WebKit-https.git / Source / JavaScriptCore / ChangeLog at commit 3c9262e9d261de179f16ec7d54f47d9cf7484742
2014-08-06  Mark Lam  <mark.lam@apple.com>

        Gardening: fix for build failure on EFL bots.

        Not reviewed.

        * runtime/EnumerationMode.h:
        (JSC::shouldIncludeJSObjectPropertyNames):
        (JSC::modeThatSkipsJSObject):
        * runtime/JSCell.cpp:
        (JSC::JSCell::getEnumerableLength):
        * runtime/JSCell.h:

2014-08-06  Dean Jackson  <dino@apple.com>

        ENABLE_CSS_TRANSFORMS_ANIMATIONS_UNPREFIXED is not used anywhere. Remove it.
        https://bugs.webkit.org/show_bug.cgi?id=135675

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:

2014-08-06  Wenson Hsieh  <wenson_hsieh@apple.com>

        Implement parsing for CSS scroll snap points
        https://bugs.webkit.org/show_bug.cgi?id=134301

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig: Added ENABLE_CSS_SCROLL_SNAP

2014-08-06  Mark Lam  <mark.lam@apple.com>

        Gardening: fix for build failure on GTK bots.

        Not reviewed.

        * runtime/FunctionHasExecutedCache.cpp:
        - #include <limits.h> for UINT_MAX's definition.

2014-08-06  Mark Lam  <mark.lam@apple.com>

        Gardening: fix for build failure on EFL bots.

        Not reviewed.

        * jit/JITInlines.h:
        (JSC::JIT::emitLoadForArrayMode):

2014-08-06  Mark Lam  <mark.lam@apple.com>

        Gardening: adding missing build file changes from the FTLOPT merge at r172176.

        Not reviewed.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2014-08-06  Ryuan Choi  <ryuan.choi@samsung.com>

        Unreviewed build fix attempt since r172184

        * CMakeLists.txt: Removed TypeLocation.cpp

2014-08-06  Mark Lam  <mark.lam@apple.com>

        Gardening: adding missing build file changes from r171510.
        <https://webkit.org/b/134860>

        Not reviewed.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2014-08-06  Mark Lam  <mark.lam@apple.com>

        Gardening: adding missing build file changes from r170490.
        <https://webkit.org/b/133395>

        Not reviewed.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2014-08-06  Filip Pizlo  <fpizlo@apple.com>

        Silence a debug assertion.

        Reviewed by Mark Hahnenberg.

        * runtime/JSPropertyNameEnumerator.h:
        (JSC::JSPropertyNameEnumerator::cachedStructure):

2014-08-06  Filip Pizlo  <fpizlo@apple.com>

        Fix 32-bit build.

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileHasIndexedProperty):

2014-08-06  Filip Pizlo  <fpizlo@apple.com>

        Merge r171389, r171495, r171508, r171510, r171605, r171606, r171611, r171614, r171763 from ftlopt.

    2014-07-28  Mark Hahnenberg  <mhahnenberg@apple.com>

            Support for-in in the FTL
            https://bugs.webkit.org/show_bug.cgi?id=134140

            Reviewed by Filip Pizlo.

            * dfg/DFGSSALoweringPhase.cpp:
            (JSC::DFG::SSALoweringPhase::handleNode):
            * ftl/FTLAbstractHeapRepository.cpp:
            * ftl/FTLAbstractHeapRepository.h:
            * ftl/FTLCapabilities.cpp:
            (JSC::FTL::canCompile):
            * ftl/FTLIntrinsicRepository.h:
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileNode):
            (JSC::FTL::LowerDFGToLLVM::compileHasIndexedProperty):
            (JSC::FTL::LowerDFGToLLVM::compileHasGenericProperty):
            (JSC::FTL::LowerDFGToLLVM::compileHasStructureProperty):
            (JSC::FTL::LowerDFGToLLVM::compileGetDirectPname):
            (JSC::FTL::LowerDFGToLLVM::compileGetEnumerableLength):
            (JSC::FTL::LowerDFGToLLVM::compileGetStructurePropertyEnumerator):
            (JSC::FTL::LowerDFGToLLVM::compileGetGenericPropertyEnumerator):
            (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname):
            (JSC::FTL::LowerDFGToLLVM::compileToIndexString):

    2014-07-25  Mark Hahnenberg  <mhahnenberg@apple.com>

            Remove JSPropertyNameIterator
            https://bugs.webkit.org/show_bug.cgi?id=135066

            Reviewed by Geoffrey Garen.

            It has been replaced by JSPropertyNameEnumerator.

            * JavaScriptCore.order:
            * bytecode/BytecodeBasicBlock.cpp:
            (JSC::isBranch):
            * bytecode/BytecodeList.json:
            * bytecode/BytecodeUseDef.h:
            (JSC::computeUsesForBytecodeOffset):
            (JSC::computeDefsForBytecodeOffset):
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::dumpBytecode):
            * bytecode/PreciseJumpTargets.cpp:
            (JSC::getJumpTargetsForBytecodeOffset):
            * bytecompiler/BytecodeGenerator.cpp:
            (JSC::BytecodeGenerator::emitGetPropertyNames): Deleted.
            (JSC::BytecodeGenerator::emitNextPropertyName): Deleted.
            * bytecompiler/BytecodeGenerator.h:
            * interpreter/Interpreter.cpp:
            * interpreter/Register.h:
            * jit/JIT.cpp:
            (JSC::JIT::privateCompileMainPass):
            (JSC::JIT::privateCompileSlowCases):
            * jit/JIT.h:
            * jit/JITOpcodes.cpp:
            (JSC::JIT::emit_op_get_pnames): Deleted.
            (JSC::JIT::emit_op_next_pname): Deleted.
            * jit/JITOpcodes32_64.cpp:
            (JSC::JIT::emit_op_get_pnames): Deleted.
            (JSC::JIT::emit_op_next_pname): Deleted.
            * jit/JITOperations.cpp:
            * jit/JITPropertyAccess.cpp:
            (JSC::JIT::emit_op_get_by_pname): Deleted.
            (JSC::JIT::emitSlow_op_get_by_pname): Deleted.
            * jit/JITPropertyAccess32_64.cpp:
            (JSC::JIT::emit_op_get_by_pname): Deleted.
            (JSC::JIT::emitSlow_op_get_by_pname): Deleted.
            * llint/LLIntOffsetsExtractor.cpp:
            * llint/LLIntSlowPaths.cpp:
            (JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
            * llint/LLIntSlowPaths.h:
            * llint/LowLevelInterpreter.asm:
            * llint/LowLevelInterpreter32_64.asm:
            * llint/LowLevelInterpreter64.asm:
            * runtime/CommonSlowPaths.cpp:
            * runtime/JSPropertyNameIterator.cpp:
            (JSC::JSPropertyNameIterator::JSPropertyNameIterator): Deleted.
            (JSC::JSPropertyNameIterator::create): Deleted.
            (JSC::JSPropertyNameIterator::destroy): Deleted.
            (JSC::JSPropertyNameIterator::get): Deleted.
            (JSC::JSPropertyNameIterator::visitChildren): Deleted.
            * runtime/JSPropertyNameIterator.h:
            (JSC::JSPropertyNameIterator::createStructure): Deleted.
            (JSC::JSPropertyNameIterator::size): Deleted.
            (JSC::JSPropertyNameIterator::setCachedStructure): Deleted.
            (JSC::JSPropertyNameIterator::cachedStructure): Deleted.
            (JSC::JSPropertyNameIterator::setCachedPrototypeChain): Deleted.
            (JSC::JSPropertyNameIterator::cachedPrototypeChain): Deleted.
            (JSC::JSPropertyNameIterator::finishCreation): Deleted.
            (JSC::Register::propertyNameIterator): Deleted.
            (JSC::StructureRareData::enumerationCache): Deleted.
            (JSC::StructureRareData::setEnumerationCache): Deleted.
            * runtime/Structure.cpp:
            (JSC::Structure::addPropertyWithoutTransition):
            (JSC::Structure::removePropertyWithoutTransition):
            * runtime/Structure.h:
            * runtime/StructureInlines.h:
            (JSC::Structure::setEnumerationCache): Deleted.
            (JSC::Structure::enumerationCache): Deleted.
            * runtime/StructureRareData.cpp:
            (JSC::StructureRareData::visitChildren):
            * runtime/StructureRareData.h:
            * runtime/VM.cpp:
            (JSC::VM::VM):

    2014-07-25  Saam Barati  <sbarati@apple.com>

            Fix 32-bit build breakage for type profiling
            https://bugs.webkit.org/process_bug.cgi

            Reviewed by Mark Hahnenberg.

            32-bit builds currently break because global variable IDs for high
            fidelity type profiling are int64_t. Change this to intptr_t so that
            it's 32 bits on 32-bit platforms and 64 bits on 64-bit platforms.

            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::CodeBlock):
            (JSC::CodeBlock::scopeDependentProfile):
            * bytecode/TypeLocation.h:
            * runtime/SymbolTable.cpp:
            (JSC::SymbolTable::uniqueIDForVariable):
            (JSC::SymbolTable::uniqueIDForRegister):
            * runtime/SymbolTable.h:
            * runtime/TypeLocationCache.cpp:
            (JSC::TypeLocationCache::getTypeLocation):
            * runtime/TypeLocationCache.h:
            * runtime/VM.h:
            (JSC::VM::getNextUniqueVariableID):

    2014-07-25  Mark Hahnenberg  <mhahnenberg@apple.com>

            Reindent PropertyNameArray.h
            https://bugs.webkit.org/show_bug.cgi?id=135067

            Reviewed by Geoffrey Garen.

            * runtime/PropertyNameArray.h:
            (JSC::RefCountedIdentifierSet::contains):
            (JSC::RefCountedIdentifierSet::size):
            (JSC::RefCountedIdentifierSet::add):
            (JSC::PropertyNameArrayData::create):
            (JSC::PropertyNameArrayData::propertyNameVector):
            (JSC::PropertyNameArrayData::PropertyNameArrayData):
            (JSC::PropertyNameArray::PropertyNameArray):
            (JSC::PropertyNameArray::vm):
            (JSC::PropertyNameArray::add):
            (JSC::PropertyNameArray::addKnownUnique):
            (JSC::PropertyNameArray::operator[]):
            (JSC::PropertyNameArray::setData):
            (JSC::PropertyNameArray::data):
            (JSC::PropertyNameArray::releaseData):
            (JSC::PropertyNameArray::identifierSet):
            (JSC::PropertyNameArray::canAddKnownUniqueForStructure):
            (JSC::PropertyNameArray::size):
            (JSC::PropertyNameArray::begin):
            (JSC::PropertyNameArray::end):
            (JSC::PropertyNameArray::numCacheableSlots):
            (JSC::PropertyNameArray::setNumCacheableSlotsForObject):
            (JSC::PropertyNameArray::setBaseObject):
            (JSC::PropertyNameArray::setPreviouslyEnumeratedLength):

    2014-07-23  Mark Hahnenberg  <mhahnenberg@apple.com>

            Refactor our current implementation of for-in
            https://bugs.webkit.org/show_bug.cgi?id=134142

            Reviewed by Filip Pizlo.

            This patch splits for-in loops into three distinct parts:

            - Iterating over the indexed properties in the base object.
            - Iterating over the Structure properties in the base object.
            - Iterating over any other enumerable properties for that object and any objects in the prototype chain.

            It does this by emitting these explicit loops in bytecode, using a new set of bytecodes to
            support the various operations required for each loop.

            * API/JSCallbackObjectFunctions.h:
            (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * bytecode/BytecodeList.json:
            * bytecode/BytecodeUseDef.h:
            (JSC::computeUsesForBytecodeOffset):
            (JSC::computeDefsForBytecodeOffset):
            * bytecode/CallLinkStatus.h:
            (JSC::CallLinkStatus::CallLinkStatus):
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::dumpBytecode):
            (JSC::CodeBlock::CodeBlock):
            * bytecompiler/BytecodeGenerator.cpp:
            (JSC::BytecodeGenerator::emitGetByVal):
            (JSC::BytecodeGenerator::emitComplexPopScopes):
            (JSC::BytecodeGenerator::emitGetEnumerableLength):
            (JSC::BytecodeGenerator::emitHasGenericProperty):
            (JSC::BytecodeGenerator::emitHasIndexedProperty):
            (JSC::BytecodeGenerator::emitHasStructureProperty):
            (JSC::BytecodeGenerator::emitGetStructurePropertyEnumerator):
            (JSC::BytecodeGenerator::emitGetGenericPropertyEnumerator):
            (JSC::BytecodeGenerator::emitNextEnumeratorPropertyName):
            (JSC::BytecodeGenerator::emitToIndexString):
            (JSC::BytecodeGenerator::pushIndexedForInScope):
            (JSC::BytecodeGenerator::popIndexedForInScope):
            (JSC::BytecodeGenerator::pushStructureForInScope):
            (JSC::BytecodeGenerator::popStructureForInScope):
            (JSC::BytecodeGenerator::invalidateForInContextForLocal):
            * bytecompiler/BytecodeGenerator.h:
            (JSC::ForInContext::ForInContext):
            (JSC::ForInContext::~ForInContext):
            (JSC::ForInContext::isValid):
            (JSC::ForInContext::invalidate):
            (JSC::ForInContext::local):
            (JSC::StructureForInContext::StructureForInContext):
            (JSC::StructureForInContext::type):
            (JSC::StructureForInContext::index):
            (JSC::StructureForInContext::property):
            (JSC::StructureForInContext::enumerator):
            (JSC::IndexedForInContext::IndexedForInContext):
            (JSC::IndexedForInContext::type):
            (JSC::IndexedForInContext::index):
            (JSC::BytecodeGenerator::pushOptimisedForIn): Deleted.
            (JSC::BytecodeGenerator::popOptimisedForIn): Deleted.
            * bytecompiler/NodesCodegen.cpp:
            (JSC::ReadModifyResolveNode::emitBytecode):
            (JSC::AssignResolveNode::emitBytecode):
            (JSC::ForInNode::tryGetBoundLocal):
            (JSC::ForInNode::emitLoopHeader):
            (JSC::ForInNode::emitMultiLoopBytecode):
            (JSC::ForInNode::emitBytecode):
            * debugger/DebuggerScope.h:
            * dfg/DFGAbstractHeap.h:
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::parseBlock):
            * dfg/DFGCapabilities.cpp:
            (JSC::DFG::capabilityLevel):
            * dfg/DFGClobberize.h:
            (JSC::DFG::clobberize):
            * dfg/DFGDoesGC.cpp:
            (JSC::DFG::doesGC):
            * dfg/DFGFixupPhase.cpp:
            (JSC::DFG::FixupPhase::fixupNode):
            * dfg/DFGHeapLocation.cpp:
            (WTF::printInternal):
            * dfg/DFGHeapLocation.h:
            * dfg/DFGNode.h:
            (JSC::DFG::Node::hasHeapPrediction):
            (JSC::DFG::Node::hasArrayMode):
            * dfg/DFGNodeType.h:
            * dfg/DFGPredictionPropagationPhase.cpp:
            (JSC::DFG::PredictionPropagationPhase::propagate):
            * dfg/DFGSafeToExecute.h:
            (JSC::DFG::safeToExecute):
            * dfg/DFGSpeculativeJIT.h:
            (JSC::DFG::SpeculativeJIT::callOperation):
            * dfg/DFGSpeculativeJIT32_64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGSpeculativeJIT64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * jit/JIT.cpp:
            (JSC::JIT::privateCompileMainPass):
            (JSC::JIT::privateCompileSlowCases):
            * jit/JIT.h:
            (JSC::JIT::compileHasIndexedProperty):
            (JSC::JIT::emitInt32Load):
            * jit/JITInlines.h:
            (JSC::JIT::emitDoubleGetByVal):
            (JSC::JIT::emitLoadForArrayMode):
            (JSC::JIT::emitContiguousGetByVal):
            (JSC::JIT::emitArrayStorageGetByVal):
            * jit/JITOpcodes.cpp:
            (JSC::JIT::emit_op_get_enumerable_length):
            (JSC::JIT::emit_op_has_structure_property):
            (JSC::JIT::emitSlow_op_has_structure_property):
            (JSC::JIT::emit_op_has_generic_property):
            (JSC::JIT::privateCompileHasIndexedProperty):
            (JSC::JIT::emit_op_has_indexed_property):
            (JSC::JIT::emitSlow_op_has_indexed_property):
            (JSC::JIT::emit_op_get_direct_pname):
            (JSC::JIT::emitSlow_op_get_direct_pname):
            (JSC::JIT::emit_op_get_structure_property_enumerator):
            (JSC::JIT::emit_op_get_generic_property_enumerator):
            (JSC::JIT::emit_op_next_enumerator_pname):
            (JSC::JIT::emit_op_to_index_string):
            * jit/JITOpcodes32_64.cpp:
            (JSC::JIT::emit_op_get_enumerable_length):
            (JSC::JIT::emit_op_has_structure_property):
            (JSC::JIT::emitSlow_op_has_structure_property):
            (JSC::JIT::emit_op_has_generic_property):
            (JSC::JIT::privateCompileHasIndexedProperty):
            (JSC::JIT::emit_op_has_indexed_property):
            (JSC::JIT::emitSlow_op_has_indexed_property):
            (JSC::JIT::emit_op_get_direct_pname):
            (JSC::JIT::emitSlow_op_get_direct_pname):
            (JSC::JIT::emit_op_get_structure_property_enumerator):
            (JSC::JIT::emit_op_get_generic_property_enumerator):
            (JSC::JIT::emit_op_next_enumerator_pname):
            (JSC::JIT::emit_op_to_index_string):
            * jit/JITOperations.cpp:
            * jit/JITOperations.h:
            * jit/JITPropertyAccess.cpp:
            (JSC::JIT::emitDoubleLoad):
            (JSC::JIT::emitContiguousLoad):
            (JSC::JIT::emitArrayStorageLoad):
            (JSC::JIT::emitDoubleGetByVal): Deleted.
            (JSC::JIT::emitContiguousGetByVal): Deleted.
            (JSC::JIT::emitArrayStorageGetByVal): Deleted.
            * jit/JITPropertyAccess32_64.cpp:
            (JSC::JIT::emitContiguousLoad):
            (JSC::JIT::emitDoubleLoad):
            (JSC::JIT::emitArrayStorageLoad):
            (JSC::JIT::emitContiguousGetByVal): Deleted.
            (JSC::JIT::emitDoubleGetByVal): Deleted.
            (JSC::JIT::emitArrayStorageGetByVal): Deleted.
            * llint/LowLevelInterpreter.asm:
            * parser/Nodes.h:
            * runtime/Arguments.cpp:
            (JSC::Arguments::getOwnPropertyNames):
            * runtime/ClassInfo.h:
            * runtime/CommonSlowPaths.cpp:
            (JSC::SLOW_PATH_DECL):
            * runtime/CommonSlowPaths.h:
            * runtime/EnumerationMode.h: Added.
            (JSC::shouldIncludeDontEnumProperties):
            (JSC::shouldExcludeDontEnumProperties):
            (JSC::shouldIncludeJSObjectPropertyNames):
            (JSC::modeThatSkipsJSObject):
            * runtime/JSActivation.cpp:
            (JSC::JSActivation::getOwnNonIndexPropertyNames):
            * runtime/JSArray.cpp:
            (JSC::JSArray::getOwnNonIndexPropertyNames):
            * runtime/JSArrayBuffer.cpp:
            (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
            * runtime/JSArrayBufferView.cpp:
            (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
            * runtime/JSCell.cpp:
            (JSC::JSCell::getEnumerableLength):
            (JSC::JSCell::getStructurePropertyNames):
            (JSC::JSCell::getGenericPropertyNames):
            * runtime/JSCell.h:
            * runtime/JSFunction.cpp:
            (JSC::JSFunction::getOwnNonIndexPropertyNames):
            * runtime/JSGenericTypedArrayViewInlines.h:
            (JSC::JSGenericTypedArrayView<Adaptor>::getOwnNonIndexPropertyNames):
            * runtime/JSObject.cpp:
            (JSC::getClassPropertyNames):
            (JSC::JSObject::hasOwnProperty):
            (JSC::JSObject::getOwnPropertyNames):
            (JSC::JSObject::getOwnNonIndexPropertyNames):
            (JSC::JSObject::getEnumerableLength):
            (JSC::JSObject::getStructurePropertyNames):
            (JSC::JSObject::getGenericPropertyNames):
            * runtime/JSObject.h:
            * runtime/JSPropertyNameEnumerator.cpp: Added.
            (JSC::JSPropertyNameEnumerator::create):
            (JSC::JSPropertyNameEnumerator::JSPropertyNameEnumerator):
            (JSC::JSPropertyNameEnumerator::finishCreation):
            (JSC::JSPropertyNameEnumerator::destroy):
            (JSC::JSPropertyNameEnumerator::visitChildren):
            * runtime/JSPropertyNameEnumerator.h: Added.
            (JSC::JSPropertyNameEnumerator::createStructure):
            (JSC::JSPropertyNameEnumerator::propertyNameAtIndex):
            (JSC::JSPropertyNameEnumerator::identifierSet):
            (JSC::JSPropertyNameEnumerator::cachedPrototypeChain):
            (JSC::JSPropertyNameEnumerator::setCachedPrototypeChain):
            (JSC::JSPropertyNameEnumerator::cachedStructure):
            (JSC::JSPropertyNameEnumerator::cachedStructureID):
            (JSC::JSPropertyNameEnumerator::cachedInlineCapacity):
            (JSC::JSPropertyNameEnumerator::cachedStructureIDOffset):
            (JSC::JSPropertyNameEnumerator::cachedInlineCapacityOffset):
            (JSC::JSPropertyNameEnumerator::cachedPropertyNamesLengthOffset):
            (JSC::JSPropertyNameEnumerator::cachedPropertyNamesVectorOffset):
            (JSC::structurePropertyNameEnumerator):
            (JSC::genericPropertyNameEnumerator):
            * runtime/JSProxy.cpp:
            (JSC::JSProxy::getEnumerableLength):
            (JSC::JSProxy::getStructurePropertyNames):
            (JSC::JSProxy::getGenericPropertyNames):
            * runtime/JSProxy.h:
            * runtime/JSSymbolTableObject.cpp:
            (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
            * runtime/PropertyNameArray.cpp:
            (JSC::PropertyNameArray::add):
            (JSC::PropertyNameArray::setPreviouslyEnumeratedProperties):
            * runtime/PropertyNameArray.h:
            (JSC::RefCountedIdentifierSet::contains):
            (JSC::RefCountedIdentifierSet::size):
            (JSC::RefCountedIdentifierSet::add):
            (JSC::PropertyNameArray::PropertyNameArray):
            (JSC::PropertyNameArray::add):
            (JSC::PropertyNameArray::addKnownUnique):
            (JSC::PropertyNameArray::identifierSet):
            (JSC::PropertyNameArray::canAddKnownUniqueForStructure):
            (JSC::PropertyNameArray::setPreviouslyEnumeratedLength):
            * runtime/RegExpObject.cpp:
            (JSC::RegExpObject::getOwnNonIndexPropertyNames):
            (JSC::RegExpObject::getPropertyNames):
            (JSC::RegExpObject::getGenericPropertyNames):
            * runtime/RegExpObject.h:
            * runtime/StringObject.cpp:
            (JSC::StringObject::getOwnPropertyNames):
            * runtime/Structure.cpp:
            (JSC::Structure::getPropertyNamesFromStructure):
            (JSC::Structure::setCachedStructurePropertyNameEnumerator):
            (JSC::Structure::cachedStructurePropertyNameEnumerator):
            (JSC::Structure::setCachedGenericPropertyNameEnumerator):
            (JSC::Structure::cachedGenericPropertyNameEnumerator):
            (JSC::Structure::canCacheStructurePropertyNameEnumerator):
            (JSC::Structure::canCacheGenericPropertyNameEnumerator):
            (JSC::Structure::canAccessPropertiesQuickly):
            * runtime/Structure.h:
            * runtime/StructureRareData.cpp:
            (JSC::StructureRareData::visitChildren):
            (JSC::StructureRareData::cachedStructurePropertyNameEnumerator):
            (JSC::StructureRareData::setCachedStructurePropertyNameEnumerator):
            (JSC::StructureRareData::cachedGenericPropertyNameEnumerator):
            (JSC::StructureRareData::setCachedGenericPropertyNameEnumerator):
            * runtime/StructureRareData.h:
            * runtime/VM.cpp:
            (JSC::VM::VM):
            * runtime/VM.h:

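The three-phase split that the for-in entry above describes (own indexed properties, own named properties, then everything enumerable further up the prototype chain) is observable from plain JavaScript. The following is an added example, not WebKit's code: `classifyForInKeys` sorts the keys a `for-in` loop yields into those three phases, and `buildSample` constructs a throwaway object and prototype for it. Both helper names and the sample data are assumptions made for this illustration; the enumeration order itself is what current engines implement for ordinary objects.

```javascript
// Added example, not part of the WebKit ChangeLog or JavaScriptCore sources.
// Classify every key a for-in loop yields into the three phases the
// JavaScriptCore refactor describes: own integer-indexed keys, own named
// (Structure) keys, and keys that come from the prototype chain.
function classifyForInKeys(obj) {
  const result = { indexed: [], structure: [], prototype: [] };
  for (const key in obj) {
    // An "array index" key is the canonical string form of a uint32 below 2^32 - 1.
    const asUint32 = Number(key) >>> 0;
    const isIndex = String(asUint32) === key && asUint32 !== 4294967295;
    if (Object.prototype.hasOwnProperty.call(obj, key)) {
      (isIndex ? result.indexed : result.structure).push(key);
    } else {
      result.prototype.push(key);
    }
  }
  return result;
}

// Constructed sample (hypothetical data): a prototype with two enumerable keys,
// one of which the base object shadows, plus a base object that mixes indexed
// and named keys and carries one non-enumerable key that for-in must skip.
function buildSample() {
  const proto = { inherited: 1, shadowed: 'from prototype' };
  const obj = Object.create(proto);
  obj.name = 'x';          // named key, created first
  obj[2] = 'two';          // indexed key, created out of order on purpose
  obj.shadowed = 'own';    // shadows the prototype's key of the same name
  obj[0] = 'zero';
  Object.defineProperty(obj, 'hidden', { value: 1, enumerable: false });
  return obj;
}

// Expected phases for the sample above:
//   indexed:   ["0", "2"]            (ascending, regardless of creation order)
//   structure: ["name", "shadowed"]  (insertion order; "hidden" is not enumerable)
//   prototype: ["inherited"]         ("shadowed" was already reported as an own key)
console.log(classifyForInKeys(buildSample()));
```

The prototype phase is the one to keep in mind when reviewing code that uses `for-in` over objects treated as maps or configuration: any enumerable key that lands on `Object.prototype`, for instance through a prototype-pollution bug in a deep-merge routine, is reported by every `for-in` loop in the process. Filtering with `hasOwnProperty` as above, or iterating `Object.keys(obj)` instead, confines the loop to the first two phases.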
    2014-07-23  Saam Barati  <sbarati@apple.com>

            Make improvements to Type Profiling
            https://bugs.webkit.org/show_bug.cgi?id=134860

            Reviewed by Filip Pizlo.

            I improved the API between the inspector and JSC. We no longer send one huge
            string to the inspector. We now send structured data that represents the type
            information that JSC has collected. I've also created a beginning implementation
            of a type lattice that allows us to resolve a display name for a type that
            consists of a single word.

            I created a data structure that knows which functions have executed. This
            solves the bug where types inside an un-executed function will resolve
            to the type of the enclosing expression of that function. This data
            structure may also be useful later if the inspector chooses to create a UI
            around showing which functions have executed.

            Better type information is gathered for objects. StructureShape now
            represents an object's prototype chain. StructureShape also collects
            the constructor name for an object.

            Expression ranges are now zero indexed.

            Removed some extraneous methods.

            * JavaScriptCore.xcodeproj/project.pbxproj:
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::CodeBlock):
            (JSC::CodeBlock::scopeDependentProfile):
            * bytecode/CodeBlock.h:
            * bytecode/TypeLocation.h:
            (JSC::TypeLocation::TypeLocation):
            * bytecode/UnlinkedCodeBlock.cpp:
            (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
            * bytecode/UnlinkedCodeBlock.h:
            (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingStartOffset):
            (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingEndOffset):
            * bytecompiler/BytecodeGenerator.cpp:
            (JSC::BytecodeGenerator::BytecodeGenerator):
            (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo):
            * bytecompiler/BytecodeGenerator.h:
            (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo): Deleted.
            * heap/Heap.cpp:
            (JSC::Heap::collect):
            * inspector/agents/InspectorRuntimeAgent.cpp:
            (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
            (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableAtOffset): Deleted.
            * inspector/agents/InspectorRuntimeAgent.h:
            * inspector/protocol/Runtime.json:
            * runtime/Executable.cpp:
            (JSC::ScriptExecutable::ScriptExecutable):
            (JSC::ProgramExecutable::ProgramExecutable):
            (JSC::FunctionExecutable::FunctionExecutable):
            (JSC::ProgramExecutable::initializeGlobalProperties):
            * runtime/Executable.h:
            (JSC::ScriptExecutable::highFidelityTypeProfilingStartOffset):
            (JSC::ScriptExecutable::highFidelityTypeProfilingEndOffset):
            * runtime/FunctionHasExecutedCache.cpp: Added.
            (JSC::FunctionHasExecutedCache::hasExecutedAtOffset):
            (JSC::FunctionHasExecutedCache::insertUnexecutedRange):
            (JSC::FunctionHasExecutedCache::removeUnexecutedRange):
            * runtime/FunctionHasExecutedCache.h: Added.
            (JSC::FunctionHasExecutedCache::FunctionRange::FunctionRange):
            (JSC::FunctionHasExecutedCache::FunctionRange::operator==):
            (JSC::FunctionHasExecutedCache::FunctionRange::hash):
            * runtime/HighFidelityLog.cpp:
            (JSC::HighFidelityLog::processHighFidelityLog):
            (JSC::HighFidelityLog::actuallyProcessLogThreadFunction): Deleted.
            * runtime/HighFidelityLog.h:
            (JSC::HighFidelityLog::recordTypeInformationForLocation):
            * runtime/HighFidelityTypeProfiler.cpp:
            (JSC::HighFidelityTypeProfiler::logTypesForTypeLocation):
            (JSC::HighFidelityTypeProfiler::insertNewLocation):
            (JSC::HighFidelityTypeProfiler::getTypesForVariableAtOffsetForInspector):
            (JSC::descriptorMatchesTypeLocation):
            (JSC::HighFidelityTypeProfiler::findLocation):
            (JSC::HighFidelityTypeProfiler::getTypesForVariableInAtOffset): Deleted.
            (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableAtOffset): Deleted.
            (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableAtOffset): Deleted.
            * runtime/HighFidelityTypeProfiler.h:
            (JSC::QueryKey::QueryKey):
            (JSC::QueryKey::isHashTableDeletedValue):
            (JSC::QueryKey::operator==):
            (JSC::QueryKey::hash):
            (JSC::QueryKeyHash::hash):
            (JSC::QueryKeyHash::equal):
            (JSC::HighFidelityTypeProfiler::functionHasExecutedCache):
            (JSC::HighFidelityTypeProfiler::typeLocationCache):
            * runtime/Structure.cpp:
            (JSC::Structure::toStructureShape):
            * runtime/Structure.h:
            * runtime/TypeLocationCache.cpp: Added.
            (JSC::TypeLocationCache::getTypeLocation):
            * runtime/TypeLocationCache.h: Added.
            (JSC::TypeLocationCache::LocationKey::LocationKey):
            (JSC::TypeLocationCache::LocationKey::operator==):
            (JSC::TypeLocationCache::LocationKey::hash):
            * runtime/TypeSet.cpp:
            (JSC::TypeSet::getRuntimeTypeForValue):
            (JSC::TypeSet::addTypeForValue):
            (JSC::TypeSet::seenTypes):
            (JSC::TypeSet::doesTypeConformTo):
            (JSC::TypeSet::displayName):
            (JSC::TypeSet::allPrimitiveTypeNames):
            (JSC::TypeSet::allStructureRepresentations):
            (JSC::TypeSet::leastCommonAncestor):
            (JSC::StructureShape::StructureShape):
            (JSC::StructureShape::addProperty):
            (JSC::StructureShape::propertyHash):
            (JSC::StructureShape::leastCommonAncestor):
            (JSC::StructureShape::stringRepresentation):
            (JSC::StructureShape::inspectorRepresentation):
            (JSC::StructureShape::leastUpperBound): Deleted.
            * runtime/TypeSet.h:
            (JSC::StructureShape::setConstructorName):
            (JSC::StructureShape::constructorName):
            (JSC::StructureShape::setProto):
            * runtime/VM.cpp:
            (JSC::VM::dumpHighFidelityProfilingTypes):
            (JSC::VM::getTypesForVariableAtOffset): Deleted.
            (JSC::VM::updateHighFidelityTypeProfileState): Deleted.
            * runtime/VM.h:
            (JSC::VM::isProfilingTypesWithHighFidelity):
            (JSC::VM::highFidelityTypeProfiler):

    2014-07-23  Filip Pizlo  <fpizlo@apple.com>

            Fix debug build.

            * bytecode/CallLinkStatus.h:
            (JSC::CallLinkStatus::CallLinkStatus):

    2014-07-20  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] Phantoms in SSA form should be aggressively hoisted
            https://bugs.webkit.org/show_bug.cgi?id=135111

            Reviewed by Oliver Hunt.

            In CPS form, Phantom means three things: (1) that the children should be kept alive so long
            as they are relevant to OSR (due to a MovHint), (2) that the children are live-in-bytecode
            at the point of the Phantom, and (3) that some checks should be performed. In SSA, the
676             second meaning is not used but the other two stay.
677             
678             The fact that a Phantom that is used to keep a node alive could be anywhere in the graph,
679             even in a totally different basic block, complicates some SSA transformations. It's not
680             possible to just jettison some successor, since that successor could have a Phantom that we
681             care about.
682             
683             This change rationalizes how Phantoms work so that:
684             
685             1) Phantoms keep children alive so long as those children are relevant to OSR. This is true
686                in both CPS and SSA. This was true before and it's true now.
687             
688             2) Phantoms are used for live-in-bytecode only in CPS. This was true before and it's true
689                now, except that now we also don't bother preserving the live-in-bytecode information
690                that Phantoms convey, when we are in SSA.
691             
692             3) Phantoms may incidentally have checks, but in cases where we only want checks, we now
693                use Check instead of Phantom. Notably, DCE phase has dead nodes decay to Check, not
694                Phantom.
695             
696             The biggest part of this change is that in SSA, we canonicalize Phantoms:
697             
698             - All Phantoms are replaced with Check nodes that include only those edges that have
699               checks.
700             
701             - Nodes that were the children of any Phantoms have a Phantom right after them.
702             
703             For example, the following code:
704             
705                 5: ArithAdd(@1, @2)
706                 6: ArithSub(@5, @3)
707                 7: Phantom(Int32:@5)
708             
709             would be turned into the following:
710             
711                 5: ArithAdd(@1, @2)
712                 8: Phantom(@5) // @5 was the child of a Phantom, so we create a new Phantom right after
713                                // @5. This is the only Phantom we will have for @5.
714                 6: ArithSub(@5, @3)
715                 7: Check(Int32:@5) // We replace the Phantom with a Check; in this case since Int32: is
716                                    // a checking edge, we leave it.
717             
718             This is a slight speed-up across the board, presumably because we now do a better job of
719             reducing the size of the graph during compilation. It could also be a fluke, though. The
720             main purpose of this is to unlock some other work (like CFG simplification in SSA). It will
721             become a requirement to run phantom canonicalization prior to some SSA phases. None of the
722             current phases need it, but future phases probably will.
723     
724             * CMakeLists.txt:
725             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
726             * JavaScriptCore.xcodeproj/project.pbxproj:
727             * dfg/DFGAbstractInterpreterInlines.h:
728             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
729             * dfg/DFGConstantFoldingPhase.cpp:
730             (JSC::DFG::ConstantFoldingPhase::foldConstants):
731             * dfg/DFGDCEPhase.cpp:
732             (JSC::DFG::DCEPhase::run):
733             (JSC::DFG::DCEPhase::findTypeCheckRoot):
734             (JSC::DFG::DCEPhase::countEdge):
735             (JSC::DFG::DCEPhase::fixupBlock):
736             (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):
737             * dfg/DFGEdge.cpp:
738             (JSC::DFG::Edge::dump):
739             * dfg/DFGEdge.h:
740             (JSC::DFG::Edge::isProved):
741             (JSC::DFG::Edge::needsCheck): Deleted.
742             * dfg/DFGNodeFlags.h:
743             * dfg/DFGPhantomCanonicalizationPhase.cpp: Added.
744             (JSC::DFG::PhantomCanonicalizationPhase::PhantomCanonicalizationPhase):
745             (JSC::DFG::PhantomCanonicalizationPhase::run):
746             (JSC::DFG::performPhantomCanonicalization):
747             * dfg/DFGPhantomCanonicalizationPhase.h: Added.
748             * dfg/DFGPhantomRemovalPhase.cpp:
749             (JSC::DFG::PhantomRemovalPhase::run):
750             * dfg/DFGPhantomRemovalPhase.h:
751             * dfg/DFGPlan.cpp:
752             (JSC::DFG::Plan::compileInThreadImpl):
753             * ftl/FTLLowerDFGToLLVM.cpp:
754             (JSC::FTL::LowerDFGToLLVM::lowJSValue):
755             (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
756     
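The canonicalization described in this entry, worked through as an added example that is not JavaScriptCore's code: a toy SSA block holding the entry's three nodes, where `canonicalizePhantoms` inserts one Phantom right after each node that some Phantom kept alive and turns each original Phantom into a Check over its checking edges only. The `Node`/`Edge` types, `edgeHasCheck`, and `8` as the next free node id are assumptions of this model.

```cpp
// Toy model of DFG Phantom canonicalization in SSA. Added example, not JavaScriptCore code:
// a tiny stand-in for what DFGPhantomCanonicalizationPhase.cpp does over a real graph.
#include <cstdio>
#include <set>
#include <string>
#include <vector>

enum class Op { ArithAdd, ArithSub, Phantom, Check };
enum class UseKind { Untyped, Int32 };   // only two use kinds are modelled

struct Edge {
    int node;       // id of the child node, written @n in DFG dumps
    UseKind kind;   // a typed use such as Int32: carries a speculation check
};

struct Node {
    int id;
    Op op;
    std::vector<Edge> children;
};

// Stand-in for the DFG's notion of a checking edge: here only Untyped uses never check.
static bool edgeHasCheck(const Edge& e) { return e.kind != UseKind::Untyped; }

// Canonicalize the Phantoms of one block, in the two steps the entry above describes:
//  1. a node that is the child of any Phantom gets exactly one Phantom(@n) right after it;
//  2. each original Phantom becomes Check(...) keeping only its checking edges, and a
//     Check left with no edges is dropped.
// Children defined outside the block (e.g. @1, @2, @3 below) are left alone.
std::vector<Node> canonicalizePhantoms(const std::vector<Node>& block, int& nextId)
{
    std::set<int> keptAlive;   // ids referenced by some Phantom in this block
    for (const Node& n : block)
        if (n.op == Op::Phantom)
            for (const Edge& e : n.children)
                keptAlive.insert(e.node);

    std::vector<Node> out;
    for (const Node& n : block) {
        if (n.op == Op::Phantom) {
            Node check{n.id, Op::Check, {}};
            for (const Edge& e : n.children)
                if (edgeHasCheck(e))
                    check.children.push_back(e);
            if (!check.children.empty())
                out.push_back(check);
            continue;
        }
        out.push_back(n);
        if (keptAlive.count(n.id))
            out.push_back(Node{nextId++, Op::Phantom, {Edge{n.id, UseKind::Untyped}}});
    }
    return out;
}

// Render a block the way DFG dumps do, e.g. "7: Check(Int32:@5)".
std::string dump(const std::vector<Node>& block)
{
    static const char* const opNames[] = { "ArithAdd", "ArithSub", "Phantom", "Check" };
    std::string s;
    for (const Node& n : block) {
        s += std::to_string(n.id) + ": " + opNames[static_cast<int>(n.op)] + "(";
        for (size_t i = 0; i < n.children.size(); ++i) {
            if (i)
                s += ", ";
            if (n.children[i].kind == UseKind::Int32)
                s += "Int32:";
            s += "@" + std::to_string(n.children[i].node);
        }
        s += ")\n";
    }
    return s;
}

// The block from the entry above; @1, @2 and @3 are defined earlier.
std::vector<Node> exampleBlock()
{
    return {
        { 5, Op::ArithAdd, { { 1, UseKind::Untyped }, { 2, UseKind::Untyped } } },
        { 6, Op::ArithSub, { { 5, UseKind::Untyped }, { 3, UseKind::Untyped } } },
        { 7, Op::Phantom, { { 5, UseKind::Int32 } } },
    };
}

int main()
{
    int nextId = 8;   // first unused node id, so the new Phantom becomes @8 as in the entry
    std::vector<Node> before = exampleBlock();
    std::vector<Node> after = canonicalizePhantoms(before, nextId);
    std::printf("before:\n%s\nafter:\n%s", dump(before).c_str(), dump(after).c_str());
    return 0;
}
```
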
757     2014-07-22  Filip Pizlo  <fpizlo@apple.com>
758     
759             [ftlopt] Get rid of structure checks as a way of checking if a function is in fact a function
760             https://bugs.webkit.org/show_bug.cgi?id=135146
761     
762             Reviewed by Oliver Hunt.
763             
764             This greatly simplifies our closure call optimizations by taking advantage of the type
765             bits available in the cell header.
766     
767             * bytecode/CallLinkInfo.cpp:
768             (JSC::CallLinkInfo::visitWeak):
769             * bytecode/CallLinkStatus.cpp:
770             (JSC::CallLinkStatus::CallLinkStatus):
771             (JSC::CallLinkStatus::computeFor):
772             (JSC::CallLinkStatus::dump):
773             * bytecode/CallLinkStatus.h:
774             (JSC::CallLinkStatus::CallLinkStatus):
775             (JSC::CallLinkStatus::executable):
776             (JSC::CallLinkStatus::structure): Deleted.
777             * dfg/DFGByteCodeParser.cpp:
778             (JSC::DFG::ByteCodeParser::emitFunctionChecks):
779             * dfg/DFGFixupPhase.cpp:
780             (JSC::DFG::FixupPhase::fixupNode):
781             (JSC::DFG::FixupPhase::observeUseKindOnNode):
782             * dfg/DFGSafeToExecute.h:
783             (JSC::DFG::SafeToExecuteEdge::operator()):
784             * dfg/DFGSpeculativeJIT.cpp:
785             (JSC::DFG::SpeculativeJIT::checkArray):
786             (JSC::DFG::SpeculativeJIT::speculateCellTypeWithoutTypeFiltering):
787             (JSC::DFG::SpeculativeJIT::speculateCellType):
788             (JSC::DFG::SpeculativeJIT::speculateFunction):
789             (JSC::DFG::SpeculativeJIT::speculateFinalObject):
790             (JSC::DFG::SpeculativeJIT::speculate):
791             * dfg/DFGSpeculativeJIT.h:
792             * dfg/DFGSpeculativeJIT32_64.cpp:
793             (JSC::DFG::SpeculativeJIT::compile):
794             * dfg/DFGSpeculativeJIT64.cpp:
795             (JSC::DFG::SpeculativeJIT::compile):
796             * dfg/DFGUseKind.cpp:
797             (WTF::printInternal):
798             * dfg/DFGUseKind.h:
799             (JSC::DFG::typeFilterFor):
800             (JSC::DFG::isCell):
801             * ftl/FTLCapabilities.cpp:
802             (JSC::FTL::canCompile):
803             * ftl/FTLLowerDFGToLLVM.cpp:
804             (JSC::FTL::LowerDFGToLLVM::compileCheckExecutable):
805             (JSC::FTL::LowerDFGToLLVM::speculate):
806             (JSC::FTL::LowerDFGToLLVM::isFunction):
807             (JSC::FTL::LowerDFGToLLVM::isNotFunction):
808             (JSC::FTL::LowerDFGToLLVM::speculateFunction):
809             * jit/ClosureCallStubRoutine.cpp:
810             (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
811             (JSC::ClosureCallStubRoutine::markRequiredObjectsInternal):
812             * jit/ClosureCallStubRoutine.h:
813             (JSC::ClosureCallStubRoutine::structure): Deleted.
814             * jit/JIT.h:
815             (JSC::JIT::compileClosureCall): Deleted.
816             * jit/JITCall.cpp:
817             (JSC::JIT::privateCompileClosureCall): Deleted.
818             * jit/JITCall32_64.cpp:
819             (JSC::JIT::privateCompileClosureCall): Deleted.
820             * jit/JITOperations.cpp:
821             * jit/Repatch.cpp:
822             (JSC::linkClosureCall):
823             * jit/Repatch.h:
824     
825 2014-08-06  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>
826
827         [ARM] Incorrect handling of Unicode characters
828         https://bugs.webkit.org/show_bug.cgi?id=135380
829
830         Reviewed by Darin Adler.
831
832         Removed erroneous fast case from stringFromUTF(), since it assumed that 
833         char is always implemented as signed.
834
835         * jsc.cpp:
836         (stringFromUTF):
837
838 2014-08-06  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>
839
840         [JSC] Build fix for FTL on EFL after ftlopt merge
841         https://bugs.webkit.org/show_bug.cgi?id=135565
842
843         Reviewed by Mark Lam.
844
845         Adding an enable guard for native inlining, since it now requires the bitcode
846         emitted from Clang, and we don't have a good way of creating it from other compilers.
847
848         * dfg/DFGByteCodeParser.cpp:
849         (JSC::DFG::ByteCodeParser::handleCall):
850         * ftl/FTLLowerDFGToLLVM.cpp:
851         (JSC::FTL::LowerDFGToLLVM::compileNode):
852         * ftl/FTLState.cpp:
853         (JSC::FTL::State::State):
854         * ftl/FTLState.h:
855
856 2014-08-05  Csaba Osztrogonác  <ossy@webkit.org>
857
858         URTBF after r172129. (ftlopt branch merge)
859
860         Remove the duplicated friend declaration to fix this build failure:
861         "error: ‘JSC::Structure’ is already a friend of ‘JSC::StructureRareData’ [-Werror]"
862
863         * runtime/StructureRareData.h:
864
865 2014-08-05  Filip Pizlo  <fpizlo@apple.com>
866
867         Attempt to fix CMake-based builds, part 3.
868
869         * CMakeLists.txt:
870
871 2014-08-05  Filip Pizlo  <fpizlo@apple.com>
872
873         Attempt to fix CMake-based builds, part 2.
874
875         * CMakeLists.txt:
876
877 2014-08-05  Filip Pizlo  <fpizlo@apple.com>
878
879         Attempt to fix Windows build, part 2.
880
881         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
882
883 2014-08-05  Filip Pizlo  <fpizlo@apple.com>
884
885         Attempt to fix CMake-based builds.
886
887         * CMakeLists.txt:
888
889 2014-08-05  Filip Pizlo  <fpizlo@apple.com>
890
891         Attempt to fix Windows build.
892
893         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
894
895 2014-08-05  Filip Pizlo  <fpizlo@apple.com>
896
897         Fix cloop build.
898
899         * bytecode/CodeBlock.cpp:
900         (JSC::CodeBlock::jettison):
901
902 2014-07-29  Filip Pizlo  <fpizlo@apple.com>
903
904         Merge r170564, r170571, r170604, r170628, r170672, r170680, r170724, r170728, r170729, r170819, r170821, r170836, r170855, r170860, r170890, r170907, r170929, r171052, r171106, r171152, r171153, r171214 from ftlopt.
905
906         This part of the merge delivers roughly a 2% across-the-board performance
907         improvement, mostly due to immutable property inference and DFG-side GCSE. It also
908         almost completely resolves accessor performance issues; in the common case the DFG
909         will compile a getter/setter access into code that is just as efficient as a normal
910         property access.
911         
912         Another major highlight of this part of the merge is the work to add a type profiler
913         to the inspector. This work is still on-going but this greatly increases coverage.
914
915         Note that this merge fixes a minor bug in the GetterSetter refactoring from
916         http://trac.webkit.org/changeset/170729 (https://bugs.webkit.org/show_bug.cgi?id=134518).
917             It also adds new tests to tests/stress to cover that bug. That bug was previously only
918         covered by layout tests.
919
920     2014-07-17  Filip Pizlo  <fpizlo@apple.com>
921     
922             [ftlopt] DFG Flush(SetLocal) store elimination is overzealous for captured variables in the presence of nodes that have no effects but may throw (merge trunk r171190)
923             https://bugs.webkit.org/show_bug.cgi?id=135019
924     
925             Reviewed by Oliver Hunt.
926             
927             Behaviorally, this is just a merge of trunk r171190, except that the relevant functionality
928             has moved to StrengthReductionPhase and is written in a different style. Same algorithm,
929             different code.
930     
931             * dfg/DFGNodeType.h:
932             * dfg/DFGStrengthReductionPhase.cpp:
933             (JSC::DFG::StrengthReductionPhase::handleNode):
934             * tests/stress/capture-escape-and-throw.js: Added.
935             (foo.f):
936             (foo):
937             * tests/stress/new-array-with-size-throw-exception-and-tear-off-arguments.js: Added.
938             (foo):
939             (bar):
940     
941     2014-07-15  Filip Pizlo  <fpizlo@apple.com>
942     
943             [ftlopt] Constant fold GetGetter and GetSetter if the GetterSetter is a constant
944             https://bugs.webkit.org/show_bug.cgi?id=134962
945     
946             Reviewed by Oliver Hunt.
947             
948             This removes yet another steady-state-throughput implication of using getters and setters:
949             if your accessor call is monomorphic then you'll just get a structure check, nothing more.
950             No more loads to get to the GetterSetter object or the accessor function object.
951     
952             * dfg/DFGAbstractInterpreterInlines.h:
953             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
954             * runtime/GetterSetter.h:
955             (JSC::GetterSetter::getterConcurrently):
956             (JSC::GetterSetter::setGetter):
957             (JSC::GetterSetter::setterConcurrently):
958             (JSC::GetterSetter::setSetter):
959     
960     2014-07-15  Filip Pizlo  <fpizlo@apple.com>
961     
962             [ftlopt] Identity replacement in CSE shouldn't create a Phantom over the Identity's children
963             https://bugs.webkit.org/show_bug.cgi?id=134893
964     
965             Reviewed by Oliver Hunt.
966             
967             Replace Identity with Check instead of Phantom. Phantom means that the child of the
968             Identity should be unconditionally live. The liveness semantics of Identity are such that
969             if the parents of Identity are live then the child is live. Removing the Identity entirely
970             preserves such liveness semantics. So, the only thing that should be left behind is the
971             type check on the child, which is what Check means: do the check but don't keep the child
972             alive if the check isn't needed.
973     
974             * dfg/DFGCSEPhase.cpp:
975             * dfg/DFGNode.h:
976             (JSC::DFG::Node::convertToCheck):
977     
978     2014-07-13  Filip Pizlo  <fpizlo@apple.com>
979     
980             [ftlopt] DFG should be able to do GCSE in SSA and this should be unified with the CSE in CPS, and both of these things should use abstract heaps for reasoning about effects
981             https://bugs.webkit.org/show_bug.cgi?id=134677
982     
983             Reviewed by Sam Weinig.
984             
985             This removes the old local CSE phase, which was based on manually written backward-search 
986             rules for all of the different kinds of things we cared about, and adds a new local/global
987             CSE (local for CPS and global for SSA) that leaves the node semantics almost entirely up to
988             clobberize(). Thus, the CSE phase itself just worries about the algorithms and data
989             structures used for storing sets of available values. This results in a large reduction in
990             code size in CSEPhase.cpp while greatly increasing the phase's power (since it now does
991             global CSE) and reducing compile time (since local CSE is now rewritten to use smarter data
992             structures). Even though LLVM was already running GVN, the extra GCSE at DFG IR level means
993             that this is a significant (~0.7%) throughput improvement.
994             
995             This work is based on the concept of "def" to clobberize(). If clobberize() calls def(), it
996             means that the node being analyzed makes available some value in some DFG node, and that
997             future attempts to compute that value can simply use that node. In other words, it
998             establishes an available value mapping of the form value=>node. There are two kinds of
999             values that can be passed to def():
1000             
1001             PureValue. This captures everything needed to determine whether two pure nodes - nodes that
1002                 neither read nor write, and produce a value that is a CSE candidate - are identical. It
1003                 carries the NodeType, an AdjacencyList, and one word of meta-data. The meta-data is
1004                 usually used for things like the arithmetic mode or constant pointer. Passing a
1005                 PureValue to def() means that the node produces a value that is valid anywhere that the
1006                 node dominates.
1007             
1008             HeapLocation. This describes a location in the heap that could be written to or read from.
1009                 Both stores and loads can def() a HeapLocation. HeapLocation carries around an abstract
1010                 heap that both serves as part of the "name" of the heap location (together with the
1011                 other fields of HeapLocation) and also tells us what write()'s to watch for. If someone
1012                 write()'s to an abstract heap that overlaps the heap associated with the HeapLocation,
1013                 then it means that the values for that location are no longer available.
1014             
1015             This approach is sufficiently clever that the CSEPhase itself can focus on the mechanism of
1016             tracking the PureValue=>node and HeapLocation=>node maps, without having to worry about
1017             interpreting the semantics of different DFG node types - that is now almost entirely in
1018             clobberize(). The only things we special-case inside CSEPhase are the Identity node, which
1019             CSE is traditionally responsible for eliminating even though it has nothing to do with CSE,
1020             and the LocalCSE rule for turning PutByVal into PutByValAlias.
1021             
1022             This is a slight Octane, SunSpider, and Kraken speed-up - all somewhere around 0.7%. It's
1023             not a bigger win because LLVM was already giving us most of what we needed in its GVN.
1024             Also, the SunSpider speed-up isn't from GCSE as much as it's a clean-up of local CSE - that
1025             is no longer O(n^2). Basically this is purely good: it reduces the amount of LLVM IR we
1026             generate, it removes the old CSE's heap modeling (which was a constant source of bugs), and
1027             it improves both the quality of the code we generate and the speed with which we generate
1028             it. Also, any future optimizations that depend on GCSE will now be easier to implement.
1029             
1030             During the development of this patch I also rationalized some other stuff, like Graph's
1031             ordered traversals - we now have preorder and postorder rather than just "depth first".
1032     
1033             * CMakeLists.txt:
1034             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1035             * JavaScriptCore.xcodeproj/project.pbxproj:
1036             * dfg/DFGAbstractHeap.h:
1037             * dfg/DFGAdjacencyList.h:
1038             (JSC::DFG::AdjacencyList::hash):
1039             (JSC::DFG::AdjacencyList::operator==):
1040             * dfg/DFGBasicBlock.h:
1041             * dfg/DFGCSEPhase.cpp:
1042             (JSC::DFG::performLocalCSE):
1043             (JSC::DFG::performGlobalCSE):
1044             (JSC::DFG::CSEPhase::CSEPhase): Deleted.
1045             (JSC::DFG::CSEPhase::run): Deleted.
1046             (JSC::DFG::CSEPhase::endIndexForPureCSE): Deleted.
1047             (JSC::DFG::CSEPhase::pureCSE): Deleted.
1048             (JSC::DFG::CSEPhase::constantCSE): Deleted.
1049             (JSC::DFG::CSEPhase::constantStoragePointerCSE): Deleted.
1050             (JSC::DFG::CSEPhase::getCalleeLoadElimination): Deleted.
1051             (JSC::DFG::CSEPhase::getArrayLengthElimination): Deleted.
1052             (JSC::DFG::CSEPhase::globalVarLoadElimination): Deleted.
1053             (JSC::DFG::CSEPhase::scopedVarLoadElimination): Deleted.
1054             (JSC::DFG::CSEPhase::varInjectionWatchpointElimination): Deleted.
1055             (JSC::DFG::CSEPhase::getByValLoadElimination): Deleted.
1056             (JSC::DFG::CSEPhase::checkFunctionElimination): Deleted.
1057             (JSC::DFG::CSEPhase::checkExecutableElimination): Deleted.
1058             (JSC::DFG::CSEPhase::checkStructureElimination): Deleted.
1059             (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination): Deleted.
1060             (JSC::DFG::CSEPhase::getByOffsetLoadElimination): Deleted.
1061             (JSC::DFG::CSEPhase::getGetterSetterByOffsetLoadElimination): Deleted.
1062             (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination): Deleted.
1063             (JSC::DFG::CSEPhase::checkArrayElimination): Deleted.
1064             (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination): Deleted.
1065             (JSC::DFG::CSEPhase::getInternalFieldLoadElimination): Deleted.
1066             (JSC::DFG::CSEPhase::getMyScopeLoadElimination): Deleted.
1067             (JSC::DFG::CSEPhase::getLocalLoadElimination): Deleted.
1068             (JSC::DFG::CSEPhase::invalidationPointElimination): Deleted.
1069             (JSC::DFG::CSEPhase::setReplacement): Deleted.
1070             (JSC::DFG::CSEPhase::eliminate): Deleted.
1071             (JSC::DFG::CSEPhase::performNodeCSE): Deleted.
1072             (JSC::DFG::CSEPhase::performBlockCSE): Deleted.
1073             (JSC::DFG::performCSE): Deleted.
1074             * dfg/DFGCSEPhase.h:
1075             * dfg/DFGClobberSet.cpp:
1076             (JSC::DFG::addReads):
1077             (JSC::DFG::addWrites):
1078             (JSC::DFG::addReadsAndWrites):
1079             (JSC::DFG::readsOverlap):
1080             (JSC::DFG::writesOverlap):
1081             * dfg/DFGClobberize.cpp:
1082             (JSC::DFG::doesWrites):
1083             (JSC::DFG::accessesOverlap):
1084             (JSC::DFG::writesOverlap):
1085             * dfg/DFGClobberize.h:
1086             (JSC::DFG::clobberize):
1087             (JSC::DFG::NoOpClobberize::operator()):
1088             (JSC::DFG::CheckClobberize::operator()):
1089             (JSC::DFG::ReadMethodClobberize::ReadMethodClobberize):
1090             (JSC::DFG::ReadMethodClobberize::operator()):
1091             (JSC::DFG::WriteMethodClobberize::WriteMethodClobberize):
1092             (JSC::DFG::WriteMethodClobberize::operator()):
1093             (JSC::DFG::DefMethodClobberize::DefMethodClobberize):
1094             (JSC::DFG::DefMethodClobberize::operator()):
1095             * dfg/DFGDCEPhase.cpp:
1096             (JSC::DFG::DCEPhase::run):
1097             (JSC::DFG::DCEPhase::fixupBlock):
1098             * dfg/DFGGraph.cpp:
1099             (JSC::DFG::Graph::getBlocksInPreOrder):
1100             (JSC::DFG::Graph::getBlocksInPostOrder):
1101             (JSC::DFG::Graph::addForDepthFirstSort): Deleted.
1102             (JSC::DFG::Graph::getBlocksInDepthFirstOrder): Deleted.
1103             * dfg/DFGGraph.h:
1104             * dfg/DFGHeapLocation.cpp: Added.
1105             (JSC::DFG::HeapLocation::dump):
1106             (WTF::printInternal):
1107             * dfg/DFGHeapLocation.h: Added.
1108             (JSC::DFG::HeapLocation::HeapLocation):
1109             (JSC::DFG::HeapLocation::operator!):
1110             (JSC::DFG::HeapLocation::kind):
1111             (JSC::DFG::HeapLocation::heap):
1112             (JSC::DFG::HeapLocation::base):
1113             (JSC::DFG::HeapLocation::index):
1114             (JSC::DFG::HeapLocation::hash):
1115             (JSC::DFG::HeapLocation::operator==):
1116             (JSC::DFG::HeapLocation::isHashTableDeletedValue):
1117             (JSC::DFG::HeapLocationHash::hash):
1118             (JSC::DFG::HeapLocationHash::equal):
1119             * dfg/DFGLICMPhase.cpp:
1120             (JSC::DFG::LICMPhase::run):
1121             * dfg/DFGNode.h:
1122             (JSC::DFG::Node::replaceWith):
1123             (JSC::DFG::Node::convertToPhantomUnchecked): Deleted.
1124             * dfg/DFGPlan.cpp:
1125             (JSC::DFG::Plan::compileInThreadImpl):
1126             * dfg/DFGPureValue.cpp: Added.
1127             (JSC::DFG::PureValue::dump):
1128             * dfg/DFGPureValue.h: Added.
1129             (JSC::DFG::PureValue::PureValue):
1130             (JSC::DFG::PureValue::operator!):
1131             (JSC::DFG::PureValue::op):
1132             (JSC::DFG::PureValue::children):
1133             (JSC::DFG::PureValue::info):
1134             (JSC::DFG::PureValue::hash):
1135             (JSC::DFG::PureValue::operator==):
1136             (JSC::DFG::PureValue::isHashTableDeletedValue):
1137             (JSC::DFG::PureValueHash::hash):
1138             (JSC::DFG::PureValueHash::equal):
1139             * dfg/DFGSSAConversionPhase.cpp:
1140             (JSC::DFG::SSAConversionPhase::run):
1141             * ftl/FTLLowerDFGToLLVM.cpp:
1142             (JSC::FTL::LowerDFGToLLVM::lower):
1143     
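A toy version of the def()-driven local CSE this entry describes, added here and not JavaScriptCore's code: `clobberize` is the only place that knows node semantics and reports what each node reads, writes and defs, while `performLocalCSE` does nothing but maintain the PureValue=>node and HeapLocation=>node maps, dropping heap entries when a write() overlaps them. The two-heap hierarchy, the four ops, the split of def() into two callbacks, and the constructed block in `exampleBlock` are assumptions of this model.

```cpp
// Toy model of the def()/read()/write()-driven local CSE described above. Added example,
// not JavaScriptCore code: ops, heaps and maps are stand-ins for DFGClobberize.h/DFGCSEPhase.cpp.
#include <cstdint>
#include <map>
#include <tuple>
#include <vector>

// Abstract heaps: World is the root, NamedProperties a leaf under it. Heaps overlap if
// they are equal or one is an ancestor of the other.
enum class Heap { World, NamedProperties };
static bool heapsOverlap(Heap a, Heap b) { return a == b || a == Heap::World || b == Heap::World; }
enum class Op { ArithAdd, GetByOffset, PutByOffset, Call };

struct Node {
    int id;
    Op op;
    std::vector<int> children;   // child node ids (@n); ids not in the block are inputs
    int64_t info;                // property offset for GetByOffset/PutByOffset
    int replacement = -1;        // set by CSE when this node is redundant
};

// PureValue: NodeType + children + one word of meta-data; valid wherever its node dominates.
using PureValue = std::tuple<Op, std::vector<int>, int64_t>;
// HeapLocation: (abstract heap, base node, offset); valid until an overlapping write().
using HeapLocation = std::tuple<Heap, int, int64_t>;

// clobberize(): the only place that knows node semantics. The real one has a single
// overloaded def(); two callbacks are used here so plain lambdas can be passed in.
template<typename Read, typename Write, typename DefPure, typename DefHeap>
static void clobberize(const Node& n, Read read, Write write, DefPure defPure, DefHeap defHeap)
{
    switch (n.op) {
    case Op::ArithAdd:
        defPure(PureValue{n.op, n.children, 0});
        break;
    case Op::GetByOffset:   // load: this node is the value now available at the location
        read(Heap::NamedProperties);
        defHeap(HeapLocation{Heap::NamedProperties, n.children[0], n.info}, n.id);
        break;
    case Op::PutByOffset:   // store: the stored child is the value now available there
        write(Heap::NamedProperties);
        defHeap(HeapLocation{Heap::NamedProperties, n.children[0], n.info}, n.children[1]);
        break;
    case Op::Call:          // may read and write anything
        read(Heap::World);
        write(Heap::World);
        break;
    }
}

// Local CSE over one block; returns how many nodes were found redundant.
int performLocalCSE(std::vector<Node>& block)
{
    std::map<PureValue, int> pureMap;      // PureValue => node that computes it
    std::map<HeapLocation, int> heapMap;   // HeapLocation => node holding its value
    std::map<int, int> replacementOf;      // redundant node => replacement
    int replaced = 0;
    for (Node& n : block) {
        for (int& child : n.children)      // canonicalize children before any lookup
            if (replacementOf.count(child))
                child = replacementOf[child];
        bool redundant = false;
        clobberize(n,
            [](Heap) {},                                  // read(): availability unchanged
            [&](Heap h) {                                 // write(): kill overlapping locations
                for (auto it = heapMap.begin(); it != heapMap.end();)
                    if (heapsOverlap(std::get<0>(it->first), h)) it = heapMap.erase(it); else ++it;
            },
            [&](const PureValue& value) {                 // def(PureValue)
                auto it = pureMap.find(value);
                if (it == pureMap.end()) { pureMap[value] = n.id; return; }
                n.replacement = it->second; redundant = true;
            },
            [&](const HeapLocation& loc, int valueNode) { // def(HeapLocation, value)
                auto it = heapMap.find(loc);
                if (it == heapMap.end() || valueNode != n.id) { heapMap[loc] = valueNode; return; }
                n.replacement = it->second; redundant = true;   // redundant load
            });
        if (redundant) { replacementOf[n.id] = n.replacement; ++replaced; }
    }
    return replaced;
}

// Constructed block; @0 is an object defined outside it.
std::vector<Node> exampleBlock()
{
    return {
        {1, Op::GetByOffset, {0}, 3},
        {2, Op::GetByOffset, {0}, 3},     // same load again: redundant with @1
        {3, Op::ArithAdd, {1, 2}, 0},     // becomes ArithAdd(@1, @1)
        {4, Op::ArithAdd, {1, 1}, 0},     // pure CSE: redundant with @3
        {5, Op::PutByOffset, {0, 4}, 3},  // stores @3 (after substitution) to the location
        {6, Op::GetByOffset, {0}, 3},     // forwarded from the store: replaced by @3
        {7, Op::Call, {}, 0},             // clobbers World: no heap value survives
        {8, Op::GetByOffset, {0}, 3},     // must really load
        {9, Op::ArithAdd, {1, 1}, 0},     // pure values survive the Call: replaced by @3
    };
}
```

Running `performLocalCSE(exampleBlock())` finds four redundant nodes (@2, @4, @6, @9); @8 survives because the Call's write(World) overlaps every HeapLocation, while the pure @9 is unaffected by it.
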
1144     2014-07-13  Filip Pizlo  <fpizlo@apple.com>
1145     
1146             Unreviewed, revert unintended change in r171051.
1147     
1148             * dfg/DFGCSEPhase.cpp:
1149     
1150     2014-07-08  Filip Pizlo  <fpizlo@apple.com>
1151     
1152             [ftlopt] Move Flush(SetLocal) store elimination to StrengthReductionPhase
1153             https://bugs.webkit.org/show_bug.cgi?id=134739
1154     
1155             Reviewed by Mark Hahnenberg.
1156             
1157             I'm going to streamline CSE around clobberize() as part of
1158             https://bugs.webkit.org/show_bug.cgi?id=134677, and so Flush(SetLocal) store
1159             elimination wouldn't belong in CSE anymore. It doesn't quite belong anywhere, which
1160             means that it belongs in StrengthReductionPhase, since that's intended to be our
1161             dumping ground.
1162             
1163             To do this I had to add some missing smarts to clobberize(). Previously clobberize()
1164             could play a bit loose with reads of Variables because it wasn't used for store
1165             elimination. The main client of read() was LICM, but it would only use it to
1166             determine hoistability and anything that did a write() was not hoistable - so, we had
1167             benign (but still wrong) missing read() calls in places that did write()s. This fixes
1168             a bunch of those cases.
1169     
1170             * dfg/DFGCSEPhase.cpp:
1171             (JSC::DFG::CSEPhase::performNodeCSE):
1172             (JSC::DFG::CSEPhase::setLocalStoreElimination): Deleted.
1173             * dfg/DFGClobberize.cpp:
1174             (JSC::DFG::accessesOverlap):
1175             * dfg/DFGClobberize.h:
1176             (JSC::DFG::clobberize): Make clobberize() smart enough for detecting when this store elimination would be sound.
1177             * dfg/DFGStrengthReductionPhase.cpp:
1178             (JSC::DFG::StrengthReductionPhase::handleNode): Implement the store elimination in terms of clobberize().
1179     
1180     2014-07-08  Filip Pizlo  <fpizlo@apple.com>
1181     
1182             [ftlopt] Phantom simplification should be in its own phase
1183             https://bugs.webkit.org/show_bug.cgi?id=134742
1184     
1185             Reviewed by Geoffrey Garen.
1186             
1187             This moves Phantom simplification out of CSE, which greatly simplifies CSE and gives it
1188             more focus. Also this finally adds a phase that removes empty Phantoms. We sort of had
1189             this in CPSRethreading, but that phase runs too infrequently and doesn't run at all for
1190             SSA.
1191     
1192             * CMakeLists.txt:
1193             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1194             * JavaScriptCore.xcodeproj/project.pbxproj:
1195             * dfg/DFGAdjacencyList.h:
1196             * dfg/DFGCSEPhase.cpp:
1197             (JSC::DFG::CSEPhase::run):
1198             (JSC::DFG::CSEPhase::setReplacement):
1199             (JSC::DFG::CSEPhase::eliminate):
1200             (JSC::DFG::CSEPhase::performNodeCSE):
1201             (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren): Deleted.
1202             * dfg/DFGPhantomRemovalPhase.cpp: Added.
1203             (JSC::DFG::PhantomRemovalPhase::PhantomRemovalPhase):
1204             (JSC::DFG::PhantomRemovalPhase::run):
1205             (JSC::DFG::performCleanUp):
1206             * dfg/DFGPhantomRemovalPhase.h: Added.
1207             * dfg/DFGPlan.cpp:
1208             (JSC::DFG::Plan::compileInThreadImpl):
1209     
1210     2014-07-08  Filip Pizlo  <fpizlo@apple.com>
1211     
1212             [ftlopt] Get rid of Node::misc by moving the fields out of the union so that you can use replacement and owner simultaneously
1213             https://bugs.webkit.org/show_bug.cgi?id=134730
1214     
1215             Reviewed by Mark Lam.
1216             
1217             This will allow for a better GCSE implementation.
1218     
1219             * dfg/DFGCPSRethreadingPhase.cpp:
1220             (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
1221             * dfg/DFGCSEPhase.cpp:
1222             (JSC::DFG::CSEPhase::setReplacement):
1223             * dfg/DFGEdgeDominates.h:
1224             (JSC::DFG::EdgeDominates::operator()):
1225             * dfg/DFGGraph.cpp:
1226             (JSC::DFG::Graph::clearReplacements):
1227             (JSC::DFG::Graph::initializeNodeOwners):
1228             * dfg/DFGGraph.h:
1229             (JSC::DFG::Graph::performSubstitutionForEdge):
1230             * dfg/DFGLICMPhase.cpp:
1231             (JSC::DFG::LICMPhase::attemptHoist):
1232             * dfg/DFGNode.h:
1233             (JSC::DFG::Node::Node):
1234             * dfg/DFGSSAConversionPhase.cpp:
1235             (JSC::DFG::SSAConversionPhase::run):
1236     
1237     2014-07-04  Filip Pizlo  <fpizlo@apple.com>
1238     
1239             [ftlopt] Infer immutable object properties
1240             https://bugs.webkit.org/show_bug.cgi?id=134567
1241     
1242             Reviewed by Mark Hahnenberg.
1243             
1244             This introduces a new way of inferring immutable object properties. A property is said to
1245             be immutable if after its creation (i.e. the transition that creates it), we never
1246             overwrite it (i.e. replace it) or delete it. Immutability is a property of an "own
1247             property" - so if we say that "f" is immutable at "o" then we are implying that "o" has "f"
1248             directly and not on a prototype. More specifically, the immutability inference will prove
1249             that a property on some structure is immutable. This means that, for example, we may have a
1250             structure S1 with property "f" where we claim that "f" at S1 is immutable, but S1 has a
1251             transition to S2 that adds a new property "g" and we may claim that "f" at S2 is actually
1252             mutable. This is mainly for convenience; it allows us to decouple immutability logic from
1253             transition logic. Immutability can be used to constant-fold accesses to objects at
1254             DFG-time. The DFG needs to prove the following to constant-fold the access:
1255             
1256             - The base of the access must be a constant object pointer. We prove that a property at a
1257               structure is immutable, but that says nothing of its value; each actual instance of that
1258               property may have a different value. So, a constant object pointer is needed to get an
1259               actual constant instance of the immutable value.
1260             
1261             - A check (or watchpoint) must have been emitted proving that the object has a structure
1262               that allows loading the property in question.
1263             
1264             - The replacement watchpoint set of the property in the structure that we've proven the
1265               object to have is still valid and we add a watchpoint to it lazily. The replacement
1266               watchpoint set is the key new mechanism that this change adds. It's possible that we have
1267               proven that the object has one of many structures, in which case each of those structures
1268               needs a valid replacement watchpoint set.
1269             
1270             The replacement watchpoint set is created the first time that any access to the property is
1271             cached. A put replace cache will create, and immediately invalidate, the watchpoint set. A
1272             get cache will create the watchpoint set and make it start watching. Any non-cached put
1273             access will invalidate the watchpoint set if one had been created; the underlying algorithm
1274             ensures that checking for the existence of a replacement watchpoint set is very fast in the
1275             common case. This algorithm ensures that no cached access needs to ever do any work to
1276             invalidate, or check the validity of, any replacement watchpoint sets. It also has some
1277             other nice properties:
1278             
1279             - It's very robust in its definition of immutability. The strictest that it will ever be is
1280               that for any instance of the object, the property must be written to only once,
1281               specifically at the time that the property is created. But it's looser than this in
1282               practice. For example, the property may be written to any number of times before we add
1283               the final property that the object will have before anyone reads the property; this works
1284               since for optimization purposes we only care if we detect immutability on the structure
1285               that the object will have when it is most frequently read from, not any previous
1286               structure that the object had. Also, we may write to the property any number of times
1287               before anyone caches accesses to it.
1288             
1289             - It is mostly orthogonal to structure transitions. No new structures need to be created to
1290               track the immutability of a property. Hence, there is no risk from this feature causing
1291               more polymorphism. This is different from the previous "specificValue" constant
1292               inference, which did cause additional structures to be created and sometimes those
1293               structures led to fake polymorphism. This feature does leverage existing transitions to
1294               do some of the watchpointing: property deletions don't fire the replacement watchpoint
1295               set because that would cause a new structure and so the mandatory structure check would
1296               fail. Also, this feature is guaranteed to never kick in for uncacheable dictionaries
1297               because those wouldn't allow for cacheable accesses - and it takes a cacheable access for
1298               this feature to be enabled.
1299             
1300             - No memory overhead is incurred except when accesses to the property are cached.
1301               Dictionary properties will typically have no meta-data for immutability. The number of
1302               replacement watchpoint sets we allocate is proportional to the number of inline caches in
1303             the program, which is typically much smaller than the number of structures or even the
1304               number of objects.
1305             
1306             This inference is far more powerful than the previous "specificValue" inference, so this
1307             change also removes all of that code. It's interesting that the amount of code that is
1308             changed to remove that feature is almost as big as the amount of code added to support the
1309             new inference - and that's if you include the new tests in the tally. Without new tests,
1310             it appears that the new feature actually touches less code!
1311             
1312             There is one corner case where the previous "specificValue" inference was more powerful.
1313             You can imagine someone creating objects with functions as self properties on those
1314             objects, such that each object instance had the same function pointers - essentially,
1315             someone might be trying to create a vtable but failing at the whole "one vtable for many
1316             instances" concept. The "specificValue" inference would do very well for such programs,
1317             because a structure check would be sufficient to prove a constant value for all of the
1318             function properties. This new inference will fail because it doesn't track the constant
1319             values of constant properties; instead it detects the immutability of otherwise variable
1320             properties (in the sense that each instance of the property may have a different value).
1321             So, the new inference requires having a particular object instance to actually get the
1322             constant value. I think it's OK to lose this antifeature. It took a lot of code to support
1323             and was a constant source of grief in our transition logic, and there doesn't appear to be
1324             any real evidence that programs benefited from that particular kind of inference since
1325             usually it's the singleton prototype instance that has all of the functions.
1326             
1327             This change is a speed-up on everything. date-format-xparb and both SunSpider/raytrace and
1328             V8/raytrace seem to be the biggest winners among the macrobenchmarks; they see >5%
1329             speed-ups. Many of our microbenchmarks see very large performance improvements, even 80% in
1330             one case.
1331     
1332             * bytecode/ComplexGetStatus.cpp:
1333             (JSC::ComplexGetStatus::computeFor):
1334             * bytecode/GetByIdStatus.cpp:
1335             (JSC::GetByIdStatus::computeFromLLInt):
1336             (JSC::GetByIdStatus::computeForStubInfo):
1337             (JSC::GetByIdStatus::computeFor):
1338             * bytecode/GetByIdVariant.cpp:
1339             (JSC::GetByIdVariant::GetByIdVariant):
1340             (JSC::GetByIdVariant::operator=):
1341             (JSC::GetByIdVariant::attemptToMerge):
1342             (JSC::GetByIdVariant::dumpInContext):
1343             * bytecode/GetByIdVariant.h:
1344             (JSC::GetByIdVariant::alternateBase):
1345             (JSC::GetByIdVariant::specificValue): Deleted.
1346             * bytecode/PutByIdStatus.cpp:
1347             (JSC::PutByIdStatus::computeForStubInfo):
1348             (JSC::PutByIdStatus::computeFor):
1349             * bytecode/PutByIdVariant.cpp:
1350             (JSC::PutByIdVariant::operator=):
1351             (JSC::PutByIdVariant::setter):
1352             (JSC::PutByIdVariant::dumpInContext):
1353             * bytecode/PutByIdVariant.h:
1354             (JSC::PutByIdVariant::specificValue): Deleted.
1355             * bytecode/Watchpoint.cpp:
1356             (JSC::WatchpointSet::fireAllSlow):
1357             (JSC::WatchpointSet::fireAll): Deleted.
1358             * bytecode/Watchpoint.h:
1359             (JSC::WatchpointSet::fireAll):
1360             * dfg/DFGAbstractInterpreterInlines.h:
1361             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1362             * dfg/DFGByteCodeParser.cpp:
1363             (JSC::DFG::ByteCodeParser::handleGetByOffset):
1364             (JSC::DFG::ByteCodeParser::handleGetById):
1365             (JSC::DFG::ByteCodeParser::handlePutById):
1366             (JSC::DFG::ByteCodeParser::parseBlock):
1367             * dfg/DFGConstantFoldingPhase.cpp:
1368             (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
1369             * dfg/DFGFixupPhase.cpp:
1370             (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
1371             (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
1372             * dfg/DFGGraph.cpp:
1373             (JSC::DFG::Graph::tryGetConstantProperty):
1374             (JSC::DFG::Graph::visitChildren):
1375             * dfg/DFGGraph.h:
1376             * dfg/DFGWatchableStructureWatchingPhase.cpp:
1377             (JSC::DFG::WatchableStructureWatchingPhase::run):
1378             * ftl/FTLLowerDFGToLLVM.cpp:
1379             (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
1380             * jit/JITOperations.cpp:
1381             * jit/Repatch.cpp:
1382             (JSC::repatchByIdSelfAccess):
1383             (JSC::generateByIdStub):
1384             (JSC::tryCacheGetByID):
1385             (JSC::tryCachePutByID):
1386             (JSC::tryBuildPutByIdList):
1387             * llint/LLIntSlowPaths.cpp:
1388             (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1389             (JSC::LLInt::putToScopeCommon):
1390             * runtime/CommonSlowPaths.h:
1391             (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
1392             * runtime/IntendedStructureChain.cpp:
1393             (JSC::IntendedStructureChain::mayInterceptStoreTo):
1394             * runtime/JSCJSValue.cpp:
1395             (JSC::JSValue::putToPrimitive):
1396             * runtime/JSGlobalObject.cpp:
1397             (JSC::JSGlobalObject::reset):
1398             * runtime/JSObject.cpp:
1399             (JSC::JSObject::put):
1400             (JSC::JSObject::putDirectNonIndexAccessor):
1401             (JSC::JSObject::deleteProperty):
1402             (JSC::JSObject::defaultValue):
1403             (JSC::getCallableObjectSlow): Deleted.
1404             (JSC::JSObject::getPropertySpecificValue): Deleted.
1405             * runtime/JSObject.h:
1406             (JSC::JSObject::getDirect):
1407             (JSC::JSObject::getDirectOffset):
1408             (JSC::JSObject::inlineGetOwnPropertySlot):
1409             (JSC::JSObject::putDirectInternal):
1410             (JSC::JSObject::putOwnDataProperty):
1411             (JSC::JSObject::putDirect):
1412             (JSC::JSObject::putDirectWithoutTransition):
1413             (JSC::getCallableObject): Deleted.
1414             * runtime/JSScope.cpp:
1415             (JSC::abstractAccess):
1416             * runtime/PropertyMapHashTable.h:
1417             (JSC::PropertyMapEntry::PropertyMapEntry):
1418             (JSC::PropertyTable::copy):
1419             * runtime/PropertyTable.cpp:
1420             (JSC::PropertyTable::clone):
1421             (JSC::PropertyTable::PropertyTable):
1422             (JSC::PropertyTable::visitChildren): Deleted.
1423             * runtime/Structure.cpp:
1424             (JSC::Structure::Structure):
1425             (JSC::Structure::materializePropertyMap):
1426             (JSC::Structure::addPropertyTransitionToExistingStructureImpl):
1427             (JSC::Structure::addPropertyTransitionToExistingStructure):
1428             (JSC::Structure::addPropertyTransitionToExistingStructureConcurrently):
1429             (JSC::Structure::addPropertyTransition):
1430             (JSC::Structure::changePrototypeTransition):
1431             (JSC::Structure::attributeChangeTransition):
1432             (JSC::Structure::toDictionaryTransition):
1433             (JSC::Structure::preventExtensionsTransition):
1434             (JSC::Structure::takePropertyTableOrCloneIfPinned):
1435             (JSC::Structure::nonPropertyTransition):
1436             (JSC::Structure::addPropertyWithoutTransition):
1437             (JSC::Structure::allocateRareData):
1438             (JSC::Structure::ensurePropertyReplacementWatchpointSet):
1439             (JSC::Structure::startWatchingPropertyForReplacements):
1440             (JSC::Structure::didCachePropertyReplacement):
1441             (JSC::Structure::startWatchingInternalProperties):
1442             (JSC::Structure::copyPropertyTable):
1443             (JSC::Structure::copyPropertyTableForPinning):
1444             (JSC::Structure::getConcurrently):
1445             (JSC::Structure::get):
1446             (JSC::Structure::add):
1447             (JSC::Structure::visitChildren):
1448             (JSC::Structure::prototypeChainMayInterceptStoreTo):
1449             (JSC::Structure::dump):
1450             (JSC::Structure::despecifyDictionaryFunction): Deleted.
1451             (JSC::Structure::despecifyFunctionTransition): Deleted.
1452             (JSC::Structure::despecifyFunction): Deleted.
1453             (JSC::Structure::despecifyAllFunctions): Deleted.
1454             (JSC::Structure::putSpecificValue): Deleted.
1455             * runtime/Structure.h:
1456             (JSC::Structure::startWatchingPropertyForReplacements):
1457             (JSC::Structure::startWatchingInternalPropertiesIfNecessary):
1458             (JSC::Structure::startWatchingInternalPropertiesIfNecessaryForEntireChain):
1459             (JSC::Structure::transitionDidInvolveSpecificValue): Deleted.
1460             (JSC::Structure::disableSpecificFunctionTracking): Deleted.
1461             * runtime/StructureInlines.h:
1462             (JSC::Structure::getConcurrently):
1463             (JSC::Structure::didReplaceProperty):
1464             (JSC::Structure::propertyReplacementWatchpointSet):
1465             * runtime/StructureRareData.cpp:
1466             (JSC::StructureRareData::destroy):
1467             * runtime/StructureRareData.h:
1468             * tests/stress/infer-constant-global-property.js: Added.
1469             (foo.Math.sin):
1470             (foo):
1471             * tests/stress/infer-constant-property.js: Added.
1472             (foo):
1473             * tests/stress/jit-cache-poly-replace-then-cache-get-and-fold-then-invalidate.js: Added.
1474             (foo):
1475             (bar):
1476             * tests/stress/jit-cache-replace-then-cache-get-and-fold-then-invalidate.js: Added.
1477             (foo):
1478             (bar):
1479             * tests/stress/jit-put-to-scope-global-cache-watchpoint-invalidate.js: Added.
1480             (foo):
1481             (bar):
1482             * tests/stress/llint-cache-replace-then-cache-get-and-fold-then-invalidate.js: Added.
1483             (foo):
1484             (bar):
1485             * tests/stress/llint-put-to-scope-global-cache-watchpoint-invalidate.js: Added.
1486             (foo):
1487             (bar):
1488             * tests/stress/repeat-put-to-scope-global-with-same-value-watchpoint-invalidate.js: Added.
1489             (foo):
1490             (bar):
1491     
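The replacement watchpoint set mechanism this entry describes, as an added illustrative model written for this page rather than JavaScriptCore's own code: the class and method names mirror the entry's file list, but their bodies, the integer property values and the three scenarios (which follow the stress tests named above) are assumptions.

```cpp
// Added example, not JavaScriptCore code: a simplified model of the per-structure
// replacement watchpoint sets described above; the names echo the ChangeLog, bodies are assumed.
#include <map>
#include <memory>
#include <optional>
#include <string>
#include <vector>

struct WatchpointSet {  // unwatched, watched (folds depend on it), or fired (folds are dead)
    enum State { ClearWatchpoint, IsWatched, IsInvalidated } state = ClearWatchpoint;
    bool isStillValid() const { return state != IsInvalidated; }
    void startWatching() { if (state == ClearWatchpoint) state = IsWatched; }
    void fireAll() { state = IsInvalidated; }
};

class Structure {
public:
    std::optional<size_t> get(const std::string& name) const {
        auto it = m_table.find(name);
        return it == m_table.end() ? std::nullopt : std::optional<size_t>(it->second);
    }
    // Adding a property yields a new structure that copies the table but not the sets.
    std::shared_ptr<Structure> addPropertyTransition(const std::string& name, size_t& offset) {
        auto next = std::make_shared<Structure>();
        next->m_table = m_table;
        next->m_table[name] = offset = m_table.size();
        return next;
    }
    // Get cache: create the set lazily and start watching (a no-op once it has fired).
    void startWatchingPropertyForReplacements(const std::string& name) { ensureSet(name).startWatching(); }
    // Put-replace cache: create the set and immediately invalidate it.
    void didCachePropertyReplacement(const std::string& name) { ensureSet(name).fireAll(); }
    // Non-cached replacing put: in the common case there are no sets and this returns at once.
    void didReplaceProperty(const std::string& name) {
        if (WatchpointSet* set = propertyReplacementWatchpointSet(name)) set->fireAll();
    }
    WatchpointSet* propertyReplacementWatchpointSet(const std::string& name) {
        if (!m_replacementSets) return nullptr;
        auto it = m_replacementSets->find(name);
        return it == m_replacementSets->end() ? nullptr : &it->second;
    }
private:
    // Meta-data is allocated lazily, so structures nobody caches against pay nothing.
    WatchpointSet& ensureSet(const std::string& name) {
        if (!m_replacementSets) m_replacementSets = std::make_unique<std::map<std::string, WatchpointSet>>();
        return (*m_replacementSets)[name];
    }
    std::map<std::string, size_t> m_table;
    std::unique_ptr<std::map<std::string, WatchpointSet>> m_replacementSets;
};

class JSObject {
public:
    JSObject() : m_structure(std::make_shared<Structure>()) {}
    void put(const std::string& name, int value) {
        if (auto offset = m_structure->get(name)) {      // replacement: same structure
            m_structure->didReplaceProperty(name);
            m_slots[*offset] = value;
            return;
        }
        size_t offset;                                  // creating write: transition
        m_structure = m_structure->addPropertyTransition(name, offset);
        m_slots.resize(offset + 1);
        m_slots[offset] = value;
    }
    int getDirect(size_t offset) const { return m_slots[offset]; }
    Structure* structure() const { return m_structure.get(); }
private:
    std::shared_ptr<Structure> m_structure;
    std::vector<int> m_slots;
};

// The DFG-time check: a constant base, a proven structure, and a live replacement set.
std::optional<int> tryGetConstantProperty(const JSObject* base, Structure* proven, const std::string& name) {
    if (!base || base->structure() != proven) return std::nullopt;
    auto offset = proven->get(name);
    WatchpointSet* set = proven->propertyReplacementWatchpointSet(name);
    if (!offset || !set || !set->isStillValid()) return std::nullopt;
    set->startWatching();                 // the compiled code's lazily added watchpoint
    return base->getDirect(*offset);
}

struct Trace { std::optional<int> folded, afterReplace, atFinalStructure, afterPutReplaceCache; };
Trace runScenarios() {
    Trace t; JSObject o, p, q;
    o.put("f", 1); o.put("f", 2);                       // writes before any cache cost nothing
    o.structure()->startWatchingPropertyForReplacements("f");   // a get cache lands
    t.folded = tryGetConstantProperty(&o, o.structure(), "f");  // 2
    o.put("f", 3);                                      // uncached replace fires the set
    t.afterReplace = tryGetConstantProperty(&o, o.structure(), "f");           // nullopt
    p.put("g", 1); p.put("g", 2); p.put("h", 5);        // many writes, then the final transition
    p.structure()->startWatchingPropertyForReplacements("g");
    t.atFinalStructure = tryGetConstantProperty(&p, p.structure(), "g");      // 2
    q.put("k", 1);                                      // a put-replace cache kills the set
    q.structure()->didCachePropertyReplacement("k");
    q.structure()->startWatchingPropertyForReplacements("k");
    t.afterPutReplaceCache = tryGetConstantProperty(&q, q.structure(), "k");  // nullopt
    return t;
}
```
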
1492     2014-07-03  Saam Barati  <sbarati@apple.com>
1493     
1494             Add more coverage for the profile_types_with_high_fidelity op code.
1495             https://bugs.webkit.org/show_bug.cgi?id=134616
1496     
1497             Reviewed by Filip Pizlo.
1498     
1499             More operations are now being recorded by the profile_types_with_high_fidelity 
1500             opcode. Specifically: function parameters, function return values,
1501             function 'this' value, get_by_id, get_by_value, resolve nodes, function return 
1502             values at the call site. Added more flags to the profile_types_with_high_fidelity
1503             opcode so more focused tasks can take place when the instruction is
1504             being linked in CodeBlock. Re-worked the type profiler to search 
1505             through character offset ranges when asked for the type of an expression
1506             at a given offset. Removed redundant calls to Structure::toStructureShape
1507             in HighFidelityLog and TypeSet by caching calls based on StructureID.
1508     
1509             * bytecode/BytecodeList.json:
1510             * bytecode/BytecodeUseDef.h:
1511             (JSC::computeUsesForBytecodeOffset):
1512             (JSC::computeDefsForBytecodeOffset):
1513             * bytecode/CodeBlock.cpp:
1514             (JSC::CodeBlock::CodeBlock):
1515             (JSC::CodeBlock::finalizeUnconditionally):
1516             (JSC::CodeBlock::scopeDependentProfile):
1517             * bytecode/CodeBlock.h:
1518             (JSC::CodeBlock::returnStatementTypeSet):
1519             * bytecode/TypeLocation.h:
1520             * bytecode/UnlinkedCodeBlock.cpp:
1521             (JSC::UnlinkedCodeBlock::highFidelityTypeProfileExpressionInfoForBytecodeOffset):
1522             (JSC::UnlinkedCodeBlock::addHighFidelityTypeProfileExpressionInfo):
1523             * bytecode/UnlinkedCodeBlock.h:
1524             * bytecompiler/BytecodeGenerator.cpp:
1525             (JSC::BytecodeGenerator::emitMove):
1526             (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
1527             (JSC::BytecodeGenerator::emitGetFromScopeWithProfile):
1528             (JSC::BytecodeGenerator::emitPutToScope):
1529             (JSC::BytecodeGenerator::emitPutToScopeWithProfile):
1530             (JSC::BytecodeGenerator::emitPutById):
1531             (JSC::BytecodeGenerator::emitPutByVal):
1532             * bytecompiler/BytecodeGenerator.h:
1533             (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo):
1534             * bytecompiler/NodesCodegen.cpp:
1535             (JSC::ResolveNode::emitBytecode):
1536             (JSC::BracketAccessorNode::emitBytecode):
1537             (JSC::DotAccessorNode::emitBytecode):
1538             (JSC::FunctionCallValueNode::emitBytecode):
1539             (JSC::FunctionCallResolveNode::emitBytecode):
1540             (JSC::FunctionCallBracketNode::emitBytecode):
1541             (JSC::FunctionCallDotNode::emitBytecode):
1542             (JSC::CallFunctionCallDotNode::emitBytecode):
1543             (JSC::ApplyFunctionCallDotNode::emitBytecode):
1544             (JSC::PostfixNode::emitResolve):
1545             (JSC::PostfixNode::emitBracket):
1546             (JSC::PostfixNode::emitDot):
1547             (JSC::PrefixNode::emitResolve):
1548             (JSC::PrefixNode::emitBracket):
1549             (JSC::PrefixNode::emitDot):
1550             (JSC::ReadModifyResolveNode::emitBytecode):
1551             (JSC::AssignResolveNode::emitBytecode):
1552             (JSC::AssignDotNode::emitBytecode):
1553             (JSC::ReadModifyDotNode::emitBytecode):
1554             (JSC::AssignBracketNode::emitBytecode):
1555             (JSC::ReadModifyBracketNode::emitBytecode):
1556             (JSC::ReturnNode::emitBytecode):
1557             (JSC::FunctionBodyNode::emitBytecode):
1558             * inspector/agents/InspectorRuntimeAgent.cpp:
1559             (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableAtOffset):
1560             (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange): Deleted.
1561             * inspector/agents/InspectorRuntimeAgent.h:
1562             * inspector/protocol/Runtime.json:
1563             * llint/LLIntSlowPaths.cpp:
1564             (JSC::LLInt::getFromScopeCommon):
1565             (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1566             * llint/LLIntSlowPaths.h:
1567             * llint/LowLevelInterpreter.asm:
1568             * runtime/HighFidelityLog.cpp:
1569             (JSC::HighFidelityLog::processHighFidelityLog):
1570             (JSC::HighFidelityLog::actuallyProcessLogThreadFunction):
1571             (JSC::HighFidelityLog::recordTypeInformationForLocation): Deleted.
1572             * runtime/HighFidelityLog.h:
1573             (JSC::HighFidelityLog::recordTypeInformationForLocation):
1574             * runtime/HighFidelityTypeProfiler.cpp:
1575             (JSC::HighFidelityTypeProfiler::getTypesForVariableInAtOffset):
1576             (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableAtOffset):
1577             (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableAtOffset):
1578             (JSC::HighFidelityTypeProfiler::insertNewLocation):
1579             (JSC::HighFidelityTypeProfiler::findLocation):
1580             (JSC::HighFidelityTypeProfiler::getTypesForVariableInRange): Deleted.
1581             (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableInRange): Deleted.
1582             (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableInRange): Deleted.
1583             (JSC::HighFidelityTypeProfiler::getLocationBasedHash): Deleted.
1584             * runtime/HighFidelityTypeProfiler.h:
1585             (JSC::LocationKey::LocationKey): Deleted.
1586             (JSC::LocationKey::hash): Deleted.
1587             (JSC::LocationKey::operator==): Deleted.
1588             * runtime/Structure.cpp:
1589             (JSC::Structure::toStructureShape):
1590             * runtime/Structure.h:
1591             * runtime/TypeSet.cpp:
1592             (JSC::TypeSet::TypeSet):
1593             (JSC::TypeSet::addTypeForValue):
1594             (JSC::TypeSet::seenTypes):
1595             (JSC::TypeSet::removeDuplicatesInStructureHistory): Deleted.
1596             * runtime/TypeSet.h:
1597             (JSC::StructureShape::setConstructorName):
1598             * runtime/VM.cpp:
1599             (JSC::VM::getTypesForVariableAtOffset):
1600             (JSC::VM::dumpHighFidelityProfilingTypes):
1601             (JSC::VM::getTypesForVariableInRange): Deleted.
1602             * runtime/VM.h:
1603     
1604     2014-07-04  Filip Pizlo  <fpizlo@apple.com>
1605     
1606             [ftlopt][REGRESSION] debug tests fail because PutByIdDirect is now implemented in terms of In
1607             https://bugs.webkit.org/show_bug.cgi?id=134642
1608     
1609             Rubber stamped by Andreas Kling.
1610     
1611             * ftl/FTLLowerDFGToLLVM.cpp:
1612             (JSC::FTL::LowerDFGToLLVM::compileNode):
1613     
1614     2014-07-01  Filip Pizlo  <fpizlo@apple.com>
1615     
1616             [ftlopt] Allocate a new GetterSetter if we change the value of any of its entries other than when they were previously null, so that if we constant-infer an accessor slot then we immediately get the function constant for free
1617             https://bugs.webkit.org/show_bug.cgi?id=134518
1618     
1619             Reviewed by Mark Hahnenberg.
1620             
1621             This has no real effect right now, particularly since almost all uses of
1622             setSetter/setGetter were already allocating a brand new GetterSetter. But once we start
1623             doing more aggressive constant property inference, this change will allow us to remove
1624             all runtime checks from getter/setter calls.
1625     
1626             * runtime/GetterSetter.cpp:
1627             (JSC::GetterSetter::withGetter):
1628             (JSC::GetterSetter::withSetter):
1629             * runtime/GetterSetter.h:
1630             (JSC::GetterSetter::setGetter):
1631             (JSC::GetterSetter::setSetter):
1632             * runtime/JSObject.cpp:
1633             (JSC::JSObject::defineOwnNonIndexProperty):
1634     
1635     2014-07-02  Filip Pizlo  <fpizlo@apple.com>
1636     
1637             [ftlopt] Rename notifyTransitionFromThisStructure to didTransitionFromThisStructure
1638     
1639             Rubber stamped by Mark Hahnenberg.
1640     
1641             * runtime/Structure.cpp:
1642             (JSC::Structure::Structure):
1643             (JSC::Structure::nonPropertyTransition):
1644             (JSC::Structure::didTransitionFromThisStructure):
1645             (JSC::Structure::notifyTransitionFromThisStructure): Deleted.
1646             * runtime/Structure.h:
1647     
1648     2014-07-02  Filip Pizlo  <fpizlo@apple.com>
1649     
1650             [ftlopt] Remove the functionality for cloning StructureRareData since we never do that anymore.
1651     
1652             Rubber stamped by Mark Hahnenberg.
1653     
1654             * runtime/Structure.cpp:
1655             (JSC::Structure::Structure):
1656             (JSC::Structure::cloneRareDataFrom): Deleted.
1657             * runtime/Structure.h:
1658             * runtime/StructureRareData.cpp:
1659             (JSC::StructureRareData::clone): Deleted.
1660             (JSC::StructureRareData::StructureRareData): Deleted.
1661             * runtime/StructureRareData.h:
1662             (JSC::StructureRareData::needsCloning): Deleted.
1663     
1664     2014-07-01  Mark Lam  <mark.lam@apple.com>
1665     
1666             [ftlopt] DebuggerCallFrame::scope() should return a DebuggerScope.
1667             <https://webkit.org/b/134420>
1668     
1669             Reviewed by Geoffrey Garen.
1670     
1671             Previously, DebuggerCallFrame::scope() returned a JSActivation (and relevant
1672             peers) which the WebInspector will use to introspect CallFrame variables.
1673             Instead, we should be returning a DebuggerScope as an abstraction layer that
1674             provides the introspection functionality that the WebInspector needs.  This
1675             is the first step towards not forcing every frame to have a JSActivation
1676             object just because the debugger is enabled.
1677     
1678             1. Instantiate the debuggerScopeStructure as a member of the JSGlobalObject
1679                instead of the VM.  This allows JSObject::globalObject() to be able to
1680                return the global object for the DebuggerScope.
1681     
1682             2. On the DebuggerScope's life-cycle management:
1683     
1684                The DebuggerCallFrame is designed to be "valid" only during a debugging session
1685                (while the debugger is broken) through the use of a DebuggerCallFrameScope in
1686                Debugger::pauseIfNeeded().  Once the debugger resumes from the break, the
1687                DebuggerCallFrameScope destructs, and the DebuggerCallFrame will be invalidated.
1688                We can't guarantee (from this code alone) that the Inspector code isn't still
1689                holding a ref to the DebuggerCallFrame (though they shouldn't), but by contract,
1690                the frame will be invalidated, and any attempt to query it will return null values.
1691                This is pre-existing behavior.
1692     
1693                Now, we're adding the DebuggerScope into the picture.  While a single debugger
1694                pause session is in progress, the Inspector may request the scope from the
1695                DebuggerCallFrame.  While the DebuggerCallFrame is still valid, we want
1696                DebuggerCallFrame::scope() to always return the same DebuggerScope object.
1697                This is why we hold on to the DebuggerScope with a strong ref.
1698     
1699                If we use a weak ref instead, the following kooky behavior can manifest:
1700                1. The Inspector calls Debugger::scope() to get the top scope.
1701                2. The Inspector iterates down the scope chain and is now only holding a
1702                   reference to a parent scope.  It is no longer referencing the top scope.
1703                3. A GC occurs, and the DebuggerCallFrame's weak m_scope ref to the top scope
1704                   gets cleared.
1705                4. The Inspector calls DebuggerCallFrame::scope() to get the top scope again but gets
1706                   a different DebuggerScope instance.
1707                5. The Inspector iterates down the scope chain but never sees the parent scope
1708                   instance that it retained a ref to in step 2 above.  This is because when iterating
1709                   this new DebuggerScope instance (which has no knowledge of the previous parent
1710                   DebuggerScope instance), a new DebuggerScope instance will get created for the
1711                   same parent scope. 
1712     
1713                Since the DebuggerScope is a JSObject, its liveness is determined by its reachability.
1714                However, its "validity" is determined by the life-cycle of its owner DebuggerCallFrame.
1715                When the owner DebuggerCallFrame gets invalidated, its debugger scope chain (if
1716                instantiated) will also get invalidated.  This is why we need the
1717                DebuggerScope::invalidateChain() method.  The Inspector should not be using the
1718                DebuggerScope instance after its owner DebuggerCallFrame is invalidated.  If it does,
1719                those methods will do nothing or return a failed status.
1720     
1721             * debugger/Debugger.h:
1722             * debugger/DebuggerCallFrame.cpp:
1723             (JSC::DebuggerCallFrame::scope):
1724             (JSC::DebuggerCallFrame::evaluate):
1725             (JSC::DebuggerCallFrame::invalidate):
1726             (JSC::DebuggerCallFrame::vm):
1727             (JSC::DebuggerCallFrame::lexicalGlobalObject):
1728             * debugger/DebuggerCallFrame.h:
1729             * debugger/DebuggerScope.cpp:
1730             (JSC::DebuggerScope::DebuggerScope):
1731             (JSC::DebuggerScope::finishCreation):
1732             (JSC::DebuggerScope::visitChildren):
1733             (JSC::DebuggerScope::className):
1734             (JSC::DebuggerScope::getOwnPropertySlot):
1735             (JSC::DebuggerScope::put):
1736             (JSC::DebuggerScope::deleteProperty):
1737             (JSC::DebuggerScope::getOwnPropertyNames):
1738             (JSC::DebuggerScope::defineOwnProperty):
1739             (JSC::DebuggerScope::next):
1740             (JSC::DebuggerScope::invalidateChain):
1741             (JSC::DebuggerScope::isWithScope):
1742             (JSC::DebuggerScope::isGlobalScope):
1743             (JSC::DebuggerScope::isFunctionScope):
1744             * debugger/DebuggerScope.h:
1745             (JSC::DebuggerScope::create):
1746             (JSC::DebuggerScope::Iterator::Iterator):
1747             (JSC::DebuggerScope::Iterator::get):
1748             (JSC::DebuggerScope::Iterator::operator++):
1749             (JSC::DebuggerScope::Iterator::operator==):
1750             (JSC::DebuggerScope::Iterator::operator!=):
1751             (JSC::DebuggerScope::isValid):
1752             (JSC::DebuggerScope::jsScope):
1753             (JSC::DebuggerScope::begin):
1754             (JSC::DebuggerScope::end):
1755             * inspector/JSJavaScriptCallFrame.cpp:
1756             (Inspector::JSJavaScriptCallFrame::scopeType):
1757             (Inspector::JSJavaScriptCallFrame::scopeChain):
1758             * inspector/JavaScriptCallFrame.h:
1759             (Inspector::JavaScriptCallFrame::scopeChain):
1760             * inspector/ScriptDebugServer.cpp:
1761             * runtime/JSGlobalObject.cpp:
1762             (JSC::JSGlobalObject::reset):
1763             (JSC::JSGlobalObject::visitChildren):
1764             * runtime/JSGlobalObject.h:
1765             (JSC::JSGlobalObject::debuggerScopeStructure):
1766             * runtime/JSObject.h:
1767             (JSC::JSObject::isWithScope):
1768             * runtime/JSScope.h:
1769             * runtime/VM.cpp:
1770             (JSC::VM::VM):
1771             * runtime/VM.h:
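The liveness-versus-validity split described in the entry above, as an added illustration that is not WebKit's code. JSScope, DebuggerScope and DebuggerCallFrame are assumed, simplified stand-ins: a shared_ptr plays the role of GC reachability (liveness), while validity is cut off by the owning frame through invalidateChain(), after which every accessor on the cached chain fails instead of touching engine state.

```cpp
#include <map>
#include <memory>
#include <string>

// Engine-side scope: variables plus a parent pointer (assumed stand-in for JSScope).
struct JSScope {
    std::map<std::string, int> variables;
    JSScope* next = nullptr;
};

// Inspector-facing wrapper. It stays *alive* while anyone holds a shared_ptr to it,
// but it is only *valid* until its owning call frame is invalidated.
class DebuggerScope {
public:
    explicit DebuggerScope(JSScope* scope) : m_scope(scope) {}

    bool isValid() const { return m_scope != nullptr; }

    // Lazily create and cache the parent wrapper so that walking the chain twice
    // hands back the same DebuggerScope objects (the caching the entry describes).
    std::shared_ptr<DebuggerScope> next() {
        if (!isValid() || !m_scope->next)
            return nullptr;
        if (!m_next)
            m_next = std::make_shared<DebuggerScope>(m_scope->next);
        return m_next;
    }

    // Accessors on an invalidated scope do nothing and report failure.
    bool get(const std::string& name, int& outValue) const {
        if (!isValid())
            return false;
        auto it = m_scope->variables.find(name);
        if (it == m_scope->variables.end())
            return false;
        outValue = it->second;
        return true;
    }

    bool put(const std::string& name, int value) {
        if (!isValid())
            return false;
        m_scope->variables[name] = value;
        return true;
    }

    // Called by the owning frame: detach every wrapper in the chain from the engine,
    // whether or not the Inspector still references them.
    void invalidateChain() {
        for (DebuggerScope* s = this; s; s = s->m_next.get())
            s->m_scope = nullptr;
    }

private:
    JSScope* m_scope;
    std::shared_ptr<DebuggerScope> m_next;
};

class DebuggerCallFrame {
public:
    explicit DebuggerCallFrame(JSScope* scope) : m_scope(scope) {}

    std::shared_ptr<DebuggerScope> scope() {
        if (!m_debuggerScope && m_scope)
            m_debuggerScope = std::make_shared<DebuggerScope>(m_scope);
        return m_debuggerScope;
    }

    // The frame is going away: its scope chain must stop touching engine state.
    void invalidate() {
        if (m_debuggerScope)
            m_debuggerScope->invalidateChain();
        m_scope = nullptr;
    }

private:
    JSScope* m_scope;
    std::shared_ptr<DebuggerScope> m_debuggerScope;
};

struct ScopeDemoResult {
    bool sameParentOnSecondWalk = false; // caching returns the same parent wrapper
    bool readBeforeInvalidate = false;   // get() works while the frame is live
    int valueRead = 0;
    bool readAfterInvalidate = true;     // get() fails once the frame is invalidated
    bool putAfterInvalidate = true;      // so does put()
    bool parentValidAfter = true;        // and the cached parent is invalid too
};

// Constructed scenario: a local scope whose parent holds x = 42.
ScopeDemoResult runScopeDemo() {
    JSScope global;
    global.variables["x"] = 42;
    JSScope local;
    local.next = &global;
    DebuggerCallFrame frame(&local);
    auto inner = frame.scope();
    auto parent1 = inner->next();
    auto parent2 = inner->next();
    ScopeDemoResult r;
    r.sameParentOnSecondWalk = (parent1 == parent2);
    r.readBeforeInvalidate = parent1->get("x", r.valueRead);
    frame.invalidate();           // the Inspector still holds parent1, but it is now invalid
    int ignored = 0;
    r.readAfterInvalidate = parent1->get("x", ignored);
    r.putAfterInvalidate = inner->put("y", 1);
    r.parentValidAfter = parent1->isValid();
    return r;
}
```

The point for a defender reading this: reachability keeps the wrapper's memory alive, but only the explicit invalidation step stops a stale wrapper from reading or writing engine objects that may already have been torn down.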

    2014-07-01  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] DFG bytecode parser should turn PutById with nothing but a Setter stub as stuff+handleCall, and handleCall should be allowed to inline if it wants to
            https://bugs.webkit.org/show_bug.cgi?id=130756

            Reviewed by Oliver Hunt.

            This enables exposing the call to setters in the DFG, and then inlining it. Previously we
            already supported inline-cached calls to setters from within put_by_id inline caches,
            and the DFG could certainly emit such ICs. Now, if an IC had a setter call, then the DFG
            will either emit the GetGetterSetterByOffset/GetSetter/Call combo, or it will do one
            better and inline the call.

            A lot of the core functionality was already available from the previous work to inline
            getters. So, there are some refactorings in this patch that move preexisting
            functionality around. For example, the work to figure out how the DFG should go about
            getting to what we call the "loaded value" - i.e. the GetterSetter object reference in
            the case of accessors - is now shared in ComplexGetStatus, and both GetByIdStatus and
            PutByIdStatus use it. This means that we can keep the safety checks common.  This patch
            also does additional refactorings in DFG::ByteCodeParser so that we can continue to reuse
            handleCall() for all of the various kinds of calls we can now emit.

            83% speed-up on getter-richards, 2% speed-up on box2d.

            * CMakeLists.txt:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * bytecode/ComplexGetStatus.cpp: Added.
            (JSC::ComplexGetStatus::computeFor):
            * bytecode/ComplexGetStatus.h: Added.
            (JSC::ComplexGetStatus::ComplexGetStatus):
            (JSC::ComplexGetStatus::skip):
            (JSC::ComplexGetStatus::takesSlowPath):
            (JSC::ComplexGetStatus::kind):
            (JSC::ComplexGetStatus::attributes):
            (JSC::ComplexGetStatus::specificValue):
            (JSC::ComplexGetStatus::offset):
            (JSC::ComplexGetStatus::chain):
            * bytecode/GetByIdStatus.cpp:
            (JSC::GetByIdStatus::computeForStubInfo):
            * bytecode/GetByIdVariant.cpp:
            (JSC::GetByIdVariant::GetByIdVariant):
            * bytecode/PolymorphicPutByIdList.h:
            (JSC::PutByIdAccess::PutByIdAccess):
            (JSC::PutByIdAccess::setter):
            (JSC::PutByIdAccess::structure):
            (JSC::PutByIdAccess::chainCount):
            * bytecode/PutByIdStatus.cpp:
            (JSC::PutByIdStatus::computeFromLLInt):
            (JSC::PutByIdStatus::computeFor):
            (JSC::PutByIdStatus::computeForStubInfo):
            (JSC::PutByIdStatus::makesCalls):
            * bytecode/PutByIdStatus.h:
            (JSC::PutByIdStatus::makesCalls): Deleted.
            * bytecode/PutByIdVariant.cpp:
            (JSC::PutByIdVariant::PutByIdVariant):
            (JSC::PutByIdVariant::operator=):
            (JSC::PutByIdVariant::replace):
            (JSC::PutByIdVariant::transition):
            (JSC::PutByIdVariant::setter):
            (JSC::PutByIdVariant::writesStructures):
            (JSC::PutByIdVariant::reallocatesStorage):
            (JSC::PutByIdVariant::makesCalls):
            (JSC::PutByIdVariant::dumpInContext):
            * bytecode/PutByIdVariant.h:
            (JSC::PutByIdVariant::PutByIdVariant):
            (JSC::PutByIdVariant::structure):
            (JSC::PutByIdVariant::oldStructure):
            (JSC::PutByIdVariant::alternateBase):
            (JSC::PutByIdVariant::specificValue):
            (JSC::PutByIdVariant::callLinkStatus):
            (JSC::PutByIdVariant::replace): Deleted.
            (JSC::PutByIdVariant::transition): Deleted.
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
            (JSC::DFG::ByteCodeParser::addCall):
            (JSC::DFG::ByteCodeParser::handleCall):
            (JSC::DFG::ByteCodeParser::handleInlining):
            (JSC::DFG::ByteCodeParser::handleGetById):
            (JSC::DFG::ByteCodeParser::handlePutById):
            (JSC::DFG::ByteCodeParser::parseBlock):
            * jit/Repatch.cpp:
            (JSC::tryCachePutByID):
            (JSC::tryBuildPutByIdList):
            * runtime/IntendedStructureChain.cpp:
            (JSC::IntendedStructureChain::takesSlowPathInDFGForImpureProperty):
            * runtime/IntendedStructureChain.h:
            * tests/stress/exit-from-setter.js: Added.
            * tests/stress/poly-chain-setter.js: Added.
            (Cons):
            (foo):
            (test):
            * tests/stress/poly-chain-then-setter.js: Added.
            (Cons1):
            (Cons2):
            (foo):
            (test):
            * tests/stress/poly-setter-combo.js: Added.
            (Cons1):
            (Cons2):
            (foo):
            (test):
            (.test):
            * tests/stress/poly-setter-then-self.js: Added.
            (foo):
            (test):
            (.test):
            * tests/stress/weird-setter-counter.js: Added.
            (foo):
            (test):
            * tests/stress/weird-setter-counter-syntactic.js: Added.
            (foo):
            (test):

    2014-07-01  Matthew Mirman  <mmirman@apple.com>

            Added an implementation of the "in" check to FTL.
            https://bugs.webkit.org/show_bug.cgi?id=134508

            Reviewed by Filip Pizlo.

            * ftl/FTLCapabilities.cpp: enabled compilation for "in"
            (JSC::FTL::canCompile): ditto
            * ftl/FTLCompile.cpp:
            (JSC::FTL::generateCheckInICFastPath): added.
            (JSC::FTL::fixFunctionBasedOnStackMaps): added case for CheckIn descriptors.
            * ftl/FTLInlineCacheDescriptor.h:
            (JSC::FTL::CheckInGenerator::CheckInGenerator): added.
            (JSC::FTL::CheckInDescriptor::CheckInDescriptor): added.
            * ftl/FTLInlineCacheSize.cpp:
            (JSC::FTL::sizeOfCheckIn): added. Currently larger than necessary.
            * ftl/FTLInlineCacheSize.h: ditto
            * ftl/FTLIntrinsicRepository.h: Added function type for operationInGeneric
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileNode): added case for In.
            (JSC::FTL::LowerDFGToLLVM::compileIn): added.
            * ftl/FTLSlowPathCall.cpp: Added a callOperation for operationIn
            (JSC::FTL::callOperation): ditto
            * ftl/FTLSlowPathCall.h: ditto
            * ftl/FTLState.h: Added a vector to hold CheckIn descriptors.
            * jit/JITOperations.h: made operationIns internal.
            * tests/stress/ftl-checkin.js: Added.
            * tests/stress/ftl-checkin-variable.js: Added.

    2014-06-30  Mark Hahnenberg  <mhahnenberg@apple.com>

            CodeBlock::stronglyVisitWeakReferences should mark DFG::CommonData::weakStructureReferences
            https://bugs.webkit.org/show_bug.cgi?id=134455

            Reviewed by Geoffrey Garen.

            Otherwise we get hanging pointers which can cause us to die later.

            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::stronglyVisitWeakReferences):

    2014-06-27  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] Reduce the GC's influence on optimization decisions
            https://bugs.webkit.org/show_bug.cgi?id=134427

            Reviewed by Oliver Hunt.

            This is a slight speed-up on some platforms, that arises from a bunch of fixes that I made
            while trying to make the GC keep more structures alive
            (https://bugs.webkit.org/show_bug.cgi?id=128072).

            The fixes are, roughly:

            - If the GC clears an inline cache, then this no longer causes the IC to be forever
              polymorphic.

            - If we exit in inlined code into a function that tries to OSR enter, then we jettison
              sooner.

            - Some variables being uninitialized led to rage-recompilations.

            This is a pretty strong step in the direction of keeping more Structures alive and not
            blowing away code just because a Structure died. But, it seems like there is still a slight
            speed-up to be had from blowing away code that references dead Structures.

            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::dumpAssumingJITType):
            (JSC::shouldMarkTransition):
            (JSC::CodeBlock::propagateTransitions):
            (JSC::CodeBlock::determineLiveness):
            * bytecode/GetByIdStatus.cpp:
            (JSC::GetByIdStatus::computeForStubInfo):
            * bytecode/PutByIdStatus.cpp:
            (JSC::PutByIdStatus::computeForStubInfo):
            * dfg/DFGCapabilities.cpp:
            (JSC::DFG::isSupportedForInlining):
            (JSC::DFG::mightInlineFunctionForCall):
            (JSC::DFG::mightInlineFunctionForClosureCall):
            (JSC::DFG::mightInlineFunctionForConstruct):
            * dfg/DFGCapabilities.h:
            * dfg/DFGCommonData.h:
            * dfg/DFGDesiredWeakReferences.cpp:
            (JSC::DFG::DesiredWeakReferences::reallyAdd):
            * dfg/DFGOSREntry.cpp:
            (JSC::DFG::prepareOSREntry):
            * dfg/DFGOSRExitCompilerCommon.cpp:
            (JSC::DFG::handleExitCounts):
            * dfg/DFGOperations.cpp:
            * dfg/DFGOperations.h:
            * ftl/FTLForOSREntryJITCode.cpp:
            (JSC::FTL::ForOSREntryJITCode::ForOSREntryJITCode): These variables being uninitialized is benign in terms of correctness but can sometimes cause rage-recompilations. For some reason it took this patch to reveal this.
            * ftl/FTLOSREntry.cpp:
            (JSC::FTL::prepareOSREntry):
            * runtime/Executable.cpp:
            (JSC::ExecutableBase::destroy):
            (JSC::NativeExecutable::destroy):
            (JSC::ScriptExecutable::ScriptExecutable):
            (JSC::ScriptExecutable::destroy):
            (JSC::ScriptExecutable::installCode):
            (JSC::EvalExecutable::EvalExecutable):
            (JSC::ProgramExecutable::ProgramExecutable):
            * runtime/Executable.h:
            (JSC::ScriptExecutable::setDidTryToEnterInLoop):
            (JSC::ScriptExecutable::didTryToEnterInLoop):
            (JSC::ScriptExecutable::addressOfDidTryToEnterInLoop):
            (JSC::ScriptExecutable::ScriptExecutable): Deleted.
            * runtime/StructureInlines.h:
            (JSC::Structure::storedPrototypeObject):
            (JSC::Structure::storedPrototypeStructure):

    2014-06-25  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] If a CodeBlock is jettisoned due to a watchpoint then it should be possible to figure out something about that watchpoint
            https://bugs.webkit.org/show_bug.cgi?id=134333

            Reviewed by Geoffrey Garen.

            This is engineered to provide loads of information to the profiler without incurring any
            costs when the profiler is disabled. It's the oldest trick in the book: the thing that
            fires the watchpoint doesn't actually create anything to describe the reason why it was
            fired; instead it creates a stack-allocated FireDetail subclass instance. Only if the
            FireDetail::dump() virtual method is called does anything happen.

            Currently we use this to produce very fine-grained data for Structure watchpoints and
            some cases of variable watchpoints. For all other situations, the given reason is just a
            string constant, by using StringFireDetail. If we find a situation where that string
            constant is insufficient to diagnose an issue then we can change it to provide more
            fine-grained information.

            * JavaScriptCore.xcodeproj/project.pbxproj:
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::CodeBlock):
            (JSC::CodeBlock::jettison):
            * bytecode/CodeBlock.h:
            * bytecode/CodeBlockJettisoningWatchpoint.cpp:
            (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
            * bytecode/CodeBlockJettisoningWatchpoint.h:
            * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp: Removed.
            * bytecode/ProfiledCodeBlockJettisoningWatchpoint.h: Removed.
            * bytecode/StructureStubClearingWatchpoint.cpp:
            (JSC::StructureStubClearingWatchpoint::fireInternal):
            * bytecode/StructureStubClearingWatchpoint.h:
            * bytecode/VariableWatchpointSet.h:
            (JSC::VariableWatchpointSet::invalidate):
            (JSC::VariableWatchpointSet::finalizeUnconditionally):
            * bytecode/VariableWatchpointSetInlines.h:
            (JSC::VariableWatchpointSet::notifyWrite):
            * bytecode/Watchpoint.cpp:
            (JSC::StringFireDetail::dump):
            (JSC::WatchpointSet::fireAll):
            (JSC::WatchpointSet::fireAllSlow):
            (JSC::WatchpointSet::fireAllWatchpoints):
            (JSC::InlineWatchpointSet::fireAll):
            * bytecode/Watchpoint.h:
            (JSC::FireDetail::FireDetail):
            (JSC::FireDetail::~FireDetail):
            (JSC::StringFireDetail::StringFireDetail):
            (JSC::Watchpoint::fire):
            (JSC::WatchpointSet::fireAll):
            (JSC::WatchpointSet::touch):
            (JSC::WatchpointSet::invalidate):
            (JSC::InlineWatchpointSet::fireAll):
            (JSC::InlineWatchpointSet::touch):
            * dfg/DFGCommonData.h:
            * dfg/DFGOperations.cpp:
            * interpreter/Interpreter.cpp:
            (JSC::Interpreter::execute):
            * jsc.cpp:
            (WTF::Masquerader::create):
            * profiler/ProfilerCompilation.cpp:
            (JSC::Profiler::Compilation::setJettisonReason):
            (JSC::Profiler::Compilation::toJS):
            * profiler/ProfilerCompilation.h:
            (JSC::Profiler::Compilation::setJettisonReason): Deleted.
            * runtime/ArrayBuffer.cpp:
            (JSC::ArrayBuffer::transfer):
            * runtime/ArrayBufferNeuteringWatchpoint.cpp:
            (JSC::ArrayBufferNeuteringWatchpoint::fireAll):
            * runtime/ArrayBufferNeuteringWatchpoint.h:
            * runtime/CommonIdentifiers.h:
            * runtime/CommonSlowPaths.cpp:
            (JSC::SLOW_PATH_DECL):
            * runtime/Identifier.cpp:
            (JSC::Identifier::dump):
            * runtime/Identifier.h:
            * runtime/JSFunction.cpp:
            (JSC::JSFunction::put):
            (JSC::JSFunction::defineOwnProperty):
            * runtime/JSGlobalObject.cpp:
            (JSC::JSGlobalObject::addFunction):
            (JSC::JSGlobalObject::haveABadTime):
            * runtime/JSSymbolTableObject.cpp:
            (JSC::VariableWriteFireDetail::dump):
            * runtime/JSSymbolTableObject.h:
            (JSC::VariableWriteFireDetail::VariableWriteFireDetail):
            (JSC::symbolTablePut):
            (JSC::symbolTablePutWithAttributes):
            * runtime/PropertyName.h:
            (JSC::PropertyName::dump):
            * runtime/Structure.cpp:
            (JSC::Structure::notifyTransitionFromThisStructure):
            * runtime/Structure.h:
            (JSC::Structure::notifyTransitionFromThisStructure): Deleted.
            * runtime/SymbolTable.cpp:
            (JSC::SymbolTableEntry::notifyWriteSlow):
            (JSC::SymbolTable::WatchpointCleanup::finalizeUnconditionally):
            * runtime/SymbolTable.h:
            (JSC::SymbolTableEntry::notifyWrite):
            * runtime/VM.cpp:
            (JSC::VM::addImpureProperty):
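The "stack-allocated detail that costs nothing unless dumped" pattern from the entry above, as an added example that is not WebKit's code. The class names follow the entry (FireDetail, StringFireDetail, VariableWriteFireDetail, WatchpointSet, CodeBlockJettisoningWatchpoint); their bodies, the Profiler stand-in and the dump counter are assumed simplifications written for this illustration.

```cpp
#include <ostream>
#include <sstream>
#include <string>
#include <vector>

// Base of a lazily rendered reason. Constructing one on the stack stores a vtable
// pointer and the captured fields; nothing is formatted unless dump() is called.
class FireDetail {
public:
    virtual ~FireDetail() {}
    virtual void dump(std::ostream&) const = 0;
    std::string toString() const { std::ostringstream out; dump(out); return out.str(); }
};

// The cheap default: a string constant.
class StringFireDetail : public FireDetail {
public:
    explicit StringFireDetail(const char* reason) : m_reason(reason) {}
    void dump(std::ostream& out) const override { out << m_reason; }
private:
    const char* m_reason;
};

// Constructed instrumentation: counts how often any detail was actually rendered.
static unsigned g_dumpCount = 0;
unsigned dumpCount() { return g_dumpCount; }
void resetDumpCount() { g_dumpCount = 0; }

// Fine-grained detail for a variable write; the text exists only on demand.
class VariableWriteFireDetail : public FireDetail {
public:
    VariableWriteFireDetail(const std::string& name, int oldValue, int newValue)
        : m_name(name), m_oldValue(oldValue), m_newValue(newValue) {}
    void dump(std::ostream& out) const override {
        ++g_dumpCount;
        out << "write to variable '" << m_name << "': " << m_oldValue << " -> " << m_newValue;
    }
private:
    std::string m_name;
    int m_oldValue, m_newValue;
};

// Profiler stand-in: when disabled it never asks the detail to render itself.
class Profiler {
public:
    explicit Profiler(bool enabled) : m_enabled(enabled) {}
    void setJettisonReason(const FireDetail& detail) {
        if (!m_enabled)
            return;
        m_reasons.push_back(detail.toString());
    }
    const std::vector<std::string>& reasons() const { return m_reasons; }
private:
    bool m_enabled;
    std::vector<std::string> m_reasons;
};

class Watchpoint {
public:
    virtual ~Watchpoint() {}
    virtual void fire(const FireDetail&) = 0;
};

// Jettisons "its" code block and passes the borrowed detail on to the profiler.
class CodeBlockJettisoningWatchpoint : public Watchpoint {
public:
    explicit CodeBlockJettisoningWatchpoint(Profiler& profiler) : m_profiler(profiler) {}
    void fire(const FireDetail& detail) override {
        m_jettisoned = true;
        m_profiler.setJettisonReason(detail);
    }
    bool jettisoned() const { return m_jettisoned; }
private:
    Profiler& m_profiler;
    bool m_jettisoned = false;
};

class WatchpointSet {
public:
    void add(Watchpoint* watchpoint) { m_watchpoints.push_back(watchpoint); }
    // Invalidate the set and notify every watchpoint; the detail is never copied.
    void fireAll(const FireDetail& detail) {
        if (!m_isValid)
            return;
        m_isValid = false;
        for (Watchpoint* watchpoint : m_watchpoints)
            watchpoint->fire(detail);
        m_watchpoints.clear();
    }
    bool isValid() const { return m_isValid; }
private:
    std::vector<Watchpoint*> m_watchpoints;
    bool m_isValid = true;
};

// Simulates a symbol-table write firing a variable watchpoint and returns how
// many reasons the profiler recorded (0 when disabled, 1 when enabled).
size_t fireOnVariableWrite(Profiler& profiler, const std::string& name, int oldValue, int newValue) {
    WatchpointSet set;
    CodeBlockJettisoningWatchpoint watchpoint(profiler);
    set.add(&watchpoint);
    set.fireAll(VariableWriteFireDetail(name, oldValue, newValue)); // lives on the stack for this call only
    return profiler.reasons().size();
}
```

With the profiler disabled the detail object is built but dump() never runs, so the diagnostic path adds only the cost of a few stack stores on the hot invalidation path.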

2014-08-05  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r172099.
        https://bugs.webkit.org/show_bug.cgi?id=135635

        Needs a do-over. (Requested by kling on #webkit).

        Reverted changeset:

        "The JIT should cache property lookup misses."
        https://bugs.webkit.org/show_bug.cgi?id=135578
        http://trac.webkit.org/changeset/172099

2014-08-05  Przemyslaw Kuczynski  <p.kuczynski@samsung.com>

        Fix resource leak of unclosed file descriptor.
        https://bugs.webkit.org/show_bug.cgi?id=135417

        Reviewed by Darin Adler.

        When open returns zero, fd handle leaks. Checking (fd > 0) needs to be replaced
        with (fd != -1).

        * assembler/MacroAssemblerARM.cpp:
        (JSC::isVFPPresent):
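The descriptor check from the entry above, shown side by side in an added example that is not WebKit's code. It reproduces the leaking condition by temporarily closing stdin so that open() hands out descriptor 0, then records how the old (fd > 0) and the corrected (fd != -1) checks classify that result; the temporary-file helper and the probe struct are assumptions made for this demonstration.

```cpp
#include <fcntl.h>
#include <unistd.h>
#include <cstdlib>
#include <string>

// The check the entry describes as leaking: it treats descriptor 0 as a failure,
// so a successful open() that returned 0 is never closed.
bool buggyOpenSucceeded(int fd) { return fd > 0; }

// Corrected check: POSIX open() signals failure only by returning -1, and 0 is a
// valid descriptor that is handed out as soon as stdin has been closed.
bool fixedOpenSucceeded(int fd) { return fd != -1; }

// Writes `contents` to a fresh temporary file and returns its path, or "" on
// failure (constructed helper for the demonstration, not code from the project).
std::string makeTempFile(const std::string& contents) {
    char path[] = "/tmp/fdcheck-XXXXXX";
    int fd = mkstemp(path);
    if (fd == -1)
        return "";
    size_t written = 0;
    while (written < contents.size()) {
        ssize_t n = write(fd, contents.data() + written, contents.size() - written);
        if (n <= 0)
            break;
        written += static_cast<size_t>(n);
    }
    close(fd);
    return path;
}

struct FdZeroProbe {
    int fd;             // descriptor that open() actually returned
    bool buggyAccepts;  // verdict of the "> 0" check
    bool fixedAccepts;  // verdict of the "!= -1" check
};

// Makes open() return descriptor 0 by temporarily closing stdin (POSIX hands out
// the lowest free descriptor), then records how each check classifies the result.
// stdin is restored before returning.
FdZeroProbe probeWithFdZero(const std::string& path) {
    FdZeroProbe probe = { -1, false, false };
    int savedStdin = dup(STDIN_FILENO);  // -1 if stdin was already closed
    if (savedStdin != -1)
        close(STDIN_FILENO);
    probe.fd = open(path.c_str(), O_RDONLY);
    probe.buggyAccepts = buggyOpenSucceeded(probe.fd);
    probe.fixedAccepts = fixedOpenSucceeded(probe.fd);
    if (fixedOpenSucceeded(probe.fd))
        close(probe.fd);                 // the close the buggy check would have skipped
    if (savedStdin != -1) {
        dup2(savedStdin, STDIN_FILENO);
        close(savedStdin);
    }
    return probe;
}

// Whole demonstration on a constructed file: fd == 0, buggyAccepts == false, fixedAccepts == true.
FdZeroProbe runFdZeroDemo() {
    std::string path = makeTempFile("constructed sample contents\n");
    FdZeroProbe probe = probeWithFdZero(path);
    if (!path.empty())
        unlink(path.c_str());
    return probe;
}
```

The scenario is not exotic: daemons and sandboxed helpers routinely run with stdin closed, at which point the first open() in the process returns 0 and a "> 0" check both misreports the open as failed and leaks the descriptor.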

2014-08-05  Andreas Kling  <akling@apple.com>

        The JIT should cache property lookup misses.
        <https://webkit.org/b/135578>

        Add support for inline caching of object properties that don't exist.
        Previously we'd fall back to the C++ slow-path whenever a property was missing.

        It's implemented as a simple GetById-style stub that returns jsUndefined() as
        long as the Structure chain check passes.

        10x speedup on the included microbenchmark.

        Reviewed by Geoffrey Garen.

        * jit/Repatch.cpp:
        (JSC::toString):
        (JSC::kindFor):
        (JSC::generateByIdStub):
        (JSC::tryCacheGetByID):
        (JSC::patchJumpToGetByIdStub):
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::isUnset):

2014-08-05  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r172009.
        https://bugs.webkit.org/show_bug.cgi?id=135627

        "Commit landed on trunk instead of ftlopt branch." (Requested
        by saamyjoon on #webkit).

        Reverted changeset:

        "Create a more generic way for VMEntryScope to notify those
        interested that it will be destroyed"
        https://bugs.webkit.org/show_bug.cgi?id=135358
        http://trac.webkit.org/changeset/172009

2014-08-05  Alex Christensen  <achristensen@webkit.org>

        More work on CMake.
        https://bugs.webkit.org/show_bug.cgi?id=135620

        Reviewed by Laszlo Gombos.

        * CMakeLists.txt:
        Added missing source files.
        * PlatformEfl.cmake:
        * PlatformGTK.cmake:
        Include glib directories and libraries to find glib.h in EventLoop.cpp.
        * PlatformMac.cmake:
        Moved STATICALLY_LINKED_WITH_WTF definition away from the common CMakeLists
        because it should not be defined on Windows.
        Added remote inspector source files.

2014-08-05  Peyton Randolph  <prandolph@apple.com>

        Rename MAC_LONG_PRESS feature flag to LONG_MOUSE_PRESS.
        https://bugs.webkit.org/show_bug.cgi?id=135276

        Reviewed by Beth Dakin.

        * Configurations/FeatureDefines.xcconfig:

2014-08-04  Benjamin Poulain  <benjamin@webkit.org>

        Add a flag for the CSS Selectors level 4 implementation
        https://bugs.webkit.org/show_bug.cgi?id=135535

        Reviewed by Andreas Kling.

        * Configurations/FeatureDefines.xcconfig:

2014-08-04  Alex Christensen  <achristensen@webkit.org>

        Progress towards CMake on Mac.
        https://bugs.webkit.org/show_bug.cgi?id=135528

        Reviewed by Gyuyoung Kim.

        * CMakeLists.txt:
        Include necessary directories and copy all necessary forwarding headers.
        Only compile UDis86Disassembler.cpp if we're using UDIS86.
        * PlatformMac.cmake: Added.
        * tools/CodeProfiling.cpp:
        Compile fix.  Include sys/time.h on darwin, too.

2014-08-04  Saam Barati  <sbarati@apple.com>

        Create a more generic way for VMEntryScope to notify those interested that it will be destroyed
        https://bugs.webkit.org/show_bug.cgi?id=135358

        Reviewed by Geoffrey Garen.

        When VMEntryScope is destroyed, and it has a flag set indicating that the
        Debugger needs to recompile all functions, it calls Debugger::recompileAllJSFunctions.
        This flag is only used by Debugger to have VMEntryScope notify it when the
        Debugger is safe to recompile all functions. This patch will substitute this
        Debugger-specific recompilation flag with a list of callbacks that are notified
        when the outermost VMEntryScope dies. This creates a general purpose interface
        for being notified when the VM stops executing code via the event of the outermost
        VMEntryScope dying.

        * debugger/Debugger.cpp:
        (JSC::Debugger::recompileAllJSFunctions):
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope):
        (JSC::VMEntryScope::addEntryScopeDidPopListener):
        (JSC::VMEntryScope::~VMEntryScope):
        * runtime/VMEntryScope.h:
        (JSC::VMEntryScope::setRecompilationNeeded): Deleted.
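The listener mechanism the entry above describes, as an added example that is not WebKit's code: an RAII VMEntryScope whose outermost instance owns a list of "did pop" callbacks, and a Debugger that defers recompilation through addEntryScopeDidPopListener() while JS is executing. VM, VMEntryScope and Debugger here are assumed, simplified stand-ins, and the recompilation itself is replaced by a counter.

```cpp
#include <functional>
#include <utility>
#include <vector>

class VMEntryScope;

struct VM {
    VMEntryScope* entryScope = nullptr;   // outermost live scope, or null when idle
    int functionsRecompiled = 0;          // demo counter standing in for real recompilation
    bool isExecutingCode() const { return entryScope != nullptr; }
};

// RAII marker for "the VM is executing JavaScript". Only the outermost instance
// owns the listener list and runs it when it pops.
class VMEntryScope {
public:
    explicit VMEntryScope(VM& vm) : m_vm(vm) {
        if (!vm.entryScope)
            vm.entryScope = this;   // we are the outermost scope
    }

    // Registration always lands on the outermost scope, whoever calls it.
    void addEntryScopeDidPopListener(std::function<void(VM&)> listener) {
        m_vm.entryScope->m_didPopListeners.push_back(std::move(listener));
    }

    ~VMEntryScope() {
        if (m_vm.entryScope != this)
            return;                      // inner scope: nothing to do
        m_vm.entryScope = nullptr;       // the VM is idle from here on
        std::vector<std::function<void(VM&)>> listeners;
        listeners.swap(m_didPopListeners);   // each listener runs once per pop
        for (auto& listener : listeners)
            listener(m_vm);
    }

private:
    VM& m_vm;
    std::vector<std::function<void(VM&)>> m_didPopListeners;
};

// The debugger must not recompile while JS frames are live, so it defers the
// request until the VM stops executing code, coalescing duplicate requests.
class Debugger {
public:
    void recompileAllJSFunctions(VM& vm) {
        if (vm.isExecutingCode()) {
            if (!m_recompilePending) {
                m_recompilePending = true;
                vm.entryScope->addEntryScopeDidPopListener([this](VM& idleVM) {
                    m_recompilePending = false;
                    recompileAllJSFunctions(idleVM);   // VM is idle now, so this proceeds
                });
            }
            return;
        }
        ++vm.functionsRecompiled;
    }
private:
    bool m_recompilePending = false;
};

struct EntryScopeDemo {
    int recompilesWhileNested = -1;   // must stay 0 while any scope is alive
    int recompilesAfterInnerPop = -1; // an inner scope popping must not trigger it
    int recompilesAfterOuterPop = -1; // exactly one recompilation for two requests
    int recompilesWhenIdle = -1;      // a request with no scope live runs immediately
};

// Constructed scenario: nested entry scopes with recompilation requested from inside.
EntryScopeDemo runEntryScopeDemo() {
    VM vm;
    Debugger debugger;
    EntryScopeDemo demo;
    {
        VMEntryScope outer(vm);
        {
            VMEntryScope inner(vm);
            debugger.recompileAllJSFunctions(vm);   // requested during nested execution
            debugger.recompileAllJSFunctions(vm);   // duplicate request is coalesced
            demo.recompilesWhileNested = vm.functionsRecompiled;
        }
        demo.recompilesAfterInnerPop = vm.functionsRecompiled;
    }
    demo.recompilesAfterOuterPop = vm.functionsRecompiled;
    debugger.recompileAllJSFunctions(vm);
    demo.recompilesWhenIdle = vm.functionsRecompiled;
    return demo;
}
```

Swapping the listener vector out before running it keeps the destructor safe if a listener registers a new callback or re-enters the VM; that detail is this example's own choice, not something the entry specifies.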

2014-08-01  Carlos Alberto Lopez Perez  <clopez@igalia.com>

        REGRESSION(r171942): [CMAKE] [GTK] build broken (clean build).
        https://bugs.webkit.org/show_bug.cgi?id=135522

        Reviewed by Martin Robinson.

        * CMakeLists.txt: Output the inspector headers inside inspector
        subdirectory.

2014-08-01  Mark Lam  <mark.lam@apple.com>

        Add some structure related assertions.
        <https://webkit.org/b/135523>

        Reviewed by Geoffrey Garen.

        Adding 2 assertions:
        1. assert that we don't index past the end of the StructureIDTable.
           This should never happen, but this assertion will help catch bugs
           where a bad structureID gets passed in.
        2. assert that cells in MarkedBlock::callDestructor() that are not
           zapped should have a non-null StructureID.  This will help us catch
           bugs where the other cell header flag bits get set after the cell is
           zapped, thereby making the cell look like an unzapped cell but has a
           null structureID.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::callDestructor):
        * runtime/StructureIDTable.h:
        (JSC::StructureIDTable::get):

2014-08-01  Csaba Osztrogonác  <ossy@webkit.org>

        URTBF after r171946 to fix non-Apple builds.

        * bytecode/InlineCallFrameSet.cpp:

2014-08-01  Mark Hahnenberg  <mhahnenberg@apple.com>

        CodeBlock fails to visit the Executables of its InlineCallFrames
        https://bugs.webkit.org/show_bug.cgi?id=135471

        Reviewed by Geoffrey Garen.

        CodeBlock needs to visit its InlineCallFrames' owner Executables. If it doesn't, they
        can be prematurely collected and cause crashes.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::stronglyVisitStrongReferences):
        * bytecode/CodeOrigin.h:
        (JSC::InlineCallFrame::visitAggregate):
        * bytecode/InlineCallFrameSet.cpp:
        (JSC::InlineCallFrameSet::visitAggregate):
        * bytecode/InlineCallFrameSet.h:

2014-08-01  Alex Christensen  <achristensen@webkit.org>

        Progress towards cmake on Windows.
        https://bugs.webkit.org/show_bug.cgi?id=135484

        Reviewed by Martin Robinson.

        * CMakeLists.txt:
        Generate code directly to inspector directory to avoid using the cp command
        which is not available on Windows.
        * PlatformWin.cmake: Added.

2014-07-31  Andreas Kling  <akling@apple.com>

        Remove the JSC::OverridesVisitChildren flag.
        <https://webkit.org/b/135489>

        Except for 3 special classes, the visitChildren() call is always
        dispatched through the method table (see SlotVisitor.cpp.)

        The OverridesVisitChildren flag doesn't actually do anything.
        It could be used to implement a non-virtual direct call to
        JSCell::visitChildren, bypassing the method table for some objects,
        but such a micro-optimization seems like a weak trade for all this
        code complexity. Instead, just remove the flag.

        This change frees up an inline flag bit in JSCell.

        Reviewed by Geoffrey Garen.

        * API/JSAPIWrapperObject.h:
        * API/JSAPIWrapperObject.mm:
        (JSC::JSAPIWrapperObject::visitChildren):
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::visitChildren):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::visitChildren):
        (JSC::UnlinkedCodeBlock::visitChildren):
        (JSC::UnlinkedProgramCodeBlock::visitChildren):
        * bytecode/UnlinkedCodeBlock.h:
        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::visitChildren):
        * debugger/DebuggerScope.h:
        * jsc.cpp:
        * runtime/Arguments.cpp:
        (JSC::Arguments::visitChildren):
        * runtime/Arguments.h:
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::visitChildren):
        (JSC::ProgramExecutable::visitChildren):
        (JSC::FunctionExecutable::visitChildren):
        * runtime/Executable.h:
        * runtime/GetterSetter.cpp:
        (JSC::GetterSetter::visitChildren):
        * runtime/GetterSetter.h:
        (JSC::GetterSetter::createStructure):
        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::createStructure):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::visitChildren):
        * runtime/JSActivation.h:
        * runtime/JSArrayIterator.cpp:
        (JSC::JSArrayIterator::visitChildren):
        * runtime/JSArrayIterator.h:
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::visitChildren):
        * runtime/JSBoundFunction.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::setStructure):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::visitChildren):
        * runtime/JSFunction.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        * runtime/JSMap.h:
        * runtime/JSMapIterator.cpp:
        (JSC::JSMapIterator::visitChildren):
        * runtime/JSMapIterator.h:
        * runtime/JSNameScope.cpp:
        (JSC::JSNameScope::visitChildren):
        * runtime/JSNameScope.h:
        * runtime/JSPromise.cpp:
        (JSC::JSPromise::visitChildren):
        * runtime/JSPromise.h:
        * runtime/JSPromiseDeferred.cpp:
        (JSC::JSPromiseDeferred::visitChildren):
        * runtime/JSPromiseDeferred.h:
        * runtime/JSPromiseReaction.cpp:
        (JSC::JSPromiseReaction::visitChildren):
        * runtime/JSPromiseReaction.h:
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::visitChildren):
        * runtime/JSPropertyNameIterator.h:
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::visitChildren):
        * runtime/JSProxy.h:
        * runtime/JSScope.cpp:
        (JSC::JSScope::visitChildren):
        * runtime/JSScope.h:
        * runtime/JSSegmentedVariableObject.cpp:
        (JSC::JSSegmentedVariableObject::visitChildren):
        * runtime/JSSegmentedVariableObject.h:
        * runtime/JSSet.h:
        * runtime/JSSetIterator.cpp:
        (JSC::JSSetIterator::visitChildren):
        * runtime/JSSetIterator.h:
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::visitChildren):
        * runtime/JSSymbolTableObject.h:
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::overridesVisitChildren): Deleted.
        * runtime/JSWeakMap.h:
        * runtime/JSWithScope.cpp:
        (JSC::JSWithScope::visitChildren):
        * runtime/JSWithScope.h:
        * runtime/JSWrapperObject.cpp:
        (JSC::JSWrapperObject::visitChildren):
        * runtime/JSWrapperObject.h:
        * runtime/MapData.h:
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::visitChildren):
        * runtime/NativeErrorConstructor.h:
        * runtime/PropertyMapHashTable.h:
        * runtime/PropertyTable.cpp:
        (JSC::PropertyTable::visitChildren):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::visitChildren):
        * runtime/RegExpConstructor.h:
        * runtime/RegExpMatchesArray.cpp:
        (JSC::RegExpMatchesArray::visitChildren):
        * runtime/RegExpMatchesArray.h:
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::visitChildren):
        * runtime/RegExpObject.h:
        * runtime/SparseArrayValueMap.h:
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::visitChildren):
        * runtime/StructureChain.cpp:
        (JSC::StructureChain::visitChildren):
        * runtime/StructureChain.h:
        * runtime/StructureRareData.cpp:
        (JSC::StructureRareData::visitChildren):
        * runtime/StructureRareData.h:
        * runtime/WeakMapData.h:

2014-07-31  Mark Lam  <mark.lam@apple.com>

        JSCell::classInfo() belongs in JSCellInlines.h.
        <https://webkit.org/b/135475>

        Reviewed by Mark Hahnenberg.
2448
2449         * runtime/JSCellInlines.h:
2450         (JSC::JSCell::classInfo):
2451         * runtime/JSDestructibleObject.h:
2452         (JSC::JSCell::classInfo): Deleted.
2453
2454 2014-07-31  Tanay C  <tanay.c@samsung.com>
2455
2456         Build warning in webkit/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
2457         https://bugs.webkit.org/show_bug.cgi?id=135414
2458
2459         Reviewed by Csaba Osztrogonác.
2460
2461         * llint/LLIntSlowPaths.cpp:
2462         (JSC::LLInt::putToScopeCommon): removed unused parameter from function definition
2463
2464 2014-07-30  Filip Pizlo  <fpizlo@apple.com>
2465
2466         NewFunctionExpression and NewFunctionNoCheck should setHaveStructures(true)
2467         https://bugs.webkit.org/show_bug.cgi?id=135430
2468
2469         Reviewed by Mark Hahnenberg.
2470
2471         We already handled this correctly after the ftlopt merge, but it's useful to have the test.
2472
2473         * tests/stress/new-function-expression-has-structures.js: Added.
2474         (foo.f):
2475         (foo.f.prototype.f):
2476         (foo):
2477
2478 2014-07-30  Andreas Kling  <akling@apple.com>
2479
2480         Speculative Windows build fix.
2481
2482         Try to dllimport the dllexported global object HashTable.
2483
2484         * jsc.cpp:
2485         * testRegExp.cpp:
2486
2487 2014-07-30  Andreas Kling  <akling@apple.com>
2488
2489         PropertyName's internal string is always atomic.
2490         <https://webkit.org/b/135451>
2491
2492         Now that we've merged the JSC::Identifier and WTF::AtomicString tables,
2493         we know that any string that's an Identifier is guaranteed to be atomic.
2494
2495         A PropertyName can be either an Identifier or a PrivateName, and the
2496         private names are also guaranteed to be atomic internally.
2497
2498         Make PropertyName vend AtomicStringImpl* instead of StringImpl*.
2499
2500         Reviewed by Benjamin Poulain.
2501
2502         * runtime/PropertyName.h:
2503         (JSC::PropertyName::PropertyName):
2504         (JSC::PropertyName::uid):
2505         (JSC::PropertyName::publicName):
2506
2507 2014-07-30  Andy Estes  <aestes@apple.com>
2508
2509         USE(CONTENT_FILTERING) should be ENABLE(CONTENT_FILTERING)
2510         https://bugs.webkit.org/show_bug.cgi?id=135439
2511
2512         Reviewed by Tim Horton.
2513
2514         We now support two different platform content filters, and will soon support a mock content filter (as part of
2515         webkit.org/b/128858). This makes content filtering a feature of WebKit, not just an adoption of a third-party
2516         library. ENABLE() is the correct macro to use for such a feature.
2517
2518         * Configurations/FeatureDefines.xcconfig:
2519
2520 2014-07-30  Andreas Kling  <akling@apple.com>
2521
2522         Static hash tables no longer need to be coupled with a VM.
2523         <https://webkit.org/b/135421>
2524
2525         Now that the static hash tables are using char** instead of StringImpl**,
2526         it's no longer necessary to make them per-VM.
2527
2528         This patch removes the hook in ClassInfo for providing your own static
2529         hash table getter. Everyone now uses ClassInfo::staticPropHashTable.
2530         Most of this patch is tweaking ClassInfo construction sites to pass one
2531         less null pointer.
2532
2533         Also simplified Lookup.h to stop requiring ExecState/VM to access the
2534         static hash tables.
2535
2536         Reviewed by Geoffrey Garen.
2537
2538         * API/JSAPIWrapperObject.mm:
2539         * API/JSCallbackConstructor.cpp:
2540         * API/JSCallbackFunction.cpp:
2541         * API/JSCallbackObject.cpp:
2542         * API/ObjCCallbackFunction.mm:
2543         * bytecode/UnlinkedCodeBlock.cpp:
2544         * create_hash_table:
2545         * debugger/DebuggerScope.cpp:
2546         * inspector/JSInjectedScriptHost.cpp:
2547         * inspector/JSInjectedScriptHostPrototype.cpp:
2548         * inspector/JSJavaScriptCallFrame.cpp:
2549         * inspector/JSJavaScriptCallFramePrototype.cpp:
2550         * interpreter/CallFrame.h:
2551         (JSC::ExecState::arrayConstructorTable): Deleted.
2552         (JSC::ExecState::arrayPrototypeTable): Deleted.
2553         (JSC::ExecState::booleanPrototypeTable): Deleted.
2554         (JSC::ExecState::dataViewTable): Deleted.
2555         (JSC::ExecState::dateTable): Deleted.
2556         (JSC::ExecState::dateConstructorTable): Deleted.
2557         (JSC::ExecState::errorPrototypeTable): Deleted.
2558         (JSC::ExecState::globalObjectTable): Deleted.
2559         (JSC::ExecState::jsonTable): Deleted.
2560         (JSC::ExecState::numberConstructorTable): Deleted.
2561         (JSC::ExecState::numberPrototypeTable): Deleted.
2562         (JSC::ExecState::objectConstructorTable): Deleted.
2563         (JSC::ExecState::privateNamePrototypeTable): Deleted.
2564         (JSC::ExecState::regExpTable): Deleted.
2565         (JSC::ExecState::regExpConstructorTable): Deleted.
2566         (JSC::ExecState::regExpPrototypeTable): Deleted.
2567         (JSC::ExecState::stringConstructorTable): Deleted.
2568         (JSC::ExecState::promisePrototypeTable): Deleted.
2569         (JSC::ExecState::promiseConstructorTable): Deleted.
2570         * jsc.cpp:
2571         * parser/Lexer.h:
2572         (JSC::Keywords::isKeyword):
2573         (JSC::Keywords::getKeyword):
2574         * runtime/Arguments.cpp:
2575         * runtime/ArgumentsIteratorConstructor.cpp:
2576         * runtime/ArgumentsIteratorPrototype.cpp:
2577         * runtime/ArrayBufferNeuteringWatchpoint.cpp:
2578         * runtime/ArrayConstructor.cpp:
2579         (JSC::ArrayConstructor::getOwnPropertySlot):
2580         * runtime/ArrayIteratorConstructor.cpp:
2581         * runtime/ArrayIteratorPrototype.cpp:
2582         * runtime/ArrayPrototype.cpp:
2583         (JSC::ArrayPrototype::getOwnPropertySlot):
2584         * runtime/BooleanConstructor.cpp:
2585         * runtime/BooleanObject.cpp:
2586         * runtime/BooleanPrototype.cpp:
2587         (JSC::BooleanPrototype::getOwnPropertySlot):
2588         * runtime/ClassInfo.h:
2589         (JSC::ClassInfo::hasStaticProperties):
2590         (JSC::ClassInfo::propHashTable): Deleted.
2591         * runtime/ConsolePrototype.cpp:
2592         * runtime/CustomGetterSetter.cpp:
2593         * runtime/DateConstructor.cpp:
2594         (JSC::DateConstructor::getOwnPropertySlot):
2595         * runtime/DateInstance.cpp:
2596         * runtime/DatePrototype.cpp:
2597         (JSC::DatePrototype::getOwnPropertySlot):
2598         * runtime/Error.cpp:
2599         * runtime/ErrorConstructor.cpp:
2600         * runtime/ErrorInstance.cpp:
2601         * runtime/ErrorPrototype.cpp:
2602         (JSC::ErrorPrototype::getOwnPropertySlot):
2603         * runtime/ExceptionHelpers.cpp:
2604         * runtime/Executable.cpp:
2605         * runtime/FunctionConstructor.cpp:
2606         * runtime/FunctionPrototype.cpp:
2607         * runtime/GetterSetter.cpp:
2608         * runtime/InternalFunction.cpp:
2609         * runtime/JSAPIValueWrapper.cpp:
2610         * runtime/JSActivation.cpp:
2611         * runtime/JSArgumentsIterator.cpp:
2612         * runtime/JSArray.cpp:
2613         * runtime/JSArrayBuffer.cpp:
2614         * runtime/JSArrayBufferConstructor.cpp:
2615         * runtime/JSArrayBufferPrototype.cpp:
2616         * runtime/JSArrayBufferView.cpp:
2617         * runtime/JSArrayIterator.cpp:
2618         * runtime/JSBoundFunction.cpp:
2619         * runtime/JSConsole.cpp:
2620         * runtime/JSDataView.cpp:
2621         * runtime/JSDataViewPrototype.cpp:
2622         (JSC::JSDataViewPrototype::getOwnPropertySlot):
2623         * runtime/JSFunction.cpp:
2624         * runtime/JSGlobalObject.cpp:
2625         (JSC::JSGlobalObject::getOwnPropertySlot):
2626         * runtime/JSMap.cpp:
2627         * runtime/JSMapIterator.cpp:
2628         * runtime/JSNameScope.cpp:
2629         * runtime/JSNotAnObject.cpp:
2630         * runtime/JSONObject.cpp:
2631         (JSC::JSONObject::getOwnPropertySlot):
2632         * runtime/JSObject.cpp:
2633         (JSC::getClassPropertyNames):
2634         (JSC::JSObject::put):
2635         (JSC::JSObject::deleteProperty):
2636         (JSC::JSObject::findPropertyHashEntry):
2637         (JSC::JSObject::reifyStaticFunctionsForDelete):
2638         * runtime/JSObject.h:
2639         * runtime/JSPromise.cpp:
2640         * runtime/JSPromiseConstructor.cpp:
2641         (JSC::JSPromiseConstructor::getOwnPropertySlot):
2642         * runtime/JSPromiseDeferred.cpp:
2643         * runtime/JSPromisePrototype.cpp:
2644         (JSC::JSPromisePrototype::getOwnPropertySlot):
2645         * runtime/JSPromiseReaction.cpp:
2646         * runtime/JSPropertyNameIterator.cpp:
2647         * runtime/JSProxy.cpp:
2648         * runtime/JSSet.cpp:
2649         * runtime/JSSetIterator.cpp:
2650         * runtime/JSString.cpp:
2651         * runtime/JSTypedArrayConstructors.cpp:
2652         * runtime/JSTypedArrayPrototypes.cpp:
2653         * runtime/JSTypedArrays.cpp:
2654         * runtime/JSVariableObject.cpp:
2655         * runtime/JSWeakMap.cpp:
2656         * runtime/JSWithScope.cpp:
2657         * runtime/Lookup.cpp:
2658         (JSC::HashTable::createTable):
2659         * runtime/Lookup.h:
2660         (JSC::HashTable::initializeIfNeeded):
2661         (JSC::HashTable::entry):
2662         (JSC::HashTable::begin):
2663         (JSC::HashTable::end):
2664         (JSC::getStaticPropertySlot):
2665         (JSC::getStaticFunctionSlot):
2666         (JSC::getStaticValueSlot):
2667         (JSC::lookupPut):
2668         * runtime/MapConstructor.cpp:
2669         * runtime/MapData.cpp:
2670         * runtime/MapIteratorConstructor.cpp:
2671         * runtime/MapIteratorPrototype.cpp:
2672         * runtime/MapPrototype.cpp:
2673         * runtime/MathObject.cpp:
2674         * runtime/NameConstructor.cpp:
2675         * runtime/NameInstance.cpp:
2676         * runtime/NamePrototype.cpp:
2677         (JSC::NamePrototype::getOwnPropertySlot):
2678         * runtime/NativeErrorConstructor.cpp:
2679         * runtime/NumberConstructor.cpp:
2680         (JSC::NumberConstructor::getOwnPropertySlot):
2681         * runtime/NumberObject.cpp:
2682         * runtime/NumberPrototype.cpp:
2683         (JSC::NumberPrototype::getOwnPropertySlot):
2684         * runtime/ObjectConstructor.cpp:
2685         (JSC::ObjectConstructor::getOwnPropertySlot):
2686         * runtime/ObjectPrototype.cpp:
2687         * runtime/PropertyTable.cpp:
2688         * runtime/RegExp.cpp:
2689         * runtime/RegExpConstructor.cpp:
2690         (JSC::RegExpConstructor::getOwnPropertySlot):
2691         * runtime/RegExpMatchesArray.cpp:
2692         * runtime/RegExpObject.cpp:
2693         (JSC::RegExpObject::getOwnPropertySlot):
2694         * runtime/RegExpPrototype.cpp:
2695         (JSC::RegExpPrototype::getOwnPropertySlot):
2696         * runtime/SetConstructor.cpp:
2697         * runtime/SetIteratorConstructor.cpp:
2698         * runtime/SetIteratorPrototype.cpp:
2699         * runtime/SetPrototype.cpp:
2700         * runtime/SparseArrayValueMap.cpp:
2701         * runtime/StrictEvalActivation.cpp:
2702         * runtime/StringConstructor.cpp:
2703         (JSC::StringConstructor::getOwnPropertySlot):
2704         * runtime/StringObject.cpp:
2705         * runtime/StringPrototype.cpp:
2706         * runtime/Structure.cpp:
2707         (JSC::Structure::Structure):
2708         (JSC::Structure::freezeTransition):
2709         (JSC::ClassInfo::hasStaticSetterOrReadonlyProperties):
2710         * runtime/StructureChain.cpp:
2711         * runtime/StructureRareData.cpp:
2712         * runtime/SymbolTable.cpp:
2713         * runtime/VM.cpp:
2714         (JSC::VM::VM):
2715         (JSC::VM::~VM):
2716         * runtime/VM.h:
2717         * runtime/WeakMapConstructor.cpp:
2718         * runtime/WeakMapData.cpp:
2719         * runtime/WeakMapPrototype.cpp:
2720         * testRegExp.cpp:
2721
2722 2014-07-29  Brent Fulgham  <bfulgham@apple.com>
2723
2724         [Win] Modify version numbering scheme to support 5-tuple versions
2725         https://bugs.webkit.org/show_bug.cgi?id=135400
2726         <rdar://problem/17849033>
2727
2728         Reviewed by David Kilzer.
2729
2730         * JavaScriptCore.vcxproj/JavaScriptCorePostBuild.cmd: Use the
2731         new version-stamp.pl script to version JavaScriptCore.dll.
2732
2733 2014-07-29  Daniel Bates  <dabates@apple.com>
2734
2735         Use WTF::move() instead of std::move() to help ensure move semantics
2736         https://bugs.webkit.org/show_bug.cgi?id=135351
2737
2738         Reviewed by Alexey Proskuryakov.
2739
2740         * bytecode/GetByIdStatus.cpp:
2741         (JSC::GetByIdStatus::computeForStubInfo):
2742         * bytecode/GetByIdVariant.cpp:
2743         (JSC::GetByIdVariant::GetByIdVariant):
2744
2745 2014-07-28  Tamas Gergely  <tgergely.u-szeged@partner.samsung.com>
2746
2747         BuildFix: JavaScriptCore/bytecode/StructureSet.h:262:77: warning.
2748         https://bugs.webkit.org/show_bug.cgi?id=135287
2749
2750         Reviewed by Darin Adler.
2751
2752         The set() method tries to use a part of the old value (the reservedFlag bit) which
2753         was not defined when the constructor is called. Initialize m_pointer to 0 explicitly.
2754
2755         * bytecode/StructureSet.h:
2756         (JSC::StructureSet::StructureSet):
2757
2758 2014-07-28  Benjamin Poulain  <bpoulain@apple.com>
2759
2760         [JSC] JIT::assertStackPointerOffset() crashes on ARM64
2761         https://bugs.webkit.org/show_bug.cgi?id=135316
2762
2763         Reviewed by Geoffrey Garen.
2764
2765         JIT::assertStackPointerOffset() does a compare between an arbitrary register
2766         and the stack pointer. This was not supported by the ARM64 assembler.
2767
2768         There is no variation that can take a stack pointer for Xd. There is one version of subs
2769         that can take a stack pointer, but only for the Xn: the shift+extend one.
2770         To solve the problem, I changed cmp to swap the registers if necessary, and I fixed
2771         the implementation of sub.
2772
2773         * assembler/ARM64Assembler.h:
2774         (JSC::ARM64Assembler::sub):
2775         In the generic sub(reg, reg), I added assertions to catch the condition that cannot be generated
2776         with either version of sub.
2777
2778         In sub(with shift), I remove the weird special case for SP. First, it was quite misleading because
2779         the Rd case only works if "setflag == false". The other confusing part is going to addSubtractShiftedRegister()
2780         gives you a reduced shift range, which could create subtle bugs that only appear when SP is used.
2781
2782         Since I removed the weird case, I need to differentiate between the sub() that supports SP, and the one that does
2783         not elsewhere. That is why that branch has moved to the generic sub(reg, reg). Since at that point we know
2784         the shift value must be zero, it is safe to call either variant.
2785
2786         * assembler/MacroAssemblerARM64.h:
2787         (JSC::MacroAssemblerARM64::branch64):
2788         With the changes described above, we can now use SP for the left register. What do we do if the rightmost
2789         register is SP?
2790
2791         For the case of JIT::assertStackPointerOffset(), the comparison is Equal so the order really does not matter,
2792         we just switch the registers before generating the instruction.
2793
2794         For the generic case, just move the value of SP to a GPR before doing the CMP.
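
        The register-31 ambiguity behind this fix, as an added example that is not part of the ChangeLog or of JSC's ARM64Assembler: a toy AArch64 SUB/SUBS encoder in which the generic sub() picks the shifted-register or extended-register form depending on whether SP is involved, and cmp() swaps operands for an equality test or copies SP to a scratch register otherwise. Register numbers, the scratch register x16 and the function names are assumptions made for this example; the opcode bit patterns are those of the AArch64 ISA.

```cpp
#include <cstdint>
#include <stdexcept>
#include <utility>
#include <vector>

// Toy encoder written for this example, not JSC's ARM64Assembler.
namespace arm64demo {

constexpr unsigned SP = 31;   // at the macro level, 31 always means "the stack pointer"
constexpr unsigned TMP = 16;  // scratch GPR used when SP is the right-hand operand (assumption)

// SUB/SUBS Xd, Xn, Xm, LSL #imm6 (shifted-register form). In this form the
// number 31 reads as XZR in Rd, Rn and Rm, so it can never touch SP.
uint32_t encodeShifted(unsigned rd, unsigned rn, unsigned rm, unsigned imm6, bool setFlags)
{
    if (imm6 > 63)
        throw std::out_of_range("imm6");
    uint32_t base = setFlags ? 0xEB000000u : 0xCB000000u;
    return base | (rm << 16) | (imm6 << 10) | (rn << 5) | rd;
}

// SUB/SUBS Xd, Xn, Xm, UXTX (extended-register form, shift amount 0). Here 31
// reads as SP in Rn, and in Rd for SUB; for SUBS, Rd=31 is still XZR (CMP).
// Rm=31 is XZR in every form: SP can never be the right-hand operand.
uint32_t encodeExtended(unsigned rd, unsigned rn, unsigned rm, bool setFlags)
{
    uint32_t base = setFlags ? 0xEB200000u : 0xCB200000u;
    return base | (rm << 16) | (3u << 13) /* option = UXTX */ | (rn << 5) | rd;
}

// Generic sub(rd, rn, rm) with a zero shift: pick the form that can express the
// operands. With setFlags, rd == SP is taken to mean "discard the result" (XZR),
// because no form can set flags and write the stack pointer at once.
uint32_t sub(unsigned rd, unsigned rn, unsigned rm, bool setFlags = false)
{
    if (rm == SP)
        throw std::logic_error("SP cannot be Rm; move it to a GPR first");
    bool rdIsSP = (rd == SP) && !setFlags;
    if (rn == SP || rdIsSP)
        return encodeExtended(rd, rn, rm, setFlags);
    return encodeShifted(rd, rn, rm, 0, setFlags);
}

// cmp(a, b) == SUBS XZR, a, b. Returns the instruction words emitted.
// If b is SP and only equality is tested, the operands are swapped (the
// assertStackPointerOffset case); otherwise SP is copied to a GPR first.
std::vector<uint32_t> cmp(unsigned a, unsigned b, bool equalityOnly = false)
{
    std::vector<uint32_t> code;
    if (b == SP && a != SP && equalityOnly)
        std::swap(a, b);
    if (b == SP) {
        // MOV Xtmp, SP is ADD Xtmp, SP, #0; the immediate form also reads Rn=31 as SP.
        code.push_back(0x91000000u | (SP << 5) | TMP);
        b = TMP;
    }
    code.push_back(sub(SP, a, b, /*setFlags=*/true));
    return code;
}

}
```

sub(0, 1, 2) yields 0xCB020020 (`sub x0, x1, x2`, shifted form), sub(0, SP, 1) yields 0xCB2163E0 (`sub x0, sp, x1`, extended form), and cmp(1, SP) without the equality hint yields `mov x16, sp` followed by `cmp x1, x16`; asking for `sub` with SP as Rm throws instead of silently encoding XZR.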
2795
2796 2014-07-28  Brian J. Burg  <burg@cs.washington.edu>
2797
2798         Unreviewed build fix after r171682.
2799
2800         * replay/EncodedValue.h: Don't mark the inlined Vector<char> specialization
2801         as an exported symbol.
2802
2803 2014-07-28  Mark Hahnenberg  <mhahnenberg@apple.com>
2804
2805         REGRESSION: JSObjectSetPrototype() does not work on result of JSGetGlobalObject()
2806         https://bugs.webkit.org/show_bug.cgi?id=135322
2807
2808         Reviewed by Oliver Hunt.
2809
2810         The prototype chain of the JSProxy object should match that of the JSGlobalObject. 
2811
2812         This is a separate but related issue with JSObjectSetPrototype which doesn't correctly 
2813         account for JSProxies. I also audited the rest of the C API to check that we correctly 
2814         handle JSProxies in all other situations where we expect a JSCallbackObject of some sort
2815         and found some SPI calls (JSObject*PrivateProperty) that didn't behave correctly when 
2816         passed a JSProxy.
2817
2818         I also added some new tests for these cases.
2819
2820         * API/JSObjectRef.cpp:
2821         (JSObjectSetPrototype):
2822         (JSObjectGetPrivateProperty):
2823         (JSObjectSetPrivateProperty):
2824         (JSObjectDeletePrivateProperty):
2825         * API/JSWeakObjectMapRefPrivate.cpp:
2826         * API/tests/CustomGlobalObjectClassTest.c:
2827         (globalObjectSetPrototypeTest):
2828         (globalObjectPrivatePropertyTest):
2829         * API/tests/CustomGlobalObjectClassTest.h:
2830         * API/tests/testapi.c:
2831         (main):
2832
2833 2014-07-28  Filip Pizlo  <fpizlo@apple.com>
2834
2835         Make sure that we don't use non-speculative BooleanToNumber for a speculative Branch
2836         https://bugs.webkit.org/show_bug.cgi?id=135350
2837         <rdar://problem/17509889>
2838
2839         Reviewed by Mark Hahnenberg and Oliver Hunt.
2840         
2841         If we have an exiting node that uses a conversion node, then that exiting node
2842         needs to have a Phantom after it for the original node. But we can't do that
2843         for Branch because https://bugs.webkit.org/show_bug.cgi?id=126778.
2844
2845         * dfg/DFGFixupPhase.cpp:
2846         (JSC::DFG::FixupPhase::fixupNode):
2847         (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
2848         * tests/stress/branch-check-int32-on-boolean-to-number-untyped.js: Added.
2849         (foo):
2850         (test):
2851         * tests/stress/branch-check-number-on-boolean-to-number-untyped.js: Added.
2852         (foo):
2853         (test):
2854
2855 2014-07-28  Joseph Pecoraro  <pecoraro@apple.com>
2856
2857         JSContext Inspector: crash when using step-into
2858         https://bugs.webkit.org/show_bug.cgi?id=135345
2859
2860         Reviewed by Timothy Hatcher.
2861
2862         * inspector/agents/InspectorDebuggerAgent.cpp:
2863         (Inspector::InspectorDebuggerAgent::stepInto):
2864         Null check m_listener since it may not be set.
2865
2866 2014-07-28  Brian J. Burg  <burg@cs.washington.edu>
2867
2868         Web Replay: auto-decoding of parameterized vector's elements is incorrect
2869         https://bugs.webkit.org/show_bug.cgi?id=135343
2870
2871         Reviewed by Timothy Hatcher.
2872
2873         Fix an incorrect type argument in EncodingTraits<Vector<T>>::encodeValue
2874         that was using the element's decoded type as the type parameter to
2875         EncodedValue::append<T>. It should instead be the raw type T. This
2876         causes problems when encoding Vector<RefPtr<T>>, as it later tries to
2877         use encoding traits for RefPtr<T> rather than for T.
2878
2879         Fix incorrect generated encoding traits argument for vectors of
2880         RefCounted objects. Updated test to cover this scenario.
2881
2882         * replay/scripts/CodeGeneratorReplayInputs.py:
2883         (Type.encoding_type_argument):
2884         (VectorType.type_name):
2885         (VectorType):
2886         (VectorType.encoding_type_argument):
2887         (Generator.generate_input_encode_implementation):
2888         (Generator.generate_input_decode_implementation):
2889         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp:
2890         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h:
2891         * replay/scripts/tests/generate-input-with-vector-members.json: Updated.
2892
2893 2014-07-28  Brian J. Burg  <burg@cs.washington.edu>
2894
2895         Web Replay: incorrect serialization code generated for enum classes inside class scope
2896         https://bugs.webkit.org/show_bug.cgi?id=135342
2897
2898         Reviewed by Timothy Hatcher.
2899
2900         If an enum class is defined inside of a class scope, then the enum class
2901         cannot be forward-declared and the relevant header should be included.
2902         Some generated code used incorrectly-scoped enum values in this situation.
2903
2904         * replay/scripts/CodeGeneratorReplayInputs.py:
2905         (Generator.generate_includes.declaration.is):
2906         (Generator.generate_enum_trait_implementation.is):
2907         (Generator.generate_enum_trait_implementation):
2908
2909         Tests:
2910
2911         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Rebaselined.
2912         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Rebaselined.
2913         * replay/scripts/tests/generate-enums-with-same-base-name.json: Add enum
2914         class types to this test case.
2915
2916 2014-07-28  Brian J. Burg  <burg@cs.washington.edu>
2917
2918         Web Replay: vectors of characters should be base64-encoded
2919         https://bugs.webkit.org/show_bug.cgi?id=135341
2920
2921         Reviewed by Timothy Hatcher.
2922
2923         Without this specialization, encode/decode methods try to create an
2924         array of single characters in JSON, rather than treating the
2925         vector as a binary blob.
2926
2927         * replay/EncodedValue.cpp:
2928         (JSC::EncodingTraits<Vector<char>>::encodeValue): Added.
2929         (JSC::EncodingTraits<Vector<char>>::decodeValue): Added.
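
        The specialization idea above, as an added example that is not part of the ChangeLog or of JSC's replay/EncodedValue code: a generic vector encoder that emits a JSON array of elements, beside a specialization for a vector of chars that treats the bytes as one binary blob and base64-encodes it into a single JSON string, with a strict decoder that rejects malformed input. Names (EncodingTraits, encodeValue, decodeValue, base64Encode, base64Decode) mirror the entry but the implementation is invented for this example; the sample blob is constructed.

```cpp
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

// Example code, not JSC's EncodedValue/EncodingTraits.
namespace replaydemo {

static const char* const kAlphabet =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// Standard base64 with '=' padding; works on arbitrary bytes, NULs included.
std::string base64Encode(const std::vector<char>& in)
{
    std::string out;
    size_t i = 0;
    for (; i + 2 < in.size(); i += 3) {
        uint32_t n = (uint8_t(in[i]) << 16) | (uint8_t(in[i + 1]) << 8) | uint8_t(in[i + 2]);
        out += kAlphabet[(n >> 18) & 63]; out += kAlphabet[(n >> 12) & 63];
        out += kAlphabet[(n >> 6) & 63];  out += kAlphabet[n & 63];
    }
    size_t rest = in.size() - i;
    if (rest == 1) {
        uint32_t n = uint8_t(in[i]) << 16;
        out += kAlphabet[(n >> 18) & 63]; out += kAlphabet[(n >> 12) & 63]; out += "==";
    } else if (rest == 2) {
        uint32_t n = (uint8_t(in[i]) << 16) | (uint8_t(in[i + 1]) << 8);
        out += kAlphabet[(n >> 18) & 63]; out += kAlphabet[(n >> 12) & 63];
        out += kAlphabet[(n >> 6) & 63];  out += '=';
    }
    return out;
}

static int sextet(char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    throw std::invalid_argument("bad base64 character");  // reject, never guess
}

// Strict decoder: length must be a multiple of 4 and padding only at the end.
std::vector<char> base64Decode(const std::string& in)
{
    if (in.size() % 4)
        throw std::invalid_argument("base64 length not a multiple of 4");
    std::vector<char> out;
    for (size_t i = 0; i < in.size(); i += 4) {
        int pad = (in[i + 3] == '=') + (in[i + 2] == '=');
        if (pad && i + 4 != in.size())
            throw std::invalid_argument("padding not at end");
        uint32_t n = (sextet(in[i]) << 18) | (sextet(in[i + 1]) << 12);
        if (pad < 2) n |= sextet(in[i + 2]) << 6;
        if (pad < 1) n |= sextet(in[i + 3]);
        out.push_back(char(n >> 16));
        if (pad < 2) out.push_back(char((n >> 8) & 0xFF));
        if (pad < 1) out.push_back(char(n & 0xFF));
    }
    return out;
}

// Generic vector encoding: one JSON value per element (fine for numbers).
template <typename T>
struct EncodingTraits {
    static std::string encodeValue(const std::vector<T>& v)
    {
        std::string s = "[";
        for (size_t i = 0; i < v.size(); ++i)
            s += (i ? "," : "") + std::to_string(v[i]);
        return s + "]";
    }
};

// The specialization: a vector<char> is a binary blob, so it becomes a single
// base64 JSON string instead of an array of single characters.
template <>
struct EncodingTraits<char> {
    static std::string encodeValue(const std::vector<char>& v) { return "\"" + base64Encode(v) + "\""; }
    static std::vector<char> decodeValue(const std::string& json)
    {
        if (json.size() < 2 || json.front() != '"' || json.back() != '"')
            throw std::invalid_argument("expected a JSON string");
        return base64Decode(json.substr(1, json.size() - 2));
    }
};

}
```

A constructed blob of bytes 00 FF 41 0A encodes to the JSON string "AP9BCg==" and decodes back to the same four bytes, while a vector of ints still encodes as a plain JSON array; a base64 string with a stray character or misplaced padding throws rather than producing a partial blob.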
2930         * replay/EncodedValue.h:
2931
2932 2014-07-28  Brent Fulgham  <bfulgham@apple.com>
2933
2934         [Win] Unreviewed build fix.
2935
2936         * JavaScriptCore.vcxproj/JavaScriptCore.proj: Switch from the 'Rebuild' target for MSBuild
2937         builds to the 'Build' target to avoid a spurious 'clean' in between build steps.
2938
2939 2014-07-27  Ryuan Choi  <ryuan.choi@samsung.com>
2940
2941         Unreviewed build fix on the EFL port
2942
2943         Build break because of -Werror=return-type
2944
2945         * bytecode/PutByIdVariant.cpp:
2946         (JSC::PutByIdVariant::oldStructureForTransition):
2947         * dfg/DFGValueStrength.h:
2948         (JSC::DFG::merge):
2949
2950 2014-07-27  Filip Pizlo  <fpizlo@apple.com>
2951
2952         [REGRESSION][ftlopt merge][32-bit] stress/prune-multi-put-by-offset-replace-or-transition-variant.js.dfg-eager hits an assertion in SpeculativeJIT::silentSavePlanForGPR
2953         https://bugs.webkit.org/show_bug.cgi?id=135323
2954
2955         Reviewed by Oliver Hunt.
2956         
2957         SpeculativeJIT::silentSavePlanForGPR likes to believe that if a node is a constant,
2958         then it's a constant that can be represented using that node's current DataFormat.
2959         This doesn't work if the constant had been filled as a JSValue, and then one of the
2960         fillSpeculateBlah() methods had speculated that it's of some type that the constant
2961         isn't. Unless fillSpeculateBlah() specifically defends against this case, we'll have
2962         a constant that claims to have a contradictory data format.
2963         
2964         This patch fixes such a bug in the 32-bit fillSpeculateCell(). The 64-bit
2965         fillSpeculateCell() appears to not have this bug, but I added a similar defense
2966         mechanism anyway just in case, since this is one of those mistakes that keeps
2967         reappearing.
2968
2969         * dfg/DFGSpeculativeJIT.cpp:
2970         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
2971         * dfg/DFGSpeculativeJIT32_64.cpp:
2972         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2973         * dfg/DFGSpeculativeJIT64.cpp:
2974         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2975
2976 2014-07-27  Filip Pizlo  <fpizlo@apple.com>
2977
2978         Merge r170090, r170092, r170129, r170141, r170161, r170215, r170275, r170375, r170376, r170382, r170383, r170399, r170436, r170489, r170490, r170556 from ftlopt.
2979         
2980         This fixes the previous mismerge and adds test coverage for the thing that went wrong.
2981         
2982         Additional changes listed here:
2983
2984         * jsc.cpp:
2985         (functionHasCustomProperties): Expose a way of checking hasCustomProperties(), which the DOM relies on. The regression I previously introduced was because this didn't work right. Now we can test it!
2986         * runtime/Structure.cpp:
2987         (JSC::Structure::Structure): This was supposed to be setDidTransition(true); the last merge had it set to false.
2988         * tests/stress/has-custom-properties.js: Added. This test failed with the mismerge.
2989
2990     2014-06-27  Michael Saboff  <msaboff@apple.com>
2991     
2992             Unreviewed build fix after r169795.
2993     
2994             Fixed ASSERT for 32 bit build.
2995     
2996             * dfg/DFGSpeculativeJIT.cpp:
2997             (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
2998     
2999     2014-06-24  Saam Barati  <sbarati@apple.com>
3000     
3001             Web Inspector: debugger should be able to show variable types
3002             https://bugs.webkit.org/show_bug.cgi?id=133395
3003     
3004             Reviewed by Filip Pizlo.
3005     
3006             Increase the amount of type information the VM gathers when directed
3007             to do so. This initial commit is working towards the goal of
3008             capturing, and then showing (via the Web Inspector) type information for all
3009             assignment and load operations. This patch doesn't have the feature fully 
3010             implemented, but it ensures the VM has no performance regressions
3011             unless the feature is specifically turned on.
3012     
3013             * JavaScriptCore.xcodeproj/project.pbxproj:
3014             * bytecode/BytecodeList.json:
3015             * bytecode/BytecodeUseDef.h:
3016             (JSC::computeUsesForBytecodeOffset):
3017             (JSC::computeDefsForBytecodeOffset):
3018             * bytecode/CodeBlock.cpp:
3019             (JSC::CodeBlock::dumpBytecode):
3020             (JSC::CodeBlock::CodeBlock):
3021             (JSC::CodeBlock::finalizeUnconditionally):
3022             * bytecode/CodeBlock.h:
3023             * bytecode/Instruction.h:
3024             * bytecode/TypeLocation.h: Added.
3025             (JSC::TypeLocation::TypeLocation):
3026             * bytecompiler/BytecodeGenerator.cpp:
3027             (JSC::BytecodeGenerator::emitMove):
3028             (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
3029             (JSC::BytecodeGenerator::emitPutToScope):
3030             (JSC::BytecodeGenerator::emitPutById):
3031             (JSC::BytecodeGenerator::emitPutByVal):
3032             * bytecompiler/BytecodeGenerator.h:
3033             (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity):
3034             * bytecompiler/NodesCodegen.cpp:
3035             (JSC::PostfixNode::emitResolve):
3036             (JSC::PrefixNode::emitResolve):
3037             (JSC::ReadModifyResolveNode::emitBytecode):
3038             (JSC::AssignResolveNode::emitBytecode):
3039             (JSC::ConstDeclNode::emitCodeSingle):
3040             (JSC::ForInNode::emitBytecode):
3041             * heap/Heap.cpp:
3042             (JSC::Heap::collect):
3043             * inspector/agents/InspectorRuntimeAgent.cpp:
3044             (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange):
3045             * inspector/agents/InspectorRuntimeAgent.h:
3046             * inspector/protocol/Runtime.json:
3047             * jsc.cpp:
3048             (GlobalObject::finishCreation):
3049             (functionDumpTypesForAllVariables):
3050             * llint/LLIntSlowPaths.cpp:
3051             (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3052             (JSC::LLInt::putToScopeCommon):
3053             * llint/LLIntSlowPaths.h:
3054             * llint/LowLevelInterpreter.asm:
3055             * runtime/HighFidelityLog.cpp: Added.
3056             (JSC::HighFidelityLog::initializeHighFidelityLog):
3057             (JSC::HighFidelityLog::~HighFidelityLog):
3058             (JSC::HighFidelityLog::recordTypeInformationForLocation):
3059             (JSC::HighFidelityLog::processHighFidelityLog):
3060             (JSC::HighFidelityLog::actuallyProcessLogThreadFunction):
3061             * runtime/HighFidelityLog.h: Added.
3062             (JSC::HighFidelityLog::HighFidelityLog):
3063             * runtime/HighFidelityTypeProfiler.cpp: Added.
3064             (JSC::HighFidelityTypeProfiler::getTypesForVariableInRange):
3065             (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableInRange):
3066             (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableInRange):
3067             (JSC::HighFidelityTypeProfiler::insertNewLocation):
3068             (JSC::HighFidelityTypeProfiler::getLocationBasedHash):
3069             * runtime/HighFidelityTypeProfiler.h: Added.
3070             * runtime/Options.h:
3071             * runtime/Structure.cpp:
3072             (JSC::Structure::toStructureShape):
3073             * runtime/Structure.h:
3074             * runtime/SymbolTable.cpp:
3075             (JSC::SymbolTable::SymbolTable):
3076             (JSC::SymbolTable::cloneCapturedNames):
3077             (JSC::SymbolTable::uniqueIDForVariable):
3078             (JSC::SymbolTable::uniqueIDForRegister):
3079             (JSC::SymbolTable::globalTypeSetForRegister):
3080             (JSC::SymbolTable::globalTypeSetForVariable):
3081             * runtime/SymbolTable.h:
3082             (JSC::SymbolTable::add):
3083             (JSC::SymbolTable::set):
3084             * runtime/TypeSet.cpp: Added.
3085             (JSC::TypeSet::TypeSet):
3086             (JSC::TypeSet::getRuntimeTypeForValue):
3087             (JSC::TypeSet::addTypeForValue):
3088             (JSC::TypeSet::removeDuplicatesInStructureHistory):
3089             (JSC::TypeSet::seenTypes):
3090             (JSC::TypeSet::dumpSeenTypes):
3091             (JSC::StructureShape::StructureShape):
3092             (JSC::StructureShape::markAsFinal):
3093             (JSC::StructureShape::addProperty):
3094             (JSC::StructureShape::propertyHash):
3095             (JSC::StructureShape::leastUpperBound):
3096             (JSC::StructureShape::stringRepresentation):
3097             * runtime/TypeSet.h: Added.
3098             (JSC::StructureShape::create):
3099             (JSC::TypeSet::create):
3100             * runtime/VM.cpp:
3101             (JSC::VM::VM):
3102             (JSC::VM::getTypesForVariableInRange):
3103             (JSC::VM::updateHighFidelityTypeProfileState):
3104             (JSC::VM::dumpHighFidelityProfilingTypes):
3105             * runtime/VM.h:
3106             (JSC::VM::isProfilingTypesWithHighFidelity):
3107             (JSC::VM::highFidelityLog):
3108             (JSC::VM::highFidelityTypeProfiler):
3109             (JSC::VM::nextLocation):
3110             (JSC::VM::getNextUniqueVariableID):
3111     
3112     2014-06-26  Mark Lam  <mark.lam@apple.com>
3113     
3114             Remove unused instantiation of the WithScope structure.
3115             <https://webkit.org/b/134331>
3116     
3117             Reviewed by Oliver Hunt.
3118     
3119             The WithScope structure instance in the VM is unused, and is now removed.
3120     
3121             * runtime/VM.cpp:
3122             (JSC::VM::VM):
3123             * runtime/VM.h:
3124     
3125     2014-06-25  Mark Hahnenberg  <mhahnenberg@apple.com>
3126     
3127             Structure bit fields should have a consistent format
3128             https://bugs.webkit.org/show_bug.cgi?id=134307
3129     
3130             Reviewed by Filip Pizlo.
3131     
3132             Currently we use C-style bit fields for a number of member variables in Structure to save space. 
3133             This makes it difficult to load these fields in the JIT. We should instead use our own bitfield 
3134             format to make it easy to load and test these variables in JIT code.
3135     
3136             * runtime/JSObject.cpp:
3137             (JSC::JSObject::putDirectNonIndexAccessor):
3138             (JSC::JSObject::reifyStaticFunctionsForDelete):
3139             * runtime/Structure.cpp:
3140             (JSC::StructureTransitionTable::contains):
3141             (JSC::StructureTransitionTable::get):
3142             (JSC::StructureTransitionTable::add):
3143             (JSC::Structure::Structure):
3144             (JSC::Structure::materializePropertyMap):
3145             (JSC::Structure::addPropertyTransition):
3146             (JSC::Structure::despecifyFunctionTransition):
3147             (JSC::Structure::toDictionaryTransition):
3148             (JSC::Structure::freezeTransition):
3149             (JSC::Structure::preventExtensionsTransition):
3150             (JSC::Structure::takePropertyTableOrCloneIfPinned):
3151             (JSC::Structure::nonPropertyTransition):
3152             (JSC::Structure::flattenDictionaryStructure):
3153             (JSC::Structure::addPropertyWithoutTransition):
3154             (JSC::Structure::pin):
3155             (JSC::Structure::allocateRareData):
3156             (JSC::Structure::cloneRareDataFrom):
3157             (JSC::Structure::getConcurrently):
3158             (JSC::Structure::putSpecificValue):
3159             (JSC::Structure::getPropertyNamesFromStructure):
3160             (JSC::Structure::visitChildren):
3161             (JSC::Structure::checkConsistency):
3162             * runtime/Structure.h:
3163             (JSC::Structure::isExtensible):
3164             (JSC::Structure::isDictionary):
3165             (JSC::Structure::isUncacheableDictionary):
3166             (JSC::Structure::propertyAccessesAreCacheable):
3167             (JSC::Structure::previousID):
3168             (JSC::Structure::setHasGetterSetterPropertiesWithProtoCheck):
3169             (JSC::Structure::setContainsReadOnlyProperties):
3170             (JSC::Structure::disableSpecificFunctionTracking):
3171             (JSC::Structure::objectToStringValue):
3172             (JSC::Structure::setObjectToStringValue):
3173             (JSC::Structure::setPreviousID):
3174             (JSC::Structure::clearPreviousID):
3175             (JSC::Structure::previous):
3176             (JSC::Structure::rareData):
3177             (JSC::Structure::didTransition): Deleted.
3178             (JSC::Structure::hasGetterSetterProperties): Deleted.
3179             (JSC::Structure::hasReadOnlyOrGetterSetterPropertiesExcludingProto): Deleted.
3180             (JSC::Structure::setHasGetterSetterProperties): Deleted.
3181             (JSC::Structure::hasNonEnumerableProperties): Deleted.
3182             (JSC::Structure::staticFunctionsReified): Deleted.
3183             (JSC::Structure::setStaticFunctionsReified): Deleted.
3184             * runtime/StructureInlines.h:
3185             (JSC::Structure::setEnumerationCache):
3186             (JSC::Structure::enumerationCache):
3187             (JSC::Structure::checkOffsetConsistency):
3188     
3189     2014-06-24  Mark Lam  <mark.lam@apple.com>
3190     
3191             [ftlopt] Renamed DebuggerActivation to DebuggerScope.
3192             <https://webkit.org/b/134273>
3193     
3194             Reviewed by Michael Saboff.
3195     
3196             * CMakeLists.txt:
3197             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3198             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3199             * JavaScriptCore.xcodeproj/project.pbxproj:
3200             * debugger/DebuggerActivation.cpp: Removed.
3201             * debugger/DebuggerActivation.h: Removed.
3202             * debugger/DebuggerScope.cpp: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.cpp.
3203             (JSC::DebuggerScope::DebuggerScope):
3204             (JSC::DebuggerScope::finishCreation):
3205             (JSC::DebuggerScope::visitChildren):
3206             (JSC::DebuggerScope::className):
3207             (JSC::DebuggerScope::getOwnPropertySlot):
3208             (JSC::DebuggerScope::put):
3209             (JSC::DebuggerScope::deleteProperty):
3210             (JSC::DebuggerScope::getOwnPropertyNames):
3211             (JSC::DebuggerScope::defineOwnProperty):
3212             (JSC::DebuggerActivation::DebuggerActivation): Deleted.
3213             (JSC::DebuggerActivation::finishCreation): Deleted.
3214             (JSC::DebuggerActivation::visitChildren): Deleted.
3215             (JSC::DebuggerActivation::className): Deleted.
3216             (JSC::DebuggerActivation::getOwnPropertySlot): Deleted.
3217             (JSC::DebuggerActivation::put): Deleted.
3218             (JSC::DebuggerActivation::deleteProperty): Deleted.
3219             (JSC::DebuggerActivation::getOwnPropertyNames): Deleted.
3220             (JSC::DebuggerActivation::defineOwnProperty): Deleted.
3221             * debugger/DebuggerScope.h: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.h.
3222             (JSC::DebuggerScope::create):
3223             (JSC::DebuggerActivation::create): Deleted.
3224             * runtime/VM.cpp:
3225             (JSC::VM::VM):
3226             * runtime/VM.h:
3227     
3228     2014-06-24  Filip Pizlo  <fpizlo@apple.com>
3229     
3230             [ftlopt] PutByIdFlush can also be converted to a PutByOffset so don't assert otherwise
3231             https://bugs.webkit.org/show_bug.cgi?id=134265
3232     
3233             Reviewed by Geoffrey Garen.
3234             
3235             More assertion fallout from the PutById folding work.
3236     
3237             * dfg/DFGNode.h:
3238             (JSC::DFG::Node::convertToPutByOffset):
3239     
3240     2014-06-24  Filip Pizlo  <fpizlo@apple.com>
3241     
3242             [ftlopt] GC should notify us if it resets to_this
3243             https://bugs.webkit.org/show_bug.cgi?id=128231
3244     
3245             Reviewed by Geoffrey Garen.
3246     
3247             * CMakeLists.txt:
3248             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3249             * JavaScriptCore.xcodeproj/project.pbxproj:
3250             * bytecode/BytecodeList.json:
3251             * bytecode/CodeBlock.cpp:
3252             (JSC::CodeBlock::dumpBytecode):
3253             (JSC::CodeBlock::finalizeUnconditionally):
3254             * bytecode/Instruction.h:
3255             * bytecode/ToThisStatus.cpp: Added.
3256             (JSC::merge):
3257             (WTF::printInternal):
3258             * bytecode/ToThisStatus.h: Added.
3259             * bytecompiler/BytecodeGenerator.cpp:
3260             (JSC::BytecodeGenerator::BytecodeGenerator):
3261             * dfg/DFGByteCodeParser.cpp:
3262             (JSC::DFG::ByteCodeParser::parseBlock):
3263             * llint/LowLevelInterpreter32_64.asm:
3264             * llint/LowLevelInterpreter64.asm:
3265             * runtime/CommonSlowPaths.cpp:
3266             (JSC::SLOW_PATH_DECL):
3267     
3268     2014-06-24  Filip Pizlo  <fpizlo@apple.com>
3269     
3270             [ftlopt] StructureAbstractValue::onlyStructure() should return nullptr if isClobbered()
3271             https://bugs.webkit.org/show_bug.cgi?id=134256
3272     
3273             Reviewed by Michael Saboff.
3274             
3275             This isn't testable right now (i.e. it's benign) but we should get it right anyway. The
3276             point is to be able to precisely model what goes on in the snippets of code between a
3277             side-effect and an InvalidationPoint.
3278             
3279             This patch also cleans up onlyStructure() by delegating more work to
3280             StructureSet::onlyStructure().
3281     
3282             * dfg/DFGStructureAbstractValue.h:
3283             (JSC::DFG::StructureAbstractValue::onlyStructure):
3284     
3285     2014-06-24  Filip Pizlo  <fpizlo@apple.com>
3286     
3287             [ftlopt][REGRESSION] PutById AI is introducing watchable structures without watching them
3288             https://bugs.webkit.org/show_bug.cgi?id=134260
3289     
3290             Reviewed by Geoffrey Garen.
3291             
3292             This was causing loads of assertion failures in debug builds.
3293     
3294             * dfg/DFGAbstractInterpreterInlines.h:
3295             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3296     
3297     2014-06-21  Filip Pizlo  <fpizlo@apple.com>
3298     
3299             [ftlopt] Fold GetById/PutById to MultiGetByOffset/GetByOffset or MultiPutByOffset/PutByOffset, which implies handling non-singleton sets
3300             https://bugs.webkit.org/show_bug.cgi?id=134090
3301     
3302             Reviewed by Oliver Hunt.
3303             
3304             This pretty much finishes off the work to eliminate the special-casing of singleton
3305             structure sets by making it possible to fold GetById and PutById to various polymorphic
3306             forms of the ByOffset nodes.
3307             
3308             * bytecode/GetByIdStatus.cpp:
3309             (JSC::GetByIdStatus::computeForStubInfo):
3310             (JSC::GetByIdStatus::computeFor):
3311             * bytecode/GetByIdStatus.h:
3312             * bytecode/PutByIdStatus.cpp:
3313             (JSC::PutByIdStatus::computeFor):
3314             * bytecode/PutByIdStatus.h:
3315             * bytecode/PutByIdVariant.h:
3316             (JSC::PutByIdVariant::constantChecks):
3317             * dfg/DFGAbstractInterpreterInlines.h:
3318             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3319             * dfg/DFGByteCodeParser.cpp:
3320             (JSC::DFG::ByteCodeParser::parseBlock):
3321             * dfg/DFGConstantFoldingPhase.cpp:
3322             (JSC::DFG::ConstantFoldingPhase::foldConstants):
3323             (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
3324             (JSC::DFG::ConstantFoldingPhase::addChecks):
3325             * dfg/DFGNode.h:
3326             (JSC::DFG::Node::convertToMultiGetByOffset):
3327             (JSC::DFG::Node::convertToMultiPutByOffset):
3328             * dfg/DFGSpeculativeJIT64.cpp: Also convert all release assertions to DFG assertions in this file, because I was hitting some of them while debugging.
3329             (JSC::DFG::SpeculativeJIT::fillJSValue):
3330             (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
3331             (JSC::DFG::SpeculativeJIT::emitCall):
3332             (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
3333             (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
3334             (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
3335             (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3336             (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3337             (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3338             (JSC::DFG::SpeculativeJIT::compileLogicalNot):
3339             (JSC::DFG::SpeculativeJIT::emitBranch):
3340             (JSC::DFG::SpeculativeJIT::compile):
3341             * dfg/DFGStructureAbstractValue.h:
3342             (JSC::DFG::StructureAbstractValue::set):
3343     
3344     2014-06-19  Filip Pizlo  <fpizlo@apple.com>
3345     
3346             [ftlopt] StructureSet::onlyStructure() should return nullptr if it's not a singleton (instead of asserting)
3347             https://bugs.webkit.org/show_bug.cgi?id=134077
3348     
3349             Reviewed by Sam Weinig.
3350             
3351             This makes StructureSet and StructureAbstractValue more consistent and fixes a debug assert
3352             in the abstract interpreter.
3353     
3354             * bytecode/StructureSet.h:
3355             (JSC::StructureSet::onlyStructure):
3356     
3357     2014-06-18  Filip Pizlo  <fpizlo@apple.com>
3358     
3359             DFG AI and constant folder should be able to precisely prune MultiGetByOffset/MultiPutByOffset even if the base structure abstract value is not a singleton
3360             https://bugs.webkit.org/show_bug.cgi?id=133918
3361     
3362             Reviewed by Mark Hahnenberg.
3363             
3364             This also adds pruning of PutStructure, since I basically had no choice but
3365             to implement such logic within MultiPutByOffset.
3366             
3367             Also adds a bunch of PutById cache status dumping to bytecode dumping.
3368     
3369             * bytecode/GetByIdVariant.cpp:
3370             (JSC::GetByIdVariant::dumpInContext):
3371             * bytecode/GetByIdVariant.h:
3372             (JSC::GetByIdVariant::structureSet):
3373             * bytecode/PutByIdVariant.h:
3374             (JSC::PutByIdVariant::oldStructure):
3375             * bytecode/StructureSet.cpp:
3376             (JSC::StructureSet::filter):
3377             (JSC::StructureSet::filterArrayModes):
3378             * bytecode/StructureSet.h:
3379             * dfg/DFGAbstractInterpreterInlines.h:
3380             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3381             * dfg/DFGAbstractValue.cpp:
3382             (JSC::DFG::AbstractValue::changeStructure):
3383             (JSC::DFG::AbstractValue::contains):
3384             * dfg/DFGAbstractValue.h:
3385             (JSC::DFG::AbstractValue::couldBeType):
3386             (JSC::DFG::AbstractValue::isType):
3387             * dfg/DFGConstantFoldingPhase.cpp:
3388             (JSC::DFG::ConstantFoldingPhase::foldConstants):
3389             (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
3390             (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
3391             (JSC::DFG::ConstantFoldingPhase::addBaseCheck):
3392             * dfg/DFGGraph.cpp:
3393             (JSC::DFG::Graph::freezeStrong):
3394             * dfg/DFGGraph.h:
3395             * dfg/DFGStructureAbstractValue.h:
3396             (JSC::DFG::StructureAbstractValue::operator=):
3397             * ftl/FTLLowerDFGToLLVM.cpp:
3398             (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
3399             * tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check.js: Added.
3400             (foo):
3401             (fu):
3402             (bar):
3403             (baz):
3404             (.bar):
3405             (.baz):
3406             * tests/stress/fold-multi-put-by-offset-to-put-by-offset-without-folding-the-structure-check.js: Added.
3407             (foo):
3408             (fu):
3409             (bar):
3410             (baz):
3411             (.bar):
3412             (.baz):
3413             * tests/stress/prune-multi-put-by-offset-replace-or-transition-variant.js: Added.
3414             (foo):
3415             (fu):
3416             (bar):
3417             (baz):
3418             (.bar):
3419             (.baz):
3420     
3421     2014-06-18  Mark Hahnenberg  <mhahnenberg@apple.com>
3422     
3423             Remove CompoundType and LeafType
3424             https://bugs.webkit.org/show_bug.cgi?id=134037
3425     
3426             Reviewed by Filip Pizlo.
3427     
3428             We don't use them for anything. We'll replace them with a generic CellType type for all 
3429             the objects that are JSCells, aren't JSObjects, and for which we generally don't care about 
3430             their JSType at runtime.
3431     
3432             * llint/LLIntData.cpp:
3433             (JSC::LLInt::Data::performAssertions):
3434             * runtime/ArrayBufferNeuteringWatchpoint.cpp:
3435             (JSC::ArrayBufferNeuteringWatchpoint::createStructure):
3436             * runtime/Executable.h:
3437             (JSC::ExecutableBase::createStructure):
3438             (JSC::NativeExecutable::createStructure):
3439             * runtime/JSPromiseDeferred.h:
3440             (JSC::JSPromiseDeferred::createStructure):
3441             * runtime/JSPromiseReaction.h:
3442             (JSC::JSPromiseReaction::createStructure):
3443             * runtime/JSPropertyNameIterator.h:
3444             (JSC::JSPropertyNameIterator::createStructure):
3445             * runtime/JSType.h:
3446             * runtime/JSTypeInfo.h:
3447             (JSC::TypeInfo::TypeInfo):
3448             * runtime/MapData.h:
3449             (JSC::MapData::createStructure):
3450             * runtime/PropertyMapHashTable.h:
3451             (JSC::PropertyTable::createStructure):
3452             * runtime/RegExp.h:
3453             (JSC::RegExp::createStructure):
3454             * runtime/SparseArrayValueMap.cpp:
3455             (JSC::SparseArrayValueMap::createStructure):
3456             * runtime/Structure.cpp:
3457             (JSC::Structure::Structure):
3458             * runtime/StructureChain.h:
3459             (JSC::StructureChain::createStructure):
3460             * runtime/StructureRareData.cpp:
3461             (JSC::StructureRareData::createStructure):
3462             * runtime/SymbolTable.h:
3463             (JSC::SymbolTable::createStructure):
3464             * runtime/WeakMapData.h:
3465             (JSC::WeakMapData::createStructure):
3466     
3467     2014-06-17  Filip Pizlo  <fpizlo@apple.com>
3468     
3469             [ftlopt] PutStructure and PhantomPutStructure shouldn't leave the world in a clobbered state
3470             https://bugs.webkit.org/show_bug.cgi?id=134002
3471     
3472             Reviewed by Mark Hahnenberg.
3473             
3474             The effect of this bug was that if we had a PutStructure or PhantomPutStructure then any
3475             JSConstants would be in a Clobbered state, so we wouldn't take advantage of our knowledge
3476             of the structure if that structure was watchable.
3477             
3478             Also kill PhantomPutStructure.
3479     
3480             * dfg/DFGAbstractInterpreterInlines.h:
3481             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3482             (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
3483             (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
3484             * dfg/DFGClobberize.h:
3485             (JSC::DFG::clobberize):
3486             * dfg/DFGDoesGC.cpp:
3487             (JSC::DFG::doesGC):
3488             * dfg/DFGFixupPhase.cpp:
3489             (JSC::DFG::FixupPhase::fixupNode):
3490             * dfg/DFGGraph.cpp:
3491             (JSC::DFG::Graph::visitChildren):
3492             * dfg/DFGNode.h:
3493             (JSC::DFG::Node::hasTransition):
3494             * dfg/DFGNodeType.h:
3495             * dfg/DFGPredictionPropagationPhase.cpp:
3496             (JSC::DFG::PredictionPropagationPhase::propagate):
3497             * dfg/DFGSafeToExecute.h:
3498             (JSC::DFG::safeToExecute):
3499             * dfg/DFGSpeculativeJIT32_64.cpp:
3500             (JSC::DFG::SpeculativeJIT::compile):
3501             * dfg/DFGSpeculativeJIT64.cpp:
3502             (JSC::DFG::SpeculativeJIT::compile):
3503             * dfg/DFGStructureAbstractValue.cpp:
3504             (JSC::DFG::StructureAbstractValue::observeTransition):
3505             (JSC::DFG::StructureAbstractValue::observeTransitions):
3506             * dfg/DFGValidate.cpp:
3507             (JSC::DFG::Validate::validate):
3508             * dfg/DFGWatchableStructureWatchingPhase.cpp:
3509             (JSC::DFG::WatchableStructureWatchingPhase::run):
3510             * ftl/FTLCapabilities.cpp:
3511             (JSC::FTL::canCompile):
3512             * ftl/FTLLowerDFGToLLVM.cpp:
3513             (JSC::FTL::LowerDFGToLLVM::compileNode):
3514             (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure): Deleted.
3515     
3516     2014-06-17  Filip Pizlo  <fpizlo@apple.com>
3517     
3518             [ftlopt] DFG put_by_id should inline accesses with a slightly polymorphic base
3519             https://bugs.webkit.org/show_bug.cgi?id=133964
3520     
3521             Reviewed by Mark Hahnenberg.
3522     
3523             * bytecode/PutByIdStatus.cpp:
3524             (JSC::PutByIdStatus::appendVariant):
3525             (JSC::PutByIdStatus::computeForStubInfo):
3526             * bytecode/PutByIdVariant.cpp:
3527             (JSC::PutByIdVariant::oldStructureForTransition):
3528             (JSC::PutByIdVariant::writesStructures):
3529             (JSC::PutByIdVariant::reallocatesStorage):
3530             (JSC::PutByIdVariant::attemptToMerge):
3531             (JSC::PutByIdVariant::attemptToMergeTransitionWithReplace):
3532             (JSC::PutByIdVariant::dumpInContext):
3533             * bytecode/PutByIdVariant.h:
3534             (JSC::PutByIdVariant::PutByIdVariant):
3535             (JSC::PutByIdVariant::replace):
3536             (JSC::PutByIdVariant::transition):
3537             (JSC::PutByIdVariant::structure):
3538             (JSC::PutByIdVariant::oldStructure):
3539             * dfg/DFGAbstractInterpreterInlines.h:
3540             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3541             * dfg/DFGByteCodeParser.cpp:
3542             (JSC::DFG::ByteCodeParser::handlePutById):
3543             (JSC::DFG::ByteCodeParser::parseBlock):
3544             * dfg/DFGConstantFoldingPhase.cpp:
3545             (JSC::DFG::ConstantFoldingPhase::foldConstants):
3546             (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
3547             * dfg/DFGGraph.cpp:
3548             (JSC::DFG::Graph::visitChildren):
3549             * dfg/DFGNode.cpp:
3550             (JSC::DFG::MultiPutByOffsetData::writesStructures):
3551             (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
3552             * ftl/FTLAbbreviations.h:
3553             (JSC::FTL::getLinkage):
3554             * ftl/FTLLowerDFGToLLVM.cpp:
3555             (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
3556             (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):
3557     
3558 2014-07-26  Filip Pizlo  <fpizlo@apple.com>
3559
3560         Unreviewed, roll out r171641-r171644. It broke some tests; will investigate and
3561         reland later.
3562
3563         * CMakeLists.txt:
3564         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3565         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3566         * JavaScriptCore.xcodeproj/project.pbxproj:
3567         * bytecode/BytecodeList.json:
3568         * bytecode/BytecodeUseDef.h:
3569         (JSC::computeUsesForBytecodeOffset):
3570         (JSC::computeDefsForBytecodeOffset):
3571         * bytecode/CodeBlock.cpp:
3572         (JSC::CodeBlock::dumpBytecode):
3573         (JSC::CodeBlock::CodeBlock):
3574         (JSC::CodeBlock::finalizeUnconditionally):
3575         (JSC::CodeBlock::printPutByIdCacheStatus): Deleted.
3576         * bytecode/CodeBlock.h:
3577         * bytecode/GetByIdStatus.cpp:
3578         (JSC::GetByIdStatus::computeForStubInfo):
3579         (JSC::GetByIdStatus::computeFor):
3580         * bytecode/GetByIdStatus.h:
3581         * bytecode/GetByIdVariant.cpp:
3582         (JSC::GetByIdVariant::dumpInContext):
3583         * bytecode/GetByIdVariant.h:
3584         (JSC::GetByIdVariant::structureSet):
3585         * bytecode/Instruction.h:
3586         * bytecode/PutByIdStatus.cpp:
3587         (JSC::PutByIdStatus::appendVariant):
3588         (JSC::PutByIdStatus::computeForStubInfo):
3589         (JSC::PutByIdStatus::computeFor):
3590         * bytecode/PutByIdStatus.h:
3591         * bytecode/PutByIdVariant.cpp:
3592         (JSC::PutByIdVariant::dumpInContext):
3593         (JSC::PutByIdVariant::oldStructureForTransition): Deleted.
3594         (JSC::PutByIdVariant::writesStructures): Deleted.
3595         (JSC::PutByIdVariant::reallocatesStorage): Deleted.
3596         (JSC::PutByIdVariant::attemptToMerge): Deleted.
3597         (JSC::PutByIdVariant::attemptToMergeTransitionWithReplace): Deleted.
3598         * bytecode/PutByIdVariant.h:
3599         (JSC::PutByIdVariant::PutByIdVariant):
3600         (JSC::PutByIdVariant::replace):
3601         (JSC::PutByIdVariant::transition):
3602         (JSC::PutByIdVariant::structure):
3603         (JSC::PutByIdVariant::oldStructure):
3604         (JSC::PutByIdVariant::newStructure):
3605         (JSC::PutByIdVariant::constantChecks):
3606         * bytecode/StructureSet.cpp:
3607         (JSC::StructureSet::filter): Deleted.
3608         (JSC::StructureSet::filterArrayModes): Deleted.
3609         * bytecode/StructureSet.h:
3610         (JSC::StructureSet::onlyStructure):
3611         * bytecode/ToThisStatus.cpp: Removed.
3612         * bytecode/ToThisStatus.h: Removed.
3613         * bytecode/TypeLocation.h: Removed.
3614         * bytecompiler/BytecodeGenerator.cpp:
3615         (JSC::BytecodeGenerator::BytecodeGenerator):
3616         (JSC::BytecodeGenerator::emitMove):
3617         (JSC::BytecodeGenerator::emitPutToScope):
3618         (JSC::BytecodeGenerator::emitPutById):
3619         (JSC::BytecodeGenerator::emitPutByVal):
3620         (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity): Deleted.
3621         * bytecompiler/BytecodeGenerator.h:
3622         (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity): Deleted.
3623         * bytecompiler/NodesCodegen.cpp:
3624         (JSC::PostfixNode::emitResolve):
3625         (JSC::PrefixNode::emitResolve):
3626         (JSC::ReadModifyResolveNode::emitBytecode):
3627         (JSC::AssignResolveNode::emitBytecode):
3628         (JSC::ConstDeclNode::emitCodeSingle):
3629         (JSC::ForInNode::emitBytecode):
3630         * debugger/DebuggerActivation.cpp: Added.
3631         (JSC::DebuggerActivation::DebuggerActivation):
3632         (JSC::DebuggerActivation::finishCreation):
3633         (JSC::DebuggerActivation::visitChildren):
3634         (JSC::DebuggerActivation::className):
3635         (JSC::DebuggerActivation::getOwnPropertySlot):
3636         (JSC::DebuggerActivation::put):
3637         (JSC::DebuggerActivation::deleteProperty):
3638         (JSC::DebuggerActivation::getOwnPropertyNames):
3639         (JSC::DebuggerActivation::defineOwnProperty):
3640         * debugger/DebuggerActivation.h: Added.
3641         (JSC::DebuggerActivation::create):
3642         (JSC::DebuggerActivation::createStructure):
3643         * debugger/DebuggerScope.cpp: Removed.
3644         * debugger/DebuggerScope.h: Removed.
3645         * dfg/DFGAbstractInterpreterInlines.h:
3646         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3647         (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
3648         (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
3649         * dfg/DFGAbstractValue.cpp:
3650         (JSC::DFG::AbstractValue::changeStructure): Deleted.
3651         (JSC::DFG::AbstractValue::contains): Deleted.
3652         * dfg/DFGAbstractValue.h:
3653         (JSC::DFG::AbstractValue::couldBeType):
3654         (JSC::DFG::AbstractValue::isType):
3655         * dfg/DFGByteCodeParser.cpp:
3656         (JSC::DFG::ByteCodeParser::handlePutById):
3657         (JSC::DFG::ByteCodeParser::parseBlock):
3658         * dfg/DFGClobberize.h:
3659         (JSC::DFG::clobberize):
3660         * dfg/DFGConstantFoldingPhase.cpp:
3661         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3662         (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
3663         (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
3664         (JSC::DFG::ConstantFoldingPhase::addBaseCheck): Deleted.
3665         (JSC::DFG::ConstantFoldingPhase::addChecks): Deleted.
3666         * dfg/DFGDoesGC.cpp:
3667         (JSC::DFG::doesGC):
3668         * dfg/DFGFixupPhase.cpp:
3669         (JSC::DFG::FixupPhase::fixupNode):
3670         * dfg/DFGGraph.cpp:
3671         (JSC::DFG::Graph::visitChildren):
3672         (JSC::DFG::Graph::freezeStrong):
3673