Rename activation to be more in line with spec language
1 2014-09-11  Oliver Hunt  <oliver@apple.com>
2
3         Rename activation to be more in line with spec language
4         https://bugs.webkit.org/show_bug.cgi?id=136721
5
6         Reviewed by Michael Saboff.
7
8         Somewhat bigger than the last one, but still just a rename.
9
10         * CMakeLists.txt:
11         * JavaScriptCore.order:
12         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
13         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
14         * JavaScriptCore.xcodeproj/project.pbxproj:
15         * bytecode/BytecodeList.json:
16         * bytecode/BytecodeUseDef.h:
17         (JSC::computeUsesForBytecodeOffset):
18         (JSC::computeDefsForBytecodeOffset):
19         * bytecode/CallVariant.h:
20         * bytecode/CodeBlock.cpp:
21         (JSC::CodeBlock::dumpBytecode):
22         (JSC::CodeBlock::CodeBlock):
23         (JSC::CodeBlock::finalizeUnconditionally):
24         (JSC::CodeBlock::isCaptured):
25         (JSC::CodeBlock::nameForRegister):
26         * bytecode/CodeBlock.h:
27         (JSC::CodeBlock::setActivationRegister):
28         (JSC::CodeBlock::activationRegister):
29         (JSC::CodeBlock::uncheckedActivationRegister):
30         (JSC::CodeBlock::needsActivation):
31         * bytecode/Instruction.h:
32         * bytecode/UnlinkedCodeBlock.h:
33         (JSC::UnlinkedCodeBlock::setActivationRegister):
34         (JSC::UnlinkedCodeBlock::activationRegister):
35         (JSC::UnlinkedCodeBlock::hasActivationRegister):
36         * bytecompiler/BytecodeGenerator.cpp:
37         (JSC::BytecodeGenerator::BytecodeGenerator):
38         (JSC::BytecodeGenerator::emitReturn):
39         * bytecompiler/BytecodeGenerator.h:
40         * debugger/DebuggerCallFrame.cpp:
41         (JSC::DebuggerCallFrame::scope):
42         * debugger/DebuggerScope.cpp:
43         (JSC::DebuggerScope::isFunctionOrEvalScope):
44         * dfg/DFGByteCodeParser.cpp:
45         (JSC::DFG::ByteCodeParser::parseBlock):
46         * dfg/DFGCapabilities.cpp:
47         (JSC::DFG::capabilityLevel):
48         * dfg/DFGGraph.cpp:
49         (JSC::DFG::Graph::tryGetActivation):
50         (JSC::DFG::Graph::tryGetRegisters):
51         * dfg/DFGGraph.h:
52         * dfg/DFGNodeType.h:
53         * dfg/DFGOperations.cpp:
54         * dfg/DFGSpeculativeJIT32_64.cpp:
55         (JSC::DFG::SpeculativeJIT::compile):
56         * dfg/DFGSpeculativeJIT64.cpp:
57         (JSC::DFG::SpeculativeJIT::compile):
58         * interpreter/CallFrame.cpp:
59         (JSC::CallFrame::lexicalEnvironment):
60         (JSC::CallFrame::setActivation):
61         (JSC::CallFrame::activation): Deleted.
62         * interpreter/CallFrame.h:
63         * interpreter/Interpreter.cpp:
64         (JSC::unwindCallFrame):
65         * interpreter/Register.h:
66         * jit/JIT.cpp:
67         (JSC::JIT::privateCompileMainPass):
68         * jit/JIT.h:
69         * jit/JITOpcodes.cpp:
70         (JSC::JIT::emit_op_tear_off_lexical_environment):
71         (JSC::JIT::emit_op_tear_off_arguments):
72         (JSC::JIT::emit_op_create_lexical_environment):
73         (JSC::JIT::emit_op_tear_off_activation): Deleted.
74         (JSC::JIT::emit_op_create_activation): Deleted.
75         * jit/JITOpcodes32_64.cpp:
76         (JSC::JIT::emit_op_tear_off_lexical_environment):
77         (JSC::JIT::emit_op_tear_off_arguments):
78         (JSC::JIT::emit_op_create_lexical_environment):
79         (JSC::JIT::emit_op_tear_off_activation): Deleted.
80         (JSC::JIT::emit_op_create_activation): Deleted.
81         * jit/JITOperations.cpp:
82         * jit/JITOperations.h:
83         * llint/LLIntSlowPaths.cpp:
84         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
85         * llint/LLIntSlowPaths.h:
86         * llint/LowLevelInterpreter32_64.asm:
87         * llint/LowLevelInterpreter64.asm:
88         * runtime/Arguments.cpp:
89         (JSC::Arguments::visitChildren):
90         (JSC::Arguments::tearOff):
91         (JSC::Arguments::didTearOffActivation):
92         * runtime/Arguments.h:
93         (JSC::Arguments::offsetOfActivation):
94         (JSC::Arguments::argument):
95         (JSC::Arguments::finishCreation):
96         * runtime/CommonSlowPaths.cpp:
97         * runtime/JSFunction.h:
98         * runtime/JSGlobalObject.cpp:
99         (JSC::JSGlobalObject::reset):
100         (JSC::JSGlobalObject::visitChildren):
101         * runtime/JSGlobalObject.h:
102         (JSC::JSGlobalObject::activationStructure):
103         * runtime/JSLexicalEnvironment.cpp: Renamed from Source/JavaScriptCore/runtime/JSActivation.cpp.
104         (JSC::JSLexicalEnvironment::visitChildren):
105         (JSC::JSLexicalEnvironment::symbolTableGet):
106         (JSC::JSLexicalEnvironment::symbolTablePut):
107         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
108         (JSC::JSLexicalEnvironment::symbolTablePutWithAttributes):
109         (JSC::JSLexicalEnvironment::getOwnPropertySlot):
110         (JSC::JSLexicalEnvironment::put):
111         (JSC::JSLexicalEnvironment::deleteProperty):
112         (JSC::JSLexicalEnvironment::toThis):
113         (JSC::JSLexicalEnvironment::argumentsGetter):
114         * runtime/JSLexicalEnvironment.h: Renamed from Source/JavaScriptCore/runtime/JSActivation.h.
115         (JSC::JSLexicalEnvironment::create):
116         (JSC::JSLexicalEnvironment::createStructure):
117         (JSC::JSLexicalEnvironment::JSLexicalEnvironment):
118         (JSC::asActivation):
119         (JSC::Register::lexicalEnvironment):
120         (JSC::JSLexicalEnvironment::registersOffset):
121         (JSC::JSLexicalEnvironment::tearOff):
122         (JSC::JSLexicalEnvironment::isTornOff):
123         (JSC::JSLexicalEnvironment::storageOffset):
124         (JSC::JSLexicalEnvironment::storage):
125         (JSC::JSLexicalEnvironment::allocationSize):
126         (JSC::JSLexicalEnvironment::isValidIndex):
127         (JSC::JSLexicalEnvironment::isValid):
128         (JSC::JSLexicalEnvironment::registerAt):
129         * runtime/JSObject.h:
130         * runtime/JSScope.cpp:
131         (JSC::abstractAccess):
132         * runtime/JSScope.h:
133         (JSC::ResolveOp::ResolveOp):
134         * runtime/JSSymbolTableObject.cpp:
135         * runtime/StrictEvalActivation.h:
136         (JSC::StrictEvalActivation::create):
137         * runtime/VM.cpp:
138
139 2014-09-11  László Langó  <llango.u-szeged@partner.samsung.com>
140
141         [JavaScriptCore] Fix FTL on platform EFL.
142         https://bugs.webkit.org/show_bug.cgi?id=133571
143
144         Reviewed by Filip Pizlo.
145
146         There are no compact_unwind sections on Linux systems so FTL crashes.
147         We have to parse eh_frame in FTLUnwindInfo instead of compact_unwind
148         and get the information for stack unwinding from there.
149
150         * CMakeLists.txt: Revert r169181.
151         * ftl/FTLCompile.cpp:
152         Change section name literals to use SECTION_NAME macro, because of architecture differences.
153         (JSC::FTL::mmAllocateCodeSection):
154         (JSC::FTL::mmAllocateDataSection):
155         (JSC::FTL::compile):
156         * ftl/FTLJITCode.h:
157         We need the SECTION_NAME macro in FTLCompile and FTLLink, so we define it here.
158         * ftl/FTLLink.cpp:
159         (JSC::FTL::link):
160         * ftl/FTLState.h:
161         * ftl/FTLState.cpp:
162         (JSC::FTL::State::State):
163         * ftl/FTLUnwindInfo.h:
164         * ftl/FTLUnwindInfo.cpp:
165         Lift the eh_frame parsing method from LLVM/libcxxabi project and modify it for our purposes.
166         Parse eh_frame on Linux instead of compact_unwind.
167         (JSC::FTL::UnwindInfo::parse):
168
169 2014-09-10  Saam Barati  <saambarati1@gmail.com>
170
171         Web Inspector: Modify the type profiler runtime protocol to transfer some computation into the WebInspector
172         https://bugs.webkit.org/show_bug.cgi?id=136500
173
174         Reviewed by Joseph Pecoraro.
175
176         This patch changes the type profiler protocol to the Web Inspector
177         by moving the work of calculating computed properties that affect the UI
178         into the Web Inspector. This makes the Web Inspector have control over the 
179         strings it displays as UI elements representing type information to the user 
180         instead of JavaScriptCore deciding on a convention for these strings.
181         JavaScriptCore now sends enough information to the Web Inspector so that 
182         it can compute the properties JavaScriptCore used to compute.
183
184         * inspector/agents/InspectorRuntimeAgent.cpp:
185         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
186         * inspector/protocol/Runtime.json:
187         * runtime/TypeProfiler.cpp:
188         (JSC::TypeProfiler::getTypesForVariableAtOffsetForInspector): Deleted.
189         * runtime/TypeProfiler.h:
190         * runtime/TypeSet.cpp:
191         (JSC::TypeSet::inspectorTypeSet):
192         (JSC::StructureShape::leastCommonAncestor):
193         (JSC::StructureShape::inspectorRepresentation):
194         * runtime/TypeSet.h:
195
196 2014-09-10  Akos Kiss  <akiss@inf.u-szeged.hu>
197
198         Apply ARM64-specific lowering to load/store instructions in offlineasm
199         https://bugs.webkit.org/show_bug.cgi?id=136569
200
201         Reviewed by Michael Saboff.
202
203         The standard risc lowering of load/store instructions with base +
204         immediate offset addresses is to move the offset to a temporary, add the
205         base to the temporary, and then change the load/store to use the
206         temporary + 0 immediate offset address. However, on ARM64, base +
207         register offset addressing mode is available, so it is unnecessary to
208         perform explicit register additions but it is enough to change load/store
209         to use base + temporary as the address.
210
211         * offlineasm/arm64.rb: Added arm64LowerMalformedLoadStoreAddresses
212
213 2014-09-10  Oliver Hunt  <oliver@apple.com>
214
215         Rename JSVariableObject to JSEnvironmentRecord to align naming with ES spec
216         https://bugs.webkit.org/show_bug.cgi?id=136710
217
218         Reviewed by Anders Carlsson.
219
220         This is a trivial rename.
221
222         * CMakeLists.txt:
223         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
224         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
225         * JavaScriptCore.xcodeproj/project.pbxproj:
226         * dfg/DFGAbstractHeap.h:
227         * dfg/DFGClobberize.h:
228         (JSC::DFG::clobberize):
229         * dfg/DFGSpeculativeJIT32_64.cpp:
230         (JSC::DFG::SpeculativeJIT::compile):
231         * dfg/DFGSpeculativeJIT64.cpp:
232         (JSC::DFG::SpeculativeJIT::compile):
233         * ftl/FTLAbstractHeapRepository.cpp:
234         * ftl/FTLAbstractHeapRepository.h:
235         * ftl/FTLLowerDFGToLLVM.cpp:
236         (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters):
237         * jit/JITOpcodes32_64.cpp:
238         * jit/JITPropertyAccess.cpp:
239         (JSC::JIT::emitGetClosureVar):
240         (JSC::JIT::emitPutClosureVar):
241         * jit/JITPropertyAccess32_64.cpp:
242         (JSC::JIT::emitGetClosureVar):
243         (JSC::JIT::emitPutClosureVar):
244         * llint/LLIntOffsetsExtractor.cpp:
245         * llint/LowLevelInterpreter32_64.asm:
246         * llint/LowLevelInterpreter64.asm:
247         * runtime/JSActivation.cpp:
248         (JSC::JSActivation::getOwnNonIndexPropertyNames):
249         * runtime/JSActivation.h:
250         * runtime/JSEnvironmentRecord.cpp: Renamed from Source/JavaScriptCore/runtime/JSVariableObject.cpp.
251         * runtime/JSEnvironmentRecord.h: Renamed from Source/JavaScriptCore/runtime/JSVariableObject.h.
252         (JSC::JSEnvironmentRecord::registers):
253         (JSC::JSEnvironmentRecord::registerAt):
254         (JSC::JSEnvironmentRecord::addressOfRegisters):
255         (JSC::JSEnvironmentRecord::offsetOfRegisters):
256         (JSC::JSEnvironmentRecord::JSEnvironmentRecord):
257         * runtime/JSNameScope.h:
258         * runtime/JSSegmentedVariableObject.h:
259
260 2014-09-10  Julien Brianceau   <jbriance@cisco.com>
261
262         [mips] Add missing parts and fix LLINT mips backend
263         https://bugs.webkit.org/show_bug.cgi?id=136706
264
265         Reviewed by Michael Saboff.
266
267         * llint/LowLevelInterpreter.asm: Fix invalid CalleeSave register number.
268         Implement initPCRelative and setEntryAddress macros.
269         * llint/LowLevelInterpreter32_64.asm: Fix register distribution in
270         doVMEntry macro.
271
272 2014-09-10  Saam Barati  <saambarati1@gmail.com>
273
274         TypeSet needs a mode where it no longer profiles structure shapes
275         https://bugs.webkit.org/show_bug.cgi?id=136263
276
277         Reviewed by Filip Pizlo.
278
279         The TypeSet data structure used to gather as many StructureShape
280         objects as it encountered during type profiling. But, this meant 
281         that there was no upper limit on how many objects it could allocate. 
282         This patch places a fixed upper bound on the number of StructureShapes
283         allocated per TypeSet to prevent using too much memory for little gain
284         in type profiling usefulness.
285
286         StructureShape objects are now also aware of when they are created
287         from Structures which are dictionaries.
288
289         In total, this patch lays the final groundwork needed in refactoring 
290         the inspector protocol for the type profiler.
291
292         * runtime/Structure.cpp:
293         (JSC::Structure::toStructureShape):
294         * runtime/TypeProfiler.cpp:
295         (JSC::TypeProfiler::typeInformationForExpressionAtOffset):
296         * runtime/TypeSet.cpp:
297         (JSC::TypeSet::TypeSet):
298         (JSC::TypeSet::addTypeInformation):
299         (JSC::StructureShape::StructureShape):
300         (JSC::StructureShape::toJSONString):
301         (JSC::StructureShape::enterDictionaryMode):
302         * runtime/TypeSet.h:
303         (JSC::TypeSet::isOverflown):
304         * tests/typeProfiler/dictionary-mode.js: Added.
305         (wrapper):
306         * tests/typeProfiler/driver/driver.js:
307         * tests/typeProfiler/overflow.js: Added.
308         (wrapper.Proto):
309         (wrapper):
310
311 2014-09-10  Peter Gal  <galpeter@inf.u-szeged.hu>
312
313         [MIPS] branch32WithPatch missing
314         https://bugs.webkit.org/show_bug.cgi?id=136696
315
316         Reviewed by Michael Saboff.
317
318         Added the missing branch32WithPatch. The implementation
319         is currently the same as branchPtrWithPatch because
320         the macro assembler supports only 32 bit MIPS.
321
322         * assembler/MacroAssemblerMIPS.h:
323         (JSC::MacroAssemblerMIPS::branch32WithPatch):
324
325 2014-09-10  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>
326
327         Fix !ENABLE(DFG_JIT) build
328         https://bugs.webkit.org/show_bug.cgi?id=136702
329
330         Reviewed by Michael Saboff.
331
332         * bytecode/CallEdgeProfile.h:
333
334 2014-09-09  Benjamin Poulain  <bpoulain@apple.com>
335
336         Disable the "unreachable-code" warning
337         https://bugs.webkit.org/show_bug.cgi?id=136677
338
339         Reviewed by Darin Adler.
340
341         * Configurations/Base.xcconfig:
342
343 2014-09-08  Filip Pizlo  <fpizlo@apple.com>
344
345         DFG should have a reusable SSA builder
346         https://bugs.webkit.org/show_bug.cgi?id=136331
347
348         Reviewed by Oliver Hunt.
349         
350         We want to implement sophisticated SSA transformations like object allocation sinking
351         (https://bugs.webkit.org/show_bug.cgi?id=136330), but to do that, we need to be able to do
352         updates to SSA that require inserting new Phi's. This requires calculating where Phis go.
353         Previously, our Phi calculation was based on Aycock and Horspool's algorithm, and our
354         implementation of this algorithm only worked when doing CPS->SSA conversion. The code
355         could not be reused for cases where some phase happens to know that it introduced a few
356         defs in some blocks and it wants to figure out where the Phis should go. Moreover, even
357         the general algorithm of Aycock and Horspool is not well suited to such targeted SSA
358         updates, since it requires first inserting maximal Phis. That scales well when the Phis
359         were already there (like in our CPS form) but otherwise it's quite unnatural and may be
360         difficult to make efficient.
361         
362         The usual way of handling both SSA conversion and SSA update is to use Cytron et al's
363         algorithm based on dominance frontiers. For a while now, I've been working on creating a
364         Cytron-based SSA calculator that can be used both as a replacement for our current SSA
365         converter and as a reusable tool for any phase that needs to do SSA update. I previously
366         optimized our dominator calculation and representation to use dominator trees computed
367         using Lengauer and Tarjan's algorithm - mainly to make it more scalable to enumerate over
368         the set of blocks that dominate you or vice-versa, and then I implemented a dominance
369         frontier calculator. This patch implements the final step towards making SSA update
370         available to all SSA phases: it implements an SSACalculator that can tell you where Phis
371         go when given an arbitrary set of Defs. To keep things simple, and to ensure that we have
372         good test coverage for this SSACalculator, this patch replaces the old Aycock-Horspool
373         SSA converter with one based on the SSACalculator.
374         
375         This has no observable impact. It does reduce the amount of code in SSAConversionPhase.
376         But even better, it makes SSAConversionPhase have significantly less tricky logic. It
377         mostly just relies on SSACalculator to do the tricky stuff, and SSAConversionPhase mostly
378         just reasons about the weirdnesses unique to the ThreadedCPS form that it sees as input.
379         In fact, using the Cytron et al approach means that there isn't really any "smoke and
380         mirrors" trickyness related to SSA. SSACalculator's only "tricks" are using the pruned
381         iterated dominance frontier to place Phi's and using the dom tree to find reaching defs.
382         The complexity is mostly confined to Dominators, which computes various dominator-related
383         properties over the control flow graph. That class can be difficult to understand, but at
384         least it follows well-known graph theory wisdom.
385
386         * CMakeLists.txt:
387         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
388         * JavaScriptCore.xcodeproj/project.pbxproj:
389         * dfg/DFGAnalysis.h:
390         * dfg/DFGCSEPhase.cpp:
391         * dfg/DFGDCEPhase.cpp:
392         (JSC::DFG::DCEPhase::run):
393         * dfg/DFGDominators.h:
394         (JSC::DFG::Dominators::immediateDominatorOf):
395         (JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOf):
396         (JSC::DFG::Dominators::forAllBlocksInPrunedIteratedDominanceFrontierOf):
397         * dfg/DFGGraph.cpp:
398         (JSC::DFG::Graph::dump):
399         (JSC::DFG::Graph::blocksInPreOrder):
400         (JSC::DFG::Graph::blocksInPostOrder):
401         (JSC::DFG::Graph::getBlocksInPreOrder): Deleted.
402         (JSC::DFG::Graph::getBlocksInPostOrder): Deleted.
403         * dfg/DFGGraph.h:
404         * dfg/DFGLICMPhase.cpp:
405         (JSC::DFG::LICMPhase::run):
406         * dfg/DFGNodeFlags.h:
407         * dfg/DFGPhase.cpp:
408         (JSC::DFG::Phase::beginPhase):
409         (JSC::DFG::Phase::endPhase):
410         * dfg/DFGPhase.h:
411         * dfg/DFGSSACalculator.cpp: Added.
412         (JSC::DFG::SSACalculator::Variable::dump):
413         (JSC::DFG::SSACalculator::Variable::dumpVerbose):
414         (JSC::DFG::SSACalculator::Def::dump):
415         (JSC::DFG::SSACalculator::SSACalculator):
416         (JSC::DFG::SSACalculator::~SSACalculator):
417         (JSC::DFG::SSACalculator::newVariable):
418         (JSC::DFG::SSACalculator::newDef):
419         (JSC::DFG::SSACalculator::nonLocalReachingDef):
420         (JSC::DFG::SSACalculator::reachingDefAtTail):
421         (JSC::DFG::SSACalculator::dump):
422         * dfg/DFGSSACalculator.h: Added.
