed and rubber stamped by Michael Saboff.
1324
1325         * dfg/DFGAbstractInterpreterInlines.h:
1326         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1327         * dfg/DFGByteCodeParser.cpp:
1328         (JSC::DFG::ByteCodeParser::handleGetByOffset):
1329         (JSC::DFG::ByteCodeParser::handlePutByOffset):
1330         (JSC::DFG::ByteCodeParser::handlePutById):
1331         * dfg/DFGClobberize.h:
1332         (JSC::DFG::clobberize):
1333         * dfg/DFGConstantFoldingPhase.cpp:
1334         (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
1335         (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
1336         * dfg/DFGGraph.cpp:
1337         (JSC::DFG::Graph::dump):
1338         * dfg/DFGGraph.h:
1339         * dfg/DFGNode.h:
1340         (JSC::DFG::Node::convertToGetByOffset):
1341         (JSC::DFG::Node::convertToPutByOffset):
1342         (JSC::DFG::Node::storageAccessData):
1343         (JSC::DFG::Node::storageAccessDataIndex): Deleted.
1344         * dfg/DFGSafeToExecute.h:
1345         (JSC::DFG::safeToExecute):
1346         * dfg/DFGSpeculativeJIT32_64.cpp:
1347         (JSC::DFG::SpeculativeJIT::compile):
1348         * dfg/DFGSpeculativeJIT64.cpp:
1349         (JSC::DFG::SpeculativeJIT::compile):
1350         * ftl/FTLLowerDFGToLLVM.cpp:
1351         (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
1352         (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
1353
1354 2014-09-19  Ryosuke Niwa  <rniwa@webkit.org>
1355
1356         Leak of mallocs under StructureSet::OutOfLineList::create
1357         https://bugs.webkit.org/show_bug.cgi?id=136970
1358
1359         Reviewed by Filip Pizlo.
1360
1361         addOutOfLine should free the old list when expanding the capacity.
1362
1363         * bytecode/StructureSet.cpp:
1364         (JSC::StructureSet::addOutOfLine):
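
As an added illustration of the grow-and-forget leak this entry fixes (constructed for this page, not JSC's StructureSet; the names, sizes and block layout are assumed), with the pre-fix and fixed behaviour selectable by a flag so the leak is observable:

```cpp
#include <cstddef>
#include <cstdlib>
#include <cstring>
#include <new>

// Constructed illustration of the addOutOfLine leak described above; this is
// not JSC's StructureSet, and the names, sizes and layout are assumed.
// A live-allocation counter makes the leak observable from a test.
static int g_liveLists = 0;

struct OutOfLineList {
    unsigned m_length;
    unsigned m_capacity;

    // Entries live in the same malloc block, right after the header.
    void** list() { return reinterpret_cast<void**>(this + 1); }

    static OutOfLineList* create(unsigned capacity)
    {
        size_t bytes = sizeof(OutOfLineList) + capacity * sizeof(void*);
        OutOfLineList* result = static_cast<OutOfLineList*>(std::malloc(bytes));
        if (!result)
            throw std::bad_alloc();
        result->m_length = 0;
        result->m_capacity = capacity;
        ++g_liveLists;
        return result;
    }

    static void destroy(OutOfLineList* list)
    {
        if (!list)
            return;
        std::free(list);
        --g_liveLists;
    }
};

class StructureSet {
public:
    ~StructureSet() { OutOfLineList::destroy(m_list); }

    // Appends an entry, doubling capacity when full. With freeOld == false
    // this reproduces the pre-fix behaviour: every expansion abandons the
    // old block, so the set leaks one malloc block per doubling.
    void addOutOfLine(void* entry, bool freeOld)
    {
        if (!m_list)
            m_list = OutOfLineList::create(2);
        if (m_list->m_length == m_list->m_capacity) {
            OutOfLineList* grown = OutOfLineList::create(m_list->m_capacity * 2);
            std::memcpy(grown->list(), m_list->list(), m_list->m_length * sizeof(void*));
            grown->m_length = m_list->m_length;
            if (freeOld)
                OutOfLineList::destroy(m_list); // the fix: release the old list
            m_list = grown;
        }
        m_list->list()[m_list->m_length++] = entry;
    }

    unsigned size() const { return m_list ? m_list->m_length : 0; }

private:
    OutOfLineList* m_list { nullptr };
};

// Inserts n entries into a fresh set, destroys it, and returns how many
// blocks are still allocated afterwards; a correct implementation returns 0.
int leakedListsAfterInserting(unsigned n, bool freeOld)
{
    int before = g_liveLists;
    static int dummy;
    {
        StructureSet set;
        for (unsigned i = 0; i < n; ++i)
            set.addOutOfLine(&dummy, freeOld);
    }
    return g_liveLists - before;
}
```

Nine insertions force three doublings (2 to 4, 4 to 8, 8 to 16), so the pre-fix variant leaves three abandoned blocks behind while the fixed variant leaves none.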
1365
1366 2014-09-19  Daniel Bates  <dabates@apple.com>
1367
1368         Always assume internal SDK when building configuration Production
1369         https://bugs.webkit.org/show_bug.cgi?id=136925
1370         <rdar://problem/18362399>
1371
1372         Reviewed by Dan Bernstein.
1373
1374         As a side effect of this change we will always enable ENABLE_TOUCH_EVENTS, ENABLE_IOS_{GESTURE, TOUCH}_EVENTS,
1375         and ENABLE_XSLT when either building configuration Production or building with the Internal SDK.
1376
1377         * Configurations/Base.xcconfig:
1378
1379 2014-09-19  Diego Pino Garcia  <dpino@igalia.com>
1380
1381         Simple ES6 feature: String prototype additions
1382         https://bugs.webkit.org/show_bug.cgi?id=131704
1383
1384         Reviewed by Darin Adler.
1385
1386         * runtime/StringPrototype.cpp:
1387         (JSC::StringPrototype::finishCreation):
1388         (JSC::stringProtoFuncStartsWith): Added.
1389         (JSC::stringProtoFuncEndsWith): Added.
1390         (JSC::stringProtoFuncContains): Added.
1391
1392 2014-09-18  Joseph Pecoraro  <pecoraro@apple.com>
1393
1394         Unreviewed rollout r173731. Broke multiple builds.
1395
1396         * inspector/JSGlobalObjectInspectorController.cpp:
1397         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1398         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
1399         * inspector/JSGlobalObjectInspectorController.h:
1400         * inspector/remote/RemoteInspector.h:
1401         * inspector/remote/RemoteInspector.mm:
1402         (Inspector::RemoteInspector::RemoteInspector):
1403         (Inspector::RemoteInspector::setupFailed):
1404         (Inspector::RemoteInspector::start):
1405         (Inspector::RemoteInspector::stopInternal):
1406         (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
1407         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
1408         (Inspector::RemoteInspector::xpcConnectionFailed):
1409         (Inspector::RemoteInspector::receivedSetupMessage):
1410         (Inspector::globalAutomaticInspectionState): Deleted.
1411         (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate): Deleted.
1412         (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage): Deleted.
1413         (Inspector::RemoteInspector::setupSucceeded): Deleted.
1414         (Inspector::RemoteInspector::waitingForAutomaticInspection): Deleted.
1415         (Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage): Deleted.
1416         (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage): Deleted.
1417         * inspector/remote/RemoteInspectorConstants.h:
1418         * inspector/remote/RemoteInspectorDebuggable.cpp:
1419         (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
1420         (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection): Deleted.
1421         * inspector/remote/RemoteInspectorDebuggable.h:
1422         * inspector/remote/RemoteInspectorDebuggableConnection.h:
1423         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
1424         (Inspector::RemoteInspectorDebuggableConnection::setup):
1425         * runtime/JSGlobalObjectDebuggable.cpp:
1426         (JSC::JSGlobalObjectDebuggable::connect):
1427         (JSC::JSGlobalObjectDebuggable::pauseWaitingForAutomaticInspection): Deleted.
1428         * runtime/JSGlobalObjectDebuggable.h:
1429
1430 2014-09-18  Joseph Pecoraro  <pecoraro@apple.com>
1431
1432         Web Inspector: Should be able to attach a debugger to a JSContext before anything is executed
1433         https://bugs.webkit.org/show_bug.cgi?id=136893
1434
1435         Reviewed by Timothy Hatcher.
1436
1437         Adds new remote inspector protocol handling for automatic inspection.
1438         Debuggers can signal they have enabled automatic inspection, and
1439         when debuggables are created the current application will pause to
1440         see if the debugger will inspect or decline to inspect the debuggable.
1441
1442         * inspector/remote/RemoteInspectorConstants.h:
1443         * inspector/remote/RemoteInspector.h:
1444         * inspector/remote/RemoteInspector.mm:
1445         (Inspector::globalAutomaticInspectionState):
1446         (Inspector::RemoteInspector::RemoteInspector):
1447         (Inspector::RemoteInspector::start):
1448         When first starting, check the global "is there an auto-inspect" debugger state.
1449         This is necessary so that the current application knows if it should pause or
1450         not when a debuggable is created, even without having connected to webinspectord yet.
1451
1452         (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate):
1453         When a debuggable has enabled remote inspection, take this path to propose
1454         it as an automatic inspection candidate if there is an auto-inspect debugger.
1455
1456         (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage):
1457         Send the automatic inspection candidate message.
1458
1459         (Inspector::RemoteInspector::receivedSetupMessage):
1460         (Inspector::RemoteInspector::setupFailed):
1461         (Inspector::RemoteInspector::setupSucceeded):
1462         After attempting to open an inspector, unpause if it was for the
1463         automatic inspection candidate.
1464
1465         (Inspector::RemoteInspector::waitingForAutomaticInspection):
1466         When running a nested runloop, check if we should remain paused.
1467
1468         (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
1469         If by the time we connect to webinspectord we have a candidate, then
1470         immediately send the candidate message.
1471
1472         (Inspector::RemoteInspector::stopInternal):
1473         (Inspector::RemoteInspector::xpcConnectionFailed):
1474         In error cases, clear our state.
1475
1476         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
1477         (Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage):
1478         (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage):
1479         Update state when receiving new messages.
1480
1482         * inspector/remote/RemoteInspectorDebuggable.h:
1483         * inspector/remote/RemoteInspectorDebuggable.cpp:
1484         (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
1485         Special case when a debuggable is newly allowed to be debuggable.
1486
1487         (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection):
1488         Run a nested run loop while this is an automatic inspection candidate.
1489
1490         * inspector/JSGlobalObjectInspectorController.h:
1491         * inspector/JSGlobalObjectInspectorController.cpp:
1492         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1493         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
1494         When the inspector starts via automatic inspection automatically pause.
1495         We plan on removing this condition by having the frontend signal to the
1496         backend when it is completely initialized.
1497         
1498         * inspector/remote/RemoteInspectorDebuggableConnection.h:
1499         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
1500         (Inspector::RemoteInspectorDebuggableConnection::setup):
1501         Pass on the flag of whether or not this was automatic inspection.
1502
1503         * runtime/JSGlobalObjectDebuggable.h:
1504         * runtime/JSGlobalObjectDebuggable.cpp:
1505         (JSC::JSGlobalObjectDebuggable::connect):
1506         (JSC::JSGlobalObjectDebuggable::pauseWaitingForAutomaticInspection):
1507         When pausing in a JSGlobalObject we need to release the API lock.
1508
1509 2014-09-18  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>
1510
1511         Fix "Tools/Scripts/build-webkit --efl --no-inspector" build
1512         https://bugs.webkit.org/show_bug.cgi?id=136912
1513
1514         Reviewed by Darin Adler.
1515
1516         * runtime/TypeSet.cpp:
1517         (JSC::TypeSet::leastCommonAncestor):
1518
1519 2014-09-17  Michael Saboff  <msaboff@apple.com>
1520
1521         Change CallFrame to use Callee instead of JSScope to implement vm()
1522         https://bugs.webkit.org/show_bug.cgi?id=136894
1523
1524         Reviewed by Geoffrey Garen.
1525
1526         Added JSCell::vm() method that can be used on any JSObject.  Changed CallFrame::vm() to
1527         use JSCell::vm with the Callee.  Made similar changes in the LLInt.
1528         In support of this, changed JSGlobalObject::init() to take a VM& parameter, as there is
1529         a chicken/egg problem with trying to use the Callee in the global exec before the Callee
1530         has been created.  Besides, the vm is readily available in finishCreation(), the caller of
1531         init().
1532
1533         * llint/LowLevelInterpreter32_64.asm:
1534         * llint/LowLevelInterpreter64.asm:
1535         Changed the calculation of CallFrame::VM to use the Callee instead of JSScope.
1536
1537         * runtime/JSCell.h:
1538         * runtime/JSCellInlines.h:
1539         (JSC::JSCell::vm): New method for getting VM from the pointer.
1540         (JSC::ExecState::vm): Moved this method from JSScope.h to here since this file
1541         contains the implementation of JSCell::vm(), this file is included by all users
1542         of CallFrame::vm, and lastly putting it in CallFrameInlines.h required changing
1543         many other .h files and possibly the WebCore generator generate-bindings.pl.
1544
1545         * runtime/JSGlobalObject.cpp:
1546         (JSC::JSGlobalObject::init):
1547         * runtime/JSGlobalObject.h:
1548         (JSC::JSGlobalObject::finishCreation):
1549         Changed init() to take a VM parameter.
1550
1551         * runtime/JSScope.h:
1552         (JSC::ExecState::vm): Deleted.
1553
1554 2014-09-16  Filip Pizlo  <fpizlo@apple.com>
1555
1556         Unreviewed, disable native inlining because it causes build failures.
1557
1558         * JavaScriptCore.xcodeproj/project.pbxproj:
1559
1560 2014-09-16  Joseph Pecoraro  <pecoraro@apple.com>
1561
1562         Web Inspector: Reduce a bit of churn setting initial remote inspection state
1563         https://bugs.webkit.org/show_bug.cgi?id=136875
1564
1565         Reviewed by Timothy Hatcher.
1566
1567         * API/JSContextRef.cpp:
1568         (JSGlobalContextCreateInGroup):
1569         Set the default remote debuggable state at the API boundary.
1570
1571         * runtime/JSGlobalObject.cpp:
1572         (JSC::JSGlobalObject::init):
1573         Do not set remote debuggable state here. Let clients set it.
1574
1575 2014-09-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1576
1577         Promise: Drop Promise.cast
1578         https://bugs.webkit.org/show_bug.cgi?id=136222
1579
1580         Reviewed by Sam Weinig.
1581
1582         Promise.cast is dropped and Promise.resolve is replaced with old Promise.cast.
1583
1584         * runtime/CommonIdentifiers.h:
1585         * runtime/JSPromiseConstructor.cpp:
1586         (JSC::JSPromiseConstructorFuncResolve):
1587         (JSC::JSPromiseConstructorFuncRace):
1588         (JSC::JSPromiseConstructorFuncAll):
1589         (JSC::JSPromiseConstructorFuncCast): Deleted.
1590
1591 2014-09-16  Filip Pizlo  <fpizlo@apple.com>
1592
1593         Local OSR availability calculation should be reusable
1594         https://bugs.webkit.org/show_bug.cgi?id=136860
1595
1596         Reviewed by Oliver Hunt.
1597         
1598         Previously, the FTL lowering repeated some of the logic of the OSR availability analysis
1599         phase. Humorously, it actually did this logic a bit differently; for example the phase
1600         would claim that a SetLocal makes both the flush and the node available while the FTL
1601         only claimed that the flush was available. This difference was benign, but still: yuck!
1602         
1603         Also, previously if you wanted to use availability information then you'd have to repeat
1604         some of the logic that both the phase itself and the FTL lowering already had.
1605         Presumably, you could get epic style points for finding other benign ways in which to
1606         make your copy of the logic different from the other two!
1607         
1608         This reduces the amount of style points one could conceivably get in the future when
1609         hacking JSC, by creating a single reusable thingy for computing local OSR availability.
1610
1611         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
1612         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
1613         (JSC::DFG::LocalOSRAvailabilityCalculator::LocalOSRAvailabilityCalculator):
1614         (JSC::DFG::LocalOSRAvailabilityCalculator::~LocalOSRAvailabilityCalculator):
1615         (JSC::DFG::LocalOSRAvailabilityCalculator::beginBlock):
1616         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
1617         * dfg/DFGOSRAvailabilityAnalysisPhase.h:
1618         * ftl/FTLLowerDFGToLLVM.cpp:
1619         (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
1620         (JSC::FTL::LowerDFGToLLVM::compileBlock):
1621         (JSC::FTL::LowerDFGToLLVM::compileNode):
1622         (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
1623         (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
1624         (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
1625         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
1626         (JSC::FTL::LowerDFGToLLVM::availability):
1627         (JSC::FTL::LowerDFGToLLVM::compileMovHint): Deleted.
1628         (JSC::FTL::LowerDFGToLLVM::compileZombieHint): Deleted.
1629         (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock): Deleted.
1630
1631 2014-09-16  Csaba Osztrogonác  <ossy@webkit.org>
1632
1633         JSC test gardening
1634         https://bugs.webkit.org/show_bug.cgi?id=136823
1635
1636         Reviewed by Geoffrey Garen.
1637
1638         * tests/mozilla/mozilla-tests.yaml: Unskip passing tests.
1639
1640 2014-09-15  Michael Saboff  <msaboff@apple.com>
1641
1642         Create a JSCallee for GlobalExec object
1643         https://bugs.webkit.org/show_bug.cgi?id=136840
1644
1645         Reviewed by Geoffrey Garen.
1646
1647         Added m_globalCallee, initialized it and then used it to set the globalExec's callee.
1648
1649         * runtime/JSGlobalObject.cpp:
1650         (JSC::JSGlobalObject::init):
1651         (JSC::JSGlobalObject::visitChildren):
1652         * runtime/JSGlobalObject.h:
1653
1654 2014-09-14  Filip Pizlo  <fpizlo@apple.com>
1655
1656         DFG ref count calculation should be reusable
1657         https://bugs.webkit.org/show_bug.cgi?id=136811
1658
1659         Reviewed by Oliver Hunt.
1660         
1661         Henceforth if you call Graph::computeRefCounts(), a nifty O(n) operation, every Node
1662         will be able to tell you how many places it is used from. Currently only DCE uses this,
1663         but it will be useful for https://bugs.webkit.org/show_bug.cgi?id=136330.
1664
1665         * dfg/DFGDCEPhase.cpp:
1666         (JSC::DFG::DCEPhase::run):
1667         (JSC::DFG::DCEPhase::findTypeCheckRoot): Deleted.
1668         (JSC::DFG::DCEPhase::countNode): Deleted.
1669         (JSC::DFG::DCEPhase::countEdge): Deleted.
1670         * dfg/DFGGraph.cpp:
1671         (JSC::DFG::Graph::computeRefCounts):
1672         * dfg/DFGGraph.h:
1673
1674 2014-09-12  Michael Saboff  <msaboff@apple.com>
1675
1676         Merge JSGlobalObject::reset() into ::init()
1677         https://bugs.webkit.org/show_bug.cgi?id=136800
1678
1679         Reviewed by Oliver Hunt.
1680
1681         Moved the contents of reset() into init().
1682         Note that the diff shows more changes.
1683
1684         * runtime/JSGlobalObject.cpp:
1685         (JSC::JSGlobalObject::init): Moved body of reset() into init.
1686         (JSC::JSGlobalObject::put):
1687         (JSC::JSGlobalObject::defineOwnProperty):
1688         (JSC::JSGlobalObject::addGlobalVar):
1689         (JSC::JSGlobalObject::addFunction):
1690         (JSC::lastInPrototypeChain):
1691         (JSC::JSGlobalObject::reset): Deleted.
1692         * runtime/JSGlobalObject.h:
1693
1694 2014-09-12  Michael Saboff  <msaboff@apple.com>
1695
1696         Add JSCallee to program and eval CallFrames
1697         https://bugs.webkit.org/show_bug.cgi?id=136785
1698
1699         Reviewed by Mark Lam.
1700
1701         Populated Callee slot for program and call eval CallFrames with JSCallee objects.
1702         Made supporting changes including adding a JSCallee structure to global object and adding
1703         JSCallee::create() method.  Added code so that the newly added callee object won't be
1704         returned by Function.caller.  Changed null pointer checks of callee to check if
1705         the type is JSFunction* or JSCallee*.
1706
1707         * debugger/DebuggerCallFrame.cpp:
1708         (JSC::DebuggerCallFrame::functionName):
1709         (JSC::DebuggerCallFrame::type):
1710         * profiler/LegacyProfiler.cpp:
1711         (JSC::LegacyProfiler::createCallIdentifier):
1712         * interpreter/Interpreter.cpp:
1713         (JSC::unwindCallFrame):
1714         Changed checks of callee to check if it is a JSFunction* or JSCallee* instead of
1715         just checking if it is null or not.
1716
1717         * interpreter/Interpreter.cpp:
1718         (JSC::Interpreter::execute): Create and use JSCallee objects for execute(EvalExecutable, ...)
1719         and execute(ProgramExecutable, ...)
1720
1721         * jit/JITCode.cpp:
1722         (JSC::JITCode::execute): Use jsDynamicCast to cast only JSFunctions.
1723
1724         * runtime/JSCallee.cpp:
1725         (JSC::JSCallee::create): Not used, therefore deleted.
1726
1727         * runtime/JSCallee.h:
1728         (JSC::JSCallee::create): Added.
1729
1730         * runtime/JSFunction.cpp:
1731         (JSC::JSFunction::callerGetter): Added test to return null for JSCallees that aren't
1732         JSFunctions.  This can only be the case when the JSCallee comes from a program or
1733         call eval CallFrame.
1734
1735         * runtime/JSGlobalObject.cpp:
1736         (JSC::JSGlobalObject::reset):
1737         (JSC::JSGlobalObject::visitChildren):
1738         * runtime/JSGlobalObject.h:
1739         (JSC::JSGlobalObject::calleeStructure):
1740         Added new JSCallee structure.
1741
1742 2014-09-10  Jon Honeycutt  <jhoneycutt@apple.com>
1743
1744         Re-add the request autocomplete feature
1745
1746         <https://bugs.webkit.org/show_bug.cgi?id=136730>
1747
1748         This feature was rolled out in r148731 because it was only used by
1749         Chromium. As we consider supporting this feature, roll it back in, but
1750         leave it disabled.
1751
1752         This rolls out r148731 (which removed the feature) with small changes
1753         needed to make the code build in ToT, to match modern style, to make
1754         the tests run, and to remove unused code.
1755
1756         Reviewed by Andy Estes.
1757
1758         * Configurations/FeatureDefines.xcconfig:
1759
1760 2014-09-12  Julien Brianceau  <jbriance@cisco.com>
1761
1762         [x86] moveDoubleToInts() does not clobber its source register anymore
1763         https://bugs.webkit.org/show_bug.cgi?id=131690
1764
1765         Reviewed by Oliver Hunt.
1766
1767         * assembler/MacroAssemblerX86.h:
1768         (JSC::MacroAssemblerX86::moveDoubleToInts):
1769         * dfg/DFGSpeculativeJIT.cpp:
1770         (JSC::DFG::SpeculativeJIT::compileValueRep):
1771         * jit/SpecializedThunkJIT.h:
1772         (JSC::SpecializedThunkJIT::returnDouble):
1773
1774 2014-09-12  Mark Lam  <mark.lam@apple.com>
1775
1776         Unreviewed build fix for CLOOP build.
1777
1778         * runtime/JSCallee.h:
1779
1780 2014-09-12  Michael Saboff  <msaboff@apple.com>
1781
1782         Remove unneeded declarations from JSCallee.h
1783         https://bugs.webkit.org/show_bug.cgi?id=136783
1784
1785         Reviewed by Mark Lam.
1786
1787         * runtime/JSCallee.h:
1788         (JSCallee::name): Deleted.
1789         (JSCallee::displayName): Deleted.
1790         (JSCallee::calculatedDisplayName): Deleted.
1791
1792 2014-09-11  Brian J. Burg  <burg@cs.washington.edu>
1793
1794         Web Inspector: disambiguate double and integer primitive types in the protocol
1795         https://bugs.webkit.org/show_bug.cgi?id=136606
1796
1797         Reviewed by Timothy Hatcher.
1798
1799         Right now it's really easy to mix up doubles and integers when serializing or deserializing
1800         values for the inspector protocol. This patch disambiguates setting/getting doubles and integers
1801         so that it is clearer as to which type is intended.
1802
1803         A new InspectorValue::Type is added for Integer types, and the Number type is renamed to Double.
1804         The existing callsites for asNumber/getNumber/setNumber have been fixed.
1805
1806         Address various integration points to make sure the right type tag is assigned to InspectorValues.
1807
1808         * bindings/ScriptValue.cpp:
1809         (Deprecated::jsToInspectorValue): Make an Integer if the JSValue is Int52 or smaller.
1810         * inspector/InjectedScriptManager.cpp:
1811         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
1812         * inspector/InspectorBackendDispatcher.cpp:
1813         (Inspector::InspectorBackendDispatcher::dispatch):
1814         (Inspector::InspectorBackendDispatcher::sendResponse):
1815         (Inspector::InspectorBackendDispatcher::reportProtocolError):
1816         (Inspector::AsMethodBridges::asInteger):
1817         (Inspector::AsMethodBridges::asDouble):
1818         (Inspector::InspectorBackendDispatcher::getInteger):
1819         (Inspector::InspectorBackendDispatcher::getDouble):
1820         (Inspector::AsMethodBridges::asInt): Deleted.
1821         (Inspector::InspectorBackendDispatcher::getInt): Deleted.
1822         * inspector/InspectorBackendDispatcher.h:
1823         * inspector/InspectorProtocolTypes.h: Remove the special case for checking int type tags.
1824         (Inspector::Protocol::ArrayItemHelper<int>::Traits::pushRaw):
1825         (Inspector::Protocol::ArrayItemHelper<double>::Traits::pushRaw):
1826         (Inspector::Protocol::BindingTraits<int>::assertValueHasExpectedType): Deleted.
1827         * inspector/InspectorValues.cpp: Allow integers and doubles to be convertible using asInteger/asDouble.
1828         (Inspector::InspectorValue::asDouble):
1829         (Inspector::InspectorValue::asInteger):
1830         (Inspector::InspectorBasicValue::asDouble):
1831         (Inspector::InspectorBasicValue::asInteger):
1832         (Inspector::InspectorBasicValue::writeJSON):
1833         (Inspector::InspectorValue::asNumber): Deleted.
1834         (Inspector::InspectorBasicValue::asNumber): Deleted.
1835         * inspector/InspectorValues.h:
1836         (Inspector::InspectorObjectBase::setInteger):
1837         (Inspector::InspectorObjectBase::setDouble):
1838         (Inspector::InspectorArrayBase::pushInteger):
1839         (Inspector::InspectorArrayBase::pushDouble):
1840         (Inspector::InspectorObjectBase::setNumber): Deleted.
1841         (Inspector::InspectorArrayBase::pushInt): Deleted.
1842         (Inspector::InspectorArrayBase::pushNumber): Deleted.
1843         * inspector/agents/InspectorDebuggerAgent.cpp:
1844         (Inspector::buildObjectForBreakpointCookie):
1845         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
1846         (Inspector::parseLocation):
1847         (Inspector::InspectorDebuggerAgent::didParseSource):
1848         * inspector/agents/InspectorRuntimeAgent.cpp:
1849         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1850         * inspector/scripts/codegen/generator.py: Update emitted code and rebaseline test results.
1851         (Generator.keyed_get_method_for_type):
1852         (Generator.keyed_set_method_for_type):
1853         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1854         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1855         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1856         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1857         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1858         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1859         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1860         * replay/EncodedValue.cpp:
1861         (JSC::EncodedValue::convertTo<double>):
1862         (JSC::EncodedValue::convertTo<float>):
1863         (JSC::EncodedValue::convertTo<int32_t>):
1864         (JSC::EncodedValue::convertTo<int64_t>):
1865         (JSC::EncodedValue::convertTo<uint32_t>):
1866         (JSC::EncodedValue::convertTo<uint64_t>):
1867
1868 2014-09-11  Joseph Pecoraro  <pecoraro@apple.com>
1869
1870         Web Inspector: Occasional ASSERT closing web inspector
1871         https://bugs.webkit.org/show_bug.cgi?id=136762
1872
1873         Reviewed by Timothy Hatcher.
1874
1875         It is harmless, and indeed possible to have an empty set of listeners
1876         now that each Page gets its own PageDebugServer instead of a shared
1877         global. So we should replace the null checks with isEmpty checks.
1878         Since nobody was ever returning null, convert to references as well.
1879
1880         * inspector/JSGlobalObjectScriptDebugServer.h:
1881         * inspector/ScriptDebugServer.cpp:
1882         (Inspector::ScriptDebugServer::dispatchBreakpointActionLog):
1883         (Inspector::ScriptDebugServer::dispatchBreakpointActionSound):
1884         (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe):
1885         (Inspector::ScriptDebugServer::sourceParsed):
1886         (Inspector::ScriptDebugServer::dispatchFunctionToListeners):
1887         (Inspector::ScriptDebugServer::notifyDoneProcessingDebuggerEvents):
1888         (Inspector::ScriptDebugServer::handlePause):
1889         (Inspector::ScriptDebugServer::needPauseHandling): Deleted.
1890         * inspector/ScriptDebugServer.h:
1891
1892 2014-09-10  Michael Saboff  <msaboff@apple.com>
1893
1894         Move JSScope out of JSFunction into separate JSCallee class
1895         https://bugs.webkit.org/show_bug.cgi?id=136725
1896
1897         Reviewed by Oliver Hunt.
1898
1899         Created new JSCallee class that contains a JSScope*.  Changed JSFunction to inherit from
1900         JSCallee.
1901
1902         * CMakeLists.txt:
1903         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1904         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1905         * JavaScriptCore.xcodeproj/project.pbxproj:
1906         Build changes.  Added JSCallee.cpp and JSCallee.h.
1907
1908         * runtime/JSCallee.cpp: Added.
1909         (JSC::JSCallee::create):
1910         (JSC::JSCallee::destroy):
1911         (JSC::JSCallee::JSCallee):
1912         (JSC::JSCallee::finishCreation):
1913         (JSC::JSCallee::visitChildren):
1914         (JSC::JSCallee::getOwnPropertySlot): Pass through wrapper function.
1915         (JSC::JSCallee::getOwnNonIndexPropertyNames): Pass through wrapper function.
1916         (JSC::JSCallee::put): Pass through wrapper function.
1917         (JSC::JSCallee::deleteProperty): Pass through wrapper function.
1918         (JSC::JSCallee::defineOwnProperty): Pass through wrapper function.
1919
1920         * runtime/JSCallee.h: Added.
1921         (JSC::JSCallee::scope):
1922         (JSC::JSCallee::scopeUnchecked):
1923         (JSC::JSCallee::setScope):
1924         (JSC::JSCallee::createStructure):
1925         (JSC::JSCallee::offsetOfScopeChain):
1926
1927         * runtime/JSFunction.cpp:
1928         (JSC::JSFunction::JSFunction):
1929         (JSC::JSFunction::addNameScopeIfNeeded):
1930         (JSC::JSFunction::visitChildren):
1931         * runtime/JSFunction.h:
1932         (JSC::JSFunction::scope): Deleted.
1933         (JSC::JSFunction::scopeUnchecked): Deleted.
1934         (JSC::JSFunction::setScope): Deleted.
1935         (JSC::JSFunction::offsetOfScopeChain): Deleted.
1936         * runtime/JSFunctionInlines.h:
1937         (JSC::JSFunction::JSFunction):
1938         Changed to reference JSCallee and its methods.
1939
1940         * runtime/JSType.h: Added JSCallee as a TypeEnum.
1941
1942 2014-09-11  Filip Pizlo  <fpizlo@apple.com>
1943
1944         REGRESSION (r172129): Vine pages load as blank
1945         https://bugs.webkit.org/show_bug.cgi?id=136655
1946         rdar://problem/18281215
1947
1948         Reviewed by Michael Saboff.
1949         
1950         If lastNode is something that is subject to DCE, then removing the Phantom's reference to something
1951         that lastNode references means that the thing being referenced may no longer be kept alive for OSR.
1952         Teach PhantomRemovalPhase that it's only safe to do this if lastNode is a Phantom. That's probably too
1953         conservative, but that's fine since this is mainly just an optimization to make the IR sane to read and
1954         reasonably compact; it's OK if we miss cases here.
1955
1956         * dfg/DFGPhantomRemovalPhase.cpp:
1957         (JSC::DFG::PhantomRemovalPhase::run):
1958         * tests/stress/remove-phantom-after-setlocal.js: Added.
1959
1960 2014-09-11  Bear Travis  <betravis@adobe.com>
1961
1962         [CSS Font Loading] Enable CSS Font Loading on Mac
1963         https://bugs.webkit.org/show_bug.cgi?id=135473
1964
1965         Reviewed by Antti Koivisto.
1966
1967         Enable CSS Font Loading in FeatureDefines.
1968
1969         * Configurations/FeatureDefines.xcconfig:
1970
1971 2014-09-11  Joseph Pecoraro  <pecoraro@apple.com>
1972
1973         Unreviewed rebaseline of inspector generator test results after r173120.
1974
1975         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1976         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1977         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1978         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1979
1980 2014-09-11  Oliver Hunt  <oliver@apple.com>
1981
1982         Rename activation to be more in line with spec language
1983         https://bugs.webkit.org/show_bug.cgi?id=136721
1984
1985         Reviewed by Michael Saboff.
1986
1987         Somewhat bigger than the last one, but still just a rename.
1988
1989         * CMakeLists.txt:
1990         * JavaScriptCore.order:
1991         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1992         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1993         * JavaScriptCore.xcodeproj/project.pbxproj:
1994         * bytecode/BytecodeList.json:
1995         * bytecode/BytecodeUseDef.h:
1996         (JSC::computeUsesForBytecodeOffset):
1997         (JSC::computeDefsForBytecodeOffset):
1998         * bytecode/CallVariant.h:
1999         * bytecode/CodeBlock.cpp:
2000         (JSC::CodeBlock::dumpBytecode):
2001         (JSC::CodeBlock::CodeBlock):
2002         (JSC::CodeBlock::finalizeUnconditionally):
2003         (JSC::CodeBlock::isCaptured):
2004         (JSC::CodeBlock::nameForRegister):
2005         * bytecode/CodeBlock.h:
2006         (JSC::CodeBlock::setActivationRegister):
2007         (JSC::CodeBlock::activationRegister):
2008         (JSC::CodeBlock::uncheckedActivationRegister):
2009         (JSC::CodeBlock::needsActivation):
2010         * bytecode/Instruction.h:
2011         * bytecode/UnlinkedCodeBlock.h:
2012         (JSC::UnlinkedCodeBlock::setActivationRegister):
2013         (JSC::UnlinkedCodeBlock::activationRegister):
2014         (JSC::UnlinkedCodeBlock::hasActivationRegister):
2015         * bytecompiler/BytecodeGenerator.cpp:
2016         (JSC::BytecodeGenerator::BytecodeGenerator):
2017         (JSC::BytecodeGenerator::emitReturn):
2018         * bytecompiler/BytecodeGenerator.h:
2019         * debugger/DebuggerCallFrame.cpp:
2020         (JSC::DebuggerCallFrame::scope):
2021         * debugger/DebuggerScope.cpp:
2022         (JSC::DebuggerScope::isFunctionOrEvalScope):
2023         * dfg/DFGByteCodeParser.cpp:
2024         (JSC::DFG::ByteCodeParser::parseBlock):
2025         * dfg/DFGCapabilities.cpp:
2026         (JSC::DFG::capabilityLevel):
2027         * dfg/DFGGraph.cpp:
2028         (JSC::DFG::Graph::tryGetActivation):
2029         (JSC::DFG::Graph::tryGetRegisters):
2030         * dfg/DFGGraph.h:
2031         * dfg/DFGNodeType.h:
2032         * dfg/DFGOperations.cpp:
2033         * dfg/DFGSpeculativeJIT32_64.cpp:
2034         (JSC::DFG::SpeculativeJIT::compile):
2035         * dfg/DFGSpeculativeJIT64.cpp:
2036         (JSC::DFG::SpeculativeJIT::compile):
2037         * interpreter/CallFrame.cpp:
2038         (JSC::CallFrame::lexicalEnvironment):
2039         (JSC::CallFrame::setActivation):
2040         (JSC::CallFrame::activation): Deleted.
2041         * interpreter/CallFrame.h:
2042         * interpreter/Interpreter.cpp:
2043         (JSC::unwindCallFrame):
2044         * interpreter/Register.h:
2045         * jit/JIT.cpp:
2046         (JSC::JIT::privateCompileMainPass):
2047         * jit/JIT.h:
2048         * jit/JITOpcodes.cpp:
2049         (JSC::JIT::emit_op_tear_off_lexical_environment):
2050         (JSC::JIT::emit_op_tear_off_arguments):
2051         (JSC::JIT::emit_op_create_lexical_environment):
2052         (JSC::JIT::emit_op_tear_off_activation): Deleted.
2053         (JSC::JIT::emit_op_create_activation): Deleted.
2054         * jit/JITOpcodes32_64.cpp:
2055         (JSC::JIT::emit_op_tear_off_lexical_environment):
2056         (JSC::JIT::emit_op_tear_off_arguments):
2057         (JSC::JIT::emit_op_create_lexical_environment):
2058         (JSC::JIT::emit_op_tear_off_activation): Deleted.
2059         (JSC::JIT::emit_op_create_activation): Deleted.
2060         * jit/JITOperations.cpp:
2061         * jit/JITOperations.h:
2062         * llint/LLIntSlowPaths.cpp:
2063         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2064         * llint/LLIntSlowPaths.h:
2065         * llint/LowLevelInterpreter32_64.asm:
2066         * llint/LowLevelInterpreter64.asm:
2067         * runtime/Arguments.cpp:
2068         (JSC::Arguments::visitChildren):
2069         (JSC::Arguments::tearOff):
2070         (JSC::Arguments::didTearOffActivation):
2071         * runtime/Arguments.h:
2072         (JSC::Arguments::offsetOfActivation):
2073         (JSC::Arguments::argument):
2074         (JSC::Arguments::finishCreation):
2075         * runtime/CommonSlowPaths.cpp:
2076         * runtime/JSFunction.h:
2077         * runtime/JSGlobalObject.cpp:
2078         (JSC::JSGlobalObject::reset):
2079         (JSC::JSGlobalObject::visitChildren):
2080         * runtime/JSGlobalObject.h:
2081         (JSC::JSGlobalObject::activationStructure):
2082         * runtime/JSLexicalEnvironment.cpp: Renamed from Source/JavaScriptCore/runtime/JSActivation.cpp.
2083         (JSC::JSLexicalEnvironment::visitChildren):
2084         (JSC::JSLexicalEnvironment::symbolTableGet):
2085         (JSC::JSLexicalEnvironment::symbolTablePut):
2086         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
2087         (JSC::JSLexicalEnvironment::symbolTablePutWithAttributes):
2088         (JSC::JSLexicalEnvironment::getOwnPropertySlot):
2089         (JSC::JSLexicalEnvironment::put):
2090         (JSC::JSLexicalEnvironment::deleteProperty):
2091         (JSC::JSLexicalEnvironment::toThis):
2092         (JSC::JSLexicalEnvironment::argumentsGetter):
2093         * runtime/JSLexicalEnvironment.h: Renamed from Source/JavaScriptCore/runtime/JSActivation.h.
2094         (JSC::JSLexicalEnvironment::create):
2095         (JSC::JSLexicalEnvironment::createStructure):
2096         (JSC::JSLexicalEnvironment::JSLexicalEnvironment):
2097         (JSC::asActivation):
2098         (JSC::Register::lexicalEnvironment):
2099         (JSC::JSLexicalEnvironment::registersOffset):
2100         (JSC::JSLexicalEnvironment::tearOff):
2101         (JSC::JSLexicalEnvironment::isTornOff):
2102         (JSC::JSLexicalEnvironment::storageOffset):
2103         (JSC::JSLexicalEnvironment::storage):
2104         (JSC::JSLexicalEnvironment::allocationSize):
2105         (JSC::JSLexicalEnvironment::isValidIndex):
2106         (JSC::JSLexicalEnvironment::isValid):
2107         (JSC::JSLexicalEnvironment::registerAt):
2108         * runtime/JSObject.h:
2109         * runtime/JSScope.cpp:
2110         (JSC::abstractAccess):
2111         * runtime/JSScope.h:
2112         (JSC::ResolveOp::ResolveOp):
2113         * runtime/JSSymbolTableObject.cpp:
2114         * runtime/StrictEvalActivation.h:
2115         (JSC::StrictEvalActivation::create):
2116         * runtime/VM.cpp:
2117
2118 2014-09-11  László Langó  <llango.u-szeged@partner.samsung.com>
2119
2120         [JavaScriptCore] Fix FTL on platform EFL.
2121         https://bugs.webkit.org/show_bug.cgi?id=133571
2122
2123         Reviewed by Filip Pizlo.
2124
2125         There are no compact_unwind sections on Linux systems so FTL crashes.
2126         We have to parse eh_frame in FTLUnwindInfo instead of compact_unwind
2127         and get the information for stack unwinding from there.
2128
2129         * CMakeLists.txt: Revert r169181.
2130         * ftl/FTLCompile.cpp:
2131         Change section name literals to use SECTION_NAME macro, because of architecture differences.
2132         (JSC::FTL::mmAllocateCodeSection):
2133         (JSC::FTL::mmAllocateDataSection):
2134         (JSC::FTL::compile):
2135         * ftl/FTLJITCode.h:
2136         We need the SECTION_NAME macro in FTLCompile and FTLLink, so we define it here.
2137         * ftl/FTLLink.cpp:
2138         (JSC::FTL::link):
2139         * ftl/FTLState.h:
2140         * ftl/FTLState.cpp:
2141         (JSC::FTL::State::State):
2142         * ftl/FTLUnwindInfo.h:
2143         * ftl/FTLUnwindInfo.cpp:
2144         Lift the eh_frame parsing method from LLVM/libcxxabi project and modify it for our purposes.
2145         Parse eh_frame on Linux instead of compact_unwind.
2146         (JSC::FTL::UnwindInfo::parse):
2147
2148 2014-09-10  Saam Barati  <saambarati1@gmail.com>
2149
2150         Web Inspector: Modify the type profiler runtime protocol to transfer some computation into the WebInspector
2151         https://bugs.webkit.org/show_bug.cgi?id=136500
2152
2153         Reviewed by Joseph Pecoraro.
2154
2155         This patch changes the type profiler protocol to the Web Inspector
2156         by moving the work of calculating computed properties that affect the UI 
2157         into the Web Inspector. This makes the Web Inspector have control over the 
2158         strings it displays as UI elements representing type information to the user 
2159         instead of JavaScriptCore deciding on a convention for these strings.
2160         JavaScriptCore now sends enough information to the Web Inspector so that 
2161         it can compute the properties JavaScriptCore used to compute.
2162
2163         * inspector/agents/InspectorRuntimeAgent.cpp:
2164         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
2165         * inspector/protocol/Runtime.json:
2166         * runtime/TypeProfiler.cpp:
2167         (JSC::TypeProfiler::getTypesForVariableAtOffsetForInspector): Deleted.
2168         * runtime/TypeProfiler.h:
2169         * runtime/TypeSet.cpp:
2170         (JSC::TypeSet::inspectorTypeSet):
2171         (JSC::StructureShape::leastCommonAncestor):
2172         (JSC::StructureShape::inspectorRepresentation):
2173         * runtime/TypeSet.h:
2174
2175 2014-09-10  Akos Kiss  <akiss@inf.u-szeged.hu>
2176
2177         Apply ARM64-specific lowering to load/store instructions in offlineasm
2178         https://bugs.webkit.org/show_bug.cgi?id=136569
2179
2180         Reviewed by Michael Saboff.
2181
2182         The standard RISC lowering of load/store instructions with base +
2183         immediate offset addresses is to move the offset to a temporary, add the
2184         base to the temporary, and then change the load/store to use the
2185         temporary + 0 immediate offset address. However, on ARM64, base +
2186         register offset addressing mode is available, so it is unnecessary to
2187         perform explicit register additions but it is enough to change load/store
2188         to use base + temporary as the address.
2189
2190         * offlineasm/arm64.rb: Added arm64LowerMalformedLoadStoreAddresses
2191
2192 2014-09-10  Oliver Hunt  <oliver@apple.com>
2193
2194         Rename JSVariableObject to JSEnvironmentRecord to align naming with ES spec
2195         https://bugs.webkit.org/show_bug.cgi?id=136710
2196
2197         Reviewed by Anders Carlsson.
2198
2199         This is a trivial rename.
2200
2201         * CMakeLists.txt:
2202         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2203         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2204         * JavaScriptCore.xcodeproj/project.pbxproj:
2205         * dfg/DFGAbstractHeap.h:
2206         * dfg/DFGClobberize.h:
2207         (JSC::DFG::clobberize):
2208         * dfg/DFGSpeculativeJIT32_64.cpp:
2209         (JSC::DFG::SpeculativeJIT::compile):
2210         * dfg/DFGSpeculativeJIT64.cpp:
2211         (JSC::DFG::SpeculativeJIT::compile):
2212         * ftl/FTLAbstractHeapRepository.cpp:
2213         * ftl/FTLAbstractHeapRepository.h:
2214         * ftl/FTLLowerDFGToLLVM.cpp:
2215         (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters):
2216         * jit/JITOpcodes32_64.cpp:
2217         * jit/JITPropertyAccess.cpp:
2218         (JSC::JIT::emitGetClosureVar):
2219         (JSC::JIT::emitPutClosureVar):
2220         * jit/JITPropertyAccess32_64.cpp:
2221         (JSC::JIT::emitGetClosureVar):
2222         (JSC::JIT::emitPutClosureVar):
2223         * llint/LLIntOffsetsExtractor.cpp:
2224         * llint/LowLevelInterpreter32_64.asm:
2225         * llint/LowLevelInterpreter64.asm:
2226         * runtime/JSActivation.cpp:
2227         (JSC::JSActivation::getOwnNonIndexPropertyNames):
2228         * runtime/JSActivation.h:
2229         * runtime/JSEnvironmentRecord.cpp: Renamed from Source/JavaScriptCore/runtime/JSVariableObject.cpp.
2230         * runtime/JSEnvironmentRecord.h: Renamed from Source/JavaScriptCore/runtime/JSVariableObject.h.
2231         (JSC::JSEnvironmentRecord::registers):
2232         (JSC::JSEnvironmentRecord::registerAt):
2233         (JSC::JSEnvironmentRecord::addressOfRegisters):
2234         (JSC::JSEnvironmentRecord::offsetOfRegisters):
2235         (JSC::JSEnvironmentRecord::JSEnvironmentRecord):
2236         * runtime/JSNameScope.h:
2237         * runtime/JSSegmentedVariableObject.h:
2238
2239 2014-09-10  Julien Brianceau   <jbriance@cisco.com>
2240
2241         [mips] Add missing parts and fix LLINT mips backend
2242         https://bugs.webkit.org/show_bug.cgi?id=136706
2243
2244         Reviewed by Michael Saboff.
2245
2246         * llint/LowLevelInterpreter.asm: Fix invalid CalleeSave register number.
2247         Implement initPCRelative and setEntryAddress macros.
2248         * llint/LowLevelInterpreter32_64.asm: Fix register distribution in
2249         doVMEntry macro.
2250
2251 2014-09-10  Saam Barati  <saambarati1@gmail.com>
2252
2253         TypeSet needs a mode where it no longer profiles structure shapes
2254         https://bugs.webkit.org/show_bug.cgi?id=136263
2255
2256         Reviewed by Filip Pizlo.
2257
2258         The TypeSet data structure used to gather as many StructureShape
2259         objects as it encountered during type profiling. But, this meant 
2260         that there was no upper limit on how many objects it could allocate. 
2261         This patch places a fixed upper bound on the number of StructureShapes
2262         allocated per TypeSet to prevent using too much memory for little gain
2263         in type profiling usefulness.
2264
2265         StructureShape objects are now also aware of when they are created
2266         from Structures which are dictionaries.
2267
2268         In total, this patch lays the final groundwork needed in refactoring 
2269         the inspector protocol for the type profiler.
2270
2271         * runtime/Structure.cpp:
2272         (JSC::Structure::toStructureShape):
2273         * runtime/TypeProfiler.cpp:
2274         (JSC::TypeProfiler::typeInformationForExpressionAtOffset):
2275         * runtime/TypeSet.cpp:
2276         (JSC::TypeSet::TypeSet):
2277         (JSC::TypeSet::addTypeInformation):
2278         (JSC::StructureShape::StructureShape):
2279         (JSC::StructureShape::toJSONString):
2280         (JSC::StructureShape::enterDictionaryMode):
2281         * runtime/TypeSet.h:
2282         (JSC::TypeSet::isOverflown):
2283         * tests/typeProfiler/dictionary-mode.js: Added.
2284         (wrapper):
2285         * tests/typeProfiler/driver/driver.js:
2286         * tests/typeProfiler/overflow.js: Added.
2287         (wrapper.Proto):
2288         (wrapper):
2289
2290 2014-09-10  Peter Gal  <galpeter@inf.u-szeged.hu>
2291
2292         [MIPS] branch32WithPatch missing
2293         https://bugs.webkit.org/show_bug.cgi?id=136696
2294
2295         Reviewed by Michael Saboff.
2296
2297         Added the missing branch32WithPatch. The implementation
2298         is currently the same as the branchPtrWithPatch because
2299         the macro assembler supports only 32 bit MIPS.
2300
2301         * assembler/MacroAssemblerMIPS.h:
2302         (JSC::MacroAssemblerMIPS::branch32WithPatch):
2303
2304 2014-09-10  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>
2305
2306         Fix !ENABLE(DFG_JIT) build
2307         https://bugs.webkit.org/show_bug.cgi?id=136702
2308
2309         Reviewed by Michael Saboff.
2310
2311         * bytecode/CallEdgeProfile.h:
2312
2313 2014-09-09  Benjamin Poulain  <bpoulain@apple.com>
2314
2315         Disable the "unreachable-code" warning
2316         https://bugs.webkit.org/show_bug.cgi?id=136677
2317
2318         Reviewed by Darin Adler.
2319
2320         * Configurations/Base.xcconfig:
2321
2322 2014-09-08  Filip Pizlo  <fpizlo@apple.com>
2323
2324         DFG should have a reusable SSA builder
2325         https://bugs.webkit.org/show_bug.cgi?id=136331
2326
2327         Reviewed by Oliver Hunt.
2328         
2329         We want to implement sophisticated SSA transformations like object allocation sinking
2330         (https://bugs.webkit.org/show_bug.cgi?id=136330), but to do that, we need to be able to do
2331         updates to SSA that require inserting new Phi's. This requires calculating where Phis go.
2332         Previously, our Phi calculation was based on Aycock and Horspool's algorithm, and our
2333         implementation of this algorithm only worked when doing CPS->SSA conversion. The code
2334         could not be reused for cases where some phase happens to know that it introduced a few
2335         defs in some blocks and it wants to figure out where the Phis should go. Moreover, even
2336         the general algorithm of Aycock and Horspool is not well suited to such targeted SSA
2337         updates, since it requires first inserting maximal Phis. That scales well when the Phis
2338         were already there (like in our CPS form) but otherwise it's quite unnatural and may be
2339         difficult to make efficient.
2340         
2341         The usual way of handling both SSA conversion and SSA update is to use Cytron et al's
2342         algorithm based on dominance frontiers. For a while now, I've been working on creating a
2343         Cytron-based SSA calculator that can be used both as a replacement for our current SSA
2344         converter and as a reusable tool for any phase that needs to do SSA update. I previously
2345         optimized our dominator calculation and representation to use dominator trees computed
2346         using Lengauer and Tarjan's algorithm - mainly to make it more scalable to enumerate over
2347         the set of blocks that dominate you or vice-versa, and then I implemented a dominance
2348         frontier calculator. This patch implements the final step towards making SSA update
2349         available to all SSA phases: it implements an SSACalculator that can tell you where Phis
2350         go when given an arbitrary set of Defs. To keep things simple, and to ensure that we have
2351         good test coverage for this SSACalculator, this patch replaces the old Aycock-Horspool
2352         SSA converter with one based on the SSACalculator.
2353         
2354         This has no observable impact. It does reduce the amount of code in SSAConversionPhase.
2355         But even better, it makes SSAConversionPhase have significantly less tricky logic. It
2356         mostly just relies on SSACalculator to do the tricky stuff, and SSAConversionPhase mostly
2357         just reasons about the weirdnesses unique to the ThreadedCPS form that it sees as input.
2358         In fact, using the Cytron et al approach means that there isn't really any "smoke and
2359         mirrors" trickyness related to SSA. SSACalculator's only "tricks" are using the pruned
2360         iterated dominance frontier to place Phi's and using the dom tree to find reaching defs.
2361         The complexity is mostly confined to Dominators, which computes various dominator-related
2362         properties over the control flow graph. That class can be difficult to understand, but at
2363         least it follows well-known graph theory wisdom.
2364
2365         * CMakeLists.txt:
2366         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2367         * JavaScriptCore.xcodeproj/project.pbxproj:
2368         * dfg/DFGAnalysis.h:
2369         * dfg/DFGCSEPhase.cpp:
2370         * dfg/DFGDCEPhase.cpp:
2371         (JSC::DFG::DCEPhase::run):
2372         * dfg/DFGDominators.h:
2373         (JSC::DFG::Dominators::immediateDominatorOf):
2374         (JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOf):
2375         (JSC::DFG::Dominators::forAllBlocksInPrunedIteratedDominanceFrontierOf):
2376         * dfg/DFGGraph.cpp:
2377         (JSC::DFG::Graph::dump):
2378         (JSC::DFG::Graph::blocksInPreOrder):
2379         (JSC::DFG::Graph::blocksInPostOrder):
2380         (JSC::DFG::Graph::getBlocksInPreOrder): Deleted.
2381         (JSC::DFG::Graph::getBlocksInPostOrder): Deleted.
2382         * dfg/DFGGraph.h:
2383         * dfg/DFGLICMPhase.cpp:
2384         (JSC::DFG::LICMPhase::run):
2385         * dfg/DFGNodeFlags.h:
2386         * dfg/DFGPhase.cpp:
2387         (JSC::DFG::Phase::beginPhase):
2388         (JSC::DFG::Phase::endPhase):
2389         * dfg/DFGPhase.h:
2390         * dfg/DFGSSACalculator.cpp: Added.
2391         (JSC::DFG::SSACalculator::Variable::dump):
2392         (JSC::DFG::SSACalculator::Variable::dumpVerbose):
2393         (JSC::DFG::SSACalculator::Def::dump):
2394         (JSC::DFG::SSACalculator::SSACalculator):
2395         (JSC::DFG::SSACalculator::~SSACalculator):
2396         (JSC::DFG::SSACalculator::newVariable):
2397         (JSC::DFG::SSACalculator::newDef):
2398         (JSC::DFG::SSACalculator::nonLocalReachingDef):
2399         (JSC::DFG::SSACalculator::reachingDefAtTail):
2400         (JSC::DFG::SSACalculator::dump):
2401         * dfg/DFGSSACalculator.h: Added.
2402         (JSC::DFG::SSACalculator::Variable::index):
2403         (JSC::DFG::SSACalculator::Variable::Variable):
2404         (JSC::DFG::SSACalculator::Def::variable):
2405         (JSC::DFG::SSACalculator::Def::block):
2406         (JSC::DFG::SSACalculator::Def::value):
2407         (JSC::DFG::SSACalculator::Def::Def):
2408         (JSC::DFG::SSACalculator::variable):
2409         (JSC::DFG::SSACalculator::computePhis):
2410         (JSC::DFG::SSACalculator::phisForBlock):
2411         (JSC::DFG::SSACalculator::reachingDefAtHead):
2412         * dfg/DFGSSAConversionPhase.cpp:
2413         (JSC::DFG::SSAConversionPhase::SSAConversionPhase):
2414         (JSC::DFG::SSAConversionPhase::run):
2415         (JSC::DFG::SSAConversionPhase::forwardPhiChildren): Deleted.
2416         (JSC::DFG::SSAConversionPhase::forwardPhi): Deleted.
2417         (JSC::DFG::SSAConversionPhase::forwardPhiEdge): Deleted.
2418         (JSC::DFG::SSAConversionPhase::deduplicateChildren): Deleted.
2419         * dfg/DFGSSAConversionPhase.h:
2420         * dfg/DFGValidate.cpp:
2421         (JSC::DFG::Validate::Validate):
2422         (JSC::DFG::Validate::dumpGraphIfAppropriate):
2423         (JSC::DFG::validate):
2424         * dfg/DFGValidate.h:
2425         * ftl/FTLLowerDFGToLLVM.cpp:
2426         (JSC::FTL::LowerDFGToLLVM::lower):
2427         * runtime/Options.h:
2428
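        Added example (not JavaScriptCore code, and not the SSACalculator this entry describes): a
        self-contained C++ sketch of the Cytron et al. Phi-placement step the entry refers to. It
        computes a dominator tree with the iterative Cooper-Harvey-Kennedy algorithm (a simpler
        alternative to Lengauer-Tarjan that yields the same tree), builds dominance frontiers, and
        returns the iterated dominance frontier of a set of def blocks, i.e. the blocks that need a
        Phi. The CFG struct, the block indexing (block 0 is the entry) and the sample diamond graph
        are assumptions for illustration; the liveness-based pruning mentioned above is deliberately
        left out, so this is the unpruned variant.

```cpp
// Added example, not JavaScriptCore's SSACalculator: Cytron-style Phi placement
// on a small CFG via dominator trees and iterated dominance frontiers.
#include <cstdio>
#include <functional>
#include <set>
#include <vector>

// Assumed CFG representation: block 0 is the entry, successors[b] lists the
// successor block indices of block b.
struct CFG {
    std::vector<std::vector<int>> successors;
};

static std::vector<std::vector<int>> predecessors(const CFG& cfg)
{
    std::vector<std::vector<int>> preds(cfg.successors.size());
    for (int b = 0; b < (int)cfg.successors.size(); ++b)
        for (int s : cfg.successors[b])
            preds[s].push_back(b);
    return preds;
}

// Immediate dominators via the iterative algorithm of Cooper, Harvey and Kennedy.
// idom[entry] == entry; blocks unreachable from the entry keep idom == -1.
static std::vector<int> computeIdoms(const CFG& cfg)
{
    int n = cfg.successors.size();
    std::vector<int> postorder;
    std::vector<bool> seen(n, false);
    std::function<void(int)> dfs = [&](int b) {
        seen[b] = true;
        for (int s : cfg.successors[b])
            if (!seen[s])
                dfs(s);
        postorder.push_back(b);
    };
    dfs(0);
    std::vector<int> poIndex(n, -1); // larger index == earlier in reverse postorder
    for (int i = 0; i < (int)postorder.size(); ++i)
        poIndex[postorder[i]] = i;
    std::vector<std::vector<int>> preds = predecessors(cfg);

    std::vector<int> idom(n, -1);
    idom[0] = 0;
    auto intersect = [&](int a, int b) {
        while (a != b) {
            while (poIndex[a] < poIndex[b])
                a = idom[a];
            while (poIndex[b] < poIndex[a])
                b = idom[b];
        }
        return a;
    };
    for (bool changed = true; changed;) {
        changed = false;
        for (int i = (int)postorder.size() - 1; i >= 0; --i) { // reverse postorder
            int b = postorder[i];
            if (b == 0)
                continue;
            int newIdom = -1;
            for (int p : preds[b]) {
                if (idom[p] == -1)
                    continue; // predecessor not processed yet, or unreachable
                newIdom = newIdom == -1 ? p : intersect(p, newIdom);
            }
            if (newIdom != idom[b]) {
                idom[b] = newIdom;
                changed = true;
            }
        }
    }
    return idom;
}

// Dominance frontiers (Cytron et al.): for every join block b, walk up the
// dominator tree from each predecessor until idom(b), adding b to the frontier
// of every block passed on the way.
static std::vector<std::set<int>> computeDominanceFrontiers(const CFG& cfg, const std::vector<int>& idom)
{
    std::vector<std::vector<int>> preds = predecessors(cfg);
    std::vector<std::set<int>> frontier(cfg.successors.size());
    for (int b = 0; b < (int)cfg.successors.size(); ++b) {
        if (preds[b].size() < 2 || idom[b] == -1)
            continue;
        for (int p : preds[b]) {
            if (idom[p] == -1)
                continue; // unreachable predecessor
            for (int runner = p; runner != idom[b]; runner = idom[runner])
                frontier[runner].insert(b);
        }
    }
    return frontier;
}

// Blocks that need a Phi for a variable defined in defBlocks: the iterated
// dominance frontier of the def set. Unpruned: no liveness check is applied.
std::vector<int> phiBlocks(const CFG& cfg, const std::vector<int>& defBlocks)
{
    std::vector<int> idom = computeIdoms(cfg);
    std::vector<std::set<int>> frontier = computeDominanceFrontiers(cfg, idom);
    std::set<int> result; // std::set keeps the result sorted by block index
    std::vector<int> worklist(defBlocks);
    while (!worklist.empty()) {
        int b = worklist.back();
        worklist.pop_back();
        for (int f : frontier[b])
            if (result.insert(f).second)
                worklist.push_back(f); // a Phi is itself a def, so iterate
    }
    return std::vector<int>(result.begin(), result.end());
}

int main()
{
    // Constructed sample: a diamond 0 -> {1, 2} -> 3 with defs in blocks 1 and 2.
    CFG diamond{{{1, 2}, {3}, {3}, {}}};
    for (int b : phiBlocks(diamond, {1, 2}))
        std::printf("Phi needed at block %d\n", b);
    return 0;
}
```

        For the diamond the only Phi lands in block 3. A loop 0 -> 1 -> 2 -> {1, 3} with defs in
        0 and 2 puts the Phi at the loop header 1, because 1 is in the dominance frontier of both
        2 and 1 itself; a single def in the entry block yields no Phi at all.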
2429 2014-09-08  Commit Queue  <commit-queue@webkit.org>
2430
2431         Unreviewed, rolling out r173402.
2432         https://bugs.webkit.org/show_bug.cgi?id=136649
2433
2434         Breaking build with error "unable to restore file position to
2435         0x00000c60 for section __DWARF.__debug_info (errno = 9)"
2436         (Requested by mlam_ on #webkit).
2437
2438         Reverted changeset:
2439
2440         "Move CallFrame and Register inlines functions out of
2441         JSScope.h."
2442         https://bugs.webkit.org/show_bug.cgi?id=136579
2443         http://trac.webkit.org/changeset/173402
2444
2445 2014-09-08  Mark Lam  <mark.lam@apple.com>
2446
2447         Move CallFrame and Register inlines functions out of JSScope.h.
2448         <https://webkit.org/b/136579>
2449
2450         Reviewed by Geoffrey Garen.
2451
2452         This includes fixing up some files to #include JSCInlines.h to pick up
2453         these inline functions.  I also added JSCellInlines.h to JSCInlines.h
2454         since it is included from many of the affected .cpp files.
2455
2456         * API/ObjCCallbackFunction.mm:
2457         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2458         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2459         * JavaScriptCore.xcodeproj/project.pbxproj:
2460         * bindings/ScriptValue.cpp:
2461         * inspector/InjectedScriptHost.cpp:
2462         * inspector/InjectedScriptManager.cpp:
2463         * inspector/JSGlobalObjectInspectorController.cpp:
2464         * inspector/JSJavaScriptCallFrame.cpp:
2465         * inspector/ScriptDebugServer.cpp:
2466         * interpreter/CallFrameInlines.h:
2467         (JSC::CallFrame::vm):
2468         (JSC::CallFrame::lexicalGlobalObject):
2469         (JSC::CallFrame::globalThisValue):
2470         * interpreter/RegisterInlines.h: Added.
2471         (JSC::Register::operator=):
2472         (JSC::Register::scope):
2473         * runtime/ArgumentsIteratorConstructor.cpp:
2474         * runtime/JSArrayIterator.cpp:
2475         * runtime/JSCInlines.h:
2476         * runtime/JSCJSValue.cpp:
2477         * runtime/JSMapIterator.cpp:
2478         * runtime/JSPromiseConstructor.cpp:
2479         * runtime/JSPromiseDeferred.cpp:
2480         * runtime/JSPromiseFunctions.cpp:
2481         * runtime/JSPromisePrototype.cpp:
2482         * runtime/JSPromiseReaction.cpp:
2483         * runtime/JSScope.h:
2484         (JSC::Register::operator=): Deleted.
2485         (JSC::Register::scope): Deleted.
2486         (JSC::ExecState::vm): Deleted.
2487         (JSC::ExecState::lexicalGlobalObject): Deleted.
2488         (JSC::ExecState::globalThisValue): Deleted.
2489         * runtime/JSSetIterator.cpp:
2490         * runtime/MapConstructor.cpp:
2491         * runtime/MapData.cpp:
2492         * runtime/MapIteratorPrototype.cpp:
2493         * runtime/MapPrototype.cpp:
2494         * runtime/SetConstructor.cpp:
2495         * runtime/SetIteratorPrototype.cpp:
2496         * runtime/SetPrototype.cpp:
2497         * runtime/WeakMapConstructor.cpp:
2498         * runtime/WeakMapPrototype.cpp:
2499
2500 2014-09-08  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>
2501
2502         Remove FILTERS flag
2503         https://bugs.webkit.org/show_bug.cgi?id=136571
2504
2505         Reviewed by Darin Adler.
2506
2507         * Configurations/FeatureDefines.xcconfig:
2508
2509 2014-09-08  Saam Barati  <saambarati1@gmail.com>
2510
2511         Merge StructureShapes that share the same prototype chain
2512         https://bugs.webkit.org/show_bug.cgi?id=136549
2513
2514         Reviewed by Filip Pizlo.
2515
2516         Instead of keeping track of many discrete StructureShapes that share
2517         the same prototype chain, TypeSet should merge StructureShapes that 
2518         have the same prototype chain and provide a new member variable for 
2519         optional structure fields. This provides a cleaner and more concise
2520         interface for dealing with StructureShapes within TypeSet. Instead
2521         of having many discrete shapes that are almost identical, almost 
2522         identical shapes will be merged together with an interface for 
2523         understanding what fields the shapes being merged together differ in.
2524
2525         * runtime/TypeSet.cpp:
2526         (JSC::TypeSet::addTypeInformation):
2527         (JSC::StructureShape::addProperty):
2528         (JSC::StructureShape::toJSONString):
2529         (JSC::StructureShape::inspectorRepresentation):
2530         (JSC::StructureShape::hasSamePrototypeChain):
2531         (JSC::StructureShape::merge):
2532         * runtime/TypeSet.h:
2533         * tests/typeProfiler/optional-fields.js: Added.
2534         (wrapper.func):
2535         (wrapper):
2536
2537 2014-09-08  Jessie Berlin  <jberlin@apple.com>
2538
2539         More 32-bit Release build fixes after r173364.
2540
2541         * dfg/DFGSpeculativeJIT32_64.cpp:
2542         (JSC::DFG::SpeculativeJIT::compile):
2543
2544 2014-09-07  Maciej Stachowiak  <mjs@apple.com>
2545
2546         Fix typos in last patch to fix build.
2547
2548         Unreviewed build fix.
2549
2550         * dfg/DFGSpeculativeJIT.cpp:
2551         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
2552         (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
2553
2554 2014-09-07  Maciej Stachowiak  <mjs@apple.com>
2555
2556         Introduce COMPILER_QUIRK(CONSIDERS_UNREACHABLE_CODE) and use it
2557         https://bugs.webkit.org/show_bug.cgi?id=136616
2558
2559         Reviewed by Darin Adler.
2560         
2561         Many compilers will analyze unreachable code paths (e.g. after an
2562         unreachable code path), so sometimes they need dead code initializations.
2563         But clang with suitable warnings will complain about unreachable code. So
2564         use the quirk to include it conditionally.
2565
2566         * bytecode/CodeBlock.cpp:
2567         (JSC::CodeBlock::printGetByIdOp):
2568         * dfg/DFGOSRExitCompilerCommon.cpp:
2569         (JSC::DFG::handleExitCounts):
2570         * dfg/DFGPlan.cpp:
2571         (JSC::DFG::Plan::compileInThread):
2572         * dfg/DFGSpeculativeJIT.cpp:
2573         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
2574         * jsc.cpp:
2575         * runtime/JSArray.cpp:
2576         (JSC::JSArray::fillArgList):
2577         (JSC::JSArray::copyToArguments):
2578         * runtime/RegExp.cpp:
2579         (JSC::RegExp::compile):
2580         (JSC::RegExp::compileMatchOnly):
2581
2582 2014-09-06  Darin Adler  <darin@apple.com>
2583
2584         Make updates suggested by new version of Xcode
2585         https://bugs.webkit.org/show_bug.cgi?id=136603
2586
2587         Reviewed by Mark Rowe.
2588
2589         * Configurations/Base.xcconfig: Added CLANG_WARN_UNREACHABLE_CODE, COMBINE_HIDPI_IMAGES,
2590         and ENABLE_STRICT_OBJC_MSGSEND as suggested by Xcode upgrade check.
2591
2592         * JavaScriptCore.xcodeproj/project.pbxproj: Update LastUpgradeCheck.
2593
2594         * dfg/DFGSpeculativeJIT.cpp:
2595         (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode): Compile out unreachable code
2596         for clang, since it understands the code is unreachable.
2597         * runtime/JSArray.cpp:
2598         (JSC::JSArray::fillArgList): Ditto.
2599         (JSC::JSArray::copyToArguments): Ditto.
2600
2601 2014-09-05  Matt Baker  <mattbaker@apple.com>
2602
2603         Web Inspector: breakpoint actions should work regardless of Content Security Policy
2604         https://bugs.webkit.org/show_bug.cgi?id=136542
2605
2606         Reviewed by Mark Lam.
2607
2608         Added JSC::DebuggerEvalEnabler, an RAII object which enables eval on a 
2609         JSGlobalObject for the duration of a scope, returning the eval enabled state to its
2610         original value when the scope exits. Used by JSC::DebuggerCallFrame::evaluate 
2611         to allow breakpoint actions to execute JS in pages with a Content Security Policy
2612         that would normally prohibit this (such as Inspector's Main.html).
2613
2614         Refactored Inspector::InjectedScriptBase to use the RAII object instead of manually
2615         setting eval enabled and then resetting the original eval enabled state.
2616
2617         NOTE: The JSC::DebuggerEvalEnabler constructor checks the passed in ExecState pointer
2618         for null to be equivalent with the original code in Inspector::InjectedScriptBase.
2619         InjectedScriptBase is getting the ExecState from ScriptObject::scriptState(), which
2620         can currently be null.
2621
2622         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2623         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2624         * JavaScriptCore.xcodeproj/project.pbxproj:
2625         * debugger/DebuggerCallFrame.cpp:
2626         (JSC::DebuggerCallFrame::evaluate):
2627         * debugger/DebuggerEvalEnabler.h: Added.
2628         (JSC::DebuggerEvalEnabler::DebuggerEvalEnabler):
2629         (JSC::DebuggerEvalEnabler::~DebuggerEvalEnabler):
2630         * inspector/InjectedScriptBase.cpp:
2631         (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):
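
Added illustration, not JavaScriptCore's code: a scope guard in the spirit of the JSC::DebuggerEvalEnabler described in the entry above, beside the manual enable/reset pattern the entry says InjectedScriptBase used before. GlobalObject, ExecState, runBreakpointAction() and the evaluate functions are constructed stand-ins; the failure mode shown (the manual reset is skipped when the evaluated action throws, so the CSP-disabled eval stays enabled) is my illustration of why an RAII object is the safer shape, not a bug the entry reports.

```cpp
#include <cstdio>
#include <stdexcept>

// Constructed stand-in for a JSGlobalObject whose eval was disabled by CSP.
struct GlobalObject {
    bool evalEnabled = false;
    void setEvalEnabled(bool enabled) { evalEnabled = enabled; }
};

// Constructed stand-in for ExecState; callers may pass a null pointer, mirroring
// the NOTE in the entry about ScriptObject::scriptState() being null.
struct ExecState {
    explicit ExecState(GlobalObject* global) : globalObject(global) {}
    GlobalObject* lexicalGlobalObject() const { return globalObject; }
    GlobalObject* globalObject;
};

// RAII guard: enables eval for the lifetime of the object and restores the
// previous state in the destructor, which runs on return and on unwinding.
class ScopedEvalEnabler {
public:
    explicit ScopedEvalEnabler(ExecState* exec) : m_exec(exec)
    {
        if (!m_exec)
            return;
        GlobalObject* global = m_exec->lexicalGlobalObject();
        m_wasEnabled = global->evalEnabled;
        global->setEvalEnabled(true);
    }
    ~ScopedEvalEnabler()
    {
        if (!m_exec)
            return;
        m_exec->lexicalGlobalObject()->setEvalEnabled(m_wasEnabled);
    }
    ScopedEvalEnabler(const ScopedEvalEnabler&) = delete;
    ScopedEvalEnabler& operator=(const ScopedEvalEnabler&) = delete;

private:
    ExecState* m_exec;
    bool m_wasEnabled = false;
};

// Stand-in for running a breakpoint action: refuses if eval is disabled and
// optionally throws, as script evaluation in a debugger may.
inline void runBreakpointAction(ExecState* exec, bool shouldThrow)
{
    if (!exec->lexicalGlobalObject()->evalEnabled)
        throw std::runtime_error("eval blocked by CSP");
    if (shouldThrow)
        throw std::runtime_error("breakpoint action threw");
}

// Manual set/reset: the restore line is never reached when the action throws.
inline bool evaluateManual(ExecState* exec, bool shouldThrow)
{
    GlobalObject* global = exec->lexicalGlobalObject();
    bool wasEnabled = global->evalEnabled;
    global->setEvalEnabled(true);
    runBreakpointAction(exec, shouldThrow);
    global->setEvalEnabled(wasEnabled);
    return true;
}

// RAII version: the guard's destructor restores the flag on every exit path.
inline bool evaluateScoped(ExecState* exec, bool shouldThrow)
{
    ScopedEvalEnabler enabler(exec);
    runBreakpointAction(exec, shouldThrow);
    return true;
}

// Runs an evaluation that throws and reports the eval flag left behind.
inline bool evalStateAfterThrow(bool useScoped)
{
    GlobalObject global;
    ExecState exec(&global);
    try {
        if (useScoped)
            evaluateScoped(&exec, true);
        else
            evaluateManual(&exec, true);
    } catch (const std::runtime_error&) {
        // the action failed; what matters is the state we leave behind
    }
    return global.evalEnabled;
}

int main()
{
    std::printf("manual reset, eval left enabled after throw: %d\n", evalStateAfterThrow(false));
    std::printf("RAII guard,   eval left enabled after throw: %d\n", evalStateAfterThrow(true));
    return 0;
}
```

The guard is non-copyable so the restore cannot run twice or from the wrong scope; the null check in its constructor and destructor keeps the behaviour the entry describes for a null ExecState.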
2632
2633 2014-09-05  peavo@outlook.com  <peavo@outlook.com>
2634
2635         [WinCairo] jsc.exe won't run.
2636         https://bugs.webkit.org/show_bug.cgi?id=136481
2637
2638         Reviewed by Alex Christensen.
2639         
2640         We need to define WIN_CAIRO to avoid looking for the AAS folder.
2641
2642         * JavaScriptCore.vcxproj/jsc/DLLLauncherWinCairo.props: Added.
2643         * JavaScriptCore.vcxproj/jsc/jscLauncher.vcxproj:
2644         * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncher.vcxproj:
2645         * JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props:
2646         * JavaScriptCore.vcxproj/testapi/testapiLauncher.vcxproj:
2647
2648 2014-09-05  David Kilzer  <ddkilzer@apple.com>
2649
2650         JavaScriptCore should build with newer clang
2651         <http://webkit.org/b/136002>
2652         <rdar://problem/18020616>
2653
2654         Reviewed by Geoffrey Garen.
2655
2656         Other than the JSC::SourceProvider::asID() change (which simply
2657         removes code that the optimizing compiler would have discarded
2658         in Release builds), we move the |this| checks in OpaqueJSString
2659         to NULL checks in to JSBase, JSObjectRef, JSScriptRef,
2660         JSStringRef{CF} and JSValueRef.
2661
2662         Note that the following function arguments are _not_ NULL-checked
2663         since doing so would just cover up bugs (and were not needed to
2664         prevent any tests from failing):
2665         - |script| in JSEvaluateScript(), JSCheckScriptSyntax();
2666         - |body| in JSObjectMakeFunction();
2667         - |source| in JSScriptCreateReferencingImmortalASCIIText()
2668           (which is a const char* anyway);
2669         - |source| in JSScriptCreateFromString().
2670
2671         * API/JSBase.cpp:
2672         (JSEvaluateScript): Add NULL check for |sourceURL|.
2673         (JSCheckScriptSyntax): Ditto.
2674         * API/JSObjectRef.cpp:
2675         (JSObjectMakeFunction): Ditto.
2676         * API/JSScriptRef.cpp:
2677         (JSScriptCreateReferencingImmortalASCIIText): Ditto.
2678         (JSScriptCreateFromString): Add NULL check for |url|.
2679         * API/JSStringRef.cpp:
2680         (JSStringGetLength): Return early if NULL pointer is passed in.
2681         (JSStringGetCharactersPtr): Ditto.
2682         (JSStringGetUTF8CString): Ditto.  Also check |buffer| parameter.
2683         * API/JSStringRefCF.cpp:
2684         (JSStringCopyCFString): Ditto.
2685         * API/JSValueRef.cpp:
2686         (JSValueMakeString): Add NULL check for |string|.
2687
2688         * API/OpaqueJSString.cpp:
2689         (OpaqueJSString::string): Remove code that checks |this|.
2690         (OpaqueJSString::identifier): Ditto.
2691         (OpaqueJSString::characters): Ditto.
2692         * API/OpaqueJSString.h:
2693         (OpaqueJSString::is8Bit): Remove code that checks |this|.
2694         (OpaqueJSString::characters8): Ditto.
2695         (OpaqueJSString::characters16): Ditto.
2696         (OpaqueJSString::length): Ditto.
2697
2698         * parser/SourceProvider.h:
2699         (JSC::SourceProvider::asID): Remove code that checks |this|.
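
Added illustration, not JavaScriptCore's code, of the pattern the entry above describes: the NULL check belongs in the C API entry point that receives the opaque handle, not in a member function that tests |this|. OpaqueString, StringRef and the StringGet* functions are constructed stand-ins modelled on the JSStringRef functions named in the entry; the "before" member is kept only as a comment because calling a member function through a null pointer is undefined behaviour and a newer compiler is entitled to delete the `if (!this)` test.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>

// Constructed stand-in for the object behind an opaque string handle.
struct OpaqueString {
    std::string value;

    // Before: guarded against a null |this|. Undefined behaviour, so the guard
    // may be optimised away and the caller's null pointer reaches `value`.
    // size_t length() const { if (!this) return 0; return value.size(); }

    // After: members assume a live object; the API boundary guarantees it.
    size_t length() const { return value.size(); }
    const char* characters() const { return value.c_str(); }
};

typedef const OpaqueString* StringRef;

// API entry points validate the handle once and return early on NULL.
inline size_t StringGetLength(StringRef string)
{
    if (!string)
        return 0;
    return string->length();
}

inline const char* StringGetCharactersPtr(StringRef string)
{
    if (!string)
        return nullptr;
    return string->characters();
}

// The output buffer is validated too, as the entry notes for JSStringGetUTF8CString.
// Returns the number of bytes written including the terminator, or 0 on failure.
inline size_t StringGetUTF8CString(StringRef string, char* buffer, size_t bufferSize)
{
    if (!string || !buffer || bufferSize == 0)
        return 0;
    size_t length = string->length();
    size_t toCopy = length < bufferSize - 1 ? length : bufferSize - 1;
    std::memcpy(buffer, string->characters(), toCopy);
    buffer[toCopy] = '\0';
    return toCopy + 1;
}

int main()
{
    OpaqueString s;
    s.value = "hello";
    char buffer[4];
    std::printf("length: %zu, null length: %zu\n", StringGetLength(&s), StringGetLength(nullptr));
    std::printf("copied %zu bytes: \"%s\"\n", StringGetUTF8CString(&s, buffer, sizeof buffer), buffer);
    return 0;
}
```

Checking the handle at the boundary keeps the contract in one place: every member below it can be written without defensive tests that the optimiser is free to discard.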
2700
2701 2014-06-06  Jer Noble  <jer.noble@apple.com>
2702
2703         Refactoring: make MediaTime the primary time type for audiovisual times.
2704         https://bugs.webkit.org/show_bug.cgi?id=133579
2705
2706         Reviewed by Eric Carlson.
2707
2708         Add a utility function which converts a MediaTime to a JSNumber.
2709
2710         * runtime/JSCJSValue.h:
2711         (JSC::jsNumber):
2712
2713 2014-09-04  Michael Saboff  <msaboff@apple.com>
2714
2715         ARM: Add more coverage to ARMv7 disassembler
2716         https://bugs.webkit.org/show_bug.cgi?id=136565
2717
2718         Reviewed by Mark Lam.
2719
2720         Added ARMV7 disassembler support for Push/Pop multiple and floating point instructions
2721         VCMP, VCVT[R] between floating point and integer, and VLDR.
2722
2723         * disassembler/ARMv7/ARMv7DOpcode.cpp:
2724         (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::appendRegisterList):
2725         (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPopMultiple::format):
2726         (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushMultiple::format):
2727         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::format):
2728         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::format):
2729         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::format):
2730         * disassembler/ARMv7/ARMv7DOpcode.h:
2731         (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::registerList):
2732         (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::condition):
2733         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::condition):
2734         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::dBit):
2735         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::vd):
2736         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::szBit):
2737         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::eBit):
2738         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::mBit):
2739         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::vm):
2740         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::condition):
2741         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::dBit):
2742         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::op2):
2743         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::vd):
2744         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::szBit):
2745         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::op):
2746         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::mBit):
2747         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::vm):
2748         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::condition):
2749         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::uBit):
2750         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::rn):
2751         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::vd):
2752         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::doubleReg):
2753         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::immediate8):
2754
2755 2014-09-04  Mark Lam  <mark.lam@apple.com>
2756
2757         Move PropertySlot's inline functions back to PropertySlot.h.
2758         <https://webkit.org/b/136547>
2759
2760         Reviewed by Filip Pizlo.
2761
2762         * runtime/JSObject.h:
2763         (JSC::PropertySlot::getValue): Deleted.
2764         * runtime/PropertySlot.h:
2765         (JSC::PropertySlot::getValue):
2766
2767 2014-09-04  Filip Pizlo  <fpizlo@apple.com>
2768
2769         Make sure that deleting all code first processes the call edge log, and reenable call edge profiling.
2770
2771         Rubber stamped by Sam Weinig.
2772
2773         * debugger/Debugger.cpp:
2774         (JSC::Debugger::forEachCodeBlock):
2775         (JSC::Debugger::setSteppingMode):
2776         (JSC::Debugger::recompileAllJSFunctions):
2777         * inspector/agents/InspectorRuntimeAgent.cpp:
2778         (Inspector::recompileAllJSFunctionsForTypeProfiling):
2779         * runtime/Options.h: Reenable call edge profiling.
2780         * runtime/VM.cpp:
2781         (JSC::VM::prepareToDiscardCode): Make sure this also processes the call edge log, in case any call edge profiles are about to be destroyed.
2782         (JSC::VM::discardAllCode):
2783         (JSC::VM::releaseExecutableMemory):
2784         (JSC::VM::setEnabledProfiler):
2785         (JSC::VM::waitForCompilationsToComplete): Deleted.
2786         * runtime/VM.h: Rename waitForCompilationsToComplete() back to prepareToDiscardCode() because the purpose of the method - now as ever - is to do all of the things that need to be done to ensure that code may be safely deleted.
2787
2788 2014-09-04  Akos Kiss  <akiss@inf.u-szeged.hu>
2789
2790         Ensure that the call frame set up by vmEntryToNative does not overlap with the stack of the callee
2791         https://bugs.webkit.org/show_bug.cgi?id=136485
2792
2793         Reviewed by Michael Saboff.
2794
2795         Changed makeHostFunctionCall to keep the stack pointer above the call
2796         frame set up by doVMEntry. Thus the callee will/can not override the top
2797         of the call frame.
2798
2799         Refactored the two (32_64 and 64) versions of makeHostFunctionCall to be
2800         more alike to help future maintenance.
2801
2802         * llint/LowLevelInterpreter32_64.asm:
2803         * llint/LowLevelInterpreter64.asm:
2804
2805 2014-09-04  Michael Saboff  <msaboff@apple.com>
2806
2807         REGRESSION(r173031): crashes during run-layout-jsc on x86/Linux
2808         https://bugs.webkit.org/show_bug.cgi?id=136436
2809
2810         Reviewed by Geoffrey Garen.
2811
2812         Instead of trying to calculate a stack pointer that allows for possible
2813         stacked argument space, just use the "home" stack pointer location.
2814         That stack pointer provides space for the worst case number of stacked
2815         arguments on architectures that use stacked arguments.  It also provides
2816         stack space so that the return PC and caller frame pointer that are stored
2817         as part of making the call to operationCallEval will not override any part
2818         of the callee frame created on the stack.
2819
2820         Changed compileCallEval() to use the stackPointer value of the calling
2821         function.  That stack pointer is calculated to have enough space for
2822         outgoing stacked arguments.  By moving the stack pointer to its "home"
2823         position, the caller frame and return PC are not set as part of making
2824         the call to operationCallEval().  Moved the explicit setting of the
2825         callerFrame field of the callee CallFrame from operationCallEval() to
2826         compileCallEval() since it has been the artifact of making a call for
2827         most architectures.  Simplified the exception logic in compileCallEval()
2828         as a result of the change.  To be compliant with the stack state
2829         expected by virtualCallThunkGenerator(), moved the stack pointer to
2830         point above the CallerFrameAndPC of the callee CallFrame.
2831
2832         * jit/JIT.h: Changed callOperationNoExceptionCheck(J_JITOperation_EE, ...)
2833         to callOperation(J_JITOperation_EE, ...) as it now can do a typical exception
2834         check.
2835         * jit/JITCall.cpp & jit/JITCall32_64.cpp:
2836         (JSC::JIT::compileCallEval): Use the home stack pointer when making the call
2837         to operationCallEval.  Since the stack pointer adjustment no longer needs
2838         to be done after making the call to operationCallEval(), the exception check
2839         logic can be simplified.
2840         (JSC::JIT::compileCallEvalSlowCase): Restored the stack pointer to point
2841         to above the calleeFrame as this is what the generated thunk expects.
2842         * jit/JITInlines.h:
2843         (JSC::JIT::callOperation): Refactor of callOperationNoExceptionCheck
2844         with the addition of a standard exception check.
2845         (JSC::JIT::callOperationNoExceptionCheck): Deleted.
2846         * jit/JITOperations.cpp:
2847         (JSC::operationCallEval): Eliminated the explicit setting of caller frame
2848         as that is now done in the code generated by compileCallEval().
2849
2850 2014-09-03  Filip Pizlo  <fpizlo@apple.com>
2851
2852         Beef up the DFG's CFG analyses to include iterated dominance frontiers and more user-friendly BlockSets
2853         https://bugs.webkit.org/show_bug.cgi?id=136520
2854
2855         Reviewed by Geoffrey Garen.
2856         
2857         Add code to compute iterated dominance frontiers. This involves using BlockSet a lot, so
2858         this patch also makes BlockSet a lot more user-friendly.
2859
2860         * CMakeLists.txt:
2861         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2862         * JavaScriptCore.xcodeproj/project.pbxproj:
2863         * dfg/DFGBasicBlock.h:
2864         * dfg/DFGBlockSet.cpp: Added.
2865         (JSC::DFG::BlockSet::dump):
2866         * dfg/DFGBlockSet.h:
2867         (JSC::DFG::BlockSet::iterator::iterator):
2868         (JSC::DFG::BlockSet::iterator::operator++):
2869         (JSC::DFG::BlockSet::iterator::operator==):
2870         (JSC::DFG::BlockSet::iterator::operator!=):
2871         (JSC::DFG::BlockSet::Iterable::Iterable):
2872         (JSC::DFG::BlockSet::Iterable::begin):
2873         (JSC::DFG::BlockSet::Iterable::end):
2874         (JSC::DFG::BlockSet::iterable):
2875         (JSC::DFG::BlockAdder::BlockAdder):
2876         (JSC::DFG::BlockAdder::operator()):
2877         * dfg/DFGBlockSetInlines.h: Added.
2878         (JSC::DFG::BlockSet::iterator::operator*):
2879         * dfg/DFGDominators.cpp:
2880         (JSC::DFG::Dominators::strictDominatorsOf):
2881         (JSC::DFG::Dominators::dominatorsOf):
2882         (JSC::DFG::Dominators::blocksStrictlyDominatedBy):
2883         (JSC::DFG::Dominators::blocksDominatedBy):
2884         (JSC::DFG::Dominators::dominanceFrontierOf):
2885         (JSC::DFG::Dominators::iteratedDominanceFrontierOf):
2886         * dfg/DFGDominators.h:
2887         (JSC::DFG::Dominators::forAllStrictDominatorsOf):
2888         (JSC::DFG::Dominators::forAllDominatorsOf):
2889         (JSC::DFG::Dominators::forAllBlocksStrictlyDominatedBy):
2890         (JSC::DFG::Dominators::forAllBlocksDominatedBy):
2891         (JSC::DFG::Dominators::forAllBlocksInDominanceFrontierOf):
2892         (JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOf):
2893         (JSC::DFG::Dominators::forAllBlocksInDominanceFrontierOfImpl):
2894         (JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOfImpl):
2895         * dfg/DFGGraph.cpp:
2896         (JSC::DFG::Graph::dumpBlockHeader):
2897         * dfg/DFGInvalidationPointInjectionPhase.cpp:
2898         (JSC::DFG::InvalidationPointInjectionPhase::run):
2899
2900 2014-09-04  Mark Lam  <mark.lam@apple.com>
2901
2902         Fixed indentations and some style warnings in JavaScriptCore/runtime.
2903         <https://webkit.org/b/136518>
2904
2905         Reviewed by Michael Saboff.
2906
2907         Also removed some superfluous spaces.  There are no semantic changes.
2908
2909         * runtime/Completion.h:
2910         * runtime/ConstructData.h:
2911         * runtime/DateConstructor.h:
2912         * runtime/DateInstance.h:
2913         * runtime/DateInstanceCache.h:
2914         * runtime/DatePrototype.h:
2915         * runtime/Error.h:
2916         * runtime/ErrorConstructor.h:
2917         * runtime/ErrorInstance.h:
2918         * runtime/ErrorPrototype.h:
2919         * runtime/FunctionConstructor.h:
2920         * runtime/FunctionPrototype.h:
2921         * runtime/GetterSetter.h:
2922         * runtime/Identifier.h:
2923         * runtime/InitializeThreading.h:
2924         * runtime/InternalFunction.h:
2925         * runtime/JSAPIValueWrapper.h:
2926         * runtime/JSFunction.h:
2927         * runtime/JSLock.h:
2928         * runtime/JSNotAnObject.h:
2929         * runtime/JSONObject.h:
2930         * runtime/JSString.h:
2931         * runtime/JSTypeInfo.h:
2932         * runtime/JSWrapperObject.h:
2933         * runtime/Lookup.h:
2934         * runtime/MathObject.h:
2935         * runtime/NativeErrorConstructor.h:
2936         * runtime/NativeErrorPrototype.h:
2937         * runtime/NumberConstructor.h:
2938         * runtime/NumberObject.h:
2939         * runtime/NumberPrototype.h:
2940         * runtime/NumericStrings.h:
2941         * runtime/ObjectConstructor.h:
2942         * runtime/ObjectPrototype.h:
2943         * runtime/PropertyDescriptor.h:
2944         * runtime/Protect.h:
2945         * runtime/PutPropertySlot.h:
2946         * runtime/RegExp.h:
2947         * runtime/RegExpCachedResult.h:
2948         * runtime/RegExpConstructor.h:
2949         * runtime/RegExpMatchesArray.h:
2950         * runtime/RegExpObject.h:
2951         * runtime/RegExpPrototype.h:
2952         * runtime/SmallStrings.h:
2953         * runtime/StringConstructor.h:
2954         * runtime/StringObject.h:
2955         * runtime/StringPrototype.h:
2956         * runtime/StructureChain.h:
2957         * runtime/VM.h:
2958
2959 2014-09-04  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>
2960
2961         Remove CSS_FILTERS flag
2962         https://bugs.webkit.org/show_bug.cgi?id=136529
2963
2964         Reviewed by Dirk Schulze.
2965
2966         * Configurations/FeatureDefines.xcconfig:
2967
2968 2014-09-04  Commit Queue  <commit-queue@webkit.org>
2969
2970         Unreviewed, rolling out r173248.
2971         https://bugs.webkit.org/show_bug.cgi?id=136536
2972
2973         call edge profiling and polymorphic call inlining are still
2974         causing crashes (Requested by eric_carlson on #webkit).
2975
2976         Reverted changeset:
2977
2978         "Reenable call edge profiling and polymorphic call inlining,
2979         now that a bunch of the bugs"
2980         http://trac.webkit.org/changeset/173248
2981
2982 2014-09-04  Brian J. Burg  <burg@cs.washington.edu>
2983
2984         Web Inspector: the profiler should not accrue time to nodes while the debugger is paused
2985         https://bugs.webkit.org/show_bug.cgi?id=136352
2986
2987         Reviewed by Timothy Hatcher.
2988
2989         Hook up pause/continue events to the LegacyProfiler and any active
2990         ProfilerGenerators. If the debugger is paused, all intervening call
2991         entries will be created with totalTime as 0.0.
2992
2993         * inspector/ScriptDebugServer.cpp:
2994         (Inspector::ScriptDebugServer::handlePause):
2995         * profiler/LegacyProfiler.cpp: Move from typedef'd callbacks to using
2996         std::function. This allows callbacks to take different argument types.
2997
2998         (JSC::callFunctionForProfilesWithGroup):
2999         (JSC::LegacyProfiler::willExecute):
3000         (JSC::LegacyProfiler::didExecute):
3001         (JSC::LegacyProfiler::exceptionUnwind):
3002         (JSC::LegacyProfiler::didPause):
3003         (JSC::LegacyProfiler::didContinue):
3004         (JSC::dispatchFunctionToProfiles): Deleted.
3005         * profiler/LegacyProfiler.h:
3006         * profiler/ProfileGenerator.cpp:
3007         (JSC::ProfileGenerator::ProfileGenerator):
3008         (JSC::ProfileGenerator::endCallEntry):
3009         (JSC::ProfileGenerator::didExecute): Deleted.
3010         * profiler/ProfileGenerator.h:
3011         (JSC::ProfileGenerator::didPause):
3012         (JSC::ProfileGenerator::didContinue):
3013
3014 2014-09-04  Commit Queue  <commit-queue@webkit.org>
3015
3016         Unreviewed, rolling out r173245.
3017         https://bugs.webkit.org/show_bug.cgi?id=136533
3018
3019         Broke JSC tests. (Requested by ddkilzer on #webkit).
3020
3021         Reverted changeset:
3022
3023         "JavaScriptCore should build with newer clang"
3024         https://bugs.webkit.org/show_bug.cgi?id=136002
3025         http://trac.webkit.org/changeset/173245
3026
3027 2014-09-04  Brian J. Burg  <burg@cs.washington.edu>
3028
3029         LegacyProfiler: ProfileNodes should be used more like structs
3030         https://bugs.webkit.org/show_bug.cgi?id=136381
3031
3032         Reviewed by Timothy Hatcher.
3033
3034         Previously, both the profile generator and individual profile nodes
3035         were collectively responsible for creating new Call entries and
3036         maintaining data structure invariants. This complexity is unnecessary.
3037
3038         This patch centralizes profile data creation inside the profile generator.
3039         The profile nodes manage nextSibling and parent pointers, but do not
3040         collect the current time or create new Call entries themselves.
3041
3042         Since ProfileNode::nextSibling and its callers are only used within
3043         debug printing code, it should be compiled out for release builds.
3044
3045         * profiler/ProfileGenerator.cpp:
3046         (JSC::ProfileGenerator::ProfileGenerator):
3047         (JSC::AddParentForConsoleStartFunctor::operator()):
3048         (JSC::ProfileGenerator::beginCallEntry): create a new Call entry.
3049         (JSC::ProfileGenerator::endCallEntry): finish the last Call entry.
3050         (JSC::ProfileGenerator::willExecute): inline ProfileNode::willExecute()
3051         (JSC::ProfileGenerator::didExecute): inline ProfileNode::didExecute()
3052         (JSC::ProfileGenerator::stopProfiling): Only walk up the spine.
3053         (JSC::ProfileGenerator::removeProfileStart):
3054         (JSC::ProfileGenerator::removeProfileEnd):
3055         * profiler/ProfileGenerator.h:
3056         * profiler/ProfileNode.cpp:
3057         (JSC::ProfileNode::ProfileNode):
3058         (JSC::ProfileNode::addChild):
3059         (JSC::ProfileNode::removeChild):
3060         (JSC::ProfileNode::spliceNode): Renamed from insertNode.
3061         (JSC::ProfileNode::debugPrintRecursively):
3062         (JSC::ProfileNode::willExecute): Deleted.
3063         (JSC::ProfileNode::insertNode): Deleted.
3064         (JSC::ProfileNode::stopProfiling): Deleted.
3065         (JSC::ProfileNode::traverseNextNodePostOrder):
3066         (JSC::ProfileNode::endAndRecordCall): Deleted.
3067         (JSC::ProfileNode::debugPrintDataSampleStyle):
3068         * profiler/ProfileNode.h:
3069         (JSC::ProfileNode::Call::setStartTime):
3070         (JSC::ProfileNode::Call::setTotalTime):
3071         (JSC::ProfileNode::appendCall):
3072         (JSC::ProfileNode::firstChild):
3073         (JSC::ProfileNode::lastChild):
3074         (JSC::ProfileNode::nextSibling):
3075         (JSC::ProfileNode::setNextSibling):
3076
3077 2014-09-02  Brian J. Burg  <burg@cs.washington.edu>
3078
3079         Web Inspector: fix prefixes for subclasses of JSC::ConsoleClient
3080         https://bugs.webkit.org/show_bug.cgi?id=136476
3081
3082         Reviewed by Timothy Hatcher.
3083
3084         * CMakeLists.txt:
3085         * JavaScriptCore.xcodeproj/project.pbxproj:
3086         * inspector/JSGlobalObjectConsoleClient.cpp: Renamed from Source/JavaScriptCore/inspector/JSConsoleClient.cpp.
3087         * inspector/JSGlobalObjectConsoleClient.h: Renamed from Source/JavaScriptCore/inspector/JSConsoleClient.h.
3088         * inspector/JSGlobalObjectInspectorController.cpp:
3089         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3090         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
3091         * inspector/JSGlobalObjectInspectorController.h:
3092
3093 2014-09-03  Filip Pizlo  <fpizlo@apple.com>
3094
3095         Reenable call edge profiling and polymorphic call inlining, now that a bunch of the bugs
3096         are fixed.
3097
3098         * runtime/Options.h:
3099
3100 2014-09-03  David Kilzer  <ddkilzer@apple.com>
3101
3102         JavaScriptCore should build with newer clang
3103         <http://webkit.org/b/136002>
3104         <rdar://problem/18020616>
3105
3106         Reviewed by Geoffrey Garen.
3107
3108         Other than the JSC::SourceProvider::asID() change (which simply
3109         removes code that the optimizing compiler would have discarded
3110         in Release builds), we move the |this| checks in OpaqueJSString
3111         to NULL checks in to JSBase, JSScriptRef, JSStringRef{CF} and
3112         JSValueRef.
3113
3114         * API/JSBase.cpp:
3115         (JSEvaluateScript): Use String() in case |script| or |sourceURL|
3116         are NULL.
3117         * API/JSScriptRef.cpp:
3118         (JSScriptCreateReferencingImmortalASCIIText): Use String() in
3119         case |url| is NULL.
3120         * API/JSStringRef.cpp:
3121         (JSStringGetLength): Return early if NULL pointer is passed in.
3122         (JSStringGetCharactersPtr): Ditto.
3123         (JSStringGetUTF8CString): Ditto.  Also check |buffer| parameter.
3124         * API/JSStringRefCF.cpp:
3125         (JSStringCopyCFString): Ditto.
3126         * API/JSValueRef.cpp:
3127         (JSValueMakeString): Use String() in case |string| is NULL.
3128
3129         * API/OpaqueJSString.cpp:
3130         (OpaqueJSString::string): Remove code that checks |this|.
3131         (OpaqueJSString::identifier): Ditto.
3132         (OpaqueJSString::characters): Ditto.
3133         * API/OpaqueJSString.h:
3134         (OpaqueJSString::is8Bit): Remove code that checks |this|.
3135         (OpaqueJSString::characters8): Ditto.
3136         (OpaqueJSString::characters16): Ditto.
3137         (OpaqueJSString::length): Ditto.
3138
3139         * parser/SourceProvider.h:
3140         (JSC::SourceProvider::asID): Remove code that checks |this|.
3141
3142 2014-09-03  Filip Pizlo  <fpizlo@apple.com>
3143
3144         CallEdgeProfile::visitWeak() shouldn't attempt to despecify empty profiles
3145         https://bugs.webkit.org/show_bug.cgi?id=136511
3146
3147         Reviewed by Geoffrey Garen.
3148
3149         * bytecode/CallEdgeProfile.cpp:
3150         (JSC::CallEdgeProfile::worthDespecifying):
3151         (JSC::CallEdgeProfile::visitWeak):
3152         (JSC::CallEdgeProfile::mergeBack):
3153
3154 2014-09-03  David Kilzer  <ddkilzer@apple.com>
3155
3156         REGRESSION (r167325): (null) entry added to Xcode project file when JSBoundFunction.h was removed
3157         <http://webkit.org/b/136509>
3158
3159         Reviewed by Daniel Bates.
3160
3161         * JavaScriptCore.xcodeproj/project.pbxproj: Remove the (null)
3162         entry left behind when JSBoundFunction.h was removed.
3163
3164 2014-09-03  Joseph Pecoraro  <pecoraro@apple.com>
3165
3166         Avoid warning if a process does not have access to com.apple.webinspector
3167         https://bugs.webkit.org/show_bug.cgi?id=136473
3168
3169         Reviewed by Alexey Proskuryakov.
3170
3171         Pre-check for access to the mach port to avoid emitting warnings
3172         in syslog for processes that do not have access.
3173
3174         * inspector/remote/RemoteInspector.mm:
3175         (Inspector::canAccessWebInspectorMachPort):
3176         (Inspector::RemoteInspector::shared):
3177
3178 2014-09-03  Filip Pizlo  <fpizlo@apple.com>
3179
3180         Temporarily disable call edge profiling. It is causing crashes and I'm still investigating
3181         them.
3182
3183         * runtime/Options.h:
3184
3185 2014-09-03  Balazs Kilvady  <kilvadyb@homejinni.com>
3186
3187         [MIPS] Wrong register usage in LLInt op_catch.
3188         https://bugs.webkit.org/show_bug.cgi?id=125168
3189
3190         Reviewed by Geoffrey Garen.
3191
3192         Fix register usage and add PIC header to all the ops in LLInt.
3193
3194         * offlineasm/instructions.rb:
3195         * offlineasm/mips.rb:
3196
3197 2014-09-03  Saam Barati  <saambarati1@gmail.com>
3198
3199         Create tests for type profiling
3200         https://bugs.webkit.org/show_bug.cgi?id=136161
3201
3202         Reviewed by Geoffrey Garen.
3203
3204         The type profiler is now being tested. These are basic tests that don't 
3205         check every edge case, but will catch any major failures in the type profiler. 
3206         These tests cover:
3207         - The basic, inheritance-based type system in TypeSet.
3208         - Function return types.
3209         - Correct merging of types for multiple assignments to one variable.
3210
3211         This patch also provides an API for writing new tests for
3212         the type profiler. The API works by passing in a function and a 
3213         unique substring of an expression contained in that function, and 
3214         returns an object representing type information for that expression.
3215
3216         * jsc.cpp:
3217         (GlobalObject::finishCreation):
3218         (functionFindTypeForExpression):
3219         (functionReturnTypeFor):
3220         * runtime/TypeProfiler.cpp:
3221         (JSC::TypeProfiler::typeInformationForExpressionAtOffset):
3222         * runtime/TypeProfiler.h:
3223         * runtime/TypeProfilerLog.h:
3224         * runtime/TypeSet.cpp:
3225         (JSC::TypeSet::toJSONString):
3226         (JSC::StructureShape::toJSONString):
3227         * runtime/TypeSet.h:
3228         * tests/typeProfiler: Added.
3229         * tests/typeProfiler.yaml: Added.
3230         * tests/typeProfiler/basic.js: Added.
3231         (wrapper.foo):
3232         (wrapper):
3233         * tests/typeProfiler/captured.js: Added.
3234         (wrapper.changeFoo):
3235         (wrapper):
3236         * tests/typeProfiler/driver: Added.
3237         * tests/typeProfiler/driver/driver.js: Added.
3238         (assert):
3239         * tests/typeProfiler/inheritance.js: Added.
3240         (wrapper.A):
3241         (wrapper.B):
3242         (wrapper.C):
3243         (wrapper):
3244         * tests/typeProfiler/return.js: Added.
3245         (foo):
3246         (Ctor):
3247
3248 2014-09-03  Julien Brianceau  <jbriance@cisco.com>
3249
3250         Add missing implementations to fix build for sh4 architecture
3251         https://bugs.webkit.org/show_bug.cgi?id=136455
3252
3253         Reviewed by Geoffrey Garen.
3254
3255         * assembler/MacroAssemblerSH4.h:
3256         (JSC::MacroAssemblerSH4::store8):
3257         (JSC::MacroAssemblerSH4::moveWithPatch):
3258         (JSC::MacroAssemblerSH4::branchAdd32):
3259         (JSC::MacroAssemblerSH4::branch32WithPatch):
3260         (JSC::MacroAssemblerSH4::abortWithReason):
3261         (JSC::MacroAssemblerSH4::canJumpReplacePatchableBranch32WithPatch):
3262         (JSC::MacroAssemblerSH4::startOfPatchableBranch32WithPatchOnAddress):
3263         (JSC::MacroAssemblerSH4::revertJumpReplacementToPatchableBranch32WithPatch):
3264         * jit/AssemblyHelpers.h:
3265         (JSC::AssemblyHelpers::emitFunctionPrologue):
3266         (JSC::AssemblyHelpers::emitFunctionEpilogue):
3267
3268 2014-09-03  Dan Bernstein  <mitz@apple.com>
3269
3270         Get rid of HIGH_DPI_CANVAS leftovers
3271         https://bugs.webkit.org/show_bug.cgi?id=136491
3272
3273         Reviewed by Benjamin Poulain.
3274
3275         * Configurations/FeatureDefines.xcconfig: Removed definition of ENABLE_HIGH_DPI_CANVAS
3276         and removed it from FEATURE_DEFINES.
3277
3278 2014-09-03  Filip Pizlo  <fpizlo@apple.com>
3279
3280         CallEdgeProfile::visitWeak() should gracefully handle the case where primaryCallee duplicates an entry in otherCallees
3281         https://bugs.webkit.org/show_bug.cgi?id=136490
3282
3283         Reviewed by Geoffrey Garen.
3284
3285         * bytecode/CallEdgeProfile.cpp:
3286         (JSC::CallEdgeProfile::visitWeak):
3287
3288 2014-09-03  Filip Pizlo  <fpizlo@apple.com>
3289
3290         FTL In implementation sets callReturnLocation incorrectly leading to crashes beneath repatchCall()
3291         https://bugs.webkit.org/show_bug.cgi?id=136488
3292
3293         Reviewed by Mark Hahnenberg.
3294
3295         * ftl/FTLCompile.cpp:
3296         (JSC::FTL::generateCheckInICFastPath): The call is in the slow path.
3297         * tests/stress/ftl-in-overflow.js: Added. This used to crash with 100% with FTL enabled.
3298         (foo):
3299
3300 2014-09-03  Akos Kiss  <akiss@inf.u-szeged.hu>
3301
3302         Don't generate superfluous mov instructions for move immediate on ARM64.
3303         https://bugs.webkit.org/show_bug.cgi?id=136435
3304
3305         Reviewed by Michael Saboff.
3306
3307         On ARM64, the size of an immediate operand for a mov instruction is 16
3308         bits. Thus, a move immediate offlineasm instruction may potentially be
3309         split up to several machine level instructions. The current
3310         implementation always emits a mov for the least significant 16 bits of
3311         the value. However, if any of the bits 63:16 are significant then the
3312         first emitted mov already filled bits 15:0 with zeroes (or ones, for
3313         negative values). So, if bits 15:0 of the value are all zeroes (or ones)
3314         then the last mov does not need to be emitted.
3315
3316         * offlineasm/arm64.rb:
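
        As an added example (not offlineasm's own code), the chunking rule described above in Ruby, plus a small simulator that confirms the elided mov really was redundant; the names arm64_move_immediate, arm64_simulate and the register x0 are this example's own.

```ruby
# Added illustration, not JavaScriptCore's offlineasm code: split a 64-bit
# immediate into the shortest movz/movn + movk sequence for ARM64. movz clears
# every 16-bit chunk it does not write and movn sets them to ones, so a chunk
# equal to that fill pattern needs no movk; the fix above applies this rule to
# bits 15:0 as well instead of always emitting a mov for them.
MASK64 = 0xffff_ffff_ffff_ffff

def arm64_move_immediate(value, reg = "x0")
  unless (-(1 << 63)...(1 << 64)).cover?(value)
    raise ArgumentError, "#{value} does not fit in 64 bits"
  end
  negative = value < 0
  bits = value & MASK64             # two's complement view of the value
  fill = negative ? 0xffff : 0x0000 # what movn/movz leave in the other chunks
  insns = []
  [48, 32, 16, 0].each do |shift|
    chunk = (bits >> shift) & 0xffff
    if insns.empty?
      # First instruction: skip fill-pattern chunks, but bits 15:0 must be
      # emitted when nothing else was (e.g. the values 0 and -1).
      next if chunk == fill && shift != 0
      if negative
        insns << "movn #{reg}, ##{(~chunk) & 0xffff}, lsl ##{shift}"
      else
        insns << "movz #{reg}, ##{chunk}, lsl ##{shift}"
      end
    else
      # Later chunks already hold the fill pattern. The pre-fix behaviour
      # described above emitted the shift == 0 chunk here unconditionally.
      next if chunk == fill
      insns << "movk #{reg}, ##{chunk}, lsl ##{shift}"
    end
  end
  insns
end

# Interpret the sequence the way the CPU would, to check the elision is sound.
def arm64_simulate(insns)
  reg = 0
  insns.each do |insn|
    m = insn.match(/\A(movz|movn|movk) \w+, #(\d+), lsl #(\d+)\z/)
    raise "unrecognised instruction: #{insn}" unless m
    op, imm, shift = m[1], m[2].to_i, m[3].to_i
    placed = imm << shift
    reg = case op
          when "movz" then placed
          when "movn" then (~placed) & MASK64
          else (reg & ~(0xffff << shift) & MASK64) | placed # movk: one chunk
          end
  end
  reg
end
```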
3317
3318 2014-09-02  Brian J. Burg  <burg@cs.washington.edu>
3319
3320         LegacyProfiler: remove redundant ProfileNode members and other cleanup
3321         https://bugs.webkit.org/show_bug.cgi?id=136380
3322
3323         Reviewed by Timothy Hatcher.
3324
3325         ProfileNode's selfTime and totalTime members are redundant and only used
3326         for dumping profile data from debug-only code. Remove the members and compute
3327         the same data on-demand when necessary using a postorder traversal functor.
3328
3329         Remove ProfileNode.head since it is only used to calculate percentages for
3330         dumped profile data. This can be explicitly passed around when needed.
3331
3332         Rename Profile.head to Profile.rootNode, and other various renamings.
3333
3334         Rearrange some header includes so that touching LegacyProfiler-related headers
3335         will no longer cause a full rebuild.
3336
3337         * inspector/JSConsoleClient.cpp: Add header include.
3338         * inspector/agents/InspectorProfilerAgent.cpp:
3339         (Inspector::InspectorProfilerAgent::buildProfileInspectorObject):
3340         * inspector/protocol/Profiler.json: Remove unused Profile.idleTime member.
3341         * jit/JIT.h: Remove header include.
3342         * jit/JITCode.h: Remove header include.
3343         * jit/JITOperations.cpp: Sort and add header include.
3344         * llint/LLIntSlowPaths.cpp: Sort and add header include.
3345         * profiler/Profile.cpp: Rename the debug dumping functions. Move the node
3346         postorder traversal code to ProfileNode so we can traverse any subtree.
3347         (JSC::Profile::Profile):
3348         (JSC::Profile::debugPrint):
3349         (JSC::Profile::debugPrintSampleStyle):
3350         (JSC::Profile::forEach): Deleted.
3351         (JSC::Profile::debugPrintData): Deleted.
3352         (JSC::Profile::debugPrintDataSampleStyle): Deleted.
3353         * profiler/Profile.h:
3354         * profiler/ProfileGenerator.cpp:
3355         (JSC::ProfileGenerator::ProfileGenerator):
3356         (JSC::AddParentForConsoleStartFunctor::AddParentForConsoleStartFunctor):
3357         (JSC::AddParentForConsoleStartFunctor::operator()):
3358         (JSC::ProfileGenerator::addParentForConsoleStart):
3359         (JSC::ProfileGenerator::didExecute):
3360         (JSC::StopProfilingFunctor::operator()):
3361         (JSC::ProfileGenerator::stopProfiling):
3362         (JSC::ProfileGenerator::removeProfileStart):
3363         (JSC::ProfileGenerator::removeProfileEnd):
3364         * profiler/ProfileGenerator.h:
3365         * profiler/ProfileNode.cpp:
3366         (JSC::ProfileNode::ProfileNode):
3367         (JSC::ProfileNode::willExecute):
3368         (JSC::ProfileNode::removeChild):
3369         (JSC::ProfileNode::stopProfiling):
3370         (JSC::ProfileNode::endAndRecordCall):
3371         (JSC::ProfileNode::debugPrint):
3372         (JSC::ProfileNode::debugPrintSampleStyle):
3373         (JSC::ProfileNode::debugPrintRecursively):
3374         (JSC::ProfileNode::debugPrintSampleStyleRecursively):
3375         (JSC::ProfileNode::debugPrintData): Deleted.
3376         (JSC::ProfileNode::debugPrintDataSampleStyle): Deleted.
3377         * profiler/ProfileNode.h: Calculate per-node self and total times using a postorder traversal.
3378         The forEachNodePostorder functor traverses the subtree rooted at |this|.
3379         (JSC::ProfileNode::create):
3380         (JSC::ProfileNode::calls):
3381         (JSC::ProfileNode::forEachNodePostorder):
3382         (JSC::CalculateProfileSubtreeDataFunctor::returnValue):
3383         (JSC::CalculateProfileSubtreeDataFunctor::operator()):
3384         (JSC::ProfileNode::head): Deleted.
3385         (JSC::ProfileNode::setHead): Deleted.
3386         (JSC::ProfileNode::totalTime): Deleted.
3387         (JSC::ProfileNode::setTotalTime): Deleted.
3388         (JSC::ProfileNode::selfTime): Deleted.
3389         (JSC::ProfileNode::setSelfTime): Deleted.
3390         (JSC::ProfileNode::totalPercent): Deleted.
3391         (JSC::ProfileNode::selfPercent): Deleted.
3392         * runtime/ConsoleClient.h: Remove header include.
3393
3394 2014-09-02  Brian J. Burg  <burg@cs.washington.edu>
3395
3396         Web Inspector: remove ProfilerAgent and legacy profiler files in the frontend
3397         https://bugs.webkit.org/show_bug.cgi?id=136462
3398
3399         Reviewed by Timothy Hatcher.
3400
3401         It's not used by the frontend anymore.
3402
3403         * CMakeLists.txt:
3404         * DerivedSources.make:
3405         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3406         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3407         * JavaScriptCore.xcodeproj/project.pbxproj:
3408
3409         * inspector/JSConsoleClient.cpp:
3410         (Inspector::JSConsoleClient::JSConsoleClient): Stub out console.profile/profileEnd
3411         methods since they didn't work for JSContexts anyway.
3412         (Inspector::JSConsoleClient::profile):
3413         (Inspector::JSConsoleClient::profileEnd):
3414         * inspector/JSConsoleClient.h:
3415
3416         * inspector/JSGlobalObjectInspectorController.cpp:
3417         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3418         * inspector/agents/InspectorProfilerAgent.cpp: Removed.
3419         * inspector/agents/InspectorProfilerAgent.h: Removed.
3420         * inspector/agents/JSGlobalObjectProfilerAgent.cpp: Removed.
3421         * inspector/agents/JSGlobalObjectProfilerAgent.h: Removed.
3422         * inspector/protocol/Profiler.json: Removed.
3423
3424 2014-09-02  Andreas Kling  <akling@apple.com>
3425
3426         Optimize own property GetByVals with rope string subscripts.
3427         <https://webkit.org/b/136458>
3428
3429         For simple JSObjects that don't override getOwnPropertySlot to implement
3430         custom properties, we have a fast path that grabs directly at the object
3431         property storage.
3432
3433         Make this fast path even faster when the property name is an unresolved
3434         rope string by using JSString::toExistingAtomicString(). This is faster
3435         because it avoids allocating a new StringImpl if the string is already
3436         a known Identifier, which is guaranteed to be the case if it's present
3437         as an own property on the object.
3438
3439         ~10% speed-up on Dromaeo/dom-attr.html
3440
3441         Reviewed by Geoffrey Garen.
3442
3443         * dfg/DFGOperations.cpp:
3444         * jit/JITOperations.cpp:
3445         (JSC::getByVal):
3446         * llint/LLIntSlowPaths.cpp:
3447         (JSC::LLInt::getByVal):
3448
3449             When using the fastGetOwnProperty() optimization, get the String
3450             out of JSString by using toExistingAtomicString(). This avoids
3451             StringImpl allocation and lets us bypass the PropertyTable lookup
3452             entirely if no AtomicString is found.
3453
3454         * runtime/JSCell.h:
3455         * runtime/JSCellInlines.h:
3456         (JSC::JSCell::fastGetOwnProperty):
3457
3458             Make fastGetOwnProperty() take a PropertyName instead of a String.
3459             This avoids churning the ref count, since we don't need to create
3460             a temporary wrapper around the AtomicStringImpl* found in GetByVal.
3461
3462         * runtime/PropertyName.h:
3463         (JSC::PropertyName::PropertyName):
3464
3465             Add constructor: PropertyName(AtomicStringImpl*)
3466
3467         * runtime/PropertyMapHashTable.h:
3468         (JSC::PropertyTable::get):
3469         (JSC::PropertyTable::findWithString): Deleted.
3470         * runtime/Structure.h:
3471         * runtime/StructureInlines.h:
3472         (JSC::Structure::get):
3473
3474             Remove code for querying a PropertyTable with an unhashed string key
3475             since the only client is now gone.
3476
3477 2014-09-02  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>
3478
3479         [ARM] MacroAssembler generating incorrect code on ARM32 Traditional
3480         https://bugs.webkit.org/show_bug.cgi?id=136429
3481
3482         Reviewed by Csaba Osztrogonác.
3483
3484         Changed test32 to use tst to check if reg is zero, instead of cmp.
3485
3486         * assembler/MacroAssemblerARM.h:
3487         (JSC::MacroAssemblerARM::test32):
3488
3489 2014-09-02  Michael Saboff  <msaboff@apple.com>
3490
3491         Out of bounds write in vmEntryToJavaScript / JSC::JITCode::execute
3492         https://bugs.webkit.org/show_bug.cgi?id=136305
3493
3494         Reviewed by Filip Pizlo.
3495
3496         While preparing the callee's CallFrame, ProtoCallFrame fixes any arity mismatch
3497         and then JITCode::execute() calls the normal entrypoint.  This is incompatible
3498         with the expectation of FTL generated functions.  Changed ProtoCallFrame to not 
3499         perform the arity fix, but just flag an arity mismatch.  Now JITCode::execute()
3500         uses that arity mismatch condition to select the normal or arity check
3501         entrypoint.  The entrypoint selection is only done for functions; programs
3502         and eval always have one parameter.
3503
3504         * interpreter/ProtoCallFrame.cpp:
3505         (JSC::ProtoCallFrame::init): Changed to flag arity mismatch instead of fixing it.
3506         * interpreter/ProtoCallFrame.h:
3507         (JSC::ProtoCallFrame::needArityCheck): New boolean to signify what entrypoint
3508         should be called.
3509         * jit/JITCode.cpp:
3510         (JSC::JITCode::execute): Select normal or arity check entrypoint as appropriate.
3511
3512 2014-09-02  peavo@outlook.com  <peavo@outlook.com>
3513
3514         [WinCairo] testapi.exe is not built.
3515         https://bugs.webkit.org/show_bug.cgi?id=136369
3516
3517         Reviewed by Alex Christensen.
3518
3519         The testapi project should be of type Application.
3520
3521         * JavaScriptCore.vcxproj/jsc/jscLauncher.vcxproj: Change project type to Application.
3522         * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncher.vcxproj: Ditto.
3523         * JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props: Compile and link fix.
3524         * JavaScriptCore.vcxproj/testapi/testapiLauncher.vcxproj: Change project type to Application.
3525
3526 2014-09-01  Akos Kiss  <akiss@inf.u-szeged.hu>
3527
3528         [CMAKE] Add missing offlineasm dependencies
3529         https://bugs.webkit.org/show_bug.cgi?id=136437
3530
3531         Reviewed by Csaba Osztrogonác.
3532
3533         Add the ARM64, MIPS and SH4 backends to the dependencies.
3534
3535         * CMakeLists.txt:
3536
3537 2014-09-01  Brian J. Burg  <burg@cs.washington.edu>
3538
3539         Provide column numbers to DTrace willExecute/didExecute probes
3540         https://bugs.webkit.org/show_bug.cgi?id=136434
3541
3542         Reviewed by Antti Koivisto.
3543
3544         Provide the columnNumber and update stubs for !HAVE(DTRACE).
3545
3546         * profiler/ProfileGenerator.cpp:
3547         (JSC::ProfileGenerator::willExecute):
3548         (JSC::ProfileGenerator::didExecute):
3549         * runtime/Tracing.d:
3550         * runtime/Tracing.h:
3551
3552 2014-09-01  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
3553
3554         [CMAKE] Build warning by INTERFACE_LINK_LIBRARIES
3555         https://bugs.webkit.org/show_bug.cgi?id=136194
3556
3557         Reviewed by Csaba Osztrogonác.
3558
3559         Set the LINK_INTERFACE_LIBRARIES target property on the top level CMakeLists.txt.
3560
3561         * CMakeLists.txt:
3562
3563 2014-08-26  Maciej Stachowiak  <mjs@apple.com>
3564
3565         Use RetainPtr::autorelease in some places where it seems appropriate
3566         https://bugs.webkit.org/show_bug.cgi?id=136280
3567
3568         Reviewed by Darin Adler.
3569
3570         * API/JSContext.mm:
3571         (-[JSContext name]): Use RetainPtr::autorelease() in place of ObjC autorelease.
3572         * API/JSValue.mm:
3573         (valueToString): Make appropriate use of RetainPtr
3574
3575 2014-08-29  Akos Kiss  <akiss@inf.u-szeged.hu>
3576
3577         Ensure that the call frame passed from doVMEntry to the called function always contains the valid scope chain.
3578         https://bugs.webkit.org/show_bug.cgi?id=136391
3579
3580         Reviewed by Michael Saboff.
3581
3582         Do not rely on calling conventions to fill in the CallerFrame component
3583         of the ExecState* parameter of the called function.
3584
3585         * llint/LowLevelInterpreter32_64.asm:
3586         * llint/LowLevelInterpreter64.asm:
3587
3588 2014-08-29  Saam Barati  <sbarati@apple.com>
3589
3590         emit op_profile_type for deconstruction assignments
3591         https://bugs.webkit.org/show_bug.cgi?id=136274
3592
3593         Reviewed by Filip Pizlo.
3594
3595         Enable type profiling for ES6 deconstruction expressions.
3596
3597         * bytecompiler/NodesCodegen.cpp:
3598         (JSC::BindingNode::bindValue):
3599
3600 2014-08-29  Joseph Pecoraro  <pecoraro@apple.com>
3601
3602         JavaScriptCore: Use ASCIILiteral where possible
3603         https://bugs.webkit.org/show_bug.cgi?id=136179
3604
3605         Reviewed by Michael Saboff.
3606
3607         General string / character related changes. Use ASCIILiteral where
3608         possible, jsNontrivialString where possible, and replace string
3609         literals with character literals in some places.
3610
3611         No new tests, no changes to functionality.
3612
3613         * bytecode/CodeBlock.cpp:
3614         (JSC::CodeBlock::nameForRegister):
3615         * bytecompiler/NodesCodegen.cpp:
3616         (JSC::PostfixNode::emitBytecode):
3617         (JSC::PrefixNode::emitBytecode):
3618         (JSC::AssignErrorNode::emitBytecode):
3619         (JSC::ForInNode::emitMultiLoopBytecode):
3620         (JSC::ForOfNode::emitBytecode):
3621         (JSC::ObjectPatternNode::toString):
3622         * dfg/DFGFunctionWhitelist.cpp:
3623         (JSC::DFG::FunctionWhitelist::contains):
3624         * dfg/DFGOperations.cpp:
3625         (JSC::DFG::newTypedArrayWithSize):
3626         (JSC::DFG::newTypedArrayWithOneArgument):
3627         * inspector/ConsoleMessage.cpp:
3628         (Inspector::ConsoleMessage::addToFrontend):
3629         * inspector/InspectorBackendDispatcher.cpp:
3630         (Inspector::InspectorBackendDispatcher::dispatch):
3631         * inspector/ScriptCallStackFactory.cpp:
3632         (Inspector::extractSourceInformationFromException):
3633         * inspector/scripts/codegen/generator_templates.py:
3634         * interpreter/StackVisitor.cpp:
3635         (JSC::StackVisitor::Frame::functionName):
3636         (JSC::StackVisitor::Frame::sourceURL):
3637         * jit/JITOperations.cpp:
3638         * jsc.cpp:
3639         (functionDescribeArray):
3640         (functionRun):
3641         (functionLoad):
3642         (functionReadFile):
3643         (functionCheckSyntax):
3644         (functionTransferArrayBuffer):
3645         (runWithScripts):
3646         (runInteractive):
3647         * parser/Lexer.cpp:
3648         (JSC::Lexer<T>::invalidCharacterMessage):
3649         (JSC::Lexer<T>::parseString):
3650         (JSC::Lexer<T>::parseStringSlowCase):
3651         (JSC::Lexer<T>::lex):
3652         * profiler/Profile.cpp:
3653         (JSC::Profile::Profile):
3654         * runtime/Arguments.cpp:
3655         (JSC::argumentsFuncIterator):
3656         * runtime/ArrayPrototype.cpp:
3657         (JSC::performSlowSort):
3658         (JSC::arrayProtoFuncSort):
3659         * runtime/ExceptionHelpers.cpp:
3660         (JSC::createError):
3661         (JSC::createInvalidParameterError):
3662         (JSC::createNotAConstructorError):
3663         (JSC::createNotAFunctionError):
3664         (JSC::createNotAnObjectError):
3665         (JSC::createErrorForInvalidGlobalAssignment):
3666         * runtime/FunctionPrototype.cpp:
3667         (JSC::insertSemicolonIfNeeded):
3668         * runtime/JSArray.cpp:
3669         (JSC::JSArray::defineOwnProperty):
3670         (JSC::JSArray::pop):
3671         (JSC::JSArray::push):
3672         * runtime/JSArrayBufferConstructor.cpp:
3673         (JSC::JSArrayBufferConstructor::finishCreation):
3674         * runtime/JSArrayBufferPrototype.cpp:
3675         (JSC::arrayBufferProtoFuncSlice):
3676         * runtime/JSDataView.cpp:
3677         (JSC::JSDataView::create):
3678         * runtime/JSDataViewPrototype.cpp:
3679         (JSC::getData):
3680         (JSC::setData):
3681         * runtime/JSGlobalObject.cpp:
3682         (JSC::JSGlobalObject::reset):
3683         * runtime/JSGlobalObjectFunctions.cpp:
3684         (JSC::globalFuncProtoSetter):
3685         * runtime/JSPromiseConstructor.cpp:
3686         (JSC::JSPromiseConstructor::finishCreation):
3687         * runtime/LiteralParser.cpp:
3688         (JSC::LiteralParser<CharType>::Lexer::lex):
3689         (JSC::LiteralParser<CharType>::Lexer::lexString):
3690         (JSC::LiteralParser<CharType>::parse):
3691         * runtime/LiteralParser.h:
3692         (JSC::LiteralParser::getErrorMessage):
3693         * runtime/TypeSet.cpp:
3694         (JSC::TypeSet::seenTypes):
3695         (JSC::TypeSet::displayName):
3696         (JSC::TypeSet::allPrimitiveTypeNames):
3697         (JSC::StructureShape::propertyHash):
3698         (JSC::StructureShape::stringRepresentation):
3699
3700 2014-08-29  Csaba Osztrogonác  <ossy@webkit.org>
3701
3702         Unreviewed, remove empty directories.
3703
3704         * qt: Removed.
3705
3706 2014-08-28  Mark Lam  <mark.lam@apple.com>
3707
3708         DebuggerCallFrame::scope() should return a DebuggerScope.
3709         <https://webkit.org/b/134420>
3710
3711         Reviewed by Geoffrey Garen.
3712
3713         Rolling back in r170680 with the fix for <https://webkit.org/b/135656>.
3714
3715         Previously, DebuggerCallFrame::scope() returns a JSActivation (and relevant
3716         peers) which the WebInspector will use to introspect CallFrame variables.
3717         Instead, we should be returning a DebuggerScope as an abstraction layer that
3718         provides the introspection functionality that the WebInspector needs.  This
3719         is the first step towards not forcing every frame to have a JSActivation
3720         object just because the debugger is enabled.
3721
3722         1. Instantiate the debuggerScopeStructure as a member of the JSGlobalObject
3723            instead of the VM.  This allows JSObject::globalObject() to be able to
3724            return the global object for the DebuggerScope.
3725
3726         2. On the DebuggerScope's life-cycle management:
3727
3728            The DebuggerCallFrame is designed to be "valid" only during a debugging session
3729            (while the debugger is broken) through the use of a DebuggerCallFrameScope in
3730            Debugger::pauseIfNeeded().  Once the debugger resumes from the break, the
3731            DebuggerCallFrameScope destructs, and the DebuggerCallFrame will be invalidated.
3732            We can't guarantee (from this code alone) that the Inspector code isn't still
3733            holding a ref to the DebuggerCallFrame (though they shouldn't), but by contract,
3734            the frame will be invalidated, and any attempt to query it will return null values.
3735            This is pre-existing behavior.
3736
3737            Now, we're adding the DebuggerScope into the picture.  While a single debugger
3738            pause session is in progress, the Inspector may request the scope from the
3739            DebuggerCallFrame.  While the DebuggerCallFrame is still valid, we want
3740            DebuggerCallFrame::scope() to always return the same DebuggerScope object.
3741            This is why we hold on to the DebuggerScope with a strong ref.
3742
3743            If we use a weak ref instead, the following kooky behavior can manifest:
3744            1. The Inspector calls Debugger::scope() to get the top scope.
3745            2. The Inspector iterates down the scope chain and is now only holding a
3746               reference to a parent scope.  It is no longer referencing the top scope.
3747            3. A GC occurs, and the DebuggerCallFrame's weak m_scope ref to the top scope
3748               gets cleared.
3749            4. The Inspector calls DebuggerCallFrame::scope() to get the top scope again but gets
3750               a different DebuggerScope instance.
3751            5. The Inspector iterates down the scope chain but never sees the parent scope
3752               instance that it retained a ref to in step 2 above.  This is because when iterating
3753               this new DebuggerScope instance (which has no knowledge of the previous parent
3754               DebuggerScope instance), a new DebuggerScope instance will get created for the
3755               same parent scope. 
3756
3757            Since the DebuggerScope is a JSObject, its liveness is determined by its reachability.
3758            However, its "validity" is determined by the life-cycle of its owner DebuggerCallFrame.
3759            When the owner DebuggerCallFrame gets invalidated, its debugger scope chain (if
3760            instantiated) will also get invalidated.  This is why we need the
3761            DebuggerScope::invalidateChain() method.  The Inspector should not be using the
3762            DebuggerScope instance after its owner DebuggerCallFrame is invalidated.  If it does,
3763            those methods will do nothing or return a failed status.
3764
3765         Fix for <https://webkit.org/b/135656>:
3766         3. DebuggerScope::getOwnPropertySlot() and DebuggerScope::put() need to set
3767            m_thisValue in the returned slot to the wrapped scope object.  Previously,
3768            it was pointing to the DebuggerScope though the rest of the fields in the
3769            returned slot will be set to data pertaining to the wrapped scope object.
3770
3771         4. DebuggerScope::getOwnPropertySlot() will invoke getPropertySlot() on its
3772            wrapped scope.  This is because JSObject::getPropertySlot() cannot be
3773            overridden, and when called on a DebuggerScope, will not know to look in
3774            the prototype chain of the DebuggerScope's wrapped scope.  Hence, we'll
3775            treat all properties in the wrapped scope as own properties in the
3776            DebuggerScope.  This is fine because the WebInspector does not presently
3777            care about where in the prototype chain the scope property comes from.
3778
3779            Note that the DebuggerScope and the JSActivation objects that it wraps do
3780            not have prototypes.  They are always jsNull().  This works perfectly with
3781            the above change to use getPropertySlot() instead of getOwnPropertySlot().
3782            To make this an explicit invariant, I also changed DebuggerScope::createStructure()
3783            and JSActivation::createStructure() to not take a prototype argument, and
3784            to always use jsNull() for their prototype value.
3785
3786         * debugger/Debugger.h:
3787         * debugger/DebuggerCallFrame.cpp:
3788         (JSC::DebuggerCallFrame::scope):
3789         (JSC::DebuggerCallFrame::evaluate):
3790         (JSC::DebuggerCallFrame::invalidate):
3791         * debugger/DebuggerCallFrame.h:
3792         * debugger/DebuggerScope.cpp:
3793         (JSC::DebuggerScope::DebuggerScope):
3794         (JSC::DebuggerScope::finishCreation):
3795         (JSC::DebuggerScope::visitChildren):
3796         (JSC::DebuggerScope::className):
3797         (JSC::DebuggerScope::getOwnPropertySlot):
3798         (JSC::DebuggerScope::put):
3799         (JSC::DebuggerScope::deleteProperty):
3800         (JSC::DebuggerScope::getOwnPropertyNames):
3801         (JSC::DebuggerScope::defineOwnProperty):
3802         (JSC::DebuggerScope::next):
3803         (JSC::DebuggerScope::invalidateChain):
3804         (JSC::DebuggerScope::isWithScope):
3805         (JSC::DebuggerScope::isGlobalScope):
3806         (JSC::DebuggerScope::isFunctionOrEvalScope):
3807         * debugger/DebuggerScope.h:
3808         (JSC::DebuggerScope::create):
3809         (JSC::DebuggerScope::createStructure):
3810         (JSC::DebuggerScope::iterator::iterator):
3811         (JSC::DebuggerScope::iterator::get):
3812         (JSC::DebuggerScope::iterator::operator++):
3813         (JSC::DebuggerScope::iterator::operator==):
3814         (JSC::DebuggerScope::iterator::operator!=):
3815         (JSC::DebuggerScope::isValid):
3816         (JSC::DebuggerScope::jsScope):
3817         (JSC::DebuggerScope::begin):
3818         (JSC::DebuggerScope::end):
3819         * inspector/JSJavaScriptCallFrame.cpp:
3820         (Inspector::JSJavaScriptCallFrame::scopeType):
3821         (Inspector::JSJavaScriptCallFrame::scopeChain):
3822         * inspector/JavaScriptCallFrame.h:
3823         (Inspector::JavaScriptCallFrame::scopeChain):
3824         * inspector/ScriptDebugServer.cpp:
3825         * runtime/JSActivation.h:
3826         (JSC::JSActivation::createStructure):
3827         * runtime/JSGlobalObject.cpp:
3828         (JSC::JSGlobalObject::reset):
3829         (JSC::JSGlobalObject::visitChildren):
3830         * runtime/JSGlobalObject.h:
3831         (JSC::JSGlobalObject::debuggerScopeStructure):
3832         * runtime/JSObject.cpp:
3833         * runtime/JSObject.h:
3834         (JSC::JSObject::isWithScope):
3835         * runtime/JSScope.h:
3836         * runtime/PropertySlot.h:
3837         (JSC::PropertySlot::setThisValue):
3838         * runtime/PutPropertySlot.h:
3839         (JSC::PutPropertySlot::setThisValue):
3840         * runtime/VM.cpp:
3841         (JSC::VM::VM):
3842         * runtime/VM.h:
3843
3844 2014-08-28  Andreas Kling  <akling@apple.com>
3845
3846         Use JSString::toIdentifier() in more places.
3847         <https://webkit.org/b/136348>
3848
3849         Call sites that grab the WTF::String from a JSString using value() can
3850         use the more efficient toIdentifier() if the string is going to be used
3851         to construct an Identifier.
3852
3853         If the JSString is a rope that resolves to something that is already
3854         present in the VM's Identifier table, using toIdentifier() can avoid
3855         allocating a new StringImpl.
3856
3857         Reviewed by Geoffrey Garen.
3858
3859         * jit/JITOperations.cpp:
3860         * llint/LLIntSlowPaths.cpp:
3861         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3862         * runtime/CommonSlowPaths.cpp:
3863         (JSC::SLOW_PATH_DECL):
3864         * runtime/CommonSlowPaths.h:
3865         (JSC::CommonSlowPaths::opIn):
3866         * runtime/JSONObject.cpp:
3867         (JSC::Stringifier::Stringifier):
3868         * runtime/ObjectConstructor.cpp:
3869         (JSC::objectConstructorGetOwnPropertyDescriptor):
3870         (JSC::objectConstructorDefineProperty):
3871         * runtime/ObjectPrototype.cpp:
3872         (JSC::objectProtoFuncPropertyIsEnumerable):
3873
3874 2014-08-27  Filip Pizlo  <fpizlo@apple.com>
3875
3876         DFG should compute immediate dominators using the O(n log n) form of Lengauer and Tarjan's "A Fast Algorithm for Finding Dominators in a Flowgraph"
3877         https://bugs.webkit.org/show_bug.cgi?id=93361
3878
3879         Reviewed by Mark Hahnenberg.
3880         
3881         This patch also adds some new utilities for reasoning about block-keyed maps, block sets,
3882         and block worklists. It changes preexisting code to use these abstractions.
3883         
3884         The main effect of this code is that all current clients of dominators end up using the
3885         results of the new idom calculation. We convert the dom tree to a dominance test using
3886         Dietz's pre/post number range check trick.
3887
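The two techniques this entry names, as an added illustration that is not WebKit's DFGDominators code: the simple path-compression form of Lengauer-Tarjan computes immediate dominators, the resulting dominator tree is numbered pre/post in one walk, and a dominance query then becomes a nested-interval check. Node 0 is assumed to be the entry block, the `Dominators` struct, its method names and the sample flowgraph are constructed for this example, and nodes unreachable from the entry are reported with `idom == -1`.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdio>
#include <utility>
#include <vector>

// Added example, not WebKit code. Simple Lengauer-Tarjan (path compression,
// no balancing) for a flowgraph whose entry is node 0, plus Dietz-style
// pre/post numbering of the dominator tree for O(1) dominance queries.
struct Dominators {
    int n;
    std::vector<std::vector<int>> succ, pred, bucket, domChildren;
    std::vector<int> dfnum, vertex, parent, semi, ancestor, label, idom, pre, post;

    explicit Dominators(int nodes) : n(nodes), succ(nodes), pred(nodes) {}
    void addEdge(int from, int to) { succ[from].push_back(to); pred[to].push_back(from); }

    // Step 1: depth-first numbering; vertex[i] is the node with DFS number i.
    void dfs(int root) {
        std::vector<std::pair<int, std::size_t>> stack;  // (node, next successor index)
        dfnum[root] = 0; vertex.push_back(root); stack.push_back({root, 0});
        while (!stack.empty()) {
            int v = stack.back().first;
            if (stack.back().second < succ[v].size()) {
                int w = succ[v][stack.back().second++];
                if (dfnum[w] < 0) {
                    dfnum[w] = (int)vertex.size(); vertex.push_back(w);
                    parent[w] = v; stack.push_back({w, 0});
                }
            } else stack.pop_back();
        }
    }

    // Path compression: label[v] becomes the node with the smallest
    // semidominator on v's path through the linked spanning-tree edges.
    void compress(int v) {
        std::vector<int> path;
        int u = v;
        while (ancestor[ancestor[u]] >= 0) { path.push_back(u); u = ancestor[u]; }
        for (auto it = path.rbegin(); it != path.rend(); ++it) {
            int w = *it;
            if (semi[label[ancestor[w]]] < semi[label[w]]) label[w] = label[ancestor[w]];
            ancestor[w] = ancestor[ancestor[w]];
        }
    }
    int eval(int v) { if (ancestor[v] < 0) return v; compress(v); return label[v]; }

    void compute() {
        dfnum.assign(n, -1); parent.assign(n, -1); ancestor.assign(n, -1);
        idom.assign(n, -1); semi.assign(n, -1); label.resize(n);
        bucket.assign(n, std::vector<int>()); vertex.clear();
        dfs(0);
        for (int v = 0; v < n; ++v) { semi[v] = dfnum[v]; label[v] = v; }  // semi holds DFS numbers

        // Steps 2-3: semidominators in reverse DFS order; buckets give implicit idoms.
        for (int i = (int)vertex.size() - 1; i >= 1; --i) {
            int w = vertex[i], p = parent[w];
            for (int v : pred[w]) {
                if (dfnum[v] < 0) continue;  // predecessor unreachable from entry
                int u = eval(v);
                if (semi[u] < semi[w]) semi[w] = semi[u];
            }
            bucket[vertex[semi[w]]].push_back(w);
            ancestor[w] = p;  // link(p, w)
            for (int v : bucket[p]) { int u = eval(v); idom[v] = semi[u] < semi[v] ? u : p; }
            bucket[p].clear();
        }
        // Step 4: resolve the deferred cases in DFS order.
        for (std::size_t i = 1; i < vertex.size(); ++i) {
            int w = vertex[i];
            if (idom[w] != vertex[semi[w]]) idom[w] = idom[idom[w]];
        }
        idom[0] = -1;

        // Dominator tree -> pre/post numbers (one shared counter keeps intervals nested).
        domChildren.assign(n, std::vector<int>());
        for (int v = 1; v < n; ++v) if (idom[v] >= 0) domChildren[idom[v]].push_back(v);
        pre.assign(n, -1); post.assign(n, -1);
        int counter = 0;
        std::vector<std::pair<int, std::size_t>> stack;
        pre[0] = counter++; stack.push_back({0, 0});
        while (!stack.empty()) {
            int v = stack.back().first;
            if (stack.back().second < domChildren[v].size()) {
                int c = domChildren[v][stack.back().second++];
                pre[c] = counter++; stack.push_back({c, 0});
            } else { post[v] = counter++; stack.pop_back(); }
        }
    }

    // Dietz range check: a dominates b iff b's [pre, post] interval nests inside a's.
    bool dominates(int a, int b) const {
        if (pre[a] < 0 || pre[b] < 0) return false;  // unreachable nodes dominate nothing
        return pre[a] <= pre[b] && post[b] <= post[a];
    }
};

// Constructed sample flowgraph (not from the page): a diamond feeding a loop, plus
// node 7 that nothing reaches. Expected idoms: [-1, 0, 0, 0, 2, 0, 5, -1].
Dominators sampleGraph() {
    Dominators d(8);
    int edges[][2] = {{0,1},{0,2},{1,3},{2,3},{2,4},{3,5},{4,5},{5,6},{6,3}};
    for (auto& e : edges) d.addEdge(e[0], e[1]);
    d.compute();
    return d;
}

int main() {
    Dominators d = sampleGraph();
    for (int v = 0; v < d.n; ++v) std::printf("idom[%d] = %d\n", v, d.idom[v]);
    std::printf("2 dom 4: %d, 3 dom 5: %d\n", d.dominates(2, 4), d.dominates(3, 5));
    return 0;
}
```

The `eval`/`compress` pair is what makes this the O(n log n) form rather than the near-linear one: path compression without balanced linking is simpler and is usually the variant compilers pick. Because `dominates()` is two integer comparisons against fixed numbering, the tree only has to be renumbered when the CFG changes, which is why invalidating the analysis on graph edits matters.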
3888         * CMakeLists.txt:
3889         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3890         * JavaScriptCore.xcodeproj/project.pbxproj:
3891         * dfg/DFGAnalysis.h:
3892         (JSC::DFG::Analysis::computeIfNecessary):
3893         (JSC::DFG::Analysis::computeDependencies):
3894         * dfg/DFGBlockMap.h: Added.
3895         (JSC::DFG::BlockMap::BlockMap):
3896         (JSC::DFG::BlockMap::size):
3897         (JSC::DFG::BlockMap::atIndex):
3898         (JSC::DFG::BlockMap::operator[]):
