3f937d25897e67a2f5354ebf913b55d779bd0394
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-09-10  Akos Kiss  <akiss@inf.u-szeged.hu>

        Apply ARM64-specific lowering to load/store instructions in offlineasm
        https://bugs.webkit.org/show_bug.cgi?id=136569

        Reviewed by Michael Saboff.

        The standard RISC lowering of load/store instructions with base +
        immediate offset addresses is to move the offset to a temporary, add the
        base to the temporary, and then change the load/store to use the
        temporary + 0 immediate offset address. However, on ARM64, base +
        register offset addressing mode is available, so it is unnecessary to
        perform explicit register additions but it is enough to change load/store
        to use base + temporary as the address.

        * offlineasm/arm64.rb: Added arm64LowerMalformedLoadStoreAddresses

2014-09-10  Oliver Hunt  <oliver@apple.com>

        Rename JSVariableObject to JSEnvironmentRecord to align naming with ES spec
        https://bugs.webkit.org/show_bug.cgi?id=136710

        Reviewed by Anders Carlsson.

        This is a trivial rename.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLAbstractHeapRepository.cpp:
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters):
        * jit/JITOpcodes32_64.cpp:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitGetClosureVar):
        (JSC::JIT::emitPutClosureVar):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitGetClosureVar):
        (JSC::JIT::emitPutClosureVar):
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::getOwnNonIndexPropertyNames):
        * runtime/JSActivation.h:
        * runtime/JSEnvironmentRecord.cpp: Renamed from Source/JavaScriptCore/runtime/JSVariableObject.cpp.
        * runtime/JSEnvironmentRecord.h: Renamed from Source/JavaScriptCore/runtime/JSVariableObject.h.
        (JSC::JSEnvironmentRecord::registers):
        (JSC::JSEnvironmentRecord::registerAt):
        (JSC::JSEnvironmentRecord::addressOfRegisters):
        (JSC::JSEnvironmentRecord::offsetOfRegisters):
        (JSC::JSEnvironmentRecord::JSEnvironmentRecord):
        * runtime/JSNameScope.h:
        * runtime/JSSegmentedVariableObject.h:

2014-09-10  Julien Brianceau  <jbriance@cisco.com>

        [mips] Add missing parts and fix LLINT mips backend
        https://bugs.webkit.org/show_bug.cgi?id=136706

        Reviewed by Michael Saboff.

        * llint/LowLevelInterpreter.asm: Fix invalid CalleeSave register number.
        Implement initPCRelative and setEntryAddress macros.
        * llint/LowLevelInterpreter32_64.asm: Fix register distribution in
        doVMEntry macro.

2014-09-10  Saam Barati  <saambarati1@gmail.com>

        TypeSet needs a mode where it no longer profiles structure shapes
        https://bugs.webkit.org/show_bug.cgi?id=136263

        Reviewed by Filip Pizlo.

        The TypeSet data structure used to gather as many StructureShape
        objects as it encountered during type profiling. But, this meant
        that there was no upper limit on how many objects it could allocate.
        This patch places a fixed upper bound on the number of StructureShapes
        allocated per TypeSet to prevent using too much memory for little gain
        in type profiling usefulness.

        StructureShape objects are now also aware of when they are created
        from Structures which are dictionaries.

        In total, this patch lays the final groundwork needed in refactoring
        the inspector protocol for the type profiler.

        * runtime/Structure.cpp:
        (JSC::Structure::toStructureShape):
        * runtime/TypeProfiler.cpp:
        (JSC::TypeProfiler::typeInformationForExpressionAtOffset):
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::TypeSet):
        (JSC::TypeSet::addTypeInformation):
        (JSC::StructureShape::StructureShape):
        (JSC::StructureShape::toJSONString):
        (JSC::StructureShape::enterDictionaryMode):
        * runtime/TypeSet.h:
        (JSC::TypeSet::isOverflown):
        * tests/typeProfiler/dictionary-mode.js: Added.
        (wrapper):
        * tests/typeProfiler/driver/driver.js:
        * tests/typeProfiler/overflow.js: Added.
        (wrapper.Proto):
        (wrapper):

2014-09-10  Peter Gal  <galpeter@inf.u-szeged.hu>

        [MIPS] branch32WithPatch missing
        https://bugs.webkit.org/show_bug.cgi?id=136696

        Reviewed by Michael Saboff.

        Added the missing branch32WithPatch. The implementation
        is currently the same as the branchPtrWithPatch because
        the macro assembler supports only 32 bit MIPS.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::branch32WithPatch):

2014-09-10  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        Fix !ENABLE(DFG_JIT) build
        https://bugs.webkit.org/show_bug.cgi?id=136702

        Reviewed by Michael Saboff.

        * bytecode/CallEdgeProfile.h:

2014-09-09  Benjamin Poulain  <bpoulain@apple.com>

        Disable the "unreachable-code" warning
        https://bugs.webkit.org/show_bug.cgi?id=136677

        Reviewed by Darin Adler.

        * Configurations/Base.xcconfig:

2014-09-08  Filip Pizlo  <fpizlo@apple.com>

        DFG should have a reusable SSA builder
        https://bugs.webkit.org/show_bug.cgi?id=136331

        Reviewed by Oliver Hunt.

        We want to implement sophisticated SSA transformations like object allocation sinking
        (https://bugs.webkit.org/show_bug.cgi?id=136330), but to do that, we need to be able to do
        updates to SSA that require inserting new Phi's. This requires calculating where Phis go.
        Previously, our Phi calculation was based on Aycock and Horspool's algorithm, and our
        implementation of this algorithm only worked when doing CPS->SSA conversion. The code
        could not be reused for cases where some phase happens to know that it introduced a few
        defs in some blocks and it wants to figure out where the Phis should go. Moreover, even
        the general algorithm of Aycock and Horspool is not well suited to such targeted SSA
        updates, since it requires first inserting maximal Phis. That scales well when the Phis
        were already there (like in our CPS form) but otherwise it's quite unnatural and may be
        difficult to make efficient.

        The usual way of handling both SSA conversion and SSA update is to use Cytron et al's
        algorithm based on dominance frontiers. For a while now, I've been working on creating a
        Cytron-based SSA calculator that can be used both as a replacement for our current SSA
        converter and as a reusable tool for any phase that needs to do SSA update. I previously
        optimized our dominator calculation and representation to use dominator trees computed
        using Lengauer and Tarjan's algorithm - mainly to make it more scalable to enumerate over
        the set of blocks that dominate you or vice-versa, and then I implemented a dominance
        frontier calculator. This patch implements the final step towards making SSA update
        available to all SSA phases: it implements an SSACalculator that can tell you where Phis
        go when given an arbitrary set of Defs. To keep things simple, and to ensure that we have
        good test coverage for this SSACalculator, this patch replaces the old Aycock-Horspool
        SSA converter with one based on the SSACalculator.

        This has no observable impact. It does reduce the amount of code in SSAConversionPhase.
        But even better, it makes SSAConversionPhase have significantly less tricky logic. It
        mostly just relies on SSACalculator to do the tricky stuff, and SSAConversionPhase mostly
        just reasons about the weirdnesses unique to the ThreadedCPS form that it sees as input.
        In fact, using the Cytron et al approach means that there isn't really any "smoke and
        mirrors" trickiness related to SSA. SSACalculator's only "tricks" are using the pruned
        iterated dominance frontier to place Phi's and using the dom tree to find reaching defs.
        The complexity is mostly confined to Dominators, which computes various dominator-related
        properties over the control flow graph. That class can be difficult to understand, but at
        least it follows well-known graph theory wisdom.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAnalysis.h:
        * dfg/DFGCSEPhase.cpp:
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::run):
        * dfg/DFGDominators.h:
        (JSC::DFG::Dominators::immediateDominatorOf):
        (JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOf):
        (JSC::DFG::Dominators::forAllBlocksInPrunedIteratedDominanceFrontierOf):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::blocksInPreOrder):
        (JSC::DFG::Graph::blocksInPostOrder):
        (JSC::DFG::Graph::getBlocksInPreOrder): Deleted.
        (JSC::DFG::Graph::getBlocksInPostOrder): Deleted.
        * dfg/DFGGraph.h:
        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::run):
        * dfg/DFGNodeFlags.h:
        * dfg/DFGPhase.cpp:
        (JSC::DFG::Phase::beginPhase):
        (JSC::DFG::Phase::endPhase):
        * dfg/DFGPhase.h:
        * dfg/DFGSSACalculator.cpp: Added.
        (JSC::DFG::SSACalculator::Variable::dump):
        (JSC::DFG::SSACalculator::Variable::dumpVerbose):
        (JSC::DFG::SSACalculator::Def::dump):
        (JSC::DFG::SSACalculator::SSACalculator):
        (JSC::DFG::SSACalculator::~SSACalculator):
        (JSC::DFG::SSACalculator::newVariable):
        (JSC::DFG::SSACalculator::newDef):
        (JSC::DFG::SSACalculator::nonLocalReachingDef):
        (JSC::DFG::SSACalculator::reachingDefAtTail):
        (JSC::DFG::SSACalculator::dump):
        * dfg/DFGSSACalculator.h: Added.
        (JSC::DFG::SSACalculator::Variable::index):
        (JSC::DFG::SSACalculator::Variable::Variable):
        (JSC::DFG::SSACalculator::Def::variable):
        (JSC::DFG::SSACalculator::Def::block):
        (JSC::DFG::SSACalculator::Def::value):
        (JSC::DFG::SSACalculator::Def::Def):
        (JSC::DFG::SSACalculator::variable):
        (JSC::DFG::SSACalculator::computePhis):
        (JSC::DFG::SSACalculator::phisForBlock):
        (JSC::DFG::SSACalculator::reachingDefAtHead):
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::SSAConversionPhase):
        (JSC::DFG::SSAConversionPhase::run):
        (JSC::DFG::SSAConversionPhase::forwardPhiChildren): Deleted.
        (JSC::DFG::SSAConversionPhase::forwardPhi): Deleted.
        (JSC::DFG::SSAConversionPhase::forwardPhiEdge): Deleted.
        (JSC::DFG::SSAConversionPhase::deduplicateChildren): Deleted.
        * dfg/DFGSSAConversionPhase.h:
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::Validate):
        (JSC::DFG::Validate::dumpGraphIfAppropriate):
        (JSC::DFG::validate):
        * dfg/DFGValidate.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        * runtime/Options.h:

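The Cytron-style Phi placement described in the SSA builder entry above, as an added example that is not JavaScriptCore's SSACalculator or Dominators code. It assumes a small constructed CFG (blocks 0..5, entry 0, a diamond inside a loop), a variable defined in blocks 0 and 2, and hypothetical helper names; dominators are computed with the textbook iterative set intersection rather than Lengauer-Tarjan, the iterated dominance frontier is unpruned (no liveness), and all blocks are assumed reachable.

```cpp
// Added example, not JavaScriptCore code: Cytron-style Phi placement.
// Blocks are integers 0..n-1 and block 0 is the entry; the CFG, the
// variable's def blocks and the helper names are all constructed here.
#include <algorithm>
#include <cstdio>
#include <iterator>
#include <set>
#include <vector>

struct CFG {
    std::vector<std::vector<int>> succ; // successors of each block
    std::vector<std::vector<int>> pred; // predecessors of each block
    explicit CFG(int n) : succ(n), pred(n) {}
    void edge(int a, int b) { succ[a].push_back(b); pred[b].push_back(a); }
    int size() const { return (int)succ.size(); }
};

// Constructed CFG: 0 -> 1; 1 -> 2, 3; 2 -> 4; 3 -> 4; 4 -> 5 and back to 1.
CFG exampleCFG() {
    CFG g(6);
    g.edge(0, 1); g.edge(1, 2); g.edge(1, 3); g.edge(2, 4);
    g.edge(3, 4); g.edge(4, 5); g.edge(4, 1);
    return g;
}

// Immediate dominators via iterative set intersection (simpler than the
// Lengauer-Tarjan tree JSC builds; same answer). idom[0] is 0 for the entry.
std::vector<int> computeIdom(const CFG& g) {
    int n = g.size();
    std::set<int> all;
    for (int i = 0; i < n; ++i) all.insert(i);
    std::vector<std::set<int>> dom(n, all);
    dom[0] = {0};
    for (bool changed = true; changed;) {
        changed = false;
        for (int b = 1; b < n; ++b) {
            std::set<int> d = all;
            for (int p : g.pred[b]) { // dom(b) = {b} U intersection of dom(preds)
                std::set<int> tmp;
                std::set_intersection(d.begin(), d.end(), dom[p].begin(), dom[p].end(),
                                      std::inserter(tmp, tmp.begin()));
                d.swap(tmp);
            }
            d.insert(b);
            if (d != dom[b]) { dom[b] = d; changed = true; }
        }
    }
    std::vector<int> idom(n, 0);
    for (int b = 1; b < n; ++b) {
        // The idom is the strict dominator that every other strict dominator dominates.
        for (int c : dom[b]) {
            if (c == b) continue;
            bool ok = true;
            for (int d : dom[b])
                if (d != b && !dom[c].count(d)) { ok = false; break; }
            if (ok) { idom[b] = c; break; }
        }
    }
    return idom;
}

// Dominance frontiers (Cytron et al.): from each predecessor of a join block,
// walk up the dominator tree until the join block's idom is reached.
std::vector<std::set<int>> dominanceFrontiers(const CFG& g, const std::vector<int>& idom) {
    std::vector<std::set<int>> df(g.size());
    for (int b = 0; b < g.size(); ++b) {
        if (g.pred[b].size() < 2) continue;
        for (int p : g.pred[b])
            for (int runner = p; runner != idom[b]; runner = idom[runner])
                df[runner].insert(b);
    }
    return df;
}

// Blocks needing a Phi for a variable defined in defBlocks: the iterated
// dominance frontier. Each placed Phi is itself a def, hence the worklist.
std::set<int> phiBlocks(const std::vector<std::set<int>>& df, const std::set<int>& defBlocks) {
    std::set<int> phis;
    std::set<int> seen = defBlocks;
    std::vector<int> work(defBlocks.begin(), defBlocks.end());
    while (!work.empty()) {
        int b = work.back();
        work.pop_back();
        for (int f : df[b])
            if (phis.insert(f).second && seen.insert(f).second)
                work.push_back(f);
    }
    return phis;
}

// Reaching def at the head of `block`: the nearest strict dominator that
// defines the variable (defs include the Phi blocks). -1 means no def reaches.
int reachingDefAtHead(const std::vector<int>& idom, const std::set<int>& defs, int block) {
    for (int c = block; c != 0;) {
        c = idom[c];
        if (defs.count(c)) return c;
    }
    return -1;
}

int main() {
    CFG g = exampleCFG();
    std::vector<int> idom = computeIdom(g);
    std::vector<std::set<int>> df = dominanceFrontiers(g, idom);
    std::set<int> defs = {0, 2}; // the variable is defined in blocks 0 and 2
    std::set<int> phis = phiBlocks(df, defs);
    for (int b : phis) std::printf("Phi needed at block %d\n", b);
    defs.insert(phis.begin(), phis.end());
    std::printf("reaching def at head of block 3: %d\n", reachingDefAtHead(idom, defs, 3));
    return 0;
}
```

With defs in blocks 0 and 2 the Phis land at block 4 (the diamond's join) and, because that Phi is a new def whose frontier is the loop header, at block 1 as well; the reaching def at the head of block 3 is then the Phi in block 1. The pruned variant the entry mentions would additionally skip any frontier block where the variable is not live-in, which needs a liveness analysis this example does not include.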
2014-09-08  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r173402.
        https://bugs.webkit.org/show_bug.cgi?id=136649

        Breaking build with error "unable to restore file position to
        0x00000c60 for section __DWARF.__debug_info (errno = 9)"
        (Requested by mlam_ on #webkit).

        Reverted changeset:

        "Move CallFrame and Register inline functions out of
        JSScope.h."
        https://bugs.webkit.org/show_bug.cgi?id=136579
        http://trac.webkit.org/changeset/173402

2014-09-08  Mark Lam  <mark.lam@apple.com>

        Move CallFrame and Register inline functions out of JSScope.h.
        <https://webkit.org/b/136579>

        Reviewed by Geoffrey Garen.

        This includes fixing up some files to #include JSCInlines.h to pick up
        these inline functions.  I also added JSCellInlines.h to JSCInlines.h
        since it is included from many of the affected .cpp files.

        * API/ObjCCallbackFunction.mm:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bindings/ScriptValue.cpp:
        * inspector/InjectedScriptHost.cpp:
        * inspector/InjectedScriptManager.cpp:
        * inspector/JSGlobalObjectInspectorController.cpp:
        * inspector/JSJavaScriptCallFrame.cpp:
        * inspector/ScriptDebugServer.cpp:
        * interpreter/CallFrameInlines.h:
        (JSC::CallFrame::vm):
        (JSC::CallFrame::lexicalGlobalObject):
        (JSC::CallFrame::globalThisValue):
        * interpreter/RegisterInlines.h: Added.
        (JSC::Register::operator=):
        (JSC::Register::scope):
        * runtime/ArgumentsIteratorConstructor.cpp:
        * runtime/JSArrayIterator.cpp:
        * runtime/JSCInlines.h:
        * runtime/JSCJSValue.cpp:
        * runtime/JSMapIterator.cpp:
        * runtime/JSPromiseConstructor.cpp:
        * runtime/JSPromiseDeferred.cpp:
        * runtime/JSPromiseFunctions.cpp:
        * runtime/JSPromisePrototype.cpp:
        * runtime/JSPromiseReaction.cpp:
        * runtime/JSScope.h:
        (JSC::Register::operator=): Deleted.
        (JSC::Register::scope): Deleted.
        (JSC::ExecState::vm): Deleted.
        (JSC::ExecState::lexicalGlobalObject): Deleted.
        (JSC::ExecState::globalThisValue): Deleted.
        * runtime/JSSetIterator.cpp:
        * runtime/MapConstructor.cpp:
        * runtime/MapData.cpp:
        * runtime/MapIteratorPrototype.cpp:
        * runtime/MapPrototype.cpp:
        * runtime/SetConstructor.cpp:
        * runtime/SetIteratorPrototype.cpp:
        * runtime/SetPrototype.cpp:
        * runtime/WeakMapConstructor.cpp:
        * runtime/WeakMapPrototype.cpp:

2014-09-08  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        Remove FILTERS flag
        https://bugs.webkit.org/show_bug.cgi?id=136571

        Reviewed by Darin Adler.

        * Configurations/FeatureDefines.xcconfig:

2014-09-08  Saam Barati  <saambarati1@gmail.com>

        Merge StructureShapes that share the same prototype chain
        https://bugs.webkit.org/show_bug.cgi?id=136549

        Reviewed by Filip Pizlo.

        Instead of keeping track of many discrete StructureShapes that share
        the same prototype chain, TypeSet should merge StructureShapes that
        have the same prototype chain and provide a new member variable for
        optional structure fields. This provides a cleaner and more concise
        interface for dealing with StructureShapes within TypeSet. Instead
        of having many discrete shapes that are almost identical, almost
        identical shapes will be merged together with an interface for
        understanding what fields the shapes being merged together differ in.

        * runtime/TypeSet.cpp:
        (JSC::TypeSet::addTypeInformation):
        (JSC::StructureShape::addProperty):
        (JSC::StructureShape::toJSONString):
        (JSC::StructureShape::inspectorRepresentation):
        (JSC::StructureShape::hasSamePrototypeChain):
        (JSC::StructureShape::merge):
        * runtime/TypeSet.h:
        * tests/typeProfiler/optional-fields.js: Added.
        (wrapper.func):
        (wrapper):

2014-09-08  Jessie Berlin  <jberlin@apple.com>

        More 32-bit Release build fixes after r173364.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2014-09-07  Maciej Stachowiak  <mjs@apple.com>

        Fix typos in last patch to fix build.

        Unreviewed build fix.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
        (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):

2014-09-07  Maciej Stachowiak  <mjs@apple.com>

        Introduce COMPILER_QUIRK(CONSIDERS_UNREACHABLE_CODE) and use it
        https://bugs.webkit.org/show_bug.cgi?id=136616

        Reviewed by Darin Adler.

        Many compilers will analyze unreachable code paths (e.g. after an
        unreachable code path), so sometimes they need dead code initializations.
        But clang with suitable warnings will complain about unreachable code. So
        use the quirk to include it conditionally.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdOp):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::handleExitCounts):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThread):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
        * jsc.cpp:
        * runtime/JSArray.cpp:
        (JSC::JSArray::fillArgList):
        (JSC::JSArray::copyToArguments):
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):

2014-09-06  Darin Adler  <darin@apple.com>

        Make updates suggested by new version of Xcode
        https://bugs.webkit.org/show_bug.cgi?id=136603

        Reviewed by Mark Rowe.

        * Configurations/Base.xcconfig: Added CLANG_WARN_UNREACHABLE_CODE, COMBINE_HIDPI_IMAGES,
        and ENABLE_STRICT_OBJC_MSGSEND as suggested by Xcode upgrade check.

        * JavaScriptCore.xcodeproj/project.pbxproj: Update LastUpgradeCheck.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode): Compile out unreachable code
        for clang, since it understands the code is unreachable.
        * runtime/JSArray.cpp:
        (JSC::JSArray::fillArgList): Ditto.
        (JSC::JSArray::copyToArguments): Ditto.

2014-09-05  Matt Baker  <mattbaker@apple.com>

        Web Inspector: breakpoint actions should work regardless of Content Security Policy
        https://bugs.webkit.org/show_bug.cgi?id=136542

        Reviewed by Mark Lam.

        Added JSC::DebuggerEvalEnabler, an RAII object which enables eval on a
        JSGlobalObject for the duration of a scope, returning the eval enabled state to its
        original value when the scope exits. Used by JSC::DebuggerCallFrame::evaluate
        to allow breakpoint actions to execute JS in pages with a Content Security Policy
        that would normally prohibit this (such as Inspector's Main.html).

        Refactored Inspector::InjectedScriptBase to use the RAII object instead of manually
        setting eval enabled and then resetting the original eval enabled state.

        NOTE: The JSC::DebuggerEvalEnabler constructor checks the passed-in ExecState pointer
        for null to be equivalent with the original code in Inspector::InjectedScriptBase.
        InjectedScriptBase is getting the ExecState from ScriptObject::scriptState(), which
        can currently be null.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::evaluate):
        * debugger/DebuggerEvalEnabler.h: Added.
        (JSC::DebuggerEvalEnabler::DebuggerEvalEnabler):
        (JSC::DebuggerEvalEnabler::~DebuggerEvalEnabler):
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):

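A scope-bounded RAII enabler of the kind the breakpoint-actions entry above describes, as an added example that is not JSC's DebuggerEvalEnabler. FakeGlobalObject, ScopedEvalEnabler and the helper functions are hypothetical stand-ins for the JSGlobalObject eval flag and the debugger's use of it; the example shows the properties a reviewer would want from such a guard: the prior state is restored on every exit path, including an exception, an already-enabled state is not clobbered, and a null object is tolerated as the NOTE in the entry describes.

```cpp
// Added example, not JavaScriptCore's DebuggerEvalEnabler: a hypothetical RAII
// guard that turns eval on for one scope and restores the prior state.
#include <cstdio>
#include <stdexcept>

// Hypothetical stand-in for the JSGlobalObject's eval-enabled flag.
struct FakeGlobalObject {
    bool evalEnabled = false; // false when a Content Security Policy forbids eval
};

class ScopedEvalEnabler {
public:
    // A null object is tolerated, mirroring the null check the entry describes.
    explicit ScopedEvalEnabler(FakeGlobalObject* globalObject)
        : m_globalObject(globalObject), m_wasEnabled(false)
    {
        if (!m_globalObject)
            return;
        m_wasEnabled = m_globalObject->evalEnabled;
        m_globalObject->evalEnabled = true;
    }
    // Destructor runs on normal exit and during stack unwinding alike.
    ~ScopedEvalEnabler()
    {
        if (m_globalObject)
            m_globalObject->evalEnabled = m_wasEnabled;
    }
    ScopedEvalEnabler(const ScopedEvalEnabler&) = delete;
    ScopedEvalEnabler& operator=(const ScopedEvalEnabler&) = delete;

private:
    FakeGlobalObject* m_globalObject;
    bool m_wasEnabled;
};

// Runs `action` with eval enabled and returns whatever the action reports.
template <typename F>
bool runWithEvalEnabled(FakeGlobalObject* globalObject, F action)
{
    ScopedEvalEnabler enabler(globalObject);
    return action();
}

// Eval is on inside the scope and back off afterwards.
bool restoredAfterNormalExit()
{
    FakeGlobalObject g; // eval disabled, as under a restrictive CSP
    bool during = runWithEvalEnabled(&g, [&] { return g.evalEnabled; });
    return during && !g.evalEnabled;
}

// A throwing breakpoint action must not leave eval enabled behind.
bool restoredAfterException()
{
    FakeGlobalObject g;
    try {
        runWithEvalEnabled(&g, [&]() -> bool { throw std::runtime_error("action failed"); });
    } catch (const std::runtime_error&) {
    }
    return !g.evalEnabled;
}

// A page that already allows eval keeps allowing it after the scope.
bool preservesAlreadyEnabled()
{
    FakeGlobalObject g;
    g.evalEnabled = true;
    runWithEvalEnabled(&g, [] { return true; });
    return g.evalEnabled;
}

// Null object: nothing to toggle, nothing to crash on.
bool toleratesNullGlobalObject()
{
    return runWithEvalEnabled(nullptr, [] { return true; });
}

int main()
{
    std::printf("normal exit restored: %d\n", restoredAfterNormalExit());
    std::printf("exception restored:   %d\n", restoredAfterException());
    std::printf("already enabled kept: %d\n", preservesAlreadyEnabled());
    std::printf("null tolerated:       %d\n", toleratesNullGlobalObject());
    return 0;
}
```

The guard is non-copyable so that two copies cannot both try to restore the flag; the saved value, not a constant, is written back, which is what keeps the elevation local to the debugger's evaluate call rather than silently relaxing the page's policy.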
2014-09-05  peavo@outlook.com  <peavo@outlook.com>

        [WinCairo] jsc.exe won't run.
        https://bugs.webkit.org/show_bug.cgi?id=136481

        Reviewed by Alex Christensen.

        We need to define WIN_CAIRO to avoid looking for the AAS folder.

        * JavaScriptCore.vcxproj/jsc/DLLLauncherWinCairo.props: Added.
        * JavaScriptCore.vcxproj/jsc/jscLauncher.vcxproj:
        * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncher.vcxproj:
        * JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props:
        * JavaScriptCore.vcxproj/testapi/testapiLauncher.vcxproj:

2014-09-05  David Kilzer  <ddkilzer@apple.com>

        JavaScriptCore should build with newer clang
        <http://webkit.org/b/136002>
        <rdar://problem/18020616>

        Reviewed by Geoffrey Garen.

        Other than the JSC::SourceProvider::asID() change (which simply
        removes code that the optimizing compiler would have discarded
        in Release builds), we move the |this| checks in OpaqueJSString
        to NULL checks in JSBase, JSObjectRef, JSScriptRef,
        JSStringRef{CF} and JSValueRef.

        Note that the following function arguments are _not_ NULL-checked
        since doing so would just cover up bugs (and were not needed to
        prevent any tests from failing):
        - |script| in JSEvaluateScript(), JSCheckScriptSyntax();
        - |body| in JSObjectMakeFunction();
        - |source| in JSScriptCreateReferencingImmortalASCIIText()
          (which is a const char* anyway);
        - |source| in JSScriptCreateFromString().

        * API/JSBase.cpp:
        (JSEvaluateScript): Add NULL check for |sourceURL|.
        (JSCheckScriptSyntax): Ditto.
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunction): Ditto.
        * API/JSScriptRef.cpp:
        (JSScriptCreateReferencingImmortalASCIIText): Ditto.
        (JSScriptCreateFromString): Add NULL check for |url|.
        * API/JSStringRef.cpp:
        (JSStringGetLength): Return early if NULL pointer is passed in.
        (JSStringGetCharactersPtr): Ditto.
        (JSStringGetUTF8CString): Ditto.  Also check |buffer| parameter.
        * API/JSStringRefCF.cpp:
        (JSStringCopyCFString): Ditto.
        * API/JSValueRef.cpp:
        (JSValueMakeString): Add NULL check for |string|.

        * API/OpaqueJSString.cpp:
        (OpaqueJSString::string): Remove code that checks |this|.
        (OpaqueJSString::identifier): Ditto.
        (OpaqueJSString::characters): Ditto.
        * API/OpaqueJSString.h:
        (OpaqueJSString::is8Bit): Remove code that checks |this|.
        (OpaqueJSString::characters8): Ditto.
        (OpaqueJSString::characters16): Ditto.
        (OpaqueJSString::length): Ditto.

        * parser/SourceProvider.h:
        (JSC::SourceProvider::asID): Remove code that checks |this|.

2014-06-06  Jer Noble  <jer.noble@apple.com>

        Refactoring: make MediaTime the primary time type for audiovisual times.
        https://bugs.webkit.org/show_bug.cgi?id=133579

        Reviewed by Eric Carlson.

        Add a utility function which converts a MediaTime to a JSNumber.

        * runtime/JSCJSValue.h:
        (JSC::jsNumber):

2014-09-04  Michael Saboff  <msaboff@apple.com>

        ARM: Add more coverage to ARMv7 disassembler
        https://bugs.webkit.org/show_bug.cgi?id=136565

        Reviewed by Mark Lam.

        Added ARMv7 disassembler support for Push/Pop multiple and floating point instructions
        VCMP, VCVT[R] between floating point and integer, and VLDR.

        * disassembler/ARMv7/ARMv7DOpcode.cpp:
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::appendRegisterList):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPopMultiple::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushMultiple::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::format):
        * disassembler/ARMv7/ARMv7DOpcode.h:
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::registerList):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::condition):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::condition):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::dBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::vd):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::szBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::eBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::mBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::vm):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::condition):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::dBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::op2):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::vd):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::szBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::op):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::mBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::vm):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::condition):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::uBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::rn):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::vd):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::doubleReg):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::immediate8):

2014-09-04  Mark Lam  <mark.lam@apple.com>

        Move PropertySlot's inline functions back to PropertySlot.h.
        <https://webkit.org/b/136547>

        Reviewed by Filip Pizlo.

        * runtime/JSObject.h:
        (JSC::PropertySlot::getValue): Deleted.
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::getValue):

2014-09-04  Filip Pizlo  <fpizlo@apple.com>

        Make sure that deleting all code first processes the call edge log, and reenable call edge profiling.

        Rubber stamped by Sam Weinig.

        * debugger/Debugger.cpp:
        (JSC::Debugger::forEachCodeBlock):
        (JSC::Debugger::setSteppingMode):
        (JSC::Debugger::recompileAllJSFunctions):
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::recompileAllJSFunctionsForTypeProfiling):
        * runtime/Options.h: Reenable call edge profiling.
        * runtime/VM.cpp:
        (JSC::VM::prepareToDiscardCode): Make sure this also processes the call edge log, in case any call edge profiles are about to be destroyed.
        (JSC::VM::discardAllCode):
        (JSC::VM::releaseExecutableMemory):
        (JSC::VM::setEnabledProfiler):
        (JSC::VM::waitForCompilationsToComplete): Deleted.
        * runtime/VM.h: Rename waitForCompilationsToComplete() back to prepareToDiscardCode() because the purpose of the method - now as ever - is to do all of the things that need to be done to ensure that code may be safely deleted.

2014-09-04  Akos Kiss  <akiss@inf.u-szeged.hu>

        Ensure that the call frame set up by vmEntryToNative does not overlap with the stack of the callee
        https://bugs.webkit.org/show_bug.cgi?id=136485

        Reviewed by Michael Saboff.

        Changed makeHostFunctionCall to keep the stack pointer above the call
        frame set up by doVMEntry. Thus the callee will not/cannot override the top
        of the call frame.

        Refactored the two (32_64 and 64) versions of makeHostFunctionCall to be
        more alike to help future maintenance.

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2014-09-04  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r173031): crashes during run-layout-jsc on x86/Linux
        https://bugs.webkit.org/show_bug.cgi?id=136436

        Reviewed by Geoffrey Garen.

        Instead of trying to calculate a stack pointer that allows for possible
        stacked argument space, just use the "home" stack pointer location.
        That stack pointer provides space for the worst case number of stacked
        arguments on architectures that use stacked arguments.  It also provides
        stack space so that the return PC and caller frame pointer that are stored
        as part of making the call to operationCallEval will not override any part
        of the callee frame created on the stack.

        Changed compileCallEval() to use the stackPointer value of the calling
        function.  That stack pointer is calculated to have enough space for
        outgoing stacked arguments.  By moving the stack pointer to its "home"
        position, the caller frame and return PC are not set as part of making
        the call to operationCallEval().  Moved the explicit setting of the
        callerFrame field of the callee CallFrame from operationCallEval() to
        compileCallEval() since it has been the artifact of making a call for
        most architectures.  Simplified the exception logic in compileCallEval()
        as a result of the change.  To be compliant with the stack state
        expected by virtualCallThunkGenerator(), moved the stack pointer to
        point above the CallerFrameAndPC of the callee CallFrame.

        * jit/JIT.h: Changed callOperationNoExceptionCheck(J_JITOperation_EE, ...)
        to callOperation(J_JITOperation_EE, ...) as it now can do a typical exception
        check.
        * jit/JITCall.cpp & jit/JITCall32_64.cpp:
        (JSC::JIT::compileCallEval): Use the home stack pointer when making the call
        to operationCallEval.  Since the stack pointer adjustment no longer needs
        to be done after making the call to operationCallEval(), the exception check
        logic can be simplified.
        (JSC::JIT::compileCallEvalSlowCase): Restored the stack pointer to point
        to above the calleeFrame as this is what the generated thunk expects.
        * jit/JITInlines.h:
        (JSC::JIT::callOperation): Refactor of callOperationNoExceptionCheck
        with the addition of a standard exception check.
        (JSC::JIT::callOperationNoExceptionCheck): Deleted.
        * jit/JITOperations.cpp:
        (JSC::operationCallEval): Eliminated the explicit setting of caller frame
        as that is now done in the code generated by compileCallEval().

2014-09-03  Filip Pizlo  <fpizlo@apple.com>

        Beef up the DFG's CFG analyses to include iterated dominance frontiers and more user-friendly BlockSets
        https://bugs.webkit.org/show_bug.cgi?id=136520

        Reviewed by Geoffrey Garen.

        Add code to compute iterated dominance frontiers. This involves using BlockSet a lot, so
        this patch also makes BlockSet a lot more user-friendly.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGBasicBlock.h:
        * dfg/DFGBlockSet.cpp: Added.
        (JSC::DFG::BlockSet::dump):
        * dfg/DFGBlockSet.h:
        (JSC::DFG::BlockSet::iterator::iterator):
        (JSC::DFG::BlockSet::iterator::operator++):
        (JSC::DFG::BlockSet::iterator::operator==):
        (JSC::DFG::BlockSet::iterator::operator!=):
        (JSC::DFG::BlockSet::Iterable::Iterable):
698         (JSC::DFG::BlockSet::Iterable::begin):
699         (JSC::DFG::BlockSet::Iterable::end):
700         (JSC::DFG::BlockSet::iterable):
701         (JSC::DFG::BlockAdder::BlockAdder):
702         (JSC::DFG::BlockAdder::operator()):
703         * dfg/DFGBlockSetInlines.h: Added.
704         (JSC::DFG::BlockSet::iterator::operator*):
705         * dfg/DFGDominators.cpp:
706         (JSC::DFG::Dominators::strictDominatorsOf):
707         (JSC::DFG::Dominators::dominatorsOf):
708         (JSC::DFG::Dominators::blocksStrictlyDominatedBy):
709         (JSC::DFG::Dominators::blocksDominatedBy):
710         (JSC::DFG::Dominators::dominanceFrontierOf):
711         (JSC::DFG::Dominators::iteratedDominanceFrontierOf):
712         * dfg/DFGDominators.h:
713         (JSC::DFG::Dominators::forAllStrictDominatorsOf):
714         (JSC::DFG::Dominators::forAllDominatorsOf):
715         (JSC::DFG::Dominators::forAllBlocksStrictlyDominatedBy):
716         (JSC::DFG::Dominators::forAllBlocksDominatedBy):
717         (JSC::DFG::Dominators::forAllBlocksInDominanceFrontierOf):
718         (JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOf):
719         (JSC::DFG::Dominators::forAllBlocksInDominanceFrontierOfImpl):
720         (JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOfImpl):
721         * dfg/DFGGraph.cpp:
722         (JSC::DFG::Graph::dumpBlockHeader):
723         * dfg/DFGInvalidationPointInjectionPhase.cpp:
724         (JSC::DFG::InvalidationPointInjectionPhase::run):
725
726 2014-09-04  Mark Lam  <mark.lam@apple.com>
727
728         Fixed indentations and some style warnings in JavaScriptCore/runtime.
729         <https://webkit.org/b/136518>
730
731         Reviewed by Michael Saboff.
732
733         Also removed some superfluous spaces.  There are no semantic changes.
734
735         * runtime/Completion.h:
736         * runtime/ConstructData.h:
737         * runtime/DateConstructor.h:
738         * runtime/DateInstance.h:
739         * runtime/DateInstanceCache.h:
740         * runtime/DatePrototype.h:
741         * runtime/Error.h:
742         * runtime/ErrorConstructor.h:
743         * runtime/ErrorInstance.h:
744         * runtime/ErrorPrototype.h:
745         * runtime/FunctionConstructor.h:
746         * runtime/FunctionPrototype.h:
747         * runtime/GetterSetter.h:
748         * runtime/Identifier.h:
749         * runtime/InitializeThreading.h:
750         * runtime/InternalFunction.h:
751         * runtime/JSAPIValueWrapper.h:
752         * runtime/JSFunction.h:
753         * runtime/JSLock.h:
754         * runtime/JSNotAnObject.h:
755         * runtime/JSONObject.h:
756         * runtime/JSString.h:
757         * runtime/JSTypeInfo.h:
758         * runtime/JSWrapperObject.h:
759         * runtime/Lookup.h:
760         * runtime/MathObject.h:
761         * runtime/NativeErrorConstructor.h:
762         * runtime/NativeErrorPrototype.h:
763         * runtime/NumberConstructor.h:
764         * runtime/NumberObject.h:
765         * runtime/NumberPrototype.h:
766         * runtime/NumericStrings.h:
767         * runtime/ObjectConstructor.h:
768         * runtime/ObjectPrototype.h:
769         * runtime/PropertyDescriptor.h:
770         * runtime/Protect.h:
771         * runtime/PutPropertySlot.h:
772         * runtime/RegExp.h:
773         * runtime/RegExpCachedResult.h:
774         * runtime/RegExpConstructor.h:
775         * runtime/RegExpMatchesArray.h:
776         * runtime/RegExpObject.h:
777         * runtime/RegExpPrototype.h:
778         * runtime/SmallStrings.h:
779         * runtime/StringConstructor.h:
780         * runtime/StringObject.h:
781         * runtime/StringPrototype.h:
782         * runtime/StructureChain.h:
783         * runtime/VM.h:
784
785 2014-09-04  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>
786
787         Remove CSS_FILTERS flag
788         https://bugs.webkit.org/show_bug.cgi?id=136529
789
790         Reviewed by Dirk Schulze.
791
792         * Configurations/FeatureDefines.xcconfig:
793
794 2014-09-04  Commit Queue  <commit-queue@webkit.org>
795
796         Unreviewed, rolling out r173248.
797         https://bugs.webkit.org/show_bug.cgi?id=136536
798
799         call edge profiling and polymorphic call inlining are still
800         causing crashes (Requested by eric_carlson on #webkit).
801
802         Reverted changeset:
803
804         "Reenable call edge profiling and polymorphic call inlining,
805         now that a bunch of the bugs"
806         http://trac.webkit.org/changeset/173248
807
808 2014-09-04  Brian J. Burg  <burg@cs.washington.edu>
809
810         Web Inspector: the profiler should not accrue time to nodes while the debugger is paused
811         https://bugs.webkit.org/show_bug.cgi?id=136352
812
813         Reviewed by Timothy Hatcher.
814
815         Hook up pause/continue events to the LegacyProfiler and any active
816         ProfilerGenerators. If the debugger is paused, all intervening call
817         entries will be created with totalTime as 0.0.
818
819         * inspector/ScriptDebugServer.cpp:
820         (Inspector::ScriptDebugServer::handlePause):
821         * profiler/LegacyProfiler.cpp: Move from typedef'd callbacks to using
822         std::function. This allows callbacks to take different argument types.
823
824         (JSC::callFunctionForProfilesWithGroup):
825         (JSC::LegacyProfiler::willExecute):
826         (JSC::LegacyProfiler::didExecute):
827         (JSC::LegacyProfiler::exceptionUnwind):
828         (JSC::LegacyProfiler::didPause):
829         (JSC::LegacyProfiler::didContinue):
830         (JSC::dispatchFunctionToProfiles): Deleted.
831         * profiler/LegacyProfiler.h:
832         * profiler/ProfileGenerator.cpp:
833         (JSC::ProfileGenerator::ProfileGenerator):
834         (JSC::ProfileGenerator::endCallEntry):
835         (JSC::ProfileGenerator::didExecute): Deleted.
836         * profiler/ProfileGenerator.h:
837         (JSC::ProfileGenerator::didPause):
838         (JSC::ProfileGenerator::didContinue):
839
840 2014-09-04  Commit Queue  <commit-queue@webkit.org>
841
842         Unreviewed, rolling out r173245.
843         https://bugs.webkit.org/show_bug.cgi?id=136533
844
845         Broke JSC tests. (Requested by ddkilzer on #webkit).
846
847         Reverted changeset:
848
849         "JavaScriptCore should build with newer clang"
850         https://bugs.webkit.org/show_bug.cgi?id=136002
851         http://trac.webkit.org/changeset/173245
852
853 2014-09-04  Brian J. Burg  <burg@cs.washington.edu>
854
855         LegacyProfiler: ProfileNodes should be used more like structs
856         https://bugs.webkit.org/show_bug.cgi?id=136381
857
858         Reviewed by Timothy Hatcher.
859
860         Previously, both the profile generator and individual profile nodes
861         were collectively responsible for creating new Call entries and
862         maintaining data structure invariants. This complexity is unnecessary.
863
864         This patch centralizes profile data creation inside the profile generator.
865         The profile nodes manage nextSibling and parent pointers, but do not
866         collect the current time or create new Call entries themselves.
867
868         Since ProfileNode::nextSibling and its callers are only used within
869         debug printing code, it should be compiled out for release builds.
870
871         * profiler/ProfileGenerator.cpp:
872         (JSC::ProfileGenerator::ProfileGenerator):
873         (JSC::AddParentForConsoleStartFunctor::operator()):
874         (JSC::ProfileGenerator::beginCallEntry): create a new Call entry.
875         (JSC::ProfileGenerator::endCallEntry): finish the last Call entry.
876         (JSC::ProfileGenerator::willExecute): inline ProfileNode::willExecute()
877         (JSC::ProfileGenerator::didExecute): inline ProfileNode::didExecute()
878         (JSC::ProfileGenerator::stopProfiling): Only walk up the spine.
879         (JSC::ProfileGenerator::removeProfileStart):
880         (JSC::ProfileGenerator::removeProfileEnd):
881         * profiler/ProfileGenerator.h:
882         * profiler/ProfileNode.cpp:
883         (JSC::ProfileNode::ProfileNode):
884         (JSC::ProfileNode::addChild):
885         (JSC::ProfileNode::removeChild):
886         (JSC::ProfileNode::spliceNode): Renamed from insertNode.
887         (JSC::ProfileNode::debugPrintRecursively):
888         (JSC::ProfileNode::willExecute): Deleted.
889         (JSC::ProfileNode::insertNode): Deleted.
890         (JSC::ProfileNode::stopProfiling): Deleted.
891         (JSC::ProfileNode::traverseNextNodePostOrder):
892         (JSC::ProfileNode::endAndRecordCall): Deleted.
893         (JSC::ProfileNode::debugPrintDataSampleStyle):
894         * profiler/ProfileNode.h:
895         (JSC::ProfileNode::Call::setStartTime):
896         (JSC::ProfileNode::Call::setTotalTime):
897         (JSC::ProfileNode::appendCall):
898         (JSC::ProfileNode::firstChild):
899         (JSC::ProfileNode::lastChild):
900         (JSC::ProfileNode::nextSibling):
901         (JSC::ProfileNode::setNextSibling):
902
903 2014-09-02  Brian J. Burg  <burg@cs.washington.edu>
904
905         Web Inspector: fix prefixes for subclasses of JSC::ConsoleClient
906         https://bugs.webkit.org/show_bug.cgi?id=136476
907
908         Reviewed by Timothy Hatcher.
909
910         * CMakeLists.txt:
911         * JavaScriptCore.xcodeproj/project.pbxproj:
912         * inspector/JSGlobalObjectConsoleClient.cpp: Renamed from Source/JavaScriptCore/inspector/JSConsoleClient.cpp.
913         * inspector/JSGlobalObjectConsoleClient.h: Renamed from Source/JavaScriptCore/inspector/JSConsoleClient.h.
914         * inspector/JSGlobalObjectInspectorController.cpp:
915         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
916         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
917         * inspector/JSGlobalObjectInspectorController.h:
918
919 2014-09-03  Filip Pizlo  <fpizlo@apple.com>
920
921         Reenable call edge profiling and polymorphic call inlining, now that a bunch of the bugs
922         are fixed.
923
924         * runtime/Options.h:
925
926 2014-09-03  David Kilzer  <ddkilzer@apple.com>
927
928         JavaScriptCore should build with newer clang
929         <http://webkit.org/b/136002>
930         <rdar://problem/18020616>
931
932         Reviewed by Geoffrey Garen.
933
934         Other than the JSC::SourceProvider::asID() change (which simply
935         removes code that the optimizing compiler would have discarded
936         in Release builds), we move the |this| checks in OpaqueJSString
937         to NULL checks in JSBase, JSScriptRef, JSStringRef{CF} and
938         JSValueRef.
939
940         * API/JSBase.cpp:
941         (JSEvaluateScript): Use String() in case |script| or |sourceURL|
942         are NULL.
943         * API/JSScriptRef.cpp:
944         (JSScriptCreateReferencingImmortalASCIIText): Use String() in
945         case |url| is NULL.
946         * API/JSStringRef.cpp:
947         (JSStringGetLength): Return early if NULL pointer is passed in.
948         (JSStringGetCharactersPtr): Ditto.
949         (JSStringGetUTF8CString): Ditto.  Also check |buffer| parameter.
950         * API/JSStringRefCF.cpp:
951         (JSStringCopyCFString): Ditto.
952         * API/JSValueRef.cpp:
953         (JSValueMakeString): Use String() in case |string| is NULL.
954
955         * API/OpaqueJSString.cpp:
956         (OpaqueJSString::string): Remove code that checks |this|.
957         (OpaqueJSString::identifier): Ditto.
958         (OpaqueJSString::characters): Ditto.
959         * API/OpaqueJSString.h:
960         (OpaqueJSString::is8Bit): Remove code that checks |this|.
961         (OpaqueJSString::characters8): Ditto.
962         (OpaqueJSString::characters16): Ditto.
963         (OpaqueJSString::length): Ditto.
964
965         * parser/SourceProvider.h:
966         (JSC::SourceProvider::asID): Remove code that checks |this|.
967
968 2014-09-03  Filip Pizlo  <fpizlo@apple.com>
969
970         CallEdgeProfile::visitWeak() shouldn't attempt to despecify empty profiles
971         https://bugs.webkit.org/show_bug.cgi?id=136511
972
973         Reviewed by Geoffrey Garen.
974
975         * bytecode/CallEdgeProfile.cpp:
976         (JSC::CallEdgeProfile::worthDespecifying):
977         (JSC::CallEdgeProfile::visitWeak):
978         (JSC::CallEdgeProfile::mergeBack):
979
980 2014-09-03  David Kilzer  <ddkilzer@apple.com>
981
982         REGRESSION (r167325): (null) entry added to Xcode project file when JSBoundFunction.h was removed
983         <http://webkit.org/b/136509>
984
985         Reviewed by Daniel Bates.
986
987         * JavaScriptCore.xcodeproj/project.pbxproj: Remove the (null)
988         entry left behind when JSBoundFunction.h was removed.
989
990 2014-09-03  Joseph Pecoraro  <pecoraro@apple.com>
991
992         Avoid warning if a process does not have access to com.apple.webinspector
993         https://bugs.webkit.org/show_bug.cgi?id=136473
994
995         Reviewed by Alexey Proskuryakov.
996
997         Pre-check for access to the mach port to avoid emitting warnings
998         in syslog for processes that do not have access.
999
1000         * inspector/remote/RemoteInspector.mm:
1001         (Inspector::canAccessWebInspectorMachPort):
1002         (Inspector::RemoteInspector::shared):
1003
1004 2014-09-03  Filip Pizlo  <fpizlo@apple.com>
1005
1006         Temporarily disable call edge profiling. It is causing crashes and I'm still investigating
1007         them.
1008
1009         * runtime/Options.h:
1010
1011 2014-09-03  Balazs Kilvady  <kilvadyb@homejinni.com>
1012
1013         [MIPS] Wrong register usage in LLInt op_catch.
1014         https://bugs.webkit.org/show_bug.cgi?id=125168
1015
1016         Reviewed by Geoffrey Garen.
1017
1018         Fix register usage and add PIC header to all the ops in LLInt.
1019
1020         * offlineasm/instructions.rb:
1021         * offlineasm/mips.rb:
1022
1023 2014-09-03  Saam Barati  <saambarati1@gmail.com>
1024
1025         Create tests for type profiling
1026         https://bugs.webkit.org/show_bug.cgi?id=136161
1027
1028         Reviewed by Geoffrey Garen.
1029
1030         The type profiler is now being tested. These are basic tests that don't 
1031         check every edge case, but will catch any major failures in the type profiler. 
1032         These tests cover:
1033         - The basic, inheritance-based type system in TypeSet.
1034         - Function return types.
1035         - Correct merging of types for multiple assignments to one variable.
1036
1037         This patch also provides an API for writing new tests for
1038         the type profiler. The API works by passing in a function and a 
1039         unique substring of an expression contained in that function, and 
1040         returns an object representing type information for that expression.
1041
1042         * jsc.cpp:
1043         (GlobalObject::finishCreation):
1044         (functionFindTypeForExpression):
1045         (functionReturnTypeFor):
1046         * runtime/TypeProfiler.cpp:
1047         (JSC::TypeProfiler::typeInformationForExpressionAtOffset):
1048         * runtime/TypeProfiler.h:
1049         * runtime/TypeProfilerLog.h:
1050         * runtime/TypeSet.cpp:
1051         (JSC::TypeSet::toJSONString):
1052         (JSC::StructureShape::toJSONString):
1053         * runtime/TypeSet.h:
1054         * tests/typeProfiler: Added.
1055         * tests/typeProfiler.yaml: Added.
1056         * tests/typeProfiler/basic.js: Added.
1057         (wrapper.foo):
1058         (wrapper):
1059         * tests/typeProfiler/captured.js: Added.
1060         (wrapper.changeFoo):
1061         (wrapper):
1062         * tests/typeProfiler/driver: Added.
1063         * tests/typeProfiler/driver/driver.js: Added.
1064         (assert):
1065         * tests/typeProfiler/inheritance.js: Added.
1066         (wrapper.A):
1067         (wrapper.B):
1068         (wrapper.C):
1069         (wrapper):
1070         * tests/typeProfiler/return.js: Added.
1071         (foo):
1072         (Ctor):
1073
1074 2014-09-03  Julien Brianceau   <jbriance@cisco.com>
1075
1076         Add missing implementations to fix build for sh4 architecture
1077         https://bugs.webkit.org/show_bug.cgi?id=136455
1078
1079         Reviewed by Geoffrey Garen.
1080
1081         * assembler/MacroAssemblerSH4.h:
1082         (JSC::MacroAssemblerSH4::store8):
1083         (JSC::MacroAssemblerSH4::moveWithPatch):
1084         (JSC::MacroAssemblerSH4::branchAdd32):
1085         (JSC::MacroAssemblerSH4::branch32WithPatch):
1086         (JSC::MacroAssemblerSH4::abortWithReason):
1087         (JSC::MacroAssemblerSH4::canJumpReplacePatchableBranch32WithPatch):
1088         (JSC::MacroAssemblerSH4::startOfPatchableBranch32WithPatchOnAddress):
1089         (JSC::MacroAssemblerSH4::revertJumpReplacementToPatchableBranch32WithPatch):
1090         * jit/AssemblyHelpers.h:
1091         (JSC::AssemblyHelpers::emitFunctionPrologue):
1092         (JSC::AssemblyHelpers::emitFunctionEpilogue):
1093
1094 2014-09-03  Dan Bernstein  <mitz@apple.com>
1095
1096         Get rid of HIGH_DPI_CANVAS leftovers
1097         https://bugs.webkit.org/show_bug.cgi?id=136491
1098
1099         Reviewed by Benjamin Poulain.
1100
1101         * Configurations/FeatureDefines.xcconfig: Removed definition of ENABLE_HIGH_DPI_CANVAS
1102         and removed it from FEATURE_DEFINES.
1103
1104 2014-09-03  Filip Pizlo  <fpizlo@apple.com>
1105
1106         CallEdgeProfile::visitWeak() should gracefully handle the case where primaryCallee duplicates an entry in otherCallees
1107         https://bugs.webkit.org/show_bug.cgi?id=136490
1108
1109         Reviewed by Geoffrey Garen.
1110
1111         * bytecode/CallEdgeProfile.cpp:
1112         (JSC::CallEdgeProfile::visitWeak):
1113
1114 2014-09-03  Filip Pizlo  <fpizlo@apple.com>
1115
1116         FTL In implementation sets callReturnLocation incorrectly leading to crashes beneath repatchCall()
1117         https://bugs.webkit.org/show_bug.cgi?id=136488
1118
1119         Reviewed by Mark Hahnenberg.
1120
1121         * ftl/FTLCompile.cpp:
1122         (JSC::FTL::generateCheckInICFastPath): The call is in the slow path.
1123         * tests/stress/ftl-in-overflow.js: Added. This used to crash with 100% with FTL enabled.
1124         (foo):
1125
1126 2014-09-03  Akos Kiss  <akiss@inf.u-szeged.hu>
1127
1128         Don't generate superfluous mov instructions for move immediate on ARM64.
1129         https://bugs.webkit.org/show_bug.cgi?id=136435
1130
1131         Reviewed by Michael Saboff.
1132
1133         On ARM64, the size of an immediate operand for a mov instruction is 16
1134         bits. Thus, a move immediate offlineasm instruction may potentially be
1135         split up to several machine level instructions. The current
1136         implementation always emits a mov for the least significant 16 bits of
1137         the value. However, if any of the bits 63:16 are significant then the
1138         first emitted mov already filled bits 15:0 with zeroes (or ones, for
1139         negative values). So, if bits 15:0 of the value are all zeroes (or ones)
1140         then the last mov does not need to be emitted.
1141
1142         * offlineasm/arm64.rb:
1143
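The emission rule described above, as an added Ruby illustration (not the offlineasm code from arm64.rb): a 64-bit immediate is split into 16-bit chunks, the first significant chunk is written with movz (or movn for negative values), the rest with movk, and the mov for bits 15:0 is dropped when it would only rewrite the fill pattern a higher movz/movn already produced. The helper names, the register name and the tiny interpreter used to check the result are constructed for this example.

```ruby
# Added illustration, not WebKit's offlineasm emitter: build the ARM64
# instruction sequence that loads a 64-bit immediate into a register.
MASK16 = 0xffff
MASK64 = 0xffff_ffff_ffff_ffff

# Reduce to 64-bit two's complement and split into four 16-bit chunks,
# least significant chunk first.
def chunks64(value)
  v = value & MASK64
  (0..3).map { |i| (v >> (16 * i)) & MASK16 }
end

# skip_redundant_low: true gives the behaviour the ChangeLog describes; false
# reproduces the old behaviour that always emitted a mov for bits 15:0.
def move_immediate(value, reg, skip_redundant_low: true)
  negative = value < 0
  fill = negative ? MASK16 : 0     # pattern movz/movn leaves in untouched chunks
  insns = []
  chunks = chunks64(value)
  # Walk from the most significant chunk down so the first emitted
  # instruction carries the highest significant bits.
  3.downto(0) do |i|
    chunk = chunks[i]
    shift = 16 * i
    if chunk == fill
      # Chunks equal to the fill pattern never need a movk; the low chunk still
      # needs a mov when nothing higher was emitted (or in the old behaviour).
      next unless i == 0 && (insns.empty? || !skip_redundant_low)
    end
    if insns.empty?
      if negative
        # movn writes NOT(imm << shift), so the other chunks become all ones.
        insns << format("movn %s, #0x%x, lsl #%d", reg, (~chunk) & MASK16, shift)
      else
        insns << format("movz %s, #0x%x, lsl #%d", reg, chunk, shift)
      end
    else
      insns << format("movk %s, #0x%x, lsl #%d", reg, chunk, shift)
    end
  end
  insns
end

# Minimal interpreter for the emitted text (constructed for this example), to
# confirm that dropping the low mov leaves the register holding the full value.
def simulate(insns)
  reg = 0
  insns.each do |insn|
    m = insn.match(/\A(mov[znk]) \w+, #0x([0-9a-f]+), lsl #(\d+)\z/) or raise "bad insn #{insn}"
    op, imm, shift = m[1], m[2].to_i(16), m[3].to_i
    case op
    when "movz" then reg = imm << shift
    when "movn" then reg = (~(imm << shift)) & MASK64
    when "movk" then reg = (reg & ~(MASK16 << shift)) | (imm << shift)
    end
  end
  reg
end

if __FILE__ == $PROGRAM_NAME
  [0x10000, 0x12345, 0, -1, -0x10000, -(1 << 32) + 0xffff].each do |v|
    puts format("%#018x -> %s", v & MASK64, move_immediate(v, "x0").join("; "))
  end
end
```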
1144 2014-09-02  Brian J. Burg  <burg@cs.washington.edu>
1145
1146         LegacyProfiler: remove redundant ProfileNode members and other cleanup
1147         https://bugs.webkit.org/show_bug.cgi?id=136380
1148
1149         Reviewed by Timothy Hatcher.
1150
1151         ProfileNode's selfTime and totalTime members are redundant and only used
1152         for dumping profile data from debug-only code. Remove the members and compute
1153         the same data on-demand when necessary using a postorder traversal functor.
1154
1155         Remove ProfileNode.head since it is only used to calculate percentages for
1156         dumped profile data. This can be explicitly passed around when needed.
1157
1158         Rename Profile.head to Profile.rootNode, and other various renamings.
1159
1160         Rearrange some header includes so that touching LegacyProfiler-related headers
1161         will no longer cause a full rebuild.
1162
1163         * inspector/JSConsoleClient.cpp: Add header include.
1164         * inspector/agents/InspectorProfilerAgent.cpp:
1165         (Inspector::InspectorProfilerAgent::buildProfileInspectorObject):
1166         * inspector/protocol/Profiler.json: Remove unused Profile.idleTime member.
1167         * jit/JIT.h: Remove header include.
1168         * jit/JITCode.h: Remove header include.
1169         * jit/JITOperations.cpp: Sort and add header include.
1170         * llint/LLIntSlowPaths.cpp: Sort and add header include.
1171         * profiler/Profile.cpp: Rename the debug dumping functions. Move the node
1172         postorder traversal code to ProfileNode so we can traverse any subtree.
1173         (JSC::Profile::Profile):
1174         (JSC::Profile::debugPrint):
1175         (JSC::Profile::debugPrintSampleStyle):
1176         (JSC::Profile::forEach): Deleted.
1177         (JSC::Profile::debugPrintData): Deleted.
1178         (JSC::Profile::debugPrintDataSampleStyle): Deleted.
1179         * profiler/Profile.h:
1180         * profiler/ProfileGenerator.cpp:
1181         (JSC::ProfileGenerator::ProfileGenerator):
1182         (JSC::AddParentForConsoleStartFunctor::AddParentForConsoleStartFunctor):
1183         (JSC::AddParentForConsoleStartFunctor::operator()):
1184         (JSC::ProfileGenerator::addParentForConsoleStart):
1185         (JSC::ProfileGenerator::didExecute):
1186         (JSC::StopProfilingFunctor::operator()):
1187         (JSC::ProfileGenerator::stopProfiling):
1188         (JSC::ProfileGenerator::removeProfileStart):
1189         (JSC::ProfileGenerator::removeProfileEnd):
1190         * profiler/ProfileGenerator.h:
1191         * profiler/ProfileNode.cpp:
1192         (JSC::ProfileNode::ProfileNode):
1193         (JSC::ProfileNode::willExecute):
1194         (JSC::ProfileNode::removeChild):
1195         (JSC::ProfileNode::stopProfiling):
1196         (JSC::ProfileNode::endAndRecordCall):
1197         (JSC::ProfileNode::debugPrint):
1198         (JSC::ProfileNode::debugPrintSampleStyle):
1199         (JSC::ProfileNode::debugPrintRecursively):
1200         (JSC::ProfileNode::debugPrintSampleStyleRecursively):
1201         (JSC::ProfileNode::debugPrintData): Deleted.
1202         (JSC::ProfileNode::debugPrintDataSampleStyle): Deleted.
1203         * profiler/ProfileNode.h: Calculate per-node self and total times using a postorder traversal.
1204         The forEachNodePostorder functor traverses the subtree rooted at |this|.
1205         (JSC::ProfileNode::create):
1206         (JSC::ProfileNode::calls):
1207         (JSC::ProfileNode::forEachNodePostorder):
1208         (JSC::CalculateProfileSubtreeDataFunctor::returnValue):
1209         (JSC::CalculateProfileSubtreeDataFunctor::operator()):
1210         (JSC::ProfileNode::head): Deleted.
1211         (JSC::ProfileNode::setHead): Deleted.
1212         (JSC::ProfileNode::totalTime): Deleted.
1213         (JSC::ProfileNode::setTotalTime): Deleted.
1214         (JSC::ProfileNode::selfTime): Deleted.
1215         (JSC::ProfileNode::setSelfTime): Deleted.
1216         (JSC::ProfileNode::totalPercent): Deleted.
1217         (JSC::ProfileNode::selfPercent): Deleted.
1218         * runtime/ConsoleClient.h: Remove header include.
1219
1220 2014-09-02  Brian J. Burg  <burg@cs.washington.edu>
1221
1222         Web Inspector: remove ProfilerAgent and legacy profiler files in the frontend
1223         https://bugs.webkit.org/show_bug.cgi?id=136462
1224
1225         Reviewed by Timothy Hatcher.
1226
1227         It's not used by the frontend anymore.
1228
1229         * CMakeLists.txt:
1230         * DerivedSources.make:
1231         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1232         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1233         * JavaScriptCore.xcodeproj/project.pbxproj:
1234
1235         * inspector/JSConsoleClient.cpp:
1236         (Inspector::JSConsoleClient::JSConsoleClient): Stub out console.profile/profileEnd
1237         methods since they didn't work for JSContexts anyway.
1238         (Inspector::JSConsoleClient::profile):
1239         (Inspector::JSConsoleClient::profileEnd):
1240         * inspector/JSConsoleClient.h:
1241
1242         * inspector/JSGlobalObjectInspectorController.cpp:
1243         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1244         * inspector/agents/InspectorProfilerAgent.cpp: Removed.
1245         * inspector/agents/InspectorProfilerAgent.h: Removed.
1246         * inspector/agents/JSGlobalObjectProfilerAgent.cpp: Removed.
1247         * inspector/agents/JSGlobalObjectProfilerAgent.h: Removed.
1248         * inspector/protocol/Profiler.json: Removed.
1249
1250 2014-09-02  Andreas Kling  <akling@apple.com>
1251
1252         Optimize own property GetByVals with rope string subscripts.
1253         <https://webkit.org/b/136458>
1254
1255         For simple JSObjects that don't override getOwnPropertySlot to implement
1256         custom properties, we have a fast path that grabs directly at the object
1257         property storage.
1258
1259         Make this fast path even faster when the property name is an unresolved
1260         rope string by using JSString::toExistingAtomicString(). This is faster
1261         because it avoids allocating a new StringImpl if the string is already
1262         a known Identifier, which is guaranteed to be the case if it's present
1263         as an own property on the object.
1264
1265         ~10% speed-up on Dromaeo/dom-attr.html
1266
1267         Reviewed by Geoffrey Garen.
1268
1269         * dfg/DFGOperations.cpp:
1270         * jit/JITOperations.cpp:
1271         (JSC::getByVal):
1272         * llint/LLIntSlowPaths.cpp:
1273         (JSC::LLInt::getByVal):
1274
1275             When using the fastGetOwnProperty() optimization, get the String
1276             out of JSString by using toExistingAtomicString(). This avoids
1277             StringImpl allocation and lets us bypass the PropertyTable lookup
1278             entirely if no AtomicString is found.
1279
1280         * runtime/JSCell.h:
1281         * runtime/JSCellInlines.h:
1282         (JSC::JSCell::fastGetOwnProperty):
1283
1284             Make fastGetOwnProperty() take a PropertyName instead of a String.
1285             This avoids churning the ref count, since we don't need to create
1286             a temporary wrapper around the AtomicStringImpl* found in GetByVal.
1287
1288         * runtime/PropertyName.h:
1289         (JSC::PropertyName::PropertyName):
1290
1291             Add constructor: PropertyName(AtomicStringImpl*)
1292
1293         * runtime/PropertyMapHashTable.h:
1294         (JSC::PropertyTable::get):
1295         (JSC::PropertyTable::findWithString): Deleted.
1296         * runtime/Structure.h:
1297         * runtime/StructureInlines.h:
1298         (JSC::Structure::get):
1299
1300             Remove code for querying a PropertyTable with an unhashed string key
1301             since the only client is now gone.
1302
1303 2014-09-02  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>
1304
1305         [ARM] MacroAssembler generating incorrect code on ARM32 Traditional
1306         https://bugs.webkit.org/show_bug.cgi?id=136429
1307
1308         Reviewed by Csaba Osztrogonác.
1309
1310         Changed test32 to use tst to check if reg is zero, instead of cmp.
1311
1312         * assembler/MacroAssemblerARM.h:
1313         (JSC::MacroAssemblerARM::test32):
1314
1315 2014-09-02  Michael Saboff  <msaboff@apple.com>
1316
1317         Out of bounds write in vmEntryToJavaScript / JSC::JITCode::execute
1318         https://bugs.webkit.org/show_bug.cgi?id=136305
1319
1320         Reviewed by Filip Pizlo.
1321
1322         While preparing the callee's CallFrame, ProtoCallFrame fixes any arity mismatch
1323         and then JITCode::execute() calls the normal entrypoint.  This is incompatible
1324         with the expectation of FTL generated functions.  Changed ProtoCallFrame to not 
1325         perform the arity fix, but just flag an arity mismatch.  Now JITCode::execute()
1326         uses that arity mismatch condition to select the normal or arity check
1327         entrypoint.  The entrypoint selection is only done for functions; programs
1328         and eval always have one parameter.
1329
1330         * interpreter/ProtoCallFrame.cpp:
1331         (JSC::ProtoCallFrame::init): Changed to flag arity mismatch instead of fixing it.
1332         * interpreter/ProtoCallFrame.h:
1333         (JSC::ProtoCallFrame::needArityCheck): New boolean to signify what entrypoint
1334         should be called.
1335         * jit/JITCode.cpp:
1336         (JSC::JITCode::execute): Select normal or arity check entrypoint as appropriate.
1337
1338 2014-09-02  peavo@outlook.com  <peavo@outlook.com>
1339
1340         [WinCairo] testapi.exe is not built.
1341         https://bugs.webkit.org/show_bug.cgi?id=136369
1342
1343         Reviewed by Alex Christensen.
1344
1345         The testapi project should be of type Application.
1346
1347         * JavaScriptCore.vcxproj/jsc/jscLauncher.vcxproj: Change project type to Application.
1348         * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncher.vcxproj: Ditto.
1349         * JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props: Compile and link fix.
1350         * JavaScriptCore.vcxproj/testapi/testapiLauncher.vcxproj: Change project type to Application.
1351
1352 2014-09-01  Akos Kiss  <akiss@inf.u-szeged.hu>
1353
1354         [CMAKE] Add missing offlineasm dependencies
1355         https://bugs.webkit.org/show_bug.cgi?id=136437
1356
1357         Reviewed by Csaba Osztrogonác.
1358
1359         Add the ARM64, MIPS and SH4 backends to the dependencies.
1360
1361         * CMakeLists.txt:
1362
1363 2014-09-01  Brian J. Burg  <burg@cs.washington.edu>
1364
1365         Provide column numbers to DTrace willExecute/didExecute probes
1366         https://bugs.webkit.org/show_bug.cgi?id=136434
1367
1368         Reviewed by Antti Koivisto.
1369
1370         Provide the columnNumber and update stubs for !HAVE(DTRACE).
1371
1372         * profiler/ProfileGenerator.cpp:
1373         (JSC::ProfileGenerator::willExecute):
1374         (JSC::ProfileGenerator::didExecute):
1375         * runtime/Tracing.d:
1376         * runtime/Tracing.h:
1377
1378 2014-09-01  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
1379
1380         [CMAKE] Build warning by INTERFACE_LINK_LIBRARIES
1381         https://bugs.webkit.org/show_bug.cgi?id=136194
1382
1383         Reviewed by Csaba Osztrogonác.
1384
1385         Set the LINK_INTERFACE_LIBRARIES target property on the top level CMakeLists.txt.
1386
1387         * CMakeLists.txt:
1388
1389 2014-08-26  Maciej Stachowiak  <mjs@apple.com>
1390
1391         Use RetainPtr::autorelease in some places where it seems appropriate
1392         https://bugs.webkit.org/show_bug.cgi?id=136280
1393
1394         Reviewed by Darin Adler.
1395
1396         * API/JSContext.mm:
1397         (-[JSContext name]): Use RetainPtr::autorelease() in place of ObjC autorelease.
1398         * API/JSValue.mm:
1399         (valueToString): Make appropriate use of RetainPtr
1400
1401 2014-08-29  Akos Kiss  <akiss@inf.u-szeged.hu>
1402
1403         Ensure that the call frame passed from doVMEntry to the called function always contains the valid scope chain.
1404         https://bugs.webkit.org/show_bug.cgi?id=136391
1405
1406         Reviewed by Michael Saboff.
1407
1408         Do not rely on calling conventions to fill in the CallerFrame component
1409         of the ExecState* parameter of the called function.
1410
1411         * llint/LowLevelInterpreter32_64.asm:
1412         * llint/LowLevelInterpreter64.asm:
1413
1414 2014-08-29  Saam Barati  <sbarati@apple.com>
1415
1416         emit op_profile_type for deconstruction assignments
1417         https://bugs.webkit.org/show_bug.cgi?id=136274
1418
1419         Reviewed by Filip Pizlo.
1420
1421         Enable type profiling for ES6 deconstruction expressions.
1422
1423         * bytecompiler/NodesCodegen.cpp:
1424         (JSC::BindingNode::bindValue):
1425
1426 2014-08-29  Joseph Pecoraro  <pecoraro@apple.com>
1427
1428         JavaScriptCore: Use ASCIILiteral where possible
1429         https://bugs.webkit.org/show_bug.cgi?id=136179
1430
1431         Reviewed by Michael Saboff.
1432
1433         General string / character related changes. Use ASCIILiteral where
1434         possible, jsNontrivialString where possible, and replace string
1435         literals with character literals in some places.
1436
1437         No new tests, no changes to functionality.
1438
1439         * bytecode/CodeBlock.cpp:
1440         (JSC::CodeBlock::nameForRegister):
1441         * bytecompiler/NodesCodegen.cpp:
1442         (JSC::PostfixNode::emitBytecode):
1443         (JSC::PrefixNode::emitBytecode):
1444         (JSC::AssignErrorNode::emitBytecode):
1445         (JSC::ForInNode::emitMultiLoopBytecode):
1446         (JSC::ForOfNode::emitBytecode):
1447         (JSC::ObjectPatternNode::toString):
1448         * dfg/DFGFunctionWhitelist.cpp:
1449         (JSC::DFG::FunctionWhitelist::contains):
1450         * dfg/DFGOperations.cpp:
1451         (JSC::DFG::newTypedArrayWithSize):
1452         (JSC::DFG::newTypedArrayWithOneArgument):
1453         * inspector/ConsoleMessage.cpp:
1454         (Inspector::ConsoleMessage::addToFrontend):
1455         * inspector/InspectorBackendDispatcher.cpp:
1456         (Inspector::InspectorBackendDispatcher::dispatch):
1457         * inspector/ScriptCallStackFactory.cpp:
1458         (Inspector::extractSourceInformationFromException):
1459         * inspector/scripts/codegen/generator_templates.py:
1460         * interpreter/StackVisitor.cpp:
1461         (JSC::StackVisitor::Frame::functionName):
1462         (JSC::StackVisitor::Frame::sourceURL):
1463         * jit/JITOperations.cpp:
1464         * jsc.cpp:
1465         (functionDescribeArray):
1466         (functionRun):
1467         (functionLoad):
1468         (functionReadFile):
1469         (functionCheckSyntax):
1470         (functionTransferArrayBuffer):
1471         (runWithScripts):
1472         (runInteractive):
1473         * parser/Lexer.cpp:
1474         (JSC::Lexer<T>::invalidCharacterMessage):
1475         (JSC::Lexer<T>::parseString):
1476         (JSC::Lexer<T>::parseStringSlowCase):
1477         (JSC::Lexer<T>::lex):
1478         * profiler/Profile.cpp:
1479         (JSC::Profile::Profile):
1480         * runtime/Arguments.cpp:
1481         (JSC::argumentsFuncIterator):
1482         * runtime/ArrayPrototype.cpp:
1483         (JSC::performSlowSort):
1484         (JSC::arrayProtoFuncSort):
1485         * runtime/ExceptionHelpers.cpp:
1486         (JSC::createError):
1487         (JSC::createInvalidParameterError):
1488         (JSC::createNotAConstructorError):
1489         (JSC::createNotAFunctionError):
1490         (JSC::createNotAnObjectError):
1491         (JSC::createErrorForInvalidGlobalAssignment):
1492         * runtime/FunctionPrototype.cpp:
1493         (JSC::insertSemicolonIfNeeded):
1494         * runtime/JSArray.cpp:
1495         (JSC::JSArray::defineOwnProperty):
1496         (JSC::JSArray::pop):
1497         (JSC::JSArray::push):
1498         * runtime/JSArrayBufferConstructor.cpp:
1499         (JSC::JSArrayBufferConstructor::finishCreation):
1500         * runtime/JSArrayBufferPrototype.cpp:
1501         (JSC::arrayBufferProtoFuncSlice):
1502         * runtime/JSDataView.cpp:
1503         (JSC::JSDataView::create):
1504         * runtime/JSDataViewPrototype.cpp:
1505         (JSC::getData):
1506         (JSC::setData):
1507         * runtime/JSGlobalObject.cpp:
1508         (JSC::JSGlobalObject::reset):
1509         * runtime/JSGlobalObjectFunctions.cpp:
1510         (JSC::globalFuncProtoSetter):
1511         * runtime/JSPromiseConstructor.cpp:
1512         (JSC::JSPromiseConstructor::finishCreation):
1513         * runtime/LiteralParser.cpp:
1514         (JSC::LiteralParser<CharType>::Lexer::lex):
1515         (JSC::LiteralParser<CharType>::Lexer::lexString):
1516         (JSC::LiteralParser<CharType>::parse):
1517         * runtime/LiteralParser.h:
1518         (JSC::LiteralParser::getErrorMessage):
1519         * runtime/TypeSet.cpp:
1520         (JSC::TypeSet::seenTypes):
1521         (JSC::TypeSet::displayName):
1522         (JSC::TypeSet::allPrimitiveTypeNames):
1523         (JSC::StructureShape::propertyHash):
1524         (JSC::StructureShape::stringRepresentation):
1525
1526 2014-08-29  Csaba Osztrogonác  <ossy@webkit.org>
1527
1528         Unreviewed, remove empty directories.
1529
1530         * qt: Removed.
1531
1532 2014-08-28  Mark Lam  <mark.lam@apple.com>
1533
1534         DebuggerCallFrame::scope() should return a DebuggerScope.
1535         <https://webkit.org/b/134420>
1536
1537         Reviewed by Geoffrey Garen.
1538
1539         Rolling back in r170680 with the fix for <https://webkit.org/b/135656>.
1540
1541         Previously, DebuggerCallFrame::scope() returned a JSActivation (and relevant
1542         peers) which the WebInspector will use to introspect CallFrame variables.
1543         Instead, we should be returning a DebuggerScope as an abstraction layer that
1544         provides the introspection functionality that the WebInspector needs.  This
1545         is the first step towards not forcing every frame to have a JSActivation
1546         object just because the debugger is enabled.
1547
1548         1. Instantiate the debuggerScopeStructure as a member of the JSGlobalObject
1549            instead of the VM.  This allows JSObject::globalObject() to be able to
1550            return the global object for the DebuggerScope.
1551
1552         2. On the DebuggerScope's life-cycle management:
1553
1554            The DebuggerCallFrame is designed to be "valid" only during a debugging session
1555            (while the debugger is broken) through the use of a DebuggerCallFrameScope in
1556            Debugger::pauseIfNeeded().  Once the debugger resumes from the break, the
1557            DebuggerCallFrameScope destructs, and the DebuggerCallFrame will be invalidated.
1558            We can't guarantee (from this code alone) that the Inspector code isn't still
1559            holding a ref to the DebuggerCallFrame (though they shouldn't), but by contract,
1560            the frame will be invalidated, and any attempt to query it will return null values.
1561            This is pre-existing behavior.
1562
1563            Now, we're adding the DebuggerScope into the picture.  While a single debugger
1564            pause session is in progress, the Inspector may request the scope from the
1565            DebuggerCallFrame.  While the DebuggerCallFrame is still valid, we want
1566            DebuggerCallFrame::scope() to always return the same DebuggerScope object.
1567            This is why we hold on to the DebuggerScope with a strong ref.
1568
1569            If we use a weak ref instead, the following kooky behavior can manifest:
1570            1. The Inspector calls Debugger::scope() to get the top scope.
1571            2. The Inspector iterates down the scope chain and is now only holding a
1572               reference to a parent scope.  It is no longer referencing the top scope.
1573            3. A GC occurs, and the DebuggerCallFrame's weak m_scope ref to the top scope
1574               gets cleared.
1575            4. The Inspector calls DebuggerCallFrame::scope() to get the top scope again but gets
1576               a different DebuggerScope instance.
1577            5. The Inspector iterates down the scope chain but never sees the parent scope
1578               instance that it retained a ref to in step 2 above.  This is because when iterating
1579               this new DebuggerScope instance (which has no knowledge of the previous parent
1580               DebuggerScope instance), a new DebuggerScope instance will get created for the
1581               same parent scope.
1582
1583            Since the DebuggerScope is a JSObject, its liveness is determined by its reachability.
1584            However, its "validity" is determined by the life-cycle of its owner DebuggerCallFrame.
1585            When the owner DebuggerCallFrame gets invalidated, its debugger scope chain (if
1586            instantiated) will also get invalidated.  This is why we need the
1587            DebuggerScope::invalidateChain() method.  The Inspector should not be using the
1588            DebuggerScope instance after its owner DebuggerCallFrame is invalidated.  If it does,
1589            those methods will do nothing or return a failed status.
1590
1591         Fix for <https://webkit.org/b/135656>:
1592         3. DebuggerScope::getOwnPropertySlot() and DebuggerScope::put() need to set
1593            m_thisValue in the returned slot to the wrapped scope object.  Previously,
1594            it was pointing to the DebuggerScope though the rest of the fields in the
1595            returned slot will be set to data pertaining to the wrapped scope object.
1596
1597         4. DebuggerScope::getOwnPropertySlot() will invoke getPropertySlot() on its
1598            wrapped scope.  This is because JSObject::getPropertySlot() cannot be
1599            overridden, and when called on a DebuggerScope, will not know to look in
1600            the prototype chain of the DebuggerScope's wrapped scope.  Hence, we'll
1601            treat all properties in the wrapped scope as own properties in the
1602            DebuggerScope.  This is fine because the WebInspector does not presently
1603            care about where in the prototype chain the scope property comes from.
1604
1605            Note that the DebuggerScope and the JSActivation objects that it wraps do
1606            not have prototypes.  They are always jsNull().  This works perfectly with
1607            the above change to use getPropertySlot() instead of getOwnPropertySlot().
1608            To make this an explicit invariant, I also changed DebuggerScope::createStructure()
1609            and JSActivation::createStructure() to not take a prototype argument, and
1610            to always use jsNull() for their prototype value.
1611
1612         * debugger/Debugger.h:
1613         * debugger/DebuggerCallFrame.cpp:
1614         (JSC::DebuggerCallFrame::scope):
1615         (JSC::DebuggerCallFrame::evaluate):
1616         (JSC::DebuggerCallFrame::invalidate):
1617         * debugger/DebuggerCallFrame.h:
1618         * debugger/DebuggerScope.cpp:
1619         (JSC::DebuggerScope::DebuggerScope):
1620         (JSC::DebuggerScope::finishCreation):
1621         (JSC::DebuggerScope::visitChildren):
1622         (JSC::DebuggerScope::className):
1623         (JSC::DebuggerScope::getOwnPropertySlot):
1624         (JSC::DebuggerScope::put):
1625         (JSC::DebuggerScope::deleteProperty):
1626         (JSC::DebuggerScope::getOwnPropertyNames):
1627         (JSC::DebuggerScope::defineOwnProperty):
1628         (JSC::DebuggerScope::next):
1629         (JSC::DebuggerScope::invalidateChain):
1630         (JSC::DebuggerScope::isWithScope):
1631         (JSC::DebuggerScope::isGlobalScope):
1632         (JSC::DebuggerScope::isFunctionOrEvalScope):
1633         * debugger/DebuggerScope.h:
1634         (JSC::DebuggerScope::create):
1635         (JSC::DebuggerScope::createStructure):
1636         (JSC::DebuggerScope::iterator::iterator):
1637         (JSC::DebuggerScope::iterator::get):
1638         (JSC::DebuggerScope::iterator::operator++):
1639         (JSC::DebuggerScope::iterator::operator==):
1640         (JSC::DebuggerScope::iterator::operator!=):
1641         (JSC::DebuggerScope::isValid):
1642         (JSC::DebuggerScope::jsScope):
1643         (JSC::DebuggerScope::begin):
1644         (JSC::DebuggerScope::end):
1645         * inspector/JSJavaScriptCallFrame.cpp:
1646         (Inspector::JSJavaScriptCallFrame::scopeType):
1647         (Inspector::JSJavaScriptCallFrame::scopeChain):
1648         * inspector/JavaScriptCallFrame.h:
1649         (Inspector::JavaScriptCallFrame::scopeChain):
1650         * inspector/ScriptDebugServer.cpp:
1651         * runtime/JSActivation.h:
1652         (JSC::JSActivation::createStructure):
1653         * runtime/JSGlobalObject.cpp:
1654         (JSC::JSGlobalObject::reset):
1655         (JSC::JSGlobalObject::visitChildren):
1656         * runtime/JSGlobalObject.h:
1657         (JSC::JSGlobalObject::debuggerScopeStructure):
1658         * runtime/JSObject.cpp:
1659         * runtime/JSObject.h:
1660         (JSC::JSObject::isWithScope):
1661         * runtime/JSScope.h:
1662         * runtime/PropertySlot.h:
1663         (JSC::PropertySlot::setThisValue):
1664         * runtime/PutPropertySlot.h:
1665         (JSC::PutPropertySlot::setThisValue):
1666         * runtime/VM.cpp:
1667         (JSC::VM::VM):
1668         * runtime/VM.h:
1669
1670 2014-08-28  Andreas Kling  <akling@apple.com>
1671
1672         Use JSString::toIdentifier() in more places.
1673         <https://webkit.org/b/136348>
1674
1675         Call sites that grab the WTF::String from a JSString using value() can
1676         use the more efficient toIdentifier() if the string is going to be used
1677         to construct an Identifier.
1678
1679         If the JSString is a rope that resolves to something that is already
1680         present in the VM's Identifier table, using toIdentifier() can avoid
1681         allocating a new StringImpl.
1682
1683         Reviewed by Geoffrey Garen.
1684
1685         * jit/JITOperations.cpp:
1686         * llint/LLIntSlowPaths.cpp:
1687         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1688         * runtime/CommonSlowPaths.cpp:
1689         (JSC::SLOW_PATH_DECL):
1690         * runtime/CommonSlowPaths.h:
1691         (JSC::CommonSlowPaths::opIn):
1692         * runtime/JSONObject.cpp:
1693         (JSC::Stringifier::Stringifier):
1694         * runtime/ObjectConstructor.cpp:
1695         (JSC::objectConstructorGetOwnPropertyDescriptor):
1696         (JSC::objectConstructorDefineProperty):
1697         * runtime/ObjectPrototype.cpp:
1698         (JSC::objectProtoFuncPropertyIsEnumerable):
1699
1700 2014-08-27  Filip Pizlo  <fpizlo@apple.com>
1701
1702         DFG should compute immediate dominators using the O(n log n) form of Lengauer and Tarjan's "A Fast Algorithm for Finding Dominators in a Flowgraph"
1703         https://bugs.webkit.org/show_bug.cgi?id=93361
1704
1705         Reviewed by Mark Hahnenberg.
1706         
1707         This patch also adds some new utilities for reasoning about block-keyed maps, block sets,
1708         and block worklists. It changes preexisting code to use these abstractions.
1709         
1710         The main effect of this code is that all current clients of dominators end up using the
1711         results of the new idom calculation. We convert the dom tree to a dominance test using
1712         Dietz's pre/post number range check trick.
1713
1714         * CMakeLists.txt:
1715         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1716         * JavaScriptCore.xcodeproj/project.pbxproj:
1717         * dfg/DFGAnalysis.h:
1718         (JSC::DFG::Analysis::computeIfNecessary):
1719         (JSC::DFG::Analysis::computeDependencies):
1720         * dfg/DFGBlockMap.h: Added.
1721         (JSC::DFG::BlockMap::BlockMap):
1722         (JSC::DFG::BlockMap::size):
1723         (JSC::DFG::BlockMap::atIndex):
1724         (JSC::DFG::BlockMap::operator[]):
1725         * dfg/DFGBlockMapInlines.h: Added.
1726         (JSC::DFG::BlockMap<T>::BlockMap):
1727         * dfg/DFGBlockSet.h: Added.
1728         (JSC::DFG::BlockSet::BlockSet):
1729         (JSC::DFG::BlockSet::add):
1730         (JSC::DFG::BlockSet::contains):
1731         * dfg/DFGBlockWorklist.cpp: Added.
1732         (JSC::DFG::BlockWorklist::BlockWorklist):
1733         (JSC::DFG::BlockWorklist::~BlockWorklist):
1734         (JSC::DFG::BlockWorklist::push):
1735         (JSC::DFG::BlockWorklist::pop):
1736         (JSC::DFG::PostOrderBlockWorklist::PostOrderBlockWorklist):
1737         (JSC::DFG::PostOrderBlockWorklist::~PostOrderBlockWorklist):
1738         (JSC::DFG::PostOrderBlockWorklist::pushPre):
1739         (JSC::DFG::PostOrderBlockWorklist::pushPost):
1740         (JSC::DFG::PostOrderBlockWorklist::pop):
1741         * dfg/DFGBlockWorklist.h: Added.
1742         (JSC::DFG::BlockWorklist::notEmpty):
1743         (JSC::DFG::BlockWith::BlockWith):
1744         (JSC::DFG::BlockWith::operator UnspecifiedBoolType*):
1745         (JSC::DFG::ExtendedBlockWorklist::ExtendedBlockWorklist):
1746         (JSC::DFG::ExtendedBlockWorklist::forcePush):
1747         (JSC::DFG::ExtendedBlockWorklist::push):
1748         (JSC::DFG::ExtendedBlockWorklist::notEmpty):
1749         (JSC::DFG::ExtendedBlockWorklist::pop):
1750         (JSC::DFG::BlockWithOrder::BlockWithOrder):
1751         (JSC::DFG::BlockWithOrder::operator UnspecifiedBoolType*):
1752         (JSC::DFG::PostOrderBlockWorklist::push):
1753         (JSC::DFG::PostOrderBlockWorklist::notEmpty):
1754         * dfg/DFGCSEPhase.cpp:
1755         * dfg/DFGDominators.cpp:
1756         (JSC::DFG::Dominators::compute):
1757         (JSC::DFG::Dominators::naiveDominates):
1758         (JSC::DFG::Dominators::dump):
1759         (JSC::DFG::Dominators::pruneDominators): Deleted.
1760         * dfg/DFGDominators.h:
1761         (JSC::DFG::Dominators::strictlyDominates):
1762         (JSC::DFG::Dominators::dominates):
1763         (JSC::DFG::Dominators::BlockData::BlockData):
1764         * dfg/DFGGraph.cpp:
1765         (JSC::DFG::Graph::dumpBlockHeader):
1766         (JSC::DFG::Graph::getBlocksInPreOrder):
1767         (JSC::DFG::Graph::getBlocksInPostOrder):
1768         * dfg/DFGInvalidationPointInjectionPhase.cpp:
1769         (JSC::DFG::InvalidationPointInjectionPhase::run):
1770         * dfg/DFGNaiveDominators.cpp: Added.
1771         (JSC::DFG::NaiveDominators::NaiveDominators):
1772         (JSC::DFG::NaiveDominators::~NaiveDominators):
1773         (JSC::DFG::NaiveDominators::compute):
1774         (JSC::DFG::NaiveDominators::pruneDominators):
1775         (JSC::DFG::NaiveDominators::dump):
1776         * dfg/DFGNaiveDominators.h: Added.
1777         (JSC::DFG::NaiveDominators::dominates):
1778         * dfg/DFGNaturalLoops.cpp:
1779         (JSC::DFG::NaturalLoops::computeDependencies):
1780         (JSC::DFG::NaturalLoops::compute):
1781         * dfg/DFGNaturalLoops.h:
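
The dominance test described in the entry above, as an added C++ example that is not JSC's DFGDominators code: it computes immediate dominators with the simpler iterative data-flow algorithm of Cooper, Harvey and Kennedy (not the Lengauer-Tarjan algorithm the patch uses), builds the dominator tree, and answers dominates() queries with the pre/post-number range check. The Cfg type, the kNone sentinel and the sample graph (a diamond inside a loop plus an unreachable block) are constructed for this illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

// Constructed CFG type for this illustration (assumed; not JSC's DFG::Graph).
// Block 0 is the root; blocks with no path from the root are unreachable.
struct Cfg {
    explicit Cfg(size_t numBlocks) : successors(numBlocks), predecessors(numBlocks) { }
    size_t numBlocks() const { return successors.size(); }
    void addEdge(size_t from, size_t to) {
        successors[from].push_back(to);
        predecessors[to].push_back(from);
    }
    std::vector<std::vector<size_t>> successors;
    std::vector<std::vector<size_t>> predecessors;
};

static const size_t kNone = SIZE_MAX; // "no block" marker (constructed)

class Dominators {
public:
    explicit Dominators(const Cfg& cfg)
        : m_idom(cfg.numBlocks(), kNone), m_postIndex(cfg.numBlocks(), kNone),
          m_pre(cfg.numBlocks(), kNone), m_post(cfg.numBlocks(), kNone)
    {
        computeIdoms(cfg);
        numberDomTree(cfg.numBlocks());
    }

    // Range-check dominance test: a dominates b iff a is an ancestor of (or equal
    // to) b in the dominator tree, i.e. a was entered no later than b and exited no
    // earlier than b in a DFS of that tree. Unreachable blocks keep kNone in both
    // numbers, so they never dominate anything and are never dominated.
    bool dominates(size_t a, size_t b) const { return m_pre[a] <= m_pre[b] && m_post[b] <= m_post[a]; }
    bool strictlyDominates(size_t a, size_t b) const { return a != b && dominates(a, b); }
    size_t idom(size_t b) const { return m_idom[b]; }

private:
    void computeIdoms(const Cfg& cfg) {
        // Postorder of the reachable blocks via an iterative DFS from the root.
        std::vector<size_t> postorder;
        std::vector<bool> visited(cfg.numBlocks(), false);
        std::vector<std::pair<size_t, size_t>> stack; // (block, next successor index)
        visited[0] = true;
        stack.push_back({0, 0});
        while (!stack.empty()) {
            size_t block = stack.back().first;
            size_t& nextSucc = stack.back().second;
            if (nextSucc < cfg.successors[block].size()) {
                size_t succ = cfg.successors[block][nextSucc++]; // index bumped before push
                if (!visited[succ]) { visited[succ] = true; stack.push_back({succ, 0}); }
                continue;
            }
            m_postIndex[block] = postorder.size();
            postorder.push_back(block);
            stack.pop_back();
        }
        // Iterative data-flow solution: sweep blocks in reverse postorder until no
        // idom changes. The root is its own idom; unprocessed preds are skipped.
        m_idom[0] = 0;
        bool changed = true;
        while (changed) {
            changed = false;
            for (size_t i = postorder.size(); i-- > 0;) {
                size_t block = postorder[i];
                if (block == 0) continue;
                size_t newIdom = kNone;
                for (size_t pred : cfg.predecessors[block]) {
                    if (m_idom[pred] == kNone) continue; // unreachable or not yet processed
                    newIdom = newIdom == kNone ? pred : intersect(pred, newIdom);
                }
                if (newIdom != m_idom[block]) { m_idom[block] = newIdom; changed = true; }
            }
        }
    }

    // Walk up the partially built dominator tree from both blocks until they meet.
    size_t intersect(size_t a, size_t b) const {
        while (a != b) {
            while (m_postIndex[a] < m_postIndex[b]) a = m_idom[a];
            while (m_postIndex[b] < m_postIndex[a]) b = m_idom[b];
        }
        return a;
    }

    // DFS over the dominator tree assigning entry (pre) and exit (post) numbers.
    void numberDomTree(size_t numBlocks) {
        std::vector<std::vector<size_t>> children(numBlocks);
        for (size_t block = 1; block < numBlocks; ++block) {
            if (m_idom[block] != kNone) children[m_idom[block]].push_back(block);
        }
        size_t preCounter = 0, postCounter = 0;
        std::vector<std::pair<size_t, size_t>> stack; // (block, next child index)
        m_pre[0] = preCounter++;
        stack.push_back({0, 0});
        while (!stack.empty()) {
            size_t block = stack.back().first;
            size_t& nextChild = stack.back().second;
            if (nextChild < children[block].size()) {
                size_t child = children[block][nextChild++]; // index bumped before push
                m_pre[child] = preCounter++;
                stack.push_back({child, 0});
                continue;
            }
            m_post[block] = postCounter++;
            stack.pop_back();
        }
    }

    std::vector<size_t> m_idom, m_postIndex, m_pre, m_post;
};

// Constructed sample CFG: 0 -> 1 -> {2, 3} -> 4 -> {1 (back edge), 5}; block 6 unreachable.
Cfg buildExampleCfg() {
    Cfg cfg(7);
    cfg.addEdge(0, 1); cfg.addEdge(1, 2); cfg.addEdge(1, 3);
    cfg.addEdge(2, 4); cfg.addEdge(3, 4); cfg.addEdge(4, 1); cfg.addEdge(4, 5);
    return cfg;
}
```

For the sample graph the dominator tree is 0 -> 1 -> {2, 3, 4} and 4 -> 5, so neither arm of the diamond dominates the join block 4, while 1 dominates everything reachable below it.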
1782
1783 2014-08-27  Filip Pizlo  <fpizlo@apple.com>
1784
1785         FTL should be able to do polymorphic call inlining
1786         https://bugs.webkit.org/show_bug.cgi?id=135145
1787
1788         Reviewed by Geoffrey Garen.
1789         
1790         Added a log-based high-fidelity call edge profiler that runs in DFG JIT (and optionally
1791         baseline JIT) code. Used it to do precise polymorphic inlining in the FTL. Potential
1792         inlining sites use the call edge profile if it is available, but they will still fall back
1793         on the call inline cache and rare case counts if it's not. Polymorphic inlining means that
1794         multiple possible callees can be inlined with a switch to guard them. The slow path may
1795         either be an OSR exit or a virtual call.
1796         
1797         The call edge profiling added in this patch is very precise - it will tell you about every
1798         call that has ever happened. It took some effort to reduce the overhead of this profiling.
1799         This mostly involved ensuring that we don't do it unnecessarily. For example, we avoid it
1800         in the baseline JIT (you can conditionally enable it but it's off by default) and we only do
1801         it in the DFG JIT if we know that the regular inline cache profiling wasn't precise enough.
1802         I also experimented with reducing the precision of the profiling. This led to a significant
1803         reduction in the speed-up, so I avoided this approach. I also explored making log processing
1804         concurrent, but that didn't help. Also, I tested the overhead of the log processing and
1805         found that most of the overhead of this profiling is actually in putting things into the log
1806         rather than in processing the log - that part appears to be surprisingly cheap.
1807         
1808         Polymorphic inlining could be enabled in the DFG if we enabled baseline call edge profiling,
1809         and if we guarded such inlining sites with some profiling mechanism to detect
1810         polyvariant monomorphisation opportunities (where the callsite being inlined reveals that
1811         it's actually monomorphic).
1812         
1813         This is a ~28% speed-up on deltablue and a ~7% speed-up on richards, with small speed-ups on
1814         other programs as well. It's about a 2% speed-up on Octane version 2, and never a regression
1815         on anything we care about. Some aggregates, like V8Spider, see a regression. This is
1816         highlighting the increase in profiling overhead. But since this doesn't show up on any major
1817         score (code-load or SunSpider), it's probably not relevant.
1818         
1819         Relanding after fixing debug assertions in fast/storage/serialized-script-value.html.
1820
1821         * CMakeLists.txt:
1822         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1823         * JavaScriptCore.xcodeproj/project.pbxproj:
1824         * bytecode/CallEdge.cpp: Added.
1825         (JSC::CallEdge::dump):
1826         * bytecode/CallEdge.h: Added.
1827         (JSC::CallEdge::operator!):
1828         (JSC::CallEdge::callee):
1829         (JSC::CallEdge::count):
1830         (JSC::CallEdge::despecifiedClosure):
1831         (JSC::CallEdge::CallEdge):
1832         * bytecode/CallEdgeProfile.cpp: Added.
1833         (JSC::CallEdgeProfile::callEdges):
1834         (JSC::CallEdgeProfile::numCallsToKnownCells):
1835         (JSC::worthDespecifying):
1836         (JSC::CallEdgeProfile::worthDespecifying):
1837         (JSC::CallEdgeProfile::visitWeak):
1838         (JSC::CallEdgeProfile::addSlow):
1839         (JSC::CallEdgeProfile::mergeBack):
1840         (JSC::CallEdgeProfile::fadeByHalf):
1841         (JSC::CallEdgeLog::CallEdgeLog):
1842         (JSC::CallEdgeLog::~CallEdgeLog):
1843         (JSC::CallEdgeLog::isEnabled):
1844         (JSC::operationProcessCallEdgeLog):
1845         (JSC::CallEdgeLog::emitLogCode):
1846         (JSC::CallEdgeLog::processLog):
1847         * bytecode/CallEdgeProfile.h: Added.
1848         (JSC::CallEdgeProfile::numCallsToNotCell):
1849         (JSC::CallEdgeProfile::numCallsToUnknownCell):
1850         (JSC::CallEdgeProfile::totalCalls):
1851         * bytecode/CallEdgeProfileInlines.h: Added.
1852         (JSC::CallEdgeProfile::CallEdgeProfile):
1853         (JSC::CallEdgeProfile::add):
1854         * bytecode/CallLinkInfo.cpp:
1855         (JSC::CallLinkInfo::visitWeak):
1856         * bytecode/CallLinkInfo.h:
1857         * bytecode/CallLinkStatus.cpp:
1858         (JSC::CallLinkStatus::CallLinkStatus):
1859         (JSC::CallLinkStatus::computeFromLLInt):
1860         (JSC::CallLinkStatus::computeFor):
1861         (JSC::CallLinkStatus::computeExitSiteData):
1862         (JSC::CallLinkStatus::computeFromCallLinkInfo):
1863         (JSC::CallLinkStatus::computeFromCallEdgeProfile):
1864         (JSC::CallLinkStatus::computeDFGStatuses):
1865         (JSC::CallLinkStatus::isClosureCall):
1866         (JSC::CallLinkStatus::makeClosureCall):
1867         (JSC::CallLinkStatus::dump):
1868         (JSC::CallLinkStatus::function): Deleted.
1869         (JSC::CallLinkStatus::internalFunction): Deleted.
1870         (JSC::CallLinkStatus::intrinsicFor): Deleted.
1871         * bytecode/CallLinkStatus.h:
1872         (JSC::CallLinkStatus::CallLinkStatus):
1873         (JSC::CallLinkStatus::isSet):
1874         (JSC::CallLinkStatus::couldTakeSlowPath):
1875         (JSC::CallLinkStatus::edges):
1876         (JSC::CallLinkStatus::size):
1877         (JSC::CallLinkStatus::at):
1878         (JSC::CallLinkStatus::operator[]):
1879         (JSC::CallLinkStatus::canOptimize):
1880         (JSC::CallLinkStatus::canTrustCounts):
1881         (JSC::CallLinkStatus::isClosureCall): Deleted.
1882         (JSC::CallLinkStatus::callTarget): Deleted.
1883         (JSC::CallLinkStatus::executable): Deleted.
1884         (JSC::CallLinkStatus::makeClosureCall): Deleted.
1885         * bytecode/CallVariant.cpp: Added.
1886         (JSC::CallVariant::dump):
1887         * bytecode/CallVariant.h: Added.
1888         (JSC::CallVariant::CallVariant):
1889         (JSC::CallVariant::operator!):
1890         (JSC::CallVariant::despecifiedClosure):
1891         (JSC::CallVariant::rawCalleeCell):
1892         (JSC::CallVariant::internalFunction):
1893         (JSC::CallVariant::function):
1894         (JSC::CallVariant::isClosureCall):
1895         (JSC::CallVariant::executable):
1896         (JSC::CallVariant::nonExecutableCallee):
1897         (JSC::CallVariant::intrinsicFor):
1898         (JSC::CallVariant::functionExecutable):
1899         (JSC::CallVariant::isHashTableDeletedValue):
1900         (JSC::CallVariant::operator==):
1901         (JSC::CallVariant::operator!=):
1902         (JSC::CallVariant::operator<):
1903         (JSC::CallVariant::operator>):
1904         (JSC::CallVariant::operator<=):
1905         (JSC::CallVariant::operator>=):
1906         (JSC::CallVariant::hash):
1907         (JSC::CallVariant::deletedToken):
1908         (JSC::CallVariantHash::hash):
1909         (JSC::CallVariantHash::equal):
1910         * bytecode/CodeOrigin.h:
1911         (JSC::InlineCallFrame::isNormalCall):
1912         * bytecode/ExitKind.cpp:
1913         (JSC::exitKindToString):
1914         * bytecode/ExitKind.h:
1915         * bytecode/GetByIdStatus.cpp:
1916         (JSC::GetByIdStatus::computeForStubInfo):
1917         * bytecode/PutByIdStatus.cpp:
1918         (JSC::PutByIdStatus::computeForStubInfo):
1919         * dfg/DFGAbstractInterpreterInlines.h:
1920         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1921         * dfg/DFGBackwardsPropagationPhase.cpp:
1922         (JSC::DFG::BackwardsPropagationPhase::propagate):
1923         * dfg/DFGBasicBlock.cpp:
1924         (JSC::DFG::BasicBlock::~BasicBlock):
1925         * dfg/DFGBasicBlock.h:
1926         (JSC::DFG::BasicBlock::takeLast):
1927         (JSC::DFG::BasicBlock::didLink):
1928         * dfg/DFGByteCodeParser.cpp:
1929         (JSC::DFG::ByteCodeParser::processSetLocalQueue):
1930         (JSC::DFG::ByteCodeParser::removeLastNodeFromGraph):
1931         (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
1932         (JSC::DFG::ByteCodeParser::addCall):
1933         (JSC::DFG::ByteCodeParser::handleCall):
1934         (JSC::DFG::ByteCodeParser::emitFunctionChecks):
1935         (JSC::DFG::ByteCodeParser::undoFunctionChecks):
1936         (JSC::DFG::ByteCodeParser::inliningCost):
1937         (JSC::DFG::ByteCodeParser::inlineCall):
1938         (JSC::DFG::ByteCodeParser::cancelLinkingForBlock):
1939         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
1940         (JSC::DFG::ByteCodeParser::handleInlining):
1941         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1942         (JSC::DFG::ByteCodeParser::prepareToParseBlock):
1943         (JSC::DFG::ByteCodeParser::clearCaches):
1944         (JSC::DFG::ByteCodeParser::parseBlock):
1945         (JSC::DFG::ByteCodeParser::linkBlock):
1946         (JSC::DFG::ByteCodeParser::linkBlocks):
1947         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1948         * dfg/DFGCPSRethreadingPhase.cpp:
1949         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
1950         * dfg/DFGClobberize.h:
1951         (JSC::DFG::clobberize):
1952         * dfg/DFGCommon.h:
1953         * dfg/DFGConstantFoldingPhase.cpp:
1954         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1955         * dfg/DFGDoesGC.cpp:
1956         (JSC::DFG::doesGC):
1957         * dfg/DFGDriver.cpp:
1958         (JSC::DFG::compileImpl):
1959         * dfg/DFGFixupPhase.cpp:
1960         (JSC::DFG::FixupPhase::fixupNode):
1961         * dfg/DFGGraph.cpp:
1962         (JSC::DFG::Graph::dump):
1963         (JSC::DFG::Graph::getBlocksInPreOrder):
1964         (JSC::DFG::Graph::visitChildren):
1965         * dfg/DFGJITCompiler.cpp:
1966         (JSC::DFG::JITCompiler::link):
1967         * dfg/DFGLazyJSValue.cpp:
1968         (JSC::DFG::LazyJSValue::switchLookupValue):
1969         * dfg/DFGLazyJSValue.h:
1970         (JSC::DFG::LazyJSValue::switchLookupValue): Deleted.
1971         * dfg/DFGNode.cpp:
1972         (WTF::printInternal):
1973         * dfg/DFGNode.h:
1974         (JSC::DFG::OpInfo::OpInfo):
1975         (JSC::DFG::Node::hasHeapPrediction):
1976         (JSC::DFG::Node::hasCellOperand):
1977         (JSC::DFG::Node::cellOperand):
1978         (JSC::DFG::Node::setCellOperand):
1979         (JSC::DFG::Node::canBeKnownFunction): Deleted.
1980         (JSC::DFG::Node::hasKnownFunction): Deleted.
1981         (JSC::DFG::Node::knownFunction): Deleted.
1982         (JSC::DFG::Node::giveKnownFunction): Deleted.
1983         (JSC::DFG::Node::hasFunction): Deleted.
1984         (JSC::DFG::Node::function): Deleted.
1985         (JSC::DFG::Node::hasExecutable): Deleted.
1986         (JSC::DFG::Node::executable): Deleted.
1987         * dfg/DFGNodeType.h:
1988         * dfg/DFGPhantomCanonicalizationPhase.cpp:
1989         (JSC::DFG::PhantomCanonicalizationPhase::run):
1990         * dfg/DFGPhantomRemovalPhase.cpp:
1991         (JSC::DFG::PhantomRemovalPhase::run):
1992         * dfg/DFGPredictionPropagationPhase.cpp:
1993         (JSC::DFG::PredictionPropagationPhase::propagate):
1994         * dfg/DFGSafeToExecute.h:
1995         (JSC::DFG::safeToExecute):
1996         * dfg/DFGSpeculativeJIT.cpp:
1997         (JSC::DFG::SpeculativeJIT::emitSwitch):
1998         * dfg/DFGSpeculativeJIT32_64.cpp:
1999         (JSC::DFG::SpeculativeJIT::emitCall):
2000         (JSC::DFG::SpeculativeJIT::compile):
2001         * dfg/DFGSpeculativeJIT64.cpp:
2002         (JSC::DFG::SpeculativeJIT::emitCall):
2003         (JSC::DFG::SpeculativeJIT::compile):
2004         * dfg/DFGStructureRegistrationPhase.cpp:
2005         (JSC::DFG::StructureRegistrationPhase::run):
2006         * dfg/DFGTierUpCheckInjectionPhase.cpp:
2007         (JSC::DFG::TierUpCheckInjectionPhase::run):
2008         (JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling):
2009         * dfg/DFGValidate.cpp:
2010         (JSC::DFG::Validate::validate):
2011         * dfg/DFGWatchpointCollectionPhase.cpp:
2012         (JSC::DFG::WatchpointCollectionPhase::handle):
2013         * ftl/FTLCapabilities.cpp:
2014         (JSC::FTL::canCompile):
2015         * ftl/FTLLowerDFGToLLVM.cpp:
2016         (JSC::FTL::ftlUnreachable):
2017         (JSC::FTL::LowerDFGToLLVM::lower):
2018         (JSC::FTL::LowerDFGToLLVM::compileNode):
2019         (JSC::FTL::LowerDFGToLLVM::compileCheckCell):
2020         (JSC::FTL::LowerDFGToLLVM::compileCheckBadCell):
2021         (JSC::FTL::LowerDFGToLLVM::compileGetExecutable):
2022         (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
2023         (JSC::FTL::LowerDFGToLLVM::compileSwitch):
2024         (JSC::FTL::LowerDFGToLLVM::buildSwitch):
2025         (JSC::FTL::LowerDFGToLLVM::compileCheckFunction): Deleted.
2026         (JSC::FTL::LowerDFGToLLVM::compileCheckExecutable): Deleted.
2027         * heap/Heap.cpp:
2028         (JSC::Heap::collect):
2029         * jit/AssemblyHelpers.h:
2030         (JSC::AssemblyHelpers::storeValue):
2031         (JSC::AssemblyHelpers::loadValue):
2032         * jit/CCallHelpers.h:
2033         (JSC::CCallHelpers::setupArguments):
2034         * jit/GPRInfo.h:
2035         (JSC::JSValueRegs::uses):
2036         * jit/JITCall.cpp:
2037         (JSC::JIT::compileOpCall):
2038         * jit/JITCall32_64.cpp:
2039         (JSC::JIT::compileOpCall):
2040         * runtime/Options.h:
2041         * runtime/VM.cpp:
2042         (JSC::VM::ensureCallEdgeLog):
2043         * runtime/VM.h:
2044         * tests/stress/fold-profiled-call-to-call.js: Added. This test pinpoints the problem we saw in fast/storage/serialized-script-value.html.
2045         * tests/stress/new-array-then-exit.js: Added.
2046         * tests/stress/poly-call-exit-this.js: Added.
2047         * tests/stress/poly-call-exit.js: Added.
2048
2049 2014-08-28  Julien Brianceau   <jbriance@cisco.com>
2050
2051         Correct GC length unit and prevent division by 0 in showObjectStatistics.
2052         https://bugs.webkit.org/show_bug.cgi?id=136340
2053
2054         Reviewed by Mark Hahnenberg.
2055
2056         * heap/HeapStatistics.cpp:
2057         (JSC::HeapStatistics::showObjectStatistics):
2058
2059 2014-08-27  Akos Kiss  <akiss@inf.u-szeged.hu>
2060
2061         Ensure that the call frame passed from JIT code via JSC::operationCallEval to JSC::eval always contains the valid scope chain.
2062         https://bugs.webkit.org/show_bug.cgi?id=136313
2063
2064         Reviewed by Michael Saboff.
2065
2066         Do not rely on calling conventions to fill in the CallerFrame component
2067         of the execCallee parameter of JSC::operationCallEval.
2068
2069         * jit/JITOperations.cpp:
2070
2071 2014-08-27  Saam Barati  <sbarati@apple.com>
2072
2073         Deconstruction object pattern node emits the wrong start/end text positions
2074         https://bugs.webkit.org/show_bug.cgi?id=136304
2075
2076         Reviewed by Geoffrey Garen.
2077
2078         Object pattern nodes that used the syntactic sugar binding: 
2079         'var {foo} = {foo:20}' instead of 'var {foo:foo} = {foo:20}' 
2080         would get the wrong text position for variable 'foo'. The position 
2081         would be placed on the comma(s)/closing brace instead of the identifier. 
2082         This patch fixes this bug by caching the identifier's JSToken before 
2083         trying to parse an optional colon.
2084
2085         * parser/Parser.cpp:
2086         (JSC::Parser<LexerType>::parseVarDeclarationList):
2087         (JSC::Parser<LexerType>::createBindingPattern):
2088         (JSC::Parser<LexerType>::parseDeconstructionPattern):
2089         * parser/Parser.h:
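
        The position bug described in this entry, as an added illustration that is not
        JavaScriptCore's Parser: a toy tokenizer and object-pattern parser that records the
        source span of each bound variable. The grammar subset, the Token/Binding layout and
        the cachePropertyToken switch that selects the buggy or the fixed bookkeeping are
        assumptions made for this example.

```cpp
// Added example, not JavaScriptCore's Parser: a toy tokenizer and object-pattern
// parser that records the source span of each bound variable. The grammar
// subset, token layout and the bug/fix switch are assumptions for this
// illustration.
#include <cctype>
#include <cstddef>
#include <string>
#include <vector>

struct Token { std::string text; std::size_t start; std::size_t end; };

// Splits "{foo, bar: baz}" into identifier tokens and one-character punctuation,
// recording [start, end) offsets into the source.
std::vector<Token> tokenize(const std::string& src) {
    std::vector<Token> out;
    std::size_t i = 0;
    while (i < src.size()) {
        unsigned char c = static_cast<unsigned char>(src[i]);
        if (std::isspace(c)) { ++i; continue; }
        std::size_t start = i;
        if (std::isalpha(c) || c == '_') {
            while (i < src.size()
                   && (std::isalnum(static_cast<unsigned char>(src[i])) || src[i] == '_'))
                ++i;
        } else {
            ++i;
        }
        out.push_back(Token{src.substr(start, i - start), start, i});
    }
    return out;
}

struct Binding { std::string name; std::size_t start; std::size_t end; };

// Parses a well-formed "{ prop, prop: name, ... }". For "prop: name" the bound
// identifier is the current token when the binding is created, so its span is
// right either way. For the shorthand "prop" the parser has already advanced
// past the identifier to look for the optional colon; reading the span from the
// current token at that point (cachePropertyToken == false) records the
// following ',' or '}', which is the bug. Caching the identifier's token before
// trying the colon (cachePropertyToken == true) is the fix.
std::vector<Binding> parseObjectPattern(const std::string& src, bool cachePropertyToken) {
    std::vector<Token> toks = tokenize(src);
    std::vector<Binding> bindings;
    std::size_t i = 1;                                   // skip the opening '{'
    while (i < toks.size() && toks[i].text != "}") {
        Token propertyToken = toks[i++];                 // cached copy of the identifier token
        if (i < toks.size() && toks[i].text == ":") {
            ++i;                                         // explicit "prop: name"
            Token nameToken = toks[i++];
            bindings.push_back(Binding{nameToken.text, nameToken.start, nameToken.end});
        } else if (cachePropertyToken) {
            bindings.push_back(Binding{propertyToken.text, propertyToken.start, propertyToken.end});
        } else {
            // Bug: the current token is now ',' or '}', not the identifier.
            const Token& current = i < toks.size() ? toks[i] : propertyToken;
            bindings.push_back(Binding{propertyToken.text, current.start, current.end});
        }
        if (i < toks.size() && toks[i].text == ",")
            ++i;
    }
    return bindings;
}
```

        On "{foo, bar: baz}" the fixed variant places foo at offsets [1, 4); the buggy variant
        places it on the comma at [4, 5), while baz at [11, 14) is right in both, matching the
        entry's observation that only the shorthand form was affected.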
2090
2091 2014-08-27  Brent Fulgham  <bfulgham@apple.com>
2092
2093         [Win] Build fix after last commit.
2094
2095         Check in new DLLLauncherMain.cpp file.
2096
2097         * JavaScriptCore.vcxproj/jsc/DLLLauncherMain.cpp: Added.
2098         (enableTerminationOnHeapCorruption):
2099         (getStringValue):
2100         (applePathFromRegistry):
2101         (appleApplicationSupportDirectory):
2102         (copyEnvironmentVariable):
2103         (prependPath):
2104         (fatalError):
2105         (directoryExists):
2106         (modifyPath):
2107         (getLastErrorString):
2108         (wWinMain):
2109
2110 2014-08-27  Brent Fulgham  <bfulgham@apple.com>
2111
2112         [Win] testapi and testRegExp need to find support libraries.
2113         https://bugs.webkit.org/show_bug.cgi?id=136008.
2114
2115         Reviewed by Dean Jackson.
2116
2117         Revise the Windows build of jsc, testapi, and testRegExp so that they
2118         find and use the proper runtime support libraries.
2119
2120         These locations vary between the Apple Windows build and WinCairo, and
2121         are generally not in the system PATH environment setting. Consequently,
2122         these applications fail on launch unless the user modifies their
2123         PATH.
2124
2125         This patch revises these tools to work like WinLauncher and DumpRenderTree
2126         so that they run reliably.
2127
2128         * API/tests/testapi.c:
2129         (dllLauncherEntryPoint): Added.
2130         * JavaScriptCore.vcxproj/JavaScriptCore.sln: Add new build projects and
2131           provide proper dependencies with existing projects.
2132         * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: Ditto.
2133         * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: Switch to build
2134           a DLL, rather than an executable.
2135         * JavaScriptCore.vcxproj/jsc/jscCommon.props: Add shlwapi.lib
2136           to the list of libraries needed at link-time, and to use
2137           the DLL/Console combination entry point.
2138         * JavaScriptCore.vcxproj/jsc/jscLauncher.vcxproj: Added.
2139         * JavaScriptCore.vcxproj/jsc/jscLauncherPostBuild.cmd: Copied from JavaScriptCore.vcxproj/jsc/jscPostBuild.cmd.
2140         * JavaScriptCore.vcxproj/jsc/jscLauncherPreBuild.cmd: Copied from JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd.
2141         * JavaScriptCore.vcxproj/jsc/jscLauncherPreLink.cmd: Copied from JavaScriptCore.vcxproj/jsc/jscPreLink.cmd.
2142         * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: Switch to build
2143           a DLL, rather than an executable.
2144         * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props: Add shlwapi.lib
2145           to the list of libraries needed at link-time, and to use
2146           the DLL/Console combination entry point.
2147         * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncher.vcxproj: Added.
2148         * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncherPostBuild.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPostBuild.cmd.
2149         * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncherPreBuild.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd.
2150         * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncherPreLink.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPreLink.cmd.
2151         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: Switch to build
2152           a DLL, rather than an executable.
2153         * JavaScriptCore.vcxproj/testapi/testapiLauncher.vcxproj: Added.
2154         * JavaScriptCore.vcxproj/testapi/testapiCommon.props: Add shlwapi.lib
2155           to the list of libraries needed at link-time, and to use
2156           the DLL/Console combination entry point.
2157         * JavaScriptCore.vcxproj/testapi/testapiLauncherPostBuild.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPostBuild.cmd.
2158         * JavaScriptCore.vcxproj/testapi/testapiLauncherPreBuild.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd.
2159         * JavaScriptCore.vcxproj/testapi/testapiLauncherPreLink.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPreLink.cmd.
2160         * jsc.cpp:
2161         (dllLauncherEntryPoint): Added.
2162         * testRegExp.cpp:
2163         (dllLauncherEntryPoint): Added.
2164
2165 2014-08-27  Julien Brianceau   <jbriance@cisco.com>
2166
2167         Take advantage of 3 parameters or32() calls
2168         https://bugs.webkit.org/show_bug.cgi?id=136287
2169
2170         Reviewed by Michael Saboff.
2171
2172         For specific architectures (arm and mips for instance), or32() calls
2173         with 3 parameters are likely to produce a single instruction.
2174
2175         * dfg/DFGSpeculativeJIT32_64.cpp:
2176         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
2177         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
2178         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
2179         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
2180         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
2181         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
2182         (JSC::DFG::SpeculativeJIT::branchIsOther):
2183         (JSC::DFG::SpeculativeJIT::branchNotOther):
2184
2185 2014-08-26  Brian J. Burg  <burg@cs.washington.edu>
2186
2187         Web Inspector: put feature flags for Inspector domains in the protocol specification
2188         https://bugs.webkit.org/show_bug.cgi?id=136027
2189
2190         Reviewed by Timothy Hatcher.
2191
2192         Remove the hardcoded map of domains to feature guards, and instead parse it from the specification.
2193
2194         Test: inspector/scripts/tests/generate-domains-with-feature-guards.json
2195
2196         * inspector/scripts/codegen/generator.py:
2197         (Generator.wrap_with_guard_for_domain):
2198         * inspector/scripts/codegen/models.py:
2199         (Protocol.parse_domain):
2200         (Domain.__init__):
2201         (Domains):
2202         * inspector/scripts/tests/generate-domains-with-feature-guards.json: Added.
2203         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2204         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2205         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2206         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2207         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2208
2209 2014-08-26  Andy Estes  <aestes@apple.com>
2210
2211         [Cocoa] Some projects are incorrectly installed to $BUILT_PRODUCTS_DIR
2212         https://bugs.webkit.org/show_bug.cgi?id=136267
2213
2214         Reviewed by Dan Bernstein.
2215
2216         INSTALL_PATH was set to $BUILT_PRODUCTS_DIR for engineering configurations in r20225 as part of a build fix.
2217         Not only is this no longer necessary to build, but it causes built products to be incorrectly installed in
2218         engineering configurations.
2219
2220         Remove the setting of INSTALL_PATH from the pbxproj file so that the value specified in the xcconfig files is
2221         used instead.
2222
2223         * JavaScriptCore.xcodeproj/project.pbxproj:
2224
2225 2014-08-26  Michael Saboff  <msaboff@apple.com>
2226
2227         [Win] 64-bit JavaScriptCore crashes on launch
2228         https://bugs.webkit.org/show_bug.cgi?id=136241
2229
2230         Reviewed by Mark Lam.
2231
2232         * llint/LowLevelInterpreter.asm:
2233         (vmEntryRecord): X86_64_WIN doesn't use "a0" (rax) for the first argument; it uses
2234         "t2" (rcx).  Changed to get the input parameter using the correct register.
2235
2236 2014-08-26  Saam Barati  <sbarati@apple.com>
2237
2238         TypeSet caches structureIDs even after the corresponding Structure could be GCed
2239         https://bugs.webkit.org/show_bug.cgi?id=136178
2240
2241         Reviewed by Geoffrey Garen.
2242
2243         Currently, TypeSet will never remove StructureIDs from its cache,
2244         even after the corresponding Structures could be garbage collected.
2245         Now, when the Garbage Collector collects, and type profiling is 
2246         enabled, the Garbage Collector will invalidate all TypeSet caches.
2247
2248         * heap/Heap.cpp:
2249         (JSC::Heap::collect):
2250         * runtime/TypeSet.cpp:
2251         (JSC::TypeSet::addTypeInformation):
2252         (JSC::TypeSet::invalidateCache):
2253         * runtime/TypeSet.h:
2254         * runtime/VM.cpp:
2255         (JSC::VM::invalidateTypeSetCache):
2256         * runtime/VM.h:
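
        The stale-cache problem this entry fixes, as an added illustration that is not
        JavaScriptCore code: a TypeSet that short-circuits on StructureIDs it has already
        recorded, and a tiny mark/sweep Heap whose IDs are recycled after a sweep. The Heap,
        the ID free list, the registerTypeSet hook and the class-name bookkeeping are
        assumptions for this example; JSC's Heap::collect and TypeSet differ in detail. The
        example shows what the entry implies: once a Structure dies and its ID is reused, a
        cache that was never invalidated mistakes the new Structure for one it already saw.

```cpp
// Added example, not JavaScriptCore code: why a cache of StructureIDs has to be
// invalidated when the collector runs. The mark/sweep Heap, its ID recycling
// and the TypeSet here are simplified assumptions for this illustration; JSC's
// Heap::collect and TypeSet differ in detail.
#include <cstddef>
#include <cstdint>
#include <map>
#include <set>
#include <string>
#include <vector>

using StructureID = std::uint32_t;

struct Structure {
    StructureID id;
    std::string className;   // what the profiler records, e.g. "Object"
    bool marked;
};

// The types observed at one program point. The ID cache lets a Structure that
// was already recorded be skipped cheaply, which is only sound while no ID can
// refer to a different Structure than it did when it was cached.
class TypeSet {
public:
    void addTypeInformation(const Structure& s) {
        if (m_structureIDCache.count(s.id))
            return;                                  // believed "already seen"
        m_structureIDCache.insert(s.id);
        m_seenClassNames.insert(s.className);
    }
    // The fix: forget cached IDs whenever the Structures behind them may have died.
    void invalidateCache() { m_structureIDCache.clear(); }
    const std::set<std::string>& seenClassNames() const { return m_seenClassNames; }
private:
    std::set<StructureID> m_structureIDCache;
    std::set<std::string> m_seenClassNames;
};

// Minimal mark/sweep heap whose StructureIDs return to a free list after a
// sweep (assumed recycling behaviour for the example).
class Heap {
public:
    explicit Heap(bool typeProfilingEnabled) : m_typeProfilingEnabled(typeProfilingEnabled) {}

    Structure* allocate(const std::string& className) {
        StructureID id;
        if (!m_freeIDs.empty()) {
            id = *m_freeIDs.begin();
            m_freeIDs.erase(m_freeIDs.begin());
        } else {
            id = m_nextID++;
        }
        auto inserted = m_live.emplace(id, Structure{id, className, false});
        return &inserted.first->second;             // std::map nodes are pointer-stable
    }
    void registerTypeSet(TypeSet* ts) { m_typeSets.push_back(ts); }

    // Sweep: unmarked Structures die and their IDs become reusable. With type
    // profiling on, every TypeSet cache is invalidated in the same collection.
    std::size_t collect() {
        std::size_t freed = 0;
        for (auto it = m_live.begin(); it != m_live.end();) {
            if (!it->second.marked) {
                m_freeIDs.insert(it->first);
                it = m_live.erase(it);
                ++freed;
            } else {
                it->second.marked = false;           // clear the mark for the next cycle
                ++it;
            }
        }
        if (m_typeProfilingEnabled)
            for (TypeSet* ts : m_typeSets)
                ts->invalidateCache();
        return freed;
    }
private:
    bool m_typeProfilingEnabled;
    StructureID m_nextID = 1;
    std::map<StructureID, Structure> m_live;
    std::set<StructureID> m_freeIDs;
    std::vector<TypeSet*> m_typeSets;
};

// Constructed scenario: record a Structure, let it die in a collection, then
// record a different Structure that received the recycled ID. Returns the class
// names the profiler ended up with.
std::set<std::string> observedTypes(bool invalidateCachesOnCollect) {
    Heap heap(invalidateCachesOnCollect);
    TypeSet types;
    heap.registerTypeSet(&types);

    Structure* object = heap.allocate("Object");     // receives ID 1
    types.addTypeInformation(*object);
    heap.collect();                                  // nothing marked: "Object" dies, ID 1 is free
    Structure* array = heap.allocate("Array");       // reuses ID 1
    types.addTypeInformation(*array);                // a stale cache calls this "already seen"
    return types.seenClassNames();
}
```

        Without invalidation observedTypes(false) reports only "Object"; with invalidation
        on collect, observedTypes(true) reports both "Object" and "Array". The same hazard
        applies to any profiler or inline cache keyed by an identifier the allocator may
        hand out again.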
2257
2258 2014-08-26  Michael Saboff  <msaboff@apple.com>
2259
2260         REGRESSION(r172794) + 32Bit build: for-in-base-reassigned-later-and-change-structure.js fail with NaN result
2261         https://bugs.webkit.org/show_bug.cgi?id=136187
2262
2263         Reviewed by Mark Hahnenberg.
2264
2265         Added a two-argument version, for 32-bit builds, of callOperation(J_JITOperation_ECJ, ...) that
2266         doesn't require a tag for the second argument; instead it fills in a CellTag.  This is
2267         used for the slow case of the GetDirectPname case in SpeculativeJIT::compile since we
2268         haven't set up a register with a tag and we know that argument 2 is a cell.
2269
2270         * dfg/DFGSpeculativeJIT.h:
2271         (JSC::DFG::SpeculativeJIT::callOperation): New version with implicit CellTag.
2272         * dfg/DFGSpeculativeJIT32_64.cpp:
2273         (JSC::DFG::SpeculativeJIT::compile): Eliminated extraneous filling of the scratchGPR
2274         with CellTag as it wasn't in the control flow for the slow path that needed the tag.
2275         Instead changed to calling new version of callOperation with an implicit CellTag.
2276
2277 2014-08-26  Commit Queue  <commit-queue@webkit.org>
2278
2279         Unreviewed, rolling out r172940.
2280         https://bugs.webkit.org/show_bug.cgi?id=136256
2281
2282         Caused assertions on fast/storage/serialized-script-value.html,
2283         and possibly flakiness on more tests (Requested by
2284         ap on #webkit).
2285
2286         Reverted changeset:
2287
2288         "FTL should be able to do polymorphic call inlining"
2289         https://bugs.webkit.org/show_bug.cgi?id=135145
2290         http://trac.webkit.org/changeset/172940
2291
2292 2014-08-26  Michael Saboff  <msaboff@apple.com>
2293
2294         REGRESSION(r172794) + 32Bit build: ASSERT failures in for-in-tests.js tests.
2295         https://bugs.webkit.org/show_bug.cgi?id=136165
2296
2297         Reviewed by Mark Hahnenberg.
2298
2299         Changed switch case GetDirectPname: to always use the slow path for X86 since it only has
2300         6 registers available, but the code requires 7.
2301
2302         * dfg/DFGSpeculativeJIT32_64.cpp:
2303         (JSC::DFG::SpeculativeJIT::compile):
2304
2305 2014-08-25  Saam Barati  <sbarati@apple.com>
2306
2307         TypeProfiler search breaks on return statements
2308         https://bugs.webkit.org/show_bug.cgi?id=136201
2309
2310         Reviewed by Filip Pizlo.
2311
2312         Searching for return statements in the TypeProfiler currently 
2313         breaks down because it expected to see the search descriptor 
2314         TypeProfilerSearchDescriptorFunctionReturn when looking for 
2315         return statements in the actual source code of the program. 
2316         But, TypeProfilerSearchDescriptorFunctionReturn search descriptor 
2317         is reserved for looking for return statements that aren't in the 
2318         actual source code of the program, but when asking for the 
2319         aggregate return type of a function. Now, searching for 
2320         return statements in the actual source code of the program will 
2321         work when passing in the search descriptor TypeProfilerSearchDescriptorNormal.  
2322
2323         * bytecode/CodeBlock.cpp:
2324         (JSC::CodeBlock::CodeBlock):
2325         * runtime/TypeProfiler.cpp:
2326         (JSC::TypeProfiler::findLocation):
2327         (JSC::descriptorMatchesTypeLocation): Deleted.
2328
2329 2014-08-25  Saam Barati  <sbarati@apple.com>
2330
2331         Return statement TypeSet's might be duplicated
2332         https://bugs.webkit.org/show_bug.cgi?id=136200
2333
2334         Reviewed by Filip Pizlo.
2335
2336         Currently, the globalTypeSet that converges the types of all 
2337         return statements in a function lives off of CodeBlock. It lives 
2338         off CodeBlock because of a faulty assumption that CodeBlock 
2339         will have a one to one mapping with a function in the source 
2340         text of the program. (Currently, there isn't an actual bug 
2341         with this design because TypeLocationCache will hash cons to 
2342         the same TypeLocation, but this is still an incorrect design). 
2343         In this patch, the globalTypeSet for function return statements  
2344         is moved to the FunctionExecutable object which does have a one 
2345         to one mapping with functions in the source text of a program.
2346
2347         * bytecode/CodeBlock.cpp:
2348         (JSC::CodeBlock::CodeBlock):
2349         * bytecode/CodeBlock.h:
2350         (JSC::CodeBlock::returnStatementTypeSet): Deleted.
2351         * runtime/Executable.h:
2352         (JSC::FunctionExecutable::returnStatementTypeSet):
2353
2354 2014-08-24  Filip Pizlo  <fpizlo@apple.com>
2355
2356         FTL should be able to do polymorphic call inlining
2357         https://bugs.webkit.org/show_bug.cgi?id=135145
2358
2359         Reviewed by Geoffrey Garen.
2360         
2361         Added a log-based high-fidelity call edge profiler that runs in DFG JIT (and optionally
2362         baseline JIT) code. Used it to do precise polymorphic inlining in the FTL. Potential
2363         inlining sites use the call edge profile if it is available, but they will still fall back
2364         on the call inline cache and rare case counts if it's not. Polymorphic inlining means that
2365         multiple possible callees can be inlined with a switch to guard them. The slow path may
2366         either be an OSR exit or a virtual call.
2367         
2368         The call edge profiling added in this patch is very precise - it will tell you about every
2369         call that has ever happened. It took some effort to reduce the overhead of this profiling.
2370         This mostly involved ensuring that we don't do it unnecessarily. For example, we avoid it
2371         in the baseline JIT (you can conditionally enable it but it's off by default) and we only do
2372         it in the DFG JIT if we know that the regular inline cache profiling wasn't precise enough.
2373         I also experimented with reducing the precision of the profiling. This led to a significant
2374         reduction in the speed-up, so I avoided this approach. I also explored making log processing
2375         concurrent, but that didn't help. Also, I tested the overhead of the log processing and
2376         found that most of the overhead of this profiling is actually in putting things into the log
2377         rather than in processing the log - that part appears to be surprisingly cheap.
2378         
2379         Polymorphic inlining could be enabled in the DFG if we enabled baseline call edge profiling,
2380         and if we guarded such inlining sites with some profiling mechanism to detect
2381         polyvariant monomorphisation opportunities (where the callsite being inlined reveals that
2382         it's actually monomorphic).
2383         
2384         This is a ~28% speed-up on deltablue and a ~7% speed-up on richards, with small speed-ups on
2385         other programs as well. It's about a 2% speed-up on Octane version 2, and never a regression
2386         on anything we care about. Some aggregates, like V8Spider, see a regression. This is
2387         highlighting the increase in profiling overhead. But since this doesn't show up on any major
2388         score (code-load or SunSpider), it's probably not relevant.
2389         
2390         * CMakeLists.txt:
2391         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2392         * JavaScriptCore.xcodeproj/project.pbxproj:
2393         * bytecode/CallEdge.cpp: Added.
2394         (JSC::CallEdge::dump):
2395         * bytecode/CallEdge.h: Added.
2396         (JSC::CallEdge::operator!):
2397         (JSC::CallEdge::callee):
2398         (JSC::CallEdge::count):
2399         (JSC::CallEdge::despecifiedClosure):
2400         (JSC::CallEdge::CallEdge):
2401         * bytecode/CallEdgeProfile.cpp: Added.
2402         (JSC::CallEdgeProfile::callEdges):
2403         (JSC::CallEdgeProfile::numCallsToKnownCells):
2404         (JSC::worthDespecifying):
2405         (JSC::CallEdgeProfile::worthDespecifying):
2406         (JSC::CallEdgeProfile::visitWeak):
2407         (JSC::CallEdgeProfile::addSlow):
2408         (JSC::CallEdgeProfile::mergeBack):
2409         (JSC::CallEdgeProfile::fadeByHalf):
2410         (JSC::CallEdgeLog::CallEdgeLog):
2411         (JSC::CallEdgeLog::~CallEdgeLog):
2412         (JSC::CallEdgeLog::isEnabled):
2413         (JSC::operationProcessCallEdgeLog):
2414         (JSC::CallEdgeLog::emitLogCode):
2415         (JSC::CallEdgeLog::processLog):
2416         * bytecode/CallEdgeProfile.h: Added.
2417         (JSC::CallEdgeProfile::numCallsToNotCell):
2418         (JSC::CallEdgeProfile::numCallsToUnknownCell):
2419         (JSC::CallEdgeProfile::totalCalls):
2420         * bytecode/CallEdgeProfileInlines.h: Added.
2421         (JSC::CallEdgeProfile::CallEdgeProfile):
2422         (JSC::CallEdgeProfile::add):
2423         * bytecode/CallLinkInfo.cpp:
2424         (JSC::CallLinkInfo::visitWeak):
2425         * bytecode/CallLinkInfo.h:
2426         * bytecode/CallLinkStatus.cpp:
2427         (JSC::CallLinkStatus::CallLinkStatus):
2428         (JSC::CallLinkStatus::computeFromLLInt):
2429         (JSC::CallLinkStatus::computeFor):
2430         (JSC::CallLinkStatus::computeExitSiteData):
2431         (JSC::CallLinkStatus::computeFromCallLinkInfo):
2432         (JSC::CallLinkStatus::computeFromCallEdgeProfile):
2433         (JSC::CallLinkStatus::computeDFGStatuses):
2434         (JSC::CallLinkStatus::isClosureCall):
2435         (JSC::CallLinkStatus::makeClosureCall):
2436         (JSC::CallLinkStatus::dump):
2437         (JSC::CallLinkStatus::function): Deleted.
2438         (JSC::CallLinkStatus::internalFunction): Deleted.
2439         (JSC::CallLinkStatus::intrinsicFor): Deleted.
2440         * bytecode/CallLinkStatus.h:
2441         (JSC::CallLinkStatus::CallLinkStatus):
2442         (JSC::CallLinkStatus::isSet):
2443         (JSC::CallLinkStatus::couldTakeSlowPath):
2444         (JSC::CallLinkStatus::edges):
2445         (JSC::CallLinkStatus::size):
2446         (JSC::CallLinkStatus::at):
2447         (JSC::CallLinkStatus::operator[]):
2448         (JSC::CallLinkStatus::canOptimize):
2449         (JSC::CallLinkStatus::canTrustCounts):
2450         (JSC::CallLinkStatus::isClosureCall): Deleted.
2451         (JSC::CallLinkStatus::callTarget): Deleted.
2452         (JSC::CallLinkStatus::executable): Deleted.
2453         (JSC::CallLinkStatus::makeClosureCall): Deleted.
2454         * bytecode/CallVariant.cpp: Added.
2455         (JSC::CallVariant::dump):
2456         * bytecode/CallVariant.h: Added.
2457         (JSC::CallVariant::CallVariant):
2458         (JSC::CallVariant::operator!):
2459         (JSC::CallVariant::despecifiedClosure):
2460         (JSC::CallVariant::rawCalleeCell):
2461         (JSC::CallVariant::internalFunction):
2462         (JSC::CallVariant::function):
2463         (JSC::CallVariant::isClosureCall):
2464         (JSC::CallVariant::executable):
2465         (JSC::CallVariant::nonExecutableCallee):
2466         (JSC::CallVariant::intrinsicFor):
2467         (JSC::CallVariant::functionExecutable):
2468         (JSC::CallVariant::isHashTableDeletedValue):
2469         (JSC::CallVariant::operator==):
2470         (JSC::CallVariant::operator!=):
2471         (JSC::CallVariant::operator<):
2472         (JSC::CallVariant::operator>):
2473         (JSC::CallVariant::operator<=):
2474         (JSC::CallVariant::operator>=):
2475         (JSC::CallVariant::hash):
2476         (JSC::CallVariant::deletedToken):
2477         (JSC::CallVariantHash::hash):
2478         (JSC::CallVariantHash::equal):
2479         * bytecode/CodeOrigin.h:
2480         (JSC::InlineCallFrame::isNormalCall):
2481         * bytecode/ExitKind.cpp:
2482         (JSC::exitKindToString):
2483         * bytecode/ExitKind.h:
2484         * bytecode/GetByIdStatus.cpp:
2485         (JSC::GetByIdStatus::computeForStubInfo):
2486         * bytecode/PutByIdStatus.cpp:
2487         (JSC::PutByIdStatus::computeForStubInfo):
2488         * dfg/DFGAbstractInterpreterInlines.h:
2489         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2490         * dfg/DFGBackwardsPropagationPhase.cpp:
2491         (JSC::DFG::BackwardsPropagationPhase::propagate):
2492         * dfg/DFGBasicBlock.cpp:
2493         (JSC::DFG::BasicBlock::~BasicBlock):
2494         * dfg/DFGBasicBlock.h:
2495         (JSC::DFG::BasicBlock::takeLast):
2496         (JSC::DFG::BasicBlock::didLink):
2497         * dfg/DFGByteCodeParser.cpp:
2498         (JSC::DFG::ByteCodeParser::processSetLocalQueue):
2499         (JSC::DFG::ByteCodeParser::removeLastNodeFromGraph):
2500         (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
2501         (JSC::DFG::ByteCodeParser::addCall):
2502         (JSC::DFG::ByteCodeParser::handleCall):
2503         (JSC::DFG::ByteCodeParser::emitFunctionChecks):
2504         (JSC::DFG::ByteCodeParser::undoFunctionChecks):
2505         (JSC::DFG::ByteCodeParser::inliningCost):
2506         (JSC::DFG::ByteCodeParser::inlineCall):
2507         (JSC::DFG::ByteCodeParser::cancelLinkingForBlock):
2508         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
2509         (JSC::DFG::ByteCodeParser::handleInlining):
2510         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2511         (JSC::DFG::ByteCodeParser::prepareToParseBlock):
2512         (JSC::DFG::ByteCodeParser::clearCaches):
2513         (JSC::DFG::ByteCodeParser::parseBlock):
2514         (JSC::DFG::ByteCodeParser::linkBlock):
2515         (JSC::DFG::ByteCodeParser::linkBlocks):
2516         (JSC::DFG::ByteCodeParser::parseCodeBlock):
2517         * dfg/DFGCPSRethreadingPhase.cpp:
2518         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
2519         * dfg/DFGClobberize.h:
2520         (JSC::DFG::clobberize):
2521         * dfg/DFGCommon.h:
2522         * dfg/DFGConstantFoldingPhase.cpp:
2523         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2524         * dfg/DFGDoesGC.cpp:
2525         (JSC::DFG::doesGC):
2526         * dfg/DFGDriver.cpp:
2527         (JSC::DFG::compileImpl):
2528         * dfg/DFGFixupPhase.cpp:
2529         (JSC::DFG::FixupPhase::fixupNode):
2530         * dfg/DFGGraph.cpp:
2531         (JSC::DFG::Graph::dump):
2532         (JSC::DFG::Graph::visitChildren):
2533         * dfg/DFGJITCompiler.cpp:
2534         (JSC::DFG::JITCompiler::link):
2535         * dfg/DFGLazyJSValue.cpp:
2536         (JSC::DFG::LazyJSValue::switchLookupValue):
2537         * dfg/DFGLazyJSValue.h:
2538         (JSC::DFG::LazyJSValue::switchLookupValue): Deleted.
2539         * dfg/DFGNode.cpp:
2540         (WTF::printInternal):
2541         * dfg/DFGNode.h:
2542         (JSC::DFG::OpInfo::OpInfo):
2543         (JSC::DFG::Node::hasHeapPrediction):
2544         (JSC::DFG::Node::hasCellOperand):
2545         (JSC::DFG::Node::cellOperand):
2546         (JSC::DFG::Node::setCellOperand):
2547         (JSC::DFG::Node::canBeKnownFunction): Deleted.
2548         (JSC::DFG::Node::hasKnownFunction): Deleted.
2549         (JSC::DFG::Node::knownFunction): Deleted.
2550         (JSC::DFG::Node::giveKnownFunction): Deleted.
2551         (JSC::DFG::Node::hasFunction): Deleted.
2552         (JSC::DFG::Node::function): Deleted.
2553         (JSC::DFG::Node::hasExecutable): Deleted.
2554         (JSC::DFG::Node::executable): Deleted.
2555         * dfg/DFGNodeType.h:
2556         * dfg/DFGPhantomCanonicalizationPhase.cpp:
2557         (JSC::DFG::PhantomCanonicalizationPhase::run):
2558         * dfg/DFGPhantomRemovalPhase.cpp:
2559         (JSC::DFG::PhantomRemovalPhase::run):
2560         * dfg/DFGPredictionPropagationPhase.cpp:
2561         (JSC::DFG::PredictionPropagationPhase::propagate):
2562         * dfg/DFGSafeToExecute.h:
2563         (JSC::DFG::safeToExecute):
2564         * dfg/DFGSpeculativeJIT.cpp:
2565         (JSC::DFG::SpeculativeJIT::emitSwitch):
2566         * dfg/DFGSpeculativeJIT32_64.cpp:
2567         (JSC::DFG::SpeculativeJIT::emitCall):
2568         (JSC::DFG::SpeculativeJIT::compile):
2569         * dfg/DFGSpeculativeJIT64.cpp:
2570         (JSC::DFG::SpeculativeJIT::emitCall):
2571         (JSC::DFG::SpeculativeJIT::compile):
2572         * dfg/DFGStructureRegistrationPhase.cpp:
2573         (JSC::DFG::StructureRegistrationPhase::run):
2574         * dfg/DFGTierUpCheckInjectionPhase.cpp:
2575         (JSC::DFG::TierUpCheckInjectionPhase::run):
2576         (JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling):
2577         * dfg/DFGValidate.cpp:
2578         (JSC::DFG::Validate::validate):
2579         * dfg/DFGWatchpointCollectionPhase.cpp:
2580         (JSC::DFG::WatchpointCollectionPhase::handle):
2581         * ftl/FTLCapabilities.cpp:
2582         (JSC::FTL::canCompile):
2583         * ftl/FTLLowerDFGToLLVM.cpp:
2584         (JSC::FTL::ftlUnreachable):
2585         (JSC::FTL::LowerDFGToLLVM::lower):
2586         (JSC::FTL::LowerDFGToLLVM::compileNode):
2587         (JSC::FTL::LowerDFGToLLVM::compileCheckCell):
2588         (JSC::FTL::LowerDFGToLLVM::compileCheckBadCell):
2589         (JSC::FTL::LowerDFGToLLVM::compileGetExecutable):
2590         (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
2591         (JSC::FTL::LowerDFGToLLVM::compileSwitch):
2592         (JSC::FTL::LowerDFGToLLVM::buildSwitch):
2593         (JSC::FTL::LowerDFGToLLVM::compileCheckFunction): Deleted.
2594         (JSC::FTL::LowerDFGToLLVM::compileCheckExecutable): Deleted.
2595         * heap/Heap.cpp:
2596         (JSC::Heap::collect):
2597         * jit/AssemblyHelpers.h:
2598         (JSC::AssemblyHelpers::storeValue):
2599         (JSC::AssemblyHelpers::loadValue):
2600         * jit/CCallHelpers.h:
2601         (JSC::CCallHelpers::setupArguments):
2602         * jit/GPRInfo.h:
2603         (JSC::JSValueRegs::uses):
2604         * jit/JITCall.cpp:
2605         (JSC::JIT::compileOpCall):
2606         * jit/JITCall32_64.cpp:
2607         (JSC::JIT::compileOpCall):
2608         * runtime/Options.h:
2609         * runtime/VM.cpp:
2610         (JSC::VM::ensureCallEdgeLog):
2611         * runtime/VM.h:
2612         * tests/stress/new-array-then-exit.js: Added.
2613         (foo):
2614         * tests/stress/poly-call-exit-this.js: Added.
2615         * tests/stress/poly-call-exit.js: Added.
2616
2617 2014-08-22  Michael Saboff  <msaboff@apple.com>
2618
2619         After r172867 another crash in js/dom/line-column-numbers.html
2620         https://bugs.webkit.org/show_bug.cgi?id=136192
2621
2622         Reviewed by Geoffrey Garen.
2623
2624         In lookupExceptionHandlerFromCallerFrame(), we need to use the caller's CallFrame
2625         and VMEntryFrame when calling genericUnwind().  NativeCallFrameTracerWithRestore()
2626         does that for us.
2627
2628         In general, NativeCallFrameTracerWithRestore() restores the values because we may
2629         do more processing that requires the current callFrame and vmEntryFrame before we
2630         get to the catch handler where we change these to the catch values.  In this
2631         particular case, that restoration isn't currently needed, but we add complexity
2632         and possible future confusion if we create another NativeCallFrameTracerXXX()
2633         version that doesn't restore the values.
2634
2635         * jit/JITOperations.cpp:
2636         (JSC::lookupExceptionHandlerFromCallerFrame): Changed NativeCallFrameTracer() to
2637         NativeCallFrameTracerWithRestore() so that VM::topVMEntryFrame will be updated
2638         before calling genericUnwind().
2639
2640 2014-08-24  Brian J. Burg  <burg@cs.washington.edu>
2641
2642         Web Inspector: rename Inspector::TypeBuilder to Inspector::Protocol
2643         https://bugs.webkit.org/show_bug.cgi?id=136031
2644
2645         Reviewed by Timothy Hatcher.
2646
2647         Rename TypeBuilder namespace to Protocol. Disambiguate where
2648         necessary. Also rename InspectorTypeBuilder to ProtocolTypes.
2649
2650         * CMakeLists.txt:
2651         * DerivedSources.make:
2652         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2653         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2654         * JavaScriptCore.vcxproj/copy-files.cmd:
2655         * JavaScriptCore.xcodeproj/project.pbxproj:
2656         * inspector/ConsoleMessage.cpp:
2657         (Inspector::messageSourceValue):
2658         (Inspector::messageTypeValue):
2659         (Inspector::messageLevelValue):
2660         (Inspector::ConsoleMessage::addToFrontend):
2661         * inspector/ContentSearchUtilities.cpp:
2662         (Inspector::ContentSearchUtilities::buildObjectForSearchMatch):
2663         (Inspector::ContentSearchUtilities::searchInTextByLines):
2664         * inspector/ContentSearchUtilities.h:
2665         * inspector/InjectedScript.cpp:
2666         (Inspector::InjectedScript::evaluate):
2667         (Inspector::InjectedScript::callFunctionOn):
2668         (Inspector::InjectedScript::evaluateOnCallFrame):
2669         (Inspector::InjectedScript::getFunctionDetails):
2670         (Inspector::InjectedScript::getProperties):
2671         (Inspector::InjectedScript::getInternalProperties):
2672         (Inspector::InjectedScript::wrapCallFrames):
2673         (Inspector::InjectedScript::wrapObject):
2674         (Inspector::InjectedScript::wrapTable):
2675         * inspector/InjectedScript.h:
2676         * inspector/InjectedScriptBase.cpp:
2677         (Inspector::InjectedScriptBase::makeEvalCall):
2678         * inspector/InjectedScriptBase.h:
2679         * inspector/InspectorTypeBuilder.h: Removed.
2680         * inspector/ScriptCallFrame.cpp:
2681         (Inspector::ScriptCallFrame::buildInspectorObject):
2682         * inspector/ScriptCallFrame.h:
2683         * inspector/ScriptCallStack.cpp:
2684         (Inspector::ScriptCallStack::buildInspectorArray):
2685         * inspector/ScriptCallStack.h:
2686         * inspector/agents/InspectorAgent.cpp:
2687         (Inspector::InspectorAgent::inspect):
2688         * inspector/agents/InspectorAgent.h:
2689         * inspector/agents/InspectorDebuggerAgent.cpp:
2690         (Inspector::breakpointActionTypeForString):
2691         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
2692         (Inspector::InspectorDebuggerAgent::setBreakpoint):
2693         (Inspector::InspectorDebuggerAgent::resolveBreakpoint):
2694         (Inspector::InspectorDebuggerAgent::searchInContent):
2695         (Inspector::InspectorDebuggerAgent::getFunctionDetails):
2696         (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
2697         (Inspector::InspectorDebuggerAgent::currentCallFrames):
2698         (Inspector::InspectorDebuggerAgent::didParseSource):
2699         (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
2700         * inspector/agents/InspectorDebuggerAgent.h:
2701         * inspector/agents/InspectorProfilerAgent.cpp:
2702         (Inspector::InspectorProfilerAgent::createProfileHeader):
2703         (Inspector::InspectorProfilerAgent::getProfileHeaders):
2704         (Inspector::buildInspectorObject):
2705         (Inspector::InspectorProfilerAgent::buildProfileInspectorObject):
2706         (Inspector::InspectorProfilerAgent::getCPUProfile):
2707         * inspector/agents/InspectorProfilerAgent.h:
2708         * inspector/agents/InspectorRuntimeAgent.cpp:
2709         (Inspector::buildErrorRangeObject):
2710         (Inspector::InspectorRuntimeAgent::parse):
2711         (Inspector::InspectorRuntimeAgent::evaluate):
2712         (Inspector::InspectorRuntimeAgent::callFunctionOn):
2713         (Inspector::InspectorRuntimeAgent::getProperties):
2714         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
2715         * inspector/agents/InspectorRuntimeAgent.h:
2716         * inspector/scripts/codegen/__init__.py:
2717         * inspector/scripts/codegen/generate_backend_dispatcher_header.py:
2718         (BackendDispatcherHeaderGenerator.generate_output):
2719         * inspector/scripts/codegen/generate_backend_dispatcher_implementation.py:
2720         (BackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
2721         (BackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
2722         * inspector/scripts/codegen/generate_frontend_dispatcher_header.py:
2723         (FrontendDispatcherHeaderGenerator.generate_output):
2724         * inspector/scripts/codegen/generate_frontend_dispatcher_implementation.py:
2725         (FrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
2726         * inspector/scripts/codegen/generate_type_builder_header.py: Removed.
2727         * inspector/scripts/codegen/generate_type_builder_implementation.py: Removed.
2728         * inspector/scripts/codegen/generator.py:
2729         (Generator.protocol_type_string_for_type):
2730         (Generator.protocol_type_string_for_type_member):
2731         (Generator.type_string_for_type_with_name):
2732         (Generator.type_string_for_formal_out_parameter):
2733         (Generator.type_string_for_formal_async_parameter):
2734         (Generator.type_string_for_stack_in_parameter):
2735         (Generator.type_string_for_stack_out_parameter):
2736         (Generator.assertion_method_for_type_member.assertion_method_for_type):
2737         (Generator.assertion_method_for_type_member):
2738         (Generator.type_builder_string_for_type): Deleted.
2739         (Generator.type_builder_string_for_type_member): Deleted.
2740         * inspector/scripts/codegen/generator_templates.py:
2741         (Inspector):
2742         * inspector/scripts/generate-inspector-protocol-bindings.py:
2743         (generate_from_specification):
2744         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2745         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2746         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2747         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2748         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
2749         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
2750         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
2751         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2752         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
2753         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2754         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2755         * runtime/HighFidelityTypeProfiler.cpp:
2756         (JSC::HighFidelityTypeProfiler::getTypesForVariableAtOffsetForInspector):
2757         * runtime/HighFidelityTypeProfiler.h:
2758         * runtime/TypeSet.cpp:
2759         (JSC::TypeSet::allPrimitiveTypeNames):
2760         (JSC::TypeSet::allStructureRepresentations):
2761         (JSC::StructureShape::inspectorRepresentation):
2762         * runtime/TypeSet.h:
2763
2764 2014-08-24  Brian J. Burg  <burg@cs.washington.edu>
2765
2766         Web Inspector: Rename DOM.RGBA and remove workarounds in the bindings generator
2767         https://bugs.webkit.org/show_bug.cgi?id=136025
2768
2769         Reviewed by Joseph Pecoraro.
2770
2771         This workaround can be removed since it is no longer necessary.
2772
2773         * inspector/scripts/codegen/models.py:
2774         (TypeReference.__init__):
2775         (Type.raw_name):
2776         (TypeDeclaration.__init__):
2777         * inspector/scripts/tests/type-declaration-object-type.json: Remove related test input.
2778         * inspector/scripts/tests/expected/type-declaration-object-type.json-result: Rebaseline.
2779
2780 2014-08-23  Joseph Pecoraro  <pecoraro@apple.com>
2781
2782         Web Inspector: Do not copy large module source strings
2783         https://bugs.webkit.org/show_bug.cgi?id=136191
2784
2785         Reviewed by Benjamin Poulain.
2786
2787         * inspector/InjectedScriptManager.cpp:
2788         (Inspector::InjectedScriptManager::injectedScriptSource):
2789
2790 2014-08-21  Michael Saboff  <msaboff@apple.com>
2791
2792         REGRESSION(r163179): Sporadic crash in js/dom/line-column-numbers.html test
2793         https://bugs.webkit.org/show_bug.cgi?id=136111
2794
2795         Reviewed by Filip Pizlo.
2796
2797         The problem was that we weren't properly handling VM::topVMEntryFrame in two ways.
2798
2799         First in the case where we get an exception of a stack overflow during setup of the direct
2800         callee frame of a VM entry frame, we need to throw the exception in the caller's frame.
2801         This requires unrolling topVMEntryFrame while creating the exception object.  This is
2802         accomplished with the renamed NativeCallFrameTracerWithRestore object.  As part of this,
2803         split the JIT rollback exception handling to call a new helper,
2804         callLookupExceptionHandlerFromCallerFrame, which will unroll the callFrame and VMEntryFrame.
2805
2806         Second, when we unwind to find a handler, we also need to unwind topVMCallFrame for the
2807         case where we end up (re)throwing another exception after entering the catch block, but
2808         before another vmEntry call.  Added VM::vmEntryFrameForThrow as a way similar to
2809         VM::callFrameForThrow to pass the appropriate VMEntryFrame to the catch block.
2810
2811
2812         * dfg/DFGJITCompiler.cpp:
2813         (JSC::DFG::JITCompiler::compileExceptionHandlers):
2814         * ftl/FTLCompile.cpp:
2815         (JSC::FTL::fixFunctionBasedOnStackMaps):
2816         * jit/JIT.cpp:
2817         (JSC::JIT::privateCompileExceptionHandlers):
2818         Split out the unroll cases to use the new helper callLookupExceptionHandlerFromCallerFrame()
2819         to unwind both the callFrame and topVMEntryFrame.
2820
2821         * interpreter/Interpreter.cpp:
2822         (JSC::UnwindFunctor::UnwindFunctor):
2823         (JSC::UnwindFunctor::operator()):
2824         (JSC::Interpreter::unwind):
2825         * jit/JITExceptions.cpp:
2826         (JSC::genericUnwind):
2827         Added VMEntryFrame as another component to unwind.
2828
2829         * interpreter/Interpreter.h:
2830         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
2831         (JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore):
2832         (JSC::NativeCallFrameTracerWithRestore::~NativeCallFrameTracerWithRestore):
2833         Renamed and changed to save and restore topCallFrame and topVMEntryFrame around the setting of
2834         both values.
2835
2836         * interpreter/StackVisitor.cpp:
2837         (JSC::StackVisitor::gotoNextFrame):
2838         (JSC::StackVisitor::readNonInlinedFrame):
2839         * interpreter/StackVisitor.h:
2840         (JSC::StackVisitor::Frame::vmEntryFrame):
2841         Added code to unwind the VMEntryFrame.
2842
2843         * jit/CCallHelpers.h:
2844         (JSC::CCallHelpers::jumpToExceptionHandler): Updated comment to indicate that the value
2845         the handler should use for VM::topEntryFrame is in VM::vmEntryFrameForThrow.
2846
2847         * jit/JITOpcodes.cpp:
2848         (JSC::JIT::emit_op_catch):
2849         * jit/JITOpcodes32_64.cpp:
2850         (JSC::JIT::emit_op_catch):
2851         * llint/LowLevelInterpreter32_64.asm:
2852         * llint/LowLevelInterpreter64.asm:
2853         Added code to update VM::topVMEntryFrame from VM::vmEntryFrameForThrowOffset.
2854
2855         * jit/JITOperations.cpp:
2856         * jit/JITOperations.h:
2857         (JSC::operationThrowStackOverflowError):
2858         (JSC::operationCallArityCheck):
2859         (JSC::operationConstructArityCheck):
2860
2861         * runtime/VM.h:
2862         (JSC::VM::vmEntryFrameForThrowOffset):
2863         (JSC::VM::topVMEntryFrameOffset):
2864         Added as the side channel to return the topVMEntryFrame that the handler should use.
2865
2866 2014-08-22  Daniel Bates  <dabates@apple.com>
2867
2868         [iOS] Disable ENABLE_IOS_{GESTURE, TOUCH}_EVENTS, and temporarily disable ENABLE_TOUCH_EVENTS
2869         and ENABLE_XSLT when building with the iOS public SDK
2870         https://bugs.webkit.org/show_bug.cgi?id=135945
2871
2872         Reviewed by Andy Estes.
2873
2874         * Configurations/FeatureDefines.xcconfig:
2875
2876 2014-08-22  Jon Lee  <jonlee@apple.com>
2877
2878         Fix iOS build due to r172832 and move RUBBER_BANDING out of FeatureDefines.h
2879         https://bugs.webkit.org/show_bug.cgi?id=136157
2880
2881         Reviewed by Simon Fraser.
2882
2883         * Configurations/FeatureDefines.xcconfig: Add ENABLE(RUBBER_BANDING).
2884
2885 2014-08-21  Mark Lam  <mark.lam@apple.com>
2886
2887         r171362 accidentally increased the size of InlineCallFrame.
2888         <https://webkit.org/b/136141>
2889
2890         Reviewed by Filip Pizlo.
2891
2892         r171362 increased the size of InlineCallFrame::kind to 2 bits.  This increased
2893         the size of InlineCallFrame from 72 to 80 though not intentionally.  The fix
2894         is to reduce the size of InlineCallFrame::stackOffset to 29 bits.
2895
2896         Also added an assert to ensure that we never set a value that exceeds the size
2897         of InlineCallFrame::stackOffset.
2898
2899         * bytecode/CodeOrigin.h:
2900         (JSC::InlineCallFrame::setStackOffset):
2901         * dfg/DFGByteCodeParser.cpp:
2902         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2903
2904 2014-08-21  Joseph Pecoraro  <pecoraro@apple.com>
2905
2906         Web Inspector: RetainPtr misuse, CFRunLoopSource leak
2907         https://bugs.webkit.org/show_bug.cgi?id=136143
2908
2909         Reviewed by Timothy Hatcher.
2910
2911         Adopt a Create into the RetainPtr to avoid leaking.
2912
2913         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
2914         (Inspector::RemoteInspectorDebuggableConnection::setupRunLoop):
2915
2916 2014-08-21  Mark Lam  <mark.lam@apple.com>
2917
2918         REGRESSION(r172808): It made 6 different tests fail on 32 bit platforms.
2919         <https://webkit.org/b/136123>
2920
2921         Reviewed by Filip Pizlo.
2922
2923         The original patch in r172808 removed the code to skip the top scope in
2924         the 64-bit port of JIT::emitResolveClosure() but not in the 32-bit port.
2925         This patch fixes that and achieves parity.
2926
2927         * jit/JITPropertyAccess32_64.cpp:
2928         (JSC::JIT::emitResolveClosure):
2929
2930 2014-08-21  Zalan Bujtas  <zalan@apple.com>
2931
2932         Enable SATURATED_LAYOUT_ARITHMETIC.
2933         https://bugs.webkit.org/show_bug.cgi?id=136106
2934
2935         Reviewed by Simon Fraser.
2936
2937         SATURATED_LAYOUT_ARITHMETIC protects LayoutUnit against arithmetic overflow.
2938         (No measurable performance regression on Mac.)
2939
2940         * Configurations/FeatureDefines.xcconfig:
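
Added example, not WebKit code: a small saturating 32-bit helper set in the spirit of what SATURATED_LAYOUT_ARITHMETIC provides for LayoutUnit. The real LayoutUnit type is not reproduced; the namespace, function names and the box widths are assumptions constructed for the illustration. It puts a wrapping sum next to a clamping one, so an oversized layout dimension pins at the largest representable value instead of silently turning negative, which is the class of bug the feature guards against.

```cpp
// Added example (not WebKit code). Hypothetical saturating arithmetic on int32_t,
// illustrating the protection SATURATED_LAYOUT_ARITHMETIC gives LayoutUnit.
#include <cstddef>
#include <cstdint>
#include <limits>

namespace sat {

constexpr int32_t kMax = std::numeric_limits<int32_t>::max();
constexpr int32_t kMin = std::numeric_limits<int32_t>::min();

// Clamp a 64-bit intermediate back into the 32-bit range.
inline int32_t clampToInt32(int64_t v)
{
    if (v > kMax)
        return kMax;
    if (v < kMin)
        return kMin;
    return static_cast<int32_t>(v);
}

// The 64-bit intermediates cannot overflow: |a| + |b| < 2^32 and |a * b| <= 2^62.
inline int32_t saturatedAdd(int32_t a, int32_t b) { return clampToInt32(int64_t(a) + int64_t(b)); }
inline int32_t saturatedSub(int32_t a, int32_t b) { return clampToInt32(int64_t(a) - int64_t(b)); }
inline int32_t saturatedMul(int32_t a, int32_t b) { return clampToInt32(int64_t(a) * int64_t(b)); }

// What unprotected arithmetic does. Signed overflow is undefined behaviour in C++,
// so the wrap-around is modelled through unsigned arithmetic, which is defined.
inline int32_t wrappingAdd(int32_t a, int32_t b)
{
    return static_cast<int32_t>(static_cast<uint32_t>(a) + static_cast<uint32_t>(b));
}

// Sum a row of box widths, either saturating or wrapping at each step.
inline int32_t totalWidth(const int32_t* widths, size_t count, bool saturate)
{
    int32_t total = 0;
    for (size_t i = 0; i < count; ++i)
        total = saturate ? saturatedAdd(total, widths[i]) : wrappingAdd(total, widths[i]);
    return total;
}

// Constructed input: two boxes whose widths together exceed INT32_MAX by 90 units.
// Saturating gives kMax; wrapping gives a negative width (kMin + 89).
inline int32_t rowWidthExample(bool saturate)
{
    const int32_t widths[] = { kMax - 10, 100 };
    return totalWidth(widths, sizeof(widths) / sizeof(widths[0]), saturate);
}

} // namespace sat
```

The wrapping variant is there only to show the failure mode; a negative or tiny width that came from an overflowed sum is exactly the kind of value that later feeds an allocation size or an array index.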
2941
2942 2014-08-20  Saam Barati  <sbarati@apple.com>
2943
2944         Fix how CodeBlock dumps the opcode op_profile_type
2945         https://bugs.webkit.org/show_bug.cgi?id=136088
2946
2947         Reviewed by Filip Pizlo.
2948
2949         op_profile_type was modified to receive two extra arguments,
2950         but its dump in CodeBlock::dumpBytecode wasn't changed to 
2951         account for this, so it broke CodeBlock::dumpBytecode when
2952         op_profile_type was in the stream of bytecode instructions.
2953         CodeBlock::dumpBytecode now accounts for the change in 
2954         op_profile_type's arity.
2955
2956         * bytecode/CodeBlock.cpp:
2957         (JSC::CodeBlock::dumpBytecode):
2958
2959 2014-08-20  Saam Barati  <sbarati@apple.com>
2960
2961         Rename HighFidelityTypeProfiling variables for more clarity
2962         https://bugs.webkit.org/show_bug.cgi?id=135899
2963
2964         Reviewed by Geoffrey Garen.
2965
2966         Many names that are used in the type profiling infrastructure
2967         prefix themselves with "HighFidelity" or include the words "high"
2968         and/or "fidelity" in some way. But the words "high" and "fidelity" don't 
2969         add anything descriptive to the names surrounding type profiling. 
2970         So this patch removes all uses of "HighFidelity" and its variants.
2971
2972         Most renamings change "HighFidelity*" to "TypeProfiler*" or simply 
2973         drop the prefix "HighFidelity" altogether. Now, almost all names 
2974         in relation to type profiling contain in them "TypeProfiler" or 
2975         "TypeProfiling" or some combination of the words "type" and "profile".
2976
2977         This patch also changes how we check if type profiling is enabled:
2978         We no longer call vm::isProfilingTypesWithHighFidelity. We now just 
2979         check that vm::typeProfiler is not null.
2980
2981         This patch also changes all calls to TypeProfilerLog::processLogEntries
2982         to use ASCIILiteral to form WTFStrings instead of vanilla C string literals.
2983
2984         * CMakeLists.txt:
2985         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2986         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2987         * JavaScriptCore.xcodeproj/project.pbxproj:
2988         * bytecode/BytecodeList.json:
2989         * bytecode/BytecodeUseDef.h:
2990         (JSC::computeUsesForBytecodeOffset):
2991         (JSC::computeDefsForBytecodeOffset):
2992         * bytecode/CodeBlock.cpp:
2993         (JSC::CodeBlock::dumpBytecode):
2994         (JSC::CodeBlock::CodeBlock):
2995         * bytecode/TypeLocation.h:
2996         * bytecode/UnlinkedCodeBlock.cpp:
2997         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2998         (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset):
2999         (JSC::UnlinkedCodeBlock::addTypeProfilerExpressionInfo):
3000         (JSC::UnlinkedCodeBlock::highFidelityTypeProfileExpressionInfoForBytecodeOffset): Deleted.
3001         (JSC::UnlinkedCodeBlock::addHighFidelityTypeProfileExpressionInfo): Deleted.
3002         * bytecode/UnlinkedCodeBlock.h:
3003         (JSC::UnlinkedFunctionExecutable::typeProfilingStartOffset):
3004         (JSC::UnlinkedFunctionExecutable::typeProfilingEndOffset):
3005         (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingStartOffset): Deleted.
3006         (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingEndOffset): Deleted.
3007         * bytecompiler/BytecodeGenerator.cpp:
3008         (JSC::BytecodeGenerator::generate):
3009         (JSC::BytecodeGenerator::BytecodeGenerator):
3010         (JSC::BytecodeGenerator::emitMove):
3011         (JSC::BytecodeGenerator::emitTypeProfilerExpressionInfo):
3012         (JSC::BytecodeGenerator::emitProfileType):
3013         (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo): Deleted.
3014         (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity): Deleted.
3015         * bytecompiler/BytecodeGenerator.h:
3016         (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity): Deleted.
3017         * bytecompiler/NodesCodegen.cpp:
3018         (JSC::ThisNode::emitBytecode):
3019         (JSC::ResolveNode::emitBytecode):
3020         (JSC::BracketAccessorNode::emitBytecode):
3021         (JSC::DotAccessorNode::emitBytecode):
3022         (JSC::FunctionCallValueNode::emitBytecode):
3023         (JSC::FunctionCallResolveNode::emitBytecode):
3024         (JSC::FunctionCallBracketNode::emitBytecode):
3025         (JSC::FunctionCallDotNode::emitBytecode):
3026         (JSC::CallFunctionCallDotNode::emitBytecode):
3027         (JSC::ApplyFunctionCallDotNode::emitBytecode):
3028         (JSC::PostfixNode::emitResolve):
3029         (JSC::PostfixNode::emitBracket):
3030         (JSC::PostfixNode::emitDot):
3031         (JSC::PrefixNode::emitResolve):
3032         (JSC::PrefixNode::emitBracket):
3033         (JSC::PrefixNode::emitDot):
3034         (JSC::ReadModifyResolveNode::emitBytecode):
3035         (JSC::AssignResolveNode::emitBytecode):
3036         (JSC::AssignDotNode::emitBytecode):
3037         (JSC::ReadModifyDotNode::emitBytecode):
3038         (JSC::AssignBracketNode::emitBytecode):
3039         (JSC::ReadModifyBracketNode::emitBytecode):
3040         (JSC::ConstDeclNode::emitCodeSingle):
3041         (JSC::EmptyVarExpression::emitBytecode):
3042         (JSC::ReturnNode::emitBytecode):
3043         (JSC::FunctionBodyNode::emitBytecode):
3044         * heap/Heap.cpp:
3045         (JSC::Heap::collect):
3046         * inspector/agents/InspectorRuntimeAgent.cpp:
3047         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
3048         (Inspector::recompileAllJSFunctionsForTypeProfiling):
3049         (Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend):
3050         (Inspector::InspectorRuntimeAgent::enableTypeProfiler):
3051         (Inspector::InspectorRuntimeAgent::disableTypeProfiler):
3052         (Inspector::InspectorRuntimeAgent::setTypeProfilerEnabledState):
3053         (Inspector::InspectorRuntimeAgent::enableHighFidelityTypeProfiling): Deleted.
3054         (Inspector::InspectorRuntimeAgent::disableHighFidelityTypeProfiling): Deleted.
3055         (Inspector::InspectorRuntimeAgent::setHighFidelityTypeProfilingEnabledState): Deleted.
3056         * inspector/agents/InspectorRuntimeAgent.h:
3057         * inspector/protocol/Runtime.json:
3058         * jit/JIT.cpp:
3059         (JSC::JIT::privateCompileMainPass):
3060         (JSC::JIT::privateCompile):
3061         * jit/JIT.h:
3062         * jit/JITOpcodes.cpp:
3063         (JSC::JIT::emit_op_profile_type):
3064         (JSC::JIT::emit_op_profile_types_with_high_fidelity): Deleted.
3065         * jit/JITOpcodes32_64.cpp:
3066         (JSC::JIT::emit_op_profile_type):
3067         (JSC::JIT::emit_op_profile_types_with_high_fidelity): Deleted.
3068         * jit/JITOperations.cpp:
3069         * jsc.cpp:
3070         (functionDumpTypesForAllVariables):
3071         * llint/LLIntSlowPaths.cpp:
3072         * llint/LowLevelInterpreter.asm:
3073         * runtime/CodeCache.cpp:
3074         (JSC::CodeCache::getGlobalCodeBlock):
3075         * runtime/CommonSlowPaths.cpp:
3076         (JSC::SLOW_PATH_DECL):
3077         * runtime/CommonSlowPaths.h:
3078         * runtime/Executable.cpp:
3079         (JSC::ScriptExecutable::ScriptExecutable):
3080         (JSC::ProgramExecutable::ProgramExecutable):
3081         (JSC::FunctionExecutable::FunctionExecutable):
3082         (JSC::ProgramExecutable::initializeGlobalProperties):
3083         * runtime/Executable.h:
3084         (JSC::ScriptExecutable::typeProfilingStartOffset):
3085         (JSC::ScriptExecutable::typeProfilingEndOffset):
3086         (JSC::ScriptExecutable::highFidelityTypeProfilingStartOffset): Deleted.
3087         (JSC::ScriptExecutable::highFidelityTypeProfilingEndOffset): Deleted.
3088         * runtime/HighFidelityLog.cpp: Removed.
3089         * runtime/HighFidelityLog.h: Removed.
3090         * runtime/HighFidelityTypeProfiler.cpp: Removed.
3091         * runtime/HighFidelityTypeProfiler.h: Removed.
3092         * runtime/Options.h:
3093         * runtime/SymbolTable.cpp:
3094         (JSC::SymbolTable::prepareForTypeProfiling):
3095         (JSC::SymbolTable::uniqueIDForVariable):
3096         (JSC::SymbolTable::uniqueIDForRegister):
3097         (JSC::SymbolTable::prepareForHighFidelityTypeProfiling): Deleted.
3098         * runtime/SymbolTable.h:
3099         * runtime/TypeProfiler.cpp: Added.
3100         (JSC::TypeProfiler::logTypesForTypeLocation):
3101         (JSC::TypeProfiler::insertNewLocation):
3102         (JSC::TypeProfiler::getTypesForVariableAtOffsetForInspector):
3103         (JSC::descriptorMatchesTypeLocation):
3104         (JSC::TypeProfiler::findLocation):
3105         * runtime/TypeProfiler.h: Added.
3106         (JSC::QueryKey::QueryKey):
3107         (JSC::QueryKey::isHashTableDeletedValue):
3108         (JSC::QueryKey::operator==):
3109         (JSC::QueryKey::hash):
3110         (JSC::QueryKeyHash::hash):
3111         (JSC::QueryKeyHash::equal):
3112         (JSC::TypeProfiler::functionHasExecutedCache):
3113         (JSC::TypeProfiler::typeLocationCache):
3114         * runtime/TypeProfilerLog.cpp: Added.
3115         (JSC::TypeProfilerLog::initializeLog):
3116         (JSC::TypeProfilerLog::~TypeProfilerLog):
3117         (JSC::TypeProfilerLog::processLogEntries):
3118         * runtime/TypeProfilerLog.h: Added.
3119         (JSC::TypeProfilerLog::LogEntry::structureIDOffset):
3120         (JSC::TypeProfilerLog::LogEntry::valueOffset):
3121         (JSC::TypeProfilerLog::LogEntry::locationOffset):
3122         (JSC::TypeProfilerLog::TypeProfilerLog):
3123         (JSC::TypeProfilerLog::recordTypeInformationForLocation):
3124         (JSC::TypeProfilerLog::logEndPtr):
3125         (JSC::TypeProfilerLog::logStartOffset):
3126         (JSC::TypeProfilerLog::currentLogEntryOffset):
3127         * runtime/VM.cpp:
3128         (JSC::VM::VM):
3129         (JSC::VM::enableTypeProfiler):
3130         (JSC::VM::disableTypeProfiler):
3131         (JSC::VM::dumpTypeProfilerData):
3132         (JSC::VM::enableHighFidelityTypeProfiling): Deleted.
3133         (JSC::VM::disableHighFidelityTypeProfiling): Deleted.
3134         (JSC::VM::dumpHighFidelityProfilingTypes): Deleted.
3135         * runtime/VM.h:
3136         (JSC::VM::typeProfilerLog):
3137         (JSC::VM::typeProfiler):
3138         (JSC::VM::isProfilingTypesWithHighFidelity): Deleted.
3139         (JSC::VM::highFidelityLog): Deleted.
3140         (JSC::VM::highFidelityTypeProfiler): Deleted.
3141
3142 2014-08-20  Csaba Osztrogonác  <ossy@webkit.org>
3143
3144         URTBF after r172799.
3145
3146         * disassembler/ARM64/A64DOpcode.cpp:
3147         * disassembler/ARM64Disassembler.cpp:
3148
3149 2014-08-20  Oliver Hunt  <oliver@apple.com>
3150
3151         Stop implicitly skipping a function's own activation when walking the scope chain
3152         https://bugs.webkit.org/show_bug.cgi?id=136118
3153
3154         Reviewed by Geoffrey Garen.
3155
3156         Remove the current logic that implicitly skips a function's
3157         own activation when walking the scope chain. This is ground
3158         work for ensuring that all closed variable access is made
3159         through the function's activation. This leads to a further
3160         10% regression on earley, but we're already tracking the
3161         overall performance regression.
3162
3163         * bytecode/CodeBlock.cpp:
3164         (JSC::CodeBlock::CodeBlock):
3165         * dfg/DFGAbstractInterpreterInlines.h:
3166         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3167         * dfg/DFGByteCodeParser.cpp:
3168         (JSC::DFG::ByteCodeParser::getScope):
3169         (JSC::DFG::ByteCodeParser::parseBlock):
3170         * dfg/DFGClobberize.h:
3171         (JSC::DFG::clobberize):
3172         * dfg/DFGDoesGC.cpp:
3173         (JSC::DFG::doesGC):
3174         * dfg/DFGFixupPhase.cpp:
3175         (JSC::DFG::FixupPhase::fixupNode):
3176         * dfg/DFGHeapLocation.cpp:
3177         (WTF::printInternal):
3178         * dfg/DFGHeapLocation.h:
3179         * dfg/DFGNodeType.h:
3180         * dfg/DFGPredictionPropagationPhase.cpp:
3181         (JSC::DFG::PredictionPropagationPhase::propagate):
3182         * dfg/DFGSafeToExecute.h:
3183         (JSC::DFG::safeToExecute):
3184         * dfg/DFGSpeculativeJIT32_64.cpp:
3185         (JSC::DFG::SpeculativeJIT::compile):
3186         * dfg/DFGSpeculativeJIT64.cpp:
3187         (JSC::DFG::SpeculativeJIT::compile):
3188         * jit/JITPropertyAccess.cpp:
3189         (JSC::JIT::emitResolveClosure):
3190         * llint/LowLevelInterpreter32_64.asm:
3191         * llint/LowLevelInterpreter64.asm:
3192         * runtime/JSScope.cpp:
3193         (JSC::JSScope::abstractResolve):
3194         * runtime/JSScope.h:
3195
3196 2014-08-20  Michael Saboff  <msaboff@apple.com>
3197
3198         REGRESSION: Web Inspector crashes when reloading apple.com with Timeline recording active
3199         https://bugs.webkit.org/show_bug.cgi?id=136034
3200
3201         Reviewed by Mark Lam.
3202
3203         DebuggerCallFrame::positionForCallFrame is trying to unwind starting somewhere in the middle
3204         of the stack.  Hardened StackVisitor to skip over the frames between the current top frame
3205         and the requested start frame.
3206
3207         * interpreter/StackVisitor.cpp:
3208         (JSC::StackVisitor::StackVisitor):
3209
3210 2014-08-20  Brent Fulgham  <bfulgham@apple.com>
3211
3212         [Win] JavaScriptCore.dll is missing version information.
3213         https://bugs.webkit.org/show_bug.cgi?id=136105
3214         <rdar://problem/18075852>
3215
3216         Reviewed by Dean Jackson.
3217
3218         * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd: Add missing step to generate
3219         version information for intermediary build path.
3220
3221 2014-08-20  Saam Barati  <sbarati@apple.com>
3222
3223         Fix a memory leak in TypeSet
3224         https://bugs.webkit.org/show_bug.cgi?id=135913
3225
3226         Reviewed by Filip Pizlo.
3227
3228         Currently, TypeSet unconditionally allocates memory for its member
3229         variable m_structureHistory, but never deallocates it. Change this 
3230         from being a pointer that is unconditionally allocated to a member 
3231         variable that will be deallocated when TypeSet itself is deallocated.
3232
3233         * runtime/TypeSet.cpp:
3234         (JSC::TypeSet::TypeSet):
3235         (JSC::TypeSet::addTypeInformation):
3236         (JSC::TypeSet::seenTypes):
3237         (JSC::TypeSet::displayName):
3238         (JSC::TypeSet::allStructureRepresentations):
3239         (JSC::StructureShape::leastCommonAncestor):
3240         * runtime/TypeSet.h:
3241
3242 2014-08-20  peavo@outlook.com  <peavo@outlook.com>
3243
3244         [Win] Assertion fails when running JSC stress tests.
3245         https://bugs.webkit.org/show_bug.cgi?id=136103
3246
3247         Reviewed by Darin Adler.
3248
3249         Use unsigned bitfield member instead of enum bitfield member to avoid negative values.
3250
3251         * bytecode/CodeOrigin.h: Use unsigned bitfield member.
3252         (JSC::InlineCallFrame::specializationKind): Compile fix.
3253
3254 2014-08-20  Akos Kiss  <akiss@inf.u-szeged.hu>
3255
3256         Enable ARM64 disassembler on EFL
3257         https://bugs.webkit.org/show_bug.cgi?id=136089
3258
3259         Reviewed by Filip Pizlo.
3260
3261         * CMakeLists.txt:
3262         Added disassembler/ARM64Disassembler.cpp and
3263         disassembler/ARM64/A64DOpcode.cpp to JavaScriptCore_SOURCES.
3264
3265         * disassembler/ARM64/A64DOpcode.cpp:
3266         Added USE(ARM64_DISASSEMBLER) guard around implementation.
3267
3268         * disassembler/ARM64/A64DOpcode.h:
3269         (JSC::ARM64Disassembler::A64DOpcode::appendUnsignedImmediate64):
3270         (JSC::ARM64Disassembler::A64DOpcode::appendPCRelativeOffset):
3271         Made format strings portable by changing "%llx" to "%" PRIx64 for
3272         uint64_t arguments.
3273
3274 2014-08-19  Filip Pizlo  <fpizlo@apple.com>
3275
3276         REGRESSION(r172401): for-in optimization no longer works at all
3277         https://bugs.webkit.org/show_bug.cgi?id=136056
3278
3279         Reviewed by Geoffrey Garen.
3280         
3281         Roll this back in, along with a fix to make proxies work. Previously, for-in over proxies
3282         would instacrash every time.
3283
3284         * bytecompiler/BytecodeGenerator.cpp:
3285         (JSC::BytecodeGenerator::emitGetByVal):
3286         (JSC::BytecodeGenerator::pushIndexedForInScope):
3287         (JSC::BytecodeGenerator::pushStructureForInScope):
3288         * bytecompiler/BytecodeGenerator.h:
3289         (JSC::ForInContext::ForInContext):
3290         (JSC::StructureForInContext::StructureForInContext):
3291         (JSC::IndexedForInContext::IndexedForInContext):
3292         (JSC::ForInContext::base): Deleted.
3293         * bytecompiler/NodesCodegen.cpp:
3294         (JSC::ForInNode::emitMultiLoopBytecode):
3295         * runtime/JSProxy.cpp:
3296         (JSC::JSProxy::getStructurePropertyNames):
3297         (JSC::JSProxy::getGenericPropertyNames):
3298         * tests/stress/for-in-base-reassigned-later-and-change-structure.js: Added.
3299         (foo):
3300         * tests/stress/for-in-base-reassigned-later.js: Added.
3301         (foo):
3302         * tests/stress/for-in-base-reassigned.js: Added.
3303         (foo):
3304         * tests/stress/for-in-proxy-target-changed-structure.js: Added.
3305         (deleteAll):
3306         (foo):
3307         * tests/stress/for-in-proxy.js: Added.
3308         (foo):
3309
3310 2014-08-19  Jaehun Lim  <ljaehun.lim@samsung.com>
3311
3312         Unreviewed, fix EFL build after r17275
3313
3314         Fix error: ignoring #pragma clang diagnostic [-Werror=unknown-pragmas]
3315
3316         * runtime/JSDataViewPrototype.cpp:
3317         Add #if COMPILER(CLANG) and #endif.
3318
3319 2014-08-19  Michael Saboff  <msaboff@apple.com>
3320
3321         Crash in jsc-layout-tests.yaml/js/script-tests/reentrant-caching.js
3322         https://bugs.webkit.org/show_bug.cgi?id=136080
3323
3324         Reviewed by Mark Lam.
3325
3326         Update VM::topVMEntryFrame via NativeCallFrameTracer() when we pass the caller's frame
3327         to NativeCallFrameTracer() as the callee's frame may be the first callee from an entry
3328         frame.  In that case, the caller will have the prior VM entry frame.
3329
3330         The new NativeCallFrameTracer with a VMEntryFrame parameter should be used when throwing
3331         an exception from a caller frame.  The value to use for the VMEntryFrame should be a
3332         value possibly modified by CallFrame::callerFrame(&*VMEntryFrame) used to find the caller.
3333
3334         * interpreter/Interpreter.h:
3335         (JSC::NativeCallFrameTracer::NativeCallFrameTracer): Added a new constructor that takes a
3336         VMEntryFrame.  Added an ASSERT to both constructors to check that the updated topCallFrame
3337         is below the current vmEntryFrame.
3338
3339         * jit/JITOperations.cpp:
3340         (JSC::operationThrowStackOverflowError):
3341         (JSC::operationCallArityCheck):
3342         (JSC::operationConstructArityCheck):
3343         Set VM::topVMEntryFrame to the possibly updated VMEntryFrame after getting the caller's frame.
3344
3345 2014-08-19  Andy Estes  <aestes@apple.com>
3346
3347         [Cocoa] Offline Assembler build phase fails when $BUILT_PRODUCTS_DIR contains spaces
3348         https://bugs.webkit.org/show_bug.cgi?id=136086
3349
3350         Reviewed by Filip Pizlo.
3351
3352         Enclosed arguments to asm.rb containing $BUILT_PRODUCTS_DIR in double quotes so that they don't get split on
3353         whitespace. Also let Xcode have its way with an unrelated part of the project file.
3354
3355         * JavaScriptCore.xcodeproj/project.pbxproj:
3356
3357 2014-08-19  Filip Pizlo  <fpizlo@apple.com>
3358
3359         LLInt build should be way faster
3360         https://bugs.webkit.org/show_bug.cgi?id=136085
3361
3362         Reviewed by Geoffrey Garen.
3363         
3364         This does three things to improve the LLInt build performance. One of them is only for
3365         Xcode for now while the others should benefit all platforms:
3366         
3367         - Don't exponentially build settings combinations that correspond to being on two backends
3368           simultaneously. This is by far the biggest win.
3369         
3370         - Don't generate offset extraction code for backends that aren't supported by the current
3371           port. This currently only works on Xcode-based ports. This is a relatively small win.
3372         
3373         - Remove the ALWAYS_ALLOCATE_SLOW option. Each option increases build time, and we haven't
3374           used this one in a long time. Anyway, setting this option could be emulated by just
3375           directly hacking the code.
3376         
3377         This is an enormous speed-up in the LLInt build.
3378
3379         * JavaScriptCore.xcodeproj/project.pbxproj: Prune the set of backends that we should consider on Xcode-based platforms.
3380         * llint/LLIntOfflineAsmConfig.h: Remove ALWAYS_ALLOCATE_SLOW
3381         * llint/LowLevelInterpreter.asm: Remove ALWAYS_ALLOCATE_SLOW
3382         * offlineasm/backends.rb: Add infrastructure for reasoning about valid backends.
3383         * offlineasm/generate_offset_extractor.rb: Allow the client to specify a filtered set of valid backends.
3384         * offlineasm/settings.rb: Improve the construction of settings combinations so that it doesn't traverse the enormous set of obviously invalid multi-backend combinations. Also glue into support for valid backends.
3385
3386 2014-08-19  Filip Pizlo  <fpizlo@apple.com>
3387
3388         Fix indentation and style in LowLevelInterpreter.asm
3389         https://bugs.webkit.org/show_bug.cgi?id=136083
3390
3391         Reviewed by Mark Lam.
3392
3393         * llint/LowLevelInterpreter.asm:
3394
3395 2014-08-19  Magnus Granberg  <zorry@gentoo.org>
3396
3397         TEXTREL in libjavascriptcoregtk-1.0.so.0.11.0 on x86 (or i586)
3398         https://bugs.webkit.org/show_bug.cgi?id=70610
3399
3400         Reviewed by Darin Adler.
3401
3402         Set up %ebx so we can use the plt.
3403
3404         * jit/ThunkGenerators.cpp:
3405
3406 2014-08-19  Zalan Bujtas  <zalan@apple.com>
3407
3408         Remove ENABLE(SUBPIXEL_LAYOUT).
3409         https://bugs.webkit.org/show_bug.cgi?id=136077
3410
3411         Reviewed by Simon Fraser.
3412
3413         Remove compile time flag SUBPIXEL_LAYOUT. All ports have had it enabled for a while now.
3414
3415         * Configurations/FeatureDefines.xcconfig:
3416
3417 2014-08-19  Alex Christensen  <achristensen@webkit.org>
3418
3419         [CMake] Generate LLInt assembly correctly on Windows.
3420         https://bugs.webkit.org/show_bug.cgi?id=135888
3421
3422         Reviewed by Oliver Hunt.
3423
3424         * CMakeLists.txt:
3425         Generate LowLevelInterpreterWin.asm instead of LLIntAssembly.h on Windows like the existing build system.
3426         * PlatformWin.cmake:
3427         Don't build JSGlobalObjectInspectorController.cpp on Windows.
3428         * offlineasm/x86.rb:
3429         Detect non-cygwin ruby installations correctly.
3430
3431 2014-08-19  Michael Saboff  <msaboff@apple.com>
3432
3433         REGRESSION(r163179): It broke the build on ARM Thumb2 with GCC
3434         https://bugs.webkit.org/show_bug.cgi?id=136028
3435
3436         Reviewed by Oliver Hunt.
3437
3438         Added back ARMv7 conditionals around three op addp and subp since ARM Thumb2 spec says that
3439         the behavior for those ops is undefined.  This was originally done in changeset 163179.
3440
3441         * llint/LowLevelInterpreter32_64.asm:
3442
3443 2014-08-18  Commit Queue  <commit-queue@webkit.org>
3444
3445         Unreviewed, rolling out r172741.
3446         https://bugs.webkit.org/show_bug.cgi?id=136058
3447
3448         This change is breaking PLT. (Requested by mlam on #webkit).
3449
3450         Reverted changeset:
3451
3452         "REGRESSION(r172401): for-in optimization no longer works at
3453         all"
3454         https://bugs.webkit.org/show_bug.cgi?id=136056
3455         http://trac.webkit.org/changeset/172741
3456
3457 2014-08-18  Filip Pizlo  <fpizlo@apple.com>
3458
3459         REGRESSION(r172401): for-in optimization no longer works at all
3460         https://bugs.webkit.org/show_bug.cgi?id=136056
3461
3462         Reviewed by Mark Hahnenberg.
3463         
3464         This is a partial roll-out of r172401. It turns out that the fix wasn't actually fixing a
3465         real bug (since it's fine to use op_get_direct_pname on the wrong base because it has a
3466         structure check) and it was actually breaking the entire for-in optimization (since there is
3467         no way that we can statically prove that the base matches, because the base we see is a
3468         newly created temporary, and anyway doing it right would be really hard in our bytecode
3469         because it's 3AC form).
3470         
3471         But, I added a new test for the problem, and kept the original test. Both the old test and
3472         the new test prove that r172401 wasn't fixing what it thought it was fixing. To the extent
3473         that it resolved crashes it was because it just disabled the for-in optimization entirely.
3474
3475         * bytecompiler/BytecodeGenerator.cpp:
3476         (JSC::BytecodeGenerator::emitGetByVal):
3477         (JSC::BytecodeGenerator::pushIndexedForInScope):
3478         (JSC::BytecodeGenerator::pushStructureForInScope):
3479         * bytecompiler/BytecodeGenerator.h:
3480         (JSC::ForInContext::ForInContext):
3481         (JSC::StructureForInContext::StructureForInContext):
3482         (JSC::IndexedForInContext::IndexedForInContext):
3483         (JSC::ForInContext::base): Deleted.
3484         * bytecompiler/NodesCodegen.cpp:
3485         (JSC::ForInNode::emitMultiLoopBytecode):
3486         * tests/stress/for-in-base-reassigned.js: Added.
3487         * tests/stress/for-in-base-reassigned-later.js: Added.
3488         * tests/stress/for-in-base-reassigned-later-and-change-structure.js: Added.
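
        The two for-in entries above (this one and the roll-in of r172741 further up) hinge on the loop base being reassigned, or its structure changing, while the loop runs. The following is an added example, not from the WebKit ChangeLog or the JSC stress tests; it reconstructs the shapes those test names suggest and returns what a spec-conforming engine must produce. The JSProxy case is engine-internal and is not reproduced here.

```javascript
"use strict";

// Base reassigned at the top of the body: the key list comes from the
// original object (for-in evaluates its operand once), but o[k] must read
// from whatever o refers to now, never from a slot cached for the old base.
function forInBaseReassigned() {
  var a = { x: 1, y: 2, z: 3 };
  var b = { z: 30, y: 20, x: 10, w: 40 }; // same names, different shape
  var o = a;
  var seen = [];
  for (var k in o) {
    o = b;
    seen.push(k + "=" + o[k]);
  }
  return seen; // ["x=10", "y=20", "z=30"]
}

// Base reassigned later in the body: the first access still hits the
// original object, every later one hits the replacement.
function forInBaseReassignedLater() {
  var o = { x: 1, y: 2 };
  var out = [];
  for (var k in o) {
    out.push(k + "=" + o[k]);
    o = { y: 200, x: 100, extra: 0 }; // used from the next iteration on
  }
  return out; // ["x=1", "y=200"]
}

// Base reassigned to an object that lacks a key the loop will still visit:
// a cached property index from the old structure would read garbage here,
// so the lookup has to miss cleanly and yield undefined.
function forInBaseReassignedLaterAndChangeStructure() {
  var o = { x: 1, y: 2 };
  var out = [];
  for (var k in o) {
    out.push(k + "=" + o[k]);
    o = { x: 100 }; // no "y" at all
  }
  return out; // ["x=1", "y=undefined"]
}

// Structure changed by deletion during the loop: a property deleted before
// it is visited is skipped (ECMAScript leaves additions unspecified, so
// only deletion is checked here).
function forInDeleteDuringLoop() {
  var o = { a: 1, b: 2, c: 3 };
  var out = [];
  for (var k in o) {
    out.push(k);
    delete o.c;
  }
  return out; // ["a", "b"]
}
```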
3489
3490 2014-08-18  Mark Lam  <mark.lam@apple.com>
3491
3492         Gardening: build fix for non-Mac builds after r172737.
3493         https://bugs.webkit.org/show_bug.cgi?id=135750
3494
3495         Not reviewed.
3496
3497         * CMakeLists.txt:
3498         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3499         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3500
3501 2014-08-18  Filip Pizlo  <fpizlo@apple.com>
3502
3503         REGRESSION(r172129): ftlopt branch merge made performance tests flakey crash
3504         https://bugs.webkit.org/show_bug.cgi?id=135750
3505
3506         Reviewed by Mark Lam.
3507         
3508         This was caused by a rather embarrassing oversight in how the DFG tracks structures: we
3509         could sometimes perform an optimization that requires a structure to be alive but forget to
3510         ensure that the structure is actually kept alive. In particular, any watchpoint-based
3511         optimizations involve setting watchpoints even if the code that got optimized is eventually
3512         deleted because it is unreachable. All such optimizations would leave behind something in
3513         the IR to tell us that we are interested in the structure and that therefore it should be
3514         kept alive. But, IR can be deleted if it is unreachable.
3515         
3516         The solution is to ensure that as soon as the DFG is made aware of a structure, it adds it
3517         to the set of weak references.
3518
3519         * JavaScriptCore.xcodeproj/project.pbxproj:
3520         * dfg/DFGAbstractInterpreterInlines.h:
3521         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3522         * dfg/DFGAbstractValue.cpp:
3523         (JSC::DFG::AbstractValue::setOSREntryValue):
3524         (JSC::DFG::AbstractValue::set):
3525         (JSC::DFG::AbstractValue::normalizeClarity):
3526         (JSC::DFG::AbstractValue::assertIsRegistered):
3527         (JSC::DFG::AbstractValue::assertIsWatched): Deleted.
3528         * dfg/DFGAbstractValue.h:
3529         (JSC::DFG::AbstractValue::assertIsRegistered):
3530         (JSC::DFG::AbstractValue::assertIsWatched): Deleted.
3531         * dfg/DFGCommon.h:
3532         * dfg/DFGConstantFoldingPhase.cpp:
3533         (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
3534         * dfg/DFGDesiredWeakReferences.cpp:
3535         (JSC::DFG::DesiredWeakReferences::addLazily):
3536         (JSC::DFG::DesiredWeakReferences::contains):
3537         (JSC::DFG::DesiredWeakReferences::reallyAdd):
3538         (JSC::DFG::DesiredWeakReferences::visitChildren):
3539         * dfg/DFGDesiredWeakReferences.h:
3540         * dfg/DFGFixupPhase.cpp:
3541         (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
3542         * dfg/DFGGraph.cpp:
3543         (JSC::DFG::Graph::Graph):
3544         (JSC::DFG::Graph::registerFrozenValues):
3545         (JSC::DFG::Graph::convertToConstant):
3546         (JSC::DFG::Graph::registerStructure):
3547         (JSC::DFG::Graph::assertIsRegistered):
3548         (JSC::DFG::Graph::assertIsWatched): Deleted.
3549         * dfg/DFGGraph.h:
3550         * dfg/DFGPlan.cpp:
3551         (JSC::DFG::Plan::compileInThreadImpl):
3552         * dfg/DFGStructureAbstractValue.cpp:
3553         (JSC::DFG::StructureAbstractValue::assertIsRegistered):
3554         (JSC::DFG::StructureAbstractValue::assertIsWatched): Deleted.
3555         * dfg/DFGStructureAbstractValue.h:
3556         (JSC::DFG::StructureAbstractValue::assertIsRegistered):
3557         (JSC::DFG::StructureAbstractValue::assertIsWatched): Deleted.
3558         * dfg/DFGStructureRegistrationPhase.cpp: Copied from Source/JavaScriptCore/dfg/DFGWatchableStructureWatchingPhase.cpp.
3559         (JSC::DFG::StructureRegistrationPhase::StructureRegistrationPhase):
3560         (JSC::DFG::StructureRegistrationPhase::run):
3561         (JSC::DFG::StructureRegistrationPhase::registerStructures):
3562         (JSC::DFG::StructureRegistrationPhase::registerStructure):
3563         (JSC::DFG::performStructureRegistration):
3564         (JSC::DFG::WatchableStructureWatchingPhase::WatchableStructureWatchingPhase): Deleted.
3565         (JSC::DFG::WatchableStructureWatchingPhase::run): Deleted.
3566         (JSC::DFG::WatchableStructureWatchingPhase::tryWatch): Deleted.
3567         (JSC::DFG::performWatchableStructureWatching): Deleted.
3568         * dfg/DFGStructureRegistrationPhase.h: Copied from Source/JavaScriptCore/dfg/DFGWatchableStructureWatchingPhase.h.
3569         * dfg/DFGWatchableStructureWatchingPhase.cpp: Removed.
3570         * dfg/DFGWatchableStructureWatchingPhase.h: Removed.
3571
3572 2014-08-18  Akos Kiss  <akiss@inf.u-szeged.hu>
3573
3574         Fix ASSERT in ARM64's JSC::GPRInfo::debugName
3575         https://bugs.webkit.org/show_bug.cgi?id=136050
3576
3577         Reviewed by Darin Adler.
3578
3579         Remove cast of GPRReg to unsigned to prevent signed/unsigned comparison
3580         error.
3581
3582         * jit/GPRInfo.h:
3583         (JSC::GPRInfo::debugName):
3584
3585 2014-08-18  Andreas Kling  <akling@apple.com>
3586
3587         REGRESSION(r168256): JSString can get 8-bit flag wrong when re-using AtomicStrings.
3588         <https://webkit.org/b/133574>
3589         <rdar://problem/18051847>
3590
3591         The optimization that resolves JSRopeStrings into an existing
3592         AtomicString (to save time and memory by avoiding StringImpl allocation)
3593         had a bug that it wasn't copying the 8-bit flag from the AtomicString.
3594
3595         This could lead to a situation where a 16-bit StringImpl containing
3596         only 8-bit characters is sitting in the AtomicString table, is found
3597         by the rope resolution optimization, and gives you a rope that thinks
3598         it's all 8-bit, but has a fiber with 16-bit characters.
3599
3600         Resolving that rope will then yield incorrect results.
3601
3602         This was all caught by an assertion, but very hard to reproduce.
3603
3604         Test: js/dopey-rope-with-16-bit-propertyname.html
3605
3606         Reviewed by Darin Adler.
3607
3608         * runtime/JSString.cpp:
3609         (JSC::JSRopeString::resolveRopeToAtomicString):
3610         (JSC::JSRopeString::resolveRopeToExistingAtomicString):
3611         * runtime/JSString.h:
3612         (JSC::JSString::setIs8Bit):
3613         (JSC::JSString::toExistingAtomicString):
3614
3615 2014-08-18  Matthew Mirman  <mmirman@apple.com>
3616
3617         Merges the two native inlining passes from the build.
3618         Also adds the AvailableExternallyLinkage assertion to linked 
3619         functions to allow unused and duplicate ones to be removed.
3620         https://bugs.webkit.org/show_bug.cgi?id=135526
3621
3622         Reviewed by Filip Pizlo.
3623
3624         * JavaScriptCore.xcodeproj/project.pbxproj: 
3625         Removed second generation of llvm binary files.
3626         Fixed the flags on the first pass. 
3627         * build-symbol-table-index.py: Modified some paths.
3628         * build-symbol-table-index.sh: Removed.
3629         * copy-llvm-ir-to-derived-sources.sh: Now calls build-symbol-table-index directly.
3630         * ftl/FTLLowerDFGToLLVM.cpp: Added LLVMAvailableExternallyLinkage assertion.
3631         (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol): 
3632         * runtime/ArrayPrototype.cpp: Removed static declarations. 
3633         * runtime/DateConstructor.cpp: ditto.
3634         (JSC::dateParse):
3635         (JSC::dateNow):
3636         (JSC::dateUTC):
3637         * runtime/DatePrototype.cpp: ditto.
3638         * runtime/JSDataViewPrototype.cpp: ditto on both.
3639         (JSC::dataViewProtoFuncGetInt8):
3640         (JSC::dataViewProtoFuncGetInt16):
3641         (JSC::dataViewProtoFuncGetInt32):
3642         (JSC::dataViewProtoFuncGetUint8):
3643         (JSC::dataViewProtoFuncGetUint16):
3644         (JSC::dataViewProtoFuncGetUint32):
3645         (JSC::dataViewProtoFuncGetFloat32):
3646         (JSC::dataViewProtoFuncGetFloat64):
3647         (JSC::dataViewProtoFuncSetInt8):
3648         (JSC::dataViewProtoFuncSetInt16):
3649         (JSC::dataViewProtoFuncSetInt32):
3650         (JSC::dataViewProtoFuncSetUint8):
3651         (JSC::dataViewProtoFuncSetUint16):
3652         (JSC::dataViewProtoFuncSetUint32):
3653         (JSC::dataViewProtoFuncSetFloat32):
3654         (JSC::dataViewProtoFuncSetFloat64):
3655         * runtime/JSONObject.cpp: ditto.
3656         * runtime/ObjectConstructor.cpp: ditto.
3657         * runtime/StringPrototype.cpp: ditto.
3658
3659 2014-08-18  Saam Barati  <sbarati@apple.com>
3660
3661         The parser should generate AST nodes for var declarations with no initializers
3662         https://bugs.webkit.org/show_bug.cgi?id=135545
3663
3664         Reviewed by Geoffrey Garen.
3665
3666         Currently, JSC's parser ignores variable declarations
3667         that have no assignment initializer value because all 
3668         variables are implicitly assigned to undefined. But, 
3669         type profiling needs an AST node to be generated for these 
3670         empty variable declarations because it needs to be able to 
3671         profile their text locations and to see that their type 
3672         is undefined.
3673
3674         * bytecompiler/NodesCodegen.cpp:
3675         (JSC::EmptyVarExpression::emitBytecode):
3676         * parser/ASTBuilder.h:
3677         (JSC::ASTBuilder::createVarStatement):
3678         (JSC::ASTBuilder::createEmptyVarExpression):
3679         * parser/NodeConstructors.h:
3680         (JSC::EmptyVarExpression::EmptyVarExpression):
3681         * parser/Nodes.h:
3682         * parser/Parser.cpp:
3683         (JSC::Parser<LexerType>::parseVarDeclarationList):
3684         * parser/SyntaxChecker.h:
3685         (JSC::SyntaxChecker::createEmptyVarExpression):
3686
3687 2014-08-18  Diego Pino Garcia  <dpino@igalia.com>
3688
3689         Completed iterator can be revived by adding more than one new entry to the target object
3690         https://bugs.webkit.org/show_bug.cgi?id=129993
3691
3692         Reviewed by Oliver Hunt.
3693
3694         When the iterator reaches the end, finish the iterator.
3695
3696         * runtime/JSMapIterator.h:
3697         (JSC::JSMapIterator::finish):
3698         * runtime/JSSetIterator.h:
3699         (JSC::JSSetIterator::finish):
3700         * runtime/MapData.h:
3701         (JSC::MapData::const_iterator::finish): set index of iterator to max
3702         Int32.
3703         * runtime/MapIteratorPrototype.cpp:
3704         (JSC::MapIteratorPrototypeFuncNext):
3705         * runtime/SetIteratorPrototype.cpp:
3706         (JSC::SetIteratorPrototypeFuncNext):
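
        The behaviour bug 129993 is about, as an added example that is not part of the ChangeLog or the JSC test suite: once a Map or Set iterator has reported done, growing the collection by more than one entry must not revive it, whereas an iterator that has not yet finished does see entries added before it completes. Both checks run against the built-in Map and Set of any ES2015 engine.

```javascript
"use strict";

// Pull up to `limit` values from an iterator, stopping at { done: true }.
function drain(it, limit) {
  var values = [];
  for (var i = 0; i < limit; i++) {
    var r = it.next();
    if (r.done) return { values: values, done: true };
    values.push(r.value);
  }
  return { values: values, done: false };
}

// Case 1: the iterator is walked to completion, then two entries are added.
// An iterator that merely compared its index against the current size would
// start yielding again; a finished iterator must stay finished, so the
// expected result is an empty array.
function revivedAfterCompletion(makeCollection, add) {
  var c = makeCollection([1, 2]);
  var it = c.keys();
  drain(it, 10);            // reaches { done: true }
  add(c, 3);
  add(c, 4);                // the "more than one new entry" case
  return drain(it, 10).values; // [] on a conforming engine
}

// Case 2: the iterator is still live when an entry is added, so the new
// entry is visited before the iterator completes.
function liveIteratorSeesAdditions(makeCollection, add) {
  var c = makeCollection([1, 2]);
  var it = c.keys();
  var first = drain(it, 1).values; // [1]
  add(c, 3);
  var rest = drain(it, 10).values; // [2, 3]
  return first.concat(rest);       // [1, 2, 3]
}

// Constructed Map and Set adapters so both cases run over both collections.
function mapOf(xs) { return new Map(xs.map(function (x) { return [x, x]; })); }
function mapAdd(m, x) { m.set(x, x); }
function setOf(xs) { return new Set(xs); }
function setAdd(s, x) { s.add(x); }
```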
3707
3708 2014-08-15  Brian J. Burg  <burg@cs.washington.edu>
3709
3710         Web Inspector: rewrite CodeGeneratorInspector to be modular and testable
3711         https://bugs.webkit.org/show_bug.cgi?id=131596
3712
3713         Unreviewed gardening to rebaseline inspector generator tests after addressing review comments.
3714
3715         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
3716         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
3717         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
3718         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
3719         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
3720         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
3721         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
3722         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
3723         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
3724         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
3725         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
3726
3727 2014-08-15  Brian J. Burg  <burg@cs.washington.edu>
3728
3729         Unreviewed build fix for some GTK bots after r172655.
3730
3731         Some bots use Python 2.6, which lacks the 'flags' named parameter for re.sub.
3732
3733         * inspector/scripts/codegen/generator.py:
3734         (Generator.stylized_name_for_enum_value): Do things the old-school way.
3735
3736 2014-08-15  Michael Saboff  <msaboff@apple.com>
3737
3738         Change callToJavaScript and callToNativeFunction so their callFrames match the native calling conventions
3739         https://bugs.webkit.org/show_bug.cgi?id=131578
3740
3741         Reviewed by Geoffrey Garen.
3742
3743         Renamed callToJavaScript and callToNativeFunction to vmEntryToJavaScript and vmEntryToNative,
3744         respectively.  Eliminated the sentinel frame and replaced it with the structure VMEntryRecord
3745         that appears in the "locals" area of a VM entry stack frame.  Changed the order that
3746         vmEntryToJavaScript and vmEntryToNative create their stack frames to be native calling
3747         convention compliant.  That is to save prior frame pointer, save callee save registers, then
3748         allocate and populate the VMEntryRecord, and finally allocate a CallFrame for the JS function
3749         that vmEntryToJavaScript will invoke.  The topmost vm entry frame pointer is saved in
3750         VM::topVMEntryFrame.  The vmEntry functions save prior contents of VM::topVMEntryFrame
3751         along with the VM and VM::topCallFrame in the VMEntryRecord it places on the stack.  Starting
3752         at VM::topCallFrame, the stack can be walked using these VMEntryRecords.
3753
3754         Arbitrary stack unwinding is now handled either iteratively by loading VM::topVMEntryFrame
3755         into a local variable and using CallFrame::callerFrame(VMEntryFrame*&) or by using StackVisitor.
3756         Given that the stack is effectively a singly linked list, general stack unwinding needs to use
3757         one of these two methods.
3758
3759         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3760         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3761         * JavaScriptCore.xcodeproj/project.pbxproj:
3762         Addition of VMEntryRecord.h
3763
3764         * bytecode/BytecodeList.json:
3765         Renaming of llint helper opcodes due to renaming callToJavaScript and callToNativeFunction.
3766
3767         * debugger/Debugger.cpp:
3768         (JSC::Debugger::stepOutOfFunction):
3769         (JSC::Debugger::returnEvent):
3770         (JSC::Debugger::didExecuteProgram):
3771         * jsc.cpp:
3772         (functionDumpCallFrame):
3773         * jit/JITOperations.cpp:
3774         Changed unwinding to use CallFrame::callerFrame(VMEntryFrame*&).
3775
3776         * bytecode/CodeBlock.cpp:
3777         (JSC::RecursionCheckFunctor::RecursionCheckFunctor):
3778         (JSC::RecursionCheckFunctor::operator()):
3779         (JSC::RecursionCheckFunctor::didRecurse):
3780         (JSC::CodeBlock::noticeIncomingCall):
3781         * debugger/DebuggerCallFrame.cpp:
3782         (JSC::FindCallerMidStackFunctor::FindCallerMidStackFunctor):
3783         (JSC::FindCallerMidStackFunctor::operator()):
3784         (JSC::FindCallerMidStackFunctor::getCallerFrame):
3785         (JSC::DebuggerCallFrame::callerFrame):
3786         * interpreter/VMInspector.cpp:
3787         (JSC::CountFramesFunctor::CountFramesFunctor):
3788         (JSC::CountFramesFunctor::operator()):
3789         (JSC::CountFramesFunctor::count):
3790         (JSC::VMInspector::countFrames):
3791         * runtime/VM.cpp:
3792         (JSC::VM::VM):
3793         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
3794         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
3795         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame):
3796         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index):
3797         (JSC::VM::throwException):
3798         Changed unwinding to use StackVisitor including added functor classes.
3799
3800         * interpreter/CallFrame.cpp:
3801         (JSC::CallFrame::callerFrame):
3802         Added new flavor of callerFrame() that can iteratively unwind the stack.
3803
3804         * interpreter/CallFrame.h:
3805         (JSC::ExecState::callerFrame): Changed callerFrame() to use private common helper.
3806         (JSC::ExecState::callerFrameOrVMEntryFrame): Deleted.
3807         (JSC::ExecState::isVMEntrySentinel): Deleted.
3808         (JSC::ExecState::vmEntrySentinelCallerFrame): Deleted.
3809         (JSC::ExecState::initializeVMEntrySentinelFrame): Deleted.
3810         (JSC::ExecState::callerFrameSkippingVMEntrySentinel): Deleted.
3811         (JSC::ExecState::vmEntrySentinelCodeBlock): Deleted.
3812
3813         * interpreter/CallFrame.h:
3814         (JSC::ExecState::init):
3815         (JSC::ExecState::topOfFrame):
3816         (JSC::ExecState::currentVPC):
3817         (JSC::ExecState::setCurrentVPC):
3818         Eliminated unneeded checking of sentinel frame.
3819
3820         * interpreter/Interpreter.cpp:
3821         (JSC::unwindCallFrame):
3822         (JSC::Interpreter::getStackTrace): Updated for unwinding changes.
3823         (JSC::Interpreter::unwind): Eliminated unneeded sentinel frame check.
3824
3825         * interpreter/Interpreter.cpp:
3826         (JSC::Interpreter::executeCall):
3827         (JSC::Interpreter::executeConstruct):
3828         * jit/JITStubs.h:
3829         * llint/LLIntThunks.cpp:
3830         (JSC::callToJavaScript): Deleted.
3831         (JSC::callToNativeFunction): Deleted.
3832         (JSC::vmEntryToJavaScript):
3833         (JSC::vmEntryToNative):
3834         * llint/LLIntThunks.h:
3835         Updated for vmEntryToJavaScript and vmEntryToNative name changes.
3836
3837         * interpreter/Interpreter.h:
3838         (JSC::TopCallFrameSetter::TopCallFrameSetter):
3839         (JSC::TopCallFrameSetter::~TopCallFrameSetter):
3840         Eliminated unneeded sentinel frame check.
3841
3842         * interpreter/Interpreter.h:
3843         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
3844         Removed sentinel specific constructor.
3845
3846         * interpreter/StackVisitor.cpp:
3847         (JSC::StackVisitor::StackVisitor):
3848         (JSC::StackVisitor::readFrame):
3849         (JSC::StackVisitor::readNonInlinedFrame):
3850         (JSC::StackVisitor::readInlinedFrame):
3851         (JSC::StackVisitor::Frame::print):
3852         * interpreter/StackVisitor.h:
3853         (JSC::StackVisitor::Frame::callerIsVMEntry):
3854         Changes for unwinding using CallFrame::callerFrame(VMEntryFrame*&).  Also added field that
3855         indicates when about to step over a VM entry frame.
3856
3857         * interpreter/VMEntryRecord.h: Added.
3858         (JSC::VMEntryRecord::prevTopCallFrame):
3859         (JSC::VMEntryRecord::prevTopVMEntryFrame):
3860         New struct to record prior state of VM's notion of VM entry and top call frames.
3861
3862         * jit/JITCode.cpp:
3863         (JSC::JITCode::execute):
3864         Use new vmEntryToJavaScript and vmEntryToNative name.
3865
3866         * llint/LLIntOffsetsExtractor.cpp: Added include for VMEntryRecord.h.
3867
3868         * llint/LowLevelInterpreter.asm:
3869         * llint/LowLevelInterpreter32_64.asm:
3870         * llint/LowLevelInterpreter64.asm:
3871         Offline assembly implementation of creating stack frame with VMEntryRecord as well as restoring 
3872         relevant VM fields when exiting the VM.  Added a helper that returns a VMEntryRecord given
3873         a pointer to the VM entry frame.
3874
3875         * llint/LLIntThunks.cpp:
3876         (JSC::vmEntryRecord):
3877         * llint/LowLevelInterpreter.cpp:
3878         (JSC::CLoop::execute):
3879         C Loop changes to mirror the assembly changes.
3880
3881         * runtime/VM.h:
3882         Added topVMEntryFrame field.
3883
3884 2014-08-15  Brian J. Burg  <burg@cs.washington.edu>
3885
3886         Web Inspector: rewrite CodeGeneratorInspector to be modular and testable
3887         https://bugs.webkit.org/show_bug.cgi?id=131596
3888
3889         Reviewed by Joseph Pecoraro.
3890
3891         Replace CodeGeneratorInspector.py with generate-inspector-protocol-bindings.py.
3892         The new generator decouples parsing and typechecking a model of the protocol from
3893         code generation. Each generated file is created by a different subclass of Generator.
3894         Helper methods to compute various type signatures are shared among generators.
3895
3896         This patch introduces a test harness and a test suite that covers all functionality.
3897
3898         Aside from hooking up the new