[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2015-01-22  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r178894.
        https://bugs.webkit.org/show_bug.cgi?id=140775

        Broke JSC and bindings tests (Requested by ap_ on #webkit).

        Reverted changeset:

        "put_by_val_direct need to check the property is index or not
        for using putDirect / putDirectIndex"
        https://bugs.webkit.org/show_bug.cgi?id=140426
        http://trac.webkit.org/changeset/178894

2015-01-22  Mark Lam  <mark.lam@apple.com>

        BytecodeGenerator::initializeCapturedVariable() sets a misleading value for the 5th operand of op_put_to_scope.
        <https://webkit.org/b/140743>

        Reviewed by Oliver Hunt.

        BytecodeGenerator::initializeCapturedVariable() was setting the 5th operand to
        op_put_to_scope to an inappropriate value (i.e. 0).  As a result, the execution
        of put_to_scope could store a wrong inferred value into the VariableWatchpointSet
        for which ever captured variable is at local index 0.  In practice, this turns
        out to be the local for the Arguments object.  In this reproduction case in the
        bug, the wrong inferred value written there is the boolean true.

        Subsequently, DFG compilation occurs and CreateArguments is emitted to first do
        a check of the local for the Arguments object.  But because that local has a
        wrong inferred value, the check always discovers a non-null value and we never
        actually create the Arguments object.  Immediately after this, an OSR exit
        occurs leaving the Arguments object local uninitialized.  Later on at arguments
        tear off, we run into a boolean true where we had expected to find an Arguments
        object, which in turn, leads to the crash.

        The fix is to:
        1. In the case where the resolveModeType is LocalClosureVar, change the
           5th operand of op_put_to_scope to be a boolean.  True means that the
           local var is watchable.  False means it is not watchable.  We no longer
           pass the local index (instead of true) and UINT_MAX (instead of false).

           This allows us to express more clearer in the code what that value means,
           as well as remove the redundant way of getting the local's identifier.
           The identifier is always the one passed in the 2nd operand. 

        2. Previously, though intuitively, we know that the watchable variable
           identifier should be the same as the one that is passed in operand 2, this
           relationship was not clear in the code.  By code analysis, I confirmed that 
           the callers of BytecodeGenerator::emitPutToScope() always use the same
           identifier for operand 2 and for filling out the ResolveScopeInfo from
           which we get the watchable variable identifier later.  I've changed the
           code to make this clear now by always using the identifier passed in
           operand 2.

        3. In the case where the resolveModeType is LocalClosureVar,
           initializeCapturedVariable() and emitPutToScope() will now query
           hasWatchableVariable() to determine if the local is watchable or not.
           Accordingly, we pass the boolean result of hasWatchableVariable() as
           operand 5 of op_put_to_scope.

        Also added some assertions.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::initializeCapturedVariable):
        (JSC::BytecodeGenerator::hasConstant):
        (JSC::BytecodeGenerator::emitPutToScope):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::hasWatchableVariable):
        (JSC::BytecodeGenerator::watchableVariableIdentifier):
        (JSC::BytecodeGenerator::watchableVariable): Deleted.

2015-01-22  Ryosuke Niwa  <rniwa@webkit.org>

        PropertyListNode::emitNode duplicates the code to put a constant property
        https://bugs.webkit.org/show_bug.cgi?id=140761

        Reviewed by Geoffrey Garen.

        Extracted PropertyListNode::emitPutConstantProperty to share the code.

        Also made PropertyListNode::emitBytecode private since nobody is calling this function directly.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::PropertyListNode::emitBytecode):
        (JSC::PropertyListNode::emitPutConstantProperty): Added.
        * parser/Nodes.h:

2015-01-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        put_by_val_direct need to check the property is index or not for using putDirect / putDirectIndex
        https://bugs.webkit.org/show_bug.cgi?id=140426

        Reviewed by Geoffrey Garen.

        In the put_by_val_direct operation, we use JSObject::putDirect.
        However, it only accepts non-index property. For index property, we need to use JSObject::putDirectIndex.
        This patch changes Identifier::asIndex() to return Optional<uint32_t>.
        It forces callers to check the value is index or not explicitly.
        Additionally, it checks toString-ed Identifier is index or not to choose putDirect / putDirectIndex.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitDirectPutById):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * jit/JITOperations.cpp:
        * jit/Repatch.cpp:
        (JSC::emitPutTransitionStubAndGetOldStructure):
        * jsc.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Arguments.cpp:
        (JSC::Arguments::getOwnPropertySlot):
        (JSC::Arguments::put):
        (JSC::Arguments::deleteProperty):
        (JSC::Arguments::defineOwnProperty):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSort):
        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitive):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
        (JSC::JSGenericTypedArrayView<Adaptor>::put):
        (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
        (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::putDirectCustomAccessor):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::putDirectMayBeIndex):
        (JSC::JSObject::defineOwnProperty):
        * runtime/JSObject.h:
        (JSC::JSObject::getOwnPropertySlot):
        (JSC::JSObject::getPropertySlot):
        (JSC::JSObject::putDirectInternal):
        * runtime/JSString.cpp:
        (JSC::JSString::getStringPropertyDescriptor):
        * runtime/JSString.h:
        (JSC::JSString::getStringPropertySlot):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::parse):
        * runtime/PropertyName.h:
        (JSC::toUInt32FromCharacters):
        (JSC::toUInt32FromStringImpl):
        (JSC::PropertyName::asIndex):
        * runtime/PropertyNameArray.cpp:
        (JSC::PropertyNameArray::add):
        * runtime/StringObject.cpp:
        (JSC::StringObject::deleteProperty):
        * runtime/Structure.cpp:
        (JSC::Structure::prototypeChainMayInterceptStoreTo):

2015-01-21  Ryosuke Niwa  <rniwa@webkit.org>

        Consolidate out arguments of parseFunctionInfo into a struct
        https://bugs.webkit.org/show_bug.cgi?id=140754

        Reviewed by Oliver Hunt.

        Introduced ParserFunctionInfo for storing out arguments of parseFunctionInfo.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createFunctionExpr):
        (JSC::ASTBuilder::createGetterOrSetterProperty): This one takes a property name in addition to
        ParserFunctionInfo since the property name and the function name could differ.
        (JSC::ASTBuilder::createFuncDeclStatement):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::Parser<LexerType>::parseFunctionDeclaration):
        (JSC::Parser<LexerType>::parseProperty):
        (JSC::Parser<LexerType>::parseMemberExpression):
        * parser/Parser.h:
        * parser/ParserFunctionInfo.h: Added.
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createFunctionExpr):
        (JSC::SyntaxChecker::createFuncDeclStatement):
        (JSC::SyntaxChecker::createClassDeclStatement):
        (JSC::SyntaxChecker::createGetterOrSetterProperty):

2015-01-21  Mark Hahnenberg  <mhahnenb@gmail.com>

        Change Heap::m_compiledCode to use a Vector
        https://bugs.webkit.org/show_bug.cgi?id=140717

        Reviewed by Andreas Kling.

        Right now it's a DoublyLinkedList, which is iterated during each
        collection. This contributes to some of the longish Eden pause times.
        A Vector would be more appropriate and would also allow ExecutableBase
        to be 2 pointers smaller.

        * heap/Heap.cpp:
        (JSC::Heap::deleteAllCompiledCode):
        (JSC::Heap::deleteAllUnlinkedFunctionCode):
        (JSC::Heap::clearUnmarkedExecutables):
        * heap/Heap.h:
        * runtime/Executable.h: No longer need to inherit from DoublyLinkedListNode.

2015-01-21  Ryosuke Niwa  <rniwa@webkit.org>

        BytecodeGenerator shouldn't expose all of its member variables
        https://bugs.webkit.org/show_bug.cgi?id=140752

        Reviewed by Mark Lam.

        Added "private:" and removed unused data members as detected by clang.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::lastOpcodeID): Added. Used in BinaryOpNode::emitBytecode.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BinaryOpNode::emitBytecode):

2015-01-21  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: ASSERT expanding objects in console PrimitiveBindingTraits<T>::assertValueHasExpectedType
        https://bugs.webkit.org/show_bug.cgi?id=140746

        Reviewed by Timothy Hatcher.

        * inspector/InjectedScriptSource.js:
        Do not add impure properties to the descriptor object that will
        eventually be sent to the frontend.

2015-01-21  Matthew Mirman  <mmirman@apple.com>

        Updated split such that it does not include the empty end of input string match.
        https://bugs.webkit.org/show_bug.cgi?id=138129
        <rdar://problem/18807403>

        Reviewed by Filip Pizlo.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncSplit):
        * tests/stress/empty_eos_regex_split.js: Added.

2015-01-21  Michael Saboff  <msaboff@apple.com>

        Eliminate Scope slot from JavaScript CallFrame
        https://bugs.webkit.org/show_bug.cgi?id=136724

        Reviewed by Geoffrey Garen.

        This finishes the removal of the scope chain slot from the call frame header.

        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * dfg/DFGPreciseLocalClobberize.h:
        (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * ftl/FTLJSCall.cpp:
        (JSC::FTL::JSCall::emit):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
        (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
        * interpreter/JSStack.h:
        * interpreter/VMInspector.cpp:
        (JSC::VMInspector::dumpFrame):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        * jit/Repatch.cpp:
        (JSC::generateByIdStub):
        (JSC::linkClosureCall):
        * jit/ThunkGenerators.cpp:
        (JSC::virtualForThunkGenerator):
        (JSC::nativeForGenerator):
        Deleted ScopeChain slot from JSStack.  Removed all code where ScopeChain was being
        read or set.  In most cases this was where we make JS calls.

        * interpreter/CallFrameClosure.h:
        (JSC::CallFrameClosure::setArgument):
        (JSC::CallFrameClosure::resetCallFrame): Deleted.
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        * interpreter/ProtoCallFrame.cpp:
        (JSC::ProtoCallFrame::init):
        * interpreter/ProtoCallFrame.h:
        (JSC::ProtoCallFrame::scope): Deleted.
        (JSC::ProtoCallFrame::setScope): Deleted.
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        Removed the related scopeChainValue member from ProtoCallFrame.  Reduced the number of
        registers that needed to be copied from the ProtoCallFrame to a callee's frame
        from 5 to 4.

        * llint/LowLevelInterpreter32_64.asm:
        In addition to the prior changes, also deleted the unused macro getDeBruijnScope.

2015-01-21  Michael Saboff  <msaboff@apple.com>

        Eliminate construct methods from NullGetterFunction and NullSetterFunction classes
        https://bugs.webkit.org/show_bug.cgi?id=140708

        Reviewed by Mark Lam.

        Eliminated construct methods and change getConstructData() for both classes to return
        ConstructTypeNone as they can never be called.

        * runtime/NullGetterFunction.cpp:
        (JSC::NullGetterFunction::getConstructData):
        (JSC::constructReturnUndefined): Deleted.
        * runtime/NullSetterFunction.cpp:
        (JSC::NullSetterFunction::getConstructData):
        (JSC::constructReturnUndefined): Deleted.

2015-01-21  Csaba Osztrogonác  <ossy@webkit.org>

        Remove ENABLE(INSPECTOR) ifdef guards
        https://bugs.webkit.org/show_bug.cgi?id=140668

        Reviewed by Darin Adler.

        * Configurations/FeatureDefines.xcconfig:
        * bindings/ScriptValue.cpp:
        (Deprecated::ScriptValue::toInspectorValue):
        * bindings/ScriptValue.h:
        * inspector/ConsoleMessage.cpp:
        * inspector/ConsoleMessage.h:
        * inspector/ContentSearchUtilities.cpp:
        * inspector/ContentSearchUtilities.h:
        * inspector/IdentifiersFactory.cpp:
        * inspector/IdentifiersFactory.h:
        * inspector/InjectedScript.cpp:
        * inspector/InjectedScript.h:
        * inspector/InjectedScriptBase.cpp:
        * inspector/InjectedScriptBase.h:
        * inspector/InjectedScriptHost.cpp:
        * inspector/InjectedScriptHost.h:
        * inspector/InjectedScriptManager.cpp:
        * inspector/InjectedScriptManager.h:
        * inspector/InjectedScriptModule.cpp:
        * inspector/InjectedScriptModule.h:
        * inspector/InspectorAgentRegistry.cpp:
        * inspector/InspectorBackendDispatcher.cpp:
        * inspector/InspectorBackendDispatcher.h:
        * inspector/InspectorProtocolTypes.h:
        * inspector/JSGlobalObjectConsoleClient.cpp:
        * inspector/JSGlobalObjectInspectorController.cpp:
        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/JSGlobalObjectScriptDebugServer.cpp:
        * inspector/JSGlobalObjectScriptDebugServer.h:
        * inspector/JSInjectedScriptHost.cpp:
        * inspector/JSInjectedScriptHost.h:
        * inspector/JSInjectedScriptHostPrototype.cpp:
        * inspector/JSInjectedScriptHostPrototype.h:
        * inspector/JSJavaScriptCallFrame.cpp:
        * inspector/JSJavaScriptCallFrame.h:
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        * inspector/JSJavaScriptCallFramePrototype.h:
        * inspector/JavaScriptCallFrame.cpp:
        * inspector/JavaScriptCallFrame.h:
        * inspector/ScriptCallFrame.cpp:
        (Inspector::ScriptCallFrame::buildInspectorObject):
        * inspector/ScriptCallFrame.h:
        * inspector/ScriptCallStack.cpp:
        (Inspector::ScriptCallStack::buildInspectorArray):
        * inspector/ScriptCallStack.h:
        * inspector/ScriptDebugServer.cpp:
        * inspector/agents/InspectorAgent.cpp:
        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        * inspector/agents/InspectorConsoleAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
        * inspector/agents/JSGlobalObjectConsoleAgent.h:
        * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
        * inspector/agents/JSGlobalObjectDebuggerAgent.h:
        * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
        * inspector/agents/JSGlobalObjectRuntimeAgent.h:
        * inspector/scripts/codegen/cpp_generator_templates.py:
        (CppGeneratorTemplates):
        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/enum-values.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::inspectorTypeSet):
        (JSC::StructureShape::inspectorRepresentation):

2015-01-20  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Clean up InjectedScriptSource.js
        https://bugs.webkit.org/show_bug.cgi?id=140709

        Reviewed by Timothy Hatcher.

        This patch includes some relevant Blink patches and small changes.
        
        Patch by <aandrey@chromium.org>
        DevTools: Remove console last result $_ on console clear.
        https://src.chromium.org/viewvc/blink?revision=179179&view=revision

        Patch by <eustas@chromium.org>
        [Inspect DOM properties] incorrect CSS Selector Syntax
        https://src.chromium.org/viewvc/blink?revision=156903&view=revision

        * inspector/InjectedScriptSource.js:

2015-01-20  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Cleanup RuntimeAgent a bit
        https://bugs.webkit.org/show_bug.cgi?id=140706

        Reviewed by Timothy Hatcher.

        * inspector/InjectedScript.h:
        * inspector/InspectorBackendDispatcher.h:
        * inspector/ScriptCallFrame.cpp:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::evaluate):
        (Inspector::InspectorRuntimeAgent::getProperties):
        (Inspector::InspectorRuntimeAgent::run):
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        (Inspector::recompileAllJSFunctionsForTypeProfiling):
        (Inspector::InspectorRuntimeAgent::setTypeProfilerEnabledState):

2015-01-20  Matthew Mirman  <mmirman@apple.com>

        Made Identity in the DFG allocate a new temp register and move 
        the old data to it.
        https://bugs.webkit.org/show_bug.cgi?id=140700
        <rdar://problem/19339106>

        Reviewed by Filip Pizlo.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): 
        Added scratch registers for Identity. 
        * tests/mozilla/mozilla-tests.yaml: enabled previously failing test

2015-01-20  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Expanding event objects in console shows undefined for most values, it should have real values
        https://bugs.webkit.org/show_bug.cgi?id=137306

        Reviewed by Timothy Hatcher.

        Provide another optional parameter to getProperties, to gather a list
        of all own and getter properties.

        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::getProperties):
        * inspector/InjectedScript.h:
        * inspector/InjectedScriptSource.js:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getProperties):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/protocol/Runtime.json:

2015-01-20  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Should show dynamic specificity values
        https://bugs.webkit.org/show_bug.cgi?id=140647

        Reviewed by Benjamin Poulain.

        * inspector/protocol/CSS.json:
        Clarify CSSSelector optional values and add "dynamic" property indicating
        if the selector can be dynamic based on the element it is matched against.

2015-01-20  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r178751.
        https://bugs.webkit.org/show_bug.cgi?id=140694

        Caused 32-bit JSC test failures (Requested by JoePeck on
        #webkit).

        Reverted changeset:

        "put_by_val_direct need to check the property is index or not
        for using putDirect / putDirectIndex"
        https://bugs.webkit.org/show_bug.cgi?id=140426
        http://trac.webkit.org/changeset/178751

2015-01-20  Yusuke Suzuki  <utatane.tea@gmail.com>

        put_by_val_direct need to check the property is index or not for using putDirect / putDirectIndex
        https://bugs.webkit.org/show_bug.cgi?id=140426

        Reviewed by Geoffrey Garen.