423         (JSC::DFG::SSACalculator::Variable::index):
424         (JSC::DFG::SSACalculator::Variable::Variable):
425         (JSC::DFG::SSACalculator::Def::variable):
426         (JSC::DFG::SSACalculator::Def::block):
427         (JSC::DFG::SSACalculator::Def::value):
428         (JSC::DFG::SSACalculator::Def::Def):
429         (JSC::DFG::SSACalculator::variable):
430         (JSC::DFG::SSACalculator::computePhis):
431         (JSC::DFG::SSACalculator::phisForBlock):
432         (JSC::DFG::SSACalculator::reachingDefAtHead):
433         * dfg/DFGSSAConversionPhase.cpp:
434         (JSC::DFG::SSAConversionPhase::SSAConversionPhase):
435         (JSC::DFG::SSAConversionPhase::run):
436         (JSC::DFG::SSAConversionPhase::forwardPhiChildren): Deleted.
437         (JSC::DFG::SSAConversionPhase::forwardPhi): Deleted.
438         (JSC::DFG::SSAConversionPhase::forwardPhiEdge): Deleted.
439         (JSC::DFG::SSAConversionPhase::deduplicateChildren): Deleted.
440         * dfg/DFGSSAConversionPhase.h:
441         * dfg/DFGValidate.cpp:
442         (JSC::DFG::Validate::Validate):
443         (JSC::DFG::Validate::dumpGraphIfAppropriate):
444         (JSC::DFG::validate):
445         * dfg/DFGValidate.h:
446         * ftl/FTLLowerDFGToLLVM.cpp:
447         (JSC::FTL::LowerDFGToLLVM::lower):
448         * runtime/Options.h:
449
450 2014-09-08  Commit Queue  <commit-queue@webkit.org>
451
452         Unreviewed, rolling out r173402.
453         https://bugs.webkit.org/show_bug.cgi?id=136649
454
455         Breaking build with error "unable to restore file position to
456         0x00000c60 for section __DWARF.__debug_info (errno = 9)"
457         (Requested by mlam_ on #webkit).
458
459         Reverted changeset:
460
461         "Move CallFrame and Register inlines functions out of
462         JSScope.h."
463         https://bugs.webkit.org/show_bug.cgi?id=136579
464         http://trac.webkit.org/changeset/173402
465
466 2014-09-08  Mark Lam  <mark.lam@apple.com>
467
468         Move CallFrame and Register inlines functions out of JSScope.h.
469         <https://webkit.org/b/136579>
470
471         Reviewed by Geoffrey Garen.
472
473         This includes fixing up some files to #include JSCInlines.h to pick up
474         these inline functions.  I also added JSCellInlines.h to JSCInlines.h
475         since it is included from many of the affected .cpp files.
476
477         * API/ObjCCallbackFunction.mm:
478         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
479         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
480         * JavaScriptCore.xcodeproj/project.pbxproj:
481         * bindings/ScriptValue.cpp:
482         * inspector/InjectedScriptHost.cpp:
483         * inspector/InjectedScriptManager.cpp:
484         * inspector/JSGlobalObjectInspectorController.cpp:
485         * inspector/JSJavaScriptCallFrame.cpp:
486         * inspector/ScriptDebugServer.cpp:
487         * interpreter/CallFrameInlines.h:
488         (JSC::CallFrame::vm):
489         (JSC::CallFrame::lexicalGlobalObject):
490         (JSC::CallFrame::globalThisValue):
491         * interpreter/RegisterInlines.h: Added.
492         (JSC::Register::operator=):
493         (JSC::Register::scope):
494         * runtime/ArgumentsIteratorConstructor.cpp:
495         * runtime/JSArrayIterator.cpp:
496         * runtime/JSCInlines.h:
497         * runtime/JSCJSValue.cpp:
498         * runtime/JSMapIterator.cpp:
499         * runtime/JSPromiseConstructor.cpp:
500         * runtime/JSPromiseDeferred.cpp:
501         * runtime/JSPromiseFunctions.cpp:
502         * runtime/JSPromisePrototype.cpp:
503         * runtime/JSPromiseReaction.cpp:
504         * runtime/JSScope.h:
505         (JSC::Register::operator=): Deleted.
506         (JSC::Register::scope): Deleted.
507         (JSC::ExecState::vm): Deleted.
508         (JSC::ExecState::lexicalGlobalObject): Deleted.
509         (JSC::ExecState::globalThisValue): Deleted.
510         * runtime/JSSetIterator.cpp:
511         * runtime/MapConstructor.cpp:
512         * runtime/MapData.cpp:
513         * runtime/MapIteratorPrototype.cpp:
514         * runtime/MapPrototype.cpp:
515         * runtime/SetConstructor.cpp:
516         * runtime/SetIteratorPrototype.cpp:
517         * runtime/SetPrototype.cpp:
518         * runtime/WeakMapConstructor.cpp:
519         * runtime/WeakMapPrototype.cpp:
520
521 2014-09-08  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>
522
523         Remove FILTERS flag
524         https://bugs.webkit.org/show_bug.cgi?id=136571
525
526         Reviewed by Darin Adler.
527
528         * Configurations/FeatureDefines.xcconfig:
529
530 2014-09-08  Saam Barati  <saambarati1@gmail.com>
531
532         Merge StructureShapes that share the same prototype chain
533         https://bugs.webkit.org/show_bug.cgi?id=136549
534
535         Reviewed by Filip Pizlo.
536
537         Instead of keeping track of many discrete StructureShapes that share
538         the same prototype chain, TypeSet should merge StructureShapes that 
539         have the same prototype chain and provide a new member variable for 
540         optional structure fields. This provides a cleaner and more concise
541         interface for dealing with StructureShapes within TypeSet. Instead
542         of having many discrete shapes that are almost identical, almost 
543         identical shapes will be merged together with an interface for 
544         understanding what fields the shapes being merged together differ in.
545
546         * runtime/TypeSet.cpp:
547         (JSC::TypeSet::addTypeInformation):
548         (JSC::StructureShape::addProperty):
549         (JSC::StructureShape::toJSONString):
550         (JSC::StructureShape::inspectorRepresentation):
551         (JSC::StructureShape::hasSamePrototypeChain):
552         (JSC::StructureShape::merge):
553         * runtime/TypeSet.h:
554         * tests/typeProfiler/optional-fields.js: Added.
555         (wrapper.func):
556         (wrapper):
557
558 2014-09-08  Jessie Berlin  <jberlin@apple.com>
559
560         More 32-bit Release build fixes after r173364.
561
562         * dfg/DFGSpeculativeJIT32_64.cpp:
563         (JSC::DFG::SpeculativeJIT::compile):
564
565 2014-09-07  Maciej Stachowiak  <mjs@apple.com>
566
567         Fix typos in last patch to fix build.
568
569         Unreviewed build fix.
570
571         * dfg/DFGSpeculativeJIT.cpp:
572         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
573         (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
574
575 2014-09-07  Maciej Stachowiak  <mjs@apple.com>
576
577         Introduce COMPILER_QUIRK(CONSIDERS_UNREACHABLE_CODE) and use it
578         https://bugs.webkit.org/show_bug.cgi?id=136616
579
580         Reviewed by Darin Adler.
581         
582         Many compilers will analyze unreachable code paths (e.g. after an
583         unreachable code path), so sometimes they need dead code initializations.
584         But clang with suitable warnings will complain about unreachable code. So
585         use the quirk to include it conditionally.
586
587         * bytecode/CodeBlock.cpp:
588         (JSC::CodeBlock::printGetByIdOp):
589         * dfg/DFGOSRExitCompilerCommon.cpp:
590         (JSC::DFG::handleExitCounts):
591         * dfg/DFGPlan.cpp:
592         (JSC::DFG::Plan::compileInThread):
593         * dfg/DFGSpeculativeJIT.cpp:
594         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
595         * jsc.cpp:
596         * runtime/JSArray.cpp:
597         (JSC::JSArray::fillArgList):
598         (JSC::JSArray::copyToArguments):
599         * runtime/RegExp.cpp:
600         (JSC::RegExp::compile):
601         (JSC::RegExp::compileMatchOnly):
602
603 2014-09-06  Darin Adler  <darin@apple.com>
604
605         Make updates suggested by new version of Xcode
606         https://bugs.webkit.org/show_bug.cgi?id=136603
607
608         Reviewed by Mark Rowe.
609
610         * Configurations/Base.xcconfig: Added CLANG_WARN_UNREACHABLE_CODE, COMBINE_HIDPI_IMAGES,
611         and ENABLE_STRICT_OBJC_MSGSEND as suggested by Xcode upgrade check.
612
613         * JavaScriptCore.xcodeproj/project.pbxproj: Update LastUpgradeCheck.
614
615         * dfg/DFGSpeculativeJIT.cpp:
616         (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode): Compile out unreachable code
617         for clang, since it understands the code is unreachable.
618         * runtime/JSArray.cpp:
619         (JSC::JSArray::fillArgList): Ditto.
620         (JSC::JSArray::copyToArguments): Ditto.
621
622 2014-09-05  Matt Baker  <mattbaker@apple.com>
623
624         Web Inspector: breakpoint actions should work regardless of Content Security Policy
625         https://bugs.webkit.org/show_bug.cgi?id=136542
626
627         Reviewed by Mark Lam.
628
629         Added JSC::DebuggerEvalEnabler, an RAII object which enables eval on a 
630         JSGlobalObject for the duration of a scope, returning the eval enabled state to its
631         original value when the scope exits. Used by JSC::DebuggerCallFrame::evaluate 
632         to allow breakpoint actions to execute JS in pages with a Content Security Policy
633         that would normally prohibit this (such as Inspector's Main.html).
634
635         Refactored Inspector::InjectedScriptBase to use the RAII object instead of manually
636         setting eval enabled and then resetting the original eval enabled state.
637
638         NOTE: The JSC::DebuggerEvalEnabler constructor checks the passed in ExecState pointer
639         for null to be equivalent with the original code in Inspector::InjectedScriptBase.
640         InjectedScriptBase is getting the ExecState from ScriptObject::scriptState(), which
641         can currently be null.
642
643         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
644         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
645         * JavaScriptCore.xcodeproj/project.pbxproj:
646         * debugger/DebuggerCallFrame.cpp:
647         (JSC::DebuggerCallFrame::evaluate):
648         * debugger/DebuggerEvalEnabler.h: Added.
649         (JSC::DebuggerEvalEnabler::DebuggerEvalEnabler):
650         (JSC::DebuggerEvalEnabler::~DebuggerEvalEnabler):
651         * inspector/InjectedScriptBase.cpp:
652         (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):
653
654 2014-09-05  peavo@outlook.com  <peavo@outlook.com>
655
656         [WinCairo] jsc.exe won't run.
657         https://bugs.webkit.org/show_bug.cgi?id=136481
658
659         Reviewed by Alex Christensen.
660         
661         We need to define WIN_CAIRO to avoid looking for the AAS folder.
662
663         * JavaScriptCore.vcxproj/jsc/DLLLauncherWinCairo.props: Added.
664         * JavaScriptCore.vcxproj/jsc/jscLauncher.vcxproj:
665         * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncher.vcxproj:
666         * JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props:
667         * JavaScriptCore.vcxproj/testapi/testapiLauncher.vcxproj:
668
669 2014-09-05  David Kilzer  <ddkilzer@apple.com>
670
671         JavaScriptCore should build with newer clang
672         <http://webkit.org/b/136002>
673         <rdar://problem/18020616>
674
675         Reviewed by Geoffrey Garen.
676
677         Other than the JSC::SourceProvider::asID() change (which simply
678         removes code that the optimizing compiler would have discarded
679         in Release builds), we move the |this| checks in OpaqueJSString
680         to NULL checks in JSBase, JSObjectRef, JSScriptRef,
681         JSStringRef{CF} and JSValueRef.
682
683         Note that the following function arguments are _not_ NULL-checked
684         since doing so would just cover up bugs (and were not needed to
685         prevent any tests from failing):
686         - |script| in JSEvaluateScript(), JSCheckScriptSyntax();
687         - |body| in JSObjectMakeFunction();
688         - |source| in JSScriptCreateReferencingImmortalASCIIText()
689           (which is a const char* anyway);
690         - |source| in JSScriptCreateFromString().
691
692         * API/JSBase.cpp:
693         (JSEvaluateScript): Add NULL check for |sourceURL|.
694         (JSCheckScriptSyntax): Ditto.
695         * API/JSObjectRef.cpp:
696         (JSObjectMakeFunction): Ditto.
697         * API/JSScriptRef.cpp:
698         (JSScriptCreateReferencingImmortalASCIIText): Ditto.
699         (JSScriptCreateFromString): Add NULL check for |url|.
700         * API/JSStringRef.cpp:
701         (JSStringGetLength): Return early if NULL pointer is passed in.
702         (JSStringGetCharactersPtr): Ditto.
703         (JSStringGetUTF8CString): Ditto.  Also check |buffer| parameter.
704         * API/JSStringRefCF.cpp:
705         (JSStringCopyCFString): Ditto.
706         * API/JSValueRef.cpp:
707         (JSValueMakeString): Add NULL check for |string|.
708
709         * API/OpaqueJSString.cpp:
710         (OpaqueJSString::string): Remove code that checks |this|.
711         (OpaqueJSString::identifier): Ditto.
712         (OpaqueJSString::characters): Ditto.
713         * API/OpaqueJSString.h:
714         (OpaqueJSString::is8Bit): Remove code that checks |this|.
715         (OpaqueJSString::characters8): Ditto.
716         (OpaqueJSString::characters16): Ditto.
717         (OpaqueJSString::length): Ditto.
718
719         * parser/SourceProvider.h:
720         (JSC::SourceProvider::asID): Remove code that checks |this|.
721
722 2014-06-06  Jer Noble  <jer.noble@apple.com>
723
724         Refactoring: make MediaTime the primary time type for audiovisual times.
725         https://bugs.webkit.org/show_bug.cgi?id=133579
726
727         Reviewed by Eric Carlson.
728
729         Add a utility function which converts a MediaTime to a JSNumber.
730
731         * runtime/JSCJSValue.h:
732         (JSC::jsNumber):
733
734 2014-09-04  Michael Saboff  <msaboff@apple.com>
735
736         ARM: Add more coverage to ARMv7 disassembler
737         https://bugs.webkit.org/show_bug.cgi?id=136565
738
739         Reviewed by Mark Lam.
740
741         Added ARMV7 disassembler support for Push/Pop multiple and floating point instructions
742         VCMP, VCVT[R] between floating point and integer, and VLDR.
743
744         * disassembler/ARMv7/ARMv7DOpcode.cpp:
745         (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::appendRegisterList):
746         (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPopMultiple::format):
747         (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushMultiple::format):
748         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::format):
749         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::format):
750         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::format):
751         * disassembler/ARMv7/ARMv7DOpcode.h:
752         (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::registerList):
753         (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::condition):
754         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::condition):
755         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::dBit):
756         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::vd):
757         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::szBit):
758         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::eBit):
759         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::mBit):
760         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::vm):
761         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::condition):
762         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::dBit):
763         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::op2):
764         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::vd):
765         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::szBit):
766         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::op):
767         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::mBit):
768         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::vm):
769         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::condition):
770         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::uBit):
771         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::rn):
772         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::vd):
773         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::doubleReg):
774         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::immediate8):
775
776 2014-09-04  Mark Lam  <mark.lam@apple.com>
777
778         Move PropertySlot's inline functions back to PropertySlot.h.
779         <https://webkit.org/b/136547>
780
781         Reviewed by Filip Pizlo.
782
783         * runtime/JSObject.h:
784         (JSC::PropertySlot::getValue): Deleted.
785         * runtime/PropertySlot.h:
786         (JSC::PropertySlot::getValue):
787
788 2014-09-04  Filip Pizlo  <fpizlo@apple.com>
789
790         Make sure that deleting all code first processes the call edge log, and reenable call edge profiling.
791
792         Rubber stamped by Sam Weinig.
793
794         * debugger/Debugger.cpp:
795         (JSC::Debugger::forEachCodeBlock):
796         (JSC::Debugger::setSteppingMode):
797         (JSC::Debugger::recompileAllJSFunctions):
798         * inspector/agents/InspectorRuntimeAgent.cpp:
799         (Inspector::recompileAllJSFunctionsForTypeProfiling):
800         * runtime/Options.h: Reenable call edge profiling.
801         * runtime/VM.cpp:
802         (JSC::VM::prepareToDiscardCode): Make sure this also processes the call edge log, in case any call edge profiles are about to be destroyed.
803         (JSC::VM::discardAllCode):
804         (JSC::VM::releaseExecutableMemory):
805         (JSC::VM::setEnabledProfiler):
806         (JSC::VM::waitForCompilationsToComplete): Deleted.
807         * runtime/VM.h: Rename waitForCompilationsToComplete() back to prepareToDiscardCode() because the purpose of the method - now as ever - is to do all of the things that need to be done to ensure that code may be safely deleted.
808
809 2014-09-04  Akos Kiss  <akiss@inf.u-szeged.hu>
810
811         Ensure that the call frame set up by vmEntryToNative does not overlap with the stack of the callee
812         https://bugs.webkit.org/show_bug.cgi?id=136485
813
814         Reviewed by Michael Saboff.
815
816         Changed makeHostFunctionCall to keep the stack pointer above the call
817         frame set up by doVMEntry. Thus the callee cannot overwrite the top
818         of the call frame.
819
820         Refactored the two (32_64 and 64) versions of makeHostFunctionCall to be
821         more alike to help future maintenance.
822
823         * llint/LowLevelInterpreter32_64.asm:
824         * llint/LowLevelInterpreter64.asm:
825
826 2014-09-04  Michael Saboff  <msaboff@apple.com>
827
828         REGRESSION(r173031): crashes during run-layout-jsc on x86/Linux
829         https://bugs.webkit.org/show_bug.cgi?id=136436
830
831         Reviewed by Geoffrey Garen.
832
833         Instead of trying to calculate a stack pointer that allows for possible
834         stacked argument space, just use the "home" stack pointer location.
835         That stack pointer provides space for the worst case number of stacked
836         arguments on architectures that use stacked arguments.  It also provides
837         stack space so that the return PC and caller frame pointer that are stored
838         as part of making the call to operationCallEval will not overwrite any part
839         of the callee frame created on the stack.
840
841         Changed compileCallEval() to use the stackPointer value of the calling
842         function.  That stack pointer is calculated to have enough space for
843         outgoing stacked arguments.  By moving the stack pointer to its "home"
844         position, the caller frame and return PC are not set as part of making
845         the call to operationCallEval().  Moved the explicit setting of the
846         callerFrame field of the callee CallFrame from operationCallEval() to
847         compileCallEval() since it has been the artifact of making a call for
848         most architectures.  Simplified the exception logic in compileCallEval()
849         as a result of the change.  To be compliant with the stack state
850         expected by virtualCallThunkGenerator(), moved the stack pointer to
851         point above the CallerFrameAndPC of the callee CallFrame.
852
853         * jit/JIT.h: Changed callOperationNoExceptionCheck(J_JITOperation_EE, ...)
854         to callOperation(J_JITOperation_EE, ...) as it now can do a typical exception
855         check.
856         * jit/JITCall.cpp & jit/JITCall32_64.cpp:
857         (JSC::JIT::compileCallEval): Use the home stack pointer when making the call
858         to operationCallEval.  Since the stack pointer adjustment no longer needs
859         to be done after making the call to operationCallEval(), the exception check
860         logic can be simplified.
861         (JSC::JIT::compileCallEvalSlowCase): Restored the stack pointer to point
862         to above the calleeFrame as this is what the generated thunk expects.
863         * jit/JITInlines.h:
864         (JSC::JIT::callOperation): Refactor of callOperationNoExceptionCheck
865         with the addition of a standard exception check.
866         (JSC::JIT::callOperationNoExceptionCheck): Deleted.
867         * jit/JITOperations.cpp:
868         (JSC::operationCallEval): Eliminated the explicit setting of caller frame
869         as that is now done in the code generated by compileCallEval().
870
871 2014-09-03  Filip Pizlo  <fpizlo@apple.com>
872
873         Beef up the DFG's CFG analyses to include iterated dominance frontiers and more user-friendly BlockSets
874         https://bugs.webkit.org/show_bug.cgi?id=136520
875
876         Reviewed by Geoffrey Garen.
877         
878         Add code to compute iterated dominance frontiers. This involves using BlockSet a lot, so
879         this patch also makes BlockSet a lot more user-friendly.
880
881         * CMakeLists.txt:
882         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
883         * JavaScriptCore.xcodeproj/project.pbxproj:
884         * dfg/DFGBasicBlock.h:
885         * dfg/DFGBlockSet.cpp: Added.
