Support the type profiler in the DFG
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-10-01  Saam Barati  <saambarati1@gmail.com>

        Support the type profiler in the DFG
        https://bugs.webkit.org/show_bug.cgi?id=136712

        Reviewed by Filip Pizlo.

        This patch implements op_profile_type inside the DFG as the node: ProfileType.
        The DFG will convert the ProfileType node into a Check node in the cases where
        passing a type check is equivalent to writing to the TypeProfilerLog. This
        gives the DFG the potential to optimize out multiple ProfileType nodes into
        a single Check node.

        When the DFG doesn't convert ProfileType into a Check node, it will generate
        the same inline code as the baseline JIT does for writing an entry to the
        TypeProfilerLog.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::typeLocation):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/TypeProfiler.cpp:
        (JSC::TypeProfiler::logTypesForTypeLocation):
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::dumpTypes):
        (JSC::TypeSet::doesTypeConformTo):
        Make this method public so others can reason about the types a TypeSet has seen.
        (JSC::TypeSet::seenTypes): Deleted.
        (JSC::TypeSet::dumpSeenTypes): Deleted.
        Renamed to dumpTypes so the method seenTypes can be used as a public getter.
        * runtime/TypeSet.h:
        (JSC::TypeSet::seenTypes):
        * tests/typeProfiler/dfg-jit-optimizations.js: Added.
        (tierUpToDFG):
        (funcs):
        (.return):

2014-10-01  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix 32-bit.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2014-09-30  Filip Pizlo  <fpizlo@apple.com>

        DFG SSA should use PutLocal/KillLocal instead of SetLocal to communicate what is flushed to the stack and when
        https://bugs.webkit.org/show_bug.cgi?id=137242

        Reviewed by Geoffrey Garen.

        OSR availability has to do with telling you the various ways that you could go about getting
        the value of a bytecode variable. It can give you two options: node availability means that
        there is a node in the DFG IR that has the right value, and flush availability tells you
        that the value was already stored to the stack. The clients of OSR availability would
        typically prefer flush over node availability.

        Previously OSR availability was affected thusly by the various local-related nodes: SetLocal
        set both the node and flush availability, MovHint set node availability and cleared flush
        availability, GetArgument set both, and ZombieHint cleared both.

        A MovHint could be turned into a ZombieHint if its source value was DCEd.

        The fact that each node affected both node and flush availability caused weirdness. For
        example it meant that we could not insert MovHints in areas of the CFG where a SetLocal's
        variable was still live, because then those parts of the code would forget that they had an
        availability flush. This meant that if a flush was available, we wouldn't insert MovHints,
        and so we would forget that a node was in fact available. This kind of "either-or" picking
        was not only hackish but it led to interesting problems for IR transformation: for example
        if you tried to do any kind of code motion on SetLocals, you had to be super careful because
        you might violate the rule that "MovHints must exist for a live local if a flush is
        unavailable".

        The right thing to do is to have independent nodes for flushing and making nodes available.
        They shouldn't interact with each other. This patch accomplishes this:

        - PutLocal means that a value is to be stored to the stack. It makes a flush available.
        - KillLocal means that the value stored to the stack is no longer available for the purposes
          of OSR (i.e. it no longer accurately corresponds to what that actual bytecode variable
          would have been, so you have to fall back on node availability).
        - MovHint means that a node is available. It has no effect on flush availability.
        - ZombieHint means that a node is not available. It has no effect on flush availability.

        This means that we will see a lot of KillLocals and MovHints right next to each other. It's
        a bit verbose, but at least it's precise.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAvailability.h:
        (JSC::DFG::Availability::setFlush):
        (JSC::DFG::Availability::setNode):
        (JSC::DFG::Availability::setNodeUnavailable):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::hasVariableAccessData):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasUnlinkedLocal):
        (JSC::DFG::Node::willHaveCodeGenOrOSR):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compilePutLocal):
        (JSC::FTL::LowerDFGToLLVM::compileSetLocal): Deleted.
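The availability rules described in the entry above, as an added example that is not JavaScriptCore's own code: a small C++ model that replays a constructed node sequence for one bytecode variable and reports, after each node, which recovery an OSR client would pick (flush preferred over node). The NodeKind enum, Op, Availability and the two executor functions are assumptions made for this example; the real calculator is in DFGOSRAvailabilityAnalysisPhase.cpp.

```cpp
// Added example, not JavaScriptCore code: a model of how the local-related DFG
// nodes named in the ChangeLog entry update per-local OSR availability, with
// the pre-patch (SetLocal) and post-patch (PutLocal/KillLocal) semantics side by side.
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Node kinds named in the entry. The enum and everything below are assumptions for this example.
enum class NodeKind { SetLocal, GetArgument, PutLocal, KillLocal, MovHint, ZombieHint };

struct Op {
    NodeKind kind;
    int local; // index of the bytecode variable the node refers to
    int node;  // id of the DFG node carrying the value (-1 where none applies)
};

// Availability of one bytecode variable: the flush part and the node part are kept separate.
struct Availability {
    bool flushed = false; // a correct value is already stored on the stack
    int node = -1;        // a DFG node that has the value, or -1 if none
};

// OSR clients prefer flush over node availability, so report in that order.
static std::string describe(const Availability& a) {
    if (a.flushed) return "flush";
    if (a.node >= 0) return "node:" + std::to_string(a.node);
    return "unavailable";
}

// Pre-patch semantics: every node touched both halves of the availability.
static void executeLegacy(Availability& a, const Op& op) {
    switch (op.kind) {
    case NodeKind::SetLocal:
    case NodeKind::GetArgument: a.flushed = true;  a.node = op.node; break;
    case NodeKind::MovHint:     a.flushed = false; a.node = op.node; break; // forgets the flush
    case NodeKind::ZombieHint:  a.flushed = false; a.node = -1;      break;
    default: break; // PutLocal/KillLocal did not exist before the patch
    }
}

// Post-patch semantics: flush and node availability are updated independently.
static void executeNew(Availability& a, const Op& op) {
    switch (op.kind) {
    case NodeKind::PutLocal:   a.flushed = true;  break; // value stored to the stack
    case NodeKind::KillLocal:  a.flushed = false; break; // stack slot no longer trustworthy
    case NodeKind::MovHint:    a.node = op.node;  break; // node available; flush untouched
    case NodeKind::ZombieHint: a.node = -1;       break; // node gone; flush untouched
    default: break; // SetLocal/GetArgument are not part of the SSA form modelled here
    }
}

using Executor = void (*)(Availability&, const Op&);

// Runs a node sequence and returns the recovery description of `local` after each node.
static std::vector<std::string> trace(Executor exec, const std::vector<Op>& ops, int local, std::size_t numLocals = 1) {
    std::vector<Availability> locals(numLocals);
    std::vector<std::string> out;
    for (const Op& op : ops) {
        exec(locals.at(op.local), op);
        out.push_back(describe(locals.at(local)));
    }
    return out;
}

std::string join(const std::vector<std::string>& parts) {
    std::string s;
    for (std::size_t i = 0; i < parts.size(); ++i) s += (i ? "," : "") + parts[i];
    return s;
}

// Constructed sequence (not taken from the patch): a MovHint after a SetLocal loses the flush.
std::vector<std::string> legacyTrace() {
    return trace(executeLegacy, {
        {NodeKind::SetLocal, 0, 5},   // flush and node:5; flush wins
        {NodeKind::MovHint, 0, 5},    // same value, but the flush is now forgotten
        {NodeKind::ZombieHint, 0, -1} // both cleared
    }, 0);
}

// Constructed sequence (not taken from the patch): KillLocal and ZombieHint each clear one half only.
std::vector<std::string> newTrace() {
    return trace(executeNew, {
        {NodeKind::MovHint, 0, 5},     // node:5
        {NodeKind::PutLocal, 0, 5},    // flush now preferred
        {NodeKind::KillLocal, 0, -1},  // stack slot dead, node:5 still usable
        {NodeKind::ZombieHint, 0, -1}, // nothing left
        {NodeKind::MovHint, 0, 9},     // the KillLocal/MovHint pairs the entry mentions
        {NodeKind::KillLocal, 0, -1}   // no flush to kill; node:9 unaffected
    }, 0);
}

int main() {
    std::cout << "legacy: " << join(legacyTrace()) << "\n";
    std::cout << "new:    " << join(newTrace()) << "\n";
    return 0;
}
```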

2014-10-01  Brent Fulgham  <bfulgham@apple.com>

        [Win] 32-bit JavaScriptCore should limit itself to the C loop
        https://bugs.webkit.org/show_bug.cgi?id=137304
        <rdar://problem/18375370>

        Reviewed by Michael Saboff.

        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl:
        Use the C loop for 32-bit builds.

2014-09-30  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: ErrorString should be passed by reference
        https://bugs.webkit.org/show_bug.cgi?id=137257

        Reviewed by Joseph Pecoraro.

        Pass the leading ErrorString argument by reference, since it is always an out parameter.
        Clean up callsites where the error message is written.

        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::evaluate):
        (Inspector::InjectedScript::callFunctionOn):
        (Inspector::InjectedScript::evaluateOnCallFrame):
        (Inspector::InjectedScript::getFunctionDetails):
        (Inspector::InjectedScript::getProperties):
        (Inspector::InjectedScript::getInternalProperties):
        * inspector/InjectedScript.h:
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::makeEvalCall):
        * inspector/InjectedScriptBase.h:
        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::willDestroyFrontendAndBackend):
        (Inspector::InspectorAgent::enable):
        (Inspector::InspectorAgent::disable):
        (Inspector::InspectorAgent::initialized):
        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::willDestroyFrontendAndBackend):
        (Inspector::InspectorConsoleAgent::enable):
        (Inspector::InspectorConsoleAgent::disable):
        (Inspector::InspectorConsoleAgent::clearMessages):
        (Inspector::InspectorConsoleAgent::reset):
        (Inspector::InspectorConsoleAgent::addMessageToConsole):
        * inspector/agents/InspectorConsoleAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::enable):
        (Inspector::InspectorDebuggerAgent::disable):
        (Inspector::InspectorDebuggerAgent::setBreakpointsActive):
        (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
        (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
        (Inspector::parseLocation):
        (Inspector::InspectorDebuggerAgent::setBreakpoint):
        (Inspector::InspectorDebuggerAgent::removeBreakpoint):
        (Inspector::InspectorDebuggerAgent::continueToLocation):
        (Inspector::InspectorDebuggerAgent::searchInContent):
        (Inspector::InspectorDebuggerAgent::getScriptSource):
        (Inspector::InspectorDebuggerAgent::getFunctionDetails):
        (Inspector::InspectorDebuggerAgent::pause):
        (Inspector::InspectorDebuggerAgent::resume):
        (Inspector::InspectorDebuggerAgent::stepOver):
        (Inspector::InspectorDebuggerAgent::stepInto):
        (Inspector::InspectorDebuggerAgent::stepOut):
        (Inspector::InspectorDebuggerAgent::setPauseOnExceptions):
        (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
        (Inspector::InspectorDebuggerAgent::setOverlayMessage):
        (Inspector::InspectorDebuggerAgent::didParseSource):
        (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
        (Inspector::InspectorDebuggerAgent::assertPaused):
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::parse):
        (Inspector::InspectorRuntimeAgent::evaluate):
        (Inspector::InspectorRuntimeAgent::callFunctionOn):
        (Inspector::InspectorRuntimeAgent::getProperties):
        (Inspector::InspectorRuntimeAgent::releaseObject):
        (Inspector::InspectorRuntimeAgent::releaseObjectGroup):
        (Inspector::InspectorRuntimeAgent::run):
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        (Inspector::InspectorRuntimeAgent::enableTypeProfiler):
        (Inspector::InspectorRuntimeAgent::disableTypeProfiler):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
        (Inspector::JSGlobalObjectConsoleAgent::setMonitoringXHREnabled):
        (Inspector::JSGlobalObjectConsoleAgent::addInspectedNode):
        * inspector/agents/JSGlobalObjectConsoleAgent.h:
        * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
        (Inspector::JSGlobalObjectDebuggerAgent::injectedScriptForEval):
        * inspector/agents/JSGlobalObjectDebuggerAgent.h:
        * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
        (Inspector::JSGlobalObjectRuntimeAgent::injectedScriptForEval):
        * inspector/agents/JSGlobalObjectRuntimeAgent.h:
        * inspector/scripts/codegen/generate_backend_dispatcher_header.py:
        (BackendDispatcherHeaderGenerator._generate_handler_declaration_for_command):
        (BackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
        * inspector/scripts/codegen/generate_backend_dispatcher_implementation.py:
        (BackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:

2014-09-30  Mark Lam  <mark.lam@apple.com>

        Label some asserts as having security implications.
        <https://webkit.org/b/137260>

        Reviewed by Filip Pizlo.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::handleAssertionFailure):
        * runtime/JSCell.h:
        (JSC::jsCast):
        * runtime/StructureIDTable.h:
        (JSC::StructureIDTable::get):

2014-09-30  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION (r174025): Invalid cast in JSC::asString
        https://bugs.webkit.org/show_bug.cgi?id=137224

        Reviewed by Geoffrey Garen.

        Store barrier elision in fixup depends on checking the type of the value being stored. It's very important that
        when we speak of "the value being stored" we are really referring to the right value.

        The bug here was that the PutClosureVar case was assuming that child2 is the value being stored. It's actually
        child3. So we were incorrectly removing all barriers from PutClosureVar.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2014-09-30  Brian J. Burg  <burg@cs.washington.edu>

        Web Replay: use static Strings instead of AtomicStrings for replay input type tags
        https://bugs.webkit.org/show_bug.cgi?id=137086

        Reviewed by Joseph Pecoraro.

        This pattern doesn't work when we want to define some inputs in WebKit2.
        The ReplayInputTypes class was generated from WebCore inputs only. This
        patch moves all input traits to use static local Strings as type tags.

        * replay/scripts/CodeGeneratorReplayInputs.py: Remove configuration of how
        type tags are generated, since all framework targets now generate the same code.

        * replay/NondeterministicInput.h:
        * replay/scripts/CodeGeneratorReplayInputs.py: Simplify and rebase test results.
        (Generator.generate_input_trait_implementation):
        * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Simplify templates.

        * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp:
        (JSC::InputTraits<Test::SavedMouseButton>::type):
        * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h:
        * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp:
        (JSC::InputTraits<Test::SavedMouseButton>::type):
        * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h:
        * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp:
        (JSC::InputTraits<Test::HandleWheelEvent>::type):
        * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h:
        * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp:
        (JSC::InputTraits<Test::FormCombo>::type):
        * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h:
        * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp:
        (JSC::InputTraits<Test::GetCurrentTime>::type):
        (JSC::InputTraits<Test::SetRandomSeed>::type):
        * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h:
        * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp:
        (JSC::InputTraits<Test::ArrayOfThings>::type):
        (JSC::InputTraits<Test::SavedHistory>::type):
        * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h:
        * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.cpp:
        (JSC::InputTraits<Test::ScalarInput1>::type):
        (JSC::InputTraits<Test::ScalarInput2>::type):
        * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h:
        * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp:
        (JSC::InputTraits<Test::ScalarInput>::type):
        (JSC::InputTraits<Test::MapInput>::type):
        * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h:

2014-09-30  Daniel Bates  <dabates@apple.com>

        REGRESSION (r172532): JSBase.h declares NSMapTable functions that are SPI
        https://bugs.webkit.org/show_bug.cgi?id=137170
        <rdar://problem/18477384>

        Reviewed by Geoffrey Garen.

        Move conditional include of header Foundation/NSMapTablePriv.h and forward declarations
        of NSMapTable SPI from file JavaScriptCore/API/JSBase.h to WTF/wtf/spi/cocoa/NSMapTableSPI.h.

        * API/JSBase.h:
        * API/JSManagedValue.mm: Include header WTF/wtf/spi/cocoa/NSMapTableSPI.h.
        * API/JSVirtualMachine.mm: Ditto.
        * API/JSVirtualMachineInternal.h: Forward declare class NSMapTable.
        * API/JSWrapperMap.mm: Include header WTF/wtf/spi/cocoa/NSMapTableSPI.h. Also, order
        #include directives such that they are sorted in alphabetical order.

2014-09-30  Oliver Hunt  <oliver@apple.com>

        Fix C API header
        https://bugs.webkit.org/show_bug.cgi?id=137254
        <rdar://problem/18487528>

        Build fix

        Guard extern "C" behind __cplusplus ifdef

        * API/JSBase.h:

2014-09-29  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: InjectedScripts should not be profiled or displayed in Timeline
        https://bugs.webkit.org/show_bug.cgi?id=136806

        Reviewed by Timothy Hatcher.

        It doesn't make sense to show profile nodes for injected scripts when profiling user content.
        For now, omit nodes by suspending profiling before and after executing injected scripts.

        * profiler/LegacyProfiler.cpp:
        (JSC::LegacyProfiler::suspendProfiling): Added.
        (JSC::LegacyProfiler::unsuspendProfiling): Added.
        * profiler/LegacyProfiler.h:
        * profiler/ProfileGenerator.cpp: Add isSuspended() flag, remove unused typedef.
        (JSC::ProfileGenerator::ProfileGenerator):
        (JSC::ProfileGenerator::willExecute):
        (JSC::ProfileGenerator::didExecute):
        * profiler/ProfileGenerator.h:
        (JSC::ProfileGenerator::setIsSuspended): Added.

2014-09-29  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: InspectorValues should use references for out parameters
        https://bugs.webkit.org/show_bug.cgi?id=137190

        Reviewed by Joseph Pecoraro.

        Use references for out parameters in asType() and getType() methods.
        Also convert to references in some miscellaneous code where we don't
        expect or handle null values.

        Remove variants of asObject() and asArray() that return a nullable RefPtr.
        Now, client code is forced to use out parameters and check for cast failure.

        Iron out control flow in some functions and fix some style issues.

        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::getFunctionDetails):
        (Inspector::InjectedScript::wrapObject):
        (Inspector::InjectedScript::wrapTable):
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::makeEvalCall):
        * inspector/InjectedScriptManager.cpp:
        (Inspector::InjectedScriptManager::injectedScriptForObjectId): Simplify control flow.
        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::InspectorBackendDispatcher::dispatch):
        (Inspector::getPropertyValue):
        (Inspector::AsMethodBridges::asInteger):
        (Inspector::AsMethodBridges::asDouble):
        (Inspector::AsMethodBridges::asString):
        (Inspector::AsMethodBridges::asBoolean):
        (Inspector::AsMethodBridges::asObject):
        (Inspector::AsMethodBridges::asArray):
        * inspector/InspectorProtocolTypes.h:
        (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast):
        (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType):
        * inspector/InspectorValues.cpp: Use more by-reference out parameters. Add more spacing.
        (Inspector::InspectorValue::asBoolean):
        (Inspector::InspectorValue::asDouble):
        (Inspector::InspectorValue::asInteger):
        (Inspector::InspectorValue::asString):
        (Inspector::InspectorValue::asValue):
        (Inspector::InspectorValue::asObject):
        (Inspector::InspectorValue::asArray):
        (Inspector::InspectorValue::parseJSON):
        (Inspector::InspectorValue::toJSONString):
        (Inspector::InspectorValue::writeJSON):
        (Inspector::InspectorBasicValue::asBoolean):
        (Inspector::InspectorBasicValue::asDouble):
        (Inspector::InspectorBasicValue::asInteger):
        (Inspector::InspectorBasicValue::writeJSON):
        (Inspector::InspectorString::asString):
        (Inspector::InspectorString::writeJSON):
        (Inspector::InspectorObjectBase::asObject):
        (Inspector::InspectorObjectBase::openAccessors):
        (Inspector::InspectorObjectBase::getBoolean):
        (Inspector::InspectorObjectBase::getString):
        (Inspector::InspectorObjectBase::getObject):
        (Inspector::InspectorObjectBase::getArray):
        (Inspector::InspectorObjectBase::writeJSON):
        (Inspector::InspectorArrayBase::asArray):
        (Inspector::InspectorArrayBase::writeJSON):
        * inspector/InspectorValues.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
        (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
        (Inspector::parseLocation):
        (Inspector::InspectorDebuggerAgent::setBreakpoint):
        (Inspector::InspectorDebuggerAgent::continueToLocation):
        (Inspector::InspectorDebuggerAgent::didParseSource):
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        * inspector/scripts/codegen/generate_protocol_types_implementation.py:
        (ProtocolTypesImplementationGenerator):
        (ProtocolTypesImplementationGenerator._generate_assertion_for_enum):
        * inspector/scripts/codegen/generator_templates.py:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
        * replay/EncodedValue.cpp:
        (JSC::EncodedValue::asObject):
        (JSC::EncodedValue::asArray):
        (JSC::EncodedValue::convertTo<bool>):
        (JSC::EncodedValue::convertTo<double>):
        (JSC::EncodedValue::convertTo<float>):
        (JSC::EncodedValue::convertTo<int32_t>):
        (JSC::EncodedValue::convertTo<int64_t>):
        (JSC::EncodedValue::convertTo<uint32_t>):
        (JSC::EncodedValue::convertTo<uint64_t>):
        (JSC::EncodedValue::convertTo<String>):

2014-09-29  Filip Pizlo  <fpizlo@apple.com>

        DFG HasStructureProperty codegen should use one fewer registers
        https://bugs.webkit.org/show_bug.cgi?id=137235

        Reviewed by Andreas Kling.

        This was an obvious source of inefficiency and it was causing us to run out of registers on
        x86-32.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2014-09-29  Filip Pizlo  <fpizlo@apple.com>

        Don't use GPRResult unless you're flushing registers and making a runtime function call
        https://bugs.webkit.org/show_bug.cgi?id=137234

        Rubber stamped by Andreas Kling.

        Rename GPRResult to GPRFlushedCallResult, in an attempt to dissuade people from using it for results in the
        general case.

        Replace GPRResult with GPRTemporary in those places where it was causing bugs: particularly in GetDirectPname it
        would cause us to spill the register that has the base, and the code was assuming (rightly) that the base and the
        result were in different registers. That's a valid assumption when using GPRTemporary but not with GPRResult.
        Also this code wasn't getting any benefit from using GPRResult because it wasn't doing flushRegisters().

        I don't know how to test this. A test would require setting up a particularly awkward register allocation state.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck):
        (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression):
        (JSC::DFG::SpeculativeJIT::compileRegExpExec):
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::GPRFlushedCallResult::GPRFlushedCallResult):
        (JSC::DFG::GPRFlushedCallResult2::GPRFlushedCallResult2):
        (JSC::DFG::GPRResult::GPRResult): Deleted.
        (JSC::DFG::GPRResult2::GPRResult2): Deleted.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::speculateDoubleRepMachineInt):

2014-09-29  Diego Pino Garcia  <dpino@igalia.com>

        Missing changes from r174049
        https://bugs.webkit.org/show_bug.cgi?id=137206

        Reviewed by Darin Adler.

        * runtime/CommonIdentifiers.h:

2014-09-28  Diego Pino Garcia  <dpino@igalia.com>

        Simple ES6 feature: Number constructor extras
        https://bugs.webkit.org/show_bug.cgi?id=131707

        Reviewed by Darin Adler.

        * runtime/CommonIdentifiers.h:
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::finishCreation): Set up constants and
        functions.
        (JSC::numberConstructorFuncIsFinite): Added.
        (JSC::numberConstructorFuncIsInteger): Added.
        (JSC::numberConstructorFuncIsNaN): Added.
        (JSC::numberConstructorFuncIsSafeInteger): Added.
        (JSC::NumberConstructor::getOwnPropertySlot): Deleted.
        (JSC::numberConstructorNaNValue): Deleted.
        (JSC::numberConstructorNegInfinity): Deleted.
        (JSC::numberConstructorPosInfinity): Deleted.
        (JSC::numberConstructorMaxValue): Deleted.
        (JSC::numberConstructorMinValue): Deleted.
        * runtime/NumberConstructor.h:

2014-09-26  Filip Pizlo  <fpizlo@apple.com>

        Disable function.arguments
        https://bugs.webkit.org/show_bug.cgi?id=137167

        Rubber stamped by Geoffrey Garen.

        Add an option to disable function.arguments. Add a test for disabling it.

        Disabling function.arguments means that it returns an Arguments object that claims that
        there were zero arguments. All other Arguments functionality still works, so any code
        that tries to inspect this object will still think that it is looking at a perfectly
        valid Arguments object.

        This also makes function.arguments disabled by default. Note that the RJST harness will
        enable them by default, to continue to get test coverage for the code that implements
        the feature.

        We will rip out that code once we're confident that it's really safe to remove this
        feature. Only once we rip out that support will we be able to do optimizations to
        leverage the lack of this feature. It's important to keep the support code, and the test
        infrastructure, in place before we are confident. The logic to keep this working touches
        the entire compiler and a large chunk of the runtime, so reimplementing it - or even
        merging it back in - would be a nightmare. That's also basically the reason why we want
        to rip it out if at all possible. It's a lot of terrible code.

        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::createArguments):
        * runtime/Arguments.h:
        (JSC::Arguments::create):
        (JSC::Arguments::finishCreation):
        * runtime/Options.h:
        * tests/stress/disable-function-dot-arguments.js: Added.
        (foo):
        (bar):

2014-09-26  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Automatic Inspection should continue once all breakpoints are loaded
        https://bugs.webkit.org/show_bug.cgi?id=137038

        Reviewed by Timothy Hatcher.

        Add a new protocol command "Inspector.initialized" that signifies to the backend
        when the frontend has sent all its initialization messages to the backend. This
        can include information like breakpoints, which we would want to have loaded
        before any JavaScript evaluates in the context.

        * inspector/protocol/InspectorDomain.json:
        New protocol command, Inspector.initialized.

        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::InspectorAgent):
        (Inspector::InspectorAgent::initialized):
        Tell the InspectorEnvironment (the Controller) the frontend has initialized.

        * inspector/InspectorEnvironment.h:
        Abstract virtual method to handle frontend initialization. To be
        implemented by all of the InspectorControllers.

        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::connectFrontend):
        (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
        (Inspector::JSGlobalObjectInspectorController::frontendInitialized):
        When a frontend is initialized, if it was automatic inspection, unpause the debuggable.

        * inspector/remote/RemoteInspectorDebuggable.cpp:
        (Inspector::RemoteInspectorDebuggable::unpauseForInitializedInspector):
        Complete setup for this debuggable.

        * inspector/remote/RemoteInspectorDebuggable.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorDebuggableConnection::setup):
        Move the setup complete to later, when the frontend sends an "initialized" message.

        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
639         (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate):
640         Provide a longer timeout now that the frontend must send messages after the connection
641         has established. The longest I have seen is 600ms, but the average tends to be 200ms.
642         So bump the timeout to 800ms for a buffer.
643
644         (Inspector::RemoteInspector::setupSucceeded): Deleted.
645         (Inspector::RemoteInspector::setupCompleted):
646         Rename, as this happens at a slightly different time.
647
648 2014-09-26  Filip Pizlo  <fpizlo@apple.com>
649
650         DFG shouldn't insert store barriers when it has it on good authority that we're not storing a cell
651         https://bugs.webkit.org/show_bug.cgi?id=137161
652
653         Reviewed by Mark Hahnenberg.
654         
655         This looks like a 1% Octane speed-up.
656
657         * bytecode/SpeculatedType.h:
658         (JSC::isNotCellSpeculation):
659         * dfg/DFGFixupPhase.cpp:
660         (JSC::DFG::FixupPhase::fixupNode):
661         (JSC::DFG::FixupPhase::insertStoreBarrier):
662         (JSC::DFG::FixupPhase::insertCheck):
663         * dfg/DFGNode.h:
664         (JSC::DFG::Node::shouldSpeculateNotCell):
665
666 2014-09-26  Peter Varga  <pvarga@webkit.org>
667
668         Fix typo in YARR at BOL check
669         https://bugs.webkit.org/show_bug.cgi?id=137144
670
671         Reviewed by Darin Adler.
672
673         * yarr/YarrPattern.cpp: replace bitwise and operator by logical and
674         (JSC::Yarr::YarrPatternConstructor::assertionBOL):
675
676 2014-09-25  Saam Barati  <saambarati1@gmail.com>
677
678         Web Inspector: console.assert(bitString) TypeSet:50 
679         https://bugs.webkit.org/show_bug.cgi?id=137051
680
681         Reviewed by Joseph Pecoraro.
682
683         This patch creates stricter requirements on a TypeDescription
684         being valid. To be valid, a TypeDescription now ensures that 
685         the TypeSet it describes has non null type information.
686
687         * inspector/agents/InspectorRuntimeAgent.cpp:
688         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
689         * runtime/TypeSet.h:
690         (JSC::TypeSet::isEmpty):
691
692 2014-09-25  Filip Pizlo  <fpizlo@apple.com>
693
694         FTL should sink object allocations
695         https://bugs.webkit.org/show_bug.cgi?id=136330
696
697         Reviewed by Oliver Hunt.
698         
699         This adds a comprehensive infrastructure for sinking object allocations in DFG SSA form. The
700         ultimate goal of sinking is to sink an allocation "past the points of its death" - i.e. to
701         eliminate it completely. The way sinking reasons about the CFG means that it resembles a
702         partial escape analysis: we create paths through a function where some allocation(s) don't
703         have to be done at all even if there are other paths along which those allocations still have
704         to happen. But it also produces other side benefits. Even if an allocation isn't eliminated
705         along any path, the act of sinking reduces the number of barriers that have to execute.
706         
707         Because this was a fairly ambitious SSA analysis and transformation, I added a bunch of C++11
708         sugar to the DFG's internal APIs to allow for easier iteration over blocks, nodes, and
709         successors; and to add more functor goodness to allow for more lambdas.
710         
711         This is just the beginning. The bug has a bunch of other bugs that depend on it. So far this
712         is a spectacular speed-up on microbenchmarks but it's still too limited to affect big
713         benchmarks. For example, doing o == p makes the sinking phase think that o and p escape.
714         That's just an omission and there are likely others; we can easily fix them. I think it's
715         best to land it in its current form and then to worry about the big benchmarks in subsequent
716         work (see bug 137126).
717
718         * CMakeLists.txt:
719         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
720         * JavaScriptCore.xcodeproj/project.pbxproj:
721         * bytecode/StructureSet.h:
722         (JSC::StructureSet::iterator::iterator):
723         (JSC::StructureSet::iterator::operator*):
724         (JSC::StructureSet::iterator::operator++):
725         (JSC::StructureSet::iterator::operator==):
726         (JSC::StructureSet::iterator::operator!=):
727         (JSC::StructureSet::begin):
728         (JSC::StructureSet::end):
729         * dfg/DFGAbstractInterpreter.h:
730         (JSC::DFG::AbstractInterpreter::phiChildren):
731         * dfg/DFGAbstractInterpreterInlines.h:
732         (JSC::DFG::AbstractInterpreter<AbstractStateType>::AbstractInterpreter):
733         (JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting):
734         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
735         (JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
736         * dfg/DFGAvailability.h:
737         (JSC::DFG::Availability::shouldUseNode):
738         (JSC::DFG::Availability::isFlushUseful):
739         (JSC::DFG::Availability::isDead):
740         (JSC::DFG::Availability::operator!=):
741         * dfg/DFGAvailabilityMap.cpp: Added.
742         (JSC::DFG::AvailabilityMap::prune):
743         (JSC::DFG::AvailabilityMap::clear):
744         (JSC::DFG::AvailabilityMap::dump):
745         (JSC::DFG::AvailabilityMap::operator==):
746         (JSC::DFG::AvailabilityMap::merge):
747         * dfg/DFGAvailabilityMap.h: Added.
748         (JSC::DFG::AvailabilityMap::forEachAvailability):
749         * dfg/DFGBasicBlock.cpp:
750         (JSC::DFG::BasicBlock::SSAData::SSAData):
751         * dfg/DFGBasicBlock.h:
752         (JSC::DFG::BasicBlock::begin):
753         (JSC::DFG::BasicBlock::end):
754         (JSC::DFG::BasicBlock::SuccessorsIterable::SuccessorsIterable):
755         (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::iterator):
756         (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator*):
757         (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator++):
758         (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator==):
759         (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator!=):
760         (JSC::DFG::BasicBlock::SuccessorsIterable::begin):
761         (JSC::DFG::BasicBlock::SuccessorsIterable::end):
762         (JSC::DFG::BasicBlock::successors):
763         * dfg/DFGClobberize.h:
764         (JSC::DFG::clobberize):
765         * dfg/DFGConstantFoldingPhase.cpp:
766         (JSC::DFG::ConstantFoldingPhase::foldConstants):
767         * dfg/DFGDoesGC.cpp:
768         (JSC::DFG::doesGC):
769         * dfg/DFGFixupPhase.cpp:
770         (JSC::DFG::FixupPhase::fixupNode):
771         * dfg/DFGFlushedAt.cpp:
772         (JSC::DFG::FlushedAt::dump):
773         * dfg/DFGFlushedAt.h:
774         (JSC::DFG::FlushedAt::FlushedAt):
775         * dfg/DFGGraph.cpp:
776         (JSC::DFG::Graph::dump):
777         (JSC::DFG::Graph::dumpBlockHeader):
778         (JSC::DFG::Graph::mergeRelevantToOSR):
779         (JSC::DFG::Graph::invalidateCFG):
780         * dfg/DFGGraph.h:
781         (JSC::DFG::Graph::NaturalBlockIterable::NaturalBlockIterable):
782         (JSC::DFG::Graph::NaturalBlockIterable::iterator::iterator):
783         (JSC::DFG::Graph::NaturalBlockIterable::iterator::operator*):
784         (JSC::DFG::Graph::NaturalBlockIterable::iterator::operator++):
785         (JSC::DFG::Graph::NaturalBlockIterable::iterator::operator==):
786         (JSC::DFG::Graph::NaturalBlockIterable::iterator::operator!=):
787         (JSC::DFG::Graph::NaturalBlockIterable::iterator::findNext):
788         (JSC::DFG::Graph::NaturalBlockIterable::begin):
789         (JSC::DFG::Graph::NaturalBlockIterable::end):
790         (JSC::DFG::Graph::blocksInNaturalOrder):
791         (JSC::DFG::Graph::doToChildrenWithNode):
792         (JSC::DFG::Graph::doToChildren):
793         * dfg/DFGHeapLocation.cpp:
794         (WTF::printInternal):
795         * dfg/DFGHeapLocation.h:
796         * dfg/DFGInsertOSRHintsForUpdate.cpp: Added.
797         (JSC::DFG::insertOSRHintsForUpdate):
798         * dfg/DFGInsertOSRHintsForUpdate.h: Added.
799         * dfg/DFGInsertionSet.h:
800         (JSC::DFG::InsertionSet::graph):
801         * dfg/DFGMayExit.cpp:
802         (JSC::DFG::mayExit):
803         * dfg/DFGNode.h:
804         (JSC::DFG::Node::convertToPutByOffsetHint):
805         (JSC::DFG::Node::convertToPutStructureHint):
806         (JSC::DFG::Node::convertToPhantomNewObject):
807         (JSC::DFG::Node::isCellConstant):
808         (JSC::DFG::Node::castConstant):
809         (JSC::DFG::Node::hasIdentifier):
810         (JSC::DFG::Node::hasStorageAccessData):
811         (JSC::DFG::Node::hasObjectMaterializationData):
812         (JSC::DFG::Node::objectMaterializationData):
813         (JSC::DFG::Node::isPhantomObjectAllocation):
814         * dfg/DFGNodeType.h:
815         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
816         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
817         (JSC::DFG::LocalOSRAvailabilityCalculator::endBlock):
818         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
819         * dfg/DFGOSRAvailabilityAnalysisPhase.h:
820         * dfg/DFGObjectAllocationSinkingPhase.cpp: Added.
821         (JSC::DFG::ObjectAllocationSinkingPhase::ObjectAllocationSinkingPhase):
822         (JSC::DFG::ObjectAllocationSinkingPhase::run):
823         (JSC::DFG::ObjectAllocationSinkingPhase::performSinking):
824         (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints):
825         (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints):
826         (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations):
827         (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields):
828         (JSC::DFG::ObjectAllocationSinkingPhase::resolve):
829         (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
830         (JSC::DFG::ObjectAllocationSinkingPhase::createMaterialize):
831         (JSC::DFG::ObjectAllocationSinkingPhase::populateMaterialize):
832         (JSC::DFG::performObjectAllocationSinking):
833         * dfg/DFGObjectAllocationSinkingPhase.h: Added.
834         * dfg/DFGObjectMaterializationData.cpp: Added.
835         (JSC::DFG::PhantomPropertyValue::dump):
836         (JSC::DFG::ObjectMaterializationData::dump):
837         (JSC::DFG::ObjectMaterializationData::oneWaySimilarityScore):
838         (JSC::DFG::ObjectMaterializationData::similarityScore):
839         * dfg/DFGObjectMaterializationData.h: Added.
840         (JSC::DFG::PhantomPropertyValue::PhantomPropertyValue):
841         (JSC::DFG::PhantomPropertyValue::operator==):
842         * dfg/DFGPhantomCanonicalizationPhase.cpp:
843         (JSC::DFG::PhantomCanonicalizationPhase::run):
844         * dfg/DFGPhantomRemovalPhase.cpp:
845         (JSC::DFG::PhantomRemovalPhase::run):
846         * dfg/DFGPhiChildren.cpp: Added.
847         (JSC::DFG::PhiChildren::PhiChildren):
848         (JSC::DFG::PhiChildren::~PhiChildren):
849         (JSC::DFG::PhiChildren::upsilonsOf):
850         * dfg/DFGPhiChildren.h: Added.
851         (JSC::DFG::PhiChildren::forAllIncomingValues):
852         (JSC::DFG::PhiChildren::forAllTransitiveIncomingValues):
853         * dfg/DFGPlan.cpp:
854         (JSC::DFG::Plan::compileInThreadImpl):
855         * dfg/DFGPrePostNumbering.cpp: Added.
856         (JSC::DFG::PrePostNumbering::PrePostNumbering):
857         (JSC::DFG::PrePostNumbering::~PrePostNumbering):
858         (JSC::DFG::PrePostNumbering::compute):
859         (WTF::printInternal):
860         * dfg/DFGPrePostNumbering.h: Added.
861         (JSC::DFG::PrePostNumbering::preNumber):
862         (JSC::DFG::PrePostNumbering::postNumber):
863         (JSC::DFG::PrePostNumbering::isStrictAncestorOf):
864         (JSC::DFG::PrePostNumbering::isAncestorOf):
865         (JSC::DFG::PrePostNumbering::isStrictDescendantOf):
866         (JSC::DFG::PrePostNumbering::isDescendantOf):
867         (JSC::DFG::PrePostNumbering::edgeKind):
868         * dfg/DFGPredictionPropagationPhase.cpp:
869         (JSC::DFG::PredictionPropagationPhase::propagate):
870         * dfg/DFGPromoteHeapAccess.h: Added.
871         (JSC::DFG::promoteHeapAccess):
872         * dfg/DFGPromotedHeapLocation.cpp: Added.
873         (JSC::DFG::PromotedLocationDescriptor::dump):
874         (JSC::DFG::PromotedHeapLocation::createHint):
875         (JSC::DFG::PromotedHeapLocation::dump):
876         (WTF::printInternal):
877         * dfg/DFGPromotedHeapLocation.h: Added.
878         (JSC::DFG::PromotedLocationDescriptor::PromotedLocationDescriptor):
879         (JSC::DFG::PromotedLocationDescriptor::operator!):
880         (JSC::DFG::PromotedLocationDescriptor::kind):
881         (JSC::DFG::PromotedLocationDescriptor::info):
882         (JSC::DFG::PromotedLocationDescriptor::hash):
883         (JSC::DFG::PromotedLocationDescriptor::operator==):
884         (JSC::DFG::PromotedLocationDescriptor::operator!=):
885         (JSC::DFG::PromotedLocationDescriptor::isHashTableDeletedValue):
886         (JSC::DFG::PromotedHeapLocation::PromotedHeapLocation):
887         (JSC::DFG::PromotedHeapLocation::operator!):
888         (JSC::DFG::PromotedHeapLocation::kind):
889         (JSC::DFG::PromotedHeapLocation::base):
890         (JSC::DFG::PromotedHeapLocation::info):
891         (JSC::DFG::PromotedHeapLocation::descriptor):
892         (JSC::DFG::PromotedHeapLocation::hash):
893         (JSC::DFG::PromotedHeapLocation::operator==):
894         (JSC::DFG::PromotedHeapLocation::isHashTableDeletedValue):
895         (JSC::DFG::PromotedHeapLocationHash::hash):
896         (JSC::DFG::PromotedHeapLocationHash::equal):
897         * dfg/DFGSSACalculator.cpp:
898         (JSC::DFG::SSACalculator::reset):
899         * dfg/DFGSSACalculator.h:
900         * dfg/DFGSafeToExecute.h:
901         (JSC::DFG::safeToExecute):
902         * dfg/DFGSpeculativeJIT.cpp:
903         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
904         * dfg/DFGSpeculativeJIT32_64.cpp:
905         (JSC::DFG::SpeculativeJIT::compile):
906         * dfg/DFGSpeculativeJIT64.cpp:
907         (JSC::DFG::SpeculativeJIT::compile):
908         * dfg/DFGStructureRegistrationPhase.cpp:
909         (JSC::DFG::StructureRegistrationPhase::run):
910         * dfg/DFGValidate.cpp:
911         (JSC::DFG::Validate::validate):
912         * ftl/FTLCapabilities.cpp:
913         (JSC::FTL::canCompile):
914         * ftl/FTLExitPropertyValue.cpp: Added.
915         (JSC::FTL::ExitPropertyValue::dump):
916         * ftl/FTLExitPropertyValue.h: Added.
917         (JSC::FTL::ExitPropertyValue::ExitPropertyValue):
918         (JSC::FTL::ExitPropertyValue::operator!):
919         (JSC::FTL::ExitPropertyValue::location):
920         (JSC::FTL::ExitPropertyValue::value):
921         * ftl/FTLExitTimeObjectMaterialization.cpp: Added.
922         (JSC::FTL::ExitTimeObjectMaterialization::ExitTimeObjectMaterialization):
923         (JSC::FTL::ExitTimeObjectMaterialization::~ExitTimeObjectMaterialization):
924         (JSC::FTL::ExitTimeObjectMaterialization::add):
925         (JSC::FTL::ExitTimeObjectMaterialization::get):
926         (JSC::FTL::ExitTimeObjectMaterialization::dump):
927         * ftl/FTLExitTimeObjectMaterialization.h: Added.
928         (JSC::FTL::ExitTimeObjectMaterialization::type):
929         (JSC::FTL::ExitTimeObjectMaterialization::properties):
930         * ftl/FTLExitValue.cpp:
931         (JSC::FTL::ExitValue::materializeNewObject):
932         (JSC::FTL::ExitValue::dumpInContext):
933         * ftl/FTLExitValue.h:
934         (JSC::FTL::ExitValue::isObjectMaterialization):
935         (JSC::FTL::ExitValue::objectMaterialization):
936         (JSC::FTL::ExitValue::withVirtualRegister):
937         (JSC::FTL::ExitValue::valueFormat):
938         * ftl/FTLLowerDFGToLLVM.cpp:
939         (JSC::FTL::LowerDFGToLLVM::compileNode):
940         (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
941         (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
942         (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
943         (JSC::FTL::LowerDFGToLLVM::compileNewObject):
944         (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
945         (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
946         (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
947         (JSC::FTL::LowerDFGToLLVM::compileCheckStructureImmediate):
948         (JSC::FTL::LowerDFGToLLVM::compileMaterializeNewObject):
949         (JSC::FTL::LowerDFGToLLVM::checkStructure):
950         (JSC::FTL::LowerDFGToLLVM::allocateCell):
951         (JSC::FTL::LowerDFGToLLVM::storeStructure):
952         (JSC::FTL::LowerDFGToLLVM::allocateObject):
953         (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
954         (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
955         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
956         (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
957         (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
958         (JSC::FTL::LowerDFGToLLVM::weakStructureID):
959         (JSC::FTL::LowerDFGToLLVM::weakStructure):
960         (JSC::FTL::LowerDFGToLLVM::availabilityMap):
961         (JSC::FTL::LowerDFGToLLVM::availability): Deleted.
962         * ftl/FTLOSRExit.h:
963         * ftl/FTLOSRExitCompiler.cpp:
964         (JSC::FTL::compileRecovery):
965         (JSC::FTL::compileStub):
966         * ftl/FTLOperations.cpp: Added.
967         (JSC::FTL::operationNewObjectWithButterfly):
968         (JSC::FTL::operationMaterializeObjectInOSR):
969         * ftl/FTLOperations.h: Added.
970         * ftl/FTLSwitchCase.h:
971         (JSC::FTL::SwitchCase::SwitchCase):
972         * runtime/JSObject.h:
973         (JSC::JSObject::finishCreation):
974         (JSC::JSFinalObject::JSFinalObject):
975         (JSC::JSFinalObject::create):
976         * runtime/Structure.cpp:
977         (JSC::Structure::canUseForAllocationsOf):
978         * runtime/Structure.h:
979         * tests/stress/elidable-new-object-roflcopter-then-exit.js: Added.
980         (sumOfArithSeries):
981         (foo):
982         * tests/stress/elide-new-object-dag-then-exit.js: Added.
983         (sumOfArithSeries):
984         (bar):
985         (verify):
986         (foo):
987         * tests/stress/obviously-elidable-new-object-then-exit.js: Added.
988         (sumOfArithSeries):
989         (foo):
990
991 2014-09-25  Brian J. Burg  <burg@cs.washington.edu>
992
993         Web Replay: Check event loop input extents during replaying too
994         https://bugs.webkit.org/show_bug.cgi?id=136316
995
996         Reviewed by Timothy Hatcher.
997
998         Sometimes we see different nondeterminism during capture and replay
999         executions, so we should add determinism checks during replay too.
1000
1001         Move the withinEventLoopInputExtent flag to the base class, and tighten
1002         the assertion to address <http://webkit.org/b/133019>.
1003
1004         * replay/InputCursor.h:
1005         (JSC::InputCursor::InputCursor):
1006         (JSC::InputCursor::setWithinEventLoopInputExtent): Added.
1007         This assertion is slightly wrong because it does not account for nested run loops.
1008         We can be within two input extents when a nested run loop processes additional
1009         user inputs while the debugger is paused.
1010
1011         This should only be the case when execution is being neither captured nor
1012         replayed. The debugger should not pause when capturing, and we should not replay
1013         event loop inputs while in a nested run loop.
1014
1015         (JSC::InputCursor::withinEventLoopInputExtent): Added.
1016
1017 2014-09-25  Csaba Osztrogonác  <ossy@webkit.org>
1018
1019         Remove WinCE port from trunk
1020         https://bugs.webkit.org/show_bug.cgi?id=136951
1021
1022         Reviewed by Alex Christensen.
1023
1024         * assembler/ARMAssembler.h:
1025         (JSC::ARMAssembler::cacheFlush):
1026         * assembler/ARMv7Assembler.h:
1027         (JSC::ARMv7Assembler::cacheFlush):
1028         * config.h:
1029         * heap/MachineStackMarker.cpp:
1030         (JSC::MachineThreads::gatherFromCurrentThread):
1031         (JSC::MachineThreads::gatherFromOtherThread):
1032         (JSC::swapIfBackwards): Deleted.
1033         * jit/ExecutableAllocator.h:
1034         * jsc.cpp:
1035         (main):
1036         * runtime/DateConstructor.cpp:
1037         * runtime/Options.cpp:
1038         (JSC::overrideOptionWithHeuristic):
1039         * runtime/VM.cpp:
1040         (JSC::VM::VM):
1041         * testRegExp.cpp:
1042         (main):
1043         * tools/CodeProfiling.cpp:
1044         (JSC::CodeProfiling::notifyAllocator):
1045
1046 2014-09-24  Brian J. Burg  <burg@cs.washington.edu>
1047
1048         Web Inspector: subtract elapsed time while debugger is paused from profile nodes
1049         https://bugs.webkit.org/show_bug.cgi?id=136796
1050
1051         Reviewed by Timothy Hatcher.
1052
1053         Rather than accruing no time to any profile node created while the debugger is paused,
1054         we can instead count a node's elapsed time and exclude time elapsed while paused.
1055
1056         Time for a node may elapse in a non-contiguous fashion depending on the interleaving of
1057         didPause, didContinue, willExecute, and didExecute. A node's start time is set to the
1058         start of the last such interval that accrues elapsed time.
1059
1060         * profiler/ProfileGenerator.cpp:
1061         (JSC::ProfileGenerator::ProfileGenerator):
1062         (JSC::ProfileGenerator::beginCallEntry):
1063         (JSC::ProfileGenerator::endCallEntry):
1064         (JSC::ProfileGenerator::didPause): Added.
1065         (JSC::ProfileGenerator::didContinue): Added.
1066         * profiler/ProfileGenerator.h:
1067         (JSC::ProfileGenerator::didPause): Deleted.
1068         (JSC::ProfileGenerator::didContinue): Deleted.
1069         * profiler/ProfileNode.h: Rename totalTime to elapsedTime.
1070         (JSC::ProfileNode::Call::Call):
1071         (JSC::ProfileNode::Call::elapsedTime): Added.
1072         (JSC::ProfileNode::Call::setElapsedTime): Added.
1073         (JSC::CalculateProfileSubtreeDataFunctor::operator()):
1074         (JSC::ProfileNode::Call::totalTime): Deleted.
1075         (JSC::ProfileNode::Call::setTotalTime): Deleted.
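
As an added illustration of the accounting this entry describes (example code, not WebKit's profiler): a minimal call-entry tracker whose elapsed time excludes intervals spent paused, driven by the didPause, didContinue, willExecute and didExecute interleaving. The class name, the injected `now()` clock and the scenario timings are assumptions made for the example.

```javascript
// Added example, not WebKit code: models the didPause / didContinue /
// willExecute / didExecute interleaving so that a call's elapsed time
// excludes time spent while the debugger is paused.

class PausableCallProfiler {
  // `now` is an injected monotonic clock returning milliseconds (an
  // assumption for the example; a real profiler reads the system clock).
  constructor(now) {
    this.now = now;
    this.paused = false;
    this.openCalls = [];   // innermost call last
    this.finished = [];    // { name, elapsedTime } in completion order
  }

  willExecute(name) {
    // A call opened while paused has no accruing interval until didContinue.
    this.openCalls.push({ name, elapsed: 0, startTime: this.paused ? null : this.now() });
  }

  didExecute(name) {
    const call = this.openCalls.pop();
    if (!call || call.name !== name)
      throw new Error(`didExecute(${name}) does not match the open call`);
    if (call.startTime !== null)
      call.elapsed += this.now() - call.startTime;
    this.finished.push({ name, elapsedTime: call.elapsed });
    return call.elapsed;
  }

  didPause() {
    if (this.paused) return;
    this.paused = true;
    const t = this.now();
    // Close the current accruing interval of every open call.
    for (const call of this.openCalls) {
      if (call.startTime !== null) {
        call.elapsed += t - call.startTime;
        call.startTime = null;
      }
    }
  }

  didContinue() {
    if (!this.paused) return;
    this.paused = false;
    // Each open call's start time becomes the start of this new interval,
    // the last interval that accrues elapsed time.
    const t = this.now();
    for (const call of this.openCalls)
      call.startTime = t;
  }
}

// Constructed scenario: outer() calls inner(); the debugger pauses for 85 ms
// in the middle, and late() is entered while paused.
function runScenario() {
  let clock = 0;
  const profiler = new PausableCallProfiler(() => clock);
  const result = {};

  clock = 0;   profiler.willExecute("outer");
  clock = 10;  profiler.willExecute("inner");
  clock = 15;  profiler.didPause();
  clock = 50;  profiler.willExecute("late");      // entered while paused
  clock = 100; profiler.didContinue();
  clock = 105; result.late = profiler.didExecute("late");    // 5
  clock = 110; result.inner = profiler.didExecute("inner");  // 5 + 10 = 15
  clock = 120; result.outer = profiler.didExecute("outer");  // 15 + 20 = 35
  result.wallClockOuter = 120;   // what a naive end - start would report
  return result;
}
```

The scenario shows the non-contiguous case from the entry: inner accrues 5 ms before the pause and 10 ms after it, while a naive end-minus-start would charge the whole 85 ms pause to every open node.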
1076
1077 2014-09-24  Commit Queue  <commit-queue@webkit.org>
1078
1079         Unreviewed, rolling out r173839.
1080         https://bugs.webkit.org/show_bug.cgi?id=137062
1081
1082         NumberConstruct should no longer use static tables (Requested
1083         by dpino on #webkit).
1084
1085         Reverted changeset:
1086
1087         "Simple ES6 feature: Number constructor extras"
1088         https://bugs.webkit.org/show_bug.cgi?id=131707
1089         http://trac.webkit.org/changeset/173839
1090
1091 2014-09-23  Mark Lam  <mark.lam@apple.com>
1092
1093         DebuggerCallFrame::invalidate() should invalidate all DebuggerScope chains.
1094         <https://webkit.org/b/137045>
1095
1096         Reviewed by Geoffrey Garen.
1097
1098         DebuggerCallFrame::invalidate() currently invalidates all DebuggerCallFrames
1099         in the debugger stack, but only invalidates the DebuggerScope chain of the
1100         topmost frame.  We should also invalidate all the DebuggerScope chains of
1101         the other frames in the debugger stack.
1102
1103         * debugger/DebuggerCallFrame.cpp:
1104         (JSC::DebuggerCallFrame::invalidate):
1105         * debugger/DebuggerScope.cpp:
1106         (JSC::DebuggerScope::invalidateChain):
1107
1108 2014-09-23  Mark Lam  <mark.lam@apple.com>
1109
1110         Renamed DebuggerCallFrameScope to DebuggerPausedScope.
1111         <https://webkit.org/b/137042>
1112
1113         Reviewed by Michael Saboff.
1114
1115         DebuggerPausedScope is a better name for this data structure because it
1116         is meant for tracking the period within which the debugger is paused,
1117         and doing clean ups after the pause ends.
1118
1119         * debugger/Debugger.cpp:
1120         (JSC::DebuggerPausedScope::DebuggerPausedScope):
1121         (JSC::DebuggerPausedScope::~DebuggerPausedScope):
1122         (JSC::Debugger::pauseIfNeeded):
1123         (JSC::DebuggerCallFrameScope::DebuggerCallFrameScope): Deleted.
1124         (JSC::DebuggerCallFrameScope::~DebuggerCallFrameScope): Deleted.
1125         * debugger/Debugger.h:
1126         * debugger/DebuggerCallFrame.h:
1127
1128 2014-09-23  Tomas Popela  <tpopela@redhat.com>
1129
1130         [CLoop] - Fix CLoop on the 32-bit Big-Endians
1131         https://bugs.webkit.org/show_bug.cgi?id=137020
1132
1133         Reviewed by Mark Lam.
1134
1135         * llint/LowLevelInterpreter.asm:
1136         * llint/LowLevelInterpreter32_64.asm:
1137
1138 2014-09-23  Joseph Pecoraro  <pecoraro@apple.com>
1139
1140         Web Inspector: Should be able to attach a debugger to a JSContext before anything is executed
1141         https://bugs.webkit.org/show_bug.cgi?id=136893
1142
1143         Reviewed by Timothy Hatcher.
1144
1145         Adds new remote inspector protocol handling for automatic inspection.
1146         Debuggers can signal they have enabled automatic inspection, and
1147         when debuggables are created the current application will pause to
1148         see if the debugger will inspect or decline to inspect the debuggable.
1149
1150         * inspector/remote/RemoteInspectorConstants.h:
1151         * inspector/remote/RemoteInspector.h:
1152         * inspector/remote/RemoteInspector.mm:
1153         (Inspector::globalAutomaticInspectionState):
1154         (Inspector::RemoteInspector::RemoteInspector):
1155         (Inspector::RemoteInspector::start):
1156         When first starting, check the global "is there an auto-inspect" debugger state.
1157         This is necessary so that the current application knows if it should pause or
1158         not when a debuggable is created, even without having connected to webinspectord yet.
1159
1160         (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate):
1161         When a debuggable has enabled remote inspection, take this path to propose
1162         it as an automatic inspection candidate if there is an auto-inspect debugger.
1163
1164         (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage):
1165         Send the automatic inspection candidate message.
1166
1167         (Inspector::RemoteInspector::receivedSetupMessage):
1168         (Inspector::RemoteInspector::setupFailed):
1169         (Inspector::RemoteInspector::setupSucceeded):
1170         After attempting to open an inspector, unpause if it was for the
1171         automatic inspection candidate.
1172
1173         (Inspector::RemoteInspector::waitingForAutomaticInspection):
1174         When running a nested runloop, check if we should remain paused.
1175
1176         (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
1177         If by the time we connect to webinspectord we have a candidate, then
1178         immediately send the candidate message.
1179
1180         (Inspector::RemoteInspector::stopInternal):
1181         (Inspector::RemoteInspector::xpcConnectionFailed):
1182         In error cases, clear our state.
1183
1184         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
1185         (Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage):
1186         (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage):
1187         Update state when receiving new messages.
1188
1190         * inspector/remote/RemoteInspectorDebuggable.h:
1191         * inspector/remote/RemoteInspectorDebuggable.cpp:
1192         (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
1193         Special case when a debuggable is newly allowed to be debuggable.
1194
1195         (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection):
1196         Run a nested run loop while this is an automatic inspection candidate.
1197
1198         * inspector/JSGlobalObjectInspectorController.h:
1199         * inspector/JSGlobalObjectInspectorController.cpp:
1200         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1201         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
1202         When the inspector starts via automatic inspection automatically pause.
1203         We plan on removing this condition by having the frontend signal to the
1204         backend when it is completely initialized.
1205         
1206         * inspector/remote/RemoteInspectorDebuggableConnection.h:
1207         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
1208         (Inspector::RemoteInspectorDebuggableConnection::setup):
1209         Pass on the flag of whether or not this was automatic inspection.
1210
1211         * runtime/JSGlobalObjectDebuggable.h:
1212         * runtime/JSGlobalObjectDebuggable.cpp:
1213         (JSC::JSGlobalObjectDebuggable::connect):
1214         (JSC::JSGlobalObjectDebuggable::pauseWaitingForAutomaticInspection):
1215         When pausing in a JSGlobalObject we need to release the API lock.
1216
1217 2014-09-22  Filip Pizlo  <fpizlo@apple.com>
1218
1219         FTL allocatePropertyStorage code should involve less copy-paste
1220         https://bugs.webkit.org/show_bug.cgi?id=137006
1221
1222         Reviewed by Michael Saboff.
1223
1224         * ftl/FTLLowerDFGToLLVM.cpp:
1225         (JSC::FTL::LowerDFGToLLVM::allocatePropertyStorage):
1226         (JSC::FTL::LowerDFGToLLVM::reallocatePropertyStorage):
1227         (JSC::FTL::LowerDFGToLLVM::allocatePropertyStorageWithSizeImpl):
1228
1229 2014-09-22  Diego Pino Garcia  <dpino@igalia.com>
1230
1231         Simple ES6 feature: Number constructor extras
1232         https://bugs.webkit.org/show_bug.cgi?id=131707
1233
1234         Reviewed by Darin Adler.
1235
1236         * runtime/CommonIdentifiers.h: Added new identifiers.
1237         * runtime/NumberConstructor.cpp:
1238         (JSC::NumberConstructor::getOwnPropertySlot):
1239         (JSC::NumberConstructor::isFunction): Added.
1240         (JSC::numberConstructorEpsilonValue): Added.
1241         (JSC::numberConstructorNegInfinity): Added.
1242         (JSC::numberConstructorPosInfinity): Added.
1243         (JSC::numberConstructorMaxValue): Added.
1244         (JSC::numberConstructorMinValue): Added.
1245         (JSC::numberConstructorMaxSafeInteger): Added.
1246         (JSC::numberConstructorMinSafeInteger): Added.
1247         (JSC::numberConstructorFuncIsFinite): Added.
1248         (JSC::numberConstructorFuncIsInteger): Added.
1249         (JSC::numberConstructorFuncIsNaN): Added.
1250         (JSC::numberConstructorFuncIsSafeInteger): Added.
1251         * runtime/NumberConstructor.h:
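
As an added illustration (not code from this entry or from JSC), the C++ below writes out the ES6 semantics that the functions listed above implement: Number.isInteger, Number.isSafeInteger, Number.isFinite, Number.isNaN and the EPSILON / MAX_SAFE_INTEGER / MIN_SAFE_INTEGER constants. The namespace and function names are assumptions for the example; the extra distinctIntegersCollide helper is added to show why the safe-integer bound matters when integers from an untrusted source are compared as doubles.

```cpp
#include <cmath>
#include <cstdint>
#include <limits>

// ES6 Number constructor extras, spelled out in C++ to show the semantics the
// new JSC functions implement. Added illustration; names are assumptions.
namespace es6number {

// Number.EPSILON is the gap between 1 and the next representable double (2^-52).
constexpr double kEpsilon = std::numeric_limits<double>::epsilon();
// Number.MAX_SAFE_INTEGER is 2^53 - 1; every integer up to that magnitude is
// exactly representable as a double.
constexpr double kMaxSafeInteger = 9007199254740991.0;
constexpr double kMinSafeInteger = -kMaxSafeInteger;

// Number.isFinite / Number.isNaN: unlike the global functions they do not
// coerce their argument, so they only ever see a double here.
inline bool isFinite(double v) { return std::isfinite(v); }
inline bool isNaN(double v) { return std::isnan(v); }

// Number.isInteger: finite and equal to its own truncation. -0 counts as an
// integer; NaN and the infinities do not.
inline bool isInteger(double v) { return std::isfinite(v) && std::trunc(v) == v; }

// Number.isSafeInteger: an integer whose magnitude does not exceed 2^53 - 1.
inline bool isSafeInteger(double v) {
    return isInteger(v) && std::fabs(v) <= kMaxSafeInteger;
}

// Shows why the safe range matters: above 2^53 two distinct 64-bit integers can
// round to the same double, so an equality check on the doubles is wrong.
inline bool distinctIntegersCollide(int64_t a, int64_t b) {
    return a != b && static_cast<double>(a) == static_cast<double>(b);
}

} // namespace es6number
```

The isSafeInteger check is the one to apply before trusting a numeric identifier that crossed a JSON or JavaScript boundary: once a value exceeds 2^53 the collision case in distinctIntegersCollide becomes reachable.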
1252
1253 2014-09-21  Filip Pizlo  <fpizlo@apple.com>
1254
1255         FTL should store the four bytes of the cell header using a 32-bit store rather than four 8-bit stores
1256         https://bugs.webkit.org/show_bug.cgi?id=136992
1257
1258         Reviewed by Sam Weinig.
1259         
1260         LLVM ought to be able to do this optimization for us given how the code was written, but
1261         any such lower-level attempts to optimize this would get into trouble with the weird
1262         object materialization logic I'll be introducing in bug 136330. So, this brings the
1263         merging of the byte stores into the FTL lowering so that we can control it explicitly.
1264
1265         * ftl/FTLAbstractHeap.h:
1266         (JSC::FTL::AbstractHeap::changeParent):
1267         * ftl/FTLAbstractHeapRepository.cpp:
1268         (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
1269         * ftl/FTLAbstractHeapRepository.h:
1270         * ftl/FTLLowerDFGToLLVM.cpp:
1271         (JSC::FTL::LowerDFGToLLVM::allocateCell):
1272
1273 2014-09-21  Saam Barati  <saambarati1@gmail.com>
1274
1275         Web Inspector: fix TypeSet hierarchy in TypeTokenView
1276         https://bugs.webkit.org/show_bug.cgi?id=136982
1277
1278         Reviewed by Joseph Pecoraro.
1279
1280         TypeSet was computing the set of type booleans in the Inspector::Protocol::Runtime::TypeSet 
1281         object incorrectly because it was calling TypeSet::doesTypeConformTo(T) which checks if the 
1282         type set has only been of type T. It now checks '(m_seenTypes & T) != TypeNothing' to see 
1283         if type T is in the set of seen types, but not the entire set itself.
1284
1285         * runtime/TypeSet.cpp:
1286         (JSC::TypeSet::inspectorTypeSet):
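
Added example, not JSC's TypeSet code: a constructed bit-set of seen types with the two predicates the entry contrasts. doesTypeConformTo(T) answers "has this set seen nothing outside T", whereas (m_seenTypes & T) != TypeNothing answers "has this set seen T at all". summary() builds the per-type booleans both ways so the difference is visible on a set that has seen more than one type. The type constants, class and function names are assumptions for this example.

```cpp
#include <cstdint>

// Constructed type flags modelled on a bit-set of "seen types". The names and
// values are assumptions for this example, not JSC's actual TypeSet constants.
using RuntimeType = uint32_t;
constexpr RuntimeType TypeNothing   = 0x00;
constexpr RuntimeType TypeUndefined = 0x01;
constexpr RuntimeType TypeNull      = 0x02;
constexpr RuntimeType TypeBoolean   = 0x04;
constexpr RuntimeType TypeInteger   = 0x08;
constexpr RuntimeType TypeNumber    = 0x10;
constexpr RuntimeType TypeString    = 0x20;

class SeenTypeSet {
public:
    void addType(RuntimeType t) { m_seenTypes |= t; }

    // "Conforms to T": every type seen so far lies within T. A set that has seen
    // both Boolean and Integer therefore conforms to neither alone. This is the
    // predicate the buggy inspectorTypeSet() was using.
    bool doesTypeConformTo(RuntimeType t) const {
        return (m_seenTypes & ~t) == TypeNothing;
    }

    // "Has seen T": at least one type in T has been observed, regardless of what
    // else was seen. This is the membership test the fix switches to.
    bool hasSeenType(RuntimeType t) const {
        return (m_seenTypes & t) != TypeNothing;
    }

    // Protocol-style summary with one boolean per primitive type. `useConformance`
    // selects the old predicate so the two results can be compared side by side.
    struct Summary {
        bool isUndefined, isNull, isBoolean, isInteger, isNumber, isString;
    };
    Summary summary(bool useConformance) const {
        auto test = [&](RuntimeType t) {
            return useConformance ? doesTypeConformTo(t) : hasSeenType(t);
        };
        return { test(TypeUndefined), test(TypeNull), test(TypeBoolean),
                 test(TypeInteger), test(TypeNumber), test(TypeString) };
    }

private:
    RuntimeType m_seenTypes = TypeNothing;
};

// Number of flags reported set in a summary; used to compare the two predicates.
int countSet(const SeenTypeSet::Summary& s) {
    return s.isUndefined + s.isNull + s.isBoolean + s.isInteger + s.isNumber + s.isString;
}
```

For a set that has seen only one type both predicates agree, which is why the bug was easy to miss; it only shows once a variable has taken values of two or more types.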
1287
1288 2014-09-21  Filip Pizlo  <fpizlo@apple.com>
1289
1290         Structure should have a method for concurrently getting all of the property map entries, and this method shouldn't involve copy-paste
1291         https://bugs.webkit.org/show_bug.cgi?id=136983
1292
1293         Reviewed by Mark Hahnenberg.
1294
1295         * runtime/PropertyMapHashTable.h:
1296         (JSC::PropertyMapEntry::PropertyMapEntry): Moved PropertyMapEntry struct to Structure.h so that Structure can refer to it.
1297         * runtime/Structure.cpp:
1298         (JSC::Structure::getConcurrently): Switch to using the new forEachPropertyConcurrently() method.
1299         (JSC::Structure::getPropertiesConcurrently): The subject of this patch. It will be useful for object allocation sinking (bug 136330).
1300         (JSC::Structure::dump): Switch to using the new forEachPropertyConcurrently() method.
1301         * runtime/Structure.h:
1302         (JSC::PropertyMapEntry::PropertyMapEntry): Moved from PropertyMapHashTable.h.
1303         * runtime/StructureInlines.h:
1304         (JSC::Structure::forEachPropertyConcurrently): Capture this very common concurrent structure iteration pattern into a template method.
1305
1306 2014-09-21  Filip Pizlo  <fpizlo@apple.com>
1307
1308         Structure::getConcurrently() doesn't need to take a VM& argument.
1309
1310         Rubber stamped by Dan Bernstein.
1311         
1312         Removed the extra argument, and then removed similar arguments from other methods until
1313         I could build successfully again. It turned out that many methods took a VM& argument
1314         just for calling getConcurrently().
1315
1316         * bytecode/CodeBlock.cpp:
1317         (JSC::dumpStructure):
1318         (JSC::dumpChain):
1319         (JSC::CodeBlock::printGetByIdCacheStatus):
1320         (JSC::CodeBlock::printPutByIdCacheStatus):
1321         * bytecode/ComplexGetStatus.cpp:
1322         (JSC::ComplexGetStatus::computeFor):
1323         * bytecode/GetByIdStatus.cpp:
1324         (JSC::GetByIdStatus::computeFromLLInt):
1325         (JSC::GetByIdStatus::computeForStubInfo):
1326         (JSC::GetByIdStatus::computeFor):
1327         * bytecode/GetByIdStatus.h:
1328         * bytecode/PutByIdStatus.cpp:
1329         (JSC::PutByIdStatus::computeFromLLInt):
1330         (JSC::PutByIdStatus::computeForStubInfo):
1331         (JSC::PutByIdStatus::computeFor):
1332         * bytecode/PutByIdStatus.h:
1333         * dfg/DFGAbstractInterpreterInlines.h:
1334         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1335         * dfg/DFGByteCodeParser.cpp:
1336         (JSC::DFG::ByteCodeParser::parseBlock):
1337         * dfg/DFGConstantFoldingPhase.cpp:
1338         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1339         * dfg/DFGFixupPhase.cpp:
1340         (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
1341         * runtime/IntendedStructureChain.cpp:
1342         (JSC::IntendedStructureChain::mayInterceptStoreTo):
1343         * runtime/IntendedStructureChain.h:
1344         * runtime/Structure.cpp:
1345         (JSC::Structure::getConcurrently):
1346         * runtime/Structure.h:
1347         * runtime/StructureInlines.h:
1348         (JSC::Structure::getConcurrently):
1349
1350 2014-09-20  Filip Pizlo  <fpizlo@apple.com>
1351
1352         FTL OSRExit construction should be based on methods that return ExitValues rather than methods that add ExitValues to OSRExit
1353         https://bugs.webkit.org/show_bug.cgi?id=136978
1354
1355         Reviewed by Dean Jackson.
1356
1357         * ftl/FTLLowerDFGToLLVM.cpp:
1358         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
1359         (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
1360         (JSC::FTL::LowerDFGToLLVM::exitArgument):
1361         (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode): Deleted.
1362         (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument): Deleted.
1363         (JSC::FTL::LowerDFGToLLVM::addExitArgument): Deleted.
1364
1365 2014-09-20  Filip Pizlo  <fpizlo@apple.com>
1366
1367         FTL OSR exit should do reboxing and value recovery in the same pass
1368         https://bugs.webkit.org/show_bug.cgi?id=136977
1369
1370         Reviewed by Oliver Hunt.
1371         
1372         It's conceptually simpler to have all of the logic in one place. After the
1373         recover-and-rebox loop is done, all of the exit values are in the form that the baseline
1374         JIT would want them to be in; the only remaining task is to move them into the right
1375         place on the stack after we do all of the necessary stack adjustments.
1376
1377         * ftl/FTLOSRExitCompiler.cpp:
1378         (JSC::FTL::compileStub):
1379
1380 2014-09-19  Filip Pizlo  <fpizlo@apple.com>
1381
1382         StorageAccessData should be referenced in a sensible way
1383         https://bugs.webkit.org/show_bug.cgi?id=136963
1384
1385         Reviewed and rubber stamped by Michael Saboff.
1386
1387         * dfg/DFGAbstractInterpreterInlines.h:
1388         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1389         * dfg/DFGByteCodeParser.cpp:
1390         (JSC::DFG::ByteCodeParser::handleGetByOffset):
1391         (JSC::DFG::ByteCodeParser::handlePutByOffset):
1392         (JSC::DFG::ByteCodeParser::handlePutById):
1393         * dfg/DFGClobberize.h:
1394         (JSC::DFG::clobberize):
1395         * dfg/DFGConstantFoldingPhase.cpp:
1396         (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
1397         (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
1398         * dfg/DFGGraph.cpp:
1399         (JSC::DFG::Graph::dump):
1400         * dfg/DFGGraph.h:
1401         * dfg/DFGNode.h:
1402         (JSC::DFG::Node::convertToGetByOffset):
1403         (JSC::DFG::Node::convertToPutByOffset):
1404         (JSC::DFG::Node::storageAccessData):
1405         (JSC::DFG::Node::storageAccessDataIndex): Deleted.
1406         * dfg/DFGSafeToExecute.h:
1407         (JSC::DFG::safeToExecute):
1408         * dfg/DFGSpeculativeJIT32_64.cpp:
1409         (JSC::DFG::SpeculativeJIT::compile):
1410         * dfg/DFGSpeculativeJIT64.cpp:
1411         (JSC::DFG::SpeculativeJIT::compile):
1412         * ftl/FTLLowerDFGToLLVM.cpp:
1413         (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
1414         (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
1415
1416 2014-09-19  Ryosuke Niwa  <rniwa@webkit.org>
1417
1418         Leak of mallocs under StructureSet::OutOfLineList::create
1419         https://bugs.webkit.org/show_bug.cgi?id=136970
1420
1421         Reviewed by Filip Pizlo.
1422
1423         addOutOfLine should free the old list when expanding the capacity.
1424
1425         * bytecode/StructureSet.cpp:
1426         (JSC::StructureSet::addOutOfLine):
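
Added example, not WebKit's StructureSet code: a constructed out-of-line list that doubles its capacity on growth, with a flag selecting whether the old block is freed, and a live-allocation counter so the leak the entry describes can be measured rather than guessed at. The names OutOfLineList, ItemSet, addOutOfLine and leakedBlocksAfterAdding are assumptions for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>

// Constructed instrumentation so the example can show whether storage leaks.
// The real StructureSet has nothing like this; it is added for illustration.
static int g_liveAllocations = 0;

// A header followed inline by `capacity` items, allocated with malloc, in the
// style of a small out-of-line backing store.
struct OutOfLineList {
    size_t length;
    size_t capacity;
    uintptr_t* list() { return reinterpret_cast<uintptr_t*>(this + 1); }

    static OutOfLineList* create(size_t capacity) {
        void* raw = std::malloc(sizeof(OutOfLineList) + capacity * sizeof(uintptr_t));
        if (!raw)
            std::abort();
        auto* result = static_cast<OutOfLineList*>(raw);
        result->length = 0;
        result->capacity = capacity;
        ++g_liveAllocations;
        return result;
    }
    static void destroy(OutOfLineList* list) {
        std::free(list);
        --g_liveAllocations;
    }
};

class ItemSet {
public:
    explicit ItemSet(bool freeOldListOnGrow) : m_freeOldListOnGrow(freeOldListOnGrow) {}
    ~ItemSet() {
        if (m_list)
            OutOfLineList::destroy(m_list);
    }

    // Appends `item`, growing the out-of-line storage when it is full. With
    // m_freeOldListOnGrow false the previous block is simply abandoned, which is
    // the leak the entry describes; with it true the old block is released.
    void addOutOfLine(uintptr_t item) {
        if (!m_list)
            m_list = OutOfLineList::create(2);
        if (m_list->length == m_list->capacity) {
            OutOfLineList* newList = OutOfLineList::create(m_list->capacity * 2);
            std::memcpy(newList->list(), m_list->list(), m_list->length * sizeof(uintptr_t));
            newList->length = m_list->length;
            if (m_freeOldListOnGrow)
                OutOfLineList::destroy(m_list); // the fix: free the old list
            m_list = newList;
        }
        m_list->list()[m_list->length++] = item;
    }

    size_t size() const { return m_list ? m_list->length : 0; }

    bool contains(uintptr_t item) const {
        for (size_t i = 0; m_list && i < m_list->length; ++i) {
            if (m_list->list()[i] == item)
                return true;
        }
        return false;
    }

private:
    OutOfLineList* m_list = nullptr;
    bool m_freeOldListOnGrow;
};

// Adds `count` constructed items to a set, destroys it, and returns how many
// storage blocks are still allocated: 0 when old lists are freed on growth,
// one per growth step when they are not.
int leakedBlocksAfterAdding(size_t count, bool freeOldListOnGrow) {
    g_liveAllocations = 0;
    {
        ItemSet set(freeOldListOnGrow);
        for (size_t i = 0; i < count; ++i)
            set.addOutOfLine(0x1000 + i * 16); // constructed pointer-like values
    }
    return g_liveAllocations;
}
```

Nine insertions grow the list three times (2 to 4 to 8 to 16), so the leaky variant leaves three blocks behind while the fixed one leaves none; a leak of this shape grows without bound on any code path that keeps adding to long-lived sets.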
1427
1428 2014-09-19  Daniel Bates  <dabates@apple.com>
1429
1430         Always assume internal SDK when building configuration Production
1431         https://bugs.webkit.org/show_bug.cgi?id=136925
1432         <rdar://problem/18362399>
1433
1434         Reviewed by Dan Bernstein.
1435
1436         As a side effect of this change we will always enable ENABLE_TOUCH_EVENTS, ENABLE_IOS_{GESTURE, TOUCH}_EVENTS,
1437         and ENABLE_XSLT when either building configuration Production or building with the Internal SDK.
1438
1439         * Configurations/Base.xcconfig:
1440
1441 2014-09-19  Diego Pino Garcia  <dpino@igalia.com>
1442
1443         Simple ES6 feature: String prototype additions
1444         https://bugs.webkit.org/show_bug.cgi?id=131704
1445
1446         Reviewed by Darin Adler.
1447
1448         * runtime/StringPrototype.cpp:
1449         (JSC::StringPrototype::finishCreation):
1450         (JSC::stringProtoFuncStartsWith): Added.
1451         (JSC::stringProtoFuncEndsWith): Added.
1452         (JSC::stringProtoFuncContains): Added.
1453
1454 2014-09-18  Joseph Pecoraro  <pecoraro@apple.com>
1455
1456         Unreviewed rollout r173731. Broke multiple builds.
1457
1458         * inspector/JSGlobalObjectInspectorController.cpp:
1459         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1460         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
1461         * inspector/JSGlobalObjectInspectorController.h:
1462         * inspector/remote/RemoteInspector.h:
1463         * inspector/remote/RemoteInspector.mm:
1464         (Inspector::RemoteInspector::RemoteInspector):
1465         (Inspector::RemoteInspector::setupFailed):
1466         (Inspector::RemoteInspector::start):
1467         (Inspector::RemoteInspector::stopInternal):
1468         (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
1469         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
1470         (Inspector::RemoteInspector::xpcConnectionFailed):
1471         (Inspector::RemoteInspector::receivedSetupMessage):
1472         (Inspector::globalAutomaticInspectionState): Deleted.
1473         (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate): Deleted.
1474         (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage): Deleted.
1475         (Inspector::RemoteInspector::setupSucceeded): Deleted.
1476         (Inspector::RemoteInspector::waitingForAutomaticInspection): Deleted.
1477         (Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage): Deleted.
1478         (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage): Deleted.
1479         * inspector/remote/RemoteInspectorConstants.h:
1480         * inspector/remote/RemoteInspectorDebuggable.cpp:
1481         (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
1482         (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection): Deleted.
1483         * inspector/remote/RemoteInspectorDebuggable.h:
1484         * inspector/remote/RemoteInspectorDebuggableConnection.h:
1485         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
1486         (Inspector::RemoteInspectorDebuggableConnection::setup):
1487         * runtime/JSGlobalObjectDebuggable.cpp:
1488         (JSC::JSGlobalObjectDebuggable::connect):
1489         (JSC::JSGlobalObjectDebuggable::pauseWaitingForAutomaticInspection): Deleted.
1490         * runtime/JSGlobalObjectDebuggable.h:
1491
1492 2014-09-18  Joseph Pecoraro  <pecoraro@apple.com>
1493
1494         Web Inspector: Should be able to attach a debugger to a JSContext before anything is executed
1495         https://bugs.webkit.org/show_bug.cgi?id=136893
1496
1497         Reviewed by Timothy Hatcher.
1498
1499         Adds new remote inspector protocol handling for automatic inspection.
1500         Debuggers can signal they have enabled automatic inspection, and
1501         when debuggables are created the current application will pause to
1502         see if the debugger will inspect or decline to inspect the debuggable.
1503
1504         * inspector/remote/RemoteInspectorConstants.h:
1505         * inspector/remote/RemoteInspector.h:
1506         * inspector/remote/RemoteInspector.mm:
1507         (Inspector::globalAutomaticInspectionState):
1508         (Inspector::RemoteInspector::RemoteInspector):
1509         (Inspector::RemoteInspector::start):
1510         When first starting, check the global "is there an auto-inspect" debugger state.
1511         This is necessary so that the current application knows if it should pause or
1512         not when a debuggable is created, even without having connected to webinspectord yet.
1513
1514         (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate):
1515         When a debuggable has enabled remote inspection, take this path to propose
1516         it as an automatic inspection candidate if there is an auto-inspect debugger.
1517
1518         (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage):
1519         Send the automatic inspection candidate message.
1520
1521         (Inspector::RemoteInspector::receivedSetupMessage):
1522         (Inspector::RemoteInspector::setupFailed):
1523         (Inspector::RemoteInspector::setupSucceeded):
1524         After attempting to open an inspector, unpause if it was for the
1525         automatic inspection candidate.
1526
1527         (Inspector::RemoteInspector::waitingForAutomaticInspection):
1528         When running a nested runloop, check if we should remain paused.
1529
1530         (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
1531         If by the time we connect to webinspectord we have a candidate, then
1532         immediately send the candidate message.
1533
1534         (Inspector::RemoteInspector::stopInternal):
1535         (Inspector::RemoteInspector::xpcConnectionFailed):
1536         In error cases, clear our state.
1537
1538         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
1539         (Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage):
1540         (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage):
1541         Update state when receiving new messages.
1542
1543
1544         * inspector/remote/RemoteInspectorDebuggable.h:
1545         * inspector/remote/RemoteInspectorDebuggable.cpp:
1546         (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
1547         Special case when a debuggable is newly allowed to be debuggable.
1548
1549         (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection):
1550         Run a nested run loop while this is an automatic inspection candidate.
1551
1552         * inspector/JSGlobalObjectInspectorController.h:
1553         * inspector/JSGlobalObjectInspectorController.cpp:
1554         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1555         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
1556         When the inspector starts via automatic inspection automatically pause.
1557         We plan on removing this condition by having the frontend signal to the
1558         backend when it is completely initialized.
1559         
1560         * inspector/remote/RemoteInspectorDebuggableConnection.h:
1561         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
1562         (Inspector::RemoteInspectorDebuggableConnection::setup):
1563         Pass on the flag of whether or not this was automatic inspection.
1564
1565         * runtime/JSGlobalObjectDebuggable.h:
1566         * runtime/JSGlobalObjectDebuggable.cpp:
1567         (JSC::JSGlobalObjectDebuggable::connect):
1568         (JSC::JSGlobalObjectDebuggable::pauseWaitingForAutomaticInspection):
1569         When pausing in a JSGlobalObject we need to release the API lock.
1570
1571 2014-09-18  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>
1572
1573         Fix "Tools/Scripts/build-webkit --efl --no-inspector" build
1574         https://bugs.webkit.org/show_bug.cgi?id=136912
1575
1576         Reviewed by Darin Adler.
1577
1578         * runtime/TypeSet.cpp:
1579         (JSC::TypeSet::leastCommonAncestor):
1580
1581 2014-09-17  Michael Saboff  <msaboff@apple.com>
1582
1583         Change CallFrame to use Callee instead of JSScope to implement vm()
1584         https://bugs.webkit.org/show_bug.cgi?id=136894
1585
1586         Reviewed by Geoffrey Garen.
1587
1588         Added JSCell::vm() method that can be used on any JSObject.  Changed CallFrame::vm() to
1589         use JSCell::vm with the Callee.  Made similar changes in the LLInt.
1590         In support of this, changed JSGlobalObject::init() to take a VM& parameter, as there is
1591         a chicken/egg problem with trying to use the Callee in the global exec before the Callee
1592         has been created.  Besides, the vm is readily available in finishCreation(), the caller of
1593         init().
1594
1595         * llint/LowLevelInterpreter32_64.asm:
1596         * llint/LowLevelInterpreter64.asm:
1597         Changed the calculation of CallFrame::VM to use the Callee instead of JSScope.
1598
1599         * runtime/JSCell.h:
1600         * runtime/JSCellInlines.h:
1601         (JSC::JSCell::vm): New method for getting VM from the pointer.
1602         (JSC::ExecState::vm): Moved this method from JSScope.h to here since this file
1603         contains the implementation of JSCell::vm(), this file is included by all users
1604         of CallFrame::vm, and lastly putting it in CallFrameInlines.h required changing
1605         many other .h files and possibly the WebCore generator generate-bindings.pl.
1606
1607         * runtime/JSGlobalObject.cpp:
1608         (JSC::JSGlobalObject::init):
1609         * runtime/JSGlobalObject.h:
1610         (JSC::JSGlobalObject::finishCreation):
1611         Changed init() to take a VM parameter.
1612
1613         * runtime/JSScope.h:
1614         (JSC::ExecState::vm): Deleted.
1615
1616 2014-09-16  Filip Pizlo  <fpizlo@apple.com>
1617
1618         Unreviewed, disable native inlining because it causes build failures.
1619
1620         * JavaScriptCore.xcodeproj/project.pbxproj:
1621
1622 2014-09-16  Joseph Pecoraro  <pecoraro@apple.com>
1623
1624         Web Inspector: Reduce a bit of churn setting initial remote inspection state
1625         https://bugs.webkit.org/show_bug.cgi?id=136875
1626
1627         Reviewed by Timothy Hatcher.
1628
1629         * API/JSContextRef.cpp:
1630         (JSGlobalContextCreateInGroup):
1631         Set the default remote debuggable state at the API boundary.
1632
1633         * runtime/JSGlobalObject.cpp:
1634         (JSC::JSGlobalObject::init):
1635         Do not set remote debuggable state here. Let clients set it.
1636
1637 2014-09-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1638
1639         Promise: Drop Promise.cast
1640         https://bugs.webkit.org/show_bug.cgi?id=136222
1641
1642         Reviewed by Sam Weinig.
1643
1644         Promise.cast is dropped and Promise.resolve is replaced with old Promise.cast.
1645
1646         * runtime/CommonIdentifiers.h:
1647         * runtime/JSPromiseConstructor.cpp:
1648         (JSC::JSPromiseConstructorFuncResolve):
1649         (JSC::JSPromiseConstructorFuncRace):
1650         (JSC::JSPromiseConstructorFuncAll):
1651         (JSC::JSPromiseConstructorFuncCast): Deleted.
1652
1653 2014-09-16  Filip Pizlo  <fpizlo@apple.com>
1654
1655         Local OSR availability calculation should be reusable
1656         https://bugs.webkit.org/show_bug.cgi?id=136860
1657
1658         Reviewed by Oliver Hunt.
1659         
1660         Previously, the FTL lowering repeated some of the logic of the OSR availability analysis
1661         phase. Humorously, it actually did this logic a bit differently; for example the phase
1662         would claim that a SetLocal makes both the flush and the node available while the FTL
1663         only claimed that the flush was available. This difference was benign, but still: yuck!
1664         
1665         Also, previously if you wanted to use availability information then you'd have to repeat
1666         some of the logic that both the phase itself and the FTL lowering already had.
1667         Presumably, you could get epic style points for finding other benign ways in which to
1668         make your copy of the logic different from the other two!
1669         
1670         This reduces the amount of style points one could conceivably get in the future when
1671         hacking JSC, by creating a single reusable thingy for computing local OSR availability.
1672
1673         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
1674         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
1675         (JSC::DFG::LocalOSRAvailabilityCalculator::LocalOSRAvailabilityCalculator):
1676         (JSC::DFG::LocalOSRAvailabilityCalculator::~LocalOSRAvailabilityCalculator):
1677         (JSC::DFG::LocalOSRAvailabilityCalculator::beginBlock):
1678         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
1679         * dfg/DFGOSRAvailabilityAnalysisPhase.h:
1680         * ftl/FTLLowerDFGToLLVM.cpp:
1681         (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
1682         (JSC::FTL::LowerDFGToLLVM::compileBlock):
1683         (JSC::FTL::LowerDFGToLLVM::compileNode):
1684         (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
1685         (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
1686         (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
1687         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
1688         (JSC::FTL::LowerDFGToLLVM::availability):
1689         (JSC::FTL::LowerDFGToLLVM::compileMovHint): Deleted.
1690         (JSC::FTL::LowerDFGToLLVM::compileZombieHint): Deleted.
1691         (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock): Deleted.
1692
1693 2014-09-16  Csaba Osztrogonác  <ossy@webkit.org>
1694
1695         JSC test gardening
1696         https://bugs.webkit.org/show_bug.cgi?id=136823
1697
1698         Reviewed by Geoffrey Garen.
1699
1700         * tests/mozilla/mozilla-tests.yaml: Unskip passing tests.
1701
1702 2014-09-15  Michael Saboff  <msaboff@apple.com>
1703
1704         Create a JSCallee for GlobalExec object
1705         https://bugs.webkit.org/show_bug.cgi?id=136840
1706
1707         Reviewed by Geoffrey Garen.
1708
1709         Added m_globalCallee, initialized it and then used it to set the globalExec's callee.
1710
1711         * runtime/JSGlobalObject.cpp:
1712         (JSC::JSGlobalObject::init):
1713         (JSC::JSGlobalObject::visitChildren):
1714         * runtime/JSGlobalObject.h:
1715
1716 2014-09-14  Filip Pizlo  <fpizlo@apple.com>
1717
1718         DFG ref count calculation should be reusable
1719         https://bugs.webkit.org/show_bug.cgi?id=136811
1720
1721         Reviewed by Oliver Hunt.
1722         
1723         Henceforth if you call Graph::computeRefCounts(), a nifty O(n) operation, every Node
1724         will be able to tell you how many places it is used from. Currently only DCE uses this,
1725         but it will be useful for https://bugs.webkit.org/show_bug.cgi?id=136330.
1726
1727         * dfg/DFGDCEPhase.cpp:
1728         (JSC::DFG::DCEPhase::run):
1729         (JSC::DFG::DCEPhase::findTypeCheckRoot): Deleted.
1730         (JSC::DFG::DCEPhase::countNode): Deleted.
1731         (JSC::DFG::DCEPhase::countEdge): Deleted.
1732         * dfg/DFGGraph.cpp:
1733         (JSC::DFG::Graph::computeRefCounts):
1734         * dfg/DFGGraph.h:
1735
1736 2014-09-12  Michael Saboff  <msaboff@apple.com>
1737
1738         Merge JSGlobalObject::reset() into ::init()
1739         https://bugs.webkit.org/show_bug.cgi?id=136800
1740
1741         Reviewed by Oliver Hunt.
1742
1743         Moved the contents of reset() into init().
1744         Note that the diff shows more changes.
1745
1746         * runtime/JSGlobalObject.cpp:
1747         (JSC::JSGlobalObject::init): Moved body of reset() into init.
1748         (JSC::JSGlobalObject::put):
1749         (JSC::JSGlobalObject::defineOwnProperty):
1750         (JSC::JSGlobalObject::addGlobalVar):
1751         (JSC::JSGlobalObject::addFunction):
1752         (JSC::lastInPrototypeChain):
1753         (JSC::JSGlobalObject::reset): Deleted.
1754         * runtime/JSGlobalObject.h:
1755
1756 2014-09-12  Michael Saboff  <msaboff@apple.com>
1757
1758         Add JSCallee to program and eval CallFrames
1759         https://bugs.webkit.org/show_bug.cgi?id=136785
1760
1761         Reviewed by Mark Lam.
1762
1763         Populated Callee slot for program and call eval CallFrames with JSCallee objects.
1764         Made supporting changes including adding a JSCallee structure to global object and adding
1765         JSCallee::create() method.  Added code so that the newly added callee object won't be
1766         returned by Function.caller.  Changed null pointer checks of callee to check if
1767         the type is JSFunction* or JSCallee*.
1768
1769         * debugger/DebuggerCallFrame.cpp:
1770         (JSC::DebuggerCallFrame::functionName):
1771         (JSC::DebuggerCallFrame::type):
1772         * profiler/LegacyProfiler.cpp:
1773         (JSC::LegacyProfiler::createCallIdentifier):
1774         * interpreter/Interpreter.cpp:
1775         (JSC::unwindCallFrame):
1776         Changed checks of callee to whether it is a JSFunction* or JSCallee* instead of just checking
1777         if it is null or not.
1778
1779         * interpreter/Interpreter.cpp:
1780         (JSC::Interpreter::execute): Create and use JSCallee objects for execute(EvalExecutable, ...)
1781         and execute(ProgramExecutable, ...)
1782
1783         * jit/JITCode.cpp:
1784         (JSC::JITCode::execute): Use jsDynamicCast to cast only JSFunctions.
1785
1786         * runtime/JSCallee.cpp:
1787         (JSC::JSCallee::create): Not used, therefore deleted.
1788
1789         * runtime/JSCallee.h:
1790         (JSC::JSCallee::create): Added.
1791
1792         * runtime/JSFunction.cpp:
1793         (JSC::JSFunction::callerGetter): Added test to return null for JSCallees that aren't
1794         JSFunctions.  This can only be the case when the JSCallee comes from a program or
1795         call eval CallFrame.
1796
1797         * runtime/JSGlobalObject.cpp:
1798         (JSC::JSGlobalObject::reset):
1799         (JSC::JSGlobalObject::visitChildren):
1800         * runtime/JSGlobalObject.h:
1801         (JSC::JSGlobalObject::calleeStructure):
1802         Added new JSCallee structure.
1803
1804 2014-09-10  Jon Honeycutt  <jhoneycutt@apple.com>
1805
1806         Re-add the request autocomplete feature
1807
1808         <https://bugs.webkit.org/show_bug.cgi?id=136730>
1809
1810         This feature was rolled out in r148731 because it was only used by
1811         Chromium. As we consider supporting this feature, roll it back in, but
1812         leave it disabled.
1813
1814         This rolls out r148731 (which removed the feature) with small changes
1815         needed to make the code build in ToT, to match modern style, to make
1816         the tests run, and to remove unused code.
1817
1818         Reviewed by Andy Estes.
1819
1820         * Configurations/FeatureDefines.xcconfig:
1821
1822 2014-09-12  Julien Brianceau  <jbriance@cisco.com>
1823
1824         [x86] moveDoubleToInts() does not clobber its source register anymore
1825         https://bugs.webkit.org/show_bug.cgi?id=131690
1826
1827         Reviewed by Oliver Hunt.
1828
1829         * assembler/MacroAssemblerX86.h:
1830         (JSC::MacroAssemblerX86::moveDoubleToInts):
1831         * dfg/DFGSpeculativeJIT.cpp:
1832         (JSC::DFG::SpeculativeJIT::compileValueRep):
1833         * jit/SpecializedThunkJIT.h:
1834         (JSC::SpecializedThunkJIT::returnDouble):
1835
1836 2014-09-12  Mark Lam  <mark.lam@apple.com>
1837
1838         Unreviewed build fix for CLOOP build.
1839
1840         * runtime/JSCallee.h:
1841
1842 2014-09-12  Michael Saboff  <msaboff@apple.com>
1843
1844         Remove unneeded declarations from JSCallee.h
1845         https://bugs.webkit.org/show_bug.cgi?id=136783
1846
1847         Reviewed by Mark Lam.
1848
1849         * runtime/JSCallee.h:
1850         (JSCallee::name): Deleted.
1851         (JSCallee::displayName): Deleted.
1852         (JSCallee::calculatedDisplayName): Deleted.
1853
1854 2014-09-11  Brian J. Burg  <burg@cs.washington.edu>
1855
1856         Web Inspector: disambiguate double and integer primitive types in the protocol
1857         https://bugs.webkit.org/show_bug.cgi?id=136606
1858
1859         Reviewed by Timothy Hatcher.
1860
1861         Right now it's really easy to mix up doubles and integers when serializing or deserializing
1862         values for the inspector protocol. This patch disambiguates setting/getting doubles and integers
1863         so that it is clearer as to which type is intended.
1864
1865         A new InspectorValue::Type is added for Integer types, and the Number type is renamed to Double.
1866         The existing callsites for asNumber/getNumber/setNumber have been fixed.
1867
1868         Address various integration points to make sure the right type tag is assigned to InspectorValues.
1869
1870         * bindings/ScriptValue.cpp:
1871         (Deprecated::jsToInspectorValue): Make an Integer if the JSValue is Int52 or smaller.
1872         * inspector/InjectedScriptManager.cpp:
1873         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
1874         * inspector/InspectorBackendDispatcher.cpp:
1875         (Inspector::InspectorBackendDispatcher::dispatch):
1876         (Inspector::InspectorBackendDispatcher::sendResponse):
1877         (Inspector::InspectorBackendDispatcher::reportProtocolError):
1878         (Inspector::AsMethodBridges::asInteger):
1879         (Inspector::AsMethodBridges::asDouble):
1880         (Inspector::InspectorBackendDispatcher::getInteger):
1881         (Inspector::InspectorBackendDispatcher::getDouble):
1882         (Inspector::AsMethodBridges::asInt): Deleted.
1883         (Inspector::InspectorBackendDispatcher::getInt): Deleted.
1884         * inspector/InspectorBackendDispatcher.h:
1885         * inspector/InspectorProtocolTypes.h: Remove the special case for checking int type tags.
1886         (Inspector::Protocol::ArrayItemHelper<int>::Traits::pushRaw):
1887         (Inspector::Protocol::ArrayItemHelper<double>::Traits::pushRaw):
1888         (Inspector::Protocol::BindingTraits<int>::assertValueHasExpectedType): Deleted.
1889         * inspector/InspectorValues.cpp: Allow integers and doubles to be convertible using asInteger/asDouble.
1890         (Inspector::InspectorValue::asDouble):
1891         (Inspector::InspectorValue::asInteger):
1892         (Inspector::InspectorBasicValue::asDouble):
1893         (Inspector::InspectorBasicValue::asInteger):
1894         (Inspector::InspectorBasicValue::writeJSON):
1895         (Inspector::InspectorValue::asNumber): Deleted.
1896         (Inspector::InspectorBasicValue::asNumber): Deleted.
1897         * inspector/InspectorValues.h:
1898         (Inspector::InspectorObjectBase::setInteger):
1899         (Inspector::InspectorObjectBase::setDouble):
1900         (Inspector::InspectorArrayBase::pushInteger):
1901         (Inspector::InspectorArrayBase::pushDouble):
1902         (Inspector::InspectorObjectBase::setNumber): Deleted.
1903         (Inspector::InspectorArrayBase::pushInt): Deleted.
1904         (Inspector::InspectorArrayBase::pushNumber): Deleted.
1905         * inspector/agents/InspectorDebuggerAgent.cpp:
1906         (Inspector::buildObjectForBreakpointCookie):
1907         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
1908         (Inspector::parseLocation):
1909         (Inspector::InspectorDebuggerAgent::didParseSource):
1910         * inspector/agents/InspectorRuntimeAgent.cpp:
1911         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1912         * inspector/scripts/codegen/generator.py: Update emitted code and rebaseline test results.
1913         (Generator.keyed_get_method_for_type):
1914         (Generator.keyed_set_method_for_type):
1915         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1916         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1917         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1918         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1919         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1920         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1921         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1922         * replay/EncodedValue.cpp:
1923         (JSC::EncodedValue::convertTo<double>):
1924         (JSC::EncodedValue::convertTo<float>):
1925         (JSC::EncodedValue::convertTo<int32_t>):
1926         (JSC::EncodedValue::convertTo<int64_t>):
1927         (JSC::EncodedValue::convertTo<uint32_t>):
1928         (JSC::EncodedValue::convertTo<uint64_t>):
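
The Integer/Double split this entry describes, as an added example that is not WebKit's InspectorValue or InspectorBackendDispatcher code: the class name ProtocolValue, the Params alias, the getInteger helper, its error strings and the tagging rule inside fromNumber are all assumptions made for this example (JSC's own rule lives in Deprecated::jsToInspectorValue).

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>

// Added example, not WebKit's InspectorValue: a protocol scalar whose type tag
// keeps Integer and Double apart instead of lumping both under "Number".
class ProtocolValue {
public:
    enum class Type { Null, Integer, Double };

    static ProtocolValue fromInteger(int32_t v) { return ProtocolValue(Type::Integer, v); }
    static ProtocolValue fromDouble(double v) { return ProtocolValue(Type::Double, v); }

    // Assumed tagging rule for numbers coming from the engine: an integral value
    // that fits in int32 is tagged Integer; fractional, huge, NaN or infinite
    // values are tagged Double.
    static ProtocolValue fromNumber(double v)
    {
        if (std::isfinite(v) && std::floor(v) == v && v >= INT32_MIN && v <= INT32_MAX)
            return fromInteger(static_cast<int32_t>(v));
        return fromDouble(v);
    }

    Type type() const { return m_type; }

    // Every int32 is exactly representable as a double, so both tags convert.
    bool asDouble(double& out) const
    {
        if (m_type == Type::Null)
            return false;
        out = m_number;
        return true;
    }

    // A Double converts to Integer only when nothing would be lost; otherwise
    // the caller gets false rather than a silently truncated or wrapped value.
    bool asInteger(int32_t& out) const
    {
        if (m_type == Type::Null)
            return false;
        if (m_type == Type::Double
            && !(std::floor(m_number) == m_number && m_number >= INT32_MIN && m_number <= INT32_MAX))
            return false;
        out = static_cast<int32_t>(m_number);
        return true;
    }

    // Serialization keeps the tag visible: Integer never carries a fraction,
    // Double always does; non-finite doubles (not valid JSON) become null.
    std::string writeJSON() const
    {
        char buf[32];
        if (m_type == Type::Integer) {
            std::snprintf(buf, sizeof buf, "%d", static_cast<int>(m_number));
            return buf;
        }
        if (m_type == Type::Double && std::isfinite(m_number)) {
            std::snprintf(buf, sizeof buf, "%.17g", m_number);
            std::string s = buf;
            if (s.find_first_of(".eE") == std::string::npos)
                s += ".0";
            return s;
        }
        return "null";
    }

private:
    ProtocolValue(Type t, double n) : m_type(t), m_number(n) { }
    Type m_type;
    double m_number;
};

// Dispatcher-side parameter lookup in the spirit of getInteger/getDouble: a
// missing or wrongly typed parameter is reported, never coerced.
using Params = std::map<std::string, ProtocolValue>;

bool getInteger(const Params& params, const std::string& name, int32_t& out, std::string& error)
{
    auto it = params.find(name);
    if (it == params.end()) {
        error = "missing parameter: " + name;
        return false;
    }
    if (!it->second.asInteger(out)) {
        error = "parameter '" + name + "' is not an integer";
        return false;
    }
    error.clear();
    return true;
}
```

The point of the separate tag is on the dispatcher side: a backend that reads every number through one asNumber and casts would hand an agent a truncated or wrapped value for a parameter like a line number or object id, whereas getInteger above turns the mismatch into a protocol error the caller has to handle.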
1929
1930 2014-09-11  Joseph Pecoraro  <pecoraro@apple.com>
1931
1932         Web Inspector: Occasional ASSERT closing web inspector
1933         https://bugs.webkit.org/show_bug.cgi?id=136762
1934
1935         Reviewed by Timothy Hatcher.
1936
1937         It is harmless, and indeed possible to have an empty set of listeners
1938         now that each Page gets its own PageDebugServer instead of a shared
1939         global. So we should replace the null checks with isEmpty checks.
1940         Since nobody was ever returning null, convert to references as well.
1941
1942         * inspector/JSGlobalObjectScriptDebugServer.h:
1943         * inspector/ScriptDebugServer.cpp:
1944         (Inspector::ScriptDebugServer::dispatchBreakpointActionLog):
1945         (Inspector::ScriptDebugServer::dispatchBreakpointActionSound):
1946         (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe):
1947         (Inspector::ScriptDebugServer::sourceParsed):
1948         (Inspector::ScriptDebugServer::dispatchFunctionToListeners):
1949         (Inspector::ScriptDebugServer::notifyDoneProcessingDebuggerEvents):
1950         (Inspector::ScriptDebugServer::handlePause):
1951         (Inspector::ScriptDebugServer::needPauseHandling): Deleted.
1952         * inspector/ScriptDebugServer.h:
1953
1954 2014-09-10  Michael Saboff  <msaboff@apple.com>
1955
1956         Move JSScope out of JSFunction into separate JSCallee class
1957         https://bugs.webkit.org/show_bug.cgi?id=136725
1958
1959         Reviewed by Oliver Hunt.
1960
1961         Created new JSCallee class that contains a JSScope*.  Changed JSFunction to inherit from
1962         JSCallee.
1963
1964         * CMakeLists.txt:
1965         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1966         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1967         * JavaScriptCore.xcodeproj/project.pbxproj:
1968         Build changes.  Added JSCallee.cpp and JSCallee.h.
1969
1970         * runtime/JSCallee.cpp: Added.
1971         (JSC::JSCallee::create):
1972         (JSC::JSCallee::destroy):
1973         (JSC::JSCallee::JSCallee):
1974         (JSC::JSCallee::finishCreation):
1975         (JSC::JSCallee::visitChildren):
1976         (JSC::JSCallee::getOwnPropertySlot): Pass through wrapper function.
1977         (JSC::JSCallee::getOwnNonIndexPropertyNames): Pass through wrapper function.
1978         (JSC::JSCallee::put): Pass through wrapper function.
1979         (JSC::JSCallee::deleteProperty): Pass through wrapper function.
1980         (JSC::JSCallee::defineOwnProperty): Pass through wrapper function.
1981
1982         * runtime/JSCallee.h: Added.
1983         (JSC::JSCallee::scope):
1984         (JSC::JSCallee::scopeUnchecked):
1985         (JSC::JSCallee::setScope):
1986         (JSC::JSCallee::createStructure):
1987         (JSC::JSCallee::offsetOfScopeChain):
1988
1989         * runtime/JSFunction.cpp:
1990         (JSC::JSFunction::JSFunction):
1991         (JSC::JSFunction::addNameScopeIfNeeded):
1992         (JSC::JSFunction::visitChildren):
1993         * runtime/JSFunction.h:
1994         (JSC::JSFunction::scope): Deleted.
1995         (JSC::JSFunction::scopeUnchecked): Deleted.
1996         (JSC::JSFunction::setScope): Deleted.
1997         (JSC::JSFunction::offsetOfScopeChain): Deleted.
1998         * runtime/JSFunctionInlines.h:
1999         (JSC::JSFunction::JSFunction):
2000         Changed to reference JSCallee and its methods.
2001
2002         * runtime/JSType.h: Added JSCallee as a TypeEnum.
2003
2004 2014-09-11  Filip Pizlo  <fpizlo@apple.com>
2005
2006         REGRESSION (r172129): Vine pages load as blank
2007         https://bugs.webkit.org/show_bug.cgi?id=136655
2008         rdar://problem/18281215
2009
2010         Reviewed by Michael Saboff.
2011         
2012         If lastNode is something that is subject to DCE, then removing the Phantom's reference to something
2013         that lastNode references means that the thing being referenced may no longer be kept alive for OSR.
2014         Teach PhantomRemovalPhase that it's only safe to do this if lastNode is a Phantom. That's probably too
2015         conservative, but that's fine since this is mainly just an optimization to make the IR sane to read and
2016         reasonably compact; it's OK if we miss cases here.
2017
2018         * dfg/DFGPhantomRemovalPhase.cpp:
2019         (JSC::DFG::PhantomRemovalPhase::run):
2020         * tests/stress/remove-phantom-after-setlocal.js: Added.
2021
2022 2014-09-11  Bear Travis  <betravis@adobe.com>
2023
2024         [CSS Font Loading] Enable CSS Font Loading on Mac
2025         https://bugs.webkit.org/show_bug.cgi?id=135473
2026
2027         Reviewed by Antti Koivisto.
2028
2029         Enable CSS Font Loading in FeatureDefines.
2030
2031         * Configurations/FeatureDefines.xcconfig:
2032
2033 2014-09-11  Joseph Pecoraro  <pecoraro@apple.com>
2034
2035         Unreviewed rebaseline of inspector generator test results after r173120.
2036
2037         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2038         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2039         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2040         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2041
2042 2014-09-11  Oliver Hunt  <oliver@apple.com>
2043
2044         Rename activation to be more in line with spec language
2045         https://bugs.webkit.org/show_bug.cgi?id=136721
2046
2047         Reviewed by Michael Saboff.
2048
2049         Somewhat bigger than the last one, but still just a rename.
2050
2051         * CMakeLists.txt:
2052         * JavaScriptCore.order:
2053         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2054         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2055         * JavaScriptCore.xcodeproj/project.pbxproj:
2056         * bytecode/BytecodeList.json:
2057         * bytecode/BytecodeUseDef.h:
2058         (JSC::computeUsesForBytecodeOffset):
2059         (JSC::computeDefsForBytecodeOffset):
2060         * bytecode/CallVariant.h:
2061         * bytecode/CodeBlock.cpp:
2062         (JSC::CodeBlock::dumpBytecode):
2063         (JSC::CodeBlock::CodeBlock):
2064         (JSC::CodeBlock::finalizeUnconditionally):
2065         (JSC::CodeBlock::isCaptured):
2066         (JSC::CodeBlock::nameForRegister):
2067         * bytecode/CodeBlock.h:
2068         (JSC::CodeBlock::setActivationRegister):
2069         (JSC::CodeBlock::activationRegister):
2070         (JSC::CodeBlock::uncheckedActivationRegister):
2071         (JSC::CodeBlock::needsActivation):
2072         * bytecode/Instruction.h:
2073         * bytecode/UnlinkedCodeBlock.h:
2074         (JSC::UnlinkedCodeBlock::setActivationRegister):
2075         (JSC::UnlinkedCodeBlock::activationRegister):
2076         (JSC::UnlinkedCodeBlock::hasActivationRegister):
2077         * bytecompiler/BytecodeGenerator.cpp:
2078         (JSC::BytecodeGenerator::BytecodeGenerator):
2079         (JSC::BytecodeGenerator::emitReturn):
2080         * bytecompiler/BytecodeGenerator.h:
2081         * debugger/DebuggerCallFrame.cpp:
2082         (JSC::DebuggerCallFrame::scope):
2083         * debugger/DebuggerScope.cpp:
2084         (JSC::DebuggerScope::isFunctionOrEvalScope):
2085         * dfg/DFGByteCodeParser.cpp:
2086         (JSC::DFG::ByteCodeParser::parseBlock):
2087         * dfg/DFGCapabilities.cpp:
2088         (JSC::DFG::capabilityLevel):
2089         * dfg/DFGGraph.cpp:
2090         (JSC::DFG::Graph::tryGetActivation):
2091         (JSC::DFG::Graph::tryGetRegisters):
2092         * dfg/DFGGraph.h:
2093         * dfg/DFGNodeType.h:
2094         * dfg/DFGOperations.cpp:
2095         * dfg/DFGSpeculativeJIT32_64.cpp:
2096         (JSC::DFG::SpeculativeJIT::compile):
2097         * dfg/DFGSpeculativeJIT64.cpp:
2098         (JSC::DFG::SpeculativeJIT::compile):
2099         * interpreter/CallFrame.cpp:
2100         (JSC::CallFrame::lexicalEnvironment):
2101         (JSC::CallFrame::setActivation):
2102         (JSC::CallFrame::activation): Deleted.
2103         * interpreter/CallFrame.h:
2104         * interpreter/Interpreter.cpp:
2105         (JSC::unwindCallFrame):
2106         * interpreter/Register.h:
2107         * jit/JIT.cpp:
2108         (JSC::JIT::privateCompileMainPass):
2109         * jit/JIT.h:
2110         * jit/JITOpcodes.cpp:
2111         (JSC::JIT::emit_op_tear_off_lexical_environment):
2112         (JSC::JIT::emit_op_tear_off_arguments):
2113         (JSC::JIT::emit_op_create_lexical_environment):
2114         (JSC::JIT::emit_op_tear_off_activation): Deleted.
2115         (JSC::JIT::emit_op_create_activation): Deleted.
2116         * jit/JITOpcodes32_64.cpp:
2117         (JSC::JIT::emit_op_tear_off_lexical_environment):
2118         (JSC::JIT::emit_op_tear_off_arguments):
2119         (JSC::JIT::emit_op_create_lexical_environment):
2120         (JSC::JIT::emit_op_tear_off_activation): Deleted.
2121         (JSC::JIT::emit_op_create_activation): Deleted.
2122         * jit/JITOperations.cpp:
2123         * jit/JITOperations.h:
2124         * llint/LLIntSlowPaths.cpp:
2125         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2126         * llint/LLIntSlowPaths.h:
2127         * llint/LowLevelInterpreter32_64.asm:
2128         * llint/LowLevelInterpreter64.asm:
2129         * runtime/Arguments.cpp:
2130         (JSC::Arguments::visitChildren):
2131         (JSC::Arguments::tearOff):
2132         (JSC::Arguments::didTearOffActivation):
2133         * runtime/Arguments.h:
2134         (JSC::Arguments::offsetOfActivation):
2135         (JSC::Arguments::argument):
2136         (JSC::Arguments::finishCreation):
2137         * runtime/CommonSlowPaths.cpp:
2138         * runtime/JSFunction.h:
2139         * runtime/JSGlobalObject.cpp:
2140         (JSC::JSGlobalObject::reset):
2141         (JSC::JSGlobalObject::visitChildren):
2142         * runtime/JSGlobalObject.h:
2143         (JSC::JSGlobalObject::activationStructure):
2144         * runtime/JSLexicalEnvironment.cpp: Renamed from Source/JavaScriptCore/runtime/JSActivation.cpp.
2145         (JSC::JSLexicalEnvironment::visitChildren):
2146         (JSC::JSLexicalEnvironment::symbolTableGet):
2147         (JSC::JSLexicalEnvironment::symbolTablePut):
2148         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
2149         (JSC::JSLexicalEnvironment::symbolTablePutWithAttributes):
2150         (JSC::JSLexicalEnvironment::getOwnPropertySlot):
2151         (JSC::JSLexicalEnvironment::put):
2152         (JSC::JSLexicalEnvironment::deleteProperty):
2153         (JSC::JSLexicalEnvironment::toThis):
2154         (JSC::JSLexicalEnvironment::argumentsGetter):
2155         * runtime/JSLexicalEnvironment.h: Renamed from Source/JavaScriptCore/runtime/JSActivation.h.
2156         (JSC::JSLexicalEnvironment::create):
2157         (JSC::JSLexicalEnvironment::createStructure):
2158         (JSC::JSLexicalEnvironment::JSLexicalEnvironment):
2159         (JSC::asActivation):
2160         (JSC::Register::lexicalEnvironment):
2161         (JSC::JSLexicalEnvironment::registersOffset):
2162         (JSC::JSLexicalEnvironment::tearOff):
2163         (JSC::JSLexicalEnvironment::isTornOff):
2164         (JSC::JSLexicalEnvironment::storageOffset):
2165         (JSC::JSLexicalEnvironment::storage):
2166         (JSC::JSLexicalEnvironment::allocationSize):
2167         (JSC::JSLexicalEnvironment::isValidIndex):
2168         (JSC::JSLexicalEnvironment::isValid):
2169         (JSC::JSLexicalEnvironment::registerAt):
2170         * runtime/JSObject.h:
2171         * runtime/JSScope.cpp:
2172         (JSC::abstractAccess):
2173         * runtime/JSScope.h:
2174         (JSC::ResolveOp::ResolveOp):
2175         * runtime/JSSymbolTableObject.cpp:
2176         * runtime/StrictEvalActivation.h:
2177         (JSC::StrictEvalActivation::create):
2178         * runtime/VM.cpp:
2179
2180 2014-09-11  László Langó  <llango.u-szeged@partner.samsung.com>
2181
2182         [JavaScriptCore] Fix FTL on platform EFL.
2183         https://bugs.webkit.org/show_bug.cgi?id=133571
2184
2185         Reviewed by Filip Pizlo.
2186
2187         There are no compact_unwind sections on Linux systems so FTL crashes.
2188         We have to parse eh_frame in FTLUnwindInfo instead of compact_unwind
2189         and get the information for stack unwinding from there.
2190
2191         * CMakeLists.txt: Revert r169181.
2192         * ftl/FTLCompile.cpp:
2193         Change section name literals to use SECTION_NAME macro, because of architecture differences.
2194         (JSC::FTL::mmAllocateCodeSection):
2195         (JSC::FTL::mmAllocateDataSection):
2196         (JSC::FTL::compile):
2197         * ftl/FTLJITCode.h:
2198         We need the SECTION_NAME macro in FTLCompile and FTLLink, so we define it here.
2199         * ftl/FTLLink.cpp:
2200         (JSC::FTL::link):
2201         * ftl/FTLState.h:
2202         * ftl/FTLState.cpp:
2203         (JSC::FTL::State::State):
2204         * ftl/FTLUnwindInfo.h:
2205         * ftl/FTLUnwindInfo.cpp:
2206         Lift the eh_frame parsing method from LLVM/libcxxabi project and modify it for our purposes.
2207         Parse eh_frame on Linux instead of compact_unwind.
2208         (JSC::FTL::UnwindInfo::parse):
2209
2210 2014-09-10  Saam Barati  <saambarati1@gmail.com>
2211
2212         Web Inspector: Modify the type profiler runtime protocol to transfer some computation into the WebInspector
2213         https://bugs.webkit.org/show_bug.cgi?id=136500
2214
2215         Reviewed by Joseph Pecoraro.
2216
2217         This patch changes the type profiler protocol to the Web Inspector
2218         by moving the work of calculating computed properties that affect the UI
2219         into the Web Inspector. This makes the Web Inspector have control over the 
2220         strings it displays as UI elements representing type information to the user 
2221         instead of JavaScriptCore deciding on a convention for these strings.
2222         JavaScriptCore now sends enough information to the Web Inspector so that 
2223         it can compute the properties JavaScriptCore used to compute.
2224
2225         * inspector/agents/InspectorRuntimeAgent.cpp:
2226         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
2227         * inspector/protocol/Runtime.json:
2228         * runtime/TypeProfiler.cpp:
2229         (JSC::TypeProfiler::getTypesForVariableAtOffsetForInspector): Deleted.
2230         * runtime/TypeProfiler.h:
2231         * runtime/TypeSet.cpp:
2232         (JSC::TypeSet::inspectorTypeSet):
2233         (JSC::StructureShape::leastCommonAncestor):
2234         (JSC::StructureShape::inspectorRepresentation):
2235         * runtime/TypeSet.h:
2236
2237 2014-09-10  Akos Kiss  <akiss@inf.u-szeged.hu>
2238
2239         Apply ARM64-specific lowering to load/store instructions in offlineasm
2240         https://bugs.webkit.org/show_bug.cgi?id=136569
2241
2242         Reviewed by Michael Saboff.
2243
2244         The standard RISC lowering of load/store instructions with base +
2245         immediate offset addresses is to move the offset to a temporary, add the
2246         base to the temporary, and then change the load/store to use the
2247         temporary + 0 immediate offset address. However, on ARM64, base +
2248         register offset addressing mode is available, so it is unnecessary to
2249         perform explicit register additions but it is enough to change load/store
2250         to use base + temporary as the address.
2251
2252         * offlineasm/arm64.rb: Added arm64LowerMalformedLoadStoreAddresses
2253
2254 2014-09-10  Oliver Hunt  <oliver@apple.com>
2255
2256         Rename JSVariableObject to JSEnvironmentRecord to align naming with ES spec
2257         https://bugs.webkit.org/show_bug.cgi?id=136710
2258
2259         Reviewed by Anders Carlsson.
2260
2261         This is a trivial rename.
2262
2263         * CMakeLists.txt:
2264         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2265         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2266         * JavaScriptCore.xcodeproj/project.pbxproj:
2267         * dfg/DFGAbstractHeap.h:
2268         * dfg/DFGClobberize.h:
2269         (JSC::DFG::clobberize):
2270         * dfg/DFGSpeculativeJIT32_64.cpp:
2271         (JSC::DFG::SpeculativeJIT::compile):
2272         * dfg/DFGSpeculativeJIT64.cpp:
2273         (JSC::DFG::SpeculativeJIT::compile):
2274         * ftl/FTLAbstractHeapRepository.cpp:
2275         * ftl/FTLAbstractHeapRepository.h:
2276         * ftl/FTLLowerDFGToLLVM.cpp:
2277         (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters):
2278         * jit/JITOpcodes32_64.cpp:
2279         * jit/JITPropertyAccess.cpp:
2280         (JSC::JIT::emitGetClosureVar):
2281         (JSC::JIT::emitPutClosureVar):
2282         * jit/JITPropertyAccess32_64.cpp:
2283         (JSC::JIT::emitGetClosureVar):
2284         (JSC::JIT::emitPutClosureVar):
2285         * llint/LLIntOffsetsExtractor.cpp:
2286         * llint/LowLevelInterpreter32_64.asm:
2287         * llint/LowLevelInterpreter64.asm:
2288         * runtime/JSActivation.cpp:
2289         (JSC::JSActivation::getOwnNonIndexPropertyNames):
2290         * runtime/JSActivation.h:
2291         * runtime/JSEnvironmentRecord.cpp: Renamed from Source/JavaScriptCore/runtime/JSVariableObject.cpp.
2292         * runtime/JSEnvironmentRecord.h: Renamed from Source/JavaScriptCore/runtime/JSVariableObject.h.
2293         (JSC::JSEnvironmentRecord::registers):
2294         (JSC::JSEnvironmentRecord::registerAt):
2295         (JSC::JSEnvironmentRecord::addressOfRegisters):
2296         (JSC::JSEnvironmentRecord::offsetOfRegisters):
2297         (JSC::JSEnvironmentRecord::JSEnvironmentRecord):
2298         * runtime/JSNameScope.h:
2299         * runtime/JSSegmentedVariableObject.h:
2300
2301 2014-09-10  Julien Brianceau  <jbriance@cisco.com>
2302
2303         [mips] Add missing parts and fix LLINT mips backend
2304         https://bugs.webkit.org/show_bug.cgi?id=136706
2305
2306         Reviewed by Michael Saboff.
2307
2308         * llint/LowLevelInterpreter.asm: Fix invalid CalleeSave register number.
2309         Implement initPCRelative and setEntryAddress macros.
2310         * llint/LowLevelInterpreter32_64.asm: Fix register distribution in
2311         doVMEntry macro.
2312
2313 2014-09-10  Saam Barati  <saambarati1@gmail.com>
2314
2315         TypeSet needs a mode where it no longer profiles structure shapes
2316         https://bugs.webkit.org/show_bug.cgi?id=136263
2317
2318         Reviewed by Filip Pizlo.
2319
2320         The TypeSet data structure used to gather as many StructureShape
2321         objects as it encountered during type profiling. But, this meant 
2322         that there was no upper limit on how many objects it could allocate. 
2323         This patch places a fixed upper bound on the number of StructureShapes
2324         allocated per TypeSet to prevent using too much memory for little gain
2325         in type profiling usefulness.
2326
2327         StructureShape objects are now also aware of when they are created
2328         from Structures which are dictionaries.
2329
2330         In total, this patch lays the final groundwork needed in refactoring 
2331         the inspector protocol for the type profiler.
2332
2333         * runtime/Structure.cpp:
2334         (JSC::Structure::toStructureShape):
2335         * runtime/TypeProfiler.cpp:
2336         (JSC::TypeProfiler::typeInformationForExpressionAtOffset):
2337         * runtime/TypeSet.cpp:
2338         (JSC::TypeSet::TypeSet):
2339         (JSC::TypeSet::addTypeInformation):
2340         (JSC::StructureShape::StructureShape):
2341         (JSC::StructureShape::toJSONString):
2342         (JSC::StructureShape::enterDictionaryMode):
2343         * runtime/TypeSet.h:
2344         (JSC::TypeSet::isOverflown):
2345         * tests/typeProfiler/dictionary-mode.js: Added.
2346         (wrapper):
2347         * tests/typeProfiler/driver/driver.js:
2348         * tests/typeProfiler/overflow.js: Added.
2349         (wrapper.Proto):
2350         (wrapper):
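
The bounded StructureShape collection this entry describes, as an added example rather than JSC's TypeSet code: the names TypeSet, StructureShape and makeShape, the bit-flag names, and the kMaxShapes value of 64 are assumptions made for this example; the isDictionary flag models the dictionary awareness the entry mentions.

```cpp
#include <cstddef>
#include <cstdint>
#include <set>
#include <string>
#include <vector>

// Added example, not WebKit's TypeSet/StructureShape: a type set that tracks
// primitive types as bit flags and keeps at most kMaxShapes distinct object
// shapes, setting an overflow flag instead of allocating without bound.
struct StructureShape {
    std::vector<std::string> properties; // property names in insertion order
    bool isDictionary = false;           // the shape came from a dictionary Structure

    // Canonical key for de-duplication; names are length-prefixed so that a
    // separator character inside a property name cannot make two shapes collide.
    std::string key() const
    {
        std::string k = isDictionary ? "dict:" : "shape:";
        for (const std::string& name : properties)
            k += std::to_string(name.size()) + ":" + name;
        return k;
    }
};

StructureShape makeShape(const std::vector<std::string>& names, bool dictionary = false)
{
    StructureShape s;
    s.properties = names;
    s.isDictionary = dictionary;
    return s;
}

class TypeSet {
public:
    enum : uint32_t { SeenUndefined = 1, SeenNull = 2, SeenBoolean = 4, SeenNumber = 8, SeenString = 16, SeenObject = 32 };
    static const size_t kMaxShapes = 64; // assumed cap; JSC's actual limit is not stated in the entry

    void addPrimitive(uint32_t flag) { m_seen |= flag; }

    // True if the shape was recorded; false for a duplicate or when the set is
    // already full, in which case isOverflown() becomes true and stays true.
    bool addShape(const StructureShape& shape)
    {
        m_seen |= SeenObject;
        const std::string k = shape.key();
        if (m_keys.count(k))
            return false;
        if (m_shapes.size() >= kMaxShapes) {
            m_overflown = true;
            return false;
        }
        m_keys.insert(k);
        m_shapes.push_back(shape);
        return true;
    }

    uint32_t seen() const { return m_seen; }
    size_t shapeCount() const { return m_shapes.size(); }
    bool isOverflown() const { return m_overflown; }

private:
    uint32_t m_seen = 0;
    bool m_overflown = false;
    std::set<std::string> m_keys;
    std::vector<StructureShape> m_shapes;
};
```

The property worth having here is that profiling a pathological program (one that keeps creating objects with new property layouts) cannot grow memory without bound: after kMaxShapes distinct shapes the set stops allocating and only remembers that it overflowed, which a consumer can surface as "many shapes" instead of a full listing.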
2351
2352 2014-09-10  Peter Gal  <galpeter@inf.u-szeged.hu>
2353
2354         [MIPS] branch32WithPatch missing
2355         https://bugs.webkit.org/show_bug.cgi?id=136696
2356
2357         Reviewed by Michael Saboff.
2358
2359         Added the missing branch32WithPatch. The implementation
2360         is currently the same as the branchPtrWithPatch because
2361         the macro assembler supports only 32 bit MIPS.
2362
2363         * assembler/MacroAssemblerMIPS.h:
2364         (JSC::MacroAssemblerMIPS::branch32WithPatch):
2365
2366 2014-09-10  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>
2367
2368         Fix !ENABLE(DFG_JIT) build
2369         https://bugs.webkit.org/show_bug.cgi?id=136702
2370
2371         Reviewed by Michael Saboff.
2372
2373         * bytecode/CallEdgeProfile.h:
2374
2375 2014-09-09  Benjamin Poulain  <bpoulain@apple.com>
2376
2377         Disable the "unreachable-code" warning
2378         https://bugs.webkit.org/show_bug.cgi?id=136677
2379
2380         Reviewed by Darin Adler.
2381
2382         * Configurations/Base.xcconfig:
2383
2384 2014-09-08  Filip Pizlo  <fpizlo@apple.com>
2385
2386         DFG should have a reusable SSA builder
2387         https://bugs.webkit.org/show_bug.cgi?id=136331
2388
2389         Reviewed by Oliver Hunt.
2390         
2391         We want to implement sophisticated SSA transformations like object allocation sinking
2392         (https://bugs.webkit.org/show_bug.cgi?id=136330), but to do that, we need to be able to do
2393         updates to SSA that require inserting new Phi's. This requires calculating where Phis go.
2394         Previously, our Phi calculation was based on Aycock and Horspool's algorithm, and our
2395         implementation of this algorithm only worked when doing CPS->SSA conversion. The code
2396         could not be reused for cases where some phase happens to know that it introduced a few
2397         defs in some blocks and it wants to figure out where the Phis should go. Moreover, even
2398         the general algorithm of Aycock and Horspool is not well suited to such targeted SSA
2399         updates, since it requires first inserting maximal Phis. That scales well when the Phis
2400         were already there (like in our CPS form) but otherwise it's quite unnatural and may be
2401         difficult to make efficient.
2402         
2403         The usual way of handling both SSA conversion and SSA update is to use Cytron et al's
2404         algorithm based on dominance frontiers. For a while now, I've been working on creating a
2405         Cytron-based SSA calculator that can be used both as a replacement for our current SSA
2406         converter and as a reusable tool for any phase that needs to do SSA update. I previously
2407         optimized our dominator calculation and representation to use dominator trees computed
2408         using Lengauer and Tarjan's algorithm - mainly to make it more scalable to enumerate over
2409         the set of blocks that dominate you or vice-versa, and then I implemented a dominance
2410         frontier calculator. This patch implements the final step towards making SSA update
2411         available to all SSA phases: it implements an SSACalculator that can tell you where Phis
2412         go when given an arbitrary set of Defs. To keep things simple, and to ensure that we have
2413         good test coverage for this SSACalculator, this patch replaces the old Aycock-Horspool
2414         SSA converter with one based on the SSACalculator.
2415         
2416         This has no observable impact. It does reduce the amount of code in SSAConversionPhase.
2417         But even better, it makes SSAConversionPhase have significantly less tricky logic. It
2418         mostly just relies on SSACalculator to do the tricky stuff, and SSAConversionPhase mostly
2419         just reasons about the weirdnesses unique to the ThreadedCPS form that it sees as input.
2420         In fact, using the Cytron et al approach means that there isn't really any "smoke and
2421         mirrors" trickiness related to SSA. SSACalculator's only "tricks" are using the pruned
2422         iterated dominance frontier to place Phi's and using the dom tree to find reaching defs.
2423         The complexity is mostly confined to Dominators, which computes various dominator-related
2424         properties over the control flow graph. That class can be difficult to understand, but at
2425         least it follows well-known graph theory wisdom.
2426
2427         * CMakeLists.txt:
2428         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2429         * JavaScriptCore.xcodeproj/project.pbxproj:
2430         * dfg/DFGAnalysis.h:
2431         * dfg/DFGCSEPhase.cpp:
2432         * dfg/DFGDCEPhase.cpp:
2433         (JSC::DFG::DCEPhase::run):
2434         * dfg/DFGDominators.h:
2435         (JSC::DFG::Dominators::immediateDominatorOf):
2436         (JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOf):
2437         (JSC::DFG::Dominators::forAllBlocksInPrunedIteratedDominanceFrontierOf):
2438         * dfg/DFGGraph.cpp:
2439         (JSC::DFG::Graph::dump):
2440         (JSC::DFG::Graph::blocksInPreOrder):
2441         (JSC::DFG::Graph::blocksInPostOrder):
2442         (JSC::DFG::Graph::getBlocksInPreOrder): Deleted.
2443         (JSC::DFG::Graph::getBlocksInPostOrder): Deleted.
2444         * dfg/DFGGraph.h:
2445         * dfg/DFGLICMPhase.cpp:
2446         (JSC::DFG::LICMPhase::run):
2447         * dfg/DFGNodeFlags.h:
2448         * dfg/DFGPhase.cpp:
2449         (JSC::DFG::Phase::beginPhase):
2450         (JSC::DFG::Phase::endPhase):
2451         * dfg/DFGPhase.h:
2452         * dfg/DFGSSACalculator.cpp: Added.
2453         (JSC::DFG::SSACalculator::Variable::dump):
2454         (JSC::DFG::SSACalculator::Variable::dumpVerbose):
2455         (JSC::DFG::SSACalculator::Def::dump):
2456         (JSC::DFG::SSACalculator::SSACalculator):
2457         (JSC::DFG::SSACalculator::~SSACalculator):
2458         (JSC::DFG::SSACalculator::newVariable):
2459         (JSC::DFG::SSACalculator::newDef):
2460         (JSC::DFG::SSACalculator::nonLocalReachingDef):
2461         (JSC::DFG::SSACalculator::reachingDefAtTail):
2462         (JSC::DFG::SSACalculator::dump):
2463         * dfg/DFGSSACalculator.h: Added.
2464         (JSC::DFG::SSACalculator::Variable::index):
2465         (JSC::DFG::SSACalculator::Variable::Variable):
2466         (JSC::DFG::SSACalculator::Def::variable):
2467         (JSC::DFG::SSACalculator::Def::block):
2468         (JSC::DFG::SSACalculator::Def::value):
2469         (JSC::DFG::SSACalculator::Def::Def):
2470         (JSC::DFG::SSACalculator::variable):
2471         (JSC::DFG::SSACalculator::computePhis):
2472         (JSC::DFG::SSACalculator::phisForBlock):
2473         (JSC::DFG::SSACalculator::reachingDefAtHead):
2474         * dfg/DFGSSAConversionPhase.cpp:
2475         (JSC::DFG::SSAConversionPhase::SSAConversionPhase):
2476         (JSC::DFG::SSAConversionPhase::run):
2477         (JSC::DFG::SSAConversionPhase::forwardPhiChildren): Deleted.
2478         (JSC::DFG::SSAConversionPhase::forwardPhi): Deleted.
2479         (JSC::DFG::SSAConversionPhase::forwardPhiEdge): Deleted.
2480         (JSC::DFG::SSAConversionPhase::deduplicateChildren): Deleted.
2481         * dfg/DFGSSAConversionPhase.h:
2482         * dfg/DFGValidate.cpp:
2483         (JSC::DFG::Validate::Validate):
2484         (JSC::DFG::Validate::dumpGraphIfAppropriate):
2485         (JSC::DFG::validate):
2486         * dfg/DFGValidate.h:
2487         * ftl/FTLLowerDFGToLLVM.cpp:
2488         (JSC::FTL::LowerDFGToLLVM::lower):
2489         * runtime/Options.h:
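
Phi placement by iterated dominance frontier, as the entry describes, in an added example that is not WebKit's DFG::SSACalculator or DFG::Dominators: the names CFG, computeIdom, computeDominanceFrontiers, phiBlocks and exampleGraph are assumptions, the graph is constructed for the example, and the dominator tree is computed with the Cooper-Harvey-Kennedy iterative algorithm rather than the Lengauer-Tarjan algorithm the entry mentions (the result is the same tree).

```cpp
#include <algorithm>
#include <functional>
#include <set>
#include <vector>

// Added example, not WebKit's DFG::SSACalculator or DFG::Dominators: minimal SSA
// phi placement with Cytron et al.'s iterated dominance frontier. Blocks are 0..n-1, entry is 0.
struct CFG {
    std::vector<std::vector<int>> succ;
    std::vector<std::vector<int>> pred;
    explicit CFG(const std::vector<std::vector<int>>& successors)
        : succ(successors), pred(successors.size())
    {
        for (size_t b = 0; b < succ.size(); ++b)
            for (int s : succ[b])
                pred[s].push_back(static_cast<int>(b));
    }
};

// Immediate dominators by iterative dataflow over reverse postorder; idom[0] == 0,
// blocks unreachable from the entry keep -1.
std::vector<int> computeIdom(const CFG& g)
{
    const int n = static_cast<int>(g.succ.size());
    std::vector<int> order; // postorder, reversed below
    std::vector<bool> seen(n, false);
    std::function<void(int)> dfs = [&](int b) {
        seen[b] = true;
        for (int s : g.succ[b])
            if (!seen[s])
                dfs(s);
        order.push_back(b);
    };
    dfs(0);
    std::reverse(order.begin(), order.end());
    std::vector<int> rpo(n, -1); // position of each block in reverse postorder
    for (size_t i = 0; i < order.size(); ++i)
        rpo[order[i]] = static_cast<int>(i);
    std::vector<int> idom(n, -1);
    idom[0] = 0;
    auto intersect = [&](int x, int y) { // walk both fingers up the dominator tree until they meet
        while (x != y) {
            while (rpo[x] > rpo[y]) x = idom[x];
            while (rpo[y] > rpo[x]) y = idom[y];
        }
        return x;
    };
    for (bool changed = true; changed;) {
        changed = false;
        for (int b : order) {
            if (b == 0) continue;
            int candidate = -1;
            for (int p : g.pred[b]) {
                if (idom[p] < 0) continue; // not processed yet, or unreachable
                candidate = candidate < 0 ? p : intersect(p, candidate);
            }
            if (candidate != idom[b]) { idom[b] = candidate; changed = true; }
        }
    }
    return idom;
}

// Dominance frontiers: for each join block, walk from every predecessor up the
// dominator tree, adding the join to each visited block's frontier, until the join's idom.
std::vector<std::set<int>> computeDominanceFrontiers(const CFG& g, const std::vector<int>& idom)
{
    std::vector<std::set<int>> df(g.succ.size());
    for (size_t b = 0; b < g.succ.size(); ++b) {
        if (g.pred[b].size() < 2 || idom[b] < 0) continue;
        for (int p : g.pred[b]) {
            if (idom[p] < 0) continue;
            for (int runner = p; runner != idom[b]; runner = idom[runner])
                df[runner].insert(static_cast<int>(b));
        }
    }
    return df;
}

// A variable defined in `defs` needs a Phi at every block of the iterated dominance
// frontier of those defs: each Phi placed is itself a new def and is fed back in.
std::set<int> phiBlocks(const std::vector<std::set<int>>& df, const std::set<int>& defs)
{
    std::set<int> phis;
    std::vector<int> work(defs.begin(), defs.end());
    while (!work.empty()) {
        int b = work.back();
        work.pop_back();
        for (int f : df[b])
            if (phis.insert(f).second && !defs.count(f))
                work.push_back(f);
    }
    return phis;
}

// Constructed graph: 0->1, 1->{2,3}, 2->4, 3->4, 4->{5,1} (loop back edge), 5 exits.
CFG exampleGraph()
{
    std::vector<std::vector<int>> succ = { {1}, {2, 3}, {4}, {4}, {5, 1}, {} };
    return CFG(succ);
}
```

On the constructed graph a def in block 2 alone yields Phis at block 4 (the if/else join) and at block 1 (the loop header, because the value flows around the back edge 4->1); a def in the entry block yields none. This is the minimal, unpruned placement; the pruned variant the entry mentions additionally drops a Phi wherever the variable is not live at that block, which needs a liveness analysis the example leaves out.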
2490
2491 2014-09-08  Commit Queue  <commit-queue@webkit.org>
2492
2493         Unreviewed, rolling out r173402.
2494         https://bugs.webkit.org/show_bug.cgi?id=136649
2495
2496         Breaking build with error "unable to restore file position to
2497         0x00000c60 for section __DWARF.__debug_info (errno = 9)"
2498         (Requested by mlam_ on #webkit).
2499
2500         Reverted changeset:
2501
2502         "Move CallFrame and Register inline functions out of
2503         JSScope.h."
2504         https://bugs.webkit.org/show_bug.cgi?id=136579
2505         http://trac.webkit.org/changeset/173402
2506
2507 2014-09-08  Mark Lam  <mark.lam@apple.com>
2508
2509         Move CallFrame and Register inline functions out of JSScope.h.
2510         <https://webkit.org/b/136579>
2511
2512         Reviewed by Geoffrey Garen.
2513
2514         This includes fixing up some files to #include JSCInlines.h to pick up
2515         these inline functions.  I also added JSCellInlines.h to JSCInlines.h
2516         since it is included from many of the affected .cpp files.
2517
2518         * API/ObjCCallbackFunction.mm:
2519         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2520         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2521         * JavaScriptCore.xcodeproj/project.pbxproj:
2522         * bindings/ScriptValue.cpp:
2523         * inspector/InjectedScriptHost.cpp:
2524         * inspector/InjectedScriptManager.cpp:
2525         * inspector/JSGlobalObjectInspectorController.cpp:
2526         * inspector/JSJavaScriptCallFrame.cpp:
2527         * inspector/ScriptDebugServer.cpp:
2528         * interpreter/CallFrameInlines.h:
2529         (JSC::CallFrame::vm):
2530         (JSC::CallFrame::lexicalGlobalObject):
2531         (JSC::CallFrame::globalThisValue):
2532         * interpreter/RegisterInlines.h: Added.
2533         (JSC::Register::operator=):
2534         (JSC::Register::scope):
2535         * runtime/ArgumentsIteratorConstructor.cpp:
2536         * runtime/JSArrayIterator.cpp:
2537         * runtime/JSCInlines.h:
2538         * runtime/JSCJSValue.cpp:
2539         * runtime/JSMapIterator.cpp:
2540         * runtime/JSPromiseConstructor.cpp:
2541         * runtime/JSPromiseDeferred.cpp:
2542         * runtime/JSPromiseFunctions.cpp:
2543         * runtime/JSPromisePrototype.cpp:
2544         * runtime/JSPromiseReaction.cpp:
2545         * runtime/JSScope.h:
2546         (JSC::Register::operator=): Deleted.
2547         (JSC::Register::scope): Deleted.
2548         (JSC::ExecState::vm): Deleted.
2549         (JSC::ExecState::lexicalGlobalObject): Deleted.
2550         (JSC::ExecState::globalThisValue): Deleted.
2551         * runtime/JSSetIterator.cpp:
2552         * runtime/MapConstructor.cpp:
2553         * runtime/MapData.cpp:
2554         * runtime/MapIteratorPrototype.cpp:
2555         * runtime/MapPrototype.cpp:
2556         * runtime/SetConstructor.cpp:
2557         * runtime/SetIteratorPrototype.cpp:
2558         * runtime/SetPrototype.cpp:
2559         * runtime/WeakMapConstructor.cpp:
2560         * runtime/WeakMapPrototype.cpp:
2561
2562 2014-09-08  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>
2563
2564         Remove FILTERS flag
2565         https://bugs.webkit.org/show_bug.cgi?id=136571
2566
2567         Reviewed by Darin Adler.
2568
2569         * Configurations/FeatureDefines.xcconfig:
2570
2571 2014-09-08  Saam Barati  <saambarati1@gmail.com>
2572
2573         Merge StructureShapes that share the same prototype chain
2574         https://bugs.webkit.org/show_bug.cgi?id=136549
2575
2576         Reviewed by Filip Pizlo.
2577
2578         Instead of keeping track of many discrete StructureShapes that share
2579         the same prototype chain, TypeSet should merge StructureShapes that 
2580         have the same prototype chain and provide a new member variable for 
2581         optional structure fields. This provides a cleaner and more concise
2582         interface for dealing with StructureShapes within TypeSet. Instead
2583         of having many discrete shapes that are almost identical, almost 
2584         identical shapes will be merged together with an interface for 
2585         understanding what fields the shapes being merged together differ in.
2586
2587         * runtime/TypeSet.cpp:
2588         (JSC::TypeSet::addTypeInformation):
2589         (JSC::StructureShape::addProperty):
2590         (JSC::StructureShape::toJSONString):
2591         (JSC::StructureShape::inspectorRepresentation):
2592         (JSC::StructureShape::hasSamePrototypeChain):
2593         (JSC::StructureShape::merge):
2594         * runtime/TypeSet.h:
2595         * tests/typeProfiler/optional-fields.js: Added.
2596         (wrapper.func):
2597         (wrapper):
2598
2599 2014-09-08  Jessie Berlin  <jberlin@apple.com>
2600
2601         More 32-bit Release build fixes after r173364.
2602
2603         * dfg/DFGSpeculativeJIT32_64.cpp:
2604         (JSC::DFG::SpeculativeJIT::compile):
2605
2606 2014-09-07  Maciej Stachowiak  <mjs@apple.com>
2607
2608         Fix typos in last patch to fix build.
2609
2610         Unreviewed build fix.
2611
2612         * dfg/DFGSpeculativeJIT.cpp:
2613         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
2614         (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
2615
2616 2014-09-07  Maciej Stachowiak  <mjs@apple.com>
2617
2618         Introduce COMPILER_QUIRK(CONSIDERS_UNREACHABLE_CODE) and use it
2619         https://bugs.webkit.org/show_bug.cgi?id=136616
2620
2621         Reviewed by Darin Adler.
2622         
2623         Many compilers will analyze unreachable code paths (e.g. after an
2624         unreachable code path), so sometimes they need dead code initializations.
2625         But clang with suitable warnings will complain about unreachable code. So
2626         use the quirk to include it conditionally.
2627
2628         * bytecode/CodeBlock.cpp:
2629         (JSC::CodeBlock::printGetByIdOp):
2630         * dfg/DFGOSRExitCompilerCommon.cpp:
2631         (JSC::DFG::handleExitCounts):
2632         * dfg/DFGPlan.cpp:
2633         (JSC::DFG::Plan::compileInThread):
2634         * dfg/DFGSpeculativeJIT.cpp:
2635         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
2636         * jsc.cpp:
2637         * runtime/JSArray.cpp:
2638         (JSC::JSArray::fillArgList):
2639         (JSC::JSArray::copyToArguments):
2640         * runtime/RegExp.cpp:
2641         (JSC::RegExp::compile):
2642         (JSC::RegExp::compileMatchOnly):
2643
2644 2014-09-06  Darin Adler  <darin@apple.com>
2645
2646         Make updates suggested by new version of Xcode
2647         https://bugs.webkit.org/show_bug.cgi?id=136603
2648
2649         Reviewed by Mark Rowe.
2650
2651         * Configurations/Base.xcconfig: Added CLANG_WARN_UNREACHABLE_CODE, COMBINE_HIDPI_IMAGES,
2652         and ENABLE_STRICT_OBJC_MSGSEND as suggested by Xcode upgrade check.
2653
2654         * JavaScriptCore.xcodeproj/project.pbxproj: Update LastUpgradeCheck.
2655
2656         * dfg/DFGSpeculativeJIT.cpp:
2657         (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode): Compile out unreachable code
2658         for clang, since it understands the code is unreachable.
2659         * runtime/JSArray.cpp:
2660         (JSC::JSArray::fillArgList): Ditto.
2661         (JSC::JSArray::copyToArguments): Ditto.
2662
2663 2014-09-05  Matt Baker  <mattbaker@apple.com>
2664
2665         Web Inspector: breakpoint actions should work regardless of Content Security Policy
2666         https://bugs.webkit.org/show_bug.cgi?id=136542
2667
2668         Reviewed by Mark Lam.
2669
2670         Added JSC::DebuggerEvalEnabler, an RAII object which enables eval on a 
2671         JSGlobalObject for the duration of a scope, returning the eval enabled state to its
2672         original value when the scope exits. Used by JSC::DebuggerCallFrame::evaluate 
2673         to allow breakpoint actions to execute JS in pages with a Content Security Policy
2674         that would normally prohibit this (such as Inspector's Main.html).
2675
2676         Refactored Inspector::InjectedScriptBase to use the RAII object instead of manually
2677         setting eval enabled and then resetting the original eval enabled state.
2678
2679         NOTE: The JSC::DebuggerEvalEnabler constructor checks the passed in ExecState pointer
2680         for null to be equivalent with the original code in Inspector::InjectedScriptBase.
2681         InjectedScriptBase is getting the ExecState from ScriptObject::scriptState(), which
2682         can currently be null.
2683
2684         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2685         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2686         * JavaScriptCore.xcodeproj/project.pbxproj:
2687         * debugger/DebuggerCallFrame.cpp:
2688         (JSC::DebuggerCallFrame::evaluate):
2689         * debugger/DebuggerEvalEnabler.h: Added.
2690         (JSC::DebuggerEvalEnabler::DebuggerEvalEnabler):
2691         (JSC::DebuggerEvalEnabler::~DebuggerEvalEnabler):
2692         * inspector/InjectedScriptBase.cpp:
2693         (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):
2694
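The RAII enabler this entry describes, written out as an added example (constructed for this log, not WebKit's DebuggerEvalEnabler; GlobalObject, ExecState and ScopedEvalEnabler are hypothetical stand-ins). It shows the two properties the entry relies on: the previous eval state is restored on every exit path, including unwinding, and a null ExecState is tolerated rather than dereferenced.

```cpp
#include <stdexcept>

// Hypothetical stand-ins for the global object and ExecState (constructed
// for this example; not WebKit's JSGlobalObject or JSC::ExecState).
struct GlobalObject {
    explicit GlobalObject(bool enabled) : evalEnabled(enabled) {}
    bool evalEnabled;
};

struct ExecState {
    GlobalObject* globalObject;
};

// RAII enabler modelled on the entry's description of JSC::DebuggerEvalEnabler:
// eval is switched on for the lifetime of the object and the previous state
// is restored when the scope exits, by any path. A null ExecState is tolerated,
// as the entry's NOTE says the original constructor does.
class ScopedEvalEnabler {
public:
    explicit ScopedEvalEnabler(ExecState* exec)
        : m_globalObject(exec ? exec->globalObject : nullptr)
        , m_evalWasEnabled(false)
    {
        if (!m_globalObject)
            return;
        m_evalWasEnabled = m_globalObject->evalEnabled;
        m_globalObject->evalEnabled = true;
    }

    ~ScopedEvalEnabler()
    {
        if (m_globalObject)
            m_globalObject->evalEnabled = m_evalWasEnabled;
    }

    ScopedEvalEnabler(const ScopedEvalEnabler&) = delete;
    ScopedEvalEnabler& operator=(const ScopedEvalEnabler&) = delete;

private:
    GlobalObject* m_globalObject;
    bool m_evalWasEnabled;
};

// Eval state observed while a breakpoint action would run.
bool evalEnabledInsideScope(bool initiallyEnabled)
{
    GlobalObject global(initiallyEnabled);
    ExecState exec { &global };
    ScopedEvalEnabler enabler(&exec);
    return global.evalEnabled;
}

// Eval state after the scope has exited normally.
bool evalStateAfterScope(bool initiallyEnabled)
{
    GlobalObject global(initiallyEnabled);
    ExecState exec { &global };
    {
        ScopedEvalEnabler enabler(&exec);
    }
    return global.evalEnabled;
}

// Eval state after the scope is unwound by an exception; a manual
// set-then-reset sequence gives no such guarantee on an early exit.
bool evalStateAfterThrow(bool initiallyEnabled)
{
    GlobalObject global(initiallyEnabled);
    ExecState exec { &global };
    try {
        ScopedEvalEnabler enabler(&exec);
        throw std::runtime_error("breakpoint action failed");
    } catch (const std::runtime_error&) {
    }
    return global.evalEnabled;
}

// A null ExecState must be a no-op rather than a crash.
bool nullExecStateIsNoOp()
{
    ScopedEvalEnabler enabler(nullptr);
    return true;
}
```

The point for a reviewer is that the widened eval permission never outlives the scope: a page's Content Security Policy is relaxed only while the debugger is actually evaluating, and only on the global object the ExecState belongs to.
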
2695 2014-09-05  peavo@outlook.com  <peavo@outlook.com>
2696
2697         [WinCairo] jsc.exe won't run.
2698         https://bugs.webkit.org/show_bug.cgi?id=136481
2699
2700         Reviewed by Alex Christensen.
2701         
2702         We need to define WIN_CAIRO to avoid looking for the AAS folder.
2703
2704         * JavaScriptCore.vcxproj/jsc/DLLLauncherWinCairo.props: Added.
2705         * JavaScriptCore.vcxproj/jsc/jscLauncher.vcxproj:
2706         * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncher.vcxproj:
2707         * JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props:
2708         * JavaScriptCore.vcxproj/testapi/testapiLauncher.vcxproj:
2709
2710 2014-09-05  David Kilzer  <ddkilzer@apple.com>
2711
2712         JavaScriptCore should build with newer clang
2713         <http://webkit.org/b/136002>
2714         <rdar://problem/18020616>
2715
2716         Reviewed by Geoffrey Garen.
2717
2718         Other than the JSC::SourceProvider::asID() change (which simply
2719         removes code that the optimizing compiler would have discarded
2720         in Release builds), we move the |this| checks in OpaqueJSString
2721         to NULL checks into JSBase, JSObjectRef, JSScriptRef,
2722         JSStringRef{CF} and JSValueRef.
2723
2724         Note that the following function arguments are _not_ NULL-checked
2725         since doing so would just cover up bugs (and were not needed to
2726         prevent any tests from failing):
2727         - |script| in JSEvaluateScript(), JSCheckScriptSyntax();
2728         - |body| in JSObjectMakeFunction();
2729         - |source| in JSScriptCreateReferencingImmortalASCIIText()
2730           (which is a const char* anyway);
2731         - |source| in JSScriptCreateFromString().
2732
2733         * API/JSBase.cpp:
2734         (JSEvaluateScript): Add NULL check for |sourceURL|.
2735         (JSCheckScriptSyntax): Ditto.
2736         * API/JSObjectRef.cpp:
2737         (JSObjectMakeFunction): Ditto.
2738         * API/JSScriptRef.cpp:
2739         (JSScriptCreateReferencingImmortalASCIIText): Ditto.
2740         (JSScriptCreateFromString): Add NULL check for |url|.
2741         * API/JSStringRef.cpp:
2742         (JSStringGetLength): Return early if NULL pointer is passed in.
2743         (JSStringGetCharactersPtr): Ditto.
2744         (JSStringGetUTF8CString): Ditto.  Also check |buffer| parameter.
2745         * API/JSStringRefCF.cpp:
2746         (JSStringCopyCFString): Ditto.
2747         * API/JSValueRef.cpp:
2748         (JSValueMakeString): Add NULL check for |string|.
2749
2750         * API/OpaqueJSString.cpp:
2751         (OpaqueJSString::string): Remove code that checks |this|.
2752         (OpaqueJSString::identifier): Ditto.
2753         (OpaqueJSString::characters): Ditto.
2754         * API/OpaqueJSString.h:
2755         (OpaqueJSString::is8Bit): Remove code that checks |this|.
2756         (OpaqueJSString::characters8): Ditto.
2757         (OpaqueJSString::characters16): Ditto.
2758         (OpaqueJSString::length): Ditto.
2759
2760         * parser/SourceProvider.h:
2761         (JSC::SourceProvider::asID): Remove code that checks |this|.
2762
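An added example of the change this entry (and its earlier landing further down the log) describes: moving a null guard out of member functions, where `if (!this)` is undefined behaviour that a newer compiler may assume false and delete, and onto the C API parameters, where the comparison is well-defined. OpaqueString, StringRef, StringGetLength and StringGetCString are hypothetical stand-ins constructed for this example, not WebKit's OpaqueJSString or JSStringRef API.

```cpp
#include <cstddef>
#include <cstring>
#include <string>
#include <utility>

// Hypothetical opaque string type behind a C-style API (constructed for this
// example; not WebKit's OpaqueJSString).
class OpaqueString {
public:
    explicit OpaqueString(std::string text) : m_text(std::move(text)) {}

    // Member functions assume a live object. Guarding them with `if (!this)`
    // is undefined behaviour: the compiler may assume `this` is non-null and
    // remove the test, which is why the checks belong at the API boundary.
    size_t length() const { return m_text.size(); }
    const char* data() const { return m_text.c_str(); }

private:
    std::string m_text;
};

typedef const OpaqueString* StringRef;

// API entry point: NULL is checked on the parameter, where the comparison
// is well-defined, and the call returns early as the entry describes.
size_t StringGetLength(StringRef string)
{
    if (!string)
        return 0;
    return string->length();
}

// Copies the bytes into |buffer|, always NUL-terminating when anything is
// written. Returns bytes written including the terminator, or 0 if either
// pointer is NULL or the buffer cannot hold a terminator (the entry's
// "also check |buffer| parameter").
size_t StringGetCString(StringRef string, char* buffer, size_t bufferSize)
{
    if (!string || !buffer || bufferSize == 0)
        return 0;
    size_t length = string->length();
    size_t toCopy = length < bufferSize - 1 ? length : bufferSize - 1;
    std::memcpy(buffer, string->data(), toCopy);
    buffer[toCopy] = '\0';
    return toCopy + 1;
}

// Length of a constructed string as seen through the API.
size_t lengthOf(const char* text)
{
    OpaqueString s(text);
    return StringGetLength(&s);
}

// What lands in a buffer of |bufferSize| bytes, or "<rejected>" when the
// API refused the call.
std::string copiedInto(const char* text, size_t bufferSize)
{
    OpaqueString s(text);
    std::string buffer(bufferSize, 'x');
    size_t written = StringGetCString(&s, bufferSize ? &buffer[0] : nullptr, bufferSize);
    if (!written)
        return "<rejected>";
    return std::string(buffer.c_str());
}
```

The reason this matters beyond build hygiene: a null guard that the optimizer is entitled to drop gives the API's callers a false sense of safety, so the only check that can be trusted is the one on the parameter before any member is dereferenced.
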
2763 2014-06-06  Jer Noble  <jer.noble@apple.com>
2764
2765         Refactoring: make MediaTime the primary time type for audiovisual times.
2766         https://bugs.webkit.org/show_bug.cgi?id=133579
2767
2768         Reviewed by Eric Carlson.
2769
2770         Add a utility function which converts a MediaTime to a JSNumber.
2771
2772         * runtime/JSCJSValue.h:
2773         (JSC::jsNumber):
2774
2775 2014-09-04  Michael Saboff  <msaboff@apple.com>
2776
2777         ARM: Add more coverage to ARMv7 disassembler
2778         https://bugs.webkit.org/show_bug.cgi?id=136565
2779
2780         Reviewed by Mark Lam.
2781
2782         Added ARMv7 disassembler support for Push/Pop multiple and floating point instructions
2783         VCMP, VCVT[R] between floating point and integer, and VLDR.
2784
2785         * disassembler/ARMv7/ARMv7DOpcode.cpp:
2786         (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::appendRegisterList):
2787         (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPopMultiple::format):
2788         (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushMultiple::format):
2789         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::format):
2790         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::format):
2791         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::format):
2792         * disassembler/ARMv7/ARMv7DOpcode.h:
2793         (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::registerList):
2794         (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::condition):
2795         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::condition):
2796         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::dBit):
2797         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::vd):
2798         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::szBit):
2799         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::eBit):
2800         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::mBit):
2801         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::vm):
2802         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::condition):
2803         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::dBit):
2804         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::op2):
2805         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::vd):
2806         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::szBit):
2807         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::op):
2808         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::mBit):
2809         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::vm):
2810         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::condition):
2811         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::uBit):
2812         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::rn):
2813         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::vd):
2814         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::doubleReg):
2815         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::immediate8):
2816
2817 2014-09-04  Mark Lam  <mark.lam@apple.com>
2818
2819         Move PropertySlot's inline functions back to PropertySlot.h.
2820         <https://webkit.org/b/136547>
2821
2822         Reviewed by Filip Pizlo.
2823
2824         * runtime/JSObject.h:
2825         (JSC::PropertySlot::getValue): Deleted.
2826         * runtime/PropertySlot.h:
2827         (JSC::PropertySlot::getValue):
2828
2829 2014-09-04  Filip Pizlo  <fpizlo@apple.com>
2830
2831         Make sure that deleting all code first processes the call edge log, and reenable call edge profiling.
2832
2833         Rubber stamped by Sam Weinig.
2834
2835         * debugger/Debugger.cpp:
2836         (JSC::Debugger::forEachCodeBlock):
2837         (JSC::Debugger::setSteppingMode):
2838         (JSC::Debugger::recompileAllJSFunctions):
2839         * inspector/agents/InspectorRuntimeAgent.cpp:
2840         (Inspector::recompileAllJSFunctionsForTypeProfiling):
2841         * runtime/Options.h: Reenable call edge profiling.
2842         * runtime/VM.cpp:
2843         (JSC::VM::prepareToDiscardCode): Make sure this also processes the call edge log, in case any call edge profiles are about to be destroyed.
2844         (JSC::VM::discardAllCode):
2845         (JSC::VM::releaseExecutableMemory):
2846         (JSC::VM::setEnabledProfiler):
2847         (JSC::VM::waitForCompilationsToComplete): Deleted.
2848         * runtime/VM.h: Rename waitForCompilationsToComplete() back to prepareToDiscardCode() because the purpose of the method - now as ever - is to do all of the things that need to be done to ensure that code may be safely deleted.
2849
2850 2014-09-04  Akos Kiss  <akiss@inf.u-szeged.hu>
2851
2852         Ensure that the call frame set up by vmEntryToNative does not overlap with the stack of the callee
2853         https://bugs.webkit.org/show_bug.cgi?id=136485
2854
2855         Reviewed by Michael Saboff.
2856
2857         Changed makeHostFunctionCall to keep the stack pointer above the call
2858         frame set up by doVMEntry. Thus the callee will not/cannot override the top
2859         of the call frame.
2860
2861         Refactored the two (32_64 and 64) versions of makeHostFunctionCall to be
2862         more alike to help future maintenance.
2863
2864         * llint/LowLevelInterpreter32_64.asm:
2865         * llint/LowLevelInterpreter64.asm:
2866
2867 2014-09-04  Michael Saboff  <msaboff@apple.com>
2868
2869         REGRESSION(r173031): crashes during run-layout-jsc on x86/Linux
2870         https://bugs.webkit.org/show_bug.cgi?id=136436
2871
2872         Reviewed by Geoffrey Garen.
2873
2874         Instead of trying to calculate a stack pointer that allows for possible
2875         stacked argument space, just use the "home" stack pointer location.
2876         That stack pointer provides space for the worst case number of stacked
2877         arguments on architectures that use stacked arguments.  It also provides
2878         stack space so that the return PC and caller frame pointer that are stored
2879         as part of making the call to operationCallEval will not override any part
2880         of the callee frame created on the stack.
2881
2882         Changed compileCallEval() to use the stackPointer value of the calling
2883         function.  That stack pointer is calculated to have enough space for
2884         outgoing stacked arguments.  By moving the stack pointer to its "home"
2885         position, the caller frame and return PC are not set as part of making
2886         the call to operationCallEval().  Moved the explicit setting of the
2887         callerFrame field of the callee CallFrame from operationCallEval() to
2888         compileCallEval() since it has been the artifact of making a call for
2889         most architectures.  Simplified the exception logic in compileCallEval()
2890         as a result of the change.  To be compliant with the stack state
2891         expected by virtualCallThunkGenerator(), moved the stack pointer to
2892         point above the CallerFrameAndPC of the callee CallFrame.
2893
2894         * jit/JIT.h: Changed callOperationNoExceptionCheck(J_JITOperation_EE, ...)
2895         to callOperation(J_JITOperation_EE, ...) as it now can do a typical exception
2896         check.
2897         * jit/JITCall.cpp & jit/JITCall32_64.cpp:
2898         (JSC::JIT::compileCallEval): Use the home stack pointer when making the call
2899         to operationCallEval.  Since the stack pointer adjustment no longer needs
2900         to be done after making the call to operationCallEval(), the exception check
2901         logic can be simplified.
2902         (JSC::JIT::compileCallEvalSlowCase): Restored the stack pointer to point
2903         to above the calleeFrame as this is what the generated thunk expects.
2904         * jit/JITInlines.h:
2905         (JSC::JIT::callOperation): Refactor of callOperationNoExceptionCheck
2906         with the addition of a standard exception check.
2907         (JSC::JIT::callOperationNoExceptionCheck): Deleted.
2908         * jit/JITOperations.cpp:
2909         (JSC::operationCallEval): Eliminated the explicit setting of caller frame
2910         as that is now done in the code generated by compileCallEval().
2911
2912 2014-09-03  Filip Pizlo  <fpizlo@apple.com>
2913
2914         Beef up the DFG's CFG analyses to include iterated dominance frontiers and more user-friendly BlockSets
2915         https://bugs.webkit.org/show_bug.cgi?id=136520
2916
2917         Reviewed by Geoffrey Garen.
2918         
2919         Add code to compute iterated dominance frontiers. This involves using BlockSet a lot, so
2920         this patch also makes BlockSet a lot more user-friendly.
2921
2922         * CMakeLists.txt:
2923         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2924         * JavaScriptCore.xcodeproj/project.pbxproj:
2925         * dfg/DFGBasicBlock.h:
2926         * dfg/DFGBlockSet.cpp: Added.
2927         (JSC::DFG::BlockSet::dump):
2928         * dfg/DFGBlockSet.h:
2929         (JSC::DFG::BlockSet::iterator::iterator):
2930         (JSC::DFG::BlockSet::iterator::operator++):
2931         (JSC::DFG::BlockSet::iterator::operator==):
2932         (JSC::DFG::BlockSet::iterator::operator!=):
2933         (JSC::DFG::BlockSet::Iterable::Iterable):
2934         (JSC::DFG::BlockSet::Iterable::begin):
2935         (JSC::DFG::BlockSet::Iterable::end):
2936         (JSC::DFG::BlockSet::iterable):
2937         (JSC::DFG::BlockAdder::BlockAdder):
2938         (JSC::DFG::BlockAdder::operator()):
2939         * dfg/DFGBlockSetInlines.h: Added.
2940         (JSC::DFG::BlockSet::iterator::operator*):
2941         * dfg/DFGDominators.cpp:
2942         (JSC::DFG::Dominators::strictDominatorsOf):
2943         (JSC::DFG::Dominators::dominatorsOf):
2944         (JSC::DFG::Dominators::blocksStrictlyDominatedBy):
2945         (JSC::DFG::Dominators::blocksDominatedBy):
2946         (JSC::DFG::Dominators::dominanceFrontierOf):
2947         (JSC::DFG::Dominators::iteratedDominanceFrontierOf):
2948         * dfg/DFGDominators.h:
2949         (JSC::DFG::Dominators::forAllStrictDominatorsOf):
2950         (JSC::DFG::Dominators::forAllDominatorsOf):
2951         (JSC::DFG::Dominators::forAllBlocksStrictlyDominatedBy):
2952         (JSC::DFG::Dominators::forAllBlocksDominatedBy):
2953         (JSC::DFG::Dominators::forAllBlocksInDominanceFrontierOf):
2954         (JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOf):
2955         (JSC::DFG::Dominators::forAllBlocksInDominanceFrontierOfImpl):
2956         (JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOfImpl):
2957         * dfg/DFGGraph.cpp:
2958         (JSC::DFG::Graph::dumpBlockHeader):
2959         * dfg/DFGInvalidationPointInjectionPhase.cpp:
2960         (JSC::DFG::InvalidationPointInjectionPhase::run):
2961
2962 2014-09-04  Mark Lam  <mark.lam@apple.com>
2963
2964         Fixed indentations and some style warnings in JavaScriptCore/runtime.
2965         <https://webkit.org/b/136518>
2966
2967         Reviewed by Michael Saboff.
2968
2969         Also removed some superfluous spaces.  There are no semantic changes.
2970
2971         * runtime/Completion.h:
2972         * runtime/ConstructData.h:
2973         * runtime/DateConstructor.h:
2974         * runtime/DateInstance.h:
2975         * runtime/DateInstanceCache.h:
2976         * runtime/DatePrototype.h:
2977         * runtime/Error.h:
2978         * runtime/ErrorConstructor.h:
2979         * runtime/ErrorInstance.h:
2980         * runtime/ErrorPrototype.h:
2981         * runtime/FunctionConstructor.h:
2982         * runtime/FunctionPrototype.h:
2983         * runtime/GetterSetter.h:
2984         * runtime/Identifier.h:
2985         * runtime/InitializeThreading.h:
2986         * runtime/InternalFunction.h:
2987         * runtime/JSAPIValueWrapper.h:
2988         * runtime/JSFunction.h:
2989         * runtime/JSLock.h:
2990         * runtime/JSNotAnObject.h:
2991         * runtime/JSONObject.h:
2992         * runtime/JSString.h:
2993         * runtime/JSTypeInfo.h:
2994         * runtime/JSWrapperObject.h:
2995         * runtime/Lookup.h:
2996         * runtime/MathObject.h:
2997         * runtime/NativeErrorConstructor.h:
2998         * runtime/NativeErrorPrototype.h:
2999         * runtime/NumberConstructor.h:
3000         * runtime/NumberObject.h:
3001         * runtime/NumberPrototype.h:
3002         * runtime/NumericStrings.h:
3003         * runtime/ObjectConstructor.h:
3004         * runtime/ObjectPrototype.h:
3005         * runtime/PropertyDescriptor.h:
3006         * runtime/Protect.h:
3007         * runtime/PutPropertySlot.h:
3008         * runtime/RegExp.h:
3009         * runtime/RegExpCachedResult.h:
3010         * runtime/RegExpConstructor.h:
3011         * runtime/RegExpMatchesArray.h:
3012         * runtime/RegExpObject.h:
3013         * runtime/RegExpPrototype.h:
3014         * runtime/SmallStrings.h:
3015         * runtime/StringConstructor.h:
3016         * runtime/StringObject.h:
3017         * runtime/StringPrototype.h:
3018         * runtime/StructureChain.h:
3019         * runtime/VM.h:
3020
3021 2014-09-04  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>
3022
3023         Remove CSS_FILTERS flag
3024         https://bugs.webkit.org/show_bug.cgi?id=136529
3025
3026         Reviewed by Dirk Schulze.
3027
3028         * Configurations/FeatureDefines.xcconfig:
3029
3030 2014-09-04  Commit Queue  <commit-queue@webkit.org>
3031
3032         Unreviewed, rolling out r173248.
3033         https://bugs.webkit.org/show_bug.cgi?id=136536
3034
3035         call edge profiling and polymorphic call inlining are still
3036         causing crashes (Requested by eric_carlson on #webkit).
3037
3038         Reverted changeset:
3039
3040         "Reenable call edge profiling and polymorphic call inlining,
3041         now that a bunch of the bugs"
3042         http://trac.webkit.org/changeset/173248
3043
3044 2014-09-04  Brian J. Burg  <burg@cs.washington.edu>
3045
3046         Web Inspector: the profiler should not accrue time to nodes while the debugger is paused
3047         https://bugs.webkit.org/show_bug.cgi?id=136352
3048
3049         Reviewed by Timothy Hatcher.
3050
3051         Hook up pause/continue events to the LegacyProfiler and any active
3052         ProfilerGenerators. If the debugger is paused, all intervening call
3053         entries will be created with totalTime as 0.0.
3054
3055         * inspector/ScriptDebugServer.cpp:
3056         (Inspector::ScriptDebugServer::handlePause):
3057         * profiler/LegacyProfiler.cpp: Move from typedef'd callbacks to using
3058         std::function. This allows callbacks to take different argument types.
3059
3060         (JSC::callFunctionForProfilesWithGroup):
3061         (JSC::LegacyProfiler::willExecute):
3062         (JSC::LegacyProfiler::didExecute):
3063         (JSC::LegacyProfiler::exceptionUnwind):
3064         (JSC::LegacyProfiler::didPause):
3065         (JSC::LegacyProfiler::didContinue):
3066         (JSC::dispatchFunctionToProfiles): Deleted.
3067         * profiler/LegacyProfiler.h:
3068         * profiler/ProfileGenerator.cpp:
3069         (JSC::ProfileGenerator::ProfileGenerator):
3070         (JSC::ProfileGenerator::endCallEntry):
3071         (JSC::ProfileGenerator::didExecute): Deleted.
3072         * profiler/ProfileGenerator.h:
3073         (JSC::ProfileGenerator::didPause):
3074         (JSC::ProfileGenerator::didContinue):
3075
3076 2014-09-04  Commit Queue  <commit-queue@webkit.org>
3077
3078         Unreviewed, rolling out r173245.
3079         https://bugs.webkit.org/show_bug.cgi?id=136533
3080
3081         Broke JSC tests. (Requested by ddkilzer on #webkit).
3082
3083         Reverted changeset:
3084
3085         "JavaScriptCore should build with newer clang"
3086         https://bugs.webkit.org/show_bug.cgi?id=136002
3087         http://trac.webkit.org/changeset/173245
3088
3089 2014-09-04  Brian J. Burg  <burg@cs.washington.edu>
3090
3091         LegacyProfiler: ProfileNodes should be used more like structs
3092         https://bugs.webkit.org/show_bug.cgi?id=136381
3093
3094         Reviewed by Timothy Hatcher.
3095
3096         Previously, both the profile generator and individual profile nodes
3097         were collectively responsible for creating new Call entries and
3098         maintaining data structure invariants. This complexity is unnecessary.
3099
3100         This patch centralizes profile data creation inside the profile generator.
3101         The profile nodes manage nextSibling and parent pointers, but do not
3102         collect the current time or create new Call entries themselves.
3103
3104         Since ProfileNode::nextSibling and its callers are only used within
3105         debug printing code, it should be compiled out for release builds.
3106
3107         * profiler/ProfileGenerator.cpp:
3108         (JSC::ProfileGenerator::ProfileGenerator):
3109         (JSC::AddParentForConsoleStartFunctor::operator()):
3110         (JSC::ProfileGenerator::beginCallEntry): create a new Call entry.
3111         (JSC::ProfileGenerator::endCallEntry): finish the last Call entry.
3112         (JSC::ProfileGenerator::willExecute): inline ProfileNode::willExecute()
3113         (JSC::ProfileGenerator::didExecute): inline ProfileNode::didExecute()
3114         (JSC::ProfileGenerator::stopProfiling): Only walk up the spine.
3115         (JSC::ProfileGenerator::removeProfileStart):
3116         (JSC::ProfileGenerator::removeProfileEnd):
3117         * profiler/ProfileGenerator.h:
3118         * profiler/ProfileNode.cpp:
3119         (JSC::ProfileNode::ProfileNode):
3120         (JSC::ProfileNode::addChild):
3121         (JSC::ProfileNode::removeChild):
3122         (JSC::ProfileNode::spliceNode): Renamed from insertNode.
3123         (JSC::ProfileNode::debugPrintRecursively):
3124         (JSC::ProfileNode::willExecute): Deleted.
3125         (JSC::ProfileNode::insertNode): Deleted.
3126         (JSC::ProfileNode::stopProfiling): Deleted.
3127         (JSC::ProfileNode::traverseNextNodePostOrder):
3128         (JSC::ProfileNode::endAndRecordCall): Deleted.
3129         (JSC::ProfileNode::debugPrintDataSampleStyle):
3130         * profiler/ProfileNode.h:
3131         (JSC::ProfileNode::Call::setStartTime):
3132         (JSC::ProfileNode::Call::setTotalTime):
3133         (JSC::ProfileNode::appendCall):
3134         (JSC::ProfileNode::firstChild):
3135         (JSC::ProfileNode::lastChild):
3136         (JSC::ProfileNode::nextSibling):
3137         (JSC::ProfileNode::setNextSibling):
3138
3139 2014-09-02  Brian J. Burg  <burg@cs.washington.edu>
3140
3141         Web Inspector: fix prefixes for subclasses of JSC::ConsoleClient
3142         https://bugs.webkit.org/show_bug.cgi?id=136476
3143
3144         Reviewed by Timothy Hatcher.
3145
3146         * CMakeLists.txt:
3147         * JavaScriptCore.xcodeproj/project.pbxproj:
3148         * inspector/JSGlobalObjectConsoleClient.cpp: Renamed from Source/JavaScriptCore/inspector/JSConsoleClient.cpp.
3149         * inspector/JSGlobalObjectConsoleClient.h: Renamed from Source/JavaScriptCore/inspector/JSConsoleClient.h.
3150         * inspector/JSGlobalObjectInspectorController.cpp:
3151         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3152         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
3153         * inspector/JSGlobalObjectInspectorController.h:
3154
3155 2014-09-03  Filip Pizlo  <fpizlo@apple.com>
3156
3157         Reenable call edge profiling and polymorphic call inlining, now that a bunch of the bugs
3158         are fixed.
3159
3160         * runtime/Options.h:
3161
3162 2014-09-03  David Kilzer  <ddkilzer@apple.com>
3163
3164         JavaScriptCore should build with newer clang
3165         <http://webkit.org/b/136002>
3166         <rdar://problem/18020616>
3167
3168         Reviewed by Geoffrey Garen.
3169
3170         Other than the JSC::SourceProvider::asID() change (which simply
3171         removes code that the optimizing compiler would have discarded
3172         in Release builds), we move the |this| checks in OpaqueJSString
3173         to NULL checks into JSBase, JSScriptRef, JSStringRef{CF} and
3174         JSValueRef.
3175
3176         * API/JSBase.cpp:
3177         (JSEvaluateScript): Use String() in case |script| or |sourceURL|
3178         are NULL.
3179         * API/JSScriptRef.cpp:
3180         (JSScriptCreateReferencingImmortalASCIIText): Use String() in
3181         case |url| is NULL.
3182         * API/JSStringRef.cpp:
3183         (JSStringGetLength): Return early if NULL pointer is passed in.
3184         (JSStringGetCharactersPtr): Ditto.
3185         (JSStringGetUTF8CString): Ditto.  Also check |buffer| parameter.
3186         * API/JSStringRefCF.cpp:
3187         (JSStringCopyCFString): Ditto.
3188         * API/JSValueRef.cpp:
3189         (JSValueMakeString): Use String() in case |string| is NULL.
3190
3191         * API/OpaqueJSString.cpp:
3192         (OpaqueJSString::string): Remove code that checks |this|.
3193         (OpaqueJSString::identifier): Ditto.
3194         (OpaqueJSString::characters): Ditto.
3195         * API/OpaqueJSString.h:
3196         (OpaqueJSString::is8Bit): Remove code that checks |this|.
3197         (OpaqueJSString::characters8): Ditto.
3198         (OpaqueJSString::characters16): Ditto.
3199         (OpaqueJSString::length): Ditto.
3200
3201         * parser/SourceProvider.h:
3202         (JSC::SourceProvider::asID): Remove code that checks |this|.
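        The |this| checks removed above are the security-relevant part of this
        change: a member function is only ever called on a valid object, so a
        newer clang treats `this == NULL` as impossible and deletes the branch,
        leaving a NULL caller with an unchecked dereference. The fix is to test
        the pointer at the C API boundary, before any member function runs. The
        following is an added illustration of that pattern, not WebKit code;
        OpaqueString, StringRef, StringGetLength and StringGetUTF8CString are
        hypothetical stand-ins for OpaqueJSString and the JSStringRef entry
        points, and the sample strings are constructed for the example.

```cpp
// Added example (not WebKit code): null checks belong at the C API boundary,
// not inside member functions, because a |this| check is undefined behaviour
// that the optimizer may remove.
#include <cstddef>
#include <cstring>
#include <string>

// Hypothetical stand-in for OpaqueJSString.
struct OpaqueString {
    std::string value;

    // BEFORE (the pattern this change removed): a member function that
    // tests |this|. Newer clang assumes |this| is non-null and drops the
    // branch, so the "check" silently disappears:
    //
    //   size_t length() const { if (!this) return 0; return value.size(); }
    //
    // AFTER: member functions assume a valid object and do no such check.
    size_t length() const { return value.size(); }
    const char* data() const { return value.c_str(); }
};

// Opaque handle type as a C API would expose it (hypothetical).
typedef const OpaqueString* StringRef;

// The C entry point is what careless or untrusted callers reach, so the NULL
// check lives here, before any member function is invoked.
size_t StringGetLength(StringRef string) {
    if (!string)
        return 0;
    return string->length();
}

// Mirrors "Also check |buffer| parameter": both the string and the destination
// must be non-NULL, and the copy is bounded by bufferSize. Returns the number
// of bytes written including the terminating NUL, or 0 on bad arguments.
size_t StringGetUTF8CString(StringRef string, char* buffer, size_t bufferSize) {
    if (!string || !buffer || bufferSize == 0)
        return 0;
    size_t toCopy = string->length();
    if (toCopy >= bufferSize)
        toCopy = bufferSize - 1;   // leave room for the NUL; never overrun
    std::memcpy(buffer, string->data(), toCopy);
    buffer[toCopy] = '\0';
    return toCopy + 1;
}
```

        The point to carry away: a NULL handle now returns 0 from the API
        functions regardless of optimization level, whereas the removed
        `if (!this)` form gave that guarantee only when the compiler happened
        to keep the branch.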
3203
3204 2014-09-03  Filip Pizlo  <fpizlo@apple.com>
3205
3206         CallEdgeProfile::visitWeak() shouldn't attempt to despecify empty profiles
3207         https://bugs.webkit.org/show_bug.cgi?id=136511
3208
3209         Reviewed by Geoffrey Garen.
3210
3211         * bytecode/CallEdgeProfile.cpp:
3212         (JSC::CallEdgeProfile::worthDespecifying):
3213         (JSC::CallEdgeProfile::visitWeak):
3214         (JSC::CallEdgeProfile::mergeBack):
3215
3216 2014-09-03  David Kilzer  <ddkilzer@apple.com>
3217
3218         REGRESSION (r167325): (null) entry added to Xcode project file when JSBoundFunction.h was removed
3219         <http://webkit.org/b/136509>
3220
3221         Reviewed by Daniel Bates.
3222
3223         * JavaScriptCore.xcodeproj/project.pbxproj: Remove the (null)
3224         entry left behind when JSBoundFunction.h was removed.
3225
3226 2014-09-03  Joseph Pecoraro  <pecoraro@apple.com>
3227
3228         Avoid warning if a process does not have access to com.apple.webinspector
3229         https://bugs.webkit.org/show_bug.cgi?id=136473
3230
3231         Reviewed by Alexey Proskuryakov.
3232
3233         Pre-check for access to the mach port to avoid emitting warnings
3234         in syslog for processes that do not have access.
3235
3236         * inspector/remote/RemoteInspector.mm:
3237         (Inspector::canAccessWebInspectorMachPort):
3238         (Inspector::RemoteInspector::shared):
3239
3240 2014-09-03  Filip Pizlo  <fpizlo@apple.com>
3241
3242         Temporarily disable call edge profiling. It is causing crashes and I'm still investigating
3243         them.
3244
3245         * runtime/Options.h:
3246
3247 2014-09-03  Balazs Kilvady  <kilvadyb@homejinni.com>
3248
3249         [MIPS] Wrong register usage in LLInt op_catch.
3250         https://bugs.webkit.org/show_bug.cgi?id=125168
3251
3252         Reviewed by Geoffrey Garen.
3253
3254         Fix register usage and add PIC header to all the ops in LLInt.
3255
3256         * offlineasm/instructions.rb:
3257         * offlineasm/mips.rb:
3258
3259 2014-09-03  Saam Barati  <saambarati1@gmail.com>
3260
3261         Create tests for type profiling
3262         https://bugs.webkit.org/show_bug.cgi?id=136161
3263
3264         Reviewed by Geoffrey Garen.
3265
3266         The type profiler is now being tested. These are basic tests that don't
3267         check every edge case, but will catch any major failures in the type profiler.
3268         These tests cover:
3269         - The basic, inheritance-based type system in TypeSet.
3270         - Function return types.
3271         - Correct merging of types for multiple assignments to one variable.
3272
3273         This patch also provides an API for writing new tests for
3274         the type profiler. The API works by passing in a function and a
3275         unique substring of an expression contained in that function, and
3276         returns an object representing type information for that expression.
3277
3278         * jsc.cpp:
3279         (GlobalObject::finishCreation):
3280         (functionFindTypeForExpression):
3281         (functionReturnTypeFor):
3282         * runtime/TypeProfiler.cpp:
3283         (JSC::TypeProfiler::typeInformationForExpressionAtOffset):
3284         * runtime/TypeProfiler.h:
3285         * runtime/TypeProfilerLog.h:
3286         * runtime/TypeSet.cpp:
3287         (JSC::TypeSet::toJSONString):
3288         (JSC::StructureShape::toJSONString):
3289         * runtime/TypeSet.h:
3290         * tests/typeProfiler: Added.
3291         * tests/typeProfiler.yaml: Added.
3292         * tests/typeProfiler/basic.js: Added.
3293         (wrapper.foo):
3294         (wrapper):
3295         * tests/typeProfiler/captured.js: Added.
3296         (wrapper.changeFoo):
3297         (wrapper):
3298         * tests/typeProfiler/driver: Added.
3299         * tests/typeProfiler/driver/driver.js: Added.
3300         (assert):
3301         * tests/typeProfiler/inheritance.js: Added.
3302         (wrapper.A):
3303         (wrapper.B):
3304         (wrapper.C):
3305         (wrapper):
3306         * tests/typeProfiler/return.js: Added.
3307         (foo):
3308         (Ctor):
3309
3310 2014-09-03  Julien Brianceau  <jbriance@cisco.com>
3311
3312         Add missing implementations to fix build for sh4 architecture
3313         https://bugs.webkit.org/show_bug.cgi?id=136455
3314
3315         Reviewed by Geoffrey Garen.
3316
3317         * assembler/MacroAssemblerSH4.h:
3318         (JSC::MacroAssemblerSH4::store8):
3319         (JSC::MacroAssemblerSH4::moveWithPatch):
3320         (JSC::MacroAssemblerSH4::branchAdd32):
3321         (JSC::MacroAssemblerSH4::branch32WithPatch):
3322         (JSC::MacroAssemblerSH4::abortWithReason):
3323         (JSC::MacroAssemblerSH4::canJumpReplacePatchableBranch32WithPatch):
3324         (JSC::MacroAssemblerSH4::startOfPatchableBranch32WithPatchOnAddress):
3325         (JSC::MacroAssemblerSH4::revertJumpReplacementToPatchableBranch32WithPatch):
3326         * jit/AssemblyHelpers.h:
3327         (JSC::AssemblyHelpers::emitFunctionPrologue):
3328         (JSC::AssemblyHelpers::emitFunctionEpilogue):
3329
3330 2014-09-03  Dan Bernstein  <mitz@apple.com>
3331
3332         Get rid of HIGH_DPI_CANVAS leftovers
3333         https://bugs.webkit.org/show_bug.cgi?id=136491
3334
3335         Reviewed by Benjamin Poulain.
3336
3337         * Configurations/FeatureDefines.xcconfig: Removed definition of ENABLE_HIGH_DPI_CANVAS
3338         and removed it from FEATURE_DEFINES.
3339
3340 2014-09-03  Filip Pizlo  <fpizlo@apple.com>
3341
3342         CallEdgeProfile::visitWeak() should gracefully handle the case where primaryCallee duplicates an entry in otherCallees
3343         https://bugs.webkit.org/show_bug.cgi?id=136490
3344
3345         Reviewed by Geoffrey Garen.
3346
3347         * bytecode/CallEdgeProfile.cpp:
3348         (JSC::CallEdgeProfile::visitWeak):
3349
3350 2014-09-03  Filip Pizlo  <fpizlo@apple.com>