[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2014-09-26  Filip Pizlo  <fpizlo@apple.com>

        Disable function.arguments
        https://bugs.webkit.org/show_bug.cgi?id=137167

        Rubber stamped by Geoffrey Garen.
        
        Add an option to disable function.arguments. Add a test for disabling it.
        
        Disabling function.arguments means that it returns an Arguments object that claims that
        there were zero arguments. All other Arguments functionality still works, so any code
        that tries to inspect this object will still think that it is looking at a perfectly
        valid Arguments object.
        
        This also makes function.arguments disabled by default. Note that the RJST harness will
        enable them by default, to continue to get test coverage for the code that implements
        the feature.
        
        We will rip out that code once we're confident that it's really safe to remove this
        feature. Only once we rip out that support will we be able to do optimizations to
        leverage the lack of this feature. It's important to keep the support code, and the test
        infrastructure, in place before we are confident. The logic to keep this working touches
        the entire compiler and a large chunk of the runtime, so reimplementing it - or even
        merging it back in - would be a nightmare. That's also basically the reason why we want
        to rip it out if at all possible. It's a lot of terrible code.

        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::createArguments):
        * runtime/Arguments.h:
        (JSC::Arguments::create):
        (JSC::Arguments::finishCreation):
        * runtime/Options.h:
        * tests/stress/disable-function-dot-arguments.js: Added.
        (foo):
        (bar):

2014-09-26  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Automatic Inspection should continue once all breakpoints are loaded
        https://bugs.webkit.org/show_bug.cgi?id=137038

        Reviewed by Timothy Hatcher.

        Add a new protocol command "Inspector.initialized" that signifies to the backend
        when the frontend has sent all its initialization messages to the backend. This
        can include information like breakpoints, which we would want to have loaded
        before any JavaScript evaluates in the context.

        * inspector/protocol/InspectorDomain.json:
        New protocol command, Inspector.initialized.

        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::InspectorAgent):
        (Inspector::InspectorAgent::initialized):
        Tell the InspectorEnvironment (the Controller) the frontend has initialized.

        * inspector/InspectorEnvironment.h:
        Abstract virtual method to handle frontend initialization. To be
        implemented by all of the InspectorControllers.

        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::connectFrontend):
        (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
        (Inspector::JSGlobalObjectInspectorController::frontendInitialized):
        When a frontend is initialized, if it was automatic inspection unpause the debuggable.

        * inspector/remote/RemoteInspectorDebuggable.cpp:
        (Inspector::RemoteInspectorDebuggable::unpauseForInitializedInspector):
        Complete setup for this debuggable.

        * inspector/remote/RemoteInspectorDebuggable.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorDebuggableConnection::setup):
        Move the setup complete to later, when the frontend sends an "initialized" message.

        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate):
        Provide a longer timeout now that the frontend must send messages after the connection
        has established. The longest I have seen in  600ms, but the average tends to be 200ms.
        So bump the timeout to 800ms for a buffer.

        (Inspector::RemoteInspector::setupSucceeded): Deleted.
        (Inspector::RemoteInspector::setupCompleted):
        Rename, as this happens at a slightly different time.

2014-09-26  Filip Pizlo  <fpizlo@apple.com>

        DFG shouldn't insert store barriers when it has it on good authority that we're not storing a cell
        https://bugs.webkit.org/show_bug.cgi?id=137161

        Reviewed by Mark Hahnenberg.
        
        This looks like a 1% Octane speed-up.

        * bytecode/SpeculatedType.h:
        (JSC::isNotCellSpeculation):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::insertStoreBarrier):
        (JSC::DFG::FixupPhase::insertCheck):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateNotCell):

2014-09-26  Peter Varga  <pvarga@webkit.org>

        Fix typo in YARR at BOL check
        https://bugs.webkit.org/show_bug.cgi?id=137144

        Reviewed by Darin Adler.

        * yarr/YarrPattern.cpp: replace bitwise and operator by logical and
        (JSC::Yarr::YarrPatternConstructor::assertionBOL):

2014-09-25  Saam Barati  <saambarati1@gmail.com>

        Web Inspector: console.assert(bitString) TypeSet:50 
        https://bugs.webkit.org/show_bug.cgi?id=137051

        Reviewed by Joseph Pecoraro.

        This patch creates stricter requirements on a TypeDescription
        being valid. To be valid, a TypeDescription now ensures that 
        the TypeSet it describes has non null type information.

        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        * runtime/TypeSet.h:
        (JSC::TypeSet::isEmpty):

2014-09-25  Filip Pizlo  <fpizlo@apple.com>

        FTL should sink object allocations
        https://bugs.webkit.org/show_bug.cgi?id=136330

        Reviewed by Oliver Hunt.
        
        This adds a comprehensive infrastructure for sinking object allocations in DFG SSA form. The
        ultimate goal of sinking is to sink an allocation "past the points of its death" - i.e. to
        eliminate it completely. The way sinking reasons about the CFG means that it resembles a
        partial escape analysis: we create paths through a function where some allocation(s) don't
        have to be done at all even if there are other paths along which those allocations still have
        to happen. But it also produces other side benefits. Even if an allocation isn't eliminated
        along any path, the act of sinking reduces the number of barriers that have to execute.
        
        Because this was a fairly ambituous SSA analysis and transformation, I added a bunch of C++11
        sugar to the DFG's internal APIs to allow for easier iteration over blocks, nodes, and
        successors; and to add more functor goodness to allow for more lambdas.
        
        This is just the beginning. The bug has a bunch of other bugs that depend on it. So far this
        is a spectacular speed-up on microbenchmarks but it's still too limited to affect big
        benchmarks. For example, doing o == p makes the sinking phase think that o and p escape.
        That's just an omission and there are likely others; we can easily fix them. I think it's
        best to land it in its current form and then to worry about the big benchmarks in subsequent
        work (see bug 137126).

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/StructureSet.h:
        (JSC::StructureSet::iterator::iterator):
        (JSC::StructureSet::iterator::operator*):
        (JSC::StructureSet::iterator::operator++):
        (JSC::StructureSet::iterator::operator==):
        (JSC::StructureSet::iterator::operator!=):
        (JSC::StructureSet::begin):
        (JSC::StructureSet::end):
        * dfg/DFGAbstractInterpreter.h:
        (JSC::DFG::AbstractInterpreter::phiChildren):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::AbstractInterpreter):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
        * dfg/DFGAvailability.h:
        (JSC::DFG::Availability::shouldUseNode):
        (JSC::DFG::Availability::isFlushUseful):
        (JSC::DFG::Availability::isDead):
        (JSC::DFG::Availability::operator!=):
        * dfg/DFGAvailabilityMap.cpp: Added.
        (JSC::DFG::AvailabilityMap::prune):
        (JSC::DFG::AvailabilityMap::clear):
        (JSC::DFG::AvailabilityMap::dump):
        (JSC::DFG::AvailabilityMap::operator==):
        (JSC::DFG::AvailabilityMap::merge):
        * dfg/DFGAvailabilityMap.h: Added.
        (JSC::DFG::AvailabilityMap::forEachAvailability):
        * dfg/DFGBasicBlock.cpp:
        (JSC::DFG::BasicBlock::SSAData::SSAData):
        * dfg/DFGBasicBlock.h:
        (JSC::DFG::BasicBlock::begin):
        (JSC::DFG::BasicBlock::end):
        (JSC::DFG::BasicBlock::SuccessorsIterable::SuccessorsIterable):
        (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::iterator):
        (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator*):
        (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator++):
        (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator==):
        (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator!=):
        (JSC::DFG::BasicBlock::SuccessorsIterable::begin):
        (JSC::DFG::BasicBlock::SuccessorsIterable::end):
        (JSC::DFG::BasicBlock::successors):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGFlushedAt.cpp:
        (JSC::DFG::FlushedAt::dump):
        * dfg/DFGFlushedAt.h:
        (JSC::DFG::FlushedAt::FlushedAt):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::dumpBlockHeader):
        (JSC::DFG::Graph::mergeRelevantToOSR):
        (JSC::DFG::Graph::invalidateCFG):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::NaturalBlockIterable::NaturalBlockIterable):
        (JSC::DFG::Graph::NaturalBlockIterable::iterator::iterator):
        (JSC::DFG::Graph::NaturalBlockIterable::iterator::operator*):
        (JSC::DFG::Graph::NaturalBlockIterable::iterator::operator++):
        (JSC::DFG::Graph::NaturalBlockIterable::iterator::operator==):
        (JSC::DFG::Graph::NaturalBlockIterable::iterator::operator!=):
        (JSC::DFG::Graph::NaturalBlockIterable::iterator::findNext):
        (JSC::DFG::Graph::NaturalBlockIterable::begin):
        (JSC::DFG::Graph::NaturalBlockIterable::end):
        (JSC::DFG::Graph::blocksInNaturalOrder):
        (JSC::DFG::Graph::doToChildrenWithNode):
        (JSC::DFG::Graph::doToChildren):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGInsertOSRHintsForUpdate.cpp: Added.
        (JSC::DFG::insertOSRHintsForUpdate):
        * dfg/DFGInsertOSRHintsForUpdate.h: Added.
        * dfg/DFGInsertionSet.h:
        (JSC::DFG::InsertionSet::graph):
        * dfg/DFGMayExit.cpp:
        (JSC::DFG::mayExit):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToPutByOffsetHint):
        (JSC::DFG::Node::convertToPutStructureHint):
        (JSC::DFG::Node::convertToPhantomNewObject):
        (JSC::DFG::Node::isCellConstant):
        (JSC::DFG::Node::castConstant):
        (JSC::DFG::Node::hasIdentifier):
        (JSC::DFG::Node::hasStorageAccessData):
        (JSC::DFG::Node::hasObjectMaterializationData):
        (JSC::DFG::Node::objectMaterializationData):
        (JSC::DFG::Node::isPhantomObjectAllocation):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
        (JSC::DFG::LocalOSRAvailabilityCalculator::endBlock):
        (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
        * dfg/DFGOSRAvailabilityAnalysisPhase.h:
        * dfg/DFGObjectAllocationSinkingPhase.cpp: Added.
        (JSC::DFG::ObjectAllocationSinkingPhase::ObjectAllocationSinkingPhase):
        (JSC::DFG::ObjectAllocationSinkingPhase::run):
        (JSC::DFG::ObjectAllocationSinkingPhase::performSinking):
        (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints):
        (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints):
        (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations):
        (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields):
        (JSC::DFG::ObjectAllocationSinkingPhase::resolve):
        (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
        (JSC::DFG::ObjectAllocationSinkingPhase::createMaterialize):
        (JSC::DFG::ObjectAllocationSinkingPhase::populateMaterialize):
        (JSC::DFG::performObjectAllocationSinking):
        * dfg/DFGObjectAllocationSinkingPhase.h: Added.
        * dfg/DFGObjectMaterializationData.cpp: Added.
        (JSC::DFG::PhantomPropertyValue::dump):
        (JSC::DFG::ObjectMaterializationData::dump):
        (JSC::DFG::ObjectMaterializationData::oneWaySimilarityScore):
        (JSC::DFG::ObjectMaterializationData::similarityScore):
        * dfg/DFGObjectMaterializationData.h: Added.
        (JSC::DFG::PhantomPropertyValue::PhantomPropertyValue):
        (JSC::DFG::PhantomPropertyValue::operator==):
        * dfg/DFGPhantomCanonicalizationPhase.cpp:
        (JSC::DFG::PhantomCanonicalizationPhase::run):
        * dfg/DFGPhantomRemovalPhase.cpp:
        (JSC::DFG::PhantomRemovalPhase::run):
        * dfg/DFGPhiChildren.cpp: Added.
        (JSC::DFG::PhiChildren::PhiChildren):
        (JSC::DFG::PhiChildren::~PhiChildren):
        (JSC::DFG::PhiChildren::upsilonsOf):
        * dfg/DFGPhiChildren.h: Added.
        (JSC::DFG::PhiChildren::forAllIncomingValues):
        (JSC::DFG::PhiChildren::forAllTransitiveIncomingValues):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPrePostNumbering.cpp: Added.
        (JSC::DFG::PrePostNumbering::PrePostNumbering):
        (JSC::DFG::PrePostNumbering::~PrePostNumbering):
        (JSC::DFG::PrePostNumbering::compute):
        (WTF::printInternal):
        * dfg/DFGPrePostNumbering.h: Added.
        (JSC::DFG::PrePostNumbering::preNumber):
        (JSC::DFG::PrePostNumbering::postNumber):
        (JSC::DFG::PrePostNumbering::isStrictAncestorOf):
        (JSC::DFG::PrePostNumbering::isAncestorOf):
        (JSC::DFG::PrePostNumbering::isStrictDescendantOf):
        (JSC::DFG::PrePostNumbering::isDescendantOf):
        (JSC::DFG::PrePostNumbering::edgeKind):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGPromoteHeapAccess.h: Added.
        (JSC::DFG::promoteHeapAccess):
        * dfg/DFGPromotedHeapLocation.cpp: Added.
        (JSC::DFG::PromotedLocationDescriptor::dump):
        (JSC::DFG::PromotedHeapLocation::createHint):
        (JSC::DFG::PromotedHeapLocation::dump):
        (WTF::printInternal):
        * dfg/DFGPromotedHeapLocation.h: Added.
        (JSC::DFG::PromotedLocationDescriptor::PromotedLocationDescriptor):
        (JSC::DFG::PromotedLocationDescriptor::operator!):
        (JSC::DFG::PromotedLocationDescriptor::kind):
        (JSC::DFG::PromotedLocationDescriptor::info):
        (JSC::DFG::PromotedLocationDescriptor::hash):
        (JSC::DFG::PromotedLocationDescriptor::operator==):
        (JSC::DFG::PromotedLocationDescriptor::operator!=):
        (JSC::DFG::PromotedLocationDescriptor::isHashTableDeletedValue):
        (JSC::DFG::PromotedHeapLocation::PromotedHeapLocation):
        (JSC::DFG::PromotedHeapLocation::operator!):
        (JSC::DFG::PromotedHeapLocation::kind):
        (JSC::DFG::PromotedHeapLocation::base):
        (JSC::DFG::PromotedHeapLocation::info):
        (JSC::DFG::PromotedHeapLocation::descriptor):
        (JSC::DFG::PromotedHeapLocation::hash):
        (JSC::DFG::PromotedHeapLocation::operator==):
        (JSC::DFG::PromotedHeapLocation::isHashTableDeletedValue):
        (JSC::DFG::PromotedHeapLocationHash::hash):
        (JSC::DFG::PromotedHeapLocationHash::equal):
        * dfg/DFGSSACalculator.cpp:
        (JSC::DFG::SSACalculator::reset):
        * dfg/DFGSSACalculator.h:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureRegistrationPhase.cpp:
        (JSC::DFG::StructureRegistrationPhase::run):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLExitPropertyValue.cpp: Added.
        (JSC::FTL::ExitPropertyValue::dump):
        * ftl/FTLExitPropertyValue.h: Added.
        (JSC::FTL::ExitPropertyValue::ExitPropertyValue):
        (JSC::FTL::ExitPropertyValue::operator!):
        (JSC::FTL::ExitPropertyValue::location):
        (JSC::FTL::ExitPropertyValue::value):
        * ftl/FTLExitTimeObjectMaterialization.cpp: Added.
        (JSC::FTL::ExitTimeObjectMaterialization::ExitTimeObjectMaterialization):
        (JSC::FTL::ExitTimeObjectMaterialization::~ExitTimeObjectMaterialization):
        (JSC::FTL::ExitTimeObjectMaterialization::add):
        (JSC::FTL::ExitTimeObjectMaterialization::get):
        (JSC::FTL::ExitTimeObjectMaterialization::dump):
        * ftl/FTLExitTimeObjectMaterialization.h: Added.
        (JSC::FTL::ExitTimeObjectMaterialization::type):
        (JSC::FTL::ExitTimeObjectMaterialization::properties):
        * ftl/FTLExitValue.cpp:
        (JSC::FTL::ExitValue::materializeNewObject):
        (JSC::FTL::ExitValue::dumpInContext):
        * ftl/FTLExitValue.h:
        (JSC::FTL::ExitValue::isObjectMaterialization):
        (JSC::FTL::ExitValue::objectMaterialization):
        (JSC::FTL::ExitValue::withVirtualRegister):
        (JSC::FTL::ExitValue::valueFormat):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
        (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
        (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
        (JSC::FTL::LowerDFGToLLVM::compileNewObject):
        (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
        (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
        (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
        (JSC::FTL::LowerDFGToLLVM::compileCheckStructureImmediate):
        (JSC::FTL::LowerDFGToLLVM::compileMaterializeNewObject):
        (JSC::FTL::LowerDFGToLLVM::checkStructure):
        (JSC::FTL::LowerDFGToLLVM::allocateCell):
        (JSC::FTL::LowerDFGToLLVM::storeStructure):
        (JSC::FTL::LowerDFGToLLVM::allocateObject):
        (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
        (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
        (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
        (JSC::FTL::LowerDFGToLLVM::weakStructureID):
        (JSC::FTL::LowerDFGToLLVM::weakStructure):
        (JSC::FTL::LowerDFGToLLVM::availabilityMap):
        (JSC::FTL::LowerDFGToLLVM::availability): Deleted.
        * ftl/FTLOSRExit.h:
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileRecovery):
        (JSC::FTL::compileStub):
        * ftl/FTLOperations.cpp: Added.
        (JSC::FTL::operationNewObjectWithButterfly):
        (JSC::FTL::operationMaterializeObjectInOSR):
        * ftl/FTLOperations.h: Added.
        * ftl/FTLSwitchCase.h:
        (JSC::FTL::SwitchCase::SwitchCase):
        * runtime/JSObject.h:
        (JSC::JSObject::finishCreation):
        (JSC::JSFinalObject::JSFinalObject):
        (JSC::JSFinalObject::create):
        * runtime/Structure.cpp:
        (JSC::Structure::canUseForAllocationsOf):
        * runtime/Structure.h:
        * tests/stress/elidable-new-object-roflcopter-then-exit.js: Added.
        (sumOfArithSeries):
        (foo):
        * tests/stress/elide-new-object-dag-then-exit.js: Added.
        (sumOfArithSeries):
        (bar):
        (verify):
        (foo):
        * tests/stress/obviously-elidable-new-object-then-exit.js: Added.
        (sumOfArithSeries):
        (foo):