886         (JSC::DFG::BlockSet::dump):
887         * dfg/DFGBlockSet.h:
888         (JSC::DFG::BlockSet::iterator::iterator):
889         (JSC::DFG::BlockSet::iterator::operator++):
890         (JSC::DFG::BlockSet::iterator::operator==):
891         (JSC::DFG::BlockSet::iterator::operator!=):
892         (JSC::DFG::BlockSet::Iterable::Iterable):
893         (JSC::DFG::BlockSet::Iterable::begin):
894         (JSC::DFG::BlockSet::Iterable::end):
895         (JSC::DFG::BlockSet::iterable):
896         (JSC::DFG::BlockAdder::BlockAdder):
897         (JSC::DFG::BlockAdder::operator()):
898         * dfg/DFGBlockSetInlines.h: Added.
899         (JSC::DFG::BlockSet::iterator::operator*):
900         * dfg/DFGDominators.cpp:
901         (JSC::DFG::Dominators::strictDominatorsOf):
902         (JSC::DFG::Dominators::dominatorsOf):
903         (JSC::DFG::Dominators::blocksStrictlyDominatedBy):
904         (JSC::DFG::Dominators::blocksDominatedBy):
905         (JSC::DFG::Dominators::dominanceFrontierOf):
906         (JSC::DFG::Dominators::iteratedDominanceFrontierOf):
907         * dfg/DFGDominators.h:
908         (JSC::DFG::Dominators::forAllStrictDominatorsOf):
909         (JSC::DFG::Dominators::forAllDominatorsOf):
910         (JSC::DFG::Dominators::forAllBlocksStrictlyDominatedBy):
911         (JSC::DFG::Dominators::forAllBlocksDominatedBy):
912         (JSC::DFG::Dominators::forAllBlocksInDominanceFrontierOf):
913         (JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOf):
914         (JSC::DFG::Dominators::forAllBlocksInDominanceFrontierOfImpl):
915         (JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOfImpl):
916         * dfg/DFGGraph.cpp:
917         (JSC::DFG::Graph::dumpBlockHeader):
918         * dfg/DFGInvalidationPointInjectionPhase.cpp:
919         (JSC::DFG::InvalidationPointInjectionPhase::run):
920
921 2014-09-04  Mark Lam  <mark.lam@apple.com>
922
923         Fixed indentations and some style warnings in JavaScriptCore/runtime.
924         <https://webkit.org/b/136518>
925
926         Reviewed by Michael Saboff.
927
928         Also removed some superfluous spaces.  There are no semantic changes.
929
930         * runtime/Completion.h:
931         * runtime/ConstructData.h:
932         * runtime/DateConstructor.h:
933         * runtime/DateInstance.h:
934         * runtime/DateInstanceCache.h:
935         * runtime/DatePrototype.h:
936         * runtime/Error.h:
937         * runtime/ErrorConstructor.h:
938         * runtime/ErrorInstance.h:
939         * runtime/ErrorPrototype.h:
940         * runtime/FunctionConstructor.h:
941         * runtime/FunctionPrototype.h:
942         * runtime/GetterSetter.h:
943         * runtime/Identifier.h:
944         * runtime/InitializeThreading.h:
945         * runtime/InternalFunction.h:
946         * runtime/JSAPIValueWrapper.h:
947         * runtime/JSFunction.h:
948         * runtime/JSLock.h:
949         * runtime/JSNotAnObject.h:
950         * runtime/JSONObject.h:
951         * runtime/JSString.h:
952         * runtime/JSTypeInfo.h:
953         * runtime/JSWrapperObject.h:
954         * runtime/Lookup.h:
955         * runtime/MathObject.h:
956         * runtime/NativeErrorConstructor.h:
957         * runtime/NativeErrorPrototype.h:
958         * runtime/NumberConstructor.h:
959         * runtime/NumberObject.h:
960         * runtime/NumberPrototype.h:
961         * runtime/NumericStrings.h:
962         * runtime/ObjectConstructor.h:
963         * runtime/ObjectPrototype.h:
964         * runtime/PropertyDescriptor.h:
965         * runtime/Protect.h:
966         * runtime/PutPropertySlot.h:
967         * runtime/RegExp.h:
968         * runtime/RegExpCachedResult.h:
969         * runtime/RegExpConstructor.h:
970         * runtime/RegExpMatchesArray.h:
971         * runtime/RegExpObject.h:
972         * runtime/RegExpPrototype.h:
973         * runtime/SmallStrings.h:
974         * runtime/StringConstructor.h:
975         * runtime/StringObject.h:
976         * runtime/StringPrototype.h:
977         * runtime/StructureChain.h:
978         * runtime/VM.h:
979
980 2014-09-04  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>
981
982         Remove CSS_FILTERS flag
983         https://bugs.webkit.org/show_bug.cgi?id=136529
984
985         Reviewed by Dirk Schulze.
986
987         * Configurations/FeatureDefines.xcconfig:
988
989 2014-09-04  Commit Queue  <commit-queue@webkit.org>
990
991         Unreviewed, rolling out r173248.
992         https://bugs.webkit.org/show_bug.cgi?id=136536
993
994         call edge profiling and polymorphic call inlining are still
995         causing crashes (Requested by eric_carlson on #webkit).
996
997         Reverted changeset:
998
999         "Reenable call edge profiling and polymorphic call inlining,
1000         now that a bunch of the bugs"
1001         http://trac.webkit.org/changeset/173248
1002
1003 2014-09-04  Brian J. Burg  <burg@cs.washington.edu>
1004
1005         Web Inspector: the profiler should not accrue time to nodes while the debugger is paused
1006         https://bugs.webkit.org/show_bug.cgi?id=136352
1007
1008         Reviewed by Timothy Hatcher.
1009
1010         Hook up pause/continue events to the LegacyProfiler and any active
1011         ProfilerGenerators. If the debugger is paused, all intervening call
1012         entries will be created with totalTime as 0.0.
1013
1014         * inspector/ScriptDebugServer.cpp:
1015         (Inspector::ScriptDebugServer::handlePause):
1016         * profiler/LegacyProfiler.cpp: Move from typedef'd callbacks to using
1017         std::function. This allows callbacks to take different argument types.
1018
1019         (JSC::callFunctionForProfilesWithGroup):
1020         (JSC::LegacyProfiler::willExecute):
1021         (JSC::LegacyProfiler::didExecute):
1022         (JSC::LegacyProfiler::exceptionUnwind):
1023         (JSC::LegacyProfiler::didPause):
1024         (JSC::LegacyProfiler::didContinue):
1025         (JSC::dispatchFunctionToProfiles): Deleted.
1026         * profiler/LegacyProfiler.h:
1027         * profiler/ProfileGenerator.cpp:
1028         (JSC::ProfileGenerator::ProfileGenerator):
1029         (JSC::ProfileGenerator::endCallEntry):
1030         (JSC::ProfileGenerator::didExecute): Deleted.
1031         * profiler/ProfileGenerator.h:
1032         (JSC::ProfileGenerator::didPause):
1033         (JSC::ProfileGenerator::didContinue):
1034
1035 2014-09-04  Commit Queue  <commit-queue@webkit.org>
1036
1037         Unreviewed, rolling out r173245.
1038         https://bugs.webkit.org/show_bug.cgi?id=136533
1039
1040         Broke JSC tests. (Requested by ddkilzer on #webkit).
1041
1042         Reverted changeset:
1043
1044         "JavaScriptCore should build with newer clang"
1045         https://bugs.webkit.org/show_bug.cgi?id=136002
1046         http://trac.webkit.org/changeset/173245
1047
1048 2014-09-04  Brian J. Burg  <burg@cs.washington.edu>
1049
1050         LegacyProfiler: ProfileNodes should be used more like structs
1051         https://bugs.webkit.org/show_bug.cgi?id=136381
1052
1053         Reviewed by Timothy Hatcher.
1054
1055         Previously, both the profile generator and individual profile nodes
1056         were collectively responsible for creating new Call entries and
1057         maintaining data structure invariants. This complexity is unnecessary.
1058
1059         This patch centralizes profile data creation inside the profile generator.
1060         The profile nodes manage nextSibling and parent pointers, but do not
1061         collect the current time or create new Call entries themselves.
1062
1063         Since ProfileNode::nextSibling and its callers are only used within
1064         debug printing code, it should be compiled out for release builds.
1065
1066         * profiler/ProfileGenerator.cpp:
1067         (JSC::ProfileGenerator::ProfileGenerator):
1068         (JSC::AddParentForConsoleStartFunctor::operator()):
1069         (JSC::ProfileGenerator::beginCallEntry): create a new Call entry.
1070         (JSC::ProfileGenerator::endCallEntry): finish the last Call entry.
1071         (JSC::ProfileGenerator::willExecute): inline ProfileNode::willExecute()
1072         (JSC::ProfileGenerator::didExecute): inline ProfileNode::didExecute()
1073         (JSC::ProfileGenerator::stopProfiling): Only walk up the spine.
1074         (JSC::ProfileGenerator::removeProfileStart):
1075         (JSC::ProfileGenerator::removeProfileEnd):
1076         * profiler/ProfileGenerator.h:
1077         * profiler/ProfileNode.cpp:
1078         (JSC::ProfileNode::ProfileNode):
1079         (JSC::ProfileNode::addChild):
1080         (JSC::ProfileNode::removeChild):
1081         (JSC::ProfileNode::spliceNode): Renamed from insertNode.
1082         (JSC::ProfileNode::debugPrintRecursively):
1083         (JSC::ProfileNode::willExecute): Deleted.
1084         (JSC::ProfileNode::insertNode): Deleted.
1085         (JSC::ProfileNode::stopProfiling): Deleted.
1086         (JSC::ProfileNode::traverseNextNodePostOrder):
1087         (JSC::ProfileNode::endAndRecordCall): Deleted.
1088         (JSC::ProfileNode::debugPrintDataSampleStyle):
1089         * profiler/ProfileNode.h:
1090         (JSC::ProfileNode::Call::setStartTime):
1091         (JSC::ProfileNode::Call::setTotalTime):
1092         (JSC::ProfileNode::appendCall):
1093         (JSC::ProfileNode::firstChild):
1094         (JSC::ProfileNode::lastChild):
1095         (JSC::ProfileNode::nextSibling):
1096         (JSC::ProfileNode::setNextSibling):
1097
1098 2014-09-02  Brian J. Burg  <burg@cs.washington.edu>
1099
1100         Web Inspector: fix prefixes for subclasses of JSC::ConsoleClient
1101         https://bugs.webkit.org/show_bug.cgi?id=136476
1102
1103         Reviewed by Timothy Hatcher.
1104
1105         * CMakeLists.txt:
1106         * JavaScriptCore.xcodeproj/project.pbxproj:
1107         * inspector/JSGlobalObjectConsoleClient.cpp: Renamed from Source/JavaScriptCore/inspector/JSConsoleClient.cpp.
1108         * inspector/JSGlobalObjectConsoleClient.h: Renamed from Source/JavaScriptCore/inspector/JSConsoleClient.h.
1109         * inspector/JSGlobalObjectInspectorController.cpp:
1110         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1111         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
1112         * inspector/JSGlobalObjectInspectorController.h:
1113
1114 2014-09-03  Filip Pizlo  <fpizlo@apple.com>
1115
1116         Reenable call edge profiling and polymorphic call inlining, now that a bunch of the bugs
1117         are fixed.
1118
1119         * runtime/Options.h:
1120
1121 2014-09-03  David Kilzer  <ddkilzer@apple.com>
1122
1123         JavaScriptCore should build with newer clang
1124         <http://webkit.org/b/136002>
1125         <rdar://problem/18020616>
1126
1127         Reviewed by Geoffrey Garen.
1128
1129         Other than the JSC::SourceProvider::asID() change (which simply
1130         removes code that the optimizing compiler would have discarded
1131         in Release builds), we move the |this| checks in OpaqueJSString
1132         to NULL checks in JSBase, JSScriptRef, JSStringRef{CF} and
1133         JSValueRef.
1134
1135         * API/JSBase.cpp:
1136         (JSEvaluateScript): Use String() in case |script| or |sourceURL|
1137         are NULL.
1138         * API/JSScriptRef.cpp:
1139         (JSScriptCreateReferencingImmortalASCIIText): Use String() in
1140         case |url| is NULL.
1141         * API/JSStringRef.cpp:
1142         (JSStringGetLength): Return early if NULL pointer is passed in.
1143         (JSStringGetCharactersPtr): Ditto.
1144         (JSStringGetUTF8CString): Ditto.  Also check |buffer| parameter.
1145         * API/JSStringRefCF.cpp:
1146         (JSStringCopyCFString): Ditto.
1147         * API/JSValueRef.cpp:
1148         (JSValueMakeString): Use String() in case |string| is NULL.
1149
1150         * API/OpaqueJSString.cpp:
1151         (OpaqueJSString::string): Remove code that checks |this|.
1152         (OpaqueJSString::identifier): Ditto.
1153         (OpaqueJSString::characters): Ditto.
1154         * API/OpaqueJSString.h:
1155         (OpaqueJSString::is8Bit): Remove code that checks |this|.
1156         (OpaqueJSString::characters8): Ditto.
1157         (OpaqueJSString::characters16): Ditto.
1158         (OpaqueJSString::length): Ditto.
1159
1160         * parser/SourceProvider.h:
1161         (JSC::SourceProvider::asID): Remove code that checks |this|.
1162
1163 2014-09-03  Filip Pizlo  <fpizlo@apple.com>
1164
1165         CallEdgeProfile::visitWeak() shouldn't attempt to despecify empty profiles
1166         https://bugs.webkit.org/show_bug.cgi?id=136511
1167
1168         Reviewed by Geoffrey Garen.
1169
1170         * bytecode/CallEdgeProfile.cpp:
1171         (JSC::CallEdgeProfile::worthDespecifying):
1172         (JSC::CallEdgeProfile::visitWeak):
1173         (JSC::CallEdgeProfile::mergeBack):
1174
1175 2014-09-03  David Kilzer  <ddkilzer@apple.com>
1176
1177         REGRESSION (r167325): (null) entry added to Xcode project file when JSBoundFunction.h was removed
1178         <http://webkit.org/b/136509>
1179
1180         Reviewed by Daniel Bates.
1181
1182         * JavaScriptCore.xcodeproj/project.pbxproj: Remove the (null)
1183         entry left behind when JSBoundFunction.h was removed.
1184
1185 2014-09-03  Joseph Pecoraro  <pecoraro@apple.com>
1186
1187         Avoid warning if a process does not have access to com.apple.webinspector
1188         https://bugs.webkit.org/show_bug.cgi?id=136473
1189
1190         Reviewed by Alexey Proskuryakov.
1191
1192         Pre-check for access to the mach port to avoid emitting warnings
1193         in syslog for processes that do not have access.
1194
1195         * inspector/remote/RemoteInspector.mm:
1196         (Inspector::canAccessWebInspectorMachPort):
1197         (Inspector::RemoteInspector::shared):
1198
1199 2014-09-03  Filip Pizlo  <fpizlo@apple.com>
1200
1201         Temporarily disable call edge profiling. It is causing crashes and I'm still investigating
1202         them.
1203
1204         * runtime/Options.h:
1205
1206 2014-09-03  Balazs Kilvady  <kilvadyb@homejinni.com>
1207
1208         [MIPS] Wrong register usage in LLInt op_catch.
1209         https://bugs.webkit.org/show_bug.cgi?id=125168
1210
1211         Reviewed by Geoffrey Garen.
1212
1213         Fix register usage and add PIC header to all the ops in LLInt.
1214
1215         * offlineasm/instructions.rb:
1216         * offlineasm/mips.rb:
1217
1218 2014-09-03  Saam Barati  <saambarati1@gmail.com>
1219
1220         Create tests for type profiling
1221         https://bugs.webkit.org/show_bug.cgi?id=136161
1222
1223         Reviewed by Geoffrey Garen.
1224
1225         The type profiler is now being tested. These are basic tests that don't 
1226         check every edge case, but will catch any major failures in the type profiler. 
1227         These tests cover:
1228         - The basic, inheritance-based type system in TypeSet.
1229         - Function return types.
1230         - Correct merging of types for multiple assignments to one variable.
1231
1232         This patch also provides an API for writing new tests for
1233         the type profiler. The API works by passing in a function and a 
1234         unique substring of an expression contained in that function, and 
1235         returns an object representing type information for that expression.
1236
1237         * jsc.cpp:
1238         (GlobalObject::finishCreation):
1239         (functionFindTypeForExpression):
1240         (functionReturnTypeFor):
1241         * runtime/TypeProfiler.cpp:
1242         (JSC::TypeProfiler::typeInformationForExpressionAtOffset):
1243         * runtime/TypeProfiler.h:
1244         * runtime/TypeProfilerLog.h:
1245         * runtime/TypeSet.cpp:
1246         (JSC::TypeSet::toJSONString):
1247         (JSC::StructureShape::toJSONString):
1248         * runtime/TypeSet.h:
1249         * tests/typeProfiler: Added.
1250         * tests/typeProfiler.yaml: Added.
1251         * tests/typeProfiler/basic.js: Added.
1252         (wrapper.foo):
1253         (wrapper):
1254         * tests/typeProfiler/captured.js: Added.
1255         (wrapper.changeFoo):
1256         (wrapper):
1257         * tests/typeProfiler/driver: Added.
1258         * tests/typeProfiler/driver/driver.js: Added.
1259         (assert):
1260         * tests/typeProfiler/inheritance.js: Added.
1261         (wrapper.A):
1262         (wrapper.B):
1263         (wrapper.C):
1264         (wrapper):
1265         * tests/typeProfiler/return.js: Added.
1266         (foo):
1267         (Ctor):
1268
1269 2014-09-03  Julien Brianceau   <jbriance@cisco.com>
1270
1271         Add missing implementations to fix build for sh4 architecture
1272         https://bugs.webkit.org/show_bug.cgi?id=136455
1273
1274         Reviewed by Geoffrey Garen.
1275
1276         * assembler/MacroAssemblerSH4.h:
1277         (JSC::MacroAssemblerSH4::store8):
1278         (JSC::MacroAssemblerSH4::moveWithPatch):
1279         (JSC::MacroAssemblerSH4::branchAdd32):
1280         (JSC::MacroAssemblerSH4::branch32WithPatch):
1281         (JSC::MacroAssemblerSH4::abortWithReason):
1282         (JSC::MacroAssemblerSH4::canJumpReplacePatchableBranch32WithPatch):
1283         (JSC::MacroAssemblerSH4::startOfPatchableBranch32WithPatchOnAddress):
1284         (JSC::MacroAssemblerSH4::revertJumpReplacementToPatchableBranch32WithPatch):
1285         * jit/AssemblyHelpers.h:
1286         (JSC::AssemblyHelpers::emitFunctionPrologue):
1287         (JSC::AssemblyHelpers::emitFunctionEpilogue):
1288
1289 2014-09-03  Dan Bernstein  <mitz@apple.com>
1290
1291         Get rid of HIGH_DPI_CANVAS leftovers
1292         https://bugs.webkit.org/show_bug.cgi?id=136491
1293
1294         Reviewed by Benjamin Poulain.
1295
1296         * Configurations/FeatureDefines.xcconfig: Removed definition of ENABLE_HIGH_DPI_CANVAS
1297         and removed it from FEATURE_DEFINES.
1298
1299 2014-09-03  Filip Pizlo  <fpizlo@apple.com>
1300
1301         CallEdgeProfile::visitWeak() should gracefully handle the case where primaryCallee duplicates an entry in otherCallees
1302         https://bugs.webkit.org/show_bug.cgi?id=136490
1303
1304         Reviewed by Geoffrey Garen.
1305
1306         * bytecode/CallEdgeProfile.cpp:
1307         (JSC::CallEdgeProfile::visitWeak):
1308
1309 2014-09-03  Filip Pizlo  <fpizlo@apple.com>
1310
1311         FTL In implementation sets callReturnLocation incorrectly leading to crashes beneath repatchCall()
1312         https://bugs.webkit.org/show_bug.cgi?id=136488
1313
1314         Reviewed by Mark Hahnenberg.
1315
1316         * ftl/FTLCompile.cpp:
1317         (JSC::FTL::generateCheckInICFastPath): The call is in the slow path.
1318         * tests/stress/ftl-in-overflow.js: Added. This used to crash 100% of the time with FTL enabled.
1319         (foo):
1320
1321 2014-09-03  Akos Kiss  <akiss@inf.u-szeged.hu>
1322
1323         Don't generate superfluous mov instructions for move immediate on ARM64.
1324         https://bugs.webkit.org/show_bug.cgi?id=136435
1325
1326         Reviewed by Michael Saboff.
1327
1328         On ARM64, the size of an immediate operand for a mov instruction is 16
1329         bits. Thus, a move immediate offlineasm instruction may potentially be
1330         split up to several machine level instructions. The current
1331         implementation always emits a mov for the least significant 16 bits of
1332         the value. However, if any of the bits 63:16 are significant then the
1333         first emitted mov already filled bits 15:0 with zeroes (or ones, for
1334         negative values). So, if bits 15:0 of the value are all zeroes (or ones)
1335         then the last mov does not need to be emitted.
