[JSC] Build fix for FTL on EFL after ftlopt merge
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-08-06  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        [JSC] Build fix for FTL on EFL after ftlopt merge
        https://bugs.webkit.org/show_bug.cgi?id=135565

        Reviewed by Mark Lam.

        Adding an enable guard for native inlining, since it now requires the bitcode
        emitted from Clang, and we don't have a good way of creating it from other compilers.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State):
        * ftl/FTLState.h:

2014-08-05  Csaba Osztrogonác  <ossy@webkit.org>

        URTBF after r172129. (ftlopt branch merge)

        Remove the duplicated friend declaration to fix this build failure:
        "error: ‘JSC::Structure’ is already a friend of ‘JSC::StructureRareData’ [-Werror]"

        * runtime/StructureRareData.h:

2014-08-05  Filip Pizlo  <fpizlo@apple.com>

        Attempt to fix CMake-based builds, part 3.

        * CMakeLists.txt:

2014-08-05  Filip Pizlo  <fpizlo@apple.com>

        Attempt to fix CMake-based builds, part 2.

        * CMakeLists.txt:

2014-08-05  Filip Pizlo  <fpizlo@apple.com>

        Attempt to fix Windows build, part 2.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:

2014-08-05  Filip Pizlo  <fpizlo@apple.com>

        Attempt to fix CMake-based builds.

        * CMakeLists.txt:

2014-08-05  Filip Pizlo  <fpizlo@apple.com>

        Attempt to fix Windows build.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:

2014-08-05  Filip Pizlo  <fpizlo@apple.com>

        Fix cloop build.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):

2014-07-29  Filip Pizlo  <fpizlo@apple.com>

        Merge r170564, r170571, r170604, r170628, r170672, r170680, r170724, r170728, r170729, r170819, r170821, r170836, r170855, r170860, r170890, r170907, r170929, r171052, r171106, r171152, r171153, r171214 from ftlopt.

        This part of the merge delivers roughly a 2% across-the-board performance
        improvement, mostly due to immutable property inference and DFG-side GCSE. It also
        almost completely resolves accessor performance issues; in the common case the DFG
        will compile a getter/setter access into code that is just as efficient as a normal
        property access.

        Another major highlight of this part of the merge is the work to add a type profiler
        to the inspector. This work is still on-going but this greatly increases coverage.

        Note that this merge fixes a minor bug in the GetterSetter refactoring from
        http://trac.webkit.org/changeset/170729 (https://bugs.webkit.org/show_bug.cgi?id=134518).
        It also adds new tests to tests/stress to cover that bug. That bug was previously only
        covered by layout tests.

    2014-07-17  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] DFG Flush(SetLocal) store elimination is overzealous for captured variables in the presence of nodes that have no effects but may throw (merge trunk r171190)
            https://bugs.webkit.org/show_bug.cgi?id=135019

            Reviewed by Oliver Hunt.

            Behaviorally, this is just a merge of trunk r171190, except that the relevant functionality
            has moved to StrengthReductionPhase and is written in a different style. Same algorithm,
            different code.

            * dfg/DFGNodeType.h:
            * dfg/DFGStrengthReductionPhase.cpp:
            (JSC::DFG::StrengthReductionPhase::handleNode):
            * tests/stress/capture-escape-and-throw.js: Added.
            (foo.f):
            (foo):
            * tests/stress/new-array-with-size-throw-exception-and-tear-off-arguments.js: Added.
            (foo):
            (bar):

    2014-07-15  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] Constant fold GetGetter and GetSetter if the GetterSetter is a constant
            https://bugs.webkit.org/show_bug.cgi?id=134962

            Reviewed by Oliver Hunt.

            This removes yet another steady-state-throughput implication of using getters and setters:
            if your accessor call is monomorphic then you'll just get a structure check, nothing more.
            No more loads to get to the GetterSetter object or the accessor function object.

            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * runtime/GetterSetter.h:
            (JSC::GetterSetter::getterConcurrently):
            (JSC::GetterSetter::setGetter):
            (JSC::GetterSetter::setterConcurrently):
            (JSC::GetterSetter::setSetter):

    2014-07-15  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] Identity replacement in CSE shouldn't create a Phantom over the Identity's children
            https://bugs.webkit.org/show_bug.cgi?id=134893

            Reviewed by Oliver Hunt.

            Replace Identity with Check instead of Phantom. Phantom means that the child of the
            Identity should be unconditionally live. The liveness semantics of Identity are such that
            if the parents of Identity are live then the child is live. Removing the Identity entirely
            preserves such liveness semantics. So, the only thing that should be left behind is the
            type check on the child, which is what Check means: do the check but don't keep the child
            alive if the check isn't needed.

            * dfg/DFGCSEPhase.cpp:
            * dfg/DFGNode.h:
            (JSC::DFG::Node::convertToCheck):

    2014-07-13  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] DFG should be able to do GCSE in SSA and this should be unified with the CSE in CPS, and both of these things should use abstract heaps for reasoning about effects
            https://bugs.webkit.org/show_bug.cgi?id=134677

            Reviewed by Sam Weinig.

            This removes the old local CSE phase, which was based on manually written backward-search
            rules for all of the different kinds of things we cared about, and adds a new local/global
            CSE (local for CPS and global for SSA) that leaves the node semantics almost entirely up to
            clobberize(). Thus, the CSE phase itself just worries about the algorithms and data
            structures used for storing sets of available values. This results in a large reduction in
            code size in CSEPhase.cpp while greatly increasing the phase's power (since it now does
            global CSE) and reducing compile time (since local CSE is now rewritten to use smarter data
            structures). Even though LLVM was already running GVN, the extra GCSE at DFG IR level means
            that this is a significant (~0.7%) throughput improvement.

            This work is based on the concept of "def" to clobberize(). If clobberize() calls def(), it
            means that the node being analyzed makes available some value in some DFG node, and that
            future attempts to compute that value can simply use that node. In other words, it
            establishes an available value mapping of the form value=>node. There are two kinds of
            values that can be passed to def():

            PureValue. This captures everything needed to determine whether two pure nodes - nodes that
                neither read nor write, and produce a value that is a CSE candidate - are identical. It
                carries the NodeType, an AdjacencyList, and one word of meta-data. The meta-data is
                usually used for things like the arithmetic mode or constant pointer. Passing a
                PureValue to def() means that the node produces a value that is valid anywhere that the
                node dominates.

            HeapLocation. This describes a location in the heap that could be written to or read from.
                Both stores and loads can def() a HeapLocation. HeapLocation carries around an abstract
                heap that both serves as part of the "name" of the heap location (together with the
                other fields of HeapLocation) and also tells us what write()'s to watch for. If someone
                write()'s to an abstract heap that overlaps the heap associated with the HeapLocation,
                then it means that the values for that location are no longer available.

            This approach is sufficiently clever that the CSEPhase itself can focus on the mechanism of
            tracking the PureValue=>node and HeapLocation=>node maps, without having to worry about
            interpreting the semantics of different DFG node types - that is now almost entirely in
            clobberize(). The only things we special-case inside CSEPhase are the Identity node, which
            CSE is traditionally responsible for eliminating even though it has nothing to do with CSE,
            and the LocalCSE rule for turning PutByVal into PutByValAlias.

            This is a slight Octane, SunSpider, and Kraken speed-up - all somewhere around 0.7%. It's
            not a bigger win because LLVM was already giving us most of what we needed in its GVN.
            Also, the SunSpider speed-up isn't from GCSE as much as it's a clean-up of local CSE - that
            is no longer O(n^2). Basically this is purely good: it reduces the amount of LLVM IR we
            generate, it removes the old CSE's heap modeling (which was a constant source of bugs), and
            it improves both the quality of the code we generate and the speed with which we generate
            it. Also, any future optimizations that depend on GCSE will now be easier to implement.

            During the development of this patch I also rationalized some other stuff, like Graph's
            ordered traversals - we now have preorder and postorder rather than just "depth first".

            * CMakeLists.txt:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * dfg/DFGAbstractHeap.h:
            * dfg/DFGAdjacencyList.h:
            (JSC::DFG::AdjacencyList::hash):
            (JSC::DFG::AdjacencyList::operator==):
            * dfg/DFGBasicBlock.h:
            * dfg/DFGCSEPhase.cpp:
            (JSC::DFG::performLocalCSE):
            (JSC::DFG::performGlobalCSE):
            (JSC::DFG::CSEPhase::CSEPhase): Deleted.
            (JSC::DFG::CSEPhase::run): Deleted.
            (JSC::DFG::CSEPhase::endIndexForPureCSE): Deleted.
            (JSC::DFG::CSEPhase::pureCSE): Deleted.
            (JSC::DFG::CSEPhase::constantCSE): Deleted.
            (JSC::DFG::CSEPhase::constantStoragePointerCSE): Deleted.
            (JSC::DFG::CSEPhase::getCalleeLoadElimination): Deleted.
            (JSC::DFG::CSEPhase::getArrayLengthElimination): Deleted.
            (JSC::DFG::CSEPhase::globalVarLoadElimination): Deleted.
            (JSC::DFG::CSEPhase::scopedVarLoadElimination): Deleted.
            (JSC::DFG::CSEPhase::varInjectionWatchpointElimination): Deleted.
            (JSC::DFG::CSEPhase::getByValLoadElimination): Deleted.
            (JSC::DFG::CSEPhase::checkFunctionElimination): Deleted.
            (JSC::DFG::CSEPhase::checkExecutableElimination): Deleted.
            (JSC::DFG::CSEPhase::checkStructureElimination): Deleted.
            (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination): Deleted.
            (JSC::DFG::CSEPhase::getByOffsetLoadElimination): Deleted.
            (JSC::DFG::CSEPhase::getGetterSetterByOffsetLoadElimination): Deleted.
            (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination): Deleted.
            (JSC::DFG::CSEPhase::checkArrayElimination): Deleted.
            (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination): Deleted.
            (JSC::DFG::CSEPhase::getInternalFieldLoadElimination): Deleted.
            (JSC::DFG::CSEPhase::getMyScopeLoadElimination): Deleted.
            (JSC::DFG::CSEPhase::getLocalLoadElimination): Deleted.
            (JSC::DFG::CSEPhase::invalidationPointElimination): Deleted.
            (JSC::DFG::CSEPhase::setReplacement): Deleted.
            (JSC::DFG::CSEPhase::eliminate): Deleted.
            (JSC::DFG::CSEPhase::performNodeCSE): Deleted.
            (JSC::DFG::CSEPhase::performBlockCSE): Deleted.
            (JSC::DFG::performCSE): Deleted.
            * dfg/DFGCSEPhase.h:
            * dfg/DFGClobberSet.cpp:
            (JSC::DFG::addReads):
            (JSC::DFG::addWrites):
            (JSC::DFG::addReadsAndWrites):
            (JSC::DFG::readsOverlap):
            (JSC::DFG::writesOverlap):
            * dfg/DFGClobberize.cpp:
            (JSC::DFG::doesWrites):
            (JSC::DFG::accessesOverlap):
            (JSC::DFG::writesOverlap):
            * dfg/DFGClobberize.h:
            (JSC::DFG::clobberize):
            (JSC::DFG::NoOpClobberize::operator()):
            (JSC::DFG::CheckClobberize::operator()):
            (JSC::DFG::ReadMethodClobberize::ReadMethodClobberize):
            (JSC::DFG::ReadMethodClobberize::operator()):
            (JSC::DFG::WriteMethodClobberize::WriteMethodClobberize):
            (JSC::DFG::WriteMethodClobberize::operator()):
            (JSC::DFG::DefMethodClobberize::DefMethodClobberize):
            (JSC::DFG::DefMethodClobberize::operator()):
            * dfg/DFGDCEPhase.cpp:
            (JSC::DFG::DCEPhase::run):
            (JSC::DFG::DCEPhase::fixupBlock):
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::getBlocksInPreOrder):
            (JSC::DFG::Graph::getBlocksInPostOrder):
            (JSC::DFG::Graph::addForDepthFirstSort): Deleted.
            (JSC::DFG::Graph::getBlocksInDepthFirstOrder): Deleted.
            * dfg/DFGGraph.h:
            * dfg/DFGHeapLocation.cpp: Added.
            (JSC::DFG::HeapLocation::dump):
            (WTF::printInternal):
            * dfg/DFGHeapLocation.h: Added.
            (JSC::DFG::HeapLocation::HeapLocation):
            (JSC::DFG::HeapLocation::operator!):
            (JSC::DFG::HeapLocation::kind):
            (JSC::DFG::HeapLocation::heap):
            (JSC::DFG::HeapLocation::base):
            (JSC::DFG::HeapLocation::index):
            (JSC::DFG::HeapLocation::hash):
            (JSC::DFG::HeapLocation::operator==):
            (JSC::DFG::HeapLocation::isHashTableDeletedValue):
            (JSC::DFG::HeapLocationHash::hash):
            (JSC::DFG::HeapLocationHash::equal):
            * dfg/DFGLICMPhase.cpp:
            (JSC::DFG::LICMPhase::run):
            * dfg/DFGNode.h:
            (JSC::DFG::Node::replaceWith):
            (JSC::DFG::Node::convertToPhantomUnchecked): Deleted.
            * dfg/DFGPlan.cpp:
            (JSC::DFG::Plan::compileInThreadImpl):
            * dfg/DFGPureValue.cpp: Added.
            (JSC::DFG::PureValue::dump):
            * dfg/DFGPureValue.h: Added.
            (JSC::DFG::PureValue::PureValue):
            (JSC::DFG::PureValue::operator!):
            (JSC::DFG::PureValue::op):
            (JSC::DFG::PureValue::children):
            (JSC::DFG::PureValue::info):
            (JSC::DFG::PureValue::hash):
            (JSC::DFG::PureValue::operator==):
            (JSC::DFG::PureValue::isHashTableDeletedValue):
            (JSC::DFG::PureValueHash::hash):
            (JSC::DFG::PureValueHash::equal):
            * dfg/DFGSSAConversionPhase.cpp:
            (JSC::DFG::SSAConversionPhase::run):
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::lower):

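A runnable sketch of the def()/write() scheme the CSE entry above describes, added here as an illustration; it is not JavaScriptCore code. The Heap and Op enumerations, the overlap rule (World overlaps everything, the other heaps are disjoint), the tuple-based PureValue/HeapLocation keys and the sample block are all assumptions, chosen to show pure-value CSE, load elimination, store-to-load forwarding and invalidation by an overlapping write():

```cpp
#include <cstdint>
#include <map>
#include <tuple>
#include <vector>

// Abstract heaps. Assumed here: World overlaps everything, the rest are disjoint.
enum class Heap { World, NamedProperties, IndexedProperties, Variables };

static bool heapsOverlap(Heap a, Heap b) { return a == Heap::World || b == Heap::World || a == b; }

// Toy node kinds standing in for DFG NodeTypes.
enum class Op { Argument, Constant, ArithAdd, GetByOffset, PutByOffset, Call };

struct Node {
    int id;
    Op op;
    std::vector<int> children;  // AdjacencyList stand-in: child node ids
    int64_t info;               // the one word of meta-data: constant, argument index or offset
};

// PureValue: NodeType + children + meta-data; valid wherever the node dominates.
using PureValue = std::tuple<Op, std::vector<int>, int64_t>;
// HeapLocation: abstract heap + base node + offset; killed by overlapping write()s.
using HeapLocation = std::tuple<Heap, int, int64_t>;

struct LocalCSE {
    std::map<PureValue, int> pureValues;
    std::map<HeapLocation, int> heapLocations;

    // write(): locations whose heap overlaps the written heap are no longer available.
    void write(Heap h) {
        for (auto it = heapLocations.begin(); it != heapLocations.end();) {
            if (heapsOverlap(std::get<0>(it->first), h)) it = heapLocations.erase(it); else ++it;
        }
    }
    // def(): record that `node` makes the value available, or return who already does.
    int defPure(const PureValue& value, int node) {
        auto it = pureValues.find(value);
        if (it != pureValues.end()) return it->second;
        pureValues[value] = node;
        return -1;
    }
    int defHeap(const HeapLocation& loc, int node) {
        auto it = heapLocations.find(loc);
        if (it != heapLocations.end()) return it->second;
        heapLocations[loc] = node;
        return -1;
    }

    // Per-node semantics, clobberize()-style. Returns the replacement id or -1.
    int clobberize(const Node& n) {
        switch (n.op) {
        case Op::Argument:
        case Op::Constant:
        case Op::ArithAdd:
            return defPure(PureValue{n.op, n.children, n.info}, n.id);
        case Op::GetByOffset:   // children[0] = base
            return defHeap(HeapLocation{Heap::NamedProperties, n.children[0], n.info}, n.id);
        case Op::PutByOffset:   // children[0] = base, children[1] = stored value
            write(Heap::NamedProperties);
            // The store makes the stored value available at this location.
            defHeap(HeapLocation{Heap::NamedProperties, n.children[0], n.info}, n.children[1]);
            return -1;
        case Op::Call:          // may write anything
            write(Heap::World);
            return -1;
        }
        return -1;
    }
};

// Runs local CSE over one block; result[i] is node i's replacement or -1.
std::vector<int> runLocalCSE(const std::vector<Node>& block) {
    LocalCSE cse;
    std::vector<int> out;
    for (const Node& n : block) out.push_back(cse.clobberize(n));
    return out;
}

// Constructed block, not taken from any real program.
std::vector<Node> sampleBlock() {
    return {
        {0, Op::Argument,    {},     0},   // the object
        {1, Op::Constant,    {},     1},
        {2, Op::ArithAdd,    {1, 1}, 0},
        {3, Op::ArithAdd,    {1, 1}, 0},   // pure CSE -> 2
        {4, Op::GetByOffset, {0},    8},
        {5, Op::GetByOffset, {0},    8},   // load elimination -> 4
        {6, Op::PutByOffset, {0, 2}, 8},   // kills NamedProperties, then defs (0, 8) = node 2
        {7, Op::GetByOffset, {0},    8},   // forwarded from the store -> 2
        {8, Op::Call,        {},     0},   // write(World): every heap location is gone
        {9, Op::GetByOffset, {0},    8},   // must reload: no replacement
        {10, Op::ArithAdd,   {1, 1}, 0},   // pure values survive the call -> 2
    };
}
```
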
    2014-07-13  Filip Pizlo  <fpizlo@apple.com>

            Unreviewed, revert unintended change in r171051.

            * dfg/DFGCSEPhase.cpp:

    2014-07-08  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] Move Flush(SetLocal) store elimination to StrengthReductionPhase
            https://bugs.webkit.org/show_bug.cgi?id=134739

            Reviewed by Mark Hahnenberg.

            I'm going to streamline CSE around clobberize() as part of
            https://bugs.webkit.org/show_bug.cgi?id=134677, and so Flush(SetLocal) store
            elimination wouldn't belong in CSE anymore. It doesn't quite belong anywhere, which
            means that it belongs in StrengthReductionPhase, since that's intended to be our
            dumping ground.

            To do this I had to add some missing smarts to clobberize(). Previously clobberize()
            could play a bit loose with reads of Variables because it wasn't used for store
            elimination. The main client of read() was LICM, but it would only use it to
            determine hoistability and anything that did a write() was not hoistable - so, we had
            benign (but still wrong) missing read() calls in places that did write()s. This fixes
            a bunch of those cases.

            * dfg/DFGCSEPhase.cpp:
            (JSC::DFG::CSEPhase::performNodeCSE):
            (JSC::DFG::CSEPhase::setLocalStoreElimination): Deleted.
            * dfg/DFGClobberize.cpp:
            (JSC::DFG::accessesOverlap):
            * dfg/DFGClobberize.h:
            (JSC::DFG::clobberize): Make clobberize() smart enough for detecting when this store elimination would be sound.
            * dfg/DFGStrengthReductionPhase.cpp:
            (JSC::DFG::StrengthReductionPhase::handleNode): Implement the store elimination in terms of clobberize().

    2014-07-08  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] Phantom simplification should be in its own phase
            https://bugs.webkit.org/show_bug.cgi?id=134742

            Reviewed by Geoffrey Garen.

            This moves Phantom simplification out of CSE, which greatly simplifies CSE and gives it
            more focus. Also this finally adds a phase that removes empty Phantoms. We sort of had
            this in CPSRethreading, but that phase runs too infrequently and doesn't run at all for
            SSA.

            * CMakeLists.txt:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * dfg/DFGAdjacencyList.h:
            * dfg/DFGCSEPhase.cpp:
            (JSC::DFG::CSEPhase::run):
            (JSC::DFG::CSEPhase::setReplacement):
            (JSC::DFG::CSEPhase::eliminate):
            (JSC::DFG::CSEPhase::performNodeCSE):
            (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren): Deleted.
            * dfg/DFGPhantomRemovalPhase.cpp: Added.
            (JSC::DFG::PhantomRemovalPhase::PhantomRemovalPhase):
            (JSC::DFG::PhantomRemovalPhase::run):
            (JSC::DFG::performCleanUp):
            * dfg/DFGPhantomRemovalPhase.h: Added.
            * dfg/DFGPlan.cpp:
            (JSC::DFG::Plan::compileInThreadImpl):

    2014-07-08  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] Get rid of Node::misc by moving the fields out of the union so that you can use replacement and owner simultaneously
            https://bugs.webkit.org/show_bug.cgi?id=134730

            Reviewed by Mark Lam.

            This will allow for a better GCSE implementation.

            * dfg/DFGCPSRethreadingPhase.cpp:
            (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
            * dfg/DFGCSEPhase.cpp:
            (JSC::DFG::CSEPhase::setReplacement):
            * dfg/DFGEdgeDominates.h:
            (JSC::DFG::EdgeDominates::operator()):
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::clearReplacements):
            (JSC::DFG::Graph::initializeNodeOwners):
            * dfg/DFGGraph.h:
            (JSC::DFG::Graph::performSubstitutionForEdge):
            * dfg/DFGLICMPhase.cpp:
            (JSC::DFG::LICMPhase::attemptHoist):
            * dfg/DFGNode.h:
            (JSC::DFG::Node::Node):
            * dfg/DFGSSAConversionPhase.cpp:
            (JSC::DFG::SSAConversionPhase::run):

    2014-07-04  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] Infer immutable object properties
            https://bugs.webkit.org/show_bug.cgi?id=134567

            Reviewed by Mark Hahnenberg.

            This introduces a new way of inferring immutable object properties. A property is said to
            be immutable if after its creation (i.e. the transition that creates it), we never
            overwrite it (i.e. replace it) or delete it. Immutability is a property of an "own
            property" - so if we say that "f" is immutable at "o" then we are implying that "o" has "f"
            directly and not on a prototype. More specifically, the immutability inference will prove
            that a property on some structure is immutable. This means that, for example, we may have a
            structure S1 with property "f" where we claim that "f" at S1 is immutable, but S1 has a
            transition to S2 that adds a new property "g" and we may claim that "f" at S2 is actually
            mutable. This is mainly for convenience; it allows us to decouple immutability logic from
            transition logic. Immutability can be used to constant-fold accesses to objects at
            DFG-time. The DFG needs to prove the following to constant-fold the access:

            - The base of the access must be a constant object pointer. We prove that a property at a
              structure is immutable, but that says nothing of its value; each actual instance of that
              property may have a different value. So, a constant object pointer is needed to get an
              actual constant instance of the immutable value.

            - A check (or watchpoint) must have been emitted proving that the object has a structure
              that allows loading the property in question.

            - The replacement watchpoint set of the property in the structure that we've proven the
              object to have is still valid and we add a watchpoint to it lazily. The replacement
              watchpoint set is the key new mechanism that this change adds. It's possible that we have
              proven that the object has one of many structures, in which case each of those structures
              needs a valid replacement watchpoint set.

            The replacement watchpoint set is created the first time that any access to the property is
            cached. A put replace cache will create, and immediately invalidate, the watchpoint set. A
            get cache will create the watchpoint set and make it start watching. Any non-cached put
            access will invalidate the watchpoint set if one had been created; the underlying algorithm
            ensures that checking for the existence of a replacement watchpoint set is very fast in the
            common case. This algorithm ensures that no cached access needs to ever do any work to
            invalidate, or check the validity of, any replacement watchpoint sets. It also has some
            other nice properties:

            - It's very robust in its definition of immutability. The strictest that it will ever be is
              that for any instance of the object, the property must be written to only once,
              specifically at the time that the property is created. But it's looser than this in
              practice. For example, the property may be written to any number of times before we add
              the final property that the object will have before anyone reads the property; this works
              since for optimization purposes we only care if we detect immutability on the structure
              that the object will have when it is most frequently read from, not any previous
              structure that the object had. Also, we may write to the property any number of times
              before anyone caches accesses to it.

            - It is mostly orthogonal to structure transitions. No new structures need to be created to
              track the immutability of a property. Hence, there is no risk from this feature causing
              more polymorphism. This is different from the previous "specificValue" constant
              inference, which did cause additional structures to be created and sometimes those
              structures led to fake polymorphism. This feature does leverage existing transitions to
              do some of the watchpointing: property deletions don't fire the replacement watchpoint
              set because that would cause a new structure and so the mandatory structure check would
              fail. Also, this feature is guaranteed to never kick in for uncacheable dictionaries
              because those wouldn't allow for cacheable accesses - and it takes a cacheable access for
              this feature to be enabled.

            - No memory overhead is incurred except when accesses to the property are cached.
              Dictionary properties will typically have no meta-data for immutability. The number of
              replacement watchpoint sets we allocate is proportional to the number of inline caches in
              the program, which is typically much smaller than the number of structures or even the
              number of objects.

            This inference is far more powerful than the previous "specificValue" inference, so this
            change also removes all of that code. It's interesting that the amount of code that is
            changed to remove that feature is almost as big as the amount of code added to support the
            new inference - and that's if you include the new tests in the tally. Without new tests,
            it appears that the new feature actually touches less code!

            There is one corner case where the previous "specificValue" inference was more powerful.
            You can imagine someone creating objects with functions as self properties on those
            objects, such that each object instance had the same function pointers - essentially,
            someone might be trying to create a vtable but failing at the whole "one vtable for many
            instances" concept. The "specificValue" inference would do very well for such programs,
            because a structure check would be sufficient to prove a constant value for all of the
            function properties. This new inference will fail because it doesn't track the constant
            values of constant properties; instead it detects the immutability of otherwise variable
            properties (in the sense that each instance of the property may have a different value).
            So, the new inference requires having a particular object instance to actually get the
            constant value. I think it's OK to lose this antifeature. It took a lot of code to support
            and was a constant source of grief in our transition logic, and there doesn't appear to be
            any real evidence that programs benefited from that particular kind of inference since
            usually it's the singleton prototype instance that has all of the functions.

            This change is a speed-up on everything. date-format-xparb and both SunSpider/raytrace and
            V8/raytrace seem to be the biggest winners among the macrobenchmarks; they see >5%
            speed-ups. Many of our microbenchmarks see very large performance improvements, even 80% in
            one case.

            * bytecode/ComplexGetStatus.cpp:
            (JSC::ComplexGetStatus::computeFor):
            * bytecode/GetByIdStatus.cpp:
            (JSC::GetByIdStatus::computeFromLLInt):
            (JSC::GetByIdStatus::computeForStubInfo):
            (JSC::GetByIdStatus::computeFor):
            * bytecode/GetByIdVariant.cpp:
            (JSC::GetByIdVariant::GetByIdVariant):
            (JSC::GetByIdVariant::operator=):
            (JSC::GetByIdVariant::attemptToMerge):
            (JSC::GetByIdVariant::dumpInContext):
            * bytecode/GetByIdVariant.h:
            (JSC::GetByIdVariant::alternateBase):
            (JSC::GetByIdVariant::specificValue): Deleted.
            * bytecode/PutByIdStatus.cpp:
            (JSC::PutByIdStatus::computeForStubInfo):
            (JSC::PutByIdStatus::computeFor):
            * bytecode/PutByIdVariant.cpp:
            (JSC::PutByIdVariant::operator=):
            (JSC::PutByIdVariant::setter):
            (JSC::PutByIdVariant::dumpInContext):
            * bytecode/PutByIdVariant.h:
            (JSC::PutByIdVariant::specificValue): Deleted.
            * bytecode/Watchpoint.cpp:
            (JSC::WatchpointSet::fireAllSlow):
            (JSC::WatchpointSet::fireAll): Deleted.
            * bytecode/Watchpoint.h:
            (JSC::WatchpointSet::fireAll):
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::handleGetByOffset):
            (JSC::DFG::ByteCodeParser::handleGetById):
            (JSC::DFG::ByteCodeParser::handlePutById):
            (JSC::DFG::ByteCodeParser::parseBlock):
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
            * dfg/DFGFixupPhase.cpp:
            (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
            (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::tryGetConstantProperty):
            (JSC::DFG::Graph::visitChildren):
            * dfg/DFGGraph.h:
            * dfg/DFGWatchableStructureWatchingPhase.cpp:
            (JSC::DFG::WatchableStructureWatchingPhase::run):
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
            * jit/JITOperations.cpp:
            * jit/Repatch.cpp:
            (JSC::repatchByIdSelfAccess):
            (JSC::generateByIdStub):
            (JSC::tryCacheGetByID):
            (JSC::tryCachePutByID):
            (JSC::tryBuildPutByIdList):
            * llint/LLIntSlowPaths.cpp:
            (JSC::LLInt::LLINT_SLOW_PATH_DECL):
            (JSC::LLInt::putToScopeCommon):
            * runtime/CommonSlowPaths.h:
            (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
            * runtime/IntendedStructureChain.cpp:
            (JSC::IntendedStructureChain::mayInterceptStoreTo):
            * runtime/JSCJSValue.cpp:
            (JSC::JSValue::putToPrimitive):
            * runtime/JSGlobalObject.cpp:
            (JSC::JSGlobalObject::reset):
            * runtime/JSObject.cpp:
            (JSC::JSObject::put):
            (JSC::JSObject::putDirectNonIndexAccessor):
            (JSC::JSObject::deleteProperty):
            (JSC::JSObject::defaultValue):
            (JSC::getCallableObjectSlow): Deleted.
            (JSC::JSObject::getPropertySpecificValue): Deleted.
            * runtime/JSObject.h:
            (JSC::JSObject::getDirect):
            (JSC::JSObject::getDirectOffset):
            (JSC::JSObject::inlineGetOwnPropertySlot):
            (JSC::JSObject::putDirectInternal):
            (JSC::JSObject::putOwnDataProperty):
            (JSC::JSObject::putDirect):
            (JSC::JSObject::putDirectWithoutTransition):
            (JSC::getCallableObject): Deleted.
            * runtime/JSScope.cpp:
578             (JSC::abstractAccess):
579             * runtime/PropertyMapHashTable.h:
580             (JSC::PropertyMapEntry::PropertyMapEntry):
581             (JSC::PropertyTable::copy):
582             * runtime/PropertyTable.cpp:
583             (JSC::PropertyTable::clone):
584             (JSC::PropertyTable::PropertyTable):
585             (JSC::PropertyTable::visitChildren): Deleted.
586             * runtime/Structure.cpp:
587             (JSC::Structure::Structure):
588             (JSC::Structure::materializePropertyMap):
589             (JSC::Structure::addPropertyTransitionToExistingStructureImpl):
590             (JSC::Structure::addPropertyTransitionToExistingStructure):
591             (JSC::Structure::addPropertyTransitionToExistingStructureConcurrently):
592             (JSC::Structure::addPropertyTransition):
593             (JSC::Structure::changePrototypeTransition):
594             (JSC::Structure::attributeChangeTransition):
595             (JSC::Structure::toDictionaryTransition):
596             (JSC::Structure::preventExtensionsTransition):
597             (JSC::Structure::takePropertyTableOrCloneIfPinned):
598             (JSC::Structure::nonPropertyTransition):
599             (JSC::Structure::addPropertyWithoutTransition):
600             (JSC::Structure::allocateRareData):
601             (JSC::Structure::ensurePropertyReplacementWatchpointSet):
602             (JSC::Structure::startWatchingPropertyForReplacements):
603             (JSC::Structure::didCachePropertyReplacement):
604             (JSC::Structure::startWatchingInternalProperties):
605             (JSC::Structure::copyPropertyTable):
606             (JSC::Structure::copyPropertyTableForPinning):
607             (JSC::Structure::getConcurrently):
608             (JSC::Structure::get):
609             (JSC::Structure::add):
610             (JSC::Structure::visitChildren):
611             (JSC::Structure::prototypeChainMayInterceptStoreTo):
612             (JSC::Structure::dump):
613             (JSC::Structure::despecifyDictionaryFunction): Deleted.
614             (JSC::Structure::despecifyFunctionTransition): Deleted.
615             (JSC::Structure::despecifyFunction): Deleted.
616             (JSC::Structure::despecifyAllFunctions): Deleted.
617             (JSC::Structure::putSpecificValue): Deleted.
618             * runtime/Structure.h:
619             (JSC::Structure::startWatchingPropertyForReplacements):
620             (JSC::Structure::startWatchingInternalPropertiesIfNecessary):
621             (JSC::Structure::startWatchingInternalPropertiesIfNecessaryForEntireChain):
622             (JSC::Structure::transitionDidInvolveSpecificValue): Deleted.
623             (JSC::Structure::disableSpecificFunctionTracking): Deleted.
624             * runtime/StructureInlines.h:
625             (JSC::Structure::getConcurrently):
626             (JSC::Structure::didReplaceProperty):
627             (JSC::Structure::propertyReplacementWatchpointSet):
628             * runtime/StructureRareData.cpp:
629             (JSC::StructureRareData::destroy):
630             * runtime/StructureRareData.h:
631             * tests/stress/infer-constant-global-property.js: Added.
632             (foo.Math.sin):
633             (foo):
634             * tests/stress/infer-constant-property.js: Added.
635             (foo):
636             * tests/stress/jit-cache-poly-replace-then-cache-get-and-fold-then-invalidate.js: Added.
637             (foo):
638             (bar):
639             * tests/stress/jit-cache-replace-then-cache-get-and-fold-then-invalidate.js: Added.
640             (foo):
641             (bar):
642             * tests/stress/jit-put-to-scope-global-cache-watchpoint-invalidate.js: Added.
643             (foo):
644             (bar):
645             * tests/stress/llint-cache-replace-then-cache-get-and-fold-then-invalidate.js: Added.
646             (foo):
647             (bar):
648             * tests/stress/llint-put-to-scope-global-cache-watchpoint-invalidate.js: Added.
649             (foo):
650             (bar):
651             * tests/stress/repeat-put-to-scope-global-with-same-value-watchpoint-invalidate.js: Added.
652             (foo):
653             (bar):
654     
655     2014-07-03  Saam Barati  <sbarati@apple.com>
656     
657             Add more coverage for the profile_types_with_high_fidelity op code.
658             https://bugs.webkit.org/show_bug.cgi?id=134616
659     
660             Reviewed by Filip Pizlo.
661     
662             More operations are now being recorded by the profile_types_with_high_fidelity 
663             opcode. Specifically: function parameters, function return values,
664             function 'this' value, get_by_id, get_by_value, resolve nodes, function return 
665             values at the call site. Added more flags to the profile_types_with_high_fidelity
666             opcode so more focused tasks can take place when the instruction is
667             being linked in CodeBlock. Re-worked the type profiler to search 
668             through character offset ranges when asked for the type of an expression
669             at a given offset. Removed redundant calls to Structure::toStructureShape
670             in HighFidelityLog and TypeSet by caching calls based on StructureID.
671     
672             * bytecode/BytecodeList.json:
673             * bytecode/BytecodeUseDef.h:
674             (JSC::computeUsesForBytecodeOffset):
675             (JSC::computeDefsForBytecodeOffset):
676             * bytecode/CodeBlock.cpp:
677             (JSC::CodeBlock::CodeBlock):
678             (JSC::CodeBlock::finalizeUnconditionally):
679             (JSC::CodeBlock::scopeDependentProfile):
680             * bytecode/CodeBlock.h:
681             (JSC::CodeBlock::returnStatementTypeSet):
682             * bytecode/TypeLocation.h:
683             * bytecode/UnlinkedCodeBlock.cpp:
684             (JSC::UnlinkedCodeBlock::highFidelityTypeProfileExpressionInfoForBytecodeOffset):
685             (JSC::UnlinkedCodeBlock::addHighFidelityTypeProfileExpressionInfo):
686             * bytecode/UnlinkedCodeBlock.h:
687             * bytecompiler/BytecodeGenerator.cpp:
688             (JSC::BytecodeGenerator::emitMove):
689             (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
690             (JSC::BytecodeGenerator::emitGetFromScopeWithProfile):
691             (JSC::BytecodeGenerator::emitPutToScope):
692             (JSC::BytecodeGenerator::emitPutToScopeWithProfile):
693             (JSC::BytecodeGenerator::emitPutById):
694             (JSC::BytecodeGenerator::emitPutByVal):
695             * bytecompiler/BytecodeGenerator.h:
696             (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo):
697             * bytecompiler/NodesCodegen.cpp:
698             (JSC::ResolveNode::emitBytecode):
699             (JSC::BracketAccessorNode::emitBytecode):
700             (JSC::DotAccessorNode::emitBytecode):
701             (JSC::FunctionCallValueNode::emitBytecode):
702             (JSC::FunctionCallResolveNode::emitBytecode):
703             (JSC::FunctionCallBracketNode::emitBytecode):
704             (JSC::FunctionCallDotNode::emitBytecode):
705             (JSC::CallFunctionCallDotNode::emitBytecode):
706             (JSC::ApplyFunctionCallDotNode::emitBytecode):
707             (JSC::PostfixNode::emitResolve):
708             (JSC::PostfixNode::emitBracket):
709             (JSC::PostfixNode::emitDot):
710             (JSC::PrefixNode::emitResolve):
711             (JSC::PrefixNode::emitBracket):
712             (JSC::PrefixNode::emitDot):
713             (JSC::ReadModifyResolveNode::emitBytecode):
714             (JSC::AssignResolveNode::emitBytecode):
715             (JSC::AssignDotNode::emitBytecode):
716             (JSC::ReadModifyDotNode::emitBytecode):
717             (JSC::AssignBracketNode::emitBytecode):
718             (JSC::ReadModifyBracketNode::emitBytecode):
719             (JSC::ReturnNode::emitBytecode):
720             (JSC::FunctionBodyNode::emitBytecode):
721             * inspector/agents/InspectorRuntimeAgent.cpp:
722             (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableAtOffset):
723             (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange): Deleted.
724             * inspector/agents/InspectorRuntimeAgent.h:
725             * inspector/protocol/Runtime.json:
726             * llint/LLIntSlowPaths.cpp:
727             (JSC::LLInt::getFromScopeCommon):
728             (JSC::LLInt::LLINT_SLOW_PATH_DECL):
729             * llint/LLIntSlowPaths.h:
730             * llint/LowLevelInterpreter.asm:
731             * runtime/HighFidelityLog.cpp:
732             (JSC::HighFidelityLog::processHighFidelityLog):
733             (JSC::HighFidelityLog::actuallyProcessLogThreadFunction):
734             (JSC::HighFidelityLog::recordTypeInformationForLocation): Deleted.
735             * runtime/HighFidelityLog.h:
736             (JSC::HighFidelityLog::recordTypeInformationForLocation):
737             * runtime/HighFidelityTypeProfiler.cpp:
738             (JSC::HighFidelityTypeProfiler::getTypesForVariableInAtOffset):
739             (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableAtOffset):
740             (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableAtOffset):
741             (JSC::HighFidelityTypeProfiler::insertNewLocation):
742             (JSC::HighFidelityTypeProfiler::findLocation):
743             (JSC::HighFidelityTypeProfiler::getTypesForVariableInRange): Deleted.
744             (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableInRange): Deleted.
745             (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableInRange): Deleted.
746             (JSC::HighFidelityTypeProfiler::getLocationBasedHash): Deleted.
747             * runtime/HighFidelityTypeProfiler.h:
748             (JSC::LocationKey::LocationKey): Deleted.
749             (JSC::LocationKey::hash): Deleted.
750             (JSC::LocationKey::operator==): Deleted.
751             * runtime/Structure.cpp:
752             (JSC::Structure::toStructureShape):
753             * runtime/Structure.h:
754             * runtime/TypeSet.cpp:
755             (JSC::TypeSet::TypeSet):
756             (JSC::TypeSet::addTypeForValue):
757             (JSC::TypeSet::seenTypes):
758             (JSC::TypeSet::removeDuplicatesInStructureHistory): Deleted.
759             * runtime/TypeSet.h:
760             (JSC::StructureShape::setConstructorName):
761             * runtime/VM.cpp:
762             (JSC::VM::getTypesForVariableAtOffset):
763             (JSC::VM::dumpHighFidelityProfilingTypes):
764             (JSC::VM::getTypesForVariableInRange): Deleted.
765             * runtime/VM.h:
766     
767     2014-07-04  Filip Pizlo  <fpizlo@apple.com>
768     
769             [ftlopt][REGRESSION] debug tests fail because PutByIdDirect is now implemented in terms of In
770             https://bugs.webkit.org/show_bug.cgi?id=134642
771     
772             Rubber stamped by Andreas Kling.
773     
774             * ftl/FTLLowerDFGToLLVM.cpp:
775             (JSC::FTL::LowerDFGToLLVM::compileNode):
776     
777     2014-07-01  Filip Pizlo  <fpizlo@apple.com>
778     
779             [ftlopt] Allocate a new GetterSetter if we change the value of any of its entries other than when they were previously null, so that if we constant-infer an accessor slot then we immediately get the function constant for free
780             https://bugs.webkit.org/show_bug.cgi?id=134518
781     
782             Reviewed by Mark Hahnenberg.
783             
784             This has no real effect right now, particularly since almost all uses of
785             setSetter/setGetter were already allocating a brand new GetterSetter. But once we start
786             doing more aggressive constant property inference, this change will allow us to remove
787             all runtime checks from getter/setter calls.
788     
789             * runtime/GetterSetter.cpp:
790             (JSC::GetterSetter::withGetter):
791             (JSC::GetterSetter::withSetter):
792             * runtime/GetterSetter.h:
793             (JSC::GetterSetter::setGetter):
794             (JSC::GetterSetter::setSetter):
795             * runtime/JSObject.cpp:
796             (JSC::JSObject::defineOwnNonIndexProperty):
797     
798     2014-07-02  Filip Pizlo  <fpizlo@apple.com>
799     
800             [ftlopt] Rename notifyTransitionFromThisStructure to didTransitionFromThisStructure
801     
802             Rubber stamped by Mark Hahnenberg.
803     
804             * runtime/Structure.cpp:
805             (JSC::Structure::Structure):
806             (JSC::Structure::nonPropertyTransition):
807             (JSC::Structure::didTransitionFromThisStructure):
808             (JSC::Structure::notifyTransitionFromThisStructure): Deleted.
809             * runtime/Structure.h:
810     
811     2014-07-02  Filip Pizlo  <fpizlo@apple.com>
812     
813             [ftlopt] Remove the functionality for cloning StructureRareData since we never do that anymore.
814     
815             Rubber stamped by Mark Hahnenberg.
816     
817             * runtime/Structure.cpp:
818             (JSC::Structure::Structure):
819             (JSC::Structure::cloneRareDataFrom): Deleted.
820             * runtime/Structure.h:
821             * runtime/StructureRareData.cpp:
822             (JSC::StructureRareData::clone): Deleted.
823             (JSC::StructureRareData::StructureRareData): Deleted.
824             * runtime/StructureRareData.h:
825             (JSC::StructureRareData::needsCloning): Deleted.
826     
827     2014-07-01  Mark Lam  <mark.lam@apple.com>
828     
829             [ftlopt] DebuggerCallFrame::scope() should return a DebuggerScope.
830             <https://webkit.org/b/134420>
831     
832             Reviewed by Geoffrey Garen.
833     
834             Previously, DebuggerCallFrame::scope() returned a JSActivation (and relevant
835             peers) which the WebInspector will use to introspect CallFrame variables.
836             Instead, we should be returning a DebuggerScope as an abstraction layer that
837             provides the introspection functionality that the WebInspector needs.  This
838             is the first step towards not forcing every frame to have a JSActivation
839             object just because the debugger is enabled.
840     
841             1. Instantiate the debuggerScopeStructure as a member of the JSGlobalObject
842                instead of the VM.  This allows JSObject::globalObject() to be able to
843                return the global object for the DebuggerScope.
844     
845             2. On the DebuggerScope's life-cycle management:
846     
847                The DebuggerCallFrame is designed to be "valid" only during a debugging session
848                (while the debugger is broken) through the use of a DebuggerCallFrameScope in
849                Debugger::pauseIfNeeded().  Once the debugger resumes from the break, the
850                DebuggerCallFrameScope destructs, and the DebuggerCallFrame will be invalidated.
851                We can't guarantee (from this code alone) that the Inspector code isn't still
852                holding a ref to the DebuggerCallFrame (though they shouldn't), but by contract,
853                the frame will be invalidated, and any attempt to query it will return null values.
854                This is pre-existing behavior.
855     
856                Now, we're adding the DebuggerScope into the picture.  While a single debugger
857                pause session is in progress, the Inspector may request the scope from the
858                DebuggerCallFrame.  While the DebuggerCallFrame is still valid, we want
859                DebuggerCallFrame::scope() to always return the same DebuggerScope object.
860                This is why we hold on to the DebuggerScope with a strong ref.
861     
862                If we use a weak ref instead, the following kooky behavior can manifest:
863                1. The Inspector calls Debugger::scope() to get the top scope.
864                2. The Inspector iterates down the scope chain and is now only holding a
865                   reference to a parent scope.  It is no longer referencing the top scope.
866                3. A GC occurs, and the DebuggerCallFrame's weak m_scope ref to the top scope
867                   gets cleared.
868                4. The Inspector calls DebuggerCallFrame::scope() to get the top scope again but gets
869                   a different DebuggerScope instance.
870                5. The Inspector iterates down the scope chain but never sees the parent scope
871                   instance that it retained a ref to in step 2 above.  This is because when iterating
872                   this new DebuggerScope instance (which has no knowledge of the previous parent
873                   DebuggerScope instance), a new DebuggerScope instance will get created for the
874                   same parent scope. 
875     
876                Since the DebuggerScope is a JSObject, its liveness is determined by its reachability.
877                However, its "validity" is determined by the life-cycle of its owner DebuggerCallFrame.
878                When the owner DebuggerCallFrame gets invalidated, its debugger scope chain (if
879                instantiated) will also get invalidated.  This is why we need the
880                DebuggerScope::invalidateChain() method.  The Inspector should not be using the
881                DebuggerScope instance after its owner DebuggerCallFrame is invalidated.  If it does,
882                those methods will do nothing or return a failed status.
883     
884             * debugger/Debugger.h:
885             * debugger/DebuggerCallFrame.cpp:
886             (JSC::DebuggerCallFrame::scope):
887             (JSC::DebuggerCallFrame::evaluate):
888             (JSC::DebuggerCallFrame::invalidate):
889             (JSC::DebuggerCallFrame::vm):
890             (JSC::DebuggerCallFrame::lexicalGlobalObject):
891             * debugger/DebuggerCallFrame.h:
892             * debugger/DebuggerScope.cpp:
893             (JSC::DebuggerScope::DebuggerScope):
894             (JSC::DebuggerScope::finishCreation):
895             (JSC::DebuggerScope::visitChildren):
896             (JSC::DebuggerScope::className):
897             (JSC::DebuggerScope::getOwnPropertySlot):
898             (JSC::DebuggerScope::put):
899             (JSC::DebuggerScope::deleteProperty):
900             (JSC::DebuggerScope::getOwnPropertyNames):
901             (JSC::DebuggerScope::defineOwnProperty):
902             (JSC::DebuggerScope::next):
903             (JSC::DebuggerScope::invalidateChain):
904             (JSC::DebuggerScope::isWithScope):
905             (JSC::DebuggerScope::isGlobalScope):
906             (JSC::DebuggerScope::isFunctionScope):
907             * debugger/DebuggerScope.h:
908             (JSC::DebuggerScope::create):
909             (JSC::DebuggerScope::Iterator::Iterator):
910             (JSC::DebuggerScope::Iterator::get):
911             (JSC::DebuggerScope::Iterator::operator++):
912             (JSC::DebuggerScope::Iterator::operator==):
913             (JSC::DebuggerScope::Iterator::operator!=):
914             (JSC::DebuggerScope::isValid):
915             (JSC::DebuggerScope::jsScope):
916             (JSC::DebuggerScope::begin):
917             (JSC::DebuggerScope::end):
918             * inspector/JSJavaScriptCallFrame.cpp:
919             (Inspector::JSJavaScriptCallFrame::scopeType):
920             (Inspector::JSJavaScriptCallFrame::scopeChain):
921             * inspector/JavaScriptCallFrame.h:
922             (Inspector::JavaScriptCallFrame::scopeChain):
923             * inspector/ScriptDebugServer.cpp:
924             * runtime/JSGlobalObject.cpp:
925             (JSC::JSGlobalObject::reset):
926             (JSC::JSGlobalObject::visitChildren):
927             * runtime/JSGlobalObject.h:
928             (JSC::JSGlobalObject::debuggerScopeStructure):
929             * runtime/JSObject.h:
930             (JSC::JSObject::isWithScope):
931             * runtime/JSScope.h:
932             * runtime/VM.cpp:
933             (JSC::VM::VM):
934             * runtime/VM.h:
935     
936     2014-07-01  Filip Pizlo  <fpizlo@apple.com>
937     
938             [ftlopt] DFG bytecode parser should turn PutById with nothing but a Setter stub as stuff+handleCall, and handleCall should be allowed to inline if it wants to
939             https://bugs.webkit.org/show_bug.cgi?id=130756
940     
941             Reviewed by Oliver Hunt.
942             
943             This enables exposing the call to setters in the DFG, and then inlining it. Previously we
944             already supported inline-cached calls to setters from within put_by_id inline caches,
945             and the DFG could certainly emit such ICs. Now, if an IC had a setter call, then the DFG
946             will either emit the GetGetterSetterByOffset/GetSetter/Call combo, or it will do one
947             better and inline the call.
948             
949             A lot of the core functionality was already available from the previous work to inline
950             getters. So, there are some refactorings in this patch that move preexisting
951             functionality around. For example, the work to figure out how the DFG should go about
952             getting to what we call the "loaded value" - i.e. the GetterSetter object reference in
953             the case of accessors - is now shared in ComplexGetStatus, and both GetByIdStatus and
954             PutByIdStatus use it. This means that we can keep the safety checks common.  This patch
955             also does additional refactorings in DFG::ByteCodeParser so that we can continue to reuse
956             handleCall() for all of the various kinds of calls we can now emit.
957             
958             83% speed-up on getter-richards, 2% speed-up on box2d.
959     
960             * CMakeLists.txt:
961             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
962             * JavaScriptCore.xcodeproj/project.pbxproj:
963             * bytecode/ComplexGetStatus.cpp: Added.
964             (JSC::ComplexGetStatus::computeFor):
965             * bytecode/ComplexGetStatus.h: Added.
966             (JSC::ComplexGetStatus::ComplexGetStatus):
967             (JSC::ComplexGetStatus::skip):
968             (JSC::ComplexGetStatus::takesSlowPath):
969             (JSC::ComplexGetStatus::kind):
970             (JSC::ComplexGetStatus::attributes):
971             (JSC::ComplexGetStatus::specificValue):
972             (JSC::ComplexGetStatus::offset):
973             (JSC::ComplexGetStatus::chain):
974             * bytecode/GetByIdStatus.cpp:
975             (JSC::GetByIdStatus::computeForStubInfo):
976             * bytecode/GetByIdVariant.cpp:
977             (JSC::GetByIdVariant::GetByIdVariant):
978             * bytecode/PolymorphicPutByIdList.h:
979             (JSC::PutByIdAccess::PutByIdAccess):
980             (JSC::PutByIdAccess::setter):
981             (JSC::PutByIdAccess::structure):
982             (JSC::PutByIdAccess::chainCount):
983             * bytecode/PutByIdStatus.cpp:
984             (JSC::PutByIdStatus::computeFromLLInt):
985             (JSC::PutByIdStatus::computeFor):
986             (JSC::PutByIdStatus::computeForStubInfo):
987             (JSC::PutByIdStatus::makesCalls):
988             * bytecode/PutByIdStatus.h:
989             (JSC::PutByIdStatus::makesCalls): Deleted.
990             * bytecode/PutByIdVariant.cpp:
991             (JSC::PutByIdVariant::PutByIdVariant):
992             (JSC::PutByIdVariant::operator=):
993             (JSC::PutByIdVariant::replace):
994             (JSC::PutByIdVariant::transition):
995             (JSC::PutByIdVariant::setter):
996             (JSC::PutByIdVariant::writesStructures):
997             (JSC::PutByIdVariant::reallocatesStorage):
998             (JSC::PutByIdVariant::makesCalls):
999             (JSC::PutByIdVariant::dumpInContext):
1000             * bytecode/PutByIdVariant.h:
1001             (JSC::PutByIdVariant::PutByIdVariant):
1002             (JSC::PutByIdVariant::structure):
1003             (JSC::PutByIdVariant::oldStructure):
1004             (JSC::PutByIdVariant::alternateBase):
1005             (JSC::PutByIdVariant::specificValue):
1006             (JSC::PutByIdVariant::callLinkStatus):
1007             (JSC::PutByIdVariant::replace): Deleted.
1008             (JSC::PutByIdVariant::transition): Deleted.
1009             * dfg/DFGByteCodeParser.cpp:
1010             (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
1011             (JSC::DFG::ByteCodeParser::addCall):
1012             (JSC::DFG::ByteCodeParser::handleCall):
1013             (JSC::DFG::ByteCodeParser::handleInlining):
1014             (JSC::DFG::ByteCodeParser::handleGetById):
1015             (JSC::DFG::ByteCodeParser::handlePutById):
1016             (JSC::DFG::ByteCodeParser::parseBlock):
1017             * jit/Repatch.cpp:
1018             (JSC::tryCachePutByID):
1019             (JSC::tryBuildPutByIdList):
1020             * runtime/IntendedStructureChain.cpp:
1021             (JSC::IntendedStructureChain::takesSlowPathInDFGForImpureProperty):
1022             * runtime/IntendedStructureChain.h:
1023             * tests/stress/exit-from-setter.js: Added.
1024             * tests/stress/poly-chain-setter.js: Added.
1025             (Cons):
1026             (foo):
1027             (test):
1028             * tests/stress/poly-chain-then-setter.js: Added.
1029             (Cons1):
1030             (Cons2):
1031             (foo):
1032             (test):
1033             * tests/stress/poly-setter-combo.js: Added.
1034             (Cons1):
1035             (Cons2):
1036             (foo):
1037             (test):
1038             (.test):
1039             * tests/stress/poly-setter-then-self.js: Added.
1040             (foo):
1041             (test):
1042             (.test):
1043             * tests/stress/weird-setter-counter.js: Added.
1044             (foo):
1045             (test):
1046             * tests/stress/weird-setter-counter-syntactic.js: Added.
1047             (foo):
1048             (test):
1049     
1050     2014-07-01  Matthew Mirman  <mmirman@apple.com>
1051     
1052             Added an implementation of the "in" check to FTL.
1053             https://bugs.webkit.org/show_bug.cgi?id=134508
1054     
1055             Reviewed by Filip Pizlo.
1056     
1057             * ftl/FTLCapabilities.cpp: enabled compilation for "in"
1058             (JSC::FTL::canCompile): ditto
1059             * ftl/FTLCompile.cpp:
1060             (JSC::FTL::generateCheckInICFastPath): added.
1061             (JSC::FTL::fixFunctionBasedOnStackMaps): added case for CheckIn descriptors.
1062             * ftl/FTLInlineCacheDescriptor.h:
1063             (JSC::FTL::CheckInGenerator::CheckInGenerator): added.
1064             (JSC::FTL::CheckInDescriptor::CheckInDescriptor): added.
1065             * ftl/FTLInlineCacheSize.cpp: 
1066             (JSC::FTL::sizeOfCheckIn): added. Currently larger than necessary.
1067             * ftl/FTLInlineCacheSize.h: ditto
1068             * ftl/FTLIntrinsicRepository.h: Added function type for operationInGeneric
1069             * ftl/FTLLowerDFGToLLVM.cpp: 
1070             (JSC::FTL::LowerDFGToLLVM::compileNode): added case for In.
1071             (JSC::FTL::LowerDFGToLLVM::compileIn): added.
1072             * ftl/FTLSlowPathCall.cpp: Added a callOperation for operationIn
1073             (JSC::FTL::callOperation): ditto
1074             * ftl/FTLSlowPathCall.h: ditto
1075             * ftl/FTLState.h: Added a vector to hold CheckIn descriptors.
1076             * jit/JITOperations.h: made operationIns internal.
1077             * tests/stress/ftl-checkin.js: Added.
1078             * tests/stress/ftl-checkin-variable.js: Added.
1079     
1080     2014-06-30  Mark Hahnenberg  <mhahnenberg@apple.com>
1081     
1082             CodeBlock::stronglyVisitWeakReferences should mark DFG::CommonData::weakStructureReferences
1083             https://bugs.webkit.org/show_bug.cgi?id=134455
1084     
1085             Reviewed by Geoffrey Garen.
1086     
1087             Otherwise we get hanging pointers which can cause us to die later.
1088     
1089             * bytecode/CodeBlock.cpp:
1090             (JSC::CodeBlock::stronglyVisitWeakReferences):
1091     
1092     2014-06-27  Filip Pizlo  <fpizlo@apple.com>
1093     
1094             [ftlopt] Reduce the GC's influence on optimization decisions
1095             https://bugs.webkit.org/show_bug.cgi?id=134427
1096     
1097             Reviewed by Oliver Hunt.
1098             
1099             This is a slight speed-up on some platforms, that arises from a bunch of fixes that I made
1100             while trying to make the GC keep more structures alive
1101             (https://bugs.webkit.org/show_bug.cgi?id=128072).
1102             
1103             The fixes are, roughly:
1104             
1105             - If the GC clears an inline cache, then this no longer causes the IC to be forever
1106               polymorphic.
1107             
1108             - If we exit in inlined code into a function that tries to OSR enter, then we jettison
1109               sooner.
1110             
1111             - Some variables being uninitialized led to rage-recompilations.
1112             
1113             This is a pretty strong step in the direction of keeping more Structures alive and not
1114             blowing away code just because a Structure died. But, it seems like there is still a slight
1115             speed-up to be had from blowing away code that references dead Structures.
1116     
1117             * bytecode/CodeBlock.cpp:
1118             (JSC::CodeBlock::dumpAssumingJITType):
1119             (JSC::shouldMarkTransition):
1120             (JSC::CodeBlock::propagateTransitions):
1121             (JSC::CodeBlock::determineLiveness):
1122             * bytecode/GetByIdStatus.cpp:
1123             (JSC::GetByIdStatus::computeForStubInfo):
1124             * bytecode/PutByIdStatus.cpp:
1125             (JSC::PutByIdStatus::computeForStubInfo):
1126             * dfg/DFGCapabilities.cpp:
1127             (JSC::DFG::isSupportedForInlining):
1128             (JSC::DFG::mightInlineFunctionForCall):
1129             (JSC::DFG::mightInlineFunctionForClosureCall):
1130             (JSC::DFG::mightInlineFunctionForConstruct):
1131             * dfg/DFGCapabilities.h:
1132             * dfg/DFGCommonData.h:
1133             * dfg/DFGDesiredWeakReferences.cpp:
1134             (JSC::DFG::DesiredWeakReferences::reallyAdd):
1135             * dfg/DFGOSREntry.cpp:
1136             (JSC::DFG::prepareOSREntry):
1137             * dfg/DFGOSRExitCompilerCommon.cpp:
1138             (JSC::DFG::handleExitCounts):
1139             * dfg/DFGOperations.cpp:
1140             * dfg/DFGOperations.h:
1141             * ftl/FTLForOSREntryJITCode.cpp:
1142             (JSC::FTL::ForOSREntryJITCode::ForOSREntryJITCode): These variables being uninitialized is benign in terms of correctness but can sometimes cause rage-recompilations. For some reason it took this patch to reveal this.
1143             * ftl/FTLOSREntry.cpp:
1144             (JSC::FTL::prepareOSREntry):
1145             * runtime/Executable.cpp:
1146             (JSC::ExecutableBase::destroy):
1147             (JSC::NativeExecutable::destroy):
1148             (JSC::ScriptExecutable::ScriptExecutable):
1149             (JSC::ScriptExecutable::destroy):
1150             (JSC::ScriptExecutable::installCode):
1151             (JSC::EvalExecutable::EvalExecutable):
1152             (JSC::ProgramExecutable::ProgramExecutable):
1153             * runtime/Executable.h:
1154             (JSC::ScriptExecutable::setDidTryToEnterInLoop):
1155             (JSC::ScriptExecutable::didTryToEnterInLoop):
1156             (JSC::ScriptExecutable::addressOfDidTryToEnterInLoop):
1157             (JSC::ScriptExecutable::ScriptExecutable): Deleted.
1158             * runtime/StructureInlines.h:
1159             (JSC::Structure::storedPrototypeObject):
1160             (JSC::Structure::storedPrototypeStructure):
1161     
1162     2014-06-25  Filip Pizlo  <fpizlo@apple.com>
1163     
1164             [ftlopt] If a CodeBlock is jettisoned due to a watchpoint then it should be possible to figure out something about that watchpoint
1165             https://bugs.webkit.org/show_bug.cgi?id=134333
1166     
1167             Reviewed by Geoffrey Garen.
1168             
1169             This is engineered to provide loads of information to the profiler without incurring any
1170             costs when the profiler is disabled. It's the oldest trick in the book: the thing that
1171             fires the watchpoint doesn't actually create anything to describe the reason why it was
1172             fired; instead it creates a stack-allocated FireDetail subclass instance. Only if the
1173             FireDetail::dump() virtual method is called does anything happen.
1174             
1175             Currently we use this to produce very fine-grained data for Structure watchpoints and
1176             some cases of variable watchpoints. For all other situations, the given reason is just a
1177             string constant, by using StringFireDetail. If we find a situation where that string
1178             constant is insufficient to diagnose an issue then we can change it to provide more
1179             fine-grained information.
1180     
1181             * JavaScriptCore.xcodeproj/project.pbxproj:
1182             * bytecode/CodeBlock.cpp:
1183             (JSC::CodeBlock::CodeBlock):
1184             (JSC::CodeBlock::jettison):
1185             * bytecode/CodeBlock.h:
1186             * bytecode/CodeBlockJettisoningWatchpoint.cpp:
1187             (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
1188             * bytecode/CodeBlockJettisoningWatchpoint.h:
1189             * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp: Removed.
1190             * bytecode/ProfiledCodeBlockJettisoningWatchpoint.h: Removed.
1191             * bytecode/StructureStubClearingWatchpoint.cpp:
1192             (JSC::StructureStubClearingWatchpoint::fireInternal):
1193             * bytecode/StructureStubClearingWatchpoint.h:
1194             * bytecode/VariableWatchpointSet.h:
1195             (JSC::VariableWatchpointSet::invalidate):
1196             (JSC::VariableWatchpointSet::finalizeUnconditionally):
1197             * bytecode/VariableWatchpointSetInlines.h:
1198             (JSC::VariableWatchpointSet::notifyWrite):
1199             * bytecode/Watchpoint.cpp:
1200             (JSC::StringFireDetail::dump):
1201             (JSC::WatchpointSet::fireAll):
1202             (JSC::WatchpointSet::fireAllSlow):
1203             (JSC::WatchpointSet::fireAllWatchpoints):
1204             (JSC::InlineWatchpointSet::fireAll):
1205             * bytecode/Watchpoint.h:
1206             (JSC::FireDetail::FireDetail):
1207             (JSC::FireDetail::~FireDetail):
1208             (JSC::StringFireDetail::StringFireDetail):
1209             (JSC::Watchpoint::fire):
1210             (JSC::WatchpointSet::fireAll):
1211             (JSC::WatchpointSet::touch):
1212             (JSC::WatchpointSet::invalidate):
1213             (JSC::InlineWatchpointSet::fireAll):
1214             (JSC::InlineWatchpointSet::touch):
1215             * dfg/DFGCommonData.h:
1216             * dfg/DFGOperations.cpp:
1217             * interpreter/Interpreter.cpp:
1218             (JSC::Interpreter::execute):
1219             * jsc.cpp:
1220             (WTF::Masquerader::create):
1221             * profiler/ProfilerCompilation.cpp:
1222             (JSC::Profiler::Compilation::setJettisonReason):
1223             (JSC::Profiler::Compilation::toJS):
1224             * profiler/ProfilerCompilation.h:
1225             (JSC::Profiler::Compilation::setJettisonReason): Deleted.
1226             * runtime/ArrayBuffer.cpp:
1227             (JSC::ArrayBuffer::transfer):
1228             * runtime/ArrayBufferNeuteringWatchpoint.cpp:
1229             (JSC::ArrayBufferNeuteringWatchpoint::fireAll):
1230             * runtime/ArrayBufferNeuteringWatchpoint.h:
1231             * runtime/CommonIdentifiers.h:
1232             * runtime/CommonSlowPaths.cpp:
1233             (JSC::SLOW_PATH_DECL):
1234             * runtime/Identifier.cpp:
1235             (JSC::Identifier::dump):
1236             * runtime/Identifier.h:
1237             * runtime/JSFunction.cpp:
1238             (JSC::JSFunction::put):
1239             (JSC::JSFunction::defineOwnProperty):
1240             * runtime/JSGlobalObject.cpp:
1241             (JSC::JSGlobalObject::addFunction):
1242             (JSC::JSGlobalObject::haveABadTime):
1243             * runtime/JSSymbolTableObject.cpp:
1244             (JSC::VariableWriteFireDetail::dump):
1245             * runtime/JSSymbolTableObject.h:
1246             (JSC::VariableWriteFireDetail::VariableWriteFireDetail):
1247             (JSC::symbolTablePut):
1248             (JSC::symbolTablePutWithAttributes):
1249             * runtime/PropertyName.h:
1250             (JSC::PropertyName::dump):
1251             * runtime/Structure.cpp:
1252             (JSC::Structure::notifyTransitionFromThisStructure):
1253             * runtime/Structure.h:
1254             (JSC::Structure::notifyTransitionFromThisStructure): Deleted.
1255             * runtime/SymbolTable.cpp:
1256             (JSC::SymbolTableEntry::notifyWriteSlow):
1257             (JSC::SymbolTable::WatchpointCleanup::finalizeUnconditionally):
1258             * runtime/SymbolTable.h:
1259             (JSC::SymbolTableEntry::notifyWrite):
1260             * runtime/VM.cpp:
1261             (JSC::VM::addImpureProperty):
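
The stack-allocated FireDetail pattern described in this entry, as an added example that is not JavaScriptCore's code: a detail object holds references to whatever it needs, and only a listening profiler ever calls dump(), so the disabled case never formats a string. Profiler, fireAll and fireVariableWrite are hypothetical stand-ins for the real WatchpointSet/Profiler::Compilation plumbing, and the global render counter exists only to make the laziness observable.

```cpp
#include <sstream>
#include <string>

// Counts how often a detail was actually rendered; stays 0 while nobody asks.
static int g_dumpsRendered = 0;

// Abstract reason, built on the stack by whoever fires the watchpoint.
struct FireDetail {
    virtual ~FireDetail() { }
    virtual void dump(std::ostream& out) const = 0;
};

// The catch-all case: a string constant, nothing to compute.
struct StringFireDetail : FireDetail {
    const char* string;
    explicit StringFireDetail(const char* s) : string(s) { }
    void dump(std::ostream& out) const override { ++g_dumpsRendered; out << string; }
};

// Fine-grained case: references to the inputs, formatted only on demand.
struct VariableWriteFireDetail : FireDetail {
    const std::string& name;
    int value;
    VariableWriteFireDetail(const std::string& n, int v) : name(n), value(v) { }
    void dump(std::ostream& out) const override
    {
        ++g_dumpsRendered;
        out << "write of " << value << " to variable " << name;
    }
};

// Hypothetical profiler: records the last jettison reason when enabled.
struct Profiler {
    bool enabled;
    std::string lastJettisonReason;
};

// Stand-in for WatchpointSet::fireAll(): consults the detail only when a
// profiler is listening, so the disabled case pays for a vtable pointer and nothing else.
static void fireAll(Profiler& profiler, const FireDetail& detail)
{
    if (!profiler.enabled)
        return;
    std::ostringstream out;
    detail.dump(out);
    profiler.lastJettisonReason = out.str();
}

// Fires a variable-write watchpoint and returns the reason the profiler saw
// ("" when the profiler is off, since dump() never ran).
static std::string fireVariableWrite(bool profilerEnabled)
{
    Profiler profiler { profilerEnabled, "" };
    std::string name = "x";
    VariableWriteFireDetail detail(name, 7); // stack-allocated; nothing formatted yet
    fireAll(profiler, detail);
    return profiler.lastJettisonReason;
}

static int dumpsRendered() { return g_dumpsRendered; }

int main() { return fireVariableWrite(true) == "write of 7 to variable x" ? 0 : 1; }
```

With the profiler disabled the detail is constructed and discarded without its dump() ever running, which is the "no cost when the profiler is disabled" property the entry relies on.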
1262     
1263 2014-08-05  Commit Queue  <commit-queue@webkit.org>
1264
1265         Unreviewed, rolling out r172099.
1266         https://bugs.webkit.org/show_bug.cgi?id=135635
1267
1268         Needs a do-over. (Requested by kling on #webkit).
1269
1270         Reverted changeset:
1271
1272         "The JIT should cache property lookup misses."
1273         https://bugs.webkit.org/show_bug.cgi?id=135578
1274         http://trac.webkit.org/changeset/172099
1275
1276 2014-08-05  Przemyslaw Kuczynski  <p.kuczynski@samsung.com>
1277
1278         Fix resource leak of unclosed file descriptor.
1279         https://bugs.webkit.org/show_bug.cgi?id=135417
1280
1281         Reviewed by Darin Adler.
1282
1283         When open returns zero, the fd handle leaks. Checking (fd > 0) needs to be replaced
1284         with (fd != -1).
1285
1286         * assembler/MacroAssemblerARM.cpp:
1287         (JSC::isVFPPresent):
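
The defect this entry fixes, as an added example that is not the JavaScriptCore code: descriptor 0 is a valid return from open() whenever stdin has been closed (common in daemons and sandboxed helper processes), so a "fd > 0" test both misreports a successful open as a failure and never closes the file. The probe functions and the descriptor counter are hypothetical; the example assumes a POSIX host with /dev/null.

```cpp
#include <fcntl.h>
#include <unistd.h>

// Count descriptors in [0, limit) that are currently open.
static int countOpenFds(int limit)
{
    int n = 0;
    for (int fd = 0; fd < limit; ++fd) {
        if (fcntl(fd, F_GETFD) != -1)
            ++n;
    }
    return n;
}

// Shape of the code before the fix: descriptor 0 is valid, but fails the
// "fd > 0" test, so the file is treated as unopened and never closed.
static bool probeWithBuggyCheck(const char* path)
{
    char byte;
    int fd = open(path, O_RDONLY);
    if (fd > 0) { // BUG: rejects fd == 0
        ssize_t r = read(fd, &byte, 1);
        close(fd);
        return r >= 0;
    }
    return false;
}

// After the fix: open() signals failure only with -1.
static bool probeWithFixedCheck(const char* path)
{
    char byte;
    int fd = open(path, O_RDONLY);
    if (fd != -1) {
        ssize_t r = read(fd, &byte, 1);
        close(fd);
        return r >= 0;
    }
    return false;
}

// Free descriptor 0 so that open() hands it out (POSIX returns the lowest
// unused descriptor), run a probe, and report how many descriptors it left
// behind. A correct implementation reports 0.
static int descriptorsLeakedBy(bool (*probe)(const char*))
{
    close(0);
    int before = countOpenFds(256);
    probe("/dev/null"); // assumption: /dev/null exists on the host
    int after = countOpenFds(256);
    if (after > before)
        close(0); // release the leaked descriptor so later runs start clean
    return after - before;
}

int main()
{
    return descriptorsLeakedBy(probeWithBuggyCheck) == 1
        && descriptorsLeakedBy(probeWithFixedCheck) == 0 ? 0 : 1;
}
```

The buggy probe leaks exactly one descriptor per call once fd 0 is free; the fixed probe leaks none. Testing against -1 (or >= 0) is the only check that matches open()'s contract.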
1288
1289 2014-08-05  Andreas Kling  <akling@apple.com>
1290
1291         The JIT should cache property lookup misses.
1292         <https://webkit.org/b/135578>
1293
1294         Add support for inline caching of object properties that don't exist.
1295         Previously we'd fall back to the C++ slow-path whenever a property was missing.
1296
1297         It's implemented as a simple GetById-style stub that returns jsUndefined() as
1298         long as the Structure chain check passes.
1299
1300         10x speedup on the included microbenchmark.
1301
1302         Reviewed by Geoffrey Garen.
1303
1304         * jit/Repatch.cpp:
1305         (JSC::toString):
1306         (JSC::kindFor):
1307         (JSC::generateByIdStub):
1308         (JSC::tryCacheGetByID):
1309         (JSC::patchJumpToGetByIdStub):
1310         * runtime/PropertySlot.h:
1311         (JSC::PropertySlot::isUnset):
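
A toy model of the miss stub this entry describes (which the rollout above reverted for a do-over), as an added example that is not JavaScriptCore's code: a cached "property is absent" answer is only sound while every object on the prototype chain keeps the Structure it had when the miss was recorded, because a later put on any prototype changes the answer. Object, MissCache and cachedGet are hypothetical; Structures are modelled as a per-object id that changes on every property addition, whereas real JSC shares Structures between same-shaped objects. The example goes one step beyond the entry by also showing the stale result a stub that guards only on the receiver's Structure would return.

```cpp
#include <map>
#include <string>
#include <vector>

// Toy Structure: an id that changes whenever the object's shape changes,
// so "same id" means "same own properties".
struct Object {
    static unsigned nextStructureId;
    unsigned structureId;
    std::map<std::string, int> ownProperties;
    Object* prototype;
    explicit Object(Object* proto = nullptr)
        : structureId(nextStructureId++), prototype(proto) { }
    void put(const std::string& name, int value)
    {
        ownProperties[name] = value;
        structureId = nextStructureId++; // transition to a new Structure
    }
};
unsigned Object::nextStructureId = 1;

// The C++ slow path: walk the prototype chain. false means "undefined".
static bool slowGet(const Object* o, const std::string& name, int& out)
{
    for (; o; o = o->prototype) {
        auto it = o->ownProperties.find(name);
        if (it != o->ownProperties.end()) {
            out = it->second;
            return true;
        }
    }
    return false;
}

// One cached miss, guarded by the Structure ids the slow path walked through.
struct MissCache {
    std::string name;
    std::vector<unsigned> chainIds;
    bool valid = false;
    int slowPathCalls = 0;
};

static std::vector<unsigned> structureChain(const Object* o)
{
    std::vector<unsigned> ids;
    for (; o; o = o->prototype)
        ids.push_back(o->structureId);
    return ids;
}

// checkWholeChain=true is the stub the entry describes; false models a stub
// that guards on the receiver only and keeps serving a miss after a prototype gains the property.
static bool cachedGet(const Object* o, const std::string& name, MissCache& cache, int& out, bool checkWholeChain)
{
    std::vector<unsigned> chain = structureChain(o);
    if (cache.valid && cache.name == name) {
        bool guardPasses = checkWholeChain ? chain == cache.chainIds : chain[0] == cache.chainIds[0];
        if (guardPasses)
            return false; // cached miss: jsUndefined() without the slow path
    }
    ++cache.slowPathCalls;
    if (slowGet(o, name, out))
        return true;
    cache.name = name;
    cache.chainIds = chain;
    cache.valid = true;
    return false;
}

// Chain-guarded stub: the miss is cached until proto gains "x", then the
// guard fails and the slow path finds 42.
static bool demoChainGuardedStub()
{
    Object proto; Object obj(&proto);
    MissCache cache; int v = 0;
    bool miss1 = !cachedGet(&obj, "x", cache, v, true); // slow path, records the miss
    bool miss2 = !cachedGet(&obj, "x", cache, v, true); // served from the cache
    proto.put("x", 42);                                  // proto transitions
    bool hit = cachedGet(&obj, "x", cache, v, true);     // guard fails, slow path runs
    return miss1 && miss2 && hit && v == 42 && cache.slowPathCalls == 2;
}

// Receiver-only guard: obj's own Structure never changed, so the stale miss
// is still served after proto gained "x".
static bool demoReceiverOnlyStubIsStale()
{
    Object proto; Object obj(&proto);
    MissCache cache; int v = 0;
    cachedGet(&obj, "x", cache, v, false);
    proto.put("x", 42);
    bool stillMiss = !cachedGet(&obj, "x", cache, v, false);
    return stillMiss && cache.slowPathCalls == 1;
}

int main() { return demoChainGuardedStub() && demoReceiverOnlyStubIsStale() ? 0 : 1; }
```

Both demo functions return true: the chain-guarded stub serves the second lookup from cache and falls back to the slow path as soon as the prototype changes, while the receiver-only guard reports undefined for a property that now exists.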
1312
1313 2014-08-05  Commit Queue  <commit-queue@webkit.org>
1314
1315         Unreviewed, rolling out r172009.
1316         https://bugs.webkit.org/show_bug.cgi?id=135627
1317
1318         "Commit landed on trunk instead of ftlopt branch." (Requested
1319         by saamyjoon on #webkit).
1320
1321         Reverted changeset:
1322
1323         "Create a more generic way for VMEntryScope to notify those
1324         interested that it will be destroyed"
1325         https://bugs.webkit.org/show_bug.cgi?id=135358
1326         http://trac.webkit.org/changeset/172009
1327
1328 2014-08-05  Alex Christensen  <achristensen@webkit.org>
1329
1330         More work on CMake.
1331         https://bugs.webkit.org/show_bug.cgi?id=135620
1332
1333         Reviewed by Laszlo Gombos.
1334
1335         * CMakeLists.txt:
1336         Added missing source files.
1337         * PlatformEfl.cmake:
1338         * PlatformGTK.cmake:
1339         Include glib directories and libraries to find glib.h in EventLoop.cpp.
1340         * PlatformMac.cmake:
1341         Moved STATICALLY_LINKED_WITH_WTF definition away from the common CMakeLists
1342         because it should not be defined on Windows.
1343         Added remote inspector source files.
1344
1345 2014-08-05  Peyton Randolph  <prandolph@apple.com>
1346
1347         Rename MAC_LONG_PRESS feature flag to LONG_MOUSE_PRESS.
1348         https://bugs.webkit.org/show_bug.cgi?id=135276
1349
1350         Reviewed by Beth Dakin.
1351
1352         * Configurations/FeatureDefines.xcconfig:
1353
1354 2014-08-04  Benjamin Poulain  <benjamin@webkit.org>
1355
1356         Add a flag for the CSS Selectors level 4 implementation
1357         https://bugs.webkit.org/show_bug.cgi?id=135535
1358
1359         Reviewed by Andreas Kling.
1360
1361         * Configurations/FeatureDefines.xcconfig:
1362
1363 2014-08-04  Alex Christensen  <achristensen@webkit.org>
1364
1365         Progress towards CMake on Mac.
1366         https://bugs.webkit.org/show_bug.cgi?id=135528
1367
1368         Reviewed by Gyuyoung Kim.
1369
1370         * CMakeLists.txt:
1371         Include necessary directories and copy all necessary forwarding headers.
1372         Only compile UDis86Disassembler.cpp if we're using UDIS86.
1373         * PlatformMac.cmake: Added.
1374         * tools/CodeProfiling.cpp:
1375         Compile fix.  Include sys/time.h on darwin, too.
1376
1377 2014-08-04  Saam Barati  <sbarati@apple.com>
1378
1379         Create a more generic way for VMEntryScope to notify those interested that it will be destroyed
1380         https://bugs.webkit.org/show_bug.cgi?id=135358
1381
1382         Reviewed by Geoffrey Garen.
1383
1384         When VMEntryScope is destroyed, and it has a flag set indicating that the
1385         Debugger needs to recompile all functions, it calls Debugger::recompileAllJSFunctions. 
1386         This flag is only used by Debugger to have VMEntryScope notify it when the
1387         Debugger is safe to recompile all functions. This patch will substitute this
1388         Debugger-specific recompilation flag with a list of callbacks that are notified 
1389         when the outermost VMEntryScope dies. This creates a general purpose interface 
1390         for being notified when the VM stops executing code via the event of the outermost 
1391         VMEntryScope dying.
1392
1393         * debugger/Debugger.cpp:
1394         (JSC::Debugger::recompileAllJSFunctions):
1395         * runtime/VMEntryScope.cpp:
1396         (JSC::VMEntryScope::VMEntryScope):
1397         (JSC::VMEntryScope::addEntryScopeDidPopListener):
1398         (JSC::VMEntryScope::~VMEntryScope):
1399         * runtime/VMEntryScope.h:
1400         (JSC::VMEntryScope::setRecompilationNeeded): Deleted.
1401
1402 2014-08-01  Carlos Alberto Lopez Perez  <clopez@igalia.com>
1403
1404         REGRESSION(r171942): [CMAKE] [GTK] build broken (clean build).
1405         https://bugs.webkit.org/show_bug.cgi?id=135522
1406
1407         Reviewed by Martin Robinson.
1408
1409         * CMakeLists.txt: Output the inspector headers inside inspector
1410         subdirectory.
1411
1412 2014-08-01  Mark Lam  <mark.lam@apple.com>
1413
1414         Add some structure related assertions.
1415         <https://webkit.org/b/135523>
1416
1417         Reviewed by Geoffrey Garen.
1418
1419         Adding 2 assertions:
1420         1. assert that we don't index past the end of the StructureIDTable.
1421            This should never happen, but this assertion will help catch bugs
1422            where a bad structureID gets passed in.
1423         2. assert that cells in MarkedBlock::callDestructor() that are not
1424            zapped should have a non-null StructureID.  This will help us catch
1425            bugs where the other cell header flag bits get set after the cell is
1426            zapped, thereby making the cell look like an unzapped cell but has a
1427            null structureID.
1428
1429         * heap/MarkedBlock.cpp:
1430         (JSC::MarkedBlock::callDestructor):
1431         * runtime/StructureIDTable.h:
1432         (JSC::StructureIDTable::get):
1433
1434 2014-08-01  Csaba Osztrogonác  <ossy@webkit.org>
1435
1436         URTBF after r171946 to fix non-Apple builds.
1437
1438         * bytecode/InlineCallFrameSet.cpp:
1439
1440 2014-08-01  Mark Hahnenberg  <mhahnenberg@apple.com>
1441
1442         CodeBlock fails to visit the Executables of its InlineCallFrames
1443         https://bugs.webkit.org/show_bug.cgi?id=135471
1444
1445         Reviewed by Geoffrey Garen.
1446
1447         CodeBlock needs to visit its InlineCallFrames' owner Executables. If it doesn't, they 
1448         can be prematurely collected and cause crashes.
1449
1450         * bytecode/CodeBlock.cpp:
1451         (JSC::CodeBlock::stronglyVisitStrongReferences):
1452         * bytecode/CodeOrigin.h:
1453         (JSC::InlineCallFrame::visitAggregate):
1454         * bytecode/InlineCallFrameSet.cpp:
1455         (JSC::InlineCallFrameSet::visitAggregate):
1456         * bytecode/InlineCallFrameSet.h:
1457
1458 2014-08-01  Alex Christensen  <achristensen@webkit.org>
1459
1460         Progress towards cmake on Windows.
1461         https://bugs.webkit.org/show_bug.cgi?id=135484
1462
1463         Reviewed by Martin Robinson.
1464
1465         * CMakeLists.txt:
1466         Generate code directly to inspector directory to avoid using the cp command
1467         which is not available on Windows.
1468         * PlatformWin.cmake: Added.
1469
1470 2014-07-31  Andreas Kling  <akling@apple.com>
1471
1472         Remove the JSC::OverridesVisitChildren flag.
1473         <https://webkit.org/b/135489>
1474
1475         Except for 3 special classes, the visitChildren() call is always
1476         dispatched through the method table (see SlotVisitor.cpp.)
1477
1478         The OverridesVisitChildren flag doesn't actually do anything.
1479         It could be used to implement a non-virtual direct call to
1480         JSCell::visitChildren, bypassing the method table for some objects,
1481         but such a micro-optimization seems like a weak trade for all this
1482         code complexity. Instead, just remove the flag.
1483
1484         This change frees up an inline flag bit in JSCell.
1485
1486         Reviewed by Geoffrey Garen.
1487
1488         * API/JSAPIWrapperObject.h:
1489         * API/JSAPIWrapperObject.mm:
1490         (JSC::JSAPIWrapperObject::visitChildren):
1491         * API/JSCallbackObject.h:
1492         (JSC::JSCallbackObject::visitChildren):
1493         * bytecode/UnlinkedCodeBlock.cpp:
1494         (JSC::UnlinkedFunctionExecutable::visitChildren):
1495         (JSC::UnlinkedCodeBlock::visitChildren):
1496         (JSC::UnlinkedProgramCodeBlock::visitChildren):
1497         * bytecode/UnlinkedCodeBlock.h:
1498         * debugger/DebuggerScope.cpp:
1499         (JSC::DebuggerScope::visitChildren):
1500         * debugger/DebuggerScope.h:
1501         * jsc.cpp:
1502         * runtime/Arguments.cpp:
1503         (JSC::Arguments::visitChildren):
1504         * runtime/Arguments.h:
1505         * runtime/Executable.cpp:
1506         (JSC::EvalExecutable::visitChildren):
1507         (JSC::ProgramExecutable::visitChildren):
1508         (JSC::FunctionExecutable::visitChildren):
1509         * runtime/Executable.h:
1510         * runtime/GetterSetter.cpp:
1511         (JSC::GetterSetter::visitChildren):
1512         * runtime/GetterSetter.h:
1513         (JSC::GetterSetter::createStructure):
1514         * runtime/JSAPIValueWrapper.h:
1515         (JSC::JSAPIValueWrapper::createStructure):
1516         * runtime/JSActivation.cpp:
1517         (JSC::JSActivation::visitChildren):
1518         * runtime/JSActivation.h:
1519         * runtime/JSArrayIterator.cpp:
1520         (JSC::JSArrayIterator::visitChildren):
1521         * runtime/JSArrayIterator.h:
1522         * runtime/JSBoundFunction.cpp:
1523         (JSC::JSBoundFunction::visitChildren):
1524         * runtime/JSBoundFunction.h:
1525         * runtime/JSCellInlines.h:
1526         (JSC::JSCell::setStructure):
1527         * runtime/JSFunction.cpp:
1528         (JSC::JSFunction::visitChildren):
1529         * runtime/JSFunction.h:
1530         * runtime/JSGlobalObject.cpp:
1531         (JSC::JSGlobalObject::visitChildren):
1532         * runtime/JSGlobalObject.h:
1533         * runtime/JSMap.h:
1534         * runtime/JSMapIterator.cpp:
1535         (JSC::JSMapIterator::visitChildren):
1536         * runtime/JSMapIterator.h:
1537         * runtime/JSNameScope.cpp:
1538         (JSC::JSNameScope::visitChildren):
1539         * runtime/JSNameScope.h:
1540         * runtime/JSPromise.cpp:
1541         (JSC::JSPromise::visitChildren):
1542         * runtime/JSPromise.h:
1543         * runtime/JSPromiseDeferred.cpp:
1544         (JSC::JSPromiseDeferred::visitChildren):
1545         * runtime/JSPromiseDeferred.h:
1546         * runtime/JSPromiseReaction.cpp:
1547         (JSC::JSPromiseReaction::visitChildren):
1548         * runtime/JSPromiseReaction.h:
1549         * runtime/JSPropertyNameIterator.cpp:
1550         (JSC::JSPropertyNameIterator::visitChildren):
1551         * runtime/JSPropertyNameIterator.h:
1552         * runtime/JSProxy.cpp:
1553         (JSC::JSProxy::visitChildren):
1554         * runtime/JSProxy.h:
1555         * runtime/JSScope.cpp:
1556         (JSC::JSScope::visitChildren):
1557         * runtime/JSScope.h:
1558         * runtime/JSSegmentedVariableObject.cpp:
1559         (JSC::JSSegmentedVariableObject::visitChildren):
1560         * runtime/JSSegmentedVariableObject.h:
1561         * runtime/JSSet.h:
1562         * runtime/JSSetIterator.cpp:
1563         (JSC::JSSetIterator::visitChildren):
1564         * runtime/JSSetIterator.h:
1565         * runtime/JSSymbolTableObject.cpp:
1566         (JSC::JSSymbolTableObject::visitChildren):
1567         * runtime/JSSymbolTableObject.h:
1568         * runtime/JSTypeInfo.h:
1569         (JSC::TypeInfo::overridesVisitChildren): Deleted.
1570         * runtime/JSWeakMap.h:
1571         * runtime/JSWithScope.cpp:
1572         (JSC::JSWithScope::visitChildren):
1573         * runtime/JSWithScope.h:
1574         * runtime/JSWrapperObject.cpp:
1575         (JSC::JSWrapperObject::visitChildren):
1576         * runtime/JSWrapperObject.h:
1577         * runtime/MapData.h:
1578         * runtime/NativeErrorConstructor.cpp:
1579         (JSC::NativeErrorConstructor::visitChildren):
1580         * runtime/NativeErrorConstructor.h:
1581         * runtime/PropertyMapHashTable.h:
1582         * runtime/PropertyTable.cpp:
1583         (JSC::PropertyTable::visitChildren):
1584         * runtime/RegExpConstructor.cpp:
1585         (JSC::RegExpConstructor::visitChildren):
1586         * runtime/RegExpConstructor.h:
1587         * runtime/RegExpMatchesArray.cpp:
1588         (JSC::RegExpMatchesArray::visitChildren):
1589         * runtime/RegExpMatchesArray.h:
1590         * runtime/RegExpObject.cpp:
1591         (JSC::RegExpObject::visitChildren):
1592         * runtime/RegExpObject.h:
1593         * runtime/SparseArrayValueMap.h:
1594         * runtime/Structure.cpp:
1595         (JSC::Structure::Structure):
1596         (JSC::Structure::visitChildren):
1597         * runtime/StructureChain.cpp:
1598         (JSC::StructureChain::visitChildren):
1599         * runtime/StructureChain.h:
1600         * runtime/StructureRareData.cpp:
1601         (JSC::StructureRareData::visitChildren):
1602         * runtime/StructureRareData.h:
1603         * runtime/WeakMapData.h:
1604
1605 2014-07-31  Mark Lam  <mark.lam@apple.com>
1606
1607         JSCell::classInfo() belongs in JSCellInlines.h.
1608         <https://webkit.org/b/135475>
1609
1610         Reviewed by Mark Hahnenberg.
1611
1612         * runtime/JSCellInlines.h:
1613         (JSC::JSCell::classInfo):
1614         * runtime/JSDestructibleObject.h:
1615         (JSC::JSCell::classInfo): Deleted.
1616
1617 2014-07-31  Tanay C  <tanay.c@samsung.com>
1618
1619         Build warning in webkit/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
1620         https://bugs.webkit.org/show_bug.cgi?id=135414
1621
1622         Reviewed by Csaba Osztrogonác.
1623
1624         * llint/LLIntSlowPaths.cpp:
1625         (JSC::LLInt::putToScopeCommon): Removed unused parameter from function definition.
1626
1627 2014-07-30  Filip Pizlo  <fpizlo@apple.com>
1628
1629         NewFunctionExpression and NewFunctionNoCheck should setHaveStructures(true)
1630         https://bugs.webkit.org/show_bug.cgi?id=135430
1631
1632         Reviewed by Mark Hahnenberg.
1633
1634         We already handled this correctly after the ftlopt merge, but it's useful to have the test.
1635
1636         * tests/stress/new-function-expression-has-structures.js: Added.
1637         (foo.f):
1638         (foo.f.prototype.f):
1639         (foo):
1640
1641 2014-07-30  Andreas Kling  <akling@apple.com>
1642
1643         Speculative Windows build fix.
1644
1645         Try to dllimport the dllexported global object HashTable.
1646
1647         * jsc.cpp:
1648         * testRegExp.cpp:
1649
1650 2014-07-30  Andreas Kling  <akling@apple.com>
1651
1652         PropertyName's internal string is always atomic.
1653         <https://webkit.org/b/135451>
1654
1655         Now that we've merged the JSC::Identifier and WTF::AtomicString tables,
1656         we know that any string that's an Identifier is guaranteed to be atomic.
1657
1658         A PropertyName can be either an Identifier or a PrivateName, and the
1659         private names are also guaranteed to be atomic internally.
1660
1661         Make PropertyName vend AtomicStringImpl* instead of StringImpl*.
1662
1663         Reviewed by Benjamin Poulain.
1664
1665         * runtime/PropertyName.h:
1666         (JSC::PropertyName::PropertyName):
1667         (JSC::PropertyName::uid):
1668         (JSC::PropertyName::publicName):
1669
1670 2014-07-30  Andy Estes  <aestes@apple.com>
1671
1672         USE(CONTENT_FILTERING) should be ENABLE(CONTENT_FILTERING)
1673         https://bugs.webkit.org/show_bug.cgi?id=135439
1674
1675         Reviewed by Tim Horton.
1676
1677         We now support two different platform content filters, and will soon support a mock content filter (as part of
1678         webkit.org/b/128858). This makes content filtering a feature of WebKit, not just an adoption of a third-party
1679         library. ENABLE() is the correct macro to use for such a feature.
1680
1681         * Configurations/FeatureDefines.xcconfig:
1682
1683 2014-07-30  Andreas Kling  <akling@apple.com>
1684
1685         Static hash tables no longer need to be coupled with a VM.
1686         <https://webkit.org/b/135421>
1687
1688         Now that the static hash tables are using char** instead of StringImpl**,
1689         it's no longer necessary to make them per-VM.
1690
1691         This patch removes the hook in ClassInfo for providing your own static
1692         hash table getter. Everyone now uses ClassInfo::staticPropHashTable.
1693         Most of this patch is tweaking ClassInfo construction sites to pass one
1694         less null pointer.
1695
1696         Also simplified Lookup.h to stop requiring ExecState/VM to access the
1697         static hash tables.
1698
1699         Reviewed by Geoffrey Garen.
1700
1701         * API/JSAPIWrapperObject.mm:
1702         * API/JSCallbackConstructor.cpp:
1703         * API/JSCallbackFunction.cpp:
1704         * API/JSCallbackObject.cpp:
1705         * API/ObjCCallbackFunction.mm:
1706         * bytecode/UnlinkedCodeBlock.cpp:
1707         * create_hash_table:
1708         * debugger/DebuggerScope.cpp:
1709         * inspector/JSInjectedScriptHost.cpp:
1710         * inspector/JSInjectedScriptHostPrototype.cpp:
1711         * inspector/JSJavaScriptCallFrame.cpp:
1712         * inspector/JSJavaScriptCallFramePrototype.cpp:
1713         * interpreter/CallFrame.h:
1714         (JSC::ExecState::arrayConstructorTable): Deleted.
1715         (JSC::ExecState::arrayPrototypeTable): Deleted.
1716         (JSC::ExecState::booleanPrototypeTable): Deleted.
1717         (JSC::ExecState::dataViewTable): Deleted.
1718         (JSC::ExecState::dateTable): Deleted.
1719         (JSC::ExecState::dateConstructorTable): Deleted.
1720         (JSC::ExecState::errorPrototypeTable): Deleted.
1721         (JSC::ExecState::globalObjectTable): Deleted.
1722         (JSC::ExecState::jsonTable): Deleted.
1723         (JSC::ExecState::numberConstructorTable): Deleted.
1724         (JSC::ExecState::numberPrototypeTable): Deleted.
1725         (JSC::ExecState::objectConstructorTable): Deleted.
1726         (JSC::ExecState::privateNamePrototypeTable): Deleted.
1727         (JSC::ExecState::regExpTable): Deleted.
1728         (JSC::ExecState::regExpConstructorTable): Deleted.
1729         (JSC::ExecState::regExpPrototypeTable): Deleted.
1730         (JSC::ExecState::stringConstructorTable): Deleted.
1731         (JSC::ExecState::promisePrototypeTable): Deleted.
1732         (JSC::ExecState::promiseConstructorTable): Deleted.
1733         * jsc.cpp:
1734         * parser/Lexer.h:
1735         (JSC::Keywords::isKeyword):
1736         (JSC::Keywords::getKeyword):
1737         * runtime/Arguments.cpp:
1738         * runtime/ArgumentsIteratorConstructor.cpp:
1739         * runtime/ArgumentsIteratorPrototype.cpp:
1740         * runtime/ArrayBufferNeuteringWatchpoint.cpp:
1741         * runtime/ArrayConstructor.cpp:
1742         (JSC::ArrayConstructor::getOwnPropertySlot):
1743         * runtime/ArrayIteratorConstructor.cpp:
1744         * runtime/ArrayIteratorPrototype.cpp:
1745         * runtime/ArrayPrototype.cpp:
1746         (JSC::ArrayPrototype::getOwnPropertySlot):
1747         * runtime/BooleanConstructor.cpp:
1748         * runtime/BooleanObject.cpp:
1749         * runtime/BooleanPrototype.cpp:
1750         (JSC::BooleanPrototype::getOwnPropertySlot):
1751         * runtime/ClassInfo.h:
1752         (JSC::ClassInfo::hasStaticProperties):
1753         (JSC::ClassInfo::propHashTable): Deleted.
1754         * runtime/ConsolePrototype.cpp:
1755         * runtime/CustomGetterSetter.cpp:
1756         * runtime/DateConstructor.cpp:
1757         (JSC::DateConstructor::getOwnPropertySlot):
1758         * runtime/DateInstance.cpp:
1759         * runtime/DatePrototype.cpp:
1760         (JSC::DatePrototype::getOwnPropertySlot):
1761         * runtime/Error.cpp:
1762         * runtime/ErrorConstructor.cpp:
1763         * runtime/ErrorInstance.cpp:
1764         * runtime/ErrorPrototype.cpp:
1765         (JSC::ErrorPrototype::getOwnPropertySlot):
1766         * runtime/ExceptionHelpers.cpp:
1767         * runtime/Executable.cpp:
1768         * runtime/FunctionConstructor.cpp:
1769         * runtime/FunctionPrototype.cpp:
1770         * runtime/GetterSetter.cpp:
1771         * runtime/InternalFunction.cpp:
1772         * runtime/JSAPIValueWrapper.cpp:
1773         * runtime/JSActivation.cpp:
1774         * runtime/JSArgumentsIterator.cpp:
1775         * runtime/JSArray.cpp:
1776         * runtime/JSArrayBuffer.cpp:
1777         * runtime/JSArrayBufferConstructor.cpp:
1778         * runtime/JSArrayBufferPrototype.cpp:
1779         * runtime/JSArrayBufferView.cpp:
1780         * runtime/JSArrayIterator.cpp:
1781         * runtime/JSBoundFunction.cpp:
1782         * runtime/JSConsole.cpp:
1783         * runtime/JSDataView.cpp:
1784         * runtime/JSDataViewPrototype.cpp:
1785         (JSC::JSDataViewPrototype::getOwnPropertySlot):
1786         * runtime/JSFunction.cpp:
1787         * runtime/JSGlobalObject.cpp:
1788         (JSC::JSGlobalObject::getOwnPropertySlot):
1789         * runtime/JSMap.cpp:
1790         * runtime/JSMapIterator.cpp:
1791         * runtime/JSNameScope.cpp:
1792         * runtime/JSNotAnObject.cpp:
1793         * runtime/JSONObject.cpp:
1794         (JSC::JSONObject::getOwnPropertySlot):
1795         * runtime/JSObject.cpp:
1796         (JSC::getClassPropertyNames):
1797         (JSC::JSObject::put):
1798         (JSC::JSObject::deleteProperty):
1799         (JSC::JSObject::findPropertyHashEntry):
1800         (JSC::JSObject::reifyStaticFunctionsForDelete):
1801         * runtime/JSObject.h:
1802         * runtime/JSPromise.cpp:
1803         * runtime/JSPromiseConstructor.cpp:
1804         (JSC::JSPromiseConstructor::getOwnPropertySlot):
1805         * runtime/JSPromiseDeferred.cpp:
1806         * runtime/JSPromisePrototype.cpp:
1807         (JSC::JSPromisePrototype::getOwnPropertySlot):
1808         * runtime/JSPromiseReaction.cpp:
1809         * runtime/JSPropertyNameIterator.cpp:
1810         * runtime/JSProxy.cpp:
1811         * runtime/JSSet.cpp:
1812         * runtime/JSSetIterator.cpp:
1813         * runtime/JSString.cpp:
1814         * runtime/JSTypedArrayConstructors.cpp:
1815         * runtime/JSTypedArrayPrototypes.cpp:
1816         * runtime/JSTypedArrays.cpp:
1817         * runtime/JSVariableObject.cpp:
1818         * runtime/JSWeakMap.cpp:
1819         * runtime/JSWithScope.cpp:
1820         * runtime/Lookup.cpp:
1821         (JSC::HashTable::createTable):
1822         * runtime/Lookup.h:
1823         (JSC::HashTable::initializeIfNeeded):
1824         (JSC::HashTable::entry):
1825         (JSC::HashTable::begin):
1826         (JSC::HashTable::end):
1827         (JSC::getStaticPropertySlot):
1828         (JSC::getStaticFunctionSlot):
1829         (JSC::getStaticValueSlot):
1830         (JSC::lookupPut):
1831         * runtime/MapConstructor.cpp:
1832         * runtime/MapData.cpp:
1833         * runtime/MapIteratorConstructor.cpp:
1834         * runtime/MapIteratorPrototype.cpp:
1835         * runtime/MapPrototype.cpp:
1836         * runtime/MathObject.cpp:
1837         * runtime/NameConstructor.cpp:
1838         * runtime/NameInstance.cpp:
1839         * runtime/NamePrototype.cpp:
1840         (JSC::NamePrototype::getOwnPropertySlot):
1841         * runtime/NativeErrorConstructor.cpp:
1842         * runtime/NumberConstructor.cpp:
1843         (JSC::NumberConstructor::getOwnPropertySlot):
1844         * runtime/NumberObject.cpp:
1845         * runtime/NumberPrototype.cpp:
1846         (JSC::NumberPrototype::getOwnPropertySlot):
1847         * runtime/ObjectConstructor.cpp:
1848         (JSC::ObjectConstructor::getOwnPropertySlot):
1849         * runtime/ObjectPrototype.cpp:
1850         * runtime/PropertyTable.cpp:
1851         * runtime/RegExp.cpp:
1852         * runtime/RegExpConstructor.cpp:
1853         (JSC::RegExpConstructor::getOwnPropertySlot):
1854         * runtime/RegExpMatchesArray.cpp:
1855         * runtime/RegExpObject.cpp:
1856         (JSC::RegExpObject::getOwnPropertySlot):
1857         * runtime/RegExpPrototype.cpp:
1858         (JSC::RegExpPrototype::getOwnPropertySlot):
1859         * runtime/SetConstructor.cpp:
1860         * runtime/SetIteratorConstructor.cpp:
1861         * runtime/SetIteratorPrototype.cpp:
1862         * runtime/SetPrototype.cpp:
1863         * runtime/SparseArrayValueMap.cpp:
1864         * runtime/StrictEvalActivation.cpp:
1865         * runtime/StringConstructor.cpp:
1866         (JSC::StringConstructor::getOwnPropertySlot):
1867         * runtime/StringObject.cpp:
1868         * runtime/StringPrototype.cpp:
1869         * runtime/Structure.cpp:
1870         (JSC::Structure::Structure):
1871         (JSC::Structure::freezeTransition):
1872         (JSC::ClassInfo::hasStaticSetterOrReadonlyProperties):
1873         * runtime/StructureChain.cpp:
1874         * runtime/StructureRareData.cpp:
1875         * runtime/SymbolTable.cpp:
1876         * runtime/VM.cpp:
1877         (JSC::VM::VM):
1878         (JSC::VM::~VM):
1879         * runtime/VM.h:
1880         * runtime/WeakMapConstructor.cpp:
1881         * runtime/WeakMapData.cpp:
1882         * runtime/WeakMapPrototype.cpp:
1883         * testRegExp.cpp:
1884
1885 2014-07-29  Brent Fulgham  <bfulgham@apple.com>
1886
1887         [Win] Modify version numbering scheme to support 5-tuple versions
1888         https://bugs.webkit.org/show_bug.cgi?id=135400
1889         <rdar://problem/17849033>
1890
1891         Reviewed by David Kilzer.
1892
1893         * JavaScriptCore.vcxproj/JavaScriptCorePostBuild.cmd: Use the
1894         new version-stamp.pl script to version JavaScriptCore.dll.
1895
1896 2014-07-29  Daniel Bates  <dabates@apple.com>
1897
1898         Use WTF::move() instead of std::move() to help ensure move semantics
1899         https://bugs.webkit.org/show_bug.cgi?id=135351
1900
1901         Reviewed by Alexey Proskuryakov.
1902
1903         * bytecode/GetByIdStatus.cpp:
1904         (JSC::GetByIdStatus::computeForStubInfo):
1905         * bytecode/GetByIdVariant.cpp:
1906         (JSC::GetByIdVariant::GetByIdVariant):
1907
1908 2014-07-28  Tamas Gergely  <tgergely.u-szeged@partner.samsung.com>
1909
1910         BuildFix: JavaScriptCore/bytecode/StructureSet.h:262:77: warning.
1911         https://bugs.webkit.org/show_bug.cgi?id=135287
1912
1913         Reviewed by Darin Adler.
1914
1915         The set() method tries to use a part of the old value (the reservedFlag bit) which
1916         was not defined when the constructor is called. Initialize m_pointer to 0 explicitly.
1917
1918         * bytecode/StructureSet.h:
1919         (JSC::StructureSet::StructureSet):
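        The pattern behind this fix, as an added example that is not the project's code: a hypothetical
        tagged-pointer set whose set() carries a reserved low bit over from the previous value, so the
        member must have a defined value before the first set(). The names (TaggedPointerSet, Structure,
        the helper functions) are constructed for illustration only.

```cpp
#include <cstdint>
#include <cstdio>

// Hypothetical payload type; 8-byte alignment keeps the low bit of its
// address free for use as a flag.
struct alignas(8) Structure {
    int id;
};

// Stand-in for a set that stores a single pointer plus one reserved flag bit
// in the same word (not JSC's real StructureSet).
class TaggedPointerSet {
public:
    static const uintptr_t reservedFlag = 1;

    // The fix: give m_pointer a defined value before anything reads it.
    // Leaving it uninitialized made the "m_pointer & reservedFlag" read in
    // set() undefined behaviour and produced the compiler warning.
    TaggedPointerSet()
        : m_pointer(0)
    {
    }

    explicit TaggedPointerSet(Structure* structure)
        : m_pointer(0)
    {
        set(structure);
    }

    // Replace the stored pointer while preserving the reserved flag bit.
    void set(Structure* structure)
    {
        m_pointer = (m_pointer & reservedFlag) | reinterpret_cast<uintptr_t>(structure);
    }

    void setReservedFlag(bool on)
    {
        if (on)
            m_pointer |= reservedFlag;
        else
            m_pointer &= ~reservedFlag;
    }

    bool isReservedFlagSet() const { return m_pointer & reservedFlag; }
    Structure* singleton() const { return reinterpret_cast<Structure*>(m_pointer & ~reservedFlag); }
    bool isEmpty() const { return !singleton(); }

private:
    uintptr_t m_pointer;
};

// Constructed sample payloads for the self-checks below.
static Structure g_structureA = { 1 };
static Structure g_structureB = { 2 };

// A freshly constructed set must be empty with the flag clear; with an
// uninitialized member this would depend on whatever was in memory.
bool freshSetHasClearFlag()
{
    TaggedPointerSet set;
    return set.isEmpty() && !set.isReservedFlagSet();
}

// set() must keep a flag that was already on while swapping the pointer.
bool setPreservesReservedFlag()
{
    TaggedPointerSet set(&g_structureA);
    set.setReservedFlag(true);
    set.set(&g_structureB);
    return set.singleton() == &g_structureB && set.isReservedFlagSet();
}

// set() must not invent a flag that was never turned on.
bool setDoesNotInventFlag()
{
    TaggedPointerSet set(&g_structureA);
    set.set(&g_structureB);
    return set.singleton() == &g_structureB && !set.isReservedFlagSet();
}

int main()
{
    std::printf("fresh clear: %d, preserves: %d, no invent: %d\n",
        freshSetHasClearFlag(), setPreservesReservedFlag(), setDoesNotInventFlag());
    return 0;
}
```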
1920
1921 2014-07-28  Benjamin Poulain  <bpoulain@apple.com>
1922
1923         [JSC] JIT::assertStackPointerOffset() crashes on ARM64
1924         https://bugs.webkit.org/show_bug.cgi?id=135316
1925
1926         Reviewed by Geoffrey Garen.
1927
1928         JIT::assertStackPointerOffset() does a compare between an arbitrary register
1929         and the stack pointer. This was not supported by the ARM64 assembler.
1930
1931         There is no variation that can take a stack pointer for Xd. There is one version of subs
1932         that can take a stack pointer, but only for the Xn: the shift+extend one.
1933         To solve the problem, I changed cmp to swap the registers if necessary, and I fixed
1934         the implementation of sub.
1935
1936         * assembler/ARM64Assembler.h:
1937         (JSC::ARM64Assembler::sub):
1938         In the generic sub(reg, reg), I added assertions to catch the condition that cannot be generated
1939         with either version of sub.
1940
1941         In sub(with shift), I removed the weird special case for SP. First, it was quite misleading because
1942         the Rd case only works if "setflag == false". The other confusing part is that going to addSubtractShiftedRegister()
1943         gives you a reduced shift range, which could create subtle bugs that only appear when SP is used.
1944
1945         Since I removed the weird case, I need to differentiate between the sub() that supports SP, and the one that does
1946         not elsewhere. That is why that branch has moved to the generic sub(reg, reg). Since at that point we know
1947         the shift value must be zero, it is safe to call either variant.
1948
1949         * assembler/MacroAssemblerARM64.h:
1950         (JSC::MacroAssemblerARM64::branch64):
1951         With the changes described above, we can now use SP for the left register. What do we do if the rightmost
1952         register is SP?
1953
1954         For the case of JIT::assertStackPointerOffset(), the comparison is Equal so the order really does not matter,
1955         we just switch the registers before generating the instruction.
1956
1957         For the generic case, just move the value of SP to a GPR before doing the CMP.
1958
1959 2014-07-28  Brian J. Burg  <burg@cs.washington.edu>
1960
1961         Unreviewed build fix after r171682.
1962
1963         * replay/EncodedValue.h: Don't mark the inlined Vector<char> specialization
1964         as an exported symbol.
1965
1966 2014-07-28  Mark Hahnenberg  <mhahnenberg@apple.com>
1967
1968         REGRESSION: JSObjectSetPrototype() does not work on result of JSGetGlobalObject()
1969         https://bugs.webkit.org/show_bug.cgi?id=135322
1970
1971         Reviewed by Oliver Hunt.
1972
1973         The prototype chain of the JSProxy object should match that of the JSGlobalObject. 
1974
1975         This is a separate but related issue with JSObjectSetPrototype which doesn't correctly 
1976         account for JSProxies. I also audited the rest of the C API to check that we correctly 
1977         handle JSProxies in all other situations where we expect a JSCallbackObject of some sort
1978         and found some SPI calls (JSObject*PrivateProperty) that didn't behave correctly when 
1979         passed a JSProxy.
1980
1981         I also added some new tests for these cases.
1982
1983         * API/JSObjectRef.cpp:
1984         (JSObjectSetPrototype):
1985         (JSObjectGetPrivateProperty):
1986         (JSObjectSetPrivateProperty):
1987         (JSObjectDeletePrivateProperty):
1988         * API/JSWeakObjectMapRefPrivate.cpp:
1989         * API/tests/CustomGlobalObjectClassTest.c:
1990         (globalObjectSetPrototypeTest):
1991         (globalObjectPrivatePropertyTest):
1992         * API/tests/CustomGlobalObjectClassTest.h:
1993         * API/tests/testapi.c:
1994         (main):
1995
1996 2014-07-28  Filip Pizlo  <fpizlo@apple.com>
1997
1998         Make sure that we don't use non-speculative BooleanToNumber for a speculative Branch
1999         https://bugs.webkit.org/show_bug.cgi?id=135350
2000         <rdar://problem/17509889>
2001
2002         Reviewed by Mark Hahnenberg and Oliver Hunt.
2003         
2004         If we have an exiting node that uses a conversion node, then that exiting node
2005         needs to have a Phantom after it for the original node. But we can't do that
2006         for Branch because https://bugs.webkit.org/show_bug.cgi?id=126778.
2007
2008         * dfg/DFGFixupPhase.cpp:
2009         (JSC::DFG::FixupPhase::fixupNode):
2010         (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
2011         * tests/stress/branch-check-int32-on-boolean-to-number-untyped.js: Added.
2012         (foo):
2013         (test):
2014         * tests/stress/branch-check-number-on-boolean-to-number-untyped.js: Added.
2015         (foo):
2016         (test):
2017
2018 2014-07-28  Joseph Pecoraro  <pecoraro@apple.com>
2019
2020         JSContext Inspector: crash when using step-into
2021         https://bugs.webkit.org/show_bug.cgi?id=135345
2022
2023         Reviewed by Timothy Hatcher.
2024
2025         * inspector/agents/InspectorDebuggerAgent.cpp:
2026         (Inspector::InspectorDebuggerAgent::stepInto):
2027         Null check m_listener since it may not be set.
2028
2029 2014-07-28  Brian J. Burg  <burg@cs.washington.edu>
2030
2031         Web Replay: auto-decoding of parameterized vector's elements is incorrect
2032         https://bugs.webkit.org/show_bug.cgi?id=135343
2033
2034         Reviewed by Timothy Hatcher.
2035
2036         Fix an incorrect type argument in EncodingTraits<Vector<T>>::encodeValue
2037         that was using the element's decoded type as the type parameter to
2038         EncodedValue::append<T>. It should instead be the raw type T. This
2039         causes problems when encoding Vector<RefPtr<T>>, as it later tries to
2040         use encoding traits for RefPtr<T> rather than for T.
2041
2042         Fix incorrect generated encoding traits argument for vectors of
2043         RefCounted objects. Updated test to cover this scenario.
2044
2045         * replay/scripts/CodeGeneratorReplayInputs.py:
2046         (Type.encoding_type_argument):
2047         (VectorType.type_name):
2048         (VectorType):
2049         (VectorType.encoding_type_argument):
2050         (Generator.generate_input_encode_implementation):
2051         (Generator.generate_input_decode_implementation):
2052         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp:
2053         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h:
2054         * replay/scripts/tests/generate-input-with-vector-members.json: Updated.
2055
2056 2014-07-28  Brian J. Burg  <burg@cs.washington.edu>
2057
2058         Web Replay: incorrect serialization code generated for enum classes inside class scope
2059         https://bugs.webkit.org/show_bug.cgi?id=135342
2060
2061         Reviewed by Timothy Hatcher.
2062
2063         If an enum class is defined inside of a class scope, then the enum class
2064         cannot be forward-declared and the relevant header should be included.
2065         Some generated code used incorrectly-scoped enum values in this situation.
2066
2067         * replay/scripts/CodeGeneratorReplayInputs.py:
2068         (Generator.generate_includes.declaration.is):
2069         (Generator.generate_enum_trait_implementation.is):
2070         (Generator.generate_enum_trait_implementation):
2071
2072         Tests:
2073
2074         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Rebaselined.
2075         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Rebaselined.
2076         * replay/scripts/tests/generate-enums-with-same-base-name.json: Add enum
2077         class types to this test case.
2078
2079 2014-07-28  Brian J. Burg  <burg@cs.washington.edu>
2080
2081         Web Replay: vectors of characters should be base64-encoded
2082         https://bugs.webkit.org/show_bug.cgi?id=135341
2083
2084         Reviewed by Timothy Hatcher.
2085
2086         Without this specialization, encode/decode methods try to create an
2087         array of single characters in JSON, rather than treating the
2088         vector as a binary blob.
2089
2090         * replay/EncodedValue.cpp:
2091         (JSC::EncodingTraits<Vector<char>>::encodeValue): Added.
2092         (JSC::EncodingTraits<Vector<char>>::decodeValue): Added.
2093         * replay/EncodedValue.h:
2094
2095 2014-07-28  Brent Fulgham  <bfulgham@apple.com>
2096
2097         [Win] Unreviewed build fix.
2098
2099         * JavaScriptCore.vcxproj/JavaScriptCore.proj: Switch from the 'Rebuild' target for MSBuild
2100         builds to the 'Build' target to avoid a spurious 'clean' in between build steps.
2101
2102 2014-07-27  Ryuan Choi  <ryuan.choi@samsung.com>
2103
2104         Unreviewed build fix on the EFL port
2105
2106         Build break because of -Werror=return-type
2107
2108         * bytecode/PutByIdVariant.cpp:
2109         (JSC::PutByIdVariant::oldStructureForTransition):
2110         * dfg/DFGValueStrength.h:
2111         (JSC::DFG::merge):
2112
2113 2014-07-27  Filip Pizlo  <fpizlo@apple.com>
2114
2115         [REGRESSION][ftlopt merge][32-bit] stress/prune-multi-put-by-offset-replace-or-transition-variant.js.dfg-eager hits an assertion in SpeculativeJIT::silentSavePlanForGPR
2116         https://bugs.webkit.org/show_bug.cgi?id=135323
2117
2118         Reviewed by Oliver Hunt.
2119         
2120         SpeculativeJIT::silentSavePlanForGPR likes to believe that if a node is a constant,
2121         then it's a constant that can be represented using that node's current DataFormat.
2122         This doesn't work if the constant had been filled as a JSValue, and then one of the
2123         fillSpeculateBlah() methods had speculated that it's of some type that the constant
2124         isn't. Unless fillSpeculateBlah() specifically defends against this case, we'll have
2125         a constant that claims to have a contradictory data format.
2126         
2127         This patch fixes such a bug in the 32-bit fillSpeculateCell(). The 64-bit
2128         fillSpeculateCell() appears to not have this bug, but I added a similar defense
2129         mechanism anyway just in case, since this is one of those mistakes that keeps
2130         reappearing.
2131
2132         * dfg/DFGSpeculativeJIT.cpp:
2133         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
2134         * dfg/DFGSpeculativeJIT32_64.cpp:
2135         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2136         * dfg/DFGSpeculativeJIT64.cpp:
2137         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2138
2139 2014-07-27  Filip Pizlo  <fpizlo@apple.com>
2140
2141         Merge r170090, r170092, r170129, r170141, r170161, r170215, r170275, r170375, r170376, r170382, r170383, r170399, r170436, r170489, r170490, r170556 from ftlopt.
2142         
2143         This fixes the previous mismerge and adds test coverage for the thing that went wrong.
2144         
2145         Additional changes listed here:
2146
2147         * jsc.cpp:
2148         (functionHasCustomProperties): Expose a way of checking hasCustomProperties(), which the DOM relies on. The regression I previously introduced was because this didn't work right. Now we can test it!
2149         * runtime/Structure.cpp:
2150         (JSC::Structure::Structure): This was supposed to be setDidTransition(true); the last merge had it set to false.
2151         * tests/stress/has-custom-properties.js: Added. This test failed with the mismerge.
2152
2153     2014-06-27  Michael Saboff  <msaboff@apple.com>
2154     
2155             Unreviewed build fix after r169795.
2156     
2157             Fixed ASSERT for 32 bit build.
2158     
2159             * dfg/DFGSpeculativeJIT.cpp:
2160             (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
2161     
2162     2014-06-24  Saam Barati  <sbarati@apple.com>
2163     
2164             Web Inspector: debugger should be able to show variable types
2165             https://bugs.webkit.org/show_bug.cgi?id=133395
2166     
2167             Reviewed by Filip Pizlo.
2168     
2169             Increase the amount of type information the VM gathers when directed
2170             to do so. This initial commit is working towards the goal of
2171             capturing, and then showing (via the Web Inspector) type information for all
2172             assignment and load operations. This patch doesn't have the feature fully 
2173             implemented, but it ensures the VM has no performance regressions
2174             unless the feature is specifically turned on.
2175     
2176             * JavaScriptCore.xcodeproj/project.pbxproj:
2177             * bytecode/BytecodeList.json:
2178             * bytecode/BytecodeUseDef.h:
2179             (JSC::computeUsesForBytecodeOffset):
2180             (JSC::computeDefsForBytecodeOffset):
2181             * bytecode/CodeBlock.cpp:
2182             (JSC::CodeBlock::dumpBytecode):
2183             (JSC::CodeBlock::CodeBlock):
2184             (JSC::CodeBlock::finalizeUnconditionally):
2185             * bytecode/CodeBlock.h:
2186             * bytecode/Instruction.h:
2187             * bytecode/TypeLocation.h: Added.
2188             (JSC::TypeLocation::TypeLocation):
2189             * bytecompiler/BytecodeGenerator.cpp:
2190             (JSC::BytecodeGenerator::emitMove):
2191             (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
2192             (JSC::BytecodeGenerator::emitPutToScope):
2193             (JSC::BytecodeGenerator::emitPutById):
2194             (JSC::BytecodeGenerator::emitPutByVal):
2195             * bytecompiler/BytecodeGenerator.h:
2196             (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity):
2197             * bytecompiler/NodesCodegen.cpp:
2198             (JSC::PostfixNode::emitResolve):
2199             (JSC::PrefixNode::emitResolve):
2200             (JSC::ReadModifyResolveNode::emitBytecode):
2201             (JSC::AssignResolveNode::emitBytecode):
2202             (JSC::ConstDeclNode::emitCodeSingle):
2203             (JSC::ForInNode::emitBytecode):
2204             * heap/Heap.cpp:
2205             (JSC::Heap::collect):
2206             * inspector/agents/InspectorRuntimeAgent.cpp:
2207             (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange):
2208             * inspector/agents/InspectorRuntimeAgent.h:
2209             * inspector/protocol/Runtime.json:
2210             * jsc.cpp:
2211             (GlobalObject::finishCreation):
2212             (functionDumpTypesForAllVariables):
2213             * llint/LLIntSlowPaths.cpp:
2214             (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2215             (JSC::LLInt::putToScopeCommon):
2216             * llint/LLIntSlowPaths.h:
2217             * llint/LowLevelInterpreter.asm:
2218             * runtime/HighFidelityLog.cpp: Added.
2219             (JSC::HighFidelityLog::initializeHighFidelityLog):
2220             (JSC::HighFidelityLog::~HighFidelityLog):
2221             (JSC::HighFidelityLog::recordTypeInformationForLocation):
2222             (JSC::HighFidelityLog::processHighFidelityLog):
2223             (JSC::HighFidelityLog::actuallyProcessLogThreadFunction):
2224             * runtime/HighFidelityLog.h: Added.
2225             (JSC::HighFidelityLog::HighFidelityLog):
2226             * runtime/HighFidelityTypeProfiler.cpp: Added.
2227             (JSC::HighFidelityTypeProfiler::getTypesForVariableInRange):
2228             (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableInRange):
2229             (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableInRange):
2230             (JSC::HighFidelityTypeProfiler::insertNewLocation):
2231             (JSC::HighFidelityTypeProfiler::getLocationBasedHash):
2232             * runtime/HighFidelityTypeProfiler.h: Added.
2233             * runtime/Options.h:
2234             * runtime/Structure.cpp:
2235             (JSC::Structure::toStructureShape):
2236             * runtime/Structure.h:
2237             * runtime/SymbolTable.cpp:
2238             (JSC::SymbolTable::SymbolTable):
2239             (JSC::SymbolTable::cloneCapturedNames):
2240             (JSC::SymbolTable::uniqueIDForVariable):
2241             (JSC::SymbolTable::uniqueIDForRegister):
2242             (JSC::SymbolTable::globalTypeSetForRegister):
2243             (JSC::SymbolTable::globalTypeSetForVariable):
2244             * runtime/SymbolTable.h:
2245             (JSC::SymbolTable::add):
2246             (JSC::SymbolTable::set):
2247             * runtime/TypeSet.cpp: Added.
2248             (JSC::TypeSet::TypeSet):
2249             (JSC::TypeSet::getRuntimeTypeForValue):
2250             (JSC::TypeSet::addTypeForValue):
2251             (JSC::TypeSet::removeDuplicatesInStructureHistory):
2252             (JSC::TypeSet::seenTypes):
2253             (JSC::TypeSet::dumpSeenTypes):
2254             (JSC::StructureShape::StructureShape):
2255             (JSC::StructureShape::markAsFinal):
2256             (JSC::StructureShape::addProperty):
2257             (JSC::StructureShape::propertyHash):
2258             (JSC::StructureShape::leastUpperBound):
2259             (JSC::StructureShape::stringRepresentation):
2260             * runtime/TypeSet.h: Added.
2261             (JSC::StructureShape::create):
2262             (JSC::TypeSet::create):
2263             * runtime/VM.cpp:
2264             (JSC::VM::VM):
2265             (JSC::VM::getTypesForVariableInRange):
2266             (JSC::VM::updateHighFidelityTypeProfileState):
2267             (JSC::VM::dumpHighFidelityProfilingTypes):
2268             * runtime/VM.h:
2269             (JSC::VM::isProfilingTypesWithHighFidelity):
2270             (JSC::VM::highFidelityLog):
2271             (JSC::VM::highFidelityTypeProfiler):
2272             (JSC::VM::nextLocation):
2273             (JSC::VM::getNextUniqueVariableID):
2274     
2275     2014-06-26  Mark Lam  <mark.lam@apple.com>
2276     
2277             Remove unused instantiation of the WithScope structure.
2278             <https://webkit.org/b/134331>
2279     
2280             Reviewed by Oliver Hunt.
2281     
2282             The WithScope structure instance in the VM is unused, and is now removed.
2283     
2284             * runtime/VM.cpp:
2285             (JSC::VM::VM):
2286             * runtime/VM.h:
2287     
2288     2014-06-25  Mark Hahnenberg  <mhahnenberg@apple.com>
2289     
2290             Structure bit fields should have a consistent format
2291             https://bugs.webkit.org/show_bug.cgi?id=134307
2292     
2293             Reviewed by Filip Pizlo.
2294     
2295             Currently we use C-style bit fields for a number of member variables in Structure to save space. 
2296             This makes it difficult to load these fields in the JIT. We should instead use our own bitfield 
2297             format to make it easy to load and test these variables in JIT code.
2298     
2299             * runtime/JSObject.cpp:
2300             (JSC::JSObject::putDirectNonIndexAccessor):
2301             (JSC::JSObject::reifyStaticFunctionsForDelete):
2302             * runtime/Structure.cpp:
2303             (JSC::StructureTransitionTable::contains):
2304             (JSC::StructureTransitionTable::get):
2305             (JSC::StructureTransitionTable::add):
2306             (JSC::Structure::Structure):
2307             (JSC::Structure::materializePropertyMap):
2308             (JSC::Structure::addPropertyTransition):
2309             (JSC::Structure::despecifyFunctionTransition):
2310             (JSC::Structure::toDictionaryTransition):
2311             (JSC::Structure::freezeTransition):
2312             (JSC::Structure::preventExtensionsTransition):
2313             (JSC::Structure::takePropertyTableOrCloneIfPinned):
2314             (JSC::Structure::nonPropertyTransition):
2315             (JSC::Structure::flattenDictionaryStructure):
2316             (JSC::Structure::addPropertyWithoutTransition):
2317             (JSC::Structure::pin):
2318             (JSC::Structure::allocateRareData):
2319             (JSC::Structure::cloneRareDataFrom):
2320             (JSC::Structure::getConcurrently):
2321             (JSC::Structure::putSpecificValue):
2322             (JSC::Structure::getPropertyNamesFromStructure):
2323             (JSC::Structure::visitChildren):
2324             (JSC::Structure::checkConsistency):
2325             * runtime/Structure.h:
2326             (JSC::Structure::isExtensible):
2327             (JSC::Structure::isDictionary):
2328             (JSC::Structure::isUncacheableDictionary):
2329             (JSC::Structure::propertyAccessesAreCacheable):
2330             (JSC::Structure::previousID):
2331             (JSC::Structure::setHasGetterSetterPropertiesWithProtoCheck):
2332             (JSC::Structure::setContainsReadOnlyProperties):
2333             (JSC::Structure::disableSpecificFunctionTracking):
2334             (JSC::Structure::objectToStringValue):
2335             (JSC::Structure::setObjectToStringValue):
2336             (JSC::Structure::setPreviousID):
2337             (JSC::Structure::clearPreviousID):
2338             (JSC::Structure::previous):
2339             (JSC::Structure::rareData):
2340             (JSC::Structure::didTransition): Deleted.
2341             (JSC::Structure::hasGetterSetterProperties): Deleted.
2342             (JSC::Structure::hasReadOnlyOrGetterSetterPropertiesExcludingProto): Deleted.
2343             (JSC::Structure::setHasGetterSetterProperties): Deleted.
2344             (JSC::Structure::hasNonEnumerableProperties): Deleted.
2345             (JSC::Structure::staticFunctionsReified): Deleted.
2346             (JSC::Structure::setStaticFunctionsReified): Deleted.
2347             * runtime/StructureInlines.h:
2348             (JSC::Structure::setEnumerationCache):
2349             (JSC::Structure::enumerationCache):
2350             (JSC::Structure::checkOffsetConsistency):
2351     
2352     2014-06-24  Mark Lam  <mark.lam@apple.com>
2353     
2354             [ftlopt] Renamed DebuggerActivation to DebuggerScope.
2355             <https://webkit.org/b/134273>
2356     
2357             Reviewed by Michael Saboff.
2358     
2359             * CMakeLists.txt:
2360             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2361             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2362             * JavaScriptCore.xcodeproj/project.pbxproj:
2363             * debugger/DebuggerActivation.cpp: Removed.
2364             * debugger/DebuggerActivation.h: Removed.
2365             * debugger/DebuggerScope.cpp: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.cpp.
2366             (JSC::DebuggerScope::DebuggerScope):
2367             (JSC::DebuggerScope::finishCreation):
2368             (JSC::DebuggerScope::visitChildren):
2369             (JSC::DebuggerScope::className):
2370             (JSC::DebuggerScope::getOwnPropertySlot):
2371             (JSC::DebuggerScope::put):
2372             (JSC::DebuggerScope::deleteProperty):
2373             (JSC::DebuggerScope::getOwnPropertyNames):
2374             (JSC::DebuggerScope::defineOwnProperty):
2375             (JSC::DebuggerActivation::DebuggerActivation): Deleted.
2376             (JSC::DebuggerActivation::finishCreation): Deleted.
2377             (JSC::DebuggerActivation::visitChildren): Deleted.
2378             (JSC::DebuggerActivation::className): Deleted.
2379             (JSC::DebuggerActivation::getOwnPropertySlot): Deleted.
2380             (JSC::DebuggerActivation::put): Deleted.
2381             (JSC::DebuggerActivation::deleteProperty): Deleted.
2382             (JSC::DebuggerActivation::getOwnPropertyNames): Deleted.
2383             (JSC::DebuggerActivation::defineOwnProperty): Deleted.
2384             * debugger/DebuggerScope.h: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.h.
2385             (JSC::DebuggerScope::create):
2386             (JSC::DebuggerActivation::create): Deleted.
2387             * runtime/VM.cpp:
2388             (JSC::VM::VM):
2389             * runtime/VM.h:
2390     
2391     2014-06-24  Filip Pizlo  <fpizlo@apple.com>
2392     
2393             [ftlopt] PutByIdFlush can also be converted to a PutByOffset so don't assert otherwise
2394             https://bugs.webkit.org/show_bug.cgi?id=134265
2395     
2396             Reviewed by Geoffrey Garen.
2397             
2398             More assertion fallout from the PutById folding work.
2399     
2400             * dfg/DFGNode.h:
2401             (JSC::DFG::Node::convertToPutByOffset):
2402     
2403     2014-06-24  Filip Pizlo  <fpizlo@apple.com>
2404     
2405             [ftlopt] GC should notify us if it resets to_this
2406             https://bugs.webkit.org/show_bug.cgi?id=128231
2407     
2408             Reviewed by Geoffrey Garen.
2409     
2410             * CMakeLists.txt:
2411             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2412             * JavaScriptCore.xcodeproj/project.pbxproj:
2413             * bytecode/BytecodeList.json:
2414             * bytecode/CodeBlock.cpp:
2415             (JSC::CodeBlock::dumpBytecode):
2416             (JSC::CodeBlock::finalizeUnconditionally):
2417             * bytecode/Instruction.h:
2418             * bytecode/ToThisStatus.cpp: Added.
2419             (JSC::merge):
2420             (WTF::printInternal):
2421             * bytecode/ToThisStatus.h: Added.
2422             * bytecompiler/BytecodeGenerator.cpp:
2423             (JSC::BytecodeGenerator::BytecodeGenerator):
2424             * dfg/DFGByteCodeParser.cpp:
2425             (JSC::DFG::ByteCodeParser::parseBlock):
2426             * llint/LowLevelInterpreter32_64.asm:
2427             * llint/LowLevelInterpreter64.asm:
2428             * runtime/CommonSlowPaths.cpp:
2429             (JSC::SLOW_PATH_DECL):
2430     
2431     2014-06-24  Filip Pizlo  <fpizlo@apple.com>
2432     
2433             [ftlopt] StructureAbstractValue::onlyStructure() should return nullptr if isClobbered()
2434             https://bugs.webkit.org/show_bug.cgi?id=134256
2435     
2436             Reviewed by Michael Saboff.
2437             
2438             This isn't testable right now (i.e. it's benign) but we should get it right anyway. The
2439             point is to be able to precisely model what goes on in the snippets of code between a
2440             side-effect and an InvalidationPoint.
2441             
2442             This patch also cleans up onlyStructure() by delegating more work to
2443             StructureSet::onlyStructure().
2444     
2445             * dfg/DFGStructureAbstractValue.h:
2446             (JSC::DFG::StructureAbstractValue::onlyStructure):
2447     
2448     2014-06-24  Filip Pizlo  <fpizlo@apple.com>
2449     
2450             [ftlopt][REGRESSION] PutById AI is introducing watchable structures without watching them
2451             https://bugs.webkit.org/show_bug.cgi?id=134260
2452     
2453             Reviewed by Geoffrey Garen.
2454             
2455             This was causing loads of assertion failures in debug builds.
2456     
2457             * dfg/DFGAbstractInterpreterInlines.h:
2458             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2459     
2460     2014-06-21  Filip Pizlo  <fpizlo@apple.com>
2461     
2462             [ftlopt] Fold GetById/PutById to MultiGetByOffset/GetByOffset or MultiPutByOffset/PutByOffset, which implies handling non-singleton sets
2463             https://bugs.webkit.org/show_bug.cgi?id=134090
2464     
2465             Reviewed by Oliver Hunt.
2466             
2467             This pretty much finishes off the work to eliminate the special-casing of singleton
2468             structure sets by making it possible to fold GetById and PutById to various polymorphic
2469             forms of the ByOffset nodes.
2470             
2471             * bytecode/GetByIdStatus.cpp:
2472             (JSC::GetByIdStatus::computeForStubInfo):
2473             (JSC::GetByIdStatus::computeFor):
2474             * bytecode/GetByIdStatus.h:
2475             * bytecode/PutByIdStatus.cpp:
2476             (JSC::PutByIdStatus::computeFor):
2477             * bytecode/PutByIdStatus.h:
2478             * bytecode/PutByIdVariant.h:
2479             (JSC::PutByIdVariant::constantChecks):
2480             * dfg/DFGAbstractInterpreterInlines.h:
2481             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2482             * dfg/DFGByteCodeParser.cpp:
2483             (JSC::DFG::ByteCodeParser::parseBlock):
2484             * dfg/DFGConstantFoldingPhase.cpp:
2485             (JSC::DFG::ConstantFoldingPhase::foldConstants):
2486             (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
2487             (JSC::DFG::ConstantFoldingPhase::addChecks):
2488             * dfg/DFGNode.h:
2489             (JSC::DFG::Node::convertToMultiGetByOffset):
2490             (JSC::DFG::Node::convertToMultiPutByOffset):
2491             * dfg/DFGSpeculativeJIT64.cpp: Also convert all release assertions to DFG assertions in this file, because I was hitting some of them while debugging.
2492             (JSC::DFG::SpeculativeJIT::fillJSValue):
2493             (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
2494             (JSC::DFG::SpeculativeJIT::emitCall):
2495             (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2496             (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
2497             (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
2498             (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2499             (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2500             (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2501             (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2502             (JSC::DFG::SpeculativeJIT::emitBranch):
2503             (JSC::DFG::SpeculativeJIT::compile):
2504             * dfg/DFGStructureAbstractValue.h:
2505             (JSC::DFG::StructureAbstractValue::set):
2506     
2507     2014-06-19  Filip Pizlo  <fpizlo@apple.com>
2508     
2509             [ftlopt] StructureSet::onlyStructure() should return nullptr if it's not a singleton (instead of asserting)
2510             https://bugs.webkit.org/show_bug.cgi?id=134077
2511     
2512             Reviewed by Sam Weinig.
2513             
2514             This makes StructureSet and StructureAbstractValue more consistent and fixes a debug assert
2515             in the abstract interpreter.
2516     
2517             * bytecode/StructureSet.h:
2518             (JSC::StructureSet::onlyStructure):
2519     
2520     2014-06-18  Filip Pizlo  <fpizlo@apple.com>
2521     
2522             DFG AI and constant folder should be able to precisely prune MultiGetByOffset/MultiPutByOffset even if the base structure abstract value is not a singleton
2523             https://bugs.webkit.org/show_bug.cgi?id=133918
2524     
2525             Reviewed by Mark Hahnenberg.
2526             
2527             This also adds pruning of PutStructure, since I basically had no choice but
2528             to implement such logic within MultiPutByOffset.
2529             
2530             Also adds a bunch of PutById cache status dumping to bytecode dumping.
2531     
2532             * bytecode/GetByIdVariant.cpp:
2533             (JSC::GetByIdVariant::dumpInContext):
2534             * bytecode/GetByIdVariant.h:
2535             (JSC::GetByIdVariant::structureSet):
2536             * bytecode/PutByIdVariant.h:
2537             (JSC::PutByIdVariant::oldStructure):
2538             * bytecode/StructureSet.cpp:
2539             (JSC::StructureSet::filter):
2540             (JSC::StructureSet::filterArrayModes):
2541             * bytecode/StructureSet.h:
2542             * dfg/DFGAbstractInterpreterInlines.h:
2543             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2544             * dfg/DFGAbstractValue.cpp:
2545             (JSC::DFG::AbstractValue::changeStructure):
2546             (JSC::DFG::AbstractValue::contains):
2547             * dfg/DFGAbstractValue.h:
2548             (JSC::DFG::AbstractValue::couldBeType):
2549             (JSC::DFG::AbstractValue::isType):
2550             * dfg/DFGConstantFoldingPhase.cpp:
2551             (JSC::DFG::ConstantFoldingPhase::foldConstants):
2552             (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
2553             (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
2554             (JSC::DFG::ConstantFoldingPhase::addBaseCheck):
2555             * dfg/DFGGraph.cpp:
2556             (JSC::DFG::Graph::freezeStrong):
2557             * dfg/DFGGraph.h:
2558             * dfg/DFGStructureAbstractValue.h:
2559             (JSC::DFG::StructureAbstractValue::operator=):
2560             * ftl/FTLLowerDFGToLLVM.cpp:
2561             (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
2562             * tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check.js: Added.
2563             (foo):
2564             (fu):
2565             (bar):
2566             (baz):
2567             (.bar):
2568             (.baz):
2569             * tests/stress/fold-multi-put-by-offset-to-put-by-offset-without-folding-the-structure-check.js: Added.
2570             (foo):
2571             (fu):
2572             (bar):
2573             (baz):
2574             (.bar):
2575             (.baz):
2576             * tests/stress/prune-multi-put-by-offset-replace-or-transition-variant.js: Added.
2577             (foo):
2578             (fu):
2579             (bar):
2580             (baz):
2581             (.bar):
2582             (.baz):
2583     
2584     2014-06-18  Mark Hahnenberg  <mhahnenberg@apple.com>
2585     
2586             Remove CompoundType and LeafType
2587             https://bugs.webkit.org/show_bug.cgi?id=134037
2588     
2589             Reviewed by Filip Pizlo.
2590     
2591             We don't use them for anything. We'll replace them with a generic CellType type for all 
2592             the objects that are JSCells, aren't JSObjects, and for which we generally don't care about 
2593             their JSType at runtime.
2594     
2595             * llint/LLIntData.cpp:
2596             (JSC::LLInt::Data::performAssertions):
2597             * runtime/ArrayBufferNeuteringWatchpoint.cpp:
2598             (JSC::ArrayBufferNeuteringWatchpoint::createStructure):
2599             * runtime/Executable.h:
2600             (JSC::ExecutableBase::createStructure):
2601             (JSC::NativeExecutable::createStructure):
2602             * runtime/JSPromiseDeferred.h:
2603             (JSC::JSPromiseDeferred::createStructure):
2604             * runtime/JSPromiseReaction.h:
2605             (JSC::JSPromiseReaction::createStructure):
2606             * runtime/JSPropertyNameIterator.h:
2607             (JSC::JSPropertyNameIterator::createStructure):
2608             * runtime/JSType.h:
2609             * runtime/JSTypeInfo.h:
2610             (JSC::TypeInfo::TypeInfo):
2611             * runtime/MapData.h:
2612             (JSC::MapData::createStructure):
2613             * runtime/PropertyMapHashTable.h:
2614             (JSC::PropertyTable::createStructure):
2615             * runtime/RegExp.h:
2616             (JSC::RegExp::createStructure):
2617             * runtime/SparseArrayValueMap.cpp:
2618             (JSC::SparseArrayValueMap::createStructure):
2619             * runtime/Structure.cpp:
2620             (JSC::Structure::Structure):
2621             * runtime/StructureChain.h:
2622             (JSC::StructureChain::createStructure):
2623             * runtime/StructureRareData.cpp:
2624             (JSC::StructureRareData::createStructure):
2625             * runtime/SymbolTable.h:
2626             (JSC::SymbolTable::createStructure):
2627             * runtime/WeakMapData.h:
2628             (JSC::WeakMapData::createStructure):
2629     
2630     2014-06-17  Filip Pizlo  <fpizlo@apple.com>
2631     
2632             [ftlopt] PutStructure and PhantomPutStructure shouldn't leave the world in a clobbered state
2633             https://bugs.webkit.org/show_bug.cgi?id=134002
2634     
2635             Reviewed by Mark Hahnenberg.
2636             
2637             The effect of this bug was that if we had a PutStructure or PhantomPutStructure then any
2638             JSConstants would be in a Clobbered state, so we wouldn't take advantage of our knowledge
2639             of the structure if that structure was watchable.
2640             
2641             Also kill PhantomPutStructure.
2642     
2643             * dfg/DFGAbstractInterpreterInlines.h:
2644             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2645             (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
2646             (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
2647             * dfg/DFGClobberize.h:
2648             (JSC::DFG::clobberize):
2649             * dfg/DFGDoesGC.cpp:
2650             (JSC::DFG::doesGC):
2651             * dfg/DFGFixupPhase.cpp:
2652             (JSC::DFG::FixupPhase::fixupNode):
2653             * dfg/DFGGraph.cpp:
2654             (JSC::DFG::Graph::visitChildren):
2655             * dfg/DFGNode.h:
2656             (JSC::DFG::Node::hasTransition):
2657             * dfg/DFGNodeType.h:
2658             * dfg/DFGPredictionPropagationPhase.cpp:
2659             (JSC::DFG::PredictionPropagationPhase::propagate):
2660             * dfg/DFGSafeToExecute.h:
2661             (JSC::DFG::safeToExecute):
2662             * dfg/DFGSpeculativeJIT32_64.cpp:
2663             (JSC::DFG::SpeculativeJIT::compile):
2664             * dfg/DFGSpeculativeJIT64.cpp:
2665             (JSC::DFG::SpeculativeJIT::compile):
2666             * dfg/DFGStructureAbstractValue.cpp:
2667             (JSC::DFG::StructureAbstractValue::observeTransition):
2668             (JSC::DFG::StructureAbstractValue::observeTransitions):
2669             * dfg/DFGValidate.cpp:
2670             (JSC::DFG::Validate::validate):
2671             * dfg/DFGWatchableStructureWatchingPhase.cpp:
2672             (JSC::DFG::WatchableStructureWatchingPhase::run):
2673             * ftl/FTLCapabilities.cpp:
2674             (JSC::FTL::canCompile):
2675             * ftl/FTLLowerDFGToLLVM.cpp:
2676             (JSC::FTL::LowerDFGToLLVM::compileNode):
2677             (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure): Deleted.
2678     
2679     2014-06-17  Filip Pizlo  <fpizlo@apple.com>
2680     
2681             [ftlopt] DFG put_by_id should inline accesses with a slightly polymorphic base
2682             https://bugs.webkit.org/show_bug.cgi?id=133964
2683     
2684             Reviewed by Mark Hahnenberg.
2685     
2686             * bytecode/PutByIdStatus.cpp:
2687             (JSC::PutByIdStatus::appendVariant):
2688             (JSC::PutByIdStatus::computeForStubInfo):
2689             * bytecode/PutByIdVariant.cpp:
2690             (JSC::PutByIdVariant::oldStructureForTransition):
2691             (JSC::PutByIdVariant::writesStructures):
2692             (JSC::PutByIdVariant::reallocatesStorage):
2693             (JSC::PutByIdVariant::attemptToMerge):
2694             (JSC::PutByIdVariant::attemptToMergeTransitionWithReplace):
2695             (JSC::PutByIdVariant::dumpInContext):
2696             * bytecode/PutByIdVariant.h:
2697             (JSC::PutByIdVariant::PutByIdVariant):
2698             (JSC::PutByIdVariant::replace):
2699             (JSC::PutByIdVariant::transition):
2700             (JSC::PutByIdVariant::structure):
2701             (JSC::PutByIdVariant::oldStructure):
2702             * dfg/DFGAbstractInterpreterInlines.h:
2703             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2704             * dfg/DFGByteCodeParser.cpp:
2705             (JSC::DFG::ByteCodeParser::handlePutById):
2706             (JSC::DFG::ByteCodeParser::parseBlock):
2707             * dfg/DFGConstantFoldingPhase.cpp:
2708             (JSC::DFG::ConstantFoldingPhase::foldConstants):
2709             (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
2710             * dfg/DFGGraph.cpp:
2711             (JSC::DFG::Graph::visitChildren):
2712             * dfg/DFGNode.cpp:
2713             (JSC::DFG::MultiPutByOffsetData::writesStructures):
2714             (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
2715             * ftl/FTLAbbreviations.h:
2716             (JSC::FTL::getLinkage):
2717             * ftl/FTLLowerDFGToLLVM.cpp:
2718             (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
2719             (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):
2720     
2721 2014-07-26  Filip Pizlo  <fpizlo@apple.com>
2722
2723         Unreviewed, roll out r171641-r171644. It broke some tests; will investigate and
2724         reland later.
2725
2726         * CMakeLists.txt:
2727         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2728         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2729         * JavaScriptCore.xcodeproj/project.pbxproj:
2730         * bytecode/BytecodeList.json:
2731         * bytecode/BytecodeUseDef.h:
2732         (JSC::computeUsesForBytecodeOffset):
2733         (JSC::computeDefsForBytecodeOffset):
2734         * bytecode/CodeBlock.cpp:
2735         (JSC::CodeBlock::dumpBytecode):
2736         (JSC::CodeBlock::CodeBlock):
2737         (JSC::CodeBlock::finalizeUnconditionally):
2738         (JSC::CodeBlock::printPutByIdCacheStatus): Deleted.
2739         * bytecode/CodeBlock.h:
2740         * bytecode/GetByIdStatus.cpp:
2741         (JSC::GetByIdStatus::computeForStubInfo):
2742         (JSC::GetByIdStatus::computeFor):
2743         * bytecode/GetByIdStatus.h:
2744         * bytecode/GetByIdVariant.cpp:
2745         (JSC::GetByIdVariant::dumpInContext):
2746         * bytecode/GetByIdVariant.h:
2747         (JSC::GetByIdVariant::structureSet):
2748         * bytecode/Instruction.h:
2749         * bytecode/PutByIdStatus.cpp:
2750         (JSC::PutByIdStatus::appendVariant):
2751         (JSC::PutByIdStatus::computeForStubInfo):
2752         (JSC::PutByIdStatus::computeFor):
2753         * bytecode/PutByIdStatus.h:
2754         * bytecode/PutByIdVariant.cpp:
2755         (JSC::PutByIdVariant::dumpInContext):
2756         (JSC::PutByIdVariant::oldStructureForTransition): Deleted.
2757         (JSC::PutByIdVariant::writesStructures): Deleted.
2758         (JSC::PutByIdVariant::reallocatesStorage): Deleted.
2759         (JSC::PutByIdVariant::attemptToMerge): Deleted.
2760         (JSC::PutByIdVariant::attemptToMergeTransitionWithReplace): Deleted.
2761         * bytecode/PutByIdVariant.h:
2762         (JSC::PutByIdVariant::PutByIdVariant):
2763         (JSC::PutByIdVariant::replace):
2764         (JSC::PutByIdVariant::transition):
2765         (JSC::PutByIdVariant::structure):
2766         (JSC::PutByIdVariant::oldStructure):
2767         (JSC::PutByIdVariant::newStructure):
2768         (JSC::PutByIdVariant::constantChecks):
2769         * bytecode/StructureSet.cpp:
2770         (JSC::StructureSet::filter): Deleted.
2771         (JSC::StructureSet::filterArrayModes): Deleted.
2772         * bytecode/StructureSet.h:
2773         (JSC::StructureSet::onlyStructure):
2774         * bytecode/ToThisStatus.cpp: Removed.
2775         * bytecode/ToThisStatus.h: Removed.
2776         * bytecode/TypeLocation.h: Removed.
2777         * bytecompiler/BytecodeGenerator.cpp:
2778         (JSC::BytecodeGenerator::BytecodeGenerator):
2779         (JSC::BytecodeGenerator::emitMove):
2780         (JSC::BytecodeGenerator::emitPutToScope):
2781         (JSC::BytecodeGenerator::emitPutById):
2782         (JSC::BytecodeGenerator::emitPutByVal):
2783         (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity): Deleted.
2784         * bytecompiler/BytecodeGenerator.h:
2785         (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity): Deleted.
2786         * bytecompiler/NodesCodegen.cpp:
2787         (JSC::PostfixNode::emitResolve):
2788         (JSC::PrefixNode::emitResolve):
2789         (JSC::ReadModifyResolveNode::emitBytecode):
2790         (JSC::AssignResolveNode::emitBytecode):
2791         (JSC::ConstDeclNode::emitCodeSingle):
2792         (JSC::ForInNode::emitBytecode):
2793         * debugger/DebuggerActivation.cpp: Added.
2794         (JSC::DebuggerActivation::DebuggerActivation):
2795         (JSC::DebuggerActivation::finishCreation):
2796         (JSC::DebuggerActivation::visitChildren):
2797         (JSC::DebuggerActivation::className):
2798         (JSC::DebuggerActivation::getOwnPropertySlot):
2799         (JSC::DebuggerActivation::put):
2800         (JSC::DebuggerActivation::deleteProperty):
2801         (JSC::DebuggerActivation::getOwnPropertyNames):
2802         (JSC::DebuggerActivation::defineOwnProperty):
2803         * debugger/DebuggerActivation.h: Added.
2804         (JSC::DebuggerActivation::create):
2805         (JSC::DebuggerActivation::createStructure):
2806         * debugger/DebuggerScope.cpp: Removed.
2807         * debugger/DebuggerScope.h: Removed.
2808         * dfg/DFGAbstractInterpreterInlines.h:
2809         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2810         (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
2811         (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
2812         * dfg/DFGAbstractValue.cpp:
2813         (JSC::DFG::AbstractValue::changeStructure): Deleted.
2814         (JSC::DFG::AbstractValue::contains): Deleted.
2815         * dfg/DFGAbstractValue.h:
2816         (JSC::DFG::AbstractValue::couldBeType):
2817         (JSC::DFG::AbstractValue::isType):
2818         * dfg/DFGByteCodeParser.cpp:
2819         (JSC::DFG::ByteCodeParser::handlePutById):
2820         (JSC::DFG::ByteCodeParser::parseBlock):
2821         * dfg/DFGClobberize.h:
2822         (JSC::DFG::clobberize):
2823         * dfg/DFGConstantFoldingPhase.cpp:
2824         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2825         (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
2826         (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
2827         (JSC::DFG::ConstantFoldingPhase::addBaseCheck): Deleted.
2828         (JSC::DFG::ConstantFoldingPhase::addChecks): Deleted.
2829         * dfg/DFGDoesGC.cpp:
2830         (JSC::DFG::doesGC):
2831         * dfg/DFGFixupPhase.cpp:
2832         (JSC::DFG::FixupPhase::fixupNode):
2833         * dfg/DFGGraph.cpp:
2834         (JSC::DFG::Graph::visitChildren):
2835         (JSC::DFG::Graph::freezeStrong):
2836         * dfg/DFGGraph.h:
2837         * dfg/DFGNode.cpp:
2838         (JSC::DFG::MultiPutByOffsetData::writesStructures):
2839         (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
2840         * dfg/DFGNode.h:
2841         (JSC::DFG::Node::convertToPutByOffset):
2842         (JSC::DFG::Node::hasTransition):
2843         (JSC::DFG::Node::convertToMultiGetByOffset): Deleted.
2844         (JSC::DFG::Node::convertToMultiPutByOffset): Deleted.
2845         * dfg/DFGNodeType.h:
2846         * dfg/DFGPredictionPropagationPhase.cpp:
2847         (JSC::DFG::PredictionPropagationPhase::propagate):
2848         * dfg/DFGSafeToExecute.h:
2849         (JSC::DFG::safeToExecute):
2850         * dfg/DFGSpeculativeJIT.cpp:
2851         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
2852         * dfg/DFGSpeculativeJIT32_64.cpp:
2853         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2854         (JSC::DFG::SpeculativeJIT::compile):
2855         * dfg/DFGSpeculativeJIT64.cpp:
2856         (JSC::DFG::SpeculativeJIT::fillJSValue):
2857         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
2858         (JSC::DFG::SpeculativeJIT::emitCall):
2859         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2860         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
2861         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
2862         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2863         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2864         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2865         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2866         (JSC::DFG::SpeculativeJIT::emitBranch):
2867         (JSC::DFG::SpeculativeJIT::compile):
2868         * dfg/DFGStructureAbstractValue.cpp:
2869         (JSC::DFG::StructureAbstractValue::observeTransition):
2870         (JSC::DFG::StructureAbstractValue::observeTransitions):
2871         * dfg/DFGStructureAbstractValue.h:
2872         (JSC::DFG::StructureAbstractValue::onlyStructure):
2873         (JSC::DFG::StructureAbstractValue::operator=): Deleted.
2874         (JSC::DFG::StructureAbstractValue::set): Deleted.
2875         * dfg/DFGValidate.cpp:
2876         (JSC::DFG::Validate::validate):
2877         * dfg/DFGWatchableStructureWatchingPhase.cpp:
2878         (JSC::DFG::WatchableStructureWatchingPhase::run):
2879         * ftl/FTLAbbreviations.h:
2880         (JSC::FTL::getLinkage): Deleted.
2881         * ftl/FTLCapabilities.cpp:
2882         (JSC::FTL::canCompile):
2883         * ftl/FTLLowerDFGToLLVM.cpp:
2884         (JSC::FTL::LowerDFGToLLVM::compileNode):
2885         (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure):
2886         (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
2887         (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
2888         (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):
2889         * heap/Heap.cpp:
2890         (JSC::Heap::collect):
2891         * inspector/agents/InspectorRuntimeAgent.cpp:
2892         (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange): Deleted.
2893         * inspector/agents/InspectorRuntimeAgent.h:
2894         * inspector/protocol/Runtime.json:
2895         * jsc.cpp:
2896         (GlobalObject::finishCreation):
2897         (functionDumpTypesForAllVariables): Deleted.
2898         * llint/LLIntData.cpp:
2899         (JSC::LLInt::Data::performAssertions):
2900         * llint/LLIntSlowPaths.cpp:
2901         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2902         (JSC::LLInt::putToScopeCommon): Deleted.
2903         * llint/LLIntSlowPaths.h:
2904         * llint/LowLevelInterpreter.asm:
2905         * llint/LowLevelInterpreter32_64.asm:
2906         * llint/LowLevelInterpreter64.asm:
2907         * runtime/ArrayBufferNeuteringWatchpoint.cpp:
2908         (JSC::ArrayBufferNeuteringWatchpoint::createStructure):
2909         * runtime/CommonSlowPaths.cpp:
2910         (JSC::SLOW_PATH_DECL):
2911         * runtime/Executable.h:
2912         (JSC::ExecutableBase::createStructure):
2913         (JSC::NativeExecutable::createStructure):
2914         * runtime/HighFidelityLog.cpp: Removed.
2915         * runtime/HighFidelityLog.h: Removed.
2916         * runtime/HighFidelityTypeProfiler.cpp: Removed.
2917         * runtime/HighFidelityTypeProfiler.h: Removed.
2918         * runtime/JSObject.cpp:
2919         (JSC::JSObject::putDirectCustomAccessor):
2920         (JSC::JSObject::putDirectNonIndexAccessor):
2921         (JSC::JSObject::reifyStaticFunctionsForDelete):
2922         * runtime/JSPromiseDeferred.h:
2923         (JSC::JSPromiseDeferred::createStructure):
2924         * runtime/JSPromiseReaction.h:
2925         (JSC::JSPromiseReaction::createStructure):
2926         * runtime/JSPropertyNameIterator.h:
2927         (JSC::JSPropertyNameIterator::createStructure):
2928         * runtime/JSType.h:
2929         * runtime/JSTypeInfo.h:
2930         (JSC::TypeInfo::TypeInfo):
2931         * runtime/MapData.h:
2932         (JSC::MapData::createStructure):
2933         * runtime/Options.h:
2934         * runtime/PropertyMapHashTable.h:
2935         (JSC::PropertyTable::createStructure):
2936         * runtime/RegExp.h:
2937         (JSC::RegExp::createStructure):
2938         * runtime/SparseArrayValueMap.cpp:
2939         (JSC::SparseArrayValueMap::createStructure):
2940         * runtime/Structure.cpp:
2941         (JSC::StructureTransitionTable::contains):
2942         (JSC::StructureTransitionTable::get):
2943         (JSC::StructureTransitionTable::add):
2944         (JSC::Structure::Structure):
2945         (JSC::Structure::materializePropertyMap):
2946         (JSC::Structure::addPropertyTransition):
2947         (JSC::Structure::despecifyFunctionTransition):
2948         (JSC::Structure::toDictionaryTransition):
2949         (JSC::Structure::freezeTransition):
2950         (JSC::Structure::preventExtensionsTransition):
2951         (JSC::Structure::takePropertyTableOrCloneIfPinned):
2952         (JSC::Structure::nonPropertyTransition):
2953         (JSC::Structure::flattenDictionaryStructure):
2954         (JSC::Structure::addPropertyWithoutTransition):
2955         (JSC::Structure::pin):
2956         (JSC::Structure::allocateRareData):
2957         (JSC::Structure::cloneRareDataFrom):
2958         (JSC::Structure::getConcurrently):
2959         (JSC::Structure::putSpecificValue):
2960         (JSC::Structure::getPropertyNamesFromStructure):
2961         (JSC::Structure::visitChildren):
2962         (JSC::Structure::checkConsistency):
2963         (JSC::Structure::toStructureShape): Deleted.
2964         * runtime/Structure.h:
2965         (JSC::Structure::isExtensible):
2966         (JSC::Structure::didTransition):
2967         (JSC::Structure::isDictionary):
2968         (JSC::Structure::isUncacheableDictionary):
2969         (JSC::Structure::hasBeenFlattenedBefore):
2970         (JSC::Structure::propertyAccessesAreCacheable):
2971         (JSC::Structure::previousID):
2972         (JSC::Structure::hasGetterSetterProperties):
2973         (JSC::Structure::hasReadOnlyOrGetterSetterPropertiesExcludingProto):
2974         (JSC::Structure::setHasGetterSetterProperties):
2975         (JSC::Structure::hasCustomGetterSetterProperties):
2976         (JSC::Structure::setHasCustomGetterSetterProperties):
2977         (JSC::Structure::setContainsReadOnlyProperties):
2978         (JSC::Structure::hasNonEnumerableProperties):
2979         (JSC::Structure::disableSpecificFunctionTracking):
2980         (JSC::Structure::objectToStringValue):
2981         (JSC::Structure::setObjectToStringValue):
2982         (JSC::Structure::staticFunctionsReified):
2983         (JSC::Structure::setStaticFunctionsReified):
2984         (JSC::Structure::transitionWatchpointSet):
2985         (JSC::Structure::setPreviousID):
2986         (JSC::Structure::clearPreviousID):
2987         (JSC::Structure::previous):
2988         (JSC::Structure::rareData):
2989         (JSC::Structure::setHasGetterSetterPropertiesWithProtoCheck): Deleted.
2990         (JSC::Structure::setHasCustomGetterSetterPropertiesWithProtoCheck): Deleted.
2991         * runtime/StructureChain.h:
2992         (JSC::StructureChain::createStructure):
2993         * runtime/StructureInlines.h:
2994         (JSC::Structure::setEnumerationCache):
2995         (JSC::Structure::enumerationCache):
2996         (JSC::Structure::checkOffsetConsistency):
2997         * runtime/StructureRareData.cpp:
2998         (JSC::StructureRareData::createStructure):
2999         * runtime/SymbolTable.cpp:
3000         (JSC::SymbolTable::SymbolTable):
3001         (JSC::SymbolTable::cloneCapturedNames):
3002         (JSC::SymbolTable::uniqueIDForVariable): Deleted.
3003         (JSC::SymbolTable::uniqueIDForRegister): Deleted.
3004         (JSC::SymbolTable::globalTypeSetForRegister): Deleted.
3005         (JSC::SymbolTable::globalTypeSetForVariable): Deleted.
3006         * runtime/SymbolTable.h:
3007         (JSC::SymbolTable::createStructure):
3008         (JSC::SymbolTable::add):
3009         (JSC::SymbolTable::set):
3010         * runtime/TypeSet.cpp: Removed.
3011         * runtime/TypeSet.h: Removed.
3012         * runtime/VM.cpp:
3013         (JSC::VM::VM):
3014         (JSC::VM::getTypesForVariableInRange): Deleted.
3015         (JSC::VM::updateHighFidelityTypeProfileState): Deleted.
3016         (JSC::VM::dumpHighFidelityProfilingTypes): Deleted.
3017         * runtime/VM.h:
3018         (JSC::VM::isProfilingTypesWithHighFidelity): Deleted.
3019         (JSC::VM::highFidelityLog): Deleted.
3020         (JSC::VM::highFidelityTypeProfiler): Deleted.
3021         (JSC::VM::nextLocation): Deleted.
3022         (JSC::VM::getNextUniqueVariableID): Deleted.
3023         * runtime/WeakMapData.h:
3024         (JSC::WeakMapData::createStructure):
3025         * tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check.js: Removed.
3026         * tests/stress/fold-multi-put-by-offset-to-put-by-offset-without-folding-the-structure-check.js: Removed.
3027         * tests/stress/prune-multi-put-by-offset-replace-or-transition-variant.js: Removed.
3028
3029 2014-07-25  Filip Pizlo  <fpizlo@apple.com>
3030
3031         Attempt to fix non-Xcode platforms.
3032
3033         * CMakeLists.txt:
3034         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3035
3036 2014-07-25  Filip Pizlo  <fpizlo@apple.com>
3037
3038         Fix cloop.
3039
3040         * bytecode/CodeBlock.cpp:
3041         (JSC::dumpChain):
3042         (JSC::CodeBlock::printPutByIdCacheStatus):
3043         * bytecode/StructureSet.cpp:
3044         * bytecode/StructureSet.h:
3045
3046 2014-07-25  Filip Pizlo  <fpizlo@apple.com>
3047
3048         Merge r170090, r170092, r170129, r170141, r170161, r170215, r170275, r170375, r170376, r170382, r170383, r170399, r170436, r170489, r170490, r170556 from ftlopt.
3049
3050     2014-06-27  Michael Saboff  <msaboff@apple.com>
3051     
3052             Unreviewed build fix after r169795.
3053     
3054             Fixed ASSERT for 32 bit build.
3055     
3056             * dfg/DFGSpeculativeJIT.cpp:
3057             (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
3058     
3059     2014-06-24  Saam Barati  <sbarati@apple.com>
3060     
3061             Web Inspector: debugger should be able to show variable types
3062             https://bugs.webkit.org/show_bug.cgi?id=133395
3063     
3064             Reviewed by Filip Pizlo.
3065     
3066             Increase the amount of type information the VM gathers when directed
3067             to do so. This initial commit is working towards the goal of
3068             capturing, and then showing (via the Web Inspector) type information for all
3069             assignment and load operations. This patch doesn't have the feature fully 
3070             implemented, but it ensures the VM has no performance regressions
3071             unless the feature is specifically turned on.
3072     
3073             * JavaScriptCore.xcodeproj/project.pbxproj:
3074             * bytecode/BytecodeList.json:
3075             * bytecode/BytecodeUseDef.h:
3076             (JSC::computeUsesForBytecodeOffset):
3077             (JSC::computeDefsForBytecodeOffset):
3078             * bytecode/CodeBlock.cpp:
3079             (JSC::CodeBlock::dumpBytecode):
3080             (JSC::CodeBlock::CodeBlock):
3081             (JSC::CodeBlock::finalizeUnconditionally):
3082             * bytecode/CodeBlock.h:
3083             * bytecode/Instruction.h:
3084             * bytecode/TypeLocation.h: Added.
3085             (JSC::TypeLocation::TypeLocation):
3086             * bytecompiler/BytecodeGenerator.cpp:
3087             (JSC::BytecodeGenerator::emitMove):
3088             (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
3089             (JSC::BytecodeGenerator::emitPutToScope):
3090             (JSC::BytecodeGenerator::emitPutById):
3091             (JSC::BytecodeGenerator::emitPutByVal):
3092             * bytecompiler/BytecodeGenerator.h:
3093             (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity):
3094             * bytecompiler/NodesCodegen.cpp:
3095             (JSC::PostfixNode::emitResolve):
3096             (JSC::PrefixNode::emitResolve):
3097             (JSC::ReadModifyResolveNode::emitBytecode):
3098             (JSC::AssignResolveNode::emitBytecode):
3099             (JSC::ConstDeclNode::emitCodeSingle):
3100             (JSC::ForInNode::emitBytecode):
3101             * heap/Heap.cpp:
3102             (JSC::Heap::collect):
3103             * inspector/agents/InspectorRuntimeAgent.cpp:
3104             (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange):
3105             * inspector/agents/InspectorRuntimeAgent.h:
3106             * inspector/protocol/Runtime.json:
3107             * jsc.cpp:
3108             (GlobalObject::finishCreation):
3109             (functionDumpTypesForAllVariables):
3110             * llint/LLIntSlowPaths.cpp:
3111             (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3112             (JSC::LLInt::putToScopeCommon):
3113             * llint/LLIntSlowPaths.h:
3114             * llint/LowLevelInterpreter.asm:
3115             * runtime/HighFidelityLog.cpp: Added.
3116             (JSC::HighFidelityLog::initializeHighFidelityLog):
3117             (JSC::HighFidelityLog::~HighFidelityLog):
3118             (JSC::HighFidelityLog::recordTypeInformationForLocation):
3119             (JSC::HighFidelityLog::processHighFidelityLog):
3120             (JSC::HighFidelityLog::actuallyProcessLogThreadFunction):
3121             * runtime/HighFidelityLog.h: Added.
3122             (JSC::HighFidelityLog::HighFidelityLog):
3123             * runtime/HighFidelityTypeProfiler.cpp: Added.
3124             (JSC::HighFidelityTypeProfiler::getTypesForVariableInRange):
3125             (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableInRange):
3126             (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableInRange):
3127             (JSC::HighFidelityTypeProfiler::insertNewLocation):
3128             (JSC::HighFidelityTypeProfiler::getLocationBasedHash):
3129             * runtime/HighFidelityTypeProfiler.h: Added.
3130             * runtime/Options.h:
3131             * runtime/Structure.cpp:
3132             (JSC::Structure::toStructureShape):
3133             * runtime/Structure.h:
3134             * runtime/SymbolTable.cpp:
3135             (JSC::SymbolTable::SymbolTable):
3136             (JSC::SymbolTable::cloneCapturedNames):
3137             (JSC::SymbolTable::uniqueIDForVariable):
3138             (JSC::SymbolTable::uniqueIDForRegister):
3139             (JSC::SymbolTable::globalTypeSetForRegister):
3140             (JSC::SymbolTable::globalTypeSetForVariable):
3141             * runtime/SymbolTable.h:
3142             (JSC::SymbolTable::add):
3143             (JSC::SymbolTable::set):
3144             * runtime/TypeSet.cpp: Added.
3145             (JSC::TypeSet::TypeSet):
3146             (JSC::TypeSet::getRuntimeTypeForValue):
3147             (JSC::TypeSet::addTypeForValue):
3148             (JSC::TypeSet::removeDuplicatesInStructureHistory):
3149             (JSC::TypeSet::seenTypes):
3150             (JSC::TypeSet::dumpSeenTypes):
3151             (JSC::StructureShape::StructureShape):
3152             (JSC::StructureShape::markAsFinal):
3153             (JSC::StructureShape::addProperty):
3154             (JSC::StructureShape::propertyHash):
3155             (JSC::StructureShape::leastUpperBound):
3156             (JSC::StructureShape::stringRepresentation):
3157             * runtime/TypeSet.h: Added.
3158             (JSC::StructureShape::create):
3159             (JSC::TypeSet::create):
3160             * runtime/VM.cpp:
3161             (JSC::VM::VM):
3162             (JSC::VM::getTypesForVariableInRange):
3163             (JSC::VM::updateHighFidelityTypeProfileState):
3164             (JSC::VM::dumpHighFidelityProfilingTypes):
3165             * runtime/VM.h:
3166             (JSC::VM::isProfilingTypesWithHighFidelity):
3167             (JSC::VM::highFidelityLog):
3168             (JSC::VM::highFidelityTypeProfiler):
3169             (JSC::VM::nextLocation):
3170             (JSC::VM::getNextUniqueVariableID):
3171     
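The entry above lists TypeSet and StructureShape methods (addTypeForValue, removeDuplicatesInStructureHistory, leastUpperBound, dumpSeenTypes) but does not show what such a per-location type profile does. The following is an added, self-contained C++ model written for this page; it is not JSC's code. It borrows the names from the file list, but its representation (a bitmask of runtime type tags plus a history of property-name sets, with the least upper bound taken as the properties common to every observed shape) is an assumption made for illustration, and the sample values it records are constructed.

```cpp
#include <algorithm>
#include <cstdint>
#include <iostream>
#include <iterator>
#include <set>
#include <string>
#include <vector>

// Illustrative model of a per-location type profile. Names follow the
// ChangeLog entry above; the logic is an assumption, not JSC's implementation.

enum class RuntimeType : uint8_t {
    Undefined = 1 << 0, Null = 1 << 1, Boolean = 1 << 2,
    Number = 1 << 3, String = 1 << 4, Object = 1 << 5,
};

// A StructureShape here is the set of property names an object had when seen.
struct StructureShape {
    std::set<std::string> properties;

    // Least upper bound (assumed definition): properties shared by every shape.
    static StructureShape leastUpperBound(const std::vector<StructureShape>& shapes) {
        StructureShape lub;
        if (shapes.empty()) return lub;
        lub = shapes.front();
        for (size_t i = 1; i < shapes.size(); ++i) {
            std::set<std::string> common;
            std::set_intersection(lub.properties.begin(), lub.properties.end(),
                                  shapes[i].properties.begin(), shapes[i].properties.end(),
                                  std::inserter(common, common.begin()));
            lub.properties = std::move(common);
        }
        return lub;
    }

    std::string stringRepresentation() const {
        std::string out = "{";
        for (const auto& p : properties) out += p + ", ";
        if (!properties.empty()) { out.pop_back(); out.pop_back(); }
        return out + "}";
    }
};

// Minimal stand-in for a JS value: a type tag plus, for objects, its shape.
struct Value {
    RuntimeType type;
    StructureShape shape; // only meaningful when type == Object
};

class TypeSet {
public:
    // Record one observed value at this location.
    void addTypeForValue(const Value& v) {
        m_seenTypes |= static_cast<uint8_t>(v.type);
        if (v.type == RuntimeType::Object)
            m_structureHistory.push_back(v.shape);
    }

    // Drop repeated shapes, keeping first-seen order.
    void removeDuplicatesInStructureHistory() {
        std::vector<StructureShape> unique;
        for (const auto& s : m_structureHistory) {
            bool dup = std::any_of(unique.begin(), unique.end(),
                [&](const StructureShape& u) { return u.properties == s.properties; });
            if (!dup) unique.push_back(s);
        }
        m_structureHistory = std::move(unique);
    }

    bool hasSeen(RuntimeType t) const { return (m_seenTypes & static_cast<uint8_t>(t)) != 0; }
    size_t structureHistorySize() const { return m_structureHistory.size(); }
    StructureShape shapeLeastUpperBound() const { return StructureShape::leastUpperBound(m_structureHistory); }

    // Names of the seen primitive/object tags, in bit order, joined by '|'.
    std::string dumpSeenTypes() const {
        static const char* names[] = {"Undefined", "Null", "Boolean", "Number", "String", "Object"};
        std::string out;
        for (int bit = 0; bit < 6; ++bit) {
            if (m_seenTypes & (1u << bit)) {
                if (!out.empty()) out += "|";
                out += names[bit];
            }
        }
        return out;
    }

private:
    uint8_t m_seenTypes = 0;
    std::vector<StructureShape> m_structureHistory;
};

// Constructed sample: one assignment site observed across several executions.
TypeSet profileSampleLocation() {
    TypeSet ts;
    ts.addTypeForValue({RuntimeType::Number, {}});
    ts.addTypeForValue({RuntimeType::Object, {{"x", "y"}}});
    ts.addTypeForValue({RuntimeType::Object, {{"x", "y", "z"}}});
    ts.addTypeForValue({RuntimeType::Object, {{"x", "y"}}}); // duplicate shape
    ts.addTypeForValue({RuntimeType::Undefined, {}});
    ts.removeDuplicatesInStructureHistory();
    return ts;
}

int main() {
    TypeSet ts = profileSampleLocation();
    std::cout << ts.dumpSeenTypes() << "  shapes=" << ts.structureHistorySize()
              << "  lub=" << ts.shapeLeastUpperBound().stringRepresentation() << "\n";
    return 0;
}
```

The point of the model is the data a debugger would get back for a variable: the set of primitive tags seen at the site plus a merged object shape, rather than a single static type. Whether the merge is an intersection, a union, or something structure-aware is a design choice of the real profiler that this entry does not spell out.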
3172     2014-06-26  Mark Lam  <mark.lam@apple.com>
3173     
3174             Remove unused instantiation of the WithScope structure.
3175             <https://webkit.org/b/134331>
3176     
3177             Reviewed by Oliver Hunt.
3178     
3179             The WithScope structure instance in the VM is unused, and is now removed.
3180     
3181             * runtime/VM.cpp:
3182             (JSC::VM::VM):
3183             * runtime/VM.h:
3184     
3185     2014-06-25  Mark Hahnenberg  <mhahnenberg@apple.com>
3186     
3187             Structure bit fields should have a consistent format
3188             https://bugs.webkit.org/show_bug.cgi?id=134307
3189     
3190             Reviewed by Filip Pizlo.
3191