        In the put_by_val_direct operation, we use JSObject::putDirect.
        However, it only accepts non-index property. For index property, we need to use JSObject::putDirectIndex.
        This patch changes Identifier::asIndex() to return Optional<uint32_t>.
        It forces callers to check the value is index or not explicitly.
        Additionally, it checks toString-ed Identifier is index or not to choose putDirect / putDirectIndex.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitDirectPutById):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * jit/JITOperations.cpp:
        * jit/Repatch.cpp:
        (JSC::emitPutTransitionStubAndGetOldStructure):
        * jsc.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Arguments.cpp:
        (JSC::Arguments::getOwnPropertySlot):
        (JSC::Arguments::put):
        (JSC::Arguments::deleteProperty):
        (JSC::Arguments::defineOwnProperty):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSort):
        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitive):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
        (JSC::JSGenericTypedArrayView<Adaptor>::put):
        (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
        (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::putDirectCustomAccessor):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::putDirectMayBeIndex):
        (JSC::JSObject::defineOwnProperty):
        * runtime/JSObject.h:
        (JSC::JSObject::getOwnPropertySlot):
        (JSC::JSObject::getPropertySlot):
        (JSC::JSObject::putDirectInternal):
        * runtime/JSString.cpp:
        (JSC::JSString::getStringPropertyDescriptor):
        * runtime/JSString.h:
        (JSC::JSString::getStringPropertySlot):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::parse):
        * runtime/PropertyName.h:
        (JSC::toUInt32FromCharacters):
        (JSC::toUInt32FromStringImpl):
        (JSC::PropertyName::asIndex):
        * runtime/PropertyNameArray.cpp:
        (JSC::PropertyNameArray::add):
        * runtime/StringObject.cpp:
        (JSC::StringObject::deleteProperty):
        * runtime/Structure.cpp:
        (JSC::Structure::prototypeChainMayInterceptStoreTo):

2015-01-20  Michael Saboff  <msaboff@apple.com>

        REGRESSION(178696): Sporadic crashes while garbage collecting
        https://bugs.webkit.org/show_bug.cgi?id=140688

        Reviewed by Geoffrey Garen.

        Added missing visitor.append(&thisObject->m_nullSetterFunction).

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::visitChildren):

2015-01-19  Brian J. Burg  <burg@cs.washington.edu>

        Web Replay: code generator should take supplemental specifications and allow cross-framework references
        https://bugs.webkit.org/show_bug.cgi?id=136312

        Reviewed by Joseph Pecoraro.

        Some types are shared between replay inputs from different frameworks.
        Previously, these type declarations were duplicated in every input
        specification file in which they were used. This caused some type encoding
        traits to be emitted twice if used from WebCore inputs and WebKit2 inputs.

        This patch teaches the replay inputs code generator to accept multiple
        input specification files. Inputs can freely reference types from other
        frameworks without duplicating declarations.

        On the code generation side, the model could contain types and inputs from
        frameworks that are not the target framework. Only generate code for the
        target framework.

        To properly generate cross-framework type encoding traits, use
        Type.encoding_type_argument in more places, and add the export macro for WebCore
        and the Test framework.

        Adjust some tests so that enum coverage is preserved by moving the enum types
        into "Test" (the target framework for tests).

        * JavaScriptCore.vcxproj/copy-files.cmd:
        For Windows, copy over JSInputs.json as if it were a private header.

        * JavaScriptCore.xcodeproj/project.pbxproj: Make JSInputs.json a private header.
        * replay/JSInputs.json:
        Put all primitive types and WTF types in this specification file.

        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Input.__init__):
        (InputsModel.__init__): Keep track of the input's framework.
        (InputsModel.parse_specification): Parse the framework here. Adjust to new format,
        and allow either types or inputs to be missing from a single file.

        (InputsModel.parse_type_with_framework):
        (InputsModel.parse_input_with_framework):
        (Generator.should_generate_item): Added helper method.
        (Generator.generate_header): Filter inputs to generate.
        (Generator.generate_implementation): Filter inputs to generate.
        (Generator.generate_enum_trait_declaration): Filter enums to generate.
        Add WEBCORE_EXPORT macro to enum encoding traits.

        (Generator.generate_for_each_macro): Filter inputs to generate.
        (Generator.generate_enum_trait_implementation): Filter enums to generate.
        (generate_from_specifications): Added.
        (generate_from_specifications.parse_json_from_file):
        (InputsModel.parse_toplevel): Deleted.
        (InputsModel.parse_type_with_framework_name): Deleted.
        (InputsModel.parse_input): Deleted.
        (generate_from_specification): Deleted.
        * replay/scripts/CodeGeneratorReplayInputsTemplates.py:
        * replay/scripts/tests/expected/fail-on-no-inputs.json-error: Removed.
        * replay/scripts/tests/expected/fail-on-no-types.json-error: Removed.
        * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp:
        * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h:
        * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp:
        * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h:
        * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp:
        * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h:
        * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp:
        * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h:
        * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h:
        * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h:
        * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h:
        * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h:
        * replay/scripts/tests/fail-on-c-style-enum-no-storage.json:
        * replay/scripts/tests/fail-on-duplicate-enum-type.json:
        * replay/scripts/tests/fail-on-duplicate-input-names.json:
        * replay/scripts/tests/fail-on-duplicate-type-names.json:
        * replay/scripts/tests/fail-on-enum-type-missing-values.json:
        * replay/scripts/tests/fail-on-missing-input-member-name.json:
        * replay/scripts/tests/fail-on-missing-input-name.json:
        * replay/scripts/tests/fail-on-missing-input-queue.json:
        * replay/scripts/tests/fail-on-missing-type-mode.json:
        * replay/scripts/tests/fail-on-missing-type-name.json:
        * replay/scripts/tests/fail-on-no-inputs.json:
        Removed, no longer required to be in a single file.

        * replay/scripts/tests/fail-on-no-types.json:
        Removed, no longer required to be in a single file.

        * replay/scripts/tests/fail-on-unknown-input-queue.json:
        * replay/scripts/tests/fail-on-unknown-member-type.json:
        * replay/scripts/tests/fail-on-unknown-type-mode.json:
        * replay/scripts/tests/generate-enum-encoding-helpers-with-guarded-values.json:
        * replay/scripts/tests/generate-enum-encoding-helpers.json:
        * replay/scripts/tests/generate-enum-with-guard.json:
        Include enums that are and are not generated.

        * replay/scripts/tests/generate-enums-with-same-base-name.json:
        * replay/scripts/tests/generate-event-loop-shape-types.json:
        * replay/scripts/tests/generate-input-with-guard.json:
        * replay/scripts/tests/generate-input-with-vector-members.json:
        * replay/scripts/tests/generate-inputs-with-flags.json:
        * replay/scripts/tests/generate-memoized-type-modes.json:

2015-01-20  Tomas Popela  <tpopela@redhat.com>

        [GTK] Cannot compile 2.7.3 on PowerPC machines
        https://bugs.webkit.org/show_bug.cgi?id=140616

        Include climits for INT_MAX and wtf/DataLog.h for dataLogF

        Reviewed by Csaba Osztrogonác.

        * runtime/BasicBlockLocation.cpp:

2015-01-19  Michael Saboff  <msaboff@apple.com>

        A "cached" null setter should throw a TypeException when called in strict mode and doesn't
        https://bugs.webkit.org/show_bug.cgi?id=139418

        Reviewed by Filip Pizlo.

        Made a new NullSetterFunction class similar to NullGetterFunction.  The difference is that 
        NullSetterFunction will throw a TypeError per the ECMA262 spec for a strict mode caller.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        Added new files NullSetterFunction.cpp and NullSetterFunction.h.

        * runtime/GetterSetter.h:
        (JSC::GetterSetter::GetterSetter):
        (JSC::GetterSetter::isSetterNull):
        (JSC::GetterSetter::setSetter):
        Change setter instances from using NullGetterFunction to using NullSetterFunction.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::nullSetterFunction):
        Added m_nullSetterFunction and accessor.

        * runtime/NullSetterFunction.cpp: Added.
        (JSC::GetCallerStrictnessFunctor::GetCallerStrictnessFunctor):
        (JSC::GetCallerStrictnessFunctor::operator()):
        (JSC::GetCallerStrictnessFunctor::callerIsStrict):
        (JSC::callerIsStrict):
        Method to determine if the caller is in strict mode.

        (JSC::callReturnUndefined):
        (JSC::constructReturnUndefined):
        (JSC::NullSetterFunction::getCallData):
        (JSC::NullSetterFunction::getConstructData):
        * runtime/NullSetterFunction.h: Added.
        (JSC::NullSetterFunction::create):
        (JSC::NullSetterFunction::createStructure):
        (JSC::NullSetterFunction::NullSetterFunction):
        Class with handlers for a null setter.

2015-01-19  Saam Barati  <saambarati1@gmail.com>

        Web Inspector: Provide a front end for JSC's Control Flow Profiler
        https://bugs.webkit.org/show_bug.cgi?id=138454

        Reviewed by Timothy Hatcher.

        This patch puts the final touches on what JSC needs to provide
        for the Web Inspector to show a UI for the control flow profiler.

        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::recompileAllJSFunctionsForTypeProfiling):
        * runtime/ControlFlowProfiler.cpp:
        (JSC::ControlFlowProfiler::getBasicBlocksForSourceID):
        * runtime/FunctionHasExecutedCache.cpp:
        (JSC::FunctionHasExecutedCache::getFunctionRanges):
        (JSC::FunctionHasExecutedCache::getUnexecutedFunctionRanges): Deleted.
        * runtime/FunctionHasExecutedCache.h:

2015-01-19  David Kilzer  <ddkilzer@apple.com>

        [iOS] Only use LLVM static library arguments on 64-bit builds of libllvmForJSC.dylib
        <http://webkit.org/b/140658>

        Reviewed by Filip Pizlo.

        * Configurations/LLVMForJSC.xcconfig: Set OTHER_LDFLAGS_LLVM
        only when building for 64-bit architectures.

2015-01-19  Filip Pizlo  <fpizlo@apple.com>

        ClosureCallStubRoutine no longer needs codeOrigin
        https://bugs.webkit.org/show_bug.cgi?id=140659

        Reviewed by Michael Saboff.
        
        Once upon a time, we would look for the CodeOrigin associated with a return PC. This search
        would start with the CodeBlock according to the caller frame's call frame header. But if the
        call was a closure call, the return PC would be inside some closure call stub. So if the
        CodeBlock search failed, we would search *all* closure call stub routines to see which one
        encompasses the return PC. Then, we would use the CodeOrigin stored in the stub routine
        object. This was all a bunch of madness, and we actually got rid of it - we now determine
        the CodeOrigin for a call frame using the encoded code origin bits inside the tag of the
        argument count.
        
        This patch removes the final vestiges of the madness:
        
        - Remove the totally unused method declaration for the thing that did the closure call stub
          search.
        
        - Remove the CodeOrigin field from the ClosureCallStubRoutine. Except for that crazy search
          that we no longer do, everyone else who finds a ClosureCallStubRoutine will find it via
          the CallLinkInfo. The CallLinkInfo also has the CodeOrigin, so we don't need this field
          anymore.

        * bytecode/CodeBlock.h:
        * jit/ClosureCallStubRoutine.cpp:
        (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
        * jit/ClosureCallStubRoutine.h:
        (JSC::ClosureCallStubRoutine::executable):
        (JSC::ClosureCallStubRoutine::codeOrigin): Deleted.
        * jit/Repatch.cpp:
        (JSC::linkClosureCall):

2015-01-19  Saam Barati  <saambarati1@gmail.com>

        Basic block start offsets should never be larger than end offsets in the control flow profiler
        https://bugs.webkit.org/show_bug.cgi?id=140377

        Reviewed by Filip Pizlo.

        The bytecode generator will emit code more than once for some AST nodes. For instance, 
        the finally block of TryNode will emit two code paths for its finally block: one for 
        the normal path, and another for the path where an exception is thrown in the catch block. 
        
        This repeated code emission of the same AST node previously broke how the control 
        flow profiler computed text ranges of basic blocks because when the same AST node 
        is emitted multiple times, there is a good chance that there are ranges that span 
        from the end offset of one of these duplicated nodes back to the start offset of 
        the same duplicated node. This caused a basic block range to report a larger start 
        offset than end offset. This was incorrect. Now, when this situation is encountered 
        while linking a CodeBlock, the faulty range in question is ignored.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
        * bytecode/CodeBlock.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitMultiLoopBytecode):
        (JSC::ForOfNode::emitBytecode):
        (JSC::TryNode::emitBytecode):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseConditionalExpression):
        * runtime/ControlFlowProfiler.cpp:
        (JSC::ControlFlowProfiler::ControlFlowProfiler):
        * runtime/ControlFlowProfiler.h:
        (JSC::ControlFlowProfiler::dummyBasicBlock):

2015-01-19  Myles C. Maxfield  <mmaxfield@apple.com>

        [SVG -> OTF Converter] Flip the switch on
        https://bugs.webkit.org/show_bug.cgi?id=140592

        Reviewed by Antti Koivisto.

        * Configurations/FeatureDefines.xcconfig:

2015-01-19  Brian J. Burg  <burg@cs.washington.edu>

        Web Replay: convert to is<T> and downcast<T> for decoding replay inputs
        https://bugs.webkit.org/show_bug.cgi?id=140512

        Reviewed by Chris Dumez.

        Generate a SPECIALIZE_TYPE_TRAITS_* chunk of code for each input. This cannot
        be done using REPLAY_INPUT_NAMES_FOR_EACH macro since that doesn't fully qualify
        input types, and the type traits macro is defined in namespace WTF.

        * replay/NondeterministicInput.h: Make overridden methods public.
        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Generator.generate_header):
        (Generator.qualified_input_name): Allow forcing qualification. WTF is never a target framework.
        (Generator.generate_input_type_trait_declaration): Added.
        * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Add a template.
        * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h:
        * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h:
        * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h:
        * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h:
        * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h:
        * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h:
        * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h:
        * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h:

2015-01-19  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r178653.
        https://bugs.webkit.org/show_bug.cgi?id=140634

        Broke multiple SVG tests on Mountain Lion (Requested by ap on
        #webkit).

        Reverted changeset:

        "[SVG -> OTF Converter] Flip the switch on"
        https://bugs.webkit.org/show_bug.cgi?id=140592
        http://trac.webkit.org/changeset/178653

2015-01-18  Dean Jackson  <dino@apple.com>

        ES6: Support Array.of construction
        https://bugs.webkit.org/show_bug.cgi?id=140605
        <rdar://problem/19513655>

        Reviewed by Geoffrey Garen.

        Add and implementation of Array.of, described in 22.1.2.3 of the ES6
        specification (15 Jan 2015). The Array.of() method creates a new Array
        instance with a variable number of arguments, regardless of number or type
        of the arguments.

        * runtime/ArrayConstructor.cpp:
        (JSC::arrayConstructorOf): Create a new empty Array, then iterate
        over the arguments, setting them to the appropriate index.

2015-01-19  Myles C. Maxfield  <mmaxfield@apple.com>

        [SVG -> OTF Converter] Flip the switch on
        https://bugs.webkit.org/show_bug.cgi?id=140592

        Reviewed by Antti Koivisto.

        * Configurations/FeatureDefines.xcconfig:

2015-01-17  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: highlight data for overlay should use protocol type builders
        https://bugs.webkit.org/show_bug.cgi?id=129441

        Reviewed by Timothy Hatcher.

        Add a new domain for overlay types.

        * CMakeLists.txt:
        * DerivedSources.make:
        * inspector/protocol/OverlayTypes.json: Added.

2015-01-17  Michael Saboff  <msaboff@apple.com>

        Crash in JSScope::resolve() on tools.ups.com
        https://bugs.webkit.org/show_bug.cgi?id=140579

        Reviewed by Geoffrey Garen.

        For op_resolve_scope of a global property or variable that needs to check for the var
        injection check watchpoint, we need to keep the scope around with a Phantom.  The
        baseline JIT slowpath for op_resolve_scope needs the scope value if the watchpoint
        fired.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2015-01-16  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: code generator should introduce typedefs for protocol types that are arrays
        https://bugs.webkit.org/show_bug.cgi?id=140557

        Reviewed by Joseph Pecoraro.

        Currently, there is no generated type name for "array" type declarations such as Console.CallStack.
        This makes it longwinded and confusing to use the type in C++ code.

        This patch adds a typedef for array type declarations, so types such as Console::CallStack
        can be referred to directly, rather than using Inspector::Protocol::Array<Console::CallFrame>.

        Some tests were updated to cover array type declarations used as parameters and type members.

        * inspector/ScriptCallStack.cpp: Use the new typedef.
        (Inspector::ScriptCallStack::buildInspectorArray):
        * inspector/ScriptCallStack.h:
        * inspector/scripts/codegen/cpp_generator.py:
        (CppGenerator.cpp_protocol_type_for_type): If an ArrayType is nominal, use the typedef'd name instead.
        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        (_generate_typedefs_for_domain): Also generate typedefs for array type declarations.
        (_generate_typedefs_for_domain.Inspector):
        * inspector/scripts/codegen/models.py: Save the name of an ArrayType when it is a type declaration.
        (ArrayType.__init__):
        (Protocol.resolve_types):
        (Protocol.lookup_type_reference):
        * inspector/scripts/tests/commands-with-async-attribute.json:
        * inspector/scripts/tests/commands-with-optional-call-return-parameters.json:
        * inspector/scripts/tests/events-with-optional-parameters.json:
        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
        * inspector/scripts/tests/type-declaration-object-type.json:

2015-01-16  Brian J. Burg  <burg@cs.washington.edu>

        Web Replay: purge remaining PassRefPtr uses and minor cleanup
        https://bugs.webkit.org/show_bug.cgi?id=140456

        Reviewed by Andreas Kling.

