for-in is failing fast/dom/dataset-xhtml.xhtml and dataset.html tests
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        for-in is failing fast/dom/dataset-xhtml.xhtml and dataset.html tests
        https://bugs.webkit.org/show_bug.cgi?id=135681

        Reviewed by Filip Pizlo.

        * runtime/Structure.cpp:
        (JSC::Structure::canCacheGenericPropertyNameEnumerator): We were checking the entire
        prototype chain for overridesGetPropertyNames, but we were neglecting to check the
        base object's Structure. D'oh!

2014-08-06  Mark Lam  <mark.lam@apple.com>

        Gardening: fix for build failure on EFL bots.

        Not reviewed.

        * runtime/EnumerationMode.h:
        (JSC::shouldIncludeJSObjectPropertyNames):
        (JSC::modeThatSkipsJSObject):
        * runtime/JSCell.cpp:
        (JSC::JSCell::getEnumerableLength):
        * runtime/JSCell.h:

2014-08-06  Dean Jackson  <dino@apple.com>

        ENABLE_CSS_TRANSFORMS_ANIMATIONS_UNPREFIXED is not used anywhere. Remove it.
        https://bugs.webkit.org/show_bug.cgi?id=135675

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:

2014-08-06  Wenson Hsieh  <wenson_hsieh@apple.com>

        Implement parsing for CSS scroll snap points
        https://bugs.webkit.org/show_bug.cgi?id=134301

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig: Added ENABLE_CSS_SCROLL_SNAP

2014-08-06  Mark Lam  <mark.lam@apple.com>

        Gardening: fix for build failure on GTK bots.

        Not reviewed.

        * runtime/FunctionHasExecutedCache.cpp:
        - #include <limits.h> for UINT_MAX's definition.

2014-08-06  Mark Lam  <mark.lam@apple.com>

        Gardening: fix for build failure on EFL bots.

        Not reviewed.

        * jit/JITInlines.h:
        (JSC::JIT::emitLoadForArrayMode):

2014-08-06  Mark Lam  <mark.lam@apple.com>

        Gardening: adding missing build file changes from the FTLOPT merge at r172176.

        Not reviewed.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2014-08-06  Ryuan Choi  <ryuan.choi@samsung.com>

        Unreviewed build fix attempt since r172184

        * CMakeLists.txt: Removed TypeLocation.cpp

2014-08-06  Mark Lam  <mark.lam@apple.com>

        Gardening: adding missing build file changes from r171510.
        <https://webkit.org/b/134860>

        Not reviewed.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2014-08-06  Mark Lam  <mark.lam@apple.com>

        Gardening: adding missing build file changes from r170490.
        <https://webkit.org/b/133395>

        Not reviewed.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2014-08-06  Filip Pizlo  <fpizlo@apple.com>

        Silence a debug assertion.

        Reviewed by Mark Hahnenberg.

        * runtime/JSPropertyNameEnumerator.h:
        (JSC::JSPropertyNameEnumerator::cachedStructure):

2014-08-06  Filip Pizlo  <fpizlo@apple.com>

        Fix 32-bit build.

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileHasIndexedProperty):

2014-08-06  Filip Pizlo  <fpizlo@apple.com>

        Merge r171389, r171495, r171508, r171510, r171605, r171606, r171611, r171614, r171763 from ftlopt.

    2014-07-28  Mark Hahnenberg  <mhahnenberg@apple.com>

            Support for-in in the FTL
            https://bugs.webkit.org/show_bug.cgi?id=134140

            Reviewed by Filip Pizlo.

            * dfg/DFGSSALoweringPhase.cpp:
            (JSC::DFG::SSALoweringPhase::handleNode):
            * ftl/FTLAbstractHeapRepository.cpp:
            * ftl/FTLAbstractHeapRepository.h:
            * ftl/FTLCapabilities.cpp:
            (JSC::FTL::canCompile):
            * ftl/FTLIntrinsicRepository.h:
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileNode):
            (JSC::FTL::LowerDFGToLLVM::compileHasIndexedProperty):
            (JSC::FTL::LowerDFGToLLVM::compileHasGenericProperty):
            (JSC::FTL::LowerDFGToLLVM::compileHasStructureProperty):
            (JSC::FTL::LowerDFGToLLVM::compileGetDirectPname):
            (JSC::FTL::LowerDFGToLLVM::compileGetEnumerableLength):
            (JSC::FTL::LowerDFGToLLVM::compileGetStructurePropertyEnumerator):
            (JSC::FTL::LowerDFGToLLVM::compileGetGenericPropertyEnumerator):
            (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname):
            (JSC::FTL::LowerDFGToLLVM::compileToIndexString):

    2014-07-25  Mark Hahnenberg  <mhahnenberg@apple.com>

            Remove JSPropertyNameIterator
            https://bugs.webkit.org/show_bug.cgi?id=135066

            Reviewed by Geoffrey Garen.

            It has been replaced by JSPropertyNameEnumerator.

            * JavaScriptCore.order:
            * bytecode/BytecodeBasicBlock.cpp:
            (JSC::isBranch):
            * bytecode/BytecodeList.json:
            * bytecode/BytecodeUseDef.h:
            (JSC::computeUsesForBytecodeOffset):
            (JSC::computeDefsForBytecodeOffset):
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::dumpBytecode):
            * bytecode/PreciseJumpTargets.cpp:
            (JSC::getJumpTargetsForBytecodeOffset):
            * bytecompiler/BytecodeGenerator.cpp:
            (JSC::BytecodeGenerator::emitGetPropertyNames): Deleted.
            (JSC::BytecodeGenerator::emitNextPropertyName): Deleted.
            * bytecompiler/BytecodeGenerator.h:
            * interpreter/Interpreter.cpp:
            * interpreter/Register.h:
            * jit/JIT.cpp:
            (JSC::JIT::privateCompileMainPass):
            (JSC::JIT::privateCompileSlowCases):
            * jit/JIT.h:
            * jit/JITOpcodes.cpp:
            (JSC::JIT::emit_op_get_pnames): Deleted.
            (JSC::JIT::emit_op_next_pname): Deleted.
            * jit/JITOpcodes32_64.cpp:
            (JSC::JIT::emit_op_get_pnames): Deleted.
            (JSC::JIT::emit_op_next_pname): Deleted.
            * jit/JITOperations.cpp:
            * jit/JITPropertyAccess.cpp:
            (JSC::JIT::emit_op_get_by_pname): Deleted.
            (JSC::JIT::emitSlow_op_get_by_pname): Deleted.
            * jit/JITPropertyAccess32_64.cpp:
            (JSC::JIT::emit_op_get_by_pname): Deleted.
            (JSC::JIT::emitSlow_op_get_by_pname): Deleted.
            * llint/LLIntOffsetsExtractor.cpp:
            * llint/LLIntSlowPaths.cpp:
            (JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
            * llint/LLIntSlowPaths.h:
            * llint/LowLevelInterpreter.asm:
            * llint/LowLevelInterpreter32_64.asm:
            * llint/LowLevelInterpreter64.asm:
            * runtime/CommonSlowPaths.cpp:
            * runtime/JSPropertyNameIterator.cpp:
            (JSC::JSPropertyNameIterator::JSPropertyNameIterator): Deleted.
            (JSC::JSPropertyNameIterator::create): Deleted.
            (JSC::JSPropertyNameIterator::destroy): Deleted.
            (JSC::JSPropertyNameIterator::get): Deleted.
            (JSC::JSPropertyNameIterator::visitChildren): Deleted.
            * runtime/JSPropertyNameIterator.h:
            (JSC::JSPropertyNameIterator::createStructure): Deleted.
            (JSC::JSPropertyNameIterator::size): Deleted.
            (JSC::JSPropertyNameIterator::setCachedStructure): Deleted.
            (JSC::JSPropertyNameIterator::cachedStructure): Deleted.
            (JSC::JSPropertyNameIterator::setCachedPrototypeChain): Deleted.
            (JSC::JSPropertyNameIterator::cachedPrototypeChain): Deleted.
            (JSC::JSPropertyNameIterator::finishCreation): Deleted.
            (JSC::Register::propertyNameIterator): Deleted.
            (JSC::StructureRareData::enumerationCache): Deleted.
            (JSC::StructureRareData::setEnumerationCache): Deleted.
            * runtime/Structure.cpp:
            (JSC::Structure::addPropertyWithoutTransition):
            (JSC::Structure::removePropertyWithoutTransition):
            * runtime/Structure.h:
            * runtime/StructureInlines.h:
            (JSC::Structure::setEnumerationCache): Deleted.
            (JSC::Structure::enumerationCache): Deleted.
            * runtime/StructureRareData.cpp:
            (JSC::StructureRareData::visitChildren):
            * runtime/StructureRareData.h:
            * runtime/VM.cpp:
            (JSC::VM::VM):

    2014-07-25  Saam Barati  <sbarati@apple.com>

            Fix 32-bit build breakage for type profiling
            https://bugs.webkit.org/process_bug.cgi

            Reviewed by Mark Hahnenberg.

            32-bit builds currently break because global variable IDs for high
            fidelity type profiling are int64_t. Change this to intptr_t so that
            it's 32 bits on 32-bit platforms and 64 bits on 64-bit platforms.

            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::CodeBlock):
            (JSC::CodeBlock::scopeDependentProfile):
            * bytecode/TypeLocation.h:
            * runtime/SymbolTable.cpp:
            (JSC::SymbolTable::uniqueIDForVariable):
            (JSC::SymbolTable::uniqueIDForRegister):
            * runtime/SymbolTable.h:
            * runtime/TypeLocationCache.cpp:
            (JSC::TypeLocationCache::getTypeLocation):
            * runtime/TypeLocationCache.h:
            * runtime/VM.h:
            (JSC::VM::getNextUniqueVariableID):

    2014-07-25  Mark Hahnenberg  <mhahnenberg@apple.com>

            Reindent PropertyNameArray.h
            https://bugs.webkit.org/show_bug.cgi?id=135067

            Reviewed by Geoffrey Garen.

            * runtime/PropertyNameArray.h:
            (JSC::RefCountedIdentifierSet::contains):
            (JSC::RefCountedIdentifierSet::size):
            (JSC::RefCountedIdentifierSet::add):
            (JSC::PropertyNameArrayData::create):
            (JSC::PropertyNameArrayData::propertyNameVector):
            (JSC::PropertyNameArrayData::PropertyNameArrayData):
            (JSC::PropertyNameArray::PropertyNameArray):
            (JSC::PropertyNameArray::vm):
            (JSC::PropertyNameArray::add):
            (JSC::PropertyNameArray::addKnownUnique):
            (JSC::PropertyNameArray::operator[]):
            (JSC::PropertyNameArray::setData):
            (JSC::PropertyNameArray::data):
            (JSC::PropertyNameArray::releaseData):
            (JSC::PropertyNameArray::identifierSet):
            (JSC::PropertyNameArray::canAddKnownUniqueForStructure):
            (JSC::PropertyNameArray::size):
            (JSC::PropertyNameArray::begin):
            (JSC::PropertyNameArray::end):
            (JSC::PropertyNameArray::numCacheableSlots):
            (JSC::PropertyNameArray::setNumCacheableSlotsForObject):
            (JSC::PropertyNameArray::setBaseObject):
            (JSC::PropertyNameArray::setPreviouslyEnumeratedLength):

    2014-07-23  Mark Hahnenberg  <mhahnenberg@apple.com>

            Refactor our current implementation of for-in
            https://bugs.webkit.org/show_bug.cgi?id=134142

            Reviewed by Filip Pizlo.

            This patch splits for-in loops into three distinct parts:

            - Iterating over the indexed properties in the base object.
            - Iterating over the Structure properties in the base object.
            - Iterating over any other enumerable properties for that object and any objects in the prototype chain.

            It does this by emitting these explicit loops in bytecode, using a new set of bytecodes to
            support the various operations required for each loop.

            * API/JSCallbackObjectFunctions.h:
            (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * bytecode/BytecodeList.json:
            * bytecode/BytecodeUseDef.h:
            (JSC::computeUsesForBytecodeOffset):
            (JSC::computeDefsForBytecodeOffset):
            * bytecode/CallLinkStatus.h:
            (JSC::CallLinkStatus::CallLinkStatus):
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::dumpBytecode):
            (JSC::CodeBlock::CodeBlock):
            * bytecompiler/BytecodeGenerator.cpp:
            (JSC::BytecodeGenerator::emitGetByVal):
            (JSC::BytecodeGenerator::emitComplexPopScopes):
            (JSC::BytecodeGenerator::emitGetEnumerableLength):
            (JSC::BytecodeGenerator::emitHasGenericProperty):
            (JSC::BytecodeGenerator::emitHasIndexedProperty):
            (JSC::BytecodeGenerator::emitHasStructureProperty):
            (JSC::BytecodeGenerator::emitGetStructurePropertyEnumerator):
            (JSC::BytecodeGenerator::emitGetGenericPropertyEnumerator):
            (JSC::BytecodeGenerator::emitNextEnumeratorPropertyName):
            (JSC::BytecodeGenerator::emitToIndexString):
            (JSC::BytecodeGenerator::pushIndexedForInScope):
            (JSC::BytecodeGenerator::popIndexedForInScope):
            (JSC::BytecodeGenerator::pushStructureForInScope):
            (JSC::BytecodeGenerator::popStructureForInScope):
            (JSC::BytecodeGenerator::invalidateForInContextForLocal):
            * bytecompiler/BytecodeGenerator.h:
            (JSC::ForInContext::ForInContext):
            (JSC::ForInContext::~ForInContext):
            (JSC::ForInContext::isValid):
            (JSC::ForInContext::invalidate):
            (JSC::ForInContext::local):
            (JSC::StructureForInContext::StructureForInContext):
            (JSC::StructureForInContext::type):
            (JSC::StructureForInContext::index):
            (JSC::StructureForInContext::property):
            (JSC::StructureForInContext::enumerator):
            (JSC::IndexedForInContext::IndexedForInContext):
            (JSC::IndexedForInContext::type):
            (JSC::IndexedForInContext::index):
            (JSC::BytecodeGenerator::pushOptimisedForIn): Deleted.
            (JSC::BytecodeGenerator::popOptimisedForIn): Deleted.
            * bytecompiler/NodesCodegen.cpp:
            (JSC::ReadModifyResolveNode::emitBytecode):
            (JSC::AssignResolveNode::emitBytecode):
            (JSC::ForInNode::tryGetBoundLocal):
            (JSC::ForInNode::emitLoopHeader):
            (JSC::ForInNode::emitMultiLoopBytecode):
            (JSC::ForInNode::emitBytecode):
            * debugger/DebuggerScope.h:
            * dfg/DFGAbstractHeap.h:
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::parseBlock):
            * dfg/DFGCapabilities.cpp:
            (JSC::DFG::capabilityLevel):
            * dfg/DFGClobberize.h:
            (JSC::DFG::clobberize):
            * dfg/DFGDoesGC.cpp:
            (JSC::DFG::doesGC):
            * dfg/DFGFixupPhase.cpp:
            (JSC::DFG::FixupPhase::fixupNode):
            * dfg/DFGHeapLocation.cpp:
            (WTF::printInternal):
            * dfg/DFGHeapLocation.h:
            * dfg/DFGNode.h:
            (JSC::DFG::Node::hasHeapPrediction):
            (JSC::DFG::Node::hasArrayMode):
            * dfg/DFGNodeType.h:
            * dfg/DFGPredictionPropagationPhase.cpp:
            (JSC::DFG::PredictionPropagationPhase::propagate):
            * dfg/DFGSafeToExecute.h:
            (JSC::DFG::safeToExecute):
            * dfg/DFGSpeculativeJIT.h:
            (JSC::DFG::SpeculativeJIT::callOperation):
            * dfg/DFGSpeculativeJIT32_64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGSpeculativeJIT64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * jit/JIT.cpp:
            (JSC::JIT::privateCompileMainPass):
            (JSC::JIT::privateCompileSlowCases):
            * jit/JIT.h:
            (JSC::JIT::compileHasIndexedProperty):
            (JSC::JIT::emitInt32Load):
            * jit/JITInlines.h:
            (JSC::JIT::emitDoubleGetByVal):
            (JSC::JIT::emitLoadForArrayMode):
            (JSC::JIT::emitContiguousGetByVal):
            (JSC::JIT::emitArrayStorageGetByVal):
            * jit/JITOpcodes.cpp:
            (JSC::JIT::emit_op_get_enumerable_length):
            (JSC::JIT::emit_op_has_structure_property):
            (JSC::JIT::emitSlow_op_has_structure_property):
            (JSC::JIT::emit_op_has_generic_property):
            (JSC::JIT::privateCompileHasIndexedProperty):
            (JSC::JIT::emit_op_has_indexed_property):
            (JSC::JIT::emitSlow_op_has_indexed_property):
            (JSC::JIT::emit_op_get_direct_pname):
            (JSC::JIT::emitSlow_op_get_direct_pname):
            (JSC::JIT::emit_op_get_structure_property_enumerator):
            (JSC::JIT::emit_op_get_generic_property_enumerator):
            (JSC::JIT::emit_op_next_enumerator_pname):
            (JSC::JIT::emit_op_to_index_string):
            * jit/JITOpcodes32_64.cpp:
            (JSC::JIT::emit_op_get_enumerable_length):
            (JSC::JIT::emit_op_has_structure_property):
            (JSC::JIT::emitSlow_op_has_structure_property):
            (JSC::JIT::emit_op_has_generic_property):
            (JSC::JIT::privateCompileHasIndexedProperty):
            (JSC::JIT::emit_op_has_indexed_property):
            (JSC::JIT::emitSlow_op_has_indexed_property):
            (JSC::JIT::emit_op_get_direct_pname):
            (JSC::JIT::emitSlow_op_get_direct_pname):
            (JSC::JIT::emit_op_get_structure_property_enumerator):
            (JSC::JIT::emit_op_get_generic_property_enumerator):
            (JSC::JIT::emit_op_next_enumerator_pname):
            (JSC::JIT::emit_op_to_index_string):
            * jit/JITOperations.cpp:
            * jit/JITOperations.h:
            * jit/JITPropertyAccess.cpp:
            (JSC::JIT::emitDoubleLoad):
            (JSC::JIT::emitContiguousLoad):
            (JSC::JIT::emitArrayStorageLoad):
            (JSC::JIT::emitDoubleGetByVal): Deleted.
            (JSC::JIT::emitContiguousGetByVal): Deleted.
            (JSC::JIT::emitArrayStorageGetByVal): Deleted.
            * jit/JITPropertyAccess32_64.cpp:
            (JSC::JIT::emitContiguousLoad):
            (JSC::JIT::emitDoubleLoad):
            (JSC::JIT::emitArrayStorageLoad):
            (JSC::JIT::emitContiguousGetByVal): Deleted.
            (JSC::JIT::emitDoubleGetByVal): Deleted.
            (JSC::JIT::emitArrayStorageGetByVal): Deleted.
            * llint/LowLevelInterpreter.asm:
            * parser/Nodes.h:
            * runtime/Arguments.cpp:
            (JSC::Arguments::getOwnPropertyNames):
            * runtime/ClassInfo.h:
            * runtime/CommonSlowPaths.cpp:
            (JSC::SLOW_PATH_DECL):
            * runtime/CommonSlowPaths.h:
            * runtime/EnumerationMode.h: Added.
            (JSC::shouldIncludeDontEnumProperties):
            (JSC::shouldExcludeDontEnumProperties):
            (JSC::shouldIncludeJSObjectPropertyNames):
            (JSC::modeThatSkipsJSObject):
            * runtime/JSActivation.cpp:
            (JSC::JSActivation::getOwnNonIndexPropertyNames):
            * runtime/JSArray.cpp:
            (JSC::JSArray::getOwnNonIndexPropertyNames):
            * runtime/JSArrayBuffer.cpp:
            (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
            * runtime/JSArrayBufferView.cpp:
            (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
            * runtime/JSCell.cpp:
            (JSC::JSCell::getEnumerableLength):
            (JSC::JSCell::getStructurePropertyNames):
            (JSC::JSCell::getGenericPropertyNames):
            * runtime/JSCell.h:
            * runtime/JSFunction.cpp:
            (JSC::JSFunction::getOwnNonIndexPropertyNames):
            * runtime/JSGenericTypedArrayViewInlines.h:
            (JSC::JSGenericTypedArrayView<Adaptor>::getOwnNonIndexPropertyNames):
            * runtime/JSObject.cpp:
            (JSC::getClassPropertyNames):
            (JSC::JSObject::hasOwnProperty):
            (JSC::JSObject::getOwnPropertyNames):
            (JSC::JSObject::getOwnNonIndexPropertyNames):
            (JSC::JSObject::getEnumerableLength):
            (JSC::JSObject::getStructurePropertyNames):
            (JSC::JSObject::getGenericPropertyNames):
            * runtime/JSObject.h:
            * runtime/JSPropertyNameEnumerator.cpp: Added.
            (JSC::JSPropertyNameEnumerator::create):
            (JSC::JSPropertyNameEnumerator::JSPropertyNameEnumerator):
            (JSC::JSPropertyNameEnumerator::finishCreation):
            (JSC::JSPropertyNameEnumerator::destroy):
            (JSC::JSPropertyNameEnumerator::visitChildren):
            * runtime/JSPropertyNameEnumerator.h: Added.
            (JSC::JSPropertyNameEnumerator::createStructure):
            (JSC::JSPropertyNameEnumerator::propertyNameAtIndex):
            (JSC::JSPropertyNameEnumerator::identifierSet):
            (JSC::JSPropertyNameEnumerator::cachedPrototypeChain):
            (JSC::JSPropertyNameEnumerator::setCachedPrototypeChain):
            (JSC::JSPropertyNameEnumerator::cachedStructure):
            (JSC::JSPropertyNameEnumerator::cachedStructureID):
            (JSC::JSPropertyNameEnumerator::cachedInlineCapacity):
            (JSC::JSPropertyNameEnumerator::cachedStructureIDOffset):
            (JSC::JSPropertyNameEnumerator::cachedInlineCapacityOffset):
            (JSC::JSPropertyNameEnumerator::cachedPropertyNamesLengthOffset):
            (JSC::JSPropertyNameEnumerator::cachedPropertyNamesVectorOffset):
            (JSC::structurePropertyNameEnumerator):
            (JSC::genericPropertyNameEnumerator):
            * runtime/JSProxy.cpp:
            (JSC::JSProxy::getEnumerableLength):
            (JSC::JSProxy::getStructurePropertyNames):
            (JSC::JSProxy::getGenericPropertyNames):
            * runtime/JSProxy.h:
            * runtime/JSSymbolTableObject.cpp:
            (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
            * runtime/PropertyNameArray.cpp:
            (JSC::PropertyNameArray::add):
            (JSC::PropertyNameArray::setPreviouslyEnumeratedProperties):
            * runtime/PropertyNameArray.h:
            (JSC::RefCountedIdentifierSet::contains):
            (JSC::RefCountedIdentifierSet::size):
            (JSC::RefCountedIdentifierSet::add):
            (JSC::PropertyNameArray::PropertyNameArray):
            (JSC::PropertyNameArray::add):
            (JSC::PropertyNameArray::addKnownUnique):
            (JSC::PropertyNameArray::identifierSet):
            (JSC::PropertyNameArray::canAddKnownUniqueForStructure):
            (JSC::PropertyNameArray::setPreviouslyEnumeratedLength):
            * runtime/RegExpObject.cpp:
            (JSC::RegExpObject::getOwnNonIndexPropertyNames):
            (JSC::RegExpObject::getPropertyNames):
            (JSC::RegExpObject::getGenericPropertyNames):
            * runtime/RegExpObject.h:
            * runtime/StringObject.cpp:
            (JSC::StringObject::getOwnPropertyNames):
            * runtime/Structure.cpp:
            (JSC::Structure::getPropertyNamesFromStructure):
            (JSC::Structure::setCachedStructurePropertyNameEnumerator):
            (JSC::Structure::cachedStructurePropertyNameEnumerator):
            (JSC::Structure::setCachedGenericPropertyNameEnumerator):
            (JSC::Structure::cachedGenericPropertyNameEnumerator):
            (JSC::Structure::canCacheStructurePropertyNameEnumerator):
            (JSC::Structure::canCacheGenericPropertyNameEnumerator):
            (JSC::Structure::canAccessPropertiesQuickly):
            * runtime/Structure.h:
            * runtime/StructureRareData.cpp:
            (JSC::StructureRareData::visitChildren):
            (JSC::StructureRareData::cachedStructurePropertyNameEnumerator):
            (JSC::StructureRareData::setCachedStructurePropertyNameEnumerator):
            (JSC::StructureRareData::cachedGenericPropertyNameEnumerator):
            (JSC::StructureRareData::setCachedGenericPropertyNameEnumerator):
            * runtime/StructureRareData.h:
            * runtime/VM.cpp:
            (JSC::VM::VM):
            * runtime/VM.h:

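The "Refactor our current implementation of for-in" entry above describes the three phases a for-in loop is split into, and the 2014-08-07 entry at the top of this log fixes a case where the base object itself overrides property-name enumeration, so its keys cannot be derived from its Structure. The JavaScript below is an added example, not WebKit code: `partitionForInKeys` sorts the keys a for-in loop visits into those three groups, and `dynamicKeyObject` is a constructed Proxy (standing in for a host object such as a DOM dataset; the Proxy, its key lists and every function name here are assumptions of this example) whose enumerated keys are computed on each call, which is why an enumerator cache keyed only on object shape would return the wrong names for it.

```javascript
// Added example (not WebKit code): classify the keys a for-in loop visits into
// the three phases the ChangeLog entry describes, and show an object whose
// enumerated keys cannot be derived from its shape.

// An array index is the canonical decimal string of an integer in [0, 2^32 - 2].
function isArrayIndex(key) {
  const n = Number(key);
  return Number.isInteger(n) && n >= 0 && n < 4294967295 && String(n) === key;
}

// Phase 1: indexed own properties. Phase 2: named own properties.
// Phase 3: enumerable properties reached through the prototype chain.
// The engine visits them in exactly this order, so one pass suffices.
function partitionForInKeys(obj) {
  const indexed = [];
  const named = [];
  const inherited = [];
  for (const key in obj) {
    if (!Object.prototype.hasOwnProperty.call(obj, key)) {
      inherited.push(key);
    } else if (isArrayIndex(key)) {
      indexed.push(key);
    } else {
      named.push(key);
    }
  }
  return { indexed, named, inherited };
}

// Constructed sample: a prototype with one enumerable and one non-enumerable
// property, and an object mixing indexed and named own properties.
function sampleObject() {
  const proto = { inheritedA: 1 };
  Object.defineProperty(proto, "hidden", { value: 2, enumerable: false });
  const obj = Object.create(proto);
  obj.name = "x";
  obj[10] = "ten";
  obj[2] = "two";
  obj.other = "y";
  return obj;
}

// Constructed stand-in for a host object that overrides property-name
// enumeration: the keys come from the `keys` argument, not from any stored
// property, so two such objects with identical shapes can report different
// names. A cache keyed only on object shape would hand the second object the
// first one's key list.
function dynamicKeyObject(keys) {
  return new Proxy({}, {
    ownKeys() { return keys.slice(); },
    getOwnPropertyDescriptor(target, key) {
      if (!keys.includes(key)) return undefined;
      return { value: key, enumerable: true, configurable: true };
    },
  });
}

// Returns true when two shape-identical dynamic objects enumerate different
// keys, i.e. when a shape-keyed enumeration cache would be wrong for them.
function shapeCacheWouldBeWrong(keysA, keysB) {
  const a = partitionForInKeys(dynamicKeyObject(keysA)).named.join(",");
  const b = partitionForInKeys(dynamicKeyObject(keysB)).named.join(",");
  return a !== b;
}

// Stand-alone run.
console.log(partitionForInKeys(sampleObject()));
console.log(shapeCacheWouldBeWrong(["b", "a"], ["c"]));
```

Running it shows the indexed keys first in ascending order, then the named own keys in insertion order, then the inherited enumerable key; the non-enumerable prototype property never appears. The Proxy case is the one the 2014-08-07 fix guards against: whether an object can use a cached enumerator has to be decided for the base object as well as for every prototype, since a hook on the base object alone is enough to make the cached list stale.
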
    2014-07-23  Saam Barati  <sbarati@apple.com>

            Make improvements to Type Profiling
            https://bugs.webkit.org/show_bug.cgi?id=134860

            Reviewed by Filip Pizlo.

            I improved the API between the inspector and JSC. We no longer send one huge
            string to the inspector. We now send structured data that represents the type
            information that JSC has collected. I've also created a beginning implementation
            of a type lattice that allows us to resolve a display name for a type that
            consists of a single word.

            I created a data structure that knows which functions have executed. This
            solves the bug where types inside an un-executed function will resolve
            to the type of the enclosing expression of that function. This data
            structure may also be useful later if the inspector chooses to create a UI
            around showing which functions have executed.

            Better type information is gathered for objects. StructureShape now
            represents an object's prototype chain.  StructureShape also collects
            the constructor name for an object.

            Expression ranges are now zero indexed.

            Removed some extraneous methods.

            * JavaScriptCore.xcodeproj/project.pbxproj:
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::CodeBlock):
            (JSC::CodeBlock::scopeDependentProfile):
            * bytecode/CodeBlock.h:
            * bytecode/TypeLocation.h:
            (JSC::TypeLocation::TypeLocation):
            * bytecode/UnlinkedCodeBlock.cpp:
            (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
            * bytecode/UnlinkedCodeBlock.h:
            (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingStartOffset):
            (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingEndOffset):
            * bytecompiler/BytecodeGenerator.cpp:
            (JSC::BytecodeGenerator::BytecodeGenerator):
            (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo):
            * bytecompiler/BytecodeGenerator.h:
            (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo): Deleted.
            * heap/Heap.cpp:
            (JSC::Heap::collect):
            * inspector/agents/InspectorRuntimeAgent.cpp:
            (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
            (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableAtOffset): Deleted.
            * inspector/agents/InspectorRuntimeAgent.h:
            * inspector/protocol/Runtime.json:
            * runtime/Executable.cpp:
            (JSC::ScriptExecutable::ScriptExecutable):
            (JSC::ProgramExecutable::ProgramExecutable):
            (JSC::FunctionExecutable::FunctionExecutable):
            (JSC::ProgramExecutable::initializeGlobalProperties):
            * runtime/Executable.h:
            (JSC::ScriptExecutable::highFidelityTypeProfilingStartOffset):
            (JSC::ScriptExecutable::highFidelityTypeProfilingEndOffset):
            * runtime/FunctionHasExecutedCache.cpp: Added.
            (JSC::FunctionHasExecutedCache::hasExecutedAtOffset):
            (JSC::FunctionHasExecutedCache::insertUnexecutedRange):
            (JSC::FunctionHasExecutedCache::removeUnexecutedRange):
            * runtime/FunctionHasExecutedCache.h: Added.
            (JSC::FunctionHasExecutedCache::FunctionRange::FunctionRange):
            (JSC::FunctionHasExecutedCache::FunctionRange::operator==):
            (JSC::FunctionHasExecutedCache::FunctionRange::hash):
            * runtime/HighFidelityLog.cpp:
            (JSC::HighFidelityLog::processHighFidelityLog):
            (JSC::HighFidelityLog::actuallyProcessLogThreadFunction): Deleted.
            * runtime/HighFidelityLog.h:
            (JSC::HighFidelityLog::recordTypeInformationForLocation):
            * runtime/HighFidelityTypeProfiler.cpp:
            (JSC::HighFidelityTypeProfiler::logTypesForTypeLocation):
            (JSC::HighFidelityTypeProfiler::insertNewLocation):
            (JSC::HighFidelityTypeProfiler::getTypesForVariableAtOffsetForInspector):
            (JSC::descriptorMatchesTypeLocation):
            (JSC::HighFidelityTypeProfiler::findLocation):
            (JSC::HighFidelityTypeProfiler::getTypesForVariableInAtOffset): Deleted.
            (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableAtOffset): Deleted.
            (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableAtOffset): Deleted.
            * runtime/HighFidelityTypeProfiler.h:
            (JSC::QueryKey::QueryKey):
            (JSC::QueryKey::isHashTableDeletedValue):
            (JSC::QueryKey::operator==):
            (JSC::QueryKey::hash):
            (JSC::QueryKeyHash::hash):
            (JSC::QueryKeyHash::equal):
            (JSC::HighFidelityTypeProfiler::functionHasExecutedCache):
            (JSC::HighFidelityTypeProfiler::typeLocationCache):
            * runtime/Structure.cpp:
            (JSC::Structure::toStructureShape):
            * runtime/Structure.h:
            * runtime/TypeLocationCache.cpp: Added.
            (JSC::TypeLocationCache::getTypeLocation):
            * runtime/TypeLocationCache.h: Added.
            (JSC::TypeLocationCache::LocationKey::LocationKey):
            (JSC::TypeLocationCache::LocationKey::operator==):
            (JSC::TypeLocationCache::LocationKey::hash):
            * runtime/TypeSet.cpp:
            (JSC::TypeSet::getRuntimeTypeForValue):
            (JSC::TypeSet::addTypeForValue):
            (JSC::TypeSet::seenTypes):
            (JSC::TypeSet::doesTypeConformTo):
            (JSC::TypeSet::displayName):
            (JSC::TypeSet::allPrimitiveTypeNames):
            (JSC::TypeSet::allStructureRepresentations):
            (JSC::TypeSet::leastCommonAncestor):
            (JSC::StructureShape::StructureShape):
            (JSC::StructureShape::addProperty):
            (JSC::StructureShape::propertyHash):
            (JSC::StructureShape::leastCommonAncestor):
            (JSC::StructureShape::stringRepresentation):
            (JSC::StructureShape::inspectorRepresentation):
            (JSC::StructureShape::leastUpperBound): Deleted.
            * runtime/TypeSet.h:
            (JSC::StructureShape::setConstructorName):
            (JSC::StructureShape::constructorName):
            (JSC::StructureShape::setProto):
            * runtime/VM.cpp:
            (JSC::VM::dumpHighFidelityProfilingTypes):
            (JSC::VM::getTypesForVariableAtOffset): Deleted.
            (JSC::VM::updateHighFidelityTypeProfileState): Deleted.
            * runtime/VM.h:
            (JSC::VM::isProfilingTypesWithHighFidelity):
            (JSC::VM::highFidelityTypeProfiler):

    2014-07-23  Filip Pizlo  <fpizlo@apple.com>

            Fix debug build.

            * bytecode/CallLinkStatus.h:
            (JSC::CallLinkStatus::CallLinkStatus):
677     
678     2014-07-20  Filip Pizlo  <fpizlo@apple.com>
679     
680             [ftlopt] Phantoms in SSA form should be aggressively hoisted
681             https://bugs.webkit.org/show_bug.cgi?id=135111
682     
683             Reviewed by Oliver Hunt.
684             
685             In CPS form, Phantom means three things: (1) that the children should be kept alive so long
686             as they are relevant to OSR (due to a MovHint), (2) that the children are live-in-bytecode
687             at the point of the Phantom, and (3) that some checks should be performed. In SSA, the
688             second meaning is not used but the other two stay.
689             
690             The fact that a Phantom that is used to keep a node alive could be anywhere in the graph,
691             even in a totally different basic block, complicates some SSA transformations. It's not
692             possible to just jettison some successor, since that successor could have a Phantom that we
693             care about.
694             
695             This change rationalizes how Phantoms work so that:
696             
697             1) Phantoms keep children alive so long as those children are relevant to OSR. This is true
698                in both CPS and SSA. This was true before and it's true now.
699             
700             2) Phantoms are used for live-in-bytecode only in CPS. This was true before and it's true
701                now, except that now we also don't bother preserving the live-in-bytecode information
702                that Phantoms convey, when we are in SSA.
703             
704             3) Phantoms may incidentally have checks, but in cases where we only want checks, we now
705                use Check instead of Phantom. Notably, DCE phase has dead nodes decay to Check, not
706                Phantom.
707             
708             The biggest part of this change is that in SSA, we canonicalize Phantoms:
709             
710             - All Phantoms are replaced with Check nodes that include only those edges that have
711               checks.
712             
713             - Nodes that were the children of any Phantoms have a Phantom right after them.
714             
715             For example, the following code:
716             
717                 5: ArithAdd(@1, @2)
718                 6: ArithSub(@5, @3)
719                 7: Phantom(Int32:@5)
720             
721             would be turned into the following:
722             
723                 5: ArithAdd(@1, @2)
724                 8: Phantom(@5) // @5 was the child of a Phantom, so we create a new Phantom right after
725                                // @5. This is the only Phantom we will have for @5.
726                 6: ArithSub(@5, @3)
727                 7: Check(Int32:@5) // We replace the Phantom with a Check; in this case since Int32: is
728                                    // a checking edge, we leave it.
729             
730             This is a slight speed-up across the board, presumably because we now do a better job of
731             reducing the size of the graph during compilation. It could also be a fluke, though. The
732             main purpose of this is to unlock some other work (like CFG simplification in SSA). It will
733             become a requirement to run phantom canonicalization prior to some SSA phases. None of the
734             current phases need it, but future phases probably will.
735     
736             * CMakeLists.txt:
737             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
738             * JavaScriptCore.xcodeproj/project.pbxproj:
739             * dfg/DFGAbstractInterpreterInlines.h:
740             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
741             * dfg/DFGConstantFoldingPhase.cpp:
742             (JSC::DFG::ConstantFoldingPhase::foldConstants):
743             * dfg/DFGDCEPhase.cpp:
744             (JSC::DFG::DCEPhase::run):
745             (JSC::DFG::DCEPhase::findTypeCheckRoot):
746             (JSC::DFG::DCEPhase::countEdge):
747             (JSC::DFG::DCEPhase::fixupBlock):
748             (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):
749             * dfg/DFGEdge.cpp:
750             (JSC::DFG::Edge::dump):
751             * dfg/DFGEdge.h:
752             (JSC::DFG::Edge::isProved):
753             (JSC::DFG::Edge::needsCheck): Deleted.
754             * dfg/DFGNodeFlags.h:
755             * dfg/DFGPhantomCanonicalizationPhase.cpp: Added.
756             (JSC::DFG::PhantomCanonicalizationPhase::PhantomCanonicalizationPhase):
757             (JSC::DFG::PhantomCanonicalizationPhase::run):
758             (JSC::DFG::performPhantomCanonicalization):
759             * dfg/DFGPhantomCanonicalizationPhase.h: Added.
760             * dfg/DFGPhantomRemovalPhase.cpp:
761             (JSC::DFG::PhantomRemovalPhase::run):
762             * dfg/DFGPhantomRemovalPhase.h:
763             * dfg/DFGPlan.cpp:
764             (JSC::DFG::Plan::compileInThreadImpl):
765             * ftl/FTLLowerDFGToLLVM.cpp:
766             (JSC::FTL::LowerDFGToLLVM::lowJSValue):
767             (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
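The canonicalization described above, run on a toy SSA block, as an added example that is not part of this ChangeLog or of JavaScriptCore: `canonicalizePhantoms`, the `Op`/`Edge`/`Node` types and the `checked` flag are constructed stand-ins for the DFG's node and use-kind machinery, and the sample block is the entry's own three-node example.

```cpp
// Added example (not JavaScriptCore code): the Phantom canonicalization this
// entry describes, on a toy SSA block. Ops, edge kinds and the sample are
// constructed; "checked" stands for a checking use kind such as Int32:.
#include <set>
#include <string>
#include <vector>

enum class Op { ArithAdd, ArithSub, Phantom, Check };
struct Edge { int node; bool checked; };           // checked: the edge performs a type check
struct Node { int id; Op op; std::vector<Edge> edges; };

// nextId is the first unused node id, used for the Phantoms we create.
static std::vector<Node> canonicalizePhantoms(const std::vector<Node>& block, int nextId) {
    // Pass 1: collect every node that is the child of some Phantom.
    std::set<int> phantomChildren;
    for (const Node& n : block)
        if (n.op == Op::Phantom)
            for (const Edge& e : n.edges) phantomChildren.insert(e.node);
    // Pass 2: rewrite the block.
    std::vector<Node> out;
    for (const Node& n : block) {
        if (n.op == Op::Phantom) {
            // A Phantom becomes a Check that keeps only its checking edges.
            Node check{n.id, Op::Check, {}};
            for (const Edge& e : n.edges)
                if (e.checked) check.edges.push_back(e);
            out.push_back(check);
            continue;
        }
        out.push_back(n);
        // A former Phantom child gets exactly one Phantom, right after itself.
        if (phantomChildren.count(n.id))
            out.push_back(Node{nextId++, Op::Phantom, {Edge{n.id, false}}});
    }
    return out;
}

// Dumps a block in the "id: Op(@child, Kind:@child)" form the entry uses.
static std::string dump(const std::vector<Node>& block) {
    static const char* const names[] = { "ArithAdd", "ArithSub", "Phantom", "Check" };
    std::string s;
    for (const Node& n : block) {
        s += std::to_string(n.id) + ": " + names[static_cast<int>(n.op)] + "(";
        for (size_t i = 0; i < n.edges.size(); ++i) {
            if (i) s += ", ";
            s += (n.edges[i].checked ? "Int32:@" : "@") + std::to_string(n.edges[i].node);
        }
        s += ")\n";
    }
    return s;
}

// The entry's own example: @7 keeps @5 alive through a checking Int32: edge.
static std::vector<Node> buildExample() {
    return {
        Node{5, Op::ArithAdd, {Edge{1, false}, Edge{2, false}}},
        Node{6, Op::ArithSub, {Edge{5, false}, Edge{3, false}}},
        Node{7, Op::Phantom, {Edge{5, true}}},
    };
}
```

`dump(canonicalizePhantoms(buildExample(), 8))` reproduces the "after" listing in the entry, with the new Phantom numbered @8.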
768     
769     2014-07-22  Filip Pizlo  <fpizlo@apple.com>
770     
771             [ftlopt] Get rid of structure checks as a way of checking if a function is in fact a function
772             https://bugs.webkit.org/show_bug.cgi?id=135146
773     
774             Reviewed by Oliver Hunt.
775             
776             This greatly simplifies our closure call optimizations by taking advantage of the type
777             bits available in the cell header.
778     
779             * bytecode/CallLinkInfo.cpp:
780             (JSC::CallLinkInfo::visitWeak):
781             * bytecode/CallLinkStatus.cpp:
782             (JSC::CallLinkStatus::CallLinkStatus):
783             (JSC::CallLinkStatus::computeFor):
784             (JSC::CallLinkStatus::dump):
785             * bytecode/CallLinkStatus.h:
786             (JSC::CallLinkStatus::CallLinkStatus):
787             (JSC::CallLinkStatus::executable):
788             (JSC::CallLinkStatus::structure): Deleted.
789             * dfg/DFGByteCodeParser.cpp:
790             (JSC::DFG::ByteCodeParser::emitFunctionChecks):
791             * dfg/DFGFixupPhase.cpp:
792             (JSC::DFG::FixupPhase::fixupNode):
793             (JSC::DFG::FixupPhase::observeUseKindOnNode):
794             * dfg/DFGSafeToExecute.h:
795             (JSC::DFG::SafeToExecuteEdge::operator()):
796             * dfg/DFGSpeculativeJIT.cpp:
797             (JSC::DFG::SpeculativeJIT::checkArray):
798             (JSC::DFG::SpeculativeJIT::speculateCellTypeWithoutTypeFiltering):
799             (JSC::DFG::SpeculativeJIT::speculateCellType):
800             (JSC::DFG::SpeculativeJIT::speculateFunction):
801             (JSC::DFG::SpeculativeJIT::speculateFinalObject):
802             (JSC::DFG::SpeculativeJIT::speculate):
803             * dfg/DFGSpeculativeJIT.h:
804             * dfg/DFGSpeculativeJIT32_64.cpp:
805             (JSC::DFG::SpeculativeJIT::compile):
806             * dfg/DFGSpeculativeJIT64.cpp:
807             (JSC::DFG::SpeculativeJIT::compile):
808             * dfg/DFGUseKind.cpp:
809             (WTF::printInternal):
810             * dfg/DFGUseKind.h:
811             (JSC::DFG::typeFilterFor):
812             (JSC::DFG::isCell):
813             * ftl/FTLCapabilities.cpp:
814             (JSC::FTL::canCompile):
815             * ftl/FTLLowerDFGToLLVM.cpp:
816             (JSC::FTL::LowerDFGToLLVM::compileCheckExecutable):
817             (JSC::FTL::LowerDFGToLLVM::speculate):
818             (JSC::FTL::LowerDFGToLLVM::isFunction):
819             (JSC::FTL::LowerDFGToLLVM::isNotFunction):
820             (JSC::FTL::LowerDFGToLLVM::speculateFunction):
821             * jit/ClosureCallStubRoutine.cpp:
822             (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
823             (JSC::ClosureCallStubRoutine::markRequiredObjectsInternal):
824             * jit/ClosureCallStubRoutine.h:
825             (JSC::ClosureCallStubRoutine::structure): Deleted.
826             * jit/JIT.h:
827             (JSC::JIT::compileClosureCall): Deleted.
828             * jit/JITCall.cpp:
829             (JSC::JIT::privateCompileClosureCall): Deleted.
830             * jit/JITCall32_64.cpp:
831             (JSC::JIT::privateCompileClosureCall): Deleted.
832             * jit/JITOperations.cpp:
833             * jit/Repatch.cpp:
834             (JSC::linkClosureCall):
835             * jit/Repatch.h:
836     
837 2014-08-06  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>
838
839         [ARM] Incorrect handling of Unicode characters
840         https://bugs.webkit.org/show_bug.cgi?id=135380
841
842         Reviewed by Darin Adler.
843
844         Removed erroneous fast case from stringFromUTF(), since it assumed that 
845         char is always implemented as signed.
846
847         * jsc.cpp:
848         (stringFromUTF):
849
850 2014-08-06  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>
851
852         [JSC] Build fix for FTL on EFL after ftlopt merge
853         https://bugs.webkit.org/show_bug.cgi?id=135565
854
855         Reviewed by Mark Lam.
856
857         Adding an enable guard for native inlining, since it now requires the bitcode
858         emitted from Clang, and we don't have a good way of creating it from other compilers.
859
860         * dfg/DFGByteCodeParser.cpp:
861         (JSC::DFG::ByteCodeParser::handleCall):
862         * ftl/FTLLowerDFGToLLVM.cpp:
863         (JSC::FTL::LowerDFGToLLVM::compileNode):
864         * ftl/FTLState.cpp:
865         (JSC::FTL::State::State):
866         * ftl/FTLState.h:
867
868 2014-08-05  Csaba Osztrogonác  <ossy@webkit.org>
869
870         URTBF after r172129. (ftlopt branch merge)
871
872         Remove the duplicated friend declaration to fix this build failure:
873         "error: ‘JSC::Structure’ is already a friend of ‘JSC::StructureRareData’ [-Werror]"
874
875         * runtime/StructureRareData.h:
876
877 2014-08-05  Filip Pizlo  <fpizlo@apple.com>
878
879         Attempt to fix CMake-based builds, part 3.
880
881         * CMakeLists.txt:
882
883 2014-08-05  Filip Pizlo  <fpizlo@apple.com>
884
885         Attempt to fix CMake-based builds, part 2.
886
887         * CMakeLists.txt:
888
889 2014-08-05  Filip Pizlo  <fpizlo@apple.com>
890
891         Attempt to fix Windows build, part 2.
892
893         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
894
895 2014-08-05  Filip Pizlo  <fpizlo@apple.com>
896
897         Attempt to fix CMake-based builds.
898
899         * CMakeLists.txt:
900
901 2014-08-05  Filip Pizlo  <fpizlo@apple.com>
902
903         Attempt to fix Windows build.
904
905         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
906
907 2014-08-05  Filip Pizlo  <fpizlo@apple.com>
908
909         Fix cloop build.
910
911         * bytecode/CodeBlock.cpp:
912         (JSC::CodeBlock::jettison):
913
914 2014-07-29  Filip Pizlo  <fpizlo@apple.com>
915
916         Merge r170564, r170571, r170604, r170628, r170672, r170680, r170724, r170728, r170729, r170819, r170821, r170836, r170855, r170860, r170890, r170907, r170929, r171052, r171106, r171152, r171153, r171214 from ftlopt.
917
918         This part of the merge delivers roughly a 2% across-the-board performance
919         improvement, mostly due to immutable property inference and DFG-side GCSE. It also
920         almost completely resolves accessor performance issues; in the common case the DFG
921         will compile a getter/setter access into code that is just as efficient as a normal
922         property access.
923         
924         Another major highlight of this part of the merge is the work to add a type profiler
925         to the inspector. This work is still on-going but this greatly increases coverage.
926
927         Note that this merge fixes a minor bug in the GetterSetter refactoring from
928         http://trac.webkit.org/changeset/170729 (https://bugs.webkit.org/show_bug.cgi?id=134518).
929         It also adds new tests to tests/stress to cover that bug. That bug was previously only
930         covered by layout tests.
931
932     2014-07-17  Filip Pizlo  <fpizlo@apple.com>
933     
934             [ftlopt] DFG Flush(SetLocal) store elimination is overzealous for captured variables in the presence of nodes that have no effects but may throw (merge trunk r171190)
935             https://bugs.webkit.org/show_bug.cgi?id=135019
936     
937             Reviewed by Oliver Hunt.
938             
939             Behaviorally, this is just a merge of trunk r171190, except that the relevant functionality
940             has moved to StrengthReductionPhase and is written in a different style. Same algorithm,
941             different code.
942     
943             * dfg/DFGNodeType.h:
944             * dfg/DFGStrengthReductionPhase.cpp:
945             (JSC::DFG::StrengthReductionPhase::handleNode):
946             * tests/stress/capture-escape-and-throw.js: Added.
947             (foo.f):
948             (foo):
949             * tests/stress/new-array-with-size-throw-exception-and-tear-off-arguments.js: Added.
950             (foo):
951             (bar):
952     
953     2014-07-15  Filip Pizlo  <fpizlo@apple.com>
954     
955             [ftlopt] Constant fold GetGetter and GetSetter if the GetterSetter is a constant
956             https://bugs.webkit.org/show_bug.cgi?id=134962
957     
958             Reviewed by Oliver Hunt.
959             
960             This removes yet another steady-state-throughput implication of using getters and setters:
961             if your accessor call is monomorphic then you'll just get a structure check, nothing more.
962             No more loads to get to the GetterSetter object or the accessor function object.
963     
964             * dfg/DFGAbstractInterpreterInlines.h:
965             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
966             * runtime/GetterSetter.h:
967             (JSC::GetterSetter::getterConcurrently):
968             (JSC::GetterSetter::setGetter):
969             (JSC::GetterSetter::setterConcurrently):
970             (JSC::GetterSetter::setSetter):
971     
972     2014-07-15  Filip Pizlo  <fpizlo@apple.com>
973     
974             [ftlopt] Identity replacement in CSE shouldn't create a Phantom over the Identity's children
975             https://bugs.webkit.org/show_bug.cgi?id=134893
976     
977             Reviewed by Oliver Hunt.
978             
979             Replace Identity with Check instead of Phantom. Phantom means that the child of the
980             Identity should be unconditionally live. The liveness semantics of Identity are such that
981             if the parents of Identity are live then the child is live. Removing the Identity entirely
982             preserves such liveness semantics. So, the only thing that should be left behind is the
983             type check on the child, which is what Check means: do the check but don't keep the child
984             alive if the check isn't needed.
985     
986             * dfg/DFGCSEPhase.cpp:
987             * dfg/DFGNode.h:
988             (JSC::DFG::Node::convertToCheck):
989     
990     2014-07-13  Filip Pizlo  <fpizlo@apple.com>
991     
992             [ftlopt] DFG should be able to do GCSE in SSA and this should be unified with the CSE in CPS, and both of these things should use abstract heaps for reasoning about effects
993             https://bugs.webkit.org/show_bug.cgi?id=134677
994     
995             Reviewed by Sam Weinig.
996             
997             This removes the old local CSE phase, which was based on manually written backward-search 
998             rules for all of the different kinds of things we cared about, and adds a new local/global
999             CSE (local for CPS and global for SSA) that leaves the node semantics almost entirely up to
1000             clobberize(). Thus, the CSE phase itself just worries about the algorithms and data
1001             structures used for storing sets of available values. This results in a large reduction in
1002             code size in CSEPhase.cpp while greatly increasing the phase's power (since it now does
1003             global CSE) and reducing compile time (since local CSE is now rewritten to use smarter data
1004             structures). Even though LLVM was already running GVN, the extra GCSE at DFG IR level means
1005             that this is a significant (~0.7%) throughput improvement.
1006             
1007             This work is based on the concept of "def" to clobberize(). If clobberize() calls def(), it
1008             means that the node being analyzed makes available some value in some DFG node, and that
1009             future attempts to compute that value can simply use that node. In other words, it
1010             establishes an available value mapping of the form value=>node. There are two kinds of
1011             values that can be passed to def():
1012             
1013             PureValue. This captures everything needed to determine whether two pure nodes - nodes that
1014                 neither read nor write, and produce a value that is a CSE candidate - are identical. It
1015                 carries the NodeType, an AdjacencyList, and one word of meta-data. The meta-data is
1016                 usually used for things like the arithmetic mode or constant pointer. Passing a
1017                 PureValue to def() means that the node produces a value that is valid anywhere that the
1018                 node dominates.
1019             
1020             HeapLocation. This describes a location in the heap that could be written to or read from.
1021                 Both stores and loads can def() a HeapLocation. HeapLocation carries around an abstract
1022                 heap that both serves as part of the "name" of the heap location (together with the
1023                 other fields of HeapLocation) and also tells us what write()'s to watch for. If someone
1024                 write()'s to an abstract heap that overlaps the heap associated with the HeapLocation,
1025                 then it means that the values for that location are no longer available.
1026             
1027             This approach is sufficiently clever that the CSEPhase itself can focus on the mechanism of
1028             tracking the PureValue=>node and HeapLocation=>node maps, without having to worry about
1029             interpreting the semantics of different DFG node types - that is now almost entirely in
1030             clobberize(). The only things we special-case inside CSEPhase are the Identity node, which
1031             CSE is traditionally responsible for eliminating even though it has nothing to do with CSE,
1032             and the LocalCSE rule for turning PutByVal into PutByValAlias.
1033             
1034             This is a slight Octane, SunSpider, and Kraken speed-up - all somewhere around 0.7%. It's
1035             not a bigger win because LLVM was already giving us most of what we needed in its GVN.
1036             Also, the SunSpider speed-up isn't from GCSE as much as it's a clean-up of local CSE - that
1037             is no longer O(n^2). Basically this is purely good: it reduces the amount of LLVM IR we
1038             generate, it removes the old CSE's heap modeling (which was a constant source of bugs), and
1039             it improves both the quality of the code we generate and the speed with which we generate
1040             it. Also, any future optimizations that depend on GCSE will now be easier to implement.
1041             
1042             During the development of this patch I also rationalized some other stuff, like Graph's
1043             ordered traversals - we now have preorder and postorder rather than just "depth first".
1044     
1045             * CMakeLists.txt:
1046             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1047             * JavaScriptCore.xcodeproj/project.pbxproj:
1048             * dfg/DFGAbstractHeap.h:
1049             * dfg/DFGAdjacencyList.h:
1050             (JSC::DFG::AdjacencyList::hash):
1051             (JSC::DFG::AdjacencyList::operator==):
1052             * dfg/DFGBasicBlock.h:
1053             * dfg/DFGCSEPhase.cpp:
1054             (JSC::DFG::performLocalCSE):
1055             (JSC::DFG::performGlobalCSE):
1056             (JSC::DFG::CSEPhase::CSEPhase): Deleted.
1057             (JSC::DFG::CSEPhase::run): Deleted.
1058             (JSC::DFG::CSEPhase::endIndexForPureCSE): Deleted.
1059             (JSC::DFG::CSEPhase::pureCSE): Deleted.
1060             (JSC::DFG::CSEPhase::constantCSE): Deleted.
1061             (JSC::DFG::CSEPhase::constantStoragePointerCSE): Deleted.
1062             (JSC::DFG::CSEPhase::getCalleeLoadElimination): Deleted.
1063             (JSC::DFG::CSEPhase::getArrayLengthElimination): Deleted.
1064             (JSC::DFG::CSEPhase::globalVarLoadElimination): Deleted.
1065             (JSC::DFG::CSEPhase::scopedVarLoadElimination): Deleted.
1066             (JSC::DFG::CSEPhase::varInjectionWatchpointElimination): Deleted.
1067             (JSC::DFG::CSEPhase::getByValLoadElimination): Deleted.
1068             (JSC::DFG::CSEPhase::checkFunctionElimination): Deleted.
1069             (JSC::DFG::CSEPhase::checkExecutableElimination): Deleted.
1070             (JSC::DFG::CSEPhase::checkStructureElimination): Deleted.
1071             (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination): Deleted.
1072             (JSC::DFG::CSEPhase::getByOffsetLoadElimination): Deleted.
1073             (JSC::DFG::CSEPhase::getGetterSetterByOffsetLoadElimination): Deleted.
1074             (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination): Deleted.
1075             (JSC::DFG::CSEPhase::checkArrayElimination): Deleted.
1076             (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination): Deleted.
1077             (JSC::DFG::CSEPhase::getInternalFieldLoadElimination): Deleted.
1078             (JSC::DFG::CSEPhase::getMyScopeLoadElimination): Deleted.
1079             (JSC::DFG::CSEPhase::getLocalLoadElimination): Deleted.
1080             (JSC::DFG::CSEPhase::invalidationPointElimination): Deleted.
1081             (JSC::DFG::CSEPhase::setReplacement): Deleted.
1082             (JSC::DFG::CSEPhase::eliminate): Deleted.
1083             (JSC::DFG::CSEPhase::performNodeCSE): Deleted.
1084             (JSC::DFG::CSEPhase::performBlockCSE): Deleted.
1085             (JSC::DFG::performCSE): Deleted.
1086             * dfg/DFGCSEPhase.h:
1087             * dfg/DFGClobberSet.cpp:
1088             (JSC::DFG::addReads):
1089             (JSC::DFG::addWrites):
1090             (JSC::DFG::addReadsAndWrites):
1091             (JSC::DFG::readsOverlap):
1092             (JSC::DFG::writesOverlap):
1093             * dfg/DFGClobberize.cpp:
1094             (JSC::DFG::doesWrites):
1095             (JSC::DFG::accessesOverlap):
1096             (JSC::DFG::writesOverlap):
1097             * dfg/DFGClobberize.h:
1098             (JSC::DFG::clobberize):
1099             (JSC::DFG::NoOpClobberize::operator()):
1100             (JSC::DFG::CheckClobberize::operator()):
1101             (JSC::DFG::ReadMethodClobberize::ReadMethodClobberize):
1102             (JSC::DFG::ReadMethodClobberize::operator()):
1103             (JSC::DFG::WriteMethodClobberize::WriteMethodClobberize):
1104             (JSC::DFG::WriteMethodClobberize::operator()):
1105             (JSC::DFG::DefMethodClobberize::DefMethodClobberize):
1106             (JSC::DFG::DefMethodClobberize::operator()):
1107             * dfg/DFGDCEPhase.cpp:
1108             (JSC::DFG::DCEPhase::run):
1109             (JSC::DFG::DCEPhase::fixupBlock):
1110             * dfg/DFGGraph.cpp:
1111             (JSC::DFG::Graph::getBlocksInPreOrder):
1112             (JSC::DFG::Graph::getBlocksInPostOrder):
1113             (JSC::DFG::Graph::addForDepthFirstSort): Deleted.
1114             (JSC::DFG::Graph::getBlocksInDepthFirstOrder): Deleted.
1115             * dfg/DFGGraph.h:
1116             * dfg/DFGHeapLocation.cpp: Added.
1117             (JSC::DFG::HeapLocation::dump):
1118             (WTF::printInternal):
1119             * dfg/DFGHeapLocation.h: Added.
1120             (JSC::DFG::HeapLocation::HeapLocation):
1121             (JSC::DFG::HeapLocation::operator!):
1122             (JSC::DFG::HeapLocation::kind):
1123             (JSC::DFG::HeapLocation::heap):
1124             (JSC::DFG::HeapLocation::base):
1125             (JSC::DFG::HeapLocation::index):
1126             (JSC::DFG::HeapLocation::hash):
1127             (JSC::DFG::HeapLocation::operator==):
1128             (JSC::DFG::HeapLocation::isHashTableDeletedValue):
1129             (JSC::DFG::HeapLocationHash::hash):
1130             (JSC::DFG::HeapLocationHash::equal):
1131             * dfg/DFGLICMPhase.cpp:
1132             (JSC::DFG::LICMPhase::run):
1133             * dfg/DFGNode.h:
1134             (JSC::DFG::Node::replaceWith):
1135             (JSC::DFG::Node::convertToPhantomUnchecked): Deleted.
1136             * dfg/DFGPlan.cpp:
1137             (JSC::DFG::Plan::compileInThreadImpl):
1138             * dfg/DFGPureValue.cpp: Added.
1139             (JSC::DFG::PureValue::dump):
1140             * dfg/DFGPureValue.h: Added.
1141             (JSC::DFG::PureValue::PureValue):
1142             (JSC::DFG::PureValue::operator!):
1143             (JSC::DFG::PureValue::op):
1144             (JSC::DFG::PureValue::children):
1145             (JSC::DFG::PureValue::info):
1146             (JSC::DFG::PureValue::hash):
1147             (JSC::DFG::PureValue::operator==):
1148             (JSC::DFG::PureValue::isHashTableDeletedValue):
1149             (JSC::DFG::PureValueHash::hash):
1150             (JSC::DFG::PureValueHash::equal):
1151             * dfg/DFGSSAConversionPhase.cpp:
1152             (JSC::DFG::SSAConversionPhase::run):
1153             * ftl/FTLLowerDFGToLLVM.cpp:
1154             (JSC::FTL::LowerDFGToLLVM::lower):
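The def()/write() structure this entry describes, as an added example that is not JavaScriptCore code: a toy local CSE in which `clobberize` states only what each op writes and defs, and the phase itself only maintains the PureValue and HeapLocation maps, so it covers pure-value reuse, store-to-load forwarding and invalidation by an overlapping write() in one pass. The op set, the two abstract heaps, `performLocalCSE` and the sample block are constructed for illustration.

```cpp
// Added example (not JavaScriptCore code): a toy local CSE in the style this
// entry describes. The phase only keeps PureValue=>node and HeapLocation=>node
// maps; what each op writes and defs lives in a clobberize()-like function.
// The ops, abstract heaps and the sample block are all constructed.
#include <map>
#include <tuple>
#include <utility>
#include <vector>

enum class Op { GetArgument, ArithAdd, GetByOffset, PutByOffset, Call };
enum class Heap { World, NamedProperties };

struct Node {
    int id;                     // @id as in DFG dumps
    Op op;
    std::vector<int> children;  // child node ids (the AdjacencyList)
    int info;                   // one word of meta-data: argument index or property offset
    int replacement;            // node to use instead once CSE eliminates this one, else -1
};

// Abstract heaps: World overlaps everything, any other heap only itself.
static bool heapsOverlap(Heap a, Heap b) {
    return a == Heap::World || b == Heap::World || a == b;
}

// PureValue: (op, children, meta-data). Equal PureValues are the same value anywhere the node dominates.
typedef std::tuple<Op, std::vector<int>, int> PureValue;
// HeapLocation: (heap, base node, offset). The heap is part of the name and says which write()s clobber it.
typedef std::tuple<Heap, int, int> HeapLocation;

// clobberize(): each op is described only through write() and def().
template<typename Write, typename DefPure, typename DefHeap>
static void clobberize(const Node& n, Write write, DefPure defPure, DefHeap defHeap) {
    switch (n.op) {
    case Op::GetArgument:
        defPure(PureValue(n.op, n.children, n.info));
        break;
    case Op::ArithAdd:
        defPure(PureValue(n.op, n.children, 0));
        break;
    case Op::GetByOffset:  // load: this node becomes the available value of the location
        defHeap(HeapLocation(Heap::NamedProperties, n.children[0], n.info), n.id);
        break;
    case Op::PutByOffset:  // store: clobber first, then the stored child is the available value
        write(Heap::NamedProperties);
        defHeap(HeapLocation(Heap::NamedProperties, n.children[0], n.info), n.children[1]);
        break;
    case Op::Call:         // arbitrary code: may write anything
        write(Heap::World);
        break;
    }
}

// Local CSE over one block: records each redundant node's replacement in
// Node::replacement and returns how many nodes were eliminated.
static int performLocalCSE(std::vector<Node>& block) {
    std::map<PureValue, int> pureMap;     // PureValue => node holding it
    std::map<HeapLocation, int> heapMap;  // HeapLocation => node holding its value
    std::map<int, int> replacements;      // eliminated node => its replacement
    for (Node& n : block) {
        // Substitute already-eliminated children so later PureValues compare equal.
        for (int& c : n.children)
            if (replacements.count(c)) c = replacements[c];
        auto eliminate = [&](int by) { n.replacement = by; replacements[n.id] = by; };
        auto write = [&](Heap h) {
            // Every location whose heap overlaps the written heap is no longer available.
            for (auto it = heapMap.begin(); it != heapMap.end();) {
                if (heapsOverlap(h, std::get<0>(it->first))) heapMap.erase(it++);
                else ++it;
            }
        };
        auto defPure = [&](const PureValue& v) {
            auto res = pureMap.insert(std::make_pair(v, n.id));
            if (!res.second) eliminate(res.first->second);  // value already computed earlier
        };
        auto defHeap = [&](const HeapLocation& loc, int valueNode) {
            auto it = heapMap.find(loc);
            if (it != heapMap.end() && valueNode == n.id) eliminate(it->second);  // load still available
            else heapMap[loc] = valueNode;  // first load of the location, or a store
        };
        clobberize(n, write, defPure, defHeap);
    }
    return static_cast<int>(replacements.size());
}

// Constructed sample block, roughly: o.f + o.f; o.f = sum; o.f; call(); o.f
static std::vector<Node> buildExampleBlock() {
    return {
        Node{1, Op::GetArgument, {}, 0, -1},      // @1: o
        Node{2, Op::GetByOffset, {1}, 3, -1},     // @2: o.f
        Node{3, Op::GetByOffset, {1}, 3, -1},     // @3: o.f again, replaced by @2
        Node{4, Op::ArithAdd, {2, 3}, 0, -1},     // @4: @2 + @3, children become @2, @2
        Node{5, Op::ArithAdd, {2, 2}, 0, -1},     // @5: same PureValue as @4, replaced by @4
        Node{6, Op::PutByOffset, {1, 4}, 3, -1},  // @6: o.f = @4; the location now holds @4
        Node{7, Op::GetByOffset, {1}, 3, -1},     // @7: forwarded from the store, replaced by @4
        Node{8, Op::Call, {1}, 0, -1},            // @8: write(World) clobbers every location
        Node{9, Op::GetByOffset, {1}, 3, -1},     // @9: must really load again
    };
}
```

Running `performLocalCSE` over `buildExampleBlock()` eliminates @3, @5 and @7 and leaves @9 alone, because the Call's write(World) overlaps the NamedProperties heap that names @9's location.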
1155     
1156     2014-07-13  Filip Pizlo  <fpizlo@apple.com>
1157     
1158             Unreviewed, revert unintended change in r171051.
1159     
1160             * dfg/DFGCSEPhase.cpp:
1161     
1162     2014-07-08  Filip Pizlo  <fpizlo@apple.com>
1163     
1164             [ftlopt] Move Flush(SetLocal) store elimination to StrengthReductionPhase
1165             https://bugs.webkit.org/show_bug.cgi?id=134739
1166     
1167             Reviewed by Mark Hahnenberg.
1168             
1169             I'm going to streamline CSE around clobberize() as part of
1170             https://bugs.webkit.org/show_bug.cgi?id=134677, and so Flush(SetLocal) store
1171             elimination wouldn't belong in CSE anymore. It doesn't quite belong anywhere, which
1172             means that it belongs in StrengthReductionPhase, since that's intended to be our
1173             dumping ground.
1174             
1175             To do this I had to add some missing smarts to clobberize(). Previously clobberize()
1176             could play a bit loose with reads of Variables because it wasn't used for store
1177             elimination. The main client of read() was LICM, but it would only use it to
1178             determine hoistability and anything that did a write() was not hoistable - so, we had
1179             benign (but still wrong) missing read() calls in places that did write()s. This fixes
1180             a bunch of those cases.
1181     
1182             * dfg/DFGCSEPhase.cpp:
1183             (JSC::DFG::CSEPhase::performNodeCSE):
1184             (JSC::DFG::CSEPhase::setLocalStoreElimination): Deleted.
1185             * dfg/DFGClobberize.cpp:
1186             (JSC::DFG::accessesOverlap):
1187             * dfg/DFGClobberize.h:
1188             (JSC::DFG::clobberize): Make clobberize() smart enough for detecting when this store elimination would be sound.
1189             * dfg/DFGStrengthReductionPhase.cpp:
1190             (JSC::DFG::StrengthReductionPhase::handleNode): Implement the store elimination in terms of clobberize().
1191     
1192     2014-07-08  Filip Pizlo  <fpizlo@apple.com>
1193     
1194             [ftlopt] Phantom simplification should be in its own phase
1195             https://bugs.webkit.org/show_bug.cgi?id=134742
1196     
1197             Reviewed by Geoffrey Garen.
1198             
1199             This moves Phantom simplification out of CSE, which greatly simplifies CSE and gives it
1200             more focus. Also this finally adds a phase that removes empty Phantoms. We sort of had
1201             this in CPSRethreading, but that phase runs too infrequently and doesn't run at all for
1202             SSA.
1203     
1204             * CMakeLists.txt:
1205             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1206             * JavaScriptCore.xcodeproj/project.pbxproj:
1207             * dfg/DFGAdjacencyList.h:
1208             * dfg/DFGCSEPhase.cpp:
1209             (JSC::DFG::CSEPhase::run):
1210             (JSC::DFG::CSEPhase::setReplacement):
1211             (JSC::DFG::CSEPhase::eliminate):
1212             (JSC::DFG::CSEPhase::performNodeCSE):
1213             (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren): Deleted.
1214             * dfg/DFGPhantomRemovalPhase.cpp: Added.
1215             (JSC::DFG::PhantomRemovalPhase::PhantomRemovalPhase):
1216             (JSC::DFG::PhantomRemovalPhase::run):
1217             (JSC::DFG::performCleanUp):
1218             * dfg/DFGPhantomRemovalPhase.h: Added.
1219             * dfg/DFGPlan.cpp:
1220             (JSC::DFG::Plan::compileInThreadImpl):
1221     
1222     2014-07-08  Filip Pizlo  <fpizlo@apple.com>
1223     
1224             [ftlopt] Get rid of Node::misc by moving the fields out of the union so that you can use replacement and owner simultaneously
1225             https://bugs.webkit.org/show_bug.cgi?id=134730
1226     
1227             Reviewed by Mark Lam.
1228             
1229             This will allow for a better GCSE implementation.
1230     
1231             * dfg/DFGCPSRethreadingPhase.cpp:
1232             (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
1233             * dfg/DFGCSEPhase.cpp:
1234             (JSC::DFG::CSEPhase::setReplacement):
1235             * dfg/DFGEdgeDominates.h:
1236             (JSC::DFG::EdgeDominates::operator()):
1237             * dfg/DFGGraph.cpp:
1238             (JSC::DFG::Graph::clearReplacements):
1239             (JSC::DFG::Graph::initializeNodeOwners):
1240             * dfg/DFGGraph.h:
1241             (JSC::DFG::Graph::performSubstitutionForEdge):
1242             * dfg/DFGLICMPhase.cpp:
1243             (JSC::DFG::LICMPhase::attemptHoist):
1244             * dfg/DFGNode.h:
1245             (JSC::DFG::Node::Node):
1246             * dfg/DFGSSAConversionPhase.cpp:
1247             (JSC::DFG::SSAConversionPhase::run):
1248     
1249     2014-07-04  Filip Pizlo  <fpizlo@apple.com>
1250     
1251             [ftlopt] Infer immutable object properties
1252             https://bugs.webkit.org/show_bug.cgi?id=134567
1253     
1254             Reviewed by Mark Hahnenberg.
1255             
1256             This introduces a new way of inferring immutable object properties. A property is said to
1257             be immutable if after its creation (i.e. the transition that creates it), we never
1258             overwrite it (i.e. replace it) or delete it. Immutability is a property of an "own
1259             property" - so if we say that "f" is immutable at "o" then we are implying that "o" has "f"
1260             directly and not on a prototype. More specifically, the immutability inference will prove
1261             that a property on some structure is immutable. This means that, for example, we may have a
1262             structure S1 with property "f" where we claim that "f" at S1 is immutable, but S1 has a
1263             transition to S2 that adds a new property "g" and we may claim that "f" at S2 is actually
1264             mutable. This is mainly for convenience; it allows us to decouple immutability logic from
1265             transition logic. Immutability can be used to constant-fold accesses to objects at
1266             DFG-time. The DFG needs to prove the following to constant-fold the access:
1267             
1268             - The base of the access must be a constant object pointer. We prove that a property at a
1269               structure is immutable, but that says nothing of its value; each actual instance of that
1270               property may have a different value. So, a constant object pointer is needed to get an
1271               actual constant instance of the immutable value.
1272             
1273             - A check (or watchpoint) must have been emitted proving that the object has a structure
1274               that allows loading the property in question.
1275             
1276             - The replacement watchpoint set of the property in the structure that we've proven the
1277               object to have is still valid and we add a watchpoint to it lazily. The replacement
1278               watchpoint set is the key new mechanism that this change adds. It's possible that we have
1279               proven that the object has one of many structures, in which case each of those structures
1280               needs a valid replacement watchpoint set.
1281             
1282             The replacement watchpoint set is created the first time that any access to the property is
1283             cached. A put replace cache will create, and immediately invalidate, the watchpoint set. A
1284             get cache will create the watchpoint set and make it start watching. Any non-cached put
1285             access will invalidate the watchpoint set if one had been created; the underlying algorithm
1286             ensures that checking for the existence of a replacement watchpoint set is very fast in the
1287             common case. This algorithm ensures that no cached access needs to ever do any work to
1288             invalidate, or check the validity of, any replacement watchpoint sets. It also has some
1289             other nice properties:
1290             
1291             - It's very robust in its definition of immutability. The strictest that it will ever be is
1292               that for any instance of the object, the property must be written to only once,
1293               specifically at the time that the property is created. But it's looser than this in
1294               practice. For example, the property may be written to any number of times before we add
1295               the final property that the object will have before anyone reads the property; this works
1296               since for optimization purposes we only care if we detect immutability on the structure
1297               that the object will have when it is most frequently read from, not any previous
1298               structure that the object had. Also, we may write to the property any number of times
1299               before anyone caches accesses to it.
1300             
1301             - It is mostly orthogonal to structure transitions. No new structures need to be created to
1302               track the immutability of a property. Hence, there is no risk from this feature causing
1303               more polymorphism. This is different from the previous "specificValue" constant
1304               inference, which did cause additional structures to be created and sometimes those
1305               structures led to fake polymorphism. This feature does leverage existing transitions to
1306               do some of the watchpointing: property deletions don't fire the replacement watchpoint
1307               set because that would cause a new structure and so the mandatory structure check would
1308               fail. Also, this feature is guaranteed to never kick in for uncacheable dictionaries
1309               because those wouldn't allow for cacheable accesses - and it takes a cacheable access for
1310               this feature to be enabled.
1311             
1312             - No memory overhead is incurred except when accesses to the property are cached.
1313               Dictionary properties will typically have no meta-data for immutability. The number of
1314               replacement watchpoint sets we allocate is proportional to the number of inline caches in
1315               the program, which is typically much smaller than the number of structures or even the
1316               number of objects.
1317             
1318             This inference is far more powerful than the previous "specificValue" inference, so this
1319             change also removes all of that code. It's interesting that the amount of code that is
1320             changed to remove that feature is almost as big as the amount of code added to support the
1321             new inference - and that's if you include the new tests in the tally. Without new tests,
1322             it appears that the new feature actually touches less code!
1323             
1324             There is one corner case where the previous "specificValue" inference was more powerful.
1325             You can imagine someone creating objects with functions as self properties on those
1326             objects, such that each object instance had the same function pointers - essentially,
1327             someone might be trying to create a vtable but failing at the whole "one vtable for many
1328             instances" concept. The "specificValue" inference would do very well for such programs,
1329             because a structure check would be sufficient to prove a constant value for all of the
1330             function properties. This new inference will fail because it doesn't track the constant
1331             values of constant properties; instead it detects the immutability of otherwise variable
1332             properties (in the sense that each instance of the property may have a different value).
1333             So, the new inference requires having a particular object instance to actually get the
1334             constant value. I think it's OK to lose this antifeature. It took a lot of code to support
1335             and was a constant source of grief in our transition logic, and there doesn't appear to be
1336             any real evidence that programs benefited from that particular kind of inference since
1337             usually it's the singleton prototype instance that has all of the functions.
1338             
1339             This change is a speed-up on everything. date-format-xparb and both SunSpider/raytrace and
1340             V8/raytrace seem to be the biggest winners among the macrobenchmarks; they see >5%
1341             speed-ups. Many of our microbenchmarks see very large performance improvements, even 80% in
1342             one case.
1343     
1344             * bytecode/ComplexGetStatus.cpp:
1345             (JSC::ComplexGetStatus::computeFor):
1346             * bytecode/GetByIdStatus.cpp:
1347             (JSC::GetByIdStatus::computeFromLLInt):
1348             (JSC::GetByIdStatus::computeForStubInfo):
1349             (JSC::GetByIdStatus::computeFor):
1350             * bytecode/GetByIdVariant.cpp:
1351             (JSC::GetByIdVariant::GetByIdVariant):
1352             (JSC::GetByIdVariant::operator=):
1353             (JSC::GetByIdVariant::attemptToMerge):
1354             (JSC::GetByIdVariant::dumpInContext):
1355             * bytecode/GetByIdVariant.h:
1356             (JSC::GetByIdVariant::alternateBase):
1357             (JSC::GetByIdVariant::specificValue): Deleted.
1358             * bytecode/PutByIdStatus.cpp:
1359             (JSC::PutByIdStatus::computeForStubInfo):
1360             (JSC::PutByIdStatus::computeFor):
1361             * bytecode/PutByIdVariant.cpp:
1362             (JSC::PutByIdVariant::operator=):
1363             (JSC::PutByIdVariant::setter):
1364             (JSC::PutByIdVariant::dumpInContext):
1365             * bytecode/PutByIdVariant.h:
1366             (JSC::PutByIdVariant::specificValue): Deleted.
1367             * bytecode/Watchpoint.cpp:
1368             (JSC::WatchpointSet::fireAllSlow):
1369             (JSC::WatchpointSet::fireAll): Deleted.
1370             * bytecode/Watchpoint.h:
1371             (JSC::WatchpointSet::fireAll):
1372             * dfg/DFGAbstractInterpreterInlines.h:
1373             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1374             * dfg/DFGByteCodeParser.cpp:
1375             (JSC::DFG::ByteCodeParser::handleGetByOffset):
1376             (JSC::DFG::ByteCodeParser::handleGetById):
1377             (JSC::DFG::ByteCodeParser::handlePutById):
1378             (JSC::DFG::ByteCodeParser::parseBlock):
1379             * dfg/DFGConstantFoldingPhase.cpp:
1380             (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
1381             * dfg/DFGFixupPhase.cpp:
1382             (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
1383             (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
1384             * dfg/DFGGraph.cpp:
1385             (JSC::DFG::Graph::tryGetConstantProperty):
1386             (JSC::DFG::Graph::visitChildren):
1387             * dfg/DFGGraph.h:
1388             * dfg/DFGWatchableStructureWatchingPhase.cpp:
1389             (JSC::DFG::WatchableStructureWatchingPhase::run):
1390             * ftl/FTLLowerDFGToLLVM.cpp:
1391             (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
1392             * jit/JITOperations.cpp:
1393             * jit/Repatch.cpp:
1394             (JSC::repatchByIdSelfAccess):
1395             (JSC::generateByIdStub):
1396             (JSC::tryCacheGetByID):
1397             (JSC::tryCachePutByID):
1398             (JSC::tryBuildPutByIdList):
1399             * llint/LLIntSlowPaths.cpp:
1400             (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1401             (JSC::LLInt::putToScopeCommon):
1402             * runtime/CommonSlowPaths.h:
1403             (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
1404             * runtime/IntendedStructureChain.cpp:
1405             (JSC::IntendedStructureChain::mayInterceptStoreTo):
1406             * runtime/JSCJSValue.cpp:
1407             (JSC::JSValue::putToPrimitive):
1408             * runtime/JSGlobalObject.cpp:
1409             (JSC::JSGlobalObject::reset):
1410             * runtime/JSObject.cpp:
1411             (JSC::JSObject::put):
1412             (JSC::JSObject::putDirectNonIndexAccessor):
1413             (JSC::JSObject::deleteProperty):
1414             (JSC::JSObject::defaultValue):
1415             (JSC::getCallableObjectSlow): Deleted.
1416             (JSC::JSObject::getPropertySpecificValue): Deleted.
1417             * runtime/JSObject.h:
1418             (JSC::JSObject::getDirect):
1419             (JSC::JSObject::getDirectOffset):
1420             (JSC::JSObject::inlineGetOwnPropertySlot):
1421             (JSC::JSObject::putDirectInternal):
1422             (JSC::JSObject::putOwnDataProperty):
1423             (JSC::JSObject::putDirect):
1424             (JSC::JSObject::putDirectWithoutTransition):
1425             (JSC::getCallableObject): Deleted.
1426             * runtime/JSScope.cpp:
1427             (JSC::abstractAccess):
1428             * runtime/PropertyMapHashTable.h:
1429             (JSC::PropertyMapEntry::PropertyMapEntry):
1430             (JSC::PropertyTable::copy):
1431             * runtime/PropertyTable.cpp:
1432             (JSC::PropertyTable::clone):
1433             (JSC::PropertyTable::PropertyTable):
1434             (JSC::PropertyTable::visitChildren): Deleted.
1435             * runtime/Structure.cpp:
1436             (JSC::Structure::Structure):
1437             (JSC::Structure::materializePropertyMap):
1438             (JSC::Structure::addPropertyTransitionToExistingStructureImpl):
1439             (JSC::Structure::addPropertyTransitionToExistingStructure):
1440             (JSC::Structure::addPropertyTransitionToExistingStructureConcurrently):
1441             (JSC::Structure::addPropertyTransition):
1442             (JSC::Structure::changePrototypeTransition):
1443             (JSC::Structure::attributeChangeTransition):
1444             (JSC::Structure::toDictionaryTransition):
1445             (JSC::Structure::preventExtensionsTransition):
1446             (JSC::Structure::takePropertyTableOrCloneIfPinned):
1447             (JSC::Structure::nonPropertyTransition):
1448             (JSC::Structure::addPropertyWithoutTransition):
1449             (JSC::Structure::allocateRareData):
1450             (JSC::Structure::ensurePropertyReplacementWatchpointSet):
1451             (JSC::Structure::startWatchingPropertyForReplacements):
1452             (JSC::Structure::didCachePropertyReplacement):
1453             (JSC::Structure::startWatchingInternalProperties):
1454             (JSC::Structure::copyPropertyTable):
1455             (JSC::Structure::copyPropertyTableForPinning):
1456             (JSC::Structure::getConcurrently):
1457             (JSC::Structure::get):
1458             (JSC::Structure::add):
1459             (JSC::Structure::visitChildren):
1460             (JSC::Structure::prototypeChainMayInterceptStoreTo):
1461             (JSC::Structure::dump):
1462             (JSC::Structure::despecifyDictionaryFunction): Deleted.
1463             (JSC::Structure::despecifyFunctionTransition): Deleted.
1464             (JSC::Structure::despecifyFunction): Deleted.
1465             (JSC::Structure::despecifyAllFunctions): Deleted.
1466             (JSC::Structure::putSpecificValue): Deleted.
1467             * runtime/Structure.h:
1468             (JSC::Structure::startWatchingPropertyForReplacements):
1469             (JSC::Structure::startWatchingInternalPropertiesIfNecessary):
1470             (JSC::Structure::startWatchingInternalPropertiesIfNecessaryForEntireChain):
1471             (JSC::Structure::transitionDidInvolveSpecificValue): Deleted.
1472             (JSC::Structure::disableSpecificFunctionTracking): Deleted.
1473             * runtime/StructureInlines.h:
1474             (JSC::Structure::getConcurrently):
1475             (JSC::Structure::didReplaceProperty):
1476             (JSC::Structure::propertyReplacementWatchpointSet):
1477             * runtime/StructureRareData.cpp:
1478             (JSC::StructureRareData::destroy):
1479             * runtime/StructureRareData.h:
1480             * tests/stress/infer-constant-global-property.js: Added.
1481             (foo.Math.sin):
1482             (foo):
1483             * tests/stress/infer-constant-property.js: Added.
1484             (foo):
1485             * tests/stress/jit-cache-poly-replace-then-cache-get-and-fold-then-invalidate.js: Added.
1486             (foo):
1487             (bar):
1488             * tests/stress/jit-cache-replace-then-cache-get-and-fold-then-invalidate.js: Added.
1489             (foo):
1490             (bar):
1491             * tests/stress/jit-put-to-scope-global-cache-watchpoint-invalidate.js: Added.
1492             (foo):
1493             (bar):
1494             * tests/stress/llint-cache-replace-then-cache-get-and-fold-then-invalidate.js: Added.
1495             (foo):
1496             (bar):
1497             * tests/stress/llint-put-to-scope-global-cache-watchpoint-invalidate.js: Added.
1498             (foo):
1499             (bar):
1500             * tests/stress/repeat-put-to-scope-global-with-same-value-watchpoint-invalidate.js: Added.
1501             (foo):
1502             (bar):
1503     
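        A worked example added here, not part of the WebKit ChangeLog or of JavaScriptCore's
        own stress tests: it mirrors the "replace then cache get and fold then invalidate"
        pattern the tests above are named for. The contract being exercised is that a property
        read which the JIT may constant-fold once it is inferred immutable must still observe
        a later non-cached overwrite (which fires the replacement watchpoint set) or a deletion
        (which transitions the structure, so the structure check fails instead). Object shapes
        and values are constructed sample data; the objects are function-local so results are
        deterministic on any engine, whereas in JSC the fold itself additionally needs a
        constant base (for example a global), as the entry explains.

```javascript
// Added example, not WebKit's code. Constructed sample objects and values.

function makeObject(extra) {
    // "f" is created by the transition that adds it. Passing `extra` yields a
    // second structure that also has "f", so reads of "f" can go polymorphic.
    const o = { f: 42 };
    if (extra !== undefined)
        o.g = extra;
    return o;
}

function readF(o) {
    // Hot, cached read. With a constant base the DFG may fold this load, relying
    // on the property's replacement watchpoint set staying valid.
    return o.f;
}

function hotLoop(o, iterations) {
    let sum = 0;
    for (let i = 0; i < iterations; ++i)
        sum += readF(o);
    return sum;
}

// Cached reads, then a non-cached put replace: the replacement watchpoint set
// must be invalidated so the later read sees 43, not a folded 42.
function replaceAfterFold() {
    const o = makeObject();
    const before = hotLoop(o, 10000);   // 10000 * 42
    o.f = 43;
    const after = readF(o);
    return { before, after };
}

// Two structures share property "f"; replacing it on one instance must only
// affect that instance, and each structure needs its own valid watchpoint set.
function polymorphicReplace() {
    const a = makeObject();
    const b = makeObject("extra");
    const before = hotLoop(a, 5000) + hotLoop(b, 5000);   // 10000 * 42
    b.f = 7;
    return { before, a: readF(a), b: readF(b) };
}

// Deletion is a structure transition rather than a replacement, so the
// mandatory structure check (not the watchpoint set) is what invalidates.
function deleteAfterFold() {
    const o = makeObject();
    const before = hotLoop(o, 10000);
    delete o.f;
    return { before, after: readF(o) };
}
```

        Each function returns the pre-overwrite sum alongside the post-overwrite read so a
        harness can check both that the hot loop ran against the original value and that the
        overwrite or deletion was observed afterwards.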
1504     2014-07-03  Saam Barati  <sbarati@apple.com>
1505     
1506             Add more coverage for the profile_types_with_high_fidelity op code.
1507             https://bugs.webkit.org/show_bug.cgi?id=134616
1508     
1509             Reviewed by Filip Pizlo.
1510     
1511             More operations are now being recorded by the profile_types_with_high_fidelity 
1512             opcode. Specifically: function parameters, function return values,
1513             function 'this' value, get_by_id, get_by_value, resolve nodes, function return 
1514             values at the call site. Added more flags to the profile_types_with_high_fidelity
1515             opcode so more focused tasks can take place when the instruction is
1516             being linked in CodeBlock. Re-worked the type profiler to search 
1517             through character offset ranges when asked for the type of an expression
1518             at a given offset. Removed redundant calls to Structure::toStructureShape
1519             in HighFidelityLog and TypeSet by caching calls based on StructureID.
1520     
1521             * bytecode/BytecodeList.json:
1522             * bytecode/BytecodeUseDef.h:
1523             (JSC::computeUsesForBytecodeOffset):
1524             (JSC::computeDefsForBytecodeOffset):
1525             * bytecode/CodeBlock.cpp:
1526             (JSC::CodeBlock::CodeBlock):
1527             (JSC::CodeBlock::finalizeUnconditionally):
1528             (JSC::CodeBlock::scopeDependentProfile):
1529             * bytecode/CodeBlock.h:
1530             (JSC::CodeBlock::returnStatementTypeSet):
1531             * bytecode/TypeLocation.h:
1532             * bytecode/UnlinkedCodeBlock.cpp:
1533             (JSC::UnlinkedCodeBlock::highFidelityTypeProfileExpressionInfoForBytecodeOffset):
1534             (JSC::UnlinkedCodeBlock::addHighFidelityTypeProfileExpressionInfo):
1535             * bytecode/UnlinkedCodeBlock.h:
1536             * bytecompiler/BytecodeGenerator.cpp:
1537             (JSC::BytecodeGenerator::emitMove):
1538             (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
1539             (JSC::BytecodeGenerator::emitGetFromScopeWithProfile):
1540             (JSC::BytecodeGenerator::emitPutToScope):
1541             (JSC::BytecodeGenerator::emitPutToScopeWithProfile):
1542             (JSC::BytecodeGenerator::emitPutById):
1543             (JSC::BytecodeGenerator::emitPutByVal):
1544             * bytecompiler/BytecodeGenerator.h:
1545             (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo):
1546             * bytecompiler/NodesCodegen.cpp:
1547             (JSC::ResolveNode::emitBytecode):
1548             (JSC::BracketAccessorNode::emitBytecode):
1549             (JSC::DotAccessorNode::emitBytecode):
1550             (JSC::FunctionCallValueNode::emitBytecode):
1551             (JSC::FunctionCallResolveNode::emitBytecode):
1552             (JSC::FunctionCallBracketNode::emitBytecode):
1553             (JSC::FunctionCallDotNode::emitBytecode):
1554             (JSC::CallFunctionCallDotNode::emitBytecode):
1555             (JSC::ApplyFunctionCallDotNode::emitBytecode):
1556             (JSC::PostfixNode::emitResolve):
1557             (JSC::PostfixNode::emitBracket):
1558             (JSC::PostfixNode::emitDot):
1559             (JSC::PrefixNode::emitResolve):
1560             (JSC::PrefixNode::emitBracket):
1561             (JSC::PrefixNode::emitDot):
1562             (JSC::ReadModifyResolveNode::emitBytecode):
1563             (JSC::AssignResolveNode::emitBytecode):
1564             (JSC::AssignDotNode::emitBytecode):
1565             (JSC::ReadModifyDotNode::emitBytecode):
1566             (JSC::AssignBracketNode::emitBytecode):
1567             (JSC::ReadModifyBracketNode::emitBytecode):
1568             (JSC::ReturnNode::emitBytecode):
1569             (JSC::FunctionBodyNode::emitBytecode):
1570             * inspector/agents/InspectorRuntimeAgent.cpp:
1571             (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableAtOffset):
1572             (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange): Deleted.
1573             * inspector/agents/InspectorRuntimeAgent.h:
1574             * inspector/protocol/Runtime.json:
1575             * llint/LLIntSlowPaths.cpp:
1576             (JSC::LLInt::getFromScopeCommon):
1577             (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1578             * llint/LLIntSlowPaths.h:
1579             * llint/LowLevelInterpreter.asm:
1580             * runtime/HighFidelityLog.cpp:
1581             (JSC::HighFidelityLog::processHighFidelityLog):
1582             (JSC::HighFidelityLog::actuallyProcessLogThreadFunction):
1583             (JSC::HighFidelityLog::recordTypeInformationForLocation): Deleted.
1584             * runtime/HighFidelityLog.h:
1585             (JSC::HighFidelityLog::recordTypeInformationForLocation):
1586             * runtime/HighFidelityTypeProfiler.cpp:
1587             (JSC::HighFidelityTypeProfiler::getTypesForVariableInAtOffset):
1588             (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableAtOffset):
1589             (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableAtOffset):
1590             (JSC::HighFidelityTypeProfiler::insertNewLocation):
1591             (JSC::HighFidelityTypeProfiler::findLocation):
1592             (JSC::HighFidelityTypeProfiler::getTypesForVariableInRange): Deleted.
1593             (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableInRange): Deleted.
1594             (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableInRange): Deleted.
1595             (JSC::HighFidelityTypeProfiler::getLocationBasedHash): Deleted.
1596             * runtime/HighFidelityTypeProfiler.h:
1597             (JSC::LocationKey::LocationKey): Deleted.
1598             (JSC::LocationKey::hash): Deleted.
1599             (JSC::LocationKey::operator==): Deleted.
1600             * runtime/Structure.cpp:
1601             (JSC::Structure::toStructureShape):
1602             * runtime/Structure.h:
1603             * runtime/TypeSet.cpp:
1604             (JSC::TypeSet::TypeSet):
1605             (JSC::TypeSet::addTypeForValue):
1606             (JSC::TypeSet::seenTypes):
1607             (JSC::TypeSet::removeDuplicatesInStructureHistory): Deleted.
1608             * runtime/TypeSet.h:
1609             (JSC::StructureShape::setConstructorName):
1610             * runtime/VM.cpp:
1611             (JSC::VM::getTypesForVariableAtOffset):
1612             (JSC::VM::dumpHighFidelityProfilingTypes):
1613             (JSC::VM::getTypesForVariableInRange): Deleted.
1614             * runtime/VM.h:
1615     
1616     2014-07-04  Filip Pizlo  <fpizlo@apple.com>
1617     
1618             [ftlopt][REGRESSION] debug tests fail because PutByIdDirect is now implemented in terms of In
1619             https://bugs.webkit.org/show_bug.cgi?id=134642
1620     
1621             Rubber stamped by Andreas Kling.
1622     
1623             * ftl/FTLLowerDFGToLLVM.cpp:
1624             (JSC::FTL::LowerDFGToLLVM::compileNode):
1625     
1626     2014-07-01  Filip Pizlo  <fpizlo@apple.com>
1627     
1628             [ftlopt] Allocate a new GetterSetter if we change the value of any of its entries other than when they were previously null, so that if we constant-infer an accessor slot then we immediately get the function constant for free
1629             https://bugs.webkit.org/show_bug.cgi?id=134518
1630     
1631             Reviewed by Mark Hahnenberg.
1632             
1633             This has no real effect right now, particularly since almost all uses of
1634             setSetter/setGetter were already allocating a brand new GetterSetter. But once we start
1635             doing more aggressive constant property inference, this change will allow us to remove
1636             all runtime checks from getter/setter calls.
1637     
1638             * runtime/GetterSetter.cpp:
1639             (JSC::GetterSetter::withGetter):
1640             (JSC::GetterSetter::withSetter):
1641             * runtime/GetterSetter.h:
1642             (JSC::GetterSetter::setGetter):
1643             (JSC::GetterSetter::setSetter):
1644             * runtime/JSObject.cpp:
1645             (JSC::JSObject::defineOwnNonIndexProperty):
1646     
1647     2014-07-02  Filip Pizlo  <fpizlo@apple.com>
1648     
1649             [ftlopt] Rename notifyTransitionFromThisStructure to didTransitionFromThisStructure
1650     
1651             Rubber stamped by Mark Hahnenberg.
1652     
1653             * runtime/Structure.cpp:
1654             (JSC::Structure::Structure):
1655             (JSC::Structure::nonPropertyTransition):
1656             (JSC::Structure::didTransitionFromThisStructure):
1657             (JSC::Structure::notifyTransitionFromThisStructure): Deleted.
1658             * runtime/Structure.h:
1659     
1660     2014-07-02  Filip Pizlo  <fpizlo@apple.com>
1661     
1662             [ftlopt] Remove the functionality for cloning StructureRareData since we never do that anymore.
1663     
1664             Rubber stamped by Mark Hahnenberg.
1665     
1666             * runtime/Structure.cpp:
1667             (JSC::Structure::Structure):
1668             (JSC::Structure::cloneRareDataFrom): Deleted.
1669             * runtime/Structure.h:
1670             * runtime/StructureRareData.cpp:
1671             (JSC::StructureRareData::clone): Deleted.
1672             (JSC::StructureRareData::StructureRareData): Deleted.
1673             * runtime/StructureRareData.h:
1674             (JSC::StructureRareData::needsCloning): Deleted.
1675     
1676     2014-07-01  Mark Lam  <mark.lam@apple.com>
1677     
1678             [ftlopt] DebuggerCallFrame::scope() should return a DebuggerScope.
1679             <https://webkit.org/b/134420>
1680     
1681             Reviewed by Geoffrey Garen.
1682     
1683             Previously, DebuggerCallFrame::scope() returned a JSActivation (and relevant
1684             peers) which the WebInspector will use to introspect CallFrame variables.
1685             Instead, we should be returning a DebuggerScope as an abstraction layer that
1686             provides the introspection functionality that the WebInspector needs.  This
1687             is the first step towards not forcing every frame to have a JSActivation
1688             object just because the debugger is enabled.
1689     
1690             1. Instantiate the debuggerScopeStructure as a member of the JSGlobalObject
1691                instead of the VM.  This allows JSObject::globalObject() to be able to
1692                return the global object for the DebuggerScope.
1693     
1694             2. On the DebuggerScope's life-cycle management:
1695     
1696                The DebuggerCallFrame is designed to be "valid" only during a debugging session
1697                (while the debugger is broken) through the use of a DebuggerCallFrameScope in
1698                Debugger::pauseIfNeeded().  Once the debugger resumes from the break, the
1699                DebuggerCallFrameScope destructs, and the DebuggerCallFrame will be invalidated.
1700                We can't guarantee (from this code alone) that the Inspector code isn't still
1701                holding a ref to the DebuggerCallFrame (though they shouldn't), but by contract,
1702                the frame will be invalidated, and any attempt to query it will return null values.
1703                This is pre-existing behavior.
1704     
1705                Now, we're adding the DebuggerScope into the picture.  While a single debugger
1706                pause session is in progress, the Inspector may request the scope from the
1707                DebuggerCallFrame.  While the DebuggerCallFrame is still valid, we want
1708                DebuggerCallFrame::scope() to always return the same DebuggerScope object.
1709                This is why we hold on to the DebuggerScope with a strong ref.
1710     
1711                If we use a weak ref instead, the following kooky behavior can manifest:
1712                1. The Inspector calls Debugger::scope() to get the top scope.
1713                2. The Inspector iterates down the scope chain and is now only holding a
1714                   reference to a parent scope.  It is no longer referencing the top scope.
1715                3. A GC occurs, and the DebuggerCallFrame's weak m_scope ref to the top scope
1716                   gets cleared.
1717                4. The Inspector calls DebuggerCallFrame::scope() to get the top scope again but gets
1718                   a different DebuggerScope instance.
1719                5. The Inspector iterates down the scope chain but never sees the parent scope
1720                   instance that it retained a ref to in step 2 above.  This is because when iterating
1721                   this new DebuggerScope instance (which has no knowledge of the previous parent
1722                   DebuggerScope instance), a new DebuggerScope instance will get created for the
1723                   same parent scope.
1724     
1725                Since the DebuggerScope is a JSObject, its liveness is determined by its reachability.
1726                However, its "validity" is determined by the life-cycle of its owner DebuggerCallFrame.
1727                When the owner DebuggerCallFrame gets invalidated, its debugger scope chain (if
1728                instantiated) will also get invalidated.  This is why we need the
1729                DebuggerScope::invalidateChain() method.  The Inspector should not be using the
1730                DebuggerScope instance after its owner DebuggerCallFrame is invalidated.  If it does,
1731                those methods will do nothing or return a failed status.
1732     
1733             * debugger/Debugger.h:
1734             * debugger/DebuggerCallFrame.cpp:
1735             (JSC::DebuggerCallFrame::scope):
1736             (JSC::DebuggerCallFrame::evaluate):
1737             (JSC::DebuggerCallFrame::invalidate):
1738             (JSC::DebuggerCallFrame::vm):
1739             (JSC::DebuggerCallFrame::lexicalGlobalObject):
1740             * debugger/DebuggerCallFrame.h:
1741             * debugger/DebuggerScope.cpp:
1742             (JSC::DebuggerScope::DebuggerScope):
1743             (JSC::DebuggerScope::finishCreation):
1744             (JSC::DebuggerScope::visitChildren):
1745             (JSC::DebuggerScope::className):
1746             (JSC::DebuggerScope::getOwnPropertySlot):
1747             (JSC::DebuggerScope::put):
1748             (JSC::DebuggerScope::deleteProperty):
1749             (JSC::DebuggerScope::getOwnPropertyNames):
1750             (JSC::DebuggerScope::defineOwnProperty):
1751             (JSC::DebuggerScope::next):
1752             (JSC::DebuggerScope::invalidateChain):
1753             (JSC::DebuggerScope::isWithScope):
1754             (JSC::DebuggerScope::isGlobalScope):
1755             (JSC::DebuggerScope::isFunctionScope):
1756             * debugger/DebuggerScope.h:
1757             (JSC::DebuggerScope::create):
1758             (JSC::DebuggerScope::Iterator::Iterator):
1759             (JSC::DebuggerScope::Iterator::get):
1760             (JSC::DebuggerScope::Iterator::operator++):
1761             (JSC::DebuggerScope::Iterator::operator==):
1762             (JSC::DebuggerScope::Iterator::operator!=):
1763             (JSC::DebuggerScope::isValid):
1764             (JSC::DebuggerScope::jsScope):
1765             (JSC::DebuggerScope::begin):
1766             (JSC::DebuggerScope::end):
1767             * inspector/JSJavaScriptCallFrame.cpp:
1768             (Inspector::JSJavaScriptCallFrame::scopeType):
1769             (Inspector::JSJavaScriptCallFrame::scopeChain):
1770             * inspector/JavaScriptCallFrame.h:
1771             (Inspector::JavaScriptCallFrame::scopeChain):
1772             * inspector/ScriptDebugServer.cpp:
1773             * runtime/JSGlobalObject.cpp:
1774             (JSC::JSGlobalObject::reset):
1775             (JSC::JSGlobalObject::visitChildren):
1776             * runtime/JSGlobalObject.h:
1777             (JSC::JSGlobalObject::debuggerScopeStructure):
1778             * runtime/JSObject.h:
1779             (JSC::JSObject::isWithScope):
1780             * runtime/JSScope.h:
1781             * runtime/VM.cpp:
1782             (JSC::VM::VM):
1783             * runtime/VM.h:
1784     
1785     2014-07-01  Filip Pizlo  <fpizlo@apple.com>
1786     
1787             [ftlopt] DFG bytecode parser should turn PutById with nothing but a Setter stub as stuff+handleCall, and handleCall should be allowed to inline if it wants to
1788             https://bugs.webkit.org/show_bug.cgi?id=130756
1789     
1790             Reviewed by Oliver Hunt.
1791             
1792             This enables exposing the call to setters in the DFG, and then inlining it. Previously we
1793             already supported inline-cached calls to setters from within put_by_id inline caches,
1794             and the DFG could certainly emit such ICs. Now, if an IC had a setter call, then the DFG
1795             will either emit the GetGetterSetterByOffset/GetSetter/Call combo, or it will do one
1796             better and inline the call.
1797             
1798             A lot of the core functionality was already available from the previous work to inline
1799             getters. So, there are some refactorings in this patch that move preexisting
1800             functionality around. For example, the work to figure out how the DFG should go about
1801             getting to what we call the "loaded value" - i.e. the GetterSetter object reference in
1802             the case of accessors - is now shared in ComplexGetStatus, and both GetByIdStatus and
1803             PutByIdStatus use it. This means that we can keep the safety checks common.  This patch
1804             also does additional refactorings in DFG::ByteCodeParser so that we can continue to reuse
1805             handleCall() for all of the various kinds of calls we can now emit.
1806             
1807             83% speed-up on getter-richards, 2% speed-up on box2d.
1808     
1809             * CMakeLists.txt:
1810             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1811             * JavaScriptCore.xcodeproj/project.pbxproj:
1812             * bytecode/ComplexGetStatus.cpp: Added.
1813             (JSC::ComplexGetStatus::computeFor):
1814             * bytecode/ComplexGetStatus.h: Added.
1815             (JSC::ComplexGetStatus::ComplexGetStatus):
1816             (JSC::ComplexGetStatus::skip):
1817             (JSC::ComplexGetStatus::takesSlowPath):
1818             (JSC::ComplexGetStatus::kind):
1819             (JSC::ComplexGetStatus::attributes):
1820             (JSC::ComplexGetStatus::specificValue):
1821             (JSC::ComplexGetStatus::offset):
1822             (JSC::ComplexGetStatus::chain):
1823             * bytecode/GetByIdStatus.cpp:
1824             (JSC::GetByIdStatus::computeForStubInfo):
1825             * bytecode/GetByIdVariant.cpp:
1826             (JSC::GetByIdVariant::GetByIdVariant):
1827             * bytecode/PolymorphicPutByIdList.h:
1828             (JSC::PutByIdAccess::PutByIdAccess):
1829             (JSC::PutByIdAccess::setter):
1830             (JSC::PutByIdAccess::structure):
1831             (JSC::PutByIdAccess::chainCount):
1832             * bytecode/PutByIdStatus.cpp:
1833             (JSC::PutByIdStatus::computeFromLLInt):
1834             (JSC::PutByIdStatus::computeFor):
1835             (JSC::PutByIdStatus::computeForStubInfo):
1836             (JSC::PutByIdStatus::makesCalls):
1837             * bytecode/PutByIdStatus.h:
1838             (JSC::PutByIdStatus::makesCalls): Deleted.
1839             * bytecode/PutByIdVariant.cpp:
1840             (JSC::PutByIdVariant::PutByIdVariant):
1841             (JSC::PutByIdVariant::operator=):
1842             (JSC::PutByIdVariant::replace):
1843             (JSC::PutByIdVariant::transition):
1844             (JSC::PutByIdVariant::setter):
1845             (JSC::PutByIdVariant::writesStructures):
1846             (JSC::PutByIdVariant::reallocatesStorage):
1847             (JSC::PutByIdVariant::makesCalls):
1848             (JSC::PutByIdVariant::dumpInContext):
1849             * bytecode/PutByIdVariant.h:
1850             (JSC::PutByIdVariant::PutByIdVariant):
1851             (JSC::PutByIdVariant::structure):
1852             (JSC::PutByIdVariant::oldStructure):
1853             (JSC::PutByIdVariant::alternateBase):
1854             (JSC::PutByIdVariant::specificValue):
1855             (JSC::PutByIdVariant::callLinkStatus):
1856             (JSC::PutByIdVariant::replace): Deleted.
1857             (JSC::PutByIdVariant::transition): Deleted.
1858             * dfg/DFGByteCodeParser.cpp:
1859             (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
1860             (JSC::DFG::ByteCodeParser::addCall):
1861             (JSC::DFG::ByteCodeParser::handleCall):
1862             (JSC::DFG::ByteCodeParser::handleInlining):
1863             (JSC::DFG::ByteCodeParser::handleGetById):
1864             (JSC::DFG::ByteCodeParser::handlePutById):
1865             (JSC::DFG::ByteCodeParser::parseBlock):
1866             * jit/Repatch.cpp:
1867             (JSC::tryCachePutByID):
1868             (JSC::tryBuildPutByIdList):
1869             * runtime/IntendedStructureChain.cpp:
1870             (JSC::IntendedStructureChain::takesSlowPathInDFGForImpureProperty):
1871             * runtime/IntendedStructureChain.h:
1872             * tests/stress/exit-from-setter.js: Added.
1873             * tests/stress/poly-chain-setter.js: Added.
1874             (Cons):
1875             (foo):
1876             (test):
1877             * tests/stress/poly-chain-then-setter.js: Added.
1878             (Cons1):
1879             (Cons2):
1880             (foo):
1881             (test):
1882             * tests/stress/poly-setter-combo.js: Added.
1883             (Cons1):
1884             (Cons2):
1885             (foo):
1886             (test):
1887             (.test):
1888             * tests/stress/poly-setter-then-self.js: Added.
1889             (foo):
1890             (test):
1891             (.test):
1892             * tests/stress/weird-setter-counter.js: Added.
1893             (foo):
1894             (test):
1895             * tests/stress/weird-setter-counter-syntactic.js: Added.
1896             (foo):
1897             (test):
1898     
1899     2014-07-01  Matthew Mirman  <mmirman@apple.com>
1900     
1901             Added an implementation of the "in" check to FTL.
1902             https://bugs.webkit.org/show_bug.cgi?id=134508
1903     
1904             Reviewed by Filip Pizlo.
1905     
1906             * ftl/FTLCapabilities.cpp: enabled compilation for "in"
1907             (JSC::FTL::canCompile): ditto
1908             * ftl/FTLCompile.cpp:
1909             (JSC::FTL::generateCheckInICFastPath): added.
1910             (JSC::FTL::fixFunctionBasedOnStackMaps): added case for CheckIn descriptors.
1911             * ftl/FTLInlineCacheDescriptor.h:
1912             (JSC::FTL::CheckInGenerator::CheckInGenerator): added.
1913             (JSC::FTL::CheckInDescriptor::CheckInDescriptor): added.
1914             * ftl/FTLInlineCacheSize.cpp: 
1915             (JSC::FTL::sizeOfCheckIn): added. Currently larger than necessary.
1916             * ftl/FTLInlineCacheSize.h: ditto
1917             * ftl/FTLIntrinsicRepository.h: Added function type for operationInGeneric
1918             * ftl/FTLLowerDFGToLLVM.cpp: 
1919             (JSC::FTL::LowerDFGToLLVM::compileNode): added case for In.
1920             (JSC::FTL::LowerDFGToLLVM::compileIn): added.
1921             * ftl/FTLSlowPathCall.cpp: Added a callOperation for operationIn
1922             (JSC::FTL::callOperation): ditto
1923             * ftl/FTLSlowPathCall.h: ditto
1924             * ftl/FTLState.h: Added a vector to hold CheckIn descriptors.
1925             * jit/JITOperations.h: made operationIns internal.
1926             * tests/stress/ftl-checkin.js: Added.
1927             * tests/stress/ftl-checkin-variable.js: Added.
1928     
1929     2014-06-30  Mark Hahnenberg  <mhahnenberg@apple.com>
1930     
1931             CodeBlock::stronglyVisitWeakReferences should mark DFG::CommonData::weakStructureReferences
1932             https://bugs.webkit.org/show_bug.cgi?id=134455
1933     
1934             Reviewed by Geoffrey Garen.
1935     
1936             Otherwise we get hanging pointers which can cause us to die later.
1937     
1938             * bytecode/CodeBlock.cpp:
1939             (JSC::CodeBlock::stronglyVisitWeakReferences):
1940     
1941     2014-06-27  Filip Pizlo  <fpizlo@apple.com>
1942     
1943             [ftlopt] Reduce the GC's influence on optimization decisions
1944             https://bugs.webkit.org/show_bug.cgi?id=134427
1945     
1946             Reviewed by Oliver Hunt.
1947             
1948             This is a slight speed-up on some platforms, that arises from a bunch of fixes that I made
1949             while trying to make the GC keep more structures alive
1950             (https://bugs.webkit.org/show_bug.cgi?id=128072).
1951             
1952             The fixes are, roughly:
1953             
1954             - If the GC clears an inline cache, then this no longer causes the IC to be forever
1955               polymorphic.
1956             
1957             - If we exit in inlined code into a function that tries to OSR enter, then we jettison
1958               sooner.
1959             
1960             - Some variables being uninitialized led to rage-recompilations.
1961             
1962             This is a pretty strong step in the direction of keeping more Structures alive and not
1963             blowing away code just because a Structure died. But, it seems like there is still a slight
1964             speed-up to be had from blowing away code that references dead Structures.
1965     
1966             * bytecode/CodeBlock.cpp:
1967             (JSC::CodeBlock::dumpAssumingJITType):
1968             (JSC::shouldMarkTransition):
1969             (JSC::CodeBlock::propagateTransitions):
1970             (JSC::CodeBlock::determineLiveness):
1971             * bytecode/GetByIdStatus.cpp:
1972             (JSC::GetByIdStatus::computeForStubInfo):
1973             * bytecode/PutByIdStatus.cpp:
1974             (JSC::PutByIdStatus::computeForStubInfo):
1975             * dfg/DFGCapabilities.cpp:
1976             (JSC::DFG::isSupportedForInlining):
1977             (JSC::DFG::mightInlineFunctionForCall):
1978             (JSC::DFG::mightInlineFunctionForClosureCall):
1979             (JSC::DFG::mightInlineFunctionForConstruct):
1980             * dfg/DFGCapabilities.h:
1981             * dfg/DFGCommonData.h:
1982             * dfg/DFGDesiredWeakReferences.cpp:
1983             (JSC::DFG::DesiredWeakReferences::reallyAdd):
1984             * dfg/DFGOSREntry.cpp:
1985             (JSC::DFG::prepareOSREntry):
1986             * dfg/DFGOSRExitCompilerCommon.cpp:
1987             (JSC::DFG::handleExitCounts):
1988             * dfg/DFGOperations.cpp:
1989             * dfg/DFGOperations.h:
1990             * ftl/FTLForOSREntryJITCode.cpp:
1991             (JSC::FTL::ForOSREntryJITCode::ForOSREntryJITCode): These variables being uninitialized is benign in terms of correctness but can sometimes cause rage-recompilations. For some reason it took this patch to reveal this.
1992             * ftl/FTLOSREntry.cpp:
1993             (JSC::FTL::prepareOSREntry):
1994             * runtime/Executable.cpp:
1995             (JSC::ExecutableBase::destroy):
1996             (JSC::NativeExecutable::destroy):
1997             (JSC::ScriptExecutable::ScriptExecutable):
1998             (JSC::ScriptExecutable::destroy):
1999             (JSC::ScriptExecutable::installCode):
2000             (JSC::EvalExecutable::EvalExecutable):
2001             (JSC::ProgramExecutable::ProgramExecutable):
2002             * runtime/Executable.h:
2003             (JSC::ScriptExecutable::setDidTryToEnterInLoop):
2004             (JSC::ScriptExecutable::didTryToEnterInLoop):
2005             (JSC::ScriptExecutable::addressOfDidTryToEnterInLoop):
2006             (JSC::ScriptExecutable::ScriptExecutable): Deleted.
2007             * runtime/StructureInlines.h:
2008             (JSC::Structure::storedPrototypeObject):
2009             (JSC::Structure::storedPrototypeStructure):
2010     
2011     2014-06-25  Filip Pizlo  <fpizlo@apple.com>
2012     
2013             [ftlopt] If a CodeBlock is jettisoned due to a watchpoint then it should be possible to figure out something about that watchpoint
2014             https://bugs.webkit.org/show_bug.cgi?id=134333
2015     
2016             Reviewed by Geoffrey Garen.
2017             
2018             This is engineered to provide loads of information to the profiler without incurring any
2019             costs when the profiler is disabled. It's the oldest trick in the book: the thing that
2020             fires the watchpoint doesn't actually create anything to describe the reason why it was
2021             fired; instead it creates a stack-allocated FireDetail subclass instance. Only if the
2022             FireDetail::dump() virtual method is called does anything happen.
2023             
2024             Currently we use this to produce very fine-grained data for Structure watchpoints and
2025             some cases of variable watchpoints. For all other situations, the given reason is just a
2026             string constant, by using StringFireDetail. If we find a situation where that string
2027             constant is insufficient to diagnose an issue then we can change it to provide more
2028             fine-grained information.
2029     
2030             * JavaScriptCore.xcodeproj/project.pbxproj:
2031             * bytecode/CodeBlock.cpp:
2032             (JSC::CodeBlock::CodeBlock):
2033             (JSC::CodeBlock::jettison):
2034             * bytecode/CodeBlock.h:
2035             * bytecode/CodeBlockJettisoningWatchpoint.cpp:
2036             (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
2037             * bytecode/CodeBlockJettisoningWatchpoint.h:
2038             * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp: Removed.
2039             * bytecode/ProfiledCodeBlockJettisoningWatchpoint.h: Removed.
2040             * bytecode/StructureStubClearingWatchpoint.cpp:
2041             (JSC::StructureStubClearingWatchpoint::fireInternal):
2042             * bytecode/StructureStubClearingWatchpoint.h:
2043             * bytecode/VariableWatchpointSet.h:
2044             (JSC::VariableWatchpointSet::invalidate):
2045             (JSC::VariableWatchpointSet::finalizeUnconditionally):
2046             * bytecode/VariableWatchpointSetInlines.h:
2047             (JSC::VariableWatchpointSet::notifyWrite):
2048             * bytecode/Watchpoint.cpp:
2049             (JSC::StringFireDetail::dump):
2050             (JSC::WatchpointSet::fireAll):
2051             (JSC::WatchpointSet::fireAllSlow):
2052             (JSC::WatchpointSet::fireAllWatchpoints):
2053             (JSC::InlineWatchpointSet::fireAll):
2054             * bytecode/Watchpoint.h:
2055             (JSC::FireDetail::FireDetail):
2056             (JSC::FireDetail::~FireDetail):
2057             (JSC::StringFireDetail::StringFireDetail):
2058             (JSC::Watchpoint::fire):
2059             (JSC::WatchpointSet::fireAll):
2060             (JSC::WatchpointSet::touch):
2061             (JSC::WatchpointSet::invalidate):
2062             (JSC::InlineWatchpointSet::fireAll):
2063             (JSC::InlineWatchpointSet::touch):
2064             * dfg/DFGCommonData.h:
2065             * dfg/DFGOperations.cpp:
2066             * interpreter/Interpreter.cpp:
2067             (JSC::Interpreter::execute):
2068             * jsc.cpp:
2069             (WTF::Masquerader::create):
2070             * profiler/ProfilerCompilation.cpp:
2071             (JSC::Profiler::Compilation::setJettisonReason):
2072             (JSC::Profiler::Compilation::toJS):
2073             * profiler/ProfilerCompilation.h:
2074             (JSC::Profiler::Compilation::setJettisonReason): Deleted.
2075             * runtime/ArrayBuffer.cpp:
2076             (JSC::ArrayBuffer::transfer):
2077             * runtime/ArrayBufferNeuteringWatchpoint.cpp:
2078             (JSC::ArrayBufferNeuteringWatchpoint::fireAll):
2079             * runtime/ArrayBufferNeuteringWatchpoint.h:
2080             * runtime/CommonIdentifiers.h:
2081             * runtime/CommonSlowPaths.cpp:
2082             (JSC::SLOW_PATH_DECL):
2083             * runtime/Identifier.cpp:
2084             (JSC::Identifier::dump):
2085             * runtime/Identifier.h:
2086             * runtime/JSFunction.cpp:
2087             (JSC::JSFunction::put):
2088             (JSC::JSFunction::defineOwnProperty):
2089             * runtime/JSGlobalObject.cpp:
2090             (JSC::JSGlobalObject::addFunction):
2091             (JSC::JSGlobalObject::haveABadTime):
2092             * runtime/JSSymbolTableObject.cpp:
2093             (JSC::VariableWriteFireDetail::dump):
2094             * runtime/JSSymbolTableObject.h:
2095             (JSC::VariableWriteFireDetail::VariableWriteFireDetail):
2096             (JSC::symbolTablePut):
2097             (JSC::symbolTablePutWithAttributes):
2098             * runtime/PropertyName.h:
2099             (JSC::PropertyName::dump):
2100             * runtime/Structure.cpp:
2101             (JSC::Structure::notifyTransitionFromThisStructure):
2102             * runtime/Structure.h:
2103             (JSC::Structure::notifyTransitionFromThisStructure): Deleted.
2104             * runtime/SymbolTable.cpp:
2105             (JSC::SymbolTableEntry::notifyWriteSlow):
2106             (JSC::SymbolTable::WatchpointCleanup::finalizeUnconditionally):
2107             * runtime/SymbolTable.h:
2108             (JSC::SymbolTableEntry::notifyWrite):
2109             * runtime/VM.cpp:
2110             (JSC::VM::addImpureProperty):
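
The 2014-06-25 entry above describes the zero-cost diagnostic trick: the code that fires a watchpoint builds a stack-allocated FireDetail, and formatting only happens if something calls dump(). The following is an added illustration of that pattern in plain C++; it is not JSC's own code. TransitionFireDetail, Profiler and the format counter are constructed stand-ins for the structure and variable-write details mentioned in the entry.

```cpp
#include <sstream>
#include <string>
#include <vector>

// Base class for "why did this watchpoint fire" descriptions. Instances live on
// the stack of the code that fires the watchpoint; nothing is formatted unless
// a consumer actually asks for the text by calling dump().
class FireDetail {
public:
    virtual ~FireDetail() = default;
    virtual void dump(std::ostream& out) const = 0;
};

// Constant-string detail for cases that do not warrant anything finer grained.
class StringFireDetail : public FireDetail {
public:
    explicit StringFireDetail(const char* reason) : m_reason(reason) {}
    void dump(std::ostream& out) const override { out << m_reason; }
private:
    const char* m_reason;
};

// Fine-grained detail: keeps references to the objects involved and formats
// them only on demand. Hypothetical stand-in for JSC's structure-transition
// detail, not JSC's actual class. The counter lets the demo prove that dump()
// ran only when asked.
class TransitionFireDetail : public FireDetail {
public:
    TransitionFireDetail(const std::string& from, const std::string& to, int& formatCounter)
        : m_from(from), m_to(to), m_formatCounter(formatCounter) {}
    void dump(std::ostream& out) const override {
        ++m_formatCounter;
        out << "transition from " << m_from << " to " << m_to;
    }
private:
    const std::string& m_from;
    const std::string& m_to;
    int& m_formatCounter;
};

// Minimal consumer: records jettison reasons only when profiling is enabled.
class Profiler {
public:
    explicit Profiler(bool enabled) : m_enabled(enabled) {}
    void recordJettison(const FireDetail& detail) {
        if (!m_enabled)
            return;  // disabled: the detail is never formatted
        std::ostringstream out;
        detail.dump(out);
        m_reasons.push_back(out.str());
    }
    const std::vector<std::string>& reasons() const { return m_reasons; }
private:
    bool m_enabled;
    std::vector<std::string> m_reasons;
};

// Simulates firing a structure-transition watchpoint. Returns how many times
// the detail was actually formatted (0 when the profiler is off).
int fireTransitionWatchpoint(Profiler& profiler, const std::string& from, const std::string& to) {
    int formatted = 0;
    TransitionFireDetail detail(from, to, formatted);  // stack-allocated, no heap work
    profiler.recordJettison(detail);
    return formatted;
}

std::string lastReason(const Profiler& profiler) {
    return profiler.reasons().empty() ? std::string() : profiler.reasons().back();
}

// Scenario helpers with checkable results.
int formatCountWhenProfilerDisabled() {
    Profiler profiler(false);
    return fireTransitionWatchpoint(profiler, "Structure#1", "Structure#2");
}

int formatCountWhenProfilerEnabled() {
    Profiler profiler(true);
    return fireTransitionWatchpoint(profiler, "Structure#1", "Structure#2");
}

std::string reasonWhenProfilerEnabled() {
    Profiler profiler(true);
    fireTransitionWatchpoint(profiler, "Structure#1", "Structure#2");
    return lastReason(profiler);
}

std::string stringReasonWhenProfilerEnabled() {
    Profiler profiler(true);
    StringFireDetail detail("inline cache cleared");  // constructed sample reason
    profiler.recordJettison(detail);
    return lastReason(profiler);
}
```

The design point is that the firing site pays only for constructing a few references on the stack; the string building, and any allocation it implies, is deferred to the consumer that opts in.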
2111     
2112 2014-08-05  Commit Queue  <commit-queue@webkit.org>
2113
2114         Unreviewed, rolling out r172099.
2115         https://bugs.webkit.org/show_bug.cgi?id=135635
2116
2117         Needs a do-over. (Requested by kling on #webkit).
2118
2119         Reverted changeset:
2120
2121         "The JIT should cache property lookup misses."
2122         https://bugs.webkit.org/show_bug.cgi?id=135578
2123         http://trac.webkit.org/changeset/172099
2124
2125 2014-08-05  Przemyslaw Kuczynski  <p.kuczynski@samsung.com>
2126
2127         Fix resource leak of unclosed file descriptor.
2128         https://bugs.webkit.org/show_bug.cgi?id=135417
2129
2130         Reviewed by Darin Adler.
2131
2132         When open returns zero, fd handle leaks. Checking (fd > 0) needs to be replaced
2133         with (fd != -1).
2134
2135         * assembler/MacroAssemblerARM.cpp:
2136         (JSC::isVFPPresent):
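
The fix above rests on a POSIX detail: open() returns -1 on failure and any non-negative integer on success, so it legitimately returns 0 whenever descriptor 0 is free (for instance when the process was started with stdin closed). A `fd > 0` check treats that successful open as a failure and the descriptor is never closed. The following is an added illustration, not the ChangeLog's or WebKit's code; the probe helper, the constructed close-stdin scenario and the /dev/null path are assumptions made for the demo.

```cpp
#include <fcntl.h>
#include <unistd.h>

// Buggy acceptance test from the entry: rejects descriptor 0, so the
// descriptor returned by open() in that case is never closed.
static bool acceptsDescriptorBuggy(int fd) { return fd > 0; }

// Corrected acceptance test: only -1 signals failure.
static bool acceptsDescriptorFixed(int fd) { return fd != -1; }

// Opens `path`, applies the given acceptance test and closes the descriptor
// only if the test accepts it, mirroring the original control flow. Reports
// through `leaked` whether a valid descriptor was rejected (and therefore
// would have leaked), then tidies it up so the demo itself leaks nothing.
static int probe(const char* path, bool (*accepts)(int), bool& leaked) {
    int fd = open(path, O_RDONLY);
    leaked = false;
    if (accepts(fd)) {
        close(fd);
    } else if (fd != -1) {
        leaked = true;  // valid descriptor the check mistook for a failure
        close(fd);      // cleanup that the buggy code never performed
    }
    return fd;
}

// Constructed scenario: free descriptor 0 by closing stdin so that the next
// open() reuses it (POSIX hands out the lowest unused descriptor).
static bool buggyCheckLeaksFdZero() {
    close(0);
    bool leaked = false;
    int fd = probe("/dev/null", acceptsDescriptorBuggy, leaked);
    return fd == 0 && leaked;
}

static bool fixedCheckHandlesFdZero() {
    close(0);  // harmless if already closed
    bool leaked = false;
    int fd = probe("/dev/null", acceptsDescriptorFixed, leaked);
    return fd == 0 && !leaked;
}
```

The same reasoning applies to any call that returns a descriptor (socket(), dup(), accept()): compare against -1, not against 0, and close on every path once the descriptor is valid.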
2137
2138 2014-08-05  Andreas Kling  <akling@apple.com>
2139
2140         The JIT should cache property lookup misses.
2141         <https://webkit.org/b/135578>
2142
2143         Add support for inline caching of object properties that don't exist.
2144         Previously we'd fall back to the C++ slow-path whenever a property was missing.
2145
2146         It's implemented as a simple GetById-style stub that returns jsUndefined() as
2147         long as the Structure chain check passes.
2148
2149         10x speedup on the included microbenchmark.
2150
2151         Reviewed by Geoffrey Garen.
2152
2153         * jit/Repatch.cpp:
2154         (JSC::toString):
2155         (JSC::kindFor):
2156         (JSC::generateByIdStub):
2157         (JSC::tryCacheGetByID):
2158         (JSC::patchJumpToGetByIdStub):
2159         * runtime/PropertySlot.h:
2160         (JSC::PropertySlot::isUnset):
2161
2162 2014-08-05  Commit Queue  <commit-queue@webkit.org>
2163
2164         Unreviewed, rolling out r172009.
2165         https://bugs.webkit.org/show_bug.cgi?id=135627
2166
2167         "Commit landed on trunk instead of ftlopt branch." (Requested
2168         by saamyjoon on #webkit).
2169
2170         Reverted changeset:
2171
2172         "Create a more generic way for VMEntryScope to notify those
2173         interested that it will be destroyed"
2174         https://bugs.webkit.org/show_bug.cgi?id=135358
2175         http://trac.webkit.org/changeset/172009
2176
2177 2014-08-05  Alex Christensen  <achristensen@webkit.org>
2178
2179         More work on CMake.
2180         https://bugs.webkit.org/show_bug.cgi?id=135620
2181
2182         Reviewed by Laszlo Gombos.
2183
2184         * CMakeLists.txt:
2185         Added missing source files.
2186         * PlatformEfl.cmake:
2187         * PlatformGTK.cmake:
2188         Include glib directories and libraries to find glib.h in EventLoop.cpp.
2189         * PlatformMac.cmake:
2190         Moved STATICALLY_LINKED_WITH_WTF definition away from the common CMakeLists
2191         because it should not be defined on Windows.
2192         Added remote inspector source files.
2193
2194 2014-08-05  Peyton Randolph  <prandolph@apple.com>
2195
2196         Rename MAC_LONG_PRESS feature flag to LONG_MOUSE_PRESS.
2197         https://bugs.webkit.org/show_bug.cgi?id=135276
2198
2199         Reviewed by Beth Dakin.
2200
2201         * Configurations/FeatureDefines.xcconfig:
2202
2203 2014-08-04  Benjamin Poulain  <benjamin@webkit.org>
2204
2205         Add a flag for the CSS Selectors level 4 implementation
2206         https://bugs.webkit.org/show_bug.cgi?id=135535
2207
2208         Reviewed by Andreas Kling.
2209
2210         * Configurations/FeatureDefines.xcconfig:
2211
2212 2014-08-04  Alex Christensen  <achristensen@webkit.org>
2213
2214         Progress towards CMake on Mac.
2215         https://bugs.webkit.org/show_bug.cgi?id=135528
2216
2217         Reviewed by Gyuyoung Kim.
2218
2219         * CMakeLists.txt:
2220         Include necessary directories and copy all necessary forwarding headers.
2221         Only compile UDis86Disassembler.cpp if we're using UDIS86.
2222         * PlatformMac.cmake: Added.
2223         * tools/CodeProfiling.cpp:
2224         Compile fix.  Include sys/time.h on darwin, too.
2225
2226 2014-08-04  Saam Barati  <sbarati@apple.com>
2227
2228         Create a more generic way for VMEntryScope to notify those interested that it will be destroyed
2229         https://bugs.webkit.org/show_bug.cgi?id=135358
2230
2231         Reviewed by Geoffrey Garen.
2232
2233         When VMEntryScope is destroyed, and it has a flag set indicating that the
2234         Debugger needs to recompile all functions, it calls Debugger::recompileAllJSFunctions. 
2235         This flag is only used by Debugger to have VMEntryScope notify it when the
2236         Debugger is safe to recompile all functions. This patch will substitute this
2237         Debugger-specific recompilation flag with a list of callbacks that are notified 
2238         when the outermost VMEntryScope dies. This creates a general purpose interface 
2239         for being notified when the VM stops executing code via the event of the outermost 
2240         VMEntryScope dying.
2241
2242         * debugger/Debugger.cpp:
2243         (JSC::Debugger::recompileAllJSFunctions):
2244         * runtime/VMEntryScope.cpp:
2245         (JSC::VMEntryScope::VMEntryScope):
2246         (JSC::VMEntryScope::addEntryScopeDidPopListener):
2247         (JSC::VMEntryScope::~VMEntryScope):
2248         * runtime/VMEntryScope.h:
2249         (JSC::VMEntryScope::setRecompilationNeeded): Deleted.
2250
2251 2014-08-01  Carlos Alberto Lopez Perez  <clopez@igalia.com>
2252
2253         REGRESSION(r171942): [CMAKE] [GTK] build broken (clean build).
2254         https://bugs.webkit.org/show_bug.cgi?id=135522
2255
2256         Reviewed by Martin Robinson.
2257
2258         * CMakeLists.txt: Output the inspector headers inside inspector
2259         subdirectory.
2260
2261 2014-08-01  Mark Lam  <mark.lam@apple.com>
2262
2263         Add some structure related assertions.
2264         <https://webkit.org/b/135523>
2265
2266         Reviewed by Geoffrey Garen.
2267
2268         Adding 2 assertions:
2269         1. assert that we don't index past the end of the StructureIDTable.
2270            This should never happen, but this assertion will help catch bugs
2271            where a bad structureID gets passed in.
2272         2. assert that cells in MarkedBlock::callDestructor() that are not
2273            zapped should have a non-null StructureID.  This will help us catch
2274            bugs where the other cell header flag bits get set after the cell is
2275            zapped, thereby making the cell look like an unzapped cell but with a
2276            null structureID.
2277
2278         * heap/MarkedBlock.cpp:
2279         (JSC::MarkedBlock::callDestructor):
2280         * runtime/StructureIDTable.h:
2281         (JSC::StructureIDTable::get):
2282
2283 2014-08-01  Csaba Osztrogonác  <ossy@webkit.org>
2284
2285         URTBF after r171946 to fix non-Apple builds.
2286
2287         * bytecode/InlineCallFrameSet.cpp:
2288
2289 2014-08-01  Mark Hahnenberg  <mhahnenberg@apple.com>
2290
2291         CodeBlock fails to visit the Executables of its InlineCallFrames
2292         https://bugs.webkit.org/show_bug.cgi?id=135471
2293
2294         Reviewed by Geoffrey Garen.
2295
2296         CodeBlock needs to visit its InlineCallFrames' owner Executables. If it doesn't, they 
2297         can be prematurely collected and cause crashes.
2298
2299         * bytecode/CodeBlock.cpp:
2300         (JSC::CodeBlock::stronglyVisitStrongReferences):
2301         * bytecode/CodeOrigin.h:
2302         (JSC::InlineCallFrame::visitAggregate):
2303         * bytecode/InlineCallFrameSet.cpp:
2304         (JSC::InlineCallFrameSet::visitAggregate):
2305         * bytecode/InlineCallFrameSet.h:
2306
2307 2014-08-01  Alex Christensen  <achristensen@webkit.org>
2308
2309         Progress towards cmake on Windows.
2310         https://bugs.webkit.org/show_bug.cgi?id=135484
2311
2312         Reviewed by Martin Robinson.
2313
2314         * CMakeLists.txt:
2315         Generate code directly to inspector directory to avoid using the cp command
2316         which is not available on Windows.
2317         * PlatformWin.cmake: Added.
2318
2319 2014-07-31  Andreas Kling  <akling@apple.com>
2320
2321         Remove the JSC::OverridesVisitChildren flag.
2322         <https://webkit.org/b/135489>
2323
2324         Except for 3 special classes, the visitChildren() call is always
2325         dispatched through the method table (see SlotVisitor.cpp.)
2326
2327         The OverridesVisitChildren flag doesn't actually do anything.
2328         It could be used to implement a non-virtual direct call to
2329         JSCell::visitChildren, bypassing the method table for some objects,
2330         but such a micro-optimization seems like a weak trade for all this
2331         code complexity. Instead, just remove the flag.
2332
2333         This change frees up an inline flag bit in JSCell.
2334
2335         Reviewed by Geoffrey Garen.
2336
2337         * API/JSAPIWrapperObject.h:
2338         * API/JSAPIWrapperObject.mm:
2339         (JSC::JSAPIWrapperObject::visitChildren):
2340         * API/JSCallbackObject.h:
2341         (JSC::JSCallbackObject::visitChildren):
2342         * bytecode/UnlinkedCodeBlock.cpp:
2343         (JSC::UnlinkedFunctionExecutable::visitChildren):
2344         (JSC::UnlinkedCodeBlock::visitChildren):
2345         (JSC::UnlinkedProgramCodeBlock::visitChildren):
2346         * bytecode/UnlinkedCodeBlock.h:
2347         * debugger/DebuggerScope.cpp:
2348         (JSC::DebuggerScope::visitChildren):
2349         * debugger/DebuggerScope.h:
2350         * jsc.cpp:
2351         * runtime/Arguments.cpp:
2352         (JSC::Arguments::visitChildren):
2353         * runtime/Arguments.h:
2354         * runtime/Executable.cpp:
2355         (JSC::EvalExecutable::visitChildren):
2356         (JSC::ProgramExecutable::visitChildren):
2357         (JSC::FunctionExecutable::visitChildren):
2358         * runtime/Executable.h:
2359         * runtime/GetterSetter.cpp:
2360         (JSC::GetterSetter::visitChildren):
2361         * runtime/GetterSetter.h:
2362         (JSC::GetterSetter::createStructure):
2363         * runtime/JSAPIValueWrapper.h:
2364         (JSC::JSAPIValueWrapper::createStructure):
2365         * runtime/JSActivation.cpp:
2366         (JSC::JSActivation::visitChildren):
2367         * runtime/JSActivation.h:
2368         * runtime/JSArrayIterator.cpp:
2369         (JSC::JSArrayIterator::visitChildren):
2370         * runtime/JSArrayIterator.h:
2371         * runtime/JSBoundFunction.cpp:
2372         (JSC::JSBoundFunction::visitChildren):
2373         * runtime/JSBoundFunction.h:
2374         * runtime/JSCellInlines.h:
2375         (JSC::JSCell::setStructure):
2376         * runtime/JSFunction.cpp:
2377         (JSC::JSFunction::visitChildren):
2378         * runtime/JSFunction.h:
2379         * runtime/JSGlobalObject.cpp:
2380         (JSC::JSGlobalObject::visitChildren):
2381         * runtime/JSGlobalObject.h:
2382         * runtime/JSMap.h:
2383         * runtime/JSMapIterator.cpp:
2384         (JSC::JSMapIterator::visitChildren):
2385         * runtime/JSMapIterator.h:
2386         * runtime/JSNameScope.cpp:
2387         (JSC::JSNameScope::visitChildren):
2388         * runtime/JSNameScope.h:
2389         * runtime/JSPromise.cpp:
2390         (JSC::JSPromise::visitChildren):
2391         * runtime/JSPromise.h:
2392         * runtime/JSPromiseDeferred.cpp:
2393         (JSC::JSPromiseDeferred::visitChildren):
2394         * runtime/JSPromiseDeferred.h:
2395         * runtime/JSPromiseReaction.cpp:
2396         (JSC::JSPromiseReaction::visitChildren):
2397         * runtime/JSPromiseReaction.h:
2398         * runtime/JSPropertyNameIterator.cpp:
2399         (JSC::JSPropertyNameIterator::visitChildren):
2400         * runtime/JSPropertyNameIterator.h:
2401         * runtime/JSProxy.cpp:
2402         (JSC::JSProxy::visitChildren):
2403         * runtime/JSProxy.h:
2404         * runtime/JSScope.cpp:
2405         (JSC::JSScope::visitChildren):
2406         * runtime/JSScope.h:
2407         * runtime/JSSegmentedVariableObject.cpp:
2408         (JSC::JSSegmentedVariableObject::visitChildren):
2409         * runtime/JSSegmentedVariableObject.h:
2410         * runtime/JSSet.h:
2411         * runtime/JSSetIterator.cpp:
2412         (JSC::JSSetIterator::visitChildren):
2413         * runtime/JSSetIterator.h:
2414         * runtime/JSSymbolTableObject.cpp:
2415         (JSC::JSSymbolTableObject::visitChildren):
2416         * runtime/JSSymbolTableObject.h:
2417         * runtime/JSTypeInfo.h:
2418         (JSC::TypeInfo::overridesVisitChildren): Deleted.
2419         * runtime/JSWeakMap.h:
2420         * runtime/JSWithScope.cpp:
2421         (JSC::JSWithScope::visitChildren):
2422         * runtime/JSWithScope.h:
2423         * runtime/JSWrapperObject.cpp:
2424         (JSC::JSWrapperObject::visitChildren):
2425         * runtime/JSWrapperObject.h:
2426         * runtime/MapData.h:
2427         * runtime/NativeErrorConstructor.cpp:
2428         (JSC::NativeErrorConstructor::visitChildren):
2429         * runtime/NativeErrorConstructor.h:
2430         * runtime/PropertyMapHashTable.h:
2431         * runtime/PropertyTable.cpp:
2432         (JSC::PropertyTable::visitChildren):
2433         * runtime/RegExpConstructor.cpp:
2434         (JSC::RegExpConstructor::visitChildren):
2435         * runtime/RegExpConstructor.h:
2436         * runtime/RegExpMatchesArray.cpp:
2437         (JSC::RegExpMatchesArray::visitChildren):
2438         * runtime/RegExpMatchesArray.h:
2439         * runtime/RegExpObject.cpp:
2440         (JSC::RegExpObject::visitChildren):
2441         * runtime/RegExpObject.h:
2442         * runtime/SparseArrayValueMap.h:
2443         * runtime/Structure.cpp:
2444         (JSC::Structure::Structure):
2445         (JSC::Structure::visitChildren):
2446         * runtime/StructureChain.cpp:
2447         (JSC::StructureChain::visitChildren):
2448         * runtime/StructureChain.h:
2449         * runtime/StructureRareData.cpp:
2450         (JSC::StructureRareData::visitChildren):
2451         * runtime/StructureRareData.h:
2452         * runtime/WeakMapData.h:
2453
2454 2014-07-31  Mark Lam  <mark.lam@apple.com>
2455
2456         JSCell::classInfo() belongs in JSCellInlines.h.
2457         <https://webkit.org/b/135475>
2458
2459         Reviewed by Mark Hahnenberg.
2460
2461         * runtime/JSCellInlines.h:
2462         (JSC::JSCell::classInfo):
2463         * runtime/JSDestructibleObject.h:
2464         (JSC::JSCell::classInfo): Deleted.
2465
2466 2014-07-31  Tanay C  <tanay.c@samsung.com>
2467
2468         Build warning in webkit/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
2469         https://bugs.webkit.org/show_bug.cgi?id=135414
2470
2471         Reviewed by Csaba Osztrogonác.
2472
2473         * llint/LLIntSlowPaths.cpp:
2474         (JSC::LLInt::putToScopeCommon): Removed unused parameter from function definition.
2475
2476 2014-07-30  Filip Pizlo  <fpizlo@apple.com>
2477
2478         NewFunctionExpression and NewFunctionNoCheck should setHaveStructures(true)
2479         https://bugs.webkit.org/show_bug.cgi?id=135430
2480
2481         Reviewed by Mark Hahnenberg.
2482
2483         We already handled this correctly after the ftlopt merge, but it's useful to have the test.
2484
2485         * tests/stress/new-function-expression-has-structures.js: Added.
2486         (foo.f):
2487         (foo.f.prototype.f):
2488         (foo):
2489
2490 2014-07-30  Andreas Kling  <akling@apple.com>
2491
2492         Speculative Windows build fix.
2493
2494         Try to dllimport the dllexported global object HashTable.
2495
2496         * jsc.cpp:
2497         * testRegExp.cpp:
2498
2499 2014-07-30  Andreas Kling  <akling@apple.com>
2500
2501         PropertyName's internal string is always atomic.
2502         <https://webkit.org/b/135451>
2503
2504         Now that we've merged the JSC::Identifier and WTF::AtomicString tables,
2505         we know that any string that's an Identifier is guaranteed to be atomic.
2506
2507         A PropertyName can be either an Identifier or a PrivateName, and the
2508         private names are also guaranteed to be atomic internally.
2509
2510         Make PropertyName vend AtomicStringImpl* instead of StringImpl*.
2511
2512         Reviewed by Benjamin Poulain.
2513
2514         * runtime/PropertyName.h:
2515         (JSC::PropertyName::PropertyName):
2516         (JSC::PropertyName::uid):
2517         (JSC::PropertyName::publicName):
2518
2519 2014-07-30  Andy Estes  <aestes@apple.com>
2520
2521         USE(CONTENT_FILTERING) should be ENABLE(CONTENT_FILTERING)
2522         https://bugs.webkit.org/show_bug.cgi?id=135439
2523
2524         Reviewed by Tim Horton.
2525
2526         We now support two different platform content filters, and will soon support a mock content filter (as part of
2527         webkit.org/b/128858). This makes content filtering a feature of WebKit, not just an adoption of a third-party
2528         library. ENABLE() is the correct macro to use for such a feature.
2529
2530         * Configurations/FeatureDefines.xcconfig:
2531
2532 2014-07-30  Andreas Kling  <akling@apple.com>
2533
2534         Static hash tables no longer need to be coupled with a VM.
2535         <https://webkit.org/b/135421>
2536
2537         Now that the static hash tables are using char** instead of StringImpl**,
2538         it's no longer necessary to make them per-VM.
2539
2540         This patch removes the hook in ClassInfo for providing your own static
2541         hash table getter. Everyone now uses ClassInfo::staticPropHashTable.
2542         Most of this patch is tweaking ClassInfo construction sites to pass one
2543         less null pointer.
2544
2545         Also simplified Lookup.h to stop requiring ExecState/VM to access the
2546         static hash tables.
2547
2548         Reviewed by Geoffrey Garen.
2549
2550         * API/JSAPIWrapperObject.mm:
2551         * API/JSCallbackConstructor.cpp:
2552         * API/JSCallbackFunction.cpp:
2553         * API/JSCallbackObject.cpp:
2554         * API/ObjCCallbackFunction.mm:
2555         * bytecode/UnlinkedCodeBlock.cpp:
2556         * create_hash_table:
2557         * debugger/DebuggerScope.cpp:
2558         * inspector/JSInjectedScriptHost.cpp:
2559         * inspector/JSInjectedScriptHostPrototype.cpp:
2560         * inspector/JSJavaScriptCallFrame.cpp:
2561         * inspector/JSJavaScriptCallFramePrototype.cpp:
2562         * interpreter/CallFrame.h:
2563         (JSC::ExecState::arrayConstructorTable): Deleted.
2564         (JSC::ExecState::arrayPrototypeTable): Deleted.
2565         (JSC::ExecState::booleanPrototypeTable): Deleted.
2566         (JSC::ExecState::dataViewTable): Deleted.
2567         (JSC::ExecState::dateTable): Deleted.
2568         (JSC::ExecState::dateConstructorTable): Deleted.
2569         (JSC::ExecState::errorPrototypeTable): Deleted.
2570         (JSC::ExecState::globalObjectTable): Deleted.
2571         (JSC::ExecState::jsonTable): Deleted.
2572         (JSC::ExecState::numberConstructorTable): Deleted.
2573         (JSC::ExecState::numberPrototypeTable): Deleted.
2574         (JSC::ExecState::objectConstructorTable): Deleted.
2575         (JSC::ExecState::privateNamePrototypeTable): Deleted.
2576         (JSC::ExecState::regExpTable): Deleted.
2577         (JSC::ExecState::regExpConstructorTable): Deleted.
2578         (JSC::ExecState::regExpPrototypeTable): Deleted.
2579         (JSC::ExecState::stringConstructorTable): Deleted.
2580         (JSC::ExecState::promisePrototypeTable): Deleted.
2581         (JSC::ExecState::promiseConstructorTable): Deleted.
2582         * jsc.cpp:
2583         * parser/Lexer.h:
2584         (JSC::Keywords::isKeyword):
2585         (JSC::Keywords::getKeyword):
2586         * runtime/Arguments.cpp:
2587         * runtime/ArgumentsIteratorConstructor.cpp:
2588         * runtime/ArgumentsIteratorPrototype.cpp:
2589         * runtime/ArrayBufferNeuteringWatchpoint.cpp:
2590         * runtime/ArrayConstructor.cpp:
2591         (JSC::ArrayConstructor::getOwnPropertySlot):
2592         * runtime/ArrayIteratorConstructor.cpp:
2593         * runtime/ArrayIteratorPrototype.cpp:
2594         * runtime/ArrayPrototype.cpp:
2595         (JSC::ArrayPrototype::getOwnPropertySlot):
2596         * runtime/BooleanConstructor.cpp:
2597         * runtime/BooleanObject.cpp:
2598         * runtime/BooleanPrototype.cpp:
2599         (JSC::BooleanPrototype::getOwnPropertySlot):
2600         * runtime/ClassInfo.h:
2601         (JSC::ClassInfo::hasStaticProperties):
2602         (JSC::ClassInfo::propHashTable): Deleted.
2603         * runtime/ConsolePrototype.cpp:
2604         * runtime/CustomGetterSetter.cpp:
2605         * runtime/DateConstructor.cpp:
2606         (JSC::DateConstructor::getOwnPropertySlot):
2607         * runtime/DateInstance.cpp:
2608         * runtime/DatePrototype.cpp:
2609         (JSC::DatePrototype::getOwnPropertySlot):
2610         * runtime/Error.cpp:
2611         * runtime/ErrorConstructor.cpp:
2612         * runtime/ErrorInstance.cpp:
2613         * runtime/ErrorPrototype.cpp:
2614         (JSC::ErrorPrototype::getOwnPropertySlot):
2615         * runtime/ExceptionHelpers.cpp:
2616         * runtime/Executable.cpp:
2617         * runtime/FunctionConstructor.cpp:
2618         * runtime/FunctionPrototype.cpp:
2619         * runtime/GetterSetter.cpp:
2620         * runtime/InternalFunction.cpp:
2621         * runtime/JSAPIValueWrapper.cpp:
2622         * runtime/JSActivation.cpp:
2623         * runtime/JSArgumentsIterator.cpp:
2624         * runtime/JSArray.cpp:
2625         * runtime/JSArrayBuffer.cpp:
2626         * runtime/JSArrayBufferConstructor.cpp:
2627         * runtime/JSArrayBufferPrototype.cpp:
2628         * runtime/JSArrayBufferView.cpp:
2629         * runtime/JSArrayIterator.cpp:
2630         * runtime/JSBoundFunction.cpp:
2631         * runtime/JSConsole.cpp:
2632         * runtime/JSDataView.cpp:
2633         * runtime/JSDataViewPrototype.cpp:
2634         (JSC::JSDataViewPrototype::getOwnPropertySlot):
2635         * runtime/JSFunction.cpp:
2636         * runtime/JSGlobalObject.cpp:
2637         (JSC::JSGlobalObject::getOwnPropertySlot):
2638         * runtime/JSMap.cpp:
2639         * runtime/JSMapIterator.cpp:
2640         * runtime/JSNameScope.cpp:
2641         * runtime/JSNotAnObject.cpp:
2642         * runtime/JSONObject.cpp:
2643         (JSC::JSONObject::getOwnPropertySlot):
2644         * runtime/JSObject.cpp:
2645         (JSC::getClassPropertyNames):
2646         (JSC::JSObject::put):
2647         (JSC::JSObject::deleteProperty):
2648         (JSC::JSObject::findPropertyHashEntry):
2649         (JSC::JSObject::reifyStaticFunctionsForDelete):
2650         * runtime/JSObject.h:
2651         * runtime/JSPromise.cpp:
2652         * runtime/JSPromiseConstructor.cpp:
2653         (JSC::JSPromiseConstructor::getOwnPropertySlot):
2654         * runtime/JSPromiseDeferred.cpp:
2655         * runtime/JSPromisePrototype.cpp:
2656         (JSC::JSPromisePrototype::getOwnPropertySlot):
2657         * runtime/JSPromiseReaction.cpp:
2658         * runtime/JSPropertyNameIterator.cpp:
2659         * runtime/JSProxy.cpp:
2660         * runtime/JSSet.cpp:
2661         * runtime/JSSetIterator.cpp:
2662         * runtime/JSString.cpp:
2663         * runtime/JSTypedArrayConstructors.cpp:
2664         * runtime/JSTypedArrayPrototypes.cpp:
2665         * runtime/JSTypedArrays.cpp:
2666         * runtime/JSVariableObject.cpp:
2667         * runtime/JSWeakMap.cpp:
2668         * runtime/JSWithScope.cpp:
2669         * runtime/Lookup.cpp:
2670         (JSC::HashTable::createTable):
2671         * runtime/Lookup.h:
2672         (JSC::HashTable::initializeIfNeeded):
2673         (JSC::HashTable::entry):
2674         (JSC::HashTable::begin):
2675         (JSC::HashTable::end):
2676         (JSC::getStaticPropertySlot):
2677         (JSC::getStaticFunctionSlot):
2678         (JSC::getStaticValueSlot):
2679         (JSC::lookupPut):
2680         * runtime/MapConstructor.cpp:
2681         * runtime/MapData.cpp:
2682         * runtime/MapIteratorConstructor.cpp:
2683         * runtime/MapIteratorPrototype.cpp:
2684         * runtime/MapPrototype.cpp:
2685         * runtime/MathObject.cpp:
2686         * runtime/NameConstructor.cpp:
2687         * runtime/NameInstance.cpp:
2688         * runtime/NamePrototype.cpp:
2689         (JSC::NamePrototype::getOwnPropertySlot):
2690         * runtime/NativeErrorConstructor.cpp:
2691         * runtime/NumberConstructor.cpp:
2692         (JSC::NumberConstructor::getOwnPropertySlot):
2693         * runtime/NumberObject.cpp:
2694         * runtime/NumberPrototype.cpp:
2695         (JSC::NumberPrototype::getOwnPropertySlot):
2696         * runtime/ObjectConstructor.cpp:
2697         (JSC::ObjectConstructor::getOwnPropertySlot):
2698         * runtime/ObjectPrototype.cpp:
2699         * runtime/PropertyTable.cpp:
2700         * runtime/RegExp.cpp:
2701         * runtime/RegExpConstructor.cpp:
2702         (JSC::RegExpConstructor::getOwnPropertySlot):
2703         * runtime/RegExpMatchesArray.cpp:
2704         * runtime/RegExpObject.cpp:
2705         (JSC::RegExpObject::getOwnPropertySlot):
2706         * runtime/RegExpPrototype.cpp:
2707         (JSC::RegExpPrototype::getOwnPropertySlot):
2708         * runtime/SetConstructor.cpp:
2709         * runtime/SetIteratorConstructor.cpp:
2710         * runtime/SetIteratorPrototype.cpp:
2711         * runtime/SetPrototype.cpp:
2712         * runtime/SparseArrayValueMap.cpp:
2713         * runtime/StrictEvalActivation.cpp:
2714         * runtime/StringConstructor.cpp:
2715         (JSC::StringConstructor::getOwnPropertySlot):
2716         * runtime/StringObject.cpp:
2717         * runtime/StringPrototype.cpp:
2718         * runtime/Structure.cpp:
2719         (JSC::Structure::Structure):
2720         (JSC::Structure::freezeTransition):
2721         (JSC::ClassInfo::hasStaticSetterOrReadonlyProperties):
2722         * runtime/StructureChain.cpp:
2723         * runtime/StructureRareData.cpp:
2724         * runtime/SymbolTable.cpp:
2725         * runtime/VM.cpp:
2726         (JSC::VM::VM):
2727         (JSC::VM::~VM):
2728         * runtime/VM.h:
2729         * runtime/WeakMapConstructor.cpp:
2730         * runtime/WeakMapData.cpp:
2731         * runtime/WeakMapPrototype.cpp:
2732         * testRegExp.cpp:
2733
2734 2014-07-29  Brent Fulgham  <bfulgham@apple.com>
2735
2736         [Win] Modify version numbering scheme to support 5-tuple versions
2737         https://bugs.webkit.org/show_bug.cgi?id=135400
2738         <rdar://problem/17849033>
2739
2740         Reviewed by David Kilzer.
2741
2742         * JavaScriptCore.vcxproj/JavaScriptCorePostBuild.cmd: Use the
2743         new version-stamp.pl script to version JavaScriptCore.dll.
2744
2745 2014-07-29  Daniel Bates  <dabates@apple.com>
2746
2747         Use WTF::move() instead of std::move() to help ensure move semantics
2748         https://bugs.webkit.org/show_bug.cgi?id=135351
2749
2750         Reviewed by Alexey Proskuryakov.
2751
2752         * bytecode/GetByIdStatus.cpp:
2753         (JSC::GetByIdStatus::computeForStubInfo):
2754         * bytecode/GetByIdVariant.cpp:
2755         (JSC::GetByIdVariant::GetByIdVariant):
2756
2757 2014-07-28  Tamas Gergely  <tgergely.u-szeged@partner.samsung.com>
2758
2759         BuildFix: JavaScriptCore/bytecode/StructureSet.h:262:77: warning.
2760         https://bugs.webkit.org/show_bug.cgi?id=135287
2761
2762         Reviewed by Darin Adler.
2763
2764         The set() method tries to use a part of the old value (the reservedFlag bit) which
2765         was not defined when the constructor is called. Initialize m_pointer to 0 explicitly.
2766
2767         * bytecode/StructureSet.h:
2768         (JSC::StructureSet::StructureSet):
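
The entry above describes a tagged-pointer field whose set() folds the reserved flag bit of the previous value into the new one, so an uninitialized m_pointer leaks stale bits into the first set(). The following is an added illustration of that bug class and its fix; it is not WebKit code, and the names TaggedPointer, BuggyTaggedPointer, Node and reservedFlag are stand-ins for the real StructureSet internals. Because reading an indeterminate member is undefined behaviour, the buggy variant takes the stale memory contents as an explicit argument so the demonstration itself stays well-defined.

```cpp
#include <cassert>
#include <cstdint>

// Illustrative types, not JSC's. Node only needs to be aligned so that its
// address never has the low bit set, which is what frees that bit for a flag.
struct Node { int payload; };

constexpr uintptr_t reservedFlag = 1;

// Buggy shape: the constructor calls set(), and set() preserves the flag bit
// of the *previous* value of m_pointer, which nobody ever wrote.
class BuggyTaggedPointer {
public:
    // staleMemory simulates whatever the uninitialized field happened to hold
    // (in the real bug this read is undefined behaviour; here it is explicit).
    BuggyTaggedPointer(Node* target, uintptr_t staleMemory)
        : m_pointer(staleMemory)
    {
        set(target); // consults m_pointer before it was ever deliberately set
    }

    void set(Node* target)
    {
        uintptr_t raw = reinterpret_cast<uintptr_t>(target);
        assert(!(raw & reservedFlag)); // alignment guarantees the bit is free
        m_pointer = raw | (m_pointer & reservedFlag); // keeps the old flag bit
    }

    bool flag() const { return m_pointer & reservedFlag; }
    Node* node() const { return reinterpret_cast<Node*>(m_pointer & ~reservedFlag); }

private:
    uintptr_t m_pointer;
};

// Fixed shape: m_pointer is explicitly initialized to 0 before the first set(),
// so the flag starts clear and only changes through setFlag().
class TaggedPointer {
public:
    explicit TaggedPointer(Node* target) : m_pointer(0) { set(target); }

    void set(Node* target)
    {
        uintptr_t raw = reinterpret_cast<uintptr_t>(target);
        assert(!(raw & reservedFlag));
        m_pointer = raw | (m_pointer & reservedFlag); // flag survives re-pointing
    }

    void setFlag() { m_pointer |= reservedFlag; }
    bool flag() const { return m_pointer & reservedFlag; }
    Node* node() const { return reinterpret_cast<Node*>(m_pointer & ~reservedFlag); }

private:
    uintptr_t m_pointer;
};

// True when a freshly constructed buggy pointer over all-ones stale memory
// reports the flag as set even though nothing ever set it.
bool buggyInheritsGarbageFlag()
{
    static Node n { 1 };
    BuggyTaggedPointer p(&n, ~uintptr_t(0));
    return p.flag() && p.node() == &n;
}

// True when the fixed pointer starts with the flag clear, keeps a deliberately
// set flag across set(), and still yields the right pointer.
bool fixedBehavesDeterministically()
{
    static Node a { 1 }, b { 2 };
    TaggedPointer p(&a);
    bool startedClear = !p.flag();
    p.setFlag();
    p.set(&b);
    return startedClear && p.flag() && p.node() == &b;
}
```

The stale-bit version is the kind of defect a -Wmaybe-uninitialized warning or MemorySanitizer catches on the first call; the fix is the one-line member initializer, which is exactly what the entry above adds.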
2769
2770 2014-07-28  Benjamin Poulain  <bpoulain@apple.com>
2771
2772         [JSC] JIT::assertStackPointerOffset() crashes on ARM64
2773         https://bugs.webkit.org/show_bug.cgi?id=135316
2774
2775         Reviewed by Geoffrey Garen.
2776
2777         JIT::assertStackPointerOffset() does a compare between an arbitrary register
2778         and the stack pointer. This was not supported by the ARM64 assembler.
2779
2780         There is no variation that can take a stack pointer for Xd. There is one version of subs
2781         that can take a stack pointer, but only for the Xn: the shift+extend one.
2782         To solve the problem, I changed cmp to swap the registers if necessary, and I fixed
2783         the implementation of sub.
2784
2785         * assembler/ARM64Assembler.h:
2786         (JSC::ARM64Assembler::sub):
2787         In the generic sub(reg, reg), I added assertions to catch the condition that cannot be generated
2788         with either version of sub.
2789
2790         In sub(with shift), I remove the weird special case for SP. First, it was quite misleading because
2791         the Rd case only works if "setflag == false". The other confusing part is that going to addSubtractShiftedRegister()
2792         gives you a reduced shift range, which could create subtle bugs that only appear when SP is used.
2793
2794         Since I removed the weird case, I need to differentiate between the sub() that supports SP, and the one that does
2795         not elsewhere. That is why that branch has moved to the generic sub(reg, reg). Since at that point we know
2796         the shift value must be zero, it is safe to call either variant.
2797
2798         * assembler/MacroAssemblerARM64.h:
2799         (JSC::MacroAssemblerARM64::branch64):
2800         With the changes described above, we can now use SP for the left register. What do we do if the rightmost
2801         register is SP?
2802
2803         For the case of JIT::assertStackPointerOffset(), the comparison is Equal so the order really does not matter,
2804         we just switch the registers before generating the instruction.
2805
2806         For the generic case, just move the value of SP to a GPR before doing the CMP.
2807
2808 2014-07-28  Brian J. Burg  <burg@cs.washington.edu>
2809
2810         Unreviewed build fix after r171682.
2811
2812         * replay/EncodedValue.h: Don't mark the inlined Vector<char> specialization
2813         as an exported symbol.
2814
2815 2014-07-28  Mark Hahnenberg  <mhahnenberg@apple.com>
2816
2817         REGRESSION: JSObjectSetPrototype() does not work on result of JSGetGlobalObject()
2818         https://bugs.webkit.org/show_bug.cgi?id=135322
2819
2820         Reviewed by Oliver Hunt.
2821
2822         The prototype chain of the JSProxy object should match that of the JSGlobalObject. 
2823
2824         This is a separate but related issue with JSObjectSetPrototype which doesn't correctly 
2825         account for JSProxies. I also audited the rest of the C API to check that we correctly 
2826         handle JSProxies in all other situations where we expect a JSCallbackObject of some sort
2827         and found some SPI calls (JSObject*PrivateProperty) that didn't behave correctly when 
2828         passed a JSProxy.
2829
2830         I also added some new tests for these cases.
2831
2832         * API/JSObjectRef.cpp:
2833         (JSObjectSetPrototype):
2834         (JSObjectGetPrivateProperty):
2835         (JSObjectSetPrivateProperty):
2836         (JSObjectDeletePrivateProperty):
2837         * API/JSWeakObjectMapRefPrivate.cpp:
2838         * API/tests/CustomGlobalObjectClassTest.c:
2839         (globalObjectSetPrototypeTest):
2840         (globalObjectPrivatePropertyTest):
2841         * API/tests/CustomGlobalObjectClassTest.h:
2842         * API/tests/testapi.c:
2843         (main):
2844
2845 2014-07-28  Filip Pizlo  <fpizlo@apple.com>
2846
2847         Make sure that we don't use non-speculative BooleanToNumber for a speculative Branch
2848         https://bugs.webkit.org/show_bug.cgi?id=135350
2849         <rdar://problem/17509889>
2850
2851         Reviewed by Mark Hahnenberg and Oliver Hunt.
2852         
2853         If we have an exiting node that uses a conversion node, then that exiting node
2854         needs to have a Phantom after it for the original node. But we can't do that
2855         for Branch because https://bugs.webkit.org/show_bug.cgi?id=126778.
2856
2857         * dfg/DFGFixupPhase.cpp:
2858         (JSC::DFG::FixupPhase::fixupNode):
2859         (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
2860         * tests/stress/branch-check-int32-on-boolean-to-number-untyped.js: Added.
2861         (foo):
2862         (test):
2863         * tests/stress/branch-check-number-on-boolean-to-number-untyped.js: Added.
2864         (foo):
2865         (test):
2866
2867 2014-07-28  Joseph Pecoraro  <pecoraro@apple.com>
2868
2869         JSContext Inspector: crash when using step-into
2870         https://bugs.webkit.org/show_bug.cgi?id=135345
2871
2872         Reviewed by Timothy Hatcher.
2873
2874         * inspector/agents/InspectorDebuggerAgent.cpp:
2875         (Inspector::InspectorDebuggerAgent::stepInto):
2876         Null check m_listener since it may not be set.
2877
2878 2014-07-28  Brian J. Burg  <burg@cs.washington.edu>
2879
2880         Web Replay: auto-decoding of parameterized vector's elements is incorrect
2881         https://bugs.webkit.org/show_bug.cgi?id=135343
2882
2883         Reviewed by Timothy Hatcher.
2884
2885         Fix an incorrect type argument in EncodingTraits<Vector<T>>::encodeValue
2886         that was using the element's decoded type as the type parameter to
2887         EncodedValue::append<T>. It should instead be the raw type T. This
2888         causes problems when encoding Vector<RefPtr<T>>, as it later tries to
2889         use encoding traits for RefPtr<T> rather than for T.
2890
2891         Fix incorrect generated encoding traits argument for vectors of
2892         RefCounted objects. Updated test to cover this scenario.
2893
2894         * replay/scripts/CodeGeneratorReplayInputs.py:
2895         (Type.encoding_type_argument):
2896         (VectorType.type_name):
2897         (VectorType):
2898         (VectorType.encoding_type_argument):
2899         (Generator.generate_input_encode_implementation):
2900         (Generator.generate_input_decode_implementation):
2901         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp:
2902         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h:
2903         * replay/scripts/tests/generate-input-with-vector-members.json: Updated.
2904
2905 2014-07-28  Brian J. Burg  <burg@cs.washington.edu>
2906
2907         Web Replay: incorrect serialization code generated for enum classes inside class scope
2908         https://bugs.webkit.org/show_bug.cgi?id=135342
2909
2910         Reviewed by Timothy Hatcher.
2911
2912         If an enum class is defined inside of a class scope, then the enum class
2913         cannot be forward-declared and the relevant header should be included.
2914         Some generated code used incorrectly-scoped enum values in this situation.
2915
2916         * replay/scripts/CodeGeneratorReplayInputs.py:
2917         (Generator.generate_includes.declaration.is):
2918         (Generator.generate_enum_trait_implementation.is):
2919         (Generator.generate_enum_trait_implementation):
2920
2921         Tests:
2922
2923         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Rebaselined.
2924         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Rebaselined.
2925         * replay/scripts/tests/generate-enums-with-same-base-name.json: Add enum
2926         class types to this test case.
2927
2928 2014-07-28  Brian J. Burg  <burg@cs.washington.edu>
2929
2930         Web Replay: vectors of characters should be base64-encoded
2931         https://bugs.webkit.org/show_bug.cgi?id=135341
2932
2933         Reviewed by Timothy Hatcher.
2934
2935         Without this specialization, encode/decode methods try to create an
2936         array of single characters in JSON, rather than treating the
2937         vector as a binary blob.
2938
2939         * replay/EncodedValue.cpp:
2940         (JSC::EncodingTraits<Vector<char>>::encodeValue): Added.
2941         (JSC::EncodingTraits<Vector<char>>::decodeValue): Added.
2942         * replay/EncodedValue.h:
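
The entry above switches the encoding of Vector<char> from a JSON array of single characters to a base64 blob. As an added example that is not WebKit's code, here is a strict base64 codec over std::vector<char> (standing in for WTF::Vector<char>). The decoder rejects malformed length, characters outside the alphabet, misplaced padding and non-canonical trailing bits, so two different strings can never decode to the same blob; the function names and the sample inputs in the helpers are this example's own.

```cpp
#include <cstdint>
#include <string>
#include <vector>

static const char kAlphabet[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// Encodes a binary blob; every 3 input bytes become 4 alphabet characters,
// with '=' padding for a 1- or 2-byte tail.
std::string base64Encode(const std::vector<char>& in)
{
    std::string out;
    out.reserve((in.size() + 2) / 3 * 4);
    size_t i = 0;
    while (i + 3 <= in.size()) {
        uint32_t triple = (uint8_t(in[i]) << 16) | (uint8_t(in[i + 1]) << 8) | uint8_t(in[i + 2]);
        out += kAlphabet[(triple >> 18) & 63];
        out += kAlphabet[(triple >> 12) & 63];
        out += kAlphabet[(triple >> 6) & 63];
        out += kAlphabet[triple & 63];
        i += 3;
    }
    size_t rest = in.size() - i;
    if (rest == 1) {
        uint32_t v = uint8_t(in[i]) << 16;
        out += kAlphabet[(v >> 18) & 63];
        out += kAlphabet[(v >> 12) & 63];
        out += "==";
    } else if (rest == 2) {
        uint32_t v = (uint8_t(in[i]) << 16) | (uint8_t(in[i + 1]) << 8);
        out += kAlphabet[(v >> 18) & 63];
        out += kAlphabet[(v >> 12) & 63];
        out += kAlphabet[(v >> 6) & 63];
        out += '=';
    }
    return out;
}

// Strict decoder: returns false on any deviation from canonical base64.
bool base64Decode(const std::string& in, std::vector<char>& out)
{
    out.clear();
    if (in.size() % 4 != 0)
        return false;
    auto value = [](char c) -> int {
        if (c >= 'A' && c <= 'Z') return c - 'A';
        if (c >= 'a' && c <= 'z') return c - 'a' + 26;
        if (c >= '0' && c <= '9') return c - '0' + 52;
        if (c == '+') return 62;
        if (c == '/') return 63;
        return -1; // includes '=' outside the allowed tail positions
    };
    for (size_t i = 0; i < in.size(); i += 4) {
        bool last = (i + 4 == in.size());
        int pad = 0;
        if (last) {
            if (in[i + 3] == '=') pad = 1;
            if (in[i + 2] == '=') pad = 2;
        }
        if (pad == 2 && in[i + 3] != '=') // "xx=y" is malformed
            return false;
        int v[4];
        for (int k = 0; k < 4; ++k) {
            if (k >= 4 - pad) { v[k] = 0; continue; }
            v[k] = value(in[i + k]);
            if (v[k] < 0) return false;
        }
        uint32_t triple = (v[0] << 18) | (v[1] << 12) | (v[2] << 6) | v[3];
        // Canonical form: the bits covered by padding must be zero.
        if (pad == 1 && (triple & 0xFF)) return false;
        if (pad == 2 && (triple & 0xFFFF)) return false;
        out.push_back(char((triple >> 16) & 0xFF));
        if (pad < 2) out.push_back(char((triple >> 8) & 0xFF));
        if (pad < 1) out.push_back(char(triple & 0xFF));
    }
    return true;
}

// Helpers for checking behaviour on constructed inputs.
bool decodesTo(const std::string& text, const std::vector<char>& expected)
{
    std::vector<char> got;
    return base64Decode(text, got) && got == expected;
}

bool decodeFails(const std::string& text)
{
    std::vector<char> got;
    return !base64Decode(text, got);
}

// Every byte value 0..255 survives an encode/decode round trip.
bool roundTripsAllBytes()
{
    std::vector<char> all;
    for (int b = 0; b < 256; ++b) all.push_back(char(b));
    return decodesTo(base64Encode(all), all);
}
```

The canonical-bits check is the part lenient decoders usually skip: without it "aGk=" and "aGl=" both decode to "hi", which lets an attacker produce distinct serialized forms of the same record.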
2943
2944 2014-07-28  Brent Fulgham  <bfulgham@apple.com>
2945
2946         [Win] Unreviewed build fix.
2947
2948         * JavaScriptCore.vcxproj/JavaScriptCore.proj: Switch from the 'Rebuild' target for MSBuild
2949         builds to the 'Build' target to avoid a spurious 'clean' in between build steps.
2950
2951 2014-07-27  Ryuan Choi  <ryuan.choi@samsung.com>
2952
2953         Unreviewed build fix on the EFL port
2954
2955         Build break because of -Werror=return-type
2956
2957         * bytecode/PutByIdVariant.cpp:
2958         (JSC::PutByIdVariant::oldStructureForTransition):
2959         * dfg/DFGValueStrength.h:
2960         (JSC::DFG::merge):
2961
2962 2014-07-27  Filip Pizlo  <fpizlo@apple.com>
2963
2964         [REGRESSION][ftlopt merge][32-bit] stress/prune-multi-put-by-offset-replace-or-transition-variant.js.dfg-eager hits an assertion in SpeculativeJIT::silentSavePlanForGPR
2965         https://bugs.webkit.org/show_bug.cgi?id=135323
2966
2967         Reviewed by Oliver Hunt.
2968         
2969         SpeculativeJIT::silentSavePlanForGPR likes to believe that if a node is a constant,
2970         then it's a constant that can be represented using that node's current DataFormat.
2971         This doesn't work if the constant had been filled as a JSValue, and then one of the
2972         fillSpeculateBlah() methods had speculated that it's of some type that the constant
2973         isn't. Unless fillSpeculateBlah() specifically defends against this case, we'll have
2974         a constant that claims to have a contradictory data format.
2975         
2976         This patch fixes such a bug in the 32-bit fillSpeculateCell(). The 64-bit
2977         fillSpeculateCell() appears to not have this bug, but I added a similar defense
2978         mechanism anyway just in case, since this is one of those mistakes that keeps
2979         reappearing.
2980
2981         * dfg/DFGSpeculativeJIT.cpp:
2982         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
2983         * dfg/DFGSpeculativeJIT32_64.cpp:
2984         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2985         * dfg/DFGSpeculativeJIT64.cpp:
2986         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2987
2988 2014-07-27  Filip Pizlo  <fpizlo@apple.com>
2989
2990         Merge r170090, r170092, r170129, r170141, r170161, r170215, r170275, r170375, r170376, r170382, r170383, r170399, r170436, r170489, r170490, r170556 from ftlopt.
2991         
2992         This fixes the previous mismerge and adds test coverage for the thing that went wrong.
2993         
2994         Additional changes listed here:
2995
2996         * jsc.cpp:
2997         (functionHasCustomProperties): Expose a way of checking hasCustomProperties(), which the DOM relies on. The regression I previously introduced was because this didn't work right. Now we can test it!
2998         * runtime/Structure.cpp:
2999         (JSC::Structure::Structure): This was supposed to be setDidTransition(true); the last merge had it set to false.
3000         * tests/stress/has-custom-properties.js: Added. This test failed with the mismerge.
3001
3002     2014-06-27  Michael Saboff  <msaboff@apple.com>
3003     
3004             Unreviewed build fix after r169795.
3005     
3006             Fixed ASSERT for 32 bit build.
3007     
3008             * dfg/DFGSpeculativeJIT.cpp:
3009             (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
3010     
3011     2014-06-24  Saam Barati  <sbarati@apple.com>
3012     
3013             Web Inspector: debugger should be able to show variable types
3014             https://bugs.webkit.org/show_bug.cgi?id=133395
3015     
3016             Reviewed by Filip Pizlo.
3017     
3018             Increase the amount of type information the VM gathers when directed
3019             to do so. This initial commit is working towards the goal of
3020             capturing, and then showing (via the Web Inspector) type information for all
3021             assignment and load operations. This patch doesn't have the feature fully 
3022             implemented, but it ensures the VM has no performance regressions
3023             unless the feature is specifically turned on.
3024     
3025             * JavaScriptCore.xcodeproj/project.pbxproj:
3026             * bytecode/BytecodeList.json:
3027             * bytecode/BytecodeUseDef.h:
3028             (JSC::computeUsesForBytecodeOffset):
3029             (JSC::computeDefsForBytecodeOffset):
3030             * bytecode/CodeBlock.cpp:
3031             (JSC::CodeBlock::dumpBytecode):
3032             (JSC::CodeBlock::CodeBlock):
3033             (JSC::CodeBlock::finalizeUnconditionally):
3034             * bytecode/CodeBlock.h:
3035             * bytecode/Instruction.h:
3036             * bytecode/TypeLocation.h: Added.
3037             (JSC::TypeLocation::TypeLocation):
3038             * bytecompiler/BytecodeGenerator.cpp:
3039             (JSC::BytecodeGenerator::emitMove):
3040             (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
3041             (JSC::BytecodeGenerator::emitPutToScope):
3042             (JSC::BytecodeGenerator::emitPutById):
3043             (JSC::BytecodeGenerator::emitPutByVal):
3044             * bytecompiler/BytecodeGenerator.h:
3045             (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity):
3046             * bytecompiler/NodesCodegen.cpp:
3047             (JSC::PostfixNode::emitResolve):
3048             (JSC::PrefixNode::emitResolve):
3049             (JSC::ReadModifyResolveNode::emitBytecode):
3050             (JSC::AssignResolveNode::emitBytecode):
3051             (JSC::ConstDeclNode::emitCodeSingle):
3052             (JSC::ForInNode::emitBytecode):
3053             * heap/Heap.cpp:
3054             (JSC::Heap::collect):
3055             * inspector/agents/InspectorRuntimeAgent.cpp:
3056             (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange):
3057             * inspector/agents/InspectorRuntimeAgent.h:
3058             * inspector/protocol/Runtime.json:
3059             * jsc.cpp:
3060             (GlobalObject::finishCreation):
3061             (functionDumpTypesForAllVariables):
3062             * llint/LLIntSlowPaths.cpp:
3063             (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3064             (JSC::LLInt::putToScopeCommon):
3065             * llint/LLIntSlowPaths.h:
3066             * llint/LowLevelInterpreter.asm:
3067             * runtime/HighFidelityLog.cpp: Added.
3068             (JSC::HighFidelityLog::initializeHighFidelityLog):
3069             (JSC::HighFidelityLog::~HighFidelityLog):
3070             (JSC::HighFidelityLog::recordTypeInformationForLocation):
3071             (JSC::HighFidelityLog::processHighFidelityLog):
3072             (JSC::HighFidelityLog::actuallyProcessLogThreadFunction):
3073             * runtime/HighFidelityLog.h: Added.
3074             (JSC::HighFidelityLog::HighFidelityLog):
3075             * runtime/HighFidelityTypeProfiler.cpp: Added.
3076             (JSC::HighFidelityTypeProfiler::getTypesForVariableInRange):
3077             (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableInRange):
3078             (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableInRange):
3079             (JSC::HighFidelityTypeProfiler::insertNewLocation):
3080             (JSC::HighFidelityTypeProfiler::getLocationBasedHash):
3081             * runtime/HighFidelityTypeProfiler.h: Added.
3082             * runtime/Options.h:
3083             * runtime/Structure.cpp:
3084             (JSC::Structure::toStructureShape):
3085             * runtime/Structure.h:
3086             * runtime/SymbolTable.cpp:
3087             (JSC::SymbolTable::SymbolTable):
3088             (JSC::SymbolTable::cloneCapturedNames):
3089             (JSC::SymbolTable::uniqueIDForVariable):
3090             (JSC::SymbolTable::uniqueIDForRegister):
3091             (JSC::SymbolTable::globalTypeSetForRegister):
3092             (JSC::SymbolTable::globalTypeSetForVariable):
3093             * runtime/SymbolTable.h:
3094             (JSC::SymbolTable::add):
3095             (JSC::SymbolTable::set):
3096             * runtime/TypeSet.cpp: Added.
3097             (JSC::TypeSet::TypeSet):
3098             (JSC::TypeSet::getRuntimeTypeForValue):
3099             (JSC::TypeSet::addTypeForValue):
3100             (JSC::TypeSet::removeDuplicatesInStructureHistory):
3101             (JSC::TypeSet::seenTypes):
3102             (JSC::TypeSet::dumpSeenTypes):
3103             (JSC::StructureShape::StructureShape):
3104             (JSC::StructureShape::markAsFinal):
3105             (JSC::StructureShape::addProperty):
3106             (JSC::StructureShape::propertyHash):
3107             (JSC::StructureShape::leastUpperBound):
3108             (JSC::StructureShape::stringRepresentation):
3109             * runtime/TypeSet.h: Added.
3110             (JSC::StructureShape::create):
3111             (JSC::TypeSet::create):
3112             * runtime/VM.cpp:
3113             (JSC::VM::VM):
3114             (JSC::VM::getTypesForVariableInRange):
3115             (JSC::VM::updateHighFidelityTypeProfileState):
3116             (JSC::VM::dumpHighFidelityProfilingTypes):
3117             * runtime/VM.h:
3118             (JSC::VM::isProfilingTypesWithHighFidelity):
3119             (JSC::VM::highFidelityLog):
3120             (JSC::VM::highFidelityTypeProfiler):
3121             (JSC::VM::nextLocation):
3122             (JSC::VM::getNextUniqueVariableID):
3123     
3124     2014-06-26  Mark Lam  <mark.lam@apple.com>
3125     
3126             Remove unused instantiation of the WithScope structure.
3127             <https://webkit.org/b/134331>
3128     
3129             Reviewed by Oliver Hunt.
3130     
3131             The WithScope structure instance in the VM is unused, and is now removed.
3132     
3133             * runtime/VM.cpp:
3134             (JSC::VM::VM):
3135             * runtime/VM.h:
3136     
3137     2014-06-25  Mark Hahnenberg  <mhahnenberg@apple.com>
3138     
3139             Structure bit fields should have a consistent format
3140             https://bugs.webkit.org/show_bug.cgi?id=134307
3141     
3142             Reviewed by Filip Pizlo.
3143     
3144             Currently we use C-style bit fields for a number of member variables in Structure to save space. 
3145             This makes it difficult to load these fields in the JIT. We should instead use our own bitfield 
3146             format to make it easy to load and test these variables in JIT code.
3147     
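The layout change described in the entry above, as an added illustration that is not JSC's code: a hypothetical ExampleStructure keeps all of its flags in one uint32_t at a fixed offset, with each field defined by a named shift and mask, and jitStyleTestFlag / jitStyleLoadField show what JIT-emitted code does with those constants (a 32-bit load at a known offset followed by an AND, or a shift and AND). CStyleFlags is included only to contrast the compiler-chosen layout of C bit fields, which cannot be queried that way. The member names, the flag set and the bit positions are assumptions for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Illustration of the two layouts, not JSC's real Structure (names assumed).

// (a) C-style bit fields: the compiler picks which bits of which byte hold
// each member, and offsetof() on a bit-field member is ill-formed, so code
// the compiler did not produce (a JIT) has no portable way to load and test
// "preventExtensions" from a raw object pointer.
struct CStyleFlags {
    unsigned dictionaryKind : 2;
    unsigned isPinnedPropertyTable : 1;
    unsigned hasGetterSetterProperties : 1;
    unsigned preventExtensions : 1;
};

// (b) Explicit format: one uint32_t word, every field defined by a named
// shift/mask constant. The word's offset and the masks are plain integers
// a JIT can bake into the machine code it emits.
namespace ExampleBits {
constexpr uint32_t dictionaryKindShift = 0;            // 2-bit field at bits 0..1
constexpr uint32_t dictionaryKindMask = 0x3u;          // mask after shifting down
constexpr uint32_t isPinnedPropertyTableFlag = 1u << 2;
constexpr uint32_t hasGetterSetterPropertiesFlag = 1u << 3;
constexpr uint32_t preventExtensionsFlag = 1u << 4;
}

struct ExampleStructure {
    uint32_t structureID;   // unrelated member, so bitField is not at offset 0
    uint32_t bitField;      // all flags live here

    static ptrdiff_t offsetOfBitField() { return offsetof(ExampleStructure, bitField); }

    // Accessors used by ordinary C++ callers.
    uint32_t dictionaryKind() const {
        return (bitField >> ExampleBits::dictionaryKindShift) & ExampleBits::dictionaryKindMask;
    }
    void setDictionaryKind(uint32_t kind) {
        uint32_t cleared = bitField & ~(ExampleBits::dictionaryKindMask << ExampleBits::dictionaryKindShift);
        bitField = cleared | ((kind & ExampleBits::dictionaryKindMask) << ExampleBits::dictionaryKindShift);
    }
    bool isPinnedPropertyTable() const { return bitField & ExampleBits::isPinnedPropertyTableFlag; }
    void setIsPinnedPropertyTable(bool v) { setFlag(ExampleBits::isPinnedPropertyTableFlag, v); }
    bool hasGetterSetterProperties() const { return bitField & ExampleBits::hasGetterSetterPropertiesFlag; }
    void setHasGetterSetterProperties(bool v) { setFlag(ExampleBits::hasGetterSetterPropertiesFlag, v); }
    bool preventExtensions() const { return bitField & ExampleBits::preventExtensionsFlag; }
    void setPreventExtensions(bool v) { setFlag(ExampleBits::preventExtensionsFlag, v); }
    bool isExtensible() const { return !preventExtensions(); }

private:
    void setFlag(uint32_t flag, bool value) {
        if (value) bitField |= flag; else bitField &= ~flag;
    }
};

// What JIT-emitted code does: given only a raw object pointer, a constant
// offset and a constant mask, load a 32-bit word and AND it. memcpy stands in
// for the load instruction; no C++ member access is involved.
bool jitStyleTestFlag(const void* objectBase, ptrdiff_t offset, uint32_t mask) {
    uint32_t word;
    std::memcpy(&word, static_cast<const char*>(objectBase) + offset, sizeof word);
    return (word & mask) != 0;
}

// Same idea for a multi-bit field: load, shift right, mask.
uint32_t jitStyleLoadField(const void* objectBase, ptrdiff_t offset, uint32_t shift, uint32_t mask) {
    uint32_t word;
    std::memcpy(&word, static_cast<const char*>(objectBase) + offset, sizeof word);
    return (word >> shift) & mask;
}

// Fills a structure with a known flag set (constructed sample state) and
// returns the raw word so the accessors and the JIT-style loads can be
// compared against it: kind=2 (bits 0..1), pinned (bit 2), preventExtensions
// (bit 4) gives 2 + 4 + 16 = 0x16.
uint32_t buildSampleBitField(ExampleStructure& s) {
    s.structureID = 42;
    s.bitField = 0;
    s.setDictionaryKind(2);
    s.setIsPinnedPropertyTable(true);
    s.setPreventExtensions(true);
    return s.bitField;
}
```

The point of the explicit format is that the accessor path and the JIT path read the same word with the same constants, so a flag added later only needs a new mask, not a new guess about how the compiler packed a bit-field.
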
3148             * runtime/JSObject.cpp:
3149             (JSC::JSObject::putDirectNonIndexAccessor):
3150             (JSC::JSObject::reifyStaticFunctionsForDelete):
3151             * runtime/Structure.cpp:
3152             (JSC::StructureTransitionTable::contains):
3153             (JSC::StructureTransitionTable::get):
3154             (JSC::StructureTransitionTable::add):
3155             (JSC::Structure::Structure):
3156             (JSC::Structure::materializePropertyMap):
3157             (JSC::Structure::addPropertyTransition):
3158             (JSC::Structure::despecifyFunctionTransition):
3159             (JSC::Structure::toDictionaryTransition):
3160             (JSC::Structure::freezeTransition):
3161             (JSC::Structure::preventExtensionsTransition):
3162             (JSC::Structure::takePropertyTableOrCloneIfPinned):
3163             (JSC::Structure::nonPropertyTransition):
3164             (JSC::Structure::flattenDictionaryStructure):
3165             (JSC::Structure::addPropertyWithoutTransition):
3166             (JSC::Structure::pin):
3167             (JSC::Structure::allocateRareData):
3168             (JSC::Structure::cloneRareDataFrom):
3169             (JSC::Structure::getConcurrently):
3170             (JSC::Structure::putSpecificValue):
3171             (JSC::Structure::getPropertyNamesFromStructure):
3172             (JSC::Structure::visitChildren):
3173             (JSC::Structure::checkConsistency):
3174             * runtime/Structure.h:
3175             (JSC::Structure::isExtensible):