6d6335bff3619fdce8fce793dafb06bcab3d74b4
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-09-29  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: InspectorValues should use references for out parameters
        https://bugs.webkit.org/show_bug.cgi?id=137190

        Reviewed by Joseph Pecoraro.

        Use references for out parameters in asType() and getType() methods.
        Also convert to references in some miscellaneous code where we don't
        expect or handle null values.

        Remove variants of asObject() and asArray() that return a nullable RefPtr.
        Now, client code is forced to use out parameters and check for cast failure.

        Iron out control flow in some functions and fix some style issues.

        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::getFunctionDetails):
        (Inspector::InjectedScript::wrapObject):
        (Inspector::InjectedScript::wrapTable):
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::makeEvalCall):
        * inspector/InjectedScriptManager.cpp:
        (Inspector::InjectedScriptManager::injectedScriptForObjectId): Simplify control flow.
        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::InspectorBackendDispatcher::dispatch):
        (Inspector::getPropertyValue):
        (Inspector::AsMethodBridges::asInteger):
        (Inspector::AsMethodBridges::asDouble):
        (Inspector::AsMethodBridges::asString):
        (Inspector::AsMethodBridges::asBoolean):
        (Inspector::AsMethodBridges::asObject):
        (Inspector::AsMethodBridges::asArray):
        * inspector/InspectorProtocolTypes.h:
        (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast):
        (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType):
        * inspector/InspectorValues.cpp: Use more by-reference out parameters. Add more spacing.
        (Inspector::InspectorValue::asBoolean):
        (Inspector::InspectorValue::asDouble):
        (Inspector::InspectorValue::asInteger):
        (Inspector::InspectorValue::asString):
        (Inspector::InspectorValue::asValue):
        (Inspector::InspectorValue::asObject):
        (Inspector::InspectorValue::asArray):
        (Inspector::InspectorValue::parseJSON):
        (Inspector::InspectorValue::toJSONString):
        (Inspector::InspectorValue::writeJSON):
        (Inspector::InspectorBasicValue::asBoolean):
        (Inspector::InspectorBasicValue::asDouble):
        (Inspector::InspectorBasicValue::asInteger):
        (Inspector::InspectorBasicValue::writeJSON):
        (Inspector::InspectorString::asString):
        (Inspector::InspectorString::writeJSON):
        (Inspector::InspectorObjectBase::asObject):
        (Inspector::InspectorObjectBase::openAccessors):
        (Inspector::InspectorObjectBase::getBoolean):
        (Inspector::InspectorObjectBase::getString):
        (Inspector::InspectorObjectBase::getObject):
        (Inspector::InspectorObjectBase::getArray):
        (Inspector::InspectorObjectBase::writeJSON):
        (Inspector::InspectorArrayBase::asArray):
        (Inspector::InspectorArrayBase::writeJSON):
        * inspector/InspectorValues.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
        (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
        (Inspector::parseLocation):
        (Inspector::InspectorDebuggerAgent::setBreakpoint):
        (Inspector::InspectorDebuggerAgent::continueToLocation):
        (Inspector::InspectorDebuggerAgent::didParseSource):
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        * inspector/scripts/codegen/generate_protocol_types_implementation.py:
        (ProtocolTypesImplementationGenerator):
        (ProtocolTypesImplementationGenerator._generate_assertion_for_enum):
        * inspector/scripts/codegen/generator_templates.py:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
        * replay/EncodedValue.cpp:
        (JSC::EncodedValue::asObject):
        (JSC::EncodedValue::asArray):
        (JSC::EncodedValue::convertTo<bool>):
        (JSC::EncodedValue::convertTo<double>):
        (JSC::EncodedValue::convertTo<float>):
        (JSC::EncodedValue::convertTo<int32_t>):
        (JSC::EncodedValue::convertTo<int64_t>):
        (JSC::EncodedValue::convertTo<uint32_t>):
        (JSC::EncodedValue::convertTo<uint64_t>):
        (JSC::EncodedValue::convertTo<String>):

2014-09-29  Filip Pizlo  <fpizlo@apple.com>

        DFG HasStructureProperty codegen should use one fewer registers
        https://bugs.webkit.org/show_bug.cgi?id=137235

        Reviewed by Andreas Kling.

        This was an obvious source of inefficiency and it was causing us to run out of registers on
        x86-32.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2014-09-29  Filip Pizlo  <fpizlo@apple.com>

        Don't use GPRResult unless you're flushing registers and making a runtime function call
        https://bugs.webkit.org/show_bug.cgi?id=137234

        Rubber stamped by Andreas Kling.

        Rename GPRResult to GPRFlushedCallResult, in an attempt to dissuade people from using it for results in the
        general case.

        Replace GPRResult with GPRTemporary in those places where it was causing bugs: particularly in GetDirectPname it
        would cause us to spill the register that has the base, and the code was assuming (rightly) that the base and the
        result were in different registers. That's a valid assumption when using GPRTemporary but not with GPRResult.
        Also this code wasn't getting any benefit from using GPRResult because it wasn't doing flushRegisters().

        I don't know how to test this. A test would require setting up a particularly awkward register allocation state.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck):
        (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression):
        (JSC::DFG::SpeculativeJIT::compileRegExpExec):
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::GPRFlushedCallResult::GPRFlushedCallResult):
        (JSC::DFG::GPRFlushedCallResult2::GPRFlushedCallResult2):
        (JSC::DFG::GPRResult::GPRResult): Deleted.
        (JSC::DFG::GPRResult2::GPRResult2): Deleted.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::speculateDoubleRepMachineInt):

2014-09-29  Diego Pino Garcia  <dpino@igalia.com>

        Missing changes from r174049
        https://bugs.webkit.org/show_bug.cgi?id=137206

        Reviewed by Darin Adler.

        * runtime/CommonIdentifiers.h:

2014-09-28  Diego Pino Garcia  <dpino@igalia.com>

        Simple ES6 feature: Number constructor extras
        https://bugs.webkit.org/show_bug.cgi?id=131707

        Reviewed by Darin Adler.

        * runtime/CommonIdentifiers.h:
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::finishCreation): Set up constants and
        functions.
        (JSC::numberConstructorFuncIsFinite): Added.
        (JSC::numberConstructorFuncIsInteger): Added.
        (JSC::numberConstructorFuncIsNaN): Added.
        (JSC::numberConstructorFuncIsSafeInteger): Added.
        (JSC::NumberConstructor::getOwnPropertySlot): Deleted.
        (JSC::numberConstructorNaNValue): Deleted.
        (JSC::numberConstructorNegInfinity): Deleted.
        (JSC::numberConstructorPosInfinity): Deleted.
        (JSC::numberConstructorMaxValue): Deleted.
        (JSC::numberConstructorMinValue): Deleted.
        * runtime/NumberConstructor.h:

2014-09-26  Filip Pizlo  <fpizlo@apple.com>

        Disable function.arguments
        https://bugs.webkit.org/show_bug.cgi?id=137167

        Rubber stamped by Geoffrey Garen.

        Add an option to disable function.arguments. Add a test for disabling it.

        Disabling function.arguments means that it returns an Arguments object that claims that
        there were zero arguments. All other Arguments functionality still works, so any code
        that tries to inspect this object will still think that it is looking at a perfectly
        valid Arguments object.

        This also makes function.arguments disabled by default. Note that the RJST harness will
        enable them by default, to continue to get test coverage for the code that implements
        the feature.

        We will rip out that code once we're confident that it's really safe to remove this
        feature. Only once we rip out that support will we be able to do optimizations to
        leverage the lack of this feature. It's important to keep the support code, and the test
        infrastructure, in place before we are confident. The logic to keep this working touches
        the entire compiler and a large chunk of the runtime, so reimplementing it - or even
        merging it back in - would be a nightmare. That's also basically the reason why we want
        to rip it out if at all possible. It's a lot of terrible code.

        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::createArguments):
        * runtime/Arguments.h:
        (JSC::Arguments::create):
        (JSC::Arguments::finishCreation):
        * runtime/Options.h:
        * tests/stress/disable-function-dot-arguments.js: Added.
        (foo):
        (bar):

2014-09-26  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Automatic Inspection should continue once all breakpoints are loaded
        https://bugs.webkit.org/show_bug.cgi?id=137038

        Reviewed by Timothy Hatcher.

        Add a new protocol command "Inspector.initialized" that signifies to the backend
        when the frontend has sent all its initialization messages to the backend. This
        can include information like breakpoints, which we would want to have loaded
        before any JavaScript evaluates in the context.

        * inspector/protocol/InspectorDomain.json:
        New protocol command, Inspector.initialized.

        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::InspectorAgent):
        (Inspector::InspectorAgent::initialized):
        Tell the InspectorEnvironment (the Controller) the frontend has initialized.

        * inspector/InspectorEnvironment.h:
        Abstract virtual method to handle frontend initialization. To be
        implemented by all of the InspectorControllers.

        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::connectFrontend):
        (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
        (Inspector::JSGlobalObjectInspectorController::frontendInitialized):
        When a frontend is initialized, if it was automatic inspection unpause the debuggable.

        * inspector/remote/RemoteInspectorDebuggable.cpp:
        (Inspector::RemoteInspectorDebuggable::unpauseForInitializedInspector):
        Complete setup for this debuggable.

        * inspector/remote/RemoteInspectorDebuggable.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorDebuggableConnection::setup):
        Move the setup complete to later, when the frontend sends an "initialized" message.

        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate):
        Provide a longer timeout now that the frontend must send messages after the connection
        has established. The longest I have seen is 600ms, but the average tends to be 200ms.
        So bump the timeout to 800ms for a buffer.

        (Inspector::RemoteInspector::setupSucceeded): Deleted.
        (Inspector::RemoteInspector::setupCompleted):
        Rename, as this happens at a slightly different time.

2014-09-26  Filip Pizlo  <fpizlo@apple.com>

        DFG shouldn't insert store barriers when it has it on good authority that we're not storing a cell
        https://bugs.webkit.org/show_bug.cgi?id=137161

        Reviewed by Mark Hahnenberg.

        This looks like a 1% Octane speed-up.

        * bytecode/SpeculatedType.h:
        (JSC::isNotCellSpeculation):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::insertStoreBarrier):
        (JSC::DFG::FixupPhase::insertCheck):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateNotCell):

2014-09-26  Peter Varga  <pvarga@webkit.org>

        Fix typo in YARR at BOL check
        https://bugs.webkit.org/show_bug.cgi?id=137144

        Reviewed by Darin Adler.

        * yarr/YarrPattern.cpp: replace bitwise and operator by logical and
        (JSC::Yarr::YarrPatternConstructor::assertionBOL):

2014-09-25  Saam Barati  <saambarati1@gmail.com>

        Web Inspector: console.assert(bitString) TypeSet:50
        https://bugs.webkit.org/show_bug.cgi?id=137051

        Reviewed by Joseph Pecoraro.

        This patch creates stricter requirements on a TypeDescription
        being valid. To be valid, a TypeDescription now ensures that
        the TypeSet it describes has non-null type information.

        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        * runtime/TypeSet.h:
        (JSC::TypeSet::isEmpty):

2014-09-25  Filip Pizlo  <fpizlo@apple.com>

        FTL should sink object allocations
        https://bugs.webkit.org/show_bug.cgi?id=136330

        Reviewed by Oliver Hunt.

        This adds a comprehensive infrastructure for sinking object allocations in DFG SSA form. The
        ultimate goal of sinking is to sink an allocation "past the points of its death" - i.e. to
        eliminate it completely. The way sinking reasons about the CFG means that it resembles a
        partial escape analysis: we create paths through a function where some allocation(s) don't
        have to be done at all even if there are other paths along which those allocations still have
        to happen. But it also produces other side benefits. Even if an allocation isn't eliminated
        along any path, the act of sinking reduces the number of barriers that have to execute.

        Because this was a fairly ambitious SSA analysis and transformation, I added a bunch of C++11
        sugar to the DFG's internal APIs to allow for easier iteration over blocks, nodes, and
        successors; and to add more functor goodness to allow for more lambdas.

        This is just the beginning. The bug has a bunch of other bugs that depend on it. So far this
        is a spectacular speed-up on microbenchmarks but it's still too limited to affect big
        benchmarks. For example, doing o == p makes the sinking phase think that o and p escape.
        That's just an omission and there are likely others; we can easily fix them. I think it's
        best to land it in its current form and then to worry about the big benchmarks in subsequent
        work (see bug 137126).

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/StructureSet.h:
        (JSC::StructureSet::iterator::iterator):
        (JSC::StructureSet::iterator::operator*):
        (JSC::StructureSet::iterator::operator++):
        (JSC::StructureSet::iterator::operator==):
        (JSC::StructureSet::iterator::operator!=):
        (JSC::StructureSet::begin):
        (JSC::StructureSet::end):
        * dfg/DFGAbstractInterpreter.h:
        (JSC::DFG::AbstractInterpreter::phiChildren):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::AbstractInterpreter):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
        * dfg/DFGAvailability.h:
        (JSC::DFG::Availability::shouldUseNode):
        (JSC::DFG::Availability::isFlushUseful):
        (JSC::DFG::Availability::isDead):
        (JSC::DFG::Availability::operator!=):
        * dfg/DFGAvailabilityMap.cpp: Added.
        (JSC::DFG::AvailabilityMap::prune):
        (JSC::DFG::AvailabilityMap::clear):
        (JSC::DFG::AvailabilityMap::dump):
        (JSC::DFG::AvailabilityMap::operator==):
        (JSC::DFG::AvailabilityMap::merge):
        * dfg/DFGAvailabilityMap.h: Added.
        (JSC::DFG::AvailabilityMap::forEachAvailability):
        * dfg/DFGBasicBlock.cpp:
        (JSC::DFG::BasicBlock::SSAData::SSAData):
        * dfg/DFGBasicBlock.h:
        (JSC::DFG::BasicBlock::begin):
        (JSC::DFG::BasicBlock::end):
        (JSC::DFG::BasicBlock::SuccessorsIterable::SuccessorsIterable):
        (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::iterator):
        (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator*):
        (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator++):
        (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator==):
        (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator!=):
        (JSC::DFG::BasicBlock::SuccessorsIterable::begin):
        (JSC::DFG::BasicBlock::SuccessorsIterable::end):
        (JSC::DFG::BasicBlock::successors):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGFlushedAt.cpp:
        (JSC::DFG::FlushedAt::dump):
        * dfg/DFGFlushedAt.h:
        (JSC::DFG::FlushedAt::FlushedAt):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::dumpBlockHeader):
        (JSC::DFG::Graph::mergeRelevantToOSR):
        (JSC::DFG::Graph::invalidateCFG):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::NaturalBlockIterable::NaturalBlockIterable):
        (JSC::DFG::Graph::NaturalBlockIterable::iterator::iterator):
        (JSC::DFG::Graph::NaturalBlockIterable::iterator::operator*):
        (JSC::DFG::Graph::NaturalBlockIterable::iterator::operator++):
        (JSC::DFG::Graph::NaturalBlockIterable::iterator::operator==):
        (JSC::DFG::Graph::NaturalBlockIterable::iterator::operator!=):
        (JSC::DFG::Graph::NaturalBlockIterable::iterator::findNext):
        (JSC::DFG::Graph::NaturalBlockIterable::begin):
        (JSC::DFG::Graph::NaturalBlockIterable::end):
        (JSC::DFG::Graph::blocksInNaturalOrder):
        (JSC::DFG::Graph::doToChildrenWithNode):
        (JSC::DFG::Graph::doToChildren):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGInsertOSRHintsForUpdate.cpp: Added.
        (JSC::DFG::insertOSRHintsForUpdate):
        * dfg/DFGInsertOSRHintsForUpdate.h: Added.
        * dfg/DFGInsertionSet.h:
        (JSC::DFG::InsertionSet::graph):
        * dfg/DFGMayExit.cpp:
        (JSC::DFG::mayExit):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToPutByOffsetHint):
        (JSC::DFG::Node::convertToPutStructureHint):
        (JSC::DFG::Node::convertToPhantomNewObject):
        (JSC::DFG::Node::isCellConstant):
        (JSC::DFG::Node::castConstant):
        (JSC::DFG::Node::hasIdentifier):
        (JSC::DFG::Node::hasStorageAccessData):
        (JSC::DFG::Node::hasObjectMaterializationData):
        (JSC::DFG::Node::objectMaterializationData):
        (JSC::DFG::Node::isPhantomObjectAllocation):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
        (JSC::DFG::LocalOSRAvailabilityCalculator::endBlock):
        (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
        * dfg/DFGOSRAvailabilityAnalysisPhase.h:
        * dfg/DFGObjectAllocationSinkingPhase.cpp: Added.
        (JSC::DFG::ObjectAllocationSinkingPhase::ObjectAllocationSinkingPhase):
        (JSC::DFG::ObjectAllocationSinkingPhase::run):
        (JSC::DFG::ObjectAllocationSinkingPhase::performSinking):
        (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints):
        (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints):
        (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations):
        (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields):
        (JSC::DFG::ObjectAllocationSinkingPhase::resolve):
        (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
        (JSC::DFG::ObjectAllocationSinkingPhase::createMaterialize):
        (JSC::DFG::ObjectAllocationSinkingPhase::populateMaterialize):
        (JSC::DFG::performObjectAllocationSinking):
        * dfg/DFGObjectAllocationSinkingPhase.h: Added.
        * dfg/DFGObjectMaterializationData.cpp: Added.
        (JSC::DFG::PhantomPropertyValue::dump):
        (JSC::DFG::ObjectMaterializationData::dump):
        (JSC::DFG::ObjectMaterializationData::oneWaySimilarityScore):
        (JSC::DFG::ObjectMaterializationData::similarityScore):
        * dfg/DFGObjectMaterializationData.h: Added.
        (JSC::DFG::PhantomPropertyValue::PhantomPropertyValue):
        (JSC::DFG::PhantomPropertyValue::operator==):
        * dfg/DFGPhantomCanonicalizationPhase.cpp:
        (JSC::DFG::PhantomCanonicalizationPhase::run):
        * dfg/DFGPhantomRemovalPhase.cpp:
        (JSC::DFG::PhantomRemovalPhase::run):
        * dfg/DFGPhiChildren.cpp: Added.
        (JSC::DFG::PhiChildren::PhiChildren):
        (JSC::DFG::PhiChildren::~PhiChildren):
        (JSC::DFG::PhiChildren::upsilonsOf):
        * dfg/DFGPhiChildren.h: Added.
        (JSC::DFG::PhiChildren::forAllIncomingValues):
        (JSC::DFG::PhiChildren::forAllTransitiveIncomingValues):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPrePostNumbering.cpp: Added.
        (JSC::DFG::PrePostNumbering::PrePostNumbering):
        (JSC::DFG::PrePostNumbering::~PrePostNumbering):
        (JSC::DFG::PrePostNumbering::compute):
        (WTF::printInternal):
        * dfg/DFGPrePostNumbering.h: Added.
        (JSC::DFG::PrePostNumbering::preNumber):
        (JSC::DFG::PrePostNumbering::postNumber):
        (JSC::DFG::PrePostNumbering::isStrictAncestorOf):
        (JSC::DFG::PrePostNumbering::isAncestorOf):
        (JSC::DFG::PrePostNumbering::isStrictDescendantOf):
        (JSC::DFG::PrePostNumbering::isDescendantOf):
        (JSC::DFG::PrePostNumbering::edgeKind):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGPromoteHeapAccess.h: Added.
        (JSC::DFG::promoteHeapAccess):
        * dfg/DFGPromotedHeapLocation.cpp: Added.
        (JSC::DFG::PromotedLocationDescriptor::dump):
        (JSC::DFG::PromotedHeapLocation::createHint):
        (JSC::DFG::PromotedHeapLocation::dump):
        (WTF::printInternal):
        * dfg/DFGPromotedHeapLocation.h: Added.
        (JSC::DFG::PromotedLocationDescriptor::PromotedLocationDescriptor):
        (JSC::DFG::PromotedLocationDescriptor::operator!):
        (JSC::DFG::PromotedLocationDescriptor::kind):
        (JSC::DFG::PromotedLocationDescriptor::info):
        (JSC::DFG::PromotedLocationDescriptor::hash):
        (JSC::DFG::PromotedLocationDescriptor::operator==):
        (JSC::DFG::PromotedLocationDescriptor::operator!=):
        (JSC::DFG::PromotedLocationDescriptor::isHashTableDeletedValue):
        (JSC::DFG::PromotedHeapLocation::PromotedHeapLocation):
        (JSC::DFG::PromotedHeapLocation::operator!):
        (JSC::DFG::PromotedHeapLocation::kind):
        (JSC::DFG::PromotedHeapLocation::base):
        (JSC::DFG::PromotedHeapLocation::info):
        (JSC::DFG::PromotedHeapLocation::descriptor):
        (JSC::DFG::PromotedHeapLocation::hash):
        (JSC::DFG::PromotedHeapLocation::operator==):
        (JSC::DFG::PromotedHeapLocation::isHashTableDeletedValue):
        (JSC::DFG::PromotedHeapLocationHash::hash):
        (JSC::DFG::PromotedHeapLocationHash::equal):
        * dfg/DFGSSACalculator.cpp:
        (JSC::DFG::SSACalculator::reset):
        * dfg/DFGSSACalculator.h:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureRegistrationPhase.cpp:
        (JSC::DFG::StructureRegistrationPhase::run):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLExitPropertyValue.cpp: Added.
        (JSC::FTL::ExitPropertyValue::dump):
        * ftl/FTLExitPropertyValue.h: Added.
        (JSC::FTL::ExitPropertyValue::ExitPropertyValue):
        (JSC::FTL::ExitPropertyValue::operator!):
        (JSC::FTL::ExitPropertyValue::location):
        (JSC::FTL::ExitPropertyValue::value):
        * ftl/FTLExitTimeObjectMaterialization.cpp: Added.
        (JSC::FTL::ExitTimeObjectMaterialization::ExitTimeObjectMaterialization):
        (JSC::FTL::ExitTimeObjectMaterialization::~ExitTimeObjectMaterialization):
        (JSC::FTL::ExitTimeObjectMaterialization::add):
        (JSC::FTL::ExitTimeObjectMaterialization::get):
        (JSC::FTL::ExitTimeObjectMaterialization::dump):
        * ftl/FTLExitTimeObjectMaterialization.h: Added.
        (JSC::FTL::ExitTimeObjectMaterialization::type):
        (JSC::FTL::ExitTimeObjectMaterialization::properties):
        * ftl/FTLExitValue.cpp:
        (JSC::FTL::ExitValue::materializeNewObject):
        (JSC::FTL::ExitValue::dumpInContext):
        * ftl/FTLExitValue.h:
        (JSC::FTL::ExitValue::isObjectMaterialization):
        (JSC::FTL::ExitValue::objectMaterialization):
        (JSC::FTL::ExitValue::withVirtualRegister):
        (JSC::FTL::ExitValue::valueFormat):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
        (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
        (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
        (JSC::FTL::LowerDFGToLLVM::compileNewObject):
        (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
        (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
        (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
        (JSC::FTL::LowerDFGToLLVM::compileCheckStructureImmediate):
        (JSC::FTL::LowerDFGToLLVM::compileMaterializeNewObject):
        (JSC::FTL::LowerDFGToLLVM::checkStructure):
        (JSC::FTL::LowerDFGToLLVM::allocateCell):
        (JSC::FTL::LowerDFGToLLVM::storeStructure):
        (JSC::FTL::LowerDFGToLLVM::allocateObject):
        (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
        (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
        (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
        (JSC::FTL::LowerDFGToLLVM::weakStructureID):
        (JSC::FTL::LowerDFGToLLVM::weakStructure):
        (JSC::FTL::LowerDFGToLLVM::availabilityMap):
        (JSC::FTL::LowerDFGToLLVM::availability): Deleted.
        * ftl/FTLOSRExit.h:
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileRecovery):
        (JSC::FTL::compileStub):
        * ftl/FTLOperations.cpp: Added.
        (JSC::FTL::operationNewObjectWithButterfly):
        (JSC::FTL::operationMaterializeObjectInOSR):
        * ftl/FTLOperations.h: Added.
        * ftl/FTLSwitchCase.h:
        (JSC::FTL::SwitchCase::SwitchCase):
        * runtime/JSObject.h:
        (JSC::JSObject::finishCreation):
        (JSC::JSFinalObject::JSFinalObject):
        (JSC::JSFinalObject::create):
        * runtime/Structure.cpp:
        (JSC::Structure::canUseForAllocationsOf):
        * runtime/Structure.h:
        * tests/stress/elidable-new-object-roflcopter-then-exit.js: Added.
        (sumOfArithSeries):
        (foo):
        * tests/stress/elide-new-object-dag-then-exit.js: Added.
        (sumOfArithSeries):
        (bar):
        (verify):
        (foo):
        * tests/stress/obviously-elidable-new-object-then-exit.js: Added.
        (sumOfArithSeries):
        (foo):

611 2014-09-25  Brian J. Burg  <burg@cs.washington.edu>
612
613         Web Replay: Check event loop input extents during replaying too
614         https://bugs.webkit.org/show_bug.cgi?id=136316
615
616         Reviewed by Timothy Hatcher.
617
618         Sometimes we see different nondeterminism during capture and replay
619         executions, so we should add determinism checks during replay too.
620
621         Move the withinEventLoopInputExtent flag to the base class, and tighten
622         the assertion to address <http://webkit.org/b/133019>.
623
624         * replay/InputCursor.h:
625         (JSC::InputCursor::InputCursor):
626         (JSC::InputCursor::setWithinEventLoopInputExtent): Added.
627         This assertion is slightly wrong because it does not account for nested run loops.
628         We can be within two input extents when a nested run loop processes additional
629         user inputs while the debugger is paused.
630
631         This should only be the case when execution is being neither captured nor
632         replayed. The debugger should not pause when capturing, and we should not replay
633         event loop inputs while in a nested run loop.
634
635         (JSC::InputCursor::withinEventLoopInputExtent): Added.
636
637 2014-09-25  Csaba Osztrogonác  <ossy@webkit.org>
638
639         Remove WinCE port from trunk
640         https://bugs.webkit.org/show_bug.cgi?id=136951
641
642         Reviewed by Alex Christensen.
643
644         * assembler/ARMAssembler.h:
645         (JSC::ARMAssembler::cacheFlush):
646         * assembler/ARMv7Assembler.h:
647         (JSC::ARMv7Assembler::cacheFlush):
648         * config.h:
649         * heap/MachineStackMarker.cpp:
650         (JSC::MachineThreads::gatherFromCurrentThread):
651         (JSC::MachineThreads::gatherFromOtherThread):
652         (JSC::swapIfBackwards): Deleted.
653         * jit/ExecutableAllocator.h:
654         * jsc.cpp:
655         (main):
656         * runtime/DateConstructor.cpp:
657         * runtime/Options.cpp:
658         (JSC::overrideOptionWithHeuristic):
659         * runtime/VM.cpp:
660         (JSC::VM::VM):
661         * testRegExp.cpp:
662         (main):
663         * tools/CodeProfiling.cpp:
664         (JSC::CodeProfiling::notifyAllocator):
665
666 2014-09-24  Brian J. Burg  <burg@cs.washington.edu>
667
668         Web Inspector: subtract elapsed time while debugger is paused from profile nodes
669         https://bugs.webkit.org/show_bug.cgi?id=136796
670
671         Reviewed by Timothy Hatcher.
672
673         Rather than accruing no time to any profile node created while the debugger is paused,
674         we can instead count a node's elapsed time and exclude time elapsed while paused.
675
676         Time for a node may elapse in a non-contiguous fashion depending on the interleaving of
677         didPause, didContinue, willExecute, and didExecute. A node's start time is set to the
678         start of the last such interval that accrues elapsed time.
679
680         * profiler/ProfileGenerator.cpp:
681         (JSC::ProfileGenerator::ProfileGenerator):
682         (JSC::ProfileGenerator::beginCallEntry):
683         (JSC::ProfileGenerator::endCallEntry):
684         (JSC::ProfileGenerator::didPause): Added.
685         (JSC::ProfileGenerator::didContinue): Added.
686         * profiler/ProfileGenerator.h:
687         (JSC::ProfileGenerator::didPause): Deleted.
688         (JSC::ProfileGenerator::didContinue): Deleted.
689         * profiler/ProfileNode.h: Rename totalTime to elapsedTime.
690         (JSC::ProfileNode::Call::Call):
691         (JSC::ProfileNode::Call::elapsedTime): Added.
692         (JSC::ProfileNode::Call::setElapsedTime): Added.
693         (JSC::CalculateProfileSubtreeDataFunctor::operator()):
694         (JSC::ProfileNode::Call::totalTime): Deleted.
695         (JSC::ProfileNode::Call::setTotalTime): Deleted.
696
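The accounting described in the entry above (elapsed time accrued in intervals, with paused time excluded), as an added example in C++; this is illustrative code written for this page, not ProfileGenerator or ProfileNode from JavaScriptCore, and the FakeClock, ProfileCall class and the timeline it drives are constructed for the example.

```cpp
// Added example, not JavaScriptCore code: a minimal model of one profile call
// whose elapsed time excludes intervals during which the debugger was paused.
// The clock is injected so the example runs deterministically offline.
#include <cstdio>

// Simulated monotonic clock (constructed for this example).
struct FakeClock {
    double now = 0.0;
    void advance(double seconds) { now += seconds; }
};

class ProfileCall {
public:
    explicit ProfileCall(FakeClock& clock) : m_clock(clock) {}

    // willExecute: the call starts accruing time now.
    void begin()
    {
        m_startTime = m_clock.now;
        m_running = true;
    }

    // didPause: bank the time accrued since the start of the current interval
    // and stop accruing until didContinue.
    void didPause()
    {
        if (!m_running || m_paused)
            return;
        m_elapsedTime += m_clock.now - m_startTime;
        m_paused = true;
    }

    // didContinue: a new accruing interval begins at the current time, so the
    // start time is the start of the last interval that counts, not the first call.
    void didContinue()
    {
        if (!m_running || !m_paused)
            return;
        m_startTime = m_clock.now;
        m_paused = false;
    }

    // didExecute: close the final interval and return the total elapsed time.
    double end()
    {
        if (m_running && !m_paused)
            m_elapsedTime += m_clock.now - m_startTime;
        m_running = false;
        m_paused = false;
        return m_elapsedTime;
    }

private:
    FakeClock& m_clock;
    double m_startTime = 0.0;
    double m_elapsedTime = 0.0;
    bool m_running = false;
    bool m_paused = false;
};

// Drives one call through a constructed pause/continue timeline and returns its
// elapsed time: 1s running, 5s paused, 2s running, 10s paused, 0.5s running.
double elapsedTimeExcludingPauses()
{
    FakeClock clock;
    ProfileCall call(clock);
    call.begin();
    clock.advance(1.0);
    call.didPause();
    clock.advance(5.0);
    call.didContinue();
    clock.advance(2.0);
    call.didPause();
    clock.advance(10.0);
    call.didContinue();
    clock.advance(0.5);
    return call.end();
}

// Naive wall-clock accounting (end minus begin) for the same timeline, for comparison.
double wallClockTimeForSameTimeline()
{
    return 1.0 + 5.0 + 2.0 + 10.0 + 0.5;
}

int main()
{
    std::printf("elapsed excluding pauses: %.1f s (wall clock %.1f s)\n",
        elapsedTimeExcludingPauses(), wallClockTimeForSameTimeline());
    return 0;
}
```

The two guard conditions in didPause and didContinue are what make interleavings like pause, pause, continue harmless: a second didPause must not bank the same interval twice, and a didContinue without a preceding pause must not reset the start time.
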
697 2014-09-24  Commit Queue  <commit-queue@webkit.org>
698
699         Unreviewed, rolling out r173839.
700         https://bugs.webkit.org/show_bug.cgi?id=137062
701
702         NumberConstruct should no longer use static tables (Requested
703         by dpino on #webkit).
704
705         Reverted changeset:
706
707         "Simple ES6 feature: Number constructor extras"
708         https://bugs.webkit.org/show_bug.cgi?id=131707
709         http://trac.webkit.org/changeset/173839
710
711 2014-09-23  Mark Lam  <mark.lam@apple.com>
712
713         DebuggerCallFrame::invalidate() should invalidate all DebuggerScope chains.
714         <https://webkit.org/b/137045>
715
716         Reviewed by Geoffrey Garen.
717
718         DebuggerCallFrame::invalidate() currently invalidates all DebuggerCallFrames
719         in the debugger stack, but only invalidates the DebuggerScope chain of the
720         topmost frame.  We should also invalidate all the DebuggerScope chains of
721         the other frames in the debugger stack.
722
723         * debugger/DebuggerCallFrame.cpp:
724         (JSC::DebuggerCallFrame::invalidate):
725         * debugger/DebuggerScope.cpp:
726         (JSC::DebuggerScope::invalidateChain):
727
728 2014-09-23  Mark Lam  <mark.lam@apple.com>
729
730         Renamed DebuggerCallFrameScope to DebuggerPausedScope.
731         <https://webkit.org/b/137042>
732
733         Reviewed by Michael Saboff.
734
735         DebuggerPausedScope is a better name for this data structure because it
736         is meant for tracking the period within which the debugger is paused,
737         and doing clean ups after the pause ends.
738
739         * debugger/Debugger.cpp:
740         (JSC::DebuggerPausedScope::DebuggerPausedScope):
741         (JSC::DebuggerPausedScope::~DebuggerPausedScope):
742         (JSC::Debugger::pauseIfNeeded):
743         (JSC::DebuggerCallFrameScope::DebuggerCallFrameScope): Deleted.
744         (JSC::DebuggerCallFrameScope::~DebuggerCallFrameScope): Deleted.
745         * debugger/Debugger.h:
746         * debugger/DebuggerCallFrame.h:
747
748 2014-09-23  Tomas Popela  <tpopela@redhat.com>
749
750         [CLoop] - Fix CLoop on the 32-bit Big-Endians
751         https://bugs.webkit.org/show_bug.cgi?id=137020
752
753         Reviewed by Mark Lam.
754
755         * llint/LowLevelInterpreter.asm:
756         * llint/LowLevelInterpreter32_64.asm:
757
758 2014-09-23  Joseph Pecoraro  <pecoraro@apple.com>
759
760         Web Inspector: Should be able to attach a debugger to a JSContext before anything is executed
761         https://bugs.webkit.org/show_bug.cgi?id=136893
762
763         Reviewed by Timothy Hatcher.
764
765         Adds new remote inspector protocol handling for automatic inspection.
766         Debuggers can signal they have enabled automatic inspection, and
767         when debuggables are created the current application will pause to
768         see if the debugger will inspect or decline to inspect the debuggable.
769
770         * inspector/remote/RemoteInspectorConstants.h:
771         * inspector/remote/RemoteInspector.h:
772         * inspector/remote/RemoteInspector.mm:
773         (Inspector::globalAutomaticInspectionState):
774         (Inspector::RemoteInspector::RemoteInspector):
775         (Inspector::RemoteInspector::start):
776         When first starting, check the global "is there an auto-inspect" debugger state.
777         This is necessary so that the current application knows if it should pause or
778         not when a debuggable is created, even without having connected to webinspectord yet.
779
780         (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate):
781         When a debuggable has enabled remote inspection, take this path to propose
782         it as an automatic inspection candidate if there is an auto-inspect debugger.
783
784         (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage):
785         Send the automatic inspection candidate message.
786
787         (Inspector::RemoteInspector::receivedSetupMessage):
788         (Inspector::RemoteInspector::setupFailed):
789         (Inspector::RemoteInspector::setupSucceeded):
790         After attempting to open an inspector, unpause if it was for the
791         automatic inspection candidate.
792
793         (Inspector::RemoteInspector::waitingForAutomaticInspection):
794         When running a nested runloop, check if we should remain paused.
795
796         (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
797         If by the time we connect to webinspectord we have a candidate, then
798         immediately send the candidate message.
799
800         (Inspector::RemoteInspector::stopInternal):
801         (Inspector::RemoteInspector::xpcConnectionFailed):
802         In error cases, clear our state.
803
804         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
805         (Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage):
806         (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage):
807         Update state when receiving new messages.
808
809
810         * inspector/remote/RemoteInspectorDebuggable.h:
811         * inspector/remote/RemoteInspectorDebuggable.cpp:
812         (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
813         Special case when a debuggable is newly allowed to be debuggable.
814
815         (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection):
816         Run a nested run loop while this is an automatic inspection candidate.
817
818         * inspector/JSGlobalObjectInspectorController.h:
819         * inspector/JSGlobalObjectInspectorController.cpp:
820         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
821         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
822         When the inspector starts via automatic inspection automatically pause.
823         We plan on removing this condition by having the frontend signal to the
824         backend when it is completely initialized.
825         
826         * inspector/remote/RemoteInspectorDebuggableConnection.h:
827         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
828         (Inspector::RemoteInspectorDebuggableConnection::setup):
829         Pass on the flag of whether or not this was automatic inspection.
830
831         * runtime/JSGlobalObjectDebuggable.h:
832         * runtime/JSGlobalObjectDebuggable.cpp:
833         (JSC::JSGlobalObjectDebuggable::connect):
834         (JSC::JSGlobalObjectDebuggable::pauseWaitingForAutomaticInspection):
835         When pausing in a JSGlobalObject we need to release the API lock.
836
837 2014-09-22  Filip Pizlo  <fpizlo@apple.com>
838
839         FTL allocatePropertyStorage code should involve less copy-paste
840         https://bugs.webkit.org/show_bug.cgi?id=137006
841
842         Reviewed by Michael Saboff.
843
844         * ftl/FTLLowerDFGToLLVM.cpp:
845         (JSC::FTL::LowerDFGToLLVM::allocatePropertyStorage):
846         (JSC::FTL::LowerDFGToLLVM::reallocatePropertyStorage):
847         (JSC::FTL::LowerDFGToLLVM::allocatePropertyStorageWithSizeImpl):
848
849 2014-09-22  Diego Pino Garcia  <dpino@igalia.com>
850
851         Simple ES6 feature: Number constructor extras
852         https://bugs.webkit.org/show_bug.cgi?id=131707
853
854         Reviewed by Darin Adler.
855
856         * runtime/CommonIdentifiers.h: Added new identifiers.
857         * runtime/NumberConstructor.cpp:
858         (JSC::NumberConstructor::getOwnPropertySlot):
859         (JSC::NumberConstructor::isFunction): Added.
860         (JSC::numberConstructorEpsilonValue): Added.
861         (JSC::numberConstructorNegInfinity): Added.
862         (JSC::numberConstructorPosInfinity): Added.
863         (JSC::numberConstructorMaxValue): Added.
864         (JSC::numberConstructorMinValue): Added.
865         (JSC::numberConstructorMaxSafeInteger): Added.
866         (JSC::numberConstructorMinSafeInteger): Added.
867         (JSC::numberConstructorFuncIsFinite): Added.
868         (JSC::numberConstructorFuncIsInteger): Added.
869         (JSC::numberConstructorFuncIsNaN): Added.
870         (JSC::numberConstructorFuncIsSafeInteger): Added.
871         * runtime/NumberConstructor.h:
872
873 2014-09-21  Filip Pizlo  <fpizlo@apple.com>
874
875         FTL should store the four bytes of the cell header using a 32-bit store rather than four 8-bit stores
876         https://bugs.webkit.org/show_bug.cgi?id=136992
877
878         Reviewed by Sam Weinig.
879         
880         LLVM ought to be able to do this optimization for us given how the code was written, but
881         any such lower-level attempts to optimize this would get into trouble with the weird
882         object materialization logic I'll be introducing in bug 136330. So, this brings the
883         merging of the byte stores into the FTL lowering so that we can control it explicitly.
884
885         * ftl/FTLAbstractHeap.h:
886         (JSC::FTL::AbstractHeap::changeParent):
887         * ftl/FTLAbstractHeapRepository.cpp:
888         (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
889         * ftl/FTLAbstractHeapRepository.h:
890         * ftl/FTLLowerDFGToLLVM.cpp:
891         (JSC::FTL::LowerDFGToLLVM::allocateCell):
892
893 2014-09-21  Saam Barati  <saambarati1@gmail.com>
894
895         Web Inspector: fix TypeSet hierarchy in TypeTokenView
896         https://bugs.webkit.org/show_bug.cgi?id=136982
897
898         Reviewed by Joseph Pecoraro.
899
900         TypeSet was computing the set of type booleans in the Inspector::Protocol::Runtime::TypeSet 
901         object incorrectly because it was calling TypeSet::doesTypeConformTo(T) which checks if the 
902         type set has only been of type T. It now checks '(m_seenTypes & T) != TypeNothing' to see 
903         if type T is in the set of seen types, but not the entire set itself.
904
905         * runtime/TypeSet.cpp:
906         (JSC::TypeSet::inspectorTypeSet):
907
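The distinction the entry above draws, between "the set conforms to T" (every observed value was of type T) and "T is in the set of seen types", as an added C++ example; this is illustrative code written for this page, not JavaScriptCore's TypeSet, and the RuntimeType flag values, InspectorTypeFlags struct and function names are chosen for the example.

```cpp
// Added example, not JavaScriptCore code: a type set stored as a bitmask, showing
// why an exact-conformance test is the wrong primitive for reporting per-type
// booleans, and the membership test that replaces it.
#include <cstdint>
#include <cstdio>

// Bit flags for observed runtime types (values chosen for this example).
enum RuntimeType : uint32_t {
    TypeNothing   = 0x0,
    TypeUndefined = 0x1,
    TypeNull      = 0x2,
    TypeBoolean   = 0x4,
    TypeNumber    = 0x8,
    TypeString    = 0x10,
    TypeObject    = 0x20,
};

struct InspectorTypeFlags {
    bool isUndefined, isNull, isBoolean, isNumber, isString, isObject;
};

class TypeSet {
public:
    void addObservedType(RuntimeType type) { m_seenTypes |= type; }

    // True only if every observed value was of a type within `test` (exact conformance).
    bool doesTypeConformTo(uint32_t test) const
    {
        return m_seenTypes != TypeNothing && (m_seenTypes & ~test) == TypeNothing;
    }

    // True if any type in `test` appears in the set of seen types (membership).
    bool hasSeenType(uint32_t test) const
    {
        return (m_seenTypes & test) != TypeNothing;
    }

    // Buggy: uses conformance, so a set that has seen two types reports neither.
    InspectorTypeFlags inspectorTypeSetBuggy() const
    {
        return { doesTypeConformTo(TypeUndefined), doesTypeConformTo(TypeNull),
                 doesTypeConformTo(TypeBoolean), doesTypeConformTo(TypeNumber),
                 doesTypeConformTo(TypeString), doesTypeConformTo(TypeObject) };
    }

    // Fixed: uses membership, so every seen type is reported.
    InspectorTypeFlags inspectorTypeSet() const
    {
        return { hasSeenType(TypeUndefined), hasSeenType(TypeNull),
                 hasSeenType(TypeBoolean), hasSeenType(TypeNumber),
                 hasSeenType(TypeString), hasSeenType(TypeObject) };
    }

private:
    uint32_t m_seenTypes = TypeNothing;
};

// Number of per-type flags set, so the difference between the two is a number.
static int countSetFlags(const InspectorTypeFlags& f)
{
    return f.isUndefined + f.isNull + f.isBoolean + f.isNumber + f.isString + f.isObject;
}

// A variable that has held a number and later a string (constructed input).
int buggyFlagCountForNumberAndString()
{
    TypeSet set;
    set.addObservedType(TypeNumber);
    set.addObservedType(TypeString);
    return countSetFlags(set.inspectorTypeSetBuggy());
}

int fixedFlagCountForNumberAndString()
{
    TypeSet set;
    set.addObservedType(TypeNumber);
    set.addObservedType(TypeString);
    return countSetFlags(set.inspectorTypeSet());
}

// With a single seen type the two tests agree, which is why the bug was easy to miss.
int fixedFlagCountForNumberOnly()
{
    TypeSet set;
    set.addObservedType(TypeNumber);
    return countSetFlags(set.inspectorTypeSet());
}

int main()
{
    std::printf("number+string: buggy=%d fixed=%d; number only: fixed=%d\n",
        buggyFlagCountForNumberAndString(), fixedFlagCountForNumberAndString(),
        fixedFlagCountForNumberOnly());
    return 0;
}
```
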
908 2014-09-21  Filip Pizlo  <fpizlo@apple.com>
909
910         Structure should have a method for concurrently getting all of the property map entries, and this method shouldn't involve copy-paste
911         https://bugs.webkit.org/show_bug.cgi?id=136983
912
913         Reviewed by Mark Hahnenberg.
914
915         * runtime/PropertyMapHashTable.h:
916         (JSC::PropertyMapEntry::PropertyMapEntry): Moved PropertyMapEntry struct to Structure.h so that Structure can refer to it.
917         * runtime/Structure.cpp:
918         (JSC::Structure::getConcurrently): Switch to using the new forEachPropertyConcurrently() method.
919         (JSC::Structure::getPropertiesConcurrently): The subject of this patch. It will be useful for object allocation sinking (bug 136330).
920         (JSC::Structure::dump): Switch to using the new forEachPropertyConcurrently() method.
921         * runtime/Structure.h:
922         (JSC::PropertyMapEntry::PropertyMapEntry): Moved from PropertyMapHashTable.h.
923         * runtime/StructureInlines.h:
924         (JSC::Structure::forEachPropertyConcurrently): Capture this very common concurrent structure iteration pattern into a template method.
925
926 2014-09-21  Filip Pizlo  <fpizlo@apple.com>
927
928         Structure::getConcurrently() doesn't need to take a VM& argument.
929
930         Rubber stamped by Dan Bernstein.
931         
932         Removed the extra argument, and then removed similar arguments from other methods until
933         I could build successfully again. It turned out that many methods took a VM& argument
934         just for calling getConcurrently().
935
936         * bytecode/CodeBlock.cpp:
937         (JSC::dumpStructure):
938         (JSC::dumpChain):
939         (JSC::CodeBlock::printGetByIdCacheStatus):
940         (JSC::CodeBlock::printPutByIdCacheStatus):
941         * bytecode/ComplexGetStatus.cpp:
942         (JSC::ComplexGetStatus::computeFor):
943         * bytecode/GetByIdStatus.cpp:
944         (JSC::GetByIdStatus::computeFromLLInt):
945         (JSC::GetByIdStatus::computeForStubInfo):
946         (JSC::GetByIdStatus::computeFor):
947         * bytecode/GetByIdStatus.h:
948         * bytecode/PutByIdStatus.cpp:
949         (JSC::PutByIdStatus::computeFromLLInt):
950         (JSC::PutByIdStatus::computeForStubInfo):
951         (JSC::PutByIdStatus::computeFor):
952         * bytecode/PutByIdStatus.h:
953         * dfg/DFGAbstractInterpreterInlines.h:
954         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
955         * dfg/DFGByteCodeParser.cpp:
956         (JSC::DFG::ByteCodeParser::parseBlock):
957         * dfg/DFGConstantFoldingPhase.cpp:
958         (JSC::DFG::ConstantFoldingPhase::foldConstants):
959         * dfg/DFGFixupPhase.cpp:
960         (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
961         * runtime/IntendedStructureChain.cpp:
962         (JSC::IntendedStructureChain::mayInterceptStoreTo):
963         * runtime/IntendedStructureChain.h:
964         * runtime/Structure.cpp:
965         (JSC::Structure::getConcurrently):
966         * runtime/Structure.h:
967         * runtime/StructureInlines.h:
968         (JSC::Structure::getConcurrently):
969
970 2014-09-20  Filip Pizlo  <fpizlo@apple.com>
971
972         FTL OSRExit construction should be based on methods that return ExitValues rather than methods that add ExitValues to OSRExit
973         https://bugs.webkit.org/show_bug.cgi?id=136978
974
975         Reviewed by Dean Jackson.
976
977         * ftl/FTLLowerDFGToLLVM.cpp:
978         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
979         (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
980         (JSC::FTL::LowerDFGToLLVM::exitArgument):
981         (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode): Deleted.
982         (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument): Deleted.
983         (JSC::FTL::LowerDFGToLLVM::addExitArgument): Deleted.
984
985 2014-09-20  Filip Pizlo  <fpizlo@apple.com>
986
987         FTL OSR exit should do reboxing and value recovery in the same pass
988         https://bugs.webkit.org/show_bug.cgi?id=136977
989
990         Reviewed by Oliver Hunt.
991         
992         It's conceptually simpler to have all of the logic in one place. After the
993         recover-and-rebox loop is done, all of the exit values are in the form that the baseline
994         JIT would want them to be in; the only remaining task is to move them into the right
995         place on the stack after we do all of the necessary stack adjustments.
996
997         * ftl/FTLOSRExitCompiler.cpp:
998         (JSC::FTL::compileStub):
999
1000 2014-09-19  Filip Pizlo  <fpizlo@apple.com>
1001
1002         StorageAccessData should be referenced in a sensible way
1003         https://bugs.webkit.org/show_bug.cgi?id=136963
1004
1005         Reviewed and rubber stamped by Michael Saboff.
1006
1007         * dfg/DFGAbstractInterpreterInlines.h:
1008         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1009         * dfg/DFGByteCodeParser.cpp:
1010         (JSC::DFG::ByteCodeParser::handleGetByOffset):
1011         (JSC::DFG::ByteCodeParser::handlePutByOffset):
1012         (JSC::DFG::ByteCodeParser::handlePutById):
1013         * dfg/DFGClobberize.h:
1014         (JSC::DFG::clobberize):
1015         * dfg/DFGConstantFoldingPhase.cpp:
1016         (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
1017         (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
1018         * dfg/DFGGraph.cpp:
1019         (JSC::DFG::Graph::dump):
1020         * dfg/DFGGraph.h:
1021         * dfg/DFGNode.h:
1022         (JSC::DFG::Node::convertToGetByOffset):
1023         (JSC::DFG::Node::convertToPutByOffset):
1024         (JSC::DFG::Node::storageAccessData):
1025         (JSC::DFG::Node::storageAccessDataIndex): Deleted.
1026         * dfg/DFGSafeToExecute.h:
1027         (JSC::DFG::safeToExecute):
1028         * dfg/DFGSpeculativeJIT32_64.cpp:
1029         (JSC::DFG::SpeculativeJIT::compile):
1030         * dfg/DFGSpeculativeJIT64.cpp:
1031         (JSC::DFG::SpeculativeJIT::compile):
1032         * ftl/FTLLowerDFGToLLVM.cpp:
1033         (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
1034         (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
1035
1036 2014-09-19  Ryosuke Niwa  <rniwa@webkit.org>
1037
1038         Leak of mallocs under StructureSet::OutOfLineList::create
1039         https://bugs.webkit.org/show_bug.cgi?id=136970
1040
1041         Reviewed by Filip Pizlo.
1042
1043         addOutOfLine should free the old list when expanding the capacity.
1044
1045         * bytecode/StructureSet.cpp:
1046         (JSC::StructureSet::addOutOfLine):
1047
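The leak described in the entry above (an out-of-line list that is replaced by a larger one when full, without the old one being freed), reproduced and corrected in an added C++ example; this is illustrative code written for this page, not JavaScriptCore's StructureSet, and the OutOfLineList layout, the allocation counter and the function names are constructed for the example.

```cpp
// Added example, not JavaScriptCore code: a small set that stores its members in a
// manually allocated out-of-line list and doubles the capacity when full. The
// buggy adder drops the old list on growth; the fixed one frees it after copying.
// A live-allocation counter makes the leak observable from a test.
#include <cstddef>
#include <cstdio>
#include <cstdlib>

// Hypothetical allocation counter: +2 per list (header and member array), -2 on destroy.
static int g_liveAllocations = 0;

struct OutOfLineList {
    size_t length;
    size_t capacity;
    void** list;

    static OutOfLineList* create(size_t capacity)
    {
        OutOfLineList* result = static_cast<OutOfLineList*>(std::malloc(sizeof(OutOfLineList)));
        result->length = 0;
        result->capacity = capacity;
        result->list = static_cast<void**>(std::malloc(capacity * sizeof(void*)));
        g_liveAllocations += 2;
        return result;
    }

    static void destroy(OutOfLineList* list)
    {
        if (!list)
            return;
        std::free(list->list);
        std::free(list);
        g_liveAllocations -= 2;
    }
};

class StructureSet {
public:
    ~StructureSet() { OutOfLineList::destroy(m_list); }

    // Buggy: when full, allocates a bigger list and copies, but never frees the old one.
    void addOutOfLineBuggy(void* value)
    {
        if (!m_list || m_list->length == m_list->capacity) {
            OutOfLineList* bigger = OutOfLineList::create(m_list ? m_list->capacity * 2 : 2);
            copyInto(bigger);
            m_list = bigger; // the previous list is leaked here
        }
        m_list->list[m_list->length++] = value;
    }

    // Fixed: the old list is destroyed once its contents have been copied.
    void addOutOfLine(void* value)
    {
        if (!m_list || m_list->length == m_list->capacity) {
            OutOfLineList* bigger = OutOfLineList::create(m_list ? m_list->capacity * 2 : 2);
            copyInto(bigger);
            OutOfLineList::destroy(m_list);
            m_list = bigger;
        }
        m_list->list[m_list->length++] = value;
    }

    size_t size() const { return m_list ? m_list->length : 0; }

private:
    void copyInto(OutOfLineList* target) const
    {
        if (!m_list)
            return;
        for (size_t i = 0; i < m_list->length; ++i)
            target->list[i] = m_list->list[i];
        target->length = m_list->length;
    }

    OutOfLineList* m_list = nullptr;
};

// Inserts `count` entries with the chosen adder, destroys the set, and returns the
// number of allocations still live afterwards (0 means nothing leaked).
template<void (StructureSet::*Adder)(void*)>
int leakedBlocksAfterInserting(int count)
{
    g_liveAllocations = 0;
    {
        StructureSet set;
        int dummy = 0;
        for (int i = 0; i < count; ++i)
            (set.*Adder)(&dummy);
    }
    return g_liveAllocations;
}

int leakedBlocksBuggy(int count) { return leakedBlocksAfterInserting<&StructureSet::addOutOfLineBuggy>(count); }
int leakedBlocksFixed(int count) { return leakedBlocksAfterInserting<&StructureSet::addOutOfLine>(count); }

int main()
{
    // Nine inserts grow through capacities 2, 4, 8 and 16: three lists are abandoned by the buggy path.
    std::printf("leaked allocations after 9 inserts: buggy=%d fixed=%d\n", leakedBlocksBuggy(9), leakedBlocksFixed(9));
    return 0;
}
```

Each growth step that leaks is bounded, but a set that grows many times over the life of a long-running process (the structure sets here are created during JIT compilation) turns into steadily rising memory use, which is why a leak on the growth path is worth a counter-based regression test rather than a one-off inspection.
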
1048 2014-09-19  Daniel Bates  <dabates@apple.com>
1049
1050         Always assume internal SDK when building configuration Production
1051         https://bugs.webkit.org/show_bug.cgi?id=136925
1052         <rdar://problem/18362399>
1053
1054         Reviewed by Dan Bernstein.
1055
1056         As a side effect of this change we will always enable ENABLE_TOUCH_EVENTS, ENABLE_IOS_{GESTURE, TOUCH}_EVENTS,
1057         and ENABLE_XSLT when either building configuration Production or building with the Internal SDK.
1058
1059         * Configurations/Base.xcconfig:
1060
1061 2014-09-19  Diego Pino Garcia  <dpino@igalia.com>
1062
1063         Simple ES6 feature: String prototype additions
1064         https://bugs.webkit.org/show_bug.cgi?id=131704
1065
1066         Reviewed by Darin Adler.
1067
1068         * runtime/StringPrototype.cpp:
1069         (JSC::StringPrototype::finishCreation):
1070         (JSC::stringProtoFuncStartsWith): Added.
1071         (JSC::stringProtoFuncEndsWith): Added.
1072         (JSC::stringProtoFuncContains): Added.
1073
1074 2014-09-18  Joseph Pecoraro  <pecoraro@apple.com>
1075
1076         Unreviewed rollout r173731. Broke multiple builds.
1077
1078         * inspector/JSGlobalObjectInspectorController.cpp:
1079         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1080         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
1081         * inspector/JSGlobalObjectInspectorController.h:
1082         * inspector/remote/RemoteInspector.h:
1083         * inspector/remote/RemoteInspector.mm:
1084         (Inspector::RemoteInspector::RemoteInspector):
1085         (Inspector::RemoteInspector::setupFailed):
1086         (Inspector::RemoteInspector::start):
1087         (Inspector::RemoteInspector::stopInternal):
1088         (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
1089         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
1090         (Inspector::RemoteInspector::xpcConnectionFailed):
1091         (Inspector::RemoteInspector::receivedSetupMessage):
1092         (Inspector::globalAutomaticInspectionState): Deleted.
1093         (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate): Deleted.
1094         (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage): Deleted.
1095         (Inspector::RemoteInspector::setupSucceeded): Deleted.
1096         (Inspector::RemoteInspector::waitingForAutomaticInspection): Deleted.
1097         (Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage): Deleted.
1098         (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage): Deleted.
1099         * inspector/remote/RemoteInspectorConstants.h:
1100         * inspector/remote/RemoteInspectorDebuggable.cpp:
1101         (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
1102         (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection): Deleted.
1103         * inspector/remote/RemoteInspectorDebuggable.h:
1104         * inspector/remote/RemoteInspectorDebuggableConnection.h:
1105         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
1106         (Inspector::RemoteInspectorDebuggableConnection::setup):
1107         * runtime/JSGlobalObjectDebuggable.cpp:
1108         (JSC::JSGlobalObjectDebuggable::connect):
1109         (JSC::JSGlobalObjectDebuggable::pauseWaitingForAutomaticInspection): Deleted.
1110         * runtime/JSGlobalObjectDebuggable.h:
1111
1112 2014-09-18  Joseph Pecoraro  <pecoraro@apple.com>
1113
1114         Web Inspector: Should be able to attach a debugger to a JSContext before anything is executed
1115         https://bugs.webkit.org/show_bug.cgi?id=136893
1116
1117         Reviewed by Timothy Hatcher.
1118
1119         Adds new remote inspector protocol handling for automatic inspection.
1120         Debuggers can signal they have enabled automatic inspection, and
1121         when debuggables are created the current application will pause to
1122         see if the debugger will inspect or decline to inspect the debuggable.
1123
1124         * inspector/remote/RemoteInspectorConstants.h:
1125         * inspector/remote/RemoteInspector.h:
1126         * inspector/remote/RemoteInspector.mm:
1127         (Inspector::globalAutomaticInspectionState):
1128         (Inspector::RemoteInspector::RemoteInspector):
1129         (Inspector::RemoteInspector::start):
1130         When first starting, check the global "is there an auto-inspect" debugger state.
1131         This is necessary so that the current application knows if it should pause or
1132         not when a debuggable is created, even without having connected to webinspectord yet.
1133
1134         (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate):
1135         When a debuggable has enabled remote inspection, take this path to propose
1136         it as an automatic inspection candidate if there is an auto-inspect debugger.
1137
1138         (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage):
1139         Send the automatic inspection candidate message.
1140
1141         (Inspector::RemoteInspector::receivedSetupMessage):
1142         (Inspector::RemoteInspector::setupFailed):
1143         (Inspector::RemoteInspector::setupSucceeded):
1144         After attempting to open an inspector, unpause if it was for the
1145         automatic inspection candidate.
1146
1147         (Inspector::RemoteInspector::waitingForAutomaticInspection):
1148         When running a nested runloop, check if we should remain paused.
1149
1150         (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
1151         If by the time we connect to webinspectord we have a candidate, then
1152         immediately send the candidate message.
1153
1154         (Inspector::RemoteInspector::stopInternal):
1155         (Inspector::RemoteInspector::xpcConnectionFailed):
1156         In error cases, clear our state.
1157
1158         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
1159         (Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage):
1160         (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage):
1161         Update state when receiving new messages.
1162
1163
1164         * inspector/remote/RemoteInspectorDebuggable.h:
1165         * inspector/remote/RemoteInspectorDebuggable.cpp:
1166         (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
1167         Special case when a debuggable is newly allowed to be debuggable.
1168
1169         (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection):
1170         Run a nested run loop while this is an automatic inspection candidate.
1171
1172         * inspector/JSGlobalObjectInspectorController.h:
1173         * inspector/JSGlobalObjectInspectorController.cpp:
1174         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1175         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
1176         When the inspector starts via automatic inspection automatically pause.
1177         We plan on removing this condition by having the frontend signal to the
1178         backend when it is completely initialized.
1179         
1180         * inspector/remote/RemoteInspectorDebuggableConnection.h:
1181         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
1182         (Inspector::RemoteInspectorDebuggableConnection::setup):
1183         Pass on the flag of whether or not this was automatic inspection.
1184
1185         * runtime/JSGlobalObjectDebuggable.h:
1186         * runtime/JSGlobalObjectDebuggable.cpp:
1187         (JSC::JSGlobalObjectDebuggable::connect):
1188         (JSC::JSGlobalObjectDebuggable::pauseWaitingForAutomaticInspection):
1189         When pausing in a JSGlobalObject we need to release the API lock.
1190
1191 2014-09-18  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>
1192
1193         Fix "Tools/Scripts/build-webkit --efl --no-inspector" build
1194         https://bugs.webkit.org/show_bug.cgi?id=136912
1195
1196         Reviewed by Darin Adler.
1197
1198         * runtime/TypeSet.cpp:
1199         (JSC::TypeSet::leastCommonAncestor):
1200
1201 2014-09-17  Michael Saboff  <msaboff@apple.com>
1202
1203         Change CallFrame to use Callee instead of JSScope to implement vm()
1204         https://bugs.webkit.org/show_bug.cgi?id=136894
1205
1206         Reviewed by Geoffrey Garen.
1207
1208         Added JSCell::vm() method that can be used on any JSObject.  Changed CallFrame::vm() to
1209         use JSCell::vm with the Callee.  Made similar changes in the LLInt.
1210         In support of this, changed JSGlobalObject::init() to take a VM& parameter, as there is
1211         a chicken/egg problem with trying to use the Callee in the global exec before the Callee
1212         has been created.  Besides, the vm is readily available in finishCreation(), the caller of
1213         init().
1214
1215         * llint/LowLevelInterpreter32_64.asm:
1216         * llint/LowLevelInterpreter64.asm:
1217         Changed the calculation of CallFrame::VM to use the Callee instead of JSScope.
1218
1219         * runtime/JSCell.h:
1220         * runtime/JSCellInlines.h:
1221         (JSC::JSCell::vm): New method for getting VM from the pointer.
1222         (JSC::ExecState::vm): Moved this method from JSScope.h to here since this file
1223         contains the implementation of JSCell::vm(), this file is included by all users
1224         of CallFrame::vm, and lastly putting it in CallFrameInlines.h required changing
1225         many other .h files and possibly the WebCore generator generate-bindings.pl.
1226
1227         * runtime/JSGlobalObject.cpp:
1228         (JSC::JSGlobalObject::init):
1229         * runtime/JSGlobalObject.h:
1230         (JSC::JSGlobalObject::finishCreation):
1231         Changed init() to take a VM parameter.
1232
1233         * runtime/JSScope.h:
1234         (JSC::ExecState::vm): Deleted.
1235
1236 2014-09-16  Filip Pizlo  <fpizlo@apple.com>
1237
1238         Unreviewed, disable native inlining because it causes build failures.
1239
1240         * JavaScriptCore.xcodeproj/project.pbxproj:
1241
1242 2014-09-16  Joseph Pecoraro  <pecoraro@apple.com>
1243
1244         Web Inspector: Reduce a bit of churn setting initial remote inspection state
1245         https://bugs.webkit.org/show_bug.cgi?id=136875
1246
1247         Reviewed by Timothy Hatcher.
1248
1249         * API/JSContextRef.cpp:
1250         (JSGlobalContextCreateInGroup):
1251         Set the default remote debuggable state at the API boundary.
1252
1253         * runtime/JSGlobalObject.cpp:
1254         (JSC::JSGlobalObject::init):
1255         Do not set remote debuggable state here. Let clients set it.
1256
1257 2014-09-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1258
1259         Promise: Drop Promise.cast
1260         https://bugs.webkit.org/show_bug.cgi?id=136222
1261
1262         Reviewed by Sam Weinig.
1263
1264         Promise.cast is dropped and Promise.resolve is replaced with old Promise.cast.
1265
1266         * runtime/CommonIdentifiers.h:
1267         * runtime/JSPromiseConstructor.cpp:
1268         (JSC::JSPromiseConstructorFuncResolve):
1269         (JSC::JSPromiseConstructorFuncRace):
1270         (JSC::JSPromiseConstructorFuncAll):
1271         (JSC::JSPromiseConstructorFuncCast): Deleted.
1272
1273 2014-09-16  Filip Pizlo  <fpizlo@apple.com>
1274
1275         Local OSR availability calculation should be reusable
1276         https://bugs.webkit.org/show_bug.cgi?id=136860
1277
1278         Reviewed by Oliver Hunt.
1279         
1280         Previously, the FTL lowering repeated some of the logic of the OSR availability analysis
1281         phase. Humorously, it actually did this logic a bit differently; for example the phase
1282         would claim that a SetLocal makes both the flush and the node available while the FTL
1283         only claimed that the flush was available. This difference was benign, but still: yuck!
1284         
1285         Also, previously if you wanted to use availability information then you'd have to repeat
1286         some of the logic that both the phase itself and the FTL lowering already had.
1287         Presumably, you could get epic style points for finding other benign ways in which to
1288         make your copy of the logic different from the other two!
1289         
1290         This reduces the amount of style points one could conceivably get in the future when
1291         hacking JSC, by creating a single reusable thingy for computing local OSR availability.
1292
1293         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
1294         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
1295         (JSC::DFG::LocalOSRAvailabilityCalculator::LocalOSRAvailabilityCalculator):
1296         (JSC::DFG::LocalOSRAvailabilityCalculator::~LocalOSRAvailabilityCalculator):
1297         (JSC::DFG::LocalOSRAvailabilityCalculator::beginBlock):
1298         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
1299         * dfg/DFGOSRAvailabilityAnalysisPhase.h:
1300         * ftl/FTLLowerDFGToLLVM.cpp:
1301         (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
1302         (JSC::FTL::LowerDFGToLLVM::compileBlock):
1303         (JSC::FTL::LowerDFGToLLVM::compileNode):
1304         (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
1305         (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
1306         (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
1307         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
1308         (JSC::FTL::LowerDFGToLLVM::availability):
1309         (JSC::FTL::LowerDFGToLLVM::compileMovHint): Deleted.
1310         (JSC::FTL::LowerDFGToLLVM::compileZombieHint): Deleted.
1311         (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock): Deleted.
1312
1313 2014-09-16  Csaba Osztrogonác  <ossy@webkit.org>
1314
1315         JSC test gardening
1316         https://bugs.webkit.org/show_bug.cgi?id=136823
1317
1318         Reviewed by Geoffrey Garen.
1319
1320         * tests/mozilla/mozilla-tests.yaml: Unskip passing tests.
1321
1322 2014-09-15  Michael Saboff  <msaboff@apple.com>
1323
1324         Create a JSCallee for GlobalExec object
1325         https://bugs.webkit.org/show_bug.cgi?id=136840
1326
1327         Reviewed by Geoffrey Garen.
1328
1329         Added m_globalCallee, initialized it and then used it to set the globalExec's callee.
1330
1331         * runtime/JSGlobalObject.cpp:
1332         (JSC::JSGlobalObject::init):
1333         (JSC::JSGlobalObject::visitChildren):
1334         * runtime/JSGlobalObject.h:
1335
1336 2014-09-14  Filip Pizlo  <fpizlo@apple.com>
1337
1338         DFG ref count calculation should be reusable
1339         https://bugs.webkit.org/show_bug.cgi?id=136811
1340
1341         Reviewed by Oliver Hunt.
1342         
1343         Henceforth if you call Graph::computeRefCounts(), a nifty O(n) operation, every Node
1344         will be able to tell you how many places it is used from. Currently only DCE uses this,
1345         but it will be useful for https://bugs.webkit.org/show_bug.cgi?id=136330.
1346
1347         * dfg/DFGDCEPhase.cpp:
1348         (JSC::DFG::DCEPhase::run):
1349         (JSC::DFG::DCEPhase::findTypeCheckRoot): Deleted.
1350         (JSC::DFG::DCEPhase::countNode): Deleted.
1351         (JSC::DFG::DCEPhase::countEdge): Deleted.
1352         * dfg/DFGGraph.cpp:
1353         (JSC::DFG::Graph::computeRefCounts):
1354         * dfg/DFGGraph.h:
1355
1356 2014-09-12  Michael Saboff  <msaboff@apple.com>
1357
1358         Merge JSGlobalObject::reset() into ::init()
1359         https://bugs.webkit.org/show_bug.cgi?id=136800
1360
1361         Reviewed by Oliver Hunt.
1362
1363         Moved the contents of reset() into init().
1364         Note that the diff shows more changes.
1365
1366         * runtime/JSGlobalObject.cpp:
1367         (JSC::JSGlobalObject::init): Moved body of reset() into init.
1368         (JSC::JSGlobalObject::put):
1369         (JSC::JSGlobalObject::defineOwnProperty):
1370         (JSC::JSGlobalObject::addGlobalVar):
1371         (JSC::JSGlobalObject::addFunction):
1372         (JSC::lastInPrototypeChain):
1373         (JSC::JSGlobalObject::reset): Deleted.
1374         * runtime/JSGlobalObject.h:
1375
1376 2014-09-12  Michael Saboff  <msaboff@apple.com>
1377
1378         Add JSCallee to program and eval CallFrames
1379         https://bugs.webkit.org/show_bug.cgi?id=136785
1380
1381         Reviewed by Mark Lam.
1382
1383         Populated Callee slot for program and call eval CallFrames with JSCallee objects.
1384         Made supporting changes including adding a JSCallee structure to global object and adding
1385         JSCallee::create() method.  Added code so that the newly added callee object won't be
1386         returned by Function.caller.  Changed null pointer checks of callee to check if
1387         the type is JSFunction* or JSCallee*.
1388
1389         * debugger/DebuggerCallFrame.cpp:
1390         (JSC::DebuggerCallFrame::functionName):
1391         (JSC::DebuggerCallFrame::type):
1392         * profiler/LegacyProfiler.cpp:
1393         (JSC::LegacyProfiler::createCallIdentifier):
1394         * interpreter/Interpreter.cpp:
1395         (JSC::unwindCallFrame):
1396         Changed checks of callee to check whether it is a JSFunction* or JSCallee* instead of
1397         just checking if it is null or not.
1398
1399         * interpreter/Interpreter.cpp:
1400         (JSC::Interpreter::execute): Create and use JSCallee objects for execute(EvalExecutable, ...)
1401         and execute(ProgramExecutable, ...)
1402
1403         * jit/JITCode.cpp:
1404         (JSC::JITCode::execute): Use jsDynamicCast to cast only JSFunctions.
1405
1406         * runtime/JSCallee.cpp:
1407         (JSC::JSCallee::create): Not used, therefore deleted.
1408
1409         * runtime/JSCallee.h:
1410         (JSC::JSCallee::create): Added.
1411
1412         * runtime/JSFunction.cpp:
1413         (JSC::JSFunction::callerGetter): Added test to return null for JSCallees that aren't
1414         JSFunctions.  This can only be the case when the JSCallee comes from a program or
1415         call eval CallFrame.
1416
1417         * runtime/JSGlobalObject.cpp:
1418         (JSC::JSGlobalObject::reset):
1419         (JSC::JSGlobalObject::visitChildren):
1420         * runtime/JSGlobalObject.h:
1421         (JSC::JSGlobalObject::calleeStructure):
1422         Added new JSCallee structure.
1423
1424 2014-09-10  Jon Honeycutt  <jhoneycutt@apple.com>
1425
1426         Re-add the request autocomplete feature
1427
1428         <https://bugs.webkit.org/show_bug.cgi?id=136730>
1429
1430         This feature was rolled out in r148731 because it was only used by
1431         Chromium. As we consider supporting this feature, roll it back in, but
1432         leave it disabled.
1433
1434         This rolls out r148731 (which removed the feature) with small changes
1435         needed to make the code build in ToT, to match modern style, to make
1436         the tests run, and to remove unused code.
1437
1438         Reviewed by Andy Estes.
1439
1440         * Configurations/FeatureDefines.xcconfig:
1441
1442 2014-09-12  Julien Brianceau  <jbriance@cisco.com>
1443
1444         [x86] moveDoubleToInts() does not clobber its source register anymore
1445         https://bugs.webkit.org/show_bug.cgi?id=131690
1446
1447         Reviewed by Oliver Hunt.
1448
1449         * assembler/MacroAssemblerX86.h:
1450         (JSC::MacroAssemblerX86::moveDoubleToInts):
1451         * dfg/DFGSpeculativeJIT.cpp:
1452         (JSC::DFG::SpeculativeJIT::compileValueRep):
1453         * jit/SpecializedThunkJIT.h:
1454         (JSC::SpecializedThunkJIT::returnDouble):
1455
1456 2014-09-12  Mark Lam  <mark.lam@apple.com>
1457
1458         Unreviewed build fix for CLOOP build.
1459
1460         * runtime/JSCallee.h:
1461
1462 2014-09-12  Michael Saboff  <msaboff@apple.com>
1463
1464         Remove unneeded declarations from JSCallee.h
1465         https://bugs.webkit.org/show_bug.cgi?id=136783
1466
1467         Reviewed by Mark Lam.
1468
1469         * runtime/JSCallee.h:
1470         (JSCallee::name): Deleted.
1471         (JSCallee::displayName): Deleted.
1472         (JSCallee::calculatedDisplayName): Deleted.
1473
1474 2014-09-11  Brian J. Burg  <burg@cs.washington.edu>
1475
1476         Web Inspector: disambiguate double and integer primitive types in the protocol
1477         https://bugs.webkit.org/show_bug.cgi?id=136606
1478
1479         Reviewed by Timothy Hatcher.
1480
1481         Right now it's really easy to mix up doubles and integers when serializing or deserializing
1482         values for the inspector protocol. This patch disambiguates setting/getting doubles and integers
1483         so that it is clearer as to which type is intended.
1484
1485         A new InspectorValue::Type is added for Integer types, and the Number type is renamed to Double.
1486         The existing callsites for asNumber/getNumber/setNumber have been fixed.
1487
1488         Address various integration points to make sure the right type tag is assigned to InspectorValues.
1489
1490         * bindings/ScriptValue.cpp:
1491         (Deprecated::jsToInspectorValue): Make an Integer if the JSValue is Int52 or smaller.
1492         * inspector/InjectedScriptManager.cpp:
1493         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
1494         * inspector/InspectorBackendDispatcher.cpp:
1495         (Inspector::InspectorBackendDispatcher::dispatch):
1496         (Inspector::InspectorBackendDispatcher::sendResponse):
1497         (Inspector::InspectorBackendDispatcher::reportProtocolError):
1498         (Inspector::AsMethodBridges::asInteger):
1499         (Inspector::AsMethodBridges::asDouble):
1500         (Inspector::InspectorBackendDispatcher::getInteger):
1501         (Inspector::InspectorBackendDispatcher::getDouble):
1502         (Inspector::AsMethodBridges::asInt): Deleted.
1503         (Inspector::InspectorBackendDispatcher::getInt): Deleted.
1504         * inspector/InspectorBackendDispatcher.h:
1505         * inspector/InspectorProtocolTypes.h: Remove the special case for checking int type tags.
1506         (Inspector::Protocol::ArrayItemHelper<int>::Traits::pushRaw):
1507         (Inspector::Protocol::ArrayItemHelper<double>::Traits::pushRaw):
1508         (Inspector::Protocol::BindingTraits<int>::assertValueHasExpectedType): Deleted.
1509         * inspector/InspectorValues.cpp: Allow integers and doubles to be convertible using asInteger/asDouble.
1510         (Inspector::InspectorValue::asDouble):
1511         (Inspector::InspectorValue::asInteger):
1512         (Inspector::InspectorBasicValue::asDouble):
1513         (Inspector::InspectorBasicValue::asInteger):
1514         (Inspector::InspectorBasicValue::writeJSON):
1515         (Inspector::InspectorValue::asNumber): Deleted.
1516         (Inspector::InspectorBasicValue::asNumber): Deleted.
1517         * inspector/InspectorValues.h:
1518         (Inspector::InspectorObjectBase::setInteger):
1519         (Inspector::InspectorObjectBase::setDouble):
1520         (Inspector::InspectorArrayBase::pushInteger):
1521         (Inspector::InspectorArrayBase::pushDouble):
1522         (Inspector::InspectorObjectBase::setNumber): Deleted.
1523         (Inspector::InspectorArrayBase::pushInt): Deleted.
1524         (Inspector::InspectorArrayBase::pushNumber): Deleted.
1525         * inspector/agents/InspectorDebuggerAgent.cpp:
1526         (Inspector::buildObjectForBreakpointCookie):
1527         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
1528         (Inspector::parseLocation):
1529         (Inspector::InspectorDebuggerAgent::didParseSource):
1530         * inspector/agents/InspectorRuntimeAgent.cpp:
1531         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1532         * inspector/scripts/codegen/generator.py: Update emitted code and rebaseline test results.
1533         (Generator.keyed_get_method_for_type):
1534         (Generator.keyed_set_method_for_type):
1535         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1536         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1537         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1538         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1539         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1540         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1541         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1542         * replay/EncodedValue.cpp:
1543         (JSC::EncodedValue::convertTo<double>):
1544         (JSC::EncodedValue::convertTo<float>):
1545         (JSC::EncodedValue::convertTo<int32_t>):
1546         (JSC::EncodedValue::convertTo<int64_t>):
1547         (JSC::EncodedValue::convertTo<uint32_t>):
1548         (JSC::EncodedValue::convertTo<uint64_t>):
1549
1550 2014-09-11  Joseph Pecoraro  <pecoraro@apple.com>
1551
1552         Web Inspector: Occasional ASSERT closing web inspector
1553         https://bugs.webkit.org/show_bug.cgi?id=136762
1554
1555         Reviewed by Timothy Hatcher.
1556
1557         It is harmless, and indeed possible to have an empty set of listeners
1558         now that each Page gets its own PageDebugServer instead of a shared
1559         global. So we should replace the null checks with isEmpty checks.
1560         Since nobody was ever returning null, convert to references as well.
1561
1562         * inspector/JSGlobalObjectScriptDebugServer.h:
1563         * inspector/ScriptDebugServer.cpp:
1564         (Inspector::ScriptDebugServer::dispatchBreakpointActionLog):
1565         (Inspector::ScriptDebugServer::dispatchBreakpointActionSound):
1566         (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe):
1567         (Inspector::ScriptDebugServer::sourceParsed):
1568         (Inspector::ScriptDebugServer::dispatchFunctionToListeners):
1569         (Inspector::ScriptDebugServer::notifyDoneProcessingDebuggerEvents):
1570         (Inspector::ScriptDebugServer::handlePause):
1571         (Inspector::ScriptDebugServer::needPauseHandling): Deleted.
1572         * inspector/ScriptDebugServer.h:
1573
1574 2014-09-10  Michael Saboff  <msaboff@apple.com>
1575
1576         Move JSScope out of JSFunction into separate JSCallee class
1577         https://bugs.webkit.org/show_bug.cgi?id=136725
1578
1579         Reviewed by Oliver Hunt.
1580
1581         Created new JSCallee class that contains a JSScope*.  Changed JSFunction to inherit from
1582         JSCallee.
1583
1584         * CMakeLists.txt:
1585         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1586         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1587         * JavaScriptCore.xcodeproj/project.pbxproj:
1588         Build changes.  Added JSCallee.cpp and JSCallee.h.
1589
1590         * runtime/JSCallee.cpp: Added.
1591         (JSC::JSCallee::create):
1592         (JSC::JSCallee::destroy):
1593         (JSC::JSCallee::JSCallee):
1594         (JSC::JSCallee::finishCreation):
1595         (JSC::JSCallee::visitChildren):
1596         (JSC::JSCallee::getOwnPropertySlot): Pass through wrapper function.
1597         (JSC::JSCallee::getOwnNonIndexPropertyNames): Pass through wrapper function.
1598         (JSC::JSCallee::put): Pass through wrapper function.
1599         (JSC::JSCallee::deleteProperty): Pass through wrapper function.
1600         (JSC::JSCallee::defineOwnProperty): Pass through wrapper function.
1601
1602         * runtime/JSCallee.h: Added.
1603         (JSC::JSCallee::scope):
1604         (JSC::JSCallee::scopeUnchecked):
1605         (JSC::JSCallee::setScope):
1606         (JSC::JSCallee::createStructure):
1607         (JSC::JSCallee::offsetOfScopeChain):
1608
1609         * runtime/JSFunction.cpp:
1610         (JSC::JSFunction::JSFunction):
1611         (JSC::JSFunction::addNameScopeIfNeeded):
1612         (JSC::JSFunction::visitChildren):
1613         * runtime/JSFunction.h:
1614         (JSC::JSFunction::scope): Deleted.
1615         (JSC::JSFunction::scopeUnchecked): Deleted.
1616         (JSC::JSFunction::setScope): Deleted.
1617         (JSC::JSFunction::offsetOfScopeChain): Deleted.
1618         * runtime/JSFunctionInlines.h:
1619         (JSC::JSFunction::JSFunction):
1620         Changed to reference JSCallee and its methods.
1621
1622         * runtime/JSType.h: Added JSCallee as a TypeEnum.
1623
1624 2014-09-11  Filip Pizlo  <fpizlo@apple.com>
1625
1626         REGRESSION (r172129): Vine pages load as blank
1627         https://bugs.webkit.org/show_bug.cgi?id=136655
1628         rdar://problem/18281215
1629
1630         Reviewed by Michael Saboff.
1631         
1632         If lastNode is something that is subject to DCE, then removing the Phantom's reference to something
1633         that lastNode references means that the thing being referenced may no longer be kept alive for OSR.
1634         Teach PhantomRemovalPhase that it's only safe to do this if lastNode is a Phantom. That's probably too
1635         conservative, but that's fine since this is mainly just an optimization to make the IR sane to read and
1636         reasonably compact; it's OK if we miss cases here.
1637
1638         * dfg/DFGPhantomRemovalPhase.cpp:
1639         (JSC::DFG::PhantomRemovalPhase::run):
1640         * tests/stress/remove-phantom-after-setlocal.js: Added.
1641
1642 2014-09-11  Bear Travis  <betravis@adobe.com>
1643
1644         [CSS Font Loading] Enable CSS Font Loading on Mac
1645         https://bugs.webkit.org/show_bug.cgi?id=135473
1646
1647         Reviewed by Antti Koivisto.
1648
1649         Enable CSS Font Loading in FeatureDefines.
1650
1651         * Configurations/FeatureDefines.xcconfig:
1652
1653 2014-09-11  Joseph Pecoraro  <pecoraro@apple.com>
1654
1655         Unreviewed rebaseline of inspector generator test results after r173120.
1656
1657         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1658         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1659         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1660         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1661
1662 2014-09-11  Oliver Hunt  <oliver@apple.com>
1663
1664         Rename activation to be more in line with spec language
1665         https://bugs.webkit.org/show_bug.cgi?id=136721
1666
1667         Reviewed by Michael Saboff.
1668
1669         Somewhat bigger than the last one, but still just a rename.
1670
1671         * CMakeLists.txt:
1672         * JavaScriptCore.order:
1673         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1674         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1675         * JavaScriptCore.xcodeproj/project.pbxproj:
1676         * bytecode/BytecodeList.json:
1677         * bytecode/BytecodeUseDef.h:
1678         (JSC::computeUsesForBytecodeOffset):
1679         (JSC::computeDefsForBytecodeOffset):
1680         * bytecode/CallVariant.h:
1681         * bytecode/CodeBlock.cpp:
1682         (JSC::CodeBlock::dumpBytecode):
1683         (JSC::CodeBlock::CodeBlock):
1684         (JSC::CodeBlock::finalizeUnconditionally):
1685         (JSC::CodeBlock::isCaptured):
1686         (JSC::CodeBlock::nameForRegister):
1687         * bytecode/CodeBlock.h:
1688         (JSC::CodeBlock::setActivationRegister):
1689         (JSC::CodeBlock::activationRegister):
1690         (JSC::CodeBlock::uncheckedActivationRegister):
1691         (JSC::CodeBlock::needsActivation):
1692         * bytecode/Instruction.h:
1693         * bytecode/UnlinkedCodeBlock.h:
1694         (JSC::UnlinkedCodeBlock::setActivationRegister):
1695         (JSC::UnlinkedCodeBlock::activationRegister):
1696         (JSC::UnlinkedCodeBlock::hasActivationRegister):
1697         * bytecompiler/BytecodeGenerator.cpp:
1698         (JSC::BytecodeGenerator::BytecodeGenerator):
1699         (JSC::BytecodeGenerator::emitReturn):
1700         * bytecompiler/BytecodeGenerator.h:
1701         * debugger/DebuggerCallFrame.cpp:
1702         (JSC::DebuggerCallFrame::scope):
1703         * debugger/DebuggerScope.cpp:
1704         (JSC::DebuggerScope::isFunctionOrEvalScope):
1705         * dfg/DFGByteCodeParser.cpp:
1706         (JSC::DFG::ByteCodeParser::parseBlock):
1707         * dfg/DFGCapabilities.cpp:
1708         (JSC::DFG::capabilityLevel):
1709         * dfg/DFGGraph.cpp:
1710         (JSC::DFG::Graph::tryGetActivation):
1711         (JSC::DFG::Graph::tryGetRegisters):
1712         * dfg/DFGGraph.h:
1713         * dfg/DFGNodeType.h:
1714         * dfg/DFGOperations.cpp:
1715         * dfg/DFGSpeculativeJIT32_64.cpp:
1716         (JSC::DFG::SpeculativeJIT::compile):
1717         * dfg/DFGSpeculativeJIT64.cpp:
1718         (JSC::DFG::SpeculativeJIT::compile):
1719         * interpreter/CallFrame.cpp:
1720         (JSC::CallFrame::lexicalEnvironment):
1721         (JSC::CallFrame::setActivation):
1722         (JSC::CallFrame::activation): Deleted.
1723         * interpreter/CallFrame.h:
1724         * interpreter/Interpreter.cpp:
1725         (JSC::unwindCallFrame):
1726         * interpreter/Register.h:
1727         * jit/JIT.cpp:
1728         (JSC::JIT::privateCompileMainPass):
1729         * jit/JIT.h:
1730         * jit/JITOpcodes.cpp:
1731         (JSC::JIT::emit_op_tear_off_lexical_environment):
1732         (JSC::JIT::emit_op_tear_off_arguments):
1733         (JSC::JIT::emit_op_create_lexical_environment):
1734         (JSC::JIT::emit_op_tear_off_activation): Deleted.
1735         (JSC::JIT::emit_op_create_activation): Deleted.
1736         * jit/JITOpcodes32_64.cpp:
1737         (JSC::JIT::emit_op_tear_off_lexical_environment):
1738         (JSC::JIT::emit_op_tear_off_arguments):
1739         (JSC::JIT::emit_op_create_lexical_environment):
1740         (JSC::JIT::emit_op_tear_off_activation): Deleted.
1741         (JSC::JIT::emit_op_create_activation): Deleted.
1742         * jit/JITOperations.cpp:
1743         * jit/JITOperations.h:
1744         * llint/LLIntSlowPaths.cpp:
1745         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1746         * llint/LLIntSlowPaths.h:
1747         * llint/LowLevelInterpreter32_64.asm:
1748         * llint/LowLevelInterpreter64.asm:
1749         * runtime/Arguments.cpp:
1750         (JSC::Arguments::visitChildren):
1751         (JSC::Arguments::tearOff):
1752         (JSC::Arguments::didTearOffActivation):
1753         * runtime/Arguments.h:
1754         (JSC::Arguments::offsetOfActivation):
1755         (JSC::Arguments::argument):
1756         (JSC::Arguments::finishCreation):
1757         * runtime/CommonSlowPaths.cpp:
1758         * runtime/JSFunction.h:
1759         * runtime/JSGlobalObject.cpp:
1760         (JSC::JSGlobalObject::reset):
1761         (JSC::JSGlobalObject::visitChildren):
1762         * runtime/JSGlobalObject.h:
1763         (JSC::JSGlobalObject::activationStructure):
1764         * runtime/JSLexicalEnvironment.cpp: Renamed from Source/JavaScriptCore/runtime/JSActivation.cpp.
1765         (JSC::JSLexicalEnvironment::visitChildren):
1766         (JSC::JSLexicalEnvironment::symbolTableGet):
1767         (JSC::JSLexicalEnvironment::symbolTablePut):
1768         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
1769         (JSC::JSLexicalEnvironment::symbolTablePutWithAttributes):
1770         (JSC::JSLexicalEnvironment::getOwnPropertySlot):
1771         (JSC::JSLexicalEnvironment::put):
1772         (JSC::JSLexicalEnvironment::deleteProperty):
1773         (JSC::JSLexicalEnvironment::toThis):
1774         (JSC::JSLexicalEnvironment::argumentsGetter):
1775         * runtime/JSLexicalEnvironment.h: Renamed from Source/JavaScriptCore/runtime/JSActivation.h.
1776         (JSC::JSLexicalEnvironment::create):
1777         (JSC::JSLexicalEnvironment::createStructure):
1778         (JSC::JSLexicalEnvironment::JSLexicalEnvironment):
1779         (JSC::asActivation):
1780         (JSC::Register::lexicalEnvironment):
1781         (JSC::JSLexicalEnvironment::registersOffset):
1782         (JSC::JSLexicalEnvironment::tearOff):
1783         (JSC::JSLexicalEnvironment::isTornOff):
1784         (JSC::JSLexicalEnvironment::storageOffset):
1785         (JSC::JSLexicalEnvironment::storage):
1786         (JSC::JSLexicalEnvironment::allocationSize):
1787         (JSC::JSLexicalEnvironment::isValidIndex):
1788         (JSC::JSLexicalEnvironment::isValid):
1789         (JSC::JSLexicalEnvironment::registerAt):
1790         * runtime/JSObject.h:
1791         * runtime/JSScope.cpp:
1792         (JSC::abstractAccess):
1793         * runtime/JSScope.h:
1794         (JSC::ResolveOp::ResolveOp):
1795         * runtime/JSSymbolTableObject.cpp:
1796         * runtime/StrictEvalActivation.h:
1797         (JSC::StrictEvalActivation::create):
1798         * runtime/VM.cpp:
1799
1800 2014-09-11  László Langó  <llango.u-szeged@partner.samsung.com>
1801
1802         [JavaScriptCore] Fix FTL on platform EFL.
1803         https://bugs.webkit.org/show_bug.cgi?id=133571
1804
1805         Reviewed by Filip Pizlo.
1806
1807         There are no compact_unwind sections on Linux systems so FTL crashes.
1808         We have to parse eh_frame in FTLUnwindInfo instead of compact_unwind
1809         and get the information for stack unwinding from there.
1810
1811         * CMakeLists.txt: Revert r169181.
1812         * ftl/FTLCompile.cpp:
1813         Change section name literals to use SECTION_NAME macro, because of architecture differences.
1814         (JSC::FTL::mmAllocateCodeSection):
1815         (JSC::FTL::mmAllocateDataSection):
1816         (JSC::FTL::compile):
1817         * ftl/FTLJITCode.h:
1818         We need the SECTION_NAME macro in FTLCompile and FTLLink, so we define it here.
1819         * ftl/FTLLink.cpp:
1820         (JSC::FTL::link):
1821         * ftl/FTLState.h:
1822         * ftl/FTLState.cpp:
1823         (JSC::FTL::State::State):
1824         * ftl/FTLUnwindInfo.h:
1825         * ftl/FTLUnwindInfo.cpp:
1826         Lift the eh_frame parsing method from LLVM/libcxxabi project and modify it for our purposes.
1827         Parse eh_frame on Linux instead of compact_unwind.
1828         (JSC::FTL::UnwindInfo::parse):
1829
1830 2014-09-10  Saam Barati  <saambarati1@gmail.com>
1831
1832         Web Inspector: Modify the type profiler runtime protocol to transfer some computation into the WebInspector
1833         https://bugs.webkit.org/show_bug.cgi?id=136500
1834
1835         Reviewed by Joseph Pecoraro.
1836
1837         This patch changes the type profiler protocol to the Web Inspector
1838         by moving the work of calculating computed properties that affect the UI
1839         into the Web Inspector. This makes the Web Inspector have control over the 
1840         strings it displays as UI elements representing type information to the user 
1841         instead of JavaScriptCore deciding on a convention for these strings.
1842         JavaScriptCore now sends enough information to the Web Inspector so that 
1843         it can compute the properties JavaScriptCore used to compute.
1844
1845         * inspector/agents/InspectorRuntimeAgent.cpp:
1846         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1847         * inspector/protocol/Runtime.json:
1848         * runtime/TypeProfiler.cpp:
1849         (JSC::TypeProfiler::getTypesForVariableAtOffsetForInspector): Deleted.
1850         * runtime/TypeProfiler.h:
1851         * runtime/TypeSet.cpp:
1852         (JSC::TypeSet::inspectorTypeSet):
1853         (JSC::StructureShape::leastCommonAncestor):
1854         (JSC::StructureShape::inspectorRepresentation):
1855         * runtime/TypeSet.h:
1856
1857 2014-09-10  Akos Kiss  <akiss@inf.u-szeged.hu>
1858
1859         Apply ARM64-specific lowering to load/store instructions in offlineasm
1860         https://bugs.webkit.org/show_bug.cgi?id=136569
1861
1862         Reviewed by Michael Saboff.
1863
1864         The standard RISC lowering of load/store instructions with base +
1865         immediate offset addresses is to move the offset to a temporary, add the
1866         base to the temporary, and then change the load/store to use the
1867         temporary + 0 immediate offset address. However, on ARM64, base +
1868         register offset addressing mode is available, so it is unnecessary to
1869         perform explicit register additions but it is enough to change load/store
1870         to use base + temporary as the address.
1871
1872         * offlineasm/arm64.rb: Added arm64LowerMalformedLoadStoreAddresses
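
        The two lowerings described in this entry, as an added illustration written
        for this page; it is not offlineasm's own code and does not use its
        instruction classes. The instruction model (an opcode plus an operand list,
        with a memory operand as base register + offset), the register names, the
        opcode names "move"/"addp"/"loadp"/"storep", and the ENCODABLE threshold for
        "the immediate fits the instruction" are all constructed assumptions; the
        real encodable range depends on the access size and instruction form.

```ruby
# Added illustration, not offlineasm's own code. Model: an instruction is an
# opcode plus operands; a memory operand is an Address whose offset is either an
# Integer immediate or a register name (String). All names are constructed.
Instr = Struct.new(:op, :operands)
Address = Struct.new(:base, :offset)

# Constructed threshold for "immediate is directly encodable"; the real range
# depends on the access size and instruction form, which this model ignores.
ENCODABLE = (-256..255)

# An address is "malformed" when its immediate offset cannot be encoded directly.
def needs_lowering?(operand)
  operand.is_a?(Address) &&
    operand.offset.is_a?(Integer) &&
    !ENCODABLE.cover?(operand.offset)
end

# Rewrite every malformed address operand of +instr+. The block receives the
# address and the scratch register and returns [prefix_instructions, new_address].
# Load/store instructions carry a single memory operand, so one scratch register
# is enough; the assertion guards that assumption.
def lower_addresses(instr, temp)
  malformed = instr.operands.count { |o| needs_lowering?(o) }
  raise ArgumentError, "one scratch register per malformed address" if malformed > 1

  prefix = []
  operands = instr.operands.map do |operand|
    next operand unless needs_lowering?(operand)
    extra, replacement = yield(operand, temp)
    prefix.concat(extra)
    replacement
  end
  prefix + [Instr.new(instr.op, operands)]
end

# Standard RISC lowering: materialize the offset in temp, add the base into
# temp, then access [temp, 0].
def lower_risc(instr, temp)
  lower_addresses(instr, temp) do |addr, t|
    [[Instr.new("move", [addr.offset, t]), Instr.new("addp", [addr.base, t])],
     Address.new(t, 0)]
  end
end

# ARM64 lowering: base + register offset addressing exists, so the explicit add
# is dropped and the access becomes [base, temp].
def lower_arm64(instr, temp)
  lower_addresses(instr, temp) do |addr, t|
    [[Instr.new("move", [addr.offset, t])], Address.new(addr.base, t)]
  end
end

# Render a lowered sequence in an offlineasm-like textual form for inspection.
def render(seq)
  seq.map do |i|
    text = i.operands.map { |o| o.is_a?(Address) ? "[#{o.base}, #{o.offset}]" : o.to_s }
    "#{i.op} #{text.join(', ')}"
  end
end

if __FILE__ == $0
  load = Instr.new("loadp", [Address.new("cfr", 4096), "t0"])
  puts "RISC:",  render(lower_risc(load, "t5"))
  puts "ARM64:", render(lower_arm64(load, "t5"))
end
```

        Running it shows the RISC form needing three instructions (move, addp, loadp
        via [t5, 0]) where the ARM64 form needs two (move, loadp via [cfr, t5]); an
        access whose offset already fits (for example [cfr, 8]) is returned
        unchanged by both.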
1873
1874 2014-09-10  Oliver Hunt  <oliver@apple.com>
1875
1876         Rename JSVariableObject to JSEnvironmentRecord to align naming with ES spec
1877         https://bugs.webkit.org/show_bug.cgi?id=136710
1878
1879         Reviewed by Anders Carlsson.
1880
1881         This is a trivial rename.
1882
1883         * CMakeLists.txt:
1884         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1885         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1886         * JavaScriptCore.xcodeproj/project.pbxproj:
1887         * dfg/DFGAbstractHeap.h:
1888         * dfg/DFGClobberize.h:
1889         (JSC::DFG::clobberize):
1890         * dfg/DFGSpeculativeJIT32_64.cpp:
1891         (JSC::DFG::SpeculativeJIT::compile):
1892         * dfg/DFGSpeculativeJIT64.cpp:
1893         (JSC::DFG::SpeculativeJIT::compile):
1894         * ftl/FTLAbstractHeapRepository.cpp:
1895         * ftl/FTLAbstractHeapRepository.h:
1896         * ftl/FTLLowerDFGToLLVM.cpp:
1897         (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters):
1898         * jit/JITOpcodes32_64.cpp:
1899         * jit/JITPropertyAccess.cpp:
1900         (JSC::JIT::emitGetClosureVar):
1901         (JSC::JIT::emitPutClosureVar):
1902         * jit/JITPropertyAccess32_64.cpp:
1903         (JSC::JIT::emitGetClosureVar):
1904         (JSC::JIT::emitPutClosureVar):
1905         * llint/LLIntOffsetsExtractor.cpp:
1906         * llint/LowLevelInterpreter32_64.asm:
1907         * llint/LowLevelInterpreter64.asm:
1908         * runtime/JSActivation.cpp:
1909         (JSC::JSActivation::getOwnNonIndexPropertyNames):
1910         * runtime/JSActivation.h:
1911         * runtime/JSEnvironmentRecord.cpp: Renamed from Source/JavaScriptCore/runtime/JSVariableObject.cpp.
1912         * runtime/JSEnvironmentRecord.h: Renamed from Source/JavaScriptCore/runtime/JSVariableObject.h.
1913         (JSC::JSEnvironmentRecord::registers):
1914         (JSC::JSEnvironmentRecord::registerAt):
1915         (JSC::JSEnvironmentRecord::addressOfRegisters):
1916         (JSC::JSEnvironmentRecord::offsetOfRegisters):
1917         (JSC::JSEnvironmentRecord::JSEnvironmentRecord):
1918         * runtime/JSNameScope.h:
1919         * runtime/JSSegmentedVariableObject.h:
1920
1921 2014-09-10  Julien Brianceau   <jbriance@cisco.com>
1922
1923         [mips] Add missing parts and fix LLINT mips backend
1924         https://bugs.webkit.org/show_bug.cgi?id=136706
1925
1926         Reviewed by Michael Saboff.
1927
1928         * llint/LowLevelInterpreter.asm: Fix invalid CalleeSave register number.
1929         Implement initPCRelative and setEntryAddress macros.
1930         * llint/LowLevelInterpreter32_64.asm: Fix register distribution in
1931         doVMEntry macro.
1932
1933 2014-09-10  Saam Barati  <saambarati1@gmail.com>
1934
1935         TypeSet needs a mode where it no longer profiles structure shapes
1936         https://bugs.webkit.org/show_bug.cgi?id=136263
1937
1938         Reviewed by Filip Pizlo.
1939
1940         The TypeSet data structure used to gather as many StructureShape
1941         objects as it encountered during type profiling. But, this meant 
1942         that there was no upper limit on how many objects it could allocate. 
1943         This patch places a fixed upper bound on the number of StructureShapes
1944         allocated per TypeSet to prevent using too much memory for little gain
1945         in type profiling usefulness.
1946
1947         StructureShape objects are now also aware of when they are created
1948         from Structures which are dictionaries.
1949
1950         In total, this patch lays the final groundwork needed in refactoring 
1951         the inspector protocol for the type profiler.
1952
1953         * runtime/Structure.cpp:
1954         (JSC::Structure::toStructureShape):
1955         * runtime/TypeProfiler.cpp:
1956         (JSC::TypeProfiler::typeInformationForExpressionAtOffset):
1957         * runtime/TypeSet.cpp:
1958         (JSC::TypeSet::TypeSet):
1959         (JSC::TypeSet::addTypeInformation):
1960         (JSC::StructureShape::StructureShape):
1961         (JSC::StructureShape::toJSONString):
1962         (JSC::StructureShape::enterDictionaryMode):
1963         * runtime/TypeSet.h:
1964         (JSC::TypeSet::isOverflown):
1965         * tests/typeProfiler/dictionary-mode.js: Added.
1966         (wrapper):
1967         * tests/typeProfiler/driver/driver.js:
1968         * tests/typeProfiler/overflow.js: Added.
1969         (wrapper.Proto):
1970         (wrapper):
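        The fixed upper bound on StructureShapes described in the entry above, as an added example that is not JavaScriptCore's own TypeSet code. Shapes are deduplicated; once the cap is reached, further distinct shapes are dropped and the set is flagged as overflown, so a profiling data structure cannot grow memory without limit. The cap of 4 and the use of a plain string as the shape key are assumptions for illustration.

```cpp
// Added example, not JavaScriptCore code: a bounded per-site shape collection
// modelled on the ChangeLog entry's description of TypeSet. The cap (4) and the
// string-keyed shape are assumptions for illustration only.
#include <algorithm>
#include <cstddef>
#include <string>
#include <vector>

class BoundedShapeSet {
public:
    static constexpr size_t maxShapes = 4; // assumed cap, not JSC's real value

    // Returns true if the shape is now recorded (new or already present) and
    // false if it was dropped because the set is full. Dropping sets the
    // overflow flag so consumers know the set is no longer exhaustive.
    bool addShape(const std::string& shape)
    {
        if (std::find(m_shapes.begin(), m_shapes.end(), shape) != m_shapes.end())
            return true;
        if (m_shapes.size() >= maxShapes) {
            m_overflown = true;
            return false;
        }
        m_shapes.push_back(shape);
        return true;
    }

    bool isOverflown() const { return m_overflown; }
    size_t shapeCount() const { return m_shapes.size(); }

private:
    std::vector<std::string> m_shapes;
    bool m_overflown = false;
};

// Feeds n distinct constructed shape descriptions ("shape0", "shape1", ...)
// into a fresh set and returns it, so the bound can be inspected.
BoundedShapeSet profileDistinctShapes(size_t n)
{
    BoundedShapeSet set;
    for (size_t i = 0; i < n; ++i)
        set.addShape("shape" + std::to_string(i));
    return set;
}

// Adding an already-recorded shape never consumes a slot, even when full.
bool duplicateDoesNotConsumeSlot()
{
    BoundedShapeSet set = profileDistinctShapes(BoundedShapeSet::maxShapes);
    bool accepted = set.addShape("shape0");
    return accepted && !set.isOverflown()
        && set.shapeCount() == BoundedShapeSet::maxShapes;
}
```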
1971
1972 2014-09-10  Peter Gal  <galpeter@inf.u-szeged.hu>
1973
1974         [MIPS] branch32WithPatch missing
1975         https://bugs.webkit.org/show_bug.cgi?id=136696
1976
1977         Reviewed by Michael Saboff.
1978
1979         Added the missing branch32WithPatch. The implementation
1980         is currently the same as the branchPtrWithPatch because
1981         the macro assembler supports only 32 bit MIPS.
1982
1983         * assembler/MacroAssemblerMIPS.h:
1984         (JSC::MacroAssemblerMIPS::branch32WithPatch):
1985
1986 2014-09-10  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>
1987
1988         Fix !ENABLE(DFG_JIT) build
1989         https://bugs.webkit.org/show_bug.cgi?id=136702
1990
1991         Reviewed by Michael Saboff.
1992
1993         * bytecode/CallEdgeProfile.h:
1994
1995 2014-09-09  Benjamin Poulain  <bpoulain@apple.com>
1996
1997         Disable the "unreachable-code" warning
1998         https://bugs.webkit.org/show_bug.cgi?id=136677
1999
2000         Reviewed by Darin Adler.
2001
2002         * Configurations/Base.xcconfig:
2003
2004 2014-09-08  Filip Pizlo  <fpizlo@apple.com>
2005
2006         DFG should have a reusable SSA builder
2007         https://bugs.webkit.org/show_bug.cgi?id=136331
2008
2009         Reviewed by Oliver Hunt.
2010         
2011         We want to implement sophisticated SSA transformations like object allocation sinking
2012         (https://bugs.webkit.org/show_bug.cgi?id=136330), but to do that, we need to be able to do
2013         updates to SSA that require inserting new Phi's. This requires calculating where Phis go.
2014         Previously, our Phi calculation was based on Aycock and Horspool's algorithm, and our
2015         implementation of this algorithm only worked when doing CPS->SSA conversion. The code
2016         could not be reused for cases where some phase happens to know that it introduced a few
2017         defs in some blocks and it wants to figure out where the Phis should go. Moreover, even
2018         the general algorithm of Aycock and Horspool is not well suited to such targeted SSA
2019         updates, since it requires first inserting maximal Phis. That scales well when the Phis
2020         were already there (like in our CPS form) but otherwise it's quite unnatural and may be
2021         difficult to make efficient.
2022         
2023         The usual way of handling both SSA conversion and SSA update is to use Cytron et al's
2024         algorithm based on dominance frontiers. For a while now, I've been working on creating a
2025         Cytron-based SSA calculator that can be used both as a replacement for our current SSA
2026         converter and as a reusable tool for any phase that needs to do SSA update. I previously
2027         optimized our dominator calculation and representation to use dominator trees computed
2028         using Lengauer and Tarjan's algorithm - mainly to make it more scalable to enumerate over
2029         the set of blocks that dominate you or vice-versa, and then I implemented a dominance
2030         frontier calculator. This patch implements the final step towards making SSA update
2031         available to all SSA phases: it implements an SSACalculator that can tell you where Phis
2032         go when given an arbitrary set of Defs. To keep things simple, and to ensure that we have
2033         good test coverage for this SSACalculator, this patch replaces the old Aycock-Horspool
2034         SSA converter with one based on the SSACalculator.
2035         
2036         This has no observable impact. It does reduce the amount of code in SSAConversionPhase.
2037         But even better, it makes SSAConversionPhase have significantly less tricky logic. It
2038         mostly just relies on SSACalculator to do the tricky stuff, and SSAConversionPhase mostly
2039         just reasons about the weirdnesses unique to the ThreadedCPS form that it sees as input.
2040         In fact, using the Cytron et al approach means that there isn't really any "smoke and
2041         mirrors" trickiness related to SSA. SSACalculator's only "tricks" are using the pruned
2042         iterated dominance frontier to place Phi's and using the dom tree to find reaching defs.
2043         The complexity is mostly confined to Dominators, which computes various dominator-related
2044         properties over the control flow graph. That class can be difficult to understand, but at
2045         least it follows well-known graph theory wisdom.
2046
2047         * CMakeLists.txt:
2048         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2049         * JavaScriptCore.xcodeproj/project.pbxproj:
2050         * dfg/DFGAnalysis.h:
2051         * dfg/DFGCSEPhase.cpp:
2052         * dfg/DFGDCEPhase.cpp:
2053         (JSC::DFG::DCEPhase::run):
2054         * dfg/DFGDominators.h:
2055         (JSC::DFG::Dominators::immediateDominatorOf):
2056         (JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOf):
2057         (JSC::DFG::Dominators::forAllBlocksInPrunedIteratedDominanceFrontierOf):
2058         * dfg/DFGGraph.cpp:
2059         (JSC::DFG::Graph::dump):
2060         (JSC::DFG::Graph::blocksInPreOrder):
2061         (JSC::DFG::Graph::blocksInPostOrder):
2062         (JSC::DFG::Graph::getBlocksInPreOrder): Deleted.
2063         (JSC::DFG::Graph::getBlocksInPostOrder): Deleted.
2064         * dfg/DFGGraph.h:
2065         * dfg/DFGLICMPhase.cpp:
2066         (JSC::DFG::LICMPhase::run):
2067         * dfg/DFGNodeFlags.h:
2068         * dfg/DFGPhase.cpp:
2069         (JSC::DFG::Phase::beginPhase):
2070         (JSC::DFG::Phase::endPhase):
2071         * dfg/DFGPhase.h:
2072         * dfg/DFGSSACalculator.cpp: Added.
2073         (JSC::DFG::SSACalculator::Variable::dump):
2074         (JSC::DFG::SSACalculator::Variable::dumpVerbose):
2075         (JSC::DFG::SSACalculator::Def::dump):
2076         (JSC::DFG::SSACalculator::SSACalculator):
2077         (JSC::DFG::SSACalculator::~SSACalculator):
2078         (JSC::DFG::SSACalculator::newVariable):
2079         (JSC::DFG::SSACalculator::newDef):
2080         (JSC::DFG::SSACalculator::nonLocalReachingDef):
2081         (JSC::DFG::SSACalculator::reachingDefAtTail):
2082         (JSC::DFG::SSACalculator::dump):
2083         * dfg/DFGSSACalculator.h: Added.
2084         (JSC::DFG::SSACalculator::Variable::index):
2085         (JSC::DFG::SSACalculator::Variable::Variable):
2086         (JSC::DFG::SSACalculator::Def::variable):
2087         (JSC::DFG::SSACalculator::Def::block):
2088         (JSC::DFG::SSACalculator::Def::value):
2089         (JSC::DFG::SSACalculator::Def::Def):
2090         (JSC::DFG::SSACalculator::variable):
2091         (JSC::DFG::SSACalculator::computePhis):
2092         (JSC::DFG::SSACalculator::phisForBlock):
2093         (JSC::DFG::SSACalculator::reachingDefAtHead):
2094         * dfg/DFGSSAConversionPhase.cpp:
2095         (JSC::DFG::SSAConversionPhase::SSAConversionPhase):
2096         (JSC::DFG::SSAConversionPhase::run):
2097         (JSC::DFG::SSAConversionPhase::forwardPhiChildren): Deleted.
2098         (JSC::DFG::SSAConversionPhase::forwardPhi): Deleted.
2099         (JSC::DFG::SSAConversionPhase::forwardPhiEdge): Deleted.
2100         (JSC::DFG::SSAConversionPhase::deduplicateChildren): Deleted.
2101         * dfg/DFGSSAConversionPhase.h:
2102         * dfg/DFGValidate.cpp:
2103         (JSC::DFG::Validate::Validate):
2104         (JSC::DFG::Validate::dumpGraphIfAppropriate):
2105         (JSC::DFG::validate):
2106         * dfg/DFGValidate.h:
2107         * ftl/FTLLowerDFGToLLVM.cpp:
2108         (JSC::FTL::LowerDFGToLLVM::lower):
2109         * runtime/Options.h:
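        The Cytron et al. Phi placement the entry above describes, as an added example that is not JavaScriptCore's SSACalculator or Dominators code. It computes immediate dominators with the iterative Cooper, Harvey and Kennedy dataflow formulation, dominance frontiers from them, and then the iterated dominance frontier of the blocks that define a variable; every block in that frontier needs a Phi. The CFG representation (predecessor lists indexed in reverse postorder, block 0 as the entry) and the sample graph with a loop are assumptions for illustration; the liveness-based pruning mentioned in the entry is omitted, so this places unpruned Phis.

```cpp
// Added example, not JavaScriptCore code: Phi placement via dominance
// frontiers. Assumes block indices form a reverse postorder of the CFG with
// block 0 as the entry, and that every block is reachable.
#include <cstddef>
#include <set>
#include <vector>

struct Cfg {
    // preds[b] lists the predecessor block indices of block b.
    std::vector<std::vector<int>> preds;
    size_t size() const { return preds.size(); }
};

// Immediate dominators via the iterative Cooper/Harvey/Kennedy algorithm.
// idom[0] == 0 marks the entry; intersect() walks both fingers up the
// partially built dominator tree until they meet.
std::vector<int> computeIdom(const Cfg& cfg)
{
    const int undefined = -1;
    std::vector<int> idom(cfg.size(), undefined);
    idom[0] = 0;
    auto intersect = [&idom](int a, int b) {
        while (a != b) {
            while (a > b) a = idom[a]; // higher index = deeper in RPO
            while (b > a) b = idom[b];
        }
        return a;
    };
    for (bool changed = true; changed;) {
        changed = false;
        for (int b = 1; b < static_cast<int>(cfg.size()); ++b) {
            int newIdom = undefined;
            for (int p : cfg.preds[b]) {
                if (idom[p] == undefined) continue; // not yet processed
                newIdom = (newIdom == undefined) ? p : intersect(p, newIdom);
            }
            if (newIdom != idom[b]) { idom[b] = newIdom; changed = true; }
        }
    }
    return idom;
}

// Dominance frontier of each block: for every join block, walk from each
// predecessor up the dominator tree until reaching the join's idom, adding
// the join to the frontier of every block passed on the way.
std::vector<std::set<int>> dominanceFrontiers(const Cfg& cfg, const std::vector<int>& idom)
{
    std::vector<std::set<int>> df(cfg.size());
    for (int b = 0; b < static_cast<int>(cfg.size()); ++b) {
        if (cfg.preds[b].size() < 2) continue;
        for (int p : cfg.preds[b])
            for (int runner = p; runner != idom[b]; runner = idom[runner])
                df[runner].insert(b);
    }
    return df;
}

// Iterated dominance frontier of the def blocks: the set of blocks that need
// a Phi for a variable defined in exactly those blocks (unpruned).
std::set<int> phiBlocks(const Cfg& cfg, const std::set<int>& defBlocks)
{
    std::vector<int> idom = computeIdom(cfg);
    std::vector<std::set<int>> df = dominanceFrontiers(cfg, idom);
    std::set<int> result;
    std::vector<int> worklist(defBlocks.begin(), defBlocks.end());
    while (!worklist.empty()) {
        int x = worklist.back();
        worklist.pop_back();
        for (int y : df[x])
            if (result.insert(y).second) // newly placed Phi is itself a def
                worklist.push_back(y);
    }
    return result;
}

// Constructed sample: 0 -> 1; 1 -> 2, 3; 2 -> 4; 3 -> 4; 4 -> 5; 5 -> 1 (loop).
Cfg sampleCfg()
{
    Cfg cfg;
    cfg.preds = { {}, {0, 5}, {1}, {1}, {2, 3}, {4} };
    return cfg;
}
```

        For the sample graph, a variable defined in blocks 2 and 3 gets a Phi at the join block 4, and because that Phi is a new def whose frontier is the loop header, a second Phi at block 1; a variable defined only in the entry needs none.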
2110
2111 2014-09-08  Commit Queue  <commit-queue@webkit.org>
2112
2113         Unreviewed, rolling out r173402.
2114         https://bugs.webkit.org/show_bug.cgi?id=136649
2115
2116         Breaking build with error "unable to restore file position to
2117         0x00000c60 for section __DWARF.__debug_info (errno = 9)"
2118         (Requested by mlam_ on #webkit).
2119
2120         Reverted changeset:
2121
2122         "Move CallFrame and Register inline functions out of
2123         JSScope.h."
2124         https://bugs.webkit.org/show_bug.cgi?id=136579
2125         http://trac.webkit.org/changeset/173402
2126
2127 2014-09-08  Mark Lam  <mark.lam@apple.com>
2128
2129         Move CallFrame and Register inline functions out of JSScope.h.
2130         <https://webkit.org/b/136579>
2131
2132         Reviewed by Geoffrey Garen.
2133
2134         This includes fixing up some files to #include JSCInlines.h to pick up
2135         these inline functions.  I also added JSCellInlines.h to JSCInlines.h
2136         since it is included from many of the affected .cpp files.
2137
2138         * API/ObjCCallbackFunction.mm:
2139         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2140         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2141         * JavaScriptCore.xcodeproj/project.pbxproj:
2142         * bindings/ScriptValue.cpp:
2143         * inspector/InjectedScriptHost.cpp:
2144         * inspector/InjectedScriptManager.cpp:
2145         * inspector/JSGlobalObjectInspectorController.cpp:
2146         * inspector/JSJavaScriptCallFrame.cpp:
2147         * inspector/ScriptDebugServer.cpp:
2148         * interpreter/CallFrameInlines.h:
2149         (JSC::CallFrame::vm):
2150         (JSC::CallFrame::lexicalGlobalObject):
2151         (JSC::CallFrame::globalThisValue):
2152         * interpreter/RegisterInlines.h: Added.
2153         (JSC::Register::operator=):
2154         (JSC::Register::scope):
2155         * runtime/ArgumentsIteratorConstructor.cpp:
2156         * runtime/JSArrayIterator.cpp:
2157         * runtime/JSCInlines.h:
2158         * runtime/JSCJSValue.cpp:
2159         * runtime/JSMapIterator.cpp:
2160         * runtime/JSPromiseConstructor.cpp:
2161         * runtime/JSPromiseDeferred.cpp:
2162         * runtime/JSPromiseFunctions.cpp:
2163         * runtime/JSPromisePrototype.cpp:
2164         * runtime/JSPromiseReaction.cpp:
2165         * runtime/JSScope.h:
2166         (JSC::Register::operator=): Deleted.
2167         (JSC::Register::scope): Deleted.
2168         (JSC::ExecState::vm): Deleted.
2169         (JSC::ExecState::lexicalGlobalObject): Deleted.
2170         (JSC::ExecState::globalThisValue): Deleted.
2171         * runtime/JSSetIterator.cpp:
2172         * runtime/MapConstructor.cpp:
2173         * runtime/MapData.cpp:
2174         * runtime/MapIteratorPrototype.cpp:
2175         * runtime/MapPrototype.cpp:
2176         * runtime/SetConstructor.cpp:
2177         * runtime/SetIteratorPrototype.cpp:
2178         * runtime/SetPrototype.cpp:
2179         * runtime/WeakMapConstructor.cpp:
2180         * runtime/WeakMapPrototype.cpp:
2181
2182 2014-09-08  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>
2183
2184         Remove FILTERS flag
2185         https://bugs.webkit.org/show_bug.cgi?id=136571
2186
2187         Reviewed by Darin Adler.
2188
2189         * Configurations/FeatureDefines.xcconfig:
2190
2191 2014-09-08  Saam Barati  <saambarati1@gmail.com>
2192
2193         Merge StructureShapes that share the same prototype chain
2194         https://bugs.webkit.org/show_bug.cgi?id=136549
2195
2196         Reviewed by Filip Pizlo.
2197
2198         Instead of keeping track of many discrete StructureShapes that share
2199         the same prototype chain, TypeSet should merge StructureShapes that 
2200         have the same prototype chain and provide a new member variable for 
2201         optional structure fields. This provides a cleaner and more concise
2202         interface for dealing with StructureShapes within TypeSet. Instead
2203         of having many discrete shapes that are almost identical, almost 
2204         identical shapes will be merged together with an interface for 
2205         understanding what fields the shapes being merged together differ in.
2206
2207         * runtime/TypeSet.cpp:
2208         (JSC::TypeSet::addTypeInformation):
2209         (JSC::StructureShape::addProperty):
2210         (JSC::StructureShape::toJSONString):
2211         (JSC::StructureShape::inspectorRepresentation):
2212         (JSC::StructureShape::hasSamePrototypeChain):
2213         (JSC::StructureShape::merge):
2214         * runtime/TypeSet.h:
2215         * tests/typeProfiler/optional-fields.js: Added.
2216         (wrapper.func):
2217         (wrapper):
2218
2219 2014-09-08  Jessie Berlin  <jberlin@apple.com>
2220
2221         More 32-bit Release build fixes after r173364.
2222
2223         * dfg/DFGSpeculativeJIT32_64.cpp:
2224         (JSC::DFG::SpeculativeJIT::compile):
2225
2226 2014-09-07  Maciej Stachowiak  <mjs@apple.com>
2227
2228         Fix typos in last patch to fix build.
2229
2230         Unreviewed build fix.
2231
2232         * dfg/DFGSpeculativeJIT.cpp:
2233         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
2234         (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
2235
2236 2014-09-07  Maciej Stachowiak  <mjs@apple.com>
2237
2238         Introduce COMPILER_QUIRK(CONSIDERS_UNREACHABLE_CODE) and use it
2239         https://bugs.webkit.org/show_bug.cgi?id=136616
2240
2241         Reviewed by Darin Adler.
2242         
2243         Many compilers will analyze unreachable code paths (e.g. after an
2244         unreachable code path), so sometimes they need dead code initializations.
2245         But clang with suitable warnings will complain about unreachable code. So
2246         use the quirk to include it conditionally.
2247
2248         * bytecode/CodeBlock.cpp:
2249         (JSC::CodeBlock::printGetByIdOp):
2250         * dfg/DFGOSRExitCompilerCommon.cpp:
2251         (JSC::DFG::handleExitCounts):
2252         * dfg/DFGPlan.cpp:
2253         (JSC::DFG::Plan::compileInThread):
2254         * dfg/DFGSpeculativeJIT.cpp:
2255         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
2256         * jsc.cpp:
2257         * runtime/JSArray.cpp:
2258         (JSC::JSArray::fillArgList):
2259         (JSC::JSArray::copyToArguments):
2260         * runtime/RegExp.cpp:
2261         (JSC::RegExp::compile):
2262         (JSC::RegExp::compileMatchOnly):
2263
2264 2014-09-06  Darin Adler  <darin@apple.com>
2265
2266         Make updates suggested by new version of Xcode
2267         https://bugs.webkit.org/show_bug.cgi?id=136603
2268
2269         Reviewed by Mark Rowe.
2270
2271         * Configurations/Base.xcconfig: Added CLANG_WARN_UNREACHABLE_CODE, COMBINE_HIDPI_IMAGES,
2272         and ENABLE_STRICT_OBJC_MSGSEND as suggested by Xcode upgrade check.
2273
2274         * JavaScriptCore.xcodeproj/project.pbxproj: Update LastUpgradeCheck.
2275
2276         * dfg/DFGSpeculativeJIT.cpp:
2277         (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode): Compile out unreachable code
2278         for clang, since it understands the code is unreachable.
2279         * runtime/JSArray.cpp:
2280         (JSC::JSArray::fillArgList): Ditto.
2281         (JSC::JSArray::copyToArguments): Ditto.
2282
2283 2014-09-05  Matt Baker  <mattbaker@apple.com>
2284
2285         Web Inspector: breakpoint actions should work regardless of Content Security Policy
2286         https://bugs.webkit.org/show_bug.cgi?id=136542
2287
2288         Reviewed by Mark Lam.
2289
2290         Added JSC::DebuggerEvalEnabler, an RAII object which enables eval on a 
2291         JSGlobalObject for the duration of a scope, returning the eval enabled state to its
2292         original value when the scope exits. Used by JSC::DebuggerCallFrame::evaluate 
2293         to allow breakpoint actions to execute JS in pages with a Content Security Policy
2294         that would normally prohibit this (such as Inspector's Main.html).
2295
2296         Refactored Inspector::InjectedScriptBase to use the RAII object instead of manually
2297         setting eval enabled and then resetting the original eval enabled state.
2298
2299         NOTE: The JSC::DebuggerEvalEnabler constructor checks the passed-in ExecState pointer
2300         for null to be equivalent with the original code in Inspector::InjectedScriptBase.
2301         InjectedScriptBase is getting the ExecState from ScriptObject::scriptState(), which
2302         can currently be null.
2303
2304         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2305         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2306         * JavaScriptCore.xcodeproj/project.pbxproj:
2307         * debugger/DebuggerCallFrame.cpp:
2308         (JSC::DebuggerCallFrame::evaluate):
2309         * debugger/DebuggerEvalEnabler.h: Added.
2310         (JSC::DebuggerEvalEnabler::DebuggerEvalEnabler):
2311         (JSC::DebuggerEvalEnabler::~DebuggerEvalEnabler):
2312         * inspector/InjectedScriptBase.cpp:
2313         (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):
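        The scoped eval-enabling guard the entry above describes, as an added example that is not JavaScriptCore's DebuggerEvalEnabler. It shows why the RAII form is preferable to the set/run/reset sequence the entry refactored away: the guard restores the global object's previous eval setting on every exit path, including when a thrown exception unwinds the stack, and tolerates a null pointer the way the entry's note describes. The GlobalObject stand-in with a single flag and the exception-based model of a failing breakpoint action are assumptions for illustration.

```cpp
// Added example, not JavaScriptCore code: RAII guard that temporarily enables
// eval and restores the saved state on scope exit. GlobalObject is a stand-in
// for JSGlobalObject's eval-enabled flag (assumption for illustration).
#include <stdexcept>

struct GlobalObject {
    bool evalEnabled = false; // e.g. false under a CSP that forbids eval
};

class ScopedEvalEnabler {
public:
    // A null global is tolerated: the guard then does nothing, mirroring the
    // null check the entry describes for the real constructor.
    explicit ScopedEvalEnabler(GlobalObject* global)
        : m_global(global)
        , m_savedState(global ? global->evalEnabled : false)
    {
        if (m_global)
            m_global->evalEnabled = true;
    }

    // Destructor runs on normal exit and during exception unwinding alike.
    ~ScopedEvalEnabler()
    {
        if (m_global)
            m_global->evalEnabled = m_savedState;
    }

    ScopedEvalEnabler(const ScopedEvalEnabler&) = delete;
    ScopedEvalEnabler& operator=(const ScopedEvalEnabler&) = delete;

private:
    GlobalObject* m_global;
    bool m_savedState;
};

// Models a breakpoint action evaluated with the guard held. A throw stands in
// for a JS exception raised by the action's script. Returns whether eval was
// enabled while the action ran.
bool runBreakpointAction(GlobalObject* global, bool throwDuringEval)
{
    ScopedEvalEnabler enabler(global);
    if (throwDuringEval)
        throw std::runtime_error("script threw");
    return global && global->evalEnabled;
}

// The pattern the entry refactored away: set, run, reset by hand. A throw
// between the two assignments leaves eval enabled after the action.
void runBreakpointActionManually(GlobalObject& global, bool throwDuringEval)
{
    bool saved = global.evalEnabled;
    global.evalEnabled = true;
    if (throwDuringEval)
        throw std::runtime_error("script threw");
    global.evalEnabled = saved;
}

bool evalStateRestoredAfterNormalExit()
{
    GlobalObject global;
    bool enabledDuring = runBreakpointAction(&global, false);
    return enabledDuring && !global.evalEnabled;
}

bool evalStateRestoredAfterThrow()
{
    GlobalObject global;
    try { runBreakpointAction(&global, true); } catch (const std::runtime_error&) { }
    return !global.evalEnabled;
}

bool manualToggleLeaksEnabledStateOnThrow()
{
    GlobalObject global;
    try { runBreakpointActionManually(global, true); } catch (const std::runtime_error&) { }
    return global.evalEnabled; // still true: the reset was skipped
}

bool nullGlobalIsTolerated()
{
    ScopedEvalEnabler enabler(nullptr);
    return true;
}
```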
2314
2315 2014-09-05  peavo@outlook.com  <peavo@outlook.com>
2316
2317         [WinCairo] jsc.exe won't run.
2318         https://bugs.webkit.org/show_bug.cgi?id=136481
2319
2320         Reviewed by Alex Christensen.
2321         
2322         We need to define WIN_CAIRO to avoid looking for the AAS folder.
2323
2324         * JavaScriptCore.vcxproj/jsc/DLLLauncherWinCairo.props: Added.
2325         * JavaScriptCore.vcxproj/jsc/jscLauncher.vcxproj:
2326         * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncher.vcxproj:
2327         * JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props:
2328         * JavaScriptCore.vcxproj/testapi/testapiLauncher.vcxproj:
2329
2330 2014-09-05  David Kilzer  <ddkilzer@apple.com>
2331
2332         JavaScriptCore should build with newer clang
2333         <http://webkit.org/b/136002>
2334         <rdar://problem/18020616>
2335
2336         Reviewed by Geoffrey Garen.
2337
2338         Other than the JSC::SourceProvider::asID() change (which simply
2339         removes code that the optimizing compiler would have discarded
2340         in Release builds), we move the |this| checks in OpaqueJSString
2341         to NULL checks in JSBase, JSObjectRef, JSScriptRef,
2342         JSStringRef{CF} and JSValueRef.
2343
2344         Note that the following function arguments are _not_ NULL-checked
2345         since doing so would just cover up bugs (and were not needed to
2346         prevent any tests from failing):
2347         - |script| in JSEvaluateScript(), JSCheckScriptSyntax();
2348         - |body| in JSObjectMakeFunction();
2349         - |source| in JSScriptCreateReferencingImmortalASCIIText()
2350           (which is a const char* anyway);
2351         - |source| in JSScriptCreateFromString().
2352
2353         * API/JSBase.cpp:
2354         (JSEvaluateScript): Add NULL check for |sourceURL|.
2355         (JSCheckScriptSyntax): Ditto.
2356         * API/JSObjectRef.cpp:
2357         (JSObjectMakeFunction): Ditto.
2358         * API/JSScriptRef.cpp:
2359         (JSScriptCreateReferencingImmortalASCIIText): Ditto.
2360         (JSScriptCreateFromString): Add NULL check for |url|.
2361         * API/JSStringRef.cpp:
2362         (JSStringGetLength): Return early if NULL pointer is passed in.
2363         (JSStringGetCharactersPtr): Ditto.
2364         (JSStringGetUTF8CString): Ditto.  Also check |buffer| parameter.
2365         * API/JSStringRefCF.cpp:
2366         (JSStringCopyCFString): Ditto.
2367         * API/JSValueRef.cpp:
2368         (JSValueMakeString): Add NULL check for |string|.
2369
2370         * API/OpaqueJSString.cpp:
2371         (OpaqueJSString::string): Remove code that checks |this|.
2372         (OpaqueJSString::identifier): Ditto.
2373         (OpaqueJSString::characters): Ditto.
2374         * API/OpaqueJSString.h:
2375         (OpaqueJSString::is8Bit): Remove code that checks |this|.
2376         (OpaqueJSString::characters8): Ditto.
2377         (OpaqueJSString::characters16): Ditto.
2378         (OpaqueJSString::length): Ditto.
2379
2380         * parser/SourceProvider.h:
2381         (JSC::SourceProvider::asID): Remove code that checks |this|.
2382
2383 2014-06-06  Jer Noble  <jer.noble@apple.com>
2384
2385         Refactoring: make MediaTime the primary time type for audiovisual times.
2386         https://bugs.webkit.org/show_bug.cgi?id=133579
2387
2388         Reviewed by Eric Carlson.
2389
2390         Add a utility function which converts a MediaTime to a JSNumber.
2391
2392         * runtime/JSCJSValue.h:
2393         (JSC::jsNumber):
2394
2395 2014-09-04  Michael Saboff  <msaboff@apple.com>
2396
2397         ARM: Add more coverage to ARMv7 disassembler
2398         https://bugs.webkit.org/show_bug.cgi?id=136565
2399
2400         Reviewed by Mark Lam.
2401
2402         Added ARMv7 disassembler support for Push/Pop multiple and floating point instructions
2403         VCMP, VCVT[R] between floating point and integer, and VLDR.
2404
2405         * disassembler/ARMv7/ARMv7DOpcode.cpp:
2406         (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::appendRegisterList):
2407         (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPopMultiple::format):
2408         (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushMultiple::format):
2409         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::format):
2410         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::format):
2411         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::format):
2412         * disassembler/ARMv7/ARMv7DOpcode.h:
2413         (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::registerList):
2414         (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::condition):
2415         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::condition):
2416         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::dBit):
2417         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::vd):
2418         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::szBit):
2419         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::eBit):
2420         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::mBit):
2421         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::vm):
2422         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::condition):
2423         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::dBit):
2424         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::op2):
2425         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::vd):
2426         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::szBit):
2427         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::op):
2428         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::mBit):
2429         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::vm):
2430         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::condition):
2431         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::uBit):
2432         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::rn):
2433         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::vd):
2434         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::doubleReg):
2435         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::immediate8):
2436
2437 2014-09-04  Mark Lam  <mark.lam@apple.com>
2438
2439         Move PropertySlot's inline functions back to PropertySlot.h.
2440         <https://webkit.org/b/136547>
2441
2442         Reviewed by Filip Pizlo.
2443
2444         * runtime/JSObject.h:
2445         (JSC::PropertySlot::getValue): Deleted.
2446         * runtime/PropertySlot.h:
2447         (JSC::PropertySlot::getValue):
2448
2449 2014-09-04  Filip Pizlo  <fpizlo@apple.com>
2450
2451         Make sure that deleting all code first processes the call edge log, and reenable call edge profiling.
2452
2453         Rubber stamped by Sam Weinig.
2454
2455         * debugger/Debugger.cpp:
2456         (JSC::Debugger::forEachCodeBlock):
2457         (JSC::Debugger::setSteppingMode):
2458         (JSC::Debugger::recompileAllJSFunctions):
2459         * inspector/agents/InspectorRuntimeAgent.cpp:
2460         (Inspector::recompileAllJSFunctionsForTypeProfiling):
2461         * runtime/Options.h: Reenable call edge profiling.
2462         * runtime/VM.cpp:
2463         (JSC::VM::prepareToDiscardCode): Make sure this also processes the call edge log, in case any call edge profiles are about to be destroyed.
2464         (JSC::VM::discardAllCode):
2465         (JSC::VM::releaseExecutableMemory):
2466         (JSC::VM::setEnabledProfiler):
2467         (JSC::VM::waitForCompilationsToComplete): Deleted.
2468         * runtime/VM.h: Rename waitForCompilationsToComplete() back to prepareToDiscardCode() because the purpose of the method - now as ever - is to do all of the things that need to be done to ensure that code may be safely deleted.
2469
2470 2014-09-04  Akos Kiss  <akiss@inf.u-szeged.hu>
2471
2472         Ensure that the call frame set up by vmEntryToNative does not overlap with the stack of the callee
2473         https://bugs.webkit.org/show_bug.cgi?id=136485
2474
2475         Reviewed by Michael Saboff.
2476
2477         Changed makeHostFunctionCall to keep the stack pointer above the call
2478         frame set up by doVMEntry. Thus the callee will/can not override the top
2479         of the call frame.
2480
2481         Refactored the two (32_64 and 64) versions of makeHostFunctionCall to be
2482         more alike to help future maintenance.
2483
2484         * llint/LowLevelInterpreter32_64.asm:
2485         * llint/LowLevelInterpreter64.asm:
2486
2487 2014-09-04  Michael Saboff  <msaboff@apple.com>
2488
2489         REGRESSION(r173031): crashes during run-layout-jsc on x86/Linux
2490         https://bugs.webkit.org/show_bug.cgi?id=136436
2491
2492         Reviewed by Geoffrey Garen.
2493
2494         Instead of trying to calculate a stack pointer that allows for possible
2495         stacked argument space, just use the "home" stack pointer location.
2496         That stack pointer provides space for the worst case number of stacked
2497         arguments on architectures that use stacked arguments.  It also provides
2498         stack space so that the return PC and caller frame pointer that are stored
2499         as part of making the call to operationCallEval will not override any part
2500         of the callee frame created on the stack.
2501
2502         Changed compileCallEval() to use the stackPointer value of the calling
2503         function.  That stack pointer is calculated to have enough space for
2504         outgoing stacked arguments.  By moving the stack pointer to its "home"
2505         position, the caller frame and return PC are not set as part of making
2506         the call to operationCallEval().  Moved the explicit setting of the
2507         callerFrame field of the callee CallFrame from operationCallEval() to
2508         compileCallEval() since it has been the artifact of making a call for
2509         most architectures.  Simplified the exception logic in compileCallEval()
2510         as a result of the change.  To be compliant with the stack state
2511         expected by virtualCallThunkGenerator(), moved the stack pointer to
2512         point above the CallerFrameAndPC of the callee CallFrame.
2513
2514         * jit/JIT.h: Changed callOperationNoExceptionCheck(J_JITOperation_EE, ...)
2515         to callOperation(J_JITOperation_EE, ...) as it now can do a typical exception
2516         check.
2517         * jit/JITCall.cpp & jit/JITCall32_64.cpp:
2518         (JSC::JIT::compileCallEval): Use the home stack pointer when making the call
        to operationCallEval.  Since the stack pointer adjustment no longer needs
        to be done after making the call to operationCallEval(), the exception check
        logic can be simplified.
        (JSC::JIT::compileCallEvalSlowCase): Restored the stack pointer to point
        to above the calleeFrame as this is what the generated thunk expects.
        * jit/JITInlines.h:
        (JSC::JIT::callOperation): Refactor of callOperationNoExceptionCheck
        with the addition of a standard exception check.
        (JSC::JIT::callOperationNoExceptionCheck): Deleted.
        * jit/JITOperations.cpp:
        (JSC::operationCallEval): Eliminated the explicit setting of caller frame
        as that is now done in the code generated by compileCallEval().

2014-09-03  Filip Pizlo  <fpizlo@apple.com>

        Beef up the DFG's CFG analyses to include iterated dominance frontiers and more user-friendly BlockSets
        https://bugs.webkit.org/show_bug.cgi?id=136520

        Reviewed by Geoffrey Garen.

        Add code to compute iterated dominance frontiers. This involves using BlockSet a lot, so
        this patch also makes BlockSet a lot more user-friendly.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGBasicBlock.h:
        * dfg/DFGBlockSet.cpp: Added.
        (JSC::DFG::BlockSet::dump):
        * dfg/DFGBlockSet.h:
        (JSC::DFG::BlockSet::iterator::iterator):
        (JSC::DFG::BlockSet::iterator::operator++):
        (JSC::DFG::BlockSet::iterator::operator==):
        (JSC::DFG::BlockSet::iterator::operator!=):
        (JSC::DFG::BlockSet::Iterable::Iterable):
        (JSC::DFG::BlockSet::Iterable::begin):
        (JSC::DFG::BlockSet::Iterable::end):
        (JSC::DFG::BlockSet::iterable):
        (JSC::DFG::BlockAdder::BlockAdder):
        (JSC::DFG::BlockAdder::operator()):
        * dfg/DFGBlockSetInlines.h: Added.
        (JSC::DFG::BlockSet::iterator::operator*):
        * dfg/DFGDominators.cpp:
        (JSC::DFG::Dominators::strictDominatorsOf):
        (JSC::DFG::Dominators::dominatorsOf):
        (JSC::DFG::Dominators::blocksStrictlyDominatedBy):
        (JSC::DFG::Dominators::blocksDominatedBy):
        (JSC::DFG::Dominators::dominanceFrontierOf):
        (JSC::DFG::Dominators::iteratedDominanceFrontierOf):
        * dfg/DFGDominators.h:
        (JSC::DFG::Dominators::forAllStrictDominatorsOf):
        (JSC::DFG::Dominators::forAllDominatorsOf):
        (JSC::DFG::Dominators::forAllBlocksStrictlyDominatedBy):
        (JSC::DFG::Dominators::forAllBlocksDominatedBy):
        (JSC::DFG::Dominators::forAllBlocksInDominanceFrontierOf):
        (JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOf):
        (JSC::DFG::Dominators::forAllBlocksInDominanceFrontierOfImpl):
        (JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOfImpl):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dumpBlockHeader):
        * dfg/DFGInvalidationPointInjectionPhase.cpp:
        (JSC::DFG::InvalidationPointInjectionPhase::run):

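        The analyses named in the entry above (dominators, dominance frontiers and the
        iterated dominance frontier), worked over a small constructed CFG as an added
        Ruby example. This is not the DFG's C++ implementation in DFGDominators.cpp;
        EXAMPLE_CFG, immediate_dominators, dominance_frontiers and
        iterated_dominance_frontier are hypothetical names. It uses the iterative
        Cooper/Harvey/Kennedy dominator algorithm and Cooper's dominance-frontier
        construction; the iterated frontier is the usual worklist fixed point.

```ruby
# Added example, not JavaScriptCore code. A CFG is a hash from block name to
# successor list; the first key is the entry block. This constructed graph is a
# diamond (A -> B/C -> D) inside a loop (D -> A) with an exit.
EXAMPLE_CFG = {
  "entry" => ["A"],
  "A"     => ["B", "C"],
  "B"     => ["D"],
  "C"     => ["D"],
  "D"     => ["A", "exit"],
  "exit"  => [],
}.freeze

def predecessors(cfg)
  preds = Hash.new { |h, k| h[k] = [] }
  cfg.each_key { |b| preds[b] }
  cfg.each { |b, succs| succs.each { |s| preds[s] << b } }
  preds
end

# Immediate dominators (block => idom) for every reachable block except the
# entry, by iterating to a fixed point in reverse postorder.
def immediate_dominators(cfg)
  entry = cfg.keys.first
  order, seen = [], {}
  dfs = lambda do |b|
    seen[b] = true
    cfg[b].each { |s| dfs.call(s) unless seen[s] }
    order << b
  end
  dfs.call(entry)
  rpo = order.reverse
  num = {}
  rpo.each_with_index { |b, i| num[b] = i }
  preds = predecessors(cfg)
  idom = { entry => entry }
  intersect = lambda do |a, b|
    while a != b
      a = idom[a] while num[a] > num[b]
      b = idom[b] while num[b] > num[a]
    end
    a
  end
  changed = true
  while changed
    changed = false
    rpo.each do |b|
      next if b == entry
      processed = preds[b].select { |p| idom.key?(p) }
      new_idom = processed.reduce { |x, y| intersect.call(x, y) }
      next if idom[b] == new_idom
      idom[b] = new_idom
      changed = true
    end
  end
  idom.reject { |b, _| b == entry }
end

# DF(x): blocks that x dominates a predecessor of, but does not strictly
# dominate. For each join block, walk each predecessor's dominator chain up to
# (not including) the join block's own idom, adding the join block on the way.
def dominance_frontiers(cfg, idom)
  entry = cfg.keys.first
  preds = predecessors(cfg)
  df = Hash.new { |h, k| h[k] = [] }
  cfg.each_key do |b|
    next if preds[b].size < 2
    preds[b].each do |p|
      next unless p == entry || idom.key?(p)   # ignore unreachable predecessors
      runner = p
      while runner && runner != idom[b]
        df[runner] << b unless df[runner].include?(b)
        runner = idom[runner]
      end
    end
  end
  df
end

# DF+(S): the smallest set closed under DF, i.e. DF(S), DF(S u DF(S)), ... This
# is the set of blocks where a definition in S would need a phi (SSA placement).
def iterated_dominance_frontier(df, blocks)
  result = []
  worklist = blocks.dup
  until worklist.empty?
    b = worklist.shift
    df[b].each do |f|
      next if result.include?(f)
      result << f
      worklist << f
    end
  end
  result.sort
end

if __FILE__ == $0
  idom = immediate_dominators(EXAMPLE_CFG)
  df = dominance_frontiers(EXAMPLE_CFG, idom)
  puts "idom: #{idom}"
  puts "DF:   #{df}"
  puts "DF+({B}): #{iterated_dominance_frontier(df, ['B'])}"
end
```

        On this graph the frontier of B and of C is the join block D, and the
        frontier of D (and of A itself) is the loop header A, so the iterated
        frontier of {B} is {D, A}: a value defined only in B needs a merge at D and,
        because D feeds back into the loop, another at A.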
2014-09-04  Mark Lam  <mark.lam@apple.com>

        Fixed indentations and some style warnings in JavaScriptCore/runtime.
        <https://webkit.org/b/136518>

        Reviewed by Michael Saboff.

        Also removed some superfluous spaces.  There are no semantic changes.

        * runtime/Completion.h:
        * runtime/ConstructData.h:
        * runtime/DateConstructor.h:
        * runtime/DateInstance.h:
        * runtime/DateInstanceCache.h:
        * runtime/DatePrototype.h:
        * runtime/Error.h:
        * runtime/ErrorConstructor.h:
        * runtime/ErrorInstance.h:
        * runtime/ErrorPrototype.h:
        * runtime/FunctionConstructor.h:
        * runtime/FunctionPrototype.h:
        * runtime/GetterSetter.h:
        * runtime/Identifier.h:
        * runtime/InitializeThreading.h:
        * runtime/InternalFunction.h:
        * runtime/JSAPIValueWrapper.h:
        * runtime/JSFunction.h:
        * runtime/JSLock.h:
        * runtime/JSNotAnObject.h:
        * runtime/JSONObject.h:
        * runtime/JSString.h:
        * runtime/JSTypeInfo.h:
        * runtime/JSWrapperObject.h:
        * runtime/Lookup.h:
        * runtime/MathObject.h:
        * runtime/NativeErrorConstructor.h:
        * runtime/NativeErrorPrototype.h:
        * runtime/NumberConstructor.h:
        * runtime/NumberObject.h:
        * runtime/NumberPrototype.h:
        * runtime/NumericStrings.h:
        * runtime/ObjectConstructor.h:
        * runtime/ObjectPrototype.h:
        * runtime/PropertyDescriptor.h:
        * runtime/Protect.h:
        * runtime/PutPropertySlot.h:
        * runtime/RegExp.h:
        * runtime/RegExpCachedResult.h:
        * runtime/RegExpConstructor.h:
        * runtime/RegExpMatchesArray.h:
        * runtime/RegExpObject.h:
        * runtime/RegExpPrototype.h:
        * runtime/SmallStrings.h:
        * runtime/StringConstructor.h:
        * runtime/StringObject.h:
        * runtime/StringPrototype.h:
        * runtime/StructureChain.h:
        * runtime/VM.h:

2014-09-04  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        Remove CSS_FILTERS flag
        https://bugs.webkit.org/show_bug.cgi?id=136529

        Reviewed by Dirk Schulze.

        * Configurations/FeatureDefines.xcconfig:

2014-09-04  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r173248.
        https://bugs.webkit.org/show_bug.cgi?id=136536

        call edge profiling and polymorphic call inlining are still
        causing crashes (Requested by eric_carlson on #webkit).

        Reverted changeset:

        "Reenable call edge profiling and polymorphic call inlining,
        now that a bunch of the bugs"
        http://trac.webkit.org/changeset/173248

2014-09-04  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: the profiler should not accrue time to nodes while the debugger is paused
        https://bugs.webkit.org/show_bug.cgi?id=136352

        Reviewed by Timothy Hatcher.

        Hook up pause/continue events to the LegacyProfiler and any active
        ProfilerGenerators. If the debugger is paused, all intervening call
        entries will be created with totalTime as 0.0.

        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::handlePause):
        * profiler/LegacyProfiler.cpp: Move from typedef'd callbacks to using
        std::function. This allows callbacks to take different argument types.

        (JSC::callFunctionForProfilesWithGroup):
        (JSC::LegacyProfiler::willExecute):
        (JSC::LegacyProfiler::didExecute):
        (JSC::LegacyProfiler::exceptionUnwind):
        (JSC::LegacyProfiler::didPause):
        (JSC::LegacyProfiler::didContinue):
        (JSC::dispatchFunctionToProfiles): Deleted.
        * profiler/LegacyProfiler.h:
        * profiler/ProfileGenerator.cpp:
        (JSC::ProfileGenerator::ProfileGenerator):
        (JSC::ProfileGenerator::endCallEntry):
        (JSC::ProfileGenerator::didExecute): Deleted.
        * profiler/ProfileGenerator.h:
        (JSC::ProfileGenerator::didPause):
        (JSC::ProfileGenerator::didContinue):

2014-09-04  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r173245.
        https://bugs.webkit.org/show_bug.cgi?id=136533

        Broke JSC tests. (Requested by ddkilzer on #webkit).

        Reverted changeset:

        "JavaScriptCore should build with newer clang"
        https://bugs.webkit.org/show_bug.cgi?id=136002
        http://trac.webkit.org/changeset/173245

2014-09-04  Brian J. Burg  <burg@cs.washington.edu>

        LegacyProfiler: ProfileNodes should be used more like structs
        https://bugs.webkit.org/show_bug.cgi?id=136381

        Reviewed by Timothy Hatcher.

        Previously, both the profile generator and individual profile nodes
        were collectively responsible for creating new Call entries and
        maintaining data structure invariants. This complexity is unnecessary.

        This patch centralizes profile data creation inside the profile generator.
        The profile nodes manage nextSibling and parent pointers, but do not
        collect the current time or create new Call entries themselves.

        Since ProfileNode::nextSibling and its callers are only used within
        debug printing code, it should be compiled out for release builds.

        * profiler/ProfileGenerator.cpp:
        (JSC::ProfileGenerator::ProfileGenerator):
        (JSC::AddParentForConsoleStartFunctor::operator()):
        (JSC::ProfileGenerator::beginCallEntry): create a new Call entry.
        (JSC::ProfileGenerator::endCallEntry): finish the last Call entry.
        (JSC::ProfileGenerator::willExecute): inline ProfileNode::willExecute()
        (JSC::ProfileGenerator::didExecute): inline ProfileNode::didExecute()
        (JSC::ProfileGenerator::stopProfiling): Only walk up the spine.
        (JSC::ProfileGenerator::removeProfileStart):
        (JSC::ProfileGenerator::removeProfileEnd):
        * profiler/ProfileGenerator.h:
        * profiler/ProfileNode.cpp:
        (JSC::ProfileNode::ProfileNode):
        (JSC::ProfileNode::addChild):
        (JSC::ProfileNode::removeChild):
        (JSC::ProfileNode::spliceNode): Renamed from insertNode.
        (JSC::ProfileNode::debugPrintRecursively):
        (JSC::ProfileNode::willExecute): Deleted.
        (JSC::ProfileNode::insertNode): Deleted.
        (JSC::ProfileNode::stopProfiling): Deleted.
        (JSC::ProfileNode::traverseNextNodePostOrder):
        (JSC::ProfileNode::endAndRecordCall): Deleted.
        (JSC::ProfileNode::debugPrintDataSampleStyle):
        * profiler/ProfileNode.h:
        (JSC::ProfileNode::Call::setStartTime):
        (JSC::ProfileNode::Call::setTotalTime):
        (JSC::ProfileNode::appendCall):
        (JSC::ProfileNode::firstChild):
        (JSC::ProfileNode::lastChild):
        (JSC::ProfileNode::nextSibling):
        (JSC::ProfileNode::setNextSibling):

2014-09-02  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: fix prefixes for subclasses of JSC::ConsoleClient
        https://bugs.webkit.org/show_bug.cgi?id=136476

        Reviewed by Timothy Hatcher.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * inspector/JSGlobalObjectConsoleClient.cpp: Renamed from Source/JavaScriptCore/inspector/JSConsoleClient.cpp.
        * inspector/JSGlobalObjectConsoleClient.h: Renamed from Source/JavaScriptCore/inspector/JSConsoleClient.h.
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::reportAPIException):
        * inspector/JSGlobalObjectInspectorController.h:

2014-09-03  Filip Pizlo  <fpizlo@apple.com>

        Reenable call edge profiling and polymorphic call inlining, now that a bunch of the bugs
        are fixed.

        * runtime/Options.h:

2014-09-03  David Kilzer  <ddkilzer@apple.com>

        JavaScriptCore should build with newer clang
        <http://webkit.org/b/136002>
        <rdar://problem/18020616>

        Reviewed by Geoffrey Garen.

        Other than the JSC::SourceProvider::asID() change (which simply
        removes code that the optimizing compiler would have discarded
        in Release builds), we move the |this| checks in OpaqueJSString
        to NULL checks into JSBase, JSScriptRef, JSStringRef{CF} and
        JSValueRef.

        * API/JSBase.cpp:
        (JSEvaluateScript): Use String() in case |script| or |sourceURL|
        are NULL.
        * API/JSScriptRef.cpp:
        (JSScriptCreateReferencingImmortalASCIIText): Use String() in
        case |url| is NULL.
        * API/JSStringRef.cpp:
        (JSStringGetLength): Return early if NULL pointer is passed in.
        (JSStringGetCharactersPtr): Ditto.
        (JSStringGetUTF8CString): Ditto.  Also check |buffer| parameter.
        * API/JSStringRefCF.cpp:
        (JSStringCopyCFString): Ditto.
        * API/JSValueRef.cpp:
        (JSValueMakeString): Use String() in case |string| is NULL.

        * API/OpaqueJSString.cpp:
        (OpaqueJSString::string): Remove code that checks |this|.
        (OpaqueJSString::identifier): Ditto.
        (OpaqueJSString::characters): Ditto.
        * API/OpaqueJSString.h:
        (OpaqueJSString::is8Bit): Remove code that checks |this|.
        (OpaqueJSString::characters8): Ditto.
        (OpaqueJSString::characters16): Ditto.
        (OpaqueJSString::length): Ditto.

        * parser/SourceProvider.h:
        (JSC::SourceProvider::asID): Remove code that checks |this|.

2014-09-03  Filip Pizlo  <fpizlo@apple.com>

        CallEdgeProfile::visitWeak() shouldn't attempt to despecify empty profiles
        https://bugs.webkit.org/show_bug.cgi?id=136511

        Reviewed by Geoffrey Garen.

        * bytecode/CallEdgeProfile.cpp:
        (JSC::CallEdgeProfile::worthDespecifying):
        (JSC::CallEdgeProfile::visitWeak):
        (JSC::CallEdgeProfile::mergeBack):

2014-09-03  David Kilzer  <ddkilzer@apple.com>

        REGRESSION (r167325): (null) entry added to Xcode project file when JSBoundFunction.h was removed
        <http://webkit.org/b/136509>

        Reviewed by Daniel Bates.

        * JavaScriptCore.xcodeproj/project.pbxproj: Remove the (null)
        entry left behind when JSBoundFunction.h was removed.

2014-09-03  Joseph Pecoraro  <pecoraro@apple.com>

        Avoid warning if a process does not have access to com.apple.webinspector
        https://bugs.webkit.org/show_bug.cgi?id=136473

        Reviewed by Alexey Proskuryakov.

        Pre-check for access to the mach port to avoid emitting warnings
        in syslog for processes that do not have access.

        * inspector/remote/RemoteInspector.mm:
        (Inspector::canAccessWebInspectorMachPort):
        (Inspector::RemoteInspector::shared):

2014-09-03  Filip Pizlo  <fpizlo@apple.com>

        Temporarily disable call edge profiling. It is causing crashes and I'm still investigating
        them.

        * runtime/Options.h:

2014-09-03  Balazs Kilvady  <kilvadyb@homejinni.com>

        [MIPS] Wrong register usage in LLInt op_catch.
        https://bugs.webkit.org/show_bug.cgi?id=125168

        Reviewed by Geoffrey Garen.

        Fix register usage and add PIC header to all the ops in LLInt.

        * offlineasm/instructions.rb:
        * offlineasm/mips.rb:

2014-09-03  Saam Barati  <saambarati1@gmail.com>

        Create tests for type profiling
        https://bugs.webkit.org/show_bug.cgi?id=136161

        Reviewed by Geoffrey Garen.

        The type profiler is now being tested. These are basic tests that don't
        check every edge case, but will catch any major failures in the type profiler.
        These tests cover:
        - The basic, inheritance-based type system in TypeSet.
        - Function return types.
        - Correct merging of types for multiple assignments to one variable.

        This patch also provides an API for writing new tests for
        the type profiler. The API works by passing in a function and a
        unique substring of an expression contained in that function, and
        returns an object representing type information for that expression.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionFindTypeForExpression):
        (functionReturnTypeFor):
        * runtime/TypeProfiler.cpp:
        (JSC::TypeProfiler::typeInformationForExpressionAtOffset):
        * runtime/TypeProfiler.h:
        * runtime/TypeProfilerLog.h:
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::toJSONString):
        (JSC::StructureShape::toJSONString):
        * runtime/TypeSet.h:
        * tests/typeProfiler: Added.
        * tests/typeProfiler.yaml: Added.
        * tests/typeProfiler/basic.js: Added.
        (wrapper.foo):
        (wrapper):
        * tests/typeProfiler/captured.js: Added.
        (wrapper.changeFoo):
        (wrapper):
        * tests/typeProfiler/driver: Added.
        * tests/typeProfiler/driver/driver.js: Added.
        (assert):
        * tests/typeProfiler/inheritance.js: Added.
        (wrapper.A):
        (wrapper.B):
        (wrapper.C):
        (wrapper):
        * tests/typeProfiler/return.js: Added.
        (foo):
        (Ctor):

2014-09-03  Julien Brianceau  <jbriance@cisco.com>

        Add missing implementations to fix build for sh4 architecture
        https://bugs.webkit.org/show_bug.cgi?id=136455

        Reviewed by Geoffrey Garen.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::store8):
        (JSC::MacroAssemblerSH4::moveWithPatch):
        (JSC::MacroAssemblerSH4::branchAdd32):
        (JSC::MacroAssemblerSH4::branch32WithPatch):
        (JSC::MacroAssemblerSH4::abortWithReason):
        (JSC::MacroAssemblerSH4::canJumpReplacePatchableBranch32WithPatch):
        (JSC::MacroAssemblerSH4::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerSH4::revertJumpReplacementToPatchableBranch32WithPatch):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitFunctionPrologue):
        (JSC::AssemblyHelpers::emitFunctionEpilogue):

2014-09-03  Dan Bernstein  <mitz@apple.com>

        Get rid of HIGH_DPI_CANVAS leftovers
        https://bugs.webkit.org/show_bug.cgi?id=136491

        Reviewed by Benjamin Poulain.

        * Configurations/FeatureDefines.xcconfig: Removed definition of ENABLE_HIGH_DPI_CANVAS
        and removed it from FEATURE_DEFINES.

2014-09-03  Filip Pizlo  <fpizlo@apple.com>

        CallEdgeProfile::visitWeak() should gracefully handle the case where primaryCallee duplicates an entry in otherCallees
        https://bugs.webkit.org/show_bug.cgi?id=136490

        Reviewed by Geoffrey Garen.

        * bytecode/CallEdgeProfile.cpp:
        (JSC::CallEdgeProfile::visitWeak):

2014-09-03  Filip Pizlo  <fpizlo@apple.com>

        FTL In implementation sets callReturnLocation incorrectly leading to crashes beneath repatchCall()
        https://bugs.webkit.org/show_bug.cgi?id=136488

        Reviewed by Mark Hahnenberg.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::generateCheckInICFastPath): The call is in the slow path.
        * tests/stress/ftl-in-overflow.js: Added. This used to crash with 100% with FTL enabled.
        (foo):

2014-09-03  Akos Kiss  <akiss@inf.u-szeged.hu>

        Don't generate superfluous mov instructions for move immediate on ARM64.
        https://bugs.webkit.org/show_bug.cgi?id=136435

        Reviewed by Michael Saboff.

        On ARM64, the size of an immediate operand for a mov instruction is 16
        bits. Thus, a move immediate offlineasm instruction may potentially be
        split up into several machine-level instructions. The current
        implementation always emits a mov for the least significant 16 bits of
        the value. However, if any of the bits 63:16 are significant then the
        first emitted mov already filled bits 15:0 with zeroes (or ones, for
        negative values). So, if bits 15:0 of the value are all zeroes (or ones)
        then the last mov does not need to be emitted.

        * offlineasm/arm64.rb:

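        The 16-bit chunking described in the entry above, as an added Ruby example
        (offlineasm is written in Ruby) that is not WebKit's arm64.rb: mov_immediate64
        and simulate are hypothetical helpers. The optimize: false path reproduces the
        old behaviour the entry describes (a mov for bits 15:0 is always emitted), the
        default path skips that mov when the first movz/movn already filled those bits,
        and simulate interprets the emitted lines so both sequences can be checked to
        load the same 64-bit value.

```ruby
# Added example, not WebKit's offlineasm code.
MASK64 = (1 << 64) - 1

# Returns the assembler lines that load `value` (a signed 64-bit integer) into
# `reg`, using movz/movn for the first significant 16-bit chunk and movk for the
# rest. Chunks are visited from most to least significant.
def mov_immediate64(value, reg, optimize: true)
  negative = value < 0
  fill = negative ? 0xffff : 0   # what movz (zeroes) or movn (ones) leaves in untouched chunks
  lines = []
  first = true
  [48, 32, 16, 0].each do |shift|
    chunk = (value >> shift) & 0xffff   # arithmetic shift keeps sign bits for negatives
    redundant =
      if optimize
        # A fill-valued chunk needs no instruction, except when nothing has
        # been emitted yet and this is the last chunk (the value is all-fill).
        chunk == fill && !(first && shift == 0)
      else
        # Old behaviour: bits 15:0 always get their own mov.
        chunk == fill && shift != 0
      end
    next if redundant
    if first
      # movz: chunk << shift, all other bits zero.
      # movn: NOT(chunk << shift), so operand is the complement of the wanted bits.
      lines << (negative ? "movn #{reg}, ##{(~chunk) & 0xffff}, lsl ##{shift}" \
                         : "movz #{reg}, ##{chunk}, lsl ##{shift}")
      first = false
    else
      lines << "movk #{reg}, ##{chunk}, lsl ##{shift}"   # keep other bits, replace one chunk
    end
  end
  lines
end

# Interprets movz/movn/movk lines and returns the resulting 64-bit register
# pattern, so an emitted sequence can be verified round-trip.
def simulate(lines)
  reg = 0
  lines.each do |line|
    m = line.match(/\A(movz|movn|movk) \w+, #(\d+), lsl #(\d+)\z/)
    raise "unexpected instruction: #{line}" unless m
    op, imm, shift = m[1], m[2].to_i, m[3].to_i
    case op
    when "movz" then reg = imm << shift
    when "movn" then reg = (~(imm << shift)) & MASK64
    when "movk" then reg = (reg & ~(0xffff << shift) & MASK64) | (imm << shift)
    end
  end
  reg
end

if __FILE__ == $0
  [0x10000, 0, -1, -65536, 0x123456780000].each do |v|
    puts format("%#x:", v & MASK64)
    puts "  optimized:   #{mov_immediate64(v, 'x0').join(' ; ')}"
    puts "  unoptimized: #{mov_immediate64(v, 'x0', optimize: false).join(' ; ')}"
  end
end
```

        For 0x10000 the optimized sequence is the single "movz x0, #1, lsl #16"; the
        old path adds a "movk x0, #0, lsl #0" that rewrites bits 15:0 with the zeroes
        movz already put there. A value of 0 or -1 still gets exactly one instruction,
        because then the low chunk is the only one and must be emitted.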
2014-09-02  Brian J. Burg  <burg@cs.washington.edu>

        LegacyProfiler: remove redundant ProfileNode members and other cleanup
        https://bugs.webkit.org/show_bug.cgi?id=136380

        Reviewed by Timothy Hatcher.

        ProfileNode's selfTime and totalTime members are redundant and only used
        for dumping profile data from debug-only code. Remove the members and compute
        the same data on-demand when necessary using a postorder traversal functor.

        Remove ProfileNode.head since it is only used to calculate percentages for
        dumped profile data. This can be explicitly passed around when needed.

        Rename Profile.head to Profile.rootNode, and other various renamings.

        Rearrange some header includes so that touching LegacyProfiler-related headers
        will no longer cause a full rebuild.

        * inspector/JSConsoleClient.cpp: Add header include.
        * inspector/agents/InspectorProfilerAgent.cpp:
        (Inspector::InspectorProfilerAgent::buildProfileInspectorObject):
        * inspector/protocol/Profiler.json: Remove unused Profile.idleTime member.
        * jit/JIT.h: Remove header include.
        * jit/JITCode.h: Remove header include.
        * jit/JITOperations.cpp: Sort and add header include.
        * llint/LLIntSlowPaths.cpp: Sort and add header include.
        * profiler/Profile.cpp: Rename the debug dumping functions. Move the node
        postorder traversal code to ProfileNode so we can traverse any subtree.
        (JSC::Profile::Profile):
        (JSC::Profile::debugPrint):
        (JSC::Profile::debugPrintSampleStyle):
        (JSC::Profile::forEach): Deleted.
        (JSC::Profile::debugPrintData): Deleted.
        (JSC::Profile::debugPrintDataSampleStyle): Deleted.
        * profiler/Profile.h:
        * profiler/ProfileGenerator.cpp:
        (JSC::ProfileGenerator::ProfileGenerator):
        (JSC::AddParentForConsoleStartFunctor::AddParentForConsoleStartFunctor):
        (JSC::AddParentForConsoleStartFunctor::operator()):
        (JSC::ProfileGenerator::addParentForConsoleStart):
        (JSC::ProfileGenerator::didExecute):
        (JSC::StopProfilingFunctor::operator()):
        (JSC::ProfileGenerator::stopProfiling):
        (JSC::ProfileGenerator::removeProfileStart):
        (JSC::ProfileGenerator::removeProfileEnd):
        * profiler/ProfileGenerator.h:
        * profiler/ProfileNode.cpp:
        (JSC::ProfileNode::ProfileNode):
        (JSC::ProfileNode::willExecute):
        (JSC::ProfileNode::removeChild):
        (JSC::ProfileNode::stopProfiling):
        (JSC::ProfileNode::endAndRecordCall):
        (JSC::ProfileNode::debugPrint):
        (JSC::ProfileNode::debugPrintSampleStyle):
        (JSC::ProfileNode::debugPrintRecursively):
        (JSC::ProfileNode::debugPrintSampleStyleRecursively):
        (JSC::ProfileNode::debugPrintData): Deleted.
        (JSC::ProfileNode::debugPrintDataSampleStyle): Deleted.
        * profiler/ProfileNode.h: Calculate per-node self and total times using a postorder traversal.
        The forEachNodePostorder functor traverses the subtree rooted at |this|.
        (JSC::ProfileNode::create):
        (JSC::ProfileNode::calls):
        (JSC::ProfileNode::forEachNodePostorder):
        (JSC::CalculateProfileSubtreeDataFunctor::returnValue):
        (JSC::CalculateProfileSubtreeDataFunctor::operator()):
        (JSC::ProfileNode::head): Deleted.
        (JSC::ProfileNode::setHead): Deleted.
        (JSC::ProfileNode::totalTime): Deleted.
        (JSC::ProfileNode::setTotalTime): Deleted.
        (JSC::ProfileNode::selfTime): Deleted.
        (JSC::ProfileNode::setSelfTime): Deleted.
        (JSC::ProfileNode::totalPercent): Deleted.
        (JSC::ProfileNode::selfPercent): Deleted.
        * runtime/ConsoleClient.h: Remove header include.

2014-09-02  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: remove ProfilerAgent and legacy profiler files in the frontend
        https://bugs.webkit.org/show_bug.cgi?id=136462

        Reviewed by Timothy Hatcher.

        It's not used by the frontend anymore.

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:

        * inspector/JSConsoleClient.cpp:
        (Inspector::JSConsoleClient::JSConsoleClient): Stub out console.profile/profileEnd
        methods since they didn't work for JSContexts anyway.
        (Inspector::JSConsoleClient::profile):
        (Inspector::JSConsoleClient::profileEnd):
        * inspector/JSConsoleClient.h:

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        * inspector/agents/InspectorProfilerAgent.cpp: Removed.
        * inspector/agents/InspectorProfilerAgent.h: Removed.
        * inspector/agents/JSGlobalObjectProfilerAgent.cpp: Removed.
        * inspector/agents/JSGlobalObjectProfilerAgent.h: Removed.
        * inspector/protocol/Profiler.json: Removed.

2014-09-02  Andreas Kling  <akling@apple.com>

        Optimize own property GetByVals with rope string subscripts.
        <https://webkit.org/b/136458>

        For simple JSObjects that don't override getOwnPropertySlot to implement
        custom properties, we have a fast path that grabs directly at the object
        property storage.

        Make this fast path even faster when the property name is an unresolved
        rope string by using JSString::toExistingAtomicString(). This is faster
        because it avoids allocating a new StringImpl if the string is already
        a known Identifier, which is guaranteed to be the case if it's present
        as an own property on the object.

        ~10% speed-up on Dromaeo/dom-attr.html

        Reviewed by Geoffrey Garen.

        * dfg/DFGOperations.cpp:
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getByVal):

            When using the fastGetOwnProperty() optimization, get the String
            out of JSString by using toExistingAtomicString(). This avoids
            StringImpl allocation and lets us bypass the PropertyTable lookup
            entirely if no AtomicString is found.

        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::fastGetOwnProperty):

            Make fastGetOwnProperty() take a PropertyName instead of a String.
            This avoids churning the ref count, since we don't need to create
            a temporary wrapper around the AtomicStringImpl* found in GetByVal.

        * runtime/PropertyName.h:
        (JSC::PropertyName::PropertyName):

            Add constructor: PropertyName(AtomicStringImpl*)

        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::get):
        (JSC::PropertyTable::findWithString): Deleted.
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::get):

            Remove code for querying a PropertyTable with an unhashed string key
            since the only client is now gone.

2014-09-02  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        [ARM] MacroAssembler generating incorrect code on ARM32 Traditional
        https://bugs.webkit.org/show_bug.cgi?id=136429

        Reviewed by Csaba Osztrogonác.

        Changed test32 to use tst to check if reg is zero, instead of cmp.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::test32):

2014-09-02  Michael Saboff  <msaboff@apple.com>

        Out of bounds write in vmEntryToJavaScript / JSC::JITCode::execute
        https://bugs.webkit.org/show_bug.cgi?id=136305

        Reviewed by Filip Pizlo.

        While preparing the callee's CallFrame, ProtoCallFrame fixes any arity mismatch
        and then JITCode::execute() calls the normal entrypoint.  This is incompatible
        with the expectation of FTL generated functions.  Changed ProtoCallFrame to not
        perform the arity fix, but just flag an arity mismatch.  Now JITCode::execute()
        uses that arity mismatch condition to select the normal or arity check
        entrypoint.  The entrypoint selection is only done for functions; programs
        and eval always have one parameter.

        * interpreter/ProtoCallFrame.cpp:
        (JSC::ProtoCallFrame::init): Changed to flag arity mismatch instead of fixing it.
        * interpreter/ProtoCallFrame.h:
        (JSC::ProtoCallFrame::needArityCheck): New boolean to signify what entrypoint
        should be called.
        * jit/JITCode.cpp:
        (JSC::JITCode::execute): Select normal or arity check entrypoint as appropriate.

2014-09-02  peavo@outlook.com  <peavo@outlook.com>

        [WinCairo] testapi.exe is not built.
        https://bugs.webkit.org/show_bug.cgi?id=136369

        Reviewed by Alex Christensen.

        The testapi project should be of type Application.

        * JavaScriptCore.vcxproj/jsc/jscLauncher.vcxproj: Change project type to Application.
        * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncher.vcxproj: Ditto.
        * JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props: Compile and link fix.
        * JavaScriptCore.vcxproj/testapi/testapiLauncher.vcxproj: Change project type to Application.

2014-09-01  Akos Kiss  <akiss@inf.u-szeged.hu>

        [CMAKE] Add missing offlineasm dependencies
        https://bugs.webkit.org/show_bug.cgi?id=136437

        Reviewed by Csaba Osztrogonác.

        Add the ARM64, MIPS and SH4 backends to the dependencies.

        * CMakeLists.txt:

2014-09-01  Brian J. Burg  <burg@cs.washington.edu>

        Provide column numbers to DTrace willExecute/didExecute probes
        https://bugs.webkit.org/show_bug.cgi?id=136434

        Reviewed by Antti Koivisto.

        Provide the columnNumber and update stubs for !HAVE(DTRACE).

        * profiler/ProfileGenerator.cpp:
        (JSC::ProfileGenerator::willExecute):
        (JSC::ProfileGenerator::didExecute):
        * runtime/Tracing.d:
        * runtime/Tracing.h:

2014-09-01  Gyuyoung Kim  <gyuyoung.kim@samsung.com>

        [CMAKE] Build warning by INTERFACE_LINK_LIBRARIES
        https://bugs.webkit.org/show_bug.cgi?id=136194

        Reviewed by Csaba Osztrogonác.

        Set the LINK_INTERFACE_LIBRARIES target property on the top level CMakeLists.txt.

        * CMakeLists.txt:

2014-08-26  Maciej Stachowiak  <mjs@apple.com>

        Use RetainPtr::autorelease in some places where it seems appropriate
        https://bugs.webkit.org/show_bug.cgi?id=136280

        Reviewed by Darin Adler.

        * API/JSContext.mm:
        (-[JSContext name]): Use RetainPtr::autorelease() in place of ObjC autorelease.
        * API/JSValue.mm:
        (valueToString): Make appropriate use of RetainPtr

2014-08-29  Akos Kiss  <akiss@inf.u-szeged.hu>

        Ensure that the call frame passed from doVMEntry to the called function always contains the valid scope chain.
        https://bugs.webkit.org/show_bug.cgi?id=136391

        Reviewed by Michael Saboff.

        Do not rely on calling conventions to fill in the CallerFrame component
        of the ExecState* parameter of the called function.

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2014-08-29  Saam Barati  <sbarati@apple.com>

        emit op_profile_type for deconstruction assignments
        https://bugs.webkit.org/show_bug.cgi?id=136274

        Reviewed by Filip Pizlo.

        Enable type profiling for ES6 deconstruction expressions.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::BindingNode::bindValue):

2014-08-29  Joseph Pecoraro  <pecoraro@apple.com>

        JavaScriptCore: Use ASCIILiteral where possible
        https://bugs.webkit.org/show_bug.cgi?id=136179

        Reviewed by Michael Saboff.

        General string / character related changes. Use ASCIILiteral where
        possible, jsNontrivialString where possible, and replace string
        literals with character literals in some places.

        No new tests, no changes to functionality.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::nameForRegister):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PostfixNode::emitBytecode):
        (JSC::PrefixNode::emitBytecode):
        (JSC::AssignErrorNode::emitBytecode):
        (JSC::ForInNode::emitMultiLoopBytecode):
        (JSC::ForOfNode::emitBytecode):
        (JSC::ObjectPatternNode::toString):
        * dfg/DFGFunctionWhitelist.cpp:
        (JSC::DFG::FunctionWhitelist::contains):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::newTypedArrayWithSize):
        (JSC::DFG::newTypedArrayWithOneArgument):
        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::addToFrontend):
        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::InspectorBackendDispatcher::dispatch):
        * inspector/ScriptCallStackFactory.cpp:
3314         (Inspector::extractSourceInformationFromException):
3315         * inspector/scripts/codegen/generator_templates.py:
3316         * interpreter/StackVisitor.cpp:
3317         (JSC::StackVisitor::Frame::functionName):
3318         (JSC::StackVisitor::Frame::sourceURL):
3319         * jit/JITOperations.cpp:
3320         * jsc.cpp:
3321         (functionDescribeArray):
3322         (functionRun):
3323         (functionLoad):
3324         (functionReadFile):
3325         (functionCheckSyntax):
3326         (functionTransferArrayBuffer):
3327         (runWithScripts):
3328         (runInteractive):
3329         * parser/Lexer.cpp:
3330         (JSC::Lexer<T>::invalidCharacterMessage):
3331         (JSC::Lexer<T>::parseString):
3332         (JSC::Lexer<T>::parseStringSlowCase):
3333         (JSC::Lexer<T>::lex):
3334         * profiler/Profile.cpp:
3335         (JSC::Profile::Profile):
3336         * runtime/Arguments.cpp:
3337         (JSC::argumentsFuncIterator):
3338         * runtime/ArrayPrototype.cpp:
3339         (JSC::performSlowSort):
3340         (JSC::arrayProtoFuncSort):
3341         * runtime/ExceptionHelpers.cpp:
3342         (JSC::createError):
3343         (JSC::createInvalidParameterError):
3344         (JSC::createNotAConstructorError):
3345         (JSC::createNotAFunctionError):
3346         (JSC::createNotAnObjectError):
3347         (JSC::createErrorForInvalidGlobalAssignment):
3348         * runtime/FunctionPrototype.cpp:
3349         (JSC::insertSemicolonIfNeeded):
3350         * runtime/JSArray.cpp:
3351         (JSC::JSArray::defineOwnProperty):
3352         (JSC::JSArray::pop):
3353         (JSC::JSArray::push):
3354         * runtime/JSArrayBufferConstructor.cpp:
3355         (JSC::JSArrayBufferConstructor::finishCreation):
3356         * runtime/JSArrayBufferPrototype.cpp:
3357         (JSC::arrayBufferProtoFuncSlice):
3358         * runtime/JSDataView.cpp:
3359         (JSC::JSDataView::create):
3360         * runtime/JSDataViewPrototype.cpp:
3361         (JSC::getData):
3362         (JSC::setData):
3363         * runtime/JSGlobalObject.cpp:
3364         (JSC::JSGlobalObject::reset):
3365         * runtime/JSGlobalObjectFunctions.cpp:
3366         (JSC::globalFuncProtoSetter):
3367         * runtime/JSPromiseConstructor.cpp:
3368         (JSC::JSPromiseConstructor::finishCreation):
3369         * runtime/LiteralParser.cpp:
3370         (JSC::LiteralParser<CharType>::Lexer::lex):
3371         (JSC::LiteralParser<CharType>::Lexer::lexString):
3372         (JSC::LiteralParser<CharType>::parse):
3373         * runtime/LiteralParser.h:
3374         (JSC::LiteralParser::getErrorMessage):
3375         * runtime/TypeSet.cpp:
3376         (JSC::TypeSet::seenTypes):
3377         (JSC::TypeSet::displayName):
3378         (JSC::TypeSet::allPrimitiveTypeNames):
3379         (JSC::StructureShape::propertyHash):
3380         (JSC::StructureShape::stringRepresentation):
3381
3382 2014-08-29  Csaba Osztrogonác  <ossy@webkit.org>
3383
3384         Unreviewed, remove empty directories.
3385
3386         * qt: Removed.
3387
3388 2014-08-28  Mark Lam  <mark.lam@apple.com>
3389
3390         DebuggerCallFrame::scope() should return a DebuggerScope.
3391         <https://webkit.org/b/134420>
3392
3393         Reviewed by Geoffrey Garen.
3394
3395         Rolling back in r170680 with the fix for <https://webkit.org/b/135656>.
3396
3397         Previously, DebuggerCallFrame::scope() returned a JSActivation (and relevant
3398         peers) which the WebInspector would use to introspect CallFrame variables.
3399         Instead, we should be returning a DebuggerScope as an abstraction layer that
3400         provides the introspection functionality that the WebInspector needs.  This
3401         is the first step towards not forcing every frame to have a JSActivation
3402         object just because the debugger is enabled.
3403
3404         1. Instantiate the debuggerScopeStructure as a member of the JSGlobalObject
3405            instead of the VM.  This allows JSObject::globalObject() to be able to
3406            return the global object for the DebuggerScope.
3407
3408         2. On the DebuggerScope's life-cycle management:
3409
3410            The DebuggerCallFrame is designed to be "valid" only during a debugging session
3411            (while the debugger is broken) through the use of a DebuggerCallFrameScope in
3412            Debugger::pauseIfNeeded().  Once the debugger resumes from the break, the
3413            DebuggerCallFrameScope destructs, and the DebuggerCallFrame will be invalidated.
3414            We can't guarantee (from this code alone) that the Inspector code isn't still
3415            holding a ref to the DebuggerCallFrame (though they shouldn't), but by contract,
3416            the frame will be invalidated, and any attempt to query it will return null values.
3417            This is pre-existing behavior.
3418
3419            Now, we're adding the DebuggerScope into the picture.  While a single debugger
3420            pause session is in progress, the Inspector may request the scope from the
3421            DebuggerCallFrame.  While the DebuggerCallFrame is still valid, we want
3422            DebuggerCallFrame::scope() to always return the same DebuggerScope object.
3423            This is why we hold on to the DebuggerScope with a strong ref.
3424
3425            If we use a weak ref instead, the following kooky behavior can manifest:
3426            1. The Inspector calls Debugger::scope() to get the top scope.
3427            2. The Inspector iterates down the scope chain and is now only holding a
3428               reference to a parent scope.  It is no longer referencing the top scope.
3429            3. A GC occurs, and the DebuggerCallFrame's weak m_scope ref to the top scope
3430               gets cleared.
3431            4. The Inspector calls DebuggerCallFrame::scope() to get the top scope again but gets
3432               a different DebuggerScope instance.
3433            5. The Inspector iterates down the scope chain but never sees the parent scope
3434               instance that it retained a ref to in step 2 above.  This is because when iterating
3435               this new DebuggerScope instance (which has no knowledge of the previous parent
3436               DebuggerScope instance), a new DebuggerScope instance will get created for the
3437               same parent scope.
3438
3439            Since the DebuggerScope is a JSObject, its liveness is determined by its reachability.
3440            However, its "validity" is determined by the life-cycle of its owner DebuggerCallFrame.
3441            When the owner DebuggerCallFrame gets invalidated, its debugger scope chain (if
3442            instantiated) will also get invalidated.  This is why we need the
3443            DebuggerScope::invalidateChain() method.  The Inspector should not be using the
3444            DebuggerScope instance after its owner DebuggerCallFrame is invalidated.  If it does,
3445            those methods will do nothing or return a failed status.
3446
3447         Fix for <https://webkit.org/b/135656>:
3448         3. DebuggerScope::getOwnPropertySlot() and DebuggerScope::put() need to set
3449            m_thisValue in the returned slot to the wrapped scope object.  Previously,
3450            it was pointing to the DebuggerScope though the rest of the fields in the
3451            returned slot will be set to data pertaining to the wrapped scope object.
3452
3453         4. DebuggerScope::getOwnPropertySlot() will invoke getPropertySlot() on its
3454            wrapped scope.  This is because JSObject::getPropertySlot() cannot be
3455            overridden, and when called on a DebuggerScope, will not know to look in
3456            the prototype chain of the DebuggerScope's wrapped scope.  Hence, we'll
3457            treat all properties in the wrapped scope as own properties in the
3458            DebuggerScope.  This is fine because the WebInspector does not presently
3459            care about where in the prototype chain the scope property comes from.
3460
3461            Note that the DebuggerScope and the JSActivation objects that it wraps do
3462            not have prototypes.  They are always jsNull().  This works perfectly with
3463            the above change to use getPropertySlot() instead of getOwnPropertySlot().
3464            To make this an explicit invariant, I also changed DebuggerScope::createStructure()
3465            and JSActivation::createStructure() to not take a prototype argument, and
3466            to always use jsNull() for their prototype value.
3467
3468         * debugger/Debugger.h:
3469         * debugger/DebuggerCallFrame.cpp:
3470         (JSC::DebuggerCallFrame::scope):
3471         (JSC::DebuggerCallFrame::evaluate):
3472         (JSC::DebuggerCallFrame::invalidate):
3473         * debugger/DebuggerCallFrame.h:
3474         * debugger/DebuggerScope.cpp:
3475         (JSC::DebuggerScope::DebuggerScope):
3476         (JSC::DebuggerScope::finishCreation):
3477         (JSC::DebuggerScope::visitChildren):
3478         (JSC::DebuggerScope::className):
3479         (JSC::DebuggerScope::getOwnPropertySlot):
3480         (JSC::DebuggerScope::put):
3481         (JSC::DebuggerScope::deleteProperty):
3482         (JSC::DebuggerScope::getOwnPropertyNames):
3483         (JSC::DebuggerScope::defineOwnProperty):
3484         (JSC::DebuggerScope::next):
3485         (JSC::DebuggerScope::invalidateChain):
3486         (JSC::DebuggerScope::isWithScope):
3487         (JSC::DebuggerScope::isGlobalScope):
3488         (JSC::DebuggerScope::isFunctionOrEvalScope):
3489         * debugger/DebuggerScope.h:
3490         (JSC::DebuggerScope::create):
3491         (JSC::DebuggerScope::createStructure):
3492         (JSC::DebuggerScope::iterator::iterator):
3493         (JSC::DebuggerScope::iterator::get):
3494         (JSC::DebuggerScope::iterator::operator++):
3495         (JSC::DebuggerScope::iterator::operator==):
3496         (JSC::DebuggerScope::iterator::operator!=):
3497         (JSC::DebuggerScope::isValid):
3498         (JSC::DebuggerScope::jsScope):
3499         (JSC::DebuggerScope::begin):
3500         (JSC::DebuggerScope::end):
3501         * inspector/JSJavaScriptCallFrame.cpp:
3502         (Inspector::JSJavaScriptCallFrame::scopeType):
3503         (Inspector::JSJavaScriptCallFrame::scopeChain):
3504         * inspector/JavaScriptCallFrame.h:
3505         (Inspector::JavaScriptCallFrame::scopeChain):
3506         * inspector/ScriptDebugServer.cpp:
3507         * runtime/JSActivation.h:
3508         (JSC::JSActivation::createStructure):
3509         * runtime/JSGlobalObject.cpp:
3510         (JSC::JSGlobalObject::reset):
3511         (JSC::JSGlobalObject::visitChildren):
3512         * runtime/JSGlobalObject.h:
3513         (JSC::JSGlobalObject::debuggerScopeStructure):
3514         * runtime/JSObject.cpp:
3515         * runtime/JSObject.h:
3516         (JSC::JSObject::isWithScope):
3517         * runtime/JSScope.h:
3518         * runtime/PropertySlot.h:
3519         (JSC::PropertySlot::setThisValue):
3520         * runtime/PutPropertySlot.h:
3521         (JSC::PutPropertySlot::setThisValue):
3522         * runtime/VM.cpp:
3523         (JSC::VM::VM):
3524         * runtime/VM.h:
3525
3526 2014-08-28  Andreas Kling  <akling@apple.com>
3527
3528         Use JSString::toIdentifier() in more places.
3529         <https://webkit.org/b/136348>
3530
3531         Call sites that grab the WTF::String from a JSString using value() can
3532         use the more efficient toIdentifier() if the string is going to be used
3533         to construct an Identifier.
3534
3535         If the JSString is a rope that resolves to something that is already
3536         present in the VM's Identifier table, using toIdentifier() can avoid
3537         allocating a new StringImpl.
3538
3539         Reviewed by Geoffrey Garen.
3540
3541         * jit/JITOperations.cpp:
3542         * llint/LLIntSlowPaths.cpp:
3543         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3544         * runtime/CommonSlowPaths.cpp:
3545         (JSC::SLOW_PATH_DECL):
3546         * runtime/CommonSlowPaths.h:
3547         (JSC::CommonSlowPaths::opIn):
3548         * runtime/JSONObject.cpp:
3549         (JSC::Stringifier::Stringifier):
3550         * runtime/ObjectConstructor.cpp:
3551         (JSC::objectConstructorGetOwnPropertyDescriptor):
3552         (JSC::objectConstructorDefineProperty):
3553         * runtime/ObjectPrototype.cpp:
3554         (JSC::objectProtoFuncPropertyIsEnumerable):
3555
3556 2014-08-27  Filip Pizlo  <fpizlo@apple.com>
3557
3558         DFG should compute immediate dominators using the O(n log n) form of Lengauer and Tarjan's "A Fast Algorithm for Finding Dominators in a Flowgraph"
3559         https://bugs.webkit.org/show_bug.cgi?id=93361
3560
3561         Reviewed by Mark Hahnenberg.
3562         
3563         This patch also adds some new utilities for reasoning about block-keyed maps, block sets,
3564         and block worklists. It changes preexisting code to use these abstractions.
3565         
3566         The main effect of this code is that all current clients of dominators end up using the
3567         results of the new idom calculation. We convert the dom tree to a dominance test using
3568         Dietz's pre/post number range check trick.
3569
3570         * CMakeLists.txt:
3571         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3572         * JavaScriptCore.xcodeproj/project.pbxproj:
3573         * dfg/DFGAnalysis.h:
3574         (JSC::DFG::Analysis::computeIfNecessary):
3575         (JSC::DFG::Analysis::computeDependencies):
3576         * dfg/DFGBlockMap.h: Added.
3577         (JSC::DFG::BlockMap::BlockMap):
3578         (JSC::DFG::BlockMap::size):
3579         (JSC::DFG::BlockMap::atIndex):
3580         (JSC::DFG::BlockMap::operator[]):
3581         * dfg/DFGBlockMapInlines.h: Added.
3582         (JSC::DFG::BlockMap<T>::BlockMap):
3583         * dfg/DFGBlockSet.h: Added.
3584         (JSC::DFG::BlockSet::BlockSet):
3585         (JSC::DFG::BlockSet::add):
3586         (JSC::DFG::BlockSet::contains):
3587         * dfg/DFGBlockWorklist.cpp: Added.
3588         (JSC::DFG::BlockWorklist::BlockWorklist):
3589         (JSC::DFG::BlockWorklist::~BlockWorklist):
3590         (JSC::DFG::BlockWorklist::push):
3591         (JSC::DFG::BlockWorklist::pop):
3592         (JSC::DFG::PostOrderBlockWorklist::PostOrderBlockWorklist):
3593         (JSC::DFG::PostOrderBlockWorklist::~PostOrderBlockWorklist):
3594         (JSC::DFG::PostOrderBlockWorklist::pushPre):
3595         (JSC::DFG::PostOrderBlockWorklist::pushPost):
3596         (JSC::DFG::PostOrderBlockWorklist::pop):
3597         * dfg/DFGBlockWorklist.h: Added.
3598         (JSC::DFG::BlockWorklist::notEmpty):
3599         (JSC::DFG::BlockWith::BlockWith):
3600         (JSC::DFG::BlockWith::operator UnspecifiedBoolType*):
3601         (JSC::DFG::ExtendedBlockWorklist::ExtendedBlockWorklist):
3602         (JSC::DFG::ExtendedBlockWorklist::forcePush):
3603         (JSC::DFG::ExtendedBlockWorklist::push):
3604         (JSC::DFG::ExtendedBlockWorklist::notEmpty):
3605         (JSC::DFG::ExtendedBlockWorklist::pop):
3606         (JSC::DFG::BlockWithOrder::BlockWithOrder):
3607         (JSC::DFG::BlockWithOrder::operator UnspecifiedBoolType*):
3608         (JSC::DFG::PostOrderBlockWorklist::push):
3609         (JSC::DFG::PostOrderBlockWorklist::notEmpty):
3610         * dfg/DFGCSEPhase.cpp:
3611         * dfg/DFGDominators.cpp:
3612         (JSC::DFG::Dominators::compute):
3613         (JSC::DFG::Dominators::naiveDominates):
3614         (JSC::DFG::Dominators::dump):
3615         (JSC::DFG::Dominators::pruneDominators): Deleted.
3616         * dfg/DFGDominators.h:
3617         (JSC::DFG::Dominators::strictlyDominates):
3618         (JSC::DFG::Dominators::dominates):
3619         (JSC::DFG::Dominators::BlockData::BlockData):
3620         * dfg/DFGGraph.cpp:
3621         (JSC::DFG::Graph::dumpBlockHeader):
3622         (JSC::DFG::Graph::getBlocksInPreOrder):
3623         (JSC::DFG::Graph::getBlocksInPostOrder):
3624         * dfg/DFGInvalidationPointInjectionPhase.cpp:
3625         (JSC::DFG::InvalidationPointInjectionPhase::run):
3626         * dfg/DFGNaiveDominators.cpp: Added.
3627         (JSC::DFG::NaiveDominators::NaiveDominators):
3628         (JSC::DFG::NaiveDominators::~NaiveDominators):
3629         (JSC::DFG::NaiveDominators::compute):
3630         (JSC::DFG::NaiveDominators::pruneDominators):
3631         (JSC::DFG::NaiveDominators::dump):
3632         * dfg/DFGNaiveDominators.h: Added.
3633         (JSC::DFG::NaiveDominators::dominates):
3634         * dfg/DFGNaturalLoops.cpp:
3635         (JSC::DFG::NaturalLoops::computeDependencies):
3636         (JSC::DFG::NaturalLoops::compute):
3637         * dfg/DFGNaturalLoops.h:
3638
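Worked example (added here; not WebKit's code) of the dominance test the entry above describes: compute the immediate-dominator tree, give it DFS pre/post numbers, and answer dominates(a, b) with Dietz's range check. The idoms come from the iterative Cooper-Harvey-Kennedy algorithm rather than Lengauer-Tarjan (same tree, but short enough to show here), and the O(1) query is cross-checked against a naive reachability oracle in the spirit of the entry's naiveDominates. The CFG, its block numbering, and every type and function name below are the example's own assumptions.

```cpp
#include <algorithm>
#include <functional>
#include <vector>
// Constructed example, not WebKit code. Blocks are ints; block 0 is the entry.
struct CFG {
    std::vector<std::vector<int>> succ, pred;
    explicit CFG(int n) : succ(n), pred(n) {}
    void addEdge(int from, int to) { succ[from].push_back(to); pred[to].push_back(from); }
    int size() const { return static_cast<int>(succ.size()); }
};

// Dom tree plus DFS pre/post numbers of it (Dietz's trick): a dominates b iff b's [pre, post] interval nests inside a's.
struct Dominators {
    std::vector<int> idom, preNumber, postNumber;
    bool dominates(int a, int b) const {
        return preNumber[a] <= preNumber[b] && postNumber[b] <= postNumber[a];
    }
};

// Reverse post-order of the CFG; the iterative idom algorithm converges quickly on it.
static std::vector<int> reversePostOrder(const CFG& g) {
    std::vector<int> order;
    std::vector<bool> seen(g.size(), false);
    std::function<void(int)> dfs = [&](int b) {
        seen[b] = true;
        for (int s : g.succ[b]) if (!seen[s]) dfs(s);
        order.push_back(b);
    };
    dfs(0);
    std::reverse(order.begin(), order.end());
    return order;
}

Dominators computeDominators(const CFG& g) {
    const int n = g.size();
    const std::vector<int> rpo = reversePostOrder(g);
    std::vector<int> rpoIndex(n, -1), idom(n, -1);
    for (int i = 0; i < static_cast<int>(rpo.size()); ++i) rpoIndex[rpo[i]] = i;
    // Immediate dominators via the Cooper-Harvey-Kennedy iterative algorithm (a simpler stand-in for Lengauer-Tarjan; same idom tree).
    idom[0] = 0;
    auto intersect = [&](int a, int b) {
        while (a != b) {
            while (rpoIndex[a] > rpoIndex[b]) a = idom[a];
            while (rpoIndex[b] > rpoIndex[a]) b = idom[b];
        }
        return a;
    };
    for (bool changed = true; changed;) {
        changed = false;
        for (int b : rpo) {
            if (b == 0) continue;
            int candidate = -1;
            for (int p : g.pred[b]) {
                if (idom[p] == -1) continue; // predecessor not yet processed, or unreachable
                candidate = candidate == -1 ? p : intersect(p, candidate);
            }
            if (idom[b] != candidate) { idom[b] = candidate; changed = true; }
        }
    }
    // Build the dom-tree children lists and number the tree with one DFS.
    std::vector<std::vector<int>> children(n);
    for (int b : rpo) if (b != 0) children[idom[b]].push_back(b);
    Dominators d{idom, std::vector<int>(n, -1), std::vector<int>(n, -1)};
    int counter = 0;
    std::function<void(int)> number = [&](int b) {
        d.preNumber[b] = counter++;
        for (int c : children[b]) number(c);
        d.postNumber[b] = counter++;
    };
    number(0);
    return d;
}

// Naive oracle: a dominates b iff b is unreachable from the entry once a is removed.
bool naiveDominates(const CFG& g, int a, int b) {
    if (a == b || a == 0) return true;
    std::vector<bool> seen(g.size(), false);
    std::vector<int> work{0}; seen[0] = true;
    while (!work.empty()) {
        int cur = work.back(); work.pop_back();
        for (int s : g.succ[cur])
            if (s != a && !seen[s]) { seen[s] = true; work.push_back(s); }
    }
    return !seen[b];
}

// Cross-check: the O(1) range test must agree with the oracle on every (a, b) pair.
bool agreesWithNaive(const CFG& g) {
    Dominators d = computeDominators(g);
    for (int a = 0; a < g.size(); ++a)
        for (int b = 0; b < g.size(); ++b)
            if (d.dominates(a, b) != naiveDominates(g, a, b)) return false;
    return true;
}
// Constructed CFG: diamond 0->{1,2}->3, loop 3->4->1, exit 4->5.
CFG sampleGraph() {
    CFG g(6);
    g.addEdge(0, 1); g.addEdge(0, 2); g.addEdge(1, 3); g.addEdge(2, 3);
    g.addEdge(3, 4); g.addEdge(4, 1); g.addEdge(4, 5);
    return g;
}
```

On the sample graph the idom tree is 0 -> {1, 2, 3}, 3 -> 4, 4 -> 5, so block 3 dominates 5 while neither 1 nor 2 dominates 3 (the diamond merges there). The pre/post interval check is what makes each dominates() query constant time once the tree is numbered; the oracle exists only to catch a wrong tree.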
3639 2014-08-27  Filip Pizlo  <fpizlo@apple.com>
3640
3641         FTL should be able to do polymorphic call inlining
3642         https://bugs.webkit.org/show_bug.cgi?id=135145
3643
3644         Reviewed by Geoffrey Garen.
3645         
3646         Added a log-based high-fidelity call edge profiler that runs in DFG JIT (and optionally
3647         baseline JIT) code. Used it to do precise polymorphic inlining in the FTL. Potential
3648         inlining sites use the call edge profile if it is available, but they will still fall back
3649         on the call inline cache and rare case counts if it's not. Polymorphic inlining means that
3650         multiple possible callees can be inlined with a switch to guard them. The slow path may
3651         either be an OSR exit or a virtual call.
3652         
3653         The call edge profiling added in this patch is very precise - it will tell you about every
3654         call that has ever happened. It took some effort to reduce the overhead of this profiling.
3655         This mostly involved ensuring that we don't do it unnecessarily. For example, we avoid it
3656         in the baseline JIT (you can conditionally enable it but it's off by default) and we only do
3657         it in the DFG JIT if we know that the regular inline cache profiling wasn't precise enough.
3658         I also experimented with reducing the precision of the profiling. This led to a significant
3659         reduction in the speed-up, so I avoided this approach. I also explored making log processing
3660         concurrent, but that didn't help. Also, I tested the overhead of the log processing and
3661         found that most of the overhead of this profiling is actually in putting things into the log
3662         rather than in processing the log - that part appears to be surprisingly cheap.
3663         
3664         Polymorphic inlining could be enabled in the DFG if we enabled baseline call edge profiling,
3665         and if we guarded such inlining sites with some profiling mechanism to detect
3666         polyvariant monomorphisation opportunities (where the callsite being inlined reveals that
3667         it's actually monomorphic).
3668         
3669         This is a ~28% speed-up on deltablue and a ~7% speed-up on richards, with small speed-ups on
3670         other programs as well. It's about a 2% speed-up on Octane version 2, and never a regression
3671         on anything we care about. Some aggregates, like V8Spider, see a regression. This is
3672         highlighting the increase in profiling overhead. But since this doesn't show up on any major
3673         score (code-load or SunSpider), it's probably not relevant.
3674         
3675         Relanding after fixing debug assertions in fast/storage/serialized-script-value.html.
3676
3677         * CMakeLists.txt:
3678         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3679         * JavaScriptCore.xcodeproj/project.pbxproj:
3680         * bytecode/CallEdge.cpp: Added.
3681         (JSC::CallEdge::dump):
3682         * bytecode/CallEdge.h: Added.
3683         (JSC::CallEdge::operator!):
3684         (JSC::CallEdge::callee):
3685         (JSC::CallEdge::count):
3686         (JSC::CallEdge::despecifiedClosure):
3687         (JSC::CallEdge::CallEdge):
3688         * bytecode/CallEdgeProfile.cpp: Added.
3689         (JSC::CallEdgeProfile::callEdges):
3690         (JSC::CallEdgeProfile::numCallsToKnownCells):
3691         (JSC::worthDespecifying):
3692         (JSC::CallEdgeProfile::worthDespecifying):
3693         (JSC::CallEdgeProfile::visitWeak):
3694         (JSC::CallEdgeProfile::addSlow):
3695         (JSC::CallEdgeProfile::mergeBack):
3696         (JSC::CallEdgeProfile::fadeByHalf):
3697         (JSC::CallEdgeLog::CallEdgeLog):
3698         (JSC::CallEdgeLog::~CallEdgeLog):
3699         (JSC::CallEdgeLog::isEnabled):
3700         (JSC::operationProcessCallEdgeLog):
3701         (JSC::CallEdgeLog::emitLogCode):
3702         (JSC::CallEdgeLog::processLog):
3703         * bytecode/CallEdgeProfile.h: Added.
3704         (JSC::CallEdgeProfile::numCallsToNotCell):
3705         (JSC::CallEdgeProfile::numCallsToUnknownCell):
3706         (JSC::CallEdgeProfile::totalCalls):
3707         * bytecode/CallEdgeProfileInlines.h: Added.
3708         (JSC::CallEdgeProfile::CallEdgeProfile):
3709         (JSC::CallEdgeProfile::add):
3710         * bytecode/CallLinkInfo.cpp:
3711         (JSC::CallLinkInfo::visitWeak):
3712         * bytecode/CallLinkInfo.h:
3713         * bytecode/CallLinkStatus.cpp:
3714         (JSC::CallLinkStatus::CallLinkStatus):
3715         (JSC::CallLinkStatus::computeFromLLInt):
3716         (JSC::CallLinkStatus::computeFor):
3717         (JSC::CallLinkStatus::computeExitSiteData):
3718         (JSC::CallLinkStatus::computeFromCallLinkInfo):
3719         (JSC::CallLinkStatus::computeFromCallEdgeProfile):
3720         (JSC::CallLinkStatus::computeDFGStatuses):
3721         (JSC::CallLinkStatus::isClosureCall):
3722         (JSC::CallLinkStatus::makeClosureCall):
3723         (JSC::CallLinkStatus::dump):
3724         (JSC::CallLinkStatus::function): Deleted.
3725         (JSC::CallLinkStatus::internalFunction): Deleted.
3726         (JSC::CallLinkStatus::intrinsicFor): Deleted.
3727         * bytecode/CallLinkStatus.h:
3728         (JSC::CallLinkStatus::CallLinkStatus):
3729         (JSC::CallLinkStatus::isSet):
3730         (JSC::CallLinkStatus::couldTakeSlowPath):
3731         (JSC::CallLinkStatus::edges):
3732         (JSC::CallLinkStatus::size):
3733         (JSC::CallLinkStatus::at):
3734         (JSC::CallLinkStatus::operator[]):
3735         (JSC::CallLinkStatus::canOptimize):
3736         (JSC::CallLinkStatus::canTrustCounts):
3737         (JSC::CallLinkStatus::isClosureCall): Deleted.
3738         (JSC::CallLinkStatus::callTarget): Deleted.
3739         (JSC::CallLinkStatus::executable): Deleted.
3740         (JSC::CallLinkStatus::makeClosureCall): Deleted.
3741         * bytecode/CallVariant.cpp: Added.
3742         (JSC::CallVariant::dump):
3743         * bytecode/CallVariant.h: Added.
3744         (JSC::CallVariant::CallVariant):
3745         (JSC::CallVariant::operator!):
3746         (JSC::CallVariant::despecifiedClosure):
3747         (JSC::CallVariant::rawCalleeCell):
3748         (JSC::CallVariant::internalFunction):
3749         (JSC::CallVariant::function):
3750         (JSC::CallVariant::isClosureCall):
3751         (JSC::CallVariant::executable):
3752         (JSC::CallVariant::nonExecutableCallee):
3753         (JSC::CallVariant::intrinsicFor):
3754         (JSC::CallVariant::functionExecutable):
3755         (JSC::CallVariant::isHashTableDeletedValue):
3756         (JSC::CallVariant::operator==):
3757         (JSC::CallVariant::operator!=):
3758         (JSC::CallVariant::operator<):
3759         (JSC::CallVariant::operator>):
3760         (JSC::CallVariant::operator<=):
3761         (JSC::CallVariant::operator>=):
3762         (JSC::CallVariant::hash):
3763         (JSC::CallVariant::deletedToken):
3764         (JSC::CallVariantHash::hash):
3765         (JSC::CallVariantHash::equal):
3766         * bytecode/CodeOrigin.h:
3767         (JSC::InlineCallFrame::isNormalCall):
3768         * bytecode/ExitKind.cpp:
3769         (JSC::exitKindToString):
3770         * bytecode/ExitKind.h:
3771         * bytecode/GetByIdStatus.cpp:
3772         (JSC::GetByIdStatus::computeForStubInfo):
3773         * bytecode/PutByIdStatus.cpp:
3774         (JSC::PutByIdStatus::computeForStubInfo):
3775         * dfg/DFGAbstractInterpreterInlines.h:
3776         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3777         * dfg/DFGBackwardsPropagationPhase.cpp:
3778         (JSC::DFG::BackwardsPropagationPhase::propagate):
3779         * dfg/DFGBasicBlock.cpp:
3780         (JSC::DFG::BasicBlock::~BasicBlock):
3781         * dfg/DFGBasicBlock.h:
3782         (JSC::DFG::BasicBlock::takeLast):
3783         (JSC::DFG::BasicBlock::didLink):
3784         * dfg/DFGByteCodeParser.cpp:
3785         (JSC::DFG::ByteCodeParser::processSetLocalQueue):
3786         (JSC::DFG::ByteCodeParser::removeLastNodeFromGraph):
3787         (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
3788         (JSC::DFG::ByteCodeParser::addCall):
3789         (JSC::DFG::ByteCodeParser::handleCall):
3790         (JSC::DFG::ByteCodeParser::emitFunctionChecks):
3791         (JSC::DFG::ByteCodeParser::undoFunctionChecks):
3792         (JSC::DFG::ByteCodeParser::inliningCost):
3793         (JSC::DFG::ByteCodeParser::inlineCall):
3794         (JSC::DFG::ByteCodeParser::cancelLinkingForBlock):
3795         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
3796         (JSC::DFG::ByteCodeParser::handleInlining):
3797         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
3798         (JSC::DFG::ByteCodeParser::prepareToParseBlock):
3799         (JSC::DFG::ByteCodeParser::clearCaches):
3800         (JSC::DFG::ByteCodeParser::parseBlock):
3801         (JSC::DFG::ByteCodeParser::linkBlock):
3802         (JSC::DFG::ByteCodeParser::linkBlocks):
3803         (JSC::DFG::ByteCodeParser::parseCodeBlock):
3804         * dfg/DFGCPSRethreadingPhase.cpp:
3805         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
3806         * dfg/DFGClobberize.h:
3807         (JSC::DFG::clobberize):
3808         * dfg/DFGCommon.h:
3809         * dfg/DFGConstantFoldingPhase.cpp:
3810         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3811         * dfg/DFGDoesGC.cpp:
3812         (JSC::DFG::doesGC):
3813         * dfg/DFGDriver.cpp:
3814         (JSC::DFG::compileImpl):
3815         * dfg/DFGFixupPhase.cpp:
3816         (JSC::DFG::FixupPhase::fixupNode):
3817         * dfg/DFGGraph.cpp:
3818         (JSC::DFG::Graph::dump):
3819         (JSC::DFG::Graph::getBlocksInPreOrder):
3820         (JSC::DFG::Graph::visitChildren):
3821         * dfg/DFGJITCompiler.cpp:
3822         (JSC::DFG::JITCompiler::link):
3823         * dfg/DFGLazyJSValue.cpp:
3824         (JSC::DFG::LazyJSValue::switchLookupValue):
3825         * dfg/DFGLazyJSValue.h:
3826         (JSC::DFG::LazyJSValue::switchLookupValue): Deleted.
3827         * dfg/DFGNode.cpp:
3828         (WTF::printInternal):
3829         * dfg/DFGNode.h:
3830         (JSC::DFG::OpInfo::OpInfo):
3831         (JSC::DFG::Node::hasHeapPrediction):
3832         (JSC::DFG::Node::hasCellOperand):
3833         (JSC::DFG::Node::cellOperand):
3834         (JSC::DFG::Node::setCellOperand):
3835         (JSC::DFG::Node::canBeKnownFunction): Deleted.
3836         (JSC::DFG::Node::hasKnownFunction): Deleted.
3837         (JSC::DFG::Node::knownFunction): Deleted.
3838         (JSC::DFG::Node::giveKnownFunction): Deleted.
3839         (JSC::DFG::Node::hasFunction): Deleted.
3840         (JSC::DFG::Node::function): Deleted.
3841         (JSC::DFG::Node::hasExecutable): Deleted.
3842         (JSC::DFG::Node::executable): Deleted.
3843         * dfg/DFGNodeType.h:
3844         * dfg/DFGPhantomCanonicalizationPhase.cpp:
3845         (JSC::DFG::PhantomCanonicalizationPhase::run):
3846         * dfg/DFGPhantomRemovalPhase.cpp:
3847         (JSC::DFG::PhantomRemovalPhase::run):
3848         * dfg/DFGPredictionPropagationPhase.cpp:
3849         (JSC::DFG::PredictionPropagationPhase::propagate):
3850         * dfg/DFGSafeToExecute.h:
3851         (JSC::DFG::safeToExecute):
3852         * dfg/DFGSpeculativeJIT.cpp:
3853         (JSC::DFG::SpeculativeJIT::emitSwitch):
3854         * dfg/DFGSpeculativeJIT32_64.cpp:
3855         (JSC::DFG::SpeculativeJIT::emitCall):
3856         (JSC::DFG::SpeculativeJIT::compile):
3857         * dfg/DFGSpeculativeJIT64.cpp:
3858         (JSC::DFG::SpeculativeJIT::emitCall):
3859         (JSC::DFG::SpeculativeJIT::compile):
3860         * dfg/DFGStructureRegistrationPhase.cpp:
3861         (JSC::DFG::StructureRegistrationPhase::run):
3862         * dfg/DFGTierUpCheckInjectionPhase.cpp:
3863         (JSC::DFG::TierUpCheckInjectionPhase::run):
3864         (JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling):
3865         * dfg/DFGValidate.cpp:
3866         (JSC::DFG::Validate::validate):
3867         * dfg/DFGWatchpointCollectionPhase.cpp:
3868         (JSC::DFG::WatchpointCollectionPhase::handle):
3869         * ftl/FTLCapabilities.cpp:
3870         (JSC::FTL::canCompile):
3871         * ftl/FTLLowerDFGToLLVM.cpp:
3872         (JSC::FTL::ftlUnreachable):
3873         (JSC::FTL::LowerDFGToLLVM::lower):
3874         (JSC::FTL::LowerDFGToLLVM::compileNode):
3875         (JSC::FTL::LowerDFGToLLVM::compileCheckCell):
3876         (JSC::FTL::LowerDFGToLLVM::compileCheckBadCell):
3877         (JSC::FTL::LowerDFGToLLVM::compileGetExecutable):
3878         (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
3879         (JSC::FTL::LowerDFGToLLVM::compileSwitch):
3880         (JSC::FTL::LowerDFGToLLVM::buildSwitch):
3881         (JSC::FTL::LowerDFGToLLVM::compileCheckFunction): Deleted.
3882         (JSC::FTL::LowerDFGToLLVM::compileCheckExecutable): Deleted.
3883         * heap/Heap.cpp:
3884         (JSC::Heap::collect):
3885         * jit/AssemblyHelpers.h:
3886         (JSC::AssemblyHelpers::storeValue):
3887         (JSC::AssemblyHelpers::loadValue):
3888         * jit/CCallHelpers.h:
3889         (JSC::CCallHelpers::setupArguments):
3890         * jit/GPRInfo.h:
3891         (JSC::JSValueRegs::uses):
3892         * jit/JITCall.cpp:
3893         (JSC::JIT::compileOpCall):
3894         * jit/JITCall32_64.cpp:
3895         (JSC::JIT::compileOpCall):
3896         * runtime/Options.h:
3897         * runtime/VM.cpp:
3898         (JSC::VM::ensureCallEdgeLog):
3899         * runtime/VM.h:
3900         * tests/stress/fold-profiled-call-to-call.js: Added. This test pinpoints the problem we saw in fast/storage/serialized-script-value.html.
3901         * tests/stress/new-array-then-exit.js: Added.
3902         * tests/stress/poly-call-exit-this.js: Added.