        Get rid of PassRefPtr. Introduce default initializers where it makes sense.
        Remove mistaken uses of AtomicString that were not removed as part of r174113.

        * replay/EmptyInputCursor.h:
        * replay/InputCursor.h:
        (JSC::InputCursor::InputCursor):

2015-01-16  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: code generator should fail on duplicate parameter and member names
        https://bugs.webkit.org/show_bug.cgi?id=140555

        Reviewed by Timothy Hatcher.

        * inspector/scripts/codegen/models.py:
        (find_duplicates): Add a helper function to find duplicates in a list.
        (Protocol.parse_type_declaration):
        (Protocol.parse_command):
        (Protocol.parse_event):
        * inspector/scripts/tests/expected/fail-on-duplicate-command-call-parameter-names.json-error: Added.
        * inspector/scripts/tests/expected/fail-on-duplicate-command-return-parameter-names.json-error: Added.
        * inspector/scripts/tests/expected/fail-on-duplicate-event-parameter-names.json-error: Added.
        * inspector/scripts/tests/expected/fail-on-duplicate-type-member-names.json-error: Added.
        * inspector/scripts/tests/fail-on-duplicate-command-call-parameter-names.json: Added.
        * inspector/scripts/tests/fail-on-duplicate-command-return-parameter-names.json: Added.
        * inspector/scripts/tests/fail-on-duplicate-event-parameter-names.json: Added.
        * inspector/scripts/tests/fail-on-duplicate-type-member-names.json: Added.

2015-01-16  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r174226): Header on huffingtonpost.com is too large
        https://bugs.webkit.org/show_bug.cgi?id=140306

        Reviewed by Filip Pizlo.

        BytecodeGenerator::willResolveToArguments() is used to check to see if we can use the
        arguments register or whether we need to resolve "arguments".  If the arguments have
        been captured, then they are stored in the lexical environment and the arguments
        register is not used.

        Changed BytecodeGenerator::willResolveToArguments() to also check to see if the arguments
        register is captured.  Renamed the function to willResolveToArgumentsRegister() to
        better indicate what we are checking.

        Aligned 32 and 64 bit paths in ArgumentsRecoveryGenerator::generateFor() for creating
        an arguments object that was optimized out of an inlined callFrame.  The 32 bit path
        incorrectly calculated the location of the reified callee frame.  This alignment resulted
        in the removal of operationCreateInlinedArgumentsDuringOSRExit()

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::willResolveToArgumentsRegister):
        (JSC::BytecodeGenerator::uncheckedLocalArgumentsRegister):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitConstruct):
        (JSC::BytecodeGenerator::emitEnumeration):
        (JSC::BytecodeGenerator::willResolveToArguments): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BracketAccessorNode::emitBytecode):
        (JSC::DotAccessorNode::emitBytecode):
        (JSC::getArgumentByVal):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        (JSC::ArrayPatternNode::emitDirectBinding):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::ArgumentsRecoveryGenerator::generateFor):
        * dfg/DFGOperations.cpp:
        (JSC::operationCreateInlinedArgumentsDuringOSRExit): Deleted.
        * dfg/DFGOperations.h:
        (JSC::operationCreateInlinedArgumentsDuringOSRExit): Deleted.

2015-01-15  Csaba Osztrogonác  <ossy@webkit.org>

        Remove ENABLE(SQL_DATABASE) guards
        https://bugs.webkit.org/show_bug.cgi?id=140434

        Reviewed by Darin Adler.

        * CMakeLists.txt:
        * Configurations/FeatureDefines.xcconfig:
        * DerivedSources.make:
        * inspector/protocol/Database.json:

2015-01-14  Alexey Proskuryakov  <ap@apple.com>

        Web Inspector and regular console use different source code locations for messages
        https://bugs.webkit.org/show_bug.cgi?id=140478

        Reviewed by Brian Burg.

        * inspector/ConsoleMessage.h: Expose computed source location.

        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::addMessageToConsole):
        (Inspector::InspectorConsoleAgent::stopTiming):
        (Inspector::InspectorConsoleAgent::count):
        * inspector/agents/InspectorConsoleAgent.h:
        addMessageToConsole() now takes a pre-made ConsoleMessage object.

        * inspector/JSGlobalObjectConsoleClient.cpp:
        (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
        (Inspector::JSGlobalObjectConsoleClient::warnUnimplemented):
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::reportAPIException):
        * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
        (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
        Updated for the above changes.

2015-01-15  Mark Lam  <mark.lam@apple.com>

        [Part 2] Argument object created by "Function dot arguments" should use a clone of argument values.
        <https://webkit.org/b/140093>

        Reviewed by Geoffrey Garen.

        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::createArguments):
        - We should not fetching the lexicalEnvironment here.  The reason we've
          introduced the ClonedArgumentsCreationMode is because the lexicalEnvironment
          may not be available to us at this point.  Instead, we'll just pass a nullptr.

        * runtime/Arguments.cpp:
        (JSC::Arguments::tearOffForCloning):
        * runtime/Arguments.h:
        (JSC::Arguments::finishCreation):
        - Use the new tearOffForCloning() to tear off arguments right out of the values
          passed on the stack.  tearOff() is not appropriate for this purpose because
          it takes slowArgumentsData into account.

2015-01-14  Matthew Mirman  <mmirman@apple.com>

        Removed accidental commit of "invalid_array.js" 
        http://trac.webkit.org/changeset/178439

        * tests/stress/invalid_array.js: Removed.

2015-01-14  Matthew Mirman  <mmirman@apple.com>

        Fixes operationPutByIdOptimizes such that they check that the put didn't
        change the structure of the object who's property access is being
        cached.  Also removes uses of the new base value from the cache generation code.
        https://bugs.webkit.org/show_bug.cgi?id=139500

        Reviewed by Filip Pizlo.

        * jit/JITOperations.cpp:
        (JSC::operationPutByIdStrictOptimize): saved the structure before the put.
        (JSC::operationPutByIdNonStrictOptimize): ditto.
        (JSC::operationPutByIdDirectStrictOptimize): ditto.
        (JSC::operationPutByIdDirectNonStrictOptimize): ditto.
        * jit/Repatch.cpp:
        (JSC::generateByIdStub):
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        (JSC::emitPutReplaceStub):
        (JSC::emitPutTransitionStubAndGetOldStructure): Added.
        (JSC::tryCachePutByID):
        (JSC::repatchPutByID):
        (JSC::tryBuildPutByIdList):
        (JSC::tryRepatchIn):
        (JSC::emitPutTransitionStub): Deleted.
        * jit/Repatch.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/JSPropertyNameEnumerator.h:
        (JSC::genericPropertyNameEnumerator):
        * runtime/Operations.h:
        (JSC::normalizePrototypeChainForChainAccess): restructured to not use the base value.
        (JSC::normalizePrototypeChain): restructured to not use the base value.
        * tests/mozilla/mozilla-tests.yaml:
        * tests/stress/proto-setter.js: Added.
        * tests/stress/put-by-id-build-list-order-recurse.js: Added.
        Added test that fails without this patch.

2015-01-13  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove unused ResizeImage and DecodeImageData timeline events
        https://bugs.webkit.org/show_bug.cgi?id=140404

        Reviewed by Timothy Hatcher.

        * inspector/protocol/Timeline.json:

2015-01-13  Yusuke Suzuki  <utatane.tea@gmail.com>

        DFG can call PutByValDirect for generic arrays
        https://bugs.webkit.org/show_bug.cgi?id=140389

        Reviewed by Geoffrey Garen.

        Computed properties in object initializers (ES6) use the put_by_val_direct operation.
        However, current DFG asserts that put_by_val_direct is not used for the generic array,
        the assertion failure is raised.
        This patch allow DFG to use put_by_val_direct to generic arrays.

        And fix the DFG put_by_val_direct implementation for string properties.
        At first, put_by_val_direct is inteded to be used for spread elements.
        So the property keys were limited to numbers (indexes).
        But now, it's also used for computed properties in object initializers.

        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2015-01-13  Geoffrey Garen  <ggaren@apple.com>

        Out of bounds access in BytecodeGenerator::emitGetById under DotAccessorNode::emitBytecode
        https://bugs.webkit.org/show_bug.cgi?id=140397

        Reviewed by Geoffrey Garen.

        Patch by Alexey Proskuryakov.

        Reviewed, performance tested, and ChangeLogged by Geoffrey Garen.

        No performance change.

        No test, since this is a small past-the-end read, which is very
        difficult to turn into a reproducible failing test -- and existing tests
        crash reliably using ASan.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::BracketAccessorNode::emitBytecode):
        (JSC::DotAccessorNode::emitBytecode):
        (JSC::FunctionCallBracketNode::emitBytecode):
        (JSC::PostfixNode::emitResolve):
        (JSC::DeleteBracketNode::emitBytecode):
        (JSC::DeleteDotNode::emitBytecode):
        (JSC::PrefixNode::emitResolve):
        (JSC::UnaryOpNode::emitBytecode):
        (JSC::BitwiseNotNode::emitBytecode):
        (JSC::BinaryOpNode::emitBytecode):
        (JSC::EqualNode::emitBytecode):
        (JSC::StrictEqualNode::emitBytecode):
        (JSC::ThrowableBinaryOpNode::emitBytecode):
        (JSC::AssignDotNode::emitBytecode):
        (JSC::AssignBracketNode::emitBytecode): Use RefPtr in more places. Any
        register used across a call to a function that might allocate a new
        temporary register must be held in a RefPtr.

2015-01-12  Michael Saboff  <msaboff@apple.com>

        Local JSArray* "keys" in objectConstructorKeys() is not marked during garbage collection
        https://bugs.webkit.org/show_bug.cgi?id=140348

        Reviewed by Mark Lam.

        We used to read registers in MachineThreads::gatherFromCurrentThread(), but that is too late
        because those registers may have been spilled on the stack and replaced with other values by
        the time we call down to gatherFromCurrentThread().

        Now we get the register contents at the same place that we demarcate the current top of
        stack using the address of a local variable, in Heap::markRoots().  The register contents
        buffer is passed along with the demarcation pointer.  These need to be done at this level 
        in the call tree and no lower, as markRoots() calls various functions that visit object
        pointers that may be latter proven dead.  Any of those pointers that are left on the
        stack or in registers could be incorrectly marked as live if we scan the stack contents
        from a called function or one of its callees.  The stack demarcation pointer and register
        saving need to be done in the same function so that we have a consistent stack, active
        and spilled registers.

        Because we don't want to make unnecessary calls to get the register contents, we use
        a macro to allocated, and possibly align, the register structure and get the actual
        register contents.


        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::gatherStackRoots):
        * heap/Heap.h:
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::gatherFromCurrentThread):
        (JSC::MachineThreads::gatherConservativeRoots):
        * heap/MachineStackMarker.h:

2015-01-12  Benjamin Poulain  <benjamin@webkit.org>

        Add basic pattern matching support to the url filters
        https://bugs.webkit.org/show_bug.cgi?id=140283

        Reviewed by Andreas Kling.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        Make YarrParser.h private in order to use it from WebCore.

2015-01-12  Geoffrey Garen  <ggaren@apple.com>

        Out of bounds read in IdentifierArena::makeIdentifier
        https://bugs.webkit.org/show_bug.cgi?id=140376

        Patch by Alexey Proskuryakov.

        Reviewed and ChangeLogged by Geoffrey Garen.

        No test, since this is a small past-the-end read, which is very
        difficult to turn into a reproducible failing test -- and existing tests
        crash reliably using ASan.

        * parser/ParserArena.h:
        (JSC::IdentifierArena::makeIdentifier):
        (JSC::IdentifierArena::makeIdentifierLCharFromUChar): Check for a
        zero-length string input, like we do in the literal parser, since it is
        not valid to dereference characters in a zero-length string.

        A zero-length string is allowed in JavaScript -- for example, "".

2015-01-11  Sam Weinig  <sam@webkit.org>

        Remove support for SharedWorkers
        https://bugs.webkit.org/show_bug.cgi?id=140344

        Reviewed by Anders Carlsson.

        * Configurations/FeatureDefines.xcconfig:

2015-01-12  Myles C. Maxfield  <mmaxfield@apple.com>

        Allow targetting the SVG->OTF font converter with ENABLE(SVG_OTF_CONVERTER)
        https://bugs.webkit.org/show_bug.cgi?id=136769

        Reviewed by Antti Koivisto.

        * Configurations/FeatureDefines.xcconfig:

2015-01-12  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r178266.
        https://bugs.webkit.org/show_bug.cgi?id=140363

        Broke a JSC test (Requested by ap on #webkit).

        Reverted changeset:

        "Local JSArray* "keys" in objectConstructorKeys() is not
        marked during garbage collection"
        https://bugs.webkit.org/show_bug.cgi?id=140348
        http://trac.webkit.org/changeset/178266

2015-01-12  Michael Saboff  <msaboff@apple.com>

        Local JSArray* "keys" in objectConstructorKeys() is not marked during garbage collection
        https://bugs.webkit.org/show_bug.cgi?id=140348

        Reviewed by Mark Lam.

        Move the address of the local variable that is used to demarcate the top of the stack for 
        conservative roots down to MachineThreads::gatherFromCurrentThread() since it also gets
        the register values using setjmp().  That way we don't lose any callee save register
        contents between Heap::markRoots(), where it was set, and gatherFromCurrentThread().
        If we lose any JSObject* that are only in callee save registers, they will be GC'ed
        erroneously.

        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::gatherStackRoots):
        * heap/Heap.h:
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::gatherFromCurrentThread):
        (JSC::MachineThreads::gatherConservativeRoots):
        * heap/MachineStackMarker.h:

2015-01-11  Eric Carlson  <eric.carlson@apple.com>

        Fix typo in testate.c error messages
        https://bugs.webkit.org/show_bug.cgi?id=140305

        Reviewed by Geoffrey Garen.

        * API/tests/testapi.c:
        (main): "... script did not timed out ..." -> "... script did not time out ..."

2015-01-09  Michael Saboff  <msaboff@apple.com>

        Breakpoint doesn't fire in this HTML5 game
        https://bugs.webkit.org/show_bug.cgi?id=140269

        Reviewed by Mark Lam.

        When parsing a single line cached function, use the lineStartOffset of the
        location where we found the cached function instead of the cached lineStartOffset.
        The cache location's lineStartOffset has not been adjusted for any possible
        containing functions.

        This change is not needed for multi-line cached functions.  Consider the
        single line source:

        function outer(){function inner1(){doStuff();}; (function inner2() {doMoreStuff()})()}

        The first parser pass, we parse and cache inner1() and inner2() with a lineStartOffset
        of 0.  Later when we parse outer() and find inner1() in the cache, SourceCode start
        character is at outer()'s outermost open brace.  That is what we should use for
        lineStartOffset for inner1().  When done parsing inner1() we set the parsing token
        to the saved location for inner1(), including the lineStartOffset of 0.  We need
        to use the value of lineStartOffset before we started parsing inner1().  That is
        what the fix does.  When we parse inner2() the lineStartOffset will be correct.

        For a multi-line function, the close brace is guaranteed to be on a different line
        than the open brace.  Hence, its lineStartOffset will not change with the change of
        the SourceCode start character

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseFunctionInfo):

2015-01-09  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Uncaught Exception in ProbeManager deleting breakpoint
        https://bugs.webkit.org/show_bug.cgi?id=140279
        rdar://problem/19422299

        Reviewed by Oliver Hunt.

        * runtime/MapData.cpp:
        (JSC::MapData::replaceAndPackBackingStore):
        The cell table also needs to have its values fixed.

2015-01-09  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove or use TimelineAgent Resource related event types
        https://bugs.webkit.org/show_bug.cgi?id=140155

        Reviewed by Timothy Hatcher.

        Remove unused / stale Timeline event types.

        * inspector/protocol/Timeline.json:

2015-01-09  Csaba Osztrogonác  <ossy@webkit.org>

        REGRESSION(r177925): It broke the !ENABLE(INSPECTOR) build
        https://bugs.webkit.org/show_bug.cgi?id=140098

        Reviewed by Brian Burg.

        * inspector/InspectorBackendDispatcher.h: Missing ENABLE(INSPECTOR) guard added.

2015-01-08  Mark Lam  <mark.lam@apple.com>

        Argument object created by "Function dot arguments" should use a clone of the argument values.
        <https://webkit.org/b/140093>

        Reviewed by Geoffrey Garen.

        After the change in <https://webkit.org/b/139827>, the dfg-tear-off-arguments-not-activation.js
        test will crash.  The relevant code which manifests the issue is as follows:

            function bar() {
                return foo.arguments;
            }

            function foo(p) {
                var x = 42;
                if (p)
                    return (function() { return x; });
                else
                    return bar();
            }

        In this case, foo() has no knowledge of bar() needing its LexicalEnvironment and
        has dead code eliminated the SetLocal that stores it into its designated local.
        In bar(), the factory for the Arguments object (for creating foo.arguments) tries
        to read foo's LexicalEnvironment from its designated lexicalEnvironment local,
        but instead, finds it to be uninitialized.  This results in a null pointer access
        which causes a crash.

        This can be resolved by having bar() instantiate a clone of the Arguments object
        instead, and populate its elements with values fetched directly from foo's frame.
        There's no need to reference foo's LexicalEnvironment (whether present or not).

