f9aef98d757bf59a1ad43a9bf7696cd1a4769e94
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-08-27  Julien Brianceau   <jbriance@cisco.com>

        Take advantage of 3 parameters or32() calls
        https://bugs.webkit.org/show_bug.cgi?id=136287

        Reviewed by Michael Saboff.

        For specific architectures (arm and mips for instance), or32() calls
        with 3 parameters are likely to produce a single instruction.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::branchIsOther):
        (JSC::DFG::SpeculativeJIT::branchNotOther):

2014-08-26  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: put feature flags for Inspector domains in the protocol specification
        https://bugs.webkit.org/show_bug.cgi?id=136027

        Reviewed by Timothy Hatcher.

        Remove the hardcoded map of domains to feature guards, and instead parse it from the specification.

        Test: inspector/scripts/tests/generate-domains-with-feature-guards.json

        * inspector/scripts/codegen/generator.py:
        (Generator.wrap_with_guard_for_domain):
        * inspector/scripts/codegen/models.py:
        (Protocol.parse_domain):
        (Domain.__init__):
        (Domains):
        * inspector/scripts/tests/generate-domains-with-feature-guards.json: Added.
        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:

2014-08-26  Andy Estes  <aestes@apple.com>

        [Cocoa] Some projects are incorrectly installed to $BUILT_PRODUCTS_DIR
        https://bugs.webkit.org/show_bug.cgi?id=136267

        Reviewed by Dan Bernstein.

        INSTALL_PATH was set to $BUILT_PRODUCTS_DIR for engineering configurations in r20225 as part of a build fix.
        Not only is this no longer necessary to build, but it causes built products to be incorrectly installed in
        engineering configurations.

        Remove the setting of INSTALL_PATH from the pbxproj file so that the value specified in the xcconfig files is
        used instead.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-08-26  Michael Saboff  <msaboff@apple.com>

        [Win] 64-bit JavaScriptCore crashes on launch
        https://bugs.webkit.org/show_bug.cgi?id=136241

        Reviewed by Mark Lam.

        * llint/LowLevelInterpreter.asm:
        (vmEntryRecord): X86_64_WIN doesn't use "a0" (rax) for the first argument; it uses
        "t2" (rcx).  Changed to get the input parameter using the correct register.

2014-08-26  Saam Barati  <sbarati@apple.com>

        TypeSet caches structureIDs even after the corresponding Structure could be GCed
        https://bugs.webkit.org/show_bug.cgi?id=136178

        Reviewed by Geoffrey Garen.

        Currently, TypeSet will never remove StructureIDs from its cache,
        even after the corresponding Structures could be garbage collected.
        Now, when the Garbage Collector collects, and type profiling is
        enabled, the Garbage Collector will invalidate all TypeSet caches.

        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::addTypeInformation):
        (JSC::TypeSet::invalidateCache):
        * runtime/TypeSet.h:
        * runtime/VM.cpp:
        (JSC::VM::invalidateTypeSetCache):
        * runtime/VM.h:

2014-08-26  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r172794) + 32Bit build: for-in-base-reassigned-later-and-change-structure.js fail with NaN result
        https://bugs.webkit.org/show_bug.cgi?id=136187

        Reviewed by Mark Hahnenberg.

        Added two arg version for 32 bit builds of callOperation(J_JITOperation_ECJ, ...) that
        doesn't require a tag for the second argument; instead it fills in a CellTag.  This is
        used for the slow case of the GetDirectPname case in SpeculativeJIT::compile since we
        haven't set up a register with a tag and we know that argument 2 is a cell.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation): New version with implicit CellTag.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Eliminated extraneous filling of the scratchGPR
        with CellTag as it wasn't in the control flow for the slow path that needed the tag.
        Instead changed to calling new version of callOperation with an implicit CellTag.

2014-08-26  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r172940.
        https://bugs.webkit.org/show_bug.cgi?id=136256

        Caused assertions on fast/storage/serialized-script-value.html,
        and possibly flakiness on more tests (Requested by ap on #webkit).

        Reverted changeset:

        "FTL should be able to do polymorphic call inlining"
        https://bugs.webkit.org/show_bug.cgi?id=135145
        http://trac.webkit.org/changeset/172940

2014-08-26  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r172794) + 32Bit build: ASSERT failures in for-in-tests.js tests.
        https://bugs.webkit.org/show_bug.cgi?id=136165

        Reviewed by Mark Hahnenberg.

        Changed switch case GetDirectPname: to always use the slow path for X86 since it only has
        6 registers available, but the code requires 7.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2014-08-25  Saam Barati  <sbarati@apple.com>

        TypeProfiler search breaks on return statements
        https://bugs.webkit.org/show_bug.cgi?id=136201

        Reviewed by Filip Pizlo.

        Searching for return statements in the TypeProfiler currently
        breaks down because it expected to see the search descriptor
        TypeProfilerSearchDescriptorFunctionReturn when looking for
        return statements in the actual source code of the program.
        But, TypeProfilerSearchDescriptorFunctionReturn search descriptor
        is reserved for looking for return statements that aren't in the
        actual source code of the program, but when asking for the
        aggregate return type of a function. Now, searching for
        return statements in the actual source code of the program will
        work when passing in the search descriptor TypeProfilerSearchDescriptorNormal.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * runtime/TypeProfiler.cpp:
        (JSC::TypeProfiler::findLocation):
        (JSC::descriptorMatchesTypeLocation): Deleted.

2014-08-25  Saam Barati  <sbarati@apple.com>

        Return statement TypeSets might be duplicated
        https://bugs.webkit.org/show_bug.cgi?id=136200

        Reviewed by Filip Pizlo.

        Currently, the globalTypeSet that converges the types of all
        return statements in a function lives off of CodeBlock. It lives
        off CodeBlock because of a faulty assumption that CodeBlock
        will have a one-to-one mapping with a function in the source
        text of the program. (Currently, there isn't an actual bug
        with this design because TypeLocationCache will hash cons to
        the same TypeLocation, but this is still an incorrect design).
        In this patch, the globalTypeSet for function return statements
        is moved to the FunctionExecutable object which does have a one-to-one
        mapping with functions in the source text of a program.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::returnStatementTypeSet): Deleted.
        * runtime/Executable.h:
        (JSC::FunctionExecutable::returnStatementTypeSet):

2014-08-24  Filip Pizlo  <fpizlo@apple.com>

        FTL should be able to do polymorphic call inlining
        https://bugs.webkit.org/show_bug.cgi?id=135145

        Reviewed by Geoffrey Garen.

        Added a log-based high-fidelity call edge profiler that runs in DFG JIT (and optionally
        baseline JIT) code. Used it to do precise polymorphic inlining in the FTL. Potential
        inlining sites use the call edge profile if it is available, but they will still fall back
        on the call inline cache and rare case counts if it's not. Polymorphic inlining means that
        multiple possible callees can be inlined with a switch to guard them. The slow path may
        either be an OSR exit or a virtual call.

        The call edge profiling added in this patch is very precise - it will tell you about every
        call that has ever happened. It took some effort to reduce the overhead of this profiling.
        This mostly involved ensuring that we don't do it unnecessarily. For example, we avoid it
        in the baseline JIT (you can conditionally enable it but it's off by default) and we only do
        it in the DFG JIT if we know that the regular inline cache profiling wasn't precise enough.
        I also experimented with reducing the precision of the profiling. This led to a significant
        reduction in the speed-up, so I avoided this approach. I also explored making log processing
        concurrent, but that didn't help. Also, I tested the overhead of the log processing and
        found that most of the overhead of this profiling is actually in putting things into the log
        rather than in processing the log - that part appears to be surprisingly cheap.

        Polymorphic inlining could be enabled in the DFG if we enabled baseline call edge profiling,
        and if we guarded such inlining sites with some profiling mechanism to detect
        polyvariant monomorphisation opportunities (where the callsite being inlined reveals that
        it's actually monomorphic).

        This is a ~28% speed-up on deltablue and a ~7% speed-up on richards, with small speed-ups on
        other programs as well. It's about a 2% speed-up on Octane version 2, and never a regression
        on anything we care about. Some aggregates, like V8Spider, see a regression. This is
        highlighting the increase in profiling overhead. But since this doesn't show up on any major
        score (code-load or SunSpider), it's probably not relevant.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CallEdge.cpp: Added.
        (JSC::CallEdge::dump):
        * bytecode/CallEdge.h: Added.
        (JSC::CallEdge::operator!):
        (JSC::CallEdge::callee):
        (JSC::CallEdge::count):
        (JSC::CallEdge::despecifiedClosure):
        (JSC::CallEdge::CallEdge):
        * bytecode/CallEdgeProfile.cpp: Added.
        (JSC::CallEdgeProfile::callEdges):
        (JSC::CallEdgeProfile::numCallsToKnownCells):
        (JSC::worthDespecifying):
        (JSC::CallEdgeProfile::worthDespecifying):
        (JSC::CallEdgeProfile::visitWeak):
        (JSC::CallEdgeProfile::addSlow):
        (JSC::CallEdgeProfile::mergeBack):
        (JSC::CallEdgeProfile::fadeByHalf):
        (JSC::CallEdgeLog::CallEdgeLog):
        (JSC::CallEdgeLog::~CallEdgeLog):
        (JSC::CallEdgeLog::isEnabled):
        (JSC::operationProcessCallEdgeLog):
        (JSC::CallEdgeLog::emitLogCode):
        (JSC::CallEdgeLog::processLog):
        * bytecode/CallEdgeProfile.h: Added.
        (JSC::CallEdgeProfile::numCallsToNotCell):
        (JSC::CallEdgeProfile::numCallsToUnknownCell):
        (JSC::CallEdgeProfile::totalCalls):
        * bytecode/CallEdgeProfileInlines.h: Added.
        (JSC::CallEdgeProfile::CallEdgeProfile):
        (JSC::CallEdgeProfile::add):
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::visitWeak):
        * bytecode/CallLinkInfo.h:
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::CallLinkStatus):
        (JSC::CallLinkStatus::computeFromLLInt):
        (JSC::CallLinkStatus::computeFor):
        (JSC::CallLinkStatus::computeExitSiteData):
        (JSC::CallLinkStatus::computeFromCallLinkInfo):
        (JSC::CallLinkStatus::computeFromCallEdgeProfile):
        (JSC::CallLinkStatus::computeDFGStatuses):
        (JSC::CallLinkStatus::isClosureCall):
        (JSC::CallLinkStatus::makeClosureCall):
        (JSC::CallLinkStatus::dump):
        (JSC::CallLinkStatus::function): Deleted.
        (JSC::CallLinkStatus::internalFunction): Deleted.
        (JSC::CallLinkStatus::intrinsicFor): Deleted.
        * bytecode/CallLinkStatus.h:
        (JSC::CallLinkStatus::CallLinkStatus):
        (JSC::CallLinkStatus::isSet):
        (JSC::CallLinkStatus::couldTakeSlowPath):
        (JSC::CallLinkStatus::edges):
        (JSC::CallLinkStatus::size):
        (JSC::CallLinkStatus::at):
        (JSC::CallLinkStatus::operator[]):
        (JSC::CallLinkStatus::canOptimize):
        (JSC::CallLinkStatus::canTrustCounts):
        (JSC::CallLinkStatus::isClosureCall): Deleted.
        (JSC::CallLinkStatus::callTarget): Deleted.
        (JSC::CallLinkStatus::executable): Deleted.
        (JSC::CallLinkStatus::makeClosureCall): Deleted.
        * bytecode/CallVariant.cpp: Added.
        (JSC::CallVariant::dump):
        * bytecode/CallVariant.h: Added.
        (JSC::CallVariant::CallVariant):
        (JSC::CallVariant::operator!):
        (JSC::CallVariant::despecifiedClosure):
        (JSC::CallVariant::rawCalleeCell):
        (JSC::CallVariant::internalFunction):
        (JSC::CallVariant::function):
        (JSC::CallVariant::isClosureCall):
        (JSC::CallVariant::executable):
        (JSC::CallVariant::nonExecutableCallee):
        (JSC::CallVariant::intrinsicFor):
        (JSC::CallVariant::functionExecutable):
        (JSC::CallVariant::isHashTableDeletedValue):
        (JSC::CallVariant::operator==):
        (JSC::CallVariant::operator!=):
        (JSC::CallVariant::operator<):
        (JSC::CallVariant::operator>):
        (JSC::CallVariant::operator<=):
        (JSC::CallVariant::operator>=):
        (JSC::CallVariant::hash):
        (JSC::CallVariant::deletedToken):
        (JSC::CallVariantHash::hash):
        (JSC::CallVariantHash::equal):
        * bytecode/CodeOrigin.h:
        (JSC::InlineCallFrame::isNormalCall):
        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        * bytecode/ExitKind.h:
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfo):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeForStubInfo):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGBasicBlock.cpp:
        (JSC::DFG::BasicBlock::~BasicBlock):
        * dfg/DFGBasicBlock.h:
        (JSC::DFG::BasicBlock::takeLast):
        (JSC::DFG::BasicBlock::didLink):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::processSetLocalQueue):
        (JSC::DFG::ByteCodeParser::removeLastNodeFromGraph):
        (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::emitFunctionChecks):
        (JSC::DFG::ByteCodeParser::undoFunctionChecks):
        (JSC::DFG::ByteCodeParser::inliningCost):
        (JSC::DFG::ByteCodeParser::inlineCall):
        (JSC::DFG::ByteCodeParser::cancelLinkingForBlock):
        (JSC::DFG::ByteCodeParser::attemptToInlineCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        (JSC::DFG::ByteCodeParser::prepareToParseBlock):
        (JSC::DFG::ByteCodeParser::clearCaches):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::linkBlock):
        (JSC::DFG::ByteCodeParser::linkBlocks):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::visitChildren):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGLazyJSValue.cpp:
        (JSC::DFG::LazyJSValue::switchLookupValue):
        * dfg/DFGLazyJSValue.h:
        (JSC::DFG::LazyJSValue::switchLookupValue): Deleted.
        * dfg/DFGNode.cpp:
        (WTF::printInternal):
        * dfg/DFGNode.h:
        (JSC::DFG::OpInfo::OpInfo):
        (JSC::DFG::Node::hasHeapPrediction):
        (JSC::DFG::Node::hasCellOperand):
        (JSC::DFG::Node::cellOperand):
        (JSC::DFG::Node::setCellOperand):
        (JSC::DFG::Node::canBeKnownFunction): Deleted.
        (JSC::DFG::Node::hasKnownFunction): Deleted.
        (JSC::DFG::Node::knownFunction): Deleted.
        (JSC::DFG::Node::giveKnownFunction): Deleted.
        (JSC::DFG::Node::hasFunction): Deleted.
        (JSC::DFG::Node::function): Deleted.
        (JSC::DFG::Node::hasExecutable): Deleted.
        (JSC::DFG::Node::executable): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGPhantomCanonicalizationPhase.cpp:
        (JSC::DFG::PhantomCanonicalizationPhase::run):
        * dfg/DFGPhantomRemovalPhase.cpp:
        (JSC::DFG::PhantomRemovalPhase::run):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitSwitch):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureRegistrationPhase.cpp:
        (JSC::DFG::StructureRegistrationPhase::run):
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):
        (JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        * dfg/DFGWatchpointCollectionPhase.cpp:
        (JSC::DFG::WatchpointCollectionPhase::handle):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::ftlUnreachable):
        (JSC::FTL::LowerDFGToLLVM::lower):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCheckCell):
        (JSC::FTL::LowerDFGToLLVM::compileCheckBadCell):
        (JSC::FTL::LowerDFGToLLVM::compileGetExecutable):
        (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
        (JSC::FTL::LowerDFGToLLVM::compileSwitch):
        (JSC::FTL::LowerDFGToLLVM::buildSwitch):
        (JSC::FTL::LowerDFGToLLVM::compileCheckFunction): Deleted.
        (JSC::FTL::LowerDFGToLLVM::compileCheckExecutable): Deleted.
        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::storeValue):
        (JSC::AssemblyHelpers::loadValue):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArguments):
        * jit/GPRInfo.h:
        (JSC::JSValueRegs::uses):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
        * runtime/Options.h:
        * runtime/VM.cpp:
        (JSC::VM::ensureCallEdgeLog):
        * runtime/VM.h:
        * tests/stress/new-array-then-exit.js: Added.
        (foo):
        * tests/stress/poly-call-exit-this.js: Added.
        * tests/stress/poly-call-exit.js: Added.

2014-08-22  Michael Saboff  <msaboff@apple.com>

        After r172867 another crash in js/dom/line-column-numbers.html
        https://bugs.webkit.org/show_bug.cgi?id=136192

        Reviewed by Geoffrey Garen.

        In lookupExceptionHandlerFromCallerFrame(), we need to use the caller's CallFrame
        and VMEntryFrame when calling genericUnwind().  NativeCallFrameTracerWithRestore()
        does that for us.

        In general, NativeCallFrameTracerWithRestore() restores the values because we may
        do more processing that requires the current callFrame and vmEntryFrame before we
        get to the catch handler where we change these to the catch values.  In this
        particular case, that restoration isn't currently needed, but we add complexity
        and possible future confusion if we create another NativeCallFrameTracerXXX()
        version that doesn't restore the values.

        * jit/JITOperations.cpp:
        (JSC::lookupExceptionHandlerFromCallerFrame): Changed NativeCallFrameTracer() to
        NativeCallFrameTracerWithRestore() so that VM::topVMEntryFrame will be updated
        before calling genericUnwind().

2014-08-24  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: rename Inspector::TypeBuilder to Inspector::Protocol
        https://bugs.webkit.org/show_bug.cgi?id=136031

        Reviewed by Timothy Hatcher.

        Rename TypeBuilder namespace to Protocol. Disambiguate where
        necessary. Also rename InspectorTypeBuilder to ProtocolTypes.

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.vcxproj/copy-files.cmd:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * inspector/ConsoleMessage.cpp:
        (Inspector::messageSourceValue):
        (Inspector::messageTypeValue):
        (Inspector::messageLevelValue):
        (Inspector::ConsoleMessage::addToFrontend):
        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::buildObjectForSearchMatch):
        (Inspector::ContentSearchUtilities::searchInTextByLines):
        * inspector/ContentSearchUtilities.h:
        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::evaluate):
        (Inspector::InjectedScript::callFunctionOn):
        (Inspector::InjectedScript::evaluateOnCallFrame):
        (Inspector::InjectedScript::getFunctionDetails):
        (Inspector::InjectedScript::getProperties):
        (Inspector::InjectedScript::getInternalProperties):
        (Inspector::InjectedScript::wrapCallFrames):
        (Inspector::InjectedScript::wrapObject):
        (Inspector::InjectedScript::wrapTable):
        * inspector/InjectedScript.h:
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::makeEvalCall):
        * inspector/InjectedScriptBase.h:
        * inspector/InspectorTypeBuilder.h: Removed.
        * inspector/ScriptCallFrame.cpp:
        (Inspector::ScriptCallFrame::buildInspectorObject):
        * inspector/ScriptCallFrame.h:
        * inspector/ScriptCallStack.cpp:
        (Inspector::ScriptCallStack::buildInspectorArray):
        * inspector/ScriptCallStack.h:
        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::inspect):
        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::breakpointActionTypeForString):
        (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
        (Inspector::InspectorDebuggerAgent::setBreakpoint):
        (Inspector::InspectorDebuggerAgent::resolveBreakpoint):
        (Inspector::InspectorDebuggerAgent::searchInContent):
        (Inspector::InspectorDebuggerAgent::getFunctionDetails):
        (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
        (Inspector::InspectorDebuggerAgent::currentCallFrames):
        (Inspector::InspectorDebuggerAgent::didParseSource):
        (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorProfilerAgent.cpp:
        (Inspector::InspectorProfilerAgent::createProfileHeader):
        (Inspector::InspectorProfilerAgent::getProfileHeaders):
        (Inspector::buildInspectorObject):
        (Inspector::InspectorProfilerAgent::buildProfileInspectorObject):
        (Inspector::InspectorProfilerAgent::getCPUProfile):
        * inspector/agents/InspectorProfilerAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::buildErrorRangeObject):
        (Inspector::InspectorRuntimeAgent::parse):
        (Inspector::InspectorRuntimeAgent::evaluate):
        (Inspector::InspectorRuntimeAgent::callFunctionOn):
        (Inspector::InspectorRuntimeAgent::getProperties):
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/scripts/codegen/__init__.py:
        * inspector/scripts/codegen/generate_backend_dispatcher_header.py:
        (BackendDispatcherHeaderGenerator.generate_output):
        * inspector/scripts/codegen/generate_backend_dispatcher_implementation.py:
        (BackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
        (BackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
        * inspector/scripts/codegen/generate_frontend_dispatcher_header.py:
        (FrontendDispatcherHeaderGenerator.generate_output):
        * inspector/scripts/codegen/generate_frontend_dispatcher_implementation.py:
        (FrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
        * inspector/scripts/codegen/generate_type_builder_header.py: Removed.
        * inspector/scripts/codegen/generate_type_builder_implementation.py: Removed.
        * inspector/scripts/codegen/generator.py:
        (Generator.protocol_type_string_for_type):
        (Generator.protocol_type_string_for_type_member):
        (Generator.type_string_for_type_with_name):
        (Generator.type_string_for_formal_out_parameter):
        (Generator.type_string_for_formal_async_parameter):
        (Generator.type_string_for_stack_in_parameter):
        (Generator.type_string_for_stack_out_parameter):
        (Generator.assertion_method_for_type_member.assertion_method_for_type):
        (Generator.assertion_method_for_type_member):
        (Generator.type_builder_string_for_type): Deleted.
        (Generator.type_builder_string_for_type_member): Deleted.
        * inspector/scripts/codegen/generator_templates.py:
        (Inspector):
        * inspector/scripts/generate-inspector-protocol-bindings.py:
        (generate_from_specification):
        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
        * runtime/HighFidelityTypeProfiler.cpp:
        (JSC::HighFidelityTypeProfiler::getTypesForVariableAtOffsetForInspector):
        * runtime/HighFidelityTypeProfiler.h:
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::allPrimitiveTypeNames):
        (JSC::TypeSet::allStructureRepresentations):
        (JSC::StructureShape::inspectorRepresentation):
        * runtime/TypeSet.h:

2014-08-24  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: Rename DOM.RGBA and remove workarounds in the bindings generator
        https://bugs.webkit.org/show_bug.cgi?id=136025

        Reviewed by Joseph Pecoraro.

        This workaround can be removed since it is no longer necessary.

        * inspector/scripts/codegen/models.py:
        (TypeReference.__init__):
        (Type.raw_name):
        (TypeDeclaration.__init__):
        * inspector/scripts/tests/type-declaration-object-type.json: Remove related test input.
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result: Rebaseline.

2014-08-23  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Do not copy large module source strings
        https://bugs.webkit.org/show_bug.cgi?id=136191

        Reviewed by Benjamin Poulain.

        * inspector/InjectedScriptManager.cpp:
        (Inspector::InjectedScriptManager::injectedScriptSource):

2014-08-21  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r163179): Sporadic crash in js/dom/line-column-numbers.html test
        https://bugs.webkit.org/show_bug.cgi?id=136111

        Reviewed by Filip Pizlo.

        The problem was that we weren't properly handling VM::topVMEntryFrame in two ways.

        First, in the case where we get an exception of a stack overflow during setup of the direct
        callee frame of a VM entry frame, we need to throw the exception in the caller's frame.
        This requires unrolling topVMEntryFrame while creating the exception object.  This is
        accomplished with the renamed NativeCallFrameTracerWithRestore object.  As part of this,
        split the JIT rollback exception handling to call a new helper,
        callLookupExceptionHandlerFromCallerFrame, which will unroll the callFrame and VMEntryFrame.

        Second, when we unwind to find a handler, we also need to unwind topVMCallFrame for the
        case where we end up (re)throwing another exception after entering the catch block, but
        before another vmEntry call.  Added VM::vmEntryFrameForThrow as a way similar to
        VM::callFrameForThrow to pass the appropriate VMEntryFrame to the catch block.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileExceptionHandlers):
        Split out the unroll cases to use the new helper callLookupExceptionHandlerFromCallerFrame()
        to unwind both the callFrame and topVMEntryFrame.

        * interpreter/Interpreter.cpp:
        (JSC::UnwindFunctor::UnwindFunctor):
        (JSC::UnwindFunctor::operator()):
        (JSC::Interpreter::unwind):
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        Added VMEntryFrame as another component to unwind.

        * interpreter/Interpreter.h:
        (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
        (JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore):
        (JSC::NativeCallFrameTracerWithRestore::~NativeCallFrameTracerWithRestore):
        Renamed and changed to save and restore topCallFrame and topVMEntryFrame around the setting of
        both values.

        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::gotoNextFrame):
        (JSC::StackVisitor::readNonInlinedFrame):
        * interpreter/StackVisitor.h:
        (JSC::StackVisitor::Frame::vmEntryFrame):
        Added code to unwind the VMEntryFrame.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::jumpToExceptionHandler): Updated comment to indicate that the value
        the handler should use for VM::topEntryFrame is in VM::vmEntryFrameForThrow.

        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_catch):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_catch):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        Added code to update VM::topVMEntryFrame from VM::vmEntryFrameForThrowOffset.

        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        (JSC::operationThrowStackOverflowError):
        (JSC::operationCallArityCheck):
        (JSC::operationConstructArityCheck):

        * runtime/VM.h:
        (JSC::VM::vmEntryFrameForThrowOffset):
        (JSC::VM::topVMEntryFrameOffset):
        Added as the side channel to return the topVMEntryFrame that the handler should use.

2014-08-22  Daniel Bates  <dabates@apple.com>

        [iOS] Disable ENABLE_IOS_{GESTURE, TOUCH}_EVENTS, and temporarily disable ENABLE_TOUCH_EVENTS
        and ENABLE_XSLT when building with the iOS public SDK
        https://bugs.webkit.org/show_bug.cgi?id=135945

        Reviewed by Andy Estes.

        * Configurations/FeatureDefines.xcconfig:

2014-08-22  Jon Lee  <jonlee@apple.com>

        Fix iOS build due to r172832 and move RUBBER_BANDING out of FeatureDefines.h
        https://bugs.webkit.org/show_bug.cgi?id=136157

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig: Add ENABLE(RUBBER_BANDING).

2014-08-21  Mark Lam  <mark.lam@apple.com>

        r171362 accidentally increased the size of InlineCallFrame.
        <https://webkit.org/b/136141>

        Reviewed by Filip Pizlo.

        r171362 increased the size of InlineCallFrame::kind to 2 bits.  This increased
        the size of InlineCallFrame from 72 to 80 though not intentionally.  The fix
        is to reduce the size of InlineCallFrame::stackOffset to 29 bits.

        Also added an assert to ensure that we never set a value that exceeds the size
        of InlineCallFrame::stackOffset.

        * bytecode/CodeOrigin.h:
        (JSC::InlineCallFrame::setStackOffset):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):

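A constructed illustration of the bit-field packing effect the entry above describes, added here as an example; it is not JSC code and not InlineCallFrame's real layout. Two bit-fields exactly fill one 32-bit unit; widening one of them by a single bit pushes the other into a second unit, and narrowing it restores the size. The range-checked setter is in the spirit of the assert the entry mentions, so an out-of-range offset is refused rather than silently truncated. Struct names, the 29-bit constants and the function names are hypothetical.

```cpp
#include <cstddef>
#include <cstdio>

// Hypothetical stand-in for the two bit-fields (not JSC's real InlineCallFrame):
// 1 + 31 bits exactly fill one 32-bit allocation unit.
struct BeforeWidening {
    unsigned kind : 1;
    int stackOffset : 31;
};

// Widening kind to 2 bits makes the pair 33 bits. stackOffset no longer fits in
// the remaining 30 bits of the first unit, so the compiler starts a second one
// and the struct doubles in size, the same mechanism that took InlineCallFrame
// from 72 to 80 bytes.
struct AfterWidening {
    unsigned kind : 2;
    int stackOffset : 31;
};

// The fix: give stackOffset 29 bits so both fields fit in one unit again.
struct Fixed {
    unsigned kind : 2;
    int stackOffset : 29;
};

// Bounds of a signed 29-bit field (constructed values for this example).
constexpr int kStackOffsetBits = 29;
constexpr int kMinStackOffset = -(1 << (kStackOffsetBits - 1));    // -268435456
constexpr int kMaxStackOffset = (1 << (kStackOffsetBits - 1)) - 1; //  268435455

// Range check in the spirit of the entry's assert: does the value fit the field?
bool fitsInStackOffset(int offset)
{
    return offset >= kMinStackOffset && offset <= kMaxStackOffset;
}

// Setter that refuses out-of-range values instead of letting the bit-field
// assignment wrap them silently.
bool setStackOffset(Fixed& frame, int offset)
{
    if (!fitsInStackOffset(offset))
        return false;
    frame.stackOffset = offset;
    return true;
}

size_t sizeBefore() { return sizeof(BeforeWidening); }
size_t sizeAfter() { return sizeof(AfterWidening); }
size_t sizeFixed() { return sizeof(Fixed); }

// Exercises the setter: in-range values round-trip exactly, an out-of-range
// value is rejected and leaves the field untouched.
bool setterBehavesAsExpected()
{
    Fixed frame {};
    if (!setStackOffset(frame, -4096) || frame.stackOffset != -4096)
        return false;
    if (setStackOffset(frame, 1 << 28) || frame.stackOffset != -4096)
        return false;
    return setStackOffset(frame, kMaxStackOffset) && frame.stackOffset == kMaxStackOffset;
}

int main()
{
    std::printf("1+31 bits: %zu bytes, 2+31 bits: %zu bytes, 2+29 bits: %zu bytes\n",
                sizeBefore(), sizeAfter(), sizeFixed());
    std::printf("setter check: %s\n", setterBehavesAsExpected() ? "ok" : "FAILED");
    return 0;
}
```

The sizes assume a compiler that packs adjacent bit-fields into 32-bit units and never lets a bit-field straddle two units (GCC and Clang on the usual targets). A static_assert on sizeof next to the struct definition is the cheapest way to catch this kind of regression at compile time.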
2014-08-21  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: RetainPtr misuse, CFRunLoopSource leak
        https://bugs.webkit.org/show_bug.cgi?id=136143

        Reviewed by Timothy Hatcher.

        Adopt a Create into the RetainPtr to avoid leaking.

        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorDebuggableConnection::setupRunLoop):

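The leak pattern the entry above fixes, as a constructed C++ illustration added here; it is not WebKit's RetainPtr or the RemoteInspector code. A Create-rule function hands back a +1 reference. Wrapping that in a retaining smart-pointer constructor takes a second reference, so the wrapper's release leaves the count at 1 and the object is never freed; adopting the reference (what WTF spells adoptCF) keeps the count balanced. The object type, the live-object counter and the OwningPtr class are hypothetical stand-ins.

```cpp
#include <cstdio>

// Hypothetical stand-in for a CoreFoundation-style refcounted object.
struct CFObjectLike {
    int retainCount = 1;   // a *Create() function returns a +1 reference
};

static int g_liveObjects = 0;               // constructed leak detector: objects currently allocated
static CFObjectLike* g_lastCreated = nullptr;

// Create-rule function: the caller owns the returned +1 reference.
CFObjectLike* createRunLoopSourceLike()
{
    ++g_liveObjects;
    g_lastCreated = new CFObjectLike;
    return g_lastCreated;
}

void retainObject(CFObjectLike* obj) { ++obj->retainCount; }

void releaseObject(CFObjectLike* obj)
{
    if (--obj->retainCount == 0) {
        --g_liveObjects;
        delete obj;
    }
}

// Minimal RetainPtr-like wrapper (not WTF's) with both construction modes.
class OwningPtr {
public:
    struct AdoptTag {};

    // Retaining construction: right for a +0 (borrowed) pointer, because the
    // wrapper takes its own reference.
    explicit OwningPtr(CFObjectLike* obj) : m_ptr(obj) { if (m_ptr) retainObject(m_ptr); }

    // Adopting construction: takes over an existing +1 reference as-is.
    OwningPtr(AdoptTag, CFObjectLike* obj) : m_ptr(obj) { }

    ~OwningPtr() { if (m_ptr) releaseObject(m_ptr); }

    OwningPtr(const OwningPtr&) = delete;
    OwningPtr& operator=(const OwningPtr&) = delete;

    CFObjectLike* get() const { return m_ptr; }

private:
    CFObjectLike* m_ptr;
};

// The misuse: retaining a Create result gives it a count of 2, so the wrapper's
// release leaves it at 1 and the object outlives its scope. Returns how many
// objects the scope left behind.
int objectsLeakedByRetainingCreate()
{
    int before = g_liveObjects;
    {
        OwningPtr source(createRunLoopSourceLike());   // count: 1 (Create) + 1 (retain) = 2
        (void)source.get();
    }                                                  // release: count 1, still alive
    int leaked = g_liveObjects - before;
    if (leaked)
        releaseObject(g_lastCreated);   // demo cleanup only: drop the unbalanced +1 the bug left behind
    return leaked;
}

// The fix: adopt the +1 reference so the wrapper's release balances the Create.
int objectsLeakedByAdoptingCreate()
{
    int before = g_liveObjects;
    {
        OwningPtr source(OwningPtr::AdoptTag {}, createRunLoopSourceLike());   // count stays 1
        (void)source.get();
    }                                                                         // release: count 0, freed
    return g_liveObjects - before;
}

int main()
{
    std::printf("retaining a Create result leaks %d object(s)\n", objectsLeakedByRetainingCreate());
    std::printf("adopting a Create result leaks %d object(s)\n", objectsLeakedByAdoptingCreate());
    return 0;
}
```

The rule of thumb this encodes: a pointer from a function whose name contains Create or Copy is +1 and must be adopted; a pointer from a Get-style accessor is +0 and must be retained. Mixing the two up in either direction is an over-release (crash) or a leak, and a live-object counter like the one above is a cheap way to catch the leak direction in a unit test.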
2014-08-21  Mark Lam  <mark.lam@apple.com>

        REGRESSION(r172808): It made 6 different tests fail on 32 bit platforms.
        <https://webkit.org/b/136123>

        Reviewed by Filip Pizlo.

        The original patch in r172808 removed the code to skip the top scope in
        the 64-bit port of JIT::emitResolveClosure() but not in the 32-bit port.
        This patch fixes that and achieves parity.

        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitResolveClosure):

2014-08-21  Zalan Bujtas  <zalan@apple.com>

        Enable SATURATED_LAYOUT_ARITHMETIC.
        https://bugs.webkit.org/show_bug.cgi?id=136106

        Reviewed by Simon Fraser.

        SATURATED_LAYOUT_ARITHMETIC protects LayoutUnit against arithmetic overflow.
        (No measurable performance regression on Mac.)

        * Configurations/FeatureDefines.xcconfig:

2014-08-20  Saam Barati  <sbarati@apple.com>

        Fix how CodeBlock dumps the opcode op_profile_type
        https://bugs.webkit.org/show_bug.cgi?id=136088

        Reviewed by Filip Pizlo.

        op_profile_type was modified to receive two extra arguments,
        but its dump in CodeBlock::dumpBytecode wasn't changed to
        account for this, so it broke CodeBlock::dumpBytecode when
        op_profile_type was in the stream of bytecode instructions.
        CodeBlock::dumpBytecode now accounts for the change in
        op_profile_type's arity.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):

2014-08-20  Saam Barati  <sbarati@apple.com>

        Rename HighFidelityTypeProfiling variables for more clarity
        https://bugs.webkit.org/show_bug.cgi?id=135899

        Reviewed by Geoffrey Garen.

        Many names that are used in the type profiling infrastructure
        prefix themselves with "HighFidelity" or include the words "high"
        and/or "fidelity" in some way. But the words "high" and "fidelity" don't
        add anything descriptive to the names surrounding type profiling.
        So this patch removes all uses of "HighFidelity" and its variants.

        Most renamings change "HighFidelity*" to "TypeProfiler*" or simply
        drop the prefix "HighFidelity" all together. Now, almost all names
        in relation to type profiling contain in them "TypeProfiler" or
        "TypeProfiling" or some combination of the words "type" and "profile".

        This patch also changes how we check if type profiling is enabled:
        We no longer call vm::isProfilingTypesWithHighFidelity. We now just
        check that vm::typeProfiler is not null.

        This patch also changes all calls to TypeProfilerLog::processLogEntries
        to use ASCIILiteral to form WTFStrings instead of vanilla C string literals.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecode/TypeLocation.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset):
        (JSC::UnlinkedCodeBlock::addTypeProfilerExpressionInfo):
        (JSC::UnlinkedCodeBlock::highFidelityTypeProfileExpressionInfoForBytecodeOffset): Deleted.
        (JSC::UnlinkedCodeBlock::addHighFidelityTypeProfileExpressionInfo): Deleted.
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::typeProfilingStartOffset):
        (JSC::UnlinkedFunctionExecutable::typeProfilingEndOffset):
        (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingStartOffset): Deleted.
        (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingEndOffset): Deleted.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitMove):
        (JSC::BytecodeGenerator::emitTypeProfilerExpressionInfo):
        (JSC::BytecodeGenerator::emitProfileType):
        (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo): Deleted.
        (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ThisNode::emitBytecode):
        (JSC::ResolveNode::emitBytecode):
        (JSC::BracketAccessorNode::emitBytecode):
        (JSC::DotAccessorNode::emitBytecode):
        (JSC::FunctionCallValueNode::emitBytecode):
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::FunctionCallBracketNode::emitBytecode):
        (JSC::FunctionCallDotNode::emitBytecode):
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        (JSC::PostfixNode::emitResolve):
        (JSC::PostfixNode::emitBracket):
        (JSC::PostfixNode::emitDot):
        (JSC::PrefixNode::emitResolve):
        (JSC::PrefixNode::emitBracket):
        (JSC::PrefixNode::emitDot):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::AssignDotNode::emitBytecode):
        (JSC::ReadModifyDotNode::emitBytecode):
        (JSC::AssignBracketNode::emitBytecode):
        (JSC::ReadModifyBracketNode::emitBytecode):
        (JSC::ConstDeclNode::emitCodeSingle):
        (JSC::EmptyVarExpression::emitBytecode):
        (JSC::ReturnNode::emitBytecode):
        (JSC::FunctionBodyNode::emitBytecode):
        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        (Inspector::recompileAllJSFunctionsForTypeProfiling):
        (Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend):
        (Inspector::InspectorRuntimeAgent::enableTypeProfiler):
        (Inspector::InspectorRuntimeAgent::disableTypeProfiler):
        (Inspector::InspectorRuntimeAgent::setTypeProfilerEnabledState):
        (Inspector::InspectorRuntimeAgent::enableHighFidelityTypeProfiling): Deleted.
        (Inspector::InspectorRuntimeAgent::disableHighFidelityTypeProfiling): Deleted.
        (Inspector::InspectorRuntimeAgent::setHighFidelityTypeProfilingEnabledState): Deleted.
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/protocol/Runtime.json:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_profile_type):
        (JSC::JIT::emit_op_profile_types_with_high_fidelity): Deleted.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_profile_type):
        (JSC::JIT::emit_op_profile_types_with_high_fidelity): Deleted.
        * jit/JITOperations.cpp:
        * jsc.cpp:
        (functionDumpTypesForAllVariables):
        * llint/LLIntSlowPaths.cpp:
        * llint/LowLevelInterpreter.asm:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::ScriptExecutable):
        (JSC::ProgramExecutable::ProgramExecutable):
        (JSC::FunctionExecutable::FunctionExecutable):
        (JSC::ProgramExecutable::initializeGlobalProperties):
        * runtime/Executable.h:
        (JSC::ScriptExecutable::typeProfilingStartOffset):
        (JSC::ScriptExecutable::typeProfilingEndOffset):
        (JSC::ScriptExecutable::highFidelityTypeProfilingStartOffset): Deleted.
        (JSC::ScriptExecutable::highFidelityTypeProfilingEndOffset): Deleted.
        * runtime/HighFidelityLog.cpp: Removed.
        * runtime/HighFidelityLog.h: Removed.
        * runtime/HighFidelityTypeProfiler.cpp: Removed.
        * runtime/HighFidelityTypeProfiler.h: Removed.
        * runtime/Options.h:
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTable::prepareForTypeProfiling):
        (JSC::SymbolTable::uniqueIDForVariable):
        (JSC::SymbolTable::uniqueIDForRegister):
        (JSC::SymbolTable::prepareForHighFidelityTypeProfiling): Deleted.
        * runtime/SymbolTable.h:
        * runtime/TypeProfiler.cpp: Added.
        (JSC::TypeProfiler::logTypesForTypeLocation):
        (JSC::TypeProfiler::insertNewLocation):
        (JSC::TypeProfiler::getTypesForVariableAtOffsetForInspector):
        (JSC::descriptorMatchesTypeLocation):
        (JSC::TypeProfiler::findLocation):
        * runtime/TypeProfiler.h: Added.
        (JSC::QueryKey::QueryKey):
        (JSC::QueryKey::isHashTableDeletedValue):
        (JSC::QueryKey::operator==):
        (JSC::QueryKey::hash):
        (JSC::QueryKeyHash::hash):
        (JSC::QueryKeyHash::equal):
        (JSC::TypeProfiler::functionHasExecutedCache):
        (JSC::TypeProfiler::typeLocationCache):
        * runtime/TypeProfilerLog.cpp: Added.
        (JSC::TypeProfilerLog::initializeLog):
        (JSC::TypeProfilerLog::~TypeProfilerLog):
        (JSC::TypeProfilerLog::processLogEntries):
        * runtime/TypeProfilerLog.h: Added.
        (JSC::TypeProfilerLog::LogEntry::structureIDOffset):
        (JSC::TypeProfilerLog::LogEntry::valueOffset):
        (JSC::TypeProfilerLog::LogEntry::locationOffset):
        (JSC::TypeProfilerLog::TypeProfilerLog):
        (JSC::TypeProfilerLog::recordTypeInformationForLocation):
        (JSC::TypeProfilerLog::logEndPtr):
        (JSC::TypeProfilerLog::logStartOffset):
        (JSC::TypeProfilerLog::currentLogEntryOffset):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::enableTypeProfiler):
        (JSC::VM::disableTypeProfiler):
        (JSC::VM::dumpTypeProfilerData):
        (JSC::VM::enableHighFidelityTypeProfiling): Deleted.
        (JSC::VM::disableHighFidelityTypeProfiling): Deleted.
        (JSC::VM::dumpHighFidelityProfilingTypes): Deleted.
        * runtime/VM.h:
        (JSC::VM::typeProfilerLog):
        (JSC::VM::typeProfiler):
        (JSC::VM::isProfilingTypesWithHighFidelity): Deleted.
        (JSC::VM::highFidelityLog): Deleted.
        (JSC::VM::highFidelityTypeProfiler): Deleted.

2014-08-20  Csaba Osztrogonác  <ossy@webkit.org>

        URTBF after r172799.

        * disassembler/ARM64/A64DOpcode.cpp:
        * disassembler/ARM64Disassembler.cpp:

2014-08-20  Oliver Hunt  <oliver@apple.com>

        Stop implicitly skipping a function's own activation when walking the scope chain
        https://bugs.webkit.org/show_bug.cgi?id=136118

        Reviewed by Geoffrey Garen.

        Remove the current logic that implicitly skips a function's
        own activation when walking the scope chain. This is ground
        work for ensuring that all closed variable access is made
        through the function's activation. This leads to a further
        10% regression on earley, but we're already tracking the
        overall performance regression.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getScope):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitResolveClosure):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSScope.cpp:
        (JSC::JSScope::abstractResolve):
        * runtime/JSScope.h:

2014-08-20  Michael Saboff  <msaboff@apple.com>

        REGRESSION: Web Inspector crashes when reloading apple.com with Timeline recording active
        https://bugs.webkit.org/show_bug.cgi?id=136034

        Reviewed by Mark Lam.

        DebuggerCallFrame::positionForCallFrame is trying to unwind starting somewhere in the middle
        of the stack.  Hardened StackVisitor to skip over the frames between the current top frame
        and the requested start frame.

        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::StackVisitor):

2014-08-20  Brent Fulgham  <bfulgham@apple.com>

        [Win] JavaScriptCore.dll is missing version information.
        https://bugs.webkit.org/show_bug.cgi?id=136105
        <rdar://problem/18075852>

        Reviewed by Dean Jackson.

        * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd: Add missing step to generate
        version information for intermediary build path.

2014-08-20  Saam Barati  <sbarati@apple.com>

        Fix a memory leak in TypeSet
        https://bugs.webkit.org/show_bug.cgi?id=135913

        Reviewed by Filip Pizlo.

        Currently, TypeSet unconditionally allocates memory for its member
        variable m_structureHistory, but never deallocates it. Change this
        from being a pointer that is unconditionally allocated to a member
        variable that will be deallocated when TypeSet itself is deallocated.

        * runtime/TypeSet.cpp:
        (JSC::TypeSet::TypeSet):
        (JSC::TypeSet::addTypeInformation):
        (JSC::TypeSet::seenTypes):
        (JSC::TypeSet::displayName):
        (JSC::TypeSet::allStructureRepresentations):
        (JSC::StructureShape::leastCommonAncestor):
        * runtime/TypeSet.h:

2014-08-20  peavo@outlook.com  <peavo@outlook.com>

        [Win] Assertion fails when running JSC stress tests.
        https://bugs.webkit.org/show_bug.cgi?id=136103

        Reviewed by Darin Adler.

        Use unsigned bitfield member instead of enum bitfield member to avoid negative values.

        * bytecode/CodeOrigin.h: Use unsigned bitfield member.
        (JSC::InlineCallFrame::specializationKind): Compile fix.

2014-08-20  Akos Kiss  <akiss@inf.u-szeged.hu>

        Enable ARM64 disassembler on EFL
        https://bugs.webkit.org/show_bug.cgi?id=136089

        Reviewed by Filip Pizlo.

        * CMakeLists.txt:
        Added disassembler/ARM64Disassembler.cpp and
        disassembler/ARM64/A64DOpcode.cpp to JavaScriptCore_SOURCES.

        * disassembler/ARM64/A64DOpcode.cpp:
        Added USE(ARM64_DISASSEMBLER) guard around implementation.

        * disassembler/ARM64/A64DOpcode.h:
        (JSC::ARM64Disassembler::A64DOpcode::appendUnsignedImmediate64):
        (JSC::ARM64Disassembler::A64DOpcode::appendPCRelativeOffset):
        Made format strings portable by changing "%llx" to "%" PRIx64 for
        uint64_t arguments.

2014-08-19  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r172401): for-in optimization no longer works at all
        https://bugs.webkit.org/show_bug.cgi?id=136056

        Reviewed by Geoffrey Garen.

        Roll this back in, along with a fix to make proxies work. Previously, for-in over proxies
        would instacrash every time.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetByVal):
        (JSC::BytecodeGenerator::pushIndexedForInScope):
        (JSC::BytecodeGenerator::pushStructureForInScope):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::ForInContext::ForInContext):
        (JSC::StructureForInContext::StructureForInContext):
        (JSC::IndexedForInContext::IndexedForInContext):
        (JSC::ForInContext::base): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitMultiLoopBytecode):
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::getStructurePropertyNames):
        (JSC::JSProxy::getGenericPropertyNames):
        * tests/stress/for-in-base-reassigned-later-and-change-structure.js: Added.
        (foo):
        * tests/stress/for-in-base-reassigned-later.js: Added.
        (foo):
        * tests/stress/for-in-base-reassigned.js: Added.
        (foo):
        * tests/stress/for-in-proxy-target-changed-structure.js: Added.
        (deleteAll):
        (foo):
        * tests/stress/for-in-proxy.js: Added.
        (foo):

2014-08-19  Jaehun Lim  <ljaehun.lim@samsung.com>

        Unreviewed, fix EFL build after r17275

        Fix error: ignoring #pragma clang diagnostic [-Werror=unknown-pragmas]

        * runtime/JSDataViewPrototype.cpp:
        Add #if COMPILER(CLANG) and #endif.

2014-08-19  Michael Saboff  <msaboff@apple.com>

        Crash in jsc-layout-tests.yaml/js/script-tests/reentrant-caching.js
        https://bugs.webkit.org/show_bug.cgi?id=136080

        Reviewed by Mark Lam.

        Update VM::topVMEntryFrame via NativeCallFrameTracer() when we pass the caller's frame
        to NativeCallFrameTracer() as the callee's frame may be the first callee from an entry
        frame.  In that case, the caller will have the prior VM entry frame.

        The new NativeCallFrameTracer with a VMEntryFrame parameter should be used when throwing
        an exception from a caller frame.  The value to use for the VMEntryFrame should be a
        value possibly modified by CallFrame::callerFrame(&*VMEntryFrame) used to find the caller.

        * interpreter/Interpreter.h:
        (JSC::NativeCallFrameTracer::NativeCallFrameTracer): Added a new constructor that takes a
        VMEntryFrame.  Added an ASSERT to both constructors to check that the updated topCallFrame
        is below the current vmEntryFrame.

        * jit/JITOperations.cpp:
        (JSC::operationThrowStackOverflowError):
        (JSC::operationCallArityCheck):
        (JSC::operationConstructArityCheck):
        Set VM::topVMEntryFrame to the possibly updated VMEntryFrame after getting the caller's frame.

2014-08-19  Andy Estes  <aestes@apple.com>

        [Cocoa] Offline Assembler build phase fails when $BUILT_PRODUCTS_DIR contains spaces
        https://bugs.webkit.org/show_bug.cgi?id=136086

        Reviewed by Filip Pizlo.

        Enclosed arguments to asm.rb containing $BUILT_PRODUCTS_DIR in double quotes so that they don't get split on
        whitespace. Also let Xcode have its way with an unrelated part of the project file.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-08-19  Filip Pizlo  <fpizlo@apple.com>

        LLInt build should be way faster
        https://bugs.webkit.org/show_bug.cgi?id=136085

        Reviewed by Geoffrey Garen.

        This does three things to improve the LLInt build performance. One of them is only for
        Xcode for now while the others should benefit all platforms:

        - Don't exponentially build settings combinations that correspond to being on two backends
          simultaneously. This is by far the biggest win.

        - Don't generate offset extraction code for backends that aren't supported by the current
          port. This currently only works on Xcode-based ports. This is a relatively small win.

        - Remove the ALWAYS_ALLOCATE_SLOW option. Each option increases build time, and we haven't
          used this one in a long time. Anyway, setting this option could be emulated by just
          directly hacking the code.

        This is an enormous speed-up in the LLInt build.

        * JavaScriptCore.xcodeproj/project.pbxproj: Prune the set of backends that we should consider on Xcode-based platforms.
        * llint/LLIntOfflineAsmConfig.h: Remove ALWAYS_ALLOCATE_SLOW
        * llint/LowLevelInterpreter.asm: Remove ALWAYS_ALLOCATE_SLOW
        * offlineasm/backends.rb: Add infrastructure for reasoning about valid backends.
        * offlineasm/generate_offset_extractor.rb: Allow the client to specify a filtered set of valid backends.
        * offlineasm/settings.rb: Improve the construction of settings combinations so that it doesn't traverse the enormous set of obviously invalid multi-backend combinations. Also glue into support for valid backends.

2014-08-19  Filip Pizlo  <fpizlo@apple.com>

        Fix indentation and style in LowLevelInterpreter.asm
        https://bugs.webkit.org/show_bug.cgi?id=136083

        Reviewed by Mark Lam.

        * llint/LowLevelInterpreter.asm:

2014-08-19  Magnus Granberg  <zorry@gentoo.org>

        TEXTREL in libjavascriptcoregtk-1.0.so.0.11.0 on x86 (or i586)
        https://bugs.webkit.org/show_bug.cgi?id=70610

        Reviewed by Darin Adler.

        Set up %ebx so we can use the plt.

        * jit/ThunkGenerators.cpp:

2014-08-19  Zalan Bujtas  <zalan@apple.com>

        Remove ENABLE(SUBPIXEL_LAYOUT).
        https://bugs.webkit.org/show_bug.cgi?id=136077

        Reviewed by Simon Fraser.

        Remove compile time flag SUBPIXEL_LAYOUT. All ports have had it enabled for a while now.

        * Configurations/FeatureDefines.xcconfig:

2014-08-19  Alex Christensen  <achristensen@webkit.org>

        [CMake] Generate LLInt assembly correctly on Windows.
        https://bugs.webkit.org/show_bug.cgi?id=135888

        Reviewed by Oliver Hunt.

        * CMakeLists.txt:
        Generate LowLevelInterpreterWin.asm instead of LLIntAssembly.h on Windows like the existing build system.
        * PlatformWin.cmake:
        Don't build JSGlobalObjectInspectorController.cpp on Windows.
        * offlineasm/x86.rb:
        Detect non-cygwin ruby installations correctly.

2014-08-19  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r163179): It broke the build on ARM Thumb2 with GCC
        https://bugs.webkit.org/show_bug.cgi?id=136028

        Reviewed by Oliver Hunt.

        Added back ARMv7 conditionals around three op addp and subp since ARM Thumb2 spec says that
        the behavior for those ops is undefined.  This was originally done in changeset 163179.

        * llint/LowLevelInterpreter32_64.asm:

1279 2014-08-18  Commit Queue  <commit-queue@webkit.org>
1280
1281         Unreviewed, rolling out r172741.
1282         https://bugs.webkit.org/show_bug.cgi?id=136058
1283
1284         This change is breaking PLT. (Requested by mlam on #webkit).
1285
1286         Reverted changeset:
1287
1288         "REGRESSION(r172401): for-in optimization no longer works at
1289         all"
1290         https://bugs.webkit.org/show_bug.cgi?id=136056
1291         http://trac.webkit.org/changeset/172741
1292
1293 2014-08-18  Filip Pizlo  <fpizlo@apple.com>
1294
1295         REGRESSION(r172401): for-in optimization no longer works at all
1296         https://bugs.webkit.org/show_bug.cgi?id=136056
1297
1298         Reviewed by Mark Hahnenberg.
1299         
1300         This is a partial roll-out of r172401. It turns out that the fix wasn't actually fixing a
1301         real bug (since it's fine to use op_get_direct_pname on the wrong base because it has a
1302         structure check) and it was actually breaking the entire for-in optimization (since there is
1303         no way that we can statically prove that the base matches, because the base we see is a
1304         newly created temporary, and anyway doing it right would be really hard in our bytecode
1305         because it's 3AC form).
1306         
1307         But, I added a new test for the problem, and kept the original test. Both the old test and
1308         the new test prove that r172401 wasn't fixing what it thought it was fixing. To the extent
1309         that it resolved crashes it was because it just disabled the for-in optimization entirely.
1310
1311         * bytecompiler/BytecodeGenerator.cpp:
1312         (JSC::BytecodeGenerator::emitGetByVal):
1313         (JSC::BytecodeGenerator::pushIndexedForInScope):
1314         (JSC::BytecodeGenerator::pushStructureForInScope):
1315         * bytecompiler/BytecodeGenerator.h:
1316         (JSC::ForInContext::ForInContext):
1317         (JSC::StructureForInContext::StructureForInContext):
1318         (JSC::IndexedForInContext::IndexedForInContext):
1319         (JSC::ForInContext::base): Deleted.
1320         * bytecompiler/NodesCodegen.cpp:
1321         (JSC::ForInNode::emitMultiLoopBytecode):
1322         * tests/stress/for-in-base-reassigned.js: Added.
1323         * tests/stress/for-in-base-reassigned-later.js: Added.
1324         * tests/stress/for-in-base-reassigned-later-and-change-structure.js: Added.
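
An added example, not one of the stress tests listed above and not WebKit code, showing the language-level behavior those tests exercise: the keys enumerated by for-in come from the object the base referred to when the loop began, but each `o[k]` read must go through whatever the base refers to at that moment, which is why a cached direct-property load has to be guarded by a structure check rather than proven statically. The objects, `reassignAt` and the function name are constructed for this illustration.

```javascript
// Added example (not from the WebKit tree): why the for-in fast path must
// not assume the loop's base object is unchanged. The enumerated keys come
// from the object `o` referred to when the loop started, but each `o[k]`
// must read from whatever `o` refers to *now*.
// `original`, `replacement` and `reassignAt` are constructed inputs.
function forInWithBaseReassigned(original, replacement, reassignAt) {
  let o = original;
  const seen = [];
  let index = 0;
  for (const k in o) {
    // If an engine cached a "direct property name" load against the
    // original object's structure here, it would read the wrong value
    // after the reassignment below; a structure check catches that case.
    seen.push([k, o[k]]);
    if (index === reassignAt) {
      o = replacement; // base is reassigned mid-loop
    }
    index++;
  }
  return seen;
}

// Constructed sample objects. `replacement` has a different property
// layout (a different "structure" in JSC terms) from `original`.
const original = { a: 1, b: 2, c: 3 };
const replacement = { b: 20, a: 10, d: 40 };

// Three variants mirroring the spirit of the new tests: reassign on the
// first iteration, reassign later, and never reassign (plain for-in).
function demo() {
  return {
    immediately: forInWithBaseReassigned(original, replacement, 0),
    later: forInWithBaseReassigned(original, replacement, 1),
    never: forInWithBaseReassigned(original, replacement, -1),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo()));
}
```

Note that `c` is still enumerated after the reassignment (it belongs to the original key set) but reads as `undefined` from the replacement object, which has no such property.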
1325
1326 2014-08-18  Mark Lam  <mark.lam@apple.com>
1327
1328         Gardening: build fix for non-Mac builds after r172737.
1329         https://bugs.webkit.org/show_bug.cgi?id=135750
1330
1331         Not reviewed.
1332
1333         * CMakeLists.txt:
1334         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1335         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1336
1337 2014-08-18  Filip Pizlo  <fpizlo@apple.com>
1338
1339         REGRESSION(r172129): ftlopt branch merge made performance tests flakey crash
1340         https://bugs.webkit.org/show_bug.cgi?id=135750
1341
1342         Reviewed by Mark Lam.
1343         
1344         This was caused by a rather embarrassing oversight in how the DFG tracks structures: we
1345         could sometimes perform an optimization that requires a structure to be alive but forget to
1346         ensure that the structure is actually kept alive. In particular, any watchpoint-based
1347         optimizations involve setting watchpoints even if the code that got optimized is eventually
1348         deleted because it is unreachable. All such optimizations would leave behind something in
1349         the IR to tell us that we are interested in the structure and that therefore it should be
1350         kept alive. But, IR can be deleted if it is unreachable.
1351         
1352         The solution is to ensure that as soon as the DFG is made aware of a structure, it adds it
1353         to the set of weak references.
1354
1355         * JavaScriptCore.xcodeproj/project.pbxproj:
1356         * dfg/DFGAbstractInterpreterInlines.h:
1357         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1358         * dfg/DFGAbstractValue.cpp:
1359         (JSC::DFG::AbstractValue::setOSREntryValue):
1360         (JSC::DFG::AbstractValue::set):
1361         (JSC::DFG::AbstractValue::normalizeClarity):
1362         (JSC::DFG::AbstractValue::assertIsRegistered):
1363         (JSC::DFG::AbstractValue::assertIsWatched): Deleted.
1364         * dfg/DFGAbstractValue.h:
1365         (JSC::DFG::AbstractValue::assertIsRegistered):
1366         (JSC::DFG::AbstractValue::assertIsWatched): Deleted.
1367         * dfg/DFGCommon.h:
1368         * dfg/DFGConstantFoldingPhase.cpp:
1369         (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
1370         * dfg/DFGDesiredWeakReferences.cpp:
1371         (JSC::DFG::DesiredWeakReferences::addLazily):
1372         (JSC::DFG::DesiredWeakReferences::contains):
1373         (JSC::DFG::DesiredWeakReferences::reallyAdd):
1374         (JSC::DFG::DesiredWeakReferences::visitChildren):
1375         * dfg/DFGDesiredWeakReferences.h:
1376         * dfg/DFGFixupPhase.cpp:
1377         (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
1378         * dfg/DFGGraph.cpp:
1379         (JSC::DFG::Graph::Graph):
1380         (JSC::DFG::Graph::registerFrozenValues):
1381         (JSC::DFG::Graph::convertToConstant):
1382         (JSC::DFG::Graph::registerStructure):
1383         (JSC::DFG::Graph::assertIsRegistered):
1384         (JSC::DFG::Graph::assertIsWatched): Deleted.
1385         * dfg/DFGGraph.h:
1386         * dfg/DFGPlan.cpp:
1387         (JSC::DFG::Plan::compileInThreadImpl):
1388         * dfg/DFGStructureAbstractValue.cpp:
1389         (JSC::DFG::StructureAbstractValue::assertIsRegistered):
1390         (JSC::DFG::StructureAbstractValue::assertIsWatched): Deleted.
1391         * dfg/DFGStructureAbstractValue.h:
1392         (JSC::DFG::StructureAbstractValue::assertIsRegistered):
1393         (JSC::DFG::StructureAbstractValue::assertIsWatched): Deleted.
1394         * dfg/DFGStructureRegistrationPhase.cpp: Copied from Source/JavaScriptCore/dfg/DFGWatchableStructureWatchingPhase.cpp.
1395         (JSC::DFG::StructureRegistrationPhase::StructureRegistrationPhase):
1396         (JSC::DFG::StructureRegistrationPhase::run):
1397         (JSC::DFG::StructureRegistrationPhase::registerStructures):
1398         (JSC::DFG::StructureRegistrationPhase::registerStructure):
1399         (JSC::DFG::performStructureRegistration):
1400         (JSC::DFG::WatchableStructureWatchingPhase::WatchableStructureWatchingPhase): Deleted.
1401         (JSC::DFG::WatchableStructureWatchingPhase::run): Deleted.
1402         (JSC::DFG::WatchableStructureWatchingPhase::tryWatch): Deleted.
1403         (JSC::DFG::performWatchableStructureWatching): Deleted.
1404         * dfg/DFGStructureRegistrationPhase.h: Copied from Source/JavaScriptCore/dfg/DFGWatchableStructureWatchingPhase.h.
1405         * dfg/DFGWatchableStructureWatchingPhase.cpp: Removed.
1406         * dfg/DFGWatchableStructureWatchingPhase.h: Removed.
1407
1408 2014-08-18  Akos Kiss  <akiss@inf.u-szeged.hu>
1409
1410         Fix ASSERT in ARM64's JSC::GPRInfo::debugName
1411         https://bugs.webkit.org/show_bug.cgi?id=136050
1412
1413         Reviewed by Darin Adler.
1414
1415         Remove cast of GPRReg to unsigned to prevent signed/unsigned comparison
1416         error.
1417
1418         * jit/GPRInfo.h:
1419         (JSC::GPRInfo::debugName):
1420
1421 2014-08-18  Andreas Kling  <akling@apple.com>
1422
1423         REGRESSION(r168256): JSString can get 8-bit flag wrong when re-using AtomicStrings.
1424         <https://webkit.org/b/133574>
1425         <rdar://problem/18051847>
1426
1427         The optimization that resolves JSRopeStrings into an existing
1428         AtomicString (to save time and memory by avoiding StringImpl allocation)
1429         had a bug that it wasn't copying the 8-bit flag from the AtomicString.
1430
1431         This could lead to a situation where a 16-bit StringImpl containing
1432         only 8-bit characters is sitting in the AtomicString table, is found
1433         by the rope resolution optimization, and gives you a rope that thinks
1434         it's all 8-bit, but has a fiber with 16-bit characters.
1435
1436         Resolving that rope will then yield incorrect results.
1437
1438         This was all caught by an assertion, but very hard to reproduce.
1439
1440         Test: js/dopey-rope-with-16-bit-propertyname.html
1441
1442         Reviewed by Darin Adler.
1443
1444         * runtime/JSString.cpp:
1445         (JSC::JSRopeString::resolveRopeToAtomicString):
1446         (JSC::JSRopeString::resolveRopeToExistingAtomicString):
1447         * runtime/JSString.h:
1448         (JSC::JSString::setIs8Bit):
1449         (JSC::JSString::toExistingAtomicString):
1450
1451 2014-08-18  Matthew Mirman  <mmirman@apple.com>
1452
1453         Merges the two native inlining passes from the build.
1454         Also adds the AvailableExternallyLinkage assertion to linked 
1455         functions to allow unused and duplicate ones to be removed.
1456         https://bugs.webkit.org/show_bug.cgi?id=135526
1457
1458         Reviewed by Filip Pizlo.
1459
1460         * JavaScriptCore.xcodeproj/project.pbxproj: 
1461         Removed second generation of llvm binary files.
1462         Fixed the flags on the first pass. 
1463         * build-symbol-table-index.py: Modified some paths.
1464         * build-symbol-table-index.sh: Removed.
1465         * copy-llvm-ir-to-derived-sources.sh: Now calls build-symbol-table-index directly.
1466         * ftl/FTLLowerDFGToLLVM.cpp: Added LLVMAvailableExternallyLinkage assertion.
1467         (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol): 
1468         * runtime/ArrayPrototype.cpp: Removed static declarations. 
1469         * runtime/DateConstructor.cpp: ditto.
1470         (JSC::dateParse):
1471         (JSC::dateNow):
1472         (JSC::dateUTC):
1473         * runtime/DatePrototype.cpp: ditto.
1474         * runtime/JSDataViewPrototype.cpp: ditto on both.
1475         (JSC::dataViewProtoFuncGetInt8):
1476         (JSC::dataViewProtoFuncGetInt16):
1477         (JSC::dataViewProtoFuncGetInt32):
1478         (JSC::dataViewProtoFuncGetUint8):
1479         (JSC::dataViewProtoFuncGetUint16):
1480         (JSC::dataViewProtoFuncGetUint32):
1481         (JSC::dataViewProtoFuncGetFloat32):
1482         (JSC::dataViewProtoFuncGetFloat64):
1483         (JSC::dataViewProtoFuncSetInt8):
1484         (JSC::dataViewProtoFuncSetInt16):
1485         (JSC::dataViewProtoFuncSetInt32):
1486         (JSC::dataViewProtoFuncSetUint8):
1487         (JSC::dataViewProtoFuncSetUint16):
1488         (JSC::dataViewProtoFuncSetUint32):
1489         (JSC::dataViewProtoFuncSetFloat32):
1490         (JSC::dataViewProtoFuncSetFloat64):
1491         * runtime/JSONObject.cpp: ditto.
1492         * runtime/ObjectConstructor.cpp: ditto.
1493         * runtime/StringPrototype.cpp: ditto.
1494
1495 2014-08-18  Saam Barati  <sbarati@apple.com>
1496
1497         The parser should generate AST nodes for var declarations with no initializers
1498         https://bugs.webkit.org/show_bug.cgi?id=135545
1499
1500         Reviewed by Geoffrey Garen.
1501
1502         Currently, JSC's parser ignores variable declarations
1503         that have no assignment initializer value because all 
1504         variables are implicitly assigned to undefined. But, 
1505         type profiling needs an AST node to be generated for these 
1506         empty variable declarations because it needs to be able to 
1507         profile their text locations and to see that their type 
1508         is undefined.
1509
1510         * bytecompiler/NodesCodegen.cpp:
1511         (JSC::EmptyVarExpression::emitBytecode):
1512         * parser/ASTBuilder.h:
1513         (JSC::ASTBuilder::createVarStatement):
1514         (JSC::ASTBuilder::createEmptyVarExpression):
1515         * parser/NodeConstructors.h:
1516         (JSC::EmptyVarExpression::EmptyVarExpression):
1517         * parser/Nodes.h:
1518         * parser/Parser.cpp:
1519         (JSC::Parser<LexerType>::parseVarDeclarationList):
1520         * parser/SyntaxChecker.h:
1521         (JSC::SyntaxChecker::createEmptyVarExpression):
1522
1523 2014-08-18  Diego Pino Garcia  <dpino@igalia.com>
1524
1525         Completed iterator can be revived by adding more than one new entry to the target object
1526         https://bugs.webkit.org/show_bug.cgi?id=129993
1527
1528         Reviewed by Oliver Hunt.
1529
1530         When iterator reaches end, finish iterator.
1531
1532         * runtime/JSMapIterator.h:
1533         (JSC::JSMapIterator::finish):
1534         * runtime/JSSetIterator.h:
1535         (JSC::JSSetIterator::finish):
1536         * runtime/MapData.h:
1537         (JSC::MapData::const_iterator::finish): set index of iterator to max
1538         Int32.
1539         * runtime/MapIteratorPrototype.cpp:
1540         (JSC::MapIteratorPrototypeFuncNext):
1541         * runtime/SetIteratorPrototype.cpp:
1542         (JSC::SetIteratorPrototypeFuncNext):
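
An added example, not WebKit code and not one of its tests, that checks the behavior this fix guarantees: once a Map or Set iterator has reported completion it must stay completed, even when more than one entry is added to the target collection afterwards. For contrast it also shows that a still-live iterator does observe entries added during iteration, which is the case that must keep working. Function names and sample collections are constructed for this illustration.

```javascript
// Added example (not from the WebKit tree). Exhausts a Map or Set iterator,
// then adds several entries to the collection and checks whether the
// completed iterator wrongly "revives". A conforming engine keeps returning
// {value: undefined, done: true}.
function exhaustThenAdd(collection, newEntries) {
  const it = collection.keys();
  const before = [];
  for (let r = it.next(); !r.done; r = it.next()) {
    before.push(r.value);
  }
  // The iterator is now finished. Add more than one entry to the target.
  for (const entry of newEntries) {
    if (collection instanceof Map) collection.set(entry[0], entry[1]);
    else collection.add(entry);
  }
  // Call next() twice: both results must still report done.
  const afterFirst = it.next();
  const afterSecond = it.next();
  return {
    before,
    revived: !(afterFirst.done && afterSecond.done),
    afterValue: afterFirst.value,
    size: collection.size,
  };
}

// Constructed sample collections.
function demoMap() {
  const m = new Map([['a', 1], ['b', 2]]);
  return exhaustThenAdd(m, [['c', 3], ['d', 4]]);
}

function demoSet() {
  const s = new Set(['x', 'y']);
  return exhaustThenAdd(s, ['z', 'w']);
}

// Contrast: a live (not yet finished) iterator does observe entries added
// during iteration; only a completed one must stay completed.
function addWhileLive() {
  const m = new Map([['a', 1]]);
  const seen = [];
  for (const [k] of m) {
    seen.push(k);
    if (k === 'a') {
      m.set('b', 2);
      m.set('c', 3);
    }
  }
  return seen;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify({ map: demoMap(), set: demoSet(), live: addWhileLive() }));
}
```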
1543
1544 2014-08-15  Brian J. Burg  <burg@cs.washington.edu>
1545
1546         Web Inspector: rewrite CodeGeneratorInspector to be modular and testable
1547         https://bugs.webkit.org/show_bug.cgi?id=131596
1548
1549         Unreviewed gardening to rebaseline inspector generator tests after addressing review comments.
1550
1551         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1552         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1553         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1554         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1555         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1556         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1557         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1558         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1559         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1560         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1561         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1562
1563 2014-08-15  Brian J. Burg  <burg@cs.washington.edu>
1564
1565         Unreviewed build fix for some GTK bots after r172655.
1566
1567         Some bots use Python 2.6, which lacks the 'flags' named parameter for re.sub.
1568
1569         * inspector/scripts/codegen/generator.py:
1570         (Generator.stylized_name_for_enum_value): Do things the old-school way.
1571
1572 2014-08-15  Michael Saboff  <msaboff@apple.com>
1573
1574         Change callToJavaScript and callToNativeFunction so their callFrames match the native calling conventions
1575         https://bugs.webkit.org/show_bug.cgi?id=131578
1576
1577         Reviewed by Geoffrey Garen.
1578
1579         Renamed callToJavaScript and callToNativeFunction to vmEntryToJavaScript and vmEntryToNative,
1580         respectively.  Eliminated the sentinel frame and replaced it with the structure VMEntryRecord
1581         that appears in the "locals" area of a VM entry stack frame.  Changed the order that
1582         vmEntryToJavaScript and vmEntryToNative create their stack frames to be native calling
1583         convention compliant.  That is to save prior frame pointer, save callee save registers, then
1584         allocate and populate the VMEntryRecord, and finally allocate a CallFrame for the JS function
1585         that vmEntryToJavaScript will invoke.  The topmost vm entry frame pointer is saved in
1586         VM::topVMEntryFrame.  The vmEntry functions save prior contents of VM::topVMEntryFrame
1587         along with the VM and VM::topCallFrame in the VMEntryRecord it places on the stack.  Starting
1588         at VM::topCallFrame, the stack can be walked using these VMEntryRecords.
1589
1590         Arbitrary stack unwinding is now handled either iteratively by loading VM::topVMEntryFrame
1591         into a local variable and using CallFrame::callerFrame(VMEntryFrame*&) or by using StackVisitor.
1592         Given that the stack is effectively a singly linked list, general stack unwinding needs to use
1593         one of these two methods.
1594
1595         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1596         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1597         * JavaScriptCore.xcodeproj/project.pbxproj:
1598         Addition of VMEntryRecord.h
1599
1600         * bytecode/BytecodeList.json:
1601         Renaming of llint helper opcodes due to renaming callToJavaScript and callToNativeFunction.
1602
1603         * debugger/Debugger.cpp:
1604         (JSC::Debugger::stepOutOfFunction):
1605         (JSC::Debugger::returnEvent):
1606         (JSC::Debugger::didExecuteProgram):
1607         * jsc.cpp:
1608         (functionDumpCallFrame):
1609         * jit/JITOperations.cpp:
1610         Changed unwinding to use CallFrame::callerFrame(VMEntryFrame*&).
1611
1612         * bytecode/CodeBlock.cpp:
1613         (JSC::RecursionCheckFunctor::RecursionCheckFunctor):
1614         (JSC::RecursionCheckFunctor::operator()):
1615         (JSC::RecursionCheckFunctor::didRecurse):
1616         (JSC::CodeBlock::noticeIncomingCall):
1617         * debugger/DebuggerCallFrame.cpp:
1618         (JSC::FindCallerMidStackFunctor::FindCallerMidStackFunctor):
1619         (JSC::FindCallerMidStackFunctor::operator()):
1620         (JSC::FindCallerMidStackFunctor::getCallerFrame):
1621         (JSC::DebuggerCallFrame::callerFrame):
1622         * interpreter/VMInspector.cpp:
1623         (JSC::CountFramesFunctor::CountFramesFunctor):
1624         (JSC::CountFramesFunctor::operator()):
1625         (JSC::CountFramesFunctor::count):
1626         (JSC::VMInspector::countFrames):
1627         * runtime/VM.cpp:
1628         (JSC::VM::VM):
1629         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
1630         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
1631         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame):
1632         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index):
1633         (JSC::VM::throwException):
1634         Changed unwinding to use StackVisitor including added functor classes.
1635
1636         * interpreter/CallFrame.cpp:
1637         (JSC::CallFrame::callerFrame):
1638         Added new flavor of callerFrame() that can iteratively unwind the stack.
1639
1640         * interpreter/CallFrame.h:
1641         (JSC::ExecState::callerFrame): Changed callerFrame() to use private common helper.
1642         (JSC::ExecState::callerFrameOrVMEntryFrame): Deleted.
1643         (JSC::ExecState::isVMEntrySentinel): Deleted.
1644         (JSC::ExecState::vmEntrySentinelCallerFrame): Deleted.
1645         (JSC::ExecState::initializeVMEntrySentinelFrame): Deleted.
1646         (JSC::ExecState::callerFrameSkippingVMEntrySentinel): Deleted.
1647         (JSC::ExecState::vmEntrySentinelCodeBlock): Deleted.
1648
1649         * interpreter/CallFrame.h:
1650         (JSC::ExecState::init):
1651         (JSC::ExecState::topOfFrame):
1652         (JSC::ExecState::currentVPC):
1653         (JSC::ExecState::setCurrentVPC):
1654         Eliminated unneeded checking of sentinel frame.
1655
1656         * interpreter/Interpreter.cpp:
1657         (JSC::unwindCallFrame):
1658         (JSC::Interpreter::getStackTrace): Updated for unwinding changes.
1659         (JSC::Interpreter::unwind): Eliminated unneeded sentinel frame check.
1660
1661         * interpreter/Interpreter.cpp:
1662         (JSC::Interpreter::executeCall):
1663         (JSC::Interpreter::executeConstruct):
1664         * jit/JITStubs.h:
1665         * llint/LLIntThunks.cpp:
1666         (JSC::callToJavaScript): Deleted.
1667         (JSC::callToNativeFunction): Deleted.
1668         (JSC::vmEntryToJavaScript):
1669         (JSC::vmEntryToNative):
1670         * llint/LLIntThunks.h:
1671         Updated for vmEntryToJavaScript and vmEntryToNative name changes.
1672
1673         * interpreter/Interpreter.h:
1674         (JSC::TopCallFrameSetter::TopCallFrameSetter):
1675         (JSC::TopCallFrameSetter::~TopCallFrameSetter):
1676         Eliminated unneeded sentinel frame check.
1677
1678         * interpreter/Interpreter.h:
1679         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
1680         Removed sentinel specific constructor.
1681
1682         * interpreter/StackVisitor.cpp:
1683         (JSC::StackVisitor::StackVisitor):
1684         (JSC::StackVisitor::readFrame):
1685         (JSC::StackVisitor::readNonInlinedFrame):
1686         (JSC::StackVisitor::readInlinedFrame):
1687         (JSC::StackVisitor::Frame::print):
1688         * interpreter/StackVisitor.h:
1689         (JSC::StackVisitor::Frame::callerIsVMEntry):
1690         Changes for unwinding using CallFrame::callerFrame(VMEntryFrame*&).  Also added field that
1691         indicates when about to step over a VM entry frame.
1692
1693         * interpreter/VMEntryRecord.h: Added.
1694         (JSC::VMEntryRecord::prevTopCallFrame):
1695         (JSC::VMEntryRecord::prevTopVMEntryFrame):
1696         New struct to record prior state of VM's notion of VM entry and top call frames.
1697
1698         * jit/JITCode.cpp:
1699         (JSC::JITCode::execute):
1700         Use new vmEntryToJavaScript and vmEntryToNative name.
1701
1702         * llint/LLIntOffsetsExtractor.cpp: Added include for VMEntryRecord.h.
1703
1704         * llint/LowLevelInterpreter.asm:
1705         * llint/LowLevelInterpreter32_64.asm:
1706         * llint/LowLevelInterpreter64.asm:
1707         Offline assembly implementation of creating stack frame with VMEntryRecord as well as restoring
1708         relevant VM fields when exiting the VM.  Added a helper that returns a VMEntryRecord given
1709         a pointer to the VM entry frame.
1710
1711         * llint/LLIntThunks.cpp:
1712         (JSC::vmEntryRecord):
1713         * llint/LowLevelInterpreter.cpp:
1714         (JSC::CLoop::execute):
1715         C Loop changes to mirror the assembly changes.
1716
1717         * runtime/VM.h:
1718         Added topVMEntryFrame field.
1719
1720 2014-08-15  Brian J. Burg  <burg@cs.washington.edu>
1721
1722         Web Inspector: rewrite CodeGeneratorInspector to be modular and testable
1723         https://bugs.webkit.org/show_bug.cgi?id=131596
1724
1725         Reviewed by Joseph Pecoraro.
1726
1727         Replace CodeGeneratorInspector.py with generate-inspector-protocol-bindings.py.
1728         The new generator decouples parsing and typechecking a model of the protocol from
1729         code generation. Each generated file is created by a different subclass of Generator.
1730         Helper methods to compute various type signatures are shared among generators.
1731
1732         This patch introduces a test harness and a test suite that covers all functionality.
1733
1734         Aside from hooking up the new inspector bindings generator to the build system,
1735         there are a few commingled changes that would be painful to split from the main
1736         patch:
1737
1738         Convert protocol enumeration types from struct-namespaced enums to C++ scoped enums.
1739
1740         Move all runtimeCast(), assertValueHasExpectedType(), and RuntimeCastHelper methods to static
1741         methods of BindingTraits specializations.
1742
1743         Together, these changes reduce duplication and make it possible to forward-declare
1744         all protocol enum and object types, reducing weird ordering dependencies between domains.
1745
1746         * CMakeLists.txt:
1747         * DerivedSources.make:
1748         * JavaScriptCore.vcxproj/copy-files.cmd:
1749         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1750         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Add inspector scripts to solution filters.
1751         * JavaScriptCore.xcodeproj/project.pbxproj:
1752         * inspector/ConsoleMessage.cpp: Convert to scoped enums.
1753         (Inspector::messageSourceValue):
1754         (Inspector::messageTypeValue):
1755         (Inspector::messageLevelValue):
1756         * inspector/InjectedScript.cpp: Convert to scoped enums and BindingTraits.
1757         (Inspector::InjectedScript::getFunctionDetails):
1758         (Inspector::InjectedScript::getProperties):
1759         (Inspector::InjectedScript::getInternalProperties):
1760         (Inspector::InjectedScript::wrapCallFrames):
1761         (Inspector::InjectedScript::wrapObject):
1762         (Inspector::InjectedScript::wrapTable):
1763         * inspector/InjectedScriptBase.cpp: Convert InspectorValue::Type to a scoped enum.
1764         (Inspector::InjectedScriptBase::makeEvalCall):
1765         * inspector/InjectedScriptManager.cpp:
1766         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
1767         * inspector/InspectorTypeBuilder.h:
1768         (Inspector::TypeBuilder::Array::create):
1769         (Inspector::TypeBuilder::StructItemTraits::pushRefPtr):
1770         (Inspector::TypeBuilder::ArrayItemHelper<String>::Traits::pushRaw):
1771         (Inspector::TypeBuilder::ArrayItemHelper<int>::Traits::pushRaw):
1772         (Inspector::TypeBuilder::ArrayItemHelper<double>::Traits::pushRaw):
1773         (Inspector::TypeBuilder::ArrayItemHelper<bool>::Traits::pushRaw):
1774         (Inspector::TypeBuilder::ArrayItemHelper<InspectorValue>::Traits::pushRefPtr):
1775         (Inspector::TypeBuilder::ArrayItemHelper<InspectorObject>::Traits::pushRefPtr):
1776         (Inspector::TypeBuilder::ArrayItemHelper<InspectorArray>::Traits::pushRefPtr):
1777         (Inspector::TypeBuilder::PrimitiveBindingTraits::assertValueHasExpectedType):
1778         (Inspector::TypeBuilder::BindingTraits<TypeBuilder::Array<T>>::runtimeCast):
1779         (Inspector::TypeBuilder::BindingTraits<TypeBuilder::Array<T>>::assertValueHasExpectedType):
1780         (Inspector::TypeBuilder::BindingTraits<InspectorValue>::assertValueHasExpectedType):
1781         (Inspector::TypeBuilder::BindingTraits<int>::assertValueHasExpectedType):
1782         (Inspector::TypeBuilder::ExactlyInt::ExactlyInt): Deleted. It was not used.
1783         (Inspector::TypeBuilder::ExactlyInt::operator int): Deleted.
1784         (Inspector::TypeBuilder::ExactlyInt::cast_to_int): Deleted.
1785         (Inspector::TypeBuilder::ExactlyInt::cast_to_int<int>): Deleted.
1786         (Inspector::TypeBuilder::int>): Deleted.
1787         (Inspector::TypeBuilder::RuntimeCastHelper::assertType): Deleted.
1788         (Inspector::TypeBuilder::RuntimeCastHelper::assertAny): Deleted.
1789         (Inspector::TypeBuilder::RuntimeCastHelper::assertInt): Deleted.
1790         (Inspector::TypeBuilder::Array::runtimeCast): Deleted.
1791         (Inspector::TypeBuilder::Array::assertCorrectValue): Deleted.
1792         (Inspector::TypeBuilder::StructItemTraits::assertCorrectValue): Deleted.
1793         (Inspector::TypeBuilder::ArrayItemHelper<String>::Traits::assertCorrectValue): Deleted.
1794         (Inspector::TypeBuilder::ArrayItemHelper<int>::Traits::assertCorrectValue): Deleted.
1795         (Inspector::TypeBuilder::ArrayItemHelper<double>::Traits::assertCorrectValue): Deleted.
1796         (Inspector::TypeBuilder::ArrayItemHelper<bool>::Traits::assertCorrectValue): Deleted.
1797         (Inspector::TypeBuilder::ArrayItemHelper<InspectorValue>::Traits::assertCorrectValue): Deleted.
1798         (Inspector::TypeBuilder::ArrayItemHelper<InspectorObject>::Traits::assertCorrectValue): Deleted.
1799         (Inspector::TypeBuilder::ArrayItemHelper<InspectorArray>::Traits::assertCorrectValue): Deleted.
1800         (Inspector::TypeBuilder::ArrayItemHelper<TypeBuilder::Array<T>>::Traits::assertCorrectValue): Deleted.
1801
1802         * inspector/InspectorValues.cpp: Convert InspectorValue::Type to a scoped enum.
1803         (Inspector::InspectorValue::writeJSON):
1804         (Inspector::InspectorBasicValue::asBoolean):
1805         (Inspector::InspectorBasicValue::asNumber):
1806         (Inspector::InspectorBasicValue::writeJSON):
1807         (Inspector::InspectorString::writeJSON):
1808         (Inspector::InspectorObjectBase::InspectorObjectBase):
1809         (Inspector::InspectorObjectBase::setArray): Take InspectorArrayBase.
1810         (Inspector::InspectorObjectBase::setObject): Take InspectorObjectBase.
1811         (Inspector::InspectorArrayBase::InspectorArrayBase):
1812         * inspector/InspectorValues.h:
1813
1814         * inspector/agents/InspectorDebuggerAgent.cpp: Convert to scoped enums.
1815         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
1816         (Inspector::InspectorDebuggerAgent::breakProgram):
1817         * inspector/agents/InspectorDebuggerAgent.h:
1818         * inspector/agents/InspectorRuntimeAgent.cpp:
1819         (Inspector::InspectorRuntimeAgent::parse):
1820         * inspector/agents/InspectorRuntimeAgent.h:
1821
1822         * inspector/scripts/CodeGeneratorInspector.py: Removed.
1823         * inspector/scripts/codegen/__init__.py: Added.
1824         * inspector/scripts/codegen/generate_backend_commands.py: Added.
1825         (BackendCommandsGenerator):
1826         (BackendCommandsGenerator.__init__):
1827         (BackendCommandsGenerator.model):
1828         (BackendCommandsGenerator.output_filename):
1829         (BackendCommandsGenerator.generate_license):
1830         (BackendCommandsGenerator.generate_output):
1831         (BackendCommandsGenerator.generate_domain):
1832         (BackendCommandsGenerator.generate_domain.is_anonymous_enum_member):
1833         (BackendCommandsGenerator.generate_domain.generate_parameter_object):
1834         * inspector/scripts/codegen/generate_backend_dispatcher_header.py: Added.
1835         (BackendDispatcherHeaderGenerator):
1836         (BackendDispatcherHeaderGenerator.__init__):
1837         (BackendDispatcherHeaderGenerator.model):
1838         (BackendDispatcherHeaderGenerator.output_filename):
1839         (BackendDispatcherHeaderGenerator.generate_license):
1840         (BackendDispatcherHeaderGenerator.generate_output):
1841         (BackendDispatcherHeaderGenerator.generate_output.for):
1842         (BackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain):
1843         (BackendDispatcherHeaderGenerator._generate_anonymous_enum_for_parameter):
1844         (BackendDispatcherHeaderGenerator._generate_handler_declaration_for_command):
1845         (BackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
1846         (BackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
1847         (BackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
1848         * inspector/scripts/codegen/generate_backend_dispatcher_implementation.py: Added.
1849         (BackendDispatcherImplementationGenerator):
1850         (BackendDispatcherImplementationGenerator.__init__):
1851         (BackendDispatcherImplementationGenerator.model):
1852         (BackendDispatcherImplementationGenerator.output_filename):
1853         (BackendDispatcherImplementationGenerator.generate_license):
1854         (BackendDispatcherImplementationGenerator.generate_output):
1855         (BackendDispatcherImplementationGenerator._generate_handler_class_destructor_for_domain):
1856         (BackendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain):
1857         (BackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
1858         (BackendDispatcherImplementationGenerator._generate_large_dispatcher_switch_implementation_for_domain):
1859         (BackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
1860         (BackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
1861         * inspector/scripts/codegen/generate_frontend_dispatcher_header.py: Added.
1862         (FrontendDispatcherHeaderGenerator):
1863         (FrontendDispatcherHeaderGenerator.__init__):
1864         (FrontendDispatcherHeaderGenerator.model):
1865         (FrontendDispatcherHeaderGenerator.output_filename):
1866         (FrontendDispatcherHeaderGenerator.generate_license):
1867         (FrontendDispatcherHeaderGenerator.generate_output):
1868         (FrontendDispatcherHeaderGenerator._generate_anonymous_enum_for_parameter):
1869         (FrontendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
1870         (FrontendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_event):
1871         * inspector/scripts/codegen/generate_frontend_dispatcher_implementation.py: Added.
1872         (FrontendDispatcherImplementationGenerator):
1873         (FrontendDispatcherImplementationGenerator.__init__):
1874         (FrontendDispatcherImplementationGenerator.model):
1875         (FrontendDispatcherImplementationGenerator.output_filename):
1876         (FrontendDispatcherImplementationGenerator.generate_license):
1877         (FrontendDispatcherImplementationGenerator.generate_output):
1878         (FrontendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain):
1879         (FrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
1880         * inspector/scripts/codegen/generate_type_builder_header.py: Added.
1881         (TypeBuilderHeaderGenerator):
1882         (TypeBuilderHeaderGenerator.__init__):
1883         (TypeBuilderHeaderGenerator.model):
1884         (TypeBuilderHeaderGenerator.output_filename):
1885         (TypeBuilderHeaderGenerator.generate_license):
1886         (TypeBuilderHeaderGenerator.generate_output):
1887         (TypeBuilderHeaderGenerator._generate_forward_declarations):
1888         (_generate_typedefs):
1889         (_generate_typedefs_for_domain):
1890         (_generate_builders_for_domain):
1891         (_generate_class_for_object_declaration):
1892         (_generate_struct_for_enum_declaration):
1893         (_generate_struct_for_anonymous_enum_member):
1894         (_generate_struct_for_anonymous_enum_member.apply_indentation):
1895         (_generate_struct_for_enum_type):
1896         (_generate_builder_state_enum):
1897         (_generate_builder_setter_for_member):
1898         (_generate_unchecked_setter_for_member):
1899         (_generate_forward_declarations_for_binding_traits):
1900         * inspector/scripts/codegen/generate_type_builder_implementation.py: Added.
1901         (TypeBuilderImplementationGenerator):
1902         (TypeBuilderImplementationGenerator.__init__):
1903         (TypeBuilderImplementationGenerator.model):
1904         (TypeBuilderImplementationGenerator.output_filename):
1905         (TypeBuilderImplementationGenerator.generate_license):
1906         (TypeBuilderImplementationGenerator.generate_output):
1907         (TypeBuilderImplementationGenerator._generate_enum_mapping):
1908         (TypeBuilderImplementationGenerator._generate_open_field_names):
1909         (TypeBuilderImplementationGenerator._generate_builders_for_domain):
1910         (TypeBuilderImplementationGenerator._generate_runtime_cast_for_object_declaration):
1911         (TypeBuilderImplementationGenerator._generate_assertion_for_object_declaration):
1912         (TypeBuilderImplementationGenerator._generate_assertion_for_enum):
1913         * inspector/scripts/codegen/generator.py: Added.
1914         (ucfirst):
1915         (Generator):
1916         (Generator.__init__):
1917         (Generator.model):
1918         (Generator.generate_license):
1919         (Generator.domains_to_generate):
1920         (Generator.generate_output):
1921         (Generator.output_filename):
1922         (Generator.encoding_for_enum_value):
1923         (Generator.assigned_enum_values):
1924         (Generator.type_needs_runtime_casts):
1925         (Generator.type_has_open_fields):
1926         (Generator.type_needs_shape_assertions):
1927         (Generator.calculate_types_requiring_shape_assertions):
1928         (Generator.calculate_types_requiring_shape_assertions.gather_transitively_referenced_types):
1929         (Generator._traverse_and_assign_enum_values):
1930         (Generator._assign_encoding_for_enum_value):
1931         (Generator.wrap_with_guard_for_domain):
1932         (Generator.stylized_name_for_enum_value):
1933         (Generator.stylized_name_for_enum_value.replaceCallback):
1934         (Generator.keyed_get_method_for_type):
1935         (Generator.keyed_set_method_for_type):
1936         (Generator.type_builder_string_for_type):
1937         (Generator.type_builder_string_for_type_member):
1938         (Generator.type_string_for_unchecked_formal_in_parameter):
1939         (Generator.type_string_for_checked_formal_event_parameter):
1940         (Generator.type_string_for_type_member):
1941         (Generator.type_string_for_type_with_name):
1942         (Generator.type_string_for_formal_out_parameter):
1943         (Generator.type_string_for_formal_async_parameter):
1944         (Generator.type_string_for_stack_in_parameter):
1945         (Generator.type_string_for_stack_out_parameter):
1946         (Generator.assertion_method_for_type_member):
1947         (Generator.assertion_method_for_type_member.assertion_method_for_type):
1948         (Generator.cpp_name_for_primitive_type):
1949         (Generator.js_name_for_parameter_type):
1950         (Generator.should_use_wrapper_for_return_type):
1951         (Generator.should_pass_by_copy_for_return_type):
1952         * inspector/scripts/codegen/generator_templates.py: Added.
1953         (GeneratorTemplates):
1954         (void):
1955         (HashMap):
1956         (Builder):
1957         (Inspector):
1958         * inspector/scripts/codegen/models.py: Added.
1959         (ucfirst):
1960         (ParseException):
1961         (TypecheckException):
1962         (Framework):
1963         (Framework.__init__):
1964         (Framework.setting):
1965         (Framework.fromString):
1966         (Frameworks):
1967         (TypeReference):
1968         (TypeReference.__init__):
1969         (TypeReference.referenced_name):
1970         (Type):
1971         (Type.__init__):
1972         (Type.__eq__):
1973         (Type.__hash__):
1974         (Type.raw_name):
1975         (Type.is_enum):
1976         (Type.type_domain):
1977         (Type.qualified_name):
1978         (Type.resolve_type_references):
1979         (PrimitiveType):
1980         (PrimitiveType.__init__):
1981         (PrimitiveType.__repr__):
1982         (PrimitiveType.type_domain):
1983         (PrimitiveType.qualified_name):
1984         (AliasedType):
1985         (AliasedType.__init__):
1986         (AliasedType.__repr__):
1987         (AliasedType.is_enum):
1988         (AliasedType.type_domain):
1989         (AliasedType.qualified_name):
1990         (AliasedType.resolve_type_references):
1991         (EnumType):
1992         (EnumType.__init__):
1993         (EnumType.__repr__):
1994         (EnumType.is_enum):
1995         (EnumType.type_domain):
1996         (EnumType.enum_values):
1997         (EnumType.qualified_name):
1998         (EnumType.resolve_type_references):
1999         (ArrayType):
2000         (ArrayType.__init__):
2001         (ArrayType.__repr__):
2002         (ArrayType.type_domain):
2003         (ArrayType.qualified_name):
2004         (ArrayType.resolve_type_references):
2005         (ObjectType):
2006         (ObjectType.__init__):
2007         (ObjectType.__repr__):
2008         (ObjectType.type_domain):
2009         (ObjectType.qualified_name):
2010         (check_for_required_properties):
2011         (Protocol):
2012         (Protocol.__init__):
2013         (Protocol.parse_specification):
2014         (Protocol.parse_domain):
2015         (Protocol.parse_type_declaration):
2016         (Protocol.parse_type_member):
2017         (Protocol.parse_command):
2018         (Protocol.parse_event):
2019         (Protocol.parse_call_or_return_parameter):
2020         (Protocol.resolve_types):
2021         (Protocol.lookup_type_for_declaration):
2022         (Protocol.lookup_type_reference):
2023         (Domain):
2024         (Domain.__init__):
2025         (Domain.resolve_type_references):
2026         (Domains):
2027         (TypeDeclaration):
2028         (TypeDeclaration.__init__):
2029         (TypeDeclaration.resolve_type_references):
2030         (TypeMember):
2031         (TypeMember.__init__):
2032         (TypeMember.resolve_type_references):
2033         (Parameter):
2034         (Parameter.__init__):
2035         (Parameter.resolve_type_references):
2036         (Command):
2037         (Command.__init__):
2038         (Command.resolve_type_references):
2039         (Event):
2040         (Event.__init__):
2041         (Event.resolve_type_references):
2042         * inspector/scripts/generate-inspector-protocol-bindings.py: Added.
2043         (IncrementalFileWriter):
2044         (IncrementalFileWriter.__init__):
2045         (IncrementalFileWriter.write):
2046         (IncrementalFileWriter.close):
2047         (generate_from_specification):
2048         (generate_from_specification.load_specification):
2049         * inspector/scripts/tests/commands-with-async-attribute.json: Added.
2050         * inspector/scripts/tests/commands-with-optional-call-return-parameters.json: Added.
2051         * inspector/scripts/tests/domains-with-varying-command-sizes.json: Added.
2052         * inspector/scripts/tests/events-with-optional-parameters.json: Added.
2053         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result: Added.
2054         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result: Added.
2055         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result: Added.
2056         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result: Added.
2057         * inspector/scripts/tests/fail-on-duplicate-type-declarations.json-error: Added.
2058         * inspector/scripts/tests/fail-on-enum-with-no-values.json-error: Added.
2059         * inspector/scripts/tests/fail-on-type-declaration-using-type-reference.json-error: Added.
2060         * inspector/scripts/tests/fail-on-type-with-lowercase-name.json-error: Added.
2061         * inspector/scripts/tests/fail-on-unknown-type-reference-in-type-declaration.json-error: Added.
2062         * inspector/scripts/tests/fail-on-unknown-type-reference-in-type-member.json-error: Added.
2063         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result: Added.
2064         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result: Added.
2065         * inspector/scripts/tests/expected/type-declaration-array-type.json-result: Added.
2066         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result: Added.
2067         * inspector/scripts/tests/expected/type-declaration-object-type.json-result: Added.
2068         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result: Added.
2069         * inspector/scripts/tests/fail-on-duplicate-type-declarations.json: Added.
2070         * inspector/scripts/tests/fail-on-enum-with-no-values.json: Added.
2071         * inspector/scripts/tests/fail-on-type-declaration-using-type-reference.json: Added.
2072         * inspector/scripts/tests/fail-on-type-with-lowercase-name.json: Added.
2073         * inspector/scripts/tests/fail-on-unknown-type-reference-in-type-declaration.json: Added.
2074         * inspector/scripts/tests/fail-on-unknown-type-reference-in-type-member.json: Added.
2075         * inspector/scripts/tests/same-type-id-different-domain.json: Added.
2076         * inspector/scripts/tests/type-declaration-aliased-primitive-type.json: Added.
2077         * inspector/scripts/tests/type-declaration-array-type.json: Added.
2078         * inspector/scripts/tests/type-declaration-enum-type.json: Added.
2079         * inspector/scripts/tests/type-declaration-object-type.json: Added.
2080         * inspector/scripts/tests/type-requiring-runtime-casts.json: Added.
2081
2082 2014-08-15  Matthew Mirman  <mmirman@apple.com>
2083
2084         Made native inlining errors not segfault.
2085         https://bugs.webkit.org/show_bug.cgi?id=135988
2086
2087         Reviewed by Geoffrey Garen.
2088
2089         * ftl/FTLAbbreviations.h:
2090         (JSC::FTL::disposeMessage): Added.
2091         * ftl/FTLLowerDFGToLLVM.cpp:
2092         (JSC::FTL::LowerDFGToLLVM::compilePutById):
2093         abstracted out Options::verboseCompilation as was the case in the rest of the file.
2094         (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
2095         (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):
2096         added output error messages for llvm module loading.
2097
2098 2014-08-14  Andreas Kling  <akling@apple.com>
2099
2100         Allocate the whole RegExpMatchesArray backing store up front.
2101         <https://webkit.org/b/135217>
2102
2103         We were using the generic array backing store allocation path for
2104         RegExpMatchesArray which meant starting with 4 slots and then growing
2105         it dynamically as we append. Since we always know the final number of
2106         entries up front, allocate a perfectly-sized backing store right away.
2107
2108         ~2% progression on Octane/regexp.
2109
2110         Reviewed by Geoffrey Garen.
2111
2112         * runtime/JSArray.h:
2113         (JSC::createArrayButterflyWithExactLength):
2114         * runtime/RegExpMatchesArray.cpp:
2115         (JSC::RegExpMatchesArray::create):
2116
2117 2014-08-14  Saam Barati  <sbarati@apple.com>
2118
2119         Allow high fidelity type profiling to be enabled and disabled.
2120         https://bugs.webkit.org/show_bug.cgi?id=135423
2121
2122         Reviewed by Geoffrey Garen.
2123
2124         - Merged op_put_to_scope_with_profile and op_get_from_scope_with_profile into
2125           op_profile_types_with_high_fidelity by adding extra arguments to the opcode.
2126         - Altered SymbolTable to use less memory by adding a rare data structure for
2127           type profiling.
2128         - Created an interface to turn on and off type profiling from the Web
2129           Inspector.
2130         - Refactored how entries are written to HighFidelityLog to make it
2131           easier to inline when generating machine code.
2132         - Implemented op_profile_types_with_high_fidelity in the baseline JIT
2133           by inlining the process of writing to the log and doing a small amount
2134           of type inference optimizations.
2135
2136         * bytecode/BytecodeList.json:
2137         * bytecode/BytecodeUseDef.h:
2138         (JSC::computeUsesForBytecodeOffset):
2139         (JSC::computeDefsForBytecodeOffset):
2140         * bytecode/CodeBlock.cpp:
2141         (JSC::CodeBlock::dumpBytecode):
2142         (JSC::CodeBlock::CodeBlock):
2143         (JSC::CodeBlock::finalizeUnconditionally):
2144         (JSC::CodeBlock::scopeDependentProfile): Deleted.
2145         * bytecode/CodeBlock.h:
2146         * bytecode/TypeLocation.h:
2147         (JSC::TypeLocation::TypeLocation):
2148         * bytecompiler/BytecodeGenerator.cpp:
2149         (JSC::BytecodeGenerator::generate):
2150         (JSC::BytecodeGenerator::emitMove):
2151         (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
2152         (JSC::BytecodeGenerator::emitGetFromScopeWithProfile): Deleted.
2153         (JSC::BytecodeGenerator::emitPutToScopeWithProfile): Deleted.
2154         * bytecompiler/BytecodeGenerator.h:
2155         * bytecompiler/NodesCodegen.cpp:
2156         (JSC::ThisNode::emitBytecode):
2157         (JSC::ResolveNode::emitBytecode):
2158         (JSC::BracketAccessorNode::emitBytecode):
2159         (JSC::DotAccessorNode::emitBytecode):
2160         (JSC::FunctionCallValueNode::emitBytecode):
2161         (JSC::FunctionCallResolveNode::emitBytecode):
2162         (JSC::FunctionCallBracketNode::emitBytecode):
2163         (JSC::FunctionCallDotNode::emitBytecode):
2164         (JSC::CallFunctionCallDotNode::emitBytecode):
2165         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2166         (JSC::PostfixNode::emitResolve):
2167         (JSC::PostfixNode::emitBracket):
2168         (JSC::PostfixNode::emitDot):
2169         (JSC::PrefixNode::emitResolve):
2170         (JSC::PrefixNode::emitBracket):
2171         (JSC::PrefixNode::emitDot):
2172         (JSC::ReadModifyResolveNode::emitBytecode):
2173         (JSC::AssignResolveNode::emitBytecode):
2174         (JSC::AssignDotNode::emitBytecode):
2175         (JSC::ReadModifyDotNode::emitBytecode):
2176         (JSC::AssignBracketNode::emitBytecode):
2177         (JSC::ReadModifyBracketNode::emitBytecode):
2178         (JSC::ReturnNode::emitBytecode):
2179         (JSC::FunctionBodyNode::emitBytecode):
2180         * inspector/agents/InspectorRuntimeAgent.cpp:
2181         (Inspector::InspectorRuntimeAgent::InspectorRuntimeAgent):
2182         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
2183         (Inspector::TypeRecompiler::operator()):
2184         (Inspector::recompileAllJSFunctionsForTypeProfiling):
2185         (Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend):
2186         (Inspector::InspectorRuntimeAgent::enableHighFidelityTypeProfiling):
2187         (Inspector::InspectorRuntimeAgent::disableHighFidelityTypeProfiling):
2188         (Inspector::InspectorRuntimeAgent::setHighFidelityTypeProfilingEnabledState):
2189         * inspector/agents/InspectorRuntimeAgent.h:
2190         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
2191         (Inspector::JSGlobalObjectRuntimeAgent::willDestroyFrontendAndBackend):
2192         * inspector/protocol/Runtime.json:
2193         * jit/JIT.cpp:
2194         (JSC::JIT::privateCompileMainPass):
2195         (JSC::JIT::privateCompile):
2196         * jit/JIT.h:
2197         * jit/JITOpcodes.cpp:
2198         (JSC::JIT::emit_op_profile_types_with_high_fidelity):
2199         * jit/JITOpcodes32_64.cpp:
2200         (JSC::JIT::emit_op_profile_types_with_high_fidelity):
2201         * jit/JITOperations.cpp:
2202         * jit/JITOperations.h:
2203         * llint/LLIntSlowPaths.cpp:
2204         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2205         (JSC::LLInt::getFromScopeCommon): Deleted.
2206         (JSC::LLInt::putToScopeCommon): Deleted.
2207         * llint/LLIntSlowPaths.h:
2208         * llint/LowLevelInterpreter.asm:
2209         * runtime/CodeCache.cpp:
2210         (JSC::CodeCache::getGlobalCodeBlock):
2211         * runtime/CommonSlowPaths.cpp:
2212         (JSC::SLOW_PATH_DECL):
2213         * runtime/CommonSlowPaths.h:
2214         * runtime/HighFidelityLog.cpp:
2215         (JSC::HighFidelityLog::initializeHighFidelityLog):
2216         (JSC::HighFidelityLog::~HighFidelityLog):
2217         (JSC::HighFidelityLog::processHighFidelityLog):
2218         * runtime/HighFidelityLog.h:
2219         (JSC::HighFidelityLog::LogEntry::structureIDOffset):
2220         (JSC::HighFidelityLog::LogEntry::valueOffset):
2221         (JSC::HighFidelityLog::LogEntry::locationOffset):
2222         (JSC::HighFidelityLog::recordTypeInformationForLocation):
2223         (JSC::HighFidelityLog::logEndPtr):
2224         (JSC::HighFidelityLog::logStartOffset):
2225         (JSC::HighFidelityLog::currentLogEntryOffset):
2226         * runtime/HighFidelityTypeProfiler.cpp:
2227         (JSC::HighFidelityTypeProfiler::logTypesForTypeLocation):
2228         (JSC::descriptorMatchesTypeLocation):
2229         * runtime/HighFidelityTypeProfiler.h:
2230         * runtime/SymbolTable.cpp:
2231         (JSC::SymbolTable::SymbolTable):
2232         (JSC::SymbolTable::cloneCapturedNames):
2233         (JSC::SymbolTable::prepareForHighFidelityTypeProfiling):
2234         (JSC::SymbolTable::uniqueIDForVariable):
2235         (JSC::SymbolTable::uniqueIDForRegister):
2236         (JSC::SymbolTable::globalTypeSetForRegister):
2237         (JSC::SymbolTable::globalTypeSetForVariable):
2238         * runtime/SymbolTable.h:
2239         (JSC::SymbolTable::add):
2240         (JSC::SymbolTable::set):
2241         * runtime/TypeLocationCache.cpp:
2242         (JSC::TypeLocationCache::getTypeLocation):
2243         * runtime/TypeSet.cpp:
2244         (JSC::TypeSet::getRuntimeTypeForValue):
2245         (JSC::TypeSet::addTypeInformation):
2246         (JSC::TypeSet::allPrimitiveTypeNames):
2247         (JSC::TypeSet::addTypeForValue): Deleted.
2248         * runtime/TypeSet.h:
2249         * runtime/VM.cpp:
2250         (JSC::VM::VM):
2251         (JSC::VM::nextTypeLocation):
2252         (JSC::VM::enableHighFidelityTypeProfiling):
2253         (JSC::VM::disableHighFidelityTypeProfiling):
2254         (JSC::VM::dumpHighFidelityProfilingTypes):
2255         * runtime/VM.h:
2256         (JSC::VM::nextLocation): Deleted.
2257
2258 2014-08-14  Oliver Hunt  <oliver@apple.com>
2259
2260         Update scope resolution to assume that the parent activation is always there
2261         https://bugs.webkit.org/show_bug.cgi?id=135947
2262
2263         Reviewed by Andreas Kling.
2264
2265         Another incremental step in removing the idea of lazily created
2266         activations.
2267
2268         * dfg/DFGSpeculativeJIT32_64.cpp:
2269         (JSC::DFG::SpeculativeJIT::compile):
2270         * dfg/DFGSpeculativeJIT64.cpp:
2271         (JSC::DFG::SpeculativeJIT::compile):
2272         * jit/JITPropertyAccess.cpp:
2273         (JSC::JIT::emitResolveClosure):
2274         * jit/JITPropertyAccess32_64.cpp:
2275         (JSC::JIT::emitResolveClosure):
2276         * llint/LowLevelInterpreter32_64.asm:
2277         * llint/LowLevelInterpreter64.asm:
2278
2279 2014-08-14  Oliver Hunt  <oliver@apple.com>
2280
2281         Create activations eagerly
2282         https://bugs.webkit.org/show_bug.cgi?id=135942
2283
2284         Reviewed by Geoffrey Garen.
2285
2286         Prepare to rewrite activation objects into a more
2287         sane implementation. Step 1 is reverting to eager
2288         creation of the activation object. This results in
2289         a 1.35x regression in earley, but otherwise has a
2290         minimal performance impact.
2291
2292         The earley regression is being tracked by bug #135943
2293
2294         * bytecompiler/BytecodeGenerator.cpp:
2295         (JSC::BytecodeGenerator::BytecodeGenerator):
2296         (JSC::BytecodeGenerator::emitNewFunctionInternal):
2297         (JSC::BytecodeGenerator::emitNewFunctionExpression):
2298         (JSC::BytecodeGenerator::emitCallEval):
2299         (JSC::BytecodeGenerator::emitPushWithScope):
2300         (JSC::BytecodeGenerator::emitPushCatchScope):
2301         (JSC::BytecodeGenerator::createActivationIfNecessary): Deleted.
2302         * bytecompiler/BytecodeGenerator.h:
2303         * jit/JITOpcodes.cpp:
2304         (JSC::JIT::emit_op_create_activation):
2305         * jit/JITOpcodes32_64.cpp:
2306         (JSC::JIT::emit_op_create_activation):
2307         * llint/LowLevelInterpreter32_64.asm:
2308         * llint/LowLevelInterpreter64.asm:
2309
2310 2014-08-14  Oliver Hunt  <oliver@apple.com>
2311
2312         Create activations eagerly
2313         https://bugs.webkit.org/show_bug.cgi?id=135942
2314
2315         Reviewed by Geoffrey Garen.
2316
2317         Prepare to rewrite activation objects into a more
2318         sane implementation. Step 1 is reverting to eager
2319         creation of the activation object. This results in
2320         a 1.35x regression in earley, but otherwise has a
2321         minimal performance impact.
2322
2323         The earley regression is being tracked by
2324         http://webkit.org/b/135943
2325
2326         * bytecompiler/BytecodeGenerator.cpp:
2327         (JSC::BytecodeGenerator::BytecodeGenerator):
2328         (JSC::BytecodeGenerator::emitNewFunctionInternal):
2329         (JSC::BytecodeGenerator::emitNewFunctionExpression):
2330         (JSC::BytecodeGenerator::emitCallEval):
2331         (JSC::BytecodeGenerator::emitPushWithScope):
2332         (JSC::BytecodeGenerator::emitPushCatchScope):
2333         (JSC::BytecodeGenerator::createActivationIfNecessary): Deleted.
2334         * bytecompiler/BytecodeGenerator.h:
2335         * jit/JITOpcodes.cpp:
2336         (JSC::JIT::emit_op_create_activation):
2337         * jit/JITOpcodes32_64.cpp:
2338         (JSC::JIT::emit_op_create_activation):
2339         * llint/LowLevelInterpreter32_64.asm:
2340         * llint/LowLevelInterpreter64.asm:
2341
2342 2014-08-14  Tomas Popela  <tpopela@redhat.com>
2343
2344         Add support for ppc, ppc64, ppc64le, s390, s390x into the CMake build
2345         https://bugs.webkit.org/show_bug.cgi?id=135937
2346
2347         Reviewed by Carlos Garcia Campos.
2348
2349         * CMakeLists.txt:
2350
2351 2014-08-14  Akos Kiss  <akiss@inf.u-szeged.hu>
2352
2353         Fix JSC::ARM64Assembler::LinkRecord::RealTypes
2354         https://bugs.webkit.org/show_bug.cgi?id=135906
2355
2356         Reviewed by Michael Saboff.
2357
2358         JSC::ARM64Assembler::LinkRecord::RealTypes::m_compareRegister is defined
2359         to occupy 5 bits but JSC::ARM64Assembler::RegisterID needs 6 bits. So,
2360         increase the size of the bit field and also reorganize the struct to
2361         better align with word boundaries.
2362
2363         * assembler/ARM64Assembler.h:
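
The bug class behind this entry, as an added illustration (not JavaScriptCore's code, and not its real LinkRecord layout): an unsigned bit-field one bit too narrow for the type stored in it truncates silently, so an assembler recording register 33 in a five-bit field would read back register 1 and patch the wrong instruction. The six-bit width and the 0..63 range follow from the entry's statement that RegisterID needs 6 bits; the struct and function names are invented for the example. The static_asserts show the compile-time guard that would have flagged the narrow field.

```cpp
#include <iostream>

// Illustration only, not JSC's real LinkRecord: a register ID type whose
// values need six bits (0..63) packed into a bit-field.
constexpr unsigned kRegisterIdBits = 6;
constexpr unsigned kMaxRegisterId = (1u << kRegisterIdBits) - 1;  // 63

// Compile-time guard: can a Bits-wide unsigned bit-field hold value v?
template <unsigned Bits>
constexpr bool fieldHolds(unsigned v) { return v < (1u << Bits); }

// The defect: the field is one bit too narrow for the type it stores.
struct NarrowRecord {
    unsigned compareRegister : 5;
    unsigned is64Bit : 1;
};

// The fix: width derived from the type's range, so the two cannot drift apart.
struct FixedRecord {
    unsigned compareRegister : kRegisterIdBits;
    unsigned is64Bit : 1;
};
static_assert(fieldHolds<kRegisterIdBits>(kMaxRegisterId), "compareRegister field too narrow");
static_assert(!fieldHolds<5>(kMaxRegisterId), "a 5-bit field cannot hold register 63");

// Store an ID and read it back; the narrow field truncates silently (mod 32).
unsigned narrowRoundTrip(unsigned id) {
    NarrowRecord r{};
    r.compareRegister = id;
    return r.compareRegister;
}

unsigned fixedRoundTrip(unsigned id) {
    FixedRecord r{};
    r.compareRegister = id;
    return r.compareRegister;
}

// Runtime check over the whole range: -1 if every ID survives the round trip,
// otherwise the first ID that comes back changed.
int firstLossyId(unsigned (*roundTrip)(unsigned)) {
    for (unsigned id = 0; id <= kMaxRegisterId; ++id)
        if (roundTrip(id) != id) return static_cast<int>(id);
    return -1;
}

int main() {
    std::cout << "narrow: first lossy ID = " << firstLossyId(narrowRoundTrip) << "\n";
    std::cout << "fixed:  first lossy ID = " << firstLossyId(fixedRoundTrip) << "\n";
    return 0;
}
```

The runtime scan is what a unit test for such a record would do; the static_asserts are the cheaper check, since they tie the field width to the enum's maximum at the point where the field is declared.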
2364
2365 2014-08-13  Akos Kiss  <akiss@inf.u-szeged.hu>
2366
2367         Add ARM64 support to CMake-based builds
2368         https://bugs.webkit.org/show_bug.cgi?id=135912
2369
2370         Reviewed by Gyuyoung Kim.
2371
2372         This patch ensures that CMake does not fail with Unknown CPU error when
2373         building for ARM64.
2374
2375         * CMakeLists.txt:
2376
2377 2014-08-13  Wenson Hsieh  <wenson_hsieh@apple.com>
2378
2379         Enable CSS_SCROLL_SNAP for iOS
2380         https://bugs.webkit.org/show_bug.cgi?id=135915
2381
2382         Turn on CSS_SCROLL_SNAP for iOS and the iOS simulator.
2383
2384         Reviewed by Tim Horton.
2385
2386         * Configurations/FeatureDefines.xcconfig:
2387
2388 2014-08-13  Alex Christensen  <achristensen@webkit.org>
2389
2390         Progress towards CMake on Mac.
2391         https://bugs.webkit.org/show_bug.cgi?id=135819
2392
2393         Reviewed by Laszlo Gombos.
2394
2395         * CMakeLists.txt:
2396         Add the remote inspector headers to the forwarding headers list.
2397
2398 2014-08-13  Daniel Bates  <dabates@apple.com>
2399
2400         [iOS] Make JavaScriptCore and bmalloc build with the public SDK
2401         https://bugs.webkit.org/show_bug.cgi?id=135848
2402
2403         Reviewed by Geoffrey Garen.
2404
2405         * API/JSBase.h: Declare NSMap functions with external linkage when building for iOS without the
2406         header <Foundation/NSMapTablePriv.h>.
2407         * inspector/remote/RemoteInspector.mm: Define XPC functions with external linkage when building
2408         without the system header <xpc/xpc.h>.
2409         * inspector/remote/RemoteInspectorXPCConnection.h: Define xpc_connection_t and xpc_object_t when building
2410         without the system header <xpc/xpc.h>.
2411         * inspector/remote/RemoteInspectorXPCConnection.mm: Declare XPC functions with external linkage when
2412         building without the system header <xpc/xpc.h>.
2413         (Inspector::RemoteInspectorXPCConnection::closeOnQueue): Fix code style; use nullptr instead of NULL.
2414         (Inspector::RemoteInspectorXPCConnection::sendMessage): Ditto.
2415
2416 2014-08-12  Peyton Randolph  <prandolph@apple.com>
2417
2418         Runtime switch for long mouse press gesture. Part of 135257 - Add long mouse press gesture.
2419         https://bugs.webkit.org/show_bug.cgi?id=135682
2420
2421         Reviewed by Tim Horton.
2422
2423         * Configurations/FeatureDefines.xcconfig:
2424         Remove ENABLE_LONG_MOUSE_PRESS feature flag.
2425
2426 2014-08-12  Alex Christensen  <achristensen@webkit.org>
2427
2428         Generate header detection headers for CMake on Windows.
2429         https://bugs.webkit.org/show_bug.cgi?id=135807
2430
2431         Reviewed by Brent Fulgham.
2432
2433         * CMakeLists.txt:
2434         Include the derived sources directory to find WTF/WTFHeaderDetection.h.
2435
2436 2014-08-11  Andy Estes  <aestes@apple.com>
2437
2438         [iOS] Get rid of iOS.xcconfig
2439         https://bugs.webkit.org/show_bug.cgi?id=135809
2440
2441         Reviewed by Joseph Pecoraro.
2442
2443         All iOS.xcconfig did was include AspenFamily.xcconfig, so there's no need for the indirection.
2444
2445         * Configurations/Base.xcconfig:
2446         * Configurations/iOS.xcconfig: Removed.
2447         * JavaScriptCore.xcodeproj/project.pbxproj:
2448
2449 2014-08-11  Michael Saboff  <msaboff@apple.com>
2450
2451         Eliminate {push,pop}CalleeSaves in favor of individual pushes & pops
2452         https://bugs.webkit.org/show_bug.cgi?id=127155
2453
2454         Reviewed by Geoffrey Garen.
2455
2456         Eliminated the offline assembler instructions {push,pop}CalleeSaves as well as the
2457         ARM64 specific {push,pop}LRAndFP and replaced them with individual push and pop
2458         instructions. Where the registers referenced by the added push and pop instructions
2459         are not part of the offline assembler register aliases, used a newly added "emit"
2460         offline assembler instruction which takes a string literal and outputs that
2461         string as a native instruction.
2462
2463         * llint/LowLevelInterpreter.asm:
2464         * offlineasm/arm.rb:
2465         * offlineasm/arm64.rb:
2466         * offlineasm/ast.rb:
2467         * offlineasm/cloop.rb:
2468         * offlineasm/instructions.rb:
2469         * offlineasm/mips.rb:
2470         * offlineasm/parser.rb:
2471         * offlineasm/sh4.rb:
2472         * offlineasm/transform.rb:
2473         * offlineasm/x86.rb:
2474
2475 2014-08-11  Mark Lam  <mark.lam@apple.com>
2476
2477         Re-landing r172401 with fixed test.
2478         <https://webkit.org/b/135782>
2479
2480         Not reviewed.
2481
2482         * bytecompiler/BytecodeGenerator.cpp:
2483         (JSC::BytecodeGenerator::emitGetByVal):
2484         (JSC::BytecodeGenerator::pushIndexedForInScope):
2485         (JSC::BytecodeGenerator::pushStructureForInScope):
2486         * bytecompiler/BytecodeGenerator.h:
2487         (JSC::ForInContext::ForInContext):
2488         (JSC::ForInContext::base):
2489         (JSC::StructureForInContext::StructureForInContext):
2490         (JSC::IndexedForInContext::IndexedForInContext):
2491         * bytecompiler/NodesCodegen.cpp:
2492         (JSC::ForInNode::emitMultiLoopBytecode):
2493         * tests/stress/for-in-tests.js:
2494
2495 2014-08-11  Commit Queue  <commit-queue@webkit.org>
2496
2497         Unreviewed, rolling out r172401.
2498         https://bugs.webkit.org/show_bug.cgi?id=135812
2499
2500         Failing stress/for-in-tests.js
2501         http://build.webkit.org/builders/Apple%20Mavericks%20Release%20WK1%20%28Tests%29/builds/7945/steps
2502         /jscore-test/logs/stdio (Requested by mlam on #webkit).
2503
2504         Reverted changeset:
2505
2506         "for-in optimization should also make sure the base matches
2507         the object being iterated"
2508         https://bugs.webkit.org/show_bug.cgi?id=135782
2509         http://trac.webkit.org/changeset/172401
2510
2511 2014-08-11  Brian J. Burg  <burg@cs.washington.edu>
2512
2513         Web Inspector: use type builders to construct high fidelity type information payloads
2514         https://bugs.webkit.org/show_bug.cgi?id=135803
2515
2516         Reviewed by Timothy Hatcher.
2517
2518         Due to some typos in the protocol file, the code had worked with raw objects
2519         rather than with type builders. Convert to using builders.
2520
2521         * inspector/agents/InspectorRuntimeAgent.cpp:
2522         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
2523         * inspector/agents/InspectorRuntimeAgent.h:
2524         * inspector/protocol/Runtime.json: Fix 'item' for 'items'; true for 'true'.
2525         * runtime/HighFidelityTypeProfiler.cpp:
2526         (JSC::HighFidelityTypeProfiler::getTypesForVariableAtOffsetForInspector):
2527         * runtime/HighFidelityTypeProfiler.h:
2528         * runtime/TypeSet.cpp:
2529         (JSC::TypeSet::allStructureRepresentations):
2530         (JSC::StructureShape::stringRepresentation):
2531         (JSC::StructureShape::inspectorRepresentation):
2532         * runtime/TypeSet.h:
2533
2534 2014-08-11  Mark Hahnenberg  <mhahnenberg@apple.com>
2535
2536         for-in optimization should also make sure the base matches the object being iterated
2537         https://bugs.webkit.org/show_bug.cgi?id=135782
2538
2539         Reviewed by Geoffrey Garen.
2540
2541         If we access a different base object with the same index, we shouldn't try to randomly 
2542         load from that object's backing store.
2543
2544         * bytecompiler/BytecodeGenerator.cpp:
2545         (JSC::BytecodeGenerator::emitGetByVal):
2546         (JSC::BytecodeGenerator::pushIndexedForInScope):
2547         (JSC::BytecodeGenerator::pushStructureForInScope):
2548         * bytecompiler/BytecodeGenerator.h:
2549         (JSC::ForInContext::ForInContext):
2550         (JSC::ForInContext::base):
2551         (JSC::StructureForInContext::StructureForInContext):
2552         (JSC::IndexedForInContext::IndexedForInContext):
2553         * bytecompiler/NodesCodegen.cpp:
2554         (JSC::ForInNode::emitMultiLoopBytecode):
2555         * tests/stress/for-in-tests.js:
2556
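The entry above makes the for-in fast path check that the base object is the one being iterated; the enumeration that fast path belongs to (indexed properties, then the base object's Structure properties, then everything else along the prototype chain) is described in the "Refactor our current implementation of for-in" entry merged from ftlopt further down this log. As an added example, not JavaScriptCore code, here is a JavaScript model of those three loops sharing one "already enumerated" set, checked against the engine's own for-in order; the helper names and the sample object are invented for the illustration.

```javascript
// Added example (not JavaScriptCore code): a JavaScript model of the three-phase
// for-in enumeration described in the ChangeLog, checked against native for-in.

// A canonical array index is "0" or a digit string without a leading zero, below 2^32 - 1.
function isArrayIndex(key) {
  return /^(0|[1-9][0-9]*)$/.test(key) && Number(key) < 4294967295;
}

function isEnumerableOwn(obj, key) {
  const desc = Object.getOwnPropertyDescriptor(obj, key);
  return desc !== undefined && desc.enumerable === true;
}

// Phase 1: indexed properties of the base object, ascending numeric order
// (the job of get_enumerable_length / has_indexed_property / to_index_string).
function indexedPropertyNames(obj) {
  return Object.getOwnPropertyNames(obj)
    .filter((key) => isArrayIndex(key))
    .sort((a, b) => Number(a) - Number(b));
}

// Phase 2: the base object's named ("Structure") properties, insertion order
// (the job of get_structure_property_enumerator / has_structure_property).
function structurePropertyNames(obj) {
  return Object.getOwnPropertyNames(obj).filter((key) => !isArrayIndex(key));
}

// Phase 3: every other enumerable name, walking the prototype chain
// (the job of get_generic_property_enumerator / has_generic_property).
// `seen` holds every name already visited, so shadowed names are skipped.
function genericPropertyNames(base, seen) {
  const names = [];
  for (let obj = Object.getPrototypeOf(base); obj !== null; obj = Object.getPrototypeOf(obj)) {
    for (const key of Object.getOwnPropertyNames(obj)) {
      if (seen.has(key)) continue;
      seen.add(key);
      if (isEnumerableOwn(obj, key)) names.push(key);
    }
  }
  return names;
}

// Runs the three loops the bytecode emits and returns the keys for-in would yield.
function forInKeys(base) {
  const out = [];
  const seen = new Set();
  for (const phase of [indexedPropertyNames(base), structurePropertyNames(base)]) {
    for (const key of phase) {
      seen.add(key); // a non-enumerable own property still hides prototype properties
      if (isEnumerableOwn(base, key)) out.push(key);
    }
  }
  out.push(...genericPropertyNames(base, seen));
  return out;
}

// The engine's own answer, for comparison.
function nativeForInKeys(base) {
  const out = [];
  for (const key in base) out.push(key);
  return out;
}

// Constructed sample: indexed, named, shadowed and non-enumerable properties plus a prototype.
function sampleObject() {
  const proto = { inherited: 1, shadowed: 2, hiddenByNonEnumerable: 3 };
  const base = Object.create(proto);
  base.name = "base";
  base[2] = "two";
  base[0] = "zero";
  base.shadowed = "own";
  Object.defineProperty(base, "hiddenByNonEnumerable", { value: 9, enumerable: false });
  return base;
}
```
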
2557 2014-08-11  Brent Fulgham  <bfulgham@apple.com>
2558
2559         [Win] Unreviewed gardening.
2560
2561         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Display files in
2562         proper folder categories.
2563
2564 2014-08-11  Mark Hahnenberg  <mhahnenberg@apple.com>
2565
2566         JIT should use full 64-bit stores for jsBoolean and jsNull
2567         https://bugs.webkit.org/show_bug.cgi?id=135784
2568
2569         Reviewed by Michael Saboff.
2570
2571         This guarantees that we set the high bits of the register with the correct tag.
2572
2573         * dfg/DFGSpeculativeJIT64.cpp:
2574         (JSC::DFG::SpeculativeJIT::compile):
2575         * jit/JITOpcodes.cpp:
2576         (JSC::JIT::emit_op_has_structure_property):
2577         (JSC::JIT::emit_op_next_enumerator_pname):
2578
2579 2014-08-11  Brent Fulgham  <bfulgham@apple.com>
2580
2581         [Win] Adjust build script for Windows production build.
2582         https://bugs.webkit.org/show_bug.cgi?id=135806
2583         <rdar://problem/17978299>
2584
2585         Reviewed by Timothy Hatcher.
2586
2587         * JavaScriptCore.vcxproj/copy-files.cmd: Copy file for later use
2588         in WebInspectorUI build.
2589
2590 2014-08-10  Oliver Hunt  <oliver@apple.com>
2591
2592         Destructuring assignment in a var declaration list incorrectly consumes subsequent variable initialisers
2593         https://bugs.webkit.org/show_bug.cgi?id=135773
2594
2595         Reviewed by Michael Saboff.
2596
2597         We should be using parseAssignment expression in order to get the correct
2598         precedence.
2599
2600         * parser/Parser.cpp:
2601         (JSC::Parser<LexerType>::parseVarDeclarationList):
2602
2603 2014-08-10  Diego Pino Garcia  <dpino@igalia.com>
2604
2605         JSC Lexer is allowing octals 08 and 09 in strict mode functions
2606         https://bugs.webkit.org/show_bug.cgi?id=135704
2607
2608         Reviewed by Oliver Hunt.
2609
2610         Return syntax error ("Decimal integer literals with a leading zero are
2611         forbidden in strict mode") if a number starts with 0 and is followed 
2612         by a digit.
2613
2614         * parser/Lexer.cpp:
2615         (JSC::Lexer<T>::lex):
2616
2617 2014-08-08  Mark Lam  <mark.lam@apple.com>
2618
2619         REGRESSION: Inspector crashes when debugger is paused and injected scripts access window.screen().
2620         <https://webkit.org/b/135656>
2621
2622         Not reviewed.
2623
2624         Rolling out r170680 which was merged to ToT in r172129.
2625
2626         * debugger/Debugger.h:
2627         * debugger/DebuggerCallFrame.cpp:
2628         (JSC::DebuggerCallFrame::scope):
2629         (JSC::DebuggerCallFrame::evaluate):
2630         (JSC::DebuggerCallFrame::invalidate):
2631         * debugger/DebuggerCallFrame.h:
2632         * debugger/DebuggerScope.cpp:
2633         (JSC::DebuggerScope::DebuggerScope):
2634         (JSC::DebuggerScope::finishCreation):
2635         (JSC::DebuggerScope::visitChildren):
2636         (JSC::DebuggerScope::className):
2637         (JSC::DebuggerScope::getOwnPropertySlot):
2638         (JSC::DebuggerScope::put):
2639         (JSC::DebuggerScope::deleteProperty):
2640         (JSC::DebuggerScope::getOwnPropertyNames):
2641         (JSC::DebuggerScope::defineOwnProperty):
2642         (JSC::DebuggerScope::next): Deleted.
2643         (JSC::DebuggerScope::invalidateChain): Deleted.
2644         (JSC::DebuggerScope::isWithScope): Deleted.
2645         (JSC::DebuggerScope::isGlobalScope): Deleted.
2646         (JSC::DebuggerScope::isFunctionScope): Deleted.
2647         * debugger/DebuggerScope.h:
2648         (JSC::DebuggerScope::create):
2649         (JSC::DebuggerScope::Iterator::Iterator): Deleted.
2650         (JSC::DebuggerScope::Iterator::get): Deleted.
2651         (JSC::DebuggerScope::Iterator::operator++): Deleted.
2652         (JSC::DebuggerScope::Iterator::operator==): Deleted.
2653         (JSC::DebuggerScope::Iterator::operator!=): Deleted.
2654         (JSC::DebuggerScope::isValid): Deleted.
2655         (JSC::DebuggerScope::jsScope): Deleted.
2656         (JSC::DebuggerScope::begin): Deleted.
2657         (JSC::DebuggerScope::end): Deleted.
2658         * inspector/JSJavaScriptCallFrame.cpp:
2659         (Inspector::JSJavaScriptCallFrame::scopeType):
2660         (Inspector::JSJavaScriptCallFrame::scopeChain):
2661         * inspector/JavaScriptCallFrame.h:
2662         (Inspector::JavaScriptCallFrame::scopeChain):
2663         * inspector/ScriptDebugServer.cpp:
2664         * runtime/JSGlobalObject.cpp:
2665         (JSC::JSGlobalObject::reset):
2666         (JSC::JSGlobalObject::visitChildren):
2667         * runtime/JSGlobalObject.h:
2668         (JSC::JSGlobalObject::debuggerScopeStructure): Deleted.
2669         * runtime/JSObject.h:
2670         (JSC::JSObject::isWithScope): Deleted.
2671         * runtime/JSScope.h:
2672         * runtime/VM.cpp:
2673         (JSC::VM::VM):
2674         * runtime/VM.h:
2675
2676 2014-08-07  Saam Barati  <sbarati@apple.com>
2677
2678         Create a more generic way for VMEntryScope to notify those interested that it will be destroyed
2679         https://bugs.webkit.org/show_bug.cgi?id=135358
2680
2681         Reviewed by Geoffrey Garen.
2682
2683         When VMEntryScope is destroyed, and it has a flag set indicating that the
2684         Debugger needs to recompile all functions, it calls Debugger::recompileAllJSFunctions. 
2685         This flag is only used by Debugger to have VMEntryScope notify it when the
2686         Debugger is safe to recompile all functions. This patch will substitute this
2687         Debugger-specific recompilation flag with a list of callbacks that are notified 
2688         when the outermost VMEntryScope dies. This creates a general purpose interface 
2689         for being notified when the VM stops executing code via the event of the outermost 
2690         VMEntryScope dying.
2691
2692         * debugger/Debugger.cpp:
2693         (JSC::Debugger::recompileAllJSFunctions):
2694         * runtime/VMEntryScope.cpp:
2695         (JSC::VMEntryScope::VMEntryScope):
2696         (JSC::VMEntryScope::setEntryScopeDidPopListener):
2697         (JSC::VMEntryScope::~VMEntryScope):
2698         * runtime/VMEntryScope.h:
2699         (JSC::VMEntryScope::setRecompilationNeeded): Deleted.
2700
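As an added example, not JavaScriptCore code, here is a JavaScript model of the mechanism this entry describes: a recompile requested while code is executing is parked on the outermost entry scope and runs only when that scope dies, while a request made with no live scope runs at once. Names follow the entry (VMEntryScope, setEntryScopeDidPopListener, recompileAllJSFunctions); keying listeners by owner so repeated requests coalesce, and the `withEntryScope`/`pop` helpers, are assumptions of this model.

```javascript
// Added example (not JavaScriptCore code): a model of VMEntryScope "did pop" listeners.

class VM {
  constructor() {
    this.entryScope = null; // the outermost live VMEntryScope, if any
    this.depth = 0;         // how many nested scopes are currently live
  }
}

class VMEntryScope {
  constructor(vm) {
    this.vm = vm;
    this.didPopListeners = new Map(); // owner -> callback (one per owner; assumption)
    if (vm.entryScope === null) vm.entryScope = this; // only the outermost registers
    vm.depth += 1;
  }

  setEntryScopeDidPopListener(owner, listener) {
    this.didPopListeners.set(owner, listener);
  }

  // Mirrors the destructor: when the outermost scope dies the VM is no longer
  // executing code, so every parked listener runs exactly once.
  pop() {
    this.vm.depth -= 1;
    if (this.vm.entryScope !== this) return; // a nested scope: nothing to notify
    this.vm.entryScope = null;
    const listeners = [...this.didPopListeners.values()];
    this.didPopListeners.clear();
    for (const listener of listeners) listener(this.vm);
  }
}

// Runs `body` inside an entry scope, popping it even if `body` throws.
function withEntryScope(vm, body) {
  const scope = new VMEntryScope(vm);
  try {
    return body(scope);
  } finally {
    scope.pop();
  }
}

class Debugger {
  constructor(vm) {
    this.vm = vm;
    this.recompilations = 0;
  }

  // Recompiling while JS is on the stack is unsafe, so defer to the outermost pop.
  recompileAllJSFunctions() {
    if (this.vm.entryScope !== null) {
      this.vm.entryScope.setEntryScopeDidPopListener(this, () => this.recompileNow());
      return;
    }
    this.recompileNow();
  }

  recompileNow() {
    this.recompilations += 1;
  }
}

// Scenario: two requests from inside nested scopes coalesce into one recompile
// after the outermost scope pops; a request with no live scope runs immediately.
function runScenario() {
  const vm = new VM();
  const dbg = new Debugger(vm);
  const trace = [];
  withEntryScope(vm, () => {
    withEntryScope(vm, () => {
      dbg.recompileAllJSFunctions();
      dbg.recompileAllJSFunctions();
      trace.push(`inner:${dbg.recompilations}:depth${vm.depth}`);
    });
    trace.push(`afterInner:${dbg.recompilations}:depth${vm.depth}`);
  });
  trace.push(`afterOuter:${dbg.recompilations}:depth${vm.depth}`);
  dbg.recompileAllJSFunctions();
  trace.push(`idle:${dbg.recompilations}:depth${vm.depth}`);
  return trace;
}
```
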
2701 2014-08-07  Benjamin Poulain  <bpoulain@apple.com>
2702
2703         Get rid of SCRIPTED_SPEECH
2704         https://bugs.webkit.org/show_bug.cgi?id=135729
2705
2706         Reviewed by Brent Fulgham.
2707
2708         * Configurations/FeatureDefines.xcconfig:
2709
2710 2014-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>
2711
2712         SpeculateInt32Operand is sometimes used in a 64-bit context, which has undefined behavior
2713         https://bugs.webkit.org/show_bug.cgi?id=135722
2714
2715         Reviewed by Filip Pizlo.
2716
2717         We should be using SpeculateStrictInt32Operand instead.
2718
2719         * dfg/DFGSpeculativeJIT64.cpp:
2720         (JSC::DFG::SpeculativeJIT::compile):
2721
2722 2014-08-07  Benjamin Poulain  <bpoulain@apple.com>
2723
2724         Get rid of INPUT_SPEECH
2725         https://bugs.webkit.org/show_bug.cgi?id=135672
2726
2727         Reviewed by Andreas Kling.
2728
2729         * Configurations/FeatureDefines.xcconfig:
2730
2731 2014-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>
2732
2733         for-in is failing fast/dom/dataset-xhtml.xhtml and dataset.html tests
2734         https://bugs.webkit.org/show_bug.cgi?id=135681
2735
2736         Reviewed by Filip Pizlo.
2737
2738         * runtime/Structure.cpp:
2739         (JSC::Structure::canCacheGenericPropertyNameEnumerator): We were checking the entire 
2740         prototype chain for overridesGetPropertyNames, but we were neglecting to check the 
2741         base object's Structure. D'oh!
2742
2743 2014-08-06  Mark Lam  <mark.lam@apple.com>
2744
2745         Gardening: fix for build failure on EFL bots.
2746
2747         Not reviewed.
2748
2749         * runtime/EnumerationMode.h:
2750         (JSC::shouldIncludeJSObjectPropertyNames):
2751         (JSC::modeThatSkipsJSObject):
2752         * runtime/JSCell.cpp:
2753         (JSC::JSCell::getEnumerableLength):
2754         * runtime/JSCell.h:
2755
2756 2014-08-06  Dean Jackson  <dino@apple.com>
2757
2758         ENABLE_CSS_TRANSFORMS_ANIMATIONS_UNPREFIXED is not used anywhere. Remove it.
2759         https://bugs.webkit.org/show_bug.cgi?id=135675
2760
2761         Reviewed by Sam Weinig.
2762
2763         * Configurations/FeatureDefines.xcconfig:
2764
2765 2014-08-06  Wenson Hsieh  <wenson_hsieh@apple.com>
2766
2767         Implement parsing for CSS scroll snap points
2768         https://bugs.webkit.org/show_bug.cgi?id=134301
2769
2770         Reviewed by Dean Jackson.
2771
2772         * Configurations/FeatureDefines.xcconfig: Added ENABLE_CSS_SCROLL_SNAP
2773
2774 2014-08-06  Mark Lam  <mark.lam@apple.com>
2775
2776         Gardening: fix for build failure on GTK bots.
2777
2778         Not reviewed.
2779
2780         * runtime/FunctionHasExecutedCache.cpp:
2781         - #include <limits.h> for UINT_MAX's definition.
2782
2783 2014-08-06  Mark Lam  <mark.lam@apple.com>
2784
2785         Gardening: fix for build failure on EFL bots.
2786
2787         Not reviewed.
2788
2789         * jit/JITInlines.h:
2790         (JSC::JIT::emitLoadForArrayMode):
2791
2792 2014-08-06  Mark Lam  <mark.lam@apple.com>
2793
2794         Gardening: adding missing build file changes from the FTLOPT merge at r172176.
2795
2796         Not reviewed.
2797
2798         * CMakeLists.txt:
2799         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2800         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2801
2802 2014-08-06  Ryuan Choi  <ryuan.choi@samsung.com>
2803
2804         Unreviewed build fix attempt since r172184
2805
2806         * CMakeLists.txt: Removed TypeLocation.cpp
2807
2808 2014-08-06  Mark Lam  <mark.lam@apple.com>
2809
2810         Gardening: adding missing build file changes from r171510.
2811         <https://webkit.org/b/134860>
2812
2813         Not reviewed.
2814
2815         * CMakeLists.txt:
2816         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2817         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2818
2819 2014-08-06  Mark Lam  <mark.lam@apple.com>
2820
2821         Gardening: adding missing build file changes from r170490.
2822         <https://webkit.org/b/133395>
2823
2824         Not reviewed.
2825
2826         * CMakeLists.txt:
2827         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2828
2829 2014-08-06  Filip Pizlo  <fpizlo@apple.com>
2830
2831         Silence a debug assertion.
2832
2833         Reviewed by Mark Hahnenberg.
2834
2835         * runtime/JSPropertyNameEnumerator.h:
2836         (JSC::JSPropertyNameEnumerator::cachedStructure):
2837
2838 2014-08-06  Filip Pizlo  <fpizlo@apple.com>
2839
2840         Fix 32-bit build.
2841
2842         * jit/JITOpcodes32_64.cpp:
2843         (JSC::JIT::privateCompileHasIndexedProperty):
2844
2845 2014-08-06  Filip Pizlo  <fpizlo@apple.com>
2846
2847         Merge r171389, r171495, r171508, r171510, r171605, r171606, r171611, r171614, r171763 from ftlopt.
2848
2849     2014-07-28  Mark Hahnenberg  <mhahnenberg@apple.com>
2850     
2851             Support for-in in the FTL
2852             https://bugs.webkit.org/show_bug.cgi?id=134140
2853     
2854             Reviewed by Filip Pizlo.
2855     
2856             * dfg/DFGSSALoweringPhase.cpp:
2857             (JSC::DFG::SSALoweringPhase::handleNode):
2858             * ftl/FTLAbstractHeapRepository.cpp:
2859             * ftl/FTLAbstractHeapRepository.h:
2860             * ftl/FTLCapabilities.cpp:
2861             (JSC::FTL::canCompile):
2862             * ftl/FTLIntrinsicRepository.h:
2863             * ftl/FTLLowerDFGToLLVM.cpp:
2864             (JSC::FTL::LowerDFGToLLVM::compileNode):
2865             (JSC::FTL::LowerDFGToLLVM::compileHasIndexedProperty):
2866             (JSC::FTL::LowerDFGToLLVM::compileHasGenericProperty):
2867             (JSC::FTL::LowerDFGToLLVM::compileHasStructureProperty):
2868             (JSC::FTL::LowerDFGToLLVM::compileGetDirectPname):
2869             (JSC::FTL::LowerDFGToLLVM::compileGetEnumerableLength):
2870             (JSC::FTL::LowerDFGToLLVM::compileGetStructurePropertyEnumerator):
2871             (JSC::FTL::LowerDFGToLLVM::compileGetGenericPropertyEnumerator):
2872             (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname):
2873             (JSC::FTL::LowerDFGToLLVM::compileToIndexString):
2874     
2875     2014-07-25  Mark Hahnenberg  <mhahnenberg@apple.com>
2876     
2877             Remove JSPropertyNameIterator
2878             https://bugs.webkit.org/show_bug.cgi?id=135066
2879     
2880             Reviewed by Geoffrey Garen.
2881     
2882             It has been replaced by JSPropertyNameEnumerator.
2883     
2884             * JavaScriptCore.order:
2885             * bytecode/BytecodeBasicBlock.cpp:
2886             (JSC::isBranch):
2887             * bytecode/BytecodeList.json:
2888             * bytecode/BytecodeUseDef.h:
2889             (JSC::computeUsesForBytecodeOffset):
2890             (JSC::computeDefsForBytecodeOffset):
2891             * bytecode/CodeBlock.cpp:
2892             (JSC::CodeBlock::dumpBytecode):
2893             * bytecode/PreciseJumpTargets.cpp:
2894             (JSC::getJumpTargetsForBytecodeOffset):
2895             * bytecompiler/BytecodeGenerator.cpp:
2896             (JSC::BytecodeGenerator::emitGetPropertyNames): Deleted.
2897             (JSC::BytecodeGenerator::emitNextPropertyName): Deleted.
2898             * bytecompiler/BytecodeGenerator.h:
2899             * interpreter/Interpreter.cpp:
2900             * interpreter/Register.h:
2901             * jit/JIT.cpp:
2902             (JSC::JIT::privateCompileMainPass):
2903             (JSC::JIT::privateCompileSlowCases):
2904             * jit/JIT.h:
2905             * jit/JITOpcodes.cpp:
2906             (JSC::JIT::emit_op_get_pnames): Deleted.
2907             (JSC::JIT::emit_op_next_pname): Deleted.
2908             * jit/JITOpcodes32_64.cpp:
2909             (JSC::JIT::emit_op_get_pnames): Deleted.
2910             (JSC::JIT::emit_op_next_pname): Deleted.
2911             * jit/JITOperations.cpp:
2912             * jit/JITPropertyAccess.cpp:
2913             (JSC::JIT::emit_op_get_by_pname): Deleted.
2914             (JSC::JIT::emitSlow_op_get_by_pname): Deleted.
2915             * jit/JITPropertyAccess32_64.cpp:
2916             (JSC::JIT::emit_op_get_by_pname): Deleted.
2917             (JSC::JIT::emitSlow_op_get_by_pname): Deleted.
2918             * llint/LLIntOffsetsExtractor.cpp:
2919             * llint/LLIntSlowPaths.cpp:
2920             (JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
2921             * llint/LLIntSlowPaths.h:
2922             * llint/LowLevelInterpreter.asm:
2923             * llint/LowLevelInterpreter32_64.asm:
2924             * llint/LowLevelInterpreter64.asm:
2925             * runtime/CommonSlowPaths.cpp:
2926             * runtime/JSPropertyNameIterator.cpp:
2927             (JSC::JSPropertyNameIterator::JSPropertyNameIterator): Deleted.
2928             (JSC::JSPropertyNameIterator::create): Deleted.
2929             (JSC::JSPropertyNameIterator::destroy): Deleted.
2930             (JSC::JSPropertyNameIterator::get): Deleted.
2931             (JSC::JSPropertyNameIterator::visitChildren): Deleted.
2932             * runtime/JSPropertyNameIterator.h:
2933             (JSC::JSPropertyNameIterator::createStructure): Deleted.
2934             (JSC::JSPropertyNameIterator::size): Deleted.
2935             (JSC::JSPropertyNameIterator::setCachedStructure): Deleted.
2936             (JSC::JSPropertyNameIterator::cachedStructure): Deleted.
2937             (JSC::JSPropertyNameIterator::setCachedPrototypeChain): Deleted.
2938             (JSC::JSPropertyNameIterator::cachedPrototypeChain): Deleted.
2939             (JSC::JSPropertyNameIterator::finishCreation): Deleted.
2940             (JSC::Register::propertyNameIterator): Deleted.
2941             (JSC::StructureRareData::enumerationCache): Deleted.
2942             (JSC::StructureRareData::setEnumerationCache): Deleted.
2943             * runtime/Structure.cpp:
2944             (JSC::Structure::addPropertyWithoutTransition):
2945             (JSC::Structure::removePropertyWithoutTransition):
2946             * runtime/Structure.h:
2947             * runtime/StructureInlines.h:
2948             (JSC::Structure::setEnumerationCache): Deleted.
2949             (JSC::Structure::enumerationCache): Deleted.
2950             * runtime/StructureRareData.cpp:
2951             (JSC::StructureRareData::visitChildren):
2952             * runtime/StructureRareData.h:
2953             * runtime/VM.cpp:
2954             (JSC::VM::VM):
2955     
2956     2014-07-25  Saam Barati  <sbarati@apple.com>
2957     
2958             Fix 32-bit build breakage for type profiling
2959             https://bugs.webkit.org/process_bug.cgi
2960     
2961             Reviewed by Mark Hahnenberg.
2962     
2963             32-bit builds currently break because global variable IDs for high
2964             fidelity type profiling are int64_t. Change this to intptr_t so that
2965             it's 32 bits on 32-bit platforms and 64 bits on 64-bit platforms.
2966     
2967             * bytecode/CodeBlock.cpp:
2968             (JSC::CodeBlock::CodeBlock):
2969             (JSC::CodeBlock::scopeDependentProfile):
2970             * bytecode/TypeLocation.h:
2971             * runtime/SymbolTable.cpp:
2972             (JSC::SymbolTable::uniqueIDForVariable):
2973             (JSC::SymbolTable::uniqueIDForRegister):
2974             * runtime/SymbolTable.h:
2975             * runtime/TypeLocationCache.cpp:
2976             (JSC::TypeLocationCache::getTypeLocation):
2977             * runtime/TypeLocationCache.h:
2978             * runtime/VM.h:
2979             (JSC::VM::getNextUniqueVariableID):
2980     
2981     2014-07-25  Mark Hahnenberg  <mhahnenberg@apple.com>
2982     
2983             Reindent PropertyNameArray.h
2984             https://bugs.webkit.org/show_bug.cgi?id=135067
2985     
2986             Reviewed by Geoffrey Garen.
2987     
2988             * runtime/PropertyNameArray.h:
2989             (JSC::RefCountedIdentifierSet::contains):
2990             (JSC::RefCountedIdentifierSet::size):
2991             (JSC::RefCountedIdentifierSet::add):
2992             (JSC::PropertyNameArrayData::create):
2993             (JSC::PropertyNameArrayData::propertyNameVector):
2994             (JSC::PropertyNameArrayData::PropertyNameArrayData):
2995             (JSC::PropertyNameArray::PropertyNameArray):
2996             (JSC::PropertyNameArray::vm):
2997             (JSC::PropertyNameArray::add):
2998             (JSC::PropertyNameArray::addKnownUnique):
2999             (JSC::PropertyNameArray::operator[]):
3000             (JSC::PropertyNameArray::setData):
3001             (JSC::PropertyNameArray::data):
3002             (JSC::PropertyNameArray::releaseData):
3003             (JSC::PropertyNameArray::identifierSet):
3004             (JSC::PropertyNameArray::canAddKnownUniqueForStructure):
3005             (JSC::PropertyNameArray::size):
3006             (JSC::PropertyNameArray::begin):
3007             (JSC::PropertyNameArray::end):
3008             (JSC::PropertyNameArray::numCacheableSlots):
3009             (JSC::PropertyNameArray::setNumCacheableSlotsForObject):
3010             (JSC::PropertyNameArray::setBaseObject):
3011             (JSC::PropertyNameArray::setPreviouslyEnumeratedLength):
3012     
3013     2014-07-23  Mark Hahnenberg  <mhahnenberg@apple.com>
3014     
3015             Refactor our current implementation of for-in
3016             https://bugs.webkit.org/show_bug.cgi?id=134142
3017     
3018             Reviewed by Filip Pizlo.
3019     
3020             This patch splits for-in loops into three distinct parts:
3021     
3022             - Iterating over the indexed properties in the base object.
3023             - Iterating over the Structure properties in the base object.
3024             - Iterating over any other enumerable properties for that object and any objects in the prototype chain.
3025      
3026             It does this by emitting these explicit loops in bytecode, using a new set of bytecodes to 
3027             support the various operations required for each loop.
3028     
3029             * API/JSCallbackObjectFunctions.h:
3030             (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
3031             * JavaScriptCore.xcodeproj/project.pbxproj:
3032             * bytecode/BytecodeList.json:
3033             * bytecode/BytecodeUseDef.h:
3034             (JSC::computeUsesForBytecodeOffset):
3035             (JSC::computeDefsForBytecodeOffset):
3036             * bytecode/CallLinkStatus.h:
3037             (JSC::CallLinkStatus::CallLinkStatus):
3038             * bytecode/CodeBlock.cpp:
3039             (JSC::CodeBlock::dumpBytecode):
3040             (JSC::CodeBlock::CodeBlock):
3041             * bytecompiler/BytecodeGenerator.cpp:
3042             (JSC::BytecodeGenerator::emitGetByVal):
3043             (JSC::BytecodeGenerator::emitComplexPopScopes):
3044             (JSC::BytecodeGenerator::emitGetEnumerableLength):
3045             (JSC::BytecodeGenerator::emitHasGenericProperty):
3046             (JSC::BytecodeGenerator::emitHasIndexedProperty):
3047             (JSC::BytecodeGenerator::emitHasStructureProperty):
3048             (JSC::BytecodeGenerator::emitGetStructurePropertyEnumerator):
3049             (JSC::BytecodeGenerator::emitGetGenericPropertyEnumerator):
3050             (JSC::BytecodeGenerator::emitNextEnumeratorPropertyName):
3051             (JSC::BytecodeGenerator::emitToIndexString):
3052             (JSC::BytecodeGenerator::pushIndexedForInScope):
3053             (JSC::BytecodeGenerator::popIndexedForInScope):
3054             (JSC::BytecodeGenerator::pushStructureForInScope):
3055             (JSC::BytecodeGenerator::popStructureForInScope):
3056             (JSC::BytecodeGenerator::invalidateForInContextForLocal):
3057             * bytecompiler/BytecodeGenerator.h:
3058             (JSC::ForInContext::ForInContext):
3059             (JSC::ForInContext::~ForInContext):
3060             (JSC::ForInContext::isValid):
3061             (JSC::ForInContext::invalidate):
3062             (JSC::ForInContext::local):
3063             (JSC::StructureForInContext::StructureForInContext):
3064             (JSC::StructureForInContext::type):
3065             (JSC::StructureForInContext::index):
3066             (JSC::StructureForInContext::property):
3067             (JSC::StructureForInContext::enumerator):
3068             (JSC::IndexedForInContext::IndexedForInContext):
3069             (JSC::IndexedForInContext::type):
3070             (JSC::IndexedForInContext::index):
3071             (JSC::BytecodeGenerator::pushOptimisedForIn): Deleted.
3072             (JSC::BytecodeGenerator::popOptimisedForIn): Deleted.
3073             * bytecompiler/NodesCodegen.cpp:
3074             (JSC::ReadModifyResolveNode::emitBytecode):
3075             (JSC::AssignResolveNode::emitBytecode):
3076             (JSC::ForInNode::tryGetBoundLocal):
3077             (JSC::ForInNode::emitLoopHeader):
3078             (JSC::ForInNode::emitMultiLoopBytecode):
3079             (JSC::ForInNode::emitBytecode):
3080             * debugger/DebuggerScope.h:
3081             * dfg/DFGAbstractHeap.h:
3082             * dfg/DFGAbstractInterpreterInlines.h:
3083             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3084             * dfg/DFGByteCodeParser.cpp:
3085             (JSC::DFG::ByteCodeParser::parseBlock):
3086             * dfg/DFGCapabilities.cpp:
3087             (JSC::DFG::capabilityLevel):
3088             * dfg/DFGClobberize.h:
3089             (JSC::DFG::clobberize):
3090             * dfg/DFGDoesGC.cpp:
3091             (JSC::DFG::doesGC):
3092             * dfg/DFGFixupPhase.cpp:
3093             (JSC::DFG::FixupPhase::fixupNode):
3094             * dfg/DFGHeapLocation.cpp:
3095             (WTF::printInternal):
3096             * dfg/DFGHeapLocation.h:
3097             * dfg/DFGNode.h:
3098             (JSC::DFG::Node::hasHeapPrediction):
3099             (JSC::DFG::Node::hasArrayMode):
3100             * dfg/DFGNodeType.h:
3101             * dfg/DFGPredictionPropagationPhase.cpp:
3102             (JSC::DFG::PredictionPropagationPhase::propagate):
3103             * dfg/DFGSafeToExecute.h:
3104             (JSC::DFG::safeToExecute):
3105             * dfg/DFGSpeculativeJIT.h:
3106             (JSC::DFG::SpeculativeJIT::callOperation):
3107             * dfg/DFGSpeculativeJIT32_64.cpp:
3108             (JSC::DFG::SpeculativeJIT::compile):
3109             * dfg/DFGSpeculativeJIT64.cpp:
3110             (JSC::DFG::SpeculativeJIT::compile):
3111             * jit/JIT.cpp:
3112             (JSC::JIT::privateCompileMainPass):
3113             (JSC::JIT::privateCompileSlowCases):
3114             * jit/JIT.h:
3115             (JSC::JIT::compileHasIndexedProperty):
3116             (JSC::JIT::emitInt32Load):
3117             * jit/JITInlines.h:
3118             (JSC::JIT::emitDoubleGetByVal):
3119             (JSC::JIT::emitLoadForArrayMode):
3120             (JSC::JIT::emitContiguousGetByVal):
3121             (JSC::JIT::emitArrayStorageGetByVal):
3122             * jit/JITOpcodes.cpp:
3123             (JSC::JIT::emit_op_get_enumerable_length):
3124             (JSC::JIT::emit_op_has_structure_property):
3125             (JSC::JIT::emitSlow_op_has_structure_property):
3126             (JSC::JIT::emit_op_has_generic_property):
3127             (JSC::JIT::privateCompileHasIndexedProperty):
3128             (JSC::JIT::emit_op_has_indexed_property):
3129             (JSC::JIT::emitSlow_op_has_indexed_property):
3130             (JSC::JIT::emit_op_get_direct_pname):
3131             (JSC::JIT::emitSlow_op_get_direct_pname):
3132             (JSC::JIT::emit_op_get_structure_property_enumerator):
3133             (JSC::JIT::emit_op_get_generic_property_enumerator):
3134             (JSC::JIT::emit_op_next_enumerator_pname):
3135             (JSC::JIT::emit_op_to_index_string):
3136             * jit/JITOpcodes32_64.cpp:
3137             (JSC::JIT::emit_op_get_enumerable_length):
3138             (JSC::JIT::emit_op_has_structure_property):
3139             (JSC::JIT::emitSlow_op_has_structure_property):
3140             (JSC::JIT::emit_op_has_generic_property):
3141             (JSC::JIT::privateCompileHasIndexedProperty):
3142             (JSC::JIT::emit_op_has_indexed_property):
3143             (JSC::JIT::emitSlow_op_has_indexed_property):
3144             (JSC::JIT::emit_op_get_direct_pname):
3145             (JSC::JIT::emitSlow_op_get_direct_pname):
3146             (JSC::JIT::emit_op_get_structure_property_enumerator):
3147             (JSC::JIT::emit_op_get_generic_property_enumerator):
3148             (JSC::JIT::emit_op_next_enumerator_pname):
3149             (JSC::JIT::emit_op_to_index_string):
3150             * jit/JITOperations.cpp:
3151             * jit/JITOperations.h:
3152             * jit/JITPropertyAccess.cpp:
3153             (JSC::JIT::emitDoubleLoad):
3154             (JSC::JIT::emitContiguousLoad):
3155             (JSC::JIT::emitArrayStorageLoad):
3156             (JSC::JIT::emitDoubleGetByVal): Deleted.
3157             (JSC::JIT::emitContiguousGetByVal): Deleted.
3158             (JSC::JIT::emitArrayStorageGetByVal): Deleted.
3159             * jit/JITPropertyAccess32_64.cpp:
3160             (JSC::JIT::emitContiguousLoad):
3161             (JSC::JIT::emitDoubleLoad):
3162             (JSC::JIT::emitArrayStorageLoad):
3163             (JSC::JIT::emitContiguousGetByVal): Deleted.
3164             (JSC::JIT::emitDoubleGetByVal): Deleted.
3165             (JSC::JIT::emitArrayStorageGetByVal): Deleted.
3166             * llint/LowLevelInterpreter.asm:
3167             * parser/Nodes.h:
3168             * runtime/Arguments.cpp:
3169             (JSC::Arguments::getOwnPropertyNames):
3170             * runtime/ClassInfo.h:
3171             * runtime/CommonSlowPaths.cpp:
3172             (JSC::SLOW_PATH_DECL):
3173             * runtime/CommonSlowPaths.h:
3174             * runtime/EnumerationMode.h: Added.
3175             (JSC::shouldIncludeDontEnumProperties):
3176             (JSC::shouldExcludeDontEnumProperties):
3177             (JSC::shouldIncludeJSObjectPropertyNames):
3178             (JSC::modeThatSkipsJSObject):
            * runtime/JSActivation.cpp:
            (JSC::JSActivation::getOwnNonIndexPropertyNames):
            * runtime/JSArray.cpp:
            (JSC::JSArray::getOwnNonIndexPropertyNames):
            * runtime/JSArrayBuffer.cpp:
            (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
            * runtime/JSArrayBufferView.cpp:
            (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
            * runtime/JSCell.cpp:
            (JSC::JSCell::getEnumerableLength):
            (JSC::JSCell::getStructurePropertyNames):
            (JSC::JSCell::getGenericPropertyNames):
            * runtime/JSCell.h:
            * runtime/JSFunction.cpp:
            (JSC::JSFunction::getOwnNonIndexPropertyNames):
            * runtime/JSGenericTypedArrayViewInlines.h:
            (JSC::JSGenericTypedArrayView<Adaptor>::getOwnNonIndexPropertyNames):
            * runtime/JSObject.cpp:
            (JSC::getClassPropertyNames):
            (JSC::JSObject::hasOwnProperty):
            (JSC::JSObject::getOwnPropertyNames):
            (JSC::JSObject::getOwnNonIndexPropertyNames):
            (JSC::JSObject::getEnumerableLength):
            (JSC::JSObject::getStructurePropertyNames):
            (JSC::JSObject::getGenericPropertyNames):
            * runtime/JSObject.h:
            * runtime/JSPropertyNameEnumerator.cpp: Added.
            (JSC::JSPropertyNameEnumerator::create):
            (JSC::JSPropertyNameEnumerator::JSPropertyNameEnumerator):
            (JSC::JSPropertyNameEnumerator::finishCreation):
            (JSC::JSPropertyNameEnumerator::destroy):
            (JSC::JSPropertyNameEnumerator::visitChildren):
            * runtime/JSPropertyNameEnumerator.h: Added.
            (JSC::JSPropertyNameEnumerator::createStructure):
            (JSC::JSPropertyNameEnumerator::propertyNameAtIndex):
            (JSC::JSPropertyNameEnumerator::identifierSet):
            (JSC::JSPropertyNameEnumerator::cachedPrototypeChain):
            (JSC::JSPropertyNameEnumerator::setCachedPrototypeChain):
            (JSC::JSPropertyNameEnumerator::cachedStructure):
            (JSC::JSPropertyNameEnumerator::cachedStructureID):
            (JSC::JSPropertyNameEnumerator::cachedInlineCapacity):
            (JSC::JSPropertyNameEnumerator::cachedStructureIDOffset):
            (JSC::JSPropertyNameEnumerator::cachedInlineCapacityOffset):
            (JSC::JSPropertyNameEnumerator::cachedPropertyNamesLengthOffset):
            (JSC::JSPropertyNameEnumerator::cachedPropertyNamesVectorOffset):
            (JSC::structurePropertyNameEnumerator):
            (JSC::genericPropertyNameEnumerator):
            * runtime/JSProxy.cpp:
            (JSC::JSProxy::getEnumerableLength):
            (JSC::JSProxy::getStructurePropertyNames):
            (JSC::JSProxy::getGenericPropertyNames):
            * runtime/JSProxy.h:
            * runtime/JSSymbolTableObject.cpp:
            (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
            * runtime/PropertyNameArray.cpp:
            (JSC::PropertyNameArray::add):
            (JSC::PropertyNameArray::setPreviouslyEnumeratedProperties):
            * runtime/PropertyNameArray.h:
            (JSC::RefCountedIdentifierSet::contains):
            (JSC::RefCountedIdentifierSet::size):
            (JSC::RefCountedIdentifierSet::add):
            (JSC::PropertyNameArray::PropertyNameArray):
            (JSC::PropertyNameArray::add):
            (JSC::PropertyNameArray::addKnownUnique):
            (JSC::PropertyNameArray::identifierSet):
            (JSC::PropertyNameArray::canAddKnownUniqueForStructure):
            (JSC::PropertyNameArray::setPreviouslyEnumeratedLength):
            * runtime/RegExpObject.cpp:
            (JSC::RegExpObject::getOwnNonIndexPropertyNames):
            (JSC::RegExpObject::getPropertyNames):
            (JSC::RegExpObject::getGenericPropertyNames):
            * runtime/RegExpObject.h:
            * runtime/StringObject.cpp:
            (JSC::StringObject::getOwnPropertyNames):
            * runtime/Structure.cpp:
            (JSC::Structure::getPropertyNamesFromStructure):
            (JSC::Structure::setCachedStructurePropertyNameEnumerator):
            (JSC::Structure::cachedStructurePropertyNameEnumerator):
            (JSC::Structure::setCachedGenericPropertyNameEnumerator):
            (JSC::Structure::cachedGenericPropertyNameEnumerator):
            (JSC::Structure::canCacheStructurePropertyNameEnumerator):
            (JSC::Structure::canCacheGenericPropertyNameEnumerator):
            (JSC::Structure::canAccessPropertiesQuickly):
            * runtime/Structure.h:
            * runtime/StructureRareData.cpp:
            (JSC::StructureRareData::visitChildren):
            (JSC::StructureRareData::cachedStructurePropertyNameEnumerator):
            (JSC::StructureRareData::setCachedStructurePropertyNameEnumerator):
            (JSC::StructureRareData::cachedGenericPropertyNameEnumerator):
            (JSC::StructureRareData::setCachedGenericPropertyNameEnumerator):
            * runtime/StructureRareData.h:
            * runtime/VM.cpp:
            (JSC::VM::VM):
            * runtime/VM.h:

    2014-07-23  Saam Barati  <sbarati@apple.com>

            Make improvements to Type Profiling
            https://bugs.webkit.org/show_bug.cgi?id=134860

            Reviewed by Filip Pizlo.

            I improved the API between the inspector and JSC. We no longer send one huge
            string to the inspector. We now send structured data that represents the type
            information that JSC has collected. I've also created a beginning implementation
            of a type lattice that allows us to resolve a display name for a type that
            consists of a single word.

            I created a data structure that knows which functions have executed. This
            solves the bug where types inside an un-executed function will resolve
            to the type of the enclosing expression of that function. This data
            structure may also be useful later if the inspector chooses to create a UI
            around showing which functions have executed.

            Better type information is gathered for objects. StructureShape now
            represents an object's prototype chain.  StructureShape also collects
            the constructor name for an object.

            Expression ranges are now zero indexed.

            Removed some extraneous methods.

            * JavaScriptCore.xcodeproj/project.pbxproj:
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::CodeBlock):
            (JSC::CodeBlock::scopeDependentProfile):
            * bytecode/CodeBlock.h:
            * bytecode/TypeLocation.h:
            (JSC::TypeLocation::TypeLocation):
            * bytecode/UnlinkedCodeBlock.cpp:
            (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
            * bytecode/UnlinkedCodeBlock.h:
            (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingStartOffset):
            (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingEndOffset):
            * bytecompiler/BytecodeGenerator.cpp:
            (JSC::BytecodeGenerator::BytecodeGenerator):
            (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo):
            * bytecompiler/BytecodeGenerator.h:
            (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo): Deleted.
            * heap/Heap.cpp:
            (JSC::Heap::collect):
            * inspector/agents/InspectorRuntimeAgent.cpp:
            (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
            (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableAtOffset): Deleted.
            * inspector/agents/InspectorRuntimeAgent.h:
            * inspector/protocol/Runtime.json:
            * runtime/Executable.cpp:
            (JSC::ScriptExecutable::ScriptExecutable):
            (JSC::ProgramExecutable::ProgramExecutable):
            (JSC::FunctionExecutable::FunctionExecutable):
            (JSC::ProgramExecutable::initializeGlobalProperties):
            * runtime/Executable.h:
            (JSC::ScriptExecutable::highFidelityTypeProfilingStartOffset):
            (JSC::ScriptExecutable::highFidelityTypeProfilingEndOffset):
            * runtime/FunctionHasExecutedCache.cpp: Added.
            (JSC::FunctionHasExecutedCache::hasExecutedAtOffset):
            (JSC::FunctionHasExecutedCache::insertUnexecutedRange):
            (JSC::FunctionHasExecutedCache::removeUnexecutedRange):
            * runtime/FunctionHasExecutedCache.h: Added.
            (JSC::FunctionHasExecutedCache::FunctionRange::FunctionRange):
            (JSC::FunctionHasExecutedCache::FunctionRange::operator==):
            (JSC::FunctionHasExecutedCache::FunctionRange::hash):
            * runtime/HighFidelityLog.cpp:
            (JSC::HighFidelityLog::processHighFidelityLog):
            (JSC::HighFidelityLog::actuallyProcessLogThreadFunction): Deleted.
            * runtime/HighFidelityLog.h:
            (JSC::HighFidelityLog::recordTypeInformationForLocation):
            * runtime/HighFidelityTypeProfiler.cpp:
            (JSC::HighFidelityTypeProfiler::logTypesForTypeLocation):
            (JSC::HighFidelityTypeProfiler::insertNewLocation):
            (JSC::HighFidelityTypeProfiler::getTypesForVariableAtOffsetForInspector):
            (JSC::descriptorMatchesTypeLocation):
            (JSC::HighFidelityTypeProfiler::findLocation):
            (JSC::HighFidelityTypeProfiler::getTypesForVariableInAtOffset): Deleted.
            (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableAtOffset): Deleted.
            (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableAtOffset): Deleted.
            * runtime/HighFidelityTypeProfiler.h:
            (JSC::QueryKey::QueryKey):
            (JSC::QueryKey::isHashTableDeletedValue):
            (JSC::QueryKey::operator==):
            (JSC::QueryKey::hash):
            (JSC::QueryKeyHash::hash):
            (JSC::QueryKeyHash::equal):
            (JSC::HighFidelityTypeProfiler::functionHasExecutedCache):
            (JSC::HighFidelityTypeProfiler::typeLocationCache):
            * runtime/Structure.cpp:
            (JSC::Structure::toStructureShape):
            * runtime/Structure.h:
            * runtime/TypeLocationCache.cpp: Added.
            (JSC::TypeLocationCache::getTypeLocation):
            * runtime/TypeLocationCache.h: Added.
            (JSC::TypeLocationCache::LocationKey::LocationKey):
            (JSC::TypeLocationCache::LocationKey::operator==):
            (JSC::TypeLocationCache::LocationKey::hash):
            * runtime/TypeSet.cpp:
            (JSC::TypeSet::getRuntimeTypeForValue):
            (JSC::TypeSet::addTypeForValue):
            (JSC::TypeSet::seenTypes):
            (JSC::TypeSet::doesTypeConformTo):
            (JSC::TypeSet::displayName):
            (JSC::TypeSet::allPrimitiveTypeNames):
            (JSC::TypeSet::allStructureRepresentations):
            (JSC::TypeSet::leastCommonAncestor):
            (JSC::StructureShape::StructureShape):
            (JSC::StructureShape::addProperty):
            (JSC::StructureShape::propertyHash):
            (JSC::StructureShape::leastCommonAncestor):
            (JSC::StructureShape::stringRepresentation):
            (JSC::StructureShape::inspectorRepresentation):
            (JSC::StructureShape::leastUpperBound): Deleted.
            * runtime/TypeSet.h:
            (JSC::StructureShape::setConstructorName):
            (JSC::StructureShape::constructorName):
            (JSC::StructureShape::setProto):
            * runtime/VM.cpp:
            (JSC::VM::dumpHighFidelityProfilingTypes):
            (JSC::VM::getTypesForVariableAtOffset): Deleted.
            (JSC::VM::updateHighFidelityTypeProfileState): Deleted.
            * runtime/VM.h:
            (JSC::VM::isProfilingTypesWithHighFidelity):
            (JSC::VM::highFidelityTypeProfiler):

    2014-07-23  Filip Pizlo  <fpizlo@apple.com>

            Fix debug build.

            * bytecode/CallLinkStatus.h:
            (JSC::CallLinkStatus::CallLinkStatus):

    2014-07-20  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] Phantoms in SSA form should be aggressively hoisted
            https://bugs.webkit.org/show_bug.cgi?id=135111

            Reviewed by Oliver Hunt.

            In CPS form, Phantom means three things: (1) that the children should be kept alive so long
            as they are relevant to OSR (due to a MovHint), (2) that the children are live-in-bytecode
            at the point of the Phantom, and (3) that some checks should be performed. In SSA, the
            second meaning is not used but the other two stay.

            The fact that a Phantom that is used to keep a node alive could be anywhere in the graph,
            even in a totally different basic block, complicates some SSA transformations. It's not
            possible to just jettison some successor, since that successor could have a Phantom that we
            care about.

            This change rationalizes how Phantoms work so that:

            1) Phantoms keep children alive so long as those children are relevant to OSR. This is true
               in both CPS and SSA. This was true before and it's true now.

            2) Phantoms are used for live-in-bytecode only in CPS. This was true before and it's true
               now, except that now we also don't bother preserving the live-in-bytecode information
               that Phantoms convey, when we are in SSA.

            3) Phantoms may incidentally have checks, but in cases where we only want checks, we now
               use Check instead of Phantom. Notably, DCE phase has dead nodes decay to Check, not
               Phantom.

            The biggest part of this change is that in SSA, we canonicalize Phantoms:

            - All Phantoms are replaced with Check nodes that include only those edges that have
              checks.

            - Nodes that were the children of any Phantoms have a Phantom right after them.

            For example, the following code:

                5: ArithAdd(@1, @2)
                6: ArithSub(@5, @3)
                7: Phantom(Int32:@5)

            would be turned into the following:

                5: ArithAdd(@1, @2)
                8: Phantom(@5) // @5 was the child of a Phantom, so we create a new Phantom right after
                               // @5. This is the only Phantom we will have for @5.
                6: ArithSub(@5, @3)
                7: Check(Int32:@5) // We replace the Phantom with a Check; in this case since Int32: is
                                   // a checking edge, we leave it.

            This is a slight speed-up across the board, presumably because we now do a better job of
            reducing the size of the graph during compilation. It could also be a fluke, though. The
            main purpose of this is to unlock some other work (like CFG simplification in SSA). It will
            become a requirement to run phantom canonicalization prior to some SSA phases. None of the
            current phases need it, but future phases probably will.

            * CMakeLists.txt:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::foldConstants):
            * dfg/DFGDCEPhase.cpp:
            (JSC::DFG::DCEPhase::run):
            (JSC::DFG::DCEPhase::findTypeCheckRoot):
            (JSC::DFG::DCEPhase::countEdge):
            (JSC::DFG::DCEPhase::fixupBlock):
            (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):
            * dfg/DFGEdge.cpp:
            (JSC::DFG::Edge::dump):
            * dfg/DFGEdge.h:
            (JSC::DFG::Edge::isProved):
            (JSC::DFG::Edge::needsCheck): Deleted.
            * dfg/DFGNodeFlags.h:
            * dfg/DFGPhantomCanonicalizationPhase.cpp: Added.
            (JSC::DFG::PhantomCanonicalizationPhase::PhantomCanonicalizationPhase):
            (JSC::DFG::PhantomCanonicalizationPhase::run):
            (JSC::DFG::performPhantomCanonicalization):
            * dfg/DFGPhantomCanonicalizationPhase.h: Added.
            * dfg/DFGPhantomRemovalPhase.cpp:
            (JSC::DFG::PhantomRemovalPhase::run):
            * dfg/DFGPhantomRemovalPhase.h:
            * dfg/DFGPlan.cpp:
            (JSC::DFG::Plan::compileInThreadImpl):
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::lowJSValue):
            (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
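
            The canonicalization rule described in the entry above, as an added illustration that is not
            JavaScriptCore code: a toy block of nodes with checking and non-checking edges, where every
            Phantom becomes a Check carrying only the edges that still need a check, and every former
            Phantom child gets exactly one Phantom placed directly after it. The Op and UseKind enums,
            Edge::needsCheck, and dropping a Check left with no checking edges are assumptions of this toy.

```cpp
#include <iostream>
#include <set>
#include <string>
#include <vector>

// Toy model of a DFG basic block for the Phantom canonicalization rule in the
// entry above. Not JavaScriptCore code: Op, UseKind, Edge::needsCheck and the
// other names here are assumptions of this illustration.
enum class Op { ArithAdd, ArithSub, Phantom, Check };
enum class UseKind { Untyped, Int32 };

struct Edge {
    int child;       // node being used, written @child in DFG dumps
    UseKind useKind;
    bool proved;     // a proved edge needs no runtime check
    // Untyped edges never check; typed edges check unless already proved.
    bool needsCheck() const { return useKind != UseKind::Untyped && !proved; }
};

struct Node {
    int id;
    Op op;
    std::vector<Edge> children;
};

// Rewrites a block so that (1) every node that was the child of some Phantom
// gets exactly one fresh Phantom(@node) right after it, so its OSR liveness no
// longer depends on a Phantom sitting anywhere else in the graph, and (2) every
// original Phantom becomes a Check holding only the edges that still need a
// type check. A Check with no such edges is dropped here (an assumption of
// this toy: it would perform no work). nextId supplies ids for new Phantoms.
std::vector<Node> canonicalizePhantoms(const std::vector<Node>& block, int nextId)
{
    std::set<int> phantomChildren;
    for (const Node& node : block) {
        if (node.op != Op::Phantom)
            continue;
        for (const Edge& edge : node.children)
            phantomChildren.insert(edge.child);
    }

    std::vector<Node> result;
    for (const Node& node : block) {
        if (node.op == Op::Phantom) {
            Node check { node.id, Op::Check, {} };
            for (const Edge& edge : node.children) {
                if (edge.needsCheck())
                    check.children.push_back(edge);
            }
            if (!check.children.empty())
                result.push_back(check);
            continue;
        }
        result.push_back(node);
        if (phantomChildren.count(node.id)) {
            // The inserted Phantom uses an Untyped edge: it keeps @node alive
            // for OSR and never checks it.
            result.push_back(Node { nextId++, Op::Phantom, { Edge { node.id, UseKind::Untyped, false } } });
        }
    }
    return result;
}

// Renders nodes the way DFG dumps do, one per line, e.g. "7: Check(Int32:@5)".
std::string dumpBlock(const std::vector<Node>& block)
{
    static const char* const opNames[] = { "ArithAdd", "ArithSub", "Phantom", "Check" };
    std::string out;
    for (const Node& node : block) {
        out += std::to_string(node.id) + ": " + opNames[static_cast<int>(node.op)] + "(";
        for (size_t i = 0; i < node.children.size(); ++i) {
            const Edge& edge = node.children[i];
            out += std::string(i ? ", " : "") + (edge.useKind == UseKind::Int32 ? "Int32:" : "")
                + "@" + std::to_string(edge.child);
        }
        out += ")\n";
    }
    return out;
}

// The block from the entry above; @1, @2 and @3 are defined earlier and not
// shown. With `proved` set, the Phantom's Int32 edge was already proved, so the
// Check it turns into has nothing to check and is dropped; the Phantom after @5 stays.
std::string canonicalizedExample(bool proved)
{
    std::vector<Node> block = {
        Node { 5, Op::ArithAdd, { Edge { 1, UseKind::Untyped, false }, Edge { 2, UseKind::Untyped, false } } },
        Node { 6, Op::ArithSub, { Edge { 5, UseKind::Untyped, false }, Edge { 3, UseKind::Untyped, false } } },
        Node { 7, Op::Phantom, { Edge { 5, UseKind::Int32, proved } } },
    };
    return dumpBlock(canonicalizePhantoms(block, 8));
}

int main()
{
    std::cout << "unproved Int32 edge:\n" << canonicalizedExample(false)
              << "proved Int32 edge:\n" << canonicalizedExample(true);
}
```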

    2014-07-22  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] Get rid of structure checks as a way of checking if a function is in fact a function
            https://bugs.webkit.org/show_bug.cgi?id=135146

            Reviewed by Oliver Hunt.

            This greatly simplifies our closure call optimizations by taking advantage of the type
            bits available in the cell header.

            * bytecode/CallLinkInfo.cpp:
            (JSC::CallLinkInfo::visitWeak):
            * bytecode/CallLinkStatus.cpp:
            (JSC::CallLinkStatus::CallLinkStatus):
            (JSC::CallLinkStatus::computeFor):
            (JSC::CallLinkStatus::dump):
            * bytecode/CallLinkStatus.h:
            (JSC::CallLinkStatus::CallLinkStatus):
            (JSC::CallLinkStatus::executable):
            (JSC::CallLinkStatus::structure): Deleted.
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::emitFunctionChecks):
            * dfg/DFGFixupPhase.cpp:
            (JSC::DFG::FixupPhase::fixupNode):
            (JSC::DFG::FixupPhase::observeUseKindOnNode):
            * dfg/DFGSafeToExecute.h:
            (JSC::DFG::SafeToExecuteEdge::operator()):
            * dfg/DFGSpeculativeJIT.cpp:
            (JSC::DFG::SpeculativeJIT::checkArray):
            (JSC::DFG::SpeculativeJIT::speculateCellTypeWithoutTypeFiltering):
            (JSC::DFG::SpeculativeJIT::speculateCellType):
            (JSC::DFG::SpeculativeJIT::speculateFunction):
            (JSC::DFG::SpeculativeJIT::speculateFinalObject):
            (JSC::DFG::SpeculativeJIT::speculate):
            * dfg/DFGSpeculativeJIT.h:
            * dfg/DFGSpeculativeJIT32_64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGSpeculativeJIT64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGUseKind.cpp:
            (WTF::printInternal):
            * dfg/DFGUseKind.h:
            (JSC::DFG::typeFilterFor):
            (JSC::DFG::isCell):
            * ftl/FTLCapabilities.cpp:
            (JSC::FTL::canCompile):
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileCheckExecutable):
            (JSC::FTL::LowerDFGToLLVM::speculate):
            (JSC::FTL::LowerDFGToLLVM::isFunction):
            (JSC::FTL::LowerDFGToLLVM::isNotFunction):
            (JSC::FTL::LowerDFGToLLVM::speculateFunction):
            * jit/ClosureCallStubRoutine.cpp:
            (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
            (JSC::ClosureCallStubRoutine::markRequiredObjectsInternal):
            * jit/ClosureCallStubRoutine.h:
            (JSC::ClosureCallStubRoutine::structure): Deleted.
            * jit/JIT.h:
            (JSC::JIT::compileClosureCall): Deleted.
            * jit/JITCall.cpp:
            (JSC::JIT::privateCompileClosureCall): Deleted.
            * jit/JITCall32_64.cpp:
            (JSC::JIT::privateCompileClosureCall): Deleted.
            * jit/JITOperations.cpp:
            * jit/Repatch.cpp:
            (JSC::linkClosureCall):
            * jit/Repatch.h:

2014-08-06  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        [ARM] Incorrect handling of Unicode characters
        https://bugs.webkit.org/show_bug.cgi?id=135380

        Reviewed by Darin Adler.

        Removed erroneous fast case from stringFromUTF(), since it assumed that
        char is always implemented as signed.

        * jsc.cpp:
        (stringFromUTF):

2014-08-06  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        [JSC] Build fix for FTL on EFL after ftlopt merge
        https://bugs.webkit.org/show_bug.cgi?id=135565

        Reviewed by Mark Lam.

        Adding an enable guard for native inlining, since it now requires the bitcode
        emitted from Clang, and we don't have a good way of creating it from other compilers.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State):
        * ftl/FTLState.h:

2014-08-05  Csaba Osztrogonác  <ossy@webkit.org>

        URTBF after r172129. (ftlopt branch merge)

        Remove the duplicated friend declaration to fix this build failure:
        "error: ‘JSC::Structure’ is already a friend of ‘JSC::StructureRareData’ [-Werror]"

        * runtime/StructureRareData.h:

2014-08-05  Filip Pizlo  <fpizlo@apple.com>

        Attempt to fix CMake-based builds, part 3.

        * CMakeLists.txt:

2014-08-05  Filip Pizlo  <fpizlo@apple.com>

        Attempt to fix CMake-based builds, part 2.

        * CMakeLists.txt:

2014-08-05  Filip Pizlo  <fpizlo@apple.com>

        Attempt to fix Windows build, part 2.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:

2014-08-05  Filip Pizlo  <fpizlo@apple.com>

        Attempt to fix CMake-based builds.

        * CMakeLists.txt:

2014-08-05  Filip Pizlo  <fpizlo@apple.com>

        Attempt to fix Windows build.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:

2014-08-05  Filip Pizlo  <fpizlo@apple.com>

        Fix cloop build.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):

2014-07-29  Filip Pizlo  <fpizlo@apple.com>

        Merge r170564, r170571, r170604, r170628, r170672, r170680, r170724, r170728, r170729, r170819, r170821, r170836, r170855, r170860, r170890, r170907, r170929, r171052, r171106, r171152, r171153, r171214 from ftlopt.

        This part of the merge delivers roughly a 2% across-the-board performance
        improvement, mostly due to immutable property inference and DFG-side GCSE. It also
        almost completely resolves accessor performance issues; in the common case the DFG
        will compile a getter/setter access into code that is just as efficient as a normal
        property access.

        Another major highlight of this part of the merge is the work to add a type profiler
        to the inspector. This work is still on-going but this greatly increases coverage.

        Note that this merge fixes a minor bug in the GetterSetter refactoring from
        http://trac.webkit.org/changeset/170729 (https://bugs.webkit.org/show_bug.cgi?id=134518).
        It also adds new tests to tests/stress to cover that bug. That bug was previously only
        covered by layout tests.

    2014-07-17  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] DFG Flush(SetLocal) store elimination is overzealous for captured variables in the presence of nodes that have no effects but may throw (merge trunk r171190)
            https://bugs.webkit.org/show_bug.cgi?id=135019

            Reviewed by Oliver Hunt.

            Behaviorally, this is just a merge of trunk r171190, except that the relevant functionality
            has moved to StrengthReductionPhase and is written in a different style. Same algorithm,
            different code.

            * dfg/DFGNodeType.h:
            * dfg/DFGStrengthReductionPhase.cpp:
            (JSC::DFG::StrengthReductionPhase::handleNode):
            * tests/stress/capture-escape-and-throw.js: Added.
            (foo.f):
            (foo):
            * tests/stress/new-array-with-size-throw-exception-and-tear-off-arguments.js: Added.
            (foo):
            (bar):

    2014-07-15  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] Constant fold GetGetter and GetSetter if the GetterSetter is a constant
            https://bugs.webkit.org/show_bug.cgi?id=134962

            Reviewed by Oliver Hunt.

            This removes yet another steady-state-throughput implication of using getters and setters:
            if your accessor call is monomorphic then you'll just get a structure check, nothing more.
            No more loads to get to the GetterSetter object or the accessor function object.

            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * runtime/GetterSetter.h:
            (JSC::GetterSetter::getterConcurrently):
            (JSC::GetterSetter::setGetter):
            (JSC::GetterSetter::setterConcurrently):
            (JSC::GetterSetter::setSetter):

    2014-07-15  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] Identity replacement in CSE shouldn't create a Phantom over the Identity's children
            https://bugs.webkit.org/show_bug.cgi?id=134893

            Reviewed by Oliver Hunt.

            Replace Identity with Check instead of Phantom. Phantom means that the child of the
            Identity should be unconditionally live. The liveness semantics of Identity are such that
            if the parents of Identity are live then the child is live. Removing the Identity entirely
            preserves such liveness semantics. So, the only thing that should be left behind is the
            type check on the child, which is what Check means: do the check but don't keep the child
            alive if the check isn't needed.

            * dfg/DFGCSEPhase.cpp:
            * dfg/DFGNode.h:
            (JSC::DFG::Node::convertToCheck):

    2014-07-13  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] DFG should be able to do GCSE in SSA and this should be unified with the CSE in CPS, and both of these things should use abstract heaps for reasoning about effects
            https://bugs.webkit.org/show_bug.cgi?id=134677

            Reviewed by Sam Weinig.

            This removes the old local CSE phase, which was based on manually written backward-search
            rules for all of the different kinds of things we cared about, and adds a new local/global
            CSE (local for CPS and global for SSA) that leaves the node semantics almost entirely up to
            clobberize(). Thus, the CSE phase itself just worries about the algorithms and data
            structures used for storing sets of available values. This results in a large reduction in
            code size in CSEPhase.cpp while greatly increasing the phase's power (since it now does
            global CSE) and reducing compile time (since local CSE is now rewritten to use smarter data
            structures). Even though LLVM was already running GVN, the extra GCSE at DFG IR level means
            that this is a significant (~0.7%) throughput improvement.

            This work is based on the concept of "def" to clobberize(). If clobberize() calls def(), it
            means that the node being analyzed makes available some value in some DFG node, and that
            future attempts to compute that value can simply use that node. In other words, it
            establishes an available value mapping of the form value=>node. There are two kinds of
            values that can be passed to def():

            PureValue. This captures everything needed to determine whether two pure nodes - nodes that
                neither read nor write, and produce a value that is a CSE candidate - are identical. It
                carries the NodeType, an AdjacencyList, and one word of meta-data. The meta-data is
                usually used for things like the arithmetic mode or constant pointer. Passing a
                PureValue to def() means that the node produces a value that is valid anywhere that the
                node dominates.

            HeapLocation. This describes a location in the heap that could be written to or read from.
                Both stores and loads can def() a HeapLocation. HeapLocation carries around an abstract
                heap that both serves as part of the "name" of the heap location (together with the
                other fields of HeapLocation) and also tells us what write()'s to watch for. If someone
                write()'s to an abstract heap that overlaps the heap associated with the HeapLocation,
                then it means that the values for that location are no longer available.

            This approach is sufficiently clever that the CSEPhase itself can focus on the mechanism of
            tracking the PureValue=>node and HeapLocation=>node maps, without having to worry about
            interpreting the semantics of different DFG node types - that is now almost entirely in
            clobberize(). The only things we special-case inside CSEPhase are the Identity node, which
            CSE is traditionally responsible for eliminating even though it has nothing to do with CSE,
            and the LocalCSE rule for turning PutByVal into PutByValAlias.

            This is a slight Octane, SunSpider, and Kraken speed-up - all somewhere around 0.7%. It's
            not a bigger win because LLVM was already giving us most of what we needed in its GVN.
            Also, the SunSpider speed-up isn't from GCSE as much as it's a clean-up of local CSE - that
            is no longer O(n^2). Basically this is purely good: it reduces the amount of LLVM IR we
            generate, it removes the old CSE's heap modeling (which was a constant source of bugs), and
            it improves both the quality of the code we generate and the speed with which we generate
            it. Also, any future optimizations that depend on GCSE will now be easier to implement.

            During the development of this patch I also rationalized some other stuff, like Graph's
            ordered traversals - we now have preorder and postorder rather than just "depth first".

            * CMakeLists.txt:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * dfg/DFGAbstractHeap.h:
            * dfg/DFGAdjacencyList.h:
            (JSC::DFG::AdjacencyList::hash):
            (JSC::DFG::AdjacencyList::operator==):
            * dfg/DFGBasicBlock.h:
            * dfg/DFGCSEPhase.cpp:
            (JSC::DFG::performLocalCSE):
            (JSC::DFG::performGlobalCSE):
            (JSC::DFG::CSEPhase::CSEPhase): Deleted.
            (JSC::DFG::CSEPhase::run): Deleted.
            (JSC::DFG::CSEPhase::endIndexForPureCSE): Deleted.
            (JSC::DFG::CSEPhase::pureCSE): Deleted.
            (JSC::DFG::CSEPhase::constantCSE): Deleted.
            (JSC::DFG::CSEPhase::constantStoragePointerCSE): Deleted.
            (JSC::DFG::CSEPhase::getCalleeLoadElimination): Deleted.
            (JSC::DFG::CSEPhase::getArrayLengthElimination): Deleted.
            (JSC::DFG::CSEPhase::globalVarLoadElimination): Deleted.
            (JSC::DFG::CSEPhase::scopedVarLoadElimination): Deleted.
            (JSC::DFG::CSEPhase::varInjectionWatchpointElimination): Deleted.
            (JSC::DFG::CSEPhase::getByValLoadElimination): Deleted.
            (JSC::DFG::CSEPhase::checkFunctionElimination): Deleted.
            (JSC::DFG::CSEPhase::checkExecutableElimination): Deleted.
            (JSC::DFG::CSEPhase::checkStructureElimination): Deleted.
            (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination): Deleted.
            (JSC::DFG::CSEPhase::getByOffsetLoadElimination): Deleted.
            (JSC::DFG::CSEPhase::getGetterSetterByOffsetLoadElimination): Deleted.
            (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination): Deleted.
            (JSC::DFG::CSEPhase::checkArrayElimination): Deleted.
            (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination): Deleted.
            (JSC::DFG::CSEPhase::getInternalFieldLoadElimination): Deleted.
            (JSC::DFG::CSEPhase::getMyScopeLoadElimination): Deleted.
            (JSC::DFG::CSEPhase::getLocalLoadElimination): Deleted.
            (JSC::DFG::CSEPhase::invalidationPointElimination): Deleted.
3811             (JSC::DFG::CSEPhase::setReplacement): Deleted.
3812             (JSC::DFG::CSEPhase::eliminate): Deleted.
3813             (JSC::DFG::CSEPhase::performNodeCSE): Deleted.
3814             (JSC::DFG::CSEPhase::performBlockCSE): Deleted.
3815             (JSC::DFG::performCSE): Deleted.
3816             * dfg/DFGCSEPhase.h:
3817             * dfg/DFGClobberSet.cpp:
3818             (JSC::DFG::addReads):
3819             (JSC::DFG::addWrites):
3820             (JSC::DFG::addReadsAndWrites):
3821             (JSC::DFG::readsOverlap):
3822             (JSC::DFG::writesOverlap):
3823             * dfg/DFGClobberize.cpp:
3824             (JSC::DFG::doesWrites):
3825             (JSC::DFG::accessesOverlap):
3826             (JSC::DFG::writesOverlap):
3827             * dfg/DFGClobberize.h:
3828             (JSC::DFG::clobberize):
3829             (JSC::DFG::NoOpClobberize::operator()):
3830             (JSC::DFG::CheckClobberize::operator()):