2014-09-25  Brian J. Burg  <burg@cs.washington.edu>

        Web Replay: Check event loop input extents during replaying too
        https://bugs.webkit.org/show_bug.cgi?id=136316

        Reviewed by Timothy Hatcher.

        Sometimes we see different nondeterminism during capture and replay
        executions, so we should add determinism checks during replay too.

        Move the withinEventLoopInputExtent flag to the base class, and tighten
        the assertion to address <http://webkit.org/b/133019>.

        * replay/InputCursor.h:
        (JSC::InputCursor::InputCursor):
        (JSC::InputCursor::setWithinEventLoopInputExtent): Added.
        This assertion is slightly wrong because it does not account for nested run loops.
        We can be within two input extents when a nested run loop processes additional
        user inputs while the debugger is paused.

        This should only be the case when execution is being neither captured or
        replayed. The debugger should not pause when capturing, and we should not replay
        event loop inputs while in a nested run loop.

        (JSC::InputCursor::withinEventLoopInputExtent): Added.

2014-09-25  Csaba Osztrogonác  <ossy@webkit.org>

        Remove WinCE port from trunk
        https://bugs.webkit.org/show_bug.cgi?id=136951

        Reviewed by Alex Christensen.

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::cacheFlush):
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::cacheFlush):
        * config.h:
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::gatherFromCurrentThread):
        (JSC::MachineThreads::gatherFromOtherThread):
        (JSC::swapIfBackwards): Deleted.
        * jit/ExecutableAllocator.h:
        * jsc.cpp:
        (main):
        * runtime/DateConstructor.cpp:
        * runtime/Options.cpp:
        (JSC::overrideOptionWithHeuristic):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * testRegExp.cpp:
        (main):
        * tools/CodeProfiling.cpp:
        (JSC::CodeProfiling::notifyAllocator):

2014-09-24  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: subtract elapsed time while debugger is paused from profile nodes
        https://bugs.webkit.org/show_bug.cgi?id=136796

        Reviewed by Timothy Hatcher.

        Rather than accruing no time to any profile node created while the debugger is paused,
        we can instead count a node's elapsed time and exclude time elapsed while paused.

        Time for a node may elapse in a non-contiguous fashion depending on the interleaving of
        didPause, didContinue, willExecute, and didExecute. A node's start time is set to the
        start of the last such interval that accrues elapsed time.

        * profiler/ProfileGenerator.cpp:
        (JSC::ProfileGenerator::ProfileGenerator):
        (JSC::ProfileGenerator::beginCallEntry):
        (JSC::ProfileGenerator::endCallEntry):
        (JSC::ProfileGenerator::didPause): Added.
        (JSC::ProfileGenerator::didContinue): Added.
        * profiler/ProfileGenerator.h:
        (JSC::ProfileGenerator::didPause): Deleted.
        (JSC::ProfileGenerator::didContinue): Deleted.
        * profiler/ProfileNode.h: Rename totalTime to elapsedTime.
        (JSC::ProfileNode::Call::Call):
        (JSC::ProfileNode::Call::elapsedTime): Added.
        (JSC::ProfileNode::Call::setElapsedTime): Added.
        (JSC::CalculateProfileSubtreeDataFunctor::operator()):
        (JSC::ProfileNode::Call::totalTime): Deleted.
        (JSC::ProfileNode::Call::setTotalTime): Deleted.

2014-09-24  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r173839.
        https://bugs.webkit.org/show_bug.cgi?id=137062

        NumberConstruct should no longer use static tables (Requested
        by dpino on #webkit).

        Reverted changeset:

        "Simple ES6 feature: Number constructor extras"
        https://bugs.webkit.org/show_bug.cgi?id=131707
        http://trac.webkit.org/changeset/173839

2014-09-23  Mark Lam  <mark.lam@apple.com>

        DebuggerCallFrame::invalidate() should invalidate all DebuggerScope chains.
        <https://webkit.org/b/137045>

        Reviewed by Geoffrey Garen.

        DebuggerCallFrame::invalidate() currently invalidates all DebuggerCallFrames
        in the debugger stack, but only invalidates the DebuggerScope chain of the
        top most frame.  We should also invalidate all the DebuggerScope chains of
        the other frames in the debugger stack.

        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::invalidate):
        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::invalidateChain):

2014-09-23  Mark Lam  <mark.lam@apple.com>

        Renamed DebuggerCallFrameScope to DebuggerPausedScope.
        <https://webkit.org/b/137042>

        Reviewed by Michael Saboff.

        DebuggerPausedScope is a better name for this data structure because it
        is meant for tracking the period within which the debugger is paused,
        and doing clean ups after the pause ends.

        * debugger/Debugger.cpp:
        (JSC::DebuggerPausedScope::DebuggerPausedScope):
        (JSC::DebuggerPausedScope::~DebuggerPausedScope):
        (JSC::Debugger::pauseIfNeeded):
        (JSC::DebuggerCallFrameScope::DebuggerCallFrameScope): Deleted.
        (JSC::DebuggerCallFrameScope::~DebuggerCallFrameScope): Deleted.
        * debugger/Debugger.h:
        * debugger/DebuggerCallFrame.h:

2014-09-23  Tomas Popela  <tpopela@redhat.com>

        [CLoop] - Fix CLoop on the 32-bit Big-Endians
        https://bugs.webkit.org/show_bug.cgi?id=137020

        Reviewed by Mark Lam.

        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:

2014-09-23  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Should be able to attach a debugger to a JSContext before anything is executed
        https://bugs.webkit.org/show_bug.cgi?id=136893

        Reviewed by Timothy Hatcher.

        Adds new remote inspector protocol handling for automatic inspection.
        Debuggers can signal they have enabled automatic inspection, and
        when debuggables are created the current application will pause to
        see if the debugger will inspect or decline to inspect the debuggable.

        * inspector/remote/RemoteInspectorConstants.h:
        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::globalAutomaticInspectionState):
        (Inspector::RemoteInspector::RemoteInspector):
        (Inspector::RemoteInspector::start):
        When first starting, check the global "is there an auto-inspect" debugger state.
        This is necessary so that the current application knows if it should pause or
        not when a debuggable is created, even without having connected to webinspectord yet.

        (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate):
        When a debuggable has enabled remote inspection, take this path to propose
        it as an automatic inspection candidate if there is an auto-inspect debugger.

        (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage):
        Send the automatic inspection candidate message.

        (Inspector::RemoteInspector::receivedSetupMessage):
        (Inspector::RemoteInspector::setupFailed):
        (Inspector::RemoteInspector::setupSucceeded):
        After attempting to open an inspector, unpause if it was for the
        automatic inspection candidate.

        (Inspector::RemoteInspector::waitingForAutomaticInspection):
        When running a nested runloop, check if we should remain paused.

        (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
        If by the time we connect to webinspectord we have a candidate, then
        immediately send the candidate message.

        (Inspector::RemoteInspector::stopInternal):
        (Inspector::RemoteInspector::xpcConnectionFailed):
        In error cases, clear our state.

        (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
        (Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage):
        (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage):
        Update state when receiving new messages.


        * inspector/remote/RemoteInspectorDebuggable.h:
        * inspector/remote/RemoteInspectorDebuggable.cpp:
        (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
        Special case when a debuggable is newly allowed to be debuggable.

        (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection):
        Run a nested run loop while this is an automatic inspection candidate.

        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::connectFrontend):
        When the inspector starts via automatic inspection automatically pause.
        We plan on removing this condition by having the frontend signal to the
        backend when it is completely initialized.
        
        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorDebuggableConnection::setup):
        Pass on the flag of whether or not this was automatic inspection.

        * runtime/JSGlobalObjectDebuggable.h:
        * runtime/JSGlobalObjectDebuggable.cpp:
        (JSC::JSGlobalObjectDebuggable::connect):
        (JSC::JSGlobalObjectDebuggable::pauseWaitingForAutomaticInspection):
        When pausing in a JSGlobalObject we need to release the API lock.

2014-09-22  Filip Pizlo  <fpizlo@apple.com>

        FTL allocatePropertyStorage code should involve less copy-paste
        https://bugs.webkit.org/show_bug.cgi?id=137006

        Reviewed by Michael Saboff.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::allocatePropertyStorage):
        (JSC::FTL::LowerDFGToLLVM::reallocatePropertyStorage):
        (JSC::FTL::LowerDFGToLLVM::allocatePropertyStorageWithSizeImpl):

2014-09-22  Diego Pino Garcia  <dpino@igalia.com>

        Simple ES6 feature: Number constructor extras
        https://bugs.webkit.org/show_bug.cgi?id=131707

        Reviewed by Darin Adler.

        * runtime/CommonIdentifiers.h: Added new identifiers.
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::getOwnPropertySlot):
        (JSC::NumberConstructor::isFunction): Added.
        (JSC::numberConstructorEpsilonValue): Added.
        (JSC::numberConstructorNegInfinity): Added.
        (JSC::numberConstructorPosInfinity): Added.
        (JSC::numberConstructorMaxValue): Added.
        (JSC::numberConstructorMinValue): Added.
        (JSC::numberConstructorMaxSafeInteger): Added.
        (JSC::numberConstructorMinSafeInteger): Added.
        (JSC::numberConstructorFuncIsFinite): Added.
        (JSC::numberConstructorFuncIsInteger): Added.
        (JSC::numberConstructorFuncIsNaN): Added.
        (JSC::numberConstructorFuncIsSafeInteger): Added.
        * runtime/NumberConstructor.h:

2014-09-21  Filip Pizlo  <fpizlo@apple.com>

        FTL should store the four bytes of the cell header using a 32-bit store rather than four 8-bit stores
        https://bugs.webkit.org/show_bug.cgi?id=136992

        Reviewed by Sam Weinig.
        
        LLVM ought to be able to do this optimization for us given how the code was written, but
        any such lower-level attempts to optimize this would get into trouble with the weird
        object materialization logic I'll be introducing in bug 136330. So, this brings the
        merging of the byte stores into the FTL lowering so that we can control it explicitly.

        * ftl/FTLAbstractHeap.h:
        (JSC::FTL::AbstractHeap::changeParent):
        * ftl/FTLAbstractHeapRepository.cpp:
        (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::allocateCell):

2014-09-21  Saam Barati  <saambarati1@gmail.com>

        Web Inspector: fix TypeSet hierarchy in TypeTokenView
        https://bugs.webkit.org/show_bug.cgi?id=136982

        Reviewed by Joseph Pecoraro.

        TypeSet was computing the set of type booleans in the Inspector::Protocol::Runtime::TypeSet 
        object incorrectly because it was calling TypeSet::doesTypeConformTo(T) which checks if the 
        type set has only been of type T. It now checks '(m_seenTypes & T) != TypeNothing' to see 
        if type T is in the set of seen types, but not the entire set itself.

        * runtime/TypeSet.cpp:
        (JSC::TypeSet::inspectorTypeSet):

2014-09-21  Filip Pizlo  <fpizlo@apple.com>

        Structure should have a method for concurrently getting all of the property map entries, and this method shouldn't involve copy-paste
        https://bugs.webkit.org/show_bug.cgi?id=136983

        Reviewed by Mark Hahnenberg.

        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyMapEntry::PropertyMapEntry): Moved PropertyMapEntry struct to Structure.h so that Structure can refer to it.
        * runtime/Structure.cpp:
        (JSC::Structure::getConcurrently): Switch to using the new forEachPropertyConcurrently() method.
        (JSC::Structure::getPropertiesConcurrently): The subject of this patch. It will be useful for object allocation sinking (bug 136330).
        (JSC::Structure::dump): Switch to using the new forEachPropertyConcurrently() method.
        * runtime/Structure.h:
        (JSC::PropertyMapEntry::PropertyMapEntry): Moved from PropertyMapHashTable.h.
        * runtime/StructureInlines.h:
        (JSC::Structure::forEachPropertyConcurrently): Capture this very common concurrent structure iteration pattern into a template method.

2014-09-21  Filip Pizlo  <fpizlo@apple.com>

        Structure::getConcurrently() doesn't need to take a VM& argument.

        Rubber stamped by Dan Bernstein.
        
        Removed the extra argument, and then removed similar arguments from other methods until
        I could build successfully again. It turned out that many methods took a VM& argument
        just for calling getConcurrently().

        * bytecode/CodeBlock.cpp:
        (JSC::dumpStructure):
        (JSC::dumpChain):
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::printPutByIdCacheStatus):
        * bytecode/ComplexGetStatus.cpp:
        (JSC::ComplexGetStatus::computeFor):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        (JSC::GetByIdStatus::computeForStubInfo):
        (JSC::GetByIdStatus::computeFor):
        * bytecode/GetByIdStatus.h:
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        (JSC::PutByIdStatus::computeForStubInfo):
        (JSC::PutByIdStatus::computeFor):
        * bytecode/PutByIdStatus.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
        * runtime/IntendedStructureChain.cpp:
        (JSC::IntendedStructureChain::mayInterceptStoreTo):
        * runtime/IntendedStructureChain.h:
        * runtime/Structure.cpp:
        (JSC::Structure::getConcurrently):
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::getConcurrently):

2014-09-20  Filip Pizlo  <fpizlo@apple.com>

        FTL OSRExit construction should be based on methods that return ExitValues rather than methods that add ExitValues to OSRExit
        https://bugs.webkit.org/show_bug.cgi?id=136978

        Reviewed by Dean Jackson.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
        (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
        (JSC::FTL::LowerDFGToLLVM::exitArgument):
        (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode): Deleted.
        (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument): Deleted.
        (JSC::FTL::LowerDFGToLLVM::addExitArgument): Deleted.