        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::createArguments):
        * runtime/Arguments.h:
        (JSC::Arguments::finishCreation):

2015-01-08  Mark Lam  <mark.lam@apple.com>

        Make the LLINT and Baseline JIT's op_create_arguments and op_get_argument_by_val use their lexicalEnvironment operand.
        <https://webkit.org/b/140236>

        Reviewed by Geoffrey Garen.

        Will change the DFG to use the operand on a subsequent pass.  For now,
        the DFG uses a temporary thunk (operationCreateArgumentsForDFG()) to
        retain the old behavior of getting the lexicalEnviroment from the
        ExecState.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitGetArgumentByVal):
        (JSC::BytecodeGenerator::createArgumentsIfNecessary):
        - When the lexicalEnvironment is not available, pass the invalid VirtualRegister
          instead of an empty JSValue as the lexicalEnvironment operand.

        * dfg/DFGOperations.cpp:
        - Use the lexicalEnvironment from the ExecState for now.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        - Use the operationCreateArgumentsForDFG() thunk for now.

        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::lexicalEnvironmentOrNullptr):
        * interpreter/CallFrame.h:
        - Added this convenience function to return either the
          lexicalEnvironment or a nullptr so that we don't need to do a
          conditional check on codeBlock->needsActivation() at multiple sites.

        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::createArguments):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_create_arguments):
        (JSC::JIT::emitSlow_op_get_argument_by_val):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_create_arguments):
        (JSC::JIT::emitSlow_op_get_argument_by_val):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Arguments.h:
        (JSC::Arguments::create):
        (JSC::Arguments::finishCreation):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::argumentsGetter):

2015-01-08  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Pause Reason Improvements (Breakpoint, Debugger Statement, Pause on Next Statement)
        https://bugs.webkit.org/show_bug.cgi?id=138991

        Reviewed by Timothy Hatcher.

        * debugger/Debugger.cpp:
        (JSC::Debugger::Debugger):
        (JSC::Debugger::pauseIfNeeded):
        (JSC::Debugger::didReachBreakpoint):
        When actually pausing, if we hit a breakpoint ensure the reason
        is PausedForBreakpoint, otherwise use the current reason.

        * debugger/Debugger.h:
        Make pause reason and pausing breakpoint ID public.

        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::buildAssertPauseReason):
        (Inspector::buildCSPViolationPauseReason):
        (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
        (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason):
        (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
        (Inspector::buildObjectForBreakpointCookie):
        (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
        (Inspector::InspectorDebuggerAgent::removeBreakpoint):
        (Inspector::InspectorDebuggerAgent::resolveBreakpoint):
        (Inspector::InspectorDebuggerAgent::pause):
        (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP):
        (Inspector::InspectorDebuggerAgent::currentCallFrames):
        (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
        Clean up creation of pause reason objects and other cleanup
        of PassRefPtr use and InjectedScript use.

        (Inspector::InspectorDebuggerAgent::didPause):
        Clean up so that we first check for an Exception, and then fall
        back to including a Pause Reason derived from the Debugger.

        * inspector/protocol/Debugger.json:
        Add new DebuggerStatement, Breakpoint, and PauseOnNextStatement reasons.

2015-01-08  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Type check NSArray's in ObjC Interfaces have the right object types
        https://bugs.webkit.org/show_bug.cgi?id=140209

        Reviewed by Timothy Hatcher.

        Check the types of objects in NSArrays for all interfaces (commands, events, types)
        when the user can set an array of objects. Previously we were only type checking
        they were RWIJSONObjects, now we add an explicit check for the exact object type.

        * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
        (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
        * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
        (ObjCFrontendDispatcherImplementationGenerator._generate_event):
        * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
        (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members):
        (ObjCProtocolTypesImplementationGenerator._generate_setter_for_member):
        * inspector/scripts/codegen/objc_generator.py:
        (ObjCGenerator.objc_class_for_array_type):
        (ObjCGenerator):

2015-01-07  Mark Lam  <mark.lam@apple.com>

        Add the lexicalEnvironment as an operand to op_get_argument_by_val.
        <https://webkit.org/b/140233>

        Reviewed by Filip Pizlo.

        This patch only adds the operand to the bytecode.  It is not in use yet.

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetArgumentByVal):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2015-01-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        Investigate the character type of repeated string instead of checking is8Bit flag
        https://bugs.webkit.org/show_bug.cgi?id=140139

        Reviewed by Darin Adler.

        Instead of checking is8Bit flag of the repeated string, investigate
        the actual value of the repeated character since i8Bit flag give a false negative case.

        * runtime/StringPrototype.cpp:
        (JSC::repeatCharacter):
        (JSC::stringProtoFuncRepeat):
        (JSC::repeatSmallString): Deleted.

2015-01-07  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: ObjC Generate types from the GenericTypes domain
        https://bugs.webkit.org/show_bug.cgi?id=140229

        Reviewed by Timothy Hatcher.

        Generate types from the GenericTypes domain, as they are expected
        by other domains (like Page domain). Also, don't include the @protocol
        forward declaration for a domain if it doesn't have any commands.

        * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
        (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations):
        (ObjCBackendDispatcherHeaderGenerator): Deleted.
        (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations_for_domains): Deleted.
        * inspector/scripts/codegen/objc_generator.py:
        (ObjCGenerator):
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/enum-values.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:

2015-01-07  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove unnecessary copyRef for paramsObject in generated dispatchers
        https://bugs.webkit.org/show_bug.cgi?id=140228

        Reviewed by Timothy Hatcher.

        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
        (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
        * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
        (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
        * inspector/scripts/tests/expected/enum-values.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:

2015-01-07  Saam Barati  <saambarati1@gmail.com>

        interpret op_profile_type in the LLInt instead of unconditionally calling into the slow path
        https://bugs.webkit.org/show_bug.cgi?id=140165

        Reviewed by Michael Saboff.

        Inlining the functionality of TypeProfilerLog::recordTypeInformationForLocation
        into the LLInt speeds up type profiling.

        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        * runtime/TypeProfilerLog.h:
        (JSC::TypeProfilerLog::recordTypeInformationForLocation): Deleted.

2015-01-07  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: purge PassRefPtr from Inspector code and use Ref for typed and untyped protocol objects
        https://bugs.webkit.org/show_bug.cgi?id=140053

        Reviewed by Andreas Kling.

        This patch replaces uses of PassRefPtr with uses of RefPtr&& and WTF::move() in code
        related to Web Inspector. It also converts many uses of RefPtr to Ref where
        references are always non-null. These two refactorings have been combined since
        they tend to require similar changes to the code.

        Creation methods for subclasses of InspectorValue now return a Ref, and callsites
        have been updated to take a Ref instead of RefPtr.

        Builders for typed protocol objects now return a Ref. Since there is no implicit
        call to operator&, callsites now must explicitly call .release() to convert a
        builder object into the corresponding protocol object once required fields are set.
        Update callsites and use auto to eliminate repetition of longwinded protocol types.

        Tests for inspector protocol and replay inputs have been rebaselined.

        * bindings/ScriptValue.cpp:
        (Deprecated::jsToInspectorValue):
        (Deprecated::ScriptValue::toInspectorValue):
        * bindings/ScriptValue.h:
        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::addToFrontend):
        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::buildObjectForSearchMatch):
        (Inspector::ContentSearchUtilities::searchInTextByLines):
        * inspector/ContentSearchUtilities.h:
        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::getFunctionDetails):
        (Inspector::InjectedScript::getProperties):
        (Inspector::InjectedScript::getInternalProperties):
        (Inspector::InjectedScript::wrapCallFrames):
        (Inspector::InjectedScript::wrapObject):
        (Inspector::InjectedScript::wrapTable):
        * inspector/InjectedScript.h:
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::makeEvalCall): Split the early exits.
        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::InspectorBackendDispatcher::CallbackBase::CallbackBase):
        (Inspector::InspectorBackendDispatcher::CallbackBase::sendIfActive):
        (Inspector::InspectorBackendDispatcher::create):
        (Inspector::InspectorBackendDispatcher::dispatch):
        (Inspector::InspectorBackendDispatcher::sendResponse):
        (Inspector::InspectorBackendDispatcher::reportProtocolError):
        (Inspector::getPropertyValue): Add a comment to clarify what this clever code does.
        (Inspector::InspectorBackendDispatcher::getInteger):
        (Inspector::InspectorBackendDispatcher::getDouble):
        (Inspector::InspectorBackendDispatcher::getString):
        (Inspector::InspectorBackendDispatcher::getBoolean):
        (Inspector::InspectorBackendDispatcher::getObject):
        (Inspector::InspectorBackendDispatcher::getArray):
        (Inspector::InspectorBackendDispatcher::getValue):
        * inspector/InspectorBackendDispatcher.h: Use a typed protocol object to collect
        protocol error strings.
        (Inspector::InspectorSupplementalBackendDispatcher::InspectorSupplementalBackendDispatcher):
        Convert the supplemental dispatcher's reference to Ref since it is never null.
        * inspector/InspectorEnvironment.h:
        * inspector/InspectorProtocolTypes.h: Get rid of ArrayItemHelper and
        StructItemTraits. Add more versions of addItem to handle pushing various types.
        (Inspector::Protocol::Array::openAccessors):
        (Inspector::Protocol::Array::addItem):
        (Inspector::Protocol::Array::create):
        (Inspector::Protocol::StructItemTraits::push):
        (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast): Assert argument.
        (Inspector::Protocol::StructItemTraits::pushRefPtr): Deleted.
        (Inspector::Protocol::ArrayItemHelper<String>::Traits::pushRaw): Deleted.
        (Inspector::Protocol::ArrayItemHelper<int>::Traits::pushRaw): Deleted.
        (Inspector::Protocol::ArrayItemHelper<double>::Traits::pushRaw): Deleted.
        (Inspector::Protocol::ArrayItemHelper<bool>::Traits::pushRaw): Deleted.
        (Inspector::Protocol::ArrayItemHelper<InspectorValue>::Traits::pushRefPtr): Deleted.
        (Inspector::Protocol::ArrayItemHelper<InspectorObject>::Traits::pushRefPtr): Deleted.
        (Inspector::Protocol::ArrayItemHelper<InspectorArray>::Traits::pushRefPtr): Deleted.
        (Inspector::Protocol::ArrayItemHelper<Protocol::Array<T>>::Traits::pushRefPtr): Deleted.
        * inspector/InspectorValues.cpp: Straighten out getArray and getObject to have
        the same call signature as other getters. Use Ref where possible.
        (Inspector::InspectorObjectBase::getBoolean):
        (Inspector::InspectorObjectBase::getString):
        (Inspector::InspectorObjectBase::getObject):
        (Inspector::InspectorObjectBase::getArray):
        (Inspector::InspectorObjectBase::getValue):
        (Inspector::InspectorObjectBase::writeJSON):
        (Inspector::InspectorArrayBase::get):
        (Inspector::InspectorObject::create):
        (Inspector::InspectorArray::create):
        (Inspector::InspectorValue::null):
        (Inspector::InspectorString::create):
        (Inspector::InspectorBasicValue::create):
        (Inspector::InspectorObjectBase::get): Deleted.
        * inspector/InspectorValues.h:
        (Inspector::InspectorObjectBase::setValue):
        (Inspector::InspectorObjectBase::setObject):
        (Inspector::InspectorObjectBase::setArray):
        (Inspector::InspectorArrayBase::pushValue):
        (Inspector::InspectorArrayBase::pushObject):
        (Inspector::InspectorArrayBase::pushArray):
        * inspector/JSGlobalObjectConsoleClient.cpp:
        (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
        (Inspector::JSGlobalObjectConsoleClient::count):
        (Inspector::JSGlobalObjectConsoleClient::timeEnd):
        (Inspector::JSGlobalObjectConsoleClient::timeStamp):
        * inspector/JSGlobalObjectConsoleClient.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::executionStopwatch):
        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/ScriptCallFrame.cpp:
        (Inspector::ScriptCallFrame::buildInspectorObject):
        * inspector/ScriptCallFrame.h:
        * inspector/ScriptCallStack.cpp:
        (Inspector::ScriptCallStack::create):
        (Inspector::ScriptCallStack::buildInspectorArray):
        * inspector/ScriptCallStack.h:
        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::enable):
        (Inspector::InspectorAgent::inspect):
        (Inspector::InspectorAgent::activateExtraDomain):
        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
        (Inspector::buildObjectForBreakpointCookie):
        (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
        (Inspector::InspectorDebuggerAgent::setBreakpoint):
        (Inspector::InspectorDebuggerAgent::continueToLocation):
        (Inspector::InspectorDebuggerAgent::resolveBreakpoint):
        (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
        (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP):
        (Inspector::InspectorDebuggerAgent::currentCallFrames):
        (Inspector::InspectorDebuggerAgent::didParseSource):
        (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
        (Inspector::InspectorDebuggerAgent::breakProgram):
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::buildErrorRangeObject):
        (Inspector::InspectorRuntimeAgent::callFunctionOn):
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        (Inspector::InspectorRuntimeAgent::getBasicBlocks):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/scripts/codegen/cpp_generator.py:
        (CppGenerator.cpp_type_for_unchecked_formal_in_parameter):
        (CppGenerator.cpp_type_for_type_with_name):
        (CppGenerator.cpp_type_for_formal_async_parameter):
        (CppGenerator.should_use_references_for_type):
        (CppGenerator):
        * inspector/scripts/codegen/cpp_generator_templates.py:
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
        (CppBackendDispatcherHeaderGenerator.generate_output):
        (CppBackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
        (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
        (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
        (CppFrontendDispatcherHeaderGenerator.generate_output):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
        (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        (CppProtocolTypesHeaderGenerator.generate_output):
        (_generate_class_for_object_declaration):
        (_generate_unchecked_setter_for_member):
        (_generate_forward_declarations_for_binding_traits):
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
        (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
        * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
        (ObjCFrontendDispatcherImplementationGenerator._generate_event):
        (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
        * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
        (ObjCProtocolTypesImplementationGenerator.generate_output):
        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/enum-values.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
        * replay/EncodedValue.cpp:
        (JSC::EncodedValue::asObject):
        (JSC::EncodedValue::asArray):
        (JSC::EncodedValue::put<EncodedValue>):
        (JSC::EncodedValue::append<EncodedValue>):
        (JSC::EncodedValue::get<EncodedValue>):
        * replay/EncodedValue.h:
        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Type.borrow_type):
        (Type.argument_type):
        (Generator.generate_member_move_expression):
        * runtime/ConsoleClient.cpp:
        (JSC::ConsoleClient::printConsoleMessageWithArguments):
        (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
        (JSC::ConsoleClient::logWithLevel):
        (JSC::ConsoleClient::clear):
        (JSC::ConsoleClient::dir):
        (JSC::ConsoleClient::dirXML):
        (JSC::ConsoleClient::table):
        (JSC::ConsoleClient::trace):
        (JSC::ConsoleClient::assertCondition):
        (JSC::ConsoleClient::group):
        (JSC::ConsoleClient::groupCollapsed):
        (JSC::ConsoleClient::groupEnd):
        * runtime/ConsoleClient.h:
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::allStructureRepresentations):
        (JSC::TypeSet::inspectorTypeSet):
        (JSC::StructureShape::inspectorRepresentation):
        * runtime/TypeSet.h:

2015-01-07  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r178039.
        https://bugs.webkit.org/show_bug.cgi?id=140187

        Breaks ObjC Inspector Protocol (Requested by JoePeck on
        #webkit).

        Reverted changeset:

        "Web Inspector: purge PassRefPtr from Inspector code and use
        Ref for typed and untyped protocol objects"
        https://bugs.webkit.org/show_bug.cgi?id=140053
        http://trac.webkit.org/changeset/178039

2015-01-06  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: purge PassRefPtr from Inspector code and use Ref for typed and untyped protocol objects
        https://bugs.webkit.org/show_bug.cgi?id=140053

        Reviewed by Andreas Kling.

        This patch replaces uses of PassRefPtr with uses of RefPtr&& and WTF::move() in code
        related to Web Inspector. It also converts many uses of RefPtr to Ref where
        references are always non-null. These two refactorings have been combined since
        they tend to require similar changes to the code.

        Creation methods for subclasses of InspectorValue now return a Ref, and callsites
        have been updated to take a Ref instead of RefPtr.

        Builders for typed protocol objects now return a Ref. Since there is no implicit
        call to operator&, callsites now must explicitly call .release() to convert a
        builder object into the corresponding protocol object once required fields are set.
        Update callsites and use auto to eliminate repetition of longwinded protocol types.

        Tests for inspector protocol and replay inputs have been rebaselined.

