Fix iOS build due to r172832 and move RUBBER_BANDING out of FeatureDefines.h
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-08-22  Jon Lee  <jonlee@apple.com>

        Fix iOS build due to r172832 and move RUBBER_BANDING out of FeatureDefines.h
        https://bugs.webkit.org/show_bug.cgi?id=136157

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig: Add ENABLE(RUBBER_BANDING).

2014-08-21  Mark Lam  <mark.lam@apple.com>

        r171362 accidentally increased the size of InlineCallFrame.
        <https://webkit.org/b/136141>

        Reviewed by Filip Pizlo.

        r171362 increased the size of InlineCallFrame::kind to 2 bits.  This increased
        the size of InlineCallFrame from 72 to 80 though not intentionally.  The fix
        is to reduce the size of InlineCallFrame::stackOffset to 29 bits.

        Also added an assert to ensure that we never set a value that exceeds the size
        of InlineCallFrame::stackOffset.

        * bytecode/CodeOrigin.h:
        (JSC::InlineCallFrame::setStackOffset):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):

2014-08-21  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: RetainPtr misuse, CFRunLoopSource leak
        https://bugs.webkit.org/show_bug.cgi?id=136143

        Reviewed by Timothy Hatcher.

        Adopt a Create into the RetainPtr to avoid leaking.

        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorDebuggableConnection::setupRunLoop):

2014-08-21  Mark Lam  <mark.lam@apple.com>

        REGRESSION(r172808): It made 6 different tests fail on 32 bit platforms.
        <https://webkit.org/b/136123>

        Reviewed by Filip Pizlo.

        The original patch in r172808 removed the code to skip the top scope in
        the 64-bit port of JIT::emitResolveClosure() but not in the 32-bit port.
        This patch fixes that and achieves parity.

        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitResolveClosure):

2014-08-21  Zalan Bujtas  <zalan@apple.com>

        Enable SATURATED_LAYOUT_ARITHMETIC.
        https://bugs.webkit.org/show_bug.cgi?id=136106

        Reviewed by Simon Fraser.

        SATURATED_LAYOUT_ARITHMETIC protects LayoutUnit against arithmetic overflow.
        (No measurable performance regression on Mac.)

        * Configurations/FeatureDefines.xcconfig:
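The overflow class that SATURATED_LAYOUT_ARITHMETIC guards against, as an added C example that is not WebKit code: the layout unit is modelled here as a 32-bit integer counting 1/64 of a pixel (an assumption made for this example, not WebCore's LayoutUnit definition), and plain wrap-around addition is shown beside the saturating version so the consequence of an unprotected overflow is visible.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a fixed-point layout unit: a 32-bit integer counting
 * 1/64 of a pixel. This is an assumption for the example, not WebCore's
 * LayoutUnit, whose real definition is not on this page. */
#define FIXED_POINT_DENOMINATOR 64

typedef struct { int32_t raw; } layout_unit;

/* Clamp a 64-bit intermediate result into the int32 range. */
static int32_t clamp_to_int32(int64_t v) {
    if (v > INT32_MAX) return INT32_MAX;
    if (v < INT32_MIN) return INT32_MIN;
    return (int32_t)v;
}

/* Saturating operations: compute in 64 bits, then clamp instead of wrapping. */
static int32_t saturated_add(int32_t a, int32_t b) { return clamp_to_int32((int64_t)a + b); }
static int32_t saturated_sub(int32_t a, int32_t b) { return clamp_to_int32((int64_t)a - b); }
static int32_t saturated_mul(int32_t a, int32_t b) { return clamp_to_int32((int64_t)a * b); }

/* Two's-complement wrap-around, done in unsigned arithmetic so that the
 * example itself has no undefined behaviour. This is the value an
 * unprotected int32 addition effectively yields after overflow. */
static int32_t wrapping_add(int32_t a, int32_t b) {
    return (int32_t)((uint32_t)a + (uint32_t)b);
}

/* Conversion from whole pixels saturates too: px * 64 can itself overflow. */
static layout_unit layout_from_int(int px) {
    layout_unit u = { clamp_to_int32((int64_t)px * FIXED_POINT_DENOMINATOR) };
    return u;
}

static int layout_to_int(layout_unit u) { return u.raw / FIXED_POINT_DENOMINATOR; }

/* Right edge of a box, x + width, in raw 1/64 px units. With `saturate`
 * false the sum wraps and a very wide box ends up with a negative right
 * edge, which a later "does it fit?" comparison would happily accept; with
 * `saturate` true the edge pins at the representable maximum instead. */
static int32_t layout_right_edge_raw(layout_unit x, layout_unit width, bool saturate) {
    return saturate ? saturated_add(x.raw, width.raw) : wrapping_add(x.raw, width.raw);
}

int main(void) {
    /* Constructed input: a box 20,000,000 px wide placed 20,000,000 px in. */
    layout_unit x = layout_from_int(20000000);
    layout_unit w = layout_from_int(20000000);
    printf("wrapping right edge:  %d\n", layout_right_edge_raw(x, w, false));
    printf("saturated right edge: %d\n", layout_right_edge_raw(x, w, true));
    return 0;
}
```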

2014-08-20  Saam Barati  <sbarati@apple.com>

        Fix how CodeBlock dumps the opcode op_profile_type
        https://bugs.webkit.org/show_bug.cgi?id=136088

        Reviewed by Filip Pizlo.

        op_profile_type was modified to receive two extra arguments,
        but its dump in CodeBlock::dumpBytecode wasn't changed to
        account for this, so it broke CodeBlock::dumpBytecode when
        op_profile_type was in the stream of bytecode instructions.
        CodeBlock::dumpBytecode now accounts for the change in
        op_profile_type's arity.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):

2014-08-20  Saam Barati  <sbarati@apple.com>

        Rename HighFidelityTypeProfiling variables for more clarity
        https://bugs.webkit.org/show_bug.cgi?id=135899

        Reviewed by Geoffrey Garen.

        Many names that are used in the type profiling infrastructure
        prefix themselves with "HighFidelity" or include the words "high"
        and/or "fidelity" in some way. But the words "high" and "fidelity" don't
        add anything descriptive to the names surrounding type profiling.
        So this patch removes all uses of "HighFidelity" and its variants.

        Most renamings change "HighFidelity*" to "TypeProfiler*" or simply
        drop the prefix "HighFidelity" altogether. Now, almost all names
        in relation to type profiling contain in them "TypeProfiler" or
        "TypeProfiling" or some combination of the words "type" and "profile".

        This patch also changes how we check if type profiling is enabled:
        We no longer call vm::isProfilingTypesWithHighFidelity. We now just
        check that vm::typeProfiler is not null.

        This patch also changes all calls to TypeProfilerLog::processLogEntries
        to use ASCIILiteral to form WTFStrings instead of vanilla C string literals.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecode/TypeLocation.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset):
        (JSC::UnlinkedCodeBlock::addTypeProfilerExpressionInfo):
        (JSC::UnlinkedCodeBlock::highFidelityTypeProfileExpressionInfoForBytecodeOffset): Deleted.
        (JSC::UnlinkedCodeBlock::addHighFidelityTypeProfileExpressionInfo): Deleted.
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::typeProfilingStartOffset):
        (JSC::UnlinkedFunctionExecutable::typeProfilingEndOffset):
        (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingStartOffset): Deleted.
        (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingEndOffset): Deleted.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitMove):
        (JSC::BytecodeGenerator::emitTypeProfilerExpressionInfo):
        (JSC::BytecodeGenerator::emitProfileType):
        (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo): Deleted.
        (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ThisNode::emitBytecode):
        (JSC::ResolveNode::emitBytecode):
        (JSC::BracketAccessorNode::emitBytecode):
        (JSC::DotAccessorNode::emitBytecode):
        (JSC::FunctionCallValueNode::emitBytecode):
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::FunctionCallBracketNode::emitBytecode):
        (JSC::FunctionCallDotNode::emitBytecode):
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        (JSC::PostfixNode::emitResolve):
        (JSC::PostfixNode::emitBracket):
        (JSC::PostfixNode::emitDot):
        (JSC::PrefixNode::emitResolve):
        (JSC::PrefixNode::emitBracket):
        (JSC::PrefixNode::emitDot):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::AssignDotNode::emitBytecode):
        (JSC::ReadModifyDotNode::emitBytecode):
        (JSC::AssignBracketNode::emitBytecode):
        (JSC::ReadModifyBracketNode::emitBytecode):
        (JSC::ConstDeclNode::emitCodeSingle):
        (JSC::EmptyVarExpression::emitBytecode):
        (JSC::ReturnNode::emitBytecode):
        (JSC::FunctionBodyNode::emitBytecode):
        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        (Inspector::recompileAllJSFunctionsForTypeProfiling):
        (Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend):
        (Inspector::InspectorRuntimeAgent::enableTypeProfiler):
        (Inspector::InspectorRuntimeAgent::disableTypeProfiler):
        (Inspector::InspectorRuntimeAgent::setTypeProfilerEnabledState):
        (Inspector::InspectorRuntimeAgent::enableHighFidelityTypeProfiling): Deleted.
        (Inspector::InspectorRuntimeAgent::disableHighFidelityTypeProfiling): Deleted.
        (Inspector::InspectorRuntimeAgent::setHighFidelityTypeProfilingEnabledState): Deleted.
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/protocol/Runtime.json:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_profile_type):
        (JSC::JIT::emit_op_profile_types_with_high_fidelity): Deleted.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_profile_type):
        (JSC::JIT::emit_op_profile_types_with_high_fidelity): Deleted.
        * jit/JITOperations.cpp:
        * jsc.cpp:
        (functionDumpTypesForAllVariables):
        * llint/LLIntSlowPaths.cpp:
        * llint/LowLevelInterpreter.asm:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::ScriptExecutable):
        (JSC::ProgramExecutable::ProgramExecutable):
        (JSC::FunctionExecutable::FunctionExecutable):
        (JSC::ProgramExecutable::initializeGlobalProperties):
        * runtime/Executable.h:
        (JSC::ScriptExecutable::typeProfilingStartOffset):
        (JSC::ScriptExecutable::typeProfilingEndOffset):
        (JSC::ScriptExecutable::highFidelityTypeProfilingStartOffset): Deleted.
        (JSC::ScriptExecutable::highFidelityTypeProfilingEndOffset): Deleted.
        * runtime/HighFidelityLog.cpp: Removed.
        * runtime/HighFidelityLog.h: Removed.
        * runtime/HighFidelityTypeProfiler.cpp: Removed.
        * runtime/HighFidelityTypeProfiler.h: Removed.
        * runtime/Options.h:
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTable::prepareForTypeProfiling):
        (JSC::SymbolTable::uniqueIDForVariable):
        (JSC::SymbolTable::uniqueIDForRegister):
        (JSC::SymbolTable::prepareForHighFidelityTypeProfiling): Deleted.
        * runtime/SymbolTable.h:
        * runtime/TypeProfiler.cpp: Added.
        (JSC::TypeProfiler::logTypesForTypeLocation):
        (JSC::TypeProfiler::insertNewLocation):
        (JSC::TypeProfiler::getTypesForVariableAtOffsetForInspector):
        (JSC::descriptorMatchesTypeLocation):
        (JSC::TypeProfiler::findLocation):
        * runtime/TypeProfiler.h: Added.
        (JSC::QueryKey::QueryKey):
        (JSC::QueryKey::isHashTableDeletedValue):
        (JSC::QueryKey::operator==):
        (JSC::QueryKey::hash):
        (JSC::QueryKeyHash::hash):
        (JSC::QueryKeyHash::equal):
        (JSC::TypeProfiler::functionHasExecutedCache):
        (JSC::TypeProfiler::typeLocationCache):
        * runtime/TypeProfilerLog.cpp: Added.
        (JSC::TypeProfilerLog::initializeLog):
        (JSC::TypeProfilerLog::~TypeProfilerLog):
        (JSC::TypeProfilerLog::processLogEntries):
        * runtime/TypeProfilerLog.h: Added.
        (JSC::TypeProfilerLog::LogEntry::structureIDOffset):
        (JSC::TypeProfilerLog::LogEntry::valueOffset):
        (JSC::TypeProfilerLog::LogEntry::locationOffset):
        (JSC::TypeProfilerLog::TypeProfilerLog):
        (JSC::TypeProfilerLog::recordTypeInformationForLocation):
        (JSC::TypeProfilerLog::logEndPtr):
        (JSC::TypeProfilerLog::logStartOffset):
        (JSC::TypeProfilerLog::currentLogEntryOffset):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::enableTypeProfiler):
        (JSC::VM::disableTypeProfiler):
        (JSC::VM::dumpTypeProfilerData):
        (JSC::VM::enableHighFidelityTypeProfiling): Deleted.
        (JSC::VM::disableHighFidelityTypeProfiling): Deleted.
        (JSC::VM::dumpHighFidelityProfilingTypes): Deleted.
        * runtime/VM.h:
        (JSC::VM::typeProfilerLog):
        (JSC::VM::typeProfiler):
        (JSC::VM::isProfilingTypesWithHighFidelity): Deleted.
        (JSC::VM::highFidelityLog): Deleted.
        (JSC::VM::highFidelityTypeProfiler): Deleted.

2014-08-20  Csaba Osztrogonác  <ossy@webkit.org>

        URTBF after r172799.

        * disassembler/ARM64/A64DOpcode.cpp:
        * disassembler/ARM64Disassembler.cpp:

2014-08-20  Oliver Hunt  <oliver@apple.com>

        Stop implicitly skipping a function's own activation when walking the scope chain
        https://bugs.webkit.org/show_bug.cgi?id=136118

        Reviewed by Geoffrey Garen.

        Remove the current logic that implicitly skips a function's
        own activation when walking the scope chain. This is ground
        work for ensuring that all closed variable access is made
        through the function's activation. This leads to a further
        10% regression on earley, but we're already tracking the
        overall performance regression.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getScope):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitResolveClosure):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSScope.cpp:
        (JSC::JSScope::abstractResolve):
        * runtime/JSScope.h:

2014-08-20  Michael Saboff  <msaboff@apple.com>

        REGRESSION: Web Inspector crashes when reloading apple.com with Timeline recording active
        https://bugs.webkit.org/show_bug.cgi?id=136034

        Reviewed by Mark Lam.

        DebuggerCallFrame::positionForCallFrame is trying to unwind starting somewhere in the middle
        of the stack.  Hardened StackVisitor to skip over the frames between the current top frame
        and the requested start frame.

        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::StackVisitor):

2014-08-20  Brent Fulgham  <bfulgham@apple.com>

        [Win] JavaScriptCore.dll is missing version information.
        https://bugs.webkit.org/show_bug.cgi?id=136105
        <rdar://problem/18075852>

        Reviewed by Dean Jackson.

        * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd: Add missing step to generate
        version information for intermediary build path.

2014-08-20  Saam Barati  <sbarati@apple.com>

        Fix a memory leak in TypeSet
        https://bugs.webkit.org/show_bug.cgi?id=135913

        Reviewed by Filip Pizlo.

        Currently, TypeSet unconditionally allocates memory for its member
        variable m_structureHistory, but never deallocates it. Change this
        from being a pointer that is unconditionally allocated to a member
        variable that will be deallocated when TypeSet itself is deallocated.

        * runtime/TypeSet.cpp:
        (JSC::TypeSet::TypeSet):
        (JSC::TypeSet::addTypeInformation):
        (JSC::TypeSet::seenTypes):
        (JSC::TypeSet::displayName):
        (JSC::TypeSet::allStructureRepresentations):
        (JSC::StructureShape::leastCommonAncestor):
        * runtime/TypeSet.h:

2014-08-20  peavo@outlook.com  <peavo@outlook.com>

        [Win] Assertion fails when running JSC stress tests.
        https://bugs.webkit.org/show_bug.cgi?id=136103

        Reviewed by Darin Adler.

        Use unsigned bitfield member instead of enum bitfield member to avoid negative values.

        * bytecode/CodeOrigin.h: Use unsigned bitfield member.
        (JSC::InlineCallFrame::specializationKind): Compile fix.
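Added C example, not JSC code, illustrating the two bitfield pitfalls behind the InlineCallFrame entries above (Mark Lam's 2014-08-21 entry on the 2-bit kind / 29-bit stackOffset packing with an assert in the setter, and the Windows assertion fixed by switching to an unsigned bitfield): a value wider than its field is silently truncated unless the setter checks it first, and a signed 2-bit field reads enumerator values 2 and 3 back as negative numbers. The struct layout, field names and enumerators are constructed for this example; the truncation and sign results shown are the usual two's-complement behaviour of GCC and Clang.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a packed frame descriptor (not JSC's InlineCallFrame):
 * a 2-bit kind, a 1-bit flag and a 29-bit signed offset share one 32-bit word. */
enum FrameKind { KindCall = 0, KindConstruct = 1, KindCallVarargs = 2, KindConstructVarargs = 3 };

struct PackedFrame {
    unsigned kind : 2;          /* unsigned: 0..3 always read back as stored */
    unsigned isClosureCall : 1;
    int stackOffset : 29;       /* signed: stack offsets can be negative */
};

/* The problematic variant: a signed 2-bit field can only hold -2..1, so the
 * enumerators 2 and 3 come back negative (this is the Windows assertion). */
struct SignedKindFrame {
    int kind : 2;
    int stackOffset : 30;
};

#define STACK_OFFSET_BITS 29
#define STACK_OFFSET_MAX ((1 << (STACK_OFFSET_BITS - 1)) - 1)   /*  268435455 */
#define STACK_OFFSET_MIN (-(1 << (STACK_OFFSET_BITS - 1)))      /* -268435456 */

/* Range check that an ASSERT-guarded setter would perform. */
static bool stackOffsetFits(int value) {
    return value >= STACK_OFFSET_MIN && value <= STACK_OFFSET_MAX;
}

/* Checked setter: refuses (and leaves the field untouched) instead of truncating. */
static bool setStackOffset(struct PackedFrame *f, int value) {
    if (!stackOffsetFits(value))
        return false;           /* a debug build would ASSERT here */
    f->stackOffset = value;
    return true;
}

/* Unchecked store: shows what the assert prevents. The high bits are dropped
 * and the 29-bit pattern is reinterpreted as a signed value. */
static int storeUnchecked(int value) {
    struct PackedFrame f = {0};
    f.stackOffset = value;
    return f.stackOffset;
}

static int readUnsignedKind(enum FrameKind k) {
    struct PackedFrame f = {0};
    f.kind = k;
    return (int)f.kind;
}

static int readSignedKind(enum FrameKind k) {
    struct SignedKindFrame f = {0};
    f.kind = k;
    return f.kind;
}

/* All three fields fit one 32-bit allocation unit, so the struct stays 4 bytes. */
static size_t packedFrameSize(void) { return sizeof(struct PackedFrame); }

int main(void) {
    struct PackedFrame f = {0};
    printf("sizeof(PackedFrame) = %zu\n", packedFrameSize());
    printf("set %d ok: %d\n", STACK_OFFSET_MAX + 1, setStackOffset(&f, STACK_OFFSET_MAX + 1));
    printf("unchecked store of %d reads back %d\n", STACK_OFFSET_MAX + 1,
           storeUnchecked(STACK_OFFSET_MAX + 1));
    printf("kind 3: unsigned field %d, signed field %d\n",
           readUnsignedKind(KindConstructVarargs), readSignedKind(KindConstructVarargs));
    return 0;
}
```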

2014-08-20  Akos Kiss  <akiss@inf.u-szeged.hu>

        Enable ARM64 disassembler on EFL
        https://bugs.webkit.org/show_bug.cgi?id=136089

        Reviewed by Filip Pizlo.

        * CMakeLists.txt:
        Added disassembler/ARM64Disassembler.cpp and
        disassembler/ARM64/A64DOpcode.cpp to JavaScriptCore_SOURCES.

        * disassembler/ARM64/A64DOpcode.cpp:
        Added USE(ARM64_DISASSEMBLER) guard around implementation.

        * disassembler/ARM64/A64DOpcode.h:
        (JSC::ARM64Disassembler::A64DOpcode::appendUnsignedImmediate64):
        (JSC::ARM64Disassembler::A64DOpcode::appendPCRelativeOffset):
        Made format strings portable by changing "%llx" to "%" PRIx64 for
        uint64_t arguments.

2014-08-19  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r172401): for-in optimization no longer works at all
        https://bugs.webkit.org/show_bug.cgi?id=136056

        Reviewed by Geoffrey Garen.

        Roll this back in, along with a fix to make proxies work. Previously, for-in over proxies
        would instacrash every time.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetByVal):
        (JSC::BytecodeGenerator::pushIndexedForInScope):
        (JSC::BytecodeGenerator::pushStructureForInScope):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::ForInContext::ForInContext):
        (JSC::StructureForInContext::StructureForInContext):
        (JSC::IndexedForInContext::IndexedForInContext):
        (JSC::ForInContext::base): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitMultiLoopBytecode):
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::getStructurePropertyNames):
        (JSC::JSProxy::getGenericPropertyNames):
        * tests/stress/for-in-base-reassigned-later-and-change-structure.js: Added.
        (foo):
        * tests/stress/for-in-base-reassigned-later.js: Added.
        (foo):
        * tests/stress/for-in-base-reassigned.js: Added.
        (foo):
        * tests/stress/for-in-proxy-target-changed-structure.js: Added.
        (deleteAll):
        (foo):
        * tests/stress/for-in-proxy.js: Added.
        (foo):

2014-08-19  Jaehun Lim  <ljaehun.lim@samsung.com>

        Unreviewed, fix EFL build after r17275

        Fix error: ignoring #pragma clang diagnostic [-Werror=unknown-pragmas]

        * runtime/JSDataViewPrototype.cpp:
        Add #if COMPILER(CLANG) and #endif.

2014-08-19  Michael Saboff  <msaboff@apple.com>

        Crash in jsc-layout-tests.yaml/js/script-tests/reentrant-caching.js
        https://bugs.webkit.org/show_bug.cgi?id=136080

        Reviewed by Mark Lam.

        Update VM::topVMEntryFrame via NativeCallFrameTracer() when we pass the caller's frame
        to NativeCallFrameTracer() as the callee's frame may be the first callee from an entry
        frame.  In that case, the caller will have the prior VM entry frame.

        The new NativeCallFrameTracer with a VMEntryFrame parameter should be used when throwing
        an exception from a caller frame.  The value to use for the VMEntryFrame should be a
        value possibly modified by CallFrame::callerFrame(&*VMEntryFrame) used to find the caller.

        * interpreter/Interpreter.h:
        (JSC::NativeCallFrameTracer::NativeCallFrameTracer): Added a new constructor that takes a
        VMEntryFrame.  Added an ASSERT to both constructors to check that the updated topCallFrame
        is below the current vmEntryFrame.

        * jit/JITOperations.cpp:
        (JSC::operationThrowStackOverflowError):
        (JSC::operationCallArityCheck):
        (JSC::operationConstructArityCheck):
        Set VM::topVMEntryFrame to the possibly updated VMEntryFrame after getting the caller's frame.

2014-08-19  Andy Estes  <aestes@apple.com>

        [Cocoa] Offline Assembler build phase fails when $BUILT_PRODUCTS_DIR contains spaces
        https://bugs.webkit.org/show_bug.cgi?id=136086

        Reviewed by Filip Pizlo.

        Enclosed arguments to asm.rb containing $BUILT_PRODUCTS_DIR in double quotes so that they don't get split on
        whitespace. Also let Xcode have its way with an unrelated part of the project file.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-08-19  Filip Pizlo  <fpizlo@apple.com>

        LLInt build should be way faster
        https://bugs.webkit.org/show_bug.cgi?id=136085

        Reviewed by Geoffrey Garen.

        This does three things to improve the LLInt build performance. One of them is only for
        Xcode for now while the others should benefit all platforms:

        - Don't exponentially build settings combinations that correspond to being on two backends
          simultaneously. This is by far the biggest win.

        - Don't generate offset extraction code for backends that aren't supported by the current
          port. This currently only works on Xcode-based ports. This is a relatively small win.

        - Remove the ALWAYS_ALLOCATE_SLOW option. Each option increases build time, and we haven't
          used this one in a long time. Anyway, setting this option could be emulated by just
          directly hacking the code.

        This is an enormous speed-up in the LLInt build.

        * JavaScriptCore.xcodeproj/project.pbxproj: Prune the set of backends that we should consider on Xcode-based platforms.
        * llint/LLIntOfflineAsmConfig.h: Remove ALWAYS_ALLOCATE_SLOW
        * llint/LowLevelInterpreter.asm: Remove ALWAYS_ALLOCATE_SLOW
        * offlineasm/backends.rb: Add infrastructure for reasoning about valid backends.
        * offlineasm/generate_offset_extractor.rb: Allow the client to specify a filtered set of valid backends.
        * offlineasm/settings.rb: Improve the construction of settings combinations so that it doesn't traverse the enormous set of obviously invalid multi-backend combinations. Also glue into support for valid backends.

2014-08-19  Filip Pizlo  <fpizlo@apple.com>

        Fix indentation and style in LowLevelInterpreter.asm
        https://bugs.webkit.org/show_bug.cgi?id=136083

        Reviewed by Mark Lam.

        * llint/LowLevelInterpreter.asm:

2014-08-19  Magnus Granberg  <zorry@gentoo.org>

        TEXTREL in libjavascriptcoregtk-1.0.so.0.11.0 on x86 (or i586)
        https://bugs.webkit.org/show_bug.cgi?id=70610

        Reviewed by Darin Adler.

        Set up %ebx so we can use the plt.

        * jit/ThunkGenerators.cpp:

2014-08-19  Zalan Bujtas  <zalan@apple.com>

        Remove ENABLE(SUBPIXEL_LAYOUT).
        https://bugs.webkit.org/show_bug.cgi?id=136077

        Reviewed by Simon Fraser.

        Remove compile time flag SUBPIXEL_LAYOUT. All ports have had it enabled for a while now.

        * Configurations/FeatureDefines.xcconfig:

2014-08-19  Alex Christensen  <achristensen@webkit.org>

        [CMake] Generate LLInt assembly correctly on Windows.
        https://bugs.webkit.org/show_bug.cgi?id=135888

        Reviewed by Oliver Hunt.

        * CMakeLists.txt:
        Generate LowLevelInterpreterWin.asm instead of LLIntAssembly.h on Windows like the existing build system.
        * PlatformWin.cmake:
        Don't build JSGlobalObjectInspectorController.cpp on Windows.
        * offlineasm/x86.rb:
        Detect non-cygwin ruby installations correctly.

2014-08-19  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r163179): It broke the build on ARM Thumb2 with GCC
        https://bugs.webkit.org/show_bug.cgi?id=136028

        Reviewed by Oliver Hunt.

        Added back ARMv7 conditionals around three op addp and subp since ARM Thumb2 spec says that
        the behavior for those ops is undefined.  This was originally done in changeset 163179.

        * llint/LowLevelInterpreter32_64.asm:

2014-08-18  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r172741.
        https://bugs.webkit.org/show_bug.cgi?id=136058

        This change is breaking PLT. (Requested by mlam on #webkit).

        Reverted changeset:

        "REGRESSION(r172401): for-in optimization no longer works at
        all"
        https://bugs.webkit.org/show_bug.cgi?id=136056
        http://trac.webkit.org/changeset/172741

2014-08-18  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r172401): for-in optimization no longer works at all
        https://bugs.webkit.org/show_bug.cgi?id=136056

        Reviewed by Mark Hahnenberg.

        This is a partial roll-out of r172401. It turns out that the fix wasn't actually fixing a
        real bug (since it's fine to use op_get_direct_pname on the wrong base because it has a
        structure check) and it was actually breaking the entire for-in optimization (since there is
        no way that we can statically prove that the base matches, because the base we see is a
        newly created temporary, and anyway doing it right would be really hard in our bytecode
        because it's 3AC form).

        But, I added a new test for the problem, and kept the original test. Both the old test and
        the new test prove that r172401 wasn't fixing what it thought it was fixing. To the extent
        that it resolved crashes it was because it just disabled the for-in optimization entirely.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetByVal):
        (JSC::BytecodeGenerator::pushIndexedForInScope):
        (JSC::BytecodeGenerator::pushStructureForInScope):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::ForInContext::ForInContext):
        (JSC::StructureForInContext::StructureForInContext):
        (JSC::IndexedForInContext::IndexedForInContext):
        (JSC::ForInContext::base): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitMultiLoopBytecode):
        * tests/stress/for-in-base-reassigned.js: Added.
        * tests/stress/for-in-base-reassigned-later.js: Added.
        * tests/stress/for-in-base-reassigned-later-and-change-structure.js: Added.

2014-08-18  Mark Lam  <mark.lam@apple.com>

        Gardening: build fix for non-Mac builds after r172737.
        https://bugs.webkit.org/show_bug.cgi?id=135750

        Not reviewed.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2014-08-18  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r172129): ftlopt branch merge made performance tests flakey crash
        https://bugs.webkit.org/show_bug.cgi?id=135750

        Reviewed by Mark Lam.

        This was caused by a rather embarrassing oversight in how the DFG tracks structures: we
        could sometimes perform an optimization that requires a structure to be alive but forget to
        ensure that the structure is actually kept alive. In particular, any watchpoint-based
        optimizations involve setting watchpoints even if the code that got optimized is eventually
        deleted because it is unreachable. All such optimizations would leave behind something in
        the IR to tell us that we are interested in the structure and that therefore it should be
        kept alive. But, IR can be deleted if it is unreachable.

        The solution is to ensure that as soon as the DFG is made aware of a structure, it adds it
        to the set of weak references.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::setOSREntryValue):
        (JSC::DFG::AbstractValue::set):
        (JSC::DFG::AbstractValue::normalizeClarity):
        (JSC::DFG::AbstractValue::assertIsRegistered):
        (JSC::DFG::AbstractValue::assertIsWatched): Deleted.
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::assertIsRegistered):
        (JSC::DFG::AbstractValue::assertIsWatched): Deleted.
        * dfg/DFGCommon.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
        * dfg/DFGDesiredWeakReferences.cpp:
        (JSC::DFG::DesiredWeakReferences::addLazily):
        (JSC::DFG::DesiredWeakReferences::contains):
        (JSC::DFG::DesiredWeakReferences::reallyAdd):
        (JSC::DFG::DesiredWeakReferences::visitChildren):
        * dfg/DFGDesiredWeakReferences.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        (JSC::DFG::Graph::registerFrozenValues):
        (JSC::DFG::Graph::convertToConstant):
        (JSC::DFG::Graph::registerStructure):
        (JSC::DFG::Graph::assertIsRegistered):
        (JSC::DFG::Graph::assertIsWatched): Deleted.
        * dfg/DFGGraph.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGStructureAbstractValue.cpp:
        (JSC::DFG::StructureAbstractValue::assertIsRegistered):
        (JSC::DFG::StructureAbstractValue::assertIsWatched): Deleted.
        * dfg/DFGStructureAbstractValue.h:
        (JSC::DFG::StructureAbstractValue::assertIsRegistered):
        (JSC::DFG::StructureAbstractValue::assertIsWatched): Deleted.
        * dfg/DFGStructureRegistrationPhase.cpp: Copied from Source/JavaScriptCore/dfg/DFGWatchableStructureWatchingPhase.cpp.
        (JSC::DFG::StructureRegistrationPhase::StructureRegistrationPhase):
        (JSC::DFG::StructureRegistrationPhase::run):
        (JSC::DFG::StructureRegistrationPhase::registerStructures):
        (JSC::DFG::StructureRegistrationPhase::registerStructure):
        (JSC::DFG::performStructureRegistration):
        (JSC::DFG::WatchableStructureWatchingPhase::WatchableStructureWatchingPhase): Deleted.
        (JSC::DFG::WatchableStructureWatchingPhase::run): Deleted.
        (JSC::DFG::WatchableStructureWatchingPhase::tryWatch): Deleted.
        (JSC::DFG::performWatchableStructureWatching): Deleted.
        * dfg/DFGStructureRegistrationPhase.h: Copied from Source/JavaScriptCore/dfg/DFGWatchableStructureWatchingPhase.h.
        * dfg/DFGWatchableStructureWatchingPhase.cpp: Removed.
        * dfg/DFGWatchableStructureWatchingPhase.h: Removed.

2014-08-18  Akos Kiss  <akiss@inf.u-szeged.hu>

        Fix ASSERT in ARM64's JSC::GPRInfo::debugName
        https://bugs.webkit.org/show_bug.cgi?id=136050

        Reviewed by Darin Adler.

        Remove cast of GPRReg to unsigned to prevent signed/unsigned comparison
        error.

        * jit/GPRInfo.h:
        (JSC::GPRInfo::debugName):

2014-08-18  Andreas Kling  <akling@apple.com>

        REGRESSION(r168256): JSString can get 8-bit flag wrong when re-using AtomicStrings.
        <https://webkit.org/b/133574>
        <rdar://problem/18051847>

        The optimization that resolves JSRopeStrings into an existing
        AtomicString (to save time and memory by avoiding StringImpl allocation)
718         had a bug where it wasn't copying the 8-bit flag from the AtomicString.
719
720         This could lead to a situation where a 16-bit StringImpl containing
721         only 8-bit characters is sitting in the AtomicString table, is found
722         by the rope resolution optimization, and gives you a rope that thinks
723         it's all 8-bit, but has a fiber with 16-bit characters.
724
725         Resolving that rope will then yield incorrect results.
726
727         This was all caught by an assertion, but very hard to reproduce.
728
729         Test: js/dopey-rope-with-16-bit-propertyname.html
730
731         Reviewed by Darin Adler.
732
733         * runtime/JSString.cpp:
734         (JSC::JSRopeString::resolveRopeToAtomicString):
735         (JSC::JSRopeString::resolveRopeToExistingAtomicString):
736         * runtime/JSString.h:
737         (JSC::JSString::setIs8Bit):
738         (JSC::JSString::toExistingAtomicString):
739
740 2014-08-18  Matthew Mirman  <mmirman@apple.com>
741
742         Merges the two native inlining passes from the build.
743         Also adds the AvailableExternallyLinkage assertion to linked
744         functions to allow unused and duplicate ones to be removed.
745         https://bugs.webkit.org/show_bug.cgi?id=135526
746
747         Reviewed by Filip Pizlo.
748
749         * JavaScriptCore.xcodeproj/project.pbxproj:
750         Removed second generation of llvm binary files.
751         Fixed the flags on the first pass.
752         * build-symbol-table-index.py: Modified some paths.
753         * build-symbol-table-index.sh: Removed.
754         * copy-llvm-ir-to-derived-sources.sh: Now calls build-symbol-table-index directly.
755         * ftl/FTLLowerDFGToLLVM.cpp: Added LLVMAvailableExternallyLinkage assertion.
756         (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):
757         * runtime/ArrayPrototype.cpp: Removed static declarations.
758         * runtime/DateConstructor.cpp: ditto.
759         (JSC::dateParse):
760         (JSC::dateNow):
761         (JSC::dateUTC):
762         * runtime/DatePrototype.cpp: ditto.
763         * runtime/JSDataViewPrototype.cpp: ditto on both.
764         (JSC::dataViewProtoFuncGetInt8):
765         (JSC::dataViewProtoFuncGetInt16):
766         (JSC::dataViewProtoFuncGetInt32):
767         (JSC::dataViewProtoFuncGetUint8):
768         (JSC::dataViewProtoFuncGetUint16):
769         (JSC::dataViewProtoFuncGetUint32):
770         (JSC::dataViewProtoFuncGetFloat32):
771         (JSC::dataViewProtoFuncGetFloat64):
772         (JSC::dataViewProtoFuncSetInt8):
773         (JSC::dataViewProtoFuncSetInt16):
774         (JSC::dataViewProtoFuncSetInt32):
775         (JSC::dataViewProtoFuncSetUint8):
776         (JSC::dataViewProtoFuncSetUint16):
777         (JSC::dataViewProtoFuncSetUint32):
778         (JSC::dataViewProtoFuncSetFloat32):
779         (JSC::dataViewProtoFuncSetFloat64):
780         * runtime/JSONObject.cpp: ditto.
781         * runtime/ObjectConstructor.cpp: ditto.
782         * runtime/StringPrototype.cpp: ditto.
783
784 2014-08-18  Saam Barati  <sbarati@apple.com>
785
786         The parser should generate AST nodes for var declarations with no initializers
787         https://bugs.webkit.org/show_bug.cgi?id=135545
788
789         Reviewed by Geoffrey Garen.
790
791         Currently, JSC's parser ignores variable declarations
792         that have no assignment initializer value because all 
793         variables are implicitly assigned to undefined. But, 
794         type profiling needs an AST node to be generated for these 
795         empty variable declarations because it needs to be able to 
796         profile their text locations and to see that their type 
797         is undefined.
798
799         * bytecompiler/NodesCodegen.cpp:
800         (JSC::EmptyVarExpression::emitBytecode):
801         * parser/ASTBuilder.h:
802         (JSC::ASTBuilder::createVarStatement):
803         (JSC::ASTBuilder::createEmptyVarExpression):
804         * parser/NodeConstructors.h:
805         (JSC::EmptyVarExpression::EmptyVarExpression):
806         * parser/Nodes.h:
807         * parser/Parser.cpp:
808         (JSC::Parser<LexerType>::parseVarDeclarationList):
809         * parser/SyntaxChecker.h:
810         (JSC::SyntaxChecker::createEmptyVarExpression):
811
812 2014-08-18  Diego Pino Garcia  <dpino@igalia.com>
813
814         Completed iterator can be revived by adding more than one new entry to the target object
815         https://bugs.webkit.org/show_bug.cgi?id=129993
816
817         Reviewed by Oliver Hunt.
818
819         When the iterator reaches the end, finish the iterator.
820
821         * runtime/JSMapIterator.h:
822         (JSC::JSMapIterator::finish):
823         * runtime/JSSetIterator.h:
824         (JSC::JSSetIterator::finish):
825         * runtime/MapData.h:
826         (JSC::MapData::const_iterator::finish): Set the iterator's index to max
827         Int32.
828         * runtime/MapIteratorPrototype.cpp:
829         (JSC::MapIteratorPrototypeFuncNext):
830         * runtime/SetIteratorPrototype.cpp:
831         (JSC::SetIteratorPrototypeFuncNext):
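
The iterator behaviour this fix enforces, as an added example (this is not code from the WebKit change; the Map and Set contents are constructed sample data): a finished iterator must stay finished after one or two more entries are added to the target object, while a still-running iterator does see entries appended before it completes.

```javascript
// Added example, not part of the WebKit change: checks the ES6 Map/Set
// iterator behaviour that bug 129993 is about. An iterator that has already
// reported { done: true } must stay finished, however many entries are added
// to the collection afterwards; an iterator that is still running does see
// entries added before it completes.

// Advance an iterator until it reports done; returns how many values it yielded.
function drain(iterator) {
  let count = 0;
  while (!iterator.next().done)
    count++;
  return count;
}

// Generic probe: finish the iterator, grow the collection by `entriesToAdd`
// entries, then ask for one more value. Returns true if the finished iterator
// came back to life (the bug), false if it stayed done (the fixed behaviour).
function isRevived(collection, iterator, addEntry, entriesToAdd) {
  drain(iterator);
  for (let i = 0; i < entriesToAdd; i++)
    addEntry(collection, i);
  return !iterator.next().done;
}

// Map iterator over keys; new entries are added after completion.
function mapIteratorRevived(entriesToAdd) {
  const map = new Map([["a", 1]]);                 // constructed sample data
  return isRevived(map, map.keys(), (m, i) => m.set("k" + i, i), entriesToAdd);
}

// Same probe for Set values.
function setIteratorRevived(entriesToAdd) {
  const set = new Set([1]);                        // constructed sample data
  return isRevived(set, set.values(), (s, i) => s.add(100 + i), entriesToAdd);
}

// Contrast case: a Map iterator that has not finished is live and must visit
// entries appended before it reaches the end.
function liveIteratorSeesNewEntries() {
  const map = new Map([["a", 1]]);
  const it = map.keys();
  it.next();                 // consumes "a"; iterator is not finished yet
  map.set("b", 2);           // appended while the iterator is still live
  const step = it.next();
  return step.done === false && step.value === "b";
}

// Stand-alone run: report each probe.
console.log("Map revived after 1 add:", mapIteratorRevived(1));            // false
console.log("Map revived after 2 adds:", mapIteratorRevived(2));           // false
console.log("Set revived after 2 adds:", setIteratorRevived(2));           // false
console.log("Live iterator sees new entry:", liveIteratorSeesNewEntries()); // true
```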
832
833 2014-08-15  Brian J. Burg  <burg@cs.washington.edu>
834
835         Web Inspector: rewrite CodeGeneratorInspector to be modular and testable
836         https://bugs.webkit.org/show_bug.cgi?id=131596
837
838         Unreviewed gardening to rebaseline inspector generator tests after addressing review comments.
839
840         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
841         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
842         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
843         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
844         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
845         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
846         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
847         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
848         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
849         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
850         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
851
852 2014-08-15  Brian J. Burg  <burg@cs.washington.edu>
853
854         Unreviewed build fix for some GTK bots after r172655.
855
856         Some bots use Python 2.6, which lacks the 'flags' named parameter for re.sub.
857
858         * inspector/scripts/codegen/generator.py:
859         (Generator.stylized_name_for_enum_value): Do things the old-school way.
860
861 2014-08-15  Michael Saboff  <msaboff@apple.com>
862
863         Change callToJavaScript and callToNativeFunction so their callFrames match the native calling conventions
864         https://bugs.webkit.org/show_bug.cgi?id=131578
865
866         Reviewed by Geoffrey Garen.
867
868         Renamed callToJavaScript and callToNativeFunction to vmEntryToJavaScript and vmEntryToNative,
869         respectively.  Eliminated the sentinel frame and replaced it with the structure VMEntryRecord
870         that appears in the "locals" area of a VM entry stack frame.  Changed the order in which
871         vmEntryToJavaScript and vmEntryToNative create their stack frames to be native calling
872         convention compliant.  That is: save the prior frame pointer, save callee-save registers, then
873         allocate and populate the VMEntryRecord, and finally allocate a CallFrame for the JS function
874         that vmEntryToJavaScript will invoke.  The topmost VM entry frame pointer is saved in
875         VM::topVMEntryFrame.  The vmEntry functions save prior contents of VM::topVMEntryFrame
876         along with the VM and VM::topCallFrame in the VMEntryRecord it places on the stack.  Starting
877         at VM::topCallFrame, the stack can be walked using these VMEntryRecords.
878
879         Arbitrary stack unwinding is now handled either iteratively by loading VM::topVMEntryFrame
880         into a local variable and using CallFrame::callerFrame(VMEntryFrame*&) or by using StackVisitor.
881         Given that the stack is effectively a singly linked list, general stack unwinding needs to use
882         one of these two methods.
883
884         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
885         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
886         * JavaScriptCore.xcodeproj/project.pbxproj:
887         Addition of VMEntryRecord.h
888
889         * bytecode/BytecodeList.json:
890         Renaming of llint helper opcodes due to renaming callToJavaScript and callToNativeFunction.
891
892         * debugger/Debugger.cpp:
893         (JSC::Debugger::stepOutOfFunction):
894         (JSC::Debugger::returnEvent):
895         (JSC::Debugger::didExecuteProgram):
896         * jsc.cpp:
897         (functionDumpCallFrame):
898         * jit/JITOperations.cpp:
899         Changed unwinding to use CallFrame::callerFrame(VMEntryFrame*&).
900
901         * bytecode/CodeBlock.cpp:
902         (JSC::RecursionCheckFunctor::RecursionCheckFunctor):
903         (JSC::RecursionCheckFunctor::operator()):
904         (JSC::RecursionCheckFunctor::didRecurse):
905         (JSC::CodeBlock::noticeIncomingCall):
906         * debugger/DebuggerCallFrame.cpp:
907         (JSC::FindCallerMidStackFunctor::FindCallerMidStackFunctor):
908         (JSC::FindCallerMidStackFunctor::operator()):
909         (JSC::FindCallerMidStackFunctor::getCallerFrame):
910         (JSC::DebuggerCallFrame::callerFrame):
911         * interpreter/VMInspector.cpp:
912         (JSC::CountFramesFunctor::CountFramesFunctor):
913         (JSC::CountFramesFunctor::operator()):
914         (JSC::CountFramesFunctor::count):
915         (JSC::VMInspector::countFrames):
916         * runtime/VM.cpp:
917         (JSC::VM::VM):
918         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
919         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
920         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame):
921         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index):
922         (JSC::VM::throwException):
923         Changed unwinding to use StackVisitor including added functor classes.
924
925         * interpreter/CallFrame.cpp:
926         (JSC::CallFrame::callerFrame):
927         Added new flavor of callerFrame() that can iteratively unwind the stack.
928
929         * interpreter/CallFrame.h:
930         (JSC::ExecState::callerFrame): Changed callerFrame() to use private common helper.
931         (JSC::ExecState::callerFrameOrVMEntryFrame): Deleted.
932         (JSC::ExecState::isVMEntrySentinel): Deleted.
933         (JSC::ExecState::vmEntrySentinelCallerFrame): Deleted.
934         (JSC::ExecState::initializeVMEntrySentinelFrame): Deleted.
935         (JSC::ExecState::callerFrameSkippingVMEntrySentinel): Deleted.
936         (JSC::ExecState::vmEntrySentinelCodeBlock): Deleted.
937
938         * interpreter/CallFrame.h:
939         (JSC::ExecState::init):
940         (JSC::ExecState::topOfFrame):
941         (JSC::ExecState::currentVPC):
942         (JSC::ExecState::setCurrentVPC):
943         Eliminated unneeded checking of the sentinel frame.
944
945         * interpreter/Interpreter.cpp:
946         (JSC::unwindCallFrame):
947         (JSC::Interpreter::getStackTrace): Updated for unwinding changes.
948         (JSC::Interpreter::unwind): Eliminated unneeded sentinel frame check.
949
950         * interpreter/Interpreter.cpp:
951         (JSC::Interpreter::executeCall):
952         (JSC::Interpreter::executeConstruct):
953         * jit/JITStubs.h:
954         * llint/LLIntThunks.cpp:
955         (JSC::callToJavaScript): Deleted.
956         (JSC::callToNativetion): Deleted.
957         (JSC::vmEntryToJavaScript):
958         (JSC::vmEntryToNative):
959         * llint/LLIntThunks.h:
960         Updated for vmEntryToJavaScript and vmEntryToNative name changes.
961
962         * interpreter/Interpreter.h:
963         (JSC::TopCallFrameSetter::TopCallFrameSetter):
964         (JSC::TopCallFrameSetter::~TopCallFrameSetter):
965         Eliminated unneeded sentinel frame check.
966
967         * interpreter/Interpreter.h:
968         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
969         Removed sentinel specific constructor.
970
971         * interpreter/StackVisitor.cpp:
972         (JSC::StackVisitor::StackVisitor):
973         (JSC::StackVisitor::readFrame):
974         (JSC::StackVisitor::readNonInlinedFrame):
975         (JSC::StackVisitor::readInlinedFrame):
976         (JSC::StackVisitor::Frame::print):
977         * interpreter/StackVisitor.h:
978         (JSC::StackVisitor::Frame::callerIsVMEntry):
979         Changes for unwinding using CallFrame::callerFrame(VMEntryFrame*&).  Also added field that
980         indicates when about to step over a VM entry frame.
981
982         * interpreter/VMEntryRecord.h: Added.
983         (JSC::VMEntryRecord::prevTopCallFrame):
984         (JSC::VMEntryRecord::prevTopVMEntryFrame):
985         New struct to record prior state of VM's notion of VM entry and top call frames.
986
987         * jit/JITCode.cpp:
988         (JSC::JITCode::execute):
989         Use new vmEntryToJavaScript and vmEntryToNative name.
990
991         * llint/LLIntOffsetsExtractor.cpp: Added include for VMEntryRecord.h.
992
993         * llint/LowLevelInterpreter.asm:
994         * llint/LowLevelInterpreter32_64.asm:
995         * llint/LowLevelInterpreter64.asm:
996         Offline assembly implementation of creating a stack frame with a VMEntryRecord as well as restoring
997         relevant VM fields when exiting the VM.  Added a helper that returns a VMEntryRecord given
998         a pointer to the VM entry frame.
999
1000         * llint/LLIntThunks.cpp:
1001         (JSC::vmEntryRecord):
1002         * llint/LowLevelInterpreter.cpp:
1003         (JSC::CLoop::execute):
1004         C Loop changes to mirror the assembly changes.
1005
1006         * runtime/VM.h:
1007         Added topVMEntryFrame field.
1008
1009 2014-08-15  Brian J. Burg  <burg@cs.washington.edu>
1010
1011         Web Inspector: rewrite CodeGeneratorInspector to be modular and testable
1012         https://bugs.webkit.org/show_bug.cgi?id=131596
1013
1014         Reviewed by Joseph Pecoraro.
1015
1016         Replace CodeGeneratorInspector.py with generate-inspector-protocol-bindings.py.
1017         The new generator decouples parsing and typechecking a model of the protocol from
1018         code generation. Each generated file is created by a different subclass of Generator.
1019         Helper methods to compute various type signatures are shared among generators.
1020
1021         This patch introduces a test harness and a test suite that covers all functionality.
1022
1023         Aside from hooking up the new inspector bindings generator to the build system,
1024         there are a few commingled changes that would be painful to split from the main
1025         patch:
1026
1027         Convert protocol enumeration types from struct-namespaced enums to C++ scoped enums.
1028
1029         Move all runtimeCast(), assertValueHasExpectedType(), and RuntimeCastHelper methods to static
1030         methods of BindingTraits specializations.
1031
1032         Together, these changes reduce duplication and make it possible to forward-declare
1033         all protocol enum and object types, reducing weird ordering dependencies between domains.
1034
1035         * CMakeLists.txt:
1036         * DerivedSources.make:
1037         * JavaScriptCore.vcxproj/copy-files.cmd:
1038         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1039         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Add inspector scripts to solution filters.
1040         * JavaScriptCore.xcodeproj/project.pbxproj:
1041         * inspector/ConsoleMessage.cpp: Convert to scoped enums.
1042         (Inspector::messageSourceValue):
1043         (Inspector::messageTypeValue):
1044         (Inspector::messageLevelValue):
1045         * inspector/InjectedScript.cpp: Convert to scoped enums and BindingTraits.
1046         (Inspector::InjectedScript::getFunctionDetails):
1047         (Inspector::InjectedScript::getProperties):
1048         (Inspector::InjectedScript::getInternalProperties):
1049         (Inspector::InjectedScript::wrapCallFrames):
1050         (Inspector::InjectedScript::wrapObject):
1051         (Inspector::InjectedScript::wrapTable):
1052         * inspector/InjectedScriptBase.cpp: Convert InspectorValue::Type to a scoped enum.
1053         (Inspector::InjectedScriptBase::makeEvalCall):
1054         * inspector/InjectedScriptManager.cpp:
1055         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
1056         * inspector/InspectorTypeBuilder.h:
1057         (Inspector::TypeBuilder::Array::create):
1058         (Inspector::TypeBuilder::StructItemTraits::pushRefPtr):
1059         (Inspector::TypeBuilder::ArrayItemHelper<String>::Traits::pushRaw):
1060         (Inspector::TypeBuilder::ArrayItemHelper<int>::Traits::pushRaw):
1061         (Inspector::TypeBuilder::ArrayItemHelper<double>::Traits::pushRaw):
1062         (Inspector::TypeBuilder::ArrayItemHelper<bool>::Traits::pushRaw):
1063         (Inspector::TypeBuilder::ArrayItemHelper<InspectorValue>::Traits::pushRefPtr):
1064         (Inspector::TypeBuilder::ArrayItemHelper<InspectorObject>::Traits::pushRefPtr):
1065         (Inspector::TypeBuilder::ArrayItemHelper<InspectorArray>::Traits::pushRefPtr):
1066         (Inspector::TypeBuilder::PrimitiveBindingTraits::assertValueHasExpectedType):
1067         (Inspector::TypeBuilder::BindingTraits<TypeBuilder::Array<T>>::runtimeCast):
1068         (Inspector::TypeBuilder::BindingTraits<TypeBuilder::Array<T>>::assertValueHasExpectedType):
1069         (Inspector::TypeBuilder::BindingTraits<InspectorValue>::assertValueHasExpectedType):
1070         (Inspector::TypeBuilder::BindingTraits<int>::assertValueHasExpectedType):
1071         (Inspector::TypeBuilder::ExactlyInt::ExactlyInt): Deleted. It was not used.
1072         (Inspector::TypeBuilder::ExactlyInt::operator int): Deleted.
1073         (Inspector::TypeBuilder::ExactlyInt::cast_to_int): Deleted.
1074         (Inspector::TypeBuilder::ExactlyInt::cast_to_int<int>): Deleted.
1075         (Inspector::TypeBuilder::int>): Deleted.
1076         (Inspector::TypeBuilder::RuntimeCastHelper::assertType): Deleted.
1077         (Inspector::TypeBuilder::RuntimeCastHelper::assertAny): Deleted.
1078         (Inspector::TypeBuilder::RuntimeCastHelper::assertInt): Deleted.
1079         (Inspector::TypeBuilder::Array::runtimeCast): Deleted.
1080         (Inspector::TypeBuilder::Array::assertCorrectValue): Deleted.
1081         (Inspector::TypeBuilder::StructItemTraits::assertCorrectValue): Deleted.
1082         (Inspector::TypeBuilder::ArrayItemHelper<String>::Traits::assertCorrectValue): Deleted.
1083         (Inspector::TypeBuilder::ArrayItemHelper<int>::Traits::assertCorrectValue): Deleted.
1084         (Inspector::TypeBuilder::ArrayItemHelper<double>::Traits::assertCorrectValue): Deleted.
1085         (Inspector::TypeBuilder::ArrayItemHelper<bool>::Traits::assertCorrectValue): Deleted.
1086         (Inspector::TypeBuilder::ArrayItemHelper<InspectorValue>::Traits::assertCorrectValue): Deleted.
1087         (Inspector::TypeBuilder::ArrayItemHelper<InspectorObject>::Traits::assertCorrectValue): Deleted.
1088         (Inspector::TypeBuilder::ArrayItemHelper<InspectorArray>::Traits::assertCorrectValue): Deleted.
1089         (Inspector::TypeBuilder::ArrayItemHelper<TypeBuilder::Array<T>>::Traits::assertCorrectValue): Deleted.
1090
1091         * inspector/InspectorValues.cpp: Convert InspectorValue::Type to a scoped enum.
1092         (Inspector::InspectorValue::writeJSON):
1093         (Inspector::InspectorBasicValue::asBoolean):
1094         (Inspector::InspectorBasicValue::asNumber):
1095         (Inspector::InspectorBasicValue::writeJSON):
1096         (Inspector::InspectorString::writeJSON):
1097         (Inspector::InspectorObjectBase::InspectorObjectBase):
1098         (Inspector::InspectorObjectBase::setArray): Take InspectorArrayBase.
1099         (Inspector::InspectorObjectBase::setObject): Take InspectorObjectBase.
1100         (Inspector::InspectorArrayBase::InspectorArrayBase):
1101         * inspector/InspectorValues.h:
1102
1103         * inspector/agents/InspectorDebuggerAgent.cpp: Convert to scoped enums.
1104         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
1105         (Inspector::InspectorDebuggerAgent::breakProgram):
1106         * inspector/agents/InspectorDebuggerAgent.h:
1107         * inspector/agents/InspectorRuntimeAgent.cpp:
1108         (Inspector::InspectorRuntimeAgent::parse):
1109         * inspector/agents/InspectorRuntimeAgent.h:
1110
1111         * inspector/scripts/CodeGeneratorInspector.py: Removed.
1112         * inspector/scripts/codegen/__init__.py: Added.
1113         * inspector/scripts/codegen/generate_backend_commands.py: Added.
1114         (BackendCommandsGenerator):
1115         (BackendCommandsGenerator.__init__):
1116         (BackendCommandsGenerator.model):
1117         (BackendCommandsGenerator.output_filename):
1118         (BackendCommandsGenerator.generate_license):
1119         (BackendCommandsGenerator.generate_output):
1120         (BackendCommandsGenerator.generate_domain):
1121         (BackendCommandsGenerator.generate_domain.is_anonymous_enum_member):
1122         (BackendCommandsGenerator.generate_domain.generate_parameter_object):
1123         * inspector/scripts/codegen/generate_backend_dispatcher_header.py: Added.
1124         (BackendDispatcherHeaderGenerator):
1125         (BackendDispatcherHeaderGenerator.__init__):
1126         (BackendDispatcherHeaderGenerator.model):
1127         (BackendDispatcherHeaderGenerator.output_filename):
1128         (BackendDispatcherHeaderGenerator.generate_license):
1129         (BackendDispatcherHeaderGenerator.generate_output):
1130         (BackendDispatcherHeaderGenerator.generate_output.for):
1131         (BackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain):
1132         (BackendDispatcherHeaderGenerator._generate_anonymous_enum_for_parameter):
1133         (BackendDispatcherHeaderGenerator._generate_handler_declaration_for_command):
1134         (BackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
1135         (BackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
1136         (BackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
1137         * inspector/scripts/codegen/generate_backend_dispatcher_implementation.py: Added.
1138         (BackendDispatcherImplementationGenerator):
1139         (BackendDispatcherImplementationGenerator.__init__):
1140         (BackendDispatcherImplementationGenerator.model):
1141         (BackendDispatcherImplementationGenerator.output_filename):
1142         (BackendDispatcherImplementationGenerator.generate_license):
1143         (BackendDispatcherImplementationGenerator.generate_output):
1144         (BackendDispatcherImplementationGenerator._generate_handler_class_destructor_for_domain):
1145         (BackendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain):
1146         (BackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
1147         (BackendDispatcherImplementationGenerator._generate_large_dispatcher_switch_implementation_for_domain):
1148         (BackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
1149         (BackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
1150         * inspector/scripts/codegen/generate_frontend_dispatcher_header.py: Added.
1151         (FrontendDispatcherHeaderGenerator):
1152         (FrontendDispatcherHeaderGenerator.__init__):
1153         (FrontendDispatcherHeaderGenerator.model):
1154         (FrontendDispatcherHeaderGenerator.output_filename):
1155         (FrontendDispatcherHeaderGenerator.generate_license):
1156         (FrontendDispatcherHeaderGenerator.generate_output):
1157         (FrontendDispatcherHeaderGenerator._generate_anonymous_enum_for_parameter):
1158         (FrontendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
1159         (FrontendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_event):
1160         * inspector/scripts/codegen/generate_frontend_dispatcher_implementation.py: Added.
1161         (FrontendDispatcherImplementationGenerator):
1162         (FrontendDispatcherImplementationGenerator.__init__):
1163         (FrontendDispatcherImplementationGenerator.model):
1164         (FrontendDispatcherImplementationGenerator.output_filename):
1165         (FrontendDispatcherImplementationGenerator.generate_license):
1166         (FrontendDispatcherImplementationGenerator.generate_output):
1167         (FrontendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain):
1168         (FrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
1169         * inspector/scripts/codegen/generate_type_builder_header.py: Added.
1170         (TypeBuilderHeaderGenerator):
1171         (TypeBuilderHeaderGenerator.__init__):
1172         (TypeBuilderHeaderGenerator.model):
1173         (TypeBuilderHeaderGenerator.output_filename):
1174         (TypeBuilderHeaderGenerator.generate_license):
1175         (TypeBuilderHeaderGenerator.generate_output):
1176         (TypeBuilderHeaderGenerator._generate_forward_declarations):
1177         (_generate_typedefs):
1178         (_generate_typedefs_for_domain):
1179         (_generate_builders_for_domain):
1180         (_generate_class_for_object_declaration):
1181         (_generate_struct_for_enum_declaration):
1182         (_generate_struct_for_anonymous_enum_member):
1183         (_generate_struct_for_anonymous_enum_member.apply_indentation):
1184         (_generate_struct_for_enum_type):
1185         (_generate_builder_state_enum):
1186         (_generate_builder_setter_for_member):
1187         (_generate_unchecked_setter_for_member):
1188         (_generate_forward_declarations_for_binding_traits):
1189         * inspector/scripts/codegen/generate_type_builder_implementation.py: Added.
1190         (TypeBuilderImplementationGenerator):
1191         (TypeBuilderImplementationGenerator.__init__):
1192         (TypeBuilderImplementationGenerator.model):
1193         (TypeBuilderImplementationGenerator.output_filename):
1194         (TypeBuilderImplementationGenerator.generate_license):
1195         (TypeBuilderImplementationGenerator.generate_output):
1196         (TypeBuilderImplementationGenerator._generate_enum_mapping):
1197         (TypeBuilderImplementationGenerator._generate_open_field_names):
1198         (TypeBuilderImplementationGenerator._generate_builders_for_domain):
1199         (TypeBuilderImplementationGenerator._generate_runtime_cast_for_object_declaration):
1200         (TypeBuilderImplementationGenerator._generate_assertion_for_object_declaration):
1201         (TypeBuilderImplementationGenerator._generate_assertion_for_enum):
1202         * inspector/scripts/codegen/generator.py: Added.
1203         (ucfirst):
1204         (Generator):
1205         (Generator.__init__):
1206         (Generator.model):
1207         (Generator.generate_license):
1208         (Generator.domains_to_generate):
1209         (Generator.generate_output):
1210         (Generator.output_filename):
1211         (Generator.encoding_for_enum_value):
1212         (Generator.assigned_enum_values):
1213         (Generator.type_needs_runtime_casts):
1214         (Generator.type_has_open_fields):
1215         (Generator.type_needs_shape_assertions):
1216         (Generator.calculate_types_requiring_shape_assertions):
1217         (Generator.calculate_types_requiring_shape_assertions.gather_transitively_referenced_types):
1218         (Generator._traverse_and_assign_enum_values):
1219         (Generator._assign_encoding_for_enum_value):
1220         (Generator.wrap_with_guard_for_domain):
1221         (Generator.stylized_name_for_enum_value):
1222         (Generator.stylized_name_for_enum_value.replaceCallback):
1223         (Generator.keyed_get_method_for_type):
1224         (Generator.keyed_set_method_for_type):
1225         (Generator.type_builder_string_for_type):
1226         (Generator.type_builder_string_for_type_member):
1227         (Generator.type_string_for_unchecked_formal_in_parameter):
1228         (Generator.type_string_for_checked_formal_event_parameter):
1229         (Generator.type_string_for_type_member):
1230         (Generator.type_string_for_type_with_name):
1231         (Generator.type_string_for_formal_out_parameter):
1232         (Generator.type_string_for_formal_async_parameter):
1233         (Generator.type_string_for_stack_in_parameter):
1234         (Generator.type_string_for_stack_out_parameter):
1235         (Generator.assertion_method_for_type_member):
1236         (Generator.assertion_method_for_type_member.assertion_method_for_type):
1237         (Generator.cpp_name_for_primitive_type):
1238         (Generator.js_name_for_parameter_type):
1239         (Generator.should_use_wrapper_for_return_type):
1240         (Generator.should_pass_by_copy_for_return_type):
1241         * inspector/scripts/codegen/generator_templates.py: Added.
1242         (GeneratorTemplates):
1243         (void):
1244         (HashMap):
1245         (Builder):
1246         (Inspector):
1247         * inspector/scripts/codegen/models.py: Added.
1248         (ucfirst):
1249         (ParseException):
1250         (TypecheckException):
1251         (Framework):
1252         (Framework.__init__):
1253         (Framework.setting):
1254         (Framework.fromString):
1255         (Frameworks):
1256         (TypeReference):
1257         (TypeReference.__init__):
1258         (TypeReference.referenced_name):
1259         (Type):
1260         (Type.__init__):
1261         (Type.__eq__):
1262         (Type.__hash__):
1263         (Type.raw_name):
1264         (Type.is_enum):
1265         (Type.type_domain):
1266         (Type.qualified_name):
1267         (Type.resolve_type_references):
1268         (PrimitiveType):
1269         (PrimitiveType.__init__):
1270         (PrimitiveType.__repr__):
1271         (PrimitiveType.type_domain):
1272         (PrimitiveType.qualified_name):
1273         (AliasedType):
1274         (AliasedType.__init__):
1275         (AliasedType.__repr__):
1276         (AliasedType.is_enum):
1277         (AliasedType.type_domain):
1278         (AliasedType.qualified_name):
1279         (AliasedType.resolve_type_references):
1280         (EnumType):
1281         (EnumType.__init__):
1282         (EnumType.__repr__):
1283         (EnumType.is_enum):
1284         (EnumType.type_domain):
1285         (EnumType.enum_values):
1286         (EnumType.qualified_name):
1287         (EnumType.resolve_type_references):
1288         (ArrayType):
1289         (ArrayType.__init__):
1290         (ArrayType.__repr__):
1291         (ArrayType.type_domain):
1292         (ArrayType.qualified_name):
1293         (ArrayType.resolve_type_references):
1294         (ObjectType):
1295         (ObjectType.__init__):
1296         (ObjectType.__repr__):
1297         (ObjectType.type_domain):
1298         (ObjectType.qualified_name):
1299         (check_for_required_properties):
1300         (Protocol):
1301         (Protocol.__init__):
1302         (Protocol.parse_specification):
1303         (Protocol.parse_domain):
1304         (Protocol.parse_type_declaration):
1305         (Protocol.parse_type_member):
1306         (Protocol.parse_command):
1307         (Protocol.parse_event):
1308         (Protocol.parse_call_or_return_parameter):
1309         (Protocol.resolve_types):
1310         (Protocol.lookup_type_for_declaration):
1311         (Protocol.lookup_type_reference):
1312         (Domain):
1313         (Domain.__init__):
1314         (Domain.resolve_type_references):
1315         (Domains):
1316         (TypeDeclaration):
1317         (TypeDeclaration.__init__):
1318         (TypeDeclaration.resolve_type_references):
1319         (TypeMember):
1320         (TypeMember.__init__):
1321         (TypeMember.resolve_type_references):
1322         (Parameter):
1323         (Parameter.__init__):
1324         (Parameter.resolve_type_references):
1325         (Command):
1326         (Command.__init__):
1327         (Command.resolve_type_references):
1328         (Event):
1329         (Event.__init__):
1330         (Event.resolve_type_references):
1331         * inspector/scripts/generate-inspector-protocol-bindings.py: Added.
1332         (IncrementalFileWriter):
1333         (IncrementalFileWriter.__init__):
1334         (IncrementalFileWriter.write):
1335         (IncrementalFileWriter.close):
1336         (generate_from_specification):
1337         (generate_from_specification.load_specification):
1338         * inspector/scripts/tests/commands-with-async-attribute.json: Added.
1339         * inspector/scripts/tests/commands-with-optional-call-return-parameters.json: Added.
1340         * inspector/scripts/tests/domains-with-varying-command-sizes.json: Added.
1341         * inspector/scripts/tests/events-with-optional-parameters.json: Added.
1342         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result: Added.
1343         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result: Added.
1344         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result: Added.
1345         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result: Added.
1346         * inspector/scripts/tests/fail-on-duplicate-type-declarations.json-error: Added.
1347         * inspector/scripts/tests/fail-on-enum-with-no-values.json-error: Added.
1348         * inspector/scripts/tests/fail-on-type-declaration-using-type-reference.json-error: Added.
1349         * inspector/scripts/tests/fail-on-type-with-lowercase-name.json-error: Added.
1350         * inspector/scripts/tests/fail-on-unknown-type-reference-in-type-declaration.json-error: Added.
1351         * inspector/scripts/tests/fail-on-unknown-type-reference-in-type-member.json-error: Added.
1352         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result: Added.
1353         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result: Added.
1354         * inspector/scripts/tests/expected/type-declaration-array-type.json-result: Added.
1355         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result: Added.
1356         * inspector/scripts/tests/expected/type-declaration-object-type.json-result: Added.
1357         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result: Added.
1358         * inspector/scripts/tests/fail-on-duplicate-type-declarations.json: Added.
1359         * inspector/scripts/tests/fail-on-enum-with-no-values.json: Added.
1360         * inspector/scripts/tests/fail-on-type-declaration-using-type-reference.json: Added.
1361         * inspector/scripts/tests/fail-on-type-with-lowercase-name.json: Added.
1362         * inspector/scripts/tests/fail-on-unknown-type-reference-in-type-declaration.json: Added.
1363         * inspector/scripts/tests/fail-on-unknown-type-reference-in-type-member.json: Added.
1364         * inspector/scripts/tests/same-type-id-different-domain.json: Added.
1365         * inspector/scripts/tests/type-declaration-aliased-primitive-type.json: Added.
1366         * inspector/scripts/tests/type-declaration-array-type.json: Added.
1367         * inspector/scripts/tests/type-declaration-enum-type.json: Added.
1368         * inspector/scripts/tests/type-declaration-object-type.json: Added.
1369         * inspector/scripts/tests/type-requiring-runtime-casts.json: Added.
1370
1371 2014-08-15  Matthew Mirman  <mmirman@apple.com>
1372
1373         Made native inlining errors not segfault. 
1374         https://bugs.webkit.org/show_bug.cgi?id=135988
1375         
1376         Reviewed by Geoffrey Garen.
1377
1378         * ftl/FTLAbbreviations.h:
1379         (JSC::FTL::disposeMessage): Added.
1380         * ftl/FTLLowerDFGToLLVM.cpp:
1381         (JSC::FTL::LowerDFGToLLVM::compilePutById): 
1382         abstracted out Options::verboseCompilation as was the case in the rest of the file.
1383         (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
1384         (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol): 
1385         added output error messages for llvm module loading.
1386
1387 2014-08-14  Andreas Kling  <akling@apple.com>
1388
1389         Allocate the whole RegExpMatchesArray backing store up front.
1390         <https://webkit.org/b/135217>
1391
1392         We were using the generic array backing store allocation path for
1393         RegExpMatchesArray which meant starting with 4 slots and then growing
1394         it dynamically as we append. Since we always know the final number of
1395         entries up front, allocate a perfectly-sized backing store right away.
1396
1397         ~2% progression on Octane/regexp.
1398
1399         Reviewed by Geoffrey Garen.
1400
1401         * runtime/JSArray.h:
1402         (JSC::createArrayButterflyWithExactLength):
1403         * runtime/RegExpMatchesArray.cpp:
1404         (JSC::RegExpMatchesArray::create):
1405
1406 2014-08-14  Saam Barati  <sbarati@apple.com>
1407
1408         Allow high fidelity type profiling to be enabled and disabled.
1409         https://bugs.webkit.org/show_bug.cgi?id=135423
1410
1411         Reviewed by Geoffrey Garen.
1412
1413         - Merged op_put_to_scope_with_profile and op_get_from_scope_with_profile into
1414           op_profile_types_with_high_fidelity by adding extra arguments to the opcode.
1415         - Altered SymbolTable to use less memory by adding a rare data structure for 
1416           type profiling.
1417         - Created an interface to turn on and off type profiling from the Web
1418           Inspector.
1419         - Refactored how entries are written to HighFidelityLog to make it
1420           easier to inline when generating machine code.
1421         - Implemented op_profile_types_with_high_fidelity in the baseline JIT
1422           by inlining the process of writing to the log and doing a small amount
1423           of type inference optimizations.
1424
1425         * bytecode/BytecodeList.json:
1426         * bytecode/BytecodeUseDef.h:
1427         (JSC::computeUsesForBytecodeOffset):
1428         (JSC::computeDefsForBytecodeOffset):
1429         * bytecode/CodeBlock.cpp:
1430         (JSC::CodeBlock::dumpBytecode):
1431         (JSC::CodeBlock::CodeBlock):
1432         (JSC::CodeBlock::finalizeUnconditionally):
1433         (JSC::CodeBlock::scopeDependentProfile): Deleted.
1434         * bytecode/CodeBlock.h:
1435         * bytecode/TypeLocation.h:
1436         (JSC::TypeLocation::TypeLocation):
1437         * bytecompiler/BytecodeGenerator.cpp:
1438         (JSC::BytecodeGenerator::generate):
1439         (JSC::BytecodeGenerator::emitMove):
1440         (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
1441         (JSC::BytecodeGenerator::emitGetFromScopeWithProfile): Deleted.
1442         (JSC::BytecodeGenerator::emitPutToScopeWithProfile): Deleted.
1443         * bytecompiler/BytecodeGenerator.h:
1444         * bytecompiler/NodesCodegen.cpp:
1445         (JSC::ThisNode::emitBytecode):
1446         (JSC::ResolveNode::emitBytecode):
1447         (JSC::BracketAccessorNode::emitBytecode):
1448         (JSC::DotAccessorNode::emitBytecode):
1449         (JSC::FunctionCallValueNode::emitBytecode):
1450         (JSC::FunctionCallResolveNode::emitBytecode):
1451         (JSC::FunctionCallBracketNode::emitBytecode):
1452         (JSC::FunctionCallDotNode::emitBytecode):
1453         (JSC::CallFunctionCallDotNode::emitBytecode):
1454         (JSC::ApplyFunctionCallDotNode::emitBytecode):
1455         (JSC::PostfixNode::emitResolve):
1456         (JSC::PostfixNode::emitBracket):
1457         (JSC::PostfixNode::emitDot):
1458         (JSC::PrefixNode::emitResolve):
1459         (JSC::PrefixNode::emitBracket):
1460         (JSC::PrefixNode::emitDot):
1461         (JSC::ReadModifyResolveNode::emitBytecode):
1462         (JSC::AssignResolveNode::emitBytecode):
1463         (JSC::AssignDotNode::emitBytecode):
1464         (JSC::ReadModifyDotNode::emitBytecode):
1465         (JSC::AssignBracketNode::emitBytecode):
1466         (JSC::ReadModifyBracketNode::emitBytecode):
1467         (JSC::ReturnNode::emitBytecode):
1468         (JSC::FunctionBodyNode::emitBytecode):
1469         * inspector/agents/InspectorRuntimeAgent.cpp:
1470         (Inspector::InspectorRuntimeAgent::InspectorRuntimeAgent):
1471         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1472         (Inspector::TypeRecompiler::operator()):
1473         (Inspector::recompileAllJSFunctionsForTypeProfiling):
1474         (Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend):
1475         (Inspector::InspectorRuntimeAgent::enableHighFidelityTypeProfiling):
1476         (Inspector::InspectorRuntimeAgent::disableHighFidelityTypeProfiling):
1477         (Inspector::InspectorRuntimeAgent::setHighFidelityTypeProfilingEnabledState):
1478         * inspector/agents/InspectorRuntimeAgent.h:
1479         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
1480         (Inspector::JSGlobalObjectRuntimeAgent::willDestroyFrontendAndBackend):
1481         * inspector/protocol/Runtime.json:
1482         * jit/JIT.cpp:
1483         (JSC::JIT::privateCompileMainPass):
1484         (JSC::JIT::privateCompile):
1485         * jit/JIT.h:
1486         * jit/JITOpcodes.cpp:
1487         (JSC::JIT::emit_op_profile_types_with_high_fidelity):
1488         * jit/JITOpcodes32_64.cpp:
1489         (JSC::JIT::emit_op_profile_types_with_high_fidelity):
1490         * jit/JITOperations.cpp:
1491         * jit/JITOperations.h:
1492         * llint/LLIntSlowPaths.cpp:
1493         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1494         (JSC::LLInt::getFromScopeCommon): Deleted.
1495         (JSC::LLInt::putToScopeCommon): Deleted.
1496         * llint/LLIntSlowPaths.h:
1497         * llint/LowLevelInterpreter.asm:
1498         * runtime/CodeCache.cpp:
1499         (JSC::CodeCache::getGlobalCodeBlock):
1500         * runtime/CommonSlowPaths.cpp:
1501         (JSC::SLOW_PATH_DECL):
1502         * runtime/CommonSlowPaths.h:
1503         * runtime/HighFidelityLog.cpp:
1504         (JSC::HighFidelityLog::initializeHighFidelityLog):
1505         (JSC::HighFidelityLog::~HighFidelityLog):
1506         (JSC::HighFidelityLog::processHighFidelityLog):
1507         * runtime/HighFidelityLog.h:
1508         (JSC::HighFidelityLog::LogEntry::structureIDOffset):
1509         (JSC::HighFidelityLog::LogEntry::valueOffset):
1510         (JSC::HighFidelityLog::LogEntry::locationOffset):
1511         (JSC::HighFidelityLog::recordTypeInformationForLocation):
1512         (JSC::HighFidelityLog::logEndPtr):
1513         (JSC::HighFidelityLog::logStartOffset):
1514         (JSC::HighFidelityLog::currentLogEntryOffset):
1515         * runtime/HighFidelityTypeProfiler.cpp:
1516         (JSC::HighFidelityTypeProfiler::logTypesForTypeLocation):
1517         (JSC::descriptorMatchesTypeLocation):
1518         * runtime/HighFidelityTypeProfiler.h:
1519         * runtime/SymbolTable.cpp:
1520         (JSC::SymbolTable::SymbolTable):
1521         (JSC::SymbolTable::cloneCapturedNames):
1522         (JSC::SymbolTable::prepareForHighFidelityTypeProfiling):
1523         (JSC::SymbolTable::uniqueIDForVariable):
1524         (JSC::SymbolTable::uniqueIDForRegister):
1525         (JSC::SymbolTable::globalTypeSetForRegister):
1526         (JSC::SymbolTable::globalTypeSetForVariable):
1527         * runtime/SymbolTable.h:
1528         (JSC::SymbolTable::add):
1529         (JSC::SymbolTable::set):
1530         * runtime/TypeLocationCache.cpp:
1531         (JSC::TypeLocationCache::getTypeLocation):
1532         * runtime/TypeSet.cpp:
1533         (JSC::TypeSet::getRuntimeTypeForValue):
1534         (JSC::TypeSet::addTypeInformation):
1535         (JSC::TypeSet::allPrimitiveTypeNames):
1536         (JSC::TypeSet::addTypeForValue): Deleted.
1537         * runtime/TypeSet.h:
1538         * runtime/VM.cpp:
1539         (JSC::VM::VM):
1540         (JSC::VM::nextTypeLocation):
1541         (JSC::VM::enableHighFidelityTypeProfiling):
1542         (JSC::VM::disableHighFidelityTypeProfiling):
1543         (JSC::VM::dumpHighFidelityProfilingTypes):
1544         * runtime/VM.h:
1545         (JSC::VM::nextLocation): Deleted.
1546
1547 2014-08-14  Oliver Hunt  <oliver@apple.com>
1548
1549         Update scope resolution to assume that the parent activation is always there
1550         https://bugs.webkit.org/show_bug.cgi?id=135947
1551
1552         Reviewed by Andreas Kling.
1553
1554         Another incremental step in removing the idea of lazily created
1555         activations.
1556
1557         * dfg/DFGSpeculativeJIT32_64.cpp:
1558         (JSC::DFG::SpeculativeJIT::compile):
1559         * dfg/DFGSpeculativeJIT64.cpp:
1560         (JSC::DFG::SpeculativeJIT::compile):
1561         * jit/JITPropertyAccess.cpp:
1562         (JSC::JIT::emitResolveClosure):
1563         * jit/JITPropertyAccess32_64.cpp:
1564         (JSC::JIT::emitResolveClosure):
1565         * llint/LowLevelInterpreter32_64.asm:
1566         * llint/LowLevelInterpreter64.asm:
1567
1568 2014-08-14  Oliver Hunt  <oliver@apple.com>
1569
1570         Create activations eagerly
1571         https://bugs.webkit.org/show_bug.cgi?id=135942
1572
1573         Reviewed by Geoffrey Garen.
1574
1575         Prepare to rewrite activation objects into a more
1576         sane implementation. Step 1 is reverting to eager
1577         creation of the activation object. This results in
1578         a 1.35x regression in earley, but otherwise has a
1579         minimal performance impact.
1580
1581         The earley regression is being tracked by bug #135943
1582
1583         * bytecompiler/BytecodeGenerator.cpp:
1584         (JSC::BytecodeGenerator::BytecodeGenerator):
1585         (JSC::BytecodeGenerator::emitNewFunctionInternal):
1586         (JSC::BytecodeGenerator::emitNewFunctionExpression):
1587         (JSC::BytecodeGenerator::emitCallEval):
1588         (JSC::BytecodeGenerator::emitPushWithScope):
1589         (JSC::BytecodeGenerator::emitPushCatchScope):
1590         (JSC::BytecodeGenerator::createActivationIfNecessary): Deleted.
1591         * bytecompiler/BytecodeGenerator.h:
1592         * jit/JITOpcodes.cpp:
1593         (JSC::JIT::emit_op_create_activation):
1594         * jit/JITOpcodes32_64.cpp:
1595         (JSC::JIT::emit_op_create_activation):
1596         * llint/LowLevelInterpreter32_64.asm:
1597         * llint/LowLevelInterpreter64.asm:
1598
1599 2014-08-14  Oliver Hunt  <oliver@apple.com>
1600
1601         Create activations eagerly
1602         https://bugs.webkit.org/show_bug.cgi?id=135942
1603
1604         Reviewed by Geoffrey Garen.
1605
1606         Prepare to rewrite activation objects into a more
1607         sane implementation. Step 1 is reverting to eager
1608         creation of the activation object. This results in
1609         a 1.35x regression in earley, but otherwise has a
1610         minimal performance impact.
1611
1612         The earley regression is being tracked by 
1613         http://webkit.org/b/135943
1614
1615         * bytecompiler/BytecodeGenerator.cpp:
1616         (JSC::BytecodeGenerator::BytecodeGenerator):
1617         (JSC::BytecodeGenerator::emitNewFunctionInternal):
1618         (JSC::BytecodeGenerator::emitNewFunctionExpression):
1619         (JSC::BytecodeGenerator::emitCallEval):
1620         (JSC::BytecodeGenerator::emitPushWithScope):
1621         (JSC::BytecodeGenerator::emitPushCatchScope):
1622         (JSC::BytecodeGenerator::createActivationIfNecessary): Deleted.
1623         * bytecompiler/BytecodeGenerator.h:
1624         * jit/JITOpcodes.cpp:
1625         (JSC::JIT::emit_op_create_activation):
1626         * jit/JITOpcodes32_64.cpp:
1627         (JSC::JIT::emit_op_create_activation):
1628         * llint/LowLevelInterpreter32_64.asm:
1629         * llint/LowLevelInterpreter64.asm:
1630
1631 2014-08-14  Tomas Popela  <tpopela@redhat.com>
1632
1633         Add support for ppc, ppc64, ppc64le, s390, s390x into the CMake build
1634         https://bugs.webkit.org/show_bug.cgi?id=135937
1635
1636         Reviewed by Carlos Garcia Campos.
1637
1638         * CMakeLists.txt:
1639
1640 2014-08-14  Akos Kiss  <akiss@inf.u-szeged.hu>
1641
1642         Fix JSC::ARM64Assembler::LinkRecord::RealTypes
1643         https://bugs.webkit.org/show_bug.cgi?id=135906
1644
1645         Reviewed by Michael Saboff.
1646
1647         JSC::ARM64Assembler::LinkRecord::RealTypes::m_compareRegister is defined
1648         to occupy 5 bits but JSC::ARM64Assembler::RegisterID needs 6 bits. So,
1649         increase the size of the bit field and also reorganize the struct to 
1650         better align with word boundaries.
1651
1652         * assembler/ARM64Assembler.h:
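
The entry above describes a bit-field one bit too narrow for the enum stored in it. The following is an added example, not JavaScriptCore code: the enum, struct names and field layout are stand-ins, assumed for illustration. It shows how an unsigned bit-field silently keeps only the low bits of an oversized value, and the compile-time and runtime checks that catch the mismatch before it reaches a link record.

```c
#include <stdio.h>

/* Added example, not JavaScriptCore code. The enum stands in for a register
 * numbering that needs 6 bits (values 0..63); the two structs show a link
 * record whose bit-field is one bit too narrow versus one that is wide enough. */
enum reg_id { REG_FIRST = 0, REG_GPR_LAST = 31, REG_FPR_FIRST = 32, REG_LAST = 63 };

struct narrow_record {
    unsigned is_condition_branch : 1;
    unsigned compare_register    : 5; /* too narrow: holds 0..31 */
    unsigned condition           : 4;
};

struct wide_record {
    unsigned is_condition_branch : 1;
    unsigned compare_register    : 6; /* holds 0..63 */
    unsigned condition           : 4;
};

/* Compile-time guard: fails the build if the enum grows past the field. */
_Static_assert(REG_LAST < (1u << 6), "compare_register bit-field cannot hold every reg_id");

/* Store a register number through each record and read it back; the narrow
 * field keeps only the low 5 bits (an unsigned bit-field reduces the value
 * modulo 2^width), so register 40 comes back as 8. */
unsigned store_narrow(unsigned reg)
{
    struct narrow_record r = {0};
    r.compare_register = reg;
    return r.compare_register;
}

unsigned store_wide(unsigned reg)
{
    struct wide_record r = {0};
    r.compare_register = reg;
    return r.compare_register;
}

/* Smallest width that can represent every value in 0..max_value. */
unsigned bits_needed(unsigned max_value)
{
    unsigned n = 0;
    while (max_value) {
        n++;
        max_value >>= 1;
    }
    return n ? n : 1;
}

/* Runtime form of the same check, for widths chosen from data. */
int field_fits(unsigned max_value, unsigned width_bits)
{
    return width_bits >= 32 || max_value < (1u << width_bits);
}

int main(void)
{
    unsigned reg = REG_FPR_FIRST + 8; /* 40: needs the sixth bit */
    printf("reg %u through 5-bit field -> %u\n", reg, store_narrow(reg));
    printf("reg %u through 6-bit field -> %u\n", reg, store_wide(reg));
    printf("bits needed for REG_LAST=%d: %u\n", REG_LAST, bits_needed(REG_LAST));
    return 0;
}
```

The _Static_assert is the check worth carrying into real code: a register enum tends to grow, and a bit-field width fixed years earlier will not complain on its own.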
1653
1654 2014-08-13  Akos Kiss  <akiss@inf.u-szeged.hu>
1655
1656         Add ARM64 support to CMake-based builds
1657         https://bugs.webkit.org/show_bug.cgi?id=135912
1658
1659         Reviewed by Gyuyoung Kim.
1660
1661         This patch ensures that CMake does not fail with Unknown CPU error when
1662         building for ARM64.
1663
1664         * CMakeLists.txt:
1665
1666 2014-08-13  Wenson Hsieh  <wenson_hsieh@apple.com>
1667
1668         Enable CSS_SCROLL_SNAP for iOS
1669         https://bugs.webkit.org/show_bug.cgi?id=135915
1670
1671         Turn on CSS_SCROLL_SNAP for iOS and the iOS simulator.
1672
1673         Reviewed by Tim Horton.
1674
1675         * Configurations/FeatureDefines.xcconfig:
1676
1677 2014-08-13  Alex Christensen  <achristensen@webkit.org>
1678
1679         Progress towards CMake on Mac.
1680         https://bugs.webkit.org/show_bug.cgi?id=135819
1681
1682         Reviewed by Laszlo Gombos.
1683
1684         * CMakeLists.txt:
1685         Add the remote inspector headers to the forwarding headers list.
1686
1687 2014-08-13  Daniel Bates  <dabates@apple.com>
1688
1689         [iOS] Make JavaScriptCore and bmalloc build with the public SDK
1690         https://bugs.webkit.org/show_bug.cgi?id=135848
1691
1692         Reviewed by Geoffrey Garen.
1693
1694         * API/JSBase.h: Declare NSMap functions with external linkage when building for iOS without the
1695         header <Foundation/NSMapTablePriv.h>.
1696         * inspector/remote/RemoteInspector.mm: Define XPC functions with external linkage when building
1697         without the system header <xpc/xpc.h>.
1698         * inspector/remote/RemoteInspectorXPCConnection.h: Define xpc_connection_t and xpc_object_t when building
1699         without the system header <xpc/xpc.h>.
1700         * inspector/remote/RemoteInspectorXPCConnection.mm: Declare XPC functions with external linkage when
        building without the system header <xpc/xpc.h>.
1702         (Inspector::RemoteInspectorXPCConnection::closeOnQueue): Fix code style; use nullptr instead of NULL.
1703         (Inspector::RemoteInspectorXPCConnection::sendMessage): Ditto.
1704
1705 2014-08-12  Peyton Randolph  <prandolph@apple.com>
1706
1707         Runtime switch for long mouse press gesture. Part of 135257 - Add long mouse press gesture.
1708         https://bugs.webkit.org/show_bug.cgi?id=135682
1709
1710         Reviewed by Tim Horton.
1711
1712         * Configurations/FeatureDefines.xcconfig:
1713         Remove ENABLE_LONG_MOUSE_PRESS feature flag.
1714
1715 2014-08-12  Alex Christensen  <achristensen@webkit.org>
1716
1717         Generate header detection headers for CMake on Windows.
1718         https://bugs.webkit.org/show_bug.cgi?id=135807
1719
1720         Reviewed by Brent Fulgham.
1721
1722         * CMakeLists.txt:
1723         Include the derived sources directory to find WTF/WTFHeaderDetection.h.
1724
1725 2014-08-11  Andy Estes  <aestes@apple.com>
1726
1727         [iOS] Get rid of iOS.xcconfig
1728         https://bugs.webkit.org/show_bug.cgi?id=135809
1729
1730         Reviewed by Joseph Pecoraro.
1731
1732         All iOS.xcconfig did was include AspenFamily.xcconfig, so there's no need for the indirection.
1733
1734         * Configurations/Base.xcconfig:
1735         * Configurations/iOS.xcconfig: Removed.
1736         * JavaScriptCore.xcodeproj/project.pbxproj:
1737
1738 2014-08-11  Michael Saboff  <msaboff@apple.com>
1739
1740         Eliminate {push,pop}CalleeSaves in favor of individual pushes & pops
1741         https://bugs.webkit.org/show_bug.cgi?id=127155
1742
1743         Reviewed by Geoffrey Garen.
1744
1745         Eliminated the offline assembler instructions {push,pop}CalleeSaves as well as the
1746         ARM64 specific {push,pop}LRAndFP and replaced them with individual push and pop
1747         instructions. Where the registers referenced by the added push and pop instructions
1748         are not part of the offline assembler register aliases, used a newly added "emit"
1749         offline assembler instruction which takes a string literal and outputs that
1750         string as a native instruction.
1751
1752         * llint/LowLevelInterpreter.asm:
1753         * offlineasm/arm.rb:
1754         * offlineasm/arm64.rb:
1755         * offlineasm/ast.rb:
1756         * offlineasm/cloop.rb:
1757         * offlineasm/instructions.rb:
1758         * offlineasm/mips.rb:
1759         * offlineasm/parser.rb:
1760         * offlineasm/sh4.rb:
1761         * offlineasm/transform.rb:
1762         * offlineasm/x86.rb:
1763
1764 2014-08-11  Mark Lam  <mark.lam@apple.com>
1765
1766         Re-landing r172401 with fixed test.
1767         <https://webkit.org/b/135782>
1768
1769         Not reviewed.
1770
1771         * bytecompiler/BytecodeGenerator.cpp:
1772         (JSC::BytecodeGenerator::emitGetByVal):
1773         (JSC::BytecodeGenerator::pushIndexedForInScope):
1774         (JSC::BytecodeGenerator::pushStructureForInScope):
1775         * bytecompiler/BytecodeGenerator.h:
1776         (JSC::ForInContext::ForInContext):
1777         (JSC::ForInContext::base):
1778         (JSC::StructureForInContext::StructureForInContext):
1779         (JSC::IndexedForInContext::IndexedForInContext):
1780         * bytecompiler/NodesCodegen.cpp:
1781         (JSC::ForInNode::emitMultiLoopBytecode):
1782         * tests/stress/for-in-tests.js:
1783
1784 2014-08-11  Commit Queue  <commit-queue@webkit.org>
1785
1786         Unreviewed, rolling out r172401.
1787         https://bugs.webkit.org/show_bug.cgi?id=135812
1788
1789         Failing stress/for-in-tests.js
        http://build.webkit.org/builders/Apple%20Mavericks%20Release%20WK1%20%28Tests%29/builds/7945/steps/jscore-test/logs/stdio
        (Requested by mlam on #webkit).
1792
1793         Reverted changeset:
1794
1795         "for-in optimization should also make sure the base matches
1796         the object being iterated"
1797         https://bugs.webkit.org/show_bug.cgi?id=135782
1798         http://trac.webkit.org/changeset/172401
1799
1800 2014-08-11  Brian J. Burg  <burg@cs.washington.edu>
1801
1802         Web Inspector: use type builders to construct high fidelity type information payloads
1803         https://bugs.webkit.org/show_bug.cgi?id=135803
1804
1805         Reviewed by Timothy Hatcher.
1806
1807         Due to some typos in the protocol file, the code had worked with raw objects
1808         rather than with type builders. Convert to using builders.
1809
1810         * inspector/agents/InspectorRuntimeAgent.cpp:
1811         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1812         * inspector/agents/InspectorRuntimeAgent.h:
1813         * inspector/protocol/Runtime.json: Fix 'item' for 'items'; true for 'true'.
1814         * runtime/HighFidelityTypeProfiler.cpp:
1815         (JSC::HighFidelityTypeProfiler::getTypesForVariableAtOffsetForInspector):
1816         * runtime/HighFidelityTypeProfiler.h:
1817         * runtime/TypeSet.cpp:
1818         (JSC::TypeSet::allStructureRepresentations):
1819         (JSC::StructureShape::stringRepresentation):
1820         (JSC::StructureShape::inspectorRepresentation):
1821         * runtime/TypeSet.h:
1822
1823 2014-08-11  Mark Hahnenberg  <mhahnenberg@apple.com>
1824
1825         for-in optimization should also make sure the base matches the object being iterated
1826         https://bugs.webkit.org/show_bug.cgi?id=135782
1827
1828         Reviewed by Geoffrey Garen.
1829
1830         If we access a different base object with the same index, we shouldn't try to randomly 
1831         load from that object's backing store.
1832
1833         * bytecompiler/BytecodeGenerator.cpp:
1834         (JSC::BytecodeGenerator::emitGetByVal):
1835         (JSC::BytecodeGenerator::pushIndexedForInScope):
1836         (JSC::BytecodeGenerator::pushStructureForInScope):
1837         * bytecompiler/BytecodeGenerator.h:
1838         (JSC::ForInContext::ForInContext):
1839         (JSC::ForInContext::base):
1840         (JSC::StructureForInContext::StructureForInContext):
1841         (JSC::IndexedForInContext::IndexedForInContext):
1842         * bytecompiler/NodesCodegen.cpp:
1843         (JSC::ForInNode::emitMultiLoopBytecode):
1844         * tests/stress/for-in-tests.js:
1845
1846 2014-08-11  Brent Fulgham  <bfulgham@apple.com>
1847
1848         [Win] Unreviewed gardening.
1849
1850         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Display files in
        proper folder categories.
1852
1853 2014-08-11  Mark Hahnenberg  <mhahnenberg@apple.com>
1854
1855         JIT should use full 64-bit stores for jsBoolean and jsNull
1856         https://bugs.webkit.org/show_bug.cgi?id=135784
1857
1858         Reviewed by Michael Saboff.
1859
1860         This guarantees that we set the high bits of the register with the correct tag.
1861
1862         * dfg/DFGSpeculativeJIT64.cpp:
1863         (JSC::DFG::SpeculativeJIT::compile):
1864         * jit/JITOpcodes.cpp:
1865         (JSC::JIT::emit_op_has_structure_property):
1866         (JSC::JIT::emit_op_next_enumerator_pname):
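
The entry above says a full 64-bit store is what guarantees the high (tag) bits are correct. The following is an added example, not JavaScriptCore code: it models the 64-bit JSValue encoding as assumed from JSC's JSCJSValue.h (int32 values carry the TagTypeNumber bits in the top 16 bits; null, true and false are small immediates in the low byte) and assumes a little-endian target. It shows why a 32-bit store of jsBoolean into a slot that previously held an int32 leaves a value the fast path decodes as a number, which is the type confusion the full-width store removes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not JavaScriptCore code. Encoding constants are assumed from
 * JSC's JSCJSValue.h; a little-endian target is assumed for the memcpy below. */
#define TAG_TYPE_NUMBER 0xffff000000000000ULL
#define VALUE_FALSE     0x06ULL
#define VALUE_TRUE      0x07ULL
#define VALUE_NULL      0x02ULL

typedef uint64_t encoded_value;

enum value_kind { KIND_INT32, KIND_BOOL, KIND_NULL, KIND_OTHER };

/* Decode the type tag the way a JIT fast path would. */
enum value_kind classify(encoded_value v)
{
    if ((v & TAG_TYPE_NUMBER) == TAG_TYPE_NUMBER)
        return KIND_INT32;
    if (v == VALUE_TRUE || v == VALUE_FALSE)
        return KIND_BOOL;
    if (v == VALUE_NULL)
        return KIND_NULL;
    return KIND_OTHER;
}

encoded_value encode_int32(int32_t i)
{
    return TAG_TYPE_NUMBER | (uint32_t)i;
}

/* Buggy pattern: a 32-bit store of the immediate rewrites only the low half
 * of the slot, so whatever tag was there before survives in the high bits. */
void store_bool_32bit(encoded_value *slot, bool b)
{
    uint32_t low = (uint32_t)(b ? VALUE_TRUE : VALUE_FALSE);
    memcpy(slot, &low, sizeof low); /* little-endian: low 4 bytes only */
}

/* Fixed pattern: a full 64-bit store writes tag and payload together. */
void store_bool_64bit(encoded_value *slot, bool b)
{
    *slot = b ? VALUE_TRUE : VALUE_FALSE;
}

/* A slot that previously held the int32 5 receives jsBoolean(false) through
 * either store width; return the raw bits left behind. */
encoded_value bits_after_store(bool use_full_width)
{
    encoded_value slot = encode_int32(5); /* stale contents: 0xffff000000000005 */
    if (use_full_width)
        store_bool_64bit(&slot, false);
    else
        store_bool_32bit(&slot, false);
    return slot;
}

enum value_kind kind_after_store(bool use_full_width)
{
    return classify(bits_after_store(use_full_width));
}

int main(void)
{
    printf("32-bit store: 0x%016llx -> %s\n",
           (unsigned long long)bits_after_store(false),
           kind_after_store(false) == KIND_INT32 ? "decoded as int32 (wrong)" : "decoded as boolean");
    printf("64-bit store: 0x%016llx -> %s\n",
           (unsigned long long)bits_after_store(true),
           kind_after_store(true) == KIND_BOOL ? "decoded as boolean" : "wrong");
    return 0;
}
```

With the 32-bit store the slot reads 0xffff000000000006, which the tag check accepts as the int32 6 rather than the boolean false; only the 64-bit store leaves the word as 0x06.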
1867
1868 2014-08-11  Brent Fulgham  <bfulgham@apple.com>
1869
1870         [Win] Adjust build script for Windows production build.
1871         https://bugs.webkit.org/show_bug.cgi?id=135806
1872         <rdar://problem/17978299>
1873
1874         Reviewed by Timothy Hatcher.
1875
1876         * JavaScriptCore.vcxproj/copy-files.cmd: Copy file for later use
1877         in WebInspectorUI build.
1878
1879 2014-08-10  Oliver Hunt  <oliver@apple.com>
1880
1881         Destructuring assignment in a var declaration list incorrectly consumes subsequent variable initialisers
1882         https://bugs.webkit.org/show_bug.cgi?id=135773
1883
1884         Reviewed by Michael Saboff.
1885
1886         We should be using parseAssignment expression in order to get the correct
1887         precedence.
1888
1889         * parser/Parser.cpp:
1890         (JSC::Parser<LexerType>::parseVarDeclarationList):
1891
1892 2014-08-10  Diego Pino Garcia  <dpino@igalia.com>
1893
1894         JSC Lexer is allowing octals 08 and 09 in strict mode functions
1895         https://bugs.webkit.org/show_bug.cgi?id=135704
1896
1897         Reviewed by Oliver Hunt.
1898
1899         Return syntax error ("Decimal integer literals with a leading zero are
1900         forbidden in strict mode") if a number starts with 0 and is followed 
1901         by a digit.
1902
1903         * parser/Lexer.cpp:
1904         (JSC::Lexer<T>::lex):
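
The entry above states the rule the lexer now enforces: a number starting with 0 and followed by a digit is rejected in strict mode. The following is an added example, not JSC's Lexer: a stand-alone classifier (names and enum values are assumed for illustration) that separates plain decimals from legacy octal literals such as 017 and from leading-zero decimals such as 08 and 09, and reports both of the latter as errors when strict mode is on, so a caller cannot quietly misparse 08 as octal or accept it in strict code.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example, not JSC's Lexer. Applies the ECMAScript rule described in
 * the entry above: '0' followed by another digit is either a legacy octal
 * literal (digits 0-7 only) or a decimal literal with a leading zero
 * (contains 8 or 9); both are syntax errors in strict mode. */
enum literal_class {
    LIT_DECIMAL,              /* "0", "42", "0.5" */
    LIT_HEX,                  /* "0x1f" */
    LIT_LEGACY_OCTAL,         /* "017" outside strict mode */
    LIT_LEADING_ZERO_DECIMAL, /* "08", "09" outside strict mode */
    LIT_STRICT_MODE_ERROR     /* either of the two above when strict */
};

static bool is_digit(char c)
{
    return isdigit((unsigned char)c) != 0;
}

enum literal_class classify_integer_literal(const char *s, bool strict)
{
    if (s[0] != '0')
        return LIT_DECIMAL;
    if (s[1] == 'x' || s[1] == 'X')
        return LIT_HEX;
    if (!is_digit(s[1]))
        return LIT_DECIMAL; /* lone "0", or "0." followed by a fraction */

    /* "Decimal integer literals with a leading zero are forbidden in strict mode" */
    if (strict)
        return LIT_STRICT_MODE_ERROR;

    for (const char *p = s + 1; is_digit(*p); p++) {
        if (*p == '8' || *p == '9')
            return LIT_LEADING_ZERO_DECIMAL;
    }
    return LIT_LEGACY_OCTAL;
}

/* Value of the integer part of a literal accepted by classify_integer_literal;
 * returns -1 for a strict-mode error so the caller cannot use a misparsed number. */
long long integer_literal_value(const char *s, bool strict)
{
    enum literal_class c = classify_integer_literal(s, strict);
    if (c == LIT_STRICT_MODE_ERROR)
        return -1;
    int base = (c == LIT_HEX) ? 16 : (c == LIT_LEGACY_OCTAL) ? 8 : 10;
    const char *p = (c == LIT_HEX) ? s + 2 : s;
    long long v = 0;
    for (; *p; p++) {
        int d;
        if (is_digit(*p))
            d = *p - '0';
        else if (base == 16 && isxdigit((unsigned char)*p))
            d = (tolower((unsigned char)*p) - 'a') + 10;
        else
            break; /* '.', 'e', or end of the integer part */
        v = v * base + d;
    }
    return v;
}

int main(void)
{
    const char *samples[] = { "017", "08", "0", "0.5", "0x1f", "42" };
    for (int strict = 0; strict < 2; strict++) {
        for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++)
            printf("%s strict=%d -> class %d value %lld\n", samples[i], strict,
                   classify_integer_literal(samples[i], strict),
                   integer_literal_value(samples[i], strict));
    }
    return 0;
}
```

Note that the strict-mode check happens before the digits are scanned: 017 and 08 are both rejected there, which matches the message quoted in the entry.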
1905
1906 2014-08-08  Mark Lam  <mark.lam@apple.com>
1907
1908         REGRESSION: Inspector crashes when debugger is paused and injected scripts access window.screen().
1909         <https://webkit.org/b/135656>
1910
1911         Not reviewed.
1912
1913         Rolling out r170680 which was merged to ToT in r172129.
1914
1915         * debugger/Debugger.h:
1916         * debugger/DebuggerCallFrame.cpp:
1917         (JSC::DebuggerCallFrame::scope):
1918         (JSC::DebuggerCallFrame::evaluate):
1919         (JSC::DebuggerCallFrame::invalidate):
1920         * debugger/DebuggerCallFrame.h:
1921         * debugger/DebuggerScope.cpp:
1922         (JSC::DebuggerScope::DebuggerScope):
1923         (JSC::DebuggerScope::finishCreation):
1924         (JSC::DebuggerScope::visitChildren):
1925         (JSC::DebuggerScope::className):
1926         (JSC::DebuggerScope::getOwnPropertySlot):
1927         (JSC::DebuggerScope::put):
1928         (JSC::DebuggerScope::deleteProperty):
1929         (JSC::DebuggerScope::getOwnPropertyNames):
1930         (JSC::DebuggerScope::defineOwnProperty):
1931         (JSC::DebuggerScope::next): Deleted.
1932         (JSC::DebuggerScope::invalidateChain): Deleted.
1933         (JSC::DebuggerScope::isWithScope): Deleted.
1934         (JSC::DebuggerScope::isGlobalScope): Deleted.
1935         (JSC::DebuggerScope::isFunctionScope): Deleted.
1936         * debugger/DebuggerScope.h:
1937         (JSC::DebuggerScope::create):
1938         (JSC::DebuggerScope::Iterator::Iterator): Deleted.
1939         (JSC::DebuggerScope::Iterator::get): Deleted.
1940         (JSC::DebuggerScope::Iterator::operator++): Deleted.
1941         (JSC::DebuggerScope::Iterator::operator==): Deleted.
1942         (JSC::DebuggerScope::Iterator::operator!=): Deleted.
1943         (JSC::DebuggerScope::isValid): Deleted.
1944         (JSC::DebuggerScope::jsScope): Deleted.
1945         (JSC::DebuggerScope::begin): Deleted.
1946         (JSC::DebuggerScope::end): Deleted.
1947         * inspector/JSJavaScriptCallFrame.cpp:
1948         (Inspector::JSJavaScriptCallFrame::scopeType):
1949         (Inspector::JSJavaScriptCallFrame::scopeChain):
1950         * inspector/JavaScriptCallFrame.h:
1951         (Inspector::JavaScriptCallFrame::scopeChain):
1952         * inspector/ScriptDebugServer.cpp:
1953         * runtime/JSGlobalObject.cpp:
1954         (JSC::JSGlobalObject::reset):
1955         (JSC::JSGlobalObject::visitChildren):
1956         * runtime/JSGlobalObject.h:
1957         (JSC::JSGlobalObject::debuggerScopeStructure): Deleted.
1958         * runtime/JSObject.h:
1959         (JSC::JSObject::isWithScope): Deleted.
1960         * runtime/JSScope.h:
1961         * runtime/VM.cpp:
1962         (JSC::VM::VM):
1963         * runtime/VM.h:
1964
1965 2014-08-07  Saam Barati  <sbarati@apple.com>
1966
1967         Create a more generic way for VMEntryScope to notify those interested that it will be destroyed
1968         https://bugs.webkit.org/show_bug.cgi?id=135358
1969
1970         Reviewed by Geoffrey Garen.
1971
1972         When VMEntryScope is destroyed, and it has a flag set indicating that the
1973         Debugger needs to recompile all functions, it calls Debugger::recompileAllJSFunctions. 
1974         This flag is only used by Debugger to have VMEntryScope notify it when the
1975         Debugger is safe to recompile all functions. This patch will substitute this
1976         Debugger-specific recompilation flag with a list of callbacks that are notified 
1977         when the outermost VMEntryScope dies. This creates a general purpose interface 
1978         for being notified when the VM stops executing code via the event of the outermost 
1979         VMEntryScope dying.
1980
1981         * debugger/Debugger.cpp:
1982         (JSC::Debugger::recompileAllJSFunctions):
1983         * runtime/VMEntryScope.cpp:
1984         (JSC::VMEntryScope::VMEntryScope):
1985         (JSC::VMEntryScope::setEntryScopeDidPopListener):
1986         (JSC::VMEntryScope::~VMEntryScope):
1987         * runtime/VMEntryScope.h:
1988         (JSC::VMEntryScope::setRecompilationNeeded): Deleted.
1989
1990 2014-08-07  Benjamin Poulain  <bpoulain@apple.com>
1991
1992         Get rid of SCRIPTED_SPEECH
1993         https://bugs.webkit.org/show_bug.cgi?id=135729
1994
1995         Reviewed by Brent Fulgham.
1996
1997         * Configurations/FeatureDefines.xcconfig:
1998
1999 2014-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>
2000
2001         SpeculateInt32Operand is sometimes used in a 64-bit context, which has undefined behavior
2002         https://bugs.webkit.org/show_bug.cgi?id=135722
2003
2004         Reviewed by Filip Pizlo.
2005
2006         We should be using SpeculateStrictInt32Operand instead.
2007
2008         * dfg/DFGSpeculativeJIT64.cpp:
2009         (JSC::DFG::SpeculativeJIT::compile):
2010
2011 2014-08-07  Benjamin Poulain  <bpoulain@apple.com>
2012
2013         Get rid of INPUT_SPEECH
2014         https://bugs.webkit.org/show_bug.cgi?id=135672
2015
2016         Reviewed by Andreas Kling.
2017
2018         * Configurations/FeatureDefines.xcconfig:
2019
2020 2014-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>
2021
2022         for-in is failing fast/dom/dataset-xhtml.xhtml and dataset.html tests
2023         https://bugs.webkit.org/show_bug.cgi?id=135681
2024
2025         Reviewed by Filip Pizlo.
2026
2027         * runtime/Structure.cpp:
2028         (JSC::Structure::canCacheGenericPropertyNameEnumerator): We were checking the entire 
2029         prototype chain for overridesGetPropertyNames, but we were neglecting to check the 
2030         base object's Structure. D'oh!
2031
2032 2014-08-06  Mark Lam  <mark.lam@apple.com>
2033
2034         Gardening: fix for build failure on EFL bots.
2035
2036         Not reviewed.
2037
2038         * runtime/EnumerationMode.h:
2039         (JSC::shouldIncludeJSObjectPropertyNames):
2040         (JSC::modeThatSkipsJSObject):
2041         * runtime/JSCell.cpp:
2042         (JSC::JSCell::getEnumerableLength):
2043         * runtime/JSCell.h:
2044
2045 2014-08-06  Dean Jackson  <dino@apple.com>
2046
2047         ENABLE_CSS_TRANSFORMS_ANIMATIONS_UNPREFIXED is not used anywhere. Remove it.
2048         https://bugs.webkit.org/show_bug.cgi?id=135675
2049
2050         Reviewed by Sam Weinig.
2051
2052         * Configurations/FeatureDefines.xcconfig:
2053
2054 2014-08-06  Wenson Hsieh  <wenson_hsieh@apple.com>
2055
2056         Implement parsing for CSS scroll snap points
2057         https://bugs.webkit.org/show_bug.cgi?id=134301
2058
2059         Reviewed by Dean Jackson.
2060
2061         * Configurations/FeatureDefines.xcconfig: Added ENABLE_CSS_SCROLL_SNAP
2062
2063 2014-08-06  Mark Lam  <mark.lam@apple.com>
2064
2065         Gardening: fix for build failure on GTK bots.
2066
2067         Not reviewed.
2068
2069         * runtime/FunctionHasExecutedCache.cpp:
2070         - #include <limits.h> for UINT_MAX's definition.
2071
2072 2014-08-06  Mark Lam  <mark.lam@apple.com>
2073
2074         Gardening: fix for build failure on EFL bots.
2075
2076         Not reviewed.
2077
2078         * jit/JITInlines.h:
2079         (JSC::JIT::emitLoadForArrayMode):
2080
2081 2014-08-06  Mark Lam  <mark.lam@apple.com>
2082
2083         Gardening: adding missing build file changes from the FTLOPT merge at r172176.
2084
2085         Not reviewed.
2086
2087         * CMakeLists.txt:
2088         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2089         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2090
2091 2014-08-06  Ryuan Choi  <ryuan.choi@samsung.com>
2092
2093         Unreviewed build fix attempt since r172184
2094
2095         * CMakeLists.txt: Removed TypeLocation.cpp
2096
2097 2014-08-06  Mark Lam  <mark.lam@apple.com>
2098
2099         Gardening: adding missing build file changes from r171510.
2100         <https://webkit.org/b/134860>
2101
2102         Not reviewed.
2103
2104         * CMakeLists.txt:
2105         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2106         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2107
2108 2014-08-06  Mark Lam  <mark.lam@apple.com>
2109
2110         Gardening: adding missing build file changes from r170490.
2111         <https://webkit.org/b/133395>
2112
2113         Not reviewed.
2114
2115         * CMakeLists.txt:
2116         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2117
2118 2014-08-06  Filip Pizlo  <fpizlo@apple.com>
2119
2120         Silence a debug assertion.
2121
2122         Reviewed by Mark Hahnenberg.
2123
2124         * runtime/JSPropertyNameEnumerator.h:
2125         (JSC::JSPropertyNameEnumerator::cachedStructure):
2126
2127 2014-08-06  Filip Pizlo  <fpizlo@apple.com>
2128
2129         Fix 32-bit build.
2130
2131         * jit/JITOpcodes32_64.cpp:
2132         (JSC::JIT::privateCompileHasIndexedProperty):
2133
2134 2014-08-06  Filip Pizlo  <fpizlo@apple.com>
2135
2136         Merge r171389, r171495, r171508, r171510, r171605, r171606, r171611, r171614, r171763 from ftlopt.
2137
2138     2014-07-28  Mark Hahnenberg  <mhahnenberg@apple.com>
2139     
2140             Support for-in in the FTL
2141             https://bugs.webkit.org/show_bug.cgi?id=134140
2142     
2143             Reviewed by Filip Pizlo.
2144     
2145             * dfg/DFGSSALoweringPhase.cpp:
2146             (JSC::DFG::SSALoweringPhase::handleNode):
2147             * ftl/FTLAbstractHeapRepository.cpp:
2148             * ftl/FTLAbstractHeapRepository.h:
2149             * ftl/FTLCapabilities.cpp:
2150             (JSC::FTL::canCompile):
2151             * ftl/FTLIntrinsicRepository.h:
2152             * ftl/FTLLowerDFGToLLVM.cpp:
2153             (JSC::FTL::LowerDFGToLLVM::compileNode):
2154             (JSC::FTL::LowerDFGToLLVM::compileHasIndexedProperty):
2155             (JSC::FTL::LowerDFGToLLVM::compileHasGenericProperty):
2156             (JSC::FTL::LowerDFGToLLVM::compileHasStructureProperty):
2157             (JSC::FTL::LowerDFGToLLVM::compileGetDirectPname):
2158             (JSC::FTL::LowerDFGToLLVM::compileGetEnumerableLength):
2159             (JSC::FTL::LowerDFGToLLVM::compileGetStructurePropertyEnumerator):
2160             (JSC::FTL::LowerDFGToLLVM::compileGetGenericPropertyEnumerator):
2161             (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname):
2162             (JSC::FTL::LowerDFGToLLVM::compileToIndexString):
2163     
2164     2014-07-25  Mark Hahnenberg  <mhahnenberg@apple.com>
2165     
2166             Remove JSPropertyNameIterator
2167             https://bugs.webkit.org/show_bug.cgi?id=135066
2168     
2169             Reviewed by Geoffrey Garen.
2170     
2171             It has been replaced by JSPropertyNameEnumerator.
2172     
2173             * JavaScriptCore.order:
2174             * bytecode/BytecodeBasicBlock.cpp:
2175             (JSC::isBranch):
2176             * bytecode/BytecodeList.json:
2177             * bytecode/BytecodeUseDef.h:
2178             (JSC::computeUsesForBytecodeOffset):
2179             (JSC::computeDefsForBytecodeOffset):
2180             * bytecode/CodeBlock.cpp:
2181             (JSC::CodeBlock::dumpBytecode):
2182             * bytecode/PreciseJumpTargets.cpp:
2183             (JSC::getJumpTargetsForBytecodeOffset):
2184             * bytecompiler/BytecodeGenerator.cpp:
2185             (JSC::BytecodeGenerator::emitGetPropertyNames): Deleted.
2186             (JSC::BytecodeGenerator::emitNextPropertyName): Deleted.
2187             * bytecompiler/BytecodeGenerator.h:
2188             * interpreter/Interpreter.cpp:
2189             * interpreter/Register.h:
2190             * jit/JIT.cpp:
2191             (JSC::JIT::privateCompileMainPass):
2192             (JSC::JIT::privateCompileSlowCases):
2193             * jit/JIT.h:
2194             * jit/JITOpcodes.cpp:
2195             (JSC::JIT::emit_op_get_pnames): Deleted.
2196             (JSC::JIT::emit_op_next_pname): Deleted.
2197             * jit/JITOpcodes32_64.cpp:
2198             (JSC::JIT::emit_op_get_pnames): Deleted.
2199             (JSC::JIT::emit_op_next_pname): Deleted.
2200             * jit/JITOperations.cpp:
2201             * jit/JITPropertyAccess.cpp:
2202             (JSC::JIT::emit_op_get_by_pname): Deleted.
2203             (JSC::JIT::emitSlow_op_get_by_pname): Deleted.
2204             * jit/JITPropertyAccess32_64.cpp:
2205             (JSC::JIT::emit_op_get_by_pname): Deleted.
2206             (JSC::JIT::emitSlow_op_get_by_pname): Deleted.
2207             * llint/LLIntOffsetsExtractor.cpp:
2208             * llint/LLIntSlowPaths.cpp:
2209             (JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
2210             * llint/LLIntSlowPaths.h:
2211             * llint/LowLevelInterpreter.asm:
2212             * llint/LowLevelInterpreter32_64.asm:
2213             * llint/LowLevelInterpreter64.asm:
2214             * runtime/CommonSlowPaths.cpp:
2215             * runtime/JSPropertyNameIterator.cpp:
2216             (JSC::JSPropertyNameIterator::JSPropertyNameIterator): Deleted.
2217             (JSC::JSPropertyNameIterator::create): Deleted.
2218             (JSC::JSPropertyNameIterator::destroy): Deleted.
2219             (JSC::JSPropertyNameIterator::get): Deleted.
2220             (JSC::JSPropertyNameIterator::visitChildren): Deleted.
2221             * runtime/JSPropertyNameIterator.h:
2222             (JSC::JSPropertyNameIterator::createStructure): Deleted.
2223             (JSC::JSPropertyNameIterator::size): Deleted.
2224             (JSC::JSPropertyNameIterator::setCachedStructure): Deleted.
2225             (JSC::JSPropertyNameIterator::cachedStructure): Deleted.
2226             (JSC::JSPropertyNameIterator::setCachedPrototypeChain): Deleted.
2227             (JSC::JSPropertyNameIterator::cachedPrototypeChain): Deleted.
2228             (JSC::JSPropertyNameIterator::finishCreation): Deleted.
2229             (JSC::Register::propertyNameIterator): Deleted.
2230             (JSC::StructureRareData::enumerationCache): Deleted.
2231             (JSC::StructureRareData::setEnumerationCache): Deleted.
2232             * runtime/Structure.cpp:
2233             (JSC::Structure::addPropertyWithoutTransition):
2234             (JSC::Structure::removePropertyWithoutTransition):
2235             * runtime/Structure.h:
2236             * runtime/StructureInlines.h:
2237             (JSC::Structure::setEnumerationCache): Deleted.
2238             (JSC::Structure::enumerationCache): Deleted.
2239             * runtime/StructureRareData.cpp:
2240             (JSC::StructureRareData::visitChildren):
2241             * runtime/StructureRareData.h:
2242             * runtime/VM.cpp:
2243             (JSC::VM::VM):
2244     
2245     2014-07-25  Saam Barati  <sbarati@apple.com>
2246     
2247             Fix 32-bit build breakage for type profiling
2248             https://bugs.webkit.org/process_bug.cgi
2249     
2250             Reviewed by Mark Hahnenberg.
2251     
2252             32-bit builds currently break because global variable IDs for high
2253             fidelity type profiling are int64_t. Change this to intptr_t so that
2254             it's 32 bits on 32-bit platforms and 64 bits on 64-bit platforms.
2255     
2256             * bytecode/CodeBlock.cpp:
2257             (JSC::CodeBlock::CodeBlock):
2258             (JSC::CodeBlock::scopeDependentProfile):
2259             * bytecode/TypeLocation.h:
2260             * runtime/SymbolTable.cpp:
2261             (JSC::SymbolTable::uniqueIDForVariable):
2262             (JSC::SymbolTable::uniqueIDForRegister):
2263             * runtime/SymbolTable.h:
2264             * runtime/TypeLocationCache.cpp:
2265             (JSC::TypeLocationCache::getTypeLocation):
2266             * runtime/TypeLocationCache.h:
2267             * runtime/VM.h:
2268             (JSC::VM::getNextUniqueVariableID):
2269     
2270     2014-07-25  Mark Hahnenberg  <mhahnenberg@apple.com>
2271     
2272             Reindent PropertyNameArray.h
2273             https://bugs.webkit.org/show_bug.cgi?id=135067
2274     
2275             Reviewed by Geoffrey Garen.
2276     
2277             * runtime/PropertyNameArray.h:
2278             (JSC::RefCountedIdentifierSet::contains):
2279             (JSC::RefCountedIdentifierSet::size):
2280             (JSC::RefCountedIdentifierSet::add):
2281             (JSC::PropertyNameArrayData::create):
2282             (JSC::PropertyNameArrayData::propertyNameVector):
2283             (JSC::PropertyNameArrayData::PropertyNameArrayData):
2284             (JSC::PropertyNameArray::PropertyNameArray):
2285             (JSC::PropertyNameArray::vm):
2286             (JSC::PropertyNameArray::add):
2287             (JSC::PropertyNameArray::addKnownUnique):
2288             (JSC::PropertyNameArray::operator[]):
2289             (JSC::PropertyNameArray::setData):
2290             (JSC::PropertyNameArray::data):
2291             (JSC::PropertyNameArray::releaseData):
2292             (JSC::PropertyNameArray::identifierSet):
2293             (JSC::PropertyNameArray::canAddKnownUniqueForStructure):
2294             (JSC::PropertyNameArray::size):
2295             (JSC::PropertyNameArray::begin):
2296             (JSC::PropertyNameArray::end):
2297             (JSC::PropertyNameArray::numCacheableSlots):
2298             (JSC::PropertyNameArray::setNumCacheableSlotsForObject):
2299             (JSC::PropertyNameArray::setBaseObject):
2300             (JSC::PropertyNameArray::setPreviouslyEnumeratedLength):
2301     
2302     2014-07-23  Mark Hahnenberg  <mhahnenberg@apple.com>
2303     
2304             Refactor our current implementation of for-in
2305             https://bugs.webkit.org/show_bug.cgi?id=134142
2306     
2307             Reviewed by Filip Pizlo.
2308     
2309             This patch splits for-in loops into three distinct parts:
2310     
2311             - Iterating over the indexed properties in the base object.
2312             - Iterating over the Structure properties in the base object.
2313             - Iterating over any other enumerable properties for that object and any objects in the prototype chain.
2314      
2315             It does this by emitting these explicit loops in bytecode, using a new set of bytecodes to 
2316             support the various operations required for each loop.
2317     
2318             * API/JSCallbackObjectFunctions.h:
2319             (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
2320             * JavaScriptCore.xcodeproj/project.pbxproj:
2321             * bytecode/BytecodeList.json:
2322             * bytecode/BytecodeUseDef.h:
2323             (JSC::computeUsesForBytecodeOffset):
2324             (JSC::computeDefsForBytecodeOffset):
2325             * bytecode/CallLinkStatus.h:
2326             (JSC::CallLinkStatus::CallLinkStatus):
2327             * bytecode/CodeBlock.cpp:
2328             (JSC::CodeBlock::dumpBytecode):
2329             (JSC::CodeBlock::CodeBlock):
2330             * bytecompiler/BytecodeGenerator.cpp:
2331             (JSC::BytecodeGenerator::emitGetByVal):
2332             (JSC::BytecodeGenerator::emitComplexPopScopes):
2333             (JSC::BytecodeGenerator::emitGetEnumerableLength):
2334             (JSC::BytecodeGenerator::emitHasGenericProperty):
2335             (JSC::BytecodeGenerator::emitHasIndexedProperty):
2336             (JSC::BytecodeGenerator::emitHasStructureProperty):
2337             (JSC::BytecodeGenerator::emitGetStructurePropertyEnumerator):
2338             (JSC::BytecodeGenerator::emitGetGenericPropertyEnumerator):
2339             (JSC::BytecodeGenerator::emitNextEnumeratorPropertyName):
2340             (JSC::BytecodeGenerator::emitToIndexString):
2341             (JSC::BytecodeGenerator::pushIndexedForInScope):
2342             (JSC::BytecodeGenerator::popIndexedForInScope):
2343             (JSC::BytecodeGenerator::pushStructureForInScope):
2344             (JSC::BytecodeGenerator::popStructureForInScope):
2345             (JSC::BytecodeGenerator::invalidateForInContextForLocal):
2346             * bytecompiler/BytecodeGenerator.h:
2347             (JSC::ForInContext::ForInContext):
2348             (JSC::ForInContext::~ForInContext):
2349             (JSC::ForInContext::isValid):
2350             (JSC::ForInContext::invalidate):
2351             (JSC::ForInContext::local):
2352             (JSC::StructureForInContext::StructureForInContext):
2353             (JSC::StructureForInContext::type):
2354             (JSC::StructureForInContext::index):
2355             (JSC::StructureForInContext::property):
2356             (JSC::StructureForInContext::enumerator):
2357             (JSC::IndexedForInContext::IndexedForInContext):
2358             (JSC::IndexedForInContext::type):
2359             (JSC::IndexedForInContext::index):
2360             (JSC::BytecodeGenerator::pushOptimisedForIn): Deleted.
2361             (JSC::BytecodeGenerator::popOptimisedForIn): Deleted.
2362             * bytecompiler/NodesCodegen.cpp:
2363             (JSC::ReadModifyResolveNode::emitBytecode):
2364             (JSC::AssignResolveNode::emitBytecode):
2365             (JSC::ForInNode::tryGetBoundLocal):
2366             (JSC::ForInNode::emitLoopHeader):
2367             (JSC::ForInNode::emitMultiLoopBytecode):
2368             (JSC::ForInNode::emitBytecode):
2369             * debugger/DebuggerScope.h:
2370             * dfg/DFGAbstractHeap.h:
2371             * dfg/DFGAbstractInterpreterInlines.h:
2372             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2373             * dfg/DFGByteCodeParser.cpp:
2374             (JSC::DFG::ByteCodeParser::parseBlock):
2375             * dfg/DFGCapabilities.cpp:
2376             (JSC::DFG::capabilityLevel):
2377             * dfg/DFGClobberize.h:
2378             (JSC::DFG::clobberize):
2379             * dfg/DFGDoesGC.cpp:
2380             (JSC::DFG::doesGC):
2381             * dfg/DFGFixupPhase.cpp:
2382             (JSC::DFG::FixupPhase::fixupNode):
2383             * dfg/DFGHeapLocation.cpp:
2384             (WTF::printInternal):
2385             * dfg/DFGHeapLocation.h:
2386             * dfg/DFGNode.h:
2387             (JSC::DFG::Node::hasHeapPrediction):
2388             (JSC::DFG::Node::hasArrayMode):
2389             * dfg/DFGNodeType.h:
2390             * dfg/DFGPredictionPropagationPhase.cpp:
2391             (JSC::DFG::PredictionPropagationPhase::propagate):
2392             * dfg/DFGSafeToExecute.h:
2393             (JSC::DFG::safeToExecute):
2394             * dfg/DFGSpeculativeJIT.h:
2395             (JSC::DFG::SpeculativeJIT::callOperation):
2396             * dfg/DFGSpeculativeJIT32_64.cpp:
2397             (JSC::DFG::SpeculativeJIT::compile):
2398             * dfg/DFGSpeculativeJIT64.cpp:
2399             (JSC::DFG::SpeculativeJIT::compile):
2400             * jit/JIT.cpp:
2401             (JSC::JIT::privateCompileMainPass):
2402             (JSC::JIT::privateCompileSlowCases):
2403             * jit/JIT.h:
2404             (JSC::JIT::compileHasIndexedProperty):
2405             (JSC::JIT::emitInt32Load):
2406             * jit/JITInlines.h:
2407             (JSC::JIT::emitDoubleGetByVal):
2408             (JSC::JIT::emitLoadForArrayMode):
2409             (JSC::JIT::emitContiguousGetByVal):
2410             (JSC::JIT::emitArrayStorageGetByVal):
2411             * jit/JITOpcodes.cpp:
2412             (JSC::JIT::emit_op_get_enumerable_length):
2413             (JSC::JIT::emit_op_has_structure_property):
2414             (JSC::JIT::emitSlow_op_has_structure_property):
2415             (JSC::JIT::emit_op_has_generic_property):
2416             (JSC::JIT::privateCompileHasIndexedProperty):
2417             (JSC::JIT::emit_op_has_indexed_property):
2418             (JSC::JIT::emitSlow_op_has_indexed_property):
2419             (JSC::JIT::emit_op_get_direct_pname):
2420             (JSC::JIT::emitSlow_op_get_direct_pname):
2421             (JSC::JIT::emit_op_get_structure_property_enumerator):
2422             (JSC::JIT::emit_op_get_generic_property_enumerator):
2423             (JSC::JIT::emit_op_next_enumerator_pname):
2424             (JSC::JIT::emit_op_to_index_string):
2425             * jit/JITOpcodes32_64.cpp:
2426             (JSC::JIT::emit_op_get_enumerable_length):
2427             (JSC::JIT::emit_op_has_structure_property):
2428             (JSC::JIT::emitSlow_op_has_structure_property):
2429             (JSC::JIT::emit_op_has_generic_property):
2430             (JSC::JIT::privateCompileHasIndexedProperty):
2431             (JSC::JIT::emit_op_has_indexed_property):
2432             (JSC::JIT::emitSlow_op_has_indexed_property):
2433             (JSC::JIT::emit_op_get_direct_pname):
2434             (JSC::JIT::emitSlow_op_get_direct_pname):
2435             (JSC::JIT::emit_op_get_structure_property_enumerator):
2436             (JSC::JIT::emit_op_get_generic_property_enumerator):
2437             (JSC::JIT::emit_op_next_enumerator_pname):
2438             (JSC::JIT::emit_op_to_index_string):
2439             * jit/JITOperations.cpp:
2440             * jit/JITOperations.h:
2441             * jit/JITPropertyAccess.cpp:
2442             (JSC::JIT::emitDoubleLoad):
2443             (JSC::JIT::emitContiguousLoad):
2444             (JSC::JIT::emitArrayStorageLoad):
2445             (JSC::JIT::emitDoubleGetByVal): Deleted.
2446             (JSC::JIT::emitContiguousGetByVal): Deleted.
2447             (JSC::JIT::emitArrayStorageGetByVal): Deleted.
2448             * jit/JITPropertyAccess32_64.cpp:
2449             (JSC::JIT::emitContiguousLoad):
2450             (JSC::JIT::emitDoubleLoad):
2451             (JSC::JIT::emitArrayStorageLoad):
2452             (JSC::JIT::emitContiguousGetByVal): Deleted.
2453             (JSC::JIT::emitDoubleGetByVal): Deleted.
2454             (JSC::JIT::emitArrayStorageGetByVal): Deleted.
2455             * llint/LowLevelInterpreter.asm:
2456             * parser/Nodes.h:
2457             * runtime/Arguments.cpp:
2458             (JSC::Arguments::getOwnPropertyNames):
2459             * runtime/ClassInfo.h:
2460             * runtime/CommonSlowPaths.cpp:
2461             (JSC::SLOW_PATH_DECL):
2462             * runtime/CommonSlowPaths.h:
2463             * runtime/EnumerationMode.h: Added.
2464             (JSC::shouldIncludeDontEnumProperties):
2465             (JSC::shouldExcludeDontEnumProperties):
2466             (JSC::shouldIncludeJSObjectPropertyNames):
2467             (JSC::modeThatSkipsJSObject):
2468             * runtime/JSActivation.cpp:
2469             (JSC::JSActivation::getOwnNonIndexPropertyNames):
2470             * runtime/JSArray.cpp:
2471             (JSC::JSArray::getOwnNonIndexPropertyNames):
2472             * runtime/JSArrayBuffer.cpp:
2473             (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
2474             * runtime/JSArrayBufferView.cpp:
2475             (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
2476             * runtime/JSCell.cpp:
2477             (JSC::JSCell::getEnumerableLength):
2478             (JSC::JSCell::getStructurePropertyNames):
2479             (JSC::JSCell::getGenericPropertyNames):
2480             * runtime/JSCell.h:
2481             * runtime/JSFunction.cpp:
2482             (JSC::JSFunction::getOwnNonIndexPropertyNames):
2483             * runtime/JSGenericTypedArrayViewInlines.h:
2484             (JSC::JSGenericTypedArrayView<Adaptor>::getOwnNonIndexPropertyNames):
2485             * runtime/JSObject.cpp:
2486             (JSC::getClassPropertyNames):
2487             (JSC::JSObject::hasOwnProperty):
2488             (JSC::JSObject::getOwnPropertyNames):
2489             (JSC::JSObject::getOwnNonIndexPropertyNames):
2490             (JSC::JSObject::getEnumerableLength):
2491             (JSC::JSObject::getStructurePropertyNames):
2492             (JSC::JSObject::getGenericPropertyNames):
2493             * runtime/JSObject.h:
2494             * runtime/JSPropertyNameEnumerator.cpp: Added.
2495             (JSC::JSPropertyNameEnumerator::create):
2496             (JSC::JSPropertyNameEnumerator::JSPropertyNameEnumerator):
2497             (JSC::JSPropertyNameEnumerator::finishCreation):
2498             (JSC::JSPropertyNameEnumerator::destroy):
2499             (JSC::JSPropertyNameEnumerator::visitChildren):
2500             * runtime/JSPropertyNameEnumerator.h: Added.
2501             (JSC::JSPropertyNameEnumerator::createStructure):
2502             (JSC::JSPropertyNameEnumerator::propertyNameAtIndex):
2503             (JSC::JSPropertyNameEnumerator::identifierSet):
2504             (JSC::JSPropertyNameEnumerator::cachedPrototypeChain):
2505             (JSC::JSPropertyNameEnumerator::setCachedPrototypeChain):
2506             (JSC::JSPropertyNameEnumerator::cachedStructure):
2507             (JSC::JSPropertyNameEnumerator::cachedStructureID):
2508             (JSC::JSPropertyNameEnumerator::cachedInlineCapacity):
2509             (JSC::JSPropertyNameEnumerator::cachedStructureIDOffset):
2510             (JSC::JSPropertyNameEnumerator::cachedInlineCapacityOffset):
2511             (JSC::JSPropertyNameEnumerator::cachedPropertyNamesLengthOffset):
2512             (JSC::JSPropertyNameEnumerator::cachedPropertyNamesVectorOffset):
2513             (JSC::structurePropertyNameEnumerator):
2514             (JSC::genericPropertyNameEnumerator):
2515             * runtime/JSProxy.cpp:
2516             (JSC::JSProxy::getEnumerableLength):
2517             (JSC::JSProxy::getStructurePropertyNames):
2518             (JSC::JSProxy::getGenericPropertyNames):
2519             * runtime/JSProxy.h:
2520             * runtime/JSSymbolTableObject.cpp:
2521             (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
2522             * runtime/PropertyNameArray.cpp:
2523             (JSC::PropertyNameArray::add):
2524             (JSC::PropertyNameArray::setPreviouslyEnumeratedProperties):
2525             * runtime/PropertyNameArray.h:
2526             (JSC::RefCountedIdentifierSet::contains):
2527             (JSC::RefCountedIdentifierSet::size):
2528             (JSC::RefCountedIdentifierSet::add):
2529             (JSC::PropertyNameArray::PropertyNameArray):
2530             (JSC::PropertyNameArray::add):
2531             (JSC::PropertyNameArray::addKnownUnique):
2532             (JSC::PropertyNameArray::identifierSet):
2533             (JSC::PropertyNameArray::canAddKnownUniqueForStructure):
2534             (JSC::PropertyNameArray::setPreviouslyEnumeratedLength):
2535             * runtime/RegExpObject.cpp:
2536             (JSC::RegExpObject::getOwnNonIndexPropertyNames):
2537             (JSC::RegExpObject::getPropertyNames):
2538             (JSC::RegExpObject::getGenericPropertyNames):
2539             * runtime/RegExpObject.h:
2540             * runtime/StringObject.cpp:
2541             (JSC::StringObject::getOwnPropertyNames):
2542             * runtime/Structure.cpp:
2543             (JSC::Structure::getPropertyNamesFromStructure):
2544             (JSC::Structure::setCachedStructurePropertyNameEnumerator):
2545             (JSC::Structure::cachedStructurePropertyNameEnumerator):
2546             (JSC::Structure::setCachedGenericPropertyNameEnumerator):
2547             (JSC::Structure::cachedGenericPropertyNameEnumerator):
2548             (JSC::Structure::canCacheStructurePropertyNameEnumerator):
2549             (JSC::Structure::canCacheGenericPropertyNameEnumerator):
2550             (JSC::Structure::canAccessPropertiesQuickly):
2551             * runtime/Structure.h:
2552             * runtime/StructureRareData.cpp:
2553             (JSC::StructureRareData::visitChildren):
2554             (JSC::StructureRareData::cachedStructurePropertyNameEnumerator):
2555             (JSC::StructureRareData::setCachedStructurePropertyNameEnumerator):
2556             (JSC::StructureRareData::cachedGenericPropertyNameEnumerator):
2557             (JSC::StructureRareData::setCachedGenericPropertyNameEnumerator):
2558             * runtime/StructureRareData.h:
2559             * runtime/VM.cpp:
2560             (JSC::VM::VM):
2561             * runtime/VM.h:
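
The three-loop split described in the merged "Refactor our current implementation of for-in" entry above (indexed properties of the base object, then its Structure properties, then everything else up the prototype chain), as an added JavaScript example that is not JavaScriptCore code: it emulates the three phases on ordinary objects and compares the result with the engine's own for-in order. The function names and sample objects are constructed here; the mapping of "Structure properties" to the base object's named own properties is an approximation of the engine's internal split.

```javascript
// Added example, not JavaScriptCore code: emulate the three loops the merged
// for-in refactor describes and check the result against the engine's own
// for-in order. The sample objects are constructed here.
function isArrayIndex(key) {
  // Canonical array index: "0" or no leading zero, and at most 2^32 - 2.
  return /^(0|[1-9][0-9]*)$/.test(key) && Number(key) <= 4294967294;
}

// Own property names of `obj` in for-in order: indices ascending, then the
// remaining string keys in insertion order (symbols are never enumerated).
function ownNamesInOrder(obj) {
  const names = Object.getOwnPropertyNames(obj);
  const indexed = names.filter(isArrayIndex).sort((a, b) => a - b);
  const named = names.filter(k => !isArrayIndex(k));
  return { indexed, named };
}

// Returns { indexed, structure, generic }: the keys each of the three loops
// would yield. A name visited once (even a non-enumerable one) shadows any
// same-named property further up the prototype chain.
function forInPhases(base) {
  const seen = new Set();
  const phases = { indexed: [], structure: [], generic: [] };
  const visit = (obj, key, bucket) => {
    if (seen.has(key)) return;
    seen.add(key);
    if (Object.getOwnPropertyDescriptor(obj, key).enumerable) bucket.push(key);
  };
  const own = ownNamesInOrder(base);
  // Loop 1: the base object's indexed properties.
  own.indexed.forEach(k => visit(base, k, phases.indexed));
  // Loop 2: the base object's named (Structure) properties.
  own.named.forEach(k => visit(base, k, phases.structure));
  // Loop 3: whatever is left, walking the prototype chain.
  for (let p = Object.getPrototypeOf(base); p !== null; p = Object.getPrototypeOf(p)) {
    const names = ownNamesInOrder(p);
    [...names.indexed, ...names.named].forEach(k => visit(p, k, phases.generic));
  }
  return phases;
}

// The flattened key sequence a for-in loop over `base` should produce.
function forInKeys(base) {
  const p = forInPhases(base);
  return [...p.indexed, ...p.structure, ...p.generic];
}

// The engine's own answer, for comparison.
function engineForIn(obj) {
  const keys = [];
  for (const k in obj) keys.push(k);
  return keys;
}

// Constructed sample: mixed indexed and named own properties, an inherited
// property, and a prototype property shadowed by a non-enumerable own one.
function makeSample() {
  function Base() {}
  Base.prototype.inherited = 1;
  Base.prototype.shadowed = 1;
  const o = new Base();
  o.b = 1;
  o[2] = 1;
  o.a = 1;
  o[1] = 1;
  Object.defineProperty(o, 'shadowed', { value: 1, enumerable: false });
  return o;
}

console.log(forInPhases(makeSample()));
console.log(forInKeys(makeSample()), engineForIn(makeSample()));
```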
2562     
2563     2014-07-23  Saam Barati  <sbarati@apple.com>
2564     
2565             Make improvements to Type Profiling
2566             https://bugs.webkit.org/show_bug.cgi?id=134860
2567     
2568             Reviewed by Filip Pizlo.
2569     
2570             I improved the API between the inspector and JSC. We no longer send one huge
2571             string to the inspector. We now send structured data that represents the type
2572             information that JSC has collected. I've also created a beginning implementation 
2573             of a type lattice that allows us to resolve a display name for a type that
2574             consists of a single word.
2575     
2576             I created a data structure that knows which functions have executed. This
2577             solves the bug where types inside an un-executed function will resolve
2578             to the type of the enclosing expression of that function. This data
2579             structure may also be useful later if the inspector chooses to create a UI
2580             around showing which functions have executed.
2581     
2582             Better type information is gathered for objects. StructureShape now
2583             represents an object's prototype chain.  StructureShape also collects
2584             the constructor name for an object.
2585     
2586             Expression ranges are now zero indexed.
2587     
2588             Removed some extraneous methods.
2589     
2590             * JavaScriptCore.xcodeproj/project.pbxproj:
2591             * bytecode/CodeBlock.cpp:
2592             (JSC::CodeBlock::CodeBlock):
2593             (JSC::CodeBlock::scopeDependentProfile):
2594             * bytecode/CodeBlock.h:
2595             * bytecode/TypeLocation.h:
2596             (JSC::TypeLocation::TypeLocation):
2597             * bytecode/UnlinkedCodeBlock.cpp:
2598             (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2599             * bytecode/UnlinkedCodeBlock.h:
2600             (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingStartOffset):
2601             (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingEndOffset):
2602             * bytecompiler/BytecodeGenerator.cpp:
2603             (JSC::BytecodeGenerator::BytecodeGenerator):
2604             (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo):
2605             * bytecompiler/BytecodeGenerator.h:
2606             (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo): Deleted.
2607             * heap/Heap.cpp:
2608             (JSC::Heap::collect):
2609             * inspector/agents/InspectorRuntimeAgent.cpp:
2610             (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
2611             (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableAtOffset): Deleted.
2612             * inspector/agents/InspectorRuntimeAgent.h:
2613             * inspector/protocol/Runtime.json:
2614             * runtime/Executable.cpp:
2615             (JSC::ScriptExecutable::ScriptExecutable):
2616             (JSC::ProgramExecutable::ProgramExecutable):
2617             (JSC::FunctionExecutable::FunctionExecutable):
2618             (JSC::ProgramExecutable::initializeGlobalProperties):
2619             * runtime/Executable.h:
2620             (JSC::ScriptExecutable::highFidelityTypeProfilingStartOffset):
2621             (JSC::ScriptExecutable::highFidelityTypeProfilingEndOffset):
2622             * runtime/FunctionHasExecutedCache.cpp: Added.
2623             (JSC::FunctionHasExecutedCache::hasExecutedAtOffset):
2624             (JSC::FunctionHasExecutedCache::insertUnexecutedRange):
2625             (JSC::FunctionHasExecutedCache::removeUnexecutedRange):
2626             * runtime/FunctionHasExecutedCache.h: Added.
2627             (JSC::FunctionHasExecutedCache::FunctionRange::FunctionRange):
2628             (JSC::FunctionHasExecutedCache::FunctionRange::operator==):
2629             (JSC::FunctionHasExecutedCache::FunctionRange::hash):
2630             * runtime/HighFidelityLog.cpp:
2631             (JSC::HighFidelityLog::processHighFidelityLog):
2632             (JSC::HighFidelityLog::actuallyProcessLogThreadFunction): Deleted.
2633             * runtime/HighFidelityLog.h:
2634             (JSC::HighFidelityLog::recordTypeInformationForLocation):
2635             * runtime/HighFidelityTypeProfiler.cpp:
2636             (JSC::HighFidelityTypeProfiler::logTypesForTypeLocation):
2637             (JSC::HighFidelityTypeProfiler::insertNewLocation):
2638             (JSC::HighFidelityTypeProfiler::getTypesForVariableAtOffsetForInspector):
2639             (JSC::descriptorMatchesTypeLocation):
2640             (JSC::HighFidelityTypeProfiler::findLocation):
2641             (JSC::HighFidelityTypeProfiler::getTypesForVariableInAtOffset): Deleted.
2642             (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableAtOffset): Deleted.
2643             (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableAtOffset): Deleted.
2644             * runtime/HighFidelityTypeProfiler.h:
2645             (JSC::QueryKey::QueryKey):
2646             (JSC::QueryKey::isHashTableDeletedValue):
2647             (JSC::QueryKey::operator==):
2648             (JSC::QueryKey::hash):
2649             (JSC::QueryKeyHash::hash):
2650             (JSC::QueryKeyHash::equal):
2651             (JSC::HighFidelityTypeProfiler::functionHasExecutedCache):
2652             (JSC::HighFidelityTypeProfiler::typeLocationCache):
2653             * runtime/Structure.cpp:
2654             (JSC::Structure::toStructureShape):
2655             * runtime/Structure.h:
2656             * runtime/TypeLocationCache.cpp: Added.
2657             (JSC::TypeLocationCache::getTypeLocation):
2658             * runtime/TypeLocationCache.h: Added.
2659             (JSC::TypeLocationCache::LocationKey::LocationKey):
2660             (JSC::TypeLocationCache::LocationKey::operator==):
2661             (JSC::TypeLocationCache::LocationKey::hash):
2662             * runtime/TypeSet.cpp:
2663             (JSC::TypeSet::getRuntimeTypeForValue):
2664             (JSC::TypeSet::addTypeForValue):
2665             (JSC::TypeSet::seenTypes):
2666             (JSC::TypeSet::doesTypeConformTo):
2667             (JSC::TypeSet::displayName):
2668             (JSC::TypeSet::allPrimitiveTypeNames):
2669             (JSC::TypeSet::allStructureRepresentations):
2670             (JSC::TypeSet::leastCommonAncestor):
2671             (JSC::StructureShape::StructureShape):
2672             (JSC::StructureShape::addProperty):
2673             (JSC::StructureShape::propertyHash):
2674             (JSC::StructureShape::leastCommonAncestor):
2675             (JSC::StructureShape::stringRepresentation):
2676             (JSC::StructureShape::inspectorRepresentation):
2677             (JSC::StructureShape::leastUpperBound): Deleted.
2678             * runtime/TypeSet.h:
2679             (JSC::StructureShape::setConstructorName):
2680             (JSC::StructureShape::constructorName):
2681             (JSC::StructureShape::setProto):
2682             * runtime/VM.cpp:
2683             (JSC::VM::dumpHighFidelityProfilingTypes):
2684             (JSC::VM::getTypesForVariableAtOffset): Deleted.
2685             (JSC::VM::updateHighFidelityTypeProfileState): Deleted.
2686             * runtime/VM.h:
2687             (JSC::VM::isProfilingTypesWithHighFidelity):
2688             (JSC::VM::highFidelityTypeProfiler):
2689     
2690     2014-07-23  Filip Pizlo  <fpizlo@apple.com>
2691     
2692             Fix debug build.
2693     
2694             * bytecode/CallLinkStatus.h:
2695             (JSC::CallLinkStatus::CallLinkStatus):
2696     
2697     2014-07-20  Filip Pizlo  <fpizlo@apple.com>
2698     
2699             [ftlopt] Phantoms in SSA form should be aggressively hoisted
2700             https://bugs.webkit.org/show_bug.cgi?id=135111
2701     
2702             Reviewed by Oliver Hunt.
2703             
2704             In CPS form, Phantom means three things: (1) that the children should be kept alive so long
2705             as they are relevant to OSR (due to a MovHint), (2) that the children are live-in-bytecode
2706             at the point of the Phantom, and (3) that some checks should be performed. In SSA, the
2707             second meaning is not used but the other two stay.
2708             
2709             The fact that a Phantom that is used to keep a node alive could be anywhere in the graph,
2710             even in a totally different basic block, complicates some SSA transformations. It's not
2711             possible to just jettison some successor, since that successor could have a Phantom that we
2712             care about.
2713             
2714             This change rationalizes how Phantoms work so that:
2715             
2716             1) Phantoms keep children alive so long as those children are relevant to OSR. This is true
2717                in both CPS and SSA. This was true before and it's true now.
2718             
2719             2) Phantoms are used for live-in-bytecode only in CPS. This was true before and it's true
2720                now, except that now we also don't bother preserving the live-in-bytecode information
2721                that Phantoms convey, when we are in SSA.
2722             
2723             3) Phantoms may incidentally have checks, but in cases where we only want checks, we now
2724                use Check instead of Phantom. Notably, DCE phase has dead nodes decay to Check, not
2725                Phantom.
2726             
2727             The biggest part of this change is that in SSA, we canonicalize Phantoms:
2728             
2729             - All Phantoms are replaced with Check nodes that include only those edges that have
2730               checks.
2731             
2732             - Nodes that were the children of any Phantoms have a Phantom right after them.
2733             
2734             For example, the following code:
2735             
2736                 5: ArithAdd(@1, @2)
2737                 6: ArithSub(@5, @3)
2738                 7: Phantom(Int32:@5)
2739             
2740             would be turned into the following:
2741             
2742                 5: ArithAdd(@1, @2)
2743                 8: Phantom(@5) // @5 was the child of a Phantom, so we create a new Phantom right after
2744                                // @5. This is the only Phantom we will have for @5.
2745                 6: ArithSub(@5, @3)
2746                 7: Check(Int32:@5) // We replace the Phantom with a Check; in this case since Int32: is
2747                                    // a checking edge, we leave it.
2748             
2749             This is a slight speed-up across the board, presumably because we now do a better job of
2750             reducing the size of the graph during compilation. It could also be a fluke, though. The
2751             main purpose of this is to unlock some other work (like CFG simplification in SSA). It will
2752             become a requirement to run phantom canonicalization prior to some SSA phases. None of the
2753             current phases need it, but future phases probably will.
2754     
2755             * CMakeLists.txt:
2756             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2757             * JavaScriptCore.xcodeproj/project.pbxproj:
2758             * dfg/DFGAbstractInterpreterInlines.h:
2759             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2760             * dfg/DFGConstantFoldingPhase.cpp:
2761             (JSC::DFG::ConstantFoldingPhase::foldConstants):
2762             * dfg/DFGDCEPhase.cpp:
2763             (JSC::DFG::DCEPhase::run):
2764             (JSC::DFG::DCEPhase::findTypeCheckRoot):
2765             (JSC::DFG::DCEPhase::countEdge):
2766             (JSC::DFG::DCEPhase::fixupBlock):
2767             (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):
2768             * dfg/DFGEdge.cpp:
2769             (JSC::DFG::Edge::dump):
2770             * dfg/DFGEdge.h:
2771             (JSC::DFG::Edge::isProved):
2772             (JSC::DFG::Edge::needsCheck): Deleted.
2773             * dfg/DFGNodeFlags.h:
2774             * dfg/DFGPhantomCanonicalizationPhase.cpp: Added.
2775             (JSC::DFG::PhantomCanonicalizationPhase::PhantomCanonicalizationPhase):
2776             (JSC::DFG::PhantomCanonicalizationPhase::run):
2777             (JSC::DFG::performPhantomCanonicalization):
2778             * dfg/DFGPhantomCanonicalizationPhase.h: Added.
2779             * dfg/DFGPhantomRemovalPhase.cpp:
2780             (JSC::DFG::PhantomRemovalPhase::run):
2781             * dfg/DFGPhantomRemovalPhase.h:
2782             * dfg/DFGPlan.cpp:
2783             (JSC::DFG::Plan::compileInThreadImpl):
2784             * ftl/FTLLowerDFGToLLVM.cpp:
2785             (JSC::FTL::LowerDFGToLLVM::lowJSValue):
2786             (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
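A toy version of the Phantom canonicalization the entry above describes, added here as an illustration rather than taken from WebKit; the single-block scope, the Untyped/Int32 use kinds and the helper names are assumptions, and the sample input is the ChangeLog's own three-node block.

```cpp
#include <cstddef>
#include <set>
#include <string>
#include <vector>

// Toy model of a DFG basic block (added example, not JavaScriptCore's code).
// An edge names a child node and the use kind it is speculated with; any use
// kind other than Untyped stands for a checking edge such as Int32:.
struct Edge {
    unsigned child;
    std::string useKind;
    bool hasCheck() const { return useKind != "Untyped"; }
};
struct Node {
    unsigned id;
    std::string op; // "ArithAdd", "Phantom", "Check", ...
    std::vector<Edge> children;
};

// Renders a node the way the ChangeLog writes them, e.g. "7: Check(Int32:@5)".
static std::string dump(const Node& node)
{
    std::string out = std::to_string(node.id) + ": " + node.op + "(";
    for (size_t i = 0; i < node.children.size(); ++i) {
        if (i)
            out += ", ";
        if (node.children[i].hasCheck())
            out += node.children[i].useKind + ":";
        out += "@" + std::to_string(node.children[i].child);
    }
    return out + ")";
}

static std::vector<std::string> dumpBlock(const std::vector<Node>& block)
{
    std::vector<std::string> lines;
    for (const Node& node : block)
        lines.push_back(dump(node));
    return lines;
}

// Phantom canonicalization for one block: every Phantom becomes a Check that
// keeps only its checking edges, and every node that was the child of any
// Phantom gets exactly one Untyped Phantom immediately after it. The real
// phase collects Phantom children across the whole graph first; this toy
// only sees one block. nextNodeId supplies fresh ids for inserted Phantoms.
static std::vector<Node> canonicalizePhantoms(const std::vector<Node>& block, unsigned nextNodeId)
{
    // Pass 1: find every node that some Phantom keeps alive for OSR.
    std::set<unsigned> phantomChildren;
    for (const Node& node : block) {
        if (node.op != "Phantom")
            continue;
        for (const Edge& edge : node.children)
            phantomChildren.insert(edge.child);
    }
    // Pass 2: rewrite the block in order.
    std::vector<Node> result;
    for (const Node& node : block) {
        if (node.op == "Phantom") {
            Node check { node.id, "Check", {} };
            for (const Edge& edge : node.children) {
                if (edge.hasCheck())
                    check.children.push_back(edge);
            }
            result.push_back(check);
            continue;
        }
        result.push_back(node);
        if (phantomChildren.count(node.id)) {
            // The one and only Phantom for this node.
            result.push_back(Node { nextNodeId++, "Phantom", { Edge { node.id, "Untyped" } } });
        }
    }
    return result;
}

// The block from the ChangeLog example, constructed here as sample input.
static std::vector<Node> exampleBlock()
{
    return {
        Node { 5, "ArithAdd", { Edge { 1, "Untyped" }, Edge { 2, "Untyped" } } },
        Node { 6, "ArithSub", { Edge { 5, "Untyped" }, Edge { 3, "Untyped" } } },
        Node { 7, "Phantom", { Edge { 5, "Int32" } } },
    };
}
```

A Phantom whose edges are all Untyped becomes an empty Check, which carries nothing and can be dropped by a later phase.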
2787     
2788     2014-07-22  Filip Pizlo  <fpizlo@apple.com>
2789     
2790             [ftlopt] Get rid of structure checks as a way of checking if a function is in fact a function
2791             https://bugs.webkit.org/show_bug.cgi?id=135146
2792     
2793             Reviewed by Oliver Hunt.
2794             
2795             This greatly simplifies our closure call optimizations by taking advantage of the type
2796             bits available in the cell header.
2797     
2798             * bytecode/CallLinkInfo.cpp:
2799             (JSC::CallLinkInfo::visitWeak):
2800             * bytecode/CallLinkStatus.cpp:
2801             (JSC::CallLinkStatus::CallLinkStatus):
2802             (JSC::CallLinkStatus::computeFor):
2803             (JSC::CallLinkStatus::dump):
2804             * bytecode/CallLinkStatus.h:
2805             (JSC::CallLinkStatus::CallLinkStatus):
2806             (JSC::CallLinkStatus::executable):
2807             (JSC::CallLinkStatus::structure): Deleted.
2808             * dfg/DFGByteCodeParser.cpp:
2809             (JSC::DFG::ByteCodeParser::emitFunctionChecks):
2810             * dfg/DFGFixupPhase.cpp:
2811             (JSC::DFG::FixupPhase::fixupNode):
2812             (JSC::DFG::FixupPhase::observeUseKindOnNode):
2813             * dfg/DFGSafeToExecute.h:
2814             (JSC::DFG::SafeToExecuteEdge::operator()):
2815             * dfg/DFGSpeculativeJIT.cpp:
2816             (JSC::DFG::SpeculativeJIT::checkArray):
2817             (JSC::DFG::SpeculativeJIT::speculateCellTypeWithoutTypeFiltering):
2818             (JSC::DFG::SpeculativeJIT::speculateCellType):
2819             (JSC::DFG::SpeculativeJIT::speculateFunction):
2820             (JSC::DFG::SpeculativeJIT::speculateFinalObject):
2821             (JSC::DFG::SpeculativeJIT::speculate):
2822             * dfg/DFGSpeculativeJIT.h:
2823             * dfg/DFGSpeculativeJIT32_64.cpp:
2824             (JSC::DFG::SpeculativeJIT::compile):
2825             * dfg/DFGSpeculativeJIT64.cpp:
2826             (JSC::DFG::SpeculativeJIT::compile):
2827             * dfg/DFGUseKind.cpp:
2828             (WTF::printInternal):
2829             * dfg/DFGUseKind.h:
2830             (JSC::DFG::typeFilterFor):
2831             (JSC::DFG::isCell):
2832             * ftl/FTLCapabilities.cpp:
2833             (JSC::FTL::canCompile):
2834             * ftl/FTLLowerDFGToLLVM.cpp:
2835             (JSC::FTL::LowerDFGToLLVM::compileCheckExecutable):
2836             (JSC::FTL::LowerDFGToLLVM::speculate):
2837             (JSC::FTL::LowerDFGToLLVM::isFunction):
2838             (JSC::FTL::LowerDFGToLLVM::isNotFunction):
2839             (JSC::FTL::LowerDFGToLLVM::speculateFunction):
2840             * jit/ClosureCallStubRoutine.cpp:
2841             (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
2842             (JSC::ClosureCallStubRoutine::markRequiredObjectsInternal):
2843             * jit/ClosureCallStubRoutine.h:
2844             (JSC::ClosureCallStubRoutine::structure): Deleted.
2845             * jit/JIT.h:
2846             (JSC::JIT::compileClosureCall): Deleted.
2847             * jit/JITCall.cpp:
2848             (JSC::JIT::privateCompileClosureCall): Deleted.
2849             * jit/JITCall32_64.cpp:
2850             (JSC::JIT::privateCompileClosureCall): Deleted.
2851             * jit/JITOperations.cpp:
2852             * jit/Repatch.cpp:
2853             (JSC::linkClosureCall):
2854             * jit/Repatch.h:
2855     
2856 2014-08-06  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>
2857
2858         [ARM] Incorrect handling of Unicode characters
2859         https://bugs.webkit.org/show_bug.cgi?id=135380
2860
2861         Reviewed by Darin Adler.
2862
2863         Removed erroneous fast case from stringFromUTF(), since it assumed that 
2864         char is always implemented as signed.
2865
2866         * jsc.cpp:
2867         (stringFromUTF):
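An added illustration, not the WebKit code in question, of the kind of signed-char assumption the entry above removes: fastCaseIsAscii is a hypothetical fast path that reads "negative byte" as "non-ASCII", and the CharType parameter lets both the signed-char and the unsigned-char (ARM) ABI run on one machine.

```cpp
#include <cstddef>
#include <string>

// Hypothetical fast case (not WebKit's code) written the way code that assumes
// a signed char would be: a byte with the high bit set reads as a negative
// value, so "c < 0" is taken to mean "not ASCII". CharType stands in for the
// platform's char so that both ABIs can be exercised on one machine.
template <typename CharType>
static bool fastCaseIsAscii(const std::string& bytes)
{
    const CharType zero = 0;
    for (char c : bytes) {
        const CharType asPlatformChar = static_cast<CharType>(c);
        if (asPlatformChar < zero)
            return false;
    }
    return true;
}

// Portable check: look at the byte value itself, independent of whether char
// is signed on this target.
static bool isAscii(const std::string& bytes)
{
    for (char c : bytes) {
        if (static_cast<unsigned char>(c) >= 0x80)
            return false;
    }
    return true;
}

// True when the two ABIs disagree on the input, i.e. when the fast case would
// behave differently on ARM than on x86.
static bool fastCaseIsPlatformDependent(const std::string& bytes)
{
    return fastCaseIsAscii<signed char>(bytes) != fastCaseIsAscii<unsigned char>(bytes);
}

// Constructed sample input: "é" in UTF-8 is the two bytes C3 A9.
static const std::string kAscii = "plain ascii";
static const std::string kUtf8 = "caf\xC3\xA9";
```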
2868
2869 2014-08-06  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>
2870
2871         [JSC] Build fix for FTL on EFL after ftlopt merge
2872         https://bugs.webkit.org/show_bug.cgi?id=135565
2873
2874         Reviewed by Mark Lam.
2875
2876         Adding an enable guard for native inlining, since it now requires the bitcode
2877         emitted from Clang, and we don't have a good way of creating it from other compilers.
2878
2879         * dfg/DFGByteCodeParser.cpp:
2880         (JSC::DFG::ByteCodeParser::handleCall):
2881         * ftl/FTLLowerDFGToLLVM.cpp:
2882         (JSC::FTL::LowerDFGToLLVM::compileNode):
2883         * ftl/FTLState.cpp:
2884         (JSC::FTL::State::State):
2885         * ftl/FTLState.h:
2886
2887 2014-08-05  Csaba Osztrogonác  <ossy@webkit.org>
2888
2889         URTBF after r172129. (ftlopt branch merge)
2890
2891         Remove the duplicated friend declaration to fix this build failure:
2892         "error: ‘JSC::Structure’ is already a friend of ‘JSC::StructureRareData’ [-Werror]"
2893
2894         * runtime/StructureRareData.h:
2895
2896 2014-08-05  Filip Pizlo  <fpizlo@apple.com>
2897
2898         Attempt to fix CMake-based builds, part 3.
2899
2900         * CMakeLists.txt:
2901
2902 2014-08-05  Filip Pizlo  <fpizlo@apple.com>
2903
2904         Attempt to fix CMake-based builds, part 2.
2905
2906         * CMakeLists.txt:
2907
2908 2014-08-05  Filip Pizlo  <fpizlo@apple.com>
2909
2910         Attempt to fix Windows build, part 2.
2911
2912         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2913
2914 2014-08-05  Filip Pizlo  <fpizlo@apple.com>
2915
2916         Attempt to fix CMake-based builds.
2917
2918         * CMakeLists.txt:
2919
2920 2014-08-05  Filip Pizlo  <fpizlo@apple.com>
2921
2922         Attempt to fix Windows build.
2923
2924         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2925
2926 2014-08-05  Filip Pizlo  <fpizlo@apple.com>
2927
2928         Fix cloop build.
2929
2930         * bytecode/CodeBlock.cpp:
2931         (JSC::CodeBlock::jettison):
2932
2933 2014-07-29  Filip Pizlo  <fpizlo@apple.com>
2934
2935         Merge r170564, r170571, r170604, r170628, r170672, r170680, r170724, r170728, r170729, r170819, r170821, r170836, r170855, r170860, r170890, r170907, r170929, r171052, r171106, r171152, r171153, r171214 from ftlopt.
2936
2937         This part of the merge delivers roughly a 2% across-the-board performance
2938         improvement, mostly due to immutable property inference and DFG-side GCSE. It also
2939         almost completely resolves accessor performance issues; in the common case the DFG
2940         will compile a getter/setter access into code that is just as efficient as a normal
2941         property access.
2942         
2943         Another major highlight of this part of the merge is the work to add a type profiler
2944         to the inspector. This work is still on-going but this greatly increases coverage.
2945
2946         Note that this merge fixes a minor bug in the GetterSetter refactoring from
2947         http://trac.webkit.org/changeset/170729 (https://bugs.webkit.org/show_bug.cgi?id=134518).
2948             It also adds new tests to tests/stress to cover that bug. That bug was previously only
2949         covered by layout tests.
2950
2951     2014-07-17  Filip Pizlo  <fpizlo@apple.com>
2952     
2953             [ftlopt] DFG Flush(SetLocal) store elimination is overzealous for captured variables in the presence of nodes that have no effects but may throw (merge trunk r171190)
2954             https://bugs.webkit.org/show_bug.cgi?id=135019
2955     
2956             Reviewed by Oliver Hunt.
2957             
2958             Behaviorally, this is just a merge of trunk r171190, except that the relevant functionality
2959             has moved to StrengthReductionPhase and is written in a different style. Same algorithm,
2960             different code.
2961     
2962             * dfg/DFGNodeType.h:
2963             * dfg/DFGStrengthReductionPhase.cpp:
2964             (JSC::DFG::StrengthReductionPhase::handleNode):
2965             * tests/stress/capture-escape-and-throw.js: Added.
2966             (foo.f):
2967             (foo):
2968             * tests/stress/new-array-with-size-throw-exception-and-tear-off-arguments.js: Added.
2969             (foo):
2970             (bar):
2971     
2972     2014-07-15  Filip Pizlo  <fpizlo@apple.com>
2973     
2974             [ftlopt] Constant fold GetGetter and GetSetter if the GetterSetter is a constant
2975             https://bugs.webkit.org/show_bug.cgi?id=134962
2976     
2977             Reviewed by Oliver Hunt.
2978             
2979             This removes yet another steady-state-throughput implication of using getters and setters:
2980             if your accessor call is monomorphic then you'll just get a structure check, nothing more.
2981             No more loads to get to the GetterSetter object or the accessor function object.
2982     
2983             * dfg/DFGAbstractInterpreterInlines.h:
2984             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2985             * runtime/GetterSetter.h:
2986             (JSC::GetterSetter::getterConcurrently):
2987             (JSC::GetterSetter::setGetter):
2988             (JSC::GetterSetter::setterConcurrently):
2989             (JSC::GetterSetter::setSetter):
2990     
2991     2014-07-15  Filip Pizlo  <fpizlo@apple.com>
2992     
2993             [ftlopt] Identity replacement in CSE shouldn't create a Phantom over the Identity's children
2994             https://bugs.webkit.org/show_bug.cgi?id=134893
2995     
2996             Reviewed by Oliver Hunt.
2997             
2998             Replace Identity with Check instead of Phantom. Phantom means that the child of the
2999             Identity should be unconditionally live. The liveness semantics of Identity are such that
3000             if the parents of Identity are live then the child is live. Removing the Identity entirely
3001             preserves such liveness semantics. So, the only thing that should be left behind is the
3002             type check on the child, which is what Check means: do the check but don't keep the child
3003             alive if the check isn't needed.
3004     
3005             * dfg/DFGCSEPhase.cpp:
3006             * dfg/DFGNode.h:
3007             (JSC::DFG::Node::convertToCheck):
3008     
3009     2014-07-13  Filip Pizlo  <fpizlo@apple.com>
3010     
3011             [ftlopt] DFG should be able to do GCSE in SSA and this should be unified with the CSE in CPS, and both of these things should use abstract heaps for reasoning about effects
3012             https://bugs.webkit.org/show_bug.cgi?id=134677
3013     
3014             Reviewed by Sam Weinig.
3015             
3016             This removes the old local CSE phase, which was based on manually written backward-search 
3017             rules for all of the different kinds of things we cared about, and adds a new local/global
3018             CSE (local for CPS and global for SSA) that leaves the node semantics almost entirely up to
3019             clobberize(). Thus, the CSE phase itself just worries about the algorithms and data
3020             structures used for storing sets of available values. This results in a large reduction in
3021             code size in CSEPhase.cpp while greatly increasing the phase's power (since it now does
3022             global CSE) and reducing compile time (since local CSE is now rewritten to use smarter data
3023             structures). Even though LLVM was already running GVN, the extra GCSE at DFG IR level means
3024             that this is a significant (~0.7%) throughput improvement.
3025             
3026             This work is based on the concept of "def" to clobberize(). If clobberize() calls def(), it
3027             means that the node being analyzed makes available some value in some DFG node, and that
3028             future attempts to compute that value can simply use that node. In other words, it
3029             establishes an available value mapping of the form value=>node. There are two kinds of
3030             values that can be passed to def():
3031             
3032             PureValue. This captures everything needed to determine whether two pure nodes - nodes that
3033                 neither read nor write, and produce a value that is a CSE candidate - are identical. It
3034                 carries the NodeType, an AdjacencyList, and one word of meta-data. The meta-data is
3035                 usually used for things like the arithmetic mode or constant pointer. Passing a
3036                 PureValue to def() means that the node produces a value that is valid anywhere that the
3037                 node dominates.
3038             
3039             HeapLocation. This describes a location in the heap that could be written to or read from.
3040                 Both stores and loads can def() a HeapLocation. HeapLocation carries around an abstract
3041                 heap that both serves as part of the "name" of the heap location (together with the
3042                 other fields of HeapLocation) and also tells us what write()'s to watch for. If someone
3043                 write()'s to an abstract heap that overlaps the heap associated with the HeapLocation,
3044                 then it means that the values for that location are no longer available.
3045             
3046             This approach is sufficiently clever that the CSEPhase itself can focus on the mechanism of
3047             tracking the PureValue=>node and HeapLocation=>node maps, without having to worry about
3048             interpreting the semantics of different DFG node types - that is now almost entirely in
3049             clobberize(). The only things we special-case inside CSEPhase are the Identity node, which
3050             CSE is traditionally responsible for eliminating even though it has nothing to do with CSE,
3051             and the LocalCSE rule for turning PutByVal into PutByValAlias.
3052             
3053             This is a slight Octane, SunSpider, and Kraken speed-up - all somewhere around 0.7%. It's
3054             not a bigger win because LLVM was already giving us most of what we needed in its GVN.
3055             Also, the SunSpider speed-up isn't from GCSE as much as it's a clean-up of local CSE - that
3056             is no longer O(n^2). Basically this is purely good: it reduces the amount of LLVM IR we
3057             generate, it removes the old CSE's heap modeling (which was a constant source of bugs), and
3058             it improves both the quality of the code we generate and the speed with which we generate
3059             it. Also, any future optimizations that depend on GCSE will now be easier to implement.
3060             
3061             During the development of this patch I also rationalized some other stuff, like Graph's
3062             ordered traversals - we now have preorder and postorder rather than just "depth first".
3063     
3064             * CMakeLists.txt:
3065             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3066             * JavaScriptCore.xcodeproj/project.pbxproj:
3067             * dfg/DFGAbstractHeap.h:
3068             * dfg/DFGAdjacencyList.h:
3069             (JSC::DFG::AdjacencyList::hash):
3070             (JSC::DFG::AdjacencyList::operator==):
3071             * dfg/DFGBasicBlock.h:
3072             * dfg/DFGCSEPhase.cpp:
3073             (JSC::DFG::performLocalCSE):
3074             (JSC::DFG::performGlobalCSE):
3075             (JSC::DFG::CSEPhase::CSEPhase): Deleted.
3076             (JSC::DFG::CSEPhase::run): Deleted.
3077             (JSC::DFG::CSEPhase::endIndexForPureCSE): Deleted.
3078             (JSC::DFG::CSEPhase::pureCSE): Deleted.
3079             (JSC::DFG::CSEPhase::constantCSE): Deleted.
3080             (JSC::DFG::CSEPhase::constantStoragePointerCSE): Deleted.
3081             (JSC::DFG::CSEPhase::getCalleeLoadElimination): Deleted.
3082             (JSC::DFG::CSEPhase::getArrayLengthElimination): Deleted.
3083             (JSC::DFG::CSEPhase::globalVarLoadElimination): Deleted.
3084             (JSC::DFG::CSEPhase::scopedVarLoadElimination): Deleted.
3085             (JSC::DFG::CSEPhase::varInjectionWatchpointElimination): Deleted.
3086             (JSC::DFG::CSEPhase::getByValLoadElimination): Deleted.
3087             (JSC::DFG::CSEPhase::checkFunctionElimination): Deleted.
3088             (JSC::DFG::CSEPhase::checkExecutableElimination): Deleted.
3089             (JSC::DFG::CSEPhase::checkStructureElimination): Deleted.
3090             (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination): Deleted.
3091             (JSC::DFG::CSEPhase::getByOffsetLoadElimination): Deleted.
3092             (JSC::DFG::CSEPhase::getGetterSetterByOffsetLoadElimination): Deleted.
3093             (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination): Deleted.
3094             (JSC::DFG::CSEPhase::checkArrayElimination): Deleted.
3095             (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination): Deleted.
3096             (JSC::DFG::CSEPhase::getInternalFieldLoadElimination): Deleted.
3097             (JSC::DFG::CSEPhase::getMyScopeLoadElimination): Deleted.
3098             (JSC::DFG::CSEPhase::getLocalLoadElimination): Deleted.
3099             (JSC::DFG::CSEPhase::invalidationPointElimination): Deleted.
3100             (JSC::DFG::CSEPhase::setReplacement): Deleted.
3101             (JSC::DFG::CSEPhase::eliminate): Deleted.
3102             (JSC::DFG::CSEPhase::performNodeCSE): Deleted.
3103             (JSC::DFG::CSEPhase::performBlockCSE): Deleted.
3104             (JSC::DFG::performCSE): Deleted.
3105             * dfg/DFGCSEPhase.h:
3106             * dfg/DFGClobberSet.cpp:
3107             (JSC::DFG::addReads):
3108             (JSC::DFG::addWrites):
3109             (JSC::DFG::addReadsAndWrites):
3110             (JSC::DFG::readsOverlap):
3111             (JSC::DFG::writesOverlap):
3112             * dfg/DFGClobberize.cpp:
3113             (JSC::DFG::doesWrites):
3114             (JSC::DFG::accessesOverlap):
3115             (JSC::DFG::writesOverlap):
3116             * dfg/DFGClobberize.h:
3117             (JSC::DFG::clobberize):
3118             (JSC::DFG::NoOpClobberize::operator()):
3119             (JSC::DFG::CheckClobberize::operator()):
        (JSC::DFG::ReadMethodClobberize::ReadMethodClobberize):
        (JSC::DFG::ReadMethodClobberize::operator()):
        (JSC::DFG::WriteMethodClobberize::WriteMethodClobberize):
        (JSC::DFG::WriteMethodClobberize::operator()):
        (JSC::DFG::DefMethodClobberize::DefMethodClobberize):
        (JSC::DFG::DefMethodClobberize::operator()):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::run):
        (JSC::DFG::DCEPhase::fixupBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::getBlocksInPreOrder):
        (JSC::DFG::Graph::getBlocksInPostOrder):
        (JSC::DFG::Graph::addForDepthFirstSort): Deleted.
        (JSC::DFG::Graph::getBlocksInDepthFirstOrder): Deleted.
        * dfg/DFGGraph.h:
        * dfg/DFGHeapLocation.cpp: Added.
        (JSC::DFG::HeapLocation::dump):
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h: Added.
        (JSC::DFG::HeapLocation::HeapLocation):
        (JSC::DFG::HeapLocation::operator!):
        (JSC::DFG::HeapLocation::kind):
        (JSC::DFG::HeapLocation::heap):
        (JSC::DFG::HeapLocation::base):
        (JSC::DFG::HeapLocation::index):
        (JSC::DFG::HeapLocation::hash):
        (JSC::DFG::HeapLocation::operator==):
        (JSC::DFG::HeapLocation::isHashTableDeletedValue):
        (JSC::DFG::HeapLocationHash::hash):
        (JSC::DFG::HeapLocationHash::equal):
        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::run):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::replaceWith):
        (JSC::DFG::Node::convertToPhantomUnchecked): Deleted.
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPureValue.cpp: Added.
        (JSC::DFG::PureValue::dump):
        * dfg/DFGPureValue.h: Added.
        (JSC::DFG::PureValue::PureValue):
        (JSC::DFG::PureValue::operator!):
        (JSC::DFG::PureValue::op):
        (JSC::DFG::PureValue::children):
        (JSC::DFG::PureValue::info):
        (JSC::DFG::PureValue::hash):
        (JSC::DFG::PureValue::operator==):
        (JSC::DFG::PureValue::isHashTableDeletedValue):
        (JSC::DFG::PureValueHash::hash):
        (JSC::DFG::PureValueHash::equal):
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):

2014-07-13  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, revert unintended change in r171051.

        * dfg/DFGCSEPhase.cpp:

2014-07-08  Filip Pizlo  <fpizlo@apple.com>

        [ftlopt] Move Flush(SetLocal) store elimination to StrengthReductionPhase
        https://bugs.webkit.org/show_bug.cgi?id=134739

        Reviewed by Mark Hahnenberg.

        I'm going to streamline CSE around clobberize() as part of
        https://bugs.webkit.org/show_bug.cgi?id=134677, and so Flush(SetLocal) store
        elimination wouldn't belong in CSE anymore. It doesn't quite belong anywhere, which
        means that it belongs in StrengthReductionPhase, since that's intended to be our
        dumping ground.

        To do this I had to add some missing smarts to clobberize(). Previously clobberize()
        could play a bit loose with reads of Variables because it wasn't used for store
        elimination. The main client of read() was LICM, but it would only use it to
        determine hoistability and anything that did a write() was not hoistable - so, we had
        benign (but still wrong) missing read() calls in places that did write()s. This fixes
        a bunch of those cases.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        (JSC::DFG::CSEPhase::setLocalStoreElimination): Deleted.
        * dfg/DFGClobberize.cpp:
        (JSC::DFG::accessesOverlap):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize): Make clobberize() smart enough for detecting when this store elimination would be sound.
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode): Implement the store elimination in terms of clobberize().

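The entry above makes store elimination depend on clobberize() reporting every read() a node performs. The following C++ is an added example, not JSC code: Heap, Node, clobberize(), readsOverlap() and eliminateDeadSetLocals() are hypothetical stand-ins for the DFG's abstract heaps, nodes, effect enumeration and accessesOverlap(). It generalises the entry's point to dead-store elimination of SetLocal within one basic block, and shows why a node that write()s without declaring its read() (the "benign (but still wrong)" case the entry describes) makes such an elimination unsound.

```cpp
#include <cstddef>
#include <functional>
#include <vector>

// A tiny effect model standing in for the DFG's abstract heaps (hypothetical,
// not JSC's AbstractHeap): one local variable slot, or the whole world.
struct Heap {
    enum Kind { Variable, World } kind;
    int local; // slot number, meaningful only for Variable

    static Heap variable(int slot) { return { Variable, slot }; }
    static Heap world() { return { World, -1 }; }

    // Two heaps overlap if either is the world or both name the same slot.
    bool overlaps(const Heap& other) const {
        return kind == World || other.kind == World || local == other.local;
    }
};

enum class Op { GetLocal, SetLocal, Call, Phantom };

struct Node {
    Op op;
    int local;         // slot for GetLocal/SetLocal, unused otherwise
    bool declaresRead; // Call only: does clobberize() report its read?
};

using EffectFn = std::function<void(const Heap&)>;

// clobberize()-style enumeration: invoke read/write for every heap the node
// touches. A Call reads and writes the world; with declaresRead == false it
// still writes but omits read(), the kind of omission the entry above fixes.
void clobberize(const Node& node, const EffectFn& read, const EffectFn& write) {
    switch (node.op) {
    case Op::GetLocal: read(Heap::variable(node.local)); break;
    case Op::SetLocal: write(Heap::variable(node.local)); break;
    case Op::Call:
        if (node.declaresRead)
            read(Heap::world());
        write(Heap::world());
        break;
    case Op::Phantom: break;
    }
}

// True if any heap the node reads overlaps the given heap.
bool readsOverlap(const Node& node, const Heap& heap) {
    bool result = false;
    clobberize(node,
        [&](const Heap& h) { if (h.overlaps(heap)) result = true; },
        [](const Heap&) {});
    return result;
}

// Store elimination driven by the effect model: a SetLocal to slot L is dead
// when a later SetLocal to L follows in the same block and nothing in between
// reads a heap overlapping L. Dead stores become Phantom; returns the count.
std::size_t eliminateDeadSetLocals(std::vector<Node>& block) {
    std::size_t eliminated = 0;
    for (std::size_t i = 0; i < block.size(); ++i) {
        if (block[i].op != Op::SetLocal)
            continue;
        Heap slot = Heap::variable(block[i].local);
        for (std::size_t j = i + 1; j < block.size(); ++j) {
            if (block[j].op == Op::SetLocal && block[j].local == block[i].local) {
                block[i].op = Op::Phantom;
                ++eliminated;
                break;
            }
            if (readsOverlap(block[j], slot))
                break; // something may observe the old value: keep the store
        }
    }
    return eliminated;
}

// SetLocal(0); Call; SetLocal(0). The call may observe slot 0, so the first
// store must survive. Returns true iff it does.
bool storeKeptWhenCallDeclaresRead() {
    std::vector<Node> block = { { Op::SetLocal, 0, false }, { Op::Call, -1, true }, { Op::SetLocal, 0, false } };
    return eliminateDeadSetLocals(block) == 0 && block[0].op == Op::SetLocal;
}

// Same block, but the Call's clobberize() forgets its read(): the first store
// is wrongly judged dead. Returns true iff that unsound elimination happens.
bool storeWronglyEliminatedWhenReadMissing() {
    std::vector<Node> block = { { Op::SetLocal, 0, false }, { Op::Call, -1, false }, { Op::SetLocal, 0, false } };
    return eliminateDeadSetLocals(block) == 1 && block[0].op == Op::Phantom;
}

// SetLocal(0); GetLocal(1); SetLocal(0): the read of slot 1 does not overlap
// slot 0, so the first store is genuinely dead. Returns true iff it is removed.
bool unrelatedReadDoesNotBlockElimination() {
    std::vector<Node> block = { { Op::SetLocal, 0, false }, { Op::GetLocal, 1, false }, { Op::SetLocal, 0, false } };
    return eliminateDeadSetLocals(block) == 1 && block[0].op == Op::Phantom;
}
```

The two Call scenarios run the same block with and without the read() declaration; only the second one drops the first SetLocal, which is the class of defect the entry is fixing. A hoistability check such as LICM's never notices the omission, because a node that write()s is not hoistable regardless of what it reads, but a store-elimination client trusts the absence of read() and will delete a store that a later node still observes.
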
2014-07-08  Filip Pizlo  <fpizlo@apple.com>

        [ftlopt] Phantom simplification should be in its own phase
        https://bugs.webkit.org/show_bug.cgi?id=134742

        Reviewed by Geoffrey Garen.

        This moves Phantom simplification out of CSE, which greatly simplifies CSE and gives it
        more focus. Also this finally adds a phase that removes empty Phantoms. We sort of had
        this in CPSRethreading, but that phase runs too infrequently and doesn't run at all for
        SSA.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAdjacencyList.h:
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::run):
        (JSC::DFG::CSEPhase::setReplacement):
        (JSC::DFG::CSEPhase::eliminate):
        (JSC::DFG::CSEPhase::performNodeCSE):
        (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren): Deleted.
        * dfg/DFGPhantomRemovalPhase.cpp: Added.
        (JSC::DFG::PhantomRemovalPhase::PhantomRemovalPhase):
        (JSC::DFG::PhantomRemovalPhase::run):
        (JSC::DFG::performCleanUp):
        * dfg/DFGPhantomRemovalPhase.h: Added.
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):

2014-07-08  Filip Pizlo  <fpizlo@apple.com>

        [ftlopt] Get rid of Node::misc by moving the fields out of the union so that you can use replacement and owner simultaneously
        https://bugs.webkit.org/show_bug.cgi?id=134730

        Reviewed by Mark Lam.

        This will allow for a better GCSE implementation.

        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::setReplacement):
        * dfg/DFGEdgeDominates.h:
        (JSC::DFG::EdgeDominates::operator()):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::clearReplacements):
        (JSC::DFG::Graph::initializeNodeOwners):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::performSubstitutionForEdge):
        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::attemptHoist):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::Node):
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):

2014-07-04  Filip Pizlo  <fpizlo@apple.com>

        [ftlopt] Infer immutable object properties
        https://bugs.webkit.org/show_bug.cgi?id=134567

        Reviewed by Mark Hahnenberg.

        This introduces a new way of inferring immutable object properties. A property is said to
        be immutable if after its creation (i.e. the transition that creates it), we never
        overwrite it (i.e. replace it) or delete it. Immutability is a property of an "own
        property" - so if we say that "f" is immutable at "o" then we are implying that "o" has "f"
        directly and not on a prototype. More specifically, the immutability inference will prove
        that a property on some structure is immutable. This means that, for example, we may have a