1336
1337         * offlineasm/arm64.rb:
1338
1339 2014-09-02  Brian J. Burg  <burg@cs.washington.edu>
1340
1341         LegacyProfiler: remove redundant ProfileNode members and other cleanup
1342         https://bugs.webkit.org/show_bug.cgi?id=136380
1343
1344         Reviewed by Timothy Hatcher.
1345
1346         ProfileNode's selfTime and totalTime members are redundant and only used
1347         for dumping profile data from debug-only code. Remove the members and compute
1348         the same data on-demand when necessary using a postorder traversal functor.
1349
1350         Remove ProfileNode.head since it is only used to calculate percentages for
1351         dumped profile data. This can be explicitly passed around when needed.
1352
1353         Rename Profile.head to Profile.rootNode, and other various renamings.
1354
1355         Rearrange some header includes so that touching LegacyProfiler-related headers
1356         will no longer cause a full rebuild.
1357
1358         * inspector/JSConsoleClient.cpp: Add header include.
1359         * inspector/agents/InspectorProfilerAgent.cpp:
1360         (Inspector::InspectorProfilerAgent::buildProfileInspectorObject):
1361         * inspector/protocol/Profiler.json: Remove unused Profile.idleTime member.
1362         * jit/JIT.h: Remove header include.
1363         * jit/JITCode.h: Remove header include.
1364         * jit/JITOperations.cpp: Sort and add header include.
1365         * llint/LLIntSlowPaths.cpp: Sort and add header include.
1366         * profiler/Profile.cpp: Rename the debug dumping functions. Move the node
1367         postorder traversal code to ProfileNode so we can traverse any subtree.
1368         (JSC::Profile::Profile):
1369         (JSC::Profile::debugPrint):
1370         (JSC::Profile::debugPrintSampleStyle):
1371         (JSC::Profile::forEach): Deleted.
1372         (JSC::Profile::debugPrintData): Deleted.
1373         (JSC::Profile::debugPrintDataSampleStyle): Deleted.
1374         * profiler/Profile.h:
1375         * profiler/ProfileGenerator.cpp:
1376         (JSC::ProfileGenerator::ProfileGenerator):
1377         (JSC::AddParentForConsoleStartFunctor::AddParentForConsoleStartFunctor):
1378         (JSC::AddParentForConsoleStartFunctor::operator()):
1379         (JSC::ProfileGenerator::addParentForConsoleStart):
1380         (JSC::ProfileGenerator::didExecute):
1381         (JSC::StopProfilingFunctor::operator()):
1382         (JSC::ProfileGenerator::stopProfiling):
1383         (JSC::ProfileGenerator::removeProfileStart):
1384         (JSC::ProfileGenerator::removeProfileEnd):
1385         * profiler/ProfileGenerator.h:
1386         * profiler/ProfileNode.cpp:
1387         (JSC::ProfileNode::ProfileNode):
1388         (JSC::ProfileNode::willExecute):
1389         (JSC::ProfileNode::removeChild):
1390         (JSC::ProfileNode::stopProfiling):
1391         (JSC::ProfileNode::endAndRecordCall):
1392         (JSC::ProfileNode::debugPrint):
1393         (JSC::ProfileNode::debugPrintSampleStyle):
1394         (JSC::ProfileNode::debugPrintRecursively):
1395         (JSC::ProfileNode::debugPrintSampleStyleRecursively):
1396         (JSC::ProfileNode::debugPrintData): Deleted.
1397         (JSC::ProfileNode::debugPrintDataSampleStyle): Deleted.
1398         * profiler/ProfileNode.h: Calculate per-node self and total times using a postorder traversal.
1399         The forEachNodePostorder functor traverses the subtree rooted at |this|.
1400         (JSC::ProfileNode::create):
1401         (JSC::ProfileNode::calls):
1402         (JSC::ProfileNode::forEachNodePostorder):
1403         (JSC::CalculateProfileSubtreeDataFunctor::returnValue):
1404         (JSC::CalculateProfileSubtreeDataFunctor::operator()):
1405         (JSC::ProfileNode::head): Deleted.
1406         (JSC::ProfileNode::setHead): Deleted.
1407         (JSC::ProfileNode::totalTime): Deleted.
1408         (JSC::ProfileNode::setTotalTime): Deleted.
1409         (JSC::ProfileNode::selfTime): Deleted.
1410         (JSC::ProfileNode::setSelfTime): Deleted.
1411         (JSC::ProfileNode::totalPercent): Deleted.
1412         (JSC::ProfileNode::selfPercent): Deleted.
1413         * runtime/ConsoleClient.h: Remove header include.
1414
1415 2014-09-02  Brian J. Burg  <burg@cs.washington.edu>
1416
1417         Web Inspector: remove ProfilerAgent and legacy profiler files in the frontend
1418         https://bugs.webkit.org/show_bug.cgi?id=136462
1419
1420         Reviewed by Timothy Hatcher.
1421
1422         It's not used by the frontend anymore.
1423
1424         * CMakeLists.txt:
1425         * DerivedSources.make:
1426         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1427         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1428         * JavaScriptCore.xcodeproj/project.pbxproj:
1429
1430         * inspector/JSConsoleClient.cpp:
1431         (Inspector::JSConsoleClient::JSConsoleClient): Stub out console.profile/profileEnd
1432         methods since they didn't work for JSContexts anyway.
1433         (Inspector::JSConsoleClient::profile):
1434         (Inspector::JSConsoleClient::profileEnd):
1435         * inspector/JSConsoleClient.h:
1436
1437         * inspector/JSGlobalObjectInspectorController.cpp:
1438         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1439         * inspector/agents/InspectorProfilerAgent.cpp: Removed.
1440         * inspector/agents/InspectorProfilerAgent.h: Removed.
1441         * inspector/agents/JSGlobalObjectProfilerAgent.cpp: Removed.
1442         * inspector/agents/JSGlobalObjectProfilerAgent.h: Removed.
1443         * inspector/protocol/Profiler.json: Removed.
1444
1445 2014-09-02  Andreas Kling  <akling@apple.com>
1446
1447         Optimize own property GetByVals with rope string subscripts.
1448         <https://webkit.org/b/136458>
1449
1450         For simple JSObjects that don't override getOwnPropertySlot to implement
1451         custom properties, we have a fast path that grabs directly at the object
1452         property storage.
1453
1454         Make this fast path even faster when the property name is an unresolved
1455         rope string by using JSString::toExistingAtomicString(). This is faster
1456         because it avoids allocating a new StringImpl if the string is already
1457         a known Identifier, which is guaranteed to be the case if it's present
1458         as an own property on the object.
1459
1460         ~10% speed-up on Dromaeo/dom-attr.html
1461
1462         Reviewed by Geoffrey Garen.
1463
1464         * dfg/DFGOperations.cpp:
1465         * jit/JITOperations.cpp:
1466         (JSC::getByVal):
1467         * llint/LLIntSlowPaths.cpp:
1468         (JSC::LLInt::getByVal):
1469
1470             When using the fastGetOwnProperty() optimization, get the String
1471             out of JSString by using toExistingAtomicString(). This avoids
1472             StringImpl allocation and lets us bypass the PropertyTable lookup
1473             entirely if no AtomicString is found.
1474
1475         * runtime/JSCell.h:
1476         * runtime/JSCellInlines.h:
1477         (JSC::JSCell::fastGetOwnProperty):
1478
1479             Make fastGetOwnProperty() take a PropertyName instead of a String.
1480             This avoids churning the ref count, since we don't need to create
1481             a temporary wrapper around the AtomicStringImpl* found in GetByVal.
1482
1483         * runtime/PropertyName.h:
1484         (JSC::PropertyName::PropertyName):
1485
1486             Add constructor: PropertyName(AtomicStringImpl*)
1487
1488         * runtime/PropertyMapHashTable.h:
1489         (JSC::PropertyTable::get):
1490         (JSC::PropertyTable::findWithString): Deleted.
1491         * runtime/Structure.h:
1492         * runtime/StructureInlines.h:
1493         (JSC::Structure::get):
1494
1495             Remove code for querying a PropertyTable with an unhashed string key
1496             since the only client is now gone.
1497
1498 2014-09-02  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>
1499
1500         [ARM] MacroAssembler generating incorrect code on ARM32 Traditional
1501         https://bugs.webkit.org/show_bug.cgi?id=136429
1502
1503         Reviewed by Csaba Osztrogonác.
1504
1505         Changed test32 to use tst to check if reg is zero, instead of cmp.
1506
1507         * assembler/MacroAssemblerARM.h:
1508         (JSC::MacroAssemblerARM::test32):
1509
1510 2014-09-02  Michael Saboff  <msaboff@apple.com>
1511
1512         Out of bounds write in vmEntryToJavaScript / JSC::JITCode::execute
1513         https://bugs.webkit.org/show_bug.cgi?id=136305
1514
1515         Reviewed by Filip Pizlo.
1516
1517         While preparing the callee's CallFrame, ProtoCallFrame fixes any arity mismatch
1518         and then JITCode::execute() calls the normal entrypoint.  This is incompatible
1519         with the expectation of FTL generated functions.  Changed ProtoCallFrame to not
1520         perform the arity fix, but just flag an arity mismatch.  Now JITCode::execute()
1521         uses that arity mismatch condition to select the normal or arity check
1522         entrypoint.  The entrypoint selection is only done for functions; programs
1523         and eval always have one parameter.
1524
1525         * interpreter/ProtoCallFrame.cpp:
1526         (JSC::ProtoCallFrame::init): Changed to flag arity mismatch instead of fixing it.
1527         * interpreter/ProtoCallFrame.h:
1528         (JSC::ProtoCallFrame::needArityCheck): New boolean to signify what entrypoint
1529         should be called.
1530         * jit/JITCode.cpp:
1531         (JSC::JITCode::execute): Select normal or arity check entrypoint as appropriate.
1532
1533 2014-09-02  peavo@outlook.com  <peavo@outlook.com>
1534
1535         [WinCairo] testapi.exe is not built.
1536         https://bugs.webkit.org/show_bug.cgi?id=136369
1537
1538         Reviewed by Alex Christensen.
1539
1540         The testapi project should be of type Application.
1541
1542         * JavaScriptCore.vcxproj/jsc/jscLauncher.vcxproj: Change project type to Application.
1543         * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncher.vcxproj: Ditto.
1544         * JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props: Compile and link fix.
1545         * JavaScriptCore.vcxproj/testapi/testapiLauncher.vcxproj: Change project type to Application.
1546
1547 2014-09-01  Akos Kiss  <akiss@inf.u-szeged.hu>
1548
1549         [CMAKE] Add missing offlineasm dependencies
1550         https://bugs.webkit.org/show_bug.cgi?id=136437
1551
1552         Reviewed by Csaba Osztrogonác.
1553
1554         Add the ARM64, MIPS and SH4 backends to the dependencies.
1555
1556         * CMakeLists.txt:
1557
1558 2014-09-01  Brian J. Burg  <burg@cs.washington.edu>
1559
1560         Provide column numbers to DTrace willExecute/didExecute probes
1561         https://bugs.webkit.org/show_bug.cgi?id=136434
1562
1563         Reviewed by Antti Koivisto.
1564
1565         Provide the columnNumber and update stubs for !HAVE(DTRACE).
1566
1567         * profiler/ProfileGenerator.cpp:
1568         (JSC::ProfileGenerator::willExecute):
1569         (JSC::ProfileGenerator::didExecute):
1570         * runtime/Tracing.d:
1571         * runtime/Tracing.h:
1572
1573 2014-09-01  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
1574
1575         [CMAKE] Build warning by INTERFACE_LINK_LIBRARIES
1576         https://bugs.webkit.org/show_bug.cgi?id=136194
1577
1578         Reviewed by Csaba Osztrogonác.
1579
1580         Set the LINK_INTERFACE_LIBRARIES target property on the top level CMakeLists.txt.
1581
1582         * CMakeLists.txt:
1583
1584 2014-08-26  Maciej Stachowiak  <mjs@apple.com>
1585
1586         Use RetainPtr::autorelease in some places where it seems appropriate
1587         https://bugs.webkit.org/show_bug.cgi?id=136280
1588
1589         Reviewed by Darin Adler.
1590
1591         * API/JSContext.mm:
1592         (-[JSContext name]): Use RetainPtr::autorelease() in place of ObjC autorelease.
1593         * API/JSValue.mm:
1594         (valueToString): Make appropriate use of RetainPtr
1595
1596 2014-08-29  Akos Kiss  <akiss@inf.u-szeged.hu>
1597
1598         Ensure that the call frame passed from doVMEntry to the called function always contains the valid scope chain.
1599         https://bugs.webkit.org/show_bug.cgi?id=136391
1600
1601         Reviewed by Michael Saboff.
1602
1603         Do not rely on calling conventions to fill in the CallerFrame component
1604         of the ExecState* parameter of the called function.
1605
1606         * llint/LowLevelInterpreter32_64.asm:
1607         * llint/LowLevelInterpreter64.asm:
1608
1609 2014-08-29  Saam Barati  <sbarati@apple.com>
1610
1611         emit op_profile_type for deconstruction assignments
1612         https://bugs.webkit.org/show_bug.cgi?id=136274
1613
1614         Reviewed by Filip Pizlo.
1615
1616         Enable type profiling for ES6 deconstruction expressions.
1617
1618         * bytecompiler/NodesCodegen.cpp:
1619         (JSC::BindingNode::bindValue):
1620
1621 2014-08-29  Joseph Pecoraro  <pecoraro@apple.com>
1622
1623         JavaScriptCore: Use ASCIILiteral where possible
1624         https://bugs.webkit.org/show_bug.cgi?id=136179
1625
1626         Reviewed by Michael Saboff.
1627
1628         General string / character related changes. Use ASCIILiteral where
1629         possible, jsNontrivialString where possible, and replace string
1630         literals with character literals in some places.
1631
1632         No new tests, no changes to functionality.
1633
1634         * bytecode/CodeBlock.cpp:
1635         (JSC::CodeBlock::nameForRegister):
1636         * bytecompiler/NodesCodegen.cpp:
1637         (JSC::PostfixNode::emitBytecode):
1638         (JSC::PrefixNode::emitBytecode):
1639         (JSC::AssignErrorNode::emitBytecode):
1640         (JSC::ForInNode::emitMultiLoopBytecode):
1641         (JSC::ForOfNode::emitBytecode):
1642         (JSC::ObjectPatternNode::toString):
1643         * dfg/DFGFunctionWhitelist.cpp:
1644         (JSC::DFG::FunctionWhitelist::contains):
1645         * dfg/DFGOperations.cpp:
1646         (JSC::DFG::newTypedArrayWithSize):
1647         (JSC::DFG::newTypedArrayWithOneArgument):
1648         * inspector/ConsoleMessage.cpp:
1649         (Inspector::ConsoleMessage::addToFrontend):
1650         * inspector/InspectorBackendDispatcher.cpp:
1651         (Inspector::InspectorBackendDispatcher::dispatch):
1652         * inspector/ScriptCallStackFactory.cpp:
1653         (Inspector::extractSourceInformationFromException):
1654         * inspector/scripts/codegen/generator_templates.py:
1655         * interpreter/StackVisitor.cpp:
1656         (JSC::StackVisitor::Frame::functionName):
1657         (JSC::StackVisitor::Frame::sourceURL):
1658         * jit/JITOperations.cpp:
1659         * jsc.cpp:
1660         (functionDescribeArray):
1661         (functionRun):
1662         (functionLoad):
1663         (functionReadFile):
1664         (functionCheckSyntax):
1665         (functionTransferArrayBuffer):
1666         (runWithScripts):
1667         (runInteractive):
1668         * parser/Lexer.cpp:
1669         (JSC::Lexer<T>::invalidCharacterMessage):
1670         (JSC::Lexer<T>::parseString):
1671         (JSC::Lexer<T>::parseStringSlowCase):
1672         (JSC::Lexer<T>::lex):
1673         * profiler/Profile.cpp:
1674         (JSC::Profile::Profile):
1675         * runtime/Arguments.cpp:
1676         (JSC::argumentsFuncIterator):
1677         * runtime/ArrayPrototype.cpp:
1678         (JSC::performSlowSort):
1679         (JSC::arrayProtoFuncSort):
1680         * runtime/ExceptionHelpers.cpp:
1681         (JSC::createError):
1682         (JSC::createInvalidParameterError):
1683         (JSC::createNotAConstructorError):
1684         (JSC::createNotAFunctionError):
1685         (JSC::createNotAnObjectError):
1686         (JSC::createErrorForInvalidGlobalAssignment):
1687         * runtime/FunctionPrototype.cpp:
1688         (JSC::insertSemicolonIfNeeded):
1689         * runtime/JSArray.cpp:
1690         (JSC::JSArray::defineOwnProperty):
1691         (JSC::JSArray::pop):
1692         (JSC::JSArray::push):
1693         * runtime/JSArrayBufferConstructor.cpp:
1694         (JSC::JSArrayBufferConstructor::finishCreation):
1695         * runtime/JSArrayBufferPrototype.cpp:
1696         (JSC::arrayBufferProtoFuncSlice):
1697         * runtime/JSDataView.cpp:
1698         (JSC::JSDataView::create):
1699         * runtime/JSDataViewPrototype.cpp:
1700         (JSC::getData):
1701         (JSC::setData):
1702         * runtime/JSGlobalObject.cpp:
1703         (JSC::JSGlobalObject::reset):
1704         * runtime/JSGlobalObjectFunctions.cpp:
1705         (JSC::globalFuncProtoSetter):
1706         * runtime/JSPromiseConstructor.cpp:
1707         (JSC::JSPromiseConstructor::finishCreation):
1708         * runtime/LiteralParser.cpp:
1709         (JSC::LiteralParser<CharType>::Lexer::lex):
1710         (JSC::LiteralParser<CharType>::Lexer::lexString):
1711         (JSC::LiteralParser<CharType>::parse):
1712         * runtime/LiteralParser.h:
1713         (JSC::LiteralParser::getErrorMessage):
1714         * runtime/TypeSet.cpp:
1715         (JSC::TypeSet::seenTypes):
1716         (JSC::TypeSet::displayName):
1717         (JSC::TypeSet::allPrimitiveTypeNames):
1718         (JSC::StructureShape::propertyHash):
1719         (JSC::StructureShape::stringRepresentation):
1720
1721 2014-08-29  Csaba Osztrogonác  <ossy@webkit.org>
1722
1723         Unreviewed, remove empty directories.
1724
1725         * qt: Removed.
1726
1727 2014-08-28  Mark Lam  <mark.lam@apple.com>
1728
1729         DebuggerCallFrame::scope() should return a DebuggerScope.
1730         <https://webkit.org/b/134420>
1731
1732         Reviewed by Geoffrey Garen.
1733
1734         Rolling back in r170680 with the fix for <https://webkit.org/b/135656>.
1735
1736         Previously, DebuggerCallFrame::scope() returned a JSActivation (and relevant
1737         peers) which the WebInspector will use to introspect CallFrame variables.
1738         Instead, we should be returning a DebuggerScope as an abstraction layer that
1739         provides the introspection functionality that the WebInspector needs.  This
1740         is the first step towards not forcing every frame to have a JSActivation
1741         object just because the debugger is enabled.
1742
1743         1. Instantiate the debuggerScopeStructure as a member of the JSGlobalObject
1744            instead of the VM.  This allows JSObject::globalObject() to be able to
1745            return the global object for the DebuggerScope.
1746
1747         2. On the DebuggerScope's life-cycle management:
1748
1749            The DebuggerCallFrame is designed to be "valid" only during a debugging session
1750            (while the debugger is broken) through the use of a DebuggerCallFrameScope in
1751            Debugger::pauseIfNeeded().  Once the debugger resumes from the break, the
1752            DebuggerCallFrameScope destructs, and the DebuggerCallFrame will be invalidated.
1753            We can't guarantee (from this code alone) that the Inspector code isn't still
1754            holding a ref to the DebuggerCallFrame (though they shouldn't), but by contract,
1755            the frame will be invalidated, and any attempt to query it will return null values.
1756            This is pre-existing behavior.
1757
1758            Now, we're adding the DebuggerScope into the picture.  While a single debugger
1759            pause session is in progress, the Inspector may request the scope from the
1760            DebuggerCallFrame.  While the DebuggerCallFrame is still valid, we want
1761            DebuggerCallFrame::scope() to always return the same DebuggerScope object.
1762            This is why we hold on to the DebuggerScope with a strong ref.
1763
1764            If we use a weak ref instead, the following kooky behavior can manifest:
1765            1. The Inspector calls Debugger::scope() to get the top scope.
1766            2. The Inspector iterates down the scope chain and is now only holding a
1767               reference to a parent scope.  It is no longer referencing the top scope.
1768            3. A GC occurs, and the DebuggerCallFrame's weak m_scope ref to the top scope
1769               gets cleared.
1770            4. The Inspector calls DebuggerCallFrame::scope() to get the top scope again but gets
1771               a different DebuggerScope instance.
1772            5. The Inspector iterates down the scope chain but never sees the parent scope
1773               instance that it retained a ref to in step 2 above.  This is because when iterating
1774               this new DebuggerScope instance (which has no knowledge of the previous parent
1775               DebuggerScope instance), a new DebuggerScope instance will get created for the
1776               same parent scope. 