        * bindings/ScriptValue.cpp:
        (Deprecated::jsToInspectorValue):
        (Deprecated::ScriptValue::toInspectorValue):
        * bindings/ScriptValue.h:
        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::addToFrontend):
        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::buildObjectForSearchMatch):
        (Inspector::ContentSearchUtilities::searchInTextByLines):
        * inspector/ContentSearchUtilities.h:
        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::getFunctionDetails):
        (Inspector::InjectedScript::getProperties):
        (Inspector::InjectedScript::getInternalProperties):
        (Inspector::InjectedScript::wrapCallFrames):
        (Inspector::InjectedScript::wrapObject):
        (Inspector::InjectedScript::wrapTable):
        * inspector/InjectedScript.h:
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::makeEvalCall): Split the early exits.
        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::InspectorBackendDispatcher::CallbackBase::CallbackBase):
        (Inspector::InspectorBackendDispatcher::CallbackBase::sendIfActive):
        (Inspector::InspectorBackendDispatcher::create):
        (Inspector::InspectorBackendDispatcher::dispatch):
        (Inspector::InspectorBackendDispatcher::sendResponse):
        (Inspector::InspectorBackendDispatcher::reportProtocolError):
        (Inspector::getPropertyValue): Add a comment to clarify what this clever code does.
        (Inspector::InspectorBackendDispatcher::getInteger):
        (Inspector::InspectorBackendDispatcher::getDouble):
        (Inspector::InspectorBackendDispatcher::getString):
        (Inspector::InspectorBackendDispatcher::getBoolean):
        (Inspector::InspectorBackendDispatcher::getObject):
        (Inspector::InspectorBackendDispatcher::getArray):
        (Inspector::InspectorBackendDispatcher::getValue):
        * inspector/InspectorBackendDispatcher.h: Use a typed protocol object to collect
        protocol error strings.
        (Inspector::InspectorSupplementalBackendDispatcher::InspectorSupplementalBackendDispatcher):
        Convert the supplemental dispatcher's reference to Ref since it is never null.
        * inspector/InspectorEnvironment.h:
        * inspector/InspectorProtocolTypes.h: Get rid of ArrayItemHelper and
        StructItemTraits. Add more versions of addItem to handle pushing various types.
        (Inspector::Protocol::Array::openAccessors):
        (Inspector::Protocol::Array::addItem):
        (Inspector::Protocol::Array::create):
        (Inspector::Protocol::StructItemTraits::push):
        (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast): Assert argument.
        (Inspector::Protocol::StructItemTraits::pushRefPtr): Deleted.
        (Inspector::Protocol::ArrayItemHelper<String>::Traits::pushRaw): Deleted.
        (Inspector::Protocol::ArrayItemHelper<int>::Traits::pushRaw): Deleted.
        (Inspector::Protocol::ArrayItemHelper<double>::Traits::pushRaw): Deleted.
        (Inspector::Protocol::ArrayItemHelper<bool>::Traits::pushRaw): Deleted.
        (Inspector::Protocol::ArrayItemHelper<InspectorValue>::Traits::pushRefPtr): Deleted.
        (Inspector::Protocol::ArrayItemHelper<InspectorObject>::Traits::pushRefPtr): Deleted.
        (Inspector::Protocol::ArrayItemHelper<InspectorArray>::Traits::pushRefPtr): Deleted.
        (Inspector::Protocol::ArrayItemHelper<Protocol::Array<T>>::Traits::pushRefPtr): Deleted.
        * inspector/InspectorValues.cpp: Straighten out getArray and getObject to have
        the same call signature as other getters. Use Ref where possible.
        (Inspector::InspectorObjectBase::getBoolean):
        (Inspector::InspectorObjectBase::getString):
        (Inspector::InspectorObjectBase::getObject):
        (Inspector::InspectorObjectBase::getArray):
        (Inspector::InspectorObjectBase::getValue):
        (Inspector::InspectorObjectBase::writeJSON):
        (Inspector::InspectorArrayBase::get):
        (Inspector::InspectorObject::create):
        (Inspector::InspectorArray::create):
        (Inspector::InspectorValue::null):
        (Inspector::InspectorString::create):
        (Inspector::InspectorBasicValue::create):
        (Inspector::InspectorObjectBase::get): Deleted.
        * inspector/InspectorValues.h:
        (Inspector::InspectorObjectBase::setValue):
        (Inspector::InspectorObjectBase::setObject):
        (Inspector::InspectorObjectBase::setArray):
        (Inspector::InspectorArrayBase::pushValue):
        (Inspector::InspectorArrayBase::pushObject):
        (Inspector::InspectorArrayBase::pushArray):
        * inspector/JSGlobalObjectConsoleClient.cpp:
        (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
        (Inspector::JSGlobalObjectConsoleClient::count):
        (Inspector::JSGlobalObjectConsoleClient::timeEnd):
        (Inspector::JSGlobalObjectConsoleClient::timeStamp):
        * inspector/JSGlobalObjectConsoleClient.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::executionStopwatch):
        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/ScriptCallFrame.cpp:
        (Inspector::ScriptCallFrame::buildInspectorObject):
        * inspector/ScriptCallFrame.h:
        * inspector/ScriptCallStack.cpp:
        (Inspector::ScriptCallStack::create):
        (Inspector::ScriptCallStack::buildInspectorArray):
        * inspector/ScriptCallStack.h:
        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::enable):
        (Inspector::InspectorAgent::inspect):
        (Inspector::InspectorAgent::activateExtraDomain):
        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
        (Inspector::buildObjectForBreakpointCookie):
        (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
        (Inspector::InspectorDebuggerAgent::setBreakpoint):
        (Inspector::InspectorDebuggerAgent::continueToLocation):
        (Inspector::InspectorDebuggerAgent::resolveBreakpoint):
        (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
        (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP):
        (Inspector::InspectorDebuggerAgent::currentCallFrames):
        (Inspector::InspectorDebuggerAgent::didParseSource):
        (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
        (Inspector::InspectorDebuggerAgent::breakProgram):
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::buildErrorRangeObject):
        (Inspector::InspectorRuntimeAgent::callFunctionOn):
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        (Inspector::InspectorRuntimeAgent::getBasicBlocks):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/scripts/codegen/cpp_generator.py:
        (CppGenerator.cpp_type_for_unchecked_formal_in_parameter):
        (CppGenerator.cpp_type_for_type_with_name):
        (CppGenerator.cpp_type_for_formal_async_parameter):
        (CppGenerator.should_use_references_for_type):
        (CppGenerator):
        * inspector/scripts/codegen/cpp_generator_templates.py:
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
        (CppBackendDispatcherHeaderGenerator.generate_output):
        (CppBackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
        (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
        (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
        (CppFrontendDispatcherHeaderGenerator.generate_output):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
        (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        (CppProtocolTypesHeaderGenerator.generate_output):
        (_generate_class_for_object_declaration):
        (_generate_unchecked_setter_for_member):
        (_generate_forward_declarations_for_binding_traits):
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
        (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
        * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
        (ObjCFrontendDispatcherImplementationGenerator._generate_event):
        (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
        * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
        (ObjCProtocolTypesImplementationGenerator.generate_output):
        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/enum-values.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
        * replay/EncodedValue.cpp:
        (JSC::EncodedValue::asObject):
        (JSC::EncodedValue::asArray):
        (JSC::EncodedValue::put<EncodedValue>):
        (JSC::EncodedValue::append<EncodedValue>):
        (JSC::EncodedValue::get<EncodedValue>):
        * replay/EncodedValue.h:
        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Type.borrow_type):
        (Type.argument_type):
        (Generator.generate_member_move_expression):
        * runtime/ConsoleClient.cpp:
        (JSC::ConsoleClient::printConsoleMessageWithArguments):
        (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
        (JSC::ConsoleClient::logWithLevel):
        (JSC::ConsoleClient::clear):
        (JSC::ConsoleClient::dir):
        (JSC::ConsoleClient::dirXML):
        (JSC::ConsoleClient::table):
        (JSC::ConsoleClient::trace):
        (JSC::ConsoleClient::assertCondition):
        (JSC::ConsoleClient::group):
        (JSC::ConsoleClient::groupCollapsed):
        (JSC::ConsoleClient::groupEnd):
        * runtime/ConsoleClient.h:
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::allStructureRepresentations):
        (JSC::TypeSet::inspectorTypeSet):
        (JSC::StructureShape::inspectorRepresentation):
        * runtime/TypeSet.h:

2015-01-06  Chris Dumez  <cdumez@apple.com>

        Drop ResourceResponseBase::connectionID and connectionReused members
        https://bugs.webkit.org/show_bug.cgi?id=140158

        Reviewed by Sam Weinig.

        Drop ResourceResponseBase::connectionID and connectionReused members.
        Those were needed by the Chromium port but are no longer used.

        * inspector/protocol/Network.json:

2015-01-06  Mark Lam  <mark.lam@apple.com>

        Add the lexicalEnvironment as an operand to op_create_arguments.
        <https://webkit.org/b/140148>

        Reviewed by Geoffrey Garen.

        This patch only adds the operand to the bytecode.  It is not in use yet.

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::createArgumentsIfNecessary):
        - Adds the lexicalEnvironment register (if present) as an operand to
          op_create_arguments.  Else, adds a constant empty JSValue.
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2015-01-06  Alexey Proskuryakov  <ap@apple.com>

        ADDRESS_SANITIZER macro is overloaded
        https://bugs.webkit.org/show_bug.cgi?id=140130

        Reviewed by Anders Carlsson.

        * interpreter/JSStack.cpp: (JSC::JSStack::sanitizeStack): Use the new macro.
        This code is nearly unused (only compiled in when JIT is disabled at build time),
        however I've been told that it's best to keep it.

2015-01-06  Mark Lam  <mark.lam@apple.com>

        Fix Use details for op_create_arguments.
        <https://webkit.org/b/140110>

        Rubber stamped by Filip Pizlo.

        The previous patch was wrong about op_create_arguments not using its 1st operand.
        It does read from it (hence, used) to check if the Arguments object has already
        been created or not.  This patch reverts the change for op_create_arguments.

        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):

2015-01-06  Mark Lam  <mark.lam@apple.com>

        Fix Use details for op_create_lexical_environment and op_create_arguments.
        <https://webkit.org/b/140110>

        Reviewed by Filip Pizlo.

        The current "Use" details for op_create_lexical_environment and
        op_create_arguments are wrong.  op_create_argument uses nothing instead of the
        1st operand (the output local).  op_create_lexical_environment uses its 2nd
        operand (the scope chain) instead of the 1st (the output local).
        This patch fixes them to specify the proper uses.

        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):

2015-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        Implement ES6 String.prototype.repeat(count)
        https://bugs.webkit.org/show_bug.cgi?id=140047

        Reviewed by Darin Adler.

        Introducing ES6 String.prototype.repeat(count) function.

        * runtime/JSString.h:
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        (JSC::repeatSmallString):
        (JSC::stringProtoFuncRepeat):

2015-01-03  Michael Saboff  <msaboff@apple.com>

        Crash in operationNewFunction when scrolling on Google+
        https://bugs.webkit.org/show_bug.cgi?id=140033

        Reviewed by Oliver Hunt.

        In DFG code, the scope register can be eliminated because all uses have been
        dead code eliminated.  In the case where one of the uses was creating a function
        that is never used, the baseline code will still create the function.  If we OSR
        exit to a path where that function gets created, check the scope register value
        and set the new, but dead, function to undefined instead of creating a new function.

        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_func_exp):

2015-01-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        String includes methods perform toString on searchString before toInt32 on a offset
        https://bugs.webkit.org/show_bug.cgi?id=140031

        Reviewed by Darin Adler.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncStartsWith):
        (JSC::stringProtoFuncEndsWith):
        (JSC::stringProtoFuncIncludes):

2015-01-01  Gyuyoung Kim  <gyuyoung.kim@samsung.com>

        Change to return std::unique_ptr<> in fooCreate()
        https://bugs.webkit.org/show_bug.cgi?id=139983

        Reviewed by Darin Adler.

        To avoid unnecessary std::unique_ptr<> casting, fooCreate() returns std::unique_ptr<> directly.

        * create_regex_tables:
        * yarr/YarrPattern.h:
        (JSC::Yarr::YarrPattern::reset):
        (JSC::Yarr::YarrPattern::newlineCharacterClass):
        (JSC::Yarr::YarrPattern::digitsCharacterClass):
        (JSC::Yarr::YarrPattern::spacesCharacterClass):
        (JSC::Yarr::YarrPattern::wordcharCharacterClass):
        (JSC::Yarr::YarrPattern::nondigitsCharacterClass):
        (JSC::Yarr::YarrPattern::nonspacesCharacterClass):
        (JSC::Yarr::YarrPattern::nonwordcharCharacterClass):

2015-01-01  Jeff Miller  <jeffm@apple.com>

        Update user-visible copyright strings to include 2015
        https://bugs.webkit.org/show_bug.cgi?id=139880

        Reviewed by Darin Adler.

        * Info.plist:

2015-01-01  Darin Adler  <darin@apple.com>

        We often misspell identifier as "identifer"
        https://bugs.webkit.org/show_bug.cgi?id=140025

        Reviewed by Michael Saboff.

        * runtime/ArrayConventions.h: Fix it.

2014-12-29  Gyuyoung Kim  <gyuyoung.kim@samsung.com>

        Move JavaScriptCore/yarr to std::unique_ptr
        https://bugs.webkit.org/show_bug.cgi?id=139621

        Reviewed by Anders Carlsson.

        Final clean up OwnPtr|PassOwnPtr in JavaScriptCore/yarr.

        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::ByteCompiler::atomParenthesesSubpatternEnd):
        * yarr/YarrInterpreter.h:
        (JSC::Yarr::BytecodePattern::BytecodePattern):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
        (JSC::Yarr::YarrGenerator::opCompileParentheticalAssertion):
        (JSC::Yarr::YarrGenerator::opCompileBody):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::CharacterClassConstructor::charClass):
        (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor):
        (JSC::Yarr::YarrPatternConstructor::reset):
        (JSC::Yarr::YarrPatternConstructor::atomPatternCharacter):
        (JSC::Yarr::YarrPatternConstructor::atomCharacterClassEnd):
        (JSC::Yarr::YarrPatternConstructor::atomParenthesesSubpatternBegin):
        (JSC::Yarr::YarrPatternConstructor::atomParentheticalAssertionBegin):
        (JSC::Yarr::YarrPatternConstructor::copyDisjunction):
        (JSC::Yarr::YarrPatternConstructor::checkForTerminalParentheses):
        (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
        * yarr/YarrPattern.h:
        (JSC::Yarr::PatternDisjunction::addNewAlternative):
        (JSC::Yarr::YarrPattern::newlineCharacterClass):
        (JSC::Yarr::YarrPattern::digitsCharacterClass):
        (JSC::Yarr::YarrPattern::spacesCharacterClass):
        (JSC::Yarr::YarrPattern::wordcharCharacterClass):
        (JSC::Yarr::YarrPattern::nondigitsCharacterClass):
        (JSC::Yarr::YarrPattern::nonspacesCharacterClass):
        (JSC::Yarr::YarrPattern::nonwordcharCharacterClass):

2014-12-26  Dan Bernstein  <mitz@apple.com>

        <rdar://problem/19348208> REGRESSION (r177027): iOS builds use the wrong toolchain
        https://bugs.webkit.org/show_bug.cgi?id=139950

        Reviewed by David Kilzer.

        * Configurations/Base.xcconfig: Only define TOOLCHAINS when building for OS X, doing so
        in a manner that works with Xcode 5.1.1.

2014-12-22  Mark Lam  <mark.lam@apple.com>

        Use ctiPatchCallByReturnAddress() in JITOperations.cpp.
        <https://webkit.org/b/139892>

        Reviewed by Michael Saboff.

        The code in JITOperations.cpp sometimes calls RepatchBuffer::relinkCallerToFunction()
        directly, and sometimes uses a helper function, ctiPatchCallByReturnAddress().
        This patch changes it to use the helper function consistently.

        * jit/JITOperations.cpp:

2014-12-22  Mark Lam  <mark.lam@apple.com>

        Fix some typos in a comment.
        <https://webkit.org/b/139882>

        Reviewed by Michael Saboff.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_val):

2014-12-22  Mark Lam  <mark.lam@apple.com>

        Assert that Array elements not copied when changing shape to ArrayStorage type are indeed holes.
        <https://webkit.org/b/138118>

        Reviewed by Michael Saboff.

        * runtime/JSObject.cpp:
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):

2014-12-20  Eric Carlson  <eric.carlson@apple.com>

        [iOS] add optimized fullscreen API
        https://bugs.webkit.org/show_bug.cgi?id=139833
        <rdar://problem/18844486>

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig: Add ENABLE_VIDEO_PRESENTATION_MODE.

2014-12-20  David Kilzer  <ddkilzer@apple.com>

        Switch from using PLATFORM_NAME to SDK selectors in WebCore, WebInspectorUI, WebKit, WebKit2
        <http://webkit.org/b/139463>

        Reviewed by Mark Rowe.

        * Configurations/JavaScriptCore.xcconfig:
        - Simplify SECTORDER_FLAGS.

2014-12-19  Andreas Kling  <akling@apple.com>

        Plug leak below LLVMCopyStringRepOfTargetData().
        <https://webkit.org/b/139832>

        Reviewed by Michael Saboff.

        LLVMCopyStringRepOfTargetData() returns a strdup()'ed string, so make sure
        to free() it after we're done using it.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):

2014-12-19  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: CRASH inspector-protocol/debugger/breakpoint-action-detach.html
        https://bugs.webkit.org/show_bug.cgi?id=139797

        Reviewed by Mark Lam.

        * debugger/Debugger.h:
        * debugger/Debugger.cpp:
        (JSC::Debugger::isAttached):
        Check if we are the debugger for a particular global object.
        (JSC::Debugger::pauseIfNeeded):
        Pass the global object on when hitting a brekapoint.

        * inspector/ScriptDebugServer.h:
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::handleBreakpointHit):
        Stop evaluting breakpoint actions if a previous action caused the
        debugger to detach from this global object.
        (Inspector::ScriptDebugServer::handlePause):
        Standardize on passing JSGlobalObject parameter first.

2014-12-19  Mark Lam  <mark.lam@apple.com>

        [Win] Endless compiler warnings created by DFGEdge.h.
        <https://webkit.org/b/139801>

        Reviewed by Brent Fulgham.

        Add a cast to fix the type just the way the 64-bit version does.

