Out of bounds read in IdentifierArena::makeIdentifier
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-01-12  Geoffrey Garen  <ggaren@apple.com>

        Out of bounds read in IdentifierArena::makeIdentifier
        https://bugs.webkit.org/show_bug.cgi?id=140376

        Patch by Alexey Proskuryakov.

        Reviewed and ChangeLogged by Geoffrey Garen.

        No test, since this is a small past-the-end read, which is very
        difficult to turn into a reproducible failing test -- and existing tests
        crash reliably using ASan.

        * parser/ParserArena.h:
        (JSC::IdentifierArena::makeIdentifier):
        (JSC::IdentifierArena::makeIdentifierLCharFromUChar): Check for a
        zero-length string input, like we do in the literal parser, since it is
        not valid to dereference characters in a zero-length string.

        A zero-length string is allowed in JavaScript -- for example, "".

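The zero-length check this entry describes, as an added C++ illustration that is not WebKit's ParserArena.h code: a toy identifier arena whose single-character fast path peeks at characters[0], shown first in the unchecked form that reads one past the end of an empty buffer and then with the length guard in front of it. The class layout, the single-character cache and the constant kMaximumCachableCharacter are assumptions made for the example, not WebKit's internals.

```cpp
#include <cstddef>
#include <deque>
#include <string>
#include <vector>

// Added illustration, not WebKit's code: a toy identifier arena modelled on
// the pattern fixed in bug 140376. Names and the cache layout are assumptions.
class IdentifierArena {
public:
    // Assumed bound for the single-character cache (ASCII only).
    static constexpr int kMaximumCachableCharacter = 128;

    // Unchecked form of the fast path: characters[0] is read before length
    // has been checked, so for a zero-length input (the JavaScript literal "")
    // it touches one byte past the end of the caller's buffer. The read is
    // silent in release builds; ASan reports it, as the entry notes.
    const std::string& makeIdentifierUnchecked(const char* characters, size_t length)
    {
        int first = static_cast<unsigned char>(characters[0]);
        if (first >= kMaximumCachableCharacter)
            return append(characters, length);
        if (length == 1)
            return singleCharacter(characters[0]);
        return append(characters, length);
    }

    // Hardened form: reject the zero-length case before any dereference and
    // return one shared empty identifier, as the literal parser already did.
    const std::string& makeIdentifier(const char* characters, size_t length)
    {
        if (!length)
            return m_emptyIdentifier;
        return makeIdentifierUnchecked(characters, length);
    }

private:
    const std::string& append(const char* characters, size_t length)
    {
        m_identifiers.emplace_back(characters, length);
        return m_identifiers.back(); // std::deque keeps earlier references valid
    }

    const std::string& singleCharacter(char c)
    {
        std::string& slot = m_singleCharacterCache[static_cast<unsigned char>(c)];
        if (slot.empty())
            slot.assign(1, c);
        return slot;
    }

    std::string m_emptyIdentifier;
    std::string m_singleCharacterCache[kMaximumCachableCharacter];
    std::deque<std::string> m_identifiers;
};

// An empty std::vector models the parser's zero-length token: data() may be
// nullptr, and even when it is not, element 0 does not exist. Only the hardened
// entry point is safe to call on it.
bool hardenedHandlesEmptyInput()
{
    std::vector<char> token; // constructed: length-0 input, like the literal ""
    IdentifierArena arena;
    const std::string& id = arena.makeIdentifier(token.data(), token.size());
    return id.empty();
}

// Single ASCII characters come back from the cache, so repeated lookups
// return the same object.
bool singleCharacterIsCached()
{
    IdentifierArena arena;
    const std::string& a = arena.makeIdentifier("x", 1);
    const std::string& b = arena.makeIdentifier("x", 1);
    return a == "x" && &a == &b;
}

// Anything else (longer names, or a non-ASCII first byte) is appended.
bool otherInputsAreAppended()
{
    IdentifierArena arena;
    const std::string& name = arena.makeIdentifier("foo", 3);
    const std::string& high = arena.makeIdentifier("\xC3\xA9", 2); // constructed: UTF-8 "é"
    return name == "foo" && high.size() == 2;
}

int main()
{
    bool ok = hardenedHandlesEmptyInput() && singleCharacterIsCached() && otherInputsAreAppended();
    return ok ? 0 : 1;
}
```

The guard has to sit in front of every dereference, not only on the length == 1 branch: the unchecked form's first read happens before any length comparison, which is why a length check added later in the function would not have closed the bug. Building the test input from an empty std::vector rather than a "" literal matters too, because a literal carries a readable NUL terminator and hides the past-the-end read that ASan catches on the real parser buffers.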
2015-01-11  Sam Weinig  <sam@webkit.org>

        Remove support for SharedWorkers
        https://bugs.webkit.org/show_bug.cgi?id=140344

        Reviewed by Anders Carlsson.

        * Configurations/FeatureDefines.xcconfig:

2015-01-12  Myles C. Maxfield  <mmaxfield@apple.com>

        Allow targeting the SVG->OTF font converter with ENABLE(SVG_OTF_CONVERTER)
        https://bugs.webkit.org/show_bug.cgi?id=136769

        Reviewed by Antti Koivisto.

        * Configurations/FeatureDefines.xcconfig:

2015-01-12  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r178266.
        https://bugs.webkit.org/show_bug.cgi?id=140363

        Broke a JSC test (Requested by ap on #webkit).

        Reverted changeset:

        "Local JSArray* "keys" in objectConstructorKeys() is not
        marked during garbage collection"
        https://bugs.webkit.org/show_bug.cgi?id=140348
        http://trac.webkit.org/changeset/178266

2015-01-12  Michael Saboff  <msaboff@apple.com>

        Local JSArray* "keys" in objectConstructorKeys() is not marked during garbage collection
        https://bugs.webkit.org/show_bug.cgi?id=140348

        Reviewed by Mark Lam.

        Move the address of the local variable that is used to demarcate the top of the stack for
        conservative roots down to MachineThreads::gatherFromCurrentThread() since it also gets
        the register values using setjmp().  That way we don't lose any callee save register
        contents between Heap::markRoots(), where it was set, and gatherFromCurrentThread().
        If we lose any JSObject* that are only in callee save registers, they will be GC'ed
        erroneously.

        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::gatherStackRoots):
        * heap/Heap.h:
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::gatherFromCurrentThread):
        (JSC::MachineThreads::gatherConservativeRoots):
        * heap/MachineStackMarker.h:

2015-01-11  Eric Carlson  <eric.carlson@apple.com>

        Fix typo in testapi.c error messages
        https://bugs.webkit.org/show_bug.cgi?id=140305

        Reviewed by Geoffrey Garen.

        * API/tests/testapi.c:
        (main): "... script did not timed out ..." -> "... script did not time out ..."

2015-01-09  Michael Saboff  <msaboff@apple.com>

        Breakpoint doesn't fire in this HTML5 game
        https://bugs.webkit.org/show_bug.cgi?id=140269

        Reviewed by Mark Lam.

        When parsing a single line cached function, use the lineStartOffset of the
        location where we found the cached function instead of the cached lineStartOffset.
        The cache location's lineStartOffset has not been adjusted for any possible
        containing functions.

        This change is not needed for multi-line cached functions.  Consider the
        single line source:

        function outer(){function inner1(){doStuff();}; (function inner2() {doMoreStuff()})()}

        On the first parser pass, we parse and cache inner1() and inner2() with a lineStartOffset
        of 0.  Later when we parse outer() and find inner1() in the cache, the SourceCode start
        character is at outer()'s outermost open brace.  That is what we should use for
        lineStartOffset for inner1().  When done parsing inner1() we set the parsing token
        to the saved location for inner1(), including the lineStartOffset of 0.  We need
        to use the value of lineStartOffset before we started parsing inner1().  That is
        what the fix does.  When we parse inner2() the lineStartOffset will be correct.

        For a multi-line function, the close brace is guaranteed to be on a different line
        than the open brace.  Hence, its lineStartOffset will not change with the change of
        the SourceCode start character.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseFunctionInfo):

2015-01-09  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Uncaught Exception in ProbeManager deleting breakpoint
        https://bugs.webkit.org/show_bug.cgi?id=140279
        rdar://problem/19422299

        Reviewed by Oliver Hunt.

        * runtime/MapData.cpp:
        (JSC::MapData::replaceAndPackBackingStore):
        The cell table also needs to have its values fixed.

2015-01-09  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove or use TimelineAgent Resource related event types
        https://bugs.webkit.org/show_bug.cgi?id=140155

        Reviewed by Timothy Hatcher.

        Remove unused / stale Timeline event types.

        * inspector/protocol/Timeline.json:

2015-01-09  Csaba Osztrogonác  <ossy@webkit.org>

        REGRESSION(r177925): It broke the !ENABLE(INSPECTOR) build
        https://bugs.webkit.org/show_bug.cgi?id=140098

        Reviewed by Brian Burg.

        * inspector/InspectorBackendDispatcher.h: Missing ENABLE(INSPECTOR) guard added.

2015-01-08  Mark Lam  <mark.lam@apple.com>

        Argument object created by "Function dot arguments" should use a clone of the argument values.
        <https://webkit.org/b/140093>

        Reviewed by Geoffrey Garen.

        After the change in <https://webkit.org/b/139827>, the dfg-tear-off-arguments-not-activation.js
        test will crash.  The relevant code which manifests the issue is as follows:

            function bar() {
                return foo.arguments;
            }

            function foo(p) {
                var x = 42;
                if (p)
                    return (function() { return x; });
                else
                    return bar();
            }

        In this case, foo() has no knowledge of bar() needing its LexicalEnvironment and
        has dead-code-eliminated the SetLocal that stores it into its designated local.
        In bar(), the factory for the Arguments object (for creating foo.arguments) tries
        to read foo's LexicalEnvironment from its designated lexicalEnvironment local,
        but instead, finds it to be uninitialized.  This results in a null pointer access
        which causes a crash.

        This can be resolved by having bar() instantiate a clone of the Arguments object
        instead, and populate its elements with values fetched directly from foo's frame.
        There's no need to reference foo's LexicalEnvironment (whether present or not).

        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::createArguments):
        * runtime/Arguments.h:
        (JSC::Arguments::finishCreation):

2015-01-08  Mark Lam  <mark.lam@apple.com>

        Make the LLINT and Baseline JIT's op_create_arguments and op_get_argument_by_val use their lexicalEnvironment operand.
        <https://webkit.org/b/140236>

        Reviewed by Geoffrey Garen.

        Will change the DFG to use the operand on a subsequent pass.  For now,
        the DFG uses a temporary thunk (operationCreateArgumentsForDFG()) to
        retain the old behavior of getting the lexicalEnvironment from the
        ExecState.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitGetArgumentByVal):
        (JSC::BytecodeGenerator::createArgumentsIfNecessary):
        - When the lexicalEnvironment is not available, pass the invalid VirtualRegister
          instead of an empty JSValue as the lexicalEnvironment operand.

        * dfg/DFGOperations.cpp:
        - Use the lexicalEnvironment from the ExecState for now.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        - Use the operationCreateArgumentsForDFG() thunk for now.

        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::lexicalEnvironmentOrNullptr):
        * interpreter/CallFrame.h:
        - Added this convenience function to return either the
          lexicalEnvironment or a nullptr so that we don't need to do a
          conditional check on codeBlock->needsActivation() at multiple sites.

        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::createArguments):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_create_arguments):
        (JSC::JIT::emitSlow_op_get_argument_by_val):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_create_arguments):
        (JSC::JIT::emitSlow_op_get_argument_by_val):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Arguments.h:
        (JSC::Arguments::create):
        (JSC::Arguments::finishCreation):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::argumentsGetter):

2015-01-08  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Pause Reason Improvements (Breakpoint, Debugger Statement, Pause on Next Statement)
        https://bugs.webkit.org/show_bug.cgi?id=138991

        Reviewed by Timothy Hatcher.

        * debugger/Debugger.cpp:
        (JSC::Debugger::Debugger):
        (JSC::Debugger::pauseIfNeeded):
        (JSC::Debugger::didReachBreakpoint):
        When actually pausing, if we hit a breakpoint ensure the reason
        is PausedForBreakpoint, otherwise use the current reason.

        * debugger/Debugger.h:
        Make pause reason and pausing breakpoint ID public.

        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::buildAssertPauseReason):
        (Inspector::buildCSPViolationPauseReason):
        (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
        (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason):
        (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
        (Inspector::buildObjectForBreakpointCookie):
        (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
        (Inspector::InspectorDebuggerAgent::removeBreakpoint):
        (Inspector::InspectorDebuggerAgent::resolveBreakpoint):
        (Inspector::InspectorDebuggerAgent::pause):
        (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP):
        (Inspector::InspectorDebuggerAgent::currentCallFrames):
        (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
        Clean up creation of pause reason objects and other cleanup
        of PassRefPtr use and InjectedScript use.

        (Inspector::InspectorDebuggerAgent::didPause):
        Clean up so that we first check for an Exception, and then fall
        back to including a Pause Reason derived from the Debugger.

        * inspector/protocol/Debugger.json:
        Add new DebuggerStatement, Breakpoint, and PauseOnNextStatement reasons.

2015-01-08  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Type check NSArrays in ObjC Interfaces have the right object types
        https://bugs.webkit.org/show_bug.cgi?id=140209

        Reviewed by Timothy Hatcher.

        Check the types of objects in NSArrays for all interfaces (commands, events, types)
        when the user can set an array of objects. Previously we were only type checking
        that they were RWIJSONObjects; now we add an explicit check for the exact object type.

        * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
        (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
        * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
        (ObjCFrontendDispatcherImplementationGenerator._generate_event):
        * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
        (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members):
        (ObjCProtocolTypesImplementationGenerator._generate_setter_for_member):
        * inspector/scripts/codegen/objc_generator.py:
        (ObjCGenerator.objc_class_for_array_type):
        (ObjCGenerator):

2015-01-07  Mark Lam  <mark.lam@apple.com>

        Add the lexicalEnvironment as an operand to op_get_argument_by_val.
        <https://webkit.org/b/140233>

        Reviewed by Filip Pizlo.

        This patch only adds the operand to the bytecode.  It is not in use yet.

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetArgumentByVal):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2015-01-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        Investigate the character type of repeated string instead of checking is8Bit flag
        https://bugs.webkit.org/show_bug.cgi?id=140139

        Reviewed by Darin Adler.

        Instead of checking the is8Bit flag of the repeated string, investigate
        the actual value of the repeated character since the is8Bit flag gives a false negative case.

        * runtime/StringPrototype.cpp:
        (JSC::repeatCharacter):
        (JSC::stringProtoFuncRepeat):
        (JSC::repeatSmallString): Deleted.

2015-01-07  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: ObjC Generate types from the GenericTypes domain
        https://bugs.webkit.org/show_bug.cgi?id=140229

        Reviewed by Timothy Hatcher.

        Generate types from the GenericTypes domain, as they are expected
        by other domains (like Page domain). Also, don't include the @protocol
        forward declaration for a domain if it doesn't have any commands.

        * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
        (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations):
        (ObjCBackendDispatcherHeaderGenerator): Deleted.
        (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations_for_domains): Deleted.
        * inspector/scripts/codegen/objc_generator.py:
        (ObjCGenerator):
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/enum-values.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:

2015-01-07  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove unnecessary copyRef for paramsObject in generated dispatchers
        https://bugs.webkit.org/show_bug.cgi?id=140228

        Reviewed by Timothy Hatcher.

        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
        (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
        * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
        (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
        * inspector/scripts/tests/expected/enum-values.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:

2015-01-07  Saam Barati  <saambarati1@gmail.com>

        interpret op_profile_type in the LLInt instead of unconditionally calling into the slow path
        https://bugs.webkit.org/show_bug.cgi?id=140165

        Reviewed by Michael Saboff.

        Inlining the functionality of TypeProfilerLog::recordTypeInformationForLocation
        into the LLInt speeds up type profiling.

        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        * runtime/TypeProfilerLog.h:
        (JSC::TypeProfilerLog::recordTypeInformationForLocation): Deleted.

2015-01-07  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: purge PassRefPtr from Inspector code and use Ref for typed and untyped protocol objects
        https://bugs.webkit.org/show_bug.cgi?id=140053

        Reviewed by Andreas Kling.

        This patch replaces uses of PassRefPtr with uses of RefPtr&& and WTF::move() in code
        related to Web Inspector. It also converts many uses of RefPtr to Ref where
        references are always non-null. These two refactorings have been combined since
        they tend to require similar changes to the code.

        Creation methods for subclasses of InspectorValue now return a Ref, and callsites
        have been updated to take a Ref instead of RefPtr.

        Builders for typed protocol objects now return a Ref. Since there is no implicit
        call to operator&, callsites now must explicitly call .release() to convert a
        builder object into the corresponding protocol object once required fields are set.
        Update callsites and use auto to eliminate repetition of long-winded protocol types.

        Tests for inspector protocol and replay inputs have been rebaselined.

        * bindings/ScriptValue.cpp:
        (Deprecated::jsToInspectorValue):
        (Deprecated::ScriptValue::toInspectorValue):
        * bindings/ScriptValue.h:
        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::addToFrontend):
        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::buildObjectForSearchMatch):
        (Inspector::ContentSearchUtilities::searchInTextByLines):
        * inspector/ContentSearchUtilities.h:
        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::getFunctionDetails):
        (Inspector::InjectedScript::getProperties):
        (Inspector::InjectedScript::getInternalProperties):
        (Inspector::InjectedScript::wrapCallFrames):
        (Inspector::InjectedScript::wrapObject):
        (Inspector::InjectedScript::wrapTable):
        * inspector/InjectedScript.h:
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::makeEvalCall): Split the early exits.
        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::InspectorBackendDispatcher::CallbackBase::CallbackBase):
        (Inspector::InspectorBackendDispatcher::CallbackBase::sendIfActive):
        (Inspector::InspectorBackendDispatcher::create):
        (Inspector::InspectorBackendDispatcher::dispatch):
        (Inspector::InspectorBackendDispatcher::sendResponse):
        (Inspector::InspectorBackendDispatcher::reportProtocolError):
        (Inspector::getPropertyValue): Add a comment to clarify what this clever code does.
        (Inspector::InspectorBackendDispatcher::getInteger):
        (Inspector::InspectorBackendDispatcher::getDouble):
        (Inspector::InspectorBackendDispatcher::getString):
        (Inspector::InspectorBackendDispatcher::getBoolean):
        (Inspector::InspectorBackendDispatcher::getObject):
        (Inspector::InspectorBackendDispatcher::getArray):
        (Inspector::InspectorBackendDispatcher::getValue):
        * inspector/InspectorBackendDispatcher.h: Use a typed protocol object to collect
        protocol error strings.
        (Inspector::InspectorSupplementalBackendDispatcher::InspectorSupplementalBackendDispatcher):
        Convert the supplemental dispatcher's reference to Ref since it is never null.
        * inspector/InspectorEnvironment.h:
        * inspector/InspectorProtocolTypes.h: Get rid of ArrayItemHelper and
        StructItemTraits. Add more versions of addItem to handle pushing various types.
        (Inspector::Protocol::Array::openAccessors):
        (Inspector::Protocol::Array::addItem):
        (Inspector::Protocol::Array::create):
        (Inspector::Protocol::StructItemTraits::push):
        (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast): Assert argument.
        (Inspector::Protocol::StructItemTraits::pushRefPtr): Deleted.
        (Inspector::Protocol::ArrayItemHelper<String>::Traits::pushRaw): Deleted.
        (Inspector::Protocol::ArrayItemHelper<int>::Traits::pushRaw): Deleted.
        (Inspector::Protocol::ArrayItemHelper<double>::Traits::pushRaw): Deleted.
        (Inspector::Protocol::ArrayItemHelper<bool>::Traits::pushRaw): Deleted.
        (Inspector::Protocol::ArrayItemHelper<InspectorValue>::Traits::pushRefPtr): Deleted.
        (Inspector::Protocol::ArrayItemHelper<InspectorObject>::Traits::pushRefPtr): Deleted.
        (Inspector::Protocol::ArrayItemHelper<InspectorArray>::Traits::pushRefPtr): Deleted.
        (Inspector::Protocol::ArrayItemHelper<Protocol::Array<T>>::Traits::pushRefPtr): Deleted.
        * inspector/InspectorValues.cpp: Straighten out getArray and getObject to have
        the same call signature as other getters. Use Ref where possible.
        (Inspector::InspectorObjectBase::getBoolean):
        (Inspector::InspectorObjectBase::getString):
        (Inspector::InspectorObjectBase::getObject):
        (Inspector::InspectorObjectBase::getArray):
        (Inspector::InspectorObjectBase::getValue):
        (Inspector::InspectorObjectBase::writeJSON):
        (Inspector::InspectorArrayBase::get):
        (Inspector::InspectorObject::create):
        (Inspector::InspectorArray::create):
        (Inspector::InspectorValue::null):
        (Inspector::InspectorString::create):
        (Inspector::InspectorBasicValue::create):
        (Inspector::InspectorObjectBase::get): Deleted.
        * inspector/InspectorValues.h:
        (Inspector::InspectorObjectBase::setValue):
        (Inspector::InspectorObjectBase::setObject):
        (Inspector::InspectorObjectBase::setArray):
        (Inspector::InspectorArrayBase::pushValue):
        (Inspector::InspectorArrayBase::pushObject):
        (Inspector::InspectorArrayBase::pushArray):
        * inspector/JSGlobalObjectConsoleClient.cpp:
        (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
        (Inspector::JSGlobalObjectConsoleClient::count):
        (Inspector::JSGlobalObjectConsoleClient::timeEnd):
        (Inspector::JSGlobalObjectConsoleClient::timeStamp):
        * inspector/JSGlobalObjectConsoleClient.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::executionStopwatch):
        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/ScriptCallFrame.cpp:
        (Inspector::ScriptCallFrame::buildInspectorObject):
        * inspector/ScriptCallFrame.h:
        * inspector/ScriptCallStack.cpp:
        (Inspector::ScriptCallStack::create):
        (Inspector::ScriptCallStack::buildInspectorArray):
        * inspector/ScriptCallStack.h:
        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::enable):
        (Inspector::InspectorAgent::inspect):
        (Inspector::InspectorAgent::activateExtraDomain):
        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
        (Inspector::buildObjectForBreakpointCookie):
        (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
        (Inspector::InspectorDebuggerAgent::setBreakpoint):
        (Inspector::InspectorDebuggerAgent::continueToLocation):
        (Inspector::InspectorDebuggerAgent::resolveBreakpoint):
        (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
        (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP):
        (Inspector::InspectorDebuggerAgent::currentCallFrames):
        (Inspector::InspectorDebuggerAgent::didParseSource):
        (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
        (Inspector::InspectorDebuggerAgent::breakProgram):
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::buildErrorRangeObject):
        (Inspector::InspectorRuntimeAgent::callFunctionOn):
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        (Inspector::InspectorRuntimeAgent::getBasicBlocks):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/scripts/codegen/cpp_generator.py:
        (CppGenerator.cpp_type_for_unchecked_formal_in_parameter):
        (CppGenerator.cpp_type_for_type_with_name):
        (CppGenerator.cpp_type_for_formal_async_parameter):
        (CppGenerator.should_use_references_for_type):
        (CppGenerator):
        * inspector/scripts/codegen/cpp_generator_templates.py:
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
        (CppBackendDispatcherHeaderGenerator.generate_output):
        (CppBackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
        (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
        (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
        (CppFrontendDispatcherHeaderGenerator.generate_output):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
        (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        (CppProtocolTypesHeaderGenerator.generate_output):
        (_generate_class_for_object_declaration):
        (_generate_unchecked_setter_for_member):
        (_generate_forward_declarations_for_binding_traits):
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
        (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
        * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
        (ObjCFrontendDispatcherImplementationGenerator._generate_event):
        (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
        * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
        (ObjCProtocolTypesImplementationGenerator.generate_output):
        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/enum-values.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
        * replay/EncodedValue.cpp:
        (JSC::EncodedValue::asObject):
        (JSC::EncodedValue::asArray):
        (JSC::EncodedValue::put<EncodedValue>):
        (JSC::EncodedValue::append<EncodedValue>):
        (JSC::EncodedValue::get<EncodedValue>):
        * replay/EncodedValue.h:
        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Type.borrow_type):
        (Type.argument_type):
        (Generator.generate_member_move_expression):
        * runtime/ConsoleClient.cpp:
        (JSC::ConsoleClient::printConsoleMessageWithArguments):
        (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
        (JSC::ConsoleClient::logWithLevel):
        (JSC::ConsoleClient::clear):
        (JSC::ConsoleClient::dir):
        (JSC::ConsoleClient::dirXML):
        (JSC::ConsoleClient::table):
        (JSC::ConsoleClient::trace):
        (JSC::ConsoleClient::assertCondition):
        (JSC::ConsoleClient::group):
        (JSC::ConsoleClient::groupCollapsed):
        (JSC::ConsoleClient::groupEnd):
        * runtime/ConsoleClient.h:
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::allStructureRepresentations):
        (JSC::TypeSet::inspectorTypeSet):
        (JSC::StructureShape::inspectorRepresentation):
        * runtime/TypeSet.h:

622 2015-01-07  Commit Queue  <commit-queue@webkit.org>
623
624         Unreviewed, rolling out r178039.
625         https://bugs.webkit.org/show_bug.cgi?id=140187
626
627         Breaks ObjC Inspector Protocol (Requested by JoePeck on
628         #webkit).
629
630         Reverted changeset:
631
632         "Web Inspector: purge PassRefPtr from Inspector code and use
633         Ref for typed and untyped protocol objects"
634         https://bugs.webkit.org/show_bug.cgi?id=140053
635         http://trac.webkit.org/changeset/178039
636
637 2015-01-06  Brian J. Burg  <burg@cs.washington.edu>
638
639         Web Inspector: purge PassRefPtr from Inspector code and use Ref for typed and untyped protocol objects
640         https://bugs.webkit.org/show_bug.cgi?id=140053
641
642         Reviewed by Andreas Kling.
643
644         This patch replaces uses of PassRefPtr with uses of RefPtr&& and WTF::move() in code
645         related to Web Inspector. It also converts many uses of RefPtr to Ref where
646         references are always non-null. These two refactorings have been combined since
647         they tend to require similar changes to the code.
648
649         Creation methods for subclasses of InspectorValue now return a Ref, and callsites
650         have been updated to take a Ref instead of RefPtr.
651
652         Builders for typed protocol objects now return a Ref. Since there is no implicit
653         call to operator&, callsites now must explicitly call .release() to convert a
654         builder object into the corresponding protocol object once required fields are set.
655         Update callsites and use auto to eliminate repetition of longwinded protocol types.
656
657         Tests for inspector protocol and replay inputs have been rebaselined.
658
659         * bindings/ScriptValue.cpp:
660         (Deprecated::jsToInspectorValue):
661         (Deprecated::ScriptValue::toInspectorValue):
662         * bindings/ScriptValue.h:
663         * inspector/ConsoleMessage.cpp:
664         (Inspector::ConsoleMessage::addToFrontend):
665         * inspector/ContentSearchUtilities.cpp:
666         (Inspector::ContentSearchUtilities::buildObjectForSearchMatch):
667         (Inspector::ContentSearchUtilities::searchInTextByLines):
668         * inspector/ContentSearchUtilities.h:
669         * inspector/InjectedScript.cpp:
670         (Inspector::InjectedScript::getFunctionDetails):
671         (Inspector::InjectedScript::getProperties):
672         (Inspector::InjectedScript::getInternalProperties):
673         (Inspector::InjectedScript::wrapCallFrames):
674         (Inspector::InjectedScript::wrapObject):
675         (Inspector::InjectedScript::wrapTable):
676         * inspector/InjectedScript.h:
677         * inspector/InjectedScriptBase.cpp:
678         (Inspector::InjectedScriptBase::makeEvalCall): Split the early exits.
679         * inspector/InspectorBackendDispatcher.cpp:
680         (Inspector::InspectorBackendDispatcher::CallbackBase::CallbackBase):
681         (Inspector::InspectorBackendDispatcher::CallbackBase::sendIfActive):
682         (Inspector::InspectorBackendDispatcher::create):
683         (Inspector::InspectorBackendDispatcher::dispatch):
684         (Inspector::InspectorBackendDispatcher::sendResponse):
685         (Inspector::InspectorBackendDispatcher::reportProtocolError):
686         (Inspector::getPropertyValue): Add a comment to clarify what this clever code does.
687         (Inspector::InspectorBackendDispatcher::getInteger):
688         (Inspector::InspectorBackendDispatcher::getDouble):
689         (Inspector::InspectorBackendDispatcher::getString):
690         (Inspector::InspectorBackendDispatcher::getBoolean):
691         (Inspector::InspectorBackendDispatcher::getObject):
692         (Inspector::InspectorBackendDispatcher::getArray):
693         (Inspector::InspectorBackendDispatcher::getValue):
694         * inspector/InspectorBackendDispatcher.h: Use a typed protocol object to collect
695         protocol error strings.
696         (Inspector::InspectorSupplementalBackendDispatcher::InspectorSupplementalBackendDispatcher):
697         Convert the supplemental dispatcher's reference to Ref since it is never null.
698         * inspector/InspectorEnvironment.h:
699         * inspector/InspectorProtocolTypes.h: Get rid of ArrayItemHelper and
700         StructItemTraits. Add more versions of addItem to handle pushing various types.
701         (Inspector::Protocol::Array::openAccessors):
702         (Inspector::Protocol::Array::addItem):
703         (Inspector::Protocol::Array::create):
704         (Inspector::Protocol::StructItemTraits::push):
705         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast): Assert argument.
706         (Inspector::Protocol::StructItemTraits::pushRefPtr): Deleted.
707         (Inspector::Protocol::ArrayItemHelper<String>::Traits::pushRaw): Deleted.
708         (Inspector::Protocol::ArrayItemHelper<int>::Traits::pushRaw): Deleted.
709         (Inspector::Protocol::ArrayItemHelper<double>::Traits::pushRaw): Deleted.
710         (Inspector::Protocol::ArrayItemHelper<bool>::Traits::pushRaw): Deleted.
711         (Inspector::Protocol::ArrayItemHelper<InspectorValue>::Traits::pushRefPtr): Deleted.
712         (Inspector::Protocol::ArrayItemHelper<InspectorObject>::Traits::pushRefPtr): Deleted.
713         (Inspector::Protocol::ArrayItemHelper<InspectorArray>::Traits::pushRefPtr): Deleted.
714         (Inspector::Protocol::ArrayItemHelper<Protocol::Array<T>>::Traits::pushRefPtr): Deleted.
715         * inspector/InspectorValues.cpp: Straighten out getArray and getObject to have
716         the same call signature as other getters. Use Ref where possible.
717         (Inspector::InspectorObjectBase::getBoolean):
718         (Inspector::InspectorObjectBase::getString):
719         (Inspector::InspectorObjectBase::getObject):
720         (Inspector::InspectorObjectBase::getArray):
721         (Inspector::InspectorObjectBase::getValue):
722         (Inspector::InspectorObjectBase::writeJSON):
723         (Inspector::InspectorArrayBase::get):
724         (Inspector::InspectorObject::create):
725         (Inspector::InspectorArray::create):
726         (Inspector::InspectorValue::null):
727         (Inspector::InspectorString::create):
728         (Inspector::InspectorBasicValue::create):
729         (Inspector::InspectorObjectBase::get): Deleted.
730         * inspector/InspectorValues.h:
731         (Inspector::InspectorObjectBase::setValue):
732         (Inspector::InspectorObjectBase::setObject):
733         (Inspector::InspectorObjectBase::setArray):
734         (Inspector::InspectorArrayBase::pushValue):
735         (Inspector::InspectorArrayBase::pushObject):
736         (Inspector::InspectorArrayBase::pushArray):
737         * inspector/JSGlobalObjectConsoleClient.cpp:
738         (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
739         (Inspector::JSGlobalObjectConsoleClient::count):
740         (Inspector::JSGlobalObjectConsoleClient::timeEnd):
741         (Inspector::JSGlobalObjectConsoleClient::timeStamp):
742         * inspector/JSGlobalObjectConsoleClient.h:
743         * inspector/JSGlobalObjectInspectorController.cpp:
744         (Inspector::JSGlobalObjectInspectorController::executionStopwatch):
745         * inspector/JSGlobalObjectInspectorController.h:
746         * inspector/ScriptCallFrame.cpp:
747         (Inspector::ScriptCallFrame::buildInspectorObject):
748         * inspector/ScriptCallFrame.h:
749         * inspector/ScriptCallStack.cpp:
750         (Inspector::ScriptCallStack::create):
751         (Inspector::ScriptCallStack::buildInspectorArray):
752         * inspector/ScriptCallStack.h:
753         * inspector/agents/InspectorAgent.cpp:
754         (Inspector::InspectorAgent::enable):
755         (Inspector::InspectorAgent::inspect):
756         (Inspector::InspectorAgent::activateExtraDomain):
757         * inspector/agents/InspectorAgent.h:
758         * inspector/agents/InspectorDebuggerAgent.cpp:
759         (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
760         (Inspector::buildObjectForBreakpointCookie):
761         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
762         (Inspector::InspectorDebuggerAgent::setBreakpoint):
763         (Inspector::InspectorDebuggerAgent::continueToLocation):
764         (Inspector::InspectorDebuggerAgent::resolveBreakpoint):
765         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
766         (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP):
767         (Inspector::InspectorDebuggerAgent::currentCallFrames):
768         (Inspector::InspectorDebuggerAgent::didParseSource):
769         (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
770         (Inspector::InspectorDebuggerAgent::breakProgram):
771         * inspector/agents/InspectorDebuggerAgent.h:
772         * inspector/agents/InspectorRuntimeAgent.cpp:
773         (Inspector::buildErrorRangeObject):
774         (Inspector::InspectorRuntimeAgent::callFunctionOn):
775         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
776         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
777         * inspector/agents/InspectorRuntimeAgent.h:
778         * inspector/scripts/codegen/cpp_generator.py:
779         (CppGenerator.cpp_type_for_unchecked_formal_in_parameter):
780         (CppGenerator.cpp_type_for_type_with_name):
781         (CppGenerator.cpp_type_for_formal_async_parameter):
782         (CppGenerator.should_use_references_for_type):
783         (CppGenerator):
784         * inspector/scripts/codegen/cpp_generator_templates.py:
785         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
786         (CppBackendDispatcherHeaderGenerator.generate_output):
787         (CppBackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
788         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
789         (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
790         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
791         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
792         (CppFrontendDispatcherHeaderGenerator.generate_output):
793         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
794         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
795         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
796         (CppProtocolTypesHeaderGenerator.generate_output):
797         (_generate_class_for_object_declaration):
798         (_generate_unchecked_setter_for_member):
799         (_generate_forward_declarations_for_binding_traits):
800         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
801         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
802         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
803         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
804         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
805         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
806         (ObjCProtocolTypesImplementationGenerator.generate_output):
807         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
808         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
809         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
810         * inspector/scripts/tests/expected/enum-values.json-result:
811         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
812         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
813         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
814         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
815         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
816         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
817         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
818         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
819         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
820         * replay/EncodedValue.cpp:
821         (JSC::EncodedValue::asObject):
822         (JSC::EncodedValue::asArray):
823         (JSC::EncodedValue::put<EncodedValue>):
824         (JSC::EncodedValue::append<EncodedValue>):
825         (JSC::EncodedValue::get<EncodedValue>):
826         * replay/EncodedValue.h:
827         * replay/scripts/CodeGeneratorReplayInputs.py:
828         (Type.borrow_type):
829         (Type.argument_type):
830         (Generator.generate_member_move_expression):
831         * runtime/ConsoleClient.cpp:
832         (JSC::ConsoleClient::printConsoleMessageWithArguments):
833         (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
834         (JSC::ConsoleClient::logWithLevel):
835         (JSC::ConsoleClient::clear):
836         (JSC::ConsoleClient::dir):
837         (JSC::ConsoleClient::dirXML):
838         (JSC::ConsoleClient::table):
839         (JSC::ConsoleClient::trace):
840         (JSC::ConsoleClient::assertCondition):
841         (JSC::ConsoleClient::group):
842         (JSC::ConsoleClient::groupCollapsed):
843         (JSC::ConsoleClient::groupEnd):
844         * runtime/ConsoleClient.h:
845         * runtime/TypeSet.cpp:
846         (JSC::TypeSet::allStructureRepresentations):
847         (JSC::TypeSet::inspectorTypeSet):
848         (JSC::StructureShape::inspectorRepresentation):
849         * runtime/TypeSet.h:
850
851 2015-01-06  Chris Dumez  <cdumez@apple.com>
852
853         Drop ResourceResponseBase::connectionID and connectionReused members
854         https://bugs.webkit.org/show_bug.cgi?id=140158
855
856         Reviewed by Sam Weinig.
857
858         Drop ResourceResponseBase::connectionID and connectionReused members.
859         Those were needed by the Chromium port but are no longer used.
860
861         * inspector/protocol/Network.json:
862
863 2015-01-06  Mark Lam  <mark.lam@apple.com>
864
865         Add the lexicalEnvironment as an operand to op_create_arguments.
866         <https://webkit.org/b/140148>
867
868         Reviewed by Geoffrey Garen.
869
870         This patch only adds the operand to the bytecode.  It is not in use yet.
871
872         * bytecode/BytecodeList.json:
873         * bytecode/BytecodeUseDef.h:
874         (JSC::computeUsesForBytecodeOffset):
875         * bytecode/CodeBlock.cpp:
876         (JSC::CodeBlock::dumpBytecode):
877         * bytecompiler/BytecodeGenerator.cpp:
878         (JSC::BytecodeGenerator::BytecodeGenerator):
879         (JSC::BytecodeGenerator::createArgumentsIfNecessary):
880         - Adds the lexicalEnvironment register (if present) as an operand to
881           op_create_arguments.  Else, adds a constant empty JSValue.
882         * llint/LowLevelInterpreter32_64.asm:
883         * llint/LowLevelInterpreter64.asm:
884
885 2015-01-06  Alexey Proskuryakov  <ap@apple.com>
886
887         ADDRESS_SANITIZER macro is overloaded
888         https://bugs.webkit.org/show_bug.cgi?id=140130
889
890         Reviewed by Anders Carlsson.
891
892         * interpreter/JSStack.cpp: (JSC::JSStack::sanitizeStack): Use the new macro.
893         This code is nearly unused (only compiled in when JIT is disabled at build time),
894         however I've been told that it's best to keep it.
895
896 2015-01-06  Mark Lam  <mark.lam@apple.com>
897
898         Fix Use details for op_create_arguments.
899         <https://webkit.org/b/140110>
900
901         Rubber stamped by Filip Pizlo.
902
903         The previous patch was wrong about op_create_arguments not using its 1st operand.
904         It does read from it (hence, used) to check if the Arguments object has already
905         been created or not.  This patch reverts the change for op_create_arguments.
906
907         * bytecode/BytecodeUseDef.h:
908         (JSC::computeUsesForBytecodeOffset):
909
910 2015-01-06  Mark Lam  <mark.lam@apple.com>
911
912         Fix Use details for op_create_lexical_environment and op_create_arguments.
913         <https://webkit.org/b/140110>
914
915         Reviewed by Filip Pizlo.
916
917         The current "Use" details for op_create_lexical_environment and
918         op_create_arguments are wrong.  op_create_arguments uses nothing instead of the
919         1st operand (the output local).  op_create_lexical_environment uses its 2nd
920         operand (the scope chain) instead of the 1st (the output local).
921         This patch fixes them to specify the proper uses.
922
923         * bytecode/BytecodeUseDef.h:
924         (JSC::computeUsesForBytecodeOffset):
925
926 2015-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>
927
928         Implement ES6 String.prototype.repeat(count)
929         https://bugs.webkit.org/show_bug.cgi?id=140047
930
931         Reviewed by Darin Adler.
932
933         Introducing ES6 String.prototype.repeat(count) function.
934
935         * runtime/JSString.h:
936         * runtime/StringPrototype.cpp:
937         (JSC::StringPrototype::finishCreation):
938         (JSC::repeatSmallString):
939         (JSC::stringProtoFuncRepeat):
940
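The entry above introduces String.prototype.repeat(count). What follows is an added example, not JavaScriptCore's implementation: a C++ model of the argument handling ES6 specifies for repeat (ToInteger on count, RangeError for a negative or infinite count, an empty result for a zero count or an empty receiver) together with the check a native implementation needs before it allocates. The product count * length has to be bounded before any integer conversion or multiplication, otherwise a large count turns into an undersized buffer. The cap kMaxStringLength and the function names are assumptions made for the example; JSC's real limit is declared in JSString.h and is not reproduced here.

```cpp
// Added example, not JavaScriptCore code: a model of the ES6
// String.prototype.repeat(count) argument handling with the overflow
// guard a native implementation needs before allocating the result.
#include <cmath>
#include <cstdint>
#include <iostream>
#include <limits>
#include <stdexcept>
#include <string>

// Hypothetical cap on the result length (JSC's actual limit lives in
// JSString.h and is not reproduced here). The check is the point, not the number.
constexpr uint64_t kMaxStringLength = (uint64_t(1) << 31) - 1;

// ES6 ToInteger: NaN -> 0, otherwise truncate toward zero. Infinities pass
// through so the caller can reject +Infinity as the spec requires.
double toInteger(double v) {
    if (std::isnan(v)) return 0.0;
    if (std::isinf(v)) return v;
    return std::trunc(v);
}

// Throws std::range_error wherever String.prototype.repeat throws RangeError.
std::string repeatString(const std::string& s, double count) {
    const double n = toInteger(count);
    if (n < 0 || std::isinf(n))
        throw std::range_error("repeat count must be non-negative and finite");
    if (n == 0 || s.empty())
        return std::string();

    // Reject absurd counts before converting to an integer type: casting a
    // double that does not fit into uint64_t is undefined behaviour.
    if (n > static_cast<double>(kMaxStringLength))
        throw std::range_error("repeat count exceeds the maximum string length");
    const uint64_t reps = static_cast<uint64_t>(n);
    const uint64_t len = s.size();

    // Bound reps * len without performing the multiplication.
    if (reps > kMaxStringLength / len)
        throw std::range_error("repeat result would exceed the maximum string length");

    // Build by doubling: O(log n) appends instead of n appends.
    std::string out;
    out.reserve(static_cast<size_t>(reps * len));
    std::string chunk = s;
    for (uint64_t remaining = reps; remaining != 0; remaining >>= 1) {
        if (remaining & 1) out += chunk;
        if (remaining > 1) chunk += chunk;
    }
    return out;
}

// Helper for exercising the error paths without exceptions leaking to callers.
bool repeatThrowsRangeError(const std::string& s, double count) {
    try { repeatString(s, count); return false; }
    catch (const std::range_error&) { return true; }
}

int main() {
    std::cout << repeatString("ab", 3) << "\n";
    std::cout << repeatThrowsRangeError("abcd", 1e9) << "\n";
    return 0;
}
```

The ordering of the checks matters: an empty receiver with a huge count returns "" without ever touching the cap, which is what the spec requires, while a non-empty receiver is rejected before the count is cast and before the product is formed.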
941 2015-01-03  Michael Saboff  <msaboff@apple.com>
942
943         Crash in operationNewFunction when scrolling on Google+
944         https://bugs.webkit.org/show_bug.cgi?id=140033
945
946         Reviewed by Oliver Hunt.
947
948         In DFG code, the scope register can be eliminated because all uses have been
949         dead code eliminated.  In the case where one of the uses was creating a function
950         that is never used, the baseline code will still create the function.  If we OSR
951         exit to a path where that function gets created, check the scope register value
952         and set the new, but dead, function to undefined instead of creating a new function.
953
954         * jit/JITOpcodes.cpp:
955         (JSC::JIT::emit_op_new_func_exp):
956
957 2015-01-01  Yusuke Suzuki  <utatane.tea@gmail.com>
958
959         String includes methods perform toString on searchString before toInt32 on an offset
960         https://bugs.webkit.org/show_bug.cgi?id=140031
961
962         Reviewed by Darin Adler.
963
964         * runtime/StringPrototype.cpp:
965         (JSC::stringProtoFuncStartsWith):
966         (JSC::stringProtoFuncEndsWith):
967         (JSC::stringProtoFuncIncludes):
968
969 2015-01-01  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
970
971         Change to return std::unique_ptr<> in fooCreate()
972         https://bugs.webkit.org/show_bug.cgi?id=139983
973
974         Reviewed by Darin Adler.
975
976         To avoid unnecessary std::unique_ptr<> casting, fooCreate() returns std::unique_ptr<> directly.
977
978         * create_regex_tables:
979         * yarr/YarrPattern.h:
980         (JSC::Yarr::YarrPattern::reset):
981         (JSC::Yarr::YarrPattern::newlineCharacterClass):
982         (JSC::Yarr::YarrPattern::digitsCharacterClass):
983         (JSC::Yarr::YarrPattern::spacesCharacterClass):
984         (JSC::Yarr::YarrPattern::wordcharCharacterClass):
985         (JSC::Yarr::YarrPattern::nondigitsCharacterClass):
986         (JSC::Yarr::YarrPattern::nonspacesCharacterClass):
987         (JSC::Yarr::YarrPattern::nonwordcharCharacterClass):
988
989 2015-01-01  Jeff Miller  <jeffm@apple.com>
990
991         Update user-visible copyright strings to include 2015
992         https://bugs.webkit.org/show_bug.cgi?id=139880
993
994         Reviewed by Darin Adler.
995
996         * Info.plist:
997
998 2015-01-01  Darin Adler  <darin@apple.com>
999
1000         We often misspell identifier as "identifer"
1001         https://bugs.webkit.org/show_bug.cgi?id=140025
1002
1003         Reviewed by Michael Saboff.
1004
1005         * runtime/ArrayConventions.h: Fix it.
1006
1007 2014-12-29  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
1008
1009         Move JavaScriptCore/yarr to std::unique_ptr
1010         https://bugs.webkit.org/show_bug.cgi?id=139621
1011
1012         Reviewed by Anders Carlsson.
1013
1014         Final clean up OwnPtr|PassOwnPtr in JavaScriptCore/yarr.
1015
1016         * yarr/YarrInterpreter.cpp:
1017         (JSC::Yarr::ByteCompiler::atomParenthesesSubpatternEnd):
1018         * yarr/YarrInterpreter.h:
1019         (JSC::Yarr::BytecodePattern::BytecodePattern):
1020         * yarr/YarrJIT.cpp:
1021         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
1022         (JSC::Yarr::YarrGenerator::opCompileParentheticalAssertion):
1023         (JSC::Yarr::YarrGenerator::opCompileBody):
1024         * yarr/YarrPattern.cpp:
1025         (JSC::Yarr::CharacterClassConstructor::charClass):
1026         (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor):
1027         (JSC::Yarr::YarrPatternConstructor::reset):
1028         (JSC::Yarr::YarrPatternConstructor::atomPatternCharacter):
1029         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassEnd):
1030         (JSC::Yarr::YarrPatternConstructor::atomParenthesesSubpatternBegin):
1031         (JSC::Yarr::YarrPatternConstructor::atomParentheticalAssertionBegin):
1032         (JSC::Yarr::YarrPatternConstructor::copyDisjunction):
1033         (JSC::Yarr::YarrPatternConstructor::checkForTerminalParentheses):
1034         (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
1035         * yarr/YarrPattern.h:
1036         (JSC::Yarr::PatternDisjunction::addNewAlternative):
1037         (JSC::Yarr::YarrPattern::newlineCharacterClass):
1038         (JSC::Yarr::YarrPattern::digitsCharacterClass):
1039         (JSC::Yarr::YarrPattern::spacesCharacterClass):
1040         (JSC::Yarr::YarrPattern::wordcharCharacterClass):
1041         (JSC::Yarr::YarrPattern::nondigitsCharacterClass):
1042         (JSC::Yarr::YarrPattern::nonspacesCharacterClass):
1043         (JSC::Yarr::YarrPattern::nonwordcharCharacterClass):
1044
1045 2014-12-26  Dan Bernstein  <mitz@apple.com>
1046
1047         <rdar://problem/19348208> REGRESSION (r177027): iOS builds use the wrong toolchain
1048         https://bugs.webkit.org/show_bug.cgi?id=139950
1049
1050         Reviewed by David Kilzer.
1051
1052         * Configurations/Base.xcconfig: Only define TOOLCHAINS when building for OS X, doing so
1053         in a manner that works with Xcode 5.1.1.
1054
1055 2014-12-22  Mark Lam  <mark.lam@apple.com>
1056
1057         Use ctiPatchCallByReturnAddress() in JITOperations.cpp.
1058         <https://webkit.org/b/139892>
1059
1060         Reviewed by Michael Saboff.
1061
1062         The code in JITOperations.cpp sometimes calls RepatchBuffer::relinkCallerToFunction()
1063         directly, and sometimes uses a helper function, ctiPatchCallByReturnAddress().
1064         This patch changes it to use the helper function consistently.
1065
1066         * jit/JITOperations.cpp:
1067
1068 2014-12-22  Mark Lam  <mark.lam@apple.com>
1069
1070         Fix some typos in a comment.
1071         <https://webkit.org/b/139882>
1072
1073         Reviewed by Michael Saboff.
1074
1075         * jit/JITPropertyAccess.cpp:
1076         (JSC::JIT::emit_op_get_by_val):
1077
1078 2014-12-22  Mark Lam  <mark.lam@apple.com>
1079
1080         Assert that Array elements not copied when changing shape to ArrayStorage type are indeed holes.
1081         <https://webkit.org/b/138118>
1082
1083         Reviewed by Michael Saboff.
1084
1085         * runtime/JSObject.cpp:
1086         (JSC::JSObject::convertInt32ToArrayStorage):
1087         (JSC::JSObject::convertDoubleToArrayStorage):
1088         (JSC::JSObject::convertContiguousToArrayStorage):
1089
1090 2014-12-20  Eric Carlson  <eric.carlson@apple.com>
1091
1092         [iOS] add optimized fullscreen API
1093         https://bugs.webkit.org/show_bug.cgi?id=139833
1094         <rdar://problem/18844486>
1095
1096         Reviewed by Simon Fraser.
1097
1098         * Configurations/FeatureDefines.xcconfig: Add ENABLE_VIDEO_PRESENTATION_MODE.
1099
1100 2014-12-20  David Kilzer  <ddkilzer@apple.com>
1101
1102         Switch from using PLATFORM_NAME to SDK selectors in WebCore, WebInspectorUI, WebKit, WebKit2
1103         <http://webkit.org/b/139463>
1104
1105         Reviewed by Mark Rowe.
1106
1107         * Configurations/JavaScriptCore.xcconfig:
1108         - Simplify SECTORDER_FLAGS.
1109
1110 2014-12-19  Andreas Kling  <akling@apple.com>
1111
1112         Plug leak below LLVMCopyStringRepOfTargetData().
1113         <https://webkit.org/b/139832>
1114
1115         Reviewed by Michael Saboff.
1116
1117         LLVMCopyStringRepOfTargetData() returns a strdup()'ed string, so make sure
1118         to free() it after we're done using it.
1119
1120         * ftl/FTLCompile.cpp:
1121         (JSC::FTL::mmAllocateDataSection):
1122
1123 2014-12-19  Joseph Pecoraro  <pecoraro@apple.com>
1124
1125         Web Inspector: CRASH inspector-protocol/debugger/breakpoint-action-detach.html
1126         https://bugs.webkit.org/show_bug.cgi?id=139797
1127
1128         Reviewed by Mark Lam.
1129
1130         * debugger/Debugger.h:
1131         * debugger/Debugger.cpp:
1132         (JSC::Debugger::isAttached):
1133         Check if we are the debugger for a particular global object.
1134         (JSC::Debugger::pauseIfNeeded):
1135         Pass the global object on when hitting a breakpoint.
1136
1137         * inspector/ScriptDebugServer.h:
1138         * inspector/ScriptDebugServer.cpp:
1139         (Inspector::ScriptDebugServer::handleBreakpointHit):
1140         Stop evaluating breakpoint actions if a previous action caused the
1141         debugger to detach from this global object.
1142         (Inspector::ScriptDebugServer::handlePause):
1143         Standardize on passing JSGlobalObject parameter first.
1144
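The fix above stops evaluating breakpoint actions once an earlier action has detached the debugger from the global object. The C++ model below is an added example, not WebKit's ScriptDebugServer or Debugger code; its Debugger, GlobalObject and action types are hypothetical stand-ins. It shows the failure mode: per-global-object state is torn down on detach, and a loop that does not re-check attachment goes on to use that state. Here the use surfaces as std::out_of_range rather than the crash seen in the real test.

```cpp
// Added example, not WebKit code: why a breakpoint-action loop must re-check
// that the debugger is still attached before running each action.
#include <functional>
#include <iostream>
#include <map>
#include <stdexcept>
#include <string>
#include <vector>

struct GlobalObject { std::string name; };

// Per-global-object debugger state that is torn down on detach.
struct Debugger {
    std::map<const GlobalObject*, std::string> injectedScripts;

    void attach(const GlobalObject* g) { injectedScripts[g] = "injected script for " + g->name; }
    void detach(const GlobalObject* g) { injectedScripts.erase(g); }
    bool isAttached(const GlobalObject* g) const { return injectedScripts.count(g) != 0; }

    // Evaluating an action needs the injected script; after detach it is gone.
    // .at() throwing stands in for the use-after-teardown in the real bug.
    std::string evaluate(const GlobalObject* g, const std::string& expr) {
        return injectedScripts.at(g) + " evaluates " + expr;
    }
};

using BreakpointAction = std::function<void(Debugger&, const GlobalObject*)>;

// Original shape: run every action for the breakpoint that was hit.
size_t handleBreakpointHitUnchecked(Debugger& d, const GlobalObject* g,
                                    const std::vector<BreakpointAction>& actions) {
    size_t ran = 0;
    for (const auto& action : actions) { action(d, g); ++ran; }
    return ran;
}

// Fixed shape: an action may have detached us from g; check before each one.
size_t handleBreakpointHitChecked(Debugger& d, const GlobalObject* g,
                                  const std::vector<BreakpointAction>& actions) {
    size_t ran = 0;
    for (const auto& action : actions) {
        if (!d.isAttached(g)) break;
        action(d, g); ++ran;
    }
    return ran;
}

// Constructed scenario: the first action's script detaches the debugger, the
// second evaluates again. Returns how many actions ran, or -1 if an action
// touched torn-down state.
int replayDetachScenario(bool checked) {
    GlobalObject global{"page"};
    Debugger debugger;
    debugger.attach(&global);
    std::vector<BreakpointAction> actions = {
        [](Debugger& d, const GlobalObject* g) { d.evaluate(g, "detachDebugger()"); d.detach(g); },
        [](Debugger& d, const GlobalObject* g) { d.evaluate(g, "console.log('still here?')"); },
    };
    try {
        size_t ran = checked ? handleBreakpointHitChecked(debugger, &global, actions)
                             : handleBreakpointHitUnchecked(debugger, &global, actions);
        return static_cast<int>(ran);
    } catch (const std::out_of_range&) {
        return -1;
    }
}

int main() {
    std::cout << "unchecked: " << replayDetachScenario(false) << "\n";
    std::cout << "checked:   " << replayDetachScenario(true) << "\n";
    return 0;
}
```

The general rule this illustrates is that any loop which hands control to script (or any other arbitrary callback) must re-validate the invariants it relies on after each call, because the callback may have torn them down.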
1145 2014-12-19  Mark Lam  <mark.lam@apple.com>
1146
1147         [Win] Endless compiler warnings created by DFGEdge.h.
1148         <https://webkit.org/b/139801>
1149
1150         Reviewed by Brent Fulgham.
1151
1152         Add a cast to fix the type just the way the 64-bit version does.
1153
1154         * dfg/DFGEdge.h:
1155         (JSC::DFG::Edge::makeWord):
1156
1157 2014-12-19  Commit Queue  <commit-queue@webkit.org>
1158
1159         Unreviewed, rolling out r177574.
1160         https://bugs.webkit.org/show_bug.cgi?id=139821
1161
1162         "Broke Production builds by installing
1163         libWebCoreTestSupport.dylib in the wrong directory" (Requested
1164         by ddkilzer on #webkit).
1165
1166         Reverted changeset:
1167
1168         "Switch from using PLATFORM_NAME to SDK selectors in WebCore,
1169         WebInspectorUI, WebKit, WebKit2"
1170         https://bugs.webkit.org/show_bug.cgi?id=139463
1171         http://trac.webkit.org/changeset/177574
1172
1173 2014-12-19  Michael Saboff  <msaboff@apple.com>
1174
1175         REGRESSION(174226): Captured arguments in a using function compiled by the DFG have the initial value when the closure was invoked
1176         https://bugs.webkit.org/show_bug.cgi?id=139808
1177
1178         Reviewed by Oliver Hunt.
1179
1180         There are three changes here.
1181         1) Create a VariableWatchpointSet for captured arguments variables.
1182         2) Properly use the VariableWatchpointSet* found in op_put_to_scope in the 64 bit LLInt code.
1183         3) Add the same putLocalClosureVar path to the 32 bit LLInt code that exists in the 64 bit version.
1184
1185         * bytecompiler/BytecodeGenerator.cpp:
1186         (JSC::BytecodeGenerator::BytecodeGenerator):
1187         * llint/LowLevelInterpreter32_64.asm:
1188         * llint/LowLevelInterpreter64.asm:
1189
1190 2014-12-19  David Kilzer  <ddkilzer@apple.com>
1191
1192         Switch from using PLATFORM_NAME to SDK selectors in WebCore, WebInspectorUI, WebKit, WebKit2
1193         <http://webkit.org/b/139463>
1194
1195         Reviewed by Mark Rowe.
1196
1197         * Configurations/JavaScriptCore.xcconfig:
1198         - Simplify SECTORDER_FLAGS.
1199
1200 2014-12-18  Brent Fulgham  <bfulgham@apple.com>
1201
1202         Unreviewed build fix.
1203
1204         * jsc.cpp: Remove typo.
1205
1206 2014-12-17  Michael Saboff  <msaboff@apple.com>
1207
1208         Tests with infinite recursion frequently crash
1209         https://bugs.webkit.org/show_bug.cgi?id=139548
1210
1211         Reviewed by Geoffrey Garen.
1212
1213         While unwinding, if the call frame doesn't have a CodeBlock, then we
1214         are in native code; handle appropriately.
1215
1216         * interpreter/Interpreter.cpp:
1217         (JSC::unwindCallFrame):
1218         (JSC::UnwindFunctor::operator()):
1219         Added checks for null CodeBlock.
1220
1221         (JSC::Interpreter::unwind): Removed wrong ASSERT.
1222
1223 2014-12-17  Chris Dumez  <cdumez@apple.com>
1224
1225         [iOS] Make it possible to toggle FeatureCounter support at runtime
1226         https://bugs.webkit.org/show_bug.cgi?id=139688
1227         <rdar://problem/19266254>
1228
1229         Reviewed by Andreas Kling.
1230
1231         Stop linking against AppSupport framework as the functionality is no
1232         longer in WTF (it was moved to WebCore).
1233
1234         * Configurations/JavaScriptCore.xcconfig:
1235
1236 2014-12-17  Brent Fulgham  <bfulgham@apple.com>
1237
1238         [Win] Correct DebugSuffix builds under MSBuild
1239         https://bugs.webkit.org/show_bug.cgi?id=139733
1240         <rdar://problem/19276880>
1241
1242         Reviewed by Simon Fraser.
1243
1244         * JavaScriptCore.vcxproj/JavaScriptCore.proj: Make sure to use the
1245         '_debug' suffix when building the DebugSuffix target.
1246
1247 2014-12-16  Enrica Casucci  <enrica@apple.com>
1248
1249         Fix iOS builders for 8.0
1250         https://bugs.webkit.org/show_bug.cgi?id=139495
1251
1252         Reviewed by Michael Saboff.
1253
1254         * Configurations/LLVMForJSC.xcconfig:
1255         * llvm/library/LLVMExports.cpp:
1256         (initializeAndGetJSCLLVMAPI):
1257
1258 2014-12-16  Commit Queue  <commit-queue@webkit.org>
1259
1260         Unreviewed, rolling out r177380.
1261         https://bugs.webkit.org/show_bug.cgi?id=139707
1262
1263         "Breaks js/regres/elidable-new-object-* tests" (Requested by
1264         msaboff_ on #webkit).
1265
1266         Reverted changeset:
1267
1268         "Fixes operationPutByIdOptimizes such that they check that the
1269         put didn't"
1270         https://bugs.webkit.org/show_bug.cgi?id=139500
1271         http://trac.webkit.org/changeset/177380
1272
1273 2014-12-16  Matthew Mirman  <mmirman@apple.com>
1274
1275         Fixes operationPutByIdOptimizes such that they check that the put didn't
1276         change the structure of the object whose property access is being
1277         cached.
1278         https://bugs.webkit.org/show_bug.cgi?id=139500
1279
1280         Reviewed by Geoffrey Garen.
1281
1282         * jit/JITOperations.cpp:
1283         (JSC::operationPutByIdStrictOptimize): saved the structure before the put.
1284         (JSC::operationPutByIdNonStrictOptimize): ditto.
1285         (JSC::operationPutByIdDirectStrictOptimize): ditto.
1286         (JSC::operationPutByIdDirectNonStrictOptimize): ditto.
1287         * jit/Repatch.cpp:
1288         (JSC::tryCachePutByID): Added argument for the old structure
1289         (JSC::repatchPutByID): Added argument for the old structure
1290         * jit/Repatch.h:
1291         * tests/stress/put-by-id-build-list-order-recurse.js: 
1292         Added test that fails without this patch.
1293
1294 2014-12-15  Chris Dumez  <cdumez@apple.com>
1295
1296         [iOS] Add feature counting support
1297         https://bugs.webkit.org/show_bug.cgi?id=139652
1298         <rdar://problem/19255690>
1299
1300         Reviewed by Gavin Barraclough.
1301
1302         Link against AppSupport framework on iOS as we need it to implement
1303         the new FeatureCounter API in WTF.
1304
1305         * Configurations/JavaScriptCore.xcconfig:
1306
1307 2014-12-15  Commit Queue  <commit-queue@webkit.org>
1308
1309         Unreviewed, rolling out r177284.
1310         https://bugs.webkit.org/show_bug.cgi?id=139658
1311
1312         "Breaks API tests and LayoutTests on Yosemite Debug"
1313         (Requested by msaboff on #webkit).
1314
1315         Reverted changeset:
1316
1317         "Make sure range based iteration of Vector<> still receives
1318         bounds checking"
1319         https://bugs.webkit.org/show_bug.cgi?id=138821
1320         http://trac.webkit.org/changeset/177284
1321
1322 2014-12-15  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>
1323
1324         [EFL] FTL JIT not working on ARM64
1325         https://bugs.webkit.org/show_bug.cgi?id=139295
1326
1327         Reviewed by Michael Saboff.
1328
1329         Added the missing code for stack unwinding and some additional small fixes
1330         to get FTL working correctly.
1331
1332         * ftl/FTLCompile.cpp:
1333         (JSC::FTL::mmAllocateDataSection):
1334         * ftl/FTLUnwindInfo.cpp:
1335         (JSC::FTL::UnwindInfo::parse):
1336
1337 2014-12-15  Oliver Hunt  <oliver@apple.com>
1338
1339         Make sure range based iteration of Vector<> still receives bounds checking
1340         https://bugs.webkit.org/show_bug.cgi?id=138821
1341
1342         Reviewed by Mark Lam.
1343
1344         Update code to deal with slightly changed iterator semantics.
1345
1346         * bytecode/UnlinkedCodeBlock.cpp:
1347         (JSC::UnlinkedCodeBlock::visitChildren):
1348         * bytecompiler/BytecodeGenerator.cpp:
1349         (JSC::BytecodeGenerator::emitComplexPopScopes):
1350         * dfg/DFGSpeculativeJIT.cpp:
1351         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1352         * ftl/FTLAbbreviations.h:
1353         (JSC::FTL::mdNode):
1354         (JSC::FTL::buildCall):
1355         * llint/LLIntData.cpp:
1356         (JSC::LLInt::Data::performAssertions):
1357         * parser/Parser.h:
1358         (JSC::Scope::Scope):
1359         * runtime/JSArray.cpp:
1360         (JSC::JSArray::setLengthWithArrayStorage):
1361         (JSC::JSArray::sortCompactedVector):
1362         * tools/ProfileTreeNode.h:
1363         (JSC::ProfileTreeNode::dumpInternal):
1364         * yarr/YarrJIT.cpp:
1365         (JSC::Yarr::YarrGenerator::matchCharacterClass):
1366
1367 2014-12-14  Filip Pizlo  <fpizlo@apple.com>
1368
1369         PutLocalSinkingPhase has an invalid assertion about incoming values, because both liveness and deferral analyses are conservative
1370         https://bugs.webkit.org/show_bug.cgi?id=139630
1371
1372         Reviewed by Oliver Hunt.
1373         
1374         Replaces a faulty assertion with code to handle an awesome special case. Also adds a lot of
1375         comments that reconstruct my reasoning about this code. I had to work hard to remember how
1376         deferral worked so I wrote my discoveries down.
1377
1378         * dfg/DFGInsertionSet.h:
1379         (JSC::DFG::InsertionSet::insertBottomConstantForUse):
1380         * dfg/DFGPutLocalSinkingPhase.cpp:
1381         * tests/stress/put-local-conservative.js: Added.
1382         (foo):
1383         (.result):
1384         (bar):
1385
1386 2014-12-14  Andreas Kling  <akling@apple.com>
1387
1388         Replace PassRef with Ref/Ref&& across the board.
1389         <https://webkit.org/b/139587>
1390
1391         Reviewed by Darin Adler.
1392
1393         * runtime/Identifier.cpp:
1394         (JSC::Identifier::add):
1395         (JSC::Identifier::add8):
1396         * runtime/Identifier.h:
1397         (JSC::Identifier::add):
1398         * runtime/IdentifierInlines.h:
1399         (JSC::Identifier::add):
1400
1401 2014-12-12  Matthew Mirman  <mmirman@apple.com>
1402
1403         shiftCountWithArrayStorage should exit to slow path if the object has a sparse map.
1404         https://bugs.webkit.org/show_bug.cgi?id=139598
1405         <rdar://problem/18779367>
1406
1407         Reviewed by Filip Pizlo.
1408
1409         * runtime/JSArray.cpp:
1410         (JSC::JSArray::shiftCountWithArrayStorage): Added check for object having a sparse map.
1411         * tests/stress/sparse_splice.js: Added.
1412
1413 2014-12-12  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
1414
1415         Final clean up OwnPtr in JSC - runtime, ftl, and tool directories
1416         https://bugs.webkit.org/show_bug.cgi?id=139532
1417
1418         Reviewed by Mark Lam.
1419
1420         Finally remove OwnPtr and PassOwnPtr from the runtime, ftl, and tools directories of JSC.
1421
1422         * builtins/BuiltinExecutables.h:
1423         * bytecode/CodeBlock.h:
1424         * bytecode/UnlinkedCodeBlock.cpp:
1425         (JSC::generateFunctionCodeBlock):
1426         * ftl/FTLAbstractHeap.cpp:
1427         (JSC::FTL::IndexedAbstractHeap::atSlow):
1428         * ftl/FTLAbstractHeap.h:
1429         * ftl/FTLCompile.cpp:
1430         (JSC::FTL::mmAllocateDataSection):
1431         * ftl/FTLJITFinalizer.h:
1432         * jsc.cpp:
1433         (jscmain):
1434         * parser/Lexer.h:
1435         * runtime/PropertyMapHashTable.h:
1436         (JSC::PropertyTable::clearDeletedOffsets):
1437         (JSC::PropertyTable::addDeletedOffset):
1438         * runtime/PropertyTable.cpp:
1439         (JSC::PropertyTable::PropertyTable):
1440         * runtime/RegExpObject.cpp:
1441         * runtime/SmallStrings.cpp:
1442         * runtime/Structure.cpp:
1443         * runtime/StructureIDTable.cpp:
1444         (JSC::StructureIDTable::StructureIDTable):
1445         (JSC::StructureIDTable::resize):
1446         * runtime/StructureIDTable.h:
1447         * runtime/StructureTransitionTable.h:
1448         * runtime/VM.cpp:
1449         (JSC::VM::VM):
1450         (JSC::VM::~VM):
1451         * runtime/VM.h:
1452         * tools/CodeProfile.h:
1453         (JSC::CodeProfile::CodeProfile):
1454         (JSC::CodeProfile::addChild):
1455
1456 2014-12-11  Dan Bernstein  <mitz@apple.com>
1457
1458         iOS Simulator production build fix.
1459
1460         * Configurations/JavaScriptCore.xcconfig: Don’t use an order file when building for the iOS
1461         Simulator, as we did prior to 177027.
1462
1463 2014-12-11  Joseph Pecoraro  <pecoraro@apple.com>
1464
1465         Explicitly export some more RWIProtocol classes.
1466         rdar://problem/19220408
1467
1468         Unreviewed build fix.
1469
1470         * inspector/scripts/codegen/generate_objc_configuration_header.py:
1471         (ObjCConfigurationHeaderGenerator._generate_configuration_interface_for_domains):
1472         * inspector/scripts/codegen/generate_objc_header.py:
1473         (ObjCHeaderGenerator._generate_event_interfaces):
1474         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1475         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1476         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1477         * inspector/scripts/tests/expected/enum-values.json-result:
1478         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1479         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1480         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1481         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1482         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1483         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1484         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1485         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1486         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1487
1488 2014-12-11  Alexey Proskuryakov  <ap@apple.com>
1489
1490         Explicitly export some RWIProtocol classes
1491         rdar://problem/19220408
1492
1493         * inspector/scripts/codegen/generate_objc_header.py:
1494         (ObjCHeaderGenerator._generate_type_interface):
1495         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1496         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1497         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1498         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1499         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1500         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1501         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1502
1503 2014-12-11  Mark Lam  <mark.lam@apple.com>
1504
1505         Fix broken build after r177146.
1506         https://bugs.webkit.org/show_bug.cgi?id=139533 
1507
1508         Not reviewed.
1509
1510         * interpreter/CallFrame.h:
1511         (JSC::ExecState::init):
1512         - Restored CallFrame::init() minus the unused JSScope* arg.
1513         * runtime/JSGlobalObject.cpp:
1514         (JSC::JSGlobalObject::init):
1515         - Remove JSScope* arg when calling CallFrame::init().
1516
1517 2014-12-11  Michael Saboff  <msaboff@apple.com>
1518
1519         REGRESSION: Use of undefined CallFrame::ScopeChain value
1520         https://bugs.webkit.org/show_bug.cgi?id=139533
1521
1522         Reviewed by Mark Lam.
1523
1524         Removed CallFrame::scope() and CallFrame::setScope() and eliminated or changed
1525         all usages of these functions.  In some cases the scope is passed in or determined
1526         another way.  In some cases the scope is used to calculate other values.  Lastly,
1527         there were places where these functions were used that are no longer needed.  For
1528         example when making a call, the caller's ScopeChain was copied to the callee's
1529         ScopeChain.  This change no longer uses the ScopeChain call frame header slot.
1530         That slot will be removed in a future patch.
1531
1532         * dfg/DFGByteCodeParser.cpp:
1533         (JSC::DFG::ByteCodeParser::parseBlock):
1534         * dfg/DFGSpeculativeJIT32_64.cpp:
1535         (JSC::DFG::SpeculativeJIT::compile):
1536         * dfg/DFGSpeculativeJIT64.cpp:
1537         (JSC::DFG::SpeculativeJIT::compile):
1538         * dfg/DFGSpeculativeJIT.h:
1539         (JSC::DFG::SpeculativeJIT::callOperation):
1540         * jit/JIT.h:
1541         * jit/JITInlines.h:
1542         (JSC::JIT::callOperation):
1543         * runtime/JSLexicalEnvironment.h:
1544         (JSC::JSLexicalEnvironment::create):
1545         (JSC::JSLexicalEnvironment::JSLexicalEnvironment):
1546         * jit/JITOpcodes.cpp:
1547         (JSC::JIT::emit_op_create_lexical_environment):
1548         * jit/JITOpcodes32_64.cpp:
1549         (JSC::JIT::emit_op_create_lexical_environment):
1550         * jit/JITOperations.cpp:
1551         * jit/JITOperations.h:
1552         * llint/LLIntSlowPaths.cpp:
1553         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1554         (JSC::LLInt::handleHostCall):
1555         (JSC::LLInt::setUpCall):
1556         (JSC::LLInt::llint_throw_stack_overflow_error):
1557         Pass the current scope value to the helper operationCreateActivation() and
1558         the call to JSLexicalEnvironment::create() instead of using the stack frame
1559         scope chain value.
1560
1561         * dfg/DFGFixupPhase.cpp:
1562         (JSC::DFG::FixupPhase::fixupNode):
1563         CreateActivation now has a second child, the scope.
1564
1565         * interpreter/CallFrame.h:
1566         (JSC::ExecState::init): Deleted.  This is dead code.
1567         (JSC::ExecState::scope): Deleted.
1568         (JSC::ExecState::setScope): Deleted.
1569
1570         * interpreter/Interpreter.cpp:
1571         (JSC::Interpreter::dumpRegisters): Changed so that we no longer access the scope
1572         chain slot.
1573
1574         (JSC::Interpreter::execute):
1575         (JSC::Interpreter::executeCall):
1576         (JSC::Interpreter::executeConstruct):
1577         Changed process to find JSScope values on the stack or by some other means.
1578
1579         * runtime/JSWithScope.h:
1580         (JSC::JSWithScope::JSWithScope): Deleted.
1581         Eliminated unused constructor.
1582
1583         * runtime/StrictEvalActivation.cpp:
1584         (JSC::StrictEvalActivation::StrictEvalActivation):
1585         * runtime/StrictEvalActivation.h:
1586         (JSC::StrictEvalActivation::create):
1587         Changed to pass in the current scope.
1588
1589 2014-12-10  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
1590
1591         Use std::unique_ptr instead of OwnPtr in JSC - heap, jit, runtime, and parser directories
1592         https://bugs.webkit.org/show_bug.cgi?id=139351
1593
1594         Reviewed by Filip Pizlo.
1595
1596         As a step to use std::unique_ptr<>, this cleans up OwnPtr and PassOwnPtr.
1597
1598         * bytecode/SamplingTool.h:
1599         (JSC::SamplingTool::SamplingTool):
1600         * heap/CopiedBlock.h:
1601         (JSC::CopiedBlock::didSurviveGC):
1602         (JSC::CopiedBlock::pin):
1603         * heap/CopiedBlockInlines.h:
1604         (JSC::CopiedBlock::reportLiveBytes):
1605         * heap/GCActivityCallback.h:
1606         * heap/GCThread.cpp:
1607         * heap/Heap.h:
1608         * heap/HeapInlines.h:
1609         (JSC::Heap::markListSet):
1610         * jit/ExecutableAllocator.cpp:
1611         * jit/JIT.cpp:
1612         (JSC::JIT::privateCompile):
1613         * jit/JIT.h:
1614         * jit/JITThunks.cpp:
1615         (JSC::JITThunks::JITThunks):
1616         (JSC::JITThunks::clearHostFunctionStubs):
1617         * jit/JITThunks.h:
1618         * parser/Parser.cpp:
1619         (JSC::Parser<LexerType>::Parser):
1620         * parser/Parser.h:
1621         (JSC::Scope::Scope):
1622         (JSC::Scope::pushLabel):
1623         * parser/ParserArena.cpp:
1624         * parser/ParserArena.h:
1625         (JSC::ParserArena::identifierArena):
1626         * parser/SourceProviderCache.h:
1627         * runtime/CodeCache.h:
1628         * runtime/Executable.h:
1629         * runtime/JSArray.cpp:
1630         (JSC::JSArray::sortVector):
1631         * runtime/JSGlobalObject.h:
1632
1633 2014-12-10  Geoffrey Garen  <ggaren@apple.com>
1634
1635         Please disable the webkitFirstVersionWithInitConstructorSupport check on Apple TV
1636         https://bugs.webkit.org/show_bug.cgi?id=139501
1637
1638         Reviewed by Gavin Barraclough.
1639
1640         NSVersionOfLinkTimeLibrary only works if you link directly against
1641         JavaScriptCore, which is a bit awkward for our Apple TV client to do.
1642
1643         It's easy enough just to disable this check on Apple TV, since it has no
1644         backwards compatibility requirement.
1645
1646         * API/JSWrapperMap.mm:
1647         (supportsInitMethodConstructors):
1648
1649 2014-12-10  Matthew Mirman  <mmirman@apple.com>
1650
1651         Fixes operationPutByIds such that they check that the put didn't
1652         change the structure of the object whose property access is being
1653         cached.
1654         https://bugs.webkit.org/show_bug.cgi?id=139196
1655
1656         Reviewed by Filip Pizlo.
1657
1658         * jit/JITOperations.cpp:
1659         (JSC::operationGetByIdOptimize): changed get to getPropertySlot
1660         (JSC::operationPutByIdStrictBuildList): saved the structure before the put.
1661         (JSC::operationPutByIdNonStrictBuildList): ditto.
1662         (JSC::operationPutByIdDirectStrictBuildList): ditto.
1663         (JSC::operationPutByIdDirectNonStrictBuildList): ditto.
1664         * jit/Repatch.cpp:
1665         (JSC::tryCachePutByID): fixed structure() to use the existing vm.
1666         (JSC::tryBuildPutByIdList): Added a check that the old structure's id
1667         is the same as the new.
1668         (JSC::buildPutByIdList): Added an argument
1669         * jit/Repatch.h: 
1670         (JSC::buildPutByIdList): Added an argument
1671         * tests/stress/put-by-id-strict-build-list-order.js: Added.
1672
1673 2014-12-10  Csaba Osztrogonác  <ossy@webkit.org>
1674
1675         URTBF after r177030.
1676
1677         Fix linking failure that occurred on ARM buildbots:
1678         lib/libjavascriptcore_efl.so.1.11.0: undefined reference to `JSC::Structure::get(JSC::VM&, JSC::PropertyName, unsigned int&)'
1679
1680         * runtime/NullGetterFunction.cpp:
1681
1682 2014-12-09  Michael Saboff  <msaboff@apple.com>
1683
1684         DFG Tries using an inner object's getter/setter when one hasn't been defined
1685         https://bugs.webkit.org/show_bug.cgi?id=139229
1686
1687         Reviewed by Filip Pizlo.
1688
1689         Added a new NullGetterFunction singleton class to use for getters and setters that
1690         haven't been set to a user defined value.  The NullGetterFunction callReturnUndefined()
1691         and createReturnUndefined() methods return undefined.  Changed all null checks of the
1692         getter and setter pointers to the newly added isGetterNull() and isSetterNull()
1693         helper methods.  
1694
1695         * CMakeLists.txt:
1696         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1697         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1698         * JavaScriptCore.xcodeproj/project.pbxproj:
1699         Added NullGetterFunction.cpp & .h to build files.
1700
1701         * dfg/DFGAbstractInterpreterInlines.h:
1702         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1703         * runtime/ObjectPrototype.cpp:
1704         (JSC::objectProtoFuncLookupGetter):
1705         (JSC::objectProtoFuncLookupSetter):
1706         * runtime/PropertyDescriptor.cpp:
1707         (JSC::PropertyDescriptor::setDescriptor):
1708         (JSC::PropertyDescriptor::setAccessorDescriptor):
1709         Changed checking getter and setter to null to use new isGetterNull() and isSetterNull()
1710         helpers.
1711
1712         * inspector/JSInjectedScriptHostPrototype.cpp:
1713         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
1714         * inspector/JSJavaScriptCallFramePrototype.cpp:
1715         * jit/JITOperations.cpp:
1716         * llint/LLIntSlowPaths.cpp:
1717         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1718         * runtime/JSObject.cpp:
1719         (JSC::JSObject::putIndexedDescriptor):
1720         (JSC::putDescriptor):
1721         (JSC::JSObject::defineOwnNonIndexProperty):
1722         * runtime/MapPrototype.cpp:
1723         (JSC::MapPrototype::finishCreation):
1724         * runtime/SetPrototype.cpp:
1725         (JSC::SetPrototype::finishCreation):
1726         Updated calls to GetterSetter::create(), setGetter(), setSetter(), withGetter()
1727         and withSetter() to provide a global object.
1728
1729         * runtime/GetterSetter.cpp:
1730         (JSC::GetterSetter::withGetter):
1731         (JSC::GetterSetter::withSetter):
1732         (JSC::callGetter):
1733         (JSC::callSetter):
1734         * runtime/GetterSetter.h:
1735         (JSC::GetterSetter::GetterSetter):
1736         (JSC::GetterSetter::create):
1737         (JSC::GetterSetter::isGetterNull):
1738         (JSC::GetterSetter::isSetterNull):
1739         (JSC::GetterSetter::setGetter):
1740         (JSC::GetterSetter::setSetter):
1741         Changed to use NullGetterFunction for unspecified getters / setters.
1742
1743         * runtime/JSGlobalObject.cpp:
1744         (JSC::JSGlobalObject::init):
1745         (JSC::JSGlobalObject::createThrowTypeError):
1746         (JSC::JSGlobalObject::visitChildren):
1747         * runtime/JSGlobalObject.h:
1748         (JSC::JSGlobalObject::nullGetterFunction):
1749         (JSC::JSGlobalObject::evalFunction):
1750         Added m_nullGetterFunction singleton.  Updated calls to GetterSetter::create(),
1751         setGetter() and setSetter() to provide a global object.
1752
1753         * runtime/NullGetterFunction.cpp: Added.
1754         (JSC::callReturnUndefined):
1755         (JSC::constructReturnUndefined):
1756         (JSC::NullGetterFunction::getCallData):
1757         (JSC::NullGetterFunction::getConstructData):
1758         * runtime/NullGetterFunction.h: Added.
1759         (JSC::NullGetterFunction::create):
1760         (JSC::NullGetterFunction::createStructure):
1761         (JSC::NullGetterFunction::NullGetterFunction):
1762         New singleton class that returns undefined when called.
1763
1764 2014-12-09  Geoffrey Garen  <ggaren@apple.com>
1765
1766         Re-enable function.arguments
1767         https://bugs.webkit.org/show_bug.cgi?id=139452
1768         <rdar://problem/18848149>
1769
1770         Reviewed by Sam Weinig.
1771
1772         Disabling function.arguments broke a few websites, and we don't have
1773         time right now to work through the details.
1774
1775         I'm re-enabling function.arguments but leaving in the infrastructure
1776         to re-disable it, so we can try this experiment again in the future.
1777
1778         * runtime/Options.h:
1779
1780 2014-12-09  David Kilzer  <ddkilzer@apple.com>
1781
1782         Switch from using PLATFORM_NAME to SDK selectors in ANGLE, bmalloc, gtest, JavaScriptCore, WTF
1783         <http://webkit.org/b/139212>
1784
1785         Reviewed by Joseph Pecoraro.
1786
1787         * Configurations/Base.xcconfig:
1788         - Only set GCC_ENABLE_OBJC_GC, GCC_MODEL_TUNING and TOOLCHAINS
1789           on OS X.
1790         - Only set LLVM_LOCAL_HEADER_PATH and LLVM_SYSTEM_HEADER_PATH on
1791           OS X.
1792         - Set JAVASCRIPTCORE_CONTENTS_DIR and
1793           JAVASCRIPTCORE_FRAMEWORKS_DIR separately for iOS and OS X.
1794
1795         * Configurations/DebugRelease.xcconfig:
1796         - Only set MACOSX_DEPLOYMENT_TARGET and SDKROOT on OS X.
1797
1798         * Configurations/JSC.xcconfig:
1799         - Only set CODE_SIGN_ENTITLEMENTS for iOS hardware builds.
1800
1801         * Configurations/JavaScriptCore.xcconfig:
1802         - Set OTHER_LDFLAGS separately for iOS and OS X.
1803         - Set SECTORDER_FLAGS separately for iOS and OS X, but only for
1804           Production builds.
1805         - Only set EXCLUDED_SOURCE_FILE_NAMES for iOS.
1806
1807         * Configurations/LLVMForJSC.xcconfig:
1808         - Rename LLVM_LIBS_iphoneos to LLVM_LIBS_ios.
1809         - Set LLVM_LIBRARY_PATHS and OTHER_LDFLAGS_LLVM_ENABLE_FTL_JIT
1810           separately for iOS hardware and OS X.
1811         - Fix curly braces in LIBRARY_SEARCH_PATHS.
1812         - Merge OTHER_LDFLAGS_BASE into OTHER_LDFLAGS. (Could have been
1813           done before this patch.)
1814
1815         * Configurations/ToolExecutable.xcconfig:
1816         - Only set CODE_SIGN_ENTITLEMENTS for iOS, per target.
1817         - Only set CLANG_ENABLE_OBJC_ARC for i386 on the iOS Simulator.
1818         - Add missing newline.
1819
1820         * Configurations/Version.xcconfig:
1821         - Set SYSTEM_VERSION_PREFIX separately for iOS and OS X.
1822
1823 2014-12-08  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
1824
1825         Fix EFL build fix since r177001
1826         https://bugs.webkit.org/show_bug.cgi?id=139428
1827
1828         Unreviewed, EFL build fix.
1829
1830         Do not inherit duplicated class. ExpressionNode is already
1831         child of ParserArenaFreeable class.
1832
1833         * parser/Nodes.h:
1834
1835 2014-12-08  Shivakumar JM  <shiva.jm@samsung.com>
1836
1837         Fix Build Warning in JavaScriptCore ControlFlowProfiler::dumpData() api.
1838         https://bugs.webkit.org/show_bug.cgi?id=139384
1839
1840         Reviewed by Mark Lam.
1841
1842         Fix Build Warning by using dataLog() function instead of dataLogF() function.
1843
1844         * runtime/ControlFlowProfiler.cpp:
1845         (JSC::ControlFlowProfiler::dumpData):
1846
1847 2014-12-08  Saam Barati  <saambarati1@gmail.com>
1848
1849         Web Inspector: Enable runtime API for JSC's control flow profiler
1850         https://bugs.webkit.org/show_bug.cgi?id=139346
1851
1852         Reviewed by Joseph Pecoraro.
1853
1854         This patch creates an API that the Web Inspector can use
1855         to get information about which basic blocks have executed
1856         from JSC's control flow profiler.
1857
1858         * inspector/agents/InspectorRuntimeAgent.cpp:
1859         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
1860         * inspector/agents/InspectorRuntimeAgent.h:
1861         * inspector/protocol/Runtime.json:
1862
1863 2014-12-08  Geoffrey Garen  <ggaren@apple.com>
1864
1865         Removed some allocation and cruft from the parser
1866         https://bugs.webkit.org/show_bug.cgi?id=139416
1867
1868         Reviewed by Mark Lam.
1869
1870         Now, the only AST nodes that require a destructor are the ones that
1871         relate to pickling a function's arguments -- which will require some
1872         deeper thinking to resolve.
1873
1874         This is a < 1% parser speedup.
1875
1876         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1877         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1878         * JavaScriptCore.xcodeproj/project.pbxproj: Removed NodeInfo because it
1879         was unused.
1880
1881         * bytecompiler/NodesCodegen.cpp:
1882         (JSC::CommaNode::emitBytecode):
1883         (JSC::SourceElements::lastStatement):
1884         (JSC::SourceElements::emitBytecode): Updated for interface change to linked list.
1885
1886         * parser/ASTBuilder.h:
1887         (JSC::ASTBuilder::ASTBuilder):
1888         (JSC::ASTBuilder::varDeclarations):
1889         (JSC::ASTBuilder::funcDeclarations):
1890         (JSC::ASTBuilder::createFuncDeclStatement):
1891         (JSC::ASTBuilder::addVar): Removed the ParserArenaData abstraction because
1892         it wasn't buying us anything. We can just use Vector directly.
1893
1894         (JSC::ASTBuilder::createCommaExpr):
1895         (JSC::ASTBuilder::appendToCommaExpr): Changed to use a linked list instead
1896         of a vector, to avoid allocating a vector with inline capacity in the
1897         common case in which an expression is not followed by a vector.
1898
1899         (JSC::ASTBuilder::Scope::Scope): Use Vector directly to avoid new'ing
1900         up a Vector*.
1901
1902         (JSC::ASTBuilder::appendToComma): Deleted.
1903         (JSC::ASTBuilder::combineCommaNodes): Deleted.
1904
1905         * parser/Lexer.cpp:
1906
1907         * parser/NodeConstructors.h:
1908         (JSC::StatementNode::StatementNode):
1909         (JSC::CommaNode::CommaNode):
1910         (JSC::SourceElements::SourceElements): Updated for interface change to linked list.
1911
1912         * parser/NodeInfo.h: Removed.
1913
1914         * parser/Nodes.cpp:
1915         (JSC::SourceElements::append):
1916         (JSC::SourceElements::singleStatement): Use a linked list instead of a
1917         vector to track the statements in a list. This removes some allocation
1918         and it means that we don't need a destructor anymore.
1919
1920         (JSC::ScopeNode::ScopeNode):
1921         (JSC::ProgramNode::ProgramNode):
1922         (JSC::EvalNode::EvalNode):
1923         (JSC::FunctionNode::FunctionNode): Updated for interface change to reference,
1924         since these values are never null.
1925
1926         * parser/Nodes.h:
1927         (JSC::StatementNode::next):
1928         (JSC::StatementNode::setNext):
1929         (JSC::CommaNode::append): Deleted. Updated for interface change to linked list.
1930
1931         * parser/Parser.cpp:
1932         (JSC::Parser<LexerType>::didFinishParsing): Updated for interface change to reference.
1933
1934         (JSC::Parser<LexerType>::parseVarDeclarationList):
1935         (JSC::Parser<LexerType>::parseExpression): Track comma expressions as
1936         an explicit list of CommaNodes, removing a use of vector and a destructor.
1937
1938         * parser/Parser.h:
1939         (JSC::Parser<LexerType>::parse):
1940         * parser/SyntaxChecker.h:
1941         (JSC::SyntaxChecker::createCommaExpr):
1942         (JSC::SyntaxChecker::appendToCommaExpr):
1943         (JSC::SyntaxChecker::appendToComma): Deleted. Updated for interface changes.
1944
1945 2014-12-08  Commit Queue  <commit-queue@webkit.org>
1946
1947         Unreviewed, rolling out r176979.
1948         https://bugs.webkit.org/show_bug.cgi?id=139424
1949
1950         "New JSC test in this patch is failing" (Requested by mlam on
1951         #webkit).
1952
1953         Reverted changeset:
1954
1955         "Fixes operationPutByIds such that they check that the put
1956         didn't"
1957         https://bugs.webkit.org/show_bug.cgi?id=139196
1958         http://trac.webkit.org/changeset/176979
1959
1960 2014-12-08  Matthew Mirman  <mmirman@apple.com>
1961
1962         Fixes operationPutByIds such that they check that the put didn't
1963         change the structure of the object whose property access is being
1964         cached.
1965         https://bugs.webkit.org/show_bug.cgi?id=139196
1966
1967         Reviewed by Filip Pizlo.
1968
1969         * jit/JITOperations.cpp:
1970         (JSC::operationGetByIdOptimize): changed get to getPropertySlot
1971         (JSC::operationPutByIdStrictBuildList): saved the structure before the put.
1972         (JSC::operationPutByIdNonStrictBuildList): ditto.
1973         (JSC::operationPutByIdDirectStrictBuildList): ditto.
1974         (JSC::operationPutByIdDirectNonStrictBuildList): ditto.
1975         * jit/Repatch.cpp:
1976         (JSC::tryCachePutByID): fixed structure() to use the existing vm.
1977         (JSC::tryBuildPutByIdList): Added a check that the old structure's id
1978         is the same as the new.
1979         (JSC::buildPutByIdList): Added an argument
1980         * jit/Repatch.h: 
1981         (JSC::buildPutByIdList): Added an argument
1982         * tests/stress/put-by-id-build-list-order-recurse.js: Test that failed before the change
1983         * tests/stress/put-by-id-strict-build-list-order.js: Added.
1984
1986 2014-12-08  Anders Carlsson  <andersca@apple.com>
1987
1988         Change WTF::currentCPUTime to return std::chrono::microseconds and get rid of currentCPUTimeMS
1989         https://bugs.webkit.org/show_bug.cgi?id=139410
1990
1991         Reviewed by Andreas Kling.
1992
1993         * API/JSContextRef.cpp:
1994         (JSContextGroupSetExecutionTimeLimit):
1995         (JSContextGroupClearExecutionTimeLimit):
1996         * runtime/Watchdog.cpp:
1997         (JSC::Watchdog::setTimeLimit):
1998         (JSC::Watchdog::didFire):
1999         (JSC::Watchdog::startCountdownIfNeeded):
2000         (JSC::Watchdog::startCountdown):
2001         * runtime/Watchdog.h:
2002         * runtime/WatchdogMac.cpp:
2003         (JSC::Watchdog::startTimer):
2004
2005 2014-12-08  Mark Lam  <mark.lam@apple.com>
2006
2007         CFA wrongly assumes that a speculation for SlowPutArrayStorageShape disallows ArrayStorageShape arrays.
2008         <https://webkit.org/b/139327>
2009
2010         Reviewed by Michael Saboff.
2011
        The code generator and runtime slow paths expect otherwise.  This patch fixes
2013         CFA to match the code generator's expectation.
2014
2015         * dfg/DFGArrayMode.h:
2016         (JSC::DFG::ArrayMode::arrayModesThatPassFiltering):
2017         (JSC::DFG::ArrayMode::arrayModesWithIndexingShapes):
2018
2019 2014-12-08  Chris Dumez  <cdumez@apple.com>
2020
2021         Revert r176293 & r176275
2022
2023         Unreviewed, revert r176293 & r176275 changing the Vector API to use unsigned type
2024         instead of size_t. There is some disagreement regarding the long-term direction
2025         of the API and we shouldn’t leave the API partly transitioned to unsigned type
2026         while making a decision.
2027
2028         * bytecode/PreciseJumpTargets.cpp:
2029         * replay/EncodedValue.h:
2030
2031 2014-12-07  Csaba Osztrogonác  <ossy@webkit.org>
2032
2033         Remove the unused WTF_USE_GCC_COMPUTED_GOTO_WORKAROUND after r129453.
2034         https://bugs.webkit.org/show_bug.cgi?id=139373
2035
2036         Reviewed by Sam Weinig.
2037
2038         * interpreter/Interpreter.cpp:
2039
2040 2014-12-06  Anders Carlsson  <andersca@apple.com>
2041
2042         Fix build with newer versions of clang.
2043         rdar://problem/18978716
2044
2045         * ftl/FTLJITCode.h:
2046         Add missing overrides.
2047
2048 2014-12-05  Roger Fong  <roger_fong@apple.com>
2049
        [Win] proj files copying over too many resources.
        https://bugs.webkit.org/show_bug.cgi?id=139315
2052         <rdar://problem/19148278>
2053
2054         Reviewed by Brent Fulgham.
2055
2056         * JavaScriptCore.vcxproj/JavaScriptCore.proj: Only copy resource folders and JavaScriptCore.dll.
2057
2058 2014-12-05  Juergen Ributzka  <juergen@apple.com>
2059
2060         [JSC][FTL] Add the data layout to the module and fix the pass order.
2061         https://bugs.webkit.org/show_bug.cgi?id=138748
2062
2063         Reviewed by Oliver Hunt.
2064
2065         This adds the data layout to the module, so it can be used by all
2066         optimization passes in the LLVM optimizer pipeline. This also allows
        FastISel to select more instructions, because fewer non-legal types are
2068         generated.
2069         
2070         Also fix the order of the alias analysis passes in the optimization
2071         pipeline.
2072
2073         * ftl/FTLCompile.cpp:
2074         (JSC::FTL::mmAllocateDataSection):
2075
2076 2014-12-05  Geoffrey Garen  <ggaren@apple.com>
2077
2078         Removed an unused function.
2079
2080         Reviewed by Michael Saboff.
2081
2082         Broken out from https://bugs.webkit.org/show_bug.cgi?id=139305.
2083
2084         * parser/ParserArena.h:
2085
2086 2014-12-05  David Kilzer  <ddkilzer@apple.com>
2087
2088         FeatureDefines.xcconfig: Workaround bug in Xcode 5.1.1 when defining ENABLE_WEB_REPLAY
2089         <http://webkit.org/b/139286>
2090
2091         Reviewed by Daniel Bates.
2092
2093         * Configurations/FeatureDefines.xcconfig: Switch back to using
2094         PLATFORM_NAME to workaround a bug in Xcode 5.1.1 on 10.8.
2095
2096 2014-12-04  Mark Rowe  <mrowe@apple.com>
2097
2098         Build fix after r176836.
2099
2100         Reviewed by Mark Lam.
2101
2102         * runtime/VM.h:
2103         (JSC::VM::controlFlowProfiler): Don't try to export an inline function.
2104         Doing so results in a weak external symbol being generated.
2105
2106 2014-12-04  Saam Barati  <saambarati1@gmail.com>
2107
2108         JavaScript Control Flow Profiler
2109         https://bugs.webkit.org/show_bug.cgi?id=137785
2110
2111         Reviewed by Filip Pizlo.
2112
2113         This patch introduces a mechanism for JavaScriptCore to profile
2114         which basic blocks have executed. This mechanism will then be
2115         used by the Web Inspector to indicate which basic blocks
2116         have and have not executed.
2117         
2118         The profiling works by compiling in an op_profile_control_flow
2119         at the start of every basic block. Then, whenever this op code 
2120         executes, we know that a particular basic block has executed.
2121         
2122         When we tier up a CodeBlock that contains an op_profile_control_flow
2123         that corresponds to an already executed basic block, we don't
2124         have to emit code for that particular op_profile_control_flow
2125         because the internal data structures used to keep track of 
        basic block locations have already recorded that the corresponding
2127         op_profile_control_flow has executed.
2128
2129         * CMakeLists.txt:
2130         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2131         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2132         * JavaScriptCore.xcodeproj/project.pbxproj:
2133         * bytecode/BytecodeList.json:
2134         * bytecode/BytecodeUseDef.h:
2135         (JSC::computeUsesForBytecodeOffset):
2136         (JSC::computeDefsForBytecodeOffset):
2137         * bytecode/CodeBlock.cpp:
2138         (JSC::CodeBlock::dumpBytecode):
2139         (JSC::CodeBlock::CodeBlock):
2140         * bytecode/Instruction.h:
2141         * bytecode/UnlinkedCodeBlock.cpp:
2142         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2143         * bytecode/UnlinkedCodeBlock.h:
2144         (JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset):
2145         (JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets):
2146         * bytecompiler/BytecodeGenerator.cpp:
2147         (JSC::BytecodeGenerator::emitProfileControlFlow):
2148         * bytecompiler/BytecodeGenerator.h:
2149         * bytecompiler/NodesCodegen.cpp:
2150         (JSC::ConditionalNode::emitBytecode):
2151         (JSC::IfElseNode::emitBytecode):
2152         (JSC::WhileNode::emitBytecode):
2153         (JSC::ForNode::emitBytecode):
2154         (JSC::ContinueNode::emitBytecode):
2155         (JSC::BreakNode::emitBytecode):
2156         (JSC::ReturnNode::emitBytecode):
2157         (JSC::CaseClauseNode::emitBytecode):
2158         (JSC::SwitchNode::emitBytecode):
2159         (JSC::ThrowNode::emitBytecode):
2160         (JSC::TryNode::emitBytecode):
2161         (JSC::ProgramNode::emitBytecode):
2162         (JSC::FunctionNode::emitBytecode):
2163         * dfg/DFGAbstractInterpreterInlines.h:
2164         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2165         * dfg/DFGByteCodeParser.cpp:
2166         (JSC::DFG::ByteCodeParser::parseBlock):
2167         * dfg/DFGCapabilities.cpp:
2168         (JSC::DFG::capabilityLevel):
2169         * dfg/DFGClobberize.h:
2170         (JSC::DFG::clobberize):
2171         * dfg/DFGDoesGC.cpp:
2172         (JSC::DFG::doesGC):
2173         * dfg/DFGFixupPhase.cpp:
2174         (JSC::DFG::FixupPhase::fixupNode):
2175         * dfg/DFGNode.h:
2176         (JSC::DFG::Node::basicBlockLocation):
2177         * dfg/DFGNodeType.h:
2178         * dfg/DFGPredictionPropagationPhase.cpp:
2179         (JSC::DFG::PredictionPropagationPhase::propagate):
2180         * dfg/DFGSafeToExecute.h:
2181         (JSC::DFG::safeToExecute):
2182         * dfg/DFGSpeculativeJIT32_64.cpp:
2183         (JSC::DFG::SpeculativeJIT::compile):
2184         * dfg/DFGSpeculativeJIT64.cpp:
2185         (JSC::DFG::SpeculativeJIT::compile):
2186         * inspector/agents/InspectorRuntimeAgent.cpp:
2187         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
2188         * jit/JIT.cpp:
2189         (JSC::JIT::privateCompileMainPass):
2190         * jit/JIT.h:
2191         * jit/JITOpcodes.cpp:
2192         (JSC::JIT::emit_op_profile_control_flow):
2193         * jit/JITOpcodes32_64.cpp:
2194         (JSC::JIT::emit_op_profile_control_flow):
2195         * jsc.cpp:
2196         (GlobalObject::finishCreation):
2197         (functionFindTypeForExpression):
2198         (functionReturnTypeFor):
2199         (functionDumpBasicBlockExecutionRanges):
2200         * llint/LowLevelInterpreter.asm:
2201         * parser/ASTBuilder.h:
2202         (JSC::ASTBuilder::createFunctionExpr):
2203         (JSC::ASTBuilder::createGetterOrSetterProperty):
2204         (JSC::ASTBuilder::createFuncDeclStatement):
2205         (JSC::ASTBuilder::endOffset):
2206         (JSC::ASTBuilder::setStartOffset):
2207         * parser/NodeConstructors.h:
2208         (JSC::Node::Node):
2209         * parser/Nodes.h:
2210         (JSC::CaseClauseNode::setStartOffset):
2211         * parser/Parser.cpp:
2212         (JSC::Parser<LexerType>::parseSwitchClauses):
2213         (JSC::Parser<LexerType>::parseSwitchDefaultClause):
2214         (JSC::Parser<LexerType>::parseBlockStatement):
2215         (JSC::Parser<LexerType>::parseStatement):
2216         (JSC::Parser<LexerType>::parseFunctionDeclaration):
2217         (JSC::Parser<LexerType>::parseIfStatement):
2218         (JSC::Parser<LexerType>::parseExpression):
2219         (JSC::Parser<LexerType>::parseConditionalExpression):
2220         (JSC::Parser<LexerType>::parseProperty):
2221         (JSC::Parser<LexerType>::parseMemberExpression):
2222         * parser/SyntaxChecker.h:
2223         (JSC::SyntaxChecker::createFunctionExpr):
2224         (JSC::SyntaxChecker::createFuncDeclStatement):
2225         (JSC::SyntaxChecker::createGetterOrSetterProperty):
2226         (JSC::SyntaxChecker::operatorStackPop):
2227         * runtime/BasicBlockLocation.cpp: Added.
2228         (JSC::BasicBlockLocation::BasicBlockLocation):
2229         (JSC::BasicBlockLocation::insertGap):
2230         (JSC::BasicBlockLocation::getExecutedRanges):
2231         (JSC::BasicBlockLocation::dumpData):
2232         (JSC::BasicBlockLocation::emitExecuteCode):
2233         * runtime/BasicBlockLocation.h: Added.
2234         (JSC::BasicBlockLocation::startOffset):
2235         (JSC::BasicBlockLocation::endOffset):
2236         (JSC::BasicBlockLocation::setStartOffset):
2237         (JSC::BasicBlockLocation::setEndOffset):
2238         (JSC::BasicBlockLocation::hasExecuted):
2239         * runtime/CodeCache.cpp:
2240         (JSC::CodeCache::getGlobalCodeBlock):
2241         * runtime/ControlFlowProfiler.cpp: Added.
2242         (JSC::ControlFlowProfiler::~ControlFlowProfiler):
2243         (JSC::ControlFlowProfiler::getBasicBlockLocation):
2244         (JSC::ControlFlowProfiler::dumpData):
2245         (JSC::ControlFlowProfiler::getBasicBlocksForSourceID):
2246         * runtime/ControlFlowProfiler.h: Added. This class is in 
2247         charge of generating BasicBlockLocations and also
2248         providing an interface that the Web Inspector can use to ping
2249         which basic blocks have executed based on the source id of a script.
2250
2251         (JSC::BasicBlockKey::BasicBlockKey):
2252         (JSC::BasicBlockKey::isHashTableDeletedValue):
2253         (JSC::BasicBlockKey::operator==):
2254         (JSC::BasicBlockKey::hash):
2255         (JSC::BasicBlockKeyHash::hash):
2256         (JSC::BasicBlockKeyHash::equal):
2257         * runtime/Executable.cpp:
2258         (JSC::ProgramExecutable::ProgramExecutable):
2259         (JSC::ProgramExecutable::initializeGlobalProperties):
2260         * runtime/FunctionHasExecutedCache.cpp:
2261         (JSC::FunctionHasExecutedCache::getUnexecutedFunctionRanges):
2262         * runtime/FunctionHasExecutedCache.h:
2263         * runtime/Options.h:
2264         * runtime/TypeProfiler.cpp:
2265         (JSC::TypeProfiler::logTypesForTypeLocation):
2266         (JSC::TypeProfiler::typeInformationForExpressionAtOffset):
2267         (JSC::TypeProfiler::findLocation):
2268         (JSC::TypeProfiler::dumpTypeProfilerData):
2269         * runtime/TypeProfiler.h:
2270         (JSC::TypeProfiler::functionHasExecutedCache): Deleted.
2271         * runtime/VM.cpp:
2272         (JSC::VM::VM):
2273         (JSC::enableProfilerWithRespectToCount):
2274         (JSC::disableProfilerWithRespectToCount):
2275         (JSC::VM::enableTypeProfiler):
2276         (JSC::VM::disableTypeProfiler):
2277         (JSC::VM::enableControlFlowProfiler):
2278         (JSC::VM::disableControlFlowProfiler):
2279         (JSC::VM::dumpTypeProfilerData):
2280         * runtime/VM.h:
2281         (JSC::VM::functionHasExecutedCache):
2282         (JSC::VM::controlFlowProfiler):
2283
2284 2014-12-04  Filip Pizlo  <fpizlo@apple.com>
2285
2286         printInternal(PrintStream& out, JSC::JITCode::JITType type) ends up dumping a literal %s
2287         https://bugs.webkit.org/show_bug.cgi?id=139274
2288
2289         Reviewed by Geoffrey Garen.
2290
2291         * jit/JITCode.cpp:
2292         (WTF::printInternal):
2293
2294 2014-12-04  Geoffrey Garen  <ggaren@apple.com>
2295
2296         Removed the concept of ParserArenaRefCounted
2297         https://bugs.webkit.org/show_bug.cgi?id=139277
2298
2299         Reviewed by Oliver Hunt.
2300
2301         This is a step toward a parser speedup.
2302
2303         Now that we have a clear root node type for each parse tree, there's no
2304         need to have a concept for "I might be refcounted or arena allocated".
2305         Instead, we can just use unique_ptr to manage the tree as a whole.
2306
2307         * API/JSScriptRef.cpp:
2308         (parseScript):
2309         * builtins/BuiltinExecutables.cpp:
2310         (JSC::BuiltinExecutables::createBuiltinExecutable): Updated for type change.
2311
2312         * bytecode/UnlinkedCodeBlock.cpp:
2313         (JSC::generateFunctionCodeBlock): Use unique_ptr. No need to call
2314         destroyData() explicitly: the unique_ptr destructor will do everything
2315         we need, as Bjarne intended.
2316
2317         * parser/NodeConstructors.h:
2318         (JSC::ParserArenaRoot::ParserArenaRoot):
2319         (JSC::ParserArenaRefCounted::ParserArenaRefCounted): Deleted.
2320
2321         * parser/Nodes.cpp:
2322         (JSC::ScopeNode::ScopeNode):
2323         (JSC::ProgramNode::ProgramNode):
2324         (JSC::EvalNode::EvalNode):
2325         (JSC::FunctionNode::FunctionNode):
2326         (JSC::ProgramNode::create): Deleted.
2327         (JSC::EvalNode::create): Deleted.
2328         (JSC::FunctionNode::create): Deleted. All special create semantics can
2329         just go away now that we play by C++ constructor / destructor rules.
2330
2331         * parser/Nodes.h:
2332         (JSC::ParserArenaRoot::parserArena):
2333         (JSC::ParserArenaRoot::~ParserArenaRoot): Just a normal class now, which
2334         holds onto the whole parse tree by virtue of owning the arena in which
2335         all the parsed nodes (except for itself) were allocated.
2336
2337         (JSC::ProgramNode::closedVariables):
2338         (JSC::ParserArenaRefCounted::~ParserArenaRefCounted): Deleted.
2339
2340         (JSC::ScopeNode::destroyData): Deleted. No need to destroy anything
2341         explicitly anymore -- we can just rely on destructors.
2342
2343         (JSC::ScopeNode::parserArena): Deleted.
2344
2345         * parser/Parser.h:
2346         (JSC::Parser<LexerType>::parse):
2347         (JSC::parse): unique_ptr all the things.
2348
2349         * parser/ParserArena.cpp:
2350         (JSC::ParserArena::reset):
2351         (JSC::ParserArena::isEmpty):
2352         (JSC::ParserArena::contains): Deleted.
2353         (JSC::ParserArena::last): Deleted.
2354         (JSC::ParserArena::removeLast): Deleted.
2355         (JSC::ParserArena::derefWithArena): Deleted.
2356         * parser/ParserArena.h:
2357         (JSC::ParserArena::swap): Much delete. Such wow.
2358
2359         * runtime/CodeCache.cpp:
2360         (JSC::CodeCache::getGlobalCodeBlock):
2361         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
2362         * runtime/Completion.cpp:
2363         (JSC::checkSyntax):
2364         * runtime/Executable.cpp:
2365         (JSC::ProgramExecutable::checkSyntax): unique_ptr all the things.
2366
2367 2014-12-04  Andreas Kling  <akling@apple.com>
2368
2369         REGRESSION(r173188): Text inserted when trying to delete a word from the Twitter message box.
2370         <https://webkit.org/b/139076>
2371
2372         Reviewed by Geoffrey Garen.
2373
2374         The StringImpl* -> Weak<JSString> cache used by the DOM bindings
2375         had a bug where the key could become a stale pointer if the cached
2376         JSString had its internal StringImpl atomicized.
2377
2378         If a new StringImpl was then later constructed at the exact same
2379         address as the stale key, before the Weak<JSString> got booted out
2380         of the string cache, we'd now have a situation where asking the
2381         string cache for that key would return the old JSString.
2382
2383         Solve this by not allowing JSString::toExistingAtomicString() to
2384         change the JSString's internal StringImpl unless it's resolving a
2385         rope string. (The StringImpl nullity determines rope state.)
2386
2387         This means that calling toExistingAtomicString() may now have to
2388         query the AtomicString table on each call rather than just once.
2389         All clients of this API would be forced to do this regardless,
        since the return value will be used to key into containers with
2391         AtomicStringImpl* keys.
2392
2393         No test because this relies on malloc putting two StringImpls
2394         at the same address at different points in time and we have no
2395         mechanism to reliably test that.
2396
2397         * runtime/JSString.h:
2398         (JSC::JSString::toExistingAtomicString):
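
Added illustration, not WebKit code and not part of this ChangeLog: a constructed C++ model of the stale-key hazard described above. The slab allocator (so that the freed StringImpl's address is reused deterministically, which malloc does only by chance), the reduced StringImpl, JSString and atomic table, and the swapInternalImpl flag are all assumptions of the model. The pre-fix behaviour is the flag set to true: toExistingAtomicString() swaps the JSString's internal StringImpl, the cache's raw-pointer key outlives the object it pointed at, and a later StringImpl at the same address is answered with the old JSString.

```cpp
#include <map>
#include <memory>
#include <string>
#include <vector>

// Model only (not WebKit code): ref-counted string storage with an atomic flag.
struct StringImpl { std::string chars; unsigned refCount = 0; bool isAtomic = false; };

// Allocation goes through a small slab that reuses freed slots, so a new
// StringImpl lands at the address of a dead one deterministically (malloc can
// do the same, just not reliably enough to test).
class Slab {
public:
    StringImpl* allocate(const std::string& chars) {
        StringImpl* p;
        if (!m_free.empty()) { p = m_free.back(); m_free.pop_back(); }
        else { m_slots.emplace_back(new StringImpl); p = m_slots.back().get(); }
        p->chars = chars; p->refCount = 1; p->isAtomic = false;
        return p;
    }
    void ref(StringImpl* p) { ++p->refCount; }
    void deref(StringImpl* p) { if (--p->refCount == 0) { p->chars.clear(); m_free.push_back(p); } }
private:
    std::vector<std::unique_ptr<StringImpl>> m_slots;
    std::vector<StringImpl*> m_free;
};

// The atomic string table: one shared StringImpl per distinct content.
class AtomicStringTable {
public:
    explicit AtomicStringTable(Slab& slab) : m_slab(slab) {}
    StringImpl* add(const std::string& chars) {
        StringImpl* p = m_slab.allocate(chars); p->isAtomic = true; m_table[chars] = p; return p;
    }
    StringImpl* existing(const std::string& chars) const {
        auto it = m_table.find(chars); return it == m_table.end() ? nullptr : it->second;
    }
private:
    Slab& m_slab;
    std::map<std::string, StringImpl*> m_table;
};

struct JSString { StringImpl* value; };   // a resolved (non-rope) string: value is never null here

// The bindings' cache, keyed by the raw StringImpl* the JSString was created from.
using StringCache = std::map<const StringImpl*, JSString*>;

// toExistingAtomicString(): find the atomic twin of the string's content.  The
// pre-fix variant also swaps the JSString's own StringImpl for the atomic one,
// dropping the last reference to the original and leaving the cache key dangling.
StringImpl* toExistingAtomicString(Slab& slab, const AtomicStringTable& table, JSString& s, bool swapInternalImpl) {
    if (s.value->isAtomic) return s.value;
    StringImpl* atomic = table.existing(s.value->chars);
    if (atomic && swapInternalImpl) {
        slab.ref(atomic);
        slab.deref(s.value);   // may free the StringImpl the cache is keyed on
        s.value = atomic;
    }
    return atomic;
}

// Returns what the cache hands back when queried with a freshly allocated "bar"
// StringImpl: "" on a miss (correct), or the content of a stale JSString.
std::string cacheLookupAfterAtomicize(bool swapInternalImpl) {
    Slab slab;
    AtomicStringTable atomics(slab);
    atomics.add("foo");                        // "foo" already exists as an atomic string
    StringImpl* impl = slab.allocate("foo");   // non-atomic "foo" owned by the JSString
    JSString js{impl};
    StringCache cache;
    cache[impl] = &js;                         // cache keyed on impl's address
    toExistingAtomicString(slab, atomics, js, swapInternalImpl);
    StringImpl* fresh = slab.allocate("bar");  // reuses impl's slot if impl was freed
    auto hit = cache.find(fresh);
    return hit == cache.end() ? std::string() : hit->second->value->chars;
}
```

cacheLookupAfterAtomicize(true) returns "foo" for a lookup of "bar": the cache has confused two unrelated strings through a recycled address. With the swap disabled the original StringImpl stays alive as long as the JSString does, "bar" gets a different address, and the lookup misses. The general lesson is the one the entry draws: a raw pointer is only a safe map key while the map itself keeps the pointee alive.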
2399
2400 2014-12-04  Geoffrey Garen  <ggaren@apple.com>
2401
2402         Marked some final things final.
2403
2404         Reviewed by Andreas Kling.
2405
2406         * parser/Nodes.h:
2407
2408 2014-12-04  Geoffrey Garen  <ggaren@apple.com>
2409
2410         Split out FunctionNode from FunctionBodyNode
2411         https://bugs.webkit.org/show_bug.cgi?id=139273
2412
2413         Reviewed by Andreas Kling.
2414
        This is a step toward a parser speedup.
2416
2417         We used to use FunctionBodyNode for two different purposes:
2418
2419         (1) "I am the root function you are currently parsing";
2420
2421         (2) "I am a lazy record of a nested function, which you will parse later".
2422
2423         This made for awkward lifetime semantics and interfaces.
2424
2425         Now, case (1) is handled by FunctionBodyNode, and case (2) is handled by
2426         a new node named FunctionNode.
2427
2428         Since case (1) no longer needs to handle being the root of the parse
2429         tree, FunctionBodyNode can be a normal arena-allocated node.
2430
2431         * bytecode/UnlinkedCodeBlock.cpp:
2432         (JSC::generateFunctionCodeBlock): Use FunctionNode instead of
2433         FunctionBodyNode, since we are producing the root of the function parse
2434         tree.
2435
2436         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable): Removed
2437         some unused data, and default-initialized other data, which isn't filled
2438         in meaningfully until recordParse() is called. (The previous values were
2439         incorrect / meaningless, since the FunctionBodyNode didn't have
2440         meaningful values in this case.)
2441
2442         * bytecode/UnlinkedCodeBlock.h: Ditto.
2443
2444         (JSC::UnlinkedFunctionExecutable::forceUsesArguments): Deleted.
2445
2446         * bytecompiler/BytecodeGenerator.cpp:
2447         (JSC::BytecodeGenerator::BytecodeGenerator): Use FunctionNode instead of
2448         FunctionBodyNode, since we are generating code starting at the root of
2449         the parse tree.
2450
2451         (JSC::BytecodeGenerator::resolveCallee):
2452         (JSC::BytecodeGenerator::addCallee):
2453         * bytecompiler/BytecodeGenerator.h: Ditto.
2454
2455         * bytecompiler/NodesCodegen.cpp:
2456         (JSC::FunctionBodyNode::emitBytecode):
2457         (JSC::FunctionNode::emitBytecode): Moved the emitBytecode implementation
2458         to FunctionNode, since we never generate code for FunctionBodyNode,
2459         since it's just a placeholder in the AST.
2460
2461         * parser/ASTBuilder.h:
2462         (JSC::ASTBuilder::createFunctionBody):
2463         (JSC::ASTBuilder::setUsesArguments): Deleted. Updated for interface
2464         changes.
2465
2466         * parser/Nodes.cpp:
2467         (JSC::FunctionBodyNode::FunctionBodyNode):
2468         (JSC::FunctionBodyNode::finishParsing):
2469         (JSC::FunctionBodyNode::setEndPosition):
2470         (JSC::FunctionNode::FunctionNode):
2471         (JSC::FunctionNode::create):
2472         (JSC::FunctionNode::finishParsing):
2473         (JSC::FunctionBodyNode::create): Deleted.
2474
2475         * parser/Nodes.h:
2476         (JSC::FunctionBodyNode::parameters):
2477         (JSC::FunctionBodyNode::source):
2478         (JSC::FunctionBodyNode::startStartOffset):
2479         (JSC::FunctionBodyNode::isInStrictContext):
2480         (JSC::FunctionNode::parameters):
2481         (JSC::FunctionNode::ident):
2482         (JSC::FunctionNode::functionMode):
2483         (JSC::FunctionNode::startColumn):
2484         (JSC::FunctionNode::endColumn):
2485         (JSC::ScopeNode::setSource): Deleted.
2486         (JSC::FunctionBodyNode::parameterCount): Deleted. Split out the differences
2487         between FunctionNode and FunctionBodyNode.
2488
2489         * parser/SyntaxChecker.h:
2490         (JSC::SyntaxChecker::createClauseList):
2491         (JSC::SyntaxChecker::setUsesArguments): Deleted. Removed setUsesArguments
2492         since it wasn't used.
2493
2494         * runtime/Executable.cpp:
2495         (JSC::ProgramExecutable::checkSyntax): Removed a branch that was always
2496         false.
2497
2498 2014-12-02  Brian J. Burg  <burg@cs.washington.edu>
2499
2500         Web Inspector: timeline probe records have inaccurate per-probe hit counts
2501         https://bugs.webkit.org/show_bug.cgi?id=138976
2502
2503         Reviewed by Joseph Pecoraro.
2504
2505         Previously, the DebuggerAgent was responsible for assigning unique ids to samples.
2506         However, this makes it impossible for the frontend's Timeline manager to associate
2507         a Probe Sample timeline record with the corresponding probe sample data. The record
2508         only included the probe batchId (misnamed as hitCount in ScriptDebugServer).
2509
2510         This patch moves both the batchId and sampleId counters into ScriptDebugServer, so
2511         any client of ScriptDebugListener will get the correct sampleId for each sample.
2512
2513         * inspector/ScriptDebugListener.h:
2514         * inspector/ScriptDebugServer.cpp:
2515         (Inspector::ScriptDebugServer::ScriptDebugServer):
2516         (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe):
2517         (Inspector::ScriptDebugServer::handleBreakpointHit):
2518         * inspector/ScriptDebugServer.h:
2519         * inspector/agents/InspectorDebuggerAgent.cpp:
2520         (Inspector::InspectorDebuggerAgent::InspectorDebuggerAgent):
2521         (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
2522         * inspector/agents/InspectorDebuggerAgent.h:
2523
2524 2014-12-04  Oliver Hunt  <oliver@apple.com>
2525
2526         Serialization of MapData object provides unsafe access to internal types
2527         https://bugs.webkit.org/show_bug.cgi?id=138653
2528
2529         Reviewed by Geoffrey Garen.
2530
2531         Converting these ASSERTs into RELEASE_ASSERTs, as it is now obvious
        that despite trying hard to be safe in all cases it's simply too easy
2533         to use an iterator in an unsafe state.
2534
2535         * runtime/MapData.h:
2536         (JSC::MapData::const_iterator::key):
2537         (JSC::MapData::const_iterator::value):
2538
2539 2014-12-03  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
2540
2541         Move JavaScriptCore/dfg to std::unique_ptr
2542         https://bugs.webkit.org/show_bug.cgi?id=139169
2543
2544         Reviewed by Filip Pizlo.
2545
2546         Use std::unique_ptr<>|std::make_unique<> in JavaScriptCore/dfg directory.
2547
2548         * dfg/DFGBasicBlock.h:
2549         * dfg/DFGJITCompiler.cpp:
2550         (JSC::DFG::JITCompiler::JITCompiler):
2551         (JSC::DFG::JITCompiler::compile):
2552         (JSC::DFG::JITCompiler::link):
2553         (JSC::DFG::JITCompiler::compileFunction):
2554         (JSC::DFG::JITCompiler::linkFunction):
2555         * dfg/DFGJITCompiler.h:
2556         * dfg/DFGPlan.cpp:
2557         (JSC::DFG::Plan::compileInThreadImpl):
2558         (JSC::DFG::Plan::cancel):
2559         * dfg/DFGPlan.h:
2560         * dfg/DFGSlowPathGenerator.h:
2561         * dfg/DFGWorklist.h:
2562         * ftl/FTLFail.cpp:
2563         (JSC::FTL::fail):
2564         * ftl/FTLState.cpp:
2565         (JSC::FTL::State::State):
2566
2567 2014-12-03  Michael Saboff  <msaboff@apple.com>
2568
2569         REGRESSION (r176479): DFG ASSERTION beneath emitOSRExitCall running Kraken/imaging-gaussian-blur.js.ftl-no-cjit-osr-validation and other tests
2570         https://bugs.webkit.org/show_bug.cgi?id=139246
2571
2572         Reviewed by Geoffrey Garen.
2573
2574         * ftl/FTLLowerDFGToLLVM.cpp:
2575         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
2576         The DFG_ASSERT that checks liveness at exit time doesn't properly
2577         handle the case where the local is not available at OSR exit time,
2578         but the local is live in the bytecode.  This now happens with the
2579         allocated scope register when we are compiling for FTLForOSREntryMode
2580         due to DCE done when the control flow was changed and a new entrypoint
2581         was added in the OSR entrypoint creation phase.  Therefore we silence
2582         the assert when compiling for FTLForOSREntryMode.
2583
2584 2014-12-03  Geoffrey Garen  <ggaren@apple.com>
2585
2586         Removed the global parser arena
2587         https://bugs.webkit.org/show_bug.cgi?id=139236
2588
2589         Reviewed by Sam Weinig.
2590
2591         Simplifies parser lifetime logic.
2592
2593         There's no need to keep a global arena. We can create a new arena
2594         each time we parse.
2595
2596         * bytecompiler/BytecodeGenerator.h: Global replace to pass around a
2597         ParserArena instead of VM*, since the VM no longer owns the arena.
2598         (JSC::BytecodeGenerator::parserArena):
2599
2600         * bytecompiler/NodesCodegen.cpp: Ditto.
2601         (JSC::ArrayNode::toArgumentList):
2602         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2603         * parser/ASTBuilder.h: Ditto.
2604         (JSC::ASTBuilder::ASTBuilder):
2605         (JSC::ASTBuilder::createSourceElements):
2606         (JSC::ASTBuilder::createCommaExpr):
2607         (JSC::ASTBuilder::createLogicalNot):
2608         (JSC::ASTBuilder::createUnaryPlus):
2609         (JSC::ASTBuilder::createVoid):
2610         (JSC::ASTBuilder::thisExpr):
2611         (JSC::ASTBuilder::createResolve):
2612         (JSC::ASTBuilder::createObjectLiteral):
2613         (JSC::ASTBuilder::createArray):
2614         (JSC::ASTBuilder::createNumberExpr):
2615         (JSC::ASTBuilder::createString):
2616         (JSC::ASTBuilder::createBoolean):
2617         (JSC::ASTBuilder::createNull):
2618         (JSC::ASTBuilder::createBracketAccess):
2619         (JSC::ASTBuilder::createDotAccess):
2620         (JSC::ASTBuilder::createSpreadExpression):
2621         (JSC::ASTBuilder::createRegExp):
2622         (JSC::ASTBuilder::createNewExpr):
2623         (JSC::ASTBuilder::createConditionalExpr):
2624         (JSC::ASTBuilder::createAssignResolve):
2625         (JSC::ASTBuilder::createFunctionExpr):
2626         (JSC::ASTBuilder::createFunctionBody):
2627         (JSC::ASTBuilder::createGetterOrSetterProperty):
2628         (JSC::ASTBuilder::createArguments):
2629         (JSC::ASTBuilder::createArgumentsList):
2630         (JSC::ASTBuilder::createProperty):
2631         (JSC::ASTBuilder::createPropertyList):
2632         (JSC::ASTBuilder::createElementList):
2633         (JSC::ASTBuilder::createFormalParameterList):
2634         (JSC::ASTBuilder::createClause):
2635         (JSC::ASTBuilder::createClauseList):
2636         (JSC::ASTBuilder::createFuncDeclStatement):
2637         (JSC::ASTBuilder::createBlockStatement):
2638         (JSC::ASTBuilder::createExprStatement):
2639         (JSC::ASTBuilder::createIfStatement):
2640         (JSC::ASTBuilder::createForLoop):
2641         (JSC::ASTBuilder::createForInLoop):
2642         (JSC::ASTBuilder::createForOfLoop):
2643         (JSC::ASTBuilder::createEmptyStatement):
2644         (JSC::ASTBuilder::createVarStatement):
2645         (JSC::ASTBuilder::createEmptyVarExpression):
2646         (JSC::ASTBuilder::createReturnStatement):
2647         (JSC::ASTBuilder::createBreakStatement):
2648         (JSC::ASTBuilder::createContinueStatement):
2649         (JSC::ASTBuilder::createTryStatement):
2650         (JSC::ASTBuilder::createSwitchStatement):
2651         (JSC::ASTBuilder::createWhileStatement):
2652         (JSC::ASTBuilder::createDoWhileStatement):
2653         (JSC::ASTBuilder::createLabelStatement):
2654         (JSC::ASTBuilder::createWithStatement):
2655         (JSC::ASTBuilder::createThrowStatement):
2656         (JSC::ASTBuilder::createDebugger):
2657         (JSC::ASTBuilder::createConstStatement):
2658         (JSC::ASTBuilder::appendConstDecl):
2659         (JSC::ASTBuilder::combineCommaNodes):
2660         (JSC::ASTBuilder::createDeconstructingAssignment):
2661         (JSC::ASTBuilder::Scope::Scope):
2662         (JSC::ASTBuilder::createNumber):
2663         (JSC::ASTBuilder::makeTypeOfNode):
2664         (JSC::ASTBuilder::makeDeleteNode):
2665         (JSC::ASTBuilder::makeNegateNode):
2666         (JSC::ASTBuilder::makeBitwiseNotNode):
2667         (JSC::ASTBuilder::makeMultNode):
2668         (JSC::ASTBuilder::makeDivNode):
2669         (JSC::ASTBuilder::makeModNode):
2670         (JSC::ASTBuilder::makeAddNode):
2671         (JSC::ASTBuilder::makeSubNode):
2672         (JSC::ASTBuilder::makeLeftShiftNode):
2673         (JSC::ASTBuilder::makeRightShiftNode):
2674         (JSC::ASTBuilder::makeURightShiftNode):
2675         (JSC::ASTBuilder::makeBitOrNode):
2676         (JSC::ASTBuilder::makeBitAndNode):
2677         (JSC::ASTBuilder::makeBitXOrNode):
2678         (JSC::ASTBuilder::makeFunctionCallNode):
2679         (JSC::ASTBuilder::makeBinaryNode):
2680         (JSC::ASTBuilder::makeAssignNode):
2681         (JSC::ASTBuilder::makePrefixNode):
2682         (JSC::ASTBuilder::makePostfixNode):
2683
2684         * parser/NodeConstructors.h: Ditto.
2685         (JSC::ParserArenaFreeable::operator new):
2686         (JSC::ParserArenaDeletable::operator new):
2687         (JSC::ParserArenaRefCounted::ParserArenaRefCounted):
2688
2689         * parser/Nodes.cpp: Ditto.
2690         (JSC::ScopeNode::ScopeNode):
2691         (JSC::ProgramNode::ProgramNode):
2692         (JSC::ProgramNode::create):
2693         (JSC::EvalNode::EvalNode):
2694         (JSC::EvalNode::create):
2695         (JSC::FunctionBodyNode::FunctionBodyNode):
2696         (JSC::FunctionBodyNode::create):
2697
2698         * parser/Nodes.h: Ditto.
2699         (JSC::ScopeNode::parserArena):
2700
2701         * parser/Parser.cpp:
2702         (JSC::Parser<LexerType>::Parser):
2703         (JSC::Parser<LexerType>::parseInner):
2704         (JSC::Parser<LexerType>::parseProperty): The parser now owns its own
2705         arena, and transfers ownership of its contents when invoking the ScopeNode
2706         constructor.
2707
2708         * parser/Parser.h:
2709         (JSC::Parser<LexerType>::parse): No need to explicitly reset the arena,
2710         since its lifetime is tied to the parser's lifetime now.
2711
2712         * parser/SyntaxChecker.h:
2713         (JSC::SyntaxChecker::createProperty):
2714         (JSC::SyntaxChecker::createGetterOrSetterProperty):
2715
2716         * runtime/VM.cpp:
2717         (JSC::VM::VM):
2718         * runtime/VM.h: The point of the patch: no more global.
2719
2720 2014-12-03  Geoffrey Garen  <ggaren@apple.com>
2721
2722         The parser should allocate all pieces of the AST
2723         https://bugs.webkit.org/show_bug.cgi?id=139230
2724
2725         Reviewed by Oliver Hunt.
2726
2727         This is a step toward a 14% parsing speedup.
2728
2729         Previously, allocation was split between the parser and certain node
2730         constructor functions. This made for some duplicated code and circular
2731         dependencies.
2732
2733         * parser/ASTBuilder.h:
2734         (JSC::ASTBuilder::createGetterOrSetterProperty): No need to pass through
2735         the VM, since our callee no longer needs to allocate anything.
2736
2737         (JSC::ASTBuilder::createProperty): Allocate the identifier for our
2738         callee, since that is simpler than requiring our callee to notice that
2739         we didn't do so, and do it for us.
2740
2741         (JSC::ASTBuilder::createForInLoop): Allocate the DeconstructingAssignmentNode
2742         for our callee, since that is simpler than requiring our callee to notice
2743         that we didn't do so, and do it for us.
2744
2745         Also, reuse some code instead of duplicating it.
2746
2747         (JSC::ASTBuilder::createForOfLoop): Ditto.
2748
2749         (JSC::ASTBuilder::createArrayPattern):
2750         (JSC::ASTBuilder::createObjectPattern):
2751         (JSC::ASTBuilder::createBindingLocation): No need to pass through a VM
2752         pointer, since our callee no longer needs to allocate anything.
2753
2754         (JSC::ASTBuilder::createBreakStatement): Deleted.
2755         (JSC::ASTBuilder::createContinueStatement): Deleted.
2756
2757         * parser/NodeConstructors.h:
2758         (JSC::PropertyNode::PropertyNode):
2759         (JSC::DeconstructionPatternNode::DeconstructionPatternNode):
2760         (JSC::ArrayPatternNode::ArrayPatternNode):
2761         (JSC::ArrayPatternNode::create):
2762         (JSC::ObjectPatternNode::ObjectPatternNode):
2763         (JSC::ObjectPatternNode::create):
2764         (JSC::BindingNode::create):
2765         (JSC::BindingNode::BindingNode):
2766         (JSC::ContinueNode::ContinueNode): Deleted.
2767         (JSC::BreakNode::BreakNode): Deleted.
2768         (JSC::EnumerationNode::EnumerationNode): Deleted.
2769         (JSC::ForInNode::ForInNode): Deleted.
2770         (JSC::ForOfNode::ForOfNode): Deleted. Deleted a bunch of special cases
2771         that don't exist anymore, now that the parser allocates all pieces of
2772         the AST unconditionally.
2773
2774         * parser/Nodes.h: Ditto.
2775
2776         * parser/Parser.cpp:
2777         (JSC::Parser<LexerType>::parseBreakStatement):
2778         (JSC::Parser<LexerType>::parseContinueStatement): Allocate the null
2779         identifier for our callee, since that is simpler than requiring our
2780         callee to notice that we didn't do so, and do it for us.
2781
2782         (JSC::Parser<LexerType>::parseProperty):
2783         * parser/SyntaxChecker.h:
2784         (JSC::SyntaxChecker::createProperty): No need to pass through a VM
2785         pointer, since our callee no longer needs to allocate anything.
2786
2787 2014-12-03  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>
2788
2789         Remove unused JSC runtime options
2790         https://bugs.webkit.org/show_bug.cgi?id=133070
2791
2792         Reviewed by Csaba Osztrogonác.
2793
2794         * runtime/Options.h:
2795
2796 2014-12-02  Mark Lam  <mark.lam@apple.com>
2797
2798         Rolling out r176592, r176603, r176616, and r176705 until build and perf issues are resolved.
2799         https://bugs.webkit.org/show_bug.cgi?id=138821
2800
2801         Not reviewed.
2802
2803         * bytecode/UnlinkedCodeBlock.cpp:
2804         (JSC::UnlinkedCodeBlock::visitChildren):
2805         * bytecompiler/BytecodeGenerator.cpp:
2806         (JSC::BytecodeGenerator::emitComplexPopScopes):
2807         * dfg/DFGSpeculativeJIT.cpp:
2808         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
2809         * ftl/FTLAbbreviations.h:
2810         (JSC::FTL::mdNode):
2811         (JSC::FTL::buildCall):
2812         * llint/LLIntData.cpp:
2813         (JSC::LLInt::Data::performAssertions):
2814         * parser/Parser.h:
2815         (JSC::Scope::Scope):
2816         * runtime/JSArray.cpp:
2817         (JSC::JSArray::setLengthWithArrayStorage):
2818         (JSC::JSArray::sortCompactedVector):
2819         * tools/ProfileTreeNode.h:
2820         (JSC::ProfileTreeNode::dumpInternal):
2821         * yarr/YarrJIT.cpp:
2822         (JSC::Yarr::YarrGenerator::matchCharacterClass):
2823
2824 2014-12-02  Michael Saboff  <msaboff@apple.com>
2825
2826         Change CallFrame::globalThisValue() to not use CallFrame::scope()
2827         https://bugs.webkit.org/show_bug.cgi?id=139202
2828
2829         Reviewed by Mark Lam.
2830
2831         Changed to use the globalThis() on the globalObject associated with the
2832         callee.  Moved the inline definition to JSGlobalObject.h instead of
2833         including JSGlobalObject.h in JSScope.h.  Also moved it as JSScope
2834         objects are no longer involved in getting the value.
2835
2836         * runtime/JSGlobalObject.h:
2837         (JSC::ExecState::globalThisValue):
2838         * runtime/JSScope.h:
2839         (JSC::ExecState::globalThisValue): Deleted.
2840
2841 2014-12-02  Matthew Mirman  <mmirman@apple.com>
2842
2843         Fixes inline cache fast path accessing nonexistent getters.
2844         <rdar://problem/18416918>
2845         https://bugs.webkit.org/show_bug.cgi?id=136961
2846
2847         Reviewed by Filip Pizlo.
2848
2849         Fixes a bug in inline caching where getters would have been able to
2850         modify the property they are getting during
2851         building the inline cache and then accessing that
2852         property through the inline cache site, causing a recursive
2853         inline cache building and allowing the fast path of the cache to
2854         try to load a getter for the property that no longer exists.
2855
2856         * jit/JITOperations.cpp: Switched use of get to getPropertySlot.
2857         * runtime/JSCJSValue.h:
2858         Added getPropertySlot for when you don't want to perform the get quite yet but want
2859         to fill out the slot.
2860         * runtime/JSCJSValueInlines.h: Added implementation for getPropertySlot.
2861         (JSC::JSValue::get): Changed to simply call getPropertySlot.
2862         (JSC::JSValue::getPropertySlot): Added.
2863         * tests/stress/recursive_property_redefine_during_inline_caching.js: Added test case for bug.
2864         (test):
2865
2866 2014-12-01  Michael Saboff  <msaboff@apple.com>
2867
2868         Remove GetMyScope node from DFG
2869         https://bugs.webkit.org/show_bug.cgi?id=139166
2870
2871         Reviewed by Oliver Hunt.
2872
2873         Eliminated GetMyScope DFG node type.
2874
2875         * dfg/DFGAbstractInterpreterInlines.h:
2876         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2877         * dfg/DFGClobberize.h:
2878         (JSC::DFG::clobberize):
2879         * dfg/DFGDoesGC.cpp:
2880         (JSC::DFG::doesGC):
2881         * dfg/DFGFixupPhase.cpp:
2882         (JSC::DFG::FixupPhase::fixupNode):
2883         * dfg/DFGGraph.cpp:
2884         (JSC::DFG::Graph::isLiveInBytecode):
2885         * dfg/DFGNodeType.h:
2886         * dfg/DFGPredictionPropagationPhase.cpp:
2887         (JSC::DFG::PredictionPropagationPhase::propagate):
2888         * dfg/DFGSafeToExecute.h:
2889         (JSC::DFG::safeToExecute):
2890         * dfg/DFGSpeculativeJIT32_64.cpp:
2891         (JSC::DFG::SpeculativeJIT::compile):
2892         * dfg/DFGSpeculativeJIT64.cpp:
2893         (JSC::DFG::SpeculativeJIT::compile):
2894         * ftl/FTLCapabilities.cpp:
2895         (JSC::FTL::canCompile):
2896         * ftl/FTLLowerDFGToLLVM.cpp:
2897         (JSC::FTL::LowerDFGToLLVM::compileNode):
2898         (JSC::FTL::LowerDFGToLLVM::compileGetMyScope): Deleted.
2899
2900 2014-12-01  Michael Saboff  <msaboff@apple.com>
2901
2902         Crash (integer overflow) beneath ByteCodeParser::handleGetById typing in search field on weather.com
2903         https://bugs.webkit.org/show_bug.cgi?id=139165
2904
2905         Reviewed by Oliver Hunt.
2906
2907         If we don't have any getById or putById variants, emit non-cached versions of these operations.
2908
2909         * dfg/DFGByteCodeParser.cpp:
2910         (JSC::DFG::ByteCodeParser::handleGetById):
2911         (JSC::DFG::ByteCodeParser::handlePutById):
2912
2913 2014-12-01  Andreas Kling  <akling@apple.com>
2914
2915         Optimize constructing JSC::Identifier from AtomicString.
2916         <https://webkit.org/b/139157>
2917
2918         Reviewed by Michael Saboff.
2919
2920         Add constructors for Identifier taking AtomicString and AtomicStringImpl.
2921         This avoids branching on the string's isAtomic flag, which is obviously
2922         always true for AtomicString & AtomicStringImpl.
2923
2924         Had to add an Identifier(const char*) constructor to resolve implicit
2925         ambiguity between String / AtomicString.
2926
2927         Also made PrivateName::uid() return AtomicStringImpl* to take advantage
2928         of the new constructor in a few places.
2929
2930         * runtime/Identifier.h:
2931         (JSC::Identifier::Identifier):
2932         * runtime/IdentifierInlines.h:
2933         (JSC::Identifier::Identifier):
2934         * runtime/PrivateName.h:
2935         (JSC::PrivateName::uid):
2936
2937 2014-12-01  Alexey Proskuryakov  <ap@apple.com>
2938
2939         Several JavaScriptCore date tests are flaky, because they expect time to be frozen during execution
2940         https://bugs.webkit.org/show_bug.cgi?id=139138
2941
2942         Reviewed by Mark Lam.
2943
2944         Merged a fix by Bob Clary.
2945
2946         * tests/mozilla/ecma/Date/15.9.1.1-1.js:
2947         * tests/mozilla/ecma/Date/15.9.1.1-2.js:
2948         * tests/mozilla/ecma/Date/15.9.2.1.js:
2949         * tests/mozilla/ecma/Date/15.9.2.2-1.js:
2950         * tests/mozilla/ecma/Date/15.9.2.2-2.js:
2951         * tests/mozilla/ecma/Date/15.9.2.2-3.js:
2952         * tests/mozilla/ecma/Date/15.9.2.2-4.js:
2953         * tests/mozilla/ecma/Date/15.9.2.2-5.js:
2954         * tests/mozilla/ecma/Date/15.9.2.2-6.js:
2955
2956 2014-11-17  Oliver Hunt  <oliver@apple.com>
2957
2958         Make sure range based iteration of Vector<> still receives bounds checking
2959         https://bugs.webkit.org/show_bug.cgi?id=138821
2960
2961         Reviewed by Mark Lam.
2962
2963         There are a few uses of begin()/end() that explicitly require pointers,
2964         so we use getPtr() to extract the underlying pointer generically.
2965
2966         * bytecode/UnlinkedCodeBlock.cpp:
2967         (JSC::UnlinkedCodeBlock::visitChildren):
2968         * bytecompiler/BytecodeGenerator.cpp:
2969         (JSC::BytecodeGenerator::emitComplexPopScopes):
2970         * dfg/DFGSpeculativeJIT.cpp:
2971         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
2972         * ftl/FTLAbbreviations.h:
2973         (JSC::FTL::mdNode):
2974         (JSC::FTL::buildCall):
2975         * llint/LLIntData.cpp:
2976         (JSC::LLInt::Data::performAssertions):
2977         * parser/Parser.h:
2978         (JSC::Scope::Scope):
2979         * profiler/ProfileNode.cpp:
2980         (JSC::ProfileNode::debugPrintRecursively):
2981         * runtime/JSArray.cpp:
2982         (JSC::JSArray::setLengthWithArrayStorage):
2983         (JSC::JSArray::sortCompactedVector):
2984         * tools/ProfileTreeNode.h:
2985         (JSC::ProfileTreeNode::dumpInternal):
2986         * yarr/YarrJIT.cpp:
2987         (JSC::Yarr::YarrGenerator::matchCharacterClass):
2988
2989 2014-11-29  Andreas Kling  <akling@apple.com>
2990
2991         PropertyTable keys should be AtomicStringImpl.
2992         <https://webkit.org/b/139096>
2993
2994         Reviewed by Sam Weinig.
2995
2996         Since PropertyTable keys are really always Identifiers, switch the key
2997         type from StringImpl* to AtomicStringImpl*.
2998
2999         We have code in the GetByVal opcode implementations that assumes things
3000         about this, so this change adds confidence to those algorithms.
3001
3002         * bytecode/ComplexGetStatus.cpp:
3003         (JSC::ComplexGetStatus::computeFor):
3004         * bytecode/ComplexGetStatus.h:
3005         * bytecode/GetByIdStatus.cpp:
3006         (JSC::GetByIdStatus::computeFromLLInt):
3007         (JSC::GetByIdStatus::computeFor):
3008         (JSC::GetByIdStatus::computeForStubInfo):
3009         * bytecode/GetByIdStatus.h:
3010         * bytecode/PutByIdStatus.cpp:
3011         (JSC::PutByIdStatus::computeFromLLInt):
3012         (JSC::PutByIdStatus::computeFor):
3013         (JSC::PutByIdStatus::computeForStubInfo):
3014         * bytecode/PutByIdStatus.h:
3015         * dfg/DFGByteCodeParser.cpp:
3016         (JSC::DFG::ByteCodeParser::parseBlock):
3017         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
3018         * dfg/DFGDesiredIdentifiers.cpp:
3019         (JSC::DFG::DesiredIdentifiers::addLazily):
3020         (JSC::DFG::DesiredIdentifiers::at):
3021         * dfg/DFGDesiredIdentifiers.h:
3022         (JSC::DFG::DesiredIdentifiers::operator[]):
3023         * dfg/DFGFixupPhase.cpp:
3024         (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
3025         * runtime/Identifier.h:
3026         (JSC::Identifier::impl):
3027         * runtime/IntendedStructureChain.cpp:
3028         (JSC::IntendedStructureChain::mayInterceptStoreTo):
3029         * runtime/IntendedStructureChain.h:
3030         * runtime/PropertyMapHashTable.h:
3031         * runtime/Structure.cpp:
3032         (JSC::StructureTransitionTable::contains):
3033         (JSC::StructureTransitionTable::get):
3034         (JSC::Structure::addPropertyTransitionToExistingStructureImpl):
3035         (JSC::Structure::addPropertyTransitionToExistingStructureConcurrently):
3036         (JSC::Structure::getConcurrently):
3037         (JSC::Structure::add):
3038         (JSC::Structure::remove):
3039         * runtime/Structure.h:
3040         (JSC::PropertyMapEntry::PropertyMapEntry):
3041         * runtime/StructureInlines.h:
3042         (JSC::Structure::getConcurrently):
3043         * runtime/StructureTransitionTable.h:
3044         (JSC::StructureTransitionTable::Hash::hash):
3045
3046 2014-11-28  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
3047
3048         Use std::unique_ptr<>|make_unique<> in ftl, bytecode of JSC
3049         https://bugs.webkit.org/show_bug.cgi?id=139063
3050
3051         Reviewed by Andreas Kling.
3052
3053         Clean up OwnPtr and PassOwnPtr in JSC.
3054
3055         * bytecode/StructureStubClearingWatchpoint.cpp:
3056         (JSC::StructureStubClearingWatchpoint::push):
3057         * bytecode/StructureStubClearingWatchpoint.h:
3058         (JSC::StructureStubClearingWatchpoint::StructureStubClearingWatchpoint):
3059         * ftl/FTLCompile.cpp:
3060         (JSC::FTL::mmAllocateDataSection):
3061         * ftl/FTLJITFinalizer.h:
3062         * ftl/FTLLink.cpp:
3063         (JSC::FTL::link):
3064         * parser/SourceProviderCacheItem.h:
3065
3066 2014-11-27  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
3067
3068         Use std::unique_ptr instead of OwnPtr in JSC classes
3069         https://bugs.webkit.org/show_bug.cgi?id=139009
3070
3071         Reviewed by Filip Pizlo.
3072
3073         As a step of using std::unique_ptr<>, this patch replaces OwnPtr with
3074         std::unique_ptr<>|std::make_unique<>.
3075
3076         * bytecode/DFGExitProfile.cpp:
3077         (JSC::DFG::ExitProfile::add):
3078         * bytecode/DFGExitProfile.h:
3079         * bytecode/LazyOperandValueProfile.cpp:
3080         (JSC::CompressedLazyOperandValueProfileHolder::add):
3081         * bytecode/LazyOperandValueProfile.h:
3082         * heap/MarkedBlock.cpp:
3083         (JSC::MarkedBlock::specializedSweep):
3084         (JSC::MarkedBlock::stopAllocating):
3085         * heap/MarkedBlock.h:
3086         (JSC::MarkedBlock::clearNewlyAllocated):
3087         * inspector/ContentSearchUtilities.cpp:
3088         (Inspector::ContentSearchUtilities::findMagicComment):
3089         * runtime/RegExp.cpp:
3090         (JSC::RegExp::invalidateCode):
3091         * runtime/RegExp.h:
3092         * yarr/RegularExpression.cpp:
3093         (JSC::Yarr::RegularExpression::Private::compile):
3094         (JSC::Yarr::RegularExpression::isValid):
3095         * yarr/YarrInterpreter.cpp:
3096         (JSC::Yarr::ByteCompiler::compile):
3097         (JSC::Yarr::ByteCompiler::regexBegin):
3098         (JSC::Yarr::byteCompile):
3099         * yarr/YarrInterpreter.h:
3100         (JSC::Yarr::BytecodePattern::BytecodePattern):
3101
3102 2014-11-24  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
3103
3104         Clean up OwnPtr and PassOwnPtr in JSC - bytecode, jit, inspector, and interpreter
3105         https://bugs.webkit.org/show_bug.cgi?id=139022
3106
3107         Reviewed by Filip Pizlo.
3108
3109         As a step of using std::unique_ptr<>, this patch replaces OwnPtr with
3110         std::unique_ptr<>|std::make_unique<>.
3111
3112         * bytecode/DFGExitProfile.cpp:
3113         (JSC::DFG::ExitProfile::add):
3114         * bytecode/DFGExitProfile.h:
3115         * dfg/DFGJITCompiler.cpp:
3116         (JSC::DFG::JITCompiler::link):
3117         (JSC::DFG::JITCompiler::linkFunction):
3118         * dfg/DFGJITFinalizer.cpp:
3119         (JSC::DFG::JITFinalizer::JITFinalizer):
3120         * dfg/DFGJITFinalizer.h:
3121         * heap/IncrementalSweeper.h:
3122         * inspector/ContentSearchUtilities.cpp:
3123         (Inspector::ContentSearchUtilities::findMagicComment):
3124         * inspector/agents/InspectorDebuggerAgent.h:
3125         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
3126         * interpreter/Interpreter.cpp:
3127         (JSC::Interpreter::enableSampler):
3128         * interpreter/Interpreter.h:
3129         * jit/ExecutableAllocator.cpp:
3130         (JSC::ExecutableAllocator::ExecutableAllocator):
3131         * jit/ExecutableAllocator.h:
3132
3133 2014-11-22  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
3134
3135         Clean up OwnPtr and PassOwnPtr in some of JS classes
3136         https://bugs.webkit.org/show_bug.cgi?id=138724
3137
3138         Reviewed by Filip Pizlo.
3139
3140         As a step to use std::unique_ptr<> and std::make_unique<>, this patch replaces
3141         OwnPtr with std::unique_ptr<>. Besides, the create() factory function is removed as well.
3142
3143         * builtins/BuiltinExecutables.h:
3144         (JSC::BuiltinExecutables::create): Deleted.
3145         * bytecode/CodeBlock.h:
3146         (JSC::CodeBlock::createRareDataIfNecessary):
3147         * bytecode/StructureStubInfo.h:
3148         * bytecode/UnlinkedCodeBlock.h:
3149         (JSC::UnlinkedCodeBlock::hasRareData):
3150         (JSC::UnlinkedCodeBlock::createRareDataIfNecessary):
3151         * runtime/CodeCache.cpp:
3152         (JSC::CodeCache::getGlobalCodeBlock):
3153         * runtime/CodeCache.h:
3154         (JSC::CodeCache::create): Deleted.
3155         * runtime/JSGlobalObject.cpp:
3156         (JSC::JSGlobalObject::clearRareData):
3157         * runtime/JSGlobalObject.h:
3158         (JSC::JSGlobalObject::createRareDataIfNeeded):
3159         * runtime/RegExpConstructor.h:
3160         * runtime/SmallStrings.cpp:
3161         (JSC::SmallStrings::createSingleCharacterString):
3162         (JSC::SmallStrings::singleCharacterStringRep):
3163         * runtime/SmallStrings.h:
3164         * runtime/VM.cpp:
3165         (JSC::VM::VM):
3166         * runtime/VM.h:
3167
3168 2014-11-21  Michael Saboff  <msaboff@apple.com>
3169
3170         r176455: ASSERT(!m_vector.isEmpty()) in IntendedStructureChain.cpp(143)
3171         https://bugs.webkit.org/show_bug.cgi?id=139000
3172
3173         Reviewed by Darin Adler.
3174
3175         Check that the chainCount is non-zero before using a StructureChain.
3176
3177         * bytecode/ComplexGetStatus.cpp:
3178         (JSC::ComplexGetStatus::computeFor):
3179
3180 2014-11-21  Michael Saboff  <msaboff@apple.com>
3181
3182         Allocate local ScopeChain register
3183         https://bugs.webkit.org/show_bug.cgi?id=138793
3184
3185         Reviewed by Geoffrey Garen.
3186
3187         Now we allocate the scope register as a local.  The allocated register is stored in the
3188         CodeBlock for use by other components.  Update the DFG to work with a local scope register.
3189         Changed usage of JSStack::ScopeChain access to the CallFrame header to use the allocated
3190         local register.
3191
3192         * bytecode/BytecodeUseDef.h:
3193         (JSC::computeUsesForBytecodeOffset):
3194         (JSC::computeDefsForBytecodeOffset):
3195         Updated to properly represent the operand inputs and bytecode result.
3196
3197         * bytecode/CodeBlock.cpp:
3198         (JSC::CodeBlock::CodeBlock):
3199         * bytecode/CodeBlock.h:
3200         (JSC::CodeBlock::setScopeRegister):
3201         (JSC::CodeBlock::scopeRegister):
3202         * bytecode/UnlinkedCodeBlock.h:
3203         (JSC::UnlinkedCodeBlock::setScopeRegister):
3204         (JSC::UnlinkedCodeBlock::scopeRegister):
3205         Added scope register member and accessors.
3206
3207         * bytecompiler/BytecodeGenerator.cpp:
3208         (JSC::BytecodeGenerator::BytecodeGenerator):
3209         (JSC::BytecodeGenerator::allocateAndEmitScope):
3210         * bytecompiler/BytecodeGenerator.h:
3211         (JSC::BytecodeGenerator::scopeRegister):
3212         Change m_scopeRegister to an allocated register.  Added allocateAndEmitScope helper to
3213         allocate the scope register, set the CodeBlock with its value and emit op_get_scope.
3214
3215         * debugger/DebuggerCallFrame.cpp:
3216         (JSC::DebuggerCallFrame::scope): Changed to access the scope using the new convention.
3217
3218         * dfg/DFGByteCodeParser.cpp:
3219         (JSC::DFG::ByteCodeParser::get):
3220         (JSC::DFG::ByteCodeParser::flush):
3221         (JSC::DFG::ByteCodeParser::inlineCall):
3222         (JSC::DFG::ByteCodeParser::parseBlock):
3223         Changed op_create_lexical_environment to set the scope VirtualRegister operand.
3224         Filled out op_get_scope processing to emit a GetScope node putting the result in
3225         the scope VirtualRegister result operand.
3226         Added Phantoms where appropriate to keep the Scope register alive in places where
3227         its use is optimized away, but where the baseline JIT would need to use its value.
3228         Eliminated uses of JSStack::ScopeChain.
3229
3230         * dfg/DFGStackLayoutPhase.cpp:
3231         (JSC::DFG::StackLayoutPhase::run):
3232         Make sure that the scope register stack location is allocated using the same place
3233         that the codeBlock expects.
3234
3235         * dfg/DFGStrengthReductionPhase.cpp:
3236         (JSC::DFG::StrengthReductionPhase::handleNode):
3237         Allow strength reduction of Flush to skip over GetScope nodes looking for a prior
3238         corresponding SetLocal.
3239
3240         * interpreter/CallFrame.h:
3241         (JSC::ExecState::scope):
3242         (JSC::ExecState::setScope):
3243         Added new scope() and setScope() helpers that take a VirtualRegister offset.
3244
3245         * interpreter/Interpreter.cpp:
3246         (JSC::eval):
3247         Changed eval() to get the scope from the caller's scope register instead of from the
3248         temporary frame created for eval.
3249
3250         * interpreter/Interpreter.cpp:
3251         (JSC::Interpreter::unwind):
3252         Changed unwind() to manipulate the scope in the allocated register instead of from the
3253         call frame slot.
3254
3255         * interpreter/StackVisitor.cpp:
3256         (JSC::StackVisitor::readNonInlinedFrame):
3257         (JSC::StackVisitor::readInlinedFrame):
3258         * interpreter/StackVisitor.h:
3259         (JSC::StackVisitor::Frame::callee):
3260         (JSC::StackVisitor::Frame::scope): Deleted.
3261         Eliminated the scope member as it needed to change and no StackVisitor users use it.
3262
3263         * jit/JITOperations.cpp:
3264         (JSC::operationPushNameScope):
3265         (JSC::operationPushWithScope):
3266         * runtime/JSNameScope.h:
3267         (JSC::JSNameScope::create):
3268         * runtime/JSWithScope.h:
3269         (JSC::JSWithScope::create): Deleted.
3270         * llint/LLIntSlowPaths.cpp:
3271         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3272         Deleted JSNameScope::create() and JSWithScope::create() flavors that used the ScopeChain slot
3273         in the CallFrame header.  Changed the only users of these functions, op_push_name_scope and
3274         op_push_with_scope helpers, to use the remaining create variants that require explicit scope.
3275         Those operations get the scope from the register pointed to by their scope operands.
3276
3277         * llint/LowLevelInterpreter32_64.asm:
3278         * llint/LowLevelInterpreter64.asm:
3279         Changed resolveScope to use the allocated register.
3280
3281 2014-11-21  Csaba Osztrogonác  <ossy@webkit.org>
3282
3283         [JSC] Disable verifyHeap
3284         https://bugs.webkit.org/show_bug.cgi?id=138962
3285
3286         Reviewed by Mark Lam.
3287
3288         * runtime/Options.h:
3289
3290 2014-11-20  Mark Lam  <mark.lam@apple.com>
3291
3292         Add some comments to describe the DFG UseKind representations.
3293         <https://webkit.org/b/138934>
3294
3295         Reviewed by Filip Pizlo.
3296
3297         * dfg/DFGUseKind.h:
3298         - Also regrouped the UseKind enums by representation to be more readable.
3299
3300 2014-11-20  Mark Lam  <mark.lam@apple.com>
3301
3302         Add Heap verification infrastructure.
3303         <https://webkit.org/b/138851>
3304
3305         Reviewed by Geoffrey Garen.
3306
3307         The verification infrastructure code is always built in but disabled by
3308         default.  When disabled, the cost is minimal:
3309         1. Heap has a m_verifier field.
3310         2. GC does a few "if (m_verifier)" checks that should fail.
3311         3. HeapVerifier takes up code space though not used.
3312
3313         When enabled:
3314         1. The HeapVerifier will keep data for N GC cycles.
3315            Each GC cycle will contain a "before marking" and "after marking" live
3316            object list.
3317            The GC cycles form a circular buffer.  Only data for the last N GC cycles
3318            will be retained.
3319         2. During GC, the current GC cycle's live objects lists will be populated
3320            before and after marking.
3321         3. The current GC cycle's live object lists will be validated before GC,
3322            after marking, and after GC.
3323
3324         Currently, the only validation being done is to verify that object
3325         butterflies are allocated from valid blocks in the Storage (aka Copied)
3326         space.
3327
3328         * CMakeLists.txt:
3329         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3330         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3331         * JavaScriptCore.xcodeproj/project.pbxproj:
3332         * heap/Heap.cpp:
3333         (JSC::Heap::Heap):
3334         (JSC::Heap::collect):
3335         * heap/Heap.h:
3336         * heap/HeapVerifier.cpp: Added.
3337         (JSC::LiveObjectList::findObject):
3338         (JSC::HeapVerifier::HeapVerifier):
3339         (JSC::HeapVerifier::collectionTypeName):
3340         (JSC::HeapVerifier::phaseName):
3341         (JSC::getButterflyDetails):
3342         (JSC::HeapVerifier::initializeGCCycle):
3343         (JSC::GatherLiveObjFunctor::GatherLiveObjFunctor):
3344         (JSC::GatherLiveObjFunctor::operator()):
3345         (JSC::HeapVerifier::gatherLiveObjects):
3346         (JSC::HeapVerifier::liveObjectListForGathering):
3347         (JSC::trimDeadObjectsFromList):
3348         (JSC::HeapVerifier::trimDeadObjects):
3349         (JSC::HeapVerifier::verifyButterflyIsInStorageSpace):
3350         (JSC::HeapVerifier::verify):
3351         (JSC::HeapVerifier::reportObject):
3352         (JSC::HeapVerifier::checkIfRecorded):
3353         * heap/HeapVerifier.h: Added.
3354         (JSC::LiveObjectData::LiveObjectData):
3355         (JSC::LiveObjectList::LiveObjectList):
3356         (JSC::LiveObjectList::reset):
3357         (JSC::HeapVerifier::GCCycle::GCCycle):
3358         (JSC::HeapVerifier::GCCycle::collectionTypeName):
3359         (JSC::HeapVerifier::incrementCycle):
3360         (JSC::HeapVerifier::currentCycle):
3361         (JSC::HeapVerifier::cycleForIndex):
3362         * runtime/Options.h:
3363
3364 2014-11-20  Yusuke Suzuki  <utatane.tea@gmail.com>
3365
3366         Rename String.prototype.contains to String.prototype.includes
3367         https://bugs.webkit.org/show_bug.cgi?id=138923
3368
3369         As per the latest TC39 meeting[1, 2], String.prototype.contains is
3370         renamed to String.prototype.includes. This is because the name
3371         `contains` breaks the web since it conflicts with existing `contains`
3372         implementations in major libraries.
3373
3374         [1]: https://github.com/mathiasbynens/String.prototype.includes
3375         [2]: https://github.com/tc39/test262/pull/119
3376
3377         Reviewed by Geoffrey Garen.
3378
3379         * runtime/StringPrototype.cpp:
3380         (JSC::StringPrototype::finishCreation):
3381         (JSC::stringProtoFuncIncludes):
3382         (JSC::stringProtoFuncContains): Deleted.
3383
3384 2014-11-19  Mark Lam  <mark.lam@apple.com>
3385
3386         WTFCrashWithSecurityImplication under SpeculativeJIT::compile() when loading a page from theblaze.com.
3387         <https://webkit.org/b/137642>
3388
3389         Reviewed by Filip Pizlo.
3390
3391         In the DFG, we have a ConstantFolding phase that occurs after all LocalCSE
3392         phases have already transpired.  Hence, Identity nodes introduced in the
3393         ConstantFolding phase will be left in the node graph.  Subsequently, the
3394         DFG code generator asserts that CSE phases have consumed all Identity nodes.
3395         This turns out to not be true.  Hence, the crash.  We fix this by teaching
3396         the DFG code generator to emit code for Identity nodes.
3397
3398         Unlike the DFG, the FTL does not have this issue.  That is because the FTL
3399         plan has GlobalCSE phases that come after ConstantFolding and any other
3400         phases that can generate Identity nodes.  Hence, for the FTL, it is true that
3401         CSE will consume all Identity nodes, and the code generator should not see any
3402         Identity nodes.
3403
3404         * dfg/DFGSpeculativeJIT32_64.cpp:
3405         (JSC::DFG::SpeculativeJIT::compile):