2014-09-20  Filip Pizlo  <fpizlo@apple.com>

        FTL OSR exit should do reboxing and value recovery in the same pass
        https://bugs.webkit.org/show_bug.cgi?id=136977

        Reviewed by Oliver Hunt.
        
        It's conceptually simpler to have all of the logic in one place. After the
        recover-and-rebox loop is done, all of the exit values are in the form that the baseline
        JIT would want them to be in; the only remaining task is to move them into the right
        place on the stack after we do all of the necessary stack adjustments.

        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):

2014-09-19  Filip Pizlo  <fpizlo@apple.com>

        StorageAccessData should be referenced in a sensible way
        https://bugs.webkit.org/show_bug.cgi?id=136963

        Reviewed and rubber stamped by Michael Saboff.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleGetByOffset):
        (JSC::DFG::ByteCodeParser::handlePutByOffset):
        (JSC::DFG::ByteCodeParser::handlePutById):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
        (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToGetByOffset):
        (JSC::DFG::Node::convertToPutByOffset):
        (JSC::DFG::Node::storageAccessData):
        (JSC::DFG::Node::storageAccessDataIndex): Deleted.
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
        (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):

2014-09-19  Ryosuke Niwa  <rniwa@webkit.org>

        Leak of mallocs under StructureSet::OutOfLineList::create
        https://bugs.webkit.org/show_bug.cgi?id=136970

        Reviewed by Filip Pizlo.

        addOutOfLine should free the old list when expanding the capacity.

        * bytecode/StructureSet.cpp:
        (JSC::StructureSet::addOutOfLine):

2014-09-19  Daniel Bates  <dabates@apple.com>

        Always assume internal SDK when building configuration Production
        https://bugs.webkit.org/show_bug.cgi?id=136925
        <rdar://problem/18362399>

        Reviewed by Dan Bernstein.

        As a side effect of this change we will always enable ENABLE_TOUCH_EVENTS, ENABLE_IOS_{GESTURE, TOUCH}_EVENTS,
        and ENABLE_XSLT when either building configuration Production or building with the Internal SDK.

        * Configurations/Base.xcconfig:

2014-09-19  Diego Pino Garcia  <dpino@igalia.com>

        Simple ES6 feature:String prototype additions
        https://bugs.webkit.org/show_bug.cgi?id=131704

        Reviewed by Darin Adler.

        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        (JSC::stringProtoFuncStartsWith): Added.
        (JSC::stringProtoFuncEndsWith): Added.
        (JSC::stringProtoFuncContains): Added.

2014-09-18  Joseph Pecoraro  <pecoraro@apple.com>

        Unreviewed rollout r173731. Broke multiple builds.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::connectFrontend):
        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::RemoteInspector):
        (Inspector::RemoteInspector::setupFailed):
        (Inspector::RemoteInspector::start):
        (Inspector::RemoteInspector::stopInternal):
        (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
        (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
        (Inspector::RemoteInspector::xpcConnectionFailed):
        (Inspector::RemoteInspector::receivedSetupMessage):
        (Inspector::globalAutomaticInspectionState): Deleted.
        (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate): Deleted.
        (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage): Deleted.
        (Inspector::RemoteInspector::setupSucceeded): Deleted.
        (Inspector::RemoteInspector::waitingForAutomaticInspection): Deleted.
        (Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage): Deleted.
        (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage): Deleted.
        * inspector/remote/RemoteInspectorConstants.h:
        * inspector/remote/RemoteInspectorDebuggable.cpp:
        (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
        (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection): Deleted.
        * inspector/remote/RemoteInspectorDebuggable.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorDebuggableConnection::setup):
        * runtime/JSGlobalObjectDebuggable.cpp:
        (JSC::JSGlobalObjectDebuggable::connect):
        (JSC::JSGlobalObjectDebuggable::pauseWaitingForAutomaticInspection): Deleted.
        * runtime/JSGlobalObjectDebuggable.h:

2014-09-18  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Should be able to attach a debugger to a JSContext before anything is executed
        https://bugs.webkit.org/show_bug.cgi?id=136893

        Reviewed by Timothy Hatcher.

        Adds new remote inspector protocol handling for automatic inspection.
        Debuggers can signal they have enabled automatic inspection, and
        when debuggables are created the current application will pause to
        see if the debugger will inspect or decline to inspect the debuggable.

        * inspector/remote/RemoteInspectorConstants.h:
        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::globalAutomaticInspectionState):
        (Inspector::RemoteInspector::RemoteInspector):
        (Inspector::RemoteInspector::start):
        When first starting, check the global "is there an auto-inspect" debugger state.
        This is necessary so that the current application knows if it should pause or
        not when a debuggable is created, even without having connected to webinspectord yet.

        (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate):
        When a debuggable has enabled remote inspection, take this path to propose
        it as an automatic inspection candidate if there is an auto-inspect debugger.

        (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage):
        Send the automatic inspection candidate message.

        (Inspector::RemoteInspector::receivedSetupMessage):
        (Inspector::RemoteInspector::setupFailed):
        (Inspector::RemoteInspector::setupSucceeded):
        After attempting to open an inspector, unpause if it was for the
        automatic inspection candidate.

        (Inspector::RemoteInspector::waitingForAutomaticInspection):
        When running a nested runloop, check if we should remain paused.

        (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
        If by the time we connect to webinspectord we have a candidate, then
        immediately send the candidate message.

        (Inspector::RemoteInspector::stopInternal):
        (Inspector::RemoteInspector::xpcConnectionFailed):
        In error cases, clear our state.

        (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
        (Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage):
        (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage):
        Update state when receiving new messages.


        * inspector/remote/RemoteInspectorDebuggable.h:
        * inspector/remote/RemoteInspectorDebuggable.cpp:
        (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
        Special case when a debuggable is newly allowed to be debuggable.

        (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection):
        Run a nested run loop while this is an automatic inspection candidate.

        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::connectFrontend):
        When the inspector starts via automatic inspection automatically pause.
        We plan on removing this condition by having the frontend signal to the
        backend when it is completely initialized.
        
        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorDebuggableConnection::setup):
        Pass on the flag of whether or not this was automatic inspection.

        * runtime/JSGlobalObjectDebuggable.h:
        * runtime/JSGlobalObjectDebuggable.cpp:
        (JSC::JSGlobalObjectDebuggable::connect):
        (JSC::JSGlobalObjectDebuggable::pauseWaitingForAutomaticInspection):
        When pausing in a JSGlobalObject we need to release the API lock.

2014-09-18  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        Fix "Tools/Scripts/build-webkit --efl --no-inspector" build
        https://bugs.webkit.org/show_bug.cgi?id=136912

        Reviewed by Darin Adler.

        * runtime/TypeSet.cpp:
        (JSC::TypeSet::leastCommonAncestor):

2014-09-17  Michael Saboff  <msaboff@apple.com>

        Change CallFrame to use Callee instead of JSScope to implement vm()
        https://bugs.webkit.org/show_bug.cgi?id=136894

        Reviewed by Geoffrey Garen.

        Added JSCell::vm() method that can be used on any JSObject.  Changed CallFrame::vm() to
        use JSCell::vm with the Callee.  Made similar changes in the LLInt.
        In support of this, changed JSGlobalObject::init() to take a VM& parameter, as there is
        a chicken/egg problem with trying to use the Callee in the global exec before the Callee
        has been create.  Besides, the vm is readily available in finishCreation(), the caller of
        init().

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        Changed the calculation of CallFrame::VM to use the Callee instead of JSScope.

        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::vm): New method for getting VM from the pointer.
        (JSC::ExecState::vm): Moved this method from JSScope.h to here since this file
        contains the implementation of JSCell::vm(), this file is included by all users
        of CallFrame::vm, and lastly putting it in CallFrameInlines.h required changing
        many other .h files and possible the WebCore generator generate-bindings.pl.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::finishCreation):
        Changed init() to take a VM parameter.

        * runtime/JSScope.h:
        (JSC::ExecState::vm): Deleted.

2014-09-16  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, disable native inlining because it causes build failures.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-09-16  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Reduce a bit of churn setting initial remote inspection state
        https://bugs.webkit.org/show_bug.cgi?id=136875

        Reviewed by Timothy Hatcher.

        * API/JSContextRef.cpp:
        (JSGlobalContextCreateInGroup):
        Set the defaultl remote debuggable state at the API boundary.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        Do not set remote debuggable state here. Let clients set it.

2014-09-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        Promise: Drop Promise.cast
        https://bugs.webkit.org/show_bug.cgi?id=136222

        Reviewed by Sam Weinig.

        Promise.cast is dropped and Promise.resolve is replaced with old Promise.cast.

        * runtime/CommonIdentifiers.h:
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructorFuncResolve):
        (JSC::JSPromiseConstructorFuncRace):
        (JSC::JSPromiseConstructorFuncAll):
        (JSC::JSPromiseConstructorFuncCast): Deleted.

2014-09-16  Filip Pizlo  <fpizlo@apple.com>

        Local OSR availability calculation should be reusable
        https://bugs.webkit.org/show_bug.cgi?id=136860

        Reviewed by Oliver Hunt.
        
        Previously, the FTL lowering repeated some of the logic of the OSR availability analysis
        phase. Humorously, it actually did this logic a bit differently; for example the phase
        would claim that a SetLocal makes both the flush and the node available while the FTL
        only claimed that the flush was available. This different was benign, but still: yuck!
        
        Also, previously if you wanted to use availability information then you'd have to repeat
        some of the logic that both the phase itself and the FTL lowering already had.
        Presumably, you could get epic style points for finding other benign ways in which to
        make your copy of the logic different from the other two!
        
        This reduces the amount of style points one could conceivably get in the future when
        hacking JSC, by creating a single reusable thingy for computing local OSR availability.

        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
        (JSC::DFG::LocalOSRAvailabilityCalculator::LocalOSRAvailabilityCalculator):
        (JSC::DFG::LocalOSRAvailabilityCalculator::~LocalOSRAvailabilityCalculator):
        (JSC::DFG::LocalOSRAvailabilityCalculator::beginBlock):
        (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
        * dfg/DFGOSRAvailabilityAnalysisPhase.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::compileBlock):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
        (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
        (JSC::FTL::LowerDFGToLLVM::availability):
        (JSC::FTL::LowerDFGToLLVM::compileMovHint): Deleted.
        (JSC::FTL::LowerDFGToLLVM::compileZombieHint): Deleted.
        (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock): Deleted.

2014-09-16  Csaba Osztrogonác  <ossy@webkit.org>

        JSC test gardening
        https://bugs.webkit.org/show_bug.cgi?id=136823

        Reviewed by Geoffrey Garen.

        * tests/mozilla/mozilla-tests.yaml: Unskip passing tests.

2014-09-15  Michael Saboff  <msaboff@apple.com>

        Create a JSCallee for GlobalExec object
        https://bugs.webkit.org/show_bug.cgi?id=136840

        Reviewed by Geoffrey Garen.

        Added m_globalCallee, initialized it and then used it to set the globalExec's callee.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:

2014-09-14  Filip Pizlo  <fpizlo@apple.com>

        DFG ref count calculation should be reusable
        https://bugs.webkit.org/show_bug.cgi?id=136811

        Reviewed by Oliver Hunt.
        
        Henceforth if you call Graph::computeRefCounts(), a nifty O(n) operation, every Node
        will be able to tell you how many places it is used from. Currently only DCE uses this,
        but it will be useful for https://bugs.webkit.org/show_bug.cgi?id=136330.

        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::run):
        (JSC::DFG::DCEPhase::findTypeCheckRoot): Deleted.
        (JSC::DFG::DCEPhase::countNode): Deleted.
        (JSC::DFG::DCEPhase::countEdge): Deleted.
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::computeRefCounts):
        * dfg/DFGGraph.h:

2014-09-12  Michael Saboff  <msaboff@apple.com>

        Merge JSGlobalObject::reset() into ::init()
        https://bugs.webkit.org/show_bug.cgi?id=136800

        Reviewed by Oliver Hunt.

        Moved the contents of reset() into init().
        Note that the diff shows more changes.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init): Moved body of reset() into init.
        (JSC::JSGlobalObject::put):
        (JSC::JSGlobalObject::defineOwnProperty):
        (JSC::JSGlobalObject::addGlobalVar):
        (JSC::JSGlobalObject::addFunction):
        (JSC::lastInPrototypeChain):
        (JSC::JSGlobalObject::reset): Deleted.
        * runtime/JSGlobalObject.h:

2014-09-12  Michael Saboff  <msaboff@apple.com>

        Add JSCallee to program and eval CallFrames
        https://bugs.webkit.org/show_bug.cgi?id=136785

        Reviewed by Mark Lam.

        Populated Callee slot for program and call eval CallFrames with a JSCallee objects.
        Made supporting changes including adding a JSCallee structure to global object and adding
        JSCallee::create() method.  Added code so that the newly added callee object won't be
        returned by Function.caller.  Changed null pointer checks of callee to check the if
        the type is JSFunction* or JSCallee*.

        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::functionName):
        (JSC::DebuggerCallFrame::type):
        * profiler/LegacyProfiler.cpp:
        (JSC::LegacyProfiler::createCallIdentifier):
        * interpreter/Interpreter.cpp:
        (JSC::unwindCallFrame):
        Changed checks of callee is a JSFunction* or JSCallee* instead of just checking
        if it is null or not.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute): Create and use JSCallee objects for execute(EvalExecutable, ...)
        and execute(ProgramExecutable, ...)

        * jit/JITCode.cpp:
        (JSC::JITCode::execute): Use jsDynamicCast to cast only JSFunctions.

        * runtime/JSCallee.cpp:
        (JSC::JSCallee::create): Not used, therefore deleted.

        * runtime/JSCallee.h:
        (JSC::JSCallee::create): Added.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::callerGetter): Added test to return null for JSCallee's that aren't
        JSFunction's.  This can only be the case when the JSCallee comes from a program or
        call eval CallFrame.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::calleeStructure):
        Added new JSCallee structure.

2014-09-10  Jon Honeycutt  <jhoneycutt@apple.com>

        Re-add the request autocomplete feature

        <https://bugs.webkit.org/show_bug.cgi?id=136730>

        This feature was rolled out in r148731 because it was only used by
        Chromium. As we consider supporting this feature, roll it back in, but
        leave it disabled.

        This rolls out r148731 (which removed the feature) with small changes
        needed to make the code build in ToT, to match modern style, to make
        the tests run, and to remove unused code.

        Reviewed by Andy Estes.

        * Configurations/FeatureDefines.xcconfig:

2014-09-12  Julien Brianceau  <jbriance@cisco.com>

        [x86] moveDoubleToInts() does not clobber its source register anymore
        https://bugs.webkit.org/show_bug.cgi?id=131690

        Reviewed by Oliver Hunt.

        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::moveDoubleToInts):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueRep):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::returnDouble):

2014-09-12  Mark Lam  <mark.lam@apple.com>

        Unreviewed build fix for CLOOP build.

        * runtime/JSCallee.h:

2014-09-12  Michael Saboff  <msaboff@apple.com>

        Remove unneeded declarations from JSCallee.h
        https://bugs.webkit.org/show_bug.cgi?id=136783

        Reviewed by Mark Lam.

        * runtime/JSCallee.h:
        (JSCallee::name): Deleted.
        (JSCallee::displayName): Deleted.
        (JSCallee::calculatedDisplayName): Deleted.

2014-09-11  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: disambiguate double and integer primitive types in the protocol
        https://bugs.webkit.org/show_bug.cgi?id=136606

        Reviewed by Timothy Hatcher.

        Right now it's really easy to mix up doubles and integers when serializing or deserializing
        values for the inspector protocol. This patch disambiguates setting/getting doubles and integers
        so that it is clearer as to which type is intended.