        * dfg/DFGEdge.h:
        (JSC::DFG::Edge::makeWord):

2014-12-19  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r177574.
        https://bugs.webkit.org/show_bug.cgi?id=139821

        "Broke Production builds by installing
        libWebCoreTestSupport.dylib in the wrong directory" (Requested
        by ddkilzer on #webkit).

        Reverted changeset:

        "Switch from using PLATFORM_NAME to SDK selectors in WebCore,
        WebInspectorUI, WebKit, WebKit2"
        https://bugs.webkit.org/show_bug.cgi?id=139463
        http://trac.webkit.org/changeset/177574

2014-12-19  Michael Saboff  <msaboff@apple.com>

        REGRESSION(174226): Captured arguments in a using function compiled by the DFG have the initial value when the closure was invoked
        https://bugs.webkit.org/show_bug.cgi?id=139808

        Reviewed by Oliver Hunt.

        There are three changes here.
        1) Create a VariableWatchpointSet for captured arguments variables.
        2) Properly use the VariableWatchpointSet* found in op_put_to_scope in the 64 bit LLInt code.
        3) Add the same putLocalClosureVar path to the 32 bit LLInt code that exists in the 64 bit version.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2014-12-19  David Kilzer  <ddkilzer@apple.com>

        Switch from using PLATFORM_NAME to SDK selectors in WebCore, WebInspectorUI, WebKit, WebKit2
        <http://webkit.org/b/139463>

        Reviewed by Mark Rowe.

        * Configurations/JavaScriptCore.xcconfig:
        - Simplify SECTORDER_FLAGS.

2014-12-18  Brent Fulgham  <bfulgham@apple.com>

        Unreviewed build fix.

        * jsc.cpp: Remove typo.

2014-12-17  Michael Saboff  <msaboff@apple.com>

        Tests with infinite recursion frequently crash
        https://bugs.webkit.org/show_bug.cgi?id=139548

        Reviewed by Geoffrey Garen.

        While unwinding, if the call frame doesn't have a codeblock, then we
        are in native code, handle appropriately.

        * interpreter/Interpreter.cpp:
        (JSC::unwindCallFrame):
        (JSC::UnwindFunctor::operator()):
        Added checks for null CodeBlock.

        (JSC::Interpreter::unwind): Removed wrong ASSERT.

2014-12-17  Chris Dumez  <cdumez@apple.com>

        [iOS] Make it possible to toggle FeatureCounter support at runtime
        https://bugs.webkit.org/show_bug.cgi?id=139688
        <rdar://problem/19266254>

        Reviewed by Andreas Kling.

        Stop linking against AppSupport framework as the functionality is no
        longer in WTF (it was moved to WebCore).

        * Configurations/JavaScriptCore.xcconfig:

2014-12-17  Brent Fulgham  <bfulgham@apple.com>

        [Win] Correct DebugSuffix builds under MSBuild
        https://bugs.webkit.org/show_bug.cgi?id=139733
        <rdar://problem/19276880>

        Reviewed by Simon Fraser.

        * JavaScriptCore.vcxproj/JavaScriptCore.proj: Make sure to use the
        '_debug' suffix when building the DebugSuffix target.

2014-12-16  Enrica Casucci  <enrica@apple.com>

        Fix iOS builders for 8.0
        https://bugs.webkit.org/show_bug.cgi?id=139495

        Reviewed by Michael Saboff.

        * Configurations/LLVMForJSC.xcconfig:
        * llvm/library/LLVMExports.cpp:
        (initializeAndGetJSCLLVMAPI):

2014-12-16  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r177380.
        https://bugs.webkit.org/show_bug.cgi?id=139707

        "Breaks js/regres/elidable-new-object-* tests" (Requested by
        msaboff_ on #webkit).

        Reverted changeset:

        "Fixes operationPutByIdOptimizes such that they check that the
        put didn't"
        https://bugs.webkit.org/show_bug.cgi?id=139500
        http://trac.webkit.org/changeset/177380

2014-12-16  Matthew Mirman  <mmirman@apple.com>

        Fixes operationPutByIdOptimizes such that they check that the put didn't
        change the structure of the object who's property access is being
        cached.
        https://bugs.webkit.org/show_bug.cgi?id=139500

        Reviewed by Geoffrey Garen.

        * jit/JITOperations.cpp:
        (JSC::operationPutByIdStrictOptimize): saved the structure before the put.
        (JSC::operationPutByIdNonStrictOptimize): ditto.
        (JSC::operationPutByIdDirectStrictOptimize): ditto.
        (JSC::operationPutByIdDirectNonStrictOptimize): ditto.
        * jit/Repatch.cpp:
        (JSC::tryCachePutByID): Added argument for the old structure
        (JSC::repatchPutByID): Added argument for the old structure
        * jit/Repatch.h:
        * tests/stress/put-by-id-build-list-order-recurse.js: 
        Added test that fails without this patch.

2014-12-15  Chris Dumez  <cdumez@apple.com>

        [iOS] Add feature counting support
        https://bugs.webkit.org/show_bug.cgi?id=139652
        <rdar://problem/19255690>

        Reviewed by Gavin Barraclough.

        Link against AppSupport framework on iOS as we need it to implement
        the new FeatureCounter API in WTF.

        * Configurations/JavaScriptCore.xcconfig:

2014-12-15  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r177284.
        https://bugs.webkit.org/show_bug.cgi?id=139658

        "Breaks API tests and LayoutTests on Yosemite Debug"
        (Requested by msaboff on #webkit).

        Reverted changeset:

        "Make sure range based iteration of Vector<> still receives
        bounds checking"
        https://bugs.webkit.org/show_bug.cgi?id=138821
        http://trac.webkit.org/changeset/177284

2014-12-15  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        [EFL] FTL JIT not working on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=139295

        Reviewed by Michael Saboff.

        Added the missing code for stack unwinding and some additional small fixes
        to get FTL working correctly.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLUnwindInfo.cpp:
        (JSC::FTL::UnwindInfo::parse):

2014-12-15  Oliver Hunt  <oliver@apple.com>

        Make sure range based iteration of Vector<> still receives bounds checking
        https://bugs.webkit.org/show_bug.cgi?id=138821

        Reviewed by Mark Lam.

        Update code to deal with slightly changed iterator semantics.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::visitChildren):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitComplexPopScopes):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
        * ftl/FTLAbbreviations.h:
        (JSC::FTL::mdNode):
        (JSC::FTL::buildCall):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * parser/Parser.h:
        (JSC::Scope::Scope):
        * runtime/JSArray.cpp:
        (JSC::JSArray::setLengthWithArrayStorage):
        (JSC::JSArray::sortCompactedVector):
        * tools/ProfileTreeNode.h:
        (JSC::ProfileTreeNode::dumpInternal):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::matchCharacterClass):

2014-12-14  Filip Pizlo  <fpizlo@apple.com>

        PutLocalSinkingPhase has an invalid assertion about incoming values, because both liveness and deferral analyses are conservative
        https://bugs.webkit.org/show_bug.cgi?id=139630

        Reviewed by Oliver Hunt.
        
        Replaces a faulty assertion with code to handle an awesome special case. Also adds a lot of
        comments that reconstruct my reasoning about this code. I had to work hard to remember how
        deferral worked so I wrote my discoveries down.

        * dfg/DFGInsertionSet.h:
        (JSC::DFG::InsertionSet::insertBottomConstantForUse):
        * dfg/DFGPutLocalSinkingPhase.cpp:
        * tests/stress/put-local-conservative.js: Added.
        (foo):
        (.result):
        (bar):

2014-12-14  Andreas Kling  <akling@apple.com>

        Replace PassRef with Ref/Ref&& across the board.
        <https://webkit.org/b/139587>

        Reviewed by Darin Adler.

        * runtime/Identifier.cpp:
        (JSC::Identifier::add):
        (JSC::Identifier::add8):
        * runtime/Identifier.h:
        (JSC::Identifier::add):
        * runtime/IdentifierInlines.h:
        (JSC::Identifier::add):

2014-12-12  Matthew Mirman  <mmirman@apple.com>

        shiftCountWithArrayStorage should exit to slow path if the object has a sparse map.
        https://bugs.webkit.org/show_bug.cgi?id=139598
        <rdar://problem/18779367>

        Reviewed by Filip Pizlo.

        * runtime/JSArray.cpp:
        (JSC::JSArray::shiftCountWithArrayStorage): Added check for object having a sparse map.
        * tests/stress/sparse_splice.js: Added.

2014-12-12  Gyuyoung Kim  <gyuyoung.kim@samsung.com>

        Final clean up OwnPtr in JSC - runtime, ftl, and tool directories
        https://bugs.webkit.org/show_bug.cgi?id=139532

        Reviewed by Mark Lam.

        Final remove OwnPtr, PassOwnPtr in runtime, ftl, and tools directories of JSC.

        * builtins/BuiltinExecutables.h:
        * bytecode/CodeBlock.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        * ftl/FTLAbstractHeap.cpp:
        (JSC::FTL::IndexedAbstractHeap::atSlow):
        * ftl/FTLAbstractHeap.h:
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLJITFinalizer.h:
        * jsc.cpp:
        (jscmain):
        * parser/Lexer.h:
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::clearDeletedOffsets):
        (JSC::PropertyTable::addDeletedOffset):
        * runtime/PropertyTable.cpp:
        (JSC::PropertyTable::PropertyTable):
        * runtime/RegExpObject.cpp:
        * runtime/SmallStrings.cpp:
        * runtime/Structure.cpp:
        * runtime/StructureIDTable.cpp:
        (JSC::StructureIDTable::StructureIDTable):
        (JSC::StructureIDTable::resize):
        * runtime/StructureIDTable.h:
        * runtime/StructureTransitionTable.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        * runtime/VM.h:
        * tools/CodeProfile.h:
        (JSC::CodeProfile::CodeProfile):
        (JSC::CodeProfile::addChild):

2014-12-11  Dan Bernstein  <mitz@apple.com>

        iOS Simulator production build fix.

        * Configurations/JavaScriptCore.xcconfig: Don’t use an order file when building for the iOS
        Simulator, as we did prior to 177027.

2014-12-11  Joseph Pecoraro  <pecoraro@apple.com>

        Explicitly export somre more RWIProtocol classes.
        rdar://problem/19220408

        Unreviewed build fix.

        * inspector/scripts/codegen/generate_objc_configuration_header.py:
        (ObjCConfigurationHeaderGenerator._generate_configuration_interface_for_domains):
        * inspector/scripts/codegen/generate_objc_header.py:
        (ObjCHeaderGenerator._generate_event_interfaces):
        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/enum-values.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:

2014-12-11  Alexey Proskuryakov  <ap@apple.com>

        Explicitly export some RWIProtocol classes
        rdar://problem/19220408

        * inspector/scripts/codegen/generate_objc_header.py:
        (ObjCHeaderGenerator._generate_type_interface):
        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:

2014-12-11  Mark Lam  <mark.lam@apple.com>

        Fix broken build after r177146.
        https://bugs.webkit.org/show_bug.cgi?id=139533 

        Not reviewed.

        * interpreter/CallFrame.h:
        (JSC::ExecState::init):
        - Restored CallFrame::init() minus the unused JSScope* arg.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        - Remove JSScope* arg when calling CallFrame::init().

2014-12-11  Michael Saboff  <msaboff@apple.com>

        REGRESSION: Use of undefined CallFrame::ScopeChain value
        https://bugs.webkit.org/show_bug.cgi?id=139533

        Reviewed by Mark Lam.

        Removed CallFrame::scope() and CallFrame::setScope() and eliminated or changed
        all usages of these funcitons.  In some cases the scope is passed in or determined
        another way.  In some cases the scope is used to calculate other values.  Lastly
        were places where these functions where used that are no longer needed.  For
        example when making a call, the caller's ScopeChain was copied to the callee's
        ScopeChain.  This change no longer uses the ScopeChain call frame header slot.
        That slot will be removed in a future patch.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * runtime/JSLexicalEnvironment.h:
        (JSC::JSLexicalEnvironment::create):
        (JSC::JSLexicalEnvironment::JSLexicalEnvironment):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_create_lexical_environment):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_create_lexical_environment):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::handleHostCall):
        (JSC::LLInt::setUpCall):
        (JSC::LLInt::llint_throw_stack_overflow_error):
        Pass the current scope value to the helper operationCreateActivation() and
        the call to JSLexicalEnvironment::create() instead of using the stack frame
        scope chain value.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        CreateActivation now has a second child, the scope.

        * interpreter/CallFrame.h:
        (JSC::ExecState::init): Deleted.  This is dead code.
        (JSC::ExecState::scope): Deleted.
        (JSC::ExecState::setScope): Deleted.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::dumpRegisters): Changed so we didn't access the scope
        chain slot.  
        
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        Changed process to find JSScope values on the stack or by some other means.

        * runtime/JSWithScope.h:
        (JSC::JSWithScope::JSWithScope): Deleted.
        Eliminated unused constructor.

        * runtime/StrictEvalActivation.cpp:
        (JSC::StrictEvalActivation::StrictEvalActivation):
        * runtime/StrictEvalActivation.h:
        (JSC::StrictEvalActivation::create):
        Changed to pass in the current scope.

2014-12-10  Gyuyoung Kim  <gyuyoung.kim@samsung.com>

        Use std::unique_ptr instead of OwnPtr in JSC - heap, jit, runtime, and parser directories
        https://bugs.webkit.org/show_bug.cgi?id=139351

        Reviewed by Filip Pizlo.

        As a step to use std::unique_ptr<>, this cleans up OwnPtr and PassOwnPtr.

        * bytecode/SamplingTool.h:
        (JSC::SamplingTool::SamplingTool):
        * heap/CopiedBlock.h:
        (JSC::CopiedBlock::didSurviveGC):
        (JSC::CopiedBlock::pin):
        * heap/CopiedBlockInlines.h:
        (JSC::CopiedBlock::reportLiveBytes):
        * heap/GCActivityCallback.h:
        * heap/GCThread.cpp:
        * heap/Heap.h:
        * heap/HeapInlines.h:
        (JSC::Heap::markListSet):
        * jit/ExecutableAllocator.cpp:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * jit/JITThunks.cpp:
        (JSC::JITThunks::JITThunks):
        (JSC::JITThunks::clearHostFunctionStubs):
        * jit/JITThunks.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        * parser/Parser.h:
        (JSC::Scope::Scope):
        (JSC::Scope::pushLabel):
        * parser/ParserArena.cpp:
        * parser/ParserArena.h:
        (JSC::ParserArena::identifierArena):
        * parser/SourceProviderCache.h:
        * runtime/CodeCache.h:
        * runtime/Executable.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::sortVector):
        * runtime/JSGlobalObject.h:

2014-12-10  Geoffrey Garen  <ggaren@apple.com>

        Please disable the webkitFirstVersionWithInitConstructorSupport check on Apple TV
        https://bugs.webkit.org/show_bug.cgi?id=139501

        Reviewed by Gavin Barraclough.

        NSVersionOfLinkTimeLibrary only works if you link directly against
        JavaScriptCore, which is a bit awkward for our Apple TV client to do.

        It's easy enough just to disable this check on Apple TV, since it has no
        backwards compatibility requirement.

        * API/JSWrapperMap.mm:
        (supportsInitMethodConstructors):

2014-12-10  Matthew Mirman  <mmirman@apple.com>

        Fixes operationPutByIds such that they check that the put didn't
        change the structure of the object who's property access is being
        cached.
        https://bugs.webkit.org/show_bug.cgi?id=139196

        Reviewed by Filip Pizlo.

        * jit/JITOperations.cpp:
        (JSC::operationGetByIdOptimize): changed get to getPropertySlot
        (JSC::operationPutByIdStrictBuildList): saved the structure before the put.
        (JSC::operationPutByIdNonStrictBuildList): ditto.
        (JSC::operationPutByIdDirectStrictBuildList): ditto.
        (JSC::operationPutByIdDirectNonStrictBuildList): ditto.
        * jit/Repatch.cpp:
        (JSC::tryCachePutByID): fixed structure() to use the existant vm. 
        (JSC::tryBuildPutByIdList): Added a check that the old structure's id 
        is the same as the new.
        (JSC::buildPutByIdList): Added an argument
        * jit/Repatch.h: 
        (JSC::buildPutByIdList): Added an argument
        * tests/stress/put-by-id-strict-build-list-order.js: Added.

2014-12-10  Csaba Osztrogonác  <ossy@webkit.org>

        URTBF after r177030.

        Fix linking failure occured on ARM buildbots:
        lib/libjavascriptcore_efl.so.1.11.0: undefined reference to `JSC::Structure::get(JSC::VM&, JSC::PropertyName, unsigned int&)'

        * runtime/NullGetterFunction.cpp:

2014-12-09  Michael Saboff  <msaboff@apple.com>

        DFG Tries using an inner object's getter/setter when one hasn't been defined
        https://bugs.webkit.org/show_bug.cgi?id=139229

        Reviewed by Filip Pizlo.

        Added a new NullGetterFunction singleton class to use for getters and setters that
        haven't been set to a user defined value.  The NullGetterFunction callReturnUndefined()
        and createReturnUndefined() methods return undefined.  Changed all null checks of the
        getter and setter pointers to the newly added isGetterNull() and isSetterNull()
        helper methods.  

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        Added NullGetterFunction.cpp & .h to build files.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):
        * runtime/PropertyDescriptor.cpp:
        (JSC::PropertyDescriptor::setDescriptor):
        (JSC::PropertyDescriptor::setAccessorDescriptor):
        Changed checking getter and setter to null to use new isGetterNull() and isSetterNull()
        helpers.

