[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-09-10  Saam Barati  <saambarati1@gmail.com>

        Web Inspector: Modify the type profiler runtime protocol to transfer some computation into the WebInspector
        https://bugs.webkit.org/show_bug.cgi?id=136500

        Reviewed by Joseph Pecoraro.

        This patch changes the type profiler protocol to the Web Inspector
        by moving the work of calculating computed properties that affect the UI
        into the Web Inspector. This makes the Web Inspector have control over the
        strings it displays as UI elements representing type information to the user
        instead of JavaScriptCore deciding on a convention for these strings.
        JavaScriptCore now sends enough information to the Web Inspector so that
        it can compute the properties JavaScriptCore used to compute.

        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        * inspector/protocol/Runtime.json:
        * runtime/TypeProfiler.cpp:
        (JSC::TypeProfiler::getTypesForVariableAtOffsetForInspector): Deleted.
        * runtime/TypeProfiler.h:
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::inspectorTypeSet):
        (JSC::StructureShape::leastCommonAncestor):
        (JSC::StructureShape::inspectorRepresentation):
        * runtime/TypeSet.h:

2014-09-10  Akos Kiss  <akiss@inf.u-szeged.hu>

        Apply ARM64-specific lowering to load/store instructions in offlineasm
        https://bugs.webkit.org/show_bug.cgi?id=136569

        Reviewed by Michael Saboff.

        The standard RISC lowering of load/store instructions with base +
        immediate offset addresses is to move the offset to a temporary, add the
        base to the temporary, and then change the load/store to use the
        temporary + 0 immediate offset address. However, on ARM64, base +
        register offset addressing mode is available, so it is unnecessary to
        perform explicit register additions; it is enough to change the load/store
        to use base + temporary as the address.

        * offlineasm/arm64.rb: Added arm64LowerMalformedLoadStoreAddresses

2014-09-10  Oliver Hunt  <oliver@apple.com>

        Rename JSVariableObject to JSEnvironmentRecord to align naming with ES spec
        https://bugs.webkit.org/show_bug.cgi?id=136710

        Reviewed by Anders Carlsson.

        This is a trivial rename.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLAbstractHeapRepository.cpp:
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters):
        * jit/JITOpcodes32_64.cpp:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitGetClosureVar):
        (JSC::JIT::emitPutClosureVar):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitGetClosureVar):
        (JSC::JIT::emitPutClosureVar):
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::getOwnNonIndexPropertyNames):
        * runtime/JSActivation.h:
        * runtime/JSEnvironmentRecord.cpp: Renamed from Source/JavaScriptCore/runtime/JSVariableObject.cpp.
        * runtime/JSEnvironmentRecord.h: Renamed from Source/JavaScriptCore/runtime/JSVariableObject.h.
        (JSC::JSEnvironmentRecord::registers):
        (JSC::JSEnvironmentRecord::registerAt):
        (JSC::JSEnvironmentRecord::addressOfRegisters):
        (JSC::JSEnvironmentRecord::offsetOfRegisters):
        (JSC::JSEnvironmentRecord::JSEnvironmentRecord):
        * runtime/JSNameScope.h:
        * runtime/JSSegmentedVariableObject.h:

2014-09-10  Julien Brianceau   <jbriance@cisco.com>

        [mips] Add missing parts and fix LLINT mips backend
        https://bugs.webkit.org/show_bug.cgi?id=136706

        Reviewed by Michael Saboff.

        * llint/LowLevelInterpreter.asm: Fix invalid CalleeSave register number.
        Implement initPCRelative and setEntryAddress macros.
        * llint/LowLevelInterpreter32_64.asm: Fix register distribution in
        doVMEntry macro.

2014-09-10  Saam Barati  <saambarati1@gmail.com>

        TypeSet needs a mode where it no longer profiles structure shapes
        https://bugs.webkit.org/show_bug.cgi?id=136263

        Reviewed by Filip Pizlo.

        The TypeSet data structure used to gather as many StructureShape
        objects as it encountered during type profiling. But, this meant
        that there was no upper limit on how many objects it could allocate.
        This patch places a fixed upper bound on the number of StructureShapes
        allocated per TypeSet to prevent using too much memory for little gain
        in type profiling usefulness.

        StructureShape objects are now also aware of when they are created
        from Structures which are dictionaries.

        In total, this patch lays the final groundwork needed in refactoring
        the inspector protocol for the type profiler.

        * runtime/Structure.cpp:
        (JSC::Structure::toStructureShape):
        * runtime/TypeProfiler.cpp:
        (JSC::TypeProfiler::typeInformationForExpressionAtOffset):
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::TypeSet):
        (JSC::TypeSet::addTypeInformation):
        (JSC::StructureShape::StructureShape):
        (JSC::StructureShape::toJSONString):
        (JSC::StructureShape::enterDictionaryMode):
        * runtime/TypeSet.h:
        (JSC::TypeSet::isOverflown):
        * tests/typeProfiler/dictionary-mode.js: Added.
        (wrapper):
        * tests/typeProfiler/driver/driver.js:
        * tests/typeProfiler/overflow.js: Added.
        (wrapper.Proto):
        (wrapper):

2014-09-10  Peter Gal  <galpeter@inf.u-szeged.hu>

        [MIPS] branch32WithPatch missing
        https://bugs.webkit.org/show_bug.cgi?id=136696

        Reviewed by Michael Saboff.

        Added the missing branch32WithPatch. The implementation
        is currently the same as the branchPtrWithPatch because
        the macro assembler supports only 32 bit MIPS.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::branch32WithPatch):

2014-09-10  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        Fix !ENABLE(DFG_JIT) build
        https://bugs.webkit.org/show_bug.cgi?id=136702

        Reviewed by Michael Saboff.

        * bytecode/CallEdgeProfile.h:

2014-09-09  Benjamin Poulain  <bpoulain@apple.com>

        Disable the "unreachable-code" warning
        https://bugs.webkit.org/show_bug.cgi?id=136677

        Reviewed by Darin Adler.

        * Configurations/Base.xcconfig:

2014-09-08  Filip Pizlo  <fpizlo@apple.com>

        DFG should have a reusable SSA builder
        https://bugs.webkit.org/show_bug.cgi?id=136331

        Reviewed by Oliver Hunt.

        We want to implement sophisticated SSA transformations like object allocation sinking
        (https://bugs.webkit.org/show_bug.cgi?id=136330), but to do that, we need to be able to do
        updates to SSA that require inserting new Phi's. This requires calculating where Phis go.
        Previously, our Phi calculation was based on Aycock and Horspool's algorithm, and our
        implementation of this algorithm only worked when doing CPS->SSA conversion. The code
        could not be reused for cases where some phase happens to know that it introduced a few
        defs in some blocks and it wants to figure out where the Phis should go. Moreover, even
        the general algorithm of Aycock and Horspool is not well suited to such targeted SSA
        updates, since it requires first inserting maximal Phis. That scales well when the Phis
        were already there (like in our CPS form) but otherwise it's quite unnatural and may be
        difficult to make efficient.

        The usual way of handling both SSA conversion and SSA update is to use Cytron et al's
        algorithm based on dominance frontiers. For a while now, I've been working on creating a
        Cytron-based SSA calculator that can be used both as a replacement for our current SSA
        converter and as a reusable tool for any phase that needs to do SSA update. I previously
        optimized our dominator calculation and representation to use dominator trees computed
        using Lengauer and Tarjan's algorithm - mainly to make it more scalable to enumerate over
        the set of blocks that dominate you or vice-versa, and then I implemented a dominance
        frontier calculator. This patch implements the final step towards making SSA update
        available to all SSA phases: it implements an SSACalculator that can tell you where Phis
        go when given an arbitrary set of Defs. To keep things simple, and to ensure that we have
        good test coverage for this SSACalculator, this patch replaces the old Aycock-Horspool
        SSA converter with one based on the SSACalculator.

        This has no observable impact. It does reduce the amount of code in SSAConversionPhase.
        But even better, it makes SSAConversionPhase have significantly less tricky logic. It
        mostly just relies on SSACalculator to do the tricky stuff, and SSAConversionPhase mostly
        just reasons about the weirdnesses unique to the ThreadedCPS form that it sees as input.
        In fact, using the Cytron et al approach means that there isn't really any "smoke and
        mirrors" trickiness related to SSA. SSACalculator's only "tricks" are using the pruned
        iterated dominance frontier to place Phi's and using the dom tree to find reaching defs.
        The complexity is mostly confined to Dominators, which computes various dominator-related
        properties over the control flow graph. That class can be difficult to understand, but at
        least it follows well-known graph theory wisdom.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAnalysis.h:
        * dfg/DFGCSEPhase.cpp:
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::run):
        * dfg/DFGDominators.h:
        (JSC::DFG::Dominators::immediateDominatorOf):
        (JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOf):
        (JSC::DFG::Dominators::forAllBlocksInPrunedIteratedDominanceFrontierOf):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::blocksInPreOrder):
        (JSC::DFG::Graph::blocksInPostOrder):
        (JSC::DFG::Graph::getBlocksInPreOrder): Deleted.
        (JSC::DFG::Graph::getBlocksInPostOrder): Deleted.
        * dfg/DFGGraph.h:
        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::run):
        * dfg/DFGNodeFlags.h:
        * dfg/DFGPhase.cpp:
        (JSC::DFG::Phase::beginPhase):
        (JSC::DFG::Phase::endPhase):
        * dfg/DFGPhase.h:
        * dfg/DFGSSACalculator.cpp: Added.
        (JSC::DFG::SSACalculator::Variable::dump):
        (JSC::DFG::SSACalculator::Variable::dumpVerbose):
        (JSC::DFG::SSACalculator::Def::dump):
        (JSC::DFG::SSACalculator::SSACalculator):
        (JSC::DFG::SSACalculator::~SSACalculator):
        (JSC::DFG::SSACalculator::newVariable):
        (JSC::DFG::SSACalculator::newDef):
        (JSC::DFG::SSACalculator::nonLocalReachingDef):
        (JSC::DFG::SSACalculator::reachingDefAtTail):
        (JSC::DFG::SSACalculator::dump):
        * dfg/DFGSSACalculator.h: Added.
        (JSC::DFG::SSACalculator::Variable::index):
        (JSC::DFG::SSACalculator::Variable::Variable):
        (JSC::DFG::SSACalculator::Def::variable):
        (JSC::DFG::SSACalculator::Def::block):
        (JSC::DFG::SSACalculator::Def::value):
        (JSC::DFG::SSACalculator::Def::Def):
        (JSC::DFG::SSACalculator::variable):
        (JSC::DFG::SSACalculator::computePhis):
        (JSC::DFG::SSACalculator::phisForBlock):
        (JSC::DFG::SSACalculator::reachingDefAtHead):
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::SSAConversionPhase):
        (JSC::DFG::SSAConversionPhase::run):
        (JSC::DFG::SSAConversionPhase::forwardPhiChildren): Deleted.
        (JSC::DFG::SSAConversionPhase::forwardPhi): Deleted.
        (JSC::DFG::SSAConversionPhase::forwardPhiEdge): Deleted.
        (JSC::DFG::SSAConversionPhase::deduplicateChildren): Deleted.
        * dfg/DFGSSAConversionPhase.h:
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::Validate):
        (JSC::DFG::Validate::dumpGraphIfAppropriate):
        (JSC::DFG::validate):
        * dfg/DFGValidate.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        * runtime/Options.h:

2014-09-08  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r173402.
        https://bugs.webkit.org/show_bug.cgi?id=136649

        Breaking build with error "unable to restore file position to
        0x00000c60 for section __DWARF.__debug_info (errno = 9)"
        (Requested by mlam_ on #webkit).

        Reverted changeset:

        "Move CallFrame and Register inline functions out of
        JSScope.h."
        https://bugs.webkit.org/show_bug.cgi?id=136579
        http://trac.webkit.org/changeset/173402

2014-09-08  Mark Lam  <mark.lam@apple.com>

        Move CallFrame and Register inline functions out of JSScope.h.
        <https://webkit.org/b/136579>

        Reviewed by Geoffrey Garen.

        This includes fixing up some files to #include JSCInlines.h to pick up
        these inline functions.  I also added JSCellInlines.h to JSCInlines.h
        since it is included from many of the affected .cpp files.

        * API/ObjCCallbackFunction.mm:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bindings/ScriptValue.cpp:
        * inspector/InjectedScriptHost.cpp:
        * inspector/InjectedScriptManager.cpp:
        * inspector/JSGlobalObjectInspectorController.cpp:
        * inspector/JSJavaScriptCallFrame.cpp:
        * inspector/ScriptDebugServer.cpp:
        * interpreter/CallFrameInlines.h:
        (JSC::CallFrame::vm):
        (JSC::CallFrame::lexicalGlobalObject):
        (JSC::CallFrame::globalThisValue):
        * interpreter/RegisterInlines.h: Added.
        (JSC::Register::operator=):
        (JSC::Register::scope):
        * runtime/ArgumentsIteratorConstructor.cpp:
        * runtime/JSArrayIterator.cpp:
        * runtime/JSCInlines.h:
        * runtime/JSCJSValue.cpp:
        * runtime/JSMapIterator.cpp:
        * runtime/JSPromiseConstructor.cpp:
        * runtime/JSPromiseDeferred.cpp:
        * runtime/JSPromiseFunctions.cpp:
        * runtime/JSPromisePrototype.cpp:
        * runtime/JSPromiseReaction.cpp:
        * runtime/JSScope.h:
        (JSC::Register::operator=): Deleted.
        (JSC::Register::scope): Deleted.
        (JSC::ExecState::vm): Deleted.
        (JSC::ExecState::lexicalGlobalObject): Deleted.
        (JSC::ExecState::globalThisValue): Deleted.
        * runtime/JSSetIterator.cpp:
        * runtime/MapConstructor.cpp:
        * runtime/MapData.cpp:
        * runtime/MapIteratorPrototype.cpp:
        * runtime/MapPrototype.cpp:
        * runtime/SetConstructor.cpp:
        * runtime/SetIteratorPrototype.cpp:
        * runtime/SetPrototype.cpp:
        * runtime/WeakMapConstructor.cpp:
        * runtime/WeakMapPrototype.cpp:

2014-09-08  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        Remove FILTERS flag
        https://bugs.webkit.org/show_bug.cgi?id=136571

        Reviewed by Darin Adler.

        * Configurations/FeatureDefines.xcconfig:

2014-09-08  Saam Barati  <saambarati1@gmail.com>

        Merge StructureShapes that share the same prototype chain
        https://bugs.webkit.org/show_bug.cgi?id=136549

        Reviewed by Filip Pizlo.

        Instead of keeping track of many discrete StructureShapes that share
        the same prototype chain, TypeSet should merge StructureShapes that
        have the same prototype chain and provide a new member variable for
        optional structure fields. This provides a cleaner and more concise
        interface for dealing with StructureShapes within TypeSet. Instead
        of having many discrete shapes that are almost identical, almost
        identical shapes will be merged together with an interface for
        understanding what fields the shapes being merged together differ in.

        * runtime/TypeSet.cpp:
        (JSC::TypeSet::addTypeInformation):
        (JSC::StructureShape::addProperty):
        (JSC::StructureShape::toJSONString):
        (JSC::StructureShape::inspectorRepresentation):
        (JSC::StructureShape::hasSamePrototypeChain):
        (JSC::StructureShape::merge):
        * runtime/TypeSet.h:
        * tests/typeProfiler/optional-fields.js: Added.
        (wrapper.func):
        (wrapper):

2014-09-08  Jessie Berlin  <jberlin@apple.com>

        More 32-bit Release build fixes after r173364.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2014-09-07  Maciej Stachowiak  <mjs@apple.com>

        Fix typos in last patch to fix build.

        Unreviewed build fix.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
        (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):

2014-09-07  Maciej Stachowiak  <mjs@apple.com>

        Introduce COMPILER_QUIRK(CONSIDERS_UNREACHABLE_CODE) and use it
        https://bugs.webkit.org/show_bug.cgi?id=136616

        Reviewed by Darin Adler.

        Many compilers will analyze unreachable code paths (e.g. after an
        unreachable code path), so sometimes they need dead code initializations.
        But clang with suitable warnings will complain about unreachable code. So
        use the quirk to include it conditionally.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdOp):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::handleExitCounts):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThread):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
        * jsc.cpp:
        * runtime/JSArray.cpp:
        (JSC::JSArray::fillArgList):
        (JSC::JSArray::copyToArguments):
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):

2014-09-06  Darin Adler  <darin@apple.com>

        Make updates suggested by new version of Xcode
        https://bugs.webkit.org/show_bug.cgi?id=136603

        Reviewed by Mark Rowe.

        * Configurations/Base.xcconfig: Added CLANG_WARN_UNREACHABLE_CODE, COMBINE_HIDPI_IMAGES,
        and ENABLE_STRICT_OBJC_MSGSEND as suggested by Xcode upgrade check.

        * JavaScriptCore.xcodeproj/project.pbxproj: Update LastUpgradeCheck.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode): Compile out unreachable code
        for clang, since it understands the code is unreachable.
        * runtime/JSArray.cpp:
        (JSC::JSArray::fillArgList): Ditto.
        (JSC::JSArray::copyToArguments): Ditto.

2014-09-05  Matt Baker  <mattbaker@apple.com>

        Web Inspector: breakpoint actions should work regardless of Content Security Policy
        https://bugs.webkit.org/show_bug.cgi?id=136542

        Reviewed by Mark Lam.

        Added JSC::DebuggerEvalEnabler, an RAII object which enables eval on a
        JSGlobalObject for the duration of a scope, returning the eval enabled state to its
        original value when the scope exits. Used by JSC::DebuggerCallFrame::evaluate
        to allow breakpoint actions to execute JS in pages with a Content Security Policy
        that would normally prohibit this (such as Inspector's Main.html).

        Refactored Inspector::InjectedScriptBase to use the RAII object instead of manually
        setting eval enabled and then resetting the original eval enabled state.

        NOTE: The JSC::DebuggerEvalEnabler constructor checks the passed in ExecState pointer
        for null to be equivalent with the original code in Inspector::InjectedScriptBase.
        InjectedScriptBase is getting the ExecState from ScriptObject::scriptState(), which
        can currently be null.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::evaluate):
        * debugger/DebuggerEvalEnabler.h: Added.
        (JSC::DebuggerEvalEnabler::DebuggerEvalEnabler):
        (JSC::DebuggerEvalEnabler::~DebuggerEvalEnabler):
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):

2014-09-05  peavo@outlook.com  <peavo@outlook.com>

        [WinCairo] jsc.exe won't run.
        https://bugs.webkit.org/show_bug.cgi?id=136481

        Reviewed by Alex Christensen.

        We need to define WIN_CAIRO to avoid looking for the AAS folder.

        * JavaScriptCore.vcxproj/jsc/DLLLauncherWinCairo.props: Added.
        * JavaScriptCore.vcxproj/jsc/jscLauncher.vcxproj:
        * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncher.vcxproj:
        * JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props:
        * JavaScriptCore.vcxproj/testapi/testapiLauncher.vcxproj:

2014-09-05  David Kilzer  <ddkilzer@apple.com>

        JavaScriptCore should build with newer clang
        <http://webkit.org/b/136002>
        <rdar://problem/18020616>

        Reviewed by Geoffrey Garen.

        Other than the JSC::SourceProvider::asID() change (which simply
        removes code that the optimizing compiler would have discarded
        in Release builds), we move the |this| checks in OpaqueJSString
        to NULL checks into JSBase, JSObjectRef, JSScriptRef,
        JSStringRef{CF} and JSValueRef.

        Note that the following function arguments are _not_ NULL-checked
        since doing so would just cover up bugs (and were not needed to
        prevent any tests from failing):
        - |script| in JSEvaluateScript(), JSCheckScriptSyntax();
        - |body| in JSObjectMakeFunction();
        - |source| in JSScriptCreateReferencingImmortalASCIIText()
          (which is a const char* anyway);
        - |source| in JSScriptCreateFromString().

        * API/JSBase.cpp:
        (JSEvaluateScript): Add NULL check for |sourceURL|.
        (JSCheckScriptSyntax): Ditto.
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunction): Ditto.
        * API/JSScriptRef.cpp:
        (JSScriptCreateReferencingImmortalASCIIText): Ditto.
        (JSScriptCreateFromString): Add NULL check for |url|.
        * API/JSStringRef.cpp:
        (JSStringGetLength): Return early if NULL pointer is passed in.
        (JSStringGetCharactersPtr): Ditto.
        (JSStringGetUTF8CString): Ditto.  Also check |buffer| parameter.
        * API/JSStringRefCF.cpp:
        (JSStringCopyCFString): Ditto.
        * API/JSValueRef.cpp:
        (JSValueMakeString): Add NULL check for |string|.

        * API/OpaqueJSString.cpp:
        (OpaqueJSString::string): Remove code that checks |this|.
        (OpaqueJSString::identifier): Ditto.
        (OpaqueJSString::characters): Ditto.
        * API/OpaqueJSString.h:
        (OpaqueJSString::is8Bit): Remove code that checks |this|.
        (OpaqueJSString::characters8): Ditto.
        (OpaqueJSString::characters16): Ditto.
        (OpaqueJSString::length): Ditto.

        * parser/SourceProvider.h:
        (JSC::SourceProvider::asID): Remove code that checks |this|.

2014-06-06  Jer Noble  <jer.noble@apple.com>

        Refactoring: make MediaTime the primary time type for audiovisual times.
        https://bugs.webkit.org/show_bug.cgi?id=133579

        Reviewed by Eric Carlson.

        Add a utility function which converts a MediaTime to a JSNumber.

        * runtime/JSCJSValue.h:
        (JSC::jsNumber):

2014-09-04  Michael Saboff  <msaboff@apple.com>

        ARM: Add more coverage to ARMv7 disassembler
        https://bugs.webkit.org/show_bug.cgi?id=136565

        Reviewed by Mark Lam.

        Added ARMV7 disassembler support for Push/Pop multiple and floating point instructions
        VCMP, VCVT[R] between floating point and integer, and VLDR.

        * disassembler/ARMv7/ARMv7DOpcode.cpp:
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::appendRegisterList):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPopMultiple::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushMultiple::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::format):
        * disassembler/ARMv7/ARMv7DOpcode.h:
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::registerList):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::condition):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::condition):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::dBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::vd):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::szBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::eBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::mBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::vm):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::condition):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::dBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::op2):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::vd):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::szBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::op):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::mBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::vm):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::condition):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::uBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::rn):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::vd):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::doubleReg):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::immediate8):

2014-09-04  Mark Lam  <mark.lam@apple.com>

        Move PropertySlot's inline functions back to PropertySlot.h.
        <https://webkit.org/b/136547>

        Reviewed by Filip Pizlo.

        * runtime/JSObject.h:
        (JSC::PropertySlot::getValue): Deleted.
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::getValue):

2014-09-04  Filip Pizlo  <fpizlo@apple.com>

        Make sure that deleting all code first processes the call edge log, and reenable call edge profiling.

        Rubber stamped by Sam Weinig.

        * debugger/Debugger.cpp:
        (JSC::Debugger::forEachCodeBlock):
        (JSC::Debugger::setSteppingMode):
        (JSC::Debugger::recompileAllJSFunctions):
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::recompileAllJSFunctionsForTypeProfiling):
        * runtime/Options.h: Reenable call edge profiling.
        * runtime/VM.cpp:
        (JSC::VM::prepareToDiscardCode): Make sure this also processes the call edge log, in case any call edge profiles are about to be destroyed.
        (JSC::VM::discardAllCode):
        (JSC::VM::releaseExecutableMemory):
        (JSC::VM::setEnabledProfiler):
        (JSC::VM::waitForCompilationsToComplete): Deleted.
        * runtime/VM.h: Rename waitForCompilationsToComplete() back to prepareToDiscardCode() because the purpose of the method - now as ever - is to do all of the things that need to be done to ensure that code may be safely deleted.

2014-09-04  Akos Kiss  <akiss@inf.u-szeged.hu>

        Ensure that the call frame set up by vmEntryToNative does not overlap with the stack of the callee
        https://bugs.webkit.org/show_bug.cgi?id=136485

        Reviewed by Michael Saboff.

        Changed makeHostFunctionCall to keep the stack pointer above the call
        frame set up by doVMEntry. Thus the callee will not, and cannot, override the top
        of the call frame.

        Refactored the two (32_64 and 64) versions of makeHostFunctionCall to be
        more alike to help future maintenance.

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2014-09-04  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r173031): crashes during run-layout-jsc on x86/Linux
        https://bugs.webkit.org/show_bug.cgi?id=136436

        Reviewed by Geoffrey Garen.

        Instead of trying to calculate a stack pointer that allows for possible
        stacked argument space, just use the "home" stack pointer location.
        That stack pointer provides space for the worst case number of stacked
        arguments on architectures that use stacked arguments.  It also provides
        stack space so that the return PC and caller frame pointer that are stored
        as part of making the call to operationCallEval will not override any part
        of the callee frame created on the stack.

        Changed compileCallEval() to use the stackPointer value of the calling
        function.  That stack pointer is calculated to have enough space for
        outgoing stacked arguments.  By moving the stack pointer to its "home"
        position, the caller frame and return PC are not set as part of making
        the call to operationCallEval().  Moved the explicit setting of the
        callerFrame field of the callee CallFrame from operationCallEval() to
        compileCallEval() since it has been the artifact of making a call for
        most architectures.  Simplified the exception logic in compileCallEval()
        as a result of the change.  To be compliant with the stack state
        expected by virtualCallThunkGenerator(), moved the stack pointer to
        point above the CallerFrameAndPC of the callee CallFrame.

        * jit/JIT.h: Changed callOperationNoExceptionCheck(J_JITOperation_EE, ...)
        to callOperation(J_JITOperation_EE, ...) as it now can do a typical exception
        check.
        * jit/JITCall.cpp & jit/JITCall32_64.cpp:
        (JSC::JIT::compileCallEval): Use the home stack pointer when making the call
        to operationCallEval.  Since the stack pointer adjustment no longer needs
        to be done after making the call to operationCallEval(), the exception check
        logic can be simplified.
        (JSC::JIT::compileCallEvalSlowCase): Restored the stack pointer to point
694         to above the calleeFrame as this is what the generated thunk expects.
695         * jit/JITInlines.h:
696         (JSC::JIT::callOperation): Refactor of callOperationNoExceptionCheck
697         with the addition of a standard exception check.
698         (JSC::JIT::callOperationNoExceptionCheck): Deleted.
699         * jit/JITOperations.cpp:
700         (JSC::operationCallEval): Eliminated the explicit setting of caller frame
701         as that is now done in the code generated by compileCallEval().
702
703 2014-09-03  Filip Pizlo  <fpizlo@apple.com>
704
705         Beef up the DFG's CFG analyses to include iterated dominance frontiers and more user-friendly BlockSets
706         https://bugs.webkit.org/show_bug.cgi?id=136520
707
708         Reviewed by Geoffrey Garen.
709         
710         Add code to compute iterated dominance frontiers. This involves using BlockSet a lot, so
711         this patch also makes BlockSet a lot more user-friendly.
712
713         * CMakeLists.txt:
714         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
715         * JavaScriptCore.xcodeproj/project.pbxproj:
716         * dfg/DFGBasicBlock.h:
717         * dfg/DFGBlockSet.cpp: Added.
718         (JSC::DFG::BlockSet::dump):
719         * dfg/DFGBlockSet.h:
720         (JSC::DFG::BlockSet::iterator::iterator):
721         (JSC::DFG::BlockSet::iterator::operator++):
722         (JSC::DFG::BlockSet::iterator::operator==):
723         (JSC::DFG::BlockSet::iterator::operator!=):
724         (JSC::DFG::BlockSet::Iterable::Iterable):
725         (JSC::DFG::BlockSet::Iterable::begin):
726         (JSC::DFG::BlockSet::Iterable::end):
727         (JSC::DFG::BlockSet::iterable):
728         (JSC::DFG::BlockAdder::BlockAdder):
729         (JSC::DFG::BlockAdder::operator()):
730         * dfg/DFGBlockSetInlines.h: Added.
731         (JSC::DFG::BlockSet::iterator::operator*):
732         * dfg/DFGDominators.cpp:
733         (JSC::DFG::Dominators::strictDominatorsOf):
734         (JSC::DFG::Dominators::dominatorsOf):
735         (JSC::DFG::Dominators::blocksStrictlyDominatedBy):
736         (JSC::DFG::Dominators::blocksDominatedBy):
737         (JSC::DFG::Dominators::dominanceFrontierOf):
738         (JSC::DFG::Dominators::iteratedDominanceFrontierOf):
739         * dfg/DFGDominators.h:
740         (JSC::DFG::Dominators::forAllStrictDominatorsOf):
741         (JSC::DFG::Dominators::forAllDominatorsOf):
742         (JSC::DFG::Dominators::forAllBlocksStrictlyDominatedBy):
743         (JSC::DFG::Dominators::forAllBlocksDominatedBy):
744         (JSC::DFG::Dominators::forAllBlocksInDominanceFrontierOf):
745         (JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOf):
746         (JSC::DFG::Dominators::forAllBlocksInDominanceFrontierOfImpl):
747         (JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOfImpl):
748         * dfg/DFGGraph.cpp:
749         (JSC::DFG::Graph::dumpBlockHeader):
750         * dfg/DFGInvalidationPointInjectionPhase.cpp:
751         (JSC::DFG::InvalidationPointInjectionPhase::run):
752
753 2014-09-04  Mark Lam  <mark.lam@apple.com>
754
755         Fixed indentations and some style warnings in JavaScriptCore/runtime.
756         <https://webkit.org/b/136518>
757
758         Reviewed by Michael Saboff.
759
760         Also removed some superfluous spaces.  There are no semantic changes.
761
762         * runtime/Completion.h:
763         * runtime/ConstructData.h:
764         * runtime/DateConstructor.h:
765         * runtime/DateInstance.h:
766         * runtime/DateInstanceCache.h:
767         * runtime/DatePrototype.h:
768         * runtime/Error.h:
769         * runtime/ErrorConstructor.h:
770         * runtime/ErrorInstance.h:
771         * runtime/ErrorPrototype.h:
772         * runtime/FunctionConstructor.h:
773         * runtime/FunctionPrototype.h:
774         * runtime/GetterSetter.h:
775         * runtime/Identifier.h:
776         * runtime/InitializeThreading.h:
777         * runtime/InternalFunction.h:
778         * runtime/JSAPIValueWrapper.h:
779         * runtime/JSFunction.h:
780         * runtime/JSLock.h:
781         * runtime/JSNotAnObject.h:
782         * runtime/JSONObject.h:
783         * runtime/JSString.h:
784         * runtime/JSTypeInfo.h:
785         * runtime/JSWrapperObject.h:
786         * runtime/Lookup.h:
787         * runtime/MathObject.h:
788         * runtime/NativeErrorConstructor.h:
789         * runtime/NativeErrorPrototype.h:
790         * runtime/NumberConstructor.h:
791         * runtime/NumberObject.h:
792         * runtime/NumberPrototype.h:
793         * runtime/NumericStrings.h:
794         * runtime/ObjectConstructor.h:
795         * runtime/ObjectPrototype.h:
796         * runtime/PropertyDescriptor.h:
797         * runtime/Protect.h:
798         * runtime/PutPropertySlot.h:
799         * runtime/RegExp.h:
800         * runtime/RegExpCachedResult.h:
801         * runtime/RegExpConstructor.h:
802         * runtime/RegExpMatchesArray.h:
803         * runtime/RegExpObject.h:
804         * runtime/RegExpPrototype.h:
805         * runtime/SmallStrings.h:
806         * runtime/StringConstructor.h:
807         * runtime/StringObject.h:
808         * runtime/StringPrototype.h:
809         * runtime/StructureChain.h:
810         * runtime/VM.h:
811
812 2014-09-04  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>
813
814         Remove CSS_FILTERS flag
815         https://bugs.webkit.org/show_bug.cgi?id=136529
816
817         Reviewed by Dirk Schulze.
818
819         * Configurations/FeatureDefines.xcconfig:
820
821 2014-09-04  Commit Queue  <commit-queue@webkit.org>
822
823         Unreviewed, rolling out r173248.
824         https://bugs.webkit.org/show_bug.cgi?id=136536
825
826         call edge profiling and polymorphic call inlining are still
827         causing crashes (Requested by eric_carlson on #webkit).
828
829         Reverted changeset:
830
831         "Reenable call edge profiling and polymorphic call inlining,
832         now that a bunch of the bugs"
833         http://trac.webkit.org/changeset/173248
834
835 2014-09-04  Brian J. Burg  <burg@cs.washington.edu>
836
837         Web Inspector: the profiler should not accrue time to nodes while the debugger is paused
838         https://bugs.webkit.org/show_bug.cgi?id=136352
839
840         Reviewed by Timothy Hatcher.
841
842         Hook up pause/continue events to the LegacyProfiler and any active
843         ProfilerGenerators. If the debugger is paused, all intervening call
844         entries will be created with totalTime as 0.0.
845
846         * inspector/ScriptDebugServer.cpp:
847         (Inspector::ScriptDebugServer::handlePause):
848         * profiler/LegacyProfiler.cpp: Move from typedef'd callbacks to using
849         std::function. This allows callbacks to take different argument types.
850
851         (JSC::callFunctionForProfilesWithGroup):
852         (JSC::LegacyProfiler::willExecute):
853         (JSC::LegacyProfiler::didExecute):
854         (JSC::LegacyProfiler::exceptionUnwind):
855         (JSC::LegacyProfiler::didPause):
856         (JSC::LegacyProfiler::didContinue):
857         (JSC::dispatchFunctionToProfiles): Deleted.
858         * profiler/LegacyProfiler.h:
859         * profiler/ProfileGenerator.cpp:
860         (JSC::ProfileGenerator::ProfileGenerator):
861         (JSC::ProfileGenerator::endCallEntry):
862         (JSC::ProfileGenerator::didExecute): Deleted.
863         * profiler/ProfileGenerator.h:
864         (JSC::ProfileGenerator::didPause):
865         (JSC::ProfileGenerator::didContinue):
866
867 2014-09-04  Commit Queue  <commit-queue@webkit.org>
868
869         Unreviewed, rolling out r173245.
870         https://bugs.webkit.org/show_bug.cgi?id=136533
871
872         Broke JSC tests. (Requested by ddkilzer on #webkit).
873
874         Reverted changeset:
875
876         "JavaScriptCore should build with newer clang"
877         https://bugs.webkit.org/show_bug.cgi?id=136002
878         http://trac.webkit.org/changeset/173245
879
880 2014-09-04  Brian J. Burg  <burg@cs.washington.edu>
881
882         LegacyProfiler: ProfileNodes should be used more like structs
883         https://bugs.webkit.org/show_bug.cgi?id=136381
884
885         Reviewed by Timothy Hatcher.
886
887         Previously, both the profile generator and individual profile nodes
888         were collectively responsible for creating new Call entries and
889         maintaining data structure invariants. This complexity is unnecessary.
890
891         This patch centralizes profile data creation inside the profile generator.
892         The profile nodes manage nextSibling and parent pointers, but do not
893         collect the current time or create new Call entries themselves.
894
895         Since ProfileNode::nextSibling and its callers are only used within
896         debug printing code, it should be compiled out for release builds.
897
898         * profiler/ProfileGenerator.cpp:
899         (JSC::ProfileGenerator::ProfileGenerator):
900         (JSC::AddParentForConsoleStartFunctor::operator()):
901         (JSC::ProfileGenerator::beginCallEntry): create a new Call entry.
902         (JSC::ProfileGenerator::endCallEntry): finish the last Call entry.
903         (JSC::ProfileGenerator::willExecute): inline ProfileNode::willExecute()
904         (JSC::ProfileGenerator::didExecute): inline ProfileNode::didExecute()
905         (JSC::ProfileGenerator::stopProfiling): Only walk up the spine.
906         (JSC::ProfileGenerator::removeProfileStart):
907         (JSC::ProfileGenerator::removeProfileEnd):
908         * profiler/ProfileGenerator.h:
909         * profiler/ProfileNode.cpp:
910         (JSC::ProfileNode::ProfileNode):
911         (JSC::ProfileNode::addChild):
912         (JSC::ProfileNode::removeChild):
913         (JSC::ProfileNode::spliceNode): Renamed from insertNode.
914         (JSC::ProfileNode::debugPrintRecursively):
915         (JSC::ProfileNode::willExecute): Deleted.
916         (JSC::ProfileNode::insertNode): Deleted.
917         (JSC::ProfileNode::stopProfiling): Deleted.
918         (JSC::ProfileNode::traverseNextNodePostOrder):
919         (JSC::ProfileNode::endAndRecordCall): Deleted.
920         (JSC::ProfileNode::debugPrintDataSampleStyle):
921         * profiler/ProfileNode.h:
922         (JSC::ProfileNode::Call::setStartTime):
923         (JSC::ProfileNode::Call::setTotalTime):
924         (JSC::ProfileNode::appendCall):
925         (JSC::ProfileNode::firstChild):
926         (JSC::ProfileNode::lastChild):
927         (JSC::ProfileNode::nextSibling):
928         (JSC::ProfileNode::setNextSibling):
929
930 2014-09-02  Brian J. Burg  <burg@cs.washington.edu>
931
932         Web Inspector: fix prefixes for subclasses of JSC::ConsoleClient
933         https://bugs.webkit.org/show_bug.cgi?id=136476
934
935         Reviewed by Timothy Hatcher.
936
937         * CMakeLists.txt:
938         * JavaScriptCore.xcodeproj/project.pbxproj:
939         * inspector/JSGlobalObjectConsoleClient.cpp: Renamed from Source/JavaScriptCore/inspector/JSConsoleClient.cpp.
940         * inspector/JSGlobalObjectConsoleClient.h: Renamed from Source/JavaScriptCore/inspector/JSConsoleClient.h.
941         * inspector/JSGlobalObjectInspectorController.cpp:
942         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
943         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
944         * inspector/JSGlobalObjectInspectorController.h:
945
946 2014-09-03  Filip Pizlo  <fpizlo@apple.com>
947
948         Reenable call edge profiling and polymorphic call inlining, now that a bunch of the bugs
949         are fixed.
950
951         * runtime/Options.h:
952
953 2014-09-03  David Kilzer  <ddkilzer@apple.com>
954
955         JavaScriptCore should build with newer clang
956         <http://webkit.org/b/136002>
957         <rdar://problem/18020616>
958
959         Reviewed by Geoffrey Garen.
960
961         Other than the JSC::SourceProvider::asID() change (which simply
962         removes code that the optimizing compiler would have discarded
963         in Release builds), we move the |this| checks in OpaqueJSString
964         to NULL checks in JSBase, JSScriptRef, JSStringRef{CF} and
965         JSValueRef.
966
967         * API/JSBase.cpp:
968         (JSEvaluateScript): Use String() in case |script| or |sourceURL|
969         are NULL.
970         * API/JSScriptRef.cpp:
971         (JSScriptCreateReferencingImmortalASCIIText): Use String() in
972         case |url| is NULL.
973         * API/JSStringRef.cpp:
974         (JSStringGetLength): Return early if NULL pointer is passed in.
975         (JSStringGetCharactersPtr): Ditto.
976         (JSStringGetUTF8CString): Ditto.  Also check |buffer| parameter.
977         * API/JSStringRefCF.cpp:
978         (JSStringCopyCFString): Ditto.
979         * API/JSValueRef.cpp:
980         (JSValueMakeString): Use String() in case |string| is NULL.
981
982         * API/OpaqueJSString.cpp:
983         (OpaqueJSString::string): Remove code that checks |this|.
984         (OpaqueJSString::identifier): Ditto.
985         (OpaqueJSString::characters): Ditto.
986         * API/OpaqueJSString.h:
987         (OpaqueJSString::is8Bit): Remove code that checks |this|.
988         (OpaqueJSString::characters8): Ditto.
989         (OpaqueJSString::characters16): Ditto.
990         (OpaqueJSString::length): Ditto.
991
992         * parser/SourceProvider.h:
993         (JSC::SourceProvider::asID): Remove code that checks |this|.
994
995 2014-09-03  Filip Pizlo  <fpizlo@apple.com>
996
997         CallEdgeProfile::visitWeak() shouldn't attempt to despecify empty profiles
998         https://bugs.webkit.org/show_bug.cgi?id=136511
999
1000         Reviewed by Geoffrey Garen.
1001
1002         * bytecode/CallEdgeProfile.cpp:
1003         (JSC::CallEdgeProfile::worthDespecifying):
1004         (JSC::CallEdgeProfile::visitWeak):
1005         (JSC::CallEdgeProfile::mergeBack):
1006
1007 2014-09-03  David Kilzer  <ddkilzer@apple.com>
1008
1009         REGRESSION (r167325): (null) entry added to Xcode project file when JSBoundFunction.h was removed
1010         <http://webkit.org/b/136509>
1011
1012         Reviewed by Daniel Bates.
1013
1014         * JavaScriptCore.xcodeproj/project.pbxproj: Remove the (null)
1015         entry left behind when JSBoundFunction.h was removed.
1016
1017 2014-09-03  Joseph Pecoraro  <pecoraro@apple.com>
1018
1019         Avoid warning if a process does not have access to com.apple.webinspector
1020         https://bugs.webkit.org/show_bug.cgi?id=136473
1021
1022         Reviewed by Alexey Proskuryakov.
1023
1024         Pre-check for access to the mach port to avoid emitting warnings
1025         in syslog for processes that do not have access.
1026
1027         * inspector/remote/RemoteInspector.mm:
1028         (Inspector::canAccessWebInspectorMachPort):
1029         (Inspector::RemoteInspector::shared):
1030
1031 2014-09-03  Filip Pizlo  <fpizlo@apple.com>
1032
1033         Temporarily disable call edge profiling. It is causing crashes and I'm still investigating
1034         them.
1035
1036         * runtime/Options.h:
1037
1038 2014-09-03  Balazs Kilvady  <kilvadyb@homejinni.com>
1039
1040         [MIPS] Wrong register usage in LLInt op_catch.
1041         https://bugs.webkit.org/show_bug.cgi?id=125168
1042
1043         Reviewed by Geoffrey Garen.
1044
1045         Fix register usage and add PIC header to all the ops in LLInt.
1046
1047         * offlineasm/instructions.rb:
1048         * offlineasm/mips.rb:
1049
1050 2014-09-03  Saam Barati  <saambarati1@gmail.com>
1051
1052         Create tests for type profiling
1053         https://bugs.webkit.org/show_bug.cgi?id=136161
1054
1055         Reviewed by Geoffrey Garen.
1056
1057         The type profiler is now being tested. These are basic tests that don't 
1058         check every edge case, but will catch any major failures in the type profiler. 
1059         These tests cover:
1060         - The basic, inheritance-based type system in TypeSet.
1061         - Function return types.
1062         - Correct merging of types for multiple assignments to one variable.
1063
1064         This patch also provides an API for writing new tests for
1065         the type profiler. The API works by passing in a function and a 
1066         unique substring of an expression contained in that function, and 
1067         returns an object representing type information for that expression.
1068
1069         * jsc.cpp:
1070         (GlobalObject::finishCreation):
1071         (functionFindTypeForExpression):
1072         (functionReturnTypeFor):
1073         * runtime/TypeProfiler.cpp:
1074         (JSC::TypeProfiler::typeInformationForExpressionAtOffset):
1075         * runtime/TypeProfiler.h:
1076         * runtime/TypeProfilerLog.h:
1077         * runtime/TypeSet.cpp:
1078         (JSC::TypeSet::toJSONString):
1079         (JSC::StructureShape::toJSONString):
1080         * runtime/TypeSet.h:
1081         * tests/typeProfiler: Added.
1082         * tests/typeProfiler.yaml: Added.
1083         * tests/typeProfiler/basic.js: Added.
1084         (wrapper.foo):
1085         (wrapper):
1086         * tests/typeProfiler/captured.js: Added.
1087         (wrapper.changeFoo):
1088         (wrapper):
1089         * tests/typeProfiler/driver: Added.
1090         * tests/typeProfiler/driver/driver.js: Added.
1091         (assert):
1092         * tests/typeProfiler/inheritance.js: Added.
1093         (wrapper.A):
1094         (wrapper.B):
1095         (wrapper.C):
1096         (wrapper):
1097         * tests/typeProfiler/return.js: Added.
1098         (foo):
1099         (Ctor):
1100
1101 2014-09-03  Julien Brianceau  <jbriance@cisco.com>
1102
1103         Add missing implementations to fix build for sh4 architecture
1104         https://bugs.webkit.org/show_bug.cgi?id=136455
1105
1106         Reviewed by Geoffrey Garen.
1107
1108         * assembler/MacroAssemblerSH4.h:
1109         (JSC::MacroAssemblerSH4::store8):
1110         (JSC::MacroAssemblerSH4::moveWithPatch):
1111         (JSC::MacroAssemblerSH4::branchAdd32):
1112         (JSC::MacroAssemblerSH4::branch32WithPatch):
1113         (JSC::MacroAssemblerSH4::abortWithReason):
1114         (JSC::MacroAssemblerSH4::canJumpReplacePatchableBranch32WithPatch):
1115         (JSC::MacroAssemblerSH4::startOfPatchableBranch32WithPatchOnAddress):
1116         (JSC::MacroAssemblerSH4::revertJumpReplacementToPatchableBranch32WithPatch):
1117         * jit/AssemblyHelpers.h:
1118         (JSC::AssemblyHelpers::emitFunctionPrologue):
1119         (JSC::AssemblyHelpers::emitFunctionEpilogue):
1120
1121 2014-09-03  Dan Bernstein  <mitz@apple.com>
1122
1123         Get rid of HIGH_DPI_CANVAS leftovers
1124         https://bugs.webkit.org/show_bug.cgi?id=136491
1125
1126         Reviewed by Benjamin Poulain.
1127
1128         * Configurations/FeatureDefines.xcconfig: Removed definition of ENABLE_HIGH_DPI_CANVAS
1129         and removed it from FEATURE_DEFINES.
1130
1131 2014-09-03  Filip Pizlo  <fpizlo@apple.com>
1132
1133         CallEdgeProfile::visitWeak() should gracefully handle the case where primaryCallee duplicates an entry in otherCallees
1134         https://bugs.webkit.org/show_bug.cgi?id=136490
1135
1136         Reviewed by Geoffrey Garen.
1137
1138         * bytecode/CallEdgeProfile.cpp:
1139         (JSC::CallEdgeProfile::visitWeak):
1140
1141 2014-09-03  Filip Pizlo  <fpizlo@apple.com>
1142
1143         FTL In implementation sets callReturnLocation incorrectly leading to crashes beneath repatchCall()
1144         https://bugs.webkit.org/show_bug.cgi?id=136488
1145
1146         Reviewed by Mark Hahnenberg.
1147
1148         * ftl/FTLCompile.cpp:
1149         (JSC::FTL::generateCheckInICFastPath): The call is in the slow path.
1150         * tests/stress/ftl-in-overflow.js: Added. This used to crash with 100% with FTL enabled.
1151         (foo):
1152
1153 2014-09-03  Akos Kiss  <akiss@inf.u-szeged.hu>
1154
1155         Don't generate superfluous mov instructions for move immediate on ARM64.
1156         https://bugs.webkit.org/show_bug.cgi?id=136435
1157
1158         Reviewed by Michael Saboff.
1159
1160         On ARM64, the size of an immediate operand for a mov instruction is 16
1161         bits. Thus, a move immediate offlineasm instruction may potentially be
1162         split up to several machine level instructions. The current
1163         implementation always emits a mov for the least significant 16 bits of
1164         the value. However, if any of the bits 63:16 are significant then the
1165         first emitted mov already filled bits 15:0 with zeroes (or ones, for
1166         negative values). So, if bits 15:0 of the value are all zeroes (or ones)
1167         then the last mov does not need to be emitted.
1168
1169         * offlineasm/arm64.rb:
1170
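The lowering described in the entry above, as an added illustration written for this page (it is not offlineasm's own arm64.rb; the register name and the helper names are assumed): a 64-bit immediate is split into 16-bit movz/movn/movk pieces, a flag switches between always writing bits 15:0 and dropping that write when the first mov already filled them, and a small register model checks that both sequences load the same value.

```ruby
# Added illustration, not offlineasm's own arm64.rb: split a 64-bit
# immediate into 16-bit movz/movn/movk pieces as the entry above
# describes, and show why the write of bits 15:0 can be skipped.
MASK64 = 0xffff_ffff_ffff_ffff

# Returns the instruction strings that load +value+ into register +reg+
# (the register name is an assumed placeholder). A negative value starts
# with movn (fills every other chunk with ones), otherwise movz (fills
# with zeroes); later chunks are patched in with movk. With
# skip_redundant_low_mov: false the bits 15:0 chunk is always written,
# which is the behaviour the entry above removes.
def emit_move_immediate(value, reg, skip_redundant_low_mov: true)
  raise ArgumentError, "not a 64-bit value" unless value.between?(-(2**63), 2**64 - 1)
  negative = value < 0
  filler = negative ? 0xffff : 0 # what the first mov leaves in untouched chunks
  insns = []
  first = true
  [48, 32, 16, 0].each do |shift|
    chunk = (value >> shift) & 0xffff
    if chunk == filler
      # A chunk equal to the filler is already correct once the first mov
      # has run. It still has to be written when it would be the only
      # instruction (value is 0 or -1), or when emulating the old code
      # that always wrote the low chunk.
      needed = shift == 0 && (first || !skip_redundant_low_mov)
      next unless needed
    end
    if first
      # movn Xd, #imm, lsl #sh loads ~(imm << sh), so invert the chunk.
      op, imm = negative ? ["movn", (~chunk) & 0xffff] : ["movz", chunk]
      insns << "#{op} #{reg}, ##{imm}, lsl ##{shift}"
      first = false
    else
      insns << "movk #{reg}, ##{chunk}, lsl ##{shift}"
    end
  end
  insns
end

# Runs a sequence on a 64-bit register model so that the shorter and the
# longer variant can be checked to load the same value.
def simulate(insns)
  reg = 0
  insns.each do |insn|
    m = insn.match(/\A(movz|movn|movk) \w+, #(\d+), lsl #(\d+)\z/)
    raise "unexpected instruction: #{insn}" unless m
    op, imm, shift = m[1], m[2].to_i, m[3].to_i
    reg = case op
          when "movz" then (imm << shift) & MASK64
          when "movn" then ~(imm << shift) & MASK64
          else (reg & ~(0xffff << shift) & MASK64) | (imm << shift) # movk keeps the other bits
          end
  end
  reg
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample immediates: low 16 bits all zeroes, all ones, and a
  # fully populated 64-bit value.
  [0x12340000, -0x12340001, 0x123456789abc0000].each do |v|
    old_seq = emit_move_immediate(v, "x0", skip_redundant_low_mov: false)
    new_seq = emit_move_immediate(v, "x0")
    puts "#{v.to_s(16)}: #{old_seq.size} -> #{new_seq.size} instructions, " \
         "same result: #{simulate(old_seq) == simulate(new_seq)}"
  end
end
```
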
1171 2014-09-02  Brian J. Burg  <burg@cs.washington.edu>
1172
1173         LegacyProfiler: remove redundant ProfileNode members and other cleanup
1174         https://bugs.webkit.org/show_bug.cgi?id=136380
1175
1176         Reviewed by Timothy Hatcher.
1177
1178         ProfileNode's selfTime and totalTime members are redundant and only used
1179         for dumping profile data from debug-only code. Remove the members and compute
1180         the same data on-demand when necessary using a postorder traversal functor.
1181
1182         Remove ProfileNode.head since it is only used to calculate percentages for
1183         dumped profile data. This can be explicitly passed around when needed.
1184
1185         Rename Profile.head to Profile.rootNode, and other various renamings.
1186
1187         Rearrange some header includes so that touching LegacyProfiler-related headers
1188         will no longer cause a full rebuild.
1189
1190         * inspector/JSConsoleClient.cpp: Add header include.
1191         * inspector/agents/InspectorProfilerAgent.cpp:
1192         (Inspector::InspectorProfilerAgent::buildProfileInspectorObject):
1193         * inspector/protocol/Profiler.json: Remove unused Profile.idleTime member.
1194         * jit/JIT.h: Remove header include.
1195         * jit/JITCode.h: Remove header include.
1196         * jit/JITOperations.cpp: Sort and add header include.
1197         * llint/LLIntSlowPaths.cpp: Sort and add header include.
1198         * profiler/Profile.cpp: Rename the debug dumping functions. Move the node
1199         postorder traversal code to ProfileNode so we can traverse any subtree.
1200         (JSC::Profile::Profile):
1201         (JSC::Profile::debugPrint):
1202         (JSC::Profile::debugPrintSampleStyle):
1203         (JSC::Profile::forEach): Deleted.
1204         (JSC::Profile::debugPrintData): Deleted.
1205         (JSC::Profile::debugPrintDataSampleStyle): Deleted.
1206         * profiler/Profile.h:
1207         * profiler/ProfileGenerator.cpp:
1208         (JSC::ProfileGenerator::ProfileGenerator):
1209         (JSC::AddParentForConsoleStartFunctor::AddParentForConsoleStartFunctor):
1210         (JSC::AddParentForConsoleStartFunctor::operator()):
1211         (JSC::ProfileGenerator::addParentForConsoleStart):
1212         (JSC::ProfileGenerator::didExecute):
1213         (JSC::StopProfilingFunctor::operator()):
1214         (JSC::ProfileGenerator::stopProfiling):
1215         (JSC::ProfileGenerator::removeProfileStart):
1216         (JSC::ProfileGenerator::removeProfileEnd):
1217         * profiler/ProfileGenerator.h:
1218         * profiler/ProfileNode.cpp:
1219         (JSC::ProfileNode::ProfileNode):
1220         (JSC::ProfileNode::willExecute):
1221         (JSC::ProfileNode::removeChild):
1222         (JSC::ProfileNode::stopProfiling):
1223         (JSC::ProfileNode::endAndRecordCall):
1224         (JSC::ProfileNode::debugPrint):
1225         (JSC::ProfileNode::debugPrintSampleStyle):
1226         (JSC::ProfileNode::debugPrintRecursively):
1227         (JSC::ProfileNode::debugPrintSampleStyleRecursively):
1228         (JSC::ProfileNode::debugPrintData): Deleted.
1229         (JSC::ProfileNode::debugPrintDataSampleStyle): Deleted.
1230         * profiler/ProfileNode.h: Calculate per-node self and total times using a postorder traversal.
1231         The forEachNodePostorder functor traverses the subtree rooted at |this|.
1232         (JSC::ProfileNode::create):
1233         (JSC::ProfileNode::calls):
1234         (JSC::ProfileNode::forEachNodePostorder):
1235         (JSC::CalculateProfileSubtreeDataFunctor::returnValue):
1236         (JSC::CalculateProfileSubtreeDataFunctor::operator()):
1237         (JSC::ProfileNode::head): Deleted.
1238         (JSC::ProfileNode::setHead): Deleted.
1239         (JSC::ProfileNode::totalTime): Deleted.
1240         (JSC::ProfileNode::setTotalTime): Deleted.
1241         (JSC::ProfileNode::selfTime): Deleted.
1242         (JSC::ProfileNode::setSelfTime): Deleted.
1243         (JSC::ProfileNode::totalPercent): Deleted.
1244         (JSC::ProfileNode::selfPercent): Deleted.
1245         * runtime/ConsoleClient.h: Remove header include.
1246
1247 2014-09-02  Brian J. Burg  <burg@cs.washington.edu>
1248
1249         Web Inspector: remove ProfilerAgent and legacy profiler files in the frontend
1250         https://bugs.webkit.org/show_bug.cgi?id=136462
1251
1252         Reviewed by Timothy Hatcher.
1253
1254         It's not used by the frontend anymore.
1255
1256         * CMakeLists.txt:
1257         * DerivedSources.make:
1258         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1259         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1260         * JavaScriptCore.xcodeproj/project.pbxproj:
1261
1262         * inspector/JSConsoleClient.cpp:
1263         (Inspector::JSConsoleClient::JSConsoleClient): Stub out console.profile/profileEnd
1264         methods since they didn't work for JSContexts anyway.
1265         (Inspector::JSConsoleClient::profile):
1266         (Inspector::JSConsoleClient::profileEnd):
1267         * inspector/JSConsoleClient.h:
1268
1269         * inspector/JSGlobalObjectInspectorController.cpp:
1270         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1271         * inspector/agents/InspectorProfilerAgent.cpp: Removed.
1272         * inspector/agents/InspectorProfilerAgent.h: Removed.
1273         * inspector/agents/JSGlobalObjectProfilerAgent.cpp: Removed.
1274         * inspector/agents/JSGlobalObjectProfilerAgent.h: Removed.
1275         * inspector/protocol/Profiler.json: Removed.
1276
1277 2014-09-02  Andreas Kling  <akling@apple.com>
1278
1279         Optimize own property GetByVals with rope string subscripts.
1280         <https://webkit.org/b/136458>
1281
1282         For simple JSObjects that don't override getOwnPropertySlot to implement
1283         custom properties, we have a fast path that grabs directly at the object
1284         property storage.
1285
1286         Make this fast path even faster when the property name is an unresolved
1287         rope string by using JSString::toExistingAtomicString(). This is faster
1288         because it avoids allocating a new StringImpl if the string is already
1289         a known Identifier, which is guaranteed to be the case if it's present
1290         as an own property on the object.
1291
1292         ~10% speed-up on Dromaeo/dom-attr.html
1293
1294         Reviewed by Geoffrey Garen.
1295
1296         * dfg/DFGOperations.cpp:
1297         * jit/JITOperations.cpp:
1298         (JSC::getByVal):
1299         * llint/LLIntSlowPaths.cpp:
1300         (JSC::LLInt::getByVal):
1301
1302             When using the fastGetOwnProperty() optimization, get the String
1303             out of JSString by using toExistingAtomicString(). This avoids
1304             StringImpl allocation and lets us bypass the PropertyTable lookup
1305             entirely if no AtomicString is found.
1306
1307         * runtime/JSCell.h:
1308         * runtime/JSCellInlines.h:
1309         (JSC::JSCell::fastGetOwnProperty):
1310
1311             Make fastGetOwnProperty() take a PropertyName instead of a String.
1312             This avoids churning the ref count, since we don't need to create
1313             a temporary wrapper around the AtomicStringImpl* found in GetByVal.
1314
1315         * runtime/PropertyName.h:
1316         (JSC::PropertyName::PropertyName):
1317
1318             Add constructor: PropertyName(AtomicStringImpl*)
1319
1320         * runtime/PropertyMapHashTable.h:
1321         (JSC::PropertyTable::get):
1322         (JSC::PropertyTable::findWithString): Deleted.
1323         * runtime/Structure.h:
1324         * runtime/StructureInlines.h:
1325         (JSC::Structure::get):
1326
1327             Remove code for querying a PropertyTable with an unhashed string key
1328             since the only client is now gone.
1329
1330 2014-09-02  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>
1331
1332         [ARM] MacroAssembler generating incorrect code on ARM32 Traditional
1333         https://bugs.webkit.org/show_bug.cgi?id=136429
1334
1335         Reviewed by Csaba Osztrogonác.
1336
1337         Changed test32 to use tst to check if reg is zero, instead of cmp.
1338
1339         * assembler/MacroAssemblerARM.h:
1340         (JSC::MacroAssemblerARM::test32):
1341
1342 2014-09-02  Michael Saboff  <msaboff@apple.com>
1343
1344         Out of bounds write in vmEntryToJavaScript / JSC::JITCode::execute
1345         https://bugs.webkit.org/show_bug.cgi?id=136305
1346
1347         Reviewed by Filip Pizlo.
1348
1349         While preparing the callee's CallFrame, ProtoCallFrame fixes any arity mismatch
1350         and then JITCode::execute() calls the normal entrypoint.  This is incompatible
1351         with the expectation of FTL generated functions.  Changed ProtoCallFrame to not
1352         perform the arity fix, but just flag an arity mismatch.  Now JITCode::execute()
1353         uses that arity mismatch condition to select the normal or arity check
1354         entrypoint.  The entrypoint selection is only done for functions; programs
1355         and eval always have one parameter.
1356
1357         * interpreter/ProtoCallFrame.cpp:
1358         (JSC::ProtoCallFrame::init): Changed to flag arity mismatch instead of fixing it.
1359         * interpreter/ProtoCallFrame.h:
1360         (JSC::ProtoCallFrame::needArityCheck): New boolean to signify what entrypoint
1361         should be called.
1362         * jit/JITCode.cpp:
1363         (JSC::JITCode::execute): Select normal or arity check entrypoint as appropriate.
1364
1365 2014-09-02  peavo@outlook.com  <peavo@outlook.com>
1366
1367         [WinCairo] testapi.exe is not built.
1368         https://bugs.webkit.org/show_bug.cgi?id=136369
1369
1370         Reviewed by Alex Christensen.
1371
1372         The testapi project should be of type Application.
1373
1374         * JavaScriptCore.vcxproj/jsc/jscLauncher.vcxproj: Change project type to Application.
1375         * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncher.vcxproj: Ditto.
1376         * JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props: Compile and link fix.
1377         * JavaScriptCore.vcxproj/testapi/testapiLauncher.vcxproj: Change project type to Application.
1378
1379 2014-09-01  Akos Kiss  <akiss@inf.u-szeged.hu>
1380
1381         [CMAKE] Add missing offlineasm dependencies
1382         https://bugs.webkit.org/show_bug.cgi?id=136437
1383
1384         Reviewed by Csaba Osztrogonác.
1385
1386         Add the ARM64, MIPS and SH4 backends to the dependencies.
1387
1388         * CMakeLists.txt:
1389
1390 2014-09-01  Brian J. Burg  <burg@cs.washington.edu>
1391
1392         Provide column numbers to DTrace willExecute/didExecute probes
1393         https://bugs.webkit.org/show_bug.cgi?id=136434
1394
1395         Reviewed by Antti Koivisto.
1396
1397         Provide the columnNumber and update stubs for !HAVE(DTRACE).
1398
1399         * profiler/ProfileGenerator.cpp:
1400         (JSC::ProfileGenerator::willExecute):
1401         (JSC::ProfileGenerator::didExecute):
1402         * runtime/Tracing.d:
1403         * runtime/Tracing.h:
1404
1405 2014-09-01  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
1406
1407         [CMAKE] Build warning by INTERFACE_LINK_LIBRARIES
1408         https://bugs.webkit.org/show_bug.cgi?id=136194
1409
1410         Reviewed by Csaba Osztrogonác.
1411
1412         Set the LINK_INTERFACE_LIBRARIES target property on the top level CMakeLists.txt.
1413
1414         * CMakeLists.txt:
1415
1416 2014-08-26  Maciej Stachowiak  <mjs@apple.com>
1417
1418         Use RetainPtr::autorelease in some places where it seems appropriate
1419         https://bugs.webkit.org/show_bug.cgi?id=136280
1420
1421         Reviewed by Darin Adler.
1422
1423         * API/JSContext.mm:
1424         (-[JSContext name]): Use RetainPtr::autorelease() in place of ObjC autorelease.
1425         * API/JSValue.mm:
1426         (valueToString): Make appropriate use of RetainPtr.
1427
1428 2014-08-29  Akos Kiss  <akiss@inf.u-szeged.hu>
1429
1430         Ensure that the call frame passed from doVMEntry to the called function always contains the valid scope chain.
1431         https://bugs.webkit.org/show_bug.cgi?id=136391
1432
1433         Reviewed by Michael Saboff.
1434
1435         Do not rely on calling conventions to fill in the CallerFrame component
1436         of the ExecState* parameter of the called function.
1437
1438         * llint/LowLevelInterpreter32_64.asm:
1439         * llint/LowLevelInterpreter64.asm:
1440
1441 2014-08-29  Saam Barati  <sbarati@apple.com>
1442
1443         emit op_profile_type for deconstruction assignments
1444         https://bugs.webkit.org/show_bug.cgi?id=136274
1445
1446         Reviewed by Filip Pizlo.
1447
1448         Enable type profiling for ES6 deconstruction expressions.
1449
1450         * bytecompiler/NodesCodegen.cpp:
1451         (JSC::BindingNode::bindValue):
1452
1453 2014-08-29  Joseph Pecoraro  <pecoraro@apple.com>
1454
1455         JavaScriptCore: Use ASCIILiteral where possible
1456         https://bugs.webkit.org/show_bug.cgi?id=136179
1457
1458         Reviewed by Michael Saboff.
1459
1460         General string / character related changes. Use ASCIILiteral where
1461         possible, jsNontrivialString where possible, and replace string
1462         literals with character literals in some places.
1463
1464         No new tests, no changes to functionality.
1465
1466         * bytecode/CodeBlock.cpp:
1467         (JSC::CodeBlock::nameForRegister):
1468         * bytecompiler/NodesCodegen.cpp:
1469         (JSC::PostfixNode::emitBytecode):
1470         (JSC::PrefixNode::emitBytecode):
1471         (JSC::AssignErrorNode::emitBytecode):
1472         (JSC::ForInNode::emitMultiLoopBytecode):
1473         (JSC::ForOfNode::emitBytecode):
1474         (JSC::ObjectPatternNode::toString):
1475         * dfg/DFGFunctionWhitelist.cpp:
1476         (JSC::DFG::FunctionWhitelist::contains):
1477         * dfg/DFGOperations.cpp:
1478         (JSC::DFG::newTypedArrayWithSize):
1479         (JSC::DFG::newTypedArrayWithOneArgument):
1480         * inspector/ConsoleMessage.cpp:
1481         (Inspector::ConsoleMessage::addToFrontend):
1482         * inspector/InspectorBackendDispatcher.cpp:
1483         (Inspector::InspectorBackendDispatcher::dispatch):
1484         * inspector/ScriptCallStackFactory.cpp:
1485         (Inspector::extractSourceInformationFromException):
1486         * inspector/scripts/codegen/generator_templates.py:
1487         * interpreter/StackVisitor.cpp:
1488         (JSC::StackVisitor::Frame::functionName):
1489         (JSC::StackVisitor::Frame::sourceURL):
1490         * jit/JITOperations.cpp:
1491         * jsc.cpp:
1492         (functionDescribeArray):
1493         (functionRun):
1494         (functionLoad):
1495         (functionReadFile):
1496         (functionCheckSyntax):
1497         (functionTransferArrayBuffer):
1498         (runWithScripts):
1499         (runInteractive):
1500         * parser/Lexer.cpp:
1501         (JSC::Lexer<T>::invalidCharacterMessage):
1502         (JSC::Lexer<T>::parseString):
1503         (JSC::Lexer<T>::parseStringSlowCase):
1504         (JSC::Lexer<T>::lex):
1505         * profiler/Profile.cpp:
1506         (JSC::Profile::Profile):
1507         * runtime/Arguments.cpp:
1508         (JSC::argumentsFuncIterator):
1509         * runtime/ArrayPrototype.cpp:
1510         (JSC::performSlowSort):
1511         (JSC::arrayProtoFuncSort):
1512         * runtime/ExceptionHelpers.cpp:
1513         (JSC::createError):
1514         (JSC::createInvalidParameterError):
1515         (JSC::createNotAConstructorError):
1516         (JSC::createNotAFunctionError):
1517         (JSC::createNotAnObjectError):
1518         (JSC::createErrorForInvalidGlobalAssignment):
1519         * runtime/FunctionPrototype.cpp:
1520         (JSC::insertSemicolonIfNeeded):
1521         * runtime/JSArray.cpp:
1522         (JSC::JSArray::defineOwnProperty):
1523         (JSC::JSArray::pop):
1524         (JSC::JSArray::push):
1525         * runtime/JSArrayBufferConstructor.cpp:
1526         (JSC::JSArrayBufferConstructor::finishCreation):
1527         * runtime/JSArrayBufferPrototype.cpp:
1528         (JSC::arrayBufferProtoFuncSlice):
1529         * runtime/JSDataView.cpp:
1530         (JSC::JSDataView::create):
1531         * runtime/JSDataViewPrototype.cpp:
1532         (JSC::getData):
1533         (JSC::setData):
1534         * runtime/JSGlobalObject.cpp:
1535         (JSC::JSGlobalObject::reset):
1536         * runtime/JSGlobalObjectFunctions.cpp:
1537         (JSC::globalFuncProtoSetter):
1538         * runtime/JSPromiseConstructor.cpp:
1539         (JSC::JSPromiseConstructor::finishCreation):
1540         * runtime/LiteralParser.cpp:
1541         (JSC::LiteralParser<CharType>::Lexer::lex):
1542         (JSC::LiteralParser<CharType>::Lexer::lexString):
1543         (JSC::LiteralParser<CharType>::parse):
1544         * runtime/LiteralParser.h:
1545         (JSC::LiteralParser::getErrorMessage):
1546         * runtime/TypeSet.cpp:
1547         (JSC::TypeSet::seenTypes):
1548         (JSC::TypeSet::displayName):
1549         (JSC::TypeSet::allPrimitiveTypeNames):
1550         (JSC::StructureShape::propertyHash):
1551         (JSC::StructureShape::stringRepresentation):
1552
1553 2014-08-29  Csaba Osztrogonác  <ossy@webkit.org>
1554
1555         Unreviewed, remove empty directories.
1556
1557         * qt: Removed.
1558
1559 2014-08-28  Mark Lam  <mark.lam@apple.com>
1560
1561         DebuggerCallFrame::scope() should return a DebuggerScope.
1562         <https://webkit.org/b/134420>
1563
1564         Reviewed by Geoffrey Garen.
1565
1566         Rolling back in r170680 with the fix for <https://webkit.org/b/135656>.
1567
1568         Previously, DebuggerCallFrame::scope() returned a JSActivation (and relevant
1569         peers) which the WebInspector would use to introspect CallFrame variables.
1570         Instead, we should be returning a DebuggerScope as an abstraction layer that
1571         provides the introspection functionality that the WebInspector needs.  This
1572         is the first step towards not forcing every frame to have a JSActivation
1573         object just because the debugger is enabled.
1574
1575         1. Instantiate the debuggerScopeStructure as a member of the JSGlobalObject
1576            instead of the VM.  This allows JSObject::globalObject() to be able to
1577            return the global object for the DebuggerScope.
1578
1579         2. On the DebuggerScope's life-cycle management:
1580
1581            The DebuggerCallFrame is designed to be "valid" only during a debugging session
1582            (while the debugger is broken) through the use of a DebuggerCallFrameScope in
1583            Debugger::pauseIfNeeded().  Once the debugger resumes from the break, the
1584            DebuggerCallFrameScope destructs, and the DebuggerCallFrame will be invalidated.
1585            We can't guarantee (from this code alone) that the Inspector code isn't still
1586            holding a ref to the DebuggerCallFrame (though they shouldn't), but by contract,
1587            the frame will be invalidated, and any attempt to query it will return null values.
1588            This is pre-existing behavior.
1589
1590            Now, we're adding the DebuggerScope into the picture.  While a single debugger
1591            pause session is in progress, the Inspector may request the scope from the
1592            DebuggerCallFrame.  While the DebuggerCallFrame is still valid, we want
1593            DebuggerCallFrame::scope() to always return the same DebuggerScope object.
1594            This is why we hold on to the DebuggerScope with a strong ref.
1595
1596            If we use a weak ref instead, the following kooky behavior can manifest:
1597            1. The Inspector calls Debugger::scope() to get the top scope.
1598            2. The Inspector iterates down the scope chain and is now only holding a
1599               reference to a parent scope.  It is no longer referencing the top scope.
1600            3. A GC occurs, and the DebuggerCallFrame's weak m_scope ref to the top scope
1601               gets cleared.
1602            4. The Inspector calls DebuggerCallFrame::scope() to get the top scope again but gets
1603               a different DebuggerScope instance.
1604            5. The Inspector iterates down the scope chain but never sees the parent scope
1605               instance that retained a ref to in step 2 above.  This is because when iterating
1606               this new DebuggerScope instance (which has no knowledge of the previous parent
1607               DebuggerScope instance), a new DebuggerScope instance will get created for the
1608               same parent scope. 
1609
1610            Since the DebuggerScope is a JSObject, its liveness is determined by its reachability.
1611            However, its "validity" is determined by the life-cycle of its owner DebuggerCallFrame.
1612            When the owner DebuggerCallFrame gets invalidated, its debugger scope chain (if
1613            instantiated) will also get invalidated.  This is why we need the
1614            DebuggerScope::invalidateChain() method.  The Inspector should not be using the
1615            DebuggerScope instance after its owner DebuggerCallFrame is invalidated.  If it does,
1616            those methods will do nothing or return a failed status.
1617
1618         Fix for <https://webkit.org/b/135656>:
1619         3. DebuggerScope::getOwnPropertySlot() and DebuggerScope::put() need to set
1620            m_thisValue in the returned slot to the wrapped scope object.  Previously,
1621            it was pointing to the DebuggerScope though the rest of the fields in the
1622            returned slot will be set to data pertaining to the wrapped scope object.
1623
1624         4. DebuggerScope::getOwnPropertySlot() will invoke getPropertySlot() on its
1625            wrapped scope.  This is because JSObject::getPropertySlot() cannot be
1626            overridden, and when called on a DebuggerScope, will not know to look in
1627            the prototype chain of the DebuggerScope's wrapped scope.  Hence, we'll
1628            treat all properties in the wrapped scope as own properties in the
1629            DebuggerScope.  This is fine because the WebInspector does not presently
1630            care about where in the prototype chain the scope property comes from.
1631
1632            Note that the DebuggerScope and the JSActivation objects that it wraps do
1633            not have prototypes.  They are always jsNull().  This works perfectly with
1634            the above change to use getPropertySlot() instead of getOwnPropertySlot().
1635            To make this an explicit invariant, I also changed DebuggerScope::createStructure()
1636            and JSActivation::createStructure() to not take a prototype argument, and
1637            to always use jsNull() for their prototype value.
1638
1639         * debugger/Debugger.h:
1640         * debugger/DebuggerCallFrame.cpp:
1641         (JSC::DebuggerCallFrame::scope):
1642         (JSC::DebuggerCallFrame::evaluate):
1643         (JSC::DebuggerCallFrame::invalidate):
1644         * debugger/DebuggerCallFrame.h:
1645         * debugger/DebuggerScope.cpp:
1646         (JSC::DebuggerScope::DebuggerScope):
1647         (JSC::DebuggerScope::finishCreation):
1648         (JSC::DebuggerScope::visitChildren):
1649         (JSC::DebuggerScope::className):
1650         (JSC::DebuggerScope::getOwnPropertySlot):
1651         (JSC::DebuggerScope::put):
1652         (JSC::DebuggerScope::deleteProperty):
1653         (JSC::DebuggerScope::getOwnPropertyNames):
1654         (JSC::DebuggerScope::defineOwnProperty):
1655         (JSC::DebuggerScope::next):
1656         (JSC::DebuggerScope::invalidateChain):
1657         (JSC::DebuggerScope::isWithScope):
1658         (JSC::DebuggerScope::isGlobalScope):
1659         (JSC::DebuggerScope::isFunctionOrEvalScope):
1660         * debugger/DebuggerScope.h:
1661         (JSC::DebuggerScope::create):
1662         (JSC::DebuggerScope::createStructure):
1663         (JSC::DebuggerScope::iterator::iterator):
1664         (JSC::DebuggerScope::iterator::get):
1665         (JSC::DebuggerScope::iterator::operator++):
1666         (JSC::DebuggerScope::iterator::operator==):
1667         (JSC::DebuggerScope::iterator::operator!=):
1668         (JSC::DebuggerScope::isValid):
1669         (JSC::DebuggerScope::jsScope):
1670         (JSC::DebuggerScope::begin):
1671         (JSC::DebuggerScope::end):
1672         * inspector/JSJavaScriptCallFrame.cpp:
1673         (Inspector::JSJavaScriptCallFrame::scopeType):
1674         (Inspector::JSJavaScriptCallFrame::scopeChain):
1675         * inspector/JavaScriptCallFrame.h:
1676         (Inspector::JavaScriptCallFrame::scopeChain):
1677         * inspector/ScriptDebugServer.cpp:
1678         * runtime/JSActivation.h:
1679         (JSC::JSActivation::createStructure):
1680         * runtime/JSGlobalObject.cpp:
1681         (JSC::JSGlobalObject::reset):
1682         (JSC::JSGlobalObject::visitChildren):
1683         * runtime/JSGlobalObject.h:
1684         (JSC::JSGlobalObject::debuggerScopeStructure):
1685         * runtime/JSObject.cpp:
1686         * runtime/JSObject.h:
1687         (JSC::JSObject::isWithScope):
1688         * runtime/JSScope.h:
1689         * runtime/PropertySlot.h:
1690         (JSC::PropertySlot::setThisValue):
1691         * runtime/PutPropertySlot.h:
1692         (JSC::PutPropertySlot::setThisValue):
1693         * runtime/VM.cpp:
1694         (JSC::VM::VM):
1695         * runtime/VM.h:
1696
1697 2014-08-28  Andreas Kling  <akling@apple.com>
1698
1699         Use JSString::toIdentifier() in more places.
1700         <https://webkit.org/b/136348>
1701
1702         Call sites that grab the WTF::String from a JSString using value() can
1703         use the more efficient toIdentifier() if the string is going to be used
1704         to construct an Identifier.
1705
1706         If the JSString is a rope that resolves to something that is already
1707         present in the VM's Identifier table, using toIdentifier() can avoid
1708         allocating a new StringImpl.
1709
1710         Reviewed by Geoffrey Garen.
1711
1712         * jit/JITOperations.cpp:
1713         * llint/LLIntSlowPaths.cpp:
1714         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1715         * runtime/CommonSlowPaths.cpp:
1716         (JSC::SLOW_PATH_DECL):
1717         * runtime/CommonSlowPaths.h:
1718         (JSC::CommonSlowPaths::opIn):
1719         * runtime/JSONObject.cpp:
1720         (JSC::Stringifier::Stringifier):
1721         * runtime/ObjectConstructor.cpp:
1722         (JSC::objectConstructorGetOwnPropertyDescriptor):
1723         (JSC::objectConstructorDefineProperty):
1724         * runtime/ObjectPrototype.cpp:
1725         (JSC::objectProtoFuncPropertyIsEnumerable):
1726
1727 2014-08-27  Filip Pizlo  <fpizlo@apple.com>
1728
1729         DFG should compute immediate dominators using the O(n log n) form of Lengauer and Tarjan's "A Fast Algorithm for Finding Dominators in a Flowgraph"
1730         https://bugs.webkit.org/show_bug.cgi?id=93361
1731
1732         Reviewed by Mark Hahnenberg.
1733         
1734         This patch also adds some new utilities for reasoning about block-keyed maps, block sets,
1735         and block worklists. It changes preexisting code to use these abstractions.
1736         
1737         The main effect of this code is that all current clients of dominators end up using the
1738         results of the new idom calculation. We convert the dom tree to a dominance test using
1739         Dietz's pre/post number range check trick.
1740
1741         * CMakeLists.txt:
1742         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1743         * JavaScriptCore.xcodeproj/project.pbxproj:
1744         * dfg/DFGAnalysis.h:
1745         (JSC::DFG::Analysis::computeIfNecessary):
1746         (JSC::DFG::Analysis::computeDependencies):
1747         * dfg/DFGBlockMap.h: Added.
1748         (JSC::DFG::BlockMap::BlockMap):
1749         (JSC::DFG::BlockMap::size):
1750         (JSC::DFG::BlockMap::atIndex):
1751         (JSC::DFG::BlockMap::operator[]):
1752         * dfg/DFGBlockMapInlines.h: Added.
1753         (JSC::DFG::BlockMap<T>::BlockMap):
1754         * dfg/DFGBlockSet.h: Added.
1755         (JSC::DFG::BlockSet::BlockSet):
1756         (JSC::DFG::BlockSet::add):
1757         (JSC::DFG::BlockSet::contains):
1758         * dfg/DFGBlockWorklist.cpp: Added.
1759         (JSC::DFG::BlockWorklist::BlockWorklist):
1760         (JSC::DFG::BlockWorklist::~BlockWorklist):
1761         (JSC::DFG::BlockWorklist::push):
1762         (JSC::DFG::BlockWorklist::pop):
1763         (JSC::DFG::PostOrderBlockWorklist::PostOrderBlockWorklist):
1764         (JSC::DFG::PostOrderBlockWorklist::~PostOrderBlockWorklist):
1765         (JSC::DFG::PostOrderBlockWorklist::pushPre):
1766         (JSC::DFG::PostOrderBlockWorklist::pushPost):
1767         (JSC::DFG::PostOrderBlockWorklist::pop):
1768         * dfg/DFGBlockWorklist.h: Added.
1769         (JSC::DFG::BlockWorklist::notEmpty):
1770         (JSC::DFG::BlockWith::BlockWith):
1771         (JSC::DFG::BlockWith::operator UnspecifiedBoolType*):
1772         (JSC::DFG::ExtendedBlockWorklist::ExtendedBlockWorklist):
1773         (JSC::DFG::ExtendedBlockWorklist::forcePush):
1774         (JSC::DFG::ExtendedBlockWorklist::push):
1775         (JSC::DFG::ExtendedBlockWorklist::notEmpty):
1776         (JSC::DFG::ExtendedBlockWorklist::pop):
1777         (JSC::DFG::BlockWithOrder::BlockWithOrder):
1778         (JSC::DFG::BlockWithOrder::operator UnspecifiedBoolType*):
1779         (JSC::DFG::PostOrderBlockWorklist::push):
1780         (JSC::DFG::PostOrderBlockWorklist::notEmpty):
1781         * dfg/DFGCSEPhase.cpp:
1782         * dfg/DFGDominators.cpp:
1783         (JSC::DFG::Dominators::compute):
1784         (JSC::DFG::Dominators::naiveDominates):
1785         (JSC::DFG::Dominators::dump):
1786         (JSC::DFG::Dominators::pruneDominators): Deleted.
1787         * dfg/DFGDominators.h:
1788         (JSC::DFG::Dominators::strictlyDominates):
1789         (JSC::DFG::Dominators::dominates):
1790         (JSC::DFG::Dominators::BlockData::BlockData):
1791         * dfg/DFGGraph.cpp:
1792         (JSC::DFG::Graph::dumpBlockHeader):
1793         (JSC::DFG::Graph::getBlocksInPreOrder):
1794         (JSC::DFG::Graph::getBlocksInPostOrder):
1795         * dfg/DFGInvalidationPointInjectionPhase.cpp:
1796         (JSC::DFG::InvalidationPointInjectionPhase::run):
1797         * dfg/DFGNaiveDominators.cpp: Added.
1798         (JSC::DFG::NaiveDominators::NaiveDominators):
1799         (JSC::DFG::NaiveDominators::~NaiveDominators):
1800         (JSC::DFG::NaiveDominators::compute):
1801         (JSC::DFG::NaiveDominators::pruneDominators):
1802         (JSC::DFG::NaiveDominators::dump):
1803         * dfg/DFGNaiveDominators.h: Added.
1804         (JSC::DFG::NaiveDominators::dominates):
1805         * dfg/DFGNaturalLoops.cpp:
1806         (JSC::DFG::NaturalLoops::computeDependencies):
1807         (JSC::DFG::NaturalLoops::compute):
1808         * dfg/DFGNaturalLoops.h:
1809
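The entry above describes two pieces: computing immediate dominators for the DFG's block graph, and converting the resulting dominator tree into a constant-time dominance test with Dietz's pre/post-number range check (it also keeps a NaiveDominators cross-check around). The following is an added, self-contained C++ example and not WebKit code: it builds a small constructed CFG, computes idoms with the simple iterative algorithm of Cooper, Harvey and Kennedy (a swapped-in technique; the patch uses the O(n log n) Lengauer-Tarjan form), numbers the dominator tree, and checks the range test against a naive definition of dominance on every pair of blocks. The Graph, Dominators, sampleCfg and sampleAgreesWithNaive names are this example's own.

```cpp
// Added example, not WebKit code: immediate dominators for a small constructed CFG, and
// Dietz's pre/post-number range check that turns the dominator tree into an O(1) dominance
// test. Idoms come from the Cooper/Harvey/Kennedy iteration, not Lengauer-Tarjan.
#include <algorithm>
#include <vector>

struct Graph {
    std::vector<std::vector<int>> succ, pred;
    explicit Graph(int n) : succ(n), pred(n) {}
    int size() const { return static_cast<int>(succ.size()); }
    void addEdge(int from, int to) { succ[from].push_back(to); pred[to].push_back(from); }
};
// DFS postorder from b; blocks unreachable from the root are never visited.
static void postOrder(const Graph& g, int b, std::vector<char>& seen, std::vector<int>& out) {
    seen[b] = 1;
    for (int s : g.succ[b]) if (!seen[s]) postOrder(g, s, seen, out);
    out.push_back(b);
}

struct Dominators {
    std::vector<int> idom, preNumber, postNumber; // idom is -1 for root/unreachable blocks
    Dominators(const Graph& g, int root)
        : idom(g.size(), -1), preNumber(g.size(), -1), postNumber(g.size(), -1) {
        std::vector<char> seen(g.size(), 0);
        std::vector<int> rpo, rpoIndex(g.size(), -1);
        postOrder(g, root, seen, rpo);
        std::reverse(rpo.begin(), rpo.end());
        for (int i = 0; i < static_cast<int>(rpo.size()); ++i) rpoIndex[rpo[i]] = i;
        // Nearest common dominator of a and b: walk two fingers up the tree until they meet.
        auto intersect = [&](int a, int b) {
            while (a != b) {
                while (rpoIndex[a] > rpoIndex[b]) a = idom[a];
                while (rpoIndex[b] > rpoIndex[a]) b = idom[b];
            }
            return a;
        };
        idom[root] = root; // sentinel so the finger walk stops at the root
        for (bool changed = true; changed;) {
            changed = false;
            for (int b : rpo) {
                if (b == root) continue;
                int newIdom = -1;
                for (int p : g.pred[b]) // skip predecessors not processed yet (or unreachable)
                    if (idom[p] != -1) newIdom = newIdom == -1 ? p : intersect(p, newIdom);
                if (newIdom != idom[b]) { idom[b] = newIdom; changed = true; }
            }
        }
        idom[root] = -1;
        // Build the dominator tree and number it in DFS pre/post order.
        std::vector<std::vector<int>> children(g.size());
        for (int b = 0; b < g.size(); ++b)
            if (idom[b] != -1) children[idom[b]].push_back(b);
        int counter = 0;
        number(root, children, counter);
    }
    void number(int block, const std::vector<std::vector<int>>& children, int& counter) {
        preNumber[block] = counter++;
        for (int c : children[block]) number(c, children, counter);
        postNumber[block] = counter++;
    }
    // Dietz's trick: a dominates b iff b's [pre, post] interval nests inside a's.
    bool dominates(int a, int b) const {
        return preNumber[a] <= preNumber[b] && postNumber[b] <= postNumber[a];
    }
};

// Cross-check from the definition: a dominates b iff b is unreachable from root once a is removed.
static bool naiveDominates(const Graph& g, int root, int a, int b) {
    if (a == b || a == root) return true;
    std::vector<char> seen(g.size(), 0);
    std::vector<int> work{root};
    seen[root] = 1;
    while (!work.empty()) {
        int cur = work.back(); work.pop_back();
        if (cur == b) return false;
        for (int s : g.succ[cur]) if (s != a && !seen[s]) { seen[s] = 1; work.push_back(s); }
    }
    return true;
}

// Constructed sample CFG: 0 enters; 1 heads a loop with a diamond (2/3 rejoin at 4); 5 loops back or exits to 6.
static Graph sampleCfg() {
    Graph g(7);
    int edges[][2] = {{0, 1}, {1, 2}, {1, 3}, {2, 4}, {3, 4}, {4, 5}, {5, 1}, {5, 6}};
    for (auto& e : edges) g.addEdge(e[0], e[1]);
    return g;
}

// True iff the range check agrees with the naive definition on every pair of blocks.
bool sampleAgreesWithNaive() {
    Graph g = sampleCfg();
    Dominators d(g, 0);
    for (int a = 0; a < g.size(); ++a)
        for (int b = 0; b < g.size(); ++b)
            if (d.dominates(a, b) != naiveDominates(g, 0, a, b)) return false;
    return true;
}
```

On the sample graph the idoms come out as 1→0, 2→1, 3→1, 4→1, 5→4, 6→5, and after numbering, `dominates(a, b)` is two integer comparisons regardless of graph size; the all-pairs comparison against `naiveDominates` is the kind of debug-build sanity check the entry's NaiveDominators serves, and it is what catches a broken numbering or a mishandled back edge.
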
1810 2014-08-27  Filip Pizlo  <fpizlo@apple.com>
1811
1812         FTL should be able to do polymorphic call inlining
1813         https://bugs.webkit.org/show_bug.cgi?id=135145
1814
1815         Reviewed by Geoffrey Garen.
1816         
1817         Added a log-based high-fidelity call edge profiler that runs in DFG JIT (and optionally
1818         baseline JIT) code. Used it to do precise polymorphic inlining in the FTL. Potential
1819         inlining sites use the call edge profile if it is available, but they will still fall back
1820         on the call inline cache and rare case counts if it's not. Polymorphic inlining means that
1821         multiple possible callees can be inlined with a switch to guard them. The slow path may
1822         either be an OSR exit or a virtual call.
1823         
1824         The call edge profiling added in this patch is very precise - it will tell you about every
1825         call that has ever happened. It took some effort to reduce the overhead of this profiling.
1826         This mostly involved ensuring that we don't do it unnecessarily. For example, we avoid it
1827         in the baseline JIT (you can conditionally enable it but it's off by default) and we only do
1828         it in the DFG JIT if we know that the regular inline cache profiling wasn't precise enough.
1829         I also experimented with reducing the precision of the profiling. This led to a significant
1830         reduction in the speed-up, so I avoided this approach. I also explored making log processing
1831         concurrent, but that didn't help. Also, I tested the overhead of the log processing and
1832         found that most of the overhead of this profiling is actually in putting things into the log
1833         rather than in processing the log - that part appears to be surprisingly cheap.
1834         
1835         Polymorphic inlining could be enabled in the DFG if we enabled baseline call edge profiling,
1836         and if we guarded such inlining sites with some profiling mechanism to detect
1837         polyvariant monomorphisation opportunities (where the callsite being inlined reveals that
1838         it's actually monomorphic).
1839         
1840         This is a ~28% speed-up on deltablue and a ~7% speed-up on richards, with small speed-ups on
1841         other programs as well. It's about a 2% speed-up on Octane version 2, and never a regression
1842         on anything we care about. Some aggregates, like V8Spider, see a regression. This is
1843         highlighting the increase in profiling overhead. But since this doesn't show up on any major
1844         score (code-load or SunSpider), it's probably not relevant.
1845         
1846         Relanding after fixing debug assertions in fast/storage/serialized-script-value.html.
1847
1848         * CMakeLists.txt:
1849         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1850         * JavaScriptCore.xcodeproj/project.pbxproj:
1851         * bytecode/CallEdge.cpp: Added.
1852         (JSC::CallEdge::dump):
1853         * bytecode/CallEdge.h: Added.
1854         (JSC::CallEdge::operator!):
1855         (JSC::CallEdge::callee):
1856         (JSC::CallEdge::count):
1857         (JSC::CallEdge::despecifiedClosure):
1858         (JSC::CallEdge::CallEdge):
1859         * bytecode/CallEdgeProfile.cpp: Added.
1860         (JSC::CallEdgeProfile::callEdges):
1861         (JSC::CallEdgeProfile::numCallsToKnownCells):
1862         (JSC::worthDespecifying):
1863         (JSC::CallEdgeProfile::worthDespecifying):
1864         (JSC::CallEdgeProfile::visitWeak):
1865         (JSC::CallEdgeProfile::addSlow):
1866         (JSC::CallEdgeProfile::mergeBack):
1867         (JSC::CallEdgeProfile::fadeByHalf):
1868         (JSC::CallEdgeLog::CallEdgeLog):
1869         (JSC::CallEdgeLog::~CallEdgeLog):
1870         (JSC::CallEdgeLog::isEnabled):
1871         (JSC::operationProcessCallEdgeLog):
1872         (JSC::CallEdgeLog::emitLogCode):
1873         (JSC::CallEdgeLog::processLog):
1874         * bytecode/CallEdgeProfile.h: Added.
1875         (JSC::CallEdgeProfile::numCallsToNotCell):
1876         (JSC::CallEdgeProfile::numCallsToUnknownCell):
1877         (JSC::CallEdgeProfile::totalCalls):
1878         * bytecode/CallEdgeProfileInlines.h: Added.
1879         (JSC::CallEdgeProfile::CallEdgeProfile):
1880         (JSC::CallEdgeProfile::add):
1881         * bytecode/CallLinkInfo.cpp:
1882         (JSC::CallLinkInfo::visitWeak):
1883         * bytecode/CallLinkInfo.h:
1884         * bytecode/CallLinkStatus.cpp:
1885         (JSC::CallLinkStatus::CallLinkStatus):
1886         (JSC::CallLinkStatus::computeFromLLInt):
1887         (JSC::CallLinkStatus::computeFor):
1888         (JSC::CallLinkStatus::computeExitSiteData):
1889         (JSC::CallLinkStatus::computeFromCallLinkInfo):
1890         (JSC::CallLinkStatus::computeFromCallEdgeProfile):
1891         (JSC::CallLinkStatus::computeDFGStatuses):
1892         (JSC::CallLinkStatus::isClosureCall):
1893         (JSC::CallLinkStatus::makeClosureCall):
1894         (JSC::CallLinkStatus::dump):
1895         (JSC::CallLinkStatus::function): Deleted.
1896         (JSC::CallLinkStatus::internalFunction): Deleted.
1897         (JSC::CallLinkStatus::intrinsicFor): Deleted.
1898         * bytecode/CallLinkStatus.h:
1899         (JSC::CallLinkStatus::CallLinkStatus):
1900         (JSC::CallLinkStatus::isSet):
1901         (JSC::CallLinkStatus::couldTakeSlowPath):
1902         (JSC::CallLinkStatus::edges):
1903         (JSC::CallLinkStatus::size):
1904         (JSC::CallLinkStatus::at):
1905         (JSC::CallLinkStatus::operator[]):
1906         (JSC::CallLinkStatus::canOptimize):
1907         (JSC::CallLinkStatus::canTrustCounts):
1908         (JSC::CallLinkStatus::isClosureCall): Deleted.
1909         (JSC::CallLinkStatus::callTarget): Deleted.
1910         (JSC::CallLinkStatus::executable): Deleted.
1911         (JSC::CallLinkStatus::makeClosureCall): Deleted.
1912         * bytecode/CallVariant.cpp: Added.
1913         (JSC::CallVariant::dump):
1914         * bytecode/CallVariant.h: Added.
1915         (JSC::CallVariant::CallVariant):
1916         (JSC::CallVariant::operator!):
1917         (JSC::CallVariant::despecifiedClosure):
1918         (JSC::CallVariant::rawCalleeCell):
1919         (JSC::CallVariant::internalFunction):
1920         (JSC::CallVariant::function):
1921         (JSC::CallVariant::isClosureCall):
1922         (JSC::CallVariant::executable):
1923         (JSC::CallVariant::nonExecutableCallee):
1924         (JSC::CallVariant::intrinsicFor):
1925         (JSC::CallVariant::functionExecutable):
1926         (JSC::CallVariant::isHashTableDeletedValue):
1927         (JSC::CallVariant::operator==):
1928         (JSC::CallVariant::operator!=):
1929         (JSC::CallVariant::operator<):
1930         (JSC::CallVariant::operator>):
1931         (JSC::CallVariant::operator<=):
1932         (JSC::CallVariant::operator>=):
1933         (JSC::CallVariant::hash):
1934         (JSC::CallVariant::deletedToken):
1935         (JSC::CallVariantHash::hash):
1936         (JSC::CallVariantHash::equal):
1937         * bytecode/CodeOrigin.h:
1938         (JSC::InlineCallFrame::isNormalCall):
1939         * bytecode/ExitKind.cpp:
1940         (JSC::exitKindToString):
1941         * bytecode/ExitKind.h:
1942         * bytecode/GetByIdStatus.cpp:
1943         (JSC::GetByIdStatus::computeForStubInfo):
1944         * bytecode/PutByIdStatus.cpp:
1945         (JSC::PutByIdStatus::computeForStubInfo):
1946         * dfg/DFGAbstractInterpreterInlines.h:
1947         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1948         * dfg/DFGBackwardsPropagationPhase.cpp:
1949         (JSC::DFG::BackwardsPropagationPhase::propagate):
1950         * dfg/DFGBasicBlock.cpp:
1951         (JSC::DFG::BasicBlock::~BasicBlock):
1952         * dfg/DFGBasicBlock.h:
1953         (JSC::DFG::BasicBlock::takeLast):
1954         (JSC::DFG::BasicBlock::didLink):
1955         * dfg/DFGByteCodeParser.cpp:
1956         (JSC::DFG::ByteCodeParser::processSetLocalQueue):
1957         (JSC::DFG::ByteCodeParser::removeLastNodeFromGraph):
1958         (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
1959         (JSC::DFG::ByteCodeParser::addCall):
1960         (JSC::DFG::ByteCodeParser::handleCall):
1961         (JSC::DFG::ByteCodeParser::emitFunctionChecks):
1962         (JSC::DFG::ByteCodeParser::undoFunctionChecks):
1963         (JSC::DFG::ByteCodeParser::inliningCost):
1964         (JSC::DFG::ByteCodeParser::inlineCall):
1965         (JSC::DFG::ByteCodeParser::cancelLinkingForBlock):
1966         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
1967         (JSC::DFG::ByteCodeParser::handleInlining):
1968         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1969         (JSC::DFG::ByteCodeParser::prepareToParseBlock):
1970         (JSC::DFG::ByteCodeParser::clearCaches):
1971         (JSC::DFG::ByteCodeParser::parseBlock):
1972         (JSC::DFG::ByteCodeParser::linkBlock):
1973         (JSC::DFG::ByteCodeParser::linkBlocks):
1974         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1975         * dfg/DFGCPSRethreadingPhase.cpp:
1976         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
1977         * dfg/DFGClobberize.h:
1978         (JSC::DFG::clobberize):
1979         * dfg/DFGCommon.h:
1980         * dfg/DFGConstantFoldingPhase.cpp:
1981         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1982         * dfg/DFGDoesGC.cpp:
1983         (JSC::DFG::doesGC):
1984         * dfg/DFGDriver.cpp:
1985         (JSC::DFG::compileImpl):
1986         * dfg/DFGFixupPhase.cpp:
1987         (JSC::DFG::FixupPhase::fixupNode):
1988         * dfg/DFGGraph.cpp:
1989         (JSC::DFG::Graph::dump):
1990         (JSC::DFG::Graph::getBlocksInPreOrder):
1991         (JSC::DFG::Graph::visitChildren):
1992         * dfg/DFGJITCompiler.cpp:
1993         (JSC::DFG::JITCompiler::link):
1994         * dfg/DFGLazyJSValue.cpp:
1995         (JSC::DFG::LazyJSValue::switchLookupValue):
1996         * dfg/DFGLazyJSValue.h:
1997         (JSC::DFG::LazyJSValue::switchLookupValue): Deleted.
1998         * dfg/DFGNode.cpp:
1999         (WTF::printInternal):
2000         * dfg/DFGNode.h:
2001         (JSC::DFG::OpInfo::OpInfo):
2002         (JSC::DFG::Node::hasHeapPrediction):
2003         (JSC::DFG::Node::hasCellOperand):
2004         (JSC::DFG::Node::cellOperand):
2005         (JSC::DFG::Node::setCellOperand):
2006         (JSC::DFG::Node::canBeKnownFunction): Deleted.
2007         (JSC::DFG::Node::hasKnownFunction): Deleted.
2008         (JSC::DFG::Node::knownFunction): Deleted.
2009         (JSC::DFG::Node::giveKnownFunction): Deleted.
2010         (JSC::DFG::Node::hasFunction): Deleted.
2011         (JSC::DFG::Node::function): Deleted.
2012         (JSC::DFG::Node::hasExecutable): Deleted.
2013         (JSC::DFG::Node::executable): Deleted.
2014         * dfg/DFGNodeType.h:
2015         * dfg/DFGPhantomCanonicalizationPhase.cpp:
2016         (JSC::DFG::PhantomCanonicalizationPhase::run):
2017         * dfg/DFGPhantomRemovalPhase.cpp:
2018         (JSC::DFG::PhantomRemovalPhase::run):
2019         * dfg/DFGPredictionPropagationPhase.cpp:
2020         (JSC::DFG::PredictionPropagationPhase::propagate):
2021         * dfg/DFGSafeToExecute.h:
2022         (JSC::DFG::safeToExecute):
2023         * dfg/DFGSpeculativeJIT.cpp:
2024         (JSC::DFG::SpeculativeJIT::emitSwitch):
2025         * dfg/DFGSpeculativeJIT32_64.cpp:
2026         (JSC::DFG::SpeculativeJIT::emitCall):
2027         (JSC::DFG::SpeculativeJIT::compile):
2028         * dfg/DFGSpeculativeJIT64.cpp:
2029         (JSC::DFG::SpeculativeJIT::emitCall):
2030         (JSC::DFG::SpeculativeJIT::compile):
2031         * dfg/DFGStructureRegistrationPhase.cpp:
2032         (JSC::DFG::StructureRegistrationPhase::run):
2033         * dfg/DFGTierUpCheckInjectionPhase.cpp:
2034         (JSC::DFG::TierUpCheckInjectionPhase::run):
2035         (JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling):
2036         * dfg/DFGValidate.cpp:
2037         (JSC::DFG::Validate::validate):
2038         * dfg/DFGWatchpointCollectionPhase.cpp:
2039         (JSC::DFG::WatchpointCollectionPhase::handle):
2040         * ftl/FTLCapabilities.cpp:
2041         (JSC::FTL::canCompile):
2042         * ftl/FTLLowerDFGToLLVM.cpp:
2043         (JSC::FTL::ftlUnreachable):
2044         (JSC::FTL::LowerDFGToLLVM::lower):
2045         (JSC::FTL::LowerDFGToLLVM::compileNode):
2046         (JSC::FTL::LowerDFGToLLVM::compileCheckCell):
2047         (JSC::FTL::LowerDFGToLLVM::compileCheckBadCell):
2048         (JSC::FTL::LowerDFGToLLVM::compileGetExecutable):
2049         (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
2050         (JSC::FTL::LowerDFGToLLVM::compileSwitch):
2051         (JSC::FTL::LowerDFGToLLVM::buildSwitch):
2052         (JSC::FTL::LowerDFGToLLVM::compileCheckFunction): Deleted.
2053         (JSC::FTL::LowerDFGToLLVM::compileCheckExecutable): Deleted.
2054         * heap/Heap.cpp:
2055         (JSC::Heap::collect):
2056         * jit/AssemblyHelpers.h:
2057         (JSC::AssemblyHelpers::storeValue):
2058         (JSC::AssemblyHelpers::loadValue):
2059         * jit/CCallHelpers.h:
2060         (JSC::CCallHelpers::setupArguments):
2061         * jit/GPRInfo.h:
2062         (JSC::JSValueRegs::uses):
2063         * jit/JITCall.cpp:
2064         (JSC::JIT::compileOpCall):
2065         * jit/JITCall32_64.cpp:
2066         (JSC::JIT::compileOpCall):
2067         * runtime/Options.h:
2068         * runtime/VM.cpp:
2069         (JSC::VM::ensureCallEdgeLog):
2070         * runtime/VM.h:
2071         * tests/stress/fold-profiled-call-to-call.js: Added. This test pinpoints the problem we saw in fast/storage/serialized-script-value.html.
2072         * tests/stress/new-array-then-exit.js: Added.
2073         * tests/stress/poly-call-exit-this.js: Added.
2074         * tests/stress/poly-call-exit.js: Added.
2075
2076 2014-08-28  Julien Brianceau   <jbriance@cisco.com>
2077
2078         Correct GC length unit and prevent division by 0 in showObjectStatistics.
2079         https://bugs.webkit.org/show_bug.cgi?id=136340
2080
2081         Reviewed by Mark Hahnenberg.
2082
2083         * heap/HeapStatistics.cpp:
2084         (JSC::HeapStatistics::showObjectStatistics):
2085
2086 2014-08-27  Akos Kiss  <akiss@inf.u-szeged.hu>
2087
2088         Ensure that the call frame passed from JIT code via JSC::operationCallEval to JSC::eval always contains the valid scope chain.
2089         https://bugs.webkit.org/show_bug.cgi?id=136313
2090
2091         Reviewed by Michael Saboff.
2092
2093         Do not rely on calling conventions to fill in the CallerFrame component
2094         of the execCallee parameter of JSC::operationCallEval.
2095
2096         * jit/JITOperations.cpp:
2097
2098 2014-08-27  Saam Barati  <sbarati@apple.com>
2099
2100         Deconstruction object pattern node emits the wrong start/end text positions
2101         https://bugs.webkit.org/show_bug.cgi?id=136304
2102
2103         Reviewed by Geoffrey Garen.
2104
2105         Object pattern nodes that used the syntactic sugar binding: 
2106         'var {foo} = {foo:20}' instead of 'var {foo:foo} = {foo:20}' 
2107         would get the wrong text position for variable 'foo'. The position 
2108         would be placed on the comma(s)/closing brace instead of the identifier. 
2109         This patch fixes this bug by caching the identifier's JSToken before 
2110         trying to parse an optional colon.
2111
2112         * parser/Parser.cpp:
2113         (JSC::Parser<LexerType>::parseVarDeclarationList):
2114         (JSC::Parser<LexerType>::createBindingPattern):
2115         (JSC::Parser<LexerType>::parseDeconstructionPattern):
2116         * parser/Parser.h:
2117
2118 2014-08-27  Brent Fulgham  <bfulgham@apple.com>
2119
2120         [Win] Build fix after last commit.
2121
2122         Check in new DLLLauncherMain.cpp file.
2123
2124         * JavaScriptCore.vcxproj/jsc/DLLLauncherMain.cpp: Added.
2125         (enableTerminationOnHeapCorruption):
2126         (getStringValue):
2127         (applePathFromRegistry):
2128         (appleApplicationSupportDirectory):
2129         (copyEnvironmentVariable):
2130         (prependPath):
2131         (fatalError):
2132         (directoryExists):
2133         (modifyPath):
2134         (getLastErrorString):
2135         (wWinMain):
2136
2137 2014-08-27  Brent Fulgham  <bfulgham@apple.com>
2138
2139         [Win] testapi and testRegExp need to find support libraries.
2140         https://bugs.webkit.org/show_bug.cgi?id=136008
2141
2142         Reviewed by Dean Jackson.
2143
2144         Revise the Windows build of jsc, testapi, and testRegExp so that they
2145         find and use the proper runtime support libraries.
2146
2147         These locations vary between the Apple Windows build and WinCairo, and
2148         are generally not in the system PATH environment setting. Consequently,
2149         these applications fail on launch unless the user modifies their
2150         PATH.
2151
2152         This patch revises these tools to work like WinLauncher and DumpRenderTree
2153         so that they run reliably.
2154
2155         * API/tests/testapi.c:
2156         (dllLauncherEntryPoint): Added.
2157         * JavaScriptCore.vcxproj/JavaScriptCore.sln: Add new build projects and
2158           provide proper dependencies with existing projects.
2159         * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: Ditto.
2160         * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: Switch to build
2161           a DLL, rather than an executable.
2162         * JavaScriptCore.vcxproj/jsc/jscCommon.props: Add shlwapi.lib
2163           to the list of libraries needed at link-time, and to use
2164           the DLL/Console combination entry point.
2165         * JavaScriptCore.vcxproj/jsc/jscLauncher.vcxproj: Added.
2166         * JavaScriptCore.vcxproj/jsc/jscLauncherPostBuild.cmd: Copied from JavaScriptCore.vcxproj/jsc/jscPostBuild.cmd.
2167         * JavaScriptCore.vcxproj/jsc/jscLauncherPreBuild.cmd: Copied from JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd.
2168         * JavaScriptCore.vcxproj/jsc/jscLauncherPreLink.cmd: Copied from JavaScriptCore.vcxproj/jsc/jscPreLink.cmd.
2169         * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: Switch to build
2170           a DLL, rather than an executable.
2171         * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props: Add shlwapi.lib
2172           to the list of libraries needed at link-time, and to use
2173           the DLL/Console combination entry point.
2174         * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncher.vcxproj: Added.
2175         * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncherPostBuild.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPostBuild.cmd.
2176         * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncherPreBuild.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd.
2177         * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncherPreLink.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPreLink.cmd.
2178         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: Switch to build
2179           a DLL, rather than an executable.
2180         * JavaScriptCore.vcxproj/testapi/testapiLauncher.vcxproj: Added.
2181         * JavaScriptCore.vcxproj/testapi/testapiCommon.props: Add shlwapi.lib
2182           to the list of libraries needed at link-time, and to use
2183           the DLL/Console combination entry point.
2184         * JavaScriptCore.vcxproj/testapi/testapiLauncherPostBuild.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPostBuild.cmd.
2185         * JavaScriptCore.vcxproj/testapi/testapiLauncherPreBuild.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd.
2186         * JavaScriptCore.vcxproj/testapi/testapiLauncherPreLink.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPreLink.cmd.
2187         * jsc.cpp:
2188         (dllLauncherEntryPoint): Added.
2189         * testRegExp.cpp:
2190         (dllLauncherEntryPoint): Added.
2191
2192 2014-08-27  Julien Brianceau   <jbriance@cisco.com>
2193
2194         Take advantage of 3 parameters or32() calls
2195         https://bugs.webkit.org/show_bug.cgi?id=136287
2196
2197         Reviewed by Michael Saboff.
2198
2199         For specific architectures (arm and mips for instance), or32() calls
2200         with 3 parameters are likely to produce a single instruction.
2201
2202         * dfg/DFGSpeculativeJIT32_64.cpp:
2203         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
2204         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
2205         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
2206         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
2207         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
2208         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
2209         (JSC::DFG::SpeculativeJIT::branchIsOther):
2210         (JSC::DFG::SpeculativeJIT::branchNotOther):
2211
2212 2014-08-26  Brian J. Burg  <burg@cs.washington.edu>
2213
2214         Web Inspector: put feature flags for Inspector domains in the protocol specification
2215         https://bugs.webkit.org/show_bug.cgi?id=136027
2216
2217         Reviewed by Timothy Hatcher.
2218
2219         Remove the hardcoded map of domains to feature guards, and instead parse it from the specification.
2220
2221         Test: inspector/scripts/tests/generate-domains-with-feature-guards.json
2222
2223         * inspector/scripts/codegen/generator.py:
2224         (Generator.wrap_with_guard_for_domain):
2225         * inspector/scripts/codegen/models.py:
2226         (Protocol.parse_domain):
2227         (Domain.__init__):
2228         (Domains):
2229         * inspector/scripts/tests/generate-domains-with-feature-guards.json: Added.
2230         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2231         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2232         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2233         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2234         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2235
2236 2014-08-26  Andy Estes  <aestes@apple.com>
2237
2238         [Cocoa] Some projects are incorrectly installed to $BUILT_PRODUCTS_DIR
2239         https://bugs.webkit.org/show_bug.cgi?id=136267
2240
2241         Reviewed by Dan Bernstein.
2242
2243         INSTALL_PATH was set to $BUILT_PRODUCTS_DIR for engineering configurations in r20225 as part of a build fix.
2244         Not only is this no longer necessary to build, but it causes built products to be incorrectly installed in
2245         engineering configurations.
2246
2247         Remove the setting of INSTALL_PATH from the pbxproj file so that the value specified in the xcconfig files is
2248         used instead.
2249
2250         * JavaScriptCore.xcodeproj/project.pbxproj:
2251
2252 2014-08-26  Michael Saboff  <msaboff@apple.com>
2253
2254         [Win] 64-bit JavaScriptCore crashes on launch
2255         https://bugs.webkit.org/show_bug.cgi?id=136241
2256
2257         Reviewed by Mark Lam.
2258
2259         * llint/LowLevelInterpreter.asm:
2260         (vmEntryRecord): X86_64_WIN doesn't use "a0" (rax) for the first argument, it uses
2261         "t2" (rcx).  Changed to get the input parameter using the correct register.
2262
2263 2014-08-26  Saam Barati  <sbarati@apple.com>
2264
2265         TypeSet caches structureIDs even after the corresponding Structure could be GCed
2266         https://bugs.webkit.org/show_bug.cgi?id=136178
2267
2268         Reviewed by Geoffrey Garen.
2269
2270         Currently, TypeSet will never remove StructureIDs from its cache,
2271         even after the corresponding Structures could be garbage collected.
2272         Now, when the Garbage Collector collects, and type profiling is 
2273         enabled, the Garbage Collector will invalidate all TypeSet caches.
2274
2275         * heap/Heap.cpp:
2276         (JSC::Heap::collect):
2277         * runtime/TypeSet.cpp:
2278         (JSC::TypeSet::addTypeInformation):
2279         (JSC::TypeSet::invalidateCache):
2280         * runtime/TypeSet.h:
2281         * runtime/VM.cpp:
2282         (JSC::VM::invalidateTypeSetCache):
2283         * runtime/VM.h:
2284
2285 2014-08-26  Michael Saboff  <msaboff@apple.com>
2286
2287         REGRESSION(r172794) + 32Bit build: for-in-base-reassigned-later-and-change-structure.js fail with NaN result
2288         https://bugs.webkit.org/show_bug.cgi?id=136187
2289
2290         Reviewed by Mark Hahnenberg.
2291
2292         Added two arg version for 32 bit builds of callOperation(J_JITOperation_ECJ, ...) that
2293         doesn't require a tag for the second argument; instead it fills in a CellTag.  This is
2294         used for the slow case of the GetDirectPname case in SpeculativeJIT::compile since we
2295         haven't set up a register with a tag and we know that argument 2 is a cell.
2296
2297         * dfg/DFGSpeculativeJIT.h:
2298         (JSC::DFG::SpeculativeJIT::callOperation): New version with implicit CellTag.
2299         * dfg/DFGSpeculativeJIT32_64.cpp:
2300         (JSC::DFG::SpeculativeJIT::compile): Eliminated extraneous filling of the scratchGPR
2301         with CellTag as it wasn't in the control flow for the slow path that needed the tag.
2302         Instead changed to calling new version of callOperation with an implicit CellTag.
2303
2304 2014-08-26  Commit Queue  <commit-queue@webkit.org>
2305
2306         Unreviewed, rolling out r172940.
2307         https://bugs.webkit.org/show_bug.cgi?id=136256
2308
2309         Caused assertions on fast/storage/serialized-script-value.html,
2310         and possibly flakiness on more tests (Requested by
2311         ap on #webkit).
2312
2313         Reverted changeset:
2314
2315         "FTL should be able to do polymorphic call inlining"
2316         https://bugs.webkit.org/show_bug.cgi?id=135145
2317         http://trac.webkit.org/changeset/172940
2318
2319 2014-08-26  Michael Saboff  <msaboff@apple.com>
2320
2321         REGRESSION(r172794) + 32Bit build: ASSERT failures in for-in-tests.js tests.
2322         https://bugs.webkit.org/show_bug.cgi?id=136165
2323
2324         Reviewed by Mark Hahnenberg.
2325
2326         Changed switch case GetDirectPname: to always use the slow path for X86 since it only has
2327         6 registers available, but the code requires 7.
2328
2329         * dfg/DFGSpeculativeJIT32_64.cpp:
2330         (JSC::DFG::SpeculativeJIT::compile):
2331
2332 2014-08-25  Saam Barati  <sbarati@apple.com>
2333
2334         TypeProfiler search breaks on return statements
2335         https://bugs.webkit.org/show_bug.cgi?id=136201
2336
2337         Reviewed by Filip Pizlo.
2338
2339         Searching for return statements in the TypeProfiler currently 
2340         breaks down because it expected to see the search descriptor 
2341         TypeProfilerSearchDescriptorFunctionReturn when looking for 
2342         return statements in the actual source code of the program. 
2343         But the TypeProfilerSearchDescriptorFunctionReturn search descriptor
2344         is reserved for looking for return statements that aren't in the 
2345         actual source code of the program, but when asking for the 
2346         aggregate return type of a function. Now, searching for 
2347         return statements in the actual source code of the program will 
2348         work when passing in the search descriptor TypeProfilerSearchDescriptorNormal.  
2349
2350         * bytecode/CodeBlock.cpp:
2351         (JSC::CodeBlock::CodeBlock):
2352         * runtime/TypeProfiler.cpp:
2353         (JSC::TypeProfiler::findLocation):
2354         (JSC::descriptorMatchesTypeLocation): Deleted.
2355
2356 2014-08-25  Saam Barati  <sbarati@apple.com>
2357
2358         Return statement TypeSets might be duplicated
2359         https://bugs.webkit.org/show_bug.cgi?id=136200
2360
2361         Reviewed by Filip Pizlo.
2362
2363         Currently, the globalTypeSet that converges the types of all 
2364         return statements in a function lives off of CodeBlock. It lives 
2365         off CodeBlock because of a faulty assumption that CodeBlock 
2366         will have a one-to-one mapping with a function in the source
2367         text of the program. (Currently, there isn't an actual bug 
2368         with this design because TypeLocationCache will hash cons to 
2369         the same TypeLocation, but this is still an incorrect design). 
2370         In this patch, the globalTypeSet for function return statements  
2371         is moved to the FunctionExecutable object, which does have a one-to-one
2372         mapping with functions in the source text of a program.
2373
2374         * bytecode/CodeBlock.cpp:
2375         (JSC::CodeBlock::CodeBlock):
2376         * bytecode/CodeBlock.h:
2377         (JSC::CodeBlock::returnStatementTypeSet): Deleted.
2378         * runtime/Executable.h:
2379         (JSC::FunctionExecutable::returnStatementTypeSet):
2380
2381 2014-08-24  Filip Pizlo  <fpizlo@apple.com>
2382
2383         FTL should be able to do polymorphic call inlining
2384         https://bugs.webkit.org/show_bug.cgi?id=135145
2385
2386         Reviewed by Geoffrey Garen.
2387         
2388         Added a log-based high-fidelity call edge profiler that runs in DFG JIT (and optionally
2389         baseline JIT) code. Used it to do precise polymorphic inlining in the FTL. Potential
2390         inlining sites use the call edge profile if it is available, but they will still fall back
2391         on the call inline cache and rare case counts if it's not. Polymorphic inlining means that
2392         multiple possible callees can be inlined with a switch to guard them. The slow path may
2393         either be an OSR exit or a virtual call.
2394         
2395         The call edge profiling added in this patch is very precise - it will tell you about every
2396         call that has ever happened. It took some effort to reduce the overhead of this profiling.
2397         This mostly involved ensuring that we don't do it unnecessarily. For example, we avoid it
2398         in the baseline JIT (you can conditionally enable it but it's off by default) and we only do
2399         it in the DFG JIT if we know that the regular inline cache profiling wasn't precise enough.
2400         I also experimented with reducing the precision of the profiling. This led to a significant
2401         reduction in the speed-up, so I avoided this approach. I also explored making log processing
2402         concurrent, but that didn't help. Also, I tested the overhead of the log processing and
2403         found that most of the overhead of this profiling is actually in putting things into the log
2404         rather than in processing the log - that part appears to be surprisingly cheap.
2405         
2406         Polymorphic inlining could be enabled in the DFG if we enabled baseline call edge profiling,
2407         and if we guarded such inlining sites with some profiling mechanism to detect
2408         polyvariant monomorphisation opportunities (where the callsite being inlined reveals that
2409         it's actually monomorphic).
2410         
2411         This is a ~28% speed-up on deltablue and a ~7% speed-up on richards, with small speed-ups on
2412         other programs as well. It's about a 2% speed-up on Octane version 2, and never a regression
2413         on anything we care about. Some aggregates, like V8Spider, see a regression. This is
2414         highlighting the increase in profiling overhead. But since this doesn't show up on any major
2415         score (code-load or SunSpider), it's probably not relevant.
2416         
2417         * CMakeLists.txt:
2418         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2419         * JavaScriptCore.xcodeproj/project.pbxproj:
2420         * bytecode/CallEdge.cpp: Added.
2421         (JSC::CallEdge::dump):
2422         * bytecode/CallEdge.h: Added.
2423         (JSC::CallEdge::operator!):
2424         (JSC::CallEdge::callee):
2425         (JSC::CallEdge::count):
2426         (JSC::CallEdge::despecifiedClosure):
2427         (JSC::CallEdge::CallEdge):
2428         * bytecode/CallEdgeProfile.cpp: Added.
2429         (JSC::CallEdgeProfile::callEdges):
2430         (JSC::CallEdgeProfile::numCallsToKnownCells):
2431         (JSC::worthDespecifying):
2432         (JSC::CallEdgeProfile::worthDespecifying):
2433         (JSC::CallEdgeProfile::visitWeak):
2434         (JSC::CallEdgeProfile::addSlow):
2435         (JSC::CallEdgeProfile::mergeBack):
2436         (JSC::CallEdgeProfile::fadeByHalf):
2437         (JSC::CallEdgeLog::CallEdgeLog):
2438         (JSC::CallEdgeLog::~CallEdgeLog):
2439         (JSC::CallEdgeLog::isEnabled):
2440         (JSC::operationProcessCallEdgeLog):
2441         (JSC::CallEdgeLog::emitLogCode):
2442         (JSC::CallEdgeLog::processLog):
2443         * bytecode/CallEdgeProfile.h: Added.
2444         (JSC::CallEdgeProfile::numCallsToNotCell):
2445         (JSC::CallEdgeProfile::numCallsToUnknownCell):
2446         (JSC::CallEdgeProfile::totalCalls):
2447         * bytecode/CallEdgeProfileInlines.h: Added.
2448         (JSC::CallEdgeProfile::CallEdgeProfile):
2449         (JSC::CallEdgeProfile::add):
2450         * bytecode/CallLinkInfo.cpp:
2451         (JSC::CallLinkInfo::visitWeak):
2452         * bytecode/CallLinkInfo.h:
2453         * bytecode/CallLinkStatus.cpp:
2454         (JSC::CallLinkStatus::CallLinkStatus):
2455         (JSC::CallLinkStatus::computeFromLLInt):
2456         (JSC::CallLinkStatus::computeFor):
2457         (JSC::CallLinkStatus::computeExitSiteData):
2458         (JSC::CallLinkStatus::computeFromCallLinkInfo):
2459         (JSC::CallLinkStatus::computeFromCallEdgeProfile):
2460         (JSC::CallLinkStatus::computeDFGStatuses):
2461         (JSC::CallLinkStatus::isClosureCall):
2462         (JSC::CallLinkStatus::makeClosureCall):
2463         (JSC::CallLinkStatus::dump):
2464         (JSC::CallLinkStatus::function): Deleted.
2465         (JSC::CallLinkStatus::internalFunction): Deleted.
2466         (JSC::CallLinkStatus::intrinsicFor): Deleted.
2467         * bytecode/CallLinkStatus.h:
2468         (JSC::CallLinkStatus::CallLinkStatus):
2469         (JSC::CallLinkStatus::isSet):
2470         (JSC::CallLinkStatus::couldTakeSlowPath):
2471         (JSC::CallLinkStatus::edges):
2472         (JSC::CallLinkStatus::size):
2473         (JSC::CallLinkStatus::at):
2474         (JSC::CallLinkStatus::operator[]):
2475         (JSC::CallLinkStatus::canOptimize):
2476         (JSC::CallLinkStatus::canTrustCounts):
2477         (JSC::CallLinkStatus::isClosureCall): Deleted.
2478         (JSC::CallLinkStatus::callTarget): Deleted.
2479         (JSC::CallLinkStatus::executable): Deleted.
2480         (JSC::CallLinkStatus::makeClosureCall): Deleted.
2481         * bytecode/CallVariant.cpp: Added.
2482         (JSC::CallVariant::dump):
2483         * bytecode/CallVariant.h: Added.
2484         (JSC::CallVariant::CallVariant):
2485         (JSC::CallVariant::operator!):
2486         (JSC::CallVariant::despecifiedClosure):
2487         (JSC::CallVariant::rawCalleeCell):
2488         (JSC::CallVariant::internalFunction):
2489         (JSC::CallVariant::function):
2490         (JSC::CallVariant::isClosureCall):
2491         (JSC::CallVariant::executable):
2492         (JSC::CallVariant::nonExecutableCallee):
2493         (JSC::CallVariant::intrinsicFor):
2494         (JSC::CallVariant::functionExecutable):
2495         (JSC::CallVariant::isHashTableDeletedValue):
2496         (JSC::CallVariant::operator==):
2497         (JSC::CallVariant::operator!=):
2498         (JSC::CallVariant::operator<):
2499         (JSC::CallVariant::operator>):
2500         (JSC::CallVariant::operator<=):
2501         (JSC::CallVariant::operator>=):
2502         (JSC::CallVariant::hash):
2503         (JSC::CallVariant::deletedToken):
2504         (JSC::CallVariantHash::hash):
2505         (JSC::CallVariantHash::equal):
2506         * bytecode/CodeOrigin.h:
2507         (JSC::InlineCallFrame::isNormalCall):
2508         * bytecode/ExitKind.cpp:
2509         (JSC::exitKindToString):
2510         * bytecode/ExitKind.h:
2511         * bytecode/GetByIdStatus.cpp:
2512         (JSC::GetByIdStatus::computeForStubInfo):
2513         * bytecode/PutByIdStatus.cpp:
2514         (JSC::PutByIdStatus::computeForStubInfo):
2515         * dfg/DFGAbstractInterpreterInlines.h:
2516         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2517         * dfg/DFGBackwardsPropagationPhase.cpp:
2518         (JSC::DFG::BackwardsPropagationPhase::propagate):
2519         * dfg/DFGBasicBlock.cpp:
2520         (JSC::DFG::BasicBlock::~BasicBlock):
2521         * dfg/DFGBasicBlock.h:
2522         (JSC::DFG::BasicBlock::takeLast):
2523         (JSC::DFG::BasicBlock::didLink):
2524         * dfg/DFGByteCodeParser.cpp:
2525         (JSC::DFG::ByteCodeParser::processSetLocalQueue):
2526         (JSC::DFG::ByteCodeParser::removeLastNodeFromGraph):
2527         (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
2528         (JSC::DFG::ByteCodeParser::addCall):
2529         (JSC::DFG::ByteCodeParser::handleCall):
2530         (JSC::DFG::ByteCodeParser::emitFunctionChecks):
2531         (JSC::DFG::ByteCodeParser::undoFunctionChecks):
2532         (JSC::DFG::ByteCodeParser::inliningCost):
2533         (JSC::DFG::ByteCodeParser::inlineCall):
2534         (JSC::DFG::ByteCodeParser::cancelLinkingForBlock):
2535         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
2536         (JSC::DFG::ByteCodeParser::handleInlining):
2537         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2538         (JSC::DFG::ByteCodeParser::prepareToParseBlock):
2539         (JSC::DFG::ByteCodeParser::clearCaches):
2540         (JSC::DFG::ByteCodeParser::parseBlock):
2541         (JSC::DFG::ByteCodeParser::linkBlock):
2542         (JSC::DFG::ByteCodeParser::linkBlocks):
2543         (JSC::DFG::ByteCodeParser::parseCodeBlock):
2544         * dfg/DFGCPSRethreadingPhase.cpp:
2545         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
2546         * dfg/DFGClobberize.h:
2547         (JSC::DFG::clobberize):
2548         * dfg/DFGCommon.h:
2549         * dfg/DFGConstantFoldingPhase.cpp:
2550         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2551         * dfg/DFGDoesGC.cpp:
2552         (JSC::DFG::doesGC):
2553         * dfg/DFGDriver.cpp:
2554         (JSC::DFG::compileImpl):
2555         * dfg/DFGFixupPhase.cpp:
2556         (JSC::DFG::FixupPhase::fixupNode):
2557         * dfg/DFGGraph.cpp:
2558         (JSC::DFG::Graph::dump):
2559         (JSC::DFG::Graph::visitChildren):
2560         * dfg/DFGJITCompiler.cpp:
2561         (JSC::DFG::JITCompiler::link):
2562         * dfg/DFGLazyJSValue.cpp:
2563         (JSC::DFG::LazyJSValue::switchLookupValue):
2564         * dfg/DFGLazyJSValue.h:
2565         (JSC::DFG::LazyJSValue::switchLookupValue): Deleted.
2566         * dfg/DFGNode.cpp:
2567         (WTF::printInternal):
2568         * dfg/DFGNode.h:
2569         (JSC::DFG::OpInfo::OpInfo):
2570         (JSC::DFG::Node::hasHeapPrediction):
2571         (JSC::DFG::Node::hasCellOperand):
2572         (JSC::DFG::Node::cellOperand):
2573         (JSC::DFG::Node::setCellOperand):
2574         (JSC::DFG::Node::canBeKnownFunction): Deleted.
2575         (JSC::DFG::Node::hasKnownFunction): Deleted.
2576         (JSC::DFG::Node::knownFunction): Deleted.
2577         (JSC::DFG::Node::giveKnownFunction): Deleted.
2578         (JSC::DFG::Node::hasFunction): Deleted.
2579         (JSC::DFG::Node::function): Deleted.
2580         (JSC::DFG::Node::hasExecutable): Deleted.
2581         (JSC::DFG::Node::executable): Deleted.
2582         * dfg/DFGNodeType.h:
2583         * dfg/DFGPhantomCanonicalizationPhase.cpp:
2584         (JSC::DFG::PhantomCanonicalizationPhase::run):
2585         * dfg/DFGPhantomRemovalPhase.cpp:
2586         (JSC::DFG::PhantomRemovalPhase::run):
2587         * dfg/DFGPredictionPropagationPhase.cpp:
2588         (JSC::DFG::PredictionPropagationPhase::propagate):
2589         * dfg/DFGSafeToExecute.h:
2590         (JSC::DFG::safeToExecute):
2591         * dfg/DFGSpeculativeJIT.cpp:
2592         (JSC::DFG::SpeculativeJIT::emitSwitch):
2593         * dfg/DFGSpeculativeJIT32_64.cpp:
2594         (JSC::DFG::SpeculativeJIT::emitCall):
2595         (JSC::DFG::SpeculativeJIT::compile):
2596         * dfg/DFGSpeculativeJIT64.cpp:
2597         (JSC::DFG::SpeculativeJIT::emitCall):
2598         (JSC::DFG::SpeculativeJIT::compile):
2599         * dfg/DFGStructureRegistrationPhase.cpp:
2600         (JSC::DFG::StructureRegistrationPhase::run):
2601         * dfg/DFGTierUpCheckInjectionPhase.cpp:
2602         (JSC::DFG::TierUpCheckInjectionPhase::run):
2603         (JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling):
2604         * dfg/DFGValidate.cpp:
2605         (JSC::DFG::Validate::validate):
2606         * dfg/DFGWatchpointCollectionPhase.cpp:
2607         (JSC::DFG::WatchpointCollectionPhase::handle):
2608         * ftl/FTLCapabilities.cpp:
2609         (JSC::FTL::canCompile):
2610         * ftl/FTLLowerDFGToLLVM.cpp:
2611         (JSC::FTL::ftlUnreachable):
2612         (JSC::FTL::LowerDFGToLLVM::lower):
2613         (JSC::FTL::LowerDFGToLLVM::compileNode):
2614         (JSC::FTL::LowerDFGToLLVM::compileCheckCell):
2615         (JSC::FTL::LowerDFGToLLVM::compileCheckBadCell):
2616         (JSC::FTL::LowerDFGToLLVM::compileGetExecutable):
2617         (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
2618         (JSC::FTL::LowerDFGToLLVM::compileSwitch):
2619         (JSC::FTL::LowerDFGToLLVM::buildSwitch):
2620         (JSC::FTL::LowerDFGToLLVM::compileCheckFunction): Deleted.
2621         (JSC::FTL::LowerDFGToLLVM::compileCheckExecutable): Deleted.
2622         * heap/Heap.cpp:
2623         (JSC::Heap::collect):
2624         * jit/AssemblyHelpers.h:
2625         (JSC::AssemblyHelpers::storeValue):
2626         (JSC::AssemblyHelpers::loadValue):
2627         * jit/CCallHelpers.h:
2628         (JSC::CCallHelpers::setupArguments):
2629         * jit/GPRInfo.h:
2630         (JSC::JSValueRegs::uses):
2631         * jit/JITCall.cpp:
2632         (JSC::JIT::compileOpCall):
2633         * jit/JITCall32_64.cpp:
2634         (JSC::JIT::compileOpCall):
2635         * runtime/Options.h:
2636         * runtime/VM.cpp:
2637         (JSC::VM::ensureCallEdgeLog):
2638         * runtime/VM.h:
2639         * tests/stress/new-array-then-exit.js: Added.
2640         (foo):
2641         * tests/stress/poly-call-exit-this.js: Added.
2642         * tests/stress/poly-call-exit.js: Added.
2643
2644 2014-08-22  Michael Saboff  <msaboff@apple.com>
2645
2646         After r172867 another crash in js/dom/line-column-numbers.html
2647         https://bugs.webkit.org/show_bug.cgi?id=136192
2648
2649         Reviewed by Geoffrey Garen.
2650
2651         In lookupExceptionHandlerFromCallerFrame(), we need to use the caller's CallFrame
2652         and VMEntryFrame when calling genericUnwind().  NativeCallFrameTracerWithRestore()
2653         does that for us.
2654
2655         In general, NativeCallFrameTracerWithRestore() restores the values because we may
2656         do more processing that requires the current callFrame and vmEntryFrame before we
2657         get to the catch handler where we change these to the catch values.  In this
2658         particular case, that restoration isn't currently needed, but we add complexity
2659         and possible future confusion if we create another NativeCallFrameTracerXXX()
2660         version that doesn't restore the values.
2661
2662         * jit/JITOperations.cpp:
2663         (JSC::lookupExceptionHandlerFromCallerFrame): Changed NativeCallFrameTracer() to
2664         NativeCallFrameTracerWithRestore() so that VM::topVMEntryFrame will be updated
2665         before calling genericUnwind().
2666
2667 2014-08-24  Brian J. Burg  <burg@cs.washington.edu>
2668
2669         Web Inspector: rename Inspector::TypeBuilder to Inspector::Protocol
2670         https://bugs.webkit.org/show_bug.cgi?id=136031
2671
2672         Reviewed by Timothy Hatcher.
2673
2674         Rename TypeBuilder namespace to Protocol. Disambiguate where
2675         necessary. Also rename InspectorTypeBuilder to ProtocolTypes.
2676
2677         * CMakeLists.txt:
2678         * DerivedSources.make:
2679         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2680         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2681         * JavaScriptCore.vcxproj/copy-files.cmd:
2682         * JavaScriptCore.xcodeproj/project.pbxproj:
2683         * inspector/ConsoleMessage.cpp:
2684         (Inspector::messageSourceValue):
2685         (Inspector::messageTypeValue):
2686         (Inspector::messageLevelValue):
2687         (Inspector::ConsoleMessage::addToFrontend):
2688         * inspector/ContentSearchUtilities.cpp:
2689         (Inspector::ContentSearchUtilities::buildObjectForSearchMatch):
2690         (Inspector::ContentSearchUtilities::searchInTextByLines):
2691         * inspector/ContentSearchUtilities.h:
2692         * inspector/InjectedScript.cpp:
2693         (Inspector::InjectedScript::evaluate):
2694         (Inspector::InjectedScript::callFunctionOn):
2695         (Inspector::InjectedScript::evaluateOnCallFrame):
2696         (Inspector::InjectedScript::getFunctionDetails):
2697         (Inspector::InjectedScript::getProperties):
2698         (Inspector::InjectedScript::getInternalProperties):
2699         (Inspector::InjectedScript::wrapCallFrames):
2700         (Inspector::InjectedScript::wrapObject):
2701         (Inspector::InjectedScript::wrapTable):
2702         * inspector/InjectedScript.h:
2703         * inspector/InjectedScriptBase.cpp:
2704         (Inspector::InjectedScriptBase::makeEvalCall):
2705         * inspector/InjectedScriptBase.h:
2706         * inspector/InspectorTypeBuilder.h: Removed.
2707         * inspector/ScriptCallFrame.cpp:
2708         (Inspector::ScriptCallFrame::buildInspectorObject):
2709         * inspector/ScriptCallFrame.h:
2710         * inspector/ScriptCallStack.cpp:
2711         (Inspector::ScriptCallStack::buildInspectorArray):
2712         * inspector/ScriptCallStack.h:
2713         * inspector/agents/InspectorAgent.cpp:
2714         (Inspector::InspectorAgent::inspect):
2715         * inspector/agents/InspectorAgent.h:
2716         * inspector/agents/InspectorDebuggerAgent.cpp:
2717         (Inspector::breakpointActionTypeForString):
2718         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
2719         (Inspector::InspectorDebuggerAgent::setBreakpoint):
2720         (Inspector::InspectorDebuggerAgent::resolveBreakpoint):
2721         (Inspector::InspectorDebuggerAgent::searchInContent):
2722         (Inspector::InspectorDebuggerAgent::getFunctionDetails):
2723         (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
2724         (Inspector::InspectorDebuggerAgent::currentCallFrames):
2725         (Inspector::InspectorDebuggerAgent::didParseSource):
2726         (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
2727         * inspector/agents/InspectorDebuggerAgent.h:
2728         * inspector/agents/InspectorProfilerAgent.cpp:
2729         (Inspector::InspectorProfilerAgent::createProfileHeader):
2730         (Inspector::InspectorProfilerAgent::getProfileHeaders):
2731         (Inspector::buildInspectorObject):
2732         (Inspector::InspectorProfilerAgent::buildProfileInspectorObject):
2733         (Inspector::InspectorProfilerAgent::getCPUProfile):
2734         * inspector/agents/InspectorProfilerAgent.h:
2735         * inspector/agents/InspectorRuntimeAgent.cpp:
2736         (Inspector::buildErrorRangeObject):
2737         (Inspector::InspectorRuntimeAgent::parse):
2738         (Inspector::InspectorRuntimeAgent::evaluate):
2739         (Inspector::InspectorRuntimeAgent::callFunctionOn):
2740         (Inspector::InspectorRuntimeAgent::getProperties):
2741         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
2742         * inspector/agents/InspectorRuntimeAgent.h:
2743         * inspector/scripts/codegen/__init__.py:
2744         * inspector/scripts/codegen/generate_backend_dispatcher_header.py:
2745         (BackendDispatcherHeaderGenerator.generate_output):
2746         * inspector/scripts/codegen/generate_backend_dispatcher_implementation.py:
2747         (BackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
2748         (BackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
2749         * inspector/scripts/codegen/generate_frontend_dispatcher_header.py:
2750         (FrontendDispatcherHeaderGenerator.generate_output):
2751         * inspector/scripts/codegen/generate_frontend_dispatcher_implementation.py:
2752         (FrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
2753         * inspector/scripts/codegen/generate_type_builder_header.py: Removed.
2754         * inspector/scripts/codegen/generate_type_builder_implementation.py: Removed.
2755         * inspector/scripts/codegen/generator.py:
2756         (Generator.protocol_type_string_for_type):
2757         (Generator.protocol_type_string_for_type_member):
2758         (Generator.type_string_for_type_with_name):
2759         (Generator.type_string_for_formal_out_parameter):
2760         (Generator.type_string_for_formal_async_parameter):
2761         (Generator.type_string_for_stack_in_parameter):
2762         (Generator.type_string_for_stack_out_parameter):
2763         (Generator.assertion_method_for_type_member.assertion_method_for_type):
2764         (Generator.assertion_method_for_type_member):
2765         (Generator.type_builder_string_for_type): Deleted.
2766         (Generator.type_builder_string_for_type_member): Deleted.
2767         * inspector/scripts/codegen/generator_templates.py:
2768         (Inspector):
2769         * inspector/scripts/generate-inspector-protocol-bindings.py:
2770         (generate_from_specification):
2771         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2772         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2773         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2774         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2775         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
2776         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
2777         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
2778         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2779         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
2780         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2781         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2782         * runtime/HighFidelityTypeProfiler.cpp:
2783         (JSC::HighFidelityTypeProfiler::getTypesForVariableAtOffsetForInspector):
2784         * runtime/HighFidelityTypeProfiler.h:
2785         * runtime/TypeSet.cpp:
2786         (JSC::TypeSet::allPrimitiveTypeNames):
2787         (JSC::TypeSet::allStructureRepresentations):
2788         (JSC::StructureShape::inspectorRepresentation):
2789         * runtime/TypeSet.h:
2790
2791 2014-08-24  Brian J. Burg  <burg@cs.washington.edu>
2792
2793         Web Inspector: Rename DOM.RGBA and remove workarounds in the bindings generator
2794         https://bugs.webkit.org/show_bug.cgi?id=136025
2795
2796         Reviewed by Joseph Pecoraro.
2797
2798         This workaround can be removed since it is no longer necessary.
2799
2800         * inspector/scripts/codegen/models.py:
2801         (TypeReference.__init__):
2802         (Type.raw_name):
2803         (TypeDeclaration.__init__):
2804         * inspector/scripts/tests/type-declaration-object-type.json: Remove related test input.
2805         * inspector/scripts/tests/expected/type-declaration-object-type.json-result: Rebaseline.
2806
2807 2014-08-23  Joseph Pecoraro  <pecoraro@apple.com>
2808
2809         Web Inspector: Do not copy large module source strings
2810         https://bugs.webkit.org/show_bug.cgi?id=136191
2811
2812         Reviewed by Benjamin Poulain.
2813
2814         * inspector/InjectedScriptManager.cpp:
2815         (Inspector::InjectedScriptManager::injectedScriptSource):
2816
2817 2014-08-21  Michael Saboff  <msaboff@apple.com>
2818
2819         REGRESSION(r163179): Sporadic crash in js/dom/line-column-numbers.html test
2820         https://bugs.webkit.org/show_bug.cgi?id=136111
2821
2822         Reviewed by Filip Pizlo.
2823
2824         The problem was that we weren't properly handling VM::topVMEntryFrame in two ways.
2825
2826         First in the case where we get an exception of a stack overflow during setup of the direct
2827         callee frame of a VM entry frame, we need to throw the exception in the caller's frame.
2828         This requires unrolling topVMEntryFrame while creating the exception object.  This is
2829         accomplished with the renamed NativeCallFrameTracerWithRestore object.  As part of this,
2830         split the JIT rollback exception handling to call a new helper,
2831         callLookupExceptionHandlerFromCallerFrame, which will unroll the callFrame and VMEntryFrame.
2832
2833         Second, when we unwind to find a handler, we also need to unwind topVMCallFrame for the
2834         case where we end up (re)throwing another exception after entering the catch block, but
2835         before another vmEntry call.  Added VM::vmEntryFrameForThrow as a way similar to
2836         VM::callFrameForThrow to pass the appropriate VMEntryFrame to the catch block.
2837
2839         * dfg/DFGJITCompiler.cpp:
2840         (JSC::DFG::JITCompiler::compileExceptionHandlers):
2841         * ftl/FTLCompile.cpp:
2842         (JSC::FTL::fixFunctionBasedOnStackMaps):
2843         * jit/JIT.cpp:
2844         (JSC::JIT::privateCompileExceptionHandlers):
2845         Split out the unroll cases to use the new helper callLookupExceptionHandlerFromCallerFrame()
2846         to unwind both the callFrame and topVMEntryFrame.
2847
2848         * interpreter/Interpreter.cpp:
2849         (JSC::UnwindFunctor::UnwindFunctor):
2850         (JSC::UnwindFunctor::operator()):
2851         (JSC::Interpreter::unwind):
2852         * jit/JITExceptions.cpp:
2853         (JSC::genericUnwind):
2854         Added VMEntryFrame as another component to unwind.
2855
2856         * interpreter/Interpreter.h:
2857         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
2858         (JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore):
2859         (JSC::NativeCallFrameTracerWithRestore::~NativeCallFrameTracerWithRestore):
2860         Renamed and changed to save and restore topCallFrame and topVMEntryFrame around the setting of
2861         both values.
2862
2863         * interpreter/StackVisitor.cpp:
2864         (JSC::StackVisitor::gotoNextFrame):
2865         (JSC::StackVisitor::readNonInlinedFrame):
2866         * interpreter/StackVisitor.h:
2867         (JSC::StackVisitor::Frame::vmEntryFrame):
2868         Added code to unwind the VMEntryFrame.
2869
2870         * jit/CCallHelpers.h:
2871         (JSC::CCallHelpers::jumpToExceptionHandler): Updated comment to indicate that the value
2872         the handler should use for VM::topEntryFrame is in VM::vmEntryFrameForThrow.
2873
2874         * jit/JITOpcodes.cpp:
2875         (JSC::JIT::emit_op_catch):
2876         * jit/JITOpcodes32_64.cpp:
2877         (JSC::JIT::emit_op_catch):
2878         * llint/LowLevelInterpreter32_64.asm:
2879         * llint/LowLevelInterpreter64.asm:
2880         Added code to update VM::topVMEntryFrame from VM::vmEntryFrameForThrowOffset.
2881
2882         * jit/JITOperations.cpp:
2883         * jit/JITOperations.h:
2884         (JSC::operationThrowStackOverflowError):
2885         (JSC::operationCallArityCheck):
2886         (JSC::operationConstructArityCheck):
2887
2888         * runtime/VM.h:
2889         (JSC::VM::vmEntryFrameForThrowOffset):
2890         (JSC::VM::topVMEntryFrameOffset):
2891         Added as the side channel to return the topVMEntryFrame that the handler should use.
2892
2893 2014-08-22  Daniel Bates  <dabates@apple.com>
2894
2895         [iOS] Disable ENABLE_IOS_{GESTURE, TOUCH}_EVENTS, and temporarily disable ENABLE_TOUCH_EVENTS
2896         and ENABLE_XSLT when building with the iOS public SDK
2897         https://bugs.webkit.org/show_bug.cgi?id=135945
2898
2899         Reviewed by Andy Estes.
2900
2901         * Configurations/FeatureDefines.xcconfig:
2902
2903 2014-08-22  Jon Lee  <jonlee@apple.com>
2904
2905         Fix iOS build due to r172832 and move RUBBER_BANDING out of FeatureDefines.h
2906         https://bugs.webkit.org/show_bug.cgi?id=136157
2907
2908         Reviewed by Simon Fraser.
2909
2910         * Configurations/FeatureDefines.xcconfig: Add ENABLE(RUBBER_BANDING).
2911
2912 2014-08-21  Mark Lam  <mark.lam@apple.com>
2913
2914         r171362 accidentally increased the size of InlineCallFrame.
2915         <https://webkit.org/b/136141>
2916
2917         Reviewed by Filip Pizlo.
2918
2919         r171362 increased the size of InlineCallFrame::kind to 2 bits.  This increased
2920         the size of InlineCallFrame from 72 to 80 though not intentionally.  The fix
2921         is to reduce the size of InlineCallFrame::stackOffset to 29 bits.
2922
2923         Also added an assert to ensure that we never set a value that exceeds the size
2924         of InlineCallFrame::stackOffset.
2925
2926         * bytecode/CodeOrigin.h:
2927         (JSC::InlineCallFrame::setStackOffset):
2928         * dfg/DFGByteCodeParser.cpp:
2929         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2930
2931 2014-08-21  Joseph Pecoraro  <pecoraro@apple.com>
2932
2933         Web Inspector: RetainPtr misuse, CFRunLoopSource leak
2934         https://bugs.webkit.org/show_bug.cgi?id=136143
2935
2936         Reviewed by Timothy Hatcher.
2937
2938         Adopt a Create into the RetainPtr to avoid leaking.
2939
2940         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
2941         (Inspector::RemoteInspectorDebuggableConnection::setupRunLoop):
2942
2943 2014-08-21  Mark Lam  <mark.lam@apple.com>
2944
2945         REGRESSION(r172808): It made 6 different tests fail on 32 bit platforms.
2946         <https://webkit.org/b/136123>
2947
2948         Reviewed by Filip Pizlo.
2949
2950         The original patch in r172808 removed the code to skip the top scope in
2951         the 64-bit port of JIT::emitResolveClosure() but not in the 32-bit port.
2952         This patch fixes that and achieves parity.
2953
2954         * jit/JITPropertyAccess32_64.cpp:
2955         (JSC::JIT::emitResolveClosure):
2956
2957 2014-08-21  Zalan Bujtas  <zalan@apple.com>
2958
2959         Enable SATURATED_LAYOUT_ARITHMETIC.
2960         https://bugs.webkit.org/show_bug.cgi?id=136106
2961
2962         Reviewed by Simon Fraser.
2963
2964         SATURATED_LAYOUT_ARITHMETIC protects LayoutUnit against arithmetic overflow.
2965         (No measurable performance regression on Mac.)
2966
2967         * Configurations/FeatureDefines.xcconfig:
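
         The following is an added illustration of the guarded arithmetic this entry enables; it is
         not WebKit's LayoutUnit or any code from this patch. The names (saturatedAddition,
         SaturatedLayoutUnit) and the fixed-point denominator of 64 are assumptions made for the
         example. Each operation tests against the int32 limits before computing, so the result
         clamps at the limit instead of wrapping, and the check itself never overflows.

```cpp
#include <cstdint>
#include <limits>

// Constructed example, not WebKit's LayoutUnit: a fixed-point layout value with
// kFixedPointDenominator sub-pixel units per pixel whose arithmetic clamps at the
// int32 limits instead of wrapping. The denominator is an assumption.
constexpr int kFixedPointDenominator = 64;

// a + b, clamped to the int32 range. The comparisons are arranged so that the
// final addition is only performed when it cannot overflow.
inline int32_t saturatedAddition(int32_t a, int32_t b)
{
    constexpr int32_t maxValue = std::numeric_limits<int32_t>::max();
    constexpr int32_t minValue = std::numeric_limits<int32_t>::min();
    if (b > 0 && a > maxValue - b)
        return maxValue;
    if (b < 0 && a < minValue - b)
        return minValue;
    return a + b;
}

// a - b, clamped to the int32 range, with the same pre-check structure.
inline int32_t saturatedSubtraction(int32_t a, int32_t b)
{
    constexpr int32_t maxValue = std::numeric_limits<int32_t>::max();
    constexpr int32_t minValue = std::numeric_limits<int32_t>::min();
    if (b < 0 && a > maxValue + b)
        return maxValue;
    if (b > 0 && a < minValue + b)
        return minValue;
    return a - b;
}

// For contrast: the wrapped result an unguarded addition yields. Done in unsigned
// arithmetic, which wraps by definition, so the demonstration stays well defined.
inline int32_t wrappingAddition(int32_t a, int32_t b)
{
    return static_cast<int32_t>(static_cast<uint32_t>(a) + static_cast<uint32_t>(b));
}

class SaturatedLayoutUnit {
public:
    // Pixel counts too large for the fixed-point range clamp as well, so a huge
    // length never wraps into a small or negative one.
    static SaturatedLayoutUnit fromPixels(int pixels)
    {
        SaturatedLayoutUnit unit;
        if (pixels > std::numeric_limits<int32_t>::max() / kFixedPointDenominator)
            unit.m_value = std::numeric_limits<int32_t>::max();
        else if (pixels < std::numeric_limits<int32_t>::min() / kFixedPointDenominator)
            unit.m_value = std::numeric_limits<int32_t>::min();
        else
            unit.m_value = pixels * kFixedPointDenominator;
        return unit;
    }

    int32_t rawValue() const { return m_value; }
    int toPixels() const { return m_value / kFixedPointDenominator; }

    SaturatedLayoutUnit operator+(SaturatedLayoutUnit other) const
    {
        SaturatedLayoutUnit result;
        result.m_value = saturatedAddition(m_value, other.m_value);
        return result;
    }

    SaturatedLayoutUnit operator-(SaturatedLayoutUnit other) const
    {
        SaturatedLayoutUnit result;
        result.m_value = saturatedSubtraction(m_value, other.m_value);
        return result;
    }

private:
    int32_t m_value = 0;
};
```

         The point of the pre-checks is that the guard runs before the operation that would
         overflow; a check of the form `a + b < a` performs the signed overflow first and is
         undefined behaviour the compiler may optimise away.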
2968
2969 2014-08-20  Saam Barati  <sbarati@apple.com>
2970
2971         Fix how CodeBlock dumps the opcode op_profile_type
2972         https://bugs.webkit.org/show_bug.cgi?id=136088
2973
2974         Reviewed by Filip Pizlo.
2975
2976         op_profile_type was modified to receive two extra arguments,
2977         but its dump in CodeBlock::dumpBytecode wasn't changed to 
2978         account for this, so it broke CodeBlock::dumpBytecode when
2979         op_profile_type was in the stream of bytecode instructions.
2980         CodeBlock::dumpBytecode now accounts for the change in 
2981         op_profile_type's arity.
2982
2983         * bytecode/CodeBlock.cpp:
2984         (JSC::CodeBlock::dumpBytecode):
2985
2986 2014-08-20  Saam Barati  <sbarati@apple.com>
2987
2988         Rename HighFidelityTypeProfiling variables for more clarity
2989         https://bugs.webkit.org/show_bug.cgi?id=135899
2990
2991         Reviewed by Geoffrey Garen.
2992
2993         Many names that are used in the type profiling infrastructure
2994         prefix themselves with "HighFidelity" or include the words "high"
2995         and/or "fidelity" in some way. But the words "high" and "fidelity" don't 
2996         add anything descriptive to the names surrounding type profiling. 
2997         So this patch removes all uses of "HighFidelity" and its variants.
2998
2999         Most renamings change "HighFidelity*" to "TypeProfiler*" or simply 
3000         drop the prefix "HighFidelity" altogether. Now, almost all names
3001         in relation to type profiling contain in them "TypeProfiler" or 
3002         "TypeProfiling" or some combination of the words "type" and "profile".
3003
3004         This patch also changes how we check if type profiling is enabled:
3005         We no longer call vm::isProfilingTypesWithHighFidelity. We now just 
3006         check that vm::typeProfiler is not null.
3007
3008         This patch also changes all calls to TypeProfilerLog::processLogEntries
3009         to use ASCIILiteral to form WTFStrings instead of vanilla C string literals.
3010
3011         * CMakeLists.txt:
3012         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3013         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3014         * JavaScriptCore.xcodeproj/project.pbxproj:
3015         * bytecode/BytecodeList.json:
3016         * bytecode/BytecodeUseDef.h:
3017         (JSC::computeUsesForBytecodeOffset):
3018         (JSC::computeDefsForBytecodeOffset):
3019         * bytecode/CodeBlock.cpp:
3020         (JSC::CodeBlock::dumpBytecode):
3021         (JSC::CodeBlock::CodeBlock):
3022         * bytecode/TypeLocation.h:
3023         * bytecode/UnlinkedCodeBlock.cpp:
3024         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3025         (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset):
3026         (JSC::UnlinkedCodeBlock::addTypeProfilerExpressionInfo):
3027         (JSC::UnlinkedCodeBlock::highFidelityTypeProfileExpressionInfoForBytecodeOffset): Deleted.
3028         (JSC::UnlinkedCodeBlock::addHighFidelityTypeProfileExpressionInfo): Deleted.
3029         * bytecode/UnlinkedCodeBlock.h:
3030         (JSC::UnlinkedFunctionExecutable::typeProfilingStartOffset):
3031         (JSC::UnlinkedFunctionExecutable::typeProfilingEndOffset):
3032         (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingStartOffset): Deleted.
3033         (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingEndOffset): Deleted.
3034         * bytecompiler/BytecodeGenerator.cpp:
3035         (JSC::BytecodeGenerator::generate):
3036         (JSC::BytecodeGenerator::BytecodeGenerator):
3037         (JSC::BytecodeGenerator::emitMove):
3038         (JSC::BytecodeGenerator::emitTypeProfilerExpressionInfo):
3039         (JSC::BytecodeGenerator::emitProfileType):
3040         (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo): Deleted.
3041         (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity): Deleted.
3042         * bytecompiler/BytecodeGenerator.h:
3043         (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity): Deleted.
3044         * bytecompiler/NodesCodegen.cpp:
3045         (JSC::ThisNode::emitBytecode):
3046         (JSC::ResolveNode::emitBytecode):
3047         (JSC::BracketAccessorNode::emitBytecode):
3048         (JSC::DotAccessorNode::emitBytecode):
3049         (JSC::FunctionCallValueNode::emitBytecode):
3050         (JSC::FunctionCallResolveNode::emitBytecode):
3051         (JSC::FunctionCallBracketNode::emitBytecode):
3052         (JSC::FunctionCallDotNode::emitBytecode):
3053         (JSC::CallFunctionCallDotNode::emitBytecode):
3054         (JSC::ApplyFunctionCallDotNode::emitBytecode):
3055         (JSC::PostfixNode::emitResolve):
3056         (JSC::PostfixNode::emitBracket):
3057         (JSC::PostfixNode::emitDot):
3058         (JSC::PrefixNode::emitResolve):
3059         (JSC::PrefixNode::emitBracket):
3060         (JSC::PrefixNode::emitDot):
3061         (JSC::ReadModifyResolveNode::emitBytecode):
3062         (JSC::AssignResolveNode::emitBytecode):
3063         (JSC::AssignDotNode::emitBytecode):
3064         (JSC::ReadModifyDotNode::emitBytecode):
3065         (JSC::AssignBracketNode::emitBytecode):
3066         (JSC::ReadModifyBracketNode::emitBytecode):
3067         (JSC::ConstDeclNode::emitCodeSingle):
3068         (JSC::EmptyVarExpression::emitBytecode):
3069         (JSC::ReturnNode::emitBytecode):
3070         (JSC::FunctionBodyNode::emitBytecode):
3071         * heap/Heap.cpp:
3072         (JSC::Heap::collect):
3073         * inspector/agents/InspectorRuntimeAgent.cpp:
3074         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
3075         (Inspector::recompileAllJSFunctionsForTypeProfiling):
3076         (Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend):
3077         (Inspector::InspectorRuntimeAgent::enableTypeProfiler):
3078         (Inspector::InspectorRuntimeAgent::disableTypeProfiler):
3079         (Inspector::InspectorRuntimeAgent::setTypeProfilerEnabledState):
3080         (Inspector::InspectorRuntimeAgent::enableHighFidelityTypeProfiling): Deleted.
3081         (Inspector::InspectorRuntimeAgent::disableHighFidelityTypeProfiling): Deleted.
3082         (Inspector::InspectorRuntimeAgent::setHighFidelityTypeProfilingEnabledState): Deleted.
3083         * inspector/agents/InspectorRuntimeAgent.h:
3084         * inspector/protocol/Runtime.json:
3085         * jit/JIT.cpp:
3086         (JSC::JIT::privateCompileMainPass):
3087         (JSC::JIT::privateCompile):
3088         * jit/JIT.h:
3089         * jit/JITOpcodes.cpp:
3090         (JSC::JIT::emit_op_profile_type):
3091         (JSC::JIT::emit_op_profile_types_with_high_fidelity): Deleted.
3092         * jit/JITOpcodes32_64.cpp:
3093         (JSC::JIT::emit_op_profile_type):
3094         (JSC::JIT::emit_op_profile_types_with_high_fidelity): Deleted.
3095         * jit/JITOperations.cpp:
3096         * jsc.cpp:
3097         (functionDumpTypesForAllVariables):
3098         * llint/LLIntSlowPaths.cpp:
3099         * llint/LowLevelInterpreter.asm:
3100         * runtime/CodeCache.cpp:
3101         (JSC::CodeCache::getGlobalCodeBlock):
3102         * runtime/CommonSlowPaths.cpp:
3103         (JSC::SLOW_PATH_DECL):
3104         * runtime/CommonSlowPaths.h:
3105         * runtime/Executable.cpp:
3106         (JSC::ScriptExecutable::ScriptExecutable):
3107         (JSC::ProgramExecutable::ProgramExecutable):
3108         (JSC::FunctionExecutable::FunctionExecutable):
3109         (JSC::ProgramExecutable::initializeGlobalProperties):
3110         * runtime/Executable.h:
3111         (JSC::ScriptExecutable::typeProfilingStartOffset):
3112         (JSC::ScriptExecutable::typeProfilingEndOffset):
3113         (JSC::ScriptExecutable::highFidelityTypeProfilingStartOffset): Deleted.
3114         (JSC::ScriptExecutable::highFidelityTypeProfilingEndOffset): Deleted.
3115         * runtime/HighFidelityLog.cpp: Removed.
3116         * runtime/HighFidelityLog.h: Removed.
3117         * runtime/HighFidelityTypeProfiler.cpp: Removed.
3118         * runtime/HighFidelityTypeProfiler.h: Removed.
3119         * runtime/Options.h:
3120         * runtime/SymbolTable.cpp:
3121         (JSC::SymbolTable::prepareForTypeProfiling):
3122         (JSC::SymbolTable::uniqueIDForVariable):
3123         (JSC::SymbolTable::uniqueIDForRegister):
3124         (JSC::SymbolTable::prepareForHighFidelityTypeProfiling): Deleted.
3125         * runtime/SymbolTable.h:
3126         * runtime/TypeProfiler.cpp: Added.
3127         (JSC::TypeProfiler::logTypesForTypeLocation):
3128         (JSC::TypeProfiler::insertNewLocation):
3129         (JSC::TypeProfiler::getTypesForVariableAtOffsetForInspector):
3130         (JSC::descriptorMatchesTypeLocation):
3131         (JSC::TypeProfiler::findLocation):
3132         * runtime/TypeProfiler.h: Added.
3133         (JSC::QueryKey::QueryKey):
3134         (JSC::QueryKey::isHashTableDeletedValue):
3135         (JSC::QueryKey::operator==):
3136         (JSC::QueryKey::hash):
3137         (JSC::QueryKeyHash::hash):
3138         (JSC::QueryKeyHash::equal):
3139         (JSC::TypeProfiler::functionHasExecutedCache):
3140         (JSC::TypeProfiler::typeLocationCache):
3141         * runtime/TypeProfilerLog.cpp: Added.
3142         (JSC::TypeProfilerLog::initializeLog):
3143         (JSC::TypeProfilerLog::~TypeProfilerLog):
3144         (JSC::TypeProfilerLog::processLogEntries):
3145         * runtime/TypeProfilerLog.h: Added.
3146         (JSC::TypeProfilerLog::LogEntry::structureIDOffset):
3147         (JSC::TypeProfilerLog::LogEntry::valueOffset):
3148         (JSC::TypeProfilerLog::LogEntry::locationOffset):
3149         (JSC::TypeProfilerLog::TypeProfilerLog):
3150         (JSC::TypeProfilerLog::recordTypeInformationForLocation):
3151         (JSC::TypeProfilerLog::logEndPtr):
3152         (JSC::TypeProfilerLog::logStartOffset):
3153         (JSC::TypeProfilerLog::currentLogEntryOffset):
3154         * runtime/VM.cpp:
3155         (JSC::VM::VM):
3156         (JSC::VM::enableTypeProfiler):
3157         (JSC::VM::disableTypeProfiler):
3158         (JSC::VM::dumpTypeProfilerData):
3159         (JSC::VM::enableHighFidelityTypeProfiling): Deleted.
3160         (JSC::VM::disableHighFidelityTypeProfiling): Deleted.
3161         (JSC::VM::dumpHighFidelityProfilingTypes): Deleted.
3162         * runtime/VM.h:
3163         (JSC::VM::typeProfilerLog):
3164         (JSC::VM::typeProfiler):
3165         (JSC::VM::isProfilingTypesWithHighFidelity): Deleted.
3166         (JSC::VM::highFidelityLog): Deleted.
3167         (JSC::VM::highFidelityTypeProfiler): Deleted.
3168
3169 2014-08-20  Csaba Osztrogonác  <ossy@webkit.org>
3170
3171         URTBF after r172799.
3172
3173         * disassembler/ARM64/A64DOpcode.cpp:
3174         * disassembler/ARM64Disassembler.cpp:
3175
3176 2014-08-20  Oliver Hunt  <oliver@apple.com>
3177
3178         Stop implicitly skipping a function's own activation when walking the scope chain
3179         https://bugs.webkit.org/show_bug.cgi?id=136118
3180
3181         Reviewed by Geoffrey Garen.
3182
3183         Remove the current logic that implicitly skips a function's
3184         own activation when walking the scope chain. This is ground
3185         work for ensuring that all closed variable access is made
3186         through the function's activation. This leads to a further
        10% regression on earley, but we're already tracking the
        overall performance regression.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getScope):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitResolveClosure):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSScope.cpp:
        (JSC::JSScope::abstractResolve):
        * runtime/JSScope.h:

2014-08-20  Michael Saboff  <msaboff@apple.com>

        REGRESSION: Web Inspector crashes when reloading apple.com with Timeline recording active
        https://bugs.webkit.org/show_bug.cgi?id=136034

        Reviewed by Mark Lam.

        DebuggerCallFrame::positionForCallFrame is trying to unwind starting somewhere in the middle
        of the stack.  Hardened StackVisitor to skip over the frames between the current top frame
        and the requested start frame.

        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::StackVisitor):

2014-08-20  Brent Fulgham  <bfulgham@apple.com>

        [Win] JavaScriptCore.dll is missing version information.
        https://bugs.webkit.org/show_bug.cgi?id=136105
        <rdar://problem/18075852>

        Reviewed by Dean Jackson.

        * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd: Add missing step to generate
        version information for intermediary build path.

2014-08-20  Saam Barati  <sbarati@apple.com>

        Fix a memory leak in TypeSet
        https://bugs.webkit.org/show_bug.cgi?id=135913

        Reviewed by Filip Pizlo.

        Currently, TypeSet unconditionally allocates memory for its member
        variable m_structureHistory, but never deallocates it. Change this
        from being a pointer that is unconditionally allocated to a member
        variable that will be deallocated when TypeSet itself is deallocated.

        * runtime/TypeSet.cpp:
        (JSC::TypeSet::TypeSet):
        (JSC::TypeSet::addTypeInformation):
        (JSC::TypeSet::seenTypes):
        (JSC::TypeSet::displayName):
        (JSC::TypeSet::allStructureRepresentations):
        (JSC::StructureShape::leastCommonAncestor):
        * runtime/TypeSet.h:

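The ownership change described in the TypeSet entry above, as an added example that is not JavaScriptCore's code: a raw pointer member allocated in the constructor and never deleted, beside the value-member form that the entry switches to. The StructureHistory, LeakyTypeSet and FixedTypeSet names are hypothetical stand-ins; StructureHistory keeps a small registry of live instances so the leak is countable without an external tool.

```cpp
// Added example (not JavaScriptCore code). Names are hypothetical.
#include <cstddef>
#include <set>
#include <vector>

// Stand-in for the per-TypeSet history buffer. Every instance registers
// itself in a global set on construction and removes itself on
// destruction, so the number of live instances can be read at any time
// (the same idea a leak checker uses, reduced to a few lines).
struct StructureHistory {
    std::vector<int> shapes;

    StructureHistory() { liveSet().insert(this); }
    ~StructureHistory() { liveSet().erase(this); }
    StructureHistory(const StructureHistory&) = delete;
    StructureHistory& operator=(const StructureHistory&) = delete;

    static std::set<StructureHistory*>& liveSet() {
        static std::set<StructureHistory*> live;
        return live;
    }
    static std::size_t liveInstances() { return liveSet().size(); }
};

// "Before": the history is allocated unconditionally and held through a
// raw pointer that no destructor ever deletes, so each LeakyTypeSet that
// goes out of scope leaves one StructureHistory behind.
class LeakyTypeSet {
public:
    LeakyTypeSet() : m_structureHistory(new StructureHistory) {}
    void addShape(int shape) { m_structureHistory->shapes.push_back(shape); }
private:
    StructureHistory* m_structureHistory;
};

// "After": the history is a plain member, so its lifetime is tied to the
// enclosing object and the implicit destructor releases it.
class FixedTypeSet {
public:
    void addShape(int shape) { m_structureHistory.shapes.push_back(shape); }
    std::size_t shapeCount() const { return m_structureHistory.shapes.size(); }
private:
    StructureHistory m_structureHistory;
};

// Create and destroy n objects of the leaky kind; return how many
// StructureHistory instances remain alive afterwards (expected: n).
std::size_t leakedAfterCreating(std::size_t n) {
    std::size_t before = StructureHistory::liveInstances();
    for (std::size_t i = 0; i < n; ++i) {
        LeakyTypeSet set;
        set.addShape(static_cast<int>(i));
    }
    return StructureHistory::liveInstances() - before;
}

// Same loop with the fixed kind (expected: 0 left alive).
std::size_t leakedAfterCreatingFixed(std::size_t n) {
    std::size_t before = StructureHistory::liveInstances();
    for (std::size_t i = 0; i < n; ++i) {
        FixedTypeSet set;
        set.addShape(static_cast<int>(i));
    }
    return StructureHistory::liveInstances() - before;
}
```

The registry is only there to make the leak observable in a test; in real code the same check is what a leak sanitizer or instrumented allocator performs at process exit.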
2014-08-20  peavo@outlook.com  <peavo@outlook.com>

        [Win] Assertion fails when running JSC stress tests.
        https://bugs.webkit.org/show_bug.cgi?id=136103

        Reviewed by Darin Adler.

        Use unsigned bitfield member instead of enum bitfield member to avoid negative values.

        * bytecode/CodeOrigin.h: Use unsigned bitfield member.
        (JSC::InlineCallFrame::specializationKind): Compile fix.

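The bit-field pitfall behind the CodeOrigin.h entry above, as an added example that is not JavaScriptCore's code: an enum-typed bit-field whose underlying type is signed reads back negative for the upper half of its range, so a check such as "is this a valid enumerator" fails. The Kind, EnumField and UnsignedField names are hypothetical; the unsigned-field form is the fix the entry describes.

```cpp
// Added example (not JavaScriptCore code). Names are hypothetical.
#include <cstdint>

// Four enumerators need two bits. The underlying type is fixed to int so
// that the enum itself is signed on every compiler.
enum Kind : int { KindA = 0, KindB = 1, KindC = 2, KindD = 3 };

// "Before": a bit-field declared with the enum type. As an unsigned two-bit
// field it could hold 0..3, but with a signed underlying type the field is
// signed (GCC, Clang and MSVC all do this), so its range is -2..1 and
// KindC/KindD wrap to negative values when read back.
struct EnumField {
    Kind kind : 2;
    unsigned otherBits : 30;
};

// "After": store the value in an unsigned bit-field and convert to the
// enum only at the accessor boundary.
struct UnsignedField {
    unsigned kind : 2;
    unsigned otherBits : 30;
    Kind kindValue() const { return static_cast<Kind>(kind); }
};

// Write an enumerator through the enum-typed field and report what it
// reads back as.
int readBackThroughEnumField(Kind k) {
    EnumField f{};
    f.kind = k;
    return static_cast<int>(f.kind);
}

// Same round trip through the unsigned field.
int readBackThroughUnsignedField(Kind k) {
    UnsignedField f{};
    f.kind = static_cast<unsigned>(k);
    return static_cast<int>(f.kindValue());
}

// The kind of range assertion a consumer of the field would make; the
// enum-typed field fails it for KindC and KindD.
bool isValidKind(int v) { return v >= KindA && v <= KindD; }
```

Whether a plain enum (no fixed underlying type) hits this depends on the compiler's choice of underlying type, which is why the failure showed up only on one platform; fixing the storage to unsigned removes the dependence.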
2014-08-20  Akos Kiss  <akiss@inf.u-szeged.hu>

        Enable ARM64 disassembler on EFL
        https://bugs.webkit.org/show_bug.cgi?id=136089

        Reviewed by Filip Pizlo.

        * CMakeLists.txt:
        Added disassembler/ARM64Disassembler.cpp and
        disassembler/ARM64/A64DOpcode.cpp to JavaScriptCore_SOURCES.

        * disassembler/ARM64/A64DOpcode.cpp:
        Added USE(ARM64_DISASSEMBLER) guard around implementation.

        * disassembler/ARM64/A64DOpcode.h:
        (JSC::ARM64Disassembler::A64DOpcode::appendUnsignedImmediate64):
        (JSC::ARM64Disassembler::A64DOpcode::appendPCRelativeOffset):
        Made format strings portable by changing "%llx" to "%" PRIx64 for
        uint64_t arguments.

2014-08-19  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r172401): for-in optimization no longer works at all
        https://bugs.webkit.org/show_bug.cgi?id=136056

        Reviewed by Geoffrey Garen.

        Roll this back in, along with a fix to make proxies work. Previously, for-in over proxies
        would instacrash every time.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetByVal):
        (JSC::BytecodeGenerator::pushIndexedForInScope):
        (JSC::BytecodeGenerator::pushStructureForInScope):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::ForInContext::ForInContext):
        (JSC::StructureForInContext::StructureForInContext):
        (JSC::IndexedForInContext::IndexedForInContext):
        (JSC::ForInContext::base): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitMultiLoopBytecode):
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::getStructurePropertyNames):
        (JSC::JSProxy::getGenericPropertyNames):
        * tests/stress/for-in-base-reassigned-later-and-change-structure.js: Added.
        (foo):
        * tests/stress/for-in-base-reassigned-later.js: Added.
        (foo):
        * tests/stress/for-in-base-reassigned.js: Added.
        (foo):
        * tests/stress/for-in-proxy-target-changed-structure.js: Added.
        (deleteAll):
        (foo):
        * tests/stress/for-in-proxy.js: Added.
        (foo):

2014-08-19  Jaehun Lim  <ljaehun.lim@samsung.com>

        Unreviewed, fix EFL build after r17275

        Fix error: ignoring #pragma clang diagnostic [-Werror=unknown-pragmas]

        * runtime/JSDataViewPrototype.cpp:
        Add #if COMPILER(CLANG) and #endif.

2014-08-19  Michael Saboff  <msaboff@apple.com>
