[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2014-08-05  Peyton Randolph  <prandolph@apple.com>
2
3         Rename MAC_LONG_PRESS feature flag to LONG_MOUSE_PRESS.
4         https://bugs.webkit.org/show_bug.cgi?id=135276
5
6         Reviewed by Beth Dakin.
7
8         * Configurations/FeatureDefines.xcconfig:
9
10 2014-08-04  Benjamin Poulain  <benjamin@webkit.org>
11
12         Add a flag for the CSS Selectors level 4 implementation
13         https://bugs.webkit.org/show_bug.cgi?id=135535
14
15         Reviewed by Andreas Kling.
16
17         * Configurations/FeatureDefines.xcconfig:
18
19 2014-08-04  Alex Christensen  <achristensen@webkit.org>
20
21         Progress towards CMake on Mac.
22         https://bugs.webkit.org/show_bug.cgi?id=135528
23
24         Reviewed by Gyuyoung Kim.
25
26         * CMakeLists.txt:
27         Include necessary directories and copy all necessary forwarding headers.
28         Only compile UDis86Disassembler.cpp if we're using UDIS86.
29         * PlatformMac.cmake: Added.
30         * tools/CodeProfiling.cpp:
31         Compile fix.  Include sys/time.h on darwin, too.
32
33 2014-08-04  Saam Barati  <sbarati@apple.com>
34
35         Create a more generic way for VMEntryScope to notify those interested that it will be destroyed
36         https://bugs.webkit.org/show_bug.cgi?id=135358
37
38         Reviewed by Geoffrey Garen.
39
40         When VMEntryScope is destroyed, and it has a flag set indicating that the
41         Debugger needs to recompile all functions, it calls Debugger::recompileAllJSFunctions. 
42         This flag is only used by Debugger to have VMEntryScope notify it when the
43         Debugger is safe to recompile all functions. This patch will substitute this
44         Debugger-specific recompilation flag with a list of callbacks that are notified 
45         when the outermost VMEntryScope dies. This creates a general purpose interface 
46         for being notified when the VM stops executing code via the event of the outermost 
47         VMEntryScope dying.
48
49         * debugger/Debugger.cpp:
50         (JSC::Debugger::recompileAllJSFunctions):
51         * runtime/VMEntryScope.cpp:
52         (JSC::VMEntryScope::VMEntryScope):
53         (JSC::VMEntryScope::addEntryScopeDidPopListener):
54         (JSC::VMEntryScope::~VMEntryScope):
55         * runtime/VMEntryScope.h:
56         (JSC::VMEntryScope::setRecompilationNeeded): Deleted.
57
58 2014-08-01  Carlos Alberto Lopez Perez  <clopez@igalia.com>
59
60         REGRESSION(r171942): [CMAKE] [GTK] build broken (clean build).
61         https://bugs.webkit.org/show_bug.cgi?id=135522
62
63         Reviewed by Martin Robinson.
64
65         * CMakeLists.txt: Output the inspector headers inside inspector
66         subdirectory.
67
68 2014-08-01  Mark Lam  <mark.lam@apple.com>
69
70         Add some structure related assertions.
71         <https://webkit.org/b/135523>
72
73         Reviewed by Geoffrey Garen.
74
75         Adding 2 assertions:
76         1. assert that we don't index past the end of the StructureIDTable.
77            This should never happen, but this assertion will help catch bugs
78            where a bad structureID gets passed in.
79         2. assert that cells in MarkedBlock::callDestructor() that are not
80            zapped should have a non-null StructureID.  This will help us catch
81            bugs where the other cell header flag bits get set after the cell is
82            zapped, thereby making the cell look like an unzapped cell but has a
83            null structureID.
84
85         * heap/MarkedBlock.cpp:
86         (JSC::MarkedBlock::callDestructor):
87         * runtime/StructureIDTable.h:
88         (JSC::StructureIDTable::get):
89
90 2014-08-01  Csaba Osztrogonác  <ossy@webkit.org>
91
92         URTBF after r171946 to fix non-Apple builds.
93
94         * bytecode/InlineCallFrameSet.cpp:
95
96 2014-08-01  Mark Hahnenberg  <mhahnenberg@apple.com>
97
98         CodeBlock fails to visit the Executables of its InlineCallFrames
99         https://bugs.webkit.org/show_bug.cgi?id=135471
100
101         Reviewed by Geoffrey Garen.
102
103         CodeBlock needs to visit its InlineCallFrames' owner Executables. If it doesn't, they 
104         can be prematurely collected and cause crashes.
105
106         * bytecode/CodeBlock.cpp:
107         (JSC::CodeBlock::stronglyVisitStrongReferences):
108         * bytecode/CodeOrigin.h:
109         (JSC::InlineCallFrame::visitAggregate):
110         * bytecode/InlineCallFrameSet.cpp:
111         (JSC::InlineCallFrameSet::visitAggregate):
112         * bytecode/InlineCallFrameSet.h:
113
114 2014-08-01  Alex Christensen  <achristensen@webkit.org>
115
116         Progress towards cmake on Windows.
117         https://bugs.webkit.org/show_bug.cgi?id=135484
118
119         Reviewed by Martin Robinson.
120
121         * CMakeLists.txt:
122         Generate code directly to inspector directory to avoid using the cp command
123         which is not available on Windows.
124         * PlatformWin.cmake: Added.
125
126 2014-07-31  Andreas Kling  <akling@apple.com>
127
128         Remove the JSC::OverridesVisitChildren flag.
129         <https://webkit.org/b/135489>
130
131         Except for 3 special classes, the visitChildren() call is always
132         dispatched through the method table (see SlotVisitor.cpp.)
133
134         The OverridesVisitChildren flag doesn't actually do anything.
135         It could be used to implement a non-virtual direct call to
136         JSCell::visitChildren, bypassing the method table for some objects,
137         but such a micro-optimization seems like a weak trade for all this
138         code complexity. Instead, just remove the flag.
139
140         This change frees up an inline flag bit in JSCell.
141
142         Reviewed by Geoffrey Garen.
143
144         * API/JSAPIWrapperObject.h:
145         * API/JSAPIWrapperObject.mm:
146         (JSC::JSAPIWrapperObject::visitChildren):
147         * API/JSCallbackObject.h:
148         (JSC::JSCallbackObject::visitChildren):
149         * bytecode/UnlinkedCodeBlock.cpp:
150         (JSC::UnlinkedFunctionExecutable::visitChildren):
151         (JSC::UnlinkedCodeBlock::visitChildren):
152         (JSC::UnlinkedProgramCodeBlock::visitChildren):
153         * bytecode/UnlinkedCodeBlock.h:
154         * debugger/DebuggerScope.cpp:
155         (JSC::DebuggerScope::visitChildren):
156         * debugger/DebuggerScope.h:
157         * jsc.cpp:
158         * runtime/Arguments.cpp:
159         (JSC::Arguments::visitChildren):
160         * runtime/Arguments.h:
161         * runtime/Executable.cpp:
162         (JSC::EvalExecutable::visitChildren):
163         (JSC::ProgramExecutable::visitChildren):
164         (JSC::FunctionExecutable::visitChildren):
165         * runtime/Executable.h:
166         * runtime/GetterSetter.cpp:
167         (JSC::GetterSetter::visitChildren):
168         * runtime/GetterSetter.h:
169         (JSC::GetterSetter::createStructure):
170         * runtime/JSAPIValueWrapper.h:
171         (JSC::JSAPIValueWrapper::createStructure):
172         * runtime/JSActivation.cpp:
173         (JSC::JSActivation::visitChildren):
174         * runtime/JSActivation.h:
175         * runtime/JSArrayIterator.cpp:
176         (JSC::JSArrayIterator::visitChildren):
177         * runtime/JSArrayIterator.h:
178         * runtime/JSBoundFunction.cpp:
179         (JSC::JSBoundFunction::visitChildren):
180         * runtime/JSBoundFunction.h:
181         * runtime/JSCellInlines.h:
182         (JSC::JSCell::setStructure):
183         * runtime/JSFunction.cpp:
184         (JSC::JSFunction::visitChildren):
185         * runtime/JSFunction.h:
186         * runtime/JSGlobalObject.cpp:
187         (JSC::JSGlobalObject::visitChildren):
188         * runtime/JSGlobalObject.h:
189         * runtime/JSMap.h:
190         * runtime/JSMapIterator.cpp:
191         (JSC::JSMapIterator::visitChildren):
192         * runtime/JSMapIterator.h:
193         * runtime/JSNameScope.cpp:
194         (JSC::JSNameScope::visitChildren):
195         * runtime/JSNameScope.h:
196         * runtime/JSPromise.cpp:
197         (JSC::JSPromise::visitChildren):
198         * runtime/JSPromise.h:
199         * runtime/JSPromiseDeferred.cpp:
200         (JSC::JSPromiseDeferred::visitChildren):
201         * runtime/JSPromiseDeferred.h:
202         * runtime/JSPromiseReaction.cpp:
203         (JSC::JSPromiseReaction::visitChildren):
204         * runtime/JSPromiseReaction.h:
205         * runtime/JSPropertyNameIterator.cpp:
206         (JSC::JSPropertyNameIterator::visitChildren):
207         * runtime/JSPropertyNameIterator.h:
208         * runtime/JSProxy.cpp:
209         (JSC::JSProxy::visitChildren):
210         * runtime/JSProxy.h:
211         * runtime/JSScope.cpp:
212         (JSC::JSScope::visitChildren):
213         * runtime/JSScope.h:
214         * runtime/JSSegmentedVariableObject.cpp:
215         (JSC::JSSegmentedVariableObject::visitChildren):
216         * runtime/JSSegmentedVariableObject.h:
217         * runtime/JSSet.h:
218         * runtime/JSSetIterator.cpp:
219         (JSC::JSSetIterator::visitChildren):
220         * runtime/JSSetIterator.h:
221         * runtime/JSSymbolTableObject.cpp:
222         (JSC::JSSymbolTableObject::visitChildren):
223         * runtime/JSSymbolTableObject.h:
224         * runtime/JSTypeInfo.h:
225         (JSC::TypeInfo::overridesVisitChildren): Deleted.
226         * runtime/JSWeakMap.h:
227         * runtime/JSWithScope.cpp:
228         (JSC::JSWithScope::visitChildren):
229         * runtime/JSWithScope.h:
230         * runtime/JSWrapperObject.cpp:
231         (JSC::JSWrapperObject::visitChildren):
232         * runtime/JSWrapperObject.h:
233         * runtime/MapData.h:
234         * runtime/NativeErrorConstructor.cpp:
235         (JSC::NativeErrorConstructor::visitChildren):
236         * runtime/NativeErrorConstructor.h:
237         * runtime/PropertyMapHashTable.h:
238         * runtime/PropertyTable.cpp:
239         (JSC::PropertyTable::visitChildren):
240         * runtime/RegExpConstructor.cpp:
241         (JSC::RegExpConstructor::visitChildren):
242         * runtime/RegExpConstructor.h:
243         * runtime/RegExpMatchesArray.cpp:
244         (JSC::RegExpMatchesArray::visitChildren):
245         * runtime/RegExpMatchesArray.h:
246         * runtime/RegExpObject.cpp:
247         (JSC::RegExpObject::visitChildren):
248         * runtime/RegExpObject.h:
249         * runtime/SparseArrayValueMap.h:
250         * runtime/Structure.cpp:
251         (JSC::Structure::Structure):
252         (JSC::Structure::visitChildren):
253         * runtime/StructureChain.cpp:
254         (JSC::StructureChain::visitChildren):
255         * runtime/StructureChain.h:
256         * runtime/StructureRareData.cpp:
257         (JSC::StructureRareData::visitChildren):
258         * runtime/StructureRareData.h:
259         * runtime/WeakMapData.h:
260
261 2014-07-31  Mark Lam  <mark.lam@apple.com>
262
263         JSCell::classInfo() belongs in JSCellInlines.h.
264         <https://webkit.org/b/135475>
265
266         Reviewed by Mark Hahnenberg.
267
268         * runtime/JSCellInlines.h:
269         (JSC::JSCell::classInfo):
270         * runtime/JSDestructibleObject.h:
271         (JSC::JSCell::classInfo): Deleted.
272
273 2014-07-31  Tanay C  <tanay.c@samsung.com>
274
275         Build warning in webkit/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
276         https://bugs.webkit.org/show_bug.cgi?id=135414
277
278         Reviewed by Csaba Osztrogonác.
279
280         * llint/LLIntSlowPaths.cpp:
281         (JSC::LLInt::putToScopeCommon): Removed unused parameter from function definition.
282
283 2014-07-30  Filip Pizlo  <fpizlo@apple.com>
284
285         NewFunctionExpression and NewFunctionNoCheck should setHaveStructures(true)
286         https://bugs.webkit.org/show_bug.cgi?id=135430
287
288         Reviewed by Mark Hahnenberg.
289
290         We already handled this correctly after the ftlopt merge, but it's useful to have the test.
291
292         * tests/stress/new-function-expression-has-structures.js: Added.
293         (foo.f):
294         (foo.f.prototype.f):
295         (foo):
296
297 2014-07-30  Andreas Kling  <akling@apple.com>
298
299         Speculative Windows build fix.
300
301         Try to dllimport the dllexported global object HashTable.
302
303         * jsc.cpp:
304         * testRegExp.cpp:
305
306 2014-07-30  Andreas Kling  <akling@apple.com>
307
308         PropertyName's internal string is always atomic.
309         <https://webkit.org/b/135451>
310
311         Now that we've merged the JSC::Identifier and WTF::AtomicString tables,
312         we know that any string that's an Identifier is guaranteed to be atomic.
313
314         A PropertyName can be either an Identifier or a PrivateName, and the
315         private names are also guaranteed to be atomic internally.
316
317         Make PropertyName vend AtomicStringImpl* instead of StringImpl*.
318
319         Reviewed by Benjamin Poulain.
320
321         * runtime/PropertyName.h:
322         (JSC::PropertyName::PropertyName):
323         (JSC::PropertyName::uid):
324         (JSC::PropertyName::publicName):
325
326 2014-07-30  Andy Estes  <aestes@apple.com>
327
328         USE(CONTENT_FILTERING) should be ENABLE(CONTENT_FILTERING)
329         https://bugs.webkit.org/show_bug.cgi?id=135439
330
331         Reviewed by Tim Horton.
332
333         We now support two different platform content filters, and will soon support a mock content filter (as part of
334         webkit.org/b/128858). This makes content filtering a feature of WebKit, not just an adoption of a third-party
335         library. ENABLE() is the correct macro to use for such a feature.
336
337         * Configurations/FeatureDefines.xcconfig:
338
339 2014-07-30  Andreas Kling  <akling@apple.com>
340
341         Static hash tables no longer need to be coupled with a VM.
342         <https://webkit.org/b/135421>
343
344         Now that the static hash tables are using char** instead of StringImpl**,
345         it's no longer necessary to make them per-VM.
346
347         This patch removes the hook in ClassInfo for providing your own static
348         hash table getter. Everyone now uses ClassInfo::staticPropHashTable.
349         Most of this patch is tweaking ClassInfo construction sites to pass one
350         less null pointer.
351
352         Also simplified Lookup.h to stop requiring ExecState/VM to access the
353         static hash tables.
354
355         Reviewed by Geoffrey Garen.
356
357         * API/JSAPIWrapperObject.mm:
358         * API/JSCallbackConstructor.cpp:
359         * API/JSCallbackFunction.cpp:
360         * API/JSCallbackObject.cpp:
361         * API/ObjCCallbackFunction.mm:
362         * bytecode/UnlinkedCodeBlock.cpp:
363         * create_hash_table:
364         * debugger/DebuggerScope.cpp:
365         * inspector/JSInjectedScriptHost.cpp:
366         * inspector/JSInjectedScriptHostPrototype.cpp:
367         * inspector/JSJavaScriptCallFrame.cpp:
368         * inspector/JSJavaScriptCallFramePrototype.cpp:
369         * interpreter/CallFrame.h:
370         (JSC::ExecState::arrayConstructorTable): Deleted.
371         (JSC::ExecState::arrayPrototypeTable): Deleted.
372         (JSC::ExecState::booleanPrototypeTable): Deleted.
373         (JSC::ExecState::dataViewTable): Deleted.
374         (JSC::ExecState::dateTable): Deleted.
375         (JSC::ExecState::dateConstructorTable): Deleted.
376         (JSC::ExecState::errorPrototypeTable): Deleted.
377         (JSC::ExecState::globalObjectTable): Deleted.
378         (JSC::ExecState::jsonTable): Deleted.
379         (JSC::ExecState::numberConstructorTable): Deleted.
380         (JSC::ExecState::numberPrototypeTable): Deleted.
381         (JSC::ExecState::objectConstructorTable): Deleted.
382         (JSC::ExecState::privateNamePrototypeTable): Deleted.
383         (JSC::ExecState::regExpTable): Deleted.
384         (JSC::ExecState::regExpConstructorTable): Deleted.
385         (JSC::ExecState::regExpPrototypeTable): Deleted.
386         (JSC::ExecState::stringConstructorTable): Deleted.
387         (JSC::ExecState::promisePrototypeTable): Deleted.
388         (JSC::ExecState::promiseConstructorTable): Deleted.
389         * jsc.cpp:
390         * parser/Lexer.h:
391         (JSC::Keywords::isKeyword):
392         (JSC::Keywords::getKeyword):
393         * runtime/Arguments.cpp:
394         * runtime/ArgumentsIteratorConstructor.cpp:
395         * runtime/ArgumentsIteratorPrototype.cpp:
396         * runtime/ArrayBufferNeuteringWatchpoint.cpp:
397         * runtime/ArrayConstructor.cpp:
398         (JSC::ArrayConstructor::getOwnPropertySlot):
399         * runtime/ArrayIteratorConstructor.cpp:
400         * runtime/ArrayIteratorPrototype.cpp:
401         * runtime/ArrayPrototype.cpp:
402         (JSC::ArrayPrototype::getOwnPropertySlot):
403         * runtime/BooleanConstructor.cpp:
404         * runtime/BooleanObject.cpp:
405         * runtime/BooleanPrototype.cpp:
406         (JSC::BooleanPrototype::getOwnPropertySlot):
407         * runtime/ClassInfo.h:
408         (JSC::ClassInfo::hasStaticProperties):
409         (JSC::ClassInfo::propHashTable): Deleted.
410         * runtime/ConsolePrototype.cpp:
411         * runtime/CustomGetterSetter.cpp:
412         * runtime/DateConstructor.cpp:
413         (JSC::DateConstructor::getOwnPropertySlot):
414         * runtime/DateInstance.cpp:
415         * runtime/DatePrototype.cpp:
416         (JSC::DatePrototype::getOwnPropertySlot):
417         * runtime/Error.cpp:
418         * runtime/ErrorConstructor.cpp:
419         * runtime/ErrorInstance.cpp:
420         * runtime/ErrorPrototype.cpp:
421         (JSC::ErrorPrototype::getOwnPropertySlot):
422         * runtime/ExceptionHelpers.cpp:
423         * runtime/Executable.cpp:
424         * runtime/FunctionConstructor.cpp:
425         * runtime/FunctionPrototype.cpp:
426         * runtime/GetterSetter.cpp:
427         * runtime/InternalFunction.cpp:
428         * runtime/JSAPIValueWrapper.cpp:
429         * runtime/JSActivation.cpp:
430         * runtime/JSArgumentsIterator.cpp:
431         * runtime/JSArray.cpp:
432         * runtime/JSArrayBuffer.cpp:
433         * runtime/JSArrayBufferConstructor.cpp:
434         * runtime/JSArrayBufferPrototype.cpp:
435         * runtime/JSArrayBufferView.cpp:
436         * runtime/JSArrayIterator.cpp:
437         * runtime/JSBoundFunction.cpp:
438         * runtime/JSConsole.cpp:
439         * runtime/JSDataView.cpp:
440         * runtime/JSDataViewPrototype.cpp:
441         (JSC::JSDataViewPrototype::getOwnPropertySlot):
442         * runtime/JSFunction.cpp:
443         * runtime/JSGlobalObject.cpp:
444         (JSC::JSGlobalObject::getOwnPropertySlot):
445         * runtime/JSMap.cpp:
446         * runtime/JSMapIterator.cpp:
447         * runtime/JSNameScope.cpp:
448         * runtime/JSNotAnObject.cpp:
449         * runtime/JSONObject.cpp:
450         (JSC::JSONObject::getOwnPropertySlot):
451         * runtime/JSObject.cpp:
452         (JSC::getClassPropertyNames):
453         (JSC::JSObject::put):
454         (JSC::JSObject::deleteProperty):
455         (JSC::JSObject::findPropertyHashEntry):
456         (JSC::JSObject::reifyStaticFunctionsForDelete):
457         * runtime/JSObject.h:
458         * runtime/JSPromise.cpp:
459         * runtime/JSPromiseConstructor.cpp:
460         (JSC::JSPromiseConstructor::getOwnPropertySlot):
461         * runtime/JSPromiseDeferred.cpp:
462         * runtime/JSPromisePrototype.cpp:
463         (JSC::JSPromisePrototype::getOwnPropertySlot):
464         * runtime/JSPromiseReaction.cpp:
465         * runtime/JSPropertyNameIterator.cpp:
466         * runtime/JSProxy.cpp:
467         * runtime/JSSet.cpp:
468         * runtime/JSSetIterator.cpp:
469         * runtime/JSString.cpp:
470         * runtime/JSTypedArrayConstructors.cpp:
471         * runtime/JSTypedArrayPrototypes.cpp:
472         * runtime/JSTypedArrays.cpp:
473         * runtime/JSVariableObject.cpp:
474         * runtime/JSWeakMap.cpp:
475         * runtime/JSWithScope.cpp:
476         * runtime/Lookup.cpp:
477         (JSC::HashTable::createTable):
478         * runtime/Lookup.h:
479         (JSC::HashTable::initializeIfNeeded):
480         (JSC::HashTable::entry):
481         (JSC::HashTable::begin):
482         (JSC::HashTable::end):
483         (JSC::getStaticPropertySlot):
484         (JSC::getStaticFunctionSlot):
485         (JSC::getStaticValueSlot):
486         (JSC::lookupPut):
487         * runtime/MapConstructor.cpp:
488         * runtime/MapData.cpp:
489         * runtime/MapIteratorConstructor.cpp:
490         * runtime/MapIteratorPrototype.cpp:
491         * runtime/MapPrototype.cpp:
492         * runtime/MathObject.cpp:
493         * runtime/NameConstructor.cpp:
494         * runtime/NameInstance.cpp:
495         * runtime/NamePrototype.cpp:
496         (JSC::NamePrototype::getOwnPropertySlot):
497         * runtime/NativeErrorConstructor.cpp:
498         * runtime/NumberConstructor.cpp:
499         (JSC::NumberConstructor::getOwnPropertySlot):
500         * runtime/NumberObject.cpp:
501         * runtime/NumberPrototype.cpp:
502         (JSC::NumberPrototype::getOwnPropertySlot):
503         * runtime/ObjectConstructor.cpp:
504         (JSC::ObjectConstructor::getOwnPropertySlot):
505         * runtime/ObjectPrototype.cpp:
506         * runtime/PropertyTable.cpp:
507         * runtime/RegExp.cpp:
508         * runtime/RegExpConstructor.cpp:
509         (JSC::RegExpConstructor::getOwnPropertySlot):
510         * runtime/RegExpMatchesArray.cpp:
511         * runtime/RegExpObject.cpp:
512         (JSC::RegExpObject::getOwnPropertySlot):
513         * runtime/RegExpPrototype.cpp:
514         (JSC::RegExpPrototype::getOwnPropertySlot):
515         * runtime/SetConstructor.cpp:
516         * runtime/SetIteratorConstructor.cpp:
517         * runtime/SetIteratorPrototype.cpp:
518         * runtime/SetPrototype.cpp:
519         * runtime/SparseArrayValueMap.cpp:
520         * runtime/StrictEvalActivation.cpp:
521         * runtime/StringConstructor.cpp:
522         (JSC::StringConstructor::getOwnPropertySlot):
523         * runtime/StringObject.cpp:
524         * runtime/StringPrototype.cpp:
525         * runtime/Structure.cpp:
526         (JSC::Structure::Structure):
527         (JSC::Structure::freezeTransition):
528         (JSC::ClassInfo::hasStaticSetterOrReadonlyProperties):
529         * runtime/StructureChain.cpp:
530         * runtime/StructureRareData.cpp:
531         * runtime/SymbolTable.cpp:
532         * runtime/VM.cpp:
533         (JSC::VM::VM):
534         (JSC::VM::~VM):
535         * runtime/VM.h:
536         * runtime/WeakMapConstructor.cpp:
537         * runtime/WeakMapData.cpp:
538         * runtime/WeakMapPrototype.cpp:
539         * testRegExp.cpp:
540
541 2014-07-29  Brent Fulgham  <bfulgham@apple.com>
542
543         [Win] Modify version numbering scheme to support 5-tuple versions
544         https://bugs.webkit.org/show_bug.cgi?id=135400
545         <rdar://problem/17849033>
546
547         Reviewed by David Kilzer.
548
549         * JavaScriptCore.vcxproj/JavaScriptCorePostBuild.cmd: Use the
550         new version-stamp.pl script to version JavaScriptCore.dll.
551
552 2014-07-29  Daniel Bates  <dabates@apple.com>
553
554         Use WTF::move() instead of std::move() to help ensure move semantics
555         https://bugs.webkit.org/show_bug.cgi?id=135351
556
557         Reviewed by Alexey Proskuryakov.
558
559         * bytecode/GetByIdStatus.cpp:
560         (JSC::GetByIdStatus::computeForStubInfo):
561         * bytecode/GetByIdVariant.cpp:
562         (JSC::GetByIdVariant::GetByIdVariant):
563
564 2014-07-28  Tamas Gergely  <tgergely.u-szeged@partner.samsung.com>
565
566         BuildFix: JavaScriptCore/bytecode/StructureSet.h:262:77: warning.
567         https://bugs.webkit.org/show_bug.cgi?id=135287
568
569         Reviewed by Darin Adler.
570
571         The set() method tries to use a part of the old value (the reservedFlag bit) which
572         was not defined when the constructor is called. Initialize m_pointer to 0 explicitly.
573
574         * bytecode/StructureSet.h:
575         (JSC::StructureSet::StructureSet):
576
577 2014-07-28  Benjamin Poulain  <bpoulain@apple.com>
578
579         [JSC] JIT::assertStackPointerOffset() crashes on ARM64
580         https://bugs.webkit.org/show_bug.cgi?id=135316
581
582         Reviewed by Geoffrey Garen.
583
584         JIT::assertStackPointerOffset() does a compare between an arbitrary register
585         and the stack pointer. This was not supported by the ARM64 assembler.
586
587         There is no variation that can take a stack pointer for Xd. There is one version of subs
588         that can take a stack pointer, but only for the Xn: the shift+extend one.
589         To solve the problem, I changed cmp to swap the registers if necessary, and I fixed
590         the implementation of sub.
591
592         * assembler/ARM64Assembler.h:
593         (JSC::ARM64Assembler::sub):
594         In the generic sub(reg, reg), I added assertions to catch the condition that cannot be generated
595         with either version of sub.
596
597         In sub(with shift), I remove the weird special case for SP. First, it was quite misleading because
598         the Rd case only works if "setflag == false". The other confusing part is going to addSubtractShiftedRegister()
599         gives you a reduced shift range, which could create subtle bugs that only appear when SP is used.
600
601         Since I removed the weird case, I need to differentiate between the sub() that supports SP, and the one that does
602         not elsewhere. That is why that branch has moved to the generic sub(reg, reg). Since at that point we know
603         the shift value must be zero, it is safe to call either variant.
604
605         * assembler/MacroAssemblerARM64.h:
606         (JSC::MacroAssemblerARM64::branch64):
607         With the changes described above, we can now use SP for the left register. What do we do if the rightmost
608         register is SP?
609
610         For the case of JIT::assertStackPointerOffset(), the comparison is Equal so the order really does not matter,
611         we just switch the registers before generating the instruction.
612
613         For the generic case, just move the value of SP to a GPR before doing the CMP.
614
615 2014-07-28  Brian J. Burg  <burg@cs.washington.edu>
616
617         Unreviewed build fix after r171682.
618
619         * replay/EncodedValue.h: Don't mark the inlined Vector<char> specialization
620         as an exported symbol.
621
622 2014-07-28  Mark Hahnenberg  <mhahnenberg@apple.com>
623
624         REGRESSION: JSObjectSetPrototype() does not work on result of JSGetGlobalObject()
625         https://bugs.webkit.org/show_bug.cgi?id=135322
626
627         Reviewed by Oliver Hunt.
628
629         The prototype chain of the JSProxy object should match that of the JSGlobalObject. 
630
631         This is a separate but related issue with JSObjectSetPrototype which doesn't correctly 
632         account for JSProxies. I also audited the rest of the C API to check that we correctly 
633         handle JSProxies in all other situations where we expect a JSCallbackObject of some sort
634         and found some SPI calls (JSObject*PrivateProperty) that didn't behave correctly when 
635         passed a JSProxy.
636
637         I also added some new tests for these cases.
638
639         * API/JSObjectRef.cpp:
640         (JSObjectSetPrototype):
641         (JSObjectGetPrivateProperty):
642         (JSObjectSetPrivateProperty):
643         (JSObjectDeletePrivateProperty):
644         * API/JSWeakObjectMapRefPrivate.cpp:
645         * API/tests/CustomGlobalObjectClassTest.c:
646         (globalObjectSetPrototypeTest):
647         (globalObjectPrivatePropertyTest):
648         * API/tests/CustomGlobalObjectClassTest.h:
649         * API/tests/testapi.c:
650         (main):
651
652 2014-07-28  Filip Pizlo  <fpizlo@apple.com>
653
654         Make sure that we don't use non-speculative BooleanToNumber for a speculative Branch
655         https://bugs.webkit.org/show_bug.cgi?id=135350
656         <rdar://problem/17509889>
657
658         Reviewed by Mark Hahnenberg and Oliver Hunt.
659         
660         If we have an exiting node that uses a conversion node, then that exiting node
661         needs to have a Phantom after it for the original node. But we can't do that
662         for Branch because https://bugs.webkit.org/show_bug.cgi?id=126778.
663
664         * dfg/DFGFixupPhase.cpp:
665         (JSC::DFG::FixupPhase::fixupNode):
666         (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
667         * tests/stress/branch-check-int32-on-boolean-to-number-untyped.js: Added.
668         (foo):
669         (test):
670         * tests/stress/branch-check-number-on-boolean-to-number-untyped.js: Added.
671         (foo):
672         (test):
673
674 2014-07-28  Joseph Pecoraro  <pecoraro@apple.com>
675
676         JSContext Inspector: crash when using step-into
677         https://bugs.webkit.org/show_bug.cgi?id=135345
678
679         Reviewed by Timothy Hatcher.
680
681         * inspector/agents/InspectorDebuggerAgent.cpp:
682         (Inspector::InspectorDebuggerAgent::stepInto):
683         Null check m_listener since it may not be set.
684
685 2014-07-28  Brian J. Burg  <burg@cs.washington.edu>
686
687         Web Replay: auto-decoding of parameterized vector's elements is incorrect
688         https://bugs.webkit.org/show_bug.cgi?id=135343
689
690         Reviewed by Timothy Hatcher.
691
692         Fix an incorrect type argument in EncodingTraits<Vector<T>>::encodeValue
693         that was using the element's decoded type as the type parameter to
694         EncodedValue::append<T>. It should instead be the raw type T. This
695         causes problems when encoding Vector<RefPtr<T>>, as it later tries to
696         use encoding traits for RefPtr<T> rather than for T.
697
698         Fix incorrect generated encoding traits argument for vectors of
699         RefCounted objects. Updated test to cover this scenario.
700
701         * replay/scripts/CodeGeneratorReplayInputs.py:
702         (Type.encoding_type_argument):
703         (VectorType.type_name):
704         (VectorType):
705         (VectorType.encoding_type_argument):
706         (Generator.generate_input_encode_implementation):
707         (Generator.generate_input_decode_implementation):
708         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp:
709         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h:
710         * replay/scripts/tests/generate-input-with-vector-members.json: Updated.
711
712 2014-07-28  Brian J. Burg  <burg@cs.washington.edu>
713
714         Web Replay: incorrect serialization code generated for enum classes inside class scope
715         https://bugs.webkit.org/show_bug.cgi?id=135342
716
717         Reviewed by Timothy Hatcher.
718
719         If an enum class is defined inside of a class scope, then the enum class
720         cannot be forward-declared and the relevant header should be included.
721         Some generated code used incorrectly-scoped enum values in this situation.
722
723         * replay/scripts/CodeGeneratorReplayInputs.py:
724         (Generator.generate_includes.declaration.is):
725         (Generator.generate_enum_trait_implementation.is):
726         (Generator.generate_enum_trait_implementation):
727
728         Tests:
729
730         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Rebaselined.
731         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Rebaselined.
732         * replay/scripts/tests/generate-enums-with-same-base-name.json: Add enum
733         class types to this test case.
734
735 2014-07-28  Brian J. Burg  <burg@cs.washington.edu>
736
737         Web Replay: vectors of characters should be base64-encoded
738         https://bugs.webkit.org/show_bug.cgi?id=135341
739
740         Reviewed by Timothy Hatcher.
741
742         Without this specialization, encode/decode methods try to create an
743         array of single characters in JSON, rather than treating the
744         vector as a binary blob.
745
746         * replay/EncodedValue.cpp:
747         (JSC::EncodingTraits<Vector<char>>::encodeValue): Added.
748         (JSC::EncodingTraits<Vector<char>>::decodeValue): Added.
749         * replay/EncodedValue.h:
750
751 2014-07-28  Brent Fulgham  <bfulgham@apple.com>
752
753         [Win] Unreviewed build fix.
754
755         * JavaScriptCore.vcxproj/JavaScriptCore.proj: Switch from the 'Rebuild' target for MSBuild
756         builds to the 'Build' target to avoid a spurious 'clean' in between build steps.
757
758 2014-07-27  Ryuan Choi  <ryuan.choi@samsung.com>
759
760         Unreviewed build fix on the EFL port
761
762         Build break because of -Werror=return-type
763
764         * bytecode/PutByIdVariant.cpp:
765         (JSC::PutByIdVariant::oldStructureForTransition):
766         * dfg/DFGValueStrength.h:
767         (JSC::DFG::merge):
768
769 2014-07-27  Filip Pizlo  <fpizlo@apple.com>
770
771         [REGRESSION][ftlopt merge][32-bit] stress/prune-multi-put-by-offset-replace-or-transition-variant.js.dfg-eager hits an assertion in SpeculativeJIT::silentSavePlanForGPR
772         https://bugs.webkit.org/show_bug.cgi?id=135323
773
774         Reviewed by Oliver Hunt.
775         
776         SpeculativeJIT::silentSavePlanForGPR likes to believe that if a node is a constant,
777         then it's a constant that can be represented using that node's current DataFormat.
778         This doesn't work if the constant had been filled as a JSValue, and then one of the
779         fillSpeculateBlah() methods had speculated that it's of some type that the constant
780         isn't. Unless fillSpeculateBlah() specifically defends against this case, we'll have
781         a constant that claims to have a contradictory data format.
782         
783         This patch fixes such a bug in the 32-bit fillSpeculateCell(). The 64-bit
784         fillSpeculateCell() appears to not have this bug, but I added a similar defense
785         mechanism anyway just in case, since this is one of those mistakes that keeps
786         reappearing.
787
788         * dfg/DFGSpeculativeJIT.cpp:
789         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
790         * dfg/DFGSpeculativeJIT32_64.cpp:
791         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
792         * dfg/DFGSpeculativeJIT64.cpp:
793         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
794
795 2014-07-27  Filip Pizlo  <fpizlo@apple.com>
796
797         Merge r170090, r170092, r170129, r170141, r170161, r170215, r170275, r170375, r170376, r170382, r170383, r170399, r170436, r170489, r170490, r170556 from ftlopt.
798         
799         This fixes the previous mismerge and adds test coverage for the thing that went wrong.
800         
801         Additional changes listed here:
802
803         * jsc.cpp:
804         (functionHasCustomProperties): Expose a way of checking hasCustomProperties(), which the DOM relies on. The regression I previously introduced was because this didn't work right. Now we can test it!
805         * runtime/Structure.cpp:
806         (JSC::Structure::Structure): This was supposed to be setDidTransition(true); the last merge had it set to false.
807         * tests/stress/has-custom-properties.js: Added. This test failed with the mismerge.
808
809     2014-06-27  Michael Saboff  <msaboff@apple.com>
810     
811             Unreviewed build fix after r169795.
812     
813             Fixed ASSERT for 32 bit build.
814     
815             * dfg/DFGSpeculativeJIT.cpp:
816             (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
817     
818     2014-06-24  Saam Barati  <sbarati@apple.com>
819     
820             Web Inspector: debugger should be able to show variable types
821             https://bugs.webkit.org/show_bug.cgi?id=133395
822     
823             Reviewed by Filip Pizlo.
824     
825             Increase the amount of type information the VM gathers when directed
826             to do so. This initial commit is working towards the goal of
827             capturing, and then showing (via the Web Inspector) type information for all
828             assignment and load operations. This patch doesn't have the feature fully 
829             implemented, but it ensures the VM has no performance regressions
830             unless the feature is specifically turned on.
831     
832             * JavaScriptCore.xcodeproj/project.pbxproj:
833             * bytecode/BytecodeList.json:
834             * bytecode/BytecodeUseDef.h:
835             (JSC::computeUsesForBytecodeOffset):
836             (JSC::computeDefsForBytecodeOffset):
837             * bytecode/CodeBlock.cpp:
838             (JSC::CodeBlock::dumpBytecode):
839             (JSC::CodeBlock::CodeBlock):
840             (JSC::CodeBlock::finalizeUnconditionally):
841             * bytecode/CodeBlock.h:
842             * bytecode/Instruction.h:
843             * bytecode/TypeLocation.h: Added.
844             (JSC::TypeLocation::TypeLocation):
845             * bytecompiler/BytecodeGenerator.cpp:
846             (JSC::BytecodeGenerator::emitMove):
847             (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
848             (JSC::BytecodeGenerator::emitPutToScope):
849             (JSC::BytecodeGenerator::emitPutById):
850             (JSC::BytecodeGenerator::emitPutByVal):
851             * bytecompiler/BytecodeGenerator.h:
852             (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity):
853             * bytecompiler/NodesCodegen.cpp:
854             (JSC::PostfixNode::emitResolve):
855             (JSC::PrefixNode::emitResolve):
856             (JSC::ReadModifyResolveNode::emitBytecode):
857             (JSC::AssignResolveNode::emitBytecode):
858             (JSC::ConstDeclNode::emitCodeSingle):
859             (JSC::ForInNode::emitBytecode):
860             * heap/Heap.cpp:
861             (JSC::Heap::collect):
862             * inspector/agents/InspectorRuntimeAgent.cpp:
863             (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange):
864             * inspector/agents/InspectorRuntimeAgent.h:
865             * inspector/protocol/Runtime.json:
866             * jsc.cpp:
867             (GlobalObject::finishCreation):
868             (functionDumpTypesForAllVariables):
869             * llint/LLIntSlowPaths.cpp:
870             (JSC::LLInt::LLINT_SLOW_PATH_DECL):
871             (JSC::LLInt::putToScopeCommon):
872             * llint/LLIntSlowPaths.h:
873             * llint/LowLevelInterpreter.asm:
874             * runtime/HighFidelityLog.cpp: Added.
875             (JSC::HighFidelityLog::initializeHighFidelityLog):
876             (JSC::HighFidelityLog::~HighFidelityLog):
877             (JSC::HighFidelityLog::recordTypeInformationForLocation):
878             (JSC::HighFidelityLog::processHighFidelityLog):
879             (JSC::HighFidelityLog::actuallyProcessLogThreadFunction):
880             * runtime/HighFidelityLog.h: Added.
881             (JSC::HighFidelityLog::HighFidelityLog):
882             * runtime/HighFidelityTypeProfiler.cpp: Added.
883             (JSC::HighFidelityTypeProfiler::getTypesForVariableInRange):
884             (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableInRange):
885             (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableInRange):
886             (JSC::HighFidelityTypeProfiler::insertNewLocation):
887             (JSC::HighFidelityTypeProfiler::getLocationBasedHash):
888             * runtime/HighFidelityTypeProfiler.h: Added.
889             * runtime/Options.h:
890             * runtime/Structure.cpp:
891             (JSC::Structure::toStructureShape):
892             * runtime/Structure.h:
893             * runtime/SymbolTable.cpp:
894             (JSC::SymbolTable::SymbolTable):
895             (JSC::SymbolTable::cloneCapturedNames):
896             (JSC::SymbolTable::uniqueIDForVariable):
897             (JSC::SymbolTable::uniqueIDForRegister):
898             (JSC::SymbolTable::globalTypeSetForRegister):
899             (JSC::SymbolTable::globalTypeSetForVariable):
900             * runtime/SymbolTable.h:
901             (JSC::SymbolTable::add):
902             (JSC::SymbolTable::set):
903             * runtime/TypeSet.cpp: Added.
904             (JSC::TypeSet::TypeSet):
905             (JSC::TypeSet::getRuntimeTypeForValue):
906             (JSC::TypeSet::addTypeForValue):
907             (JSC::TypeSet::removeDuplicatesInStructureHistory):
908             (JSC::TypeSet::seenTypes):
909             (JSC::TypeSet::dumpSeenTypes):
910             (JSC::StructureShape::StructureShape):
911             (JSC::StructureShape::markAsFinal):
912             (JSC::StructureShape::addProperty):
913             (JSC::StructureShape::propertyHash):
914             (JSC::StructureShape::leastUpperBound):
915             (JSC::StructureShape::stringRepresentation):
916             * runtime/TypeSet.h: Added.
917             (JSC::StructureShape::create):
918             (JSC::TypeSet::create):
919             * runtime/VM.cpp:
920             (JSC::VM::VM):
921             (JSC::VM::getTypesForVariableInRange):
922             (JSC::VM::updateHighFidelityTypeProfileState):
923             (JSC::VM::dumpHighFidelityProfilingTypes):
924             * runtime/VM.h:
925             (JSC::VM::isProfilingTypesWithHighFidelity):
926             (JSC::VM::highFidelityLog):
927             (JSC::VM::highFidelityTypeProfiler):
928             (JSC::VM::nextLocation):
929             (JSC::VM::getNextUniqueVariableID):
930     
931     2014-06-26  Mark Lam  <mark.lam@apple.com>
932     
933             Remove unused instantiation of the WithScope structure.
934             <https://webkit.org/b/134331>
935     
936             Reviewed by Oliver Hunt.
937     
938             The WithScope structure instance in the VM is unused, and is now removed.
939     
940             * runtime/VM.cpp:
941             (JSC::VM::VM):
942             * runtime/VM.h:
943     
944     2014-06-25  Mark Hahnenberg  <mhahnenberg@apple.com>
945     
946             Structure bit fields should have a consistent format
947             https://bugs.webkit.org/show_bug.cgi?id=134307
948     
949             Reviewed by Filip Pizlo.
950     
951             Currently we use C-style bit fields for a number of member variables in Structure to save space. 
952             This makes it difficult to load these fields in the JIT. We should instead use our own bitfield 
953             format to make it easy to load and test these variables in JIT code.
954     
955             * runtime/JSObject.cpp:
956             (JSC::JSObject::putDirectNonIndexAccessor):
957             (JSC::JSObject::reifyStaticFunctionsForDelete):
958             * runtime/Structure.cpp:
959             (JSC::StructureTransitionTable::contains):
960             (JSC::StructureTransitionTable::get):
961             (JSC::StructureTransitionTable::add):
962             (JSC::Structure::Structure):
963             (JSC::Structure::materializePropertyMap):
964             (JSC::Structure::addPropertyTransition):
965             (JSC::Structure::despecifyFunctionTransition):
966             (JSC::Structure::toDictionaryTransition):
967             (JSC::Structure::freezeTransition):
968             (JSC::Structure::preventExtensionsTransition):
969             (JSC::Structure::takePropertyTableOrCloneIfPinned):
970             (JSC::Structure::nonPropertyTransition):
971             (JSC::Structure::flattenDictionaryStructure):
972             (JSC::Structure::addPropertyWithoutTransition):
973             (JSC::Structure::pin):
974             (JSC::Structure::allocateRareData):
975             (JSC::Structure::cloneRareDataFrom):
976             (JSC::Structure::getConcurrently):
977             (JSC::Structure::putSpecificValue):
978             (JSC::Structure::getPropertyNamesFromStructure):
979             (JSC::Structure::visitChildren):
980             (JSC::Structure::checkConsistency):
981             * runtime/Structure.h:
982             (JSC::Structure::isExtensible):
983             (JSC::Structure::isDictionary):
984             (JSC::Structure::isUncacheableDictionary):
985             (JSC::Structure::propertyAccessesAreCacheable):
986             (JSC::Structure::previousID):
987             (JSC::Structure::setHasGetterSetterPropertiesWithProtoCheck):
988             (JSC::Structure::setContainsReadOnlyProperties):
989             (JSC::Structure::disableSpecificFunctionTracking):
990             (JSC::Structure::objectToStringValue):
991             (JSC::Structure::setObjectToStringValue):
992             (JSC::Structure::setPreviousID):
993             (JSC::Structure::clearPreviousID):
994             (JSC::Structure::previous):
995             (JSC::Structure::rareData):
996             (JSC::Structure::didTransition): Deleted.
997             (JSC::Structure::hasGetterSetterProperties): Deleted.
998             (JSC::Structure::hasReadOnlyOrGetterSetterPropertiesExcludingProto): Deleted.
999             (JSC::Structure::setHasGetterSetterProperties): Deleted.
1000             (JSC::Structure::hasNonEnumerableProperties): Deleted.
1001             (JSC::Structure::staticFunctionsReified): Deleted.
1002             (JSC::Structure::setStaticFunctionsReified): Deleted.
1003             * runtime/StructureInlines.h:
1004             (JSC::Structure::setEnumerationCache):
1005             (JSC::Structure::enumerationCache):
1006             (JSC::Structure::checkOffsetConsistency):
1007     
1008     2014-06-24  Mark Lam  <mark.lam@apple.com>
1009     
1010             [ftlopt] Renamed DebuggerActivation to DebuggerScope.
1011             <https://webkit.org/b/134273>
1012     
1013             Reviewed by Michael Saboff.
1014     
1015             * CMakeLists.txt:
1016             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1017             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1018             * JavaScriptCore.xcodeproj/project.pbxproj:
1019             * debugger/DebuggerActivation.cpp: Removed.
1020             * debugger/DebuggerActivation.h: Removed.
1021             * debugger/DebuggerScope.cpp: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.cpp.
1022             (JSC::DebuggerScope::DebuggerScope):
1023             (JSC::DebuggerScope::finishCreation):
1024             (JSC::DebuggerScope::visitChildren):
1025             (JSC::DebuggerScope::className):
1026             (JSC::DebuggerScope::getOwnPropertySlot):
1027             (JSC::DebuggerScope::put):
1028             (JSC::DebuggerScope::deleteProperty):
1029             (JSC::DebuggerScope::getOwnPropertyNames):
1030             (JSC::DebuggerScope::defineOwnProperty):
1031             (JSC::DebuggerActivation::DebuggerActivation): Deleted.
1032             (JSC::DebuggerActivation::finishCreation): Deleted.
1033             (JSC::DebuggerActivation::visitChildren): Deleted.
1034             (JSC::DebuggerActivation::className): Deleted.
1035             (JSC::DebuggerActivation::getOwnPropertySlot): Deleted.
1036             (JSC::DebuggerActivation::put): Deleted.
1037             (JSC::DebuggerActivation::deleteProperty): Deleted.
1038             (JSC::DebuggerActivation::getOwnPropertyNames): Deleted.
1039             (JSC::DebuggerActivation::defineOwnProperty): Deleted.
1040             * debugger/DebuggerScope.h: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.h.
1041             (JSC::DebuggerScope::create):
1042             (JSC::DebuggerActivation::create): Deleted.
1043             * runtime/VM.cpp:
1044             (JSC::VM::VM):
1045             * runtime/VM.h:
1046     
1047     2014-06-24  Filip Pizlo  <fpizlo@apple.com>
1048     
1049             [ftlopt] PutByIdFlush can also be converted to a PutByOffset so don't assert otherwise
1050             https://bugs.webkit.org/show_bug.cgi?id=134265
1051     
1052             Reviewed by Geoffrey Garen.
1053             
1054             More assertion fallout from the PutById folding work.
1055     
1056             * dfg/DFGNode.h:
1057             (JSC::DFG::Node::convertToPutByOffset):
1058     
1059     2014-06-24  Filip Pizlo  <fpizlo@apple.com>
1060     
1061             [ftlopt] GC should notify us if it resets to_this
1062             https://bugs.webkit.org/show_bug.cgi?id=128231
1063     
1064             Reviewed by Geoffrey Garen.
1065     
1066             * CMakeLists.txt:
1067             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1068             * JavaScriptCore.xcodeproj/project.pbxproj:
1069             * bytecode/BytecodeList.json:
1070             * bytecode/CodeBlock.cpp:
1071             (JSC::CodeBlock::dumpBytecode):
1072             (JSC::CodeBlock::finalizeUnconditionally):
1073             * bytecode/Instruction.h:
1074             * bytecode/ToThisStatus.cpp: Added.
1075             (JSC::merge):
1076             (WTF::printInternal):
1077             * bytecode/ToThisStatus.h: Added.
1078             * bytecompiler/BytecodeGenerator.cpp:
1079             (JSC::BytecodeGenerator::BytecodeGenerator):
1080             * dfg/DFGByteCodeParser.cpp:
1081             (JSC::DFG::ByteCodeParser::parseBlock):
1082             * llint/LowLevelInterpreter32_64.asm:
1083             * llint/LowLevelInterpreter64.asm:
1084             * runtime/CommonSlowPaths.cpp:
1085             (JSC::SLOW_PATH_DECL):
1086     
1087     2014-06-24  Filip Pizlo  <fpizlo@apple.com>
1088     
1089             [ftlopt] StructureAbstractValue::onlyStructure() should return nullptr if isClobbered()
1090             https://bugs.webkit.org/show_bug.cgi?id=134256
1091     
1092             Reviewed by Michael Saboff.
1093             
1094             This isn't testable right now (i.e. it's benign) but we should get it right anyway. The
1095             point is to be able to precisely model what goes on in the snippets of code between a
1096             side-effect and an InvalidationPoint.
1097             
1098             This patch also cleans up onlyStructure() by delegating more work to
1099             StructureSet::onlyStructure().
1100     
1101             * dfg/DFGStructureAbstractValue.h:
1102             (JSC::DFG::StructureAbstractValue::onlyStructure):
1103     
1104     2014-06-24  Filip Pizlo  <fpizlo@apple.com>
1105     
1106             [ftlopt][REGRESSION] PutById AI is introducing watchable structures without watching them
1107             https://bugs.webkit.org/show_bug.cgi?id=134260
1108     
1109             Reviewed by Geoffrey Garen.
1110             
1111             This was causing loads of assertion failures in debug builds.
1112     
1113             * dfg/DFGAbstractInterpreterInlines.h:
1114             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1115     
1116     2014-06-21  Filip Pizlo  <fpizlo@apple.com>
1117     
1118             [ftlopt] Fold GetById/PutById to MultiGetByOffset/GetByOffset or MultiPutByOffset/PutByOffset, which implies handling non-singleton sets
1119             https://bugs.webkit.org/show_bug.cgi?id=134090
1120     
1121             Reviewed by Oliver Hunt.
1122             
1123             This pretty much finishes off the work to eliminate the special-casing of singleton
1124             structure sets by making it possible to fold GetById and PutById to various polymorphic
1125             forms of the ByOffset nodes.
1126             
1127             * bytecode/GetByIdStatus.cpp:
1128             (JSC::GetByIdStatus::computeForStubInfo):
1129             (JSC::GetByIdStatus::computeFor):
1130             * bytecode/GetByIdStatus.h:
1131             * bytecode/PutByIdStatus.cpp:
1132             (JSC::PutByIdStatus::computeFor):
1133             * bytecode/PutByIdStatus.h:
1134             * bytecode/PutByIdVariant.h:
1135             (JSC::PutByIdVariant::constantChecks):
1136             * dfg/DFGAbstractInterpreterInlines.h:
1137             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1138             * dfg/DFGByteCodeParser.cpp:
1139             (JSC::DFG::ByteCodeParser::parseBlock):
1140             * dfg/DFGConstantFoldingPhase.cpp:
1141             (JSC::DFG::ConstantFoldingPhase::foldConstants):
1142             (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
1143             (JSC::DFG::ConstantFoldingPhase::addChecks):
1144             * dfg/DFGNode.h:
1145             (JSC::DFG::Node::convertToMultiGetByOffset):
1146             (JSC::DFG::Node::convertToMultiPutByOffset):
1147             * dfg/DFGSpeculativeJIT64.cpp: Also convert all release assertions to DFG assertions in this file, because I was hitting some of them while debugging.
1148             (JSC::DFG::SpeculativeJIT::fillJSValue):
1149             (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
1150             (JSC::DFG::SpeculativeJIT::emitCall):
1151             (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
1152             (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
1153             (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
1154             (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1155             (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1156             (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1157             (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1158             (JSC::DFG::SpeculativeJIT::emitBranch):
1159             (JSC::DFG::SpeculativeJIT::compile):
1160             * dfg/DFGStructureAbstractValue.h:
1161             (JSC::DFG::StructureAbstractValue::set):
1162     
1163     2014-06-19  Filip Pizlo  <fpizlo@apple.com>
1164     
1165             [ftlopt] StructureSet::onlyStructure() should return nullptr if it's not a singleton (instead of asserting)
1166             https://bugs.webkit.org/show_bug.cgi?id=134077
1167     
1168             Reviewed by Sam Weinig.
1169             
1170             This makes StructureSet and StructureAbstractValue more consistent and fixes a debug assert
1171             in the abstract interpreter.
1172     
1173             * bytecode/StructureSet.h:
1174             (JSC::StructureSet::onlyStructure):
1175     
1176     2014-06-18  Filip Pizlo  <fpizlo@apple.com>
1177     
1178             DFG AI and constant folder should be able to precisely prune MultiGetByOffset/MultiPutByOffset even if the base structure abstract value is not a singleton
1179             https://bugs.webkit.org/show_bug.cgi?id=133918
1180     
1181             Reviewed by Mark Hahnenberg.
1182             
1183             This also adds pruning of PutStructure, since I basically had no choice but
1184             to implement such logic within MultiPutByOffset.
1185             
1186             Also adds a bunch of PutById cache status dumping to bytecode dumping.
1187     
1188             * bytecode/GetByIdVariant.cpp:
1189             (JSC::GetByIdVariant::dumpInContext):
1190             * bytecode/GetByIdVariant.h:
1191             (JSC::GetByIdVariant::structureSet):
1192             * bytecode/PutByIdVariant.h:
1193             (JSC::PutByIdVariant::oldStructure):
1194             * bytecode/StructureSet.cpp:
1195             (JSC::StructureSet::filter):
1196             (JSC::StructureSet::filterArrayModes):
1197             * bytecode/StructureSet.h:
1198             * dfg/DFGAbstractInterpreterInlines.h:
1199             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1200             * dfg/DFGAbstractValue.cpp:
1201             (JSC::DFG::AbstractValue::changeStructure):
1202             (JSC::DFG::AbstractValue::contains):
1203             * dfg/DFGAbstractValue.h:
1204             (JSC::DFG::AbstractValue::couldBeType):
1205             (JSC::DFG::AbstractValue::isType):
1206             * dfg/DFGConstantFoldingPhase.cpp:
1207             (JSC::DFG::ConstantFoldingPhase::foldConstants):
1208             (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
1209             (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
1210             (JSC::DFG::ConstantFoldingPhase::addBaseCheck):
1211             * dfg/DFGGraph.cpp:
1212             (JSC::DFG::Graph::freezeStrong):
1213             * dfg/DFGGraph.h:
1214             * dfg/DFGStructureAbstractValue.h:
1215             (JSC::DFG::StructureAbstractValue::operator=):
1216             * ftl/FTLLowerDFGToLLVM.cpp:
1217             (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
1218             * tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check.js: Added.
1219             (foo):
1220             (fu):
1221             (bar):
1222             (baz):
1223             (.bar):
1224             (.baz):
1225             * tests/stress/fold-multi-put-by-offset-to-put-by-offset-without-folding-the-structure-check.js: Added.
1226             (foo):
1227             (fu):
1228             (bar):
1229             (baz):
1230             (.bar):
1231             (.baz):
1232             * tests/stress/prune-multi-put-by-offset-replace-or-transition-variant.js: Added.
1233             (foo):
1234             (fu):
1235             (bar):
1236             (baz):
1237             (.bar):
1238             (.baz):
1239     
1240     2014-06-18  Mark Hahnenberg  <mhahnenberg@apple.com>
1241     
1242             Remove CompoundType and LeafType
1243             https://bugs.webkit.org/show_bug.cgi?id=134037
1244     
1245             Reviewed by Filip Pizlo.
1246     
1247             We don't use them for anything. We'll replace them with a generic CellType type for all 
1248             the objects that are JSCells, aren't JSObjects, and for which we generally don't care about 
1249             their JSType at runtime.
1250     
1251             * llint/LLIntData.cpp:
1252             (JSC::LLInt::Data::performAssertions):
1253             * runtime/ArrayBufferNeuteringWatchpoint.cpp:
1254             (JSC::ArrayBufferNeuteringWatchpoint::createStructure):
1255             * runtime/Executable.h:
1256             (JSC::ExecutableBase::createStructure):
1257             (JSC::NativeExecutable::createStructure):
1258             * runtime/JSPromiseDeferred.h:
1259             (JSC::JSPromiseDeferred::createStructure):
1260             * runtime/JSPromiseReaction.h:
1261             (JSC::JSPromiseReaction::createStructure):
1262             * runtime/JSPropertyNameIterator.h:
1263             (JSC::JSPropertyNameIterator::createStructure):
1264             * runtime/JSType.h:
1265             * runtime/JSTypeInfo.h:
1266             (JSC::TypeInfo::TypeInfo):
1267             * runtime/MapData.h:
1268             (JSC::MapData::createStructure):
1269             * runtime/PropertyMapHashTable.h:
1270             (JSC::PropertyTable::createStructure):
1271             * runtime/RegExp.h:
1272             (JSC::RegExp::createStructure):
1273             * runtime/SparseArrayValueMap.cpp:
1274             (JSC::SparseArrayValueMap::createStructure):
1275             * runtime/Structure.cpp:
1276             (JSC::Structure::Structure):
1277             * runtime/StructureChain.h:
1278             (JSC::StructureChain::createStructure):
1279             * runtime/StructureRareData.cpp:
1280             (JSC::StructureRareData::createStructure):
1281             * runtime/SymbolTable.h:
1282             (JSC::SymbolTable::createStructure):
1283             * runtime/WeakMapData.h:
1284             (JSC::WeakMapData::createStructure):
1285     
1286     2014-06-17  Filip Pizlo  <fpizlo@apple.com>
1287     
1288             [ftlopt] PutStructure and PhantomPutStructure shouldn't leave the world in a clobbered state
1289             https://bugs.webkit.org/show_bug.cgi?id=134002
1290     
1291             Reviewed by Mark Hahnenberg.
1292             
1293             The effect of this bug was that if we had a PutStructure or PhantomPutStructure then any
1294             JSConstants would be in a Clobbered state, so we wouldn't take advantage of our knowledge
1295             of the structure if that structure was watchable.
1296             
1297             Also kill PhantomPutStructure.
1298     
1299             * dfg/DFGAbstractInterpreterInlines.h:
1300             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1301             (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
1302             (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
1303             * dfg/DFGClobberize.h:
1304             (JSC::DFG::clobberize):
1305             * dfg/DFGDoesGC.cpp:
1306             (JSC::DFG::doesGC):
1307             * dfg/DFGFixupPhase.cpp:
1308             (JSC::DFG::FixupPhase::fixupNode):
1309             * dfg/DFGGraph.cpp:
1310             (JSC::DFG::Graph::visitChildren):
1311             * dfg/DFGNode.h:
1312             (JSC::DFG::Node::hasTransition):
1313             * dfg/DFGNodeType.h:
1314             * dfg/DFGPredictionPropagationPhase.cpp:
1315             (JSC::DFG::PredictionPropagationPhase::propagate):
1316             * dfg/DFGSafeToExecute.h:
1317             (JSC::DFG::safeToExecute):
1318             * dfg/DFGSpeculativeJIT32_64.cpp:
1319             (JSC::DFG::SpeculativeJIT::compile):
1320             * dfg/DFGSpeculativeJIT64.cpp:
1321             (JSC::DFG::SpeculativeJIT::compile):
1322             * dfg/DFGStructureAbstractValue.cpp:
1323             (JSC::DFG::StructureAbstractValue::observeTransition):
1324             (JSC::DFG::StructureAbstractValue::observeTransitions):
1325             * dfg/DFGValidate.cpp:
1326             (JSC::DFG::Validate::validate):
1327             * dfg/DFGWatchableStructureWatchingPhase.cpp:
1328             (JSC::DFG::WatchableStructureWatchingPhase::run):
1329             * ftl/FTLCapabilities.cpp:
1330             (JSC::FTL::canCompile):
1331             * ftl/FTLLowerDFGToLLVM.cpp:
1332             (JSC::FTL::LowerDFGToLLVM::compileNode):
1333             (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure): Deleted.
1334     
1335     2014-06-17  Filip Pizlo  <fpizlo@apple.com>
1336     
1337             [ftlopt] DFG put_by_id should inline accesses with a slightly polymorphic base
1338             https://bugs.webkit.org/show_bug.cgi?id=133964
1339     
1340             Reviewed by Mark Hahnenberg.
1341     
1342             * bytecode/PutByIdStatus.cpp:
1343             (JSC::PutByIdStatus::appendVariant):
1344             (JSC::PutByIdStatus::computeForStubInfo):
1345             * bytecode/PutByIdVariant.cpp:
1346             (JSC::PutByIdVariant::oldStructureForTransition):
1347             (JSC::PutByIdVariant::writesStructures):
1348             (JSC::PutByIdVariant::reallocatesStorage):
1349             (JSC::PutByIdVariant::attemptToMerge):
1350             (JSC::PutByIdVariant::attemptToMergeTransitionWithReplace):
1351             (JSC::PutByIdVariant::dumpInContext):
1352             * bytecode/PutByIdVariant.h:
1353             (JSC::PutByIdVariant::PutByIdVariant):
1354             (JSC::PutByIdVariant::replace):
1355             (JSC::PutByIdVariant::transition):
1356             (JSC::PutByIdVariant::structure):
1357             (JSC::PutByIdVariant::oldStructure):
1358             * dfg/DFGAbstractInterpreterInlines.h:
1359             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1360             * dfg/DFGByteCodeParser.cpp:
1361             (JSC::DFG::ByteCodeParser::handlePutById):
1362             (JSC::DFG::ByteCodeParser::parseBlock):
1363             * dfg/DFGConstantFoldingPhase.cpp:
1364             (JSC::DFG::ConstantFoldingPhase::foldConstants):
1365             (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
1366             * dfg/DFGGraph.cpp:
1367             (JSC::DFG::Graph::visitChildren):
1368             * dfg/DFGNode.cpp:
1369             (JSC::DFG::MultiPutByOffsetData::writesStructures):
1370             (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
1371             * ftl/FTLAbbreviations.h:
1372             (JSC::FTL::getLinkage):
1373             * ftl/FTLLowerDFGToLLVM.cpp:
1374             (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
1375             (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):
1376     
1377 2014-07-26  Filip Pizlo  <fpizlo@apple.com>
1378
1379         Unreviewed, roll out r171641-r171644. It broke some tests; will investigate and
1380         reland later.
1381
1382         * CMakeLists.txt:
1383         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1384         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1385         * JavaScriptCore.xcodeproj/project.pbxproj:
1386         * bytecode/BytecodeList.json:
1387         * bytecode/BytecodeUseDef.h:
1388         (JSC::computeUsesForBytecodeOffset):
1389         (JSC::computeDefsForBytecodeOffset):
1390         * bytecode/CodeBlock.cpp:
1391         (JSC::CodeBlock::dumpBytecode):
1392         (JSC::CodeBlock::CodeBlock):
1393         (JSC::CodeBlock::finalizeUnconditionally):
1394         (JSC::CodeBlock::printPutByIdCacheStatus): Deleted.
1395         * bytecode/CodeBlock.h:
1396         * bytecode/GetByIdStatus.cpp:
1397         (JSC::GetByIdStatus::computeForStubInfo):
1398         (JSC::GetByIdStatus::computeFor):
1399         * bytecode/GetByIdStatus.h:
1400         * bytecode/GetByIdVariant.cpp:
1401         (JSC::GetByIdVariant::dumpInContext):
1402         * bytecode/GetByIdVariant.h:
1403         (JSC::GetByIdVariant::structureSet):
1404         * bytecode/Instruction.h:
1405         * bytecode/PutByIdStatus.cpp:
1406         (JSC::PutByIdStatus::appendVariant):
1407         (JSC::PutByIdStatus::computeForStubInfo):
1408         (JSC::PutByIdStatus::computeFor):
1409         * bytecode/PutByIdStatus.h:
1410         * bytecode/PutByIdVariant.cpp:
1411         (JSC::PutByIdVariant::dumpInContext):
1412         (JSC::PutByIdVariant::oldStructureForTransition): Deleted.
1413         (JSC::PutByIdVariant::writesStructures): Deleted.
1414         (JSC::PutByIdVariant::reallocatesStorage): Deleted.
1415         (JSC::PutByIdVariant::attemptToMerge): Deleted.
1416         (JSC::PutByIdVariant::attemptToMergeTransitionWithReplace): Deleted.
1417         * bytecode/PutByIdVariant.h:
1418         (JSC::PutByIdVariant::PutByIdVariant):
1419         (JSC::PutByIdVariant::replace):
1420         (JSC::PutByIdVariant::transition):
1421         (JSC::PutByIdVariant::structure):
1422         (JSC::PutByIdVariant::oldStructure):
1423         (JSC::PutByIdVariant::newStructure):
1424         (JSC::PutByIdVariant::constantChecks):
1425         * bytecode/StructureSet.cpp:
1426         (JSC::StructureSet::filter): Deleted.
1427         (JSC::StructureSet::filterArrayModes): Deleted.
1428         * bytecode/StructureSet.h:
1429         (JSC::StructureSet::onlyStructure):
1430         * bytecode/ToThisStatus.cpp: Removed.
1431         * bytecode/ToThisStatus.h: Removed.
1432         * bytecode/TypeLocation.h: Removed.
1433         * bytecompiler/BytecodeGenerator.cpp:
1434         (JSC::BytecodeGenerator::BytecodeGenerator):
1435         (JSC::BytecodeGenerator::emitMove):
1436         (JSC::BytecodeGenerator::emitPutToScope):
1437         (JSC::BytecodeGenerator::emitPutById):
1438         (JSC::BytecodeGenerator::emitPutByVal):
1439         (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity): Deleted.
1440         * bytecompiler/BytecodeGenerator.h:
1441         (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity): Deleted.
1442         * bytecompiler/NodesCodegen.cpp:
1443         (JSC::PostfixNode::emitResolve):
1444         (JSC::PrefixNode::emitResolve):
1445         (JSC::ReadModifyResolveNode::emitBytecode):
1446         (JSC::AssignResolveNode::emitBytecode):
1447         (JSC::ConstDeclNode::emitCodeSingle):
1448         (JSC::ForInNode::emitBytecode):
1449         * debugger/DebuggerActivation.cpp: Added.
1450         (JSC::DebuggerActivation::DebuggerActivation):
1451         (JSC::DebuggerActivation::finishCreation):
1452         (JSC::DebuggerActivation::visitChildren):
1453         (JSC::DebuggerActivation::className):
1454         (JSC::DebuggerActivation::getOwnPropertySlot):
1455         (JSC::DebuggerActivation::put):
1456         (JSC::DebuggerActivation::deleteProperty):
1457         (JSC::DebuggerActivation::getOwnPropertyNames):
1458         (JSC::DebuggerActivation::defineOwnProperty):
1459         * debugger/DebuggerActivation.h: Added.
1460         (JSC::DebuggerActivation::create):
1461         (JSC::DebuggerActivation::createStructure):
1462         * debugger/DebuggerScope.cpp: Removed.
1463         * debugger/DebuggerScope.h: Removed.
1464         * dfg/DFGAbstractInterpreterInlines.h:
1465         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1466         (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
1467         (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
1468         * dfg/DFGAbstractValue.cpp:
1469         (JSC::DFG::AbstractValue::changeStructure): Deleted.
1470         (JSC::DFG::AbstractValue::contains): Deleted.
1471         * dfg/DFGAbstractValue.h:
1472         (JSC::DFG::AbstractValue::couldBeType):
1473         (JSC::DFG::AbstractValue::isType):
1474         * dfg/DFGByteCodeParser.cpp:
1475         (JSC::DFG::ByteCodeParser::handlePutById):
1476         (JSC::DFG::ByteCodeParser::parseBlock):
1477         * dfg/DFGClobberize.h:
1478         (JSC::DFG::clobberize):
1479         * dfg/DFGConstantFoldingPhase.cpp:
1480         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1481         (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
1482         (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
1483         (JSC::DFG::ConstantFoldingPhase::addBaseCheck): Deleted.
1484         (JSC::DFG::ConstantFoldingPhase::addChecks): Deleted.
1485         * dfg/DFGDoesGC.cpp:
1486         (JSC::DFG::doesGC):
1487         * dfg/DFGFixupPhase.cpp:
1488         (JSC::DFG::FixupPhase::fixupNode):
1489         * dfg/DFGGraph.cpp:
1490         (JSC::DFG::Graph::visitChildren):
1491         (JSC::DFG::Graph::freezeStrong):
1492         * dfg/DFGGraph.h:
1493         * dfg/DFGNode.cpp:
1494         (JSC::DFG::MultiPutByOffsetData::writesStructures):
1495         (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
1496         * dfg/DFGNode.h:
1497         (JSC::DFG::Node::convertToPutByOffset):
1498         (JSC::DFG::Node::hasTransition):
1499         (JSC::DFG::Node::convertToMultiGetByOffset): Deleted.
1500         (JSC::DFG::Node::convertToMultiPutByOffset): Deleted.
1501         * dfg/DFGNodeType.h:
1502         * dfg/DFGPredictionPropagationPhase.cpp:
1503         (JSC::DFG::PredictionPropagationPhase::propagate):
1504         * dfg/DFGSafeToExecute.h:
1505         (JSC::DFG::safeToExecute):
1506         * dfg/DFGSpeculativeJIT.cpp:
1507         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
1508         * dfg/DFGSpeculativeJIT32_64.cpp:
1509         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1510         (JSC::DFG::SpeculativeJIT::compile):
1511         * dfg/DFGSpeculativeJIT64.cpp:
1512         (JSC::DFG::SpeculativeJIT::fillJSValue):
1513         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
1514         (JSC::DFG::SpeculativeJIT::emitCall):
1515         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
1516         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
1517         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
1518         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1519         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1520         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1521         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1522         (JSC::DFG::SpeculativeJIT::emitBranch):
1523         (JSC::DFG::SpeculativeJIT::compile):
1524         * dfg/DFGStructureAbstractValue.cpp:
1525         (JSC::DFG::StructureAbstractValue::observeTransition):
1526         (JSC::DFG::StructureAbstractValue::observeTransitions):
1527         * dfg/DFGStructureAbstractValue.h:
1528         (JSC::DFG::StructureAbstractValue::onlyStructure):
1529         (JSC::DFG::StructureAbstractValue::operator=): Deleted.
1530         (JSC::DFG::StructureAbstractValue::set): Deleted.
1531         * dfg/DFGValidate.cpp:
1532         (JSC::DFG::Validate::validate):
1533         * dfg/DFGWatchableStructureWatchingPhase.cpp:
1534         (JSC::DFG::WatchableStructureWatchingPhase::run):
1535         * ftl/FTLAbbreviations.h:
1536         (JSC::FTL::getLinkage): Deleted.
1537         * ftl/FTLCapabilities.cpp:
1538         (JSC::FTL::canCompile):
1539         * ftl/FTLLowerDFGToLLVM.cpp:
1540         (JSC::FTL::LowerDFGToLLVM::compileNode):
1541         (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure):
1542         (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
1543         (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
1544         (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):
1545         * heap/Heap.cpp:
1546         (JSC::Heap::collect):
1547         * inspector/agents/InspectorRuntimeAgent.cpp:
1548         (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange): Deleted.
1549         * inspector/agents/InspectorRuntimeAgent.h:
1550         * inspector/protocol/Runtime.json:
1551         * jsc.cpp:
1552         (GlobalObject::finishCreation):
1553         (functionDumpTypesForAllVariables): Deleted.
1554         * llint/LLIntData.cpp:
1555         (JSC::LLInt::Data::performAssertions):
1556         * llint/LLIntSlowPaths.cpp:
1557         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1558         (JSC::LLInt::putToScopeCommon): Deleted.
1559         * llint/LLIntSlowPaths.h:
1560         * llint/LowLevelInterpreter.asm:
1561         * llint/LowLevelInterpreter32_64.asm:
1562         * llint/LowLevelInterpreter64.asm:
1563         * runtime/ArrayBufferNeuteringWatchpoint.cpp:
1564         (JSC::ArrayBufferNeuteringWatchpoint::createStructure):
1565         * runtime/CommonSlowPaths.cpp:
1566         (JSC::SLOW_PATH_DECL):
1567         * runtime/Executable.h:
1568         (JSC::ExecutableBase::createStructure):
1569         (JSC::NativeExecutable::createStructure):
1570         * runtime/HighFidelityLog.cpp: Removed.
1571         * runtime/HighFidelityLog.h: Removed.
1572         * runtime/HighFidelityTypeProfiler.cpp: Removed.
1573         * runtime/HighFidelityTypeProfiler.h: Removed.
1574         * runtime/JSObject.cpp:
1575         (JSC::JSObject::putDirectCustomAccessor):
1576         (JSC::JSObject::putDirectNonIndexAccessor):
1577         (JSC::JSObject::reifyStaticFunctionsForDelete):
1578         * runtime/JSPromiseDeferred.h:
1579         (JSC::JSPromiseDeferred::createStructure):
1580         * runtime/JSPromiseReaction.h:
1581         (JSC::JSPromiseReaction::createStructure):
1582         * runtime/JSPropertyNameIterator.h:
1583         (JSC::JSPropertyNameIterator::createStructure):
1584         * runtime/JSType.h:
1585         * runtime/JSTypeInfo.h:
1586         (JSC::TypeInfo::TypeInfo):
1587         * runtime/MapData.h:
1588         (JSC::MapData::createStructure):
1589         * runtime/Options.h:
1590         * runtime/PropertyMapHashTable.h:
1591         (JSC::PropertyTable::createStructure):
1592         * runtime/RegExp.h:
1593         (JSC::RegExp::createStructure):
1594         * runtime/SparseArrayValueMap.cpp:
1595         (JSC::SparseArrayValueMap::createStructure):
1596         * runtime/Structure.cpp:
1597         (JSC::StructureTransitionTable::contains):
1598         (JSC::StructureTransitionTable::get):
1599         (JSC::StructureTransitionTable::add):
1600         (JSC::Structure::Structure):
1601         (JSC::Structure::materializePropertyMap):
1602         (JSC::Structure::addPropertyTransition):
1603         (JSC::Structure::despecifyFunctionTransition):
1604         (JSC::Structure::toDictionaryTransition):
1605         (JSC::Structure::freezeTransition):
1606         (JSC::Structure::preventExtensionsTransition):
1607         (JSC::Structure::takePropertyTableOrCloneIfPinned):
1608         (JSC::Structure::nonPropertyTransition):
1609         (JSC::Structure::flattenDictionaryStructure):
1610         (JSC::Structure::addPropertyWithoutTransition):
1611         (JSC::Structure::pin):
1612         (JSC::Structure::allocateRareData):
1613         (JSC::Structure::cloneRareDataFrom):
1614         (JSC::Structure::getConcurrently):
1615         (JSC::Structure::putSpecificValue):
1616         (JSC::Structure::getPropertyNamesFromStructure):
1617         (JSC::Structure::visitChildren):
1618         (JSC::Structure::checkConsistency):
1619         (JSC::Structure::toStructureShape): Deleted.
1620         * runtime/Structure.h:
1621         (JSC::Structure::isExtensible):
1622         (JSC::Structure::didTransition):
1623         (JSC::Structure::isDictionary):
1624         (JSC::Structure::isUncacheableDictionary):
1625         (JSC::Structure::hasBeenFlattenedBefore):
1626         (JSC::Structure::propertyAccessesAreCacheable):
1627         (JSC::Structure::previousID):
1628         (JSC::Structure::hasGetterSetterProperties):
1629         (JSC::Structure::hasReadOnlyOrGetterSetterPropertiesExcludingProto):
1630         (JSC::Structure::setHasGetterSetterProperties):
1631         (JSC::Structure::hasCustomGetterSetterProperties):
1632         (JSC::Structure::setHasCustomGetterSetterProperties):
1633         (JSC::Structure::setContainsReadOnlyProperties):
1634         (JSC::Structure::hasNonEnumerableProperties):
1635         (JSC::Structure::disableSpecificFunctionTracking):
1636         (JSC::Structure::objectToStringValue):
1637         (JSC::Structure::setObjectToStringValue):
1638         (JSC::Structure::staticFunctionsReified):
1639         (JSC::Structure::setStaticFunctionsReified):
1640         (JSC::Structure::transitionWatchpointSet):
1641         (JSC::Structure::setPreviousID):
1642         (JSC::Structure::clearPreviousID):
1643         (JSC::Structure::previous):
1644         (JSC::Structure::rareData):
1645         (JSC::Structure::setHasGetterSetterPropertiesWithProtoCheck): Deleted.
1646         (JSC::Structure::setHasCustomGetterSetterPropertiesWithProtoCheck): Deleted.
1647         * runtime/StructureChain.h:
1648         (JSC::StructureChain::createStructure):
1649         * runtime/StructureInlines.h:
1650         (JSC::Structure::setEnumerationCache):
1651         (JSC::Structure::enumerationCache):
1652         (JSC::Structure::checkOffsetConsistency):
1653         * runtime/StructureRareData.cpp:
1654         (JSC::StructureRareData::createStructure):
1655         * runtime/SymbolTable.cpp:
1656         (JSC::SymbolTable::SymbolTable):
1657         (JSC::SymbolTable::cloneCapturedNames):
1658         (JSC::SymbolTable::uniqueIDForVariable): Deleted.
1659         (JSC::SymbolTable::uniqueIDForRegister): Deleted.
1660         (JSC::SymbolTable::globalTypeSetForRegister): Deleted.
1661         (JSC::SymbolTable::globalTypeSetForVariable): Deleted.
1662         * runtime/SymbolTable.h:
1663         (JSC::SymbolTable::createStructure):
1664         (JSC::SymbolTable::add):
1665         (JSC::SymbolTable::set):
1666         * runtime/TypeSet.cpp: Removed.
1667         * runtime/TypeSet.h: Removed.
1668         * runtime/VM.cpp:
1669         (JSC::VM::VM):
1670         (JSC::VM::getTypesForVariableInRange): Deleted.
1671         (JSC::VM::updateHighFidelityTypeProfileState): Deleted.
1672         (JSC::VM::dumpHighFidelityProfilingTypes): Deleted.
1673         * runtime/VM.h:
1674         (JSC::VM::isProfilingTypesWithHighFidelity): Deleted.
1675         (JSC::VM::highFidelityLog): Deleted.
1676         (JSC::VM::highFidelityTypeProfiler): Deleted.
1677         (JSC::VM::nextLocation): Deleted.
1678         (JSC::VM::getNextUniqueVariableID): Deleted.
1679         * runtime/WeakMapData.h:
1680         (JSC::WeakMapData::createStructure):
1681         * tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check.js: Removed.
1682         * tests/stress/fold-multi-put-by-offset-to-put-by-offset-without-folding-the-structure-check.js: Removed.
1683         * tests/stress/prune-multi-put-by-offset-replace-or-transition-variant.js: Removed.
1684
1685 2014-07-25  Filip Pizlo  <fpizlo@apple.com>
1686
1687         Attempt to fix non-Xcode platforms.
1688
1689         * CMakeLists.txt:
1690         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1691
1692 2014-07-25  Filip Pizlo  <fpizlo@apple.com>
1693
1694         Fix cloop.
1695
1696         * bytecode/CodeBlock.cpp:
1697         (JSC::dumpChain):
1698         (JSC::CodeBlock::printPutByIdCacheStatus):
1699         * bytecode/StructureSet.cpp:
1700         * bytecode/StructureSet.h:
1701
1702 2014-07-25  Filip Pizlo  <fpizlo@apple.com>
1703
1704         Merge r170090, r170092, r170129, r170141, r170161, r170215, r170275, r170375, r170376, r170382, r170383, r170399, r170436, r170489, r170490, r170556 from ftlopt.
1705
1706     2014-06-27  Michael Saboff  <msaboff@apple.com>
1707     
1708             Unreviewed build fix after r169795.
1709     
1710             Fixed ASSERT for 32 bit build.
1711     
1712             * dfg/DFGSpeculativeJIT.cpp:
1713             (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
1714     
1715     2014-06-24  Saam Barati  <sbarati@apple.com>
1716     
1717             Web Inspector: debugger should be able to show variable types
1718             https://bugs.webkit.org/show_bug.cgi?id=133395
1719     
1720             Reviewed by Filip Pizlo.
1721     
1722             Increase the amount of type information the VM gathers when directed
1723             to do so. This initial commit is working towards the goal of
1724             capturing, and then showing (via the Web Inspector) type information for all
1725             assignment and load operations. This patch doesn't have the feature fully 
1726             implemented, but it ensures the VM has no performance regressions
1727             unless the feature is specifically turned on.
1728     
1729             * JavaScriptCore.xcodeproj/project.pbxproj:
1730             * bytecode/BytecodeList.json:
1731             * bytecode/BytecodeUseDef.h:
1732             (JSC::computeUsesForBytecodeOffset):
1733             (JSC::computeDefsForBytecodeOffset):
1734             * bytecode/CodeBlock.cpp:
1735             (JSC::CodeBlock::dumpBytecode):
1736             (JSC::CodeBlock::CodeBlock):
1737             (JSC::CodeBlock::finalizeUnconditionally):
1738             * bytecode/CodeBlock.h:
1739             * bytecode/Instruction.h:
1740             * bytecode/TypeLocation.h: Added.
1741             (JSC::TypeLocation::TypeLocation):
1742             * bytecompiler/BytecodeGenerator.cpp:
1743             (JSC::BytecodeGenerator::emitMove):
1744             (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
1745             (JSC::BytecodeGenerator::emitPutToScope):
1746             (JSC::BytecodeGenerator::emitPutById):
1747             (JSC::BytecodeGenerator::emitPutByVal):
1748             * bytecompiler/BytecodeGenerator.h:
1749             (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity):
1750             * bytecompiler/NodesCodegen.cpp:
1751             (JSC::PostfixNode::emitResolve):
1752             (JSC::PrefixNode::emitResolve):
1753             (JSC::ReadModifyResolveNode::emitBytecode):
1754             (JSC::AssignResolveNode::emitBytecode):
1755             (JSC::ConstDeclNode::emitCodeSingle):
1756             (JSC::ForInNode::emitBytecode):
1757             * heap/Heap.cpp:
1758             (JSC::Heap::collect):
1759             * inspector/agents/InspectorRuntimeAgent.cpp:
1760             (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange):
1761             * inspector/agents/InspectorRuntimeAgent.h:
1762             * inspector/protocol/Runtime.json:
1763             * jsc.cpp:
1764             (GlobalObject::finishCreation):
1765             (functionDumpTypesForAllVariables):
1766             * llint/LLIntSlowPaths.cpp:
1767             (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1768             (JSC::LLInt::putToScopeCommon):
1769             * llint/LLIntSlowPaths.h:
1770             * llint/LowLevelInterpreter.asm:
1771             * runtime/HighFidelityLog.cpp: Added.
1772             (JSC::HighFidelityLog::initializeHighFidelityLog):
1773             (JSC::HighFidelityLog::~HighFidelityLog):
1774             (JSC::HighFidelityLog::recordTypeInformationForLocation):
1775             (JSC::HighFidelityLog::processHighFidelityLog):
1776             (JSC::HighFidelityLog::actuallyProcessLogThreadFunction):
1777             * runtime/HighFidelityLog.h: Added.
1778             (JSC::HighFidelityLog::HighFidelityLog):
1779             * runtime/HighFidelityTypeProfiler.cpp: Added.
1780             (JSC::HighFidelityTypeProfiler::getTypesForVariableInRange):
1781             (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableInRange):
1782             (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableInRange):
1783             (JSC::HighFidelityTypeProfiler::insertNewLocation):
1784             (JSC::HighFidelityTypeProfiler::getLocationBasedHash):
1785             * runtime/HighFidelityTypeProfiler.h: Added.
1786             * runtime/Options.h:
1787             * runtime/Structure.cpp:
1788             (JSC::Structure::toStructureShape):
1789             * runtime/Structure.h:
1790             * runtime/SymbolTable.cpp:
1791             (JSC::SymbolTable::SymbolTable):
1792             (JSC::SymbolTable::cloneCapturedNames):
1793             (JSC::SymbolTable::uniqueIDForVariable):
1794             (JSC::SymbolTable::uniqueIDForRegister):
1795             (JSC::SymbolTable::globalTypeSetForRegister):
1796             (JSC::SymbolTable::globalTypeSetForVariable):
1797             * runtime/SymbolTable.h:
1798             (JSC::SymbolTable::add):
1799             (JSC::SymbolTable::set):
1800             * runtime/TypeSet.cpp: Added.
1801             (JSC::TypeSet::TypeSet):
1802             (JSC::TypeSet::getRuntimeTypeForValue):
1803             (JSC::TypeSet::addTypeForValue):
1804             (JSC::TypeSet::removeDuplicatesInStructureHistory):
1805             (JSC::TypeSet::seenTypes):
1806             (JSC::TypeSet::dumpSeenTypes):
1807             (JSC::StructureShape::StructureShape):
1808             (JSC::StructureShape::markAsFinal):
1809             (JSC::StructureShape::addProperty):
1810             (JSC::StructureShape::propertyHash):
1811             (JSC::StructureShape::leastUpperBound):
1812             (JSC::StructureShape::stringRepresentation):
1813             * runtime/TypeSet.h: Added.
1814             (JSC::StructureShape::create):
1815             (JSC::TypeSet::create):
1816             * runtime/VM.cpp:
1817             (JSC::VM::VM):
1818             (JSC::VM::getTypesForVariableInRange):
1819             (JSC::VM::updateHighFidelityTypeProfileState):
1820             (JSC::VM::dumpHighFidelityProfilingTypes):
1821             * runtime/VM.h:
1822             (JSC::VM::isProfilingTypesWithHighFidelity):
1823             (JSC::VM::highFidelityLog):
1824             (JSC::VM::highFidelityTypeProfiler):
1825             (JSC::VM::nextLocation):
1826             (JSC::VM::getNextUniqueVariableID):
1827     
1828     2014-06-26  Mark Lam  <mark.lam@apple.com>
1829     
1830             Remove unused instantiation of the WithScope structure.
1831             <https://webkit.org/b/134331>
1832     
1833             Reviewed by Oliver Hunt.
1834     
1835             The WithScope structure instance in the VM is unused, and is now removed.
1836     
1837             * runtime/VM.cpp:
1838             (JSC::VM::VM):
1839             * runtime/VM.h:
1840     
1841     2014-06-25  Mark Hahnenberg  <mhahnenberg@apple.com>
1842     
1843             Structure bit fields should have a consistent format
1844             https://bugs.webkit.org/show_bug.cgi?id=134307
1845     
1846             Reviewed by Filip Pizlo.
1847     
1848             Currently we use C-style bit fields for a number of member variables in Structure to save space. 
1849             This makes it difficult to load these fields in the JIT. We should instead use our own bitfield 
1850             format to make it easy to load and test these variables in JIT code.
1851     
1852             * runtime/JSObject.cpp:
1853             (JSC::JSObject::putDirectNonIndexAccessor):
1854             (JSC::JSObject::reifyStaticFunctionsForDelete):
1855             * runtime/Structure.cpp:
1856             (JSC::StructureTransitionTable::contains):
1857             (JSC::StructureTransitionTable::get):
1858             (JSC::StructureTransitionTable::add):
1859             (JSC::Structure::Structure):
1860             (JSC::Structure::materializePropertyMap):
1861             (JSC::Structure::addPropertyTransition):
1862             (JSC::Structure::despecifyFunctionTransition):
1863             (JSC::Structure::toDictionaryTransition):
1864             (JSC::Structure::freezeTransition):
1865             (JSC::Structure::preventExtensionsTransition):
1866             (JSC::Structure::takePropertyTableOrCloneIfPinned):
1867             (JSC::Structure::nonPropertyTransition):
1868             (JSC::Structure::flattenDictionaryStructure):
1869             (JSC::Structure::addPropertyWithoutTransition):
1870             (JSC::Structure::pin):
1871             (JSC::Structure::allocateRareData):
1872             (JSC::Structure::cloneRareDataFrom):
1873             (JSC::Structure::getConcurrently):
1874             (JSC::Structure::putSpecificValue):
1875             (JSC::Structure::getPropertyNamesFromStructure):
1876             (JSC::Structure::visitChildren):
1877             (JSC::Structure::checkConsistency):
1878             * runtime/Structure.h:
1879             (JSC::Structure::isExtensible):
1880             (JSC::Structure::isDictionary):
1881             (JSC::Structure::isUncacheableDictionary):
1882             (JSC::Structure::propertyAccessesAreCacheable):
1883             (JSC::Structure::previousID):
1884             (JSC::Structure::setHasGetterSetterPropertiesWithProtoCheck):
1885             (JSC::Structure::setContainsReadOnlyProperties):
1886             (JSC::Structure::disableSpecificFunctionTracking):
1887             (JSC::Structure::objectToStringValue):
1888             (JSC::Structure::setObjectToStringValue):
1889             (JSC::Structure::setPreviousID):
1890             (JSC::Structure::clearPreviousID):
1891             (JSC::Structure::previous):
1892             (JSC::Structure::rareData):
1893             (JSC::Structure::didTransition): Deleted.
1894             (JSC::Structure::hasGetterSetterProperties): Deleted.
1895             (JSC::Structure::hasReadOnlyOrGetterSetterPropertiesExcludingProto): Deleted.
1896             (JSC::Structure::setHasGetterSetterProperties): Deleted.
1897             (JSC::Structure::hasNonEnumerableProperties): Deleted.
1898             (JSC::Structure::staticFunctionsReified): Deleted.
1899             (JSC::Structure::setStaticFunctionsReified): Deleted.
1900             * runtime/StructureInlines.h:
1901             (JSC::Structure::setEnumerationCache):
1902             (JSC::Structure::enumerationCache):
1903             (JSC::Structure::checkOffsetConsistency):
1904     
1905     2014-06-24  Mark Lam  <mark.lam@apple.com>
1906     
1907             [ftlopt] Renamed DebuggerActivation to DebuggerScope.
1908             <https://webkit.org/b/134273>
1909     
1910             Reviewed by Michael Saboff.
1911     
1912             * CMakeLists.txt:
1913             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1914             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1915             * JavaScriptCore.xcodeproj/project.pbxproj:
1916             * debugger/DebuggerActivation.cpp: Removed.
1917             * debugger/DebuggerActivation.h: Removed.
1918             * debugger/DebuggerScope.cpp: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.cpp.
1919             (JSC::DebuggerScope::DebuggerScope):
1920             (JSC::DebuggerScope::finishCreation):
1921             (JSC::DebuggerScope::visitChildren):
1922             (JSC::DebuggerScope::className):
1923             (JSC::DebuggerScope::getOwnPropertySlot):
1924             (JSC::DebuggerScope::put):
1925             (JSC::DebuggerScope::deleteProperty):
1926             (JSC::DebuggerScope::getOwnPropertyNames):
1927             (JSC::DebuggerScope::defineOwnProperty):
1928             (JSC::DebuggerActivation::DebuggerActivation): Deleted.
1929             (JSC::DebuggerActivation::finishCreation): Deleted.
1930             (JSC::DebuggerActivation::visitChildren): Deleted.
1931             (JSC::DebuggerActivation::className): Deleted.
1932             (JSC::DebuggerActivation::getOwnPropertySlot): Deleted.
1933             (JSC::DebuggerActivation::put): Deleted.
1934             (JSC::DebuggerActivation::deleteProperty): Deleted.
1935             (JSC::DebuggerActivation::getOwnPropertyNames): Deleted.
1936             (JSC::DebuggerActivation::defineOwnProperty): Deleted.
1937             * debugger/DebuggerScope.h: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.h.
1938             (JSC::DebuggerScope::create):
1939             (JSC::DebuggerActivation::create): Deleted.
1940             * runtime/VM.cpp:
1941             (JSC::VM::VM):
1942             * runtime/VM.h:
1943     
1944     2014-06-24  Filip Pizlo  <fpizlo@apple.com>
1945     
1946             [ftlopt] PutByIdFlush can also be converted to a PutByOffset so don't assert otherwise
1947             https://bugs.webkit.org/show_bug.cgi?id=134265
1948     
1949             Reviewed by Geoffrey Garen.
1950             
1951             More assertion fallout from the PutById folding work.
1952     
1953             * dfg/DFGNode.h:
1954             (JSC::DFG::Node::convertToPutByOffset):
1955     
1956     2014-06-24  Filip Pizlo  <fpizlo@apple.com>
1957     
1958             [ftlopt] GC should notify us if it resets to_this
1959             https://bugs.webkit.org/show_bug.cgi?id=128231
1960     
1961             Reviewed by Geoffrey Garen.
1962     
1963             * CMakeLists.txt:
1964             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1965             * JavaScriptCore.xcodeproj/project.pbxproj:
1966             * bytecode/BytecodeList.json:
1967             * bytecode/CodeBlock.cpp:
1968             (JSC::CodeBlock::dumpBytecode):
1969             (JSC::CodeBlock::finalizeUnconditionally):
1970             * bytecode/Instruction.h:
1971             * bytecode/ToThisStatus.cpp: Added.
1972             (JSC::merge):
1973             (WTF::printInternal):
1974             * bytecode/ToThisStatus.h: Added.
1975             * bytecompiler/BytecodeGenerator.cpp:
1976             (JSC::BytecodeGenerator::BytecodeGenerator):
1977             * dfg/DFGByteCodeParser.cpp:
1978             (JSC::DFG::ByteCodeParser::parseBlock):
1979             * llint/LowLevelInterpreter32_64.asm:
1980             * llint/LowLevelInterpreter64.asm:
1981             * runtime/CommonSlowPaths.cpp:
1982             (JSC::SLOW_PATH_DECL):
1983     
1984     2014-06-24  Filip Pizlo  <fpizlo@apple.com>
1985     
1986             [ftlopt] StructureAbstractValue::onlyStructure() should return nullptr if isClobbered()
1987             https://bugs.webkit.org/show_bug.cgi?id=134256
1988     
1989             Reviewed by Michael Saboff.
1990             
1991             This isn't testable right now (i.e. it's benign) but we should get it right anyway. The
1992             point is to be able to precisely model what goes on in the snippets of code between a
1993             side-effect and an InvalidationPoint.
1994             
1995             This patch also cleans up onlyStructure() by delegating more work to
1996             StructureSet::onlyStructure().
1997     
1998             * dfg/DFGStructureAbstractValue.h:
1999             (JSC::DFG::StructureAbstractValue::onlyStructure):
2000     
2001     2014-06-24  Filip Pizlo  <fpizlo@apple.com>
2002     
2003             [ftlopt][REGRESSION] PutById AI is introducing watchable structures without watching them
2004             https://bugs.webkit.org/show_bug.cgi?id=134260
2005     
2006             Reviewed by Geoffrey Garen.
2007             
2008             This was causing loads of assertion failures in debug builds.
2009     
2010             * dfg/DFGAbstractInterpreterInlines.h:
2011             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2012     
2013     2014-06-21  Filip Pizlo  <fpizlo@apple.com>
2014     
2015             [ftlopt] Fold GetById/PutById to MultiGetByOffset/GetByOffset or MultiPutByOffset/PutByOffset, which implies handling non-singleton sets
2016             https://bugs.webkit.org/show_bug.cgi?id=134090
2017     
2018             Reviewed by Oliver Hunt.
2019             
2020             This pretty much finishes off the work to eliminate the special-casing of singleton
2021             structure sets by making it possible to fold GetById and PutById to various polymorphic
2022             forms of the ByOffset nodes.
2023             
2024             * bytecode/GetByIdStatus.cpp:
2025             (JSC::GetByIdStatus::computeForStubInfo):
2026             (JSC::GetByIdStatus::computeFor):
2027             * bytecode/GetByIdStatus.h:
2028             * bytecode/PutByIdStatus.cpp:
2029             (JSC::PutByIdStatus::computeFor):
2030             * bytecode/PutByIdStatus.h:
2031             * bytecode/PutByIdVariant.h:
2032             (JSC::PutByIdVariant::constantChecks):
2033             * dfg/DFGAbstractInterpreterInlines.h:
2034             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2035             * dfg/DFGByteCodeParser.cpp:
2036             (JSC::DFG::ByteCodeParser::parseBlock):
2037             * dfg/DFGConstantFoldingPhase.cpp:
2038             (JSC::DFG::ConstantFoldingPhase::foldConstants):
2039             (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
2040             (JSC::DFG::ConstantFoldingPhase::addChecks):
2041             * dfg/DFGNode.h:
2042             (JSC::DFG::Node::convertToMultiGetByOffset):
2043             (JSC::DFG::Node::convertToMultiPutByOffset):
2044             * dfg/DFGSpeculativeJIT64.cpp: Also convert all release assertions to DFG assertions in this file, because I was hitting some of them while debugging.
2045             (JSC::DFG::SpeculativeJIT::fillJSValue):
2046             (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
2047             (JSC::DFG::SpeculativeJIT::emitCall):
2048             (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2049             (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
2050             (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
2051             (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2052             (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2053             (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2054             (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2055             (JSC::DFG::SpeculativeJIT::emitBranch):
2056             (JSC::DFG::SpeculativeJIT::compile):
2057             * dfg/DFGStructureAbstractValue.h:
2058             (JSC::DFG::StructureAbstractValue::set):
2059     
2060     2014-06-19  Filip Pizlo  <fpizlo@apple.com>
2061     
2062             [ftlopt] StructureSet::onlyStructure() should return nullptr if it's not a singleton (instead of asserting)
2063             https://bugs.webkit.org/show_bug.cgi?id=134077
2064     
2065             Reviewed by Sam Weinig.
2066             
2067             This makes StructureSet and StructureAbstractValue more consistent and fixes a debug assert
2068             in the abstract interpreter.
2069     
2070             * bytecode/StructureSet.h:
2071             (JSC::StructureSet::onlyStructure):
2072     
2073     2014-06-18  Filip Pizlo  <fpizlo@apple.com>
2074     
2075             DFG AI and constant folder should be able to precisely prune MultiGetByOffset/MultiPutByOffset even if the base structure abstract value is not a singleton
2076             https://bugs.webkit.org/show_bug.cgi?id=133918
2077     
2078             Reviewed by Mark Hahnenberg.
2079             
2080             This also adds pruning of PutStructure, since I basically had no choice but
2081             to implement such logic within MultiPutByOffset.
2082             
2083             Also adds a bunch of PutById cache status dumping to bytecode dumping.
2084     
2085             * bytecode/GetByIdVariant.cpp:
2086             (JSC::GetByIdVariant::dumpInContext):
2087             * bytecode/GetByIdVariant.h:
2088             (JSC::GetByIdVariant::structureSet):
2089             * bytecode/PutByIdVariant.h:
2090             (JSC::PutByIdVariant::oldStructure):
2091             * bytecode/StructureSet.cpp:
2092             (JSC::StructureSet::filter):
2093             (JSC::StructureSet::filterArrayModes):
2094             * bytecode/StructureSet.h:
2095             * dfg/DFGAbstractInterpreterInlines.h:
2096             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2097             * dfg/DFGAbstractValue.cpp:
2098             (JSC::DFG::AbstractValue::changeStructure):
2099             (JSC::DFG::AbstractValue::contains):
2100             * dfg/DFGAbstractValue.h:
2101             (JSC::DFG::AbstractValue::couldBeType):
2102             (JSC::DFG::AbstractValue::isType):
2103             * dfg/DFGConstantFoldingPhase.cpp:
2104             (JSC::DFG::ConstantFoldingPhase::foldConstants):
2105             (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
2106             (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
2107             (JSC::DFG::ConstantFoldingPhase::addBaseCheck):
2108             * dfg/DFGGraph.cpp:
2109             (JSC::DFG::Graph::freezeStrong):
2110             * dfg/DFGGraph.h:
2111             * dfg/DFGStructureAbstractValue.h:
2112             (JSC::DFG::StructureAbstractValue::operator=):
2113             * ftl/FTLLowerDFGToLLVM.cpp:
2114             (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
2115             * tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check.js: Added.
2116             (foo):
2117             (fu):
2118             (bar):
2119             (baz):
2120             (.bar):
2121             (.baz):
2122             * tests/stress/fold-multi-put-by-offset-to-put-by-offset-without-folding-the-structure-check.js: Added.
2123             (foo):
2124             (fu):
2125             (bar):
2126             (baz):
2127             (.bar):
2128             (.baz):
2129             * tests/stress/prune-multi-put-by-offset-replace-or-transition-variant.js: Added.
2130             (foo):
2131             (fu):
2132             (bar):
2133             (baz):
2134             (.bar):
2135             (.baz):
2136     
2137     2014-06-18  Mark Hahnenberg  <mhahnenberg@apple.com>
2138     
2139             Remove CompoundType and LeafType
2140             https://bugs.webkit.org/show_bug.cgi?id=134037
2141     
2142             Reviewed by Filip Pizlo.
2143     
2144             We don't use them for anything. We'll replace them with a generic CellType type for all 
2145             the objects that are JSCells, aren't JSObjects, and for which we generally don't care about 
2146             their JSType at runtime.
2147     
2148             * llint/LLIntData.cpp:
2149             (JSC::LLInt::Data::performAssertions):
2150             * runtime/ArrayBufferNeuteringWatchpoint.cpp:
2151             (JSC::ArrayBufferNeuteringWatchpoint::createStructure):
2152             * runtime/Executable.h:
2153             (JSC::ExecutableBase::createStructure):
2154             (JSC::NativeExecutable::createStructure):
2155             * runtime/JSPromiseDeferred.h:
2156             (JSC::JSPromiseDeferred::createStructure):
2157             * runtime/JSPromiseReaction.h:
2158             (JSC::JSPromiseReaction::createStructure):
2159             * runtime/JSPropertyNameIterator.h:
2160             (JSC::JSPropertyNameIterator::createStructure):
2161             * runtime/JSType.h:
2162             * runtime/JSTypeInfo.h:
2163             (JSC::TypeInfo::TypeInfo):
2164             * runtime/MapData.h:
2165             (JSC::MapData::createStructure):
2166             * runtime/PropertyMapHashTable.h:
2167             (JSC::PropertyTable::createStructure):
2168             * runtime/RegExp.h:
2169             (JSC::RegExp::createStructure):
2170             * runtime/SparseArrayValueMap.cpp:
2171             (JSC::SparseArrayValueMap::createStructure):
2172             * runtime/Structure.cpp:
2173             (JSC::Structure::Structure):
2174             * runtime/StructureChain.h:
2175             (JSC::StructureChain::createStructure):
2176             * runtime/StructureRareData.cpp:
2177             (JSC::StructureRareData::createStructure):
2178             * runtime/SymbolTable.h:
2179             (JSC::SymbolTable::createStructure):
2180             * runtime/WeakMapData.h:
2181             (JSC::WeakMapData::createStructure):
2182     
2183     2014-06-17  Filip Pizlo  <fpizlo@apple.com>
2184     
2185             [ftlopt] PutStructure and PhantomPutStructure shouldn't leave the world in a clobbered state
2186             https://bugs.webkit.org/show_bug.cgi?id=134002
2187     
2188             Reviewed by Mark Hahnenberg.
2189             
2190             The effect of this bug was that if we had a PutStructure or PhantomPutStructure then any
2191             JSConstants would be in a Clobbered state, so we wouldn't take advantage of our knowledge
2192             of the structure if that structure was watchable.
2193             
2194             Also kill PhantomPutStructure.
2195     
2196             * dfg/DFGAbstractInterpreterInlines.h:
2197             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2198             (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
2199             (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
2200             * dfg/DFGClobberize.h:
2201             (JSC::DFG::clobberize):
2202             * dfg/DFGDoesGC.cpp:
2203             (JSC::DFG::doesGC):
2204             * dfg/DFGFixupPhase.cpp:
2205             (JSC::DFG::FixupPhase::fixupNode):
2206             * dfg/DFGGraph.cpp:
2207             (JSC::DFG::Graph::visitChildren):
2208             * dfg/DFGNode.h:
2209             (JSC::DFG::Node::hasTransition):
2210             * dfg/DFGNodeType.h:
2211             * dfg/DFGPredictionPropagationPhase.cpp:
2212             (JSC::DFG::PredictionPropagationPhase::propagate):
2213             * dfg/DFGSafeToExecute.h:
2214             (JSC::DFG::safeToExecute):
2215             * dfg/DFGSpeculativeJIT32_64.cpp:
2216             (JSC::DFG::SpeculativeJIT::compile):
2217             * dfg/DFGSpeculativeJIT64.cpp:
2218             (JSC::DFG::SpeculativeJIT::compile):
2219             * dfg/DFGStructureAbstractValue.cpp:
2220             (JSC::DFG::StructureAbstractValue::observeTransition):
2221             (JSC::DFG::StructureAbstractValue::observeTransitions):
2222             * dfg/DFGValidate.cpp:
2223             (JSC::DFG::Validate::validate):
2224             * dfg/DFGWatchableStructureWatchingPhase.cpp:
2225             (JSC::DFG::WatchableStructureWatchingPhase::run):
2226             * ftl/FTLCapabilities.cpp:
2227             (JSC::FTL::canCompile):
2228             * ftl/FTLLowerDFGToLLVM.cpp:
2229             (JSC::FTL::LowerDFGToLLVM::compileNode):
2230             (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure): Deleted.
2231     
2232     2014-06-17  Filip Pizlo  <fpizlo@apple.com>
2233     
2234             [ftlopt] DFG put_by_id should inline accesses with a slightly polymorphic base
2235             https://bugs.webkit.org/show_bug.cgi?id=133964
2236     
2237             Reviewed by Mark Hahnenberg.
2238     
2239             * bytecode/PutByIdStatus.cpp:
2240             (JSC::PutByIdStatus::appendVariant):
2241             (JSC::PutByIdStatus::computeForStubInfo):
2242             * bytecode/PutByIdVariant.cpp:
2243             (JSC::PutByIdVariant::oldStructureForTransition):
2244             (JSC::PutByIdVariant::writesStructures):
2245             (JSC::PutByIdVariant::reallocatesStorage):
2246             (JSC::PutByIdVariant::attemptToMerge):
2247             (JSC::PutByIdVariant::attemptToMergeTransitionWithReplace):
2248             (JSC::PutByIdVariant::dumpInContext):
2249             * bytecode/PutByIdVariant.h:
2250             (JSC::PutByIdVariant::PutByIdVariant):
2251             (JSC::PutByIdVariant::replace):
2252             (JSC::PutByIdVariant::transition):
2253             (JSC::PutByIdVariant::structure):
2254             (JSC::PutByIdVariant::oldStructure):
2255             * dfg/DFGAbstractInterpreterInlines.h:
2256             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2257             * dfg/DFGByteCodeParser.cpp:
2258             (JSC::DFG::ByteCodeParser::handlePutById):
2259             (JSC::DFG::ByteCodeParser::parseBlock):
2260             * dfg/DFGConstantFoldingPhase.cpp:
2261             (JSC::DFG::ConstantFoldingPhase::foldConstants):
2262             (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
2263             * dfg/DFGGraph.cpp:
2264             (JSC::DFG::Graph::visitChildren):
2265             * dfg/DFGNode.cpp:
2266             (JSC::DFG::MultiPutByOffsetData::writesStructures):
2267             (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
2268             * ftl/FTLAbbreviations.h:
2269             (JSC::FTL::getLinkage):
2270             * ftl/FTLLowerDFGToLLVM.cpp:
2271             (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
2272             (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):
2273     
2274 2014-07-25  Filip Pizlo  <fpizlo@apple.com>
2275
2276         Add an option to disable native call inlining. Disable it for now to see how it
2277         affects the bots.
2278
2279         * dfg/DFGByteCodeParser.cpp:
2280         (JSC::DFG::ByteCodeParser::handleCall):
2281         * runtime/Options.h:
2282
2283 2014-07-25  Filip Pizlo  <fpizlo@apple.com>
2284
2285         Fix cloop.
2286
2287         * dfg/DFGMayExit.cpp:
2288
2289 2014-07-25  Filip Pizlo  <fpizlo@apple.com>
2290
2291         Merge r169795, r169819, r169864, r169902, r169949, r169950, r170016, r170017, r170060, r170064 from ftlopt.
2292
2293     2014-06-17  Filip Pizlo  <fpizlo@apple.com>
2294     
2295             [ftlopt] Fold constant Phis
2296             https://bugs.webkit.org/show_bug.cgi?id=133967
2297     
2298             Reviewed by Mark Hahnenberg.
2299             
2300             It's surprising but we didn't really do this before. Or, rather, we only did it
2301             incidentally when we would likely crash if it ever happened.
2302             
2303             Making this work required cleaning up the validator a bit, so I did that too. I also added
2304             mayExit() validation for nodes that didn't have origin.forExit (i.e. nodes that end up in
2305             the Phi header of basic blocks). But this required beefing up mayExit() a bit.
2306     
2307             * dfg/DFGAbstractInterpreterInlines.h:
2308             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2309             * dfg/DFGAdjacencyList.h:
2310             (JSC::DFG::AdjacencyList::isEmpty):
2311             * dfg/DFGConstantFoldingPhase.cpp:
2312             (JSC::DFG::ConstantFoldingPhase::run):
2313             (JSC::DFG::ConstantFoldingPhase::foldConstants):
2314             (JSC::DFG::ConstantFoldingPhase::fixUpsilons):
2315             * dfg/DFGInPlaceAbstractState.h:
2316             * dfg/DFGLICMPhase.cpp:
2317             (JSC::DFG::LICMPhase::run):
2318             (JSC::DFG::LICMPhase::attemptHoist):
2319             * dfg/DFGMayExit.cpp:
2320             (JSC::DFG::mayExit):
2321             * dfg/DFGValidate.cpp:
2322             (JSC::DFG::Validate::validate):
2323             (JSC::DFG::Validate::validateSSA):
2324     
2325     2014-06-17  Filip Pizlo  <fpizlo@apple.com>
2326     
2327             [ftlopt] Get rid of NodeDoesNotExit and also get rid of StoreEliminationPhase
2328             https://bugs.webkit.org/show_bug.cgi?id=133985
2329     
2330             Reviewed by Michael Saboff and Mark Hahnenberg.
2331             
2332             Store elimination phase has never been very profitable, and now that LLVM can do dead
2333             store elimination for us, this phase is just completely pointless.
2334             
2335             This phase is also the primary user of NodeDoesNotExit, which is a flag that the CFA
2336             computes. It computes it poorly and we often get bugs in it. It's also a lot of code to
2337             maintain.
2338             
2339             This patch does introduce a new mayExit() calculator that is independent of the CFA and
2340             should be enough for most of the previous NodeDoesNotExit users. Currently it's only used
2341             for assertions in the DFG backend, but we could use it if we ever brought back any of the
2342             other optimizations that previously relied upon NodeDoesNotExit.
2343             
2344             This is performance-neutral, except for SunSpider, where it's a speed-up.
2345     
2346             * CMakeLists.txt:
2347             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2348             * JavaScriptCore.xcodeproj/project.pbxproj:
2349             * dfg/DFGAbstractInterpreter.h:
2350             (JSC::DFG::AbstractInterpreter::filterEdgeByUse):
2351             (JSC::DFG::AbstractInterpreter::filterByType):
2352             * dfg/DFGAbstractInterpreterInlines.h:
2353             (JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting):
2354             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2355             * dfg/DFGCSEPhase.cpp:
2356             (JSC::DFG::CSEPhase::CSEPhase):
2357             (JSC::DFG::CSEPhase::invalidationPointElimination):
2358             (JSC::DFG::CSEPhase::setLocalStoreElimination):
2359             (JSC::DFG::CSEPhase::performNodeCSE):
2360             (JSC::DFG::CSEPhase::performBlockCSE):
2361             (JSC::DFG::performCSE):
2362             (JSC::DFG::CSEPhase::globalVarStoreElimination): Deleted.
2363             (JSC::DFG::CSEPhase::scopedVarStoreElimination): Deleted.
2364             (JSC::DFG::CSEPhase::putStructureStoreElimination): Deleted.
2365             (JSC::DFG::CSEPhase::putByOffsetStoreElimination): Deleted.
2366             (JSC::DFG::CSEPhase::SetLocalStoreEliminationResult::SetLocalStoreEliminationResult): Deleted.
2367             (JSC::DFG::performStoreElimination): Deleted.
2368             * dfg/DFGCSEPhase.h:
2369             * dfg/DFGFixupPhase.cpp:
2370             (JSC::DFG::FixupPhase::fixupNode):
2371             * dfg/DFGGraph.cpp:
2372             (JSC::DFG::Graph::resetExitStates): Deleted.
2373             * dfg/DFGGraph.h:
2374             * dfg/DFGMayExit.cpp: Added.
2375             (JSC::DFG::mayExit):
2376             * dfg/DFGMayExit.h: Added.
2377             * dfg/DFGNode.h:
2378             (JSC::DFG::Node::mergeFlags):
2379             (JSC::DFG::Node::filterFlags):
2380             (JSC::DFG::Node::setCanExit): Deleted.
2381             (JSC::DFG::Node::canExit): Deleted.
2382             * dfg/DFGNodeFlags.cpp:
2383             (JSC::DFG::dumpNodeFlags):
2384             * dfg/DFGNodeFlags.h:
2385             * dfg/DFGNodeType.h:
2386             * dfg/DFGPlan.cpp:
2387             (JSC::DFG::Plan::compileInThreadImpl):
2388             * dfg/DFGSpeculativeJIT.cpp:
2389             (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
2390             (JSC::DFG::SpeculativeJIT::bail):
2391             (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2392             * dfg/DFGSpeculativeJIT32_64.cpp:
2393             (JSC::DFG::SpeculativeJIT::compile):
2394             * dfg/DFGSpeculativeJIT64.cpp:
2395             (JSC::DFG::SpeculativeJIT::compile):
2396     
2397     2014-06-15  Filip Pizlo  <fpizlo@apple.com>
2398     
2399             [ftlopt] Remove the DFG optimization fixpoint and remove some obvious reasons why we previously benefited from it
2400             https://bugs.webkit.org/show_bug.cgi?id=133931
2401     
2402             Reviewed by Oliver Hunt.
2403     
2404             * dfg/DFGAbstractInterpreterInlines.h:
2405             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Trigger constant-folding for GetMyArgumentByVal (which means turning it into GetLocalUnlinked) and correct the handling of Upsilon so we don't fold them away.
2406             * dfg/DFGConstantFoldingPhase.cpp:
2407             (JSC::DFG::ConstantFoldingPhase::foldConstants): Implement constant-folding for GetMyArgumentByVal.
2408             * dfg/DFGPlan.cpp:
2409             (JSC::DFG::Plan::compileInThreadImpl): Remove the fixpoint.
2410     
2411     2014-06-15  Filip Pizlo  <fpizlo@apple.com>
2412     
2413             [ftlopt] DFG OSR entry should have a crystal-clear story for when it's safe to enter at a block with a set of values
2414             https://bugs.webkit.org/show_bug.cgi?id=133935
2415     
2416             Reviewed by Oliver Hunt.
2417     
2418             * bytecode/Operands.h:
2419             (JSC::Operands::Operands):
2420             (JSC::Operands::ensureLocals):
2421             * dfg/DFGAbstractValue.cpp:
2422             (JSC::DFG::AbstractValue::filter): Now we can compute intersections of abstract values!
2423             * dfg/DFGAbstractValue.h:
2424             (JSC::DFG::AbstractValue::makeFullTop): Completeness.
2425             (JSC::DFG::AbstractValue::bytecodeTop): Completeness.
2426             (JSC::DFG::AbstractValue::fullTop): Completeness. We end up using this one.
2427             * dfg/DFGBasicBlock.cpp:
2428             (JSC::DFG::BasicBlock::BasicBlock):
2429             (JSC::DFG::BasicBlock::ensureLocals):
2430             * dfg/DFGBasicBlock.h: Remember the intersection of all things ever proven.
2431             * dfg/DFGCFAPhase.cpp:
2432             (JSC::DFG::CFAPhase::run): Compute the intersection.
2433             * dfg/DFGConstantFoldingPhase.cpp:
2434             (JSC::DFG::ConstantFoldingPhase::foldConstants): No need for the weirdo merge check since this fixes the root of the problem.
2435             * dfg/DFGGraph.cpp:
2436             (JSC::DFG::Graph::dumpBlockHeader): Better dumping.
2437             (JSC::DFG::Graph::dump): Better dumping.
2438             * dfg/DFGJITCompiler.h:
2439             (JSC::DFG::JITCompiler::noticeOSREntry): Use the intersected abstract value.
2440             * dfg/DFGSpeculativeJIT.cpp:
2441             (JSC::DFG::SpeculativeJIT::compileCurrentBlock): Assert if the intersected state indicates the block shouldn't execute.
2442     
2443     2014-06-12  Filip Pizlo  <fpizlo@apple.com>
2444     
2445             [ftlopt] A DFG inlined ById access variant should not speak of a chain, but only of what structures to test the base for, whether to use a constant as an alternate base for the actual access, and what structures to check on what additional cell constants
2446             https://bugs.webkit.org/show_bug.cgi?id=133821
2447     
2448             Reviewed by Mark Hahnenberg.
2449             
2450             This allows us to efficiently cache accesses that differ only in the prototypes on the path
2451             from the base to the prototype that has the field.
2452             
2453             It also simplifies a bunch of code - IntendedStructureChain is now just an intermediate
2454             data structure.
2455     
2456             * CMakeLists.txt:
2457             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2458             * JavaScriptCore.xcodeproj/project.pbxproj:
2459             * bytecode/ConstantStructureCheck.cpp: Added.
2460             (JSC::ConstantStructureCheck::dumpInContext):
2461             (JSC::ConstantStructureCheck::dump):
2462             (JSC::structureFor):
2463             (JSC::areCompatible):
2464             (JSC::mergeInto):
2465             * bytecode/ConstantStructureCheck.h: Added.
2466             (JSC::ConstantStructureCheck::ConstantStructureCheck):
2467             (JSC::ConstantStructureCheck::operator!):
2468             (JSC::ConstantStructureCheck::constant):
2469             (JSC::ConstantStructureCheck::structure):
2470             * bytecode/GetByIdStatus.cpp:
2471             (JSC::GetByIdStatus::computeForStubInfo):
2472             * bytecode/GetByIdVariant.cpp:
2473             (JSC::GetByIdVariant::GetByIdVariant):
2474             (JSC::GetByIdVariant::operator=):
2475             (JSC::GetByIdVariant::attemptToMerge):
2476             (JSC::GetByIdVariant::dumpInContext):
2477             * bytecode/GetByIdVariant.h:
2478             (JSC::GetByIdVariant::constantChecks):
2479             (JSC::GetByIdVariant::alternateBase):
2480             (JSC::GetByIdVariant::GetByIdVariant): Deleted.
2481             (JSC::GetByIdVariant::chain): Deleted.
2482             * bytecode/PutByIdVariant.cpp:
2483             (JSC::PutByIdVariant::dumpInContext):
2484             * bytecode/PutByIdVariant.h:
2485             (JSC::PutByIdVariant::transition):
2486             (JSC::PutByIdVariant::constantChecks):
2487             (JSC::PutByIdVariant::structureChain): Deleted.
2488             * dfg/DFGAbstractInterpreterInlines.h:
2489             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2490             * dfg/DFGByteCodeParser.cpp:
2491             (JSC::DFG::ByteCodeParser::emitChecks):
2492             (JSC::DFG::ByteCodeParser::handleGetById):
2493             (JSC::DFG::ByteCodeParser::handlePutById):
2494             (JSC::DFG::ByteCodeParser::cellConstantWithStructureCheck): Deleted.
2495             (JSC::DFG::ByteCodeParser::structureChainIsStillValid): Deleted.
2496             (JSC::DFG::ByteCodeParser::emitPrototypeChecks): Deleted.
2497             * dfg/DFGConstantFoldingPhase.cpp:
2498             (JSC::DFG::ConstantFoldingPhase::foldConstants):
2499             (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
2500             (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
2501             (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
2502             * dfg/DFGDesiredStructureChains.cpp: Removed.
2503             * dfg/DFGDesiredStructureChains.h: Removed.
2504             * dfg/DFGGraph.h:
2505             (JSC::DFG::Graph::watchpoints):
2506             (JSC::DFG::Graph::chains): Deleted.
2507             * dfg/DFGPlan.cpp:
2508             (JSC::DFG::Plan::isStillValid):
2509             (JSC::DFG::Plan::checkLivenessAndVisitChildren):
2510             (JSC::DFG::Plan::cancel):
2511             * dfg/DFGPlan.h:
2512             * ftl/FTLLowerDFGToLLVM.cpp:
2513             (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
2514             * runtime/IntendedStructureChain.cpp:
2515             (JSC::IntendedStructureChain::gatherChecks):
2516             * runtime/IntendedStructureChain.h:
2517             (JSC::IntendedStructureChain::at):
2518             (JSC::IntendedStructureChain::operator[]):
2519     
2520     2014-06-12  Filip Pizlo  <fpizlo@apple.com>
2521     
2522             [ftlopt] Constant folding and strength reduction should work in SSA
2523             https://bugs.webkit.org/show_bug.cgi?id=133839
2524     
2525             Reviewed by Oliver Hunt.
2526     
2527             * dfg/DFGAtTailAbstractState.cpp:
2528             (JSC::DFG::AtTailAbstractState::AtTailAbstractState):
2529             (JSC::DFG::AtTailAbstractState::forNode):
2530             * dfg/DFGAtTailAbstractState.h:
2531             * dfg/DFGConstantFoldingPhase.cpp:
2532             (JSC::DFG::ConstantFoldingPhase::foldConstants):
2533             * dfg/DFGGraph.cpp:
2534             (JSC::DFG::Graph::convertToConstant):
2535             * dfg/DFGIntegerCheckCombiningPhase.cpp:
2536             (JSC::DFG::IntegerCheckCombiningPhase::rangeKeyAndAddend): Fix an unrelated regression that this uncovered.
2537             * dfg/DFGLICMPhase.cpp:
2538             (JSC::DFG::LICMPhase::LICMPhase):
2539             * dfg/DFGPlan.cpp:
2540             (JSC::DFG::Plan::compileInThreadImpl):
2541     
2542     2014-06-11  Filip Pizlo  <fpizlo@apple.com>
2543     
2544             [ftlopt] DFG get_by_id should inline chain accesses with a slightly polymorphic base
2545             https://bugs.webkit.org/show_bug.cgi?id=133751
2546     
2547             Reviewed by Mark Hahnenberg.
2548     
2549             * bytecode/GetByIdStatus.cpp:
2550             (JSC::GetByIdStatus::appendVariant):
2551             (JSC::GetByIdStatus::computeForStubInfo):
2552             * bytecode/GetByIdVariant.cpp:
2553             (JSC::GetByIdVariant::attemptToMerge):
2554             * bytecode/GetByIdVariant.h:
2555             * bytecode/PutByIdStatus.cpp:
2556             (JSC::PutByIdStatus::computeFor):
2557             * dfg/DFGByteCodeParser.cpp:
2558             (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
2559             (JSC::DFG::ByteCodeParser::handleGetById):
2560             (JSC::DFG::ByteCodeParser::handlePutById):
2561             * runtime/IntendedStructureChain.cpp:
2562             (JSC::IntendedStructureChain::IntendedStructureChain):
2563             (JSC::IntendedStructureChain::isStillValid):
2564             (JSC::IntendedStructureChain::isNormalized):
2565             (JSC::IntendedStructureChain::terminalPrototype):
2566             (JSC::IntendedStructureChain::operator==):
2567             (JSC::IntendedStructureChain::visitChildren):
2568             (JSC::IntendedStructureChain::dumpInContext):
2569             (JSC::IntendedStructureChain::chain): Deleted.
2570             * runtime/IntendedStructureChain.h:
2571             (JSC::IntendedStructureChain::prototype):
2572             (JSC::IntendedStructureChain::operator!=):
2573             (JSC::IntendedStructureChain::head): Deleted.
2574     
2575     2014-06-11  Matthew Mirman  <mmirman@apple.com>
2576     
2577            Re-added native calling to the FTL and split the DFG nodes
2578            Call and Construct into NativeCall and NativeConstruct 
2579            to better represent their semantics.
2580            https://bugs.webkit.org/show_bug.cgi?id=133660
2581     
2582            Reviewed by Filip Pizlo.
2583     
2584            * dfg/DFGAbstractInterpreterInlines.h:
2585            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): 
2586            Added NativeCall and NativeConstruct case
2587            * dfg/DFGByteCodeParser.cpp:
2588            (JSC::DFG::ByteCodeParser::addCall): added NativeCall case. 
2589            (JSC::DFG::ByteCodeParser::handleCall): 
2590            set to return NativeCall or NativeConstruct instead of Call or Construct
2591            in the presence of a native function.
2592            * dfg/DFGClobberize.h:
2593            (JSC::DFG::clobberize): added NativeCall and NativeConstruct case.
2594            * dfg/DFGDoesGC.cpp:
2595            (JSC::DFG::doesGC): added NativeCall and NativeConstruct case.
2596            * dfg/DFGFixupPhase.cpp:
2597            (JSC::DFG::FixupPhase::fixupNode): added NativeCall and NativeConstruct case.
2598            * dfg/DFGNode.h:
2599            (JSC::DFG::Node::hasHeapPrediction): added NativeCall and NativeConstruct case.
2600            (JSC::DFG::Node::canBeKnownFunction): changed to NativeCall and NativeConstruct.
2601            (JSC::DFG::Node::hasKnownFunction): changed to NativeCall and NativeConstruct.
2602            * dfg/DFGNodeType.h: added NativeCall and NativeConstruct.
2603            * dfg/DFGPredictionPropagationPhase.cpp:
2604            (JSC::DFG::PredictionPropagationPhase::propagate): added NativeCall and NativeConstruct case.
2605            * dfg/DFGSafeToExecute.h:
2606            (JSC::DFG::safeToExecute): added NativeCall and NativeConstruct case.
2607            * dfg/DFGSpeculativeJIT32_64.cpp:
2608            (JSC::DFG::SpeculativeJIT::emitCall): ditto
2609            (JSC::DFG::SpeculativeJIT::compile): ditto
2610            * dfg/DFGSpeculativeJIT64.cpp:
2611            (JSC::DFG::SpeculativeJIT::emitCall): ditto
2612            (JSC::DFG::SpeculativeJIT::compile): ditto
2613            * ftl/FTLCapabilities.cpp:
2614            (JSC::FTL::canCompile): ditto
2615            * ftl/FTLLowerDFGToLLVM.cpp:  
2616            (JSC::FTL::LowerDFGToLLVM::lower): ditto
2617            (JSC::FTL::LowerDFGToLLVM::compileNode): ditto.
2618            (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct): Added.
2619            (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct): removed NativeCall and NativeConstruct functionality.
2620            (JSC::FTL::LowerDFGToLLVM::didOverflowStack): added NativeCall and NativeConstruct case.
2621            * runtime/JSCJSValue.h: added JS_EXPORT_PRIVATE to toInteger as it is apparently needed.
2622            
2623     2014-06-11  Matthew Mirman  <mmirman@apple.com>
2624     
2625             Ensured Native Calls and Construct and associated checks 
2626             are only emitted during ftl mode.
2627             https://bugs.webkit.org/show_bug.cgi?id=133718
2628             
2629             Reviewed by Filip Pizlo.
2630             
2631             * dfg/DFGByteCodeParser.cpp:
2632             (JSC::DFG::ByteCodeParser::handleCall): Added check for ftl mode 
2633             before attaching the native function to Call or Construct.
2634             
2635     2014-06-10  Filip Pizlo  <fpizlo@apple.com>
2636     
2637             [ftlopt] DFG should use its own notion of JSValue, which we should call FrozenValue, that will carry around a copy of its structure
2638             https://bugs.webkit.org/show_bug.cgi?id=133426
2639     
2640             Reviewed by Geoffrey Garen.
2641             
2642             The impetus for this was to provide some sense and reason to race conditions arising from
2643             cell constants having their structure changed on the main thread - this is harmless because
2644             we defend against it, but when it goes wrong, it can be difficult to reproduce because it
2645             requires a race. Giving the DFG the ability to "freeze" a cell's structure fixes this.
2646             
2647             But this patch goes quite a bit further, and completely rationalizes how the DFG reasons
2648             about constants. It no longer relies on the CodeBlock constant pool at all, which allows
2649             for a more object-oriented approach: for example a Node that has a constant can tell you
2650             what constant it has without needing a CodeBlock.
2651     
2652             * CMakeLists.txt:
2653             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2654             * JavaScriptCore.xcodeproj/project.pbxproj:
2655             * bytecode/CallLinkStatus.cpp:
2656             (JSC::CallLinkStatus::computeExitSiteData):
2657             * bytecode/ExitKind.cpp:
2658             (JSC::exitKindToString):
2659             (JSC::exitKindIsCountable):
2660             * bytecode/ExitKind.h:
2661             (JSC::isWatchpoint): Deleted.
2662             * bytecode/GetByIdStatus.cpp:
2663             (JSC::GetByIdStatus::hasExitSite):
2664             * bytecode/PutByIdStatus.cpp:
2665             (JSC::PutByIdStatus::hasExitSite):
2666             * dfg/DFGAbstractInterpreter.h:
2667             (JSC::DFG::AbstractInterpreter::filterByValue):
2668             (JSC::DFG::AbstractInterpreter::setBuiltInConstant):
2669             (JSC::DFG::AbstractInterpreter::setConstant):
2670             * dfg/DFGAbstractInterpreterInlines.h:
2671             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2672             (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterByValue):
2673             * dfg/DFGAbstractValue.cpp:
2674             (JSC::DFG::AbstractValue::setOSREntryValue):
2675             (JSC::DFG::AbstractValue::set):
2676             (JSC::DFG::AbstractValue::filterByValue):
2677             (JSC::DFG::AbstractValue::setMostSpecific): Deleted.
2678             * dfg/DFGAbstractValue.h:
2679             * dfg/DFGArgumentsSimplificationPhase.cpp:
2680             (JSC::DFG::ArgumentsSimplificationPhase::run):
2681             * dfg/DFGBackwardsPropagationPhase.cpp:
2682             (JSC::DFG::BackwardsPropagationPhase::isNotNegZero):
2683             (JSC::DFG::BackwardsPropagationPhase::isNotPosZero):
2684             (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwoForConstant):
2685             (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
2686             * dfg/DFGByteCodeParser.cpp:
2687             (JSC::DFG::ByteCodeParser::ByteCodeParser):
2688             (JSC::DFG::ByteCodeParser::getDirect):
2689             (JSC::DFG::ByteCodeParser::get):
2690             (JSC::DFG::ByteCodeParser::getLocal):
2691             (JSC::DFG::ByteCodeParser::setLocal):
2692             (JSC::DFG::ByteCodeParser::setArgument):
2693             (JSC::DFG::ByteCodeParser::jsConstant):
2694             (JSC::DFG::ByteCodeParser::weakJSConstant):
2695             (JSC::DFG::ByteCodeParser::cellConstantWithStructureCheck):
2696             (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand):
2697             (JSC::DFG::ByteCodeParser::handleCall):
2698             (JSC::DFG::ByteCodeParser::emitFunctionChecks):
2699             (JSC::DFG::ByteCodeParser::handleInlining):
2700             (JSC::DFG::ByteCodeParser::handleMinMax):
2701             (JSC::DFG::ByteCodeParser::handleIntrinsic):
2702             (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2703             (JSC::DFG::ByteCodeParser::handleGetById):
2704             (JSC::DFG::ByteCodeParser::prepareToParseBlock):
2705             (JSC::DFG::ByteCodeParser::parseBlock):
2706             (JSC::DFG::ByteCodeParser::buildOperandMapsIfNecessary):
2707             (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2708             (JSC::DFG::ByteCodeParser::parseCodeBlock):
2709             (JSC::DFG::ByteCodeParser::addConstant): Deleted.
2710             (JSC::DFG::ByteCodeParser::getJSConstantForValue): Deleted.
2711             (JSC::DFG::ByteCodeParser::getJSConstant): Deleted.
2712             (JSC::DFG::ByteCodeParser::isJSConstant): Deleted.
2713             (JSC::DFG::ByteCodeParser::isInt32Constant): Deleted.
2714             (JSC::DFG::ByteCodeParser::valueOfJSConstant): Deleted.
2715             (JSC::DFG::ByteCodeParser::valueOfInt32Constant): Deleted.
2716             (JSC::DFG::ByteCodeParser::constantUndefined): Deleted.
2717             (JSC::DFG::ByteCodeParser::constantNull): Deleted.
2718             (JSC::DFG::ByteCodeParser::one): Deleted.
2719             (JSC::DFG::ByteCodeParser::constantNaN): Deleted.
2720             (JSC::DFG::ByteCodeParser::cellConstant): Deleted.
2721             (JSC::DFG::ByteCodeParser::inferredConstant): Deleted.
2722             (JSC::DFG::ByteCodeParser::ConstantRecord::ConstantRecord): Deleted.
2723             * dfg/DFGCFGSimplificationPhase.cpp:
2724             (JSC::DFG::CFGSimplificationPhase::run):
2725             * dfg/DFGCSEPhase.cpp:
2726             (JSC::DFG::CSEPhase::constantCSE):
2727             (JSC::DFG::CSEPhase::checkFunctionElimination):
2728             (JSC::DFG::CSEPhase::performNodeCSE):
2729             (JSC::DFG::CSEPhase::weakConstantCSE): Deleted.
2730             * dfg/DFGClobberize.h:
2731             (JSC::DFG::clobberize):
2732             * dfg/DFGCommon.h:
2733             * dfg/DFGConstantFoldingPhase.cpp:
2734             (JSC::DFG::ConstantFoldingPhase::foldConstants):
2735             (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
2736             (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
2737             * dfg/DFGDoesGC.cpp:
2738             (JSC::DFG::doesGC):
2739             * dfg/DFGFixupPhase.cpp:
2740             (JSC::DFG::FixupPhase::fixupNode):
2741             (JSC::DFG::FixupPhase::fixupMakeRope):
2742             (JSC::DFG::FixupPhase::truncateConstantToInt32):
2743             (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
2744             (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
2745             * dfg/DFGFrozenValue.cpp: Added.
2746             (JSC::DFG::FrozenValue::emptySingleton):
2747             (JSC::DFG::FrozenValue::dumpInContext):
2748             (JSC::DFG::FrozenValue::dump):
2749             * dfg/DFGFrozenValue.h: Added.
2750             (JSC::DFG::FrozenValue::FrozenValue):
2751             (JSC::DFG::FrozenValue::operator!):
2752             (JSC::DFG::FrozenValue::value):
2753             (JSC::DFG::FrozenValue::structure):
2754             (JSC::DFG::FrozenValue::strengthenTo):
2755             (JSC::DFG::FrozenValue::strength):
2756             (JSC::DFG::FrozenValue::freeze):
2757             * dfg/DFGGraph.cpp:
2758             (JSC::DFG::Graph::Graph):
2759             (JSC::DFG::Graph::dump):
2760             (JSC::DFG::Graph::tryGetActivation):
2761             (JSC::DFG::Graph::tryGetFoldableView):
2762             (JSC::DFG::Graph::registerFrozenValues):
2763             (JSC::DFG::Graph::visitChildren):
2764             (JSC::DFG::Graph::freezeFragile):
2765             (JSC::DFG::Graph::freeze):
2766             (JSC::DFG::Graph::freezeStrong):
2767             (JSC::DFG::Graph::convertToConstant):
2768             (JSC::DFG::Graph::convertToStrongConstant):
2769             (JSC::DFG::Graph::assertIsWatched):
2770             * dfg/DFGGraph.h:
2771             (JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
2772             (JSC::DFG::Graph::convertToConstant): Deleted.
2773             (JSC::DFG::Graph::constantRegisterForConstant): Deleted.
2774             (JSC::DFG::Graph::getJSConstantSpeculation): Deleted.
2775             (JSC::DFG::Graph::isConstant): Deleted.
2776             (JSC::DFG::Graph::isJSConstant): Deleted.
2777             (JSC::DFG::Graph::isInt32Constant): Deleted.
2778             (JSC::DFG::Graph::isDoubleConstant): Deleted.
2779             (JSC::DFG::Graph::isNumberConstant): Deleted.
2780             (JSC::DFG::Graph::isBooleanConstant): Deleted.
2781             (JSC::DFG::Graph::isCellConstant): Deleted.
2782             (JSC::DFG::Graph::isFunctionConstant): Deleted.
2783             (JSC::DFG::Graph::isInternalFunctionConstant): Deleted.
2784             (JSC::DFG::Graph::valueOfJSConstant): Deleted.
2785             (JSC::DFG::Graph::valueOfInt32Constant): Deleted.
2786             (JSC::DFG::Graph::valueOfNumberConstant): Deleted.
2787             (JSC::DFG::Graph::valueOfBooleanConstant): Deleted.
2788             (JSC::DFG::Graph::valueOfFunctionConstant): Deleted.
2789             (JSC::DFG::Graph::mulImmediateShouldSpeculateInt32): Deleted.
2790             * dfg/DFGInPlaceAbstractState.cpp:
2791             (JSC::DFG::InPlaceAbstractState::initialize):
2792             * dfg/DFGInsertionSet.h:
2793             (JSC::DFG::InsertionSet::insertConstant):
2794             (JSC::DFG::InsertionSet::insertConstantForUse):
2795             * dfg/DFGIntegerCheckCombiningPhase.cpp:
2796             (JSC::DFG::IntegerCheckCombiningPhase::rangeKeyAndAddend):
2797             * dfg/DFGJITCompiler.cpp:
2798             (JSC::DFG::JITCompiler::link):
2799             * dfg/DFGLazyJSValue.cpp:
2800             (JSC::DFG::LazyJSValue::getValue):
2801             (JSC::DFG::LazyJSValue::strictEqual):
2802             (JSC::DFG::LazyJSValue::dumpInContext):
2803             * dfg/DFGLazyJSValue.h:
2804             (JSC::DFG::LazyJSValue::LazyJSValue):
2805             (JSC::DFG::LazyJSValue::tryGetValue):
2806             (JSC::DFG::LazyJSValue::value):
2807             (JSC::DFG::LazyJSValue::switchLookupValue):
2808             * dfg/DFGMinifiedNode.cpp:
2809             (JSC::DFG::MinifiedNode::fromNode):
2810             * dfg/DFGMinifiedNode.h:
2811             (JSC::DFG::belongsInMinifiedGraph):
2812             (JSC::DFG::MinifiedNode::hasConstant):
2813             (JSC::DFG::MinifiedNode::constant):
2814             (JSC::DFG::MinifiedNode::hasConstantNumber): Deleted.
2815             (JSC::DFG::MinifiedNode::constantNumber): Deleted.
2816             (JSC::DFG::MinifiedNode::hasWeakConstant): Deleted.
2817             (JSC::DFG::MinifiedNode::weakConstant): Deleted.
2818             * dfg/DFGNode.h:
2819             (JSC::DFG::Node::hasConstant):
2820             (JSC::DFG::Node::constant):
2821             (JSC::DFG::Node::convertToConstant):
2822             (JSC::DFG::Node::asJSValue):
2823             (JSC::DFG::Node::isInt32Constant):
2824             (JSC::DFG::Node::asInt32):
2825             (JSC::DFG::Node::asUInt32):
2826             (JSC::DFG::Node::isDoubleConstant):
2827             (JSC::DFG::Node::isNumberConstant):
2828             (JSC::DFG::Node::asNumber):
2829             (JSC::DFG::Node::isMachineIntConstant):
2830             (JSC::DFG::Node::asMachineInt):
2831             (JSC::DFG::Node::isBooleanConstant):
2832             (JSC::DFG::Node::asBoolean):
2833             (JSC::DFG::Node::isCellConstant):
2834             (JSC::DFG::Node::asCell):
2835             (JSC::DFG::Node::dynamicCastConstant):
2836             (JSC::DFG::Node::function):
2837             (JSC::DFG::Node::isWeakConstant): Deleted.
2838             (JSC::DFG::Node::constantNumber): Deleted.
2839             (JSC::DFG::Node::convertToWeakConstant): Deleted.
2840             (JSC::DFG::Node::weakConstant): Deleted.
2841             (JSC::DFG::Node::valueOfJSConstant): Deleted.
2842             * dfg/DFGNodeType.h:
2843             * dfg/DFGOSRExitCompiler.cpp:
2844             * dfg/DFGPredictionPropagationPhase.cpp:
2845             (JSC::DFG::PredictionPropagationPhase::propagate):
2846             * dfg/DFGSafeToExecute.h:
2847             (JSC::DFG::safeToExecute):
2848             * dfg/DFGSpeculativeJIT.cpp:
2849             (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
2850             (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
2851             (JSC::DFG::SpeculativeJIT::silentFill):
2852             (JSC::DFG::SpeculativeJIT::compileIn):
2853             (JSC::DFG::SpeculativeJIT::compilePeepHoleBooleanBranch):
2854             (JSC::DFG::SpeculativeJIT::compilePeepHoleInt32Branch):
2855             (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2856             (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2857             (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
2858             (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
2859             (JSC::DFG::SpeculativeJIT::compileAdd):
2860             (JSC::DFG::SpeculativeJIT::compileArithSub):
2861             (JSC::DFG::SpeculativeJIT::compileArithMod):
2862             * dfg/DFGSpeculativeJIT.h:
2863             (JSC::DFG::SpeculativeJIT::valueOfJSConstantAsImm64):
2864             (JSC::DFG::SpeculativeJIT::initConstantInfo):
2865             (JSC::DFG::SpeculativeJIT::isConstant): Deleted.
2866             (JSC::DFG::SpeculativeJIT::isJSConstant): Deleted.
2867             (JSC::DFG::SpeculativeJIT::isInt32Constant): Deleted.
2868             (JSC::DFG::SpeculativeJIT::isDoubleConstant): Deleted.
2869             (JSC::DFG::SpeculativeJIT::isNumberConstant): Deleted.
2870             (JSC::DFG::SpeculativeJIT::isBooleanConstant): Deleted.
2871             (JSC::DFG::SpeculativeJIT::isFunctionConstant): Deleted.
2872             (JSC::DFG::SpeculativeJIT::valueOfInt32Constant): Deleted.
2873             (JSC::DFG::SpeculativeJIT::valueOfNumberConstant): Deleted.
2874             (JSC::DFG::SpeculativeJIT::addressOfDoubleConstant): Deleted.
2875             (JSC::DFG::SpeculativeJIT::valueOfJSConstant): Deleted.
2876             (JSC::DFG::SpeculativeJIT::valueOfBooleanConstant): Deleted.
2877             (JSC::DFG::SpeculativeJIT::valueOfFunctionConstant): Deleted.
2878             (JSC::DFG::SpeculativeJIT::isNullConstant): Deleted.
2879             (JSC::DFG::SpeculativeJIT::isInteger): Deleted.
2880             * dfg/DFGSpeculativeJIT32_64.cpp:
2881             (JSC::DFG::SpeculativeJIT::fillJSValue):
2882             (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2883             (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2884             (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2885             (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2886             (JSC::DFG::SpeculativeJIT::compile):
2887             * dfg/DFGSpeculativeJIT64.cpp:
2888             (JSC::DFG::SpeculativeJIT::fillJSValue):
2889             (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2890             (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
2891             (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2892             (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2893             (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2894             (JSC::DFG::SpeculativeJIT::compile):
2895             * dfg/DFGStrengthReductionPhase.cpp:
2896             (JSC::DFG::StrengthReductionPhase::handleNode):
2897             * dfg/DFGValidate.cpp:
2898             (JSC::DFG::Validate::validate):
2899             * dfg/DFGValueStrength.cpp: Added.
2900             (WTF::printInternal):
2901             * dfg/DFGValueStrength.h: Added.
2902             (JSC::DFG::merge):
2903             * dfg/DFGVariableEventStream.cpp:
2904             (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
2905             (JSC::DFG::VariableEventStream::reconstruct):
2906             * dfg/DFGVariableEventStream.h:
2907             * dfg/DFGWatchableStructureWatchingPhase.cpp:
2908             (JSC::DFG::WatchableStructureWatchingPhase::run):
2909             (JSC::DFG::WatchableStructureWatchingPhase::tryWatch):
2910             * dfg/DFGWatchpointCollectionPhase.cpp:
2911             (JSC::DFG::WatchpointCollectionPhase::handle):
2912             * ftl/FTLCapabilities.cpp:
2913             (JSC::FTL::canCompile):
2914             * ftl/FTLLink.cpp:
2915             (JSC::FTL::link):
2916             * ftl/FTLLowerDFGToLLVM.cpp:
2917             (JSC::FTL::LowerDFGToLLVM::compileNode):
2918             (JSC::FTL::LowerDFGToLLVM::compileDoubleConstant):
2919             (JSC::FTL::LowerDFGToLLVM::compileInt52Constant):
2920             (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
2921             (JSC::FTL::LowerDFGToLLVM::compileCheckFunction):
2922             (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
2923             (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
2924             (JSC::FTL::LowerDFGToLLVM::lowInt32):
2925             (JSC::FTL::LowerDFGToLLVM::lowCell):
2926             (JSC::FTL::LowerDFGToLLVM::lowBoolean):
2927             (JSC::FTL::LowerDFGToLLVM::lowJSValue):
2928             (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
2929             (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant): Deleted.
2930             * ftl/FTLOSRExitCompiler.cpp:
2931             (JSC::FTL::compileStub):
2932             * runtime/JSCJSValue.cpp:
2933             (JSC::JSValue::dumpInContext):
2934             (JSC::JSValue::dumpInContextAssumingStructure):
2935             * runtime/JSCJSValue.h:
2936     
2937 2014-07-24  Brent Fulgham  <bfulgham@apple.com>
2938
2939         [Win] Correct build order in JavaScriptCore.submit.sln
2940         https://bugs.webkit.org/show_bug.cgi?id=135282
2941         <rdar://problem/17805592>
2942
2943         Unreviewed build fix.
2944
2945         * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: Correct build order
2946         such that LLIntDesiredOffset is built prior to the rest of JSC.
2947
2948 2014-07-24  Mark Lam  <mark.lam@apple.com>
2949
2950         JSWrapperMap's jsWrapperForObject() needs to keep weak prototype and constructors from being GCed.
2951         <https://webkit.org/b/135258>
2952
2953         Reviewed by Mark Hahnenberg.
2954
2955         Where needed, we cache the prototype object pointer in a stack local var.
2956         This allows it to be scanned by the GC, and hence be kept alive until
2957         we use it.  The constructor object will in turn be kept alive by the
2958         prototype object.
2959
2960         Also added some comments to warn against future code additions that could
2961         regress this issue.
2962
2963         * API/JSWrapperMap.mm:
2964         (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
2965         (-[JSObjCClassInfo reallocateConstructorAndOrPrototype]):
2966         (-[JSObjCClassInfo wrapperForObject:]):
2967         (-[JSObjCClassInfo constructor]):
2968
2969 2014-07-24  Joseph Pecoraro  <pecoraro@apple.com>
2970
2971         JSLock release should only modify the AtomicStringTable if it modified in acquire
2972         https://bugs.webkit.org/show_bug.cgi?id=135143
2973
2974         Reviewed by Darin Adler.
2975
2976         * runtime/JSLock.cpp:
2977         (JSC::JSLock::JSLock):
2978         Initialize the member variable to nullptr.
2979
2980         (JSC::JSLock::willDestroyVM):
2981         Update style to use nullptr instead of 0.
2982
2983         (JSC::JSLock::willReleaseLock):
2984         We should only reset the thread data's atomic string table if
2985         didAcquireLock changed it. m_entryAtomicStringTable will have
2986         been set by didAcquireLock if it changed, or nullptr if it didn't.
2987         This way we are sure we are balanced, regardless of m_vm changes.
2988
2989 2014-07-24  Peyton Randolph  <prandolph@apple.com>
2990
2991         Rename feature flag for long-press gesture on Mac.
2992         https://bugs.webkit.org/show_bug.cgi?id=135259
2993
2994         Reviewed by Beth Dakin.
2995
2996         * Configurations/FeatureDefines.xcconfig:
2997         Rename LINK_LONG_PRESS to MAC_LONG_PRESS.
2998
2999 2014-07-24  Commit Queue  <commit-queue@webkit.org>
3000
3001         Unreviewed, rolling out r171527.
3002         https://bugs.webkit.org/show_bug.cgi?id=135265
3003
3004         Breaks JSC API tests (Requested by mlam on #webkit).
3005
3006         Reverted changeset:
3007
3008         "JSWrapperMap's jsWrapperForObject() needs to defer GC."
3009         https://bugs.webkit.org/show_bug.cgi?id=135258
3010         http://trac.webkit.org/changeset/171527
3011
3012 2014-07-24  Mark Hahnenberg  <mhahnenberg@apple.com>
3013
3014         Creating a JSGlobalObject with a custom JSClassRef results in a JSProxy with the wrong prototype
3015         https://bugs.webkit.org/show_bug.cgi?id=135250
3016
3017         Reviewed by Geoffrey Garen.
3018
3019         JSGlobalObject::resetPrototype (which is called from JSGlobalContextCreateInGroup) doesn't change its 
3020         JSProxy's prototype as well. This results in a JSProxy where no properties in the original prototype 
3021         chain (as created from the JSClassRef hierarchy) are accessible. Changing resetPrototype to also change
3022         the JSProxy's prototype fixes the issue.
3023
3024         * API/JSValueRef.cpp:
3025         (JSValueIsObjectOfClass): Also fixed a bug where a JSProxy for a JSGlobalObject with a custom JSClassRef
3026         would claim it wasn't of the specified class, even if the target was of the specified class.
3027         * API/tests/CustomGlobalObjectClassTest.c: Added.
3028         (jsDoSomething):
3029         (customGlobalObjectClassTest):
3030         * API/tests/CustomGlobalObjectClassTest.h: Added.
3031         * API/tests/testapi.c:
3032         (assertTrue):
3033         (main):
3034         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
3035         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters:
3036         * JavaScriptCore.xcodeproj/project.pbxproj:
3037         * runtime/JSGlobalObject.cpp:
3038         (JSC::JSGlobalObject::resetPrototype):
3039
3040 2014-07-24  Brian J. Burg  <burg@cs.washington.edu>
3041
3042         Web Replay: don't encode/decode primitive types that lack explicit sizes
3043         https://bugs.webkit.org/show_bug.cgi?id=133430
3044
3045         Reviewed by Anders Carlsson.
3046
3047         Don't support encode/decode of unsigned long, since its size is compiler-dependent.
3048
3049         * replay/EncodedValue.cpp:
3050         (JSC::EncodedValue::convertTo<unsigned long>):
3051         (JSC::unsigned long>::encodeValue): Deleted.
3052         * replay/EncodedValue.h:
3053
3054 2014-07-24  Mark Lam  <mark.lam@apple.com>
3055
3056         JSWrapperMap's jsWrapperForObject() needs to defer GC.
3057         <https://webkit.org/b/135258>
3058
3059         Reviewed by Oliver Hunt.
3060
3061         In the process of creating a JS wrapper, jsWrapperForObject() will create
3062         the prototype and constructor of the corresponding ObjC class, as well as
3063         for classes in its inheritance chain.  These prototypes and constructors
3064         are stored in Weak references in the JSObjCClassInfo objects.  During all
3065         the allocation that is being done to create all the prototypes and
3066         constructors as well as the wrapper objects, a GC may occur thereby
3067         collecting one or more of these newly created prototype and constructor
3068         objects.
3069
3070         One example of where this problem can manifest is in wrapperForObject()
3071         which is called from jsWrapperForObject().  In wrapperForObject(), we do
3072         the following steps:
3073
3074         1. reallocateConstructorAndOrPrototype() which creates the prototype
3075            object and stores it in JSObjCClassInfo's m_prototype which is a Weak
3076            ref.
3077         2. makeWrapper() to create the wrapper object, which may trigger a GC.
3078            GC will collect the prototype object and nullify the corresponding
3079            JSObjCClassInfo's m_prototype Weak ref.
3080         3. call JSObjectSetPrototype() to set the JSObjCClassInfo's m_prototype
3081            in the newly created wrapper.  This results in the wrapper getting a
3082            jsNull as a prototype instead of the expected prototype object.
3083
3084         To ensure that the prototype and constructor objects are retained until
3085         they can be referenced properly from the wrapper object,
3086         jsWrapperForObject() should defer GC until it's done with its work.
3087
3088         * API/JSWrapperMap.mm:
3089         (-[JSWrapperMap jsWrapperForObject:]):
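
Added example (not WebKit code and not part of the ChangeLog): a toy C++ model of the three steps listed in the entry above, together with the two mitigations named in this file, deferring GC (this entry) and caching the prototype in a stack local (the later entry for the same bug). `Heap`, `Cell`, `Weak`, `StackRoot` and `DeferGC` here are hypothetical stand-ins, and the collector is assumed to run on every allocation so the race is deterministic.

```cpp
#include <algorithm>
#include <memory>
#include <vector>

struct Cell {
    Cell* prototype = nullptr;  // strong edge, traced during marking
    bool marked = false;
};

struct Weak { Cell* cell = nullptr; };  // does not keep its target alive

class Heap {
public:
    std::vector<Cell**> stackRoots;  // models the stack slots a collector scans
    std::vector<Weak*> weaks;        // handles to clear when their target dies
    int deferDepth = 0;              // > 0 means collection is deferred

    Cell* allocate()
    {
        collect();  // assumption: worst case, every allocation collects
        cells.push_back(std::make_unique<Cell>());
        return cells.back().get();
    }

    void collect()
    {
        if (deferDepth > 0)
            return;
        for (auto& c : cells)
            c->marked = false;
        for (Cell** slot : stackRoots)
            for (Cell* c = *slot; c && !c->marked; c = c->prototype)
                c->marked = true;
        for (Weak* w : weaks)  // clear weak handles before freeing their targets
            if (w->cell && !w->cell->marked)
                w->cell = nullptr;
        cells.erase(std::remove_if(cells.begin(), cells.end(),
            [](const std::unique_ptr<Cell>& c) { return !c->marked; }), cells.end());
    }

private:
    std::vector<std::unique_ptr<Cell>> cells;
};

// Models a stack local that the collector can see.
class StackRoot {
public:
    StackRoot(Heap& heap, Cell* cell) : m_heap(heap), m_cell(cell) { m_heap.stackRoots.push_back(&m_cell); }
    ~StackRoot() { m_heap.stackRoots.pop_back(); }
    Cell* get() const { return m_cell; }
private:
    Heap& m_heap;
    Cell* m_cell;
};

// Models a scope during which no collection may run.
struct DeferGC {
    explicit DeferGC(Heap& heap) : m_heap(heap) { ++m_heap.deferDepth; }
    ~DeferGC() { --m_heap.deferDepth; }
    Heap& m_heap;
};

// Steps 1-3 as described: only the Weak refers to the prototype across step 2.
Cell* wrapperWeakOnly(Heap& heap, Weak& m_prototype)
{
    m_prototype.cell = heap.allocate();     // 1. create prototype, store weakly
    Cell* wrapper = heap.allocate();        // 2. allocation collects the prototype
    wrapper->prototype = m_prototype.cell;  // 3. reads the cleared handle: null
    return wrapper;
}

// Mitigation from the later entry: hold the prototype in a scanned stack local.
Cell* wrapperWithStackLocal(Heap& heap, Weak& m_prototype)
{
    m_prototype.cell = heap.allocate();
    StackRoot prototype(heap, m_prototype.cell);
    Cell* wrapper = heap.allocate();
    wrapper->prototype = prototype.get();
    return wrapper;
}

// Mitigation from this entry: defer collection until the wrapper is linked.
Cell* wrapperWithDeferGC(Heap& heap, Weak& m_prototype)
{
    DeferGC defer(heap);
    return wrapperWeakOnly(heap, m_prototype);
}

// Runs one variant on a fresh heap; true if the wrapper got a live prototype.
bool wrapperHasPrototype(Cell* (*makeWrapper)(Heap&, Weak&))
{
    Heap heap;
    Weak m_prototype;
    heap.weaks.push_back(&m_prototype);
    Cell* wrapper = makeWrapper(heap, m_prototype);
    return wrapper->prototype != nullptr && wrapper->prototype == m_prototype.cell;
}

int main()
{
    bool ok = !wrapperHasPrototype(wrapperWeakOnly)
        && wrapperHasPrototype(wrapperWithStackLocal)
        && wrapperHasPrototype(wrapperWithDeferGC);
    return ok ? 0 : 1;
}
```
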
3090
3091 2014-07-23  Brent Fulgham  <bfulgham@apple.com>
3092
3093         Build fix after r171482.
3094
3095         Rubberstamped by Joe Pecoraro.
3096
3097         * runtime/Identifier.h: Make header declarations match
3098         implementation file.
3099
3100 2014-07-23  Brent Fulgham  <bfulgham@apple.com>
3101
3102         [Win] Use NO_RETURN_DUE_TO_CRASH on Windows
3103         https://bugs.webkit.org/show_bug.cgi?id=135199
3104
3105         Reviewed by Mark Lam.
3106
3107         * jsc.cpp:
3108         (WTF::RuntimeArray::deleteProperty): Stop using ugly
3109         compiler work-around on Windows; use NO_RETURN_DUE_TO_CRASH
3110         codepath instead.
3111         * runtime/Identifier.h: Add NO_RETURN_DUE_TO_CRASH
3112         to header so function declaration matches implementation.
3113
3114 2014-07-23  Bem Jones-Bey  <bjonesbe@adobe.com>
3115
3116         Remove CSS_EXCLUSIONS compile flag and leftover code
3117         https://bugs.webkit.org/show_bug.cgi?id=135175
3118
3119         Reviewed by Zoltan Horvath.
3120
3121         At this point, the CSS_EXCLUSIONS flag guards nothing but some useless
3122         stubs. This removes the flag and the useless code.
3123
3124         * Configurations/FeatureDefines.xcconfig:
3125
3126 2014-07-23  Commit Queue  <commit-queue@webkit.org>
3127
3128         Unreviewed, rolling out r171367.
3129         https://bugs.webkit.org/show_bug.cgi?id=135192
3130
3131         broke three API tests (Requested by thorton on #webkit).
3132
3133         Reverted changeset:
3134
3135         "JSLock release should only modify the AtomicStringTable if it
3136         modified in acquire"
3137         https://bugs.webkit.org/show_bug.cgi?id=135143
3138         http://trac.webkit.org/changeset/171367
3139
3140 2014-07-22  László Langó  <llango.u-szeged@partner.samsung.com>
3141
3142         [EFL] Build fix after the [ftlopt] branch merge.
3143
3144         Reviewed by Csaba Osztrogonác.
3145
3146         * dfg/DFGBranchDirection.h:
3147         (JSC::DFG::branchDirectionToString):
3148         * dfg/DFGStructureClobberState.h:
3149         (JSC::DFG::merge):
3150
3151 2014-07-22  Brent Fulgham  <bfulgham@apple.com>
3152
3153         Build fix for non-clang compile.
3154
3155         * jsc.cpp:
3156         (WTF::RuntimeArray::put): Remove incorrect return statement
3157         I added.
3158
3159 2014-07-22  Brent Fulgham  <bfulgham@apple.com>
3160
3161         Build fix for non-clang compile.
3162
3163         * jsc.cpp:
3164         (WTF::RuntimeArray::deleteProperty): Need (fake) return
3165         value when NO_RETURN_DUE_TO_CRASH is not defined.
3166
3167 2014-07-22  Filip Pizlo  <fpizlo@apple.com>
3168
3169         Merge r169628 from ftlopt.
3170
3171     2014-06-04  Matthew Mirman  <mmirman@apple.com>
3172     
3173             Added system for inlining native functions via the FTL.
3174             https://bugs.webkit.org/show_bug.cgi?id=131515
3175     
3176             Reviewed by Filip Pizlo.
3177     
3178             Also fixed the build to not compress the bitcode and to 
3179             include all of the relevant runtime. With GCC_GENERATE_DEBUGGING_SYMBOLS = NO, 
3180             the produced bitcode files are a 100th the size they were before.  
3181             Now we can include all of the relevant runtime files with only a 3mb overhead. 
3182             This is the same overhead as for two compressed files before, 
3183             but done more efficiently (on both ends) and with less code.
3184             
3185             Deciding whether to inline native functions is left up to LLVM. 
3186             The entire module containing the function is linked into the current 
3187             compiled JS so that inlining the native functions shouldn't make them smaller.
3188             
3189             Rather than loading Runtime.symtbl at runtime FTLState.cpp now generates a file 
3190             InlineRuntimeSymbolTable.h which statically builds the symbol table hash table.  
3191             
3192             * JavaScriptCore.xcodeproj/project.pbxproj: Added back runtime files to compile.
3193             * build-symbol-table-index.py: Changed bitcode suffix. 
3194             Added inclusion of only tested symbols.  
3195             Added output to InlineRuntimeSymbolTable.h. 
3196             * build-symbol-table-index.sh: Changed bitcode suffix.
3197             * copy-llvm-ir-to-derived-sources.sh: Removed gzip compression.
3198             * tested-symbols.symlst: Added.
3199             * dfg/DFGByteCodeParser.cpp:
3200             (JSC::DFG::ByteCodeParser::handleCall):  
3201             Now sets the knownFunction of the call node if such a function exists 
3202             and emits a check that during runtime the callee is in fact known.
3203             * dfg/DFGNode.h:
3204             Added functions to set the known function of a call node.
3205             (JSC::DFG::Node::canBeKnownFunction): Added.
3206             (JSC::DFG::Node::hasKnownFunction): Added.
3207             (JSC::DFG::Node::knownFunction): Added.
3208             (JSC::DFG::Node::giveKnownFunction): Added.
3209             * ftl/FTLAbbreviatedTypes.h: Added a typedef for LLVMMemoryBufferRef
3210             * ftl/FTLAbbreviations.h: Added some abbreviations.
3211             * ftl/FTLLowerDFGToLLVM.cpp:
3212             (JSC::FTL::LowerDFGToLLVM::isInlinableSize): Added. Hardcoded threshold to 275.
3213             (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol): Added.
3214             (JSC::FTL::LowerDFGToLLVM::getFunctionBySymbol): Added.
3215             (JSC::FTL::LowerDFGToLLVM::possiblyCompileInlineableNativeCall): Added.
3216             (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):  
3217             Added call to possiblyCompileInlineableNativeCall
3218             * ftl/FTLOutput.h:
3219             (JSC::FTL::Output::allocaName):  Added. Useful for debugging.
3220             * ftl/FTLState.cpp:
3221             (JSC::FTL::State::State): Added an include for InlineRuntimeSymbolTable.h
3222             * ftl/FTLState.h: Added symbol table hash table.
3223             * ftl/FTLCompile.cpp:
3224             (JSC::FTL::compile): Added inlining and dead function elimination passes.
3225             * heap/HandleStack.h: Added JS_EXPORT_PRIVATE to a few functions to get inlining to compile.
3226             * llvm/InitializeLLVMMac.mm: Deleted.
3227             * llvm/InitializeLLVMMac.cpp: Added.
3228             * llvm/LLVMAPIFunctions.h: Added macros to include Bitcode parsing and linking functions.
3229             * llvm/LLVMHeaders.h: Added includes for Bitcode parsing and linking.
3230             * runtime/BundlePath.h: Added.
3231             * runtime/BundlePath.mm: Added.
3232             * runtime/DateInstance.h: Added JS_EXPORT_PRIVATE to a few functions to get inlining to compile.
3233             * runtime/DateInstance.h: ditto.
3234             * runtime/DateConversion.h: ditto.
3235             * runtime/ExceptionHelpers.h: ditto.
<