        * inspector/JSInjectedScriptHostPrototype.cpp:
        (Inspector::JSInjectedScriptHostPrototype::finishCreation):
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putIndexedDescriptor):
        (JSC::putDescriptor):
        (JSC::JSObject::defineOwnNonIndexProperty):
        * runtime/MapPrototype.cpp:
        (JSC::MapPrototype::finishCreation):
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):
        Updated calls to GetterSetter::create(), setGetter(), setSetter(), withGetter()
        and withSetter() to provide a global object.

        * runtime/GetterSetter.cpp:
        (JSC::GetterSetter::withGetter):
        (JSC::GetterSetter::withSetter):
        (JSC::callGetter):
        (JSC::callSetter):
        * runtime/GetterSetter.h:
        (JSC::GetterSetter::GetterSetter):
        (JSC::GetterSetter::create):
        (JSC::GetterSetter::isGetterNull):
        (JSC::GetterSetter::isSetterNull):
        (JSC::GetterSetter::setGetter):
        (JSC::GetterSetter::setSetter):
        Changed to use NullGetterFunction for unspecified getters / setters.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::createThrowTypeError):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::nullGetterFunction):
        (JSC::JSGlobalObject::evalFunction):
        Added m_nullGetterFunction singleton.  Updated calls to GetterSetter::create(),
        setGetter() and setSetter() to provide a global object.

        * runtime/NullGetterFunction.cpp: Added.
        (JSC::callReturnUndefined):
        (JSC::constructReturnUndefined):
        (JSC::NullGetterFunction::getCallData):
        (JSC::NullGetterFunction::getConstructData):
        * runtime/NullGetterFunction.h: Added.
        (JSC::NullGetterFunction::create):
        (JSC::NullGetterFunction::createStructure):
        (JSC::NullGetterFunction::NullGetterFunction):
        New singleton class that returns undefined when called.

2014-12-09  Geoffrey Garen  <ggaren@apple.com>

        Re-enable function.arguments
        https://bugs.webkit.org/show_bug.cgi?id=139452
        <rdar://problem/18848149>

        Reviewed by Sam Weinig.

        Disabling function.arguments broke a few websites, and we don't have
        time right now to work through the details.

        I'm re-enabling function.arguments but leaving in the infrastructure
        to re-disable it, so we can try this experiment again in the future.

        * runtime/Options.h:

2014-12-09  David Kilzer  <ddkilzer@apple.com>

        Switch from using PLATFORM_NAME to SDK selectors in ANGLE, bmalloc, gtest, JavaScriptCore, WTF
        <http://webkit.org/b/139212>

        Reviewed by Joseph Pecoraro.

        * Configurations/Base.xcconfig:
        - Only set GCC_ENABLE_OBJC_GC, GCC_MODEL_TUNING and TOOLCHAINS
          on OS X.
        - Only set LLVM_LOCAL_HEADER_PATH and LLVM_SYSTEM_HEADER_PATH on
          OS X.
        - Set JAVASCRIPTCORE_CONTENTS_DIR and
          JAVASCRIPTCORE_FRAMEWORKS_DIR separately for iOS and OS X.

        * Configurations/DebugRelease.xcconfig:
        - Only set MACOSX_DEPLOYMENT_TARGET and SDKROOT on OS X.

        * Configurations/JSC.xcconfig:
        - Only set CODE_SIGN_ENTITLEMENTS for iOS hardware builds.

        * Configurations/JavaScriptCore.xcconfig:
        - Set OTHER_LDFLAGS separately for iOS and OS X.
        - Set SECTORDER_FLAGS separately for iOS and OS X, but only for
          Production builds.
        - Only set EXCLUDED_SOURCE_FILE_NAMES for iOS.

        * Configurations/LLVMForJSC.xcconfig:
        - Rename LLVM_LIBS_iphoneos to LLVM_LIBS_ios.
        - Set LLVM_LIBRARY_PATHS and OTHER_LDFLAGS_LLVM_ENABLE_FTL_JIT
          separately for iOS hardware and OS X.
        - Fix curly braces in LIBRARY_SEARCH_PATHS.
        - Merge OTHER_LDFLAGS_BASE into OTHER_LDFLAGS. (Could have been
          done before this patch.)

        * Configurations/ToolExecutable.xcconfig:
        - Only set CODE_SIGN_ENTITLEMENTS for iOS, per target.
        - Only set CLANG_ENABLE_OBJC_ARC for i386 on the iOS Simulator.
        - Add missing newline.

        * Configurations/Version.xcconfig:
        - Set SYSTEM_VERSION_PREFIX separately for iOS and OS X.

2014-12-08  Gyuyoung Kim  <gyuyoung.kim@samsung.com>

        Fix EFL build fix since r177001
        https://bugs.webkit.org/show_bug.cgi?id=139428

        Unreviewed, EFL build fix.

        Do not inherit duplicated class. ExpressionNode is already
        child of ParserArenaFreeable class.

        * parser/Nodes.h:

2014-12-08  Shivakumar JM  <shiva.jm@samsung.com>

        Fix Build Warning in JavaScriptCore ControlFlowProfiler::dumpData() api.
        https://bugs.webkit.org/show_bug.cgi?id=139384

        Reviewed by Mark Lam.

        Fix Build Warning by using dataLog() function instead of dataLogF() function.

        * runtime/ControlFlowProfiler.cpp:
        (JSC::ControlFlowProfiler::dumpData):

2014-12-08  Saam Barati  <saambarati1@gmail.com>

        Web Inspector: Enable runtime API for JSC's control flow profiler
        https://bugs.webkit.org/show_bug.cgi?id=139346

        Reviewed by Joseph Pecoraro.

        This patch creates an API that the Web Inspector can use
        to get information about which basic blocks have exectued
        from JSC's control flow profiler.

        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getBasicBlocks):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/protocol/Runtime.json:

2014-12-08  Geoffrey Garen  <ggaren@apple.com>

        Removed some allocation and cruft from the parser
        https://bugs.webkit.org/show_bug.cgi?id=139416

        Reviewed by Mark Lam.

        Now, the only AST nodes that require a destructor are the ones that
        relate to pickling a function's arguments -- which will required some
        deeper thinking to resolve.

        This is a < 1% parser speedup.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj: Removed NodeInfo because it
        was unused.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::CommaNode::emitBytecode):
        (JSC::SourceElements::lastStatement):
        (JSC::SourceElements::emitBytecode): Updated for interface change to linked list.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::ASTBuilder):
        (JSC::ASTBuilder::varDeclarations):
        (JSC::ASTBuilder::funcDeclarations):
        (JSC::ASTBuilder::createFuncDeclStatement):
        (JSC::ASTBuilder::addVar): Removed the ParserArenaData abstraction because
        it wasn't buying us anything. We can just use Vector directly.

        (JSC::ASTBuilder::createCommaExpr):
        (JSC::ASTBuilder::appendToCommaExpr): Changed to use a linked list instead
        of a vector, to avoid allocating a vector with inline capacity in the
        common case in which an expression is not followed by a vector.

        (JSC::ASTBuilder::Scope::Scope): Use Vector directly to avoid new'ing
        up a Vector*.

        (JSC::ASTBuilder::appendToComma): Deleted.
        (JSC::ASTBuilder::combineCommaNodes): Deleted.

        * parser/Lexer.cpp:

        * parser/NodeConstructors.h:
        (JSC::StatementNode::StatementNode):
        (JSC::CommaNode::CommaNode):
        (JSC::SourceElements::SourceElements): Updated for interface change to linked list.

        * parser/NodeInfo.h: Removed.

        * parser/Nodes.cpp:
        (JSC::SourceElements::append):
        (JSC::SourceElements::singleStatement): Use a linked list instead of a
        vector to track the statements in a list. This removes some allocation
        and it means that we don't need a destructor anymore.

        (JSC::ScopeNode::ScopeNode):
        (JSC::ProgramNode::ProgramNode):
        (JSC::EvalNode::EvalNode):
        (JSC::FunctionNode::FunctionNode): Updated for interface change to reference,
        since these values are never null.

        * parser/Nodes.h:
        (JSC::StatementNode::next):
        (JSC::StatementNode::setNext):
        (JSC::CommaNode::append): Deleted. Updated for interface change to linked list.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::didFinishParsing): Updated for interface change to reference.

        (JSC::Parser<LexerType>::parseVarDeclarationList):
        (JSC::Parser<LexerType>::parseExpression): Track comma expressions as
        an explicit list of CommaNodes, removing a use of vector and a destructor.

        * parser/Parser.h:
        (JSC::Parser<LexerType>::parse):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createCommaExpr):
        (JSC::SyntaxChecker::appendToCommaExpr):
        (JSC::SyntaxChecker::appendToComma): Deleted. Updated for interface changes.

2014-12-08  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r176979.
        https://bugs.webkit.org/show_bug.cgi?id=139424

        "New JSC test in this patch is failing" (Requested by mlam on
        #webkit).

        Reverted changeset:

        "Fixes operationPutByIds such that they check that the put
        didn't"
        https://bugs.webkit.org/show_bug.cgi?id=139196
        http://trac.webkit.org/changeset/176979

2014-12-08  Matthew Mirman  <mmirman@apple.com>

        Fixes operationPutByIds such that they check that the put didn't
        change the structure of the object who's property access is being
        cached.
        https://bugs.webkit.org/show_bug.cgi?id=139196

        Reviewed by Filip Pizlo.

        * jit/JITOperations.cpp:
        (JSC::operationGetByIdOptimize): changed get to getPropertySlot
        (JSC::operationPutByIdStrictBuildList): saved the structure before the put.
        (JSC::operationPutByIdNonStrictBuildList): ditto.
        (JSC::operationPutByIdDirectStrictBuildList): ditto.
        (JSC::operationPutByIdDirectNonStrictBuildList): ditto.
        * jit/Repatch.cpp:
        (JSC::tryCachePutByID): fixed structure() to use the existant vm. 
        (JSC::tryBuildPutByIdList): Added a check that the old structure's id 
        is the same as the new.
        (JSC::buildPutByIdList): Added an argument
        * jit/Repatch.h: 
        (JSC::buildPutByIdList): Added an argument
        * tests/stress/put-by-id-build-list-order-recurse.js: Test that failed before the change
        * tests/stress/put-by-id-strict-build-list-order.js: Added.

 
2014-12-08  Anders Carlsson  <andersca@apple.com>

        Change WTF::currentCPUTime to return std::chrono::microseconds and get rid of currentCPUTimeMS
        https://bugs.webkit.org/show_bug.cgi?id=139410

        Reviewed by Andreas Kling.

        * API/JSContextRef.cpp:
        (JSContextGroupSetExecutionTimeLimit):
        (JSContextGroupClearExecutionTimeLimit):
        * runtime/Watchdog.cpp:
        (JSC::Watchdog::setTimeLimit):
        (JSC::Watchdog::didFire):
        (JSC::Watchdog::startCountdownIfNeeded):
        (JSC::Watchdog::startCountdown):
        * runtime/Watchdog.h:
        * runtime/WatchdogMac.cpp:
        (JSC::Watchdog::startTimer):

2014-12-08  Mark Lam  <mark.lam@apple.com>

        CFA wrongly assumes that a speculation for SlowPutArrayStorageShape disallows ArrayStorageShape arrays.
        <https://webkit.org/b/139327>

        Reviewed by Michael Saboff.

        The code generator and runtime slow paths expects otherwise.  This patch fixes
        CFA to match the code generator's expectation.

        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::arrayModesThatPassFiltering):
        (JSC::DFG::ArrayMode::arrayModesWithIndexingShapes):

2014-12-08  Chris Dumez  <cdumez@apple.com>

        Revert r176293 & r176275

        Unreviewed, revert r176293 & r176275 changing the Vector API to use unsigned type
        instead of size_t. There is some disagreement regarding the long-term direction
        of the API and we shouldn’t leave the API partly transitioned to unsigned type
        while making a decision.

        * bytecode/PreciseJumpTargets.cpp:
        * replay/EncodedValue.h:

2014-12-07  Csaba Osztrogonác  <ossy@webkit.org>

        Remove the unused WTF_USE_GCC_COMPUTED_GOTO_WORKAROUND after r129453.
        https://bugs.webkit.org/show_bug.cgi?id=139373

        Reviewed by Sam Weinig.

        * interpreter/Interpreter.cpp:

2014-12-06  Anders Carlsson  <andersca@apple.com>

        Fix build with newer versions of clang.
        rdar://problem/18978716

        * ftl/FTLJITCode.h:
        Add missing overrides.

2014-12-05  Roger Fong  <roger_fong@apple.com>

        [Win] proj files copying over too many resources..
        https://bugs.webkit.org/show_bug.cgi?id=139315.
        <rdar://problem/19148278>

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCore.proj: Only copy resource folders and JavaScriptCore.dll.

2014-12-05  Juergen Ributzka  <juergen@apple.com>

        [JSC][FTL] Add the data layout to the module and fix the pass order.
        https://bugs.webkit.org/show_bug.cgi?id=138748

        Reviewed by Oliver Hunt.

        This adds the data layout to the module, so it can be used by all
        optimization passes in the LLVM optimizer pipeline. This also allows
        FastISel to select more instructions, because less non-legal types are
        generated.
        
        Also fix the order of the alias analysis passes in the optimization
        pipeline.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):

2014-12-05  Geoffrey Garen  <ggaren@apple.com>

        Removed an unused function.

        Reviewed by Michael Saboff.

        Broken out from https://bugs.webkit.org/show_bug.cgi?id=139305.

        * parser/ParserArena.h:

2014-12-05  David Kilzer  <ddkilzer@apple.com>

        FeatureDefines.xcconfig: Workaround bug in Xcode 5.1.1 when defining ENABLE_WEB_REPLAY
        <http://webkit.org/b/139286>

        Reviewed by Daniel Bates.

        * Configurations/FeatureDefines.xcconfig: Switch back to using
        PLATFORM_NAME to workaround a bug in Xcode 5.1.1 on 10.8.

2014-12-04  Mark Rowe  <mrowe@apple.com>

        Build fix after r176836.

        Reviewed by Mark Lam.

        * runtime/VM.h:
        (JSC::VM::controlFlowProfiler): Don't try to export an inline function.
        Doing so results in a weak external symbol being generated.

2014-12-04  Saam Barati  <saambarati1@gmail.com>

        JavaScript Control Flow Profiler
        https://bugs.webkit.org/show_bug.cgi?id=137785

        Reviewed by Filip Pizlo.

        This patch introduces a mechanism for JavaScriptCore to profile
        which basic blocks have executed. This mechanism will then be
        used by the Web Inspector to indicate which basic blocks
        have and have not executed.
        
        The profiling works by compiling in an op_profile_control_flow
        at the start of every basic block. Then, whenever this op code 
        executes, we know that a particular basic block has executed.
        
        When we tier up a CodeBlock that contains an op_profile_control_flow
        that corresponds to an already executed basic block, we don't
        have to emit code for that particular op_profile_control_flow
        because the internal data structures used to keep track of 
        basic block locations has already recorded that the corresponding
        op_profile_control_flow has executed.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecode/Instruction.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset):
        (JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitProfileControlFlow):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ConditionalNode::emitBytecode):
        (JSC::IfElseNode::emitBytecode):
        (JSC::WhileNode::emitBytecode):
        (JSC::ForNode::emitBytecode):
        (JSC::ContinueNode::emitBytecode):
        (JSC::BreakNode::emitBytecode):
        (JSC::ReturnNode::emitBytecode):
        (JSC::CaseClauseNode::emitBytecode):
        (JSC::SwitchNode::emitBytecode):
        (JSC::ThrowNode::emitBytecode):
        (JSC::TryNode::emitBytecode):
        (JSC::ProgramNode::emitBytecode):
        (JSC::FunctionNode::emitBytecode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::basicBlockLocation):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_profile_control_flow):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_profile_control_flow):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionFindTypeForExpression):
        (functionReturnTypeFor):
        (functionDumpBasicBlockExecutionRanges):
        * llint/LowLevelInterpreter.asm:
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createFunctionExpr):
        (JSC::ASTBuilder::createGetterOrSetterProperty):
        (JSC::ASTBuilder::createFuncDeclStatement):
        (JSC::ASTBuilder::endOffset):
        (JSC::ASTBuilder::setStartOffset):
        * parser/NodeConstructors.h:
        (JSC::Node::Node):
        * parser/Nodes.h:
        (JSC::CaseClauseNode::setStartOffset):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseSwitchClauses):
        (JSC::Parser<LexerType>::parseSwitchDefaultClause):
        (JSC::Parser<LexerType>::parseBlockStatement):
        (JSC::Parser<LexerType>::parseStatement):
        (JSC::Parser<LexerType>::parseFunctionDeclaration):
        (JSC::Parser<LexerType>::parseIfStatement):
        (JSC::Parser<LexerType>::parseExpression):
        (JSC::Parser<LexerType>::parseConditionalExpression):
        (JSC::Parser<LexerType>::parseProperty):
        (JSC::Parser<LexerType>::parseMemberExpression):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createFunctionExpr):
        (JSC::SyntaxChecker::createFuncDeclStatement):
        (JSC::SyntaxChecker::createGetterOrSetterProperty):
        (JSC::SyntaxChecker::operatorStackPop):
        * runtime/BasicBlockLocation.cpp: Added.
        (JSC::BasicBlockLocation::BasicBlockLocation):
        (JSC::BasicBlockLocation::insertGap):
        (JSC::BasicBlockLocation::getExecutedRanges):
        (JSC::BasicBlockLocation::dumpData):
        (JSC::BasicBlockLocation::emitExecuteCode):
        * runtime/BasicBlockLocation.h: Added.
        (JSC::BasicBlockLocation::startOffset):
        (JSC::BasicBlockLocation::endOffset):
        (JSC::BasicBlockLocation::setStartOffset):
        (JSC::BasicBlockLocation::setEndOffset):
        (JSC::BasicBlockLocation::hasExecuted):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        * runtime/ControlFlowProfiler.cpp: Added.
        (JSC::ControlFlowProfiler::~ControlFlowProfiler):
        (JSC::ControlFlowProfiler::getBasicBlockLocation):
        (JSC::ControlFlowProfiler::dumpData):
        (JSC::ControlFlowProfiler::getBasicBlocksForSourceID):
        * runtime/ControlFlowProfiler.h: Added. This class is in 
        charge of generating BasicBlockLocations and also
        providing an interface that the Web Inspector can use to ping
        which basic blocks have executed based on the source id of a script.

