f5e4d809afdfeb4ed042752ea657946aac186c8f
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-08-11  Andy Estes  <aestes@apple.com>

        [iOS] Get rid of iOS.xcconfig
        https://bugs.webkit.org/show_bug.cgi?id=135809

        Reviewed by Joseph Pecoraro.

        All iOS.xcconfig did was include AspenFamily.xcconfig, so there's no need for the indirection.

        * Configurations/Base.xcconfig:
        * Configurations/iOS.xcconfig: Removed.
        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-08-11  Michael Saboff  <msaboff@apple.com>

        Eliminate {push,pop}CalleeSaves in favor of individual pushes & pops
        https://bugs.webkit.org/show_bug.cgi?id=127155

        Reviewed by Geoffrey Garen.

        Eliminated the offline assembler instructions {push,pop}CalleeSaves as well as the
        ARM64 specific {push,pop}LRAndFP and replaced them with individual push and pop
        instructions. Where the registers referenced by the added push and pop instructions
        are not part of the offline assembler register aliases, used a newly added "emit"
        offline assembler instruction which takes a string literal and outputs that
        string as a native instruction.

        * llint/LowLevelInterpreter.asm:
        * offlineasm/arm.rb:
        * offlineasm/arm64.rb:
        * offlineasm/ast.rb:
        * offlineasm/cloop.rb:
        * offlineasm/instructions.rb:
        * offlineasm/mips.rb:
        * offlineasm/parser.rb:
        * offlineasm/sh4.rb:
        * offlineasm/transform.rb:
        * offlineasm/x86.rb:

2014-08-11  Mark Lam  <mark.lam@apple.com>

        Re-landing r172401 with fixed test.
        <https://webkit.org/b/135782>

        Not reviewed.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetByVal):
        (JSC::BytecodeGenerator::pushIndexedForInScope):
        (JSC::BytecodeGenerator::pushStructureForInScope):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::ForInContext::ForInContext):
        (JSC::ForInContext::base):
        (JSC::StructureForInContext::StructureForInContext):
        (JSC::IndexedForInContext::IndexedForInContext):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitMultiLoopBytecode):
        * tests/stress/for-in-tests.js:

2014-08-11  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r172401.
        https://bugs.webkit.org/show_bug.cgi?id=135812

        Failing stress/for-in-tests.js
        http://build.webkit.org/builders/Apple%20Mavericks%20Release%20WK1%20%28Tests%29/builds/7945/steps/jscore-test/logs/stdio (Requested by mlam on #webkit).

        Reverted changeset:

        "for-in optimization should also make sure the base matches
        the object being iterated"
        https://bugs.webkit.org/show_bug.cgi?id=135782
        http://trac.webkit.org/changeset/172401

2014-08-11  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: use type builders to construct high fidelity type information payloads
        https://bugs.webkit.org/show_bug.cgi?id=135803

        Reviewed by Timothy Hatcher.

        Due to some typos in the protocol file, the code had worked with raw objects
        rather than with type builders. Convert to using builders.

        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/protocol/Runtime.json: Fix 'item' for 'items'; true for 'true'.
        * runtime/HighFidelityTypeProfiler.cpp:
        (JSC::HighFidelityTypeProfiler::getTypesForVariableAtOffsetForInspector):
        * runtime/HighFidelityTypeProfiler.h:
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::allStructureRepresentations):
        (JSC::StructureShape::stringRepresentation):
        (JSC::StructureShape::inspectorRepresentation):
        * runtime/TypeSet.h:

2014-08-11  Mark Hahnenberg  <mhahnenberg@apple.com>

        for-in optimization should also make sure the base matches the object being iterated
        https://bugs.webkit.org/show_bug.cgi?id=135782

        Reviewed by Geoffrey Garen.

        If we access a different base object with the same index, we shouldn't try to randomly
        load from that object's backing store.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetByVal):
        (JSC::BytecodeGenerator::pushIndexedForInScope):
        (JSC::BytecodeGenerator::pushStructureForInScope):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::ForInContext::ForInContext):
        (JSC::ForInContext::base):
        (JSC::StructureForInContext::StructureForInContext):
        (JSC::IndexedForInContext::IndexedForInContext):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitMultiLoopBytecode):
        * tests/stress/for-in-tests.js:

2014-08-11  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed gardening.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Display files in
        proper folder categories.

2014-08-11  Mark Hahnenberg  <mhahnenberg@apple.com>

        JIT should use full 64-bit stores for jsBoolean and jsNull
        https://bugs.webkit.org/show_bug.cgi?id=135784

        Reviewed by Michael Saboff.

        This guarantees that we set the high bits of the register with the correct tag.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_has_structure_property):
        (JSC::JIT::emit_op_next_enumerator_pname):

2014-08-11  Brent Fulgham  <bfulgham@apple.com>

        [Win] Adjust build script for Windows production build.
        https://bugs.webkit.org/show_bug.cgi?id=135806
        <rdar://problem/17978299>

        Reviewed by Timothy Hatcher.

        * JavaScriptCore.vcxproj/copy-files.cmd: Copy file for later use
        in WebInspectorUI build.

2014-08-10  Oliver Hunt  <oliver@apple.com>

        Destructuring assignment in a var declaration list incorrectly consumes subsequent variable initialisers
        https://bugs.webkit.org/show_bug.cgi?id=135773

        Reviewed by Michael Saboff.

        We should be using parseAssignment expression in order to get the correct
        precedence.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseVarDeclarationList):

2014-08-10  Diego Pino Garcia  <dpino@igalia.com>

        JSC Lexer is allowing octals 08 and 09 in strict mode functions
        https://bugs.webkit.org/show_bug.cgi?id=135704

        Reviewed by Oliver Hunt.

        Return syntax error ("Decimal integer literals with a leading zero are
        forbidden in strict mode") if a number starts with 0 and is followed
        by a digit.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::lex):

2014-08-08  Mark Lam  <mark.lam@apple.com>

        REGRESSION: Inspector crashes when debugger is paused and injected scripts access window.screen().
        <https://webkit.org/b/135656>

        Not reviewed.

        Rolling out r170680 which was merged to ToT in r172129.

        * debugger/Debugger.h:
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::scope):
        (JSC::DebuggerCallFrame::evaluate):
        (JSC::DebuggerCallFrame::invalidate):
        * debugger/DebuggerCallFrame.h:
        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::DebuggerScope):
        (JSC::DebuggerScope::finishCreation):
        (JSC::DebuggerScope::visitChildren):
        (JSC::DebuggerScope::className):
        (JSC::DebuggerScope::getOwnPropertySlot):
        (JSC::DebuggerScope::put):
        (JSC::DebuggerScope::deleteProperty):
        (JSC::DebuggerScope::getOwnPropertyNames):
        (JSC::DebuggerScope::defineOwnProperty):
        (JSC::DebuggerScope::next): Deleted.
        (JSC::DebuggerScope::invalidateChain): Deleted.
        (JSC::DebuggerScope::isWithScope): Deleted.
        (JSC::DebuggerScope::isGlobalScope): Deleted.
        (JSC::DebuggerScope::isFunctionScope): Deleted.
        * debugger/DebuggerScope.h:
        (JSC::DebuggerScope::create):
        (JSC::DebuggerScope::Iterator::Iterator): Deleted.
        (JSC::DebuggerScope::Iterator::get): Deleted.
        (JSC::DebuggerScope::Iterator::operator++): Deleted.
        (JSC::DebuggerScope::Iterator::operator==): Deleted.
        (JSC::DebuggerScope::Iterator::operator!=): Deleted.
        (JSC::DebuggerScope::isValid): Deleted.
        (JSC::DebuggerScope::jsScope): Deleted.
        (JSC::DebuggerScope::begin): Deleted.
        (JSC::DebuggerScope::end): Deleted.
        * inspector/JSJavaScriptCallFrame.cpp:
        (Inspector::JSJavaScriptCallFrame::scopeType):
        (Inspector::JSJavaScriptCallFrame::scopeChain):
        * inspector/JavaScriptCallFrame.h:
        (Inspector::JavaScriptCallFrame::scopeChain):
        * inspector/ScriptDebugServer.cpp:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::debuggerScopeStructure): Deleted.
        * runtime/JSObject.h:
        (JSC::JSObject::isWithScope): Deleted.
        * runtime/JSScope.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2014-08-07  Saam Barati  <sbarati@apple.com>

        Create a more generic way for VMEntryScope to notify those interested that it will be destroyed
        https://bugs.webkit.org/show_bug.cgi?id=135358

        Reviewed by Geoffrey Garen.

        When VMEntryScope is destroyed, and it has a flag set indicating that the
        Debugger needs to recompile all functions, it calls Debugger::recompileAllJSFunctions.
        This flag is only used by Debugger to have VMEntryScope notify it when the
        Debugger is safe to recompile all functions. This patch will substitute this
        Debugger-specific recompilation flag with a list of callbacks that are notified
        when the outermost VMEntryScope dies. This creates a general purpose interface
        for being notified when the VM stops executing code via the event of the outermost
        VMEntryScope dying.

        * debugger/Debugger.cpp:
        (JSC::Debugger::recompileAllJSFunctions):
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope):
        (JSC::VMEntryScope::setEntryScopeDidPopListener):
        (JSC::VMEntryScope::~VMEntryScope):
        * runtime/VMEntryScope.h:
        (JSC::VMEntryScope::setRecompilationNeeded): Deleted.

2014-08-07  Benjamin Poulain  <bpoulain@apple.com>

        Get rid of SCRIPTED_SPEECH
        https://bugs.webkit.org/show_bug.cgi?id=135729

        Reviewed by Brent Fulgham.

        * Configurations/FeatureDefines.xcconfig:

2014-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        SpeculateInt32Operand is sometimes used in a 64-bit context, which has undefined behavior
        https://bugs.webkit.org/show_bug.cgi?id=135722

        Reviewed by Filip Pizlo.

        We should be using SpeculateStrictInt32Operand instead.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2014-08-07  Benjamin Poulain  <bpoulain@apple.com>

        Get rid of INPUT_SPEECH
        https://bugs.webkit.org/show_bug.cgi?id=135672

        Reviewed by Andreas Kling.

        * Configurations/FeatureDefines.xcconfig:

2014-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        for-in is failing fast/dom/dataset-xhtml.xhtml and dataset.html tests
        https://bugs.webkit.org/show_bug.cgi?id=135681

        Reviewed by Filip Pizlo.

        * runtime/Structure.cpp:
        (JSC::Structure::canCacheGenericPropertyNameEnumerator): We were checking the entire
        prototype chain for overridesGetPropertyNames, but we were neglecting to check the
        base object's Structure. D'oh!

2014-08-06  Mark Lam  <mark.lam@apple.com>

        Gardening: fix for build failure on EFL bots.

        Not reviewed.

        * runtime/EnumerationMode.h:
        (JSC::shouldIncludeJSObjectPropertyNames):
        (JSC::modeThatSkipsJSObject):
        * runtime/JSCell.cpp:
        (JSC::JSCell::getEnumerableLength):
        * runtime/JSCell.h:

2014-08-06  Dean Jackson  <dino@apple.com>

        ENABLE_CSS_TRANSFORMS_ANIMATIONS_UNPREFIXED is not used anywhere. Remove it.
        https://bugs.webkit.org/show_bug.cgi?id=135675

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:

2014-08-06  Wenson Hsieh  <wenson_hsieh@apple.com>

        Implement parsing for CSS scroll snap points
        https://bugs.webkit.org/show_bug.cgi?id=134301

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig: Added ENABLE_CSS_SCROLL_SNAP

2014-08-06  Mark Lam  <mark.lam@apple.com>

        Gardening: fix for build failure on GTK bots.

        Not reviewed.

        * runtime/FunctionHasExecutedCache.cpp:
        - #include <limits.h> for UINT_MAX's definition.

2014-08-06  Mark Lam  <mark.lam@apple.com>

        Gardening: fix for build failure on EFL bots.

        Not reviewed.

        * jit/JITInlines.h:
        (JSC::JIT::emitLoadForArrayMode):

2014-08-06  Mark Lam  <mark.lam@apple.com>

        Gardening: adding missing build file changes from the FTLOPT merge at r172176.

        Not reviewed.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2014-08-06  Ryuan Choi  <ryuan.choi@samsung.com>

        Unreviewed build fix attempt since r172184

        * CMakeLists.txt: Removed TypeLocation.cpp

2014-08-06  Mark Lam  <mark.lam@apple.com>

        Gardening: adding missing build file changes from r171510.
        <https://webkit.org/b/134860>

        Not reviewed.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2014-08-06  Mark Lam  <mark.lam@apple.com>

        Gardening: adding missing build file changes from r170490.
        <https://webkit.org/b/133395>

        Not reviewed.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2014-08-06  Filip Pizlo  <fpizlo@apple.com>

        Silence a debug assertion.

        Reviewed by Mark Hahnenberg.

        * runtime/JSPropertyNameEnumerator.h:
        (JSC::JSPropertyNameEnumerator::cachedStructure):

2014-08-06  Filip Pizlo  <fpizlo@apple.com>

        Fix 32-bit build.

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileHasIndexedProperty):

2014-08-06  Filip Pizlo  <fpizlo@apple.com>

        Merge r171389, r171495, r171508, r171510, r171605, r171606, r171611, r171614, r171763 from ftlopt.

    2014-07-28  Mark Hahnenberg  <mhahnenberg@apple.com>

            Support for-in in the FTL
            https://bugs.webkit.org/show_bug.cgi?id=134140

            Reviewed by Filip Pizlo.

            * dfg/DFGSSALoweringPhase.cpp:
            (JSC::DFG::SSALoweringPhase::handleNode):
            * ftl/FTLAbstractHeapRepository.cpp:
            * ftl/FTLAbstractHeapRepository.h:
            * ftl/FTLCapabilities.cpp:
            (JSC::FTL::canCompile):
            * ftl/FTLIntrinsicRepository.h:
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileNode):
            (JSC::FTL::LowerDFGToLLVM::compileHasIndexedProperty):
            (JSC::FTL::LowerDFGToLLVM::compileHasGenericProperty):
            (JSC::FTL::LowerDFGToLLVM::compileHasStructureProperty):
            (JSC::FTL::LowerDFGToLLVM::compileGetDirectPname):
            (JSC::FTL::LowerDFGToLLVM::compileGetEnumerableLength):
            (JSC::FTL::LowerDFGToLLVM::compileGetStructurePropertyEnumerator):
            (JSC::FTL::LowerDFGToLLVM::compileGetGenericPropertyEnumerator):
            (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname):
            (JSC::FTL::LowerDFGToLLVM::compileToIndexString):

    2014-07-25  Mark Hahnenberg  <mhahnenberg@apple.com>

            Remove JSPropertyNameIterator
            https://bugs.webkit.org/show_bug.cgi?id=135066

            Reviewed by Geoffrey Garen.

            It has been replaced by JSPropertyNameEnumerator.

            * JavaScriptCore.order:
            * bytecode/BytecodeBasicBlock.cpp:
            (JSC::isBranch):
            * bytecode/BytecodeList.json:
            * bytecode/BytecodeUseDef.h:
            (JSC::computeUsesForBytecodeOffset):
            (JSC::computeDefsForBytecodeOffset):
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::dumpBytecode):
            * bytecode/PreciseJumpTargets.cpp:
            (JSC::getJumpTargetsForBytecodeOffset):
            * bytecompiler/BytecodeGenerator.cpp:
            (JSC::BytecodeGenerator::emitGetPropertyNames): Deleted.
            (JSC::BytecodeGenerator::emitNextPropertyName): Deleted.
            * bytecompiler/BytecodeGenerator.h:
            * interpreter/Interpreter.cpp:
            * interpreter/Register.h:
            * jit/JIT.cpp:
            (JSC::JIT::privateCompileMainPass):
            (JSC::JIT::privateCompileSlowCases):
            * jit/JIT.h:
            * jit/JITOpcodes.cpp:
            (JSC::JIT::emit_op_get_pnames): Deleted.
            (JSC::JIT::emit_op_next_pname): Deleted.
            * jit/JITOpcodes32_64.cpp:
            (JSC::JIT::emit_op_get_pnames): Deleted.
            (JSC::JIT::emit_op_next_pname): Deleted.
            * jit/JITOperations.cpp:
            * jit/JITPropertyAccess.cpp:
            (JSC::JIT::emit_op_get_by_pname): Deleted.
            (JSC::JIT::emitSlow_op_get_by_pname): Deleted.
            * jit/JITPropertyAccess32_64.cpp:
            (JSC::JIT::emit_op_get_by_pname): Deleted.
            (JSC::JIT::emitSlow_op_get_by_pname): Deleted.
            * llint/LLIntOffsetsExtractor.cpp:
            * llint/LLIntSlowPaths.cpp:
            (JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
            * llint/LLIntSlowPaths.h:
            * llint/LowLevelInterpreter.asm:
            * llint/LowLevelInterpreter32_64.asm:
            * llint/LowLevelInterpreter64.asm:
            * runtime/CommonSlowPaths.cpp:
            * runtime/JSPropertyNameIterator.cpp:
            (JSC::JSPropertyNameIterator::JSPropertyNameIterator): Deleted.
            (JSC::JSPropertyNameIterator::create): Deleted.
            (JSC::JSPropertyNameIterator::destroy): Deleted.
            (JSC::JSPropertyNameIterator::get): Deleted.
            (JSC::JSPropertyNameIterator::visitChildren): Deleted.
            * runtime/JSPropertyNameIterator.h:
            (JSC::JSPropertyNameIterator::createStructure): Deleted.
            (JSC::JSPropertyNameIterator::size): Deleted.
            (JSC::JSPropertyNameIterator::setCachedStructure): Deleted.
            (JSC::JSPropertyNameIterator::cachedStructure): Deleted.
            (JSC::JSPropertyNameIterator::setCachedPrototypeChain): Deleted.
            (JSC::JSPropertyNameIterator::cachedPrototypeChain): Deleted.
            (JSC::JSPropertyNameIterator::finishCreation): Deleted.
            (JSC::Register::propertyNameIterator): Deleted.
            (JSC::StructureRareData::enumerationCache): Deleted.
            (JSC::StructureRareData::setEnumerationCache): Deleted.
            * runtime/Structure.cpp:
            (JSC::Structure::addPropertyWithoutTransition):
            (JSC::Structure::removePropertyWithoutTransition):
            * runtime/Structure.h:
            * runtime/StructureInlines.h:
            (JSC::Structure::setEnumerationCache): Deleted.
            (JSC::Structure::enumerationCache): Deleted.
            * runtime/StructureRareData.cpp:
            (JSC::StructureRareData::visitChildren):
            * runtime/StructureRareData.h:
            * runtime/VM.cpp:
            (JSC::VM::VM):

    2014-07-25  Saam Barati  <sbarati@apple.com>

            Fix 32-bit build breakage for type profiling
            https://bugs.webkit.org/process_bug.cgi

            Reviewed by Mark Hahnenberg.

            32-bit builds currently break because global variable IDs for high
            fidelity type profiling are int64_t. Change this to intptr_t so that
            it's 32 bits on 32-bit platforms and 64 bits on 64-bit platforms.

            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::CodeBlock):
            (JSC::CodeBlock::scopeDependentProfile):
            * bytecode/TypeLocation.h:
            * runtime/SymbolTable.cpp:
            (JSC::SymbolTable::uniqueIDForVariable):
            (JSC::SymbolTable::uniqueIDForRegister):
            * runtime/SymbolTable.h:
            * runtime/TypeLocationCache.cpp:
            (JSC::TypeLocationCache::getTypeLocation):
            * runtime/TypeLocationCache.h:
            * runtime/VM.h:
            (JSC::VM::getNextUniqueVariableID):

    2014-07-25  Mark Hahnenberg  <mhahnenberg@apple.com>

            Reindent PropertyNameArray.h
            https://bugs.webkit.org/show_bug.cgi?id=135067

            Reviewed by Geoffrey Garen.

            * runtime/PropertyNameArray.h:
            (JSC::RefCountedIdentifierSet::contains):
            (JSC::RefCountedIdentifierSet::size):
            (JSC::RefCountedIdentifierSet::add):
            (JSC::PropertyNameArrayData::create):
            (JSC::PropertyNameArrayData::propertyNameVector):
            (JSC::PropertyNameArrayData::PropertyNameArrayData):
            (JSC::PropertyNameArray::PropertyNameArray):
            (JSC::PropertyNameArray::vm):
            (JSC::PropertyNameArray::add):
            (JSC::PropertyNameArray::addKnownUnique):
            (JSC::PropertyNameArray::operator[]):
            (JSC::PropertyNameArray::setData):
            (JSC::PropertyNameArray::data):
            (JSC::PropertyNameArray::releaseData):
            (JSC::PropertyNameArray::identifierSet):
            (JSC::PropertyNameArray::canAddKnownUniqueForStructure):
            (JSC::PropertyNameArray::size):
            (JSC::PropertyNameArray::begin):
            (JSC::PropertyNameArray::end):
            (JSC::PropertyNameArray::numCacheableSlots):
            (JSC::PropertyNameArray::setNumCacheableSlotsForObject):
            (JSC::PropertyNameArray::setBaseObject):
            (JSC::PropertyNameArray::setPreviouslyEnumeratedLength):

    2014-07-23  Mark Hahnenberg  <mhahnenberg@apple.com>

            Refactor our current implementation of for-in
            https://bugs.webkit.org/show_bug.cgi?id=134142

            Reviewed by Filip Pizlo.

            This patch splits for-in loops into three distinct parts:

            - Iterating over the indexed properties in the base object.
            - Iterating over the Structure properties in the base object.
            - Iterating over any other enumerable properties for that object and any objects in the prototype chain.

            It does this by emitting these explicit loops in bytecode, using a new set of bytecodes to
            support the various operations required for each loop.

            * API/JSCallbackObjectFunctions.h:
            (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * bytecode/BytecodeList.json:
            * bytecode/BytecodeUseDef.h:
            (JSC::computeUsesForBytecodeOffset):
            (JSC::computeDefsForBytecodeOffset):
            * bytecode/CallLinkStatus.h:
            (JSC::CallLinkStatus::CallLinkStatus):
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::dumpBytecode):
            (JSC::CodeBlock::CodeBlock):
            * bytecompiler/BytecodeGenerator.cpp:
            (JSC::BytecodeGenerator::emitGetByVal):
            (JSC::BytecodeGenerator::emitComplexPopScopes):
            (JSC::BytecodeGenerator::emitGetEnumerableLength):
            (JSC::BytecodeGenerator::emitHasGenericProperty):
            (JSC::BytecodeGenerator::emitHasIndexedProperty):
            (JSC::BytecodeGenerator::emitHasStructureProperty):
            (JSC::BytecodeGenerator::emitGetStructurePropertyEnumerator):
            (JSC::BytecodeGenerator::emitGetGenericPropertyEnumerator):
            (JSC::BytecodeGenerator::emitNextEnumeratorPropertyName):
            (JSC::BytecodeGenerator::emitToIndexString):
            (JSC::BytecodeGenerator::pushIndexedForInScope):
            (JSC::BytecodeGenerator::popIndexedForInScope):
            (JSC::BytecodeGenerator::pushStructureForInScope):
            (JSC::BytecodeGenerator::popStructureForInScope):
            (JSC::BytecodeGenerator::invalidateForInContextForLocal):
            * bytecompiler/BytecodeGenerator.h:
            (JSC::ForInContext::ForInContext):
            (JSC::ForInContext::~ForInContext):
            (JSC::ForInContext::isValid):
            (JSC::ForInContext::invalidate):
            (JSC::ForInContext::local):
            (JSC::StructureForInContext::StructureForInContext):
            (JSC::StructureForInContext::type):
            (JSC::StructureForInContext::index):
            (JSC::StructureForInContext::property):
            (JSC::StructureForInContext::enumerator):
            (JSC::IndexedForInContext::IndexedForInContext):
            (JSC::IndexedForInContext::type):
            (JSC::IndexedForInContext::index):
            (JSC::BytecodeGenerator::pushOptimisedForIn): Deleted.
            (JSC::BytecodeGenerator::popOptimisedForIn): Deleted.
            * bytecompiler/NodesCodegen.cpp:
            (JSC::ReadModifyResolveNode::emitBytecode):
            (JSC::AssignResolveNode::emitBytecode):
            (JSC::ForInNode::tryGetBoundLocal):
            (JSC::ForInNode::emitLoopHeader):
            (JSC::ForInNode::emitMultiLoopBytecode):
            (JSC::ForInNode::emitBytecode):
            * debugger/DebuggerScope.h:
            * dfg/DFGAbstractHeap.h:
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::parseBlock):
            * dfg/DFGCapabilities.cpp:
            (JSC::DFG::capabilityLevel):
            * dfg/DFGClobberize.h:
            (JSC::DFG::clobberize):
            * dfg/DFGDoesGC.cpp:
            (JSC::DFG::doesGC):
            * dfg/DFGFixupPhase.cpp:
            (JSC::DFG::FixupPhase::fixupNode):
            * dfg/DFGHeapLocation.cpp:
            (WTF::printInternal):
            * dfg/DFGHeapLocation.h:
            * dfg/DFGNode.h:
            (JSC::DFG::Node::hasHeapPrediction):
            (JSC::DFG::Node::hasArrayMode):
            * dfg/DFGNodeType.h:
            * dfg/DFGPredictionPropagationPhase.cpp:
            (JSC::DFG::PredictionPropagationPhase::propagate):
            * dfg/DFGSafeToExecute.h:
            (JSC::DFG::safeToExecute):
            * dfg/DFGSpeculativeJIT.h:
            (JSC::DFG::SpeculativeJIT::callOperation):
            * dfg/DFGSpeculativeJIT32_64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGSpeculativeJIT64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * jit/JIT.cpp:
            (JSC::JIT::privateCompileMainPass):
            (JSC::JIT::privateCompileSlowCases):
            * jit/JIT.h:
            (JSC::JIT::compileHasIndexedProperty):
            (JSC::JIT::emitInt32Load):
            * jit/JITInlines.h:
            (JSC::JIT::emitDoubleGetByVal):
            (JSC::JIT::emitLoadForArrayMode):
            (JSC::JIT::emitContiguousGetByVal):
            (JSC::JIT::emitArrayStorageGetByVal):
            * jit/JITOpcodes.cpp:
            (JSC::JIT::emit_op_get_enumerable_length):
            (JSC::JIT::emit_op_has_structure_property):
            (JSC::JIT::emitSlow_op_has_structure_property):
            (JSC::JIT::emit_op_has_generic_property):
            (JSC::JIT::privateCompileHasIndexedProperty):
            (JSC::JIT::emit_op_has_indexed_property):
            (JSC::JIT::emitSlow_op_has_indexed_property):
            (JSC::JIT::emit_op_get_direct_pname):
            (JSC::JIT::emitSlow_op_get_direct_pname):
            (JSC::JIT::emit_op_get_structure_property_enumerator):
            (JSC::JIT::emit_op_get_generic_property_enumerator):
            (JSC::JIT::emit_op_next_enumerator_pname):
            (JSC::JIT::emit_op_to_index_string):
            * jit/JITOpcodes32_64.cpp:
            (JSC::JIT::emit_op_get_enumerable_length):
            (JSC::JIT::emit_op_has_structure_property):
            (JSC::JIT::emitSlow_op_has_structure_property):
            (JSC::JIT::emit_op_has_generic_property):
            (JSC::JIT::privateCompileHasIndexedProperty):
            (JSC::JIT::emit_op_has_indexed_property):
            (JSC::JIT::emitSlow_op_has_indexed_property):
            (JSC::JIT::emit_op_get_direct_pname):
            (JSC::JIT::emitSlow_op_get_direct_pname):
            (JSC::JIT::emit_op_get_structure_property_enumerator):
            (JSC::JIT::emit_op_get_generic_property_enumerator):
            (JSC::JIT::emit_op_next_enumerator_pname):
            (JSC::JIT::emit_op_to_index_string):
            * jit/JITOperations.cpp:
            * jit/JITOperations.h:
            * jit/JITPropertyAccess.cpp:
            (JSC::JIT::emitDoubleLoad):
            (JSC::JIT::emitContiguousLoad):
            (JSC::JIT::emitArrayStorageLoad):
            (JSC::JIT::emitDoubleGetByVal): Deleted.
            (JSC::JIT::emitContiguousGetByVal): Deleted.
            (JSC::JIT::emitArrayStorageGetByVal): Deleted.
            * jit/JITPropertyAccess32_64.cpp:
            (JSC::JIT::emitContiguousLoad):
            (JSC::JIT::emitDoubleLoad):
            (JSC::JIT::emitArrayStorageLoad):
            (JSC::JIT::emitContiguousGetByVal): Deleted.
            (JSC::JIT::emitDoubleGetByVal): Deleted.
            (JSC::JIT::emitArrayStorageGetByVal): Deleted.
            * llint/LowLevelInterpreter.asm:
            * parser/Nodes.h:
            * runtime/Arguments.cpp:
            (JSC::Arguments::getOwnPropertyNames):
            * runtime/ClassInfo.h:
            * runtime/CommonSlowPaths.cpp:
            (JSC::SLOW_PATH_DECL):
            * runtime/CommonSlowPaths.h:
            * runtime/EnumerationMode.h: Added.
            (JSC::shouldIncludeDontEnumProperties):
            (JSC::shouldExcludeDontEnumProperties):
            (JSC::shouldIncludeJSObjectPropertyNames):
            (JSC::modeThatSkipsJSObject):
            * runtime/JSActivation.cpp:
            (JSC::JSActivation::getOwnNonIndexPropertyNames):
            * runtime/JSArray.cpp:
            (JSC::JSArray::getOwnNonIndexPropertyNames):
            * runtime/JSArrayBuffer.cpp:
            (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
            * runtime/JSArrayBufferView.cpp:
            (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
            * runtime/JSCell.cpp:
            (JSC::JSCell::getEnumerableLength):
            (JSC::JSCell::getStructurePropertyNames):
            (JSC::JSCell::getGenericPropertyNames):
756             * runtime/JSCell.h:
757             * runtime/JSFunction.cpp:
758             (JSC::JSFunction::getOwnNonIndexPropertyNames):
759             * runtime/JSGenericTypedArrayViewInlines.h:
760             (JSC::JSGenericTypedArrayView<Adaptor>::getOwnNonIndexPropertyNames):
761             * runtime/JSObject.cpp:
762             (JSC::getClassPropertyNames):
763             (JSC::JSObject::hasOwnProperty):
764             (JSC::JSObject::getOwnPropertyNames):
765             (JSC::JSObject::getOwnNonIndexPropertyNames):
766             (JSC::JSObject::getEnumerableLength):
767             (JSC::JSObject::getStructurePropertyNames):
768             (JSC::JSObject::getGenericPropertyNames):
769             * runtime/JSObject.h:
770             * runtime/JSPropertyNameEnumerator.cpp: Added.
771             (JSC::JSPropertyNameEnumerator::create):
772             (JSC::JSPropertyNameEnumerator::JSPropertyNameEnumerator):
773             (JSC::JSPropertyNameEnumerator::finishCreation):
774             (JSC::JSPropertyNameEnumerator::destroy):
775             (JSC::JSPropertyNameEnumerator::visitChildren):
776             * runtime/JSPropertyNameEnumerator.h: Added.
777             (JSC::JSPropertyNameEnumerator::createStructure):
778             (JSC::JSPropertyNameEnumerator::propertyNameAtIndex):
779             (JSC::JSPropertyNameEnumerator::identifierSet):
780             (JSC::JSPropertyNameEnumerator::cachedPrototypeChain):
781             (JSC::JSPropertyNameEnumerator::setCachedPrototypeChain):
782             (JSC::JSPropertyNameEnumerator::cachedStructure):
783             (JSC::JSPropertyNameEnumerator::cachedStructureID):
784             (JSC::JSPropertyNameEnumerator::cachedInlineCapacity):
785             (JSC::JSPropertyNameEnumerator::cachedStructureIDOffset):
786             (JSC::JSPropertyNameEnumerator::cachedInlineCapacityOffset):
787             (JSC::JSPropertyNameEnumerator::cachedPropertyNamesLengthOffset):
788             (JSC::JSPropertyNameEnumerator::cachedPropertyNamesVectorOffset):
789             (JSC::structurePropertyNameEnumerator):
790             (JSC::genericPropertyNameEnumerator):
791             * runtime/JSProxy.cpp:
792             (JSC::JSProxy::getEnumerableLength):
793             (JSC::JSProxy::getStructurePropertyNames):
794             (JSC::JSProxy::getGenericPropertyNames):
795             * runtime/JSProxy.h:
796             * runtime/JSSymbolTableObject.cpp:
797             (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
798             * runtime/PropertyNameArray.cpp:
799             (JSC::PropertyNameArray::add):
800             (JSC::PropertyNameArray::setPreviouslyEnumeratedProperties):
801             * runtime/PropertyNameArray.h:
802             (JSC::RefCountedIdentifierSet::contains):
803             (JSC::RefCountedIdentifierSet::size):
804             (JSC::RefCountedIdentifierSet::add):
805             (JSC::PropertyNameArray::PropertyNameArray):
806             (JSC::PropertyNameArray::add):
807             (JSC::PropertyNameArray::addKnownUnique):
808             (JSC::PropertyNameArray::identifierSet):
809             (JSC::PropertyNameArray::canAddKnownUniqueForStructure):
810             (JSC::PropertyNameArray::setPreviouslyEnumeratedLength):
811             * runtime/RegExpObject.cpp:
812             (JSC::RegExpObject::getOwnNonIndexPropertyNames):
813             (JSC::RegExpObject::getPropertyNames):
814             (JSC::RegExpObject::getGenericPropertyNames):
815             * runtime/RegExpObject.h:
816             * runtime/StringObject.cpp:
817             (JSC::StringObject::getOwnPropertyNames):
818             * runtime/Structure.cpp:
819             (JSC::Structure::getPropertyNamesFromStructure):
820             (JSC::Structure::setCachedStructurePropertyNameEnumerator):
821             (JSC::Structure::cachedStructurePropertyNameEnumerator):
822             (JSC::Structure::setCachedGenericPropertyNameEnumerator):
823             (JSC::Structure::cachedGenericPropertyNameEnumerator):
824             (JSC::Structure::canCacheStructurePropertyNameEnumerator):
825             (JSC::Structure::canCacheGenericPropertyNameEnumerator):
826             (JSC::Structure::canAccessPropertiesQuickly):
827             * runtime/Structure.h:
828             * runtime/StructureRareData.cpp:
829             (JSC::StructureRareData::visitChildren):
830             (JSC::StructureRareData::cachedStructurePropertyNameEnumerator):
831             (JSC::StructureRareData::setCachedStructurePropertyNameEnumerator):
832             (JSC::StructureRareData::cachedGenericPropertyNameEnumerator):
833             (JSC::StructureRareData::setCachedGenericPropertyNameEnumerator):
834             * runtime/StructureRareData.h:
835             * runtime/VM.cpp:
836             (JSC::VM::VM):
837             * runtime/VM.h:
838     
839     2014-07-23  Saam Barati  <sbarati@apple.com>
840     
841             Make improvements to Type Profiling
842             https://bugs.webkit.org/show_bug.cgi?id=134860
843     
844             Reviewed by Filip Pizlo.
845     
846             I improved the API between the inspector and JSC. We no longer send one huge
847             string to the inspector. We now send structured data that represents the type
848             information that JSC has collected. I've also created a beginning implementation 
849             of a type lattice that allows us to resolve a display name for a type that
850             consists of a single word.
851     
852             I created a data structure that knows which functions have executed. This
853             solves the bug where types inside an un-executed function will resolve
854             to the type of the enclosing expression of that function. This data
855             structure may also be useful later if the inspector chooses to create a UI
856             around showing which functions have executed.
857     
858             Better type information is gathered for objects. StructureShape now
859             represents an object's prototype chain.  StructureShape also collects
860             the constructor name for an object.
861     
862             Expression ranges are now zero indexed.
863     
864             Removed some extraneous methods.
865     
866             * JavaScriptCore.xcodeproj/project.pbxproj:
867             * bytecode/CodeBlock.cpp:
868             (JSC::CodeBlock::CodeBlock):
869             (JSC::CodeBlock::scopeDependentProfile):
870             * bytecode/CodeBlock.h:
871             * bytecode/TypeLocation.h:
872             (JSC::TypeLocation::TypeLocation):
873             * bytecode/UnlinkedCodeBlock.cpp:
874             (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
875             * bytecode/UnlinkedCodeBlock.h:
876             (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingStartOffset):
877             (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingEndOffset):
878             * bytecompiler/BytecodeGenerator.cpp:
879             (JSC::BytecodeGenerator::BytecodeGenerator):
880             (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo):
881             * bytecompiler/BytecodeGenerator.h:
882             (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo): Deleted.
883             * heap/Heap.cpp:
884             (JSC::Heap::collect):
885             * inspector/agents/InspectorRuntimeAgent.cpp:
886             (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
887             (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableAtOffset): Deleted.
888             * inspector/agents/InspectorRuntimeAgent.h:
889             * inspector/protocol/Runtime.json:
890             * runtime/Executable.cpp:
891             (JSC::ScriptExecutable::ScriptExecutable):
892             (JSC::ProgramExecutable::ProgramExecutable):
893             (JSC::FunctionExecutable::FunctionExecutable):
894             (JSC::ProgramExecutable::initializeGlobalProperties):
895             * runtime/Executable.h:
896             (JSC::ScriptExecutable::highFidelityTypeProfilingStartOffset):
897             (JSC::ScriptExecutable::highFidelityTypeProfilingEndOffset):
898             * runtime/FunctionHasExecutedCache.cpp: Added.
899             (JSC::FunctionHasExecutedCache::hasExecutedAtOffset):
900             (JSC::FunctionHasExecutedCache::insertUnexecutedRange):
901             (JSC::FunctionHasExecutedCache::removeUnexecutedRange):
902             * runtime/FunctionHasExecutedCache.h: Added.
903             (JSC::FunctionHasExecutedCache::FunctionRange::FunctionRange):
904             (JSC::FunctionHasExecutedCache::FunctionRange::operator==):
905             (JSC::FunctionHasExecutedCache::FunctionRange::hash):
906             * runtime/HighFidelityLog.cpp:
907             (JSC::HighFidelityLog::processHighFidelityLog):
908             (JSC::HighFidelityLog::actuallyProcessLogThreadFunction): Deleted.
909             * runtime/HighFidelityLog.h:
910             (JSC::HighFidelityLog::recordTypeInformationForLocation):
911             * runtime/HighFidelityTypeProfiler.cpp:
912             (JSC::HighFidelityTypeProfiler::logTypesForTypeLocation):
913             (JSC::HighFidelityTypeProfiler::insertNewLocation):
914             (JSC::HighFidelityTypeProfiler::getTypesForVariableAtOffsetForInspector):
915             (JSC::descriptorMatchesTypeLocation):
916             (JSC::HighFidelityTypeProfiler::findLocation):
917             (JSC::HighFidelityTypeProfiler::getTypesForVariableInAtOffset): Deleted.
918             (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableAtOffset): Deleted.
919             (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableAtOffset): Deleted.
920             * runtime/HighFidelityTypeProfiler.h:
921             (JSC::QueryKey::QueryKey):
922             (JSC::QueryKey::isHashTableDeletedValue):
923             (JSC::QueryKey::operator==):
924             (JSC::QueryKey::hash):
925             (JSC::QueryKeyHash::hash):
926             (JSC::QueryKeyHash::equal):
927             (JSC::HighFidelityTypeProfiler::functionHasExecutedCache):
928             (JSC::HighFidelityTypeProfiler::typeLocationCache):
929             * runtime/Structure.cpp:
930             (JSC::Structure::toStructureShape):
931             * runtime/Structure.h:
932             * runtime/TypeLocationCache.cpp: Added.
933             (JSC::TypeLocationCache::getTypeLocation):
934             * runtime/TypeLocationCache.h: Added.
935             (JSC::TypeLocationCache::LocationKey::LocationKey):
936             (JSC::TypeLocationCache::LocationKey::operator==):
937             (JSC::TypeLocationCache::LocationKey::hash):
938             * runtime/TypeSet.cpp:
939             (JSC::TypeSet::getRuntimeTypeForValue):
940             (JSC::TypeSet::addTypeForValue):
941             (JSC::TypeSet::seenTypes):
942             (JSC::TypeSet::doesTypeConformTo):
943             (JSC::TypeSet::displayName):
944             (JSC::TypeSet::allPrimitiveTypeNames):
945             (JSC::TypeSet::allStructureRepresentations):
946             (JSC::TypeSet::leastCommonAncestor):
947             (JSC::StructureShape::StructureShape):
948             (JSC::StructureShape::addProperty):
949             (JSC::StructureShape::propertyHash):
950             (JSC::StructureShape::leastCommonAncestor):
951             (JSC::StructureShape::stringRepresentation):
952             (JSC::StructureShape::inspectorRepresentation):
953             (JSC::StructureShape::leastUpperBound): Deleted.
954             * runtime/TypeSet.h:
955             (JSC::StructureShape::setConstructorName):
956             (JSC::StructureShape::constructorName):
957             (JSC::StructureShape::setProto):
958             * runtime/VM.cpp:
959             (JSC::VM::dumpHighFidelityProfilingTypes):
960             (JSC::VM::getTypesForVariableAtOffset): Deleted.
961             (JSC::VM::updateHighFidelityTypeProfileState): Deleted.
962             * runtime/VM.h:
963             (JSC::VM::isProfilingTypesWithHighFidelity):
964             (JSC::VM::highFidelityTypeProfiler):
965     
966     2014-07-23  Filip Pizlo  <fpizlo@apple.com>
967     
968             Fix debug build.
969     
970             * bytecode/CallLinkStatus.h:
971             (JSC::CallLinkStatus::CallLinkStatus):
972     
973     2014-07-20  Filip Pizlo  <fpizlo@apple.com>
974     
975             [ftlopt] Phantoms in SSA form should be aggressively hoisted
976             https://bugs.webkit.org/show_bug.cgi?id=135111
977     
978             Reviewed by Oliver Hunt.
979             
980             In CPS form, Phantom means three things: (1) that the children should be kept alive so long
981             as they are relevant to OSR (due to a MovHint), (2) that the children are live-in-bytecode
982             at the point of the Phantom, and (3) that some checks should be performed. In SSA, the
983             second meaning is not used but the other two stay.
984             
985             The fact that a Phantom that is used to keep a node alive could be anywhere in the graph,
986             even in a totally different basic block, complicates some SSA transformations. It's not
987             possible to just jettison some successor, since that successor could have a Phantom that we
988             care about.
989             
990             This change rationalizes how Phantoms work so that:
991             
992             1) Phantoms keep children alive so long as those children are relevant to OSR. This is true
993                in both CPS and SSA. This was true before and it's true now.
994             
995             2) Phantoms are used for live-in-bytecode only in CPS. This was true before and it's true
996                now, except that now we also don't bother preserving the live-in-bytecode information
997                that Phantoms convey, when we are in SSA.
998             
999             3) Phantoms may incidentally have checks, but in cases where we only want checks, we now
1000                use Check instead of Phantom. Notably, DCE phase has dead nodes decay to Check, not
1001                Phantom.
1002             
1003             The biggest part of this change is that in SSA, we canonicalize Phantoms:
1004             
1005             - All Phantoms are replaced with Check nodes that include only those edges that have
1006               checks.
1007             
1008             - Nodes that were the children of any Phantoms have a Phantom right after them.
1009             
1010             For example, the following code:
1011             
1012                 5: ArithAdd(@1, @2)
1013                 6: ArithSub(@5, @3)
1014                 7: Phantom(Int32:@5)
1015             
1016             would be turned into the following:
1017             
1018                 5: ArithAdd(@1, @2)
1019                 8: Phantom(@5) // @5 was the child of a Phantom, so we create a new Phantom right after
1020                                // @5. This is the only Phantom we will have for @5.
1021                 6: ArithSub(@5, @3)
1022                 7: Check(Int32:@5) // We replace the Phantom with a Check; in this case since Int32: is
1023                                    // a checking edge, we leave it.
1024             
1025             This is a slight speed-up across the board, presumably because we now do a better job of
1026             reducing the size of the graph during compilation. It could also be a fluke, though. The
1027             main purpose of this is to unlock some other work (like CFG simplification in SSA). It will
1028             become a requirement to run phantom canonicalization prior to some SSA phases. None of the
1029             current phases need it, but future phases probably will.
1030     
1031             * CMakeLists.txt:
1032             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1033             * JavaScriptCore.xcodeproj/project.pbxproj:
1034             * dfg/DFGAbstractInterpreterInlines.h:
1035             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1036             * dfg/DFGConstantFoldingPhase.cpp:
1037             (JSC::DFG::ConstantFoldingPhase::foldConstants):
1038             * dfg/DFGDCEPhase.cpp:
1039             (JSC::DFG::DCEPhase::run):
1040             (JSC::DFG::DCEPhase::findTypeCheckRoot):
1041             (JSC::DFG::DCEPhase::countEdge):
1042             (JSC::DFG::DCEPhase::fixupBlock):
1043             (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):
1044             * dfg/DFGEdge.cpp:
1045             (JSC::DFG::Edge::dump):
1046             * dfg/DFGEdge.h:
1047             (JSC::DFG::Edge::isProved):
1048             (JSC::DFG::Edge::needsCheck): Deleted.
1049             * dfg/DFGNodeFlags.h:
1050             * dfg/DFGPhantomCanonicalizationPhase.cpp: Added.
1051             (JSC::DFG::PhantomCanonicalizationPhase::PhantomCanonicalizationPhase):
1052             (JSC::DFG::PhantomCanonicalizationPhase::run):
1053             (JSC::DFG::performPhantomCanonicalization):
1054             * dfg/DFGPhantomCanonicalizationPhase.h: Added.
1055             * dfg/DFGPhantomRemovalPhase.cpp:
1056             (JSC::DFG::PhantomRemovalPhase::run):
1057             * dfg/DFGPhantomRemovalPhase.h:
1058             * dfg/DFGPlan.cpp:
1059             (JSC::DFG::Plan::compileInThreadImpl):
1060             * ftl/FTLLowerDFGToLLVM.cpp:
1061             (JSC::FTL::LowerDFGToLLVM::lowJSValue):
1062             (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
1063     
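The two canonicalization rules above, carried out on the entry's own example as an added illustration. This is not WebKit's DFGPhantomCanonicalizationPhase; it is a stand-alone C++ toy over a flat list of nodes in which every edge is either a plain edge (`@5`) or a checking edge (rendered as `Int32:@5`, the only check kind modelled). Two details are my assumptions, not the entry's: a Phantom whose edges carry no checks is dropped instead of being emitted as an empty Check, and the new Phantom takes the next unused node id.

```cpp
#include <algorithm>
#include <set>
#include <string>
#include <vector>

struct Edge {
    int child;    // id of the node the edge points at
    bool checks;  // true for a checking edge such as Int32:@5
};

struct Node {
    int id;
    std::string op;
    std::vector<Edge> edges;
};

// Canonicalize the Phantoms of one basic block:
//  1. every Phantom becomes a Check that keeps only its checking edges
//     (assumption: a Check with no edges left is dropped);
//  2. every node that was the child of some Phantom gets exactly one
//     Phantom(@n) immediately after it, with a fresh id (assumption).
std::vector<Node> canonicalizePhantoms(const std::vector<Node>& block)
{
    std::set<int> phantomChildren;
    int nextId = 0;
    for (const Node& n : block) {
        nextId = std::max(nextId, n.id + 1);
        if (n.op == "Phantom")
            for (const Edge& e : n.edges)
                phantomChildren.insert(e.child);
    }

    std::vector<Node> out;
    for (const Node& n : block) {
        if (n.op == "Phantom") {
            Node check{n.id, "Check", {}};
            for (const Edge& e : n.edges)
                if (e.checks)
                    check.edges.push_back(e);
            if (!check.edges.empty())
                out.push_back(check);
            continue;
        }
        out.push_back(n);
        if (phantomChildren.count(n.id))
            out.push_back(Node{nextId++, "Phantom", {Edge{n.id, false}}});
    }
    return out;
}

// Render in the "5: ArithAdd(@1, @2)" notation the entry uses.
std::string dumpBlock(const std::vector<Node>& block)
{
    std::string s;
    for (const Node& n : block) {
        s += std::to_string(n.id) + ": " + n.op + "(";
        for (size_t i = 0; i < n.edges.size(); ++i) {
            if (i)
                s += ", ";
            if (n.edges[i].checks)
                s += "Int32:";
            s += "@" + std::to_string(n.edges[i].child);
        }
        s += ")\n";
    }
    return s;
}

// The example from the entry, constructed here as input; @1..@3 are
// nodes outside this fragment and are referenced by id only.
std::vector<Node> exampleBlock()
{
    return {
        {5, "ArithAdd", {{1, false}, {2, false}}},
        {6, "ArithSub", {{5, false}, {3, false}}},
        {7, "Phantom",  {{5, true}}},
    };
}
```

Running `dumpBlock(canonicalizePhantoms(exampleBlock()))` yields the four-line result shown in the entry: @5, then a new Phantom(@5) as @8, then @6, then @7 as Check(Int32:@5). A Phantom with only plain edges still pins its child (rule 2) even though it leaves no Check behind (rule 1).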
1064     2014-07-22  Filip Pizlo  <fpizlo@apple.com>
1065     
1066             [ftlopt] Get rid of structure checks as a way of checking if a function is in fact a function
1067             https://bugs.webkit.org/show_bug.cgi?id=135146
1068     
1069             Reviewed by Oliver Hunt.
1070             
1071             This greatly simplifies our closure call optimizations by taking advantage of the type
1072             bits available in the cell header.
1073     
1074             * bytecode/CallLinkInfo.cpp:
1075             (JSC::CallLinkInfo::visitWeak):
1076             * bytecode/CallLinkStatus.cpp:
1077             (JSC::CallLinkStatus::CallLinkStatus):
1078             (JSC::CallLinkStatus::computeFor):
1079             (JSC::CallLinkStatus::dump):
1080             * bytecode/CallLinkStatus.h:
1081             (JSC::CallLinkStatus::CallLinkStatus):
1082             (JSC::CallLinkStatus::executable):
1083             (JSC::CallLinkStatus::structure): Deleted.
1084             * dfg/DFGByteCodeParser.cpp:
1085             (JSC::DFG::ByteCodeParser::emitFunctionChecks):
1086             * dfg/DFGFixupPhase.cpp:
1087             (JSC::DFG::FixupPhase::fixupNode):
1088             (JSC::DFG::FixupPhase::observeUseKindOnNode):
1089             * dfg/DFGSafeToExecute.h:
1090             (JSC::DFG::SafeToExecuteEdge::operator()):
1091             * dfg/DFGSpeculativeJIT.cpp:
1092             (JSC::DFG::SpeculativeJIT::checkArray):
1093             (JSC::DFG::SpeculativeJIT::speculateCellTypeWithoutTypeFiltering):
1094             (JSC::DFG::SpeculativeJIT::speculateCellType):
1095             (JSC::DFG::SpeculativeJIT::speculateFunction):
1096             (JSC::DFG::SpeculativeJIT::speculateFinalObject):
1097             (JSC::DFG::SpeculativeJIT::speculate):
1098             * dfg/DFGSpeculativeJIT.h:
1099             * dfg/DFGSpeculativeJIT32_64.cpp:
1100             (JSC::DFG::SpeculativeJIT::compile):
1101             * dfg/DFGSpeculativeJIT64.cpp:
1102             (JSC::DFG::SpeculativeJIT::compile):
1103             * dfg/DFGUseKind.cpp:
1104             (WTF::printInternal):
1105             * dfg/DFGUseKind.h:
1106             (JSC::DFG::typeFilterFor):
1107             (JSC::DFG::isCell):
1108             * ftl/FTLCapabilities.cpp:
1109             (JSC::FTL::canCompile):
1110             * ftl/FTLLowerDFGToLLVM.cpp:
1111             (JSC::FTL::LowerDFGToLLVM::compileCheckExecutable):
1112             (JSC::FTL::LowerDFGToLLVM::speculate):
1113             (JSC::FTL::LowerDFGToLLVM::isFunction):
1114             (JSC::FTL::LowerDFGToLLVM::isNotFunction):
1115             (JSC::FTL::LowerDFGToLLVM::speculateFunction):
1116             * jit/ClosureCallStubRoutine.cpp:
1117             (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
1118             (JSC::ClosureCallStubRoutine::markRequiredObjectsInternal):
1119             * jit/ClosureCallStubRoutine.h:
1120             (JSC::ClosureCallStubRoutine::structure): Deleted.
1121             * jit/JIT.h:
1122             (JSC::JIT::compileClosureCall): Deleted.
1123             * jit/JITCall.cpp:
1124             (JSC::JIT::privateCompileClosureCall): Deleted.
1125             * jit/JITCall32_64.cpp:
1126             (JSC::JIT::privateCompileClosureCall): Deleted.
1127             * jit/JITOperations.cpp:
1128             * jit/Repatch.cpp:
1129             (JSC::linkClosureCall):
1130             * jit/Repatch.h:
1131     
1132 2014-08-06  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>
1133
1134         [ARM] Incorrect handling of Unicode characters
1135         https://bugs.webkit.org/show_bug.cgi?id=135380
1136
1137         Reviewed by Darin Adler.
1138
1139         Removed erroneous fast case from stringFromUTF(), since it assumed that 
1140         char is always implemented as signed.
1141
1142         * jsc.cpp:
1143         (stringFromUTF):
1144
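The signedness trap behind this fix, as an added example rather than code from jsc.cpp: a fast path that tests `s[i] < 0` to detect a non-ASCII byte works only where `char` is signed (typical on x86) and silently accepts every byte where `char` is unsigned (typical on ARM). The template reproduces both outcomes on one machine; `isAsciiOnly` is the portable form. Function names and the sample bytes are mine.

```cpp
#include <cstddef>
#include <string>

// The flawed fast-path test with an explicit character type. With a signed
// CharT a byte >= 0x80 is negative and is rejected; with an unsigned CharT
// the comparison is never true and the byte is wrongly accepted as ASCII.
template <typename CharT>
bool fastPathAcceptsAsAscii(const CharT* s, std::size_t len)
{
    for (std::size_t i = 0; i < len; ++i) {
        if (s[i] < 0)
            return false;  // non-ASCII: caller must take the slow path
    }
    return true;
}

// Portable form: look at each byte as unsigned before deciding.
bool isAsciiOnly(const char* s, std::size_t len)
{
    for (std::size_t i = 0; i < len; ++i) {
        if (static_cast<unsigned char>(s[i]) >= 0x80)
            return false;
    }
    return true;
}

bool mayTakeAsciiFastPath(const std::string& utf8)
{
    return isAsciiOnly(utf8.data(), utf8.size());
}

// Constructed sample: "café" in UTF-8 (0xC3 0xA9 encode é).
const char kSample[] = { 'c', 'a', 'f', '\xC3', '\xA9' };
const std::size_t kSampleLen = sizeof(kSample);
```

On an unsigned-`char` target the flawed test reports the sample as pure ASCII, so the two bytes of é reach code that expects one character per byte; the portable check rejects it on every target.
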
1145 2014-08-06  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>
1146
1147         [JSC] Build fix for FTL on EFL after ftlopt merge
1148         https://bugs.webkit.org/show_bug.cgi?id=135565
1149
1150         Reviewed by Mark Lam.
1151
1152         Adding an enable guard for native inlining, since it now requires the bitcode
1153         emitted from Clang, and we don't have a good way of creating it from other compilers.
1154
1155         * dfg/DFGByteCodeParser.cpp:
1156         (JSC::DFG::ByteCodeParser::handleCall):
1157         * ftl/FTLLowerDFGToLLVM.cpp:
1158         (JSC::FTL::LowerDFGToLLVM::compileNode):
1159         * ftl/FTLState.cpp:
1160         (JSC::FTL::State::State):
1161         * ftl/FTLState.h:
1162
1163 2014-08-05  Csaba Osztrogonác  <ossy@webkit.org>
1164
1165         URTBF after r172129. (ftlopt branch merge)
1166
1167         Remove the duplicated friend declaration to fix this build failure:
1168         "error: ‘JSC::Structure’ is already a friend of ‘JSC::StructureRareData’ [-Werror]"
1169
1170         * runtime/StructureRareData.h:
1171
1172 2014-08-05  Filip Pizlo  <fpizlo@apple.com>
1173
1174         Attempt to fix CMake-based builds, part 3.
1175
1176         * CMakeLists.txt:
1177
1178 2014-08-05  Filip Pizlo  <fpizlo@apple.com>
1179
1180         Attempt to fix CMake-based builds, part 2.
1181
1182         * CMakeLists.txt:
1183
1184 2014-08-05  Filip Pizlo  <fpizlo@apple.com>
1185
1186         Attempt to fix Windows build, part 2.
1187
1188         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1189
1190 2014-08-05  Filip Pizlo  <fpizlo@apple.com>
1191
1192         Attempt to fix CMake-based builds.
1193
1194         * CMakeLists.txt:
1195
1196 2014-08-05  Filip Pizlo  <fpizlo@apple.com>
1197
1198         Attempt to fix Windows build.
1199
1200         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1201
1202 2014-08-05  Filip Pizlo  <fpizlo@apple.com>
1203
1204         Fix cloop build.
1205
1206         * bytecode/CodeBlock.cpp:
1207         (JSC::CodeBlock::jettison):
1208
1209 2014-07-29  Filip Pizlo  <fpizlo@apple.com>
1210
1211         Merge r170564, r170571, r170604, r170628, r170672, r170680, r170724, r170728, r170729, r170819, r170821, r170836, r170855, r170860, r170890, r170907, r170929, r171052, r171106, r171152, r171153, r171214 from ftlopt.
1212
1213         This part of the merge delivers roughly a 2% across-the-board performance
1214         improvement, mostly due to immutable property inference and DFG-side GCSE. It also
1215         almost completely resolves accessor performance issues; in the common case the DFG
1216         will compile a getter/setter access into code that is just as efficient as a normal
1217         property access.
1218         
1219         Another major highlight of this part of the merge is the work to add a type profiler
1220         to the inspector. This work is still on-going but this greatly increases coverage.
1221
1222         Note that this merge fixes a minor bug in the GetterSetter refactoring from
1223         http://trac.webkit.org/changeset/170729 (https://bugs.webkit.org/show_bug.cgi?id=134518).
1224         It also adds a new test to tests/stress to cover that bug. That bug was previously only
1225         covered by layout tests.
1226
1227     2014-07-17  Filip Pizlo  <fpizlo@apple.com>
1228     
1229             [ftlopt] DFG Flush(SetLocal) store elimination is overzealous for captured variables in the presence of nodes that have no effects but may throw (merge trunk r171190)
1230             https://bugs.webkit.org/show_bug.cgi?id=135019
1231     
1232             Reviewed by Oliver Hunt.
1233             
1234             Behaviorally, this is just a merge of trunk r171190, except that the relevant functionality
1235             has moved to StrengthReductionPhase and is written in a different style. Same algorithm,
1236             different code.
1237     
1238             * dfg/DFGNodeType.h:
1239             * dfg/DFGStrengthReductionPhase.cpp:
1240             (JSC::DFG::StrengthReductionPhase::handleNode):
1241             * tests/stress/capture-escape-and-throw.js: Added.
1242             (foo.f):
1243             (foo):
1244             * tests/stress/new-array-with-size-throw-exception-and-tear-off-arguments.js: Added.
1245             (foo):
1246             (bar):
1247     
1248     2014-07-15  Filip Pizlo  <fpizlo@apple.com>
1249     
1250             [ftlopt] Constant fold GetGetter and GetSetter if the GetterSetter is a constant
1251             https://bugs.webkit.org/show_bug.cgi?id=134962
1252     
1253             Reviewed by Oliver Hunt.
1254             
1255             This removes yet another steady-state-throughput implication of using getters and setters:
1256             if your accessor call is monomorphic then you'll just get a structure check, nothing more.
1257             No more loads to get to the GetterSetter object or the accessor function object.
1258     
1259             * dfg/DFGAbstractInterpreterInlines.h:
1260             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1261             * runtime/GetterSetter.h:
1262             (JSC::GetterSetter::getterConcurrently):
1263             (JSC::GetterSetter::setGetter):
1264             (JSC::GetterSetter::setterConcurrently):
1265             (JSC::GetterSetter::setSetter):
1266     
1267     2014-07-15  Filip Pizlo  <fpizlo@apple.com>
1268     
1269             [ftlopt] Identity replacement in CSE shouldn't create a Phantom over the Identity's children
1270             https://bugs.webkit.org/show_bug.cgi?id=134893
1271     
1272             Reviewed by Oliver Hunt.
1273             
1274             Replace Identity with Check instead of Phantom. Phantom means that the child of the
1275             Identity should be unconditionally live. The liveness semantics of Identity are such that
1276             if the parents of Identity are live then the child is live. Removing the Identity entirely
1277             preserves such liveness semantics. So, the only thing that should be left behind is the
1278             type check on the child, which is what Check means: do the check but don't keep the child
1279             alive if the check isn't needed.
1280     
1281             * dfg/DFGCSEPhase.cpp:
1282             * dfg/DFGNode.h:
1283             (JSC::DFG::Node::convertToCheck):
1284     
1285     2014-07-13  Filip Pizlo  <fpizlo@apple.com>
1286     
1287             [ftlopt] DFG should be able to do GCSE in SSA and this should be unified with the CSE in CPS, and both of these things should use abstract heaps for reasoning about effects
1288             https://bugs.webkit.org/show_bug.cgi?id=134677
1289     
1290             Reviewed by Sam Weinig.
1291             
1292             This removes the old local CSE phase, which was based on manually written backward-search 
1293             rules for all of the different kinds of things we cared about, and adds a new local/global
1294             CSE (local for CPS and global for SSA) that leaves the node semantics almost entirely up to
1295             clobberize(). Thus, the CSE phase itself just worries about the algorithms and data
1296             structures used for storing sets of available values. This results in a large reduction in
1297             code size in CSEPhase.cpp while greatly increasing the phase's power (since it now does
1298             global CSE) and reducing compile time (since local CSE is now rewritten to use smarter data
1299             structures). Even though LLVM was already running GVN, the extra GCSE at DFG IR level means
1300             that this is a significant (~0.7%) throughput improvement.
1301             
1302             This work is based on the concept of "def" to clobberize(). If clobberize() calls def(), it
1303             means that the node being analyzed makes available some value in some DFG node, and that
1304             future attempts to compute that value can simply use that node. In other words, it
1305             establishes an available value mapping of the form value=>node. There are two kinds of
1306             values that can be passed to def():
1307             
1308             PureValue. This captures everything needed to determine whether two pure nodes - nodes that
1309                 neither read nor write, and produce a value that is a CSE candidate - are identical. It
1310                 carries the NodeType, an AdjacencyList, and one word of meta-data. The meta-data is
1311                 usually used for things like the arithmetic mode or constant pointer. Passing a
1312                 PureValue to def() means that the node produces a value that is valid anywhere that the
1313                 node dominates.
1314             
1315             HeapLocation. This describes a location in the heap that could be written to or read from.
1316                 Both stores and loads can def() a HeapLocation. HeapLocation carries around an abstract
1317                 heap that both serves as part of the "name" of the heap location (together with the
1318                 other fields of HeapLocation) and also tells us what write()'s to watch for. If someone
1319                 write()'s to an abstract heap that overlaps the heap associated with the HeapLocation,
1320                 then it means that the values for that location are no longer available.
1321             
1322             This approach is sufficiently clever that the CSEPhase itself can focus on the mechanism of
1323             tracking the PureValue=>node and HeapLocation=>node maps, without having to worry about
1324             interpreting the semantics of different DFG node types - that is now almost entirely in
1325             clobberize(). The only things we special-case inside CSEPhase are the Identity node, which
1326             CSE is traditionally responsible for eliminating even though it has nothing to do with CSE,
1327             and the LocalCSE rule for turning PutByVal into PutByValAlias.
1328             
1329             This is a slight Octane, SunSpider, and Kraken speed-up - all somewhere around 0.7%. It's
1330             not a bigger win because LLVM was already giving us most of what we needed in its GVN.
1331             Also, the SunSpider speed-up isn't from GCSE as much as it's a clean-up of local CSE - that
1332             is no longer O(n^2). Basically this is purely good: it reduces the amount of LLVM IR we
1333             generate, it removes the old CSE's heap modeling (which was a constant source of bugs), and
1334             it improves both the quality of the code we generate and the speed with which we generate
1335             it. Also, any future optimizations that depend on GCSE will now be easier to implement.
1336             
1337             During the development of this patch I also rationalized some other stuff, like Graph's
1338             ordered traversals - we now have preorder and postorder rather than just "depth first".
1339     
1340             * CMakeLists.txt:
1341             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1342             * JavaScriptCore.xcodeproj/project.pbxproj:
1343             * dfg/DFGAbstractHeap.h:
1344             * dfg/DFGAdjacencyList.h:
1345             (JSC::DFG::AdjacencyList::hash):
1346             (JSC::DFG::AdjacencyList::operator==):
1347             * dfg/DFGBasicBlock.h:
1348             * dfg/DFGCSEPhase.cpp:
1349             (JSC::DFG::performLocalCSE):
1350             (JSC::DFG::performGlobalCSE):
1351             (JSC::DFG::CSEPhase::CSEPhase): Deleted.
1352             (JSC::DFG::CSEPhase::run): Deleted.
1353             (JSC::DFG::CSEPhase::endIndexForPureCSE): Deleted.
1354             (JSC::DFG::CSEPhase::pureCSE): Deleted.
1355             (JSC::DFG::CSEPhase::constantCSE): Deleted.
1356             (JSC::DFG::CSEPhase::constantStoragePointerCSE): Deleted.
1357             (JSC::DFG::CSEPhase::getCalleeLoadElimination): Deleted.
1358             (JSC::DFG::CSEPhase::getArrayLengthElimination): Deleted.
1359             (JSC::DFG::CSEPhase::globalVarLoadElimination): Deleted.
1360             (JSC::DFG::CSEPhase::scopedVarLoadElimination): Deleted.
1361             (JSC::DFG::CSEPhase::varInjectionWatchpointElimination): Deleted.
1362             (JSC::DFG::CSEPhase::getByValLoadElimination): Deleted.
1363             (JSC::DFG::CSEPhase::checkFunctionElimination): Deleted.
1364             (JSC::DFG::CSEPhase::checkExecutableElimination): Deleted.
1365             (JSC::DFG::CSEPhase::checkStructureElimination): Deleted.
1366             (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination): Deleted.
1367             (JSC::DFG::CSEPhase::getByOffsetLoadElimination): Deleted.
1368             (JSC::DFG::CSEPhase::getGetterSetterByOffsetLoadElimination): Deleted.
1369             (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination): Deleted.
1370             (JSC::DFG::CSEPhase::checkArrayElimination): Deleted.
1371             (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination): Deleted.
1372             (JSC::DFG::CSEPhase::getInternalFieldLoadElimination): Deleted.
1373             (JSC::DFG::CSEPhase::getMyScopeLoadElimination): Deleted.
1374             (JSC::DFG::CSEPhase::getLocalLoadElimination): Deleted.
1375             (JSC::DFG::CSEPhase::invalidationPointElimination): Deleted.
1376             (JSC::DFG::CSEPhase::setReplacement): Deleted.
1377             (JSC::DFG::CSEPhase::eliminate): Deleted.
1378             (JSC::DFG::CSEPhase::performNodeCSE): Deleted.
1379             (JSC::DFG::CSEPhase::performBlockCSE): Deleted.
1380             (JSC::DFG::performCSE): Deleted.
1381             * dfg/DFGCSEPhase.h:
1382             * dfg/DFGClobberSet.cpp:
1383             (JSC::DFG::addReads):
1384             (JSC::DFG::addWrites):
1385             (JSC::DFG::addReadsAndWrites):
1386             (JSC::DFG::readsOverlap):
1387             (JSC::DFG::writesOverlap):
1388             * dfg/DFGClobberize.cpp:
1389             (JSC::DFG::doesWrites):
1390             (JSC::DFG::accessesOverlap):
1391             (JSC::DFG::writesOverlap):
1392             * dfg/DFGClobberize.h:
1393             (JSC::DFG::clobberize):
1394             (JSC::DFG::NoOpClobberize::operator()):
1395             (JSC::DFG::CheckClobberize::operator()):
1396             (JSC::DFG::ReadMethodClobberize::ReadMethodClobberize):
1397             (JSC::DFG::ReadMethodClobberize::operator()):
1398             (JSC::DFG::WriteMethodClobberize::WriteMethodClobberize):
1399             (JSC::DFG::WriteMethodClobberize::operator()):
1400             (JSC::DFG::DefMethodClobberize::DefMethodClobberize):
1401             (JSC::DFG::DefMethodClobberize::operator()):
1402             * dfg/DFGDCEPhase.cpp:
1403             (JSC::DFG::DCEPhase::run):
1404             (JSC::DFG::DCEPhase::fixupBlock):
1405             * dfg/DFGGraph.cpp:
1406             (JSC::DFG::Graph::getBlocksInPreOrder):
1407             (JSC::DFG::Graph::getBlocksInPostOrder):
1408             (JSC::DFG::Graph::addForDepthFirstSort): Deleted.
1409             (JSC::DFG::Graph::getBlocksInDepthFirstOrder): Deleted.
1410             * dfg/DFGGraph.h:
1411             * dfg/DFGHeapLocation.cpp: Added.
1412             (JSC::DFG::HeapLocation::dump):
1413             (WTF::printInternal):
1414             * dfg/DFGHeapLocation.h: Added.
1415             (JSC::DFG::HeapLocation::HeapLocation):
1416             (JSC::DFG::HeapLocation::operator!):
1417             (JSC::DFG::HeapLocation::kind):
1418             (JSC::DFG::HeapLocation::heap):
1419             (JSC::DFG::HeapLocation::base):
1420             (JSC::DFG::HeapLocation::index):
1421             (JSC::DFG::HeapLocation::hash):
1422             (JSC::DFG::HeapLocation::operator==):
1423             (JSC::DFG::HeapLocation::isHashTableDeletedValue):
1424             (JSC::DFG::HeapLocationHash::hash):
1425             (JSC::DFG::HeapLocationHash::equal):
1426             * dfg/DFGLICMPhase.cpp:
1427             (JSC::DFG::LICMPhase::run):
1428             * dfg/DFGNode.h:
1429             (JSC::DFG::Node::replaceWith):
1430             (JSC::DFG::Node::convertToPhantomUnchecked): Deleted.
1431             * dfg/DFGPlan.cpp:
1432             (JSC::DFG::Plan::compileInThreadImpl):
1433             * dfg/DFGPureValue.cpp: Added.
1434             (JSC::DFG::PureValue::dump):
1435             * dfg/DFGPureValue.h: Added.
1436             (JSC::DFG::PureValue::PureValue):
1437             (JSC::DFG::PureValue::operator!):
1438             (JSC::DFG::PureValue::op):
1439             (JSC::DFG::PureValue::children):
1440             (JSC::DFG::PureValue::info):
1441             (JSC::DFG::PureValue::hash):
1442             (JSC::DFG::PureValue::operator==):
1443             (JSC::DFG::PureValue::isHashTableDeletedValue):
1444             (JSC::DFG::PureValueHash::hash):
1445             (JSC::DFG::PureValueHash::equal):
1446             * dfg/DFGSSAConversionPhase.cpp:
1447             (JSC::DFG::SSAConversionPhase::run):
1448             * ftl/FTLLowerDFGToLLVM.cpp:
1449             (JSC::FTL::LowerDFGToLLVM::lower):
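The def()/read()/write() protocol described in the entry above, as an added model that is not JavaScriptCore's code: PureValue and HeapLocation are the two kinds of keys the entry names, the heap hierarchy, node ops and offsets are constructed stand-ins, and local_cse() only manages the two availability maps while clobberize() carries all node semantics.

```python
# Constructed model of clobberize()-driven local CSE; not JavaScriptCore code.
from dataclasses import dataclass
from typing import Callable, Dict, List, NamedTuple, Optional, Tuple

Heap = Tuple[str, ...]  # abstract heaps as paths; overlap == one is a prefix of the other
WORLD: Heap = ("World",)
NAMED: Heap = ("World", "Heap", "NamedProperties")
INDEXED: Heap = ("World", "Heap", "IndexedProperties")

def heaps_overlap(a: Heap, b: Heap) -> bool:
    n = min(len(a), len(b))  # ancestor-or-equal in the heap hierarchy
    return a[:n] == b[:n]

@dataclass
class Node:
    id: int
    op: str
    children: Tuple[int, ...] = ()
    info: object = None  # constant value, property offset, argument index...

class PureValue(NamedTuple):  # NodeType, children, one word of meta-data
    op: str
    children: Tuple[int, ...]
    info: object

class HeapLocation(NamedTuple):  # its heap names it and says which writes kill it
    kind: str
    heap: Heap
    base: int
    index: object

def clobberize(node: Node, read: Callable[[Heap], None],
               write: Callable[[Heap], None],
               def_: Callable[[object, int], None]) -> None:
    """def_(key, n): key's value is available in node n. Stores write() before
    they def(), so stale locations die before the fresh mapping is recorded."""
    if node.op in ("Constant", "Add"):
        def_(PureValue(node.op, node.children, node.info), node.id)
    elif node.op == "GetByOffset":
        read(NAMED)
        def_(HeapLocation("NamedProperty", NAMED, node.children[0], node.info), node.id)
    elif node.op == "PutByOffset":
        base, value = node.children
        write(NAMED)
        def_(HeapLocation("NamedProperty", NAMED, base, node.info), value)
    elif node.op == "GetByVal":
        base, index = node.children
        read(INDEXED)
        def_(HeapLocation("IndexedProperty", INDEXED, base, index), node.id)
    elif node.op == "Call":
        read(WORLD)
        write(WORLD)
    # Argument and anything unlisted: no reads, writes or defs.

def local_cse(block: List[Node]) -> Dict[int, int]:
    """Return {eliminated node id: node that already holds its value}."""
    pure: Dict[PureValue, int] = {}
    heap: Dict[HeapLocation, int] = {}
    replacements: Dict[int, int] = {}

    def write(h: Heap) -> None:
        # A write to an overlapping heap makes every location in it unavailable.
        for loc in [loc for loc in heap if heaps_overlap(h, loc.heap)]:
            del heap[loc]

    for node in block:
        # Route children through earlier replacements so equal values hash equal.
        node.children = tuple(replacements.get(c, c) for c in node.children)
        found: Optional[int] = None
        def def_(key, available_in: int) -> None:
            nonlocal found
            table = pure if isinstance(key, PureValue) else heap
            if key in table:
                found = table[key]
            else:
                table[key] = available_in
        clobberize(node, read=lambda h: None, write=write, def_=def_)
        if found is not None:
            replacements[node.id] = found  # node becomes Identity(found)
    return replacements

def example_block() -> List[Node]:
    return [  # constructed block; node 0 is the argument, offsets 8/16 are made up
        Node(0, "Argument", (), 0),
        Node(1, "Constant", (), 1),
        Node(2, "GetByOffset", (0,), 8),     # load o.f
        Node(3, "GetByOffset", (0,), 8),     # redundant load -> 2
        Node(4, "Add", (2, 1)),
        Node(5, "Add", (3, 1)),              # equals 4 once child 3 resolves to 2
        Node(6, "PutByOffset", (0, 4), 8),   # store o.f = node 4
        Node(7, "GetByOffset", (0,), 8),     # forwarded from the store -> 4
        Node(8, "Call"),                     # write(World) kills every location
        Node(9, "GetByOffset", (0,), 8),     # must really reload
        Node(10, "Add", (2, 1)),             # pure values survive the call -> 4
        Node(11, "GetByVal", (0, 1)),        # load o[1]
        Node(12, "PutByOffset", (0, 9), 16), # named-property write...
        Node(13, "GetByVal", (0, 1)),        # ...leaves the indexed load alive -> 11
    ]
```

Running local_cse(example_block()) yields {3: 2, 5: 4, 7: 4, 10: 4, 13: 11}: the pure Add survives the Call while every HeapLocation is dropped, and the named-property store does not disturb the indexed load.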
1450     
1451     2014-07-13  Filip Pizlo  <fpizlo@apple.com>
1452     
1453             Unreviewed, revert unintended change in r171051.
1454     
1455             * dfg/DFGCSEPhase.cpp:
1456     
1457     2014-07-08  Filip Pizlo  <fpizlo@apple.com>
1458     
1459             [ftlopt] Move Flush(SetLocal) store elimination to StrengthReductionPhase
1460             https://bugs.webkit.org/show_bug.cgi?id=134739
1461     
1462             Reviewed by Mark Hahnenberg.
1463             
1464             I'm going to streamline CSE around clobberize() as part of
1465             https://bugs.webkit.org/show_bug.cgi?id=134677, and so Flush(SetLocal) store
1466             elimination wouldn't belong in CSE anymore. It doesn't quite belong anywhere, which
1467             means that it belongs in StrengthReductionPhase, since that's intended to be our
1468             dumping ground.
1469             
1470             To do this I had to add some missing smarts to clobberize(). Previously clobberize()
1471             could play a bit loose with reads of Variables because it wasn't used for store
1472             elimination. The main client of read() was LICM, but it would only use it to
1473             determine hoistability and anything that did a write() was not hoistable - so, we had
1474             benign (but still wrong) missing read() calls in places that did write()s. This fixes
1475             a bunch of those cases.
1476     
1477             * dfg/DFGCSEPhase.cpp:
1478             (JSC::DFG::CSEPhase::performNodeCSE):
1479             (JSC::DFG::CSEPhase::setLocalStoreElimination): Deleted.
1480             * dfg/DFGClobberize.cpp:
1481             (JSC::DFG::accessesOverlap):
1482             * dfg/DFGClobberize.h:
1483             (JSC::DFG::clobberize): Make clobberize() smart enough for detecting when this store elimination would be sound.
1484             * dfg/DFGStrengthReductionPhase.cpp:
1485             (JSC::DFG::StrengthReductionPhase::handleNode): Implement the store elimination in terms of clobberize().
1486     
1487     2014-07-08  Filip Pizlo  <fpizlo@apple.com>
1488     
1489             [ftlopt] Phantom simplification should be in its own phase
1490             https://bugs.webkit.org/show_bug.cgi?id=134742
1491     
1492             Reviewed by Geoffrey Garen.
1493             
1494             This moves Phantom simplification out of CSE, which greatly simplifies CSE and gives it
1495             more focus. Also this finally adds a phase that removes empty Phantoms. We sort of had
1496             this in CPSRethreading, but that phase runs too infrequently and doesn't run at all for
1497             SSA.
1498     
1499             * CMakeLists.txt:
1500             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1501             * JavaScriptCore.xcodeproj/project.pbxproj:
1502             * dfg/DFGAdjacencyList.h:
1503             * dfg/DFGCSEPhase.cpp:
1504             (JSC::DFG::CSEPhase::run):
1505             (JSC::DFG::CSEPhase::setReplacement):
1506             (JSC::DFG::CSEPhase::eliminate):
1507             (JSC::DFG::CSEPhase::performNodeCSE):
1508             (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren): Deleted.
1509             * dfg/DFGPhantomRemovalPhase.cpp: Added.
1510             (JSC::DFG::PhantomRemovalPhase::PhantomRemovalPhase):
1511             (JSC::DFG::PhantomRemovalPhase::run):
1512             (JSC::DFG::performCleanUp):
1513             * dfg/DFGPhantomRemovalPhase.h: Added.
1514             * dfg/DFGPlan.cpp:
1515             (JSC::DFG::Plan::compileInThreadImpl):
1516     
1517     2014-07-08  Filip Pizlo  <fpizlo@apple.com>
1518     
1519             [ftlopt] Get rid of Node::misc by moving the fields out of the union so that you can use replacement and owner simultaneously
1520             https://bugs.webkit.org/show_bug.cgi?id=134730
1521     
1522             Reviewed by Mark Lam.
1523             
1524             This will allow for a better GCSE implementation.
1525     
1526             * dfg/DFGCPSRethreadingPhase.cpp:
1527             (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
1528             * dfg/DFGCSEPhase.cpp:
1529             (JSC::DFG::CSEPhase::setReplacement):
1530             * dfg/DFGEdgeDominates.h:
1531             (JSC::DFG::EdgeDominates::operator()):
1532             * dfg/DFGGraph.cpp:
1533             (JSC::DFG::Graph::clearReplacements):
1534             (JSC::DFG::Graph::initializeNodeOwners):
1535             * dfg/DFGGraph.h:
1536             (JSC::DFG::Graph::performSubstitutionForEdge):
1537             * dfg/DFGLICMPhase.cpp:
1538             (JSC::DFG::LICMPhase::attemptHoist):
1539             * dfg/DFGNode.h:
1540             (JSC::DFG::Node::Node):
1541             * dfg/DFGSSAConversionPhase.cpp:
1542             (JSC::DFG::SSAConversionPhase::run):
1543     
1544     2014-07-04  Filip Pizlo  <fpizlo@apple.com>
1545     
1546             [ftlopt] Infer immutable object properties
1547             https://bugs.webkit.org/show_bug.cgi?id=134567
1548     
1549             Reviewed by Mark Hahnenberg.
1550             
1551             This introduces a new way of inferring immutable object properties. A property is said to
1552             be immutable if after its creation (i.e. the transition that creates it), we never
1553             overwrite it (i.e. replace it) or delete it. Immutability is a property of an "own
1554             property" - so if we say that "f" is immutable at "o" then we are implying that "o" has "f"
1555             directly and not on a prototype. More specifically, the immutability inference will prove
1556             that a property on some structure is immutable. This means that, for example, we may have a
1557             structure S1 with property "f" where we claim that "f" at S1 is immutable, but S1 has a
1558             transition to S2 that adds a new property "g" and we may claim that "f" at S2 is actually
1559             mutable. This is mainly for convenience; it allows us to decouple immutability logic from
1560             transition logic. Immutability can be used to constant-fold accesses to objects at
1561             DFG-time. The DFG needs to prove the following to constant-fold the access:
1562             
1563             - The base of the access must be a constant object pointer. We prove that a property at a
1564               structure is immutable, but that says nothing of its value; each actual instance of that
1565               property may have a different value. So, a constant object pointer is needed to get an
1566               actual constant instance of the immutable value.
1567             
1568             - A check (or watchpoint) must have been emitted proving that the object has a structure
1569               that allows loading the property in question.
1570             
1571             - The replacement watchpoint set of the property in the structure that we've proven the
1572               object to have is still valid and we add a watchpoint to it lazily. The replacement
1573               watchpoint set is the key new mechanism that this change adds. It's possible that we have
1574               proven that the object has one of many structures, in which case each of those structures
1575               needs a valid replacement watchpoint set.
1576             
1577             The replacement watchpoint set is created the first time that any access to the property is
1578             cached. A put replace cache will create, and immediately invalidate, the watchpoint set. A
1579             get cache will create the watchpoint set and make it start watching. Any non-cached put
1580             access will invalidate the watchpoint set if one had been created; the underlying algorithm
1581             ensures that checking for the existence of a replacement watchpoint set is very fast in the
1582             common case. This algorithm ensures that no cached access needs to ever do any work to
1583             invalidate, or check the validity of, any replacement watchpoint sets. It also has some
1584             other nice properties:
1585             
1586             - It's very robust in its definition of immutability. The strictest that it will ever be is
1587               that for any instance of the object, the property must be written to only once,
1588               specifically at the time that the property is created. But it's looser than this in
1589               practice. For example, the property may be written to any number of times before we add
1590               the final property that the object will have before anyone reads the property; this works
1591               since for optimization purposes we only care if we detect immutability on the structure
1592               that the object will have when it is most frequently read from, not any previous
1593               structure that the object had. Also, we may write to the property any number of times
1594               before anyone caches accesses to it.
1595             
1596             - It is mostly orthogonal to structure transitions. No new structures need to be created to
1597               track the immutability of a property. Hence, there is no risk from this feature causing
1598               more polymorphism. This is different from the previous "specificValue" constant
1599               inference, which did cause additional structures to be created and sometimes those
1600               structures led to fake polymorphism. This feature does leverage existing transitions to
1601               do some of the watchpointing: property deletions don't fire the replacement watchpoint
1602               set because that would cause a new structure and so the mandatory structure check would
1603               fail. Also, this feature is guaranteed to never kick in for uncacheable dictionaries
1604               because those wouldn't allow for cacheable accesses - and it takes a cacheable access for
1605               this feature to be enabled.
1606             
1607             - No memory overhead is incurred except when accesses to the property are cached.
1608               Dictionary properties will typically have no meta-data for immutability. The number of
1609               replacement watchpoint sets we allocate is proportional to the number of inline caches in
1610               the program, which is typically much smaller than the number of structures or even the
1611               number of objects.
1612             
1613             This inference is far more powerful than the previous "specificValue" inference, so this
1614             change also removes all of that code. It's interesting that the amount of code that is
1615             changed to remove that feature is almost as big as the amount of code added to support the
1616             new inference - and that's if you include the new tests in the tally. Without new tests,
1617             it appears that the new feature actually touches less code!
1618             
1619             There is one corner case where the previous "specificValue" inference was more powerful.
1620             You can imagine someone creating objects with functions as self properties on those
1621             objects, such that each object instance had the same function pointers - essentially,
1622             someone might be trying to create a vtable but failing at the whole "one vtable for many
1623             instances" concept. The "specificValue" inference would do very well for such programs,
1624             because a structure check would be sufficient to prove a constant value for all of the
1625             function properties. This new inference will fail because it doesn't track the constant
1626             values of constant properties; instead it detects the immutability of otherwise variable
1627             properties (in the sense that each instance of the property may have a different value).
1628             So, the new inference requires having a particular object instance to actually get the
1629             constant value. I think it's OK to lose this antifeature. It took a lot of code to support
1630             and was a constant source of grief in our transition logic, and there doesn't appear to be
1631             any real evidence that programs benefited from that particular kind of inference since
1632             usually it's the singleton prototype instance that has all of the functions.
1633             
1634             This change is a speed-up on everything. date-format-xparb and both SunSpider/raytrace and
1635             V8/raytrace seem to be the biggest winners among the macrobenchmarks; they see >5%
1636             speed-ups. Many of our microbenchmarks see very large performance improvements, even 80% in
1637             one case.
1638     
1639             * bytecode/ComplexGetStatus.cpp:
1640             (JSC::ComplexGetStatus::computeFor):
1641             * bytecode/GetByIdStatus.cpp:
1642             (JSC::GetByIdStatus::computeFromLLInt):
1643             (JSC::GetByIdStatus::computeForStubInfo):
1644             (JSC::GetByIdStatus::computeFor):
1645             * bytecode/GetByIdVariant.cpp:
1646             (JSC::GetByIdVariant::GetByIdVariant):
1647             (JSC::GetByIdVariant::operator=):
1648             (JSC::GetByIdVariant::attemptToMerge):
1649             (JSC::GetByIdVariant::dumpInContext):
1650             * bytecode/GetByIdVariant.h:
1651             (JSC::GetByIdVariant::alternateBase):
1652             (JSC::GetByIdVariant::specificValue): Deleted.
1653             * bytecode/PutByIdStatus.cpp:
1654             (JSC::PutByIdStatus::computeForStubInfo):
1655             (JSC::PutByIdStatus::computeFor):
1656             * bytecode/PutByIdVariant.cpp:
1657             (JSC::PutByIdVariant::operator=):
1658             (JSC::PutByIdVariant::setter):
1659             (JSC::PutByIdVariant::dumpInContext):
1660             * bytecode/PutByIdVariant.h:
1661             (JSC::PutByIdVariant::specificValue): Deleted.
1662             * bytecode/Watchpoint.cpp:
1663             (JSC::WatchpointSet::fireAllSlow):
1664             (JSC::WatchpointSet::fireAll): Deleted.
1665             * bytecode/Watchpoint.h:
1666             (JSC::WatchpointSet::fireAll):
1667             * dfg/DFGAbstractInterpreterInlines.h:
1668             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1669             * dfg/DFGByteCodeParser.cpp:
1670             (JSC::DFG::ByteCodeParser::handleGetByOffset):
1671             (JSC::DFG::ByteCodeParser::handleGetById):
1672             (JSC::DFG::ByteCodeParser::handlePutById):
1673             (JSC::DFG::ByteCodeParser::parseBlock):
1674             * dfg/DFGConstantFoldingPhase.cpp:
1675             (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
1676             * dfg/DFGFixupPhase.cpp:
1677             (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
1678             (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
1679             * dfg/DFGGraph.cpp:
1680             (JSC::DFG::Graph::tryGetConstantProperty):
1681             (JSC::DFG::Graph::visitChildren):
1682             * dfg/DFGGraph.h:
1683             * dfg/DFGWatchableStructureWatchingPhase.cpp:
1684             (JSC::DFG::WatchableStructureWatchingPhase::run):
1685             * ftl/FTLLowerDFGToLLVM.cpp:
1686             (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
1687             * jit/JITOperations.cpp:
1688             * jit/Repatch.cpp:
1689             (JSC::repatchByIdSelfAccess):
1690             (JSC::generateByIdStub):
1691             (JSC::tryCacheGetByID):
1692             (JSC::tryCachePutByID):
1693             (JSC::tryBuildPutByIdList):
1694             * llint/LLIntSlowPaths.cpp:
1695             (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1696             (JSC::LLInt::putToScopeCommon):
1697             * runtime/CommonSlowPaths.h:
1698             (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
1699             * runtime/IntendedStructureChain.cpp:
1700             (JSC::IntendedStructureChain::mayInterceptStoreTo):
1701             * runtime/JSCJSValue.cpp:
1702             (JSC::JSValue::putToPrimitive):
1703             * runtime/JSGlobalObject.cpp:
1704             (JSC::JSGlobalObject::reset):
1705             * runtime/JSObject.cpp:
1706             (JSC::JSObject::put):
1707             (JSC::JSObject::putDirectNonIndexAccessor):
1708             (JSC::JSObject::deleteProperty):
1709             (JSC::JSObject::defaultValue):
1710             (JSC::getCallableObjectSlow): Deleted.
1711             (JSC::JSObject::getPropertySpecificValue): Deleted.
1712             * runtime/JSObject.h:
1713             (JSC::JSObject::getDirect):
1714             (JSC::JSObject::getDirectOffset):
1715             (JSC::JSObject::inlineGetOwnPropertySlot):
1716             (JSC::JSObject::putDirectInternal):
1717             (JSC::JSObject::putOwnDataProperty):
1718             (JSC::JSObject::putDirect):
1719             (JSC::JSObject::putDirectWithoutTransition):
1720             (JSC::getCallableObject): Deleted.
1721             * runtime/JSScope.cpp:
1722             (JSC::abstractAccess):
1723             * runtime/PropertyMapHashTable.h:
1724             (JSC::PropertyMapEntry::PropertyMapEntry):
1725             (JSC::PropertyTable::copy):
1726             * runtime/PropertyTable.cpp:
1727             (JSC::PropertyTable::clone):
1728             (JSC::PropertyTable::PropertyTable):
1729             (JSC::PropertyTable::visitChildren): Deleted.
1730             * runtime/Structure.cpp:
1731             (JSC::Structure::Structure):
1732             (JSC::Structure::materializePropertyMap):
1733             (JSC::Structure::addPropertyTransitionToExistingStructureImpl):
1734             (JSC::Structure::addPropertyTransitionToExistingStructure):
1735             (JSC::Structure::addPropertyTransitionToExistingStructureConcurrently):
1736             (JSC::Structure::addPropertyTransition):
1737             (JSC::Structure::changePrototypeTransition):
1738             (JSC::Structure::attributeChangeTransition):
1739             (JSC::Structure::toDictionaryTransition):
1740             (JSC::Structure::preventExtensionsTransition):
1741             (JSC::Structure::takePropertyTableOrCloneIfPinned):
1742             (JSC::Structure::nonPropertyTransition):
1743             (JSC::Structure::addPropertyWithoutTransition):
1744             (JSC::Structure::allocateRareData):
1745             (JSC::Structure::ensurePropertyReplacementWatchpointSet):
1746             (JSC::Structure::startWatchingPropertyForReplacements):
1747             (JSC::Structure::didCachePropertyReplacement):
1748             (JSC::Structure::startWatchingInternalProperties):
1749             (JSC::Structure::copyPropertyTable):
1750             (JSC::Structure::copyPropertyTableForPinning):
1751             (JSC::Structure::getConcurrently):
1752             (JSC::Structure::get):
1753             (JSC::Structure::add):
1754             (JSC::Structure::visitChildren):
1755             (JSC::Structure::prototypeChainMayInterceptStoreTo):
1756             (JSC::Structure::dump):
1757             (JSC::Structure::despecifyDictionaryFunction): Deleted.
1758             (JSC::Structure::despecifyFunctionTransition): Deleted.
1759             (JSC::Structure::despecifyFunction): Deleted.
1760             (JSC::Structure::despecifyAllFunctions): Deleted.
1761             (JSC::Structure::putSpecificValue): Deleted.
1762             * runtime/Structure.h:
1763             (JSC::Structure::startWatchingPropertyForReplacements):
1764             (JSC::Structure::startWatchingInternalPropertiesIfNecessary):
1765             (JSC::Structure::startWatchingInternalPropertiesIfNecessaryForEntireChain):
1766             (JSC::Structure::transitionDidInvolveSpecificValue): Deleted.
1767             (JSC::Structure::disableSpecificFunctionTracking): Deleted.
1768             * runtime/StructureInlines.h:
1769             (JSC::Structure::getConcurrently):
1770             (JSC::Structure::didReplaceProperty):
1771             (JSC::Structure::propertyReplacementWatchpointSet):
1772             * runtime/StructureRareData.cpp:
1773             (JSC::StructureRareData::destroy):
1774             * runtime/StructureRareData.h:
1775             * tests/stress/infer-constant-global-property.js: Added.
1776             (foo.Math.sin):
1777             (foo):
1778             * tests/stress/infer-constant-property.js: Added.
1779             (foo):
1780             * tests/stress/jit-cache-poly-replace-then-cache-get-and-fold-then-invalidate.js: Added.
1781             (foo):
1782             (bar):
1783             * tests/stress/jit-cache-replace-then-cache-get-and-fold-then-invalidate.js: Added.
1784             (foo):
1785             (bar):
1786             * tests/stress/jit-put-to-scope-global-cache-watchpoint-invalidate.js: Added.
1787             (foo):
1788             (bar):
1789             * tests/stress/llint-cache-replace-then-cache-get-and-fold-then-invalidate.js: Added.
1790             (foo):
1791             (bar):
1792             * tests/stress/llint-put-to-scope-global-cache-watchpoint-invalidate.js: Added.
1793             (foo):
1794             (bar):
1795             * tests/stress/repeat-put-to-scope-global-with-same-value-watchpoint-invalidate.js: Added.
1796             (foo):
1797             (bar):
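The replacement watchpoint set rules described in the entry above, as an added model that is not JavaScriptCore's code: the three set states, the lazy allocation on first cached access, the put-replace cache that invalidates at once, the uncached replace that fires, and the per-structure scoping that makes a transition fail closed. Values, property names and the CompiledCode stand-in are constructed.

```python
# Constructed model of per-structure property replacement watchpoint sets; not
# JavaScriptCore code. Values are ints and structures are plain property tuples.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple

class State(Enum):
    CLEAR = "ClearWatchpoint"      # allocated, nobody watching yet
    WATCHED = "IsWatched"
    INVALIDATED = "IsInvalidated"

@dataclass
class CompiledCode:
    jettisoned: bool = False       # set when a watchpoint it registered fires

@dataclass
class WatchpointSet:
    state: State = State.CLEAR
    watchers: List[CompiledCode] = field(default_factory=list)

    def start_watching(self) -> None:
        if self.state is State.CLEAR:   # an invalidated set stays invalidated
            self.state = State.WATCHED

    def is_still_valid(self) -> bool:
        return self.state is not State.INVALIDATED

    def fire_all(self) -> None:
        self.state = State.INVALIDATED
        for code in self.watchers:
            code.jettisoned = True
        self.watchers.clear()

@dataclass(eq=False)
class Structure:
    properties: Tuple[str, ...]
    # Allocated lazily, so properties nobody caches carry no meta-data at all.
    replacement_sets: Dict[str, WatchpointSet] = field(default_factory=dict)

    def ensure_replacement_set(self, prop: str) -> WatchpointSet:
        return self.replacement_sets.setdefault(prop, WatchpointSet())

    def add_property_transition(self, prop: str) -> "Structure":
        # Immutability is per structure: the new structure starts with no sets.
        return Structure(self.properties + (prop,))

@dataclass(eq=False)
class JSObject:
    structure: Structure
    slots: Dict[str, int] = field(default_factory=dict)

    def put(self, prop: str, value: int) -> None:
        """Uncached put. A replace fires the set if one exists; an add changes the
        structure instead, so the mandatory structure check catches it."""
        if prop in self.structure.properties:
            ws = self.structure.replacement_sets.get(prop)
            if ws is not None:
                ws.fire_all()
        else:
            self.structure = self.structure.add_property_transition(prop)
        self.slots[prop] = value

def cache_get(obj: JSObject, prop: str) -> None:
    """A get inline cache creates the set and makes it start watching."""
    obj.structure.ensure_replacement_set(prop).start_watching()

def cache_put_replace(obj: JSObject, prop: str) -> None:
    """A put-replace inline cache creates the set and invalidates it at once."""
    obj.structure.ensure_replacement_set(prop).fire_all()

def try_fold(obj: Optional[JSObject], proven: Structure, prop: str,
             code: CompiledCode) -> Optional[int]:
    """DFG side: needs a constant base, the proven structure and a still-valid
    set; the watchpoint is only added now, lazily, when folding succeeds."""
    if obj is None or obj.structure is not proven:
        return None
    ws = proven.replacement_sets.get(prop)
    if ws is None or not ws.is_still_valid():
        return None
    ws.start_watching()
    ws.watchers.append(code)
    return obj.slots[prop]

def scenario() -> Tuple[Optional[int], Optional[int], Optional[int], bool]:
    o = JSObject(Structure(("f",)), {"f": 1})
    code = CompiledCode()
    o.put("f", 2)                 # writes before any cached access cost nothing
    cache_get(o, "f")             # first cached get: set exists and is watched
    folded = try_fold(o, o.structure, "f", code)            # 2
    o.put("g", 5)                 # transition: new structure, no sets yet
    after_add = try_fold(o, o.structure, "f", code)         # None, fails closed
    cache_get(o, "f")
    refolded = try_fold(o, o.structure, "f", code)          # 2 again
    o.put("f", 3)                 # uncached replace fires, jettisoning the code
    return folded, after_add, refolded, code.jettisoned

def put_replace_cache_blocks_folding() -> Optional[int]:
    s = Structure(("f",))
    o = JSObject(s, {"f": 1})
    cache_put_replace(o, "f")     # set is born invalidated
    cache_get(o, "f")             # start_watching cannot revive it
    return try_fold(o, s, "f", CompiledCode())              # None
```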
1798     
1799     2014-07-03  Saam Barati  <sbarati@apple.com>
1800     
1801             Add more coverage for the profile_types_with_high_fidelity op code.
1802             https://bugs.webkit.org/show_bug.cgi?id=134616
1803     
1804             Reviewed by Filip Pizlo.
1805     
1806             More operations are now being recorded by the profile_types_with_high_fidelity 
1807             opcode. Specifically: function parameters, function return values,
1808             function 'this' value, get_by_id, get_by_value, resolve nodes, function return 
1809             values at the call site. Added more flags to the profile_types_with_high_fidelity
1810             opcode so more focused tasks can take place when the instruction is
1811             being linked in CodeBlock. Re-worked the type profiler to search 
1812             through character offset ranges when asked for the type of an expression
1813             at a given offset. Removed redundant calls to Structure::toStructureShape
1814             in HighFidelityLog and TypeSet by caching calls based on StructureID.
1815     
1816             * bytecode/BytecodeList.json:
1817             * bytecode/BytecodeUseDef.h:
1818             (JSC::computeUsesForBytecodeOffset):
1819             (JSC::computeDefsForBytecodeOffset):
1820             * bytecode/CodeBlock.cpp:
1821             (JSC::CodeBlock::CodeBlock):
1822             (JSC::CodeBlock::finalizeUnconditionally):
1823             (JSC::CodeBlock::scopeDependentProfile):
1824             * bytecode/CodeBlock.h:
1825             (JSC::CodeBlock::returnStatementTypeSet):
1826             * bytecode/TypeLocation.h:
1827             * bytecode/UnlinkedCodeBlock.cpp:
1828             (JSC::UnlinkedCodeBlock::highFidelityTypeProfileExpressionInfoForBytecodeOffset):
1829             (JSC::UnlinkedCodeBlock::addHighFidelityTypeProfileExpressionInfo):
1830             * bytecode/UnlinkedCodeBlock.h:
1831             * bytecompiler/BytecodeGenerator.cpp:
1832             (JSC::BytecodeGenerator::emitMove):
1833             (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
1834             (JSC::BytecodeGenerator::emitGetFromScopeWithProfile):
1835             (JSC::BytecodeGenerator::emitPutToScope):
1836             (JSC::BytecodeGenerator::emitPutToScopeWithProfile):
1837             (JSC::BytecodeGenerator::emitPutById):
1838             (JSC::BytecodeGenerator::emitPutByVal):
1839             * bytecompiler/BytecodeGenerator.h:
1840             (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo):
1841             * bytecompiler/NodesCodegen.cpp:
1842             (JSC::ResolveNode::emitBytecode):
1843             (JSC::BracketAccessorNode::emitBytecode):
1844             (JSC::DotAccessorNode::emitBytecode):
1845             (JSC::FunctionCallValueNode::emitBytecode):
1846             (JSC::FunctionCallResolveNode::emitBytecode):
1847             (JSC::FunctionCallBracketNode::emitBytecode):
1848             (JSC::FunctionCallDotNode::emitBytecode):
1849             (JSC::CallFunctionCallDotNode::emitBytecode):
1850             (JSC::ApplyFunctionCallDotNode::emitBytecode):
1851             (JSC::PostfixNode::emitResolve):
1852             (JSC::PostfixNode::emitBracket):
1853             (JSC::PostfixNode::emitDot):
1854             (JSC::PrefixNode::emitResolve):
1855             (JSC::PrefixNode::emitBracket):
1856             (JSC::PrefixNode::emitDot):
1857             (JSC::ReadModifyResolveNode::emitBytecode):
1858             (JSC::AssignResolveNode::emitBytecode):
1859             (JSC::AssignDotNode::emitBytecode):
1860             (JSC::ReadModifyDotNode::emitBytecode):
1861             (JSC::AssignBracketNode::emitBytecode):
1862             (JSC::ReadModifyBracketNode::emitBytecode):
1863             (JSC::ReturnNode::emitBytecode):
1864             (JSC::FunctionBodyNode::emitBytecode):
1865             * inspector/agents/InspectorRuntimeAgent.cpp:
1866             (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableAtOffset):
1867             (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange): Deleted.
1868             * inspector/agents/InspectorRuntimeAgent.h:
1869             * inspector/protocol/Runtime.json:
1870             * llint/LLIntSlowPaths.cpp:
1871             (JSC::LLInt::getFromScopeCommon):
1872             (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1873             * llint/LLIntSlowPaths.h:
1874             * llint/LowLevelInterpreter.asm:
1875             * runtime/HighFidelityLog.cpp:
1876             (JSC::HighFidelityLog::processHighFidelityLog):
1877             (JSC::HighFidelityLog::actuallyProcessLogThreadFunction):
1878             (JSC::HighFidelityLog::recordTypeInformationForLocation): Deleted.
1879             * runtime/HighFidelityLog.h:
1880             (JSC::HighFidelityLog::recordTypeInformationForLocation):
1881             * runtime/HighFidelityTypeProfiler.cpp:
1882             (JSC::HighFidelityTypeProfiler::getTypesForVariableInAtOffset):
1883             (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableAtOffset):
1884             (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableAtOffset):
1885             (JSC::HighFidelityTypeProfiler::insertNewLocation):
1886             (JSC::HighFidelityTypeProfiler::findLocation):
1887             (JSC::HighFidelityTypeProfiler::getTypesForVariableInRange): Deleted.
1888             (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableInRange): Deleted.
1889             (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableInRange): Deleted.
1890             (JSC::HighFidelityTypeProfiler::getLocationBasedHash): Deleted.
1891             * runtime/HighFidelityTypeProfiler.h:
1892             (JSC::LocationKey::LocationKey): Deleted.
1893             (JSC::LocationKey::hash): Deleted.
1894             (JSC::LocationKey::operator==): Deleted.
1895             * runtime/Structure.cpp:
1896             (JSC::Structure::toStructureShape):
1897             * runtime/Structure.h:
1898             * runtime/TypeSet.cpp:
1899             (JSC::TypeSet::TypeSet):
1900             (JSC::TypeSet::addTypeForValue):
1901             (JSC::TypeSet::seenTypes):
1902             (JSC::TypeSet::removeDuplicatesInStructureHistory): Deleted.
1903             * runtime/TypeSet.h:
1904             (JSC::StructureShape::setConstructorName):
1905             * runtime/VM.cpp:
1906             (JSC::VM::getTypesForVariableAtOffset):
1907             (JSC::VM::dumpHighFidelityProfilingTypes):
1908             (JSC::VM::getTypesForVariableInRange): Deleted.
1909             * runtime/VM.h:
1910     
1911     2014-07-04  Filip Pizlo  <fpizlo@apple.com>
1912     
1913             [ftlopt][REGRESSION] debug tests fail because PutByIdDirect is now implemented in terms of In
1914             https://bugs.webkit.org/show_bug.cgi?id=134642
1915     
1916             Rubber stamped by Andreas Kling.
1917     
1918             * ftl/FTLLowerDFGToLLVM.cpp:
1919             (JSC::FTL::LowerDFGToLLVM::compileNode):
1920     
1921     2014-07-01  Filip Pizlo  <fpizlo@apple.com>
1922     
1923             [ftlopt] Allocate a new GetterSetter if we change the value of any of its entries other than when they were previously null, so that if we constant-infer an accessor slot then we immediately get the function constant for free
1924             https://bugs.webkit.org/show_bug.cgi?id=134518
1925     
1926             Reviewed by Mark Hahnenberg.
1927             
1928             This has no real effect right now, particularly since almost all uses of
1929             setSetter/setGetter were already allocating a brand new GetterSetter. But once we start
1930             doing more aggressive constant property inference, this change will allow us to remove
1931             all runtime checks from getter/setter calls.
1932     
1933             * runtime/GetterSetter.cpp:
1934             (JSC::GetterSetter::withGetter):
1935             (JSC::GetterSetter::withSetter):
1936             * runtime/GetterSetter.h:
1937             (JSC::GetterSetter::setGetter):
1938             (JSC::GetterSetter::setSetter):
1939             * runtime/JSObject.cpp:
1940             (JSC::JSObject::defineOwnNonIndexProperty):
1941     
1942     2014-07-02  Filip Pizlo  <fpizlo@apple.com>
1943     
1944             [ftlopt] Rename notifyTransitionFromThisStructure to didTransitionFromThisStructure
1945     
1946             Rubber stamped by Mark Hahnenberg.
1947     
1948             * runtime/Structure.cpp:
1949             (JSC::Structure::Structure):
1950             (JSC::Structure::nonPropertyTransition):
1951             (JSC::Structure::didTransitionFromThisStructure):
1952             (JSC::Structure::notifyTransitionFromThisStructure): Deleted.
1953             * runtime/Structure.h:
1954     
1955     2014-07-02  Filip Pizlo  <fpizlo@apple.com>
1956     
1957             [ftlopt] Remove the functionality for cloning StructureRareData since we never do that anymore.
1958     
1959             Rubber stamped by Mark Hahnenberg.
1960     
1961             * runtime/Structure.cpp:
1962             (JSC::Structure::Structure):
1963             (JSC::Structure::cloneRareDataFrom): Deleted.
1964             * runtime/Structure.h:
1965             * runtime/StructureRareData.cpp:
1966             (JSC::StructureRareData::clone): Deleted.
1967             (JSC::StructureRareData::StructureRareData): Deleted.
1968             * runtime/StructureRareData.h:
1969             (JSC::StructureRareData::needsCloning): Deleted.
1970     
1971     2014-07-01  Mark Lam  <mark.lam@apple.com>
1972     
1973             [ftlopt] DebuggerCallFrame::scope() should return a DebuggerScope.
1974             <https://webkit.org/b/134420>
1975     
1976             Reviewed by Geoffrey Garen.
1977     
1978             Previously, DebuggerCallFrame::scope() returned a JSActivation (and relevant
1979             peers) which the WebInspector will use to introspect CallFrame variables.
1980             Instead, we should be returning a DebuggerScope as an abstraction layer that
1981             provides the introspection functionality that the WebInspector needs.  This
1982             is the first step towards not forcing every frame to have a JSActivation
1983             object just because the debugger is enabled.
1984     
1985             1. Instantiate the debuggerScopeStructure as a member of the JSGlobalObject
1986                instead of the VM.  This allows JSObject::globalObject() to be able to
1987                return the global object for the DebuggerScope.
1988     
1989             2. On the DebuggerScope's life-cycle management:
1990     
1991                The DebuggerCallFrame is designed to be "valid" only during a debugging session
1992                (while the debugger is broken) through the use of a DebuggerCallFrameScope in
1993                Debugger::pauseIfNeeded().  Once the debugger resumes from the break, the
1994                DebuggerCallFrameScope destructs, and the DebuggerCallFrame will be invalidated.
1995                We can't guarantee (from this code alone) that the Inspector code isn't still
1996                holding a ref to the DebuggerCallFrame (though they shouldn't), but by contract,
1997                the frame will be invalidated, and any attempt to query it will return null values.
1998                This is pre-existing behavior.
1999     
2000                Now, we're adding the DebuggerScope into the picture.  While a single debugger
2001                pause session is in progress, the Inspector may request the scope from the
2002                DebuggerCallFrame.  While the DebuggerCallFrame is still valid, we want
2003                DebuggerCallFrame::scope() to always return the same DebuggerScope object.
2004                This is why we hold on to the DebuggerScope with a strong ref.
2005     
2006                If we use a weak ref instead, the following kooky behavior can manifest:
2007                1. The Inspector calls Debugger::scope() to get the top scope.
2008                2. The Inspector iterates down the scope chain and is now only holding a
2009                   reference to a parent scope.  It is no longer referencing the top scope.
2010                3. A GC occurs, and the DebuggerCallFrame's weak m_scope ref to the top scope
2011                   gets cleared.
2012                4. The Inspector calls DebuggerCallFrame::scope() to get the top scope again but gets
2013                   a different DebuggerScope instance.
2014                5. The Inspector iterates down the scope chain but never sees the parent scope
2015                   instance that it retained a ref to in step 2 above.  This is because when iterating
2016                   this new DebuggerScope instance (which has no knowledge of the previous parent
2017                   DebuggerScope instance), a new DebuggerScope instance will get created for the
2018                   same parent scope. 
2019     
2020                Since the DebuggerScope is a JSObject, its liveness is determined by its reachability.
2021                However, its "validity" is determined by the life-cycle of its owner DebuggerCallFrame.
2022                When the owner DebuggerCallFrame gets invalidated, its debugger scope chain (if
2023                instantiated) will also get invalidated.  This is why we need the
2024                DebuggerScope::invalidateChain() method.  The Inspector should not be using the
2025                DebuggerScope instance after its owner DebuggerCallFrame is invalidated.  If it does,
2026                those methods will do nothing or return a failed status.
2027     
2028             * debugger/Debugger.h:
2029             * debugger/DebuggerCallFrame.cpp:
2030             (JSC::DebuggerCallFrame::scope):
2031             (JSC::DebuggerCallFrame::evaluate):
2032             (JSC::DebuggerCallFrame::invalidate):
2033             (JSC::DebuggerCallFrame::vm):
2034             (JSC::DebuggerCallFrame::lexicalGlobalObject):
2035             * debugger/DebuggerCallFrame.h:
2036             * debugger/DebuggerScope.cpp:
2037             (JSC::DebuggerScope::DebuggerScope):
2038             (JSC::DebuggerScope::finishCreation):
2039             (JSC::DebuggerScope::visitChildren):
2040             (JSC::DebuggerScope::className):
2041             (JSC::DebuggerScope::getOwnPropertySlot):
2042             (JSC::DebuggerScope::put):
2043             (JSC::DebuggerScope::deleteProperty):
2044             (JSC::DebuggerScope::getOwnPropertyNames):
2045             (JSC::DebuggerScope::defineOwnProperty):
2046             (JSC::DebuggerScope::next):
2047             (JSC::DebuggerScope::invalidateChain):
2048             (JSC::DebuggerScope::isWithScope):
2049             (JSC::DebuggerScope::isGlobalScope):
2050             (JSC::DebuggerScope::isFunctionScope):
2051             * debugger/DebuggerScope.h:
2052             (JSC::DebuggerScope::create):
2053             (JSC::DebuggerScope::Iterator::Iterator):
2054             (JSC::DebuggerScope::Iterator::get):
2055             (JSC::DebuggerScope::Iterator::operator++):
2056             (JSC::DebuggerScope::Iterator::operator==):
2057             (JSC::DebuggerScope::Iterator::operator!=):
2058             (JSC::DebuggerScope::isValid):
2059             (JSC::DebuggerScope::jsScope):
2060             (JSC::DebuggerScope::begin):
2061             (JSC::DebuggerScope::end):
2062             * inspector/JSJavaScriptCallFrame.cpp:
2063             (Inspector::JSJavaScriptCallFrame::scopeType):
2064             (Inspector::JSJavaScriptCallFrame::scopeChain):
2065             * inspector/JavaScriptCallFrame.h:
2066             (Inspector::JavaScriptCallFrame::scopeChain):
2067             * inspector/ScriptDebugServer.cpp:
2068             * runtime/JSGlobalObject.cpp:
2069             (JSC::JSGlobalObject::reset):
2070             (JSC::JSGlobalObject::visitChildren):
2071             * runtime/JSGlobalObject.h:
2072             (JSC::JSGlobalObject::debuggerScopeStructure):
2073             * runtime/JSObject.h:
2074             (JSC::JSObject::isWithScope):
2075             * runtime/JSScope.h:
2076             * runtime/VM.cpp:
2077             (JSC::VM::VM):
2078             * runtime/VM.h:
2079     
2080     2014-07-01  Filip Pizlo  <fpizlo@apple.com>
2081     
2082             [ftlopt] DFG bytecode parser should turn PutById with nothing but a Setter stub as stuff+handleCall, and handleCall should be allowed to inline if it wants to
2083             https://bugs.webkit.org/show_bug.cgi?id=130756
2084     
2085             Reviewed by Oliver Hunt.
2086             
2087             This enables exposing the call to setters in the DFG, and then inlining it. Previously we
2088             already supported inline-cached calls to setters from within put_by_id inline caches,
2089             and the DFG could certainly emit such ICs. Now, if an IC had a setter call, then the DFG
2090             will either emit the GetGetterSetterByOffset/GetSetter/Call combo, or it will do one
2091             better and inline the call.
2092             
2093             A lot of the core functionality was already available from the previous work to inline
2094             getters. So, there are some refactorings in this patch that move preexisting
2095             functionality around. For example, the work to figure out how the DFG should go about
2096             getting to what we call the "loaded value" - i.e. the GetterSetter object reference in
2097             the case of accessors - is now shared in ComplexGetStatus, and both GetByIdStatus and
2098             PutByIdStatus use it. This means that we can keep the safety checks common.  This patch
2099             also does additional refactorings in DFG::ByteCodeParser so that we can continue to reuse
2100             handleCall() for all of the various kinds of calls we can now emit.
2101             
2102             83% speed-up on getter-richards, 2% speed-up on box2d.
2103     
2104             * CMakeLists.txt:
2105             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2106             * JavaScriptCore.xcodeproj/project.pbxproj:
2107             * bytecode/ComplexGetStatus.cpp: Added.
2108             (JSC::ComplexGetStatus::computeFor):
2109             * bytecode/ComplexGetStatus.h: Added.
2110             (JSC::ComplexGetStatus::ComplexGetStatus):
2111             (JSC::ComplexGetStatus::skip):
2112             (JSC::ComplexGetStatus::takesSlowPath):
2113             (JSC::ComplexGetStatus::kind):
2114             (JSC::ComplexGetStatus::attributes):
2115             (JSC::ComplexGetStatus::specificValue):
2116             (JSC::ComplexGetStatus::offset):
2117             (JSC::ComplexGetStatus::chain):
2118             * bytecode/GetByIdStatus.cpp:
2119             (JSC::GetByIdStatus::computeForStubInfo):
2120             * bytecode/GetByIdVariant.cpp:
2121             (JSC::GetByIdVariant::GetByIdVariant):
2122             * bytecode/PolymorphicPutByIdList.h:
2123             (JSC::PutByIdAccess::PutByIdAccess):
2124             (JSC::PutByIdAccess::setter):
2125             (JSC::PutByIdAccess::structure):
2126             (JSC::PutByIdAccess::chainCount):
2127             * bytecode/PutByIdStatus.cpp:
2128             (JSC::PutByIdStatus::computeFromLLInt):
2129             (JSC::PutByIdStatus::computeFor):
2130             (JSC::PutByIdStatus::computeForStubInfo):
2131             (JSC::PutByIdStatus::makesCalls):
2132             * bytecode/PutByIdStatus.h:
2133             (JSC::PutByIdStatus::makesCalls): Deleted.
2134             * bytecode/PutByIdVariant.cpp:
2135             (JSC::PutByIdVariant::PutByIdVariant):
2136             (JSC::PutByIdVariant::operator=):
2137             (JSC::PutByIdVariant::replace):
2138             (JSC::PutByIdVariant::transition):
2139             (JSC::PutByIdVariant::setter):
2140             (JSC::PutByIdVariant::writesStructures):
2141             (JSC::PutByIdVariant::reallocatesStorage):
2142             (JSC::PutByIdVariant::makesCalls):
2143             (JSC::PutByIdVariant::dumpInContext):
2144             * bytecode/PutByIdVariant.h:
2145             (JSC::PutByIdVariant::PutByIdVariant):
2146             (JSC::PutByIdVariant::structure):
2147             (JSC::PutByIdVariant::oldStructure):
2148             (JSC::PutByIdVariant::alternateBase):
2149             (JSC::PutByIdVariant::specificValue):
2150             (JSC::PutByIdVariant::callLinkStatus):
2151             (JSC::PutByIdVariant::replace): Deleted.
2152             (JSC::PutByIdVariant::transition): Deleted.
2153             * dfg/DFGByteCodeParser.cpp:
2154             (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
2155             (JSC::DFG::ByteCodeParser::addCall):
2156             (JSC::DFG::ByteCodeParser::handleCall):
2157             (JSC::DFG::ByteCodeParser::handleInlining):
2158             (JSC::DFG::ByteCodeParser::handleGetById):
2159             (JSC::DFG::ByteCodeParser::handlePutById):
2160             (JSC::DFG::ByteCodeParser::parseBlock):
2161             * jit/Repatch.cpp:
2162             (JSC::tryCachePutByID):
2163             (JSC::tryBuildPutByIdList):
2164             * runtime/IntendedStructureChain.cpp:
2165             (JSC::IntendedStructureChain::takesSlowPathInDFGForImpureProperty):
2166             * runtime/IntendedStructureChain.h:
2167             * tests/stress/exit-from-setter.js: Added.
2168             * tests/stress/poly-chain-setter.js: Added.
2169             (Cons):
2170             (foo):
2171             (test):
2172             * tests/stress/poly-chain-then-setter.js: Added.
2173             (Cons1):
2174             (Cons2):
2175             (foo):
2176             (test):
2177             * tests/stress/poly-setter-combo.js: Added.
2178             (Cons1):
2179             (Cons2):
2180             (foo):
2181             (test):
2182             (.test):
2183             * tests/stress/poly-setter-then-self.js: Added.
2184             (foo):
2185             (test):
2186             (.test):
2187             * tests/stress/weird-setter-counter.js: Added.
2188             (foo):
2189             (test):
2190             * tests/stress/weird-setter-counter-syntactic.js: Added.
2191             (foo):
2192             (test):
2193     
2194     2014-07-01  Matthew Mirman  <mmirman@apple.com>
2195     
2196             Added an implementation of the "in" check to FTL.
2197             https://bugs.webkit.org/show_bug.cgi?id=134508
2198     
2199             Reviewed by Filip Pizlo.
2200     
2201             * ftl/FTLCapabilities.cpp: enabled compilation for "in"
2202             (JSC::FTL::canCompile): ditto
2203             * ftl/FTLCompile.cpp:
2204             (JSC::FTL::generateCheckInICFastPath): added.
2205             (JSC::FTL::fixFunctionBasedOnStackMaps): added case for CheckIn descriptors.
2206             * ftl/FTLInlineCacheDescriptor.h:
2207             (JSC::FTL::CheckInGenerator::CheckInGenerator): added.
2208             (JSC::FTL::CheckInDescriptor::CheckInDescriptor): added.
2209             * ftl/FTLInlineCacheSize.cpp: 
2210             (JSC::FTL::sizeOfCheckIn): added. Currently larger than necessary.
2211             * ftl/FTLInlineCacheSize.h: ditto
2212             * ftl/FTLIntrinsicRepository.h: Added function type for operationInGeneric
2213             * ftl/FTLLowerDFGToLLVM.cpp: 
2214             (JSC::FTL::LowerDFGToLLVM::compileNode): added case for In.
2215             (JSC::FTL::LowerDFGToLLVM::compileIn): added.
2216             * ftl/FTLSlowPathCall.cpp: Added a callOperation for operationIn
2217             (JSC::FTL::callOperation): ditto
2218             * ftl/FTLSlowPathCall.h: ditto
2219             * ftl/FTLState.h: Added a vector to hold CheckIn descriptors.
2220             * jit/JITOperations.h: made operationIns internal.
2221             * tests/stress/ftl-checkin.js: Added.
2222             * tests/stress/ftl-checkin-variable.js: Added.
2223     
2224     2014-06-30  Mark Hahnenberg  <mhahnenberg@apple.com>
2225     
2226             CodeBlock::stronglyVisitWeakReferences should mark DFG::CommonData::weakStructureReferences
2227             https://bugs.webkit.org/show_bug.cgi?id=134455
2228     
2229             Reviewed by Geoffrey Garen.
2230     
2231             Otherwise we get hanging pointers which can cause us to die later.
2232     
2233             * bytecode/CodeBlock.cpp:
2234             (JSC::CodeBlock::stronglyVisitWeakReferences):
2235     
2236     2014-06-27  Filip Pizlo  <fpizlo@apple.com>
2237     
2238             [ftlopt] Reduce the GC's influence on optimization decisions
2239             https://bugs.webkit.org/show_bug.cgi?id=134427
2240     
2241             Reviewed by Oliver Hunt.
2242             
2243             This is a slight speed-up on some platforms, that arises from a bunch of fixes that I made
2244             while trying to make the GC keep more structures alive
2245             (https://bugs.webkit.org/show_bug.cgi?id=128072).
2246             
2247             The fixes are, roughly:
2248             
2249             - If the GC clears an inline cache, then this no longer causes the IC to be forever
2250               polymorphic.
2251             
2252             - If we exit in inlined code into a function that tries to OSR enter, then we jettison
2253               sooner.
2254             
2255             - Some variables being uninitialized led to rage-recompilations.
2256             
2257             This is a pretty strong step in the direction of keeping more Structures alive and not
2258             blowing away code just because a Structure died. But, it seems like there is still a slight
2259             speed-up to be had from blowing away code that references dead Structures.
2260     
2261             * bytecode/CodeBlock.cpp:
2262             (JSC::CodeBlock::dumpAssumingJITType):
2263             (JSC::shouldMarkTransition):
2264             (JSC::CodeBlock::propagateTransitions):
2265             (JSC::CodeBlock::determineLiveness):
2266             * bytecode/GetByIdStatus.cpp:
2267             (JSC::GetByIdStatus::computeForStubInfo):
2268             * bytecode/PutByIdStatus.cpp:
2269             (JSC::PutByIdStatus::computeForStubInfo):
2270             * dfg/DFGCapabilities.cpp:
2271             (JSC::DFG::isSupportedForInlining):
2272             (JSC::DFG::mightInlineFunctionForCall):
2273             (JSC::DFG::mightInlineFunctionForClosureCall):
2274             (JSC::DFG::mightInlineFunctionForConstruct):
2275             * dfg/DFGCapabilities.h:
2276             * dfg/DFGCommonData.h:
2277             * dfg/DFGDesiredWeakReferences.cpp:
2278             (JSC::DFG::DesiredWeakReferences::reallyAdd):
2279             * dfg/DFGOSREntry.cpp:
2280             (JSC::DFG::prepareOSREntry):
2281             * dfg/DFGOSRExitCompilerCommon.cpp:
2282             (JSC::DFG::handleExitCounts):
2283             * dfg/DFGOperations.cpp:
2284             * dfg/DFGOperations.h:
2285             * ftl/FTLForOSREntryJITCode.cpp:
2286             (JSC::FTL::ForOSREntryJITCode::ForOSREntryJITCode): These variables being uninitialized is benign in terms of correctness but can sometimes cause rage-recompilations. For some reason it took this patch to reveal this.
2287             * ftl/FTLOSREntry.cpp:
2288             (JSC::FTL::prepareOSREntry):
2289             * runtime/Executable.cpp:
2290             (JSC::ExecutableBase::destroy):
2291             (JSC::NativeExecutable::destroy):
2292             (JSC::ScriptExecutable::ScriptExecutable):
2293             (JSC::ScriptExecutable::destroy):
2294             (JSC::ScriptExecutable::installCode):
2295             (JSC::EvalExecutable::EvalExecutable):
2296             (JSC::ProgramExecutable::ProgramExecutable):
2297             * runtime/Executable.h:
2298             (JSC::ScriptExecutable::setDidTryToEnterInLoop):
2299             (JSC::ScriptExecutable::didTryToEnterInLoop):
2300             (JSC::ScriptExecutable::addressOfDidTryToEnterInLoop):
2301             (JSC::ScriptExecutable::ScriptExecutable): Deleted.
2302             * runtime/StructureInlines.h:
2303             (JSC::Structure::storedPrototypeObject):
2304             (JSC::Structure::storedPrototypeStructure):
2305     
2306     2014-06-25  Filip Pizlo  <fpizlo@apple.com>
2307     
2308             [ftlopt] If a CodeBlock is jettisoned due to a watchpoint then it should be possible to figure out something about that watchpoint
2309             https://bugs.webkit.org/show_bug.cgi?id=134333
2310     
2311             Reviewed by Geoffrey Garen.
2312             
2313             This is engineered to provide loads of information to the profiler without incurring any
2314             costs when the profiler is disabled. It's the oldest trick in the book: the thing that
2315             fires the watchpoint doesn't actually create anything to describe the reason why it was
2316             fired; instead it creates a stack-allocated FireDetail subclass instance. Only if the
2317             FireDetail::dump() virtual method is called does anything happen.
2318             
2319             Currently we use this to produce very fine-grained data for Structure watchpoints and
2320             some cases of variable watchpoints. For all other situations, the given reason is just a
2321             string constant, by using StringFireDetail. If we find a situation where that string
2322             constant is insufficient to diagnose an issue then we can change it to provide more
2323             fine-grained information.
2324     
2325             * JavaScriptCore.xcodeproj/project.pbxproj:
2326             * bytecode/CodeBlock.cpp:
2327             (JSC::CodeBlock::CodeBlock):
2328             (JSC::CodeBlock::jettison):
2329             * bytecode/CodeBlock.h:
2330             * bytecode/CodeBlockJettisoningWatchpoint.cpp:
2331             (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
2332             * bytecode/CodeBlockJettisoningWatchpoint.h:
2333             * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp: Removed.
2334             * bytecode/ProfiledCodeBlockJettisoningWatchpoint.h: Removed.
2335             * bytecode/StructureStubClearingWatchpoint.cpp:
2336             (JSC::StructureStubClearingWatchpoint::fireInternal):
2337             * bytecode/StructureStubClearingWatchpoint.h:
2338             * bytecode/VariableWatchpointSet.h:
2339             (JSC::VariableWatchpointSet::invalidate):
2340             (JSC::VariableWatchpointSet::finalizeUnconditionally):
2341             * bytecode/VariableWatchpointSetInlines.h:
2342             (JSC::VariableWatchpointSet::notifyWrite):
2343             * bytecode/Watchpoint.cpp:
2344             (JSC::StringFireDetail::dump):
2345             (JSC::WatchpointSet::fireAll):
2346             (JSC::WatchpointSet::fireAllSlow):
2347             (JSC::WatchpointSet::fireAllWatchpoints):
2348             (JSC::InlineWatchpointSet::fireAll):
2349             * bytecode/Watchpoint.h:
2350             (JSC::FireDetail::FireDetail):
2351             (JSC::FireDetail::~FireDetail):
2352             (JSC::StringFireDetail::StringFireDetail):
2353             (JSC::Watchpoint::fire):
2354             (JSC::WatchpointSet::fireAll):
2355             (JSC::WatchpointSet::touch):
2356             (JSC::WatchpointSet::invalidate):
2357             (JSC::InlineWatchpointSet::fireAll):
2358             (JSC::InlineWatchpointSet::touch):
2359             * dfg/DFGCommonData.h:
2360             * dfg/DFGOperations.cpp:
2361             * interpreter/Interpreter.cpp:
2362             (JSC::Interpreter::execute):
2363             * jsc.cpp:
2364             (WTF::Masquerader::create):
2365             * profiler/ProfilerCompilation.cpp:
2366             (JSC::Profiler::Compilation::setJettisonReason):
2367             (JSC::Profiler::Compilation::toJS):
2368             * profiler/ProfilerCompilation.h:
2369             (JSC::Profiler::Compilation::setJettisonReason): Deleted.
2370             * runtime/ArrayBuffer.cpp:
2371             (JSC::ArrayBuffer::transfer):
2372             * runtime/ArrayBufferNeuteringWatchpoint.cpp:
2373             (JSC::ArrayBufferNeuteringWatchpoint::fireAll):
2374             * runtime/ArrayBufferNeuteringWatchpoint.h:
2375             * runtime/CommonIdentifiers.h:
2376             * runtime/CommonSlowPaths.cpp:
2377             (JSC::SLOW_PATH_DECL):
2378             * runtime/Identifier.cpp:
2379             (JSC::Identifier::dump):
2380             * runtime/Identifier.h:
2381             * runtime/JSFunction.cpp:
2382             (JSC::JSFunction::put):
2383             (JSC::JSFunction::defineOwnProperty):
2384             * runtime/JSGlobalObject.cpp:
2385             (JSC::JSGlobalObject::addFunction):
2386             (JSC::JSGlobalObject::haveABadTime):
2387             * runtime/JSSymbolTableObject.cpp:
2388             (JSC::VariableWriteFireDetail::dump):
2389             * runtime/JSSymbolTableObject.h:
2390             (JSC::VariableWriteFireDetail::VariableWriteFireDetail):
2391             (JSC::symbolTablePut):
2392             (JSC::symbolTablePutWithAttributes):
2393             * runtime/PropertyName.h:
2394             (JSC::PropertyName::dump):
2395             * runtime/Structure.cpp:
2396             (JSC::Structure::notifyTransitionFromThisStructure):
2397             * runtime/Structure.h:
2398             (JSC::Structure::notifyTransitionFromThisStructure): Deleted.
2399             * runtime/SymbolTable.cpp:
2400             (JSC::SymbolTableEntry::notifyWriteSlow):
2401             (JSC::SymbolTable::WatchpointCleanup::finalizeUnconditionally):
2402             * runtime/SymbolTable.h:
2403             (JSC::SymbolTableEntry::notifyWrite):
2404             * runtime/VM.cpp:
2405             (JSC::VM::addImpureProperty):
2406     
2407 2014-08-05  Commit Queue  <commit-queue@webkit.org>
2408
2409         Unreviewed, rolling out r172099.
2410         https://bugs.webkit.org/show_bug.cgi?id=135635
2411
2412         Needs a do-over. (Requested by kling on #webkit).
2413
2414         Reverted changeset:
2415
2416         "The JIT should cache property lookup misses."
2417         https://bugs.webkit.org/show_bug.cgi?id=135578
2418         http://trac.webkit.org/changeset/172099
2419
2420 2014-08-05  Przemyslaw Kuczynski  <p.kuczynski@samsung.com>
2421
2422         Fix resource leak of unclosed file descriptor.
2423         https://bugs.webkit.org/show_bug.cgi?id=135417
2424
2425         Reviewed by Darin Adler.
2426
2427         When open returns zero, the fd handle leaks. Checking (fd > 0) needs to be replaced
2428         with (fd != -1).
2429
2430         * assembler/MacroAssemblerARM.cpp:
2431         (JSC::isVFPPresent):
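
The descriptor-0 case behind this fix, as an added example (not code from JavaScriptCore or the patch): open() hands out the lowest free descriptor, so once fd 0 is closed a successful open() returns 0, which the pre-fix (fd > 0) test misreads as failure and never closes. The predicates and the harness below are constructed for the demonstration; /dev/null stands in for the file the real function reads.

```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Pre-fix predicate: treats descriptor 0 as an open() failure. */
static int is_open_ok_buggy(int fd)
{
    return fd > 0;
}

/* Corrected predicate: only -1 signals failure; 0 is a valid descriptor. */
static int is_open_ok_fixed(int fd)
{
    return fd != -1;
}

/* Runs the open/use/close pattern under the given accept-predicate while
   descriptor 0 is free (stdin is temporarily closed and restored afterwards).
   Returns 1 if open() succeeded but the predicate rejected the descriptor,
   i.e. the situation in which the pre-fix code leaked it; 0 otherwise. */
static int leaks_descriptor(int (*accept)(int))
{
    int saved = dup(0);            /* -1 if fd 0 is already closed; fine too */
    if (saved != -1)
        close(0);                  /* make 0 the lowest free descriptor */

    int fd = open("/dev/null", O_RDONLY);   /* constructed stand-in file */
    int leaked = 0;
    if (accept(fd)) {
        close(fd);                 /* normal path: use the file, then close */
    } else if (fd != -1) {
        leaked = 1;                /* open() succeeded, but the check said no */
        close(fd);                 /* clean up so the demo itself does not leak */
    }

    if (saved != -1) {             /* put stdin back where it was */
        dup2(saved, 0);
        close(saved);
    }
    return leaked;
}

int main(void)
{
    printf("buggy check leaks: %d\n", leaks_descriptor(is_open_ok_buggy));
    printf("fixed check leaks: %d\n", leaks_descriptor(is_open_ok_fixed));
    return 0;
}
```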
2432
2433 2014-08-05  Andreas Kling  <akling@apple.com>
2434
2435         The JIT should cache property lookup misses.
2436         <https://webkit.org/b/135578>
2437
2438         Add support for inline caching of object properties that don't exist.
2439         Previously we'd fall back to the C++ slow-path whenever a property was missing.
2440
2441         It's implemented as a simple GetById-style stub that returns jsUndefined() as
2442         long as the Structure chain check passes.
2443
2444         10x speedup on the included microbenchmark.
2445
2446         Reviewed by Geoffrey Garen.
2447
2448         * jit/Repatch.cpp:
2449         (JSC::toString):
2450         (JSC::kindFor):
2451         (JSC::generateByIdStub):
2452         (JSC::tryCacheGetByID):
2453         (JSC::patchJumpToGetByIdStub):
2454         * runtime/PropertySlot.h:
2455         (JSC::PropertySlot::isUnset):
2456
2457 2014-08-05  Commit Queue  <commit-queue@webkit.org>
2458
2459         Unreviewed, rolling out r172009.
2460         https://bugs.webkit.org/show_bug.cgi?id=135627
2461
2462         "Commit landed on trunk instead of ftlopt branch." (Requested
2463         by saamyjoon on #webkit).
2464
2465         Reverted changeset:
2466
2467         "Create a more generic way for VMEntryScope to notify those
2468         interested that it will be destroyed"
2469         https://bugs.webkit.org/show_bug.cgi?id=135358
2470         http://trac.webkit.org/changeset/172009
2471
2472 2014-08-05  Alex Christensen  <achristensen@webkit.org>
2473
2474         More work on CMake.
2475         https://bugs.webkit.org/show_bug.cgi?id=135620
2476
2477         Reviewed by Laszlo Gombos.
2478
2479         * CMakeLists.txt:
2480         Added missing source files.
2481         * PlatformEfl.cmake:
2482         * PlatformGTK.cmake:
2483         Include glib directories and libraries to find glib.h in EventLoop.cpp.
2484         * PlatformMac.cmake:
2485         Moved STATICALLY_LINKED_WITH_WTF definition away from the common CMakeLists
2486         because it should not be defined on Windows.
2487         Added remote inspector source files.
2488
2489 2014-08-05  Peyton Randolph  <prandolph@apple.com>
2490
2491         Rename MAC_LONG_PRESS feature flag to LONG_MOUSE_PRESS.
2492         https://bugs.webkit.org/show_bug.cgi?id=135276
2493
2494         Reviewed by Beth Dakin.
2495
2496         * Configurations/FeatureDefines.xcconfig:
2497
2498 2014-08-04  Benjamin Poulain  <benjamin@webkit.org>
2499
2500         Add a flag for the CSS Selectors level 4 implementation
2501         https://bugs.webkit.org/show_bug.cgi?id=135535
2502
2503         Reviewed by Andreas Kling.
2504
2505         * Configurations/FeatureDefines.xcconfig:
2506
2507 2014-08-04  Alex Christensen  <achristensen@webkit.org>
2508
2509         Progress towards CMake on Mac.
2510         https://bugs.webkit.org/show_bug.cgi?id=135528
2511
2512         Reviewed by Gyuyoung Kim.
2513
2514         * CMakeLists.txt:
2515         Include necessary directories and copy all necessary forwarding headers.
2516         Only compile UDis86Disassembler.cpp if we're using UDIS86.
2517         * PlatformMac.cmake: Added.
2518         * tools/CodeProfiling.cpp:
2519         Compile fix.  Include sys/time.h on darwin, too.
2520
2521 2014-08-04  Saam Barati  <sbarati@apple.com>
2522
2523         Create a more generic way for VMEntryScope to notify those interested that it will be destroyed
2524         https://bugs.webkit.org/show_bug.cgi?id=135358
2525
2526         Reviewed by Geoffrey Garen.
2527
2528         When VMEntryScope is destroyed, and it has a flag set indicating that the
2529         Debugger needs to recompile all functions, it calls Debugger::recompileAllJSFunctions. 
2530         This flag is only used by Debugger to have VMEntryScope notify it when the
2531         Debugger is safe to recompile all functions. This patch will substitute this
2532         Debugger-specific recompilation flag with a list of callbacks that are notified 
2533         when the outermost VMEntryScope dies. This creates a general purpose interface 
2534         for being notified when the VM stops executing code via the event of the outermost 
2535         VMEntryScope dying.
2536
2537         * debugger/Debugger.cpp:
2538         (JSC::Debugger::recompileAllJSFunctions):
2539         * runtime/VMEntryScope.cpp:
2540         (JSC::VMEntryScope::VMEntryScope):
2541         (JSC::VMEntryScope::addEntryScopeDidPopListener):
2542         (JSC::VMEntryScope::~VMEntryScope):
2543         * runtime/VMEntryScope.h:
2544         (JSC::VMEntryScope::setRecompilationNeeded): Deleted.
2545
2546 2014-08-01  Carlos Alberto Lopez Perez  <clopez@igalia.com>
2547
2548         REGRESSION(r171942): [CMAKE] [GTK] build broken (clean build).
2549         https://bugs.webkit.org/show_bug.cgi?id=135522
2550
2551         Reviewed by Martin Robinson.
2552
2553         * CMakeLists.txt: Output the inspector headers inside inspector
2554         subdirectory.
2555
2556 2014-08-01  Mark Lam  <mark.lam@apple.com>
2557
2558         Add some structure related assertions.
2559         <https://webkit.org/b/135523>
2560
2561         Reviewed by Geoffrey Garen.
2562
2563         Adding 2 assertions:
2564         1. assert that we don't index past the end of the StructureIDTable.
2565            This should never happen, but this assertion will help catch bugs
2566            where a bad structureID gets passed in.
2567         2. assert that cells in MarkedBlock::callDestructor() that are not
2568            zapped should have a non-null StructureID.  This will help us catch
2569            bugs where the other cell header flag bits get set after the cell is
2570            zapped, thereby making the cell look like an unzapped cell but with a
2571            null structureID.
2572
2573         * heap/MarkedBlock.cpp:
2574         (JSC::MarkedBlock::callDestructor):
2575         * runtime/StructureIDTable.h:
2576         (JSC::StructureIDTable::get):
2577
2578 2014-08-01  Csaba Osztrogonác  <ossy@webkit.org>
2579
2580         URTBF after r171946 to fix non-Apple builds.
2581
2582         * bytecode/InlineCallFrameSet.cpp:
2583
2584 2014-08-01  Mark Hahnenberg  <mhahnenberg@apple.com>
2585
2586         CodeBlock fails to visit the Executables of its InlineCallFrames
2587         https://bugs.webkit.org/show_bug.cgi?id=135471
2588
2589         Reviewed by Geoffrey Garen.
2590
2591         CodeBlock needs to visit its InlineCallFrames' owner Executables. If it doesn't, they 
2592         can be prematurely collected and cause crashes.
2593
2594         * bytecode/CodeBlock.cpp:
2595         (JSC::CodeBlock::stronglyVisitStrongReferences):
2596         * bytecode/CodeOrigin.h:
2597         (JSC::InlineCallFrame::visitAggregate):
2598         * bytecode/InlineCallFrameSet.cpp:
2599         (JSC::InlineCallFrameSet::visitAggregate):
2600         * bytecode/InlineCallFrameSet.h:
2601
2602 2014-08-01  Alex Christensen  <achristensen@webkit.org>
2603
2604         Progress towards cmake on Windows.
2605         https://bugs.webkit.org/show_bug.cgi?id=135484
2606
2607         Reviewed by Martin Robinson.
2608
2609         * CMakeLists.txt:
2610         Generate code directly to inspector directory to avoid using the cp command
2611         which is not available on Windows.
2612         * PlatformWin.cmake: Added.
2613
2614 2014-07-31  Andreas Kling  <akling@apple.com>
2615
2616         Remove the JSC::OverridesVisitChildren flag.
2617         <https://webkit.org/b/135489>
2618
2619         Except for 3 special classes, the visitChildren() call is always
2620         dispatched through the method table (see SlotVisitor.cpp.)
2621
2622         The OverridesVisitChildren flag doesn't actually do anything.
2623         It could be used to implement a non-virtual direct call to
2624         JSCell::visitChildren, bypassing the method table for some objects,
2625         but such a micro-optimization seems like a weak trade for all this
2626         code complexity. Instead, just remove the flag.
2627
2628         This change frees up an inline flag bit in JSCell.
2629
2630         Reviewed by Geoffrey Garen.
2631
2632         * API/JSAPIWrapperObject.h:
2633         * API/JSAPIWrapperObject.mm:
2634         (JSC::JSAPIWrapperObject::visitChildren):
2635         * API/JSCallbackObject.h:
2636         (JSC::JSCallbackObject::visitChildren):
2637         * bytecode/UnlinkedCodeBlock.cpp:
2638         (JSC::UnlinkedFunctionExecutable::visitChildren):
2639         (JSC::UnlinkedCodeBlock::visitChildren):
2640         (JSC::UnlinkedProgramCodeBlock::visitChildren):
2641         * bytecode/UnlinkedCodeBlock.h:
2642         * debugger/DebuggerScope.cpp:
2643         (JSC::DebuggerScope::visitChildren):
2644         * debugger/DebuggerScope.h:
2645         * jsc.cpp:
2646         * runtime/Arguments.cpp:
2647         (JSC::Arguments::visitChildren):
2648         * runtime/Arguments.h:
2649         * runtime/Executable.cpp:
2650         (JSC::EvalExecutable::visitChildren):
2651         (JSC::ProgramExecutable::visitChildren):
2652         (JSC::FunctionExecutable::visitChildren):
2653         * runtime/Executable.h:
2654         * runtime/GetterSetter.cpp:
2655         (JSC::GetterSetter::visitChildren):
2656         * runtime/GetterSetter.h:
2657         (JSC::GetterSetter::createStructure):
2658         * runtime/JSAPIValueWrapper.h:
2659         (JSC::JSAPIValueWrapper::createStructure):
2660         * runtime/JSActivation.cpp:
2661         (JSC::JSActivation::visitChildren):
2662         * runtime/JSActivation.h:
2663         * runtime/JSArrayIterator.cpp:
2664         (JSC::JSArrayIterator::visitChildren):
2665         * runtime/JSArrayIterator.h:
2666         * runtime/JSBoundFunction.cpp:
2667         (JSC::JSBoundFunction::visitChildren):
2668         * runtime/JSBoundFunction.h:
2669         * runtime/JSCellInlines.h:
2670         (JSC::JSCell::setStructure):
2671         * runtime/JSFunction.cpp:
2672         (JSC::JSFunction::visitChildren):
2673         * runtime/JSFunction.h:
2674         * runtime/JSGlobalObject.cpp:
2675         (JSC::JSGlobalObject::visitChildren):
2676         * runtime/JSGlobalObject.h:
2677         * runtime/JSMap.h:
2678         * runtime/JSMapIterator.cpp:
2679         (JSC::JSMapIterator::visitChildren):
2680         * runtime/JSMapIterator.h:
2681         * runtime/JSNameScope.cpp:
2682         (JSC::JSNameScope::visitChildren):
2683         * runtime/JSNameScope.h:
2684         * runtime/JSPromise.cpp:
2685         (JSC::JSPromise::visitChildren):
2686         * runtime/JSPromise.h:
2687         * runtime/JSPromiseDeferred.cpp:
2688         (JSC::JSPromiseDeferred::visitChildren):
2689         * runtime/JSPromiseDeferred.h:
2690         * runtime/JSPromiseReaction.cpp:
2691         (JSC::JSPromiseReaction::visitChildren):
2692         * runtime/JSPromiseReaction.h:
2693         * runtime/JSPropertyNameIterator.cpp:
2694         (JSC::JSPropertyNameIterator::visitChildren):
2695         * runtime/JSPropertyNameIterator.h:
2696         * runtime/JSProxy.cpp:
2697         (JSC::JSProxy::visitChildren):
2698         * runtime/JSProxy.h:
2699         * runtime/JSScope.cpp:
2700         (JSC::JSScope::visitChildren):
2701         * runtime/JSScope.h:
2702         * runtime/JSSegmentedVariableObject.cpp:
2703         (JSC::JSSegmentedVariableObject::visitChildren):
2704         * runtime/JSSegmentedVariableObject.h:
2705         * runtime/JSSet.h:
2706         * runtime/JSSetIterator.cpp:
2707         (JSC::JSSetIterator::visitChildren):
2708         * runtime/JSSetIterator.h:
2709         * runtime/JSSymbolTableObject.cpp:
2710         (JSC::JSSymbolTableObject::visitChildren):
2711         * runtime/JSSymbolTableObject.h:
2712         * runtime/JSTypeInfo.h:
2713         (JSC::TypeInfo::overridesVisitChildren): Deleted.
2714         * runtime/JSWeakMap.h:
2715         * runtime/JSWithScope.cpp:
2716         (JSC::JSWithScope::visitChildren):
2717         * runtime/JSWithScope.h:
2718         * runtime/JSWrapperObject.cpp:
2719         (JSC::JSWrapperObject::visitChildren):
2720         * runtime/JSWrapperObject.h:
2721         * runtime/MapData.h:
2722         * runtime/NativeErrorConstructor.cpp:
2723         (JSC::NativeErrorConstructor::visitChildren):
2724         * runtime/NativeErrorConstructor.h:
2725         * runtime/PropertyMapHashTable.h:
2726         * runtime/PropertyTable.cpp:
2727         (JSC::PropertyTable::visitChildren):
2728         * runtime/RegExpConstructor.cpp:
2729         (JSC::RegExpConstructor::visitChildren):
2730         * runtime/RegExpConstructor.h:
2731         * runtime/RegExpMatchesArray.cpp:
2732         (JSC::RegExpMatchesArray::visitChildren):
2733         * runtime/RegExpMatchesArray.h:
2734         * runtime/RegExpObject.cpp:
2735         (JSC::RegExpObject::visitChildren):
2736         * runtime/RegExpObject.h:
2737         * runtime/SparseArrayValueMap.h:
2738         * runtime/Structure.cpp:
2739         (JSC::Structure::Structure):
2740         (JSC::Structure::visitChildren):
2741         * runtime/StructureChain.cpp:
2742         (JSC::StructureChain::visitChildren):
2743         * runtime/StructureChain.h:
2744         * runtime/StructureRareData.cpp:
2745         (JSC::StructureRareData::visitChildren):
2746         * runtime/StructureRareData.h:
2747         * runtime/WeakMapData.h:
2748
2749 2014-07-31  Mark Lam  <mark.lam@apple.com>
2750
2751         JSCell::classInfo() belongs in JSCellInlines.h.
2752         <https://webkit.org/b/135475>
2753
2754         Reviewed by Mark Hahnenberg.
2755
2756         * runtime/JSCellInlines.h:
2757         (JSC::JSCell::classInfo):
2758         * runtime/JSDestructibleObject.h:
2759         (JSC::JSCell::classInfo): Deleted.
2760
2761 2014-07-31  Tanay C  <tanay.c@samsung.com>
2762
2763         Build warning in webkit/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
2764         https://bugs.webkit.org/show_bug.cgi?id=135414
2765
2766         Reviewed by Csaba Osztrogonác.
2767
2768         * llint/LLIntSlowPaths.cpp:
2769         (JSC::LLInt::putToScopeCommon): Removed unused parameter from function definition.
2770
2771 2014-07-30  Filip Pizlo  <fpizlo@apple.com>
2772
2773         NewFunctionExpression and NewFunctionNoCheck should setHaveStructures(true)
2774         https://bugs.webkit.org/show_bug.cgi?id=135430
2775
2776         Reviewed by Mark Hahnenberg.
2777
2778         We already handled this correctly after the ftlopt merge, but it's useful to have the test.
2779
2780         * tests/stress/new-function-expression-has-structures.js: Added.
2781         (foo.f):
2782         (foo.f.prototype.f):
2783         (foo):
2784
2785 2014-07-30  Andreas Kling  <akling@apple.com>
2786
2787         Speculative Windows build fix.
2788
2789         Try to dllimport the dllexported global object HashTable.
2790
2791         * jsc.cpp:
2792         * testRegExp.cpp:
2793
2794 2014-07-30  Andreas Kling  <akling@apple.com>
2795
2796         PropertyName's internal string is always atomic.
2797         <https://webkit.org/b/135451>
2798
2799         Now that we've merged the JSC::Identifier and WTF::AtomicString tables,
2800         we know that any string that's an Identifier is guaranteed to be atomic.
2801
2802         A PropertyName can be either an Identifier or a PrivateName, and the
2803         private names are also guaranteed to be atomic internally.
2804
2805         Make PropertyName vend AtomicStringImpl* instead of StringImpl*.
2806
2807         Reviewed by Benjamin Poulain.
2808
2809         * runtime/PropertyName.h:
2810         (JSC::PropertyName::PropertyName):
2811         (JSC::PropertyName::uid):
2812         (JSC::PropertyName::publicName):
2813
2814 2014-07-30  Andy Estes  <aestes@apple.com>
2815
2816         USE(CONTENT_FILTERING) should be ENABLE(CONTENT_FILTERING)
2817         https://bugs.webkit.org/show_bug.cgi?id=135439
2818
2819         Reviewed by Tim Horton.
2820
2821         We now support two different platform content filters, and will soon support a mock content filter (as part of
2822         webkit.org/b/128858). This makes content filtering a feature of WebKit, not just an adoption of a third-party
2823         library. ENABLE() is the correct macro to use for such a feature.
2824
2825         * Configurations/FeatureDefines.xcconfig:
2826
2827 2014-07-30  Andreas Kling  <akling@apple.com>
2828
2829         Static hash tables no longer need to be coupled with a VM.
2830         <https://webkit.org/b/135421>
2831
2832         Now that the static hash tables are using char** instead of StringImpl**,
2833         it's no longer necessary to make them per-VM.
2834
2835         This patch removes the hook in ClassInfo for providing your own static
2836         hash table getter. Everyone now uses ClassInfo::staticPropHashTable.
2837         Most of this patch is tweaking ClassInfo construction sites to pass one
2838         less null pointer.
2839
2840         Also simplified Lookup.h to stop requiring ExecState/VM to access the
2841         static hash tables.
2842
2843         Reviewed by Geoffrey Garen.
2844
2845         * API/JSAPIWrapperObject.mm:
2846         * API/JSCallbackConstructor.cpp:
2847         * API/JSCallbackFunction.cpp:
2848         * API/JSCallbackObject.cpp:
2849         * API/ObjCCallbackFunction.mm:
2850         * bytecode/UnlinkedCodeBlock.cpp:
2851         * create_hash_table:
2852         * debugger/DebuggerScope.cpp:
2853         * inspector/JSInjectedScriptHost.cpp:
2854         * inspector/JSInjectedScriptHostPrototype.cpp:
2855         * inspector/JSJavaScriptCallFrame.cpp:
2856         * inspector/JSJavaScriptCallFramePrototype.cpp:
2857         * interpreter/CallFrame.h:
2858         (JSC::ExecState::arrayConstructorTable): Deleted.
2859         (JSC::ExecState::arrayPrototypeTable): Deleted.
2860         (JSC::ExecState::booleanPrototypeTable): Deleted.
2861         (JSC::ExecState::dataViewTable): Deleted.
2862         (JSC::ExecState::dateTable): Deleted.
2863         (JSC::ExecState::dateConstructorTable): Deleted.
2864         (JSC::ExecState::errorPrototypeTable): Deleted.
2865         (JSC::ExecState::globalObjectTable): Deleted.
2866         (JSC::ExecState::jsonTable): Deleted.
2867         (JSC::ExecState::numberConstructorTable): Deleted.
2868         (JSC::ExecState::numberPrototypeTable): Deleted.
2869         (JSC::ExecState::objectConstructorTable): Deleted.
2870         (JSC::ExecState::privateNamePrototypeTable): Deleted.
2871         (JSC::ExecState::regExpTable): Deleted.
2872         (JSC::ExecState::regExpConstructorTable): Deleted.
2873         (JSC::ExecState::regExpPrototypeTable): Deleted.
2874         (JSC::ExecState::stringConstructorTable): Deleted.
2875         (JSC::ExecState::promisePrototypeTable): Deleted.
2876         (JSC::ExecState::promiseConstructorTable): Deleted.
2877         * jsc.cpp:
2878         * parser/Lexer.h:
2879         (JSC::Keywords::isKeyword):
2880         (JSC::Keywords::getKeyword):
2881         * runtime/Arguments.cpp:
2882         * runtime/ArgumentsIteratorConstructor.cpp:
2883         * runtime/ArgumentsIteratorPrototype.cpp:
2884         * runtime/ArrayBufferNeuteringWatchpoint.cpp:
2885         * runtime/ArrayConstructor.cpp:
2886         (JSC::ArrayConstructor::getOwnPropertySlot):
2887         * runtime/ArrayIteratorConstructor.cpp:
2888         * runtime/ArrayIteratorPrototype.cpp:
2889         * runtime/ArrayPrototype.cpp:
2890         (JSC::ArrayPrototype::getOwnPropertySlot):
2891         * runtime/BooleanConstructor.cpp:
2892         * runtime/BooleanObject.cpp:
2893         * runtime/BooleanPrototype.cpp:
2894         (JSC::BooleanPrototype::getOwnPropertySlot):
2895         * runtime/ClassInfo.h:
2896         (JSC::ClassInfo::hasStaticProperties):
2897         (JSC::ClassInfo::propHashTable): Deleted.
2898         * runtime/ConsolePrototype.cpp:
2899         * runtime/CustomGetterSetter.cpp:
2900         * runtime/DateConstructor.cpp:
2901         (JSC::DateConstructor::getOwnPropertySlot):
2902         * runtime/DateInstance.cpp:
2903         * runtime/DatePrototype.cpp:
2904         (JSC::DatePrototype::getOwnPropertySlot):
2905         * runtime/Error.cpp:
2906         * runtime/ErrorConstructor.cpp:
2907         * runtime/ErrorInstance.cpp:
2908         * runtime/ErrorPrototype.cpp:
2909         (JSC::ErrorPrototype::getOwnPropertySlot):
2910         * runtime/ExceptionHelpers.cpp:
2911         * runtime/Executable.cpp:
2912         * runtime/FunctionConstructor.cpp:
2913         * runtime/FunctionPrototype.cpp:
2914         * runtime/GetterSetter.cpp:
2915         * runtime/InternalFunction.cpp:
2916         * runtime/JSAPIValueWrapper.cpp:
2917         * runtime/JSActivation.cpp:
2918         * runtime/JSArgumentsIterator.cpp:
2919         * runtime/JSArray.cpp:
2920         * runtime/JSArrayBuffer.cpp:
2921         * runtime/JSArrayBufferConstructor.cpp:
2922         * runtime/JSArrayBufferPrototype.cpp:
2923         * runtime/JSArrayBufferView.cpp:
2924         * runtime/JSArrayIterator.cpp:
2925         * runtime/JSBoundFunction.cpp:
2926         * runtime/JSConsole.cpp:
2927         * runtime/JSDataView.cpp:
2928         * runtime/JSDataViewPrototype.cpp:
2929         (JSC::JSDataViewPrototype::getOwnPropertySlot):
2930         * runtime/JSFunction.cpp:
2931         * runtime/JSGlobalObject.cpp:
2932         (JSC::JSGlobalObject::getOwnPropertySlot):
2933         * runtime/JSMap.cpp:
2934         * runtime/JSMapIterator.cpp:
2935         * runtime/JSNameScope.cpp:
2936         * runtime/JSNotAnObject.cpp:
2937         * runtime/JSONObject.cpp:
2938         (JSC::JSONObject::getOwnPropertySlot):
2939         * runtime/JSObject.cpp:
2940         (JSC::getClassPropertyNames):
2941         (JSC::JSObject::put):
2942         (JSC::JSObject::deleteProperty):
2943         (JSC::JSObject::findPropertyHashEntry):
2944         (JSC::JSObject::reifyStaticFunctionsForDelete):
2945         * runtime/JSObject.h:
2946         * runtime/JSPromise.cpp:
2947         * runtime/JSPromiseConstructor.cpp:
2948         (JSC::JSPromiseConstructor::getOwnPropertySlot):
2949         * runtime/JSPromiseDeferred.cpp:
2950         * runtime/JSPromisePrototype.cpp:
2951         (JSC::JSPromisePrototype::getOwnPropertySlot):
2952         * runtime/JSPromiseReaction.cpp:
2953         * runtime/JSPropertyNameIterator.cpp:
2954         * runtime/JSProxy.cpp:
2955         * runtime/JSSet.cpp:
2956         * runtime/JSSetIterator.cpp:
2957         * runtime/JSString.cpp:
2958         * runtime/JSTypedArrayConstructors.cpp:
2959         * runtime/JSTypedArrayPrototypes.cpp:
2960         * runtime/JSTypedArrays.cpp:
2961         * runtime/JSVariableObject.cpp:
2962         * runtime/JSWeakMap.cpp:
2963         * runtime/JSWithScope.cpp:
2964         * runtime/Lookup.cpp:
2965         (JSC::HashTable::createTable):
2966         * runtime/Lookup.h:
2967         (JSC::HashTable::initializeIfNeeded):
2968         (JSC::HashTable::entry):
2969         (JSC::HashTable::begin):
2970         (JSC::HashTable::end):
2971         (JSC::getStaticPropertySlot):
2972         (JSC::getStaticFunctionSlot):
2973         (JSC::getStaticValueSlot):
2974         (JSC::lookupPut):
2975         * runtime/MapConstructor.cpp:
2976         * runtime/MapData.cpp:
2977         * runtime/MapIteratorConstructor.cpp:
2978         * runtime/MapIteratorPrototype.cpp:
2979         * runtime/MapPrototype.cpp:
2980         * runtime/MathObject.cpp:
2981         * runtime/NameConstructor.cpp:
2982         * runtime/NameInstance.cpp:
2983         * runtime/NamePrototype.cpp:
2984         (JSC::NamePrototype::getOwnPropertySlot):
2985         * runtime/NativeErrorConstructor.cpp:
2986         * runtime/NumberConstructor.cpp:
2987         (JSC::NumberConstructor::getOwnPropertySlot):
2988         * runtime/NumberObject.cpp:
2989         * runtime/NumberPrototype.cpp:
2990         (JSC::NumberPrototype::getOwnPropertySlot):
2991         * runtime/ObjectConstructor.cpp:
2992         (JSC::ObjectConstructor::getOwnPropertySlot):
2993         * runtime/ObjectPrototype.cpp:
2994         * runtime/PropertyTable.cpp:
2995         * runtime/RegExp.cpp:
2996         * runtime/RegExpConstructor.cpp:
2997         (JSC::RegExpConstructor::getOwnPropertySlot):
2998         * runtime/RegExpMatchesArray.cpp:
2999         * runtime/RegExpObject.cpp:
3000         (JSC::RegExpObject::getOwnPropertySlot):
3001         * runtime/RegExpPrototype.cpp:
3002         (JSC::RegExpPrototype::getOwnPropertySlot):
3003         * runtime/SetConstructor.cpp:
3004         * runtime/SetIteratorConstructor.cpp:
3005         * runtime/SetIteratorPrototype.cpp:
3006         * runtime/SetPrototype.cpp:
3007         * runtime/SparseArrayValueMap.cpp:
3008         * runtime/StrictEvalActivation.cpp:
3009         * runtime/StringConstructor.cpp:
3010         (JSC::StringConstructor::getOwnPropertySlot):
3011         * runtime/StringObject.cpp:
3012         * runtime/StringPrototype.cpp:
3013         * runtime/Structure.cpp:
3014         (JSC::Structure::Structure):
3015         (JSC::Structure::freezeTransition):
3016         (JSC::ClassInfo::hasStaticSetterOrReadonlyProperties):
3017         * runtime/StructureChain.cpp:
3018         * runtime/StructureRareData.cpp:
3019         * runtime/SymbolTable.cpp:
3020         * runtime/VM.cpp:
3021         (JSC::VM::VM):
3022         (JSC::VM::~VM):
3023         * runtime/VM.h:
3024         * runtime/WeakMapConstructor.cpp:
3025         * runtime/WeakMapData.cpp:
3026         * runtime/WeakMapPrototype.cpp:
3027         * testRegExp.cpp:
3028
3029 2014-07-29  Brent Fulgham  <bfulgham@apple.com>
3030
3031         [Win] Modify version numbering scheme to support 5-tuple versions
3032         https://bugs.webkit.org/show_bug.cgi?id=135400
3033         <rdar://problem/17849033>
3034
3035         Reviewed by David Kilzer.
3036
3037         * JavaScriptCore.vcxproj/JavaScriptCorePostBuild.cmd: Use the
3038         new version-stamp.pl script to version JavaScriptCore.dll.
3039
3040 2014-07-29  Daniel Bates  <dabates@apple.com>
3041
3042         Use WTF::move() instead of std::move() to help ensure move semantics
3043         https://bugs.webkit.org/show_bug.cgi?id=135351
3044
3045         Reviewed by Alexey Proskuryakov.
3046
3047         * bytecode/GetByIdStatus.cpp:
3048         (JSC::GetByIdStatus::computeForStubInfo):
3049         * bytecode/GetByIdVariant.cpp:
3050         (JSC::GetByIdVariant::GetByIdVariant):
3051
3052 2014-07-28  Tamas Gergely  <tgergely.u-szeged@partner.samsung.com>
3053
3054         BuildFix: JavaScriptCore/bytecode/StructureSet.h:262:77: warning.
3055         https://bugs.webkit.org/show_bug.cgi?id=135287
3056
3057         Reviewed by Darin Adler.
3058
3059         The set() method tries to use a part of the old value (the reservedFlag bit) which
3060         was not defined when the constructor was called. Initialize m_pointer to 0 explicitly.
3061
3062         * bytecode/StructureSet.h:
3063         (JSC::StructureSet::StructureSet):
3064
3065 2014-07-28  Benjamin Poulain  <bpoulain@apple.com>
3066
3067         [JSC] JIT::assertStackPointerOffset() crashes on ARM64
3068         https://bugs.webkit.org/show_bug.cgi?id=135316
3069
3070         Reviewed by Geoffrey Garen.
3071
3072         JIT::assertStackPointerOffset() does a compare between an arbitrary register
3073         and the stack pointer. This was not supported by the ARM64 assembler.
3074
3075         There is no variation that can take a stack pointer for Xd. There is one version of subs
3076         that can take a stack pointer, but only for the Xn: the shift+extend one.
3077         To solve the problem, I changed cmp to swap the registers if necessary, and I fixed
3078         the implementation of sub.
3079
3080         * assembler/ARM64Assembler.h:
3081         (JSC::ARM64Assembler::sub):
3082         In the generic sub(reg, reg), I added assertions to catch the condition that cannot be generated
3083         with either version of sub.
3084
3085         In sub(with shift), I removed the weird special case for SP. First, it was quite misleading because
3086         the Rd case only works if "setflag == false". The other confusing part is that going to addSubtractShiftedRegister()
3087         gives you a reduced shift range, which could create subtle bugs that only appear when SP is used.
3088
3089         Since I removed the weird case, I need to differentiate between the sub() that supports SP, and the one that does
3090         not elsewhere. That is why that branch has moved to the generic sub(reg, reg). Since at that point we know
3091         the shift value must be zero, it is safe to call either variant.
3092
3093         * assembler/MacroAssemblerARM64.h:
3094         (JSC::MacroAssemblerARM64::branch64):
3095         With the changes described above, we can now use SP for the left register. What do we do if the rightmost
3096         register is SP?
3097
3098         For the case of JIT::assertStackPointerOffset(), the comparison is Equal so the order really does not matter,
3099         we just switch the registers before generating the instruction.
3100
3101         For the generic case, just move the value of SP to a GPR before doing the CMP.
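
The operand-placement rule described above, as an added example that is not JSC's ARM64Assembler: a flag-setting SUBS only accepts SP in Rn, and only in the extended-register form, so a CMP whose SP operand arrived on the right must either swap (safe for Equal) or first copy SP into a scratch GPR. Encodings follow the ARMv8 ISA; the function names and register constants are constructed for this example.

```c
#include <stdint.h>

/* Register numbers as the encoding uses them. 31 means SP in the Rn/Rd
   fields of the extended-register form and XZR in the shifted form. */
enum { X0 = 0, X1 = 1, X2 = 2, X16 = 16, SP = 31, XZR = 31 };

/* SUBS Xd, Xn, Xm (shifted-register form, shift #0).
   Neither Rn nor Rd may be SP here: 31 in those fields means XZR. */
static uint32_t subs_shifted(unsigned rd, unsigned rn, unsigned rm)
{
    return 0xEB000000u | (rm << 16) | (rn << 5) | rd;
}

/* SUBS Xd, Xn, Xm, UXTX #0 (extended-register form).
   This is the only flag-setting SUB whose Rn may be SP; Rd still cannot. */
static uint32_t subs_extended(unsigned rd, unsigned rn, unsigned rm)
{
    const unsigned uxtx = 3;           /* option field 0b011 */
    return 0xEB200000u | (rm << 16) | (uxtx << 13) | (rn << 5) | rd;
}

/* MOV Xd, SP, which is ADD Xd, SP, #0 (immediate form; SP allowed as Rn). */
static uint32_t mov_from_sp(unsigned rd)
{
    return 0x91000000u | (SP << 5) | rd;
}

/* CMP for an Equal/NotEqual branch (the assertStackPointerOffset case):
   operand order does not matter, so SP is swapped into Rn when needed.
   Returns 0 for the one pair no form can express: SP against SP. */
static uint32_t cmp_equal(unsigned left, unsigned right)
{
    if (left == SP && right == SP)
        return 0;
    if (right == SP) {                 /* only Rn may be SP: swap it over */
        unsigned t = left;
        left = right;
        right = t;
    }
    if (left == SP)
        return subs_extended(XZR, left, right);
    return subs_shifted(XZR, left, right);
}

/* CMP for an ordered comparison, where swapping would change the meaning.
   If SP is on the right it is first copied to a scratch GPR. Writes one or
   two instructions into out[] and returns how many. */
static int cmp_ordered(unsigned left, unsigned right, unsigned scratch, uint32_t out[2])
{
    int n = 0;
    if (right == SP) {
        out[n++] = mov_from_sp(scratch);
        right = scratch;
    }
    out[n++] = (left == SP) ? subs_extended(XZR, left, right)
                            : subs_shifted(XZR, left, right);
    return n;
}
```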
3102
3103 2014-07-28  Brian J. Burg  <burg@cs.washington.edu>
3104
3105         Unreviewed build fix after r171682.
3106
3107         * replay/EncodedValue.h: Don't mark the inlined Vector<char> specialization
3108         as an exported symbol.
3109
3110 2014-07-28  Mark Hahnenberg  <mhahnenberg@apple.com>
3111
3112         REGRESSION: JSObjectSetPrototype() does not work on result of JSGetGlobalObject()
3113         https://bugs.webkit.org/show_bug.cgi?id=135322
3114
3115         Reviewed by Oliver Hunt.
3116
3117         The prototype chain of the JSProxy object should match that of the JSGlobalObject. 
3118
3119         This is a separate but related issue with JSObjectSetPrototype which doesn't correctly 
3120         account for JSProxies. I also audited the rest of the C API to check that we correctly 
3121         handle JSProxies in all other situations where we expect a JSCallbackObject of some sort
3122         and found some SPI calls (JSObject*PrivateProperty) that didn't behave correctly when 
3123         passed a JSProxy.
3124
3125         I also added some new tests for these cases.
3126
3127         * API/JSObjectRef.cpp:
3128         (JSObjectSetPrototype):
3129         (JSObjectGetPrivateProperty):
3130         (JSObjectSetPrivateProperty):
3131         (JSObjectDeletePrivateProperty):
3132         * API/JSWeakObjectMapRefPrivate.cpp:
3133         * API/tests/CustomGlobalObjectClassTest.c:
3134         (globalObjectSetPrototypeTest):
3135         (globalObjectPrivatePropertyTest):
3136         * API/tests/CustomGlobalObjectClassTest.h:
3137         * API/tests/testapi.c:
3138         (main):
3139
3140 2014-07-28  Filip Pizlo  <fpizlo@apple.com>
3141
3142         Make sure that we don't use non-speculative BooleanToNumber for a speculative Branch
3143         https://bugs.webkit.org/show_bug.cgi?id=135350
3144         <rdar://problem/17509889>
3145
3146         Reviewed by Mark Hahnenberg and Oliver Hunt.
3147         
3148         If we have an exiting node that uses a conversion node, then that exiting node
3149         needs to have a Phantom after it for the original node. But we can't do that
3150         for Branch because of https://bugs.webkit.org/show_bug.cgi?id=126778.
3151
3152         * dfg/DFGFixupPhase.cpp:
3153         (JSC::DFG::FixupPhase::fixupNode):
3154         (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
3155         * tests/stress/branch-check-int32-on-boolean-to-number-untyped.js: Added.
3156         (foo):
3157         (test):
3158         * tests/stress/branch-check-number-on-boolean-to-number-untyped.js: Added.
3159         (foo):
3160         (test):
3161
3162 2014-07-28  Joseph Pecoraro  <pecoraro@apple.com>
3163
3164         JSContext Inspector: crash when using step-into
3165         https://bugs.webkit.org/show_bug.cgi?id=135345
3166
3167         Reviewed by Timothy Hatcher.
3168
3169         * inspector/agents/InspectorDebuggerAgent.cpp:
3170         (Inspector::InspectorDebuggerAgent::stepInto):
3171         Null check m_listener since it may not be set.
3172
3173 2014-07-28  Brian J. Burg  <burg@cs.washington.edu>
3174
3175         Web Replay: auto-decoding of parameterized vector's elements is incorrect
3176         https://bugs.webkit.org/show_bug.cgi?id=135343
3177
3178         Reviewed by Timothy Hatcher.
3179
3180         Fix an incorrect type argument in EncodingTraits<Vector<T>>::encodeValue
3181         that was using the element's decoded type as the type parameter to
3182         EncodedValue::append<T>. It should instead be the raw type T. This
3183         causes problems when encoding Vector<RefPtr<T>>, as it later tries to
3184         use encoding traits for RefPtr<T> rather than for T.
3185
3186         Fix incorrect generated encoding traits argument for vectors of
3187         RefCounted objects. Updated test to cover this scenario.
3188
3189         * replay/scripts/CodeGeneratorReplayInputs.py:
3190         (Type.encoding_type_argument):
3191         (VectorType.type_name):
3192         (VectorType):
3193         (VectorType.encoding_type_argument):
3194         (Generator.generate_input_encode_implementation):
3195         (Generator.generate_input_decode_implementation):
3196         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp:
3197         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h:
3198         * replay/scripts/tests/generate-input-with-vector-members.json: Updated.
3199
3200 2014-07-28  Brian J. Burg  <burg@cs.washington.edu>
3201
3202         Web Replay: incorrect serialization code generated for enum classes inside class scope
3203         https://bugs.webkit.org/show_bug.cgi?id=135342
3204
3205         Reviewed by Timothy Hatcher.
3206
3207         If an enum class is defined inside of a class scope, then the enum class
3208         cannot be forward-declared and the relevant header should be included.
3209         Some generated code used incorrectly-scoped enum values in this situation.
3210
3211         * replay/scripts/CodeGeneratorReplayInputs.py:
3212         (Generator.generate_includes.declaration.is):
3213         (Generator.generate_enum_trait_implementation.is):
3214         (Generator.generate_enum_trait_implementation):
3215
3216         Tests:
3217
3218         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Rebaselined.
3219         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Rebaselined.
3220         * replay/scripts/tests/generate-enums-with-same-base-name.json: Add enum
3221         class types to this test case.
3222
3223 2014-07-28  Brian J. Burg  <burg@cs.washington.edu>
3224
3225         Web Replay: vectors of characters should be base64-encoded
3226         https://bugs.webkit.org/show_bug.cgi?id=135341
3227
3228         Reviewed by Timothy Hatcher.
3229
3230         Without this specialization, encode/decode methods try to create an
3231         array of single characters in JSON, rather than treating the
3232         vector as a binary blob.
3233
3234         * replay/EncodedValue.cpp:
3235         (JSC::EncodingTraits<Vector<char>>::encodeValue): Added.
3236         (JSC::EncodingTraits<Vector<char>>::decodeValue): Added.
3237         * replay/EncodedValue.h:
3238
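The two encodings the entry above contrasts, as an added example that is not WebKit's code: a hand-written base64 encoder and strict decoder over std::vector<char> (standing in for WTF::Vector<char>), beside the naive one-element-per-character JSON form, so the shapes of the two outputs can be compared and the blob round trip checked. The naive form emits numeric elements; that is a constructed stand-in for the per-character array the entry describes, and the function names are this example's own.

```cpp
#include <cstdint>
#include <iostream>
#include <optional>
#include <string>
#include <vector>

// Added example, not WebKit code. std::vector<char> stands in for
// WTF::Vector<char>; the function names are this example's own.

static const char kAlphabet[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// Naive form: one JSON element per character. Bytes are written as numbers
// so the output stays valid JSON even when the input is not UTF-8 text.
std::string encodeAsJsonArray(const std::vector<char>& bytes) {
    std::string out = "[";
    for (size_t i = 0; i < bytes.size(); ++i) {
        if (i) out += ",";
        out += std::to_string(static_cast<unsigned char>(bytes[i]));
    }
    return out + "]";
}

// Blob form: the whole vector becomes a single base64 string.
std::string base64Encode(const std::vector<char>& bytes) {
    std::string out;
    size_t i = 0;
    for (; i + 2 < bytes.size(); i += 3) {
        uint32_t n = (static_cast<unsigned char>(bytes[i]) << 16)
                   | (static_cast<unsigned char>(bytes[i + 1]) << 8)
                   |  static_cast<unsigned char>(bytes[i + 2]);
        out += kAlphabet[(n >> 18) & 63];
        out += kAlphabet[(n >> 12) & 63];
        out += kAlphabet[(n >> 6) & 63];
        out += kAlphabet[n & 63];
    }
    size_t rest = bytes.size() - i;  // 0, 1 or 2 trailing bytes
    if (rest) {
        uint32_t n = static_cast<unsigned char>(bytes[i]) << 16;
        if (rest == 2) n |= static_cast<unsigned char>(bytes[i + 1]) << 8;
        out += kAlphabet[(n >> 18) & 63];
        out += kAlphabet[(n >> 12) & 63];
        out += rest == 2 ? kAlphabet[(n >> 6) & 63] : '=';
        out += '=';
    }
    return out;
}

// Strict decoder: rejects a length that is not a multiple of 4, characters
// outside the alphabet, and padding anywhere but the last two positions.
std::optional<std::vector<char>> base64Decode(const std::string& text) {
    if (text.size() % 4) return std::nullopt;
    std::vector<char> out;
    uint32_t n = 0;
    int bits = 0;
    size_t pad = 0;
    for (size_t i = 0; i < text.size(); ++i) {
        char c = text[i];
        if (c == '=') {
            if (i + 2 < text.size()) return std::nullopt;  // padding too early
            ++pad;
            continue;
        }
        if (pad) return std::nullopt;  // data after padding
        const char* p = std::char_traits<char>::find(kAlphabet, 64, c);
        if (!p) return std::nullopt;   // not a base64 character
        n = (n << 6) | static_cast<uint32_t>(p - kAlphabet);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out.push_back(static_cast<char>((n >> bits) & 0xFF));
        }
    }
    if (pad > 2) return std::nullopt;
    return out;
}

// True when encode followed by decode reproduces the input exactly.
bool roundTrips(const std::vector<char>& bytes) {
    auto decoded = base64Decode(base64Encode(bytes));
    return decoded && *decoded == bytes;
}

int main() {
    // Constructed sample: a NUL, a 0xFF byte, printable text and DEL.
    std::vector<char> sample{'\0', '\xff', 'h', 'i', '\x7f'};
    std::cout << "per-character form: " << encodeAsJsonArray(sample) << "\n";
    std::cout << "blob form:          " << base64Encode(sample) << "\n";
    std::cout << "round trip ok:      " << (roundTrips(sample) ? "yes" : "no") << "\n";
    return 0;
}
```

The decoder returns std::nullopt instead of best-effort bytes when the text is malformed; when the encoded value comes from a replay file rather than from the process itself, rejecting bad input at this boundary is cheaper than reasoning about a half-decoded buffer later. It does not reject non-canonical trailing bits in the last group, which a decoder that must guarantee a unique encoding per byte string would also check.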
3239 2014-07-28  Brent Fulgham  <bfulgham@apple.com>
3240
3241         [Win] Unreviewed build fix.
3242
3243         * JavaScriptCore.vcxproj/JavaScriptCore.proj: Switch from the 'Rebuild' target for MSBuild
3244         builds to the 'Build' target to avoid a spurious 'clean' in between build steps.
3245
3246 2014-07-27  Ryuan Choi  <ryuan.choi@samsung.com>
3247
3248         Unreviewed build fix on the EFL port
3249
3250         Build break because of -Werror=return-type
3251
3252         * bytecode/PutByIdVariant.cpp:
3253         (JSC::PutByIdVariant::oldStructureForTransition):
3254         * dfg/DFGValueStrength.h:
3255         (JSC::DFG::merge):
3256
3257 2014-07-27  Filip Pizlo  <fpizlo@apple.com>
3258
3259         [REGRESSION][ftlopt merge][32-bit] stress/prune-multi-put-by-offset-replace-or-transition-variant.js.dfg-eager hits an assertion in SpeculativeJIT::silentSavePlanForGPR
3260         https://bugs.webkit.org/show_bug.cgi?id=135323
3261
3262         Reviewed by Oliver Hunt.
3263         
3264         SpeculativeJIT::silentSavePlanForGPR likes to believe that if a node is a constant,
3265         then it's a constant that can be represented using that node's current DataFormat.
3266         This doesn't work if the constant had been filled as a JSValue, and then one of the
3267         fillSpeculateBlah() methods had speculated that it's of some type that the constant
3268         isn't. Unless fillSpeculateBlah() specifically defends against this case, we'll have
3269         a constant that claims to have a contradictory data format.
3270         
3271         This patch fixes such a bug in the 32-bit fillSpeculateCell(). The 64-bit
3272         fillSpeculateCell() appears to not have this bug, but I added a similar defense
3273         mechanism anyway just in case, since this is one of those mistakes that keeps
3274         reappearing.
3275
3276         * dfg/DFGSpeculativeJIT.cpp:
3277         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
3278         * dfg/DFGSpeculativeJIT32_64.cpp:
3279         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3280         * dfg/DFGSpeculativeJIT64.cpp:
3281         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3282
3283 2014-07-27  Filip Pizlo  <fpizlo@apple.com>
3284
3285         Merge r170090, r170092, r170129, r170141, r170161, r170215, r170275, r170375, r170376, r170382, r170383, r170399, r170436, r170489, r170490, r170556 from ftlopt.
3286         
3287         This fixes the previous mismerge and adds test coverage for the thing that went wrong.
3288         
3289         Additional changes listed here:
3290
3291         * jsc.cpp:
3292         (functionHasCustomProperties): Expose a way of checking hasCustomProperties(), which the DOM relies on. The regression I previously introduced was because this didn't work right. Now we can test it!
3293         * runtime/Structure.cpp:
3294         (JSC::Structure::Structure): This was supposed to be setDidTransition(true); the last merge had it set to false.
3295         * tests/stress/has-custom-properties.js: Added. This test failed with the mismerge.
3296
3297     2014-06-27  Michael Saboff  <msaboff@apple.com>
3298     
3299             Unreviewed build fix after r169795.
3300     
3301             Fixed ASSERT for 32 bit build.
3302     
3303             * dfg/DFGSpeculativeJIT.cpp:
3304             (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
3305     
3306     2014-06-24  Saam Barati  <sbarati@apple.com>
3307     
3308             Web Inspector: debugger should be able to show variable types
3309             https://bugs.webkit.org/show_bug.cgi?id=133395
3310     
3311             Reviewed by Filip Pizlo.
3312     
3313             Increase the amount of type information the VM gathers when directed
3314             to do so. This initial commit is working towards the goal of
3315             capturing, and then showing (via the Web Inspector) type information for all
3316             assignment and load operations. This patch doesn't have the feature fully 
3317             implemented, but it ensures the VM has no performance regressions
3318             unless the feature is specifically turned on.
3319     
3320             * JavaScriptCore.xcodeproj/project.pbxproj:
3321             * bytecode/BytecodeList.json:
3322             * bytecode/BytecodeUseDef.h:
3323             (JSC::computeUsesForBytecodeOffset):
3324             (JSC::computeDefsForBytecodeOffset):
3325             * bytecode/CodeBlock.cpp:
3326             (JSC::CodeBlock::dumpBytecode):
3327             (JSC::CodeBlock::CodeBlock):
3328             (JSC::CodeBlock::finalizeUnconditionally):
3329             * bytecode/CodeBlock.h:
3330             * bytecode/Instruction.h:
3331             * bytecode/TypeLocation.h: Added.
3332             (JSC::TypeLocation::TypeLocation):
3333             * bytecompiler/BytecodeGenerator.cpp:
3334             (JSC::BytecodeGenerator::emitMove):
3335             (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
3336             (JSC::BytecodeGenerator::emitPutToScope):
3337             (JSC::BytecodeGenerator::emitPutById):
3338             (JSC::BytecodeGenerator::emitPutByVal):
3339             * bytecompiler/BytecodeGenerator.h:
3340             (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity):
3341             * bytecompiler/NodesCodegen.cpp:
3342             (JSC::PostfixNode::emitResolve):
3343             (JSC::PrefixNode::emitResolve):
3344             (JSC::ReadModifyResolveNode::emitBytecode):
3345             (JSC::AssignResolveNode::emitBytecode):
3346             (JSC::ConstDeclNode::emitCodeSingle):
3347             (JSC::ForInNode::emitBytecode):
3348             * heap/Heap.cpp:
3349             (JSC::Heap::collect):
3350             * inspector/agents/InspectorRuntimeAgent.cpp:
3351             (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange):
3352             * inspector/agents/InspectorRuntimeAgent.h:
3353             * inspector/protocol/Runtime.json:
3354             * jsc.cpp:
3355             (GlobalObject::finishCreation):
3356             (functionDumpTypesForAllVariables):
3357             * llint/LLIntSlowPaths.cpp:
3358             (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3359             (JSC::LLInt::putToScopeCommon):
3360             * llint/LLIntSlowPaths.h:
3361             * llint/LowLevelInterpreter.asm:
3362             * runtime/HighFidelityLog.cpp: Added.
3363             (JSC::HighFidelityLog::initializeHighFidelityLog):
3364             (JSC::HighFidelityLog::~HighFidelityLog):
3365             (JSC::HighFidelityLog::recordTypeInformationForLocation):
3366             (JSC::HighFidelityLog::processHighFidelityLog):
3367             (JSC::HighFidelityLog::actuallyProcessLogThreadFunction):
3368             * runtime/HighFidelityLog.h: Added.
3369             (JSC::HighFidelityLog::HighFidelityLog):
3370             * runtime/HighFidelityTypeProfiler.cpp: Added.
3371             (JSC::HighFidelityTypeProfiler::getTypesForVariableInRange):
3372             (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableInRange):
3373             (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableInRange):
3374             (JSC::HighFidelityTypeProfiler::insertNewLocation):
3375             (JSC::HighFidelityTypeProfiler::getLocationBasedHash):
3376             * runtime/HighFidelityTypeProfiler.h: Added.
3377             * runtime/Options.h:
3378             * runtime/Structure.cpp:
3379             (JSC::Structure::toStructureShape):
3380             * runtime/Structure.h:
3381             * runtime/SymbolTable.cpp:
3382             (JSC::SymbolTable::SymbolTable):
3383             (JSC::SymbolTable::cloneCapturedNames):
3384             (JSC::SymbolTable::uniqueIDForVariable):
3385             (JSC::SymbolTable::uniqueIDForRegister):
3386             (JSC::SymbolTable::globalTypeSetForRegister):
3387             (JSC::SymbolTable::globalTypeSetForVariable):
3388             * runtime/SymbolTable.h:
3389             (JSC::SymbolTable::add):
3390             (JSC::SymbolTable::set):
3391             * runtime/TypeSet.cpp: Added.
3392             (JSC::TypeSet::TypeSet):
3393             (JSC::TypeSet::getRuntimeTypeForValue):
3394             (JSC::TypeSet::addTypeForValue):
3395             (JSC::TypeSet::removeDuplicatesInStructureHistory):
3396             (JSC::TypeSet::seenTypes):
3397             (JSC::TypeSet::dumpSeenTypes):
3398             (JSC::StructureShape::StructureShape):
3399             (JSC::StructureShape::markAsFinal):
3400             (JSC::StructureShape::addProperty):
3401             (JSC::StructureShape::propertyHash):
3402             (JSC::StructureShape::leastUpperBound):
3403             (JSC::StructureShape::stringRepresentation):
3404             * runtime/TypeSet.h: Added.
3405             (JSC::StructureShape::create):
3406             (JSC::TypeSet::create):
3407             * runtime/VM.cpp:
3408             (JSC::VM::VM):
3409             (JSC::VM::getTypesForVariableInRange):
3410             (JSC::VM::updateHighFidelityTypeProfileState):
3411             (JSC::VM::dumpHighFidelityProfilingTypes):
3412             * runtime/VM.h:
3413             (JSC::VM::isProfilingTypesWithHighFidelity):
3414             (JSC::VM::highFidelityLog):
3415             (JSC::VM::highFidelityTypeProfiler):
3416             (JSC::VM::nextLocation):
3417             (JSC::VM::getNextUniqueVariableID):
3418     
3419     2014-06-26  Mark Lam  <mark.lam@apple.com>
3420     
3421             Remove unused instantiation of the WithScope structure.
3422             <https://webkit.org/b/134331>
3423     
3424             Reviewed by Oliver Hunt.
3425     
3426             The WithScope structure instance in the VM is unused, and is now removed.
3427     
3428             * runtime/VM.cpp:
3429             (JSC::VM::VM):
3430             * runtime/VM.h:
3431     
3432     2014-06-25  Mark Hahnenberg  <mhahnenberg@apple.com>
3433     
3434             Structure bit fields should have a consistent format
3435             https://bugs.webkit.org/show_bug.cgi?id=134307
3436     
3437             Reviewed by Filip Pizlo.
3438     
3439             Currently we use C-style bit fields for a number of member variables in Structure to save space. 
3440             This makes it difficult to load these fields in the JIT. We should instead use our own bitfield 
3441             format to make it easy to load and test these variables in JIT code.
3442     
3443             * runtime/JSObject.cpp:
3444             (JSC::JSObject::putDirectNonIndexAccessor):
3445             (JSC::JSObject::reifyStaticFunctionsForDelete):
3446             * runtime/Structure.cpp:
3447             (JSC::StructureTransitionTable::contains):
3448             (JSC::StructureTransitionTable::get):
3449             (JSC::StructureTransitionTable::add):
3450             (JSC::Structure::Structure):
3451             (JSC::Structure::materializePropertyMap):
3452             (JSC::Structure::addPropertyTransition):
3453             (JSC::Structure::despecifyFunctionTransition):
3454             (JSC::Structure::toDictionaryTransition):
3455             (JSC::Structure::freezeTransition):
3456             (JSC::Structure::preventExtensionsTransition):
3457             (JSC::Structure::takePropertyTableOrCloneIfPinned):
3458             (JSC::Structure::nonPropertyTransition):
3459             (JSC::Structure::flattenDictionaryStructure):
3460             (JSC::Structure::addPropertyWithoutTransition):
3461             (JSC::Structure::pin):
3462             (JSC::Structure::allocateRareData):
3463             (JSC::Structure::cloneRareDataFrom):
3464             (JSC::Structure::getConcurrently):
3465             (JSC::Structure::putSpecificValue):
3466             (JSC::Structure::getPropertyNamesFromStructure):
3467             (JSC::Structure::visitChildren):
3468             (JSC::Structure::checkConsistency):
3469             * runtime/Structure.h:
3470             (JSC::Structure::isExtensible):
3471             (JSC::Structure::isDictionary):
3472             (JSC::Structure::isUncacheableDictionary):
3473             (JSC::Structure::propertyAccessesAreCacheable):
3474             (JSC::Structure::previousID):
3475             (JSC::Structure::setHasGetterSetterPropertiesWithProtoCheck):
3476             (JSC::Structure::setContainsReadOnlyProperties):
3477             (JSC::Structure::disableSpecificFunctionTracking):
3478             (JSC::Structure::objectToStringValue):
3479             (JSC::Structure::setObjectToStringValue):
3480             (JSC::Structure::setPreviousID):
3481             (JSC::Structure::clearPreviousID):
3482             (JSC::Structure::previous):
3483             (JSC::Structure::rareData):
3484             (JSC::Structure::didTransition): Deleted.
3485             (JSC::Structure::hasGetterSetterProperties): Deleted.
3486             (JSC::Structure::hasReadOnlyOrGetterSetterPropertiesExcludingProto): Deleted.
3487             (JSC::Structure::setHasGetterSetterProperties): Deleted.
3488             (JSC::Structure::hasNonEnumerableProperties): Deleted.
3489             (JSC::Structure::staticFunctionsReified): Deleted.
3490             (JSC::Structure::setStaticFunctionsReified): Deleted.
3491             * runtime/StructureInlines.h:
3492             (JSC::Structure::setEnumerationCache):
3493             (JSC::Structure::enumerationCache):
3494             (JSC::Structure::checkOffsetConsistency):
3495     
3496     2014-06-24  Mark Lam  <mark.lam@apple.com>
3497     
3498             [ftlopt] Renamed DebuggerActivation to DebuggerScope.
3499             <https://webkit.org/b/134273>
3500     
3501             Reviewed by Michael Saboff.
3502     
3503             * CMakeLists.txt:
3504             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3505             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3506             * JavaScriptCore.xcodeproj/project.pbxproj:
3507             * debugger/DebuggerActivation.cpp: Removed.
3508             * debugger/DebuggerActivation.h: Removed.
3509             * debugger/DebuggerScope.cpp: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.cpp.
3510             (JSC::DebuggerScope::DebuggerScope):
3511             (JSC::DebuggerScope::finishCreation):
3512             (JSC::DebuggerScope::visitChildren):
3513             (JSC::DebuggerScope::className):
3514             (JSC::DebuggerScope::getOwnPropertySlot):
3515             (JSC::DebuggerScope::put):
3516             (JSC::DebuggerScope::deleteProperty):
3517             (JSC::DebuggerScope::getOwnPropertyNames):
3518             (JSC::DebuggerScope::defineOwnProperty):
3519             (JSC::DebuggerActivation::DebuggerActivation): Deleted.
3520             (JSC::DebuggerActivation::finishCreation): Deleted.
3521             (JSC::DebuggerActivation::visitChildren): Deleted.
3522             (JSC::DebuggerActivation::className): Deleted.
3523             (JSC::DebuggerActivation::getOwnPropertySlot): Deleted.
3524             (JSC::DebuggerActivation::put): Deleted.
3525             (JSC::DebuggerActivation::deleteProperty): Deleted.
3526             (JSC::DebuggerActivation::getOwnPropertyNames): Deleted.
3527             (JSC::DebuggerActivation::defineOwnProperty): Deleted.
3528             * debugger/DebuggerScope.h: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.h.
3529             (JSC::DebuggerScope::create):
3530             (JSC::DebuggerActivation::create): Deleted.
3531             * runtime/VM.cpp:
3532             (JSC::VM::VM):
3533             * runtime/VM.h:
3534     
3535     2014-06-24  Filip Pizlo  <fpizlo@apple.com>
3536     
3537             [ftlopt] PutByIdFlush can also be converted to a PutByOffset so don't assert otherwise
3538             https://bugs.webkit.org/show_bug.cgi?id=134265
3539     
3540             Reviewed by Geoffrey Garen.
3541             
3542             More assertion fallout from the PutById folding work.
3543     
3544             * dfg/DFGNode.h:
3545             (JSC::DFG::Node::convertToPutByOffset):
3546     
3547     2014-06-24  Filip Pizlo  <fpizlo@apple.com>
3548     
3549             [ftlopt] GC should notify us if it resets to_this
3550             https://bugs.webkit.org/show_bug.cgi?id=128231
3551     
3552             Reviewed by Geoffrey Garen.
3553     
3554             * CMakeLists.txt:
3555             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3556             * JavaScriptCore.xcodeproj/project.pbxproj:
3557             * bytecode/BytecodeList.json:
3558             * bytecode/CodeBlock.cpp:
3559             (JSC::CodeBlock::dumpBytecode):
3560             (JSC::CodeBlock::finalizeUnconditionally):
3561             * bytecode/Instruction.h:
3562             * bytecode/ToThisStatus.cpp: Added.
3563             (JSC::merge):
3564             (WTF::printInternal):
3565             * bytecode/ToThisStatus.h: Added.
3566             * bytecompiler/BytecodeGenerator.cpp:
3567             (JSC::BytecodeGenerator::BytecodeGenerator):
3568             * dfg/DFGByteCodeParser.cpp:
3569             (JSC::DFG::ByteCodeParser::parseBlock):
3570             * llint/LowLevelInterpreter32_64.asm:
3571             * llint/LowLevelInterpreter64.asm:
3572             * runtime/CommonSlowPaths.cpp:
3573             (JSC::SLOW_PATH_DECL):
3574     
3575     2014-06-24  Filip Pizlo  <fpizlo@apple.com>
3576     
3577             [ftlopt] StructureAbstractValue::onlyStructure() should return nullptr if isClobbered()
3578             https://bugs.webkit.org/show_bug.cgi?id=134256
3579     
3580             Reviewed by Michael Saboff.
3581             
3582             This isn't testable right now (i.e. it's benign) but we should get it right anyway. The
3583             point is to be able to precisely model what goes on in the snippets of code between a
3584             side-effect and an InvalidationPoint.
3585             
3586             This patch also cleans up onlyStructure() by delegating more work to
3587             StructureSet::onlyStructure().
3588     
3589             * dfg/DFGStructureAbstractValue.h:
3590             (JSC::DFG::StructureAbstractValue::onlyStructure):
3591     
3592     2014-06-24  Filip Pizlo  <fpizlo@apple.com>
3593     
3594             [ftlopt][REGRESSION] PutById AI is introducing watchable structures without watching them
3595             https://bugs.webkit.org/show_bug.cgi?id=134260
3596     
3597             Reviewed by Geoffrey Garen.
3598             
3599             This was causing loads of assertion failures in debug builds.
3600     
3601             * dfg/DFGAbstractInterpreterInlines.h:
3602             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3603     
3604     2014-06-21  Filip Pizlo  <fpizlo@apple.com>
3605     
3606             [ftlopt] Fold GetById/PutById to MultiGetByOffset/GetByOffset or MultiPutByOffset/PutByOffset, which implies handling non-singleton sets
3607             https://bugs.webkit.org/show_bug.cgi?id=134090
3608     
3609             Reviewed by Oliver Hunt.
3610             
3611             This pretty much finishes off the work to eliminate the special-casing of singleton
3612             structure sets by making it possible to fold GetById and PutById to various polymorphic
3613             forms of the ByOffset nodes.
3614             
3615             * bytecode/GetByIdStatus.cpp:
3616             (JSC::GetByIdStatus::computeForStubInfo):
3617             (JSC::GetByIdStatus::computeFor):
3618             * bytecode/GetByIdStatus.h:
3619             * bytecode/PutByIdStatus.cpp:
3620             (JSC::PutByIdStatus::computeFor):
3621             * bytecode/PutByIdStatus.h:
3622             * bytecode/PutByIdVariant.h:
3623             (JSC::PutByIdVariant::constantChecks):
3624             * dfg/DFGAbstractInterpreterInlines.h:
3625             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3626             * dfg/DFGByteCodeParser.cpp:
3627             (JSC::DFG::ByteCodeParser::parseBlock):
3628             * dfg/DFGConstantFoldingPhase.cpp:
3629             (JSC::DFG::ConstantFoldingPhase::foldConstants):
3630             (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
3631             (JSC::DFG::ConstantFoldingPhase::addChecks):
3632             * dfg/DFGNode.h:
3633             (JSC::DFG::Node::convertToMultiGetByOffset):
3634             (JSC::DFG::Node::convertToMultiPutByOffset):
3635             * dfg/DFGSpeculativeJIT64.cpp: Also convert all release assertions to DFG assertions in this file, because I was hitting some of them while debugging.
3636             (JSC::DFG::SpeculativeJIT::fillJSValue):
3637             (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
3638             (JSC::DFG::SpeculativeJIT::emitCall):
3639             (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
3640             (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
3641             (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
3642             (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3643             (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3644             (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3645             (JSC::DFG::SpeculativeJIT::compileLogicalNot):
3646             (JSC::DFG::SpeculativeJIT::emitBranch):
3647             (JSC::DFG::SpeculativeJIT::compile):
3648             * dfg/DFGStructureAbstractValue.h:
3649             (JSC::DFG::StructureAbstractValue::set):
3650     
3651     2014-06-19  Filip Pizlo  <fpizlo@apple.com>
3652     
3653             [ftlopt] StructureSet::onlyStructure() should return nullptr if it's not a singleton (instead of asserting)
3654             https://bugs.webkit.org/show_bug.cgi?id=134077
3655     
3656             Reviewed by Sam Weinig.
3657             
3658             This makes StructureSet and StructureAbstractValue more consistent and fixes a debug assert
3659             in the abstract interpreter.
3660     
3661             * bytecode/StructureSet.h:
3662             (JSC::StructureSet::onlyStructure):
3663     
3664     2014-06-18  Filip Pizlo  <fpizlo@apple.com>
3665     
3666             DFG AI and constant folder should be able to precisely prune MultiGetByOffset/MultiPutByOffset even if the base structure abstract value is not a singleton
3667             https://bugs.webkit.org/show_bug.cgi?id=133918
3668     
3669             Reviewed by Mark Hahnenberg.
3670             
3671             This also adds pruning of PutStructure, since I basically had no choice but
3672             to implement such logic within MultiPutByOffset.
3673             
3674             Also adds a bunch of PutById cache status dumping to bytecode dumping.
3675     
3676             * bytecode/GetByIdVariant.cpp:
3677             (JSC::GetByIdVariant::dumpInContext):
3678             * bytecode/GetByIdVariant.h:
3679             (JSC::GetByIdVariant::structureSet):
3680             * bytecode/PutByIdVariant.h:
3681             (JSC::PutByIdVariant::oldStructure):
3682             * bytecode/StructureSet.cpp:
3683             (JSC::StructureSet::filter):
3684             (JSC::StructureSet::filterArrayModes):
3685             * bytecode/StructureSet.h:
3686             * dfg/DFGAbstractInterpreterInlines.h:
3687             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3688             * dfg/DFGAbstractValue.cpp:
3689             (JSC::DFG::AbstractValue::changeStructure):
3690             (JSC::DFG::AbstractValue::contains):
3691             * dfg/DFGAbstractValue.h:
3692             (JSC::DFG::AbstractValue::couldBeType):
3693             (JSC::DFG::AbstractValue::isType):
3694             * dfg/DFGConstantFoldingPhase.cpp:
3695             (JSC::DFG::ConstantFoldingPhase::foldConstants):
3696             (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):