1777
1778            Since the DebuggerScope is a JSObject, its liveness is determined by its reachability.
1779            However, its "validity" is determined by the life-cycle of its owner DebuggerCallFrame.
1780            When the owner DebuggerCallFrame gets invalidated, its debugger scope chain (if
1781            instantiated) will also get invalidated.  This is why we need the
1782            DebuggerScope::invalidateChain() method.  The Inspector should not be using the
1783            DebuggerScope instance after its owner DebuggerCallFrame is invalidated.  If it does,
1784            those methods will do nothing or return a failed status.
1785
1786         Fix for <https://webkit.org/b/135656>:
1787         3. DebuggerScope::getOwnPropertySlot() and DebuggerScope::put() need to set
1788            m_thisValue in the returned slot to the wrapped scope object.  Previously,
1789            it was pointing to the DebuggerScope though the rest of the fields in the
1790            returned slot will be set to data pertaining to the wrapped scope object.
1791
1792         4. DebuggerScope::getOwnPropertySlot() will invoke getPropertySlot() on its
1793            wrapped scope.  This is because JSObject::getPropertySlot() cannot be
1794            overridden, and when called on a DebuggerScope, will not know to look in
1795            the prototype chain of the DebuggerScope's wrapped scope.  Hence, we'll
1796            treat all properties in the wrapped scope as own properties in the
1797            DebuggerScope.  This is fine because the WebInspector does not presently
1798            care about where in the prototype chain the scope property comes from.
1799
1800            Note that the DebuggerScope and the JSActivation objects that it wraps do
1801            not have prototypes.  They are always jsNull().  This works perfectly with
1802            the above change to use getPropertySlot() instead of getOwnPropertySlot().
1803            To make this an explicit invariant, I also changed DebuggerScope::createStructure()
1804            and JSActivation::createStructure() to not take a prototype argument, and
1805            to always use jsNull() for their prototype value.
1806
1807         * debugger/Debugger.h:
1808         * debugger/DebuggerCallFrame.cpp:
1809         (JSC::DebuggerCallFrame::scope):
1810         (JSC::DebuggerCallFrame::evaluate):
1811         (JSC::DebuggerCallFrame::invalidate):
1812         * debugger/DebuggerCallFrame.h:
1813         * debugger/DebuggerScope.cpp:
1814         (JSC::DebuggerScope::DebuggerScope):
1815         (JSC::DebuggerScope::finishCreation):
1816         (JSC::DebuggerScope::visitChildren):
1817         (JSC::DebuggerScope::className):
1818         (JSC::DebuggerScope::getOwnPropertySlot):
1819         (JSC::DebuggerScope::put):
1820         (JSC::DebuggerScope::deleteProperty):
1821         (JSC::DebuggerScope::getOwnPropertyNames):
1822         (JSC::DebuggerScope::defineOwnProperty):
1823         (JSC::DebuggerScope::next):
1824         (JSC::DebuggerScope::invalidateChain):
1825         (JSC::DebuggerScope::isWithScope):
1826         (JSC::DebuggerScope::isGlobalScope):
1827         (JSC::DebuggerScope::isFunctionOrEvalScope):
1828         * debugger/DebuggerScope.h:
1829         (JSC::DebuggerScope::create):
1830         (JSC::DebuggerScope::createStructure):
1831         (JSC::DebuggerScope::iterator::iterator):
1832         (JSC::DebuggerScope::iterator::get):
1833         (JSC::DebuggerScope::iterator::operator++):
1834         (JSC::DebuggerScope::iterator::operator==):
1835         (JSC::DebuggerScope::iterator::operator!=):
1836         (JSC::DebuggerScope::isValid):
1837         (JSC::DebuggerScope::jsScope):
1838         (JSC::DebuggerScope::begin):
1839         (JSC::DebuggerScope::end):
1840         * inspector/JSJavaScriptCallFrame.cpp:
1841         (Inspector::JSJavaScriptCallFrame::scopeType):
1842         (Inspector::JSJavaScriptCallFrame::scopeChain):
1843         * inspector/JavaScriptCallFrame.h:
1844         (Inspector::JavaScriptCallFrame::scopeChain):
1845         * inspector/ScriptDebugServer.cpp:
1846         * runtime/JSActivation.h:
1847         (JSC::JSActivation::createStructure):
1848         * runtime/JSGlobalObject.cpp:
1849         (JSC::JSGlobalObject::reset):
1850         (JSC::JSGlobalObject::visitChildren):
1851         * runtime/JSGlobalObject.h:
1852         (JSC::JSGlobalObject::debuggerScopeStructure):
1853         * runtime/JSObject.cpp:
1854         * runtime/JSObject.h:
1855         (JSC::JSObject::isWithScope):
1856         * runtime/JSScope.h:
1857         * runtime/PropertySlot.h:
1858         (JSC::PropertySlot::setThisValue):
1859         * runtime/PutPropertySlot.h:
1860         (JSC::PutPropertySlot::setThisValue):
1861         * runtime/VM.cpp:
1862         (JSC::VM::VM):
1863         * runtime/VM.h:
1864
1865 2014-08-28  Andreas Kling  <akling@apple.com>
1866
1867         Use JSString::toIdentifier() in more places.
1868         <https://webkit.org/b/136348>
1869
1870         Call sites that grab the WTF::String from a JSString using value() can
1871         use the more efficient toIdentifier() if the string is going to be used
1872         to construct an Identifier.
1873
1874         If the JSString is a rope that resolves to something that is already
1875         present in the VM's Identifier table, using toIdentifier() can avoid
1876         allocating a new StringImpl.
1877
1878         Reviewed by Geoffrey Garen.
1879
1880         * jit/JITOperations.cpp:
1881         * llint/LLIntSlowPaths.cpp:
1882         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1883         * runtime/CommonSlowPaths.cpp:
1884         (JSC::SLOW_PATH_DECL):
1885         * runtime/CommonSlowPaths.h:
1886         (JSC::CommonSlowPaths::opIn):
1887         * runtime/JSONObject.cpp:
1888         (JSC::Stringifier::Stringifier):
1889         * runtime/ObjectConstructor.cpp:
1890         (JSC::objectConstructorGetOwnPropertyDescriptor):
1891         (JSC::objectConstructorDefineProperty):
1892         * runtime/ObjectPrototype.cpp:
1893         (JSC::objectProtoFuncPropertyIsEnumerable):
1894
1895 2014-08-27  Filip Pizlo  <fpizlo@apple.com>
1896
1897         DFG should compute immediate dominators using the O(n log n) form of Lengauer and Tarjan's "A Fast Algorithm for Finding Dominators in a Flowgraph"
1898         https://bugs.webkit.org/show_bug.cgi?id=93361
1899
1900         Reviewed by Mark Hahnenberg.
1901         
1902         This patch also adds some new utilities for reasoning about block-keyed maps, block sets,
1903         and block worklists. It changes preexisting code to use these abstractions.
1904         
1905         The main effect of this code is that all current clients of dominators end up using the
1906         results of the new idom calculation. We convert the dom tree to a dominance test using
1907         Dietz's pre/post number range check trick.
1908
1909         * CMakeLists.txt:
1910         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1911         * JavaScriptCore.xcodeproj/project.pbxproj:
1912         * dfg/DFGAnalysis.h:
1913         (JSC::DFG::Analysis::computeIfNecessary):
1914         (JSC::DFG::Analysis::computeDependencies):
1915         * dfg/DFGBlockMap.h: Added.
1916         (JSC::DFG::BlockMap::BlockMap):
1917         (JSC::DFG::BlockMap::size):
1918         (JSC::DFG::BlockMap::atIndex):
1919         (JSC::DFG::BlockMap::operator[]):
1920         * dfg/DFGBlockMapInlines.h: Added.
1921         (JSC::DFG::BlockMap<T>::BlockMap):
1922         * dfg/DFGBlockSet.h: Added.
1923         (JSC::DFG::BlockSet::BlockSet):
1924         (JSC::DFG::BlockSet::add):
1925         (JSC::DFG::BlockSet::contains):
1926         * dfg/DFGBlockWorklist.cpp: Added.
1927         (JSC::DFG::BlockWorklist::BlockWorklist):
1928         (JSC::DFG::BlockWorklist::~BlockWorklist):
1929         (JSC::DFG::BlockWorklist::push):
1930         (JSC::DFG::BlockWorklist::pop):
1931         (JSC::DFG::PostOrderBlockWorklist::PostOrderBlockWorklist):
1932         (JSC::DFG::PostOrderBlockWorklist::~PostOrderBlockWorklist):
1933         (JSC::DFG::PostOrderBlockWorklist::pushPre):
1934         (JSC::DFG::PostOrderBlockWorklist::pushPost):
1935         (JSC::DFG::PostOrderBlockWorklist::pop):
1936         * dfg/DFGBlockWorklist.h: Added.
1937         (JSC::DFG::BlockWorklist::notEmpty):
1938         (JSC::DFG::BlockWith::BlockWith):
1939         (JSC::DFG::BlockWith::operator UnspecifiedBoolType*):
1940         (JSC::DFG::ExtendedBlockWorklist::ExtendedBlockWorklist):
1941         (JSC::DFG::ExtendedBlockWorklist::forcePush):
1942         (JSC::DFG::ExtendedBlockWorklist::push):
1943         (JSC::DFG::ExtendedBlockWorklist::notEmpty):
1944         (JSC::DFG::ExtendedBlockWorklist::pop):
1945         (JSC::DFG::BlockWithOrder::BlockWithOrder):
1946         (JSC::DFG::BlockWithOrder::operator UnspecifiedBoolType*):
1947         (JSC::DFG::PostOrderBlockWorklist::push):
1948         (JSC::DFG::PostOrderBlockWorklist::notEmpty):
1949         * dfg/DFGCSEPhase.cpp:
1950         * dfg/DFGDominators.cpp:
1951         (JSC::DFG::Dominators::compute):
1952         (JSC::DFG::Dominators::naiveDominates):
1953         (JSC::DFG::Dominators::dump):
1954         (JSC::DFG::Dominators::pruneDominators): Deleted.
1955         * dfg/DFGDominators.h:
1956         (JSC::DFG::Dominators::strictlyDominates):
1957         (JSC::DFG::Dominators::dominates):
1958         (JSC::DFG::Dominators::BlockData::BlockData):
1959         * dfg/DFGGraph.cpp:
1960         (JSC::DFG::Graph::dumpBlockHeader):
1961         (JSC::DFG::Graph::getBlocksInPreOrder):
1962         (JSC::DFG::Graph::getBlocksInPostOrder):
1963         * dfg/DFGInvalidationPointInjectionPhase.cpp:
1964         (JSC::DFG::InvalidationPointInjectionPhase::run):
1965         * dfg/DFGNaiveDominators.cpp: Added.
1966         (JSC::DFG::NaiveDominators::NaiveDominators):
1967         (JSC::DFG::NaiveDominators::~NaiveDominators):
1968         (JSC::DFG::NaiveDominators::compute):
1969         (JSC::DFG::NaiveDominators::pruneDominators):
1970         (JSC::DFG::NaiveDominators::dump):
1971         * dfg/DFGNaiveDominators.h: Added.
1972         (JSC::DFG::NaiveDominators::dominates):
1973         * dfg/DFGNaturalLoops.cpp:
1974         (JSC::DFG::NaturalLoops::computeDependencies):
1975         (JSC::DFG::NaturalLoops::compute):
1976         * dfg/DFGNaturalLoops.h:
1977
1978 2014-08-27  Filip Pizlo  <fpizlo@apple.com>
1979
1980         FTL should be able to do polymorphic call inlining
1981         https://bugs.webkit.org/show_bug.cgi?id=135145
1982
1983         Reviewed by Geoffrey Garen.
1984         
1985         Added a log-based high-fidelity call edge profiler that runs in DFG JIT (and optionally
1986         baseline JIT) code. Used it to do precise polymorphic inlining in the FTL. Potential
1987         inlining sites use the call edge profile if it is available, but they will still fall back
1988         on the call inline cache and rare case counts if it's not. Polymorphic inlining means that
1989         multiple possible callees can be inlined with a switch to guard them. The slow path may
1990         either be an OSR exit or a virtual call.
1991         
1992         The call edge profiling added in this patch is very precise - it will tell you about every
1993         call that has ever happened. It took some effort to reduce the overhead of this profiling.
1994         This mostly involved ensuring that we don't do it unnecessarily. For example, we avoid it
1995         in the baseline JIT (you can conditionally enable it but it's off by default) and we only do
1996         it in the DFG JIT if we know that the regular inline cache profiling wasn't precise enough.
1997         I also experimented with reducing the precision of the profiling. This led to a significant
1998         reduction in the speed-up, so I avoided this approach. I also explored making log processing
1999         concurrent, but that didn't help. Also, I tested the overhead of the log processing and
2000         found that most of the overhead of this profiling is actually in putting things into the log
2001         rather than in processing the log - that part appears to be surprisingly cheap.
2002         
2003         Polymorphic inlining could be enabled in the DFG if we enabled baseline call edge profiling,
2004         and if we guarded such inlining sites with some profiling mechanism to detect
2005         polyvariant monomorphisation opportunities (where the callsite being inlined reveals that
2006         it's actually monomorphic).
2007         
2008         This is a ~28% speed-up on deltablue and a ~7% speed-up on richards, with small speed-ups on
2009         other programs as well. It's about a 2% speed-up on Octane version 2, and never a regression
2010         on anything we care about. Some aggregates, like V8Spider, see a regression. This is
2011         highlighting the increase in profiling overhead. But since this doesn't show up on any major
2012         score (code-load or SunSpider), it's probably not relevant.
2013         
2014         Relanding after fixing debug assertions in fast/storage/serialized-script-value.html.
2015
2016         * CMakeLists.txt:
2017         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2018         * JavaScriptCore.xcodeproj/project.pbxproj:
2019         * bytecode/CallEdge.cpp: Added.
2020         (JSC::CallEdge::dump):
2021         * bytecode/CallEdge.h: Added.
2022         (JSC::CallEdge::operator!):
2023         (JSC::CallEdge::callee):
2024         (JSC::CallEdge::count):
2025         (JSC::CallEdge::despecifiedClosure):
2026         (JSC::CallEdge::CallEdge):
2027         * bytecode/CallEdgeProfile.cpp: Added.
2028         (JSC::CallEdgeProfile::callEdges):
2029         (JSC::CallEdgeProfile::numCallsToKnownCells):
2030         (JSC::worthDespecifying):
2031         (JSC::CallEdgeProfile::worthDespecifying):
2032         (JSC::CallEdgeProfile::visitWeak):
2033         (JSC::CallEdgeProfile::addSlow):
2034         (JSC::CallEdgeProfile::mergeBack):
2035         (JSC::CallEdgeProfile::fadeByHalf):
2036         (JSC::CallEdgeLog::CallEdgeLog):
2037         (JSC::CallEdgeLog::~CallEdgeLog):
2038         (JSC::CallEdgeLog::isEnabled):
2039         (JSC::operationProcessCallEdgeLog):
2040         (JSC::CallEdgeLog::emitLogCode):
2041         (JSC::CallEdgeLog::processLog):
2042         * bytecode/CallEdgeProfile.h: Added.
2043         (JSC::CallEdgeProfile::numCallsToNotCell):
2044         (JSC::CallEdgeProfile::numCallsToUnknownCell):
2045         (JSC::CallEdgeProfile::totalCalls):
2046         * bytecode/CallEdgeProfileInlines.h: Added.
2047         (JSC::CallEdgeProfile::CallEdgeProfile):
2048         (JSC::CallEdgeProfile::add):
2049         * bytecode/CallLinkInfo.cpp:
2050         (JSC::CallLinkInfo::visitWeak):
2051         * bytecode/CallLinkInfo.h:
2052         * bytecode/CallLinkStatus.cpp:
2053         (JSC::CallLinkStatus::CallLinkStatus):
2054         (JSC::CallLinkStatus::computeFromLLInt):
2055         (JSC::CallLinkStatus::computeFor):
2056         (JSC::CallLinkStatus::computeExitSiteData):
2057         (JSC::CallLinkStatus::computeFromCallLinkInfo):
2058         (JSC::CallLinkStatus::computeFromCallEdgeProfile):
2059         (JSC::CallLinkStatus::computeDFGStatuses):
2060         (JSC::CallLinkStatus::isClosureCall):
2061         (JSC::CallLinkStatus::makeClosureCall):
2062         (JSC::CallLinkStatus::dump):
2063         (JSC::CallLinkStatus::function): Deleted.
2064         (JSC::CallLinkStatus::internalFunction): Deleted.
2065         (JSC::CallLinkStatus::intrinsicFor): Deleted.
2066         * bytecode/CallLinkStatus.h:
2067         (JSC::CallLinkStatus::CallLinkStatus):
2068         (JSC::CallLinkStatus::isSet):
2069         (JSC::CallLinkStatus::couldTakeSlowPath):
2070         (JSC::CallLinkStatus::edges):
2071         (JSC::CallLinkStatus::size):
2072         (JSC::CallLinkStatus::at):
2073         (JSC::CallLinkStatus::operator[]):
2074         (JSC::CallLinkStatus::canOptimize):
2075         (JSC::CallLinkStatus::canTrustCounts):
2076         (JSC::CallLinkStatus::isClosureCall): Deleted.
2077         (JSC::CallLinkStatus::callTarget): Deleted.
2078         (JSC::CallLinkStatus::executable): Deleted.
2079         (JSC::CallLinkStatus::makeClosureCall): Deleted.
2080         * bytecode/CallVariant.cpp: Added.
2081         (JSC::CallVariant::dump):
2082         * bytecode/CallVariant.h: Added.
2083         (JSC::CallVariant::CallVariant):
2084         (JSC::CallVariant::operator!):
2085         (JSC::CallVariant::despecifiedClosure):
2086         (JSC::CallVariant::rawCalleeCell):
2087         (JSC::CallVariant::internalFunction):
2088         (JSC::CallVariant::function):
2089         (JSC::CallVariant::isClosureCall):
2090         (JSC::CallVariant::executable):
2091         (JSC::CallVariant::nonExecutableCallee):
2092         (JSC::CallVariant::intrinsicFor):
2093         (JSC::CallVariant::functionExecutable):
2094         (JSC::CallVariant::isHashTableDeletedValue):
2095         (JSC::CallVariant::operator==):
2096         (JSC::CallVariant::operator!=):
2097         (JSC::CallVariant::operator<):
2098         (JSC::CallVariant::operator>):
2099         (JSC::CallVariant::operator<=):
2100         (JSC::CallVariant::operator>=):
2101         (JSC::CallVariant::hash):
2102         (JSC::CallVariant::deletedToken):
2103         (JSC::CallVariantHash::hash):
2104         (JSC::CallVariantHash::equal):
2105         * bytecode/CodeOrigin.h:
2106         (JSC::InlineCallFrame::isNormalCall):
2107         * bytecode/ExitKind.cpp:
2108         (JSC::exitKindToString):
2109         * bytecode/ExitKind.h:
2110         * bytecode/GetByIdStatus.cpp:
2111         (JSC::GetByIdStatus::computeForStubInfo):
2112         * bytecode/PutByIdStatus.cpp:
2113         (JSC::PutByIdStatus::computeForStubInfo):
2114         * dfg/DFGAbstractInterpreterInlines.h:
2115         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2116         * dfg/DFGBackwardsPropagationPhase.cpp:
2117         (JSC::DFG::BackwardsPropagationPhase::propagate):
2118         * dfg/DFGBasicBlock.cpp:
2119         (JSC::DFG::BasicBlock::~BasicBlock):
2120         * dfg/DFGBasicBlock.h:
2121         (JSC::DFG::BasicBlock::takeLast):
2122         (JSC::DFG::BasicBlock::didLink):
2123         * dfg/DFGByteCodeParser.cpp:
2124         (JSC::DFG::ByteCodeParser::processSetLocalQueue):
2125         (JSC::DFG::ByteCodeParser::removeLastNodeFromGraph):
2126         (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
2127         (JSC::DFG::ByteCodeParser::addCall):
2128         (JSC::DFG::ByteCodeParser::handleCall):
2129         (JSC::DFG::ByteCodeParser::emitFunctionChecks):
2130         (JSC::DFG::ByteCodeParser::undoFunctionChecks):
2131         (JSC::DFG::ByteCodeParser::inliningCost):
2132         (JSC::DFG::ByteCodeParser::inlineCall):
2133         (JSC::DFG::ByteCodeParser::cancelLinkingForBlock):
2134         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
2135         (JSC::DFG::ByteCodeParser::handleInlining):
2136         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2137         (JSC::DFG::ByteCodeParser::prepareToParseBlock):
2138         (JSC::DFG::ByteCodeParser::clearCaches):
2139         (JSC::DFG::ByteCodeParser::parseBlock):
2140         (JSC::DFG::ByteCodeParser::linkBlock):
2141         (JSC::DFG::ByteCodeParser::linkBlocks):
2142         (JSC::DFG::ByteCodeParser::parseCodeBlock):
2143         * dfg/DFGCPSRethreadingPhase.cpp:
2144         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
2145         * dfg/DFGClobberize.h:
2146         (JSC::DFG::clobberize):
2147         * dfg/DFGCommon.h:
2148         * dfg/DFGConstantFoldingPhase.cpp:
2149         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2150         * dfg/DFGDoesGC.cpp:
2151         (JSC::DFG::doesGC):
2152         * dfg/DFGDriver.cpp:
2153         (JSC::DFG::compileImpl):
2154         * dfg/DFGFixupPhase.cpp:
2155         (JSC::DFG::FixupPhase::fixupNode):
2156         * dfg/DFGGraph.cpp:
2157         (JSC::DFG::Graph::dump):
2158         (JSC::DFG::Graph::getBlocksInPreOrder):
2159         (JSC::DFG::Graph::visitChildren):
2160         * dfg/DFGJITCompiler.cpp:
2161         (JSC::DFG::JITCompiler::link):
2162         * dfg/DFGLazyJSValue.cpp:
2163         (JSC::DFG::LazyJSValue::switchLookupValue):
2164         * dfg/DFGLazyJSValue.h:
2165         (JSC::DFG::LazyJSValue::switchLookupValue): Deleted.