        (JSC::BasicBlockKey::BasicBlockKey):
        (JSC::BasicBlockKey::isHashTableDeletedValue):
        (JSC::BasicBlockKey::operator==):
        (JSC::BasicBlockKey::hash):
        (JSC::BasicBlockKeyHash::hash):
        (JSC::BasicBlockKeyHash::equal):
        * runtime/Executable.cpp:
        (JSC::ProgramExecutable::ProgramExecutable):
        (JSC::ProgramExecutable::initializeGlobalProperties):
        * runtime/FunctionHasExecutedCache.cpp:
        (JSC::FunctionHasExecutedCache::getUnexecutedFunctionRanges):
        * runtime/FunctionHasExecutedCache.h:
        * runtime/Options.h:
        * runtime/TypeProfiler.cpp:
        (JSC::TypeProfiler::logTypesForTypeLocation):
        (JSC::TypeProfiler::typeInformationForExpressionAtOffset):
        (JSC::TypeProfiler::findLocation):
        (JSC::TypeProfiler::dumpTypeProfilerData):
        * runtime/TypeProfiler.h:
        (JSC::TypeProfiler::functionHasExecutedCache): Deleted.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::enableProfilerWithRespectToCount):
        (JSC::disableProfilerWithRespectToCount):
        (JSC::VM::enableTypeProfiler):
        (JSC::VM::disableTypeProfiler):
        (JSC::VM::enableControlFlowProfiler):
        (JSC::VM::disableControlFlowProfiler):
        (JSC::VM::dumpTypeProfilerData):
        * runtime/VM.h:
        (JSC::VM::functionHasExecutedCache):
        (JSC::VM::controlFlowProfiler):

2014-12-04  Filip Pizlo  <fpizlo@apple.com>

        printInternal(PrintStream& out, JSC::JITCode::JITType type) ends up dumping a literal %s
        https://bugs.webkit.org/show_bug.cgi?id=139274

        Reviewed by Geoffrey Garen.

        * jit/JITCode.cpp:
        (WTF::printInternal):

2014-12-04  Geoffrey Garen  <ggaren@apple.com>

        Removed the concept of ParserArenaRefCounted
        https://bugs.webkit.org/show_bug.cgi?id=139277

        Reviewed by Oliver Hunt.

        This is a step toward a parser speedup.

        Now that we have a clear root node type for each parse tree, there's no
        need to have a concept for "I might be refcounted or arena allocated".
        Instead, we can just use unique_ptr to manage the tree as a whole.

        * API/JSScriptRef.cpp:
        (parseScript):
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createBuiltinExecutable): Updated for type change.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock): Use unique_ptr. No need to call
        destroyData() explicitly: the unique_ptr destructor will do everything
        we need, as Bjarne intended.

        * parser/NodeConstructors.h:
        (JSC::ParserArenaRoot::ParserArenaRoot):
        (JSC::ParserArenaRefCounted::ParserArenaRefCounted): Deleted.

        * parser/Nodes.cpp:
        (JSC::ScopeNode::ScopeNode):
        (JSC::ProgramNode::ProgramNode):
        (JSC::EvalNode::EvalNode):
        (JSC::FunctionNode::FunctionNode):
        (JSC::ProgramNode::create): Deleted.
        (JSC::EvalNode::create): Deleted.
        (JSC::FunctionNode::create): Deleted. All special create semantics can
        just go away now that we play by C++ constructor / destructor rules.

        * parser/Nodes.h:
        (JSC::ParserArenaRoot::parserArena):
        (JSC::ParserArenaRoot::~ParserArenaRoot): Just a normal class now, which
        holds onto the whole parse tree by virtue of owning the arena in which
        all the parsed nodes (except for itself) were allocated.

        (JSC::ProgramNode::closedVariables):
        (JSC::ParserArenaRefCounted::~ParserArenaRefCounted): Deleted.

        (JSC::ScopeNode::destroyData): Deleted. No need to destroy anything
        explicitly anymore -- we can just rely on destructors.

        (JSC::ScopeNode::parserArena): Deleted.

        * parser/Parser.h:
        (JSC::Parser<LexerType>::parse):
        (JSC::parse): unique_ptr all the things.

        * parser/ParserArena.cpp:
        (JSC::ParserArena::reset):
        (JSC::ParserArena::isEmpty):
        (JSC::ParserArena::contains): Deleted.
        (JSC::ParserArena::last): Deleted.
        (JSC::ParserArena::removeLast): Deleted.
        (JSC::ParserArena::derefWithArena): Deleted.
        * parser/ParserArena.h:
        (JSC::ParserArena::swap): Much delete. Such wow.

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/Completion.cpp:
        (JSC::checkSyntax):
        * runtime/Executable.cpp:
        (JSC::ProgramExecutable::checkSyntax): unique_ptr all the things.

2014-12-04  Andreas Kling  <akling@apple.com>

        REGRESSION(r173188): Text inserted when trying to delete a word from the Twitter message box.
        <https://webkit.org/b/139076>

        Reviewed by Geoffrey Garen.

        The StringImpl* -> Weak<JSString> cache used by the DOM bindings
        had a bug where the key could become a stale pointer if the cached
        JSString had its internal StringImpl atomicized.

        If a new StringImpl was then later constructed at the exact same
        address as the stale key, before the Weak<JSString> got booted out
        of the string cache, we'd now have a situation where asking the
        string cache for that key would return the old JSString.

        Solve this by not allowing JSString::toExistingAtomicString() to
        change the JSString's internal StringImpl unless it's resolving a
        rope string. (The StringImpl nullity determines rope state.)

        This means that calling toExistingAtomicString() may now have to
        query the AtomicString table on each call rather than just once.
        All clients of this API would be forced to do this regardless,
        since they return value will be used to key into containers with
        AtomicStringImpl* keys.

        No test because this relies on malloc putting two StringImpls
        at the same address at different points in time and we have no
        mechanism to reliably test that.

        * runtime/JSString.h:
        (JSC::JSString::toExistingAtomicString):

2014-12-04  Geoffrey Garen  <ggaren@apple.com>

        Marked some final things final.

        Reviewed by Andreas Kling.

        * parser/Nodes.h:

2014-12-04  Geoffrey Garen  <ggaren@apple.com>

        Split out FunctionNode from FunctionBodyNode
        https://bugs.webkit.org/show_bug.cgi?id=139273

        Reviewed by Andreas Kling.

        This is step toward a parser speedup.

        We used to use FunctionBodyNode for two different purposes:

        (1) "I am the root function you are currently parsing";

        (2) "I am a lazy record of a nested function, which you will parse later".

        This made for awkward lifetime semantics and interfaces.

        Now, case (1) is handled by FunctionBodyNode, and case (2) is handled by
        a new node named FunctionNode.

        Since case (1) no longer needs to handle being the root of the parse
        tree, FunctionBodyNode can be a normal arena-allocated node.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock): Use FunctionNode instead of
        FunctionBodyNode, since we are producing the root of the function parse
        tree.

        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable): Removed
        some unused data, and default-initialized other data, which isn't filled
        in meaningfully until recordParse() is called. (The previous values were
        incorrect / meaningless, since the FunctionBodyNode didn't have
        meaningful values in this case.)

        * bytecode/UnlinkedCodeBlock.h: Ditto.

        (JSC::UnlinkedFunctionExecutable::forceUsesArguments): Deleted.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator): Use FunctionNode instead of
        FunctionBodyNode, since we are generating code starting at the root of
        the parse tree.

        (JSC::BytecodeGenerator::resolveCallee):
        (JSC::BytecodeGenerator::addCallee):
        * bytecompiler/BytecodeGenerator.h: Ditto.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionBodyNode::emitBytecode):
        (JSC::FunctionNode::emitBytecode): Moved the emitBytecode implementation
        to FunctionNode, since we never generate code for FunctionBodyNode,
        since it's just a placeholder in the AST.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createFunctionBody):
        (JSC::ASTBuilder::setUsesArguments): Deleted. Updated for interface
        changes.

        * parser/Nodes.cpp:
        (JSC::FunctionBodyNode::FunctionBodyNode):
        (JSC::FunctionBodyNode::finishParsing):
        (JSC::FunctionBodyNode::setEndPosition):
        (JSC::FunctionNode::FunctionNode):
        (JSC::FunctionNode::create):
        (JSC::FunctionNode::finishParsing):
        (JSC::FunctionBodyNode::create): Deleted.

        * parser/Nodes.h:
        (JSC::FunctionBodyNode::parameters):
        (JSC::FunctionBodyNode::source):
        (JSC::FunctionBodyNode::startStartOffset):
        (JSC::FunctionBodyNode::isInStrictContext):
        (JSC::FunctionNode::parameters):
        (JSC::FunctionNode::ident):
        (JSC::FunctionNode::functionMode):
        (JSC::FunctionNode::startColumn):
        (JSC::FunctionNode::endColumn):
        (JSC::ScopeNode::setSource): Deleted.
        (JSC::FunctionBodyNode::parameterCount): Deleted. Split out the differences
        between FunctionNode and FunctionBodyNode.

        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createClauseList):
        (JSC::SyntaxChecker::setUsesArguments): Deleted. Removed setUsesArguments
        since it wasn't used.

        * runtime/Executable.cpp:
        (JSC::ProgramExecutable::checkSyntax): Removed a branch that was always
        false.

2014-12-02  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: timeline probe records have inaccurate per-probe hit counts
        https://bugs.webkit.org/show_bug.cgi?id=138976

        Reviewed by Joseph Pecoraro.

        Previously, the DebuggerAgent was responsible for assigning unique ids to samples.
        However, this makes it impossible for the frontend's Timeline manager to associate
        a Probe Sample timeline record with the corresponding probe sample data. The record
        only included the probe batchId (misnamed as hitCount in ScriptDebugServer).

        This patch moves both the batchId and sampleId counters into ScriptDebugServer, so
        any client of ScriptDebugListener will get the correct sampleId for each sample.

        * inspector/ScriptDebugListener.h:
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::ScriptDebugServer):
        (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe):
        (Inspector::ScriptDebugServer::handleBreakpointHit):
        * inspector/ScriptDebugServer.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::InspectorDebuggerAgent):
        (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
        * inspector/agents/InspectorDebuggerAgent.h:

2014-12-04  Oliver Hunt  <oliver@apple.com>

        Serialization of MapData object provides unsafe access to internal types
        https://bugs.webkit.org/show_bug.cgi?id=138653

        Reviewed by Geoffrey Garen.

        Converting these ASSERTs into RELEASE_ASSERTs, as it is now obvious
        that despite trying hard to be safe in all cases it's simply to easy
        to use an iterator in an unsafe state.

        * runtime/MapData.h:
        (JSC::MapData::const_iterator::key):
        (JSC::MapData::const_iterator::value):

2014-12-03  Gyuyoung Kim  <gyuyoung.kim@samsung.com>

        Move JavaScriptCore/dfg to std::unique_ptr
        https://bugs.webkit.org/show_bug.cgi?id=139169

        Reviewed by Filip Pizlo.

        Use std::unique_ptr<>|std::make_unique<> in JavaScriptCore/dfg directory.

        * dfg/DFGBasicBlock.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::JITCompiler):
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compileFunction):
        (JSC::DFG::JITCompiler::linkFunction):
        * dfg/DFGJITCompiler.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::cancel):
        * dfg/DFGPlan.h:
        * dfg/DFGSlowPathGenerator.h:
        * dfg/DFGWorklist.h:
        * ftl/FTLFail.cpp:
        (JSC::FTL::fail):
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State):

2014-12-03  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r176479): DFG ASSERTION beneath emitOSRExitCall running Kraken/imaging-gaussian-blur.js.ftl-no-cjit-osr-validation and other tests
        https://bugs.webkit.org/show_bug.cgi?id=139246

        Reviewed by Geoffrey Garen.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
        The DFG_ASSERT that checks liveness at exit time doesn't properly
        handle the case where the local is not available at OSR exit time,
        but the local is live in the bytecode.  This now happens with the
        allocated scope register when we are compiling for FTLForOSREntryMode
        due to DCE done when the control flow was changed and a new entrypoint
        was added in the OSR entrypoint creation phase.  Therefore we silence
        the assert when compiling for FTLForOSREntryMode.

2014-12-03  Geoffrey Garen  <ggaren@apple.com>

        Removed the global parser arena
        https://bugs.webkit.org/show_bug.cgi?id=139236

        Reviewed by Sam Weinig.

        Simplifies parser lifetime logic.

        There's no need to keep a global arena. We can create a new arena
        each time we parse.

        * bytecompiler/BytecodeGenerator.h: Global replace to pass around a
        ParserArena instead of VM*, since the VM no longer owns the arena.
        (JSC::BytecodeGenerator::parserArena):

        * bytecompiler/NodesCodegen.cpp: Ditto.
        (JSC::ArrayNode::toArgumentList):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        * parser/ASTBuilder.h: Ditto.
        (JSC::ASTBuilder::ASTBuilder):
        (JSC::ASTBuilder::createSourceElements):
        (JSC::ASTBuilder::createCommaExpr):
        (JSC::ASTBuilder::createLogicalNot):
        (JSC::ASTBuilder::createUnaryPlus):
        (JSC::ASTBuilder::createVoid):
        (JSC::ASTBuilder::thisExpr):
        (JSC::ASTBuilder::createResolve):
        (JSC::ASTBuilder::createObjectLiteral):
        (JSC::ASTBuilder::createArray):
        (JSC::ASTBuilder::createNumberExpr):
        (JSC::ASTBuilder::createString):
        (JSC::ASTBuilder::createBoolean):
        (JSC::ASTBuilder::createNull):
        (JSC::ASTBuilder::createBracketAccess):
        (JSC::ASTBuilder::createDotAccess):
        (JSC::ASTBuilder::createSpreadExpression):
        (JSC::ASTBuilder::createRegExp):
        (JSC::ASTBuilder::createNewExpr):
        (JSC::ASTBuilder::createConditionalExpr):
        (JSC::ASTBuilder::createAssignResolve):
        (JSC::ASTBuilder::createFunctionExpr):
        (JSC::ASTBuilder::createFunctionBody):
        (JSC::ASTBuilder::createGetterOrSetterProperty):
        (JSC::ASTBuilder::createArguments):
        (JSC::ASTBuilder::createArgumentsList):
        (JSC::ASTBuilder::createProperty):
        (JSC::ASTBuilder::createPropertyList):
        (JSC::ASTBuilder::createElementList):
        (JSC::ASTBuilder::createFormalParameterList):
        (JSC::ASTBuilder::createClause):
        (JSC::ASTBuilder::createClauseList):
        (JSC::ASTBuilder::createFuncDeclStatement):
        (JSC::ASTBuilder::createBlockStatement):
        (JSC::ASTBuilder::createExprStatement):
        (JSC::ASTBuilder::createIfStatement):
        (JSC::ASTBuilder::createForLoop):
        (JSC::ASTBuilder::createForInLoop):
        (JSC::ASTBuilder::createForOfLoop):
        (JSC::ASTBuilder::createEmptyStatement):
        (JSC::ASTBuilder::createVarStatement):
        (JSC::ASTBuilder::createEmptyVarExpression):
        (JSC::ASTBuilder::createReturnStatement):
        (JSC::ASTBuilder::createBreakStatement):
        (JSC::ASTBuilder::createContinueStatement):
        (JSC::ASTBuilder::createTryStatement):
        (JSC::ASTBuilder::createSwitchStatement):
        (JSC::ASTBuilder::createWhileStatement):
        (JSC::ASTBuilder::createDoWhileStatement):
        (JSC::ASTBuilder::createLabelStatement):
        (JSC::ASTBuilder::createWithStatement):
        (JSC::ASTBuilder::createThrowStatement):
        (JSC::ASTBuilder::createDebugger):
        (JSC::ASTBuilder::createConstStatement):
        (JSC::ASTBuilder::appendConstDecl):
        (JSC::ASTBuilder::combineCommaNodes):
        (JSC::ASTBuilder::createDeconstructingAssignment):
        (JSC::ASTBuilder::Scope::Scope):
        (JSC::ASTBuilder::createNumber):
        (JSC::ASTBuilder::makeTypeOfNode):
        (JSC::ASTBuilder::makeDeleteNode):
        (JSC::ASTBuilder::makeNegateNode):
        (JSC::ASTBuilder::makeBitwiseNotNode):