Fix cloop build.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2014-10-06  Oliver Hunt  <oliver@apple.com>
2
3         Fix cloop build
4
5         * interpreter/Interpreter.cpp:
6         (JSC::unwindCallFrame):
7
8 2014-10-06  Mark Lam  <mark.lam@apple.com>
9
10         Unreviewed build fix.
11         <https://webkit.org/b/137279>
12
13         * jit/CCallHelpers.h:
14         (JSC::CCallHelpers::setupArgumentsWithExecState):
15
16 2014-10-06  Oliver Hunt  <oliver@apple.com>
17
18         REGRESSION(r174226): [JSC] Crash when running the perf test Speedometer/Full.html
19         https://bugs.webkit.org/show_bug.cgi?id=137404
20
21         Reviewed by Michael Saboff.
22
23         Update the Arguments object to recognise that it must always have an
24         environment record if the referenced callee has one, and if such is not
25         present it should not try to extract one from the callframe, as that
26         path leads to madness.
27
28         Happily this makes some of the other code more sensible, and removes a
29         bunch of unnecessary and icky logic.
30
31         * interpreter/Interpreter.cpp:
32         (JSC::unwindCallFrame):
33         * jit/JITOperations.cpp:
34         * llint/LLIntSlowPaths.cpp:
35         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
36         * runtime/Arguments.cpp:
37         (JSC::Arguments::tearOff):
38         (JSC::Arguments::didTearOffActivation): Deleted.
39         * runtime/Arguments.h:
40         (JSC::Arguments::argument):
41         (JSC::Arguments::finishCreation):
42
43 2014-10-04  Brian J. Burg  <burg@cs.washington.edu>
44
45         Unreviewed, rolling out r174319.
46
47         Causes assertions in fast/profiler tests. Needs nontrivial
48         investigation, will take offline.
49
50         Reverted changeset:
51
52         "Web Inspector: timelines should not count time elapsed while
53         paused in the debugger"
54         https://bugs.webkit.org/show_bug.cgi?id=136351
55         http://trac.webkit.org/changeset/174319
56
57 2014-10-04  Brian J. Burg  <burg@cs.washington.edu>
58
59         Web Inspector: timelines should not count time elapsed while paused in the debugger
60         https://bugs.webkit.org/show_bug.cgi?id=136351
61
62         Reviewed by Timothy Hatcher.
63
64         Now that we have a stopwatch to provide pause-aware timing data, we can remove the
65         profiler's handling of debugger pause/continue callbacks. The timeline agent accounts
66         for debugger pauses by pausing and resuming the stopwatch.
67
68         * API/JSProfilerPrivate.cpp:
69         (JSStartProfiling): Use a fresh stopwatch when profiling from the JSC API.
70         * inspector/ScriptDebugServer.cpp:
71         (Inspector::ScriptDebugServer::handlePause):
72         * profiler/LegacyProfiler.cpp:
73         (JSC::LegacyProfiler::profiler): Use nullptr.
74         (JSC::LegacyProfiler::startProfiling): Hand off a stopwatch to the profile generator.
75         (JSC::LegacyProfiler::stopProfiling): Use nullptr.
76         (JSC::LegacyProfiler::didPause): Deleted.
77         (JSC::LegacyProfiler::didContinue): Deleted.
78         * profiler/LegacyProfiler.h:
79         * profiler/ProfileGenerator.cpp: Remove debugger pause/continue callbacks and the
80         timestamp member that was used to track time elapsed by the debugger. Just use the
81         stopwatch's elapsed times to generate start/elapsed times for function calls.
82         (JSC::ProfileGenerator::create):
83         (JSC::ProfileGenerator::ProfileGenerator):
84         (JSC::ProfileGenerator::beginCallEntry):
85         (JSC::ProfileGenerator::endCallEntry):
86         (JSC::ProfileGenerator::didPause): Deleted.
87         (JSC::ProfileGenerator::didContinue): Deleted.
88         * profiler/ProfileGenerator.h:
89
90 2014-10-04  Filip Pizlo  <fpizlo@apple.com>
91
92         FTL should sink PutLocals
93         https://bugs.webkit.org/show_bug.cgi?id=137168
94
95         Reviewed by Oliver Hunt.
96         
97         We've known for a while that our PutLocal situation was sub-optimal. We emit them anytime we
98         "pass" arguments to an inlined function call, because we need to enable the runtime to grab
99         those arguments when doing foo.arguments where foo is inlined: our engine doesn't deoptimize
100         in that case but rather just relies on the arguments being flushed (i.e. a copy of their
101         values is spilled) at a well-known place in a well-known format.
102         
103         The PutLocals incur two costs: (1) they are store instructions and stores ain't free, and (2)
104         they look like escaping sites and so they inhibit object allocation sinking.
105         
106         But in most cases, the PutLocals are unnecessary because the inlined code never performs any
107         side effect that could transitively lead to function.arguments. Even if the inlined code
108         could do such a side effect, it may be on a rare path so there is no need to penalize the
109         entire function.
110         
111         This patch implements one solution to the PutLocal problem: it aggressively sinks PutLocals
112         to the latest possible point. This is even more aggressive than the object allocation
113         sinking. That sinking algorithm avoids creating situations where an object could be
114         materialized more than once along any path. PutLocal sinking, on the other hand, doesn't avoid
115         this at all - both to make the phase cheaper and simpler and to make it more aggressive.
116         Every PutLocal is sunk no matter what.
117         
118         The upside of this patch is that it eliminates many PutLocals: many of them are sunk "past
119         their death", thus eliminating them completely. Others are sunk to rare paths. This enables a
120         lot of object allocation sinking and it removes a lot of pointless store instructions.
121         
122         It also has downsides. Sinking PutLocals increases register pressure because it increases the
123         live ranges of things like inlined arguments.
124         
125         This patch is a net performance win in its current form: 1% SunSpider regression, 2% OctaneV2
126         progression, 0.6% Kraken regression, 1% AsmBench progression, and 0.5% CompressionBench
127         regression. The biggest win is on Octane/raytrace, which improves by 27%.
128         
129         Relanding after fixing internal builds. We have to be careful about implicit casts from int64
130         to int32.
131
132         * CMakeLists.txt:
133         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
134         * JavaScriptCore.xcodeproj/project.pbxproj:
135         * bytecode/CodeBlock.h:
136         * bytecode/Operands.h:
137         (JSC::Operands::dump): Deleted.
138         * bytecode/OperandsInlines.h:
139         (JSC::Traits>::dump):
140         * bytecode/VirtualRegister.h:
141         (JSC::VirtualRegister::isHeader):
142         * dfg/DFGByteCodeParser.cpp:
143         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
144         * dfg/DFGClobberSet.h:
145         (JSC::DFG::ClobberSetAdd::operator()):
146         (JSC::DFG::ClobberSetOverlaps::operator()):
147         * dfg/DFGClobberize.h:
148         (JSC::DFG::clobberize):
149         (JSC::DFG::NoOpClobberize::operator()):
150         (JSC::DFG::CheckClobberize::operator()):
151         (JSC::DFG::AbstractHeapOverlaps::operator()):
152         (JSC::DFG::ReadMethodClobberize::operator()):
153         (JSC::DFG::WriteMethodClobberize::operator()):
154         (JSC::DFG::DefMethodClobberize::operator()):
155         * dfg/DFGFlushFormat.h:
156         (JSC::DFG::merge):
157         * dfg/DFGGraph.cpp:
158         (JSC::DFG::Graph::Graph):
159         * dfg/DFGGraph.h:
160         (JSC::DFG::Graph::capturedVarsFor):
161         * dfg/DFGObjectAllocationSinkingPhase.cpp:
162         (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints):
163         (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints):
164         * dfg/DFGPlan.cpp:
165         (JSC::DFG::Plan::compileInThreadImpl):
166         * dfg/DFGPreciseLocalClobberize.h: Added.
167         (JSC::DFG::PreciseLocalClobberizeAdaptor::PreciseLocalClobberizeAdaptor):
168         (JSC::DFG::PreciseLocalClobberizeAdaptor::read):
169         (JSC::DFG::PreciseLocalClobberizeAdaptor::write):
170         (JSC::DFG::PreciseLocalClobberizeAdaptor::def):
171         (JSC::DFG::PreciseLocalClobberizeAdaptor::callIfAppropriate):
172         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
173         (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop):
174         (JSC::DFG::forEachLocalReadByUnwind):
175         (JSC::DFG::preciseLocalClobberize):
176         * dfg/DFGPutLocalSinkingPhase.cpp: Added.
177         (JSC::DFG::performPutLocalSinking):
178         * dfg/DFGPutLocalSinkingPhase.h: Added.
179         * dfg/DFGSSACalculator.h:
180         (JSC::DFG::SSACalculator::computePhis):
181         * dfg/DFGValidate.cpp:
182
183 2014-10-03  Michael Saboff  <msaboff@apple.com>
184
185         REGRESSION(r174216): CodeBlock::dumpByteCodes crashes on op_push_name_scope
186         https://bugs.webkit.org/show_bug.cgi?id=137412
187
188         Reviewed by Mark Lam.
189
190         Added support for the JSNameScope::type opcode parameter in dumpBytecode().
191
192         * bytecode/CodeBlock.cpp:
193         (JSC::CodeBlock::dumpBytecode):
194
195 2014-10-03  Saam Barati  <saambarati1@gmail.com>
196
197         Implement op_profile_type in the 32-bit baseline JIT
198         https://bugs.webkit.org/show_bug.cgi?id=137181
199
200         Reviewed by Michael Saboff.
201
202         Generate inline code to write to the TypeProfilerLog inside the 32-bit 
203         baseline JIT instead of unconditionally bailing out to the slow path 
204         for op_profile_type.
205
206         * jit/JITOpcodes32_64.cpp:
207         (JSC::JIT::emit_op_profile_type):
208
209 2014-10-03  Commit Queue  <commit-queue@webkit.org>
210
211         Unreviewed, rolling out r174275.
212         https://bugs.webkit.org/show_bug.cgi?id=137408
213
214         Build failures on the internal bots. (Requested by dethbakin
215         on #webkit).
216
217         Reverted changeset:
218
219         "FTL should sink PutLocals"
220         https://bugs.webkit.org/show_bug.cgi?id=137168
221         http://trac.webkit.org/changeset/174275
222
223 2014-10-03  Oliver Hunt  <oliver@apple.com>
224
225         tearoff_arguments should always refer to the unmodified arguments register
226         https://bugs.webkit.org/show_bug.cgi?id=137406
227
228         Reviewed by Michael Saboff.
229
230         To simplify subsequent work, and remove unnecessary work from
231         actual execution this patch simply ensures that tear_off_arguments
232         refers to the actual unmodified arguments register.
233
234         * bytecompiler/BytecodeGenerator.cpp:
235         (JSC::BytecodeGenerator::emitReturn):
236         * dfg/DFGByteCodeParser.cpp:
237         (JSC::DFG::ByteCodeParser::parseBlock):
238         * jit/JITOpcodes.cpp:
239         (JSC::JIT::emit_op_tear_off_arguments):
240         * jit/JITOpcodes32_64.cpp:
241         (JSC::JIT::emit_op_tear_off_arguments):
242         * llint/LLIntSlowPaths.cpp:
243         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
244         * llint/LowLevelInterpreter32_64.asm:
245         * llint/LowLevelInterpreter64.asm:
246
247 2014-10-03  Saam Barati  <saambarati1@gmail.com>
248
249         Web Inspector: Move the computation that results in UI strings from JSC to the Web Inspector
250         https://bugs.webkit.org/show_bug.cgi?id=137295
251
252         Reviewed by Timothy Hatcher.
253
254         Remove unnecessary functions and properties from JSC that are
255         now being computed inside the Web Inspector. 
256
257         * inspector/agents/InspectorRuntimeAgent.cpp:
258         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
259         * inspector/protocol/Runtime.json:
260         * runtime/TypeSet.cpp:
261         (JSC::TypeSet::allPrimitiveTypeNames): Deleted.
262         * runtime/TypeSet.h:
263
264 2014-10-02  Filip Pizlo  <fpizlo@apple.com>
265
266         FTL should sink PutLocals
267         https://bugs.webkit.org/show_bug.cgi?id=137168
268
269         Reviewed by Oliver Hunt.
270         
271         We've known for a while that our PutLocal situation was sub-optimal. We emit them anytime we
272         "pass" arguments to an inlined function call, because we need to enable the runtime to grab
273         those arguments when doing foo.arguments where foo is inlined: our engine doesn't deoptimize
274         in that case but rather just relies on the arguments being flushed (i.e. a copy of their
275         values is spilled) at a well-known place in a well-known format.
276         
277         The PutLocals incur two costs: (1) they are store instructions and stores ain't free, and (2)
278         they look like escaping sites and so they inhibit object allocation sinking.
279         
280         But in most cases, the PutLocals are unnecessary because the inlined code never performs any
281         side effect that could transitively lead to function.arguments. Even if the inlined code
282         could do such a side effect, it may be on a rare path so there is no need to penalize the
283         entire function.
284         
285         This patch implements one solution to the PutLocal problem: it aggressively sinks PutLocals
286         to the latest possible point. This is even more aggressive than the object allocation
287         sinking. That sinking algorithm avoids creating situations where an object could be
288         materialized more than once along any path. PutLocal sinking, on the other hand, doesn't avoid
289         this at all - both to make the phase cheaper and simpler and to make it more aggressive.
290         Every PutLocal is sunk no matter what.
291         
292         The upside of this patch is that it eliminates many PutLocals: many of them are sunk "past
293         their death", thus eliminating them completely. Others are sunk to rare paths. This enables a
294         lot of object allocation sinking and it removes a lot of pointless store instructions.
295         
296         It also has downsides. Sinking PutLocals increases register pressure because it increases the
297         live ranges of things like inlined arguments.
298         
299         This patch is a net performance win in its current form: 1% SunSpider regression, 2% OctaneV2
300         progression, 0.6% Kraken regression, 1% AsmBench progression, and 0.5% CompressionBench
301         regression. The biggest win is on Octane/raytrace, which improves by 27%.
302
303         * CMakeLists.txt:
304         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
305         * JavaScriptCore.xcodeproj/project.pbxproj:
306         * bytecode/CodeBlock.h:
307         * bytecode/Operands.h:
308         (JSC::Operands::dump): Deleted.
309         * bytecode/OperandsInlines.h:
310         (JSC::Traits>::dump):
311         * bytecode/VirtualRegister.h:
312         (JSC::VirtualRegister::isHeader):
313         * dfg/DFGByteCodeParser.cpp:
314         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
315         * dfg/DFGClobberSet.h:
316         (JSC::DFG::ClobberSetAdd::operator()):
317         (JSC::DFG::ClobberSetOverlaps::operator()):
318         * dfg/DFGClobberize.h:
319         (JSC::DFG::clobberize):
320         (JSC::DFG::NoOpClobberize::operator()):
321         (JSC::DFG::CheckClobberize::operator()):
322         (JSC::DFG::AbstractHeapOverlaps::operator()):
323         (JSC::DFG::ReadMethodClobberize::operator()):
324         (JSC::DFG::WriteMethodClobberize::operator()):
325         (JSC::DFG::DefMethodClobberize::operator()):
326         * dfg/DFGFlushFormat.h:
327         (JSC::DFG::merge):
328         * dfg/DFGGraph.cpp:
329         (JSC::DFG::Graph::Graph):
330         * dfg/DFGGraph.h:
331         (JSC::DFG::Graph::capturedVarsFor):
332         * dfg/DFGObjectAllocationSinkingPhase.cpp:
333         (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints):
334         (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints):
335         * dfg/DFGPlan.cpp:
336         (JSC::DFG::Plan::compileInThreadImpl):
337         * dfg/DFGPreciseLocalClobberize.h: Added.
338         (JSC::DFG::PreciseLocalClobberizeAdaptor::PreciseLocalClobberizeAdaptor):
339         (JSC::DFG::PreciseLocalClobberizeAdaptor::read):
340         (JSC::DFG::PreciseLocalClobberizeAdaptor::write):
341         (JSC::DFG::PreciseLocalClobberizeAdaptor::def):
342         (JSC::DFG::PreciseLocalClobberizeAdaptor::callIfAppropriate):
343         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
344         (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop):
345         (JSC::DFG::forEachLocalReadByUnwind):
346         (JSC::DFG::preciseLocalClobberize):
347         * dfg/DFGPutLocalSinkingPhase.cpp: Added.
348         (JSC::DFG::performPutLocalSinking):
349         * dfg/DFGPutLocalSinkingPhase.h: Added.
350         * dfg/DFGSSACalculator.h:
351         (JSC::DFG::SSACalculator::computePhis):
352         * dfg/DFGValidate.cpp:
353
354 2014-10-03  Saam Barati  <saambarati1@gmail.com>
355
356         Change how 32-bit JSValues check if they are a Boolean
357
358         Rubber stamped by Filip Pizlo.
359
360         32-bit JSValue::isBoolean can simply check if its tag corresponds 
361         to the boolean tag instead of checking if it's either true or false.
362
363         * runtime/JSCJSValueInlines.h:
364         (JSC::JSValue::isBoolean):
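
        Added illustration (not JavaScriptCore code, and not part of this ChangeLog entry): the
        difference between checking a 32-bit tagged value for "boolean" by comparing against the
        two canonical encodings and checking it by tag alone. The tag constants, the Value layout
        and the helper names below are assumptions chosen to mirror a split tag/payload
        representation; they are not taken from the page. The two checks agree on every
        well-formed value and differ only on a malformed one whose tag says boolean but whose
        payload is neither 0 nor 1, which is the case a tag-only check silently accepts.

```cpp
// Added example, not JSC code. Tag values are hypothetical.
#include <cstdint>

namespace tagged32 {

// Assumed tag constants for a 32-bit tag / 32-bit payload layout.
constexpr int32_t Int32Tag     = -1;
constexpr int32_t BooleanTag   = -2;
constexpr int32_t NullTag      = -3;
constexpr int32_t UndefinedTag = -4;

struct Value {
    int32_t tag;
    int32_t payload;

    static Value boolean(bool b) { return {BooleanTag, b ? 1 : 0}; }
    static Value int32(int32_t i) { return {Int32Tag, i}; }
    static Value null() { return {NullTag, 0}; }
    static Value undefined() { return {UndefinedTag, 0}; }

    bool operator==(const Value& o) const { return tag == o.tag && payload == o.payload; }
};

// "Before": equality against the two canonical boolean encodings.
inline bool isBooleanByValue(Value v)
{
    return v == Value::boolean(true) || v == Value::boolean(false);
}

// "After": a single tag comparison, as the ChangeLog entry describes.
inline bool isBooleanByTag(Value v)
{
    return v.tag == BooleanTag;
}

// Both predicates agree on every well-formed sample value (constructed here).
inline bool agreeOnWellFormedValues()
{
    const Value samples[] = {
        Value::boolean(true), Value::boolean(false),
        Value::int32(0), Value::int32(1),
        Value::null(), Value::undefined()
    };
    for (const Value& v : samples) {
        if (isBooleanByValue(v) != isBooleanByTag(v))
            return false;
    }
    return true;
}

// A malformed encoding: boolean tag with a payload that is neither 0 nor 1.
// Only a bug (or memory corruption) produces such a value; the value-based
// check rejects it, the tag-based check accepts it.
inline Value malformedBoolean() { return {BooleanTag, 2}; }

} // namespace tagged32
```

        The practical consequence is that a tag-only check makes the tag the sole source of truth
        for the type, so anything that constructs a Value must guarantee a 0/1 payload under
        BooleanTag; a later reader of `payload` must not assume the value-based check ever ran.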
365
366 2014-10-01  Oliver Hunt  <oliver@apple.com>
367
368         Do all closed variable access through the local lexical object
369         https://bugs.webkit.org/show_bug.cgi?id=136869
370
371         Reviewed by Filip Pizlo.
372
373         This patch makes all reads and writes from captured registers
374         go through the lexical record, and by doing so removes the
375         need for record tearoff.
376
377         To keep the patch simple we still number variables as though
378         they are local stack allocated registers, but ::local() will
379         fail. When local fails we perform a generic resolve, and in
380         that resolve we now use a ResolveScopeInfo struct to pass
381         around information about whether a lookup is a statically
382         known captured variable, and its location in the activation.
383         To ensure correct behaviour during codeblock linking we also
384         add a LocalClosureVariable resolution type.
385
386         To ensure correct semantics for the Arguments object, we now
387         have to eagerly create the Arguments object for any function
388         that uses both the Arguments object and requires a lexical
389         record.
390
391         * bytecode/BytecodeList.json:
392         * bytecode/BytecodeUseDef.h:
393         (JSC::computeUsesForBytecodeOffset):
394         (JSC::computeDefsForBytecodeOffset):
395         * bytecode/CodeBlock.cpp:
396         (JSC::CodeBlock::dumpBytecode):
397         (JSC::CodeBlock::CodeBlock):
398         (JSC::CodeBlock::finalizeUnconditionally):
399         * bytecompiler/BytecodeGenerator.cpp:
400         (JSC::BytecodeGenerator::BytecodeGenerator):
401         (JSC::BytecodeGenerator::initializeCapturedVariable):
402           During the entry to a function we are not yet in a position
403           to allocate temporaries so we directly use the lexical
404           environment register.
405         (JSC::BytecodeGenerator::resolveCallee):
406         (JSC::BytecodeGenerator::emitMove):
407         (JSC::BytecodeGenerator::local):
408         (JSC::BytecodeGenerator::constLocal):
409         (JSC::BytecodeGenerator::emitResolveScope):
410         (JSC::BytecodeGenerator::emitResolveConstantLocal):
411           The two resolve scope operations could technically skip
412           the op_resolve_scope, and simply perform 
413               op_mov dst, recordRegister
414           but for now it seemed best to maintain the same basic
415           behaviour.
416         (JSC::BytecodeGenerator::emitGetFromScope):
417         (JSC::BytecodeGenerator::emitPutToScope):
418         (JSC::BytecodeGenerator::createArgumentsIfNecessary):
419           If we have an environment we've already created Arguments
420           so no need to check again.
421         (JSC::BytecodeGenerator::emitReturn):
422           Don't need to emit tearoff_environment
423         * bytecompiler/BytecodeGenerator.h:
424         (JSC::Local::Local):
425         (JSC::Local::operator bool):
426         (JSC::Local::get):
427         (JSC::Local::isReadOnly):
428         (JSC::Local::isSpecial):
429         (JSC::ResolveScopeInfo::ResolveScopeInfo):
430         (JSC::ResolveScopeInfo::isLocal):
431         (JSC::ResolveScopeInfo::localIndex):
432         (JSC::BytecodeGenerator::shouldCreateArgumentsEagerly):
433         (JSC::Local::isCaptured): Deleted.
434         (JSC::Local::captureMode): Deleted.
435         * bytecompiler/NodesCodegen.cpp:
436         (JSC::ResolveNode::emitBytecode):
437         (JSC::EvalFunctionCallNode::emitBytecode):
438         (JSC::FunctionCallResolveNode::emitBytecode):
439         (JSC::PostfixNode::emitResolve):
440         (JSC::DeleteResolveNode::emitBytecode):
441         (JSC::TypeOfResolveNode::emitBytecode):
442         (JSC::PrefixNode::emitResolve):
443         (JSC::ReadModifyResolveNode::emitBytecode):
444         (JSC::AssignResolveNode::emitBytecode):
445         (JSC::ConstDeclNode::emitCodeSingle):
446         (JSC::EmptyVarExpression::emitBytecode):
447         (JSC::ForInNode::tryGetBoundLocal):
448         (JSC::ForInNode::emitLoopHeader):
449         (JSC::ForOfNode::emitBytecode):
450         (JSC::BindingNode::bindValue):
451         * dfg/DFGAbstractInterpreterInlines.h:
452         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
453         * dfg/DFGByteCodeParser.cpp:
454         (JSC::DFG::ByteCodeParser::parseBlock):
455         * dfg/DFGCapabilities.cpp:
456         (JSC::DFG::capabilityLevel):
457         * dfg/DFGClobberize.h:
458         (JSC::DFG::clobberize):
459         * dfg/DFGDoesGC.cpp:
460         (JSC::DFG::doesGC):
461         * dfg/DFGFixupPhase.cpp:
462         (JSC::DFG::FixupPhase::fixupNode):
463         * dfg/DFGGraph.cpp:
464         (JSC::DFG::Graph::tryGetRegisters):
465         * dfg/DFGNodeType.h:
466         * dfg/DFGPredictionPropagationPhase.cpp:
467         (JSC::DFG::PredictionPropagationPhase::propagate):
468         * dfg/DFGSafeToExecute.h:
469         (JSC::DFG::safeToExecute):
470         * dfg/DFGSpeculativeJIT32_64.cpp:
471         (JSC::DFG::SpeculativeJIT::compile):
472         * dfg/DFGSpeculativeJIT64.cpp:
473         (JSC::DFG::SpeculativeJIT::compile):
474         * ftl/FTLCapabilities.cpp:
475         (JSC::FTL::canCompile):
476         * interpreter/Interpreter.cpp:
477         (JSC::unwindCallFrame):
478         * jit/JIT.cpp:
479         (JSC::JIT::privateCompileMainPass):
480         (JSC::JIT::privateCompileSlowCases):
481         * jit/JIT.h:
482         * jit/JITOpcodes.cpp:
483         (JSC::JIT::emit_op_captured_mov): Deleted.
484         (JSC::JIT::emit_op_tear_off_lexical_environment): Deleted.
485         (JSC::JIT::emitSlow_op_captured_mov): Deleted.
486         * jit/JITOpcodes32_64.cpp:
487         (JSC::JIT::emit_op_captured_mov): Deleted.
488         (JSC::JIT::emit_op_tear_off_lexical_environment): Deleted.
489         * jit/JITOperations.cpp:
490         * jit/JITOperations.h:
491         * jit/JITPropertyAccess.cpp:
492         (JSC::JIT::emit_op_resolve_scope):
493         (JSC::JIT::emit_op_get_from_scope):
494         (JSC::JIT::emitPutClosureVar):
495         (JSC::JIT::emit_op_put_to_scope):
496         (JSC::JIT::emitSlow_op_put_to_scope):
497         * jit/JITPropertyAccess32_64.cpp:
498         (JSC::JIT::emit_op_resolve_scope):
499         (JSC::JIT::emit_op_get_from_scope):
500         (JSC::JIT::emitPutClosureVar):
501         (JSC::JIT::emit_op_put_to_scope):
502         (JSC::JIT::emitSlow_op_put_to_scope):
503         * llint/LLIntData.cpp:
504         (JSC::LLInt::Data::performAssertions):
505         * llint/LLIntSlowPaths.cpp:
506         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
507         * llint/LLIntSlowPaths.h:
508         * llint/LowLevelInterpreter.asm:
509         * llint/LowLevelInterpreter32_64.asm:
510         * llint/LowLevelInterpreter64.asm:
511         * runtime/Arguments.cpp:
512         (JSC::Arguments::tearOff):
513         * runtime/Arguments.h:
514         (JSC::Arguments::argument):
515         * runtime/CommonSlowPaths.cpp:
516         (JSC::SLOW_PATH_DECL): Deleted.
517         * runtime/CommonSlowPaths.h:
518         * runtime/JSLexicalEnvironment.cpp:
519         (JSC::JSLexicalEnvironment::visitChildren):
520         (JSC::JSLexicalEnvironment::symbolTableGet):
521         (JSC::JSLexicalEnvironment::symbolTablePut):
522         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
523         (JSC::JSLexicalEnvironment::getOwnPropertySlot):
524         (JSC::JSLexicalEnvironment::argumentsGetter):
525         * runtime/JSLexicalEnvironment.h:
526         (JSC::JSLexicalEnvironment::create):
527         (JSC::JSLexicalEnvironment::JSLexicalEnvironment):
528         (JSC::JSLexicalEnvironment::tearOff): Deleted.
529         (JSC::JSLexicalEnvironment::isTornOff): Deleted.
530         * runtime/JSScope.cpp:
531         (JSC::resolveTypeName):
532         * runtime/JSScope.h:
533         (JSC::makeType):
534         (JSC::needsVarInjectionChecks):
535         * runtime/WriteBarrier.h:
536         (JSC::WriteBarrier<Unknown>::WriteBarrier):
537
538 2014-10-02  Filip Pizlo  <fpizlo@apple.com>
539
540         Object allocation sinking should have a sound story for picking materialization points
541         https://bugs.webkit.org/show_bug.cgi?id=137315
542
543         Reviewed by Oliver Hunt.
544         
545         The only missing piece was having the object allocation sinking phase locate materialization
546         points that were at CFG edges.
547         
548         The logic for how and why this "just works" relies on some properties of critical edge
549         breaking, so I was fairly careful in how I did this. Also, this requires inserting things at
550         the "first origin node" of a block - that is the first node in a block that has a NodeOrigin
551         and therefore is allowed to exit. We basically had support for such a notion before, but
552         didn't close the loop on it; this patch does that.
553         
554         Also I added the ability to provide a BasicBlock* as context for a DFG_ASSERT().
555
556         * dfg/DFGBasicBlock.cpp:
557         (JSC::DFG::BasicBlock::firstOriginNode):
558         (JSC::DFG::BasicBlock::firstOrigin):
559         * dfg/DFGBasicBlock.h:
560         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
561         (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
562         * dfg/DFGGraph.cpp:
563         (JSC::DFG::crash):
564         (JSC::DFG::Graph::handleAssertionFailure):
565         * dfg/DFGGraph.h:
566         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
567         (JSC::DFG::createPreHeader):
568         * dfg/DFGNodeOrigin.h:
569         (JSC::DFG::NodeOrigin::isSet):
570         * dfg/DFGObjectAllocationSinkingPhase.cpp:
571         (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints):
572         (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints):
573         (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields):
574         (JSC::DFG::ObjectAllocationSinkingPhase::createMaterialize):
575         * dfg/DFGValidate.cpp:
576         (JSC::DFG::Validate::validate):
577         * runtime/Options.h:
578
579 2014-10-02  Daniel Bates  <dabates@apple.com>
580
581         Clean up: Move XPC forward declarations in JavaScriptCore to WTF SPI wrapper header
582         https://bugs.webkit.org/show_bug.cgi?id=137277
583
584         Reviewed by Alexey Proskuryakov.
585
586         Use wtf/spi/darwin/XPCSPI.h instead of including the corresponding XPC headers/
587         forward declaring XPC functions.
588
589         * inspector/remote/RemoteInspector.mm:
590         * inspector/remote/RemoteInspectorXPCConnection.h:
591         * inspector/remote/RemoteInspectorXPCConnection.mm:
592
593 2014-10-01  Anders Carlsson  <andersca@apple.com>
594
595         Use variadic templates for jsMakeNontrivialString
596         https://bugs.webkit.org/show_bug.cgi?id=137325
597
598         Reviewed by Sam Weinig.
599
600         * runtime/JSString.h:
601         (JSC::jsNontrivialString):
602         Add an overload that takes an rvalue reference to a String so we can transfer ownership easily.
603
604         * runtime/JSStringBuilder.h:
605         (JSC::jsMakeNontrivialString):
606         Make this a variadic function template, with a single-parameter version that can steal the string if it's OK to do so.
607
608 2014-10-02  Mark Lam  <mark.lam@apple.com>
609
610         Fixed the Inspector to be able to properly distinguish between scope types.
611         <https://webkit.org/b/137279>
612
613         Reviewed by Geoffrey Garen.
614
615         The pre-existing code incorrectly labels Catch Scopes and Function Name Scopes
616         as With Scopes.  This patch will fix this.
617
618         * bytecode/BytecodeList.json:
619         * bytecompiler/BytecodeGenerator.cpp:
620         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
621         (JSC::BytecodeGenerator::emitPushCatchScope):
622         - These now store the desired JSNameScope::Type in a bytecode operand.
623         * debugger/DebuggerScope.cpp:
624         (JSC::DebuggerScope::isCatchScope):
625         (JSC::DebuggerScope::isFunctionNameScope):
626         - Added queries to be able to explicitly test if the scope is a CatchScope
627           or FunctionNameScope.  The FunctionNameScope is the case where the
628           NameScope is used to capture the function name of a function expression.
629         * debugger/DebuggerScope.h:
630         * inspector/InjectedScriptSource.js:
631         * inspector/JSJavaScriptCallFrame.cpp:
632         (Inspector::JSJavaScriptCallFrame::scopeType):
633         * inspector/JSJavaScriptCallFrame.h:
634         * inspector/JSJavaScriptCallFramePrototype.cpp:
635         (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
636         (Inspector::jsJavaScriptCallFrameConstantFUNCTION_NAME_SCOPE):
637         * inspector/protocol/Debugger.json:
638         * jit/CCallHelpers.h:
639         (JSC::CCallHelpers::setupArgumentsWithExecState):
640         * jit/JIT.h:
641         * jit/JITInlines.h:
642         (JSC::JIT::callOperation):
643         * jit/JITOpcodes.cpp:
644         (JSC::JIT::emit_op_push_name_scope):
645         * jit/JITOpcodes32_64.cpp:
646         (JSC::JIT::emit_op_push_name_scope):
647         * jit/JITOperations.cpp:
648         * jit/JITOperations.h:
649         * llint/LLIntSlowPaths.cpp:
650         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
651         * llint/LowLevelInterpreter.asm:
652         * runtime/JSFunction.cpp:
653         (JSC::JSFunction::addNameScopeIfNeeded):
654         * runtime/JSNameScope.h:
655         (JSC::JSNameScope::create):
656         (JSC::JSNameScope::isFunctionNameScope):
657         (JSC::JSNameScope::isCatchScope):
658         (JSC::JSNameScope::JSNameScope):
659         - Now stores the JSNameScope::Type in a field.
660
661 2014-10-01  Commit Queue  <commit-queue@webkit.org>
662
663         Unreviewed, rolling out r174180, r174183, and r174186.
664         https://bugs.webkit.org/show_bug.cgi?id=137320
665
666         Broke the Mac MountainLion build. Will investigate offline.
667         (Requested by dydz on #webkit).
668
669         Reverted changesets:
670
671         "Clean up: Move XPC forward declarations in JavaScriptCore to
672         WTF SPI wrapper header"
673         https://bugs.webkit.org/show_bug.cgi?id=137277
674         http://trac.webkit.org/changeset/174180
675
676         "Attempt to fix the build after
677         <https://trac.webkit.org/changeset/174180>"
678         https://bugs.webkit.org/show_bug.cgi?id=137277
679         http://trac.webkit.org/changeset/174183
680
681         "Another attempt to fix the Mac build after
682         <https://trac.webkit.org/changeset/174180>"
683         https://bugs.webkit.org/show_bug.cgi?id=137277
684         http://trac.webkit.org/changeset/174186
685
686 2014-10-01  Daniel Bates  <dabates@apple.com>
687
688         Clean up: Move XPC forward declarations in JavaScriptCore to WTF SPI wrapper header
689         https://bugs.webkit.org/show_bug.cgi?id=137277
690
691         Reviewed by Alexey Proskuryakov.
692
693         Use wtf/spi/darwin/XPCSPI.h instead of including the corresponding XPC headers/
694         forward declaring XPC functions.
695
696         * inspector/remote/RemoteInspector.mm:
697         * inspector/remote/RemoteInspectorXPCConnection.h:
698         * inspector/remote/RemoteInspectorXPCConnection.mm:
699
700 2014-10-01  Brent Fulgham  <bfulgham@apple.com>
701
702         [Win] Unreviewed build gardening.
703
704         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Show files in the appropriate
705         folders in Visual Studio.
706
707 2014-10-01  Filip Pizlo  <fpizlo@apple.com>
708
709         Object allocation sinking is broken for escaping sites in loops
710         https://bugs.webkit.org/show_bug.cgi?id=137310
711
712         Reviewed by Michael Saboff.
713         
714         I tried to do this clever forward-flow based materialization point placement, and I messed up loops. Disabling
715         the phase for now and landing a test to demonstrate what is going on.
716
717         * dfg/DFGPlan.cpp:
718         (JSC::DFG::Plan::compileInThreadImpl):
719         * runtime/Options.h:
720         * tests/stress/object-escapes-in-loop.js: Added.
721         (foo):
722         (bar):
723
724 2014-10-01  Saam Barati  <saambarati1@gmail.com>
725
726         Support the type profiler in the DFG
727         https://bugs.webkit.org/show_bug.cgi?id=136712
728
729         Reviewed by Filip Pizlo.
730
731         This patch implements op_profile_type inside the DFG as the node: ProfileType.
732         The DFG will convert the ProfileType node into a Check node in the cases where
733         passing a type check is equivalent to writing to the TypeProfilerLog. This
734         gives the DFG the potential to optimize out multiple ProfileType nodes into
735         a single Check node.
736
737         When the DFG doesn't convert ProfileType into a Check node, it will generate
738         the same inline code as the baseline JIT does for writing an entry to the
739         TypeProfilerLog.
740
741         * dfg/DFGAbstractInterpreterInlines.h:
742         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
743         * dfg/DFGByteCodeParser.cpp:
744         (JSC::DFG::ByteCodeParser::parseBlock):
745         * dfg/DFGCapabilities.cpp:
746         (JSC::DFG::capabilityLevel):
747         * dfg/DFGClobberize.h:
748         (JSC::DFG::clobberize):
749         * dfg/DFGDoesGC.cpp:
750         (JSC::DFG::doesGC):
751         * dfg/DFGDriver.cpp:
752         (JSC::DFG::compileImpl):
753         * dfg/DFGFixupPhase.cpp:
754         (JSC::DFG::FixupPhase::fixupNode):
755         * dfg/DFGNode.h:
756         (JSC::DFG::Node::typeLocation):
757         * dfg/DFGNodeType.h:
758         * dfg/DFGOperations.cpp:
759         * dfg/DFGOperations.h:
760         * dfg/DFGPredictionPropagationPhase.cpp:
761         (JSC::DFG::PredictionPropagationPhase::propagate):
762         * dfg/DFGSafeToExecute.h:
763         (JSC::DFG::safeToExecute):
764         * dfg/DFGSpeculativeJIT.h:
765         (JSC::DFG::SpeculativeJIT::callOperation):
766         * dfg/DFGSpeculativeJIT32_64.cpp:
767         (JSC::DFG::SpeculativeJIT::compile):
768         * dfg/DFGSpeculativeJIT64.cpp:
769         (JSC::DFG::SpeculativeJIT::compile):
770         * runtime/TypeProfiler.cpp:
771         (JSC::TypeProfiler::logTypesForTypeLocation):
772         * runtime/TypeSet.cpp:
773         (JSC::TypeSet::dumpTypes):
774         (JSC::TypeSet::doesTypeConformTo):
775         Make this method public so others can reason about the types a TypeSet has seen.
776         (JSC::TypeSet::seenTypes): Deleted.
777         (JSC::TypeSet::dumpSeenTypes): Deleted.
778         Renamed to dumpTypes so the method seenTypes can be used as a public getter.
779         * runtime/TypeSet.h:
780         (JSC::TypeSet::seenTypes):
781         * tests/typeProfiler/dfg-jit-optimizations.js: Added.
782         (tierUpToDFG):
783         (funcs):
784         (.return):
785
786 2014-10-01  Filip Pizlo  <fpizlo@apple.com>
787
788         Unreviewed, fix 32-bit.
789
790         * dfg/DFGSpeculativeJIT32_64.cpp:
791         (JSC::DFG::SpeculativeJIT::compile):
792
793 2014-09-30  Filip Pizlo  <fpizlo@apple.com>
794
795         DFG SSA should use PutLocal/KillLocal instead of SetLocal to communicate what is flushed to the stack and when
796         https://bugs.webkit.org/show_bug.cgi?id=137242
797
798         Reviewed by Geoffrey Garen.
799         
800         OSR availability has to do with telling you the various ways that you could go about getting
801         the value of a bytecode variable. It can give you two options: node availability means that
802         there is a node in the DFG IR that has the right value, and flush availability tells you
803         that the value was already stored to the stack. The clients of OSR availability would
804         typically prefer flush over node availability.
805         
806         Previously OSR availability was affected thusly by the various local-related nodes: SetLocal
807         set both the node and flush availability, MovHint set node availability and cleared flush
808         availability, GetArgument set both, and ZombieHint cleared both.
809         
810         A MovHint could be turned into a ZombieHint if its source value was DCEd.
811         
812         The fact that each node affected both node and flush availability caused weirdness. For
813         example it meant that we could not insert MovHints in areas of the CFG where a SetLocal's
814         variable was still live, because then those parts of the code would forget that they had an
815         availability flush. This meant that if a flush was available, we wouldn't insert MovHints,
816         and so we would forget that a node was in fact available. This kind of "either-or" picking
817         was not only hackish but it led to interesting problems for IR transformation: for example
818         if you tried to do any kind of code motion on SetLocals, you had to be super careful because
819         you might violate the rule that "MovHints must exist for a live local if a flush is
820         unavailable".
821         
822         The right thing to do is to have independent nodes for flushing and making nodes available.
823         They shouldn't interact with each other. This patch accomplishes this:
824         
825         - PutLocal means that a value is to be stored to the stack. It makes a flush available.
826         - KillLocal means that the value stored to the stack is no longer available for the purposes
827           of OSR (i.e. it no longer accurately corresponds to what that actual bytecode variable
828           would have been, so you have to fall back on node availability).
829         - MovHint means that a node is available. It has no effect on flush availability.
830         - ZombieHint means that a node is not available. It has no effect on flush availability.
831         
832         This means that we will see a lot of KillLocals and MovHints right next to each other. It's
833         a bit verbose, but at least it's precise.
834
835         * dfg/DFGAbstractInterpreterInlines.h:
836         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
837         * dfg/DFGAvailability.h:
838         (JSC::DFG::Availability::setFlush):
839         (JSC::DFG::Availability::setNode):
840         (JSC::DFG::Availability::setNodeUnavailable):
841         * dfg/DFGClobberize.h:
842         (JSC::DFG::clobberize):
843         * dfg/DFGDoesGC.cpp:
844         (JSC::DFG::doesGC):
845         * dfg/DFGFixupPhase.cpp:
846         (JSC::DFG::FixupPhase::fixupNode):
847         * dfg/DFGNode.cpp:
848         (JSC::DFG::Node::hasVariableAccessData):
849         * dfg/DFGNode.h:
850         (JSC::DFG::Node::hasUnlinkedLocal):
851         (JSC::DFG::Node::willHaveCodeGenOrOSR):
852         * dfg/DFGNodeType.h:
853         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
854         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
855         * dfg/DFGPredictionPropagationPhase.cpp:
856         (JSC::DFG::PredictionPropagationPhase::propagate):
857         * dfg/DFGSSAConversionPhase.cpp:
858         (JSC::DFG::SSAConversionPhase::run):
859         * dfg/DFGSafeToExecute.h:
860         (JSC::DFG::safeToExecute):
861         * dfg/DFGSpeculativeJIT64.cpp:
862         (JSC::DFG::SpeculativeJIT::compile):
863         * dfg/DFGStackLayoutPhase.cpp:
864         (JSC::DFG::StackLayoutPhase::run):
865         * ftl/FTLCapabilities.cpp:
866         (JSC::FTL::canCompile):
867         * ftl/FTLLowerDFGToLLVM.cpp:
868         (JSC::FTL::LowerDFGToLLVM::compileNode):
869         (JSC::FTL::LowerDFGToLLVM::compilePutLocal):
870         (JSC::FTL::LowerDFGToLLVM::compileSetLocal): Deleted.
871
872 2014-10-01  Brent Fulgham  <bfulgham@apple.com>
873
874         [Win] 32-bit JavaScriptCore should limit itself to the C loop
875         https://bugs.webkit.org/show_bug.cgi?id=137304
876         <rdar://problem/18375370>
877
878         Reviewed by Michael Saboff.
879
880         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl:
881         Use the C loop for 32-bit builds.
882
883 2014-09-30  Brian J. Burg  <burg@cs.washington.edu>
884
885         Web Inspector: ErrorString should be passed by reference
886         https://bugs.webkit.org/show_bug.cgi?id=137257
887
888         Reviewed by Joseph Pecoraro.
889
890         Pass the leading ErrorString argument by reference, since it is always an out parameter.
891         Clean up callsites where the error message is written.
892
893         * inspector/InjectedScript.cpp:
894         (Inspector::InjectedScript::evaluate):
895         (Inspector::InjectedScript::callFunctionOn):
896         (Inspector::InjectedScript::evaluateOnCallFrame):
897         (Inspector::InjectedScript::getFunctionDetails):
898         (Inspector::InjectedScript::getProperties):
899         (Inspector::InjectedScript::getInternalProperties):
900         * inspector/InjectedScript.h:
901         * inspector/InjectedScriptBase.cpp:
902         (Inspector::InjectedScriptBase::makeEvalCall):
903         * inspector/InjectedScriptBase.h:
904         * inspector/agents/InspectorAgent.cpp:
905         (Inspector::InspectorAgent::willDestroyFrontendAndBackend):
906         (Inspector::InspectorAgent::enable):
907         (Inspector::InspectorAgent::disable):
908         (Inspector::InspectorAgent::initialized):
909         * inspector/agents/InspectorAgent.h:
910         * inspector/agents/InspectorConsoleAgent.cpp:
911         (Inspector::InspectorConsoleAgent::willDestroyFrontendAndBackend):
912         (Inspector::InspectorConsoleAgent::enable):
913         (Inspector::InspectorConsoleAgent::disable):
914         (Inspector::InspectorConsoleAgent::clearMessages):
915         (Inspector::InspectorConsoleAgent::reset):
916         (Inspector::InspectorConsoleAgent::addMessageToConsole):
917         * inspector/agents/InspectorConsoleAgent.h:
918         * inspector/agents/InspectorDebuggerAgent.cpp:
919         (Inspector::InspectorDebuggerAgent::enable):
920         (Inspector::InspectorDebuggerAgent::disable):
921         (Inspector::InspectorDebuggerAgent::setBreakpointsActive):
922         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
923         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
924         (Inspector::parseLocation):
925         (Inspector::InspectorDebuggerAgent::setBreakpoint):
926         (Inspector::InspectorDebuggerAgent::removeBreakpoint):
927         (Inspector::InspectorDebuggerAgent::continueToLocation):
928         (Inspector::InspectorDebuggerAgent::searchInContent):
929         (Inspector::InspectorDebuggerAgent::getScriptSource):
930         (Inspector::InspectorDebuggerAgent::getFunctionDetails):
931         (Inspector::InspectorDebuggerAgent::pause):
932         (Inspector::InspectorDebuggerAgent::resume):
933         (Inspector::InspectorDebuggerAgent::stepOver):
934         (Inspector::InspectorDebuggerAgent::stepInto):
935         (Inspector::InspectorDebuggerAgent::stepOut):
936         (Inspector::InspectorDebuggerAgent::setPauseOnExceptions):
937         (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
938         (Inspector::InspectorDebuggerAgent::setOverlayMessage):
939         (Inspector::InspectorDebuggerAgent::didParseSource):
940         (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
941         (Inspector::InspectorDebuggerAgent::assertPaused):
942         * inspector/agents/InspectorDebuggerAgent.h:
943         * inspector/agents/InspectorRuntimeAgent.cpp:
944         (Inspector::InspectorRuntimeAgent::parse):
945         (Inspector::InspectorRuntimeAgent::evaluate):
946         (Inspector::InspectorRuntimeAgent::callFunctionOn):
947         (Inspector::InspectorRuntimeAgent::getProperties):
948         (Inspector::InspectorRuntimeAgent::releaseObject):
949         (Inspector::InspectorRuntimeAgent::releaseObjectGroup):
950         (Inspector::InspectorRuntimeAgent::run):
951         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
952         (Inspector::InspectorRuntimeAgent::enableTypeProfiler):
953         (Inspector::InspectorRuntimeAgent::disableTypeProfiler):
954         * inspector/agents/InspectorRuntimeAgent.h:
955         * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
956         (Inspector::JSGlobalObjectConsoleAgent::setMonitoringXHREnabled):
957         (Inspector::JSGlobalObjectConsoleAgent::addInspectedNode):
958         * inspector/agents/JSGlobalObjectConsoleAgent.h:
959         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
960         (Inspector::JSGlobalObjectDebuggerAgent::injectedScriptForEval):
961         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
962         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
963         (Inspector::JSGlobalObjectRuntimeAgent::injectedScriptForEval):
964         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
965         * inspector/scripts/codegen/generate_backend_dispatcher_header.py:
966         (BackendDispatcherHeaderGenerator._generate_handler_declaration_for_command):
967         (BackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
968         * inspector/scripts/codegen/generate_backend_dispatcher_implementation.py:
969         (BackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
970         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
971         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
972         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
973         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
974
975 2014-09-30  Mark Lam  <mark.lam@apple.com>
976
977         Label some asserts as having security implications.
978         <https://webkit.org/b/137260>
979
980         Reviewed by Filip Pizlo.
981
982         * dfg/DFGGraph.cpp:
983         (JSC::DFG::Graph::handleAssertionFailure):
984         * runtime/JSCell.h:
985         (JSC::jsCast):
986         * runtime/StructureIDTable.h:
987         (JSC::StructureIDTable::get):
988
989 2014-09-30  Filip Pizlo  <fpizlo@apple.com>
990
991         REGRESSION (r174025): Invalid cast in JSC::asString
992         https://bugs.webkit.org/show_bug.cgi?id=137224
993
994         Reviewed by Geoffrey Garen.
995         
996         Store barrier elision in fixup depends on checking the type of the value being stored. It's very important that
997         when we speak of "the value being stored" we are really referring to the right value.
998         
999         The bug here was that the PutClosureVar case was assuming that child2 is the value being stored. It's actually
1000         child3. So we were incorrectly removing all barriers from PutClosureVar.
1001
1002         * dfg/DFGFixupPhase.cpp:
1003         (JSC::DFG::FixupPhase::fixupNode):
1004
1005 2014-09-30  Brian J. Burg  <burg@cs.washington.edu>
1006
1007         Web Replay: use static Strings instead of AtomicStrings for replay input type tags
1008         https://bugs.webkit.org/show_bug.cgi?id=137086
1009
1010         Reviewed by Joseph Pecoraro.
1011
1012         This pattern doesn't work when we want to define some inputs in WebKit2.
1013         The ReplayInputTypes class was generated from WebCore inputs only. This
1014         patch moves all input traits to use static local Strings as type tags.
1015
1016         * replay/scripts/CodeGeneratorReplayInputs.py: Remove configuration of how
1017         type tags are generated, since all framework targets now generate the same code.
1018
1019         * replay/NondeterministicInput.h:
1020         * replay/scripts/CodeGeneratorReplayInputs.py: Simplify and rebase test results.
1021         (Generator.generate_input_trait_implementation):
1022         * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Simplify templates.
1023
1024         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp:
1025         (JSC::InputTraits<Test::SavedMouseButton>::type):
1026         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h:
1027         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp:
1028         (JSC::InputTraits<Test::SavedMouseButton>::type):
1029         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h:
1030         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp:
1031         (JSC::InputTraits<Test::HandleWheelEvent>::type):
1032         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h:
1033         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp:
1034         (JSC::InputTraits<Test::FormCombo>::type):
1035         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h:
1036         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp:
1037         (JSC::InputTraits<Test::GetCurrentTime>::type):
1038         (JSC::InputTraits<Test::SetRandomSeed>::type):
1039         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h:
1040         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp:
1041         (JSC::InputTraits<Test::ArrayOfThings>::type):
1042         (JSC::InputTraits<Test::SavedHistory>::type):
1043         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h:
1044         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.cpp:
1045         (JSC::InputTraits<Test::ScalarInput1>::type):
1046         (JSC::InputTraits<Test::ScalarInput2>::type):
1047         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h:
1048         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp:
1049         (JSC::InputTraits<Test::ScalarInput>::type):
1050         (JSC::InputTraits<Test::MapInput>::type):
1051         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h:
1052
1053 2014-09-30  Daniel Bates  <dabates@apple.com>
1054
1055         REGRESSION (r172532): JSBase.h declares NSMapTable functions that are SPI
1056         https://bugs.webkit.org/show_bug.cgi?id=137170
1057         <rdar://problem/18477384>
1058
1059         Reviewed by Geoffrey Garen.
1060
1061         Move conditional include of header Foundation/NSMapTablePriv.h and forward declarations
1062         of NSMapTable SPI from file JavaScriptCore/API/JSBase.h to WTF/wtf/spi/cocoa/NSMapTableSPI.h.
1063
1064         * API/JSBase.h:
1065         * API/JSManagedValue.mm: Include header WTF/wtf/spi/cocoa/NSMapTableSPI.h.
1066         * API/JSVirtualMachine.mm: Ditto.
1067         * API/JSVirtualMachineInternal.h: Forward declare class NSMapTable.
1068         * API/JSWrapperMap.mm: Include header WTF/wtf/spi/cocoa/NSMapTableSPI.h. Also, order
1069         #include directives such that they are sorted in alphabetical order.
1070
1071 2014-09-30  Oliver Hunt  <oliver@apple.com>
1072
1073         Fix C API header
1074         https://bugs.webkit.org/show_bug.cgi?id=137254
1075         <rdar://problem/18487528>
1076
1077         Build fix
1078
1079         Guard extern "C" behind __cplusplus ifdef
1080
1081         * API/JSBase.h:
1082
1083 2014-09-29  Brian J. Burg  <burg@cs.washington.edu>
1084
1085         Web Inspector: InjectedScripts should not be profiled or displayed in Timeline
1086         https://bugs.webkit.org/show_bug.cgi?id=136806
1087
1088         Reviewed by Timothy Hatcher.
1089
1090         It doesn't make sense to show profile nodes for injected scripts when profiling user content.
1091         For now, omit nodes by suspending profiling before and after executing injected scripts.
1092
1093         * profiler/LegacyProfiler.cpp:
1094         (JSC::LegacyProfiler::suspendProfiling): Added.
1095         (JSC::LegacyProfiler::unsuspendProfiling): Added.
1096         * profiler/LegacyProfiler.h:
1097         * profiler/ProfileGenerator.cpp: Add isSuspended() flag, remove unused typedef.
1098         (JSC::ProfileGenerator::ProfileGenerator):
1099         (JSC::ProfileGenerator::willExecute):
1100         (JSC::ProfileGenerator::didExecute):
1101         * profiler/ProfileGenerator.h:
1102         (JSC::ProfileGenerator::setIsSuspended): Added.
1103
1104 2014-09-29  Brian J. Burg  <burg@cs.washington.edu>
1105
1106         Web Inspector: InspectorValues should use references for out parameters
1107         https://bugs.webkit.org/show_bug.cgi?id=137190
1108
1109         Reviewed by Joseph Pecoraro.
1110
1111         Use references for out parameters in asType() and getType() methods.
1112         Also convert to references in some miscellaneous code where we don't
1113         expect or handle null values.
1114
1115         Remove variants of asObject() and asArray() that return a nullable RefPtr.
1116         Now, client code is forced to use out parameters and check for cast failure.
1117
1118         Iron out control flow in some functions and fix some style issues.
1119
1120         * inspector/InjectedScript.cpp:
1121         (Inspector::InjectedScript::getFunctionDetails):
1122         (Inspector::InjectedScript::wrapObject):
1123         (Inspector::InjectedScript::wrapTable):
1124         * inspector/InjectedScriptBase.cpp:
1125         (Inspector::InjectedScriptBase::makeEvalCall):
1126         * inspector/InjectedScriptManager.cpp:
1127         (Inspector::InjectedScriptManager::injectedScriptForObjectId): Simplify control flow.
1128         * inspector/InspectorBackendDispatcher.cpp:
1129         (Inspector::InspectorBackendDispatcher::dispatch):
1130         (Inspector::getPropertyValue):
1131         (Inspector::AsMethodBridges::asInteger):
1132         (Inspector::AsMethodBridges::asDouble):
1133         (Inspector::AsMethodBridges::asString):
1134         (Inspector::AsMethodBridges::asBoolean):
1135         (Inspector::AsMethodBridges::asObject):
1136         (Inspector::AsMethodBridges::asArray):
1137         * inspector/InspectorProtocolTypes.h:
1138         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast):
1139         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType):
1140         * inspector/InspectorValues.cpp: Use more by-reference out parameters. Add more spacing.
1141         (Inspector::InspectorValue::asBoolean):
1142         (Inspector::InspectorValue::asDouble):
1143         (Inspector::InspectorValue::asInteger):
1144         (Inspector::InspectorValue::asString):
1145         (Inspector::InspectorValue::asValue):
1146         (Inspector::InspectorValue::asObject):
1147         (Inspector::InspectorValue::asArray):
1148         (Inspector::InspectorValue::parseJSON):
1149         (Inspector::InspectorValue::toJSONString):
1150         (Inspector::InspectorValue::writeJSON):
1151         (Inspector::InspectorBasicValue::asBoolean):
1152         (Inspector::InspectorBasicValue::asDouble):
1153         (Inspector::InspectorBasicValue::asInteger):
1154         (Inspector::InspectorBasicValue::writeJSON):
1155         (Inspector::InspectorString::asString):
1156         (Inspector::InspectorString::writeJSON):
1157         (Inspector::InspectorObjectBase::asObject):
1158         (Inspector::InspectorObjectBase::openAccessors):
1159         (Inspector::InspectorObjectBase::getBoolean):
1160         (Inspector::InspectorObjectBase::getString):
1161         (Inspector::InspectorObjectBase::getObject):
1162         (Inspector::InspectorObjectBase::getArray):
1163         (Inspector::InspectorObjectBase::writeJSON):
1164         (Inspector::InspectorArrayBase::asArray):
1165         (Inspector::InspectorArrayBase::writeJSON):
1166         * inspector/InspectorValues.h:
1167         * inspector/agents/InspectorDebuggerAgent.cpp:
1168         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
1169         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
1170         (Inspector::parseLocation):
1171         (Inspector::InspectorDebuggerAgent::setBreakpoint):
1172         (Inspector::InspectorDebuggerAgent::continueToLocation):
1173         (Inspector::InspectorDebuggerAgent::didParseSource):
1174         * inspector/agents/InspectorRuntimeAgent.cpp:
1175         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1176         * inspector/scripts/codegen/generate_protocol_types_implementation.py:
1177         (ProtocolTypesImplementationGenerator):
1178         (ProtocolTypesImplementationGenerator._generate_assertion_for_enum):
1179         * inspector/scripts/codegen/generator_templates.py:
1180         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1181         * replay/EncodedValue.cpp:
1182         (JSC::EncodedValue::asObject):
1183         (JSC::EncodedValue::asArray):
1184         (JSC::EncodedValue::convertTo<bool>):
1185         (JSC::EncodedValue::convertTo<double>):
1186         (JSC::EncodedValue::convertTo<float>):
1187         (JSC::EncodedValue::convertTo<int32_t>):
1188         (JSC::EncodedValue::convertTo<int64_t>):
1189         (JSC::EncodedValue::convertTo<uint32_t>):
1190         (JSC::EncodedValue::convertTo<uint64_t>):
1191         (JSC::EncodedValue::convertTo<String>):
1192
1193 2014-09-29  Filip Pizlo  <fpizlo@apple.com>
1194
1195         DFG HasStructureProperty codegen should use one fewer registers
1196         https://bugs.webkit.org/show_bug.cgi?id=137235
1197
1198         Reviewed by Andreas Kling.
1199         
1200         This was an obvious source of inefficiency and it was causing us to run out of registers on
1201         x86-32.
1202
1203         * dfg/DFGSpeculativeJIT32_64.cpp:
1204         (JSC::DFG::SpeculativeJIT::compile):
1205         * dfg/DFGSpeculativeJIT64.cpp:
1206         (JSC::DFG::SpeculativeJIT::compile):
1207
1208 2014-09-29  Filip Pizlo  <fpizlo@apple.com>
1209
1210         Don't use GPRResult unless you're flushing registers and making a runtime function call
1211         https://bugs.webkit.org/show_bug.cgi?id=137234
1212
1213         Rubber stamped by Andreas Kling.
1214
1215         Rename GPRResult to GPRFlushedCallResult, in an attempt to dissuade people from using it for results in the
1216         general case.
1217         
1218         Replace GPRResult with GPRTemporary in those places where it was causing bugs: particularly in GetDirectPname it
1219         would cause us to spill the register that has the base, and the code was assuming (rightly) that the base and the
1220         result were in different registers. That's a valid assumption when using GPRTemporary but not with GPRResult.
1221         Also this code wasn't getting any benefit from using GPRResult because it wasn't doing flushRegisters().
1222         
1223         I don't know how to test this. A test would require setting up a particularly awkward register allocation state.
1224         
1225         * dfg/DFGSpeculativeJIT.cpp:
1226         (JSC::DFG::SpeculativeJIT::compileIn):
1227         (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck):
1228         (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression):
1229         (JSC::DFG::SpeculativeJIT::compileRegExpExec):
1230         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1231         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1232         (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
1233         * dfg/DFGSpeculativeJIT.h:
1234         (JSC::DFG::GPRFlushedCallResult::GPRFlushedCallResult):
1235         (JSC::DFG::GPRFlushedCallResult2::GPRFlushedCallResult2):
1236         (JSC::DFG::GPRResult::GPRResult): Deleted.
1237         (JSC::DFG::GPRResult2::GPRResult2): Deleted.
1238         * dfg/DFGSpeculativeJIT32_64.cpp:
1239         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
1240         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
1241         (JSC::DFG::SpeculativeJIT::emitCall):
1242         (JSC::DFG::SpeculativeJIT::compile):
1243         * dfg/DFGSpeculativeJIT64.cpp:
1244         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
1245         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
1246         (JSC::DFG::SpeculativeJIT::emitCall):
1247         (JSC::DFG::SpeculativeJIT::compile):
1248         (JSC::DFG::SpeculativeJIT::speculateDoubleRepMachineInt):
1249
1250 2014-09-29  Diego Pino Garcia  <dpino@igalia.com>
1251
1252         Missing changes from r174049
1253         https://bugs.webkit.org/show_bug.cgi?id=137206
1254
1255         Reviewed by Darin Adler.
1256
1257         * runtime/CommonIdentifiers.h:
1258
1259 2014-09-28  Diego Pino Garcia  <dpino@igalia.com>
1260
1261         Simple ES6 feature: Number constructor extras
1262         https://bugs.webkit.org/show_bug.cgi?id=131707
1263
1264         Reviewed by Darin Adler.
1265
1266         * runtime/CommonIdentifiers.h:
1267         * runtime/NumberConstructor.cpp:
1268         (JSC::NumberConstructor::finishCreation): Set up constants and
1269         functions.
1270         (JSC::numberConstructorFuncIsFinite): Added.
1271         (JSC::numberConstructorFuncIsInteger): Added.
1272         (JSC::numberConstructorFuncIsNaN): Added.
1273         (JSC::numberConstructorFuncIsSafeInteger): Added.
1274         (JSC::NumberConstructor::getOwnPropertySlot): Deleted.
1275         (JSC::numberConstructorNaNValue): Deleted.
1276         (JSC::numberConstructorNegInfinity): Deleted.
1277         (JSC::numberConstructorPosInfinity): Deleted.
1278         (JSC::numberConstructorMaxValue): Deleted.
1279         (JSC::numberConstructorMinValue): Deleted.
1280         * runtime/NumberConstructor.h:
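The four constructor functions this entry adds have ES6 semantics that differ from the global isNaN/isFinite in one security-relevant way: they never coerce their argument. The block below is an added example, not code from the WebKit ChangeLog or the JSC sources; it gives spec-style reference implementations and a checker that compares them with the engine's built-ins over a constructed set of probe values.

```javascript
// Added example (not part of WebKit or JSC): reference implementations of the
// ES6 Number constructor extras, written to the spec semantics so they can be
// compared with an engine's Number.isFinite/isNaN/isInteger/isSafeInteger.
// None of these coerce: a non-number argument always yields false.

const MAX_SAFE_INTEGER = Math.pow(2, 53) - 1; // 9007199254740991

function numberIsFinite(value) {
  // The typeof check rejects strings, booleans, objects, null and undefined;
  // the global isFinite then only has to reject NaN and the infinities.
  return typeof value === "number" && isFinite(value);
}

function numberIsNaN(value) {
  // NaN is the only value that is not equal to itself.
  return typeof value === "number" && value !== value;
}

function numberIsInteger(value) {
  // A finite number whose integer part equals itself: 5.0 is, 5.5 is not.
  return numberIsFinite(value) && Math.floor(value) === value;
}

function numberIsSafeInteger(value) {
  // An integer that a double represents exactly: |n| <= 2^53 - 1.
  return numberIsInteger(value) && Math.abs(value) <= MAX_SAFE_INTEGER;
}

// Compare the reference implementations with the engine's built-ins over a
// constructed set of probe values. Returns the list of mismatching calls,
// which is empty when the engine follows the spec semantics.
function checkAgainstBuiltins() {
  const probes = [
    0, -0, 1, 5.5, -7, NaN, Infinity, -Infinity,
    MAX_SAFE_INTEGER, MAX_SAFE_INTEGER + 1, Math.pow(2, 53) + 2,
    -MAX_SAFE_INTEGER - 1,
    "5", "NaN", "", null, undefined, true, {}, [], [5],
  ];
  const pairs = [
    ["isFinite", numberIsFinite, Number.isFinite],
    ["isNaN", numberIsNaN, Number.isNaN],
    ["isInteger", numberIsInteger, Number.isInteger],
    ["isSafeInteger", numberIsSafeInteger, Number.isSafeInteger],
  ];
  const mismatches = [];
  for (const [name, reference, builtin] of pairs) {
    for (const probe of probes) {
      if (reference(probe) !== builtin(probe))
        mismatches.push(`${name}(${String(probe)})`);
    }
  }
  return mismatches;
}

// The coercion difference that matters when untrusted input reaches a numeric
// check: the globals convert first, the Number.* versions do not.
function coercionDifferences() {
  return {
    globalIsNaNString: isNaN("foo"),           // true: "foo" coerces to NaN
    numberIsNaNString: numberIsNaN("foo"),     // false: not a number at all
    globalIsFiniteString: isFinite("5"),       // true: "5" coerces to 5
    numberIsFiniteString: numberIsFinite("5"), // false
  };
}
```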
1281
1282 2014-09-26  Filip Pizlo  <fpizlo@apple.com>
1283
1284         Disable function.arguments
1285         https://bugs.webkit.org/show_bug.cgi?id=137167
1286
1287         Rubber stamped by Geoffrey Garen.
1288         
1289         Add an option to disable function.arguments. Add a test for disabling it.
1290         
1291         Disabling function.arguments means that it returns an Arguments object that claims that
1292         there were zero arguments. All other Arguments functionality still works, so any code
1293         that tries to inspect this object will still think that it is looking at a perfectly
1294         valid Arguments object.
1295         
1296         This also makes function.arguments disabled by default. Note that the RJST harness will
1297         enable them by default, to continue to get test coverage for the code that implements
1298         the feature.
1299         
1300         We will rip out that code once we're confident that it's really safe to remove this
1301         feature. Only once we rip out that support will we be able to do optimizations to
1302         leverage the lack of this feature. It's important to keep the support code, and the test
1303         infrastructure, in place before we are confident. The logic to keep this working touches
1304         the entire compiler and a large chunk of the runtime, so reimplementing it - or even
1305         merging it back in - would be a nightmare. That's also basically the reason why we want
1306         to rip it out if at all possible. It's a lot of terrible code.
1307
1308         * interpreter/StackVisitor.cpp:
1309         (JSC::StackVisitor::Frame::createArguments):
1310         * runtime/Arguments.h:
1311         (JSC::Arguments::create):
1312         (JSC::Arguments::finishCreation):
1313         * runtime/Options.h:
1314         * tests/stress/disable-function-dot-arguments.js: Added.
1315         (foo):
1316         (bar):
1317
1318 2014-09-26  Joseph Pecoraro  <pecoraro@apple.com>
1319
1320         Web Inspector: Automatic Inspection should continue once all breakpoints are loaded
1321         https://bugs.webkit.org/show_bug.cgi?id=137038
1322
1323         Reviewed by Timothy Hatcher.
1324
1325         Add a new protocol command "Inspector.initialized" that signifies to the backend
1326         when the frontend has sent all its initialization messages to the backend. This
1327         can include information like breakpoints, which we would want to have loaded
1328         before any JavaScript evaluates in the context.
1329
1330         * inspector/protocol/InspectorDomain.json:
1331         New protocol command, Inspector.initialized.
1332
1333         * inspector/agents/InspectorAgent.h:
1334         * inspector/agents/InspectorAgent.cpp:
1335         (Inspector::InspectorAgent::InspectorAgent):
1336         (Inspector::InspectorAgent::initialized):
1337         Tell the InspectorEnvironment (the Controller) the frontend has initialized.
1338
1339         * inspector/InspectorEnvironment.h:
1340         Abstract virtual method to handle frontend initialization. To be
1341         implemented by all of the InspectorControllers.
1342
1343         * inspector/JSGlobalObjectInspectorController.h:
1344         * inspector/JSGlobalObjectInspectorController.cpp:
1345         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1346         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
1347         (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
1348         (Inspector::JSGlobalObjectInspectorController::frontendInitialized):
1349         When a frontend is initialized, if it was automatic inspection unpause the debuggable.
1350
1351         * inspector/remote/RemoteInspectorDebuggable.cpp:
1352         (Inspector::RemoteInspectorDebuggable::unpauseForInitializedInspector):
1353         Complete setup for this debuggable.
1354
1355         * inspector/remote/RemoteInspectorDebuggable.h:
1356         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
1357         (Inspector::RemoteInspectorDebuggableConnection::setup):
1358         Move the setup complete to later, when the frontend sends an "initialized" message.
1359
1360         * inspector/remote/RemoteInspector.h:
1361         * inspector/remote/RemoteInspector.mm:
1362         (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate):
1363         Provide a longer timeout now that the frontend must send messages after the connection
1364         has been established. The longest I have seen is 600ms, but the average tends to be 200ms.
1365         So bump the timeout to 800ms for a buffer.
1366
1367         (Inspector::RemoteInspector::setupSucceeded): Deleted.
1368         (Inspector::RemoteInspector::setupCompleted):
1369         Rename, as this happens at a slightly different time.
1370
1371 2014-09-26  Filip Pizlo  <fpizlo@apple.com>
1372
1373         DFG shouldn't insert store barriers when it has it on good authority that we're not storing a cell
1374         https://bugs.webkit.org/show_bug.cgi?id=137161
1375
1376         Reviewed by Mark Hahnenberg.
1377         
1378         This looks like a 1% Octane speed-up.
1379
1380         * bytecode/SpeculatedType.h:
1381         (JSC::isNotCellSpeculation):
1382         * dfg/DFGFixupPhase.cpp:
1383         (JSC::DFG::FixupPhase::fixupNode):
1384         (JSC::DFG::FixupPhase::insertStoreBarrier):
1385         (JSC::DFG::FixupPhase::insertCheck):
1386         * dfg/DFGNode.h:
1387         (JSC::DFG::Node::shouldSpeculateNotCell):
1388
1389 2014-09-26  Peter Varga  <pvarga@webkit.org>
1390
1391         Fix typo in YARR at BOL check
1392         https://bugs.webkit.org/show_bug.cgi?id=137144
1393
1394         Reviewed by Darin Adler.
1395
1396         * yarr/YarrPattern.cpp: Replace the bitwise-and operator with the logical-and operator.
1397         (JSC::Yarr::YarrPatternConstructor::assertionBOL):
1398
1399 2014-09-25  Saam Barati  <saambarati1@gmail.com>
1400
1401         Web Inspector: console.assert(bitString) TypeSet:50 
1402         https://bugs.webkit.org/show_bug.cgi?id=137051
1403
1404         Reviewed by Joseph Pecoraro.
1405
1406         This patch creates stricter requirements on a TypeDescription
1407         being valid. To be valid, a TypeDescription now ensures that
1408         the TypeSet it describes has non-null type information.
1409
1410         * inspector/agents/InspectorRuntimeAgent.cpp:
1411         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1412         * runtime/TypeSet.h:
1413         (JSC::TypeSet::isEmpty):
1414
1415 2014-09-25  Filip Pizlo  <fpizlo@apple.com>
1416
1417         FTL should sink object allocations
1418         https://bugs.webkit.org/show_bug.cgi?id=136330
1419
1420         Reviewed by Oliver Hunt.
1421         
1422         This adds a comprehensive infrastructure for sinking object allocations in DFG SSA form. The
1423         ultimate goal of sinking is to sink an allocation "past the points of its death" - i.e. to
1424         eliminate it completely. The way sinking reasons about the CFG means that it resembles a
1425         partial escape analysis: we create paths through a function where some allocation(s) don't
1426         have to be done at all even if there are other paths along which those allocations still have
1427         to happen. But it also produces other side benefits. Even if an allocation isn't eliminated
1428         along any path, the act of sinking reduces the number of barriers that have to execute.
1429         
1430         Because this was a fairly ambitious SSA analysis and transformation, I added a bunch of C++11
1431         sugar to the DFG's internal APIs to allow for easier iteration over blocks, nodes, and
1432         successors; and to add more functor goodness to allow for more lambdas.
1433         
1434         This is just the beginning. The bug has a bunch of other bugs that depend on it. So far this
1435         is a spectacular speed-up on microbenchmarks but it's still too limited to affect big
1436         benchmarks. For example, doing o == p makes the sinking phase think that o and p escape.
1437         That's just an omission and there are likely others; we can easily fix them. I think it's
1438         best to land it in its current form and then to worry about the big benchmarks in subsequent
1439         work (see bug 137126).
1440
1441         * CMakeLists.txt:
1442         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1443         * JavaScriptCore.xcodeproj/project.pbxproj:
1444         * bytecode/StructureSet.h:
1445         (JSC::StructureSet::iterator::iterator):
1446         (JSC::StructureSet::iterator::operator*):
1447         (JSC::StructureSet::iterator::operator++):
1448         (JSC::StructureSet::iterator::operator==):
1449         (JSC::StructureSet::iterator::operator!=):
1450         (JSC::StructureSet::begin):
1451         (JSC::StructureSet::end):
1452         * dfg/DFGAbstractInterpreter.h:
1453         (JSC::DFG::AbstractInterpreter::phiChildren):
1454         * dfg/DFGAbstractInterpreterInlines.h:
1455         (JSC::DFG::AbstractInterpreter<AbstractStateType>::AbstractInterpreter):
1456         (JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting):
1457         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1458         (JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
1459         * dfg/DFGAvailability.h:
1460         (JSC::DFG::Availability::shouldUseNode):
1461         (JSC::DFG::Availability::isFlushUseful):
1462         (JSC::DFG::Availability::isDead):
1463         (JSC::DFG::Availability::operator!=):
1464         * dfg/DFGAvailabilityMap.cpp: Added.
1465         (JSC::DFG::AvailabilityMap::prune):
1466         (JSC::DFG::AvailabilityMap::clear):
1467         (JSC::DFG::AvailabilityMap::dump):
1468         (JSC::DFG::AvailabilityMap::operator==):
1469         (JSC::DFG::AvailabilityMap::merge):
1470         * dfg/DFGAvailabilityMap.h: Added.
1471         (JSC::DFG::AvailabilityMap::forEachAvailability):
1472         * dfg/DFGBasicBlock.cpp:
1473         (JSC::DFG::BasicBlock::SSAData::SSAData):
1474         * dfg/DFGBasicBlock.h:
1475         (JSC::DFG::BasicBlock::begin):
1476         (JSC::DFG::BasicBlock::end):
1477         (JSC::DFG::BasicBlock::SuccessorsIterable::SuccessorsIterable):
1478         (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::iterator):
1479         (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator*):
1480         (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator++):
1481         (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator==):
1482         (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator!=):
1483         (JSC::DFG::BasicBlock::SuccessorsIterable::begin):
1484         (JSC::DFG::BasicBlock::SuccessorsIterable::end):
1485         (JSC::DFG::BasicBlock::successors):
1486         * dfg/DFGClobberize.h:
1487         (JSC::DFG::clobberize):
1488         * dfg/DFGConstantFoldingPhase.cpp:
1489         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1490         * dfg/DFGDoesGC.cpp:
1491         (JSC::DFG::doesGC):
1492         * dfg/DFGFixupPhase.cpp:
1493         (JSC::DFG::FixupPhase::fixupNode):
1494         * dfg/DFGFlushedAt.cpp:
1495         (JSC::DFG::FlushedAt::dump):
1496         * dfg/DFGFlushedAt.h:
1497         (JSC::DFG::FlushedAt::FlushedAt):
1498         * dfg/DFGGraph.cpp:
1499         (JSC::DFG::Graph::dump):
1500         (JSC::DFG::Graph::dumpBlockHeader):
1501         (JSC::DFG::Graph::mergeRelevantToOSR):
1502         (JSC::DFG::Graph::invalidateCFG):
1503         * dfg/DFGGraph.h:
1504         (JSC::DFG::Graph::NaturalBlockIterable::NaturalBlockIterable):
1505         (JSC::DFG::Graph::NaturalBlockIterable::iterator::iterator):
1506         (JSC::DFG::Graph::NaturalBlockIterable::iterator::operator*):
1507         (JSC::DFG::Graph::NaturalBlockIterable::iterator::operator++):
1508         (JSC::DFG::Graph::NaturalBlockIterable::iterator::operator==):
1509         (JSC::DFG::Graph::NaturalBlockIterable::iterator::operator!=):
1510         (JSC::DFG::Graph::NaturalBlockIterable::iterator::findNext):
1511         (JSC::DFG::Graph::NaturalBlockIterable::begin):
1512         (JSC::DFG::Graph::NaturalBlockIterable::end):
1513         (JSC::DFG::Graph::blocksInNaturalOrder):
1514         (JSC::DFG::Graph::doToChildrenWithNode):
1515         (JSC::DFG::Graph::doToChildren):
1516         * dfg/DFGHeapLocation.cpp:
1517         (WTF::printInternal):
1518         * dfg/DFGHeapLocation.h:
1519         * dfg/DFGInsertOSRHintsForUpdate.cpp: Added.
1520         (JSC::DFG::insertOSRHintsForUpdate):
1521         * dfg/DFGInsertOSRHintsForUpdate.h: Added.
1522         * dfg/DFGInsertionSet.h:
1523         (JSC::DFG::InsertionSet::graph):
1524         * dfg/DFGMayExit.cpp:
1525         (JSC::DFG::mayExit):
1526         * dfg/DFGNode.h:
1527         (JSC::DFG::Node::convertToPutByOffsetHint):
1528         (JSC::DFG::Node::convertToPutStructureHint):
1529         (JSC::DFG::Node::convertToPhantomNewObject):
1530         (JSC::DFG::Node::isCellConstant):
1531         (JSC::DFG::Node::castConstant):
1532         (JSC::DFG::Node::hasIdentifier):
1533         (JSC::DFG::Node::hasStorageAccessData):
1534         (JSC::DFG::Node::hasObjectMaterializationData):
1535         (JSC::DFG::Node::objectMaterializationData):
1536         (JSC::DFG::Node::isPhantomObjectAllocation):
1537         * dfg/DFGNodeType.h:
1538         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
1539         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
1540         (JSC::DFG::LocalOSRAvailabilityCalculator::endBlock):
1541         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
1542         * dfg/DFGOSRAvailabilityAnalysisPhase.h:
1543         * dfg/DFGObjectAllocationSinkingPhase.cpp: Added.
1544         (JSC::DFG::ObjectAllocationSinkingPhase::ObjectAllocationSinkingPhase):
1545         (JSC::DFG::ObjectAllocationSinkingPhase::run):
1546         (JSC::DFG::ObjectAllocationSinkingPhase::performSinking):
1547         (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints):
1548         (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints):
1549         (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations):
1550         (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields):
1551         (JSC::DFG::ObjectAllocationSinkingPhase::resolve):
1552         (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
1553         (JSC::DFG::ObjectAllocationSinkingPhase::createMaterialize):
1554         (JSC::DFG::ObjectAllocationSinkingPhase::populateMaterialize):
1555         (JSC::DFG::performObjectAllocationSinking):
1556         * dfg/DFGObjectAllocationSinkingPhase.h: Added.
1557         * dfg/DFGObjectMaterializationData.cpp: Added.
1558         (JSC::DFG::PhantomPropertyValue::dump):
1559         (JSC::DFG::ObjectMaterializationData::dump):
1560         (JSC::DFG::ObjectMaterializationData::oneWaySimilarityScore):
1561         (JSC::DFG::ObjectMaterializationData::similarityScore):
1562         * dfg/DFGObjectMaterializationData.h: Added.
1563         (JSC::DFG::PhantomPropertyValue::PhantomPropertyValue):
1564         (JSC::DFG::PhantomPropertyValue::operator==):
1565         * dfg/DFGPhantomCanonicalizationPhase.cpp:
1566         (JSC::DFG::PhantomCanonicalizationPhase::run):
1567         * dfg/DFGPhantomRemovalPhase.cpp:
1568         (JSC::DFG::PhantomRemovalPhase::run):
1569         * dfg/DFGPhiChildren.cpp: Added.
1570         (JSC::DFG::PhiChildren::PhiChildren):
1571         (JSC::DFG::PhiChildren::~PhiChildren):
1572         (JSC::DFG::PhiChildren::upsilonsOf):
1573         * dfg/DFGPhiChildren.h: Added.
1574         (JSC::DFG::PhiChildren::forAllIncomingValues):
1575         (JSC::DFG::PhiChildren::forAllTransitiveIncomingValues):
1576         * dfg/DFGPlan.cpp:
1577         (JSC::DFG::Plan::compileInThreadImpl):
1578         * dfg/DFGPrePostNumbering.cpp: Added.
1579         (JSC::DFG::PrePostNumbering::PrePostNumbering):
1580         (JSC::DFG::PrePostNumbering::~PrePostNumbering):
1581         (JSC::DFG::PrePostNumbering::compute):
1582         (WTF::printInternal):
1583         * dfg/DFGPrePostNumbering.h: Added.
1584         (JSC::DFG::PrePostNumbering::preNumber):
1585         (JSC::DFG::PrePostNumbering::postNumber):
1586         (JSC::DFG::PrePostNumbering::isStrictAncestorOf):
1587         (JSC::DFG::PrePostNumbering::isAncestorOf):
1588         (JSC::DFG::PrePostNumbering::isStrictDescendantOf):
1589         (JSC::DFG::PrePostNumbering::isDescendantOf):
1590         (JSC::DFG::PrePostNumbering::edgeKind):
1591         * dfg/DFGPredictionPropagationPhase.cpp:
1592         (JSC::DFG::PredictionPropagationPhase::propagate):
1593         * dfg/DFGPromoteHeapAccess.h: Added.
1594         (JSC::DFG::promoteHeapAccess):
1595         * dfg/DFGPromotedHeapLocation.cpp: Added.
1596         (JSC::DFG::PromotedLocationDescriptor::dump):
1597         (JSC::DFG::PromotedHeapLocation::createHint):
1598         (JSC::DFG::PromotedHeapLocation::dump):
1599         (WTF::printInternal):
1600         * dfg/DFGPromotedHeapLocation.h: Added.
1601         (JSC::DFG::PromotedLocationDescriptor::PromotedLocationDescriptor):
1602         (JSC::DFG::PromotedLocationDescriptor::operator!):
1603         (JSC::DFG::PromotedLocationDescriptor::kind):
1604         (JSC::DFG::PromotedLocationDescriptor::info):
1605         (JSC::DFG::PromotedLocationDescriptor::hash):
1606         (JSC::DFG::PromotedLocationDescriptor::operator==):
1607         (JSC::DFG::PromotedLocationDescriptor::operator!=):
1608         (JSC::DFG::PromotedLocationDescriptor::isHashTableDeletedValue):
1609         (JSC::DFG::PromotedHeapLocation::PromotedHeapLocation):
1610         (JSC::DFG::PromotedHeapLocation::operator!):
1611         (JSC::DFG::PromotedHeapLocation::kind):
1612         (JSC::DFG::PromotedHeapLocation::base):
1613         (JSC::DFG::PromotedHeapLocation::info):
1614         (JSC::DFG::PromotedHeapLocation::descriptor):
1615         (JSC::DFG::PromotedHeapLocation::hash):
1616         (JSC::DFG::PromotedHeapLocation::operator==):
1617         (JSC::DFG::PromotedHeapLocation::isHashTableDeletedValue):
1618         (JSC::DFG::PromotedHeapLocationHash::hash):
1619         (JSC::DFG::PromotedHeapLocationHash::equal):
1620         * dfg/DFGSSACalculator.cpp:
1621         (JSC::DFG::SSACalculator::reset):
1622         * dfg/DFGSSACalculator.h:
1623         * dfg/DFGSafeToExecute.h:
1624         (JSC::DFG::safeToExecute):
1625         * dfg/DFGSpeculativeJIT.cpp:
1626         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1627         * dfg/DFGSpeculativeJIT32_64.cpp:
1628         (JSC::DFG::SpeculativeJIT::compile):
1629         * dfg/DFGSpeculativeJIT64.cpp:
1630         (JSC::DFG::SpeculativeJIT::compile):
1631         * dfg/DFGStructureRegistrationPhase.cpp:
1632         (JSC::DFG::StructureRegistrationPhase::run):
1633         * dfg/DFGValidate.cpp:
1634         (JSC::DFG::Validate::validate):
1635         * ftl/FTLCapabilities.cpp:
1636         (JSC::FTL::canCompile):
1637         * ftl/FTLExitPropertyValue.cpp: Added.
1638         (JSC::FTL::ExitPropertyValue::dump):
1639         * ftl/FTLExitPropertyValue.h: Added.
1640         (JSC::FTL::ExitPropertyValue::ExitPropertyValue):
1641         (JSC::FTL::ExitPropertyValue::operator!):
1642         (JSC::FTL::ExitPropertyValue::location):
1643         (JSC::FTL::ExitPropertyValue::value):
1644         * ftl/FTLExitTimeObjectMaterialization.cpp: Added.
1645         (JSC::FTL::ExitTimeObjectMaterialization::ExitTimeObjectMaterialization):
1646         (JSC::FTL::ExitTimeObjectMaterialization::~ExitTimeObjectMaterialization):
1647         (JSC::FTL::ExitTimeObjectMaterialization::add):
1648         (JSC::FTL::ExitTimeObjectMaterialization::get):
1649         (JSC::FTL::ExitTimeObjectMaterialization::dump):
1650         * ftl/FTLExitTimeObjectMaterialization.h: Added.
1651         (JSC::FTL::ExitTimeObjectMaterialization::type):
1652         (JSC::FTL::ExitTimeObjectMaterialization::properties):
1653         * ftl/FTLExitValue.cpp:
1654         (JSC::FTL::ExitValue::materializeNewObject):
1655         (JSC::FTL::ExitValue::dumpInContext):
1656         * ftl/FTLExitValue.h:
1657         (JSC::FTL::ExitValue::isObjectMaterialization):
1658         (JSC::FTL::ExitValue::objectMaterialization):
1659         (JSC::FTL::ExitValue::withVirtualRegister):
1660         (JSC::FTL::ExitValue::valueFormat):
1661         * ftl/FTLLowerDFGToLLVM.cpp:
1662         (JSC::FTL::LowerDFGToLLVM::compileNode):
1663         (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
1664         (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
1665         (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
1666         (JSC::FTL::LowerDFGToLLVM::compileNewObject):
1667         (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
1668         (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
1669         (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
1670         (JSC::FTL::LowerDFGToLLVM::compileCheckStructureImmediate):
1671         (JSC::FTL::LowerDFGToLLVM::compileMaterializeNewObject):
1672         (JSC::FTL::LowerDFGToLLVM::checkStructure):
1673         (JSC::FTL::LowerDFGToLLVM::allocateCell):
1674         (JSC::FTL::LowerDFGToLLVM::storeStructure):
1675         (JSC::FTL::LowerDFGToLLVM::allocateObject):
1676         (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
1677         (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
1678         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
1679         (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
1680         (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
1681         (JSC::FTL::LowerDFGToLLVM::weakStructureID):
1682         (JSC::FTL::LowerDFGToLLVM::weakStructure):
1683         (JSC::FTL::LowerDFGToLLVM::availabilityMap):
1684         (JSC::FTL::LowerDFGToLLVM::availability): Deleted.
1685         * ftl/FTLOSRExit.h:
1686         * ftl/FTLOSRExitCompiler.cpp:
1687         (JSC::FTL::compileRecovery):
1688         (JSC::FTL::compileStub):
1689         * ftl/FTLOperations.cpp: Added.
1690         (JSC::FTL::operationNewObjectWithButterfly):
1691         (JSC::FTL::operationMaterializeObjectInOSR):
1692         * ftl/FTLOperations.h: Added.
1693         * ftl/FTLSwitchCase.h:
1694         (JSC::FTL::SwitchCase::SwitchCase):
1695         * runtime/JSObject.h:
1696         (JSC::JSObject::finishCreation):
1697         (JSC::JSFinalObject::JSFinalObject):
1698         (JSC::JSFinalObject::create):
1699         * runtime/Structure.cpp:
1700         (JSC::Structure::canUseForAllocationsOf):
1701         * runtime/Structure.h:
1702         * tests/stress/elidable-new-object-roflcopter-then-exit.js: Added.
1703         (sumOfArithSeries):
1704         (foo):
1705         * tests/stress/elide-new-object-dag-then-exit.js: Added.
1706         (sumOfArithSeries):
1707         (bar):
1708         (verify):
1709         (foo):
1710         * tests/stress/obviously-elidable-new-object-then-exit.js: Added.
1711         (sumOfArithSeries):
1712         (foo):
1713
1714 2014-09-25  Brian J. Burg  <burg@cs.washington.edu>
1715
1716         Web Replay: Check event loop input extents during replaying too
1717         https://bugs.webkit.org/show_bug.cgi?id=136316
1718
1719         Reviewed by Timothy Hatcher.
1720
1721         Sometimes we see different nondeterminism during capture and replay
1722         executions, so we should add determinism checks during replay too.
1723
1724         Move the withinEventLoopInputExtent flag to the base class, and tighten
1725         the assertion to address <http://webkit.org/b/133019>.
1726
1727         * replay/InputCursor.h:
1728         (JSC::InputCursor::InputCursor):
1729         (JSC::InputCursor::setWithinEventLoopInputExtent): Added.
1730         This assertion is slightly wrong because it does not account for nested run loops.
1731         We can be within two input extents when a nested run loop processes additional
1732         user inputs while the debugger is paused.
1733
1734         This should only be the case when execution is being neither captured nor
1735         replayed. The debugger should not pause when capturing, and we should not replay
1736         event loop inputs while in a nested run loop.
1737
1738         (JSC::InputCursor::withinEventLoopInputExtent): Added.
1739
1740 2014-09-25  Csaba Osztrogonác  <ossy@webkit.org>
1741
1742         Remove WinCE port from trunk
1743         https://bugs.webkit.org/show_bug.cgi?id=136951
1744
1745         Reviewed by Alex Christensen.
1746
1747         * assembler/ARMAssembler.h:
1748         (JSC::ARMAssembler::cacheFlush):
1749         * assembler/ARMv7Assembler.h:
1750         (JSC::ARMv7Assembler::cacheFlush):
1751         * config.h:
1752         * heap/MachineStackMarker.cpp:
1753         (JSC::MachineThreads::gatherFromCurrentThread):
1754         (JSC::MachineThreads::gatherFromOtherThread):
1755         (JSC::swapIfBackwards): Deleted.
1756         * jit/ExecutableAllocator.h:
1757         * jsc.cpp:
1758         (main):
1759         * runtime/DateConstructor.cpp:
1760         * runtime/Options.cpp:
1761         (JSC::overrideOptionWithHeuristic):
1762         * runtime/VM.cpp:
1763         (JSC::VM::VM):
1764         * testRegExp.cpp:
1765         (main):
1766         * tools/CodeProfiling.cpp:
1767         (JSC::CodeProfiling::notifyAllocator):
1768
1769 2014-09-24  Brian J. Burg  <burg@cs.washington.edu>
1770
1771         Web Inspector: subtract elapsed time while debugger is paused from profile nodes
1772         https://bugs.webkit.org/show_bug.cgi?id=136796
1773
1774         Reviewed by Timothy Hatcher.
1775
1776         Rather than accruing no time to any profile node created while the debugger is paused,
1777         we can instead count a node's elapsed time and exclude time elapsed while paused.
1778
1779         Time for a node may elapse in a non-contiguous fashion depending on the interleaving of
1780         didPause, didContinue, willExecute, and didExecute. A node's start time is set to the
1781         start of the last such interval that accrues elapsed time.
1782
1783         * profiler/ProfileGenerator.cpp:
1784         (JSC::ProfileGenerator::ProfileGenerator):
1785         (JSC::ProfileGenerator::beginCallEntry):
1786         (JSC::ProfileGenerator::endCallEntry):
1787         (JSC::ProfileGenerator::didPause): Added.
1788         (JSC::ProfileGenerator::didContinue): Added.
1789         * profiler/ProfileGenerator.h:
1790         (JSC::ProfileGenerator::didPause): Deleted.
1791         (JSC::ProfileGenerator::didContinue): Deleted.
1792         * profiler/ProfileNode.h: Rename totalTime to elapsedTime.
1793         (JSC::ProfileNode::Call::Call):
1794         (JSC::ProfileNode::Call::elapsedTime): Added.
1795         (JSC::ProfileNode::Call::setElapsedTime): Added.
1796         (JSC::CalculateProfileSubtreeDataFunctor::operator()):
1797         (JSC::ProfileNode::Call::totalTime): Deleted.
1798         (JSC::ProfileNode::Call::setTotalTime): Deleted.
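The accounting this entry describes (accrue a call's elapsed time only over intervals in which the debugger is not paused, and reset its start time at the beginning of each such interval) is modelled below. This is an added example, not WebKit's ProfileGenerator or ProfileNode code: the Call and ProfileGenerator classes are hypothetical stand-ins, and the clock is injected so the constructed interleaving is deterministic.

```javascript
// Added example (not WebKit's own code): a model of elapsed-time accounting
// across didPause/didContinue/willExecute/didExecute. Class names echo the
// ChangeLog entry but the implementation is hypothetical.

class Call {
  constructor(name, startTime) {
    this.name = name;
    this.startTime = startTime; // start of the current accruing interval; null while paused
    this.elapsedTime = 0;       // sum of all accruing intervals so far
  }
}

class ProfileGenerator {
  constructor(clock) {
    this.clock = clock;   // () => current time in ms, injected for determinism
    this.stack = [];      // open calls, innermost last
    this.paused = false;
    this.finished = [];   // completed calls, kept for inspection
  }

  willExecute(name) {
    // A call that begins while paused starts accruing only at the next didContinue.
    this.stack.push(new Call(name, this.paused ? null : this.clock()));
  }

  didExecute() {
    const call = this.stack.pop();
    // While paused the current interval was already closed by didPause, so
    // there is nothing further to add.
    if (!this.paused) call.elapsedTime += this.clock() - call.startTime;
    this.finished.push(call);
    return call;
  }

  didPause() {
    if (this.paused) return;
    const now = this.clock();
    for (const call of this.stack) {
      call.elapsedTime += now - call.startTime; // close the accruing interval
      call.startTime = null;
    }
    this.paused = true;
  }

  didContinue() {
    if (!this.paused) return;
    const now = this.clock();
    // Every open call gets a fresh start time: the start of its latest interval.
    for (const call of this.stack) call.startTime = now;
    this.paused = false;
  }
}

// Constructed scenario: a starts at 0, b at 10, the debugger pauses at 20 and
// continues at 50, b ends at 60, a ends at 70. The 30 ms pause is excluded
// from both calls, and b's start time records the interval that began at 50.
function runScenario() {
  let now = 0;
  const gen = new ProfileGenerator(() => now);
  now = 0;  gen.willExecute("a");
  now = 10; gen.willExecute("b");
  now = 20; gen.didPause();
  now = 50; gen.didContinue();
  now = 60; const b = gen.didExecute();
  now = 70; const a = gen.didExecute();
  return { a: a.elapsedTime, b: b.elapsedTime, bStart: b.startTime };
}

// Constructed scenario: c is entered while paused, so it accrues nothing until
// the debugger continues at 30 and then runs to 45.
function runPausedEntryScenario() {
  let now = 0;
  const gen = new ProfileGenerator(() => now);
  now = 0;  gen.didPause();
  now = 5;  gen.willExecute("c");
  now = 30; gen.didContinue();
  now = 45; const c = gen.didExecute();
  return { c: c.elapsedTime, cStart: c.startTime };
}
```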
1799
1800 2014-09-24  Commit Queue  <commit-queue@webkit.org>
1801
1802         Unreviewed, rolling out r173839.
1803         https://bugs.webkit.org/show_bug.cgi?id=137062
1804
1805         NumberConstruct should no longer use static tables (Requested
1806         by dpino on #webkit).
1807
1808         Reverted changeset:
1809
1810         "Simple ES6 feature: Number constructor extras"
1811         https://bugs.webkit.org/show_bug.cgi?id=131707
1812         http://trac.webkit.org/changeset/173839
1813
1814 2014-09-23  Mark Lam  <mark.lam@apple.com>
1815
1816         DebuggerCallFrame::invalidate() should invalidate all DebuggerScope chains.
1817         <https://webkit.org/b/137045>
1818
1819         Reviewed by Geoffrey Garen.
1820
1821         DebuggerCallFrame::invalidate() currently invalidates all DebuggerCallFrames
1822         in the debugger stack, but only invalidates the DebuggerScope chain of the
1823         topmost frame.  We should also invalidate all the DebuggerScope chains of
1824         the other frames in the debugger stack.
1825
1826         * debugger/DebuggerCallFrame.cpp:
1827         (JSC::DebuggerCallFrame::invalidate):
1828         * debugger/DebuggerScope.cpp:
1829         (JSC::DebuggerScope::invalidateChain):
1830
1831 2014-09-23  Mark Lam  <mark.lam@apple.com>
1832
1833         Renamed DebuggerCallFrameScope to DebuggerPausedScope.
1834         <https://webkit.org/b/137042>
1835
1836         Reviewed by Michael Saboff.
1837
1838         DebuggerPausedScope is a better name for this data structure because it
1839         is meant for tracking the period within which the debugger is paused,
1840         and doing clean ups after the pause ends.
1841
1842         * debugger/Debugger.cpp:
1843         (JSC::DebuggerPausedScope::DebuggerPausedScope):
1844         (JSC::DebuggerPausedScope::~DebuggerPausedScope):
1845         (JSC::Debugger::pauseIfNeeded):
1846         (JSC::DebuggerCallFrameScope::DebuggerCallFrameScope): Deleted.
1847         (JSC::DebuggerCallFrameScope::~DebuggerCallFrameScope): Deleted.
1848         * debugger/Debugger.h:
1849         * debugger/DebuggerCallFrame.h:
1850
1851 2014-09-23  Tomas Popela  <tpopela@redhat.com>
1852
1853         [CLoop] - Fix CLoop on the 32-bit Big-Endians
1854         https://bugs.webkit.org/show_bug.cgi?id=137020
1855
1856         Reviewed by Mark Lam.
1857
1858         * llint/LowLevelInterpreter.asm:
1859         * llint/LowLevelInterpreter32_64.asm:
1860
1861 2014-09-23  Joseph Pecoraro  <pecoraro@apple.com>
1862
1863         Web Inspector: Should be able to attach a debugger to a JSContext before anything is executed
1864         https://bugs.webkit.org/show_bug.cgi?id=136893
1865
1866         Reviewed by Timothy Hatcher.
1867
1868         Adds new remote inspector protocol handling for automatic inspection.
1869         Debuggers can signal they have enabled automatic inspection, and
1870         when debuggables are created the current application will pause to
1871         see if the debugger will inspect or decline to inspect the debuggable.
1872
1873         * inspector/remote/RemoteInspectorConstants.h:
1874         * inspector/remote/RemoteInspector.h:
1875         * inspector/remote/RemoteInspector.mm:
1876         (Inspector::globalAutomaticInspectionState):
1877         (Inspector::RemoteInspector::RemoteInspector):
1878         (Inspector::RemoteInspector::start):
1879         When first starting, check the global "is there an auto-inspect" debugger state.
1880         This is necessary so that the current application knows if it should pause or
1881         not when a debuggable is created, even without having connected to webinspectord yet.
1882
1883         (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate):
1884         When a debuggable has enabled remote inspection, take this path to propose
1885         it as an automatic inspection candidate if there is an auto-inspect debugger.
1886
1887         (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage):
1888         Send the automatic inspection candidate message.
1889
1890         (Inspector::RemoteInspector::receivedSetupMessage):
1891         (Inspector::RemoteInspector::setupFailed):
1892         (Inspector::RemoteInspector::setupSucceeded):
1893         After attempting to open an inspector, unpause if it was for the
1894         automatic inspection candidate.
1895
1896         (Inspector::RemoteInspector::waitingForAutomaticInspection):
1897         When running a nested runloop, check if we should remain paused.
1898
1899         (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
1900         If by the time we connect to webinspectord we have a candidate, then
1901         immediately send the candidate message.
1902
1903         (Inspector::RemoteInspector::stopInternal):
1904         (Inspector::RemoteInspector::xpcConnectionFailed):
1905         In error cases, clear our state.
1906
1907         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
1908         (Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage):
1909         (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage):
1910         Update state when receiving new messages.
1911
1912
1913         * inspector/remote/RemoteInspectorDebuggable.h:
1914         * inspector/remote/RemoteInspectorDebuggable.cpp:
1915         (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
1916         Special case when a debuggable is newly allowed to be debuggable.
1917
1918         (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection):
1919         Run a nested run loop while this is an automatic inspection candidate.
1920
1921         * inspector/JSGlobalObjectInspectorController.h:
1922         * inspector/JSGlobalObjectInspectorController.cpp:
1923         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1924         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
1925         When the inspector starts via automatic inspection, automatically pause.
1926         We plan on removing this condition by having the frontend signal to the
1927         backend when it is completely initialized.
1928         
1929         * inspector/remote/RemoteInspectorDebuggableConnection.h:
1930         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
1931         (Inspector::RemoteInspectorDebuggableConnection::setup):
1932         Pass on the flag of whether or not this was automatic inspection.
1933
1934         * runtime/JSGlobalObjectDebuggable.h:
1935         * runtime/JSGlobalObjectDebuggable.cpp:
1936         (JSC::JSGlobalObjectDebuggable::connect):
1937         (JSC::JSGlobalObjectDebuggable::pauseWaitingForAutomaticInspection):
1938         When pausing in a JSGlobalObject we need to release the API lock.
1939
1940 2014-09-22  Filip Pizlo  <fpizlo@apple.com>
1941
1942         FTL allocatePropertyStorage code should involve less copy-paste
1943         https://bugs.webkit.org/show_bug.cgi?id=137006
1944
1945         Reviewed by Michael Saboff.
1946
1947         * ftl/FTLLowerDFGToLLVM.cpp:
1948         (JSC::FTL::LowerDFGToLLVM::allocatePropertyStorage):
1949         (JSC::FTL::LowerDFGToLLVM::reallocatePropertyStorage):
1950         (JSC::FTL::LowerDFGToLLVM::allocatePropertyStorageWithSizeImpl):
1951
1952 2014-09-22  Diego Pino Garcia  <dpino@igalia.com>
1953
1954         Simple ES6 feature: Number constructor extras
1955         https://bugs.webkit.org/show_bug.cgi?id=131707
1956
1957         Reviewed by Darin Adler.
1958
1959         * runtime/CommonIdentifiers.h: Added new identifiers.
1960         * runtime/NumberConstructor.cpp:
1961         (JSC::NumberConstructor::getOwnPropertySlot):
1962         (JSC::NumberConstructor::isFunction): Added.
1963         (JSC::numberConstructorEpsilonValue): Added.
1964         (JSC::numberConstructorNegInfinity): Added.
1965         (JSC::numberConstructorPosInfinity): Added.
1966         (JSC::numberConstructorMaxValue): Added.
1967         (JSC::numberConstructorMinValue): Added.
1968         (JSC::numberConstructorMaxSafeInteger): Added.
1969         (JSC::numberConstructorMinSafeInteger): Added.
1970         (JSC::numberConstructorFuncIsFinite): Added.
1971         (JSC::numberConstructorFuncIsInteger): Added.
1972         (JSC::numberConstructorFuncIsNaN): Added.
1973         (JSC::numberConstructorFuncIsSafeInteger): Added.
1974         * runtime/NumberConstructor.h:
1975
1976 2014-09-21  Filip Pizlo  <fpizlo@apple.com>
1977
1978         FTL should store the four bytes of the cell header using a 32-bit store rather than four 8-bit stores
1979         https://bugs.webkit.org/show_bug.cgi?id=136992
1980
1981         Reviewed by Sam Weinig.
1982         
1983         LLVM ought to be able to do this optimization for us given how the code was written, but
1984         any such lower-level attempts to optimize this would get into trouble with the weird
1985         object materialization logic I'll be introducing in bug 136330. So, this brings the
1986         merging of the byte stores into the FTL lowering so that we can control it explicitly.
1987
1988         * ftl/FTLAbstractHeap.h:
1989         (JSC::FTL::AbstractHeap::changeParent):
1990         * ftl/FTLAbstractHeapRepository.cpp:
1991         (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
1992         * ftl/FTLAbstractHeapRepository.h:
1993         * ftl/FTLLowerDFGToLLVM.cpp:
1994         (JSC::FTL::LowerDFGToLLVM::allocateCell):
1995
1996 2014-09-21  Saam Barati  <saambarati1@gmail.com>
1997
1998         Web Inspector: fix TypeSet hierarchy in TypeTokenView
1999         https://bugs.webkit.org/show_bug.cgi?id=136982
2000
2001         Reviewed by Joseph Pecoraro.
2002
2003         TypeSet was computing the set of type booleans in the Inspector::Protocol::Runtime::TypeSet 
2004         object incorrectly because it was calling TypeSet::doesTypeConformTo(T) which checks if the 
2005         type set has only been of type T. It now checks '(m_seenTypes & T) != TypeNothing' to see 
2006         if type T is in the set of seen types, but not the entire set itself.
2007
2008         * runtime/TypeSet.cpp:
2009         (JSC::TypeSet::inspectorTypeSet):
2010
2011 2014-09-21  Filip Pizlo  <fpizlo@apple.com>
2012
2013         Structure should have a method for concurrently getting all of the property map entries, and this method shouldn't involve copy-paste
2014         https://bugs.webkit.org/show_bug.cgi?id=136983
2015
2016         Reviewed by Mark Hahnenberg.
2017
2018         * runtime/PropertyMapHashTable.h:
2019         (JSC::PropertyMapEntry::PropertyMapEntry): Moved PropertyMapEntry struct to Structure.h so that Structure can refer to it.
2020         * runtime/Structure.cpp:
2021         (JSC::Structure::getConcurrently): Switch to using the new forEachPropertyConcurrently() method.
2022         (JSC::Structure::getPropertiesConcurrently): The subject of this patch. It will be useful for object allocation sinking (bug 136330).
2023         (JSC::Structure::dump): Switch to using the new forEachPropertyConcurrently() method.
2024         * runtime/Structure.h:
2025         (JSC::PropertyMapEntry::PropertyMapEntry): Moved from PropertyMapHashTable.h.
2026         * runtime/StructureInlines.h:
2027         (JSC::Structure::forEachPropertyConcurrently): Capture this very common concurrent structure iteration pattern into a template method.
2028
2029 2014-09-21  Filip Pizlo  <fpizlo@apple.com>
2030
2031         Structure::getConcurrently() doesn't need to take a VM& argument.
2032
2033         Rubber stamped by Dan Bernstein.
2034         
2035         Removed the extra argument, and then removed similar arguments from other methods until
2036         I could build successfully again. It turned out that many methods took a VM& argument
2037         just for calling getConcurrently().
2038
2039         * bytecode/CodeBlock.cpp:
2040         (JSC::dumpStructure):
2041         (JSC::dumpChain):
2042         (JSC::CodeBlock::printGetByIdCacheStatus):
2043         (JSC::CodeBlock::printPutByIdCacheStatus):
2044         * bytecode/ComplexGetStatus.cpp:
2045         (JSC::ComplexGetStatus::computeFor):
2046         * bytecode/GetByIdStatus.cpp:
2047         (JSC::GetByIdStatus::computeFromLLInt):
2048         (JSC::GetByIdStatus::computeForStubInfo):
2049         (JSC::GetByIdStatus::computeFor):
2050         * bytecode/GetByIdStatus.h:
2051         * bytecode/PutByIdStatus.cpp:
2052         (JSC::PutByIdStatus::computeFromLLInt):
2053         (JSC::PutByIdStatus::computeForStubInfo):
2054         (JSC::PutByIdStatus::computeFor):
2055         * bytecode/PutByIdStatus.h:
2056         * dfg/DFGAbstractInterpreterInlines.h:
2057         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2058         * dfg/DFGByteCodeParser.cpp:
2059         (JSC::DFG::ByteCodeParser::parseBlock):
2060         * dfg/DFGConstantFoldingPhase.cpp:
2061         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2062         * dfg/DFGFixupPhase.cpp:
2063         (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
2064         * runtime/IntendedStructureChain.cpp:
2065         (JSC::IntendedStructureChain::mayInterceptStoreTo):
2066         * runtime/IntendedStructureChain.h:
2067         * runtime/Structure.cpp:
2068         (JSC::Structure::getConcurrently):
2069         * runtime/Structure.h:
2070         * runtime/StructureInlines.h:
2071         (JSC::Structure::getConcurrently):
2072
2073 2014-09-20  Filip Pizlo  <fpizlo@apple.com>
2074
2075         FTL OSRExit construction should be based on methods that return ExitValues rather than methods that add ExitValues to OSRExit
2076         https://bugs.webkit.org/show_bug.cgi?id=136978
2077
2078         Reviewed by Dean Jackson.
2079
2080         * ftl/FTLLowerDFGToLLVM.cpp:
2081         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
2082         (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
2083         (JSC::FTL::LowerDFGToLLVM::exitArgument):
2084         (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode): Deleted.
2085         (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument): Deleted.
2086         (JSC::FTL::LowerDFGToLLVM::addExitArgument): Deleted.
2087
2088 2014-09-20  Filip Pizlo  <fpizlo@apple.com>
2089
2090         FTL OSR exit should do reboxing and value recovery in the same pass
2091         https://bugs.webkit.org/show_bug.cgi?id=136977
2092
2093         Reviewed by Oliver Hunt.
2094         
2095         It's conceptually simpler to have all of the logic in one place. After the
2096         recover-and-rebox loop is done, all of the exit values are in the form that the baseline
2097         JIT would want them to be in; the only remaining task is to move them into the right
2098         place on the stack after we do all of the necessary stack adjustments.
2099
2100         * ftl/FTLOSRExitCompiler.cpp:
2101         (JSC::FTL::compileStub):
2102
2103 2014-09-19  Filip Pizlo  <fpizlo@apple.com>
2104
2105         StorageAccessData should be referenced in a sensible way
2106         https://bugs.webkit.org/show_bug.cgi?id=136963
2107
2108         Reviewed and rubber stamped by Michael Saboff.
2109
2110         * dfg/DFGAbstractInterpreterInlines.h:
2111         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2112         * dfg/DFGByteCodeParser.cpp:
2113         (JSC::DFG::ByteCodeParser::handleGetByOffset):
2114         (JSC::DFG::ByteCodeParser::handlePutByOffset):
2115         (JSC::DFG::ByteCodeParser::handlePutById):
2116         * dfg/DFGClobberize.h:
2117         (JSC::DFG::clobberize):
2118         * dfg/DFGConstantFoldingPhase.cpp:
2119         (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
2120         (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
2121         * dfg/DFGGraph.cpp:
2122         (JSC::DFG::Graph::dump):
2123         * dfg/DFGGraph.h:
2124         * dfg/DFGNode.h:
2125         (JSC::DFG::Node::convertToGetByOffset):
2126         (JSC::DFG::Node::convertToPutByOffset):
2127         (JSC::DFG::Node::storageAccessData):
2128         (JSC::DFG::Node::storageAccessDataIndex): Deleted.
2129         * dfg/DFGSafeToExecute.h:
2130         (JSC::DFG::safeToExecute):
2131         * dfg/DFGSpeculativeJIT32_64.cpp:
2132         (JSC::DFG::SpeculativeJIT::compile):
2133         * dfg/DFGSpeculativeJIT64.cpp:
2134         (JSC::DFG::SpeculativeJIT::compile):
2135         * ftl/FTLLowerDFGToLLVM.cpp:
2136         (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
2137         (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
2138
2139 2014-09-19  Ryosuke Niwa  <rniwa@webkit.org>
2140
2141         Leak of mallocs under StructureSet::OutOfLineList::create
2142         https://bugs.webkit.org/show_bug.cgi?id=136970
2143
2144         Reviewed by Filip Pizlo.
2145
2146         addOutOfLine should free the old list when expanding the capacity.
2147
2148         * bytecode/StructureSet.cpp:
2149         (JSC::StructureSet::addOutOfLine):
2150
2151 2014-09-19  Daniel Bates  <dabates@apple.com>
2152
2153         Always assume internal SDK when building configuration Production
2154         https://bugs.webkit.org/show_bug.cgi?id=136925
2155         <rdar://problem/18362399>
2156
2157         Reviewed by Dan Bernstein.
2158
2159         As a side effect of this change we will always enable ENABLE_TOUCH_EVENTS, ENABLE_IOS_{GESTURE, TOUCH}_EVENTS,
2160         and ENABLE_XSLT when either building configuration Production or building with the Internal SDK.
2161
2162         * Configurations/Base.xcconfig:
2163
2164 2014-09-19  Diego Pino Garcia  <dpino@igalia.com>
2165
2166         Simple ES6 feature: String prototype additions
2167         https://bugs.webkit.org/show_bug.cgi?id=131704
2168
2169         Reviewed by Darin Adler.
2170
2171         * runtime/StringPrototype.cpp:
2172         (JSC::StringPrototype::finishCreation):
2173         (JSC::stringProtoFuncStartsWith): Added.
2174         (JSC::stringProtoFuncEndsWith): Added.
2175         (JSC::stringProtoFuncContains): Added.
2176
2177 2014-09-18  Joseph Pecoraro  <pecoraro@apple.com>
2178
2179         Unreviewed rollout r173731. Broke multiple builds.
2180
2181         * inspector/JSGlobalObjectInspectorController.cpp:
2182         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2183         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
2184         * inspector/JSGlobalObjectInspectorController.h:
2185         * inspector/remote/RemoteInspector.h:
2186         * inspector/remote/RemoteInspector.mm:
2187         (Inspector::RemoteInspector::RemoteInspector):
2188         (Inspector::RemoteInspector::setupFailed):
2189         (Inspector::RemoteInspector::start):
2190         (Inspector::RemoteInspector::stopInternal):
2191         (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
2192         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
2193         (Inspector::RemoteInspector::xpcConnectionFailed):
2194         (Inspector::RemoteInspector::receivedSetupMessage):
2195         (Inspector::globalAutomaticInspectionState): Deleted.
2196         (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate): Deleted.
2197         (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage): Deleted.
2198         (Inspector::RemoteInspector::setupSucceeded): Deleted.
2199         (Inspector::RemoteInspector::waitingForAutomaticInspection): Deleted.
2200         (Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage): Deleted.
2201         (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage): Deleted.
2202         * inspector/remote/RemoteInspectorConstants.h:
2203         * inspector/remote/RemoteInspectorDebuggable.cpp:
2204         (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
2205         (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection): Deleted.
2206         * inspector/remote/RemoteInspectorDebuggable.h:
2207         * inspector/remote/RemoteInspectorDebuggableConnection.h:
2208         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
2209         (Inspector::RemoteInspectorDebuggableConnection::setup):
2210         * runtime/JSGlobalObjectDebuggable.cpp:
2211         (JSC::JSGlobalObjectDebuggable::connect):
2212         (JSC::JSGlobalObjectDebuggable::pauseWaitingForAutomaticInspection): Deleted.
2213         * runtime/JSGlobalObjectDebuggable.h:
2214
2215 2014-09-18  Joseph Pecoraro  <pecoraro@apple.com>
2216
2217         Web Inspector: Should be able to attach a debugger to a JSContext before anything is executed
2218         https://bugs.webkit.org/show_bug.cgi?id=136893
2219
2220         Reviewed by Timothy Hatcher.
2221
2222         Adds new remote inspector protocol handling for automatic inspection.
2223         Debuggers can signal they have enabled automatic inspection, and
2224         when debuggables are created the current application will pause to
2225         see if the debugger will inspect or decline to inspect the debuggable.
2226
2227         * inspector/remote/RemoteInspectorConstants.h:
2228         * inspector/remote/RemoteInspector.h:
2229         * inspector/remote/RemoteInspector.mm:
2230         (Inspector::globalAutomaticInspectionState):
2231         (Inspector::RemoteInspector::RemoteInspector):
2232         (Inspector::RemoteInspector::start):
2233         When first starting, check the global "is there an auto-inspect" debugger state.
2234         This is necessary so that the current application knows if it should pause or
2235         not when a debuggable is created, even without having connected to webinspectord yet.
2236
2237         (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate):
2238         When a debuggable has enabled remote inspection, take this path to propose
2239         it as an automatic inspection candidate if there is an auto-inspect debugger.
2240
2241         (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage):
2242         Send the automatic inspection candidate message.
2243
2244         (Inspector::RemoteInspector::receivedSetupMessage):
2245         (Inspector::RemoteInspector::setupFailed):
2246         (Inspector::RemoteInspector::setupSucceeded):
2247         After attempting to open an inspector, unpause if it was for the
2248         automatic inspection candidate.
2249
2250         (Inspector::RemoteInspector::waitingForAutomaticInspection):
2251         When running a nested runloop, check if we should remain paused.
2252
2253         (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
2254         If by the time we connect to webinspectord we have a candidate, then
2255         immediately send the candidate message.
2256
2257         (Inspector::RemoteInspector::stopInternal):
2258         (Inspector::RemoteInspector::xpcConnectionFailed):
2259         In error cases, clear our state.
2260
2261         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
2262         (Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage):
2263         (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage):
2264         Update state when receiving new messages.
2265
2266
2267         * inspector/remote/RemoteInspectorDebuggable.h:
2268         * inspector/remote/RemoteInspectorDebuggable.cpp:
2269         (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
2270         Special case when a debuggable is newly allowed to be debuggable.
2271
2272         (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection):
2273         Run a nested run loop while this is an automatic inspection candidate.
2274
2275         * inspector/JSGlobalObjectInspectorController.h:
2276         * inspector/JSGlobalObjectInspectorController.cpp:
2277         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2278         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
2279         When the inspector starts via automatic inspection, automatically pause.
2280         We plan on removing this condition by having the frontend signal to the
2281         backend when it is completely initialized.
2282         
2283         * inspector/remote/RemoteInspectorDebuggableConnection.h:
2284         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
2285         (Inspector::RemoteInspectorDebuggableConnection::setup):
2286         Pass on the flag of whether or not this was automatic inspection.
2287
2288         * runtime/JSGlobalObjectDebuggable.h:
2289         * runtime/JSGlobalObjectDebuggable.cpp:
2290         (JSC::JSGlobalObjectDebuggable::connect):
2291         (JSC::JSGlobalObjectDebuggable::pauseWaitingForAutomaticInspection):
2292         When pausing in a JSGlobalObject we need to release the API lock.
2293
2294 2014-09-18  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>
2295
2296         Fix "Tools/Scripts/build-webkit --efl --no-inspector" build
2297         https://bugs.webkit.org/show_bug.cgi?id=136912
2298
2299         Reviewed by Darin Adler.
2300
2301         * runtime/TypeSet.cpp:
2302         (JSC::TypeSet::leastCommonAncestor):
2303
2304 2014-09-17  Michael Saboff  <msaboff@apple.com>
2305
2306         Change CallFrame to use Callee instead of JSScope to implement vm()
2307         https://bugs.webkit.org/show_bug.cgi?id=136894
2308
2309         Reviewed by Geoffrey Garen.
2310
2311         Added JSCell::vm() method that can be used on any JSObject.  Changed CallFrame::vm() to
2312         use JSCell::vm with the Callee.  Made similar changes in the LLInt.
2313         In support of this, changed JSGlobalObject::init() to take a VM& parameter, as there is
2314         a chicken/egg problem with trying to use the Callee in the global exec before the Callee
2315         has been created.  Besides, the vm is readily available in finishCreation(), the caller of
2316         init().
2317
2318         * llint/LowLevelInterpreter32_64.asm:
2319         * llint/LowLevelInterpreter64.asm:
2320         Changed the calculation of CallFrame::VM to use the Callee instead of JSScope.
2321
2322         * runtime/JSCell.h:
2323         * runtime/JSCellInlines.h:
2324         (JSC::JSCell::vm): New method for getting VM from the pointer.
2325         (JSC::ExecState::vm): Moved this method from JSScope.h to here since this file
2326         contains the implementation of JSCell::vm(), this file is included by all users
2327         of CallFrame::vm, and lastly putting it in CallFrameInlines.h required changing
2328         many other .h files and possibly the WebCore generator generate-bindings.pl.
2329
2330         * runtime/JSGlobalObject.cpp:
2331         (JSC::JSGlobalObject::init):
2332         * runtime/JSGlobalObject.h:
2333         (JSC::JSGlobalObject::finishCreation):
2334         Changed init() to take a VM parameter.
2335
2336         * runtime/JSScope.h:
2337         (JSC::ExecState::vm): Deleted.
2338
2339 2014-09-16  Filip Pizlo  <fpizlo@apple.com>
2340
2341         Unreviewed, disable native inlining because it causes build failures.
2342
2343         * JavaScriptCore.xcodeproj/project.pbxproj:
2344
2345 2014-09-16  Joseph Pecoraro  <pecoraro@apple.com>
2346
2347         Web Inspector: Reduce a bit of churn setting initial remote inspection state
2348         https://bugs.webkit.org/show_bug.cgi?id=136875
2349
2350         Reviewed by Timothy Hatcher.
2351
2352         * API/JSContextRef.cpp:
2353         (JSGlobalContextCreateInGroup):
2354         Set the default remote debuggable state at the API boundary.
2355
2356         * runtime/JSGlobalObject.cpp:
2357         (JSC::JSGlobalObject::init):
2358         Do not set remote debuggable state here. Let clients set it.
2359
2360 2014-09-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2361
2362         Promise: Drop Promise.cast
2363         https://bugs.webkit.org/show_bug.cgi?id=136222
2364
2365         Reviewed by Sam Weinig.
2366
2367         Promise.cast is dropped and Promise.resolve is replaced with old Promise.cast.
2368
2369         * runtime/CommonIdentifiers.h:
2370         * runtime/JSPromiseConstructor.cpp:
2371         (JSC::JSPromiseConstructorFuncResolve):
2372         (JSC::JSPromiseConstructorFuncRace):
2373         (JSC::JSPromiseConstructorFuncAll):
2374         (JSC::JSPromiseConstructorFuncCast): Deleted.
2375
2376 2014-09-16  Filip Pizlo  <fpizlo@apple.com>
2377
2378         Local OSR availability calculation should be reusable
2379         https://bugs.webkit.org/show_bug.cgi?id=136860
2380
2381         Reviewed by Oliver Hunt.
2382         
2383         Previously, the FTL lowering repeated some of the logic of the OSR availability analysis
2384         phase. Humorously, it actually did this logic a bit differently; for example the phase
2385         would claim that a SetLocal makes both the flush and the node available while the FTL
2386         only claimed that the flush was available. This difference was benign, but still: yuck!
2387         
2388         Also, previously if you wanted to use availability information then you'd have to repeat
2389         some of the logic that both the phase itself and the FTL lowering already had.
2390         Presumably, you could get epic style points for finding other benign ways in which to
2391         make your copy of the logic different from the other two!
2392         
2393         This reduces the amount of style points one could conceivably get in the future when
2394         hacking JSC, by creating a single reusable thingy for computing local OSR availability.
2395
2396         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2397         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
2398         (JSC::DFG::LocalOSRAvailabilityCalculator::LocalOSRAvailabilityCalculator):
2399         (JSC::DFG::LocalOSRAvailabilityCalculator::~LocalOSRAvailabilityCalculator):
2400         (JSC::DFG::LocalOSRAvailabilityCalculator::beginBlock):
2401         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
2402         * dfg/DFGOSRAvailabilityAnalysisPhase.h:
2403         * ftl/FTLLowerDFGToLLVM.cpp:
2404         (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
2405         (JSC::FTL::LowerDFGToLLVM::compileBlock):
2406         (JSC::FTL::LowerDFGToLLVM::compileNode):
2407         (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
2408         (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
2409         (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
2410         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
2411         (JSC::FTL::LowerDFGToLLVM::availability):
2412         (JSC::FTL::LowerDFGToLLVM::compileMovHint): Deleted.
2413         (JSC::FTL::LowerDFGToLLVM::compileZombieHint): Deleted.
2414         (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock): Deleted.
2415
2416 2014-09-16  Csaba Osztrogonác  <ossy@webkit.org>
2417
2418         JSC test gardening
2419         https://bugs.webkit.org/show_bug.cgi?id=136823
2420
2421         Reviewed by Geoffrey Garen.
2422
2423         * tests/mozilla/mozilla-tests.yaml: Unskip passing tests.
2424
2425 2014-09-15  Michael Saboff  <msaboff@apple.com>
2426
2427         Create a JSCallee for GlobalExec object
2428         https://bugs.webkit.org/show_bug.cgi?id=136840
2429
2430         Reviewed by Geoffrey Garen.
2431
2432         Added m_globalCallee, initialized it and then used it to set the globalExec's callee.
2433
2434         * runtime/JSGlobalObject.cpp:
2435         (JSC::JSGlobalObject::init):
2436         (JSC::JSGlobalObject::visitChildren):
2437         * runtime/JSGlobalObject.h:
2438
2439 2014-09-14  Filip Pizlo  <fpizlo@apple.com>
2440
2441         DFG ref count calculation should be reusable
2442         https://bugs.webkit.org/show_bug.cgi?id=136811
2443
2444         Reviewed by Oliver Hunt.
2445         
2446         Henceforth if you call Graph::computeRefCounts(), a nifty O(n) operation, every Node
2447         will be able to tell you how many places it is used from. Currently only DCE uses this,
2448         but it will be useful for https://bugs.webkit.org/show_bug.cgi?id=136330.
2449
2450         * dfg/DFGDCEPhase.cpp:
2451         (JSC::DFG::DCEPhase::run):
2452         (JSC::DFG::DCEPhase::findTypeCheckRoot): Deleted.
2453         (JSC::DFG::DCEPhase::countNode): Deleted.
2454         (JSC::DFG::DCEPhase::countEdge): Deleted.
2455         * dfg/DFGGraph.cpp:
2456         (JSC::DFG::Graph::computeRefCounts):
2457         * dfg/DFGGraph.h:
2458
2459 2014-09-12  Michael Saboff  <msaboff@apple.com>
2460
2461         Merge JSGlobalObject::reset() into ::init()
2462         https://bugs.webkit.org/show_bug.cgi?id=136800
2463
2464         Reviewed by Oliver Hunt.
2465
2466         Moved the contents of reset() into init().
2467         Note that the diff shows more changes.
2468
2469         * runtime/JSGlobalObject.cpp:
2470         (JSC::JSGlobalObject::init): Moved body of reset() into init.
2471         (JSC::JSGlobalObject::put):
2472         (JSC::JSGlobalObject::defineOwnProperty):
2473         (JSC::JSGlobalObject::addGlobalVar):
2474         (JSC::JSGlobalObject::addFunction):
2475         (JSC::lastInPrototypeChain):
2476         (JSC::JSGlobalObject::reset): Deleted.
2477         * runtime/JSGlobalObject.h:
2478
2479 2014-09-12  Michael Saboff  <msaboff@apple.com>
2480
2481         Add JSCallee to program and eval CallFrames
2482         https://bugs.webkit.org/show_bug.cgi?id=136785
2483
2484         Reviewed by Mark Lam.
2485
2486         Populated Callee slot for program and call eval CallFrames with JSCallee objects.
2487         Made supporting changes including adding a JSCallee structure to global object and adding
2488         JSCallee::create() method.  Added code so that the newly added callee object won't be
2489         returned by Function.caller.  Changed null pointer checks of callee to check if
2490         the type is JSFunction* or JSCallee*.
2491
2492         * debugger/DebuggerCallFrame.cpp:
2493         (JSC::DebuggerCallFrame::functionName):
2494         (JSC::DebuggerCallFrame::type):
2495         * profiler/LegacyProfiler.cpp:
2496         (JSC::LegacyProfiler::createCallIdentifier):
2497         * interpreter/Interpreter.cpp:
2498         (JSC::unwindCallFrame):
2499         Changed checks of callee is a JSFunction* or JSCallee* instead of just checking
2500         if it is null or not.
2501
2502         * interpreter/Interpreter.cpp:
2503         (JSC::Interpreter::execute): Create and use JSCallee objects for execute(EvalExecutable, ...)
2504         and execute(ProgramExecutable, ...).
2505
2506         * jit/JITCode.cpp:
2507         (JSC::JITCode::execute): Use jsDynamicCast to cast only JSFunctions.
2508
2509         * runtime/JSCallee.cpp:
2510         (JSC::JSCallee::create): Not used, therefore deleted.
2511
2512         * runtime/JSCallee.h:
2513         (JSC::JSCallee::create): Added.
2514
2515         * runtime/JSFunction.cpp:
2516         (JSC::JSFunction::callerGetter): Added test to return null for JSCallees that aren't
2517         JSFunctions.  This can only be the case when the JSCallee comes from a program or
2518         call eval CallFrame.
2519
2520         * runtime/JSGlobalObject.cpp:
2521         (JSC::JSGlobalObject::reset):
2522         (JSC::JSGlobalObject::visitChildren):
2523         * runtime/JSGlobalObject.h:
2524         (JSC::JSGlobalObject::calleeStructure):
2525         Added new JSCallee structure.
2526
2527 2014-09-10  Jon Honeycutt  <jhoneycutt@apple.com>
2528
2529         Re-add the request autocomplete feature
2530
2531         <https://bugs.webkit.org/show_bug.cgi?id=136730>
2532
2533         This feature was rolled out in r148731 because it was only used by
2534         Chromium. As we consider supporting this feature, roll it back in, but
2535         leave it disabled.
2536
2537         This rolls out r148731 (which removed the feature) with small changes
2538         needed to make the code build in ToT, to match modern style, to make
2539         the tests run, and to remove unused code.
2540
2541         Reviewed by Andy Estes.
2542
2543         * Configurations/FeatureDefines.xcconfig:
2544
2545 2014-09-12  Julien Brianceau  <jbriance@cisco.com>
2546
2547         [x86] moveDoubleToInts() does not clobber its source register anymore
2548         https://bugs.webkit.org/show_bug.cgi?id=131690
2549
2550         Reviewed by Oliver Hunt.
2551
2552         * assembler/MacroAssemblerX86.h:
2553         (JSC::MacroAssemblerX86::moveDoubleToInts):
2554         * dfg/DFGSpeculativeJIT.cpp:
2555         (JSC::DFG::SpeculativeJIT::compileValueRep):
2556         * jit/SpecializedThunkJIT.h:
2557         (JSC::SpecializedThunkJIT::returnDouble):
2558
2559 2014-09-12  Mark Lam  <mark.lam@apple.com>
2560
2561         Unreviewed build fix for CLOOP build.
2562
2563         * runtime/JSCallee.h:
2564
2565 2014-09-12  Michael Saboff  <msaboff@apple.com>
2566
2567         Remove unneeded declarations from JSCallee.h
2568         https://bugs.webkit.org/show_bug.cgi?id=136783
2569
2570         Reviewed by Mark Lam.
2571
2572         * runtime/JSCallee.h:
2573         (JSCallee::name): Deleted.
2574         (JSCallee::displayName): Deleted.
2575         (JSCallee::calculatedDisplayName): Deleted.
2576
2577 2014-09-11  Brian J. Burg  <burg@cs.washington.edu>
2578
2579         Web Inspector: disambiguate double and integer primitive types in the protocol
2580         https://bugs.webkit.org/show_bug.cgi?id=136606
2581
2582         Reviewed by Timothy Hatcher.
2583
2584         Right now it's really easy to mix up doubles and integers when serializing or deserializing
2585         values for the inspector protocol. This patch disambiguates setting/getting doubles and integers
2586         so that it is clearer as to which type is intended.
2587
2588         A new InspectorValue::Type is added for Integer types, and the Number type is renamed to Double.
2589         The existing callsites for asNumber/getNumber/setNumber have been fixed.
2590
2591         Address various integration points to make sure the right type tag is assigned to InspectorValues.
2592
2593         * bindings/ScriptValue.cpp:
2594         (Deprecated::jsToInspectorValue): Make an Integer if the JSValue is Int52 or smaller.
2595         * inspector/InjectedScriptManager.cpp:
2596         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
2597         * inspector/InspectorBackendDispatcher.cpp:
2598         (Inspector::InspectorBackendDispatcher::dispatch):
2599         (Inspector::InspectorBackendDispatcher::sendResponse):
2600         (Inspector::InspectorBackendDispatcher::reportProtocolError):
2601         (Inspector::AsMethodBridges::asInteger):
2602         (Inspector::AsMethodBridges::asDouble):
2603         (Inspector::InspectorBackendDispatcher::getInteger):
2604         (Inspector::InspectorBackendDispatcher::getDouble):
2605         (Inspector::AsMethodBridges::asInt): Deleted.
2606         (Inspector::InspectorBackendDispatcher::getInt): Deleted.
2607         * inspector/InspectorBackendDispatcher.h:
2608         * inspector/InspectorProtocolTypes.h: Remove the special case for checking int type tags.
2609         (Inspector::Protocol::ArrayItemHelper<int>::Traits::pushRaw):
2610         (Inspector::Protocol::ArrayItemHelper<double>::Traits::pushRaw):
2611         (Inspector::Protocol::BindingTraits<int>::assertValueHasExpectedType): Deleted.
2612         * inspector/InspectorValues.cpp: Allow integers and doubles to be convertible using asInteger/asDouble.
2613         (Inspector::InspectorValue::asDouble):
2614         (Inspector::InspectorValue::asInteger):
2615         (Inspector::InspectorBasicValue::asDouble):
2616         (Inspector::InspectorBasicValue::asInteger):
2617         (Inspector::InspectorBasicValue::writeJSON):
2618         (Inspector::InspectorValue::asNumber): Deleted.
2619         (Inspector::InspectorBasicValue::asNumber): Deleted.
2620         * inspector/InspectorValues.h:
2621         (Inspector::InspectorObjectBase::setInteger):
2622         (Inspector::InspectorObjectBase::setDouble):
2623         (Inspector::InspectorArrayBase::pushInteger):
2624         (Inspector::InspectorArrayBase::pushDouble):
2625         (Inspector::InspectorObjectBase::setNumber): Deleted.
2626         (Inspector::InspectorArrayBase::pushInt): Deleted.
2627         (Inspector::InspectorArrayBase::pushNumber): Deleted.
2628         * inspector/agents/InspectorDebuggerAgent.cpp:
2629         (Inspector::buildObjectForBreakpointCookie):
2630         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
2631         (Inspector::parseLocation):
2632         (Inspector::InspectorDebuggerAgent::didParseSource):
2633         * inspector/agents/InspectorRuntimeAgent.cpp:
2634         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
2635         * inspector/scripts/codegen/generator.py: Update emitted code and rebaseline test results.
2636         (Generator.keyed_get_method_for_type):
2637         (Generator.keyed_set_method_for_type):
2638         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2639         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2640         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2641         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2642         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2643         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2644         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2645         * replay/EncodedValue.cpp:
2646         (JSC::EncodedValue::convertTo<double>):
2647         (JSC::EncodedValue::convertTo<float>):
2648         (JSC::EncodedValue::convertTo<int32_t>):
2649         (JSC::EncodedValue::convertTo<int64_t>):
2650         (JSC::EncodedValue::convertTo<uint32_t>):
2651         (JSC::EncodedValue::convertTo<uint64_t>):
2652
2653 2014-09-11  Joseph Pecoraro  <pecoraro@apple.com>
2654
2655         Web Inspector: Occasional ASSERT closing web inspector
2656         https://bugs.webkit.org/show_bug.cgi?id=136762
2657
2658         Reviewed by Timothy Hatcher.
2659
2660         It is harmless, and indeed possible to have an empty set of listeners
2661         now that each Page gets its own PageDebugServer instead of a shared
2662         global. So we should replace the null checks with isEmpty checks.
2663         Since nobody was ever returning null, convert to references as well.
2664
2665         * inspector/JSGlobalObjectScriptDebugServer.h:
2666         * inspector/ScriptDebugServer.cpp:
2667         (Inspector::ScriptDebugServer::dispatchBreakpointActionLog):
2668         (Inspector::ScriptDebugServer::dispatchBreakpointActionSound):
2669         (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe):
2670         (Inspector::ScriptDebugServer::sourceParsed):
2671         (Inspector::ScriptDebugServer::dispatchFunctionToListeners):
2672         (Inspector::ScriptDebugServer::notifyDoneProcessingDebuggerEvents):
2673         (Inspector::ScriptDebugServer::handlePause):
2674         (Inspector::ScriptDebugServer::needPauseHandling): Deleted.
2675         * inspector/ScriptDebugServer.h:
2676
2677 2014-09-10  Michael Saboff  <msaboff@apple.com>
2678
2679         Move JSScope out of JSFunction into separate JSCallee class
2680         https://bugs.webkit.org/show_bug.cgi?id=136725
2681
2682         Reviewed by Oliver Hunt.
2683
2684         Created new JSCallee class that contains a JSScope*.  Changed JSFunction to inherit from
2685         JSCallee.
2686
2687         * CMakeLists.txt:
2688         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2689         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2690         * JavaScriptCore.xcodeproj/project.pbxproj:
2691         Build changes.  Added JSCallee.cpp and JSCallee.h.
2692
2693         * runtime/JSCallee.cpp: Added.
2694         (JSC::JSCallee::create):
2695         (JSC::JSCallee::destroy):
2696         (JSC::JSCallee::JSCallee):
2697         (JSC::JSCallee::finishCreation):
2698         (JSC::JSCallee::visitChildren):
2699         (JSC::JSCallee::getOwnPropertySlot): Pass through wrapper function.
2700         (JSC::JSCallee::getOwnNonIndexPropertyNames): Pass through wrapper function.
2701         (JSC::JSCallee::put): Pass through wrapper function.
2702         (JSC::JSCallee::deleteProperty): Pass through wrapper function.
2703         (JSC::JSCallee::defineOwnProperty): Pass through wrapper function.
2704
2705         * runtime/JSCallee.h: Added.
2706         (JSC::JSCallee::scope):
2707         (JSC::JSCallee::scopeUnchecked):
2708         (JSC::JSCallee::setScope):
2709         (JSC::JSCallee::createStructure):
2710         (JSC::JSCallee::offsetOfScopeChain):
2711
2712         * runtime/JSFunction.cpp:
2713         (JSC::JSFunction::JSFunction):
2714         (JSC::JSFunction::addNameScopeIfNeeded):
2715         (JSC::JSFunction::visitChildren):
2716         * runtime/JSFunction.h:
2717         (JSC::JSFunction::scope): Deleted.
2718         (JSC::JSFunction::scopeUnchecked): Deleted.
2719         (JSC::JSFunction::setScope): Deleted.
2720         (JSC::JSFunction::offsetOfScopeChain): Deleted.
2721         * runtime/JSFunctionInlines.h:
2722         (JSC::JSFunction::JSFunction):
2723         Changed to reference JSCallee and its methods.
2724
2725         * runtime/JSType.h: Added JSCallee as a TypeEnum.
2726
2727 2014-09-11  Filip Pizlo  <fpizlo@apple.com>
2728
2729         REGRESSION (r172129): Vine pages load as blank
2730         https://bugs.webkit.org/show_bug.cgi?id=136655
2731         rdar://problem/18281215
2732
2733         Reviewed by Michael Saboff.
2734         
2735         If lastNode is something that is subject to DCE, then removing the Phantom's reference to something
2736         that lastNode references means that the thing being referenced may no longer be kept alive for OSR.
2737         Teach PhantomRemovalPhase that it's only safe to do this if lastNode is a Phantom. That's probably too
2738         conservative, but that's fine since this is mainly just an optimization to make the IR sane to read and
2739         reasonably compact; it's OK if we miss cases here.
2740
2741         * dfg/DFGPhantomRemovalPhase.cpp:
2742         (JSC::DFG::PhantomRemovalPhase::run):
2743         * tests/stress/remove-phantom-after-setlocal.js: Added.
2744
2745 2014-09-11  Bear Travis  <betravis@adobe.com>
2746
2747         [CSS Font Loading] Enable CSS Font Loading on Mac
2748         https://bugs.webkit.org/show_bug.cgi?id=135473
2749
2750         Reviewed by Antti Koivisto.
2751
2752         Enable CSS Font Loading in FeatureDefines.
2753
2754         * Configurations/FeatureDefines.xcconfig:
2755
2756 2014-09-11  Joseph Pecoraro  <pecoraro@apple.com>
2757
2758         Unreviewed rebaseline of inspector generator test results after r173120.
2759
2760         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2761         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2762         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2763         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2764
2765 2014-09-11  Oliver Hunt  <oliver@apple.com>
2766
2767         Rename activation to be more in line with spec language
2768         https://bugs.webkit.org/show_bug.cgi?id=136721
2769
2770         Reviewed by Michael Saboff.
2771
2772         Somewhat bigger than the last one, but still just a rename.
2773
2774         * CMakeLists.txt:
2775         * JavaScriptCore.order:
2776         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2777         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2778         * JavaScriptCore.xcodeproj/project.pbxproj:
2779         * bytecode/BytecodeList.json:
2780         * bytecode/BytecodeUseDef.h:
2781         (JSC::computeUsesForBytecodeOffset):
2782         (JSC::computeDefsForBytecodeOffset):
2783         * bytecode/CallVariant.h:
2784         * bytecode/CodeBlock.cpp:
2785         (JSC::CodeBlock::dumpBytecode):
2786         (JSC::CodeBlock::CodeBlock):
2787         (JSC::CodeBlock::finalizeUnconditionally):
2788         (JSC::CodeBlock::isCaptured):
2789         (JSC::CodeBlock::nameForRegister):
2790         * bytecode/CodeBlock.h:
2791         (JSC::CodeBlock::setActivationRegister):
2792         (JSC::CodeBlock::activationRegister):
2793         (JSC::CodeBlock::uncheckedActivationRegister):
2794         (JSC::CodeBlock::needsActivation):
2795         * bytecode/Instruction.h:
2796         * bytecode/UnlinkedCodeBlock.h:
2797         (JSC::UnlinkedCodeBlock::setActivationRegister):
2798         (JSC::UnlinkedCodeBlock::activationRegister):
2799         (JSC::UnlinkedCodeBlock::hasActivationRegister):
2800         * bytecompiler/BytecodeGenerator.cpp:
2801         (JSC::BytecodeGenerator::BytecodeGenerator):
2802         (JSC::BytecodeGenerator::emitReturn):
2803         * bytecompiler/BytecodeGenerator.h:
2804         * debugger/DebuggerCallFrame.cpp:
2805         (JSC::DebuggerCallFrame::scope):
2806         * debugger/DebuggerScope.cpp:
2807         (JSC::DebuggerScope::isFunctionOrEvalScope):
2808         * dfg/DFGByteCodeParser.cpp:
2809         (JSC::DFG::ByteCodeParser::parseBlock):
2810         * dfg/DFGCapabilities.cpp:
2811         (JSC::DFG::capabilityLevel):
2812         * dfg/DFGGraph.cpp:
2813         (JSC::DFG::Graph::tryGetActivation):
2814         (JSC::DFG::Graph::tryGetRegisters):
2815         * dfg/DFGGraph.h:
2816         * dfg/DFGNodeType.h:
2817         * dfg/DFGOperations.cpp:
2818         * dfg/DFGSpeculativeJIT32_64.cpp:
2819         (JSC::DFG::SpeculativeJIT::compile):
2820         * dfg/DFGSpeculativeJIT64.cpp:
2821         (JSC::DFG::SpeculativeJIT::compile):
2822         * interpreter/CallFrame.cpp:
2823         (JSC::CallFrame::lexicalEnvironment):
2824         (JSC::CallFrame::setActivation):
2825         (JSC::CallFrame::activation): Deleted.
2826         * interpreter/CallFrame.h:
2827         * interpreter/Interpreter.cpp:
2828         (JSC::unwindCallFrame):
2829         * interpreter/Register.h:
2830         * jit/JIT.cpp:
2831         (JSC::JIT::privateCompileMainPass):
2832         * jit/JIT.h:
2833         * jit/JITOpcodes.cpp:
2834         (JSC::JIT::emit_op_tear_off_lexical_environment):
2835         (JSC::JIT::emit_op_tear_off_arguments):
2836         (JSC::JIT::emit_op_create_lexical_environment):
2837         (JSC::JIT::emit_op_tear_off_activation): Deleted.
2838         (JSC::JIT::emit_op_create_activation): Deleted.
2839         * jit/JITOpcodes32_64.cpp:
2840         (JSC::JIT::emit_op_tear_off_lexical_environment):
2841         (JSC::JIT::emit_op_tear_off_arguments):
2842         (JSC::JIT::emit_op_create_lexical_environment):
2843         (JSC::JIT::emit_op_tear_off_activation): Deleted.
2844         (JSC::JIT::emit_op_create_activation): Deleted.
2845         * jit/JITOperations.cpp:
2846         * jit/JITOperations.h:
2847         * llint/LLIntSlowPaths.cpp:
2848         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2849         * llint/LLIntSlowPaths.h:
2850         * llint/LowLevelInterpreter32_64.asm:
2851         * llint/LowLevelInterpreter64.asm:
2852         * runtime/Arguments.cpp:
2853         (JSC::Arguments::visitChildren):
2854         (JSC::Arguments::tearOff):
2855         (JSC::Arguments::didTearOffActivation):
2856         * runtime/Arguments.h:
2857         (JSC::Arguments::offsetOfActivation):
2858         (JSC::Arguments::argument):
2859         (JSC::Arguments::finishCreation):
2860         * runtime/CommonSlowPaths.cpp:
2861         * runtime/JSFunction.h:
2862         * runtime/JSGlobalObject.cpp:
2863         (JSC::JSGlobalObject::reset):
2864         (JSC::JSGlobalObject::visitChildren):
2865         * runtime/JSGlobalObject.h:
2866         (JSC::JSGlobalObject::activationStructure):
2867         * runtime/JSLexicalEnvironment.cpp: Renamed from Source/JavaScriptCore/runtime/JSActivation.cpp.
2868         (JSC::JSLexicalEnvironment::visitChildren):
2869         (JSC::JSLexicalEnvironment::symbolTableGet):
2870         (JSC::JSLexicalEnvironment::symbolTablePut):
2871         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
2872         (JSC::JSLexicalEnvironment::symbolTablePutWithAttributes):
2873         (JSC::JSLexicalEnvironment::getOwnPropertySlot):
2874         (JSC::JSLexicalEnvironment::put):
2875         (JSC::JSLexicalEnvironment::deleteProperty):
2876         (JSC::JSLexicalEnvironment::toThis):
2877         (JSC::JSLexicalEnvironment::argumentsGetter):
2878         * runtime/JSLexicalEnvironment.h: Renamed from Source/JavaScriptCore/runtime/JSActivation.h.
2879         (JSC::JSLexicalEnvironment::create):
2880         (JSC::JSLexicalEnvironment::createStructure):
2881         (JSC::JSLexicalEnvironment::JSLexicalEnvironment):
2882         (JSC::asActivation):
2883         (JSC::Register::lexicalEnvironment):
2884         (JSC::JSLexicalEnvironment::registersOffset):
2885         (JSC::JSLexicalEnvironment::tearOff):
2886         (JSC::JSLexicalEnvironment::isTornOff):
2887         (JSC::JSLexicalEnvironment::storageOffset):
2888         (JSC::JSLexicalEnvironment::storage):
2889         (JSC::JSLexicalEnvironment::allocationSize):
2890         (JSC::JSLexicalEnvironment::isValidIndex):
2891         (JSC::JSLexicalEnvironment::isValid):
2892         (JSC::JSLexicalEnvironment::registerAt):
2893         * runtime/JSObject.h:
2894         * runtime/JSScope.cpp:
2895         (JSC::abstractAccess):
2896         * runtime/JSScope.h:
2897         (JSC::ResolveOp::ResolveOp):
2898         * runtime/JSSymbolTableObject.cpp:
2899         * runtime/StrictEvalActivation.h:
2900         (JSC::StrictEvalActivation::create):
2901         * runtime/VM.cpp:
2902
2903 2014-09-11  László Langó  <llango.u-szeged@partner.samsung.com>
2904
2905         [JavaScriptCore] Fix FTL on platform EFL.
2906         https://bugs.webkit.org/show_bug.cgi?id=133571
2907
2908         Reviewed by Filip Pizlo.
2909
2910         There are no compact_unwind sections on Linux systems so FTL crashes.
2911         We have to parse eh_frame in FTLUnwindInfo instead of compact_unwind
2912         and get the information for stack unwinding from there.
2913
2914         * CMakeLists.txt: Revert r169181.
2915         * ftl/FTLCompile.cpp:
2916         Change section name literals to use SECTION_NAME macro, because of architecture differences.
2917         (JSC::FTL::mmAllocateCodeSection):
2918         (JSC::FTL::mmAllocateDataSection):
2919         (JSC::FTL::compile):
2920         * ftl/FTLJITCode.h:
2921         We need the SECTION_NAME macro in FTLCompile and FTLLink, so we define it here.
2922         * ftl/FTLLink.cpp:
2923         (JSC::FTL::link):
2924         * ftl/FTLState.h:
2925         * ftl/FTLState.cpp:
2926         (JSC::FTL::State::State):
2927         * ftl/FTLUnwindInfo.h:
2928         * ftl/FTLUnwindInfo.cpp:
2929         Lift the eh_frame parsing method from LLVM/libcxxabi project and modify it for our purposes.
2930         Parse eh_frame on Linux instead of compact_unwind.
2931         (JSC::FTL::UnwindInfo::parse):
2932
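The .eh_frame parsing this entry describes, shown here as an added example that is not part of the ChangeLog entry and not JavaScriptCore's FTLUnwindInfo code (JSC's implementation is C++ lifted from libcxxabi): a small bounds-checked Python reader for the CIE and FDE records an unwinder needs (code/data alignment, return-address register, the FDE pointer encoding, each FDE's pc range and CFA program). The byte string is constructed here, not dumped from a binary; little-endian layout, 32-bit record lengths, CIE version 1, the "" and "zR" augmentations and the absptr/udata4/sdata4 (optionally pcrel) pointer encodings are the example's own assumptions.

```python
# Minimal .eh_frame reader (added example, not JavaScriptCore's FTLUnwindInfo code).
# Assumes little-endian, 32-bit lengths, CIE v1, "" or "zR" augmentation, 8-byte absptr.
DW_EH_PE_absptr, DW_EH_PE_pcrel = 0x00, 0x10
class EhFrameError(ValueError): pass

class Reader:                           # cursor over bytes; every read is bounds-checked
    def __init__(self, data, pos=0):
        self.data, self.pos = data, pos
    def take(self, n):
        if n < 0 or self.pos + n > len(self.data):
            raise EhFrameError("read of %d bytes at %d runs past end" % (n, self.pos))
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def uint(self, n, signed=False):
        return int.from_bytes(self.take(n), "little", signed=signed)
    def leb128(self, signed=False):
        result = shift = 0
        while shift < 64:
            b = self.uint(1)
            result |= (b & 0x7f) << shift
            shift += 7
            if not b & 0x80:
                return result - (1 << shift) if signed and b & 0x40 else result
        raise EhFrameError("LEB128 too long at %d" % self.pos)
    def cstring(self):
        end = self.data.find(b"\0", self.pos)
        if end < 0:
            raise EhFrameError("unterminated string at %d" % self.pos)
        return self.take(end + 1 - self.pos)[:-1].decode("ascii")
    def record_end(self):               # read a length field; return where the body ends
        length = self.uint(4)
        if self.pos + length > len(self.data):
            raise EhFrameError("record at %d overruns section" % (self.pos - 4))
        return self.pos + length

def read_encoded(r, encoding, section_vaddr):
    """Decode a DW_EH_PE_* pointer; pcrel is relative to the field's own address."""
    field_vaddr, fmt, app = section_vaddr + r.pos, encoding & 0x0f, encoding & 0x70
    if fmt not in (DW_EH_PE_absptr, 0x03, 0x0b) or app not in (0, DW_EH_PE_pcrel):
        raise EhFrameError("unsupported pointer encoding %#x" % encoding)
    value = r.uint(8) if fmt == DW_EH_PE_absptr else r.uint(4, signed=(fmt == 0x0b))
    return (value + field_vaddr if app else value) & 0xffffffffffffffff

def parse_cie(data, offset):
    """Parse the CIE at `offset`; return the fields an unwinder needs."""
    r = Reader(data, offset)
    end = r.record_end()
    if r.uint(4) != 0:                  # CIE_id is 0 in .eh_frame
        raise EhFrameError("record at %d is not a CIE" % offset)
    if r.uint(1) != 1:                  # CIE version; .eh_frame emitters use 1
        raise EhFrameError("unsupported CIE version at %d" % offset)
    aug = r.cstring()
    if aug not in ("", "zR"):           # refuse P/L/eh augmentations rather than guess
        raise EhFrameError("unsupported augmentation %r" % aug)
    cie = {"code_align": r.leb128(), "data_align": r.leb128(signed=True),
           "ra_reg": r.uint(1), "fde_encoding": DW_EH_PE_absptr, "has_z": aug == "zR"}
    if cie["has_z"]:
        aug_len = r.leb128()            # read the length before taking r.pos
        aug_end = r.pos + aug_len
        cie["fde_encoding"] = r.uint(1) # the 'R' byte: how FDE pc values are encoded
        if r.pos > aug_end or aug_end > end:
            raise EhFrameError("augmentation data overruns CIE at %d" % offset)
        r.pos = aug_end
    cie["instructions"] = r.take(end - r.pos)
    return cie

def parse_fde(data, offset, section_vaddr=0):
    """Parse the FDE at `offset`, resolving its CIE and its pc range."""
    r = Reader(data, offset)
    end = r.record_end()
    cie_pointer = r.uint(4)             # distance back from this field to the CIE
    if cie_pointer == 0 or cie_pointer > r.pos - 4:
        raise EhFrameError("bad CIE pointer in FDE at %d" % offset)
    cie = parse_cie(data, r.pos - 4 - cie_pointer)
    pc_begin = read_encoded(r, cie["fde_encoding"], section_vaddr)
    pc_range = read_encoded(r, cie["fde_encoding"] & 0x0f, section_vaddr)  # never pcrel
    if cie["has_z"]:
        r.take(r.leb128())              # skip FDE augmentation data (e.g. LSDA pointer)
    return {"cie": cie, "pc_begin": pc_begin, "pc_range": pc_range,
            "instructions": r.take(end - r.pos)}

def parse_eh_frame(data, section_vaddr=0):
    """Walk every record in a .eh_frame blob and return its FDEs."""
    fdes, offset = [], 0
    while offset + 4 <= len(data):
        r = Reader(data, offset)
        end = r.record_end()
        if end == r.pos:                # zero-length terminator record
            break
        if r.uint(4) != 0:              # CIE_id == 0 is a CIE; anything else is an FDE
            fdes.append(parse_fde(data, offset, section_vaddr))
        offset = end
    return fdes

# Constructed sample (not from a real binary): x86-64-style CIE ("zR", pcrel|sdata4), 1 FDE.
SAMPLE_EH_FRAME = bytes.fromhex(
    "14000000 00000000 01 7a5200 01 78 10 01 1b 0c0708 9001 0000"      # CIE at offset 0
    "10000000 1c000000 e00f0000 40000000 00 44 0e10"                   # FDE at offset 24
    "00000000")                                                        # terminator
```

Pass the virtual address at which the section is mapped as `section_vaddr` so pcrel pointers resolve to the real code addresses. The reader refuses length fields, CIE pointers and augmentation data that would run outside the record rather than clamping them, and rejects augmentations it does not understand instead of skipping them: a misparsed CIE silently changes which register is treated as the return address, and an unwinder that trusts it will read the wrong stack slot.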
2933 2014-09-10  Saam Barati  <saambarati1@gmail.com>
2934
2935         Web Inspector: Modify the type profiler runtime protocol to transfer some computation into the WebInspector
2936         https://bugs.webkit.org/show_bug.cgi?id=136500
2937
2938         Reviewed by Joseph Pecoraro.
2939
2940         This patch changes the type profiler protocol to the Web Inspector
2941         by moving the work of calculating computed properties that affect the UI
2942         into the Web Inspector. This makes the Web Inspector have control over the 
2943         strings it displays as UI elements representing type information to the user 
2944         instead of JavaScriptCore deciding on a convention for these strings.
2945         JavaScriptCore now sends enough information to the Web Inspector so that 
2946         it can compute the properties JavaScriptCore used to compute.
2947
2948         * inspector/agents/InspectorRuntimeAgent.cpp:
2949         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
2950         * inspector/protocol/Runtime.json:
2951         * runtime/TypeProfiler.cpp:
2952         (JSC::TypeProfiler::getTypesForVariableAtOffsetForInspector): Deleted.
2953         * runtime/TypeProfiler.h:
2954         * runtime/TypeSet.cpp:
2955         (JSC::TypeSet::inspectorTypeSet):
2956         (JSC::StructureShape::leastCommonAncestor):
2957         (JSC::StructureShape::inspectorRepresentation):
2958         * runtime/TypeSet.h:
2959
2960 2014-09-10  Akos Kiss  <akiss@inf.u-szeged.hu>
2961
2962         Apply ARM64-specific lowering to load/store instructions in offlineasm
2963         https://bugs.webkit.org/show_bug.cgi?id=136569
2964
2965         Reviewed by Michael Saboff.
2966
2967         The standard RISC lowering of load/store instructions with base +
2968         immediate offset addresses is to move the offset to a temporary, add the
2969         base to the temporary, and then change the load/store to use the
2970         temporary + 0 immediate offset address. However, on ARM64, a base +
2971         register offset addressing mode is available, so it is unnecessary to
2972         perform explicit register additions; it is enough to change the load/store
2973         to use base + temporary as the address.
2974
2975         * offlineasm/arm64.rb: Added arm64LowerMalformedLoadStoreAddresses
2976
2977 2014-09-10  Oliver Hunt  <oliver@apple.com>
2978
2979         Rename JSVariableObject to JSEnvironmentRecord to align naming with ES spec
2980         https://bugs.webkit.org/show_bug.cgi?id=136710
2981
2982         Reviewed by Anders Carlsson.
2983
2984         This is a trivial rename.
2985
2986         * CMakeLists.txt:
2987         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2988         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2989         * JavaScriptCore.xcodeproj/project.pbxproj:
2990         * dfg/DFGAbstractHeap.h:
2991         * dfg/DFGClobberize.h:
2992         (JSC::DFG::clobberize):
2993         * dfg/DFGSpeculativeJIT32_64.cpp:
2994         (JSC::DFG::SpeculativeJIT::compile):
2995         * dfg/DFGSpeculativeJIT64.cpp:
2996         (JSC::DFG::SpeculativeJIT::compile):
2997         * ftl/FTLAbstractHeapRepository.cpp:
2998         * ftl/FTLAbstractHeapRepository.h:
2999         * ftl/FTLLowerDFGToLLVM.cpp:
3000         (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters):
3001         * jit/JITOpcodes32_64.cpp:
3002         * jit/JITPropertyAccess.cpp:
3003         (JSC::JIT::emitGetClosureVar):
3004         (JSC::JIT::emitPutClosureVar):
3005         * jit/JITPropertyAccess32_64.cpp:
3006         (JSC::JIT::emitGetClosureVar):
3007         (JSC::JIT::emitPutClosureVar):
3008         * llint/LLIntOffsetsExtractor.cpp:
3009         * llint/LowLevelInterpreter32_64.asm:
3010         * llint/LowLevelInterpreter64.asm:
3011         * runtime/JSActivation.cpp:
3012         (JSC::JSActivation::getOwnNonIndexPropertyNames):
3013         * runtime/JSActivation.h:
3014         * runtime/JSEnvironmentRecord.cpp: Renamed from Source/JavaScriptCore/runtime/JSVariableObject.cpp.
3015         * runtime/JSEnvironmentRecord.h: Renamed from Source/JavaScriptCore/runtime/JSVariableObject.h.
3016         (JSC::JSEnvironmentRecord::registers):
3017         (JSC::JSEnvironmentRecord::registerAt):
3018         (JSC::JSEnvironmentRecord::addressOfRegisters):
3019         (JSC::JSEnvironmentRecord::offsetOfRegisters):
3020         (JSC::JSEnvironmentRecord::JSEnvironmentRecord):
3021         * runtime/JSNameScope.h:
3022         * runtime/JSSegmentedVariableObject.h:
3023
3024 2014-09-10  Julien Brianceau  <jbriance@cisco.com>
3025
3026         [mips] Add missing parts and fix LLINT mips backend
3027         https://bugs.webkit.org/show_bug.cgi?id=136706
3028
3029         Reviewed by Michael Saboff.
3030
3031         * llint/LowLevelInterpreter.asm: Fix invalid CalleeSave register number.
3032         Implement initPCRelative and setEntryAddress macros.
3033         * llint/LowLevelInterpreter32_64.asm: Fix register distribution in
3034         doVMEntry macro.
3035
3036 2014-09-10  Saam Barati  <saambarati1@gmail.com>
3037
3038         TypeSet needs a mode where it no longer profiles structure shapes
3039         https://bugs.webkit.org/show_bug.cgi?id=136263
3040
3041         Reviewed by Filip Pizlo.
3042
3043         The TypeSet data structure used to gather as many StructureShape
3044         objects as it encountered during type profiling. But, this meant 
3045         that there was no upper limit on how many objects it could allocate. 
3046         This patch places a fixed upper bound on the number of StructureShapes
3047         allocated per TypeSet to prevent using too much memory for little gain
3048         in type profiling usefulness.
3049
3050         StructureShape objects are now also aware of when they are created
3051         from Structures which are dictionaries.
3052
3053         In total, this patch lays the final groundwork needed in refactoring 
3054         the inspector protocol for the type profiler.
3055
3056         * runtime/Structure.cpp:
3057         (JSC::Structure::toStructureShape):
3058         * runtime/TypeProfiler.cpp:
3059         (JSC::TypeProfiler::typeInformationForExpressionAtOffset):
3060         * runtime/TypeSet.cpp:
3061         (JSC::TypeSet::TypeSet):
3062         (JSC::TypeSet::addTypeInformation):
3063         (JSC::StructureShape::StructureShape):
3064         (JSC::StructureShape::toJSONString):
3065         (JSC::StructureShape::enterDictionaryMode):
3066         * runtime/TypeSet.h:
3067         (JSC::TypeSet::isOverflown):
3068         * tests/typeProfiler/dictionary-mode.js: Added.
3069         (wrapper):
3070         * tests/typeProfiler/driver/driver.js:
3071         * tests/typeProfiler/overflow.js: Added.
3072         (wrapper.Proto):
3073         (wrapper):
3074
3075 2014-09-10  Peter Gal  <galpeter@inf.u-szeged.hu>
3076
3077         [MIPS] branch32WithPatch missing
3078         https://bugs.webkit.org/show_bug.cgi?id=136696
3079
3080         Reviewed by Michael Saboff.
3081
3082         Added the missing branch32WithPatch. The implementation
3083         is currently the same as branchPtrWithPatch because
3084         the macro assembler supports only 32-bit MIPS.
3085
3086         * assembler/MacroAssemblerMIPS.h:
3087         (JSC::MacroAssemblerMIPS::branch32WithPatch):
3088
3089 2014-09-10  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>
3090
3091         Fix !ENABLE(DFG_JIT) build
3092         https://bugs.webkit.org/show_bug.cgi?id=136702
3093
3094         Reviewed by Michael Saboff.
3095
3096         * bytecode/CallEdgeProfile.h:
3097
3098 2014-09-09  Benjamin Poulain  <bpoulain@apple.com>
3099
3100         Disable the "unreachable-code" warning
3101         https://bugs.webkit.org/show_bug.cgi?id=136677
3102
3103         Reviewed by Darin Adler.
3104
3105         * Configurations/Base.xcconfig:
3106
3107 2014-09-08  Filip Pizlo  <fpizlo@apple.com>
3108
3109         DFG should have a reusable SSA builder
3110         https://bugs.webkit.org/show_bug.cgi?id=136331
3111
3112         Reviewed by Oliver Hunt.
3113         
3114         We want to implement sophisticated SSA transformations like object allocation sinking
3115         (https://bugs.webkit.org/show_bug.cgi?id=136330), but to do that, we need to be able to do
3116         updates to SSA that require inserting new Phi's. This requires calculating where Phis go.
3117         Previously, our Phi calculation was based on Aycock and Horspool's algorithm, and our
3118         implementation of this algorithm only worked when doing CPS->SSA conversion. The code
3119         could not be reused for cases where some phase happens to know that it introduced a few
3120         defs in some blocks and it wants to figure out where the Phis should go. Moreover, even
3121         the general algorithm of Aycock and Horspool is not well suited to such targeted SSA
3122         updates, since it requires first inserting maximal Phis. That scales well when the Phis
3123         were already there (like in our CPS form) but otherwise it's quite unnatural and may be
3124         difficult to make efficient.
3125         
3126         The usual way of handling both SSA conversion and SSA update is to use Cytron et al's
3127         algorithm based on dominance frontiers. For a while now, I've been working on creating a
3128         Cytron-based SSA calculator that can be used both as a replacement for our current SSA
3129         converter and as a reusable tool for any phase that needs to do SSA update. I previously
3130         optimized our dominator calculation and representation to use dominator trees computed
3131         using Lengauer and Tarjan's algorithm - mainly to make it more scalable to enumerate over
3132         the set of blocks that dominate you or vice-versa, and then I implemented a dominance
3133         frontier calculator. This patch implements the final step towards making SSA update
3134         available to all SSA phases: it implements an SSACalculator that can tell you where Phis
3135         go when given an arbitrary set of Defs. To keep things simple, and to ensure that we have
3136         good test coverage for this SSACalculator, this patch replaces the old Aycock-Horspool
3137         SSA converter with one based on the SSACalculator.
3138         
3139         This has no observable impact. It does reduce the amount of code in SSAConversionPhase.
3140         But even better, it makes SSAConversionPhase have significantly less tricky logic. It
3141         mostly just relies on SSACalculator to do the tricky stuff, and SSAConversionPhase mostly
3142         just reasons about the weirdnesses unique to the ThreadedCPS form that it sees as input.
3143         In fact, using the Cytron et al approach means that there isn't really any "smoke and
3144         mirrors" trickiness related to SSA. SSACalculator's only "tricks" are using the pruned
3145         iterated dominance frontier to place Phi's and using the dom tree to find reaching defs.
3146         The complexity is mostly confined to Dominators, which computes various dominator-related
3147         properties over the control flow graph. That class can be difficult to understand, but at
3148         least it follows well-known graph theory wisdom.
3149
3150         * CMakeLists.txt:
3151         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3152         * JavaScriptCore.xcodeproj/project.pbxproj:
3153         * dfg/DFGAnalysis.h:
3154         * dfg/DFGCSEPhase.cpp:
3155         * dfg/DFGDCEPhase.cpp:
3156         (JSC::DFG::DCEPhase::run):
3157         * dfg/DFGDominators.h:
3158         (JSC::DFG::Dominators::immediateDominatorOf):
3159         (JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOf):
3160         (JSC::DFG::Dominators::forAllBlocksInPrunedIteratedDominanceFrontierOf):
3161         * dfg/DFGGraph.cpp:
3162         (JSC::DFG::Graph::dump):
3163         (JSC::DFG::Graph::blocksInPreOrder):
3164         (JSC::DFG::Graph::blocksInPostOrder):
3165         (JSC::DFG::Graph::getBlocksInPreOrder): Deleted.
3166         (JSC::DFG::Graph::getBlocksInPostOrder): Deleted.
3167         * dfg/DFGGraph.h:
3168         * dfg/DFGLICMPhase.cpp:
3169         (JSC::DFG::LICMPhase::run):
3170         * dfg/DFGNodeFlags.h:
3171         * dfg/DFGPhase.cpp:
3172         (JSC::DFG::Phase::beginPhase):
3173         (JSC::DFG::Phase::endPhase):
3174         * dfg/DFGPhase.h:
3175         * dfg/DFGSSACalculator.cpp: Added.
3176         (JSC::DFG::SSACalculator::Variable::dump):
3177         (JSC::DFG::SSACalculator::Variable::dumpVerbose):
3178         (JSC::DFG::SSACalculator::Def::dump):
3179         (JSC::DFG::SSACalculator::SSACalculator):
3180         (JSC::DFG::SSACalculator::~SSACalculator):
3181         (JSC::DFG::SSACalculator::newVariable):
3182         (JSC::DFG::SSACalculator::newDef):
3183         (JSC::DFG::SSACalculator::nonLocalReachingDef):
3184         (JSC::DFG::SSACalculator::reachingDefAtTail):
3185         (JSC::DFG::SSACalculator::dump):
3186         * dfg/DFGSSACalculator.h: Added.
3187         (JSC::DFG::SSACalculator::Variable::index):
3188         (JSC::DFG::SSACalculator::Variable::Variable):
3189         (JSC::DFG::SSACalculator::Def::variable):
3190         (JSC::DFG::SSACalculator::Def::block):
3191         (JSC::DFG::SSACalculator::Def::value):
3192         (JSC::DFG::SSACalculator::Def::Def):
3193         (JSC::DFG::SSACalculator::variable):
3194         (JSC::DFG::SSACalculator::computePhis):
3195         (JSC::DFG::SSACalculator::phisForBlock):
3196         (JSC::DFG::SSACalculator::reachingDefAtHead):
3197         * dfg/DFGSSAConversionPhase.cpp:
3198         (JSC::DFG::SSAConversionPhase::SSAConversionPhase):
3199         (JSC::DFG::SSAConversionPhase::run):
3200         (JSC::DFG::SSAConversionPhase::forwardPhiChildren): Deleted.
3201         (JSC::DFG::SSAConversionPhase::forwardPhi): Deleted.
3202         (JSC::DFG::SSAConversionPhase::forwardPhiEdge): Deleted.
3203         (JSC::DFG::SSAConversionPhase::deduplicateChildren): Deleted.
3204         * dfg/DFGSSAConversionPhase.h:
3205         * dfg/DFGValidate.cpp:
3206         (JSC::DFG::Validate::Validate):
3207         (JSC::DFG::Validate::dumpGraphIfAppropriate):
3208         (JSC::DFG::validate):
3209         * dfg/DFGValidate.h:
3210         * ftl/FTLLowerDFGToLLVM.cpp:
3211         (JSC::FTL::LowerDFGToLLVM::lower):
3212         * runtime/Options.h:
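
The Phi placement and reaching-def lookup that the entry above describes, shown as an added example written for this page (it is not JavaScriptCore's Dominators or SSACalculator code): a six-block CFG with one loop, iterative dominators, dominance frontiers, Phi placement on the iterated dominance frontier with optional liveness pruning, and a reaching-def lookup that walks the dominator tree. The CFG shape, the variable's def and use blocks, and every name in it (CFG, liveAtHead, placePhis, reachingDefAtHead, exampleCFG, kDefs, kUses) are assumptions made for the example.

```cpp
// Added example, not JSC code: Cytron-style Phi placement and reaching-def lookup on a
// hand-built CFG. Every type, function and block number below is invented for this illustration.
#include <set>
#include <vector>
// Blocks are numbered 0..n-1 with 0 the entry; every block is assumed reachable from 0.
struct CFG {
    std::vector<std::vector<int>> succ, pred;
    std::vector<int> idom;         // immediate dominator; the entry maps to itself
    std::vector<std::set<int>> df; // dominance frontier of each block
    explicit CFG(int n) : succ(n), pred(n), idom(n, -1), df(n) {}
    int size() const { return (int)succ.size(); }
    void edge(int a, int b) { succ[a].push_back(b); pred[b].push_back(a); }
    void postOrder(int b, std::vector<bool>& seen, std::vector<int>& out) const {
        seen[b] = true;
        for (int s : succ[b]) if (!seen[s]) postOrder(s, seen, out);
        out.push_back(b);
    }
    // Iterative dominator computation (Cooper, Harvey, Kennedy): sweep blocks in reverse
    // post-order, intersecting the predecessors' dominator chains with a two-finger walk.
    void computeDominators() {
        std::vector<bool> seen(size(), false);
        std::vector<int> post, rpo(size(), -1);
        postOrder(0, seen, post);
        for (int i = 0; i < (int)post.size(); ++i) rpo[post[i]] = (int)post.size() - 1 - i;
        idom.assign(size(), -1); idom[0] = 0;
        auto intersect = [&](int a, int b) { // a dominator always has the smaller rpo number
            while (a != b) { while (rpo[a] > rpo[b]) a = idom[a]; while (rpo[b] > rpo[a]) b = idom[b]; }
            return a;
        };
        for (bool changed = true; changed;) {
            changed = false;
            for (int i = (int)post.size() - 1; i >= 0; --i) {
                int b = post[i], cand = -1;
                if (b == 0) continue;
                for (int p : pred[b])
                    if (idom[p] != -1) cand = cand == -1 ? p : intersect(p, cand);
                if (cand != idom[b]) { idom[b] = cand; changed = true; }
            }
        }
    }
    // DF(x) holds each join block b that x does not strictly dominate but that has a
    // predecessor dominated by x: walk from every predecessor of b up to idom(b).
    void computeDominanceFrontiers() {
        for (int b = 0; b < size(); ++b) {
            if (pred[b].size() < 2) continue;
            for (int p : pred[b]) for (int r = p; r != idom[b]; r = idom[r]) df[r].insert(b);
        }
    }
};
// Backward liveness of one variable on the pre-SSA CFG. defs: blocks that write it;
// upwardUses: blocks that read it before writing it. Returns live-at-head per block.
std::vector<bool> liveAtHead(const CFG& g, const std::set<int>& defs, const std::set<int>& upwardUses) {
    std::vector<bool> live(g.size(), false);
    for (bool changed = true; changed;) {
        changed = false;
        for (int b = 0; b < g.size(); ++b) {
            bool out = false; for (int s : g.succ[b]) out = out || live[s];
            bool liveIn = upwardUses.count(b) || (!defs.count(b) && out);
            if (liveIn != live[b]) { live[b] = liveIn; changed = true; }
        }
    }
    return live;
}
// Phi blocks = iterated dominance frontier of the def blocks (Cytron et al.).
// With pruned == true, a Phi is kept only where the variable is live at head.
std::set<int> placePhis(const CFG& g, const std::set<int>& defs, const std::set<int>& upwardUses, bool pruned) {
    std::set<int> phis;
    std::vector<int> work(defs.begin(), defs.end());
    while (!work.empty()) {
        int b = work.back(); work.pop_back();
        for (int d : g.df[b]) if (phis.insert(d).second) work.push_back(d);
    }
    if (!pruned) return phis;
    std::vector<bool> live = liveAtHead(g, defs, upwardUses);
    for (auto it = phis.begin(); it != phis.end();) { if (live[*it]) ++it; else it = phis.erase(it); }
    return phis;
}
// Reaching def at the head of block b, not counting b's own Phis: the nearest strict
// dominator that writes the variable or carries a Phi for it; -1 if there is none.
int reachingDefAtHead(const CFG& g, const std::set<int>& defs, const std::set<int>& phis, int b) {
    for (int d = b; d > 0;) {
        d = g.idom[d];
        if (defs.count(d) || phis.count(d)) return d;
    }
    return -1;
}
// Constructed sample: 0 -> 1; 1 -> 2, 3; 2 -> 4; 3 -> 4; 4 -> 1 (back edge), 5. Variable v is
// written in blocks 0, 2 and 3 and read in blocks 4 and 5. Unpruned placement puts Phis in
// blocks 1 and 4; pruning drops block 1, since both paths out of it rewrite v before any read.
const std::set<int> kDefs{0, 2, 3}, kUses{4, 5};
CFG exampleCFG() {
    CFG g(6);
    const int edges[][2] = {{0, 1}, {1, 2}, {1, 3}, {2, 4}, {3, 4}, {4, 1}, {4, 5}};
    for (auto& e : edges) g.edge(e[0], e[1]);
    g.computeDominators();
    g.computeDominanceFrontiers();
    return g;
}
```

On the sample, placePhis with pruned set to false places Phis in blocks 1 and 4; with pruning only block 4 keeps one, because blocks 2 and 3 both rewrite the variable before it can be read again, so nothing is live at the head of block 1. reachingDefAtHead then resolves the read in block 5 to the Phi in block 4 by climbing from idom(5) = 4, which is the dominator-tree walk the entry refers to.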
3213
3214 2014-09-08  Commit Queue  <commit-queue@webkit.org>
3215
3216         Unreviewed, rolling out r173402.
3217         https://bugs.webkit.org/show_bug.cgi?id=136649
3218
3219         Breaking build with error "unable to restore file position to
3220         0x00000c60 for section __DWARF.__debug_info (errno = 9)"
3221         (Requested by mlam_ on #webkit).
3222
3223         Reverted changeset:
3224
3225         "Move CallFrame and Register inlines functions out of
3226         JSScope.h."
3227         https://bugs.webkit.org/show_bug.cgi?id=136579
3228         http://trac.webkit.org/changeset/173402
3229
3230 2014-09-08  Mark Lam  <mark.lam@apple.com>
3231
3232         Move CallFrame and Register inlines functions out of JSScope.h.
3233         <https://webkit.org/b/136579>
3234
3235         Reviewed by Geoffrey Garen.
3236
3237         This includes fixing up some files to #include JSCInlines.h to pick up
3238         these inline functions.  I also added JSCellInlines.h to JSCInlines.h
3239         since it is included from many of the affected .cpp files.
3240
3241         * API/ObjCCallbackFunction.mm:
3242         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3243         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3244         * JavaScriptCore.xcodeproj/project.pbxproj:
3245         * bindings/ScriptValue.cpp:
3246         * inspector/InjectedScriptHost.cpp:
3247         * inspector/InjectedScriptManager.cpp:
3248         * inspector/JSGlobalObjectInspectorController.cpp:
3249         * inspector/JSJavaScriptCallFrame.cpp:
3250         * inspector/ScriptDebugServer.cpp:
3251         * interpreter/CallFrameInlines.h:
3252         (JSC::CallFrame::vm):
3253         (JSC::CallFrame::lexicalGlobalObject):
3254         (JSC::CallFrame::globalThisValue):
3255         * interpreter/RegisterInlines.h: Added.
3256         (JSC::Register::operator=):
3257         (JSC::Register::scope):
3258         * runtime/ArgumentsIteratorConstructor.cpp:
3259         * runtime/JSArrayIterator.cpp:
3260         * runtime/JSCInlines.h:
3261         * runtime/JSCJSValue.cpp:
3262         * runtime/JSMapIterator.cpp:
3263         * runtime/JSPromiseConstructor.cpp:
3264         * runtime/JSPromiseDeferred.cpp:
3265         * runtime/JSPromiseFunctions.cpp:
3266         * runtime/JSPromisePrototype.cpp:
3267         * runtime/JSPromiseReaction.cpp:
3268         * runtime/JSScope.h:
3269         (JSC::Register::operator=): Deleted.
3270         (JSC::Register::scope): Deleted.
3271         (JSC::ExecState::vm): Deleted.
3272         (JSC::ExecState::lexicalGlobalObject): Deleted.
3273         (JSC::ExecState::globalThisValue): Deleted.
3274         * runtime/JSSetIterator.cpp:
3275         * runtime/MapConstructor.cpp:
3276         * runtime/MapData.cpp:
3277         * runtime/MapIteratorPrototype.cpp:
3278         * runtime/MapPrototype.cpp:
3279         * runtime/SetConstructor.cpp:
3280         * runtime/SetIteratorPrototype.cpp:
3281         * runtime/SetPrototype.cpp:
3282         * runtime/WeakMapConstructor.cpp:
3283         * runtime/WeakMapPrototype.cpp:
3284
3285 2014-09-08  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>
3286
3287         Remove FILTERS flag
3288         https://bugs.webkit.org/show_bug.cgi?id=136571
3289
3290         Reviewed by Darin Adler.
3291
3292         * Configurations/FeatureDefines.xcconfig:
3293
3294 2014-09-08  Saam Barati  <saambarati1@gmail.com>
3295
3296         Merge StructureShapes that share the same prototype chain
3297         https://bugs.webkit.org/show_bug.cgi?id=136549
3298
3299         Reviewed by Filip Pizlo.
3300
3301         Instead of keeping track of many discrete StructureShapes that share
3302         the same prototype chain, TypeSet should merge StructureShapes that 
3303         have the same prototype chain and provide a new member variable for 
3304         optional structure fields. This provides a cleaner and more concise
3305         interface for dealing with StructureShapes within TypeSet. Instead
3306         of having many discrete shapes that are almost identical, almost 
3307         identical shapes will be merged together with an interface for 
3308         understanding what fields the shapes being merged together differ in.
3309
3310         * runtime/TypeSet.cpp:
3311         (JSC::TypeSet::addTypeInformation):
3312         (JSC::StructureShape::addProperty):
3313         (JSC::StructureShape::toJSONString):
3314         (JSC::StructureShape::inspectorRepresentation):
3315         (JSC::StructureShape::hasSamePrototypeChain):
3316         (JSC::StructureShape::merge):
3317         * runtime/TypeSet.h:
3318         * tests/typeProfiler/optional-fields.js: Added.
3319         (wrapper.func):
3320         (wrapper):
3321
3322 2014-09-08  Jessie Berlin  <jberlin@apple.com>
3323
3324         More 32-bit Release build fixes after r173364.
3325
3326         * dfg/DFGSpeculativeJIT32_64.cpp:
3327         (JSC::DFG::SpeculativeJIT::compile):
3328
3329 2014-09-07  Maciej Stachowiak  <mjs@apple.com>
3330
3331         Fix typos in last patch to fix build.
3332
3333         Unreviewed build fix.
3334
3335         * dfg/DFGSpeculativeJIT.cpp:
3336         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
3337         (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
3338