Create a more generic way for VMEntryScope to notify those interested that it will...
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-08-04  Saam Barati  <sbarati@apple.com>

        Create a more generic way for VMEntryScope to notify those interested that it will be destroyed
        https://bugs.webkit.org/show_bug.cgi?id=135358

        Reviewed by Geoffrey Garen.

        When VMEntryScope is destroyed, and it has a flag set indicating that the
        Debugger needs to recompile all functions, it calls Debugger::recompileAllJSFunctions.
        This flag is only used by Debugger to have VMEntryScope notify it when the
        Debugger is safe to recompile all functions. This patch will substitute this
        Debugger-specific recompilation flag with a list of callbacks that are notified
        when the outermost VMEntryScope dies. This creates a general purpose interface
        for being notified when the VM stops executing code via the event of the outermost
        VMEntryScope dying.

        * debugger/Debugger.cpp:
        (JSC::Debugger::recompileAllJSFunctions):
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope):
        (JSC::VMEntryScope::addEntryScopeDidPopListener):
        (JSC::VMEntryScope::~VMEntryScope):
        * runtime/VMEntryScope.h:
        (JSC::VMEntryScope::setRecompilationNeeded): Deleted.

2014-08-01  Carlos Alberto Lopez Perez  <clopez@igalia.com>

        REGRESSION(r171942): [CMAKE] [GTK] build broken (clean build).
        https://bugs.webkit.org/show_bug.cgi?id=135522

        Reviewed by Martin Robinson.

        * CMakeLists.txt: Output the inspector headers inside inspector
        subdirectory.

2014-08-01  Mark Lam  <mark.lam@apple.com>

        Add some structure related assertions.
        <https://webkit.org/b/135523>

        Reviewed by Geoffrey Garen.

        Adding 2 assertions:
        1. assert that we don't index past the end of the StructureIDTable.
           This should never happen, but this assertion will help catch bugs
           where a bad structureID gets passed in.
        2. assert that cells in MarkedBlock::callDestructor() that are not
           zapped should have a non-null StructureID.  This will help us catch
           bugs where the other cell header flag bits get set after the cell is
           zapped, thereby making the cell look like an unzapped cell but has a
           null structureID.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::callDestructor):
        * runtime/StructureIDTable.h:
        (JSC::StructureIDTable::get):

2014-08-01  Csaba Osztrogonác  <ossy@webkit.org>

        URTBF after r171946 to fix non-Apple builds.

        * bytecode/InlineCallFrameSet.cpp:

2014-08-01  Mark Hahnenberg  <mhahnenberg@apple.com>

        CodeBlock fails to visit the Executables of its InlineCallFrames
        https://bugs.webkit.org/show_bug.cgi?id=135471

        Reviewed by Geoffrey Garen.

        CodeBlock needs to visit its InlineCallFrames' owner Executables. If it doesn't, they
        can be prematurely collected and cause crashes.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::stronglyVisitStrongReferences):
        * bytecode/CodeOrigin.h:
        (JSC::InlineCallFrame::visitAggregate):
        * bytecode/InlineCallFrameSet.cpp:
        (JSC::InlineCallFrameSet::visitAggregate):
        * bytecode/InlineCallFrameSet.h:

2014-08-01  Alex Christensen  <achristensen@webkit.org>

        Progress towards cmake on Windows.
        https://bugs.webkit.org/show_bug.cgi?id=135484

        Reviewed by Martin Robinson.

        * CMakeLists.txt:
        Generate code directly to inspector directory to avoid using the cp command
        which is not available on Windows.
        * PlatformWin.cmake: Added.

2014-07-31  Andreas Kling  <akling@apple.com>

        Remove the JSC::OverridesVisitChildren flag.
        <https://webkit.org/b/135489>

        Except for 3 special classes, the visitChildren() call is always
        dispatched through the method table (see SlotVisitor.cpp.)

        The OverridesVisitChildren flag doesn't actually do anything.
        It could be used to implement a non-virtual direct call to
        JSCell::visitChildren, bypassing the method table for some objects,
        but such a micro-optimization seems like a weak trade for all this
        code complexity. Instead, just remove the flag.

        This change frees up an inline flag bit in JSCell.

        Reviewed by Geoffrey Garen.

        * API/JSAPIWrapperObject.h:
        * API/JSAPIWrapperObject.mm:
        (JSC::JSAPIWrapperObject::visitChildren):
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::visitChildren):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::visitChildren):
        (JSC::UnlinkedCodeBlock::visitChildren):
        (JSC::UnlinkedProgramCodeBlock::visitChildren):
        * bytecode/UnlinkedCodeBlock.h:
        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::visitChildren):
        * debugger/DebuggerScope.h:
        * jsc.cpp:
        * runtime/Arguments.cpp:
        (JSC::Arguments::visitChildren):
        * runtime/Arguments.h:
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::visitChildren):
        (JSC::ProgramExecutable::visitChildren):
        (JSC::FunctionExecutable::visitChildren):
        * runtime/Executable.h:
        * runtime/GetterSetter.cpp:
        (JSC::GetterSetter::visitChildren):
        * runtime/GetterSetter.h:
        (JSC::GetterSetter::createStructure):
        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::createStructure):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::visitChildren):
        * runtime/JSActivation.h:
        * runtime/JSArrayIterator.cpp:
        (JSC::JSArrayIterator::visitChildren):
        * runtime/JSArrayIterator.h:
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::visitChildren):
        * runtime/JSBoundFunction.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::setStructure):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::visitChildren):
        * runtime/JSFunction.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        * runtime/JSMap.h:
        * runtime/JSMapIterator.cpp:
        (JSC::JSMapIterator::visitChildren):
        * runtime/JSMapIterator.h:
        * runtime/JSNameScope.cpp:
        (JSC::JSNameScope::visitChildren):
        * runtime/JSNameScope.h:
        * runtime/JSPromise.cpp:
        (JSC::JSPromise::visitChildren):
        * runtime/JSPromise.h:
        * runtime/JSPromiseDeferred.cpp:
        (JSC::JSPromiseDeferred::visitChildren):
        * runtime/JSPromiseDeferred.h:
        * runtime/JSPromiseReaction.cpp:
        (JSC::JSPromiseReaction::visitChildren):
        * runtime/JSPromiseReaction.h:
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::visitChildren):
        * runtime/JSPropertyNameIterator.h:
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::visitChildren):
        * runtime/JSProxy.h:
        * runtime/JSScope.cpp:
        (JSC::JSScope::visitChildren):
        * runtime/JSScope.h:
        * runtime/JSSegmentedVariableObject.cpp:
        (JSC::JSSegmentedVariableObject::visitChildren):
        * runtime/JSSegmentedVariableObject.h:
        * runtime/JSSet.h:
        * runtime/JSSetIterator.cpp:
        (JSC::JSSetIterator::visitChildren):
        * runtime/JSSetIterator.h:
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::visitChildren):
        * runtime/JSSymbolTableObject.h:
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::overridesVisitChildren): Deleted.
        * runtime/JSWeakMap.h:
        * runtime/JSWithScope.cpp:
        (JSC::JSWithScope::visitChildren):
        * runtime/JSWithScope.h:
        * runtime/JSWrapperObject.cpp:
        (JSC::JSWrapperObject::visitChildren):
        * runtime/JSWrapperObject.h:
        * runtime/MapData.h:
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::visitChildren):
        * runtime/NativeErrorConstructor.h:
        * runtime/PropertyMapHashTable.h:
        * runtime/PropertyTable.cpp:
        (JSC::PropertyTable::visitChildren):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::visitChildren):
        * runtime/RegExpConstructor.h:
        * runtime/RegExpMatchesArray.cpp:
        (JSC::RegExpMatchesArray::visitChildren):
        * runtime/RegExpMatchesArray.h:
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::visitChildren):
        * runtime/RegExpObject.h:
        * runtime/SparseArrayValueMap.h:
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::visitChildren):
        * runtime/StructureChain.cpp:
        (JSC::StructureChain::visitChildren):
        * runtime/StructureChain.h:
        * runtime/StructureRareData.cpp:
        (JSC::StructureRareData::visitChildren):
        * runtime/StructureRareData.h:
        * runtime/WeakMapData.h:

2014-07-31  Mark Lam  <mark.lam@apple.com>

        JSCell::classInfo() belongs in JSCellInlines.h.
        <https://webkit.org/b/135475>

        Reviewed by Mark Hahnenberg.

        * runtime/JSCellInlines.h:
        (JSC::JSCell::classInfo):
        * runtime/JSDestructibleObject.h:
        (JSC::JSCell::classInfo): Deleted.

2014-07-31  Tanay C  <tanay.c@samsung.com>

        Build warning in webkit/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
        https://bugs.webkit.org/show_bug.cgi?id=135414

        Reviewed by Csaba Osztrogonác.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::putToScopeCommon): Removed unused parameter from function definition.

2014-07-30  Filip Pizlo  <fpizlo@apple.com>

        NewFunctionExpression and NewFunctionNoCheck should setHaveStructures(true)
        https://bugs.webkit.org/show_bug.cgi?id=135430

        Reviewed by Mark Hahnenberg.

        We already handled this correctly after the ftlopt merge, but it's useful to have the test.

        * tests/stress/new-function-expression-has-structures.js: Added.
        (foo.f):
        (foo.f.prototype.f):
        (foo):

2014-07-30  Andreas Kling  <akling@apple.com>

        Speculative Windows build fix.

        Try to dllimport the dllexported global object HashTable.

        * jsc.cpp:
        * testRegExp.cpp:

2014-07-30  Andreas Kling  <akling@apple.com>

        PropertyName's internal string is always atomic.
        <https://webkit.org/b/135451>

        Now that we've merged the JSC::Identifier and WTF::AtomicString tables,
        we know that any string that's an Identifier is guaranteed to be atomic.

        A PropertyName can be either an Identifier or a PrivateName, and the
        private names are also guaranteed to be atomic internally.

        Make PropertyName vend AtomicStringImpl* instead of StringImpl*.

        Reviewed by Benjamin Poulain.

        * runtime/PropertyName.h:
        (JSC::PropertyName::PropertyName):
        (JSC::PropertyName::uid):
        (JSC::PropertyName::publicName):

2014-07-30  Andy Estes  <aestes@apple.com>

        USE(CONTENT_FILTERING) should be ENABLE(CONTENT_FILTERING)
        https://bugs.webkit.org/show_bug.cgi?id=135439

        Reviewed by Tim Horton.

        We now support two different platform content filters, and will soon support a mock content filter (as part of
        webkit.org/b/128858). This makes content filtering a feature of WebKit, not just an adoption of a third-party
        library. ENABLE() is the correct macro to use for such a feature.

        * Configurations/FeatureDefines.xcconfig:

2014-07-30  Andreas Kling  <akling@apple.com>

        Static hash tables no longer need to be coupled with a VM.
        <https://webkit.org/b/135421>

        Now that the static hash tables are using char** instead of StringImpl**,
        it's no longer necessary to make them per-VM.

        This patch removes the hook in ClassInfo for providing your own static
        hash table getter. Everyone now uses ClassInfo::staticPropHashTable.
        Most of this patch is tweaking ClassInfo construction sites to pass one
        less null pointer.

        Also simplified Lookup.h to stop requiring ExecState/VM to access the
        static hash tables.

        Reviewed by Geoffrey Garen.

        * API/JSAPIWrapperObject.mm:
        * API/JSCallbackConstructor.cpp:
        * API/JSCallbackFunction.cpp:
        * API/JSCallbackObject.cpp:
        * API/ObjCCallbackFunction.mm:
        * bytecode/UnlinkedCodeBlock.cpp:
        * create_hash_table:
        * debugger/DebuggerScope.cpp:
        * inspector/JSInjectedScriptHost.cpp:
        * inspector/JSInjectedScriptHostPrototype.cpp:
        * inspector/JSJavaScriptCallFrame.cpp:
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        * interpreter/CallFrame.h:
        (JSC::ExecState::arrayConstructorTable): Deleted.
        (JSC::ExecState::arrayPrototypeTable): Deleted.
        (JSC::ExecState::booleanPrototypeTable): Deleted.
        (JSC::ExecState::dataViewTable): Deleted.
        (JSC::ExecState::dateTable): Deleted.
        (JSC::ExecState::dateConstructorTable): Deleted.
        (JSC::ExecState::errorPrototypeTable): Deleted.
        (JSC::ExecState::globalObjectTable): Deleted.
        (JSC::ExecState::jsonTable): Deleted.
        (JSC::ExecState::numberConstructorTable): Deleted.
        (JSC::ExecState::numberPrototypeTable): Deleted.
        (JSC::ExecState::objectConstructorTable): Deleted.
        (JSC::ExecState::privateNamePrototypeTable): Deleted.
        (JSC::ExecState::regExpTable): Deleted.
        (JSC::ExecState::regExpConstructorTable): Deleted.
        (JSC::ExecState::regExpPrototypeTable): Deleted.
        (JSC::ExecState::stringConstructorTable): Deleted.
        (JSC::ExecState::promisePrototypeTable): Deleted.
        (JSC::ExecState::promiseConstructorTable): Deleted.
        * jsc.cpp:
        * parser/Lexer.h:
        (JSC::Keywords::isKeyword):
        (JSC::Keywords::getKeyword):
        * runtime/Arguments.cpp:
        * runtime/ArgumentsIteratorConstructor.cpp:
        * runtime/ArgumentsIteratorPrototype.cpp:
        * runtime/ArrayBufferNeuteringWatchpoint.cpp:
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::getOwnPropertySlot):
        * runtime/ArrayIteratorConstructor.cpp:
        * runtime/ArrayIteratorPrototype.cpp:
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::getOwnPropertySlot):
        * runtime/BooleanConstructor.cpp:
        * runtime/BooleanObject.cpp:
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::getOwnPropertySlot):
        * runtime/ClassInfo.h:
        (JSC::ClassInfo::hasStaticProperties):
        (JSC::ClassInfo::propHashTable): Deleted.
        * runtime/ConsolePrototype.cpp:
        * runtime/CustomGetterSetter.cpp:
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::getOwnPropertySlot):
        * runtime/DateInstance.cpp:
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::getOwnPropertySlot):
        * runtime/Error.cpp:
        * runtime/ErrorConstructor.cpp:
        * runtime/ErrorInstance.cpp:
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::getOwnPropertySlot):
        * runtime/ExceptionHelpers.cpp:
        * runtime/Executable.cpp:
        * runtime/FunctionConstructor.cpp:
        * runtime/FunctionPrototype.cpp:
        * runtime/GetterSetter.cpp:
        * runtime/InternalFunction.cpp:
        * runtime/JSAPIValueWrapper.cpp:
        * runtime/JSActivation.cpp:
        * runtime/JSArgumentsIterator.cpp:
        * runtime/JSArray.cpp:
        * runtime/JSArrayBuffer.cpp:
        * runtime/JSArrayBufferConstructor.cpp:
        * runtime/JSArrayBufferPrototype.cpp:
        * runtime/JSArrayBufferView.cpp:
        * runtime/JSArrayIterator.cpp:
        * runtime/JSBoundFunction.cpp:
        * runtime/JSConsole.cpp:
        * runtime/JSDataView.cpp:
        * runtime/JSDataViewPrototype.cpp:
        (JSC::JSDataViewPrototype::getOwnPropertySlot):
        * runtime/JSFunction.cpp:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::getOwnPropertySlot):
        * runtime/JSMap.cpp:
        * runtime/JSMapIterator.cpp:
        * runtime/JSNameScope.cpp:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::getOwnPropertySlot):
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
        (JSC::JSObject::put):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::findPropertyHashEntry):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        * runtime/JSObject.h:
        * runtime/JSPromise.cpp:
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructor::getOwnPropertySlot):
        * runtime/JSPromiseDeferred.cpp:
        * runtime/JSPromisePrototype.cpp:
        (JSC::JSPromisePrototype::getOwnPropertySlot):
        * runtime/JSPromiseReaction.cpp:
        * runtime/JSPropertyNameIterator.cpp:
        * runtime/JSProxy.cpp:
        * runtime/JSSet.cpp:
        * runtime/JSSetIterator.cpp:
        * runtime/JSString.cpp:
        * runtime/JSTypedArrayConstructors.cpp:
        * runtime/JSTypedArrayPrototypes.cpp:
        * runtime/JSTypedArrays.cpp:
        * runtime/JSVariableObject.cpp:
        * runtime/JSWeakMap.cpp:
        * runtime/JSWithScope.cpp:
        * runtime/Lookup.cpp:
        (JSC::HashTable::createTable):
        * runtime/Lookup.h:
        (JSC::HashTable::initializeIfNeeded):
        (JSC::HashTable::entry):
        (JSC::HashTable::begin):
        (JSC::HashTable::end):
        (JSC::getStaticPropertySlot):
        (JSC::getStaticFunctionSlot):
        (JSC::getStaticValueSlot):
        (JSC::lookupPut):
        * runtime/MapConstructor.cpp:
        * runtime/MapData.cpp:
        * runtime/MapIteratorConstructor.cpp:
        * runtime/MapIteratorPrototype.cpp:
        * runtime/MapPrototype.cpp:
        * runtime/MathObject.cpp:
        * runtime/NameConstructor.cpp:
        * runtime/NameInstance.cpp:
        * runtime/NamePrototype.cpp:
        (JSC::NamePrototype::getOwnPropertySlot):
        * runtime/NativeErrorConstructor.cpp:
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::getOwnPropertySlot):
        * runtime/NumberObject.cpp:
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::getOwnPropertySlot):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::getOwnPropertySlot):
        * runtime/ObjectPrototype.cpp:
        * runtime/PropertyTable.cpp:
        * runtime/RegExp.cpp:
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::getOwnPropertySlot):
        * runtime/RegExpMatchesArray.cpp:
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::getOwnPropertySlot):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::getOwnPropertySlot):
        * runtime/SetConstructor.cpp:
        * runtime/SetIteratorConstructor.cpp:
        * runtime/SetIteratorPrototype.cpp:
        * runtime/SetPrototype.cpp:
        * runtime/SparseArrayValueMap.cpp:
        * runtime/StrictEvalActivation.cpp:
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::getOwnPropertySlot):
        * runtime/StringObject.cpp:
        * runtime/StringPrototype.cpp:
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::freezeTransition):
        (JSC::ClassInfo::hasStaticSetterOrReadonlyProperties):
        * runtime/StructureChain.cpp:
        * runtime/StructureRareData.cpp:
        * runtime/SymbolTable.cpp:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        * runtime/VM.h:
        * runtime/WeakMapConstructor.cpp:
        * runtime/WeakMapData.cpp:
        * runtime/WeakMapPrototype.cpp:
        * testRegExp.cpp:

2014-07-29  Brent Fulgham  <bfulgham@apple.com>

        [Win] Modify version numbering scheme to support 5-tuple versions
        https://bugs.webkit.org/show_bug.cgi?id=135400
        <rdar://problem/17849033>

        Reviewed by David Kilzer.

        * JavaScriptCore.vcxproj/JavaScriptCorePostBuild.cmd: Use the
        new version-stamp.pl script to version JavaScriptCore.dll.

2014-07-29  Daniel Bates  <dabates@apple.com>

        Use WTF::move() instead of std::move() to help ensure move semantics
        https://bugs.webkit.org/show_bug.cgi?id=135351

        Reviewed by Alexey Proskuryakov.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfo):
        * bytecode/GetByIdVariant.cpp:
        (JSC::GetByIdVariant::GetByIdVariant):

2014-07-28  Tamas Gergely  <tgergely.u-szeged@partner.samsung.com>

        BuildFix: JavaScriptCore/bytecode/StructureSet.h:262:77: warning.
        https://bugs.webkit.org/show_bug.cgi?id=135287

        Reviewed by Darin Adler.

        The set() method tries to use a part of the old value (the reservedFlag bit) which
        was not defined when the constructor is called. Initialize m_pointer to 0 explicitly.

        * bytecode/StructureSet.h:
        (JSC::StructureSet::StructureSet):

2014-07-28  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] JIT::assertStackPointerOffset() crashes on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=135316

        Reviewed by Geoffrey Garen.

        JIT::assertStackPointerOffset() does a compare between an arbitrary register
        and the stack pointer. This was not supported by the ARM64 assembler.

        There is no variation that can take a stack pointer for Xd. There is one version of subs
        that can take a stack pointer, but only for the Xn: the shift+extend one.
        To solve the problem, I changed cmp to swap the registers if necessary, and I fixed
        the implementation of sub.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::sub):
        In the generic sub(reg, reg), I added assertions to catch the condition that cannot be generated
        with either version of sub.

        In sub(with shift), I remove the weird special case for SP. First, it was quite misleading because
        the Rd case only works if "setflag == false". The other confusing part is that going to addSubtractShiftedRegister()
        gives you a reduced shift range, which could create subtle bugs that only appear when SP is used.

        Since I removed the weird case, I need to differentiate between the sub() that supports SP, and the one that does
        not, elsewhere. That is why that branch has moved to the generic sub(reg, reg). Since at that point we know
        the shift value must be zero, it is safe to call either variant.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::branch64):
        With the changes described above, we can now use SP for the left register. What do we do if the rightmost
        register is SP?

        For the case of JIT::assertStackPointerOffset(), the comparison is Equal so the order really does not matter,
        we just switch the registers before generating the instruction.

        For the generic case, just move the value of SP to a GPR before doing the CMP.

2014-07-28  Brian J. Burg  <burg@cs.washington.edu>

        Unreviewed build fix after r171682.

        * replay/EncodedValue.h: Don't mark the inlined Vector<char> specialization
        as an exported symbol.

2014-07-28  Mark Hahnenberg  <mhahnenberg@apple.com>

        REGRESSION: JSObjectSetPrototype() does not work on result of JSGetGlobalObject()
        https://bugs.webkit.org/show_bug.cgi?id=135322

        Reviewed by Oliver Hunt.

        The prototype chain of the JSProxy object should match that of the JSGlobalObject.

        This is a separate but related issue with JSObjectSetPrototype which doesn't correctly
        account for JSProxies. I also audited the rest of the C API to check that we correctly
        handle JSProxies in all other situations where we expect a JSCallbackObject of some sort
        and found some SPI calls (JSObject*PrivateProperty) that didn't behave correctly when
        passed a JSProxy.

        I also added some new tests for these cases.

        * API/JSObjectRef.cpp:
        (JSObjectSetPrototype):
        (JSObjectGetPrivateProperty):
        (JSObjectSetPrivateProperty):
        (JSObjectDeletePrivateProperty):
        * API/JSWeakObjectMapRefPrivate.cpp:
        * API/tests/CustomGlobalObjectClassTest.c:
        (globalObjectSetPrototypeTest):
        (globalObjectPrivatePropertyTest):
        * API/tests/CustomGlobalObjectClassTest.h:
        * API/tests/testapi.c:
        (main):

2014-07-28  Filip Pizlo  <fpizlo@apple.com>

        Make sure that we don't use non-speculative BooleanToNumber for a speculative Branch
        https://bugs.webkit.org/show_bug.cgi?id=135350
        <rdar://problem/17509889>

        Reviewed by Mark Hahnenberg and Oliver Hunt.

        If we have an exiting node that uses a conversion node, then that exiting node
        needs to have a Phantom after it for the original node. But we can't do that
        for Branch because https://bugs.webkit.org/show_bug.cgi?id=126778.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
        * tests/stress/branch-check-int32-on-boolean-to-number-untyped.js: Added.
        (foo):
        (test):
        * tests/stress/branch-check-number-on-boolean-to-number-untyped.js: Added.
        (foo):
        (test):

2014-07-28  Joseph Pecoraro  <pecoraro@apple.com>

        JSContext Inspector: crash when using step-into
        https://bugs.webkit.org/show_bug.cgi?id=135345

        Reviewed by Timothy Hatcher.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::stepInto):
        Null check m_listener since it may not be set.

2014-07-28  Brian J. Burg  <burg@cs.washington.edu>

        Web Replay: auto-decoding of parameterized vector's elements is incorrect
        https://bugs.webkit.org/show_bug.cgi?id=135343

        Reviewed by Timothy Hatcher.

        Fix an incorrect type argument in EncodingTraits<Vector<T>>::encodeValue
        that was using the element's decoded type as the type parameter to
        EncodedValue::append<T>. It should instead be the raw type T. This
        causes problems when encoding Vector<RefPtr<T>>, as it later tries to
        use encoding traits for RefPtr<T> rather than for T.

        Fix incorrect generated encoding traits argument for vectors of
        RefCounted objects. Updated test to cover this scenario.

        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Type.encoding_type_argument):
        (VectorType.type_name):
        (VectorType):
        (VectorType.encoding_type_argument):
        (Generator.generate_input_encode_implementation):
        (Generator.generate_input_decode_implementation):
        * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp:
        * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h:
        * replay/scripts/tests/generate-input-with-vector-members.json: Updated.

2014-07-28  Brian J. Burg  <burg@cs.washington.edu>

        Web Replay: incorrect serialization code generated for enum classes inside class scope
        https://bugs.webkit.org/show_bug.cgi?id=135342

        Reviewed by Timothy Hatcher.

        If an enum class is defined inside of a class scope, then the enum class
        cannot be forward-declared and the relevant header should be included.
        Some generated code used incorrectly-scoped enum values in this situation.

        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Generator.generate_includes.declaration.is):
        (Generator.generate_enum_trait_implementation.is):
        (Generator.generate_enum_trait_implementation):

        Tests:

        * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Rebaselined.
        * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Rebaselined.
        * replay/scripts/tests/generate-enums-with-same-base-name.json: Add enum
        class types to this test case.

2014-07-28  Brian J. Burg  <burg@cs.washington.edu>

        Web Replay: vectors of characters should be base64-encoded
        https://bugs.webkit.org/show_bug.cgi?id=135341

        Reviewed by Timothy Hatcher.

        Without this specialization, encode/decode methods try to create an
        array of single characters in JSON, rather than treating the
        vector as a binary blob.

        * replay/EncodedValue.cpp:
        (JSC::EncodingTraits<Vector<char>>::encodeValue): Added.
        (JSC::EncodingTraits<Vector<char>>::decodeValue): Added.
        * replay/EncodedValue.h:

2014-07-28  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed build fix.

        * JavaScriptCore.vcxproj/JavaScriptCore.proj: Switch from the 'Rebuild' target for MSBuild
        builds to the 'Build' target to avoid a spurious 'clean' in between build steps.

2014-07-27  Ryuan Choi  <ryuan.choi@samsung.com>

        Unreviewed build fix on the EFL port

        Build break because of -Werror=return-type

        * bytecode/PutByIdVariant.cpp:
        (JSC::PutByIdVariant::oldStructureForTransition):
        * dfg/DFGValueStrength.h:
        (JSC::DFG::merge):

2014-07-27  Filip Pizlo  <fpizlo@apple.com>

        [REGRESSION][ftlopt merge][32-bit] stress/prune-multi-put-by-offset-replace-or-transition-variant.js.dfg-eager hits an assertion in SpeculativeJIT::silentSavePlanForGPR
        https://bugs.webkit.org/show_bug.cgi?id=135323

        Reviewed by Oliver Hunt.

        SpeculativeJIT::silentSavePlanForGPR likes to believe that if a node is a constant,
        then it's a constant that can be represented using that node's current DataFormat.
        This doesn't work if the constant had been filled as a JSValue, and then one of the
        fillSpeculateBlah() methods had speculated that it's of some type that the constant
        isn't. Unless fillSpeculateBlah() specifically defends against this case, we'll have
        a constant that claims to have a contradictory data format.

        This patch fixes such a bug in the 32-bit fillSpeculateCell(). The 64-bit
        fillSpeculateCell() appears to not have this bug, but I added a similar defense
        mechanism anyway just in case, since this is one of those mistakes that keeps
        reappearing.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):

2014-07-27  Filip Pizlo  <fpizlo@apple.com>

        Merge r170090, r170092, r170129, r170141, r170161, r170215, r170275, r170375, r170376, r170382, r170383, r170399, r170436, r170489, r170490, r170556 from ftlopt.

        This fixes the previous mismerge and adds test coverage for the thing that went wrong.

        Additional changes listed here:

        * jsc.cpp:
        (functionHasCustomProperties): Expose a way of checking hasCustomProperties(), which the DOM relies on. The regression I previously introduced was because this didn't work right. Now we can test it!
        * runtime/Structure.cpp:
        (JSC::Structure::Structure): This was supposed to be setDidTransition(true); the last merge had it set to false.
        * tests/stress/has-custom-properties.js: Added. This test failed with the mismerge.

    2014-06-27  Michael Saboff  <msaboff@apple.com>

            Unreviewed build fix after r169795.

            Fixed ASSERT for 32 bit build.

            * dfg/DFGSpeculativeJIT.cpp:
            (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):

    2014-06-24  Saam Barati  <sbarati@apple.com>

            Web Inspector: debugger should be able to show variable types
            https://bugs.webkit.org/show_bug.cgi?id=133395

            Reviewed by Filip Pizlo.

            Increase the amount of type information the VM gathers when directed
            to do so. This initial commit is working towards the goal of
            capturing, and then showing (via the Web Inspector) type information for all
            assignment and load operations. This patch doesn't have the feature fully
            implemented, but it ensures the VM has no performance regressions
            unless the feature is specifically turned on.

            * JavaScriptCore.xcodeproj/project.pbxproj:
            * bytecode/BytecodeList.json:
            * bytecode/BytecodeUseDef.h:
            (JSC::computeUsesForBytecodeOffset):
            (JSC::computeDefsForBytecodeOffset):
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::dumpBytecode):
            (JSC::CodeBlock::CodeBlock):
            (JSC::CodeBlock::finalizeUnconditionally):
            * bytecode/CodeBlock.h:
            * bytecode/Instruction.h:
            * bytecode/TypeLocation.h: Added.
            (JSC::TypeLocation::TypeLocation):
            * bytecompiler/BytecodeGenerator.cpp:
            (JSC::BytecodeGenerator::emitMove):
            (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
            (JSC::BytecodeGenerator::emitPutToScope):
            (JSC::BytecodeGenerator::emitPutById):
            (JSC::BytecodeGenerator::emitPutByVal):
            * bytecompiler/BytecodeGenerator.h:
            (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity):
            * bytecompiler/NodesCodegen.cpp:
            (JSC::PostfixNode::emitResolve):
            (JSC::PrefixNode::emitResolve):
            (JSC::ReadModifyResolveNode::emitBytecode):
            (JSC::AssignResolveNode::emitBytecode):
            (JSC::ConstDeclNode::emitCodeSingle):
            (JSC::ForInNode::emitBytecode):
            * heap/Heap.cpp:
            (JSC::Heap::collect):
            * inspector/agents/InspectorRuntimeAgent.cpp:
            (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange):
            * inspector/agents/InspectorRuntimeAgent.h:
            * inspector/protocol/Runtime.json:
            * jsc.cpp:
            (GlobalObject::finishCreation):
            (functionDumpTypesForAllVariables):
            * llint/LLIntSlowPaths.cpp:
            (JSC::LLInt::LLINT_SLOW_PATH_DECL):
            (JSC::LLInt::putToScopeCommon):
            * llint/LLIntSlowPaths.h:
            * llint/LowLevelInterpreter.asm:
            * runtime/HighFidelityLog.cpp: Added.
            (JSC::HighFidelityLog::initializeHighFidelityLog):
            (JSC::HighFidelityLog::~HighFidelityLog):
            (JSC::HighFidelityLog::recordTypeInformationForLocation):
            (JSC::HighFidelityLog::processHighFidelityLog):
            (JSC::HighFidelityLog::actuallyProcessLogThreadFunction):
            * runtime/HighFidelityLog.h: Added.
            (JSC::HighFidelityLog::HighFidelityLog):
            * runtime/HighFidelityTypeProfiler.cpp: Added.
            (JSC::HighFidelityTypeProfiler::getTypesForVariableInRange):
            (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableInRange):
            (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableInRange):
            (JSC::HighFidelityTypeProfiler::insertNewLocation):
            (JSC::HighFidelityTypeProfiler::getLocationBasedHash):
            * runtime/HighFidelityTypeProfiler.h: Added.
            * runtime/Options.h:
            * runtime/Structure.cpp:
            (JSC::Structure::toStructureShape):
            * runtime/Structure.h:
            * runtime/SymbolTable.cpp:
            (JSC::SymbolTable::SymbolTable):
            (JSC::SymbolTable::cloneCapturedNames):
            (JSC::SymbolTable::uniqueIDForVariable):
            (JSC::SymbolTable::uniqueIDForRegister):
            (JSC::SymbolTable::globalTypeSetForRegister):
            (JSC::SymbolTable::globalTypeSetForVariable):
            * runtime/SymbolTable.h:
            (JSC::SymbolTable::add):
            (JSC::SymbolTable::set):
            * runtime/TypeSet.cpp: Added.
            (JSC::TypeSet::TypeSet):
            (JSC::TypeSet::getRuntimeTypeForValue):
            (JSC::TypeSet::addTypeForValue):
            (JSC::TypeSet::removeDuplicatesInStructureHistory):
            (JSC::TypeSet::seenTypes):
            (JSC::TypeSet::dumpSeenTypes):
            (JSC::StructureShape::StructureShape):
            (JSC::StructureShape::markAsFinal):
            (JSC::StructureShape::addProperty):
            (JSC::StructureShape::propertyHash):
            (JSC::StructureShape::leastUpperBound):
            (JSC::StructureShape::stringRepresentation):
            * runtime/TypeSet.h: Added.
            (JSC::StructureShape::create):
            (JSC::TypeSet::create):
            * runtime/VM.cpp:
            (JSC::VM::VM):
            (JSC::VM::getTypesForVariableInRange):
            (JSC::VM::updateHighFidelityTypeProfileState):
            (JSC::VM::dumpHighFidelityProfilingTypes):
            * runtime/VM.h:
            (JSC::VM::isProfilingTypesWithHighFidelity):
            (JSC::VM::highFidelityLog):
            (JSC::VM::highFidelityTypeProfiler):
            (JSC::VM::nextLocation):
            (JSC::VM::getNextUniqueVariableID):

    2014-06-26  Mark Lam  <mark.lam@apple.com>

            Remove unused instantiation of the WithScope structure.
            <https://webkit.org/b/134331>

            Reviewed by Oliver Hunt.

            The WithScope structure instance in the VM is unused, and is now removed.

            * runtime/VM.cpp:
            (JSC::VM::VM):
            * runtime/VM.h:

    2014-06-25  Mark Hahnenberg  <mhahnenberg@apple.com>

            Structure bit fields should have a consistent format
            https://bugs.webkit.org/show_bug.cgi?id=134307

            Reviewed by Filip Pizlo.

            Currently we use C-style bit fields for a number of member variables in Structure to save space.
            This makes it difficult to load these fields in the JIT. We should instead use our own bitfield
            format to make it easy to load and test these variables in JIT code.

            * runtime/JSObject.cpp:
            (JSC::JSObject::putDirectNonIndexAccessor):
            (JSC::JSObject::reifyStaticFunctionsForDelete):
            * runtime/Structure.cpp:
            (JSC::StructureTransitionTable::contains):
            (JSC::StructureTransitionTable::get):
            (JSC::StructureTransitionTable::add):
            (JSC::Structure::Structure):
            (JSC::Structure::materializePropertyMap):
            (JSC::Structure::addPropertyTransition):
            (JSC::Structure::despecifyFunctionTransition):
            (JSC::Structure::toDictionaryTransition):
            (JSC::Structure::freezeTransition):
            (JSC::Structure::preventExtensionsTransition):
            (JSC::Structure::takePropertyTableOrCloneIfPinned):
            (JSC::Structure::nonPropertyTransition):
            (JSC::Structure::flattenDictionaryStructure):
            (JSC::Structure::addPropertyWithoutTransition):
            (JSC::Structure::pin):
            (JSC::Structure::allocateRareData):
            (JSC::Structure::cloneRareDataFrom):
            (JSC::Structure::getConcurrently):
            (JSC::Structure::putSpecificValue):
            (JSC::Structure::getPropertyNamesFromStructure):
            (JSC::Structure::visitChildren):
            (JSC::Structure::checkConsistency):
            * runtime/Structure.h:
            (JSC::Structure::isExtensible):
            (JSC::Structure::isDictionary):
            (JSC::Structure::isUncacheableDictionary):
            (JSC::Structure::propertyAccessesAreCacheable):
            (JSC::Structure::previousID):
            (JSC::Structure::setHasGetterSetterPropertiesWithProtoCheck):
            (JSC::Structure::setContainsReadOnlyProperties):
            (JSC::Structure::disableSpecificFunctionTracking):
            (JSC::Structure::objectToStringValue):
            (JSC::Structure::setObjectToStringValue):
            (JSC::Structure::setPreviousID):
            (JSC::Structure::clearPreviousID):
            (JSC::Structure::previous):
            (JSC::Structure::rareData):
            (JSC::Structure::didTransition): Deleted.
            (JSC::Structure::hasGetterSetterProperties): Deleted.
            (JSC::Structure::hasReadOnlyOrGetterSetterPropertiesExcludingProto): Deleted.
            (JSC::Structure::setHasGetterSetterProperties): Deleted.
            (JSC::Structure::hasNonEnumerableProperties): Deleted.
            (JSC::Structure::staticFunctionsReified): Deleted.
            (JSC::Structure::setStaticFunctionsReified): Deleted.
            * runtime/StructureInlines.h:
            (JSC::Structure::setEnumerationCache):
            (JSC::Structure::enumerationCache):
            (JSC::Structure::checkOffsetConsistency):

    2014-06-24  Mark Lam  <mark.lam@apple.com>

            [ftlopt] Renamed DebuggerActivation to DebuggerScope.
            <https://webkit.org/b/134273>

            Reviewed by Michael Saboff.

            * CMakeLists.txt:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * debugger/DebuggerActivation.cpp: Removed.
            * debugger/DebuggerActivation.h: Removed.
            * debugger/DebuggerScope.cpp: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.cpp.
            (JSC::DebuggerScope::DebuggerScope):
            (JSC::DebuggerScope::finishCreation):
            (JSC::DebuggerScope::visitChildren):
            (JSC::DebuggerScope::className):
            (JSC::DebuggerScope::getOwnPropertySlot):
            (JSC::DebuggerScope::put):
            (JSC::DebuggerScope::deleteProperty):
            (JSC::DebuggerScope::getOwnPropertyNames):
            (JSC::DebuggerScope::defineOwnProperty):
            (JSC::DebuggerActivation::DebuggerActivation): Deleted.
            (JSC::DebuggerActivation::finishCreation): Deleted.
            (JSC::DebuggerActivation::visitChildren): Deleted.
            (JSC::DebuggerActivation::className): Deleted.
            (JSC::DebuggerActivation::getOwnPropertySlot): Deleted.
            (JSC::DebuggerActivation::put): Deleted.
            (JSC::DebuggerActivation::deleteProperty): Deleted.
            (JSC::DebuggerActivation::getOwnPropertyNames): Deleted.
            (JSC::DebuggerActivation::defineOwnProperty): Deleted.
            * debugger/DebuggerScope.h: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.h.
            (JSC::DebuggerScope::create):
            (JSC::DebuggerActivation::create): Deleted.
            * runtime/VM.cpp:
            (JSC::VM::VM):
            * runtime/VM.h:

    2014-06-24  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] PutByIdFlush can also be converted to a PutByOffset so don't assert otherwise
            https://bugs.webkit.org/show_bug.cgi?id=134265

            Reviewed by Geoffrey Garen.

            More assertion fallout from the PutById folding work.

            * dfg/DFGNode.h:
            (JSC::DFG::Node::convertToPutByOffset):

    2014-06-24  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] GC should notify us if it resets to_this
            https://bugs.webkit.org/show_bug.cgi?id=128231

            Reviewed by Geoffrey Garen.

            * CMakeLists.txt:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * bytecode/BytecodeList.json:
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::dumpBytecode):
            (JSC::CodeBlock::finalizeUnconditionally):
            * bytecode/Instruction.h:
            * bytecode/ToThisStatus.cpp: Added.
            (JSC::merge):
            (WTF::printInternal):
            * bytecode/ToThisStatus.h: Added.
            * bytecompiler/BytecodeGenerator.cpp:
            (JSC::BytecodeGenerator::BytecodeGenerator):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::parseBlock):
            * llint/LowLevelInterpreter32_64.asm:
            * llint/LowLevelInterpreter64.asm:
            * runtime/CommonSlowPaths.cpp:
            (JSC::SLOW_PATH_DECL):

    2014-06-24  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] StructureAbstractValue::onlyStructure() should return nullptr if isClobbered()
            https://bugs.webkit.org/show_bug.cgi?id=134256

            Reviewed by Michael Saboff.

            This isn't testable right now (i.e. it's benign) but we should get it right anyway. The
            point is to be able to precisely model what goes on in the snippets of code between a
            side-effect and an InvalidationPoint.

            This patch also cleans up onlyStructure() by delegating more work to
            StructureSet::onlyStructure().

            * dfg/DFGStructureAbstractValue.h:
            (JSC::DFG::StructureAbstractValue::onlyStructure):

    2014-06-24  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt][REGRESSION] PutById AI is introducing watchable structures without watching them
            https://bugs.webkit.org/show_bug.cgi?id=134260

            Reviewed by Geoffrey Garen.

            This was causing loads of assertion failures in debug builds.

            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

    2014-06-21  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] Fold GetById/PutById to MultiGetByOffset/GetByOffset or MultiPutByOffset/PutByOffset, which implies handling non-singleton sets
            https://bugs.webkit.org/show_bug.cgi?id=134090

            Reviewed by Oliver Hunt.

            This pretty much finishes off the work to eliminate the special-casing of singleton
            structure sets by making it possible to fold GetById and PutById to various polymorphic
            forms of the ByOffset nodes.

            * bytecode/GetByIdStatus.cpp:
            (JSC::GetByIdStatus::computeForStubInfo):
            (JSC::GetByIdStatus::computeFor):
            * bytecode/GetByIdStatus.h:
            * bytecode/PutByIdStatus.cpp:
            (JSC::PutByIdStatus::computeFor):
            * bytecode/PutByIdStatus.h:
            * bytecode/PutByIdVariant.h:
            (JSC::PutByIdVariant::constantChecks):
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::parseBlock):
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::foldConstants):
            (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
            (JSC::DFG::ConstantFoldingPhase::addChecks):
            * dfg/DFGNode.h:
            (JSC::DFG::Node::convertToMultiGetByOffset):
            (JSC::DFG::Node::convertToMultiPutByOffset):
            * dfg/DFGSpeculativeJIT64.cpp: Also convert all release assertions to DFG assertions in this file, because I was hitting some of them while debugging.
            (JSC::DFG::SpeculativeJIT::fillJSValue):
            (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
            (JSC::DFG::SpeculativeJIT::emitCall):
            (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
            (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
            (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
            (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
            (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
            (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
            (JSC::DFG::SpeculativeJIT::compileLogicalNot):
            (JSC::DFG::SpeculativeJIT::emitBranch):
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGStructureAbstractValue.h:
            (JSC::DFG::StructureAbstractValue::set):

    2014-06-19  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] StructureSet::onlyStructure() should return nullptr if it's not a singleton (instead of asserting)
            https://bugs.webkit.org/show_bug.cgi?id=134077

            Reviewed by Sam Weinig.

            This makes StructureSet and StructureAbstractValue more consistent and fixes a debug assert
            in the abstract interpreter.

            * bytecode/StructureSet.h:
            (JSC::StructureSet::onlyStructure):

    2014-06-18  Filip Pizlo  <fpizlo@apple.com>

            DFG AI and constant folder should be able to precisely prune MultiGetByOffset/MultiPutByOffset even if the base structure abstract value is not a singleton
            https://bugs.webkit.org/show_bug.cgi?id=133918

            Reviewed by Mark Hahnenberg.

            This also adds pruning of PutStructure, since I basically had no choice but
            to implement such logic within MultiPutByOffset.

            Also adds a bunch of PutById cache status dumping to bytecode dumping.

            * bytecode/GetByIdVariant.cpp:
            (JSC::GetByIdVariant::dumpInContext):
            * bytecode/GetByIdVariant.h:
            (JSC::GetByIdVariant::structureSet):
            * bytecode/PutByIdVariant.h:
            (JSC::PutByIdVariant::oldStructure):
            * bytecode/StructureSet.cpp:
            (JSC::StructureSet::filter):
            (JSC::StructureSet::filterArrayModes):
            * bytecode/StructureSet.h:
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGAbstractValue.cpp:
            (JSC::DFG::AbstractValue::changeStructure):
            (JSC::DFG::AbstractValue::contains):
            * dfg/DFGAbstractValue.h:
            (JSC::DFG::AbstractValue::couldBeType):
            (JSC::DFG::AbstractValue::isType):
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::foldConstants):
            (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
            (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
            (JSC::DFG::ConstantFoldingPhase::addBaseCheck):
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::freezeStrong):
            * dfg/DFGGraph.h:
            * dfg/DFGStructureAbstractValue.h:
            (JSC::DFG::StructureAbstractValue::operator=):
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
            * tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check.js: Added.
            (foo):
            (fu):
            (bar):
            (baz):
            (.bar):
            (.baz):
            * tests/stress/fold-multi-put-by-offset-to-put-by-offset-without-folding-the-structure-check.js: Added.
            (foo):
            (fu):
            (bar):
            (baz):
            (.bar):
            (.baz):
            * tests/stress/prune-multi-put-by-offset-replace-or-transition-variant.js: Added.
            (foo):
            (fu):
            (bar):
            (baz):
            (.bar):
            (.baz):

    2014-06-18  Mark Hahnenberg  <mhahnenberg@apple.com>

            Remove CompoundType and LeafType
            https://bugs.webkit.org/show_bug.cgi?id=134037

            Reviewed by Filip Pizlo.

            We don't use them for anything. We'll replace them with a generic CellType type for all
            the objects that are JSCells, aren't JSObjects, and for which we generally don't care about
            their JSType at runtime.

            * llint/LLIntData.cpp:
            (JSC::LLInt::Data::performAssertions):
            * runtime/ArrayBufferNeuteringWatchpoint.cpp:
            (JSC::ArrayBufferNeuteringWatchpoint::createStructure):
            * runtime/Executable.h:
            (JSC::ExecutableBase::createStructure):
            (JSC::NativeExecutable::createStructure):
            * runtime/JSPromiseDeferred.h:
            (JSC::JSPromiseDeferred::createStructure):
            * runtime/JSPromiseReaction.h:
            (JSC::JSPromiseReaction::createStructure):
            * runtime/JSPropertyNameIterator.h:
            (JSC::JSPropertyNameIterator::createStructure):
            * runtime/JSType.h:
            * runtime/JSTypeInfo.h:
            (JSC::TypeInfo::TypeInfo):
            * runtime/MapData.h:
            (JSC::MapData::createStructure):
            * runtime/PropertyMapHashTable.h:
            (JSC::PropertyTable::createStructure):
            * runtime/RegExp.h:
            (JSC::RegExp::createStructure):
            * runtime/SparseArrayValueMap.cpp:
            (JSC::SparseArrayValueMap::createStructure):
            * runtime/Structure.cpp:
            (JSC::Structure::Structure):
            * runtime/StructureChain.h:
            (JSC::StructureChain::createStructure):
            * runtime/StructureRareData.cpp:
            (JSC::StructureRareData::createStructure):
            * runtime/SymbolTable.h:
            (JSC::SymbolTable::createStructure):
            * runtime/WeakMapData.h:
            (JSC::WeakMapData::createStructure):

    2014-06-17  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] PutStructure and PhantomPutStructure shouldn't leave the world in a clobbered state
            https://bugs.webkit.org/show_bug.cgi?id=134002

            Reviewed by Mark Hahnenberg.

            The effect of this bug was that if we had a PutStructure or PhantomPutStructure then any
            JSConstants would be in a Clobbered state, so we wouldn't take advantage of our knowledge
            of the structure if that structure was watchable.

            Also kill PhantomPutStructure.

            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
            * dfg/DFGClobberize.h:
            (JSC::DFG::clobberize):
            * dfg/DFGDoesGC.cpp:
            (JSC::DFG::doesGC):
            * dfg/DFGFixupPhase.cpp:
            (JSC::DFG::FixupPhase::fixupNode):
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::visitChildren):
            * dfg/DFGNode.h:
            (JSC::DFG::Node::hasTransition):
            * dfg/DFGNodeType.h:
            * dfg/DFGPredictionPropagationPhase.cpp:
            (JSC::DFG::PredictionPropagationPhase::propagate):
            * dfg/DFGSafeToExecute.h:
            (JSC::DFG::safeToExecute):
            * dfg/DFGSpeculativeJIT32_64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGSpeculativeJIT64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGStructureAbstractValue.cpp:
            (JSC::DFG::StructureAbstractValue::observeTransition):
            (JSC::DFG::StructureAbstractValue::observeTransitions):
            * dfg/DFGValidate.cpp:
            (JSC::DFG::Validate::validate):
            * dfg/DFGWatchableStructureWatchingPhase.cpp:
            (JSC::DFG::WatchableStructureWatchingPhase::run):
            * ftl/FTLCapabilities.cpp:
            (JSC::FTL::canCompile):
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileNode):
            (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure): Deleted.

    2014-06-17  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] DFG put_by_id should inline accesses with a slightly polymorphic base
            https://bugs.webkit.org/show_bug.cgi?id=133964

            Reviewed by Mark Hahnenberg.

            * bytecode/PutByIdStatus.cpp:
            (JSC::PutByIdStatus::appendVariant):
            (JSC::PutByIdStatus::computeForStubInfo):
            * bytecode/PutByIdVariant.cpp:
            (JSC::PutByIdVariant::oldStructureForTransition):
            (JSC::PutByIdVariant::writesStructures):
            (JSC::PutByIdVariant::reallocatesStorage):
            (JSC::PutByIdVariant::attemptToMerge):
            (JSC::PutByIdVariant::attemptToMergeTransitionWithReplace):
            (JSC::PutByIdVariant::dumpInContext):
            * bytecode/PutByIdVariant.h:
            (JSC::PutByIdVariant::PutByIdVariant):
            (JSC::PutByIdVariant::replace):
            (JSC::PutByIdVariant::transition):
            (JSC::PutByIdVariant::structure):
            (JSC::PutByIdVariant::oldStructure):
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::handlePutById):
            (JSC::DFG::ByteCodeParser::parseBlock):
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::foldConstants):
            (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::visitChildren):
            * dfg/DFGNode.cpp:
            (JSC::DFG::MultiPutByOffsetData::writesStructures):
            (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
            * ftl/FTLAbbreviations.h:
            (JSC::FTL::getLinkage):
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
            (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):

2014-07-26  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out r171641-r171644. It broke some tests; will investigate and
        reland later.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::printPutByIdCacheStatus): Deleted.
        * bytecode/CodeBlock.h:
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfo):
        (JSC::GetByIdStatus::computeFor):
        * bytecode/GetByIdStatus.h:
        * bytecode/GetByIdVariant.cpp:
        (JSC::GetByIdVariant::dumpInContext):
        * bytecode/GetByIdVariant.h:
        (JSC::GetByIdVariant::structureSet):
        * bytecode/Instruction.h:
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::appendVariant):
        (JSC::PutByIdStatus::computeForStubInfo):
        (JSC::PutByIdStatus::computeFor):
        * bytecode/PutByIdStatus.h:
        * bytecode/PutByIdVariant.cpp:
        (JSC::PutByIdVariant::dumpInContext):
        (JSC::PutByIdVariant::oldStructureForTransition): Deleted.
        (JSC::PutByIdVariant::writesStructures): Deleted.
        (JSC::PutByIdVariant::reallocatesStorage): Deleted.
        (JSC::PutByIdVariant::attemptToMerge): Deleted.
        (JSC::PutByIdVariant::attemptToMergeTransitionWithReplace): Deleted.
        * bytecode/PutByIdVariant.h:
        (JSC::PutByIdVariant::PutByIdVariant):
        (JSC::PutByIdVariant::replace):
        (JSC::PutByIdVariant::transition):
        (JSC::PutByIdVariant::structure):
1390         (JSC::PutByIdVariant::oldStructure):
1391         (JSC::PutByIdVariant::newStructure):
1392         (JSC::PutByIdVariant::constantChecks):
1393         * bytecode/StructureSet.cpp:
1394         (JSC::StructureSet::filter): Deleted.
1395         (JSC::StructureSet::filterArrayModes): Deleted.
1396         * bytecode/StructureSet.h:
1397         (JSC::StructureSet::onlyStructure):
1398         * bytecode/ToThisStatus.cpp: Removed.
1399         * bytecode/ToThisStatus.h: Removed.
1400         * bytecode/TypeLocation.h: Removed.
1401         * bytecompiler/BytecodeGenerator.cpp:
1402         (JSC::BytecodeGenerator::BytecodeGenerator):
1403         (JSC::BytecodeGenerator::emitMove):
1404         (JSC::BytecodeGenerator::emitPutToScope):
1405         (JSC::BytecodeGenerator::emitPutById):
1406         (JSC::BytecodeGenerator::emitPutByVal):
1407         (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity): Deleted.
1408         * bytecompiler/BytecodeGenerator.h:
1409         (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity): Deleted.
1410         * bytecompiler/NodesCodegen.cpp:
1411         (JSC::PostfixNode::emitResolve):
1412         (JSC::PrefixNode::emitResolve):
1413         (JSC::ReadModifyResolveNode::emitBytecode):
1414         (JSC::AssignResolveNode::emitBytecode):
1415         (JSC::ConstDeclNode::emitCodeSingle):
1416         (JSC::ForInNode::emitBytecode):
1417         * debugger/DebuggerActivation.cpp: Added.
1418         (JSC::DebuggerActivation::DebuggerActivation):
1419         (JSC::DebuggerActivation::finishCreation):
1420         (JSC::DebuggerActivation::visitChildren):
1421         (JSC::DebuggerActivation::className):
1422         (JSC::DebuggerActivation::getOwnPropertySlot):
1423         (JSC::DebuggerActivation::put):
1424         (JSC::DebuggerActivation::deleteProperty):
1425         (JSC::DebuggerActivation::getOwnPropertyNames):
1426         (JSC::DebuggerActivation::defineOwnProperty):
1427         * debugger/DebuggerActivation.h: Added.
1428         (JSC::DebuggerActivation::create):
1429         (JSC::DebuggerActivation::createStructure):
1430         * debugger/DebuggerScope.cpp: Removed.
1431         * debugger/DebuggerScope.h: Removed.
1432         * dfg/DFGAbstractInterpreterInlines.h:
1433         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1434         (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
1435         (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
1436         * dfg/DFGAbstractValue.cpp:
1437         (JSC::DFG::AbstractValue::changeStructure): Deleted.
1438         (JSC::DFG::AbstractValue::contains): Deleted.
1439         * dfg/DFGAbstractValue.h:
1440         (JSC::DFG::AbstractValue::couldBeType):
1441         (JSC::DFG::AbstractValue::isType):
1442         * dfg/DFGByteCodeParser.cpp:
1443         (JSC::DFG::ByteCodeParser::handlePutById):
1444         (JSC::DFG::ByteCodeParser::parseBlock):
1445         * dfg/DFGClobberize.h:
1446         (JSC::DFG::clobberize):
1447         * dfg/DFGConstantFoldingPhase.cpp:
1448         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1449         (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
1450         (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
1451         (JSC::DFG::ConstantFoldingPhase::addBaseCheck): Deleted.
1452         (JSC::DFG::ConstantFoldingPhase::addChecks): Deleted.
1453         * dfg/DFGDoesGC.cpp:
1454         (JSC::DFG::doesGC):
1455         * dfg/DFGFixupPhase.cpp:
1456         (JSC::DFG::FixupPhase::fixupNode):
1457         * dfg/DFGGraph.cpp:
1458         (JSC::DFG::Graph::visitChildren):
1459         (JSC::DFG::Graph::freezeStrong):
1460         * dfg/DFGGraph.h:
1461         * dfg/DFGNode.cpp:
1462         (JSC::DFG::MultiPutByOffsetData::writesStructures):
1463         (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
1464         * dfg/DFGNode.h:
1465         (JSC::DFG::Node::convertToPutByOffset):
1466         (JSC::DFG::Node::hasTransition):
1467         (JSC::DFG::Node::convertToMultiGetByOffset): Deleted.
1468         (JSC::DFG::Node::convertToMultiPutByOffset): Deleted.
1469         * dfg/DFGNodeType.h:
1470         * dfg/DFGPredictionPropagationPhase.cpp:
1471         (JSC::DFG::PredictionPropagationPhase::propagate):
1472         * dfg/DFGSafeToExecute.h:
1473         (JSC::DFG::safeToExecute):
1474         * dfg/DFGSpeculativeJIT.cpp:
1475         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
1476         * dfg/DFGSpeculativeJIT32_64.cpp:
1477         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1478         (JSC::DFG::SpeculativeJIT::compile):
1479         * dfg/DFGSpeculativeJIT64.cpp:
1480         (JSC::DFG::SpeculativeJIT::fillJSValue):
1481         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
1482         (JSC::DFG::SpeculativeJIT::emitCall):
1483         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
1484         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
1485         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
1486         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1487         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1488         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1489         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1490         (JSC::DFG::SpeculativeJIT::emitBranch):
1491         (JSC::DFG::SpeculativeJIT::compile):
1492         * dfg/DFGStructureAbstractValue.cpp:
1493         (JSC::DFG::StructureAbstractValue::observeTransition):
1494         (JSC::DFG::StructureAbstractValue::observeTransitions):
1495         * dfg/DFGStructureAbstractValue.h:
1496         (JSC::DFG::StructureAbstractValue::onlyStructure):
1497         (JSC::DFG::StructureAbstractValue::operator=): Deleted.
1498         (JSC::DFG::StructureAbstractValue::set): Deleted.
1499         * dfg/DFGValidate.cpp:
1500         (JSC::DFG::Validate::validate):
1501         * dfg/DFGWatchableStructureWatchingPhase.cpp:
1502         (JSC::DFG::WatchableStructureWatchingPhase::run):
1503         * ftl/FTLAbbreviations.h:
1504         (JSC::FTL::getLinkage): Deleted.
1505         * ftl/FTLCapabilities.cpp:
1506         (JSC::FTL::canCompile):
1507         * ftl/FTLLowerDFGToLLVM.cpp:
1508         (JSC::FTL::LowerDFGToLLVM::compileNode):
1509         (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure):
1510         (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
1511         (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
1512         (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):
1513         * heap/Heap.cpp:
1514         (JSC::Heap::collect):
1515         * inspector/agents/InspectorRuntimeAgent.cpp:
1516         (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange): Deleted.
1517         * inspector/agents/InspectorRuntimeAgent.h:
1518         * inspector/protocol/Runtime.json:
1519         * jsc.cpp:
1520         (GlobalObject::finishCreation):
1521         (functionDumpTypesForAllVariables): Deleted.
1522         * llint/LLIntData.cpp:
1523         (JSC::LLInt::Data::performAssertions):
1524         * llint/LLIntSlowPaths.cpp:
1525         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1526         (JSC::LLInt::putToScopeCommon): Deleted.
1527         * llint/LLIntSlowPaths.h:
1528         * llint/LowLevelInterpreter.asm:
1529         * llint/LowLevelInterpreter32_64.asm:
1530         * llint/LowLevelInterpreter64.asm:
1531         * runtime/ArrayBufferNeuteringWatchpoint.cpp:
1532         (JSC::ArrayBufferNeuteringWatchpoint::createStructure):
1533         * runtime/CommonSlowPaths.cpp:
1534         (JSC::SLOW_PATH_DECL):
1535         * runtime/Executable.h:
1536         (JSC::ExecutableBase::createStructure):
1537         (JSC::NativeExecutable::createStructure):
1538         * runtime/HighFidelityLog.cpp: Removed.
1539         * runtime/HighFidelityLog.h: Removed.
1540         * runtime/HighFidelityTypeProfiler.cpp: Removed.
1541         * runtime/HighFidelityTypeProfiler.h: Removed.
1542         * runtime/JSObject.cpp:
1543         (JSC::JSObject::putDirectCustomAccessor):
1544         (JSC::JSObject::putDirectNonIndexAccessor):
1545         (JSC::JSObject::reifyStaticFunctionsForDelete):
1546         * runtime/JSPromiseDeferred.h:
1547         (JSC::JSPromiseDeferred::createStructure):
1548         * runtime/JSPromiseReaction.h:
1549         (JSC::JSPromiseReaction::createStructure):
1550         * runtime/JSPropertyNameIterator.h:
1551         (JSC::JSPropertyNameIterator::createStructure):
1552         * runtime/JSType.h:
1553         * runtime/JSTypeInfo.h:
1554         (JSC::TypeInfo::TypeInfo):
1555         * runtime/MapData.h:
1556         (JSC::MapData::createStructure):
1557         * runtime/Options.h:
1558         * runtime/PropertyMapHashTable.h:
1559         (JSC::PropertyTable::createStructure):
1560         * runtime/RegExp.h:
1561         (JSC::RegExp::createStructure):
1562         * runtime/SparseArrayValueMap.cpp:
1563         (JSC::SparseArrayValueMap::createStructure):
1564         * runtime/Structure.cpp:
1565         (JSC::StructureTransitionTable::contains):
1566         (JSC::StructureTransitionTable::get):
1567         (JSC::StructureTransitionTable::add):
1568         (JSC::Structure::Structure):
1569         (JSC::Structure::materializePropertyMap):
1570         (JSC::Structure::addPropertyTransition):
1571         (JSC::Structure::despecifyFunctionTransition):
1572         (JSC::Structure::toDictionaryTransition):
1573         (JSC::Structure::freezeTransition):
1574         (JSC::Structure::preventExtensionsTransition):
1575         (JSC::Structure::takePropertyTableOrCloneIfPinned):
1576         (JSC::Structure::nonPropertyTransition):
1577         (JSC::Structure::flattenDictionaryStructure):
1578         (JSC::Structure::addPropertyWithoutTransition):
1579         (JSC::Structure::pin):
1580         (JSC::Structure::allocateRareData):
1581         (JSC::Structure::cloneRareDataFrom):
1582         (JSC::Structure::getConcurrently):
1583         (JSC::Structure::putSpecificValue):
1584         (JSC::Structure::getPropertyNamesFromStructure):
1585         (JSC::Structure::visitChildren):
1586         (JSC::Structure::checkConsistency):
1587         (JSC::Structure::toStructureShape): Deleted.
1588         * runtime/Structure.h:
1589         (JSC::Structure::isExtensible):
1590         (JSC::Structure::didTransition):
1591         (JSC::Structure::isDictionary):
1592         (JSC::Structure::isUncacheableDictionary):
1593         (JSC::Structure::hasBeenFlattenedBefore):
1594         (JSC::Structure::propertyAccessesAreCacheable):
1595         (JSC::Structure::previousID):
1596         (JSC::Structure::hasGetterSetterProperties):
1597         (JSC::Structure::hasReadOnlyOrGetterSetterPropertiesExcludingProto):
1598         (JSC::Structure::setHasGetterSetterProperties):
1599         (JSC::Structure::hasCustomGetterSetterProperties):
1600         (JSC::Structure::setHasCustomGetterSetterProperties):
1601         (JSC::Structure::setContainsReadOnlyProperties):
1602         (JSC::Structure::hasNonEnumerableProperties):
1603         (JSC::Structure::disableSpecificFunctionTracking):
1604         (JSC::Structure::objectToStringValue):
1605         (JSC::Structure::setObjectToStringValue):
1606         (JSC::Structure::staticFunctionsReified):
1607         (JSC::Structure::setStaticFunctionsReified):
1608         (JSC::Structure::transitionWatchpointSet):
1609         (JSC::Structure::setPreviousID):
1610         (JSC::Structure::clearPreviousID):
1611         (JSC::Structure::previous):
1612         (JSC::Structure::rareData):
1613         (JSC::Structure::setHasGetterSetterPropertiesWithProtoCheck): Deleted.
1614         (JSC::Structure::setHasCustomGetterSetterPropertiesWithProtoCheck): Deleted.
1615         * runtime/StructureChain.h:
1616         (JSC::StructureChain::createStructure):
1617         * runtime/StructureInlines.h:
1618         (JSC::Structure::setEnumerationCache):
1619         (JSC::Structure::enumerationCache):
1620         (JSC::Structure::checkOffsetConsistency):
1621         * runtime/StructureRareData.cpp:
1622         (JSC::StructureRareData::createStructure):
1623         * runtime/SymbolTable.cpp:
1624         (JSC::SymbolTable::SymbolTable):
1625         (JSC::SymbolTable::cloneCapturedNames):
1626         (JSC::SymbolTable::uniqueIDForVariable): Deleted.
1627         (JSC::SymbolTable::uniqueIDForRegister): Deleted.
1628         (JSC::SymbolTable::globalTypeSetForRegister): Deleted.
1629         (JSC::SymbolTable::globalTypeSetForVariable): Deleted.
1630         * runtime/SymbolTable.h:
1631         (JSC::SymbolTable::createStructure):
1632         (JSC::SymbolTable::add):
1633         (JSC::SymbolTable::set):
1634         * runtime/TypeSet.cpp: Removed.
1635         * runtime/TypeSet.h: Removed.
1636         * runtime/VM.cpp:
1637         (JSC::VM::VM):
1638         (JSC::VM::getTypesForVariableInRange): Deleted.
1639         (JSC::VM::updateHighFidelityTypeProfileState): Deleted.
1640         (JSC::VM::dumpHighFidelityProfilingTypes): Deleted.
1641         * runtime/VM.h:
1642         (JSC::VM::isProfilingTypesWithHighFidelity): Deleted.
1643         (JSC::VM::highFidelityLog): Deleted.
1644         (JSC::VM::highFidelityTypeProfiler): Deleted.
1645         (JSC::VM::nextLocation): Deleted.
1646         (JSC::VM::getNextUniqueVariableID): Deleted.
1647         * runtime/WeakMapData.h:
1648         (JSC::WeakMapData::createStructure):
1649         * tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check.js: Removed.
1650         * tests/stress/fold-multi-put-by-offset-to-put-by-offset-without-folding-the-structure-check.js: Removed.
1651         * tests/stress/prune-multi-put-by-offset-replace-or-transition-variant.js: Removed.
1652
1653 2014-07-25  Filip Pizlo  <fpizlo@apple.com>
1654
1655         Attempt to fix non-Xcode platforms.
1656
1657         * CMakeLists.txt:
1658         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1659
1660 2014-07-25  Filip Pizlo  <fpizlo@apple.com>
1661
1662         Fix cloop.
1663
1664         * bytecode/CodeBlock.cpp:
1665         (JSC::dumpChain):
1666         (JSC::CodeBlock::printPutByIdCacheStatus):
1667         * bytecode/StructureSet.cpp:
1668         * bytecode/StructureSet.h:
1669
1670 2014-07-25  Filip Pizlo  <fpizlo@apple.com>
1671
1672         Merge r170090, r170092, r170129, r170141, r170161, r170215, r170275, r170375, r170376, r170382, r170383, r170399, r170436, r170489, r170490, r170556 from ftlopt.
1673
1674     2014-06-27  Michael Saboff  <msaboff@apple.com>
1675     
1676             Unreviewed build fix after r169795.
1677     
1678             Fixed ASSERT for 32 bit build.
1679     
1680             * dfg/DFGSpeculativeJIT.cpp:
1681             (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
1682     
1683     2014-06-24  Saam Barati  <sbarati@apple.com>
1684     
1685             Web Inspector: debugger should be able to show variable types
1686             https://bugs.webkit.org/show_bug.cgi?id=133395
1687     
1688             Reviewed by Filip Pizlo.
1689     
1690             Increase the amount of type information the VM gathers when directed
1691             to do so. This initial commit is working towards the goal of
1692             capturing, and then showing (via the Web Inspector) type information for all
1693             assignment and load operations. This patch doesn't have the feature fully 
1694             implemented, but it ensures the VM has no performance regressions
1695             unless the feature is specifically turned on.
1696     
1697             * JavaScriptCore.xcodeproj/project.pbxproj:
1698             * bytecode/BytecodeList.json:
1699             * bytecode/BytecodeUseDef.h:
1700             (JSC::computeUsesForBytecodeOffset):
1701             (JSC::computeDefsForBytecodeOffset):
1702             * bytecode/CodeBlock.cpp:
1703             (JSC::CodeBlock::dumpBytecode):
1704             (JSC::CodeBlock::CodeBlock):
1705             (JSC::CodeBlock::finalizeUnconditionally):
1706             * bytecode/CodeBlock.h:
1707             * bytecode/Instruction.h:
1708             * bytecode/TypeLocation.h: Added.
1709             (JSC::TypeLocation::TypeLocation):
1710             * bytecompiler/BytecodeGenerator.cpp:
1711             (JSC::BytecodeGenerator::emitMove):
1712             (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
1713             (JSC::BytecodeGenerator::emitPutToScope):
1714             (JSC::BytecodeGenerator::emitPutById):
1715             (JSC::BytecodeGenerator::emitPutByVal):
1716             * bytecompiler/BytecodeGenerator.h:
1717             (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity):
1718             * bytecompiler/NodesCodegen.cpp:
1719             (JSC::PostfixNode::emitResolve):
1720             (JSC::PrefixNode::emitResolve):
1721             (JSC::ReadModifyResolveNode::emitBytecode):
1722             (JSC::AssignResolveNode::emitBytecode):
1723             (JSC::ConstDeclNode::emitCodeSingle):
1724             (JSC::ForInNode::emitBytecode):
1725             * heap/Heap.cpp:
1726             (JSC::Heap::collect):
1727             * inspector/agents/InspectorRuntimeAgent.cpp:
1728             (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange):
1729             * inspector/agents/InspectorRuntimeAgent.h:
1730             * inspector/protocol/Runtime.json:
1731             * jsc.cpp:
1732             (GlobalObject::finishCreation):
1733             (functionDumpTypesForAllVariables):
1734             * llint/LLIntSlowPaths.cpp:
1735             (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1736             (JSC::LLInt::putToScopeCommon):
1737             * llint/LLIntSlowPaths.h:
1738             * llint/LowLevelInterpreter.asm:
1739             * runtime/HighFidelityLog.cpp: Added.
1740             (JSC::HighFidelityLog::initializeHighFidelityLog):
1741             (JSC::HighFidelityLog::~HighFidelityLog):
1742             (JSC::HighFidelityLog::recordTypeInformationForLocation):
1743             (JSC::HighFidelityLog::processHighFidelityLog):
1744             (JSC::HighFidelityLog::actuallyProcessLogThreadFunction):
1745             * runtime/HighFidelityLog.h: Added.
1746             (JSC::HighFidelityLog::HighFidelityLog):
1747             * runtime/HighFidelityTypeProfiler.cpp: Added.
1748             (JSC::HighFidelityTypeProfiler::getTypesForVariableInRange):
1749             (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableInRange):
1750             (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableInRange):
1751             (JSC::HighFidelityTypeProfiler::insertNewLocation):
1752             (JSC::HighFidelityTypeProfiler::getLocationBasedHash):
1753             * runtime/HighFidelityTypeProfiler.h: Added.
1754             * runtime/Options.h:
1755             * runtime/Structure.cpp:
1756             (JSC::Structure::toStructureShape):
1757             * runtime/Structure.h:
1758             * runtime/SymbolTable.cpp:
1759             (JSC::SymbolTable::SymbolTable):
1760             (JSC::SymbolTable::cloneCapturedNames):
1761             (JSC::SymbolTable::uniqueIDForVariable):
1762             (JSC::SymbolTable::uniqueIDForRegister):
1763             (JSC::SymbolTable::globalTypeSetForRegister):
1764             (JSC::SymbolTable::globalTypeSetForVariable):
1765             * runtime/SymbolTable.h:
1766             (JSC::SymbolTable::add):
1767             (JSC::SymbolTable::set):
1768             * runtime/TypeSet.cpp: Added.
1769             (JSC::TypeSet::TypeSet):
1770             (JSC::TypeSet::getRuntimeTypeForValue):
1771             (JSC::TypeSet::addTypeForValue):
1772             (JSC::TypeSet::removeDuplicatesInStructureHistory):
1773             (JSC::TypeSet::seenTypes):
1774             (JSC::TypeSet::dumpSeenTypes):
1775             (JSC::StructureShape::StructureShape):
1776             (JSC::StructureShape::markAsFinal):
1777             (JSC::StructureShape::addProperty):
1778             (JSC::StructureShape::propertyHash):
1779             (JSC::StructureShape::leastUpperBound):
1780             (JSC::StructureShape::stringRepresentation):
1781             * runtime/TypeSet.h: Added.
1782             (JSC::StructureShape::create):
1783             (JSC::TypeSet::create):
1784             * runtime/VM.cpp:
1785             (JSC::VM::VM):
1786             (JSC::VM::getTypesForVariableInRange):
1787             (JSC::VM::updateHighFidelityTypeProfileState):
1788             (JSC::VM::dumpHighFidelityProfilingTypes):
1789             * runtime/VM.h:
1790             (JSC::VM::isProfilingTypesWithHighFidelity):
1791             (JSC::VM::highFidelityLog):
1792             (JSC::VM::highFidelityTypeProfiler):
1793             (JSC::VM::nextLocation):
1794             (JSC::VM::getNextUniqueVariableID):
1795     
1796     2014-06-26  Mark Lam  <mark.lam@apple.com>
1797     
1798             Remove unused instantiation of the WithScope structure.
1799             <https://webkit.org/b/134331>
1800     
1801             Reviewed by Oliver Hunt.
1802     
1803             The WithScope structure instance in the VM is unused, and is now removed.
1804     
1805             * runtime/VM.cpp:
1806             (JSC::VM::VM):
1807             * runtime/VM.h:
1808     
1809     2014-06-25  Mark Hahnenberg  <mhahnenberg@apple.com>
1810     
1811             Structure bit fields should have a consistent format
1812             https://bugs.webkit.org/show_bug.cgi?id=134307
1813     
1814             Reviewed by Filip Pizlo.
1815     
1816             Currently we use C-style bit fields for a number of member variables in Structure to save space. 
1817             This makes it difficult to load these fields in the JIT. We should instead use our own bitfield 
1818             format to make it easy to load and test these variables in JIT code.
1819     
1820             * runtime/JSObject.cpp:
1821             (JSC::JSObject::putDirectNonIndexAccessor):
1822             (JSC::JSObject::reifyStaticFunctionsForDelete):
1823             * runtime/Structure.cpp:
1824             (JSC::StructureTransitionTable::contains):
1825             (JSC::StructureTransitionTable::get):
1826             (JSC::StructureTransitionTable::add):
1827             (JSC::Structure::Structure):
1828             (JSC::Structure::materializePropertyMap):
1829             (JSC::Structure::addPropertyTransition):
1830             (JSC::Structure::despecifyFunctionTransition):
1831             (JSC::Structure::toDictionaryTransition):
1832             (JSC::Structure::freezeTransition):
1833             (JSC::Structure::preventExtensionsTransition):
1834             (JSC::Structure::takePropertyTableOrCloneIfPinned):
1835             (JSC::Structure::nonPropertyTransition):
1836             (JSC::Structure::flattenDictionaryStructure):
1837             (JSC::Structure::addPropertyWithoutTransition):
1838             (JSC::Structure::pin):
1839             (JSC::Structure::allocateRareData):
1840             (JSC::Structure::cloneRareDataFrom):
1841             (JSC::Structure::getConcurrently):
1842             (JSC::Structure::putSpecificValue):
1843             (JSC::Structure::getPropertyNamesFromStructure):
1844             (JSC::Structure::visitChildren):
1845             (JSC::Structure::checkConsistency):
1846             * runtime/Structure.h:
1847             (JSC::Structure::isExtensible):
1848             (JSC::Structure::isDictionary):
1849             (JSC::Structure::isUncacheableDictionary):
1850             (JSC::Structure::propertyAccessesAreCacheable):
1851             (JSC::Structure::previousID):
1852             (JSC::Structure::setHasGetterSetterPropertiesWithProtoCheck):
1853             (JSC::Structure::setContainsReadOnlyProperties):
1854             (JSC::Structure::disableSpecificFunctionTracking):
1855             (JSC::Structure::objectToStringValue):
1856             (JSC::Structure::setObjectToStringValue):
1857             (JSC::Structure::setPreviousID):
1858             (JSC::Structure::clearPreviousID):
1859             (JSC::Structure::previous):
1860             (JSC::Structure::rareData):
1861             (JSC::Structure::didTransition): Deleted.
1862             (JSC::Structure::hasGetterSetterProperties): Deleted.
1863             (JSC::Structure::hasReadOnlyOrGetterSetterPropertiesExcludingProto): Deleted.
1864             (JSC::Structure::setHasGetterSetterProperties): Deleted.
1865             (JSC::Structure::hasNonEnumerableProperties): Deleted.
1866             (JSC::Structure::staticFunctionsReified): Deleted.
1867             (JSC::Structure::setStaticFunctionsReified): Deleted.
1868             * runtime/StructureInlines.h:
1869             (JSC::Structure::setEnumerationCache):
1870             (JSC::Structure::enumerationCache):
1871             (JSC::Structure::checkOffsetConsistency):
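The entry above describes replacing C-style bit fields with an explicitly laid-out flag word so that JIT-emitted code can load and test the fields with a known offset and mask. The following is an added illustration of that pattern, not WebKit's own code: `LegacyFlags`, `StructureBits`, the bit names, and `jitStyleTest` are all hypothetical and chosen for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Hypothetical "before": C-style bit fields. The compiler picks the storage
// unit, bit order and padding, so code generated at run time (a JIT) has no
// portable byte offset or bit mask it can rely on to test a flag.
struct LegacyFlags {
    unsigned isDictionary : 1;
    unsigned hasGetterSetterProperties : 1;
    unsigned isExtensible : 1;
};

// Hypothetical "after": every flag lives in one uint32_t at a fixed offset, and
// each field is a named constant. Both C++ accessors and JIT-emitted machine
// code (load word at offsetof(StructureBits, m_bits), AND with mask) agree on
// the layout because the layout is spelled out here rather than left to the compiler.
struct StructureBits {
    static constexpr uint32_t DictionaryBit = 1u << 0;
    static constexpr uint32_t HasGetterSetterPropertiesBit = 1u << 1;
    static constexpr uint32_t ExtensibleBit = 1u << 2;
    // A multi-bit field: a 2-bit "dictionary kind" occupying bits 3..4.
    static constexpr unsigned DictionaryKindShift = 3;
    static constexpr uint32_t DictionaryKindMask = 0x3u << DictionaryKindShift;

    uint32_t m_bits = 0;

    bool test(uint32_t mask) const { return (m_bits & mask) != 0; }

    void set(uint32_t mask, bool value)
    {
        if (value)
            m_bits |= mask;
        else
            m_bits &= ~mask;
    }

    unsigned dictionaryKind() const
    {
        return (m_bits & DictionaryKindMask) >> DictionaryKindShift;
    }

    void setDictionaryKind(unsigned kind)
    {
        // Clear the field, then insert the new value masked to its width.
        m_bits = (m_bits & ~DictionaryKindMask)
            | ((static_cast<uint32_t>(kind) << DictionaryKindShift) & DictionaryKindMask);
    }

    uint32_t rawBits() const { return m_bits; }
};

// Simulates what JIT-emitted code does with this layout: read the raw 32-bit
// word at a compile-time-known byte offset from the object base, then test a
// compile-time-known mask. No knowledge of C++ bit-field packing is needed.
bool jitStyleTest(const StructureBits& structure, uint32_t mask)
{
    const char* base = reinterpret_cast<const char*>(&structure);
    uint32_t word;
    std::memcpy(&word, base + offsetof(StructureBits, m_bits), sizeof word);
    return (word & mask) != 0;
}

// Builds a sample object the way a caller would and returns its raw word, so
// the explicit layout can be checked against the expected bit pattern.
uint32_t buildSample()
{
    StructureBits bits;
    bits.set(StructureBits::DictionaryBit, true);
    bits.set(StructureBits::ExtensibleBit, true);
    bits.set(StructureBits::ExtensibleBit, false); // clearing must not disturb other bits
    bits.setDictionaryKind(2);
    return bits.rawBits();
}
```

The `offsetof` call is valid because `StructureBits` is a standard-layout type; that property is exactly what lets a JIT hard-code the load, and it is what a C-style bit-field struct does not guarantee.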
1872     
1873     2014-06-24  Mark Lam  <mark.lam@apple.com>
1874     
1875             [ftlopt] Renamed DebuggerActivation to DebuggerScope.
1876             <https://webkit.org/b/134273>
1877     
1878             Reviewed by Michael Saboff.
1879     
1880             * CMakeLists.txt:
1881             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1882             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1883             * JavaScriptCore.xcodeproj/project.pbxproj:
1884             * debugger/DebuggerActivation.cpp: Removed.
1885             * debugger/DebuggerActivation.h: Removed.
1886             * debugger/DebuggerScope.cpp: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.cpp.
1887             (JSC::DebuggerScope::DebuggerScope):
1888             (JSC::DebuggerScope::finishCreation):
1889             (JSC::DebuggerScope::visitChildren):
1890             (JSC::DebuggerScope::className):
1891             (JSC::DebuggerScope::getOwnPropertySlot):
1892             (JSC::DebuggerScope::put):
1893             (JSC::DebuggerScope::deleteProperty):
1894             (JSC::DebuggerScope::getOwnPropertyNames):
1895             (JSC::DebuggerScope::defineOwnProperty):
1896             (JSC::DebuggerActivation::DebuggerActivation): Deleted.
1897             (JSC::DebuggerActivation::finishCreation): Deleted.
1898             (JSC::DebuggerActivation::visitChildren): Deleted.
1899             (JSC::DebuggerActivation::className): Deleted.
1900             (JSC::DebuggerActivation::getOwnPropertySlot): Deleted.
1901             (JSC::DebuggerActivation::put): Deleted.
1902             (JSC::DebuggerActivation::deleteProperty): Deleted.
1903             (JSC::DebuggerActivation::getOwnPropertyNames): Deleted.
1904             (JSC::DebuggerActivation::defineOwnProperty): Deleted.
1905             * debugger/DebuggerScope.h: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.h.
1906             (JSC::DebuggerScope::create):
1907             (JSC::DebuggerActivation::create): Deleted.
1908             * runtime/VM.cpp:
1909             (JSC::VM::VM):
1910             * runtime/VM.h:
1911     
1912     2014-06-24  Filip Pizlo  <fpizlo@apple.com>
1913     
1914             [ftlopt] PutByIdFlush can also be converted to a PutByOffset so don't assert otherwise
1915             https://bugs.webkit.org/show_bug.cgi?id=134265
1916     
1917             Reviewed by Geoffrey Garen.
1918             
1919             More assertion fallout from the PutById folding work.
1920     
1921             * dfg/DFGNode.h:
1922             (JSC::DFG::Node::convertToPutByOffset):
1923     
1924     2014-06-24  Filip Pizlo  <fpizlo@apple.com>
1925     
1926             [ftlopt] GC should notify us if it resets to_this
1927             https://bugs.webkit.org/show_bug.cgi?id=128231
1928     
1929             Reviewed by Geoffrey Garen.
1930     
1931             * CMakeLists.txt:
1932             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1933             * JavaScriptCore.xcodeproj/project.pbxproj:
1934             * bytecode/BytecodeList.json:
1935             * bytecode/CodeBlock.cpp:
1936             (JSC::CodeBlock::dumpBytecode):
1937             (JSC::CodeBlock::finalizeUnconditionally):
1938             * bytecode/Instruction.h:
1939             * bytecode/ToThisStatus.cpp: Added.
1940             (JSC::merge):
1941             (WTF::printInternal):
1942             * bytecode/ToThisStatus.h: Added.
1943             * bytecompiler/BytecodeGenerator.cpp:
1944             (JSC::BytecodeGenerator::BytecodeGenerator):
1945             * dfg/DFGByteCodeParser.cpp:
1946             (JSC::DFG::ByteCodeParser::parseBlock):
1947             * llint/LowLevelInterpreter32_64.asm:
1948             * llint/LowLevelInterpreter64.asm:
1949             * runtime/CommonSlowPaths.cpp:
1950             (JSC::SLOW_PATH_DECL):
1951     
1952     2014-06-24  Filip Pizlo  <fpizlo@apple.com>
1953     
1954             [ftlopt] StructureAbstractValue::onlyStructure() should return nullptr if isClobbered()
1955             https://bugs.webkit.org/show_bug.cgi?id=134256
1956     
1957             Reviewed by Michael Saboff.
1958             
1959             This isn't testable right now (i.e. it's benign) but we should get it right anyway. The
1960             point is to be able to precisely model what goes on in the snippets of code between a
1961             side-effect and an InvalidationPoint.
1962             
1963             This patch also cleans up onlyStructure() by delegating more work to
1964             StructureSet::onlyStructure().
1965     
1966             * dfg/DFGStructureAbstractValue.h:
1967             (JSC::DFG::StructureAbstractValue::onlyStructure):
1968     
1969     2014-06-24  Filip Pizlo  <fpizlo@apple.com>
1970     
1971             [ftlopt][REGRESSION] PutById AI is introducing watchable structures without watching them
1972             https://bugs.webkit.org/show_bug.cgi?id=134260
1973     
1974             Reviewed by Geoffrey Garen.
1975             
1976             This was causing loads of assertion failures in debug builds.
1977     
1978             * dfg/DFGAbstractInterpreterInlines.h:
1979             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1980     
1981     2014-06-21  Filip Pizlo  <fpizlo@apple.com>
1982     
1983             [ftlopt] Fold GetById/PutById to MultiGetByOffset/GetByOffset or MultiPutByOffset/PutByOffset, which implies handling non-singleton sets
1984             https://bugs.webkit.org/show_bug.cgi?id=134090
1985     
1986             Reviewed by Oliver Hunt.
1987             
1988             This pretty much finishes off the work to eliminate the special-casing of singleton
1989             structure sets by making it possible to fold GetById and PutById to various polymorphic
1990             forms of the ByOffset nodes.
1991             
1992             * bytecode/GetByIdStatus.cpp:
1993             (JSC::GetByIdStatus::computeForStubInfo):
1994             (JSC::GetByIdStatus::computeFor):
1995             * bytecode/GetByIdStatus.h:
1996             * bytecode/PutByIdStatus.cpp:
1997             (JSC::PutByIdStatus::computeFor):
1998             * bytecode/PutByIdStatus.h:
1999             * bytecode/PutByIdVariant.h:
2000             (JSC::PutByIdVariant::constantChecks):
2001             * dfg/DFGAbstractInterpreterInlines.h:
2002             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2003             * dfg/DFGByteCodeParser.cpp:
2004             (JSC::DFG::ByteCodeParser::parseBlock):
2005             * dfg/DFGConstantFoldingPhase.cpp:
2006             (JSC::DFG::ConstantFoldingPhase::foldConstants):
2007             (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
2008             (JSC::DFG::ConstantFoldingPhase::addChecks):
2009             * dfg/DFGNode.h:
2010             (JSC::DFG::Node::convertToMultiGetByOffset):
2011             (JSC::DFG::Node::convertToMultiPutByOffset):
2012             * dfg/DFGSpeculativeJIT64.cpp: Also convert all release assertions to DFG assertions in this file, because I was hitting some of them while debugging.
2013             (JSC::DFG::SpeculativeJIT::fillJSValue):
2014             (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
2015             (JSC::DFG::SpeculativeJIT::emitCall):
2016             (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2017             (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
2018             (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
2019             (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2020             (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2021             (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2022             (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2023             (JSC::DFG::SpeculativeJIT::emitBranch):
2024             (JSC::DFG::SpeculativeJIT::compile):
2025             * dfg/DFGStructureAbstractValue.h:
2026             (JSC::DFG::StructureAbstractValue::set):
2027     
2028     2014-06-19  Filip Pizlo  <fpizlo@apple.com>
2029     
2030             [ftlopt] StructureSet::onlyStructure() should return nullptr if it's not a singleton (instead of asserting)
2031             https://bugs.webkit.org/show_bug.cgi?id=134077
2032     
2033             Reviewed by Sam Weinig.
2034             
2035             This makes StructureSet and StructureAbstractValue more consistent and fixes a debug assert
2036             in the abstract interpreter.
2037     
2038             * bytecode/StructureSet.h:
2039             (JSC::StructureSet::onlyStructure):
2040     
2041     2014-06-18  Filip Pizlo  <fpizlo@apple.com>
2042     
2043             DFG AI and constant folder should be able to precisely prune MultiGetByOffset/MultiPutByOffset even if the base structure abstract value is not a singleton
2044             https://bugs.webkit.org/show_bug.cgi?id=133918
2045     
2046             Reviewed by Mark Hahnenberg.
2047             
2048             This also adds pruning of PutStructure, since I basically had no choice but
2049             to implement such logic within MultiPutByOffset.
2050             
2051             Also adds a bunch of PutById cache status dumping to bytecode dumping.
2052     
2053             * bytecode/GetByIdVariant.cpp:
2054             (JSC::GetByIdVariant::dumpInContext):
2055             * bytecode/GetByIdVariant.h:
2056             (JSC::GetByIdVariant::structureSet):
2057             * bytecode/PutByIdVariant.h:
2058             (JSC::PutByIdVariant::oldStructure):
2059             * bytecode/StructureSet.cpp:
2060             (JSC::StructureSet::filter):
2061             (JSC::StructureSet::filterArrayModes):
2062             * bytecode/StructureSet.h:
2063             * dfg/DFGAbstractInterpreterInlines.h:
2064             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2065             * dfg/DFGAbstractValue.cpp:
2066             (JSC::DFG::AbstractValue::changeStructure):
2067             (JSC::DFG::AbstractValue::contains):
2068             * dfg/DFGAbstractValue.h:
2069             (JSC::DFG::AbstractValue::couldBeType):
2070             (JSC::DFG::AbstractValue::isType):
2071             * dfg/DFGConstantFoldingPhase.cpp:
2072             (JSC::DFG::ConstantFoldingPhase::foldConstants):
2073             (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
2074             (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
2075             (JSC::DFG::ConstantFoldingPhase::addBaseCheck):
2076             * dfg/DFGGraph.cpp:
2077             (JSC::DFG::Graph::freezeStrong):
2078             * dfg/DFGGraph.h:
2079             * dfg/DFGStructureAbstractValue.h:
2080             (JSC::DFG::StructureAbstractValue::operator=):
2081             * ftl/FTLLowerDFGToLLVM.cpp:
2082             (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
2083             * tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check.js: Added.
2084             (foo):
2085             (fu):
2086             (bar):
2087             (baz):
2088             (.bar):
2089             (.baz):
2090             * tests/stress/fold-multi-put-by-offset-to-put-by-offset-without-folding-the-structure-check.js: Added.
2091             (foo):
2092             (fu):
2093             (bar):
2094             (baz):
2095             (.bar):
2096             (.baz):
2097             * tests/stress/prune-multi-put-by-offset-replace-or-transition-variant.js: Added.
2098             (foo):
2099             (fu):
2100             (bar):
2101             (baz):
2102             (.bar):
2103             (.baz):
2104     
2105     2014-06-18  Mark Hahnenberg  <mhahnenberg@apple.com>
2106     
2107             Remove CompoundType and LeafType
2108             https://bugs.webkit.org/show_bug.cgi?id=134037
2109     
2110             Reviewed by Filip Pizlo.
2111     
2112             We don't use them for anything. We'll replace them with a generic CellType type for all 
2113             the objects that are JSCells, aren't JSObjects, and for which we generally don't care about 
2114             their JSType at runtime.
2115     
2116             * llint/LLIntData.cpp:
2117             (JSC::LLInt::Data::performAssertions):
2118             * runtime/ArrayBufferNeuteringWatchpoint.cpp:
2119             (JSC::ArrayBufferNeuteringWatchpoint::createStructure):
2120             * runtime/Executable.h:
2121             (JSC::ExecutableBase::createStructure):
2122             (JSC::NativeExecutable::createStructure):
2123             * runtime/JSPromiseDeferred.h:
2124             (JSC::JSPromiseDeferred::createStructure):
2125             * runtime/JSPromiseReaction.h:
2126             (JSC::JSPromiseReaction::createStructure):
2127             * runtime/JSPropertyNameIterator.h:
2128             (JSC::JSPropertyNameIterator::createStructure):
2129             * runtime/JSType.h:
2130             * runtime/JSTypeInfo.h:
2131             (JSC::TypeInfo::TypeInfo):
2132             * runtime/MapData.h:
2133             (JSC::MapData::createStructure):
2134             * runtime/PropertyMapHashTable.h:
2135             (JSC::PropertyTable::createStructure):
2136             * runtime/RegExp.h:
2137             (JSC::RegExp::createStructure):
2138             * runtime/SparseArrayValueMap.cpp:
2139             (JSC::SparseArrayValueMap::createStructure):
2140             * runtime/Structure.cpp:
2141             (JSC::Structure::Structure):
2142             * runtime/StructureChain.h:
2143             (JSC::StructureChain::createStructure):
2144             * runtime/StructureRareData.cpp:
2145             (JSC::StructureRareData::createStructure):
2146             * runtime/SymbolTable.h:
2147             (JSC::SymbolTable::createStructure):
2148             * runtime/WeakMapData.h:
2149             (JSC::WeakMapData::createStructure):
2150     
2151     2014-06-17  Filip Pizlo  <fpizlo@apple.com>
2152     
2153             [ftlopt] PutStructure and PhantomPutStructure shouldn't leave the world in a clobbered state
2154             https://bugs.webkit.org/show_bug.cgi?id=134002
2155     
2156             Reviewed by Mark Hahnenberg.
2157             
2158             The effect of this bug was that if we had a PutStructure or PhantomPutStructure then any
2159             JSConstants would be in a Clobbered state, so we wouldn't take advantage of our knowledge
2160             of the structure if that structure was watchable.
2161             
2162             Also kill PhantomPutStructure.
2163     
2164             * dfg/DFGAbstractInterpreterInlines.h:
2165             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2166             (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
2167             (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
2168             * dfg/DFGClobberize.h:
2169             (JSC::DFG::clobberize):
2170             * dfg/DFGDoesGC.cpp:
2171             (JSC::DFG::doesGC):
2172             * dfg/DFGFixupPhase.cpp:
2173             (JSC::DFG::FixupPhase::fixupNode):
2174             * dfg/DFGGraph.cpp:
2175             (JSC::DFG::Graph::visitChildren):
2176             * dfg/DFGNode.h:
2177             (JSC::DFG::Node::hasTransition):
2178             * dfg/DFGNodeType.h:
2179             * dfg/DFGPredictionPropagationPhase.cpp:
2180             (JSC::DFG::PredictionPropagationPhase::propagate):
2181             * dfg/DFGSafeToExecute.h:
2182             (JSC::DFG::safeToExecute):
2183             * dfg/DFGSpeculativeJIT32_64.cpp:
2184             (JSC::DFG::SpeculativeJIT::compile):
2185             * dfg/DFGSpeculativeJIT64.cpp:
2186             (JSC::DFG::SpeculativeJIT::compile):
2187             * dfg/DFGStructureAbstractValue.cpp:
2188             (JSC::DFG::StructureAbstractValue::observeTransition):
2189             (JSC::DFG::StructureAbstractValue::observeTransitions):
2190             * dfg/DFGValidate.cpp:
2191             (JSC::DFG::Validate::validate):
2192             * dfg/DFGWatchableStructureWatchingPhase.cpp:
2193             (JSC::DFG::WatchableStructureWatchingPhase::run):
2194             * ftl/FTLCapabilities.cpp:
2195             (JSC::FTL::canCompile):
2196             * ftl/FTLLowerDFGToLLVM.cpp:
2197             (JSC::FTL::LowerDFGToLLVM::compileNode):
2198             (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure): Deleted.
2199     
2200     2014-06-17  Filip Pizlo  <fpizlo@apple.com>
2201     
2202             [ftlopt] DFG put_by_id should inline accesses with a slightly polymorphic base
2203             https://bugs.webkit.org/show_bug.cgi?id=133964
2204     
2205             Reviewed by Mark Hahnenberg.
2206     
2207             * bytecode/PutByIdStatus.cpp:
2208             (JSC::PutByIdStatus::appendVariant):
2209             (JSC::PutByIdStatus::computeForStubInfo):
2210             * bytecode/PutByIdVariant.cpp:
2211             (JSC::PutByIdVariant::oldStructureForTransition):
2212             (JSC::PutByIdVariant::writesStructures):
2213             (JSC::PutByIdVariant::reallocatesStorage):
2214             (JSC::PutByIdVariant::attemptToMerge):
2215             (JSC::PutByIdVariant::attemptToMergeTransitionWithReplace):
2216             (JSC::PutByIdVariant::dumpInContext):
2217             * bytecode/PutByIdVariant.h:
2218             (JSC::PutByIdVariant::PutByIdVariant):
2219             (JSC::PutByIdVariant::replace):
2220             (JSC::PutByIdVariant::transition):
2221             (JSC::PutByIdVariant::structure):
2222             (JSC::PutByIdVariant::oldStructure):
2223             * dfg/DFGAbstractInterpreterInlines.h:
2224             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2225             * dfg/DFGByteCodeParser.cpp:
2226             (JSC::DFG::ByteCodeParser::handlePutById):
2227             (JSC::DFG::ByteCodeParser::parseBlock):
2228             * dfg/DFGConstantFoldingPhase.cpp:
2229             (JSC::DFG::ConstantFoldingPhase::foldConstants):
2230             (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
2231             * dfg/DFGGraph.cpp:
2232             (JSC::DFG::Graph::visitChildren):
2233             * dfg/DFGNode.cpp:
2234             (JSC::DFG::MultiPutByOffsetData::writesStructures):
2235             (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
2236             * ftl/FTLAbbreviations.h:
2237             (JSC::FTL::getLinkage):
2238             * ftl/FTLLowerDFGToLLVM.cpp:
2239             (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
2240             (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):
2241     
2242 2014-07-25  Filip Pizlo  <fpizlo@apple.com>
2243
2244         Add an option to disable native call inlining. Disable it for now to see how it
2245         affects the bots.
2246
2247         * dfg/DFGByteCodeParser.cpp:
2248         (JSC::DFG::ByteCodeParser::handleCall):
2249         * runtime/Options.h:
2250
2251 2014-07-25  Filip Pizlo  <fpizlo@apple.com>
2252
2253         Fix cloop.
2254
2255         * dfg/DFGMayExit.cpp:
2256
2257 2014-07-25  Filip Pizlo  <fpizlo@apple.com>
2258
2259         Merge r169795, r169819, r169864, r169902, r169949, r169950, r170016, r170017, r170060, r170064 from ftlopt.
2260
2261     2014-06-17  Filip Pizlo  <fpizlo@apple.com>
2262     
2263             [ftlopt] Fold constant Phis
2264             https://bugs.webkit.org/show_bug.cgi?id=133967
2265     
2266             Reviewed by Mark Hahnenberg.
2267             
2268             It's surprising but we didn't really do this before. Or, rather, we only did it
2269             incidentally when we would likely crash if it ever happened.
2270             
            Making this work required cleaning up the validator a bit, so I did that too. I also added
2272             mayExit() validation for nodes that didn't have origin.forExit (i.e. nodes that end up in
2273             the Phi header of basic blocks). But this required beefing up mayExit() a bit.
2274     
2275             * dfg/DFGAbstractInterpreterInlines.h:
2276             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2277             * dfg/DFGAdjacencyList.h:
2278             (JSC::DFG::AdjacencyList::isEmpty):
2279             * dfg/DFGConstantFoldingPhase.cpp:
2280             (JSC::DFG::ConstantFoldingPhase::run):
2281             (JSC::DFG::ConstantFoldingPhase::foldConstants):
2282             (JSC::DFG::ConstantFoldingPhase::fixUpsilons):
2283             * dfg/DFGInPlaceAbstractState.h:
2284             * dfg/DFGLICMPhase.cpp:
2285             (JSC::DFG::LICMPhase::run):
2286             (JSC::DFG::LICMPhase::attemptHoist):
2287             * dfg/DFGMayExit.cpp:
2288             (JSC::DFG::mayExit):
2289             * dfg/DFGValidate.cpp:
2290             (JSC::DFG::Validate::validate):
2291             (JSC::DFG::Validate::validateSSA):
2292     
2293     2014-06-17  Filip Pizlo  <fpizlo@apple.com>
2294     
2295             [ftlopt] Get rid of NodeDoesNotExit and also get rid of StoreEliminationPhase
2296             https://bugs.webkit.org/show_bug.cgi?id=133985
2297     
2298             Reviewed by Michael Saboff and Mark Hahnenberg.
2299             
2300             Store elimination phase has never been very profitable, and now that LLVM can do dead
2301             store elimination for us, this phase is just completely pointless.
2302             
2303             This phase is also the primary user of NodeDoesNotExit, which is a flag that the CFA
2304             computes. It computes it poorly and we often get bugs in it. It's also a lot of code to
2305             maintain.
2306             
2307             This patch does introduce a new mayExit() calculator that is independent of the CFA and
2308             should be enough for most of the previous NodeDoesNotExit users. Currently it's only used
2309             for assertions in the DFG backend, but we could use it if we ever brought back any of the
2310             other optimizations that previously relied upon NodeDoesNotExit.
2311             
2312             This is performance-neutral, except for SunSpider, where it's a speed-up.
2313     
2314             * CMakeLists.txt:
2315             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2316             * JavaScriptCore.xcodeproj/project.pbxproj:
2317             * dfg/DFGAbstractInterpreter.h:
2318             (JSC::DFG::AbstractInterpreter::filterEdgeByUse):
2319             (JSC::DFG::AbstractInterpreter::filterByType):
2320             * dfg/DFGAbstractInterpreterInlines.h:
2321             (JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting):
2322             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2323             * dfg/DFGCSEPhase.cpp:
2324             (JSC::DFG::CSEPhase::CSEPhase):
2325             (JSC::DFG::CSEPhase::invalidationPointElimination):
2326             (JSC::DFG::CSEPhase::setLocalStoreElimination):
2327             (JSC::DFG::CSEPhase::performNodeCSE):
2328             (JSC::DFG::CSEPhase::performBlockCSE):
2329             (JSC::DFG::performCSE):
2330             (JSC::DFG::CSEPhase::globalVarStoreElimination): Deleted.
2331             (JSC::DFG::CSEPhase::scopedVarStoreElimination): Deleted.
2332             (JSC::DFG::CSEPhase::putStructureStoreElimination): Deleted.
2333             (JSC::DFG::CSEPhase::putByOffsetStoreElimination): Deleted.
2334             (JSC::DFG::CSEPhase::SetLocalStoreEliminationResult::SetLocalStoreEliminationResult): Deleted.
2335             (JSC::DFG::performStoreElimination): Deleted.
2336             * dfg/DFGCSEPhase.h:
2337             * dfg/DFGFixupPhase.cpp:
2338             (JSC::DFG::FixupPhase::fixupNode):
2339             * dfg/DFGGraph.cpp:
2340             (JSC::DFG::Graph::resetExitStates): Deleted.
2341             * dfg/DFGGraph.h:
2342             * dfg/DFGMayExit.cpp: Added.
2343             (JSC::DFG::mayExit):
2344             * dfg/DFGMayExit.h: Added.
2345             * dfg/DFGNode.h:
2346             (JSC::DFG::Node::mergeFlags):
2347             (JSC::DFG::Node::filterFlags):
2348             (JSC::DFG::Node::setCanExit): Deleted.
2349             (JSC::DFG::Node::canExit): Deleted.
2350             * dfg/DFGNodeFlags.cpp:
2351             (JSC::DFG::dumpNodeFlags):
2352             * dfg/DFGNodeFlags.h:
2353             * dfg/DFGNodeType.h:
2354             * dfg/DFGPlan.cpp:
2355             (JSC::DFG::Plan::compileInThreadImpl):
2356             * dfg/DFGSpeculativeJIT.cpp:
2357             (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
2358             (JSC::DFG::SpeculativeJIT::bail):
2359             (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2360             * dfg/DFGSpeculativeJIT32_64.cpp:
2361             (JSC::DFG::SpeculativeJIT::compile):
2362             * dfg/DFGSpeculativeJIT64.cpp:
2363             (JSC::DFG::SpeculativeJIT::compile):
2364     
2365     2014-06-15  Filip Pizlo  <fpizlo@apple.com>
2366     
2367             [ftlopt] Remove the DFG optimization fixpoint and remove some obvious reasons why we previously benefited from it
2368             https://bugs.webkit.org/show_bug.cgi?id=133931
2369     
2370             Reviewed by Oliver Hunt.
2371     
2372             * dfg/DFGAbstractInterpreterInlines.h:
2373             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Trigger constant-folding for GetMyArgumentByVal (which means turning it into GetLocalUnlinked) and correct the handling of Upsilon so we don't fold them away.
2374             * dfg/DFGConstantFoldingPhase.cpp:
2375             (JSC::DFG::ConstantFoldingPhase::foldConstants): Implement constant-folding for GetMyArgumentByVal.
2376             * dfg/DFGPlan.cpp:
2377             (JSC::DFG::Plan::compileInThreadImpl): Remove the fixpoint.
2378     
2379     2014-06-15  Filip Pizlo  <fpizlo@apple.com>
2380     
2381             [ftlopt] DFG OSR entry should have a crystal-clear story for when it's safe to enter at a block with a set of values
2382             https://bugs.webkit.org/show_bug.cgi?id=133935
2383     
2384             Reviewed by Oliver Hunt.
2385     
2386             * bytecode/Operands.h:
2387             (JSC::Operands::Operands):
2388             (JSC::Operands::ensureLocals):
2389             * dfg/DFGAbstractValue.cpp:
2390             (JSC::DFG::AbstractValue::filter): Now we can compute intersections of abstract values!
2391             * dfg/DFGAbstractValue.h:
2392             (JSC::DFG::AbstractValue::makeFullTop): Completeness.
2393             (JSC::DFG::AbstractValue::bytecodeTop): Completeness.
2394             (JSC::DFG::AbstractValue::fullTop): Completeness. We end up using this one.
2395             * dfg/DFGBasicBlock.cpp:
2396             (JSC::DFG::BasicBlock::BasicBlock):
2397             (JSC::DFG::BasicBlock::ensureLocals):
2398             * dfg/DFGBasicBlock.h: Remember the intersection of all things ever proven.
2399             * dfg/DFGCFAPhase.cpp:
2400             (JSC::DFG::CFAPhase::run): Compute the intersection.
2401             * dfg/DFGConstantFoldingPhase.cpp:
2402             (JSC::DFG::ConstantFoldingPhase::foldConstants): No need for the weirdo merge check since this fixes the root of the problem.
2403             * dfg/DFGGraph.cpp:
2404             (JSC::DFG::Graph::dumpBlockHeader): Better dumping.
2405             (JSC::DFG::Graph::dump): Better dumping.
2406             * dfg/DFGJITCompiler.h:
2407             (JSC::DFG::JITCompiler::noticeOSREntry): Use the intersected abstract value.
2408             * dfg/DFGSpeculativeJIT.cpp:
2409             (JSC::DFG::SpeculativeJIT::compileCurrentBlock): Assert if the intersected state indicates the block shouldn't execute.
2410     
2411     2014-06-12  Filip Pizlo  <fpizlo@apple.com>
2412     
2413             [ftlopt] A DFG inlined ById access variant should not speak of a chain, but only of what structures to test the base for, whether to use a constant as an alternate base for the actual access, and what structures to check on what additional cell constants
2414             https://bugs.webkit.org/show_bug.cgi?id=133821
2415     
2416             Reviewed by Mark Hahnenberg.
2417             
2418             This allows us to efficiently cache accesses that differ only in the prototypes on the path
2419             from the base to the prototype that has the field.
2420             
2421             It also simplifies a bunch of code - IntendedStructureChain is now just an intermediate
2422             data structure.
2423     
2424             * CMakeLists.txt:
2425             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2426             * JavaScriptCore.xcodeproj/project.pbxproj:
2427             * bytecode/ConstantStructureCheck.cpp: Added.
2428             (JSC::ConstantStructureCheck::dumpInContext):
2429             (JSC::ConstantStructureCheck::dump):
2430             (JSC::structureFor):
2431             (JSC::areCompatible):
2432             (JSC::mergeInto):
2433             * bytecode/ConstantStructureCheck.h: Added.
2434             (JSC::ConstantStructureCheck::ConstantStructureCheck):
2435             (JSC::ConstantStructureCheck::operator!):
2436             (JSC::ConstantStructureCheck::constant):
2437             (JSC::ConstantStructureCheck::structure):
2438             * bytecode/GetByIdStatus.cpp:
2439             (JSC::GetByIdStatus::computeForStubInfo):
2440             * bytecode/GetByIdVariant.cpp:
2441             (JSC::GetByIdVariant::GetByIdVariant):
2442             (JSC::GetByIdVariant::operator=):
2443             (JSC::GetByIdVariant::attemptToMerge):
2444             (JSC::GetByIdVariant::dumpInContext):
2445             * bytecode/GetByIdVariant.h:
2446             (JSC::GetByIdVariant::constantChecks):
2447             (JSC::GetByIdVariant::alternateBase):
2448             (JSC::GetByIdVariant::GetByIdVariant): Deleted.
2449             (JSC::GetByIdVariant::chain): Deleted.
2450             * bytecode/PutByIdVariant.cpp:
2451             (JSC::PutByIdVariant::dumpInContext):
2452             * bytecode/PutByIdVariant.h:
2453             (JSC::PutByIdVariant::transition):
2454             (JSC::PutByIdVariant::constantChecks):
2455             (JSC::PutByIdVariant::structureChain): Deleted.
2456             * dfg/DFGAbstractInterpreterInlines.h:
2457             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2458             * dfg/DFGByteCodeParser.cpp:
2459             (JSC::DFG::ByteCodeParser::emitChecks):
2460             (JSC::DFG::ByteCodeParser::handleGetById):
2461             (JSC::DFG::ByteCodeParser::handlePutById):
2462             (JSC::DFG::ByteCodeParser::cellConstantWithStructureCheck): Deleted.
2463             (JSC::DFG::ByteCodeParser::structureChainIsStillValid): Deleted.
2464             (JSC::DFG::ByteCodeParser::emitPrototypeChecks): Deleted.
2465             * dfg/DFGConstantFoldingPhase.cpp:
2466             (JSC::DFG::ConstantFoldingPhase::foldConstants):
2467             (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
2468             (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
2469             (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
2470             * dfg/DFGDesiredStructureChains.cpp: Removed.
2471             * dfg/DFGDesiredStructureChains.h: Removed.
2472             * dfg/DFGGraph.h:
2473             (JSC::DFG::Graph::watchpoints):
2474             (JSC::DFG::Graph::chains): Deleted.
2475             * dfg/DFGPlan.cpp:
2476             (JSC::DFG::Plan::isStillValid):
2477             (JSC::DFG::Plan::checkLivenessAndVisitChildren):
2478             (JSC::DFG::Plan::cancel):
2479             * dfg/DFGPlan.h:
2480             * ftl/FTLLowerDFGToLLVM.cpp:
2481             (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
2482             * runtime/IntendedStructureChain.cpp:
2483             (JSC::IntendedStructureChain::gatherChecks):
2484             * runtime/IntendedStructureChain.h:
2485             (JSC::IntendedStructureChain::at):
2486             (JSC::IntendedStructureChain::operator[]):
2487     
2488     2014-06-12  Filip Pizlo  <fpizlo@apple.com>
2489     
2490             [ftlopt] Constant folding and strength reduction should work in SSA
2491             https://bugs.webkit.org/show_bug.cgi?id=133839
2492     
2493             Reviewed by Oliver Hunt.
2494     
2495             * dfg/DFGAtTailAbstractState.cpp:
2496             (JSC::DFG::AtTailAbstractState::AtTailAbstractState):
2497             (JSC::DFG::AtTailAbstractState::forNode):
2498             * dfg/DFGAtTailAbstractState.h:
2499             * dfg/DFGConstantFoldingPhase.cpp:
2500             (JSC::DFG::ConstantFoldingPhase::foldConstants):
2501             * dfg/DFGGraph.cpp:
2502             (JSC::DFG::Graph::convertToConstant):
2503             * dfg/DFGIntegerCheckCombiningPhase.cpp:
2504             (JSC::DFG::IntegerCheckCombiningPhase::rangeKeyAndAddend): Fix an unrelated regression that this uncovered.
2505             * dfg/DFGLICMPhase.cpp:
2506             (JSC::DFG::LICMPhase::LICMPhase):
2507             * dfg/DFGPlan.cpp:
2508             (JSC::DFG::Plan::compileInThreadImpl):
2509     
2510     2014-06-11  Filip Pizlo  <fpizlo@apple.com>
2511     
2512             [ftlopt] DFG get_by_id should inline chain accesses with a slightly polymorphic base
2513             https://bugs.webkit.org/show_bug.cgi?id=133751
2514     
2515             Reviewed by Mark Hahnenberg.
2516     
2517             * bytecode/GetByIdStatus.cpp:
2518             (JSC::GetByIdStatus::appendVariant):
2519             (JSC::GetByIdStatus::computeForStubInfo):
2520             * bytecode/GetByIdVariant.cpp:
2521             (JSC::GetByIdVariant::attemptToMerge):
2522             * bytecode/GetByIdVariant.h:
2523             * bytecode/PutByIdStatus.cpp:
2524             (JSC::PutByIdStatus::computeFor):
2525             * dfg/DFGByteCodeParser.cpp:
2526             (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
2527             (JSC::DFG::ByteCodeParser::handleGetById):
2528             (JSC::DFG::ByteCodeParser::handlePutById):
2529             * runtime/IntendedStructureChain.cpp:
2530             (JSC::IntendedStructureChain::IntendedStructureChain):
2531             (JSC::IntendedStructureChain::isStillValid):
2532             (JSC::IntendedStructureChain::isNormalized):
2533             (JSC::IntendedStructureChain::terminalPrototype):
2534             (JSC::IntendedStructureChain::operator==):
2535             (JSC::IntendedStructureChain::visitChildren):
2536             (JSC::IntendedStructureChain::dumpInContext):
2537             (JSC::IntendedStructureChain::chain): Deleted.
2538             * runtime/IntendedStructureChain.h:
2539             (JSC::IntendedStructureChain::prototype):
2540             (JSC::IntendedStructureChain::operator!=):
2541             (JSC::IntendedStructureChain::head): Deleted.
2542     
2543     2014-06-11  Matthew Mirman  <mmirman@apple.com>
2544     
            Re-added native calling to the FTL and split the DFG nodes
            Call and Construct into NativeCall and NativeConstruct
            to better represent their semantics.
            https://bugs.webkit.org/show_bug.cgi?id=133660
    
            Reviewed by Filip Pizlo.
    
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            Added NativeCall and NativeConstruct case.
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::addCall): added NativeCall case.
            (JSC::DFG::ByteCodeParser::handleCall):
            set to return NativeCall or NativeConstruct instead of Call or Construct
            in the presence of a native function.
            * dfg/DFGClobberize.h:
            (JSC::DFG::clobberize): added NativeCall and NativeConstruct case.
            * dfg/DFGDoesGC.cpp:
            (JSC::DFG::doesGC): added NativeCall and NativeConstruct case.
            * dfg/DFGFixupPhase.cpp:
            (JSC::DFG::FixupPhase::fixupNode): added NativeCall and NativeConstruct case.
            * dfg/DFGNode.h:
            (JSC::DFG::Node::hasHeapPrediction): added NativeCall and NativeConstruct case.
            (JSC::DFG::Node::canBeKnownFunction): changed to NativeCall and NativeConstruct.
            (JSC::DFG::Node::hasKnownFunction): changed to NativeCall and NativeConstruct.
            * dfg/DFGNodeType.h: added NativeCall and NativeConstruct.
            * dfg/DFGPredictionPropagationPhase.cpp:
            (JSC::DFG::PredictionPropagationPhase::propagate): added NativeCall and NativeConstruct case.
            * dfg/DFGSafeToExecute.h:
            (JSC::DFG::safeToExecute): added NativeCall and NativeConstruct case.
            * dfg/DFGSpeculativeJIT32_64.cpp:
            (JSC::DFG::SpeculativeJIT::emitCall): ditto.
            (JSC::DFG::SpeculativeJIT::compile): ditto.
            * dfg/DFGSpeculativeJIT64.cpp:
            (JSC::DFG::SpeculativeJIT::emitCall): ditto.
            (JSC::DFG::SpeculativeJIT::compile): ditto.
            * ftl/FTLCapabilities.cpp:
            (JSC::FTL::canCompile): ditto.
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::lower): ditto.
            (JSC::FTL::LowerDFGToLLVM::compileNode): ditto.
            (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct): Added.
            (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct): removed NativeCall and NativeConstruct functionality.
            (JSC::FTL::LowerDFGToLLVM::didOverflowStack): added NativeCall and NativeConstruct case.
            * runtime/JSCJSValue.h: added JS_EXPORT_PRIVATE to toInteger as it is apparently needed.
2590            
2591     2014-06-11  Matthew Mirman  <mmirman@apple.com>
2592     
2593             Ensured Native Calls and Construct and associated checks 
2594             are only emitted during ftl mode.
2595             https://bugs.webkit.org/show_bug.cgi?id=133718
2596             
2597             Reviewed by Filip Pizlo.
2598             
2599             * dfg/DFGByteCodeParser.cpp:
2600             (JSC::DFG::ByteCodeParser::handleCall): Added check for ftl mode 
2601             before attaching the native function to Call or Construct.
2602             
2603     2014-06-10  Filip Pizlo  <fpizlo@apple.com>
2604     
2605             [ftlopt] DFG should use its own notion of JSValue, which we should call FrozenValue, that will carry around a copy of its structure
2606             https://bugs.webkit.org/show_bug.cgi?id=133426
2607     
2608             Reviewed by Geoffrey Garen.
2609             
2610             The impetus for this was to provide some sense and reason to race conditions arising from
2611             cell constants having their structure changed on the main thread - this is harmess because
2612             cell constants having their structure changed on the main thread - this is harmless because
2613             requires a race. Giving the DFG the ability to "freeze" a cell's structure fixes this.
2614             
2615             But this patch goes quite a bit further, and completely rationalizes how the DFG reasons
2616             about constants. It no longer relies on the CodeBlock constant pool at all, which allows
2617             for a more object-oriented approach: for example a Node that has a constant can tell you
2618             what constant it has without needing a CodeBlock.
2619     
2620             * CMakeLists.txt:
2621             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2622             * JavaScriptCore.xcodeproj/project.pbxproj:
2623             * bytecode/CallLinkStatus.cpp:
2624             (JSC::CallLinkStatus::computeExitSiteData):
2625             * bytecode/ExitKind.cpp:
2626             (JSC::exitKindToString):
2627             (JSC::exitKindIsCountable):
2628             * bytecode/ExitKind.h:
2629             (JSC::isWatchpoint): Deleted.
2630             * bytecode/GetByIdStatus.cpp:
2631             (JSC::GetByIdStatus::hasExitSite):
2632             * bytecode/PutByIdStatus.cpp:
2633             (JSC::PutByIdStatus::hasExitSite):
2634             * dfg/DFGAbstractInterpreter.h:
2635             (JSC::DFG::AbstractInterpreter::filterByValue):
2636             (JSC::DFG::AbstractInterpreter::setBuiltInConstant):
2637             (JSC::DFG::AbstractInterpreter::setConstant):
2638             * dfg/DFGAbstractInterpreterInlines.h:
2639             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2640             (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterByValue):
2641             * dfg/DFGAbstractValue.cpp:
2642             (JSC::DFG::AbstractValue::setOSREntryValue):
2643             (JSC::DFG::AbstractValue::set):
2644             (JSC::DFG::AbstractValue::filterByValue):
2645             (JSC::DFG::AbstractValue::setMostSpecific): Deleted.
2646             * dfg/DFGAbstractValue.h:
2647             * dfg/DFGArgumentsSimplificationPhase.cpp:
2648             (JSC::DFG::ArgumentsSimplificationPhase::run):
2649             * dfg/DFGBackwardsPropagationPhase.cpp:
2650             (JSC::DFG::BackwardsPropagationPhase::isNotNegZero):
2651             (JSC::DFG::BackwardsPropagationPhase::isNotPosZero):
2652             (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwoForConstant):
2653             (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
2654             * dfg/DFGByteCodeParser.cpp:
2655             (JSC::DFG::ByteCodeParser::ByteCodeParser):
2656             (JSC::DFG::ByteCodeParser::getDirect):
2657             (JSC::DFG::ByteCodeParser::get):
2658             (JSC::DFG::ByteCodeParser::getLocal):
2659             (JSC::DFG::ByteCodeParser::setLocal):
2660             (JSC::DFG::ByteCodeParser::setArgument):
2661             (JSC::DFG::ByteCodeParser::jsConstant):
2662             (JSC::DFG::ByteCodeParser::weakJSConstant):
2663             (JSC::DFG::ByteCodeParser::cellConstantWithStructureCheck):
2664             (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand):
2665             (JSC::DFG::ByteCodeParser::handleCall):
2666             (JSC::DFG::ByteCodeParser::emitFunctionChecks):
2667             (JSC::DFG::ByteCodeParser::handleInlining):
2668             (JSC::DFG::ByteCodeParser::handleMinMax):
2669             (JSC::DFG::ByteCodeParser::handleIntrinsic):
2670             (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2671             (JSC::DFG::ByteCodeParser::handleGetById):
2672             (JSC::DFG::ByteCodeParser::prepareToParseBlock):
2673             (JSC::DFG::ByteCodeParser::parseBlock):
2674             (JSC::DFG::ByteCodeParser::buildOperandMapsIfNecessary):
2675             (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2676             (JSC::DFG::ByteCodeParser::parseCodeBlock):
2677             (JSC::DFG::ByteCodeParser::addConstant): Deleted.
2678             (JSC::DFG::ByteCodeParser::getJSConstantForValue): Deleted.
2679             (JSC::DFG::ByteCodeParser::getJSConstant): Deleted.
2680             (JSC::DFG::ByteCodeParser::isJSConstant): Deleted.
2681             (JSC::DFG::ByteCodeParser::isInt32Constant): Deleted.
2682             (JSC::DFG::ByteCodeParser::valueOfJSConstant): Deleted.
2683             (JSC::DFG::ByteCodeParser::valueOfInt32Constant): Deleted.
2684             (JSC::DFG::ByteCodeParser::constantUndefined): Deleted.
2685             (JSC::DFG::ByteCodeParser::constantNull): Deleted.
2686             (JSC::DFG::ByteCodeParser::one): Deleted.
2687             (JSC::DFG::ByteCodeParser::constantNaN): Deleted.
2688             (JSC::DFG::ByteCodeParser::cellConstant): Deleted.
2689             (JSC::DFG::ByteCodeParser::inferredConstant): Deleted.
2690             (JSC::DFG::ByteCodeParser::ConstantRecord::ConstantRecord): Deleted.
2691             * dfg/DFGCFGSimplificationPhase.cpp:
2692             (JSC::DFG::CFGSimplificationPhase::run):
2693             * dfg/DFGCSEPhase.cpp:
2694             (JSC::DFG::CSEPhase::constantCSE):
2695             (JSC::DFG::CSEPhase::checkFunctionElimination):
2696             (JSC::DFG::CSEPhase::performNodeCSE):
2697             (JSC::DFG::CSEPhase::weakConstantCSE): Deleted.
2698             * dfg/DFGClobberize.h:
2699             (JSC::DFG::clobberize):
2700             * dfg/DFGCommon.h:
2701             * dfg/DFGConstantFoldingPhase.cpp:
2702             (JSC::DFG::ConstantFoldingPhase::foldConstants):
2703             (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
2704             (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
2705             * dfg/DFGDoesGC.cpp:
2706             (JSC::DFG::doesGC):
2707             * dfg/DFGFixupPhase.cpp:
2708             (JSC::DFG::FixupPhase::fixupNode):
2709             (JSC::DFG::FixupPhase::fixupMakeRope):
2710             (JSC::DFG::FixupPhase::truncateConstantToInt32):
2711             (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
2712             (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
2713             * dfg/DFGFrozenValue.cpp: Added.
2714             (JSC::DFG::FrozenValue::emptySingleton):
2715             (JSC::DFG::FrozenValue::dumpInContext):
2716             (JSC::DFG::FrozenValue::dump):
2717             * dfg/DFGFrozenValue.h: Added.
2718             (JSC::DFG::FrozenValue::FrozenValue):
2719             (JSC::DFG::FrozenValue::operator!):
2720             (JSC::DFG::FrozenValue::value):
2721             (JSC::DFG::FrozenValue::structure):
2722             (JSC::DFG::FrozenValue::strengthenTo):
2723             (JSC::DFG::FrozenValue::strength):
2724             (JSC::DFG::FrozenValue::freeze):
2725             * dfg/DFGGraph.cpp:
2726             (JSC::DFG::Graph::Graph):
2727             (JSC::DFG::Graph::dump):
2728             (JSC::DFG::Graph::tryGetActivation):
2729             (JSC::DFG::Graph::tryGetFoldableView):
2730             (JSC::DFG::Graph::registerFrozenValues):
2731             (JSC::DFG::Graph::visitChildren):
2732             (JSC::DFG::Graph::freezeFragile):
2733             (JSC::DFG::Graph::freeze):
2734             (JSC::DFG::Graph::freezeStrong):
2735             (JSC::DFG::Graph::convertToConstant):
2736             (JSC::DFG::Graph::convertToStrongConstant):
2737             (JSC::DFG::Graph::assertIsWatched):
2738             * dfg/DFGGraph.h:
2739             (JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
2740             (JSC::DFG::Graph::convertToConstant): Deleted.
2741             (JSC::DFG::Graph::constantRegisterForConstant): Deleted.
2742             (JSC::DFG::Graph::getJSConstantSpeculation): Deleted.
2743             (JSC::DFG::Graph::isConstant): Deleted.
2744             (JSC::DFG::Graph::isJSConstant): Deleted.
2745             (JSC::DFG::Graph::isInt32Constant): Deleted.
2746             (JSC::DFG::Graph::isDoubleConstant): Deleted.
2747             (JSC::DFG::Graph::isNumberConstant): Deleted.
2748             (JSC::DFG::Graph::isBooleanConstant): Deleted.
2749             (JSC::DFG::Graph::isCellConstant): Deleted.
2750             (JSC::DFG::Graph::isFunctionConstant): Deleted.
2751             (JSC::DFG::Graph::isInternalFunctionConstant): Deleted.
2752             (JSC::DFG::Graph::valueOfJSConstant): Deleted.
2753             (JSC::DFG::Graph::valueOfInt32Constant): Deleted.
2754             (JSC::DFG::Graph::valueOfNumberConstant): Deleted.
2755             (JSC::DFG::Graph::valueOfBooleanConstant): Deleted.
2756             (JSC::DFG::Graph::valueOfFunctionConstant): Deleted.
2757             (JSC::DFG::Graph::mulImmediateShouldSpeculateInt32): Deleted.
2758             * dfg/DFGInPlaceAbstractState.cpp:
2759             (JSC::DFG::InPlaceAbstractState::initialize):
2760             * dfg/DFGInsertionSet.h:
2761             (JSC::DFG::InsertionSet::insertConstant):
2762             (JSC::DFG::InsertionSet::insertConstantForUse):
2763             * dfg/DFGIntegerCheckCombiningPhase.cpp:
2764             (JSC::DFG::IntegerCheckCombiningPhase::rangeKeyAndAddend):
2765             * dfg/DFGJITCompiler.cpp:
2766             (JSC::DFG::JITCompiler::link):
2767             * dfg/DFGLazyJSValue.cpp:
2768             (JSC::DFG::LazyJSValue::getValue):
2769             (JSC::DFG::LazyJSValue::strictEqual):
2770             (JSC::DFG::LazyJSValue::dumpInContext):
2771             * dfg/DFGLazyJSValue.h:
2772             (JSC::DFG::LazyJSValue::LazyJSValue):
2773             (JSC::DFG::LazyJSValue::tryGetValue):
2774             (JSC::DFG::LazyJSValue::value):
2775             (JSC::DFG::LazyJSValue::switchLookupValue):
2776             * dfg/DFGMinifiedNode.cpp:
2777             (JSC::DFG::MinifiedNode::fromNode):
2778             * dfg/DFGMinifiedNode.h:
2779             (JSC::DFG::belongsInMinifiedGraph):
2780             (JSC::DFG::MinifiedNode::hasConstant):
2781             (JSC::DFG::MinifiedNode::constant):
2782             (JSC::DFG::MinifiedNode::hasConstantNumber): Deleted.
2783             (JSC::DFG::MinifiedNode::constantNumber): Deleted.
2784             (JSC::DFG::MinifiedNode::hasWeakConstant): Deleted.
2785             (JSC::DFG::MinifiedNode::weakConstant): Deleted.
2786             * dfg/DFGNode.h:
2787             (JSC::DFG::Node::hasConstant):
2788             (JSC::DFG::Node::constant):
2789             (JSC::DFG::Node::convertToConstant):
2790             (JSC::DFG::Node::asJSValue):
2791             (JSC::DFG::Node::isInt32Constant):
2792             (JSC::DFG::Node::asInt32):
2793             (JSC::DFG::Node::asUInt32):
2794             (JSC::DFG::Node::isDoubleConstant):
2795             (JSC::DFG::Node::isNumberConstant):
2796             (JSC::DFG::Node::asNumber):
2797             (JSC::DFG::Node::isMachineIntConstant):
2798             (JSC::DFG::Node::asMachineInt):
2799             (JSC::DFG::Node::isBooleanConstant):
2800             (JSC::DFG::Node::asBoolean):
2801             (JSC::DFG::Node::isCellConstant):
2802             (JSC::DFG::Node::asCell):
2803             (JSC::DFG::Node::dynamicCastConstant):
2804             (JSC::DFG::Node::function):
2805             (JSC::DFG::Node::isWeakConstant): Deleted.
2806             (JSC::DFG::Node::constantNumber): Deleted.
2807             (JSC::DFG::Node::convertToWeakConstant): Deleted.
2808             (JSC::DFG::Node::weakConstant): Deleted.
2809             (JSC::DFG::Node::valueOfJSConstant): Deleted.
2810             * dfg/DFGNodeType.h:
2811             * dfg/DFGOSRExitCompiler.cpp:
2812             * dfg/DFGPredictionPropagationPhase.cpp:
2813             (JSC::DFG::PredictionPropagationPhase::propagate):
2814             * dfg/DFGSafeToExecute.h:
2815             (JSC::DFG::safeToExecute):
2816             * dfg/DFGSpeculativeJIT.cpp:
2817             (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
2818             (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
2819             (JSC::DFG::SpeculativeJIT::silentFill):
2820             (JSC::DFG::SpeculativeJIT::compileIn):
2821             (JSC::DFG::SpeculativeJIT::compilePeepHoleBooleanBranch):
2822             (JSC::DFG::SpeculativeJIT::compilePeepHoleInt32Branch):
2823             (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2824             (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2825             (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
2826             (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
2827             (JSC::DFG::SpeculativeJIT::compileAdd):
2828             (JSC::DFG::SpeculativeJIT::compileArithSub):
2829             (JSC::DFG::SpeculativeJIT::compileArithMod):
2830             * dfg/DFGSpeculativeJIT.h:
2831             (JSC::DFG::SpeculativeJIT::valueOfJSConstantAsImm64):
2832             (JSC::DFG::SpeculativeJIT::initConstantInfo):
2833             (JSC::DFG::SpeculativeJIT::isConstant): Deleted.
2834             (JSC::DFG::SpeculativeJIT::isJSConstant): Deleted.
2835             (JSC::DFG::SpeculativeJIT::isInt32Constant): Deleted.
2836             (JSC::DFG::SpeculativeJIT::isDoubleConstant): Deleted.
2837             (JSC::DFG::SpeculativeJIT::isNumberConstant): Deleted.
2838             (JSC::DFG::SpeculativeJIT::isBooleanConstant): Deleted.
2839             (JSC::DFG::SpeculativeJIT::isFunctionConstant): Deleted.
2840             (JSC::DFG::SpeculativeJIT::valueOfInt32Constant): Deleted.
2841             (JSC::DFG::SpeculativeJIT::valueOfNumberConstant): Deleted.
2842             (JSC::DFG::SpeculativeJIT::addressOfDoubleConstant): Deleted.
2843             (JSC::DFG::SpeculativeJIT::valueOfJSConstant): Deleted.
2844             (JSC::DFG::SpeculativeJIT::valueOfBooleanConstant): Deleted.
2845             (JSC::DFG::SpeculativeJIT::valueOfFunctionConstant): Deleted.
2846             (JSC::DFG::SpeculativeJIT::isNullConstant): Deleted.
2847             (JSC::DFG::SpeculativeJIT::isInteger): Deleted.
2848             * dfg/DFGSpeculativeJIT32_64.cpp:
2849             (JSC::DFG::SpeculativeJIT::fillJSValue):
2850             (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2851             (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2852             (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2853             (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2854             (JSC::DFG::SpeculativeJIT::compile):
2855             * dfg/DFGSpeculativeJIT64.cpp:
2856             (JSC::DFG::SpeculativeJIT::fillJSValue):
2857             (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2858             (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
2859             (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2860             (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2861             (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2862             (JSC::DFG::SpeculativeJIT::compile):
2863             * dfg/DFGStrengthReductionPhase.cpp:
2864             (JSC::DFG::StrengthReductionPhase::handleNode):
2865             * dfg/DFGValidate.cpp:
2866             (JSC::DFG::Validate::validate):
2867             * dfg/DFGValueStrength.cpp: Added.
2868             (WTF::printInternal):
2869             * dfg/DFGValueStrength.h: Added.
2870             (JSC::DFG::merge):
2871             * dfg/DFGVariableEventStream.cpp:
2872             (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
2873             (JSC::DFG::VariableEventStream::reconstruct):
2874             * dfg/DFGVariableEventStream.h:
2875             * dfg/DFGWatchableStructureWatchingPhase.cpp:
2876             (JSC::DFG::WatchableStructureWatchingPhase::run):
2877             (JSC::DFG::WatchableStructureWatchingPhase::tryWatch):
2878             * dfg/DFGWatchpointCollectionPhase.cpp:
2879             (JSC::DFG::WatchpointCollectionPhase::handle):
2880             * ftl/FTLCapabilities.cpp:
2881             (JSC::FTL::canCompile):
2882             * ftl/FTLLink.cpp:
2883             (JSC::FTL::link):
2884             * ftl/FTLLowerDFGToLLVM.cpp:
2885             (JSC::FTL::LowerDFGToLLVM::compileNode):
2886             (JSC::FTL::LowerDFGToLLVM::compileDoubleConstant):
2887             (JSC::FTL::LowerDFGToLLVM::compileInt52Constant):
2888             (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
2889             (JSC::FTL::LowerDFGToLLVM::compileCheckFunction):
2890             (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
2891             (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
2892             (JSC::FTL::LowerDFGToLLVM::lowInt32):
2893             (JSC::FTL::LowerDFGToLLVM::lowCell):
2894             (JSC::FTL::LowerDFGToLLVM::lowBoolean):
2895             (JSC::FTL::LowerDFGToLLVM::lowJSValue):
2896             (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
2897             (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant): Deleted.
2898             * ftl/FTLOSRExitCompiler.cpp:
2899             (JSC::FTL::compileStub):
2900             * runtime/JSCJSValue.cpp:
2901             (JSC::JSValue::dumpInContext):
2902             (JSC::JSValue::dumpInContextAssumingStructure):
2903             * runtime/JSCJSValue.h:
2904     
2905 2014-07-24  Brent Fulgham  <bfulgham@apple.com>
2906
2907         [Win] Correct build order in JavaScriptCore.submit.sln
2908         https://bugs.webkit.org/show_bug.cgi?id=135282
2909         <rdar://problem/17805592>
2910
2911         Unreviewed build fix.
2912
2913         * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: Correct build order
2914         such that LLIntDesiredOffset is built prior to the rest of JSC.
2915
2916 2014-07-24  Mark Lam  <mark.lam@apple.com>
2917
2918         JSWrapperMap's jsWrapperForObject() needs to keep weak prototype and constructors from being GCed.
2919         <https://webkit.org/b/135258>
2920
2921         Reviewed by Mark Hahnenberg.
2922
2923         Where needed, we cache the prototype object pointer in a stack local var.
2924         This allows it to be scanned by the GC, and hence be kept alive until
2925         we use it.  The constructor object will in turn be kept alive by the
2926         prototype object.
2927
2928         Also added some comments to warn against future code additions that could
2929         regress this issue.
2930
2931         * API/JSWrapperMap.mm:
2932         (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
2933         (-[JSObjCClassInfo reallocateConstructorAndOrPrototype]):
2934         (-[JSObjCClassInfo wrapperForObject:]):
2935         (-[JSObjCClassInfo constructor]):
2936
2937 2014-07-24  Joseph Pecoraro  <pecoraro@apple.com>
2938
2939         JSLock release should only modify the AtomicStringTable if it modified in acquire
2940         https://bugs.webkit.org/show_bug.cgi?id=135143
2941
2942         Reviewed by Darin Adler.
2943
2944         * runtime/JSLock.cpp:
2945         (JSC::JSLock::JSLock):
2946         Initialize the member variable to nullptr.
2947
2948         (JSC::JSLock::willDestroyVM):
2949         Update style to use nullptr instead of 0.
2950
2951         (JSC::JSLock::willReleaseLock):
2952         We should only reset the thread data's atomic string table if
2953         didAcquireLock changed it. m_entryAtomicStringTable will have
2954         been set by didAcquireLock if it changed, or nullptr if it didn't.
2955         This way we are sure we are balanced, regardless of m_vm changes.
2956
2957 2014-07-24  Peyton Randolph  <prandolph@apple.com>
2958
2959         Rename feature flag for long-press gesture on Mac.
2960         https://bugs.webkit.org/show_bug.cgi?id=135259
2961
2962         Reviewed by Beth Dakin.
2963
2964         * Configurations/FeatureDefines.xcconfig:
2965         Rename LINK_LONG_PRESS to MAC_LONG_PRESS.
2966
2967 2014-07-24  Commit Queue  <commit-queue@webkit.org>
2968
2969         Unreviewed, rolling out r171527.
2970         https://bugs.webkit.org/show_bug.cgi?id=135265
2971
2972         Breaks JSC API tests (Requested by mlam on #webkit).
2973
2974         Reverted changeset:
2975
2976         "JSWrapperMap's jsWrapperForObject() needs to defer GC."
2977         https://bugs.webkit.org/show_bug.cgi?id=135258
2978         http://trac.webkit.org/changeset/171527
2979
2980 2014-07-24  Mark Hahnenberg  <mhahnenberg@apple.com>
2981
2982         Creating a JSGlobalObject with a custom JSClassRef results in a JSProxy with the wrong prototype
2983         https://bugs.webkit.org/show_bug.cgi?id=135250
2984
2985         Reviewed by Geoffrey Garen.
2986
2987         JSGlobalObject::resetPrototype (which is called from JSGlobalContextCreateInGroup) doesn't change its 
2988         JSProxy's prototype as well. This results in a JSProxy where no properties in the original prototype 
2989         chain (as created from the JSClassRef hierarchy) are accessible. Changing resetPrototype to also change
2990         the JSProxy's prototype fixes the issue.
2991
2992         * API/JSValueRef.cpp:
2993         (JSValueIsObjectOfClass): Also fixed a bug where a JSProxy for a JSGlobalObject with a custom JSClassRef
2994         would claim it wasn't of the specified class, even if the target was of the specified class.
2995         * API/tests/CustomGlobalObjectClassTest.c: Added.
2996         (jsDoSomething):
2997         (customGlobalObjectClassTest):
2998         * API/tests/CustomGlobalObjectClassTest.h: Added.
2999         * API/tests/testapi.c:
3000         (assertTrue):
3001         (main):
3002         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
3003         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters:
3004         * JavaScriptCore.xcodeproj/project.pbxproj:
3005         * runtime/JSGlobalObject.cpp:
3006         (JSC::JSGlobalObject::resetPrototype):
3007
3008 2014-07-24  Brian J. Burg  <burg@cs.washington.edu>
3009
3010         Web Replay: don't encode/decode primitive types that lack explicit sizes
3011         https://bugs.webkit.org/show_bug.cgi?id=133430
3012
3013         Reviewed by Anders Carlsson.
3014
3015         Don't support encode/decode of unsigned long, since its size is compiler-dependent.
3016
3017         * replay/EncodedValue.cpp:
3018         (JSC::EncodedValue::convertTo<unsigned long>):
3019         (JSC::unsigned long>::encodeValue): Deleted.
3020         * replay/EncodedValue.h:
3021
3022 2014-07-24  Mark Lam  <mark.lam@apple.com>
3023
3024         JSWrapperMap's jsWrapperForObject() needs to defer GC.
3025         <https://webkit.org/b/135258>
3026
3027         Reviewed by Oliver Hunt.
3028
3029         In the process of creating a JS wrapper, jsWrapperForObject() will create
3030         the prototype and constructor of the corresponding ObjC class, as well as
3031         for classes in its inheritance chain.  These prototypes and constructors
3032         are stored in Weak references in the JSObjCClassInfo objects.  During all
3033         the allocation that is being done to create all the prototypes and
3034         constructors as well as the wrapper objects, a GC may occur thereby
3035         collecting one or more of these newly created prototype and constructor
3036         objects.
3037
3038         One example of where this problem can manifest is in wrapperForObject()
3039         which is called from jsWrapperForObject().  In wrapperForObject(), we do
3040         the following steps:
3041
3042         1. reallocateConstructorAndOrPrototype() which creates the prototype
3043            object and stores it in JSObjCClassInfo's m_prototype which is a Weak
3044            ref.
3045         2. makeWrapper() to create the wrapper object, which may trigger a GC.
3046            GC will collect the prototype object and nullify the corresponding
3047            JSObjCClassInfo's m_prototype Weak ref.
3048         3. call JSObjectSetPrototype() to set the JSObjCClassInfo's m_prototype
3049            in the newly created wrapper.  This results in the wrapper getting a
3050            jsNull as a prototype instead of the expected prototype object.
3051
3052         To ensure that the prototype and constructor objects are retained until
3053         they can be referenced properly from the wrapper object,
3054         jsWrapperForObject() should defer GC until it's done with its work.
3055
3056         * API/JSWrapperMap.mm:
3057         (-[JSWrapperMap jsWrapperForObject:]):
3058
3059 2014-07-23  Brent Fulgham  <bfulgham@apple.com>
3060
3061         Build fix after r171482.
3062
3063         Rubberstamped by Joe Pecoraro.
3064
3065         * runtime/Identifier.h: Make header declarations match
3066         implementation file.
3067
3068 2014-07-23  Brent Fulgham  <bfulgham@apple.com>
3069
3070         [Win] Use NO_RETURN_DUE_TO_CRASH on Windows
3071         https://bugs.webkit.org/show_bug.cgi?id=135199
3072
3073         Reviewed by Mark Lam.
3074
3075         * jsc.cpp:
3076         (WTF::RuntimeArray::deleteProperty): Stop using ugly
3077         compiler work-around on Windows; use NO_RETURN_DUE_TO_CRASH
3078         codepath instead.
3079         * runtime/Identifier.h: Add NO_RETURN_DUE_TO_CRASH
3080         to header so function declaration matches implementation.
3081
3082 2014-07-23  Bem Jones-Bey  <bjonesbe@adobe.com>
3083
3084         Remove CSS_EXCLUSIONS compile flag and leftover code
3085         https://bugs.webkit.org/show_bug.cgi?id=135175
3086
3087         Reviewed by Zoltan Horvath.
3088
3089         At this point, the CSS_EXCLUSIONS flag guards nothing but some useless
3090         stubs. This removes the flag and the useless code.
3091
3092         * Configurations/FeatureDefines.xcconfig:
3093
3094 2014-07-23  Commit Queue  <commit-queue@webkit.org>
3095
3096         Unreviewed, rolling out r171367.
3097         https://bugs.webkit.org/show_bug.cgi?id=135192
3098
3099         broke three API tests (Requested by thorton on #webkit).
3100
3101         Reverted changeset:
3102
3103         "JSLock release should only modify the AtomicStringTable if it
3104         modified in acquire"
3105         https://bugs.webkit.org/show_bug.cgi?id=135143
3106         http://trac.webkit.org/changeset/171367
3107
3108 2014-07-22  László Langó  <llango.u-szeged@partner.samsung.com>
3109
3110         [EFL] Build fix after the [ftlopt] branch merge.
3111
3112         Reviewed by Csaba Osztrogonác.
3113
3114         * dfg/DFGBranchDirection.h:
3115         (JSC::DFG::branchDirectionToString):
3116         * dfg/DFGStructureClobberState.h:
3117         (JSC::DFG::merge):
3118
3119 2014-07-22  Brent Fulgham  <bfulgham@apple.com>
3120
3121         Build fix for non-clang compile.
3122
3123         * jsc.cpp:
3124         (WTF::RuntimeArray::put): Remove incorrect return statement
3125         I added.
3126
3127 2014-07-22  Brent Fulgham  <bfulgham@apple.com>
3128
3129         Build fix for non-clang compile.
3130
3131         * jsc.cpp:
3132         (WTF::RuntimeArray::deleteProperty): Need (fake) return
3133         value when NO_RETURN_DUE_TO_CRASH is not defined.
3134
3135 2014-07-22  Filip Pizlo  <fpizlo@apple.com>
3136
3137         Merge r169628 from ftlopt.
3138
3139     2014-06-04  Matthew Mirman  <mmirman@apple.com>
3140     
3141             Added system for inlining native functions via the FTL.
3142             https://bugs.webkit.org/show_bug.cgi?id=131515
3143     
3144             Reviewed by Filip Pizlo.
3145     
3146             Also fixed the build to not compress the bitcode and to 
3147             include all of the relevant runtime. With GCC_GENERATE_DEBUGGING_SYMBOLS = NO, 
3148             the produced bitcode files are a 100th of the size they were before.
3149             Now we can include all of the relevant runtime files with only a 3mb overhead. 
3150             This is the same overhead as for two compressed files before, 
3151             but done more efficiently (on both ends) and with less code.
3152             
3153             Deciding whether to inline native functions is left up to LLVM. 
3154             The entire module containing the function is linked into the current 
3155             compiled JS so that inlining the native functions shouldn't make them smaller.
3156             
3157             Rather than loading Runtime.symtbl at runtime FTLState.cpp now generates a file 
3158             InlineRuntimeSymbolTable.h which statically builds the symbol table hash table.  
3159             
3160             * JavaScriptCore.xcodeproj/project.pbxproj: Added back runtime files to compile.
3161             * build-symbol-table-index.py: Changed bitcode suffix. 
3162             Added inclusion of only tested symbols.  
3163             Added output to InlineRuntimeSymbolTable.h. 
3164             * build-symbol-table-index.sh: Changed bitcode suffix.
3165             * copy-llvm-ir-to-derived-sources.sh: Removed gzip compression.
3166             * tested-symbols.symlst: Added.
3167             * dfg/DFGByteCodeParser.cpp:
3168             (JSC::DFG::ByteCodeParser::handleCall):  
3169             Now sets the knownFunction of the call node if such a function exists 
3170             and emits a check that during runtime the callee is in fact known.
3171             * dfg/DFGNode.h:
3172             Added functions to set the known function of a call node.
3173             (JSC::DFG::Node::canBeKnownFunction): Added.
3174             (JSC::DFG::Node::hasKnownFunction): Added.
3175             (JSC::DFG::Node::knownFunction): Added.
3176             (JSC::DFG::Node::giveKnownFunction): Added.
3177             * ftl/FTLAbbreviatedTypes.h: Added a typedef for LLVMMemoryBufferRef.
3178             * ftl/FTLAbbreviations.h: Added some abbreviations.
3179             * ftl/FTLLowerDFGToLLVM.cpp:
3180             (JSC::FTL::LowerDFGToLLVM::isInlinableSize): Added. Hardcoded threshold to 275.
3181             (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol): Added.
3182             (JSC::FTL::LowerDFGToLLVM::getFunctionBySymbol): Added.
3183             (JSC::FTL::LowerDFGToLLVM::possiblyCompileInlineableNativeCall): Added.
3184             (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):  
3185             Added call to possiblyCompileInlineableNativeCall.
3186             * ftl/FTLOutput.h:
3187             (JSC::FTL::Output::allocaName):  Added. Useful for debugging.
3188             * ftl/FTLState.cpp:
3189             (JSC::FTL::State::State): Added an include for InlineRuntimeSymbolTable.h.
3190             * ftl/FTLState.h: Added symbol table hash table.
3191             * ftl/FTLCompile.cpp:
3192             (JSC::FTL::compile): Added inlining and dead function elimination passes.
3193             * heap/HandleStack.h: Added JS_EXPORT_PRIVATE to a few functions to get inlining to compile.
3194             * llvm/InitializeLLVMMac.mm: Deleted.
3195             * llvm/InitializeLLVMMac.cpp: Added.
3196             * llvm/LLVMAPIFunctions.h: Added macros to include Bitcode parsing and linking functions.
3197             * llvm/LLVMHeaders.h: Added includes for Bitcode parsing and linking.
3198             * runtime/BundlePath.h: Added.
3199             * runtime/BundlePath.mm: Added.
3200             * runtime/DateInstance.h: Added JS_EXPORT_PRIVATE to a few functions to get inlining to compile.
3201             * runtime/DateInstance.h: ditto.
3202             * runtime/DateConversion.h: ditto.
3203             * runtime/ExceptionHelpers.h: ditto.
3204             * runtime/JSCJSValue.h: ditto.
3205             * runtime/JSArray.h: ditto.
3206             * runtime/JSDateMath.h: ditto.
3207             * runtime/JSObject.h: ditto.
3208             * runtime/JSObject.h: ditto.
3209             * runtime/RegExp.h: ditto.
3210             * runtime/Structure.h: ditto.
3211             * runtime/Options.h:  Added maximumLLVMInstructionCountForNativeInlining.
3212     
3213 2014-07-22  Mark Lam  <mark.lam@apple.com>
3214
3215         Array.concat() should work on runtime arrays too.
3216         <https://webkit.org/b/135179>
3217
3218         Reviewed by Geoffrey Garen.
3219
3220         * jsc.cpp:
3221         (WTF::RuntimeArray::create):
3222         (WTF::RuntimeArray::~RuntimeArray):
3223         (WTF::RuntimeArray::destroy):
3224         (WTF::RuntimeArray::getOwnPropertySlot):
3225         (WTF::RuntimeArray::getOwnPropertySlotByIndex):
3226         (WTF::RuntimeArray::put):
3227         (WTF::RuntimeArray::deleteProperty):
3228         (WTF::RuntimeArray::getLength):
3229         (WTF::RuntimeArray::createPrototype):
3230         (WTF::RuntimeArray::createStructure):
3231         (WTF::RuntimeArray::finishCreation):
3232         (WTF::RuntimeArray::RuntimeArray):
3233         (WTF::RuntimeArray::len