[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-09-25  Brian J. Burg  <burg@cs.washington.edu>

        Web Replay: Check event loop input extents during replaying too
        https://bugs.webkit.org/show_bug.cgi?id=136316

        Reviewed by Timothy Hatcher.

        Sometimes we see different nondeterminism during capture and replay
        executions, so we should add determinism checks during replay too.

        Move the withinEventLoopInputExtent flag to the base class, and tighten
        the assertion to address <http://webkit.org/b/133019>.

        * replay/InputCursor.h:
        (JSC::InputCursor::InputCursor):
        (JSC::InputCursor::setWithinEventLoopInputExtent): Added.
        This assertion is slightly wrong because it does not account for nested run loops.
        We can be within two input extents when a nested run loop processes additional
        user inputs while the debugger is paused.

        This should only be the case when execution is being neither captured nor
        replayed. The debugger should not pause when capturing, and we should not replay
        event loop inputs while in a nested run loop.

        (JSC::InputCursor::withinEventLoopInputExtent): Added.

2014-09-25  Csaba Osztrogonác  <ossy@webkit.org>

        Remove WinCE port from trunk
        https://bugs.webkit.org/show_bug.cgi?id=136951

        Reviewed by Alex Christensen.

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::cacheFlush):
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::cacheFlush):
        * config.h:
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::gatherFromCurrentThread):
        (JSC::MachineThreads::gatherFromOtherThread):
        (JSC::swapIfBackwards): Deleted.
        * jit/ExecutableAllocator.h:
        * jsc.cpp:
        (main):
        * runtime/DateConstructor.cpp:
        * runtime/Options.cpp:
        (JSC::overrideOptionWithHeuristic):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * testRegExp.cpp:
        (main):
        * tools/CodeProfiling.cpp:
        (JSC::CodeProfiling::notifyAllocator):

2014-09-24  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: subtract elapsed time while debugger is paused from profile nodes
        https://bugs.webkit.org/show_bug.cgi?id=136796

        Reviewed by Timothy Hatcher.

        Rather than accruing no time to any profile node created while the debugger is paused,
        we can instead count a node's elapsed time and exclude time elapsed while paused.

        Time for a node may elapse in a non-contiguous fashion depending on the interleaving of
        didPause, didContinue, willExecute, and didExecute. A node's start time is set to the
        start of the last such interval that accrues elapsed time.

        * profiler/ProfileGenerator.cpp:
        (JSC::ProfileGenerator::ProfileGenerator):
        (JSC::ProfileGenerator::beginCallEntry):
        (JSC::ProfileGenerator::endCallEntry):
        (JSC::ProfileGenerator::didPause): Added.
        (JSC::ProfileGenerator::didContinue): Added.
        * profiler/ProfileGenerator.h:
        (JSC::ProfileGenerator::didPause): Deleted.
        (JSC::ProfileGenerator::didContinue): Deleted.
        * profiler/ProfileNode.h: Rename totalTime to elapsedTime.
        (JSC::ProfileNode::Call::Call):
        (JSC::ProfileNode::Call::elapsedTime): Added.
        (JSC::ProfileNode::Call::setElapsedTime): Added.
        (JSC::CalculateProfileSubtreeDataFunctor::operator()):
        (JSC::ProfileNode::Call::totalTime): Deleted.
        (JSC::ProfileNode::Call::setTotalTime): Deleted.

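The interleaving described in the entry above (time accrues only while a call is executing and the debugger is not paused, and the start time is reset at the beginning of each accruing interval), as an added C++ example. This is not JavaScriptCore's ProfileGenerator or ProfileNode code: the PauseAwareCallTimer class, the TimerEvent enum and the caller-supplied double timestamps are assumptions of this example, chosen so the arithmetic can be checked without a clock.

```cpp
#include <cstdio>
#include <vector>

// Added example, not JavaScriptCore's ProfileGenerator or ProfileNode code.
// A per-call timer that accrues elapsed time only while the call is executing
// and the debugger is not paused. Timestamps are plain doubles handed in by
// the caller (an assumption made for testability; a real profiler reads a
// monotonic clock). Whenever accrual resumes, the start time is reset to the
// start of that interval, so willExecute / didPause / didContinue / didExecute
// may interleave in any order and paused time is never counted.
class PauseAwareCallTimer {
public:
    void willExecute(double now) { m_executing = true; beginIntervalIfAccruing(now); }
    void didExecute(double now) { endIntervalIfAccruing(now); m_executing = false; }
    void didPause(double now) { endIntervalIfAccruing(now); m_paused = true; }
    void didContinue(double now) { m_paused = false; beginIntervalIfAccruing(now); }

    double elapsedTime() const { return m_elapsed; }
    bool isAccruing() const { return m_executing && !m_paused; }

private:
    void beginIntervalIfAccruing(double now) { if (isAccruing()) m_startTime = now; }
    void endIntervalIfAccruing(double now) { if (isAccruing()) m_elapsed += now - m_startTime; }

    bool m_executing = false;
    bool m_paused = false;
    double m_startTime = 0.0;
    double m_elapsed = 0.0;
};

enum class TimerEvent { WillExecute, DidExecute, DidPause, DidContinue };

struct TimedEvent {
    TimerEvent kind;
    double time;
};

// Replays (event, timestamp) pairs through one timer and returns the accrued time.
double elapsedForEvents(const std::vector<TimedEvent>& events)
{
    PauseAwareCallTimer timer;
    for (const TimedEvent& event : events) {
        switch (event.kind) {
        case TimerEvent::WillExecute: timer.willExecute(event.time); break;
        case TimerEvent::DidExecute: timer.didExecute(event.time); break;
        case TimerEvent::DidPause: timer.didPause(event.time); break;
        case TimerEvent::DidContinue: timer.didContinue(event.time); break;
        }
    }
    return timer.elapsedTime();
}

int main()
{
    // Constructed timeline: a 10-unit call with a 3-unit debugger pause in the middle.
    double elapsed = elapsedForEvents({
        { TimerEvent::WillExecute, 0.0 },
        { TimerEvent::DidPause, 5.0 },
        { TimerEvent::DidContinue, 8.0 },
        { TimerEvent::DidExecute, 10.0 },
    });
    std::printf("elapsed excluding paused time: %g\n", elapsed);
    return 0;
}
```

Because both transitions into the accruing state (willExecute while not paused, didContinue while executing) reset the start time, a pause that begins before the call starts, or a call that ends while the debugger is still paused, simply contributes no time for the paused stretch rather than producing a negative or inflated interval.
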
2014-09-24  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r173839.
        https://bugs.webkit.org/show_bug.cgi?id=137062

        NumberConstruct should no longer use static tables (Requested
        by dpino on #webkit).

        Reverted changeset:

        "Simple ES6 feature: Number constructor extras"
        https://bugs.webkit.org/show_bug.cgi?id=131707
        http://trac.webkit.org/changeset/173839

2014-09-23  Mark Lam  <mark.lam@apple.com>

        DebuggerCallFrame::invalidate() should invalidate all DebuggerScope chains.
        <https://webkit.org/b/137045>

        Reviewed by Geoffrey Garen.

        DebuggerCallFrame::invalidate() currently invalidates all DebuggerCallFrames
        in the debugger stack, but only invalidates the DebuggerScope chain of the
        top most frame.  We should also invalidate all the DebuggerScope chains of
        the other frames in the debugger stack.

        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::invalidate):
        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::invalidateChain):

2014-09-23  Mark Lam  <mark.lam@apple.com>

        Renamed DebuggerCallFrameScope to DebuggerPausedScope.
        <https://webkit.org/b/137042>

        Reviewed by Michael Saboff.

        DebuggerPausedScope is a better name for this data structure because it
        is meant for tracking the period within which the debugger is paused,
        and doing cleanups after the pause ends.

        * debugger/Debugger.cpp:
        (JSC::DebuggerPausedScope::DebuggerPausedScope):
        (JSC::DebuggerPausedScope::~DebuggerPausedScope):
        (JSC::Debugger::pauseIfNeeded):
        (JSC::DebuggerCallFrameScope::DebuggerCallFrameScope): Deleted.
        (JSC::DebuggerCallFrameScope::~DebuggerCallFrameScope): Deleted.
        * debugger/Debugger.h:
        * debugger/DebuggerCallFrame.h:

2014-09-23  Tomas Popela  <tpopela@redhat.com>

        [CLoop] - Fix CLoop on the 32-bit Big-Endians
        https://bugs.webkit.org/show_bug.cgi?id=137020

        Reviewed by Mark Lam.

        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:

2014-09-23  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Should be able to attach a debugger to a JSContext before anything is executed
        https://bugs.webkit.org/show_bug.cgi?id=136893

        Reviewed by Timothy Hatcher.

        Adds new remote inspector protocol handling for automatic inspection.
        Debuggers can signal they have enabled automatic inspection, and
        when debuggables are created the current application will pause to
        see if the debugger will inspect or decline to inspect the debuggable.

        * inspector/remote/RemoteInspectorConstants.h:
        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::globalAutomaticInspectionState):
        (Inspector::RemoteInspector::RemoteInspector):
        (Inspector::RemoteInspector::start):
        When first starting, check the global "is there an auto-inspect" debugger state.
        This is necessary so that the current application knows if it should pause or
        not when a debuggable is created, even without having connected to webinspectord yet.

        (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate):
        When a debuggable has enabled remote inspection, take this path to propose
        it as an automatic inspection candidate if there is an auto-inspect debugger.

        (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage):
        Send the automatic inspection candidate message.

        (Inspector::RemoteInspector::receivedSetupMessage):
        (Inspector::RemoteInspector::setupFailed):
        (Inspector::RemoteInspector::setupSucceeded):
        After attempting to open an inspector, unpause if it was for the
        automatic inspection candidate.

        (Inspector::RemoteInspector::waitingForAutomaticInspection):
        When running a nested runloop, check if we should remain paused.

        (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
        If by the time we connect to webinspectord we have a candidate, then
        immediately send the candidate message.

        (Inspector::RemoteInspector::stopInternal):
        (Inspector::RemoteInspector::xpcConnectionFailed):
        In error cases, clear our state.

        (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
        (Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage):
        (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage):
        Update state when receiving new messages.


        * inspector/remote/RemoteInspectorDebuggable.h:
        * inspector/remote/RemoteInspectorDebuggable.cpp:
        (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
        Special case when a debuggable is newly allowed to be debuggable.

        (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection):
        Run a nested run loop while this is an automatic inspection candidate.

        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::connectFrontend):
        When the inspector starts via automatic inspection automatically pause.
        We plan on removing this condition by having the frontend signal to the
        backend when it is completely initialized.

        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorDebuggableConnection::setup):
        Pass on the flag of whether or not this was automatic inspection.

        * runtime/JSGlobalObjectDebuggable.h:
        * runtime/JSGlobalObjectDebuggable.cpp:
        (JSC::JSGlobalObjectDebuggable::connect):
        (JSC::JSGlobalObjectDebuggable::pauseWaitingForAutomaticInspection):
        When pausing in a JSGlobalObject we need to release the API lock.

2014-09-22  Filip Pizlo  <fpizlo@apple.com>

        FTL allocatePropertyStorage code should involve less copy-paste
        https://bugs.webkit.org/show_bug.cgi?id=137006

        Reviewed by Michael Saboff.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::allocatePropertyStorage):
        (JSC::FTL::LowerDFGToLLVM::reallocatePropertyStorage):
        (JSC::FTL::LowerDFGToLLVM::allocatePropertyStorageWithSizeImpl):

2014-09-22  Diego Pino Garcia  <dpino@igalia.com>

        Simple ES6 feature: Number constructor extras
        https://bugs.webkit.org/show_bug.cgi?id=131707

        Reviewed by Darin Adler.

        * runtime/CommonIdentifiers.h: Added new identifiers.
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::getOwnPropertySlot):
        (JSC::NumberConstructor::isFunction): Added.
        (JSC::numberConstructorEpsilonValue): Added.
        (JSC::numberConstructorNegInfinity): Added.
        (JSC::numberConstructorPosInfinity): Added.
        (JSC::numberConstructorMaxValue): Added.
        (JSC::numberConstructorMinValue): Added.
        (JSC::numberConstructorMaxSafeInteger): Added.
        (JSC::numberConstructorMinSafeInteger): Added.
        (JSC::numberConstructorFuncIsFinite): Added.
        (JSC::numberConstructorFuncIsInteger): Added.
        (JSC::numberConstructorFuncIsNaN): Added.
        (JSC::numberConstructorFuncIsSafeInteger): Added.
        * runtime/NumberConstructor.h:

2014-09-21  Filip Pizlo  <fpizlo@apple.com>

        FTL should store the four bytes of the cell header using a 32-bit store rather than four 8-bit stores
        https://bugs.webkit.org/show_bug.cgi?id=136992

        Reviewed by Sam Weinig.

        LLVM ought to be able to do this optimization for us given how the code was written, but
        any such lower-level attempts to optimize this would get into trouble with the weird
        object materialization logic I'll be introducing in bug 136330. So, this brings the
        merging of the byte stores into the FTL lowering so that we can control it explicitly.

        * ftl/FTLAbstractHeap.h:
        (JSC::FTL::AbstractHeap::changeParent):
        * ftl/FTLAbstractHeapRepository.cpp:
        (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::allocateCell):

2014-09-21  Saam Barati  <saambarati1@gmail.com>

        Web Inspector: fix TypeSet hierarchy in TypeTokenView
        https://bugs.webkit.org/show_bug.cgi?id=136982

        Reviewed by Joseph Pecoraro.

        TypeSet was computing the set of type booleans in the Inspector::Protocol::Runtime::TypeSet
        object incorrectly because it was calling TypeSet::doesTypeConformTo(T) which checks if the
        type set has only been of type T. It now checks '(m_seenTypes & T) != TypeNothing' to see
        if type T is in the set of seen types, but not the entire set itself.

        * runtime/TypeSet.cpp:
        (JSC::TypeSet::inspectorTypeSet):

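The two checks the entry above contrasts (conformance, "has the value only ever been a T?", versus membership, "has T been seen at all?"), as an added C++ example. This is not JavaScriptCore's TypeSet or its inspector protocol code: the RuntimeTypeFlag values, the TypeSet class below and the summarize helper are assumptions of this example, kept just large enough to show why the conformance check empties the per-type booleans as soon as two different types have been observed.

```cpp
#include <cstdint>
#include <cstdio>
#include <initializer_list>

// Added example, not JavaScriptCore's TypeSet. A bit-flag record of the
// runtime types a value has been observed to have; the flag values are
// assumptions of this example.
enum RuntimeTypeFlag : uint32_t {
    TypeNothing   = 0,
    TypeFunction  = 1u << 0,
    TypeUndefined = 1u << 1,
    TypeNull      = 1u << 2,
    TypeBoolean   = 1u << 3,
    TypeInteger   = 1u << 4,
    TypeNumber    = 1u << 5,
    TypeString    = 1u << 6,
    TypeObject    = 1u << 7,
};

static const uint32_t kAllTypeFlags[] = {
    TypeFunction, TypeUndefined, TypeNull, TypeBoolean,
    TypeInteger, TypeNumber, TypeString, TypeObject,
};

class TypeSet {
public:
    void recordType(uint32_t type) { m_seenTypes |= type; }
    uint32_t seenTypes() const { return m_seenTypes; }

    // "Conforms to T": something was seen, and everything seen lies within T.
    // Answers "has this value only ever been a T?".
    bool doesTypeConformTo(uint32_t t) const
    {
        return m_seenTypes != TypeNothing && (m_seenTypes & ~t) == TypeNothing;
    }

    // "Contains T": T is among the seen types, whatever else was seen.
    bool contains(uint32_t t) const { return (m_seenTypes & t) != TypeNothing; }

    // Per-type "was this type seen?" flags, packed back into the same bitmask.
    // Built with the conformance check, this reproduces the bug the entry
    // describes: once two different types have been seen, no single T covers
    // the whole set and every flag comes out false.
    uint32_t seenFlagsUsingConformance() const
    {
        uint32_t flags = TypeNothing;
        for (uint32_t t : kAllTypeFlags)
            if (doesTypeConformTo(t))
                flags |= t;
        return flags;
    }

    // The corrected form: one flag per type that is in the seen set.
    uint32_t seenFlagsUsingMembership() const
    {
        uint32_t flags = TypeNothing;
        for (uint32_t t : kAllTypeFlags)
            if (contains(t))
                flags |= t;
        return flags;
    }

private:
    uint32_t m_seenTypes = TypeNothing;
};

struct SummaryPair {
    uint32_t conformance;
    uint32_t membership;
};

// Records the observed types in a fresh set and returns both summaries.
SummaryPair summarize(std::initializer_list<uint32_t> observed)
{
    TypeSet set;
    for (uint32_t t : observed)
        set.recordType(t);
    return { set.seenFlagsUsingConformance(), set.seenFlagsUsingMembership() };
}

int main()
{
    // Constructed observation: the same variable held an integer and then a string.
    SummaryPair mixed = summarize({ TypeInteger, TypeString });
    std::printf("conformance flags: 0x%02x, membership flags: 0x%02x\n",
        mixed.conformance, mixed.membership);
    return 0;
}
```

The conformance predicate is still the right tool for questions like "can this slot be treated as always-integer?"; the bug was only in reusing it to fill a set of independent per-type booleans, where membership is the question being asked.
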
2014-09-21  Filip Pizlo  <fpizlo@apple.com>

        Structure should have a method for concurrently getting all of the property map entries, and this method shouldn't involve copy-paste
        https://bugs.webkit.org/show_bug.cgi?id=136983

        Reviewed by Mark Hahnenberg.

        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyMapEntry::PropertyMapEntry): Moved PropertyMapEntry struct to Structure.h so that Structure can refer to it.
        * runtime/Structure.cpp:
        (JSC::Structure::getConcurrently): Switch to using the new forEachPropertyConcurrently() method.
        (JSC::Structure::getPropertiesConcurrently): The subject of this patch. It will be useful for object allocation sinking (bug 136330).
        (JSC::Structure::dump): Switch to using the new forEachPropertyConcurrently() method.
        * runtime/Structure.h:
        (JSC::PropertyMapEntry::PropertyMapEntry): Moved from PropertyMapHashTable.h.
        * runtime/StructureInlines.h:
        (JSC::Structure::forEachPropertyConcurrently): Capture this very common concurrent structure iteration pattern into a template method.

2014-09-21  Filip Pizlo  <fpizlo@apple.com>

        Structure::getConcurrently() doesn't need to take a VM& argument.

        Rubber stamped by Dan Bernstein.

        Removed the extra argument, and then removed similar arguments from other methods until
        I could build successfully again. It turned out that many methods took a VM& argument
        just for calling getConcurrently().

        * bytecode/CodeBlock.cpp:
        (JSC::dumpStructure):
        (JSC::dumpChain):
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::printPutByIdCacheStatus):
        * bytecode/ComplexGetStatus.cpp:
        (JSC::ComplexGetStatus::computeFor):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        (JSC::GetByIdStatus::computeForStubInfo):
        (JSC::GetByIdStatus::computeFor):
        * bytecode/GetByIdStatus.h:
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        (JSC::PutByIdStatus::computeForStubInfo):
        (JSC::PutByIdStatus::computeFor):
        * bytecode/PutByIdStatus.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
        * runtime/IntendedStructureChain.cpp:
        (JSC::IntendedStructureChain::mayInterceptStoreTo):
        * runtime/IntendedStructureChain.h:
        * runtime/Structure.cpp:
        (JSC::Structure::getConcurrently):
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::getConcurrently):

2014-09-20  Filip Pizlo  <fpizlo@apple.com>

        FTL OSRExit construction should be based on methods that return ExitValues rather than methods that add ExitValues to OSRExit
        https://bugs.webkit.org/show_bug.cgi?id=136978

        Reviewed by Dean Jackson.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
        (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
        (JSC::FTL::LowerDFGToLLVM::exitArgument):
        (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode): Deleted.
        (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument): Deleted.
        (JSC::FTL::LowerDFGToLLVM::addExitArgument): Deleted.

2014-09-20  Filip Pizlo  <fpizlo@apple.com>

        FTL OSR exit should do reboxing and value recovery in the same pass
        https://bugs.webkit.org/show_bug.cgi?id=136977

        Reviewed by Oliver Hunt.

        It's conceptually simpler to have all of the logic in one place. After the
        recover-and-rebox loop is done, all of the exit values are in the form that the baseline
        JIT would want them to be in; the only remaining task is to move them into the right
        place on the stack after we do all of the necessary stack adjustments.

        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):

2014-09-19  Filip Pizlo  <fpizlo@apple.com>

        StorageAccessData should be referenced in a sensible way
        https://bugs.webkit.org/show_bug.cgi?id=136963

        Reviewed and rubber stamped by Michael Saboff.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleGetByOffset):
        (JSC::DFG::ByteCodeParser::handlePutByOffset):
        (JSC::DFG::ByteCodeParser::handlePutById):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
        (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToGetByOffset):
        (JSC::DFG::Node::convertToPutByOffset):
        (JSC::DFG::Node::storageAccessData):
        (JSC::DFG::Node::storageAccessDataIndex): Deleted.
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
        (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):

2014-09-19  Ryosuke Niwa  <rniwa@webkit.org>

        Leak of mallocs under StructureSet::OutOfLineList::create
        https://bugs.webkit.org/show_bug.cgi?id=136970

        Reviewed by Filip Pizlo.

        addOutOfLine should free the old list when expanding the capacity.

        * bytecode/StructureSet.cpp:
        (JSC::StructureSet::addOutOfLine):

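The leak pattern the entry above fixes, as an added C++ example. This is not JavaScriptCore's StructureSet: the OutOfLineList and SmallSet types, the doubling growth policy and the allocation registry are assumptions of this example, included so that the list orphaned during growth can be counted rather than merely described. The freeOldListOnGrow switch exists only to show the buggy and the corrected growth path side by side.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <vector>

// Added example, not JavaScriptCore's StructureSet. A set of pointer-sized
// values kept in a malloc'ed out-of-line list that doubles in capacity when
// full. The registry of live lists is an assumption of this example so that
// a list dropped on the floor during growth can be observed.
struct OutOfLineList;
static std::vector<OutOfLineList*> g_liveLists;

struct OutOfLineList {
    unsigned length;
    unsigned capacity;

    // Elements are stored immediately after the header.
    uintptr_t* elements() { return reinterpret_cast<uintptr_t*>(this + 1); }

    static OutOfLineList* create(unsigned capacity)
    {
        void* memory = std::malloc(sizeof(OutOfLineList) + capacity * sizeof(uintptr_t));
        OutOfLineList* list = static_cast<OutOfLineList*>(memory);
        list->length = 0;
        list->capacity = capacity;
        g_liveLists.push_back(list);
        return list;
    }

    static void destroy(OutOfLineList* list)
    {
        g_liveLists.erase(std::find(g_liveLists.begin(), g_liveLists.end(), list));
        std::free(list);
    }
};

class SmallSet {
public:
    // freeOldListOnGrow == false reproduces the leak; true is the fixed behaviour.
    explicit SmallSet(bool freeOldListOnGrow) : m_freeOldListOnGrow(freeOldListOnGrow) { }
    ~SmallSet() { if (m_list) OutOfLineList::destroy(m_list); }
    SmallSet(const SmallSet&) = delete;
    SmallSet& operator=(const SmallSet&) = delete;

    bool contains(uintptr_t value) const
    {
        for (unsigned i = 0; m_list && i < m_list->length; ++i)
            if (m_list->elements()[i] == value) return true;
        return false;
    }

    void addOutOfLine(uintptr_t value)
    {
        if (contains(value)) return;
        if (!m_list)
            m_list = OutOfLineList::create(2);
        if (m_list->length == m_list->capacity) {
            OutOfLineList* grown = OutOfLineList::create(m_list->capacity * 2);
            std::memcpy(grown->elements(), m_list->elements(), m_list->length * sizeof(uintptr_t));
            grown->length = m_list->length;
            if (m_freeOldListOnGrow)
                OutOfLineList::destroy(m_list); // the fix: the old list is unreachable once replaced
            m_list = grown;
        }
        m_list->elements()[m_list->length++] = value;
    }

    unsigned size() const { return m_list ? m_list->length : 0; }

private:
    OutOfLineList* m_list = nullptr;
    bool m_freeOldListOnGrow;
};

// Adds `count` distinct values, destroys the set, and returns how many
// out-of-line lists were still registered afterwards: lists nobody freed.
// The orphans are then released so the example itself does not leak.
unsigned leakedListsAfterAdding(unsigned count, bool freeOldListOnGrow)
{
    {
        SmallSet set(freeOldListOnGrow);
        for (unsigned i = 1; i <= count; ++i)
            set.addOutOfLine(static_cast<uintptr_t>(i));
    }
    unsigned leaked = static_cast<unsigned>(g_liveLists.size());
    for (OutOfLineList* orphan : g_liveLists)
        std::free(orphan);
    g_liveLists.clear();
    return leaked;
}

int main()
{
    std::printf("orphaned lists without freeing on grow: %u\n", leakedListsAfterAdding(8, false));
    std::printf("orphaned lists with the fix:            %u\n", leakedListsAfterAdding(8, true));
    return 0;
}
```

With an initial capacity of 2, adding eight values grows the list twice, so the unfixed path leaves two orphaned lists behind; the destructor only knows about the current list, which is exactly why the old one has to be released at the point of replacement. A malloc-tracking harness of this shape (or a leak checker such as LeakSanitizer on a real build) is the practical way to catch this class of bug, since nothing else about the set's behaviour changes.
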
2014-09-19  Daniel Bates  <dabates@apple.com>

        Always assume internal SDK when building configuration Production
        https://bugs.webkit.org/show_bug.cgi?id=136925
        <rdar://problem/18362399>

        Reviewed by Dan Bernstein.

        As a side effect of this change we will always enable ENABLE_TOUCH_EVENTS, ENABLE_IOS_{GESTURE, TOUCH}_EVENTS,
        and ENABLE_XSLT when either building configuration Production or building with the Internal SDK.

        * Configurations/Base.xcconfig:

2014-09-19  Diego Pino Garcia  <dpino@igalia.com>

        Simple ES6 feature: String prototype additions
        https://bugs.webkit.org/show_bug.cgi?id=131704

        Reviewed by Darin Adler.

        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        (JSC::stringProtoFuncStartsWith): Added.
        (JSC::stringProtoFuncEndsWith): Added.
        (JSC::stringProtoFuncContains): Added.

2014-09-18  Joseph Pecoraro  <pecoraro@apple.com>

        Unreviewed rollout r173731. Broke multiple builds.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::connectFrontend):
        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::RemoteInspector):
        (Inspector::RemoteInspector::setupFailed):
        (Inspector::RemoteInspector::start):
        (Inspector::RemoteInspector::stopInternal):
        (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
        (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
        (Inspector::RemoteInspector::xpcConnectionFailed):
        (Inspector::RemoteInspector::receivedSetupMessage):
        (Inspector::globalAutomaticInspectionState): Deleted.
        (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate): Deleted.
        (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage): Deleted.
        (Inspector::RemoteInspector::setupSucceeded): Deleted.
        (Inspector::RemoteInspector::waitingForAutomaticInspection): Deleted.
        (Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage): Deleted.
        (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage): Deleted.
        * inspector/remote/RemoteInspectorConstants.h:
        * inspector/remote/RemoteInspectorDebuggable.cpp:
        (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
        (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection): Deleted.
        * inspector/remote/RemoteInspectorDebuggable.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorDebuggableConnection::setup):
        * runtime/JSGlobalObjectDebuggable.cpp:
        (JSC::JSGlobalObjectDebuggable::connect):
        (JSC::JSGlobalObjectDebuggable::pauseWaitingForAutomaticInspection): Deleted.
        * runtime/JSGlobalObjectDebuggable.h:

2014-09-18  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Should be able to attach a debugger to a JSContext before anything is executed
        https://bugs.webkit.org/show_bug.cgi?id=136893

        Reviewed by Timothy Hatcher.

        Adds new remote inspector protocol handling for automatic inspection.
        Debuggers can signal they have enabled automatic inspection, and
        when debuggables are created the current application will pause to
        see if the debugger will inspect or decline to inspect the debuggable.

        * inspector/remote/RemoteInspectorConstants.h:
        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::globalAutomaticInspectionState):
        (Inspector::RemoteInspector::RemoteInspector):
        (Inspector::RemoteInspector::start):
        When first starting, check the global "is there an auto-inspect" debugger state.
        This is necessary so that the current application knows if it should pause or
        not when a debuggable is created, even without having connected to webinspectord yet.

        (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate):
        When a debuggable has enabled remote inspection, take this path to propose
        it as an automatic inspection candidate if there is an auto-inspect debugger.

        (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage):
        Send the automatic inspection candidate message.

        (Inspector::RemoteInspector::receivedSetupMessage):
        (Inspector::RemoteInspector::setupFailed):
        (Inspector::RemoteInspector::setupSucceeded):
        After attempting to open an inspector, unpause if it was for the
        automatic inspection candidate.

        (Inspector::RemoteInspector::waitingForAutomaticInspection):
        When running a nested runloop, check if we should remain paused.

        (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
        If by the time we connect to webinspectord we have a candidate, then
        immediately send the candidate message.

        (Inspector::RemoteInspector::stopInternal):
        (Inspector::RemoteInspector::xpcConnectionFailed):
        In error cases, clear our state.

        (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
        (Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage):
        (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage):
        Update state when receiving new messages.


        * inspector/remote/RemoteInspectorDebuggable.h:
        * inspector/remote/RemoteInspectorDebuggable.cpp:
        (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
        Special case when a debuggable is newly allowed to be debuggable.

        (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection):
        Run a nested run loop while this is an automatic inspection candidate.

        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::connectFrontend):
        When the inspector starts via automatic inspection automatically pause.
        We plan on removing this condition by having the frontend signal to the
        backend when it is completely initialized.

        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorDebuggableConnection::setup):
        Pass on the flag of whether or not this was automatic inspection.

        * runtime/JSGlobalObjectDebuggable.h:
        * runtime/JSGlobalObjectDebuggable.cpp:
        (JSC::JSGlobalObjectDebuggable::connect):
        (JSC::JSGlobalObjectDebuggable::pauseWaitingForAutomaticInspection):
        When pausing in a JSGlobalObject we need to release the API lock.

2014-09-18  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        Fix "Tools/Scripts/build-webkit --efl --no-inspector" build
        https://bugs.webkit.org/show_bug.cgi?id=136912

        Reviewed by Darin Adler.

        * runtime/TypeSet.cpp:
        (JSC::TypeSet::leastCommonAncestor):

2014-09-17  Michael Saboff  <msaboff@apple.com>

        Change CallFrame to use Callee instead of JSScope to implement vm()
        https://bugs.webkit.org/show_bug.cgi?id=136894

        Reviewed by Geoffrey Garen.

        Added JSCell::vm() method that can be used on any JSObject.  Changed CallFrame::vm() to
        use JSCell::vm with the Callee.  Made similar changes in the LLInt.
        In support of this, changed JSGlobalObject::init() to take a VM& parameter, as there is
        a chicken/egg problem with trying to use the Callee in the global exec before the Callee
        has been created.  Besides, the vm is readily available in finishCreation(), the caller of
        init().

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        Changed the calculation of CallFrame::VM to use the Callee instead of JSScope.

        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::vm): New method for getting VM from the pointer.
        (JSC::ExecState::vm): Moved this method from JSScope.h to here since this file
        contains the implementation of JSCell::vm(), this file is included by all users
        of CallFrame::vm, and lastly putting it in CallFrameInlines.h required changing
        many other .h files and possibly the WebCore generator generate-bindings.pl.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::finishCreation):
        Changed init() to take a VM parameter.

        * runtime/JSScope.h:
        (JSC::ExecState::vm): Deleted.

2014-09-16  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, disable native inlining because it causes build failures.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-09-16  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Reduce a bit of churn setting initial remote inspection state
        https://bugs.webkit.org/show_bug.cgi?id=136875

        Reviewed by Timothy Hatcher.

        * API/JSContextRef.cpp:
        (JSGlobalContextCreateInGroup):
        Set the default remote debuggable state at the API boundary.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        Do not set remote debuggable state here. Let clients set it.

2014-09-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        Promise: Drop Promise.cast
        https://bugs.webkit.org/show_bug.cgi?id=136222

        Reviewed by Sam Weinig.

        Promise.cast is dropped and Promise.resolve is replaced with old Promise.cast.

        * runtime/CommonIdentifiers.h:
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructorFuncResolve):
        (JSC::JSPromiseConstructorFuncRace):
        (JSC::JSPromiseConstructorFuncAll):
        (JSC::JSPromiseConstructorFuncCast): Deleted.

663 2014-09-16  Filip Pizlo  <fpizlo@apple.com>
664
665         Local OSR availability calculation should be reusable
666         https://bugs.webkit.org/show_bug.cgi?id=136860
667
668         Reviewed by Oliver Hunt.
669         
670         Previously, the FTL lowering repeated some of the logic of the OSR availability analysis
671         phase. Humorously, it actually did this logic a bit differently; for example the phase
672         would claim that a SetLocal makes both the flush and the node available while the FTL
673         only claimed that the flush was available. This difference was benign, but still: yuck!
674         
675         Also, previously if you wanted to use availability information then you'd have to repeat
676         some of the logic that both the phase itself and the FTL lowering already had.
677         Presumably, you could get epic style points for finding other benign ways in which to
678         make your copy of the logic different from the other two!
679         
680         This reduces the amount of style points one could conceivably get in the future when
681         hacking JSC, by creating a single reusable thingy for computing local OSR availability.
682
683         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
684         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
685         (JSC::DFG::LocalOSRAvailabilityCalculator::LocalOSRAvailabilityCalculator):
686         (JSC::DFG::LocalOSRAvailabilityCalculator::~LocalOSRAvailabilityCalculator):
687         (JSC::DFG::LocalOSRAvailabilityCalculator::beginBlock):
688         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
689         * dfg/DFGOSRAvailabilityAnalysisPhase.h:
690         * ftl/FTLLowerDFGToLLVM.cpp:
691         (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
692         (JSC::FTL::LowerDFGToLLVM::compileBlock):
693         (JSC::FTL::LowerDFGToLLVM::compileNode):
694         (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
695         (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
696         (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
697         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
698         (JSC::FTL::LowerDFGToLLVM::availability):
699         (JSC::FTL::LowerDFGToLLVM::compileMovHint): Deleted.
700         (JSC::FTL::LowerDFGToLLVM::compileZombieHint): Deleted.
701         (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock): Deleted.
702
703 2014-09-16  Csaba Osztrogonác  <ossy@webkit.org>
704
705         JSC test gardening
706         https://bugs.webkit.org/show_bug.cgi?id=136823
707
708         Reviewed by Geoffrey Garen.
709
710         * tests/mozilla/mozilla-tests.yaml: Unskip passing tests.
711
712 2014-09-15  Michael Saboff  <msaboff@apple.com>
713
714         Create a JSCallee for GlobalExec object
715         https://bugs.webkit.org/show_bug.cgi?id=136840
716
717         Reviewed by Geoffrey Garen.
718
719         Added m_globalCallee, initialized it and then used it to set the globalExec's callee.
720
721         * runtime/JSGlobalObject.cpp:
722         (JSC::JSGlobalObject::init):
723         (JSC::JSGlobalObject::visitChildren):
724         * runtime/JSGlobalObject.h:
725
726 2014-09-14  Filip Pizlo  <fpizlo@apple.com>
727
728         DFG ref count calculation should be reusable
729         https://bugs.webkit.org/show_bug.cgi?id=136811
730
731         Reviewed by Oliver Hunt.
732         
733         Henceforth if you call Graph::computeRefCounts(), a nifty O(n) operation, every Node
734         will be able to tell you how many places it is used from. Currently only DCE uses this,
735         but it will be useful for https://bugs.webkit.org/show_bug.cgi?id=136330.
736
737         * dfg/DFGDCEPhase.cpp:
738         (JSC::DFG::DCEPhase::run):
739         (JSC::DFG::DCEPhase::findTypeCheckRoot): Deleted.
740         (JSC::DFG::DCEPhase::countNode): Deleted.
741         (JSC::DFG::DCEPhase::countEdge): Deleted.
742         * dfg/DFGGraph.cpp:
743         (JSC::DFG::Graph::computeRefCounts):
744         * dfg/DFGGraph.h:
745
746 2014-09-12  Michael Saboff  <msaboff@apple.com>
747
748         Merge JSGlobalObject::reset() into ::init()
749         https://bugs.webkit.org/show_bug.cgi?id=136800
750
751         Reviewed by Oliver Hunt.
752
753         Moved the contents of reset() into init().
754         Note that the diff shows more changes.
755
756         * runtime/JSGlobalObject.cpp:
757         (JSC::JSGlobalObject::init): Moved body of reset() into init.
758         (JSC::JSGlobalObject::put):
759         (JSC::JSGlobalObject::defineOwnProperty):
760         (JSC::JSGlobalObject::addGlobalVar):
761         (JSC::JSGlobalObject::addFunction):
762         (JSC::lastInPrototypeChain):
763         (JSC::JSGlobalObject::reset): Deleted.
764         * runtime/JSGlobalObject.h:
765
766 2014-09-12  Michael Saboff  <msaboff@apple.com>
767
768         Add JSCallee to program and eval CallFrames
769         https://bugs.webkit.org/show_bug.cgi?id=136785
770
771         Reviewed by Mark Lam.
772
773         Populated Callee slot for program and call eval CallFrames with a JSCallee objects.
774         Made supporting changes including adding a JSCallee structure to global object and adding
775         JSCallee::create() method.  Added code so that the newly added callee object won't be
776         returned by Function.caller.  Changed null pointer checks of callee to check if
777         the type is JSFunction* or JSCallee*.
778
779         * debugger/DebuggerCallFrame.cpp:
780         (JSC::DebuggerCallFrame::functionName):
781         (JSC::DebuggerCallFrame::type):
782         * profiler/LegacyProfiler.cpp:
783         (JSC::LegacyProfiler::createCallIdentifier):
784         * interpreter/Interpreter.cpp:
785         (JSC::unwindCallFrame):
786         Changed checks of callee to whether it is a JSFunction* or JSCallee* instead of just checking
787         if it is null or not.
788
789         * interpreter/Interpreter.cpp:
790         (JSC::Interpreter::execute): Create and use JSCallee objects for execute(EvalExecutable, ...)
791         and execute(ProgramExecutable, ...)
792
793         * jit/JITCode.cpp:
794         (JSC::JITCode::execute): Use jsDynamicCast to cast only JSFunctions.
795
796         * runtime/JSCallee.cpp:
797         (JSC::JSCallee::create): Not used, therefore deleted.
798
799         * runtime/JSCallee.h:
800         (JSC::JSCallee::create): Added.
801
802         * runtime/JSFunction.cpp:
803         (JSC::JSFunction::callerGetter): Added test to return null for JSCallees that aren't
804         JSFunctions.  This can only be the case when the JSCallee comes from a program or
805         call eval CallFrame.
806
807         * runtime/JSGlobalObject.cpp:
808         (JSC::JSGlobalObject::reset):
809         (JSC::JSGlobalObject::visitChildren):
810         * runtime/JSGlobalObject.h:
811         (JSC::JSGlobalObject::calleeStructure):
812         Added new JSCallee structure.
813
814 2014-09-10  Jon Honeycutt  <jhoneycutt@apple.com>
815
816         Re-add the request autocomplete feature
817
818         <https://bugs.webkit.org/show_bug.cgi?id=136730>
819
820         This feature was rolled out in r148731 because it was only used by
821         Chromium. As we consider supporting this feature, roll it back in, but
822         leave it disabled.
823
824         This rolls out r148731 (which removed the feature) with small changes
825         needed to make the code build in ToT, to match modern style, to make
826         the tests run, and to remove unused code.
827
828         Reviewed by Andy Estes.
829
830         * Configurations/FeatureDefines.xcconfig:
831
832 2014-09-12  Julien Brianceau  <jbriance@cisco.com>
833
834         [x86] moveDoubleToInts() does not clobber its source register anymore
835         https://bugs.webkit.org/show_bug.cgi?id=131690
836
837         Reviewed by Oliver Hunt.
838
839         * assembler/MacroAssemblerX86.h:
840         (JSC::MacroAssemblerX86::moveDoubleToInts):
841         * dfg/DFGSpeculativeJIT.cpp:
842         (JSC::DFG::SpeculativeJIT::compileValueRep):
843         * jit/SpecializedThunkJIT.h:
844         (JSC::SpecializedThunkJIT::returnDouble):
845
846 2014-09-12  Mark Lam  <mark.lam@apple.com>
847
848         Unreviewed build fix for CLOOP build.
849
850         * runtime/JSCallee.h:
851
852 2014-09-12  Michael Saboff  <msaboff@apple.com>
853
854         Remove unneeded declarations from JSCallee.h
855         https://bugs.webkit.org/show_bug.cgi?id=136783
856
857         Reviewed by Mark Lam.
858
859         * runtime/JSCallee.h:
860         (JSCallee::name): Deleted.
861         (JSCallee::displayName): Deleted.
862         (JSCallee::calculatedDisplayName): Deleted.
863
864 2014-09-11  Brian J. Burg  <burg@cs.washington.edu>
865
866         Web Inspector: disambiguate double and integer primitive types in the protocol
867         https://bugs.webkit.org/show_bug.cgi?id=136606
868
869         Reviewed by Timothy Hatcher.
870
871         Right now it's really easy to mix up doubles and integers when serializing or deserializing
872         values for the inspector protocol. This patch disambiguates setting/getting doubles and integers
873         so that it is clearer as to which type is intended.
874
875         A new InspectorValue::Type is added for Integer types, and the Number type is renamed to Double.
876         The existing callsites for asNumber/getNumber/setNumber have been fixed.
877
878         Address various integration points to make sure the right type tag is assigned to InspectorValues.
879
880         * bindings/ScriptValue.cpp:
881         (Deprecated::jsToInspectorValue): Make an Integer if the JSValue is Int52 or smaller.
882         * inspector/InjectedScriptManager.cpp:
883         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
884         * inspector/InspectorBackendDispatcher.cpp:
885         (Inspector::InspectorBackendDispatcher::dispatch):
886         (Inspector::InspectorBackendDispatcher::sendResponse):
887         (Inspector::InspectorBackendDispatcher::reportProtocolError):
888         (Inspector::AsMethodBridges::asInteger):
889         (Inspector::AsMethodBridges::asDouble):
890         (Inspector::InspectorBackendDispatcher::getInteger):
891         (Inspector::InspectorBackendDispatcher::getDouble):
892         (Inspector::AsMethodBridges::asInt): Deleted.
893         (Inspector::InspectorBackendDispatcher::getInt): Deleted.
894         * inspector/InspectorBackendDispatcher.h:
895         * inspector/InspectorProtocolTypes.h: Remove the special case for checking int type tags.
896         (Inspector::Protocol::ArrayItemHelper<int>::Traits::pushRaw):
897         (Inspector::Protocol::ArrayItemHelper<double>::Traits::pushRaw):
898         (Inspector::Protocol::BindingTraits<int>::assertValueHasExpectedType): Deleted.
899         * inspector/InspectorValues.cpp: Allow integers and doubles to be convertible using asInteger/asDouble.
900         (Inspector::InspectorValue::asDouble):
901         (Inspector::InspectorValue::asInteger):
902         (Inspector::InspectorBasicValue::asDouble):
903         (Inspector::InspectorBasicValue::asInteger):
904         (Inspector::InspectorBasicValue::writeJSON):
905         (Inspector::InspectorValue::asNumber): Deleted.
906         (Inspector::InspectorBasicValue::asNumber): Deleted.
907         * inspector/InspectorValues.h:
908         (Inspector::InspectorObjectBase::setInteger):
909         (Inspector::InspectorObjectBase::setDouble):
910         (Inspector::InspectorArrayBase::pushInteger):
911         (Inspector::InspectorArrayBase::pushDouble):
912         (Inspector::InspectorObjectBase::setNumber): Deleted.
913         (Inspector::InspectorArrayBase::pushInt): Deleted.
914         (Inspector::InspectorArrayBase::pushNumber): Deleted.
915         * inspector/agents/InspectorDebuggerAgent.cpp:
916         (Inspector::buildObjectForBreakpointCookie):
917         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
918         (Inspector::parseLocation):
919         (Inspector::InspectorDebuggerAgent::didParseSource):
920         * inspector/agents/InspectorRuntimeAgent.cpp:
921         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
922         * inspector/scripts/codegen/generator.py: Update emitted code and rebaseline test results.
923         (Generator.keyed_get_method_for_type):
924         (Generator.keyed_set_method_for_type):
925         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
926         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
927         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
928         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
929         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
930         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
931         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
932         * replay/EncodedValue.cpp:
933         (JSC::EncodedValue::convertTo<double>):
934         (JSC::EncodedValue::convertTo<float>):
935         (JSC::EncodedValue::convertTo<int32_t>):
936         (JSC::EncodedValue::convertTo<int64_t>):
937         (JSC::EncodedValue::convertTo<uint32_t>):
938         (JSC::EncodedValue::convertTo<uint64_t>):
939
940 2014-09-11  Joseph Pecoraro  <pecoraro@apple.com>
941
942         Web Inspector: Occasional ASSERT closing web inspector
943         https://bugs.webkit.org/show_bug.cgi?id=136762
944
945         Reviewed by Timothy Hatcher.
946
947         It is harmless, and indeed possible to have an empty set of listeners
948         now that each Page gets its own PageDebugServer instead of a shared
949         global. So we should replace the null checks with isEmpty checks.
950         Since nobody was ever returning null, convert to references as well.
951
952         * inspector/JSGlobalObjectScriptDebugServer.h:
953         * inspector/ScriptDebugServer.cpp:
954         (Inspector::ScriptDebugServer::dispatchBreakpointActionLog):
955         (Inspector::ScriptDebugServer::dispatchBreakpointActionSound):
956         (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe):
957         (Inspector::ScriptDebugServer::sourceParsed):
958         (Inspector::ScriptDebugServer::dispatchFunctionToListeners):
959         (Inspector::ScriptDebugServer::notifyDoneProcessingDebuggerEvents):
960         (Inspector::ScriptDebugServer::handlePause):
961         (Inspector::ScriptDebugServer::needPauseHandling): Deleted.
962         * inspector/ScriptDebugServer.h:
963
964 2014-09-10  Michael Saboff  <msaboff@apple.com>
965
966         Move JSScope out of JSFunction into separate JSCallee class
967         https://bugs.webkit.org/show_bug.cgi?id=136725
968
969         Reviewed by Oliver Hunt.
970
971         Created new JSCallee class that contains a JSScope*.  Changed JSFunction to inherit from
972         JSCallee.
973
974         * CMakeLists.txt:
975         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
976         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
977         * JavaScriptCore.xcodeproj/project.pbxproj:
978         Build changes.  Added JSCallee.cpp and JSCallee.h.
979
980         * runtime/JSCallee.cpp: Added.
981         (JSC::JSCallee::create):
982         (JSC::JSCallee::destroy):
983         (JSC::JSCallee::JSCallee):
984         (JSC::JSCallee::finishCreation):
985         (JSC::JSCallee::visitChildren):
986         (JSC::JSCallee::getOwnPropertySlot): Pass through wrapper function.
987         (JSC::JSCallee::getOwnNonIndexPropertyNames): Pass through wrapper function.
988         (JSC::JSCallee::put): Pass through wrapper function.
989         (JSC::JSCallee::deleteProperty): Pass through wrapper function.
990         (JSC::JSCallee::defineOwnProperty): Pass through wrapper function.
991
992         * runtime/JSCallee.h: Added.
993         (JSC::JSCallee::scope):
994         (JSC::JSCallee::scopeUnchecked):
995         (JSC::JSCallee::setScope):
996         (JSC::JSCallee::createStructure):
997         (JSC::JSCallee::offsetOfScopeChain):
998
999         * runtime/JSFunction.cpp:
1000         (JSC::JSFunction::JSFunction):
1001         (JSC::JSFunction::addNameScopeIfNeeded):
1002         (JSC::JSFunction::visitChildren):
1003         * runtime/JSFunction.h:
1004         (JSC::JSFunction::scope): Deleted.
1005         (JSC::JSFunction::scopeUnchecked): Deleted.
1006         (JSC::JSFunction::setScope): Deleted.
1007         (JSC::JSFunction::offsetOfScopeChain): Deleted.
1008         * runtime/JSFunctionInlines.h:
1009         (JSC::JSFunction::JSFunction):
1010         Changed to reference JSCallee and its methods.
1011
1012         * runtime/JSType.h: Added JSCallee as a TypeEnum.
1013
1014 2014-09-11  Filip Pizlo  <fpizlo@apple.com>
1015
1016         REGRESSION (r172129): Vine pages load as blank
1017         https://bugs.webkit.org/show_bug.cgi?id=136655
1018         rdar://problem/18281215
1019
1020         Reviewed by Michael Saboff.
1021         
1022         If lastNode is something that is subject to DCE, then removing the Phantom's reference to something
1023         that lastNode references means that the thing being referenced may no longer be kept alive for OSR.
1024         Teach PhantomRemovalPhase that it's only safe to do this if lastNode is a Phantom. That's probably too
1025         conservative, but that's fine since this is mainly just an optimization to make the IR sane to read and
1026         reasonably compact; it's OK if we miss cases here.
1027
1028         * dfg/DFGPhantomRemovalPhase.cpp:
1029         (JSC::DFG::PhantomRemovalPhase::run):
1030         * tests/stress/remove-phantom-after-setlocal.js: Added.
1031
1032 2014-09-11  Bear Travis  <betravis@adobe.com>
1033
1034         [CSS Font Loading] Enable CSS Font Loading on Mac
1035         https://bugs.webkit.org/show_bug.cgi?id=135473
1036
1037         Reviewed by Antti Koivisto.
1038
1039         Enable CSS Font Loading in FeatureDefines.
1040
1041         * Configurations/FeatureDefines.xcconfig:
1042
1043 2014-09-11  Joseph Pecoraro  <pecoraro@apple.com>
1044
1045         Unreviewed rebaseline of inspector generator test results after r173120.
1046
1047         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1048         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1049         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1050         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1051
1052 2014-09-11  Oliver Hunt  <oliver@apple.com>
1053
1054         Rename activation to be more in line with spec language
1055         https://bugs.webkit.org/show_bug.cgi?id=136721
1056
1057         Reviewed by Michael Saboff.
1058
1059         Somewhat bigger than the last one, but still just a rename.
1060
1061         * CMakeLists.txt:
1062         * JavaScriptCore.order:
1063         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1064         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1065         * JavaScriptCore.xcodeproj/project.pbxproj:
1066         * bytecode/BytecodeList.json:
1067         * bytecode/BytecodeUseDef.h:
1068         (JSC::computeUsesForBytecodeOffset):
1069         (JSC::computeDefsForBytecodeOffset):
1070         * bytecode/CallVariant.h:
1071         * bytecode/CodeBlock.cpp:
1072         (JSC::CodeBlock::dumpBytecode):
1073         (JSC::CodeBlock::CodeBlock):
1074         (JSC::CodeBlock::finalizeUnconditionally):
1075         (JSC::CodeBlock::isCaptured):
1076         (JSC::CodeBlock::nameForRegister):
1077         * bytecode/CodeBlock.h:
1078         (JSC::CodeBlock::setActivationRegister):
1079         (JSC::CodeBlock::activationRegister):
1080         (JSC::CodeBlock::uncheckedActivationRegister):
1081         (JSC::CodeBlock::needsActivation):
1082         * bytecode/Instruction.h:
1083         * bytecode/UnlinkedCodeBlock.h:
1084         (JSC::UnlinkedCodeBlock::setActivationRegister):
1085         (JSC::UnlinkedCodeBlock::activationRegister):
1086         (JSC::UnlinkedCodeBlock::hasActivationRegister):
1087         * bytecompiler/BytecodeGenerator.cpp:
1088         (JSC::BytecodeGenerator::BytecodeGenerator):
1089         (JSC::BytecodeGenerator::emitReturn):
1090         * bytecompiler/BytecodeGenerator.h:
1091         * debugger/DebuggerCallFrame.cpp:
1092         (JSC::DebuggerCallFrame::scope):
1093         * debugger/DebuggerScope.cpp:
1094         (JSC::DebuggerScope::isFunctionOrEvalScope):
1095         * dfg/DFGByteCodeParser.cpp:
1096         (JSC::DFG::ByteCodeParser::parseBlock):
1097         * dfg/DFGCapabilities.cpp:
1098         (JSC::DFG::capabilityLevel):
1099         * dfg/DFGGraph.cpp:
1100         (JSC::DFG::Graph::tryGetActivation):
1101         (JSC::DFG::Graph::tryGetRegisters):
1102         * dfg/DFGGraph.h:
1103         * dfg/DFGNodeType.h:
1104         * dfg/DFGOperations.cpp:
1105         * dfg/DFGSpeculativeJIT32_64.cpp:
1106         (JSC::DFG::SpeculativeJIT::compile):
1107         * dfg/DFGSpeculativeJIT64.cpp:
1108         (JSC::DFG::SpeculativeJIT::compile):
1109         * interpreter/CallFrame.cpp:
1110         (JSC::CallFrame::lexicalEnvironment):
1111         (JSC::CallFrame::setActivation):
1112         (JSC::CallFrame::activation): Deleted.
1113         * interpreter/CallFrame.h:
1114         * interpreter/Interpreter.cpp:
1115         (JSC::unwindCallFrame):
1116         * interpreter/Register.h:
1117         * jit/JIT.cpp:
1118         (JSC::JIT::privateCompileMainPass):
1119         * jit/JIT.h:
1120         * jit/JITOpcodes.cpp:
1121         (JSC::JIT::emit_op_tear_off_lexical_environment):
1122         (JSC::JIT::emit_op_tear_off_arguments):
1123         (JSC::JIT::emit_op_create_lexical_environment):
1124         (JSC::JIT::emit_op_tear_off_activation): Deleted.
1125         (JSC::JIT::emit_op_create_activation): Deleted.
1126         * jit/JITOpcodes32_64.cpp:
1127         (JSC::JIT::emit_op_tear_off_lexical_environment):
1128         (JSC::JIT::emit_op_tear_off_arguments):
1129         (JSC::JIT::emit_op_create_lexical_environment):
1130         (JSC::JIT::emit_op_tear_off_activation): Deleted.
1131         (JSC::JIT::emit_op_create_activation): Deleted.
1132         * jit/JITOperations.cpp:
1133         * jit/JITOperations.h:
1134         * llint/LLIntSlowPaths.cpp:
1135         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1136         * llint/LLIntSlowPaths.h:
1137         * llint/LowLevelInterpreter32_64.asm:
1138         * llint/LowLevelInterpreter64.asm:
1139         * runtime/Arguments.cpp:
1140         (JSC::Arguments::visitChildren):
1141         (JSC::Arguments::tearOff):
1142         (JSC::Arguments::didTearOffActivation):
1143         * runtime/Arguments.h:
1144         (JSC::Arguments::offsetOfActivation):
1145         (JSC::Arguments::argument):
1146         (JSC::Arguments::finishCreation):
1147         * runtime/CommonSlowPaths.cpp:
1148         * runtime/JSFunction.h:
1149         * runtime/JSGlobalObject.cpp:
1150         (JSC::JSGlobalObject::reset):
1151         (JSC::JSGlobalObject::visitChildren):
1152         * runtime/JSGlobalObject.h:
1153         (JSC::JSGlobalObject::activationStructure):
1154         * runtime/JSLexicalEnvironment.cpp: Renamed from Source/JavaScriptCore/runtime/JSActivation.cpp.
1155         (JSC::JSLexicalEnvironment::visitChildren):
1156         (JSC::JSLexicalEnvironment::symbolTableGet):
1157         (JSC::JSLexicalEnvironment::symbolTablePut):
1158         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
1159         (JSC::JSLexicalEnvironment::symbolTablePutWithAttributes):
1160         (JSC::JSLexicalEnvironment::getOwnPropertySlot):
1161         (JSC::JSLexicalEnvironment::put):
1162         (JSC::JSLexicalEnvironment::deleteProperty):
1163         (JSC::JSLexicalEnvironment::toThis):
1164         (JSC::JSLexicalEnvironment::argumentsGetter):
1165         * runtime/JSLexicalEnvironment.h: Renamed from Source/JavaScriptCore/runtime/JSActivation.h.
1166         (JSC::JSLexicalEnvironment::create):
1167         (JSC::JSLexicalEnvironment::createStructure):
1168         (JSC::JSLexicalEnvironment::JSLexicalEnvironment):
1169         (JSC::asActivation):
1170         (JSC::Register::lexicalEnvironment):
1171         (JSC::JSLexicalEnvironment::registersOffset):
1172         (JSC::JSLexicalEnvironment::tearOff):
1173         (JSC::JSLexicalEnvironment::isTornOff):
1174         (JSC::JSLexicalEnvironment::storageOffset):
1175         (JSC::JSLexicalEnvironment::storage):
1176         (JSC::JSLexicalEnvironment::allocationSize):
1177         (JSC::JSLexicalEnvironment::isValidIndex):
1178         (JSC::JSLexicalEnvironment::isValid):
1179         (JSC::JSLexicalEnvironment::registerAt):
1180         * runtime/JSObject.h:
1181         * runtime/JSScope.cpp:
1182         (JSC::abstractAccess):
1183         * runtime/JSScope.h:
1184         (JSC::ResolveOp::ResolveOp):
1185         * runtime/JSSymbolTableObject.cpp:
1186         * runtime/StrictEvalActivation.h:
1187         (JSC::StrictEvalActivation::create):
1188         * runtime/VM.cpp:
1189
1190 2014-09-11  László Langó  <llango.u-szeged@partner.samsung.com>
1191
1192         [JavaScriptCore] Fix FTL on platform EFL.
1193         https://bugs.webkit.org/show_bug.cgi?id=133571
1194
1195         Reviewed by Filip Pizlo.
1196
1197         There are no compact_unwind sections on Linux systems so FTL crashes.
1198         We have to parse eh_frame in FTLUnwindInfo instead of compact_unwind
1199         and get the information for stack unwinding from there.
1200
1201         * CMakeLists.txt: Revert r169181.
1202         * ftl/FTLCompile.cpp:
1203         Change section name literals to use SECTION_NAME macro, because of architecture differences.
1204         (JSC::FTL::mmAllocateCodeSection):
1205         (JSC::FTL::mmAllocateDataSection):
1206         (JSC::FTL::compile):
1207         * ftl/FTLJITCode.h:
1208         We need the SECTION_NAME macro in FTLCompile and FTLLink, so we define it here.
1209         * ftl/FTLLink.cpp:
1210         (JSC::FTL::link):
1211         * ftl/FTLState.h:
1212         * ftl/FTLState.cpp:
1213         (JSC::FTL::State::State):
1214         * ftl/FTLUnwindInfo.h:
1215         * ftl/FTLUnwindInfo.cpp:
1216         Lift the eh_frame parsing method from the LLVM/libcxxabi project and modify it for our purposes.
1217         Parse eh_frame on Linux instead of compact_unwind.
1218         (JSC::FTL::UnwindInfo::parse):
1219
1220 2014-09-10  Saam Barati  <saambarati1@gmail.com>
1221
1222         Web Inspector: Modify the type profiler runtime protocol to transfer some computation into the WebInspector
1223         https://bugs.webkit.org/show_bug.cgi?id=136500
1224
1225         Reviewed by Joseph Pecoraro.
1226
1227         This patch changes the type profiler protocol to the Web Inspector
1228         by moving the work of calculating computed properties that affect the UI
1229         into the Web Inspector. This makes the Web Inspector have control over the 
1230         strings it displays as UI elements representing type information to the user 
1231         instead of JavaScriptCore deciding on a convention for these strings.
1232         JavaScriptCore now sends enough information to the Web Inspector so that 
1233         it can compute the properties JavaScriptCore used to compute.
1234
1235         * inspector/agents/InspectorRuntimeAgent.cpp:
1236         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1237         * inspector/protocol/Runtime.json:
1238         * runtime/TypeProfiler.cpp:
1239         (JSC::TypeProfiler::getTypesForVariableAtOffsetForInspector): Deleted.
1240         * runtime/TypeProfiler.h:
1241         * runtime/TypeSet.cpp:
1242         (JSC::TypeSet::inspectorTypeSet):
1243         (JSC::StructureShape::leastCommonAncestor):
1244         (JSC::StructureShape::inspectorRepresentation):
1245         * runtime/TypeSet.h:
1246
1247 2014-09-10  Akos Kiss  <akiss@inf.u-szeged.hu>
1248
1249         Apply ARM64-specific lowering to load/store instructions in offlineasm
1250         https://bugs.webkit.org/show_bug.cgi?id=136569
1251
1252         Reviewed by Michael Saboff.
1253
1254         The standard RISC lowering of load/store instructions with base +
1255         immediate offset addresses is to move the offset to a temporary, add the
1256         base to the temporary, and then change the load/store to use the
1257         temporary + 0 immediate offset address. However, on ARM64, base +
1258         register offset addressing mode is available, so it is unnecessary to
1259         perform explicit register additions but it is enough to change load/store
1260         to use base + temporary as the address.
1261
1262         * offlineasm/arm64.rb: Added arm64LowerMalformedLoadStoreAddresses
1263
1264 2014-09-10  Oliver Hunt  <oliver@apple.com>
1265
1266         Rename JSVariableObject to JSEnvironmentRecord to align naming with ES spec
1267         https://bugs.webkit.org/show_bug.cgi?id=136710
1268
1269         Reviewed by Anders Carlsson.
1270
1271         This is a trivial rename.
1272
1273         * CMakeLists.txt:
1274         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1275         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1276         * JavaScriptCore.xcodeproj/project.pbxproj:
1277         * dfg/DFGAbstractHeap.h:
1278         * dfg/DFGClobberize.h:
1279         (JSC::DFG::clobberize):
1280         * dfg/DFGSpeculativeJIT32_64.cpp:
1281         (JSC::DFG::SpeculativeJIT::compile):
1282         * dfg/DFGSpeculativeJIT64.cpp:
1283         (JSC::DFG::SpeculativeJIT::compile):
1284         * ftl/FTLAbstractHeapRepository.cpp:
1285         * ftl/FTLAbstractHeapRepository.h:
1286         * ftl/FTLLowerDFGToLLVM.cpp:
1287         (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters):
1288         * jit/JITOpcodes32_64.cpp:
1289         * jit/JITPropertyAccess.cpp:
1290         (JSC::JIT::emitGetClosureVar):
1291         (JSC::JIT::emitPutClosureVar):
1292         * jit/JITPropertyAccess32_64.cpp:
1293         (JSC::JIT::emitGetClosureVar):
1294         (JSC::JIT::emitPutClosureVar):
1295         * llint/LLIntOffsetsExtractor.cpp:
1296         * llint/LowLevelInterpreter32_64.asm:
1297         * llint/LowLevelInterpreter64.asm:
1298         * runtime/JSActivation.cpp:
1299         (JSC::JSActivation::getOwnNonIndexPropertyNames):
1300         * runtime/JSActivation.h:
1301         * runtime/JSEnvironmentRecord.cpp: Renamed from Source/JavaScriptCore/runtime/JSVariableObject.cpp.
1302         * runtime/JSEnvironmentRecord.h: Renamed from Source/JavaScriptCore/runtime/JSVariableObject.h.
1303         (JSC::JSEnvironmentRecord::registers):
1304         (JSC::JSEnvironmentRecord::registerAt):
1305         (JSC::JSEnvironmentRecord::addressOfRegisters):
1306         (JSC::JSEnvironmentRecord::offsetOfRegisters):
1307         (JSC::JSEnvironmentRecord::JSEnvironmentRecord):
1308         * runtime/JSNameScope.h:
1309         * runtime/JSSegmentedVariableObject.h:
1310
1311 2014-09-10  Julien Brianceau   <jbriance@cisco.com>
1312
1313         [mips] Add missing parts and fix LLINT mips backend
1314         https://bugs.webkit.org/show_bug.cgi?id=136706
1315
1316         Reviewed by Michael Saboff.
1317
1318         * llint/LowLevelInterpreter.asm: Fix invalid CalleeSave register number.
1319         Implement initPCRelative and setEntryAddress macros.
1320         * llint/LowLevelInterpreter32_64.asm: Fix register distribution in
1321         doVMEntry macro.
1322
1323 2014-09-10  Saam Barati  <saambarati1@gmail.com>
1324
1325         TypeSet needs a mode where it no longer profiles structure shapes
1326         https://bugs.webkit.org/show_bug.cgi?id=136263
1327
1328         Reviewed by Filip Pizlo.
1329
1330         The TypeSet data structure used to gather as many StructureShape
1331         objects as it encountered during type profiling. But, this meant 
1332         that there was no upper limit on how many objects it could allocate. 
1333         This patch places a fixed upper bound on the number of StructureShapes
1334         allocated per TypeSet to prevent using too much memory for little gain
1335         in type profiling usefulness.
1336
1337         StructureShape objects are now also aware of when they are created
1338         from Structures which are dictionaries.
1339
1340         In total, this patch lays the final groundwork needed in refactoring 
1341         the inspector protocol for the type profiler.
1342
1343         * runtime/Structure.cpp:
1344         (JSC::Structure::toStructureShape):
1345         * runtime/TypeProfiler.cpp:
1346         (JSC::TypeProfiler::typeInformationForExpressionAtOffset):
1347         * runtime/TypeSet.cpp:
1348         (JSC::TypeSet::TypeSet):
1349         (JSC::TypeSet::addTypeInformation):
1350         (JSC::StructureShape::StructureShape):
1351         (JSC::StructureShape::toJSONString):
1352         (JSC::StructureShape::enterDictionaryMode):
1353         * runtime/TypeSet.h:
1354         (JSC::TypeSet::isOverflown):
1355         * tests/typeProfiler/dictionary-mode.js: Added.
1356         (wrapper):
1357         * tests/typeProfiler/driver/driver.js:
1358         * tests/typeProfiler/overflow.js: Added.
1359         (wrapper.Proto):
1360         (wrapper):
1361
1362 2014-09-10  Peter Gal  <galpeter@inf.u-szeged.hu>
1363
1364         [MIPS] branch32WithPatch missing
1365         https://bugs.webkit.org/show_bug.cgi?id=136696
1366
1367         Reviewed by Michael Saboff.
1368
1369         Added the missing branch32WithPatch. The implementation
1370         is currently the same as the branchPtrWithPatch because
1371         the macro assembler supports only 32 bit MIPS.
1372
1373         * assembler/MacroAssemblerMIPS.h:
1374         (JSC::MacroAssemblerMIPS::branch32WithPatch):
1375
1376 2014-09-10  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>
1377
1378         Fix !ENABLE(DFG_JIT) build
1379         https://bugs.webkit.org/show_bug.cgi?id=136702
1380
1381         Reviewed by Michael Saboff.
1382
1383         * bytecode/CallEdgeProfile.h:
1384
1385 2014-09-09  Benjamin Poulain  <bpoulain@apple.com>
1386
1387         Disable the "unreachable-code" warning
1388         https://bugs.webkit.org/show_bug.cgi?id=136677
1389
1390         Reviewed by Darin Adler.
1391
1392         * Configurations/Base.xcconfig:
1393
1394 2014-09-08  Filip Pizlo  <fpizlo@apple.com>
1395
1396         DFG should have a reusable SSA builder
1397         https://bugs.webkit.org/show_bug.cgi?id=136331
1398
1399         Reviewed by Oliver Hunt.
1400         
1401         We want to implement sophisticated SSA transformations like object allocation sinking
1402         (https://bugs.webkit.org/show_bug.cgi?id=136330), but to do that, we need to be able to do
1403         updates to SSA that require inserting new Phi's. This requires calculating where Phis go.
1404         Previously, our Phi calculation was based on Aycock and Horspool's algorithm, and our
1405         implementation of this algorithm only worked when doing CPS->SSA conversion. The code
1406         could not be reused for cases where some phase happens to know that it introduced a few
1407         defs in some blocks and it wants to figure out where the Phis should go. Moreover, even
1408         the general algorithm of Aycock and Horspool is not well suited to such targeted SSA
1409         updates, since it requires first inserting maximal Phis. That scales well when the Phis
1410         were already there (like in our CPS form) but otherwise it's quite unnatural and may be
1411         difficult to make efficient.
1412         
1413         The usual way of handling both SSA conversion and SSA update is to use Cytron et al's
1414         algorithm based on dominance frontiers. For a while now, I've been working on creating a
1415         Cytron-based SSA calculator that can be used both as a replacement for our current SSA
1416         converter and as a reusable tool for any phase that needs to do SSA update. I previously
1417         optimized our dominator calculation and representation to use dominator trees computed
1418         using Lengauer and Tarjan's algorithm - mainly to make it more scalable to enumerate over
1419         the set of blocks that dominate you or vice-versa, and then I implemented a dominance
1420         frontier calculator. This patch implements the final step towards making SSA update
1421         available to all SSA phases: it implements an SSACalculator that can tell you where Phis
1422         go when given an arbitrary set of Defs. To keep things simple, and to ensure that we have
1423         good test coverage for this SSACalculator, this patch replaces the old Aycock-Horspool
1424         SSA converter with one based on the SSACalculator.
1425         
1426         This has no observable impact. It does reduce the amount of code in SSAConversionPhase.
1427         But even better, it makes SSAConversionPhase have significantly less tricky logic. It
1428         mostly just relies on SSACalculator to do the tricky stuff, and SSAConversionPhase mostly
1429         just reasons about the weirdnesses unique to the ThreadedCPS form that it sees as input.
1430         In fact, using the Cytron et al approach means that there isn't really any "smoke and
1431         mirrors" trickiness related to SSA. SSACalculator's only "tricks" are using the pruned
1432         iterated dominance frontier to place Phi's and using the dom tree to find reaching defs.
1433         The complexity is mostly confined to Dominators, which computes various dominator-related
1434         properties over the control flow graph. That class can be difficult to understand, but at
1435         least it follows well-known graph theory wisdom.
1436
1437         * CMakeLists.txt:
1438         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1439         * JavaScriptCore.xcodeproj/project.pbxproj:
1440         * dfg/DFGAnalysis.h:
1441         * dfg/DFGCSEPhase.cpp:
1442         * dfg/DFGDCEPhase.cpp:
1443         (JSC::DFG::DCEPhase::run):
1444         * dfg/DFGDominators.h:
1445         (JSC::DFG::Dominators::immediateDominatorOf):
1446         (JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOf):
1447         (JSC::DFG::Dominators::forAllBlocksInPrunedIteratedDominanceFrontierOf):
1448         * dfg/DFGGraph.cpp:
1449         (JSC::DFG::Graph::dump):
1450         (JSC::DFG::Graph::blocksInPreOrder):
1451         (JSC::DFG::Graph::blocksInPostOrder):
1452         (JSC::DFG::Graph::getBlocksInPreOrder): Deleted.
1453         (JSC::DFG::Graph::getBlocksInPostOrder): Deleted.
1454         * dfg/DFGGraph.h:
1455         * dfg/DFGLICMPhase.cpp:
1456         (JSC::DFG::LICMPhase::run):
1457         * dfg/DFGNodeFlags.h:
1458         * dfg/DFGPhase.cpp:
1459         (JSC::DFG::Phase::beginPhase):
1460         (JSC::DFG::Phase::endPhase):
1461         * dfg/DFGPhase.h:
1462         * dfg/DFGSSACalculator.cpp: Added.
1463         (JSC::DFG::SSACalculator::Variable::dump):
1464         (JSC::DFG::SSACalculator::Variable::dumpVerbose):
1465         (JSC::DFG::SSACalculator::Def::dump):
1466         (JSC::DFG::SSACalculator::SSACalculator):
1467         (JSC::DFG::SSACalculator::~SSACalculator):
1468         (JSC::DFG::SSACalculator::newVariable):
1469         (JSC::DFG::SSACalculator::newDef):
1470         (JSC::DFG::SSACalculator::nonLocalReachingDef):
1471         (JSC::DFG::SSACalculator::reachingDefAtTail):
1472         (JSC::DFG::SSACalculator::dump):
1473         * dfg/DFGSSACalculator.h: Added.
1474         (JSC::DFG::SSACalculator::Variable::index):
1475         (JSC::DFG::SSACalculator::Variable::Variable):
1476         (JSC::DFG::SSACalculator::Def::variable):
1477         (JSC::DFG::SSACalculator::Def::block):
1478         (JSC::DFG::SSACalculator::Def::value):
1479         (JSC::DFG::SSACalculator::Def::Def):
1480         (JSC::DFG::SSACalculator::variable):
1481         (JSC::DFG::SSACalculator::computePhis):
1482         (JSC::DFG::SSACalculator::phisForBlock):
1483         (JSC::DFG::SSACalculator::reachingDefAtHead):
1484         * dfg/DFGSSAConversionPhase.cpp:
1485         (JSC::DFG::SSAConversionPhase::SSAConversionPhase):
1486         (JSC::DFG::SSAConversionPhase::run):
1487         (JSC::DFG::SSAConversionPhase::forwardPhiChildren): Deleted.
1488         (JSC::DFG::SSAConversionPhase::forwardPhi): Deleted.
1489         (JSC::DFG::SSAConversionPhase::forwardPhiEdge): Deleted.
1490         (JSC::DFG::SSAConversionPhase::deduplicateChildren): Deleted.
1491         * dfg/DFGSSAConversionPhase.h:
1492         * dfg/DFGValidate.cpp:
1493         (JSC::DFG::Validate::Validate):
1494         (JSC::DFG::Validate::dumpGraphIfAppropriate):
1495         (JSC::DFG::validate):
1496         * dfg/DFGValidate.h:
1497         * ftl/FTLLowerDFGToLLVM.cpp:
1498         (JSC::FTL::LowerDFGToLLVM::lower):
1499         * runtime/Options.h:
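
As an added illustration of the Cytron-style Phi placement this entry describes (not JSC's SSACalculator, and written against a constructed six-block CFG), the C++ sketch below computes the dominator tree, the dominance frontiers and the pruned iterated dominance frontier of a set of defs, then finds reaching defs by walking the dominator tree. It uses the Cooper-Harvey-Kennedy iterative dominator algorithm in place of Lengauer-Tarjan (same tree, less code) and takes liveness as an input instead of computing it.

```cpp
#include <set>
#include <vector>

// A tiny control flow graph, constructed for this example: blocks are numbered 0..n-1,
// block 0 is the entry, and every block is assumed to be reachable from the entry.
struct CFG {
    std::vector<std::vector<int>> succ, pred;
    explicit CFG(int n) : succ(n), pred(n) {}
    void edge(int from, int to) { succ[from].push_back(to); pred[to].push_back(from); }
    int size() const { return (int)succ.size(); }
};

// Phi placement in the style of Cytron et al.: dominator tree, then dominance frontiers,
// then the (pruned) iterated dominance frontier of the blocks that define a variable.
// Dominators come from the Cooper-Harvey-Kennedy iterative algorithm here; it yields the
// same tree as the Lengauer-Tarjan algorithm mentioned in the entry above.
class SSACalculator {
public:
    explicit SSACalculator(const CFG& g) : m_cfg(g) { computeDominators(); computeFrontiers(); }

    // Blocks that need a Phi for a variable defined in defBlocks: the iterated dominance
    // frontier of those blocks. A non-empty liveAtHead prunes it to blocks where the variable
    // is live on entry, so no dead Phi is placed (liveness is an input in this example).
    std::set<int> phiBlocks(const std::set<int>& defBlocks, const std::set<int>& liveAtHead = {}) const {
        std::set<int> phis;
        std::vector<int> worklist(defBlocks.begin(), defBlocks.end());
        while (!worklist.empty()) {
            int b = worklist.back(); worklist.pop_back();
            for (int f : m_df[b]) {
                if (!liveAtHead.empty() && !liveAtHead.count(f)) continue; // Phi would be dead: skip it
                if (phis.insert(f).second) worklist.push_back(f);           // a Phi is a def too
            }
        }
        return phis;
    }

    // Reaching def at the head of block b: the nearest strict dominator that holds a def or
    // a Phi of the variable, or -1 when nothing reaches b.
    int reachingDefAtHead(const std::set<int>& defsAndPhis, int b) const {
        while (b != 0) {
            b = m_idom[b];
            if (defsAndPhis.count(b)) return b;
        }
        return -1;
    }

    const std::vector<int>& idom() const { return m_idom; }

private:
    void postorder(int b, std::vector<bool>& seen, std::vector<int>& out) const {
        seen[b] = true;
        for (int s : m_cfg.succ[b]) if (!seen[s]) postorder(s, seen, out);
        out.push_back(b);
    }

    void computeDominators() {
        std::vector<bool> seen(m_cfg.size(), false);
        std::vector<int> po;
        postorder(0, seen, po);
        std::vector<int> rpo(m_cfg.size(), -1); // position of each block in reverse postorder
        for (int i = 0; i < (int)po.size(); ++i) rpo[po[i]] = (int)po.size() - 1 - i;
        m_idom.assign(m_cfg.size(), -1);
        m_idom[0] = 0; // the entry is its own dominator, which terminates the walks below
        auto intersect = [&](int a, int b) { // climb the tree from both sides until they meet
            while (a != b) { if (rpo[a] > rpo[b]) a = m_idom[a]; else b = m_idom[b]; }
            return a;
        };
        for (bool changed = true; changed;) {
            changed = false;
            for (int i = (int)po.size() - 2; i >= 0; --i) { // reverse postorder, entry excluded
                int b = po[i], candidate = -1;
                for (int p : m_cfg.pred[b]) {
                    if (m_idom[p] == -1) continue; // predecessor not processed yet
                    candidate = candidate == -1 ? p : intersect(p, candidate);
                }
                if (m_idom[b] != candidate) { m_idom[b] = candidate; changed = true; }
            }
        }
    }

    void computeFrontiers() {
        m_df.assign(m_cfg.size(), std::set<int>());
        for (int b = 0; b < m_cfg.size(); ++b) {
            if (m_cfg.pred[b].size() < 2) continue; // only join points appear in a frontier
            for (int p : m_cfg.pred[b])
                for (int r = p; r != m_idom[b]; r = m_idom[r]) m_df[r].insert(b);
        }
    }

    CFG m_cfg;
    std::vector<int> m_idom;
    std::vector<std::set<int>> m_df;
};

// Constructed example: a loop whose body is a diamond.
//   0 -> 1; 1 -> 2, 3; 2 -> 4; 3 -> 4; 4 -> 1 (back edge), 5 (loop exit)
// A variable x defined in 0 and 2 and used everywhere gets Phis at the join 4 and the loop
// header 1; a variable y defined in 2 and 3 but only used in 4 gets just the Phi at 4 once
// the frontier is pruned by liveness.
CFG exampleCfg() {
    CFG g(6);
    g.edge(0, 1); g.edge(1, 2); g.edge(1, 3); g.edge(2, 4); g.edge(3, 4); g.edge(4, 1); g.edge(4, 5);
    return g;
}
```

With the example CFG, `SSACalculator(exampleCfg()).phiBlocks({0, 2})` yields blocks 1 and 4, and `phiBlocks({2, 3}, {4})` yields only block 4.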
1500
1501 2014-09-08  Commit Queue  <commit-queue@webkit.org>
1502
1503         Unreviewed, rolling out r173402.
1504         https://bugs.webkit.org/show_bug.cgi?id=136649
1505
1506         Breaking build with error "unable to restore file position to
1507         0x00000c60 for section __DWARF.__debug_info (errno = 9)"
1508         (Requested by mlam_ on #webkit).
1509
1510         Reverted changeset:
1511
1512         "Move CallFrame and Register inline functions out of
1513         JSScope.h."
1514         https://bugs.webkit.org/show_bug.cgi?id=136579
1515         http://trac.webkit.org/changeset/173402
1516
1517 2014-09-08  Mark Lam  <mark.lam@apple.com>
1518
1519         Move CallFrame and Register inline functions out of JSScope.h.
1520         <https://webkit.org/b/136579>
1521
1522         Reviewed by Geoffrey Garen.
1523
1524         This includes fixing up some files to #include JSCInlines.h to pick up
1525         these inline functions.  I also added JSCellInlines.h to JSCInlines.h
1526         since it is included from many of the affected .cpp files.
1527
1528         * API/ObjCCallbackFunction.mm:
1529         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1530         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1531         * JavaScriptCore.xcodeproj/project.pbxproj:
1532         * bindings/ScriptValue.cpp:
1533         * inspector/InjectedScriptHost.cpp:
1534         * inspector/InjectedScriptManager.cpp:
1535         * inspector/JSGlobalObjectInspectorController.cpp:
1536         * inspector/JSJavaScriptCallFrame.cpp:
1537         * inspector/ScriptDebugServer.cpp:
1538         * interpreter/CallFrameInlines.h:
1539         (JSC::CallFrame::vm):
1540         (JSC::CallFrame::lexicalGlobalObject):
1541         (JSC::CallFrame::globalThisValue):
1542         * interpreter/RegisterInlines.h: Added.
1543         (JSC::Register::operator=):
1544         (JSC::Register::scope):
1545         * runtime/ArgumentsIteratorConstructor.cpp:
1546         * runtime/JSArrayIterator.cpp:
1547         * runtime/JSCInlines.h:
1548         * runtime/JSCJSValue.cpp:
1549         * runtime/JSMapIterator.cpp:
1550         * runtime/JSPromiseConstructor.cpp:
1551         * runtime/JSPromiseDeferred.cpp:
1552         * runtime/JSPromiseFunctions.cpp:
1553         * runtime/JSPromisePrototype.cpp:
1554         * runtime/JSPromiseReaction.cpp:
1555         * runtime/JSScope.h:
1556         (JSC::Register::operator=): Deleted.
1557         (JSC::Register::scope): Deleted.
1558         (JSC::ExecState::vm): Deleted.
1559         (JSC::ExecState::lexicalGlobalObject): Deleted.
1560         (JSC::ExecState::globalThisValue): Deleted.
1561         * runtime/JSSetIterator.cpp:
1562         * runtime/MapConstructor.cpp:
1563         * runtime/MapData.cpp:
1564         * runtime/MapIteratorPrototype.cpp:
1565         * runtime/MapPrototype.cpp:
1566         * runtime/SetConstructor.cpp:
1567         * runtime/SetIteratorPrototype.cpp:
1568         * runtime/SetPrototype.cpp:
1569         * runtime/WeakMapConstructor.cpp:
1570         * runtime/WeakMapPrototype.cpp:
1571
1572 2014-09-08  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>
1573
1574         Remove FILTERS flag
1575         https://bugs.webkit.org/show_bug.cgi?id=136571
1576
1577         Reviewed by Darin Adler.
1578
1579         * Configurations/FeatureDefines.xcconfig:
1580
1581 2014-09-08  Saam Barati  <saambarati1@gmail.com>
1582
1583         Merge StructureShapes that share the same prototype chain
1584         https://bugs.webkit.org/show_bug.cgi?id=136549
1585
1586         Reviewed by Filip Pizlo.
1587
1588         Instead of keeping track of many discrete StructureShapes that share
1589         the same prototype chain, TypeSet should merge StructureShapes that 
1590         have the same prototype chain and provide a new member variable for 
1591         optional structure fields. This provides a cleaner and more concise
1592         interface for dealing with StructureShapes within TypeSet. Instead
1593         of having many discrete shapes that are almost identical, almost 
1594         identical shapes will be merged together with an interface for 
1595         understanding what fields the shapes being merged together differ in.
1596
1597         * runtime/TypeSet.cpp:
1598         (JSC::TypeSet::addTypeInformation):
1599         (JSC::StructureShape::addProperty):
1600         (JSC::StructureShape::toJSONString):
1601         (JSC::StructureShape::inspectorRepresentation):
1602         (JSC::StructureShape::hasSamePrototypeChain):
1603         (JSC::StructureShape::merge):
1604         * runtime/TypeSet.h:
1605         * tests/typeProfiler/optional-fields.js: Added.
1606         (wrapper.func):
1607         (wrapper):
1608
1609 2014-09-08  Jessie Berlin  <jberlin@apple.com>
1610
1611         More 32-bit Release build fixes after r173364.
1612
1613         * dfg/DFGSpeculativeJIT32_64.cpp:
1614         (JSC::DFG::SpeculativeJIT::compile):
1615
1616 2014-09-07  Maciej Stachowiak  <mjs@apple.com>
1617
1618         Fix typos in last patch to fix build.
1619
1620         Unreviewed build fix.
1621
1622         * dfg/DFGSpeculativeJIT.cpp:
1623         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
1624         (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
1625
1626 2014-09-07  Maciej Stachowiak  <mjs@apple.com>
1627
1628         Introduce COMPILER_QUIRK(CONSIDERS_UNREACHABLE_CODE) and use it
1629         https://bugs.webkit.org/show_bug.cgi?id=136616
1630
1631         Reviewed by Darin Adler.
1632         
1633         Many compilers will analyze unreachable code paths (e.g. after an
1634         unreachable code path), so sometimes they need dead code initializations.
1635         But clang with suitable warnings will complain about unreachable code. So
1636         use the quirk to include it conditionally.
1637
1638         * bytecode/CodeBlock.cpp:
1639         (JSC::CodeBlock::printGetByIdOp):
1640         * dfg/DFGOSRExitCompilerCommon.cpp:
1641         (JSC::DFG::handleExitCounts):
1642         * dfg/DFGPlan.cpp:
1643         (JSC::DFG::Plan::compileInThread):
1644         * dfg/DFGSpeculativeJIT.cpp:
1645         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
1646         * jsc.cpp:
1647         * runtime/JSArray.cpp:
1648         (JSC::JSArray::fillArgList):
1649         (JSC::JSArray::copyToArguments):
1650         * runtime/RegExp.cpp:
1651         (JSC::RegExp::compile):
1652         (JSC::RegExp::compileMatchOnly):
1653
1654 2014-09-06  Darin Adler  <darin@apple.com>
1655
1656         Make updates suggested by new version of Xcode
1657         https://bugs.webkit.org/show_bug.cgi?id=136603
1658
1659         Reviewed by Mark Rowe.
1660
1661         * Configurations/Base.xcconfig: Added CLANG_WARN_UNREACHABLE_CODE, COMBINE_HIDPI_IMAGES,
1662         and ENABLE_STRICT_OBJC_MSGSEND as suggested by Xcode upgrade check.
1663
1664         * JavaScriptCore.xcodeproj/project.pbxproj: Update LastUpgradeCheck.
1665
1666         * dfg/DFGSpeculativeJIT.cpp:
1667         (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode): Compile out unreachable code
1668         for clang, since it understands the code is unreachable.
1669         * runtime/JSArray.cpp:
1670         (JSC::JSArray::fillArgList): Ditto.
1671         (JSC::JSArray::copyToArguments): Ditto.
1672
1673 2014-09-05  Matt Baker  <mattbaker@apple.com>
1674
1675         Web Inspector: breakpoint actions should work regardless of Content Security Policy
1676         https://bugs.webkit.org/show_bug.cgi?id=136542
1677
1678         Reviewed by Mark Lam.
1679
1680         Added JSC::DebuggerEvalEnabler, an RAII object which enables eval on a 
1681         JSGlobalObject for the duration of a scope, returning the eval enabled state to its
1682         original value when the scope exits. Used by JSC::DebuggerCallFrame::evaluate 
1683         to allow breakpoint actions to execute JS in pages with a Content Security Policy
1684         that would normally prohibit this (such as Inspector's Main.html).
1685
1686         Refactored Inspector::InjectedScriptBase to use the RAII object instead of manually
1687         setting eval enabled and then resetting the original eval enabled state.
1688
1689         NOTE: The JSC::DebuggerEvalEnabler constructor checks the passed in ExecState pointer
1690         for null to be equivalent with the original code in Inspector::InjectedScriptBase.
1691         InjectedScriptBase is getting the ExecState from ScriptObject::scriptState(), which
1692         can currently be null.
1693
1694         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1695         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1696         * JavaScriptCore.xcodeproj/project.pbxproj:
1697         * debugger/DebuggerCallFrame.cpp:
1698         (JSC::DebuggerCallFrame::evaluate):
1699         * debugger/DebuggerEvalEnabler.h: Added.
1700         (JSC::DebuggerEvalEnabler::DebuggerEvalEnabler):
1701         (JSC::DebuggerEvalEnabler::~DebuggerEvalEnabler):
1702         * inspector/InjectedScriptBase.cpp:
1703         (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):
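
Added example, not the JSC class itself: a model of the DebuggerEvalEnabler pattern described in this entry, with stand-in GlobalObject and ExecState types constructed for the example. It shows the two cases that matter when a debugger temporarily lifts a page's CSP eval restriction: the original state is restored even when the breakpoint action throws, and nested enablers leave the restore to the outermost one.

```cpp
#include <stdexcept>

// Stand-ins constructed for this example: the eval switch a Content Security Policy turns
// off on a global object, and the ExecState through which the enabler reaches it.
struct GlobalObject {
    bool evalEnabled = false; // the page's CSP has disabled eval
};
struct ExecState {
    GlobalObject* globalObject;
};

// RAII enabler modelled on the pattern in the entry above: turns eval on for the lifetime
// of the object and restores the previous value when the scope exits, whether by return or
// by exception. A null ExecState makes it a no-op, as the entry notes for InjectedScriptBase.
class DebuggerEvalEnabler {
public:
    explicit DebuggerEvalEnabler(ExecState* exec)
        : m_exec(exec), m_evalWasDisabled(false)
    {
        if (!m_exec)
            return;
        GlobalObject* global = m_exec->globalObject;
        m_evalWasDisabled = !global->evalEnabled;
        if (m_evalWasDisabled)
            global->evalEnabled = true;
    }
    ~DebuggerEvalEnabler()
    {
        // Only the enabler that actually flipped the switch turns it back off; a nested
        // enabler that found eval already on leaves the outer one to restore the state.
        if (m_exec && m_evalWasDisabled)
            m_exec->globalObject->evalEnabled = false;
    }
    DebuggerEvalEnabler(const DebuggerEvalEnabler&) = delete;
    DebuggerEvalEnabler& operator=(const DebuggerEvalEnabler&) = delete;

private:
    ExecState* m_exec;
    bool m_evalWasDisabled;
};

struct Outcome {
    bool evalDuringAction; // what the breakpoint action observes
    bool evalAfterAction;  // what page script observes once the action is over
};

// Runs a breakpoint action against a CSP-restricted global object. If the action throws,
// the enabler's destructor still runs, so eval is disabled again before anything else runs.
Outcome runBreakpointAction(bool actionThrows, bool nested)
{
    GlobalObject global;
    ExecState exec{&global};
    Outcome outcome{false, false};
    try {
        DebuggerEvalEnabler enabler(&exec);
        if (nested) {
            DebuggerEvalEnabler inner(&exec); // finds eval already enabled, so it does nothing
        }
        outcome.evalDuringAction = global.evalEnabled; // still on after inner's destructor
        if (actionThrows)
            throw std::runtime_error("breakpoint action failed");
    } catch (const std::runtime_error&) {
        // the failure would be reported to the debugger; the enabler has already restored state
    }
    outcome.evalAfterAction = global.evalEnabled;
    return outcome;
}
```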
1704
1705 2014-09-05  peavo@outlook.com  <peavo@outlook.com>
1706
1707         [WinCairo] jsc.exe won't run.
1708         https://bugs.webkit.org/show_bug.cgi?id=136481
1709
1710         Reviewed by Alex Christensen.
1711         
1712         We need to define WIN_CAIRO to avoid looking for the AAS folder.
1713
1714         * JavaScriptCore.vcxproj/jsc/DLLLauncherWinCairo.props: Added.
1715         * JavaScriptCore.vcxproj/jsc/jscLauncher.vcxproj:
1716         * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncher.vcxproj:
1717         * JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props:
1718         * JavaScriptCore.vcxproj/testapi/testapiLauncher.vcxproj:
1719
1720 2014-09-05  David Kilzer  <ddkilzer@apple.com>
1721
1722         JavaScriptCore should build with newer clang
1723         <http://webkit.org/b/136002>
1724         <rdar://problem/18020616>
1725
1726         Reviewed by Geoffrey Garen.
1727
1728         Other than the JSC::SourceProvider::asID() change (which simply
1729         removes code that the optimizing compiler would have discarded
1730         in Release builds), we move the |this| checks in OpaqueJSString
1731         to NULL checks into JSBase, JSObjectRef, JSScriptRef,
1732         JSStringRef{CF} and JSValueRef.
1733
1734         Note that the following function arguments are _not_ NULL-checked
1735         since doing so would just cover up bugs (and were not needed to
1736         prevent any tests from failing):
1737         - |script| in JSEvaluateScript(), JSCheckScriptSyntax();
1738         - |body| in JSObjectMakeFunction();
1739         - |source| in JSScriptCreateReferencingImmortalASCIIText()
1740           (which is a const char* anyway);
1741         - |source| in JSScriptCreateFromString().
1742
1743         * API/JSBase.cpp:
1744         (JSEvaluateScript): Add NULL check for |sourceURL|.
1745         (JSCheckScriptSyntax): Ditto.
1746         * API/JSObjectRef.cpp:
1747         (JSObjectMakeFunction): Ditto.
1748         * API/JSScriptRef.cpp:
1749         (JSScriptCreateReferencingImmortalASCIIText): Ditto.
1750         (JSScriptCreateFromString): Add NULL check for |url|.
1751         * API/JSStringRef.cpp:
1752         (JSStringGetLength): Return early if NULL pointer is passed in.
1753         (JSStringGetCharactersPtr): Ditto.
1754         (JSStringGetUTF8CString): Ditto.  Also check |buffer| parameter.
1755         * API/JSStringRefCF.cpp:
1756         (JSStringCopyCFString): Ditto.
1757         * API/JSValueRef.cpp:
1758         (JSValueMakeString): Add NULL check for |string|.
1759
1760         * API/OpaqueJSString.cpp:
1761         (OpaqueJSString::string): Remove code that checks |this|.
1762         (OpaqueJSString::identifier): Ditto.
1763         (OpaqueJSString::characters): Ditto.
1764         * API/OpaqueJSString.h:
1765         (OpaqueJSString::is8Bit): Remove code that checks |this|.
1766         (OpaqueJSString::characters8): Ditto.
1767         (OpaqueJSString::characters16): Ditto.
1768         (OpaqueJSString::length): Ditto.
1769
1770         * parser/SourceProvider.h:
1771         (JSC::SourceProvider::asID): Remove code that checks |this|.
1772
1773 2014-06-06  Jer Noble  <jer.noble@apple.com>
1774
1775         Refactoring: make MediaTime the primary time type for audiovisual times.
1776         https://bugs.webkit.org/show_bug.cgi?id=133579
1777
1778         Reviewed by Eric Carlson.
1779
1780         Add a utility function which converts a MediaTime to a JSNumber.
1781
1782         * runtime/JSCJSValue.h:
1783         (JSC::jsNumber):
1784
1785 2014-09-04  Michael Saboff  <msaboff@apple.com>
1786
1787         ARM: Add more coverage to ARMv7 disassembler
1788         https://bugs.webkit.org/show_bug.cgi?id=136565
1789
1790         Reviewed by Mark Lam.
1791
1792         Added ARMV7 disassembler support for Push/Pop multiple and floating point instructions
1793         VCMP, VCVT[R] between floating point and integer, and VLDR.
1794
1795         * disassembler/ARMv7/ARMv7DOpcode.cpp:
1796         (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::appendRegisterList):
1797         (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPopMultiple::format):
1798         (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushMultiple::format):
1799         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::format):
1800         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::format):
1801         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::format):
1802         * disassembler/ARMv7/ARMv7DOpcode.h:
1803         (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::registerList):
1804         (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::condition):
1805         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::condition):
1806         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::dBit):
1807         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::vd):
1808         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::szBit):
1809         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::eBit):
1810         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::mBit):
1811         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::vm):
1812         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::condition):
1813         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::dBit):
1814         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::op2):
1815         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::vd):
1816         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::szBit):
1817         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::op):
1818         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::mBit):
1819         (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::vm):
1820         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::condition):
1821         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::uBit):
1822         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::rn):
1823         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::vd):
1824         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::doubleReg):
1825         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::immediate8):
1826
1827 2014-09-04  Mark Lam  <mark.lam@apple.com>
1828
1829         Move PropertySlot's inline functions back to PropertySlot.h.
1830         <https://webkit.org/b/136547>
1831
1832         Reviewed by Filip Pizlo.
1833
1834         * runtime/JSObject.h:
1835         (JSC::PropertySlot::getValue): Deleted.
1836         * runtime/PropertySlot.h:
1837         (JSC::PropertySlot::getValue):
1838
1839 2014-09-04  Filip Pizlo  <fpizlo@apple.com>
1840
1841         Make sure that deleting all code first processes the call edge log, and reenable call edge profiling.
1842
1843         Rubber stamped by Sam Weinig.
1844
1845         * debugger/Debugger.cpp:
1846         (JSC::Debugger::forEachCodeBlock):
1847         (JSC::Debugger::setSteppingMode):
1848         (JSC::Debugger::recompileAllJSFunctions):
1849         * inspector/agents/InspectorRuntimeAgent.cpp:
1850         (Inspector::recompileAllJSFunctionsForTypeProfiling):
1851         * runtime/Options.h: Reenable call edge profiling.
1852         * runtime/VM.cpp:
1853         (JSC::VM::prepareToDiscardCode): Make sure this also processes the call edge log, in case any call edge profiles are about to be destroyed.
1854         (JSC::VM::discardAllCode):
1855         (JSC::VM::releaseExecutableMemory):
1856         (JSC::VM::setEnabledProfiler):
1857         (JSC::VM::waitForCompilationsToComplete): Deleted.
1858         * runtime/VM.h: Rename waitForCompilationsToComplete() back to prepareToDiscardCode() because the purpose of the method - now as ever - is to do all of the things that need to be done to ensure that code may be safely deleted.
1859
1860 2014-09-04  Akos Kiss  <akiss@inf.u-szeged.hu>
1861
1862         Ensure that the call frame set up by vmEntryToNative does not overlap with the stack of the callee
1863         https://bugs.webkit.org/show_bug.cgi?id=136485
1864
1865         Reviewed by Michael Saboff.
1866
1867         Changed makeHostFunctionCall to keep the stack pointer above the call
1868         frame set up by doVMEntry. Thus the callee will/can not override the top
1869         of the call frame.
1870
1871         Refactored the two (32_64 and 64) versions of makeHostFunctionCall to be
1872         more alike to help future maintenance.
1873
1874         * llint/LowLevelInterpreter32_64.asm:
1875         * llint/LowLevelInterpreter64.asm:
1876
1877 2014-09-04  Michael Saboff  <msaboff@apple.com>
1878
1879         REGRESSION(r173031): crashes during run-layout-jsc on x86/Linux
1880         https://bugs.webkit.org/show_bug.cgi?id=136436
1881
1882         Reviewed by Geoffrey Garen.
1883
1884         Instead of trying to calculate a stack pointer that allows for possible
1885         stacked argument space, just use the "home" stack pointer location.
1886         That stack pointer provides space for the worst case number of stacked
1887         arguments on architectures that use stacked arguments.  It also provides
1888         stack space so that the return PC and caller frame pointer that are stored
1889         as part of making the call to operationCallEval will not override any part
1890         of the callee frame created on the stack.
1891
1892         Changed compileCallEval() to use the stackPointer value of the calling
1893         function.  That stack pointer is calculated to have enough space for
1894         outgoing stacked arguments.  By moving the stack pointer to its "home"
1895         position, the caller frame and return PC are not set as part of making
1896         the call to operationCallEval().  Moved the explicit setting of the
1897         callerFrame field of the callee CallFrame from operationCallEval() to
1898         compileCallEval() since it has been the artifact of making a call for
1899         most architectures.  Simplified the exception logic in compileCallEval()
1900         as a result of the change.  To be compliant with the stack state
1901         expected by virtualCallThunkGenerator(), moved the stack pointer to
1902         point above the CallerFrameAndPC of the callee CallFrame.
1903
1904         * jit/JIT.h: Changed callOperationNoExceptionCheck(J_JITOperation_EE, ...)
1905         to callOperation(J_JITOperation_EE, ...) as it now can do a typical exception
1906         check.
1907         * jit/JITCall.cpp & jit/JITCall32_64.cpp:
1908         (JSC::JIT::compileCallEval): Use the home stack pointer when making the call
1909         to operationCallEval.  Since the stack pointer adjustment no longer needs
1910         to be done after making the call to operationCallEval(), the exception check
1911         logic can be simplified.
1912         (JSC::JIT::compileCallEvalSlowCase): Restored the stack pointer to point
1913         to above the calleeFrame as this is what the generated thunk expects.
1914         * jit/JITInlines.h:
1915         (JSC::JIT::callOperation): Refactor of callOperationNoExceptionCheck
1916         with the addition of a standard exception check.
1917         (JSC::JIT::callOperationNoExceptionCheck): Deleted.
1918         * jit/JITOperations.cpp:
1919         (JSC::operationCallEval): Eliminated the explicit setting of caller frame
1920         as that is now done in the code generated by compileCallEval().
1921
1922 2014-09-03  Filip Pizlo  <fpizlo@apple.com>
1923
1924         Beef up the DFG's CFG analyses to include iterated dominance frontiers and more user-friendly BlockSets
1925         https://bugs.webkit.org/show_bug.cgi?id=136520
1926
1927         Reviewed by Geoffrey Garen.
1928         
1929         Add code to compute iterated dominance frontiers. This involves using BlockSet a lot, so
1930         this patch also makes BlockSet a lot more user-friendly.
1931
1932         * CMakeLists.txt:
1933         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1934         * JavaScriptCore.xcodeproj/project.pbxproj:
1935         * dfg/DFGBasicBlock.h:
1936         * dfg/DFGBlockSet.cpp: Added.
1937         (JSC::DFG::BlockSet::dump):
1938         * dfg/DFGBlockSet.h:
1939         (JSC::DFG::BlockSet::iterator::iterator):
1940         (JSC::DFG::BlockSet::iterator::operator++):
1941         (JSC::DFG::BlockSet::iterator::operator==):
1942         (JSC::DFG::BlockSet::iterator::operator!=):
1943         (JSC::DFG::BlockSet::Iterable::Iterable):
1944         (JSC::DFG::BlockSet::Iterable::begin):
1945         (JSC::DFG::BlockSet::Iterable::end):
1946         (JSC::DFG::BlockSet::iterable):
1947         (JSC::DFG::BlockAdder::BlockAdder):
1948         (JSC::DFG::BlockAdder::operator()):
1949         * dfg/DFGBlockSetInlines.h: Added.
1950         (JSC::DFG::BlockSet::iterator::operator*):
1951         * dfg/DFGDominators.cpp:
1952         (JSC::DFG::Dominators::strictDominatorsOf):
1953         (JSC::DFG::Dominators::dominatorsOf):
1954         (JSC::DFG::Dominators::blocksStrictlyDominatedBy):
1955         (JSC::DFG::Dominators::blocksDominatedBy):
1956         (JSC::DFG::Dominators::dominanceFrontierOf):
1957         (JSC::DFG::Dominators::iteratedDominanceFrontierOf):
1958         * dfg/DFGDominators.h:
1959         (JSC::DFG::Dominators::forAllStrictDominatorsOf):
1960         (JSC::DFG::Dominators::forAllDominatorsOf):
1961         (JSC::DFG::Dominators::forAllBlocksStrictlyDominatedBy):
1962         (JSC::DFG::Dominators::forAllBlocksDominatedBy):
1963         (JSC::DFG::Dominators::forAllBlocksInDominanceFrontierOf):
1964         (JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOf):
1965         (JSC::DFG::Dominators::forAllBlocksInDominanceFrontierOfImpl):
1966         (JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOfImpl):
1967         * dfg/DFGGraph.cpp:
1968         (JSC::DFG::Graph::dumpBlockHeader):
1969         * dfg/DFGInvalidationPointInjectionPhase.cpp:
1970         (JSC::DFG::InvalidationPointInjectionPhase::run):
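
As an added illustration of what the new Dominators helpers compute (this is constructed example code, not the DFG's own implementation), the following Ruby computes dominator sets, immediate dominators, dominance frontiers and an iterated dominance frontier over a small hand-built CFG. The CFG, the block ids and all function names are assumptions made for this example; the algorithms are the textbook fixpoint dominator solver and the Cooper/Harvey/Kennedy dominance-frontier walk.

```ruby
require "set"

# Constructed example CFG (not taken from any DFG graph): block id => successor ids.
# Block 0 is the entry, block 4 is a join point, and block 1 is a loop header.
EXAMPLE_CFG = {
  0 => [1],
  1 => [2, 3],
  2 => [4],
  3 => [4],
  4 => [1, 5],
  5 => [],
}.freeze

# Reverse the successor map so each block knows its predecessors.
def predecessors(cfg)
  preds = Hash.new { |h, k| h[k] = [] }
  cfg.each_key { |b| preds[b] }
  cfg.each { |b, succs| succs.each { |s| preds[s] << b } }
  preds
end

# dom(b) = {b} ∪ ⋂ dom(p) over predecessors p, solved by iterating to a fixpoint.
def dominators(cfg, entry = 0)
  preds = predecessors(cfg)
  all = Set.new(cfg.keys)
  dom = cfg.keys.map { |b| [b, b == entry ? Set[entry] : all.dup] }.to_h
  loop do
    changed = false
    cfg.each_key do |b|
      next if b == entry || preds[b].empty?
      updated = preds[b].map { |p| dom[p] }.reduce(:&) | Set[b]
      next if updated == dom[b]
      dom[b] = updated
      changed = true
    end
    break unless changed
  end
  dom
end

# The immediate dominator is the strict dominator closest to b, i.e. the one
# whose own dominator set is largest.
def immediate_dominators(dom, entry = 0)
  dom.each_with_object({}) do |(b, ds), idom|
    next if b == entry
    idom[b] = (ds - Set[b]).max_by { |d| dom[d].size }
  end
end

# Dominance frontier: for every join block b, walk up the dominator tree from
# each predecessor until idom(b) is reached; every block passed has b in its DF.
def dominance_frontiers(cfg, idom)
  preds = predecessors(cfg)
  df = cfg.keys.map { |b| [b, Set.new] }.to_h
  cfg.each_key do |b|
    next if preds[b].size < 2
    preds[b].each do |p|
      runner = p
      while runner != idom[b]
        df[runner] << b
        runner = idom[runner]
      end
    end
  end
  df
end

# Iterated dominance frontier: the closure of DF over the blocks it keeps adding
# (the set SSA construction uses to place phi nodes for a set of definitions).
def iterated_dominance_frontier(df, blocks)
  result = Set.new
  worklist = blocks.to_a
  until worklist.empty?
    b = worklist.pop
    df[b].each do |f|
      next unless result.add?(f)   # add? returns nil when f was already present
      worklist.push(f)
    end
  end
  result
end

# Convenience wrapper over the constructed CFG; returns a sorted array.
def example_idf(blocks)
  dom = dominators(EXAMPLE_CFG)
  idom = immediate_dominators(dom)
  df = dominance_frontiers(EXAMPLE_CFG, idom)
  iterated_dominance_frontier(df, blocks).to_a.sort
end

if __FILE__ == $PROGRAM_NAME
  df = dominance_frontiers(EXAMPLE_CFG, immediate_dominators(dominators(EXAMPLE_CFG)))
  EXAMPLE_CFG.each_key { |b| puts "DF(#{b}) = #{df[b].to_a.sort.inspect}" }
  puts "IDF({2}) = #{example_idf([2]).inspect}"
end
```

On this CFG the loop header 1 ends up in its own dominance frontier (via the back edge from 4), which is why IDF({2}) is {1, 4} rather than just the join block 4.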
1971
1972 2014-09-04  Mark Lam  <mark.lam@apple.com>
1973
1974         Fixed indentations and some style warnings in JavaScriptCore/runtime.
1975         <https://webkit.org/b/136518>
1976
1977         Reviewed by Michael Saboff.
1978
1979         Also removed some superfluous spaces.  There are no semantic changes.
1980
1981         * runtime/Completion.h:
1982         * runtime/ConstructData.h:
1983         * runtime/DateConstructor.h:
1984         * runtime/DateInstance.h:
1985         * runtime/DateInstanceCache.h:
1986         * runtime/DatePrototype.h:
1987         * runtime/Error.h:
1988         * runtime/ErrorConstructor.h:
1989         * runtime/ErrorInstance.h:
1990         * runtime/ErrorPrototype.h:
1991         * runtime/FunctionConstructor.h:
1992         * runtime/FunctionPrototype.h:
1993         * runtime/GetterSetter.h:
1994         * runtime/Identifier.h:
1995         * runtime/InitializeThreading.h:
1996         * runtime/InternalFunction.h:
1997         * runtime/JSAPIValueWrapper.h:
1998         * runtime/JSFunction.h:
1999         * runtime/JSLock.h:
2000         * runtime/JSNotAnObject.h:
2001         * runtime/JSONObject.h:
2002         * runtime/JSString.h:
2003         * runtime/JSTypeInfo.h:
2004         * runtime/JSWrapperObject.h:
2005         * runtime/Lookup.h:
2006         * runtime/MathObject.h:
2007         * runtime/NativeErrorConstructor.h:
2008         * runtime/NativeErrorPrototype.h:
2009         * runtime/NumberConstructor.h:
2010         * runtime/NumberObject.h:
2011         * runtime/NumberPrototype.h:
2012         * runtime/NumericStrings.h:
2013         * runtime/ObjectConstructor.h:
2014         * runtime/ObjectPrototype.h:
2015         * runtime/PropertyDescriptor.h:
2016         * runtime/Protect.h:
2017         * runtime/PutPropertySlot.h:
2018         * runtime/RegExp.h:
2019         * runtime/RegExpCachedResult.h:
2020         * runtime/RegExpConstructor.h:
2021         * runtime/RegExpMatchesArray.h:
2022         * runtime/RegExpObject.h:
2023         * runtime/RegExpPrototype.h:
2024         * runtime/SmallStrings.h:
2025         * runtime/StringConstructor.h:
2026         * runtime/StringObject.h:
2027         * runtime/StringPrototype.h:
2028         * runtime/StructureChain.h:
2029         * runtime/VM.h:
2030
2031 2014-09-04  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>
2032
2033         Remove CSS_FILTERS flag
2034         https://bugs.webkit.org/show_bug.cgi?id=136529
2035
2036         Reviewed by Dirk Schulze.
2037
2038         * Configurations/FeatureDefines.xcconfig:
2039
2040 2014-09-04  Commit Queue  <commit-queue@webkit.org>
2041
2042         Unreviewed, rolling out r173248.
2043         https://bugs.webkit.org/show_bug.cgi?id=136536
2044
2045         call edge profiling and polymorphic call inlining are still
2046         causing crashes (Requested by eric_carlson on #webkit).
2047
2048         Reverted changeset:
2049
2050         "Reenable call edge profiling and polymorphic call inlining,
2051         now that a bunch of the bugs"
2052         http://trac.webkit.org/changeset/173248
2053
2054 2014-09-04  Brian J. Burg  <burg@cs.washington.edu>
2055
2056         Web Inspector: the profiler should not accrue time to nodes while the debugger is paused
2057         https://bugs.webkit.org/show_bug.cgi?id=136352
2058
2059         Reviewed by Timothy Hatcher.
2060
2061         Hook up pause/continue events to the LegacyProfiler and any active
2062         ProfilerGenerators. If the debugger is paused, all intervening call
2063         entries will be created with totalTime as 0.0.
2064
2065         * inspector/ScriptDebugServer.cpp:
2066         (Inspector::ScriptDebugServer::handlePause):
2067         * profiler/LegacyProfiler.cpp: Move from typedef'd callbacks to using
2068         std::function. This allows callbacks to take different argument types.
2069
2070         (JSC::callFunctionForProfilesWithGroup):
2071         (JSC::LegacyProfiler::willExecute):
2072         (JSC::LegacyProfiler::didExecute):
2073         (JSC::LegacyProfiler::exceptionUnwind):
2074         (JSC::LegacyProfiler::didPause):
2075         (JSC::LegacyProfiler::didContinue):
2076         (JSC::dispatchFunctionToProfiles): Deleted.
2077         * profiler/LegacyProfiler.h:
2078         * profiler/ProfileGenerator.cpp:
2079         (JSC::ProfileGenerator::ProfileGenerator):
2080         (JSC::ProfileGenerator::endCallEntry):
2081         (JSC::ProfileGenerator::didExecute): Deleted.
2082         * profiler/ProfileGenerator.h:
2083         (JSC::ProfileGenerator::didPause):
2084         (JSC::ProfileGenerator::didContinue):
2085
2086 2014-09-04  Commit Queue  <commit-queue@webkit.org>
2087
2088         Unreviewed, rolling out r173245.
2089         https://bugs.webkit.org/show_bug.cgi?id=136533
2090
2091         Broke JSC tests. (Requested by ddkilzer on #webkit).
2092
2093         Reverted changeset:
2094
2095         "JavaScriptCore should build with newer clang"
2096         https://bugs.webkit.org/show_bug.cgi?id=136002
2097         http://trac.webkit.org/changeset/173245
2098
2099 2014-09-04  Brian J. Burg  <burg@cs.washington.edu>
2100
2101         LegacyProfiler: ProfileNodes should be used more like structs
2102         https://bugs.webkit.org/show_bug.cgi?id=136381
2103
2104         Reviewed by Timothy Hatcher.
2105
2106         Previously, both the profile generator and individual profile nodes
2107         were collectively responsible for creating new Call entries and
2108         maintaining data structure invariants. This complexity is unnecessary.
2109
2110         This patch centralizes profile data creation inside the profile generator.
2111         The profile nodes manage nextSibling and parent pointers, but do not
2112         collect the current time or create new Call entries themselves.
2113
2114         Since ProfileNode::nextSibling and its callers are only used within
2115         debug printing code, it should be compiled out for release builds.
2116
2117         * profiler/ProfileGenerator.cpp:
2118         (JSC::ProfileGenerator::ProfileGenerator):
2119         (JSC::AddParentForConsoleStartFunctor::operator()):
2120         (JSC::ProfileGenerator::beginCallEntry): create a new Call entry.
2121         (JSC::ProfileGenerator::endCallEntry): finish the last Call entry.
2122         (JSC::ProfileGenerator::willExecute): inline ProfileNode::willExecute()
2123         (JSC::ProfileGenerator::didExecute): inline ProfileNode::didExecute()
2124         (JSC::ProfileGenerator::stopProfiling): Only walk up the spine.
2125         (JSC::ProfileGenerator::removeProfileStart):
2126         (JSC::ProfileGenerator::removeProfileEnd):
2127         * profiler/ProfileGenerator.h:
2128         * profiler/ProfileNode.cpp:
2129         (JSC::ProfileNode::ProfileNode):
2130         (JSC::ProfileNode::addChild):
2131         (JSC::ProfileNode::removeChild):
2132         (JSC::ProfileNode::spliceNode): Renamed from insertNode.
2133         (JSC::ProfileNode::debugPrintRecursively):
2134         (JSC::ProfileNode::willExecute): Deleted.
2135         (JSC::ProfileNode::insertNode): Deleted.
2136         (JSC::ProfileNode::stopProfiling): Deleted.
2137         (JSC::ProfileNode::traverseNextNodePostOrder):
2138         (JSC::ProfileNode::endAndRecordCall): Deleted.
2139         (JSC::ProfileNode::debugPrintDataSampleStyle):
2140         * profiler/ProfileNode.h:
2141         (JSC::ProfileNode::Call::setStartTime):
2142         (JSC::ProfileNode::Call::setTotalTime):
2143         (JSC::ProfileNode::appendCall):
2144         (JSC::ProfileNode::firstChild):
2145         (JSC::ProfileNode::lastChild):
2146         (JSC::ProfileNode::nextSibling):
2147         (JSC::ProfileNode::setNextSibling):
2148
2149 2014-09-02  Brian J. Burg  <burg@cs.washington.edu>
2150
2151         Web Inspector: fix prefixes for subclasses of JSC::ConsoleClient
2152         https://bugs.webkit.org/show_bug.cgi?id=136476
2153
2154         Reviewed by Timothy Hatcher.
2155
2156         * CMakeLists.txt:
2157         * JavaScriptCore.xcodeproj/project.pbxproj:
2158         * inspector/JSGlobalObjectConsoleClient.cpp: Renamed from Source/JavaScriptCore/inspector/JSConsoleClient.cpp.
2159         * inspector/JSGlobalObjectConsoleClient.h: Renamed from Source/JavaScriptCore/inspector/JSConsoleClient.h.
2160         * inspector/JSGlobalObjectInspectorController.cpp:
2161         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2162         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
2163         * inspector/JSGlobalObjectInspectorController.h:
2164
2165 2014-09-03  Filip Pizlo  <fpizlo@apple.com>
2166
2167         Reenable call edge profiling and polymorphic call inlining, now that a bunch of the bugs
2168         are fixed.
2169
2170         * runtime/Options.h:
2171
2172 2014-09-03  David Kilzer  <ddkilzer@apple.com>
2173
2174         JavaScriptCore should build with newer clang
2175         <http://webkit.org/b/136002>
2176         <rdar://problem/18020616>
2177
2178         Reviewed by Geoffrey Garen.
2179
2180         Other than the JSC::SourceProvider::asID() change (which simply
2181         removes code that the optimizing compiler would have discarded
2182         in Release builds), we move the |this| checks in OpaqueJSString
2183         to NULL checks in JSBase, JSScriptRef, JSStringRef{CF} and
2184         JSValueRef.
2185
2186         * API/JSBase.cpp:
2187         (JSEvaluateScript): Use String() in case |script| or |sourceURL|
2188         are NULL.
2189         * API/JSScriptRef.cpp:
2190         (JSScriptCreateReferencingImmortalASCIIText): Use String() in
2191         case |url| is NULL.
2192         * API/JSStringRef.cpp:
2193         (JSStringGetLength): Return early if NULL pointer is passed in.
2194         (JSStringGetCharactersPtr): Ditto.
2195         (JSStringGetUTF8CString): Ditto.  Also check |buffer| parameter.
2196         * API/JSStringRefCF.cpp:
2197         (JSStringCopyCFString): Ditto.
2198         * API/JSValueRef.cpp:
2199         (JSValueMakeString): Use String() in case |string| is NULL.
2200
2201         * API/OpaqueJSString.cpp:
2202         (OpaqueJSString::string): Remove code that checks |this|.
2203         (OpaqueJSString::identifier): Ditto.
2204         (OpaqueJSString::characters): Ditto.
2205         * API/OpaqueJSString.h:
2206         (OpaqueJSString::is8Bit): Remove code that checks |this|.
2207         (OpaqueJSString::characters8): Ditto.
2208         (OpaqueJSString::characters16): Ditto.
2209         (OpaqueJSString::length): Ditto.
2210
2211         * parser/SourceProvider.h:
2212         (JSC::SourceProvider::asID): Remove code that checks |this|.
2213
2214 2014-09-03  Filip Pizlo  <fpizlo@apple.com>
2215
2216         CallEdgeProfile::visitWeak() shouldn't attempt to despecify empty profiles
2217         https://bugs.webkit.org/show_bug.cgi?id=136511
2218
2219         Reviewed by Geoffrey Garen.
2220
2221         * bytecode/CallEdgeProfile.cpp:
2222         (JSC::CallEdgeProfile::worthDespecifying):
2223         (JSC::CallEdgeProfile::visitWeak):
2224         (JSC::CallEdgeProfile::mergeBack):
2225
2226 2014-09-03  David Kilzer  <ddkilzer@apple.com>
2227
2228         REGRESSION (r167325): (null) entry added to Xcode project file when JSBoundFunction.h was removed
2229         <http://webkit.org/b/136509>
2230
2231         Reviewed by Daniel Bates.
2232
2233         * JavaScriptCore.xcodeproj/project.pbxproj: Remove the (null)
2234         entry left behind when JSBoundFunction.h was removed.
2235
2236 2014-09-03  Joseph Pecoraro  <pecoraro@apple.com>
2237
2238         Avoid warning if a process does not have access to com.apple.webinspector
2239         https://bugs.webkit.org/show_bug.cgi?id=136473
2240
2241         Reviewed by Alexey Proskuryakov.
2242
2243         Pre-check for access to the mach port to avoid emitting warnings
2244         in syslog for processes that do not have access.
2245
2246         * inspector/remote/RemoteInspector.mm:
2247         (Inspector::canAccessWebInspectorMachPort):
2248         (Inspector::RemoteInspector::shared):
2249
2250 2014-09-03  Filip Pizlo  <fpizlo@apple.com>
2251
2252         Temporarily disable call edge profiling. It is causing crashes and I'm still investigating
2253         them.
2254
2255         * runtime/Options.h:
2256
2257 2014-09-03  Balazs Kilvady  <kilvadyb@homejinni.com>
2258
2259         [MIPS] Wrong register usage in LLInt op_catch.
2260         https://bugs.webkit.org/show_bug.cgi?id=125168
2261
2262         Reviewed by Geoffrey Garen.
2263
2264         Fix register usage and add PIC header to all the ops in LLInt.
2265
2266         * offlineasm/instructions.rb:
2267         * offlineasm/mips.rb:
2268
2269 2014-09-03  Saam Barati  <saambarati1@gmail.com>
2270
2271         Create tests for type profiling
2272         https://bugs.webkit.org/show_bug.cgi?id=136161
2273
2274         Reviewed by Geoffrey Garen.
2275
2276         The type profiler is now being tested. These are basic tests that don't 
2277         check every edge case, but will catch any major failures in the type profiler. 
2278         These tests cover:
2279         - The basic, inheritance-based type system in TypeSet.
2280         - Function return types.
2281         - Correct merging of types for multiple assignments to one variable.
2282
2283         This patch also provides an API for writing new tests for
2284         the type profiler. The API works by passing in a function and a 
2285         unique substring of an expression contained in that function, and 
2286         returns an object representing type information for that expression.
2287
2288         * jsc.cpp:
2289         (GlobalObject::finishCreation):
2290         (functionFindTypeForExpression):
2291         (functionReturnTypeFor):
2292         * runtime/TypeProfiler.cpp:
2293         (JSC::TypeProfiler::typeInformationForExpressionAtOffset):
2294         * runtime/TypeProfiler.h:
2295         * runtime/TypeProfilerLog.h:
2296         * runtime/TypeSet.cpp:
2297         (JSC::TypeSet::toJSONString):
2298         (JSC::StructureShape::toJSONString):
2299         * runtime/TypeSet.h:
2300         * tests/typeProfiler: Added.
2301         * tests/typeProfiler.yaml: Added.
2302         * tests/typeProfiler/basic.js: Added.
2303         (wrapper.foo):
2304         (wrapper):
2305         * tests/typeProfiler/captured.js: Added.
2306         (wrapper.changeFoo):
2307         (wrapper):
2308         * tests/typeProfiler/driver: Added.
2309         * tests/typeProfiler/driver/driver.js: Added.
2310         (assert):
2311         * tests/typeProfiler/inheritance.js: Added.
2312         (wrapper.A):
2313         (wrapper.B):
2314         (wrapper.C):
2315         (wrapper):
2316         * tests/typeProfiler/return.js: Added.
2317         (foo):
2318         (Ctor):
2319
2320 2014-09-03  Julien Brianceau  <jbriance@cisco.com>
2321
2322         Add missing implementations to fix build for sh4 architecture
2323         https://bugs.webkit.org/show_bug.cgi?id=136455
2324
2325         Reviewed by Geoffrey Garen.
2326
2327         * assembler/MacroAssemblerSH4.h:
2328         (JSC::MacroAssemblerSH4::store8):
2329         (JSC::MacroAssemblerSH4::moveWithPatch):
2330         (JSC::MacroAssemblerSH4::branchAdd32):
2331         (JSC::MacroAssemblerSH4::branch32WithPatch):
2332         (JSC::MacroAssemblerSH4::abortWithReason):
2333         (JSC::MacroAssemblerSH4::canJumpReplacePatchableBranch32WithPatch):
2334         (JSC::MacroAssemblerSH4::startOfPatchableBranch32WithPatchOnAddress):
2335         (JSC::MacroAssemblerSH4::revertJumpReplacementToPatchableBranch32WithPatch):
2336         * jit/AssemblyHelpers.h:
2337         (JSC::AssemblyHelpers::emitFunctionPrologue):
2338         (JSC::AssemblyHelpers::emitFunctionEpilogue):
2339
2340 2014-09-03  Dan Bernstein  <mitz@apple.com>
2341
2342         Get rid of HIGH_DPI_CANVAS leftovers
2343         https://bugs.webkit.org/show_bug.cgi?id=136491
2344
2345         Reviewed by Benjamin Poulain.
2346
2347         * Configurations/FeatureDefines.xcconfig: Removed definition of ENABLE_HIGH_DPI_CANVAS
2348         and removed it from FEATURE_DEFINES.
2349
2350 2014-09-03  Filip Pizlo  <fpizlo@apple.com>
2351
2352         CallEdgeProfile::visitWeak() should gracefully handle the case where primaryCallee duplicates an entry in otherCallees
2353         https://bugs.webkit.org/show_bug.cgi?id=136490
2354
2355         Reviewed by Geoffrey Garen.
2356
2357         * bytecode/CallEdgeProfile.cpp:
2358         (JSC::CallEdgeProfile::visitWeak):
2359
2360 2014-09-03  Filip Pizlo  <fpizlo@apple.com>
2361
2362         FTL In implementation sets callReturnLocation incorrectly leading to crashes beneath repatchCall()
2363         https://bugs.webkit.org/show_bug.cgi?id=136488
2364
2365         Reviewed by Mark Hahnenberg.
2366
2367         * ftl/FTLCompile.cpp:
2368         (JSC::FTL::generateCheckInICFastPath): The call is in the slow path.
2369         * tests/stress/ftl-in-overflow.js: Added. This used to crash 100% of the time with FTL enabled.
2370         (foo):
2371
2372 2014-09-03  Akos Kiss  <akiss@inf.u-szeged.hu>
2373
2374         Don't generate superfluous mov instructions for move immediate on ARM64.
2375         https://bugs.webkit.org/show_bug.cgi?id=136435
2376
2377         Reviewed by Michael Saboff.
2378
2379         On ARM64, the size of an immediate operand for a mov instruction is 16
2380         bits. Thus, a move immediate offlineasm instruction may potentially be
2381         split up to several machine level instructions. The current
2382         implementation always emits a mov for the least significant 16 bits of
2383         the value. However, if any of the bits 63:16 are significant then the
2384         first emitted mov already filled bits 15:0 with zeroes (or ones, for
2385         negative values). So, if bits 15:0 of the value are all zeroes (or ones)
2386         then the last mov does not need to be emitted.
2387
2388         * offlineasm/arm64.rb:
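
As an added example (constructed for this page, not the offlineasm code in arm64.rb), the Ruby below models the rule described above: a 64-bit immediate is split into 16-bit chunks, the first significant chunk is loaded with movz (or movn for negative values, which fills the remaining chunks with ones), every other significant chunk is patched in with movk, and a bits 15:0 chunk that already matches the fill pattern is not emitted. A small simulator replays the sequence the way the CPU would, so the emitted instructions can be checked against the intended value. All function names and the sample values are assumptions made for this example.

```ruby
MASK64 = (1 << 64) - 1

# Split a 64-bit immediate into an ARM64 movz/movn + movk sequence.
# Returns [[mnemonic, imm16, shift], ...] with shifts of 48, 32, 16 or 0.
def arm64_move_immediate(value)
  raise ArgumentError, "not a 64-bit value" unless value.between?(-(1 << 63), MASK64)
  value -= (1 << 64) if value >= (1 << 63)  # treat unsigned input as its two's-complement value
  negative = value < 0
  fill = negative ? 0xffff : 0              # what the first movz/movn leaves in every other chunk
  insns = []
  [48, 32, 16, 0].each do |shift|
    chunk = (value >> shift) & 0xffff
    # A chunk equal to the fill pattern is already produced by the first instruction,
    # so it needs its own mov only when nothing has been emitted and this is the last chunk
    # (the value is all zeroes or all ones).
    next if chunk == fill && !(shift == 0 && insns.empty?)
    if insns.empty?
      insns << (negative ? ["movn", (~chunk) & 0xffff, shift] : ["movz", chunk, shift])
    else
      insns << ["movk", chunk, shift]
    end
  end
  insns
end

# Replay the sequence as the CPU would: movz zero-fills, movn writes the inverted
# shifted immediate, movk replaces only the addressed 16-bit chunk.
def simulate_arm64_moves(insns)
  reg = 0
  insns.each do |mnemonic, imm, shift|
    case mnemonic
    when "movz" then reg = imm << shift
    when "movn" then reg = ~(imm << shift) & MASK64
    when "movk" then reg = (reg & ~(0xffff << shift) & MASK64) | (imm << shift)
    else raise ArgumentError, "unknown mnemonic #{mnemonic}"
    end
  end
  reg
end

# Render the sequence as assembler text for a given destination register.
def format_arm64_moves(insns, reg = "x0")
  insns.map { |mn, imm, shift| format("%s %s, #0x%x, lsl #%d", mn, reg, imm, shift) }
end

# True when the emitted sequence reproduces value modulo 2^64.
def round_trips?(value)
  simulate_arm64_moves(arm64_move_immediate(value)) == (value & MASK64)
end

if __FILE__ == $PROGRAM_NAME
  [0x10000, -0x10000, 0x12345678, -1].each do |v|
    puts format("0x%x:", v & MASK64)
    format_arm64_moves(arm64_move_immediate(v)).each { |line| puts "  #{line}" }
  end
end
```

The value 0x10000 is the case the patch targets: its bits 15:0 are zero, so a single movz with a shift of 16 suffices and the trailing movk of zero that the old emitter produced is dropped; the simulator confirms the register still holds the intended value.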
2389
2390 2014-09-02  Brian J. Burg  <burg@cs.washington.edu>
2391
2392         LegacyProfiler: remove redundant ProfileNode members and other cleanup
2393         https://bugs.webkit.org/show_bug.cgi?id=136380
2394
2395         Reviewed by Timothy Hatcher.
2396
2397         ProfileNode's selfTime and totalTime members are redundant and only used
2398         for dumping profile data from debug-only code. Remove the members and compute
2399         the same data on-demand when necessary using a postorder traversal functor.
2400
2401         Remove ProfileNode.head since it is only used to calculate percentages for
2402         dumped profile data. This can be explicitly passed around when needed.
2403
2404         Rename Profile.head to Profile.rootNode, and other various renamings.
2405
2406         Rearrange some header includes so that touching LegacyProfiler-related headers
2407         will no longer cause a full rebuild.
2408
2409         * inspector/JSConsoleClient.cpp: Add header include.
2410         * inspector/agents/InspectorProfilerAgent.cpp:
2411         (Inspector::InspectorProfilerAgent::buildProfileInspectorObject):
2412         * inspector/protocol/Profiler.json: Remove unused Profile.idleTime member.
2413         * jit/JIT.h: Remove header include.
2414         * jit/JITCode.h: Remove header include.
2415         * jit/JITOperations.cpp: Sort and add header include.
2416         * llint/LLIntSlowPaths.cpp: Sort and add header include.
2417         * profiler/Profile.cpp: Rename the debug dumping functions. Move the node
2418         postorder traversal code to ProfileNode so we can traverse any subtree.
2419         (JSC::Profile::Profile):
2420         (JSC::Profile::debugPrint):
2421         (JSC::Profile::debugPrintSampleStyle):
2422         (JSC::Profile::forEach): Deleted.
2423         (JSC::Profile::debugPrintData): Deleted.
2424         (JSC::Profile::debugPrintDataSampleStyle): Deleted.
2425         * profiler/Profile.h:
2426         * profiler/ProfileGenerator.cpp:
2427         (JSC::ProfileGenerator::ProfileGenerator):
2428         (JSC::AddParentForConsoleStartFunctor::AddParentForConsoleStartFunctor):
2429         (JSC::AddParentForConsoleStartFunctor::operator()):
2430         (JSC::ProfileGenerator::addParentForConsoleStart):
2431         (JSC::ProfileGenerator::didExecute):
2432         (JSC::StopProfilingFunctor::operator()):
2433         (JSC::ProfileGenerator::stopProfiling):
2434         (JSC::ProfileGenerator::removeProfileStart):
2435         (JSC::ProfileGenerator::removeProfileEnd):
2436         * profiler/ProfileGenerator.h:
2437         * profiler/ProfileNode.cpp:
2438         (JSC::ProfileNode::ProfileNode):
2439         (JSC::ProfileNode::willExecute):
2440         (JSC::ProfileNode::removeChild):
2441         (JSC::ProfileNode::stopProfiling):
2442         (JSC::ProfileNode::endAndRecordCall):
2443         (JSC::ProfileNode::debugPrint):
2444         (JSC::ProfileNode::debugPrintSampleStyle):
2445         (JSC::ProfileNode::debugPrintRecursively):
2446         (JSC::ProfileNode::debugPrintSampleStyleRecursively):
2447         (JSC::ProfileNode::debugPrintData): Deleted.
2448         (JSC::ProfileNode::debugPrintDataSampleStyle): Deleted.
2449         * profiler/ProfileNode.h: Calculate per-node self and total times using a postorder traversal.
2450         The forEachNodePostorder functor traverses the subtree rooted at |this|.
2451         (JSC::ProfileNode::create):
2452         (JSC::ProfileNode::calls):
2453         (JSC::ProfileNode::forEachNodePostorder):
2454         (JSC::CalculateProfileSubtreeDataFunctor::returnValue):
2455         (JSC::CalculateProfileSubtreeDataFunctor::operator()):
2456         (JSC::ProfileNode::head): Deleted.
2457         (JSC::ProfileNode::setHead): Deleted.
2458         (JSC::ProfileNode::totalTime): Deleted.
2459         (JSC::ProfileNode::setTotalTime): Deleted.
2460         (JSC::ProfileNode::selfTime): Deleted.
2461         (JSC::ProfileNode::setSelfTime): Deleted.
2462         (JSC::ProfileNode::totalPercent): Deleted.
2463         (JSC::ProfileNode::selfPercent): Deleted.
2464         * runtime/ConsoleClient.h: Remove header include.
2465
2466 2014-09-02  Brian J. Burg  <burg@cs.washington.edu>
2467
2468         Web Inspector: remove ProfilerAgent and legacy profiler files in the frontend
2469         https://bugs.webkit.org/show_bug.cgi?id=136462
2470
2471         Reviewed by Timothy Hatcher.
2472
2473         It's not used by the frontend anymore.
2474
2475         * CMakeLists.txt:
2476         * DerivedSources.make:
2477         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2478         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2479         * JavaScriptCore.xcodeproj/project.pbxproj:
2480
2481         * inspector/JSConsoleClient.cpp:
2482         (Inspector::JSConsoleClient::JSConsoleClient): Stub out console.profile/profileEnd
2483         methods since they didn't work for JSContexts anyway.
2484         (Inspector::JSConsoleClient::profile):
2485         (Inspector::JSConsoleClient::profileEnd):
2486         * inspector/JSConsoleClient.h:
2487
2488         * inspector/JSGlobalObjectInspectorController.cpp:
2489         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2490         * inspector/agents/InspectorProfilerAgent.cpp: Removed.
2491         * inspector/agents/InspectorProfilerAgent.h: Removed.
2492         * inspector/agents/JSGlobalObjectProfilerAgent.cpp: Removed.
2493         * inspector/agents/JSGlobalObjectProfilerAgent.h: Removed.
2494         * inspector/protocol/Profiler.json: Removed.
2495
2496 2014-09-02  Andreas Kling  <akling@apple.com>
2497
2498         Optimize own property GetByVals with rope string subscripts.
2499         <https://webkit.org/b/136458>
2500
2501         For simple JSObjects that don't override getOwnPropertySlot to implement
2502         custom properties, we have a fast path that grabs directly at the object
2503         property storage.
2504
2505         Make this fast path even faster when the property name is an unresolved
2506         rope string by using JSString::toExistingAtomicString(). This is faster
2507         because it avoids allocating a new StringImpl if the string is already
2508         a known Identifier, which is guaranteed to be the case if it's present
2509         as an own property on the object.
2510
2511         ~10% speed-up on Dromaeo/dom-attr.html
2512
2513         Reviewed by Geoffrey Garen.
2514
2515         * dfg/DFGOperations.cpp:
2516         * jit/JITOperations.cpp:
2517         (JSC::getByVal):
2518         * llint/LLIntSlowPaths.cpp:
2519         (JSC::LLInt::getByVal):
2520
2521             When using the fastGetOwnProperty() optimization, get the String
2522             out of JSString by using toExistingAtomicString(). This avoids
2523             StringImpl allocation and lets us bypass the PropertyTable lookup
2524             entirely if no AtomicString is found.
2525
2526         * runtime/JSCell.h:
2527         * runtime/JSCellInlines.h:
2528         (JSC::JSCell::fastGetOwnProperty):
2529
2530             Make fastGetOwnProperty() take a PropertyName instead of a String.
2531             This avoids churning the ref count, since we don't need to create
2532             a temporary wrapper around the AtomicStringImpl* found in GetByVal.
2533
2534         * runtime/PropertyName.h:
2535         (JSC::PropertyName::PropertyName):
2536
2537             Add constructor: PropertyName(AtomicStringImpl*)
2538
2539         * runtime/PropertyMapHashTable.h:
2540         (JSC::PropertyTable::get):
2541         (JSC::PropertyTable::findWithString): Deleted.
2542         * runtime/Structure.h:
2543         * runtime/StructureInlines.h:
2544         (JSC::Structure::get):
2545
2546             Remove code for querying a PropertyTable with an unhashed string key
2547             since the only client is now gone.
2548
2549 2014-09-02  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>
2550
2551         [ARM] MacroAssembler generating incorrect code on ARM32 Traditional
2552         https://bugs.webkit.org/show_bug.cgi?id=136429
2553
2554         Reviewed by Csaba Osztrogonác.
2555
2556         Changed test32 to use tst to check if reg is zero, instead of cmp.
2557
2558         * assembler/MacroAssemblerARM.h:
2559         (JSC::MacroAssemblerARM::test32):
2560
2561 2014-09-02  Michael Saboff  <msaboff@apple.com>
2562
2563         Out of bounds write in vmEntryToJavaScript / JSC::JITCode::execute
2564         https://bugs.webkit.org/show_bug.cgi?id=136305
2565
2566         Reviewed by Filip Pizlo.
2567
2568         While preparing the callee's CallFrame, ProtoCallFrame fixes any arity mismatch
2569         and then JITCode::execute() calls the normal entrypoint.  This is incompatible
2570         with the expectation of FTL generated functions.  Changed ProtoCallFrame to not 
2571         perform the arity fix, but just flag an arity mismatch.  Now JITCode::execute()
2572         uses that arity mismatch condition to select the normal or arity check
2573         entrypoint.  The entrypoint selection is only done for functions; programs
2574         and eval always have one parameter.
2575
2576         * interpreter/ProtoCallFrame.cpp:
2577         (JSC::ProtoCallFrame::init): Changed to flag arity mismatch instead of fixing it.
2578         * interpreter/ProtoCallFrame.h:
2579         (JSC::ProtoCallFrame::needArityCheck): New boolean to signify what entrypoint
2580         should be called.
2581         * jit/JITCode.cpp:
2582         (JSC::JITCode::execute): Select normal or arity check entrypoint as appropriate.
2583
2584 2014-09-02  peavo@outlook.com  <peavo@outlook.com>
2585
2586         [WinCairo] testapi.exe is not built.
2587         https://bugs.webkit.org/show_bug.cgi?id=136369
2588
2589         Reviewed by Alex Christensen.
2590
2591         The testapi project should be of type Application.
2592
2593         * JavaScriptCore.vcxproj/jsc/jscLauncher.vcxproj: Change project type to Application.
2594         * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncher.vcxproj: Ditto.
2595         * JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props: Compile and link fix.
2596         * JavaScriptCore.vcxproj/testapi/testapiLauncher.vcxproj: Change project type to Application.
2597
2598 2014-09-01  Akos Kiss  <akiss@inf.u-szeged.hu>
2599
2600         [CMAKE] Add missing offlineasm dependencies
2601         https://bugs.webkit.org/show_bug.cgi?id=136437
2602
2603         Reviewed by Csaba Osztrogonác.
2604
2605         Add the ARM64, MIPS and SH4 backends to the dependencies.
2606
2607         * CMakeLists.txt:
2608
2609 2014-09-01  Brian J. Burg  <burg@cs.washington.edu>
2610
2611         Provide column numbers to DTrace willExecute/didExecute probes
2612         https://bugs.webkit.org/show_bug.cgi?id=136434
2613
2614         Reviewed by Antti Koivisto.
2615
2616         Provide the columnNumber and update stubs for !HAVE(DTRACE).
2617
2618         * profiler/ProfileGenerator.cpp:
2619         (JSC::ProfileGenerator::willExecute):
2620         (JSC::ProfileGenerator::didExecute):
2621         * runtime/Tracing.d:
2622         * runtime/Tracing.h:
2623
2624 2014-09-01  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
2625
2626         [CMAKE] Build warning by INTERFACE_LINK_LIBRARIES
2627         https://bugs.webkit.org/show_bug.cgi?id=136194
2628
2629         Reviewed by Csaba Osztrogonác.
2630
2631         Set the LINK_INTERFACE_LIBRARIES target property on the top level CMakeLists.txt.
2632
2633         * CMakeLists.txt:
2634
2635 2014-08-26  Maciej Stachowiak  <mjs@apple.com>
2636
2637         Use RetainPtr::autorelease in some places where it seems appropriate
2638         https://bugs.webkit.org/show_bug.cgi?id=136280
2639
2640         Reviewed by Darin Adler.
2641
2642         * API/JSContext.mm:
2643         (-[JSContext name]): Use RetainPtr::autorelease() in place of ObjC autorelease.
2644         * API/JSValue.mm:
2645         (valueToString): Make appropriate use of RetainPtr
2646
2647 2014-08-29  Akos Kiss  <akiss@inf.u-szeged.hu>
2648
2649         Ensure that the call frame passed from doVMEntry to the called function always contains the valid scope chain.
2650         https://bugs.webkit.org/show_bug.cgi?id=136391
2651
2652         Reviewed by Michael Saboff.
2653
2654         Do not rely on calling conventions to fill in the CallerFrame component
2655         of the ExecState* parameter of the called function.
2656
2657         * llint/LowLevelInterpreter32_64.asm:
2658         * llint/LowLevelInterpreter64.asm:
2659
2660 2014-08-29  Saam Barati  <sbarati@apple.com>
2661
2662         emit op_profile_type for deconstruction assignments
2663         https://bugs.webkit.org/show_bug.cgi?id=136274
2664
2665         Reviewed by Filip Pizlo.
2666
2667         Enable type profiling for ES6 deconstruction expressions.
2668
2669         * bytecompiler/NodesCodegen.cpp:
2670         (JSC::BindingNode::bindValue):
2671
2672 2014-08-29  Joseph Pecoraro  <pecoraro@apple.com>
2673
2674         JavaScriptCore: Use ASCIILiteral where possible
2675         https://bugs.webkit.org/show_bug.cgi?id=136179
2676
2677         Reviewed by Michael Saboff.
2678
2679         General string / character related changes. Use ASCIILiteral where
2680         possible, jsNontrivialString where possible, and replace string
2681         literals with character literals in some places.
2682
2683         No new tests, no changes to functionality.
2684
2685         * bytecode/CodeBlock.cpp:
2686         (JSC::CodeBlock::nameForRegister):
2687         * bytecompiler/NodesCodegen.cpp:
2688         (JSC::PostfixNode::emitBytecode):
2689         (JSC::PrefixNode::emitBytecode):
2690         (JSC::AssignErrorNode::emitBytecode):
2691         (JSC::ForInNode::emitMultiLoopBytecode):
2692         (JSC::ForOfNode::emitBytecode):
2693         (JSC::ObjectPatternNode::toString):
2694         * dfg/DFGFunctionWhitelist.cpp:
2695         (JSC::DFG::FunctionWhitelist::contains):
2696         * dfg/DFGOperations.cpp:
2697         (JSC::DFG::newTypedArrayWithSize):
2698         (JSC::DFG::newTypedArrayWithOneArgument):
2699         * inspector/ConsoleMessage.cpp:
2700         (Inspector::ConsoleMessage::addToFrontend):
2701         * inspector/InspectorBackendDispatcher.cpp:
2702         (Inspector::InspectorBackendDispatcher::dispatch):
2703         * inspector/ScriptCallStackFactory.cpp:
2704         (Inspector::extractSourceInformationFromException):
2705         * inspector/scripts/codegen/generator_templates.py:
2706         * interpreter/StackVisitor.cpp:
2707         (JSC::StackVisitor::Frame::functionName):
2708         (JSC::StackVisitor::Frame::sourceURL):
2709         * jit/JITOperations.cpp:
2710         * jsc.cpp:
2711         (functionDescribeArray):
2712         (functionRun):
2713         (functionLoad):
2714         (functionReadFile):
2715         (functionCheckSyntax):
2716         (functionTransferArrayBuffer):
2717         (runWithScripts):
2718         (runInteractive):
2719         * parser/Lexer.cpp:
2720         (JSC::Lexer<T>::invalidCharacterMessage):
2721         (JSC::Lexer<T>::parseString):
2722         (JSC::Lexer<T>::parseStringSlowCase):
2723         (JSC::Lexer<T>::lex):
2724         * profiler/Profile.cpp:
2725         (JSC::Profile::Profile):
2726         * runtime/Arguments.cpp:
2727         (JSC::argumentsFuncIterator):
2728         * runtime/ArrayPrototype.cpp:
2729         (JSC::performSlowSort):
2730         (JSC::arrayProtoFuncSort):
2731         * runtime/ExceptionHelpers.cpp:
2732         (JSC::createError):
2733         (JSC::createInvalidParameterError):
2734         (JSC::createNotAConstructorError):
2735         (JSC::createNotAFunctionError):
2736         (JSC::createNotAnObjectError):
2737         (JSC::createErrorForInvalidGlobalAssignment):
2738         * runtime/FunctionPrototype.cpp:
2739         (JSC::insertSemicolonIfNeeded):
2740         * runtime/JSArray.cpp:
2741         (JSC::JSArray::defineOwnProperty):
2742         (JSC::JSArray::pop):
2743         (JSC::JSArray::push):
2744         * runtime/JSArrayBufferConstructor.cpp:
2745         (JSC::JSArrayBufferConstructor::finishCreation):
2746         * runtime/JSArrayBufferPrototype.cpp:
2747         (JSC::arrayBufferProtoFuncSlice):
2748         * runtime/JSDataView.cpp:
2749         (JSC::JSDataView::create):
2750         * runtime/JSDataViewPrototype.cpp:
2751         (JSC::getData):
2752         (JSC::setData):
2753         * runtime/JSGlobalObject.cpp:
2754         (JSC::JSGlobalObject::reset):
2755         * runtime/JSGlobalObjectFunctions.cpp:
2756         (JSC::globalFuncProtoSetter):
2757         * runtime/JSPromiseConstructor.cpp:
2758         (JSC::JSPromiseConstructor::finishCreation):
2759         * runtime/LiteralParser.cpp:
2760         (JSC::LiteralParser<CharType>::Lexer::lex):
2761         (JSC::LiteralParser<CharType>::Lexer::lexString):
2762         (JSC::LiteralParser<CharType>::parse):
2763         * runtime/LiteralParser.h:
2764         (JSC::LiteralParser::getErrorMessage):
2765         * runtime/TypeSet.cpp:
2766         (JSC::TypeSet::seenTypes):
2767         (JSC::TypeSet::displayName):
2768         (JSC::TypeSet::allPrimitiveTypeNames):
2769         (JSC::StructureShape::propertyHash):
2770         (JSC::StructureShape::stringRepresentation):
2771
2772 2014-08-29  Csaba Osztrogonác  <ossy@webkit.org>
2773
2774         Unreviewed, remove empty directories.
2775
2776         * qt: Removed.
2777
2778 2014-08-28  Mark Lam  <mark.lam@apple.com>
2779
2780         DebuggerCallFrame::scope() should return a DebuggerScope.
2781         <https://webkit.org/b/134420>
2782
2783         Reviewed by Geoffrey Garen.
2784
2785         Rolling back in r170680 with the fix for <https://webkit.org/b/135656>.
2786
2787         Previously, DebuggerCallFrame::scope() returned a JSActivation (and relevant
2788         peers) which the WebInspector will use to introspect CallFrame variables.
2789         Instead, we should be returning a DebuggerScope as an abstraction layer that
2790         provides the introspection functionality that the WebInspector needs.  This
2791         is the first step towards not forcing every frame to have a JSActivation
2792         object just because the debugger is enabled.
2793
2794         1. Instantiate the debuggerScopeStructure as a member of the JSGlobalObject
2795            instead of the VM.  This allows JSObject::globalObject() to be able to
2796            return the global object for the DebuggerScope.
2797
2798         2. On the DebuggerScope's life-cycle management:
2799
2800            The DebuggerCallFrame is designed to be "valid" only during a debugging session
2801            (while the debugger is broken) through the use of a DebuggerCallFrameScope in
2802            Debugger::pauseIfNeeded().  Once the debugger resumes from the break, the
2803            DebuggerCallFrameScope destructs, and the DebuggerCallFrame will be invalidated.
2804            We can't guarantee (from this code alone) that the Inspector code isn't still
2805            holding a ref to the DebuggerCallFrame (though they shouldn't), but by contract,
2806            the frame will be invalidated, and any attempt to query it will return null values.
2807            This is pre-existing behavior.
2808
2809            Now, we're adding the DebuggerScope into the picture.  While a single debugger
2810            pause session is in progress, the Inspector may request the scope from the
2811            DebuggerCallFrame.  While the DebuggerCallFrame is still valid, we want
2812            DebuggerCallFrame::scope() to always return the same DebuggerScope object.
2813            This is why we hold on to the DebuggerScope with a strong ref.
2814
2815            If we use a weak ref instead, the following kooky behavior can manifest:
2816            1. The Inspector calls Debugger::scope() to get the top scope.
2817            2. The Inspector iterates down the scope chain and is now only holding a
2818               reference to a parent scope.  It is no longer referencing the top scope.
2819            3. A GC occurs, and the DebuggerCallFrame's weak m_scope ref to the top scope
2820               gets cleared.
2821            4. The Inspector calls DebuggerCallFrame::scope() to get the top scope again but gets
2822               a different DebuggerScope instance.
2823            5. The Inspector iterates down the scope chain but never sees the parent scope
2824               instance that it retained a ref to in step 2 above.  This is because when iterating
2825               this new DebuggerScope instance (which has no knowledge of the previous parent
2826               DebuggerScope instance), a new DebuggerScope instance will get created for the
2827               same parent scope.
2828
2829            Since the DebuggerScope is a JSObject, its liveness is determined by its reachability.
2830            However, its "validity" is determined by the life-cycle of its owner DebuggerCallFrame.
2831            When the owner DebuggerCallFrame gets invalidated, its debugger scope chain (if
2832            instantiated) will also get invalidated.  This is why we need the
2833            DebuggerScope::invalidateChain() method.  The Inspector should not be using the
2834            DebuggerScope instance after its owner DebuggerCallFrame is invalidated.  If it does,
2835            those methods will do nothing or return a failed status.
2836
2837         Fix for <https://webkit.org/b/135656>:
2838         3. DebuggerScope::getOwnPropertySlot() and DebuggerScope::put() need to set
2839            m_thisValue in the returned slot to the wrapped scope object.  Previously,
2840            it was pointing to the DebuggerScope though the rest of the fields in the
2841            returned slot will be set to data pertaining to the wrapped scope object.
2842
2843         4. DebuggerScope::getOwnPropertySlot() will invoke getPropertySlot() on its
2844            wrapped scope.  This is because JSObject::getPropertySlot() cannot be
2845            overridden, and when called on a DebuggerScope, will not know to look in
2846            the prototype chain of the DebuggerScope's wrapped scope.  Hence, we'll
2847            treat all properties in the wrapped scope as own properties in the
2848            DebuggerScope.  This is fine because the WebInspector does not presently
2849            care about where in the prototype chain the scope property comes from.
2850
2851            Note that the DebuggerScope and the JSActivation objects that it wraps do
2852            not have prototypes.  They are always jsNull().  This works perfectly with
2853            the above change to use getPropertySlot() instead of getOwnPropertySlot().
2854            To make this an explicit invariant, I also changed DebuggerScope::createStructure()
2855            and JSActivation::createStructure() to not take a prototype argument, and
2856            to always use jsNull() for their prototype value.
2857
2858         * debugger/Debugger.h:
2859         * debugger/DebuggerCallFrame.cpp:
2860         (JSC::DebuggerCallFrame::scope):
2861         (JSC::DebuggerCallFrame::evaluate):
2862         (JSC::DebuggerCallFrame::invalidate):
2863         * debugger/DebuggerCallFrame.h:
2864         * debugger/DebuggerScope.cpp:
2865         (JSC::DebuggerScope::DebuggerScope):
2866         (JSC::DebuggerScope::finishCreation):
2867         (JSC::DebuggerScope::visitChildren):
2868         (JSC::DebuggerScope::className):
2869         (JSC::DebuggerScope::getOwnPropertySlot):
2870         (JSC::DebuggerScope::put):
2871         (JSC::DebuggerScope::deleteProperty):
2872         (JSC::DebuggerScope::getOwnPropertyNames):
2873         (JSC::DebuggerScope::defineOwnProperty):
2874         (JSC::DebuggerScope::next):
2875         (JSC::DebuggerScope::invalidateChain):
2876         (JSC::DebuggerScope::isWithScope):
2877         (JSC::DebuggerScope::isGlobalScope):
2878         (JSC::DebuggerScope::isFunctionOrEvalScope):
2879         * debugger/DebuggerScope.h:
2880         (JSC::DebuggerScope::create):
2881         (JSC::DebuggerScope::createStructure):
2882         (JSC::DebuggerScope::iterator::iterator):
2883         (JSC::DebuggerScope::iterator::get):
2884         (JSC::DebuggerScope::iterator::operator++):
2885         (JSC::DebuggerScope::iterator::operator==):
2886         (JSC::DebuggerScope::iterator::operator!=):
2887         (JSC::DebuggerScope::isValid):
2888         (JSC::DebuggerScope::jsScope):
2889         (JSC::DebuggerScope::begin):
2890         (JSC::DebuggerScope::end):
2891         * inspector/JSJavaScriptCallFrame.cpp:
2892         (Inspector::JSJavaScriptCallFrame::scopeType):
2893         (Inspector::JSJavaScriptCallFrame::scopeChain):
2894         * inspector/JavaScriptCallFrame.h:
2895         (Inspector::JavaScriptCallFrame::scopeChain):
2896         * inspector/ScriptDebugServer.cpp:
2897         * runtime/JSActivation.h:
2898         (JSC::JSActivation::createStructure):
2899         * runtime/JSGlobalObject.cpp:
2900         (JSC::JSGlobalObject::reset):
2901         (JSC::JSGlobalObject::visitChildren):
2902         * runtime/JSGlobalObject.h:
2903         (JSC::JSGlobalObject::debuggerScopeStructure):
2904         * runtime/JSObject.cpp:
2905         * runtime/JSObject.h:
2906         (JSC::JSObject::isWithScope):
2907         * runtime/JSScope.h:
2908         * runtime/PropertySlot.h:
2909         (JSC::PropertySlot::setThisValue):
2910         * runtime/PutPropertySlot.h:
2911         (JSC::PutPropertySlot::setThisValue):
2912         * runtime/VM.cpp:
2913         (JSC::VM::VM):
2914         * runtime/VM.h:
2915
2916 2014-08-28  Andreas Kling  <akling@apple.com>
2917
2918         Use JSString::toIdentifier() in more places.
2919         <https://webkit.org/b/136348>
2920
2921         Call sites that grab the WTF::String from a JSString using value() can
2922         use the more efficient toIdentifier() if the string is going to be used
2923         to construct an Identifier.
2924
2925         If the JSString is a rope that resolves to something that is already
2926         present in the VM's Identifier table, using toIdentifier() can avoid
2927         allocating a new StringImpl.
2928
2929         Reviewed by Geoffrey Garen.
2930
2931         * jit/JITOperations.cpp:
2932         * llint/LLIntSlowPaths.cpp:
2933         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2934         * runtime/CommonSlowPaths.cpp:
2935         (JSC::SLOW_PATH_DECL):
2936         * runtime/CommonSlowPaths.h:
2937         (JSC::CommonSlowPaths::opIn):
2938         * runtime/JSONObject.cpp:
2939         (JSC::Stringifier::Stringifier):
2940         * runtime/ObjectConstructor.cpp:
2941         (JSC::objectConstructorGetOwnPropertyDescriptor):
2942         (JSC::objectConstructorDefineProperty):
2943         * runtime/ObjectPrototype.cpp:
2944         (JSC::objectProtoFuncPropertyIsEnumerable):
2945
2946 2014-08-27  Filip Pizlo  <fpizlo@apple.com>
2947
2948         DFG should compute immediate dominators using the O(n log n) form of Lengauer and Tarjan's "A Fast Algorithm for Finding Dominators in a Flowgraph"
2949         https://bugs.webkit.org/show_bug.cgi?id=93361
2950
2951         Reviewed by Mark Hahnenberg.
2952
2953         This patch also adds some new utilities for reasoning about block-keyed maps, block sets,
2954         and block worklists. It changes preexisting code to use these abstractions.
2955
2956         The main effect of this code is that all current clients of dominators end up using the
2957         results of the new idom calculation. We convert the dom tree to a dominance test using
2958         Dietz's pre/post number range check trick.
2959
2960         * CMakeLists.txt:
2961         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2962         * JavaScriptCore.xcodeproj/project.pbxproj:
2963         * dfg/DFGAnalysis.h:
2964         (JSC::DFG::Analysis::computeIfNecessary):
2965         (JSC::DFG::Analysis::computeDependencies):
2966         * dfg/DFGBlockMap.h: Added.
2967         (JSC::DFG::BlockMap::BlockMap):
2968         (JSC::DFG::BlockMap::size):
2969         (JSC::DFG::BlockMap::atIndex):
2970         (JSC::DFG::BlockMap::operator[]):
2971         * dfg/DFGBlockMapInlines.h: Added.
2972         (JSC::DFG::BlockMap<T>::BlockMap):
2973         * dfg/DFGBlockSet.h: Added.
2974         (JSC::DFG::BlockSet::BlockSet):
2975         (JSC::DFG::BlockSet::add):
2976         (JSC::DFG::BlockSet::contains):
2977         * dfg/DFGBlockWorklist.cpp: Added.
2978         (JSC::DFG::BlockWorklist::BlockWorklist):
2979         (JSC::DFG::BlockWorklist::~BlockWorklist):
2980         (JSC::DFG::BlockWorklist::push):
2981         (JSC::DFG::BlockWorklist::pop):
2982         (JSC::DFG::PostOrderBlockWorklist::PostOrderBlockWorklist):
2983         (JSC::DFG::PostOrderBlockWorklist::~PostOrderBlockWorklist):
2984         (JSC::DFG::PostOrderBlockWorklist::pushPre):
2985         (JSC::DFG::PostOrderBlockWorklist::pushPost):
2986         (JSC::DFG::PostOrderBlockWorklist::pop):
2987         * dfg/DFGBlockWorklist.h: Added.
2988         (JSC::DFG::BlockWorklist::notEmpty):
2989         (JSC::DFG::BlockWith::BlockWith):
2990         (JSC::DFG::BlockWith::operator UnspecifiedBoolType*):
2991         (JSC::DFG::ExtendedBlockWorklist::ExtendedBlockWorklist):
2992         (JSC::DFG::ExtendedBlockWorklist::forcePush):
2993         (JSC::DFG::ExtendedBlockWorklist::push):
2994         (JSC::DFG::ExtendedBlockWorklist::notEmpty):
2995         (JSC::DFG::ExtendedBlockWorklist::pop):
2996         (JSC::DFG::BlockWithOrder::BlockWithOrder):
2997         (JSC::DFG::BlockWithOrder::operator UnspecifiedBoolType*):
2998         (JSC::DFG::PostOrderBlockWorklist::push):
2999         (JSC::DFG::PostOrderBlockWorklist::notEmpty):
3000         * dfg/DFGCSEPhase.cpp:
3001         * dfg/DFGDominators.cpp:
3002         (JSC::DFG::Dominators::compute):
3003         (JSC::DFG::Dominators::naiveDominates):
3004         (JSC::DFG::Dominators::dump):
3005         (JSC::DFG::Dominators::pruneDominators): Deleted.
3006         * dfg/DFGDominators.h:
3007         (JSC::DFG::Dominators::strictlyDominates):
3008         (JSC::DFG::Dominators::dominates):
3009         (JSC::DFG::Dominators::BlockData::BlockData):
3010         * dfg/DFGGraph.cpp:
3011         (JSC::DFG::Graph::dumpBlockHeader):
3012         (JSC::DFG::Graph::getBlocksInPreOrder):
3013         (JSC::DFG::Graph::getBlocksInPostOrder):
3014         * dfg/DFGInvalidationPointInjectionPhase.cpp:
3015         (JSC::DFG::InvalidationPointInjectionPhase::run):
3016         * dfg/DFGNaiveDominators.cpp: Added.
3017         (JSC::DFG::NaiveDominators::NaiveDominators):
3018         (JSC::DFG::NaiveDominators::~NaiveDominators):
3019         (JSC::DFG::NaiveDominators::compute):
3020         (JSC::DFG::NaiveDominators::pruneDominators):
3021         (JSC::DFG::NaiveDominators::dump):
3022         * dfg/DFGNaiveDominators.h: Added.
3023         (JSC::DFG::NaiveDominators::dominates):
3024         * dfg/DFGNaturalLoops.cpp:
3025         (JSC::DFG::NaturalLoops::computeDependencies):
3026         (JSC::DFG::NaturalLoops::compute):
3027         * dfg/DFGNaturalLoops.h:
3028
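The idom computation and the Dietz range-check dominance test that this entry describes, as an added C++ example that is not JavaScriptCore's own code: it uses the simple path-compressing form of Lengauer-Tarjan, and the `Dominators` class, `sampleGraph()` and the small CFG are constructed here for illustration.

```cpp
// Added example, not JavaScriptCore's own code: immediate dominators via the simple
// path-compressing form of Lengauer-Tarjan, then Dietz's pre/post DFS-number range check
// for O(1) dominance queries. The class, block ids and sample CFG are constructed here.
#include <cstdio>
#include <functional>
#include <vector>

class Dominators {
public:
    explicit Dominators(int numBlocks)
        : m_succ(numBlocks), m_pred(numBlocks), m_idom(numBlocks, -1), m_pre(numBlocks, -1), m_post(numBlocks, -1) { }
    void addEdge(int from, int to) { m_succ[from].push_back(to); m_pred[to].push_back(from); }
    int idom(int block) const { return m_idom[block]; } // -1 for the root or an unreachable block

    // Lengauer-Tarjan: fills m_idom for every block reachable from root.
    void compute(int root)
    {
        const int n = static_cast<int>(m_succ.size());
        std::vector<int> dfnum(n, -1), parent(n, -1), semi(n, -1), ancestor(n, -1), best(n), samedom(n, -1), vertex;
        std::vector<std::vector<int>> bucket(n);
        // Step 1: depth-first numbering; vertex[] lists the reachable blocks in DFS order.
        std::function<void(int)> dfs = [&](int v) {
            dfnum[v] = static_cast<int>(vertex.size()); vertex.push_back(v); semi[v] = v; best[v] = v;
            for (int w : m_succ[v]) if (dfnum[w] < 0) { parent[w] = v; dfs(w); }
        };
        dfs(root);
        // eval(v): the block with the lowest-numbered semidominator on the forest path above v,
        // compressing that path as a side effect (this is where the log n comes from).
        std::function<int(int)> eval = [&](int v) {
            int a = ancestor[v];
            if (a < 0 || ancestor[a] < 0) return best[v];
            int b = eval(a);
            ancestor[v] = ancestor[a];
            if (dfnum[semi[b]] < dfnum[semi[best[v]]]) best[v] = b;
            return best[v];
        };
        // Steps 2 and 3: semidominators in reverse DFS order, and idoms where already decidable.
        for (int i = static_cast<int>(vertex.size()) - 1; i > 0; --i) {
            int w = vertex[i], p = parent[w], s = p;
            for (int v : m_pred[w]) {
                if (dfnum[v] < 0) continue; // predecessor not reachable from root
                int candidate = dfnum[v] <= dfnum[w] ? v : semi[eval(v)];
                if (dfnum[candidate] < dfnum[s]) s = candidate;
            }
            semi[w] = s;
            bucket[s].push_back(w);
            ancestor[w] = p; // link(p, w)
            for (int v : bucket[p]) {
                int y = eval(v);
                if (semi[y] == semi[v]) m_idom[v] = p;
                else samedom[v] = y; // idom(v) == idom(y), filled in once idom(y) is known
            }
            bucket[p].clear();
        }
        // Step 4: resolve the deferred idoms in DFS order.
        for (size_t i = 1; i < vertex.size(); ++i)
            if (samedom[vertex[i]] >= 0) m_idom[vertex[i]] = m_idom[samedom[vertex[i]]];
        numberDominatorTree(root);
    }
    // Dietz: a dominates b iff a's pre/post interval in the dominator tree encloses b's.
    bool dominates(int a, int b) const
    {
        if (m_pre[a] < 0 || m_pre[b] < 0) return false; // unreachable blocks take no part
        return m_pre[a] <= m_pre[b] && m_post[a] >= m_post[b];
    }
    bool strictlyDominates(int a, int b) const { return a != b && dominates(a, b); }
private:
    void numberDominatorTree(int root)
    {
        std::vector<std::vector<int>> children(m_succ.size());
        for (size_t v = 0; v < m_idom.size(); ++v)
            if (m_idom[v] >= 0) children[m_idom[v]].push_back(static_cast<int>(v));
        int preCounter = 0, postCounter = 0;
        std::function<void(int)> walk = [&](int v) {
            m_pre[v] = preCounter++;
            for (int c : children[v]) walk(c);
            m_post[v] = postCounter++;
        };
        walk(root);
    }
    std::vector<std::vector<int>> m_succ, m_pred;
    std::vector<int> m_idom, m_pre, m_post;
};

// Constructed sample CFG: diamond 1 -> {2,3} -> 4, loop back edge 4 -> 1, and an early exit
// 3 -> 6 so that 4 does not dominate the exit block 6. Block 7 is deliberately unreachable.
Dominators sampleGraph()
{
    Dominators d(8);
    const int edges[][2] = { {0,1}, {1,2}, {1,3}, {2,4}, {3,4}, {3,6}, {4,5}, {4,1}, {5,6} };
    for (const auto& e : edges) d.addEdge(e[0], e[1]);
    d.compute(0);
    return d;
}
int main()
{
    Dominators d = sampleGraph();
    for (int b = 1; b < 8; ++b) std::printf("idom(%d) = %d\n", b, d.idom(b));
    return 0;
}
```
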
3029 2014-08-27  Filip Pizlo  <fpizlo@apple.com>
3030
3031         FTL should be able to do polymorphic call inlining
3032         https://bugs.webkit.org/show_bug.cgi?id=135145
3033
3034         Reviewed by Geoffrey Garen.
3035
3036         Added a log-based high-fidelity call edge profiler that runs in DFG JIT (and optionally
3037         baseline JIT) code. Used it to do precise polymorphic inlining in the FTL. Potential
3038         inlining sites use the call edge profile if it is available, but they will still fall back
3039         on the call inline cache and rare case counts if it's not. Polymorphic inlining means that
3040         multiple possible callees can be inlined with a switch to guard them. The slow path may
3041         either be an OSR exit or a virtual call.
3042
3043         The call edge profiling added in this patch is very precise - it will tell you about every
3044         call that has ever happened. It took some effort to reduce the overhead of this profiling.
3045         This mostly involved ensuring that we don't do it unnecessarily. For example, we avoid it
3046         in the baseline JIT (you can conditionally enable it but it's off by default) and we only do
3047         it in the DFG JIT if we know that the regular inline cache profiling wasn't precise enough.
3048         I also experimented with reducing the precision of the profiling. This led to a significant
3049         reduction in the speed-up, so I avoided this approach. I also explored making log processing
3050         concurrent, but that didn't help. Also, I tested the overhead of the log processing and
3051         found that most of the overhead of this profiling is actually in putting things into the log
3052         rather than in processing the log - that part appears to be surprisingly cheap.
3053
3054         Polymorphic inlining could be enabled in the DFG if we enabled baseline call edge profiling,
3055         and if we guarded such inlining sites with some profiling mechanism to detect
3056         polyvariant monomorphisation opportunities (where the callsite being inlined reveals that
3057         it's actually monomorphic).
3058
3059         This is a ~28% speed-up on deltablue and a ~7% speed-up on richards, with small speed-ups on
3060         other programs as well. It's about a 2% speed-up on Octane version 2, and never a regression
3061         on anything we care about. Some aggregates, like V8Spider, see a regression. This is
3062         highlighting the increase in profiling overhead. But since this doesn't show up on any major
3063         score (code-load or SunSpider), it's probably not relevant.
3064
3065         Relanding after fixing debug assertions in fast/storage/serialized-script-value.html.
3066
3067         * CMakeLists.txt:
3068         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3069         * JavaScriptCore.xcodeproj/project.pbxproj:
3070         * bytecode/CallEdge.cpp: Added.
3071         (JSC::CallEdge::dump):
3072         * bytecode/CallEdge.h: Added.
3073         (JSC::CallEdge::operator!):
3074         (JSC::CallEdge::callee):
3075         (JSC::CallEdge::count):
3076         (JSC::CallEdge::despecifiedClosure):
3077         (JSC::CallEdge::CallEdge):
3078         * bytecode/CallEdgeProfile.cpp: Added.
3079         (JSC::CallEdgeProfile::callEdges):
3080         (JSC::CallEdgeProfile::numCallsToKnownCells):
3081         (JSC::worthDespecifying):
3082         (JSC::CallEdgeProfile::worthDespecifying):
3083         (JSC::CallEdgeProfile::visitWeak):
3084         (JSC::CallEdgeProfile::addSlow):
3085         (JSC::CallEdgeProfile::mergeBack):
3086         (JSC::CallEdgeProfile::fadeByHalf):
3087         (JSC::CallEdgeLog::CallEdgeLog):
3088         (JSC::CallEdgeLog::~CallEdgeLog):
3089         (JSC::CallEdgeLog::isEnabled):
3090         (JSC::operationProcessCallEdgeLog):
3091         (JSC::CallEdgeLog::emitLogCode):
3092         (JSC::CallEdgeLog::processLog):
3093         * bytecode/CallEdgeProfile.h: Added.
3094         (JSC::CallEdgeProfile::numCallsToNotCell):
3095         (JSC::CallEdgeProfile::numCallsToUnknownCell):
3096         (JSC::CallEdgeProfile::totalCalls):
3097         * bytecode/CallEdgeProfileInlines.h: Added.
3098         (JSC::CallEdgeProfile::CallEdgeProfile):
3099         (JSC::CallEdgeProfile::add):
3100         * bytecode/CallLinkInfo.cpp:
3101         (JSC::CallLinkInfo::visitWeak):
3102         * bytecode/CallLinkInfo.h:
3103         * bytecode/CallLinkStatus.cpp:
3104         (JSC::CallLinkStatus::CallLinkStatus):
3105         (JSC::CallLinkStatus::computeFromLLInt):
3106         (JSC::CallLinkStatus::computeFor):
3107         (JSC::CallLinkStatus::computeExitSiteData):
3108         (JSC::CallLinkStatus::computeFromCallLinkInfo):
3109         (JSC::CallLinkStatus::computeFromCallEdgeProfile):
3110         (JSC::CallLinkStatus::computeDFGStatuses):
3111         (JSC::CallLinkStatus::isClosureCall):
3112         (JSC::CallLinkStatus::makeClosureCall):
3113         (JSC::CallLinkStatus::dump):
3114         (JSC::CallLinkStatus::function): Deleted.
3115         (JSC::CallLinkStatus::internalFunction): Deleted.
3116         (JSC::CallLinkStatus::intrinsicFor): Deleted.
3117         * bytecode/CallLinkStatus.h:
3118         (JSC::CallLinkStatus::CallLinkStatus):
3119         (JSC::CallLinkStatus::isSet):
3120         (JSC::CallLinkStatus::couldTakeSlowPath):
3121         (JSC::CallLinkStatus::edges):
3122         (JSC::CallLinkStatus::size):
3123         (JSC::CallLinkStatus::at):
3124         (JSC::CallLinkStatus::operator[]):
3125         (JSC::CallLinkStatus::canOptimize):
3126         (JSC::CallLinkStatus::canTrustCounts):
3127         (JSC::CallLinkStatus::isClosureCall): Deleted.
3128         (JSC::CallLinkStatus::callTarget): Deleted.
3129         (JSC::CallLinkStatus::executable): Deleted.
3130         (JSC::CallLinkStatus::makeClosureCall): Deleted.
3131         * bytecode/CallVariant.cpp: Added.
3132         (JSC::CallVariant::dump):
3133         * bytecode/CallVariant.h: Added.
3134         (JSC::CallVariant::CallVariant):
3135         (JSC::CallVariant::operator!):
3136         (JSC::CallVariant::despecifiedClosure):
3137         (JSC::CallVariant::rawCalleeCell):
3138         (JSC::CallVariant::internalFunction):
3139         (JSC::CallVariant::function):
3140         (JSC::CallVariant::isClosureCall):
3141         (JSC::CallVariant::executable):
3142         (JSC::CallVariant::nonExecutableCallee):
3143         (JSC::CallVariant::intrinsicFor):
3144         (JSC::CallVariant::functionExecutable):
3145         (JSC::CallVariant::isHashTableDeletedValue):
3146         (JSC::CallVariant::operator==):
3147         (JSC::CallVariant::operator!=):
3148         (JSC::CallVariant::operator<):
3149         (JSC::CallVariant::operator>):
3150         (JSC::CallVariant::operator<=):
3151         (JSC::CallVariant::operator>=):
3152         (JSC::CallVariant::hash):
3153         (JSC::CallVariant::deletedToken):
3154         (JSC::CallVariantHash::hash):
3155         (JSC::CallVariantHash::equal):
3156         * bytecode/CodeOrigin.h:
3157         (JSC::InlineCallFrame::isNormalCall):
3158         * bytecode/ExitKind.cpp:
3159         (JSC::exitKindToString):
3160         * bytecode/ExitKind.h:
3161         * bytecode/GetByIdStatus.cpp:
3162         (JSC::GetByIdStatus::computeForStubInfo):
3163         * bytecode/PutByIdStatus.cpp:
3164         (JSC::PutByIdStatus::computeForStubInfo):
3165         * dfg/DFGAbstractInterpreterInlines.h:
3166         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3167         * dfg/DFGBackwardsPropagationPhase.cpp:
3168         (JSC::DFG::BackwardsPropagationPhase::propagate):
3169         * dfg/DFGBasicBlock.cpp:
3170         (JSC::DFG::BasicBlock::~BasicBlock):
3171         * dfg/DFGBasicBlock.h:
3172         (JSC::DFG::BasicBlock::takeLast):
3173         (JSC::DFG::BasicBlock::didLink):
3174         * dfg/DFGByteCodeParser.cpp:
3175         (JSC::DFG::ByteCodeParser::processSetLocalQueue):
3176         (JSC::DFG::ByteCodeParser::removeLastNodeFromGraph):
3177         (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
3178         (JSC::DFG::ByteCodeParser::addCall):
3179         (JSC::DFG::ByteCodeParser::handleCall):
3180         (JSC::DFG::ByteCodeParser::emitFunctionChecks):
3181         (JSC::DFG::ByteCodeParser::undoFunctionChecks):
3182         (JSC::DFG::ByteCodeParser::inliningCost):
3183         (JSC::DFG::ByteCodeParser::inlineCall):
3184         (JSC::DFG::ByteCodeParser::cancelLinkingForBlock):
3185         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
3186         (JSC::DFG::ByteCodeParser::handleInlining):
3187         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
3188         (JSC::DFG::ByteCodeParser::prepareToParseBlock):
3189         (JSC::DFG::ByteCodeParser::clearCaches):
3190         (JSC::DFG::ByteCodeParser::parseBlock):
3191         (JSC::DFG::ByteCodeParser::linkBlock):
3192         (JSC::DFG::ByteCodeParser::linkBlocks):
3193         (JSC::DFG::ByteCodeParser::parseCodeBlock):
3194         * dfg/DFGCPSRethreadingPhase.cpp:
3195         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
3196         * dfg/DFGClobberize.h:
3197         (JSC::DFG::clobberize):
3198         * dfg/DFGCommon.h:
3199         * dfg/DFGConstantFoldingPhase.cpp:
3200         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3201         * dfg/DFGDoesGC.cpp:
3202         (JSC::DFG::doesGC):
3203         * dfg/DFGDriver.cpp:
3204         (JSC::DFG::compileImpl):
3205         * dfg/DFGFixupPhase.cpp:
3206         (JSC::DFG::FixupPhase::fixupNode):
3207         * dfg/DFGGraph.cpp:
3208         (JSC::DFG::Graph::dump):
3209         (JSC::DFG::Graph::getBlocksInPreOrder):
3210         (JSC::DFG::Graph::visitChildren):
3211         * dfg/DFGJITCompiler.cpp:
3212         (JSC::DFG::JITCompiler::link):
3213         * dfg/DFGLazyJSValue.cpp:
3214         (JSC::DFG::LazyJSValue::switchLookupValue):
3215         * dfg/DFGLazyJSValue.h:
3216         (JSC::DFG::LazyJSValue::switchLookupValue): Deleted.
3217         * dfg/DFGNode.cpp:
3218         (WTF::printInternal):
3219         * dfg/DFGNode.h:
3220         (JSC::DFG::OpInfo::OpInfo):
3221         (JSC::DFG::Node::hasHeapPrediction):
3222         (JSC::DFG::Node::hasCellOperand):
3223         (JSC::DFG::Node::cellOperand):
3224         (JSC::DFG::Node::setCellOperand):
3225         (JSC::DFG::Node::canBeKnownFunction): Deleted.
3226         (JSC::DFG::Node::hasKnownFunction): Deleted.
3227         (JSC::DFG::Node::knownFunction): Deleted.
3228         (JSC::DFG::Node::giveKnownFunction): Deleted.
3229         (JSC::DFG::Node::hasFunction): Deleted.
3230         (JSC::DFG::Node::function): Deleted.
3231         (JSC::DFG::Node::hasExecutable): Deleted.
3232         (JSC::DFG::Node::executable): Deleted.
3233         * dfg/DFGNodeType.h:
3234         * dfg/DFGPhantomCanonicalizationPhase.cpp:
3235         (JSC::DFG::PhantomCanonicalizationPhase::run):
3236         * dfg/DFGPhantomRemovalPhase.cpp:
3237         (JSC::DFG::PhantomRemovalPhase::run):
3238         * dfg/DFGPredictionPropagationPhase.cpp:
3239         (JSC::DFG::PredictionPropagationPhase::propagate):
3240         * dfg/DFGSafeToExecute.h:
3241         (JSC::DFG::safeToExecute):
3242         * dfg/DFGSpeculativeJIT.cpp:
3243         (JSC::DFG::SpeculativeJIT::emitSwitch):
3244         * dfg/DFGSpeculativeJIT32_64.cpp:
3245         (JSC::DFG::SpeculativeJIT::emitCall):
3246         (JSC::DFG::SpeculativeJIT::compile):
3247         * dfg/DFGSpeculativeJIT64.cpp:
3248         (JSC::DFG::SpeculativeJIT::emitCall):
3249         (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureRegistrationPhase.cpp:
        (JSC::DFG::StructureRegistrationPhase::run):
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):
        (JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        * dfg/DFGWatchpointCollectionPhase.cpp:
        (JSC::DFG::WatchpointCollectionPhase::handle):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::ftlUnreachable):
        (JSC::FTL::LowerDFGToLLVM::lower):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCheckCell):
        (JSC::FTL::LowerDFGToLLVM::compileCheckBadCell):
        (JSC::FTL::LowerDFGToLLVM::compileGetExecutable):
        (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
        (JSC::FTL::LowerDFGToLLVM::compileSwitch):
        (JSC::FTL::LowerDFGToLLVM::buildSwitch):
        (JSC::FTL::LowerDFGToLLVM::compileCheckFunction): Deleted.
        (JSC::FTL::LowerDFGToLLVM::compileCheckExecutable): Deleted.
        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::storeValue):
        (JSC::AssemblyHelpers::loadValue):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArguments):
        * jit/GPRInfo.h:
        (JSC::JSValueRegs::uses):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
        * runtime/Options.h:
        * runtime/VM.cpp:
        (JSC::VM::ensureCallEdgeLog):
        * runtime/VM.h:
        * tests/stress/fold-profiled-call-to-call.js: Added. This test pinpoints the problem we saw in fast/storage/serialized-script-value.html.
        * tests/stress/new-array-then-exit.js: Added.
        * tests/stress/poly-call-exit-this.js: Added.
        * tests/stress/poly-call-exit.js: Added.

2014-08-28  Julien Brianceau  <jbriance@cisco.com>

        Correct GC length unit and prevent division by 0 in showObjectStatistics.
        https://bugs.webkit.org/show_bug.cgi?id=136340

        Reviewed by Mark Hahnenberg.

        * heap/HeapStatistics.cpp:
        (JSC::HeapStatistics::showObjectStatistics):

2014-08-27  Akos Kiss  <akiss@inf.u-szeged.hu>

        Ensure that the call frame passed from JIT code via JSC::operationCallEval to JSC::eval always contains the valid scope chain.
        https://bugs.webkit.org/show_bug.cgi?id=136313

        Reviewed by Michael Saboff.

        Do not rely on calling conventions to fill in the CallerFrame component
        of the execCallee parameter of JSC::operationCallEval.

        * jit/JITOperations.cpp:

2014-08-27  Saam Barati  <sbarati@apple.com>

        Deconstruction object pattern node emits the wrong start/end text positions
        https://bugs.webkit.org/show_bug.cgi?id=136304

        Reviewed by Geoffrey Garen.

        Object pattern nodes that used the syntactic sugar binding:
        'var {foo} = {foo:20}' instead of 'var {foo:foo} = {foo:20}'
        would get the wrong text position for variable 'foo'. The position
        would be placed on the comma(s)/closing brace instead of the identifier.
        This patch fixes this bug by caching the identifier's JSToken before
        trying to parse an optional colon.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseVarDeclarationList):
        (JSC::Parser<LexerType>::createBindingPattern):
        (JSC::Parser<LexerType>::parseDeconstructionPattern):
        * parser/Parser.h:

2014-08-27  Brent Fulgham  <bfulgham@apple.com>

        [Win] Build fix after last commit.

        Check in new DLLLauncherMain.cpp file.

        * JavaScriptCore.vcxproj/jsc/DLLLauncherMain.cpp: Added.
        (enableTerminationOnHeapCorruption):
        (getStringValue):
        (applePathFromRegistry):
        (appleApplicationSupportDirectory):
        (copyEnvironmentVariable):
        (prependPath):
        (fatalError):
        (directoryExists):
        (modifyPath):
        (getLastErrorString):
        (wWinMain):

2014-08-27  Brent Fulgham  <bfulgham@apple.com>

        [Win] testapi and testRegExp need to find support libraries.
        https://bugs.webkit.org/show_bug.cgi?id=136008.

        Reviewed by Dean Jackson.