b2e44467514d3b47e77e4f485f3c6a6e8330d493
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-08-21  Mark Lam  <mark.lam@apple.com>

        r171362 accidentally increased the size of InlineCallFrame.
        <https://webkit.org/b/136141>

        Reviewed by Filip Pizlo.

        r171362 increased the size of InlineCallFrame::kind to 2 bits.  This increased
        the size of InlineCallFrame from 72 to 80 though not intentionally.  The fix
        is to reduce the size of InlineCallFrame::stackOffset to 29 bits.

        Also added an assert to ensure that we never set a value that exceeds the size
        of InlineCallFrame::stackOffset.

        * bytecode/CodeOrigin.h:
        (JSC::InlineCallFrame::setStackOffset):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):

2014-08-21  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: RetainPtr misuse, CFRunLoopSource leak
        https://bugs.webkit.org/show_bug.cgi?id=136143

        Reviewed by Timothy Hatcher.

        Adopt a Create into the RetainPtr to avoid leaking.

        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorDebuggableConnection::setupRunLoop):

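The Create-rule mistake the entry above fixes, shown as an added example that is not WebKit's code: a constructed toy refcounted object and a RetainPtr-like wrapper (ToyRunLoopSource, ToyRetainPtr and adoptRef are assumptions standing in for a CF *Create function, RetainPtr and adoptCF). A Create function returns an object at +1; wrapping that pointer with the retaining constructor takes it to +2, and the wrapper's single release on scope exit leaves one reference that nothing will ever drop.

```cpp
#include <cstdio>

// Constructed toy model of a CoreFoundation-style refcounted object.
// Not WebKit's RetainPtr or CF; it only mirrors the ownership rules.
static int g_liveObjects = 0;

struct ToyRunLoopSource {
    int refCount = 1;          // a *Create function hands back an object at +1
    ToyRunLoopSource() { ++g_liveObjects; }
    ~ToyRunLoopSource() { --g_liveObjects; }
};

void retain(ToyRunLoopSource* o) { ++o->refCount; }
void release(ToyRunLoopSource* o) { if (--o->refCount == 0) delete o; }

// Create rule: the caller owns the returned +1 reference and must release it.
ToyRunLoopSource* ToyRunLoopSourceCreate() { return new ToyRunLoopSource(); }

struct AdoptTag {};

class ToyRetainPtr {
public:
    // Wrapping a borrowed pointer: retains, so the object gains an extra reference.
    explicit ToyRetainPtr(ToyRunLoopSource* p) : m_ptr(p) { if (m_ptr) retain(m_ptr); }
    // Adopting: takes over the +1 the Create function already handed us; no extra retain.
    ToyRetainPtr(AdoptTag, ToyRunLoopSource* p) : m_ptr(p) {}
    ToyRetainPtr(ToyRetainPtr&& other) : m_ptr(other.m_ptr) { other.m_ptr = nullptr; }
    ToyRetainPtr(const ToyRetainPtr&) = delete;
    ToyRetainPtr& operator=(const ToyRetainPtr&) = delete;
    ~ToyRetainPtr() { if (m_ptr) release(m_ptr); }
    ToyRunLoopSource* get() const { return m_ptr; }
private:
    ToyRunLoopSource* m_ptr;
};

ToyRetainPtr adoptRef(ToyRunLoopSource* p) { return ToyRetainPtr(AdoptTag{}, p); }

// The leak: the Create result (+1) is wrapped with the retaining constructor (+2).
// Returns the count seen while the wrapper is alive.
int refCountWhenWrappedRetaining() {
    ToyRunLoopSource* raw = ToyRunLoopSourceCreate();   // +1
    int count;
    {
        ToyRetainPtr source(raw);                       // +2: the Create reference was never handed over
        count = raw->refCount;
    }                                                   // wrapper releases once: back to +1, and nobody else will release
    release(raw);                                       // done here only so this demo itself does not leak
    return count;                                       // 2
}

// The fix from the entry: adopt the Create result, so the one +1 is released on scope exit.
int refCountWhenAdopted() {
    ToyRunLoopSource* raw = ToyRunLoopSourceCreate();   // +1
    int count;
    {
        ToyRetainPtr source = adoptRef(raw);            // still +1, now owned by the wrapper
        count = raw->refCount;
    }                                                   // wrapper releases: object is freed
    return count;                                       // 1
}

// After adoption and scope exit no object remains alive.
int liveObjectsAfterAdopt() {
    g_liveObjects = 0;
    {
        ToyRetainPtr source = adoptRef(ToyRunLoopSourceCreate());
    }
    return g_liveObjects;                               // 0
}

int main() {
    std::printf("retaining wrap: refcount %d\n", refCountWhenWrappedRetaining());
    std::printf("adopt:          refcount %d, live after scope %d\n",
                refCountWhenAdopted(), liveObjectsAfterAdopt());
    return 0;
}
```

The retaining constructor is right for a pointer you merely borrowed (a *Get function); a pointer from a *Create or *Copy function must be adopted.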
2014-08-21  Mark Lam  <mark.lam@apple.com>

        REGRESSION(r172808): It made 6 different tests fail on 32 bit platforms.
        <https://webkit.org/b/136123>

        Reviewed by Filip Pizlo.

        The original patch in r172808 removed the code to skip the top scope in
        the 64-bit port of JIT::emitResolveClosure() but not in the 32-bit port.
        This patch fixes that and achieves parity.

        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitResolveClosure):

2014-08-21  Zalan Bujtas  <zalan@apple.com>

        Enable SATURATED_LAYOUT_ARITHMETIC.
        https://bugs.webkit.org/show_bug.cgi?id=136106

        Reviewed by Simon Fraser.

        SATURATED_LAYOUT_ARITHMETIC protects LayoutUnit against arithmetic overflow.
        (No measurable performance regression on Mac.)

        * Configurations/FeatureDefines.xcconfig:

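Saturated arithmetic of the kind the entry above enables, as an added example that is not WebKit's LayoutUnit: the helpers clamp to the int32 range where plain arithmetic would wrap (or, for signed operands, hit undefined behaviour), so a layout width that overflows stays huge instead of turning small or negative. All names and the sample widths are constructed for this example; the overflow builtins are GCC/Clang intrinsics.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Saturating helpers for a LayoutUnit-style value stored in an int32_t.
// On overflow they return the nearest representable bound.
int32_t saturatedAdd(int32_t a, int32_t b) {
    int32_t result;
    if (__builtin_add_overflow(a, b, &result))
        return b > 0 ? INT32_MAX : INT32_MIN;   // both operands share b's sign when a+b overflows
    return result;
}

int32_t saturatedSub(int32_t a, int32_t b) {
    int32_t result;
    if (__builtin_sub_overflow(a, b, &result))
        return b < 0 ? INT32_MAX : INT32_MIN;
    return result;
}

int32_t saturatedMul(int32_t a, int32_t b) {
    int32_t result;
    if (__builtin_mul_overflow(a, b, &result))
        return ((a < 0) != (b < 0)) ? INT32_MIN : INT32_MAX;
    return result;
}

// Wrapping add done in unsigned arithmetic (well defined) and converted back,
// which is what an unsaturated layout sum effectively produces.
int32_t wrappingAdd(int32_t a, int32_t b) {
    return static_cast<int32_t>(static_cast<uint32_t>(a) + static_cast<uint32_t>(b));
}

// Constructed sample: three child widths, one already near the limit.
static const int32_t kSampleWidths[] = { INT32_MAX - 10, 100, 5 };
static const size_t kSampleWidthCount = sizeof(kSampleWidths) / sizeof(kSampleWidths[0]);

int32_t totalWidthSaturated(const int32_t* widths, size_t count) {
    int32_t total = 0;
    for (size_t i = 0; i < count; ++i)
        total = saturatedAdd(total, widths[i]);
    return total;                                // INT32_MAX: still "very wide"
}

int32_t totalWidthWrapping(const int32_t* widths, size_t count) {
    int32_t total = 0;
    for (size_t i = 0; i < count; ++i)
        total = wrappingAdd(total, widths[i]);
    return total;                                // negative: a bogus width a layout engine could trust
}

int main() {
    std::printf("saturated total: %d\n", totalWidthSaturated(kSampleWidths, kSampleWidthCount));
    std::printf("wrapping total:  %d\n", totalWidthWrapping(kSampleWidths, kSampleWidthCount));
    return 0;
}
```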
2014-08-20  Saam Barati  <sbarati@apple.com>

        Fix how CodeBlock dumps the opcode op_profile_type
        https://bugs.webkit.org/show_bug.cgi?id=136088

        Reviewed by Filip Pizlo.

        op_profile_type was modified to receive two extra arguments,
        but its dump in CodeBlock::dumpBytecode wasn't changed to
        account for this, so it broke CodeBlock::dumpBytecode when
        op_profile_type was in the stream of bytecode instructions.
        CodeBlock::dumpBytecode now accounts for the change in
        op_profile_type's arity.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):

2014-08-20  Saam Barati  <sbarati@apple.com>

        Rename HighFidelityTypeProfiling variables for more clarity
        https://bugs.webkit.org/show_bug.cgi?id=135899

        Reviewed by Geoffrey Garen.

        Many names that are used in the type profiling infrastructure
        prefix themselves with "HighFidelity" or include the words "high"
        and/or "fidelity" in some way. But the words "high" and "fidelity" don't
        add anything descriptive to the names surrounding type profiling.
        So this patch removes all uses of "HighFidelity" and its variants.

        Most renamings change "HighFidelity*" to "TypeProfiler*" or simply
        drop the prefix "HighFidelity" altogether. Now, almost all names
        in relation to type profiling contain in them "TypeProfiler" or
        "TypeProfiling" or some combination of the words "type" and "profile".

        This patch also changes how we check if type profiling is enabled:
        We no longer call vm::isProfilingTypesWithHighFidelity. We now just
        check that vm::typeProfiler is not null.

        This patch also changes all calls to TypeProfilerLog::processLogEntries
        to use ASCIILiteral to form WTFStrings instead of vanilla C string literals.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecode/TypeLocation.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset):
        (JSC::UnlinkedCodeBlock::addTypeProfilerExpressionInfo):
        (JSC::UnlinkedCodeBlock::highFidelityTypeProfileExpressionInfoForBytecodeOffset): Deleted.
        (JSC::UnlinkedCodeBlock::addHighFidelityTypeProfileExpressionInfo): Deleted.
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::typeProfilingStartOffset):
        (JSC::UnlinkedFunctionExecutable::typeProfilingEndOffset):
        (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingStartOffset): Deleted.
        (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingEndOffset): Deleted.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitMove):
        (JSC::BytecodeGenerator::emitTypeProfilerExpressionInfo):
        (JSC::BytecodeGenerator::emitProfileType):
        (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo): Deleted.
        (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ThisNode::emitBytecode):
        (JSC::ResolveNode::emitBytecode):
        (JSC::BracketAccessorNode::emitBytecode):
        (JSC::DotAccessorNode::emitBytecode):
        (JSC::FunctionCallValueNode::emitBytecode):
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::FunctionCallBracketNode::emitBytecode):
        (JSC::FunctionCallDotNode::emitBytecode):
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        (JSC::PostfixNode::emitResolve):
        (JSC::PostfixNode::emitBracket):
        (JSC::PostfixNode::emitDot):
        (JSC::PrefixNode::emitResolve):
        (JSC::PrefixNode::emitBracket):
        (JSC::PrefixNode::emitDot):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::AssignDotNode::emitBytecode):
        (JSC::ReadModifyDotNode::emitBytecode):
        (JSC::AssignBracketNode::emitBytecode):
        (JSC::ReadModifyBracketNode::emitBytecode):
        (JSC::ConstDeclNode::emitCodeSingle):
        (JSC::EmptyVarExpression::emitBytecode):
        (JSC::ReturnNode::emitBytecode):
        (JSC::FunctionBodyNode::emitBytecode):
        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        (Inspector::recompileAllJSFunctionsForTypeProfiling):
        (Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend):
        (Inspector::InspectorRuntimeAgent::enableTypeProfiler):
        (Inspector::InspectorRuntimeAgent::disableTypeProfiler):
        (Inspector::InspectorRuntimeAgent::setTypeProfilerEnabledState):
        (Inspector::InspectorRuntimeAgent::enableHighFidelityTypeProfiling): Deleted.
        (Inspector::InspectorRuntimeAgent::disableHighFidelityTypeProfiling): Deleted.
        (Inspector::InspectorRuntimeAgent::setHighFidelityTypeProfilingEnabledState): Deleted.
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/protocol/Runtime.json:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_profile_type):
        (JSC::JIT::emit_op_profile_types_with_high_fidelity): Deleted.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_profile_type):
        (JSC::JIT::emit_op_profile_types_with_high_fidelity): Deleted.
        * jit/JITOperations.cpp:
        * jsc.cpp:
        (functionDumpTypesForAllVariables):
        * llint/LLIntSlowPaths.cpp:
        * llint/LowLevelInterpreter.asm:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::ScriptExecutable):
        (JSC::ProgramExecutable::ProgramExecutable):
        (JSC::FunctionExecutable::FunctionExecutable):
        (JSC::ProgramExecutable::initializeGlobalProperties):
        * runtime/Executable.h:
        (JSC::ScriptExecutable::typeProfilingStartOffset):
        (JSC::ScriptExecutable::typeProfilingEndOffset):
        (JSC::ScriptExecutable::highFidelityTypeProfilingStartOffset): Deleted.
        (JSC::ScriptExecutable::highFidelityTypeProfilingEndOffset): Deleted.
        * runtime/HighFidelityLog.cpp: Removed.
        * runtime/HighFidelityLog.h: Removed.
        * runtime/HighFidelityTypeProfiler.cpp: Removed.
        * runtime/HighFidelityTypeProfiler.h: Removed.
        * runtime/Options.h:
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTable::prepareForTypeProfiling):
        (JSC::SymbolTable::uniqueIDForVariable):
        (JSC::SymbolTable::uniqueIDForRegister):
        (JSC::SymbolTable::prepareForHighFidelityTypeProfiling): Deleted.
        * runtime/SymbolTable.h:
        * runtime/TypeProfiler.cpp: Added.
        (JSC::TypeProfiler::logTypesForTypeLocation):
        (JSC::TypeProfiler::insertNewLocation):
        (JSC::TypeProfiler::getTypesForVariableAtOffsetForInspector):
        (JSC::descriptorMatchesTypeLocation):
        (JSC::TypeProfiler::findLocation):
        * runtime/TypeProfiler.h: Added.
        (JSC::QueryKey::QueryKey):
        (JSC::QueryKey::isHashTableDeletedValue):
        (JSC::QueryKey::operator==):
        (JSC::QueryKey::hash):
        (JSC::QueryKeyHash::hash):
        (JSC::QueryKeyHash::equal):
        (JSC::TypeProfiler::functionHasExecutedCache):
        (JSC::TypeProfiler::typeLocationCache):
        * runtime/TypeProfilerLog.cpp: Added.
        (JSC::TypeProfilerLog::initializeLog):
        (JSC::TypeProfilerLog::~TypeProfilerLog):
        (JSC::TypeProfilerLog::processLogEntries):
        * runtime/TypeProfilerLog.h: Added.
        (JSC::TypeProfilerLog::LogEntry::structureIDOffset):
        (JSC::TypeProfilerLog::LogEntry::valueOffset):
        (JSC::TypeProfilerLog::LogEntry::locationOffset):
        (JSC::TypeProfilerLog::TypeProfilerLog):
        (JSC::TypeProfilerLog::recordTypeInformationForLocation):
        (JSC::TypeProfilerLog::logEndPtr):
        (JSC::TypeProfilerLog::logStartOffset):
        (JSC::TypeProfilerLog::currentLogEntryOffset):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::enableTypeProfiler):
        (JSC::VM::disableTypeProfiler):
        (JSC::VM::dumpTypeProfilerData):
        (JSC::VM::enableHighFidelityTypeProfiling): Deleted.
        (JSC::VM::disableHighFidelityTypeProfiling): Deleted.
        (JSC::VM::dumpHighFidelityProfilingTypes): Deleted.
        * runtime/VM.h:
        (JSC::VM::typeProfilerLog):
        (JSC::VM::typeProfiler):
        (JSC::VM::isProfilingTypesWithHighFidelity): Deleted.
        (JSC::VM::highFidelityLog): Deleted.
        (JSC::VM::highFidelityTypeProfiler): Deleted.

2014-08-20  Csaba Osztrogonác  <ossy@webkit.org>

        URTBF after r172799.

        * disassembler/ARM64/A64DOpcode.cpp:
        * disassembler/ARM64Disassembler.cpp:

2014-08-20  Oliver Hunt  <oliver@apple.com>

        Stop implicitly skipping a function's own activation when walking the scope chain
        https://bugs.webkit.org/show_bug.cgi?id=136118

        Reviewed by Geoffrey Garen.

        Remove the current logic that implicitly skips a function's
        own activation when walking the scope chain. This is ground
        work for ensuring that all closed variable access is made
        through the function's activation. This leads to a further
        10% regression on earley, but we're already tracking the
        overall performance regression.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getScope):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitResolveClosure):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSScope.cpp:
        (JSC::JSScope::abstractResolve):
        * runtime/JSScope.h:

2014-08-20  Michael Saboff  <msaboff@apple.com>

        REGRESSION: Web Inspector crashes when reloading apple.com with Timeline recording active
        https://bugs.webkit.org/show_bug.cgi?id=136034

        Reviewed by Mark Lam.

        DebuggerCallFrame::positionForCallFrame is trying to unwind starting somewhere in the middle
        of the stack.  Hardened StackVisitor to skip over the frames between the current top frame
        and the requested start frame.

        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::StackVisitor):

2014-08-20  Brent Fulgham  <bfulgham@apple.com>

        [Win] JavaScriptCore.dll is missing version information.
        https://bugs.webkit.org/show_bug.cgi?id=136105
        <rdar://problem/18075852>

        Reviewed by Dean Jackson.

        * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd: Add missing step to generate
        version information for intermediary build path.

2014-08-20  Saam Barati  <sbarati@apple.com>

        Fix a memory leak in TypeSet
        https://bugs.webkit.org/show_bug.cgi?id=135913

        Reviewed by Filip Pizlo.

        Currently, TypeSet unconditionally allocates memory for its member
        variable m_structureHistory, but never deallocates it. Change this
        from being a pointer that is unconditionally allocated to a member
        variable that will be deallocated when TypeSet itself is deallocated.

        * runtime/TypeSet.cpp:
        (JSC::TypeSet::TypeSet):
        (JSC::TypeSet::addTypeInformation):
        (JSC::TypeSet::seenTypes):
        (JSC::TypeSet::displayName):
        (JSC::TypeSet::allStructureRepresentations):
        (JSC::StructureShape::leastCommonAncestor):
        * runtime/TypeSet.h:

2014-08-20  peavo@outlook.com  <peavo@outlook.com>

        [Win] Assertion fails when running JSC stress tests.
        https://bugs.webkit.org/show_bug.cgi?id=136103

        Reviewed by Darin Adler.

        Use unsigned bitfield member instead of enum bitfield member to avoid negative values.

        * bytecode/CodeOrigin.h: Use unsigned bitfield member.
        (JSC::InlineCallFrame::specializationKind): Compile fix.

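One constructed example (not JSC's InlineCallFrame) for both the entry above and the earlier one headed "r171362 accidentally increased the size of InlineCallFrame": the toy structs PackedFrame and OversizedFrame show how one extra bit pushes three bitfields out of a single 32-bit allocation unit so the struct grows; a checked setter refuses values that do not fit in 29 bits instead of letting them be truncated; and a 2-bit signed field is compared with an unsigned one to show where the negative values the Windows entry mentions come from. Field and constant names are assumptions, and the sizes are those of the C++ ABI used by GCC and Clang (bitfields do not straddle their allocation unit).

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Layout after the fix: 2 + 29 + 1 = 32 bits, exactly one unsigned int unit.
struct PackedFrame {
    unsigned kind : 2;
    int stackOffset : 29;
    unsigned isClosureCall : 1;
};

// The accidental layout: widening kind to 2 bits without narrowing stackOffset
// gives 2 + 30 + 1 = 33 bits, and the last field spills into a second unit.
struct OversizedFrame {
    unsigned kind : 2;
    int stackOffset : 30;
    unsigned isClosureCall : 1;
};

size_t packedFrameSize() { return sizeof(PackedFrame); }        // 4
size_t oversizedFrameSize() { return sizeof(OversizedFrame); }  // 8 on GCC/Clang

// Range of a signed 29-bit field: -2^28 .. 2^28 - 1.
constexpr int kStackOffsetBits = 29;
constexpr int32_t kStackOffsetMax = (int32_t(1) << (kStackOffsetBits - 1)) - 1;
constexpr int32_t kStackOffsetMin = -(int32_t(1) << (kStackOffsetBits - 1));

bool stackOffsetFits(int32_t offset) {
    return offset >= kStackOffsetMin && offset <= kStackOffsetMax;
}

// Checked setter: where the real code asserts, this refuses rather than silently truncating.
bool setStackOffset(PackedFrame& frame, int32_t offset) {
    if (!stackOffsetFits(offset))
        return false;
    frame.stackOffset = offset;
    return frame.stackOffset == offset;   // round-trips exactly when it fits
}

// Convenience wrapper so the check can be exercised without a caller-owned frame.
bool trySetStackOffset(int32_t offset) {
    PackedFrame frame{};
    return setStackOffset(frame, offset);
}

// Unchecked store: an out-of-range value is narrowed to 29 bits and reads back as a
// different number (which bits survive is implementation-defined; GCC/Clang keep the low 29).
int32_t storeUnchecked(int32_t offset) {
    PackedFrame frame{};
    frame.stackOffset = offset;
    return frame.stackOffset;
}

// A 2-bit field holding the value 3: signed, it reads back as -1; unsigned, as 3.
// An enum-typed bitfield behaves like whichever of these the compiler picks for the enum,
// which is why the entry switches to an explicitly unsigned member.
int readBackSigned2Bits(int value) {
    struct { int kind : 2; } s;
    s.kind = value;
    return s.kind;
}

int readBackUnsigned2Bits(unsigned value) {
    struct { unsigned kind : 2; } s;
    s.kind = value;
    return static_cast<int>(s.kind);
}

int main() {
    std::printf("sizeof PackedFrame=%zu OversizedFrame=%zu\n", packedFrameSize(), oversizedFrameSize());
    std::printf("1<<28 fits: %d, stored unchecked reads back %d\n",
                stackOffsetFits(1 << 28), storeUnchecked(1 << 28));
    std::printf("3 in signed 2-bit field: %d, in unsigned: %d\n",
                readBackSigned2Bits(3), readBackUnsigned2Bits(3));
    return 0;
}
```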
2014-08-20  Akos Kiss  <akiss@inf.u-szeged.hu>

        Enable ARM64 disassembler on EFL
        https://bugs.webkit.org/show_bug.cgi?id=136089

        Reviewed by Filip Pizlo.

        * CMakeLists.txt:
        Added disassembler/ARM64Disassembler.cpp and
        disassembler/ARM64/A64DOpcode.cpp to JavaScriptCore_SOURCES.

        * disassembler/ARM64/A64DOpcode.cpp:
        Added USE(ARM64_DISASSEMBLER) guard around implementation.

        * disassembler/ARM64/A64DOpcode.h:
        (JSC::ARM64Disassembler::A64DOpcode::appendUnsignedImmediate64):
        (JSC::ARM64Disassembler::A64DOpcode::appendPCRelativeOffset):
        Made format strings portable by changing "%llx" to "%" PRIx64 for
        uint64_t arguments.

2014-08-19  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r172401): for-in optimization no longer works at all
        https://bugs.webkit.org/show_bug.cgi?id=136056

        Reviewed by Geoffrey Garen.

        Roll this back in, along with a fix to make proxies work. Previously, for-in over proxies
        would instacrash every time.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetByVal):
        (JSC::BytecodeGenerator::pushIndexedForInScope):
        (JSC::BytecodeGenerator::pushStructureForInScope):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::ForInContext::ForInContext):
        (JSC::StructureForInContext::StructureForInContext):
        (JSC::IndexedForInContext::IndexedForInContext):
        (JSC::ForInContext::base): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitMultiLoopBytecode):
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::getStructurePropertyNames):
        (JSC::JSProxy::getGenericPropertyNames):
        * tests/stress/for-in-base-reassigned-later-and-change-structure.js: Added.
        (foo):
        * tests/stress/for-in-base-reassigned-later.js: Added.
        (foo):
        * tests/stress/for-in-base-reassigned.js: Added.
        (foo):
        * tests/stress/for-in-proxy-target-changed-structure.js: Added.
        (deleteAll):
        (foo):
        * tests/stress/for-in-proxy.js: Added.
        (foo):

2014-08-19  Jaehun Lim  <ljaehun.lim@samsung.com>

        Unreviewed, fix EFL build after r17275

        Fix error: ignoring #pragma clang diagnostic [-Werror=unknown-pragmas]

        * runtime/JSDataViewPrototype.cpp:
        Add #if COMPILER(CLANG) and #endif.

2014-08-19  Michael Saboff  <msaboff@apple.com>

        Crash in jsc-layout-tests.yaml/js/script-tests/reentrant-caching.js
        https://bugs.webkit.org/show_bug.cgi?id=136080

        Reviewed by Mark Lam.

        Update VM::topVMEntryFrame via NativeCallFrameTracer() when we pass the caller's frame
        to NativeCallFrameTracer() as the callee's frame may be the first callee from an entry
        frame.  In that case, the caller will have the prior VM entry frame.

        The new NativeCallFrameTracer with a VMEntryFrame parameter should be used when throwing
        an exception from a caller frame.  The value to use for the VMEntryFrame should be a
        value possibly modified by CallFrame::callerFrame(&*VMEntryFrame) used to find the caller.

        * interpreter/Interpreter.h:
        (JSC::NativeCallFrameTracer::NativeCallFrameTracer): Added a new constructor that takes a
        VMEntryFrame.  Added an ASSERT to both constructors to check that the updated topCallFrame
        is below the current vmEntryFrame.

        * jit/JITOperations.cpp:
        (JSC::operationThrowStackOverflowError):
        (JSC::operationCallArityCheck):
        (JSC::operationConstructArityCheck):
        Set VM::topVMEntryFrame to the possibly updated VMEntryFrame after getting the caller's frame.

2014-08-19  Andy Estes  <aestes@apple.com>

        [Cocoa] Offline Assembler build phase fails when $BUILT_PRODUCTS_DIR contains spaces
        https://bugs.webkit.org/show_bug.cgi?id=136086

        Reviewed by Filip Pizlo.

        Enclosed arguments to asm.rb containing $BUILT_PRODUCTS_DIR in double quotes so that they don't get split on
        whitespace. Also let Xcode have its way with an unrelated part of the project file.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-08-19  Filip Pizlo  <fpizlo@apple.com>

        LLInt build should be way faster
        https://bugs.webkit.org/show_bug.cgi?id=136085

        Reviewed by Geoffrey Garen.

        This does three things to improve the LLInt build performance. One of them is only for
        Xcode for now while the others should benefit all platforms:

        - Don't exponentially build settings combinations that correspond to being on two backends
          simultaneously. This is by far the biggest win.

        - Don't generate offset extraction code for backends that aren't supported by the current
          port. This currently only works on Xcode-based ports. This is a relatively small win.

        - Remove the ALWAYS_ALLOCATE_SLOW option. Each option increases build time, and we haven't
          used this one in a long time. Anyway, setting this option could be emulated by just
          directly hacking the code.

        This is an enormous speed-up in the LLInt build.

        * JavaScriptCore.xcodeproj/project.pbxproj: Prune the set of backends that we should consider on Xcode-based platforms.
        * llint/LLIntOfflineAsmConfig.h: Remove ALWAYS_ALLOCATE_SLOW
        * llint/LowLevelInterpreter.asm: Remove ALWAYS_ALLOCATE_SLOW
        * offlineasm/backends.rb: Add infrastructure for reasoning about valid backends.
        * offlineasm/generate_offset_extractor.rb: Allow the client to specify a filtered set of valid backends.
        * offlineasm/settings.rb: Improve the construction of settings combinations so that it doesn't traverse the enormous set of obviously invalid multi-backend combinations. Also glue into support for valid backends.

2014-08-19  Filip Pizlo  <fpizlo@apple.com>

        Fix indentation and style in LowLevelInterpreter.asm
        https://bugs.webkit.org/show_bug.cgi?id=136083

        Reviewed by Mark Lam.

        * llint/LowLevelInterpreter.asm:

2014-08-19  Magnus Granberg  <zorry@gentoo.org>

        TEXTREL in libjavascriptcoregtk-1.0.so.0.11.0 on x86 (or i586)
        https://bugs.webkit.org/show_bug.cgi?id=70610

        Reviewed by Darin Adler.

        Set up %ebx so we can use the plt.

        * jit/ThunkGenerators.cpp:

2014-08-19  Zalan Bujtas  <zalan@apple.com>

        Remove ENABLE(SUBPIXEL_LAYOUT).
        https://bugs.webkit.org/show_bug.cgi?id=136077

        Reviewed by Simon Fraser.

        Remove compile time flag SUBPIXEL_LAYOUT. All ports have it enabled for a while now.

        * Configurations/FeatureDefines.xcconfig:

2014-08-19  Alex Christensen  <achristensen@webkit.org>

        [CMake] Generate LLInt assembly correctly on Windows.
        https://bugs.webkit.org/show_bug.cgi?id=135888

        Reviewed by Oliver Hunt.

        * CMakeLists.txt:
        Generate LowLevelInterpreterWin.asm instead of LLIntAssembly.h on Windows like the existing build system.
        * PlatformWin.cmake:
        Don't build JSGlobalObjectInspectorController.cpp on Windows.
        * offlineasm/x86.rb:
        Detect non-cygwin ruby installations correctly.

2014-08-19  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r163179): It broke the build on ARM Thumb2 with GCC
        https://bugs.webkit.org/show_bug.cgi?id=136028

        Reviewed by Oliver Hunt.

        Added back ARMv7 conditionals around three op addp and subp since ARM Thumb2 spec says that
        the behavior for those ops is undefined.  This was originally done in changeset 163179.

        * llint/LowLevelInterpreter32_64.asm:

559 2014-08-18  Commit Queue  <commit-queue@webkit.org>
560
561         Unreviewed, rolling out r172741.
562         https://bugs.webkit.org/show_bug.cgi?id=136058
563
564         This change is breaking PLT. (Requested by mlam on #webkit).
565
566         Reverted changeset:
567
568         "REGRESSION(r172401): for-in optimization no longer works at
569         all"
570         https://bugs.webkit.org/show_bug.cgi?id=136056
571         http://trac.webkit.org/changeset/172741
572
573 2014-08-18  Filip Pizlo  <fpizlo@apple.com>
574
575         REGRESSION(r172401): for-in optimization no longer works at all
576         https://bugs.webkit.org/show_bug.cgi?id=136056
577
578         Reviewed by Mark Hahnenberg.
579         
580         This is a partial roll-out of r172401. It turns out that the fix wasn't actually fixing a
581         real bug (since it's fine to use op_get_direct_pname on the wrong base because it has a
582         structure check) and it was actually breaking the entire for-in optimization (since there is
583         no way that we can statically prove that the base matches, because the base we see is a
584         newly created temporary, and anyway doing it right would be really hard in our bytecode
585         because it's 3AC form).
586         
587         But, I added a new test for the problem, and kept the original test. Both the old test and
588         the new test prove that r172401 wasn't fixing what it thought it was fixing. To the extent
589         that it resolved crashes it was because it just disabled the for-in optimization entirely.
590
591         * bytecompiler/BytecodeGenerator.cpp:
592         (JSC::BytecodeGenerator::emitGetByVal):
593         (JSC::BytecodeGenerator::pushIndexedForInScope):
594         (JSC::BytecodeGenerator::pushStructureForInScope):
595         * bytecompiler/BytecodeGenerator.h:
596         (JSC::ForInContext::ForInContext):
597         (JSC::StructureForInContext::StructureForInContext):
598         (JSC::IndexedForInContext::IndexedForInContext):
599         (JSC::ForInContext::base): Deleted.
600         * bytecompiler/NodesCodegen.cpp:
601         (JSC::ForInNode::emitMultiLoopBytecode):
602         * tests/stress/for-in-base-reassigned.js: Added.
603         * tests/stress/for-in-base-reassigned-later.js: Added.
604         * tests/stress/for-in-base-reassigned-later-and-change-structure.js: Added.
605
606 2014-08-18  Mark Lam  <mark.lam@apple.com>
607
608         Gardening: build fix for non-Mac builds after r172737.
609         https://bugs.webkit.org/show_bug.cgi?id=135750
610
611         Not reviewed.
612
613         * CMakeLists.txt:
614         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
615         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
616
617 2014-08-18  Filip Pizlo  <fpizlo@apple.com>
618
619         REGRESSION(r172129): ftlopt branch merge made performance tests flakey crash
620         https://bugs.webkit.org/show_bug.cgi?id=135750
621
622         Reviewed by Mark Lam.
623         
624         This was caused by a rather embarrassing oversight in how the DFG tracks structures: we
625         could sometimes perform an optimization that requires a structure to be alive but forget to
626         ensure that the structure is actually kept alive. In particular, any watchpoint-based
627         optimizations involve setting watchpoints even if the code that got optimized is eventually
628         deleted because it is unreachable. All such optimizations would leave behind something in
629         the IR to tell us that we are interested in the structure and that therefore it should be
630         kept alive. But, IR can be deleted if it is unreachable.
631         
632         The solution is to ensure that as soon as the DFG is made aware of a structure, it adds it
633         to the set of weak references.
634
635         * JavaScriptCore.xcodeproj/project.pbxproj:
636         * dfg/DFGAbstractInterpreterInlines.h:
637         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
638         * dfg/DFGAbstractValue.cpp:
639         (JSC::DFG::AbstractValue::setOSREntryValue):
640         (JSC::DFG::AbstractValue::set):
641         (JSC::DFG::AbstractValue::normalizeClarity):
642         (JSC::DFG::AbstractValue::assertIsRegistered):
643         (JSC::DFG::AbstractValue::assertIsWatched): Deleted.
644         * dfg/DFGAbstractValue.h:
645         (JSC::DFG::AbstractValue::assertIsRegistered):
646         (JSC::DFG::AbstractValue::assertIsWatched): Deleted.
647         * dfg/DFGCommon.h:
648         * dfg/DFGConstantFoldingPhase.cpp:
649         (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
650         * dfg/DFGDesiredWeakReferences.cpp:
651         (JSC::DFG::DesiredWeakReferences::addLazily):
652         (JSC::DFG::DesiredWeakReferences::contains):
653         (JSC::DFG::DesiredWeakReferences::reallyAdd):
654         (JSC::DFG::DesiredWeakReferences::visitChildren):
655         * dfg/DFGDesiredWeakReferences.h:
656         * dfg/DFGFixupPhase.cpp:
657         (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
658         * dfg/DFGGraph.cpp:
659         (JSC::DFG::Graph::Graph):
660         (JSC::DFG::Graph::registerFrozenValues):
661         (JSC::DFG::Graph::convertToConstant):
662         (JSC::DFG::Graph::registerStructure):
663         (JSC::DFG::Graph::assertIsRegistered):
664         (JSC::DFG::Graph::assertIsWatched): Deleted.
665         * dfg/DFGGraph.h:
666         * dfg/DFGPlan.cpp:
667         (JSC::DFG::Plan::compileInThreadImpl):
668         * dfg/DFGStructureAbstractValue.cpp:
669         (JSC::DFG::StructureAbstractValue::assertIsRegistered):
670         (JSC::DFG::StructureAbstractValue::assertIsWatched): Deleted.
671         * dfg/DFGStructureAbstractValue.h:
672         (JSC::DFG::StructureAbstractValue::assertIsRegistered):
673         (JSC::DFG::StructureAbstractValue::assertIsWatched): Deleted.
674         * dfg/DFGStructureRegistrationPhase.cpp: Copied from Source/JavaScriptCore/dfg/DFGWatchableStructureWatchingPhase.cpp.
675         (JSC::DFG::StructureRegistrationPhase::StructureRegistrationPhase):
676         (JSC::DFG::StructureRegistrationPhase::run):
677         (JSC::DFG::StructureRegistrationPhase::registerStructures):
678         (JSC::DFG::StructureRegistrationPhase::registerStructure):
679         (JSC::DFG::performStructureRegistration):
680         (JSC::DFG::WatchableStructureWatchingPhase::WatchableStructureWatchingPhase): Deleted.
681         (JSC::DFG::WatchableStructureWatchingPhase::run): Deleted.
682         (JSC::DFG::WatchableStructureWatchingPhase::tryWatch): Deleted.
683         (JSC::DFG::performWatchableStructureWatching): Deleted.
684         * dfg/DFGStructureRegistrationPhase.h: Copied from Source/JavaScriptCore/dfg/DFGWatchableStructureWatchingPhase.h.
685         * dfg/DFGWatchableStructureWatchingPhase.cpp: Removed.
686         * dfg/DFGWatchableStructureWatchingPhase.h: Removed.
687
688 2014-08-18  Akos Kiss  <akiss@inf.u-szeged.hu>
689
690         Fix ASSERT in ARM64's JSC::GPRInfo::debugName
691         https://bugs.webkit.org/show_bug.cgi?id=136050
692
693         Reviewed by Darin Adler.
694
695         Remove cast of GPRReg to unsigned to prevent signed/unsigned comparison
696         error.
697
698         * jit/GPRInfo.h:
699         (JSC::GPRInfo::debugName):
700
701 2014-08-18  Andreas Kling  <akling@apple.com>
702
703         REGRESSION(r168256): JSString can get 8-bit flag wrong when re-using AtomicStrings.
704         <https://webkit.org/b/133574>
705         <rdar://problem/18051847>
706
707         The optimization that resolves JSRopeStrings into an existing
708         AtomicString (to save time and memory by avoiding StringImpl allocation)
709         had a bug where it wasn't copying the 8-bit flag from the AtomicString.
710
711         This could lead to a situation where a 16-bit StringImpl containing
712         only 8-bit characters is sitting in the AtomicString table, is found
713         by the rope resolution optimization, and gives you a rope that thinks
714         it's all 8-bit, but has a fiber with 16-bit characters.
715
716         Resolving that rope will then yield incorrect results.
717
718         This was all caught by an assertion, but very hard to reproduce.
719
720         Test: js/dopey-rope-with-16-bit-propertyname.html
721
722         Reviewed by Darin Adler.
723
724         * runtime/JSString.cpp:
725         (JSC::JSRopeString::resolveRopeToAtomicString):
726         (JSC::JSRopeString::resolveRopeToExistingAtomicString):
727         * runtime/JSString.h:
728         (JSC::JSString::setIs8Bit):
729         (JSC::JSString::toExistingAtomicString):
730
731 2014-08-18  Matthew Mirman  <mmirman@apple.com>
732
733         Merges the two native inlining passes from the build.
734         Also adds the AvailableExternallyLinkage assertion to linked 
735         functions to allow unused and duplicate ones to be removed.
736         https://bugs.webkit.org/show_bug.cgi?id=135526
737
738         Reviewed by Filip Pizlo.
739
740         * JavaScriptCore.xcodeproj/project.pbxproj: 
741         Removed second generation of llvm binary files.
742         Fixed the flags on the first pass. 
743         * build-symbol-table-index.py: Modified some paths.
744         * build-symbol-table-index.sh: Removed.
745         * copy-llvm-ir-to-derived-sources.sh: Now calls build-symbol-table-index directly.
746         * ftl/FTLLowerDFGToLLVM.cpp: Added LLVMAvailableExternallyLinkage assertion.
747         (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol): 
748         * runtime/ArrayPrototype.cpp: Removed static declarations. 
749         * runtime/DateConstructor.cpp: ditto.
750         (JSC::dateParse):
751         (JSC::dateNow):
752         (JSC::dateUTC):
753         * runtime/DatePrototype.cpp: ditto.
754         * runtime/JSDataViewPrototype.cpp: ditto on both.
755         (JSC::dataViewProtoFuncGetInt8):
756         (JSC::dataViewProtoFuncGetInt16):
757         (JSC::dataViewProtoFuncGetInt32):
758         (JSC::dataViewProtoFuncGetUint8):
759         (JSC::dataViewProtoFuncGetUint16):
760         (JSC::dataViewProtoFuncGetUint32):
761         (JSC::dataViewProtoFuncGetFloat32):
762         (JSC::dataViewProtoFuncGetFloat64):
763         (JSC::dataViewProtoFuncSetInt8):
764         (JSC::dataViewProtoFuncSetInt16):
765         (JSC::dataViewProtoFuncSetInt32):
766         (JSC::dataViewProtoFuncSetUint8):
767         (JSC::dataViewProtoFuncSetUint16):
768         (JSC::dataViewProtoFuncSetUint32):
769         (JSC::dataViewProtoFuncSetFloat32):
770         (JSC::dataViewProtoFuncSetFloat64):
771         * runtime/JSONObject.cpp: ditto.
772         * runtime/ObjectConstructor.cpp: ditto.
773         * runtime/StringPrototype.cpp: ditto.
774
775 2014-08-18  Saam Barati  <sbarati@apple.com>
776
777         The parser should generate AST nodes for var declarations with no initializers
778         https://bugs.webkit.org/show_bug.cgi?id=135545
779
780         Reviewed by Geoffrey Garen.
781
782         Currently, JSC's parser ignores variable declarations
783         that have no assignment initializer value because all 
784         variables are implicitly assigned to undefined. But, 
785         type profiling needs an AST node to be generated for these 
786         empty variable declarations because it needs to be able to 
787         profile their text locations and to see that their type 
788         is undefined.
789
790         * bytecompiler/NodesCodegen.cpp:
791         (JSC::EmptyVarExpression::emitBytecode):
792         * parser/ASTBuilder.h:
793         (JSC::ASTBuilder::createVarStatement):
794         (JSC::ASTBuilder::createEmptyVarExpression):
795         * parser/NodeConstructors.h:
796         (JSC::EmptyVarExpression::EmptyVarExpression):
797         * parser/Nodes.h:
798         * parser/Parser.cpp:
799         (JSC::Parser<LexerType>::parseVarDeclarationList):
800         * parser/SyntaxChecker.h:
801         (JSC::SyntaxChecker::createEmptyVarExpression):
802
803 2014-08-18  Diego Pino Garcia  <dpino@igalia.com>
804
805         Completed iterator can be revived by adding more than one new entry to the target object
806         https://bugs.webkit.org/show_bug.cgi?id=129993
807
808         Reviewed by Oliver Hunt.
809
810         When the iterator reaches the end, finish the iterator.
811
812         * runtime/JSMapIterator.h:
813         (JSC::JSMapIterator::finish):
814         * runtime/JSSetIterator.h:
815         (JSC::JSSetIterator::finish):
816         * runtime/MapData.h:
817         (JSC::MapData::const_iterator::finish): Set the iterator's index to max
818         Int32.
819         * runtime/MapIteratorPrototype.cpp:
820         (JSC::MapIteratorPrototypeFuncNext):
821         * runtime/SetIteratorPrototype.cpp:
822         (JSC::SetIteratorPrototypeFuncNext):
823
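The behaviour the entry above fixes, written as an added check that is not part of the WebKit ChangeLog or the JSC sources: a Map or Set iterator that has already reported completion must keep reporting `done` even after more than one new entry is added to the collection it iterates, while an iterator that has not yet finished still sees entries added before it reaches the end (standard ES6 Map/Set iteration semantics, no JSC-specific API assumed).

```javascript
// Drains `collection`'s iterator, grows the collection through `addEntries`,
// and reports whether the exhausted iterator stayed finished.
function iteratorStaysFinished(collection, addEntries) {
  const it = collection[Symbol.iterator]();
  // Run the iterator to completion.
  while (!it.next().done) {}
  // The revival case from the bug: add more than one entry after completion.
  addEntries(collection);
  // A finished iterator must not be revived by later growth of the target.
  const after = it.next();
  return after.done === true && after.value === undefined;
}

function checkMapIterator() {
  const map = new Map([["a", 1]]);
  return iteratorStaysFinished(map, (m) => { m.set("b", 2); m.set("c", 3); });
}

function checkSetIterator() {
  const set = new Set([1]);
  return iteratorStaysFinished(set, (s) => { s.add(2); s.add(3); });
}

// Contrast case: an iterator that has NOT yet completed does observe entries
// added before it reaches the end, so finishing must happen only at the end.
function liveIteratorSeesNewEntries() {
  const map = new Map([["a", 1]]);
  const it = map.entries();
  it.next();            // consumes "a"; iterator is not yet done
  map.set("b", 2);      // added before completion, so it must be visited
  const next = it.next();
  return !next.done && next.value[0] === "b";
}

// Stand-alone run: all three checks should report true on a conforming engine.
console.log(checkMapIterator(), checkSetIterator(), liveIteratorSeesNewEntries());
```

On an engine with the bug described above, the first two checks would report false because the completed iterator would resume yielding the newly added entries.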
824 2014-08-15  Brian J. Burg  <burg@cs.washington.edu>
825
826         Web Inspector: rewrite CodeGeneratorInspector to be modular and testable
827         https://bugs.webkit.org/show_bug.cgi?id=131596
828
829         Unreviewed gardening to rebaseline inspector generator tests after addressing review comments.
830
831         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
832         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
833         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
834         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
835         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
836         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
837         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
838         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
839         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
840         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
841         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
842
843 2014-08-15  Brian J. Burg  <burg@cs.washington.edu>
844
845         Unreviewed build fix for some GTK bots after r172655.
846
847         Some bots use Python 2.6, which lacks the 'flags' named parameter for re.sub.
848
849         * inspector/scripts/codegen/generator.py:
850         (Generator.stylized_name_for_enum_value): Do things the old-school way.
851
852 2014-08-15  Michael Saboff  <msaboff@apple.com>
853
854         Change callToJavaScript and callToNativeFunction so their callFrames match the native calling conventions
855         https://bugs.webkit.org/show_bug.cgi?id=131578
856
857         Reviewed by Geoffrey Garen.
858
859         Renamed callToJavaScript and callToNativeFunction to vmEntryToJavaScript and vmEntryToNative,
860         respectively.  Eliminated the sentinel frame and replaced it with the structure VMEntryRecord
861         that appears in the "locals" area of a VM entry stack frame.  Changed the order that
862         vmEntryToJavaScript and vmEntryToNative create their stack frames to be native calling
863         convention compliant.  That is, save the prior frame pointer, save callee save registers, then
864         allocate and populate the VMEntryRecord, and finally allocate a CallFrame for the JS function
865         that vmEntryToJavaScript will invoke.  The topmost vm entry frame pointer is saved in
866         VM::topVMEntryFrame.  The vmEntry functions save prior contents of VM::topVMEntryFrame
867         along with the VM and VM::topCallFrame in the VMEntryRecord it places on the stack.  Starting
868         at VM::topCallFrame, the stack can be walked using these VMEntryRecords.
869
870         Arbitrary stack unwinding is now handled either iteratively by loading VM::topVMEntryFrame
871         into a local variable and using CallFrame::callerFrame(VMEntryFrame*&) or by using StackVisitor.
872         Given that the stack is effectively a singly linked list, general stack unwinding needs to use
873         one of these two methods.
874
875         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
876         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
877         * JavaScriptCore.xcodeproj/project.pbxproj:
878         Addition of VMEntryRecord.h
879
880         * bytecode/BytecodeList.json:
881         Renaming of llint helper opcodes due to renaming callToJavaScript and callToNativeFunction.
882
883         * debugger/Debugger.cpp:
884         (JSC::Debugger::stepOutOfFunction):
885         (JSC::Debugger::returnEvent):
886         (JSC::Debugger::didExecuteProgram):
887         * jsc.cpp:
888         (functionDumpCallFrame):
889         * jit/JITOperations.cpp:
890         Changed unwinding to use CallFrame::callerFrame(VMEntryFrame*&).
891
892         * bytecode/CodeBlock.cpp:
893         (JSC::RecursionCheckFunctor::RecursionCheckFunctor):
894         (JSC::RecursionCheckFunctor::operator()):
895         (JSC::RecursionCheckFunctor::didRecurse):
896         (JSC::CodeBlock::noticeIncomingCall):
897         * debugger/DebuggerCallFrame.cpp:
898         (JSC::FindCallerMidStackFunctor::FindCallerMidStackFunctor):
899         (JSC::FindCallerMidStackFunctor::operator()):
900         (JSC::FindCallerMidStackFunctor::getCallerFrame):
901         (JSC::DebuggerCallFrame::callerFrame):
902         * interpreter/VMInspector.cpp:
903         (JSC::CountFramesFunctor::CountFramesFunctor):
904         (JSC::CountFramesFunctor::operator()):
905         (JSC::CountFramesFunctor::count):
906         (JSC::VMInspector::countFrames):
907         * runtime/VM.cpp:
908         (JSC::VM::VM):
909         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
910         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
911         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame):
912         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index):
913         (JSC::VM::throwException):
914         Changed unwinding to use StackVisitor including added functor classes.
915
916         * interpreter/CallFrame.cpp:
917         (JSC::CallFrame::callerFrame):
918         Added new flavor of callerFrame() that can iteratively unwind the stack.
919
920         * interpreter/CallFrame.h:
921         (JSC::ExecState::callerFrame): Changed callerFrame() to use private common helper.
922         (JSC::ExecState::callerFrameOrVMEntryFrame): Deleted.
923         (JSC::ExecState::isVMEntrySentinel): Deleted.
924         (JSC::ExecState::vmEntrySentinelCallerFrame): Deleted.
925         (JSC::ExecState::initializeVMEntrySentinelFrame): Deleted.
926         (JSC::ExecState::callerFrameSkippingVMEntrySentinel): Deleted.
927         (JSC::ExecState::vmEntrySentinelCodeBlock): Deleted.
928
929         * interpreter/CallFrame.h:
930         (JSC::ExecState::init):
931         (JSC::ExecState::topOfFrame):
932         (JSC::ExecState::currentVPC):
933         (JSC::ExecState::setCurrentVPC):
934         Eliminated unneeded checking of sentinel frame.
935
936         * interpreter/Interpreter.cpp:
937         (JSC::unwindCallFrame):
938         (JSC::Interpreter::getStackTrace): Updated for unwinding changes.
939         (JSC::Interpreter::unwind): Eliminated unneeded sentinel frame check.
940
941         * interpreter/Interpreter.cpp:
942         (JSC::Interpreter::executeCall):
943         (JSC::Interpreter::executeConstruct):
944         * jit/JITStubs.h:
945         * llint/LLIntThunks.cpp:
946         (JSC::callToJavaScript): Deleted.
947         (JSC::callToNativeFunction): Deleted.
948         (JSC::vmEntryToJavaScript):
949         (JSC::vmEntryToNative):
950         * llint/LLIntThunks.h:
951         Updated for vmEntryToJavaScript and vmEntryToNative name changes.
952
953         * interpreter/Interpreter.h:
954         (JSC::TopCallFrameSetter::TopCallFrameSetter):
955         (JSC::TopCallFrameSetter::~TopCallFrameSetter):
956         Eliminated unneeded sentinel frame check.
957
958         * interpreter/Interpreter.h:
959         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
960         Removed sentinel specific constructor.
961
962         * interpreter/StackVisitor.cpp:
963         (JSC::StackVisitor::StackVisitor):
964         (JSC::StackVisitor::readFrame):
965         (JSC::StackVisitor::readNonInlinedFrame):
966         (JSC::StackVisitor::readInlinedFrame):
967         (JSC::StackVisitor::Frame::print):
968         * interpreter/StackVisitor.h:
969         (JSC::StackVisitor::Frame::callerIsVMEntry):
970         Changes for unwinding using CallFrame::callerFrame(VMEntryFrame*&).  Also added a field that
971         indicates when it is about to step over a VM entry frame.
972
973         * interpreter/VMEntryRecord.h: Added.
974         (JSC::VMEntryRecord::prevTopCallFrame):
975         (JSC::VMEntryRecord::prevTopVMEntryFrame):
976         New struct to record prior state of VM's notion of VM entry and top call frames.
977
978         * jit/JITCode.cpp:
979         (JSC::JITCode::execute):
980         Use new vmEntryToJavaScript and vmEntryToNative name.
981
982         * llint/LLIntOffsetsExtractor.cpp: Added include for VMEntryRecord.h.
983
984         * llint/LowLevelInterpreter.asm:
985         * llint/LowLevelInterpreter32_64.asm:
986         * llint/LowLevelInterpreter64.asm:
987         Offline assembly implementation of creating a stack frame with VMEntryRecord as well as restoring
988         relevant VM fields when exiting the VM.  Added a helper that returns a VMEntryRecord given
989         a pointer to the VM entry frame.
990
991         * llint/LLIntThunks.cpp:
992         (JSC::vmEntryRecord):
993         * llint/LowLevelInterpreter.cpp:
994         (JSC::CLoop::execute):
995         C Loop changes to mirror the assembly changes.
996
997         * runtime/VM.h:
998         Added topVMEntryFrame field.
999
1000 2014-08-15  Brian J. Burg  <burg@cs.washington.edu>
1001
1002         Web Inspector: rewrite CodeGeneratorInspector to be modular and testable
1003         https://bugs.webkit.org/show_bug.cgi?id=131596
1004
1005         Reviewed by Joseph Pecoraro.
1006
1007         Replace CodeGeneratorInspector.py with generate-inspector-protocol-bindings.py.
1008         The new generator decouples parsing and typechecking a model of the protocol from
1009         code generation. Each generated file is created by a different subclass of Generator.
1010         Helper methods to compute various type signatures are shared among generators.
1011
1012         This patch introduces a test harness and a test suite that covers all functionality.
1013
1014         Aside from hooking up the new inspector bindings generator to the build system,
1015         there are a few commingled changes that would be painful to split from the main
1016         patch:
1017
1018         Convert protocol enumeration types from struct-namespaced enums to C++ scoped enums.
1019
1020         Move all runtimeCast(), assertValueHasExpectedType(), and RuntimeCastHelper methods to static
1021         methods of BindingTraits specializations.
1022
1023         Together, these changes reduce duplication and make it possible to forward-declare
1024         all protocol enum and object types, reducing weird ordering dependencies between domains.
1025
1026         * CMakeLists.txt:
1027         * DerivedSources.make:
1028         * JavaScriptCore.vcxproj/copy-files.cmd:
1029         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1030         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Add inspector scripts to solution filters.
1031         * JavaScriptCore.xcodeproj/project.pbxproj:
1032         * inspector/ConsoleMessage.cpp: Convert to scoped enums.
1033         (Inspector::messageSourceValue):
1034         (Inspector::messageTypeValue):
1035         (Inspector::messageLevelValue):
1036         * inspector/InjectedScript.cpp: Convert to scoped enums and BindingTraits.
1037         (Inspector::InjectedScript::getFunctionDetails):
1038         (Inspector::InjectedScript::getProperties):
1039         (Inspector::InjectedScript::getInternalProperties):
1040         (Inspector::InjectedScript::wrapCallFrames):
1041         (Inspector::InjectedScript::wrapObject):
1042         (Inspector::InjectedScript::wrapTable):
1043         * inspector/InjectedScriptBase.cpp: Convert InspectorValue::Type to a scoped enum.
1044         (Inspector::InjectedScriptBase::makeEvalCall):
1045         * inspector/InjectedScriptManager.cpp:
1046         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
1047         * inspector/InspectorTypeBuilder.h:
1048         (Inspector::TypeBuilder::Array::create):
1049         (Inspector::TypeBuilder::StructItemTraits::pushRefPtr):
1050         (Inspector::TypeBuilder::ArrayItemHelper<String>::Traits::pushRaw):
1051         (Inspector::TypeBuilder::ArrayItemHelper<int>::Traits::pushRaw):
1052         (Inspector::TypeBuilder::ArrayItemHelper<double>::Traits::pushRaw):
1053         (Inspector::TypeBuilder::ArrayItemHelper<bool>::Traits::pushRaw):
1054         (Inspector::TypeBuilder::ArrayItemHelper<InspectorValue>::Traits::pushRefPtr):
1055         (Inspector::TypeBuilder::ArrayItemHelper<InspectorObject>::Traits::pushRefPtr):
1056         (Inspector::TypeBuilder::ArrayItemHelper<InspectorArray>::Traits::pushRefPtr):
1057         (Inspector::TypeBuilder::PrimitiveBindingTraits::assertValueHasExpectedType):
1058         (Inspector::TypeBuilder::BindingTraits<TypeBuilder::Array<T>>::runtimeCast):
1059         (Inspector::TypeBuilder::BindingTraits<TypeBuilder::Array<T>>::assertValueHasExpectedType):
1060         (Inspector::TypeBuilder::BindingTraits<InspectorValue>::assertValueHasExpectedType):
1061         (Inspector::TypeBuilder::BindingTraits<int>::assertValueHasExpectedType):
1062         (Inspector::TypeBuilder::ExactlyInt::ExactlyInt): Deleted. It was not used.
1063         (Inspector::TypeBuilder::ExactlyInt::operator int): Deleted.
1064         (Inspector::TypeBuilder::ExactlyInt::cast_to_int): Deleted.
1065         (Inspector::TypeBuilder::ExactlyInt::cast_to_int<int>): Deleted.
1066         (Inspector::TypeBuilder::int>): Deleted.
1067         (Inspector::TypeBuilder::RuntimeCastHelper::assertType): Deleted.
1068         (Inspector::TypeBuilder::RuntimeCastHelper::assertAny): Deleted.
1069         (Inspector::TypeBuilder::RuntimeCastHelper::assertInt): Deleted.
1070         (Inspector::TypeBuilder::Array::runtimeCast): Deleted.
1071         (Inspector::TypeBuilder::Array::assertCorrectValue): Deleted.
1072         (Inspector::TypeBuilder::StructItemTraits::assertCorrectValue): Deleted.
1073         (Inspector::TypeBuilder::ArrayItemHelper<String>::Traits::assertCorrectValue): Deleted.
1074         (Inspector::TypeBuilder::ArrayItemHelper<int>::Traits::assertCorrectValue): Deleted.
1075         (Inspector::TypeBuilder::ArrayItemHelper<double>::Traits::assertCorrectValue): Deleted.
1076         (Inspector::TypeBuilder::ArrayItemHelper<bool>::Traits::assertCorrectValue): Deleted.
1077         (Inspector::TypeBuilder::ArrayItemHelper<InspectorValue>::Traits::assertCorrectValue): Deleted.
1078         (Inspector::TypeBuilder::ArrayItemHelper<InspectorObject>::Traits::assertCorrectValue): Deleted.
1079         (Inspector::TypeBuilder::ArrayItemHelper<InspectorArray>::Traits::assertCorrectValue): Deleted.
1080         (Inspector::TypeBuilder::ArrayItemHelper<TypeBuilder::Array<T>>::Traits::assertCorrectValue): Deleted.
1081
1082         * inspector/InspectorValues.cpp: Convert InspectorValue::Type to a scoped enum.
1083         (Inspector::InspectorValue::writeJSON):
1084         (Inspector::InspectorBasicValue::asBoolean):
1085         (Inspector::InspectorBasicValue::asNumber):
1086         (Inspector::InspectorBasicValue::writeJSON):
1087         (Inspector::InspectorString::writeJSON):
1088         (Inspector::InspectorObjectBase::InspectorObjectBase):
1089         (Inspector::InspectorObjectBase::setArray): Take InspectorArrayBase.
1090         (Inspector::InspectorObjectBase::setObject): Take InspectorObjectBase.
1091         (Inspector::InspectorArrayBase::InspectorArrayBase):
1092         * inspector/InspectorValues.h:
1093
1094         * inspector/agents/InspectorDebuggerAgent.cpp: Convert to scoped enums.
1095         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
1096         (Inspector::InspectorDebuggerAgent::breakProgram):
1097         * inspector/agents/InspectorDebuggerAgent.h:
1098         * inspector/agents/InspectorRuntimeAgent.cpp:
1099         (Inspector::InspectorRuntimeAgent::parse):
1100         * inspector/agents/InspectorRuntimeAgent.h:
1101
1102         * inspector/scripts/CodeGeneratorInspector.py: Removed.
1103         * inspector/scripts/codegen/__init__.py: Added.
1104         * inspector/scripts/codegen/generate_backend_commands.py: Added.
1105         (BackendCommandsGenerator):
1106         (BackendCommandsGenerator.__init__):
1107         (BackendCommandsGenerator.model):
1108         (BackendCommandsGenerator.output_filename):
1109         (BackendCommandsGenerator.generate_license):
1110         (BackendCommandsGenerator.generate_output):
1111         (BackendCommandsGenerator.generate_domain):
1112         (BackendCommandsGenerator.generate_domain.is_anonymous_enum_member):
1113         (BackendCommandsGenerator.generate_domain.generate_parameter_object):
1114         * inspector/scripts/codegen/generate_backend_dispatcher_header.py: Added.
1115         (BackendDispatcherHeaderGenerator):
1116         (BackendDispatcherHeaderGenerator.__init__):
1117         (BackendDispatcherHeaderGenerator.model):
1118         (BackendDispatcherHeaderGenerator.output_filename):
1119         (BackendDispatcherHeaderGenerator.generate_license):
1120         (BackendDispatcherHeaderGenerator.generate_output):
1121         (BackendDispatcherHeaderGenerator.generate_output.for):
1122         (BackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain):
1123         (BackendDispatcherHeaderGenerator._generate_anonymous_enum_for_parameter):
1124         (BackendDispatcherHeaderGenerator._generate_handler_declaration_for_command):
1125         (BackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
1126         (BackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
1127         (BackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
1128         * inspector/scripts/codegen/generate_backend_dispatcher_implementation.py: Added.
1129         (BackendDispatcherImplementationGenerator):
1130         (BackendDispatcherImplementationGenerator.__init__):
1131         (BackendDispatcherImplementationGenerator.model):
1132         (BackendDispatcherImplementationGenerator.output_filename):
1133         (BackendDispatcherImplementationGenerator.generate_license):
1134         (BackendDispatcherImplementationGenerator.generate_output):
1135         (BackendDispatcherImplementationGenerator._generate_handler_class_destructor_for_domain):
1136         (BackendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain):
1137         (BackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
1138         (BackendDispatcherImplementationGenerator._generate_large_dispatcher_switch_implementation_for_domain):
1139         (BackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
1140         (BackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
1141         * inspector/scripts/codegen/generate_frontend_dispatcher_header.py: Added.
1142         (FrontendDispatcherHeaderGenerator):
1143         (FrontendDispatcherHeaderGenerator.__init__):
1144         (FrontendDispatcherHeaderGenerator.model):
1145         (FrontendDispatcherHeaderGenerator.output_filename):
1146         (FrontendDispatcherHeaderGenerator.generate_license):
1147         (FrontendDispatcherHeaderGenerator.generate_output):
1148         (FrontendDispatcherHeaderGenerator._generate_anonymous_enum_for_parameter):
1149         (FrontendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
1150         (FrontendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_event):
1151         * inspector/scripts/codegen/generate_frontend_dispatcher_implementation.py: Added.
1152         (FrontendDispatcherImplementationGenerator):
1153         (FrontendDispatcherImplementationGenerator.__init__):
1154         (FrontendDispatcherImplementationGenerator.model):
1155         (FrontendDispatcherImplementationGenerator.output_filename):
1156         (FrontendDispatcherImplementationGenerator.generate_license):
1157         (FrontendDispatcherImplementationGenerator.generate_output):
1158         (FrontendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain):
1159         (FrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
1160         * inspector/scripts/codegen/generate_type_builder_header.py: Added.
1161         (TypeBuilderHeaderGenerator):
1162         (TypeBuilderHeaderGenerator.__init__):
1163         (TypeBuilderHeaderGenerator.model):
1164         (TypeBuilderHeaderGenerator.output_filename):
1165         (TypeBuilderHeaderGenerator.generate_license):
1166         (TypeBuilderHeaderGenerator.generate_output):
1167         (TypeBuilderHeaderGenerator._generate_forward_declarations):
1168         (_generate_typedefs):
1169         (_generate_typedefs_for_domain):
1170         (_generate_builders_for_domain):
1171         (_generate_class_for_object_declaration):
1172         (_generate_struct_for_enum_declaration):
1173         (_generate_struct_for_anonymous_enum_member):
1174         (_generate_struct_for_anonymous_enum_member.apply_indentation):
1175         (_generate_struct_for_enum_type):
1176         (_generate_builder_state_enum):
1177         (_generate_builder_setter_for_member):
1178         (_generate_unchecked_setter_for_member):
1179         (_generate_forward_declarations_for_binding_traits):
1180         * inspector/scripts/codegen/generate_type_builder_implementation.py: Added.
1181         (TypeBuilderImplementationGenerator):
1182         (TypeBuilderImplementationGenerator.__init__):
1183         (TypeBuilderImplementationGenerator.model):
1184         (TypeBuilderImplementationGenerator.output_filename):
1185         (TypeBuilderImplementationGenerator.generate_license):
1186         (TypeBuilderImplementationGenerator.generate_output):
1187         (TypeBuilderImplementationGenerator._generate_enum_mapping):
1188         (TypeBuilderImplementationGenerator._generate_open_field_names):
1189         (TypeBuilderImplementationGenerator._generate_builders_for_domain):
1190         (TypeBuilderImplementationGenerator._generate_runtime_cast_for_object_declaration):
1191         (TypeBuilderImplementationGenerator._generate_assertion_for_object_declaration):
1192         (TypeBuilderImplementationGenerator._generate_assertion_for_enum):
1193         * inspector/scripts/codegen/generator.py: Added.
1194         (ucfirst):
1195         (Generator):
1196         (Generator.__init__):
1197         (Generator.model):
1198         (Generator.generate_license):
1199         (Generator.domains_to_generate):
1200         (Generator.generate_output):
1201         (Generator.output_filename):
1202         (Generator.encoding_for_enum_value):
1203         (Generator.assigned_enum_values):
1204         (Generator.type_needs_runtime_casts):
1205         (Generator.type_has_open_fields):
1206         (Generator.type_needs_shape_assertions):
1207         (Generator.calculate_types_requiring_shape_assertions):
1208         (Generator.calculate_types_requiring_shape_assertions.gather_transitively_referenced_types):
1209         (Generator._traverse_and_assign_enum_values):
1210         (Generator._assign_encoding_for_enum_value):
1211         (Generator.wrap_with_guard_for_domain):
1212         (Generator.stylized_name_for_enum_value):
1213         (Generator.stylized_name_for_enum_value.replaceCallback):
1214         (Generator.keyed_get_method_for_type):
1215         (Generator.keyed_set_method_for_type):
1216         (Generator.type_builder_string_for_type):
1217         (Generator.type_builder_string_for_type_member):
1218         (Generator.type_string_for_unchecked_formal_in_parameter):
1219         (Generator.type_string_for_checked_formal_event_parameter):
1220         (Generator.type_string_for_type_member):
1221         (Generator.type_string_for_type_with_name):
1222         (Generator.type_string_for_formal_out_parameter):
1223         (Generator.type_string_for_formal_async_parameter):
1224         (Generator.type_string_for_stack_in_parameter):
1225         (Generator.type_string_for_stack_out_parameter):
1226         (Generator.assertion_method_for_type_member):
1227         (Generator.assertion_method_for_type_member.assertion_method_for_type):
1228         (Generator.cpp_name_for_primitive_type):
1229         (Generator.js_name_for_parameter_type):
1230         (Generator.should_use_wrapper_for_return_type):
1231         (Generator.should_pass_by_copy_for_return_type):
1232         * inspector/scripts/codegen/generator_templates.py: Added.
1233         (GeneratorTemplates):
1234         (void):
1235         (HashMap):
1236         (Builder):
1237         (Inspector):
1238         * inspector/scripts/codegen/models.py: Added.
1239         (ucfirst):
1240         (ParseException):
1241         (TypecheckException):
1242         (Framework):
1243         (Framework.__init__):
1244         (Framework.setting):
1245         (Framework.fromString):
1246         (Frameworks):
1247         (TypeReference):
1248         (TypeReference.__init__):
1249         (TypeReference.referenced_name):
1250         (Type):
1251         (Type.__init__):
1252         (Type.__eq__):
1253         (Type.__hash__):
1254         (Type.raw_name):
1255         (Type.is_enum):
1256         (Type.type_domain):
1257         (Type.qualified_name):
1258         (Type.resolve_type_references):
1259         (PrimitiveType):
1260         (PrimitiveType.__init__):
1261         (PrimitiveType.__repr__):
1262         (PrimitiveType.type_domain):
1263         (PrimitiveType.qualified_name):
1264         (AliasedType):
1265         (AliasedType.__init__):
1266         (AliasedType.__repr__):
1267         (AliasedType.is_enum):
1268         (AliasedType.type_domain):
1269         (AliasedType.qualified_name):
1270         (AliasedType.resolve_type_references):
1271         (EnumType):
1272         (EnumType.__init__):
1273         (EnumType.__repr__):
1274         (EnumType.is_enum):
1275         (EnumType.type_domain):
1276         (EnumType.enum_values):
1277         (EnumType.qualified_name):
1278         (EnumType.resolve_type_references):
1279         (ArrayType):
1280         (ArrayType.__init__):
1281         (ArrayType.__repr__):
1282         (ArrayType.type_domain):
1283         (ArrayType.qualified_name):
1284         (ArrayType.resolve_type_references):
1285         (ObjectType):
1286         (ObjectType.__init__):
1287         (ObjectType.__repr__):
1288         (ObjectType.type_domain):
1289         (ObjectType.qualified_name):
1290         (check_for_required_properties):
1291         (Protocol):
1292         (Protocol.__init__):
1293         (Protocol.parse_specification):
1294         (Protocol.parse_domain):
1295         (Protocol.parse_type_declaration):
1296         (Protocol.parse_type_member):
1297         (Protocol.parse_command):
1298         (Protocol.parse_event):
1299         (Protocol.parse_call_or_return_parameter):
1300         (Protocol.resolve_types):
1301         (Protocol.lookup_type_for_declaration):
1302         (Protocol.lookup_type_reference):
1303         (Domain):
1304         (Domain.__init__):
1305         (Domain.resolve_type_references):
1306         (Domains):
1307         (TypeDeclaration):
1308         (TypeDeclaration.__init__):
1309         (TypeDeclaration.resolve_type_references):
1310         (TypeMember):
1311         (TypeMember.__init__):
1312         (TypeMember.resolve_type_references):
1313         (Parameter):
1314         (Parameter.__init__):
1315         (Parameter.resolve_type_references):
1316         (Command):
1317         (Command.__init__):
1318         (Command.resolve_type_references):
1319         (Event):
1320         (Event.__init__):
1321         (Event.resolve_type_references):
1322         * inspector/scripts/generate-inspector-protocol-bindings.py: Added.
1323         (IncrementalFileWriter):
1324         (IncrementalFileWriter.__init__):
1325         (IncrementalFileWriter.write):
1326         (IncrementalFileWriter.close):
1327         (generate_from_specification):
1328         (generate_from_specification.load_specification):
1329         * inspector/scripts/tests/commands-with-async-attribute.json: Added.
1330         * inspector/scripts/tests/commands-with-optional-call-return-parameters.json: Added.
1331         * inspector/scripts/tests/domains-with-varying-command-sizes.json: Added.
1332         * inspector/scripts/tests/events-with-optional-parameters.json: Added.
1333         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result: Added.
1334         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result: Added.
1335         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result: Added.
1336         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result: Added.
1337         * inspector/scripts/tests/fail-on-duplicate-type-declarations.json-error: Added.
1338         * inspector/scripts/tests/fail-on-enum-with-no-values.json-error: Added.
1339         * inspector/scripts/tests/fail-on-type-declaration-using-type-reference.json-error: Added.
1340         * inspector/scripts/tests/fail-on-type-with-lowercase-name.json-error: Added.
1341         * inspector/scripts/tests/fail-on-unknown-type-reference-in-type-declaration.json-error: Added.
1342         * inspector/scripts/tests/fail-on-unknown-type-reference-in-type-member.json-error: Added.
1343         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result: Added.
1344         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result: Added.
1345         * inspector/scripts/tests/expected/type-declaration-array-type.json-result: Added.
1346         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result: Added.
1347         * inspector/scripts/tests/expected/type-declaration-object-type.json-result: Added.
1348         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result: Added.
1349         * inspector/scripts/tests/fail-on-duplicate-type-declarations.json: Added.
1350         * inspector/scripts/tests/fail-on-enum-with-no-values.json: Added.
1351         * inspector/scripts/tests/fail-on-type-declaration-using-type-reference.json: Added.
1352         * inspector/scripts/tests/fail-on-type-with-lowercase-name.json: Added.
1353         * inspector/scripts/tests/fail-on-unknown-type-reference-in-type-declaration.json: Added.
1354         * inspector/scripts/tests/fail-on-unknown-type-reference-in-type-member.json: Added.
1355         * inspector/scripts/tests/same-type-id-different-domain.json: Added.
1356         * inspector/scripts/tests/type-declaration-aliased-primitive-type.json: Added.
1357         * inspector/scripts/tests/type-declaration-array-type.json: Added.
1358         * inspector/scripts/tests/type-declaration-enum-type.json: Added.
1359         * inspector/scripts/tests/type-declaration-object-type.json: Added.
1360         * inspector/scripts/tests/type-requiring-runtime-casts.json: Added.
1361
1362 2014-08-15  Matthew Mirman  <mmirman@apple.com>
1363
1364         Made native inlining errors not segfault. 
1365         https://bugs.webkit.org/show_bug.cgi?id=135988
1366         
1367         Reviewed by Geoffrey Garen.
1368
1369         * ftl/FTLAbbreviations.h:
1370         (JSC::FTL::disposeMessage): Added.
1371         * ftl/FTLLowerDFGToLLVM.cpp:
1372         (JSC::FTL::LowerDFGToLLVM::compilePutById): 
1373         abstracted out Options::verboseCompilation as was the case in the rest of the file.
1374         (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
1375         (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol): 
1376         added output error messages for llvm module loading.
1377
1378 2014-08-14  Andreas Kling  <akling@apple.com>
1379
1380         Allocate the whole RegExpMatchesArray backing store up front.
1381         <https://webkit.org/b/135217>
1382
1383         We were using the generic array backing store allocation path for
1384         RegExpMatchesArray which meant starting with 4 slots and then growing
1385         it dynamically as we append. Since we always know the final number of
1386         entries up front, allocate a perfectly-sized backing store right away.
1387
1388         ~2% progression on Octane/regexp.
1389
1390         Reviewed by Geoffrey Garen.
1391
1392         * runtime/JSArray.h:
1393         (JSC::createArrayButterflyWithExactLength):
1394         * runtime/RegExpMatchesArray.cpp:
1395         (JSC::RegExpMatchesArray::create):
1396
1397 2014-08-14  Saam Barati  <sbarati@apple.com>
1398
1399         Allow high fidelity type profiling to be enabled and disabled.
1400         https://bugs.webkit.org/show_bug.cgi?id=135423
1401
1402         Reviewed by Geoffrey Garen.
1403
1404         - Merged op_put_to_scope_with_profile and op_get_from_scope_with_profile into
1405           op_profile_types_with_high_fidelity by adding extra arguments to the opcode.
1406         - Altered SymbolTable to use less memory by adding a rare data structure for 
1407           type profiling.
1408         - Created an interface to turn on and off type profiling from the Web
1409           Inspector.
1410         - Refactored how entries are written to HighFidelityLog to make it
1411           easier to inline when generating machine code.
1412         - Implemented op_profile_types_with_high_fidelity in the baseline JIT
1413           by inlining the process of writing to the log and doing a small amount
1414           of type inference optimizations.
1415
1416         * bytecode/BytecodeList.json:
1417         * bytecode/BytecodeUseDef.h:
1418         (JSC::computeUsesForBytecodeOffset):
1419         (JSC::computeDefsForBytecodeOffset):
1420         * bytecode/CodeBlock.cpp:
1421         (JSC::CodeBlock::dumpBytecode):
1422         (JSC::CodeBlock::CodeBlock):
1423         (JSC::CodeBlock::finalizeUnconditionally):
1424         (JSC::CodeBlock::scopeDependentProfile): Deleted.
1425         * bytecode/CodeBlock.h:
1426         * bytecode/TypeLocation.h:
1427         (JSC::TypeLocation::TypeLocation):
1428         * bytecompiler/BytecodeGenerator.cpp:
1429         (JSC::BytecodeGenerator::generate):
1430         (JSC::BytecodeGenerator::emitMove):
1431         (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
1432         (JSC::BytecodeGenerator::emitGetFromScopeWithProfile): Deleted.
1433         (JSC::BytecodeGenerator::emitPutToScopeWithProfile): Deleted.
1434         * bytecompiler/BytecodeGenerator.h:
1435         * bytecompiler/NodesCodegen.cpp:
1436         (JSC::ThisNode::emitBytecode):
1437         (JSC::ResolveNode::emitBytecode):
1438         (JSC::BracketAccessorNode::emitBytecode):
1439         (JSC::DotAccessorNode::emitBytecode):
1440         (JSC::FunctionCallValueNode::emitBytecode):
1441         (JSC::FunctionCallResolveNode::emitBytecode):
1442         (JSC::FunctionCallBracketNode::emitBytecode):
1443         (JSC::FunctionCallDotNode::emitBytecode):
1444         (JSC::CallFunctionCallDotNode::emitBytecode):
1445         (JSC::ApplyFunctionCallDotNode::emitBytecode):
1446         (JSC::PostfixNode::emitResolve):
1447         (JSC::PostfixNode::emitBracket):
1448         (JSC::PostfixNode::emitDot):
1449         (JSC::PrefixNode::emitResolve):
1450         (JSC::PrefixNode::emitBracket):
1451         (JSC::PrefixNode::emitDot):
1452         (JSC::ReadModifyResolveNode::emitBytecode):
1453         (JSC::AssignResolveNode::emitBytecode):
1454         (JSC::AssignDotNode::emitBytecode):
1455         (JSC::ReadModifyDotNode::emitBytecode):
1456         (JSC::AssignBracketNode::emitBytecode):
1457         (JSC::ReadModifyBracketNode::emitBytecode):
1458         (JSC::ReturnNode::emitBytecode):
1459         (JSC::FunctionBodyNode::emitBytecode):
1460         * inspector/agents/InspectorRuntimeAgent.cpp:
1461         (Inspector::InspectorRuntimeAgent::InspectorRuntimeAgent):
1462         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1463         (Inspector::TypeRecompiler::operator()):
1464         (Inspector::recompileAllJSFunctionsForTypeProfiling):
1465         (Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend):
1466         (Inspector::InspectorRuntimeAgent::enableHighFidelityTypeProfiling):
1467         (Inspector::InspectorRuntimeAgent::disableHighFidelityTypeProfiling):
1468         (Inspector::InspectorRuntimeAgent::setHighFidelityTypeProfilingEnabledState):
1469         * inspector/agents/InspectorRuntimeAgent.h:
1470         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
1471         (Inspector::JSGlobalObjectRuntimeAgent::willDestroyFrontendAndBackend):
1472         * inspector/protocol/Runtime.json:
1473         * jit/JIT.cpp:
1474         (JSC::JIT::privateCompileMainPass):
1475         (JSC::JIT::privateCompile):
1476         * jit/JIT.h:
1477         * jit/JITOpcodes.cpp:
1478         (JSC::JIT::emit_op_profile_types_with_high_fidelity):
1479         * jit/JITOpcodes32_64.cpp:
1480         (JSC::JIT::emit_op_profile_types_with_high_fidelity):
1481         * jit/JITOperations.cpp:
1482         * jit/JITOperations.h:
1483         * llint/LLIntSlowPaths.cpp:
1484         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1485         (JSC::LLInt::getFromScopeCommon): Deleted.
1486         (JSC::LLInt::putToScopeCommon): Deleted.
1487         * llint/LLIntSlowPaths.h:
1488         * llint/LowLevelInterpreter.asm:
1489         * runtime/CodeCache.cpp:
1490         (JSC::CodeCache::getGlobalCodeBlock):
1491         * runtime/CommonSlowPaths.cpp:
1492         (JSC::SLOW_PATH_DECL):
1493         * runtime/CommonSlowPaths.h:
1494         * runtime/HighFidelityLog.cpp:
1495         (JSC::HighFidelityLog::initializeHighFidelityLog):
1496         (JSC::HighFidelityLog::~HighFidelityLog):
1497         (JSC::HighFidelityLog::processHighFidelityLog):
1498         * runtime/HighFidelityLog.h:
1499         (JSC::HighFidelityLog::LogEntry::structureIDOffset):
1500         (JSC::HighFidelityLog::LogEntry::valueOffset):
1501         (JSC::HighFidelityLog::LogEntry::locationOffset):
1502         (JSC::HighFidelityLog::recordTypeInformationForLocation):
1503         (JSC::HighFidelityLog::logEndPtr):
1504         (JSC::HighFidelityLog::logStartOffset):
1505         (JSC::HighFidelityLog::currentLogEntryOffset):
1506         * runtime/HighFidelityTypeProfiler.cpp:
1507         (JSC::HighFidelityTypeProfiler::logTypesForTypeLocation):
1508         (JSC::descriptorMatchesTypeLocation):
1509         * runtime/HighFidelityTypeProfiler.h:
1510         * runtime/SymbolTable.cpp:
1511         (JSC::SymbolTable::SymbolTable):
1512         (JSC::SymbolTable::cloneCapturedNames):
1513         (JSC::SymbolTable::prepareForHighFidelityTypeProfiling):
1514         (JSC::SymbolTable::uniqueIDForVariable):
1515         (JSC::SymbolTable::uniqueIDForRegister):
1516         (JSC::SymbolTable::globalTypeSetForRegister):
1517         (JSC::SymbolTable::globalTypeSetForVariable):
1518         * runtime/SymbolTable.h:
1519         (JSC::SymbolTable::add):
1520         (JSC::SymbolTable::set):
1521         * runtime/TypeLocationCache.cpp:
1522         (JSC::TypeLocationCache::getTypeLocation):
1523         * runtime/TypeSet.cpp:
1524         (JSC::TypeSet::getRuntimeTypeForValue):
1525         (JSC::TypeSet::addTypeInformation):
1526         (JSC::TypeSet::allPrimitiveTypeNames):
1527         (JSC::TypeSet::addTypeForValue): Deleted.
1528         * runtime/TypeSet.h:
1529         * runtime/VM.cpp:
1530         (JSC::VM::VM):
1531         (JSC::VM::nextTypeLocation):
1532         (JSC::VM::enableHighFidelityTypeProfiling):
1533         (JSC::VM::disableHighFidelityTypeProfiling):
1534         (JSC::VM::dumpHighFidelityProfilingTypes):
1535         * runtime/VM.h:
1536         (JSC::VM::nextLocation): Deleted.
1537
1538 2014-08-14  Oliver Hunt  <oliver@apple.com>
1539
1540         Update scope resolution to assume that the parent activation is always there
1541         https://bugs.webkit.org/show_bug.cgi?id=135947
1542
1543         Reviewed by Andreas Kling.
1544
1545         Another incremental step in removing the idea of lazily created
1546         activations.
1547
1548         * dfg/DFGSpeculativeJIT32_64.cpp:
1549         (JSC::DFG::SpeculativeJIT::compile):
1550         * dfg/DFGSpeculativeJIT64.cpp:
1551         (JSC::DFG::SpeculativeJIT::compile):
1552         * jit/JITPropertyAccess.cpp:
1553         (JSC::JIT::emitResolveClosure):
1554         * jit/JITPropertyAccess32_64.cpp:
1555         (JSC::JIT::emitResolveClosure):
1556         * llint/LowLevelInterpreter32_64.asm:
1557         * llint/LowLevelInterpreter64.asm:
1558
1559 2014-08-14  Oliver Hunt  <oliver@apple.com>
1560
1561         Create activations eagerly
1562         https://bugs.webkit.org/show_bug.cgi?id=135942
1563
1564         Reviewed by Geoffrey Garen.
1565
1566         Prepare to rewrite activation objects into a more
1567         sane implementation. Step 1 is reverting to eager
1568         creation of the activation object. This results in
1569         a 1.35x regression in earley, but otherwise has a
1570         minimal performance impact.
1571
1572         The earley regression is being tracked by bug #135943
1573
1574         * bytecompiler/BytecodeGenerator.cpp:
1575         (JSC::BytecodeGenerator::BytecodeGenerator):
1576         (JSC::BytecodeGenerator::emitNewFunctionInternal):
1577         (JSC::BytecodeGenerator::emitNewFunctionExpression):
1578         (JSC::BytecodeGenerator::emitCallEval):
1579         (JSC::BytecodeGenerator::emitPushWithScope):
1580         (JSC::BytecodeGenerator::emitPushCatchScope):
1581         (JSC::BytecodeGenerator::createActivationIfNecessary): Deleted.
1582         * bytecompiler/BytecodeGenerator.h:
1583         * jit/JITOpcodes.cpp:
1584         (JSC::JIT::emit_op_create_activation):
1585         * jit/JITOpcodes32_64.cpp:
1586         (JSC::JIT::emit_op_create_activation):
1587         * llint/LowLevelInterpreter32_64.asm:
1588         * llint/LowLevelInterpreter64.asm:
1589
1590 2014-08-14  Oliver Hunt  <oliver@apple.com>
1591
1592         Create activations eagerly
1593         https://bugs.webkit.org/show_bug.cgi?id=135942
1594
1595         Reviewed by Geoffrey Garen.
1596
1597         Prepare to rewrite activation objects into a more
1598         sane implementation. Step 1 is reverting to eager
1599         creation of the activation object. This results in
1600         a 1.35x regression in earley, but otherwise has a
1601         minimal performance impact.
1602
1603         The earley regression is being tracked by 
1604         http://webkit.org/b/135943
1605
1606         * bytecompiler/BytecodeGenerator.cpp:
1607         (JSC::BytecodeGenerator::BytecodeGenerator):
1608         (JSC::BytecodeGenerator::emitNewFunctionInternal):
1609         (JSC::BytecodeGenerator::emitNewFunctionExpression):
1610         (JSC::BytecodeGenerator::emitCallEval):
1611         (JSC::BytecodeGenerator::emitPushWithScope):
1612         (JSC::BytecodeGenerator::emitPushCatchScope):
1613         (JSC::BytecodeGenerator::createActivationIfNecessary): Deleted.
1614         * bytecompiler/BytecodeGenerator.h:
1615         * jit/JITOpcodes.cpp:
1616         (JSC::JIT::emit_op_create_activation):
1617         * jit/JITOpcodes32_64.cpp:
1618         (JSC::JIT::emit_op_create_activation):
1619         * llint/LowLevelInterpreter32_64.asm:
1620         * llint/LowLevelInterpreter64.asm:
1621
1622 2014-08-14  Tomas Popela  <tpopela@redhat.com>
1623
1624         Add support for ppc, ppc64, ppc64le, s390, s390x into the CMake build
1625         https://bugs.webkit.org/show_bug.cgi?id=135937
1626
1627         Reviewed by Carlos Garcia Campos.
1628
1629         * CMakeLists.txt:
1630
1631 2014-08-14  Akos Kiss  <akiss@inf.u-szeged.hu>
1632
1633         Fix JSC::ARM64Assembler::LinkRecord::RealTypes
1634         https://bugs.webkit.org/show_bug.cgi?id=135906
1635
1636         Reviewed by Michael Saboff.
1637
1638         JSC::ARM64Assembler::LinkRecord::RealTypes::m_compareRegister is defined
1639         to occupy 5 bits but JSC::ARM64Assembler::RegisterID needs 6 bits. So,
1640         increase the size of the bit field and also reorganize the struct to 
1641         better align with word boundaries.
1642
1643         * assembler/ARM64Assembler.h:
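
A constructed illustration of the width mismatch described above (added example, not JSC's own code): the real RealTypes struct has more fields and a different ordering, and the RegisterID enumerators and the field names other than m_compareRegister are assumptions made for this example. The static_assert is the check that keeps the field width tied to the enum's range so the truncation cannot silently recur.

```cpp
#include <cstdint>
#include <cstdio>

// Stand-in for JSC::ARM64Assembler::RegisterID (constructed for this example):
// ARM64 exposes 32 general-purpose and 32 floating-point registers, so an ID
// covering both ranges spans 0..63 and needs 6 bits.
enum RegisterID : uint8_t {
    x0 = 0,
    sp = 31,           // last general-purpose register ID
    q0 = 32,           // first floating-point register ID
    q31 = 63,          // highest ID the field must be able to hold
    lastRegister = q31
};

// Number of bits needed to represent every value in 0..maxValue.
constexpr unsigned bitsNeeded(unsigned maxValue)
{
    return maxValue == 0 ? 0 : 1 + bitsNeeded(maxValue >> 1);
}

// 'Before': the field is 5 bits wide, so any ID >= 32 is reduced modulo 32
// on store (well-defined for unsigned bit-fields, but silently wrong).
// Other field names/widths are illustrative, not the engine's layout.
struct RealTypesBefore {
    uint64_t m_from : 48;
    uint64_t m_type : 8;
    uint64_t m_compareRegister : 5;
    uint64_t m_is64Bit : 1;
};

// 'After': the field is widened to 6 bits, and the width is checked at
// compile time against the largest RegisterID.
constexpr unsigned kCompareRegisterBits = 6;
static_assert(bitsNeeded(lastRegister) <= kCompareRegisterBits,
              "m_compareRegister cannot hold every RegisterID");

struct RealTypesAfter {
    uint64_t m_from : 48;
    uint64_t m_type : 8;
    uint64_t m_is64Bit : 1;
    uint64_t m_compareRegister : kCompareRegisterBits;
};

// Store a RegisterID into each layout and read it back; a mismatch between
// the argument and the return value is the truncation the bug report describes.
unsigned roundTripBefore(RegisterID reg)
{
    RealTypesBefore record = {};
    record.m_compareRegister = reg;
    return static_cast<unsigned>(record.m_compareRegister);
}

unsigned roundTripAfter(RegisterID reg)
{
    RealTypesAfter record = {};
    record.m_compareRegister = reg;
    return static_cast<unsigned>(record.m_compareRegister);
}

int main()
{
    std::printf("bits needed for RegisterID 0..%u: %u\n",
                static_cast<unsigned>(lastRegister), bitsNeeded(lastRegister));
    std::printf("q31 through 5-bit field: %u\n", roundTripBefore(q31));
    std::printf("q31 through 6-bit field: %u\n", roundTripAfter(q31));
    return 0;
}
```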
1644
1645 2014-08-13  Akos Kiss  <akiss@inf.u-szeged.hu>
1646
1647         Add ARM64 support to CMake-based builds
1648         https://bugs.webkit.org/show_bug.cgi?id=135912
1649
1650         Reviewed by Gyuyoung Kim.
1651
1652         This patch ensures that CMake does not fail with Unknown CPU error when
1653         building for ARM64.
1654
1655         * CMakeLists.txt:
1656
1657 2014-08-13  Wenson Hsieh  <wenson_hsieh@apple.com>
1658
1659         Enable CSS_SCROLL_SNAP for iOS
1660         https://bugs.webkit.org/show_bug.cgi?id=135915
1661
1662         Turn on CSS_SCROLL_SNAP for iOS and the iOS simulator.
1663
1664         Reviewed by Tim Horton.
1665
1666         * Configurations/FeatureDefines.xcconfig:
1667
1668 2014-08-13  Alex Christensen  <achristensen@webkit.org>
1669
1670         Progress towards CMake on Mac.
1671         https://bugs.webkit.org/show_bug.cgi?id=135819
1672
1673         Reviewed by Laszlo Gombos.
1674
1675         * CMakeLists.txt:
1676         Add the remote inspector headers to the forwarding headers list.
1677
1678 2014-08-13  Daniel Bates  <dabates@apple.com>
1679
1680         [iOS] Make JavaScriptCore and bmalloc build with the public SDK
1681         https://bugs.webkit.org/show_bug.cgi?id=135848
1682
1683         Reviewed by Geoffrey Garen.
1684
1685         * API/JSBase.h: Declare NSMap functions with external linkage when building for iOS without the
1686         header <Foundation/NSMapTablePriv.h>.
1687         * inspector/remote/RemoteInspector.mm: Define XPC functions with external linkage when building
1688         without the system header <xpc/xpc.h>.
1689         * inspector/remote/RemoteInspectorXPCConnection.h: Define xpc_connection_t and xpc_object_t when building
1690         without the system header <xpc/xpc.h>.
1691         * inspector/remote/RemoteInspectorXPCConnection.mm: Declare XPC functions with external linkage when
1692         building without the system header <xpc/xpc.h>.
1693         (Inspector::RemoteInspectorXPCConnection::closeOnQueue): Fix code style; use nullptr instead of NULL.
1694         (Inspector::RemoteInspectorXPCConnection::sendMessage): Ditto.
1695
1696 2014-08-12  Peyton Randolph  <prandolph@apple.com>
1697
1698         Runtime switch for long mouse press gesture. Part of 135257 - Add long mouse press gesture.
1699         https://bugs.webkit.org/show_bug.cgi?id=135682
1700
1701         Reviewed by Tim Horton.
1702
1703         * Configurations/FeatureDefines.xcconfig:
1704         Remove ENABLE_LONG_MOUSE_PRESS feature flag.
1705
1706 2014-08-12  Alex Christensen  <achristensen@webkit.org>
1707
1708         Generate header detection headers for CMake on Windows.
1709         https://bugs.webkit.org/show_bug.cgi?id=135807
1710
1711         Reviewed by Brent Fulgham.
1712
1713         * CMakeLists.txt:
1714         Include the derived sources directory to find WTF/WTFHeaderDetection.h.
1715
1716 2014-08-11  Andy Estes  <aestes@apple.com>
1717
1718         [iOS] Get rid of iOS.xcconfig
1719         https://bugs.webkit.org/show_bug.cgi?id=135809
1720
1721         Reviewed by Joseph Pecoraro.
1722
1723         All iOS.xcconfig did was include AspenFamily.xcconfig, so there's no need for the indirection.
1724
1725         * Configurations/Base.xcconfig:
1726         * Configurations/iOS.xcconfig: Removed.
1727         * JavaScriptCore.xcodeproj/project.pbxproj:
1728
1729 2014-08-11  Michael Saboff  <msaboff@apple.com>
1730
1731         Eliminate {push,pop}CalleeSaves in favor of individual pushes & pops
1732         https://bugs.webkit.org/show_bug.cgi?id=127155
1733
1734         Reviewed by Geoffrey Garen.
1735
1736         Eliminated the offline assembler instructions {push,pop}CalleeSaves as well as the
1737         ARM64 specific {push,pop}LRAndFP and replaced them with individual push and pop
1738         instructions. Where the registers referenced by the added push and pop instructions
1739         are not part of the offline assembler register aliases, used a newly added "emit"
1740         offline assembler instruction which takes a string literal and outputs that
1741         string as a native instruction.
1742
1743         * llint/LowLevelInterpreter.asm:
1744         * offlineasm/arm.rb:
1745         * offlineasm/arm64.rb:
1746         * offlineasm/ast.rb:
1747         * offlineasm/cloop.rb:
1748         * offlineasm/instructions.rb:
1749         * offlineasm/mips.rb:
1750         * offlineasm/parser.rb:
1751         * offlineasm/sh4.rb:
1752         * offlineasm/transform.rb:
1753         * offlineasm/x86.rb:
1754
1755 2014-08-11  Mark Lam  <mark.lam@apple.com>
1756
1757         Re-landing r172401 with fixed test.
1758         <https://webkit.org/b/135782>
1759
1760         Not reviewed.
1761
1762         * bytecompiler/BytecodeGenerator.cpp:
1763         (JSC::BytecodeGenerator::emitGetByVal):
1764         (JSC::BytecodeGenerator::pushIndexedForInScope):
1765         (JSC::BytecodeGenerator::pushStructureForInScope):
1766         * bytecompiler/BytecodeGenerator.h:
1767         (JSC::ForInContext::ForInContext):
1768         (JSC::ForInContext::base):
1769         (JSC::StructureForInContext::StructureForInContext):
1770         (JSC::IndexedForInContext::IndexedForInContext):
1771         * bytecompiler/NodesCodegen.cpp:
1772         (JSC::ForInNode::emitMultiLoopBytecode):
1773         * tests/stress/for-in-tests.js:
1774
1775 2014-08-11  Commit Queue  <commit-queue@webkit.org>
1776
1777         Unreviewed, rolling out r172401.
1778         https://bugs.webkit.org/show_bug.cgi?id=135812
1779
1780         Failing stress/for-in-tests.js
1781         http://build.webkit.org/builders/Apple%20Mavericks%20Release%20WK1%20%28Tests%29/builds/7945/steps
1782         /jscore-test/logs/stdio (Requested by mlam on #webkit).
1783
1784         Reverted changeset:
1785
1786         "for-in optimization should also make sure the base matches
1787         the object being iterated"
1788         https://bugs.webkit.org/show_bug.cgi?id=135782
1789         http://trac.webkit.org/changeset/172401
1790
1791 2014-08-11  Brian J. Burg  <burg@cs.washington.edu>
1792
1793         Web Inspector: use type builders to construct high fidelity type information payloads
1794         https://bugs.webkit.org/show_bug.cgi?id=135803
1795
1796         Reviewed by Timothy Hatcher.
1797
1798         Due to some typos in the protocol file, the code had worked with raw objects
1799         rather than with type builders. Convert to using builders.
1800
1801         * inspector/agents/InspectorRuntimeAgent.cpp:
1802         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1803         * inspector/agents/InspectorRuntimeAgent.h:
1804         * inspector/protocol/Runtime.json: Fix 'item' for 'items'; true for 'true'.
1805         * runtime/HighFidelityTypeProfiler.cpp:
1806         (JSC::HighFidelityTypeProfiler::getTypesForVariableAtOffsetForInspector):
1807         * runtime/HighFidelityTypeProfiler.h:
1808         * runtime/TypeSet.cpp:
1809         (JSC::TypeSet::allStructureRepresentations):
1810         (JSC::StructureShape::stringRepresentation):
1811         (JSC::StructureShape::inspectorRepresentation):
1812         * runtime/TypeSet.h:
1813
1814 2014-08-11  Mark Hahnenberg  <mhahnenberg@apple.com>
1815
1816         for-in optimization should also make sure the base matches the object being iterated
1817         https://bugs.webkit.org/show_bug.cgi?id=135782
1818
1819         Reviewed by Geoffrey Garen.
1820
1821         If we access a different base object with the same index, we shouldn't try to randomly 
1822         load from that object's backing store.
1823
1824         * bytecompiler/BytecodeGenerator.cpp:
1825         (JSC::BytecodeGenerator::emitGetByVal):
1826         (JSC::BytecodeGenerator::pushIndexedForInScope):
1827         (JSC::BytecodeGenerator::pushStructureForInScope):
1828         * bytecompiler/BytecodeGenerator.h:
1829         (JSC::ForInContext::ForInContext):
1830         (JSC::ForInContext::base):
1831         (JSC::StructureForInContext::StructureForInContext):
1832         (JSC::IndexedForInContext::IndexedForInContext):
1833         * bytecompiler/NodesCodegen.cpp:
1834         (JSC::ForInNode::emitMultiLoopBytecode):
1835         * tests/stress/for-in-tests.js:
1836
1837 2014-08-11  Brent Fulgham  <bfulgham@apple.com>
1838
1839         [Win] Unreviewed gardening.
1840
1841         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Display files in
1842         proper folder categories.
1843
1844 2014-08-11  Mark Hahnenberg  <mhahnenberg@apple.com>
1845
1846         JIT should use full 64-bit stores for jsBoolean and jsNull
1847         https://bugs.webkit.org/show_bug.cgi?id=135784
1848
1849         Reviewed by Michael Saboff.
1850
1851         This guarantees that we set the high bits of the register with the correct tag.
1852
1853         * dfg/DFGSpeculativeJIT64.cpp:
1854         (JSC::DFG::SpeculativeJIT::compile):
1855         * jit/JITOpcodes.cpp:
1856         (JSC::JIT::emit_op_has_structure_property):
1857         (JSC::JIT::emit_op_next_enumerator_pname):
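
Why the store width matters for the tag bits, as an added illustration that is not JSC's code: the tag constants below are constructed and only loosely modelled on the 64-bit JSValue layout (doubles carry a non-zero top 16 bits; booleans and null are small constants with all high bits clear). A 32-bit store into a 64-bit slot leaves the previous occupant's high bits in place, so a later reader classifies the value by a stale tag.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>

// Constructed encoding (illustrative, not the engine's definitions).
constexpr uint64_t kDoubleEncodeOffset = 1ull << 48;  // makes the top 16 bits non-zero
constexpr uint64_t kValueNull  = 0x02;
constexpr uint64_t kValueFalse = 0x06;
constexpr uint64_t kValueTrue  = 0x07;

enum class Kind { Null, Boolean, Number, Other };

// A register-sized slot (e.g. a stack slot) that keeps whatever was last written.
struct ValueSlot {
    uint64_t bits;
};

// Classify by tag: any non-zero bit in the top 16 marks a number.
Kind classify(uint64_t bits)
{
    if (bits >> 48)
        return Kind::Number;
    if (bits == kValueNull)
        return Kind::Null;
    if (bits == kValueFalse || bits == kValueTrue)
        return Kind::Boolean;
    return Kind::Other;
}

// Encode a double by offsetting its raw IEEE-754 bits so the top 16 bits are non-zero.
uint64_t encodeDouble(double value)
{
    uint64_t raw;
    std::memcpy(&raw, &value, sizeof raw);
    return raw + kDoubleEncodeOffset;
}

// Buggy path: a 32-bit store to memory only overwrites the low half of the
// slot (unlike a 32-bit register write, which zero-extends); the old tag survives.
void store32(ValueSlot& slot, uint32_t immediate)
{
    slot.bits = (slot.bits & 0xFFFFFFFF00000000ull) | immediate;
}

// Fixed path: a full 64-bit store replaces every bit, tag included.
void store64(ValueSlot& slot, uint64_t immediate)
{
    slot.bits = immediate;
}

// Simulate writing a boolean/null constant over a slot that last held a double,
// and report the kind a later reader would see for each store width.
Kind kindAfterNarrowStore(double previous, uint64_t constant)
{
    ValueSlot slot{ encodeDouble(previous) };
    store32(slot, static_cast<uint32_t>(constant));
    return classify(slot.bits);
}

Kind kindAfterFullStore(double previous, uint64_t constant)
{
    ValueSlot slot{ encodeDouble(previous) };
    store64(slot, constant);
    return classify(slot.bits);
}

int main()
{
    std::printf("32-bit store of true over a double reads back as boolean: %s\n",
                kindAfterNarrowStore(1.5, kValueTrue) == Kind::Boolean ? "yes" : "no");
    std::printf("64-bit store of true over a double reads back as boolean: %s\n",
                kindAfterFullStore(1.5, kValueTrue) == Kind::Boolean ? "yes" : "no");
    return 0;
}
```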
1858
1859 2014-08-11  Brent Fulgham  <bfulgham@apple.com>
1860
1861         [Win] Adjust build script for Windows production build.
1862         https://bugs.webkit.org/show_bug.cgi?id=135806
1863         <rdar://problem/17978299>
1864
1865         Reviewed by Timothy Hatcher.
1866
1867         * JavaScriptCore.vcxproj/copy-files.cmd: Copy file for later use
1868         in WebInspectorUI build.
1869
1870 2014-08-10  Oliver Hunt  <oliver@apple.com>
1871
1872         Destructuring assignment in a var declaration list incorrectly consumes subsequent variable initialisers
1873         https://bugs.webkit.org/show_bug.cgi?id=135773
1874
1875         Reviewed by Michael Saboff.
1876
1877         We should be using parseAssignment expression in order to get the correct
1878         precedence.
1879
1880         * parser/Parser.cpp:
1881         (JSC::Parser<LexerType>::parseVarDeclarationList):
1882
1883 2014-08-10  Diego Pino Garcia  <dpino@igalia.com>
1884
1885         JSC Lexer is allowing octals 08 and 09 in strict mode functions
1886         https://bugs.webkit.org/show_bug.cgi?id=135704
1887
1888         Reviewed by Oliver Hunt.
1889
1890         Return syntax error ("Decimal integer literals with a leading zero are
1891         forbidden in strict mode") if a number starts with 0 and is followed 
1892         by a digit.
1893
1894         * parser/Lexer.cpp:
1895         (JSC::Lexer<T>::lex):
1896
1897 2014-08-08  Mark Lam  <mark.lam@apple.com>
1898
1899         REGRESSION: Inspector crashes when debugger is paused and injected scripts access window.screen().
1900         <https://webkit.org/b/135656>
1901
1902         Not reviewed.
1903
1904         Rolling out r170680 which was merged to ToT in r172129.
1905
1906         * debugger/Debugger.h:
1907         * debugger/DebuggerCallFrame.cpp:
1908         (JSC::DebuggerCallFrame::scope):
1909         (JSC::DebuggerCallFrame::evaluate):
1910         (JSC::DebuggerCallFrame::invalidate):
1911         * debugger/DebuggerCallFrame.h:
1912         * debugger/DebuggerScope.cpp:
1913         (JSC::DebuggerScope::DebuggerScope):
1914         (JSC::DebuggerScope::finishCreation):
1915         (JSC::DebuggerScope::visitChildren):
1916         (JSC::DebuggerScope::className):
1917         (JSC::DebuggerScope::getOwnPropertySlot):
1918         (JSC::DebuggerScope::put):
1919         (JSC::DebuggerScope::deleteProperty):
1920         (JSC::DebuggerScope::getOwnPropertyNames):
1921         (JSC::DebuggerScope::defineOwnProperty):
1922         (JSC::DebuggerScope::next): Deleted.
1923         (JSC::DebuggerScope::invalidateChain): Deleted.
1924         (JSC::DebuggerScope::isWithScope): Deleted.
1925         (JSC::DebuggerScope::isGlobalScope): Deleted.
1926         (JSC::DebuggerScope::isFunctionScope): Deleted.
1927         * debugger/DebuggerScope.h:
1928         (JSC::DebuggerScope::create):
1929         (JSC::DebuggerScope::Iterator::Iterator): Deleted.
1930         (JSC::DebuggerScope::Iterator::get): Deleted.
1931         (JSC::DebuggerScope::Iterator::operator++): Deleted.
1932         (JSC::DebuggerScope::Iterator::operator==): Deleted.
1933         (JSC::DebuggerScope::Iterator::operator!=): Deleted.
1934         (JSC::DebuggerScope::isValid): Deleted.
1935         (JSC::DebuggerScope::jsScope): Deleted.
1936         (JSC::DebuggerScope::begin): Deleted.
1937         (JSC::DebuggerScope::end): Deleted.
1938         * inspector/JSJavaScriptCallFrame.cpp:
1939         (Inspector::JSJavaScriptCallFrame::scopeType):
1940         (Inspector::JSJavaScriptCallFrame::scopeChain):
1941         * inspector/JavaScriptCallFrame.h:
1942         (Inspector::JavaScriptCallFrame::scopeChain):
1943         * inspector/ScriptDebugServer.cpp:
1944         * runtime/JSGlobalObject.cpp:
1945         (JSC::JSGlobalObject::reset):
1946         (JSC::JSGlobalObject::visitChildren):
1947         * runtime/JSGlobalObject.h:
1948         (JSC::JSGlobalObject::debuggerScopeStructure): Deleted.
1949         * runtime/JSObject.h:
1950         (JSC::JSObject::isWithScope): Deleted.
1951         * runtime/JSScope.h:
1952         * runtime/VM.cpp:
1953         (JSC::VM::VM):
1954         * runtime/VM.h:
1955
1956 2014-08-07  Saam Barati  <sbarati@apple.com>
1957
1958         Create a more generic way for VMEntryScope to notify those interested that it will be destroyed
1959         https://bugs.webkit.org/show_bug.cgi?id=135358
1960
1961         Reviewed by Geoffrey Garen.
1962
1963         When VMEntryScope is destroyed, and it has a flag set indicating that the
1964         Debugger needs to recompile all functions, it calls Debugger::recompileAllJSFunctions. 
1965         This flag is only used by Debugger to have VMEntryScope notify it when the
1966         Debugger is safe to recompile all functions. This patch will substitute this
1967         Debugger-specific recompilation flag with a list of callbacks that are notified 
1968         when the outermost VMEntryScope dies. This creates a general purpose interface 
1969         for being notified when the VM stops executing code via the event of the outermost 
1970         VMEntryScope dying.
1971
1972         * debugger/Debugger.cpp:
1973         (JSC::Debugger::recompileAllJSFunctions):
1974         * runtime/VMEntryScope.cpp:
1975         (JSC::VMEntryScope::VMEntryScope):
1976         (JSC::VMEntryScope::setEntryScopeDidPopListener):
1977         (JSC::VMEntryScope::~VMEntryScope):
1978         * runtime/VMEntryScope.h:
1979         (JSC::VMEntryScope::setRecompilationNeeded): Deleted.
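
        The following is an added sketch, not JavaScriptCore code, of the pattern
        the entry above describes: nested entry scopes mark that the VM is running
        code, and work that must not run under live frames (here standing in for
        recompiling every function) is deferred to a listener that fires once, when
        the outermost scope is destroyed. The names Vm, EntryScope, runWhenVmIdle and
        the recompilation counter are hypothetical and only illustrate the shape of
        the check; they are not the real VMEntryScope or Debugger API.

```cpp
#include <functional>
#include <iostream>
#include <utility>
#include <vector>

struct EntryScope;

// Hypothetical stand-in for the VM: knows its outermost live scope, if any.
struct Vm {
    EntryScope* entryScope = nullptr;  // outermost live scope, or null when idle
    int recompilations = 0;            // counts how often the deferred work ran
};

// RAII marker for "the VM is executing code". Only the outermost instance
// owns the listener list and fires it on destruction.
struct EntryScope {
    Vm& vm;
    EntryScope* const previous;        // enclosing scope, null if we are outermost
    std::vector<std::function<void()>> didPopListeners;

    explicit EntryScope(Vm& v) : vm(v), previous(v.entryScope) {
        if (!previous)
            vm.entryScope = this;      // first entry: the VM starts running code
    }

    EntryScope(const EntryScope&) = delete;
    EntryScope& operator=(const EntryScope&) = delete;

    ~EntryScope() {
        if (vm.entryScope != this)
            return;                    // an inner scope popping: still running
        vm.entryScope = nullptr;       // outermost scope popped: the VM is idle
        auto listeners = std::move(didPopListeners);
        for (auto& listener : listeners)
            listener();                // each deferred job runs exactly once
    }
};

// Runs `work` now if the VM is idle, otherwise defers it until the outermost
// scope pops. Sketch of the decision the entry attributes to the debugger's
// recompile path; not the real function.
void runWhenVmIdle(Vm& vm, std::function<void()> work) {
    if (!vm.entryScope) {
        work();
        return;
    }
    vm.entryScope->didPopListeners.push_back(std::move(work));
}

// Enters `depth` nested scopes, requests a recompile from the innermost one,
// and reports how many times it ran; -1 if it ran while code was still live.
int recompileFromNestedScopes(int depth) {
    Vm vm;
    {
        EntryScope outer(vm);
        std::function<void(int)> nest = [&](int d) {
            if (d == 0) {
                runWhenVmIdle(vm, [&vm] { ++vm.recompilations; });
                return;
            }
            EntryScope inner(vm);      // inner scopes never trigger the listeners
            nest(d - 1);
        };
        nest(depth);
        if (vm.recompilations != 0)
            return -1;                 // would have recompiled under live frames
    }
    return vm.recompilations;          // 1: fired once when the outer scope died
}

// With no scope live, the work runs immediately instead of being deferred.
int recompileWhileIdle() {
    Vm vm;
    runWhenVmIdle(vm, [&vm] { ++vm.recompilations; });
    return vm.recompilations;
}

int main() {
    std::cout << "nested: " << recompileFromNestedScopes(3) << "\n"
              << "idle: " << recompileWhileIdle() << "\n";
    return 0;
}
```

        The point of the listener list over a single flag is the one the entry makes:
        any number of unrelated clients can ask to be told when execution stops,
        and none of them can run their work while frames are still on the stack.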
1980
1981 2014-08-07  Benjamin Poulain  <bpoulain@apple.com>
1982
1983         Get rid of SCRIPTED_SPEECH
1984         https://bugs.webkit.org/show_bug.cgi?id=135729
1985
1986         Reviewed by Brent Fulgham.
1987
1988         * Configurations/FeatureDefines.xcconfig:
1989
1990 2014-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>
1991
1992         SpeculateInt32Operand is sometimes used in a 64-bit context, which has undefined behavior
1993         https://bugs.webkit.org/show_bug.cgi?id=135722
1994
1995         Reviewed by Filip Pizlo.
1996
1997         We should be using SpeculateStrictInt32Operand instead.
1998
1999         * dfg/DFGSpeculativeJIT64.cpp:
2000         (JSC::DFG::SpeculativeJIT::compile):
2001
2002 2014-08-07  Benjamin Poulain  <bpoulain@apple.com>
2003
2004         Get rid of INPUT_SPEECH
2005         https://bugs.webkit.org/show_bug.cgi?id=135672
2006
2007         Reviewed by Andreas Kling.
2008
2009         * Configurations/FeatureDefines.xcconfig:
2010
2011 2014-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>
2012
2013         for-in is failing fast/dom/dataset-xhtml.xhtml and dataset.html tests
2014         https://bugs.webkit.org/show_bug.cgi?id=135681
2015
2016         Reviewed by Filip Pizlo.
2017
2018         * runtime/Structure.cpp:
2019         (JSC::Structure::canCacheGenericPropertyNameEnumerator): We were checking the entire 
2020         prototype chain for overridesGetPropertyNames, but we were neglecting to check the 
2021         base object's Structure. D'oh!
2022
2023 2014-08-06  Mark Lam  <mark.lam@apple.com>
2024
2025         Gardening: fix for build failure on EFL bots.
2026
2027         Not reviewed.
2028
2029         * runtime/EnumerationMode.h:
2030         (JSC::shouldIncludeJSObjectPropertyNames):
2031         (JSC::modeThatSkipsJSObject):
2032         * runtime/JSCell.cpp:
2033         (JSC::JSCell::getEnumerableLength):
2034         * runtime/JSCell.h:
2035
2036 2014-08-06  Dean Jackson  <dino@apple.com>
2037
2038         ENABLE_CSS_TRANSFORMS_ANIMATIONS_UNPREFIXED is not used anywhere. Remove it.
2039         https://bugs.webkit.org/show_bug.cgi?id=135675
2040
2041         Reviewed by Sam Weinig.
2042
2043         * Configurations/FeatureDefines.xcconfig:
2044
2045 2014-08-06  Wenson Hsieh  <wenson_hsieh@apple.com>
2046
2047         Implement parsing for CSS scroll snap points
2048         https://bugs.webkit.org/show_bug.cgi?id=134301
2049
2050         Reviewed by Dean Jackson.
2051
2052         * Configurations/FeatureDefines.xcconfig: Added ENABLE_CSS_SCROLL_SNAP
2053
2054 2014-08-06  Mark Lam  <mark.lam@apple.com>
2055
2056         Gardening: fix for build failure on GTK bots.
2057
2058         Not reviewed.
2059
2060         * runtime/FunctionHasExecutedCache.cpp:
2061         - #include <limits.h> for UINT_MAX's definition.
2062
2063 2014-08-06  Mark Lam  <mark.lam@apple.com>
2064
2065         Gardening: fix for build failure on EFL bots.
2066
2067         Not reviewed.
2068
2069         * jit/JITInlines.h:
2070         (JSC::JIT::emitLoadForArrayMode):
2071
2072 2014-08-06  Mark Lam  <mark.lam@apple.com>
2073
2074         Gardening: adding missing build file changes from the FTLOPT merge at r172176.
2075
2076         Not reviewed.
2077
2078         * CMakeLists.txt:
2079         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2080         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2081
2082 2014-08-06  Ryuan Choi  <ryuan.choi@samsung.com>
2083
2084         Unreviewed build fix attempt since r172184
2085
2086         * CMakeLists.txt: Removed TypeLocation.cpp
2087
2088 2014-08-06  Mark Lam  <mark.lam@apple.com>
2089
2090         Gardening: adding missing build file changes from r171510.
2091         <https://webkit.org/b/134860>
2092
2093         Not reviewed.
2094
2095         * CMakeLists.txt:
2096         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2097         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2098
2099 2014-08-06  Mark Lam  <mark.lam@apple.com>
2100
2101         Gardening: adding missing build file changes from r170490.
2102         <https://webkit.org/b/133395>
2103
2104         Not reviewed.
2105
2106         * CMakeLists.txt:
2107         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2108
2109 2014-08-06  Filip Pizlo  <fpizlo@apple.com>
2110
2111         Silence a debug assertion.
2112
2113         Reviewed by Mark Hahnenberg.
2114
2115         * runtime/JSPropertyNameEnumerator.h:
2116         (JSC::JSPropertyNameEnumerator::cachedStructure):
2117
2118 2014-08-06  Filip Pizlo  <fpizlo@apple.com>
2119
2120         Fix 32-bit build.
2121
2122         * jit/JITOpcodes32_64.cpp:
2123         (JSC::JIT::privateCompileHasIndexedProperty):
2124
2125 2014-08-06  Filip Pizlo  <fpizlo@apple.com>
2126
2127         Merge r171389, r171495, r171508, r171510, r171605, r171606, r171611, r171614, r171763 from ftlopt.
2128
2129     2014-07-28  Mark Hahnenberg  <mhahnenberg@apple.com>
2130     
2131             Support for-in in the FTL
2132             https://bugs.webkit.org/show_bug.cgi?id=134140
2133     
2134             Reviewed by Filip Pizlo.
2135     
2136             * dfg/DFGSSALoweringPhase.cpp:
2137             (JSC::DFG::SSALoweringPhase::handleNode):
2138             * ftl/FTLAbstractHeapRepository.cpp:
2139             * ftl/FTLAbstractHeapRepository.h:
2140             * ftl/FTLCapabilities.cpp:
2141             (JSC::FTL::canCompile):
2142             * ftl/FTLIntrinsicRepository.h:
2143             * ftl/FTLLowerDFGToLLVM.cpp:
2144             (JSC::FTL::LowerDFGToLLVM::compileNode):
2145             (JSC::FTL::LowerDFGToLLVM::compileHasIndexedProperty):
2146             (JSC::FTL::LowerDFGToLLVM::compileHasGenericProperty):
2147             (JSC::FTL::LowerDFGToLLVM::compileHasStructureProperty):
2148             (JSC::FTL::LowerDFGToLLVM::compileGetDirectPname):
2149             (JSC::FTL::LowerDFGToLLVM::compileGetEnumerableLength):
2150             (JSC::FTL::LowerDFGToLLVM::compileGetStructurePropertyEnumerator):
2151             (JSC::FTL::LowerDFGToLLVM::compileGetGenericPropertyEnumerator):
2152             (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname):
2153             (JSC::FTL::LowerDFGToLLVM::compileToIndexString):
2154     
2155     2014-07-25  Mark Hahnenberg  <mhahnenberg@apple.com>
2156     
2157             Remove JSPropertyNameIterator
2158             https://bugs.webkit.org/show_bug.cgi?id=135066
2159     
2160             Reviewed by Geoffrey Garen.
2161     
2162             It has been replaced by JSPropertyNameEnumerator.
2163     
2164             * JavaScriptCore.order:
2165             * bytecode/BytecodeBasicBlock.cpp:
2166             (JSC::isBranch):
2167             * bytecode/BytecodeList.json:
2168             * bytecode/BytecodeUseDef.h:
2169             (JSC::computeUsesForBytecodeOffset):
2170             (JSC::computeDefsForBytecodeOffset):
2171             * bytecode/CodeBlock.cpp:
2172             (JSC::CodeBlock::dumpBytecode):
2173             * bytecode/PreciseJumpTargets.cpp:
2174             (JSC::getJumpTargetsForBytecodeOffset):
2175             * bytecompiler/BytecodeGenerator.cpp:
2176             (JSC::BytecodeGenerator::emitGetPropertyNames): Deleted.
2177             (JSC::BytecodeGenerator::emitNextPropertyName): Deleted.
2178             * bytecompiler/BytecodeGenerator.h:
2179             * interpreter/Interpreter.cpp:
2180             * interpreter/Register.h:
2181             * jit/JIT.cpp:
2182             (JSC::JIT::privateCompileMainPass):
2183             (JSC::JIT::privateCompileSlowCases):
2184             * jit/JIT.h:
2185             * jit/JITOpcodes.cpp:
2186             (JSC::JIT::emit_op_get_pnames): Deleted.
2187             (JSC::JIT::emit_op_next_pname): Deleted.
2188             * jit/JITOpcodes32_64.cpp:
2189             (JSC::JIT::emit_op_get_pnames): Deleted.
2190             (JSC::JIT::emit_op_next_pname): Deleted.
2191             * jit/JITOperations.cpp:
2192             * jit/JITPropertyAccess.cpp:
2193             (JSC::JIT::emit_op_get_by_pname): Deleted.
2194             (JSC::JIT::emitSlow_op_get_by_pname): Deleted.
2195             * jit/JITPropertyAccess32_64.cpp:
2196             (JSC::JIT::emit_op_get_by_pname): Deleted.
2197             (JSC::JIT::emitSlow_op_get_by_pname): Deleted.
2198             * llint/LLIntOffsetsExtractor.cpp:
2199             * llint/LLIntSlowPaths.cpp:
2200             (JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
2201             * llint/LLIntSlowPaths.h:
2202             * llint/LowLevelInterpreter.asm:
2203             * llint/LowLevelInterpreter32_64.asm:
2204             * llint/LowLevelInterpreter64.asm:
2205             * runtime/CommonSlowPaths.cpp:
2206             * runtime/JSPropertyNameIterator.cpp:
2207             (JSC::JSPropertyNameIterator::JSPropertyNameIterator): Deleted.
2208             (JSC::JSPropertyNameIterator::create): Deleted.
2209             (JSC::JSPropertyNameIterator::destroy): Deleted.
2210             (JSC::JSPropertyNameIterator::get): Deleted.
2211             (JSC::JSPropertyNameIterator::visitChildren): Deleted.
2212             * runtime/JSPropertyNameIterator.h:
2213             (JSC::JSPropertyNameIterator::createStructure): Deleted.
2214             (JSC::JSPropertyNameIterator::size): Deleted.
2215             (JSC::JSPropertyNameIterator::setCachedStructure): Deleted.
2216             (JSC::JSPropertyNameIterator::cachedStructure): Deleted.
2217             (JSC::JSPropertyNameIterator::setCachedPrototypeChain): Deleted.
2218             (JSC::JSPropertyNameIterator::cachedPrototypeChain): Deleted.
2219             (JSC::JSPropertyNameIterator::finishCreation): Deleted.
2220             (JSC::Register::propertyNameIterator): Deleted.
2221             (JSC::StructureRareData::enumerationCache): Deleted.
2222             (JSC::StructureRareData::setEnumerationCache): Deleted.
2223             * runtime/Structure.cpp:
2224             (JSC::Structure::addPropertyWithoutTransition):
2225             (JSC::Structure::removePropertyWithoutTransition):
2226             * runtime/Structure.h:
2227             * runtime/StructureInlines.h:
2228             (JSC::Structure::setEnumerationCache): Deleted.
2229             (JSC::Structure::enumerationCache): Deleted.
2230             * runtime/StructureRareData.cpp:
2231             (JSC::StructureRareData::visitChildren):
2232             * runtime/StructureRareData.h:
2233             * runtime/VM.cpp:
2234             (JSC::VM::VM):
2235     
2236     2014-07-25  Saam Barati  <sbarati@apple.com>
2237     
2238             Fix 32-bit build breakage for type profiling
2239             https://bugs.webkit.org/process_bug.cgi
2240     
2241             Reviewed by Mark Hahnenberg.
2242     
2243             32-bit builds currently break because global variable IDs for high
2244             fidelity type profiling are int64_t. Change this to intptr_t so that
2245             it's 32 bits on 32-bit platforms and 64 bits on 64-bit platforms.
2246     
2247             * bytecode/CodeBlock.cpp:
2248             (JSC::CodeBlock::CodeBlock):
2249             (JSC::CodeBlock::scopeDependentProfile):
2250             * bytecode/TypeLocation.h:
2251             * runtime/SymbolTable.cpp:
2252             (JSC::SymbolTable::uniqueIDForVariable):
2253             (JSC::SymbolTable::uniqueIDForRegister):
2254             * runtime/SymbolTable.h:
2255             * runtime/TypeLocationCache.cpp:
2256             (JSC::TypeLocationCache::getTypeLocation):
2257             * runtime/TypeLocationCache.h:
2258             * runtime/VM.h:
2259             (JSC::VM::getNextUniqueVariableID):
2260     
2261     2014-07-25  Mark Hahnenberg  <mhahnenberg@apple.com>
2262     
2263             Reindent PropertyNameArray.h
2264             https://bugs.webkit.org/show_bug.cgi?id=135067
2265     
2266             Reviewed by Geoffrey Garen.
2267     
2268             * runtime/PropertyNameArray.h:
2269             (JSC::RefCountedIdentifierSet::contains):
2270             (JSC::RefCountedIdentifierSet::size):
2271             (JSC::RefCountedIdentifierSet::add):
2272             (JSC::PropertyNameArrayData::create):
2273             (JSC::PropertyNameArrayData::propertyNameVector):
2274             (JSC::PropertyNameArrayData::PropertyNameArrayData):
2275             (JSC::PropertyNameArray::PropertyNameArray):
2276             (JSC::PropertyNameArray::vm):
2277             (JSC::PropertyNameArray::add):
2278             (JSC::PropertyNameArray::addKnownUnique):
2279             (JSC::PropertyNameArray::operator[]):
2280             (JSC::PropertyNameArray::setData):
2281             (JSC::PropertyNameArray::data):
2282             (JSC::PropertyNameArray::releaseData):
2283             (JSC::PropertyNameArray::identifierSet):
2284             (JSC::PropertyNameArray::canAddKnownUniqueForStructure):
2285             (JSC::PropertyNameArray::size):
2286             (JSC::PropertyNameArray::begin):
2287             (JSC::PropertyNameArray::end):
2288             (JSC::PropertyNameArray::numCacheableSlots):
2289             (JSC::PropertyNameArray::setNumCacheableSlotsForObject):
2290             (JSC::PropertyNameArray::setBaseObject):
2291             (JSC::PropertyNameArray::setPreviouslyEnumeratedLength):
2292     
2293     2014-07-23  Mark Hahnenberg  <mhahnenberg@apple.com>
2294     
2295             Refactor our current implementation of for-in
2296             https://bugs.webkit.org/show_bug.cgi?id=134142
2297     
2298             Reviewed by Filip Pizlo.
2299     
2300             This patch splits for-in loops into three distinct parts:
2301     
2302             - Iterating over the indexed properties in the base object.
2303             - Iterating over the Structure properties in the base object.
2304             - Iterating over any other enumerable properties for that object and any objects in the prototype chain.
2305      
2306             It does this by emitting these explicit loops in bytecode, using a new set of bytecodes to 
2307             support the various operations required for each loop.
2308     
2309             * API/JSCallbackObjectFunctions.h:
2310             (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
2311             * JavaScriptCore.xcodeproj/project.pbxproj:
2312             * bytecode/BytecodeList.json:
2313             * bytecode/BytecodeUseDef.h:
2314             (JSC::computeUsesForBytecodeOffset):
2315             (JSC::computeDefsForBytecodeOffset):
2316             * bytecode/CallLinkStatus.h:
2317             (JSC::CallLinkStatus::CallLinkStatus):
2318             * bytecode/CodeBlock.cpp:
2319             (JSC::CodeBlock::dumpBytecode):
2320             (JSC::CodeBlock::CodeBlock):
2321             * bytecompiler/BytecodeGenerator.cpp:
2322             (JSC::BytecodeGenerator::emitGetByVal):
2323             (JSC::BytecodeGenerator::emitComplexPopScopes):
2324             (JSC::BytecodeGenerator::emitGetEnumerableLength):
2325             (JSC::BytecodeGenerator::emitHasGenericProperty):
2326             (JSC::BytecodeGenerator::emitHasIndexedProperty):
2327             (JSC::BytecodeGenerator::emitHasStructureProperty):
2328             (JSC::BytecodeGenerator::emitGetStructurePropertyEnumerator):
2329             (JSC::BytecodeGenerator::emitGetGenericPropertyEnumerator):
2330             (JSC::BytecodeGenerator::emitNextEnumeratorPropertyName):
2331             (JSC::BytecodeGenerator::emitToIndexString):
2332             (JSC::BytecodeGenerator::pushIndexedForInScope):
2333             (JSC::BytecodeGenerator::popIndexedForInScope):
2334             (JSC::BytecodeGenerator::pushStructureForInScope):
2335             (JSC::BytecodeGenerator::popStructureForInScope):
2336             (JSC::BytecodeGenerator::invalidateForInContextForLocal):
2337             * bytecompiler/BytecodeGenerator.h:
2338             (JSC::ForInContext::ForInContext):
2339             (JSC::ForInContext::~ForInContext):
2340             (JSC::ForInContext::isValid):
2341             (JSC::ForInContext::invalidate):
2342             (JSC::ForInContext::local):
2343             (JSC::StructureForInContext::StructureForInContext):
2344             (JSC::StructureForInContext::type):
2345             (JSC::StructureForInContext::index):
2346             (JSC::StructureForInContext::property):
2347             (JSC::StructureForInContext::enumerator):
2348             (JSC::IndexedForInContext::IndexedForInContext):
2349             (JSC::IndexedForInContext::type):
2350             (JSC::IndexedForInContext::index):
2351             (JSC::BytecodeGenerator::pushOptimisedForIn): Deleted.
2352             (JSC::BytecodeGenerator::popOptimisedForIn): Deleted.
2353             * bytecompiler/NodesCodegen.cpp:
2354             (JSC::ReadModifyResolveNode::emitBytecode):
2355             (JSC::AssignResolveNode::emitBytecode):
2356             (JSC::ForInNode::tryGetBoundLocal):
2357             (JSC::ForInNode::emitLoopHeader):
2358             (JSC::ForInNode::emitMultiLoopBytecode):
2359             (JSC::ForInNode::emitBytecode):
2360             * debugger/DebuggerScope.h:
2361             * dfg/DFGAbstractHeap.h:
2362             * dfg/DFGAbstractInterpreterInlines.h:
2363             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2364             * dfg/DFGByteCodeParser.cpp:
2365             (JSC::DFG::ByteCodeParser::parseBlock):
2366             * dfg/DFGCapabilities.cpp:
2367             (JSC::DFG::capabilityLevel):
2368             * dfg/DFGClobberize.h:
2369             (JSC::DFG::clobberize):
2370             * dfg/DFGDoesGC.cpp:
2371             (JSC::DFG::doesGC):
2372             * dfg/DFGFixupPhase.cpp:
2373             (JSC::DFG::FixupPhase::fixupNode):
2374             * dfg/DFGHeapLocation.cpp:
2375             (WTF::printInternal):
2376             * dfg/DFGHeapLocation.h:
2377             * dfg/DFGNode.h:
2378             (JSC::DFG::Node::hasHeapPrediction):
2379             (JSC::DFG::Node::hasArrayMode):
2380             * dfg/DFGNodeType.h:
2381             * dfg/DFGPredictionPropagationPhase.cpp:
2382             (JSC::DFG::PredictionPropagationPhase::propagate):
2383             * dfg/DFGSafeToExecute.h:
2384             (JSC::DFG::safeToExecute):
2385             * dfg/DFGSpeculativeJIT.h:
2386             (JSC::DFG::SpeculativeJIT::callOperation):
2387             * dfg/DFGSpeculativeJIT32_64.cpp:
2388             (JSC::DFG::SpeculativeJIT::compile):
2389             * dfg/DFGSpeculativeJIT64.cpp:
2390             (JSC::DFG::SpeculativeJIT::compile):
2391             * jit/JIT.cpp:
2392             (JSC::JIT::privateCompileMainPass):
2393             (JSC::JIT::privateCompileSlowCases):
2394             * jit/JIT.h:
2395             (JSC::JIT::compileHasIndexedProperty):
2396             (JSC::JIT::emitInt32Load):
2397             * jit/JITInlines.h:
2398             (JSC::JIT::emitDoubleGetByVal):
2399             (JSC::JIT::emitLoadForArrayMode):
2400             (JSC::JIT::emitContiguousGetByVal):
2401             (JSC::JIT::emitArrayStorageGetByVal):
2402             * jit/JITOpcodes.cpp:
2403             (JSC::JIT::emit_op_get_enumerable_length):
2404             (JSC::JIT::emit_op_has_structure_property):
2405             (JSC::JIT::emitSlow_op_has_structure_property):
2406             (JSC::JIT::emit_op_has_generic_property):
2407             (JSC::JIT::privateCompileHasIndexedProperty):
2408             (JSC::JIT::emit_op_has_indexed_property):
2409             (JSC::JIT::emitSlow_op_has_indexed_property):
2410             (JSC::JIT::emit_op_get_direct_pname):
2411             (JSC::JIT::emitSlow_op_get_direct_pname):
2412             (JSC::JIT::emit_op_get_structure_property_enumerator):
2413             (JSC::JIT::emit_op_get_generic_property_enumerator):
2414             (JSC::JIT::emit_op_next_enumerator_pname):
2415             (JSC::JIT::emit_op_to_index_string):
2416             * jit/JITOpcodes32_64.cpp:
2417             (JSC::JIT::emit_op_get_enumerable_length):
2418             (JSC::JIT::emit_op_has_structure_property):
2419             (JSC::JIT::emitSlow_op_has_structure_property):
2420             (JSC::JIT::emit_op_has_generic_property):
2421             (JSC::JIT::privateCompileHasIndexedProperty):
2422             (JSC::JIT::emit_op_has_indexed_property):
2423             (JSC::JIT::emitSlow_op_has_indexed_property):
2424             (JSC::JIT::emit_op_get_direct_pname):
2425             (JSC::JIT::emitSlow_op_get_direct_pname):
2426             (JSC::JIT::emit_op_get_structure_property_enumerator):
2427             (JSC::JIT::emit_op_get_generic_property_enumerator):
2428             (JSC::JIT::emit_op_next_enumerator_pname):
2429             (JSC::JIT::emit_op_to_index_string):
2430             * jit/JITOperations.cpp:
2431             * jit/JITOperations.h:
2432             * jit/JITPropertyAccess.cpp:
2433             (JSC::JIT::emitDoubleLoad):
2434             (JSC::JIT::emitContiguousLoad):
2435             (JSC::JIT::emitArrayStorageLoad):
2436             (JSC::JIT::emitDoubleGetByVal): Deleted.
2437             (JSC::JIT::emitContiguousGetByVal): Deleted.
2438             (JSC::JIT::emitArrayStorageGetByVal): Deleted.
2439             * jit/JITPropertyAccess32_64.cpp:
2440             (JSC::JIT::emitContiguousLoad):
2441             (JSC::JIT::emitDoubleLoad):
2442             (JSC::JIT::emitArrayStorageLoad):
2443             (JSC::JIT::emitContiguousGetByVal): Deleted.
2444             (JSC::JIT::emitDoubleGetByVal): Deleted.
2445             (JSC::JIT::emitArrayStorageGetByVal): Deleted.
2446             * llint/LowLevelInterpreter.asm:
2447             * parser/Nodes.h:
2448             * runtime/Arguments.cpp:
2449             (JSC::Arguments::getOwnPropertyNames):
2450             * runtime/ClassInfo.h:
2451             * runtime/CommonSlowPaths.cpp:
2452             (JSC::SLOW_PATH_DECL):
2453             * runtime/CommonSlowPaths.h:
2454             * runtime/EnumerationMode.h: Added.
2455             (JSC::shouldIncludeDontEnumProperties):
2456             (JSC::shouldExcludeDontEnumProperties):
2457             (JSC::shouldIncludeJSObjectPropertyNames):
2458             (JSC::modeThatSkipsJSObject):
2459             * runtime/JSActivation.cpp:
2460             (JSC::JSActivation::getOwnNonIndexPropertyNames):
2461             * runtime/JSArray.cpp:
2462             (JSC::JSArray::getOwnNonIndexPropertyNames):
2463             * runtime/JSArrayBuffer.cpp:
2464             (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
2465             * runtime/JSArrayBufferView.cpp:
2466             (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
2467             * runtime/JSCell.cpp:
2468             (JSC::JSCell::getEnumerableLength):
2469             (JSC::JSCell::getStructurePropertyNames):
2470             (JSC::JSCell::getGenericPropertyNames):
2471             * runtime/JSCell.h:
2472             * runtime/JSFunction.cpp:
2473             (JSC::JSFunction::getOwnNonIndexPropertyNames):
2474             * runtime/JSGenericTypedArrayViewInlines.h:
2475             (JSC::JSGenericTypedArrayView<Adaptor>::getOwnNonIndexPropertyNames):
2476             * runtime/JSObject.cpp:
2477             (JSC::getClassPropertyNames):
2478             (JSC::JSObject::hasOwnProperty):
2479             (JSC::JSObject::getOwnPropertyNames):
2480             (JSC::JSObject::getOwnNonIndexPropertyNames):
2481             (JSC::JSObject::getEnumerableLength):
2482             (JSC::JSObject::getStructurePropertyNames):
2483             (JSC::JSObject::getGenericPropertyNames):
2484             * runtime/JSObject.h:
2485             * runtime/JSPropertyNameEnumerator.cpp: Added.
2486             (JSC::JSPropertyNameEnumerator::create):
2487             (JSC::JSPropertyNameEnumerator::JSPropertyNameEnumerator):
2488             (JSC::JSPropertyNameEnumerator::finishCreation):
2489             (JSC::JSPropertyNameEnumerator::destroy):
2490             (JSC::JSPropertyNameEnumerator::visitChildren):
2491             * runtime/JSPropertyNameEnumerator.h: Added.
2492             (JSC::JSPropertyNameEnumerator::createStructure):
2493             (JSC::JSPropertyNameEnumerator::propertyNameAtIndex):
2494             (JSC::JSPropertyNameEnumerator::identifierSet):
2495             (JSC::JSPropertyNameEnumerator::cachedPrototypeChain):
2496             (JSC::JSPropertyNameEnumerator::setCachedPrototypeChain):
2497             (JSC::JSPropertyNameEnumerator::cachedStructure):
2498             (JSC::JSPropertyNameEnumerator::cachedStructureID):
2499             (JSC::JSPropertyNameEnumerator::cachedInlineCapacity):
2500             (JSC::JSPropertyNameEnumerator::cachedStructureIDOffset):
2501             (JSC::JSPropertyNameEnumerator::cachedInlineCapacityOffset):
2502             (JSC::JSPropertyNameEnumerator::cachedPropertyNamesLengthOffset):
2503             (JSC::JSPropertyNameEnumerator::cachedPropertyNamesVectorOffset):
2504             (JSC::structurePropertyNameEnumerator):
2505             (JSC::genericPropertyNameEnumerator):
2506             * runtime/JSProxy.cpp:
2507             (JSC::JSProxy::getEnumerableLength):
2508             (JSC::JSProxy::getStructurePropertyNames):
2509             (JSC::JSProxy::getGenericPropertyNames):
2510             * runtime/JSProxy.h:
2511             * runtime/JSSymbolTableObject.cpp:
2512             (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
2513             * runtime/PropertyNameArray.cpp:
2514             (JSC::PropertyNameArray::add):
2515             (JSC::PropertyNameArray::setPreviouslyEnumeratedProperties):
2516             * runtime/PropertyNameArray.h:
2517             (JSC::RefCountedIdentifierSet::contains):
2518             (JSC::RefCountedIdentifierSet::size):
2519             (JSC::RefCountedIdentifierSet::add):
2520             (JSC::PropertyNameArray::PropertyNameArray):
2521             (JSC::PropertyNameArray::add):
2522             (JSC::PropertyNameArray::addKnownUnique):
2523             (JSC::PropertyNameArray::identifierSet):
2524             (JSC::PropertyNameArray::canAddKnownUniqueForStructure):
2525             (JSC::PropertyNameArray::setPreviouslyEnumeratedLength):
2526             * runtime/RegExpObject.cpp:
2527             (JSC::RegExpObject::getOwnNonIndexPropertyNames):
2528             (JSC::RegExpObject::getPropertyNames):
2529             (JSC::RegExpObject::getGenericPropertyNames):
2530             * runtime/RegExpObject.h:
2531             * runtime/StringObject.cpp:
2532             (JSC::StringObject::getOwnPropertyNames):
2533             * runtime/Structure.cpp:
2534             (JSC::Structure::getPropertyNamesFromStructure):
2535             (JSC::Structure::setCachedStructurePropertyNameEnumerator):
2536             (JSC::Structure::cachedStructurePropertyNameEnumerator):
2537             (JSC::Structure::setCachedGenericPropertyNameEnumerator):
2538             (JSC::Structure::cachedGenericPropertyNameEnumerator):
2539             (JSC::Structure::canCacheStructurePropertyNameEnumerator):
2540             (JSC::Structure::canCacheGenericPropertyNameEnumerator):
2541             (JSC::Structure::canAccessPropertiesQuickly):
2542             * runtime/Structure.h:
2543             * runtime/StructureRareData.cpp:
2544             (JSC::StructureRareData::visitChildren):
2545             (JSC::StructureRareData::cachedStructurePropertyNameEnumerator):
2546             (JSC::StructureRareData::setCachedStructurePropertyNameEnumerator):
2547             (JSC::StructureRareData::cachedGenericPropertyNameEnumerator):
2548             (JSC::StructureRareData::setCachedGenericPropertyNameEnumerator):
2549             * runtime/StructureRareData.h:
2550             * runtime/VM.cpp:
2551             (JSC::VM::VM):
2552             * runtime/VM.h:
2553     
2554     2014-07-23  Saam Barati  <sbarati@apple.com>
2555     
2556             Make improvements to Type Profiling
2557             https://bugs.webkit.org/show_bug.cgi?id=134860
2558     
2559             Reviewed by Filip Pizlo.
2560     
2561             I improved the API between the inspector and JSC. We no longer send one huge
2562             string to the inspector. We now send structured data that represents the type
2563             information that JSC has collected. I've also created a beginning implementation 
2564             of a type lattice that allows us to resolve a display name for a type that
2565             consists of a single word.
2566     
2567             I created a data structure that knows which functions have executed. This
2568             solves the bug where types inside an un-executed function will resolve
2569             to the type of the enclosing expression of that function. This data
2570             structure may also be useful later if the inspector chooses to create a UI
2571             around showing which functions have executed.
2572     
2573             Better type information is gathered for objects. StructureShape now
2574             represents an object's prototype chain.  StructureShape also collects
2575             the constructor name for an object.
2576     
2577             Expression ranges are now zero indexed.
2578     
2579             Removed some extraneous methods.
2580     
2581             * JavaScriptCore.xcodeproj/project.pbxproj:
2582             * bytecode/CodeBlock.cpp:
2583             (JSC::CodeBlock::CodeBlock):
2584             (JSC::CodeBlock::scopeDependentProfile):
2585             * bytecode/CodeBlock.h:
2586             * bytecode/TypeLocation.h:
2587             (JSC::TypeLocation::TypeLocation):
2588             * bytecode/UnlinkedCodeBlock.cpp:
2589             (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2590             * bytecode/UnlinkedCodeBlock.h:
2591             (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingStartOffset):
2592             (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingEndOffset):
2593             * bytecompiler/BytecodeGenerator.cpp:
2594             (JSC::BytecodeGenerator::BytecodeGenerator):
2595             (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo):
2596             * bytecompiler/BytecodeGenerator.h:
2597             (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo): Deleted.
2598             * heap/Heap.cpp:
2599             (JSC::Heap::collect):
2600             * inspector/agents/InspectorRuntimeAgent.cpp:
2601             (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
2602             (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableAtOffset): Deleted.
2603             * inspector/agents/InspectorRuntimeAgent.h:
2604             * inspector/protocol/Runtime.json:
2605             * runtime/Executable.cpp:
2606             (JSC::ScriptExecutable::ScriptExecutable):
2607             (JSC::ProgramExecutable::ProgramExecutable):
2608             (JSC::FunctionExecutable::FunctionExecutable):
2609             (JSC::ProgramExecutable::initializeGlobalProperties):
2610             * runtime/Executable.h:
2611             (JSC::ScriptExecutable::highFidelityTypeProfilingStartOffset):
2612             (JSC::ScriptExecutable::highFidelityTypeProfilingEndOffset):
2613             * runtime/FunctionHasExecutedCache.cpp: Added.
2614             (JSC::FunctionHasExecutedCache::hasExecutedAtOffset):
2615             (JSC::FunctionHasExecutedCache::insertUnexecutedRange):
2616             (JSC::FunctionHasExecutedCache::removeUnexecutedRange):
2617             * runtime/FunctionHasExecutedCache.h: Added.
2618             (JSC::FunctionHasExecutedCache::FunctionRange::FunctionRange):
2619             (JSC::FunctionHasExecutedCache::FunctionRange::operator==):
2620             (JSC::FunctionHasExecutedCache::FunctionRange::hash):
2621             * runtime/HighFidelityLog.cpp:
2622             (JSC::HighFidelityLog::processHighFidelityLog):
2623             (JSC::HighFidelityLog::actuallyProcessLogThreadFunction): Deleted.
2624             * runtime/HighFidelityLog.h:
2625             (JSC::HighFidelityLog::recordTypeInformationForLocation):
2626             * runtime/HighFidelityTypeProfiler.cpp:
2627             (JSC::HighFidelityTypeProfiler::logTypesForTypeLocation):
2628             (JSC::HighFidelityTypeProfiler::insertNewLocation):
2629             (JSC::HighFidelityTypeProfiler::getTypesForVariableAtOffsetForInspector):
2630             (JSC::descriptorMatchesTypeLocation):
2631             (JSC::HighFidelityTypeProfiler::findLocation):
2632             (JSC::HighFidelityTypeProfiler::getTypesForVariableInAtOffset): Deleted.
2633             (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableAtOffset): Deleted.
2634             (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableAtOffset): Deleted.
2635             * runtime/HighFidelityTypeProfiler.h:
2636             (JSC::QueryKey::QueryKey):
2637             (JSC::QueryKey::isHashTableDeletedValue):
2638             (JSC::QueryKey::operator==):
2639             (JSC::QueryKey::hash):
2640             (JSC::QueryKeyHash::hash):
2641             (JSC::QueryKeyHash::equal):
2642             (JSC::HighFidelityTypeProfiler::functionHasExecutedCache):
2643             (JSC::HighFidelityTypeProfiler::typeLocationCache):
2644             * runtime/Structure.cpp:
2645             (JSC::Structure::toStructureShape):
2646             * runtime/Structure.h:
2647             * runtime/TypeLocationCache.cpp: Added.
2648             (JSC::TypeLocationCache::getTypeLocation):
2649             * runtime/TypeLocationCache.h: Added.
2650             (JSC::TypeLocationCache::LocationKey::LocationKey):
2651             (JSC::TypeLocationCache::LocationKey::operator==):
2652             (JSC::TypeLocationCache::LocationKey::hash):
2653             * runtime/TypeSet.cpp:
2654             (JSC::TypeSet::getRuntimeTypeForValue):
2655             (JSC::TypeSet::addTypeForValue):
2656             (JSC::TypeSet::seenTypes):
2657             (JSC::TypeSet::doesTypeConformTo):
2658             (JSC::TypeSet::displayName):
2659             (JSC::TypeSet::allPrimitiveTypeNames):
2660             (JSC::TypeSet::allStructureRepresentations):
2661             (JSC::TypeSet::leastCommonAncestor):
2662             (JSC::StructureShape::StructureShape):
2663             (JSC::StructureShape::addProperty):
2664             (JSC::StructureShape::propertyHash):
2665             (JSC::StructureShape::leastCommonAncestor):
2666             (JSC::StructureShape::stringRepresentation):
2667             (JSC::StructureShape::inspectorRepresentation):
2668             (JSC::StructureShape::leastUpperBound): Deleted.
2669             * runtime/TypeSet.h:
2670             (JSC::StructureShape::setConstructorName):
2671             (JSC::StructureShape::constructorName):
2672             (JSC::StructureShape::setProto):
2673             * runtime/VM.cpp:
2674             (JSC::VM::dumpHighFidelityProfilingTypes):
2675             (JSC::VM::getTypesForVariableAtOffset): Deleted.
2676             (JSC::VM::updateHighFidelityTypeProfileState): Deleted.
2677             * runtime/VM.h:
2678             (JSC::VM::isProfilingTypesWithHighFidelity):
2679             (JSC::VM::highFidelityTypeProfiler):
2680     
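Added example, not code from this ChangeLog or from JavaScriptCore: a simplified C++ model of the executed-function cache described in the entry above and of how a type query consults it. The names FunctionHasExecutedCache, insertUnexecutedRange, removeUnexecutedRange and hasExecutedAtOffset follow the entry's file list; the TypeProfiler class, the covering-range lookup in typesAt, the sample program and the type names "Integer" and "Function" are assumptions made for the example.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <tuple>

// Zero-indexed, inclusive source range of a function or expression.
struct SourceRange {
    int start;
    int end;
    bool contains(int offset) const { return start <= offset && offset <= end; }
    bool operator<(const SourceRange& o) const { return std::tie(start, end) < std::tie(o.start, o.end); }
};

// Tracks the source ranges of functions that were parsed but have not run.
class FunctionHasExecutedCache {
public:
    void insertUnexecutedRange(SourceRange r) { m_unexecuted.insert(r); }
    // Called the first time the function body actually executes.
    void removeUnexecutedRange(SourceRange r) { m_unexecuted.erase(r); }
    // A nested function cannot run unless its enclosing function ran, so any
    // covering unexecuted range means no code at this offset has executed.
    bool hasExecutedAtOffset(int offset) const
    {
        for (const SourceRange& r : m_unexecuted)
            if (r.contains(offset)) return false;
        return true;
    }
private:
    std::set<SourceRange> m_unexecuted;
};

// One profiled expression and the runtime type names observed there.
struct TypeLocation {
    SourceRange range;
    std::set<std::string> seenTypes;
};

class TypeProfiler {
public:
    FunctionHasExecutedCache executedCache;
    void addLocation(SourceRange r) { m_locations[r] = TypeLocation{ r, {} }; }
    void record(SourceRange r, const std::string& typeName) { m_locations.at(r).seenTypes.insert(typeName); }
    // Types seen at the innermost location that covers `offset` and has data.
    // With the executed cache consulted (the fixed behaviour), an offset inside
    // a function that never ran yields an empty set instead of falling through
    // to the location of the enclosing function expression.
    std::set<std::string> typesAt(int offset, bool consultExecutedCache = true) const
    {
        if (consultExecutedCache && !executedCache.hasExecutedAtOffset(offset))
            return {};
        const TypeLocation* best = nullptr;
        for (const auto& entry : m_locations) {
            const TypeLocation& loc = entry.second;
            if (!loc.range.contains(offset) || loc.seenTypes.empty()) continue;
            if (!best || loc.range.end - loc.range.start < best->range.end - best->range.start) best = &loc;
        }
        return best ? best->seenTypes : std::set<std::string>();
    }
private:
    std::map<SourceRange, TypeLocation> m_locations;
};

// Constructed program: inner() is declared inside outer() but never called.
static const std::string kSource = "function outer(a) { var x = a; function inner(b) { var y = b; } return x; }";
static SourceRange spanOf(const std::string& text)
{
    int start = static_cast<int>(kSource.find(text));
    return { start, start + static_cast<int>(text.size()) - 1 };
}
static const SourceRange kOuter = spanOf(kSource);
static const SourceRange kInner = spanOf("function inner(b) { var y = b; }");
static const SourceRange kAssignX = spanOf("x = a");
static const SourceRange kAssignY = spanOf("y = b");

// Parse time marks both functions unexecuted; run time then executes outer(1),
// which records an Integer at `x = a` and a Function for the declaration of
// inner, and never calls inner.
static TypeProfiler simulate()
{
    TypeProfiler profiler;
    profiler.executedCache.insertUnexecutedRange(kOuter);
    profiler.executedCache.insertUnexecutedRange(kInner);
    for (SourceRange r : { kInner, kAssignX, kAssignY }) profiler.addLocation(r);
    profiler.executedCache.removeUnexecutedRange(kOuter);
    profiler.record(kAssignX, "Integer");
    profiler.record(kInner, "Function");
    return profiler;
}

int main()
{
    TypeProfiler profiler = simulate();
    std::cout << "types at `x = a`: " << profiler.typesAt(kAssignX.start).size() << "\n"
              << "types at `y = b`, cache consulted: " << profiler.typesAt(kAssignY.start).size() << "\n"
              << "types at `y = b`, old behaviour: " << *profiler.typesAt(kAssignY.start, false).begin() << "\n";
    return 0;
}
```

With the cache consulted, the query at `y = b` returns nothing, because the only unexecuted range still recorded, inner's, covers that offset. Without it, the innermost location holding data is the declaration of inner itself, so the query reports Function, which is the misleading answer the entry describes.
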
2681     2014-07-23  Filip Pizlo  <fpizlo@apple.com>
2682     
2683             Fix debug build.
2684     
2685             * bytecode/CallLinkStatus.h:
2686             (JSC::CallLinkStatus::CallLinkStatus):
2687     
2688     2014-07-20  Filip Pizlo  <fpizlo@apple.com>
2689     
2690             [ftlopt] Phantoms in SSA form should be aggressively hoisted
2691             https://bugs.webkit.org/show_bug.cgi?id=135111
2692     
2693             Reviewed by Oliver Hunt.
2694             
2695             In CPS form, Phantom means three things: (1) that the children should be kept alive so long
2696             as they are relevant to OSR (due to a MovHint), (2) that the children are live-in-bytecode
2697             at the point of the Phantom, and (3) that some checks should be performed. In SSA, the
2698             second meaning is not used but the other two stay.
2699             
2700             The fact that a Phantom that is used to keep a node alive could be anywhere in the graph,
2701             even in a totally different basic block, complicates some SSA transformations. It's not
2702             possible to just jettison some successor, since that successor could have a Phantom that we
2703             care about.
2704             
2705             This change rationalizes how Phantoms work so that:
2706             
2707             1) Phantoms keep children alive so long as those children are relevant to OSR. This is true
2708                in both CPS and SSA. This was true before and it's true now.
2709             
2710             2) Phantoms are used for live-in-bytecode only in CPS. This was true before and it's true
2711                now, except that now we also don't bother preserving the live-in-bytecode information
2712                that Phantoms convey, when we are in SSA.
2713             
2714             3) Phantoms may incidentally have checks, but in cases where we only want checks, we now
2715                use Check instead of Phantom. Notably, DCE phase has dead nodes decay to Check, not
2716                Phantom.
2717             
2718             The biggest part of this change is that in SSA, we canonicalize Phantoms:
2719             
2720             - All Phantoms are replaced with Check nodes that include only those edges that have
2721               checks.
2722             
2723             - Nodes that were the children of any Phantoms have a Phantom right after them.
2724             
2725             For example, the following code:
2726             
2727                 5: ArithAdd(@1, @2)
2728                 6: ArithSub(@5, @3)
2729                 7: Phantom(Int32:@5)
2730             
2731             would be turned into the following:
2732             
2733                 5: ArithAdd(@1, @2)
2734                 8: Phantom(@5) // @5 was the child of a Phantom, so we create a new Phantom right after
2735                                // @5. This is the only Phantom we will have for @5.
2736                 6: ArithSub(@5, @3)
2737                 7: Check(Int32:@5) // We replace the Phantom with a Check; in this case since Int32: is
2738                                    // a checking edge, we leave it.
2739             
2740             This is a slight speed-up across the board, presumably because we now do a better job of
2741             reducing the size of the graph during compilation. It could also be a fluke, though. The
2742             main purpose of this is to unlock some other work (like CFG simplification in SSA). It will
2743             become a requirement to run phantom canonicalization prior to some SSA phases. None of the
2744             current phases need it, but future phases probably will.
2745     
2746             * CMakeLists.txt:
2747             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2748             * JavaScriptCore.xcodeproj/project.pbxproj:
2749             * dfg/DFGAbstractInterpreterInlines.h:
2750             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2751             * dfg/DFGConstantFoldingPhase.cpp:
2752             (JSC::DFG::ConstantFoldingPhase::foldConstants):
2753             * dfg/DFGDCEPhase.cpp:
2754             (JSC::DFG::DCEPhase::run):
2755             (JSC::DFG::DCEPhase::findTypeCheckRoot):
2756             (JSC::DFG::DCEPhase::countEdge):
2757             (JSC::DFG::DCEPhase::fixupBlock):
2758             (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):
2759             * dfg/DFGEdge.cpp:
2760             (JSC::DFG::Edge::dump):
2761             * dfg/DFGEdge.h:
2762             (JSC::DFG::Edge::isProved):
2763             (JSC::DFG::Edge::needsCheck): Deleted.
2764             * dfg/DFGNodeFlags.h:
2765             * dfg/DFGPhantomCanonicalizationPhase.cpp: Added.
2766             (JSC::DFG::PhantomCanonicalizationPhase::PhantomCanonicalizationPhase):
2767             (JSC::DFG::PhantomCanonicalizationPhase::run):
2768             (JSC::DFG::performPhantomCanonicalization):
2769             * dfg/DFGPhantomCanonicalizationPhase.h: Added.
2770             * dfg/DFGPhantomRemovalPhase.cpp:
2771             (JSC::DFG::PhantomRemovalPhase::run):
2772             * dfg/DFGPhantomRemovalPhase.h:
2773             * dfg/DFGPlan.cpp:
2774             (JSC::DFG::Plan::compileInThreadImpl):
2775             * ftl/FTLLowerDFGToLLVM.cpp:
2776             (JSC::FTL::LowerDFGToLLVM::lowJSValue):
2777             (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
2778     
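Added example, not code from the ChangeLog or from JavaScriptCore: a C++ model of the Phantom canonicalization described in the entry above, run over the entry's own three-node example plus a second block whose untyped Phantom keeps a node alive across a block boundary. The node and edge representation, the subset of checking use kinds, the op names other than Phantom and Check, and the decision to drop a Phantom that has no checking edges rather than emit an empty Check are assumptions made for the example.

```cpp
#include <algorithm>
#include <iostream>
#include <set>
#include <string>
#include <vector>

// Assumed subset of DFG use kinds whose edges carry a type check; "Untyped" does not.
static bool isCheckingUseKind(const std::string& useKind)
{
    return useKind == "Int32" || useKind == "Number" || useKind == "Cell" || useKind == "Object";
}

struct Edge {
    int child;
    std::string useKind;
    bool operator==(const Edge& o) const { return child == o.child && useKind == o.useKind; }
};

struct Node {
    int index;
    std::string op;
    std::vector<Edge> edges;
};

typedef std::vector<Node> Block;

// Renders a node the way the entry writes them: "7: Check(Int32:@5)".
static std::string dump(const Node& n)
{
    std::string s = std::to_string(n.index) + ": " + n.op + "(";
    for (size_t i = 0; i < n.edges.size(); ++i) {
        if (i) s += ", ";
        if (n.edges[i].useKind != "Untyped") s += n.edges[i].useKind + ":";
        s += "@" + std::to_string(n.edges[i].child);
    }
    return s + ")";
}

// Rewrites every block so that each Phantom becomes a Check carrying only its
// checking edges (a Phantom with none is dropped), and every node that was the
// child of any Phantom, in any block, is followed immediately by exactly one
// untyped Phantom of its own. New nodes get indices past the graph's maximum.
static std::vector<Block> canonicalizePhantoms(const std::vector<Block>& blocks)
{
    std::set<int> phantomChildren; // nodes some Phantom keeps alive, graph-wide
    int nextIndex = 0;
    for (const Block& block : blocks) {
        for (const Node& node : block) {
            nextIndex = std::max(nextIndex, node.index + 1);
            if (node.op != "Phantom") continue;
            for (const Edge& e : node.edges) phantomChildren.insert(e.child);
        }
    }
    std::vector<Block> result;
    for (const Block& block : blocks) {
        Block out;
        for (const Node& node : block) {
            if (node.op == "Phantom") {
                Node check = { node.index, "Check", {} };
                for (const Edge& e : node.edges)
                    if (isCheckingUseKind(e.useKind)) check.edges.push_back(e);
                if (!check.edges.empty()) out.push_back(check);
                continue;
            }
            out.push_back(node);
            if (phantomChildren.count(node.index))
                out.push_back(Node{ nextIndex++, "Phantom", { Edge{ node.index, "Untyped" } } });
        }
        result.push_back(out);
    }
    return result;
}

// Constructed graph: a block defining @1..@3, the entry's example block, and a
// block whose untyped Phantom keeps @3 alive across the block boundary.
static std::vector<Block> exampleGraph()
{
    return {
        { { 1, "JSConstant", {} }, { 2, "JSConstant", {} }, { 3, "GetLocal", {} } },
        { { 5, "ArithAdd", { { 1, "Untyped" }, { 2, "Untyped" } } },
          { 6, "ArithSub", { { 5, "Untyped" }, { 3, "Untyped" } } },
          { 7, "Phantom", { { 5, "Int32" } } } },
        { { 9, "Phantom", { { 3, "Untyped" } } },
          { 10, "Return", { { 6, "Untyped" } } } },
    };
}

int main()
{
    for (const Block& block : canonicalizePhantoms(exampleGraph())) {
        for (const Node& node : block) std::cout << dump(node) << "\n";
        std::cout << "--\n";
    }
    return 0;
}
```

Run stand-alone it prints the three rewritten blocks. The Phantom inserted after @5 receives index 12 here rather than the entry's 8 because fresh indices are allocated past the graph's highest one. The third block's untyped Phantom(@3) vanishes while @3 in the first block gains its own Phantom, which is the cross-block case the entry says complicates SSA transformations without canonicalization.
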
2779     2014-07-22  Filip Pizlo  <fpizlo@apple.com>
2780     
2781             [ftlopt] Get rid of structure checks as a way of checking if a function is in fact a function
2782             https://bugs.webkit.org/show_bug.cgi?id=135146
2783     
2784             Reviewed by Oliver Hunt.
2785             
2786             This greatly simplifies our closure call optimizations by taking advantage of the type
2787             bits available in the cell header.
2788     
2789             * bytecode/CallLinkInfo.cpp:
2790             (JSC::CallLinkInfo::visitWeak):
2791             * bytecode/CallLinkStatus.cpp:
2792             (JSC::CallLinkStatus::CallLinkStatus):
2793             (JSC::CallLinkStatus::computeFor):
2794             (JSC::CallLinkStatus::dump):
2795             * bytecode/CallLinkStatus.h:
2796             (JSC::CallLinkStatus::CallLinkStatus):
2797             (JSC::CallLinkStatus::executable):
2798             (JSC::CallLinkStatus::structure): Deleted.
2799             * dfg/DFGByteCodeParser.cpp:
2800             (JSC::DFG::ByteCodeParser::emitFunctionChecks):
2801             * dfg/DFGFixupPhase.cpp:
2802             (JSC::DFG::FixupPhase::fixupNode):
2803             (JSC::DFG::FixupPhase::observeUseKindOnNode):
2804             * dfg/DFGSafeToExecute.h:
2805             (JSC::DFG::SafeToExecuteEdge::operator()):
2806             * dfg/DFGSpeculativeJIT.cpp:
2807             (JSC::DFG::SpeculativeJIT::checkArray):
2808             (JSC::DFG::SpeculativeJIT::speculateCellTypeWithoutTypeFiltering):
2809             (JSC::DFG::SpeculativeJIT::speculateCellType):
2810             (JSC::DFG::SpeculativeJIT::speculateFunction):
2811             (JSC::DFG::SpeculativeJIT::speculateFinalObject):
2812             (JSC::DFG::SpeculativeJIT::speculate):
2813             * dfg/DFGSpeculativeJIT.h:
2814             * dfg/DFGSpeculativeJIT32_64.cpp:
2815             (JSC::DFG::SpeculativeJIT::compile):
2816             * dfg/DFGSpeculativeJIT64.cpp:
2817             (JSC::DFG::SpeculativeJIT::compile):
2818             * dfg/DFGUseKind.cpp:
2819             (WTF::printInternal):
2820             * dfg/DFGUseKind.h:
2821             (JSC::DFG::typeFilterFor):
2822             (JSC::DFG::isCell):
2823             * ftl/FTLCapabilities.cpp:
2824             (JSC::FTL::canCompile):
2825             * ftl/FTLLowerDFGToLLVM.cpp:
2826             (JSC::FTL::LowerDFGToLLVM::compileCheckExecutable):
2827             (JSC::FTL::LowerDFGToLLVM::speculate):
2828             (JSC::FTL::LowerDFGToLLVM::isFunction):
2829             (JSC::FTL::LowerDFGToLLVM::isNotFunction):
2830             (JSC::FTL::LowerDFGToLLVM::speculateFunction):
2831             * jit/ClosureCallStubRoutine.cpp:
2832             (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
2833             (JSC::ClosureCallStubRoutine::markRequiredObjectsInternal):
2834             * jit/ClosureCallStubRoutine.h:
2835             (JSC::ClosureCallStubRoutine::structure): Deleted.
2836             * jit/JIT.h:
2837             (JSC::JIT::compileClosureCall): Deleted.
2838             * jit/JITCall.cpp:
2839             (JSC::JIT::privateCompileClosureCall): Deleted.
2840             * jit/JITCall32_64.cpp:
2841             (JSC::JIT::privateCompileClosureCall): Deleted.
2842             * jit/JITOperations.cpp:
2843             * jit/Repatch.cpp:
2844             (JSC::linkClosureCall):
2845             * jit/Repatch.h:
2846     
2847 2014-08-06  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>
2848
2849         [ARM] Incorrect handling of Unicode characters
2850         https://bugs.webkit.org/show_bug.cgi?id=135380
2851
2852         Reviewed by Darin Adler.
2853
2854         Removed erroneous fast case from stringFromUTF(), since it assumed that 
2855         char is always implemented as signed.
2856
2857         * jsc.cpp:
2858         (stringFromUTF):
2859
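Added example, not the code the fix touched: the entry does not show the removed fast case, so the following C++ reconstructs the kind of check that is only correct when plain char is signed, beside a portable version and a probe of the compiling target's char signedness. The function names, the "café" sample and the ASCII-only fast-path framing are assumptions made for the example.

```cpp
#include <climits>
#include <cstddef>
#include <iostream>

// Constructed sample: "café" in UTF-8; the last two bytes are 0xC3 0xA9, both >= 0x80.
static const char kSampleUtf8[] = "caf\xC3\xA9";
static const size_t kSampleUtf8Length = sizeof(kSampleUtf8) - 1;

// Hypothetical fast case of the kind the fix removed: report that every byte is
// ASCII so the caller can skip UTF-8 decoding. It assumes plain char is signed,
// so that a byte >= 0x80 reads as a negative value. Where char is unsigned (the
// default on ARM), s[i] < 0 can never hold, so every input, including the
// multi-byte sample above, is declared ASCII and passed through undecoded.
static bool isAsciiOnlySignedCharAssumption(const char* s, size_t length)
{
    for (size_t i = 0; i < length; ++i) {
        if (s[i] < 0)
            return false;
    }
    return true;
}

// Portable check: widen through unsigned char before comparing against 0x80.
static bool isAsciiOnly(const char* s, size_t length)
{
    for (size_t i = 0; i < length; ++i) {
        if (static_cast<unsigned char>(s[i]) >= 0x80)
            return false;
    }
    return true;
}

// true when plain char is signed on the compiling target, false when it is unsigned.
static bool charIsSigned()
{
    return CHAR_MIN < 0;
}

int main()
{
    std::cout << "char is " << (charIsSigned() ? "signed" : "unsigned") << " here\n"
              << "signed-char fast case calls the sample ASCII: " << isAsciiOnlySignedCharAssumption(kSampleUtf8, kSampleUtf8Length) << "\n"
              << "portable check calls the sample ASCII:        " << isAsciiOnly(kSampleUtf8, kSampleUtf8Length) << "\n";
    return 0;
}
```

On an x86-64 build both functions reject the sample; on an unsigned-char target such as ARM the first one accepts it, so the two functions disagree exactly when charIsSigned() is false. For review purposes that is the point: a byte-classification shortcut written against signed char disables itself silently on the other ABI.
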
2860 2014-08-06  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>
2861
2862         [JSC] Build fix for FTL on EFL after ftlopt merge
2863         https://bugs.webkit.org/show_bug.cgi?id=135565
2864
2865         Reviewed by Mark Lam.
2866
2867         Adding an enable guard for native inlining, since it now requires the bitcode
2868         emitted from Clang, and we don't have a good way of creating it from other compilers.
2869
2870         * dfg/DFGByteCodeParser.cpp:
2871         (JSC::DFG::ByteCodeParser::handleCall):
2872         * ftl/FTLLowerDFGToLLVM.cpp:
2873         (JSC::FTL::LowerDFGToLLVM::compileNode):
2874         * ftl/FTLState.cpp:
2875         (JSC::FTL::State::State):
2876         * ftl/FTLState.h:
2877
2878 2014-08-05  Csaba Osztrogonác  <ossy@webkit.org>
2879
2880         URTBF after r172129. (ftlopt branch merge)
2881
2882         Remove the duplicated friend declaration to fix this build failure:
2883         "error: ‘JSC::Structure’ is already a friend of ‘JSC::StructureRareData’ [-Werror]"
2884
2885         * runtime/StructureRareData.h:
2886
2887 2014-08-05  Filip Pizlo  <fpizlo@apple.com>
2888
2889         Attempt to fix CMake-based builds, part 3.
2890
2891         * CMakeLists.txt:
2892
2893 2014-08-05  Filip Pizlo  <fpizlo@apple.com>
2894
2895         Attempt to fix CMake-based builds, part 2.
2896
2897         * CMakeLists.txt:
2898
2899 2014-08-05  Filip Pizlo  <fpizlo@apple.com>
2900
2901         Attempt to fix Windows build, part 2.
2902
2903         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2904
2905 2014-08-05  Filip Pizlo  <fpizlo@apple.com>
2906
2907         Attempt to fix CMake-based builds.
2908
2909         * CMakeLists.txt:
2910
2911 2014-08-05  Filip Pizlo  <fpizlo@apple.com>
2912
2913         Attempt to fix Windows build.
2914
2915         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2916
2917 2014-08-05  Filip Pizlo  <fpizlo@apple.com>
2918
2919         Fix cloop build.
2920
2921         * bytecode/CodeBlock.cpp:
2922         (JSC::CodeBlock::jettison):
2923
2924 2014-07-29  Filip Pizlo  <fpizlo@apple.com>
2925
2926         Merge r170564, r170571, r170604, r170628, r170672, r170680, r170724, r170728, r170729, r170819, r170821, r170836, r170855, r170860, r170890, r170907, r170929, r171052, r171106, r171152, r171153, r171214 from ftlopt.
2927
2928         This part of the merge delivers roughly a 2% across-the-board performance
2929         improvement, mostly due to immutable property inference and DFG-side GCSE. It also
2930         almost completely resolves accessor performance issues; in the common case the DFG
2931         will compile a getter/setter access into code that is just as efficient as a normal
2932         property access.
2933         
2934         Another major highlight of this part of the merge is the work to add a type profiler
2935         to the inspector. This work is still on-going but this greatly increases coverage.
2936
2937         Note that this merge fixes a minor bug in the GetterSetter refactoring from
2938         http://trac.webkit.org/changeset/170729 (https://bugs.webkit.org/show_bug.cgi?id=134518).
2939         It also adds new tests to tests/stress to cover that bug. That bug was previously only
2940         covered by layout tests.
2941
2942     2014-07-17  Filip Pizlo  <fpizlo@apple.com>
2943     
2944             [ftlopt] DFG Flush(SetLocal) store elimination is overzealous for captured variables in the presence of nodes that have no effects but may throw (merge trunk r171190)
2945             https://bugs.webkit.org/show_bug.cgi?id=135019
2946     
2947             Reviewed by Oliver Hunt.
2948             
2949             Behaviorally, this is just a merge of trunk r171190, except that the relevant functionality
2950             has moved to StrengthReductionPhase and is written in a different style. Same algorithm,
2951             different code.
2952     
2953             * dfg/DFGNodeType.h:
2954             * dfg/DFGStrengthReductionPhase.cpp:
2955             (JSC::DFG::StrengthReductionPhase::handleNode):
2956             * tests/stress/capture-escape-and-throw.js: Added.
2957             (foo.f):
2958             (foo):
2959             * tests/stress/new-array-with-size-throw-exception-and-tear-off-arguments.js: Added.
2960             (foo):
2961             (bar):
2962     
2963     2014-07-15  Filip Pizlo  <fpizlo@apple.com>
2964     
2965             [ftlopt] Constant fold GetGetter and GetSetter if the GetterSetter is a constant
2966             https://bugs.webkit.org/show_bug.cgi?id=134962
2967     
2968             Reviewed by Oliver Hunt.
2969             
2970             This removes yet another steady-state-throughput implication of using getters and setters:
2971             if your accessor call is monomorphic then you'll just get a structure check, nothing more.
2972             No more loads to get to the GetterSetter object or the accessor function object.
2973     
2974             * dfg/DFGAbstractInterpreterInlines.h:
2975             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2976             * runtime/GetterSetter.h:
2977             (JSC::GetterSetter::getterConcurrently):
2978             (JSC::GetterSetter::setGetter):
2979             (JSC::GetterSetter::setterConcurrently):
2980             (JSC::GetterSetter::setSetter):
2981     
2982     2014-07-15  Filip Pizlo  <fpizlo@apple.com>
2983     
2984             [ftlopt] Identity replacement in CSE shouldn't create a Phantom over the Identity's children
2985             https://bugs.webkit.org/show_bug.cgi?id=134893
2986     
2987             Reviewed by Oliver Hunt.
2988             
2989             Replace Identity with Check instead of Phantom. Phantom means that the child of the
2990             Identity should be unconditionally live. The liveness semantics of Identity are such that
2991             if the parents of Identity are live then the child is live. Removing the Identity entirely
2992             preserves such liveness semantics. So, the only thing that should be left behind is the
2993             type check on the child, which is what Check means: do the check but don't keep the child
2994             alive if the check isn't needed.
2995     
2996             * dfg/DFGCSEPhase.cpp:
2997             * dfg/DFGNode.h:
2998             (JSC::DFG::Node::convertToCheck):
2999     
3000     2014-07-13  Filip Pizlo  <fpizlo@apple.com>
3001     
3002             [ftlopt] DFG should be able to do GCSE in SSA and this should be unified with the CSE in CPS, and both of these things should use abstract heaps for reasoning about effects
3003             https://bugs.webkit.org/show_bug.cgi?id=134677
3004     
3005             Reviewed by Sam Weinig.
3006             
3007             This removes the old local CSE phase, which was based on manually written backward-search 
3008             rules for all of the different kinds of things we cared about, and adds a new local/global
3009             CSE (local for CPS and global for SSA) that leaves the node semantics almost entirely up to
3010             clobberize(). Thus, the CSE phase itself just worries about the algorithms and data
3011             structures used for storing sets of available values. This results in a large reduction in
3012             code size in CSEPhase.cpp while greatly increasing the phase's power (since it now does
3013             global CSE) and reducing compile time (since local CSE is now rewritten to use smarter data
3014             structures). Even though LLVM was already running GVN, the extra GCSE at DFG IR level means
3015             that this is a significant (~0.7%) throughput improvement.
3016             
3017             This work is based on the concept of "def" to clobberize(). If clobberize() calls def(), it
3018             means that the node being analyzed makes available some value in some DFG node, and that
3019             future attempts to compute that value can simply use that node. In other words, it
3020             establishes an available value mapping of the form value=>node. There are two kinds of
3021             values that can be passed to def():
3022             
3023             PureValue. This captures everything needed to determine whether two pure nodes - nodes that
3024                 neither read nor write, and produce a value that is a CSE candidate - are identical. It
3025                 carries the NodeType, an AdjacencyList, and one word of meta-data. The meta-data is
3026                 usually used for things like the arithmetic mode or constant pointer. Passing a
3027                 PureValue to def() means that the node produces a value that is valid anywhere that the
3028                 node dominates.
3029             
3030             HeapLocation. This describes a location in the heap that could be written to or read from.
3031                 Both stores and loads can def() a HeapLocation. HeapLocation carries around an abstract
3032                 heap that both serves as part of the "name" of the heap location (together with the
3033                 other fields of HeapLocation) and also tells us what write()'s to watch for. If someone
3034                 write()'s to an abstract heap that overlaps the heap associated with the HeapLocation,
3035                 then it means that the values for that location are no longer available.
3036             
3037             This approach is sufficiently clever that the CSEPhase itself can focus on the mechanism of
3038             tracking the PureValue=>node and HeapLocation=>node maps, without having to worry about
3039             interpreting the semantics of different DFG node types - that is now almost entirely in
3040             clobberize(). The only things we special-case inside CSEPhase are the Identity node, which
3041             CSE is traditionally responsible for eliminating even though it has nothing to do with CSE,
3042             and the LocalCSE rule for turning PutByVal into PutByValAlias.
3043             
3044             This is a slight Octane, SunSpider, and Kraken speed-up - all somewhere around 0.7%. It's
3045             not a bigger win because LLVM was already giving us most of what we needed in its GVN.
3046             Also, the SunSpider speed-up isn't from GCSE as much as it's a clean-up of local CSE - that
3047             is no longer O(n^2). Basically this is purely good: it reduces the amount of LLVM IR we
3048             generate, it removes the old CSE's heap modeling (which was a constant source of bugs), and
3049             it improves both the quality of the code we generate and the speed with which we generate
3050             it. Also, any future optimizations that depend on GCSE will now be easier to implement.
3051             
3052             During the development of this patch I also rationalized some other stuff, like Graph's
3053             ordered traversals - we now have preorder and postorder rather than just "depth first".
3054     
3055             * CMakeLists.txt:
3056             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3057             * JavaScriptCore.xcodeproj/project.pbxproj:
3058             * dfg/DFGAbstractHeap.h:
3059             * dfg/DFGAdjacencyList.h:
3060             (JSC::DFG::AdjacencyList::hash):
3061             (JSC::DFG::AdjacencyList::operator==):
3062             * dfg/DFGBasicBlock.h:
3063             * dfg/DFGCSEPhase.cpp:
3064             (JSC::DFG::performLocalCSE):
3065             (JSC::DFG::performGlobalCSE):
3066             (JSC::DFG::CSEPhase::CSEPhase): Deleted.
3067             (JSC::DFG::CSEPhase::run): Deleted.
3068             (JSC::DFG::CSEPhase::endIndexForPureCSE): Deleted.
3069             (JSC::DFG::CSEPhase::pureCSE): Deleted.
3070             (JSC::DFG::CSEPhase::constantCSE): Deleted.
3071             (JSC::DFG::CSEPhase::constantStoragePointerCSE): Deleted.
3072             (JSC::DFG::CSEPhase::getCalleeLoadElimination): Deleted.
3073             (JSC::DFG::CSEPhase::getArrayLengthElimination): Deleted.
3074             (JSC::DFG::CSEPhase::globalVarLoadElimination): Deleted.
3075             (JSC::DFG::CSEPhase::scopedVarLoadElimination): Deleted.
3076             (JSC::DFG::CSEPhase::varInjectionWatchpointElimination): Deleted.
3077             (JSC::DFG::CSEPhase::getByValLoadElimination): Deleted.
3078             (JSC::DFG::CSEPhase::checkFunctionElimination): Deleted.
3079             (JSC::DFG::CSEPhase::checkExecutableElimination): Deleted.
3080             (JSC::DFG::CSEPhase::checkStructureElimination): Deleted.
3081             (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination): Deleted.
3082             (JSC::DFG::CSEPhase::getByOffsetLoadElimination): Deleted.
3083             (JSC::DFG::CSEPhase::getGetterSetterByOffsetLoadElimination): Deleted.
3084             (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination): Deleted.
3085             (JSC::DFG::CSEPhase::checkArrayElimination): Deleted.
3086             (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination): Deleted.
3087             (JSC::DFG::CSEPhase::getInternalFieldLoadElimination): Deleted.
3088             (JSC::DFG::CSEPhase::getMyScopeLoadElimination): Deleted.
3089             (JSC::DFG::CSEPhase::getLocalLoadElimination): Deleted.
3090             (JSC::DFG::CSEPhase::invalidationPointElimination): Deleted.
3091             (JSC::DFG::CSEPhase::setReplacement): Deleted.
3092             (JSC::DFG::CSEPhase::eliminate): Deleted.
3093             (JSC::DFG::CSEPhase::performNodeCSE): Deleted.
3094             (JSC::DFG::CSEPhase::performBlockCSE): Deleted.
3095             (JSC::DFG::performCSE): Deleted.
3096             * dfg/DFGCSEPhase.h:
3097             * dfg/DFGClobberSet.cpp:
3098             (JSC::DFG::addReads):
3099             (JSC::DFG::addWrites):
3100             (JSC::DFG::addReadsAndWrites):
3101             (JSC::DFG::readsOverlap):
3102             (JSC::DFG::writesOverlap):
3103             * dfg/DFGClobberize.cpp:
3104             (JSC::DFG::doesWrites):
3105             (JSC::DFG::accessesOverlap):
3106             (JSC::DFG::writesOverlap):
3107             * dfg/DFGClobberize.h:
3108             (JSC::DFG::clobberize):
3109             (JSC::DFG::NoOpClobberize::operator()):
3110             (JSC::DFG::CheckClobberize::operator()):
3111             (JSC::DFG::ReadMethodClobberize::ReadMethodClobberize):
3112             (JSC::DFG::ReadMethodClobberize::operator()):
3113             (JSC::DFG::WriteMethodClobberize::WriteMethodClobberize):
3114             (JSC::DFG::WriteMethodClobberize::operator()):
3115             (JSC::DFG::DefMethodClobberize::DefMethodClobberize):
3116             (JSC::DFG::DefMethodClobberize::operator()):
3117             * dfg/DFGDCEPhase.cpp:
3118             (JSC::DFG::DCEPhase::run):
3119             (JSC::DFG::DCEPhase::fixupBlock):
3120             * dfg/DFGGraph.cpp:
3121             (JSC::DFG::Graph::getBlocksInPreOrder):
3122             (JSC::DFG::Graph::getBlocksInPostOrder):
3123             (JSC::DFG::Graph::addForDepthFirstSort): Deleted.
3124             (JSC::DFG::Graph::getBlocksInDepthFirstOrder): Deleted.
3125             * dfg/DFGGraph.h:
3126             * dfg/DFGHeapLocation.cpp: Added.
3127             (JSC::DFG::HeapLocation::dump):
3128             (WTF::printInternal):
3129             * dfg/DFGHeapLocation.h: Added.
3130             (JSC::DFG::HeapLocation::HeapLocation):
3131             (JSC::DFG::HeapLocation::operator!):
3132             (JSC::DFG::HeapLocation::kind):
3133             (JSC::DFG::HeapLocation::heap):
3134             (JSC::DFG::HeapLocation::base):
3135             (JSC::DFG::HeapLocation::index):
3136             (JSC::DFG::HeapLocation::hash):
3137             (JSC::DFG::HeapLocation::operator==):
3138             (JSC::DFG::HeapLocation::isHashTableDeletedValue):
3139             (JSC::DFG::HeapLocationHash::hash):
3140             (JSC::DFG::HeapLocationHash::equal):
3141             * dfg/DFGLICMPhase.cpp:
3142             (JSC::DFG::LICMPhase::run):
3143             * dfg/DFGNode.h:
3144             (JSC::DFG::Node::replaceWith):
3145             (JSC::DFG::Node::convertToPhantomUnchecked): Deleted.
3146             * dfg/DFGPlan.cpp:
3147             (JSC::DFG::Plan::compileInThreadImpl):
3148             * dfg/DFGPureValue.cpp: Added.
3149             (JSC::DFG::PureValue::dump):
3150             * dfg/DFGPureValue.h: Added.
3151             (JSC::DFG::PureValue::PureValue):
3152             (JSC::DFG::PureValue::operator!):
3153             (JSC::DFG::PureValue::op):
3154             (JSC::DFG::PureValue::children):
3155             (JSC::DFG::PureValue::info):
3156             (JSC::DFG::PureValue::hash):
3157             (JSC::DFG::PureValue::operator==):
3158             (JSC::DFG::PureValue::isHashTableDeletedValue):
3159             (JSC::DFG::PureValueHash::hash):
3160             (JSC::DFG::PureValueHash::equal):
3161             * dfg/DFGSSAConversionPhase.cpp:
3162             (JSC::DFG::SSAConversionPhase::run):
3163             * ftl/FTLLowerDFGToLLVM.cpp:
3164             (JSC::FTL::LowerDFGToLLVM::lower):
3165     
3166     2014-07-13  Filip Pizlo  <fpizlo@apple.com>
3167     
3168             Unreviewed, revert unintended change in r171051.
3169     
3170             * dfg/DFGCSEPhase.cpp:
3171     
3172     2014-07-08  Filip Pizlo  <fpizlo@apple.com>
3173     
3174             [ftlopt] Move Flush(SetLocal) store elimination to StrengthReductionPhase
3175             https://bugs.webkit.org/show_bug.cgi?id=134739
3176     
3177             Reviewed by Mark Hahnenberg.
3178             
3179             I'm going to streamline CSE around clobberize() as part of
3180             https://bugs.webkit.org/show_bug.cgi?id=134677, and so Flush(SetLocal) store
3181             elimination wouldn't belong in CSE anymore. It doesn't quite belong anywhere, which
3182             means that it belongs in StrengthReductionPhase, since that's intended to be our
3183             dumping ground.
3184             
3185             To do this I had to add some missing smarts to clobberize(). Previously clobberize()
3186             could play a bit loose with reads of Variables because it wasn't used for store
3187             elimination. The main client of read() was LICM, but it would only use it to
3188             determine hoistability and anything that did a write() was not hoistable - so, we had
3189             benign (but still wrong) missing read() calls in places that did write()s. This fixes
3190             a bunch of those cases.
3191     
3192             * dfg/DFGCSEPhase.cpp:
3193             (JSC::DFG::CSEPhase::performNodeCSE):
3194             (JSC::DFG::CSEPhase::setLocalStoreElimination): Deleted.
3195             * dfg/DFGClobberize.cpp:
3196             (JSC::DFG::accessesOverlap):
3197             * dfg/DFGClobberize.h:
3198             (JSC::DFG::clobberize): Make clobberize() smart enough for detecting when this store elimination would be sound.
3199             * dfg/DFGStrengthReductionPhase.cpp:
3200             (JSC::DFG::StrengthReductionPhase::handleNode): Implement the store elimination in terms of clobberize().
3201     
3202     2014-07-08  Filip Pizlo  <fpizlo@apple.com>
3203     
3204             [ftlopt] Phantom simplification should be in its own phase
3205             https://bugs.webkit.org/show_bug.cgi?id=134742
3206     
3207             Reviewed by Geoffrey Garen.
3208             
3209             This moves Phantom simplification out of CSE, which greatly simplifies CSE and gives it
3210             more focus. Also this finally adds a phase that removes empty Phantoms. We sort of had
3211             this in CPSRethreading, but that phase runs too infrequently and doesn't run at all for
3212             SSA.
3213     
3214             * CMakeLists.txt:
3215             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3216             * JavaScriptCore.xcodeproj/project.pbxproj:
3217             * dfg/DFGAdjacencyList.h:
3218             * dfg/DFGCSEPhase.cpp:
3219             (JSC::DFG::CSEPhase::run):
3220             (JSC::DFG::CSEPhase::setReplacement):
3221             (JSC::DFG::CSEPhase::eliminate):
3222             (JSC::DFG::CSEPhase::performNodeCSE):
3223             (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren): Deleted.
3224             * dfg/DFGPhantomRemovalPhase.cpp: Added.
3225             (JSC::DFG::PhantomRemovalPhase::PhantomRemovalPhase):
3226             (JSC::DFG::PhantomRemovalPhase::run):
3227             (JSC::DFG::performCleanUp):
3228             * dfg/DFGPhantomRemovalPhase.h: Added.
3229             * dfg/DFGPlan.cpp:
3230             (JSC::DFG::Plan::compileInThreadImpl):
3231     
3232     2014-07-08  Filip Pizlo  <fpizlo@apple.com>
3233     
3234             [ftlopt] Get rid of Node::misc by moving the fields out of the union so that you can use replacement and owner simultaneously
3235             https://bugs.webkit.org/show_bug.cgi?id=134730
3236     
3237             Reviewed by Mark Lam.
3238             
3239             This will allow for a better GCSE implementation.
3240     
3241             * dfg/DFGCPSRethreadingPhase.cpp:
3242             (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
3243             * dfg/DFGCSEPhase.cpp:
3244             (JSC::DFG::CSEPhase::setReplacement):
3245             * dfg/DFGEdgeDominates.h:
3246             (JSC::DFG::EdgeDominates::operator()):
3247             * dfg/DFGGraph.cpp:
3248             (JSC::DFG::Graph::clearReplacements):
3249             (JSC::DFG::Graph::initializeNodeOwners):
3250             * dfg/DFGGraph.h:
3251             (JSC::DFG::Graph::performSubstitutionForEdge):
3252             * dfg/DFGLICMPhase.cpp:
3253             (JSC::DFG::LICMPhase::attemptHoist):
3254             * dfg/DFGNode.h:
3255             (JSC::DFG::Node::Node):
3256             * dfg/DFGSSAConversionPhase.cpp:
3257             (JSC::DFG::SSAConversionPhase::run):
3258     
3259     2014-07-04  Filip Pizlo  <fpizlo@apple.com>
3260     
3261             [ftlopt] Infer immutable object properties
3262             https://bugs.webkit.org/show_bug.cgi?id=134567
3263     
3264             Reviewed by Mark Hahnenberg.
3265             
3266             This introduces a new way of inferring immutable object properties. A property is said to
3267             be immutable if after its creation (i.e. the transition that creates it), we never
3268             overwrite it (i.e. replace it) or delete it. Immutability is a property of an "own
3269             property" - so if we say that "f" is immutable at "o" then we are implying that "o" has "f"
3270             directly and not on a prototype. More specifically, the immutability inference will prove
3271             that a property on some structure is immutable. This means that, for example, we may have a
3272             structure S1 with property "f" where we claim that "f" at S1 is immutable, but S1 has a
3273             transition to S2 that adds a new property "g" and we may claim that "f" at S2 is actually
3274             mutable. This is mainly for convenience; it allows us to decouple immutability logic from
3275             transition logic. Immutability can be used to constant-fold accesses to objects at
3276             DFG-time. The DFG needs to prove the following to constant-fold the access:
3277             
3278             - The base of the access must be a constant object pointer. We prove that a property at a
3279               structure is immutable, but that says nothing of its value; each actual instance of that
3280               property may have a different value. So, a constant object pointer is needed to get an
3281               actual constant instance of the immutable value.
3282             
3283             - A check (or watchpoint) must have been emitted proving that the object has a structure
3284               that allows loading the property in question.
3285             
3286             - The replacement watchpoint set of the property in the structure that we've proven the
3287               object to have is still valid and we add a watchpoint to it lazily. The replacement
3288               watchpoint set is the key new mechanism that this change adds. It's possible that we have
3289               proven that the object has one of many structures, in which case each of those structures
3290               needs a valid replacement watchpoint set.
3291             
3292             The replacement watchpoint set is created the first time that any access to the property is
3293             cached. A put replace cache will create, and immediately invalidate, the watchpoint set. A
3294             get cache will create the watchpoint set and make it start watching. Any non-cached put
3295             access will invalidate the watchpoint set if one had been created; the underlying algorithm
3296             ensures that checking for the existence of a replacement watchpoint set is very fast in the
3297             common case. This algorithm ensures that no cached access needs to ever do any work to
3298             invalidate, or check the validity of, any replacement watchpoint sets. It also has some
3299             other nice properties:
3300             
3301             - It's very robust in its definition of immutability. The strictest that it will ever be is
3302               that for any instance of the object, the property must be written to only once,
3303               specifically at the time that the property is created. But it's looser than this in
3304               practice. For example, the property may be written to any number of times before we add
3305               the final property that the object will have before anyone reads the property; this works
3306               since for optimization purposes we only care if we detect immutability on the structure
3307               that the object will have when it is most frequently read from, not any previous
3308               structure that the object had. Also, we may write to the property any number of times
3309               before anyone caches accesses to it.
3310             
3311             - It is mostly orthogonal to structure transitions. No new structures need to be created to
3312               track the immutability of a property. Hence, there is no risk from this feature causing
3313               more polymorphism. This is different from the previous "specificValue" constant
3314               inference, which did cause additional structures to be created and sometimes those
3315               structures led to fake polymorphism. This feature does leverage existing transitions to
3316               do some of the watchpointing: property deletions don't fire the replacement watchpoint
3317               set because that would cause a new structure and so the mandatory structure check would
3318               fail. Also, this feature is guaranteed to never kick in for uncacheable dictionaries
3319               because those wouldn't allow for cacheable accesses - and it takes a cacheable access for
3320               this feature to be enabled.
3321             
3322             - No memory overhead is incurred except when accesses to the property are cached.
3323               Dictionary properties will typically have no meta-data for immutability. The number of
3324               replacement watchpoint sets we allocate is proportional to the number of inline caches in
3325               the program, which is typically much smaller than the number of structures or even the
3326               number of objects.
3327             
3328             This inference is far more powerful than the previous "specificValue" inference, so this
3329             change also removes all of that code. It's interesting that the amount of code that is
3330             changed to remove that feature is almost as big as the amount of code added to support the
3331             new inference - and that's if you include the new tests in the tally. Without new tests,
3332             it appears that the new feature actually touches less code!
3333             
3334             There is one corner case where the previous "specificValue" inference was more powerful.
3335             You can imagine someone creating objects with functions as self properties on those
3336             objects, such that each object instance had the same function pointers - essentially,
3337             someone might be trying to create a vtable but failing at the whole "one vtable for many
3338             instances" concept. The "specificValue" inference would do very well for such programs,
3339             because a structure check would be sufficient to prove a constant value for all of the
3340             function properties. This new inference will fail because it doesn't track the constant
3341             values of constant properties; instead it detects the immutability of otherwise variable
3342             properties (in the sense that each instance of the property may have a different value).
3343             So, the new inference requires having a particular object instance to actually get the
3344             constant value. I think it's OK to lose this antifeature. It took a lot of code to support
3345             and was a constant source of grief in our transition logic, and there doesn't appear to be
3346             any real evidence that programs benefited from that particular kind of inference since
3347             usually it's the singleton prototype instance that has all of the functions.
3348             
3349             This change is a speed-up on everything. date-format-xparb and both SunSpider/raytrace and
3350             V8/raytrace seem to be the biggest winners among the macrobenchmarks; they see >5%
3351             speed-ups. Many of our microbenchmarks see very large performance improvements, even 80% in
3352             one case.
3353     
3354             * bytecode/ComplexGetStatus.cpp:
3355             (JSC::ComplexGetStatus::computeFor):
3356             * bytecode/GetByIdStatus.cpp:
3357             (JSC::GetByIdStatus::computeFromLLInt):
3358             (JSC::GetByIdStatus::computeForStubInfo):
3359             (JSC::GetByIdStatus::computeFor):
3360             * bytecode/GetByIdVariant.cpp:
3361             (JSC::GetByIdVariant::GetByIdVariant):
3362             (JSC::GetByIdVariant::operator=):
3363             (JSC::GetByIdVariant::attemptToMerge):
3364             (JSC::GetByIdVariant::dumpInContext):
3365             * bytecode/GetByIdVariant.h:
3366             (JSC::GetByIdVariant::alternateBase):
3367             (JSC::GetByIdVariant::specificValue): Deleted.
3368             * bytecode/PutByIdStatus.cpp:
3369             (JSC::PutByIdStatus::computeForStubInfo):
3370             (JSC::PutByIdStatus::computeFor):
3371             * bytecode/PutByIdVariant.cpp:
3372             (JSC::PutByIdVariant::operator=):
3373             (JSC::PutByIdVariant::setter):
3374             (JSC::PutByIdVariant::dumpInContext):
3375             * bytecode/PutByIdVariant.h:
3376             (JSC::PutByIdVariant::specificValue): Deleted.
3377             * bytecode/Watchpoint.cpp:
3378             (JSC::WatchpointSet::fireAllSlow):
3379             (JSC::WatchpointSet::fireAll): Deleted.
3380             * bytecode/Watchpoint.h:
3381             (JSC::WatchpointSet::fireAll):
3382             * dfg/DFGAbstractInterpreterInlines.h:
3383             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3384             * dfg/DFGByteCodeParser.cpp:
3385             (JSC::DFG::ByteCodeParser::handleGetByOffset):
3386             (JSC::DFG::ByteCodeParser::handleGetById):
3387             (JSC::DFG::ByteCodeParser::handlePutById):
3388             (JSC::DFG::ByteCodeParser::parseBlock):
3389             * dfg/DFGConstantFoldingPhase.cpp:
3390             (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
3391             * dfg/DFGFixupPhase.cpp:
3392             (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
3393             (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
3394             * dfg/DFGGraph.cpp:
3395             (JSC::DFG::Graph::tryGetConstantProperty):
3396             (JSC::DFG::Graph::visitChildren):
3397             * dfg/DFGGraph.h:
3398             * dfg/DFGWatchableStructureWatchingPhase.cpp:
3399             (JSC::DFG::WatchableStructureWatchingPhase::run):
3400             * ftl/FTLLowerDFGToLLVM.cpp:
3401             (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
3402             * jit/JITOperations.cpp:
3403             * jit/Repatch.cpp:
3404             (JSC::repatchByIdSelfAccess):
3405             (JSC::generateByIdStub):
3406             (JSC::tryCacheGetByID):
3407             (JSC::tryCachePutByID):
3408             (JSC::tryBuildPutByIdList):
3409             * llint/LLIntSlowPaths.cpp:
3410             (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3411             (JSC::LLInt::putToScopeCommon):
3412             * runtime/CommonSlowPaths.h:
3413             (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
3414             * runtime/IntendedStructureChain.cpp:
3415             (JSC::IntendedStructureChain::mayInterceptStoreTo):
3416             * runtime/JSCJSValue.cpp:
3417             (JSC::JSValue::putToPrimitive):
3418             * runtime/JSGlobalObject.cpp:
3419             (JSC::JSGlobalObject::reset):
3420             * runtime/JSObject.cpp:
3421             (JSC::JSObject::put):
3422             (JSC::JSObject::putDirectNonIndexAccessor):
3423             (JSC::JSObject::deleteProperty):
3424             (JSC::JSObject::defaultValue):
3425             (JSC::getCallableObjectSlow): Deleted.
3426             (JSC::JSObject::getPropertySpecificValue): Deleted.
3427             * runtime/JSObject.h:
3428             (JSC::JSObject::getDirect):
3429             (JSC::JSObject::getDirectOffset):
3430             (JSC::JSObject::inlineGetOwnPropertySlot):
3431             (JSC::JSObject::putDirectInternal):
3432             (JSC::JSObject::putOwnDataProperty):
3433             (JSC::JSObject::putDirect):
3434             (JSC::JSObject::putDirectWithoutTransition):
3435             (JSC::getCallableObject): Deleted.
3436             * runtime/JSScope.cpp:
3437             (JSC::abstractAccess):
3438             * runtime/PropertyMapHashTable.h:
3439             (JSC::PropertyMapEntry::PropertyMapEntry):
3440             (JSC::PropertyTable::copy):
3441             * runtime/PropertyTable.cpp:
3442             (JSC::PropertyTable::clone):
3443             (JSC::PropertyTable::PropertyTable):
3444             (JSC::PropertyTable::visitChildren): Deleted.
3445             * runtime/Structure.cpp:
3446             (JSC::Structure::Structure):
3447             (JSC::Structure::materializePropertyMap):
3448             (JSC::Structure::addPropertyTransitionToExistingStructureImpl):
3449             (JSC::Structure::addPropertyTransitionToExistingStructure):
3450             (JSC::Structure::addPropertyTransitionToExistingStructureConcurrently):
3451             (JSC::Structure::addPropertyTransition):
3452             (JSC::Structure::changePrototypeTransition):
3453             (JSC::Structure::attributeChangeTransition):
3454             (JSC::Structure::toDictionaryTransition):
3455             (JSC::Structure::preventExtensionsTransition):
3456             (JSC::Structure::takePropertyTableOrCloneIfPinned):
3457             (JSC::Structure::nonPropertyTransition):
3458             (JSC::Structure::addPropertyWithoutTransition):
3459             (JSC::Structure::allocateRareData):
3460             (JSC::Structure::ensurePropertyReplacementWatchpointSet):
3461             (JSC::Structure::startWatchingPropertyForReplacements):
3462             (JSC::Structure::didCachePropertyReplacement):
3463             (JSC::Structure::startWatchingInternalProperties):
3464             (JSC::Structure::copyPropertyTable):
3465             (JSC::Structure::copyPropertyTableForPinning):
3466             (JSC::Structure::getConcurrently):
3467             (JSC::Structure::get):
3468             (JSC::Structure::add):
3469             (JSC::Structure::visitChildren):
3470             (JSC::Structure::prototypeChainMayInterceptStoreTo):
3471             (JSC::Structure::dump):
3472             (JSC::Structure::despecifyDictionaryFunction): Deleted.
3473             (JSC::Structure::despecifyFunctionTransition): Deleted.
3474             (JSC::Structure::despecifyFunction): Deleted.
3475             (JSC::Structure::despecifyAllFunctions): Deleted.
3476             (JSC::Structure::putSpecificValue): Deleted.
3477             * runtime/Structure.h:
3478             (JSC::Structure::startWatchingPropertyForReplacements):
3479             (JSC::Structure::startWatchingInternalPropertiesIfNecessary):
3480             (JSC::Structure::startWatchingInternalPropertiesIfNecessaryForEntireChain):
3481             (JSC::Structure::transitionDidInvolveSpecificValue): Deleted.
3482             (JSC::Structure::disableSpecificFunctionTracking): Deleted.
3483             * runtime/StructureInlines.h:
3484             (JSC::Structure::getConcurrently):
3485             (JSC::Structure::didReplaceProperty):
3486             (JSC::Structure::propertyReplacementWatchpointSet):
3487             * runtime/StructureRareData.cpp:
3488             (JSC::StructureRareData::destroy):
3489             * runtime/StructureRareData.h:
3490             * tests/stress/infer-constant-global-property.js: Added.
3491             (foo.Math.sin):
3492             (foo):
3493             * tests/stress/infer-constant-property.js: Added.
3494             (foo):
3495             * tests/stress/jit-cache-poly-replace-then-cache-get-and-fold-then-invalidate.js: Added.
3496             (foo):
3497             (bar):
3498             * tests/stress/jit-cache-replace-then-cache-get-and-fold-then-invalidate.js: Added.
3499             (foo):
3500             (bar):
3501             * tests/stress/jit-put-to-scope-global-cache-watchpoint-invalidate.js: Added.
3502             (foo):
3503             (bar):
3504             * tests/stress/llint-cache-replace-then-cache-get-and-fold-then-invalidate.js: Added.
3505             (foo):
3506             (bar):
3507             * tests/stress/llint-put-to-scope-global-cache-watchpoint-invalidate.js: Added.
3508             (foo):
3509             (bar):
3510             * tests/stress/repeat-put-to-scope-global-with-same-value-watchpoint-invalidate.js: Added.
3511             (foo):
3512             (bar):
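
        Added illustration for the entry above (not JSC's code and not part of this ChangeLog): a
        small C++ model of the replacement watchpoint set lifecycle it describes. Every type and
        function name here (WatchState, ReplacementWatchpointSet, StructureModel, didCacheGet,
        didCachePutReplace, didUncachedPut, tryConstantFold) is invented for the model; JSC's real
        WatchpointSet states and Structure APIs differ. Only the transitions are taken from the
        text: a get cache creates the set and starts watching, a put-replace cache creates it and
        immediately invalidates it, a non-cached put fires it only if one exists, and the DFG folds
        only with a constant base, a proven structure, and a still-valid set.

```cpp
#include <map>
#include <memory>
#include <string>

// States of a replacement watchpoint set in this model (names are ours).
enum class WatchState { Clear, Watching, Invalidated };

struct ReplacementWatchpointSet {
    WatchState state = WatchState::Clear;
    int lazilyAddedWatchpoints = 0;   // DFG watchpoints registered when folding
    bool isStillValid() const { return state != WatchState::Invalidated; }
    void startWatching() { if (state == WatchState::Clear) state = WatchState::Watching; }
    void fireAll() { state = WatchState::Invalidated; }
};

// One optional set per property; nothing is allocated until an inline cache
// touches the property, so never-cached objects carry no metadata at all.
struct StructureModel {
    std::map<std::string, std::unique_ptr<ReplacementWatchpointSet>> replacementSets;

    ReplacementWatchpointSet* existingSet(const std::string& name) const {
        auto it = replacementSets.find(name);
        return it == replacementSets.end() ? nullptr : it->second.get();
    }
    ReplacementWatchpointSet& ensureSet(const std::string& name) {
        std::unique_ptr<ReplacementWatchpointSet>& slot = replacementSets[name];
        if (!slot)
            slot.reset(new ReplacementWatchpointSet);
        return *slot;
    }
};

// A get cache creates the set if needed and makes it start watching.
void didCacheGet(StructureModel& s, const std::string& name) {
    s.ensureSet(name).startWatching();
}

// A put-replace cache creates the set and immediately invalidates it: the
// property is now known to be overwritten after its creating transition.
void didCachePutReplace(StructureModel& s, const std::string& name) {
    s.ensureSet(name).fireAll();
}

// A non-cached put only tests for an existing set (a null check in the
// common case) and fires it if one was created earlier.
void didUncachedPut(StructureModel& s, const std::string& name) {
    if (ReplacementWatchpointSet* set = s.existingSet(name))
        set->fireAll();
}

// The DFG's three conditions for folding a property load to a constant;
// on success a watchpoint is added lazily to the set.
bool tryConstantFold(bool baseIsConstantObject, bool structureProven,
                     StructureModel& s, const std::string& name) {
    if (!baseIsConstantObject || !structureProven)
        return false;
    ReplacementWatchpointSet* set = s.existingSet(name);
    if (!set || !set->isStillValid())
        return false;
    set->startWatching();
    set->lazilyAddedWatchpoints++;
    return true;
}

// Modelled on the "replace then cache get and fold" tests listed above: a
// cached replacement poisons the set, so a later cached get cannot fold.
bool replaceThenGetFolds() {
    StructureModel s;
    didCachePutReplace(s, "f");
    didCacheGet(s, "f");
    return tryConstantFold(true, true, s, "f");   // false
}

// Writes before any access is cached cost no memory and do not matter; the
// first cached get starts watching and folding succeeds.
bool writesBeforeCacheThenGetFolds() {
    StructureModel s;
    didUncachedPut(s, "f");
    didUncachedPut(s, "f");
    bool noMetadataYet = s.existingSet("f") == nullptr;
    didCacheGet(s, "f");
    return noMetadataYet && tryConstantFold(true, true, s, "f");   // true
}

// After a fold, a non-cached put fires the set, invalidating whatever
// registered a watchpoint on it.
bool foldThenUncachedPutStaysValid() {
    StructureModel s;
    didCacheGet(s, "f");
    tryConstantFold(true, true, s, "f");
    didUncachedPut(s, "f");
    return s.existingSet("f")->isStillValid();   // false
}
```

        The scenarios mirror the shape of the stress tests named in the file list: a cached
        replace before the first cached get, a fold that then gets invalidated, and the
        "no memory until cached" property from the entry's third bullet.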
3513     
3514     2014-07-03  Saam Barati  <sbarati@apple.com>
3515     
3516             Add more coverage for the profile_types_with_high_fidelity op code.
3517             https://bugs.webkit.org/show_bug.cgi?id=134616
3518     
3519             Reviewed by Filip Pizlo.
3520     
3521             More operations are now being recorded by the profile_types_with_high_fidelity 
3522             opcode. Specifically: function parameters, function return values,
3523             function 'this' value, get_by_id, get_by_value, resolve nodes, function return 
3524             values at the call site. Added more flags to the profile_types_with_high_fidelity
3525             opcode so more focused tasks can take place when the instruction is
3526             being linked in CodeBlock. Re-worked the type profiler to search 
3527             through character offset ranges when asked for the type of an expression
3528             at a given offset. Removed redundant calls to Structure::toStructureShape
3529             in HighFidelityLog and TypeSet by caching calls based on StructureID.
3530     
3531             * bytecode/BytecodeList.json:
3532             * bytecode/BytecodeUseDef.h:
3533             (JSC::computeUsesForBytecodeOffset):
3534             (JSC::computeDefsForBytecodeOffset):
3535             * bytecode/CodeBlock.cpp:
3536             (JSC::CodeBlock::CodeBlock):
3537             (JSC::CodeBlock::finalizeUnconditionally):
3538             (JSC::CodeBlock::scopeDependentProfile):
3539             * bytecode/CodeBlock.h:
3540             (JSC::CodeBlock::returnStatementTypeSet):
3541             * bytecode/TypeLocation.h:
3542             * bytecode/UnlinkedCodeBlock.cpp:
3543             (JSC::UnlinkedCodeBlock::highFidelityTypeProfileExpressionInfoForBytecodeOffset):
3544             (JSC::UnlinkedCodeBlock::addHighFidelityTypeProfileExpressionInfo):
3545             * bytecode/UnlinkedCodeBlock.h:
3546             * bytecompiler/BytecodeGenerator.cpp:
3547             (JSC::BytecodeGenerator::emitMove):
3548             (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
3549             (JSC::BytecodeGenerator::emitGetFromScopeWithProfile):
3550             (JSC::BytecodeGenerator::emitPutToScope):
3551             (JSC::BytecodeGenerator::emitPutToScopeWithProfile):
3552             (JSC::BytecodeGenerator::emitPutById):
3553             (JSC::BytecodeGenerator::emitPutByVal):
3554             * bytecompiler/BytecodeGenerator.h:
3555             (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo):
3556             * bytecompiler/NodesCodegen.cpp:
3557             (JSC::ResolveNode::emitBytecode):
3558             (JSC::BracketAccessorNode::emitBytecode):
3559             (JSC::DotAccessorNode::emitBytecode):
3560             (JSC::FunctionCallValueNode::emitBytecode):
3561             (JSC::FunctionCallResolveNode::emitBytecode):
3562             (JSC::FunctionCallBracketNode::emitBytecode):
3563             (JSC::FunctionCallDotNode::emitBytecode):
3564             (JSC::CallFunctionCallDotNode::emitBytecode):
3565             (JSC::ApplyFunctionCallDotNode::emitBytecode):
3566             (JSC::PostfixNode::emitResolve):
3567             (JSC::PostfixNode::emitBracket):
3568             (JSC::PostfixNode::emitDot):
3569             (JSC::PrefixNode::emitResolve):
3570             (JSC::PrefixNode::emitBracket):
3571             (JSC::PrefixNode::emitDot):
3572             (JSC::ReadModifyResolveNode::emitBytecode):
3573             (JSC::AssignResolveNode::emitBytecode):
3574             (JSC::AssignDotNode::emitBytecode):
3575             (JSC::ReadModifyDotNode::emitBytecode):
3576             (JSC::AssignBracketNode::emitBytecode):
3577             (JSC::ReadModifyBracketNode::emitBytecode):
3578             (JSC::ReturnNode::emitBytecode):
3579             (JSC::FunctionBodyNode::emitBytecode):
3580             * inspector/agents/InspectorRuntimeAgent.cpp:
3581             (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableAtOffset):
3582             (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange): Deleted.
3583             * inspector/agents/InspectorRuntimeAgent.h:
3584             * inspector/protocol/Runtime.json:
3585             * llint/LLIntSlowPaths.cpp:
3586             (JSC::LLInt::getFromScopeCommon):
3587             (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3588             * llint/LLIntSlowPaths.h:
3589             * llint/LowLevelInterpreter.asm:
3590             * runtime/HighFidelityLog.cpp:
3591             (JSC::HighFidelityLog::processHighFidelityLog):
3592             (JSC::HighFidelityLog::actuallyProcessLogThreadFunction):
3593             (JSC::HighFidelityLog::recordTypeInformationForLocation): Deleted.
3594             * runtime/HighFidelityLog.h:
3595             (JSC::HighFidelityLog::recordTypeInformationForLocation):
3596             * runtime/HighFidelityTypeProfiler.cpp:
3597             (JSC::HighFidelityTypeProfiler::getTypesForVariableInAtOffset):
3598             (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableAtOffset):
3599             (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableAtOffset):
3600             (JSC::HighFidelityTypeProfiler::insertNewLocation):
3601             (JSC::HighFidelityTypeProfiler::findLocation):
3602             (JSC::HighFidelityTypeProfiler::getTypesForVariableInRange): Deleted.
3603             (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableInRange): Deleted.
3604             (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableInRange): Deleted.
3605             (JSC::HighFidelityTypeProfiler::getLocationBasedHash): Deleted.
3606             * runtime/HighFidelityTypeProfiler.h:
3607             (JSC::LocationKey::LocationKey): Deleted.
3608             (JSC::LocationKey::hash): Deleted.
3609             (JSC::LocationKey::operator==): Deleted.
3610             * runtime/Structure.cpp:
3611             (JSC::Structure::toStructureShape):
3612             * runtime/Structure.h:
3613             * runtime/TypeSet.cpp:
3614             (JSC::TypeSet::TypeSet):
3615             (JSC::TypeSet::addTypeForValue):
3616             (JSC::TypeSet::seenTypes):
3617             (JSC::TypeSet::removeDuplicatesInStructureHistory): Deleted.
3618             * runtime/TypeSet.h:
3619             (JSC::StructureShape::setConstructorName):
3620             * runtime/VM.cpp:
3621             (JSC::VM::getTypesForVariableAtOffset):
3622             (JSC::VM::dumpHighFidelityProfilingTypes):
3623             (JSC::VM::getTypesForVariableInRange): Deleted.
3624             * runtime/VM.h:
3625     
3626     2014-07-04  Filip Pizlo  <fpizlo@apple.com>
3627     
3628             [ftlopt][REGRESSION] debug tests fail because PutByIdDirect is now implemented in terms of In
3629             https://bugs.webkit.org/show_bug.cgi?id=134642
3630     
3631             Rubber stamped by Andreas Kling.
3632     
3633             * ftl/FTLLowerDFGToLLVM.cpp:
3634             (JSC::FTL::LowerDFGToLLVM::compileNode):
3635     
3636     2014-07-01  Filip Pizlo  <fpizlo@apple.com>
3637     
3638             [ftlopt] Allocate a new GetterSetter if we change the value of any of its entries other than when they were previously null, so that if we constant-infer an accessor slot then we immediately get the function constant for free
3639             https://bugs.webkit.org/show_bug.cgi?id=134518
3640     
3641             Reviewed by Mark Hahnenberg.
3642             
3643             This has no real effect right now, particularly since almost all uses of
3644             setSetter/setGetter were already allocating a brand new GetterSetter. But once we start
3645             doing more aggressive constant property inference, this change will allow us to remove
3646             all runtime checks from getter/setter calls.
3647     
3648             * runtime/GetterSetter.cpp:
3649             (JSC::GetterSetter::withGetter):
3650             (JSC::GetterSetter::withSetter):
3651             * runtime/GetterSetter.h:
3652             (JSC::GetterSetter::setGetter):
3653             (JSC::GetterSetter::setSetter):
3654             * runtime/JSObject.cpp:
3655             (JSC::JSObject::defineOwnNonIndexProperty):
3656     
3657     2014-07-02  Filip Pizlo  <fpizlo@apple.com>
3658     
3659             [ftlopt] Rename notifyTransitionFromThisStructure to didTransitionFromThisStructure
3660     
3661             Rubber stamped by Mark Hahnenberg.
3662     
3663             * runtime/Structure.cpp:
3664             (JSC::Structure::Structure):
3665             (JSC::Structure::nonPropertyTransition):
3666             (JSC::Structure::didTransitionFromThisStructure):
3667             (JSC::Structure::notifyTransitionFromThisStructure): Deleted.
3668             * runtime/Structure.h:
3669     
3670     2014-07-02  Filip Pizlo  <fpizlo@apple.com>
3671     
3672             [ftlopt] Remove the functionality for cloning StructureRareData since we never do that anymore.
3673     
3674             Rubber stamped by Mark Hahnenberg.
3675     
3676             * runtime/Structure.cpp:
3677             (JSC::Structure::Structure):
3678             (JSC::Structure::cloneRareDataFrom): Deleted.
3679             * runtime/Structure.h:
3680             * runtime/StructureRareData.cpp:
3681             (JSC::StructureRareData::clone): Deleted.
3682             (JSC::StructureRareData::StructureRareData): Deleted.
3683             * runtime/StructureRareData.h:
3684             (JSC::StructureRareData::needsCloning): Deleted.
3685     
3686     2014-07-01  Mark Lam  <mark.lam@apple.com>
3687     
3688             [ftlopt] DebuggerCallFrame::scope() should return a DebuggerScope.
3689             <https://webkit.org/b/134420>
3690     
3691             Reviewed by Geoffrey Garen.
3692     
3693             Previously, DebuggerCallFrame::scope() returns a JSActivation (and relevant
3694             peers) which the WebInspector will use to introspect CallFrame variables.
3695             Instead, we should be returning a DebuggerScope as an abstraction layer that
3696             provides the introspection functionality that the WebInspector needs.  This
3697             is the first step towards not forcing every frame to have a JSActivation
3698             object just because the debugger is enabled.
3699     
3700             1. Instantiate the debuggerScopeStructure as a member of the JSGlobalObject
3701                instead of the VM.  This allows JSObject::globalObject() to be able to
3702                return the global object for the DebuggerScope.
3703     
3704             2. On the DebuggerScope's life-cycle management:
3705     
3706                The DebuggerCallFrame is designed to be "valid" only during a debugging session
3707                (while the debugger is broken) through the use of a DebuggerCallFrameScope in
3708                Debugger::pauseIfNeeded().  Once the debugger resumes from the break, the
3709                DebuggerCallFrameScope destructs, and the DebuggerCallFrame will be invalidated.
3710                We can't guarantee (from this code alone) that the Inspector code isn't still
3711                holding a ref to the DebuggerCallFrame (though they shouldn't), but by contract,
3712                the frame will be invalidated, and any attempt to query it will return null values.
3713                This is pre-existing behavior.
3714     
3715                Now, we're adding the DebuggerScope into the picture.  While a single debugger
3716                pause session is in progress, the Inspector may request the scope from the
3717                DebuggerCallFrame.  While the DebuggerCallFrame is still valid, we want
3718                DebuggerCallFrame::scope() to always return the same DebuggerScope object.
3719                This is why we hold on to the DebuggerScope with a strong ref.
3720     
3721                If we use a weak ref instead, the following kooky behavior can manifest:
3722                1. The Inspector calls Debugger::scope() to get the top scope.
3723                2. The Inspector iterates down the scope chain and is now only holding a
3724                   reference to a parent scope.  It is no longer referencing the top scope.
3725                3. A GC occurs, and the DebuggerCallFrame's weak m_scope ref to the top scope
3726                   gets cleared.
3727                4. The Inspector calls DebuggerCallFrame::scope() to get the top scope again but gets
3728                   a different DebuggerScope instance.
3729                5. The Inspector iterates down the scope chain but never sees the parent scope
3730                   instance that it retained a ref to in step 2 above.  This is because when iterating
3731                   this new DebuggerScope instance (which has no knowledge of the previous parent
3732                   DebuggerScope instance), a new DebuggerScope instance will get created for the
3733                   same parent scope.
3734     
3735                Since the DebuggerScope is a JSObject, its liveness is determined by its reachability.
3736                However, its "validity" is determined by the life-cycle of its owner DebuggerCallFrame.
3737                When the owner DebuggerCallFrame gets invalidated, its debugger scope chain (if
3738                instantiated) will also get invalidated.  This is why we need the
3739                DebuggerScope::invalidateChain() method.  The Inspector should not be using the
3740                DebuggerScope instance after its owner DebuggerCallFrame is invalidated.  If it does,
3741                those methods will do nothing or return a failed status.
3742     
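The weak-ref hazard in steps 1 through 5 above, and the invalidateChain() contract, replayed as an added stand-alone example. This is not JavaScriptCore code: DebuggerScope, DebuggerCallFrame and JSScope here are hypothetical stand-ins, GC reachability is approximated with shared_ptr/weak_ptr, and the two-level scope chain is constructed sample data. The frame can be built in either configuration so the two outcomes can be compared directly.

```cpp
#include <cstdio>
#include <memory>
#include <string>
#include <utility>

// Stand-in for the engine's own scope chain (JSActivation and peers). Constructed sample data.
struct JSScope {
    std::string name;
    std::shared_ptr<JSScope> next;
};

// Hypothetical DebuggerScope: a wrapper created on demand around a JSScope.
// Liveness = reachability (approximated with shared_ptr); validity = a flag owned by the frame.
class DebuggerScope {
public:
    explicit DebuggerScope(std::shared_ptr<JSScope> scope) : m_scope(std::move(scope)) {}

    // Walks one step down the chain, creating the wrapper for the parent scope on first use.
    std::shared_ptr<DebuggerScope> next() {
        if (!m_valid || !m_scope->next)
            return nullptr;
        if (!m_next)
            m_next = std::make_shared<DebuggerScope>(m_scope->next);
        return m_next;
    }
    std::string name() const { return m_valid ? m_scope->name : std::string(); }
    bool isValid() const { return m_valid; }

    // Marks this wrapper and every wrapper below it unusable once the owning frame goes away.
    void invalidateChain() {
        for (DebuggerScope* s = this; s; s = s->m_next.get())
            s->m_valid = false;
    }

private:
    std::shared_ptr<JSScope> m_scope;
    std::shared_ptr<DebuggerScope> m_next;
    bool m_valid = true;
};

// Hypothetical DebuggerCallFrame that holds its top DebuggerScope either weakly or strongly.
class DebuggerCallFrame {
public:
    DebuggerCallFrame(std::shared_ptr<JSScope> top, bool holdStrongRef)
        : m_top(std::move(top)), m_holdStrongRef(holdStrongRef) {}

    std::shared_ptr<DebuggerScope> scope() {
        if (!m_valid)
            return nullptr;
        if (auto existing = m_weakScope.lock())   // still alive: hand back the same instance
            return existing;
        auto fresh = std::make_shared<DebuggerScope>(m_top);
        m_weakScope = fresh;
        if (m_holdStrongRef)
            m_strongScope = fresh;                // keeps the chain alive for the whole pause
        return fresh;
    }

    // Called when the pause ends (where DebuggerCallFrameScope destructs in the real engine).
    void invalidate() {
        m_valid = false;
        if (auto s = m_weakScope.lock())
            s->invalidateChain();
        m_strongScope.reset();
    }

private:
    std::shared_ptr<JSScope> m_top;
    std::weak_ptr<DebuggerScope> m_weakScope;
    std::shared_ptr<DebuggerScope> m_strongScope;  // only set in the strong-ref configuration
    bool m_holdStrongRef;
    bool m_valid = true;
};

// Constructed sample chain: a function scope whose parent is the global scope.
static DebuggerCallFrame makeFrame(bool holdStrongRef) {
    auto global = std::make_shared<JSScope>(JSScope{"global", nullptr});
    auto callee = std::make_shared<JSScope>(JSScope{"function", global});
    return DebuggerCallFrame(callee, holdStrongRef);
}

// Replays steps 1-5 of the ChangeLog entry. Returns true when the Inspector gets the
// same parent DebuggerScope instance both times it walks the chain.
bool parentIdentityStable(bool holdStrongRef) {
    DebuggerCallFrame frame = makeFrame(holdStrongRef);
    auto top = frame.scope();              // 1. fetch the top scope
    auto parent = top->next();             // 2. walk down, keep only the parent...
    top.reset();                           //    ...and drop the top scope
    // 3. "GC": with only a weak ref from the frame, the top wrapper is gone at this point
    auto topAgain = frame.scope();         // 4. ask for the top scope again
    auto parentAgain = topAgain->next();   // 5. walk down again
    return parent == parentAgain;
}

// After the frame is invalidated, every wrapper in the chain reports failure.
bool invalidatedChainReportsFailure() {
    DebuggerCallFrame frame = makeFrame(true);
    auto top = frame.scope();
    auto parent = top->next();
    frame.invalidate();
    return !top->isValid() && !parent->isValid() && top->name().empty() && frame.scope() == nullptr;
}

int main() {
    std::printf("strong ref keeps parent identity: %s\n", parentIdentityStable(true) ? "yes" : "no");
    std::printf("weak ref keeps parent identity:   %s\n", parentIdentityStable(false) ? "yes" : "no");
    return 0;
}
```

With the weak configuration the Inspector's retained parent is orphaned exactly as the entry describes: the frame hands out a fresh top wrapper whose next() builds a second wrapper for the same underlying scope. The strong configuration returns the cached instance, and invalidate() shows why validity is tracked separately from liveness: the Inspector may still hold the wrappers, but they fail closed once the frame is gone.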