        A new InspectorValue::Type is added for Integer types, and the Number type is renamed to Double.
        The existing callsites for asNumber/getNumber/setNumber have been fixed.

        Address various integration points to make sure the right type tag is assigned to InspectorValues.

        * bindings/ScriptValue.cpp:
        (Deprecated::jsToInspectorValue): Make an Integer if the JSValue is Int52 or smaller.
        * inspector/InjectedScriptManager.cpp:
        (Inspector::InjectedScriptManager::injectedScriptForObjectId):
        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::InspectorBackendDispatcher::dispatch):
        (Inspector::InspectorBackendDispatcher::sendResponse):
        (Inspector::InspectorBackendDispatcher::reportProtocolError):
        (Inspector::AsMethodBridges::asInteger):
        (Inspector::AsMethodBridges::asDouble):
        (Inspector::InspectorBackendDispatcher::getInteger):
        (Inspector::InspectorBackendDispatcher::getDouble):
        (Inspector::AsMethodBridges::asInt): Deleted.
        (Inspector::InspectorBackendDispatcher::getInt): Deleted.
        * inspector/InspectorBackendDispatcher.h:
        * inspector/InspectorProtocolTypes.h: Remove the special case for checking int type tags.
        (Inspector::Protocol::ArrayItemHelper<int>::Traits::pushRaw):
        (Inspector::Protocol::ArrayItemHelper<double>::Traits::pushRaw):
        (Inspector::Protocol::BindingTraits<int>::assertValueHasExpectedType): Deleted.
        * inspector/InspectorValues.cpp: Allow integers and doubles to be convertible using asInteger/asDouble.
        (Inspector::InspectorValue::asDouble):
        (Inspector::InspectorValue::asInteger):
        (Inspector::InspectorBasicValue::asDouble):
        (Inspector::InspectorBasicValue::asInteger):
        (Inspector::InspectorBasicValue::writeJSON):
        (Inspector::InspectorValue::asNumber): Deleted.
        (Inspector::InspectorBasicValue::asNumber): Deleted.
        * inspector/InspectorValues.h:
        (Inspector::InspectorObjectBase::setInteger):
        (Inspector::InspectorObjectBase::setDouble):
        (Inspector::InspectorArrayBase::pushInteger):
        (Inspector::InspectorArrayBase::pushDouble):
        (Inspector::InspectorObjectBase::setNumber): Deleted.
        (Inspector::InspectorArrayBase::pushInt): Deleted.
        (Inspector::InspectorArrayBase::pushNumber): Deleted.
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::buildObjectForBreakpointCookie):
        (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
        (Inspector::parseLocation):
        (Inspector::InspectorDebuggerAgent::didParseSource):
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        * inspector/scripts/codegen/generator.py: Update emitted code and rebaseline test results.
        (Generator.keyed_get_method_for_type):
        (Generator.keyed_set_method_for_type):
        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
        * replay/EncodedValue.cpp:
        (JSC::EncodedValue::convertTo<double>):
        (JSC::EncodedValue::convertTo<float>):
        (JSC::EncodedValue::convertTo<int32_t>):
        (JSC::EncodedValue::convertTo<int64_t>):
        (JSC::EncodedValue::convertTo<uint32_t>):
        (JSC::EncodedValue::convertTo<uint64_t>):

2014-09-11  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Occasional ASSERT closing web inspector
        https://bugs.webkit.org/show_bug.cgi?id=136762

        Reviewed by Timothy Hatcher.

        It is harmless, and indeed possible to have an empty set of listeners
        now that each Page gets its own PageDebugServer instead of a shared
        global. So we should replace the null checks with isEmpty checks.
        Since nobody was ever returning null, convert to references as well.

        * inspector/JSGlobalObjectScriptDebugServer.h:
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::dispatchBreakpointActionLog):
        (Inspector::ScriptDebugServer::dispatchBreakpointActionSound):
        (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe):
        (Inspector::ScriptDebugServer::sourceParsed):
        (Inspector::ScriptDebugServer::dispatchFunctionToListeners):
        (Inspector::ScriptDebugServer::notifyDoneProcessingDebuggerEvents):
        (Inspector::ScriptDebugServer::handlePause):
        (Inspector::ScriptDebugServer::needPauseHandling): Deleted.
        * inspector/ScriptDebugServer.h:

2014-09-10  Michael Saboff  <msaboff@apple.com>

        Move JSScope out of JSFunction into separate JSCallee class
        https://bugs.webkit.org/show_bug.cgi?id=136725

        Reviewed by Oliver Hunt.

        Created new JSCallee class that contains a JSScope*.  Changed JSFunction to inherit from
        JSCallee.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        Build changes.  Added JSCallee.cpp and JSCallee.h.

        * runtime/JSCallee.cpp: Added.
        (JSC::JSCallee::create):
        (JSC::JSCallee::destroy):
        (JSC::JSCallee::JSCallee):
        (JSC::JSCallee::finishCreation):
        (JSC::JSCallee::visitChildren):
        (JSC::JSCallee::getOwnPropertySlot): Pass through wrapper function.
        (JSC::JSCallee::getOwnNonIndexPropertyNames): Pass through wrapper function.
        (JSC::JSCallee::put): Pass through wrapper function.
        (JSC::JSCallee::deleteProperty): Pass through wrapper function.
        (JSC::JSCallee::defineOwnProperty): Pass through wrapper function.

        * runtime/JSCallee.h: Added.
        (JSC::JSCallee::scope):
        (JSC::JSCallee::scopeUnchecked):
        (JSC::JSCallee::setScope):
        (JSC::JSCallee::createStructure):
        (JSC::JSCallee::offsetOfScopeChain):

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::JSFunction):
        (JSC::JSFunction::addNameScopeIfNeeded):
        (JSC::JSFunction::visitChildren):
        * runtime/JSFunction.h:
        (JSC::JSFunction::scope): Deleted.
        (JSC::JSFunction::scopeUnchecked): Deleted.
        (JSC::JSFunction::setScope): Deleted.
        (JSC::JSFunction::offsetOfScopeChain): Deleted.
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::JSFunction):
        Changed to reference JSCallee and its methods.

        * runtime/JSType.h: Added JSCallee as a TypeEnum.

2014-09-11  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION (r172129): Vine pages load as blank
        https://bugs.webkit.org/show_bug.cgi?id=136655
        rdar://problem/18281215

        Reviewed by Michael Saboff.
        
        If lastNode is something that is subject to DCE, then removing the Phantom's reference to something
        that lastNode references means that the thing being referenced may no longer be kept alive for OSR.
        Teach PhantomRemovalPhase that it's only safe to do this if lastNode is a Phantom. That's probably too
        conservative, but that's fine since this is mainly just an optimization to make the IR sane to read and
        reasonably compact; it's OK if we miss cases here.

        * dfg/DFGPhantomRemovalPhase.cpp:
        (JSC::DFG::PhantomRemovalPhase::run):
        * tests/stress/remove-phantom-after-setlocal.js: Added.

2014-09-11  Bear Travis  <betravis@adobe.com>

        [CSS Font Loading] Enable CSS Font Loading on Mac
        https://bugs.webkit.org/show_bug.cgi?id=135473

        Reviewed by Antti Koivisto.

        Enable CSS Font Loading in FeatureDefines.

        * Configurations/FeatureDefines.xcconfig:

2014-09-11  Joseph Pecoraro  <pecoraro@apple.com>

        Unreviewed rebaseline of inspector generator test results after r173120.

        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:

2014-09-11  Oliver Hunt  <oliver@apple.com>

        Rename activation to be more in line with spec language
        https://bugs.webkit.org/show_bug.cgi?id=136721

        Reviewed by Michael Saboff.

        Somewhat bigger than the last one, but still just a rename.

        * CMakeLists.txt:
        * JavaScriptCore.order:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CallVariant.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::isCaptured):
        (JSC::CodeBlock::nameForRegister):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::setActivationRegister):
        (JSC::CodeBlock::activationRegister):
        (JSC::CodeBlock::uncheckedActivationRegister):
        (JSC::CodeBlock::needsActivation):
        * bytecode/Instruction.h:
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::setActivationRegister):
        (JSC::UnlinkedCodeBlock::activationRegister):
        (JSC::UnlinkedCodeBlock::hasActivationRegister):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitReturn):
        * bytecompiler/BytecodeGenerator.h:
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::scope):
        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::isFunctionOrEvalScope):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::tryGetActivation):
        (JSC::DFG::Graph::tryGetRegisters):
        * dfg/DFGGraph.h:
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::lexicalEnvironment):
        (JSC::CallFrame::setActivation):
        (JSC::CallFrame::activation): Deleted.
        * interpreter/CallFrame.h:
        * interpreter/Interpreter.cpp:
        (JSC::unwindCallFrame):
        * interpreter/Register.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_tear_off_lexical_environment):
        (JSC::JIT::emit_op_tear_off_arguments):
        (JSC::JIT::emit_op_create_lexical_environment):
        (JSC::JIT::emit_op_tear_off_activation): Deleted.
        (JSC::JIT::emit_op_create_activation): Deleted.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_tear_off_lexical_environment):
        (JSC::JIT::emit_op_tear_off_arguments):
        (JSC::JIT::emit_op_create_lexical_environment):
        (JSC::JIT::emit_op_tear_off_activation): Deleted.
        (JSC::JIT::emit_op_create_activation): Deleted.
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/Arguments.cpp:
        (JSC::Arguments::visitChildren):
        (JSC::Arguments::tearOff):
        (JSC::Arguments::didTearOffActivation):
        * runtime/Arguments.h:
        (JSC::Arguments::offsetOfActivation):
        (JSC::Arguments::argument):
        (JSC::Arguments::finishCreation):
        * runtime/CommonSlowPaths.cpp:
        * runtime/JSFunction.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::activationStructure):
        * runtime/JSLexicalEnvironment.cpp: Renamed from Source/JavaScriptCore/runtime/JSActivation.cpp.
        (JSC::JSLexicalEnvironment::visitChildren):
        (JSC::JSLexicalEnvironment::symbolTableGet):
        (JSC::JSLexicalEnvironment::symbolTablePut):
        (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
        (JSC::JSLexicalEnvironment::symbolTablePutWithAttributes):
        (JSC::JSLexicalEnvironment::getOwnPropertySlot):
        (JSC::JSLexicalEnvironment::put):
        (JSC::JSLexicalEnvironment::deleteProperty):
        (JSC::JSLexicalEnvironment::toThis):
        (JSC::JSLexicalEnvironment::argumentsGetter):
        * runtime/JSLexicalEnvironment.h: Renamed from Source/JavaScriptCore/runtime/JSActivation.h.
        (JSC::JSLexicalEnvironment::create):
        (JSC::JSLexicalEnvironment::createStructure):
        (JSC::JSLexicalEnvironment::JSLexicalEnvironment):
        (JSC::asActivation):
        (JSC::Register::lexicalEnvironment):
        (JSC::JSLexicalEnvironment::registersOffset):
        (JSC::JSLexicalEnvironment::tearOff):
        (JSC::JSLexicalEnvironment::isTornOff):
        (JSC::JSLexicalEnvironment::storageOffset):
        (JSC::JSLexicalEnvironment::storage):
        (JSC::JSLexicalEnvironment::allocationSize):
        (JSC::JSLexicalEnvironment::isValidIndex):
        (JSC::JSLexicalEnvironment::isValid):
        (JSC::JSLexicalEnvironment::registerAt):
        * runtime/JSObject.h:
        * runtime/JSScope.cpp:
        (JSC::abstractAccess):
        * runtime/JSScope.h:
        (JSC::ResolveOp::ResolveOp):
        * runtime/JSSymbolTableObject.cpp:
        * runtime/StrictEvalActivation.h:
        (JSC::StrictEvalActivation::create):
        * runtime/VM.cpp:

2014-09-11  László Langó  <llango.u-szeged@partner.samsung.com>

        [JavaScriptCore] Fix FTL on platform EFL.
        https://bugs.webkit.org/show_bug.cgi?id=133571

        Reviewed by Filip Pizlo.

        There are no compact_unwind sections on Linux systems so FTL crashes.
        We have to parse eh_frame in FTLUnwindInfo instead of compact_unwind
        and get the information for stack unwinding from there.

        * CMakeLists.txt: Revert r169181.
        * ftl/FTLCompile.cpp:
        Change section name literals to use SECTION_NAME macro, because of architecture differencies.
        (JSC::FTL::mmAllocateCodeSection):
        (JSC::FTL::mmAllocateDataSection):
        (JSC::FTL::compile):
        * ftl/FTLJITCode.h:
        We need the SECTION_NAME macro in FTLCompile and FTLLink, so we define it here.
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLState.h:
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State):
        * ftl/FTLUnwindInfo.h:
        * ftl/FTLUnwindInfo.cpp:
        Lift the eh_frame parsing method from LLVM/libcxxabi project and modify it for our purposes.
        Parse eh_frame on Linux instead of compact_unwind.
        (JSC::FTL::UnwindInfo::parse):

2014-09-10  Saam Barati  <saambarati1@gmail.com>

        Web Inspector: Modify the type profiler runtime protocol to transfer some computation into the WebInspector
        https://bugs.webkit.org/show_bug.cgi?id=136500

        Reviewed by Joseph Pecoraro.

        This patch changes the type profiler protocol to the Web Inspector
        by moving the work of calculating computed properties that effect the UI 
        into the Web Inspector. This makes the Web Inspector have control over the 
        strings it displays as UI elements representing type information to the user 
        instead of JavaScriptCore deciding on a convention for these strings.
        JavaScriptCore now sends enough information to the Web Inspector so that 
        it can compute the properties JavaScriptCore used to compute.

        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        * inspector/protocol/Runtime.json:
        * runtime/TypeProfiler.cpp:
        (JSC::TypeProfiler::getTypesForVariableAtOffsetForInspector): Deleted.
        * runtime/TypeProfiler.h:
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::inspectorTypeSet):
        (JSC::StructureShape::leastCommonAncestor):
        (JSC::StructureShape::inspectorRepresentation):
        * runtime/TypeSet.h:

2014-09-10  Akos Kiss  <akiss@inf.u-szeged.hu>

        Apply ARM64-specific lowering to load/store instructions in offlineasm
        https://bugs.webkit.org/show_bug.cgi?id=136569

        Reviewed by Michael Saboff.

        The standard risc lowering of load/store instructions with base +
        immediate offset addresses is to move the offset to a temporary, add the
        base to the temporary, and then change the load/store to use the
        temporary + 0 immediate offset address. However, on ARM64, base +
        register offset addressing mode is available, so it is unnecessary to
        perform explicit register additions but it is enough to change load/store
        to use base + temporary as the address.

        * offlineasm/arm64.rb: Added arm64LowerMalformedLoadStoreAddresses

2014-09-10  Oliver Hunt  <oliver@apple.com>

        Rename JSVariableObject to JSEnvironmentRecord to align naming with ES spec
        https://bugs.webkit.org/show_bug.cgi?id=136710

        Reviewed by Anders Carlsson.

        This is a trivial rename.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLAbstractHeapRepository.cpp:
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters):
        * jit/JITOpcodes32_64.cpp:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitGetClosureVar):
        (JSC::JIT::emitPutClosureVar):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitGetClosureVar):
        (JSC::JIT::emitPutClosureVar):
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::getOwnNonIndexPropertyNames):
        * runtime/JSActivation.h:
        * runtime/JSEnvironmentRecord.cpp: Renamed from Source/JavaScriptCore/runtime/JSVariableObject.cpp.
        * runtime/JSEnvironmentRecord.h: Renamed from Source/JavaScriptCore/runtime/JSVariableObject.h.
        (JSC::JSEnvironmentRecord::registers):
        (JSC::JSEnvironmentRecord::registerAt):
        (JSC::JSEnvironmentRecord::addressOfRegisters):
        (JSC::JSEnvironmentRecord::offsetOfRegisters):
        (JSC::JSEnvironmentRecord::JSEnvironmentRecord):
        * runtime/JSNameScope.h:
        * runtime/JSSegmentedVariableObject.h:

2014-09-10  Julien Brianceau   <jbriance@cisco.com>

        [mips] Add missing parts and fix LLINT mips backend
        https://bugs.webkit.org/show_bug.cgi?id=136706

        Reviewed by Michael Saboff.

        * llint/LowLevelInterpreter.asm: Fix invalid CalleeSave register number.
        Implement initPCRelative and setEntryAddress macros.
        * llint/LowLevelInterpreter32_64.asm: Fix register distribution in
        doVMEntry macro.

2014-09-10  Saam Barati  <saambarati1@gmail.com>

        TypeSet needs a mode where it no longer profiles structure shapes
        https://bugs.webkit.org/show_bug.cgi?id=136263

        Reviewed by Filip Pizlo.

        The TypeSet data structure used to gather as many StructureShape
        objects as it encountered during type profiling. But, this meant 
        that there was no upper limit on how many objects it could allocate. 
        This patch places a fixed upper bound on the number of StructureShapes
        allocated per TypeSet to prevent using too much memory for little gain
        in type profiling usefulness.

        StructureShape objects are now also aware of when they are created
        from Structures which are dictionaries.

        In total, this patch lays the final groundwork needed in refactoring 
        the inspector protocol for the type profiler.

        * runtime/Structure.cpp:
        (JSC::Structure::toStructureShape):
        * runtime/TypeProfiler.cpp:
        (JSC::TypeProfiler::typeInformationForExpressionAtOffset):
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::TypeSet):
        (JSC::TypeSet::addTypeInformation):
        (JSC::StructureShape::StructureShape):
        (JSC::StructureShape::toJSONString):
        (JSC::StructureShape::enterDictionaryMode):
        * runtime/TypeSet.h:
        (JSC::TypeSet::isOverflown):
        * tests/typeProfiler/dictionary-mode.js: Added.
        (wrapper):
        * tests/typeProfiler/driver/driver.js:
        * tests/typeProfiler/overflow.js: Added.
        (wrapper.Proto):
        (wrapper):

2014-09-10  Peter Gal  <galpeter@inf.u-szeged.hu>

        [MIPS] branch32WithPatch missing
        https://bugs.webkit.org/show_bug.cgi?id=136696

        Reviewed by Michael Saboff.

        Added the missing branch32WithPatch. The implementation
        is currently the same as the branchPtrithPatch because
        the macro assembler supports only 32 bit MIPS.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::branch32WithPatch):

2014-09-10  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        Fix !ENABLE(DFG_JIT) build
        https://bugs.webkit.org/show_bug.cgi?id=136702

        Reviewed by Michael Saboff.

        * bytecode/CallEdgeProfile.h:

2014-09-09  Benjamin Poulain  <bpoulain@apple.com>

        Disable the "unreachable-code" warning
        https://bugs.webkit.org/show_bug.cgi?id=136677

        Reviewed by Darin Adler.

        * Configurations/Base.xcconfig:

2014-09-08  Filip Pizlo  <fpizlo@apple.com>

        DFG should have a reusable SSA builder
        https://bugs.webkit.org/show_bug.cgi?id=136331

        Reviewed by Oliver Hunt.
        
        We want to implement sophisticated SSA transformations like object allocation sinking
        (https://bugs.webkit.org/show_bug.cgi?id=136330), but to do that, we need to be able to do
        updates to SSA that require inserting new Phi's. This requires calculating where Phis go.
        Previously, our Phi calculation was based on Aycock and Horspool's algorithm, and our
        implementation of this algorithm only worked when doing CPS->SSA conversion. The code
        could not be reused for cases where some phase happens to know that it introduced a few
        defs in some blocks and it wants to figure out where the Phis should go. Moreover, even
        the general algorithm of Aycock and Horspool is not well suited to such targetted SSA
        updates, since it requires first inserting maximal Phis. That scales well when the Phis
        were already there (like in our CPS form) but otherwise it's quite unnatural and may be
        difficult to make efficient.
        
        The usual way of handling both SSA conversion and SSA update is to use Cytron et al's
        algorithm based on dominance frontiers. For a while now, I've been working on creating a
        Cytron-based SSA calculator that can be used both as a replacement for our current SSA
        converter and as a reusable tool for any phase that needs to do SSA update. I previously
        optimized our dominator calculation and representation to use dominator trees computed
        using Lengauer and Tarjan's algorithm - mainly to make it more scalable to enumerate over
        the set of blocks that dominate you or vice-versa, and then I implemented a dominance
        frontier calculator. This patch implements the final step towards making SSA update
        available to all SSA phases: it implements an SSACalculator that can tell you where Phis
        go when given an arbitrary set of Defs. To keep things simple, and to ensure that we have
        good test coverage for this SSACalculator, this patch replaces the old Aycock-Horspool
        SSA converter with one based on the SSACalculator.
        
        This has no observable impact. It does reduce the amount of code in SSAConversionPhase.
        But even better, it makes SSAConversionPhase have significantly less tricky logic. It
        mostly just relies on SSACalculator to do the tricky stuff, and SSAConversionPhase mostly
        just reasons about the weirdnesses unique to the ThreadedCPS form that it sees as input.
        In fact, using the Cytron et al approach means that there isn't really any "smoke and
        mirrors" trickyness related to SSA. SSACalculator's only "tricks" are using the pruned
        iterated dominance frontier to place Phi's and using the dom tree to find reaching defs.
        The complexity is mostly confined to Dominators, which computes various dominator-related
        properties over the control flow graph. That class can be difficult to understand, but at
        least it follows well-known graph theory wisdom.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAnalysis.h:
        * dfg/DFGCSEPhase.cpp:
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::run):
        * dfg/DFGDominators.h:
        (JSC::DFG::Dominators::immediateDominatorOf):
        (JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOf):
        (JSC::DFG::Dominators::forAllBlocksInPrunedIteratedDominanceFrontierOf):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::blocksInPreOrder):
        (JSC::DFG::Graph::blocksInPostOrder):
        (JSC::DFG::Graph::getBlocksInPreOrder): Deleted.
        (JSC::DFG::Graph::getBlocksInPostOrder): Deleted.
        * dfg/DFGGraph.h:
        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::run):
        * dfg/DFGNodeFlags.h:
        * dfg/DFGPhase.cpp:
        (JSC::DFG::Phase::beginPhase):
        (JSC::DFG::Phase::endPhase):
        * dfg/DFGPhase.h:
        * dfg/DFGSSACalculator.cpp: Added.
        (JSC::DFG::SSACalculator::Variable::dump):
        (JSC::DFG::SSACalculator::Variable::dumpVerbose):
        (JSC::DFG::SSACalculator::Def::dump):
        (JSC::DFG::SSACalculator::SSACalculator):
        (JSC::DFG::SSACalculator::~SSACalculator):
        (JSC::DFG::SSACalculator::newVariable):
        (JSC::DFG::SSACalculator::newDef):
        (JSC::DFG::SSACalculator::nonLocalReachingDef):
        (JSC::DFG::SSACalculator::reachingDefAtTail):
        (JSC::DFG::SSACalculator::dump):
        * dfg/DFGSSACalculator.h: Added.
        (JSC::DFG::SSACalculator::Variable::index):
        (JSC::DFG::SSACalculator::Variable::Variable):
        (JSC::DFG::SSACalculator::Def::variable):
        (JSC::DFG::SSACalculator::Def::block):
        (JSC::DFG::SSACalculator::Def::value):
        (JSC::DFG::SSACalculator::Def::Def):
        (JSC::DFG::SSACalculator::variable):
        (JSC::DFG::SSACalculator::computePhis):
        (JSC::DFG::SSACalculator::phisForBlock):
        (JSC::DFG::SSACalculator::reachingDefAtHead):
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::SSAConversionPhase):
        (JSC::DFG::SSAConversionPhase::run):
        (JSC::DFG::SSAConversionPhase::forwardPhiChildren): Deleted.
        (JSC::DFG::SSAConversionPhase::forwardPhi): Deleted.
        (JSC::DFG::SSAConversionPhase::forwardPhiEdge): Deleted.
        (JSC::DFG::SSAConversionPhase::deduplicateChildren): Deleted.
        * dfg/DFGSSAConversionPhase.h:
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::Validate):
        (JSC::DFG::Validate::dumpGraphIfAppropriate):
        (JSC::DFG::validate):
        * dfg/DFGValidate.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        * runtime/Options.h:

2014-09-08  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r173402.
        https://bugs.webkit.org/show_bug.cgi?id=136649

        Breaking buildw with error "unable to restore file position to
        0x00000c60 for section __DWARF.__debug_info (errno = 9)"
        (Requested by mlam_ on #webkit).

        Reverted changeset:

        "Move CallFrame and Register inlines functions out of
        JSScope.h."
        https://bugs.webkit.org/show_bug.cgi?id=136579
        http://trac.webkit.org/changeset/173402

2014-09-08  Mark Lam  <mark.lam@apple.com>

        Move CallFrame and Register inlines functions out of JSScope.h.
        <https://webkit.org/b/136579>

        Reviewed by Geoffrey Garen.

        This include fixing up some files to #include JSCInlines.h to pick up
        these inline functions.  I also added JSCellInlines.h to JSCInlines.h
        since it is included from many of the affected .cpp files.

        * API/ObjCCallbackFunction.mm:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bindings/ScriptValue.cpp:
        * inspector/InjectedScriptHost.cpp:
        * inspector/InjectedScriptManager.cpp:
        * inspector/JSGlobalObjectInspectorController.cpp:
        * inspector/JSJavaScriptCallFrame.cpp:
        * inspector/ScriptDebugServer.cpp:
        * interpreter/CallFrameInlines.h:
        (JSC::CallFrame::vm):
        (JSC::CallFrame::lexicalGlobalObject):
        (JSC::CallFrame::globalThisValue):
        * interpreter/RegisterInlines.h: Added.
        (JSC::Register::operator=):
        (JSC::Register::scope):
        * runtime/ArgumentsIteratorConstructor.cpp:
        * runtime/JSArrayIterator.cpp:
        * runtime/JSCInlines.h:
        * runtime/JSCJSValue.cpp:
        * runtime/JSMapIterator.cpp:
        * runtime/JSPromiseConstructor.cpp:
        * runtime/JSPromiseDeferred.cpp:
        * runtime/JSPromiseFunctions.cpp:
        * runtime/JSPromisePrototype.cpp:
        * runtime/JSPromiseReaction.cpp:
        * runtime/JSScope.h:
        (JSC::Register::operator=): Deleted.
        (JSC::Register::scope): Deleted.
        (JSC::ExecState::vm): Deleted.
        (JSC::ExecState::lexicalGlobalObject): Deleted.
        (JSC::ExecState::globalThisValue): Deleted.
        * runtime/JSSetIterator.cpp:
        * runtime/MapConstructor.cpp:
        * runtime/MapData.cpp:
        * runtime/MapIteratorPrototype.cpp:
        * runtime/MapPrototype.cpp:
        * runtime/SetConstructor.cpp:
        * runtime/SetIteratorPrototype.cpp:
        * runtime/SetPrototype.cpp:
        * runtime/WeakMapConstructor.cpp:
        * runtime/WeakMapPrototype.cpp:

2014-09-08  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        Remove FILTERS flag
        https://bugs.webkit.org/show_bug.cgi?id=136571

        Reviewed by Darin Adler.

        * Configurations/FeatureDefines.xcconfig:

2014-09-08  Saam Barati  <saambarati1@gmail.com>

        Merge StructureShapes that share the same prototype chain
        https://bugs.webkit.org/show_bug.cgi?id=136549

        Reviewed by Filip Pizlo.

        Instead of keeping track of many discrete StructureShapes that share
        the same prototype chain, TypeSet should merge StructureShapes that 
        have the same prototype chain and provide a new member variable for 
        optional structure fields. This provides a cleaner and more concise
        interface for dealing with StructureShapes within TypeSet. Instead
        of having many discrete shapes that are almost identical, almost 
        identical shapes will be merged together with an interface for 
        understanding what fields the shapes being merged together differ in.

        * runtime/TypeSet.cpp:
        (JSC::TypeSet::addTypeInformation):
        (JSC::StructureShape::addProperty):
        (JSC::StructureShape::toJSONString):
        (JSC::StructureShape::inspectorRepresentation):
        (JSC::StructureShape::hasSamePrototypeChain):
        (JSC::StructureShape::merge):
        * runtime/TypeSet.h:
        * tests/typeProfiler/optional-fields.js: Added.
        (wrapper.func):
        (wrapper):

2014-09-08  Jessie Berlin  <jberlin@apple.com>

        More 32-bit Release build fixes after r173364.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2014-09-07  Maciej Stachowiak  <mjs@apple.com>

        Fix typos in last patch to fix build.

        Unreviewed build fix.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
        (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):

2014-09-07  Maciej Stachowiak  <mjs@apple.com>

        Introduce COMPILER_QUIRK(CONSIDERS_UNREACHABLE_CODE) and use it
        https://bugs.webkit.org/show_bug.cgi?id=136616

        Reviewed by Darin Adler.
        
        Many compilers will analyze unrechable code paths (e.g. after an
        unreachable code path), so sometimes they need dead code initializations.
        But clang with suitable warnings will complain about unreachable code. So
        use the quirk to include it conditionally.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdOp):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::handleExitCounts):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThread):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
        * jsc.cpp:
        * runtime/JSArray.cpp:
        (JSC::JSArray::fillArgList):
        (JSC::JSArray::copyToArguments):
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):

2014-09-06  Darin Adler  <darin@apple.com>

        Make updates suggested by new version of Xcode
        https://bugs.webkit.org/show_bug.cgi?id=136603

        Reviewed by Mark Rowe.

        * Configurations/Base.xcconfig: Added CLANG_WARN_UNREACHABLE_CODE, COMBINE_HIDPI_IMAGES,
        and ENABLE_STRICT_OBJC_MSGSEND as suggested by Xcode upgrade check.

        * JavaScriptCore.xcodeproj/project.pbxproj: Update LastUpgradeCheck.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode): Compile out unreachable code
        for clang, since it understands the code is unreachable.
        * runtime/JSArray.cpp:
        (JSC::JSArray::fillArgList): Ditto.
        (JSC::JSArray::copyToArguments): Ditto.

2014-09-05  Matt Baker  <mattbaker@apple.com>

        Web Inspector: breakpoint actions should work regardless of Content Security Policy
        https://bugs.webkit.org/show_bug.cgi?id=136542

        Reviewed by Mark Lam.

        Added JSC::DebuggerEvalEnabler, an RAII object which enables eval on a 
        JSGlobalObject for the duration of a scope, returning the eval enabled state to its
        original value when the scope exits. Used by JSC::DebuggerCallFrame::evaluate 
        to allow breakpoint actions to execute JS in pages with a Content Security Policy
        that would normally prohibit this (such as Inspector's Main.html).

        Refactored Inspector::InjectedScriptBase to use the RAII object instead of manually
        setting eval enabled and then resetting the original eval enabled state.

        NOTE: The JS::DebuggerEvalEnabler constructor checks the passed in ExecState pointer
        for null to be equivalent with the original code in Inspector::InjectedScriptBase.
        InjectedScriptBase is getting the ExecState from ScriptObject::scriptState(), which
        can currently be null.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::evaluate):
        * debugger/DebuggerEvalEnabler.h: Added.
        (JSC::DebuggerEvalEnabler::DebuggerEvalEnabler):
        (JSC::DebuggerEvalEnabler::~DebuggerEvalEnabler):
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):

2014-09-05  peavo@outlook.com  <peavo@outlook.com>

        [WinCairo] jsc.exe won't run.
        https://bugs.webkit.org/show_bug.cgi?id=136481

        Reviewed by Alex Christensen.
        
        We need to define WIN_CAIRO to avoid looking for the AAS folder.

        * JavaScriptCore.vcxproj/jsc/DLLLauncherWinCairo.props: Added.
        * JavaScriptCore.vcxproj/jsc/jscLauncher.vcxproj:
        * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncher.vcxproj:
        * JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props:
        * JavaScriptCore.vcxproj/testapi/testapiLauncher.vcxproj:

2014-09-05  David Kilzer  <ddkilzer@apple.com>

        JavaScriptCore should build with newer clang
        <http://webkit.org/b/136002>
        <rdar://problem/18020616>

        Reviewed by Geoffrey Garen.

        Other than the JSC::SourceProvider::asID() change (which simply
        removes code that the optimizing compiler would have discarded
        in Release builds), we move the |this| checks in OpaqueJSString
        to NULL checks in to JSBase, JSObjectRef, JSScriptRef,
        JSStringRef{CF} and JSValueRef.

        Note that the following function arguments are _not_ NULL-checked
        since doing so would just cover up bugs (and were not needed to
        prevent any tests from failing):
        - |script| in JSEvaluateScript(), JSCheckScriptSyntax();
        - |body| in JSObjectMakeFunction();
        - |source| in JSScriptCreateReferencingImmortalASCIIText()
          (which is a const char* anyway);
        - |source| in JSScriptCreateFromString().

        * API/JSBase.cpp:
        (JSEvaluateScript): Add NULL check for |sourceURL|.
        (JSCheckScriptSyntax): Ditto.
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunction): Ditto.
        * API/JSScriptRef.cpp:
        (JSScriptCreateReferencingImmortalASCIIText): Ditto.
        (JSScriptCreateFromString): Add NULL check for |url|.
        * API/JSStringRef.cpp:
        (JSStringGetLength): Return early if NULL pointer is passed in.
        (JSStringGetCharactersPtr): Ditto.
        (JSStringGetUTF8CString): Ditto.  Also check |buffer| parameter.
        * API/JSStringRefCF.cpp:
        (JSStringCopyCFString): Ditto.
        * API/JSValueRef.cpp:
        (JSValueMakeString): Add NULL check for |string|.

        * API/OpaqueJSString.cpp:
        (OpaqueJSString::string): Remove code that checks |this|.
        (OpaqueJSString::identifier): Ditto.
        (OpaqueJSString::characters): Ditto.
        * API/OpaqueJSString.h:
        (OpaqueJSString::is8Bit): Remove code that checks |this|.
        (OpaqueJSString::characters8): Ditto.
        (OpaqueJSString::characters16): Ditto.
        (OpaqueJSString::length): Ditto.

        * parser/SourceProvider.h:
        (JSC::SourceProvider::asID): Remove code that checks |this|.

2014-06-06  Jer Noble  <jer.noble@apple.com>

        Refactoring: make MediaTime the primary time type for audiovisual times.
        https://bugs.webkit.org/show_bug.cgi?id=133579

        Reviewed by Eric Carlson.

        Add a utility function which converts a MediaTime to a JSNumber.

        * runtime/JSCJSValue.h:
        (JSC::jsNumber):

2014-09-04  Michael Saboff  <msaboff@apple.com>

        ARM: Add more coverage to ARMv7 disassembler
        https://bugs.webkit.org/show_bug.cgi?id=136565

        Reviewed by Mark Lam.

        Added ARMV7 disassembler support for Push/Pop multiple and floating point instructions
        VCMP, VCVT[R] between floating point and integer, and VLDR.

        * disassembler/ARMv7/ARMv7DOpcode.cpp:
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::appendRegisterList):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPopMultiple::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushMultiple::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::format):
        * disassembler/ARMv7/ARMv7DOpcode.h:
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::registerList):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::condition):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::condition):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::dBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::vd):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::szBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::eBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::mBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::vm):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::condition):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::dBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::op2):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::vd):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::szBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::op):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::mBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::vm):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::condition):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::uBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::rn):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::vd):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::doubleReg):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::immediate8):

2014-09-04  Mark Lam  <mark.lam@apple.com>

        Move PropertySlot's inline functions back to PropertySlot.h.
        <https://webkit.org/b/136547>

        Reviewed by Filip Pizlo.

        * runtime/JSObject.h:
        (JSC::PropertySlot::getValue): Deleted.
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::getValue):

2014-09-04  Filip Pizlo  <fpizlo@apple.com>

        Make sure that deleting all code first processes the call edge log, and reenable call edge profiling.

        Rubber stamped by Sam Weinig.

        * debugger/Debugger.cpp:
        (JSC::Debugger::forEachCodeBlock):
        (JSC::Debugger::setSteppingMode):
        (JSC::Debugger::recompileAllJSFunctions):
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::recompileAllJSFunctionsForTypeProfiling):
        * runtime/Options.h: Reenable call edge profiling.
        * runtime/VM.cpp:
        (JSC::VM::prepareToDiscardCode): Make sure this also processes the call edge log, in case any call edge profiles are about to be destroyed.
        (JSC::VM::discardAllCode):
        (JSC::VM::releaseExecutableMemory):
        (JSC::VM::setEnabledProfiler):
        (JSC::VM::waitForCompilationsToComplete): Deleted.
        * runtime/VM.h: Rename waitForCompilationsToComplete() back to prepareToDiscardCode() because the purpose of the method - now as ever - is to do all of the things that need to be done to ensure that code may be safely deleted.

2014-09-04  Akos Kiss  <akiss@inf.u-szeged.hu>

        Ensure that the call frame set up by vmEntryToNative does not overlap with the stack of the callee
        https://bugs.webkit.org/show_bug.cgi?id=136485

        Reviewed by Michael Saboff.

        Changed makeHostFunctionCall to keep the stack pointer above the call
        frame set up by doVMEntry. Thus the callee will/can not override the top
        of the call frame.

        Refactored the two (32_64 and 64) versions of makeHostFunctionCall to be
        more alike to help future maintenance.

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2014-09-04  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r173031): crashes during run-layout-jsc on x86/Linux
        https://bugs.webkit.org/show_bug.cgi?id=136436

        Reviewed by Geoffrey Garen.

        Instead of trying to calculate a stack pointer that allows for possible
        stacked argument space, just use the "home" stack pointer location.
        That stack pointer provides space for the worst case number of stacked
        arguments on architectures that use stacked arguments.  It also provides
        stack space so that the return PC and caller frame pointer that are stored
        as part of making the call to operationCallEval will not override any part
        of the callee frame created on the stack.

        Changed compileCallEval() to use the stackPointer value of the calling
        function.  That stack pointer is calculated to have enough space for
        outgoing stacked arguments.  By moving the stack pointer to its "home"
        position, the caller frame and return PC are not set as part of making
        the call to operationCallEval().  Moved the explicit setting of the
        callerFrame field of the callee CallFrame from operationCallEval() to
        compileCallEval() since it has been the artifact of making a call for
        most architectures.  Simplified the exception logic in compileCallEval()
        as a result of the change.  To be compliant with the stack state
        expected by virtualCallThunkGenerator(), moved the stack pointer to
        point above the CallerFrameAndPC of the callee CallFrame.

        * jit/JIT.h: Changed callOperationNoExceptionCheck(J_JITOperation_EE, ...)
        to callOperation(J_JITOperation_EE, ...) as it now can do a typical exception
        check.
        * jit/JITCall.cpp & jit/JITCall32_64.cpp:
        (JSC::JIT::compileCallEval): Use the home stack pointer when making the call
        to operationCallEval.  Since the stack pointer adjustment no longer needs
        to be done after making the call to operationCallEval(), the exception check
        logic can be simplified.
        (JSC::JIT::compileCallEvalSlowCase): Restored the stack pointer to point
        to above the calleeFrame as this is what the generated thunk expects.
        * jit/JITInlines.h:
        (JSC::JIT::callOperation): Refactor of callOperationNoExceptionCheck
        with the addition of a standard exception check.
        (JSC::JIT::callOperationNoExceptionCheck): Deleted.
        * jit/JITOperations.cpp:
        (JSC::operationCallEval): Eliminated the explicit setting of caller frame
        as that is now done in the code generated by compileCallEval().

2014-09-03  Filip Pizlo  <fpizlo@apple.com>

        Beef up the DFG's CFG analyses to include iterated dominance frontiers and more user-friendly BlockSets
        https://bugs.webkit.org/show_bug.cgi?id=136520

        Reviewed by Geoffrey Garen.
        
        Add code to compute iterated dominance frontiers. This involves using BlockSet a lot, so
        this patch also makes BlockSet a lot more user-friendly.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGBasicBlock.h:
        * dfg/DFGBlockSet.cpp: Added.
        (JSC::DFG::BlockSet::dump):
        * dfg/DFGBlockSet.h:
        (JSC::DFG::BlockSet::iterator::iterator):
        (JSC::DFG::BlockSet::iterator::operator++):
        (JSC::DFG::BlockSet::iterator::operator==):
        (JSC::DFG::BlockSet::iterator::operator!=):
        (JSC::DFG::BlockSet::Iterable::Iterable):
        (JSC::DFG::BlockSet::Iterable::begin):
        (JSC::DFG::BlockSet::Iterable::end):
        (JSC::DFG::BlockSet::iterable):
        (JSC::DFG::BlockAdder::BlockAdder):
        (JSC::DFG::BlockAdder::operator()):
        * dfg/DFGBlockSetInlines.h: Added.
        (JSC::DFG::BlockSet::iterator::operator*):
        * dfg/DFGDominators.cpp:
        (JSC::DFG::Dominators::strictDominatorsOf):
        (JSC::DFG::Dominators::dominatorsOf):
        (JSC::DFG::Dominators::blocksStrictlyDominatedBy):
        (JSC::DFG::Dominators::blocksDominatedBy):
        (JSC::DFG::Dominators::dominanceFrontierOf):
        (JSC::DFG::Dominators::iteratedDominanceFrontierOf):
        * dfg/DFGDominators.h:
        (JSC::DFG::Dominators::forAllStrictDominatorsOf):
        (JSC::DFG::Dominators::forAllDominatorsOf):
        (JSC::DFG::Dominators::forAllBlocksStrictlyDominatedBy):
        (JSC::DFG::Dominators::forAllBlocksDominatedBy):
        (JSC::DFG::Dominators::forAllBlocksInDominanceFrontierOf):
        (JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOf):
        (JSC::DFG::Dominators::forAllBlocksInDominanceFrontierOfImpl):
        (JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOfImpl):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dumpBlockHeader):
        * dfg/DFGInvalidationPointInjectionPhase.cpp:
        (JSC::DFG::InvalidationPointInjectionPhase::run):

2014-09-04  Mark Lam  <mark.lam@apple.com>

        Fixed indentations and some style warnings in JavaScriptCore/runtime.
        <https://webkit.org/b/136518>

        Reviewed by Michael Saboff.

        Also removed some superflous spaces.  There are no semantic changes.

        * runtime/Completion.h:
        * runtime/ConstructData.h:
        * runtime/DateConstructor.h:
        * runtime/DateInstance.h:
        * runtime/DateInstanceCache.h:
        * runtime/DatePrototype.h:
        * runtime/Error.h:
        * runtime/ErrorConstructor.h:
        * runtime/ErrorInstance.h:
        * runtime/ErrorPrototype.h:
        * runtime/FunctionConstructor.h:
        * runtime/FunctionPrototype.h:
        * runtime/GetterSetter.h:
        * runtime/Identifier.h:
        * runtime/InitializeThreading.h:
        * runtime/InternalFunction.h:
        * runtime/JSAPIValueWrapper.h:
        * runtime/JSFunction.h:
        * runtime/JSLock.h:
        * runtime/JSNotAnObject.h:
        * runtime/JSONObject.h:
        * runtime/JSString.h:
        * runtime/JSTypeInfo.h:
        * runtime/JSWrapperObject.h:
        * runtime/Lookup.h:
        * runtime/MathObject.h:
        * runtime/NativeErrorConstructor.h:
        * runtime/NativeErrorPrototype.h:
        * runtime/NumberConstructor.h:
        * runtime/NumberObject.h:
        * runtime/NumberPrototype.h:
        * runtime/NumericStrings.h:
        * runtime/ObjectConstructor.h:
        * runtime/ObjectPrototype.h:
        * runtime/PropertyDescriptor.h:
        * runtime/Protect.h:
        * runtime/PutPropertySlot.h:
        * runtime/RegExp.h:
        * runtime/RegExpCachedResult.h:
        * runtime/RegExpConstructor.h:
        * runtime/RegExpMatchesArray.h:
        * runtime/RegExpObject.h:
        * runtime/RegExpPrototype.h:
        * runtime/SmallStrings.h:
        * runtime/StringConstructor.h:
        * runtime/StringObject.h:
        * runtime/StringPrototype.h:
        * runtime/StructureChain.h:
        * runtime/VM.h:

2014-09-04  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        Remove CSS_FILTERS flag
        https://bugs.webkit.org/show_bug.cgi?id=136529

        Reviewed by Dirk Schulze.

        * Configurations/FeatureDefines.xcconfig:

2014-09-04  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r173248.
        https://bugs.webkit.org/show_bug.cgi?id=136536

        call edge profiling and polymorphic call inlining are still
        causing crashes (Requested by eric_carlson on #webkit).

        Reverted changeset:

        "Reenable call edge profiling and polymorphic call inlining,
        now that a bunch of the bugs"
        http://trac.webkit.org/changeset/173248

2014-09-04  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: the profiler should not accrue time to nodes while the debugger is paused
        https://bugs.webkit.org/show_bug.cgi?id=136352

        Reviewed by Timothy Hatcher.

        Hook up pause/continue events to the LegacyProfiler and any active
        ProfilerGenerators. If the debugger is paused, all intervening call
        entries will be created with totalTime as 0.0.

        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::handlePause):
        * profiler/LegacyProfiler.cpp: Move from typedef'd callbacks to using
        std::function. This allows callbacks to take different argument types.

        (JSC::callFunctionForProfilesWithGroup):
        (JSC::LegacyProfiler::willExecute):
        (JSC::LegacyProfiler::didExecute):
        (JSC::LegacyProfiler::exceptionUnwind):
        (JSC::LegacyProfiler::didPause):
        (JSC::LegacyProfiler::didContinue):
        (JSC::dispatchFunctionToProfiles): Deleted.
        * profiler/LegacyProfiler.h:
        * profiler/ProfileGenerator.cpp:
        (JSC::ProfileGenerator::ProfileGenerator):
        (JSC::ProfileGenerator::endCallEntry):
        (JSC::ProfileGenerator::didExecute): Deleted.
        * profiler/ProfileGenerator.h:
        (JSC::ProfileGenerator::didPause):
        (JSC::ProfileGenerator::didContinue):

2014-09-04  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r173245.
        https://bugs.webkit.org/show_bug.cgi?id=136533

        Broke JSC tests. (Requested by ddkilzer on #webkit).

        Reverted changeset:

        "JavaScriptCore should build with newer clang"
        https://bugs.webkit.org/show_bug.cgi?id=136002
        http://trac.webkit.org/changeset/173245

2014-09-04  Brian J. Burg  <burg@cs.washington.edu>

        LegacyProfiler: ProfileNodes should be used more like structs
        https://bugs.webkit.org/show_bug.cgi?id=136381

        Reviewed by Timothy Hatcher.

        Previously, both the profile generator and individual profile nodes
        were collectively responsible for creating new Call entries and
        maintaining data structure invariants. This complexity is unnecessary.

        This patch centralizes profile data creation inside the profile generator.
        The profile nodes manage nextSibling and parent pointers, but do not
        collect the current time or create new Call entries themselves.

        Since ProfileNode::nextSibling and its callers are only used within
        debug printing code, it should be compiled out for release builds.

        * profiler/ProfileGenerator.cpp:
        (JSC::ProfileGenerator::ProfileGenerator):
        (JSC::AddParentForConsoleStartFunctor::operator()):
        (JSC::ProfileGenerator::beginCallEntry): create a new Call entry.
        (JSC::ProfileGenerator::endCallEntry): finish the last Call entry.
        (JSC::ProfileGenerator::willExecute): inline ProfileNode::willExecute()
        (JSC::ProfileGenerator::didExecute): inline ProfileNode::didExecute()
        (JSC::ProfileGenerator::stopProfiling): Only walk up the spine.
        (JSC::ProfileGenerator::removeProfileStart):
        (JSC::ProfileGenerator::removeProfileEnd):
        * profiler/ProfileGenerator.h:
        * profiler/ProfileNode.cpp:
        (JSC::ProfileNode::ProfileNode):
        (JSC::ProfileNode::addChild):
        (JSC::ProfileNode::removeChild):
        (JSC::ProfileNode::spliceNode): Renamed from insertNode.
        (JSC::ProfileNode::debugPrintRecursively):
        (JSC::ProfileNode::willExecute): Deleted.
        (JSC::ProfileNode::insertNode): Deleted.
        (JSC::ProfileNode::stopProfiling): Deleted.
        (JSC::ProfileNode::traverseNextNodePostOrder):
        (JSC::ProfileNode::endAndRecordCall): Deleted.
        (JSC::ProfileNode::debugPrintDataSampleStyle):
        * profiler/ProfileNode.h:
        (JSC::ProfileNode::Call::setStartTime):
        (JSC::ProfileNode::Call::setTotalTime):
        (JSC::ProfileNode::appendCall):
        (JSC::ProfileNode::firstChild):
        (JSC::ProfileNode::lastChild):
        (JSC::ProfileNode::nextSibling):
        (JSC::ProfileNode::setNextSibling):

2014-09-02  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: fix prefixes for subclasses of JSC::ConsoleClient
        https://bugs.webkit.org/show_bug.cgi?id=136476

        Reviewed by Timothy Hatcher.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * inspector/JSGlobalObjectConsoleClient.cpp: Renamed from Source/JavaScriptCore/inspector/JSConsoleClient.cpp.
        * inspector/JSGlobalObjectConsoleClient.h: Renamed from Source/JavaScriptCore/inspector/JSConsoleClient.h.
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::reportAPIException):
        * inspector/JSGlobalObjectInspectorController.h:

2014-09-03  Filip Pizlo  <fpizlo@apple.com>

        Reenable call edge profiling and polymorphic call inlining, now that a bunch of the bugs
        are fixed.

        * runtime/Options.h:

2014-09-03  David Kilzer  <ddkilzer@apple.com>

        JavaScriptCore should build with newer clang
        <http://webkit.org/b/136002>
        <rdar://problem/18020616>

        Reviewed by Geoffrey Garen.

        Other than the JSC::SourceProvider::asID() change (which simply
        removes code that the optimizing compiler would have discarded
        in Release builds), we move the |this| checks in OpaqueJSString
        to NULL checks in to JSBase, JSScriptRef, JSStringRef{CF} and
        JSValueRef.

        * API/JSBase.cpp:
        (JSEvaluateScript): Use String() in case |script| or |sourceURL|
        are NULL.
        * API/JSScriptRef.cpp:
        (JSScriptCreateReferencingImmortalASCIIText): Use String() in
        case |url| is NULL.
        * API/JSStringRef.cpp:
        (JSStringGetLength): Return early if NULL pointer is passed in.
        (JSStringGetCharactersPtr): Ditto.
        (JSStringGetUTF8CString): Ditto.  Also check |buffer| parameter.
        * API/JSStringRefCF.cpp:
        (JSStringCopyCFString): Ditto.
        * API/JSValueRef.cpp:
        (JSValueMakeString): Use String() in case |string| is NULL.

        * API/OpaqueJSString.cpp:
        (OpaqueJSString::string): Remove code that checks |this|.
        (OpaqueJSString::identifier): Ditto.
        (OpaqueJSString::characters): Ditto.
        * API/OpaqueJSString.h:
        (OpaqueJSString::is8Bit): Remove code that checks |this|.
        (OpaqueJSString::characters8): Ditto.
        (OpaqueJSString::characters16): Ditto.
        (OpaqueJSString::length): Ditto.

        * parser/SourceProvider.h:
        (JSC::SourceProvider::asID): Remove code that checks |this|.

2014-09-03  Filip Pizlo  <fpizlo@apple.com>

        CallEdgeProfile::visitWeak() shouldn't attempt to despecify empty profiles
        https://bugs.webkit.org/show_bug.cgi?id=136511

        Reviewed by Geoffrey Garen.

        * bytecode/CallEdgeProfile.cpp:
        (JSC::CallEdgeProfile::worthDespecifying):
        (JSC::CallEdgeProfile::visitWeak):
        (JSC::CallEdgeProfile::mergeBack):

2014-09-03  David Kilzer  <ddkilzer@apple.com>

        REGRESSION (r167325): (null) entry added to Xcode project file when JSBoundFunction.h was removed
        <http://webkit.org/b/136509>

        Reviewed by Daniel Bates.

        * JavaScriptCore.xcodeproj/project.pbxproj: Remove the (null)
        entry left behind when JSBoundFunction.h was removed.

2014-09-03  Joseph Pecoraro  <pecoraro@apple.com>

        Avoid warning if a process does not have access to com.apple.webinspector
        https://bugs.webkit.org/show_bug.cgi?id=136473

        Reviewed by Alexey Proskuryakov.

        Pre-check for access to the mach port to avoid emitting warnings
        in syslog for processes that do not have access.

        * inspector/remote/RemoteInspector.mm:
        (Inspector::canAccessWebInspectorMachPort):
        (Inspector::RemoteInspector::shared):

2014-09-03  Filip Pizlo  <fpizlo@apple.com>

        Temporarily disable call edge profiling. It is causing crashes and I'm still investigating
        them.

        * runtime/Options.h:

2014-09-03  Balazs Kilvady  <kilvadyb@homejinni.com>

        [MIPS] Wrong register usage in LLInt op_catch.
        https://bugs.webkit.org/show_bug.cgi?id=125168

        Reviewed by Geoffrey Garen.

        Fix register usage and add PIC header to all the ops in LLInt.

        * offlineasm/instructions.rb:
        * offlineasm/mips.rb:

2014-09-03  Saam Barati  <saambarati1@gmail.com>

        Create tests for type profiling
        https://bugs.webkit.org/show_bug.cgi?id=136161

        Reviewed by Geoffrey Garen.

        The type profiler is now being tested. These are basic tests that don't 
        check every edge case, but will catch any major failures in the type profiler. 
        These tests cover:
        - The basic, inheritance-based type system in TypeSet.
        - Function return types.
        - Correct merging of types for multiple assignments to one variable.

        This patch also provides an API for writing new tests for
        the type profiler. The API works by passing in a function and a 
        unique substring of an expression contained in that function, and 
        returns an object representing type information for that expression.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionFindTypeForExpression):
        (functionReturnTypeFor):
        * runtime/TypeProfiler.cpp:
        (JSC::TypeProfiler::typeInformationForExpressionAtOffset):
        * runtime/TypeProfiler.h:
        * runtime/TypeProfilerLog.h:
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::toJSONString):
        (JSC::StructureShape::toJSONString):
        * runtime/TypeSet.h:
        * tests/typeProfiler: Added.
        * tests/typeProfiler.yaml: Added.
        * tests/typeProfiler/basic.js: Added.
        (wrapper.foo):
        (wrapper):
        * tests/typeProfiler/captured.js: Added.
        (wrapper.changeFoo):
        (wrapper):
        * tests/typeProfiler/driver: Added.
        * tests/typeProfiler/driver/driver.js: Added.
        (assert):
        * tests/typeProfiler/inheritance.js: Added.
        (wrapper.A):
        (wrapper.B):
        (wrapper.C):
        (wrapper):
        * tests/typeProfiler/return.js: Added.
        (foo):
        (Ctor):

2014-09-03  Julien Brianceau   <jbriance@cisco.com>

        Add missing implementations to fix build for sh4 architecture
        https://bugs.webkit.org/show_bug.cgi?id=136455

        Reviewed by Geoffrey Garen.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::store8):
        (JSC::MacroAssemblerSH4::moveWithPatch):
        (JSC::MacroAssemblerSH4::branchAdd32):
        (JSC::MacroAssemblerSH4::branch32WithPatch):
        (JSC::MacroAssemblerSH4::abortWithReason):
        (JSC::MacroAssemblerSH4::canJumpReplacePatchableBranch32WithPatch):
        (JSC::MacroAssemblerSH4::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerSH4::revertJumpReplacementToPatchableBranch32WithPatch):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitFunctionPrologue):
        (JSC::AssemblyHelpers::emitFunctionEpilogue):

2014-09-03  Dan Bernstein  <mitz@apple.com>

        Get rid of HIGH_DPI_CANVAS leftovers
        https://bugs.webkit.org/show_bug.cgi?id=136491

        Reviewed by Benjamin Poulain.

        * Configurations/FeatureDefines.xcconfig: Removed definition of ENABLE_HIGH_DPI_CANVAS
        and removed it from FEATURE_DEFINES.

2014-09-03  Filip Pizlo  <fpizlo@apple.com>

        CallEdgeProfile::visitWeak() should gracefully handle the case where primaryCallee duplicates an entry in otherCallees
        https://bugs.webkit.org/show_bug.cgi?id=136490

        Reviewed by Geoffrey Garen.

        * bytecode/CallEdgeProfile.cpp:
        (JSC::CallEdgeProfile::visitWeak):

2014-09-03  Filip Pizlo  <fpizlo@apple.com>

        FTL In implementation sets callReturnLocation incorrectly leading to crashes beneath repatchCall()
        https://bugs.webkit.org/show_bug.cgi?id=136488

        Reviewed by Mark Hahnenberg.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::generateCheckInICFastPath): The call is in the slow path.
        * tests/stress/ftl-in-overflow.js: Added. This used to crash with 100% with FTL enabled.
        (foo):

2014-09-03  Akos Kiss  <akiss@inf.u-szeged.hu>

        Don't generate superfluous mov instructions for move immediate on ARM64.
        https://bugs.webkit.org/show_bug.cgi?id=136435

        Reviewed by Michael Saboff.

        On ARM64, the size of an immediate operand for a mov instruction is 16
        bits. Thus, a move immediate offlineasm instruction may potentially be
        split up to several machine level instructions. The current
        implementation always emits a mov for the least significant 16 bits of
        the value. However, if any of the bits 63:16 are significant then the
        first emitted mov already filled bits 15:0 with zeroes (or ones, for
        negative values). So, if bits 15:0 of the value are all zeroes (or ones)
        then the last mov does not need to be emitted.

        * offlineasm/arm64.rb:

2014-09-02  Brian J. Burg  <burg@cs.washington.edu>

        LegacyProfiler: remove redundant ProfileNode members and other cleanup
        https://bugs.webkit.org/show_bug.cgi?id=136380

        Reviewed by Timothy Hatcher.

        ProfileNode's selfTime and totalTime members are redundant and only used
        for dumping profile data from debug-only code. Remove the members and compute
        the same data on-demand when necessary using a postorder traversal functor.

        Remove ProfileNode.head since it is only used to calculate percentages for
        dumped profile data. This can be explicitly passed around when needed.

        Rename Profile.head to Profile.rootNode, and other various renamings.

        Rearrange some header includes so that touching LegacyProfiler-related headers
        will no longer cause a full rebuild.

        * inspector/JSConsoleClient.cpp: Add header include.
        * inspector/agents/InspectorProfilerAgent.cpp:
        (Inspector::InspectorProfilerAgent::buildProfileInspectorObject):
        * inspector/protocol/Profiler.json: Remove unused Profile.idleTime member.
        * jit/JIT.h: Remove header include.
        * jit/JITCode.h: Remove header include.
        * jit/JITOperations.cpp: Sort and add header include.
        * llint/LLIntSlowPaths.cpp: Sort and add header include.
        * profiler/Profile.cpp: Rename the debug dumping functions. Move the node
        postorder traversal code to ProfileNode so we can traverse any subtree.
        (JSC::Profile::Profile):
        (JSC::Profile::debugPrint):
        (JSC::Profile::debugPrintSampleStyle):
        (JSC::Profile::forEach): Deleted.
        (JSC::Profile::debugPrintData): Deleted.
        (JSC::Profile::debugPrintDataSampleStyle): Deleted.
        * profiler/Profile.h:
        * profiler/ProfileGenerator.cpp:
        (JSC::ProfileGenerator::ProfileGenerator):
        (JSC::AddParentForConsoleStartFunctor::AddParentForConsoleStartFunctor):
        (JSC::AddParentForConsoleStartFunctor::operator()):
        (JSC::ProfileGenerator::addParentForConsoleStart):
        (JSC::ProfileGenerator::didExecute):
        (JSC::StopProfilingFunctor::operator()):
        (JSC::ProfileGenerator::stopProfiling):
        (JSC::ProfileGenerator::removeProfileStart):
        (JSC::ProfileGenerator::removeProfileEnd):
        * profiler/ProfileGenerator.h:
        * profiler/ProfileNode.cpp:
        (JSC::ProfileNode::ProfileNode):
        (JSC::ProfileNode::willExecute):
        (JSC::ProfileNode::removeChild):
        (JSC::ProfileNode::stopProfiling):
        (JSC::ProfileNode::endAndRecordCall):
        (JSC::ProfileNode::debugPrint):
        (JSC::ProfileNode::debugPrintSampleStyle):
        (JSC::ProfileNode::debugPrintRecursively):
        (JSC::ProfileNode::debugPrintSampleStyleRecursively):
        (JSC::ProfileNode::debugPrintData): Deleted.
        (JSC::ProfileNode::debugPrintDataSampleStyle): Deleted.
        * profiler/ProfileNode.h: Calculate per-node self and total times using a postorder traversal.
        The forEachNodePostorder functor traverses the subtree rooted at |this|.
        (JSC::ProfileNode::create):
        (JSC::ProfileNode::calls):
        (JSC::ProfileNode::forEachNodePostorder):
        (JSC::CalculateProfileSubtreeDataFunctor::returnValue):
        (JSC::CalculateProfileSubtreeDataFunctor::operator()):
        (JSC::ProfileNode::head): Deleted.
        (JSC::ProfileNode::setHead): Deleted.
        (JSC::ProfileNode::totalTime): Deleted.
        (JSC::ProfileNode::setTotalTime): Deleted.
        (JSC::ProfileNode::selfTime): Deleted.
        (JSC::ProfileNode::setSelfTime): Deleted.
        (JSC::ProfileNode::totalPercent): Deleted.
        (JSC::ProfileNode::selfPercent): Deleted.
        * runtime/ConsoleClient.h: Remove header include.

2014-09-02  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: remove ProfilerAgent and legacy profiler files in the frontend
        https://bugs.webkit.org/show_bug.cgi?id=136462

        Reviewed by Timothy Hatcher.

        It's not used by the frontend anymore.

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:

        * inspector/JSConsoleClient.cpp:
        (Inspector::JSConsoleClient::JSConsoleClient): Stub out console.profile/profileEnd
        methods since they didn't work for JSContexts anyway.
        (Inspector::JSConsoleClient::profile):
        (Inspector::JSConsoleClient::profileEnd):
        * inspector/JSConsoleClient.h:

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        * inspector/agents/InspectorProfilerAgent.cpp: Removed.
        * inspector/agents/InspectorProfilerAgent.h: Removed.
        * inspector/agents/JSGlobalObjectProfilerAgent.cpp: Removed.
        * inspector/agents/JSGlobalObjectProfilerAgent.h: Removed.
        * inspector/protocol/Profiler.json: Removed.

2014-09-02  Andreas Kling  <akling@apple.com>

        Optimize own property GetByVals with rope string subscripts.
        <https://webkit.org/b/136458>

        For simple JSObjects that don't override getOwnPropertySlot to implement
        custom properties, we have a fast path that grabs directly at the object
        property storage.