2166         * dfg/DFGNode.cpp:
2167         (WTF::printInternal):
2168         * dfg/DFGNode.h:
2169         (JSC::DFG::OpInfo::OpInfo):
2170         (JSC::DFG::Node::hasHeapPrediction):
2171         (JSC::DFG::Node::hasCellOperand):
2172         (JSC::DFG::Node::cellOperand):
2173         (JSC::DFG::Node::setCellOperand):
2174         (JSC::DFG::Node::canBeKnownFunction): Deleted.
2175         (JSC::DFG::Node::hasKnownFunction): Deleted.
2176         (JSC::DFG::Node::knownFunction): Deleted.
2177         (JSC::DFG::Node::giveKnownFunction): Deleted.
2178         (JSC::DFG::Node::hasFunction): Deleted.
2179         (JSC::DFG::Node::function): Deleted.
2180         (JSC::DFG::Node::hasExecutable): Deleted.
2181         (JSC::DFG::Node::executable): Deleted.
2182         * dfg/DFGNodeType.h:
2183         * dfg/DFGPhantomCanonicalizationPhase.cpp:
2184         (JSC::DFG::PhantomCanonicalizationPhase::run):
2185         * dfg/DFGPhantomRemovalPhase.cpp:
2186         (JSC::DFG::PhantomRemovalPhase::run):
2187         * dfg/DFGPredictionPropagationPhase.cpp:
2188         (JSC::DFG::PredictionPropagationPhase::propagate):
2189         * dfg/DFGSafeToExecute.h:
2190         (JSC::DFG::safeToExecute):
2191         * dfg/DFGSpeculativeJIT.cpp:
2192         (JSC::DFG::SpeculativeJIT::emitSwitch):
2193         * dfg/DFGSpeculativeJIT32_64.cpp:
2194         (JSC::DFG::SpeculativeJIT::emitCall):
2195         (JSC::DFG::SpeculativeJIT::compile):
2196         * dfg/DFGSpeculativeJIT64.cpp:
2197         (JSC::DFG::SpeculativeJIT::emitCall):
2198         (JSC::DFG::SpeculativeJIT::compile):
2199         * dfg/DFGStructureRegistrationPhase.cpp:
2200         (JSC::DFG::StructureRegistrationPhase::run):
2201         * dfg/DFGTierUpCheckInjectionPhase.cpp:
2202         (JSC::DFG::TierUpCheckInjectionPhase::run):
2203         (JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling):
2204         * dfg/DFGValidate.cpp:
2205         (JSC::DFG::Validate::validate):
2206         * dfg/DFGWatchpointCollectionPhase.cpp:
2207         (JSC::DFG::WatchpointCollectionPhase::handle):
2208         * ftl/FTLCapabilities.cpp:
2209         (JSC::FTL::canCompile):
2210         * ftl/FTLLowerDFGToLLVM.cpp:
2211         (JSC::FTL::ftlUnreachable):
2212         (JSC::FTL::LowerDFGToLLVM::lower):
2213         (JSC::FTL::LowerDFGToLLVM::compileNode):
2214         (JSC::FTL::LowerDFGToLLVM::compileCheckCell):
2215         (JSC::FTL::LowerDFGToLLVM::compileCheckBadCell):
2216         (JSC::FTL::LowerDFGToLLVM::compileGetExecutable):
2217         (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
2218         (JSC::FTL::LowerDFGToLLVM::compileSwitch):
2219         (JSC::FTL::LowerDFGToLLVM::buildSwitch):
2220         (JSC::FTL::LowerDFGToLLVM::compileCheckFunction): Deleted.
2221         (JSC::FTL::LowerDFGToLLVM::compileCheckExecutable): Deleted.
2222         * heap/Heap.cpp:
2223         (JSC::Heap::collect):
2224         * jit/AssemblyHelpers.h:
2225         (JSC::AssemblyHelpers::storeValue):
2226         (JSC::AssemblyHelpers::loadValue):
2227         * jit/CCallHelpers.h:
2228         (JSC::CCallHelpers::setupArguments):
2229         * jit/GPRInfo.h:
2230         (JSC::JSValueRegs::uses):
2231         * jit/JITCall.cpp:
2232         (JSC::JIT::compileOpCall):
2233         * jit/JITCall32_64.cpp:
2234         (JSC::JIT::compileOpCall):
2235         * runtime/Options.h:
2236         * runtime/VM.cpp:
2237         (JSC::VM::ensureCallEdgeLog):
2238         * runtime/VM.h:
2239         * tests/stress/fold-profiled-call-to-call.js: Added. This test pinpoints the problem we saw in fast/storage/serialized-script-value.html.
2240         * tests/stress/new-array-then-exit.js: Added.
2241         * tests/stress/poly-call-exit-this.js: Added.
2242         * tests/stress/poly-call-exit.js: Added.
2243
2244 2014-08-28  Julien Brianceau   <jbriance@cisco.com>
2245
2246         Correct GC length unit and prevent division by 0 in showObjectStatistics.
2247         https://bugs.webkit.org/show_bug.cgi?id=136340
2248
2249         Reviewed by Mark Hahnenberg.
2250
2251         * heap/HeapStatistics.cpp:
2252         (JSC::HeapStatistics::showObjectStatistics):
2253
2254 2014-08-27  Akos Kiss  <akiss@inf.u-szeged.hu>
2255
2256         Ensure that the call frame passed from JIT code via JSC::operationCallEval to JSC::eval always contains the valid scope chain.
2257         https://bugs.webkit.org/show_bug.cgi?id=136313
2258
2259         Reviewed by Michael Saboff.
2260
2261         Do not rely on calling conventions to fill in the CallerFrame component
2262         of the execCallee parameter of JSC::operationCallEval.
2263
2264         * jit/JITOperations.cpp:
2265
2266 2014-08-27  Saam Barati  <sbarati@apple.com>
2267
2268         Deconstruction object pattern node emits the wrong start/end text positions
2269         https://bugs.webkit.org/show_bug.cgi?id=136304
2270
2271         Reviewed by Geoffrey Garen.
2272
2273         Object pattern nodes that used the syntactic sugar binding: 
2274         'var {foo} = {foo:20}' instead of 'var {foo:foo} = {foo:20}' 
2275         would get the wrong text position for variable 'foo'. The position 
2276         would be placed on the comma(s)/closing brace instead of the identifier. 
2277         This patch fixes this bug by caching the identifier's JSToken before 
2278         trying to parse an optional colon.
2279
2280         * parser/Parser.cpp:
2281         (JSC::Parser<LexerType>::parseVarDeclarationList):
2282         (JSC::Parser<LexerType>::createBindingPattern):
2283         (JSC::Parser<LexerType>::parseDeconstructionPattern):
2284         * parser/Parser.h:
2285
2286 2014-08-27  Brent Fulgham  <bfulgham@apple.com>
2287
2288         [Win] Build fix after last commit.
2289
2290         Check in new DLLLauncherMain.cpp file.
2291
2292         * JavaScriptCore.vcxproj/jsc/DLLLauncherMain.cpp: Added.
2293         (enableTerminationOnHeapCorruption):
2294         (getStringValue):
2295         (applePathFromRegistry):
2296         (appleApplicationSupportDirectory):
2297         (copyEnvironmentVariable):
2298         (prependPath):
2299         (fatalError):
2300         (directoryExists):
2301         (modifyPath):
2302         (getLastErrorString):
2303         (wWinMain):
2304
2305 2014-08-27  Brent Fulgham  <bfulgham@apple.com>
2306
2307         [Win] testapi and testRegExp need to find support libraries.
2308         https://bugs.webkit.org/show_bug.cgi?id=136008.
2309
2310         Reviewed by Dean Jackson.
2311
2312         Revise the Windows build of jsc, testapi, and testRegExp so that they
2313         find and use the proper runtime support libraries.
2314
2315         These locations vary between the Apple Windows build and WinCairo, and
2316         are generally not in the system PATH environment setting. Consequently,
2317         these applications fail on launch unless the user modifies their
2318         PATH.
2319
2320         This patch revises these tools to work like WinLauncher and DumpRenderTree
2321         so that they run reliably.
2322
2323         * API/tests/testapi.c:
2324         (dllLauncherEntryPoint): Added.
2325         * JavaScriptCore.vcxproj/JavaScriptCore.sln: Add new build projects and
2326           provide proper dependencies with existing projects.
2327         * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: Ditto.
2328         * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: Switch to build
2329           a DLL, rather than an executable.
2330         * JavaScriptCore.vcxproj/jsc/jscCommon.props: Add shlwapi.lib
2331           to the list of libraries needed at link-time, and to use
2332           the DLL/Console combination entry point.
2333         * JavaScriptCore.vcxproj/jsc/jscLauncher.vcxproj: Added.
2334         * JavaScriptCore.vcxproj/jsc/jscLauncherPostBuild.cmd: Copied from JavaScriptCore.vcxproj/jsc/jscPostBuild.cmd.
2335         * JavaScriptCore.vcxproj/jsc/jscLauncherPreBuild.cmd: Copied from JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd.
2336         * JavaScriptCore.vcxproj/jsc/jscLauncherPreLink.cmd: Copied from JavaScriptCore.vcxproj/jsc/jscPreLink.cmd.
2337         * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: Switch to build
2338           a DLL, rather than an executable.
2339         * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props: Add shlwapi.lib
2340           to the list of libraries needed at link-time, and to use
2341           the DLL/Console combination entry point.
2342         * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncher.vcxproj: Added.
2343         * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncherPostBuild.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPostBuild.cmd.
2344         * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncherPreBuild.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd.
2345         * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncherPreLink.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPreLink.cmd.
2346         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: Switch to build
2347           a DLL, rather than an executable.
2348         * JavaScriptCore.vcxproj/testapi/testapiLauncher.vcxproj: Added.
2349         * JavaScriptCore.vcxproj/testapi/testapiCommon.props: Add shlwapi.lib
2350           to the list of libraries needed at link-time, and to use
2351           the DLL/Console combination entry point.
2352         * JavaScriptCore.vcxproj/testapi/testapiLauncherPostBuild.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPostBuild.cmd.
2353         * JavaScriptCore.vcxproj/testapi/testapiLauncherPreBuild.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd.
2354         * JavaScriptCore.vcxproj/testapi/testapiLauncherPreLink.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPreLink.cmd.
2355         * jsc.cpp:
2356         (dllLauncherEntryPoint): Added.
2357         * testRegExp.cpp:
2358         (dllLauncherEntryPoint): Added.
2359
2360 2014-08-27  Julien Brianceau   <jbriance@cisco.com>
2361
2362         Take advantage of 3-parameter or32() calls
2363         https://bugs.webkit.org/show_bug.cgi?id=136287
2364
2365         Reviewed by Michael Saboff.
2366
2367         For specific architectures (arm and mips for instance), or32() calls
2368         with 3 parameters are likely to produce a single instruction.
2369
2370         * dfg/DFGSpeculativeJIT32_64.cpp:
2371         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
2372         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
2373         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
2374         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
2375         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
2376         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
2377         (JSC::DFG::SpeculativeJIT::branchIsOther):
2378         (JSC::DFG::SpeculativeJIT::branchNotOther):
2379
2380 2014-08-26  Brian J. Burg  <burg@cs.washington.edu>
2381
2382         Web Inspector: put feature flags for Inspector domains in the protocol specification
2383         https://bugs.webkit.org/show_bug.cgi?id=136027
2384
2385         Reviewed by Timothy Hatcher.
2386
2387         Remove the hardcoded map of domains to feature guards, and instead parse it from the specification.
2388
2389         Test: inspector/scripts/tests/generate-domains-with-feature-guards.json
2390
2391         * inspector/scripts/codegen/generator.py:
2392         (Generator.wrap_with_guard_for_domain):
2393         * inspector/scripts/codegen/models.py:
2394         (Protocol.parse_domain):
2395         (Domain.__init__):
2396         (Domains):
2397         * inspector/scripts/tests/generate-domains-with-feature-guards.json: Added.
2398         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2399         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2400         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2401         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2402         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2403
2404 2014-08-26  Andy Estes  <aestes@apple.com>
2405
2406         [Cocoa] Some projects are incorrectly installed to $BUILT_PRODUCTS_DIR
2407         https://bugs.webkit.org/show_bug.cgi?id=136267
2408
2409         Reviewed by Dan Bernstein.
2410
2411         INSTALL_PATH was set to $BUILT_PRODUCTS_DIR for engineering configurations in r20225 as part of a build fix.
2412         Not only is this no longer necessary to build, but it causes built products to be incorrectly installed in
2413         engineering configurations.
2414
2415         Remove the setting of INSTALL_PATH from the pbxproj file so that the value specified in the xcconfig files is
2416         used instead.
2417
2418         * JavaScriptCore.xcodeproj/project.pbxproj:
2419
2420 2014-08-26  Michael Saboff  <msaboff@apple.com>
2421
2422         [Win] 64-bit JavaScriptCore crashes on launch
2423         https://bugs.webkit.org/show_bug.cgi?id=136241
2424
2425         Reviewed by Mark Lam.
2426
2427         * llint/LowLevelInterpreter.asm:
2428         (vmEntryRecord): X86_64_WIN doesn't use "a0" (rax) for the first argument; it uses
2429         "t2" (rcx).  Changed to get the input parameter using the correct register.
2430
2431 2014-08-26  Saam Barati  <sbarati@apple.com>
2432
2433         TypeSet caches structureIDs even after the corresponding Structure could be GCed
2434         https://bugs.webkit.org/show_bug.cgi?id=136178
2435
2436         Reviewed by Geoffrey Garen.
2437
2438         Currently, TypeSet will never remove StructureIDs from its cache,
2439         even after the corresponding Structures could be garbage collected.
2440         Now, when the Garbage Collector collects, and type profiling is 
2441         enabled, the Garbage Collector will invalidate all TypeSet caches.
2442
2443         * heap/Heap.cpp:
2444         (JSC::Heap::collect):
2445         * runtime/TypeSet.cpp:
2446         (JSC::TypeSet::addTypeInformation):
2447         (JSC::TypeSet::invalidateCache):
2448         * runtime/TypeSet.h:
2449         * runtime/VM.cpp:
2450         (JSC::VM::invalidateTypeSetCache):
2451         * runtime/VM.h:
2452
2453 2014-08-26  Michael Saboff  <msaboff@apple.com>
2454
2455         REGRESSION(r172794) + 32Bit build: for-in-base-reassigned-later-and-change-structure.js fail with NaN result
2456         https://bugs.webkit.org/show_bug.cgi?id=136187
2457
2458         Reviewed by Mark Hahnenberg.
2459
2460         Added two arg version for 32 bit builds of callOperation(J_JITOperation_ECJ, ...) that
2461         doesn't require a tag for the second argument; instead it fills in a CellTag.  This is
2462         used for the slow case of the GetDirectPname case in SpeculativeJIT::compile since we
2463         haven't set up a register with a tag and we know that argument 2 is a cell.
2464
2465         * dfg/DFGSpeculativeJIT.h:
2466         (JSC::DFG::SpeculativeJIT::callOperation): New version with implicit CellTag.
2467         * dfg/DFGSpeculativeJIT32_64.cpp:
2468         (JSC::DFG::SpeculativeJIT::compile): Eliminated extraneous filling of the scratchGPR
2469         with CellTag as it wasn't in the control flow for the slow path that needed the tag.
2470         Instead changed to calling new version of callOperation with an implicit CellTag.
2471
2472 2014-08-26  Commit Queue  <commit-queue@webkit.org>
2473
2474         Unreviewed, rolling out r172940.
2475         https://bugs.webkit.org/show_bug.cgi?id=136256
2476
2477         Caused assertions on fast/storage/serialized-script-
2478         value.html, and possibly flakiness on more tests (Requested by
2479         ap on #webkit).
2480
2481         Reverted changeset:
2482
2483         "FTL should be able to do polymorphic call inlining"
2484         https://bugs.webkit.org/show_bug.cgi?id=135145
2485         http://trac.webkit.org/changeset/172940
2486
2487 2014-08-26  Michael Saboff  <msaboff@apple.com>
2488
2489         REGRESSION(r172794) + 32Bit build: ASSERT failures in for-in-tests.js tests.
2490         https://bugs.webkit.org/show_bug.cgi?id=136165
2491
2492         Reviewed by Mark Hahnenberg.
2493
2494         Changed switch case GetDirectPname: to always use the slow path for X86 since it only has
2495         6 registers available, but the code requires 7.
2496
2497         * dfg/DFGSpeculativeJIT32_64.cpp:
2498         (JSC::DFG::SpeculativeJIT::compile):
2499
2500 2014-08-25  Saam Barati  <sbarati@apple.com>
2501
2502         TypeProfiler search breaks on return statements
2503         https://bugs.webkit.org/show_bug.cgi?id=136201
2504
2505         Reviewed by Filip Pizlo.
2506
2507         Searching for return statements in the TypeProfiler currently 
2508         breaks down because it expects to see the search descriptor
2509         TypeProfilerSearchDescriptorFunctionReturn when looking for 
2510         return statements in the actual source code of the program. 
2511         But, TypeProfilerSearchDescriptorFunctionReturn search descriptor 
2512         is reserved for looking for return statements that aren't in the 
2513         actual source code of the program, but when asking for the 
2514         aggregate return type of a function. Now, searching for 
2515         return statements in the actual source code of the program will 
2516         work when passing in the search descriptor TypeProfilerSearchDescriptorNormal.  
2517
2518         * bytecode/CodeBlock.cpp:
2519         (JSC::CodeBlock::CodeBlock):
2520         * runtime/TypeProfiler.cpp:
2521         (JSC::TypeProfiler::findLocation):
2522         (JSC::descriptorMatchesTypeLocation): Deleted.
2523
2524 2014-08-25  Saam Barati  <sbarati@apple.com>
2525
2526         Return statement TypeSet's might be duplicated
2527         https://bugs.webkit.org/show_bug.cgi?id=136200
2528
2529         Reviewed by Filip Pizlo.
2530
2531         Currently, the globalTypeSet that converges the types of all 
2532         return statements in a function lives off of CodeBlock. It lives 
2533         off CodeBlock because of a faulty assumption that CodeBlock 
2534         will have a one to one mapping with a function in the source 
2535         text of the program. (Currently, there isn't an actual bug 
2536         with this design because TypeLocationCache will hash cons to 
2537         the same TypeLocation, but this is still an incorrect design). 
2538         In this patch, the globalTypeSet for function return statements  
2539         is moved to the FunctionExecutable object which does have a one 
2540         to one mapping with functions in the source text of a program.
2541
2542         * bytecode/CodeBlock.cpp:
2543         (JSC::CodeBlock::CodeBlock):
2544         * bytecode/CodeBlock.h:
2545         (JSC::CodeBlock::returnStatementTypeSet): Deleted.
2546         * runtime/Executable.h:
2547         (JSC::FunctionExecutable::returnStatementTypeSet):
2548
2549 2014-08-24  Filip Pizlo  <fpizlo@apple.com>
2550
2551         FTL should be able to do polymorphic call inlining
2552         https://bugs.webkit.org/show_bug.cgi?id=135145
2553
2554         Reviewed by Geoffrey Garen.
2555         
2556         Added a log-based high-fidelity call edge profiler that runs in DFG JIT (and optionally
2557         baseline JIT) code. Used it to do precise polymorphic inlining in the FTL. Potential
2558         inlining sites use the call edge profile if it is available, but they will still fall back
2559         on the call inline cache and rare case counts if it's not. Polymorphic inlining means that
2560         multiple possible callees can be inlined with a switch to guard them. The slow path may
2561         either be an OSR exit or a virtual call.
2562         
2563         The call edge profiling added in this patch is very precise - it will tell you about every
2564         call that has ever happened. It took some effort to reduce the overhead of this profiling.
2565         This mostly involved ensuring that we don't do it unnecessarily. For example, we avoid it
2566         in the baseline JIT (you can conditionally enable it but it's off by default) and we only do
2567         it in the DFG JIT if we know that the regular inline cache profiling wasn't precise enough.
