[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-02-02  Daniel Bates  <dabates@apple.com>

        [iOS] ASSERTION FAILED: m_scriptExecutionContext->isContextThread() in ContextDestructionObserver::observeContext
        https://bugs.webkit.org/show_bug.cgi?id=141057
        <rdar://problem/19068790>

        Reviewed by Alexey Proskuryakov.

        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::receivedIndicateMessage): Modified to call WTF::callOnWebThreadOrDispatchAsyncOnMainThread().
        (Inspector::dispatchAsyncOnQueueSafeForAnyDebuggable): Deleted; moved logic to common helper function,
        WTF::callOnWebThreadOrDispatchAsyncOnMainThread() so that it can be called from both RemoteInspector::receivedIndicateMessage()
        and CryptoKeyRSA::generatePair().

2015-02-02  Saam Barati  <saambarati1@gmail.com>

        Create tests for JSC's Control Flow Profiler
        https://bugs.webkit.org/show_bug.cgi?id=141123

        Reviewed by Filip Pizlo.

        This patch creates a control flow profiler testing API in jsc.cpp
        that accepts a function and a string as arguments. The string must
        be a substring of the text of the function argument. The API returns
        a boolean indicating whether or not the basic block that encloses the
        substring has executed.

        This patch uses this API to test that the control flow profiler
        behaves as expected on basic block boundaries. These tests do not
        provide full coverage for all JavaScript statements that can create
        basic block boundaries. Full coverage will come in a later patch.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionHasBasicBlockExecuted):
        * runtime/ControlFlowProfiler.cpp:
        (JSC::ControlFlowProfiler::hasBasicBlockAtTextOffsetBeenExecuted):
        * runtime/ControlFlowProfiler.h:
        * tests/controlFlowProfiler: Added.
        * tests/controlFlowProfiler.yaml: Added.
        * tests/controlFlowProfiler/driver: Added.
        * tests/controlFlowProfiler/driver/driver.js: Added.
        (assert):
        * tests/controlFlowProfiler/if-statement.js: Added.
        (testIf):
        (noMatches):
        * tests/controlFlowProfiler/loop-statements.js: Added.
        (forRegular):
        (forIn):
        (forOf):
        (whileLoop):
        * tests/controlFlowProfiler/switch-statements.js: Added.
        (testSwitch):
        * tests/controlFlowProfiler/test-jit.js: Added.
        (tierUpToBaseline):
        (tierUpToDFG):
        (baselineTest):
        (dfgTest):

2015-01-28  Filip Pizlo  <fpizlo@apple.com>

        Polymorphic call inlining should be based on polymorphic call inline caching rather than logging
        https://bugs.webkit.org/show_bug.cgi?id=140660

        Reviewed by Geoffrey Garen.

        When we first implemented polymorphic call inlining, we did the profiling based on a call
        edge log. The idea was to store each call edge (a tuple of call site and callee) into a
        global log that was processed lazily. Processing the log would give precise counts of call
        edges, and could be used to drive well-informed inlining decisions - polymorphic or not.
        This was a speed-up on throughput tests but a slow-down for latency tests. It was a net win
        nonetheless.

        Experience with this code shows three things. First, the call edge profiler is buggy and
        complex. It would take work to fix the bugs. Second, the call edge profiler incurs lots of
        overhead for latency code that we care deeply about. Third, it's not at all clear that
        having call edge counts for every possible callee is any better than just having call edge
        counts for the limited number of callees that an inline cache would catch.

        So, this patch removes the call edge profiler and replaces it with a polymorphic call inline
        cache. If we miss the basic call inline cache, we inflate the cache to be a jump to an
        out-of-line stub that cases on the previously known callees. If that misses again, then we
        rewrite that stub to include the new callee. We do this up to some number of callees. If we
        hit the limit then we switch to using a plain virtual call.

        Substantial speed-up on V8Spider; undoes the slow-down that the original call edge profiler
        caused. Might be a SunSpider speed-up (below 1%), depending on hardware.

        Rolling this back in after fixing https://bugs.webkit.org/show_bug.cgi?id=141107.
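
        The two profiling strategies this entry contrasts, modelled as an added example (this is not WebKit code): a global call-edge log that is processed lazily into exact per-edge counts, beside a per-call-site inline cache that records callees only up to a fixed limit and then degrades to a plain virtual call. `MAX_POLYMORPHIC_CALLEES`, the class names and the sample callees are constructed for illustration; JSC's real limit is an option in runtime/Options.h, which the patch touches but whose value is not on this page.

```javascript
"use strict";

// Constructed limit for this model. JSC's real limit is an Option in
// runtime/Options.h; its value is not part of this example.
const MAX_POLYMORPHIC_CALLEES = 4;

// Old strategy: every (call site, callee) edge goes into one global log that
// is only turned into exact counts when somebody asks for them.
class CallEdgeLog {
  constructor() {
    this.entries = [];
  }
  record(siteId, callee) {
    this.entries.push([siteId, callee]);
  }
  // Lazy processing: collapse the raw log into exact per-edge counts.
  process() {
    const counts = new Map();
    for (const [siteId, callee] of this.entries) {
      const key = `${siteId}:${callee.name}`;
      counts.set(key, (counts.get(key) || 0) + 1);
    }
    return counts;
  }
}

// New strategy: a per-site inline cache. A miss on the basic cache inflates
// it into a stub that switches over the known callees; a further miss rewrites
// the stub with the new callee, until the limit forces a plain virtual call.
class CallSiteInlineCache {
  constructor() {
    this.state = "unlinked"; // unlinked -> monomorphic -> polymorphic -> virtual
    this.callees = [];       // the cases the out-of-line stub would switch over
    this.stubRewrites = 0;   // how often the stub had to be regenerated
    this.virtualCalls = 0;   // calls that went through the generic path
  }
  call(callee, ...args) {
    if (this.state === "virtual") {
      this.virtualCalls += 1;
      return callee(...args);
    }
    if (this.callees.includes(callee)) {
      return callee(...args); // hit: handled by one of the stub's cases
    }
    if (this.callees.length >= MAX_POLYMORPHIC_CALLEES) {
      // Too many callees to enumerate: give up and use a virtual call from now on.
      this.state = "virtual";
      this.callees = [];
      this.virtualCalls += 1;
      return callee(...args);
    }
    this.callees.push(callee);
    this.stubRewrites += 1;
    this.state = this.callees.length === 1 ? "monomorphic" : "polymorphic";
    return callee(...args);
  }
  variants() {
    return this.callees.map((f) => f.name);
  }
}

// Sample callees (constructed).
function addOne(x) { return x + 1; }
function twice(x) { return x * 2; }
function negate(x) { return -x; }
function square(x) { return x * x; }
function half(x) { return x / 2; }

// Drive both models with the same sequence of callees observed at one site
// and report what each one learned about it.
function simulate(calleeSequence) {
  const log = new CallEdgeLog();
  const ic = new CallSiteInlineCache();
  for (const callee of calleeSequence) {
    log.record("site#0", callee);
    ic.call(callee, 1);
  }
  return {
    edgeCounts: Object.fromEntries(log.process()),
    icState: ic.state,
    icVariants: ic.variants(),
    stubRewrites: ic.stubRewrites,
    virtualCalls: ic.virtualCalls,
  };
}

// A mildly polymorphic site: the cache keeps all three callees.
console.log(simulate([addOne, addOne, twice, addOne, twice, negate]));
// A site that sees more callees than the limit: the cache degrades to a
// virtual call, while the log still holds exact counts for every edge.
console.log(simulate([addOne, twice, negate, square, half, addOne]));
```

The second run is the trade-off the entry argues for: the log knows every edge and its count, but paid for that on every call; the cache forgets everything past the limit, yet for the common mildly polymorphic site it has exactly the callee set an inliner needs.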

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CallEdge.h:
        (JSC::CallEdge::count):
        (JSC::CallEdge::CallEdge):
        * bytecode/CallEdgeProfile.cpp: Removed.
        * bytecode/CallEdgeProfile.h: Removed.
        * bytecode/CallEdgeProfileInlines.h: Removed.
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::unlink):
        (JSC::CallLinkInfo::visitWeak):
        * bytecode/CallLinkInfo.h:
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::CallLinkStatus):
        (JSC::CallLinkStatus::computeFor):
        (JSC::CallLinkStatus::computeFromCallLinkInfo):
        (JSC::CallLinkStatus::isClosureCall):
        (JSC::CallLinkStatus::makeClosureCall):
        (JSC::CallLinkStatus::dump):
        (JSC::CallLinkStatus::computeFromCallEdgeProfile): Deleted.
        * bytecode/CallLinkStatus.h:
        (JSC::CallLinkStatus::CallLinkStatus):
        (JSC::CallLinkStatus::isSet):
        (JSC::CallLinkStatus::variants):
        (JSC::CallLinkStatus::size):
        (JSC::CallLinkStatus::at):
        (JSC::CallLinkStatus::operator[]):
        (JSC::CallLinkStatus::canOptimize):
        (JSC::CallLinkStatus::edges): Deleted.
        (JSC::CallLinkStatus::canTrustCounts): Deleted.
        * bytecode/CallVariant.cpp:
        (JSC::variantListWithVariant):
        (JSC::despecifiedVariantList):
        * bytecode/CallVariant.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::linkIncomingPolymorphicCall):
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::noticeIncomingCall):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::isIncomingCallAlreadyLinked): Deleted.
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):
        (JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling): Deleted.
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * jit/BinarySwitch.h:
        * jit/ClosureCallStubRoutine.cpp: Removed.
        * jit/ClosureCallStubRoutine.h: Removed.
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        (JSC::operationLinkPolymorphicCallFor):
        (JSC::operationLinkClosureCallFor): Deleted.
        * jit/JITStubRoutine.h:
        * jit/JITWriteBarrier.h:
        * jit/PolymorphicCallStubRoutine.cpp: Added.
        (JSC::PolymorphicCallNode::~PolymorphicCallNode):
        (JSC::PolymorphicCallNode::unlink):
        (JSC::PolymorphicCallCase::dump):
        (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
        (JSC::PolymorphicCallStubRoutine::~PolymorphicCallStubRoutine):
        (JSC::PolymorphicCallStubRoutine::variants):
        (JSC::PolymorphicCallStubRoutine::edges):
        (JSC::PolymorphicCallStubRoutine::visitWeak):
        (JSC::PolymorphicCallStubRoutine::markRequiredObjectsInternal):
        * jit/PolymorphicCallStubRoutine.h: Added.
        (JSC::PolymorphicCallNode::PolymorphicCallNode):
        (JSC::PolymorphicCallCase::PolymorphicCallCase):
        (JSC::PolymorphicCallCase::variant):
        (JSC::PolymorphicCallCase::codeBlock):
        * jit/Repatch.cpp:
        (JSC::linkSlowFor):
        (JSC::linkFor):
        (JSC::revertCall):
        (JSC::unlinkFor):
        (JSC::linkVirtualFor):
        (JSC::linkPolymorphicCall):
        (JSC::linkClosureCall): Deleted.
        * jit/Repatch.h:
        * jit/ThunkGenerators.cpp:
        (JSC::linkPolymorphicCallForThunkGenerator):
        (JSC::linkPolymorphicCallThunkGenerator):
        (JSC::linkPolymorphicCallThatPreservesRegsThunkGenerator):
        (JSC::linkClosureCallForThunkGenerator): Deleted.
        (JSC::linkClosureCallThunkGenerator): Deleted.
        (JSC::linkClosureCallThatPreservesRegsThunkGenerator): Deleted.
        * jit/ThunkGenerators.h:
        (JSC::linkPolymorphicCallThunkGeneratorFor):
        (JSC::linkClosureCallThunkGeneratorFor): Deleted.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        * runtime/Options.h:
        * runtime/VM.cpp:
        (JSC::VM::prepareToDiscardCode):
        (JSC::VM::ensureCallEdgeLog): Deleted.
        * runtime/VM.h:

2015-01-30  Filip Pizlo  <fpizlo@apple.com>

        Converting Flushes and PhantomLocals to Phantoms requires an OSR availability analysis rather than just using the SetLocal's child
        https://bugs.webkit.org/show_bug.cgi?id=141107

        Reviewed by Michael Saboff.

        See the bugzilla for a discussion of the problem. This addresses the problem by ensuring
        that Flushes are always strength-reduced to PhantomLocals, and CPS rethreading does a mini
        OSR availability analysis to determine the right MovHint value to use for the Phantom.

        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::CPSRethreadingPhase):
        (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
        (JSC::DFG::CPSRethreadingPhase::clearVariables):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
        (JSC::DFG::CPSRethreadingPhase::clearVariablesAtHeadAndTail): Deleted.
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertPhantomToPhantomLocal):
        (JSC::DFG::Node::convertFlushToPhantomLocal):
        (JSC::DFG::Node::convertToPhantomLocal): Deleted.
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * tests/stress/inline-call-that-doesnt-use-all-args.js: Added.
        (foo):
        (bar):
        (baz):

2015-01-31  Michael Saboff  <msaboff@apple.com>

        Crash (DFG assertion) beneath AbstractInterpreter::verifyEdge() @ http://experilous.com/1/planet-generator/2014-09-28/version-1
        https://bugs.webkit.org/show_bug.cgi?id=141111

        Reviewed by Filip Pizlo.

        In LowerDFGToLLVM::compileNode(), if we determine while compiling a node that we would have
        exited, we don't need to process the OSR availability or abstract interpreter.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::safelyInvalidateAfterTermination): Broke this out as a separate
        method since we need to call it at the top and near the bottom of compileNode().
        (JSC::FTL::LowerDFGToLLVM::compileNode):

2015-01-31  Sam Weinig  <sam@webkit.org>

        Remove even more Mountain Lion support
        https://bugs.webkit.org/show_bug.cgi?id=141124

        Reviewed by Alexey Proskuryakov.

        * API/tests/DateTests.mm:
        * Configurations/Base.xcconfig:
        * Configurations/DebugRelease.xcconfig:
        * Configurations/FeatureDefines.xcconfig:
        * Configurations/Version.xcconfig:
        * jit/ExecutableAllocatorFixedVMPool.cpp:

2015-01-31  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r179426.
        https://bugs.webkit.org/show_bug.cgi?id=141119

        "caused a memory use regression" (Requested by Guest45 on
        #webkit).

        Reverted changeset:

        "Use FastMalloc (bmalloc) instead of BlockAllocator for GC
        pages"
        https://bugs.webkit.org/show_bug.cgi?id=140900
        http://trac.webkit.org/changeset/179426

2015-01-30  Daniel Bates  <dabates@apple.com>

        Clean up: Remove unnecessary <dispatch/dispatch.h> header from RemoteInspectorDebuggableConnection.h
        https://bugs.webkit.org/show_bug.cgi?id=141067

        Reviewed by Timothy Hatcher.

        Remove the header <dispatch/dispatch.h> from RemoteInspectorDebuggableConnection.h as we
        do not make use of its functionality. Instead, include this header in RemoteInspectorDebuggableConnection.mm
        and RemoteInspector.mm. The latter depended on <dispatch/dispatch.h> being included via
        header RemoteInspectorDebuggableConnection.h.

        * inspector/remote/RemoteInspector.mm: Include header <dispatch/dispatch.h>.
        * inspector/remote/RemoteInspectorDebuggableConnection.h: Remove header <dispatch/dispatch.h>.
        * inspector/remote/RemoteInspectorDebuggableConnection.mm: Include header <dispatch/dispatch.h>.

2015-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        Implement ES6 Symbol
        https://bugs.webkit.org/show_bug.cgi?id=140435

        Reviewed by Geoffrey Garen.

        This patch implements ES6 Symbol. In this patch, we don't support
        Symbol.keyFor, Symbol.for, Object.getOwnPropertySymbols. They will be
        supported in the subsequent patches.

        Since ES6 Symbol is introduced as new primitive value, we implement
        Symbol as a derived class from JSCell. And now JSValue accepts Symbol*
        as a new primitive value.

        Symbol has a *unique* flagged StringImpl* as a `uid`, whose pointer
        value represents the Symbol's identity. So don't use the Symbol's
        JSCell pointer value for comparison.
        This enables re-producing a Symbol primitive value from a StringImpl* uid
        by executing `Symbol::create(vm, uid)`. This is needed to produce
        Symbol primitive values from stored StringImpl* in `Object.getOwnPropertySymbols`.

        And Symbol.[[Description]] is folded into the string value of Symbol's uid.
        By doing so, we can represent ES6 Symbol without extending current PropertyTable key; StringImpl*.
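
        The observable ES6 Symbol semantics this entry implements, checked from script as an added example (not part of the WebKit change): identity is independent of the description, `String(symbol)` is the only sanctioned string conversion, `Symbol.prototype` is an ordinary object, and symbol keys stay out of string-keyed enumeration. It deliberately avoids `Symbol.for`, `Symbol.keyFor` and `Object.getOwnPropertySymbols`, which the entry says are not yet supported. The sample values are constructed; the code targets the language semantics on any current engine, not JSC internals.

```javascript
"use strict";

// Exercise the ES6 Symbol behaviours described above. Sample values are
// constructed for this example; every field of the result should be true.
function symbolFacts() {
  const facts = {};
  const a = Symbol("token");
  const b = Symbol("token");

  // Identity is the symbol's own uid, not its description: equal
  // descriptions still give two distinct symbols.
  facts.distinctDespiteSameDescription = a !== b;
  facts.typeofIsSymbol = typeof a === "symbol";

  // The description is folded into the symbol; String(symbol) and
  // Symbol.prototype.toString expose it, implicit conversion is a TypeError.
  facts.stringConstructorAccepts = String(a) === "Symbol(token)";
  facts.toStringMatches = a.toString() === "Symbol(token)";
  let implicitFailed = false;
  try {
    void ("" + a);
  } catch (e) {
    implicitFailed = e instanceof TypeError;
  }
  facts.implicitConversionThrows = implicitFailed;

  // Symbol is callable but not constructible.
  let newFailed = false;
  try {
    new Symbol();
  } catch (e) {
    newFailed = e instanceof TypeError;
  }
  facts.newSymbolThrows = newFailed;

  // Symbol.prototype is an ordinary object, not a wrapper around a symbol.
  facts.prototypeIsOrdinary =
    typeof Symbol.prototype === "object" &&
    Object.getPrototypeOf(Symbol.prototype) === Object.prototype;

  // Object(symbol) produces the wrapper object; valueOf unwraps it again.
  const wrapped = Object(a);
  facts.wrapperUnwraps = typeof wrapped === "object" && wrapped.valueOf() === a;

  // As property keys, symbols never collide with strings and are skipped by
  // string-keyed enumeration and by JSON.stringify, but `in` and
  // hasOwnProperty still see them.
  const obj = { [a]: 1, [b]: 2, token: 3 };
  facts.keysAreDistinct = obj[a] === 1 && obj[b] === 2 && obj.token === 3;
  facts.hiddenFromStringKeys = Object.keys(obj).length === 1;
  facts.hiddenFromJson = JSON.stringify(obj) === '{"token":3}';
  facts.presentViaIn = a in obj && Object.prototype.hasOwnProperty.call(obj, a);
  return facts;
}

console.log(symbolFacts());
```

The last group is the one worth remembering when handling untrusted data: a symbol-keyed property survives on an object but is invisible to `Object.keys` and `JSON.stringify`, so serialisation or allow-listing logic that only walks string keys will neither copy nor strip it.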

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.order:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        * builtins/BuiltinNames.h:
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::subtype):
        * interpreter/Interpreter.cpp:
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getByVal):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * runtime/CommonIdentifiers.h:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::opIn):
        * runtime/ExceptionHelpers.cpp:
        (JSC::createUndefinedVariableError):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::synthesizePrototype):
        (JSC::JSValue::dumpInContextAssumingStructure):
        (JSC::JSValue::toStringSlowCase):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isSymbol):
        (JSC::JSValue::isPrimitive):
        (JSC::JSValue::toPropertyKey):

        It represents ToPropertyKey abstract operation in the ES6 spec.
        It cleans up the old implementation's `isName` checks.
        And to prevent performance regressions in
            js/regress/fold-get-by-id-to-multi-get-by-offset-rare-int.html
            js/regress/fold-get-by-id-to-multi-get-by-offset.html
        we annotate this function as ALWAYS_INLINE.

        (JSC::JSValue::getPropertySlot):
        (JSC::JSValue::get):
        (JSC::JSValue::equalSlowCaseInline):
        (JSC::JSValue::strictEqualSlowCaseInline):
        * runtime/JSCell.cpp:
        (JSC::JSCell::put):
        (JSC::JSCell::putByIndex):
        (JSC::JSCell::toPrimitive):
        (JSC::JSCell::getPrimitiveNumber):
        (JSC::JSCell::toNumber):
        (JSC::JSCell::toObject):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::isSymbol):
        (JSC::JSCell::toBoolean):
        (JSC::JSCell::pureToBoolean):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::symbolPrototype):
        (JSC::JSGlobalObject::symbolObjectStructure):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Stringifier):
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
        * runtime/JSType.h:
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::isName): Deleted.
        * runtime/MapData.cpp:
        (JSC::MapData::find):
        (JSC::MapData::add):
        (JSC::MapData::remove):
        (JSC::MapData::replaceAndPackBackingStore):
        * runtime/MapData.h:
        (JSC::MapData::clear):
        * runtime/NameInstance.h: Removed.
        * runtime/NamePrototype.cpp: Removed.
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyDescriptor):
        (JSC::objectConstructorDefineProperty):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncHasOwnProperty):
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):
        (JSC::objectProtoFuncPropertyIsEnumerable):
        * runtime/Operations.cpp:
        (JSC::jsTypeStringForValue):
        (JSC::jsIsObjectType):
        * runtime/PrivateName.h:
        (JSC::PrivateName::PrivateName):
        (JSC::PrivateName::operator==):
        (JSC::PrivateName::operator!=):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::find):
        (JSC::PropertyTable::get):
        * runtime/PropertyName.h:
        (JSC::PropertyName::PropertyName):
        (JSC::PropertyName::publicName):
        * runtime/SmallStrings.h:
        * runtime/StringConstructor.cpp:
        (JSC::callStringConstructor):

        In ES6, String constructor accepts Symbol to execute `String(symbol)`.

        * runtime/Structure.cpp:
        (JSC::Structure::getPropertyNamesFromStructure):
        * runtime/StructureInlines.h:
        (JSC::Structure::prototypeForLookup):
        * runtime/Symbol.cpp: Added.
        (JSC::Symbol::Symbol):
        (JSC::SymbolObject::create):
        (JSC::Symbol::toPrimitive):
        (JSC::Symbol::toBoolean):
        (JSC::Symbol::getPrimitiveNumber):
        (JSC::Symbol::toObject):
        (JSC::Symbol::toNumber):
        (JSC::Symbol::destroy):
        (JSC::Symbol::descriptiveString):
        * runtime/Symbol.h: Added.
        (JSC::Symbol::createStructure):
        (JSC::Symbol::create):
        (JSC::Symbol::privateName):
        (JSC::Symbol::finishCreation):
        (JSC::asSymbol):
        * runtime/SymbolConstructor.cpp: Renamed from Source/JavaScriptCore/runtime/NameConstructor.cpp.
        (JSC::SymbolConstructor::SymbolConstructor):
        (JSC::SymbolConstructor::finishCreation):
        (JSC::callSymbol):
        (JSC::SymbolConstructor::getConstructData):
        (JSC::SymbolConstructor::getCallData):
        * runtime/SymbolConstructor.h: Renamed from Source/JavaScriptCore/runtime/NameConstructor.h.
        (JSC::SymbolConstructor::create):
        (JSC::SymbolConstructor::createStructure):
        * runtime/SymbolObject.cpp: Renamed from Source/JavaScriptCore/runtime/NameInstance.cpp.
        (JSC::SymbolObject::SymbolObject):
        (JSC::SymbolObject::finishCreation):
        (JSC::SymbolObject::defaultValue):

        Now JSC doesn't support @@toPrimitive. So instead of it, we implement
        Symbol.prototype[@@toPrimitive] as ES5 Symbol.[[DefaultValue]].

        * runtime/SymbolObject.h: Added.
        (JSC::SymbolObject::create):
        (JSC::SymbolObject::internalValue):
        (JSC::SymbolObject::createStructure):
        * runtime/SymbolPrototype.cpp: Added.
        (JSC::SymbolPrototype::SymbolPrototype):
        (JSC::SymbolPrototype::finishCreation):
        (JSC::SymbolPrototype::getOwnPropertySlot):
        (JSC::symbolProtoFuncToString):
        (JSC::symbolProtoFuncValueOf):
        * runtime/SymbolPrototype.h: Renamed from Source/JavaScriptCore/runtime/NamePrototype.h.
        (JSC::SymbolPrototype::create):
        (JSC::SymbolPrototype::createStructure):

        SymbolPrototype object is an ordinary JS object, not a wrapper object of Symbol.
        It is tested in js/symbol-prototype-is-ordinary-object.html.
505
506         * runtime/VM.cpp:
507         (JSC::VM::VM):
508         * runtime/VM.h:
509
510 2015-01-30  Geoffrey Garen  <ggaren@apple.com>
511
512         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
513         https://bugs.webkit.org/show_bug.cgi?id=140900
514
515         Reviewed by Mark Hahnenberg.
516
517         Re-landing just the HandleBlock piece of this patch.
518
519         * heap/HandleBlock.h:
520         * heap/HandleBlockInlines.h:
521         (JSC::HandleBlock::create):
522         (JSC::HandleBlock::destroy):
523         (JSC::HandleBlock::HandleBlock):
524         (JSC::HandleBlock::payloadEnd):
525         * heap/HandleSet.cpp:
526         (JSC::HandleSet::~HandleSet):
527         (JSC::HandleSet::grow):
528
529 2015-01-30  Geoffrey Garen  <ggaren@apple.com>
530
531         GC marking threads should clear malloc caches
532         https://bugs.webkit.org/show_bug.cgi?id=141097
533
534         Reviewed by Sam Weinig.
535
536         Follow-up based on Mark Hahnenberg's review: Release after the copy
537         phase, rather than after any phase, since we'd rather not release
538         between marking and copying.
539
540         * heap/GCThread.cpp:
541         (JSC::GCThread::waitForNextPhase):
542         (JSC::GCThread::gcThreadMain):
543
544 2015-01-30  Geoffrey Garen  <ggaren@apple.com>
545
546         GC marking threads should clear malloc caches
547         https://bugs.webkit.org/show_bug.cgi?id=141097
548
549         Reviewed by Andreas Kling.
550
551         This is an attempt to ameliorate a potential memory use regression
552         caused by https://bugs.webkit.org/show_bug.cgi?id=140900
553         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages.
554
555         FastMalloc may accumulate a per-thread cache on each of the 8-ish
556         GC marking threads, which can be expensive.
557
558         * heap/GCThread.cpp:
559         (JSC::GCThread::waitForNextPhase): Scavenge the current thread before
560         going to sleep. There's probably not too much value to keeping our
561         per-thread cache between GCs, and it has some memory footprint.
562
563 2015-01-30  Chris Dumez  <cdumez@apple.com>
564
565         Rename shared() static member functions to singleton() for singleton classes.
566         https://bugs.webkit.org/show_bug.cgi?id=141088
567
568         Reviewed by Ryosuke Niwa and Benjamin Poulain.
569
570         Rename shared() static member functions to singleton() for singleton
571         classes as per the recent coding style change.
572
573         * inspector/remote/RemoteInspector.h:
574         * inspector/remote/RemoteInspector.mm:
575         (Inspector::RemoteInspector::singleton):
576         (Inspector::RemoteInspector::start):
577         (Inspector::RemoteInspector::shared): Deleted.
578         * inspector/remote/RemoteInspectorDebuggable.cpp:
579         (Inspector::RemoteInspectorDebuggable::~RemoteInspectorDebuggable):
580         (Inspector::RemoteInspectorDebuggable::init):
581         (Inspector::RemoteInspectorDebuggable::update):
582         (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
583         (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection):
584         (Inspector::RemoteInspectorDebuggable::unpauseForInitializedInspector):
585         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
586         (Inspector::RemoteInspectorDebuggableConnection::setup):
587         (Inspector::RemoteInspectorDebuggableConnection::sendMessageToFrontend):
588
589 2015-01-30  Geoffrey Garen  <ggaren@apple.com>
590
591         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
592         https://bugs.webkit.org/show_bug.cgi?id=140900
593
594         Reviewed by Mark Hahnenberg.
595
596         Re-landing just the CopyWorkListSegment piece of this patch.
597
598         * heap/CopiedBlockInlines.h:
599         (JSC::CopiedBlock::reportLiveBytes):
600         * heap/CopyWorkList.h:
601         (JSC::CopyWorkListSegment::create):
602         (JSC::CopyWorkListSegment::destroy):
603         (JSC::CopyWorkListSegment::CopyWorkListSegment):
604         (JSC::CopyWorkList::CopyWorkList):
605         (JSC::CopyWorkList::~CopyWorkList):
606         (JSC::CopyWorkList::append):
607
608 2015-01-29  Commit Queue  <commit-queue@webkit.org>
609
610         Unreviewed, rolling out r179357 and r179358.
611         https://bugs.webkit.org/show_bug.cgi?id=141062
612
613         Suspect this caused WebGL tests to start flaking (Requested by
614         kling on #webkit).
615
616         Reverted changesets:
617
618         "Polymorphic call inlining should be based on polymorphic call
619         inline caching rather than logging"
620         https://bugs.webkit.org/show_bug.cgi?id=140660
621         http://trac.webkit.org/changeset/179357
622
623         "Unreviewed, fix no-JIT build."
624         http://trac.webkit.org/changeset/179358
625
626 2015-01-29  Geoffrey Garen  <ggaren@apple.com>
627
628         Removed op_ret_object_or_this
629         https://bugs.webkit.org/show_bug.cgi?id=141048
630
631         Reviewed by Michael Saboff.
632
633         op_ret_object_or_this was one opcode that would keep us out of the
634         optimizing compilers.
635
636         We don't need a special-purpose opcode; we can just use a branch.
637
638         * bytecode/BytecodeBasicBlock.cpp:
639         (JSC::isTerminal): Removed.
640         * bytecode/BytecodeList.json:
641         * bytecode/BytecodeUseDef.h:
642         (JSC::computeUsesForBytecodeOffset):
643         (JSC::computeDefsForBytecodeOffset): Removed.
644
645         * bytecode/CodeBlock.cpp:
646         (JSC::CodeBlock::dumpBytecode): Removed.
647
648         * bytecompiler/BytecodeGenerator.cpp:
649         (JSC::BytecodeGenerator::emitReturn): Use an explicit branch to determine
650         if we need to substitute 'this' for the return value. Our engine no longer
651         benefits from fused opcodes that dispatch less in the interpreter.
652
653         * jit/JIT.cpp:
654         (JSC::JIT::privateCompileMainPass):
655         * jit/JIT.h:
656         * jit/JITCall32_64.cpp:
657         (JSC::JIT::emit_op_ret_object_or_this): Deleted.
658         * jit/JITOpcodes.cpp:
659         (JSC::JIT::emit_op_ret_object_or_this): Deleted.
660         * llint/LowLevelInterpreter32_64.asm:
661         * llint/LowLevelInterpreter64.asm: Removed.
662
663 2015-01-29  Ryosuke Niwa  <rniwa@webkit.org>
664
665         Implement ES6 class syntax without inheritance support
666         https://bugs.webkit.org/show_bug.cgi?id=140918
667
668         Reviewed by Geoffrey Garen.
669
670         Added the most basic support for ES6 class syntax. After this patch, we support basic class definition like:
671         class A {
672             constructor() { }
673             someMethod() { }
674         }
675
676         We'll add the support for "extends" keyword and automatically generating a constructor in follow up patches.
677         We also don't support block scoping of a class declaration.
678
679         We support both class declaration and class expression. A class expression is implemented by the newly added
680         ClassExprNode AST node. A class declaration is implemented by ClassDeclNode, which is a thin wrapper around
681         AssignResolveNode.
682
683         Tests: js/class-syntax-declaration.html
684                js/class-syntax-expression.html
685
686         * bytecompiler/NodesCodegen.cpp:
687         (JSC::ObjectLiteralNode::emitBytecode): Create a new object instead of delegating the work to PropertyListNode.
688         Also fixed the 5-space indentation.
689         (JSC::PropertyListNode::emitBytecode): Don't create a new object now that ObjectLiteralNode does this.
690         (JSC::ClassDeclNode::emitBytecode): Added. Just let the AssignResolveNode node emit the byte code.
691         (JSC::ClassExprNode::emitBytecode): Create the class constructor and add static methods to the constructor by
692         emitting the byte code for PropertyListNode. Add instance methods to the class's prototype object the same way.
693
694         * parser/ASTBuilder.h:
695         (JSC::ASTBuilder::createClassExpr): Added. Creates a ClassExprNode.
696         (JSC::ASTBuilder::createClassDeclStatement): Added. Creates an AssignResolveNode and wraps it in a ClassDeclNode.
697
698         * parser/NodeConstructors.h:
699         (JSC::ClassDeclNode::ClassDeclNode): Added.
700         (JSC::ClassExprNode::ClassExprNode): Added.
701
702         * parser/Nodes.h:
703         (JSC::ClassExprNode): Added.
704         (JSC::ClassDeclNode): Added.
705
706         * parser/Parser.cpp:
707         (JSC::Parser<LexerType>::parseStatement): Added the support for class declaration.
708         (JSC::stringForFunctionMode): Return "method" for MethodMode.
709         (JSC::Parser<LexerType>::parseClassDeclaration): Added. Uses parseClass to create a class expression and wraps
710         it with ClassDeclNode as described above.
711         (JSC::Parser<LexerType>::parseClass): Parses a class expression.
712         (JSC::Parser<LexerType>::parseProperty):
713         (JSC::Parser<LexerType>::parseGetterSetter): Extracted from parseProperty to share the code between parseProperty
714         and parseClass.
715         (JSC::Parser<LexerType>::parsePrimaryExpression): Added the support for class expression.
716
717         * parser/Parser.h:
718         (FunctionParseMode): Added MethodMode.
719
720         * parser/SyntaxChecker.h:
721         (JSC::SyntaxChecker::createClassExpr): Added.
722         (JSC::SyntaxChecker::createClassDeclStatement): Added.
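
The following is an added illustration, not JSC source, of what the class-syntax entry above describes in JavaScript terms: a class declaration, a class expression, and a hand-built equivalent whose `buildClass()` helper (a name chosen here) performs the three steps the entry attributes to ClassExprNode::emitBytecode, namely creating the constructor, attaching static methods to the constructor, and attaching instance methods to the prototype. Defining the methods as non-enumerable is this example's choice so that the hand-built class matches the layout of the native ones.

```javascript
// Added illustration (not JSC source): the desugaring steps the ChangeLog
// entry attributes to ClassExprNode::emitBytecode, written in JavaScript.
'use strict';

// buildClass() is a hypothetical helper mirroring the bytecode emission steps.
function buildClass(constructor, staticMethods, instanceMethods) {
  // Step 1: the constructor function is the class value itself.
  const ctor = constructor;
  // Step 2: static methods become properties of the constructor.
  for (const [name, fn] of Object.entries(staticMethods)) {
    Object.defineProperty(ctor, name, { value: fn, writable: true, configurable: true, enumerable: false });
  }
  // Step 3: instance methods become properties of the prototype object.
  for (const [name, fn] of Object.entries(instanceMethods)) {
    Object.defineProperty(ctor.prototype, name, { value: fn, writable: true, configurable: true, enumerable: false });
  }
  return ctor;
}

// Class declaration: the entry says ClassDeclNode wraps an assignment to the binding "A".
class A {
  constructor(x) { this.x = x; }
  someMethod() { return this.x * 2; }
  static create(x) { return new A(x); }
}

// Class expression: a ClassExprNode whose value is assigned wherever it is used.
const B = class {
  constructor(x) { this.x = x; }
  someMethod() { return this.x * 2; }
  static create(x) { return new B(x); }
};

// Hand-built equivalent of the two classes above, using the desugaring steps.
const C = buildClass(
  function C(x) { this.x = x; },
  { create(x) { return new C(x); } },
  { someMethod() { return this.x * 2; } },
);

// Describe where each member ended up, so the three classes can be compared.
function layout(klass) {
  return {
    ownStatics: Object.getOwnPropertyNames(klass).filter((n) => typeof klass[n] === 'function'),
    protoMethods: Object.getOwnPropertyNames(klass.prototype).filter((n) => n !== 'constructor'),
    methodsEnumerable: Object.keys(klass.prototype).length > 0,
    result: klass.create(21).someMethod(),
  };
}
```

`layout(A)`, `layout(B)` and `layout(C)` are identical: the static method lives on the constructor, the instance method on the prototype, and neither is enumerable.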
723
724 2015-01-29  Geoffrey Garen  <ggaren@apple.com>
725
726         Try to fix the Windows build.
727
728         Not reviewed.
729
730         * heap/WeakBlock.h: Use the fully qualified name when declaring our friend.
731
732 2015-01-29  Geoffrey Garen  <ggaren@apple.com>
733
734         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
735         https://bugs.webkit.org/show_bug.cgi?id=140900
736
737         Reviewed by Mark Hahnenberg.
738
739         Re-landing just the WeakBlock piece of this patch.
740
741         * heap/WeakBlock.cpp:
742         (JSC::WeakBlock::create):
743         (JSC::WeakBlock::destroy):
744         (JSC::WeakBlock::WeakBlock):
745         * heap/WeakBlock.h:
746         * heap/WeakSet.cpp:
747         (JSC::WeakSet::~WeakSet):
748         (JSC::WeakSet::addAllocator):
749         (JSC::WeakSet::removeAllocator):
750
751 2015-01-29  Geoffrey Garen  <ggaren@apple.com>
752
753         Use Vector instead of GCSegmentedArray in CodeBlockSet
754         https://bugs.webkit.org/show_bug.cgi?id=141044
755
756         Reviewed by Ryosuke Niwa.
757
758         This is allowed now that we've gotten rid of fastMallocForbid.
759
760         4kB was a bit overkill for just storing a few pointers.
761
762         * heap/CodeBlockSet.cpp:
763         (JSC::CodeBlockSet::CodeBlockSet):
764         * heap/CodeBlockSet.h:
765         * heap/Heap.cpp:
766         (JSC::Heap::Heap):
767
768 2015-01-29  Filip Pizlo  <fpizlo@apple.com>
769
770         Unreviewed, fix no-JIT build.
771
772         * jit/PolymorphicCallStubRoutine.cpp:
773
774 2015-01-28  Filip Pizlo  <fpizlo@apple.com>
775
776         Polymorphic call inlining should be based on polymorphic call inline caching rather than logging
777         https://bugs.webkit.org/show_bug.cgi?id=140660
778
779         Reviewed by Geoffrey Garen.
780         
781         When we first implemented polymorphic call inlining, we did the profiling based on a call
782         edge log. The idea was to store each call edge (a tuple of call site and callee) into a
783         global log that was processed lazily. Processing the log would give precise counts of call
784         edges, and could be used to drive well-informed inlining decisions - polymorphic or not.
785         This was a speed-up on throughput tests but a slow-down for latency tests. It was a net win
786         nonetheless.
787         
788         Experience with this code shows three things. First, the call edge profiler is buggy and
789         complex. It would take work to fix the bugs. Second, the call edge profiler incurs lots of
790         overhead for latency code that we care deeply about. Third, it's not at all clear that
791         having call edge counts for every possible callee is any better than just having call edge
792         counts for the limited number of callees that an inline cache would catch.
793         
794         So, this patch removes the call edge profiler and replaces it with a polymorphic call inline
795         cache. If we miss the basic call inline cache, we inflate the cache to be a jump to an
796         out-of-line stub that cases on the previously known callees. If that misses again, then we
797         rewrite that stub to include the new callee. We do this up to some number of callees. If we
798         hit the limit then we switch to using a plain virtual call.
799         
800         Substantial speed-up on V8Spider; undoes the slow-down that the original call edge profiler
801         caused. Might be a SunSpider speed-up (below 1%), depending on hardware.
802
803         * CMakeLists.txt:
804         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
805         * JavaScriptCore.xcodeproj/project.pbxproj:
806         * bytecode/CallEdge.h:
807         (JSC::CallEdge::count):
808         (JSC::CallEdge::CallEdge):
809         * bytecode/CallEdgeProfile.cpp: Removed.
810         * bytecode/CallEdgeProfile.h: Removed.
811         * bytecode/CallEdgeProfileInlines.h: Removed.
812         * bytecode/CallLinkInfo.cpp:
813         (JSC::CallLinkInfo::unlink):
814         (JSC::CallLinkInfo::visitWeak):
815         * bytecode/CallLinkInfo.h:
816         * bytecode/CallLinkStatus.cpp:
817         (JSC::CallLinkStatus::CallLinkStatus):
818         (JSC::CallLinkStatus::computeFor):
819         (JSC::CallLinkStatus::computeFromCallLinkInfo):
820         (JSC::CallLinkStatus::isClosureCall):
821         (JSC::CallLinkStatus::makeClosureCall):
822         (JSC::CallLinkStatus::dump):
823         (JSC::CallLinkStatus::computeFromCallEdgeProfile): Deleted.
824         * bytecode/CallLinkStatus.h:
825         (JSC::CallLinkStatus::CallLinkStatus):
826         (JSC::CallLinkStatus::isSet):
827         (JSC::CallLinkStatus::variants):
828         (JSC::CallLinkStatus::size):
829         (JSC::CallLinkStatus::at):
830         (JSC::CallLinkStatus::operator[]):
831         (JSC::CallLinkStatus::canOptimize):
832         (JSC::CallLinkStatus::edges): Deleted.
833         (JSC::CallLinkStatus::canTrustCounts): Deleted.
834         * bytecode/CallVariant.cpp:
835         (JSC::variantListWithVariant):
836         (JSC::despecifiedVariantList):
837         * bytecode/CallVariant.h:
838         * bytecode/CodeBlock.cpp:
839         (JSC::CodeBlock::~CodeBlock):
840         (JSC::CodeBlock::linkIncomingPolymorphicCall):
841         (JSC::CodeBlock::unlinkIncomingCalls):
842         (JSC::CodeBlock::noticeIncomingCall):
843         * bytecode/CodeBlock.h:
844         (JSC::CodeBlock::isIncomingCallAlreadyLinked): Deleted.
845         * dfg/DFGAbstractInterpreterInlines.h:
846         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
847         * dfg/DFGByteCodeParser.cpp:
848         (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
849         (JSC::DFG::ByteCodeParser::handleCall):
850         (JSC::DFG::ByteCodeParser::handleInlining):
851         * dfg/DFGClobberize.h:
852         (JSC::DFG::clobberize):
853         * dfg/DFGConstantFoldingPhase.cpp:
854         (JSC::DFG::ConstantFoldingPhase::foldConstants):
855         * dfg/DFGDoesGC.cpp:
856         (JSC::DFG::doesGC):
857         * dfg/DFGDriver.cpp:
858         (JSC::DFG::compileImpl):
859         * dfg/DFGFixupPhase.cpp:
860         (JSC::DFG::FixupPhase::fixupNode):
861         * dfg/DFGNode.h:
862         (JSC::DFG::Node::hasHeapPrediction):
863         * dfg/DFGNodeType.h:
864         * dfg/DFGOperations.cpp:
865         * dfg/DFGPredictionPropagationPhase.cpp:
866         (JSC::DFG::PredictionPropagationPhase::propagate):
867         * dfg/DFGSafeToExecute.h:
868         (JSC::DFG::safeToExecute):
869         * dfg/DFGSpeculativeJIT32_64.cpp:
870         (JSC::DFG::SpeculativeJIT::emitCall):
871         (JSC::DFG::SpeculativeJIT::compile):
872         * dfg/DFGSpeculativeJIT64.cpp:
873         (JSC::DFG::SpeculativeJIT::emitCall):
874         (JSC::DFG::SpeculativeJIT::compile):
875         * dfg/DFGTierUpCheckInjectionPhase.cpp:
876         (JSC::DFG::TierUpCheckInjectionPhase::run):
877         (JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling): Deleted.
878         * ftl/FTLCapabilities.cpp:
879         (JSC::FTL::canCompile):
880         * heap/Heap.cpp:
881         (JSC::Heap::collect):
882         * jit/BinarySwitch.h:
883         * jit/ClosureCallStubRoutine.cpp: Removed.
884         * jit/ClosureCallStubRoutine.h: Removed.
885         * jit/JITCall.cpp:
886         (JSC::JIT::compileOpCall):
887         * jit/JITCall32_64.cpp:
888         (JSC::JIT::compileOpCall):
889         * jit/JITOperations.cpp:
890         * jit/JITOperations.h:
891         (JSC::operationLinkPolymorphicCallFor):
892         (JSC::operationLinkClosureCallFor): Deleted.
893         * jit/JITStubRoutine.h:
894         * jit/JITWriteBarrier.h:
895         * jit/PolymorphicCallStubRoutine.cpp: Added.
896         (JSC::PolymorphicCallNode::~PolymorphicCallNode):
897         (JSC::PolymorphicCallNode::unlink):
898         (JSC::PolymorphicCallCase::dump):
899         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
900         (JSC::PolymorphicCallStubRoutine::~PolymorphicCallStubRoutine):
901         (JSC::PolymorphicCallStubRoutine::variants):
902         (JSC::PolymorphicCallStubRoutine::edges):
903         (JSC::PolymorphicCallStubRoutine::visitWeak):
904         (JSC::PolymorphicCallStubRoutine::markRequiredObjectsInternal):
905         * jit/PolymorphicCallStubRoutine.h: Added.
906         (JSC::PolymorphicCallNode::PolymorphicCallNode):
907         (JSC::PolymorphicCallCase::PolymorphicCallCase):
908         (JSC::PolymorphicCallCase::variant):
909         (JSC::PolymorphicCallCase::codeBlock):
910         * jit/Repatch.cpp:
911         (JSC::linkSlowFor):
912         (JSC::linkFor):
913         (JSC::revertCall):
914         (JSC::unlinkFor):
915         (JSC::linkVirtualFor):
916         (JSC::linkPolymorphicCall):
917         (JSC::linkClosureCall): Deleted.
918         * jit/Repatch.h:
919         * jit/ThunkGenerators.cpp:
920         (JSC::linkPolymorphicCallForThunkGenerator):
921         (JSC::linkPolymorphicCallThunkGenerator):
922         (JSC::linkPolymorphicCallThatPreservesRegsThunkGenerator):
923         (JSC::linkClosureCallForThunkGenerator): Deleted.
924         (JSC::linkClosureCallThunkGenerator): Deleted.
925         (JSC::linkClosureCallThatPreservesRegsThunkGenerator): Deleted.
926         * jit/ThunkGenerators.h:
927         (JSC::linkPolymorphicCallThunkGeneratorFor):
928         (JSC::linkClosureCallThunkGeneratorFor): Deleted.
929         * llint/LLIntSlowPaths.cpp:
930         (JSC::LLInt::jitCompileAndSetHeuristics):
931         * runtime/Options.h:
932         * runtime/VM.cpp:
933         (JSC::VM::prepareToDiscardCode):
934         (JSC::VM::ensureCallEdgeLog): Deleted.
935         * runtime/VM.h:
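
The following is an added teaching model, not JSC's CallLinkInfo or PolymorphicCallStubRoutine code, of the call-site state machine the entry above describes: a first call links the site to one callee, a miss inflates the link into a stub that cases on the known callees, further misses rewrite the stub to add callees up to a limit, and past that limit the site falls back to a plain virtual call. The `CallSite` class, the state names and the `MAX_POLYMORPHIC_CALLEES` limit are all chosen here for illustration; JSC's actual limit is not stated in the entry.

```javascript
// Added teaching model (not JSC source) of a polymorphic call inline cache.
'use strict';

const MAX_POLYMORPHIC_CALLEES = 4;  // hypothetical limit chosen for this model

class CallSite {
  constructor(limit = MAX_POLYMORPHIC_CALLEES) {
    this.limit = limit;
    this.state = 'unlinked';  // unlinked -> monomorphic -> polymorphic -> virtual
    this.cases = [];          // callees the current stub checks, in link order
    this.relinks = 0;         // times the slow path rewrote the link
    this.fastHits = 0;        // calls answered by a cached case
  }

  call(callee, ...args) {
    // Fast path: the cached case(s) are checked before anything else.
    if (this.state !== 'virtual' && this.cases.includes(callee)) {
      this.fastHits++;
      return callee(...args);
    }
    // Past the limit the site stays a plain virtual call and is never relinked.
    if (this.state === 'virtual') return callee(...args);

    // Slow path: a miss. Relink according to the current state.
    this.relinks++;
    if (this.state === 'unlinked') {
      this.cases = [callee];                 // basic inline cache: one callee
      this.state = 'monomorphic';
    } else if (this.cases.length < this.limit) {
      this.cases.push(callee);               // rewrite the stub to add the new callee
      this.state = 'polymorphic';
    } else {
      this.cases = [];                       // give up: plain virtual call from now on
      this.state = 'virtual';
    }
    return callee(...args);
  }
}

// Drive one call site through a sequence of callees and report what happened.
function simulate(sequence, limit) {
  const site = new CallSite(limit);
  const trace = [];
  for (const callee of sequence) {
    site.call(callee);
    trace.push(site.state);
  }
  return { trace, relinks: site.relinks, fastHits: site.fastHits, cases: site.cases.length };
}
```

With a limit of 3, the sequence f, f, g, f, g, h, h, i, f goes monomorphic on the first call, polymorphic on the first miss, and virtual when the fourth distinct callee arrives; only four of the nine calls are relinks and the rest before the fallback are fast-path hits.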
936
937 2015-01-29  Joseph Pecoraro  <pecoraro@apple.com>
938
939         Web Inspector: ES6: Improved Console Format for Set and Map Objects (like Arrays)
940         https://bugs.webkit.org/show_bug.cgi?id=122867
941
942         Reviewed by Timothy Hatcher.
943
944         Add new Runtime.RemoteObject object subtypes for "map", "set", and "weakmap".
945
946         Upgrade Runtime.ObjectPreview to include type/subtype information. Now,
947         an ObjectPreview can be used for any value, in place of a RemoteObject,
948         and not capture / hold a reference to the value. The value will be in
949         the string description.
950
951         Adding this information to ObjectPreview can duplicate some information
952         in the protocol messages if a preview is provided, but simplifies
953         previews, so that all the information you need for any RemoteObject
954         preview is available. To slim messages further, make "overflow" and
955         "properties" only available on previews that may contain properties.
956         So, not primitives or null.
957
958         Finally, for "Map/Set/WeakMap" add an "entries" list to the preview
959         that will return previews with "key" and "value" properties depending
960         on the collection type. To get live, non-preview objects from a
961         collection, use Runtime.getCollectionEntries.
962
963         In order to keep the WeakMap's values Weak the frontend may provide
964         a unique object group name when getting collection entries. It may
965         then release that object group, e.g. when not showing the WeakMap's
966         values to the user, and thus remove the strong reference to the keys
967         so they may be garbage collected.
968
969         * runtime/WeakMapData.h:
970         (JSC::WeakMapData::begin):
971         (JSC::WeakMapData::end):
972         Expose iterators so the Inspector may access WeakMap keys/values.
973
974         * inspector/JSInjectedScriptHostPrototype.cpp:
975         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
976         (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapEntries):
977         * inspector/JSInjectedScriptHost.h:
978         * inspector/JSInjectedScriptHost.cpp:
979         (Inspector::JSInjectedScriptHost::subtype):
980         Discern "map", "set", and "weakmap" object subtypes.
981
982         (Inspector::JSInjectedScriptHost::weakMapEntries):
983         Return a list of WeakMap entries. These are strong references
984         that the Inspector code is responsible for releasing.
985
986         * inspector/protocol/Runtime.json:
987         Update types and expose the new getCollectionEntries command.
988
989         * inspector/agents/InspectorRuntimeAgent.h:
990         * inspector/agents/InspectorRuntimeAgent.cpp:
991         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
992         * inspector/InjectedScript.h:
993         * inspector/InjectedScript.cpp:
994         (Inspector::InjectedScript::getInternalProperties):
995         (Inspector::InjectedScript::getCollectionEntries):
996         Pass through to the InjectedScript and call getCollectionEntries.
997
998         * inspector/scripts/codegen/generator.py:
999         Add another type with runtime casting.
1000
1001         * inspector/InjectedScriptSource.js:
1002         - Implement getCollectionEntries to get a range of values from a
1003         collection. The non-Weak collections have an order to their keys (in
1004         order of added) so ranged gets are okay. WeakMap does not have an
1005         order, so only allow fetching a number of values.
1006         - Update preview generation to address the Runtime.ObjectPreview
1007         type changes.
1008
1009 2015-01-28  Geoffrey Garen  <ggaren@apple.com>
1010
1011         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
1012         https://bugs.webkit.org/show_bug.cgi?id=140900
1013
1014         Reviewed by Mark Hahnenberg.
1015
1016         Re-landing just the GCArraySegment piece of this patch.
1017
1018         * heap/CodeBlockSet.cpp:
1019         (JSC::CodeBlockSet::CodeBlockSet):
1020         * heap/CodeBlockSet.h:
1021         * heap/GCSegmentedArray.h:
1022         (JSC::GCArraySegment::GCArraySegment):
1023         * heap/GCSegmentedArrayInlines.h:
1024         (JSC::GCSegmentedArray<T>::GCSegmentedArray):
1025         (JSC::GCSegmentedArray<T>::~GCSegmentedArray):
1026         (JSC::GCSegmentedArray<T>::clear):
1027         (JSC::GCSegmentedArray<T>::expand):
1028         (JSC::GCSegmentedArray<T>::refill):
1029         (JSC::GCArraySegment<T>::create):
1030         (JSC::GCArraySegment<T>::destroy):
1031         * heap/GCThreadSharedData.cpp:
1032         (JSC::GCThreadSharedData::GCThreadSharedData):
1033         * heap/Heap.cpp:
1034         (JSC::Heap::Heap):
1035         * heap/MarkStack.cpp:
1036         (JSC::MarkStackArray::MarkStackArray):
1037         * heap/MarkStack.h:
1038         * heap/SlotVisitor.cpp:
1039         (JSC::SlotVisitor::SlotVisitor):
1040
1041 2015-01-29  Csaba Osztrogonác  <ossy@webkit.org>
1042
1043         Move HAVE_DTRACE definition back to Platform.h
1044         https://bugs.webkit.org/show_bug.cgi?id=141033
1045
1046         Reviewed by Dan Bernstein.
1047
1048         * Configurations/Base.xcconfig:
1049         * JavaScriptCore.xcodeproj/project.pbxproj:
1050
1051 2015-01-28  Geoffrey Garen  <ggaren@apple.com>
1052
1053         Removed fastMallocForbid / fastMallocAllow
1054         https://bugs.webkit.org/show_bug.cgi?id=141012
1055
1056         Reviewed by Mark Hahnenberg.
1057
1058         Copy non-current thread stacks before scanning them instead of scanning
1059         them in-place.
1060
1061         This operation is uncommon (i.e., never in the web content process),
1062         and even in a stress test with 4 threads it only copies about 27kB,
1063         so I think the performance cost is OK.
1064
1065         Scanning in-place requires a complex dance where we constrain our GC
1066         data structures not to use malloc, free, or any other interesting functions
1067         that might acquire locks. We've gotten this wrong many times in the past,
1068         and I just got it wrong again yesterday. Since this code path is rarely
1069         tested, I want it to just make sense, and not depend on or constrain the
1070         details of the rest of the GC heap's design.
1071
1072         * heap/MachineStackMarker.cpp:
1073         (JSC::otherThreadStack): Factored out a helper function for dealing with
1074         unaligned and/or backwards pointers.
1075
1076         (JSC::MachineThreads::tryCopyOtherThreadStack): This is now the only
1077         constrained function, and it only calls memcpy and low-level thread APIs.
1078
1079         (JSC::MachineThreads::tryCopyOtherThreadStacks): The design here is that
1080         you do one pass over all the threads to compute their combined size,
1081         and then a second pass to do all the copying. In theory, the threads may
1082         grow in between passes, in which case you'll continue until the threads
1083         stop growing. In practice, you never continue.
1084
1085         (JSC::growBuffer): Helper function for growing.
1086
1087         (JSC::MachineThreads::gatherConservativeRoots):
1088         (JSC::MachineThreads::gatherFromOtherThread): Deleted.
1089         * heap/MachineStackMarker.h: Updated for interface changes.
1090
1091 2015-01-28  Brian J. Burg  <burg@cs.washington.edu>
1092
1093         Web Inspector: remove CSS.setPropertyText, CSS.toggleProperty and related dead code
1094         https://bugs.webkit.org/show_bug.cgi?id=140961
1095
1096         Reviewed by Timothy Hatcher.
1097
1098         * inspector/protocol/CSS.json: Remove unused protocol methods.
1099
1100 2015-01-28  Dana Burkart  <dburkart@apple.com>
1101
1102         Move ASan flag settings from DebugRelease.xcconfig to Base.xcconfig
1103         https://bugs.webkit.org/show_bug.cgi?id=136765
1104
1105         Reviewed by Alexey Proskuryakov.
1106
1107         * Configurations/Base.xcconfig:
1108         * Configurations/DebugRelease.xcconfig:
1109
1110 2015-01-27  Filip Pizlo  <fpizlo@apple.com>
1111
1112         ExitSiteData saying m_takesSlowPath shouldn't mean early returning takesSlowPath() since for the non-LLInt case we later set m_couldTakeSlowPath, which is more precise
1113         https://bugs.webkit.org/show_bug.cgi?id=140980
1114
1115         Reviewed by Oliver Hunt.
1116
1117         * bytecode/CallLinkStatus.cpp:
1118         (JSC::CallLinkStatus::computeFor):
1119
1120 2015-01-27  Filip Pizlo  <fpizlo@apple.com>
1121
1122         Move DFGBinarySwitch out of the DFG so that all of the JITs can use it
1123         https://bugs.webkit.org/show_bug.cgi?id=140959
1124
1125         Rubber stamped by Geoffrey Garen.
1126         
1127         I want to use this for polymorphic stubs for https://bugs.webkit.org/show_bug.cgi?id=140660.
1128         This code no longer has DFG dependencies so this is a very clean move.
1129
1130         * CMakeLists.txt:
1131         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1132         * JavaScriptCore.xcodeproj/project.pbxproj:
1133         * dfg/DFGBinarySwitch.cpp: Removed.
1134         * dfg/DFGBinarySwitch.h: Removed.
1135         * dfg/DFGSpeculativeJIT.cpp:
1136         * jit/BinarySwitch.cpp: Copied from Source/JavaScriptCore/dfg/DFGBinarySwitch.cpp.
1137         * jit/BinarySwitch.h: Copied from Source/JavaScriptCore/dfg/DFGBinarySwitch.h.
1138
1139 2015-01-27  Commit Queue  <commit-queue@webkit.org>
1140
1141         Unreviewed, rolling out r179192.
1142         https://bugs.webkit.org/show_bug.cgi?id=140953
1143
1144         Caused numerous layout test failures (Requested by mattbaker_
1145         on #webkit).
1146
1147         Reverted changeset:
1148
1149         "Use FastMalloc (bmalloc) instead of BlockAllocator for GC
1150         pages"
1151         https://bugs.webkit.org/show_bug.cgi?id=140900
1152         http://trac.webkit.org/changeset/179192
1153
1154 2015-01-27  Michael Saboff  <msaboff@apple.com>
1155
1156         REGRESSION(r178591): 20% regression in Octane box2d
1157         https://bugs.webkit.org/show_bug.cgi?id=140948
1158
1159         Reviewed by Geoffrey Garen.
1160
1161         Added a check that we have a lexical environment to the "arguments is captured" check.
1162         It doesn't make sense to resolve "arguments" when it really isn't captured.
1163
1164         * bytecompiler/BytecodeGenerator.cpp:
1165         (JSC::BytecodeGenerator::willResolveToArgumentsRegister):
1166
1167 2015-01-26  Geoffrey Garen  <ggaren@apple.com>
1168
1169         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
1170         https://bugs.webkit.org/show_bug.cgi?id=140900
1171
1172         Reviewed by Mark Hahnenberg.
1173
1174         Removes some more custom allocation code.
1175
1176         Looks like a speedup. (See results attached to bugzilla.)
1177
1178         Will hopefully reduce memory use by improving sharing between the GC and
1179         malloc heaps.
1180
1181         * API/JSBase.cpp:
1182         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1183         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1184         * JavaScriptCore.xcodeproj/project.pbxproj: Feed the compiler.
1185
1186         * heap/BlockAllocator.cpp: Removed.
1187         * heap/BlockAllocator.h: Removed. No need for a custom allocator anymore.
1188
1189         * heap/CodeBlockSet.cpp:
1190         (JSC::CodeBlockSet::CodeBlockSet):
1191         * heap/CodeBlockSet.h: Feed the compiler.
1192
1193         * heap/CopiedBlock.h:
1194         (JSC::CopiedBlock::createNoZeroFill):
1195         (JSC::CopiedBlock::create):
1196         (JSC::CopiedBlock::CopiedBlock):
1197         (JSC::CopiedBlock::isOversize):
1198         (JSC::CopiedBlock::payloadEnd):
1199         (JSC::CopiedBlock::capacity):
1200         * heap/CopiedBlockInlines.h:
1201         (JSC::CopiedBlock::reportLiveBytes): Each copied block now tracks its
1202         own size, since we can't rely on Region to tell us our size anymore.
1203
1204         * heap/CopiedSpace.cpp:
1205         (JSC::CopiedSpace::~CopiedSpace):
1206         (JSC::CopiedSpace::tryAllocateOversize):
1207         (JSC::CopiedSpace::tryReallocateOversize):
1208         * heap/CopiedSpaceInlines.h:
1209         (JSC::CopiedSpace::recycleEvacuatedBlock):
1210         (JSC::CopiedSpace::recycleBorrowedBlock):
1211         (JSC::CopiedSpace::allocateBlockForCopyingPhase):
1212         (JSC::CopiedSpace::allocateBlock):
1213         (JSC::CopiedSpace::startedCopying): Deallocate blocks directly, rather
1214         than pushing them onto the block allocator's free list; the block
1215         allocator doesn't exist anymore.
1216
1217         * heap/CopyWorkList.h:
1218         (JSC::CopyWorkListSegment::create):
1219         (JSC::CopyWorkListSegment::CopyWorkListSegment):
1220         (JSC::CopyWorkList::~CopyWorkList):
1221         (JSC::CopyWorkList::append):
1222         (JSC::CopyWorkList::CopyWorkList): Deleted.
1223         * heap/GCSegmentedArray.h:
1224         (JSC::GCArraySegment::GCArraySegment):
1225         * heap/GCSegmentedArrayInlines.h:
1226         (JSC::GCSegmentedArray<T>::GCSegmentedArray):
1227         (JSC::GCSegmentedArray<T>::~GCSegmentedArray):
1228         (JSC::GCSegmentedArray<T>::clear):
1229         (JSC::GCSegmentedArray<T>::expand):
1230         (JSC::GCSegmentedArray<T>::refill):
1231         (JSC::GCArraySegment<T>::create):
1232         * heap/GCThreadSharedData.cpp:
1233         (JSC::GCThreadSharedData::GCThreadSharedData):
1234         * heap/GCThreadSharedData.h: Feed the compiler.
1235
1236         * heap/HandleBlock.h:
1237         * heap/HandleBlockInlines.h:
1238         (JSC::HandleBlock::create):
1239         (JSC::HandleBlock::HandleBlock):
1240         (JSC::HandleBlock::payloadEnd):
1241         * heap/HandleSet.cpp:
1242         (JSC::HandleSet::~HandleSet):
1243         (JSC::HandleSet::grow): Same as above.
1244
1245         * heap/Heap.cpp:
1246         (JSC::Heap::Heap):
1247         * heap/Heap.h: Removed the block allocator since it is unused now.
1248
1249         * heap/HeapBlock.h:
1250         (JSC::HeapBlock::destroy):
1251         (JSC::HeapBlock::HeapBlock):
1252         (JSC::HeapBlock::region): Deleted. Removed the Region pointer from each
1253         HeapBlock since a HeapBlock is just a normal allocation now.
1254
1255         * heap/HeapInlines.h:
1256         (JSC::Heap::blockAllocator): Deleted.
1257
1258         * heap/HeapTimer.cpp:
1259         * heap/MarkStack.cpp:
1260         (JSC::MarkStackArray::MarkStackArray):
1261         * heap/MarkStack.h: Feed the compiler.
1262
1263         * heap/MarkedAllocator.cpp:
1264         (JSC::MarkedAllocator::allocateBlock): No need to use a custom code path
1265         based on size, since we use a general purpose allocator now.
1266
1267         * heap/MarkedBlock.cpp:
1268         (JSC::MarkedBlock::create):
1269         (JSC::MarkedBlock::destroy):
1270         (JSC::MarkedBlock::MarkedBlock):
1271         * heap/MarkedBlock.h:
1272         (JSC::MarkedBlock::capacity): Track block size explicitly, like CopiedBlock.
1273
1274         * heap/MarkedSpace.cpp:
1275         (JSC::MarkedSpace::freeBlock):
1276         * heap/MarkedSpace.h:
1277
1278         * heap/Region.h: Removed.
1279
1280         * heap/SlotVisitor.cpp:
1281         (JSC::SlotVisitor::SlotVisitor): Removed reference to block allocator.
1282
1283         * heap/SuperRegion.cpp: Removed.
1284         * heap/SuperRegion.h: Removed.
1285
1286         * heap/WeakBlock.cpp:
1287         (JSC::WeakBlock::create):
1288         (JSC::WeakBlock::WeakBlock):
1289         * heap/WeakBlock.h:
1290         * heap/WeakSet.cpp:
1291         (JSC::WeakSet::~WeakSet):
1292         (JSC::WeakSet::addAllocator):
1293         (JSC::WeakSet::removeAllocator): Removed reference to block allocator.
1294
1295 2015-01-27  Csaba Osztrogonác  <ossy@webkit.org>
1296
1297         [ARM] Typo fix after r176083
1298         https://bugs.webkit.org/show_bug.cgi?id=140937
1299
1300         Reviewed by Anders Carlsson.
1301
1302         * assembler/ARMv7Assembler.h:
1303         (JSC::ARMv7Assembler::ldrh):
1304
1305 2015-01-27  Csaba Osztrogonác  <ossy@webkit.org>
1306
1307         [Win] Unreviewed gardening, skip failing tests.
1308
1309         * tests/exceptionFuzz.yaml: Skip exception fuzz tests due to bug140928.
1310         * tests/mozilla/mozilla-tests.yaml: Skip ecma/Date/15.9.5.28-1.js due to bug140927.
1311
1312 2015-01-26  Csaba Osztrogonác  <ossy@webkit.org>
1313
1314         [Win] Enable JSC stress tests by default
1315         https://bugs.webkit.org/show_bug.cgi?id=128307
1316
1317         Unreviewed typo fix after r179165.
1318
1319         * tests/mozilla/mozilla-tests.yaml:
1320
1321 2015-01-26  Csaba Osztrogonác  <ossy@webkit.org>
1322
1323         [Win] Enable JSC stress tests by default
1324         https://bugs.webkit.org/show_bug.cgi?id=128307
1325
1326         Reviewed by Brent Fulgham.
1327
1328         * tests/mozilla/mozilla-tests.yaml: Skipped on Windows.
1329         * tests/stress/ftl-arithcos.js: Skipped on Windows.
1330
1331 2015-01-26  Ryosuke Niwa  <rniwa@webkit.org>
1332
1333         Parse a function expression as a primary expression
1334         https://bugs.webkit.org/show_bug.cgi?id=140908
1335
1336         Reviewed by Mark Lam.
1337
1338         Moved the code to generate an AST node for a function expression from parseMemberExpression
1339         to parsePrimaryExpression to match the ES6 specification terminology:
1340         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-primary-expression
1341
1342         There should be no behavior change from this change since parsePrimaryExpression is only
1343         called in parseMemberExpression other than the fact that failIfStackOverflow() is called.
1344
1345         * parser/Parser.cpp:
1346         (JSC::Parser<LexerType>::parsePrimaryExpression):
1347         (JSC::Parser<LexerType>::parseMemberExpression):
1348
1349 2015-01-26  Myles C. Maxfield  <mmaxfield@apple.com>
1350
1351         [iOS] [SVG -> OTF Converter] Flip the switch off on iOS
1352         https://bugs.webkit.org/show_bug.cgi?id=140860
1353
1354         Reviewed by Darin Adler.
1355
1356         The fonts it makes are grotesque. (See what I did there? Typographic
1357         humor is the best humor.)
1358
1359         * Configurations/FeatureDefines.xcconfig:
1360
1361 2015-01-23  Joseph Pecoraro  <pecoraro@apple.com>
1362
1363         Web Inspector: Rename InjectedScriptHost::type to subtype
1364         https://bugs.webkit.org/show_bug.cgi?id=140841
1365
1366         Reviewed by Timothy Hatcher.
1367
1368         We were using this to set the subtype of an "object" type RemoteObject
1369         so we should clean up the name and call it subtype.
1370
1371         * inspector/InjectedScriptHost.h:
1372         * inspector/InjectedScriptSource.js:
1373         * inspector/JSInjectedScriptHost.cpp:
1374         (Inspector::JSInjectedScriptHost::subtype):
1375         (Inspector::JSInjectedScriptHost::type): Deleted.
1376         * inspector/JSInjectedScriptHost.h:
1377         * inspector/JSInjectedScriptHostPrototype.cpp:
1378         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
1379         (Inspector::jsInjectedScriptHostPrototypeFunctionSubtype):
1380         (Inspector::jsInjectedScriptHostPrototypeFunctionType): Deleted.
1381
1382 2015-01-23  Michael Saboff  <msaboff@apple.com>
1383
1384         LayoutTests/js/script-tests/reentrant-caching.js crashing on 32 bit builds
1385         https://bugs.webkit.org/show_bug.cgi?id=140843
1386
1387         Reviewed by Oliver Hunt.
1388
1389         When we are in vmEntryToJavaScript, we keep the stack pointer at an
1390         alignment suitable for pointing to a call frame header, which is the
1391         alignment post making a call.  We adjust the sp when calling to JS code,
1392         but don't adjust it before calling the out of stack handler.
1393
1394         * llint/LowLevelInterpreter32_64.asm:
1395         Moved stack pointer down 8 bytes to get it aligned.
1396
1397 2015-01-23  Joseph Pecoraro  <pecoraro@apple.com>
1398
1399         Web Inspector: Object Previews in the Console
1400         https://bugs.webkit.org/show_bug.cgi?id=129204
1401
1402         Reviewed by Timothy Hatcher.
1403
1404         Update the very old, unused object preview code. Part of this comes from
1405         the earlier WebKit legacy implementation, and the Blink implementation.
1406
1407         A RemoteObject may include a preview, if it is asked for, and if the
1408         RemoteObject is an object. Previews are a shallow (single level) list
1409         of a limited number of properties on the object. The previewed
1410         properties are always stringified (even if primitives). Previews are
1411         limited to just 5 properties or 100 indices. Previews are marked
1412         as lossless if they are a complete snapshot of the object.
1413
1414         There is a path to make previews two levels deep, that is currently
1415         unused but should soon be used for tables (e.g. IndexedDB).
1416
1417         * inspector/InjectedScriptSource.js:
1418         - Move some code off of InjectedScript to be generic functions
1419         usable by RemoteObject as well.
1420         - Update preview generation to use 
1421
1422         * inspector/protocol/Runtime.json:
1423         - Add a new type, "accessor" for preview objects. This represents
1424         a getter / setter. We currently don't get the value.
1425
1426 2015-01-23  Michael Saboff  <msaboff@apple.com>
1427
1428         Immediate crash when setting JS breakpoint
1429         https://bugs.webkit.org/show_bug.cgi?id=140811
1430
1431         Reviewed by Mark Lam.
1432
1433         When the DFG stack layout phase doesn't allocate a register for the scope register,
1434         it incorrectly sets the scope register in the code block to a bad value, one with
1435         an offset of 0.  Changed it so that we set the code block's scope register to the 
1436         invalid VirtualRegister instead.
1437
1438         No tests needed as adding the ASSERT in setScopeRegister() was used to find the bug.
1439         We crash with that ASSERT in testapi and likely many other tests as well.
1440
1441         * bytecode/CodeBlock.cpp:
1442         (JSC::CodeBlock::CodeBlock):
1443         * bytecode/CodeBlock.h:
1444         (JSC::CodeBlock::setScopeRegister):
1445         (JSC::CodeBlock::scopeRegister):
1446         Added ASSERTs to catch any future improper setting of the code block's scope register.
1447
1448         * dfg/DFGStackLayoutPhase.cpp:
1449         (JSC::DFG::StackLayoutPhase::run):
1450
1451 2015-01-22  Mark Hahnenberg  <mhahnenb@gmail.com>
1452
1453         EdenCollections unnecessarily visit SmallStrings
1454         https://bugs.webkit.org/show_bug.cgi?id=140762
1455
1456         Reviewed by Geoffrey Garen.
1457
1458         * heap/Heap.cpp:
1459         (JSC::Heap::copyBackingStores): Also added a GCPhase for copying
1460         backing stores, which is a significant portion of garbage collection.
1461         (JSC::Heap::visitSmallStrings): Check to see if we need to visit
1462         SmallStrings based on the collection type.
1463         * runtime/SmallStrings.cpp:
1464         (JSC::SmallStrings::SmallStrings):
1465         (JSC::SmallStrings::visitStrongReferences): Set the fact that we have
1466         visited the SmallStrings since the last modification.
1467         * runtime/SmallStrings.h:
1468         (JSC::SmallStrings::needsToBeVisited): If we're doing a
1469         FullCollection, we need to visit. Otherwise, it depends on whether
1470         we've been visited since the last modification/allocation.
1471
1472 2015-01-22  Ryosuke Niwa  <rniwa@webkit.org>
1473
1474         Add a build flag for ES6 class syntax
1475         https://bugs.webkit.org/show_bug.cgi?id=140760
1476
1477         Reviewed by Michael Saboff.
1478
1479         Added ES6_CLASS_SYNTAX build flag and used it in tokenizer to recognize
1480         "class", "extends", "static" and "super" keywords.
1481
1482         * Configurations/FeatureDefines.xcconfig:
1483         * parser/Keywords.table:
1484         * parser/ParserTokens.h:
1485
1486 2015-01-22  Commit Queue  <commit-queue@webkit.org>
1487
1488         Unreviewed, rolling out r178894.
1489         https://bugs.webkit.org/show_bug.cgi?id=140775
1490
1491         Broke JSC and bindings tests (Requested by ap_ on #webkit).
1492
1493         Reverted changeset:
1494
1495         "put_by_val_direct need to check the property is index or not
1496         for using putDirect / putDirectIndex"
1497         https://bugs.webkit.org/show_bug.cgi?id=140426
1498         http://trac.webkit.org/changeset/178894
1499
1500 2015-01-22  Mark Lam  <mark.lam@apple.com>
1501
1502         BytecodeGenerator::initializeCapturedVariable() sets a misleading value for the 5th operand of op_put_to_scope.
1503         <https://webkit.org/b/140743>
1504
1505         Reviewed by Oliver Hunt.
1506
1507         BytecodeGenerator::initializeCapturedVariable() was setting the 5th operand to
1508         op_put_to_scope to an inappropriate value (i.e. 0).  As a result, the execution
1509         of put_to_scope could store a wrong inferred value into the VariableWatchpointSet
1510         for whichever captured variable is at local index 0.  In practice, this turns
1511         out to be the local for the Arguments object.  In this reproduction case in the
1512         bug, the wrong inferred value written there is the boolean true.
1513
1514         Subsequently, DFG compilation occurs and CreateArguments is emitted to first do
1515         a check of the local for the Arguments object.  But because that local has a
1516         wrong inferred value, the check always discovers a non-null value and we never
1517         actually create the Arguments object.  Immediately after this, an OSR exit
1518         occurs leaving the Arguments object local uninitialized.  Later on at arguments
1519         tear off, we run into a boolean true where we had expected to find an Arguments
1520         object, which in turn, leads to the crash.
1521
1522         The fix is to:
1523         1. In the case where the resolveModeType is LocalClosureVar, change the
1524            5th operand of op_put_to_scope to be a boolean.  True means that the
1525            local var is watchable.  False means it is not watchable.  We no longer
1526            pass the local index (instead of true) and UINT_MAX (instead of false).
1527
1528            This allows us to express more clearly in the code what that value means,
1529            as well as remove the redundant way of getting the local's identifier.
1530            The identifier is always the one passed in the 2nd operand. 
1531
1532         2. Previously, though intuitively, we know that the watchable variable
1533            identifier should be the same as the one that is passed in operand 2, this
1534            relationship was not clear in the code.  By code analysis, I confirmed that 
1535            the callers of BytecodeGenerator::emitPutToScope() always use the same
1536            identifier for operand 2 and for filling out the ResolveScopeInfo from
1537            which we get the watchable variable identifier later.  I've changed the
1538            code to make this clear now by always using the identifier passed in
1539            operand 2.
1540
1541         3. In the case where the resolveModeType is LocalClosureVar,
1542            initializeCapturedVariable() and emitPutToScope() will now query
1543            hasWatchableVariable() to determine if the local is watchable or not.
1544            Accordingly, we pass the boolean result of hasWatchableVariable() as
1545            operand 5 of op_put_to_scope.
1546
1547         Also added some assertions.
1548
1549         * bytecode/CodeBlock.cpp:
1550         (JSC::CodeBlock::CodeBlock):
1551         * bytecompiler/BytecodeGenerator.cpp:
1552         (JSC::BytecodeGenerator::initializeCapturedVariable):
1553         (JSC::BytecodeGenerator::hasConstant):
1554         (JSC::BytecodeGenerator::emitPutToScope):
1555         * bytecompiler/BytecodeGenerator.h:
1556         (JSC::BytecodeGenerator::hasWatchableVariable):
1557         (JSC::BytecodeGenerator::watchableVariableIdentifier):
1558         (JSC::BytecodeGenerator::watchableVariable): Deleted.
1559
1560 2015-01-22  Ryosuke Niwa  <rniwa@webkit.org>
1561
1562         PropertyListNode::emitNode duplicates the code to put a constant property
1563         https://bugs.webkit.org/show_bug.cgi?id=140761
1564
1565         Reviewed by Geoffrey Garen.
1566
1567         Extracted PropertyListNode::emitPutConstantProperty to share the code.
1568
1569         Also made PropertyListNode::emitBytecode private since nobody is calling this function directly.
1570
1571         * bytecompiler/NodesCodegen.cpp:
1572         (JSC::PropertyListNode::emitBytecode):
1573         (JSC::PropertyListNode::emitPutConstantProperty): Added.
1574         * parser/Nodes.h:
1575
1576 2015-01-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1577
1578         put_by_val_direct need to check the property is index or not for using putDirect / putDirectIndex
1579         https://bugs.webkit.org/show_bug.cgi?id=140426
1580
1581         Reviewed by Geoffrey Garen.
1582
1583         In the put_by_val_direct operation, we use JSObject::putDirect.
1584         However, it only accepts non-index properties. For index properties, we need to use JSObject::putDirectIndex.
1585         This patch changes Identifier::asIndex() to return Optional<uint32_t>.
1586         It forces callers to check explicitly whether the value is an index or not.
1587         Additionally, it checks whether the toString-ed Identifier is an index or not to choose putDirect / putDirectIndex.
1588
1589         * bytecode/GetByIdStatus.cpp:
1590         (JSC::GetByIdStatus::computeFor):
1591         * bytecode/PutByIdStatus.cpp:
1592         (JSC::PutByIdStatus::computeFor):
1593         * bytecompiler/BytecodeGenerator.cpp:
1594         (JSC::BytecodeGenerator::emitDirectPutById):
1595         * dfg/DFGOperations.cpp:
1596         (JSC::DFG::operationPutByValInternal):
1597         * jit/JITOperations.cpp:
1598         * jit/Repatch.cpp:
1599         (JSC::emitPutTransitionStubAndGetOldStructure):
1600         * jsc.cpp:
1601         * llint/LLIntSlowPaths.cpp:
1602         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1603         * runtime/Arguments.cpp:
1604         (JSC::Arguments::getOwnPropertySlot):
1605         (JSC::Arguments::put):
1606         (JSC::Arguments::deleteProperty):
1607         (JSC::Arguments::defineOwnProperty):
1608         * runtime/ArrayPrototype.cpp:
1609         (JSC::arrayProtoFuncSort):
1610         * runtime/JSArray.cpp:
1611         (JSC::JSArray::defineOwnProperty):
1612         * runtime/JSCJSValue.cpp:
1613         (JSC::JSValue::putToPrimitive):
1614         * runtime/JSGenericTypedArrayViewInlines.h:
1615         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
1616         (JSC::JSGenericTypedArrayView<Adaptor>::put):
1617         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
1618         (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
1619         * runtime/JSObject.cpp:
1620         (JSC::JSObject::put):
1621         (JSC::JSObject::putDirectAccessor):
1622         (JSC::JSObject::putDirectCustomAccessor):
1623         (JSC::JSObject::deleteProperty):
1624         (JSC::JSObject::putDirectMayBeIndex):
1625         (JSC::JSObject::defineOwnProperty):
1626         * runtime/JSObject.h:
1627         (JSC::JSObject::getOwnPropertySlot):
1628         (JSC::JSObject::getPropertySlot):
1629         (JSC::JSObject::putDirectInternal):
1630         * runtime/JSString.cpp:
1631         (JSC::JSString::getStringPropertyDescriptor):
1632         * runtime/JSString.h:
1633         (JSC::JSString::getStringPropertySlot):
1634         * runtime/LiteralParser.cpp:
1635         (JSC::LiteralParser<CharType>::parse):
1636         * runtime/PropertyName.h:
1637         (JSC::toUInt32FromCharacters):
1638         (JSC::toUInt32FromStringImpl):
1639         (JSC::PropertyName::asIndex):
1640         * runtime/PropertyNameArray.cpp:
1641         (JSC::PropertyNameArray::add):
1642         * runtime/StringObject.cpp:
1643         (JSC::StringObject::deleteProperty):
1644         * runtime/Structure.cpp:
1645         (JSC::Structure::prototypeChainMayInterceptStoreTo):
1646
1647 2015-01-21  Ryosuke Niwa  <rniwa@webkit.org>
1648
1649         Consolidate out arguments of parseFunctionInfo into a struct
1650         https://bugs.webkit.org/show_bug.cgi?id=140754
1651
1652         Reviewed by Oliver Hunt.
1653
1654         Introduced ParserFunctionInfo for storing out arguments of parseFunctionInfo.
1655
1656         * JavaScriptCore.xcodeproj/project.pbxproj:
1657         * parser/ASTBuilder.h:
1658         (JSC::ASTBuilder::createFunctionExpr):
1659         (JSC::ASTBuilder::createGetterOrSetterProperty): This one takes a property name in addition to
1660         ParserFunctionInfo since the property name and the function name could differ.
1661         (JSC::ASTBuilder::createFuncDeclStatement):
1662         * parser/Parser.cpp:
1663         (JSC::Parser<LexerType>::parseFunctionInfo):
1664         (JSC::Parser<LexerType>::parseFunctionDeclaration):
1665         (JSC::Parser<LexerType>::parseProperty):
1666         (JSC::Parser<LexerType>::parseMemberExpression):
1667         * parser/Parser.h:
1668         * parser/ParserFunctionInfo.h: Added.
1669         * parser/SyntaxChecker.h:
1670         (JSC::SyntaxChecker::createFunctionExpr):
1671         (JSC::SyntaxChecker::createFuncDeclStatement):
1672         (JSC::SyntaxChecker::createClassDeclStatement):
1673         (JSC::SyntaxChecker::createGetterOrSetterProperty):
1674
1675 2015-01-21  Mark Hahnenberg  <mhahnenb@gmail.com>
1676
1677         Change Heap::m_compiledCode to use a Vector
1678         https://bugs.webkit.org/show_bug.cgi?id=140717
1679
1680         Reviewed by Andreas Kling.
1681
1682         Right now it's a DoublyLinkedList, which is iterated during each
1683         collection. This contributes to some of the longish Eden pause times.
1684         A Vector would be more appropriate and would also allow ExecutableBase
1685         to be 2 pointers smaller.
1686
1687         * heap/Heap.cpp:
1688         (JSC::Heap::deleteAllCompiledCode):
1689         (JSC::Heap::deleteAllUnlinkedFunctionCode):
1690         (JSC::Heap::clearUnmarkedExecutables):
1691         * heap/Heap.h:
1692         * runtime/Executable.h: No longer need to inherit from DoublyLinkedListNode.
1693
1694 2015-01-21  Ryosuke Niwa  <rniwa@webkit.org>
1695
1696         BytecodeGenerator shouldn't expose all of its member variables
1697         https://bugs.webkit.org/show_bug.cgi?id=140752
1698
1699         Reviewed by Mark Lam.
1700
1701         Added "private:" and removed unused data members as detected by clang.
1702
1703         * bytecompiler/BytecodeGenerator.cpp:
1704         (JSC::BytecodeGenerator::BytecodeGenerator):
1705         * bytecompiler/BytecodeGenerator.h:
1706         (JSC::BytecodeGenerator::lastOpcodeID): Added. Used in BinaryOpNode::emitBytecode.
1707         * bytecompiler/NodesCodegen.cpp:
1708         (JSC::BinaryOpNode::emitBytecode):
1709
1710 2015-01-21  Joseph Pecoraro  <pecoraro@apple.com>
1711
1712         Web Inspector: ASSERT expanding objects in console PrimitiveBindingTraits<T>::assertValueHasExpectedType
1713         https://bugs.webkit.org/show_bug.cgi?id=140746
1714
1715         Reviewed by Timothy Hatcher.
1716
1717         * inspector/InjectedScriptSource.js:
1718         Do not add impure properties to the descriptor object that will
1719         eventually be sent to the frontend.
1720
1721 2015-01-21  Matthew Mirman  <mmirman@apple.com>
1722
1723         Updated split such that it does not include the empty end of input string match.
1724         https://bugs.webkit.org/show_bug.cgi?id=138129
1725         <rdar://problem/18807403>
1726
1727         Reviewed by Filip Pizlo.
1728
1729         * runtime/StringPrototype.cpp:
1730         (JSC::stringProtoFuncSplit):
1731         * tests/stress/empty_eos_regex_split.js: Added.
1732
1733 2015-01-21  Michael Saboff  <msaboff@apple.com>
1734
1735         Eliminate Scope slot from JavaScript CallFrame
1736         https://bugs.webkit.org/show_bug.cgi?id=136724
1737
1738         Reviewed by Geoffrey Garen.
1739
1740         This finishes the removal of the scope chain slot from the call frame header.
1741
1742         * dfg/DFGOSRExitCompilerCommon.cpp:
1743         (JSC::DFG::reifyInlinedCallFrames):
1744         * dfg/DFGPreciseLocalClobberize.h:
1745         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1746         * dfg/DFGSpeculativeJIT32_64.cpp:
1747         (JSC::DFG::SpeculativeJIT::emitCall):
1748         * dfg/DFGSpeculativeJIT64.cpp:
1749         (JSC::DFG::SpeculativeJIT::emitCall):
1750         * ftl/FTLJSCall.cpp:
1751         (JSC::FTL::JSCall::emit):
1752         * ftl/FTLLowerDFGToLLVM.cpp:
1753         (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
1754         (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
1755         * interpreter/JSStack.h:
1756         * interpreter/VMInspector.cpp:
1757         (JSC::VMInspector::dumpFrame):
1758         * jit/JITCall.cpp:
1759         (JSC::JIT::compileOpCall):
1760         * jit/JITCall32_64.cpp:
1761         (JSC::JIT::compileOpCall):
1762         * jit/JITOpcodes32_64.cpp:
1763         (JSC::JIT::privateCompileCTINativeCall):
1764         * jit/Repatch.cpp:
1765         (JSC::generateByIdStub):
1766         (JSC::linkClosureCall):
1767         * jit/ThunkGenerators.cpp:
1768         (JSC::virtualForThunkGenerator):
1769         (JSC::nativeForGenerator):
1770         Deleted ScopeChain slot from JSStack.  Removed all code where ScopeChain was being
1771         read or set.  In most cases this was where we make JS calls.
1772
1773         * interpreter/CallFrameClosure.h:
1774         (JSC::CallFrameClosure::setArgument):
1775         (JSC::CallFrameClosure::resetCallFrame): Deleted.
1776         * interpreter/Interpreter.cpp:
1777         (JSC::Interpreter::execute):
1778         (JSC::Interpreter::executeCall):
1779         (JSC::Interpreter::executeConstruct):
1780         (JSC::Interpreter::prepareForRepeatCall):
1781         * interpreter/ProtoCallFrame.cpp:
1782         (JSC::ProtoCallFrame::init):
1783         * interpreter/ProtoCallFrame.h:
1784         (JSC::ProtoCallFrame::scope): Deleted.
1785         (JSC::ProtoCallFrame::setScope): Deleted.
1786         * llint/LLIntData.cpp:
1787         (JSC::LLInt::Data::performAssertions):
1788         * llint/LowLevelInterpreter.asm:
1789         * llint/LowLevelInterpreter64.asm:
1790         Removed the related scopeChainValue member from ProtoCallFrame.  Reduced the number of
1791         registers that needed to be copied from the ProtoCallFrame to a callee's frame
1792         from 5 to 4.
1793
1794         * llint/LowLevelInterpreter32_64.asm:
1795         In addition to the prior changes, also deleted the unused macro getDeBruijnScope.
1796
1797 2015-01-21  Michael Saboff  <msaboff@apple.com>
1798
1799         Eliminate construct methods from NullGetterFunction and NullSetterFunction classes
1800         https://bugs.webkit.org/show_bug.cgi?id=140708
1801
1802         Reviewed by Mark Lam.
1803
1804         Eliminated construct methods and changed getConstructData() for both classes to return
1805         ConstructTypeNone as they can never be called.
1806
1807         * runtime/NullGetterFunction.cpp:
1808         (JSC::NullGetterFunction::getConstructData):
1809         (JSC::constructReturnUndefined): Deleted.
1810         * runtime/NullSetterFunction.cpp:
1811         (JSC::NullSetterFunction::getConstructData):
1812         (JSC::constructReturnUndefined): Deleted.
1813
1814 2015-01-21  Csaba Osztrogonác  <ossy@webkit.org>
1815
1816         Remove ENABLE(INSPECTOR) ifdef guards
1817         https://bugs.webkit.org/show_bug.cgi?id=140668
1818
1819         Reviewed by Darin Adler.
1820
1821         * Configurations/FeatureDefines.xcconfig:
1822         * bindings/ScriptValue.cpp:
1823         (Deprecated::ScriptValue::toInspectorValue):
1824         * bindings/ScriptValue.h:
1825         * inspector/ConsoleMessage.cpp:
1826         * inspector/ConsoleMessage.h:
1827         * inspector/ContentSearchUtilities.cpp:
1828         * inspector/ContentSearchUtilities.h:
1829         * inspector/IdentifiersFactory.cpp:
1830         * inspector/IdentifiersFactory.h:
1831         * inspector/InjectedScript.cpp:
1832         * inspector/InjectedScript.h:
1833         * inspector/InjectedScriptBase.cpp:
1834         * inspector/InjectedScriptBase.h:
1835         * inspector/InjectedScriptHost.cpp:
1836         * inspector/InjectedScriptHost.h:
1837         * inspector/InjectedScriptManager.cpp:
1838         * inspector/InjectedScriptManager.h:
1839         * inspector/InjectedScriptModule.cpp:
1840         * inspector/InjectedScriptModule.h:
1841         * inspector/InspectorAgentRegistry.cpp:
1842         * inspector/InspectorBackendDispatcher.cpp:
1843         * inspector/InspectorBackendDispatcher.h:
1844         * inspector/InspectorProtocolTypes.h:
1845         * inspector/JSGlobalObjectConsoleClient.cpp:
1846         * inspector/JSGlobalObjectInspectorController.cpp:
1847         * inspector/JSGlobalObjectInspectorController.h:
1848         * inspector/JSGlobalObjectScriptDebugServer.cpp:
1849         * inspector/JSGlobalObjectScriptDebugServer.h:
1850         * inspector/JSInjectedScriptHost.cpp:
1851         * inspector/JSInjectedScriptHost.h:
1852         * inspector/JSInjectedScriptHostPrototype.cpp:
1853         * inspector/JSInjectedScriptHostPrototype.h:
1854         * inspector/JSJavaScriptCallFrame.cpp:
1855         * inspector/JSJavaScriptCallFrame.h:
1856         * inspector/JSJavaScriptCallFramePrototype.cpp:
1857         * inspector/JSJavaScriptCallFramePrototype.h:
1858         * inspector/JavaScriptCallFrame.cpp:
1859         * inspector/JavaScriptCallFrame.h:
1860         * inspector/ScriptCallFrame.cpp:
1861         (Inspector::ScriptCallFrame::buildInspectorObject):
1862         * inspector/ScriptCallFrame.h:
1863         * inspector/ScriptCallStack.cpp:
1864         (Inspector::ScriptCallStack::buildInspectorArray):
1865         * inspector/ScriptCallStack.h:
1866         * inspector/ScriptDebugServer.cpp:
1867         * inspector/agents/InspectorAgent.cpp:
1868         * inspector/agents/InspectorAgent.h:
1869         * inspector/agents/InspectorConsoleAgent.cpp:
1870         * inspector/agents/InspectorConsoleAgent.h:
1871         * inspector/agents/InspectorDebuggerAgent.cpp:
1872         * inspector/agents/InspectorDebuggerAgent.h:
1873         * inspector/agents/InspectorRuntimeAgent.cpp:
1874         * inspector/agents/InspectorRuntimeAgent.h:
1875         * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
1876         * inspector/agents/JSGlobalObjectConsoleAgent.h:
1877         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
1878         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
1879         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
1880         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
1881         * inspector/scripts/codegen/cpp_generator_templates.py:
1882         (CppGeneratorTemplates):
1883         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1884         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1885         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1886         * inspector/scripts/tests/expected/enum-values.json-result:
1887         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1888         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1889         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1890         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1891         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1892         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1893         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1894         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1895         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1896         * runtime/TypeSet.cpp:
1897         (JSC::TypeSet::inspectorTypeSet):
1898         (JSC::StructureShape::inspectorRepresentation):
1899
1900 2015-01-20  Joseph Pecoraro  <pecoraro@apple.com>
1901
1902         Web Inspector: Clean up InjectedScriptSource.js
1903         https://bugs.webkit.org/show_bug.cgi?id=140709
1904
1905         Reviewed by Timothy Hatcher.
1906
1907         This patch includes some relevant Blink patches and small changes.
1908         
1909         Patch by <aandrey@chromium.org>
1910         DevTools: Remove console last result $_ on console clear.
1911         https://src.chromium.org/viewvc/blink?revision=179179&view=revision
1912
1913         Patch by <eustas@chromium.org>
1914         [Inspect DOM properties] incorrect CSS Selector Syntax
1915         https://src.chromium.org/viewvc/blink?revision=156903&view=revision
1916
1917         * inspector/InjectedScriptSource.js:
1918
1919 2015-01-20  Joseph Pecoraro  <pecoraro@apple.com>
1920
1921         Web Inspector: Cleanup RuntimeAgent a bit
1922         https://bugs.webkit.org/show_bug.cgi?id=140706
1923
1924         Reviewed by Timothy Hatcher.
1925
1926         * inspector/InjectedScript.h:
1927         * inspector/InspectorBackendDispatcher.h:
1928         * inspector/ScriptCallFrame.cpp:
1929         * inspector/agents/InspectorRuntimeAgent.cpp:
1930         (Inspector::InspectorRuntimeAgent::evaluate):
1931         (Inspector::InspectorRuntimeAgent::getProperties):
1932         (Inspector::InspectorRuntimeAgent::run):
1933         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1934         (Inspector::recompileAllJSFunctionsForTypeProfiling):
1935         (Inspector::InspectorRuntimeAgent::setTypeProfilerEnabledState):
1936
1937 2015-01-20  Matthew Mirman  <mmirman@apple.com>
1938
1939         Made Identity in the DFG allocate a new temp register and move 
1940         the old data to it.
1941         https://bugs.webkit.org/show_bug.cgi?id=140700
1942         <rdar://problem/19339106>
1943
1944         Reviewed by Filip Pizlo.
1945
1946         * dfg/DFGSpeculativeJIT64.cpp:
1947         (JSC::DFG::SpeculativeJIT::compile): 
1948         Added scratch registers for Identity. 
1949         * tests/mozilla/mozilla-tests.yaml: enabled previously failing test
1950
1951 2015-01-20  Joseph Pecoraro  <pecoraro@apple.com>
1952
1953         Web Inspector: Expanding event objects in console shows undefined for most values, it should have real values
1954         https://bugs.webkit.org/show_bug.cgi?id=137306
1955
1956         Reviewed by Timothy Hatcher.
1957
1958         Provide another optional parameter to getProperties, to gather a list
1959         of all own and getter properties.
1960
1961         * inspector/InjectedScript.cpp:
1962         (Inspector::InjectedScript::getProperties):
1963         * inspector/InjectedScript.h:
1964         * inspector/InjectedScriptSource.js:
1965         * inspector/agents/InspectorRuntimeAgent.cpp:
1966         (Inspector::InspectorRuntimeAgent::getProperties):
1967         * inspector/agents/InspectorRuntimeAgent.h:
1968         * inspector/protocol/Runtime.json:
1969
1970 2015-01-20  Joseph Pecoraro  <pecoraro@apple.com>
1971
1972         Web Inspector: Should show dynamic specificity values
1973         https://bugs.webkit.org/show_bug.cgi?id=140647
1974
1975         Reviewed by Benjamin Poulain.
1976
1977         * inspector/protocol/CSS.json:
1978         Clarify CSSSelector optional values and add "dynamic" property indicating
1979         if the selector can be dynamic based on the element it is matched against.
1980
1981 2015-01-20  Commit Queue  <commit-queue@webkit.org>
1982
1983         Unreviewed, rolling out r178751.
1984         https://bugs.webkit.org/show_bug.cgi?id=140694
1985
1986         Caused 32-bit JSC test failures (Requested by JoePeck on
1987         #webkit).
1988
1989         Reverted changeset:
1990
1991         "put_by_val_direct need to check the property is index or not
1992         for using putDirect / putDirectIndex"
1993         https://bugs.webkit.org/show_bug.cgi?id=140426
1994         http://trac.webkit.org/changeset/178751
1995
1996 2015-01-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1997
1998         put_by_val_direct need to check the property is index or not for using putDirect / putDirectIndex
1999         https://bugs.webkit.org/show_bug.cgi?id=140426
2000
2001         Reviewed by Geoffrey Garen.
2002
2003         In the put_by_val_direct operation, we use JSObject::putDirect.
2004         However, it only accepts non-index properties. For index properties, we need to use JSObject::putDirectIndex.
2005         This patch changes Identifier::asIndex() to return Optional<uint32_t>.
2006         It forces callers to check explicitly whether the value is an index or not.
2007         Additionally, it checks whether the toString-ed Identifier is an index or not to choose putDirect / putDirectIndex.
2008
2009         * bytecode/GetByIdStatus.cpp:
2010         (JSC::GetByIdStatus::computeFor):
2011         * bytecode/PutByIdStatus.cpp:
2012         (JSC::PutByIdStatus::computeFor):
2013         * bytecompiler/BytecodeGenerator.cpp:
2014         (JSC::BytecodeGenerator::emitDirectPutById):
2015         * dfg/DFGOperations.cpp:
2016         (JSC::DFG::operationPutByValInternal):
2017         * jit/JITOperations.cpp:
2018         * jit/Repatch.cpp:
2019         (JSC::emitPutTransitionStubAndGetOldStructure):
2020         * jsc.cpp:
2021         * llint/LLIntSlowPaths.cpp:
2022         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2023         * runtime/Arguments.cpp:
2024         (JSC::Arguments::getOwnPropertySlot):
2025         (JSC::Arguments::put):
2026         (JSC::Arguments::deleteProperty):
2027         (JSC::Arguments::defineOwnProperty):
2028         * runtime/ArrayPrototype.cpp:
2029         (JSC::arrayProtoFuncSort):
2030         * runtime/JSArray.cpp:
2031         (JSC::JSArray::defineOwnProperty):
2032         * runtime/JSCJSValue.cpp:
2033         (JSC::JSValue::putToPrimitive):
2034         * runtime/JSGenericTypedArrayViewInlines.h:
2035         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
2036         (JSC::JSGenericTypedArrayView<Adaptor>::put):
2037         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
2038         (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
2039         * runtime/JSObject.cpp:
2040         (JSC::JSObject::put):
2041         (JSC::JSObject::putDirectAccessor):
2042         (JSC::JSObject::putDirectCustomAccessor):
2043         (JSC::JSObject::deleteProperty):
2044         (JSC::JSObject::putDirectMayBeIndex):
2045         (JSC::JSObject::defineOwnProperty):
2046         * runtime/JSObject.h:
2047         (JSC::JSObject::getOwnPropertySlot):
2048         (JSC::JSObject::getPropertySlot):
2049         (JSC::JSObject::putDirectInternal):
2050         * runtime/JSString.cpp:
2051         (JSC::JSString::getStringPropertyDescriptor):
2052         * runtime/JSString.h:
2053         (JSC::JSString::getStringPropertySlot):
2054         * runtime/LiteralParser.cpp:
2055         (JSC::LiteralParser<CharType>::parse):
2056         * runtime/PropertyName.h:
2057         (JSC::toUInt32FromCharacters):
2058         (JSC::toUInt32FromStringImpl):
2059         (JSC::PropertyName::asIndex):
2060         * runtime/PropertyNameArray.cpp:
2061         (JSC::PropertyNameArray::add):
2062         * runtime/StringObject.cpp:
2063         (JSC::StringObject::deleteProperty):
2064         * runtime/Structure.cpp:
2065         (JSC::Structure::prototypeChainMayInterceptStoreTo):
2066
2067 2015-01-20  Michael Saboff  <msaboff@apple.com>
2068
2069         REGRESSION(178696): Sporadic crashes while garbage collecting
2070         https://bugs.webkit.org/show_bug.cgi?id=140688
2071
2072         Reviewed by Geoffrey Garen.
2073
2074         Added missing visitor.append(&thisObject->m_nullSetterFunction).
2075
2076         * runtime/JSGlobalObject.cpp:
2077         (JSC::JSGlobalObject::visitChildren):
2078
2079 2015-01-19  Brian J. Burg  <burg@cs.washington.edu>
2080
2081         Web Replay: code generator should take supplemental specifications and allow cross-framework references
2082         https://bugs.webkit.org/show_bug.cgi?id=136312
2083
2084         Reviewed by Joseph Pecoraro.
2085
2086         Some types are shared between replay inputs from different frameworks.
2087         Previously, these type declarations were duplicated in every input
2088         specification file in which they were used. This caused some type encoding
2089         traits to be emitted twice if used from WebCore inputs and WebKit2 inputs.
2090
2091         This patch teaches the replay inputs code generator to accept multiple
2092         input specification files. Inputs can freely reference types from other
2093         frameworks without duplicating declarations.
2094
2095         On the code generation side, the model could contain types and inputs from
2096         frameworks that are not the target framework. Only generate code for the
2097         target framework.
2098
2099         To properly generate cross-framework type encoding traits, use
2100         Type.encoding_type_argument in more places, and add the export macro for WebCore
2101         and the Test framework.
2102
2103         Adjust some tests so that enum coverage is preserved by moving the enum types
2104         into "Test" (the target framework for tests).
2105
2106         * JavaScriptCore.vcxproj/copy-files.cmd:
2107         For Windows, copy over JSInputs.json as if it were a private header.
2108
2109         * JavaScriptCore.xcodeproj/project.pbxproj: Make JSInputs.json a private header.
2110         * replay/JSInputs.json:
2111         Put all primitive types and WTF types in this specification file.
2112
2113         * replay/scripts/CodeGeneratorReplayInputs.py:
2114         (Input.__init__):
2115         (InputsModel.__init__): Keep track of the input's framework.
2116         (InputsModel.parse_specification): Parse the framework here. Adjust to new format,
2117         and allow either types or inputs to be missing from a single file.
2118
2119         (InputsModel.parse_type_with_framework):
2120         (InputsModel.parse_input_with_framework):
2121         (Generator.should_generate_item): Added helper method.
2122         (Generator.generate_header): Filter inputs to generate.
2123         (Generator.generate_implementation): Filter inputs to generate.
2124         (Generator.generate_enum_trait_declaration): Filter enums to generate.
2125         Add WEBCORE_EXPORT macro to enum encoding traits.
2126
2127         (Generator.generate_for_each_macro): Filter inputs to generate.
2128         (Generator.generate_enum_trait_implementation): Filter enums to generate.
2129         (generate_from_specifications): Added.
2130         (generate_from_specifications.parse_json_from_file):
2131         (InputsModel.parse_toplevel): Deleted.
2132         (InputsModel.parse_type_with_framework_name): Deleted.
2133         (InputsModel.parse_input): Deleted.
2134         (generate_from_specification): Deleted.
2135         * replay/scripts/CodeGeneratorReplayInputsTemplates.py:
2136         * replay/scripts/tests/expected/fail-on-no-inputs.json-error: Removed.
2137         * replay/scripts/tests/expected/fail-on-no-types.json-error: Removed.
2138         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp:
2139         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h:
2140         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp:
2141         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h:
2142         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp:
2143         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h:
2144         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp:
2145         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h:
2146         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h:
2147         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h:
2148         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h:
2149         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h:
2150         * replay/scripts/tests/fail-on-c-style-enum-no-storage.json:
2151         * replay/scripts/tests/fail-on-duplicate-enum-type.json:
2152         * replay/scripts/tests/fail-on-duplicate-input-names.json:
2153         * replay/scripts/tests/fail-on-duplicate-type-names.json:
2154         * replay/scripts/tests/fail-on-enum-type-missing-values.json:
2155         * replay/scripts/tests/fail-on-missing-input-member-name.json:
2156         * replay/scripts/tests/fail-on-missing-input-name.json:
2157         * replay/scripts/tests/fail-on-missing-input-queue.json:
2158         * replay/scripts/tests/fail-on-missing-type-mode.json:
2159         * replay/scripts/tests/fail-on-missing-type-name.json:
2160         * replay/scripts/tests/fail-on-no-inputs.json:
2161         Removed, no longer required to be in a single file.
2162
2163         * replay/scripts/tests/fail-on-no-types.json:
2164         Removed, no longer required to be in a single file.
2165
2166         * replay/scripts/tests/fail-on-unknown-input-queue.json:
2167         * replay/scripts/tests/fail-on-unknown-member-type.json:
2168         * replay/scripts/tests/fail-on-unknown-type-mode.json:
2169         * replay/scripts/tests/generate-enum-encoding-helpers-with-guarded-values.json:
2170         * replay/scripts/tests/generate-enum-encoding-helpers.json:
2171         * replay/scripts/tests/generate-enum-with-guard.json:
2172         Include enums that are and are not generated.
2173
2174         * replay/scripts/tests/generate-enums-with-same-base-name.json:
2175         * replay/scripts/tests/generate-event-loop-shape-types.json:
2176         * replay/scripts/tests/generate-input-with-guard.json:
2177         * replay/scripts/tests/generate-input-with-vector-members.json:
2178         * replay/scripts/tests/generate-inputs-with-flags.json:
2179         * replay/scripts/tests/generate-memoized-type-modes.json:
2180
2181 2015-01-20  Tomas Popela  <tpopela@redhat.com>
2182
2183         [GTK] Cannot compile 2.7.3 on PowerPC machines
2184         https://bugs.webkit.org/show_bug.cgi?id=140616
2185
2186         Include climits for INT_MAX and wtf/DataLog.h for dataLogF
2187
2188         Reviewed by Csaba Osztrogonác.
2189
2190         * runtime/BasicBlockLocation.cpp:
2191
2192 2015-01-19  Michael Saboff  <msaboff@apple.com>
2193
2194         A "cached" null setter should throw a TypeException when called in strict mode and doesn't
2195         https://bugs.webkit.org/show_bug.cgi?id=139418
2196
2197         Reviewed by Filip Pizlo.
2198
2199         Made a new NullSetterFunction class similar to NullGetterFunction.  The difference is that 
2200         NullSetterFunction will throw a TypeError per the ECMA262 spec for a strict mode caller.
2201
2202         * CMakeLists.txt:
2203         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2204         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2205         * JavaScriptCore.xcodeproj/project.pbxproj:
2206         Added new files NullSetterFunction.cpp and NullSetterFunction.h.
2207
2208         * runtime/GetterSetter.h:
2209         (JSC::GetterSetter::GetterSetter):
2210         (JSC::GetterSetter::isSetterNull):
2211         (JSC::GetterSetter::setSetter):
2212         Change setter instances from using NullGetterFunction to using NullSetterFunction.
2213
2214         * runtime/JSGlobalObject.cpp:
2215         (JSC::JSGlobalObject::init):
2216         * runtime/JSGlobalObject.h:
2217         (JSC::JSGlobalObject::nullSetterFunction):
2218         Added m_nullSetterFunction and accessor.
2219
2220         * runtime/NullSetterFunction.cpp: Added.
2221         (JSC::GetCallerStrictnessFunctor::GetCallerStrictnessFunctor):
2222         (JSC::GetCallerStrictnessFunctor::operator()):
2223         (JSC::GetCallerStrictnessFunctor::callerIsStrict):
2224         (JSC::callerIsStrict):
2225         Method to determine if the caller is in strict mode.
2226
2227         (JSC::callReturnUndefined):
2228         (JSC::constructReturnUndefined):
2229         (JSC::NullSetterFunction::getCallData):
2230         (JSC::NullSetterFunction::getConstructData):
2231         * runtime/NullSetterFunction.h: Added.
2232         (JSC::NullSetterFunction::create):
2233         (JSC::NullSetterFunction::createStructure):
2234         (JSC::NullSetterFunction::NullSetterFunction):
2235         Class with handlers for a null setter.
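
The strict-mode behaviour this entry implements can be observed from plain JavaScript. The block below is an added example written for this note; it is not code from the ChangeLog entry, from NullSetterFunction.cpp, or from any JSC test. The helper names (makeGetterOnly, countStrictTypeErrors, sloppyValueAfterWrites) are constructed for the example. A property is defined with a getter but no setter, so its setter slot is null; per ECMA-262 [[Set]], a sloppy-mode write to it is silently dropped while a strict-mode write must throw a TypeError. Each writer loops many times so that, in an engine with inline caches, the later (cached) writes are checked to behave exactly like the first one, which is the case the entry is about.

```javascript
// Added example; not code from the WebKit ChangeLog entry or from JSC itself.
// Writes to an accessor property that has a getter but no setter, once from
// strict code and once from sloppy code, repeated enough times to exercise a
// cached property-access path.

function makeGetterOnly() {
  const obj = {};
  Object.defineProperty(obj, 'readOnly', {
    get() { return 42; },
    // No "set" member: the property's setter is null.
    configurable: true,
  });
  return obj;
}

// Strict-mode writer. The directive is inside the function so the function
// is strict regardless of how the surrounding file is loaded.
// Returns the number of writes (out of n) that threw a TypeError.
function countStrictTypeErrors(n) {
  'use strict';
  const obj = makeGetterOnly();
  let thrown = 0;
  for (let i = 0; i < n; i++) {
    try {
      obj.readOnly = i;
    } catch (e) {
      if (e instanceof TypeError) thrown += 1;
    }
  }
  return thrown;
}

// Sloppy-mode writer. Functions built with the Function constructor take
// their strictness from their own body, never from the caller, so this one
// stays sloppy even inside a strict script or an ES module.
const sloppyWriteLoop = new Function('obj', 'n',
  'for (var i = 0; i < n; i++) { obj.readOnly = i; } ' +
  'return obj.readOnly;');

// Returns the getter's value after n silently ignored writes (still 42).
function sloppyValueAfterWrites(n) {
  return sloppyWriteLoop(makeGetterOnly(), n);
}
```

Every strict-mode write throws (countStrictTypeErrors(1000) returns 1000) and every sloppy-mode write is ignored (sloppyValueAfterWrites(1000) returns 42); an engine whose cached null-setter path skipped the strictness check would report fewer TypeErrors than writes.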
2236
2237 2015-01-19  Saam Barati  <saambarati1@gmail.com>
2238
2239         Web Inspector: Provide a front end for JSC's Control Flow Profiler
2240         https://bugs.webkit.org/show_bug.cgi?id=138454
2241
2242         Reviewed by Timothy Hatcher.
2243
2244         This patch puts the final touches on what JSC needs to provide
2245         for the Web Inspector to show a UI for the control flow profiler.
2246
2247         * inspector/agents/InspectorRuntimeAgent.cpp:
2248         (Inspector::recompileAllJSFunctionsForTypeProfiling):
2249         * runtime/ControlFlowProfiler.cpp:
2250         (JSC::ControlFlowProfiler::getBasicBlocksForSourceID):
2251         * runtime/FunctionHasExecutedCache.cpp:
2252         (JSC::FunctionHasExecutedCache::getFunctionRanges):
2253         (JSC::FunctionHasExecutedCache::getUnexecutedFunctionRanges): Deleted.
2254         * runtime/FunctionHasExecutedCache.h:
2255
2256 2015-01-19  David Kilzer  <ddkilzer@apple.com>
2257
2258         [iOS] Only use LLVM static library arguments on 64-bit builds of libllvmForJSC.dylib
2259         <http://webkit.org/b/140658>
2260
2261         Reviewed by Filip Pizlo.
2262
2263         * Configurations/LLVMForJSC.xcconfig: Set OTHER_LDFLAGS_LLVM
2264         only when building for 64-bit architectures.
2265
2266 2015-01-19  Filip Pizlo  <fpizlo@apple.com>
2267
2268         ClosureCallStubRoutine no longer needs codeOrigin
2269         https://bugs.webkit.org/show_bug.cgi?id=140659
2270
2271         Reviewed by Michael Saboff.
2272         
2273         Once upon a time, we would look for the CodeOrigin associated with a return PC. This search
2274         would start with the CodeBlock according to the caller frame's call frame header. But if the
2275         call was a closure call, the return PC would be inside some closure call stub. So if the
2276         CodeBlock search failed, we would search *all* closure call stub routines to see which one
2277         encompasses the return PC. Then, we would use the CodeOrigin stored in the stub routine
2278         object. This was all a bunch of madness, and we actually got rid of it - we now determine
2279         the CodeOrigin for a call frame using the encoded code origin bits inside the tag of the
2280         argument count.
2281         
2282         This patch removes the final vestiges of the madness:
2283         
2284         - Remove the totally unused method declaration for the thing that did the closure call stub
2285           search.
2286         
2287         - Remove the CodeOrigin field from the ClosureCallStubRoutine. Except for that crazy search
2288           that we no longer do, everyone else who finds a ClosureCallStubRoutine will find it via
2289           the CallLinkInfo. The CallLinkInfo also has the CodeOrigin, so we don't need this field
2290           anymore.
2291
2292         * bytecode/CodeBlock.h:
2293         * jit/ClosureCallStubRoutine.cpp:
2294         (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
2295         * jit/ClosureCallStubRoutine.h:
2296         (JSC::ClosureCallStubRoutine::executable):
2297         (JSC::ClosureCallStubRoutine::codeOrigin): Deleted.
2298         * jit/Repatch.cpp:
2299         (JSC::linkClosureCall):
2300
2301 2015-01-19  Saam Barati  <saambarati1@gmail.com>
2302
2303         Basic block start offsets should never be larger than end offsets in the control flow profiler
2304         https://bugs.webkit.org/show_bug.cgi?id=140377
2305
2306         Reviewed by Filip Pizlo.
2307
2308         The bytecode generator will emit code more than once for some AST nodes. For instance, 
2309         the finally block of TryNode will emit two code paths for its finally block: one for 
2310         the normal path, and another for the path where an exception is thrown in the catch block. 
2311         
2312         This repeated code emission of the same AST node previously broke how the control 
2313         flow profiler computed text ranges of basic blocks because when the same AST node 
2314         is emitted multiple times, there is a good chance that there are ranges that span 
2315         from the end offset of one of these duplicated nodes back to the start offset of 
2316         the same duplicated node. This caused a basic block range to report a larger start 
2317         offset than end offset. This was incorrect. Now, when this situation is encountered 
2318         while linking a CodeBlock, the faulty range in question is ignored.
2319
2320         * bytecode/CodeBlock.cpp:
2321         (JSC::CodeBlock::CodeBlock):
2322         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
2323         * bytecode/CodeBlock.h:
2324         * bytecompiler/NodesCodegen.cpp:
2325         (JSC::ForInNode::emitMultiLoopBytecode):
2326         (JSC::ForOfNode::emitBytecode):
2327         (JSC::TryNode::emitBytecode):
2328         * parser/Parser.cpp:
2329         (JSC::Parser<LexerType>::parseConditionalExpression):
2330         * runtime/ControlFlowProfiler.cpp:
2331         (JSC::ControlFlowProfiler::ControlFlowProfiler):
2332         * runtime/ControlFlowProfiler.h:
2333         (JSC::ControlFlowProfiler::dummyBasicBlock):
2334
2335 2015-01-19  Myles C. Maxfield  <mmaxfield@apple.com>
2336
2337         [SVG -> OTF Converter] Flip the switch on
2338         https://bugs.webkit.org/show_bug.cgi?id=140592
2339
2340         Reviewed by Antti Koivisto.
2341
2342         * Configurations/FeatureDefines.xcconfig:
2343
2344 2015-01-19  Brian J. Burg  <burg@cs.washington.edu>
2345
2346         Web Replay: convert to is<T> and downcast<T> for decoding replay inputs
2347         https://bugs.webkit.org/show_bug.cgi?id=140512
2348
2349         Reviewed by Chris Dumez.
2350
2351         Generate a SPECIALIZE_TYPE_TRAITS_* chunk of code for each input. This cannot
2352         be done using REPLAY_INPUT_NAMES_FOR_EACH macro since that doesn't fully qualify
2353         input types, and the type traits macro is defined in namespace WTF.
2354
2355         * replay/NondeterministicInput.h: Make overridden methods public.
2356         * replay/scripts/CodeGeneratorReplayInputs.py:
2357         (Generator.generate_header):
2358         (Generator.qualified_input_name): Allow forcing qualification. WTF is never a target framework.
2359         (Generator.generate_input_type_trait_declaration): Added.
2360         * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Add a template.
2361         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h:
2362         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h:
2363         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h:
2364         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h:
2365         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h:
2366         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h:
2367         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h:
2368         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h:
2369
2370 2015-01-19  Commit Queue  <commit-queue@webkit.org>
2371
2372         Unreviewed, rolling out r178653.
2373         https://bugs.webkit.org/show_bug.cgi?id=140634
2374
2375         Broke multiple SVG tests on Mountain Lion (Requested by ap on
2376         #webkit).
2377
2378         Reverted changeset:
2379
2380         "[SVG -> OTF Converter] Flip the switch on"
2381         https://bugs.webkit.org/show_bug.cgi?id=140592
2382         http://trac.webkit.org/changeset/178653
2383
2384 2015-01-18  Dean Jackson  <dino@apple.com>
2385
2386         ES6: Support Array.of construction
2387         https://bugs.webkit.org/show_bug.cgi?id=140605
2388         <rdar://problem/19513655>
2389
2390         Reviewed by Geoffrey Garen.
2391
2392         Add an implementation of Array.of, described in 22.1.2.3 of the ES6
2393         specification (15 Jan 2015). The Array.of() method creates a new Array
2394         instance with a variable number of arguments, regardless of number or type
2395         of the arguments.
2396
2397         * runtime/ArrayConstructor.cpp:
2398         (JSC::arrayConstructorOf): Create a new empty Array, then iterate
2399         over the arguments, setting them to the appropriate index.
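
As an added example (JavaScript written for this note, not JSC's C++ arrayConstructorOf), the following follows the ES6 22.1.2.3 steps the entry refers to: create the result, define each argument at its index, then set length. It goes slightly beyond the entry by also using the receiver as the constructor, which is what the spec prescribes and what lets Array.of work for subclasses. The names arrayOf, lengthsForSingleNumber, Bag and bagOf are constructed for the example, and typeof === 'function' stands in for the spec's IsConstructor check.

```javascript
// Added example; not JSC's implementation. A JavaScript rendering of the
// ES6 22.1.2.3 Array.of algorithm, for comparison with the native version.

function arrayOf(...items) {
  const len = items.length;
  const C = this;
  // Step 4: if the receiver is a constructor, build the result via it so a
  // subclass (or any constructor taking a length) gets an instance of itself;
  // otherwise fall back to an ordinary Array of the right length.
  const A = (typeof C === 'function') ? new C(len) : new Array(len);
  // Step 7: CreateDataPropertyOrThrow(A, ToString(k), items[k]) for each k.
  for (let k = 0; k < len; k++) {
    Object.defineProperty(A, String(k), {
      value: items[k], writable: true, enumerable: true, configurable: true,
    });
  }
  // Step 8: Set(A, "length", len, true).
  A.length = len;
  return A;
}

// The motivating difference from the Array constructor: Array(7) is a sparse
// array of length 7, whereas Array.of(7) is the one-element array [7].
function lengthsForSingleNumber(n) {
  return {
    viaConstructor: Array(n).length,
    viaArrayOf: arrayOf(n).length,
    viaNativeArrayOf: Array.of(n).length,
  };
}

// Constructed example type: any constructor that accepts a length can be the
// receiver, and the result is then an instance of that type.
function Bag(capacity) {
  this.capacity = capacity;
}

function bagOf(...items) {
  return arrayOf.apply(Bag, items);
}
```

lengthsForSingleNumber(7) returns viaConstructor 7 but viaArrayOf and viaNativeArrayOf 1, and bagOf('a', 'b') yields a Bag with length 2 and capacity 2.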
2400
2401 2015-01-19  Myles C. Maxfield  <mmaxfield@apple.com>
2402
2403         [SVG -> OTF Converter] Flip the switch on
2404         https://bugs.webkit.org/show_bug.cgi?id=140592
2405
2406         Reviewed by Antti Koivisto.
2407
2408         * Configurations/FeatureDefines.xcconfig:
2409
2410 2015-01-17  Brian J. Burg  <burg@cs.washington.edu>
2411
2412         Web Inspector: highlight data for overlay should use protocol type builders
2413         https://bugs.webkit.org/show_bug.cgi?id=129441
2414
2415         Reviewed by Timothy Hatcher.
2416
2417         Add a new domain for overlay types.
2418
2419         * CMakeLists.txt:
2420         * DerivedSources.make:
2421         * inspector/protocol/OverlayTypes.json: Added.
2422
2423 2015-01-17  Michael Saboff  <msaboff@apple.com>
2424
2425         Crash in JSScope::resolve() on tools.ups.com
2426         https://bugs.webkit.org/show_bug.cgi?id=140579
2427
2428         Reviewed by Geoffrey Garen.
2429
2430         For op_resolve_scope of a global property or variable that needs to check for the var
2431         injection check watchpoint, we need to keep the scope around with a Phantom.  The
2432         baseline JIT slowpath for op_resolve_scope needs the scope value if the watchpoint
2433         fired.
2434
2435         * dfg/DFGByteCodeParser.cpp:
2436         (JSC::DFG::ByteCodeParser::parseBlock):
2437
2438 2015-01-16  Brian J. Burg  <burg@cs.washington.edu>
2439
2440         Web Inspector: code generator should introduce typedefs for protocol types that are arrays
2441         https://bugs.webkit.org/show_bug.cgi?id=140557
2442
2443         Reviewed by Joseph Pecoraro.
2444
2445         Currently, there is no generated type name for "array" type declarations such as Console.CallStack.
2446         This makes it long-winded and confusing to use the type in C++ code.
2447
2448         This patch adds a typedef for array type declarations, so types such as Console::CallStack
2449         can be referred to directly, rather than using Inspector::Protocol::Array<Console::CallFrame>.
2450
2451         Some tests were updated to cover array type declarations used as parameters and type members.
2452
2453         * inspector/ScriptCallStack.cpp: Use the new typedef.
2454         (Inspector::ScriptCallStack::buildInspectorArray):
2455         * inspector/ScriptCallStack.h:
2456         * inspector/scripts/codegen/cpp_generator.py:
2457         (CppGenerator.cpp_protocol_type_for_type): If an ArrayType is nominal, use the typedef'd name instead.
2458         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2459         (_generate_typedefs_for_domain): Also generate typedefs for array type declarations.
2460         (_generate_typedefs_for_domain.Inspector):
2461         * inspector/scripts/codegen/models.py: Save the name of an ArrayType when it is a type declaration.
2462         (ArrayType.__init__):
2463         (Protocol.resolve_types):
2464         (Protocol.lookup_type_reference):
2465         * inspector/scripts/tests/commands-with-async-attribute.json:
2466         * inspector/scripts/tests/commands-with-optional-call-return-parameters.json:
2467         * inspector/scripts/tests/events-with-optional-parameters.json:
2468         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2469         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2470         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2471         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2472         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2473         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2474         * inspector/scripts/tests/type-declaration-object-type.json:
2475
2476 2015-01-16  Brian J. Burg  <burg@cs.washington.edu>
2477
2478         Web Replay: purge remaining PassRefPtr uses and minor cleanup
2479         https://bugs.webkit.org/show_bug.cgi?id=140456
2480
2481         Reviewed by Andreas Kling.
2482
2483         Get rid of PassRefPtr. Introduce default initializers where it makes sense.
2484         Remove mistaken uses of AtomicString that were not removed as part of r174113.
2485
2486         * replay/EmptyInputCursor.h:
2487         * replay/InputCursor.h:
2488         (JSC::InputCursor::InputCursor):
2489
2490 2015-01-16  Brian J. Burg  <burg@cs.washington.edu>
2491
2492         Web Inspector: code generator should fail on duplicate parameter and member names
2493         https://bugs.webkit.org/show_bug.cgi?id=140555
2494
2495         Reviewed by Timothy Hatcher.
2496
2497         * inspector/scripts/codegen/models.py:
2498         (find_duplicates): Add a helper function to find duplicates in a list.
2499         (Protocol.parse_type_declaration):
2500         (Protocol.parse_command):
2501         (Protocol.parse_event):
2502         * inspector/scripts/tests/expected/fail-on-duplicate-command-call-parameter-names.json-error: Added.
2503         * inspector/scripts/tests/expected/fail-on-duplicate-command-return-parameter-names.json-error: Added.
2504         * inspector/scripts/tests/expected/fail-on-duplicate-event-parameter-names.json-error: Added.
2505         * inspector/scripts/tests/expected/fail-on-duplicate-type-member-names.json-error: Added.
2506         * inspector/scripts/tests/fail-on-duplicate-command-call-parameter-names.json: Added.
2507         * inspector/scripts/tests/fail-on-duplicate-command-return-parameter-names.json: Added.
2508         * inspector/scripts/tests/fail-on-duplicate-event-parameter-names.json: Added.
2509         * inspector/scripts/tests/fail-on-duplicate-type-member-names.json: Added.
2510
2511 2015-01-16  Michael Saboff  <msaboff@apple.com>
2512
2513         REGRESSION (r174226): Header on huffingtonpost.com is too large
2514         https://bugs.webkit.org/show_bug.cgi?id=140306
2515
2516         Reviewed by Filip Pizlo.
2517
2518         BytecodeGenerator::willResolveToArguments() is used to check to see if we can use the
2519         arguments register or whether we need to resolve "arguments".  If the arguments have
2520         been captured, then they are stored in the lexical environment and the arguments
2521         register is not used.
2522
2523         Changed BytecodeGenerator::willResolveToArguments() to also check to see if the arguments
2524         register is captured.  Renamed the function to willResolveToArgumentsRegister() to
2525         better indicate what we are checking.
2526
2527         Aligned 32 and 64 bit paths in ArgumentsRecoveryGenerator::generateFor() for creating
2528         an arguments object that was optimized out of an inlined callFrame.  The 32 bit path
2529         incorrectly calculated the location of the reified callee frame.  This alignment resulted
2530         in the removal of operationCreateInlinedArgumentsDuringOSRExit().
2531
2532         * bytecompiler/BytecodeGenerator.cpp:
2533         (JSC::BytecodeGenerator::willResolveToArgumentsRegister):
2534         (JSC::BytecodeGenerator::uncheckedLocalArgumentsRegister):
2535         (JSC::BytecodeGenerator::emitCall):
2536         (JSC::BytecodeGenerator::emitConstruct):
2537         (JSC::BytecodeGenerator::emitEnumeration):
2538         (JSC::BytecodeGenerator::willResolveToArguments): Deleted.
2539         * bytecompiler/BytecodeGenerator.h:
2540         * bytecompiler/NodesCodegen.cpp:
2541         (JSC::BracketAccessorNode::emitBytecode):
2542         (JSC::DotAccessorNode::emitBytecode):
2543         (JSC::getArgumentByVal):
2544         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2545         (JSC::ArrayPatternNode::emitDirectBinding):
2546         * dfg/DFGOSRExitCompilerCommon.cpp:
2547         (JSC::DFG::ArgumentsRecoveryGenerator::generateFor):
2548         * dfg/DFGOperations.cpp:
2549         (JSC::operationCreateInlinedArgumentsDuringOSRExit): Deleted.
2550         * dfg/DFGOperations.h:
2551         (JSC::operationCreateInlinedArgumentsDuringOSRExit): Deleted.
2552
2553 2015-01-15  Csaba Osztrogonác  <ossy@webkit.org>
2554
2555         Remove ENABLE(SQL_DATABASE) guards
2556         https://bugs.webkit.org/show_bug.cgi?id=140434
2557
2558         Reviewed by Darin Adler.
2559
2560         * CMakeLists.txt:
2561         * Configurations/FeatureDefines.xcconfig:
2562         * DerivedSources.make:
2563         * inspector/protocol/Database.json:
2564
2565 2015-01-14  Alexey Proskuryakov  <ap@apple.com>
2566
2567         Web Inspector and regular console use different source code locations for messages
2568         https://bugs.webkit.org/show_bug.cgi?id=140478
2569
2570         Reviewed by Brian Burg.
2571
2572         * inspector/ConsoleMessage.h: Expose computed source location.
2573
2574         * inspector/agents/InspectorConsoleAgent.cpp:
2575         (Inspector::InspectorConsoleAgent::addMessageToConsole):
2576         (Inspector::InspectorConsoleAgent::stopTiming):
2577         (Inspector::InspectorConsoleAgent::count):
2578         * inspector/agents/InspectorConsoleAgent.h:
2579         addMessageToConsole() now takes a pre-made ConsoleMessage object.
2580
2581         * inspector/JSGlobalObjectConsoleClient.cpp:
2582         (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
2583         (Inspector::JSGlobalObjectConsoleClient::warnUnimplemented):
2584         * inspector/JSGlobalObjectInspectorController.cpp:
2585         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
2586         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
2587         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
2588         Updated for the above changes.
2589
2590 2015-01-15  Mark Lam  <mark.lam@apple.com>
2591
2592         [Part 2] Argument object created by "Function dot arguments" should use a clone of argument values.
2593         <https://webkit.org/b/140093>
2594
2595         Reviewed by Geoffrey Garen.
2596
2597         * interpreter/StackVisitor.cpp:
2598         (JSC::StackVisitor::Frame::createArguments):
2599         - We should not be fetching the lexicalEnvironment here.  The reason we've
2600           introduced the ClonedArgumentsCreationMode is because the lexicalEnvironment
2601           may not be available to us at this point.  Instead, we'll just pass a nullptr.
2602
2603         * runtime/Arguments.cpp:
2604         (JSC::Arguments::tearOffForCloning):
2605         * runtime/Arguments.h:
2606         (JSC::Arguments::finishCreation):
2607         - Use the new tearOffForCloning() to tear off arguments right out of the values
2608           passed on the stack.  tearOff() is not appropriate for this purpose because
2609           it takes slowArgumentsData into account.
2610
2611 2015-01-14  Matthew Mirman  <mmirman@apple.com>
2612
2613         Removed accidental commit of "invalid_array.js" 
2614         http://trac.webkit.org/changeset/178439
2615
2616         * tests/stress/invalid_array.js: Removed.
2617
2618 2015-01-14  Matthew Mirman  <mmirman@apple.com>
2619
2620         Fixes operationPutByIdOptimizes such that they check that the put didn't
2621         change the structure of the object whose property access is being
2622         cached.  Also removes uses of the new base value from the cache generation code.
2623         https://bugs.webkit.org/show_bug.cgi?id=139500
2624
2625         Reviewed by Filip Pizlo.
2626
2627         * jit/JITOperations.cpp:
2628         (JSC::operationPutByIdStrictOptimize): saved the structure before the put.
2629         (JSC::operationPutByIdNonStrictOptimize): ditto.
2630         (JSC::operationPutByIdDirectStrictOptimize): ditto.
2631         (JSC::operationPutByIdDirectNonStrictOptimize): ditto.
2632         * jit/Repatch.cpp:
2633         (JSC::generateByIdStub):
2634         (JSC::tryCacheGetByID):
2635         (JSC::tryBuildGetByIDList):
2636         (JSC::emitPutReplaceStub):
2637         (JSC::emitPutTransitionStubAndGetOldStructure): Added.
2638         (JSC::tryCachePutByID):
2639         (JSC::repatchPutByID):
2640         (JSC::tryBuildPutByIdList):
2641         (JSC::tryRepatchIn):
2642         (JSC::emitPutTransitionStub): Deleted.
2643         * jit/Repatch.h:
2644         * llint/LLIntSlowPaths.cpp:
2645         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2646         * runtime/JSPropertyNameEnumerator.h:
2647         (JSC::genericPropertyNameEnumerator):
2648         * runtime/Operations.h:
2649         (JSC::normalizePrototypeChainForChainAccess): restructured to not use the base value.
2650         (JSC::normalizePrototypeChain): restructured to not use the base value.
2651         * tests/mozilla/mozilla-tests.yaml:
2652         * tests/stress/proto-setter.js: Added.
2653         * tests/stress/put-by-id-build-list-order-recurse.js: Added.
2654         Added test that fails without this patch.
2655
2656 2015-01-13  Joseph Pecoraro  <pecoraro@apple.com>
2657
2658         Web Inspector: Remove unused ResizeImage and DecodeImageData timeline events
2659         https://bugs.webkit.org/show_bug.cgi?id=140404
2660
2661         Reviewed by Timothy Hatcher.
2662
2663         * inspector/protocol/Timeline.json:
2664
2665 2015-01-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2666
2667         DFG can call PutByValDirect for generic arrays
2668         https://bugs.webkit.org/show_bug.cgi?id=140389
2669
2670         Reviewed by Geoffrey Garen.
2671
        Computed properties in object initializers (ES6) use the put_by_val_direct operation.
        However, the current DFG asserts that put_by_val_direct is not used for generic arrays,
        so the assertion failure is raised.
        This patch allows DFG to use put_by_val_direct for generic arrays.
2676
        And fix the DFG put_by_val_direct implementation for string properties.
        At first, put_by_val_direct was intended to be used for spread elements.
        So the property keys were limited to numbers (indexes).
        But now, it's also used for computed properties in object initializers.
2681
2682         * dfg/DFGOperations.cpp:
2683         (JSC::DFG::operationPutByValInternal):
2684         * dfg/DFGSpeculativeJIT64.cpp:
2685         (JSC::DFG::SpeculativeJIT::compile):
2686
2687 2015-01-13  Geoffrey Garen  <ggaren@apple.com>
2688
2689         Out of bounds access in BytecodeGenerator::emitGetById under DotAccessorNode::emitBytecode
2690         https://bugs.webkit.org/show_bug.cgi?id=140397
2691
2692         Reviewed by Geoffrey Garen.
2693
2694         Patch by Alexey Proskuryakov.
2695
2696         Reviewed, performance tested, and ChangeLogged by Geoffrey Garen.
2697
2698         No performance change.
2699
2700         No test, since this is a small past-the-end read, which is very
2701         difficult to turn into a reproducible failing test -- and existing tests
2702         crash reliably using ASan.
2703
2704         * bytecompiler/NodesCodegen.cpp:
2705         (JSC::BracketAccessorNode::emitBytecode):
2706         (JSC::DotAccessorNode::emitBytecode):
2707         (JSC::FunctionCallBracketNode::emitBytecode):
2708         (JSC::PostfixNode::emitResolve):
2709         (JSC::DeleteBracketNode::emitBytecode):
2710         (JSC::DeleteDotNode::emitBytecode):
2711         (JSC::PrefixNode::emitResolve):
2712         (JSC::UnaryOpNode::emitBytecode):
2713         (JSC::BitwiseNotNode::emitBytecode):
2714         (JSC::BinaryOpNode::emitBytecode):
2715         (JSC::EqualNode::emitBytecode):
2716         (JSC::StrictEqualNode::emitBytecode):
2717         (JSC::ThrowableBinaryOpNode::emitBytecode):
2718         (JSC::AssignDotNode::emitBytecode):
2719         (JSC::AssignBracketNode::emitBytecode): Use RefPtr in more places. Any
2720         register used across a call to a function that might allocate a new
2721         temporary register must be held in a RefPtr.
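
The register-lifetime rule stated in the entry above, shown as an added example in C++ that is not part of WebKit or of this patch. Register, RegisterRef and RegisterPool are hypothetical stand-ins (not JSC's RegisterID or BytecodeGenerator); the assumption that makes the point is that newTemporary() reclaims trailing unreferenced registers before allocating, so a raw pointer held across the call dangles while a refcounted handle survives:

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <vector>

// A refcounted register slot, in the spirit of a bytecode generator's temporaries.
// Hypothetical type for this example; not JSC's RegisterID.
struct Register {
    int index = 0;
    unsigned refCount = 0;
};

// Minimal intrusive smart pointer: while one exists, the register counts as in use.
class RegisterRef {
public:
    RegisterRef() = default;
    explicit RegisterRef(Register* r) : m_reg(r) { retain(); }
    RegisterRef(const RegisterRef& other) : m_reg(other.m_reg) { retain(); }
    RegisterRef& operator=(const RegisterRef& other) {
        if (this != &other) { release(); m_reg = other.m_reg; retain(); }
        return *this;
    }
    ~RegisterRef() { release(); }
    Register* get() const { return m_reg; }
    Register* operator->() const { return m_reg; }
private:
    void retain() { if (m_reg) ++m_reg->refCount; }
    void release() { if (m_reg) --m_reg->refCount; }
    Register* m_reg = nullptr;
};

// Hands out temporaries. Like a bytecode generator, it first reclaims any trailing
// registers with refCount == 0, destroying them, before allocating a new one.
class RegisterPool {
public:
    Register* newTemporary() {
        reclaimFreeRegisters();
        m_registers.push_back(std::make_unique<Register>());
        m_registers.back()->index = static_cast<int>(m_registers.size()) - 1;
        return m_registers.back().get();
    }
    size_t size() const { return m_registers.size(); }
    size_t reclaimedCount() const { return m_reclaimed; }
private:
    void reclaimFreeRegisters() {
        while (!m_registers.empty() && m_registers.back()->refCount == 0) {
            m_registers.pop_back();   // the Register object is freed here
            ++m_reclaimed;
        }
    }
    std::vector<std::unique_ptr<Register>> m_registers;
    size_t m_reclaimed = 0;
};

// What one "allocate, call something that may allocate, use" sequence did.
struct Outcome {
    size_t reclaimed;   // registers destroyed by the second allocation
    size_t poolSize;    // live registers afterwards
};

// Buggy shape: a raw pointer does not bump refCount, so the next newTemporary()
// reclaims the register out from under it. Dereferencing `base` afterwards would
// be a use-after-free (the original bug surfaced as a past-the-end read).
Outcome holdRawAcrossAllocation() {
    RegisterPool pool;
    Register* base = pool.newTemporary();
    size_t before = pool.reclaimedCount();
    Register* tmp = pool.newTemporary();     // destroys `base` first, then reuses its index
    (void)tmp;
    (void)base;                              // dangling: deliberately never dereferenced
    return { pool.reclaimedCount() - before, pool.size() };
}

// Fixed shape: RegisterRef keeps refCount > 0 across the call, so reclamation
// stops at `base` and the new temporary lands in a fresh slot.
Outcome holdRefAcrossAllocation() {
    RegisterPool pool;
    RegisterRef base(pool.newTemporary());
    size_t before = pool.reclaimedCount();
    RegisterRef tmp(pool.newTemporary());
    return { pool.reclaimedCount() - before, pool.size() };
}

int main() {
    Outcome raw = holdRawAcrossAllocation();
    Outcome ref = holdRefAcrossAllocation();
    std::printf("raw pointer: %zu reclaimed, %zu live\nRegisterRef: %zu reclaimed, %zu live\n",
                raw.reclaimed, raw.poolSize, ref.reclaimed, ref.poolSize);
    return 0;
}
```

The raw-pointer path reports one register reclaimed and a single live slot (the second temporary reused index 0 after `base` was destroyed); the RegisterRef path reports none reclaimed and two live slots. The dangling pointer is never dereferenced here, which is why the example reports reclamation counts instead of reading through it.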
2722
2723 2015-01-12  Michael Saboff  <msaboff@apple.com>
2724
2725         Local JSArray* "keys" in objectConstructorKeys() is not marked during garbage collection
2726         https://bugs.webkit.org/show_bug.cgi?id=140348
2727
2728         Reviewed by Mark Lam.
2729
2730         We used to read registers in MachineThreads::gatherFromCurrentThread(), but that is too late
2731         because those registers may have been spilled on the stack and replaced with other values by
2732         the time we call down to gatherFromCurrentThread().
2733
2734         Now we get the register contents at the same place that we demarcate the current top of
2735         stack using the address of a local variable, in Heap::markRoots().  The register contents
2736         buffer is passed along with the demarcation pointer.  These need to be done at this level 
        in the call tree and no lower, as markRoots() calls various functions that visit object
        pointers that may be later proven dead.  Any of those pointers that are left on the
2739         stack or in registers could be incorrectly marked as live if we scan the stack contents
2740         from a called function or one of its callees.  The stack demarcation pointer and register
2741         saving need to be done in the same function so that we have a consistent stack, active
2742         and spilled registers.
2743
        Because we don't want to make unnecessary calls to get the register contents, we use
        a macro to allocate, and possibly align, the register structure and get the actual
        register contents.
2747
2748
2749         * heap/Heap.cpp:
2750         (JSC::Heap::markRoots):
2751         (JSC::Heap::gatherStackRoots):
2752         * heap/Heap.h:
2753         * heap/MachineStackMarker.cpp:
2754         (JSC::MachineThreads::gatherFromCurrentThread):
2755         (JSC::MachineThreads::gatherConservativeRoots):
2756         * heap/MachineStackMarker.h:
2757
2758 2015-01-12  Benjamin Poulain  <benjamin@webkit.org>
2759
2760         Add basic pattern matching support to the url filters
2761         https://bugs.webkit.org/show_bug.cgi?id=140283
2762
2763         Reviewed by Andreas Kling.
2764
2765         * JavaScriptCore.xcodeproj/project.pbxproj:
2766         Make YarrParser.h private in order to use it from WebCore.
2767
2768 2015-01-12  Geoffrey Garen  <ggaren@apple.com>
2769
2770         Out of bounds read in IdentifierArena::makeIdentifier
2771         https://bugs.webkit.org/show_bug.cgi?id=140376
2772
2773         Patch by Alexey Proskuryakov.
2774
2775         Reviewed and ChangeLogged by Geoffrey Garen.
2776
2777         No test, since this is a small past-the-end read, which is very
2778         difficult to turn into a reproducible failing test -- and existing tests
2779         crash reliably using ASan.
2780
2781         * parser/ParserArena.h:
2782         (JSC::IdentifierArena::makeIdentifier):
2783         (JSC::IdentifierArena::makeIdentifierLCharFromUChar): Check for a
2784         zero-length string input, like we do in the literal parser, since it is
2785         not valid to dereference characters in a zero-length string.
2786
2787         A zero-length string is allowed in JavaScript -- for example, "".
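
The zero-length guard from the entry above, as an added example in C++ that is not JSC's IdentifierArena code. makeIdentifierUnchecked and makeIdentifierChecked are hypothetical helpers with the shape the fix targets (a pointer/length slice whose fast path inspects the first character); the vulnerable check ordering is shown beside the corrected one, and the buffer and "single-character cache" flag are constructed for the example:

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// Hypothetical interning result; not JSC's Identifier.
struct Identifier {
    std::string text;
    bool fromSingleCharacterCache;
};

// Vulnerable ordering: characters[0] is read before length is checked. For the
// JavaScript string "" the slice has length 0, so characters[0] is one past the
// end of whatever buffer the slice came from: a past-the-end read. Kept for
// comparison only; never call it with length == 0.
Identifier makeIdentifierUnchecked(const char* characters, size_t length) {
    unsigned char first = static_cast<unsigned char>(characters[0]);   // BUG: unguarded read
    if (first < 0x80 && length == 1)
        return { std::string(1, characters[0]), true };
    return { std::string(characters, length), false };
}

// Fixed ordering: reject the empty slice before touching the buffer, as the
// literal parser already did.
Identifier makeIdentifierChecked(const char* characters, size_t length) {
    if (!length)                               // "" is a legal JavaScript string
        return { std::string(), false };
    unsigned char first = static_cast<unsigned char>(characters[0]);
    if (first < 0x80 && length == 1)
        return { std::string(1, characters[0]), true };
    return { std::string(characters, length), false };
}

// Constructed input: a slice that ends exactly at the end of a buffer with no
// terminator. A one-past-the-end pointer is valid to hold but not to read through.
static const char kBuffer[3] = { 'a', 'b', 'c' };

bool emptySliceIsHandled() {
    Identifier id = makeIdentifierChecked(kBuffer + 3, 0);
    return id.text.empty() && !id.fromSingleCharacterCache;
}

bool singleCharacterSliceIsCached() {
    Identifier id = makeIdentifierChecked(kBuffer + 2, 1);
    return id.text == "c" && id.fromSingleCharacterCache;
}

int main() {
    std::printf("empty slice handled: %d\nsingle character cached: %d\n",
                emptySliceIsHandled() ? 1 : 0, singleCharacterSliceIsCached() ? 1 : 0);
    return 0;
}
```

Building this with AddressSanitizer and calling makeIdentifierUnchecked(kBuffer + 3, 0) reproduces the class of report the entry refers to (a read one byte past a global); the checked variant returns the empty identifier without touching the buffer.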
2788
2789 2015-01-11  Sam Weinig  <sam@webkit.org>
2790
2791         Remove support for SharedWorkers
2792         https://bugs.webkit.org/show_bug.cgi?id=140344
2793
2794         Reviewed by Anders Carlsson.
2795
2796         * Configurations/FeatureDefines.xcconfig:
2797
2798 2015-01-12  Myles C. Maxfield  <mmaxfield@apple.com>
2799
2800         Allow targetting the SVG->OTF font converter with ENABLE(SVG_OTF_CONVERTER)
2801         https://bugs.webkit.org/show_bug.cgi?id=136769
2802
2803         Reviewed by Antti Koivisto.
2804
2805         * Configurations/FeatureDefines.xcconfig:
2806
2807 2015-01-12  Commit Queue  <commit-queue@webkit.org>
2808
2809         Unreviewed, rolling out r178266.
2810         https://bugs.webkit.org/show_bug.cgi?id=140363
2811
2812         Broke a JSC test (Requested by ap on #webkit).
2813
2814         Reverted changeset:
2815
2816         "Local JSArray* "keys" in objectConstructorKeys() is not
2817         marked during garbage collection"
2818         https://bugs.webkit.org/show_bug.cgi?id=140348
2819         http://trac.webkit.org/changeset/178266
2820
2821 2015-01-12  Michael Saboff  <msaboff@apple.com>
2822
2823         Local JSArray* "keys" in objectConstructorKeys() is not marked during garbage collection
2824         https://bugs.webkit.org/show_bug.cgi?id=140348
2825
2826         Reviewed by Mark Lam.
2827
2828         Move the address of the local variable that is used to demarcate the top of the stack for 
2829         conservative roots down to MachineThreads::gatherFromCurrentThread() since it also gets
2830         the register values using setjmp().  That way we don't lose any callee save register
2831         contents between Heap::markRoots(), where it was set, and gatherFromCurrentThread().
2832         If we lose any JSObject* that are only in callee save registers, they will be GC'ed
2833         erroneously.
2834
2835         * heap/Heap.cpp:
2836         (JSC::Heap::markRoots):
2837         (JSC::Heap::gatherStackRoots):
2838         * heap/Heap.h:
2839         * heap/MachineStackMarker.cpp:
2840         (JSC::MachineThreads::gatherFromCurrentThread):
2841         (JSC::MachineThreads::gatherConservativeRoots):
2842         * heap/MachineStackMarker.h:
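
The root-gathering layout described in the entry above and in its restructured re-landing further up in this log (register contents captured in the same function that marks the top of the stack), as an added example in C++. It is constructed for illustration and is not WebKit's MachineStackMarker. It assumes a downward-growing, contiguous stack and GCC/Clang attributes; ToyHeap, g_stackBase, g_sink and the function names are invented for the example:

```cpp
#include <algorithm>
#include <csetjmp>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <vector>

#if defined(__GNUC__)
#define NOINLINE __attribute__((noinline))
#define NO_ASAN __attribute__((no_sanitize_address))   // the scan reads whole frames on purpose
#else
#define NOINLINE
#define NO_ASAN
#endif

// A toy heap: any stack word equal to one of these addresses counts as a root.
struct ToyHeap {
    std::vector<void*> objects;
    bool contains(uintptr_t word) const {
        for (void* o : objects)
            if (reinterpret_cast<uintptr_t>(o) == word) return true;
        return false;
    }
};

static uintptr_t g_stackBase = 0;    // highest address of the region to scan

// Conservative scan of [low, high): every aligned word that looks like an object
// address is treated as a root.
NO_ASAN static void scanRange(const ToyHeap& heap, uintptr_t low, uintptr_t high,
                              std::vector<void*>& found) {
    low &= ~static_cast<uintptr_t>(sizeof(void*) - 1);   // align down to a word
    for (uintptr_t p = low; p + sizeof(void*) <= high; p += sizeof(void*)) {
        uintptr_t word = *reinterpret_cast<const uintptr_t*>(p);
        if (!heap.contains(word)) continue;
        void* obj = reinterpret_cast<void*>(word);
        if (std::find(found.begin(), found.end(), obj) == found.end())
            found.push_back(obj);
    }
}

// The point of the change: spill the registers and take the stack-top marker in
// the SAME frame, then scan from there up to the recorded base. setjmp writes the
// callee-saved registers into `registers`, which lies inside the scanned region,
// so a pointer a caller kept only in a register cannot be lost between the
// marker and the register capture.
NOINLINE static std::vector<void*> gatherConservativeRoots(const ToyHeap& heap) {
    jmp_buf registers;
    setjmp(registers);                   // never longjmp'd to; used only to spill registers
    volatile char marker = 0;            // its address marks the current top of stack
    uintptr_t top = std::min(reinterpret_cast<uintptr_t>(&registers),
                             reinterpret_cast<uintptr_t>(&marker));
    std::vector<void*> found;
    scanRange(heap, top, g_stackBase, found);
    return found;
}

static void* volatile g_sink;            // forces `keep` to stay live across the scan

// Holds a heap pointer only in its own frame or a callee-saved register while the
// collector runs, and reports how many roots the scan found.
NOINLINE static size_t rootsSeenWhileHolding(const ToyHeap& heap, void* keep) {
    std::vector<void*> roots = gatherConservativeRoots(heap);
    g_sink = keep;                       // used after the call, so it must survive it
    return roots.size();
}

// Records the stack base one frame above the code under test, then runs the scan.
NOINLINE size_t conservativeScanFindsRegisterHeldPointer() {
    volatile char base = 0;
    g_stackBase = reinterpret_cast<uintptr_t>(&base);
    ToyHeap heap;
    void* obj = std::malloc(16);
    heap.objects.push_back(obj);
    size_t n = rootsSeenWhileHolding(heap, obj);
    std::free(obj);
    return n;                            // 1: the only stack/register reference was found
}

int main() {
    std::printf("roots found: %zu\n", conservativeScanFindsRegisterHeldPointer());
    return 0;
}
```

Whether the optimizer keeps `keep` in a callee-saved register or spills it to the frame of rootsSeenWhileHolding, it ends up inside [top, g_stackBase) and is reported exactly once. Taking the marker in a deeper frame than the setjmp, which is what the reverted version effectively did, leaves a window in which a callee-saved register can be overwritten before it is captured.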
2843
2844 2015-01-11  Eric Carlson  <eric.carlson@apple.com>
2845
2846         Fix typo in testate.c error messages
2847         https://bugs.webkit.org/show_bug.cgi?id=140305
2848
2849         Reviewed by Geoffrey Garen.
2850
2851         * API/tests/testapi.c:
2852         (main): "... script did not timed out ..." -> "... script did not time out ..."
2853
2854 2015-01-09  Michael Saboff  <msaboff@apple.com>
2855
2856         Breakpoint doesn't fire in this HTML5 game
2857         https://bugs.webkit.org/show_bug.cgi?id=140269
2858
2859         Reviewed by Mark Lam.
2860
2861         When parsing a single line cached function, use the lineStartOffset of the
2862         location where we found the cached function instead of the cached lineStartOffset.
2863         The cache location's lineStartOffset has not been adjusted for any possible
2864         containing functions.
2865
2866         This change is not needed for multi-line cached functions.  Consider the
2867         single line source:
2868
2869         function outer(){function inner1(){doStuff();}; (function inner2() {doMoreStuff()})()}
2870
2871         The first parser pass, we parse and cache inner1() and inner2() with a lineStartOffset
2872         of 0.  Later when we parse outer() and find inner1() in the cache, SourceCode start
2873         character is at outer()'s outermost open brace.  That is what we should use for
2874         lineStartOffset for inner1().  When done parsing inner1() we set the parsing token
2875         to the saved location for inner1(), including the lineStartOffset of 0.  We need
2876         to use the value of lineStartOffset before we started parsing inner1().  That is
2877         what the fix does.  When we parse inner2() the lineStartOffset will be correct.
2878
        For a multi-line function, the close brace is guaranteed to be on a different line
        than the open brace.  Hence, its lineStartOffset will not change with the change of
        the SourceCode start character.
2882
2883         * parser/Parser.cpp:
2884         (JSC::Parser<LexerType>::parseFunctionInfo):
2885
2886 2015-01-09  Joseph Pecoraro  <pecoraro@apple.com>
2887
2888         Web Inspector: Uncaught Exception in ProbeManager deleting breakpoint
2889         https://bugs.webkit.org/show_bug.cgi?id=140279
2890         rdar://problem/19422299
2891
2892         Reviewed by Oliver Hunt.
2893
2894         * runtime/MapData.cpp:
2895         (JSC::MapData::replaceAndPackBackingStore):
2896         The cell table also needs to have its values fixed.
2897
2898 2015-01-09  Joseph Pecoraro  <pecoraro@apple.com>
2899
2900         Web Inspector: Remove or use TimelineAgent Resource related event types
2901         https://bugs.webkit.org/show_bug.cgi?id=140155
2902
2903         Reviewed by Timothy Hatcher.
2904
2905         Remove unused / stale Timeline event types.
2906
2907         * inspector/protocol/Timeline.json:
2908
2909 2015-01-09  Csaba Osztrogonác  <ossy@webkit.org>
2910
2911         REGRESSION(r177925): It broke the !ENABLE(INSPECTOR) build
2912         https://bugs.webkit.org/show_bug.cgi?id=140098
2913
2914         Reviewed by Brian Burg.
2915
2916         * inspector/InspectorBackendDispatcher.h: Missing ENABLE(INSPECTOR) guard added.
2917
2918 2015-01-08  Mark Lam  <mark.lam@apple.com>
2919
2920         Argument object created by "Function dot arguments" should use a clone of the argument values.
2921         <https://webkit.org/b/140093>
2922
2923         Reviewed by Geoffrey Garen.
2924
2925         After the change in <https://webkit.org/b/139827>, the dfg-tear-off-arguments-not-activation.js
2926         test will crash.  The relevant code which manifests the issue is as follows:
2927
2928             function bar() {
2929                 return foo.arguments;
2930             }
2931
2932             function foo(p) {
2933                 var x = 42;
2934                 if (p)
2935                     return (function() { return x; });
2936                 else
2937                     return bar();
2938             }
2939
2940         In this case, foo() has no knowledge of bar() needing its LexicalEnvironment and
2941         has dead code eliminated the SetLocal that stores it into its designated local.
2942         In bar(), the factory for the Arguments object (for creating foo.arguments) tries
2943         to read foo's LexicalEnvironment from its designated lexicalEnvironment local,
2944         but instead, finds it to be uninitialized.  This results in a null pointer access
2945         which causes a crash.
2946
2947         This can be resolved by having bar() instantiate a clone of the Arguments object
2948         instead, and populate its elements with values fetched directly from foo's frame.
2949         There's no need to reference foo's LexicalEnvironment (whether present or not).
2950
2951         * interpreter/StackVisitor.cpp:
2952         (JSC::StackVisitor::Frame::createArguments):
2953         * runtime/Arguments.h:
2954         (JSC::Arguments::finishCreation):
2955
2956 2015-01-08  Mark Lam  <mark.lam@apple.com>
2957
2958         Make the LLINT and Baseline JIT's op_create_arguments and op_get_argument_by_val use their lexicalEnvironment operand.
2959         <https://webkit.org/b/140236>
2960
2961         Reviewed by Geoffrey Garen.
2962
        Will change the DFG to use the operand on a subsequent pass.  For now,
        the DFG uses a temporary thunk (operationCreateArgumentsForDFG()) to
        retain the old behavior of getting the lexicalEnvironment from the
        ExecState.
2967
2968         * bytecompiler/BytecodeGenerator.cpp:
2969         (JSC::BytecodeGenerator::BytecodeGenerator):
2970         (JSC::BytecodeGenerator::emitGetArgumentByVal):
2971         (JSC::BytecodeGenerator::createArgumentsIfNecessary):
2972         - When the lexicalEnvironment is not available, pass the invalid VirtualRegister
2973           instead of an empty JSValue as the lexicalEnvironment operand.
2974
2975         * dfg/DFGOperations.cpp:
2976         - Use the lexicalEnvironment from the ExecState for now.
2977
2978         * dfg/DFGSpeculativeJIT32_64.cpp:
2979         (JSC::DFG::SpeculativeJIT::compile):
2980         * dfg/DFGSpeculativeJIT64.cpp:
2981         (JSC::DFG::SpeculativeJIT::compile):
2982         - Use the operationCreateArgumentsForDFG() thunk for now.
2983
2984         * interpreter/CallFrame.cpp:
2985         (JSC::CallFrame::lexicalEnvironmentOrNullptr):
2986         * interpreter/CallFrame.h:
2987         - Added this convenience function to return either the
2988           lexicalEnvironment or a nullptr so that we don't need to do a
2989           conditional check on codeBlock->needsActivation() at multiple sites.
2990
2991         * interpreter/StackVisitor.cpp:
2992         (JSC::StackVisitor::Frame::createArguments):
2993         * jit/JIT.h:
2994         * jit/JITInlines.h:
2995         (JSC::JIT::callOperation):
2996         * jit/JITOpcodes.cpp:
2997         (JSC::JIT::emit_op_create_arguments):
2998         (JSC::JIT::emitSlow_op_get_argument_by_val):
2999         * jit/JITOpcodes32_64.cpp:
3000         (JSC::JIT::emit_op_create_arguments):
3001         (JSC::JIT::emitSlow_op_get_argument_by_val):
3002         * jit/JITOperations.cpp:
3003         * jit/JITOperations.h:
3004         * llint/LLIntSlowPaths.cpp:
3005         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3006         * runtime/Arguments.h:
3007         (JSC::Arguments::create):
3008         (JSC::Arguments::finishCreation):
3009         * runtime/CommonSlowPaths.cpp:
3010         (JSC::SLOW_PATH_DECL):
3011         * runtime/JSLexicalEnvironment.cpp:
3012         (JSC::JSLexicalEnvironment::argumentsGetter):
3013
3014 2015-01-08  Joseph Pecoraro  <pecoraro@apple.com>
3015
3016         Web Inspector: Pause Reason Improvements (Breakpoint, Debugger Statement, Pause on Next Statement)
3017         https://bugs.webkit.org/show_bug.cgi?id=138991
3018
3019         Reviewed by Timothy Hatcher.
3020
3021         * debugger/Debugger.cpp:
3022         (JSC::Debugger::Debugger):
3023         (JSC::Debugger::pauseIfNeeded):
3024         (JSC::Debugger::didReachBreakpoint):
3025         When actually pausing, if we hit a breakpoint ensure the reason
3026         is PausedForBreakpoint, otherwise use the current reason.
3027
3028         * debugger/Debugger.h:
3029         Make pause reason and pausing breakpoint ID public.
3030
3031         * inspector/agents/InspectorDebuggerAgent.h:
3032         * inspector/agents/InspectorDebuggerAgent.cpp:
3033         (Inspector::buildAssertPauseReason):
3034         (Inspector::buildCSPViolationPauseReason):
3035         (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
3036         (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason):
3037         (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
3038         (Inspector::buildObjectForBreakpointCookie):
3039         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
3040         (Inspector::InspectorDebuggerAgent::removeBreakpoint):
3041         (Inspector::InspectorDebuggerAgent::resolveBreakpoint):
3042         (Inspector::InspectorDebuggerAgent::pause):
3043         (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP):
3044         (Inspector::InspectorDebuggerAgent::currentCallFrames):
3045         (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
3046         Clean up creation of pause reason objects and other cleanup
3047         of PassRefPtr use and InjectedScript use.
3048
3049         (Inspector::InspectorDebuggerAgent::didPause):
3050         Clean up so that we first check for an Exception, and then fall
3051         back to including a Pause Reason derived from the Debugger.
3052
3053         * inspector/protocol/Debugger.json:
3054         Add new DebuggerStatement, Breakpoint, and PauseOnNextStatement reasons.
3055
3056 2015-01-08  Joseph Pecoraro  <pecoraro@apple.com>
3057
3058         Web Inspector: Type check NSArray's in ObjC Interfaces have the right object types
3059         https://bugs.webkit.org/show_bug.cgi?id=140209
3060
3061         Reviewed by Timothy Hatcher.
3062
3063         Check the types of objects in NSArrays for all interfaces (commands, events, types)
3064         when the user can set an array of objects. Previously we were only type checking
3065         they were RWIJSONObjects, now we add an explicit check for the exact object type.
3066
3067         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
3068         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
3069         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
3070         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
3071         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
3072         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members):
3073         (ObjCProtocolTypesImplementationGenerator._generate_setter_for_member):
3074         * inspector/scripts/codegen/objc_generator.py:
3075         (ObjCGenerator.objc_class_for_array_type):
3076         (ObjCGenerator):
3077
3078 2015-01-07  Mark Lam  <mark.lam@apple.com>
3079
3080         Add the lexicalEnvironment as an operand to op_get_argument_by_val.
3081         <https://webkit.org/b/140233>
3082
3083         Reviewed by Filip Pizlo.
3084
3085         This patch only adds the operand to the bytecode.  It is not in use yet.
3086
3087         * bytecode/BytecodeList.json:
3088         * bytecode/BytecodeUseDef.h:
3089         (JSC::computeUsesForBytecodeOffset):
3090         * bytecode/CodeBlock.cpp:
3091         (JSC::CodeBlock::dumpBytecode):
3092         * bytecompiler/BytecodeGenerator.cpp:
3093         (JSC::BytecodeGenerator::emitGetArgumentByVal):
3094         * llint/LowLevelInterpreter32_64.asm:
3095         * llint/LowLevelInterpreter64.asm:
3096
3097 2015-01-07  Yusuke Suzuki  <utatane.tea@gmail.com>
3098
3099         Investigate the character type of repeated string instead of checking is8Bit flag
3100         https://bugs.webkit.org/show_bug.cgi?id=140139
3101
3102         Reviewed by Darin Adler.
3103
        Instead of checking the is8Bit flag of the repeated string, investigate
        the actual value of the repeated character, since the is8Bit flag gives a false negative case.
3106
3107         * runtime/StringPrototype.cpp:
3108         (JSC::repeatCharacter):
3109         (JSC::stringProtoFuncRepeat):
3110         (JSC::repeatSmallString): Deleted.
3111
3112 2015-01-07  Joseph Pecoraro  <pecoraro@apple.com>
3113
3114         Web Inspector: ObjC Generate types from the GenericTypes domain
3115         https://bugs.webkit.org/show_bug.cgi?id=140229
3116
3117         Reviewed by Timothy Hatcher.
3118
3119         Generate types from the GenericTypes domain, as they are expected
3120         by other domains (like Page domain). Also, don't include the @protocol
3121         forward declaration for a domain if it doesn't have any commands.
3122
3123         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
3124         (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations):
3125         (ObjCBackendDispatcherHeaderGenerator): Deleted.
3126         (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations_for_domains): Deleted.
3127         * inspector/scripts/codegen/objc_generator.py:
3128         (ObjCGenerator):
3129         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
3130         * inspector/scripts/tests/expected/enum-values.json-result:
3131         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
3132         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
3133         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
3134         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
3135         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
3136         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
3137         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
3138         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
3139         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
3140
3141 2015-01-07  Joseph Pecoraro  <pecoraro@apple.com>
3142
3143         Web Inspector: Remove unnecessary copyRef for paramsObject in generated dispatchers
3144         https://bugs.webkit.org/show_bug.cgi?id=140228
3145
3146         Reviewed by Timothy Hatcher.
3147
3148         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
3149         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
3150         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
3151         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
3152         * inspector/scripts/tests/expected/enum-values.json-result:
3153         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
3154
3155 2015-01-07  Saam Barati  <saambarati1@gmail.com>
3156
3157         interpret op_profile_type in the LLInt instead of unconditionally calling into the slow path
3158         https://bugs.webkit.org/show_bug.cgi?id=140165
3159
3160         Reviewed by Michael Saboff.
3161
3162         Inlining the functionality of TypeProfilerLog::recordTypeInformationForLocation
3163         into the LLInt speeds up type profiling.
3164
3165         * llint/LLIntOffsetsExtractor.cpp:
3166         * llint/LowLevelInterpreter.asm:
3167         * llint/LowLevelInterpreter32_64.asm:
3168         * llint/LowLevelInterpreter64.asm:
3169         * runtime/CommonSlowPaths.cpp:
3170         (JSC::SLOW_PATH_DECL):
3171         * runtime/CommonSlowPaths.h:
3172         * runtime/TypeProfilerLog.h:
3173         (JSC::TypeProfilerLog::recordTypeInformationForLocation): Deleted.
3174
3175 2015-01-07  Brian J. Burg  <burg@cs.washington.edu>
3176
3177         Web Inspector: purge PassRefPtr from Inspector code and use Ref for typed and untyped protocol objects
3178         https://bugs.webkit.org/show_bug.cgi?id=140053
3179
3180         Reviewed by Andreas Kling.
3181
3182         This patch replaces uses of PassRefPtr with uses of RefPtr&& and WTF::move() in code
3183         related to Web Inspector. It also converts many uses of RefPtr to Ref where
3184         references are always non-null. These two refactorings have been combined since
3185         they tend to require similar changes to the code.
3186
3187         Creation methods for subclasses of InspectorValue now return a Ref, and callsites
3188         have been updated to take a Ref instead of RefPtr.
3189
3190         Builders for typed protocol objects now return a Ref. Since there is no implicit
3191         call to operator&, callsites now must explicitly call .release() to convert a
3192         builder object into the corresponding protocol object once required fields are set.
3193         Update callsites and use auto to eliminate repetition of longwinded protocol types.
3194
3195         Tests for inspector protocol and replay inputs have been rebaselined.
3196
3197         * bindings/ScriptValue.cpp:
3198         (Deprecated::jsToInspectorValue):
3199         (Deprecated::ScriptValue::toInspectorValue):
3200         * bindings/ScriptValue.h:
3201         * inspector/ConsoleMessage.cpp:
3202         (Inspector::ConsoleMessage::addToFrontend):
3203         * inspector/ContentSearchUtilities.cpp:
3204         (Inspector::ContentSearchUtilities::buildObjectForSearchMatch):
3205         (Inspector::ContentSearchUtilities::searchInTextByLines):
3206         * inspector/ContentSearchUtilities.h:
3207         * inspector/InjectedScript.cpp:
3208         (Inspector::InjectedScript::getFunctionDetails):
3209         (Inspector::InjectedScript::getProperties):
3210         (Inspector::InjectedScript::getInternalProperties):
3211         (Inspector::InjectedScript::wrapCallFrames):
3212         (Inspector::InjectedScript::wrapObject):
3213         (Inspector::InjectedScript::wrapTable):
3214         * inspector/InjectedScript.h:
3215         * inspector/InjectedScriptBase.cpp:
3216         (Inspector::InjectedScriptBase::makeEvalCall): Split the early exits.
3217         * inspector/InspectorBackendDispatcher.cpp:
3218         (Inspector::InspectorBackendDispatcher::CallbackBase::CallbackBase):
3219         (Inspector::InspectorBackendDispatcher::CallbackBase::sendIfActive):
3220         (Inspector::InspectorBackendDispatcher::create):
3221         (Inspector::InspectorBackendDispatcher::dispatch):
3222         (Inspector::InspectorBackendDispatcher::sendResponse):
3223         (Inspector::InspectorBackendDispatcher::reportProtocolError):
3224         (Inspector::getPropertyValue): Add a comment to clarify what this clever code does.
3225         (Inspector::InspectorBackendDispatcher::getInteger):
3226         (Inspector::InspectorBackendDispatcher::getDouble):
3227         (Inspector::InspectorBackendDispatcher::getString):
3228         (Inspector::InspectorBackendDispatcher::getBoolean):
3229         (Inspector::InspectorBackendDispatcher::getObject):
3230         (Inspector::InspectorBackendDispatcher::getArray):
3231         (Inspector::InspectorBackendDispatcher::getValue):
3232         * inspector/InspectorBackendDispatcher.h: Use a typed protocol object to collect
3233         protocol error strings.
3234         (Inspector::InspectorSupplementalBackendDispatcher::InspectorSupplementalBackendDispatcher):
3235         Convert the supplemental dispatcher's reference to Ref since it is never null.
3236         * inspector/InspectorEnvironment.h:
3237         * inspector/InspectorProtocolTypes.h: Get rid of ArrayItemHelper and
3238         StructItemTraits. Add more versions of addItem to handle pushing various types.
3239         (Inspector::Protocol::Array::openAccessors):
3240         (Inspector::Protocol::Array::addItem):
3241         (Inspector::Protocol::Array::create):
3242         (Inspector::Protocol::StructItemTraits::push):
3243         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast): Assert argument.
3244         (Inspector::Protocol::StructItemTraits::pushRefPtr): Deleted.
3245         (Inspector::Protocol::ArrayItemHelper<String>::Traits::pushRaw): Deleted.
3246         (Inspector::Protocol::ArrayItemHelper<int>::Traits::pushRaw): Deleted.
3247         (Inspector::Protocol::ArrayItemHelper<double>::Traits::pushRaw): Deleted.
3248         (Inspector::Protocol::ArrayItemHelper<bool>::Traits::pushRaw): Deleted.
3249         (Inspector::Protocol::ArrayItemHelper<InspectorValue>::Traits::pushRefPtr): Deleted.
3250         (Inspector::Protocol::ArrayItemHelper<InspectorObject>::Traits::pushRefPtr): Deleted.
3251         (Inspector::Protocol::ArrayItemHelper<InspectorArray>::Traits::pushRefPtr): Deleted.
3252         (Inspector::Protocol::ArrayItemHelper<Protocol::Array<T>>::Traits::pushRefPtr): Deleted.
3253         * inspector/InspectorValues.cpp: Straighten out getArray and getObject to have
3254         the same call signature as other getters. Use Ref where possible.
3255         (Inspector::InspectorObjectBase::getBoolean):
3256         (Inspector::InspectorObjectBase::getString):
3257         (Inspector::InspectorObjectBase::getObject):
3258         (Inspector::InspectorObjectBase::getArray):
        (Inspector::InspectorObjectBase::getValue):
        (Inspector::InspectorObjectBase::writeJSON):
        (Inspector::InspectorArrayBase::get):
        (Inspector::InspectorObject::create):
        (Inspector::InspectorArray::create):
        (Inspector::InspectorValue::null):
        (Inspector::InspectorString::create):
        (Inspector::InspectorBasicValue::create):
        (Inspector::InspectorObjectBase::get): Deleted.
        * inspector/InspectorValues.h:
        (Inspector::InspectorObjectBase::setValue):
        (Inspector::InspectorObjectBase::setObject):
        (Inspector::InspectorObjectBase::setArray):
        (Inspector::InspectorArrayBase::pushValue):
        (Inspector::InspectorArrayBase::pushObject):
        (Inspector::InspectorArrayBase::pushArray):
        * inspector/JSGlobalObjectConsoleClient.cpp:
        (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
        (Inspector::JSGlobalObjectConsoleClient::count):
        (Inspector::JSGlobalObjectConsoleClient::timeEnd):
        (Inspector::JSGlobalObjectConsoleClient::timeStamp):
        * inspector/JSGlobalObjectConsoleClient.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::executionStopwatch):
        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/ScriptCallFrame.cpp:
        (Inspector::ScriptCallFrame::buildInspectorObject):
        * inspector/ScriptCallFrame.h:
        * inspector/ScriptCallStack.cpp:
        (Inspector::ScriptCallStack::create):
        (Inspector::ScriptCallStack::buildInspectorArray):
        * inspector/ScriptCallStack.h:
        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::enable):
        (Inspector::InspectorAgent::inspect):
        (Inspector::InspectorAgent::activateExtraDomain):
        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
        (Inspector::buildObjectForBreakpointCookie):
        (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
        (Inspector::InspectorDebuggerAgent::setBreakpoint):
        (Inspector::InspectorDebuggerAgent::continueToLocation):
        (Inspector::InspectorDebuggerAgent::resolveBreakpoint):
        (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
        (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP):
        (Inspector::InspectorDebuggerAgent::currentCallFrames):
        (Inspector::InspectorDebuggerAgent::didParseSource):
        (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
        (Inspector::InspectorDebuggerAgent::breakProgram):
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::buildErrorRangeObject):
        (Inspector::InspectorRuntimeAgent::callFunctionOn):
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        (Inspector::InspectorRuntimeAgent::getBasicBlocks):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/scripts/codegen/cpp_generator.py:
        (CppGenerator.cpp_type_for_unchecked_formal_in_parameter):
        (CppGenerator.cpp_type_for_type_with_name):
        (CppGenerator.cpp_type_for_formal_async_parameter):
        (CppGenerator.should_use_references_for_type):
        (CppGenerator):
        * inspector/scripts/codegen/cpp_generator_templates.py:
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
        (CppBackendDispatcherHeaderGenerator.generate_output):
        (CppBackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
        (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
        (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
        (CppFrontendDispatcherHeaderGenerator.generate_output):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
        (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        (CppProtocolTypesHeaderGenerator.generate_output):
        (_generate_class_for_object_declaration):
        (_generate_unchecked_setter_for_member):
        (_generate_forward_declarations_for_binding_traits):
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
        (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
        * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
        (ObjCFrontendDispatcherImplementationGenerator._generate_event):
        (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
        * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
        (ObjCProtocolTypesImplementationGenerator.generate_output):
        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/enum-values.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result: