944cf3265df9399c93137ed455cf63ff62c78e1c
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-02-02  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r179477): arguments simplification no longer works
        https://bugs.webkit.org/show_bug.cgi?id=141169

        Reviewed by Mark Lam.

        The operations involved in callee/scope access don't exit and shouldn't get in the way
        of strength-reducing a Flush to a PhantomLocal. Then the PhantomLocal shouldn't get in
        the way of further such strength-reduction. We also need to canonicalize PhantomLocal
        before running arguments simplification.

        * dfg/DFGMayExit.cpp:
        (JSC::DFG::mayExit):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):

2015-02-02  Filip Pizlo  <fpizlo@apple.com>

        VirtualRegister should really know how to dump itself
        https://bugs.webkit.org/show_bug.cgi?id=141171

        Reviewed by Geoffrey Garen.

        Gives VirtualRegister a dump() method that pretty-prints the virtual register. The rest of
        the patch is all about using this new power.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::constantName):
        (JSC::CodeBlock::registerName):
        * bytecode/CodeBlock.h:
        (JSC::missingThisObjectMarker): Deleted.
        * bytecode/VirtualRegister.cpp: Added.
        (JSC::VirtualRegister::dump):
        * bytecode/VirtualRegister.h:
        (WTF::printInternal): Deleted.
        * dfg/DFGArgumentPosition.h:
        (JSC::DFG::ArgumentPosition::dump):
        * dfg/DFGFlushedAt.cpp:
        (JSC::DFG::FlushedAt::dump):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGPutLocalSinkingPhase.cpp:
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::reportValidationContext):
        * dfg/DFGValueSource.cpp:
        (JSC::DFG::ValueSource::dump):
        * dfg/DFGVariableEvent.cpp:
        (JSC::DFG::VariableEvent::dump):
        (JSC::DFG::VariableEvent::dumpSpillInfo):
        * ftl/FTLExitArgumentForOperand.cpp:
        (JSC::FTL::ExitArgumentForOperand::dump):
        * ftl/FTLExitValue.cpp:
        (JSC::FTL::ExitValue::dumpInContext):
        * profiler/ProfilerBytecodeSequence.cpp:
        (JSC::Profiler::BytecodeSequence::BytecodeSequence):

2015-02-02  Geoffrey Garen  <ggaren@apple.com>

        Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
        https://bugs.webkit.org/show_bug.cgi?id=140900

        Reviewed by Mark Hahnenberg.

        Re-landing just the HandleBlock piece of this patch.

        * heap/HandleBlock.h:
        * heap/HandleBlockInlines.h:
        (JSC::HandleBlock::create):
        (JSC::HandleBlock::destroy):
        (JSC::HandleBlock::HandleBlock):
        (JSC::HandleBlock::payloadEnd):
        * heap/HandleSet.cpp:
        (JSC::HandleSet::~HandleSet):
        (JSC::HandleSet::grow):

2015-02-02  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Support console.table
        https://bugs.webkit.org/show_bug.cgi?id=141058

        Reviewed by Timothy Hatcher.

        * inspector/InjectedScriptSource.js:
        Include the firstLevelKeys filter when generating previews.

        * runtime/ConsoleClient.cpp:
        (JSC::appendMessagePrefix):
        Differentiate console.table logs to system log.

2015-01-31  Filip Pizlo  <fpizlo@apple.com>

        BinarySwitch should be faster on average
        https://bugs.webkit.org/show_bug.cgi?id=141046

        Reviewed by Anders Carlsson.

        This optimizes our binary switch using math. It's strictly better than what we had before
        assuming we bottom out in some case (rather than fall through), assuming all cases get
        hit with equal probability. The difference is particularly large for large switch
        statements. For example, a switch statement with 1000 cases would previously require on
        average 13.207 branches to get to some case, while now it just requires 10.464.

        This is also a progression for the fall-through case, though we could shave off another
        1/6 branch on average if we wanted to - though it would regress taking a case (not falling
        through) by 1/6 branch. I believe it's better to bias the BinarySwitch for not falling
        through.

        This also adds some randomness to the algorithm to minimize the likelihood of us
        generating a switch statement that is always particularly bad for some input. Note that
        the randomness has no effect on average-case performance assuming all cases are equally
        likely.

        This ought to have no actual performance change because we don't rely on binary switches
        that much. The main reason why this change is interesting is that I'm finding myself
        increasingly relying on BinarySwitch, and I'd like to know that it's optimal.

        * jit/BinarySwitch.cpp:
        (JSC::BinarySwitch::BinarySwitch):
        (JSC::BinarySwitch::~BinarySwitch):
        (JSC::BinarySwitch::build):
        * jit/BinarySwitch.h:

2015-02-02  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Extend CSS.getSupportedCSSProperties to provide values for properties for CSS Augmented JSContext
        https://bugs.webkit.org/show_bug.cgi?id=141064

        Reviewed by Timothy Hatcher.

        * inspector/protocol/CSS.json:

2015-02-02  Daniel Bates  <dabates@apple.com>

        [iOS] ASSERTION FAILED: m_scriptExecutionContext->isContextThread() in ContextDestructionObserver::observeContext
        https://bugs.webkit.org/show_bug.cgi?id=141057
        <rdar://problem/19068790>

        Reviewed by Alexey Proskuryakov.

        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::receivedIndicateMessage): Modified to call WTF::callOnWebThreadOrDispatchAsyncOnMainThread().
        (Inspector::dispatchAsyncOnQueueSafeForAnyDebuggable): Deleted; moved logic to common helper function,
        WTF::callOnWebThreadOrDispatchAsyncOnMainThread() so that it can be called from both RemoteInspector::receivedIndicateMessage()
        and CryptoKeyRSA::generatePair().

2015-02-02  Saam Barati  <saambarati1@gmail.com>

        Create tests for JSC's Control Flow Profiler
        https://bugs.webkit.org/show_bug.cgi?id=141123

        Reviewed by Filip Pizlo.

        This patch creates a control flow profiler testing API in jsc.cpp
        that accepts a function and a string as arguments. The string must
        be a substring of the text of the function argument. The API returns
        a boolean indicating whether or not the basic block that encloses the
        substring has executed.

        This patch uses this API to test that the control flow profiler
        behaves as expected on basic block boundaries. These tests do not
        provide full coverage for all JavaScript statements that can create
        basic blocks boundaries. Full coverage will come in a later patch.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionHasBasicBlockExecuted):
        * runtime/ControlFlowProfiler.cpp:
        (JSC::ControlFlowProfiler::hasBasicBlockAtTextOffsetBeenExecuted):
        * runtime/ControlFlowProfiler.h:
        * tests/controlFlowProfiler: Added.
        * tests/controlFlowProfiler.yaml: Added.
        * tests/controlFlowProfiler/driver: Added.
        * tests/controlFlowProfiler/driver/driver.js: Added.
        (assert):
        * tests/controlFlowProfiler/if-statement.js: Added.
        (testIf):
        (noMatches):
        * tests/controlFlowProfiler/loop-statements.js: Added.
        (forRegular):
        (forIn):
        (forOf):
        (whileLoop):
        * tests/controlFlowProfiler/switch-statements.js: Added.
        (testSwitch):
        * tests/controlFlowProfiler/test-jit.js: Added.
        (tierUpToBaseline):
        (tierUpToDFG):
        (baselineTest):
        (dfgTest):

2015-01-28  Filip Pizlo  <fpizlo@apple.com>

        Polymorphic call inlining should be based on polymorphic call inline caching rather than logging
        https://bugs.webkit.org/show_bug.cgi?id=140660

        Reviewed by Geoffrey Garen.

        When we first implemented polymorphic call inlining, we did the profiling based on a call
        edge log. The idea was to store each call edge (a tuple of call site and callee) into a
        global log that was processed lazily. Processing the log would give precise counts of call
        edges, and could be used to drive well-informed inlining decisions - polymorphic or not.
        This was a speed-up on throughput tests but a slow-down for latency tests. It was a net win
        nonetheless.

        Experience with this code shows three things. First, the call edge profiler is buggy and
        complex. It would take work to fix the bugs. Second, the call edge profiler incurs lots of
        overhead for latency code that we care deeply about. Third, it's not at all clear that
        having call edge counts for every possible callee is any better than just having call edge
        counts for the limited number of callees that an inline cache would catch.

        So, this patch removes the call edge profiler and replaces it with a polymorphic call inline
        cache. If we miss the basic call inline cache, we inflate the cache to be a jump to an
        out-of-line stub that cases on the previously known callees. If that misses again, then we
        rewrite that stub to include the new callee. We do this up to some number of callees. If we
        hit the limit then we switch to using a plain virtual call.

        Substantial speed-up on V8Spider; undoes the slow-down that the original call edge profiler
        caused. Might be a SunSpider speed-up (below 1%), depending on hardware.

        Rolling this back in after fixing https://bugs.webkit.org/show_bug.cgi?id=141107.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CallEdge.h:
        (JSC::CallEdge::count):
        (JSC::CallEdge::CallEdge):
        * bytecode/CallEdgeProfile.cpp: Removed.
        * bytecode/CallEdgeProfile.h: Removed.
        * bytecode/CallEdgeProfileInlines.h: Removed.
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::unlink):
        (JSC::CallLinkInfo::visitWeak):
        * bytecode/CallLinkInfo.h:
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::CallLinkStatus):
        (JSC::CallLinkStatus::computeFor):
        (JSC::CallLinkStatus::computeFromCallLinkInfo):
        (JSC::CallLinkStatus::isClosureCall):
        (JSC::CallLinkStatus::makeClosureCall):
        (JSC::CallLinkStatus::dump):
        (JSC::CallLinkStatus::computeFromCallEdgeProfile): Deleted.
        * bytecode/CallLinkStatus.h:
        (JSC::CallLinkStatus::CallLinkStatus):
        (JSC::CallLinkStatus::isSet):
        (JSC::CallLinkStatus::variants):
        (JSC::CallLinkStatus::size):
        (JSC::CallLinkStatus::at):
        (JSC::CallLinkStatus::operator[]):
        (JSC::CallLinkStatus::canOptimize):
        (JSC::CallLinkStatus::edges): Deleted.
        (JSC::CallLinkStatus::canTrustCounts): Deleted.
        * bytecode/CallVariant.cpp:
        (JSC::variantListWithVariant):
        (JSC::despecifiedVariantList):
        * bytecode/CallVariant.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::linkIncomingPolymorphicCall):
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::noticeIncomingCall):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::isIncomingCallAlreadyLinked): Deleted.
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):
        (JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling): Deleted.
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * jit/BinarySwitch.h:
        * jit/ClosureCallStubRoutine.cpp: Removed.
        * jit/ClosureCallStubRoutine.h: Removed.
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        (JSC::operationLinkPolymorphicCallFor):
        (JSC::operationLinkClosureCallFor): Deleted.
        * jit/JITStubRoutine.h:
        * jit/JITWriteBarrier.h:
        * jit/PolymorphicCallStubRoutine.cpp: Added.
        (JSC::PolymorphicCallNode::~PolymorphicCallNode):
        (JSC::PolymorphicCallNode::unlink):
        (JSC::PolymorphicCallCase::dump):
        (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
        (JSC::PolymorphicCallStubRoutine::~PolymorphicCallStubRoutine):
        (JSC::PolymorphicCallStubRoutine::variants):
        (JSC::PolymorphicCallStubRoutine::edges):
        (JSC::PolymorphicCallStubRoutine::visitWeak):
        (JSC::PolymorphicCallStubRoutine::markRequiredObjectsInternal):
        * jit/PolymorphicCallStubRoutine.h: Added.
        (JSC::PolymorphicCallNode::PolymorphicCallNode):
        (JSC::PolymorphicCallCase::PolymorphicCallCase):
        (JSC::PolymorphicCallCase::variant):
        (JSC::PolymorphicCallCase::codeBlock):
        * jit/Repatch.cpp:
        (JSC::linkSlowFor):
        (JSC::linkFor):
        (JSC::revertCall):
        (JSC::unlinkFor):
        (JSC::linkVirtualFor):
        (JSC::linkPolymorphicCall):
        (JSC::linkClosureCall): Deleted.
        * jit/Repatch.h:
        * jit/ThunkGenerators.cpp:
        (JSC::linkPolymorphicCallForThunkGenerator):
        (JSC::linkPolymorphicCallThunkGenerator):
        (JSC::linkPolymorphicCallThatPreservesRegsThunkGenerator):
        (JSC::linkClosureCallForThunkGenerator): Deleted.
        (JSC::linkClosureCallThunkGenerator): Deleted.
        (JSC::linkClosureCallThatPreservesRegsThunkGenerator): Deleted.
        * jit/ThunkGenerators.h:
        (JSC::linkPolymorphicCallThunkGeneratorFor):
        (JSC::linkClosureCallThunkGeneratorFor): Deleted.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        * runtime/Options.h:
        * runtime/VM.cpp:
        (JSC::VM::prepareToDiscardCode):
        (JSC::VM::ensureCallEdgeLog): Deleted.
        * runtime/VM.h:

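The inline-cache state machine this entry describes (monomorphic link, then an out-of-line stub that grows one callee per miss, then a plain virtual call once a limit is hit), as an added C++ model that is not JSC's code. CallSiteCache, callThrough, simulateCallSite, the Outcome enum and the limit of four callees are assumptions made for the illustration, not names from CallLinkInfo or PolymorphicCallStubRoutine.

```cpp
// Added model of a polymorphic call inline cache; not JSC code. Names
// (CallSiteCache, callThrough, simulateCallSite) and the limit are assumptions.
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

// States a call site moves through as it sees more distinct callees.
enum class LinkState { Unlinked, Monomorphic, Polymorphic, Virtual };

// What one call through the site did.
enum class Outcome { CacheHit, Relinked, VirtualCall };

// Per-call-site record: what the cache currently cases on and some counters.
struct CallSiteCache {
    LinkState state = LinkState::Unlinked;
    std::vector<std::string> knownCallees; // callees the linked code / stub cases on
    std::size_t maxCallees;                // polymorphism limit before going virtual
    std::size_t relinks = 0;               // times the call site code was rewritten
    std::size_t fastHits = 0;              // calls served by the cache itself

    explicit CallSiteCache(std::size_t limit) : maxCallees(limit) {}
};

// One call through the site with the given callee.
Outcome callThrough(CallSiteCache& site, const std::string& callee)
{
    switch (site.state) {
    case LinkState::Virtual:
        // Past the limit: plain virtual call, no caching, no more rewrites.
        return Outcome::VirtualCall;

    case LinkState::Unlinked:
        // First call: link directly to this callee (the basic inline cache).
        site.state = LinkState::Monomorphic;
        site.knownCallees.push_back(callee);
        ++site.relinks;
        return Outcome::Relinked;

    case LinkState::Monomorphic:
    case LinkState::Polymorphic: {
        auto hit = std::find(site.knownCallees.begin(), site.knownCallees.end(), callee);
        if (hit != site.knownCallees.end()) {
            ++site.fastHits; // callee is one the cache already cases on
            return Outcome::CacheHit;
        }
        if (site.knownCallees.size() >= site.maxCallees) {
            // Too many callees: give up on caching and go virtual.
            site.state = LinkState::Virtual;
            site.knownCallees.clear();
            ++site.relinks;
            return Outcome::Relinked;
        }
        // Miss: inflate to (or rewrite) the out-of-line stub with one more case.
        site.knownCallees.push_back(callee);
        site.state = LinkState::Polymorphic;
        ++site.relinks;
        return Outcome::Relinked;
    }
    }
    return Outcome::VirtualCall; // unreachable; keeps compilers quiet
}

// Drives a callee sequence through one site and returns its final cache state.
CallSiteCache simulateCallSite(const std::vector<std::string>& callees, std::size_t limit)
{
    CallSiteCache site(limit);
    for (const auto& callee : callees)
        callThrough(site, callee);
    return site;
}

int main()
{
    // Constructed call sequence: two callees at first, then the site is flooded
    // with new callees until it exceeds the limit of four and goes virtual.
    const std::vector<std::string> sequence = { "A", "A", "B", "A", "C", "D", "E", "A" };
    CallSiteCache site(4);
    for (const auto& callee : sequence) {
        Outcome outcome = callThrough(site, callee);
        const char* what = outcome == Outcome::CacheHit ? "hit"
            : outcome == Outcome::Relinked ? "relink" : "virtual";
        std::printf("call %s -> %s (known callees: %zu)\n", callee.c_str(), what,
            site.knownCallees.size());
    }
    return 0;
}
```

Counting relinks per site is also the cheap way to spot a call site whose callee set is being churned deliberately, since every relink is a code rewrite.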
2015-01-30  Filip Pizlo  <fpizlo@apple.com>

        Converting Flushes and PhantomLocals to Phantoms requires an OSR availability analysis rather than just using the SetLocal's child
        https://bugs.webkit.org/show_bug.cgi?id=141107

        Reviewed by Michael Saboff.

        See the bugzilla for a discussion of the problem. This addresses the problem by ensuring
        that Flushes are always strength-reduced to PhantomLocals, and CPS rethreading does a mini
        OSR availability analysis to determine the right MovHint value to use for the Phantom.

        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::CPSRethreadingPhase):
        (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
        (JSC::DFG::CPSRethreadingPhase::clearVariables):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
        (JSC::DFG::CPSRethreadingPhase::clearVariablesAtHeadAndTail): Deleted.
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertPhantomToPhantomLocal):
        (JSC::DFG::Node::convertFlushToPhantomLocal):
        (JSC::DFG::Node::convertToPhantomLocal): Deleted.
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * tests/stress/inline-call-that-doesnt-use-all-args.js: Added.
        (foo):
        (bar):
        (baz):

2015-01-31  Michael Saboff  <msaboff@apple.com>

        Crash (DFG assertion) beneath AbstractInterpreter::verifyEdge() @ http://experilous.com/1/planet-generator/2014-09-28/version-1
        https://bugs.webkit.org/show_bug.cgi?id=141111

        Reviewed by Filip Pizlo.

        In LowerDFGToLLVM::compileNode(), if we determine while compiling a node that we would have
        exited, we don't need to process the OSR availability or abstract interpreter.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::safelyInvalidateAfterTermination): Broke this out as a separate
        method since we need to call it at the top and near the bottom of compileNode().
        (JSC::FTL::LowerDFGToLLVM::compileNode):

2015-01-31  Sam Weinig  <sam@webkit.org>

        Remove even more Mountain Lion support
        https://bugs.webkit.org/show_bug.cgi?id=141124

        Reviewed by Alexey Proskuryakov.

        * API/tests/DateTests.mm:
        * Configurations/Base.xcconfig:
        * Configurations/DebugRelease.xcconfig:
        * Configurations/FeatureDefines.xcconfig:
        * Configurations/Version.xcconfig:
        * jit/ExecutableAllocatorFixedVMPool.cpp:

2015-01-31  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r179426.
        https://bugs.webkit.org/show_bug.cgi?id=141119

        "caused a memory use regression" (Requested by Guest45 on
        #webkit).

        Reverted changeset:

        "Use FastMalloc (bmalloc) instead of BlockAllocator for GC
        pages"
        https://bugs.webkit.org/show_bug.cgi?id=140900
        http://trac.webkit.org/changeset/179426

2015-01-30  Daniel Bates  <dabates@apple.com>

        Clean up: Remove unnecessary <dispatch/dispatch.h> header from RemoteInspectorDebuggableConnection.h
        https://bugs.webkit.org/show_bug.cgi?id=141067

        Reviewed by Timothy Hatcher.

        Remove the header <dispatch/dispatch.h> from RemoteInspectorDebuggableConnection.h as we
        do not make use of its functionality. Instead, include this header in RemoteInspectorDebuggableConnection.mm
        and RemoteInspector.mm. The latter depended on <dispatch/dispatch.h> being included via
        header RemoteInspectorDebuggableConnection.h.

        * inspector/remote/RemoteInspector.mm: Include header <dispatch/dispatch.h>.
        * inspector/remote/RemoteInspectorDebuggableConnection.h: Remove header <dispatch/dispatch.h>.
        * inspector/remote/RemoteInspectorDebuggableConnection.mm: Include header <dispatch/dispatch.h>.

2015-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        Implement ES6 Symbol
        https://bugs.webkit.org/show_bug.cgi?id=140435

        Reviewed by Geoffrey Garen.

        This patch implements ES6 Symbol. In this patch, we don't support
        Symbol.keyFor, Symbol.for, Object.getOwnPropertySymbols. They will be
        supported in subsequent patches.

        Since ES6 Symbol is introduced as a new primitive value, we implement
        Symbol as a derived class from JSCell. And now JSValue accepts Symbol*
        as a new primitive value.

        Symbol has a *unique* flagged StringImpl* as a `uid`, whose pointer
        value represents the Symbol's identity. So don't use the Symbol's
        JSCell pointer value for comparison.
        This enables re-producing a Symbol primitive value from the StringImpl* uid
        by executing `Symbol::create(vm, uid)`. This is needed to produce
        Symbol primitive values from stored StringImpl* in `Object.getOwnPropertySymbols`.

        And Symbol.[[Description]] is folded into the string value of the Symbol's uid.
        By doing so, we can represent ES6 Symbol without extending the current PropertyTable key, StringImpl*.

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.order:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        * builtins/BuiltinNames.h:
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::subtype):
        * interpreter/Interpreter.cpp:
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getByVal):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * runtime/CommonIdentifiers.h:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::opIn):
        * runtime/ExceptionHelpers.cpp:
        (JSC::createUndefinedVariableError):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::synthesizePrototype):
        (JSC::JSValue::dumpInContextAssumingStructure):
        (JSC::JSValue::toStringSlowCase):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isSymbol):
        (JSC::JSValue::isPrimitive):
        (JSC::JSValue::toPropertyKey):

        It represents the ToPropertyKey abstract operation in the ES6 spec.
        It cleans up the old implementation's `isName` checks.
        And to prevent performance regressions in
            js/regress/fold-get-by-id-to-multi-get-by-offset-rare-int.html
            js/regress/fold-get-by-id-to-multi-get-by-offset.html
        we annotate this function as ALWAYS_INLINE.

        (JSC::JSValue::getPropertySlot):
        (JSC::JSValue::get):
        (JSC::JSValue::equalSlowCaseInline):
        (JSC::JSValue::strictEqualSlowCaseInline):
        * runtime/JSCell.cpp:
        (JSC::JSCell::put):
        (JSC::JSCell::putByIndex):
        (JSC::JSCell::toPrimitive):
        (JSC::JSCell::getPrimitiveNumber):
        (JSC::JSCell::toNumber):
        (JSC::JSCell::toObject):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::isSymbol):
        (JSC::JSCell::toBoolean):
        (JSC::JSCell::pureToBoolean):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::symbolPrototype):
        (JSC::JSGlobalObject::symbolObjectStructure):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Stringifier):
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
        * runtime/JSType.h:
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::isName): Deleted.
        * runtime/MapData.cpp:
        (JSC::MapData::find):
        (JSC::MapData::add):
        (JSC::MapData::remove):
        (JSC::MapData::replaceAndPackBackingStore):
        * runtime/MapData.h:
        (JSC::MapData::clear):
        * runtime/NameInstance.h: Removed.
        * runtime/NamePrototype.cpp: Removed.
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyDescriptor):
        (JSC::objectConstructorDefineProperty):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncHasOwnProperty):
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):
        (JSC::objectProtoFuncPropertyIsEnumerable):
        * runtime/Operations.cpp:
        (JSC::jsTypeStringForValue):
        (JSC::jsIsObjectType):
        * runtime/PrivateName.h:
        (JSC::PrivateName::PrivateName):
        (JSC::PrivateName::operator==):
        (JSC::PrivateName::operator!=):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::find):
        (JSC::PropertyTable::get):
        * runtime/PropertyName.h:
        (JSC::PropertyName::PropertyName):
        (JSC::PropertyName::publicName):
        * runtime/SmallStrings.h:
        * runtime/StringConstructor.cpp:
        (JSC::callStringConstructor):

        In ES6, the String constructor accepts a Symbol, to execute `String(symbol)`.

        * runtime/Structure.cpp:
        (JSC::Structure::getPropertyNamesFromStructure):
        * runtime/StructureInlines.h:
        (JSC::Structure::prototypeForLookup):
        * runtime/Symbol.cpp: Added.
        (JSC::Symbol::Symbol):
        (JSC::SymbolObject::create):
        (JSC::Symbol::toPrimitive):
        (JSC::Symbol::toBoolean):
        (JSC::Symbol::getPrimitiveNumber):
        (JSC::Symbol::toObject):
        (JSC::Symbol::toNumber):
        (JSC::Symbol::destroy):
        (JSC::Symbol::descriptiveString):
        * runtime/Symbol.h: Added.
        (JSC::Symbol::createStructure):
        (JSC::Symbol::create):
        (JSC::Symbol::privateName):
        (JSC::Symbol::finishCreation):
        (JSC::asSymbol):
        * runtime/SymbolConstructor.cpp: Renamed from Source/JavaScriptCore/runtime/NameConstructor.cpp.
        (JSC::SymbolConstructor::SymbolConstructor):
        (JSC::SymbolConstructor::finishCreation):
        (JSC::callSymbol):
        (JSC::SymbolConstructor::getConstructData):
        (JSC::SymbolConstructor::getCallData):
        * runtime/SymbolConstructor.h: Renamed from Source/JavaScriptCore/runtime/NameConstructor.h.
        (JSC::SymbolConstructor::create):
        (JSC::SymbolConstructor::createStructure):
        * runtime/SymbolObject.cpp: Renamed from Source/JavaScriptCore/runtime/NameInstance.cpp.
        (JSC::SymbolObject::SymbolObject):
        (JSC::SymbolObject::finishCreation):
        (JSC::SymbolObject::defaultValue):

        Currently JSC doesn't support @@toPrimitive. So instead of it, we implement
        Symbol.prototype[@@toPrimitive] as ES5 Symbol.[[DefaultValue]].

        * runtime/SymbolObject.h: Added.
        (JSC::SymbolObject::create):
        (JSC::SymbolObject::internalValue):
        (JSC::SymbolObject::createStructure):
        * runtime/SymbolPrototype.cpp: Added.
        (JSC::SymbolPrototype::SymbolPrototype):
        (JSC::SymbolPrototype::finishCreation):
        (JSC::SymbolPrototype::getOwnPropertySlot):
        (JSC::symbolProtoFuncToString):
        (JSC::symbolProtoFuncValueOf):
        * runtime/SymbolPrototype.h: Renamed from Source/JavaScriptCore/runtime/NamePrototype.h.
        (JSC::SymbolPrototype::create):
        (JSC::SymbolPrototype::createStructure):

        The SymbolPrototype object is an ordinary JS object, not a wrapper object of Symbol.
        It is tested in js/symbol-prototype-is-ordinary-object.html.

        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2015-01-30  Geoffrey Garen  <ggaren@apple.com>

        Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
        https://bugs.webkit.org/show_bug.cgi?id=140900

        Reviewed by Mark Hahnenberg.

        Re-landing just the HandleBlock piece of this patch.

        * heap/HandleBlock.h:
        * heap/HandleBlockInlines.h:
        (JSC::HandleBlock::create):
        (JSC::HandleBlock::destroy):
        (JSC::HandleBlock::HandleBlock):
        (JSC::HandleBlock::payloadEnd):
        * heap/HandleSet.cpp:
        (JSC::HandleSet::~HandleSet):
        (JSC::HandleSet::grow):

2015-01-30  Geoffrey Garen  <ggaren@apple.com>

        GC marking threads should clear malloc caches
        https://bugs.webkit.org/show_bug.cgi?id=141097

        Reviewed by Sam Weinig.

        Follow-up based on Mark Hahnenberg's review: Release after the copy
        phase, rather than after any phase, since we'd rather not release
        between marking and copying.

        * heap/GCThread.cpp:
        (JSC::GCThread::waitForNextPhase):
        (JSC::GCThread::gcThreadMain):

2015-01-30  Geoffrey Garen  <ggaren@apple.com>

        GC marking threads should clear malloc caches
        https://bugs.webkit.org/show_bug.cgi?id=141097

        Reviewed by Andreas Kling.

        This is an attempt to ameliorate a potential memory use regression
        caused by https://bugs.webkit.org/show_bug.cgi?id=140900
        Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages.

        FastMalloc may accumulate a per-thread cache on each of the 8-ish
        GC marking threads, which can be expensive.

        * heap/GCThread.cpp:
        (JSC::GCThread::waitForNextPhase): Scavenge the current thread before
        going to sleep. There's probably not too much value to keeping our
        per-thread cache between GCs, and it has some memory footprint.

702 2015-01-30  Chris Dumez  <cdumez@apple.com>
703
704         Rename shared() static member functions to singleton() for singleton classes.
705         https://bugs.webkit.org/show_bug.cgi?id=141088
706
707         Reviewed by Ryosuke Niwa and Benjamin Poulain.
708
709         Rename shared() static member functions to singleton() for singleton
710         classes as per the recent coding style change.
711
712         * inspector/remote/RemoteInspector.h:
713         * inspector/remote/RemoteInspector.mm:
714         (Inspector::RemoteInspector::singleton):
715         (Inspector::RemoteInspector::start):
716         (Inspector::RemoteInspector::shared): Deleted.
717         * inspector/remote/RemoteInspectorDebuggable.cpp:
718         (Inspector::RemoteInspectorDebuggable::~RemoteInspectorDebuggable):
719         (Inspector::RemoteInspectorDebuggable::init):
720         (Inspector::RemoteInspectorDebuggable::update):
721         (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
722         (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection):
723         (Inspector::RemoteInspectorDebuggable::unpauseForInitializedInspector):
724         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
725         (Inspector::RemoteInspectorDebuggableConnection::setup):
726         (Inspector::RemoteInspectorDebuggableConnection::sendMessageToFrontend):
727
728 2015-01-30  Geoffrey Garen  <ggaren@apple.com>
729
730         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
731         https://bugs.webkit.org/show_bug.cgi?id=140900
732
733         Reviewed by Mark Hahnenberg.
734
735         Re-landing just the CopyWorkListSegment piece of this patch.
736
737         * heap/CopiedBlockInlines.h:
738         (JSC::CopiedBlock::reportLiveBytes):
739         * heap/CopyWorkList.h:
740         (JSC::CopyWorkListSegment::create):
741         (JSC::CopyWorkListSegment::destroy):
742         (JSC::CopyWorkListSegment::CopyWorkListSegment):
743         (JSC::CopyWorkList::CopyWorkList):
744         (JSC::CopyWorkList::~CopyWorkList):
745         (JSC::CopyWorkList::append):
746
747 2015-01-29  Commit Queue  <commit-queue@webkit.org>
748
749         Unreviewed, rolling out r179357 and r179358.
750         https://bugs.webkit.org/show_bug.cgi?id=141062
751
752         Suspect this caused WebGL tests to start flaking (Requested by
753         kling on #webkit).
754
755         Reverted changesets:
756
757         "Polymorphic call inlining should be based on polymorphic call
758         inline caching rather than logging"
759         https://bugs.webkit.org/show_bug.cgi?id=140660
760         http://trac.webkit.org/changeset/179357
761
762         "Unreviewed, fix no-JIT build."
763         http://trac.webkit.org/changeset/179358
764
765 2015-01-29  Geoffrey Garen  <ggaren@apple.com>
766
767         Removed op_ret_object_or_this
768         https://bugs.webkit.org/show_bug.cgi?id=141048
769
770         Reviewed by Michael Saboff.
771
772         op_ret_object_or_this was one opcode that would keep us out of the
773         optimizing compilers.
774
775         We don't need a special-purpose opcode; we can just use a branch.
776
777         * bytecode/BytecodeBasicBlock.cpp:
778         (JSC::isTerminal): Removed.
779         * bytecode/BytecodeList.json:
780         * bytecode/BytecodeUseDef.h:
781         (JSC::computeUsesForBytecodeOffset):
782         (JSC::computeDefsForBytecodeOffset): Removed.
783
784         * bytecode/CodeBlock.cpp:
785         (JSC::CodeBlock::dumpBytecode): Removed.
786
787         * bytecompiler/BytecodeGenerator.cpp:
788         (JSC::BytecodeGenerator::emitReturn): Use an explicit branch to determine
789         if we need to substitute 'this' for the return value. Our engine no longer
790         benefits from fused opcodes that dispatch less in the interpreter.
791
792         * jit/JIT.cpp:
793         (JSC::JIT::privateCompileMainPass):
794         * jit/JIT.h:
795         * jit/JITCall32_64.cpp:
796         (JSC::JIT::emit_op_ret_object_or_this): Deleted.
797         * jit/JITOpcodes.cpp:
798         (JSC::JIT::emit_op_ret_object_or_this): Deleted.
799         * llint/LowLevelInterpreter32_64.asm:
800         * llint/LowLevelInterpreter64.asm: Removed.
801
802 2015-01-29  Ryosuke Niwa  <rniwa@webkit.org>
803
804         Implement ES6 class syntax without inheritance support
805         https://bugs.webkit.org/show_bug.cgi?id=140918
806
807         Reviewed by Geoffrey Garen.
808
809         Added the most basic support for ES6 class syntax. After this patch, we support basic class definition like:
810         class A {
811             constructor() { }
812             someMethod() { }
813         }
814
815         We'll add support for the "extends" keyword and automatically generating a constructor in follow-up patches.
816         We also don't support block scoping of a class declaration.
817
818         We support both class declaration and class expression. A class expression is implemented by the newly added
819         ClassExprNode AST node. A class declaration is implemented by ClassDeclNode, which is a thin wrapper around
820         AssignResolveNode.
821
822         Tests: js/class-syntax-declaration.html
823                js/class-syntax-expression.html
824
825         * bytecompiler/NodesCodegen.cpp:
826         (JSC::ObjectLiteralNode::emitBytecode): Create a new object instead of delegating the work to PropertyListNode.
827         Also fixed the 5-space indentation.
828         (JSC::PropertyListNode::emitBytecode): Don't create a new object now that ObjectLiteralNode does this.
829         (JSC::ClassDeclNode::emitBytecode): Added. Just let the AssignResolveNode node emit the byte code.
830         (JSC::ClassExprNode::emitBytecode): Create the class constructor and add static methods to the constructor by
831         emitting the byte code for PropertyListNode. Add instance methods to the class's prototype object the same way.
832
833         * parser/ASTBuilder.h:
834         (JSC::ASTBuilder::createClassExpr): Added. Creates a ClassExprNode.
835         (JSC::ASTBuilder::createClassDeclStatement): Added. Creates an AssignResolveNode and wraps it in a ClassDeclNode.
836
837         * parser/NodeConstructors.h:
838         (JSC::ClassDeclNode::ClassDeclNode): Added.
839         (JSC::ClassExprNode::ClassExprNode): Added.
840
841         * parser/Nodes.h:
842         (JSC::ClassExprNode): Added.
843         (JSC::ClassDeclNode): Added.
844
845         * parser/Parser.cpp:
846         (JSC::Parser<LexerType>::parseStatement): Added the support for class declaration.
847         (JSC::stringForFunctionMode): Return "method" for MethodMode.
848         (JSC::Parser<LexerType>::parseClassDeclaration): Added. Uses parseClass to create a class expression and wraps
849         it with ClassDeclNode as described above.
850         (JSC::Parser<LexerType>::parseClass): Parses a class expression.
851         (JSC::Parser<LexerType>::parseProperty):
852         (JSC::Parser<LexerType>::parseGetterSetter): Extracted from parseProperty to share the code between parseProperty
853         and parseClass.
854         (JSC::Parser<LexerType>::parsePrimaryExpression): Added the support for class expression.
855
856         * parser/Parser.h:
857         (FunctionParseMode): Added MethodMode.
858
859         * parser/SyntaxChecker.h:
860         (JSC::SyntaxChecker::createClassExpr): Added.
861         (JSC::SyntaxChecker::createClassDeclStatement): Added.
862
863 2015-01-29  Geoffrey Garen  <ggaren@apple.com>
864
865         Try to fix the Windows build.
866
867         Not reviewed.
868
869         * heap/WeakBlock.h: Use the fully qualified name when declaring our friend.
870
871 2015-01-29  Geoffrey Garen  <ggaren@apple.com>
872
873         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
874         https://bugs.webkit.org/show_bug.cgi?id=140900
875
876         Reviewed by Mark Hahnenberg.
877
878         Re-landing just the WeakBlock piece of this patch.
879
880         * heap/WeakBlock.cpp:
881         (JSC::WeakBlock::create):
882         (JSC::WeakBlock::destroy):
883         (JSC::WeakBlock::WeakBlock):
884         * heap/WeakBlock.h:
885         * heap/WeakSet.cpp:
886         (JSC::WeakSet::~WeakSet):
887         (JSC::WeakSet::addAllocator):
888         (JSC::WeakSet::removeAllocator):
889
890 2015-01-29  Geoffrey Garen  <ggaren@apple.com>
891
892         Use Vector instead of GCSegmentedArray in CodeBlockSet
893         https://bugs.webkit.org/show_bug.cgi?id=141044
894
895         Reviewed by Ryosuke Niwa.
896
897         This is allowed now that we've gotten rid of fastMallocForbid.
898
899         4kB was a bit overkill for just storing a few pointers.
900
901         * heap/CodeBlockSet.cpp:
902         (JSC::CodeBlockSet::CodeBlockSet):
903         * heap/CodeBlockSet.h:
904         * heap/Heap.cpp:
905         (JSC::Heap::Heap):
906
907 2015-01-29  Filip Pizlo  <fpizlo@apple.com>
908
909         Unreviewed, fix no-JIT build.
910
911         * jit/PolymorphicCallStubRoutine.cpp:
912
913 2015-01-28  Filip Pizlo  <fpizlo@apple.com>
914
915         Polymorphic call inlining should be based on polymorphic call inline caching rather than logging
916         https://bugs.webkit.org/show_bug.cgi?id=140660
917
918         Reviewed by Geoffrey Garen.
919         
920         When we first implemented polymorphic call inlining, we did the profiling based on a call
921         edge log. The idea was to store each call edge (a tuple of call site and callee) into a
922         global log that was processed lazily. Processing the log would give precise counts of call
923         edges, and could be used to drive well-informed inlining decisions - polymorphic or not.
924         This was a speed-up on throughput tests but a slow-down for latency tests. It was a net win
925         nonetheless.
926         
927         Experience with this code shows three things. First, the call edge profiler is buggy and
928         complex. It would take work to fix the bugs. Second, the call edge profiler incurs lots of
929         overhead for latency code that we care deeply about. Third, it's not at all clear that
930         having call edge counts for every possible callee is any better than just having call edge
931         counts for the limited number of callees that an inline cache would catch.
932         
933         So, this patch removes the call edge profiler and replaces it with a polymorphic call inline
934         cache. If we miss the basic call inline cache, we inflate the cache to be a jump to an
935         out-of-line stub that cases on the previously known callees. If that misses again, then we
936         rewrite that stub to include the new callee. We do this up to some number of callees. If we
937         hit the limit then we switch to using a plain virtual call.
938         
939         Substantial speed-up on V8Spider; undoes the slow-down that the original call edge profiler
940         caused. Might be a SunSpider speed-up (below 1%), depending on hardware.
941
942         * CMakeLists.txt:
943         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
944         * JavaScriptCore.xcodeproj/project.pbxproj:
945         * bytecode/CallEdge.h:
946         (JSC::CallEdge::count):
947         (JSC::CallEdge::CallEdge):
948         * bytecode/CallEdgeProfile.cpp: Removed.
949         * bytecode/CallEdgeProfile.h: Removed.
950         * bytecode/CallEdgeProfileInlines.h: Removed.
951         * bytecode/CallLinkInfo.cpp:
952         (JSC::CallLinkInfo::unlink):
953         (JSC::CallLinkInfo::visitWeak):
954         * bytecode/CallLinkInfo.h:
955         * bytecode/CallLinkStatus.cpp:
956         (JSC::CallLinkStatus::CallLinkStatus):
957         (JSC::CallLinkStatus::computeFor):
958         (JSC::CallLinkStatus::computeFromCallLinkInfo):
959         (JSC::CallLinkStatus::isClosureCall):
960         (JSC::CallLinkStatus::makeClosureCall):
961         (JSC::CallLinkStatus::dump):
962         (JSC::CallLinkStatus::computeFromCallEdgeProfile): Deleted.
963         * bytecode/CallLinkStatus.h:
964         (JSC::CallLinkStatus::CallLinkStatus):
965         (JSC::CallLinkStatus::isSet):
966         (JSC::CallLinkStatus::variants):
967         (JSC::CallLinkStatus::size):
968         (JSC::CallLinkStatus::at):
969         (JSC::CallLinkStatus::operator[]):
970         (JSC::CallLinkStatus::canOptimize):
971         (JSC::CallLinkStatus::edges): Deleted.
972         (JSC::CallLinkStatus::canTrustCounts): Deleted.
973         * bytecode/CallVariant.cpp:
974         (JSC::variantListWithVariant):
975         (JSC::despecifiedVariantList):
976         * bytecode/CallVariant.h:
977         * bytecode/CodeBlock.cpp:
978         (JSC::CodeBlock::~CodeBlock):
979         (JSC::CodeBlock::linkIncomingPolymorphicCall):
980         (JSC::CodeBlock::unlinkIncomingCalls):
981         (JSC::CodeBlock::noticeIncomingCall):
982         * bytecode/CodeBlock.h:
983         (JSC::CodeBlock::isIncomingCallAlreadyLinked): Deleted.
984         * dfg/DFGAbstractInterpreterInlines.h:
985         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
986         * dfg/DFGByteCodeParser.cpp:
987         (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
988         (JSC::DFG::ByteCodeParser::handleCall):
989         (JSC::DFG::ByteCodeParser::handleInlining):
990         * dfg/DFGClobberize.h:
991         (JSC::DFG::clobberize):
992         * dfg/DFGConstantFoldingPhase.cpp:
993         (JSC::DFG::ConstantFoldingPhase::foldConstants):
994         * dfg/DFGDoesGC.cpp:
995         (JSC::DFG::doesGC):
996         * dfg/DFGDriver.cpp:
997         (JSC::DFG::compileImpl):
998         * dfg/DFGFixupPhase.cpp:
999         (JSC::DFG::FixupPhase::fixupNode):
1000         * dfg/DFGNode.h:
1001         (JSC::DFG::Node::hasHeapPrediction):
1002         * dfg/DFGNodeType.h:
1003         * dfg/DFGOperations.cpp:
1004         * dfg/DFGPredictionPropagationPhase.cpp:
1005         (JSC::DFG::PredictionPropagationPhase::propagate):
1006         * dfg/DFGSafeToExecute.h:
1007         (JSC::DFG::safeToExecute):
1008         * dfg/DFGSpeculativeJIT32_64.cpp:
1009         (JSC::DFG::SpeculativeJIT::emitCall):
1010         (JSC::DFG::SpeculativeJIT::compile):
1011         * dfg/DFGSpeculativeJIT64.cpp:
1012         (JSC::DFG::SpeculativeJIT::emitCall):
1013         (JSC::DFG::SpeculativeJIT::compile):
1014         * dfg/DFGTierUpCheckInjectionPhase.cpp:
1015         (JSC::DFG::TierUpCheckInjectionPhase::run):
1016         (JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling): Deleted.
1017         * ftl/FTLCapabilities.cpp:
1018         (JSC::FTL::canCompile):
1019         * heap/Heap.cpp:
1020         (JSC::Heap::collect):
1021         * jit/BinarySwitch.h:
1022         * jit/ClosureCallStubRoutine.cpp: Removed.
1023         * jit/ClosureCallStubRoutine.h: Removed.
1024         * jit/JITCall.cpp:
1025         (JSC::JIT::compileOpCall):
1026         * jit/JITCall32_64.cpp:
1027         (JSC::JIT::compileOpCall):
1028         * jit/JITOperations.cpp:
1029         * jit/JITOperations.h:
1030         (JSC::operationLinkPolymorphicCallFor):
1031         (JSC::operationLinkClosureCallFor): Deleted.
1032         * jit/JITStubRoutine.h:
1033         * jit/JITWriteBarrier.h:
1034         * jit/PolymorphicCallStubRoutine.cpp: Added.
1035         (JSC::PolymorphicCallNode::~PolymorphicCallNode):
1036         (JSC::PolymorphicCallNode::unlink):
1037         (JSC::PolymorphicCallCase::dump):
1038         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
1039         (JSC::PolymorphicCallStubRoutine::~PolymorphicCallStubRoutine):
1040         (JSC::PolymorphicCallStubRoutine::variants):
1041         (JSC::PolymorphicCallStubRoutine::edges):
1042         (JSC::PolymorphicCallStubRoutine::visitWeak):
1043         (JSC::PolymorphicCallStubRoutine::markRequiredObjectsInternal):
1044         * jit/PolymorphicCallStubRoutine.h: Added.
1045         (JSC::PolymorphicCallNode::PolymorphicCallNode):
1046         (JSC::PolymorphicCallCase::PolymorphicCallCase):
1047         (JSC::PolymorphicCallCase::variant):
1048         (JSC::PolymorphicCallCase::codeBlock):
1049         * jit/Repatch.cpp:
1050         (JSC::linkSlowFor):
1051         (JSC::linkFor):
1052         (JSC::revertCall):
1053         (JSC::unlinkFor):
1054         (JSC::linkVirtualFor):
1055         (JSC::linkPolymorphicCall):
1056         (JSC::linkClosureCall): Deleted.
1057         * jit/Repatch.h:
1058         * jit/ThunkGenerators.cpp:
1059         (JSC::linkPolymorphicCallForThunkGenerator):
1060         (JSC::linkPolymorphicCallThunkGenerator):
1061         (JSC::linkPolymorphicCallThatPreservesRegsThunkGenerator):
1062         (JSC::linkClosureCallForThunkGenerator): Deleted.
1063         (JSC::linkClosureCallThunkGenerator): Deleted.
1064         (JSC::linkClosureCallThatPreservesRegsThunkGenerator): Deleted.
1065         * jit/ThunkGenerators.h:
1066         (JSC::linkPolymorphicCallThunkGeneratorFor):
1067         (JSC::linkClosureCallThunkGeneratorFor): Deleted.
1068         * llint/LLIntSlowPaths.cpp:
1069         (JSC::LLInt::jitCompileAndSetHeuristics):
1070         * runtime/Options.h:
1071         * runtime/VM.cpp:
1072         (JSC::VM::prepareToDiscardCode):
1073         (JSC::VM::ensureCallEdgeLog): Deleted.
1074         * runtime/VM.h:
1075
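The cache transitions described in this entry, as an added example that is not JavaScriptCore code: a small C++ model of a call site that links one callee, inflates into a stub casing on the known callees on a miss, rewrites that stub for each new callee up to a limit, and switches to a plain virtual call past it. Callee, CallSite, CacheState, the statistics and the limit are hypothetical names, not the real CallLinkInfo / PolymorphicCallStubRoutine API.

```cpp
#include <cstddef>
#include <functional>
#include <string>
#include <vector>

// Stands in for a callee (a JSFunction/CodeBlock pair): identity plus behaviour.
struct Callee {
    std::string name;
    std::function<int(int)> body;
};

// Unlinked: nothing seen yet. Monomorphic: the basic IC checks one callee.
// Polymorphic: an out-of-line stub cases on a few known callees.
// Virtual: the stub hit its callee limit, so every call is a plain indirect call.
enum class CacheState { Unlinked, Monomorphic, Polymorphic, Virtual };

struct CallSiteStats {
    unsigned hits = 0;         // fast path or a stub case matched
    unsigned misses = 0;       // cache miss: link, inflate or rewrite happened
    unsigned rewrites = 0;     // times the polymorphic stub was (re)generated
    unsigned virtualCalls = 0; // calls made after giving up on caching
};

class CallSite {
public:
    explicit CallSite(size_t maxCallees) : m_maxCallees(maxCallees) {}

    // Dispatch one call through the cache, updating it on a miss.
    int call(const Callee* callee, int arg) {
        switch (m_state) {
        case CacheState::Unlinked:
            ++m_stats.misses;
            m_cases.push_back(callee);        // link the basic inline cache
            m_state = CacheState::Monomorphic;
            break;
        case CacheState::Monomorphic:
            if (m_cases[0] == callee) { ++m_stats.hits; break; }
            ++m_stats.misses;
            addCase(callee);                  // inflate into an out-of-line stub
            break;
        case CacheState::Polymorphic:
            if (knows(callee)) { ++m_stats.hits; break; }
            ++m_stats.misses;
            addCase(callee);                  // rewrite the stub, or go virtual
            break;
        case CacheState::Virtual:
            ++m_stats.virtualCalls;
            break;
        }
        return callee->body(arg);             // the call itself always happens
    }

    // The GC found this callee dead: drop its case (the role of visitWeak / unlink).
    void unlink(const Callee* callee) {
        for (size_t i = 0; i < m_cases.size(); ++i) {
            if (m_cases[i] == callee) { m_cases.erase(m_cases.begin() + i); break; }
        }
        if (m_state == CacheState::Virtual) return;   // nothing is cached
        if (m_cases.empty()) m_state = CacheState::Unlinked;
        else if (m_cases.size() == 1) m_state = CacheState::Monomorphic;
    }

    CacheState state() const { return m_state; }
    size_t caseCount() const { return m_cases.size(); }
    const CallSiteStats& stats() const { return m_stats; }

private:
    bool knows(const Callee* callee) const {
        for (const Callee* c : m_cases) if (c == callee) return true;
        return false;
    }
    void addCase(const Callee* callee) {
        if (m_cases.size() + 1 > m_maxCallees) { // over the limit: give up on caching
            m_cases.clear();
            m_state = CacheState::Virtual;
            return;
        }
        m_cases.push_back(callee);
        ++m_stats.rewrites;
        m_state = CacheState::Polymorphic;
    }

    size_t m_maxCallees;
    CacheState m_state = CacheState::Unlinked;
    std::vector<const Callee*> m_cases;
    CallSiteStats m_stats;
};
```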
1076 2015-01-29  Joseph Pecoraro  <pecoraro@apple.com>
1077
1078         Web Inspector: ES6: Improved Console Format for Set and Map Objects (like Arrays)
1079         https://bugs.webkit.org/show_bug.cgi?id=122867
1080
1081         Reviewed by Timothy Hatcher.
1082
1083         Add new Runtime.RemoteObject object subtypes for "map", "set", and "weakmap".
1084
1085         Upgrade Runtime.ObjectPreview to include type/subtype information. Now,
1086         an ObjectPreview can be used for any value, in place of a RemoteObject,
1087         and not capture / hold a reference to the value. The value will be in
1088         the string description.
1089
1090         Adding this information to ObjectPreview can duplicate some information
1091         in the protocol messages if a preview is provided, but simplifies
1092         previews, so that all the information you need for any RemoteObject
1093         preview is available. To slim messages further, make "overflow" and
1094         "properties" only available on previews that may contain properties.
1095         So, not primitives or null.
1096
1097         Finally, for "Map/Set/WeakMap" add an "entries" list to the preview
1098         that will return previews with "key" and "value" properties depending
1099         on the collection type. To get live, non-preview objects from a
1100         collection, use Runtime.getCollectionEntries.
1101
1102         In order to keep the WeakMap's values weak, the frontend may provide
1103         a unique object group name when getting collection entries. It may
1104         then release that object group, e.g. when not showing the WeakMap's
1105         values to the user, and thus remove the strong reference to the keys
1106         so they may be garbage collected.
1107
1108         * runtime/WeakMapData.h:
1109         (JSC::WeakMapData::begin):
1110         (JSC::WeakMapData::end):
1111         Expose iterators so the Inspector may access WeakMap keys/values.
1112
1113         * inspector/JSInjectedScriptHostPrototype.cpp:
1114         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
1115         (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapEntries):
1116         * inspector/JSInjectedScriptHost.h:
1117         * inspector/JSInjectedScriptHost.cpp:
1118         (Inspector::JSInjectedScriptHost::subtype):
1119         Discern "map", "set", and "weakmap" object subtypes.
1120
1121         (Inspector::JSInjectedScriptHost::weakMapEntries):
1122         Return a list of WeakMap entries. These are strong references
1123         that the Inspector code is responsible for releasing.
1124
1125         * inspector/protocol/Runtime.json:
1126         Update types and expose the new getCollectionEntries command.
1127
1128         * inspector/agents/InspectorRuntimeAgent.h:
1129         * inspector/agents/InspectorRuntimeAgent.cpp:
1130         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
1131         * inspector/InjectedScript.h:
1132         * inspector/InjectedScript.cpp:
1133         (Inspector::InjectedScript::getInternalProperties):
1134         (Inspector::InjectedScript::getCollectionEntries):
1135         Pass through to the InjectedScript and call getCollectionEntries.
1136
1137         * inspector/scripts/codegen/generator.py:
1138         Add another type with runtime casting.
1139
1140         * inspector/InjectedScriptSource.js:
1141         - Implement getCollectionEntries to get a range of values from a
1142         collection. The non-Weak collections have an order to their keys (in the
1143         order they were added), so ranged gets are okay. WeakMap does not have an
1144         order, so only allow fetching a number of values.
1145         - Update preview generation to address the Runtime.ObjectPreview
1146         type changes.
1147
1148 2015-01-28  Geoffrey Garen  <ggaren@apple.com>
1149
1150         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
1151         https://bugs.webkit.org/show_bug.cgi?id=140900
1152
1153         Reviewed by Mark Hahnenberg.
1154
1155         Re-landing just the GCArraySegment piece of this patch.
1156
1157         * heap/CodeBlockSet.cpp:
1158         (JSC::CodeBlockSet::CodeBlockSet):
1159         * heap/CodeBlockSet.h:
1160         * heap/GCSegmentedArray.h:
1161         (JSC::GCArraySegment::GCArraySegment):
1162         * heap/GCSegmentedArrayInlines.h:
1163         (JSC::GCSegmentedArray<T>::GCSegmentedArray):
1164         (JSC::GCSegmentedArray<T>::~GCSegmentedArray):
1165         (JSC::GCSegmentedArray<T>::clear):
1166         (JSC::GCSegmentedArray<T>::expand):
1167         (JSC::GCSegmentedArray<T>::refill):
1168         (JSC::GCArraySegment<T>::create):
1169         (JSC::GCArraySegment<T>::destroy):
1170         * heap/GCThreadSharedData.cpp:
1171         (JSC::GCThreadSharedData::GCThreadSharedData):
1172         * heap/Heap.cpp:
1173         (JSC::Heap::Heap):
1174         * heap/MarkStack.cpp:
1175         (JSC::MarkStackArray::MarkStackArray):
1176         * heap/MarkStack.h:
1177         * heap/SlotVisitor.cpp:
1178         (JSC::SlotVisitor::SlotVisitor):
1179
1180 2015-01-29  Csaba Osztrogonác  <ossy@webkit.org>
1181
1182         Move HAVE_DTRACE definition back to Platform.h
1183         https://bugs.webkit.org/show_bug.cgi?id=141033
1184
1185         Reviewed by Dan Bernstein.
1186
1187         * Configurations/Base.xcconfig:
1188         * JavaScriptCore.xcodeproj/project.pbxproj:
1189
1190 2015-01-28  Geoffrey Garen  <ggaren@apple.com>
1191
1192         Removed fastMallocForbid / fastMallocAllow
1193         https://bugs.webkit.org/show_bug.cgi?id=141012
1194
1195         Reviewed by Mark Hahnenberg.
1196
1197         Copy non-current thread stacks before scanning them instead of scanning
1198         them in-place.
1199
1200         This operation is uncommon (i.e., never in the web content process),
1201         and even in a stress test with 4 threads it only copies about 27kB,
1202         so I think the performance cost is OK.
1203
1204         Scanning in-place requires a complex dance where we constrain our GC
1205         data structures not to use malloc, free, or any other interesting functions
1206         that might acquire locks. We've gotten this wrong many times in the past,
1207         and I just got it wrong again yesterday. Since this code path is rarely
1208         tested, I want it to just make sense, and not depend on or constrain the
1209         details of the rest of the GC heap's design.
1210
1211         * heap/MachineStackMarker.cpp:
1212         (JSC::otherThreadStack): Factored out a helper function for dealing with
1213         unaligned and/or backwards pointers.
1214
1215         (JSC::MachineThreads::tryCopyOtherThreadStack): This is now the only
1216         constrained function, and it only calls memcpy and low-level thread APIs.
1217
1218         (JSC::MachineThreads::tryCopyOtherThreadStacks): The design here is that
1219         you do one pass over all the threads to compute their combined size,
1220         and then a second pass to do all the copying. In theory, the threads may
1221         grow in between passes, in which case you'll continue until the threads
1222         stop growing. In practice, you never continue.
1223
1224         (JSC::growBuffer): Helper function for growing.
1225
1226         (JSC::MachineThreads::gatherConservativeRoots):
1227         (JSC::MachineThreads::gatherFromOtherThread): Deleted.
1228         * heap/MachineStackMarker.h: Updated for interface changes.
1229
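The size-then-copy scheme described in this entry, as an added example that is not JavaScriptCore code: a C++ model in which a helper normalises backwards or unaligned stack pointer pairs, one pass totals the stacks, a second pass copies them with nothing but memcpy, a stack that grew in between forces a retry, and the private copy (never the live stacks) is then scanned for words that land inside a heap range. ThreadRegisters, StackRange, GatherResult and the betweenPasses hook are hypothetical stand-ins, not the real MachineStackMarker API.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <functional>
#include <vector>

// What a low-level thread API reports for a suspended thread: its stack
// pointer and stack base. On a downward-growing stack the pointer is below
// the base, so the pair arrives "backwards".
struct ThreadRegisters {
    void* stackPointer;
    void* stackBase;
};

struct StackRange {
    uintptr_t begin;
    uintptr_t end;
    size_t size() const { return end - begin; }
};

// Normalises a possibly backwards, possibly unaligned pair into an ordered,
// word-aligned [begin, end) range (the role of otherThreadStack above).
static StackRange otherThreadStack(const ThreadRegisters& regs) {
    const uintptr_t mask = sizeof(void*) - 1;
    uintptr_t a = reinterpret_cast<uintptr_t>(regs.stackPointer);
    uintptr_t b = reinterpret_cast<uintptr_t>(regs.stackBase);
    uintptr_t begin = std::min(a, b) & ~mask;          // round down to a word
    uintptr_t end = (std::max(a, b) + mask) & ~mask;   // round up to a word
    return { begin, end };
}

// The only constrained routine: while other threads are suspended it may do
// nothing but memcpy. Fails if the stack no longer fits the space reserved.
static bool tryCopyOtherThreadStack(const ThreadRegisters& regs, char* dst,
                                    size_t available, size_t& copied) {
    StackRange range = otherThreadStack(regs);
    if (range.size() > available) return false;
    std::memcpy(dst, reinterpret_cast<const void*>(range.begin), range.size());
    copied = range.size();
    return true;
}

// Pass 1 sizes every stack and grows the buffer; pass 2 copies. A stack that
// grew between the passes no longer fits, so the caller retries.
// betweenPasses is a test hook standing in for the world changing under us.
static bool tryCopyOtherThreadStacks(const std::vector<ThreadRegisters>& threads,
                                     std::vector<char>& buffer, size_t& used,
                                     const std::function<void()>& betweenPasses) {
    size_t total = 0;
    for (const ThreadRegisters& t : threads) total += otherThreadStack(t).size();
    if (buffer.size() < total) buffer.resize(total);   // the growBuffer step
    if (betweenPasses) betweenPasses();
    used = 0;
    for (const ThreadRegisters& t : threads) {
        size_t copied = 0;
        if (!tryCopyOtherThreadStack(t, buffer.data() + used, total - used, copied))
            return false;                               // grew: caller retries
        used += copied;
    }
    return true;
}

struct GatherResult {
    std::vector<uintptr_t> roots; // words of the copies that point into the heap
    size_t bytesCopied = 0;
    unsigned attempts = 0;        // 1 unless some stack grew between passes
};

// Copies until no stack grew, then scans the private copy (not the live
// stacks) for words that fall inside [heapBegin, heapEnd).
static GatherResult gatherConservativeRoots(const std::vector<ThreadRegisters>& threads,
                                            uintptr_t heapBegin, uintptr_t heapEnd,
                                            const std::function<void()>& betweenPasses = {}) {
    GatherResult result;
    std::vector<char> buffer;
    do {
        ++result.attempts;
    } while (!tryCopyOtherThreadStacks(threads, buffer, result.bytesCopied, betweenPasses));
    for (size_t off = 0; off + sizeof(uintptr_t) <= result.bytesCopied; off += sizeof(uintptr_t)) {
        uintptr_t word;
        std::memcpy(&word, buffer.data() + off, sizeof word);   // copy is word-aligned
        if (word >= heapBegin && word < heapEnd) result.roots.push_back(word);
    }
    return result;
}
```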
1230 2015-01-28  Brian J. Burg  <burg@cs.washington.edu>
1231
1232         Web Inspector: remove CSS.setPropertyText, CSS.toggleProperty and related dead code
1233         https://bugs.webkit.org/show_bug.cgi?id=140961
1234
1235         Reviewed by Timothy Hatcher.
1236
1237         * inspector/protocol/CSS.json: Remove unused protocol methods.
1238
1239 2015-01-28  Dana Burkart  <dburkart@apple.com>
1240
1241         Move ASan flag settings from DebugRelease.xcconfig to Base.xcconfig
1242         https://bugs.webkit.org/show_bug.cgi?id=136765
1243
1244         Reviewed by Alexey Proskuryakov.
1245
1246         * Configurations/Base.xcconfig:
1247         * Configurations/DebugRelease.xcconfig:
1248
1249 2015-01-27  Filip Pizlo  <fpizlo@apple.com>
1250
1251         ExitSiteData saying m_takesSlowPath shouldn't mean early returning takesSlowPath() since for the non-LLInt case we later set m_couldTakeSlowPath, which is more precise
1252         https://bugs.webkit.org/show_bug.cgi?id=140980
1253
1254         Reviewed by Oliver Hunt.
1255
1256         * bytecode/CallLinkStatus.cpp:
1257         (JSC::CallLinkStatus::computeFor):
1258
1259 2015-01-27  Filip Pizlo  <fpizlo@apple.com>
1260
1261         Move DFGBinarySwitch out of the DFG so that all of the JITs can use it
1262         https://bugs.webkit.org/show_bug.cgi?id=140959
1263
1264         Rubber stamped by Geoffrey Garen.
1265         
1266         I want to use this for polymorphic stubs for https://bugs.webkit.org/show_bug.cgi?id=140660.
1267         This code no longer has DFG dependencies so this is a very clean move.
1268
1269         * CMakeLists.txt:
1270         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1271         * JavaScriptCore.xcodeproj/project.pbxproj:
1272         * dfg/DFGBinarySwitch.cpp: Removed.
1273         * dfg/DFGBinarySwitch.h: Removed.
1274         * dfg/DFGSpeculativeJIT.cpp:
1275         * jit/BinarySwitch.cpp: Copied from Source/JavaScriptCore/dfg/DFGBinarySwitch.cpp.
1276         * jit/BinarySwitch.h: Copied from Source/JavaScriptCore/dfg/DFGBinarySwitch.h.
1277
1278 2015-01-27  Commit Queue  <commit-queue@webkit.org>
1279
1280         Unreviewed, rolling out r179192.
1281         https://bugs.webkit.org/show_bug.cgi?id=140953
1282
1283         Caused numerous layout test failures (Requested by mattbaker_
1284         on #webkit).
1285
1286         Reverted changeset:
1287
1288         "Use FastMalloc (bmalloc) instead of BlockAllocator for GC
1289         pages"
1290         https://bugs.webkit.org/show_bug.cgi?id=140900
1291         http://trac.webkit.org/changeset/179192
1292
1293 2015-01-27  Michael Saboff  <msaboff@apple.com>
1294
1295         REGRESSION(r178591): 20% regression in Octane box2d
1296         https://bugs.webkit.org/show_bug.cgi?id=140948
1297
1298         Reviewed by Geoffrey Garen.
1299
1300         Added a check that we have a lexical environment to the "arguments is captured" check.
1301         It doesn't make sense to resolve "arguments" when it really isn't captured.
1302
1303         * bytecompiler/BytecodeGenerator.cpp:
1304         (JSC::BytecodeGenerator::willResolveToArgumentsRegister):
1305
1306 2015-01-26  Geoffrey Garen  <ggaren@apple.com>
1307
1308         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
1309         https://bugs.webkit.org/show_bug.cgi?id=140900
1310
1311         Reviewed by Mark Hahnenberg.
1312
1313         Removes some more custom allocation code.
1314
1315         Looks like a speedup. (See results attached to bugzilla.)
1316
1317         Will hopefully reduce memory use by improving sharing between the GC and
1318         malloc heaps.
1319
1320         * API/JSBase.cpp:
1321         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1322         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1323         * JavaScriptCore.xcodeproj/project.pbxproj: Feed the compiler.
1324
1325         * heap/BlockAllocator.cpp: Removed.
1326         * heap/BlockAllocator.h: Removed. No need for a custom allocator anymore.
1327
1328         * heap/CodeBlockSet.cpp:
1329         (JSC::CodeBlockSet::CodeBlockSet):
1330         * heap/CodeBlockSet.h: Feed the compiler.
1331
1332         * heap/CopiedBlock.h:
1333         (JSC::CopiedBlock::createNoZeroFill):
1334         (JSC::CopiedBlock::create):
1335         (JSC::CopiedBlock::CopiedBlock):
1336         (JSC::CopiedBlock::isOversize):
1337         (JSC::CopiedBlock::payloadEnd):
1338         (JSC::CopiedBlock::capacity):
1339         * heap/CopiedBlockInlines.h:
1340         (JSC::CopiedBlock::reportLiveBytes): Each copied block now tracks its
1341         own size, since we can't rely on Region to tell us our size anymore.
1342
1343         * heap/CopiedSpace.cpp:
1344         (JSC::CopiedSpace::~CopiedSpace):
1345         (JSC::CopiedSpace::tryAllocateOversize):
1346         (JSC::CopiedSpace::tryReallocateOversize):
1347         * heap/CopiedSpaceInlines.h:
1348         (JSC::CopiedSpace::recycleEvacuatedBlock):
1349         (JSC::CopiedSpace::recycleBorrowedBlock):
1350         (JSC::CopiedSpace::allocateBlockForCopyingPhase):
1351         (JSC::CopiedSpace::allocateBlock):
1352         (JSC::CopiedSpace::startedCopying): Deallocate blocks directly, rather
1353         than pushing them onto the block allocator's free list; the block
1354         allocator doesn't exist anymore.
1355
1356         * heap/CopyWorkList.h:
1357         (JSC::CopyWorkListSegment::create):
1358         (JSC::CopyWorkListSegment::CopyWorkListSegment):
1359         (JSC::CopyWorkList::~CopyWorkList):
1360         (JSC::CopyWorkList::append):
1361         (JSC::CopyWorkList::CopyWorkList): Deleted.
1362         * heap/GCSegmentedArray.h:
1363         (JSC::GCArraySegment::GCArraySegment):
1364         * heap/GCSegmentedArrayInlines.h:
1365         (JSC::GCSegmentedArray<T>::GCSegmentedArray):
1366         (JSC::GCSegmentedArray<T>::~GCSegmentedArray):
1367         (JSC::GCSegmentedArray<T>::clear):
1368         (JSC::GCSegmentedArray<T>::expand):
1369         (JSC::GCSegmentedArray<T>::refill):
1370         (JSC::GCArraySegment<T>::create):
1371         * heap/GCThreadSharedData.cpp:
1372         (JSC::GCThreadSharedData::GCThreadSharedData):
1373         * heap/GCThreadSharedData.h: Feed the compiler.
1374
1375         * heap/HandleBlock.h:
1376         * heap/HandleBlockInlines.h:
1377         (JSC::HandleBlock::create):
1378         (JSC::HandleBlock::HandleBlock):
1379         (JSC::HandleBlock::payloadEnd):
1380         * heap/HandleSet.cpp:
1381         (JSC::HandleSet::~HandleSet):
1382         (JSC::HandleSet::grow): Same as above.
1383
1384         * heap/Heap.cpp:
1385         (JSC::Heap::Heap):
1386         * heap/Heap.h: Removed the block allocator since it is unused now.
1387
1388         * heap/HeapBlock.h:
1389         (JSC::HeapBlock::destroy):
1390         (JSC::HeapBlock::HeapBlock):
1391         (JSC::HeapBlock::region): Deleted. Removed the Region pointer from each
1392         HeapBlock since a HeapBlock is just a normal allocation now.
1393
1394         * heap/HeapInlines.h:
1395         (JSC::Heap::blockAllocator): Deleted.
1396
1397         * heap/HeapTimer.cpp:
1398         * heap/MarkStack.cpp:
1399         (JSC::MarkStackArray::MarkStackArray):
1400         * heap/MarkStack.h: Feed the compiler.
1401
1402         * heap/MarkedAllocator.cpp:
1403         (JSC::MarkedAllocator::allocateBlock): No need to use a custom code path
1404         based on size, since we use a general purpose allocator now.
1405
1406         * heap/MarkedBlock.cpp:
1407         (JSC::MarkedBlock::create):
1408         (JSC::MarkedBlock::destroy):
1409         (JSC::MarkedBlock::MarkedBlock):
1410         * heap/MarkedBlock.h:
1411         (JSC::MarkedBlock::capacity): Track block size explicitly, like CopiedBlock.
1412
1413         * heap/MarkedSpace.cpp:
1414         (JSC::MarkedSpace::freeBlock):
1415         * heap/MarkedSpace.h:
1416
1417         * heap/Region.h: Removed.
1418
1419         * heap/SlotVisitor.cpp:
1420         (JSC::SlotVisitor::SlotVisitor): Removed reference to block allocator.
1421
1422         * heap/SuperRegion.cpp: Removed.
1423         * heap/SuperRegion.h: Removed.
1424
1425         * heap/WeakBlock.cpp:
1426         (JSC::WeakBlock::create):
1427         (JSC::WeakBlock::WeakBlock):
1428         * heap/WeakBlock.h:
1429         * heap/WeakSet.cpp:
1430         (JSC::WeakSet::~WeakSet):
1431         (JSC::WeakSet::addAllocator):
1432         (JSC::WeakSet::removeAllocator): Removed reference to block allocator.
1433
1434 2015-01-27  Csaba Osztrogonác  <ossy@webkit.org>
1435
1436         [ARM] Typo fix after r176083
1437         https://bugs.webkit.org/show_bug.cgi?id=140937
1438
1439         Reviewed by Anders Carlsson.
1440
1441         * assembler/ARMv7Assembler.h:
1442         (JSC::ARMv7Assembler::ldrh):
1443
1444 2015-01-27  Csaba Osztrogonác  <ossy@webkit.org>
1445
1446         [Win] Unreviewed gardening, skip failing tests.
1447
1448         * tests/exceptionFuzz.yaml: Skip exception fuzz tests due to bug140928.
1449         * tests/mozilla/mozilla-tests.yaml: Skip ecma/Date/15.9.5.28-1.js due to bug140927.
1450
1451 2015-01-26  Csaba Osztrogonác  <ossy@webkit.org>
1452
1453         [Win] Enable JSC stress tests by default
1454         https://bugs.webkit.org/show_bug.cgi?id=128307
1455
1456         Unreviewed typo fix after r179165.
1457
1458         * tests/mozilla/mozilla-tests.yaml:
1459
1460 2015-01-26  Csaba Osztrogonác  <ossy@webkit.org>
1461
1462         [Win] Enable JSC stress tests by default
1463         https://bugs.webkit.org/show_bug.cgi?id=128307
1464
1465         Reviewed by Brent Fulgham.
1466
1467         * tests/mozilla/mozilla-tests.yaml: Skipped on Windows.
1468         * tests/stress/ftl-arithcos.js: Skipped on Windows.
1469
1470 2015-01-26  Ryosuke Niwa  <rniwa@webkit.org>
1471
1472         Parse a function expression as a primary expression
1473         https://bugs.webkit.org/show_bug.cgi?id=140908
1474
1475         Reviewed by Mark Lam.
1476
1477         Moved the code to generate an AST node for a function expression from parseMemberExpression
1478         to parsePrimaryExpression to match the ES6 specification terminology:
1479         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-primary-expression
1480
1481         There should be no behavior change from this change since parsePrimaryExpression is only
1482         called in parseMemberExpression other than the fact that failIfStackOverflow() is called.
1483
1484         * parser/Parser.cpp:
1485         (JSC::Parser<LexerType>::parsePrimaryExpression):
1486         (JSC::Parser<LexerType>::parseMemberExpression):
1487
1488 2015-01-26  Myles C. Maxfield  <mmaxfield@apple.com>
1489
1490         [iOS] [SVG -> OTF Converter] Flip the switch off on iOS
1491         https://bugs.webkit.org/show_bug.cgi?id=140860
1492
1493         Reviewed by Darin Adler.
1494
1495         The fonts it makes are grotesque. (See what I did there? Typographic
1496         humor is the best humor.)
1497
1498         * Configurations/FeatureDefines.xcconfig:
1499
1500 2015-01-23  Joseph Pecoraro  <pecoraro@apple.com>
1501
1502         Web Inspector: Rename InjectedScriptHost::type to subtype
1503         https://bugs.webkit.org/show_bug.cgi?id=140841
1504
1505         Reviewed by Timothy Hatcher.
1506
1507         We were using this to set the subtype of an "object" type RemoteObject
1508         so we should clean up the name and call it subtype.
1509
1510         * inspector/InjectedScriptHost.h:
1511         * inspector/InjectedScriptSource.js:
1512         * inspector/JSInjectedScriptHost.cpp:
1513         (Inspector::JSInjectedScriptHost::subtype):
1514         (Inspector::JSInjectedScriptHost::type): Deleted.
1515         * inspector/JSInjectedScriptHost.h:
1516         * inspector/JSInjectedScriptHostPrototype.cpp:
1517         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
1518         (Inspector::jsInjectedScriptHostPrototypeFunctionSubtype):
1519         (Inspector::jsInjectedScriptHostPrototypeFunctionType): Deleted.
1520
1521 2015-01-23  Michael Saboff  <msaboff@apple.com>
1522
1523         LayoutTests/js/script-tests/reentrant-caching.js crashing on 32 bit builds
1524         https://bugs.webkit.org/show_bug.cgi?id=140843
1525
1526         Reviewed by Oliver Hunt.
1527
1528         When we are in vmEntryToJavaScript, we keep the stack pointer at an
1529         alignment suitable for pointing to a call frame header, which is the
1530         alignment post making a call.  We adjust the sp when calling to JS code,
1531         but don't adjust it before calling the out of stack handler.
1532
1533         * llint/LowLevelInterpreter32_64.asm:
1534         Moved stack pointer down 8 bytes to get it aligned.
1535
1536 2015-01-23  Joseph Pecoraro  <pecoraro@apple.com>
1537
1538         Web Inspector: Object Previews in the Console
1539         https://bugs.webkit.org/show_bug.cgi?id=129204
1540
1541         Reviewed by Timothy Hatcher.
1542
1543         Update the very old, unused object preview code. Part of this comes from
1544         the earlier WebKit legacy implementation, and the Blink implementation.
1545
1546         A RemoteObject may include a preview, if it is asked for, and if the
1547         RemoteObject is an object. Previews are a shallow (single level) list
1548         of a limited number of properties on the object. The previewed
1549         properties are always stringified (even if primitives). Previews are
1550         limited to just 5 properties or 100 indices. Previews are marked
1551         as lossless if they are a complete snapshot of the object.
1552
1553         There is a path to make previews two levels deep, that is currently
1554         unused but should soon be used for tables (e.g. IndexedDB).
1555
1556         * inspector/InjectedScriptSource.js:
1557         - Move some code off of InjectedScript to be generic functions
1558         usable by RemoteObject as well.
1559         - Update preview generation to use 
1560
1561         * inspector/protocol/Runtime.json:
1562         - Add a new type, "accessor" for preview objects. This represents
1563         a getter / setter. We currently don't get the value.
1564
1565 2015-01-23  Michael Saboff  <msaboff@apple.com>
1566
1567         Immediate crash when setting JS breakpoint
1568         https://bugs.webkit.org/show_bug.cgi?id=140811
1569
1570         Reviewed by Mark Lam.
1571
1572         When the DFG stack layout phase doesn't allocate a register for the scope register,
1573         it incorrectly sets the scope register in the code block to a bad value, one with
1574         an offset of 0.  Changed it so that we set the code block's scope register to the 
1575         invalid VirtualRegister instead.
1576
1577         No tests needed as adding the ASSERT in setScopeRegister() was used to find the bug.
1578         We crash with that ASSERT in testapi and likely many other tests as well.
1579
1580         * bytecode/CodeBlock.cpp:
1581         (JSC::CodeBlock::CodeBlock):
1582         * bytecode/CodeBlock.h:
1583         (JSC::CodeBlock::setScopeRegister):
1584         (JSC::CodeBlock::scopeRegister):
1585         Added ASSERTs to catch any future improper setting of the code block's scope register.
1586
1587         * dfg/DFGStackLayoutPhase.cpp:
1588         (JSC::DFG::StackLayoutPhase::run):
1589
1590 2015-01-22  Mark Hahnenberg  <mhahnenb@gmail.com>
1591
1592         EdenCollections unnecessarily visit SmallStrings
1593         https://bugs.webkit.org/show_bug.cgi?id=140762
1594
1595         Reviewed by Geoffrey Garen.
1596
1597         * heap/Heap.cpp:
1598         (JSC::Heap::copyBackingStores): Also added a GCPhase for copying
1599         backing stores, which is a significant portion of garbage collection.
1600         (JSC::Heap::visitSmallStrings): Check to see if we need to visit
1601         SmallStrings based on the collection type.
1602         * runtime/SmallStrings.cpp:
1603         (JSC::SmallStrings::SmallStrings):
1604         (JSC::SmallStrings::visitStrongReferences): Set the fact that we have
1605         visited the SmallStrings since the last modification.
1606         * runtime/SmallStrings.h:
1607         (JSC::SmallStrings::needsToBeVisited): If we're doing a
1608         FullCollection, we need to visit. Otherwise, it depends on whether
1609         we've been visited since the last modification/allocation.
1610
1611 2015-01-22  Ryosuke Niwa  <rniwa@webkit.org>
1612
1613         Add a build flag for ES6 class syntax
1614         https://bugs.webkit.org/show_bug.cgi?id=140760
1615
1616         Reviewed by Michael Saboff.
1617
1618         Added ES6_CLASS_SYNTAX build flag and used it in tokenizer to recognize
1619         "class", "extends", "static" and "super" keywords.
1620
1621         * Configurations/FeatureDefines.xcconfig:
1622         * parser/Keywords.table:
1623         * parser/ParserTokens.h:
1624
1625 2015-01-22  Commit Queue  <commit-queue@webkit.org>
1626
1627         Unreviewed, rolling out r178894.
1628         https://bugs.webkit.org/show_bug.cgi?id=140775
1629
1630         Broke JSC and bindings tests (Requested by ap_ on #webkit).
1631
1632         Reverted changeset:
1633
1634         "put_by_val_direct need to check the property is index or not
1635         for using putDirect / putDirectIndex"
1636         https://bugs.webkit.org/show_bug.cgi?id=140426
1637         http://trac.webkit.org/changeset/178894
1638
1639 2015-01-22  Mark Lam  <mark.lam@apple.com>
1640
1641         BytecodeGenerator::initializeCapturedVariable() sets a misleading value for the 5th operand of op_put_to_scope.
1642         <https://webkit.org/b/140743>
1643
1644         Reviewed by Oliver Hunt.
1645
1646         BytecodeGenerator::initializeCapturedVariable() was setting the 5th operand to
1647         op_put_to_scope to an inappropriate value (i.e. 0).  As a result, the execution
1648         of put_to_scope could store a wrong inferred value into the VariableWatchpointSet
1649         for whichever captured variable is at local index 0.  In practice, this turns
1650         out to be the local for the Arguments object.  In this reproduction case in the
1651         bug, the wrong inferred value written there is the boolean true.
1652
1653         Subsequently, DFG compilation occurs and CreateArguments is emitted to first do
1654         a check of the local for the Arguments object.  But because that local has a
1655         wrong inferred value, the check always discovers a non-null value and we never
1656         actually create the Arguments object.  Immediately after this, an OSR exit
1657         occurs leaving the Arguments object local uninitialized.  Later on at arguments
1658         tear off, we run into a boolean true where we had expected to find an Arguments
1659         object, which in turn, leads to the crash.
1660
1661         The fix is to:
1662         1. In the case where the resolveModeType is LocalClosureVar, change the
1663            5th operand of op_put_to_scope to be a boolean.  True means that the
1664            local var is watchable.  False means it is not watchable.  We no longer
1665            pass the local index (instead of true) and UINT_MAX (instead of false).
1666
1667            This allows us to express more clearly in the code what that value means,
1668            as well as remove the redundant way of getting the local's identifier.
1669            The identifier is always the one passed in the 2nd operand. 
1670
1671         2. Previously, though intuitively, we know that the watchable variable
1672            identifier should be the same as the one that is passed in operand 2, this
1673            relationship was not clear in the code.  By code analysis, I confirmed that 
1674            the callers of BytecodeGenerator::emitPutToScope() always use the same
1675            identifier for operand 2 and for filling out the ResolveScopeInfo from
1676            which we get the watchable variable identifier later.  I've changed the
1677            code to make this clear now by always using the identifier passed in
1678            operand 2.
1679
1680         3. In the case where the resolveModeType is LocalClosureVar,
1681            initializeCapturedVariable() and emitPutToScope() will now query
1682            hasWatchableVariable() to determine if the local is watchable or not.
1683            Accordingly, we pass the boolean result of hasWatchableVariable() as
1684            operand 5 of op_put_to_scope.
1685
1686         Also added some assertions.
1687
1688         * bytecode/CodeBlock.cpp:
1689         (JSC::CodeBlock::CodeBlock):
1690         * bytecompiler/BytecodeGenerator.cpp:
1691         (JSC::BytecodeGenerator::initializeCapturedVariable):
1692         (JSC::BytecodeGenerator::hasConstant):
1693         (JSC::BytecodeGenerator::emitPutToScope):
1694         * bytecompiler/BytecodeGenerator.h:
1695         (JSC::BytecodeGenerator::hasWatchableVariable):
1696         (JSC::BytecodeGenerator::watchableVariableIdentifier):
1697         (JSC::BytecodeGenerator::watchableVariable): Deleted.
1698
1699 2015-01-22  Ryosuke Niwa  <rniwa@webkit.org>
1700
1701         PropertyListNode::emitNode duplicates the code to put a constant property
1702         https://bugs.webkit.org/show_bug.cgi?id=140761
1703
1704         Reviewed by Geoffrey Garen.
1705
1706         Extracted PropertyListNode::emitPutConstantProperty to share the code.
1707
1708         Also made PropertyListNode::emitBytecode private since nobody is calling this function directly.
1709
1710         * bytecompiler/NodesCodegen.cpp:
1711         (JSC::PropertyListNode::emitBytecode):
1712         (JSC::PropertyListNode::emitPutConstantProperty): Added.
1713         * parser/Nodes.h:
1714
1715 2015-01-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1716
1717         put_by_val_direct need to check the property is index or not for using putDirect / putDirectIndex
1718         https://bugs.webkit.org/show_bug.cgi?id=140426
1719
1720         Reviewed by Geoffrey Garen.
1721
1722         In the put_by_val_direct operation, we use JSObject::putDirect.
1723         However, it only accepts non-index properties. For index properties, we need to use JSObject::putDirectIndex.
1724         This patch changes Identifier::asIndex() to return Optional<uint32_t>.
1725         It forces callers to check explicitly whether the value is an index or not.
1726         Additionally, it checks whether the toString-ed Identifier is an index or not to choose putDirect / putDirectIndex.
1727
1728         * bytecode/GetByIdStatus.cpp:
1729         (JSC::GetByIdStatus::computeFor):
1730         * bytecode/PutByIdStatus.cpp:
1731         (JSC::PutByIdStatus::computeFor):
1732         * bytecompiler/BytecodeGenerator.cpp:
1733         (JSC::BytecodeGenerator::emitDirectPutById):
1734         * dfg/DFGOperations.cpp:
1735         (JSC::DFG::operationPutByValInternal):
1736         * jit/JITOperations.cpp:
1737         * jit/Repatch.cpp:
1738         (JSC::emitPutTransitionStubAndGetOldStructure):
1739         * jsc.cpp:
1740         * llint/LLIntSlowPaths.cpp:
1741         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1742         * runtime/Arguments.cpp:
1743         (JSC::Arguments::getOwnPropertySlot):
1744         (JSC::Arguments::put):
1745         (JSC::Arguments::deleteProperty):
1746         (JSC::Arguments::defineOwnProperty):
1747         * runtime/ArrayPrototype.cpp:
1748         (JSC::arrayProtoFuncSort):
1749         * runtime/JSArray.cpp:
1750         (JSC::JSArray::defineOwnProperty):
1751         * runtime/JSCJSValue.cpp:
1752         (JSC::JSValue::putToPrimitive):
1753         * runtime/JSGenericTypedArrayViewInlines.h:
1754         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
1755         (JSC::JSGenericTypedArrayView<Adaptor>::put):
1756         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
1757         (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
1758         * runtime/JSObject.cpp:
1759         (JSC::JSObject::put):
1760         (JSC::JSObject::putDirectAccessor):
1761         (JSC::JSObject::putDirectCustomAccessor):
1762         (JSC::JSObject::deleteProperty):
1763         (JSC::JSObject::putDirectMayBeIndex):
1764         (JSC::JSObject::defineOwnProperty):
1765         * runtime/JSObject.h:
1766         (JSC::JSObject::getOwnPropertySlot):
1767         (JSC::JSObject::getPropertySlot):
1768         (JSC::JSObject::putDirectInternal):
1769         * runtime/JSString.cpp:
1770         (JSC::JSString::getStringPropertyDescriptor):
1771         * runtime/JSString.h:
1772         (JSC::JSString::getStringPropertySlot):
1773         * runtime/LiteralParser.cpp:
1774         (JSC::LiteralParser<CharType>::parse):
1775         * runtime/PropertyName.h:
1776         (JSC::toUInt32FromCharacters):
1777         (JSC::toUInt32FromStringImpl):
1778         (JSC::PropertyName::asIndex):
1779         * runtime/PropertyNameArray.cpp:
1780         (JSC::PropertyNameArray::add):
1781         * runtime/StringObject.cpp:
1782         (JSC::StringObject::deleteProperty):
1783         * runtime/Structure.cpp:
1784         (JSC::Structure::prototypeChainMayInterceptStoreTo):
1785
1786 2015-01-21  Ryosuke Niwa  <rniwa@webkit.org>
1787
1788         Consolidate out arguments of parseFunctionInfo into a struct
1789         https://bugs.webkit.org/show_bug.cgi?id=140754
1790
1791         Reviewed by Oliver Hunt.
1792
1793         Introduced ParserFunctionInfo for storing out arguments of parseFunctionInfo.
1794
1795         * JavaScriptCore.xcodeproj/project.pbxproj:
1796         * parser/ASTBuilder.h:
1797         (JSC::ASTBuilder::createFunctionExpr):
1798         (JSC::ASTBuilder::createGetterOrSetterProperty): This one takes a property name in addition to
1799         ParserFunctionInfo since the property name and the function name could differ.
1800         (JSC::ASTBuilder::createFuncDeclStatement):
1801         * parser/Parser.cpp:
1802         (JSC::Parser<LexerType>::parseFunctionInfo):
1803         (JSC::Parser<LexerType>::parseFunctionDeclaration):
1804         (JSC::Parser<LexerType>::parseProperty):
1805         (JSC::Parser<LexerType>::parseMemberExpression):
1806         * parser/Parser.h:
1807         * parser/ParserFunctionInfo.h: Added.
1808         * parser/SyntaxChecker.h:
1809         (JSC::SyntaxChecker::createFunctionExpr):
1810         (JSC::SyntaxChecker::createFuncDeclStatement):
1811         (JSC::SyntaxChecker::createClassDeclStatement):
1812         (JSC::SyntaxChecker::createGetterOrSetterProperty):
1813
1814 2015-01-21  Mark Hahnenberg  <mhahnenb@gmail.com>
1815
1816         Change Heap::m_compiledCode to use a Vector
1817         https://bugs.webkit.org/show_bug.cgi?id=140717
1818
1819         Reviewed by Andreas Kling.
1820
1821         Right now it's a DoublyLinkedList, which is iterated during each
1822         collection. This contributes to some of the longish Eden pause times.
1823         A Vector would be more appropriate and would also allow ExecutableBase
1824         to be 2 pointers smaller.
1825
1826         * heap/Heap.cpp:
1827         (JSC::Heap::deleteAllCompiledCode):
1828         (JSC::Heap::deleteAllUnlinkedFunctionCode):
1829         (JSC::Heap::clearUnmarkedExecutables):
1830         * heap/Heap.h:
1831         * runtime/Executable.h: No longer need to inherit from DoublyLinkedListNode.
1832
1833 2015-01-21  Ryosuke Niwa  <rniwa@webkit.org>
1834
1835         BytecodeGenerator shouldn't expose all of its member variables
1836         https://bugs.webkit.org/show_bug.cgi?id=140752
1837
1838         Reviewed by Mark Lam.
1839
1840         Added "private:" and removed unused data members as detected by clang.
1841
1842         * bytecompiler/BytecodeGenerator.cpp:
1843         (JSC::BytecodeGenerator::BytecodeGenerator):
1844         * bytecompiler/BytecodeGenerator.h:
1845         (JSC::BytecodeGenerator::lastOpcodeID): Added. Used in BinaryOpNode::emitBytecode.
1846         * bytecompiler/NodesCodegen.cpp:
1847         (JSC::BinaryOpNode::emitBytecode):
1848
1849 2015-01-21  Joseph Pecoraro  <pecoraro@apple.com>
1850
1851         Web Inspector: ASSERT expanding objects in console PrimitiveBindingTraits<T>::assertValueHasExpectedType
1852         https://bugs.webkit.org/show_bug.cgi?id=140746
1853
1854         Reviewed by Timothy Hatcher.
1855
1856         * inspector/InjectedScriptSource.js:
1857         Do not add impure properties to the descriptor object that will
1858         eventually be sent to the frontend.
1859
1860 2015-01-21  Matthew Mirman  <mmirman@apple.com>
1861
1862         Updated split such that it does not include the empty end of input string match.
1863         https://bugs.webkit.org/show_bug.cgi?id=138129
1864         <rdar://problem/18807403>
1865
1866         Reviewed by Filip Pizlo.
1867
1868         * runtime/StringPrototype.cpp:
1869         (JSC::stringProtoFuncSplit):
1870         * tests/stress/empty_eos_regex_split.js: Added.
1871
1872 2015-01-21  Michael Saboff  <msaboff@apple.com>
1873
1874         Eliminate Scope slot from JavaScript CallFrame
1875         https://bugs.webkit.org/show_bug.cgi?id=136724
1876
1877         Reviewed by Geoffrey Garen.
1878
1879         This finishes the removal of the scope chain slot from the call frame header.
1880
1881         * dfg/DFGOSRExitCompilerCommon.cpp:
1882         (JSC::DFG::reifyInlinedCallFrames):
1883         * dfg/DFGPreciseLocalClobberize.h:
1884         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1885         * dfg/DFGSpeculativeJIT32_64.cpp:
1886         (JSC::DFG::SpeculativeJIT::emitCall):
1887         * dfg/DFGSpeculativeJIT64.cpp:
1888         (JSC::DFG::SpeculativeJIT::emitCall):
1889         * ftl/FTLJSCall.cpp:
1890         (JSC::FTL::JSCall::emit):
1891         * ftl/FTLLowerDFGToLLVM.cpp:
1892         (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
1893         (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
1894         * interpreter/JSStack.h:
1895         * interpreter/VMInspector.cpp:
1896         (JSC::VMInspector::dumpFrame):
1897         * jit/JITCall.cpp:
1898         (JSC::JIT::compileOpCall):
1899         * jit/JITCall32_64.cpp:
1900         (JSC::JIT::compileOpCall):
1901         * jit/JITOpcodes32_64.cpp:
1902         (JSC::JIT::privateCompileCTINativeCall):
1903         * jit/Repatch.cpp:
1904         (JSC::generateByIdStub):
1905         (JSC::linkClosureCall):
1906         * jit/ThunkGenerators.cpp:
1907         (JSC::virtualForThunkGenerator):
1908         (JSC::nativeForGenerator):
1909         Deleted ScopeChain slot from JSStack.  Removed all code where ScopeChain was being
1910         read or set.  In most cases this was where we make JS calls.
1911
1912         * interpreter/CallFrameClosure.h:
1913         (JSC::CallFrameClosure::setArgument):
1914         (JSC::CallFrameClosure::resetCallFrame): Deleted.
1915         * interpreter/Interpreter.cpp:
1916         (JSC::Interpreter::execute):
1917         (JSC::Interpreter::executeCall):
1918         (JSC::Interpreter::executeConstruct):
1919         (JSC::Interpreter::prepareForRepeatCall):
1920         * interpreter/ProtoCallFrame.cpp:
1921         (JSC::ProtoCallFrame::init):
1922         * interpreter/ProtoCallFrame.h:
1923         (JSC::ProtoCallFrame::scope): Deleted.
1924         (JSC::ProtoCallFrame::setScope): Deleted.
1925         * llint/LLIntData.cpp:
1926         (JSC::LLInt::Data::performAssertions):
1927         * llint/LowLevelInterpreter.asm:
1928         * llint/LowLevelInterpreter64.asm:
1929         Removed the related scopeChainValue member from ProtoCallFrame.  Reduced the number of
1930         registers that needed to be copied from the ProtoCallFrame to a callee's frame
1931         from 5 to 4.
1932
1933         * llint/LowLevelInterpreter32_64.asm:
1934         In addition to the prior changes, also deleted the unused macro getDeBruijnScope.
1935
1936 2015-01-21  Michael Saboff  <msaboff@apple.com>
1937
1938         Eliminate construct methods from NullGetterFunction and NullSetterFunction classes
1939         https://bugs.webkit.org/show_bug.cgi?id=140708
1940
1941         Reviewed by Mark Lam.
1942
1943         Eliminated construct methods and changed getConstructData() for both classes to return
1944         ConstructTypeNone as they can never be called.
1945
1946         * runtime/NullGetterFunction.cpp:
1947         (JSC::NullGetterFunction::getConstructData):
1948         (JSC::constructReturnUndefined): Deleted.
1949         * runtime/NullSetterFunction.cpp:
1950         (JSC::NullSetterFunction::getConstructData):
1951         (JSC::constructReturnUndefined): Deleted.
1952
1953 2015-01-21  Csaba Osztrogonác  <ossy@webkit.org>
1954
1955         Remove ENABLE(INSPECTOR) ifdef guards
1956         https://bugs.webkit.org/show_bug.cgi?id=140668
1957
1958         Reviewed by Darin Adler.
1959
1960         * Configurations/FeatureDefines.xcconfig:
1961         * bindings/ScriptValue.cpp:
1962         (Deprecated::ScriptValue::toInspectorValue):
1963         * bindings/ScriptValue.h:
1964         * inspector/ConsoleMessage.cpp:
1965         * inspector/ConsoleMessage.h:
1966         * inspector/ContentSearchUtilities.cpp:
1967         * inspector/ContentSearchUtilities.h:
1968         * inspector/IdentifiersFactory.cpp:
1969         * inspector/IdentifiersFactory.h:
1970         * inspector/InjectedScript.cpp:
1971         * inspector/InjectedScript.h:
1972         * inspector/InjectedScriptBase.cpp:
1973         * inspector/InjectedScriptBase.h:
1974         * inspector/InjectedScriptHost.cpp:
1975         * inspector/InjectedScriptHost.h:
1976         * inspector/InjectedScriptManager.cpp:
1977         * inspector/InjectedScriptManager.h:
1978         * inspector/InjectedScriptModule.cpp:
1979         * inspector/InjectedScriptModule.h:
1980         * inspector/InspectorAgentRegistry.cpp:
1981         * inspector/InspectorBackendDispatcher.cpp:
1982         * inspector/InspectorBackendDispatcher.h:
1983         * inspector/InspectorProtocolTypes.h:
1984         * inspector/JSGlobalObjectConsoleClient.cpp:
1985         * inspector/JSGlobalObjectInspectorController.cpp:
1986         * inspector/JSGlobalObjectInspectorController.h:
1987         * inspector/JSGlobalObjectScriptDebugServer.cpp:
1988         * inspector/JSGlobalObjectScriptDebugServer.h:
1989         * inspector/JSInjectedScriptHost.cpp:
1990         * inspector/JSInjectedScriptHost.h:
1991         * inspector/JSInjectedScriptHostPrototype.cpp:
1992         * inspector/JSInjectedScriptHostPrototype.h:
1993         * inspector/JSJavaScriptCallFrame.cpp:
1994         * inspector/JSJavaScriptCallFrame.h:
1995         * inspector/JSJavaScriptCallFramePrototype.cpp:
1996         * inspector/JSJavaScriptCallFramePrototype.h:
1997         * inspector/JavaScriptCallFrame.cpp:
1998         * inspector/JavaScriptCallFrame.h:
1999         * inspector/ScriptCallFrame.cpp:
2000         (Inspector::ScriptCallFrame::buildInspectorObject):
2001         * inspector/ScriptCallFrame.h:
2002         * inspector/ScriptCallStack.cpp:
2003         (Inspector::ScriptCallStack::buildInspectorArray):
2004         * inspector/ScriptCallStack.h:
2005         * inspector/ScriptDebugServer.cpp:
2006         * inspector/agents/InspectorAgent.cpp:
2007         * inspector/agents/InspectorAgent.h:
2008         * inspector/agents/InspectorConsoleAgent.cpp:
2009         * inspector/agents/InspectorConsoleAgent.h:
2010         * inspector/agents/InspectorDebuggerAgent.cpp:
2011         * inspector/agents/InspectorDebuggerAgent.h:
2012         * inspector/agents/InspectorRuntimeAgent.cpp:
2013         * inspector/agents/InspectorRuntimeAgent.h:
2014         * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
2015         * inspector/agents/JSGlobalObjectConsoleAgent.h:
2016         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
2017         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
2018         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
2019         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
2020         * inspector/scripts/codegen/cpp_generator_templates.py:
2021         (CppGeneratorTemplates):
2022         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2023         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2024         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2025         * inspector/scripts/tests/expected/enum-values.json-result:
2026         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2027         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2028         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
2029         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
2030         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
2031         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2032         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
2033         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2034         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2035         * runtime/TypeSet.cpp:
2036         (JSC::TypeSet::inspectorTypeSet):
2037         (JSC::StructureShape::inspectorRepresentation):
2038
2039 2015-01-20  Joseph Pecoraro  <pecoraro@apple.com>
2040
2041         Web Inspector: Clean up InjectedScriptSource.js
2042         https://bugs.webkit.org/show_bug.cgi?id=140709
2043
2044         Reviewed by Timothy Hatcher.
2045
2046         This patch includes some relevant Blink patches and small changes.
2047         
2048         Patch by <aandrey@chromium.org>
2049         DevTools: Remove console last result $_ on console clear.
2050         https://src.chromium.org/viewvc/blink?revision=179179&view=revision
2051
2052         Patch by <eustas@chromium.org>
2053         [Inspect DOM properties] incorrect CSS Selector Syntax
2054         https://src.chromium.org/viewvc/blink?revision=156903&view=revision
2055
2056         * inspector/InjectedScriptSource.js:
2057
2058 2015-01-20  Joseph Pecoraro  <pecoraro@apple.com>
2059
2060         Web Inspector: Cleanup RuntimeAgent a bit
2061         https://bugs.webkit.org/show_bug.cgi?id=140706
2062
2063         Reviewed by Timothy Hatcher.
2064
2065         * inspector/InjectedScript.h:
2066         * inspector/InspectorBackendDispatcher.h:
2067         * inspector/ScriptCallFrame.cpp:
2068         * inspector/agents/InspectorRuntimeAgent.cpp:
2069         (Inspector::InspectorRuntimeAgent::evaluate):
2070         (Inspector::InspectorRuntimeAgent::getProperties):
2071         (Inspector::InspectorRuntimeAgent::run):
2072         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
2073         (Inspector::recompileAllJSFunctionsForTypeProfiling):
2074         (Inspector::InspectorRuntimeAgent::setTypeProfilerEnabledState):
2075
2076 2015-01-20  Matthew Mirman  <mmirman@apple.com>
2077
2078         Made Identity in the DFG allocate a new temp register and move 
2079         the old data to it.
2080         https://bugs.webkit.org/show_bug.cgi?id=140700
2081         <rdar://problem/19339106>
2082
2083         Reviewed by Filip Pizlo.
2084
2085         * dfg/DFGSpeculativeJIT64.cpp:
2086         (JSC::DFG::SpeculativeJIT::compile): 
2087         Added scratch registers for Identity. 
2088         * tests/mozilla/mozilla-tests.yaml: enabled previously failing test
2089
2090 2015-01-20  Joseph Pecoraro  <pecoraro@apple.com>
2091
2092         Web Inspector: Expanding event objects in console shows undefined for most values, it should have real values
2093         https://bugs.webkit.org/show_bug.cgi?id=137306
2094
2095         Reviewed by Timothy Hatcher.
2096
2097         Provide another optional parameter to getProperties, to gather a list
2098         of all own and getter properties.
2099
2100         * inspector/InjectedScript.cpp:
2101         (Inspector::InjectedScript::getProperties):
2102         * inspector/InjectedScript.h:
2103         * inspector/InjectedScriptSource.js:
2104         * inspector/agents/InspectorRuntimeAgent.cpp:
2105         (Inspector::InspectorRuntimeAgent::getProperties):
2106         * inspector/agents/InspectorRuntimeAgent.h:
2107         * inspector/protocol/Runtime.json:
2108
2109 2015-01-20  Joseph Pecoraro  <pecoraro@apple.com>
2110
2111         Web Inspector: Should show dynamic specificity values
2112         https://bugs.webkit.org/show_bug.cgi?id=140647
2113
2114         Reviewed by Benjamin Poulain.
2115
2116         * inspector/protocol/CSS.json:
2117         Clarify CSSSelector optional values and add "dynamic" property indicating
2118         if the selector can be dynamic based on the element it is matched against.
2119
2120 2015-01-20  Commit Queue  <commit-queue@webkit.org>
2121
2122         Unreviewed, rolling out r178751.
2123         https://bugs.webkit.org/show_bug.cgi?id=140694
2124
2125         Caused 32-bit JSC test failures (Requested by JoePeck on
2126         #webkit).
2127
2128         Reverted changeset:
2129
2130         "put_by_val_direct need to check the property is index or not
2131         for using putDirect / putDirectIndex"
2132         https://bugs.webkit.org/show_bug.cgi?id=140426
2133         http://trac.webkit.org/changeset/178751
2134
2135 2015-01-20  Yusuke Suzuki  <utatane.tea@gmail.com>
2136
2137         put_by_val_direct need to check the property is index or not for using putDirect / putDirectIndex
2138         https://bugs.webkit.org/show_bug.cgi?id=140426
2139
2140         Reviewed by Geoffrey Garen.
2141
2142         In the put_by_val_direct operation, we use JSObject::putDirect.
2143         However, it only accepts non-index properties. For index properties, we need to use JSObject::putDirectIndex.
2144         This patch changes Identifier::asIndex() to return Optional<uint32_t>.
2145         It forces callers to check explicitly whether the value is an index or not.
2146         Additionally, it checks whether the toString-ed Identifier is an index or not to choose putDirect / putDirectIndex.
2147
2148         * bytecode/GetByIdStatus.cpp:
2149         (JSC::GetByIdStatus::computeFor):
2150         * bytecode/PutByIdStatus.cpp:
2151         (JSC::PutByIdStatus::computeFor):
2152         * bytecompiler/BytecodeGenerator.cpp:
2153         (JSC::BytecodeGenerator::emitDirectPutById):
2154         * dfg/DFGOperations.cpp:
2155         (JSC::DFG::operationPutByValInternal):
2156         * jit/JITOperations.cpp:
2157         * jit/Repatch.cpp:
2158         (JSC::emitPutTransitionStubAndGetOldStructure):
2159         * jsc.cpp:
2160         * llint/LLIntSlowPaths.cpp:
2161         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2162         * runtime/Arguments.cpp:
2163         (JSC::Arguments::getOwnPropertySlot):
2164         (JSC::Arguments::put):
2165         (JSC::Arguments::deleteProperty):
2166         (JSC::Arguments::defineOwnProperty):
2167         * runtime/ArrayPrototype.cpp:
2168         (JSC::arrayProtoFuncSort):
2169         * runtime/JSArray.cpp:
2170         (JSC::JSArray::defineOwnProperty):
2171         * runtime/JSCJSValue.cpp:
2172         (JSC::JSValue::putToPrimitive):
2173         * runtime/JSGenericTypedArrayViewInlines.h:
2174         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
2175         (JSC::JSGenericTypedArrayView<Adaptor>::put):
2176         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
2177         (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
2178         * runtime/JSObject.cpp:
2179         (JSC::JSObject::put):
2180         (JSC::JSObject::putDirectAccessor):
2181         (JSC::JSObject::putDirectCustomAccessor):
2182         (JSC::JSObject::deleteProperty):
2183         (JSC::JSObject::putDirectMayBeIndex):
2184         (JSC::JSObject::defineOwnProperty):
2185         * runtime/JSObject.h:
2186         (JSC::JSObject::getOwnPropertySlot):
2187         (JSC::JSObject::getPropertySlot):
2188         (JSC::JSObject::putDirectInternal):
2189         * runtime/JSString.cpp:
2190         (JSC::JSString::getStringPropertyDescriptor):
2191         * runtime/JSString.h:
2192         (JSC::JSString::getStringPropertySlot):
2193         * runtime/LiteralParser.cpp:
2194         (JSC::LiteralParser<CharType>::parse):
2195         * runtime/PropertyName.h:
2196         (JSC::toUInt32FromCharacters):
2197         (JSC::toUInt32FromStringImpl):
2198         (JSC::PropertyName::asIndex):
2199         * runtime/PropertyNameArray.cpp:
2200         (JSC::PropertyNameArray::add):
2201         * runtime/StringObject.cpp:
2202         (JSC::StringObject::deleteProperty):
2203         * runtime/Structure.cpp:
2204         (JSC::Structure::prototypeChainMayInterceptStoreTo):
2205
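As an added example, not JSC's own code, the index-versus-name decision the entry above describes, written as a stand-alone C++ function: asArrayIndex plays the role of the patch's Optional-returning asIndex(), and the names asArrayIndex, choosePutKind and PutKind are assumed here.

```cpp
#include <cstdint>
#include <optional>
#include <string_view>

// Added example, not JSC's PropertyName::asIndex(): decide whether a property
// name is an array index in the ECMAScript sense, i.e. the canonical decimal
// string of an integer in [0, 2^32 - 2]. Returning std::optional forces the
// caller to handle the "not an index" case explicitly instead of silently
// storing an index-like name as a named property.
std::optional<uint32_t> asArrayIndex(std::string_view name)
{
    if (name.empty())
        return std::nullopt;
    // Canonical form only: no sign, no whitespace, no leading zeros.
    // "0" is index 0, but "01" is an ordinary named property.
    if (name.size() > 1 && name[0] == '0')
        return std::nullopt;
    uint64_t value = 0; // wide accumulator so the bound check is exact
    for (char c : name) {
        if (c < '0' || c > '9')
            return std::nullopt;
        value = value * 10 + static_cast<uint64_t>(c - '0');
        // The largest array index is 2^32 - 2 (2^32 - 1 is reserved, since
        // it cannot be a valid "length"); bail early so long digit strings
        // can never wrap the accumulator.
        if (value > 0xFFFFFFFEull)
            return std::nullopt;
    }
    return static_cast<uint32_t>(value);
}

enum class PutKind { Named, Indexed };

// The dispatch the patch introduces: take the putDirectIndex-style path only
// when the name is a genuine index, otherwise the putDirect (named) path.
PutKind choosePutKind(std::string_view name)
{
    return asArrayIndex(name) ? PutKind::Indexed : PutKind::Named;
}
```
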
2206 2015-01-20  Michael Saboff  <msaboff@apple.com>
2207
2208         REGRESSION(178696): Sporadic crashes while garbage collecting
2209         https://bugs.webkit.org/show_bug.cgi?id=140688
2210
2211         Reviewed by Geoffrey Garen.
2212
2213         Added missing visitor.append(&thisObject->m_nullSetterFunction).
2214
2215         * runtime/JSGlobalObject.cpp:
2216         (JSC::JSGlobalObject::visitChildren):
2217
2218 2015-01-19  Brian J. Burg  <burg@cs.washington.edu>
2219
2220         Web Replay: code generator should take supplemental specifications and allow cross-framework references
2221         https://bugs.webkit.org/show_bug.cgi?id=136312
2222
2223         Reviewed by Joseph Pecoraro.
2224
2225         Some types are shared between replay inputs from different frameworks.
2226         Previously, these type declarations were duplicated in every input
2227         specification file in which they were used. This caused some type encoding
2228         traits to be emitted twice if used from WebCore inputs and WebKit2 inputs.
2229
2230         This patch teaches the replay inputs code generator to accept multiple
2231         input specification files. Inputs can freely reference types from other
2232         frameworks without duplicating declarations.
2233
2234         On the code generation side, the model could contain types and inputs from
2235         frameworks that are not the target framework. Only generate code for the
2236         target framework.
2237
2238         To properly generate cross-framework type encoding traits, use
2239         Type.encoding_type_argument in more places, and add the export macro for WebCore
2240         and the Test framework.
2241
2242         Adjust some tests so that enum coverage is preserved by moving the enum types
2243         into "Test" (the target framework for tests).
2244
2245         * JavaScriptCore.vcxproj/copy-files.cmd:
2246         For Windows, copy over JSInputs.json as if it were a private header.
2247
2248         * JavaScriptCore.xcodeproj/project.pbxproj: Make JSInputs.json a private header.
2249         * replay/JSInputs.json:
2250         Put all primitive types and WTF types in this specification file.
2251
2252         * replay/scripts/CodeGeneratorReplayInputs.py:
2253         (Input.__init__):
2254         (InputsModel.__init__): Keep track of the input's framework.
2255         (InputsModel.parse_specification): Parse the framework here. Adjust to new format,
2256         and allow either types or inputs to be missing from a single file.
2257
2258         (InputsModel.parse_type_with_framework):
2259         (InputsModel.parse_input_with_framework):
2260         (Generator.should_generate_item): Added helper method.
2261         (Generator.generate_header): Filter inputs to generate.
2262         (Generator.generate_implementation): Filter inputs to generate.
2263         (Generator.generate_enum_trait_declaration): Filter enums to generate.
2264         Add WEBCORE_EXPORT macro to enum encoding traits.
2265
2266         (Generator.generate_for_each_macro): Filter inputs to generate.
2267         (Generator.generate_enum_trait_implementation): Filter enums to generate.
2268         (generate_from_specifications): Added.
2269         (generate_from_specifications.parse_json_from_file):
2270         (InputsModel.parse_toplevel): Deleted.
2271         (InputsModel.parse_type_with_framework_name): Deleted.
2272         (InputsModel.parse_input): Deleted.
2273         (generate_from_specification): Deleted.
2274         * replay/scripts/CodeGeneratorReplayInputsTemplates.py:
2275         * replay/scripts/tests/expected/fail-on-no-inputs.json-error: Removed.
2276         * replay/scripts/tests/expected/fail-on-no-types.json-error: Removed.
2277         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp:
2278         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h:
2279         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp:
2280         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h:
2281         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp:
2282         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h:
2283         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp:
2284         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h:
2285         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h:
2286         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h:
2287         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h:
2288         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h:
2289         * replay/scripts/tests/fail-on-c-style-enum-no-storage.json:
2290         * replay/scripts/tests/fail-on-duplicate-enum-type.json:
2291         * replay/scripts/tests/fail-on-duplicate-input-names.json:
2292         * replay/scripts/tests/fail-on-duplicate-type-names.json:
2293         * replay/scripts/tests/fail-on-enum-type-missing-values.json:
2294         * replay/scripts/tests/fail-on-missing-input-member-name.json:
2295         * replay/scripts/tests/fail-on-missing-input-name.json:
2296         * replay/scripts/tests/fail-on-missing-input-queue.json:
2297         * replay/scripts/tests/fail-on-missing-type-mode.json:
2298         * replay/scripts/tests/fail-on-missing-type-name.json:
2299         * replay/scripts/tests/fail-on-no-inputs.json:
2300         Removed, no longer required to be in a single file.
2301
2302         * replay/scripts/tests/fail-on-no-types.json:
2303         Removed, no longer required to be in a single file.
2304
2305         * replay/scripts/tests/fail-on-unknown-input-queue.json:
2306         * replay/scripts/tests/fail-on-unknown-member-type.json:
2307         * replay/scripts/tests/fail-on-unknown-type-mode.json:
2308         * replay/scripts/tests/generate-enum-encoding-helpers-with-guarded-values.json:
2309         * replay/scripts/tests/generate-enum-encoding-helpers.json:
2310         * replay/scripts/tests/generate-enum-with-guard.json:
2311         Include enums that are and are not generated.
2312
2313         * replay/scripts/tests/generate-enums-with-same-base-name.json:
2314         * replay/scripts/tests/generate-event-loop-shape-types.json:
2315         * replay/scripts/tests/generate-input-with-guard.json:
2316         * replay/scripts/tests/generate-input-with-vector-members.json:
2317         * replay/scripts/tests/generate-inputs-with-flags.json:
2318         * replay/scripts/tests/generate-memoized-type-modes.json:
2319
2320 2015-01-20  Tomas Popela  <tpopela@redhat.com>
2321
2322         [GTK] Cannot compile 2.7.3 on PowerPC machines
2323         https://bugs.webkit.org/show_bug.cgi?id=140616
2324
2325         Include climits for INT_MAX and wtf/DataLog.h for dataLogF
2326
2327         Reviewed by Csaba Osztrogonác.
2328
2329         * runtime/BasicBlockLocation.cpp:
2330
2331 2015-01-19  Michael Saboff  <msaboff@apple.com>
2332
2333         A "cached" null setter should throw a TypeException when called in strict mode and doesn't
2334         https://bugs.webkit.org/show_bug.cgi?id=139418
2335
2336         Reviewed by Filip Pizlo.
2337
2338         Made a new NullSetterFunction class similar to NullGetterFunction.  The difference is that 
2339         NullSetterFunction will throw a TypeError per the ECMA262 spec for a strict mode caller.
2340
2341         * CMakeLists.txt:
2342         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2343         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2344         * JavaScriptCore.xcodeproj/project.pbxproj:
2345         Added new files NullSetterFunction.cpp and NullSetterFunction.h.
2346
2347         * runtime/GetterSetter.h:
2348         (JSC::GetterSetter::GetterSetter):
2349         (JSC::GetterSetter::isSetterNull):
2350         (JSC::GetterSetter::setSetter):
2351         Change setter instances from using NullGetterFunction to using NullSetterFunction.
2352
2353         * runtime/JSGlobalObject.cpp:
2354         (JSC::JSGlobalObject::init):
2355         * runtime/JSGlobalObject.h:
2356         (JSC::JSGlobalObject::nullSetterFunction):
2357         Added m_nullSetterFunction and accessor.
2358
2359         * runtime/NullSetterFunction.cpp: Added.
2360         (JSC::GetCallerStrictnessFunctor::GetCallerStrictnessFunctor):
2361         (JSC::GetCallerStrictnessFunctor::operator()):
2362         (JSC::GetCallerStrictnessFunctor::callerIsStrict):
2363         (JSC::callerIsStrict):
2364         Method to determine if the caller is in strict mode.
2365
2366         (JSC::callReturnUndefined):
2367         (JSC::constructReturnUndefined):
2368         (JSC::NullSetterFunction::getCallData):
2369         (JSC::NullSetterFunction::getConstructData):
2370         * runtime/NullSetterFunction.h: Added.
2371         (JSC::NullSetterFunction::create):
2372         (JSC::NullSetterFunction::createStructure):
2373         (JSC::NullSetterFunction::NullSetterFunction):
2374         Class with handlers for a null setter.
2375
2376 2015-01-19  Saam Barati  <saambarati1@gmail.com>
2377
2378         Web Inspector: Provide a front end for JSC's Control Flow Profiler
2379         https://bugs.webkit.org/show_bug.cgi?id=138454
2380
2381         Reviewed by Timothy Hatcher.
2382
2383         This patch puts the final touches on what JSC needs to provide
2384         for the Web Inspector to show a UI for the control flow profiler.
2385
2386         * inspector/agents/InspectorRuntimeAgent.cpp:
2387         (Inspector::recompileAllJSFunctionsForTypeProfiling):
2388         * runtime/ControlFlowProfiler.cpp:
2389         (JSC::ControlFlowProfiler::getBasicBlocksForSourceID):
2390         * runtime/FunctionHasExecutedCache.cpp:
2391         (JSC::FunctionHasExecutedCache::getFunctionRanges):
2392         (JSC::FunctionHasExecutedCache::getUnexecutedFunctionRanges): Deleted.
2393         * runtime/FunctionHasExecutedCache.h:
2394
2395 2015-01-19  David Kilzer  <ddkilzer@apple.com>
2396
2397         [iOS] Only use LLVM static library arguments on 64-bit builds of libllvmForJSC.dylib
2398         <http://webkit.org/b/140658>
2399
2400         Reviewed by Filip Pizlo.
2401
2402         * Configurations/LLVMForJSC.xcconfig: Set OTHER_LDFLAGS_LLVM
2403         only when building for 64-bit architectures.
2404
2405 2015-01-19  Filip Pizlo  <fpizlo@apple.com>
2406
2407         ClosureCallStubRoutine no longer needs codeOrigin
2408         https://bugs.webkit.org/show_bug.cgi?id=140659
2409
2410         Reviewed by Michael Saboff.
2411         
2412         Once upon a time, we would look for the CodeOrigin associated with a return PC. This search
2413         would start with the CodeBlock according to the caller frame's call frame header. But if the
2414         call was a closure call, the return PC would be inside some closure call stub. So if the
2415         CodeBlock search failed, we would search *all* closure call stub routines to see which one
2416         encompasses the return PC. Then, we would use the CodeOrigin stored in the stub routine
2417         object. This was all a bunch of madness, and we actually got rid of it - we now determine
2418         the CodeOrigin for a call frame using the encoded code origin bits inside the tag of the
2419         argument count.
2420         
2421         This patch removes the final vestiges of the madness:
2422         
2423         - Remove the totally unused method declaration for the thing that did the closure call stub
2424           search.
2425         
2426         - Remove the CodeOrigin field from the ClosureCallStubRoutine. Except for that crazy search
2427           that we no longer do, everyone else who finds a ClosureCallStubRoutine will find it via
2428           the CallLinkInfo. The CallLinkInfo also has the CodeOrigin, so we don't need this field
2429           anymore.
2430
2431         * bytecode/CodeBlock.h:
2432         * jit/ClosureCallStubRoutine.cpp:
2433         (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
2434         * jit/ClosureCallStubRoutine.h:
2435         (JSC::ClosureCallStubRoutine::executable):
2436         (JSC::ClosureCallStubRoutine::codeOrigin): Deleted.
2437         * jit/Repatch.cpp:
2438         (JSC::linkClosureCall):
2439
2440 2015-01-19  Saam Barati  <saambarati1@gmail.com>
2441
2442         Basic block start offsets should never be larger than end offsets in the control flow profiler
2443         https://bugs.webkit.org/show_bug.cgi?id=140377
2444
2445         Reviewed by Filip Pizlo.
2446
2447         The bytecode generator will emit code more than once for some AST nodes. For instance, 
2448         the finally block of TryNode will emit two code paths for its finally block: one for 
2449         the normal path, and another for the path where an exception is thrown in the catch block. 
2450         
2451         This repeated code emission of the same AST node previously broke how the control 
2452         flow profiler computed text ranges of basic blocks because when the same AST node 
2453         is emitted multiple times, there is a good chance that there are ranges that span 
2454         from the end offset of one of these duplicated nodes back to the start offset of 
2455         the same duplicated node. This caused a basic block range to report a larger start 
2456         offset than end offset. This was incorrect. Now, when this situation is encountered 
2457         while linking a CodeBlock, the faulty range in question is ignored.
2458
2459         * bytecode/CodeBlock.cpp:
2460         (JSC::CodeBlock::CodeBlock):
2461         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
2462         * bytecode/CodeBlock.h:
2463         * bytecompiler/NodesCodegen.cpp:
2464         (JSC::ForInNode::emitMultiLoopBytecode):
2465         (JSC::ForOfNode::emitBytecode):
2466         (JSC::TryNode::emitBytecode):
2467         * parser/Parser.cpp:
2468         (JSC::Parser<LexerType>::parseConditionalExpression):
2469         * runtime/ControlFlowProfiler.cpp:
2470         (JSC::ControlFlowProfiler::ControlFlowProfiler):
2471         * runtime/ControlFlowProfiler.h:
2472         (JSC::ControlFlowProfiler::dummyBasicBlock):
2473
2474 2015-01-19  Myles C. Maxfield  <mmaxfield@apple.com>
2475
2476         [SVG -> OTF Converter] Flip the switch on
2477         https://bugs.webkit.org/show_bug.cgi?id=140592
2478
2479         Reviewed by Antti Koivisto.
2480
2481         * Configurations/FeatureDefines.xcconfig:
2482
2483 2015-01-19  Brian J. Burg  <burg@cs.washington.edu>
2484
2485         Web Replay: convert to is<T> and downcast<T> for decoding replay inputs
2486         https://bugs.webkit.org/show_bug.cgi?id=140512
2487
2488         Reviewed by Chris Dumez.
2489
2490         Generate a SPECIALIZE_TYPE_TRAITS_* chunk of code for each input. This cannot
2491         be done using REPLAY_INPUT_NAMES_FOR_EACH macro since that doesn't fully qualify
2492         input types, and the type traits macro is defined in namespace WTF.
2493
2494         * replay/NondeterministicInput.h: Make overridden methods public.
2495         * replay/scripts/CodeGeneratorReplayInputs.py:
2496         (Generator.generate_header):
2497         (Generator.qualified_input_name): Allow forcing qualification. WTF is never a target framework.
2498         (Generator.generate_input_type_trait_declaration): Added.
2499         * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Add a template.
2500         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h:
2501         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h:
2502         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h:
2503         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h:
2504         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h:
2505         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h:
2506         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h:
2507         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h:
2508
2509 2015-01-19  Commit Queue  <commit-queue@webkit.org>
2510
2511         Unreviewed, rolling out r178653.
2512         https://bugs.webkit.org/show_bug.cgi?id=140634
2513
2514         Broke multiple SVG tests on Mountain Lion (Requested by ap on
2515         #webkit).
2516
2517         Reverted changeset:
2518
2519         "[SVG -> OTF Converter] Flip the switch on"
2520         https://bugs.webkit.org/show_bug.cgi?id=140592
2521         http://trac.webkit.org/changeset/178653
2522
2523 2015-01-18  Dean Jackson  <dino@apple.com>
2524
2525         ES6: Support Array.of construction
2526         https://bugs.webkit.org/show_bug.cgi?id=140605
2527         <rdar://problem/19513655>
2528
2529         Reviewed by Geoffrey Garen.
2530
2531         Add an implementation of Array.of, described in 22.1.2.3 of the ES6
2532         specification (15 Jan 2015). The Array.of() method creates a new Array
2533         instance with a variable number of arguments, regardless of number or type
2534         of the arguments.
2535
2536         * runtime/ArrayConstructor.cpp:
2537         (JSC::arrayConstructorOf): Create a new empty Array, then iterate
2538         over the arguments, setting them to the appropriate index.
2539
2540 2015-01-19  Myles C. Maxfield  <mmaxfield@apple.com>
2541
2542         [SVG -> OTF Converter] Flip the switch on
2543         https://bugs.webkit.org/show_bug.cgi?id=140592
2544
2545         Reviewed by Antti Koivisto.
2546
2547         * Configurations/FeatureDefines.xcconfig:
2548
2549 2015-01-17  Brian J. Burg  <burg@cs.washington.edu>
2550
2551         Web Inspector: highlight data for overlay should use protocol type builders
2552         https://bugs.webkit.org/show_bug.cgi?id=129441
2553
2554         Reviewed by Timothy Hatcher.
2555
2556         Add a new domain for overlay types.
2557
2558         * CMakeLists.txt:
2559         * DerivedSources.make:
2560         * inspector/protocol/OverlayTypes.json: Added.
2561
2562 2015-01-17  Michael Saboff  <msaboff@apple.com>
2563
2564         Crash in JSScope::resolve() on tools.ups.com
2565         https://bugs.webkit.org/show_bug.cgi?id=140579
2566
2567         Reviewed by Geoffrey Garen.
2568
2569         For op_resolve_scope of a global property or variable that needs to check for the var
2570         injection check watchpoint, we need to keep the scope around with a Phantom.  The
2571         baseline JIT slowpath for op_resolve_scope needs the scope value if the watchpoint
2572         fired.
2573
2574         * dfg/DFGByteCodeParser.cpp:
2575         (JSC::DFG::ByteCodeParser::parseBlock):
2576
2577 2015-01-16  Brian J. Burg  <burg@cs.washington.edu>
2578
2579         Web Inspector: code generator should introduce typedefs for protocol types that are arrays
2580         https://bugs.webkit.org/show_bug.cgi?id=140557
2581
2582         Reviewed by Joseph Pecoraro.
2583
2584         Currently, there is no generated type name for "array" type declarations such as Console.CallStack.
2585         This makes it longwinded and confusing to use the type in C++ code.
2586
2587         This patch adds a typedef for array type declarations, so types such as Console::CallStack
2588         can be referred to directly, rather than using Inspector::Protocol::Array<Console::CallFrame>.
2589
2590         Some tests were updated to cover array type declarations used as parameters and type members.
2591
2592         * inspector/ScriptCallStack.cpp: Use the new typedef.
2593         (Inspector::ScriptCallStack::buildInspectorArray):
2594         * inspector/ScriptCallStack.h:
2595         * inspector/scripts/codegen/cpp_generator.py:
2596         (CppGenerator.cpp_protocol_type_for_type): If an ArrayType is nominal, use the typedef'd name instead.
2597         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2598         (_generate_typedefs_for_domain): Also generate typedefs for array type declarations.
2599         (_generate_typedefs_for_domain.Inspector):
2600         * inspector/scripts/codegen/models.py: Save the name of an ArrayType when it is a type declaration.
2601         (ArrayType.__init__):
2602         (Protocol.resolve_types):
2603         (Protocol.lookup_type_reference):
2604         * inspector/scripts/tests/commands-with-async-attribute.json:
2605         * inspector/scripts/tests/commands-with-optional-call-return-parameters.json:
2606         * inspector/scripts/tests/events-with-optional-parameters.json:
2607         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2608         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2609         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2610         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2611         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2612         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2613         * inspector/scripts/tests/type-declaration-object-type.json:
2614
2615 2015-01-16  Brian J. Burg  <burg@cs.washington.edu>
2616
2617         Web Replay: purge remaining PassRefPtr uses and minor cleanup
2618         https://bugs.webkit.org/show_bug.cgi?id=140456
2619
2620         Reviewed by Andreas Kling.
2621
2622         Get rid of PassRefPtr. Introduce default initializers where it makes sense.
2623         Remove mistaken uses of AtomicString that were not removed as part of r174113.
2624
2625         * replay/EmptyInputCursor.h:
2626         * replay/InputCursor.h:
2627         (JSC::InputCursor::InputCursor):
2628
2629 2015-01-16  Brian J. Burg  <burg@cs.washington.edu>
2630
2631         Web Inspector: code generator should fail on duplicate parameter and member names
2632         https://bugs.webkit.org/show_bug.cgi?id=140555
2633
2634         Reviewed by Timothy Hatcher.
2635
2636         * inspector/scripts/codegen/models.py:
2637         (find_duplicates): Add a helper function to find duplicates in a list.
2638         (Protocol.parse_type_declaration):
2639         (Protocol.parse_command):
2640         (Protocol.parse_event):
2641         * inspector/scripts/tests/expected/fail-on-duplicate-command-call-parameter-names.json-error: Added.
2642         * inspector/scripts/tests/expected/fail-on-duplicate-command-return-parameter-names.json-error: Added.
2643         * inspector/scripts/tests/expected/fail-on-duplicate-event-parameter-names.json-error: Added.
2644         * inspector/scripts/tests/expected/fail-on-duplicate-type-member-names.json-error: Added.
2645         * inspector/scripts/tests/fail-on-duplicate-command-call-parameter-names.json: Added.
2646         * inspector/scripts/tests/fail-on-duplicate-command-return-parameter-names.json: Added.
2647         * inspector/scripts/tests/fail-on-duplicate-event-parameter-names.json: Added.
2648         * inspector/scripts/tests/fail-on-duplicate-type-member-names.json: Added.
2649
2650 2015-01-16  Michael Saboff  <msaboff@apple.com>
2651
2652         REGRESSION (r174226): Header on huffingtonpost.com is too large
2653         https://bugs.webkit.org/show_bug.cgi?id=140306
2654
2655         Reviewed by Filip Pizlo.
2656
2657         BytecodeGenerator::willResolveToArguments() is used to check to see if we can use the
2658         arguments register or whether we need to resolve "arguments".  If the arguments have
2659         been captured, then they are stored in the lexical environment and the arguments
2660         register is not used.
2661
2662         Changed BytecodeGenerator::willResolveToArguments() to also check to see if the arguments
2663         register is captured.  Renamed the function to willResolveToArgumentsRegister() to
2664         better indicate what we are checking.
2665
2666         Aligned 32 and 64 bit paths in ArgumentsRecoveryGenerator::generateFor() for creating
2667         an arguments object that was optimized out of an inlined callFrame.  The 32 bit path
2668         incorrectly calculated the location of the reified callee frame.  This alignment resulted
2669         in the removal of operationCreateInlinedArgumentsDuringOSRExit().
2670
2671         * bytecompiler/BytecodeGenerator.cpp:
2672         (JSC::BytecodeGenerator::willResolveToArgumentsRegister):
2673         (JSC::BytecodeGenerator::uncheckedLocalArgumentsRegister):
2674         (JSC::BytecodeGenerator::emitCall):
2675         (JSC::BytecodeGenerator::emitConstruct):
2676         (JSC::BytecodeGenerator::emitEnumeration):
2677         (JSC::BytecodeGenerator::willResolveToArguments): Deleted.
2678         * bytecompiler/BytecodeGenerator.h:
2679         * bytecompiler/NodesCodegen.cpp:
2680         (JSC::BracketAccessorNode::emitBytecode):
2681         (JSC::DotAccessorNode::emitBytecode):
2682         (JSC::getArgumentByVal):
2683         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2684         (JSC::ArrayPatternNode::emitDirectBinding):
2685         * dfg/DFGOSRExitCompilerCommon.cpp:
2686         (JSC::DFG::ArgumentsRecoveryGenerator::generateFor):
2687         * dfg/DFGOperations.cpp:
2688         (JSC::operationCreateInlinedArgumentsDuringOSRExit): Deleted.
2689         * dfg/DFGOperations.h:
2690         (JSC::operationCreateInlinedArgumentsDuringOSRExit): Deleted.
2691
2692 2015-01-15  Csaba Osztrogonác  <ossy@webkit.org>
2693
2694         Remove ENABLE(SQL_DATABASE) guards
2695         https://bugs.webkit.org/show_bug.cgi?id=140434
2696
2697         Reviewed by Darin Adler.
2698
2699         * CMakeLists.txt:
2700         * Configurations/FeatureDefines.xcconfig:
2701         * DerivedSources.make:
2702         * inspector/protocol/Database.json:
2703
2704 2015-01-14  Alexey Proskuryakov  <ap@apple.com>
2705
2706         Web Inspector and regular console use different source code locations for messages
2707         https://bugs.webkit.org/show_bug.cgi?id=140478
2708
2709         Reviewed by Brian Burg.
2710
2711         * inspector/ConsoleMessage.h: Expose computed source location.
2712
2713         * inspector/agents/InspectorConsoleAgent.cpp:
2714         (Inspector::InspectorConsoleAgent::addMessageToConsole):
2715         (Inspector::InspectorConsoleAgent::stopTiming):
2716         (Inspector::InspectorConsoleAgent::count):
2717         * inspector/agents/InspectorConsoleAgent.h:
2718         addMessageToConsole() now takes a pre-made ConsoleMessage object.
2719
2720         * inspector/JSGlobalObjectConsoleClient.cpp:
2721         (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
2722         (Inspector::JSGlobalObjectConsoleClient::warnUnimplemented):
2723         * inspector/JSGlobalObjectInspectorController.cpp:
2724         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
2725         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
2726         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
2727         Updated for the above changes.
2728
2729 2015-01-15  Mark Lam  <mark.lam@apple.com>
2730
2731         [Part 2] Argument object created by "Function dot arguments" should use a clone of argument values.
2732         <https://webkit.org/b/140093>
2733
2734         Reviewed by Geoffrey Garen.
2735
2736         * interpreter/StackVisitor.cpp:
2737         (JSC::StackVisitor::Frame::createArguments):
2738         - We should not be fetching the lexicalEnvironment here.  The reason we've
2739           introduced the ClonedArgumentsCreationMode is because the lexicalEnvironment
2740           may not be available to us at this point.  Instead, we'll just pass a nullptr.
2741
2742         * runtime/Arguments.cpp:
2743         (JSC::Arguments::tearOffForCloning):
2744         * runtime/Arguments.h:
2745         (JSC::Arguments::finishCreation):
2746         - Use the new tearOffForCloning() to tear off arguments right out of the values
2747           passed on the stack.  tearOff() is not appropriate for this purpose because
2748           it takes slowArgumentsData into account.
2749
2750 2015-01-14  Matthew Mirman  <mmirman@apple.com>
2751
2752         Removed accidental commit of "invalid_array.js"
2753         http://trac.webkit.org/changeset/178439
2754
2755         * tests/stress/invalid_array.js: Removed.
2756
2757 2015-01-14  Matthew Mirman  <mmirman@apple.com>
2758
2759         Fixes operationPutByIdOptimizes such that they check that the put didn't
2760         change the structure of the object whose property access is being
2761         cached.  Also removes uses of the new base value from the cache generation code.
2762         https://bugs.webkit.org/show_bug.cgi?id=139500
2763
2764         Reviewed by Filip Pizlo.
2765
2766         * jit/JITOperations.cpp:
2767         (JSC::operationPutByIdStrictOptimize): saved the structure before the put.
2768         (JSC::operationPutByIdNonStrictOptimize): ditto.
2769         (JSC::operationPutByIdDirectStrictOptimize): ditto.
2770         (JSC::operationPutByIdDirectNonStrictOptimize): ditto.
2771         * jit/Repatch.cpp:
2772         (JSC::generateByIdStub):
2773         (JSC::tryCacheGetByID):
2774         (JSC::tryBuildGetByIDList):
2775         (JSC::emitPutReplaceStub):
2776         (JSC::emitPutTransitionStubAndGetOldStructure): Added.
2777         (JSC::tryCachePutByID):
2778         (JSC::repatchPutByID):
2779         (JSC::tryBuildPutByIdList):
2780         (JSC::tryRepatchIn):
2781         (JSC::emitPutTransitionStub): Deleted.
2782         * jit/Repatch.h:
2783         * llint/LLIntSlowPaths.cpp:
2784         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2785         * runtime/JSPropertyNameEnumerator.h:
2786         (JSC::genericPropertyNameEnumerator):
2787         * runtime/Operations.h:
2788         (JSC::normalizePrototypeChainForChainAccess): restructured to not use the base value.
2789         (JSC::normalizePrototypeChain): restructured to not use the base value.
2790         * tests/mozilla/mozilla-tests.yaml:
2791         * tests/stress/proto-setter.js: Added.
2792         * tests/stress/put-by-id-build-list-order-recurse.js: Added.
2793         Added test that fails without this patch.
2794
2795 2015-01-13  Joseph Pecoraro  <pecoraro@apple.com>
2796
2797         Web Inspector: Remove unused ResizeImage and DecodeImageData timeline events
2798         https://bugs.webkit.org/show_bug.cgi?id=140404
2799
2800         Reviewed by Timothy Hatcher.
2801
2802         * inspector/protocol/Timeline.json:
2803
2804 2015-01-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2805
2806         DFG can call PutByValDirect for generic arrays
2807         https://bugs.webkit.org/show_bug.cgi?id=140389
2808
2809         Reviewed by Geoffrey Garen.
2810
2811         Computed properties in object initializers (ES6) use the put_by_val_direct operation.
2812         However, the current DFG asserts that put_by_val_direct is not used for the generic array,
2813         so the assertion failure is raised.
2814         This patch allows the DFG to use put_by_val_direct on generic arrays.
2815
2816         It also fixes the DFG put_by_val_direct implementation for string properties.
2817         At first, put_by_val_direct was intended to be used for spread elements.
2818         So the property keys were limited to numbers (indexes).
2819         But now, it's also used for computed properties in object initializers.
2820
2821         * dfg/DFGOperations.cpp:
2822         (JSC::DFG::operationPutByValInternal):
2823         * dfg/DFGSpeculativeJIT64.cpp:
2824         (JSC::DFG::SpeculativeJIT::compile):
2825
2826 2015-01-13  Geoffrey Garen  <ggaren@apple.com>
2827
2828         Out of bounds access in BytecodeGenerator::emitGetById under DotAccessorNode::emitBytecode
2829         https://bugs.webkit.org/show_bug.cgi?id=140397
2830
2831         Reviewed by Geoffrey Garen.
2832
2833         Patch by Alexey Proskuryakov.
2834
2835         Reviewed, performance tested, and ChangeLogged by Geoffrey Garen.
2836
2837         No performance change.
2838
2839         No test, since this is a small past-the-end read, which is very
2840         difficult to turn into a reproducible failing test -- and existing tests
2841         crash reliably using ASan.
2842
2843         * bytecompiler/NodesCodegen.cpp:
2844         (JSC::BracketAccessorNode::emitBytecode):
2845         (JSC::DotAccessorNode::emitBytecode):
2846         (JSC::FunctionCallBracketNode::emitBytecode):
2847         (JSC::PostfixNode::emitResolve):
2848         (JSC::DeleteBracketNode::emitBytecode):
2849         (JSC::DeleteDotNode::emitBytecode):
2850         (JSC::PrefixNode::emitResolve):
2851         (JSC::UnaryOpNode::emitBytecode):
2852         (JSC::BitwiseNotNode::emitBytecode):
2853         (JSC::BinaryOpNode::emitBytecode):
2854         (JSC::EqualNode::emitBytecode):
2855         (JSC::StrictEqualNode::emitBytecode):
2856         (JSC::ThrowableBinaryOpNode::emitBytecode):
2857         (JSC::AssignDotNode::emitBytecode):
2858         (JSC::AssignBracketNode::emitBytecode): Use RefPtr in more places. Any
2859         register used across a call to a function that might allocate a new
2860         temporary register must be held in a RefPtr.
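
        The rule in the last paragraph, shown in an added C++ model that is not JSC's code: a temporary-register pool that reclaims unreferenced trailing registers before handing out a new one (an assumed simplification of the generator's behaviour), with hypothetical names such as RegisterPool, newTemporary() and RegisterRef standing in for the real ones.

```cpp
#include <cstddef>
#include <deque>
#include <utility>

namespace toygen {

// A temporary register as the generator sees it: a slot index plus a refcount.
struct RegisterID {
    explicit RegisterID(int i) : index(i) {}
    int index;          // the bytecode register this temporary denotes
    int refCount = 0;   // zero means nobody is using it any more
};

// Minimal intrusive smart pointer standing in for WTF::RefPtr<RegisterID>
// (hypothetical name). Holding one keeps the register's refCount non-zero.
class RegisterRef {
public:
    RegisterRef() = default;
    explicit RegisterRef(RegisterID* r) : m_ptr(r) { if (m_ptr) ++m_ptr->refCount; }
    RegisterRef(const RegisterRef& other) : RegisterRef(other.m_ptr) {}
    RegisterRef& operator=(RegisterRef other) { std::swap(m_ptr, other.m_ptr); return *this; }
    ~RegisterRef() { if (m_ptr) --m_ptr->refCount; }
    RegisterID* get() const { return m_ptr; }
    RegisterID* operator->() const { return m_ptr; }
private:
    RegisterID* m_ptr = nullptr;
};

// Hypothetical pool of temporaries (assumed model, not the real BytecodeGenerator).
class RegisterPool {
public:
    // Hand out a fresh temporary. Before doing so, reclaim every trailing
    // temporary whose refCount has dropped to zero; the new temporary then
    // takes the lowest free index, so a register that was only held through a
    // raw pointer is silently handed out a second time.
    RegisterID* newTemporary() {
        while (!m_registers.empty() && m_registers.back().refCount == 0)
            m_registers.pop_back();
        m_registers.emplace_back(static_cast<int>(m_registers.size()));
        return &m_registers.back();
    }
    std::size_t size() const { return m_registers.size(); }
private:
    std::deque<RegisterID> m_registers;   // addresses of live elements stay stable
};

// The pattern the entry forbids: a raw RegisterID* kept across a call that may
// allocate a temporary. `base` has refCount 0, so newTemporary() reclaims it and
// `property` lands on the very same register index. (The stale `base` pointer is
// deliberately never dereferenced after the second allocation.)
inline bool rawPointerIsReused() {
    RegisterPool pool;
    RegisterID* base = pool.newTemporary();
    const int baseIndex = base->index;     // read BEFORE the next allocation
    RegisterID* property = pool.newTemporary();
    return property->index == baseIndex;   // true: the two "live" values collide
}

// The fix the entry applies: hold the register in a RefPtr so its refCount stays
// non-zero for as long as the emitted bytecode still needs it.
inline bool refPtrKeepsRegistersDistinct() {
    RegisterPool pool;
    RegisterRef base(pool.newTemporary());
    RegisterRef property(pool.newTemporary());
    return base->index != property->index && pool.size() == 2;
}

} // namespace toygen
```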
2861
2862 2015-01-12  Michael Saboff  <msaboff@apple.com>
2863
2864         Local JSArray* "keys" in objectConstructorKeys() is not marked during garbage collection
2865         https://bugs.webkit.org/show_bug.cgi?id=140348
2866
2867         Reviewed by Mark Lam.
2868
2869         We used to read registers in MachineThreads::gatherFromCurrentThread(), but that is too late
2870         because those registers may have been spilled on the stack and replaced with other values by
2871         the time we call down to gatherFromCurrentThread().
2872
2873         Now we get the register contents at the same place that we demarcate the current top of
2874         stack using the address of a local variable, in Heap::markRoots().  The register contents
2875         buffer is passed along with the demarcation pointer.  These need to be done at this level
2876         in the call tree and no lower, as markRoots() calls various functions that visit object
2877         pointers that may be later proven dead.  Any of those pointers that are left on the
2878         stack or in registers could be incorrectly marked as live if we scan the stack contents
2879         from a called function or one of its callees.  The stack demarcation pointer and register
2880         saving need to be done in the same function so that we have a consistent stack, active
2881         and spilled registers.
2882
2883         Because we don't want to make unnecessary calls to get the register contents, we use
2884         a macro to allocate, and possibly align, the register structure and get the actual
2885         register contents.
2886
2887
2888         * heap/Heap.cpp:
2889         (JSC::Heap::markRoots):
2890         (JSC::Heap::gatherStackRoots):
2891         * heap/Heap.h:
2892         * heap/MachineStackMarker.cpp:
2893         (JSC::MachineThreads::gatherFromCurrentThread):
2894         (JSC::MachineThreads::gatherConservativeRoots):
2895         * heap/MachineStackMarker.h:
2896
2897 2015-01-12  Benjamin Poulain  <benjamin@webkit.org>
2898
2899         Add basic pattern matching support to the url filters
2900         https://bugs.webkit.org/show_bug.cgi?id=140283
2901
2902         Reviewed by Andreas Kling.
2903
2904         * JavaScriptCore.xcodeproj/project.pbxproj:
2905         Make YarrParser.h private in order to use it from WebCore.
2906
2907 2015-01-12  Geoffrey Garen  <ggaren@apple.com>
2908
2909         Out of bounds read in IdentifierArena::makeIdentifier
2910         https://bugs.webkit.org/show_bug.cgi?id=140376
2911
2912         Patch by Alexey Proskuryakov.
2913
2914         Reviewed and ChangeLogged by Geoffrey Garen.
2915
2916         No test, since this is a small past-the-end read, which is very
2917         difficult to turn into a reproducible failing test -- and existing tests
2918         crash reliably using ASan.
2919
2920         * parser/ParserArena.h:
2921         (JSC::IdentifierArena::makeIdentifier):
2922         (JSC::IdentifierArena::makeIdentifierLCharFromUChar): Check for a
2923         zero-length string input, like we do in the literal parser, since it is
2924         not valid to dereference characters in a zero-length string.
2925
2926         A zero-length string is allowed in JavaScript -- for example, "".
2927
2928 2015-01-11  Sam Weinig  <sam@webkit.org>
2929
2930         Remove support for SharedWorkers
2931         https://bugs.webkit.org/show_bug.cgi?id=140344
2932
2933         Reviewed by Anders Carlsson.
2934
2935         * Configurations/FeatureDefines.xcconfig:
2936
2937 2015-01-12  Myles C. Maxfield  <mmaxfield@apple.com>
2938
2939         Allow targetting the SVG->OTF font converter with ENABLE(SVG_OTF_CONVERTER)
2940         https://bugs.webkit.org/show_bug.cgi?id=136769
2941
2942         Reviewed by Antti Koivisto.
2943
2944         * Configurations/FeatureDefines.xcconfig:
2945
2946 2015-01-12  Commit Queue  <commit-queue@webkit.org>
2947
2948         Unreviewed, rolling out r178266.
2949         https://bugs.webkit.org/show_bug.cgi?id=140363
2950
2951         Broke a JSC test (Requested by ap on #webkit).
2952
2953         Reverted changeset:
2954
2955         "Local JSArray* "keys" in objectConstructorKeys() is not
2956         marked during garbage collection"
2957         https://bugs.webkit.org/show_bug.cgi?id=140348
2958         http://trac.webkit.org/changeset/178266
2959
2960 2015-01-12  Michael Saboff  <msaboff@apple.com>
2961
2962         Local JSArray* "keys" in objectConstructorKeys() is not marked during garbage collection
2963         https://bugs.webkit.org/show_bug.cgi?id=140348
2964
2965         Reviewed by Mark Lam.
2966
2967         Move the address of the local variable that is used to demarcate the top of the stack for
2968         conservative roots down to MachineThreads::gatherFromCurrentThread() since it also gets
2969         the register values using setjmp().  That way we don't lose any callee save register
2970         contents between Heap::markRoots(), where it was set, and gatherFromCurrentThread().
2971         If we lose any JSObject* that are only in callee save registers, they will be GC'ed
2972         erroneously.
2973
2974         * heap/Heap.cpp:
2975         (JSC::Heap::markRoots):
2976         (JSC::Heap::gatherStackRoots):
2977         * heap/Heap.h:
2978         * heap/MachineStackMarker.cpp:
2979         (JSC::MachineThreads::gatherFromCurrentThread):
2980         (JSC::MachineThreads::gatherConservativeRoots):
2981         * heap/MachineStackMarker.h:
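
        Both Michael Saboff entries for bug 140348 (the rolled-out r178266 here and its re-landing earlier on this page) concern capturing register contents for conservative stack scanning. The following added C++ example is not JSC's code: it models the re-landed approach, spilling callee-saved registers with setjmp() in the same frame that demarcates the stack top and scanning every word from there up to a caller-supplied stack base. It assumes a downward-growing stack and a GCC/Clang noinline attribute; names such as markRoots(), allocate() and demo() are hypothetical.

```cpp
#include <csetjmp>
#include <cstddef>
#include <cstdint>
#include <cstring>

namespace toygc {

struct Object { std::uint64_t payload[4]; };

// The "heap": a fixed pool of objects, a table of their addresses, and one
// mark bit each. Constructed for this example only.
constexpr int kMaxObjects = 8;
static Object g_storage[kMaxObjects];
static Object* g_objects[kMaxObjects];
static bool g_marked[kMaxObjects];
static int g_objectCount = 0;

inline Object* allocate() {
    if (g_objectCount == kMaxObjects)
        return nullptr;
    Object* o = &g_storage[g_objectCount];
    g_objects[g_objectCount] = o;
    g_marked[g_objectCount] = false;
    ++g_objectCount;
    return o;
}

inline bool isMarked(const Object* o) {
    for (int i = 0; i < g_objectCount; ++i)
        if (g_objects[i] == o)
            return g_marked[i];
    return false;
}

// Conservative scan: every pointer-aligned word in [lo, hi) that equals the
// address of a heap object marks that object live. False positives are
// accepted by design; a missed root is the bug the entries describe.
static void scanWords(std::uintptr_t lo, std::uintptr_t hi) {
    const std::uintptr_t align = sizeof(void*);
    for (std::uintptr_t p = (lo + align - 1) & ~(align - 1); p + align <= hi; p += align) {
        std::uintptr_t word;
        std::memcpy(&word, reinterpret_cast<const void*>(p), sizeof word);
        for (int i = 0; i < g_objectCount; ++i)
            if (word == reinterpret_cast<std::uintptr_t>(g_objects[i]))
                g_marked[i] = true;
    }
}

// Counterpart of the re-landed Heap::markRoots(): the register capture and the
// stack-top demarcation happen in the SAME frame. A pointer that was live in a
// callee-saved register on entry is now either still in that register (hence in
// `registers`) or was spilled by this function's prologue, which lies between
// `stackTopMarker` and `stackBase`. Assumes a downward-growing stack.
__attribute__((noinline)) void markRoots(const void* stackBase) {
    std::jmp_buf registers;
    setjmp(registers);                    // spill callee-saved registers here
    volatile char stackTopMarker = 0;     // its address is the current stack top
    std::uintptr_t top = reinterpret_cast<std::uintptr_t>(&stackTopMarker);
    std::uintptr_t regs = reinterpret_cast<std::uintptr_t>(&registers);
    scanWords(regs, regs + sizeof registers);
    scanWords(top < regs ? top : regs, reinterpret_cast<std::uintptr_t>(stackBase));
}

// Scenario: the only reference to a fresh object is a local in a frame that sits
// between the stack base and markRoots()'s frame. `volatile` pins it to memory.
__attribute__((noinline)) bool objectInCallerFrameIsMarked(const void* stackBase) {
    Object* volatile obj = allocate();
    if (!obj)
        return false;
    markRoots(stackBase);
    return isMarked(obj);
}

// Entry point for the demonstration: returns true when the scan found the
// object whose only reference lives in the intermediate frame.
__attribute__((noinline)) bool demo() {
    char stackBase = 0;                   // demarcates the bottom of the scanned range
    return objectInCallerFrameIsMarked(&stackBase);
}

} // namespace toygc
```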
2982
2983 2015-01-11  Eric Carlson  <eric.carlson@apple.com>
2984
2985         Fix typo in testapi.c error messages
2986         https://bugs.webkit.org/show_bug.cgi?id=140305
2987
2988         Reviewed by Geoffrey Garen.
2989
2990         * API/tests/testapi.c:
2991         (main): "... script did not timed out ..." -> "... script did not time out ..."
2992
2993 2015-01-09  Michael Saboff  <msaboff@apple.com>
2994
2995         Breakpoint doesn't fire in this HTML5 game
2996         https://bugs.webkit.org/show_bug.cgi?id=140269
2997
2998         Reviewed by Mark Lam.
2999
3000         When parsing a single line cached function, use the lineStartOffset of the
3001         location where we found the cached function instead of the cached lineStartOffset.
3002         The cache location's lineStartOffset has not been adjusted for any possible
3003         containing functions.
3004
3005         This change is not needed for multi-line cached functions.  Consider the
3006         single line source:
3007
3008         function outer(){function inner1(){doStuff();}; (function inner2() {doMoreStuff()})()}
3009
3010         The first parser pass, we parse and cache inner1() and inner2() with a lineStartOffset
3011         of 0.  Later when we parse outer() and find inner1() in the cache, SourceCode start
3012         character is at outer()'s outermost open brace.  That is what we should use for
3013         lineStartOffset for inner1().  When done parsing inner1() we set the parsing token
3014         to the saved location for inner1(), including the lineStartOffset of 0.  We need
3015         to use the value of lineStartOffset before we started parsing inner1().  That is
3016         what the fix does.  When we parse inner2() the lineStartOffset will be correct.
3017
3018         For a multi-line function, the close brace is guaranteed to be on a different line
3019         than the open brace.  Hence, its lineStartOffset will not change with the change of
3020         the SourceCode start character.
3021
3022         * parser/Parser.cpp:
3023         (JSC::Parser<LexerType>::parseFunctionInfo):
3024
3025 2015-01-09  Joseph Pecoraro  <pecoraro@apple.com>
3026
3027         Web Inspector: Uncaught Exception in ProbeManager deleting breakpoint
3028         https://bugs.webkit.org/show_bug.cgi?id=140279
3029         rdar://problem/19422299
3030
3031         Reviewed by Oliver Hunt.
3032
3033         * runtime/MapData.cpp:
3034         (JSC::MapData::replaceAndPackBackingStore):
3035         The cell table also needs to have its values fixed.
3036
3037 2015-01-09  Joseph Pecoraro  <pecoraro@apple.com>
3038
3039         Web Inspector: Remove or use TimelineAgent Resource related event types
3040         https://bugs.webkit.org/show_bug.cgi?id=140155
3041
3042         Reviewed by Timothy Hatcher.
3043
3044         Remove unused / stale Timeline event types.
3045
3046         * inspector/protocol/Timeline.json:
3047
3048 2015-01-09  Csaba Osztrogonác  <ossy@webkit.org>
3049
3050         REGRESSION(r177925): It broke the !ENABLE(INSPECTOR) build
3051         https://bugs.webkit.org/show_bug.cgi?id=140098
3052
3053         Reviewed by Brian Burg.
3054
3055         * inspector/InspectorBackendDispatcher.h: Missing ENABLE(INSPECTOR) guard added.
3056
3057 2015-01-08  Mark Lam  <mark.lam@apple.com>
3058
3059         Argument object created by "Function dot arguments" should use a clone of the argument values.
3060         <https://webkit.org/b/140093>
3061
3062         Reviewed by Geoffrey Garen.
3063
3064         After the change in <https://webkit.org/b/139827>, the dfg-tear-off-arguments-not-activation.js
3065         test will crash.  The relevant code which manifests the issue is as follows:
3066
3067             function bar() {
3068                 return foo.arguments;
3069             }
3070
3071             function foo(p) {
3072                 var x = 42;
3073                 if (p)
3074                     return (function() { return x; });
3075                 else
3076                     return bar();
3077             }
3078
3079         In this case, foo() has no knowledge of bar() needing its LexicalEnvironment and
3080         has dead code eliminated the SetLocal that stores it into its designated local.
3081         In bar(), the factory for the Arguments object (for creating foo.arguments) tries
3082         to read foo's LexicalEnvironment from its designated lexicalEnvironment local,
3083         but instead, finds it to be uninitialized.  This results in a null pointer access
3084         which causes a crash.
3085
3086         This can be resolved by having bar() instantiate a clone of the Arguments object
3087         instead, and populate its elements with values fetched directly from foo's frame.
3088         There's no need to reference foo's LexicalEnvironment (whether present or not).
3089
3090         * interpreter/StackVisitor.cpp:
3091         (JSC::StackVisitor::Frame::createArguments):
3092         * runtime/Arguments.h:
3093         (JSC::Arguments::finishCreation):
3094
3095 2015-01-08  Mark Lam  <mark.lam@apple.com>
3096
3097         Make the LLINT and Baseline JIT's op_create_arguments and op_get_argument_by_val use their lexicalEnvironment operand.
3098         <https://webkit.org/b/140236>
3099
3100         Reviewed by Geoffrey Garen.
3101
3102         Will change the DFG to use the operand on a subsequent pass.  For now,
3103         the DFG uses a temporary thunk (operationCreateArgumentsForDFG()) to
3104         retain the old behavior of getting the lexicalEnvironment from the
3105         ExecState.
3106
3107         * bytecompiler/BytecodeGenerator.cpp:
3108         (JSC::BytecodeGenerator::BytecodeGenerator):
3109         (JSC::BytecodeGenerator::emitGetArgumentByVal):
3110         (JSC::BytecodeGenerator::createArgumentsIfNecessary):
3111         - When the lexicalEnvironment is not available, pass the invalid VirtualRegister
3112           instead of an empty JSValue as the lexicalEnvironment operand.
3113
3114         * dfg/DFGOperations.cpp:
3115         - Use the lexicalEnvironment from the ExecState for now.
3116
3117         * dfg/DFGSpeculativeJIT32_64.cpp:
3118         (JSC::DFG::SpeculativeJIT::compile):
3119         * dfg/DFGSpeculativeJIT64.cpp:
3120         (JSC::DFG::SpeculativeJIT::compile):
3121         - Use the operationCreateArgumentsForDFG() thunk for now.
3122
3123         * interpreter/CallFrame.cpp:
3124         (JSC::CallFrame::lexicalEnvironmentOrNullptr):
3125         * interpreter/CallFrame.h:
3126         - Added this convenience function to return either the
3127           lexicalEnvironment or a nullptr so that we don't need to do a
3128           conditional check on codeBlock->needsActivation() at multiple sites.
3129
3130         * interpreter/StackVisitor.cpp:
3131         (JSC::StackVisitor::Frame::createArguments):
3132         * jit/JIT.h:
3133         * jit/JITInlines.h:
3134         (JSC::JIT::callOperation):
3135         * jit/JITOpcodes.cpp:
3136         (JSC::JIT::emit_op_create_arguments):
3137         (JSC::JIT::emitSlow_op_get_argument_by_val):
3138         * jit/JITOpcodes32_64.cpp:
3139         (JSC::JIT::emit_op_create_arguments):
3140         (JSC::JIT::emitSlow_op_get_argument_by_val):
3141         * jit/JITOperations.cpp:
3142         * jit/JITOperations.h:
3143         * llint/LLIntSlowPaths.cpp:
3144         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3145         * runtime/Arguments.h:
3146         (JSC::Arguments::create):
3147         (JSC::Arguments::finishCreation):
3148         * runtime/CommonSlowPaths.cpp:
3149         (JSC::SLOW_PATH_DECL):
3150         * runtime/JSLexicalEnvironment.cpp:
3151         (JSC::JSLexicalEnvironment::argumentsGetter):
3152
3153 2015-01-08  Joseph Pecoraro  <pecoraro@apple.com>
3154
3155         Web Inspector: Pause Reason Improvements (Breakpoint, Debugger Statement, Pause on Next Statement)
3156         https://bugs.webkit.org/show_bug.cgi?id=138991
3157
3158         Reviewed by Timothy Hatcher.
3159
3160         * debugger/Debugger.cpp:
3161         (JSC::Debugger::Debugger):
3162         (JSC::Debugger::pauseIfNeeded):
3163         (JSC::Debugger::didReachBreakpoint):
3164         When actually pausing, if we hit a breakpoint ensure the reason
3165         is PausedForBreakpoint, otherwise use the current reason.
3166
3167         * debugger/Debugger.h:
3168         Make pause reason and pausing breakpoint ID public.
3169
3170         * inspector/agents/InspectorDebuggerAgent.h:
3171         * inspector/agents/InspectorDebuggerAgent.cpp:
3172         (Inspector::buildAssertPauseReason):
3173         (Inspector::buildCSPViolationPauseReason):
3174         (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
3175         (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason):
3176         (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
3177         (Inspector::buildObjectForBreakpointCookie):
3178         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
3179         (Inspector::InspectorDebuggerAgent::removeBreakpoint):
3180         (Inspector::InspectorDebuggerAgent::resolveBreakpoint):
3181         (Inspector::InspectorDebuggerAgent::pause):
3182         (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP):
3183         (Inspector::InspectorDebuggerAgent::currentCallFrames):
3184         (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
3185         Clean up creation of pause reason objects and other cleanup
3186         of PassRefPtr use and InjectedScript use.
3187
3188         (Inspector::InspectorDebuggerAgent::didPause):
3189         Clean up so that we first check for an Exception, and then fall
3190         back to including a Pause Reason derived from the Debugger.
3191
3192         * inspector/protocol/Debugger.json:
3193         Add new DebuggerStatement, Breakpoint, and PauseOnNextStatement reasons.
3194
3195 2015-01-08  Joseph Pecoraro  <pecoraro@apple.com>
3196
3197         Web Inspector: Type check NSArrays in ObjC Interfaces have the right object types
3198         https://bugs.webkit.org/show_bug.cgi?id=140209
3199
3200         Reviewed by Timothy Hatcher.
3201
3202         Check the types of objects in NSArrays for all interfaces (commands, events, types)
3203         when the user can set an array of objects. Previously we were only type checking that
3204         they were RWIJSONObjects; now we add an explicit check for the exact object type.
3205
3206         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
3207         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
3208         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
3209         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
3210         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
3211         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members):
3212         (ObjCProtocolTypesImplementationGenerator._generate_setter_for_member):
3213         * inspector/scripts/codegen/objc_generator.py:
3214         (ObjCGenerator.objc_class_for_array_type):
3215         (ObjCGenerator):
3216
3217 2015-01-07  Mark Lam  <mark.lam@apple.com>
3218
3219         Add the lexicalEnvironment as an operand to op_get_argument_by_val.
3220         <https://webkit.org/b/140233>
3221
3222         Reviewed by Filip Pizlo.
3223
3224         This patch only adds the operand to the bytecode.  It is not in use yet.
3225
3226         * bytecode/BytecodeList.json:
3227         * bytecode/BytecodeUseDef.h:
3228         (JSC::computeUsesForBytecodeOffset):
3229         * bytecode/CodeBlock.cpp:
3230         (JSC::CodeBlock::dumpBytecode):
3231         * bytecompiler/BytecodeGenerator.cpp:
3232         (JSC::BytecodeGenerator::emitGetArgumentByVal):
3233         * llint/LowLevelInterpreter32_64.asm:
3234         * llint/LowLevelInterpreter64.asm:
3235
3236 2015-01-07  Yusuke Suzuki  <utatane.tea@gmail.com>
3237
3238         Investigate the character type of repeated string instead of checking is8Bit flag
3239         https://bugs.webkit.org/show_bug.cgi?id=140139
3240
3241         Reviewed by Darin Adler.
3242
3243         Instead of checking the is8Bit flag of the repeated string, investigate
3244         the actual value of the repeated character, since the is8Bit flag gives a false negative case.
3245
3246         * runtime/StringPrototype.cpp:
3247         (JSC::repeatCharacter):
3248         (JSC::stringProtoFuncRepeat):
3249         (JSC::repeatSmallString): Deleted.
3250
3251 2015-01-07  Joseph Pecoraro  <pecoraro@apple.com>
3252
3253         Web Inspector: ObjC Generate types from the GenericTypes domain
3254         https://bugs.webkit.org/show_bug.cgi?id=140229
3255
3256         Reviewed by Timothy Hatcher.
3257
3258         Generate types from the GenericTypes domain, as they are expected
3259         by other domains (like Page domain). Also, don't include the @protocol
3260         forward declaration for a domain if it doesn't have any commands.
3261
3262         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
3263         (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations):
3264         (ObjCBackendDispatcherHeaderGenerator): Deleted.
3265         (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations_for_domains): Deleted.
3266         * inspector/scripts/codegen/objc_generator.py:
3267         (ObjCGenerator):
3268         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
3269         * inspector/scripts/tests/expected/enum-values.json-result:
3270         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
3271         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
3272         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
3273         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
3274         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
3275         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
3276         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
3277         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
3278         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
3279
3280 2015-01-07  Joseph Pecoraro  <pecoraro@apple.com>
3281
3282         Web Inspector: Remove unnecessary copyRef for paramsObject in generated dispatchers
3283         https://bugs.webkit.org/show_bug.cgi?id=140228
3284
3285         Reviewed by Timothy Hatcher.
3286
3287         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
3288         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
3289         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
3290         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
3291         * inspector/scripts/tests/expected/enum-values.json-result:
3292         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
3293
3294 2015-01-07  Saam Barati  <saambarati1@gmail.com>
3295
3296         interpret op_profile_type in the LLInt instead of unconditionally calling into the slow path
3297         https://bugs.webkit.org/show_bug.cgi?id=140165
3298
3299         Reviewed by Michael Saboff.
3300
3301         Inlining the functionality of TypeProfilerLog::recordTypeInformationForLocation
3302         into the LLInt speeds up type profiling.
3303
3304         * llint/LLIntOffsetsExtractor.cpp:
3305         * llint/LowLevelInterpreter.asm:
3306         * llint/LowLevelInterpreter32_64.asm:
3307         * llint/LowLevelInterpreter64.asm:
3308         * runtime/CommonSlowPaths.cpp:
3309         (JSC::SLOW_PATH_DECL):
3310         * runtime/CommonSlowPaths.h:
3311         * runtime/TypeProfilerLog.h:
3312         (JSC::TypeProfilerLog::recordTypeInformationForLocation): Deleted.
3313
3314 2015-01-07  Brian J. Burg  <burg@cs.washington.edu>
3315
3316         Web Inspector: purge PassRefPtr from Inspector code and use Ref for typed and untyped protocol objects
3317         https://bugs.webkit.org/show_bug.cgi?id=140053
3318
3319         Reviewed by Andreas Kling.
3320
3321         This patch replaces uses of PassRefPtr with uses of RefPtr&& and WTF::move() in code
3322         related to Web Inspector. It also converts many uses of RefPtr to Ref where
3323         references are always non-null. These two refactorings have been combined since
3324         they tend to require similar changes to the code.
3325
3326         Creation methods for subclasses of InspectorValue now return a Ref, and callsites
3327         have been updated to take a Ref instead of RefPtr.
3328
3329         Builders for typed protocol objects now return a Ref. Since there is no implicit
3330         call to operator&, callsites now must explicitly call .release() to convert a
3331         builder object into the corresponding protocol object once required fields are set.
3332         Update callsites and use auto to eliminate repetition of long-winded protocol types.
3333
3334         Tests for inspector protocol and replay inputs have been rebaselined.
3335
3336         * bindings/ScriptValue.cpp:
3337         (Deprecated::jsToInspectorValue):
3338         (Deprecated::ScriptValue::toInspectorValue):
3339         * bindings/ScriptValue.h:
3340         * inspector/ConsoleMessage.cpp:
3341         (Inspector::ConsoleMessage::addToFrontend):
3342         * inspector/ContentSearchUtilities.cpp:
3343         (Inspector::ContentSearchUtilities::buildObjectForSearchMatch):
3344         (Inspector::ContentSearchUtilities::searchInTextByLines):
3345         * inspector/ContentSearchUtilities.h:
3346         * inspector/InjectedScript.cpp:
3347         (Inspector::InjectedScript::getFunctionDetails):
3348         (Inspector::InjectedScript::getProperties):
3349         (Inspector::InjectedScript::getInternalProperties):
3350         (Inspector::InjectedScript::wrapCallFrames):
3351         (Inspector::InjectedScript::wrapObject):
3352         (Inspector::InjectedScript::wrapTable):
3353         * inspector/InjectedScript.h:
3354         * inspector/InjectedScriptBase.cpp:
3355         (Inspector::InjectedScriptBase::makeEvalCall): Split the early exits.
3356         * inspector/InspectorBackendDispatcher.cpp:
3357         (Inspector::InspectorBackendDispatcher::CallbackBase::CallbackBase):
3358         (Inspector::InspectorBackendDispatcher::CallbackBase::sendIfActive):
3359         (Inspector::InspectorBackendDispatcher::create):
3360         (Inspector::InspectorBackendDispatcher::dispatch):
3361         (Inspector::InspectorBackendDispatcher::sendResponse):
3362         (Inspector::InspectorBackendDispatcher::reportProtocolError):
3363         (Inspector::getPropertyValue): Add a comment to clarify what this clever code does.
3364         (Inspector::InspectorBackendDispatcher::getInteger):
3365         (Inspector::InspectorBackendDispatcher::getDouble):
3366         (Inspector::InspectorBackendDispatcher::getString):
3367         (Inspector::InspectorBackendDispatcher::getBoolean):
3368         (Inspector::InspectorBackendDispatcher::getObject):
3369         (Inspector::InspectorBackendDispatcher::getArray):
3370         (Inspector::InspectorBackendDispatcher::getValue):
3371         * inspector/InspectorBackendDispatcher.h: Use a typed protocol object to collect
3372         protocol error strings.
3373         (Inspector::InspectorSupplementalBackendDispatcher::InspectorSupplementalBackendDispatcher):
3374         Convert the supplemental dispatcher's reference to Ref since it is never null.
3375         * inspector/InspectorEnvironment.h:
3376         * inspector/InspectorProtocolTypes.h: Get rid of ArrayItemHelper and
3377         StructItemTraits. Add more versions of addItem to handle pushing various types.
3378         (Inspector::Protocol::Array::openAccessors):
3379         (Inspector::Protocol::Array::addItem):
3380         (Inspector::Protocol::Array::create):
3381         (Inspector::Protocol::StructItemTraits::push):
3382         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast): Assert argument.
3383         (Inspector::Protocol::StructItemTraits::pushRefPtr): Deleted.
3384         (Inspector::Protocol::ArrayItemHelper<String>::Traits::pushRaw): Deleted.
3385         (Inspector::Protocol::ArrayItemHelper<int>::Traits::pushRaw): Deleted.
3386         (Inspector::Protocol::ArrayItemHelper<double>::Traits::pushRaw): Deleted.
3387         (Inspector::Protocol::ArrayItemHelper<bool>::Traits::pushRaw): Deleted.
3388         (Inspector::Protocol::ArrayItemHelper<InspectorValue>::Traits::pushRefPtr): Deleted.
3389         (Inspector::Protocol::ArrayItemHelper<InspectorObject>::Traits::pushRefPtr): Deleted.
3390         (Inspector::Protocol::ArrayItemHelper<InspectorArray>::Traits::pushRefPtr): Deleted.
3391         (Inspector::Protocol::ArrayItemHelper<Protocol::Array<T>>::Traits::pushRefPtr): Deleted.
3392         * inspector/InspectorValues.cpp: Straighten out getArray and getObject to have
3393         the same call signature as other getters. Use Ref where possible.
3394         (Inspector::InspectorObjectBase::getBoolean):
3395         (Inspector::InspectorObjectBase::getString):
3396         (Inspector::InspectorObjectBase::getObject):
3397         (Inspector::InspectorObjectBase::getArray):
3398         (Inspector::InspectorObjectBase::getValue):
3399         (Inspector::InspectorObjectBase::writeJSON):
3400         (Inspector::InspectorArrayBase::get):
3401         (Inspector::InspectorObject::create):
3402         (Inspector::InspectorArray::create):
3403         (Inspector::InspectorValue::null):
3404         (Inspector::InspectorString::create):
3405         (Inspector::InspectorBasicValue::create):
3406         (Inspector::InspectorObjectBase::get): Deleted.
3407         * inspector/InspectorValues.h:
3408         (Inspector::InspectorObjectBase::setValue):
3409         (Inspector::InspectorObjectBase::setObject):
3410         (Inspector::InspectorObjectBase::setArray):
3411         (Inspector::InspectorArrayBase::pushValue):
3412         (Inspector::InspectorArrayBase::pushObject):
3413         (Inspector::InspectorArrayBase::pushArray):
3414         * inspector/JSGlobalObjectConsoleClient.cpp:
3415         (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
3416         (Inspector::JSGlobalObjectConsoleClient::count):
3417         (Inspector::JSGlobalObjectConsoleClient::timeEnd):
3418         (Inspector::JSGlobalObjectConsoleClient::timeStamp):
3419         * inspector/JSGlobalObjectConsoleClient.h:
3420         * inspector/JSGlobalObjectInspectorController.cpp:
3421         (Inspector::JSGlobalObjectInspectorController::executionStopwatch):
3422         * inspector/JSGlobalObjectInspectorController.h:
3423         * inspector/ScriptCallFrame.cpp:
3424         (Inspector::ScriptCallFrame::buildInspectorObject):
3425         * inspector/ScriptCallFrame.h:
3426         * inspector/ScriptCallStack.cpp:
3427         (Inspector::ScriptCallStack::create):
3428         (Inspector::ScriptCallStack::buildInspectorArray):
3429         * inspector/ScriptCallStack.h:
3430         * inspector/agents/InspectorAgent.cpp:
3431         (Inspector::InspectorAgent::enable):
3432         (Inspector::InspectorAgent::inspect):
3433         (Inspector::InspectorAgent::activateExtraDomain):
3434         * inspector/agents/InspectorAgent.h:
3435         * inspector/agents/InspectorDebuggerAgent.cpp:
3436         (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
3437         (Inspector::buildObjectForBreakpointCookie):
3438         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
3439         (Inspector::InspectorDebuggerAgent::setBreakpoint):
3440         (Inspector::InspectorDebuggerAgent::continueToLocation):
3441         (Inspector::InspectorDebuggerAgent::resolveBreakpoint):
3442         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
3443         (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP):
3444         (Inspector::InspectorDebuggerAgent::currentCallFrames):
3445         (Inspector::InspectorDebuggerAgent::didParseSource):
3446         (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
3447         (Inspector::InspectorDebuggerAgent::breakProgram):
3448         * inspector/agents/InspectorDebuggerAgent.h:
3449         * inspector/agents/InspectorRuntimeAgent.cpp:
3450         (Inspector::buildErrorRangeObject):
3451         (Inspector::InspectorRuntimeAgent::callFunctionOn):
3452         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
3453         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
3454         * inspector/agents/InspectorRuntimeAgent.h:
3455         * inspector/scripts/codegen/cpp_generator.py:
3456         (CppGenerator.cpp_type_for_unchecked_formal_in_parameter):
3457         (CppGenerator.cpp_type_for_type_with_name):
3458         (CppGenerator.cpp_type_for_formal_async_parameter):
3459         (CppGenerator.should_use_references_for_type):
3460         (CppGenerator):
3461         * inspector/scripts/codegen/cpp_generator_templates.py:
3462         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
3463         (CppBackendDispatcherHeaderGenerator.generate_output):
3464         (CppBackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
3465         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
3466         (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
3467         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
3468         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
3469         (CppFrontendDispatcherHeaderGenerator.generate_output):
3470         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
3471         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
3472         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
3473         (CppProtocolTypesHeaderGenerator.generate_output):
3474         (_generate_class_for_object_declaration):
3475         (_generate_unchecked_setter_for_member):
3476         (_generate_forward_declarations_for_binding_traits):
3477         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
3478         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
3479         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
3480         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
3481         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
3482         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
3483         (ObjCProtocolTypesImplementationGenerator.generate_output):
3484         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
3485         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
3486         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
3487         * inspector/scripts/tests/expected/enum-values.json-result:
3488         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
3489         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
3490         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
3491         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
3492         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
3493         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
3494         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
3495         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
3496         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
3497         * replay/EncodedValue.cpp:
3498         (JSC::EncodedValue::asObject):
3499         (JSC::EncodedValue::asArray):
3500         (JSC::EncodedValue::put<EncodedValue>):
3501         (JSC::EncodedValue::append<EncodedValue>):
3502         (JSC::EncodedValue::get<EncodedValue>):
3503         * replay/EncodedValue.h:
3504         * replay/scripts/CodeGeneratorReplayInputs.py:
3505         (Type.borrow_type):
3506         (Type.argument_type):
3507         (Generator.generate_member_move_expression):
3508         * runtime/ConsoleClient.cpp:
3509         (JSC::ConsoleClient::printConsoleMessageWithArguments):
3510         (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
3511         (JSC::ConsoleClient::logWithLevel):
3512         (JSC::ConsoleClient::clear):
3513         (JSC::ConsoleClient::dir):
3514         (JSC::ConsoleClient::dirXML):
3515         (JSC::ConsoleClient::table):
3516         (JSC::ConsoleClient::trace):
3517         (JSC::ConsoleClient::assertCondition):
3518         (JSC::ConsoleClient::group):
3519         (JSC::ConsoleClient::groupCollapsed):
3520         (JSC::ConsoleClient::groupEnd):
3521         * runtime/ConsoleClient.h:
3522         * runtime/TypeSet.cpp:
3523         (JSC::TypeSet::allStructureRepresentations):
3524         (JSC::TypeSet::inspectorTypeSet):
3525         (JSC::StructureShape::inspectorRepresentation):
3526         * runtime/TypeSet.h:
3527
3528 2015-01-07  Commit Queue  <commit-queue@webkit.org>
3529
3530         Unreviewed, rolling out r178039.
3531         https://bugs.webkit.org/show_bug.cgi?id=140187
3532
3533         Breaks ObjC Inspector Protocol (Requested by JoePeck on
3534         #webkit).
3535
3536         Reverted changeset:
3537
3538         "Web Inspector: purge PassRefPtr from Inspector code and use
3539         Ref for typed and untyped protocol objects"
3540         https://bugs.webkit.org/show_bug.cgi?id=140053
3541         http://trac.webkit.org/changeset/178039
3542
3543 2015-01-06  Brian J. Burg  <burg@cs.washington.edu>
3544
3545         Web Inspector: purge PassRefPtr from Inspector code and use Ref for typed and untyped protocol objects
3546         https://bugs.webkit.org/show_bug.cgi?id=140053
3547
3548         Reviewed by Andreas Kling.
3549
3550         This patch replaces uses of PassRefPtr with uses of RefPtr&& and WTF::move() in code
3551         related to Web Inspector. It also converts many uses of RefPtr to Ref where
3552         references are always non-null. These two refactorings have been combined since
3553         they tend to require similar changes to the code.
3554
3555         Creation methods for subclasses of InspectorValue now return a Ref, and callsites
3556         have been updated to take a Ref instead of RefPtr.
3557
3558         Builders for typed protocol objects now return a Ref. Since there is no implicit
3559         call to operator&, callsites now must explicitly call .release() to convert a
3560         builder object into the corresponding protocol object once required fields are set.
3561         Update callsites and use auto to eliminate repetition of longwinded protocol types.
3562
3563         Tests for inspector protocol and replay inputs have been rebaselined.
3564
3565         * bindings/ScriptValue.cpp:
3566         (Deprecated::jsToInspectorValue):
3567         (Deprecated::ScriptValue::toInspectorValue):
3568         * bindings/ScriptValue.h:
3569         * inspector/ConsoleMessage.cpp:
3570         (Inspector::ConsoleMessage::addToFrontend):
3571         * inspector/ContentSearchUtilities.cpp:
3572         (Inspector::ContentSearchUtilities::buildObjectForSearchMatch):
3573         (Inspector::ContentSearchUtilities::searchInTextByLines):
3574         * inspector/ContentSearchUtilities.h:
3575         * inspector/InjectedScript.cpp:
3576         (Inspector::InjectedScript::getFunctionDetails):
3577         (Inspector::InjectedScript::getProperties):
3578         (Inspector::InjectedScript::getInternalProperties):
3579         (Inspector::InjectedScript::wrapCallFrames):
3580         (Inspector::InjectedScript::wrapObject):
3581         (Inspector::InjectedScript::wrapTable):
3582         * inspector/InjectedScript.h:
3583         * inspector/InjectedScriptBase.cpp:
3584         (Inspector::InjectedScriptBase::makeEvalCall): Split the early exits.
3585         * inspector/InspectorBackendDispatcher.cpp:
3586         (Inspector::InspectorBackendDispatcher::CallbackBase::CallbackBase):
3587         (Inspector::InspectorBackendDispatcher::CallbackBase::sendIfActive):
3588         (Inspector::InspectorBackendDispatcher::create):
3589         (Inspector::InspectorBackendDispatcher::dispatch):
3590         (Inspector::InspectorBackendDispatcher::sendResponse):
3591         (Inspector::InspectorBackendDispatcher::reportProtocolError):
3592         (Inspector::getPropertyValue): Add a comment to clarify what this clever code does.
3593         (Inspector::InspectorBackendDispatcher::getInteger):
3594         (Inspector::InspectorBackendDispatcher::getDouble):
3595         (Inspector::InspectorBackendDispatcher::getString):
3596         (Inspector::InspectorBackendDispatcher::getBoolean):
3597         (Inspector::InspectorBackendDispatcher::getObject):
3598         (Inspector::InspectorBackendDispatcher::getArray):
3599         (Inspector::InspectorBackendDispatcher::getValue):
3600         * inspector/InspectorBackendDispatcher.h: Use a typed protocol object to collect
3601         protocol error strings.
3602         (Inspector::InspectorSupplementalBackendDispatcher::InspectorSupplementalBackendDispatcher):
3603         Convert the supplemental dispatcher's reference to Ref since it is never null.
3604         * inspector/InspectorEnvironment.h:
3605         * inspector/InspectorProtocolTypes.h: Get rid of ArrayItemHelper and
3606         StructItemTraits. Add more versions of addItem to handle pushing various types.
3607         (Inspector::Protocol::Array::openAccessors):
3608         (Inspector::Protocol::Array::addItem):
3609         (Inspector::Protocol::Array::create):
3610         (Inspector::Protocol::StructItemTraits::push):
3611         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast): Assert argument.
3612         (Inspector::Protocol::StructItemTraits::pushRefPtr): Deleted.
3613         (Inspector::Protocol::ArrayItemHelper<String>::Traits::pushRaw): Deleted.
3614         (Inspector::Protocol::ArrayItemHelper<int>::Traits::pushRaw): Deleted.
3615         (Inspector::Protocol::ArrayItemHelper<double>::Traits::pushRaw): Deleted.
3616         (Inspector::Protocol::ArrayItemHelper<bool>::Traits::pushRaw): Deleted.
3617         (Inspector::Protocol::ArrayItemHelper<InspectorValue>::Traits::pushRefPtr): Deleted.
3618         (Inspector::Protocol::ArrayItemHelper<InspectorObject>::Traits::pushRefPtr): Deleted.
3619         (Inspector::Protocol::ArrayItemHelper<InspectorArray>::Traits::pushRefPtr): Deleted.
3620         (Inspector::Protocol::ArrayItemHelper<Protocol::Array<T>>::Traits::pushRefPtr): Deleted.
3621         * inspector/InspectorValues.cpp: Straighten out getArray and getObject to have
3622         the same call signature as other getters. Use Ref where possible.
3623         (Inspector::InspectorObjectBase::getBoolean):
3624         (Inspector::InspectorObjectBase::getString):
3625         (Inspector::InspectorObjectBase::getObject):
3626         (Inspector::InspectorObjectBase::getArray):
3627         (Inspector::InspectorObjectBase::getValue):
3628         (Inspector::InspectorObjectBase::writeJSON):
3629         (Inspector::InspectorArrayBase::get):
3630         (Inspector::InspectorObject::create):
3631         (Inspector::InspectorArray::create):
3632         (Inspector::InspectorValue::null):
3633         (Inspector::InspectorString::create):
3634         (Inspector::InspectorBasicValue::create):
3635         (Inspector::InspectorObjectBase::get): Deleted.
3636         * inspector/InspectorValues.h:
3637         (Inspector::InspectorObjectBase::setValue):
3638         (Inspector::InspectorObjectBase::setObject):
3639         (Inspector::InspectorObjectBase::setArray):
3640         (Inspector::InspectorArrayBase::pushValue):
3641         (Inspector::InspectorArrayBase::pushObject):
3642         (Inspector::InspectorArrayBase::pushArray):
3643         * inspector/JSGlobalObjectConsoleClient.cpp:
3644         (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
3645         (Inspector::JSGlobalObjectConsoleClient::count):
3646         (Inspector::JSGlobalObjectConsoleClient::timeEnd):
3647         (Inspector::JSGlobalObjectConsoleClient::timeStamp):
3648         * inspector/JSGlobalObjectConsoleClient.h:
3649         * inspector/JSGlobalObjectInspectorController.cpp:
3650         (Inspector::JSGlobalObjectInspectorController::executionStopwatch):
3651         * inspector/JSGlobalObjectInspectorController.h:
3652         * inspector/ScriptCallFrame.cpp:
3653         (Inspector::ScriptCallFrame::buildInspectorObject):
3654         * inspector/ScriptCallFrame.h:
3655         * inspector/ScriptCallStack.cpp:
3656         (Inspector::ScriptCallStack::create):
3657         (Inspector::ScriptCallStack::buildInspectorArray):
3658         * inspector/ScriptCallStack.h:
3659         * inspector/agents/InspectorAgent.cpp:
3660         (Inspector::InspectorAgent::enable):
3661         (Inspector::InspectorAgent::inspect):
3662         (Inspector::InspectorAgent::activateExtraDomain):
3663         * inspector/agents/InspectorAgent.h:
3664         * inspector/agents/InspectorDebuggerAgent.cpp:
3665         (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
3666         (Inspector::buildObjectForBreakpointCookie):
3667         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
3668         (Inspector::InspectorDebuggerAgent::setBreakpoint):
3669         (Inspector::InspectorDebuggerAgent::continueToLocation):
3670         (Inspector::InspectorDebuggerAgent::resolveBreakpoint):
3671         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
3672         (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP):
3673         (Inspector::InspectorDebuggerAgent::currentCallFrames):
3674         (Inspector::InspectorDebuggerAgent::didParseSource):
3675         (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
3676         (Inspector::InspectorDebuggerAgent::breakProgram):
3677         * inspector/agents/InspectorDebuggerAgent.h:
3678         * inspector/agents/InspectorRuntimeAgent.cpp:
3679         (Inspector::buildErrorRangeObject):
3680         (Inspector::InspectorRuntimeAgent::callFunctionOn):
3681         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
3682         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
3683         * inspector/agents/InspectorRuntimeAgent.h:
3684         * inspector/scripts/codegen/cpp_generator.py:
3685         (CppGenerator.cpp_type_for_unchecked_formal_in_parameter):
3686         (CppGenerator.cpp_type_for_type_with_name):
3687         (CppGenerator.cpp_type_for_formal_async_parameter):
3688         (CppGenerator.should_use_references_for_type):
3689         (CppGenerator):
3690         * inspector/scripts/codegen/cpp_generator_templates.py:
3691         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
3692         (CppBackendDispatcherHeaderGenerator.generate_output):
3693         (CppBackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
3694         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
3695         (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
3696         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
3697         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
3698         (CppFrontendDispatcherHeaderGenerator.generate_output):
3699         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
3700         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
3701         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
3702         (CppProtocolTypesHeaderGenerator.generate_output):
3703         (_generate_class_for_object_declaration):
3704         (_generate_unchecked_setter_for_member):
3705         (_generate_forward_declarations_for_binding_traits):
3706         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
3707         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
3708         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
3709         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
3710         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
3711         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
3712         (ObjCProtocolTypesImplementationGenerator.generate_output):
3713         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
3714         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
3715         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
3716         * inspector/scripts/tests/expected/enum-values.json-result:
3717         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
3718         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
3719         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
3720         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
3721         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
3722         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
3723         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
3724         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
3725         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
3726         * replay/EncodedValue.cpp:
3727         (JSC::EncodedValue::asObject):
3728         (JSC::EncodedValue::asArray):
3729         (JSC::EncodedValue::put<EncodedValue>):
3730         (JSC::EncodedValue::append<EncodedValue>):
3731         (JSC::EncodedValue::get<EncodedValue>):
3732         * replay/EncodedValue.h:
3733         * replay/scripts/CodeGeneratorReplayInputs.py:
3734         (Type.borrow_type):
3735         (Type.argument_type):
3736         (Generator.generate_member_move_expression):
3737         * runtime/ConsoleClient.cpp:
3738         (JSC::ConsoleClient::printConsoleMessageWithArguments):
3739         (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
3740         (JSC::ConsoleClient::logWithLevel):
3741         (JSC::ConsoleClient::clear):
3742         (JSC::ConsoleClient::dir):
3743         (JSC::ConsoleClient::dirXML):
3744         (JSC::ConsoleClient::table):
3745         (JSC::ConsoleClient::trace):
3746         (JSC::ConsoleClient::assertCondition):
3747         (JSC::ConsoleClient::group):
3748         (JSC::ConsoleClient::groupCollapsed):
3749         (JSC::ConsoleClient::groupEnd):
3750         * runtime/ConsoleClient.h:
3751         * runtime/TypeSet.cpp:
3752         (JSC::TypeSet::allStructureRepresentations):
3753         (JSC::TypeSet::inspectorTypeSet):
3754         (JSC::StructureShape::inspectorRepresentation):
3755         * runtime/TypeSet.h:
3756
3757 2015-01-06  Chris Dumez  <cdumez@apple.com>
3758
3759         Drop ResourceResponseBase::connectionID and connectionReused members
3760         https://bugs.webkit.org/show_bug.cgi?id=140158
3761
3762         Reviewed by Sam Weinig.
3763
3764         Drop ResourceResponseBase::connectionID and connectionReused members.
3765         Those were needed by the Chromium port but are no longer used.
3766
3767         * inspector/protocol/Network.json:
3768
3769 2015-01-06  Mark Lam  <mark.lam@apple.com>
3770
3771         Add the lexicalEnvironment as an operand to op_create_arguments.
3772         <https://webkit.org/b/140148>
3773
3774         Reviewed by Geoffrey Garen.
3775
3776         This patch only adds the operand to the bytecode.  It is not in use yet.
3777
3778         * bytecode/BytecodeList.json:
3779         * bytecode/BytecodeUseDef.h:
3780         (JSC::computeUsesForBytecodeOffset):
3781         * bytecode/CodeBlock.cpp:
3782         (JSC::CodeBlock::dumpBytecode):
3783         * bytecompiler/BytecodeGenerator.cpp:
3784         (JSC::BytecodeGenerator::BytecodeGenerator):
3785         (JSC::BytecodeGenerator::createArgumentsIfNecessary):
3786         - Adds the lexicalEnvironment register (if present) as an operand to
3787           op_create_arguments.  Else, adds a constant empty JSValue.
3788         * llint/LowLevelInterpreter32_64.asm:
3789         * llint/LowLevelInterpreter64.asm:
3790
3791 2015-01-06  Alexey Proskuryakov  <ap@apple.com>
3792
3793         ADDRESS_SANITIZER macro is overloaded
3794         https://bugs.webkit.org/show_bug.cgi?id=140130
3795
3796         Reviewed by Anders Carlsson.
3797
3798         * interpreter/JSStack.cpp: (JSC::JSStack::sanitizeStack): Use the new macro.
3799         This code is nearly unused (only compiled in when JIT is disabled at build time),
3800         however I've been told that it's best to keep it.
3801
3802 2015-01-06  Mark Lam  <mark.lam@apple.com>
3803
3804         Fix Use details for op_create_arguments.
3805         <https://webkit.org/b/140110>
3806
3807         Rubber stamped by Filip Pizlo.
3808
3809         The previous patch was wrong about op_create_arguments not using its 1st operand.
3810         It does read from it (hence, used) to check if the Arguments object has already
3811         been created or not.  This patch reverts the change for op_create_arguments.
3812
3813         * bytecode/BytecodeUseDef.h:
3814         (JSC::computeUsesForBytecodeOffset):
3815
3816 2015-01-06  Mark Lam  <mark.lam@apple.com>
3817
3818         Fix Use details for op_create_lexical_environment and op_create_arguments.
3819         <https://webkit.org/b/140110>
3820
3821         Reviewed by Filip Pizlo.
3822
3823         The current "Use" details for op_create_lexical_environment and
3824         op_create_arguments are wrong.  op_create_argument uses nothing instead of the
3825         1st operand (the output local).  op_create_lexical_environment uses its 2nd
3826         operand (the scope chain) instead of the 1st (the output local).
3827         This patch fixes them to specify the proper uses.
3828
3829         * bytecode/BytecodeUseDef.h:
3830         (JSC::computeUsesForBytecodeOffset):
3831
3832 2015-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>
3833
3834         Implement ES6 String.prototype.repeat(count)
3835         https://bugs.webkit.org/show_bug.cgi?id=140047
3836
3837         Reviewed by Darin Adler.
3838
3839         Introducing ES6 String.prototype.repeat(count) function.
3840
3841         * runtime/JSString.h:
3842         * runtime/StringPrototype.cpp:
3843         (JSC::StringPrototype::finishCreation):
3844         (JSC::repeatSmallString):
3845         (JSC::stringProtoFuncRepeat):
3846
3847 2015-01-03  Michael Saboff  <msaboff@apple.com>
3848
3849         Crash in operationNewFunction when scrolling on Google+
3850         https://bugs.webkit.org/show_bug.cgi?id=140033
3851
3852         Reviewed by Oliver Hunt.
3853
3854         In DFG code, the scope register can be eliminated because all uses have been
3855         dead code eliminated.  In the case where one of the uses was creating a function
3856         that is never used, the baseline code will still create the function.  If we OSR
3857         exit to a path where that function gets created, check the scope register value
3858         and set the new, but dead, function to undefined instead of creating a new function.
3859
3860         * jit/JITOpcodes.cpp:
3861         (JSC::JIT::emit_op_new_func_exp):
3862
3863 2015-01-01  Yusuke Suzuki  <utatane.tea@gmail.com>
3864
3865         String includes methods perform toString on searchString before toInt32 on an offset
3866         https://bugs.webkit.org/show_bug.cgi?id=140031
3867
3868         Reviewed by Darin Adler.
3869
3870         * runtime/StringPrototype.cpp:
3871         (JSC::stringProtoFuncStartsWith):
3872         (JSC::stringProtoFuncEndsWith):
3873         (JSC::stringProtoFuncIncludes):
3874
3875 2015-01-01  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
3876
3877         Change to return std::unique_ptr<> in fooCreate()
3878         https://bugs.webkit.org/show_bug.cgi?id=139983
3879
3880         Reviewed by Darin Adler.
3881
3882         To avoid unnecessary std::unique_ptr<> casting, fooCreate() returns std::unique_ptr<> directly.
3883
3884         * create_regex_tables:
3885         * yarr/YarrPattern.h:
3886         (JSC::Yarr::YarrPattern::reset):
3887         (JSC::Yarr::YarrPattern::newlineCharacterClass):
3888         (JSC::Yarr::YarrPattern::digitsCharacterClass):
3889         (JSC::Yarr::YarrPattern::spacesCharacterClass):
3890         (JSC::Yarr::YarrPattern::wordcharCharacterClass):
3891         (JSC::Yarr::YarrPattern::nondigitsCharacterClass):
3892         (JSC::Yarr::YarrPattern::nonspacesCharacterClass):
3893         (JSC::Yarr::YarrPattern::nonwordcharCharacterClass):
3894
3895 2015-01-01  Jeff Miller  <jeffm@apple.com>
3896
3897         Update user-visible copyright strings to include 2015
3898         https://bugs.webkit.org/show_bug.cgi?id=139880
3899
3900         Reviewed by Darin Adler.
3901
3902         * Info.plist:
3903
3904 2015-01-01  Darin Adler  <darin@apple.com>
3905
3906         We often misspell identifier as "identifer"
3907         https://bugs.webkit.org/show_bug.cgi?id=140025
3908
3909         Reviewed by Michael Saboff.
3910
3911         * runtime/ArrayConventions.h: Fix it.