WebKit-https.git
aestes@apple.com [Thu, 7 Aug 2014 00:16:36 +0000 (00:16 +0000)]
[iOS] Subresources referenced in converted QuickLook documents sometimes fail to load
https://bugs.webkit.org/show_bug.cgi?id=135676

Reviewed by David Kilzer.

Source/WebCore:

* loader/DocumentLoader.h:
(WebCore::DocumentLoader::setQuickLookHandle):
(WebCore::DocumentLoader::quickLookHandle):

Source/WebKit2:

QuickLookHandle needs to stay alive in order for its NSURLProtocol to service subresource loads originating
from the converted HTML document. Some of these loads happen dynamically after the main resource finishes
loading, so we cannot tie the lifetime of the QuickLookHandle to that of the main resource's ResourceLoader.
Instead, give ownership of the QuickLookHandle to DocumentLoader.

* WebProcess/Network/WebResourceLoader.cpp:
(WebKit::WebResourceLoader::didReceiveResponseWithCertificateInfo): Stored the created QuickLookHandle in DocumentLoader.
(WebKit::WebResourceLoader::didReceiveData): Accessed DocumentLoader's QuickLookHandle.
(WebKit::WebResourceLoader::didFinishResourceLoad): Ditto.
(WebKit::WebResourceLoader::didFailResourceLoad): Ditto.
(WebKit::WebResourceLoader::didReceiveResource): Ditto.
* WebProcess/Network/WebResourceLoader.h: Removed m_quickLookHandle.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172191 268f45cc-cd09-0410-ab3c-d52691b4dbfc

mark.lam@apple.com [Thu, 7 Aug 2014 00:15:22 +0000 (00:15 +0000)]
Gardening: fix for build failure on GTK bots.

Not reviewed.

* runtime/FunctionHasExecutedCache.cpp:
- #include <limits.h> for UINT_MAX's definition.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172190 268f45cc-cd09-0410-ab3c-d52691b4dbfc

mark.lam@apple.com [Thu, 7 Aug 2014 00:09:14 +0000 (00:09 +0000)]
Gardening: fix for build failure on EFL bots.

Not reviewed.

* jit/JITInlines.h:
(JSC::JIT::emitLoadForArrayMode):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172189 268f45cc-cd09-0410-ab3c-d52691b4dbfc

mark.lam@apple.com [Wed, 6 Aug 2014 23:54:30 +0000 (23:54 +0000)]
Gardening: adding missing build file changes from the FTLOPT merge at r172176.

Not reviewed.

* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172188 268f45cc-cd09-0410-ab3c-d52691b4dbfc

ryuan.choi@samsung.com [Wed, 6 Aug 2014 23:49:15 +0000 (23:49 +0000)]
Unreviewed build fix attempt since r172184

* CMakeLists.txt: Removed TypeLocation.cpp

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172187 268f45cc-cd09-0410-ab3c-d52691b4dbfc

dfarler@apple.com [Wed, 6 Aug 2014 23:33:55 +0000 (23:33 +0000)]
Unreviewed build fix: Make includes semicolon in assignment.

* Makefile.shared: Remove a ;

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172186 268f45cc-cd09-0410-ab3c-d52691b4dbfc

mark.lam@apple.com [Wed, 6 Aug 2014 23:22:00 +0000 (23:22 +0000)]
Gardening: adding missing build file changes from r171510.
<https://webkit.org/b/134860>

Not reviewed.

* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172185 268f45cc-cd09-0410-ab3c-d52691b4dbfc

mark.lam@apple.com [Wed, 6 Aug 2014 23:11:47 +0000 (23:11 +0000)]
Gardening: adding missing build file changes from r170490.
<https://webkit.org/b/133395>

Not reviewed.

* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172184 268f45cc-cd09-0410-ab3c-d52691b4dbfc

simon.fraser@apple.com [Wed, 6 Aug 2014 23:05:34 +0000 (23:05 +0000)]
REGRESSION (r168119): Album flipping animation doesn’t work
https://bugs.webkit.org/show_bug.cgi?id=132801

Source/WebCore:

<rdar://problem/16878497>, <rdar://problem/17908085>

Reviewed by Dean Jackson.

In r168119 I avoided creating backing store for backface-visibility:hidden unless
some ancestor was 3d-transformed. However, when starting transitions or animations
that apply transforms, we don't do a layout, and therefore don't update the RenderLayer
flags that mark an ancestor as having a transform. This broke various content which
used backface-visibility:hidden for "flip" animations.

Make a low-risk fix that looks for the pattern of CSS properties used for flipping,
making a compositing layer for backface-visibility:hidden if the stacking context element
has transform-style: preserve-3d.

Test: compositing/backing/backface-visibility-flip.html

* rendering/RenderLayerCompositor.cpp:
(WebCore::RenderLayerCompositor::requiresCompositingForBackfaceVisibility):

LayoutTests:

Reviewed by Dean Jackson.

Test that starts a transform animation and dumps layers.

* compositing/backing/backface-visibility-flip-expected.txt: Added.
* compositing/backing/backface-visibility-flip.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172183 268f45cc-cd09-0410-ab3c-d52691b4dbfc

bfulgham@apple.com [Wed, 6 Aug 2014 23:04:05 +0000 (23:04 +0000)]
Consolidate logic for calculating scrollbar page step size
https://bugs.webkit.org/show_bug.cgi?id=135670

Reviewed by Simon Fraser.

Consolidate the calculation of the scroll step size into a single place.
Improve the handling of sub-pixel layout behavior by performing proper
rounding on the fractional scroll ranges.

* editing/EditorCommand.cpp:
(WebCore::verticalScrollDistance): Switch to Scrollbar::pageStep method.
* platform/ScrollAnimator.cpp:
(WebCore::ScrollAnimator::handleWheelEvent): Ditto.
* platform/ScrollView.cpp:
(WebCore::ScrollView::updateScrollbars): Ditto.
* platform/Scrollbar.h:
(WebCore::Scrollbar::pageStep): Added.
(WebCore::Scrollbar::pageStepDelta): Added.
* rendering/RenderLayer.cpp:
(WebCore::RenderLayer::updateScrollbarsAfterLayout): Switch to Scrollbar method.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172182 268f45cc-cd09-0410-ab3c-d52691b4dbfc

fpizlo@apple.com [Wed, 6 Aug 2014 22:52:08 +0000 (22:52 +0000)]
Silence a debug assertion.

Reviewed by Mark Hahnenberg.

* runtime/JSPropertyNameEnumerator.h:
(JSC::JSPropertyNameEnumerator::cachedStructure):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172181 268f45cc-cd09-0410-ab3c-d52691b4dbfc

burg@cs.washington.edu [Wed, 6 Aug 2014 21:53:17 +0000 (21:53 +0000)]
Web Replay: dispatch timing information should be stored out-of-line in a replay segment
https://bugs.webkit.org/show_bug.cgi?id=135295

Reviewed by Timothy Hatcher.

We need to save a timestamp for each event loop input so that replay can
simulate the original user and network delays. Currently that timestamp
is stored on each EventLoopInput instance.

This patch stores timestamp data in a separate vector attached to the segment.
The event loop input class is now immutable, and new auxiliary data can be added
without adding members to the EventLoopInput class.

As part of the refactoring, InputCursors now keep a reference to the relevant
session segment instead of a reference to their input storage. InputCursors can
be created directly, instead of through ReplaySessionSegment.

No new tests. No behavior was changed.

* inspector/InspectorReplayAgent.cpp:
(WebCore::buildInspectorObjectForInput): Don't send the timestamp with the input.
(WebCore::buildInspectorObjectForSegment):
* inspector/protocol/Replay.json: Remove optional timestamp field for ReplayInput.
* replay/CapturingInputCursor.cpp:
(WebCore::CapturingInputCursor::CapturingInputCursor):
(WebCore::CapturingInputCursor::create):
(WebCore::CapturingInputCursor::storeInput): Save event loop input timings here.
* replay/CapturingInputCursor.h:
* replay/EventLoopInput.h:
(WebCore::EventLoopInputBase::EventLoopInputBase): Deleted.
(WebCore::EventLoopInputBase::timestamp): Deleted.
(WebCore::EventLoopInputBase::setTimestamp): Deleted.
* replay/EventLoopInputDispatcher.cpp: Use a struct for dispatch information.
(WebCore::EventLoopInputDispatcher::EventLoopInputDispatcher):
(WebCore::EventLoopInputDispatcher::dispatchInputSoon):
(WebCore::EventLoopInputDispatcher::dispatchInput):
* replay/EventLoopInputDispatcher.h:
* replay/FunctorInputCursor.h:
(WebCore::FunctorInputCursor::forEachInputInQueue):
(WebCore::FunctorInputCursor::FunctorInputCursor):
* replay/ReplayController.cpp:
(WebCore::ReplayController::createSegment):
(WebCore::ReplayController::loadSegmentAtIndex):
(WebCore::ReplayController::unloadSegment): Deleted.
(WebCore::ReplayController::startPlayback): Deleted.
* replay/ReplaySessionSegment.cpp:
(WebCore::ReplaySessionSegment::createCapturingCursor): Deleted.
(WebCore::ReplaySessionSegment::createReplayingCursor): Deleted.
(WebCore::ReplaySessionSegment::createFunctorCursor): Deleted.
* replay/ReplaySessionSegment.h:
(WebCore::ReplaySessionSegment::storage):
(WebCore::ReplaySessionSegment::eventLoopTimings):
* replay/ReplayingInputCursor.cpp:
(WebCore::ReplayingInputCursor::ReplayingInputCursor):
(WebCore::ReplayingInputCursor::create):
(WebCore::ReplayingInputCursor::uncheckedLoadInput):
(WebCore::ReplayingInputCursor::loadEventLoopInput): Added. This method collates
and returns the next event loop input with its associated dispatch information.
* replay/ReplayingInputCursor.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172180 268f45cc-cd09-0410-ab3c-d52691b4dbfc

timothy_horton@apple.com [Wed, 6 Aug 2014 21:51:50 +0000 (21:51 +0000)]
Document-relative overlays disappear after doing page-cache navigations
https://bugs.webkit.org/show_bug.cgi?id=135669
<rdar://problem/17929171>

Reviewed by Simon Fraser.

* rendering/RenderLayerCompositor.cpp:
(WebCore::RenderLayerCompositor::rootLayerAttachmentChanged):
When navigating from one page to another, the document-relative overlay
layer is moved from the layer tree of the RenderLayerCompositor of the
first RenderView to the layer tree of the RenderLayerCompositor of the
new RenderView, upon layer tree construction.
When going "back" via a page cache navigation, we don't rebuild the
layer tree, and just assume that it is in a valid state.
However, the document-relative overlay layer was *moved*, and as such,
needs to be moved back. To do this, reattach the document-relative
overlay layer whenever the root layer attachment of a RenderLayerCompositor
changes, which will happen in the right order when going back to a cached page.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172179 268f45cc-cd09-0410-ab3c-d52691b4dbfc

fpizlo@apple.com [Wed, 6 Aug 2014 21:43:16 +0000 (21:43 +0000)]
Fix 32-bit build.

* jit/JITOpcodes32_64.cpp:
(JSC::JIT::privateCompileHasIndexedProperty):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172177 268f45cc-cd09-0410-ab3c-d52691b4dbfc

fpizlo@apple.com [Wed, 6 Aug 2014 21:32:55 +0000 (21:32 +0000)]
Merge r171389, r171495, r171508, r171510, r171605, r171606, r171611, r171614, r171763 from ftlopt.

Source/JavaScriptCore:

    2014-07-28  Mark Hahnenberg  <mhahnenberg@apple.com>

    Support for-in in the FTL
    https://bugs.webkit.org/show_bug.cgi?id=134140

    Reviewed by Filip Pizlo.

    * dfg/DFGSSALoweringPhase.cpp:
    (JSC::DFG::SSALoweringPhase::handleNode):
    * ftl/FTLAbstractHeapRepository.cpp:
    * ftl/FTLAbstractHeapRepository.h:
    * ftl/FTLCapabilities.cpp:
    (JSC::FTL::canCompile):
    * ftl/FTLIntrinsicRepository.h:
    * ftl/FTLLowerDFGToLLVM.cpp:
    (JSC::FTL::LowerDFGToLLVM::compileNode):
    (JSC::FTL::LowerDFGToLLVM::compileHasIndexedProperty):
    (JSC::FTL::LowerDFGToLLVM::compileHasGenericProperty):
    (JSC::FTL::LowerDFGToLLVM::compileHasStructureProperty):
    (JSC::FTL::LowerDFGToLLVM::compileGetDirectPname):
    (JSC::FTL::LowerDFGToLLVM::compileGetEnumerableLength):
    (JSC::FTL::LowerDFGToLLVM::compileGetStructurePropertyEnumerator):
    (JSC::FTL::LowerDFGToLLVM::compileGetGenericPropertyEnumerator):
    (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname):
    (JSC::FTL::LowerDFGToLLVM::compileToIndexString):

    2014-07-25  Mark Hahnenberg  <mhahnenberg@apple.com>

    Remove JSPropertyNameIterator
    https://bugs.webkit.org/show_bug.cgi?id=135066

    Reviewed by Geoffrey Garen.

    It has been replaced by JSPropertyNameEnumerator.

    * JavaScriptCore.order:
    * bytecode/BytecodeBasicBlock.cpp:
    (JSC::isBranch):
    * bytecode/BytecodeList.json:
    * bytecode/BytecodeUseDef.h:
    (JSC::computeUsesForBytecodeOffset):
    (JSC::computeDefsForBytecodeOffset):
    * bytecode/CodeBlock.cpp:
    (JSC::CodeBlock::dumpBytecode):
    * bytecode/PreciseJumpTargets.cpp:
    (JSC::getJumpTargetsForBytecodeOffset):
    * bytecompiler/BytecodeGenerator.cpp:
    (JSC::BytecodeGenerator::emitGetPropertyNames): Deleted.
    (JSC::BytecodeGenerator::emitNextPropertyName): Deleted.
    * bytecompiler/BytecodeGenerator.h:
    * interpreter/Interpreter.cpp:
    * interpreter/Register.h:
    * jit/JIT.cpp:
    (JSC::JIT::privateCompileMainPass):
    (JSC::JIT::privateCompileSlowCases):
    * jit/JIT.h:
    * jit/JITOpcodes.cpp:
    (JSC::JIT::emit_op_get_pnames): Deleted.
    (JSC::JIT::emit_op_next_pname): Deleted.
    * jit/JITOpcodes32_64.cpp:
    (JSC::JIT::emit_op_get_pnames): Deleted.
    (JSC::JIT::emit_op_next_pname): Deleted.
    * jit/JITOperations.cpp:
    * jit/JITPropertyAccess.cpp:
    (JSC::JIT::emit_op_get_by_pname): Deleted.
    (JSC::JIT::emitSlow_op_get_by_pname): Deleted.
    * jit/JITPropertyAccess32_64.cpp:
    (JSC::JIT::emit_op_get_by_pname): Deleted.
    (JSC::JIT::emitSlow_op_get_by_pname): Deleted.
    * llint/LLIntOffsetsExtractor.cpp:
    * llint/LLIntSlowPaths.cpp:
    (JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
    * llint/LLIntSlowPaths.h:
    * llint/LowLevelInterpreter.asm:
    * llint/LowLevelInterpreter32_64.asm:
    * llint/LowLevelInterpreter64.asm:
    * runtime/CommonSlowPaths.cpp:
    * runtime/JSPropertyNameIterator.cpp:
    (JSC::JSPropertyNameIterator::JSPropertyNameIterator): Deleted.
    (JSC::JSPropertyNameIterator::create): Deleted.
    (JSC::JSPropertyNameIterator::destroy): Deleted.
    (JSC::JSPropertyNameIterator::get): Deleted.
    (JSC::JSPropertyNameIterator::visitChildren): Deleted.
    * runtime/JSPropertyNameIterator.h:
    (JSC::JSPropertyNameIterator::createStructure): Deleted.
    (JSC::JSPropertyNameIterator::size): Deleted.
    (JSC::JSPropertyNameIterator::setCachedStructure): Deleted.
    (JSC::JSPropertyNameIterator::cachedStructure): Deleted.
    (JSC::JSPropertyNameIterator::setCachedPrototypeChain): Deleted.
    (JSC::JSPropertyNameIterator::cachedPrototypeChain): Deleted.
    (JSC::JSPropertyNameIterator::finishCreation): Deleted.
    (JSC::Register::propertyNameIterator): Deleted.
    (JSC::StructureRareData::enumerationCache): Deleted.
    (JSC::StructureRareData::setEnumerationCache): Deleted.
    * runtime/Structure.cpp:
    (JSC::Structure::addPropertyWithoutTransition):
    (JSC::Structure::removePropertyWithoutTransition):
    * runtime/Structure.h:
    * runtime/StructureInlines.h:
    (JSC::Structure::setEnumerationCache): Deleted.
    (JSC::Structure::enumerationCache): Deleted.
    * runtime/StructureRareData.cpp:
    (JSC::StructureRareData::visitChildren):
    * runtime/StructureRareData.h:
    * runtime/VM.cpp:
    (JSC::VM::VM):

    2014-07-25  Saam Barati  <sbarati@apple.com>

    Fix 32-bit build breakage for type profiling
    https://bugs.webkit.org/process_bug.cgi

    Reviewed by Mark Hahnenberg.

    32-bit builds currently break because global variable IDs for high
    fidelity type profiling are int64_t. Change this to intptr_t so that
    it's 32 bits on 32-bit platforms and 64 bits on 64-bit platforms.

    * bytecode/CodeBlock.cpp:
    (JSC::CodeBlock::CodeBlock):
    (JSC::CodeBlock::scopeDependentProfile):
    * bytecode/TypeLocation.h:
    * runtime/SymbolTable.cpp:
    (JSC::SymbolTable::uniqueIDForVariable):
    (JSC::SymbolTable::uniqueIDForRegister):
    * runtime/SymbolTable.h:
    * runtime/TypeLocationCache.cpp:
    (JSC::TypeLocationCache::getTypeLocation):
    * runtime/TypeLocationCache.h:
    * runtime/VM.h:
    (JSC::VM::getNextUniqueVariableID):

    2014-07-25  Mark Hahnenberg  <mhahnenberg@apple.com>

    Reindent PropertyNameArray.h
    https://bugs.webkit.org/show_bug.cgi?id=135067

    Reviewed by Geoffrey Garen.

    * runtime/PropertyNameArray.h:
    (JSC::RefCountedIdentifierSet::contains):
    (JSC::RefCountedIdentifierSet::size):
    (JSC::RefCountedIdentifierSet::add):
    (JSC::PropertyNameArrayData::create):
    (JSC::PropertyNameArrayData::propertyNameVector):
    (JSC::PropertyNameArrayData::PropertyNameArrayData):
    (JSC::PropertyNameArray::PropertyNameArray):
    (JSC::PropertyNameArray::vm):
    (JSC::PropertyNameArray::add):
    (JSC::PropertyNameArray::addKnownUnique):
    (JSC::PropertyNameArray::operator[]):
    (JSC::PropertyNameArray::setData):
    (JSC::PropertyNameArray::data):
    (JSC::PropertyNameArray::releaseData):
    (JSC::PropertyNameArray::identifierSet):
    (JSC::PropertyNameArray::canAddKnownUniqueForStructure):
    (JSC::PropertyNameArray::size):
    (JSC::PropertyNameArray::begin):
    (JSC::PropertyNameArray::end):
    (JSC::PropertyNameArray::numCacheableSlots):
    (JSC::PropertyNameArray::setNumCacheableSlotsForObject):
    (JSC::PropertyNameArray::setBaseObject):
    (JSC::PropertyNameArray::setPreviouslyEnumeratedLength):

    2014-07-23  Mark Hahnenberg  <mhahnenberg@apple.com>

    Refactor our current implementation of for-in
    https://bugs.webkit.org/show_bug.cgi?id=134142

    Reviewed by Filip Pizlo.

    This patch splits for-in loops into three distinct parts:

    - Iterating over the indexed properties in the base object.
    - Iterating over the Structure properties in the base object.
    - Iterating over any other enumerable properties for that object and any objects in the prototype chain.

    It does this by emitting these explicit loops in bytecode, using a new set of bytecodes to
    support the various operations required for each loop.

    * API/JSCallbackObjectFunctions.h:
    (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
    * JavaScriptCore.xcodeproj/project.pbxproj:
    * bytecode/BytecodeList.json:
    * bytecode/BytecodeUseDef.h:
    (JSC::computeUsesForBytecodeOffset):
    (JSC::computeDefsForBytecodeOffset):
    * bytecode/CallLinkStatus.h:
    (JSC::CallLinkStatus::CallLinkStatus):
    * bytecode/CodeBlock.cpp:
    (JSC::CodeBlock::dumpBytecode):
    (JSC::CodeBlock::CodeBlock):
    * bytecompiler/BytecodeGenerator.cpp:
    (JSC::BytecodeGenerator::emitGetByVal):
    (JSC::BytecodeGenerator::emitComplexPopScopes):
    (JSC::BytecodeGenerator::emitGetEnumerableLength):
    (JSC::BytecodeGenerator::emitHasGenericProperty):
    (JSC::BytecodeGenerator::emitHasIndexedProperty):
    (JSC::BytecodeGenerator::emitHasStructureProperty):
    (JSC::BytecodeGenerator::emitGetStructurePropertyEnumerator):
    (JSC::BytecodeGenerator::emitGetGenericPropertyEnumerator):
    (JSC::BytecodeGenerator::emitNextEnumeratorPropertyName):
    (JSC::BytecodeGenerator::emitToIndexString):
    (JSC::BytecodeGenerator::pushIndexedForInScope):
    (JSC::BytecodeGenerator::popIndexedForInScope):
    (JSC::BytecodeGenerator::pushStructureForInScope):
    (JSC::BytecodeGenerator::popStructureForInScope):
    (JSC::BytecodeGenerator::invalidateForInContextForLocal):
    * bytecompiler/BytecodeGenerator.h:
    (JSC::ForInContext::ForInContext):
    (JSC::ForInContext::~ForInContext):
    (JSC::ForInContext::isValid):
    (JSC::ForInContext::invalidate):
    (JSC::ForInContext::local):
    (JSC::StructureForInContext::StructureForInContext):
    (JSC::StructureForInContext::type):
    (JSC::StructureForInContext::index):
    (JSC::StructureForInContext::property):
    (JSC::StructureForInContext::enumerator):
    (JSC::IndexedForInContext::IndexedForInContext):
    (JSC::IndexedForInContext::type):
    (JSC::IndexedForInContext::index):
    (JSC::BytecodeGenerator::pushOptimisedForIn): Deleted.
    (JSC::BytecodeGenerator::popOptimisedForIn): Deleted.
    * bytecompiler/NodesCodegen.cpp:
    (JSC::ReadModifyResolveNode::emitBytecode):
    (JSC::AssignResolveNode::emitBytecode):
    (JSC::ForInNode::tryGetBoundLocal):
    (JSC::ForInNode::emitLoopHeader):
    (JSC::ForInNode::emitMultiLoopBytecode):
    (JSC::ForInNode::emitBytecode):
    * debugger/DebuggerScope.h:
    * dfg/DFGAbstractHeap.h:
    * dfg/DFGAbstractInterpreterInlines.h:
    (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
    * dfg/DFGByteCodeParser.cpp:
    (JSC::DFG::ByteCodeParser::parseBlock):
    * dfg/DFGCapabilities.cpp:
    (JSC::DFG::capabilityLevel):
    * dfg/DFGClobberize.h:
    (JSC::DFG::clobberize):
    * dfg/DFGDoesGC.cpp:
    (JSC::DFG::doesGC):
    * dfg/DFGFixupPhase.cpp:
    (JSC::DFG::FixupPhase::fixupNode):
    * dfg/DFGHeapLocation.cpp:
    (WTF::printInternal):
    * dfg/DFGHeapLocation.h:
    * dfg/DFGNode.h:
    (JSC::DFG::Node::hasHeapPrediction):
    (JSC::DFG::Node::hasArrayMode):
    * dfg/DFGNodeType.h:
    * dfg/DFGPredictionPropagationPhase.cpp:
    (JSC::DFG::PredictionPropagationPhase::propagate):
    * dfg/DFGSafeToExecute.h:
    (JSC::DFG::safeToExecute):
    * dfg/DFGSpeculativeJIT.h:
    (JSC::DFG::SpeculativeJIT::callOperation):
    * dfg/DFGSpeculativeJIT32_64.cpp:
    (JSC::DFG::SpeculativeJIT::compile):
    * dfg/DFGSpeculativeJIT64.cpp:
    (JSC::DFG::SpeculativeJIT::compile):
    * jit/JIT.cpp:
    (JSC::JIT::privateCompileMainPass):
    (JSC::JIT::privateCompileSlowCases):
    * jit/JIT.h:
    (JSC::JIT::compileHasIndexedProperty):
    (JSC::JIT::emitInt32Load):
    * jit/JITInlines.h:
    (JSC::JIT::emitDoubleGetByVal):
    (JSC::JIT::emitLoadForArrayMode):
    (JSC::JIT::emitContiguousGetByVal):
    (JSC::JIT::emitArrayStorageGetByVal):
    * jit/JITOpcodes.cpp:
    (JSC::JIT::emit_op_get_enumerable_length):
    (JSC::JIT::emit_op_has_structure_property):
    (JSC::JIT::emitSlow_op_has_structure_property):
    (JSC::JIT::emit_op_has_generic_property):
    (JSC::JIT::privateCompileHasIndexedProperty):
    (JSC::JIT::emit_op_has_indexed_property):
    (JSC::JIT::emitSlow_op_has_indexed_property):
    (JSC::JIT::emit_op_get_direct_pname):
    (JSC::JIT::emitSlow_op_get_direct_pname):
    (JSC::JIT::emit_op_get_structure_property_enumerator):
    (JSC::JIT::emit_op_get_generic_property_enumerator):
    (JSC::JIT::emit_op_next_enumerator_pname):
    (JSC::JIT::emit_op_to_index_string):
    * jit/JITOpcodes32_64.cpp:
    (JSC::JIT::emit_op_get_enumerable_length):
    (JSC::JIT::emit_op_has_structure_property):
    (JSC::JIT::emitSlow_op_has_structure_property):
    (JSC::JIT::emit_op_has_generic_property):
    (JSC::JIT::privateCompileHasIndexedProperty):
    (JSC::JIT::emit_op_has_indexed_property):
    (JSC::JIT::emitSlow_op_has_indexed_property):
    (JSC::JIT::emit_op_get_direct_pname):
    (JSC::JIT::emitSlow_op_get_direct_pname):
    (JSC::JIT::emit_op_get_structure_property_enumerator):
    (JSC::JIT::emit_op_get_generic_property_enumerator):
    (JSC::JIT::emit_op_next_enumerator_pname):
    (JSC::JIT::emit_op_to_index_string):
    * jit/JITOperations.cpp:
    * jit/JITOperations.h:
    * jit/JITPropertyAccess.cpp:
    (JSC::JIT::emitDoubleLoad):
    (JSC::JIT::emitContiguousLoad):
    (JSC::JIT::emitArrayStorageLoad):
    (JSC::JIT::emitDoubleGetByVal): Deleted.
    (JSC::JIT::emitContiguousGetByVal): Deleted.
    (JSC::JIT::emitArrayStorageGetByVal): Deleted.
    * jit/JITPropertyAccess32_64.cpp:
    (JSC::JIT::emitContiguousLoad):
    (JSC::JIT::emitDoubleLoad):
    (JSC::JIT::emitArrayStorageLoad):
    (JSC::JIT::emitContiguousGetByVal): Deleted.
    (JSC::JIT::emitDoubleGetByVal): Deleted.
    (JSC::JIT::emitArrayStorageGetByVal): Deleted.
    * llint/LowLevelInterpreter.asm:
    * parser/Nodes.h:
    * runtime/Arguments.cpp:
    (JSC::Arguments::getOwnPropertyNames):
    * runtime/ClassInfo.h:
    * runtime/CommonSlowPaths.cpp:
    (JSC::SLOW_PATH_DECL):
    * runtime/CommonSlowPaths.h:
    * runtime/EnumerationMode.h: Added.
    (JSC::shouldIncludeDontEnumProperties):
    (JSC::shouldExcludeDontEnumProperties):
    (JSC::shouldIncludeJSObjectPropertyNames):
    (JSC::modeThatSkipsJSObject):
    * runtime/JSActivation.cpp:
    (JSC::JSActivation::getOwnNonIndexPropertyNames):
    * runtime/JSArray.cpp:
    (JSC::JSArray::getOwnNonIndexPropertyNames):
    * runtime/JSArrayBuffer.cpp:
    (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
    * runtime/JSArrayBufferView.cpp:
    (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
    * runtime/JSCell.cpp:
    (JSC::JSCell::getEnumerableLength):
    (JSC::JSCell::getStructurePropertyNames):
    (JSC::JSCell::getGenericPropertyNames):
    * runtime/JSCell.h:
    * runtime/JSFunction.cpp:
    (JSC::JSFunction::getOwnNonIndexPropertyNames):
    * runtime/JSGenericTypedArrayViewInlines.h:
    (JSC::JSGenericTypedArrayView<Adaptor>::getOwnNonIndexPropertyNames):
    * runtime/JSObject.cpp:
    (JSC::getClassPropertyNames):
    (JSC::JSObject::hasOwnProperty):
    (JSC::JSObject::getOwnPropertyNames):
    (JSC::JSObject::getOwnNonIndexPropertyNames):
    (JSC::JSObject::getEnumerableLength):
    (JSC::JSObject::getStructurePropertyNames):
    (JSC::JSObject::getGenericPropertyNames):
    * runtime/JSObject.h:
    * runtime/JSPropertyNameEnumerator.cpp: Added.
    (JSC::JSPropertyNameEnumerator::create):
    (JSC::JSPropertyNameEnumerator::JSPropertyNameEnumerator):
    (JSC::JSPropertyNameEnumerator::finishCreation):
    (JSC::JSPropertyNameEnumerator::destroy):
    (JSC::JSPropertyNameEnumerator::visitChildren):
    * runtime/JSPropertyNameEnumerator.h: Added.
    (JSC::JSPropertyNameEnumerator::createStructure):
    (JSC::JSPropertyNameEnumerator::propertyNameAtIndex):
    (JSC::JSPropertyNameEnumerator::identifierSet):
    (JSC::JSPropertyNameEnumerator::cachedPrototypeChain):
    (JSC::JSPropertyNameEnumerator::setCachedPrototypeChain):
    (JSC::JSPropertyNameEnumerator::cachedStructure):
    (JSC::JSPropertyNameEnumerator::cachedStructureID):
    (JSC::JSPropertyNameEnumerator::cachedInlineCapacity):
    (JSC::JSPropertyNameEnumerator::cachedStructureIDOffset):
    (JSC::JSPropertyNameEnumerator::cachedInlineCapacityOffset):
    (JSC::JSPropertyNameEnumerator::cachedPropertyNamesLengthOffset):
    (JSC::JSPropertyNameEnumerator::cachedPropertyNamesVectorOffset):
    (JSC::structurePropertyNameEnumerator):
    (JSC::genericPropertyNameEnumerator):
    * runtime/JSProxy.cpp:
    (JSC::JSProxy::getEnumerableLength):
    (JSC::JSProxy::getStructurePropertyNames):
    (JSC::JSProxy::getGenericPropertyNames):
    * runtime/JSProxy.h:
    * runtime/JSSymbolTableObject.cpp:
    (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
    * runtime/PropertyNameArray.cpp:
    (JSC::PropertyNameArray::add):
    (JSC::PropertyNameArray::setPreviouslyEnumeratedProperties):
    * runtime/PropertyNameArray.h:
    (JSC::RefCountedIdentifierSet::contains):
    (JSC::RefCountedIdentifierSet::size):
    (JSC::RefCountedIdentifierSet::add):
    (JSC::PropertyNameArray::PropertyNameArray):
    (JSC::PropertyNameArray::add):
    (JSC::PropertyNameArray::addKnownUnique):
    (JSC::PropertyNameArray::identifierSet):
    (JSC::PropertyNameArray::canAddKnownUniqueForStructure):
    (JSC::PropertyNameArray::setPreviouslyEnumeratedLength):
    * runtime/RegExpObject.cpp:
    (JSC::RegExpObject::getOwnNonIndexPropertyNames):
    (JSC::RegExpObject::getPropertyNames):
    (JSC::RegExpObject::getGenericPropertyNames):
    * runtime/RegExpObject.h:
    * runtime/StringObject.cpp:
    (JSC::StringObject::getOwnPropertyNames):
    * runtime/Structure.cpp:
    (JSC::Structure::getPropertyNamesFromStructure):
    (JSC::Structure::setCachedStructurePropertyNameEnumerator):
    (JSC::Structure::cachedStructurePropertyNameEnumerator):
    (JSC::Structure::setCachedGenericPropertyNameEnumerator):
    (JSC::Structure::cachedGenericPropertyNameEnumerator):
    (JSC::Structure::canCacheStructurePropertyNameEnumerator):
    (JSC::Structure::canCacheGenericPropertyNameEnumerator):
    (JSC::Structure::canAccessPropertiesQuickly):
    * runtime/Structure.h:
    * runtime/StructureRareData.cpp:
    (JSC::StructureRareData::visitChildren):
    (JSC::StructureRareData::cachedStructurePropertyNameEnumerator):
    (JSC::StructureRareData::setCachedStructurePropertyNameEnumerator):
    (JSC::StructureRareData::cachedGenericPropertyNameEnumerator):
    (JSC::StructureRareData::setCachedGenericPropertyNameEnumerator):
    * runtime/StructureRareData.h:
    * runtime/VM.cpp:
    (JSC::VM::VM):
    * runtime/VM.h:

    2014-07-23  Saam Barati  <sbarati@apple.com>

    Make improvements to Type Profiling
    https://bugs.webkit.org/show_bug.cgi?id=134860

    Reviewed by Filip Pizlo.

    I improved the API between the inspector and JSC. We no longer send one huge
    string to the inspector. We now send structured data that represents the type
    information that JSC has collected. I've also created a beginning implementation
    of a type lattice that allows us to resolve a display name for a type that
    consists of a single word.

    I created a data structure that knows which functions have executed. This
    solves the bug where types inside an un-executed function will resolve
    to the type of the enclosing expression of that function. This data
    structure may also be useful later if the inspector chooses to create a UI
    around showing which functions have executed.

    Better type information is gathered for objects. StructureShape now
    represents an object's prototype chain.  StructureShape also collects
    the constructor name for an object.

    Expression ranges are now zero indexed.

    Removed some extraneous methods.

    * JavaScriptCore.xcodeproj/project.pbxproj:
    * bytecode/CodeBlock.cpp:
    (JSC::CodeBlock::CodeBlock):
    (JSC::CodeBlock::scopeDependentProfile):
    * bytecode/CodeBlock.h:
    * bytecode/TypeLocation.h:
    (JSC::TypeLocation::TypeLocation):
    * bytecode/UnlinkedCodeBlock.cpp:
    (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
    * bytecode/UnlinkedCodeBlock.h:
    (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingStartOffset):
    (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingEndOffset):
    * bytecompiler/BytecodeGenerator.cpp:
    (JSC::BytecodeGenerator::BytecodeGenerator):
    (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo):
    * bytecompiler/BytecodeGenerator.h:
    (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo): Deleted.
    * heap/Heap.cpp:
    (JSC::Heap::collect):
    * inspector/agents/InspectorRuntimeAgent.cpp:
    (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
    (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableAtOffset): Deleted.
    * inspector/agents/InspectorRuntimeAgent.h:
    * inspector/protocol/Runtime.json:
    * runtime/Executable.cpp:
    (JSC::ScriptExecutable::ScriptExecutable):
    (JSC::ProgramExecutable::ProgramExecutable):
    (JSC::FunctionExecutable::FunctionExecutable):
    (JSC::ProgramExecutable::initializeGlobalProperties):
    * runtime/Executable.h:
    (JSC::ScriptExecutable::highFidelityTypeProfilingStartOffset):
    (JSC::ScriptExecutable::highFidelityTypeProfilingEndOffset):
    * runtime/FunctionHasExecutedCache.cpp: Added.
    (JSC::FunctionHasExecutedCache::hasExecutedAtOffset):
    (JSC::FunctionHasExecutedCache::insertUnexecutedRange):
    (JSC::FunctionHasExecutedCache::removeUnexecutedRange):
    * runtime/FunctionHasExecutedCache.h: Added.
    (JSC::FunctionHasExecutedCache::FunctionRange::FunctionRange):
    (JSC::FunctionHasExecutedCache::FunctionRange::operator==):
    (JSC::FunctionHasExecutedCache::FunctionRange::hash):
    * runtime/HighFidelityLog.cpp:
    (JSC::HighFidelityLog::processHighFidelityLog):
    (JSC::HighFidelityLog::actuallyProcessLogThreadFunction): Deleted.
    * runtime/HighFidelityLog.h:
    (JSC::HighFidelityLog::recordTypeInformationForLocation):
    * runtime/HighFidelityTypeProfiler.cpp:
    (JSC::HighFidelityTypeProfiler::logTypesForTypeLocation):
    (JSC::HighFidelityTypeProfiler::insertNewLocation):
    (JSC::HighFidelityTypeProfiler::getTypesForVariableAtOffsetForInspector):
    (JSC::descriptorMatchesTypeLocation):
    (JSC::HighFidelityTypeProfiler::findLocation):
    (JSC::HighFidelityTypeProfiler::getTypesForVariableInAtOffset): Deleted.
    (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableAtOffset): Deleted.
    (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableAtOffset): Deleted.
    * runtime/HighFidelityTypeProfiler.h:
    (JSC::QueryKey::QueryKey):
    (JSC::QueryKey::isHashTableDeletedValue):
    (JSC::QueryKey::operator==):
    (JSC::QueryKey::hash):
    (JSC::QueryKeyHash::hash):
    (JSC::QueryKeyHash::equal):
    (JSC::HighFidelityTypeProfiler::functionHasExecutedCache):
    (JSC::HighFidelityTypeProfiler::typeLocationCache):
    * runtime/Structure.cpp:
    (JSC::Structure::toStructureShape):
    * runtime/Structure.h:
    * runtime/TypeLocationCache.cpp: Added.
    (JSC::TypeLocationCache::getTypeLocation):
    * runtime/TypeLocationCache.h: Added.
    (JSC::TypeLocationCache::LocationKey::LocationKey):
    (JSC::TypeLocationCache::LocationKey::operator==):
    (JSC::TypeLocationCache::LocationKey::hash):
    * runtime/TypeSet.cpp:
    (JSC::TypeSet::getRuntimeTypeForValue):
    (JSC::TypeSet::addTypeForValue):
    (JSC::TypeSet::seenTypes):
    (JSC::TypeSet::doesTypeConformTo):
    (JSC::TypeSet::displayName):
    (JSC::TypeSet::allPrimitiveTypeNames):
    (JSC::TypeSet::allStructureRepresentations):
    (JSC::TypeSet::leastCommonAncestor):
    (JSC::StructureShape::StructureShape):
    (JSC::StructureShape::addProperty):
    (JSC::StructureShape::propertyHash):
    (JSC::StructureShape::leastCommonAncestor):
    (JSC::StructureShape::stringRepresentation):
    (JSC::StructureShape::inspectorRepresentation):
    (JSC::StructureShape::leastUpperBound): Deleted.
    * runtime/TypeSet.h:
    (JSC::StructureShape::setConstructorName):
    (JSC::StructureShape::constructorName):
    (JSC::StructureShape::setProto):
    * runtime/VM.cpp:
    (JSC::VM::dumpHighFidelityProfilingTypes):
    (JSC::VM::getTypesForVariableAtOffset): Deleted.
    (JSC::VM::updateHighFidelityTypeProfileState): Deleted.
    * runtime/VM.h:
    (JSC::VM::isProfilingTypesWithHighFidelity):
    (JSC::VM::highFidelityTypeProfiler):

    2014-07-23  Filip Pizlo  <fpizlo@apple.com>

    Fix debug build.

    * bytecode/CallLinkStatus.h:
    (JSC::CallLinkStatus::CallLinkStatus):

    2014-07-20  Filip Pizlo  <fpizlo@apple.com>

    [ftlopt] Phantoms in SSA form should be aggressively hoisted
    https://bugs.webkit.org/show_bug.cgi?id=135111

    Reviewed by Oliver Hunt.

    In CPS form, Phantom means three things: (1) that the children should be kept alive so long
    as they are relevant to OSR (due to a MovHint), (2) that the children are live-in-bytecode
    at the point of the Phantom, and (3) that some checks should be performed. In SSA, the
    second meaning is not used but the other two stay.

    The fact that a Phantom that is used to keep a node alive could be anywhere in the graph,
    even in a totally different basic block, complicates some SSA transformations. It's not
    possible to just jettison some successor, since that successor could have a Phantom that we
    care about.

    This change rationalizes how Phantoms work so that:

    1) Phantoms keep children alive so long as those children are relevant to OSR. This is true
       in both CPS and SSA. This was true before and it's true now.

    2) Phantoms are used for live-in-bytecode only in CPS. This was true before and it's true
       now, except that now we also don't bother preserving the live-in-bytecode information
       that Phantoms convey, when we are in SSA.

    3) Phantoms may incidentally have checks, but in cases where we only want checks, we now
       use Check instead of Phantom. Notably, DCE phase has dead nodes decay to Check, not
       Phantom.

    The biggest part of this change is that in SSA, we canonicalize Phantoms:

    - All Phantoms are replaced with Check nodes that include only those edges that have
      checks.

    - Nodes that were the children of any Phantoms have a Phantom right after them.

    For example, the following code:

        5: ArithAdd(@1, @2)
        6: ArithSub(@5, @3)
        7: Phantom(Int32:@5)

    would be turned into the following:

        5: ArithAdd(@1, @2)
        8: Phantom(@5) // @5 was the child of a Phantom, so we create a new Phantom right after
                       // @5. This is the only Phantom we will have for @5.
        6: ArithSub(@5, @3)
        7: Check(Int32:@5) // We replace the Phantom with a Check; in this case since Int32: is
                           // a checking edge, we leave it.

    This is a slight speed-up across the board, presumably because we now do a better job of
    reducing the size of the graph during compilation. It could also be a fluke, though. The
    main purpose of this is to unlock some other work (like CFG simplification in SSA). It will
    become a requirement to run phantom canonicalization prior to some SSA phases. None of the
    current phases need it, but future phases probably will.

    * CMakeLists.txt:
    * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
    * JavaScriptCore.xcodeproj/project.pbxproj:
    * dfg/DFGAbstractInterpreterInlines.h:
    (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
    * dfg/DFGConstantFoldingPhase.cpp:
    (JSC::DFG::ConstantFoldingPhase::foldConstants):
    * dfg/DFGDCEPhase.cpp:
    (JSC::DFG::DCEPhase::run):
    (JSC::DFG::DCEPhase::findTypeCheckRoot):
    (JSC::DFG::DCEPhase::countEdge):
    (JSC::DFG::DCEPhase::fixupBlock):
    (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):
    * dfg/DFGEdge.cpp:
    (JSC::DFG::Edge::dump):
    * dfg/DFGEdge.h:
    (JSC::DFG::Edge::isProved):
    (JSC::DFG::Edge::needsCheck): Deleted.
    * dfg/DFGNodeFlags.h:
    * dfg/DFGPhantomCanonicalizationPhase.cpp: Added.
    (JSC::DFG::PhantomCanonicalizationPhase::PhantomCanonicalizationPhase):
    (JSC::DFG::PhantomCanonicalizationPhase::run):
    (JSC::DFG::performPhantomCanonicalization):
    * dfg/DFGPhantomCanonicalizationPhase.h: Added.
    * dfg/DFGPhantomRemovalPhase.cpp:
    (JSC::DFG::PhantomRemovalPhase::run):
    * dfg/DFGPhantomRemovalPhase.h:
    * dfg/DFGPlan.cpp:
    (JSC::DFG::Plan::compileInThreadImpl):
    * ftl/FTLLowerDFGToLLVM.cpp:
    (JSC::FTL::LowerDFGToLLVM::lowJSValue):
    (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):

    2014-07-22  Filip Pizlo  <fpizlo@apple.com>

    [ftlopt] Get rid of structure checks as a way of checking if a function is in fact a function
    https://bugs.webkit.org/show_bug.cgi?id=135146

    Reviewed by Oliver Hunt.

    This greatly simplifies our closure call optimizations by taking advantage of the type
    bits available in the cell header.

    * bytecode/CallLinkInfo.cpp:
    (JSC::CallLinkInfo::visitWeak):
    * bytecode/CallLinkStatus.cpp:
    (JSC::CallLinkStatus::CallLinkStatus):
    (JSC::CallLinkStatus::computeFor):
    (JSC::CallLinkStatus::dump):
    * bytecode/CallLinkStatus.h:
    (JSC::CallLinkStatus::CallLinkStatus):
    (JSC::CallLinkStatus::executable):
    (JSC::CallLinkStatus::structure): Deleted.
    * dfg/DFGByteCodeParser.cpp:
    (JSC::DFG::ByteCodeParser::emitFunctionChecks):
    * dfg/DFGFixupPhase.cpp:
    (JSC::DFG::FixupPhase::fixupNode):
    (JSC::DFG::FixupPhase::observeUseKindOnNode):
    * dfg/DFGSafeToExecute.h:
    (JSC::DFG::SafeToExecuteEdge::operator()):
    * dfg/DFGSpeculativeJIT.cpp:
    (JSC::DFG::SpeculativeJIT::checkArray):
    (JSC::DFG::SpeculativeJIT::speculateCellTypeWithoutTypeFiltering):
    (JSC::DFG::SpeculativeJIT::speculateCellType):
    (JSC::DFG::SpeculativeJIT::speculateFunction):
    (JSC::DFG::SpeculativeJIT::speculateFinalObject):
    (JSC::DFG::SpeculativeJIT::speculate):
    * dfg/DFGSpeculativeJIT.h:
    * dfg/DFGSpeculativeJIT32_64.cpp:
    (JSC::DFG::SpeculativeJIT::compile):
    * dfg/DFGSpeculativeJIT64.cpp:
    (JSC::DFG::SpeculativeJIT::compile):
    * dfg/DFGUseKind.cpp:
    (WTF::printInternal):
    * dfg/DFGUseKind.h:
    (JSC::DFG::typeFilterFor):
    (JSC::DFG::isCell):
    * ftl/FTLCapabilities.cpp:
    (JSC::FTL::canCompile):
    * ftl/FTLLowerDFGToLLVM.cpp:
    (JSC::FTL::LowerDFGToLLVM::compileCheckExecutable):
    (JSC::FTL::LowerDFGToLLVM::speculate):
    (JSC::FTL::LowerDFGToLLVM::isFunction):
    (JSC::FTL::LowerDFGToLLVM::isNotFunction):
    (JSC::FTL::LowerDFGToLLVM::speculateFunction):
    * jit/ClosureCallStubRoutine.cpp:
    (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
    (JSC::ClosureCallStubRoutine::markRequiredObjectsInternal):
    * jit/ClosureCallStubRoutine.h:
    (JSC::ClosureCallStubRoutine::structure): Deleted.
    * jit/JIT.h:
    (JSC::JIT::compileClosureCall): Deleted.
    * jit/JITCall.cpp:
    (JSC::JIT::privateCompileClosureCall): Deleted.
    * jit/JITCall32_64.cpp:
    (JSC::JIT::privateCompileClosureCall): Deleted.
    * jit/JITOperations.cpp:
    * jit/Repatch.cpp:
    (JSC::linkClosureCall):
    * jit/Repatch.h:

Source/WebCore:

    2014-08-06  Mark Hahnenberg  <mhahnenberg@apple.com>

    Refactor our current implementation of for-in
    https://bugs.webkit.org/show_bug.cgi?id=134142

    Reviewed by Filip Pizlo.

    No new tests.

    This patch splits for-in loops into three distinct parts:

    - Iterating over the indexed properties in the base object.
    - Iterating over the Structure properties in the base object.
    - Iterating over any other enumerable properties for that object and any objects in the prototype chain.

    It does this by emitting these explicit loops in bytecode, using a new set of bytecodes to
    support the various operations required for each loop.

    * bindings/js/JSDOMWindowCustom.cpp:
    (WebCore::JSDOMWindow::getEnumerableLength):
    (WebCore::JSDOMWindow::getStructurePropertyNames):
    (WebCore::JSDOMWindow::getGenericPropertyNames):
    * bindings/scripts/CodeGeneratorJS.pm:
    (GenerateHeader):
    * bridge/runtime_array.cpp:
    (JSC::RuntimeArray::getOwnPropertyNames):

Source/WebKit2:

    2014-08-06  Mark Hahnenberg  <mhahnenberg@apple.com>

    Refactor our current implementation of for-in
    https://bugs.webkit.org/show_bug.cgi?id=134142

    Reviewed by Filip Pizlo.

    * WebProcess/Plugins/Netscape/JSNPObject.cpp:
    (WebKit::JSNPObject::invalidate): Fixed an invalid ASSERT that was crashing in debug builds.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172176 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago Set DSYMUTIL_NUM_THREADS to the number of logical cores
dfarler@apple.com [Wed, 6 Aug 2014 20:38:15 +0000 (20:38 +0000)]
Set DSYMUTIL_NUM_THREADS to the number of logical cores
https://bugs.webkit.org/show_bug.cgi?id=135655

Reviewed by Mark Rowe.

.:

* Makefile.shared: Export DSYMUTIL_NUM_THREADS.

Tools:

* Scripts/webkitdirs.pm:
(buildXCodeProject): Set before calling xcodebuild.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172174 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago REGRESSION (WebKit2): iOS Safari default encoding doesn't follow system language
ap@apple.com [Wed, 6 Aug 2014 20:25:00 +0000 (20:25 +0000)]
REGRESSION (WebKit2): iOS Safari default encoding doesn't follow system language
https://bugs.webkit.org/show_bug.cgi?id=135667
<rdar://problem/17862892>

Reviewed by Anders Carlsson.

Source/WebCore:
Moved a function that computes default encoding from WebKit to WebCore, so that
it could be shared with WebKit2.

* WebCore.exp.in:
* platform/ios/WebCoreSystemInterfaceIOS.mm:
* platform/mac/WebCoreSystemInterface.h:
* platform/mac/WebCoreSystemInterface.mm:
* platform/text/TextEncodingRegistry.cpp:
(WebCore::defaultTextEncodingNameForSystemLanguage):
* platform/text/TextEncodingRegistry.h:

Source/WebKit/mac:
* WebView/WebPreferences.mm: (+[WebPreferences _setInitialDefaultTextEncodingToSystemEncoding]):
Moved implementation to WebCore, so that it can be shared with WebKit2.

* WebCoreSupport/WebSystemInterface.mm: (InitWebCoreSystemInterface):
We now use WKGetWebDefaultCFStringEncoding in WebCore, so it needs to be initialized.

Source/WebKit2:
* Shared/WebPreferencesDefinitions.h: Compute the actual proper default, don't
hardcode it to ISO-8859-1 hoping that someone else will correct it later.

* Shared/WebPreferencesStore.cpp: Added an include for WebPreferencesDefinitions.h
macro expansion to compile.

* UIProcess/WebPreferences.cpp: (WebKit::WebPreferences::createWithLegacyDefaults):
Added a FIXME.

* WebProcess/WebCoreSupport/mac/WebSystemInterface.mm: (InitWebCoreSystemInterface):
We now use WKGetWebDefaultCFStringEncoding in WebCore, so it needs to be initialized.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172172 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago HashTable based classes leak a lot
benjamin@webkit.org [Wed, 6 Aug 2014 20:12:14 +0000 (20:12 +0000)]
HashTable based classes leak a lot
https://bugs.webkit.org/show_bug.cgi?id=135638

Reviewed by Darin Adler.

* wtf/HashTable.h:
The operator= taking a rvalue reference was never freeing the memory allocated
for the table of the left hand side object.

This patch fixes the leaks by doing an alloc+swap with a new object.
The object temp gets the reference to m_table, and destroys it in the regular destructor
when going out of scope.

Kudos to Pratik Solanki for finding the leaks.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172167 268f45cc-cd09-0410-ab3c-d52691b4dbfc
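
The leak described in the HashTable commit above, and the alloc+swap fix, shown as an added example that is not WebKit's code. `ToyTable`, `liveBuffers` and the other names are hypothetical stand-ins for a class that owns a raw `m_table` buffer.

```cpp
#include <cstddef>
#include <cstdio>
#include <set>
#include <utility>

// Registry of buffers that are currently allocated, so a leak shows up as an
// entry that survives after every owner has been destroyed.
static std::set<int*>& liveBuffers()
{
    static std::set<int*> buffers;
    return buffers;
}

static int* allocateBuffer(std::size_t size)
{
    int* buffer = new int[size]();
    liveBuffers().insert(buffer);
    return buffer;
}

static void freeBuffer(int* buffer)
{
    if (!buffer)
        return;
    liveBuffers().erase(buffer);
    delete[] buffer;
}

// Hypothetical table class (assumption, not WTF::HashTable). The template
// flag selects the defective or the corrected move assignment.
template <bool LeakyMoveAssign>
class ToyTable {
public:
    explicit ToyTable(std::size_t size)
        : m_table(allocateBuffer(size)), m_size(size) { }

    ToyTable(ToyTable&& other) noexcept
        : m_table(other.m_table), m_size(other.m_size)
    {
        other.m_table = nullptr;
        other.m_size = 0;
    }

    ToyTable(const ToyTable&) = delete;
    ToyTable& operator=(const ToyTable&) = delete;

    ~ToyTable() { freeBuffer(m_table); }

    ToyTable& operator=(ToyTable&& other) noexcept
    {
        if (LeakyMoveAssign) {
            // Defect: the left-hand side's buffer is overwritten without
            // being freed, so nothing owns it any more.
            m_table = other.m_table;
            m_size = other.m_size;
            other.m_table = nullptr;
            other.m_size = 0;
        } else {
            // Fix: move the source into a temporary and swap with it. The
            // temporary now holds the old m_table and frees it in its
            // destructor when it goes out of scope.
            ToyTable temp(std::move(other));
            swap(temp);
        }
        return *this;
    }

    void swap(ToyTable& other) noexcept
    {
        std::swap(m_table, other.m_table);
        std::swap(m_size, other.m_size);
    }

    std::size_t size() const { return m_size; }

private:
    int* m_table;
    std::size_t m_size;
};

// Move-assigns one table onto another, destroys both, and returns how many
// buffers are still allocated with no owner left.
template <bool LeakyMoveAssign>
int leakedBuffersAfterMoveAssign()
{
    {
        ToyTable<LeakyMoveAssign> lhs(8);
        ToyTable<LeakyMoveAssign> rhs(16);
        lhs = std::move(rhs);
    }
    int leaked = static_cast<int>(liveBuffers().size());
    // Reclaim whatever was orphaned so repeated runs start clean.
    while (!liveBuffers().empty())
        freeBuffer(*liveBuffers().begin());
    return leaked;
}

int main()
{
    std::printf("leaky operator=: %d buffer(s) leaked\n", leakedBuffersAfterMoveAssign<true>());
    std::printf("alloc+swap operator=: %d buffer(s) leaked\n", leakedBuffersAfterMoveAssign<false>());
    return 0;
}
```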

6 years ago Remove unused RenderBox::reflectionBox().
akling@apple.com [Wed, 6 Aug 2014 19:21:15 +0000 (19:21 +0000)]
Remove unused RenderBox::reflectionBox().
<https://webkit.org/b/135661>

Reviewed by Antti Koivisto.

* rendering/RenderBox.cpp:
(WebCore::RenderBox::reflectionBox): Deleted.
* rendering/RenderBox.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172165 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago [Win] Build error when OFFICIAL_BUILD != 1.
commit-queue@webkit.org [Wed, 6 Aug 2014 18:48:55 +0000 (18:48 +0000)]
[Win] Build error when OFFICIAL_BUILD != 1.
https://bugs.webkit.org/show_bug.cgi?id=135613

Patch by peavo@outlook.com <peavo@outlook.com> on 2014-08-06
Reviewed by Alex Christensen.

Added python installation as a required step before building on Windows.

* building/tools.html:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172163 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago REGRESSION(r172094): tests fail because Inspector test harness does not include UIString
burg@cs.washington.edu [Wed, 6 Aug 2014 18:32:38 +0000 (18:32 +0000)]
REGRESSION(r172094): tests fail because Inspector test harness does not include UIString
https://bugs.webkit.org/show_bug.cgi?id=135658

Reviewed by Joseph Pecoraro.

* UserInterface/Base/Test.js:
(WebInspector.contentLoaded): Fix brace placement.
(WebInspector.UIString): Added. This is the identity function during testing.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172162 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago Web Inspector: convert ReplayManager to a promise-based API
burg@cs.washington.edu [Wed, 6 Aug 2014 18:30:01 +0000 (18:30 +0000)]
Web Inspector: convert ReplayManager to a promise-based API
https://bugs.webkit.org/show_bug.cgi?id=135249

Reviewed by Timothy Hatcher.

Source/WebCore:

Fix some assertions to match ReplayController's preconditions.

* inspector/InspectorReplayAgent.cpp:
(WebCore::InspectorReplayAgent::replayToPosition):
(WebCore::InspectorReplayAgent::replayToCompletion):

Source/WebInspectorUI:

Convert replay commands to an asynchronous, promise-based API. This addresses
two problems with a synchronous replay API: clients can only use the synchronous
API if session and segment state are exactly correct, and trying to change state
to match this requirement requires chaining multiple commands and events.

The asynchronous API allows clients to issue replay commands with impunity,
as long as they can be unambiguously handled. For example, issuing
pausePlayback() while capturing is not allowed, but issuing startCapturing()
while replaying is allowed. The API also hides implementation details that
are not important, such as steps to unpause or temporarily disable the debugger.

This patch also cleans up uses of promises, such as adding error re-throwing.
It adds return type annotations to public ReplayManager asynchronous methods.

* UserInterface/Controllers/ReplayManager.js:
(WebInspector.ReplayManager.catch):
(WebInspector.ReplayManager):
(WebInspector.ReplayManager.prototype.createSession):
(WebInspector.ReplayManager.prototype.switchSession):
(WebInspector.ReplayManager.prototype.startCapturing):
(WebInspector.ReplayManager.prototype.stopCapturing):
(WebInspector.ReplayManager.prototype.replayToPosition):
(WebInspector.ReplayManager.prototype.replayToCompletion):
(WebInspector.ReplayManager.prototype.sessionCreated.catch): re-throw.
(WebInspector.ReplayManager.prototype.segmentCompleted.catch): re-throw.
(WebInspector.ReplayManager.prototype.segmentCompleted.catch): re-throw.
(WebInspector.ReplayManager.prototype.segmentUnloaded.catch): re-throw.
(WebInspector.ReplayManager.prototype.sessionCreated.catech): re-throw.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172161 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago [Mac] Unable to scroll to bottom of nested scrollable areas
bfulgham@apple.com [Wed, 6 Aug 2014 18:25:08 +0000 (18:25 +0000)]
[Mac] Unable to scroll to bottom of nested scrollable areas
https://bugs.webkit.org/show_bug.cgi?id=135637
<rdar://problem/17910241>

Reviewed by Zalan Bujtas.

Source/WebCore:

Test: platform/mac/fast/scrolling/scroll-latched-nested-div.html

Avoid truncating the fractional portion of scroll ranges.

* rendering/RenderLayer.cpp:
(WebCore::RenderLayer::updateScrollbarsAfterLayout): Round
the LayoutUnit values for scroll width and height rather than
truncating.

LayoutTests:

* platform/mac/fast/scrolling/scroll-latched-nested-div-expected.txt: Added.
* platform/mac/fast/scrolling/scroll-latched-nested-div.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172160 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago [iOS] QuickLook returns an invalid MIME type for some documents
aestes@apple.com [Wed, 6 Aug 2014 18:18:14 +0000 (18:18 +0000)]
[iOS] QuickLook returns an invalid MIME type for some documents
https://bugs.webkit.org/show_bug.cgi?id=135651

Reviewed by David Kilzer.

r172151 ensured that we ignore QuickLook delegate messages after an error, but neglected to do so for
connectionDidFinishLoading:. Do not call ResourceLoader::didFinishLoading() if an error has occurred.

* platform/network/ios/QuickLook.mm:
(-[WebResourceLoaderQuickLookDelegate connectionDidFinishLoading:]):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172159 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago Web Inspector: protocol command invocations should return a promise if no callback...
burg@cs.washington.edu [Wed, 6 Aug 2014 17:59:06 +0000 (17:59 +0000)]
Web Inspector: protocol command invocations should return a promise if no callback is supplied
https://bugs.webkit.org/show_bug.cgi?id=130702

Reviewed by Timothy Hatcher.

Source/WebInspectorUI:

This allows the trailing Agent.command.promise(args) to be dropped in favor of just
Agent.command(args). It should make it a bit easier to convert code to use promises.

Test: LayoutTests/inspector/protocol-promise-result.html

* UserInterface/Controllers/ReplayManager.js: Drop use of .promise().
* UserInterface/Controllers/TimelineManager.js: Drop use of .promise().
(WebInspector.TimelineManager.prototype.startCapturing):
* UserInterface/Protocol/InspectorBackend.js:
(.callable): Redirect to the promise entry point if the last argument isn't a function.
(InspectorBackend.Command.create):

LayoutTests:

Add a test for receiving protocol command results through an explicit callback,
via the .promise() entry point, and via an implicitly created promise.

* inspector/protocol-promise-result-expected.txt: Added.
* inspector/protocol-promise-result.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172158 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago Unreviewed, rolling out r172155.
commit-queue@webkit.org [Wed, 6 Aug 2014 17:57:47 +0000 (17:57 +0000)]
Unreviewed, rolling out r172155.
https://bugs.webkit.org/show_bug.cgi?id=135659

ChangeLog and commit message are wrong (Requested by estes on
#webkit).

Reverted changeset:

"Unreviewed, rolling out r172145."
https://bugs.webkit.org/show_bug.cgi?id=135657
http://trac.webkit.org/changeset/172155

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172157 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago Unreviewed build fix
mmaxfield@apple.com [Wed, 6 Aug 2014 17:53:50 +0000 (17:53 +0000)]
Unreviewed build fix

* rendering/TextPainter.cpp: Used incorrect variable name

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172156 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago Unreviewed, rolling out r172145.
aestes@apple.com [Wed, 6 Aug 2014 17:46:37 +0000 (17:46 +0000)]
Unreviewed, rolling out r172145.
https://bugs.webkit.org/show_bug.cgi?id=135657

caused 1 API test to fail (Requested by zalan on #webkit).

Reverted changeset:

"Cleanup InlineTextBox::paintSelection and
::localSelectionRect."
https://bugs.webkit.org/show_bug.cgi?id=135631
http://trac.webkit.org/changeset/172145

Patch by Commit Queue <commit-queue@webkit.org> on 2014-08-06

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172155 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago Unreviewed, rolling out r172145.
commit-queue@webkit.org [Wed, 6 Aug 2014 17:44:57 +0000 (17:44 +0000)]
Unreviewed, rolling out r172145.
https://bugs.webkit.org/show_bug.cgi?id=135657

caused 1 API test to fail (Requested by zalan on #webkit).

Reverted changeset:

"Cleanup InlineTextBox::paintSelection and
::localSelectionRect."
https://bugs.webkit.org/show_bug.cgi?id=135631
http://trac.webkit.org/changeset/172145

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172154 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago Text-shadow with (0, 0) offset and radius = 0 is ugly
mmaxfield@apple.com [Wed, 6 Aug 2014 17:35:59 +0000 (17:35 +0000)]
Text-shadow with (0, 0) offset and radius = 0 is ugly
https://bugs.webkit.org/show_bug.cgi?id=135357

Reviewed by Darin Adler.

Source/WebCore:

Instead, check for this kind of shadow and don't draw it.

Test: fast/text/empty-shadow.html

* rendering/TextPainter.cpp:
(WebCore::isEmptyShadow): Does a shadow match these criteria?
(WebCore::paintTextWithShadows): If so, don't draw it.

LayoutTests:

Check that this kind of shadow ends up invisible.

* fast/text/empty-shadow-expected.html: Added
* fast/text/empty-shadow.html: Added

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172153 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago [ARM] Incorrect handling of Unicode characters
dbatyai.u-szeged@partner.samsung.com [Wed, 6 Aug 2014 17:27:41 +0000 (17:27 +0000)]
[ARM] Incorrect handling of Unicode characters
https://bugs.webkit.org/show_bug.cgi?id=135380

Reviewed by Darin Adler.

Removed erroneous fast case from stringFromUTF(), since it assumed that
char is always implemented as signed.

* jsc.cpp:
(stringFromUTF):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172152 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago [iOS] QuickLook returns an invalid MIME type for some documents
aestes@apple.com [Wed, 6 Aug 2014 17:23:04 +0000 (17:23 +0000)]
[iOS] QuickLook returns an invalid MIME type for some documents
https://bugs.webkit.org/show_bug.cgi?id=135651

Reviewed by David Kilzer.

In some cases QuickLook indicates a failure by returning a nil MIME type in -[QLPreviewConverter previewResponse]
rather than calling connection:didFailWithError:. Calling ResourceLoader::didReceiveResponse() with a response
containing a nil MIME type leads to a crash.

Stop loading the resource and display an error page if QuickLook cannot provide a MIME type for the converted response.

No new tests. QuickLook is not testable from WebKit.

* platform/network/ios/QuickLook.mm:
(-[WebResourceLoaderQuickLookDelegate _sendDidReceiveResponseIfNecessary]): Called ResourceLoader::didFail() if
MIME type was nil. Called ResourceLoader::didReceiveResponse() otherwise.
(-[WebResourceLoaderQuickLookDelegate connection:didReceiveDataArray:]): Called -_sendDidReceiveResponseIfNecessary.
(-[WebResourceLoaderQuickLookDelegate connection:didReceiveData:lengthReceived:]): Ditto.
(-[WebResourceLoaderQuickLookDelegate connection:didFailWithError:]): Ditto.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172151 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago [CSSRegions] Move full screen tests into fast/regions/fullscreen
mihnea@adobe.com [Wed, 6 Aug 2014 16:02:33 +0000 (16:02 +0000)]
[CSSRegions] Move full screen tests into fast/regions/fullscreen
https://bugs.webkit.org/show_bug.cgi?id=135650

Reviewed by Andrei Bucur.

Move files and adjust paths accordingly.

* fast/regions/fullscreen/full-screen-video-from-region-expected.txt: Renamed from LayoutTests/fast/regions/full-screen-video-from-region-expected.txt.
* fast/regions/fullscreen/full-screen-video-from-region.html: Renamed from LayoutTests/fast/regions/full-screen-video-from-region.html.
* fast/regions/fullscreen/full-screen-video-in-region-crash-expected.txt: Renamed from LayoutTests/fast/regions/full-screen-video-in-region-crash-expected.txt.
* fast/regions/fullscreen/full-screen-video-in-region-crash.html: Renamed from LayoutTests/fast/regions/full-screen-video-in-region-crash.html.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172150 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago [JSC] Build fix for FTL on EFL after ftlopt merge
dbatyai.u-szeged@partner.samsung.com [Wed, 6 Aug 2014 15:44:57 +0000 (15:44 +0000)]
[JSC] Build fix for FTL on EFL after ftlopt merge
https://bugs.webkit.org/show_bug.cgi?id=135565

Reviewed by Mark Lam.

Source/JavaScriptCore:

Adding an enable guard for native inlining, since it now requires the bitcode
emitted from Clang, and we don't have a good way of creating it from other compilers.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleCall):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
* ftl/FTLState.cpp:
(JSC::FTL::State::State):
* ftl/FTLState.h:

Source/WTF:

Added ENABLE(FTL_NATIVE_CALL_INLINING).

* wtf/Platform.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172149 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago [CSSRegions] Move parsing tests into fast/regions/parsing
mihnea@adobe.com [Wed, 6 Aug 2014 15:09:52 +0000 (15:09 +0000)]
[CSSRegions] Move parsing tests into fast/regions/parsing
https://bugs.webkit.org/show_bug.cgi?id=135649

Reviewed by Andrei Bucur.

Move files and adjust file paths.

* fast/regions/parsing/webkit-flow-from-parsing-expected.txt: Renamed from LayoutTests/fast/regions/webkit-flow-from-parsing-expected.txt.
* fast/regions/parsing/webkit-flow-from-parsing.html: Added.
* fast/regions/parsing/webkit-flow-into-parsing-expected.txt: Renamed from LayoutTests/fast/regions/webkit-flow-into-parsing-expected.txt.
* fast/regions/parsing/webkit-flow-into-parsing.html: Renamed from LayoutTests/fast/regions/webkit-flow-into-parsing.html.
* fast/regions/parsing/webkit-region-fragment-parsing-expected.txt: Renamed from LayoutTests/fast/regions/webkit-region-fragment-parsing-expected.txt.
* fast/regions/parsing/webkit-region-fragment-parsing.html: Added.
* fast/regions/webkit-flow-from-parsing.html: Removed.
* fast/regions/webkit-region-fragment-parsing.html: Removed.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172148 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago [GTK] Add support for user scripts to WebKitUserContentManager
commit-queue@webkit.org [Wed, 6 Aug 2014 15:07:08 +0000 (15:07 +0000)]
[GTK] Add support for user scripts to WebKitUserContentManager
https://bugs.webkit.org/show_bug.cgi?id=134738

Patch by Adrian Perez de Castro <aperez@igalia.com> on 2014-08-06
Reviewed by Carlos Garcia Campos.

Add support for user scripts, to complement the user style sheet
support already present in WebKitUserContentManager. Most of the
moving parts are already present, so this just adds a boxed type
for user scripts (WebKitUserScript) and the corresponding methods
to add and remove scripts from the WebKitUserContentManager.

Source/WebKit2:

* UIProcess/API/gtk/WebKitUserContent.cpp: Add a WebKitUserScript
boxed type and its corresponding methods and enums.
(toUserScriptInjectionTime): Needed to convert
WebKitUserScriptInjectionTime values into its WebCore counterparts.
(_WebKitUserScript::_WebKitUserScript): Added.
(_WebKitUserScript::referenceCount): Ditto.
(webkit_user_script_ref):
(webkit_user_script_unref):
(webkit_user_script_new):
(webkitUserScriptGetUserScript): Internal method to obtain the
boxed WebCore::UserScript value.
* UIProcess/API/gtk/WebKitUserContent.h: Add the new public API
methods.
* UIProcess/API/gtk/WebKitUserContentManager.cpp: Implement the
methods for adding and removing user scripts.
(webkit_user_content_manager_add_script):
(webkit_user_content_manager_remove_all_scripts):
* UIProcess/API/gtk/WebKitUserContentManager.h: Add the new public
API methods.
* UIProcess/API/gtk/WebKitUserContentPrivate.h: Add the definition
for the new private function.
* UIProcess/API/gtk/docs/webkit2gtk-sections.txt: Include the
new public methods in the API documentation.

Tools:

* TestWebKitAPI/Tests/WebKit2Gtk/TestWebKitUserContentManager.cpp:
Add test case for injected user scripts.
(isScriptInjectedForURLAtPath):
(removeOldInjectedContentAndResetLists):
(testUserContentManagerInjectedStyleSheet):
(testUserContentManagerInjectedScript):
(beforeAll):
(removeOldInjectedStyleSheetsAndResetLists): Deleted.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172147 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago REGRESSION (r163382): Overflow hidden for inner elements breaks blurring
stavila@adobe.com [Wed, 6 Aug 2014 15:06:08 +0000 (15:06 +0000)]
REGRESSION (r163382): Overflow hidden for inner elements breaks blurring
https://bugs.webkit.org/show_bug.cgi?id=135318

Reviewed by Zalan Bujtas.

Source/WebCore:

For elements with border radius, clipping must be applied using clipRoundedRect.
This regressed in r163382, when normal clipping started being applied also
for elements having border radius.

Test: fast/filter-image/clipped-filter.html

* rendering/RenderLayer.cpp:
(WebCore::RenderLayer::clipToRect):
(WebCore::RenderLayer::restoreClip):

LayoutTests:

Added test for filter applied on an element overflowing its parent, which has overflow:hidden.

* fast/filter-image/clipped-filter-expected.html: Added.
* fast/filter-image/clipped-filter.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172146 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago Cleanup InlineTextBox::paintSelection and ::localSelectionRect.
zalan@apple.com [Wed, 6 Aug 2014 15:04:09 +0000 (15:04 +0000)]
Cleanup InlineTextBox::paintSelection and ::localSelectionRect.
https://bugs.webkit.org/show_bug.cgi?id=135631

Reviewed by Darin Adler.

Covered by existing tests.

* rendering/InlineTextBox.cpp: Ideally these 2 functions should share some more code.
(WebCore::InlineTextBox::localSelectionRect): Local coordinates should not be snapped/enclosed.
This change could potentially break some selections. Should that be the case, they need to be addressed
separately.
(WebCore::InlineTextBox::paint):
(WebCore::InlineTextBox::paintSelection): Minor cleanup.
* rendering/InlineTextBox.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172145 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago [GTK] Be able to disable gtk2 dependency
carlosgc@webkit.org [Wed, 6 Aug 2014 15:01:29 +0000 (15:01 +0000)]
[GTK] Be able to disable gtk2 dependency
https://bugs.webkit.org/show_bug.cgi?id=135505

Reviewed by Gustavo Noronha Silva.

.:

Add ENABLE_PLUGIN_PROCESS_GTK2 compile option. GTK+2 is only
required when it's enabled. It's enabled by default.

* Source/cmake/OptionsGTK.cmake:

Source/WebCore:

Do not build WebCorePlatformGTK2 when ENABLE_PLUGIN_PROCESS_GTK2
is OFF.

* PlatformGTK.cmake:

Source/WebKit2:

* PlatformGTK.cmake: Only build WebKitPluginProcess2 when
ENABLE_PLUGIN_PROCESS_GTK2 is ON.
* UIProcess/Launcher/gtk/ProcessLauncherGtk.cpp:
(WebKit::ProcessLauncher::launchProcess): Do not try to launch
WebKitPluginProcess2 executable when ENABLE_PLUGIN_PROCESS_GTK2 is OFF.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172144 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago Gardening: fix bindings test breakage for r170564 merged in r172129.
mark.lam@apple.com [Wed, 6 Aug 2014 13:45:43 +0000 (13:45 +0000)]
Gardening: fix bindings test breakage for r170564 merged in r172129.
<https://webkit.org/b/134333>

Not reviewed.

No new tests.

* bindings/scripts/test/JS/JSTestEventTarget.h:
(WebCore::JSTestEventTarget::create):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172143 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago [GTK] Rename translation domain to WebKit2GTK-4.0
berto@igalia.com [Wed, 6 Aug 2014 13:36:25 +0000 (13:36 +0000)]
[GTK] Rename translation domain to WebKit2GTK-4.0
https://bugs.webkit.org/show_bug.cgi?id=135646

Reviewed by Carlos Garcia Campos.

* CMakeLists.txt:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172142 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago [CSSRegions] Move selection tests under fast/regions/selection
mihnea@adobe.com [Wed, 6 Aug 2014 11:13:07 +0000 (11:13 +0000)]
[CSSRegions] Move selection tests under fast/regions/selection
https://bugs.webkit.org/show_bug.cgi?id=135641

Reviewed by Andrei Bucur.

Move selection related tests under fast/regions/selection.

* fast/regions/selection/selection-gaps-paint-crash-expected.txt: Renamed from LayoutTests/fast/regions/selection-gaps-paint-crash-expected.txt.
* fast/regions/selection/selection-gaps-paint-crash.html: Renamed from LayoutTests/fast/regions/selection-gaps-paint-crash.html.
* fast/regions/selection/selection-in-overflow-expected.html: Renamed from LayoutTests/fast/regions/selection-in-overflow-expected.html.
* fast/regions/selection/selection-in-overflow-hit-testing-expected.html: Renamed from LayoutTests/fast/regions/selection-in-overflow-hit-testing-expected.html.
* fast/regions/selection/selection-in-overflow-hit-testing.html: Renamed from LayoutTests/fast/regions/selection-in-overflow-hit-testing.html.
* fast/regions/selection/selection-in-overflow.html: Renamed from LayoutTests/fast/regions/selection-in-overflow.html.
* fast/regions/selection/selection-in-text-after-overflow-hit-testing-expected.html: Renamed from LayoutTests/fast/regions/selection-in-text-after-overflow-hit-testing-expected.html.
* fast/regions/selection/selection-in-text-after-overflow-hit-testing.html: Renamed from LayoutTests/fast/regions/selection-in-text-after-overflow-hit-testing.html.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172141 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago [CSSRegions] Move auto-height tests into fast/regions/auto-size
mihnea@adobe.com [Wed, 6 Aug 2014 11:00:05 +0000 (11:00 +0000)]
[CSSRegions] Move auto-height tests into fast/regions/auto-size
https://bugs.webkit.org/show_bug.cgi?id=135645

Reviewed by Andrei Bucur.

* fast/regions/auto-size/region-height-auto-to-defined-expected.txt: Renamed from LayoutTests/fast/regions/region-height-auto-to-defined-expected.txt.
* fast/regions/auto-size/region-height-auto-to-defined.html: Renamed from LayoutTests/fast/regions/region-height-auto-to-defined.html.
* fast/regions/auto-size/region-height-defined-to-auto-expected.txt: Renamed from LayoutTests/fast/regions/region-height-defined-to-auto-expected.txt.
* fast/regions/auto-size/region-height-defined-to-auto.html: Renamed from LayoutTests/fast/regions/region-height-defined-to-auto.html.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172140 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago [GTK] run-launcher --gtk still fails
commit-queue@webkit.org [Wed, 6 Aug 2014 10:50:32 +0000 (10:50 +0000)]
[GTK] run-launcher --gtk still fails
https://bugs.webkit.org/show_bug.cgi?id=135642

Patch by Philippe Normand <pnormand@igalia.com> on 2014-08-06
Reviewed by Carlos Garcia Campos.

The perl interpreter is confused by the combination of string
concatenation and a ternary in the same line. Using a separate
variable to determine the library file extension fixes this issue.

* Scripts/webkitdirs.pm:
(builtDylibPathForName): Use an intermediate variable, it's more
readable and unambiguous.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172139 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago Unreviewed typo correction.
ryuan.choi@samsung.com [Wed, 6 Aug 2014 10:10:54 +0000 (10:10 +0000)]
Unreviewed typo correction.

* bindings/scripts/CodeGeneratorJS.pm: removed unnecessary space.
(GenerateImplementation):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172138 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago URTBF after r172129. (ftlopt branch merge)
ossy@webkit.org [Wed, 6 Aug 2014 06:53:10 +0000 (06:53 +0000)]
URTBF after r172129. (ftlopt branch merge)

Remove the duplicated friend declaration to fix this build failure:
"error: ‘JSC::Structure’ is already a friend of ‘JSC::StructureRareData’ [-Werror]"

* runtime/StructureRareData.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172137 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago Web Inspector: AXI: Add label string once AccessibilityObject::computedLabel() is...
jcraig@apple.com [Wed, 6 Aug 2014 06:21:03 +0000 (06:21 +0000)]
Web Inspector: AXI: Add label string once AccessibilityObject::computedLabel() is available
https://bugs.webkit.org/show_bug.cgi?id=129940

Reviewed by Chris Fleizach.

Source/WebCore:

Test: inspector-protocol/dom/getAccessibilityPropertiesForNode-expected.txt

* accessibility/AccessibilityObject.cpp: Fixed crash.
(WebCore::AccessibilityObject::accessibilityComputedLabel):
* accessibility/AccessibilityObject.h: Method name update.
* inspector/InspectorDOMAgent.cpp: New support for getting Node label from AccessibilityObject.
(WebCore::InspectorDOMAgent::buildObjectForAccessibilityProperties):

Source/WebInspectorUI:

* UserInterface/Views/DOMNodeDetailsSidebarPanel.js: UI update for label field in Node Inspector.
(WebInspector.DOMNodeDetailsSidebarPanel.prototype._refreshAccessibility):

LayoutTests:

* inspector-protocol/dom/getAccessibilityPropertiesForNode-expected.txt: LayoutTest expectation update.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172136 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago Attempt to fix CMake-based builds, part 3.
fpizlo@apple.com [Wed, 6 Aug 2014 06:14:48 +0000 (06:14 +0000)]
Attempt to fix CMake-based builds, part 3.

* CMakeLists.txt:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172135 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago Attempt to fix CMake-based builds, part 2.
fpizlo@apple.com [Wed, 6 Aug 2014 06:09:55 +0000 (06:09 +0000)]
Attempt to fix CMake-based builds, part 2.

* CMakeLists.txt:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172134 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago Attempt to fix Windows build, part 2.
fpizlo@apple.com [Wed, 6 Aug 2014 06:06:57 +0000 (06:06 +0000)]
Attempt to fix Windows build, part 2.

* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172133 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago Attempt to fix CMake-based builds.
fpizlo@apple.com [Wed, 6 Aug 2014 06:03:50 +0000 (06:03 +0000)]
Attempt to fix CMake-based builds.

* CMakeLists.txt:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172132 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago Attempt to fix Windows build.
fpizlo@apple.com [Wed, 6 Aug 2014 06:02:27 +0000 (06:02 +0000)]
Attempt to fix Windows build.

* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172131 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago Fix cloop build.
fpizlo@apple.com [Wed, 6 Aug 2014 05:55:39 +0000 (05:55 +0000)]
Fix cloop build.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::jettison):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172130 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago Merge r170564, r170571, r170604, r170628, r170672, r170680, r170724, r170728, r170729...
fpizlo@apple.com [Wed, 6 Aug 2014 05:27:46 +0000 (05:27 +0000)]
Merge r170564, r170571, r170604, r170628, r170672, r170680, r170724, r170728, r170729, r170819, r170821, r170836, r170855, r170860, r170890, r170907, r170929, r171052, r171106, r171152, r171153, r171214 from ftlopt.

Source/JavaScriptCore:

This part of the merge delivers roughly a 2% across-the-board performance
improvement, mostly due to immutable property inference and DFG-side GCSE. It also
almost completely resolves accessor performance issues; in the common case the DFG
will compile a getter/setter access into code that is just as efficient as a normal
property access.

Another major highlight of this part of the merge is the work to add a type profiler
to the inspector. This work is still on-going but this greatly increases coverage.

Note that this merge fixes a minor bug in the GetterSetter refactoring from
http://trac.webkit.org/changeset/170729 (https://bugs.webkit.org/show_bug.cgi?id=134518).
It also adds a new tests to tests/stress to cover that bug. That bug was previously only
covered by layout tests.

    2014-07-17  Filip Pizlo  <fpizlo@apple.com>

    [ftlopt] DFG Flush(SetLocal) store elimination is overzealous for captured variables in the presence of nodes that have no effects but may throw (merge trunk r171190)
    https://bugs.webkit.org/show_bug.cgi?id=135019

    Reviewed by Oliver Hunt.

    Behaviorally, this is just a merge of trunk r171190, except that the relevant functionality
    has moved to StrengthReductionPhase and is written in a different style. Same algorithm,
    different code.

    * dfg/DFGNodeType.h:
    * dfg/DFGStrengthReductionPhase.cpp:
    (JSC::DFG::StrengthReductionPhase::handleNode):
    * tests/stress/capture-escape-and-throw.js: Added.
    (foo.f):
    (foo):
    * tests/stress/new-array-with-size-throw-exception-and-tear-off-arguments.js: Added.
    (foo):
    (bar):

    2014-07-15  Filip Pizlo  <fpizlo@apple.com>

    [ftlopt] Constant fold GetGetter and GetSetter if the GetterSetter is a constant
    https://bugs.webkit.org/show_bug.cgi?id=134962

    Reviewed by Oliver Hunt.

    This removes yet another steady-state-throughput implication of using getters and setters:
    if your accessor call is monomorphic then you'll just get a structure check, nothing more.
    No more loads to get to the GetterSetter object or the accessor function object.

    * dfg/DFGAbstractInterpreterInlines.h:
    (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
    * runtime/GetterSetter.h:
    (JSC::GetterSetter::getterConcurrently):
    (JSC::GetterSetter::setGetter):
    (JSC::GetterSetter::setterConcurrently):
    (JSC::GetterSetter::setSetter):

    2014-07-15  Filip Pizlo  <fpizlo@apple.com>

    [ftlopt] Identity replacement in CSE shouldn't create a Phantom over the Identity's children
    https://bugs.webkit.org/show_bug.cgi?id=134893

    Reviewed by Oliver Hunt.

    Replace Identity with Check instead of Phantom. Phantom means that the child of the
    Identity should be unconditionally live. The liveness semantics of Identity are such that
    if the parents of Identity are live then the child is live. Removing the Identity entirely
    preserves such liveness semantics. So, the only thing that should be left behind is the
    type check on the child, which is what Check means: do the check but don't keep the child
    alive if the check isn't needed.

    * dfg/DFGCSEPhase.cpp:
    * dfg/DFGNode.h:
    (JSC::DFG::Node::convertToCheck):

    2014-07-13  Filip Pizlo  <fpizlo@apple.com>

    [ftlopt] DFG should be able to do GCSE in SSA and this should be unified with the CSE in CPS, and both of these things should use abstract heaps for reasoning about effects
    https://bugs.webkit.org/show_bug.cgi?id=134677

    Reviewed by Sam Weinig.

    This removes the old local CSE phase, which was based on manually written backward-search
    rules for all of the different kinds of things we cared about, and adds a new local/global
    CSE (local for CPS and global for SSA) that leaves the node semantics almost entirely up to
    clobberize(). Thus, the CSE phase itself just worries about the algorithms and data
    structures used for storing sets of available values. This results in a large reduction in
    code size in CSEPhase.cpp while greatly increasing the phase's power (since it now does
    global CSE) and reducing compile time (since local CSE is now rewritten to use smarter data
    structures). Even though LLVM was already running GVN, the extra GCSE at DFG IR level means
    that this is a significant (~0.7%) throughput improvement.

    This work is based on the concept of "def" to clobberize(). If clobberize() calls def(), it
    means that the node being analyzed makes available some value in some DFG node, and that
    future attempts to compute that value can simply use that node. In other words, it
    establishes an available value mapping of the form value=>node. There are two kinds of
    values that can be passed to def():

    PureValue. This captures everything needed to determine whether two pure nodes - nodes that
        neither read nor write, and produce a value that is a CSE candidate - are identical. It
        carries the NodeType, an AdjacencyList, and one word of meta-data. The meta-data is
        usually used for things like the arithmetic mode or constant pointer. Passing a
        PureValue to def() means that the node produces a value that is valid anywhere that the
        node dominates.

    HeapLocation. This describes a location in the heap that could be written to or read from.
        Both stores and loads can def() a HeapLocation. HeapLocation carries around an abstract
        heap that both serves as part of the "name" of the heap location (together with the
        other fields of HeapLocation) and also tells us what write()'s to watch for. If someone
        write()'s to an abstract heap that overlaps the heap associated with the HeapLocation,
        then it means that the values for that location are no longer available.

    This approach is sufficiently clever that the CSEPhase itself can focus on the mechanism of
    tracking the PureValue=>node and HeapLocation=>node maps, without having to worry about
    interpreting the semantics of different DFG node types - that is now almost entirely in
    clobberize(). The only things we special-case inside CSEPhase are the Identity node, which
    CSE is traditionally responsible for eliminating even though it has nothing to do with CSE,
    and the LocalCSE rule for turning PutByVal into PutByValAlias.

    This is a slight Octane, SunSpider, and Kraken speed-up - all somewhere around 0.7%. It's
    not a bigger win because LLVM was already giving us most of what we needed in its GVN.
    Also, the SunSpider speed-up isn't from GCSE as much as it's a clean-up of local CSE - that
    is no longer O(n^2). Basically this is purely good: it reduces the amount of LLVM IR we
    generate, it removes the old CSE's heap modeling (which was a constant source of bugs), and
    it improves both the quality of the code we generate and the speed with which we generate
    it. Also, any future optimizations that depend on GCSE will now be easier to implement.

    During the development of this patch I also rationalized some other stuff, like Graph's
    ordered traversals - we now have preorder and postorder rather than just "depth first".

    * CMakeLists.txt:
    * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
    * JavaScriptCore.xcodeproj/project.pbxproj:
    * dfg/DFGAbstractHeap.h:
    * dfg/DFGAdjacencyList.h:
    (JSC::DFG::AdjacencyList::hash):
    (JSC::DFG::AdjacencyList::operator==):
    * dfg/DFGBasicBlock.h:
    * dfg/DFGCSEPhase.cpp:
    (JSC::DFG::performLocalCSE):
    (JSC::DFG::performGlobalCSE):
    (JSC::DFG::CSEPhase::CSEPhase): Deleted.
    (JSC::DFG::CSEPhase::run): Deleted.
    (JSC::DFG::CSEPhase::endIndexForPureCSE): Deleted.
    (JSC::DFG::CSEPhase::pureCSE): Deleted.
    (JSC::DFG::CSEPhase::constantCSE): Deleted.
    (JSC::DFG::CSEPhase::constantStoragePointerCSE): Deleted.
    (JSC::DFG::CSEPhase::getCalleeLoadElimination): Deleted.
    (JSC::DFG::CSEPhase::getArrayLengthElimination): Deleted.
    (JSC::DFG::CSEPhase::globalVarLoadElimination): Deleted.
    (JSC::DFG::CSEPhase::scopedVarLoadElimination): Deleted.
    (JSC::DFG::CSEPhase::varInjectionWatchpointElimination): Deleted.
    (JSC::DFG::CSEPhase::getByValLoadElimination): Deleted.
    (JSC::DFG::CSEPhase::checkFunctionElimination): Deleted.
    (JSC::DFG::CSEPhase::checkExecutableElimination): Deleted.
    (JSC::DFG::CSEPhase::checkStructureElimination): Deleted.
    (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination): Deleted.
    (JSC::DFG::CSEPhase::getByOffsetLoadElimination): Deleted.
    (JSC::DFG::CSEPhase::getGetterSetterByOffsetLoadElimination): Deleted.
    (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination): Deleted.
    (JSC::DFG::CSEPhase::checkArrayElimination): Deleted.
    (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination): Deleted.
    (JSC::DFG::CSEPhase::getInternalFieldLoadElimination): Deleted.
    (JSC::DFG::CSEPhase::getMyScopeLoadElimination): Deleted.
    (JSC::DFG::CSEPhase::getLocalLoadElimination): Deleted.
    (JSC::DFG::CSEPhase::invalidationPointElimination): Deleted.
    (JSC::DFG::CSEPhase::setReplacement): Deleted.
    (JSC::DFG::CSEPhase::eliminate): Deleted.
    (JSC::DFG::CSEPhase::performNodeCSE): Deleted.
    (JSC::DFG::CSEPhase::performBlockCSE): Deleted.
    (JSC::DFG::performCSE): Deleted.
    * dfg/DFGCSEPhase.h:
    * dfg/DFGClobberSet.cpp:
    (JSC::DFG::addReads):
    (JSC::DFG::addWrites):
    (JSC::DFG::addReadsAndWrites):
    (JSC::DFG::readsOverlap):
    (JSC::DFG::writesOverlap):
    * dfg/DFGClobberize.cpp:
    (JSC::DFG::doesWrites):
    (JSC::DFG::accessesOverlap):
    (JSC::DFG::writesOverlap):
    * dfg/DFGClobberize.h:
    (JSC::DFG::clobberize):
    (JSC::DFG::NoOpClobberize::operator()):
    (JSC::DFG::CheckClobberize::operator()):
    (JSC::DFG::ReadMethodClobberize::ReadMethodClobberize):
    (JSC::DFG::ReadMethodClobberize::operator()):
    (JSC::DFG::WriteMethodClobberize::WriteMethodClobberize):
    (JSC::DFG::WriteMethodClobberize::operator()):
    (JSC::DFG::DefMethodClobberize::DefMethodClobberize):
    (JSC::DFG::DefMethodClobberize::operator()):
    * dfg/DFGDCEPhase.cpp:
    (JSC::DFG::DCEPhase::run):
    (JSC::DFG::DCEPhase::fixupBlock):
    * dfg/DFGGraph.cpp:
    (JSC::DFG::Graph::getBlocksInPreOrder):
    (JSC::DFG::Graph::getBlocksInPostOrder):
    (JSC::DFG::Graph::addForDepthFirstSort): Deleted.
    (JSC::DFG::Graph::getBlocksInDepthFirstOrder): Deleted.
    * dfg/DFGGraph.h:
    * dfg/DFGHeapLocation.cpp: Added.
    (JSC::DFG::HeapLocation::dump):
    (WTF::printInternal):
    * dfg/DFGHeapLocation.h: Added.
    (JSC::DFG::HeapLocation::HeapLocation):
    (JSC::DFG::HeapLocation::operator!):
    (JSC::DFG::HeapLocation::kind):
    (JSC::DFG::HeapLocation::heap):
    (JSC::DFG::HeapLocation::base):
    (JSC::DFG::HeapLocation::index):
    (JSC::DFG::HeapLocation::hash):
    (JSC::DFG::HeapLocation::operator==):
    (JSC::DFG::HeapLocation::isHashTableDeletedValue):
    (JSC::DFG::HeapLocationHash::hash):
    (JSC::DFG::HeapLocationHash::equal):
    * dfg/DFGLICMPhase.cpp:
    (JSC::DFG::LICMPhase::run):
    * dfg/DFGNode.h:
    (JSC::DFG::Node::replaceWith):
    (JSC::DFG::Node::convertToPhantomUnchecked): Deleted.
    * dfg/DFGPlan.cpp:
    (JSC::DFG::Plan::compileInThreadImpl):
    * dfg/DFGPureValue.cpp: Added.
    (JSC::DFG::PureValue::dump):
    * dfg/DFGPureValue.h: Added.
    (JSC::DFG::PureValue::PureValue):
    (JSC::DFG::PureValue::operator!):
    (JSC::DFG::PureValue::op):
    (JSC::DFG::PureValue::children):
    (JSC::DFG::PureValue::info):
    (JSC::DFG::PureValue::hash):
    (JSC::DFG::PureValue::operator==):
    (JSC::DFG::PureValue::isHashTableDeletedValue):
    (JSC::DFG::PureValueHash::hash):
    (JSC::DFG::PureValueHash::equal):
    * dfg/DFGSSAConversionPhase.cpp:
    (JSC::DFG::SSAConversionPhase::run):
    * ftl/FTLLowerDFGToLLVM.cpp:
    (JSC::FTL::LowerDFGToLLVM::lower):

    2014-07-13  Filip Pizlo  <fpizlo@apple.com>

    Unreviewed, revert unintended change in r171051.

    * dfg/DFGCSEPhase.cpp:

    2014-07-08  Filip Pizlo  <fpizlo@apple.com>

    [ftlopt] Move Flush(SetLocal) store elimination to StrengthReductionPhase
    https://bugs.webkit.org/show_bug.cgi?id=134739

    Reviewed by Mark Hahnenberg.

    I'm going to streamline CSE around clobberize() as part of
    https://bugs.webkit.org/show_bug.cgi?id=134677, and so Flush(SetLocal) store
    elimination wouldn't belong in CSE anymore. It doesn't quite belong anywhere, which
    means that it belongs in StrengthReductionPhase, since that's intended to be our
    dumping ground.

    To do this I had to add some missing smarts to clobberize(). Previously clobberize()
    could play a bit loose with reads of Variables because it wasn't used for store
    elimination. The main client of read() was LICM, but it would only use it to
    determine hoistability and anything that did a write() was not hoistable - so, we had
    benign (but still wrong) missing read() calls in places that did write()s. This fixes
    a bunch of those cases.

    * dfg/DFGCSEPhase.cpp:
    (JSC::DFG::CSEPhase::performNodeCSE):
    (JSC::DFG::CSEPhase::setLocalStoreElimination): Deleted.
    * dfg/DFGClobberize.cpp:
    (JSC::DFG::accessesOverlap):
    * dfg/DFGClobberize.h:
    (JSC::DFG::clobberize): Make clobberize() smart enough for detecting when this store elimination would be sound.
    * dfg/DFGStrengthReductionPhase.cpp:
    (JSC::DFG::StrengthReductionPhase::handleNode): Implement the store elimination in terms of clobberize().

    2014-07-08  Filip Pizlo  <fpizlo@apple.com>

    [ftlopt] Phantom simplification should be in its own phase
    https://bugs.webkit.org/show_bug.cgi?id=134742

    Reviewed by Geoffrey Garen.

    This moves Phantom simplification out of CSE, which greatly simplifies CSE and gives it
    more focus. Also this finally adds a phase that removes empty Phantoms. We sort of had
    this in CPSRethreading, but that phase runs too infrequently and doesn't run at all for
    SSA.

    * CMakeLists.txt:
    * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
    * JavaScriptCore.xcodeproj/project.pbxproj:
    * dfg/DFGAdjacencyList.h:
    * dfg/DFGCSEPhase.cpp:
    (JSC::DFG::CSEPhase::run):
    (JSC::DFG::CSEPhase::setReplacement):
    (JSC::DFG::CSEPhase::eliminate):
    (JSC::DFG::CSEPhase::performNodeCSE):
    (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren): Deleted.
    * dfg/DFGPhantomRemovalPhase.cpp: Added.
    (JSC::DFG::PhantomRemovalPhase::PhantomRemovalPhase):
    (JSC::DFG::PhantomRemovalPhase::run):
    (JSC::DFG::performCleanUp):
    * dfg/DFGPhantomRemovalPhase.h: Added.
    * dfg/DFGPlan.cpp:
    (JSC::DFG::Plan::compileInThreadImpl):

    2014-07-08  Filip Pizlo  <fpizlo@apple.com>

    [ftlopt] Get rid of Node::misc by moving the fields out of the union so that you can use replacement and owner simultaneously
    https://bugs.webkit.org/show_bug.cgi?id=134730

    Reviewed by Mark Lam.

    This will allow for a better GCSE implementation.

    * dfg/DFGCPSRethreadingPhase.cpp:
    (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
    * dfg/DFGCSEPhase.cpp:
    (JSC::DFG::CSEPhase::setReplacement):
    * dfg/DFGEdgeDominates.h:
    (JSC::DFG::EdgeDominates::operator()):
    * dfg/DFGGraph.cpp:
    (JSC::DFG::Graph::clearReplacements):
    (JSC::DFG::Graph::initializeNodeOwners):
    * dfg/DFGGraph.h:
    (JSC::DFG::Graph::performSubstitutionForEdge):
    * dfg/DFGLICMPhase.cpp:
    (JSC::DFG::LICMPhase::attemptHoist):
    * dfg/DFGNode.h:
    (JSC::DFG::Node::Node):
    * dfg/DFGSSAConversionPhase.cpp:
    (JSC::DFG::SSAConversionPhase::run):

    2014-07-04  Filip Pizlo  <fpizlo@apple.com>

    [ftlopt] Infer immutable object properties
    https://bugs.webkit.org/show_bug.cgi?id=134567

    Reviewed by Mark Hahnenberg.

    This introduces a new way of inferring immutable object properties. A property is said to
    be immutable if after its creation (i.e. the transition that creates it), we never
    overwrite it (i.e. replace it) or delete it. Immutability is a property of an "own
    property" - so if we say that "f" is immutable at "o" then we are implying that "o" has "f"
    directly and not on a prototype. More specifically, the immutability inference will prove
    that a property on some structure is immutable. This means that, for example, we may have a
    structure S1 with property "f" where we claim that "f" at S1 is immutable, but S1 has a
    transition to S2 that adds a new property "g" and we may claim that "f" at S2 is actually
    mutable. This is mainly for convenience; it allows us to decouple immutability logic from
    transition logic. Immutability can be used to constant-fold accesses to objects at
    DFG-time. The DFG needs to prove the following to constant-fold the access:

    - The base of the access must be a constant object pointer. We prove that a property at a
      structure is immutable, but that says nothing of its value; each actual instance of that
      property may have a different value. So, a constant object pointer is needed to get an
      actual constant instance of the immutable value.

    - A check (or watchpoint) must have been emitted proving that the object has a structure
      that allows loading the property in question.

    - The replacement watchpoint set of the property in the structure that we've proven the
      object to have is still valid and we add a watchpoint to it lazily. The replacement
      watchpoint set is the key new mechanism that this change adds. It's possible that we have
      proven that the object has one of many structures, in which case each of those structures
      needs a valid replacement watchpoint set.

    The replacement watchpoint set is created the first time that any access to the property is
    cached. A put replace cache will create, and immediately invalidate, the watchpoint set. A
    get cache will create the watchpoint set and make it start watching. Any non-cached put
    access will invalidate the watchpoint set if one had been created; the underlying algorithm
    ensures that checking for the existence of a replacement watchpoint set is very fast in the
    common case. This algorithm ensures that no cached access needs to ever do any work to
    invalidate, or check the validity of, any replacement watchpoint sets. It also has some
    other nice properties:

    - It's very robust in its definition of immutability. The strictest that it will ever be is
      that for any instance of the object, the property must be written to only once,
      specifically at the time that the property is created. But it's looser than this in
      practice. For example, the property may be written to any number of times before we add
      the final property that the object will have before anyone reads the property; this works
      since for optimization purposes we only care if we detect immutability on the structure
      that the object will have when it is most frequently read from, not any previous
      structure that the object had. Also, we may write to the property any number of times
      before anyone caches accesses to it.

    - It is mostly orthogonal to structure transitions. No new structures need to be created to
      track the immutability of a property. Hence, there is no risk from this feature causing
      more polymorphism. This is different from the previous "specificValue" constant
      inference, which did cause additional structures to be created and sometimes those
      structures led to fake polymorphism. This feature does leverage existing transitions to
      do some of the watchpointing: property deletions don't fire the replacement watchpoint
      set because that would cause a new structure and so the mandatory structure check would
      fail. Also, this feature is guaranteed to never kick in for uncacheable dictionaries
      because those wouldn't allow for cacheable accesses - and it takes a cacheable access for
      this feature to be enabled.

    - No memory overhead is incurred except when accesses to the property are cached.
      Dictionary properties will typically have no meta-data for immutability. The number of
      replacement watchpoint sets we allocate is proportional to the number of inline caches in
      the program, which is typically much smaller than the number of structures or even the
      number of objects.

    This inference is far more powerful than the previous "specificValue" inference, so this
    change also removes all of that code. It's interesting that the amount of code that is
    changed to remove that feature is almost as big as the amount of code added to support the
    new inference - and that's if you include the new tests in the tally. Without new tests,
    it appears that the new feature actually touches less code!

    There is one corner case where the previous "specificValue" inference was more powerful.
    You can imagine someone creating objects with functions as self properties on those
    objects, such that each object instance had the same function pointers - essentially,
    someone might be trying to create a vtable but failing at the whole "one vtable for many
    instances" concept. The "specificValue" inference would do very well for such programs,
    because a structure check would be sufficient to prove a constant value for all of the
    function properties. This new inference will fail because it doesn't track the constant
    values of constant properties; instead it detects the immutability of otherwise variable
    properties (in the sense that each instance of the property may have a different value).
    So, the new inference requires having a particular object instance to actually get the
    constant value. I think it's OK to lose this antifeature. It took a lot of code to support
    and was a constant source of grief in our transition logic, and there doesn't appear to be
    any real evidence that programs benefited from that particular kind of inference since
    usually it's the singleton prototype instance that has all of the functions.

    This change is a speed-up on everything. date-format-xparb and both SunSpider/raytrace and
    V8/raytrace seem to be the biggest winners among the macrobenchmarks; they see >5%
    speed-ups. Many of our microbenchmarks see very large performance improvements, even 80% in
    one case.

    * bytecode/ComplexGetStatus.cpp:
    (JSC::ComplexGetStatus::computeFor):
    * bytecode/GetByIdStatus.cpp:
    (JSC::GetByIdStatus::computeFromLLInt):
    (JSC::GetByIdStatus::computeForStubInfo):
    (JSC::GetByIdStatus::computeFor):
    * bytecode/GetByIdVariant.cpp:
    (JSC::GetByIdVariant::GetByIdVariant):
    (JSC::GetByIdVariant::operator=):
    (JSC::GetByIdVariant::attemptToMerge):
    (JSC::GetByIdVariant::dumpInContext):
    * bytecode/GetByIdVariant.h:
    (JSC::GetByIdVariant::alternateBase):
    (JSC::GetByIdVariant::specificValue): Deleted.
    * bytecode/PutByIdStatus.cpp:
    (JSC::PutByIdStatus::computeForStubInfo):
    (JSC::PutByIdStatus::computeFor):
    * bytecode/PutByIdVariant.cpp:
    (JSC::PutByIdVariant::operator=):
    (JSC::PutByIdVariant::setter):
    (JSC::PutByIdVariant::dumpInContext):
    * bytecode/PutByIdVariant.h:
    (JSC::PutByIdVariant::specificValue): Deleted.
    * bytecode/Watchpoint.cpp:
    (JSC::WatchpointSet::fireAllSlow):
    (JSC::WatchpointSet::fireAll): Deleted.
    * bytecode/Watchpoint.h:
    (JSC::WatchpointSet::fireAll):
    * dfg/DFGAbstractInterpreterInlines.h:
    (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
    * dfg/DFGByteCodeParser.cpp:
    (JSC::DFG::ByteCodeParser::handleGetByOffset):
    (JSC::DFG::ByteCodeParser::handleGetById):
    (JSC::DFG::ByteCodeParser::handlePutById):
    (JSC::DFG::ByteCodeParser::parseBlock):
    * dfg/DFGConstantFoldingPhase.cpp:
    (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
    * dfg/DFGFixupPhase.cpp:
    (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
    (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
    * dfg/DFGGraph.cpp:
    (JSC::DFG::Graph::tryGetConstantProperty):
    (JSC::DFG::Graph::visitChildren):
    * dfg/DFGGraph.h:
    * dfg/DFGWatchableStructureWatchingPhase.cpp:
    (JSC::DFG::WatchableStructureWatchingPhase::run):
    * ftl/FTLLowerDFGToLLVM.cpp:
    (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
    * jit/JITOperations.cpp:
    * jit/Repatch.cpp:
    (JSC::repatchByIdSelfAccess):
    (JSC::generateByIdStub):
    (JSC::tryCacheGetByID):
    (JSC::tryCachePutByID):
    (JSC::tryBuildPutByIdList):
    * llint/LLIntSlowPaths.cpp:
    (JSC::LLInt::LLINT_SLOW_PATH_DECL):
    (JSC::LLInt::putToScopeCommon):
    * runtime/CommonSlowPaths.h:
    (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
    * runtime/IntendedStructureChain.cpp:
    (JSC::IntendedStructureChain::mayInterceptStoreTo):
    * runtime/JSCJSValue.cpp:
    (JSC::JSValue::putToPrimitive):
    * runtime/JSGlobalObject.cpp:
    (JSC::JSGlobalObject::reset):
    * runtime/JSObject.cpp:
    (JSC::JSObject::put):
    (JSC::JSObject::putDirectNonIndexAccessor):
    (JSC::JSObject::deleteProperty):
    (JSC::JSObject::defaultValue):
    (JSC::getCallableObjectSlow): Deleted.
    (JSC::JSObject::getPropertySpecificValue): Deleted.
    * runtime/JSObject.h:
    (JSC::JSObject::getDirect):
    (JSC::JSObject::getDirectOffset):
    (JSC::JSObject::inlineGetOwnPropertySlot):
    (JSC::JSObject::putDirectInternal):
    (JSC::JSObject::putOwnDataProperty):
    (JSC::JSObject::putDirect):
    (JSC::JSObject::putDirectWithoutTransition):
    (JSC::getCallableObject): Deleted.
    * runtime/JSScope.cpp:
    (JSC::abstractAccess):
    * runtime/PropertyMapHashTable.h:
    (JSC::PropertyMapEntry::PropertyMapEntry):
    (JSC::PropertyTable::copy):
    * runtime/PropertyTable.cpp:
    (JSC::PropertyTable::clone):
    (JSC::PropertyTable::PropertyTable):
    (JSC::PropertyTable::visitChildren): Deleted.
    * runtime/Structure.cpp:
    (JSC::Structure::Structure):
    (JSC::Structure::materializePropertyMap):
    (JSC::Structure::addPropertyTransitionToExistingStructureImpl):
    (JSC::Structure::addPropertyTransitionToExistingStructure):
    (JSC::Structure::addPropertyTransitionToExistingStructureConcurrently):
    (JSC::Structure::addPropertyTransition):
    (JSC::Structure::changePrototypeTransition):
    (JSC::Structure::attributeChangeTransition):
    (JSC::Structure::toDictionaryTransition):
    (JSC::Structure::preventExtensionsTransition):
    (JSC::Structure::takePropertyTableOrCloneIfPinned):
    (JSC::Structure::nonPropertyTransition):
    (JSC::Structure::addPropertyWithoutTransition):
    (JSC::Structure::allocateRareData):
    (JSC::Structure::ensurePropertyReplacementWatchpointSet):
    (JSC::Structure::startWatchingPropertyForReplacements):
    (JSC::Structure::didCachePropertyReplacement):
    (JSC::Structure::startWatchingInternalProperties):
    (JSC::Structure::copyPropertyTable):
    (JSC::Structure::copyPropertyTableForPinning):
    (JSC::Structure::getConcurrently):
    (JSC::Structure::get):
    (JSC::Structure::add):
    (JSC::Structure::visitChildren):
    (JSC::Structure::prototypeChainMayInterceptStoreTo):
    (JSC::Structure::dump):
    (JSC::Structure::despecifyDictionaryFunction): Deleted.
    (JSC::Structure::despecifyFunctionTransition): Deleted.
    (JSC::Structure::despecifyFunction): Deleted.
    (JSC::Structure::despecifyAllFunctions): Deleted.
    (JSC::Structure::putSpecificValue): Deleted.
    * runtime/Structure.h:
    (JSC::Structure::startWatchingPropertyForReplacements):
    (JSC::Structure::startWatchingInternalPropertiesIfNecessary):
    (JSC::Structure::startWatchingInternalPropertiesIfNecessaryForEntireChain):
    (JSC::Structure::transitionDidInvolveSpecificValue): Deleted.
    (JSC::Structure::disableSpecificFunctionTracking): Deleted.
    * runtime/StructureInlines.h:
    (JSC::Structure::getConcurrently):
    (JSC::Structure::didReplaceProperty):
    (JSC::Structure::propertyReplacementWatchpointSet):
    * runtime/StructureRareData.cpp:
    (JSC::StructureRareData::destroy):
    * runtime/StructureRareData.h:
    * tests/stress/infer-constant-global-property.js: Added.
    (foo.Math.sin):
    (foo):
    * tests/stress/infer-constant-property.js: Added.
    (foo):
    * tests/stress/jit-cache-poly-replace-then-cache-get-and-fold-then-invalidate.js: Added.
    (foo):
    (bar):
    * tests/stress/jit-cache-replace-then-cache-get-and-fold-then-invalidate.js: Added.
    (foo):
    (bar):
    * tests/stress/jit-put-to-scope-global-cache-watchpoint-invalidate.js: Added.
    (foo):
    (bar):
    * tests/stress/llint-cache-replace-then-cache-get-and-fold-then-invalidate.js: Added.
    (foo):
    (bar):
    * tests/stress/llint-put-to-scope-global-cache-watchpoint-invalidate.js: Added.
    (foo):
    (bar):
    * tests/stress/repeat-put-to-scope-global-with-same-value-watchpoint-invalidate.js: Added.
    (foo):
    (bar):

    2014-07-03  Saam Barati  <sbarati@apple.com>

    Add more coverage for the profile_types_with_high_fidelity op code.
    https://bugs.webkit.org/show_bug.cgi?id=134616

    Reviewed by Filip Pizlo.

    More operations are now being recorded by the profile_types_with_high_fidelity
    opcode. Specifically: function parameters, function return values,
    function 'this' value, get_by_id, get_by_value, resolve nodes, function return
    values at the call site. Added more flags to the profile_types_with_high_fidelity
    opcode so more focused tasks can take place when the instruction is
    being linked in CodeBlock. Re-worked the type profiler to search
    through character offset ranges when asked for the type of an expression
    at a given offset. Removed redundant calls to Structure::toStructureShape
    in HighFidelityLog and TypeSet by caching calls based on StructureID.

    * bytecode/BytecodeList.json:
    * bytecode/BytecodeUseDef.h:
    (JSC::computeUsesForBytecodeOffset):
    (JSC::computeDefsForBytecodeOffset):
    * bytecode/CodeBlock.cpp:
    (JSC::CodeBlock::CodeBlock):
    (JSC::CodeBlock::finalizeUnconditionally):
    (JSC::CodeBlock::scopeDependentProfile):
    * bytecode/CodeBlock.h:
    (JSC::CodeBlock::returnStatementTypeSet):
    * bytecode/TypeLocation.h:
    * bytecode/UnlinkedCodeBlock.cpp:
    (JSC::UnlinkedCodeBlock::highFidelityTypeProfileExpressionInfoForBytecodeOffset):
    (JSC::UnlinkedCodeBlock::addHighFidelityTypeProfileExpressionInfo):
    * bytecode/UnlinkedCodeBlock.h:
    * bytecompiler/BytecodeGenerator.cpp:
    (JSC::BytecodeGenerator::emitMove):
    (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
    (JSC::BytecodeGenerator::emitGetFromScopeWithProfile):
    (JSC::BytecodeGenerator::emitPutToScope):
    (JSC::BytecodeGenerator::emitPutToScopeWithProfile):
    (JSC::BytecodeGenerator::emitPutById):
    (JSC::BytecodeGenerator::emitPutByVal):
    * bytecompiler/BytecodeGenerator.h:
    (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo):
    * bytecompiler/NodesCodegen.cpp:
    (JSC::ResolveNode::emitBytecode):
    (JSC::BracketAccessorNode::emitBytecode):
    (JSC::DotAccessorNode::emitBytecode):
    (JSC::FunctionCallValueNode::emitBytecode):
    (JSC::FunctionCallResolveNode::emitBytecode):
    (JSC::FunctionCallBracketNode::emitBytecode):
    (JSC::FunctionCallDotNode::emitBytecode):
    (JSC::CallFunctionCallDotNode::emitBytecode):
    (JSC::ApplyFunctionCallDotNode::emitBytecode):
    (JSC::PostfixNode::emitResolve):
    (JSC::PostfixNode::emitBracket):
    (JSC::PostfixNode::emitDot):
    (JSC::PrefixNode::emitResolve):
    (JSC::PrefixNode::emitBracket):
    (JSC::PrefixNode::emitDot):
    (JSC::ReadModifyResolveNode::emitBytecode):
    (JSC::AssignResolveNode::emitBytecode):
    (JSC::AssignDotNode::emitBytecode):
    (JSC::ReadModifyDotNode::emitBytecode):
    (JSC::AssignBracketNode::emitBytecode):
    (JSC::ReadModifyBracketNode::emitBytecode):
    (JSC::ReturnNode::emitBytecode):
    (JSC::FunctionBodyNode::emitBytecode):
    * inspector/agents/InspectorRuntimeAgent.cpp:
    (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableAtOffset):
    (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange): Deleted.
    * inspector/agents/InspectorRuntimeAgent.h:
    * inspector/protocol/Runtime.json:
    * llint/LLIntSlowPaths.cpp:
    (JSC::LLInt::getFromScopeCommon):
    (JSC::LLInt::LLINT_SLOW_PATH_DECL):
    * llint/LLIntSlowPaths.h:
    * llint/LowLevelInterpreter.asm:
    * runtime/HighFidelityLog.cpp:
    (JSC::HighFidelityLog::processHighFidelityLog):
    (JSC::HighFidelityLog::actuallyProcessLogThreadFunction):
    (JSC::HighFidelityLog::recordTypeInformationForLocation): Deleted.
    * runtime/HighFidelityLog.h:
    (JSC::HighFidelityLog::recordTypeInformationForLocation):
    * runtime/HighFidelityTypeProfiler.cpp:
    (JSC::HighFidelityTypeProfiler::getTypesForVariableInAtOffset):
    (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableAtOffset):
    (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableAtOffset):
    (JSC::HighFidelityTypeProfiler::insertNewLocation):
    (JSC::HighFidelityTypeProfiler::findLocation):
    (JSC::HighFidelityTypeProfiler::getTypesForVariableInRange): Deleted.
    (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableInRange): Deleted.
    (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableInRange): Deleted.
    (JSC::HighFidelityTypeProfiler::getLocationBasedHash): Deleted.
    * runtime/HighFidelityTypeProfiler.h:
    (JSC::LocationKey::LocationKey): Deleted.
    (JSC::LocationKey::hash): Deleted.
    (JSC::LocationKey::operator==): Deleted.
    * runtime/Structure.cpp:
    (JSC::Structure::toStructureShape):
    * runtime/Structure.h:
    * runtime/TypeSet.cpp:
    (JSC::TypeSet::TypeSet):
    (JSC::TypeSet::addTypeForValue):
    (JSC::TypeSet::seenTypes):
    (JSC::TypeSet::removeDuplicatesInStructureHistory): Deleted.
    * runtime/TypeSet.h:
    (JSC::StructureShape::setConstructorName):
    * runtime/VM.cpp:
    (JSC::VM::getTypesForVariableAtOffset):
    (JSC::VM::dumpHighFidelityProfilingTypes):
    (JSC::VM::getTypesForVariableInRange): Deleted.
    * runtime/VM.h:

    2014-07-04  Filip Pizlo  <fpizlo@apple.com>

    [ftlopt][REGRESSION] debug tests fail because PutByIdDirect is now implemented in terms of In
    https://bugs.webkit.org/show_bug.cgi?id=134642

    Rubber stamped by Andreas Kling.

    * ftl/FTLLowerDFGToLLVM.cpp:
    (JSC::FTL::LowerDFGToLLVM::compileNode):

    2014-07-01  Filip Pizlo  <fpizlo@apple.com>

    [ftlopt] Allocate a new GetterSetter if we change the value of any of its entries other than when they were previously null, so that if we constant-infer an accessor slot then we immediately get the function constant for free
    https://bugs.webkit.org/show_bug.cgi?id=134518

    Reviewed by Mark Hahnenberg.

    This has no real effect right now, particularly since almost all uses of
    setSetter/setGetter were already allocating a brand new GetterSetter. But once we start
    doing more aggressive constant property inference, this change will allow us to remove
    all runtime checks from getter/setter calls.

    * runtime/GetterSetter.cpp:
    (JSC::GetterSetter::withGetter):
    (JSC::GetterSetter::withSetter):
    * runtime/GetterSetter.h:
    (JSC::GetterSetter::setGetter):
    (JSC::GetterSetter::setSetter):
    * runtime/JSObject.cpp:
    (JSC::JSObject::defineOwnNonIndexProperty):

    2014-07-02  Filip Pizlo  <fpizlo@apple.com>

    [ftlopt] Rename notifyTransitionFromThisStructure to didTransitionFromThisStructure

    Rubber stamped by Mark Hahnenberg.

    * runtime/Structure.cpp:
    (JSC::Structure::Structure):
    (JSC::Structure::nonPropertyTransition):
    (JSC::Structure::didTransitionFromThisStructure):
    (JSC::Structure::notifyTransitionFromThisStructure): Deleted.
    * runtime/Structure.h:

    2014-07-02  Filip Pizlo  <fpizlo@apple.com>

    [ftlopt] Remove the functionality for cloning StructureRareData since we never do that anymore.

    Rubber stamped by Mark Hahnenberg.

    * runtime/Structure.cpp:
    (JSC::Structure::Structure):
    (JSC::Structure::cloneRareDataFrom): Deleted.
    * runtime/Structure.h:
    * runtime/StructureRareData.cpp:
    (JSC::StructureRareData::clone): Deleted.
    (JSC::StructureRareData::StructureRareData): Deleted.
    * runtime/StructureRareData.h:
    (JSC::StructureRareData::needsCloning): Deleted.

    2014-07-01  Mark Lam  <mark.lam@apple.com>

    [ftlopt] DebuggerCallFrame::scope() should return a DebuggerScope.
    <https://webkit.org/b/134420>

    Reviewed by Geoffrey Garen.

    Previously, DebuggerCallFrame::scope() returned a JSActivation (and relevant
    peers) which the WebInspector will use to introspect CallFrame variables.
    Instead, we should be returning a DebuggerScope as an abstraction layer that
    provides the introspection functionality that the WebInspector needs.  This
    is the first step towards not forcing every frame to have a JSActivation
    object just because the debugger is enabled.

    1. Instantiate the debuggerScopeStructure as a member of the JSGlobalObject
       instead of the VM.  This allows JSObject::globalObject() to be able to
       return the global object for the DebuggerScope.

    2. On the DebuggerScope's life-cycle management:

       The DebuggerCallFrame is designed to be "valid" only during a debugging session
       (while the debugger is broken) through the use of a DebuggerCallFrameScope in
       Debugger::pauseIfNeeded().  Once the debugger resumes from the break, the
       DebuggerCallFrameScope destructs, and the DebuggerCallFrame will be invalidated.
       We can't guarantee (from this code alone) that the Inspector code isn't still
       holding a ref to the DebuggerCallFrame (though they shouldn't), but by contract,
       the frame will be invalidated, and any attempt to query it will return null values.
       This is pre-existing behavior.

       Now, we're adding the DebuggerScope into the picture.  While a single debugger
       pause session is in progress, the Inspector may request the scope from the
       DebuggerCallFrame.  While the DebuggerCallFrame is still valid, we want
       DebuggerCallFrame::scope() to always return the same DebuggerScope object.
       This is why we hold on to the DebuggerScope with a strong ref.

       If we use a weak ref instead, the following kooky behavior can manifest:
       1. The Inspector calls Debugger::scope() to get the top scope.
       2. The Inspector iterates down the scope chain and is now only holding a
          reference to a parent scope.  It is no longer referencing the top scope.
       3. A GC occurs, and the DebuggerCallFrame's weak m_scope ref to the top scope
          gets cleared.
       4. The Inspector calls DebuggerCallFrame::scope() to get the top scope again but gets
          a different DebuggerScope instance.
       5. The Inspector iterates down the scope chain but never sees the parent scope
          instance that it retained a ref to in step 2 above.  This is because when iterating
          this new DebuggerScope instance (which has no knowledge of the previous parent
          DebuggerScope instance), a new DebuggerScope instance will get created for the
          same parent scope.

       Since the DebuggerScope is a JSObject, its liveness is determined by its reachability.
       However, its "validity" is determined by the life-cycle of its owner DebuggerCallFrame.
       When the owner DebuggerCallFrame gets invalidated, its debugger scope chain (if
       instantiated) will also get invalidated.  This is why we need the
       DebuggerScope::invalidateChain() method.  The Inspector should not be using the
       DebuggerScope instance after its owner DebuggerCallFrame is invalidated.  If it does,
       those methods will do nothing or return a failed status.

    * debugger/Debugger.h:
    * debugger/DebuggerCallFrame.cpp:
    (JSC::DebuggerCallFrame::scope):
    (JSC::DebuggerCallFrame::evaluate):
    (JSC::DebuggerCallFrame::invalidate):
    (JSC::DebuggerCallFrame::vm):
    (JSC::DebuggerCallFrame::lexicalGlobalObject):
    * debugger/DebuggerCallFrame.h:
    * debugger/DebuggerScope.cpp:
    (JSC::DebuggerScope::DebuggerScope):
    (JSC::DebuggerScope::finishCreation):
    (JSC::DebuggerScope::visitChildren):
    (JSC::DebuggerScope::className):
    (JSC::DebuggerScope::getOwnPropertySlot):
    (JSC::DebuggerScope::put):
    (JSC::DebuggerScope::deleteProperty):
    (JSC::DebuggerScope::getOwnPropertyNames):
    (JSC::DebuggerScope::defineOwnProperty):
    (JSC::DebuggerScope::next):
    (JSC::DebuggerScope::invalidateChain):
    (JSC::DebuggerScope::isWithScope):
    (JSC::DebuggerScope::isGlobalScope):
    (JSC::DebuggerScope::isFunctionScope):
    * debugger/DebuggerScope.h:
    (JSC::DebuggerScope::create):
    (JSC::DebuggerScope::Iterator::Iterator):
    (JSC::DebuggerScope::Iterator::get):
    (JSC::DebuggerScope::Iterator::operator++):
    (JSC::DebuggerScope::Iterator::operator==):
    (JSC::DebuggerScope::Iterator::operator!=):
    (JSC::DebuggerScope::isValid):
    (JSC::DebuggerScope::jsScope):
    (JSC::DebuggerScope::begin):
    (JSC::DebuggerScope::end):
    * inspector/JSJavaScriptCallFrame.cpp:
    (Inspector::JSJavaScriptCallFrame::scopeType):
    (Inspector::JSJavaScriptCallFrame::scopeChain):
    * inspector/JavaScriptCallFrame.h:
    (Inspector::JavaScriptCallFrame::scopeChain):
    * inspector/ScriptDebugServer.cpp:
    * runtime/JSGlobalObject.cpp:
    (JSC::JSGlobalObject::reset):
    (JSC::JSGlobalObject::visitChildren):
    * runtime/JSGlobalObject.h:
    (JSC::JSGlobalObject::debuggerScopeStructure):
    * runtime/JSObject.h:
    (JSC::JSObject::isWithScope):
    * runtime/JSScope.h:
    * runtime/VM.cpp:
    (JSC::VM::VM):
    * runtime/VM.h:

    2014-07-01  Filip Pizlo  <fpizlo@apple.com>

    [ftlopt] DFG bytecode parser should turn PutById with nothing but a Setter stub as stuff+handleCall, and handleCall should be allowed to inline if it wants to
    https://bugs.webkit.org/show_bug.cgi?id=130756

    Reviewed by Oliver Hunt.

    This enables exposing the call to setters in the DFG, and then inlining it. Previously we
    already supported inlined-cached calls to setters from within put_by_id inline caches,
    and the DFG could certainly emit such IC's. Now, if an IC had a setter call, then the DFG
    will either emit the GetGetterSetterByOffset/GetSetter/Call combo, or it will do one
    better and inline the call.

    A lot of the core functionality was already available from the previous work to inline
    getters. So, there are some refactorings in this patch that move preexisting
    functionality around. For example, the work to figure out how the DFG should go about
    getting to what we call the "loaded value" - i.e. the GetterSetter object reference in
    the case of accessors - is now shared in ComplexGetStatus, and both GetByIdStatus and
    PutByIdStatus use it. This means that we can keep the safety checks common.  This patch
    also does additional refactorings in DFG::ByteCodeParser so that we can continue to reuse
    handleCall() for all of the various kinds of calls we can now emit.

    83% speed-up on getter-richards, 2% speed-up on box2d.

    * CMakeLists.txt:
    * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
    * JavaScriptCore.xcodeproj/project.pbxproj:
    * bytecode/ComplexGetStatus.cpp: Added.
    (JSC::ComplexGetStatus::computeFor):
    * bytecode/ComplexGetStatus.h: Added.
    (JSC::ComplexGetStatus::ComplexGetStatus):
    (JSC::ComplexGetStatus::skip):
    (JSC::ComplexGetStatus::takesSlowPath):
    (JSC::ComplexGetStatus::kind):
    (JSC::ComplexGetStatus::attributes):
    (JSC::ComplexGetStatus::specificValue):
    (JSC::ComplexGetStatus::offset):
    (JSC::ComplexGetStatus::chain):
    * bytecode/GetByIdStatus.cpp:
    (JSC::GetByIdStatus::computeForStubInfo):
    * bytecode/GetByIdVariant.cpp:
    (JSC::GetByIdVariant::GetByIdVariant):
    * bytecode/PolymorphicPutByIdList.h:
    (JSC::PutByIdAccess::PutByIdAccess):
    (JSC::PutByIdAccess::setter):
    (JSC::PutByIdAccess::structure):
    (JSC::PutByIdAccess::chainCount):
    * bytecode/PutByIdStatus.cpp:
    (JSC::PutByIdStatus::computeFromLLInt):
    (JSC::PutByIdStatus::computeFor):
    (JSC::PutByIdStatus::computeForStubInfo):
    (JSC::PutByIdStatus::makesCalls):
    * bytecode/PutByIdStatus.h:
    (JSC::PutByIdStatus::makesCalls): Deleted.
    * bytecode/PutByIdVariant.cpp:
    (JSC::PutByIdVariant::PutByIdVariant):
    (JSC::PutByIdVariant::operator=):
    (JSC::PutByIdVariant::replace):
    (JSC::PutByIdVariant::transition):
    (JSC::PutByIdVariant::setter):
    (JSC::PutByIdVariant::writesStructures):
    (JSC::PutByIdVariant::reallocatesStorage):
    (JSC::PutByIdVariant::makesCalls):
    (JSC::PutByIdVariant::dumpInContext):
    * bytecode/PutByIdVariant.h:
    (JSC::PutByIdVariant::PutByIdVariant):
    (JSC::PutByIdVariant::structure):
    (JSC::PutByIdVariant::oldStructure):
    (JSC::PutByIdVariant::alternateBase):
    (JSC::PutByIdVariant::specificValue):
    (JSC::PutByIdVariant::callLinkStatus):
    (JSC::PutByIdVariant::replace): Deleted.
    (JSC::PutByIdVariant::transition): Deleted.
    * dfg/DFGByteCodeParser.cpp:
    (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
    (JSC::DFG::ByteCodeParser::addCall):
    (JSC::DFG::ByteCodeParser::handleCall):
    (JSC::DFG::ByteCodeParser::handleInlining):
    (JSC::DFG::ByteCodeParser::handleGetById):
    (JSC::DFG::ByteCodeParser::handlePutById):
    (JSC::DFG::ByteCodeParser::parseBlock):
    * jit/Repatch.cpp:
    (JSC::tryCachePutByID):
    (JSC::tryBuildPutByIdList):
    * runtime/IntendedStructureChain.cpp:
    (JSC::IntendedStructureChain::takesSlowPathInDFGForImpureProperty):
    * runtime/IntendedStructureChain.h:
    * tests/stress/exit-from-setter.js: Added.
    * tests/stress/poly-chain-setter.js: Added.
    (Cons):
    (foo):
    (test):
    * tests/stress/poly-chain-then-setter.js: Added.
    (Cons1):
    (Cons2):
    (foo):
    (test):
    * tests/stress/poly-setter-combo.js: Added.
    (Cons1):
    (Cons2):
    (foo):
    (test):
    (.test):
    * tests/stress/poly-setter-then-self.js: Added.
    (foo):
    (test):
    (.test):
    * tests/stress/weird-setter-counter.js: Added.
    (foo):
    (test):
    * tests/stress/weird-setter-counter-syntactic.js: Added.
    (foo):
    (test):

    2014-07-01  Matthew Mirman  <mmirman@apple.com>

    Added an implementation of the "in" check to FTL.
    https://bugs.webkit.org/show_bug.cgi?id=134508

    Reviewed by Filip Pizlo.

    * ftl/FTLCapabilities.cpp: enabled compilation for "in"
    (JSC::FTL::canCompile): ditto
    * ftl/FTLCompile.cpp:
    (JSC::FTL::generateCheckInICFastPath): added.
    (JSC::FTL::fixFunctionBasedOnStackMaps): added case for CheckIn descriptors.
    * ftl/FTLInlineCacheDescriptor.h:
    (JSC::FTL::CheckInGenerator::CheckInGenerator): added.
    (JSC::FTL::CheckInDescriptor::CheckInDescriptor): added.
    * ftl/FTLInlineCacheSize.cpp:
    (JSC::FTL::sizeOfCheckIn): added. Currently larger than necessary.
    * ftl/FTLInlineCacheSize.h: ditto
    * ftl/FTLIntrinsicRepository.h: Added function type for operationInGeneric
    * ftl/FTLLowerDFGToLLVM.cpp:
    (JSC::FTL::LowerDFGToLLVM::compileNode): added case for In.
    (JSC::FTL::LowerDFGToLLVM::compileIn): added.
    * ftl/FTLSlowPathCall.cpp: Added a callOperation for operationIn
    (JSC::FTL::callOperation): ditto
    * ftl/FTLSlowPathCall.h: ditto
    * ftl/FTLState.h: Added a vector to hold CheckIn descriptors.
    * jit/JITOperations.h: made operationIns internal.
    * tests/stress/ftl-checkin.js: Added.
    * tests/stress/ftl-checkin-variable.js: Added.

    2014-06-30  Mark Hahnenberg  <mhahnenberg@apple.com>

    CodeBlock::stronglyVisitWeakReferences should mark DFG::CommonData::weakStructureReferences
    https://bugs.webkit.org/show_bug.cgi?id=134455

    Reviewed by Geoffrey Garen.

    Otherwise we get hanging pointers which can cause us to die later.

    * bytecode/CodeBlock.cpp:
    (JSC::CodeBlock::stronglyVisitWeakReferences):

    2014-06-27  Filip Pizlo  <fpizlo@apple.com>

    [ftlopt] Reduce the GC's influence on optimization decisions
    https://bugs.webkit.org/show_bug.cgi?id=134427

    Reviewed by Oliver Hunt.

    This is a slight speed-up on some platforms, that arises from a bunch of fixes that I made
    while trying to make the GC keep more structures alive
    (https://bugs.webkit.org/show_bug.cgi?id=128072).

    The fixes are, roughly:

    - If the GC clears an inline cache, then this no longer causes the IC to be forever
      polymorphic.

    - If we exit in inlined code into a function that tries to OSR enter, then we jettison
      sooner.

    - Some variables being uninitialized led to rage-recompilations.

    This is a pretty strong step in the direction of keeping more Structures alive and not
    blowing away code just because a Structure died. But, it seems like there is still a slight
    speed-up to be had from blowing away code that references dead Structures.

    * bytecode/CodeBlock.cpp:
    (JSC::CodeBlock::dumpAssumingJITType):
    (JSC::shouldMarkTransition):
    (JSC::CodeBlock::propagateTransitions):
    (JSC::CodeBlock::determineLiveness):
    * bytecode/GetByIdStatus.cpp:
    (JSC::GetByIdStatus::computeForStubInfo):
    * bytecode/PutByIdStatus.cpp:
    (JSC::PutByIdStatus::computeForStubInfo):
    * dfg/DFGCapabilities.cpp:
    (JSC::DFG::isSupportedForInlining):
    (JSC::DFG::mightInlineFunctionForCall):
    (JSC::DFG::mightInlineFunctionForClosureCall):
    (JSC::DFG::mightInlineFunctionForConstruct):
    * dfg/DFGCapabilities.h:
    * dfg/DFGCommonData.h:
    * dfg/DFGDesiredWeakReferences.cpp:
    (JSC::DFG::DesiredWeakReferences::reallyAdd):
    * dfg/DFGOSREntry.cpp:
    (JSC::DFG::prepareOSREntry):
    * dfg/DFGOSRExitCompilerCommon.cpp:
    (JSC::DFG::handleExitCounts):
    * dfg/DFGOperations.cpp:
    * dfg/DFGOperations.h:
    * ftl/FTLForOSREntryJITCode.cpp:
    (JSC::FTL::ForOSREntryJITCode::ForOSREntryJITCode): These variables being uninitialized is benign in terms of correctness but can sometimes cause rage-recompilations. For some reason it took this patch to reveal this.
    * ftl/FTLOSREntry.cpp:
    (JSC::FTL::prepareOSREntry):
    * runtime/Executable.cpp:
    (JSC::ExecutableBase::destroy):
    (JSC::NativeExecutable::destroy):
    (JSC::ScriptExecutable::ScriptExecutable):
    (JSC::ScriptExecutable::destroy):
    (JSC::ScriptExecutable::installCode):
    (JSC::EvalExecutable::EvalExecutable):
    (JSC::ProgramExecutable::ProgramExecutable):
    * runtime/Executable.h:
    (JSC::ScriptExecutable::setDidTryToEnterInLoop):
    (JSC::ScriptExecutable::didTryToEnterInLoop):
    (JSC::ScriptExecutable::addressOfDidTryToEnterInLoop):
    (JSC::ScriptExecutable::ScriptExecutable): Deleted.
    * runtime/StructureInlines.h:
    (JSC::Structure::storedPrototypeObject):
    (JSC::Structure::storedPrototypeStructure):

    2014-06-25  Filip Pizlo  <fpizlo@apple.com>

    [ftlopt] If a CodeBlock is jettisoned due to a watchpoint then it should be possible to figure out something about that watchpoint
    https://bugs.webkit.org/show_bug.cgi?id=134333

    Reviewed by Geoffrey Garen.

    This is engineered to provide loads of information to the profiler without incurring any
    costs when the profiler is disabled. It's the oldest trick in the book: the thing that
    fires the watchpoint doesn't actually create anything to describe the reason why it was
    fired; instead it creates a stack-allocated FireDetail subclass instance. Only if the
    FireDetail::dump() virtual method is called does anything happen.

    Currently we use this to produce very fine-grained data for Structure watchpoints and
    some cases of variable watchpoints. For all other situations, the given reason is just a
    string constant, by using StringFireDetail. If we find a situation where that string
    constant is insufficient to diagnose an issue then we can change it to provide more
    fine-grained information.

    * JavaScriptCore.xcodeproj/project.pbxproj:
    * bytecode/CodeBlock.cpp:
    (JSC::CodeBlock::CodeBlock):
    (JSC::CodeBlock::jettison):
    * bytecode/CodeBlock.h:
    * bytecode/CodeBlockJettisoningWatchpoint.cpp:
    (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
    * bytecode/CodeBlockJettisoningWatchpoint.h:
    * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp: Removed.
    * bytecode/ProfiledCodeBlockJettisoningWatchpoint.h: Removed.
    * bytecode/StructureStubClearingWatchpoint.cpp:
    (JSC::StructureStubClearingWatchpoint::fireInternal):
    * bytecode/StructureStubClearingWatchpoint.h:
    * bytecode/VariableWatchpointSet.h:
    (JSC::VariableWatchpointSet::invalidate):
    (JSC::VariableWatchpointSet::finalizeUnconditionally):
    * bytecode/VariableWatchpointSetInlines.h:
    (JSC::VariableWatchpointSet::notifyWrite):
    * bytecode/Watchpoint.cpp:
    (JSC::StringFireDetail::dump):
    (JSC::WatchpointSet::fireAll):
    (JSC::WatchpointSet::fireAllSlow):
    (JSC::WatchpointSet::fireAllWatchpoints):
    (JSC::InlineWatchpointSet::fireAll):
    * bytecode/Watchpoint.h:
    (JSC::FireDetail::FireDetail):
    (JSC::FireDetail::~FireDetail):
    (JSC::StringFireDetail::StringFireDetail):
    (JSC::Watchpoint::fire):
    (JSC::WatchpointSet::fireAll):
    (JSC::WatchpointSet::touch):
    (JSC::WatchpointSet::invalidate):
    (JSC::InlineWatchpointSet::fireAll):
    (JSC::InlineWatchpointSet::touch):
    * dfg/DFGCommonData.h:
    * dfg/DFGOperations.cpp:
    * interpreter/Interpreter.cpp:
    (JSC::Interpreter::execute):
    * jsc.cpp:
    (WTF::Masquerader::create):
    * profiler/ProfilerCompilation.cpp:
    (JSC::Profiler::Compilation::setJettisonReason):
    (JSC::Profiler::Compilation::toJS):
    * profiler/ProfilerCompilation.h:
    (JSC::Profiler::Compilation::setJettisonReason): Deleted.
    * runtime/ArrayBuffer.cpp:
    (JSC::ArrayBuffer::transfer):
    * runtime/ArrayBufferNeuteringWatchpoint.cpp:
    (JSC::ArrayBufferNeuteringWatchpoint::fireAll):
    * runtime/ArrayBufferNeuteringWatchpoint.h:
    * runtime/CommonIdentifiers.h:
    * runtime/CommonSlowPaths.cpp:
    (JSC::SLOW_PATH_DECL):
    * runtime/Identifier.cpp:
    (JSC::Identifier::dump):
    * runtime/Identifier.h:
    * runtime/JSFunction.cpp:
    (JSC::JSFunction::put):
    (JSC::JSFunction::defineOwnProperty):
    * runtime/JSGlobalObject.cpp:
    (JSC::JSGlobalObject::addFunction):
    (JSC::JSGlobalObject::haveABadTime):
    * runtime/JSSymbolTableObject.cpp:
    (JSC::VariableWriteFireDetail::dump):
    * runtime/JSSymbolTableObject.h:
    (JSC::VariableWriteFireDetail::VariableWriteFireDetail):
    (JSC::symbolTablePut):
    (JSC::symbolTablePutWithAttributes):
    * runtime/PropertyName.h:
    (JSC::PropertyName::dump):
    * runtime/Structure.cpp:
    (JSC::Structure::notifyTransitionFromThisStructure):
    * runtime/Structure.h:
    (JSC::Structure::notifyTransitionFromThisStructure): Deleted.
    * runtime/SymbolTable.cpp:
    (JSC::SymbolTableEntry::notifyWriteSlow):
    (JSC::SymbolTable::WatchpointCleanup::finalizeUnconditionally):
    * runtime/SymbolTable.h:
    (JSC::SymbolTableEntry::notifyWrite):
    * runtime/VM.cpp:
    (JSC::VM::addImpureProperty):

Source/WebCore:

    2014-07-01  Mark Lam  <mark.lam@apple.com>

    [ftlopt] DebuggerCallFrame::scope() should return a DebuggerScope.
    <https://webkit.org/b/134420>

    Reviewed by Geoffrey Garen.

    No new tests.

    * ForwardingHeaders/debugger/DebuggerCallFrame.h: Removed.
    - This is not in use.  Hence, we can remove it.
    * bindings/js/ScriptController.cpp:
    (WebCore::ScriptController::attachDebugger):
    - We should acquire the JSLock before modifying a JS global object.

    2014-06-25  Filip Pizlo  <fpizlo@apple.com>

    [ftlopt] If a CodeBlock is jettisoned due to a watchpoint then it should be possible to figure out something about that watchpoint
    https://bugs.webkit.org/show_bug.cgi?id=134333

    Reviewed by Geoffrey Garen.

    No new tests because no change in behavior.

    * bindings/scripts/CodeGeneratorJS.pm:
    (GenerateHeader):

Tools:

    2014-06-25  Filip Pizlo  <fpizlo@apple.com>

    [ftlopt] If a CodeBlock is jettisoned due to a watchpoint then it should be possible to figure out something about that watchpoint
    https://bugs.webkit.org/show_bug.cgi?id=134333

    Reviewed by Geoffrey Garen.

    * Scripts/display-profiler-output:

LayoutTests:

    2014-07-16  Mark Hahnenberg  <mhahnenberg@apple.com>

    sputnik/Implementation_Diagnostics/S12.6.4_D1.html depends on undefined behavior
    https://bugs.webkit.org/show_bug.cgi?id=135007

    Reviewed by Filip Pizlo.

    EcmaScript 5.1 specifies that during for-in enumeration newly added properties may or may not be
    visited during the current enumeration. Specifically, in section 12.6.4 the spec states:

    "If new properties are added to the object being enumerated during enumeration, the newly added properties
    are not guaranteed to be visited in the active enumeration."

    The sputnik/Implementation_Diagnostics/S12.6.4_D1.html layout test is from before sputnik was added
    to the test262 suite. I believe it has since been removed, so it would probably be okay to remove it
    from our layout test suite.

    * sputnik/Implementation_Diagnostics/S12.6.4_D1-expected.txt: Removed.
    * sputnik/Implementation_Diagnostics/S12.6.4_D1.html: Removed.

    2014-07-13  Filip Pizlo  <fpizlo@apple.com>

    [ftlopt] DFG should be able to do GCSE in SSA and this should be unified with the CSE in CPS, and both of these things should use abstract heaps for reasoning about effects
    https://bugs.webkit.org/show_bug.cgi?id=134677

    Reviewed by Sam Weinig.

    * js/regress/gcse-expected.txt: Added.
    * js/regress/gcse-poly-get-expected.txt: Added.
    * js/regress/gcse-poly-get-less-obvious-expected.txt: Added.
    * js/regress/gcse-poly-get-less-obvious.html: Added.
    * js/regress/gcse-poly-get.html: Added.
    * js/regress/gcse.html: Added.
    * js/regress/script-tests/gcse-poly-get-less-obvious.js: Added.
    * js/regress/script-tests/gcse-poly-get.js: Added.
    * js/regress/script-tests/gcse.js: Added.

    2014-07-04  Filip Pizlo  <fpizlo@apple.com>

    [ftlopt] Infer immutable object properties
    https://bugs.webkit.org/show_bug.cgi?id=134567

    Reviewed by Mark Hahnenberg.

    * js/regress/infer-constant-global-property-expected.txt: Added.
    * js/regress/infer-constant-global-property.html: Added.
    * js/regress/infer-constant-property-expected.txt: Added.
    * js/regress/infer-constant-property.html: Added.
    * js/regress/script-tests/infer-constant-global-property.js: Added.
    * js/regress/script-tests/infer-constant-property.js: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172129 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago Build break since r172093
ryuan.choi@samsung.com [Wed, 6 Aug 2014 05:20:33 +0000 (05:20 +0000)]
Build break since r172093
https://bugs.webkit.org/show_bug.cgi?id=135636

Reviewed by Gyuyoung Kim.

Since r172093, AbstractView.idl is added in CMake Build but CodeGeneratorJS.pm does not take care of it.

No new tests required, no new functionality.

* bindings/scripts/CodeGeneratorJS.pm:
(ShouldGenerateToJSDeclaration):
(ShouldGenerateToJSImplementation):
(GetImplClassName): Added to rename implClassName to DOMWindow if interface name is AbstractView.
(GenerateHeader):
(GenerateImplementation):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172128 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago Unreviewed, rolling out r172099.
commit-queue@webkit.org [Wed, 6 Aug 2014 02:30:22 +0000 (02:30 +0000)]
Unreviewed, rolling out r172099.
https://bugs.webkit.org/show_bug.cgi?id=135635

Needs a do-over. (Requested by kling on #webkit).

Reverted changeset:

"The JIT should cache property lookup misses."
https://bugs.webkit.org/show_bug.cgi?id=135578
http://trac.webkit.org/changeset/172099

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172120 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago [CG] strokeRect does not honor lineJoin
commit-queue@webkit.org [Wed, 6 Aug 2014 02:19:40 +0000 (02:19 +0000)]
[CG] strokeRect does not honor lineJoin
https://bugs.webkit.org/show_bug.cgi?id=132948

Patch by Nikos Andronikos <nikos.andronikos-webkit@cisra.canon.com.au> on 2014-08-05
Reviewed by Darin Adler.

Source/WebCore:

Replaced use of CGContextStrokeRectWithWidth convenience function with explicit
call to CGContextAddRect and CGContextStrokePath.  The convenience functions
CGContextStrokeRect and CGContextStrokeRectWithWidth fail to apply some attributes
(e.g. stroke join) of the graphics state in certain cases.

Test: fast/canvas/canvas-strokeRect-lineJoin.html

* platform/graphics/cg/GraphicsContextCG.cpp:
(WebCore::GraphicsContext::strokeRect):

LayoutTests:

Test behavior of canvas with stroke rect with line join

* fast/canvas/canvas-strokeRect-lineJoin-expected.txt: Added.
* fast/canvas/canvas-strokeRect-lineJoin.html: Added.
* fast/canvas/script-tests/canvas-strokeRect-lineJoin.js: Added.
* platform/mac-mountainlion/canvas/philip/tests/2d.strokeRect.zero.5-expected.txt: Added.
* platform/mac/fast/canvas/canvas-strokeRect-alpha-shadow-expected.txt: Removed.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172119 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago [iOS] Run ImageDiff in the sim bootstrap
dfarler@apple.com [Wed, 6 Aug 2014 01:39:58 +0000 (01:39 +0000)]
[iOS] Run ImageDiff in the sim bootstrap
https://bugs.webkit.org/show_bug.cgi?id=135624

Reviewed by David Kilzer.

* Scripts/webkitpy/port/image_diff.py:
(ImageDiffer.stop):
(IOSSimulatorImageDiffer):
(IOSSimulatorImageDiffer._start):
* Scripts/webkitpy/port/ios.py:
(IOSSimulatorPort.diff_image):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172118 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago [iOS] run-webkit-tests: defaults for --runtime and --device-type flags
dfarler@apple.com [Wed, 6 Aug 2014 01:38:06 +0000 (01:38 +0000)]
[iOS] run-webkit-tests: defaults for --runtime and --device-type flags
https://bugs.webkit.org/show_bug.cgi?id=135441

Reviewed by Tim Horton.

* Scripts/webkitpy/layout_tests/run_webkit_tests.py:
(parse_args):
(_set_up_derived_options):
If using the ios-simulator platform and runtime or device-type
aren't defined, get the latest runtime from the active Xcode.app
and pick a default device type based on the desired architecture:
iPhone 5 for i386 and iPhone 5s for x86_64.
* Scripts/webkitpy/xcode/__init__.py: Added.
* Scripts/webkitpy/xcode/simulator.py: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172117 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago [GTK] [CSS Shapes] Layout test fast/shapes/shape-outside-floats/shape-outside-image...
bjonesbe@adobe.com [Wed, 6 Aug 2014 01:30:27 +0000 (01:30 +0000)]
[GTK] [CSS Shapes] Layout test fast/shapes/shape-outside-floats/shape-outside-image-shape-margin.html fails
https://bugs.webkit.org/show_bug.cgi?id=135585

Reviewed by Zoltan Horvath.

The positioning was dependent on the font metrics of the <p> tag,
which differs between platforms. This fixes that, which should make
the test pass on all platforms.

* fast/shapes/shape-outside-floats/shape-outside-image-shape-margin-expected.html:
* fast/shapes/shape-outside-floats/shape-outside-image-shape-margin.html:
* platform/gtk/TestExpectations:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172116 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago [iOS] simctl can hang if run quickly after shutting down CoreSimulator services
dfarler@apple.com [Wed, 6 Aug 2014 01:07:09 +0000 (01:07 +0000)]
[iOS] simctl can hang if run quickly after shutting down CoreSimulator services
https://bugs.webkit.org/show_bug.cgi?id=135626

Reviewed by Dan Bernstein.

* Scripts/webkitpy/port/ios.py:
(IOSSimulatorPort.setup_test_run):
Remove call to simctl shutdown <device> - telling the simulator app to quit
will shut down all booted devices.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172115 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago [Win] Build attempts to use ANGLE when not building WebGL.
bfulgham@apple.com [Wed, 6 Aug 2014 01:06:02 +0000 (01:06 +0000)]
[Win] Build attempts to use ANGLE when not building WebGL.
https://bugs.webkit.org/show_bug.cgi?id=135630
<rdar://problem/135630>

Unreviewed build fix.

* platform/graphics/win/GraphicsContext3DWin.cpp: Move #include of GraphicsContext3D.h
inside USE(3D_GRAPHICS) guard.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172114 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago Fix resource leak of unclosed file descriptor.
commit-queue@webkit.org [Wed, 6 Aug 2014 01:02:50 +0000 (01:02 +0000)]
Fix resource leak of unclosed file descriptor.
https://bugs.webkit.org/show_bug.cgi?id=135417

Patch by Przemyslaw Kuczynski <p.kuczynski@samsung.com> on 2014-08-05
Reviewed by Darin Adler.

When open returns zero, fd handle leaks. Checking (fd > 0) needs to be replaced
with (fd != -1).

* assembler/MacroAssemblerARM.cpp:
(JSC::isVFPPresent):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172113 268f45cc-cd09-0410-ab3c-d52691b4dbfc
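
The failure mode named in the commit message above, as an added example that is not WebKit's code: when descriptor 0 is free, a successful open() returns 0, so a (fd > 0) check reports failure and never closes it, while (fd != -1) handles it. The function names and the use of /dev/null are assumptions made for this illustration.

```cpp
#include <cstdio>
#include <fcntl.h>
#include <unistd.h>

// True if `fd` currently refers to an open file description.
static bool fdIsOpen(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

// The check the commit message calls wrong: 0 is a valid descriptor, so a
// successful open() that returns 0 is treated as a failure and never closed.
static bool probeWithGreaterThanZero(const char* path)
{
    int fd = open(path, O_RDONLY);
    if (fd > 0) {
        close(fd);
        return true;
    }
    return false;
}

// The corrected check: open() signals failure only with -1.
static bool probeWithNotMinusOne(const char* path)
{
    int fd = open(path, O_RDONLY);
    if (fd != -1) {
        close(fd);
        return true;
    }
    return false;
}

struct Outcome {
    bool reportedSuccess;   // what the probe told its caller
    bool descriptorLeaked;  // whether descriptor 0 was left open afterwards
};

// Hypothetical harness: frees descriptor 0 so that the next open() returns 0
// (POSIX hands out the lowest free descriptor), runs the probe, records
// whether the descriptor was left open, then restores the original stdin.
static Outcome runWithDescriptorZeroFree(bool (*probe)(const char*), const char* path)
{
    int savedStdin = dup(STDIN_FILENO); // -1 if stdin was already closed
    close(STDIN_FILENO);

    Outcome outcome;
    outcome.reportedSuccess = probe(path);
    outcome.descriptorLeaked = fdIsOpen(STDIN_FILENO);

    if (outcome.descriptorLeaked)
        close(STDIN_FILENO);
    if (savedStdin != -1) {
        dup2(savedStdin, STDIN_FILENO);
        close(savedStdin);
    }
    return outcome;
}

int main()
{
    Outcome buggy = runWithDescriptorZeroFree(probeWithGreaterThanZero, "/dev/null");
    Outcome fixed = runWithDescriptorZeroFree(probeWithNotMinusOne, "/dev/null");
    std::printf("fd > 0  : success=%d leaked=%d\n", buggy.reportedSuccess, buggy.descriptorLeaked);
    std::printf("fd != -1: success=%d leaked=%d\n", fixed.reportedSuccess, fixed.descriptorLeaked);
    return 0;
}
```

Besides the leak, the caller of the (fd > 0) variant is told the file could not be opened, so any decision that depends on its contents silently takes the fallback path.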

6 years ago [iOS WK2] Crash going back on a specific tumblr blog (under ScrollingStateTree::remov...
simon.fraser@apple.com [Wed, 6 Aug 2014 00:54:04 +0000 (00:54 +0000)]
[iOS WK2] Crash going back on a specific tumblr blog (under ScrollingStateTree::removeNodeAndAllDescendants)
https://bugs.webkit.org/show_bug.cgi?id=135629
<rdar://problem/17802174>

Reviewed by Tim Horton.

Source/WebCore:

In r170198 I added an "orphan scrolling nodes" code path that sets aside subtrees
of scrolling nodes into an m_orphanedSubframeNodes map, which keeps them alive until
they get reparented or destroyed. The nodes in that subtree remain in m_stateNodeMap,
which holds raw pointers to them.

However, ScrollingStateTree::commit() can clear m_orphanedSubframeNodes, which is
sometimes non-empty at this point. When that happened, we would destroy nodes which
were still referenced by m_stateNodeMap, with the result that a later query for the
same nodeID would hand back a pointer to a deleted object.

Fix by calling recursiveNodeWillBeRemoved() on nodes in the m_orphanedSubframeNodes
before clearing it, which removes them and all their descendants from the state node map.

Test: platform/mac-wk2/tiled-drawing/scrolling/frames/orphaned-subtree.html

* page/scrolling/ScrollingStateTree.cpp:
(WebCore::ScrollingStateTree::clear):
(WebCore::ScrollingStateTree::commit):

LayoutTests:

Testcase with nesting of frames inside fixed inside frames, where a subframe disconnects
part of the scrolling tree.

* platform/mac-wk2/tiled-drawing/scrolling/frames/orphaned-subtree-expected.txt: Added.
* platform/mac-wk2/tiled-drawing/scrolling/frames/orphaned-subtree.html: Added.
* platform/mac-wk2/tiled-drawing/scrolling/frames/resources/leaf-frame.html: Added.
* platform/mac-wk2/tiled-drawing/scrolling/frames/resources/subframe-inside-fixed.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172112 268f45cc-cd09-0410-ab3c-d52691b4dbfc
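
A simplified model of the lifetime bug described in the commit message above, added here as an example and not taken from WebKit: an owning map of orphaned subtrees is cleared while a second map still holds raw pointers into them. Only m_stateNodeMap, m_orphanedSubframeNodes and recursiveNodeWillBeRemoved are names from the commit message; StateTreeModel, StateNode and the other functions are hypothetical, and the model only counts stale entries without ever dereferencing them.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <unordered_map>
#include <vector>

using NodeID = uint64_t;

struct StateNode {
    explicit StateNode(NodeID nodeID) : id(nodeID) {}
    NodeID id;
    std::vector<std::unique_ptr<StateNode>> children;
};

class StateTreeModel {
public:
    // Every node is registered by raw pointer for lookup by id.
    std::unique_ptr<StateNode> createNode(NodeID id)
    {
        auto node = std::make_unique<StateNode>(id);
        m_stateNodeMap[id] = node.get();
        return node;
    }

    // Sets a subtree aside; the orphan map is now its only owner.
    void orphanSubtree(std::unique_ptr<StateNode> root)
    {
        NodeID id = root->id;
        m_orphanedSubframeNodes[id] = std::move(root);
    }

    // Behaviour before the fix: the nodes are destroyed, their map entries stay.
    void commitWithoutUnregistering() { m_orphanedSubframeNodes.clear(); }

    // Behaviour after the fix: unregister each subtree, then destroy it.
    void commitWithUnregistering()
    {
        for (auto& entry : m_orphanedSubframeNodes)
            recursiveNodeWillBeRemoved(*entry.second);
        m_orphanedSubframeNodes.clear();
    }

    // Membership test only; the stored pointer is never dereferenced here.
    bool isRegistered(NodeID id) const { return m_stateNodeMap.count(id) != 0; }

private:
    void recursiveNodeWillBeRemoved(const StateNode& node)
    {
        m_stateNodeMap.erase(node.id);
        for (auto& child : node.children)
            recursiveNodeWillBeRemoved(*child);
    }

    std::unordered_map<NodeID, StateNode*> m_stateNodeMap;
    std::unordered_map<NodeID, std::unique_ptr<StateNode>> m_orphanedSubframeNodes;
};

struct CommitResult {
    size_t staleEntries;      // ids still registered although their node is gone
    bool liveRootRegistered;  // the untouched node must stay reachable
};

// Constructed scenario: live root 1, orphaned chain 10 -> 11 -> 12, then commit.
static CommitResult commitOrphanedSubtree(bool unregisterFirst)
{
    StateTreeModel tree;
    auto liveRoot = tree.createNode(1);
    auto subframe = tree.createNode(10);
    auto child = tree.createNode(11);
    child->children.push_back(tree.createNode(12));
    subframe->children.push_back(std::move(child));
    tree.orphanSubtree(std::move(subframe));

    if (unregisterFirst)
        tree.commitWithUnregistering();
    else
        tree.commitWithoutUnregistering();

    const NodeID orphanedIDs[] = { 10, 11, 12 };
    CommitResult result = { 0, tree.isRegistered(liveRoot->id) };
    for (NodeID id : orphanedIDs) {
        if (tree.isRegistered(id))
            ++result.staleEntries;
    }
    return result;
}

int main()
{
    std::printf("stale entries without unregistering: %zu\n", commitOrphanedSubtree(false).staleEntries);
    std::printf("stale entries with unregistering:    %zu\n", commitOrphanedSubtree(true).staleEntries);
    return 0;
}
```

Each stale entry is a pointer to freed memory that a later lookup by the same id would return, which is why the unregistering has to cover descendants and not just the subtree roots.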

6 years ago Add the ability to force text to render in white, not just black
commit-queue@webkit.org [Tue, 5 Aug 2014 23:40:24 +0000 (23:40 +0000)]
Add the ability to force text to render in white, not just black
https://bugs.webkit.org/show_bug.cgi?id=135625

Patch by Peyton Randolph <prandolph@apple.com> on 2014-08-05
Reviewed by Beth Dakin.

This patch introduces PaintBehaviorForceWhiteText, a complement to PaintBehaviorForceBlackText. If
a client specifies both PaintBehaviorForceWhiteText and PaintBehaviorForceBlackText, the text will be
painted black.

No new tests.

* rendering/EllipsisBox.cpp:
(WebCore::EllipsisBox::paint): Use the forced text color to paint the text if requested.
* rendering/InlineTextBox.cpp:
(WebCore::InlineTextBox::paint): Disable the text shadow if a text color has been forced.
* rendering/PaintInfo.h:
(WebCore::PaintInfo::forceTextColor):
Return true iff the client has requested to force a black or white text color.
(WebCore::PaintInfo::forceWhiteText):
Return true iff forcing white text has been requested.
(WebCore::PaintInfo::forcedTextColor):
Return the forced text color. Currently only white and black are supported.
* rendering/PaintPhase.h:
* rendering/RenderLayer.cpp:
(WebCore::RenderLayer::paintLayerContents): Remove the forceBlackText-related code as it is redundant.
(WebCore::RenderLayer::paintForegroundForFragments):
Remove forceBlackText parameter and infer the correct behavior from the given paint behavior.
* rendering/RenderLayer.h:
* rendering/TextPaintStyle.cpp:
(WebCore::computeTextPaintStyle): Use the forced text color if available.
(WebCore::computeTextSelectionPaintStyle): Use the forced text color if available.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172110 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago REGRESSION (r164337): Pages are sometimes cut off/oriented incorrectly after using...
timothy_horton@apple.com [Tue, 5 Aug 2014 23:32:24 +0000 (23:32 +0000)]
REGRESSION (r164337): Pages are sometimes cut off/oriented incorrectly after using WKThumbnailView
https://bugs.webkit.org/show_bug.cgi?id=135622
<rdar://problem/17202556>

Reviewed by Dan Bernstein.

In some cases (when the page changed scroll offset while thumbnailed),
when transitioning back to thumbnail scale = 1, we would get the math
wrong and end up with a non-identity sublayerTransform on the DrawingArea.

Luckily, none of this code is necessary anymore, as the only client
of WKThumbnailView only uses its snapshotting mode.

* Shared/ImageOptions.h:
Remove SnapshotOptionsRespectDrawingAreaTransform; DrawingArea no longer
has a rootLayerTransform().

* UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::setThumbnailScale): Deleted.
* UIProcess/WebPageProxy.h:
* WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::WebPage):
(WebKit::WebPage::scaledSnapshotWithOptions):
(WebKit::WebPage::snapshotAtSize):

(WebKit::WebPage::setThumbnailScale): Deleted.
* WebProcess/WebPage/WebPage.h:
* WebProcess/WebPage/WebPage.messages.in:
Remove setThumbnailScale and SnapshotOptionsRespectDrawingAreaTransform.

* WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::didCommitLoad):
Revert this to its state before r164337, as we no longer have "thumbnail scale".

* UIProcess/API/Cocoa/_WKThumbnailView.h:
* UIProcess/API/Cocoa/_WKThumbnailView.mm:
(-[_WKThumbnailView initWithFrame:fromWKView:]):
(-[_WKThumbnailView _viewWasUnparented]):
(-[_WKThumbnailView _viewWasParented]):
(-[_WKThumbnailView _requestSnapshotIfNeeded]):
(-[_WKThumbnailView setScale:]):
Clean up code assuming _shouldApplyThumbnailScale = NO, _usesSnapshot = YES.

(-[_WKThumbnailView setUsesSnapshot:]):
(-[_WKThumbnailView usesSnapshot]):
Always return YES from usesSnapshot; we only support snapshotting WKThumbnailViews.
Ignore setUsesSnapshot.

* UIProcess/API/mac/WKView.mm:
(-[WKView _setThumbnailView:]):
(-[WKView _updateThumbnailViewLayer]):
Stop checking usesSnapshot; it's always true.

* WebProcess/WebPage/mac/TiledCoreAnimationDrawingArea.h:
* WebProcess/WebPage/mac/TiledCoreAnimationDrawingArea.mm:
(WebKit::TiledCoreAnimationDrawingArea::setRootLayerTransform): Deleted.
* WebProcess/WebPage/DrawingArea.cpp:
(WebKit::DrawingArea::rootLayerTransform): Deleted.
* WebProcess/WebPage/DrawingArea.h:
(WebKit::DrawingArea::setRootLayerTransform): Deleted.
Remove rootLayerTransform() and setRootLayerTransform().

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172104 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago The JIT should cache property lookup misses.
akling@apple.com [Tue, 5 Aug 2014 23:10:38 +0000 (23:10 +0000)]
The JIT should cache property lookup misses.
<https://webkit.org/b/135578>

Source/JavaScriptCore:

Add support for inline caching of object properties that don't exist.
Previously we'd fall back to the C++ slow-path whenever a property was missing.

It's implemented as a simple GetById-style stub that returns jsUndefined() as
long as the Structure chain check passes.

10x speedup on the included microbenchmark.

Reviewed by Geoffrey Garen.

* jit/Repatch.cpp:
(JSC::toString):
(JSC::kindFor):
(JSC::generateByIdStub):
(JSC::tryCacheGetByID):
(JSC::patchJumpToGetByIdStub):
* runtime/PropertySlot.h:
(JSC::PropertySlot::isUnset):

LayoutTests:

Add a JS microbenchmark that accesses an undefined property in a hot loop.

Reviewed by Geoffrey Garen.

* js/regress/script-tests/undefined-property-access.js: Added.
(foo):
* js/regress/undefined-property-access-expected.txt: Added.
* js/regress/undefined-property-access.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172099 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago Unreviewed, rolling out r172009.
commit-queue@webkit.org [Tue, 5 Aug 2014 23:06:03 +0000 (23:06 +0000)]
Unreviewed, rolling out r172009.
https://bugs.webkit.org/show_bug.cgi?id=135627

"Commit landed on trunk instead of ftlopt branch." (Requested
by saamyjoon on #webkit).

Reverted changeset:

"Create a more generic way for VMEntryScope to notify those
interested that it will be destroyed"
https://bugs.webkit.org/show_bug.cgi?id=135358
http://trac.webkit.org/changeset/172009

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172098 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago Remove an unused argument from BuildbotQueue.update()
ap@apple.com [Tue, 5 Aug 2014 23:00:57 +0000 (23:00 +0000)]
Remove an unused argument from BuildbotQueue.update()
https://bugs.webkit.org/show_bug.cgi?id=135623

Reviewed by Timothy Hatcher.

Also renamed a constant to better match what it means.

* BuildSlaveSupport/build.webkit.org-config/public_html/dashboard/Scripts/BuildbotQueue.js:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172097 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago Web Inspector: support storing multiple timeline recordings in the manager
burg@cs.washington.edu [Tue, 5 Aug 2014 22:32:58 +0000 (22:32 +0000)]
Web Inspector: support storing multiple timeline recordings in the manager
https://bugs.webkit.org/show_bug.cgi?id=132875

Reviewed by Timothy Hatcher.

This patch adds support for capturing multiple timeline recordings and switching
between them in the user interface using hierarchical path components.

* Localizations/en.lproj/localizedStrings.js:
* UserInterface/Base/Main.js:
(WebInspector.contentLoaded): Remove hard-coded priming of the timeline sidebar panel.
Instead, load the first recording in the timeline manager after the initial load.

(WebInspector._revealAndSelectRepresentedObjectInNavigationSidebar): Don't suppress
onselect events when selecting the tree element for a newly shown content view. This
allows the sidebar to sync the current content view and timeline tree element selection
with what is displayed in the content browser.

* UserInterface/Controllers/TimelineManager.js: Add two new events, RecordingCreated and
RecordingLoaded. A recording is considered active when any new records received will be
appended to that recording. The user interface is not necessarily viewing the active
recording.

(WebInspector.TimelineManager.delayedWork):
(WebInspector.TimelineManager): Keep a list of recordings, and load the first recording
asynchronously so that everyone can add an event listener for it.

(WebInspector.TimelineManager.prototype.get activeRecording):
(WebInspector.TimelineManager.prototype.get recordings):
(WebInspector.TimelineManager.prototype.startCapturing):
(WebInspector.TimelineManager.prototype.stopCapturing): Use promises to make the iOS 7
fallback path better match the async semantics of the non-fallback path.

(WebInspector.TimelineManager.prototype.unloadRecording):
(WebInspector.TimelineManager.prototype._loadNewRecording): Stop capturing and unload
any existing recording before creating and loading a new recording.

(WebInspector.TimelineManager.prototype._startAutoCapturing): Create a new recording
rather than resetting the current recording.

* UserInterface/Models/NetworkTimeline.js:
(WebInspector.NetworkTimeline):
* UserInterface/Models/Timeline.js:
(WebInspector.Timeline):
(WebInspector.Timeline.prototype.get type): Each timeline stores its TimelineRecord.Type
so that other code can create type-specific views using the Timeline as a representedObject.

* UserInterface/Models/TimelineRecording.js: For each recording, add new state for a unique identifier,
display string, and an isWritable flag. Once a recording is unloaded, it becomes read-only.
(WebInspector.TimelineRecording.prototype.get displayName):
(WebInspector.TimelineRecording.prototype.get identifier):
(WebInspector.TimelineRecording.prototype.isWritable):
(WebInspector.TimelineRecording.prototype.unloaded):
(WebInspector.TimelineRecording.prototype.reset): A recording can only be reset if it is writable.

* UserInterface/Protocol/InspectorFrontendAPI.js:
(InspectorFrontendAPI.setTimelineProfilingEnabled): Don't make redundant start/stop capturing calls.

* UserInterface/Views/LayoutTimelineOverviewGraph.js: Use a timeline as the representedObject for all
timeline-specific graphs and views. Otherwise, use the recording.
(WebInspector.LayoutTimelineOverviewGraph):
* UserInterface/Views/LayoutTimelineView.js:
(WebInspector.LayoutTimelineView):
(WebInspector.LayoutTimelineView.prototype._treeElementSelected):
* UserInterface/Views/NetworkTimelineOverviewGraph.js:
(WebInspector.NetworkTimelineOverviewGraph):
* UserInterface/Views/NetworkTimelineView.js:
(WebInspector.NetworkTimelineView):
* UserInterface/Views/OverviewTimelineView.js:
(WebInspector.OverviewTimelineView.prototype._networkTimelineRecordAdded):
* UserInterface/Views/ScriptTimelineOverviewGraph.js:
(WebInspector.ScriptTimelineOverviewGraph):
* UserInterface/Views/ScriptTimelineView.js:
(WebInspector.ScriptTimelineView):
(WebInspector.ScriptTimelineView.prototype._treeElementSelected):

* UserInterface/Views/TimelineContentView.js: Iterate over timeline objects when setting up maps. Use timelines
as keys rather than their type identifiers.
(WebInspector.TimelineContentView.prototype.showTimelineViewForTimeline): Renamed from showTimelineView. This
function takes a Timeline instance rather than an identifier, since the content view is specific to one recording.
(WebInspector.TimelineContentView.prototype.get selectionPathComponents): Match types against the currently
visible timeline's representedObject.
(WebInspector.TimelineContentView.prototype.get currentTimelineView): Used by the sidebar panel to sync timeline
tree element selections to TimelineView shown by the TimelineContentView.
(WebInspector.TimelineContentView.prototype.shown): Sync enablement of the "Clear Timelines" button to recording
read-only state.

(WebInspector.TimelineContentView.prototype.saveToCookie):
(WebInspector.TimelineContentView.prototype.restoreFromCookie): Added. Only handle saving/restoring the subview.

(WebInspector.TimelineContentView.prototype._pathComponentSelected):
(WebInspector.TimelineContentView.prototype._showTimelineView): Relax the early return so that timeline views
and content tree outlines are reattached when re-navigating to the same timeline view via back-forward entries.
(WebInspector.TimelineContentView.prototype.showTimelineView): Deleted.

* UserInterface/Views/TimelineOverviewGraph.js:
(WebInspector.TimelineOverviewGraph):

* UserInterface/Views/TimelineSidebarPanel.js:
(WebInspector.TimelineSidebarPanel): Keep a tree outline and tree element map for storing available recordings.
(WebInspector.TimelineSidebarPanel.createTimelineTreeElement):
(WebInspector.TimelineSidebarPanel.prototype.shown): Added.
(WebInspector.TimelineSidebarPanel.prototype.showDefaultContentView): Add a guard.
(WebInspector.TimelineSidebarPanel.prototype.get hasSelectedElement): Added. Selected recording tree elements
should be considered when deciding whether a represented object has been selected in the sidebar panel.

(WebInspector.TimelineSidebarPanel.prototype.treeElementForRepresentedObject.looselyCompareRepresentedObjects):
(WebInspector.TimelineSidebarPanel.prototype.treeElementForRepresentedObject.get if):
(WebInspector.TimelineSidebarPanel.prototype.treeElementForRepresentedObject):
(WebInspector.TimelineSidebarPanel.prototype.showTimelineOverview):
(WebInspector.TimelineSidebarPanel.prototype.showTimelineViewForType): Renamed to explicitly take a type identifier.
Delegate the actual showing of the timeline view to the onselect handler for the timelines tree outline.

(WebInspector.TimelineSidebarPanel.prototype.matchTreeElementAgainstCustomFilters):
(WebInspector.TimelineSidebarPanel.prototype.saveStateToCookie): Fix a typo.
(WebInspector.TimelineSidebarPanel.prototype.restoreStateFromCookie): Fix a typo.
(WebInspector.TimelineSidebarPanel.prototype._recordingsTreeElementSelected): Sync the currently displayed
recording object and content view, and sync the selected tree element to the displayed timeline subview.

(WebInspector.TimelineSidebarPanel.prototype._timelinesTreeElementSelected): If this is a user action, show the timeline.
(WebInspector.TimelineSidebarPanel.prototype._contentBrowserCurrentContentViewDidChange): Use classList.toggle().
(WebInspector.TimelineSidebarPanel.prototype._recordingCreated): Dynamically add new recordings to the interface.
(WebInspector.TimelineSidebarPanel.prototype._recordingLoaded): Automatically show recordings when they are loaded.
(WebInspector.TimelineSidebarPanel.prototype._recordGlyphClicked): Shift+click will force-create a new recording.
(WebInspector.TimelineSidebarPanel.prototype.initialize): Deleted.
* UserInterface/Views/TimelineView.js:
(WebInspector.TimelineView):
(WebInspector.TimelineView.prototype.get representedObject):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172094 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago More work on CMake.
achristensen@apple.com [Tue, 5 Aug 2014 22:28:19 +0000 (22:28 +0000)]
More work on CMake.
https://bugs.webkit.org/show_bug.cgi?id=135620

.:
Reviewed by Laszlo Gombos.

* Source/cmake/OptionsMac.cmake:
Use UDIS86 by default on Mac.

Source/JavaScriptCore:
Reviewed by Laszlo Gombos.

* CMakeLists.txt:
Added missing source files.
* PlatformEfl.cmake:
* PlatformGTK.cmake:
Include glib directories and libraries to find glib.h in EventLoop.cpp.
* PlatformMac.cmake:
Moved STATICALLY_LINKED_WITH_WTF definition away from the common CMakeLists
because it should not be defined on Windows.
Added remote inspector source files.

Source/WebCore:
Reviewed by Laszlo Gombos.

* CMakeLists.txt:
Added missing idls.
* PlatformMac.cmake:
Added additional include directories and source files.
* css/makeSelectorPseudoClassAndCompatibilityElementMap.py:
* css/makeSelectorPseudoElementsMap.py:
The Windows distribution of gperf doesn't like single quotes for its key-positions parameters.
* page/Chrome.h:
Compile fix.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172093 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago Web Inspector: ReplayManager shouldn't assume replay status when the inspector is...
burg@cs.washington.edu [Tue, 5 Aug 2014 21:56:57 +0000 (21:56 +0000)]
Web Inspector: ReplayManager shouldn't assume replay status when the inspector is opened
https://bugs.webkit.org/show_bug.cgi?id=135212

Reviewed by Timothy Hatcher.

Source/WebCore:

The frontend should be able to introspect the session and segment state machines,
currently loaded segment and session identifiers, and replay position.

* inspector/InspectorReplayAgent.cpp:
(WebCore::buildInspectorObjectForSessionState): Added.
(WebCore::buildInspectorObjectForSegmentState): Added.
(WebCore::InspectorReplayAgent::currentReplayState): Added.
* inspector/InspectorReplayAgent.h:
* inspector/protocol/Replay.json: Add currentReplayState query command.
* replay/ReplayController.h: Add some accessors.

Source/WebInspectorUI:

The inspector could be closed and reopened at any point during capturing or replaying.
ReplayManager should query the current state on initialization rather than assuming
that the replay controller is still in its initial state.

ReplayManager's initialization code requires querying the backend for the current replay
state. This could race with replay protocol events that mutate the manager's state before
it is fully initialized, leading to undefined behavior.

To mitigate this, all protocol event handlers (called by ReplayObserver) are wrapped
with a guard that enqueues the callback if initialization is not yet complete. This
queue is implemented via multiple then-chaining of a shared 'initialization' promise
which resolves when initialization completes.

* UserInterface/Controllers/ReplayManager.js:
(WebInspector.ReplayManager.then):
(WebInspector.ReplayManager.catch):
(WebInspector.ReplayManager): Rewrite the initialization code to first query the replay
state, set the initialization flag to true, and then request and update session records.
The sessions must be loaded after querying initial state because ReplayManager.sessionCreated
requires replay state to be initialized.

(WebInspector.ReplayManager.prototype.get sessionState):
(WebInspector.ReplayManager.prototype.get segmentState):
(WebInspector.ReplayManager.prototype.get activeSessionIdentifier):
(WebInspector.ReplayManager.prototype.get activeSegmentIdentifier):
(WebInspector.ReplayManager.prototype.get playbackSpeed):
(WebInspector.ReplayManager.prototype.set playbackSpeed):
(WebInspector.ReplayManager.prototype.get currentPosition): Add assertions to catch uses of
manager state before the manager is fully initialized.

(WebInspector.ReplayManager.prototype.waitUntilInitialized): Added. It returns a shared promise
that is fulfilled when initialization is complete.

(WebInspector.ReplayManager.prototype.captureStarted):
(WebInspector.ReplayManager.prototype.captureStopped):
(WebInspector.ReplayManager.prototype.playbackStarted):
(WebInspector.ReplayManager.prototype.playbackHitPosition):
(WebInspector.ReplayManager.prototype.playbackPaused):
(WebInspector.ReplayManager.prototype.playbackFinished):
(WebInspector.ReplayManager.prototype.sessionModified):
(WebInspector.ReplayManager.prototype.sessionLoaded):
(WebInspector.ReplayManager.prototype.segmentCompleted.set catch):
(WebInspector.ReplayManager.prototype.segmentCompleted):
(WebInspector.ReplayManager.prototype.segmentRemoved.then):
(WebInspector.ReplayManager.prototype.segmentRemoved):
(WebInspector.ReplayManager.prototype.segmentLoaded): Add initialization guards.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172087 268f45cc-cd09-0410-ab3c-d52691b4dbfc
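
The initialization guard described in the commit message above, as an added JavaScript illustration that is not WebKit's ReplayManager code: `FakeBackend`, `DemoReplayManager`, the state strings and the 5 ms delay are constructed for the example. Handlers that arrive before the state query is answered chain onto one shared initialization promise; the unguarded run shows the same handlers touching uninitialized state, which the late query result then overwrites.

```javascript
// Added illustration (not WebKit source). All names and states are constructed.

// Stand-in for the inspector backend: answers the state query asynchronously.
class FakeBackend {
  constructor(snapshotState, delayMs) {
    this.snapshotState = snapshotState;
    this.delayMs = delayMs;
  }
  currentReplayState() {
    return new Promise((resolve) => {
      setTimeout(() => resolve({ sessionState: this.snapshotState }), this.delayMs);
    });
  }
}

class DemoReplayManager {
  constructor(backend, { guarded }) {
    this._guarded = guarded;
    this._initialized = false;
    this._sessionState = undefined;
    this.log = [];
    // One shared promise: it settles once the queried state has been applied.
    this._initializationPromise = backend.currentReplayState().then((state) => {
      this._sessionState = state.sessionState;
      this._initialized = true;
      this.log.push("init:" + state.sessionState);
    });
  }

  waitUntilInitialized() {
    return this._initializationPromise;
  }

  // Accessor assertion: catches reads of manager state before initialization.
  get sessionState() {
    if (!this._initialized) throw new Error("sessionState read before initialization");
    return this._sessionState;
  }

  // Protocol event handlers (the real manager has many more).
  captureStopped() {
    return this._dispatch("captureStopped", "Inactive");
  }
  playbackStarted() {
    return this._dispatch("playbackStarted", "Replaying");
  }

  _dispatch(eventName, nextState) {
    if (this._guarded && !this._initialized) {
      // Enqueue by then-chaining. Callbacks registered on the same promise run
      // in registration order, so deferred events keep their arrival order.
      return this.waitUntilInitialized().then(() => this._dispatch(eventName, nextState));
    }
    this.log.push(eventName + (this._initialized ? "" : " (uninitialized)"));
    this._sessionState = nextState;
    return Promise.resolve();
  }
}

// Two events arrive while the state query is still in flight.
function runScenario(guarded) {
  const manager = new DemoReplayManager(new FakeBackend("Capturing", 5), { guarded });
  const pending = [manager.captureStopped(), manager.playbackStarted()];
  return Promise.all(pending)
    .then(() => manager.waitUntilInitialized())
    .then(() => ({ finalState: manager.sessionState, log: manager.log }));
}
```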

6 years ago [iOS] Media controls layout incorrectly in RTL content
dino@apple.com [Tue, 5 Aug 2014 21:33:54 +0000 (21:33 +0000)]
[iOS] Media controls layout incorrectly in RTL content
https://bugs.webkit.org/show_bug.cgi?id=135621
<rdar://problem/17849206>

Reviewed by Eric Carlson.

Media controls should always lay out in LTR mode, even when the
page content is RTL. There already was a rule to do this on
non-iOS systems, but it wasn't getting included for iOS.
In this case I put the rule on the composited parent of the
controls in order to maintain the padding of the control panel.
This should still leave the captions unaffected.

* Modules/mediacontrols/mediaControlsiOS.css:
(video::-webkit-media-controls-panel-composited-parent): Add direction: ltr.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172083 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago Web Replay: rename protocol methods for getting replay session/segment data
burg@cs.washington.edu [Tue, 5 Aug 2014 21:28:38 +0000 (21:28 +0000)]
Web Replay: rename protocol methods for getting replay session/segment data
https://bugs.webkit.org/show_bug.cgi?id=135618

Reviewed by Timothy Hatcher.

Source/WebCore:

* inspector/InspectorReplayAgent.cpp:
(WebCore::InspectorReplayAgent::getSessionData):
(WebCore::InspectorReplayAgent::getSegmentData):
(WebCore::InspectorReplayAgent::getSerializedSession): Deleted.
(WebCore::InspectorReplayAgent::getSerializedSegment): Deleted.
* inspector/InspectorReplayAgent.h:
* inspector/protocol/Replay.json:

Source/WebInspectorUI:

* UserInterface/Controllers/ReplayManager.js:
(WebInspector.ReplayManager.prototype.getSession.get var):
(WebInspector.ReplayManager.prototype.getSegment.get var):
* UserInterface/Models/ReplaySession.js:
(WebInspector.ReplaySession.prototype.segmentsChanged):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172080 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago REGRESSION: Extremely flashy scrolling while a page is still loading (because of...
antti@apple.com [Tue, 5 Aug 2014 20:15:40 +0000 (20:15 +0000)]
REGRESSION: Extremely flashy scrolling while a page is still loading (because of flush throttling)
https://bugs.webkit.org/show_bug.cgi?id=135603
<rdar://problem/17876385>

This hit ASSERT(frame().isMainFrame()) in FrameView::updateLayerFlushThrottling
running scrollbars/scrollbar-iframe-click-does-not-blur-content.html and a few other tests.

* page/FrameView.cpp:
(WebCore::FrameView::setWasScrolledByUser): Only invoke updateLayerFlushThrottling for the main frame.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172053 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago Rename MAC_LONG_PRESS feature flag to LONG_MOUSE_PRESS.
commit-queue@webkit.org [Tue, 5 Aug 2014 19:53:07 +0000 (19:53 +0000)]
Rename MAC_LONG_PRESS feature flag to LONG_MOUSE_PRESS.
https://bugs.webkit.org/show_bug.cgi?id=135276

Patch by Peyton Randolph <prandolph@apple.com> on 2014-08-05
Reviewed by Beth Dakin.

Source/JavaScriptCore:

* Configurations/FeatureDefines.xcconfig:

Source/WebCore:

No new tests. Just a compiler flag.

* Configurations/FeatureDefines.xcconfig:

Source/WebKit/mac:

* Configurations/FeatureDefines.xcconfig:

Source/WebKit2:

* Configurations/FeatureDefines.xcconfig:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172048 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago [Media iOS] Ensure there is a nice default fallback for missing wireless target names
dino@apple.com [Tue, 5 Aug 2014 19:36:39 +0000 (19:36 +0000)]
[Media iOS] Ensure there is a nice default fallback for missing wireless target names
https://bugs.webkit.org/show_bug.cgi?id=135488
<rdar://problem/17879156>

Reviewed by Antoine Quint.

Antoine found me on iMessage to tell me I'm an idiot and that I've
forgotten how to write JavaScript. Embarrassingly, this code is what
I originally had, but then second-guessed myself.

* Modules/mediacontrols/mediaControlsiOS.js:
(ControllerIOS.prototype.updateWirelessPlaybackStatus): No need for the local
variable or conditional statement, since null and "" both evaluate as false.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172047 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago Web Inspector: cannot navigate between multiple applicable dashboards
burg@cs.washington.edu [Tue, 5 Aug 2014 19:25:07 +0000 (19:25 +0000)]
Web Inspector: cannot navigate between multiple applicable dashboards
https://bugs.webkit.org/show_bug.cgi?id=135130

Reviewed by Timothy Hatcher.

Add navigation arrows between dashboards when multiple dashboards are applicable.
For example, the user should be able to go back to the default dashboard while paused
at a breakpoint. Dashboards form a stack based on when they are first introduced.

* UserInterface/Views/DashboardContainerView.css:
(.toolbar .dashboard): Increase padding-right a bit to make room for arrows.
(.toolbar .dashboard:not(.visible)): Fix a bug where higher dashboards in the dashboard stack
can shine through when animating between two lower dashboards that have transparent background.
This ensures that at most two dashboards (namely, the ones being animated) are displayed.

(.dashboard-container .advance-arrow): Main style class for navigation arrows.
(.dashboard-container .advance-arrow:hover):
(.dashboard-container .advance-arrow:active):
(.dashboard-container .advance-arrow.inactive):
(.toolbar.label-only .dashboard-container .advance-arrow): Make arrows slightly smaller when
the dashboards get shorter.

(.dashboard-container .advance-arrow.advance-forward):
(.dashboard-container .advance-arrow.advance-backward):
* UserInterface/Views/DashboardContainerView.js:
(WebInspector.DashboardContainerView): Arrow styles are updated when a dashboard is shown,
hidden, or closed. When moving away, we dismiss (i.e., set zero opacity) arrows at animation
start. When the animation finishes, redisplay arrows that are applicable for the new dashboard.

(WebInspector.DashboardContainerView.prototype._advanceForwardArrowClicked):
(WebInspector.DashboardContainerView.prototype._advanceBackwardArrowClicked):
(WebInspector.DashboardContainerView.prototype._dismissAdvanceArrows):
(WebInspector.DashboardContainerView.prototype._updateAdvanceArrowVisibility):
(WebInspector.DashboardContainerView.prototype._showDashboardAtIndex): There was a bug here
where it would unconditionally use the same animation direction when showing a dashboard, but
it was hard to spot without arrows that must correlate with the animation direction.

(WebInspector.DashboardContainerView.prototype.animationEnded):
(WebInspector.DashboardContainerView.prototype._showDashboardView):
(WebInspector.DashboardContainerView.prototype._hideDashboardView):
(WebInspector.DashboardContainerView.prototype._closeDashboardView):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172044 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago REGRESSION: Extremely flashy scrolling while a page is still loading (because of...
antti@apple.com [Tue, 5 Aug 2014 18:34:57 +0000 (18:34 +0000)]
REGRESSION: Extremely flashy scrolling while a page is still loading (because of flush throttling)
https://bugs.webkit.org/show_bug.cgi?id=135603
<rdar://problem/17876385>

Reviewed by Andreas Kling.

* page/FrameView.cpp:
(WebCore::determineLayerFlushThrottleState):

    Disable throttling after user has scrolled the page.
    This is consistent with the speculative tiling. It also gets enabled on first scroll.

(WebCore::FrameView::setWasScrolledByUser):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172039 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago Web Inspector: shown() called on a content view when stepping over an instruction...
commit-queue@webkit.org [Tue, 5 Aug 2014 18:29:42 +0000 (18:29 +0000)]
Web Inspector: shown() called on a content view when stepping over an instruction in the debugger
https://bugs.webkit.org/show_bug.cgi?id=135311

Patch by Saam Barati <sbarati@apple.com> on 2014-08-05
Reviewed by Timothy Hatcher.

ContentViewContainer should not repeatedly call ContentView.prototype.shown
on ContentViews that are already visible. ContentViewContainer now passes
a flag to BackForwardEntry.prototype.prepareToShow indicating whether it should
call the shown function on the ContentView it is about to display.
ContentViewContainer.prototype.showBackForwardEntryForIndex passes in this
flag based on its ContentView being visible.

* UserInterface/Models/BackForwardEntry.js:
(WebInspector.BackForwardEntry.prototype.prepareToShow):
* UserInterface/Views/ContentViewContainer.js:
(WebInspector.ContentViewContainer.prototype.showBackForwardEntryForIndex):
(WebInspector.ContentViewContainer.prototype.replaceContentView):
(WebInspector.ContentViewContainer.prototype.closeAllContentViewsOfPrototype):
(WebInspector.ContentViewContainer.prototype.shown):
(WebInspector.ContentViewContainer.prototype._showEntry):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172038 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago ASSERTION FAILED: name[0] == '@' && length >= 2 in WebCore::CSSParser::detectAtToken
commit-queue@webkit.org [Tue, 5 Aug 2014 18:14:31 +0000 (18:14 +0000)]
ASSERTION FAILED: name[0] == '@' && length >= 2 in WebCore::CSSParser::detectAtToken
https://bugs.webkit.org/show_bug.cgi?id=134632

Source/WebCore:

At-rules must consist of at least two characters: the '@' symbol followed by
an identifier name. The failure of this condition makes the assertion fail.

The length of an at-rule is currently calculated by pointer arithmetic on
the 'result' pointer, which is expected to be set to the end of the at-rule
identifier by the WebCore::*CSSTokenizer::parseIdentifier method.
If the at-rule token is a sequence of 8-bit-only characters then
'result' will point correctly at the end of the identifier. However, if
the at-rule contains a 16-bit Unicode escape then 'result' will not be
updated correctly anymore, hence it cannot be used for length calculation.
The patch makes the parseIdentifier bump the result pointer even in the 16-bit slow case.

Patch by Renata Hodovan, backported from Chromium: https://codereview.chromium.org/241053002

Patch by Martin Hodovan <mhodovan.u-szeged@partner.samsung.com> on 2014-08-05
Reviewed by Darin Adler.

Test: fast/css/atrule-with-escape-character-crash.html

* css/CSSParser.cpp:
(WebCore::CSSParser::realLex):

LayoutTests:

Added test demonstrates that at-rules containing 16-bit Unicode characters
can be handled properly.

Patch by Martin Hodovan <mhodovan.u-szeged@partner.samsung.com> on 2014-08-05
Reviewed by Darin Adler.

* fast/css/atrule-with-escape-character-crash-expected.txt: Added.
* fast/css/atrule-with-escape-character-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172036 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago [iOS] The raw bytes of an iWork document's PDF preview are displayed rather than...
aestes@apple.com [Tue, 5 Aug 2014 17:49:44 +0000 (17:49 +0000)]
[iOS] The raw bytes of an iWork document's PDF preview are displayed rather than the PDF itself
https://bugs.webkit.org/show_bug.cgi?id=135596

Reviewed by David Kilzer.

Source/WebCore:

Some iWork documents contain pre-rendered PDF previews. When WebKit asks QuickLook to convert such a document,
QuickLook will return this PDF as the converted response. However, until WebKit has sent the document's data to
QuickLook, -[QLPreviewConverter previewResponse] will misleadingly tell WebKit that the converted resource will
be of type 'text/html'. This leads WebKit to render the PDF preview as HTML.

Instead of querying QLPreviewConverter for the previewResponse before we've sent it any data, postpone calling
ResourceLoader::didReceiveResponse until we've begun to receive data via the QLPreviewConverter delegate. At
that point -[QLPreviewConverter previewResponse] will have the correct MIME type and we can call didReceiveResponse.

No new tests. QuickLook is not testable from WebKit.

* platform/network/ios/QuickLook.mm:
(-[WebResourceLoaderQuickLookDelegate connection:didReceiveDataArray:]): If didReceiveResponse has yet to be
called, call it now with QuickLookHandle::nsResponse().
(-[WebResourceLoaderQuickLookDelegate connection:didReceiveData:lengthReceived:]): Ditto.
(-[WebResourceLoaderQuickLookDelegate connection:didFailWithError:]): Ditto.
(-[WebResourceLoaderQuickLookDelegate connectionDidFinishLoading:]): Assert that didReceiveResponse has been called.
(-[WebResourceLoaderQuickLookDelegate clearHandle]): Cleared the raw pointer to QuickLookHandle.
(WebCore::QuickLookHandle::create): Pointed WebResourceLoaderQuickLookDelegate's quickLookHandle property to
the newly created QuickLookHandle.

Source/WebKit2:

* WebProcess/Network/WebResourceLoader.cpp:
(WebKit::WebResourceLoader::didReceiveResponseWithCertificateInfo): If the response will be handled by
QuickLook, do not call ResourceLoader::didReceiveResponse. It will be called later by
WebResourceLoaderQuickLookDelegate once converted data is received.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172035 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago Build fix.
ap@apple.com [Tue, 5 Aug 2014 17:03:25 +0000 (17:03 +0000)]
Build fix.

* UIProcess/WebContext.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172034 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago Fixing calc() parameter parsing in cubic-bezier functions
commit-queue@webkit.org [Tue, 5 Aug 2014 16:46:20 +0000 (16:46 +0000)]
Fixing calc() parameter parsing in cubic-bezier functions
https://bugs.webkit.org/show_bug.cgi?id=135605

Patch by Renata Hodovan <rhodovan.u-szeged@partner.samsung.com> on 2014-08-05
Reviewed by Andreas Kling.

Source/WebCore:

Before this patch, calc values in cubic-bezier functions weren't being read correctly
since they were handled as simple floats.

Blink: https://codereview.chromium.org/369313002/
Test: css3/calc/cubic-bezier-with-multiple-calcs-crash.html.html

* css/CSSParser.cpp:
(WebCore::CSSParser::parseCubicBezierTimingFunctionValue):

LayoutTests:

* css3/calc/cubic-bezier-with-multiple-calcs-crash.html-expected.txt: Added.
* css3/calc/cubic-bezier-with-multiple-calcs-crash.html.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172033 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago [MSE] Seeking occasionally causes many frames to be displayed in "fast forward" mode
jer.noble@apple.com [Tue, 5 Aug 2014 16:42:09 +0000 (16:42 +0000)]
[MSE] Seeking occasionally causes many frames to be displayed in "fast forward" mode
https://bugs.webkit.org/show_bug.cgi?id=135422

Reviewed by Eric Carlson.

Three related fixes:

In reenqueueMediaForTime(), update TrackBuffer.lastEnqueuedPresentationTime when we flush
samples, so that the next time samples are re-enqueued, the starting point for re-enqueueing
is correct.

In sourceBufferPrivateDidReceiveSample(), do not add samples to the decode queue
if they are before the current media time.

When a seek is pending, but samples for the new time are not yet present in the SourceBuffer,
the SourceBufferPrivate may signal that it's ready for new samples through the
sourceBufferPrivateDidBecomeReadyForMoreSamples() method. In this situation, we should not
continue to provideMediaData(), as that will append samples from the prior-to-seeking media
timeline. Since the timeline may have moved forward due to the seek, a decoder may decide to
display those frames as quickly as possible (the "fast forward" behavior) in order to catch
up to the new current time.

If a re-enqueue is pending, don't provide media data in response to being notified that the
SourceBufferPrivate is ready for more samples. Wait until samples for the new current time
are appended.

Also, don't provide media data if we are waiting for a seek to complete.

* Modules/mediasource/MediaSource.h:
(WebCore::MediaSource::isSeeking): Convenience method.
* Modules/mediasource/SourceBuffer.cpp:
(WebCore::SourceBuffer::sourceBufferPrivateDidReceiveSample):
(WebCore::SourceBuffer::sourceBufferPrivateDidBecomeReadyForMoreSamples):
(WebCore::SourceBuffer::reenqueueMediaForTime):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172032 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago SSO expects to be able to walk parent application's bundle
oliver@apple.com [Tue, 5 Aug 2014 16:41:46 +0000 (16:41 +0000)]
SSO expects to be able to walk parent application's bundle
https://bugs.webkit.org/show_bug.cgi?id=135581
<rdar://problem/17864079>

Reviewed by Alexey Proskuryakov.

SSO expects to be able to walk the parent application's
bundle looking for Info plists. To allow this to actually
work we provide an extension from the ui process that
covers the bundle directory, and then in the profile
restrict access to the ability to read directories and
files named Info.plist.

* NetworkProcess/cocoa/NetworkProcessCocoa.mm:
(WebKit::NetworkProcess::platformInitializeNetworkProcessCocoa):
* Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:
* Shared/Network/NetworkProcessCreationParameters.cpp:
(WebKit::NetworkProcessCreationParameters::encode):
(WebKit::NetworkProcessCreationParameters::decode):
* Shared/Network/NetworkProcessCreationParameters.h:
* UIProcess/WebContext.cpp:
(WebKit::WebContext::ensureNetworkProcess):
(WebKit::WebContext::parentBundleDirectory):
* UIProcess/WebContext.h:
* UIProcess/mac/WebContextMac.mm:
(WebKit::WebContext::parentBundleDirectory):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172031 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago [gtk] Include llvm-dev(el) package to satisfy mesa build configuration
vivek.vg@samsung.com [Tue, 5 Aug 2014 16:38:53 +0000 (16:38 +0000)]
[gtk] Include llvm-dev(el) package to satisfy mesa build configuration
https://bugs.webkit.org/show_bug.cgi?id=135555

Reviewed by Philippe Normand.

Initial setup of gtk on linux requires this package to be installed.
This is required during the build configuration of mesa through jhbuild.

* gtk/install-dependencies:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172030 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago Fix the commit-log-editor after r167243 and add more unit tests
commit-queue@webkit.org [Tue, 5 Aug 2014 15:16:23 +0000 (15:16 +0000)]
Fix the commit-log-editor after r167243 and add more unit tests
https://bugs.webkit.org/show_bug.cgi?id=131727

Patch by Eva Balazsfalvi <evab.u-szeged@partner.samsung.com> on 2014-08-05
Reviewed by Csaba Osztrogonác.

* Scripts/commit-log-editor:
(createCommitMessage):
(removeLongestCommonPrefixEndingInNewline):
* Scripts/webkitpy/common/checkout/checkout_unittest.py:
(CommitMessageForThisCommitTest):
(CommitMessageForThisCommitTest.mock_changelog):
(CommitMessageForThisCommitTest.mock_checkout_for_test):
(CommitMessageForThisCommitTest.test_commit_message_for_unreviewed_changelogs_with_different_messages):
(test_commit_message_for_one_reviewed_changelog):
(test_commit_message_for_changelogs_with_same_messages):
(test_commit_message_for_changelogs_with_different_messages):
(test_commit_message_for_one_rollout_changelog):
(test_commit_message_for_rollout_changelogs_with_different_directories):
(setUp): Deleted.
(test_commit_message_for_this_commit): Deleted.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172029 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago AX: Select text activity should return replaced text instead of previously selected...
cfleizach@apple.com [Tue, 5 Aug 2014 15:15:58 +0000 (15:15 +0000)]
AX: Select text activity should return replaced text instead of previously selected text
https://bugs.webkit.org/show_bug.cgi?id=135595

Reviewed by Mario Sanchez Prada.

Source/WebCore:
When the select activity API is used to replace text, the replacement string should be returned instead of the old selected text.

Updated existing test: platform/mac/accessibility/select-text.html

* accessibility/AccessibilityObject.cpp:
(WebCore::AccessibilityObject::selectText):

LayoutTests:
* platform/mac/accessibility/select-text-expected.txt:
* platform/mac/accessibility/select-text.html:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172028 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago AX: Select activity behavior does not work when an existing range is already selected
cfleizach@apple.com [Tue, 5 Aug 2014 05:09:05 +0000 (05:09 +0000)]
AX: Select activity behavior does not work when an existing range is already selected
https://bugs.webkit.org/show_bug.cgi?id=135579

Reviewed by Mario Sanchez Prada.

Source/WebCore:
If you have an existing range selected, and try to apply a select and replace operation, like capitalize,
searching for that range will fail because it skips the currently selected range.

For these cases, it seems the best way is to start the search from the start position, rather than relying on the
entire range.

Updated existing test: platform/mac/accessibility/select-text.html

* accessibility/AccessibilityObject.cpp:
(WebCore::AccessibilityObject::selectText):

LayoutTests:
* platform/mac/accessibility/select-text-expected.txt:
* platform/mac/accessibility/select-text.html:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172027 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago [MSE][Mac] Seeking past buffered range will not resume playback when seek completes.
jer.noble@apple.com [Tue, 5 Aug 2014 03:58:28 +0000 (03:58 +0000)]
[MSE][Mac] Seeking past buffered range will not resume playback when seek completes.
https://bugs.webkit.org/show_bug.cgi?id=135591

Reviewed by Eric Carlson.

If a seek is delayed due to seeking into an unbuffered area, playback will not be restarted
at that point. Instead, playback must resume when enough media data has been added, and
the MediaSource indicates the seek should complete.

* platform/graphics/avfoundation/objc/MediaPlayerPrivateMediaSourceAVFObjC.mm:
(WebCore::MediaPlayerPrivateMediaSourceAVFObjC::seekCompleted):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172026 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago [MSE] Videos will report a stall when within 1 frame-duration before the end of a...
jer.noble@apple.com [Tue, 5 Aug 2014 03:57:27 +0000 (03:57 +0000)]
[MSE] Videos will report a stall when within 1 frame-duration before the end of a movie.
https://bugs.webkit.org/show_bug.cgi?id=135586

Reviewed by Eric Carlson.

Under certain circumstances, videos which are within 1/24 seconds before the end of a media stream when
monitorSourceBuffers() is called will fail the hasFutureTime() check. This is because hasFutureTime()
checks whether enough media is buffered to play back at least some time in the future, but when the
current time is close to the duration, not enough data is buffered to satisfy that check.

Add some logic which will break out early when the SourceBuffer has buffered up to and including the
media's duration, and return that the buffer indeed hasFutureTime() available.

* Modules/mediasource/SourceBuffer.cpp:
(WebCore::SourceBuffer::hasFutureTime):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172025 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago Simplify the StyleInvalidation mode of rule collection
benjamin@webkit.org [Tue, 5 Aug 2014 03:40:55 +0000 (03:40 +0000)]
Simplify the StyleInvalidation mode of rule collection
https://bugs.webkit.org/show_bug.cgi?id=135521

Reviewed by Antti Koivisto.

Source/WebCore:
There are two branches where StyleInvalidation code is removed:
-Pseudo elements for shadow dom elements.
-Pseudo elements without dom tree counterpart.

The first can never be hit because StyleInvalidationAnalysis does a complete invalidation
when there is any shadow dom styling involved in the stylesheets.

Even if that branch was hit, not failing on custom pseudo elements would be equivalent
to ignoring those pseudo elements from the Selector. By doing so, we would match elements
that do not have shadow dom and invalidate pretty much everything.

Unlike pseudo elements without real elements, shadow dom elements are not matched separately with a different
context, thus we could generalize StyleInvalidationAnalysis to handle this case.

The second case handles pseudo elements that do not have a real element. That case no longer needs to be handled
separately at the filter time, it has become a special case of SelectorChecker::match() after everything else
has matched.

The only condition for this to work is that the Context's pseudoId must be NOPSEUDO. This is the case
in practice since matching specific pseudo types would be a waste of time. ElementRuleCollector::collectMatchingRules()
has a new assertion to enforce that.

Test: fast/css/stylesheet-change-updates-pseudo-elements.html

* css/ElementRuleCollector.cpp:
(WebCore::ElementRuleCollector::collectMatchingRules):
* css/SelectorChecker.cpp:
(WebCore::SelectorChecker::matchRecursively):
* cssjit/SelectorCompiler.cpp:
(WebCore::SelectorCompiler::SelectorCodeGenerator::generateRequestedPseudoElementEqualsToSelectorPseudoElement):

LayoutTests:
This test works by:
1) Forcing the recalc of the user-agent stylesheet.
2) Waiting for the page to finish loading.
3) Adding a style changing only pseudo elements without corresponding shadow element.

* fast/css/stylesheet-change-updates-pseudo-elements-expected.html: Added.
* fast/css/stylesheet-change-updates-pseudo-elements.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172024 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago Add a flag for the CSS Selectors level 4 implementation
benjamin@webkit.org [Tue, 5 Aug 2014 03:25:52 +0000 (03:25 +0000)]
Add a flag for the CSS Selectors level 4 implementation
https://bugs.webkit.org/show_bug.cgi?id=135535

Reviewed by Andreas Kling.

.:
* Source/cmake/OptionsEfl.cmake:
* Source/cmake/OptionsGTK.cmake:
* Source/cmake/WebKitFeatures.cmake:
* Source/cmakeconfig.h.cmake:

Source/JavaScriptCore:
* Configurations/FeatureDefines.xcconfig:

Source/WebCore:
* Configurations/FeatureDefines.xcconfig:

Source/WebKit/mac:
* Configurations/FeatureDefines.xcconfig:

Source/WebKit2:
* Configurations/FeatureDefines.xcconfig:

WebKitLibraries:
* win/tools/vsprops/FeatureDefines.props:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172023 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago [GTK] run-launcher --gtk is broken
commit-queue@webkit.org [Tue, 5 Aug 2014 02:51:50 +0000 (02:51 +0000)]
[GTK] run-launcher --gtk is broken
https://bugs.webkit.org/show_bug.cgi?id=135571

Patch by Michael Catanzaro <mcatanzaro@igalia.com> on 2014-08-04
Reviewed by Martin Robinson.

* Scripts/webkitdirs.pm:
(builtDylibPathForName): Search for libwebkit2gtk-4.0

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172022 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago AX: add AccessibilityObject::computedLabelString() for WebAXI
cfleizach@apple.com [Tue, 5 Aug 2014 02:47:01 +0000 (02:47 +0000)]
AX: add AccessibilityObject::computedLabelString() for WebAXI
https://bugs.webkit.org/show_bug.cgi?id=129939

Reviewed by Mario Sanchez Prada.

Provide a method that the WebKit Inspector can call in order to
display an accessible name for an AX node.

* accessibility/AccessibilityObject.cpp:
(WebCore::AccessibilityObject::accessibilityComputedLabel):
* accessibility/AccessibilityObject.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172021 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago Lots of crashes in WebKit1 after r172013.
timothy_horton@apple.com [Tue, 5 Aug 2014 01:39:24 +0000 (01:39 +0000)]
Lots of crashes in WebKit1 after r172013.
https://bugs.webkit.org/show_bug.cgi?id=135582
<rdar://problem/17837636>

Reviewed by Enrica Casucci.

* editing/SelectionRectGatherer.cpp:
(WebCore::SelectionRectGatherer::addRect):
(WebCore::SelectionRectGatherer::addGapRects):
Don't try to do local-to-absolute coordinate conversion if we don't have
a repaint container, which happens a lot in WebKit1.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172018 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago [GTK] Unreviewed GTK gardening.
clopez@igalia.com [Tue, 5 Aug 2014 01:22:03 +0000 (01:22 +0000)]
[GTK] Unreviewed GTK gardening.

* platform/gtk/TestExpectations: Report and mark new failures after 172008 and r172010.
Remove expectations for tests that now pass after r171964 (revert of r171957).
Update expectations for new flaky tests.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172017 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago Check for null frame when processing geolocation authorization request
benjamin@webkit.org [Tue, 5 Aug 2014 01:04:55 +0000 (01:04 +0000)]
Check for null frame when processing geolocation authorization request
https://bugs.webkit.org/show_bug.cgi?id=135577
<rdar://problem/17896295>

Patch by Benjamin Poulain <bpoulain@apple.com> on 2014-08-04
Reviewed by Geoffrey Garen.

Source/WebKit/mac:
* WebCoreSupport/WebGeolocationClient.mm:
(WebGeolocationClient::requestPermission):

Source/WebKit2:
I could have put the null check in GeolocationController instead of the WebKit layer,
but that would be a little weird as GeolocationController knows nothing about how
the WebKit layer decides what to do with requests.

* WebProcess/Geolocation/GeolocationPermissionRequestManager.cpp:
(WebKit::GeolocationPermissionRequestManager::startRequestForGeolocation):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172016 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago Progress towards CMake on Mac.
achristensen@apple.com [Tue, 5 Aug 2014 00:30:15 +0000 (00:30 +0000)]
Progress towards CMake on Mac.
https://bugs.webkit.org/show_bug.cgi?id=135528

Reviewed by Gyuyoung Kim.

.:
* Source/cmake/OptionsMac.cmake:
Made options list based on FeatureDefines.xcconfig files.

Source/JavaScriptCore:
* CMakeLists.txt:
Include necessary directories and copy all necessary forwarding headers.
Only compile UDis86Disassembler.cpp if we're using UDIS86.
* PlatformMac.cmake: Added.
* tools/CodeProfiling.cpp:
Compile fix.  Include sys/time.h on darwin, too.

Source/WebCore:
* PlatformMac.cmake: Added.

Source/WTF:
* wtf/CMakeLists.txt:
Include text directory.
* wtf/PlatformMac.cmake: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172014 268f45cc-cd09-0410-ab3c-d52691b4dbfc