        Make this fast path even faster when the property name is an unresolved
        rope string by using JSString::toExistingAtomicString(). This is faster
        because it avoids allocating a new StringImpl if the string is already
        a known Identifier, which is guaranteed to be the case if it's present
        as an own property on the object.)

        ~10% speed-up on Dromaeo/dom-attr.html

        Reviewed by Geoffrey Garen.

        * dfg/DFGOperations.cpp:
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getByVal):

            When using the fastGetOwnProperty() optimization, get the String
            out of JSString by using toExistingAtomicString(). This avoids
            StringImpl allocation and lets us bypass the PropertyTable lookup
            entirely if no AtomicString is found.

        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::fastGetOwnProperty):

            Make fastGetOwnProperty() take a PropertyName instead of a String.
            This avoids churning the ref count, since we don't need to create
            a temporary wrapper around the AtomicStringImpl* found in GetByVal.

        * runtime/PropertyName.h:
        (JSC::PropertyName::PropertyName):

            Add constructor: PropertyName(AtomicStringImpl*)

        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::get):
        (JSC::PropertyTable::findWithString): Deleted.
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::get):

            Remove code for querying a PropertyTable with an unhashed string key
            since the only client is now gone.

2014-09-02  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        [ARM] MacroAssembler generating incorrect code on ARM32 Traditional
        https://bugs.webkit.org/show_bug.cgi?id=136429

        Reviewed by Csaba Osztrogonác.

        Changed test32 to use tst to check if reg is zero, instead of cmp.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::test32):

2014-09-02  Michael Saboff  <msaboff@apple.com>

        Out of bounds write in vmEntryToJavaScript / JSC::JITCode::execute
        https://bugs.webkit.org/show_bug.cgi?id=136305

        Reviewed by Filip Pizlo.

        While preparing the callee's CallFrame, ProtoCallFrame fixes any arity mismatch
        and then JITCode::execute() calls the normal entrypoint.  This is incompatible
        with the expectation of FTL generated functions.  Changed ProtoCallFrame to not 
        perform the arity fix, but just flag an arity mismatch.  now JITCode::execute()
        uses that arity mismatch condition to select the normal or arity check
        entrypoint.  The entrypoint selection is only done for functions, programs
        and eval always have one parameter.

        * interpreter/ProtoCallFrame.cpp:
        (JSC::ProtoCallFrame::init): Changed to flag arity mismatch instead of fixing it.
        * interpreter/ProtoCallFrame.h:
        (JSC::ProtoCallFrame::needArityCheck): New boolean to signify what entrypoint
        should be called.
        * jit/JITCode.cpp:
        (JSC::JITCode::execute): Select normal or arity check entrypoint as appropriate.

2014-09-02  peavo@outlook.com  <peavo@outlook.com>

        [WinCairo] testapi.exe is not built.
        https://bugs.webkit.org/show_bug.cgi?id=136369

        Reviewed by Alex Christensen.

        The testapi project should be of type Application.

        * JavaScriptCore.vcxproj/jsc/jscLauncher.vcxproj: Change project type to Application.
        * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncher.vcxproj: Ditto.
        * JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props: Compile and link fix.
        * JavaScriptCore.vcxproj/testapi/testapiLauncher.vcxproj: Change project type to Application.

2014-09-01  Akos Kiss  <akiss@inf.u-szeged.hu>

        [CMAKE] Add missing offlineasm dependencies
        https://bugs.webkit.org/show_bug.cgi?id=136437

        Reviewed by Csaba Osztrogonác.

        Add the ARM64, MIPS and SH4 backends to the dependencies.

        * CMakeLists.txt:

2014-09-01  Brian J. Burg  <burg@cs.washington.edu>

        Provide column numbers to DTrace willExecute/didExecute probes
        https://bugs.webkit.org/show_bug.cgi?id=136434

        Reviewed by Antti Koivisto.

        Provide the columnNumber and update stubs for !HAVE(DTRACE).

        * profiler/ProfileGenerator.cpp:
        (JSC::ProfileGenerator::willExecute):
        (JSC::ProfileGenerator::didExecute):
        * runtime/Tracing.d:
        * runtime/Tracing.h:

2014-09-01  Gyuyoung Kim  <gyuyoung.kim@samsung.com>

        [CMAKE] Build warning by INTERFACE_LINK_LIBRARIES
        https://bugs.webkit.org/show_bug.cgi?id=136194

        Reviewed by Csaba Osztrogonác.

        Set the LINK_INTERFACE_LIBRARIES target property on the top level CMakeLists.txt.

        * CMakeLists.txt:

2014-08-26  Maciej Stachowiak  <mjs@apple.com>

        Use RetainPtr::autorelease in some places where it seems appropriate
        https://bugs.webkit.org/show_bug.cgi?id=136280

        Reviewed by Darin Adler.

        * API/JSContext.mm:
        (-[JSContext name]): Use RetainPtr::autorelease() in place of ObjC autorelease.
        * API/JSValue.mm:
        (valueToString): Make appropriate use of RetainPtr

2014-08-29  Akos Kiss  <akiss@inf.u-szeged.hu>

        Ensure that the call frame passed from doVMEntry to the called function always contains the valid scope chain.
        https://bugs.webkit.org/show_bug.cgi?id=136391

        Reviewed by Michael Saboff.

        Do not rely on calling conventions to fill in the CallerFrame component
        of the ExecState* parameter of the called function.

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2014-08-29  Saam Barati  <sbarati@apple.com>

        emit op_profile_type for deconstruction assignments
        https://bugs.webkit.org/show_bug.cgi?id=136274

        Reviewed by Filip Pizlo.

        Enable type profiling for ES6 deconstruction expressions.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::BindingNode::bindValue):

2014-08-29  Joseph Pecoraro  <pecoraro@apple.com>

        JavaScriptCore: Use ASCIILiteral where possible
        https://bugs.webkit.org/show_bug.cgi?id=136179

        Reviewed by Michael Saboff.

        General string / character related changes. Use ASCIILiteral where
        possible, jsNontrivialString where possible, and replace string
        literals with character literals in some places.

        No new tests, no changes to functionality.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::nameForRegister):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PostfixNode::emitBytecode):
        (JSC::PrefixNode::emitBytecode):
        (JSC::AssignErrorNode::emitBytecode):
        (JSC::ForInNode::emitMultiLoopBytecode):
        (JSC::ForOfNode::emitBytecode):
        (JSC::ObjectPatternNode::toString):
        * dfg/DFGFunctionWhitelist.cpp:
        (JSC::DFG::FunctionWhitelist::contains):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::newTypedArrayWithSize):
        (JSC::DFG::newTypedArrayWithOneArgument):
        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::addToFrontend):
        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::InspectorBackendDispatcher::dispatch):
        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::extractSourceInformationFromException):
        * inspector/scripts/codegen/generator_templates.py:
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::functionName):
        (JSC::StackVisitor::Frame::sourceURL):
        * jit/JITOperations.cpp:
        * jsc.cpp:
        (functionDescribeArray):
        (functionRun):
        (functionLoad):
        (functionReadFile):
        (functionCheckSyntax):
        (functionTransferArrayBuffer):
        (runWithScripts):
        (runInteractive):
        * parser/Lexer.cpp:
        (JSC::Lexer<T>::invalidCharacterMessage):
        (JSC::Lexer<T>::parseString):
        (JSC::Lexer<T>::parseStringSlowCase):
        (JSC::Lexer<T>::lex):
        * profiler/Profile.cpp:
        (JSC::Profile::Profile):
        * runtime/Arguments.cpp:
        (JSC::argumentsFuncIterator):
        * runtime/ArrayPrototype.cpp:
        (JSC::performSlowSort):
        (JSC::arrayProtoFuncSort):
        * runtime/ExceptionHelpers.cpp:
        (JSC::createError):
        (JSC::createInvalidParameterError):
        (JSC::createNotAConstructorError):
        (JSC::createNotAFunctionError):
        (JSC::createNotAnObjectError):
        (JSC::createErrorForInvalidGlobalAssignment):
        * runtime/FunctionPrototype.cpp:
        (JSC::insertSemicolonIfNeeded):
        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        (JSC::JSArray::pop):
        (JSC::JSArray::push):
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::JSArrayBufferConstructor::finishCreation):
        * runtime/JSArrayBufferPrototype.cpp:
        (JSC::arrayBufferProtoFuncSlice):
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::create):
        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):
        (JSC::setData):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncProtoSetter):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructor::finishCreation):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::Lexer::lex):
        (JSC::LiteralParser<CharType>::Lexer::lexString):
        (JSC::LiteralParser<CharType>::parse):
        * runtime/LiteralParser.h:
        (JSC::LiteralParser::getErrorMessage):
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::seenTypes):
        (JSC::TypeSet::displayName):
        (JSC::TypeSet::allPrimitiveTypeNames):
        (JSC::StructureShape::propertyHash):
        (JSC::StructureShape::stringRepresentation):

2014-08-29  Csaba Osztrogonác  <ossy@webkit.org>

        Unreviwed, remove empty directories.

        * qt: Removed.

2014-08-28  Mark Lam  <mark.lam@apple.com>

        DebuggerCallFrame::scope() should return a DebuggerScope.
        <https://webkit.org/b/134420>

        Reviewed by Geoffrey Garen.

        Rolling back in r170680 with the fix for <https://webkit.org/b/135656>.

        Previously, DebuggerCallFrame::scope() returns a JSActivation (and relevant
        peers) which the WebInspector will use to introspect CallFrame variables.
        Instead, we should be returning a DebuggerScope as an abstraction layer that
        provides the introspection functionality that the WebInspector needs.  This
        is the first step towards not forcing every frame to have a JSActivation
        object just because the debugger is enabled.

        1. Instantiate the debuggerScopeStructure as a member of the JSGlobalObject
           instead of the VM.  This allows JSObject::globalObject() to be able to
           return the global object for the DebuggerScope.

        2. On the DebuggerScope's life-cycle management:

           The DebuggerCallFrame is designed to be "valid" only during a debugging session
           (while the debugger is broken) through the use of a DebuggerCallFrameScope in
           Debugger::pauseIfNeeded().  Once the debugger resumes from the break, the
           DebuggerCallFrameScope destructs, and the DebuggerCallFrame will be invalidated.
           We can't guarantee (from this code alone) that the Inspector code isn't still
           holding a ref to the DebuggerCallFrame (though they shouldn't), but by contract,
           the frame will be invalidated, and any attempt to query it will return null values.
           This is pre-existing behavior.

           Now, we're adding the DebuggerScope into the picture.  While a single debugger
           pause session is in progress, the Inspector may request the scope from the
           DebuggerCallFrame.  While the DebuggerCallFrame is still valid, we want
           DebuggerCallFrame::scope() to always return the same DebuggerScope object.
           This is why we hold on to the DebuggerScope with a strong ref.

           If we use a weak ref instead, the following cooky behavior can manifest:
           1. The Inspector calls Debugger::scope() to get the top scope.
           2. The Inspector iterates down the scope chain and is now only holding a
              reference to a parent scope.  It is no longer referencing the top scope.
           3. A GC occurs, and the DebuggerCallFrame's weak m_scope ref to the top scope
              gets cleared.
           4. The Inspector calls DebuggerCallFrame::scope() to get the top scope again but gets
              a different DebuggerScope instance.
           5. The Inspector iterates down the scope chain but never sees the parent scope
              instance that retained a ref to in step 2 above.  This is because when iterating
              this new DebuggerScope instance (which has no knowledge of the previous parent
              DebuggerScope instance), a new DebuggerScope instance will get created for the
              same parent scope. 

           Since the DebuggerScope is a JSObject, its liveness is determined by its reachability.
           However, its "validity" is determined by the life-cycle of its owner DebuggerCallFrame.
           When the owner DebuggerCallFrame gets invalidated, its debugger scope chain (if
           instantiated) will also get invalidated.  This is why we need the
           DebuggerScope::invalidateChain() method.  The Inspector should not be using the
           DebuggerScope instance after its owner DebuggerCallFrame is invalidated.  If it does,
           those methods will do nothing or returned a failed status.

        Fix for <https://webkit.org/b/135656>:
        3. DebuggerScope::getOwnPropertySlot() and DebuggerScope::put() need to set
           m_thisValue in the returned slot to the wrapped scope object.  Previously,
           it was pointing to the DebuggerScope though the rest of the fields in the
           returned slot will be set to data pertaining the wrapped scope object.

        4. DebuggerScope::getOwnPropertySlot() will invoke getPropertySlot() on its
           wrapped scope.  This is because JSObject::getPropertySlot() cannot be
           overridden, and when called on a DebuggerScope, will not know to look in
           the ptototype chain of the DebuggerScope's wrapped scope.  Hence, we'll
           treat all properties in the wrapped scope as own properties in the
           DebuggerScope.  This is fine because the WebInspector does not presently
           care about where in the prototype chain the scope property comes from.

           Note that the DebuggerScope and the JSActivation objects that it wraps do
           not have prototypes.  They are always jsNull().  This works perfectly with
           the above change to use getPropertySlot() instead of getOwnPropertySlot().
           To make this an explicit invariant, I also changed DebuggerScope::createStructure()
           and JSActivation::createStructure() to not take a prototype argument, and
           to always use jsNull() for their prototype value.

        * debugger/Debugger.h:
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::scope):
        (JSC::DebuggerCallFrame::evaluate):
        (JSC::DebuggerCallFrame::invalidate):
        * debugger/DebuggerCallFrame.h:
        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::DebuggerScope):
        (JSC::DebuggerScope::finishCreation):
        (JSC::DebuggerScope::visitChildren):
        (JSC::DebuggerScope::className):
        (JSC::DebuggerScope::getOwnPropertySlot):
        (JSC::DebuggerScope::put):
        (JSC::DebuggerScope::deleteProperty):
        (JSC::DebuggerScope::getOwnPropertyNames):
        (JSC::DebuggerScope::defineOwnProperty):
        (JSC::DebuggerScope::next):
        (JSC::DebuggerScope::invalidateChain):
        (JSC::DebuggerScope::isWithScope):
        (JSC::DebuggerScope::isGlobalScope):
        (JSC::DebuggerScope::isFunctionOrEvalScope):
        * debugger/DebuggerScope.h:
        (JSC::DebuggerScope::create):
        (JSC::DebuggerScope::createStructure):
        (JSC::DebuggerScope::iterator::iterator):
        (JSC::DebuggerScope::iterator::get):
        (JSC::DebuggerScope::iterator::operator++):
        (JSC::DebuggerScope::iterator::operator==):
        (JSC::DebuggerScope::iterator::operator!=):
        (JSC::DebuggerScope::isValid):
        (JSC::DebuggerScope::jsScope):
        (JSC::DebuggerScope::begin):
        (JSC::DebuggerScope::end):
        * inspector/JSJavaScriptCallFrame.cpp:
        (Inspector::JSJavaScriptCallFrame::scopeType):
        (Inspector::JSJavaScriptCallFrame::scopeChain):
        * inspector/JavaScriptCallFrame.h:
        (Inspector::JavaScriptCallFrame::scopeChain):
        * inspector/ScriptDebugServer.cpp:
        * runtime/JSActivation.h:
        (JSC::JSActivation::createStructure):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::debuggerScopeStructure):
        * runtime/JSObject.cpp:
        * runtime/JSObject.h:
        (JSC::JSObject::isWithScope):
        * runtime/JSScope.h:
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::setThisValue):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::setThisValue):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2014-08-28  Andreas Kling  <akling@apple.com>

        Use JSString::toIdentifier() in more places.
        <https://webkit.org/b/136348>

        Call sites that grab the WTF::String from a JSString using value() can
        use the more efficient toIdentifier() if the string is going to be used
        to construct an Identifier.

        If the JSString is a rope that resolves to something that is already
        present in the VM's Identifier table, using toIdentifier() can avoid