2568         I also experimented with reducing the precision of the profiling. This led to a significant
2569         reduction in the speed-up, so I avoided this approach. I also explored making log processing
2570         concurrent, but that didn't help. Also, I tested the overhead of the log processing and
2571         found that most of the overhead of this profiling is actually in putting things into the log
2572         rather than in processing the log - that part appears to be surprisingly cheap.
2573         
2574         Polymorphic inlining could be enabled in the DFG if we enabled baseline call edge profiling,
2575         and if we guarded such inlining sites with some profiling mechanism to detect
2576         polyvariant monomorphisation opportunities (where the callsite being inlined reveals that
2577         it's actually monomorphic).
2578         
2579         This is a ~28% speed-up on deltablue and a ~7% speed-up on richards, with small speed-ups on
2580         other programs as well. It's about a 2% speed-up on Octane version 2, and never a regression
2581         on anything we care about. Some aggregates, like V8Spider, see a regression. This is
2582         highlighting the increase in profiling overhead. But since this doesn't show up on any major
2583         score (code-load or SunSpider), it's probably not relevant.
2584         
2585         * CMakeLists.txt:
2586         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2587         * JavaScriptCore.xcodeproj/project.pbxproj:
2588         * bytecode/CallEdge.cpp: Added.
2589         (JSC::CallEdge::dump):
2590         * bytecode/CallEdge.h: Added.
2591         (JSC::CallEdge::operator!):
2592         (JSC::CallEdge::callee):
2593         (JSC::CallEdge::count):
2594         (JSC::CallEdge::despecifiedClosure):
2595         (JSC::CallEdge::CallEdge):
2596         * bytecode/CallEdgeProfile.cpp: Added.
2597         (JSC::CallEdgeProfile::callEdges):
2598         (JSC::CallEdgeProfile::numCallsToKnownCells):
2599         (JSC::worthDespecifying):
2600         (JSC::CallEdgeProfile::worthDespecifying):
2601         (JSC::CallEdgeProfile::visitWeak):
2602         (JSC::CallEdgeProfile::addSlow):
2603         (JSC::CallEdgeProfile::mergeBack):
2604         (JSC::CallEdgeProfile::fadeByHalf):
2605         (JSC::CallEdgeLog::CallEdgeLog):
2606         (JSC::CallEdgeLog::~CallEdgeLog):
2607         (JSC::CallEdgeLog::isEnabled):
2608         (JSC::operationProcessCallEdgeLog):
2609         (JSC::CallEdgeLog::emitLogCode):
2610         (JSC::CallEdgeLog::processLog):
2611         * bytecode/CallEdgeProfile.h: Added.
2612         (JSC::CallEdgeProfile::numCallsToNotCell):
2613         (JSC::CallEdgeProfile::numCallsToUnknownCell):
2614         (JSC::CallEdgeProfile::totalCalls):
2615         * bytecode/CallEdgeProfileInlines.h: Added.
2616         (JSC::CallEdgeProfile::CallEdgeProfile):
2617         (JSC::CallEdgeProfile::add):
2618         * bytecode/CallLinkInfo.cpp:
2619         (JSC::CallLinkInfo::visitWeak):
2620         * bytecode/CallLinkInfo.h:
2621         * bytecode/CallLinkStatus.cpp:
2622         (JSC::CallLinkStatus::CallLinkStatus):
2623         (JSC::CallLinkStatus::computeFromLLInt):
2624         (JSC::CallLinkStatus::computeFor):
2625         (JSC::CallLinkStatus::computeExitSiteData):
2626         (JSC::CallLinkStatus::computeFromCallLinkInfo):
2627         (JSC::CallLinkStatus::computeFromCallEdgeProfile):
2628         (JSC::CallLinkStatus::computeDFGStatuses):
2629         (JSC::CallLinkStatus::isClosureCall):
2630         (JSC::CallLinkStatus::makeClosureCall):
2631         (JSC::CallLinkStatus::dump):
2632         (JSC::CallLinkStatus::function): Deleted.
2633         (JSC::CallLinkStatus::internalFunction): Deleted.
2634         (JSC::CallLinkStatus::intrinsicFor): Deleted.
2635         * bytecode/CallLinkStatus.h:
2636         (JSC::CallLinkStatus::CallLinkStatus):
2637         (JSC::CallLinkStatus::isSet):
2638         (JSC::CallLinkStatus::couldTakeSlowPath):
2639         (JSC::CallLinkStatus::edges):
2640         (JSC::CallLinkStatus::size):
2641         (JSC::CallLinkStatus::at):
2642         (JSC::CallLinkStatus::operator[]):
2643         (JSC::CallLinkStatus::canOptimize):
2644         (JSC::CallLinkStatus::canTrustCounts):
2645         (JSC::CallLinkStatus::isClosureCall): Deleted.
2646         (JSC::CallLinkStatus::callTarget): Deleted.
2647         (JSC::CallLinkStatus::executable): Deleted.
2648         (JSC::CallLinkStatus::makeClosureCall): Deleted.
2649         * bytecode/CallVariant.cpp: Added.
2650         (JSC::CallVariant::dump):
2651         * bytecode/CallVariant.h: Added.
2652         (JSC::CallVariant::CallVariant):
2653         (JSC::CallVariant::operator!):
2654         (JSC::CallVariant::despecifiedClosure):
2655         (JSC::CallVariant::rawCalleeCell):
2656         (JSC::CallVariant::internalFunction):
2657         (JSC::CallVariant::function):
2658         (JSC::CallVariant::isClosureCall):
2659         (JSC::CallVariant::executable):
2660         (JSC::CallVariant::nonExecutableCallee):
2661         (JSC::CallVariant::intrinsicFor):
2662         (JSC::CallVariant::functionExecutable):
2663         (JSC::CallVariant::isHashTableDeletedValue):
2664         (JSC::CallVariant::operator==):
2665         (JSC::CallVariant::operator!=):
2666         (JSC::CallVariant::operator<):
2667         (JSC::CallVariant::operator>):
2668         (JSC::CallVariant::operator<=):
2669         (JSC::CallVariant::operator>=):
2670         (JSC::CallVariant::hash):
2671         (JSC::CallVariant::deletedToken):
2672         (JSC::CallVariantHash::hash):
2673         (JSC::CallVariantHash::equal):
2674         * bytecode/CodeOrigin.h:
2675         (JSC::InlineCallFrame::isNormalCall):
2676         * bytecode/ExitKind.cpp:
2677         (JSC::exitKindToString):
2678         * bytecode/ExitKind.h:
2679         * bytecode/GetByIdStatus.cpp:
2680         (JSC::GetByIdStatus::computeForStubInfo):
2681         * bytecode/PutByIdStatus.cpp:
2682         (JSC::PutByIdStatus::computeForStubInfo):
2683         * dfg/DFGAbstractInterpreterInlines.h:
2684         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2685         * dfg/DFGBackwardsPropagationPhase.cpp:
2686         (JSC::DFG::BackwardsPropagationPhase::propagate):
2687         * dfg/DFGBasicBlock.cpp:
2688         (JSC::DFG::BasicBlock::~BasicBlock):
2689         * dfg/DFGBasicBlock.h:
2690         (JSC::DFG::BasicBlock::takeLast):
2691         (JSC::DFG::BasicBlock::didLink):
2692         * dfg/DFGByteCodeParser.cpp:
2693         (JSC::DFG::ByteCodeParser::processSetLocalQueue):
2694         (JSC::DFG::ByteCodeParser::removeLastNodeFromGraph):
2695         (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
2696         (JSC::DFG::ByteCodeParser::addCall):
2697         (JSC::DFG::ByteCodeParser::handleCall):
2698         (JSC::DFG::ByteCodeParser::emitFunctionChecks):
2699         (JSC::DFG::ByteCodeParser::undoFunctionChecks):
2700         (JSC::DFG::ByteCodeParser::inliningCost):
2701         (JSC::DFG::ByteCodeParser::inlineCall):
2702         (JSC::DFG::ByteCodeParser::cancelLinkingForBlock):
2703         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
2704         (JSC::DFG::ByteCodeParser::handleInlining):
2705         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2706         (JSC::DFG::ByteCodeParser::prepareToParseBlock):
2707         (JSC::DFG::ByteCodeParser::clearCaches):
2708         (JSC::DFG::ByteCodeParser::parseBlock):
2709         (JSC::DFG::ByteCodeParser::linkBlock):
2710         (JSC::DFG::ByteCodeParser::linkBlocks):
2711         (JSC::DFG::ByteCodeParser::parseCodeBlock):
2712         * dfg/DFGCPSRethreadingPhase.cpp:
2713         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
2714         * dfg/DFGClobberize.h:
2715         (JSC::DFG::clobberize):
2716         * dfg/DFGCommon.h:
2717         * dfg/DFGConstantFoldingPhase.cpp:
2718         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2719         * dfg/DFGDoesGC.cpp:
2720         (JSC::DFG::doesGC):
2721         * dfg/DFGDriver.cpp:
2722         (JSC::DFG::compileImpl):
2723         * dfg/DFGFixupPhase.cpp:
2724         (JSC::DFG::FixupPhase::fixupNode):
2725         * dfg/DFGGraph.cpp:
2726         (JSC::DFG::Graph::dump):
2727         (JSC::DFG::Graph::visitChildren):
2728         * dfg/DFGJITCompiler.cpp:
2729         (JSC::DFG::JITCompiler::link):
2730         * dfg/DFGLazyJSValue.cpp:
2731         (JSC::DFG::LazyJSValue::switchLookupValue):
2732         * dfg/DFGLazyJSValue.h:
2733         (JSC::DFG::LazyJSValue::switchLookupValue): Deleted.
2734         * dfg/DFGNode.cpp:
2735         (WTF::printInternal):
2736         * dfg/DFGNode.h:
2737         (JSC::DFG::OpInfo::OpInfo):
2738         (JSC::DFG::Node::hasHeapPrediction):
2739         (JSC::DFG::Node::hasCellOperand):
2740         (JSC::DFG::Node::cellOperand):
2741         (JSC::DFG::Node::setCellOperand):
2742         (JSC::DFG::Node::canBeKnownFunction): Deleted.
2743         (JSC::DFG::Node::hasKnownFunction): Deleted.
2744         (JSC::DFG::Node::knownFunction): Deleted.
2745         (JSC::DFG::Node::giveKnownFunction): Deleted.
2746         (JSC::DFG::Node::hasFunction): Deleted.
2747         (JSC::DFG::Node::function): Deleted.
2748         (JSC::DFG::Node::hasExecutable): Deleted.
2749         (JSC::DFG::Node::executable): Deleted.
2750         * dfg/DFGNodeType.h:
2751         * dfg/DFGPhantomCanonicalizationPhase.cpp:
2752         (JSC::DFG::PhantomCanonicalizationPhase::run):
2753         * dfg/DFGPhantomRemovalPhase.cpp:
2754         (JSC::DFG::PhantomRemovalPhase::run):
2755         * dfg/DFGPredictionPropagationPhase.cpp:
2756         (JSC::DFG::PredictionPropagationPhase::propagate):
2757         * dfg/DFGSafeToExecute.h:
2758         (JSC::DFG::safeToExecute):
2759         * dfg/DFGSpeculativeJIT.cpp:
2760         (JSC::DFG::SpeculativeJIT::emitSwitch):
2761         * dfg/DFGSpeculativeJIT32_64.cpp:
2762         (JSC::DFG::SpeculativeJIT::emitCall):
2763         (JSC::DFG::SpeculativeJIT::compile):
2764         * dfg/DFGSpeculativeJIT64.cpp:
2765         (JSC::DFG::SpeculativeJIT::emitCall):
2766         (JSC::DFG::SpeculativeJIT::compile):
2767         * dfg/DFGStructureRegistrationPhase.cpp:
2768         (JSC::DFG::StructureRegistrationPhase::run):
2769         * dfg/DFGTierUpCheckInjectionPhase.cpp:
2770         (JSC::DFG::TierUpCheckInjectionPhase::run):
2771         (JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling):
2772         * dfg/DFGValidate.cpp:
2773         (JSC::DFG::Validate::validate):
2774         * dfg/DFGWatchpointCollectionPhase.cpp:
2775         (JSC::DFG::WatchpointCollectionPhase::handle):
2776         * ftl/FTLCapabilities.cpp:
2777         (JSC::FTL::canCompile):
2778         * ftl/FTLLowerDFGToLLVM.cpp:
2779         (JSC::FTL::ftlUnreachable):
2780         (JSC::FTL::LowerDFGToLLVM::lower):
2781         (JSC::FTL::LowerDFGToLLVM::compileNode):
2782         (JSC::FTL::LowerDFGToLLVM::compileCheckCell):
2783         (JSC::FTL::LowerDFGToLLVM::compileCheckBadCell):
2784         (JSC::FTL::LowerDFGToLLVM::compileGetExecutable):
2785         (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
2786         (JSC::FTL::LowerDFGToLLVM::compileSwitch):
2787         (JSC::FTL::LowerDFGToLLVM::buildSwitch):
2788         (JSC::FTL::LowerDFGToLLVM::compileCheckFunction): Deleted.
2789         (JSC::FTL::LowerDFGToLLVM::compileCheckExecutable): Deleted.
2790         * heap/Heap.cpp:
2791         (JSC::Heap::collect):
2792         * jit/AssemblyHelpers.h:
2793         (JSC::AssemblyHelpers::storeValue):
2794         (JSC::AssemblyHelpers::loadValue):
2795         * jit/CCallHelpers.h:
2796         (JSC::CCallHelpers::setupArguments):
2797         * jit/GPRInfo.h:
2798         (JSC::JSValueRegs::uses):
2799         * jit/JITCall.cpp:
2800         (JSC::JIT::compileOpCall):
2801         * jit/JITCall32_64.cpp:
2802         (JSC::JIT::compileOpCall):
2803         * runtime/Options.h:
2804         * runtime/VM.cpp:
2805         (JSC::VM::ensureCallEdgeLog):
2806         * runtime/VM.h:
2807         * tests/stress/new-array-then-exit.js: Added.
2808         (foo):
2809         * tests/stress/poly-call-exit-this.js: Added.
2810         * tests/stress/poly-call-exit.js: Added.
2811
2812 2014-08-22  Michael Saboff  <msaboff@apple.com>
2813
2814         After r172867 another crash in js/dom/line-column-numbers.html
2815         https://bugs.webkit.org/show_bug.cgi?id=136192
2816
2817         Reviewed by Geoffrey Garen.
2818
2819         In lookupExceptionHandlerFromCallerFrame(), we need to use the caller's CallFrame
2820         and VMEntryFrame when calling genericUnwind().  NativeCallFrameTracerWithRestore()
2821         does that for us.
2822
2823         In general, NativeCallFrameTracerWithRestore() restores the values because we may
2824         do more processing that requires the current callFrame and vmEntryFrame before we
2825         get to the catch handler where we change these to the catch values.  In this
2826         particular case, that restoration isn't currently needed, but we add complexity
2827         and possible future confusion if we create another NativeCallFrameTracerXXX()
2828         version that doesn't restore the values.
2829
2830         * jit/JITOperations.cpp:
2831         (JSC::lookupExceptionHandlerFromCallerFrame): Changed NativeCallFrameTracer() to
2832         NativeCallFrameTracerWithRestore() so that VM::topVMEntryFrame will be updated
2833         before calling genericUnwind().
2834
2835 2014-08-24  Brian J. Burg  <burg@cs.washington.edu>
2836
2837         Web Inspector: rename Inspector::TypeBuilder to Inspector::Protocol
2838         https://bugs.webkit.org/show_bug.cgi?id=136031
2839
2840         Reviewed by Timothy Hatcher.
2841
2842         Rename TypeBuilder namespace to Protocol. Disambiguate where
2843         necessary. Also rename InspectorTypeBuilder to ProtocolTypes.
2844
2845         * CMakeLists.txt:
2846         * DerivedSources.make:
2847         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2848         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2849         * JavaScriptCore.vcxproj/copy-files.cmd:
2850         * JavaScriptCore.xcodeproj/project.pbxproj:
2851         * inspector/ConsoleMessage.cpp:
2852         (Inspector::messageSourceValue):
2853         (Inspector::messageTypeValue):
2854         (Inspector::messageLevelValue):
2855         (Inspector::ConsoleMessage::addToFrontend):
2856         * inspector/ContentSearchUtilities.cpp:
2857         (Inspector::ContentSearchUtilities::buildObjectForSearchMatch):
2858         (Inspector::ContentSearchUtilities::searchInTextByLines):
2859         * inspector/ContentSearchUtilities.h:
2860         * inspector/InjectedScript.cpp:
2861         (Inspector::InjectedScript::evaluate):
2862         (Inspector::InjectedScript::callFunctionOn):
2863         (Inspector::InjectedScript::evaluateOnCallFrame):
2864         (Inspector::InjectedScript::getFunctionDetails):
2865         (Inspector::InjectedScript::getProperties):
2866         (Inspector::InjectedScript::getInternalProperties):
2867         (Inspector::InjectedScript::wrapCallFrames):
2868         (Inspector::InjectedScript::wrapObject):
2869         (Inspector::InjectedScript::wrapTable):
2870         * inspector/InjectedScript.h:
2871         * inspector/InjectedScriptBase.cpp:
2872         (Inspector::InjectedScriptBase::makeEvalCall):
2873         * inspector/InjectedScriptBase.h:
2874         * inspector/InspectorTypeBuilder.h: Removed.
2875         * inspector/ScriptCallFrame.cpp:
2876         (Inspector::ScriptCallFrame::buildInspectorObject):
2877         * inspector/ScriptCallFrame.h:
2878         * inspector/ScriptCallStack.cpp:
2879         (Inspector::ScriptCallStack::buildInspectorArray):
2880         * inspector/ScriptCallStack.h:
2881         * inspector/agents/InspectorAgent.cpp:
2882         (Inspector::InspectorAgent::inspect):
2883         * inspector/agents/InspectorAgent.h:
2884         * inspector/agents/InspectorDebuggerAgent.cpp:
2885         (Inspector::breakpointActionTypeForString):
2886         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
2887         (Inspector::InspectorDebuggerAgent::setBreakpoint):
2888         (Inspector::InspectorDebuggerAgent::resolveBreakpoint):
2889         (Inspector::InspectorDebuggerAgent::searchInContent):
2890         (Inspector::InspectorDebuggerAgent::getFunctionDetails):
2891         (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
2892         (Inspector::InspectorDebuggerAgent::currentCallFrames):
2893         (Inspector::InspectorDebuggerAgent::didParseSource):
2894         (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
2895         * inspector/agents/InspectorDebuggerAgent.h:
2896         * inspector/agents/InspectorProfilerAgent.cpp:
2897         (Inspector::InspectorProfilerAgent::createProfileHeader):
2898         (Inspector::InspectorProfilerAgent::getProfileHeaders):
2899         (Inspector::buildInspectorObject):
2900         (Inspector::InspectorProfilerAgent::buildProfileInspectorObject):
2901         (Inspector::InspectorProfilerAgent::getCPUProfile):
2902         * inspector/agents/InspectorProfilerAgent.h:
2903         * inspector/agents/InspectorRuntimeAgent.cpp:
2904         (Inspector::buildErrorRangeObject):
2905         (Inspector::InspectorRuntimeAgent::parse):
2906         (Inspector::InspectorRuntimeAgent::evaluate):
2907         (Inspector::InspectorRuntimeAgent::callFunctionOn):
2908         (Inspector::InspectorRuntimeAgent::getProperties):
2909         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
2910         * inspector/agents/InspectorRuntimeAgent.h:
2911         * inspector/scripts/codegen/__init__.py:
2912         * inspector/scripts/codegen/generate_backend_dispatcher_header.py:
2913         (BackendDispatcherHeaderGenerator.generate_output):
2914         * inspector/scripts/codegen/generate_backend_dispatcher_implementation.py:
2915         (BackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
2916         (BackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
2917         * inspector/scripts/codegen/generate_frontend_dispatcher_header.py:
2918         (FrontendDispatcherHeaderGenerator.generate_output):
2919         * inspector/scripts/codegen/generate_frontend_dispatcher_implementation.py:
2920         (FrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
2921         * inspector/scripts/codegen/generate_type_builder_header.py: Removed.
2922         * inspector/scripts/codegen/generate_type_builder_implementation.py: Removed.
2923         * inspector/scripts/codegen/generator.py:
2924         (Generator.protocol_type_string_for_type):
2925         (Generator.protocol_type_string_for_type_member):
2926         (Generator.type_string_for_type_with_name):
2927         (Generator.type_string_for_formal_out_parameter):
2928         (Generator.type_string_for_formal_async_parameter):
2929         (Generator.type_string_for_stack_in_parameter):
2930         (Generator.type_string_for_stack_out_parameter):
2931         (Generator.assertion_method_for_type_member.assertion_method_for_type):
2932         (Generator.assertion_method_for_type_member):
2933         (Generator.type_builder_string_for_type): Deleted.
2934         (Generator.type_builder_string_for_type_member): Deleted.
2935         * inspector/scripts/codegen/generator_templates.py:
2936         (Inspector):
2937         * inspector/scripts/generate-inspector-protocol-bindings.py:
2938         (generate_from_specification):
2939         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2940         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2941         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2942         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2943         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
2944         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
2945         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
2946         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2947         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
2948         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2949         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2950         * runtime/HighFidelityTypeProfiler.cpp:
2951         (JSC::HighFidelityTypeProfiler::getTypesForVariableAtOffsetForInspector):
2952         * runtime/HighFidelityTypeProfiler.h:
2953         * runtime/TypeSet.cpp:
2954         (JSC::TypeSet::allPrimitiveTypeNames):
2955         (JSC::TypeSet::allStructureRepresentations):
2956         (JSC::StructureShape::inspectorRepresentation):
2957         * runtime/TypeSet.h:
2958
2959 2014-08-24  Brian J. Burg  <burg@cs.washington.edu>
2960
2961         Web Inspector: Rename DOM.RGBA and remove workarounds in the bindings generator
2962         https://bugs.webkit.org/show_bug.cgi?id=136025
2963
2964         Reviewed by Joseph Pecoraro.
2965
2966         This workaround can be removed since it is no longer necessary.
2967
2968         * inspector/scripts/codegen/models.py:
2969         (TypeReference.__init__):
2970         (Type.raw_name):
2971         (TypeDeclaration.__init__):
2972         * inspector/scripts/tests/type-declaration-object-type.json: Remove related test input.
2973         * inspector/scripts/tests/expected/type-declaration-object-type.json-result: Rebaseline.
2974
2975 2014-08-23  Joseph Pecoraro  <pecoraro@apple.com>
2976
2977         Web Inspector: Do not copy large module source strings
2978         https://bugs.webkit.org/show_bug.cgi?id=136191
2979
2980         Reviewed by Benjamin Poulain.
2981
2982         * inspector/InjectedScriptManager.cpp:
2983         (Inspector::InjectedScriptManager::injectedScriptSource):
2984
2985 2014-08-21  Michael Saboff  <msaboff@apple.com>
2986
2987         REGRESSION(r163179): Sporadic crash in js/dom/line-column-numbers.html test
2988         https://bugs.webkit.org/show_bug.cgi?id=136111
2989
2990         Reviewed by Filip Pizlo.
2991
2992         The problem was that we weren't properly handling VM::topVMEntryFrame in two ways.
2993
2994         First, in the case where we get a stack overflow exception during setup of the direct
2995         callee frame of a VM entry frame, we need to throw the exception in the caller's frame.
2996         This requires unrolling topVMEntryFrame while creating the exception object.  This is
2997         accomplished with the renamed NativeCallFrameTracerWithRestore object.  As part of this,
2998         split the JIT rollback exception handling to call a new helper,
2999         callLookupExceptionHandlerFromCallerFrame, which will unroll the callFrame and VMEntryFrame.
3000
3001         Second, when we unwind to find a handler, we also need to unwind topVMEntryFrame for the
3002         case where we end up (re)throwing another exception after entering the catch block, but
3003         before another vmEntry call.  Added VM::vmEntryFrameForThrow as a way similar to
3004         VM::callFrameForThrow to pass the appropriate VMEntryFrame to the catch block.
3005
3006
3007         * dfg/DFGJITCompiler.cpp:
3008         (JSC::DFG::JITCompiler::compileExceptionHandlers):
3009         * ftl/FTLCompile.cpp:
3010         (JSC::FTL::fixFunctionBasedOnStackMaps):
3011         * jit/JIT.cpp:
3012         (JSC::JIT::privateCompileExceptionHandlers):
3013         Split out the unroll cases to use the new helper callLookupExceptionHandlerFromCallerFrame()
3014         to unwind both the callFrame and topVMEntryFrame.
3015
3016         * interpreter/Interpreter.cpp:
3017         (JSC::UnwindFunctor::UnwindFunctor):
3018         (JSC::UnwindFunctor::operator()):
3019         (JSC::Interpreter::unwind):
3020         * jit/JITExceptions.cpp:
3021         (JSC::genericUnwind):
3022         Added VMEntryFrame as another component to unwind.
3023
3024         * interpreter/Interpreter.h:
3025         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
3026         (JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore):
3027         (JSC::NativeCallFrameTracerWithRestore::~NativeCallFrameTracerWithRestore):
3028         Renamed and changed to save and restore topCallFrame and topVMEntryFrame around the setting of
3029         both values.
3030
3031         * interpreter/StackVisitor.cpp:
3032         (JSC::StackVisitor::gotoNextFrame):
3033         (JSC::StackVisitor::readNonInlinedFrame):
3034         * interpreter/StackVisitor.h:
3035         (JSC::StackVisitor::Frame::vmEntryFrame):
3036         Added code to unwind the VMEntryFrame.
3037
3038         * jit/CCallHelpers.h:
3039         (JSC::CCallHelpers::jumpToExceptionHandler): Updated comment to indicate that the value
3040         the handler should use for VM::topVMEntryFrame is in VM::vmEntryFrameForThrow.
3041
3042         * jit/JITOpcodes.cpp:
3043         (JSC::JIT::emit_op_catch):
3044         * jit/JITOpcodes32_64.cpp:
3045         (JSC::JIT::emit_op_catch):
3046         * llint/LowLevelInterpreter32_64.asm:
3047         * llint/LowLevelInterpreter64.asm:
3048         Added code to update VM::topVMEntryFrame from VM::vmEntryFrameForThrowOffset.
3049
3050         * jit/JITOperations.cpp:
3051         * jit/JITOperations.h:
3052         (JSC::operationThrowStackOverflowError):
3053         (JSC::operationCallArityCheck):
3054         (JSC::operationConstructArityCheck):
3055
3056         * runtime/VM.h:
3057         (JSC::VM::vmEntryFrameForThrowOffset):
3058         (JSC::VM::topVMEntryFrameOffset):
3059         Added as the side channel to return the topVMEntryFrame that the handler should use.
3060
3061 2014-08-22  Daniel Bates  <dabates@apple.com>
3062
3063         [iOS] Disable ENABLE_IOS_{GESTURE, TOUCH}_EVENTS, and temporarily disable ENABLE_TOUCH_EVENTS
3064         and ENABLE_XSLT when building with the iOS public SDK
3065         https://bugs.webkit.org/show_bug.cgi?id=135945
3066
3067         Reviewed by Andy Estes.
3068
3069         * Configurations/FeatureDefines.xcconfig:
3070
3071 2014-08-22  Jon Lee  <jonlee@apple.com>
3072
3073         Fix iOS build due to r172832 and move RUBBER_BANDING out of FeatureDefines.h
3074         https://bugs.webkit.org/show_bug.cgi?id=136157
3075
3076         Reviewed by Simon Fraser.
3077
3078         * Configurations/FeatureDefines.xcconfig: Add ENABLE(RUBBER_BANDING).
3079
3080 2014-08-21  Mark Lam  <mark.lam@apple.com>
3081
3082         r171362 accidentally increased the size of InlineCallFrame.
3083         <https://webkit.org/b/136141>
3084
3085         Reviewed by Filip Pizlo.
3086
3087         r171362 increased the size of InlineCallFrame::kind to 2 bits.  This increased
3088         the size of InlineCallFrame from 72 to 80 though not intentionally.  The fix
3089         is to reduce the size of InlineCallFrame::stackOffset to 29 bits.
3090
3091         Also added an assert to ensure that we never set a value that exceeds the size
3092         of InlineCallFrame::stackOffset.
3093
3094         * bytecode/CodeOrigin.h:
3095         (JSC::InlineCallFrame::setStackOffset):
3096         * dfg/DFGByteCodeParser.cpp:
3097         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
3098
3099 2014-08-21  Joseph Pecoraro  <pecoraro@apple.com>
3100
3101         Web Inspector: RetainPtr misuse, CFRunLoopSource leak
3102         https://bugs.webkit.org/show_bug.cgi?id=136143
3103
3104         Reviewed by Timothy Hatcher.
3105
3106         Adopt a Create into the RetainPtr to avoid leaking.
3107
3108         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
3109         (Inspector::RemoteInspectorDebuggableConnection::setupRunLoop):
3110
3111 2014-08-21  Mark Lam  <mark.lam@apple.com>
3112
3113         REGRESSION(r172808): It made 6 different tests fail on 32 bit platforms.
3114         <https://webkit.org/b/136123>
3115
3116         Reviewed by Filip Pizlo.
3117
3118         The original patch in r172808 removed the code to skip the top scope in
3119         the 64-bit port of JIT::emitResolveClosure() but not in the 32-bit port.
3120         This patch fixes that and achieves parity.
3121
3122         * jit/JITPropertyAccess32_64.cpp:
3123         (JSC::JIT::emitResolveClosure):
3124
3125 2014-08-21  Zalan Bujtas  <zalan@apple.com>
3126
3127         Enable SATURATED_LAYOUT_ARITHMETIC.
3128         https://bugs.webkit.org/show_bug.cgi?id=136106
3129
3130         Reviewed by Simon Fraser.
3131
3132         SATURATED_LAYOUT_ARITHMETIC protects LayoutUnit against arithmetic overflow.
3133         (No measurable performance regression on Mac.)
3134
3135         * Configurations/FeatureDefines.xcconfig:
3136
3137 2014-08-20  Saam Barati  <sbarati@apple.com>
3138
3139         Fix how CodeBlock dumps the opcode op_profile_type
3140         https://bugs.webkit.org/show_bug.cgi?id=136088
3141
3142         Reviewed by Filip Pizlo.
3143
3144         op_profile_type was modified to receive two extra arguments,
3145         but its dump in CodeBlock::dumpBytecode wasn't changed to 
3146         account for this, so it broke CodeBlock::dumpBytecode when
3147         op_profile_type was in the stream of bytecode instructions.
3148         CodeBlock::dumpBytecode now accounts for the change in 
3149         op_profile_type's arity.
3150
3151         * bytecode/CodeBlock.cpp:
3152         (JSC::CodeBlock::dumpBytecode):
3153
3154 2014-08-20  Saam Barati  <sbarati@apple.com>
3155
3156         Rename HighFidelityTypeProfiling variables for more clarity
3157         https://bugs.webkit.org/show_bug.cgi?id=135899
3158
3159         Reviewed by Geoffrey Garen.
3160
3161         Many names that are used in the type profiling infrastructure
3162         prefix themselves with "HighFidelity" or include the words "high"
3163         and/or "fidelity" in some way. But the words "high" and "fidelity" don't 
3164         add anything descriptive to the names surrounding type profiling. 
3165         So this patch removes all uses of "HighFidelity" and its variants.
3166
3167         Most renamings change "HighFidelity*" to "TypeProfiler*" or simply 
3168         drop the prefix "HighFidelity" all together. Now, almost all names 
3169         in relation to type profiling contain in them "TypeProfiler" or 
3170         "TypeProfiling" or some combination of the words "type" and "profile".
3171
3172         This patch also changes how we check if type profiling is enabled:
3173         We no longer call VM::isProfilingTypesWithHighFidelity. We now just
3174         check that VM::typeProfiler is not null.
3175
3176         This patch also changes all calls to TypeProfilerLog::processLogEntries
3177         to use ASCIILiteral to form WTFStrings instead of vanilla C string literals.
3178
3179         * CMakeLists.txt:
3180         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3181         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3182         * JavaScriptCore.xcodeproj/project.pbxproj:
3183         * bytecode/BytecodeList.json:
3184         * bytecode/BytecodeUseDef.h:
3185         (JSC::computeUsesForBytecodeOffset):
3186         (JSC::computeDefsForBytecodeOffset):
3187         * bytecode/CodeBlock.cpp:
3188         (JSC::CodeBlock::dumpBytecode):
3189         (JSC::CodeBlock::CodeBlock):
3190         * bytecode/TypeLocation.h:
3191         * bytecode/UnlinkedCodeBlock.cpp:
3192         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3193         (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset):
3194         (JSC::UnlinkedCodeBlock::addTypeProfilerExpressionInfo):
3195         (JSC::UnlinkedCodeBlock::highFidelityTypeProfileExpressionInfoForBytecodeOffset): Deleted.
3196         (JSC::UnlinkedCodeBlock::addHighFidelityTypeProfileExpressionInfo): Deleted.
3197         * bytecode/UnlinkedCodeBlock.h:
3198         (JSC::UnlinkedFunctionExecutable::typeProfilingStartOffset):
3199         (JSC::UnlinkedFunctionExecutable::typeProfilingEndOffset):
3200         (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingStartOffset): Deleted.
3201         (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingEndOffset): Deleted.
3202         * bytecompiler/BytecodeGenerator.cpp:
3203         (JSC::BytecodeGenerator::generate):
3204         (JSC::BytecodeGenerator::BytecodeGenerator):
3205         (JSC::BytecodeGenerator::emitMove):
3206         (JSC::BytecodeGenerator::emitTypeProfilerExpressionInfo):
3207         (JSC::BytecodeGenerator::emitProfileType):
3208         (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo): Deleted.
3209         (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity): Deleted.
3210         * bytecompiler/BytecodeGenerator.h:
3211         (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity): Deleted.
3212         * bytecompiler/NodesCodegen.cpp:
3213         (JSC::ThisNode::emitBytecode):
3214         (JSC::ResolveNode::emitBytecode):
3215         (JSC::BracketAccessorNode::emitBytecode):
3216         (JSC::DotAccessorNode::emitBytecode):
3217         (JSC::FunctionCallValueNode::emitBytecode):
3218         (JSC::FunctionCallResolveNode::emitBytecode):
3219         (JSC::FunctionCallBracketNode::emitBytecode):
3220         (JSC::FunctionCallDotNode::emitBytecode):
3221         (JSC::CallFunctionCallDotNode::emitBytecode):
3222         (JSC::ApplyFunctionCallDotNode::emitBytecode):
3223         (JSC::PostfixNode::emitResolve):
3224         (JSC::PostfixNode::emitBracket):
3225         (JSC::PostfixNode::emitDot):
3226         (JSC::PrefixNode::emitResolve):
3227         (JSC::PrefixNode::emitBracket):
3228         (JSC::PrefixNode::emitDot):
3229         (JSC::ReadModifyResolveNode::emitBytecode):
3230         (JSC::AssignResolveNode::emitBytecode):
3231         (JSC::AssignDotNode::emitBytecode):
3232         (JSC::ReadModifyDotNode::emitBytecode):
3233         (JSC::AssignBracketNode::emitBytecode):
3234         (JSC::ReadModifyBracketNode::emitBytecode):
3235         (JSC::ConstDeclNode::emitCodeSingle):
3236         (JSC::EmptyVarExpression::emitBytecode):
3237         (JSC::ReturnNode::emitBytecode):
3238         (JSC::FunctionBodyNode::emitBytecode):
3239         * heap/Heap.cpp:
3240         (JSC::Heap::collect):
3241         * inspector/agents/InspectorRuntimeAgent.cpp:
3242         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
3243         (Inspector::recompileAllJSFunctionsForTypeProfiling):
3244         (Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend):
3245         (Inspector::InspectorRuntimeAgent::enableTypeProfiler):
3246         (Inspector::InspectorRuntimeAgent::disableTypeProfiler):
3247         (Inspector::InspectorRuntimeAgent::setTypeProfilerEnabledState):
3248         (Inspector::InspectorRuntimeAgent::enableHighFidelityTypeProfiling): Deleted.
3249         (Inspector::InspectorRuntimeAgent::disableHighFidelityTypeProfiling): Deleted.
3250         (Inspector::InspectorRuntimeAgent::setHighFidelityTypeProfilingEnabledState): Deleted.
3251         * inspector/agents/InspectorRuntimeAgent.h:
3252         * inspector/protocol/Runtime.json:
3253         * jit/JIT.cpp:
3254         (JSC::JIT::privateCompileMainPass):
3255         (JSC::JIT::privateCompile):
3256         * jit/JIT.h:
3257         * jit/JITOpcodes.cpp:
3258         (JSC::JIT::emit_op_profile_type):
3259         (JSC::JIT::emit_op_profile_types_with_high_fidelity): Deleted.
3260         * jit/JITOpcodes32_64.cpp:
3261         (JSC::JIT::emit_op_profile_type):
3262         (JSC::JIT::emit_op_profile_types_with_high_fidelity): Deleted.
3263         * jit/JITOperations.cpp:
3264         * jsc.cpp:
3265         (functionDumpTypesForAllVariables):
3266         * llint/LLIntSlowPaths.cpp:
3267         * llint/LowLevelInterpreter.asm:
3268         * runtime/CodeCache.cpp:
3269         (JSC::CodeCache::getGlobalCodeBlock):
3270         * runtime/CommonSlowPaths.cpp:
3271         (JSC::SLOW_PATH_DECL):
3272         * runtime/CommonSlowPaths.h:
3273         * runtime/Executable.cpp:
3274         (JSC::ScriptExecutable::ScriptExecutable):
3275         (JSC::ProgramExecutable::ProgramExecutable):
3276         (JSC::FunctionExecutable::FunctionExecutable):
3277         (JSC::ProgramExecutable::initializeGlobalProperties):
3278         * runtime/Executable.h:
3279         (JSC::ScriptExecutable::typeProfilingStartOffset):
3280         (JSC::ScriptExecutable::typeProfilingEndOffset):
3281         (JSC::ScriptExecutable::highFidelityTypeProfilingStartOffset): Deleted.
3282         (JSC::ScriptExecutable::highFidelityTypeProfilingEndOffset): Deleted.
3283         * runtime/HighFidelityLog.cpp: Removed.
3284         * runtime/HighFidelityLog.h: Removed.
3285         * runtime/HighFidelityTypeProfiler.cpp: Removed.
3286         * runtime/HighFidelityTypeProfiler.h: Removed.
3287         * runtime/Options.h:
3288         * runtime/SymbolTable.cpp:
3289         (JSC::SymbolTable::prepareForTypeProfiling):
3290         (JSC::SymbolTable::uniqueIDForVariable):
3291         (JSC::SymbolTable::uniqueIDForRegister):
3292         (JSC::SymbolTable::prepareForHighFidelityTypeProfiling): Deleted.
3293         * runtime/SymbolTable.h:
3294         * runtime/TypeProfiler.cpp: Added.
3295         (JSC::TypeProfiler::logTypesForTypeLocation):
3296         (JSC::TypeProfiler::insertNewLocation):
3297         (JSC::TypeProfiler::getTypesForVariableAtOffsetForInspector):
3298         (JSC::descriptorMatchesTypeLocation):
3299         (JSC::TypeProfiler::findLocation):
3300         * runtime/TypeProfiler.h: Added.
3301         (JSC::QueryKey::QueryKey):
3302         (JSC::QueryKey::isHashTableDeletedValue):
3303         (JSC::QueryKey::operator==):
3304         (JSC::QueryKey::hash):
3305         (JSC::QueryKeyHash::hash):
3306         (JSC::QueryKeyHash::equal):
3307         (JSC::TypeProfiler::functionHasExecutedCache):
3308         (JSC::TypeProfiler::typeLocationCache):
3309         * runtime/TypeProfilerLog.cpp: Added.
3310         (JSC::TypeProfilerLog::initializeLog):
3311         (JSC::TypeProfilerLog::~TypeProfilerLog):
3312         (JSC::TypeProfilerLog::processLogEntries):
3313         * runtime/TypeProfilerLog.h: Added.
3314         (JSC::TypeProfilerLog::LogEntry::structureIDOffset):
3315         (JSC::TypeProfilerLog::LogEntry::valueOffset):
3316         (JSC::TypeProfilerLog::LogEntry::locationOffset):
3317         (JSC::TypeProfilerLog::TypeProfilerLog):
3318         (JSC::TypeProfilerLog::recordTypeInformationForLocation):
3319         (JSC::TypeProfilerLog::logEndPtr):
3320         (JSC::TypeProfilerLog::logStartOffset):
3321         (JSC::TypeProfilerLog::currentLogEntryOffset):
3322         * runtime/VM.cpp:
3323         (JSC::VM::VM):
3324         (JSC::VM::enableTypeProfiler):
3325         (JSC::VM::disableTypeProfiler):
3326         (JSC::VM::dumpTypeProfilerData):
3327         (JSC::VM::enableHighFidelityTypeProfiling): Deleted.
3328         (JSC::VM::disableHighFidelityTypeProfiling): Deleted.
3329         (JSC::VM::dumpHighFidelityProfilingTypes): Deleted.
3330         * runtime/VM.h:
3331         (JSC::VM::typeProfilerLog):
3332         (JSC::VM::typeProfiler):
3333         (JSC::VM::isProfilingTypesWithHighFidelity): Deleted.
3334         (JSC::VM::highFidelityLog): Deleted.
3335         (JSC::VM::highFidelityTypeProfiler): Deleted.
3336
3337 2014-08-20  Csaba Osztrogonác  <ossy@webkit.org>
3338
3339         URTBF after r172799.
3340
3341         * disassembler/ARM64/A64DOpcode.cpp:
3342         * disassembler/ARM64Disassembler.cpp: