Source/JavaScriptCore/ChangeLog (WebKit)
2015-02-02  Filip Pizlo  <fpizlo@apple.com>

        [FTL] inlined GetMyArgumentByVal with no arguments passed causes instant crash
        https://bugs.webkit.org/show_bug.cgi?id=141180
        rdar://problem/19677552

        Reviewed by Benjamin Poulain.

        If we do a GetMyArgumentByVal on an inlined call frame that has no arguments, then the
        bounds check already terminates execution. This means we can skip the part where we
        previously did an out-of-bound array access on the inlined call frame arguments vector.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::safelyInvalidateAfterTermination):
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
        (JSC::FTL::LowerDFGToLLVM::terminate):
        (JSC::FTL::LowerDFGToLLVM::didAlreadyTerminate):
        (JSC::FTL::LowerDFGToLLVM::crash):
        * tests/stress/get-my-argument-by-val-inlined-no-formal-parameters.js: Added.
        (foo):
        (bar):

2015-02-02  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r179477): arguments simplification no longer works
        https://bugs.webkit.org/show_bug.cgi?id=141169

        Reviewed by Mark Lam.

        The operations involved in callee/scope access don't exit and shouldn't get in the way
        of strength-reducing a Flush to a PhantomLocal. Then the PhantomLocal shouldn't get in
        the way of further such strength-reduction. We also need to canonicalize PhantomLocal
        before running arguments simplification.

        * dfg/DFGMayExit.cpp:
        (JSC::DFG::mayExit):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):

2015-02-02  Filip Pizlo  <fpizlo@apple.com>

        VirtualRegister should really know how to dump itself
        https://bugs.webkit.org/show_bug.cgi?id=141171

        Reviewed by Geoffrey Garen.

        Gives VirtualRegister a dump() method that pretty-prints the virtual register. The rest of
        the patch is all about using this new power.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::constantName):
        (JSC::CodeBlock::registerName):
        * bytecode/CodeBlock.h:
        (JSC::missingThisObjectMarker): Deleted.
        * bytecode/VirtualRegister.cpp: Added.
        (JSC::VirtualRegister::dump):
        * bytecode/VirtualRegister.h:
        (WTF::printInternal): Deleted.
        * dfg/DFGArgumentPosition.h:
        (JSC::DFG::ArgumentPosition::dump):
        * dfg/DFGFlushedAt.cpp:
        (JSC::DFG::FlushedAt::dump):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGPutLocalSinkingPhase.cpp:
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::reportValidationContext):
        * dfg/DFGValueSource.cpp:
        (JSC::DFG::ValueSource::dump):
        * dfg/DFGVariableEvent.cpp:
        (JSC::DFG::VariableEvent::dump):
        (JSC::DFG::VariableEvent::dumpSpillInfo):
        * ftl/FTLExitArgumentForOperand.cpp:
        (JSC::FTL::ExitArgumentForOperand::dump):
        * ftl/FTLExitValue.cpp:
        (JSC::FTL::ExitValue::dumpInContext):
        * profiler/ProfilerBytecodeSequence.cpp:
        (JSC::Profiler::BytecodeSequence::BytecodeSequence):

2015-02-02  Geoffrey Garen  <ggaren@apple.com>

        Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
        https://bugs.webkit.org/show_bug.cgi?id=140900

        Reviewed by Mark Hahnenberg.

        Re-landing just the HandleBlock piece of this patch.

        * heap/HandleBlock.h:
        * heap/HandleBlockInlines.h:
        (JSC::HandleBlock::create):
        (JSC::HandleBlock::destroy):
        (JSC::HandleBlock::HandleBlock):
        (JSC::HandleBlock::payloadEnd):
        * heap/HandleSet.cpp:
        (JSC::HandleSet::~HandleSet):
        (JSC::HandleSet::grow):

2015-02-02  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Support console.table
        https://bugs.webkit.org/show_bug.cgi?id=141058

        Reviewed by Timothy Hatcher.

        * inspector/InjectedScriptSource.js:
        Include the firstLevelKeys filter when generating previews.

        * runtime/ConsoleClient.cpp:
        (JSC::appendMessagePrefix):
        Differentiate console.table logs to system log.

2015-01-31  Filip Pizlo  <fpizlo@apple.com>

        BinarySwitch should be faster on average
        https://bugs.webkit.org/show_bug.cgi?id=141046

        Reviewed by Anders Carlsson.

        This optimizes our binary switch using math. It's strictly better than what we had before
        assuming we bottom out in some case (rather than fall through), assuming all cases get
        hit with equal probability. The difference is particularly large for large switch
        statements. For example, a switch statement with 1000 cases would previously require on
        average 13.207 branches to get to some case, while now it just requires 10.464.

        This is also a progression for the fall-through case, though we could shave off another
        1/6 branch on average if we wanted to - though it would regress taking a case (not falling
        through) by 1/6 branch. I believe it's better to bias the BinarySwitch for not falling
        through.

        This also adds some randomness to the algorithm to minimize the likelihood of us
        generating a switch statement that is always particularly bad for some input. Note that
        the randomness has no effect on average-case performance assuming all cases are equally
        likely.

        This ought to have no actual performance change because we don't rely on binary switches
        that much. The main reason why this change is interesting is that I'm finding myself
        increasingly relying on BinarySwitch, and I'd like to know that it's optimal.

        * jit/BinarySwitch.cpp:
        (JSC::BinarySwitch::BinarySwitch):
        (JSC::BinarySwitch::~BinarySwitch):
        (JSC::BinarySwitch::build):
        * jit/BinarySwitch.h:

2015-02-02  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Extend CSS.getSupportedCSSProperties to provide values for properties for CSS Augmented JSContext
        https://bugs.webkit.org/show_bug.cgi?id=141064

        Reviewed by Timothy Hatcher.

        * inspector/protocol/CSS.json:

2015-02-02  Daniel Bates  <dabates@apple.com>

        [iOS] ASSERTION FAILED: m_scriptExecutionContext->isContextThread() in ContextDestructionObserver::observeContext
        https://bugs.webkit.org/show_bug.cgi?id=141057
        <rdar://problem/19068790>

        Reviewed by Alexey Proskuryakov.

        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::receivedIndicateMessage): Modified to call WTF::callOnWebThreadOrDispatchAsyncOnMainThread().
        (Inspector::dispatchAsyncOnQueueSafeForAnyDebuggable): Deleted; moved logic to common helper function,
        WTF::callOnWebThreadOrDispatchAsyncOnMainThread() so that it can be called from both RemoteInspector::receivedIndicateMessage()
        and CryptoKeyRSA::generatePair().

2015-02-02  Saam Barati  <saambarati1@gmail.com>

        Create tests for JSC's Control Flow Profiler
        https://bugs.webkit.org/show_bug.cgi?id=141123

        Reviewed by Filip Pizlo.

        This patch creates a control flow profiler testing API in jsc.cpp
        that accepts a function and a string as arguments. The string must
        be a substring of the text of the function argument. The API returns
        a boolean indicating whether or not the basic block that encloses the
        substring has executed.

        This patch uses this API to test that the control flow profiler
        behaves as expected on basic block boundaries. These tests do not
        provide full coverage for all JavaScript statements that can create
        basic blocks boundaries. Full coverage will come in a later patch.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionHasBasicBlockExecuted):
        * runtime/ControlFlowProfiler.cpp:
        (JSC::ControlFlowProfiler::hasBasicBlockAtTextOffsetBeenExecuted):
        * runtime/ControlFlowProfiler.h:
        * tests/controlFlowProfiler: Added.
        * tests/controlFlowProfiler.yaml: Added.
        * tests/controlFlowProfiler/driver: Added.
        * tests/controlFlowProfiler/driver/driver.js: Added.
        (assert):
        * tests/controlFlowProfiler/if-statement.js: Added.
        (testIf):
        (noMatches):
        * tests/controlFlowProfiler/loop-statements.js: Added.
        (forRegular):
        (forIn):
        (forOf):
        (whileLoop):
        * tests/controlFlowProfiler/switch-statements.js: Added.
        (testSwitch):
        * tests/controlFlowProfiler/test-jit.js: Added.
        (tierUpToBaseline):
        (tierUpToDFG):
        (baselineTest):
        (dfgTest):

2015-01-28  Filip Pizlo  <fpizlo@apple.com>

        Polymorphic call inlining should be based on polymorphic call inline caching rather than logging
        https://bugs.webkit.org/show_bug.cgi?id=140660

        Reviewed by Geoffrey Garen.

        When we first implemented polymorphic call inlining, we did the profiling based on a call
        edge log. The idea was to store each call edge (a tuple of call site and callee) into a
        global log that was processed lazily. Processing the log would give precise counts of call
        edges, and could be used to drive well-informed inlining decisions - polymorphic or not.
        This was a speed-up on throughput tests but a slow-down for latency tests. It was a net win
        nonetheless.

        Experience with this code shows three things. First, the call edge profiler is buggy and
        complex. It would take work to fix the bugs. Second, the call edge profiler incurs lots of
        overhead for latency code that we care deeply about. Third, it's not at all clear that
        having call edge counts for every possible callee is any better than just having call edge
        counts for the limited number of callees that an inline cache would catch.

        So, this patch removes the call edge profiler and replaces it with a polymorphic call inline
        cache. If we miss the basic call inline cache, we inflate the cache to be a jump to an
        out-of-line stub that cases on the previously known callees. If that misses again, then we
        rewrite that stub to include the new callee. We do this up to some number of callees. If we
        hit the limit then we switch to using a plain virtual call.

        Substantial speed-up on V8Spider; undoes the slow-down that the original call edge profiler
        caused. Might be a SunSpider speed-up (below 1%), depending on hardware.

        Rolling this back in after fixing https://bugs.webkit.org/show_bug.cgi?id=141107.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CallEdge.h:
        (JSC::CallEdge::count):
        (JSC::CallEdge::CallEdge):
        * bytecode/CallEdgeProfile.cpp: Removed.
        * bytecode/CallEdgeProfile.h: Removed.
        * bytecode/CallEdgeProfileInlines.h: Removed.
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::unlink):
        (JSC::CallLinkInfo::visitWeak):
        * bytecode/CallLinkInfo.h:
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::CallLinkStatus):
        (JSC::CallLinkStatus::computeFor):
        (JSC::CallLinkStatus::computeFromCallLinkInfo):
        (JSC::CallLinkStatus::isClosureCall):
        (JSC::CallLinkStatus::makeClosureCall):
        (JSC::CallLinkStatus::dump):
        (JSC::CallLinkStatus::computeFromCallEdgeProfile): Deleted.
        * bytecode/CallLinkStatus.h:
        (JSC::CallLinkStatus::CallLinkStatus):
        (JSC::CallLinkStatus::isSet):
        (JSC::CallLinkStatus::variants):
        (JSC::CallLinkStatus::size):
        (JSC::CallLinkStatus::at):
        (JSC::CallLinkStatus::operator[]):
        (JSC::CallLinkStatus::canOptimize):
        (JSC::CallLinkStatus::edges): Deleted.
        (JSC::CallLinkStatus::canTrustCounts): Deleted.
        * bytecode/CallVariant.cpp:
        (JSC::variantListWithVariant):
        (JSC::despecifiedVariantList):
        * bytecode/CallVariant.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::linkIncomingPolymorphicCall):
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::noticeIncomingCall):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::isIncomingCallAlreadyLinked): Deleted.
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):
        (JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling): Deleted.
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * jit/BinarySwitch.h:
        * jit/ClosureCallStubRoutine.cpp: Removed.
        * jit/ClosureCallStubRoutine.h: Removed.
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        (JSC::operationLinkPolymorphicCallFor):
        (JSC::operationLinkClosureCallFor): Deleted.
        * jit/JITStubRoutine.h:
        * jit/JITWriteBarrier.h:
        * jit/PolymorphicCallStubRoutine.cpp: Added.
        (JSC::PolymorphicCallNode::~PolymorphicCallNode):
        (JSC::PolymorphicCallNode::unlink):
        (JSC::PolymorphicCallCase::dump):
        (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
        (JSC::PolymorphicCallStubRoutine::~PolymorphicCallStubRoutine):
        (JSC::PolymorphicCallStubRoutine::variants):
        (JSC::PolymorphicCallStubRoutine::edges):
        (JSC::PolymorphicCallStubRoutine::visitWeak):
        (JSC::PolymorphicCallStubRoutine::markRequiredObjectsInternal):
        * jit/PolymorphicCallStubRoutine.h: Added.
        (JSC::PolymorphicCallNode::PolymorphicCallNode):
        (JSC::PolymorphicCallCase::PolymorphicCallCase):
        (JSC::PolymorphicCallCase::variant):
        (JSC::PolymorphicCallCase::codeBlock):
        * jit/Repatch.cpp:
        (JSC::linkSlowFor):
        (JSC::linkFor):
        (JSC::revertCall):
        (JSC::unlinkFor):
        (JSC::linkVirtualFor):
        (JSC::linkPolymorphicCall):
        (JSC::linkClosureCall): Deleted.
        * jit/Repatch.h:
        * jit/ThunkGenerators.cpp:
        (JSC::linkPolymorphicCallForThunkGenerator):
        (JSC::linkPolymorphicCallThunkGenerator):
        (JSC::linkPolymorphicCallThatPreservesRegsThunkGenerator):
        (JSC::linkClosureCallForThunkGenerator): Deleted.
        (JSC::linkClosureCallThunkGenerator): Deleted.
        (JSC::linkClosureCallThatPreservesRegsThunkGenerator): Deleted.
        * jit/ThunkGenerators.h:
        (JSC::linkPolymorphicCallThunkGeneratorFor):
        (JSC::linkClosureCallThunkGeneratorFor): Deleted.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        * runtime/Options.h:
        * runtime/VM.cpp:
        (JSC::VM::prepareToDiscardCode):
        (JSC::VM::ensureCallEdgeLog): Deleted.
        * runtime/VM.h:

2015-01-30  Filip Pizlo  <fpizlo@apple.com>

        Converting Flushes and PhantomLocals to Phantoms requires an OSR availability analysis rather than just using the SetLocal's child
        https://bugs.webkit.org/show_bug.cgi?id=141107

        Reviewed by Michael Saboff.

        See the bugzilla for a discussion of the problem. This addresses the problem by ensuring
        that Flushes are always strength-reduced to PhantomLocals, and CPS rethreading does a mini
        OSR availability analysis to determine the right MovHint value to use for the Phantom.

        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::CPSRethreadingPhase):
        (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
        (JSC::DFG::CPSRethreadingPhase::clearVariables):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
        (JSC::DFG::CPSRethreadingPhase::clearVariablesAtHeadAndTail): Deleted.
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertPhantomToPhantomLocal):
        (JSC::DFG::Node::convertFlushToPhantomLocal):
        (JSC::DFG::Node::convertToPhantomLocal): Deleted.
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * tests/stress/inline-call-that-doesnt-use-all-args.js: Added.
        (foo):
        (bar):
        (baz):

2015-01-31  Michael Saboff  <msaboff@apple.com>

        Crash (DFG assertion) beneath AbstractInterpreter::verifyEdge() @ http://experilous.com/1/planet-generator/2014-09-28/version-1
        https://bugs.webkit.org/show_bug.cgi?id=141111

        Reviewed by Filip Pizlo.

        In LowerDFGToLLVM::compileNode(), if we determine while compiling a node that we would have
        exited, we don't need to process the OSR availability or abstract interpreter.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::safelyInvalidateAfterTermination): Broke this out as a separate
        method since we need to call it at the top and near the bottom of compileNode().
        (JSC::FTL::LowerDFGToLLVM::compileNode):

2015-01-31  Sam Weinig  <sam@webkit.org>

        Remove even more Mountain Lion support
        https://bugs.webkit.org/show_bug.cgi?id=141124

        Reviewed by Alexey Proskuryakov.

        * API/tests/DateTests.mm:
        * Configurations/Base.xcconfig:
        * Configurations/DebugRelease.xcconfig:
        * Configurations/FeatureDefines.xcconfig:
        * Configurations/Version.xcconfig:
        * jit/ExecutableAllocatorFixedVMPool.cpp:

2015-01-31  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r179426.
        https://bugs.webkit.org/show_bug.cgi?id=141119

        "caused a memory use regression" (Requested by Guest45 on
        #webkit).

        Reverted changeset:

        "Use FastMalloc (bmalloc) instead of BlockAllocator for GC
        pages"
        https://bugs.webkit.org/show_bug.cgi?id=140900
        http://trac.webkit.org/changeset/179426

2015-01-30  Daniel Bates  <dabates@apple.com>

        Clean up: Remove unnecessary <dispatch/dispatch.h> header from RemoteInspectorDebuggableConnection.h
        https://bugs.webkit.org/show_bug.cgi?id=141067

        Reviewed by Timothy Hatcher.

        Remove the header <dispatch/dispatch.h> from RemoteInspectorDebuggableConnection.h as we
        do not make use of its functionality. Instead, include this header in RemoteInspectorDebuggableConnection.mm
        and RemoteInspector.mm. The latter depended on <dispatch/dispatch.h> being included via
        header RemoteInspectorDebuggableConnection.h.

        * inspector/remote/RemoteInspector.mm: Include header <dispatch/dispatch.h>.
        * inspector/remote/RemoteInspectorDebuggableConnection.h: Remove header <dispatch/dispatch.h>.
        * inspector/remote/RemoteInspectorDebuggableConnection.mm: Include header <dispatch/dispatch.h>.

2015-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        Implement ES6 Symbol
        https://bugs.webkit.org/show_bug.cgi?id=140435

        Reviewed by Geoffrey Garen.

        This patch implements ES6 Symbol. In this patch, we don't support
        Symbol.keyFor, Symbol.for, Object.getOwnPropertySymbols. They will be
        supported in the subsequent patches.

        Since ES6 Symbol is introduced as a new primitive value, we implement
        Symbol as a class derived from JSCell. And now JSValue accepts Symbol*
        as a new primitive value.

        Symbol has a *unique* flagged StringImpl* as a `uid`, whose pointer
        value represents the Symbol's identity. So don't use the Symbol's
        JSCell pointer value for comparison.
        This enables re-producing the Symbol primitive value from the StringImpl* uid
        by executing `Symbol::create(vm, uid)`. This is needed to produce
        Symbol primitive values from stored StringImpl* in `Object.getOwnPropertySymbols`.

        And Symbol.[[Description]] is folded into the string value of Symbol's uid.
        By doing so, we can represent ES6 Symbol without extending the current PropertyTable key, StringImpl*.

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.order:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        * builtins/BuiltinNames.h:
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::subtype):
        * interpreter/Interpreter.cpp:
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getByVal):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * runtime/CommonIdentifiers.h:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::opIn):
        * runtime/ExceptionHelpers.cpp:
        (JSC::createUndefinedVariableError):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::synthesizePrototype):
        (JSC::JSValue::dumpInContextAssumingStructure):
        (JSC::JSValue::toStringSlowCase):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isSymbol):
        (JSC::JSValue::isPrimitive):
        (JSC::JSValue::toPropertyKey):

        It represents the ToPropertyKey abstract operation in the ES6 spec.
        It cleans up the old implementation's `isName` checks.
        And to prevent performance regressions in
            js/regress/fold-get-by-id-to-multi-get-by-offset-rare-int.html
            js/regress/fold-get-by-id-to-multi-get-by-offset.html
        we annotate this function as ALWAYS_INLINE.

        (JSC::JSValue::getPropertySlot):
        (JSC::JSValue::get):
        (JSC::JSValue::equalSlowCaseInline):
        (JSC::JSValue::strictEqualSlowCaseInline):
        * runtime/JSCell.cpp:
        (JSC::JSCell::put):
        (JSC::JSCell::putByIndex):
        (JSC::JSCell::toPrimitive):
        (JSC::JSCell::getPrimitiveNumber):
        (JSC::JSCell::toNumber):
        (JSC::JSCell::toObject):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::isSymbol):
        (JSC::JSCell::toBoolean):
        (JSC::JSCell::pureToBoolean):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::symbolPrototype):
        (JSC::JSGlobalObject::symbolObjectStructure):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Stringifier):
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
        * runtime/JSType.h:
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::isName): Deleted.
        * runtime/MapData.cpp:
        (JSC::MapData::find):
        (JSC::MapData::add):
        (JSC::MapData::remove):
        (JSC::MapData::replaceAndPackBackingStore):
        * runtime/MapData.h:
        (JSC::MapData::clear):
        * runtime/NameInstance.h: Removed.
        * runtime/NamePrototype.cpp: Removed.
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyDescriptor):
        (JSC::objectConstructorDefineProperty):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncHasOwnProperty):
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):
        (JSC::objectProtoFuncPropertyIsEnumerable):
        * runtime/Operations.cpp:
        (JSC::jsTypeStringForValue):
        (JSC::jsIsObjectType):
        * runtime/PrivateName.h:
        (JSC::PrivateName::PrivateName):
        (JSC::PrivateName::operator==):
        (JSC::PrivateName::operator!=):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::find):
        (JSC::PropertyTable::get):
        * runtime/PropertyName.h:
        (JSC::PropertyName::PropertyName):
        (JSC::PropertyName::publicName):
        * runtime/SmallStrings.h:
        * runtime/StringConstructor.cpp:
        (JSC::callStringConstructor):

        In ES6, the String constructor accepts a Symbol when executing `String(symbol)`.

        * runtime/Structure.cpp:
        (JSC::Structure::getPropertyNamesFromStructure):
        * runtime/StructureInlines.h:
        (JSC::Structure::prototypeForLookup):
        * runtime/Symbol.cpp: Added.
        (JSC::Symbol::Symbol):
        (JSC::SymbolObject::create):
        (JSC::Symbol::toPrimitive):
        (JSC::Symbol::toBoolean):
        (JSC::Symbol::getPrimitiveNumber):
        (JSC::Symbol::toObject):
        (JSC::Symbol::toNumber):
        (JSC::Symbol::destroy):
        (JSC::Symbol::descriptiveString):
        * runtime/Symbol.h: Added.
        (JSC::Symbol::createStructure):
        (JSC::Symbol::create):
        (JSC::Symbol::privateName):
        (JSC::Symbol::finishCreation):
        (JSC::asSymbol):
        * runtime/SymbolConstructor.cpp: Renamed from Source/JavaScriptCore/runtime/NameConstructor.cpp.
        (JSC::SymbolConstructor::SymbolConstructor):
        (JSC::SymbolConstructor::finishCreation):
        (JSC::callSymbol):
        (JSC::SymbolConstructor::getConstructData):
        (JSC::SymbolConstructor::getCallData):
        * runtime/SymbolConstructor.h: Renamed from Source/JavaScriptCore/runtime/NameConstructor.h.
        (JSC::SymbolConstructor::create):
        (JSC::SymbolConstructor::createStructure):
        * runtime/SymbolObject.cpp: Renamed from Source/JavaScriptCore/runtime/NameInstance.cpp.
        (JSC::SymbolObject::SymbolObject):
        (JSC::SymbolObject::finishCreation):
        (JSC::SymbolObject::defaultValue):

        JSC doesn't support @@toPrimitive yet. So instead of it, we implement
        Symbol.prototype[@@toPrimitive] as ES5 Symbol.[[DefaultValue]].

        * runtime/SymbolObject.h: Added.
        (JSC::SymbolObject::create):
        (JSC::SymbolObject::internalValue):
        (JSC::SymbolObject::createStructure):
        * runtime/SymbolPrototype.cpp: Added.
        (JSC::SymbolPrototype::SymbolPrototype):
        (JSC::SymbolPrototype::finishCreation):
        (JSC::SymbolPrototype::getOwnPropertySlot):
        (JSC::symbolProtoFuncToString):
        (JSC::symbolProtoFuncValueOf):
        * runtime/SymbolPrototype.h: Renamed from Source/JavaScriptCore/runtime/NamePrototype.h.
        (JSC::SymbolPrototype::create):
        (JSC::SymbolPrototype::createStructure):

        The SymbolPrototype object is an ordinary JS object, not a wrapper object of Symbol.
        It is tested in js/symbol-prototype-is-ordinary-object.html.

        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2015-01-30  Geoffrey Garen  <ggaren@apple.com>

        Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
        https://bugs.webkit.org/show_bug.cgi?id=140900

        Reviewed by Mark Hahnenberg.

        Re-landing just the HandleBlock piece of this patch.

        * heap/HandleBlock.h:
        * heap/HandleBlockInlines.h:
        (JSC::HandleBlock::create):
        (JSC::HandleBlock::destroy):
        (JSC::HandleBlock::HandleBlock):
        (JSC::HandleBlock::payloadEnd):
        * heap/HandleSet.cpp:
        (JSC::HandleSet::~HandleSet):
        (JSC::HandleSet::grow):

690 2015-01-30  Geoffrey Garen  <ggaren@apple.com>
691
692         GC marking threads should clear malloc caches
693         https://bugs.webkit.org/show_bug.cgi?id=141097
694
695         Reviewed by Sam Weinig.
696
697         Follow-up based on Mark Hahnenberg's review: Release after the copy
698         phase, rather than after any phase, since we'd rather not release
699         between marking and copying.
700
701         * heap/GCThread.cpp:
702         (JSC::GCThread::waitForNextPhase):
703         (JSC::GCThread::gcThreadMain):
704
705 2015-01-30  Geoffrey Garen  <ggaren@apple.com>
706
707         GC marking threads should clear malloc caches
708         https://bugs.webkit.org/show_bug.cgi?id=141097
709
710         Reviewed by Andreas Kling.
711
712         This is an attempt to ameliorate a potential memory use regression
713         caused by https://bugs.webkit.org/show_bug.cgi?id=140900
714         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages.
715
716         FastMalloc may accumulate a per-thread cache on each of the 8-ish
717         GC marking threads, which can be expensive.
718
719         * heap/GCThread.cpp:
720         (JSC::GCThread::waitForNextPhase): Scavenge the current thread before
721         going to sleep. There's probably not too much value in keeping our
722         per-thread cache between GCs, and it has some memory footprint.
723
724 2015-01-30  Chris Dumez  <cdumez@apple.com>
725
726         Rename shared() static member functions to singleton() for singleton classes.
727         https://bugs.webkit.org/show_bug.cgi?id=141088
728
729         Reviewed by Ryosuke Niwa and Benjamin Poulain.
730
731         Rename shared() static member functions to singleton() for singleton
732         classes as per the recent coding style change.
733
734         * inspector/remote/RemoteInspector.h:
735         * inspector/remote/RemoteInspector.mm:
736         (Inspector::RemoteInspector::singleton):
737         (Inspector::RemoteInspector::start):
738         (Inspector::RemoteInspector::shared): Deleted.
739         * inspector/remote/RemoteInspectorDebuggable.cpp:
740         (Inspector::RemoteInspectorDebuggable::~RemoteInspectorDebuggable):
741         (Inspector::RemoteInspectorDebuggable::init):
742         (Inspector::RemoteInspectorDebuggable::update):
743         (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
744         (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection):
745         (Inspector::RemoteInspectorDebuggable::unpauseForInitializedInspector):
746         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
747         (Inspector::RemoteInspectorDebuggableConnection::setup):
748         (Inspector::RemoteInspectorDebuggableConnection::sendMessageToFrontend):
749
750 2015-01-30  Geoffrey Garen  <ggaren@apple.com>
751
752         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
753         https://bugs.webkit.org/show_bug.cgi?id=140900
754
755         Reviewed by Mark Hahnenberg.
756
757         Re-landing just the CopyWorkListSegment piece of this patch.
758
759         * heap/CopiedBlockInlines.h:
760         (JSC::CopiedBlock::reportLiveBytes):
761         * heap/CopyWorkList.h:
762         (JSC::CopyWorkListSegment::create):
763         (JSC::CopyWorkListSegment::destroy):
764         (JSC::CopyWorkListSegment::CopyWorkListSegment):
765         (JSC::CopyWorkList::CopyWorkList):
766         (JSC::CopyWorkList::~CopyWorkList):
767         (JSC::CopyWorkList::append):
768
769 2015-01-29  Commit Queue  <commit-queue@webkit.org>
770
771         Unreviewed, rolling out r179357 and r179358.
772         https://bugs.webkit.org/show_bug.cgi?id=141062
773
774         Suspect this caused WebGL tests to start flaking (Requested by
775         kling on #webkit).
776
777         Reverted changesets:
778
779         "Polymorphic call inlining should be based on polymorphic call
780         inline caching rather than logging"
781         https://bugs.webkit.org/show_bug.cgi?id=140660
782         http://trac.webkit.org/changeset/179357
783
784         "Unreviewed, fix no-JIT build."
785         http://trac.webkit.org/changeset/179358
786
787 2015-01-29  Geoffrey Garen  <ggaren@apple.com>
788
789         Removed op_ret_object_or_this
790         https://bugs.webkit.org/show_bug.cgi?id=141048
791
792         Reviewed by Michael Saboff.
793
794         op_ret_object_or_this was one opcode that would keep us out of the
795         optimizing compilers.
796
797         We don't need a special-purpose opcode; we can just use a branch.
798
799         * bytecode/BytecodeBasicBlock.cpp:
800         (JSC::isTerminal): Removed.
801         * bytecode/BytecodeList.json:
802         * bytecode/BytecodeUseDef.h:
803         (JSC::computeUsesForBytecodeOffset):
804         (JSC::computeDefsForBytecodeOffset): Removed.
805
806         * bytecode/CodeBlock.cpp:
807         (JSC::CodeBlock::dumpBytecode): Removed.
808
809         * bytecompiler/BytecodeGenerator.cpp:
810         (JSC::BytecodeGenerator::emitReturn): Use an explicit branch to determine
811         if we need to substitute 'this' for the return value. Our engine no longer
812         benefits from fused opcodes that dispatch less in the interpreter.
813
814         * jit/JIT.cpp:
815         (JSC::JIT::privateCompileMainPass):
816         * jit/JIT.h:
817         * jit/JITCall32_64.cpp:
818         (JSC::JIT::emit_op_ret_object_or_this): Deleted.
819         * jit/JITOpcodes.cpp:
820         (JSC::JIT::emit_op_ret_object_or_this): Deleted.
821         * llint/LowLevelInterpreter32_64.asm:
822         * llint/LowLevelInterpreter64.asm: Removed.
823
824 2015-01-29  Ryosuke Niwa  <rniwa@webkit.org>
825
826         Implement ES6 class syntax without inheritance support
827         https://bugs.webkit.org/show_bug.cgi?id=140918
828
829         Reviewed by Geoffrey Garen.
830
831         Added the most basic support for ES6 class syntax. After this patch, we support basic class definition like:
832         class A {
833             constructor() { }
834             someMethod() { }
835         }
836
837         We'll add the support for the "extends" keyword and automatically generating a constructor in follow-up patches.
838         We also don't support block scoping of a class declaration.
839
840         We support both class declaration and class expression. A class expression is implemented by the newly added
841         ClassExprNode AST node. A class declaration is implemented by ClassDeclNode, which is a thin wrapper around
842         AssignResolveNode.
843
844         Tests: js/class-syntax-declaration.html
845                js/class-syntax-expression.html
846
847         * bytecompiler/NodesCodegen.cpp:
848         (JSC::ObjectLiteralNode::emitBytecode): Create a new object instead of delegating the work to PropertyListNode.
849         Also fixed the 5-space indentation.
850         (JSC::PropertyListNode::emitBytecode): Don't create a new object now that ObjectLiteralNode does this.
851         (JSC::ClassDeclNode::emitBytecode): Added. Just let the AssignResolveNode node emit the byte code.
852         (JSC::ClassExprNode::emitBytecode): Create the class constructor and add static methods to the constructor by
853         emitting the byte code for PropertyListNode. Add instance methods to the class's prototype object the same way.
854
855         * parser/ASTBuilder.h:
856         (JSC::ASTBuilder::createClassExpr): Added. Creates a ClassExprNode.
857         (JSC::ASTBuilder::createClassDeclStatement): Added. Creates an AssignResolveNode and wraps it in a ClassDeclNode.
858
859         * parser/NodeConstructors.h:
860         (JSC::ClassDeclNode::ClassDeclNode): Added.
861         (JSC::ClassExprNode::ClassExprNode): Added.
862
863         * parser/Nodes.h:
864         (JSC::ClassExprNode): Added.
865         (JSC::ClassDeclNode): Added.
866
867         * parser/Parser.cpp:
868         (JSC::Parser<LexerType>::parseStatement): Added the support for class declaration.
869         (JSC::stringForFunctionMode): Return "method" for MethodMode.
870         (JSC::Parser<LexerType>::parseClassDeclaration): Added. Uses parseClass to create a class expression and wraps
871         it with ClassDeclNode as described above.
872         (JSC::Parser<LexerType>::parseClass): Parses a class expression.
873         (JSC::Parser<LexerType>::parseProperty):
874         (JSC::Parser<LexerType>::parseGetterSetter): Extracted from parseProperty to share the code between parseProperty
875         and parseClass.
876         (JSC::Parser<LexerType>::parsePrimaryExpression): Added the support for class expression.
877
878         * parser/Parser.h:
879         (FunctionParseMode): Added MethodMode.
880
881         * parser/SyntaxChecker.h:
882         (JSC::SyntaxChecker::createClassExpr): Added.
883         (JSC::SyntaxChecker::createClassDeclStatement): Added.
884
885 2015-01-29  Geoffrey Garen  <ggaren@apple.com>
886
887         Try to fix the Windows build.
888
889         Not reviewed.
890
891         * heap/WeakBlock.h: Use the fully qualified name when declaring our friend.
892
893 2015-01-29  Geoffrey Garen  <ggaren@apple.com>
894
895         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
896         https://bugs.webkit.org/show_bug.cgi?id=140900
897
898         Reviewed by Mark Hahnenberg.
899
900         Re-landing just the WeakBlock piece of this patch.
901
902         * heap/WeakBlock.cpp:
903         (JSC::WeakBlock::create):
904         (JSC::WeakBlock::destroy):
905         (JSC::WeakBlock::WeakBlock):
906         * heap/WeakBlock.h:
907         * heap/WeakSet.cpp:
908         (JSC::WeakSet::~WeakSet):
909         (JSC::WeakSet::addAllocator):
910         (JSC::WeakSet::removeAllocator):
911
912 2015-01-29  Geoffrey Garen  <ggaren@apple.com>
913
914         Use Vector instead of GCSegmentedArray in CodeBlockSet
915         https://bugs.webkit.org/show_bug.cgi?id=141044
916
917         Reviewed by Ryosuke Niwa.
918
919         This is allowed now that we've gotten rid of fastMallocForbid.
920
921         4kB was a bit overkill for just storing a few pointers.
922
923         * heap/CodeBlockSet.cpp:
924         (JSC::CodeBlockSet::CodeBlockSet):
925         * heap/CodeBlockSet.h:
926         * heap/Heap.cpp:
927         (JSC::Heap::Heap):
928
929 2015-01-29  Filip Pizlo  <fpizlo@apple.com>
930
931         Unreviewed, fix no-JIT build.
932
933         * jit/PolymorphicCallStubRoutine.cpp:
934
935 2015-01-28  Filip Pizlo  <fpizlo@apple.com>
936
937         Polymorphic call inlining should be based on polymorphic call inline caching rather than logging
938         https://bugs.webkit.org/show_bug.cgi?id=140660
939
940         Reviewed by Geoffrey Garen.
941         
942         When we first implemented polymorphic call inlining, we did the profiling based on a call
943         edge log. The idea was to store each call edge (a tuple of call site and callee) into a
944         global log that was processed lazily. Processing the log would give precise counts of call
945         edges, and could be used to drive well-informed inlining decisions - polymorphic or not.
946         This was a speed-up on throughput tests but a slow-down for latency tests. It was a net win
947         nonetheless.
948         
949         Experience with this code shows three things. First, the call edge profiler is buggy and
950         complex. It would take work to fix the bugs. Second, the call edge profiler incurs lots of
951         overhead for latency code that we care deeply about. Third, it's not at all clear that
952         having call edge counts for every possible callee is any better than just having call edge
953         counts for the limited number of callees that an inline cache would catch.
954         
955         So, this patch removes the call edge profiler and replaces it with a polymorphic call inline
956         cache. If we miss the basic call inline cache, we inflate the cache to be a jump to an
957         out-of-line stub that cases on the previously known callees. If that misses again, then we
958         rewrite that stub to include the new callee. We do this up to some number of callees. If we
959         hit the limit then we switch to using a plain virtual call.
960         
961         Substantial speed-up on V8Spider; undoes the slow-down that the original call edge profiler
962         caused. Might be a SunSpider speed-up (below 1%), depending on hardware.
963
964         * CMakeLists.txt:
965         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
966         * JavaScriptCore.xcodeproj/project.pbxproj:
967         * bytecode/CallEdge.h:
968         (JSC::CallEdge::count):
969         (JSC::CallEdge::CallEdge):
970         * bytecode/CallEdgeProfile.cpp: Removed.
971         * bytecode/CallEdgeProfile.h: Removed.
972         * bytecode/CallEdgeProfileInlines.h: Removed.
973         * bytecode/CallLinkInfo.cpp:
974         (JSC::CallLinkInfo::unlink):
975         (JSC::CallLinkInfo::visitWeak):
976         * bytecode/CallLinkInfo.h:
977         * bytecode/CallLinkStatus.cpp:
978         (JSC::CallLinkStatus::CallLinkStatus):
979         (JSC::CallLinkStatus::computeFor):
980         (JSC::CallLinkStatus::computeFromCallLinkInfo):
981         (JSC::CallLinkStatus::isClosureCall):
982         (JSC::CallLinkStatus::makeClosureCall):
983         (JSC::CallLinkStatus::dump):
984         (JSC::CallLinkStatus::computeFromCallEdgeProfile): Deleted.
985         * bytecode/CallLinkStatus.h:
986         (JSC::CallLinkStatus::CallLinkStatus):
987         (JSC::CallLinkStatus::isSet):
988         (JSC::CallLinkStatus::variants):
989         (JSC::CallLinkStatus::size):
990         (JSC::CallLinkStatus::at):
991         (JSC::CallLinkStatus::operator[]):
992         (JSC::CallLinkStatus::canOptimize):
993         (JSC::CallLinkStatus::edges): Deleted.
994         (JSC::CallLinkStatus::canTrustCounts): Deleted.
995         * bytecode/CallVariant.cpp:
996         (JSC::variantListWithVariant):
997         (JSC::despecifiedVariantList):
998         * bytecode/CallVariant.h:
999         * bytecode/CodeBlock.cpp:
1000         (JSC::CodeBlock::~CodeBlock):
1001         (JSC::CodeBlock::linkIncomingPolymorphicCall):
1002         (JSC::CodeBlock::unlinkIncomingCalls):
1003         (JSC::CodeBlock::noticeIncomingCall):
1004         * bytecode/CodeBlock.h:
1005         (JSC::CodeBlock::isIncomingCallAlreadyLinked): Deleted.
1006         * dfg/DFGAbstractInterpreterInlines.h:
1007         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1008         * dfg/DFGByteCodeParser.cpp:
1009         (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
1010         (JSC::DFG::ByteCodeParser::handleCall):
1011         (JSC::DFG::ByteCodeParser::handleInlining):
1012         * dfg/DFGClobberize.h:
1013         (JSC::DFG::clobberize):
1014         * dfg/DFGConstantFoldingPhase.cpp:
1015         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1016         * dfg/DFGDoesGC.cpp:
1017         (JSC::DFG::doesGC):
1018         * dfg/DFGDriver.cpp:
1019         (JSC::DFG::compileImpl):
1020         * dfg/DFGFixupPhase.cpp:
1021         (JSC::DFG::FixupPhase::fixupNode):
1022         * dfg/DFGNode.h:
1023         (JSC::DFG::Node::hasHeapPrediction):
1024         * dfg/DFGNodeType.h:
1025         * dfg/DFGOperations.cpp:
1026         * dfg/DFGPredictionPropagationPhase.cpp:
1027         (JSC::DFG::PredictionPropagationPhase::propagate):
1028         * dfg/DFGSafeToExecute.h:
1029         (JSC::DFG::safeToExecute):
1030         * dfg/DFGSpeculativeJIT32_64.cpp:
1031         (JSC::DFG::SpeculativeJIT::emitCall):
1032         (JSC::DFG::SpeculativeJIT::compile):
1033         * dfg/DFGSpeculativeJIT64.cpp:
1034         (JSC::DFG::SpeculativeJIT::emitCall):
1035         (JSC::DFG::SpeculativeJIT::compile):
1036         * dfg/DFGTierUpCheckInjectionPhase.cpp:
1037         (JSC::DFG::TierUpCheckInjectionPhase::run):
1038         (JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling): Deleted.
1039         * ftl/FTLCapabilities.cpp:
1040         (JSC::FTL::canCompile):
1041         * heap/Heap.cpp:
1042         (JSC::Heap::collect):
1043         * jit/BinarySwitch.h:
1044         * jit/ClosureCallStubRoutine.cpp: Removed.
1045         * jit/ClosureCallStubRoutine.h: Removed.
1046         * jit/JITCall.cpp:
1047         (JSC::JIT::compileOpCall):
1048         * jit/JITCall32_64.cpp:
1049         (JSC::JIT::compileOpCall):
1050         * jit/JITOperations.cpp:
1051         * jit/JITOperations.h:
1052         (JSC::operationLinkPolymorphicCallFor):
1053         (JSC::operationLinkClosureCallFor): Deleted.
1054         * jit/JITStubRoutine.h:
1055         * jit/JITWriteBarrier.h:
1056         * jit/PolymorphicCallStubRoutine.cpp: Added.
1057         (JSC::PolymorphicCallNode::~PolymorphicCallNode):
1058         (JSC::PolymorphicCallNode::unlink):
1059         (JSC::PolymorphicCallCase::dump):
1060         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
1061         (JSC::PolymorphicCallStubRoutine::~PolymorphicCallStubRoutine):
1062         (JSC::PolymorphicCallStubRoutine::variants):
1063         (JSC::PolymorphicCallStubRoutine::edges):
1064         (JSC::PolymorphicCallStubRoutine::visitWeak):
1065         (JSC::PolymorphicCallStubRoutine::markRequiredObjectsInternal):
1066         * jit/PolymorphicCallStubRoutine.h: Added.
1067         (JSC::PolymorphicCallNode::PolymorphicCallNode):
1068         (JSC::PolymorphicCallCase::PolymorphicCallCase):
1069         (JSC::PolymorphicCallCase::variant):
1070         (JSC::PolymorphicCallCase::codeBlock):
1071         * jit/Repatch.cpp:
1072         (JSC::linkSlowFor):
1073         (JSC::linkFor):
1074         (JSC::revertCall):
1075         (JSC::unlinkFor):
1076         (JSC::linkVirtualFor):
1077         (JSC::linkPolymorphicCall):
1078         (JSC::linkClosureCall): Deleted.
1079         * jit/Repatch.h:
1080         * jit/ThunkGenerators.cpp:
1081         (JSC::linkPolymorphicCallForThunkGenerator):
1082         (JSC::linkPolymorphicCallThunkGenerator):
1083         (JSC::linkPolymorphicCallThatPreservesRegsThunkGenerator):
1084         (JSC::linkClosureCallForThunkGenerator): Deleted.
1085         (JSC::linkClosureCallThunkGenerator): Deleted.
1086         (JSC::linkClosureCallThatPreservesRegsThunkGenerator): Deleted.
1087         * jit/ThunkGenerators.h:
1088         (JSC::linkPolymorphicCallThunkGeneratorFor):
1089         (JSC::linkClosureCallThunkGeneratorFor): Deleted.
1090         * llint/LLIntSlowPaths.cpp:
1091         (JSC::LLInt::jitCompileAndSetHeuristics):
1092         * runtime/Options.h:
1093         * runtime/VM.cpp:
1094         (JSC::VM::prepareToDiscardCode):
1095         (JSC::VM::ensureCallEdgeLog): Deleted.
1096         * runtime/VM.h:
1097
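        The entry above describes the polymorphic call inline cache as a state machine: a call
        site starts unlinked, the first callee links it, each further distinct callee rewrites
        the out-of-line stub to case on one more callee, and past a limit the site falls back to
        a plain virtual call. The following is an added example that models that state machine
        in plain C++; it is not WebKit code. The names CallSite, Callee, runScenario and the
        limit of four callees are assumptions made for the example, and the callees are
        constructed stand-ins for JS functions, keyed by address the way the real cache keys on
        callee identity.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

// Constructed stand-in for a JavaScript function; its address is its identity.
struct Callee {
    std::string name;
    int delta;
    int invoke(int arg) const { return arg + delta; }
};

enum class CallSiteState { Unlinked, Monomorphic, Polymorphic, Virtual };

// Model of one call site's inline cache (assumed name, not WebKit's class).
class CallSite {
public:
    explicit CallSite(size_t maxPolymorphicCallees) : m_limit(maxPolymorphicCallees) { }

    int call(const Callee* callee, int arg)
    {
        // Fast path: the cache, or the stub it was inflated to, already cases on this callee.
        for (const Callee* known : m_cases) {
            if (known == callee) {
                ++m_hits;
                return callee->invoke(arg);
            }
        }
        ++m_misses;
        if (m_state == CallSiteState::Virtual)
            return callee->invoke(arg); // past the limit: plain virtual call, nothing recorded
        if (m_cases.size() < m_limit) {
            // Miss: rewrite the stub so it also cases on the new callee.
            m_cases.push_back(callee);
            m_state = m_cases.size() == 1 ? CallSiteState::Monomorphic : CallSiteState::Polymorphic;
        } else {
            // One callee too many: drop the cases and switch to a virtual call.
            m_cases.clear();
            m_state = CallSiteState::Virtual;
        }
        return callee->invoke(arg);
    }

    CallSiteState state() const { return m_state; }
    size_t hits() const { return m_hits; }
    size_t misses() const { return m_misses; }

    // The callees the stub currently cases on: what an optimizing compiler
    // would consult when deciding which callees to inline at this site.
    std::vector<std::string> knownCallees() const
    {
        std::vector<std::string> names;
        for (const Callee* known : m_cases)
            names.push_back(known->name);
        return names;
    }

private:
    size_t m_limit;
    CallSiteState m_state = CallSiteState::Unlinked;
    std::vector<const Callee*> m_cases;
    size_t m_hits = 0;
    size_t m_misses = 0;
};

struct ScenarioResult {
    CallSiteState finalState;
    size_t knownCallees;
    size_t hits;
    size_t misses;
    long long sum; // sum of call results, to check dispatch still returns the right values
};

// Call `distinctCallees` constructed callees once per round through one site.
ScenarioResult runScenario(size_t limit, size_t distinctCallees, int rounds)
{
    std::vector<Callee> pool;
    pool.reserve(distinctCallees); // addresses must stay stable: the cache keys on them
    for (size_t i = 0; i < distinctCallees; ++i)
        pool.push_back(Callee { "f" + std::to_string(i), static_cast<int>(i) + 1 });

    CallSite site(limit);
    long long sum = 0;
    for (int round = 0; round < rounds; ++round) {
        for (const Callee& callee : pool)
            sum += site.call(&callee, round);
    }
    return { site.state(), site.knownCallees().size(), site.hits(), site.misses(), sum };
}

int main()
{
    const char* names[] = { "unlinked", "monomorphic", "polymorphic", "virtual" };
    for (size_t distinct = 1; distinct <= 5; distinct += 2) {
        ScenarioResult r = runScenario(4, distinct, 2);
        std::printf("%zu callees: %s, %zu cached, %zu hits, %zu misses\n", distinct,
            names[static_cast<int>(r.finalState)], r.knownCallees, r.hits, r.misses);
    }
    return 0;
}
```

        With one callee the site stays monomorphic, with three it becomes polymorphic and every
        later call hits, and with five it crosses the assumed limit of four, drops its cases and
        goes virtual, after which nothing is recorded for the compiler to inline.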
1098 2015-01-29  Joseph Pecoraro  <pecoraro@apple.com>
1099
1100         Web Inspector: ES6: Improved Console Format for Set and Map Objects (like Arrays)
1101         https://bugs.webkit.org/show_bug.cgi?id=122867
1102
1103         Reviewed by Timothy Hatcher.
1104
1105         Add new Runtime.RemoteObject object subtypes for "map", "set", and "weakmap".
1106
1107         Upgrade Runtime.ObjectPreview to include type/subtype information. Now,
1108         an ObjectPreview can be used for any value, in place of a RemoteObject,
1109         and not capture / hold a reference to the value. The value will be in
1110         the string description.
1111
1112         Adding this information to ObjectPreview can duplicate some information
1113         in the protocol messages if a preview is provided, but simplifies
1114         previews, so that all the information you need for any RemoteObject
1115         preview is available. To slim messages further, make "overflow" and
1116         "properties" only available on previews that may contain properties.
1117         So, not primitives or null.
1118
1119         Finally, for "Map/Set/WeakMap" add an "entries" list to the preview
1120         that will return previews with "key" and "value" properties depending
1121         on the collection type. To get live, non-preview objects from a
1122         collection, use Runtime.getCollectionEntries.
1123
1124         In order to keep the WeakMap's values Weak the frontend may provide
1125         a unique object group name when getting collection entries. It may
1126         then release that object group, e.g. when not showing the WeakMap's
1127         values to the user, and thus remove the strong reference to the keys
1128         so they may be garbage collected.
1129
1130         * runtime/WeakMapData.h:
1131         (JSC::WeakMapData::begin):
1132         (JSC::WeakMapData::end):
1133         Expose iterators so the Inspector may access WeakMap keys/values.
1134
1135         * inspector/JSInjectedScriptHostPrototype.cpp:
1136         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
1137         (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapEntries):
1138         * inspector/JSInjectedScriptHost.h:
1139         * inspector/JSInjectedScriptHost.cpp:
1140         (Inspector::JSInjectedScriptHost::subtype):
1141         Discern "map", "set", and "weakmap" object subtypes.
1142
1143         (Inspector::JSInjectedScriptHost::weakMapEntries):
1144         Return a list of WeakMap entries. These are strong references
1145         that the Inspector code is responsible for releasing.
1146
1147         * inspector/protocol/Runtime.json:
1148         Update types and expose the new getCollectionEntries command.
1149
1150         * inspector/agents/InspectorRuntimeAgent.h:
1151         * inspector/agents/InspectorRuntimeAgent.cpp:
1152         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
1153         * inspector/InjectedScript.h:
1154         * inspector/InjectedScript.cpp:
1155         (Inspector::InjectedScript::getInternalProperties):
1156         (Inspector::InjectedScript::getCollectionEntries):
1157         Pass through to the InjectedScript and call getCollectionEntries.
1158
1159         * inspector/scripts/codegen/generator.py:
1160         Add another type with runtime casting.
1161
1162         * inspector/InjectedScriptSource.js:
1163         - Implement getCollectionEntries to get a range of values from a
1164         collection. The non-Weak collections have an order to their keys (the
1165         order in which they were added) so ranged gets are okay. WeakMap does
1166         not have an order, so only allow fetching a number of values.
1167         - Update preview generation to address the Runtime.ObjectPreview
1168         type changes.
1169
1170 2015-01-28  Geoffrey Garen  <ggaren@apple.com>
1171
1172         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
1173         https://bugs.webkit.org/show_bug.cgi?id=140900
1174
1175         Reviewed by Mark Hahnenberg.
1176
1177         Re-landing just the GCArraySegment piece of this patch.
1178
1179         * heap/CodeBlockSet.cpp:
1180         (JSC::CodeBlockSet::CodeBlockSet):
1181         * heap/CodeBlockSet.h:
1182         * heap/GCSegmentedArray.h:
1183         (JSC::GCArraySegment::GCArraySegment):
1184         * heap/GCSegmentedArrayInlines.h:
1185         (JSC::GCSegmentedArray<T>::GCSegmentedArray):
1186         (JSC::GCSegmentedArray<T>::~GCSegmentedArray):
1187         (JSC::GCSegmentedArray<T>::clear):
1188         (JSC::GCSegmentedArray<T>::expand):
1189         (JSC::GCSegmentedArray<T>::refill):
1190         (JSC::GCArraySegment<T>::create):
1191         (JSC::GCArraySegment<T>::destroy):
1192         * heap/GCThreadSharedData.cpp:
1193         (JSC::GCThreadSharedData::GCThreadSharedData):
1194         * heap/Heap.cpp:
1195         (JSC::Heap::Heap):
1196         * heap/MarkStack.cpp:
1197         (JSC::MarkStackArray::MarkStackArray):
1198         * heap/MarkStack.h:
1199         * heap/SlotVisitor.cpp:
1200         (JSC::SlotVisitor::SlotVisitor):
1201
1202 2015-01-29  Csaba Osztrogonác  <ossy@webkit.org>
1203
1204         Move HAVE_DTRACE definition back to Platform.h
1205         https://bugs.webkit.org/show_bug.cgi?id=141033
1206
1207         Reviewed by Dan Bernstein.
1208
1209         * Configurations/Base.xcconfig:
1210         * JavaScriptCore.xcodeproj/project.pbxproj:
1211
1212 2015-01-28  Geoffrey Garen  <ggaren@apple.com>
1213
1214         Removed fastMallocForbid / fastMallocAllow
1215         https://bugs.webkit.org/show_bug.cgi?id=141012
1216
1217         Reviewed by Mark Hahnenberg.
1218
1219         Copy non-current thread stacks before scanning them instead of scanning
1220         them in-place.
1221
1222         This operation is uncommon (i.e., never in the web content process),
1223         and even in a stress test with 4 threads it only copies about 27kB,
1224         so I think the performance cost is OK.
1225
1226         Scanning in-place requires a complex dance where we constrain our GC
1227         data structures not to use malloc, free, or any other interesting functions
1228         that might acquire locks. We've gotten this wrong many times in the past,
1229         and I just got it wrong again yesterday. Since this code path is rarely
1230         tested, I want it to just make sense, and not depend on or constrain the
1231         details of the rest of the GC heap's design.
1232
1233         * heap/MachineStackMarker.cpp:
1234         (JSC::otherThreadStack): Factored out a helper function for dealing with
1235         unaligned and/or backwards pointers.
1236
1237         (JSC::MachineThreads::tryCopyOtherThreadStack): This is now the only
1238         constrained function, and it only calls memcpy and low-level thread APIs.
1239
1240         (JSC::MachineThreads::tryCopyOtherThreadStacks): The design here is that
1241         you do one pass over all the threads to compute their combined size,
1242         and then a second pass to do all the copying. In theory, the threads may
1243         grow in between passes, in which case you'll continue until the threads
1244         stop growing. In practice, you never continue.
1245
1246         (JSC::growBuffer): Helper function for growing.
1247
1248         (JSC::MachineThreads::gatherConservativeRoots):
1249         (JSC::MachineThreads::gatherFromOtherThread): Deleted.
1250         * heap/MachineStackMarker.h: Updated for interface changes.
1251
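        The two-pass design described above (one pass to compute the combined size of the other
        threads' stacks, a second pass to copy them, continuing only if a thread grew in between)
        is shown here as an added example in plain C++; it is not WebKit code. The thread stacks
        are constructed byte ranges, growBuffer and tryCopyOtherThreadStacks are written to play
        the roles the entry gives them, and letThreadsRun and runConstructedScenario are
        assumptions made so the growth between passes can be simulated offline.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Constructed stand-in for another thread's stack: a byte range that may grow
// once between passes, as a real thread's stack can while it keeps running.
struct FakeThread {
    std::vector<uint8_t> stack;
    size_t growBy;
};

static std::vector<uint8_t> filled(size_t n, uint8_t byte)
{
    return std::vector<uint8_t>(n, byte);
}

// Plays the role of growBuffer: size the destination to what the last pass asked for.
static void growBuffer(std::vector<uint8_t>& buffer, size_t capacity)
{
    buffer.resize(capacity);
}

// One pass over all threads. Returns the combined size seen during this pass;
// a stack is copied only while it still fits in `capacity`, so the first pass
// (capacity 0) only measures. This is the only step that touches other stacks,
// and it does nothing but memcpy.
static size_t tryCopyOtherThreadStacks(const std::vector<FakeThread>& threads,
    std::vector<uint8_t>& buffer, size_t capacity)
{
    size_t total = 0;
    for (const FakeThread& thread : threads) {
        size_t size = thread.stack.size();
        if (total + size <= capacity)
            std::memcpy(buffer.data() + total, thread.stack.data(), size);
        total += size;
    }
    return total;
}

// Constructed: let each thread "run" once so its stack may grow between passes.
static void letThreadsRun(std::vector<FakeThread>& threads)
{
    for (FakeThread& thread : threads) {
        if (!thread.growBy)
            continue;
        uint8_t fill = thread.stack.empty() ? 0 : thread.stack.back();
        thread.stack.insert(thread.stack.end(), thread.growBy, fill);
        thread.growBy = 0;
    }
}

// Outer loop: measure, grow, copy; repeat only while the threads grew in between.
static std::vector<uint8_t> copyOtherThreadStacks(std::vector<FakeThread>& threads, size_t& passes)
{
    std::vector<uint8_t> buffer;
    size_t capacity = 0;
    passes = 0;
    for (;;) {
        ++passes;
        size_t needed = tryCopyOtherThreadStacks(threads, buffer, capacity);
        if (needed <= capacity) {
            buffer.resize(needed); // everything fit: the copy is complete
            return buffer;
        }
        growBuffer(buffer, needed);
        capacity = needed;
        letThreadsRun(threads); // simulated interleaving between passes
    }
}

struct CopyResult { size_t passes; size_t bytes; size_t bytesFromFirstThread; };

// Two constructed threads (16 bytes of 0xAA, 32 bytes of 0xBB); optionally the
// first one grows by 8 bytes after the sizing pass.
CopyResult runConstructedScenario(bool firstThreadGrows)
{
    std::vector<FakeThread> threads = {
        { filled(16, 0xAA), firstThreadGrows ? size_t(8) : size_t(0) },
        { filled(32, 0xBB), 0 },
    };
    size_t passes = 0;
    std::vector<uint8_t> copy = copyOtherThreadStacks(threads, passes);
    size_t fromFirst = 0;
    for (uint8_t b : copy)
        if (b == 0xAA) ++fromFirst;
    return { passes, copy.size(), fromFirst };
}

int main()
{
    for (bool grows : { false, true }) {
        CopyResult r = runConstructedScenario(grows);
        std::printf("grows=%d: %zu passes, %zu bytes copied\n", grows, r.passes, r.bytes);
    }
    return 0;
}
```

        When no thread grows, the copy completes on the second pass, matching "in practice, you
        never continue"; when the first thread grows after the sizing pass, the second pass
        reports a larger total than the buffer holds, the buffer is grown once more and the
        third pass copies the full 56 bytes.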
1252 2015-01-28  Brian J. Burg  <burg@cs.washington.edu>
1253
1254         Web Inspector: remove CSS.setPropertyText, CSS.toggleProperty and related dead code
1255         https://bugs.webkit.org/show_bug.cgi?id=140961
1256
1257         Reviewed by Timothy Hatcher.
1258
1259         * inspector/protocol/CSS.json: Remove unused protocol methods.
1260
1261 2015-01-28  Dana Burkart  <dburkart@apple.com>
1262
1263         Move ASan flag settings from DebugRelease.xcconfig to Base.xcconfig
1264         https://bugs.webkit.org/show_bug.cgi?id=136765
1265
1266         Reviewed by Alexey Proskuryakov.
1267
1268         * Configurations/Base.xcconfig:
1269         * Configurations/DebugRelease.xcconfig:
1270
1271 2015-01-27  Filip Pizlo  <fpizlo@apple.com>
1272
1273         ExitSiteData saying m_takesSlowPath shouldn't mean early returning takesSlowPath() since for the non-LLInt case we later set m_couldTakeSlowPath, which is more precise
1274         https://bugs.webkit.org/show_bug.cgi?id=140980
1275
1276         Reviewed by Oliver Hunt.
1277
1278         * bytecode/CallLinkStatus.cpp:
1279         (JSC::CallLinkStatus::computeFor):
1280
1281 2015-01-27  Filip Pizlo  <fpizlo@apple.com>
1282
1283         Move DFGBinarySwitch out of the DFG so that all of the JITs can use it
1284         https://bugs.webkit.org/show_bug.cgi?id=140959
1285
1286         Rubber stamped by Geoffrey Garen.
1287         
1288         I want to use this for polymorphic stubs for https://bugs.webkit.org/show_bug.cgi?id=140660.
1289         This code no longer has DFG dependencies so this is a very clean move.
1290
1291         * CMakeLists.txt:
1292         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1293         * JavaScriptCore.xcodeproj/project.pbxproj:
1294         * dfg/DFGBinarySwitch.cpp: Removed.
1295         * dfg/DFGBinarySwitch.h: Removed.
1296         * dfg/DFGSpeculativeJIT.cpp:
1297         * jit/BinarySwitch.cpp: Copied from Source/JavaScriptCore/dfg/DFGBinarySwitch.cpp.
1298         * jit/BinarySwitch.h: Copied from Source/JavaScriptCore/dfg/DFGBinarySwitch.h.
1299
1300 2015-01-27  Commit Queue  <commit-queue@webkit.org>
1301
1302         Unreviewed, rolling out r179192.
1303         https://bugs.webkit.org/show_bug.cgi?id=140953
1304
1305         Caused numerous layout test failures (Requested by mattbaker_
1306         on #webkit).
1307
1308         Reverted changeset:
1309
1310         "Use FastMalloc (bmalloc) instead of BlockAllocator for GC
1311         pages"
1312         https://bugs.webkit.org/show_bug.cgi?id=140900
1313         http://trac.webkit.org/changeset/179192
1314
1315 2015-01-27  Michael Saboff  <msaboff@apple.com>
1316
1317         REGRESSION(r178591): 20% regression in Octane box2d
1318         https://bugs.webkit.org/show_bug.cgi?id=140948
1319
1320         Reviewed by Geoffrey Garen.
1321
1322         Added a check that we have a lexical environment to the arguments-is-captured check.
1323         It doesn't make sense to resolve "arguments" when it really isn't captured.
1324
1325         * bytecompiler/BytecodeGenerator.cpp:
1326         (JSC::BytecodeGenerator::willResolveToArgumentsRegister):
1327
1328 2015-01-26  Geoffrey Garen  <ggaren@apple.com>
1329
1330         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
1331         https://bugs.webkit.org/show_bug.cgi?id=140900
1332
1333         Reviewed by Mark Hahnenberg.
1334
1335         Removes some more custom allocation code.
1336
1337         Looks like a speedup. (See results attached to bugzilla.)
1338
1339         Will hopefully reduce memory use by improving sharing between the GC and
1340         malloc heaps.
1341
1342         * API/JSBase.cpp:
1343         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1344         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1345         * JavaScriptCore.xcodeproj/project.pbxproj: Feed the compiler.
1346
1347         * heap/BlockAllocator.cpp: Removed.
1348         * heap/BlockAllocator.h: Removed. No need for a custom allocator anymore.
1349
1350         * heap/CodeBlockSet.cpp:
1351         (JSC::CodeBlockSet::CodeBlockSet):
1352         * heap/CodeBlockSet.h: Feed the compiler.
1353
1354         * heap/CopiedBlock.h:
1355         (JSC::CopiedBlock::createNoZeroFill):
1356         (JSC::CopiedBlock::create):
1357         (JSC::CopiedBlock::CopiedBlock):
1358         (JSC::CopiedBlock::isOversize):
1359         (JSC::CopiedBlock::payloadEnd):
1360         (JSC::CopiedBlock::capacity):
1361         * heap/CopiedBlockInlines.h:
1362         (JSC::CopiedBlock::reportLiveBytes): Each copied block now tracks its
1363         own size, since we can't rely on Region to tell us our size anymore.
1364
1365         * heap/CopiedSpace.cpp:
1366         (JSC::CopiedSpace::~CopiedSpace):
1367         (JSC::CopiedSpace::tryAllocateOversize):
1368         (JSC::CopiedSpace::tryReallocateOversize):
1369         * heap/CopiedSpaceInlines.h:
1370         (JSC::CopiedSpace::recycleEvacuatedBlock):
1371         (JSC::CopiedSpace::recycleBorrowedBlock):
1372         (JSC::CopiedSpace::allocateBlockForCopyingPhase):
1373         (JSC::CopiedSpace::allocateBlock):
1374         (JSC::CopiedSpace::startedCopying): Deallocate blocks directly, rather
1375         than pushing them onto the block allocator's free list; the block
1376         allocator doesn't exist anymore.
1377
1378         * heap/CopyWorkList.h:
1379         (JSC::CopyWorkListSegment::create):
1380         (JSC::CopyWorkListSegment::CopyWorkListSegment):
1381         (JSC::CopyWorkList::~CopyWorkList):
1382         (JSC::CopyWorkList::append):
1383         (JSC::CopyWorkList::CopyWorkList): Deleted.
1384         * heap/GCSegmentedArray.h:
1385         (JSC::GCArraySegment::GCArraySegment):
1386         * heap/GCSegmentedArrayInlines.h:
1387         (JSC::GCSegmentedArray<T>::GCSegmentedArray):
1388         (JSC::GCSegmentedArray<T>::~GCSegmentedArray):
1389         (JSC::GCSegmentedArray<T>::clear):
1390         (JSC::GCSegmentedArray<T>::expand):
1391         (JSC::GCSegmentedArray<T>::refill):
1392         (JSC::GCArraySegment<T>::create):
1393         * heap/GCThreadSharedData.cpp:
1394         (JSC::GCThreadSharedData::GCThreadSharedData):
1395         * heap/GCThreadSharedData.h: Feed the compiler.
1396
1397         * heap/HandleBlock.h:
1398         * heap/HandleBlockInlines.h:
1399         (JSC::HandleBlock::create):
1400         (JSC::HandleBlock::HandleBlock):
1401         (JSC::HandleBlock::payloadEnd):
1402         * heap/HandleSet.cpp:
1403         (JSC::HandleSet::~HandleSet):
1404         (JSC::HandleSet::grow): Same as above.
1405
1406         * heap/Heap.cpp:
1407         (JSC::Heap::Heap):
1408         * heap/Heap.h: Removed the block allocator since it is unused now.
1409
1410         * heap/HeapBlock.h:
1411         (JSC::HeapBlock::destroy):
1412         (JSC::HeapBlock::HeapBlock):
1413         (JSC::HeapBlock::region): Deleted. Removed the Region pointer from each
1414         HeapBlock since a HeapBlock is just a normal allocation now.
1415
1416         * heap/HeapInlines.h:
1417         (JSC::Heap::blockAllocator): Deleted.
1418
1419         * heap/HeapTimer.cpp:
1420         * heap/MarkStack.cpp:
1421         (JSC::MarkStackArray::MarkStackArray):
1422         * heap/MarkStack.h: Feed the compiler.
1423
1424         * heap/MarkedAllocator.cpp:
1425         (JSC::MarkedAllocator::allocateBlock): No need to use a custom code path
1426         based on size, since we use a general purpose allocator now.
1427
1428         * heap/MarkedBlock.cpp:
1429         (JSC::MarkedBlock::create):
1430         (JSC::MarkedBlock::destroy):
1431         (JSC::MarkedBlock::MarkedBlock):
1432         * heap/MarkedBlock.h:
1433         (JSC::MarkedBlock::capacity): Track block size explicitly, like CopiedBlock.
1434
1435         * heap/MarkedSpace.cpp:
1436         (JSC::MarkedSpace::freeBlock):
1437         * heap/MarkedSpace.h:
1438
1439         * heap/Region.h: Removed.
1440
1441         * heap/SlotVisitor.cpp:
1442         (JSC::SlotVisitor::SlotVisitor): Removed reference to block allocator.
1443
1444         * heap/SuperRegion.cpp: Removed.
1445         * heap/SuperRegion.h: Removed.
1446
1447         * heap/WeakBlock.cpp:
1448         (JSC::WeakBlock::create):
1449         (JSC::WeakBlock::WeakBlock):
1450         * heap/WeakBlock.h:
1451         * heap/WeakSet.cpp:
1452         (JSC::WeakSet::~WeakSet):
1453         (JSC::WeakSet::addAllocator):
1454         (JSC::WeakSet::removeAllocator): Removed reference to block allocator.
1455
1456 2015-01-27  Csaba Osztrogonác  <ossy@webkit.org>
1457
1458         [ARM] Typo fix after r176083
1459         https://bugs.webkit.org/show_bug.cgi?id=140937
1460
1461         Reviewed by Anders Carlsson.
1462
1463         * assembler/ARMv7Assembler.h:
1464         (JSC::ARMv7Assembler::ldrh):
1465
1466 2015-01-27  Csaba Osztrogonác  <ossy@webkit.org>
1467
1468         [Win] Unreviewed gardening, skip failing tests.
1469
1470         * tests/exceptionFuzz.yaml: Skip exception fuzz tests due to bug140928.
1471         * tests/mozilla/mozilla-tests.yaml: Skip ecma/Date/15.9.5.28-1.js due to bug140927.
1472
1473 2015-01-26  Csaba Osztrogonác  <ossy@webkit.org>
1474
1475         [Win] Enable JSC stress tests by default
1476         https://bugs.webkit.org/show_bug.cgi?id=128307
1477
1478         Unreviewed typo fix after r179165.
1479
1480         * tests/mozilla/mozilla-tests.yaml:
1481
1482 2015-01-26  Csaba Osztrogonác  <ossy@webkit.org>
1483
1484         [Win] Enable JSC stress tests by default
1485         https://bugs.webkit.org/show_bug.cgi?id=128307
1486
1487         Reviewed by Brent Fulgham.
1488
1489         * tests/mozilla/mozilla-tests.yaml: Skipped on Windows.
1490         * tests/stress/ftl-arithcos.js: Skipped on Windows.
1491
1492 2015-01-26  Ryosuke Niwa  <rniwa@webkit.org>
1493
1494         Parse a function expression as a primary expression
1495         https://bugs.webkit.org/show_bug.cgi?id=140908
1496
1497         Reviewed by Mark Lam.
1498
1499         Moved the code to generate an AST node for a function expression from parseMemberExpression
1500         to parsePrimaryExpression to match the ES6 specification terminology:
1501         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-primary-expression
1502
1503         There should be no behavior change from this change since parsePrimaryExpression is only
1504         called in parseMemberExpression other than the fact that failIfStackOverflow() is called.
1505
1506         * parser/Parser.cpp:
1507         (JSC::Parser<LexerType>::parsePrimaryExpression):
1508         (JSC::Parser<LexerType>::parseMemberExpression):
1509
1510 2015-01-26  Myles C. Maxfield  <mmaxfield@apple.com>
1511
1512         [iOS] [SVG -> OTF Converter] Flip the switch off on iOS
1513         https://bugs.webkit.org/show_bug.cgi?id=140860
1514
1515         Reviewed by Darin Adler.
1516
1517         The fonts it makes are grotesque. (See what I did there? Typographic
1518         humor is the best humor.)
1519
1520         * Configurations/FeatureDefines.xcconfig:
1521
1522 2015-01-23  Joseph Pecoraro  <pecoraro@apple.com>
1523
1524         Web Inspector: Rename InjectedScriptHost::type to subtype
1525         https://bugs.webkit.org/show_bug.cgi?id=140841
1526
1527         Reviewed by Timothy Hatcher.
1528
1529         We were using this to set the subtype of an "object" type RemoteObject
1530         so we should clean up the name and call it subtype.
1531
1532         * inspector/InjectedScriptHost.h:
1533         * inspector/InjectedScriptSource.js:
1534         * inspector/JSInjectedScriptHost.cpp:
1535         (Inspector::JSInjectedScriptHost::subtype):
1536         (Inspector::JSInjectedScriptHost::type): Deleted.
1537         * inspector/JSInjectedScriptHost.h:
1538         * inspector/JSInjectedScriptHostPrototype.cpp:
1539         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
1540         (Inspector::jsInjectedScriptHostPrototypeFunctionSubtype):
1541         (Inspector::jsInjectedScriptHostPrototypeFunctionType): Deleted.
1542
1543 2015-01-23  Michael Saboff  <msaboff@apple.com>
1544
1545         LayoutTests/js/script-tests/reentrant-caching.js crashing on 32 bit builds
1546         https://bugs.webkit.org/show_bug.cgi?id=140843
1547
1548         Reviewed by Oliver Hunt.
1549
1550         When we are in vmEntryToJavaScript, we keep the stack pointer at an
1551         alignment suitable for pointing to a call frame header, which is the
1552         alignment post making a call.  We adjust the sp when calling to JS code,
1553         but don't adjust it before calling the out of stack handler.
1554
1555         * llint/LowLevelInterpreter32_64.asm:
1556         Moved stack pointer down 8 bytes to get it aligned.
1557
1558 2015-01-23  Joseph Pecoraro  <pecoraro@apple.com>
1559
1560         Web Inspector: Object Previews in the Console
1561         https://bugs.webkit.org/show_bug.cgi?id=129204
1562
1563         Reviewed by Timothy Hatcher.
1564
1565         Update the very old, unused object preview code. Part of this comes from
1566         the earlier WebKit legacy implementation, and the Blink implementation.
1567
1568         A RemoteObject may include a preview, if it is asked for, and if the
1569         RemoteObject is an object. Previews are a shallow (single level) list
1570         of a limited number of properties on the object. The previewed
1571         properties are always stringified (even if primitives). Previews are
1572         limited to just 5 properties or 100 indices. Previews are marked
1573         as lossless if they are a complete snapshot of the object.
1574
1575         There is a path to make previews two levels deep, that is currently
1576         unused but should soon be used for tables (e.g. IndexedDB).
1577
1578         * inspector/InjectedScriptSource.js:
1579         - Move some code off of InjectedScript to be generic functions
1580         usable by RemoteObject as well.
1581         - Update preview generation to use 
1582
1583         * inspector/protocol/Runtime.json:
1584         - Add a new type, "accessor" for preview objects. This represents
1585         a getter / setter. We currently don't get the value.
1586
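A shallow preview generator of the kind this entry describes, as an added example in plain JavaScript (it is not the InjectedScriptSource.js code being updated): the limits of 5 properties and 100 indices, the stringified values, the lossless flag and the value-less "accessor" entries follow the entry; the output shape, the helper names and the rule that a nested object or an accessor makes a preview lossy are assumptions of this example.

```javascript
// Added example, not WebKit's InjectedScriptSource.js: a shallow, bounded
// object preview. Limits come from the ChangeLog entry; field names and the
// "lossless" rule for nested objects / accessors are this example's own.
const MAX_PREVIEW_PROPERTIES = 5;
const MAX_PREVIEW_INDICES = 100;
const ARRAY_INDEX_RE = /^(?:0|[1-9][0-9]*)$/;

function isArrayIndexName(name) {
  return ARRAY_INDEX_RE.test(name) && Number(name) <= 0xFFFFFFFE;
}

// Every previewed value is sent as a string, even primitives.
function stringifyForPreview(value) {
  if (value === null) return 'null';
  if (typeof value === 'object' || typeof value === 'function') {
    return Object.prototype.toString.call(value); // e.g. "[object Object]"
  }
  return String(value);
}

function generatePreview(object) {
  const properties = [];
  let overflow = false;
  let lossless = true;
  let indices = 0;
  let named = 0;
  for (const name of Object.getOwnPropertyNames(object)) {
    const isIndex = isArrayIndexName(name);
    if (isIndex ? indices >= MAX_PREVIEW_INDICES : named >= MAX_PREVIEW_PROPERTIES) {
      overflow = true; // dropped from the preview, so it is no longer a full snapshot
      continue;
    }
    if (isIndex) indices++; else named++;
    const desc = Object.getOwnPropertyDescriptor(object, name);
    if (desc.get || desc.set) {
      // Accessor: report its presence only. Invoking a getter from inspector
      // code would run page script with side effects, so no value is read,
      // and the preview is marked lossy because the value is unknown.
      properties.push({ name, type: 'accessor' });
      lossless = false;
      continue;
    }
    const value = desc.value;
    const type = typeof value;
    // One level deep only: a nested object or function is summarised, not captured.
    if (value !== null && (type === 'object' || type === 'function')) lossless = false;
    properties.push({ name, type: value === null ? 'object' : type, value: stringifyForPreview(value) });
  }
  return { overflow, lossless: lossless && !overflow, properties };
}
```

The accessor case is the security-relevant one: a getter on an inspected object is page script, so a preview that read its value would execute page-controlled code, with whatever side effects the getter chooses, merely because a developer expanded an object in the console. Reporting only that an accessor exists keeps the preview a pure read.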
1587 2015-01-23  Michael Saboff  <msaboff@apple.com>
1588
1589         Immediate crash when setting JS breakpoint
1590         https://bugs.webkit.org/show_bug.cgi?id=140811
1591
1592         Reviewed by Mark Lam.
1593
1594         When the DFG stack layout phase doesn't allocate a register for the scope register,
1595         it incorrectly sets the scope register in the code block to a bad value, one with
1596         an offset of 0.  Changed it so that we set the code block's scope register to the 
1597         invalid VirtualRegister instead.
1598
1599         No tests needed as adding the ASSERT in setScopeRegister() was used to find the bug.
1600         We crash with that ASSERT in testapi and likely many other tests as well.
1601
1602         * bytecode/CodeBlock.cpp:
1603         (JSC::CodeBlock::CodeBlock):
1604         * bytecode/CodeBlock.h:
1605         (JSC::CodeBlock::setScopeRegister):
1606         (JSC::CodeBlock::scopeRegister):
1607         Added ASSERTs to catch any future improper setting of the code block's scope register.
1608
1609         * dfg/DFGStackLayoutPhase.cpp:
1610         (JSC::DFG::StackLayoutPhase::run):
1611
1612 2015-01-22  Mark Hahnenberg  <mhahnenb@gmail.com>
1613
1614         EdenCollections unnecessarily visit SmallStrings
1615         https://bugs.webkit.org/show_bug.cgi?id=140762
1616
1617         Reviewed by Geoffrey Garen.
1618
1619         * heap/Heap.cpp:
1620         (JSC::Heap::copyBackingStores): Also added a GCPhase for copying
1621         backing stores, which is a significant portion of garbage collection.
1622         (JSC::Heap::visitSmallStrings): Check to see if we need to visit
1623         SmallStrings based on the collection type.
1624         * runtime/SmallStrings.cpp:
1625         (JSC::SmallStrings::SmallStrings):
1626         (JSC::SmallStrings::visitStrongReferences): Set the fact that we have
1627         visited the SmallStrings since the last modification.
1628         * runtime/SmallStrings.h:
1629         (JSC::SmallStrings::needsToBeVisited): If we're doing a
1630         FullCollection, we need to visit. Otherwise, it depends on whether
1631         we've been visited since the last modification/allocation.
1632
1633 2015-01-22  Ryosuke Niwa  <rniwa@webkit.org>
1634
1635         Add a build flag for ES6 class syntax
1636         https://bugs.webkit.org/show_bug.cgi?id=140760
1637
1638         Reviewed by Michael Saboff.
1639
1640         Added ES6_CLASS_SYNTAX build flag and used it in tokenizer to recognize
1641         "class", "extends", "static" and "super" keywords.
1642
1643         * Configurations/FeatureDefines.xcconfig:
1644         * parser/Keywords.table:
1645         * parser/ParserTokens.h:
1646
1647 2015-01-22  Commit Queue  <commit-queue@webkit.org>
1648
1649         Unreviewed, rolling out r178894.
1650         https://bugs.webkit.org/show_bug.cgi?id=140775
1651
1652         Broke JSC and bindings tests (Requested by ap_ on #webkit).
1653
1654         Reverted changeset:
1655
1656         "put_by_val_direct need to check the property is index or not
1657         for using putDirect / putDirectIndex"
1658         https://bugs.webkit.org/show_bug.cgi?id=140426
1659         http://trac.webkit.org/changeset/178894
1660
1661 2015-01-22  Mark Lam  <mark.lam@apple.com>
1662
1663         BytecodeGenerator::initializeCapturedVariable() sets a misleading value for the 5th operand of op_put_to_scope.
1664         <https://webkit.org/b/140743>
1665
1666         Reviewed by Oliver Hunt.
1667
1668         BytecodeGenerator::initializeCapturedVariable() was setting the 5th operand to
1669         op_put_to_scope to an inappropriate value (i.e. 0).  As a result, the execution
1670         of put_to_scope could store a wrong inferred value into the VariableWatchpointSet
1671         for whichever captured variable is at local index 0.  In practice, this turns
1672         out to be the local for the Arguments object.  In this reproduction case in the
1673         bug, the wrong inferred value written there is the boolean true.
1674
1675         Subsequently, DFG compilation occurs and CreateArguments is emitted to first do
1676         a check of the local for the Arguments object.  But because that local has a
1677         wrong inferred value, the check always discovers a non-null value and we never
1678         actually create the Arguments object.  Immediately after this, an OSR exit
1679         occurs leaving the Arguments object local uninitialized.  Later on at arguments
1680         tear off, we run into a boolean true where we had expected to find an Arguments
1681         object, which in turn, leads to the crash.
1682
1683         The fix is to:
1684         1. In the case where the resolveModeType is LocalClosureVar, change the
1685            5th operand of op_put_to_scope to be a boolean.  True means that the
1686            local var is watchable.  False means it is not watchable.  We no longer
1687            pass the local index (instead of true) and UINT_MAX (instead of false).
1688
1689            This allows us to express more clearly in the code what that value means,
1690            as well as remove the redundant way of getting the local's identifier.
1691            The identifier is always the one passed in the 2nd operand. 
1692
1693         2. Previously, though intuitively, we know that the watchable variable
1694            identifier should be the same as the one that is passed in operand 2, this
1695            relationship was not clear in the code.  By code analysis, I confirmed that 
1696            the callers of BytecodeGenerator::emitPutToScope() always use the same
1697            identifier for operand 2 and for filling out the ResolveScopeInfo from
1698            which we get the watchable variable identifier later.  I've changed the
1699            code to make this clear now by always using the identifier passed in
1700            operand 2.
1701
1702         3. In the case where the resolveModeType is LocalClosureVar,
1703            initializeCapturedVariable() and emitPutToScope() will now query
1704            hasWatchableVariable() to determine if the local is watchable or not.
1705            Accordingly, we pass the boolean result of hasWatchableVariable() as
1706            operand 5 of op_put_to_scope.
1707
1708         Also added some assertions.
1709
1710         * bytecode/CodeBlock.cpp:
1711         (JSC::CodeBlock::CodeBlock):
1712         * bytecompiler/BytecodeGenerator.cpp:
1713         (JSC::BytecodeGenerator::initializeCapturedVariable):
1714         (JSC::BytecodeGenerator::hasConstant):
1715         (JSC::BytecodeGenerator::emitPutToScope):
1716         * bytecompiler/BytecodeGenerator.h:
1717         (JSC::BytecodeGenerator::hasWatchableVariable):
1718         (JSC::BytecodeGenerator::watchableVariableIdentifier):
1719         (JSC::BytecodeGenerator::watchableVariable): Deleted.
1720
1721 2015-01-22  Ryosuke Niwa  <rniwa@webkit.org>
1722
1723         PropertyListNode::emitNode duplicates the code to put a constant property
1724         https://bugs.webkit.org/show_bug.cgi?id=140761
1725
1726         Reviewed by Geoffrey Garen.
1727
1728         Extracted PropertyListNode::emitPutConstantProperty to share the code.
1729
1730         Also made PropertyListNode::emitBytecode private since nobody is calling this function directly.
1731
1732         * bytecompiler/NodesCodegen.cpp:
1733         (JSC::PropertyListNode::emitBytecode):
1734         (JSC::PropertyListNode::emitPutConstantProperty): Added.
1735         * parser/Nodes.h:
1736
1737 2015-01-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1738
1739         put_by_val_direct need to check the property is index or not for using putDirect / putDirectIndex
1740         https://bugs.webkit.org/show_bug.cgi?id=140426
1741
1742         Reviewed by Geoffrey Garen.
1743
1744         In the put_by_val_direct operation, we use JSObject::putDirect.
1745         However, it only accepts non-index properties. For index properties, we need to use JSObject::putDirectIndex.
1746         This patch changes Identifier::asIndex() to return Optional<uint32_t>.
1747         It forces callers to check explicitly whether the value is an index or not.
1748         Additionally, it checks whether the toString-ed Identifier is an index or not to choose putDirect / putDirectIndex.
1749
1750         * bytecode/GetByIdStatus.cpp:
1751         (JSC::GetByIdStatus::computeFor):
1752         * bytecode/PutByIdStatus.cpp:
1753         (JSC::PutByIdStatus::computeFor):
1754         * bytecompiler/BytecodeGenerator.cpp:
1755         (JSC::BytecodeGenerator::emitDirectPutById):
1756         * dfg/DFGOperations.cpp:
1757         (JSC::DFG::operationPutByValInternal):
1758         * jit/JITOperations.cpp:
1759         * jit/Repatch.cpp:
1760         (JSC::emitPutTransitionStubAndGetOldStructure):
1761         * jsc.cpp:
1762         * llint/LLIntSlowPaths.cpp:
1763         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1764         * runtime/Arguments.cpp:
1765         (JSC::Arguments::getOwnPropertySlot):
1766         (JSC::Arguments::put):
1767         (JSC::Arguments::deleteProperty):
1768         (JSC::Arguments::defineOwnProperty):
1769         * runtime/ArrayPrototype.cpp:
1770         (JSC::arrayProtoFuncSort):
1771         * runtime/JSArray.cpp:
1772         (JSC::JSArray::defineOwnProperty):
1773         * runtime/JSCJSValue.cpp:
1774         (JSC::JSValue::putToPrimitive):
1775         * runtime/JSGenericTypedArrayViewInlines.h:
1776         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
1777         (JSC::JSGenericTypedArrayView<Adaptor>::put):
1778         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
1779         (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
1780         * runtime/JSObject.cpp:
1781         (JSC::JSObject::put):
1782         (JSC::JSObject::putDirectAccessor):
1783         (JSC::JSObject::putDirectCustomAccessor):
1784         (JSC::JSObject::deleteProperty):
1785         (JSC::JSObject::putDirectMayBeIndex):
1786         (JSC::JSObject::defineOwnProperty):
1787         * runtime/JSObject.h:
1788         (JSC::JSObject::getOwnPropertySlot):
1789         (JSC::JSObject::getPropertySlot):
1790         (JSC::JSObject::putDirectInternal):
1791         * runtime/JSString.cpp:
1792         (JSC::JSString::getStringPropertyDescriptor):
1793         * runtime/JSString.h:
1794         (JSC::JSString::getStringPropertySlot):
1795         * runtime/LiteralParser.cpp:
1796         (JSC::LiteralParser<CharType>::parse):
1797         * runtime/PropertyName.h:
1798         (JSC::toUInt32FromCharacters):
1799         (JSC::toUInt32FromStringImpl):
1800         (JSC::PropertyName::asIndex):
1801         * runtime/PropertyNameArray.cpp:
1802         (JSC::PropertyNameArray::add):
1803         * runtime/StringObject.cpp:
1804         (JSC::StringObject::deleteProperty):
1805         * runtime/Structure.cpp:
1806         (JSC::Structure::prototypeChainMayInterceptStoreTo):
1807
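The named-versus-index distinction this entry relies on, as an added example in plain JavaScript (not JavaScriptCore code): isArrayIndex implements the ECMAScript array-index rule that asIndex() encodes (a canonical decimal string whose value is at most 2^32 - 2), and the two helpers show the engine-visible consequences of routing a key to the wrong storage, over a constructed list of boundary keys. The helper names and the sample keys are this example's own.

```javascript
// Added example, not JavaScriptCore code: ECMAScript's array-index rule.
// A string P is an array index iff ToString(ToUint32(P)) === P and
// ToUint32(P) !== 2**32 - 1, i.e. canonical decimal and at most 2**32 - 2.
const MAX_ARRAY_INDEX = 0xFFFFFFFE;

function isArrayIndex(key) {
  if (typeof key !== 'string') return false;
  // Canonical decimal only: no sign, leading zeros, fraction, exponent or whitespace.
  if (!/^(?:0|[1-9][0-9]*)$/.test(key)) return false;
  // Number() of an over-long digit string is Infinity, which also fails this check.
  return Number(key) <= MAX_ARRAY_INDEX;
}

// Engine-visible consequence 1: an index key grows an array's length, a
// look-alike named key ("007", "1e3") does not.
function lengthAfterAssign(key) {
  const a = [];
  a[key] = 'x';
  return a.length;
}

// Engine-visible consequence 2: in an object literal with a computed key
// (the put_by_val_direct path), index keys enumerate first, in numeric order,
// ahead of named keys in insertion order.
function literalKeyOrder(key) {
  return Object.keys({ b: 1, [key]: 2 });
}

// Constructed boundary cases; for every row the predicate must agree with
// the observable behaviour of the array.
const SAMPLE_KEYS = ['0', '7', '007', '4294967294', '4294967295', '-1', '1.0', '1e3', ' 1', ''];

function classify(keys = SAMPLE_KEYS) {
  return keys.map(key => ({
    key,
    index: isArrayIndex(key),
    grewLength: lengthAfterAssign(key) > 0,
  }));
}
```

Keys such as "007", "1e3" or "4294967295" look numeric but are ordinary named properties; an engine that sent them down the indexed path, or sent "7" down the named path, would disagree with length and with enumeration order. Splitting on asIndex() before choosing putDirect or putDirectIndex is what keeps the direct-put opcode consistent with that rule.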
1808 2015-01-21  Ryosuke Niwa  <rniwa@webkit.org>
1809
1810         Consolidate out arguments of parseFunctionInfo into a struct
1811         https://bugs.webkit.org/show_bug.cgi?id=140754
1812
1813         Reviewed by Oliver Hunt.
1814
1815         Introduced ParserFunctionInfo for storing out arguments of parseFunctionInfo.
1816
1817         * JavaScriptCore.xcodeproj/project.pbxproj:
1818         * parser/ASTBuilder.h:
1819         (JSC::ASTBuilder::createFunctionExpr):
1820         (JSC::ASTBuilder::createGetterOrSetterProperty): This one takes a property name in addition to
1821         ParserFunctionInfo since the property name and the function name could differ.
1822         (JSC::ASTBuilder::createFuncDeclStatement):
1823         * parser/Parser.cpp:
1824         (JSC::Parser<LexerType>::parseFunctionInfo):
1825         (JSC::Parser<LexerType>::parseFunctionDeclaration):
1826         (JSC::Parser<LexerType>::parseProperty):
1827         (JSC::Parser<LexerType>::parseMemberExpression):
1828         * parser/Parser.h:
1829         * parser/ParserFunctionInfo.h: Added.
1830         * parser/SyntaxChecker.h:
1831         (JSC::SyntaxChecker::createFunctionExpr):
1832         (JSC::SyntaxChecker::createFuncDeclStatement):
1833         (JSC::SyntaxChecker::createClassDeclStatement):
1834         (JSC::SyntaxChecker::createGetterOrSetterProperty):
1835
1836 2015-01-21  Mark Hahnenberg  <mhahnenb@gmail.com>
1837
1838         Change Heap::m_compiledCode to use a Vector
1839         https://bugs.webkit.org/show_bug.cgi?id=140717
1840
1841         Reviewed by Andreas Kling.
1842
1843         Right now it's a DoublyLinkedList, which is iterated during each
1844         collection. This contributes to some of the longish Eden pause times.
1845         A Vector would be more appropriate and would also allow ExecutableBase
1846         to be 2 pointers smaller.
1847
1848         * heap/Heap.cpp:
1849         (JSC::Heap::deleteAllCompiledCode):
1850         (JSC::Heap::deleteAllUnlinkedFunctionCode):
1851         (JSC::Heap::clearUnmarkedExecutables):
1852         * heap/Heap.h:
1853         * runtime/Executable.h: No longer need to inherit from DoublyLinkedListNode.
1854
1855 2015-01-21  Ryosuke Niwa  <rniwa@webkit.org>
1856
1857         BytecodeGenerator shouldn't expose all of its member variables
1858         https://bugs.webkit.org/show_bug.cgi?id=140752
1859
1860         Reviewed by Mark Lam.
1861
1862         Added "private:" and removed unused data members as detected by clang.
1863
1864         * bytecompiler/BytecodeGenerator.cpp:
1865         (JSC::BytecodeGenerator::BytecodeGenerator):
1866         * bytecompiler/BytecodeGenerator.h:
1867         (JSC::BytecodeGenerator::lastOpcodeID): Added. Used in BinaryOpNode::emitBytecode.
1868         * bytecompiler/NodesCodegen.cpp:
1869         (JSC::BinaryOpNode::emitBytecode):
1870
1871 2015-01-21  Joseph Pecoraro  <pecoraro@apple.com>
1872
1873         Web Inspector: ASSERT expanding objects in console PrimitiveBindingTraits<T>::assertValueHasExpectedType
1874         https://bugs.webkit.org/show_bug.cgi?id=140746
1875
1876         Reviewed by Timothy Hatcher.
1877
1878         * inspector/InjectedScriptSource.js:
1879         Do not add impure properties to the descriptor object that will
1880         eventually be sent to the frontend.
1881
1882 2015-01-21  Matthew Mirman  <mmirman@apple.com>
1883
1884         Updated split such that it does not include the empty end of input string match.
1885         https://bugs.webkit.org/show_bug.cgi?id=138129
1886         <rdar://problem/18807403>
1887
1888         Reviewed by Filip Pizlo.
1889
1890         * runtime/StringPrototype.cpp:
1891         (JSC::stringProtoFuncSplit):
1892         * tests/stress/empty_eos_regex_split.js: Added.
1893
1894 2015-01-21  Michael Saboff  <msaboff@apple.com>
1895
1896         Eliminate Scope slot from JavaScript CallFrame
1897         https://bugs.webkit.org/show_bug.cgi?id=136724
1898
1899         Reviewed by Geoffrey Garen.
1900
1901         This finishes the removal of the scope chain slot from the call frame header.
1902
1903         * dfg/DFGOSRExitCompilerCommon.cpp:
1904         (JSC::DFG::reifyInlinedCallFrames):
1905         * dfg/DFGPreciseLocalClobberize.h:
1906         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1907         * dfg/DFGSpeculativeJIT32_64.cpp:
1908         (JSC::DFG::SpeculativeJIT::emitCall):
1909         * dfg/DFGSpeculativeJIT64.cpp:
1910         (JSC::DFG::SpeculativeJIT::emitCall):
1911         * ftl/FTLJSCall.cpp:
1912         (JSC::FTL::JSCall::emit):
1913         * ftl/FTLLowerDFGToLLVM.cpp:
1914         (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
1915         (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
1916         * interpreter/JSStack.h:
1917         * interpreter/VMInspector.cpp:
1918         (JSC::VMInspector::dumpFrame):
1919         * jit/JITCall.cpp:
1920         (JSC::JIT::compileOpCall):
1921         * jit/JITCall32_64.cpp:
1922         (JSC::JIT::compileOpCall):
1923         * jit/JITOpcodes32_64.cpp:
1924         (JSC::JIT::privateCompileCTINativeCall):
1925         * jit/Repatch.cpp:
1926         (JSC::generateByIdStub):
1927         (JSC::linkClosureCall):
1928         * jit/ThunkGenerators.cpp:
1929         (JSC::virtualForThunkGenerator):
1930         (JSC::nativeForGenerator):
1931         Deleted ScopeChain slot from JSStack.  Removed all code where ScopeChain was being
1932         read or set.  In most cases this was where we make JS calls.
1933
1934         * interpreter/CallFrameClosure.h:
1935         (JSC::CallFrameClosure::setArgument):
1936         (JSC::CallFrameClosure::resetCallFrame): Deleted.
1937         * interpreter/Interpreter.cpp:
1938         (JSC::Interpreter::execute):
1939         (JSC::Interpreter::executeCall):
1940         (JSC::Interpreter::executeConstruct):
1941         (JSC::Interpreter::prepareForRepeatCall):
1942         * interpreter/ProtoCallFrame.cpp:
1943         (JSC::ProtoCallFrame::init):
1944         * interpreter/ProtoCallFrame.h:
1945         (JSC::ProtoCallFrame::scope): Deleted.
1946         (JSC::ProtoCallFrame::setScope): Deleted.
1947         * llint/LLIntData.cpp:
1948         (JSC::LLInt::Data::performAssertions):
1949         * llint/LowLevelInterpreter.asm:
1950         * llint/LowLevelInterpreter64.asm:
1951         Removed the related scopeChainValue member from ProtoCallFrame.  Reduced the number of
1952         registers that needed to be copied from the ProtoCallFrame to a callee's frame
1953         from 5 to 4.
1954
1955         * llint/LowLevelInterpreter32_64.asm:
1956         In addition to the prior changes, also deleted the unused macro getDeBruijnScope.
1957
1958 2015-01-21  Michael Saboff  <msaboff@apple.com>
1959
1960         Eliminate construct methods from NullGetterFunction and NullSetterFunction classes
1961         https://bugs.webkit.org/show_bug.cgi?id=140708
1962
1963         Reviewed by Mark Lam.
1964
1965         Eliminated construct methods and change getConstructData() for both classes to return
1966         ConstructTypeNone as they can never be called.
1967
1968         * runtime/NullGetterFunction.cpp:
1969         (JSC::NullGetterFunction::getConstructData):
1970         (JSC::constructReturnUndefined): Deleted.
1971         * runtime/NullSetterFunction.cpp:
1972         (JSC::NullSetterFunction::getConstructData):
1973         (JSC::constructReturnUndefined): Deleted.
1974
1975 2015-01-21  Csaba Osztrogonác  <ossy@webkit.org>
1976
1977         Remove ENABLE(INSPECTOR) ifdef guards
1978         https://bugs.webkit.org/show_bug.cgi?id=140668
1979
1980         Reviewed by Darin Adler.
1981
1982         * Configurations/FeatureDefines.xcconfig:
1983         * bindings/ScriptValue.cpp:
1984         (Deprecated::ScriptValue::toInspectorValue):
1985         * bindings/ScriptValue.h:
1986         * inspector/ConsoleMessage.cpp:
1987         * inspector/ConsoleMessage.h:
1988         * inspector/ContentSearchUtilities.cpp:
1989         * inspector/ContentSearchUtilities.h:
1990         * inspector/IdentifiersFactory.cpp:
1991         * inspector/IdentifiersFactory.h:
1992         * inspector/InjectedScript.cpp:
1993         * inspector/InjectedScript.h:
1994         * inspector/InjectedScriptBase.cpp:
1995         * inspector/InjectedScriptBase.h:
1996         * inspector/InjectedScriptHost.cpp:
1997         * inspector/InjectedScriptHost.h:
1998         * inspector/InjectedScriptManager.cpp:
1999         * inspector/InjectedScriptManager.h:
2000         * inspector/InjectedScriptModule.cpp:
2001         * inspector/InjectedScriptModule.h:
2002         * inspector/InspectorAgentRegistry.cpp:
2003         * inspector/InspectorBackendDispatcher.cpp:
2004         * inspector/InspectorBackendDispatcher.h:
2005         * inspector/InspectorProtocolTypes.h:
2006         * inspector/JSGlobalObjectConsoleClient.cpp:
2007         * inspector/JSGlobalObjectInspectorController.cpp:
2008         * inspector/JSGlobalObjectInspectorController.h:
2009         * inspector/JSGlobalObjectScriptDebugServer.cpp:
2010         * inspector/JSGlobalObjectScriptDebugServer.h:
2011         * inspector/JSInjectedScriptHost.cpp:
2012         * inspector/JSInjectedScriptHost.h:
2013         * inspector/JSInjectedScriptHostPrototype.cpp:
2014         * inspector/JSInjectedScriptHostPrototype.h:
2015         * inspector/JSJavaScriptCallFrame.cpp:
2016         * inspector/JSJavaScriptCallFrame.h:
2017         * inspector/JSJavaScriptCallFramePrototype.cpp:
2018         * inspector/JSJavaScriptCallFramePrototype.h:
2019         * inspector/JavaScriptCallFrame.cpp:
2020         * inspector/JavaScriptCallFrame.h:
2021         * inspector/ScriptCallFrame.cpp:
2022         (Inspector::ScriptCallFrame::buildInspectorObject):
2023         * inspector/ScriptCallFrame.h:
2024         * inspector/ScriptCallStack.cpp:
2025         (Inspector::ScriptCallStack::buildInspectorArray):
2026         * inspector/ScriptCallStack.h:
2027         * inspector/ScriptDebugServer.cpp:
2028         * inspector/agents/InspectorAgent.cpp:
2029         * inspector/agents/InspectorAgent.h:
2030         * inspector/agents/InspectorConsoleAgent.cpp:
2031         * inspector/agents/InspectorConsoleAgent.h:
2032         * inspector/agents/InspectorDebuggerAgent.cpp:
2033         * inspector/agents/InspectorDebuggerAgent.h:
2034         * inspector/agents/InspectorRuntimeAgent.cpp:
2035         * inspector/agents/InspectorRuntimeAgent.h:
2036         * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
2037         * inspector/agents/JSGlobalObjectConsoleAgent.h:
2038         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
2039         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
2040         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
2041         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
2042         * inspector/scripts/codegen/cpp_generator_templates.py:
2043         (CppGeneratorTemplates):
2044         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2045         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2046         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2047         * inspector/scripts/tests/expected/enum-values.json-result:
2048         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2049         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2050         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
2051         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
2052         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
2053         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2054         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
2055         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2056         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2057         * runtime/TypeSet.cpp:
2058         (JSC::TypeSet::inspectorTypeSet):
2059         (JSC::StructureShape::inspectorRepresentation):
2060
2061 2015-01-20  Joseph Pecoraro  <pecoraro@apple.com>
2062
2063         Web Inspector: Clean up InjectedScriptSource.js
2064         https://bugs.webkit.org/show_bug.cgi?id=140709
2065
2066         Reviewed by Timothy Hatcher.
2067
2068         This patch includes some relevant Blink patches and small changes.
2069         
2070         Patch by <aandrey@chromium.org>
2071         DevTools: Remove console last result $_ on console clear.
2072         https://src.chromium.org/viewvc/blink?revision=179179&view=revision
2073
2074         Patch by <eustas@chromium.org>
2075         [Inspect DOM properties] incorrect CSS Selector Syntax
2076         https://src.chromium.org/viewvc/blink?revision=156903&view=revision
2077
2078         * inspector/InjectedScriptSource.js:
2079
2080 2015-01-20  Joseph Pecoraro  <pecoraro@apple.com>
2081
2082         Web Inspector: Cleanup RuntimeAgent a bit
2083         https://bugs.webkit.org/show_bug.cgi?id=140706
2084
2085         Reviewed by Timothy Hatcher.
2086
2087         * inspector/InjectedScript.h:
2088         * inspector/InspectorBackendDispatcher.h:
2089         * inspector/ScriptCallFrame.cpp:
2090         * inspector/agents/InspectorRuntimeAgent.cpp:
2091         (Inspector::InspectorRuntimeAgent::evaluate):
2092         (Inspector::InspectorRuntimeAgent::getProperties):
2093         (Inspector::InspectorRuntimeAgent::run):
2094         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
2095         (Inspector::recompileAllJSFunctionsForTypeProfiling):
2096         (Inspector::InspectorRuntimeAgent::setTypeProfilerEnabledState):
2097
2098 2015-01-20  Matthew Mirman  <mmirman@apple.com>
2099
2100         Made Identity in the DFG allocate a new temp register and move 
2101         the old data to it.
2102         https://bugs.webkit.org/show_bug.cgi?id=140700
2103         <rdar://problem/19339106>
2104
2105         Reviewed by Filip Pizlo.
2106
2107         * dfg/DFGSpeculativeJIT64.cpp:
2108         (JSC::DFG::SpeculativeJIT::compile): 
2109         Added scratch registers for Identity. 
2110         * tests/mozilla/mozilla-tests.yaml: enabled previously failing test
2111
2112 2015-01-20  Joseph Pecoraro  <pecoraro@apple.com>
2113
2114         Web Inspector: Expanding event objects in console shows undefined for most values, it should have real values
2115         https://bugs.webkit.org/show_bug.cgi?id=137306
2116
2117         Reviewed by Timothy Hatcher.
2118
2119         Provide another optional parameter to getProperties, to gather a list
2120         of all own and getter properties.
2121
2122         * inspector/InjectedScript.cpp:
2123         (Inspector::InjectedScript::getProperties):
2124         * inspector/InjectedScript.h:
2125         * inspector/InjectedScriptSource.js:
2126         * inspector/agents/InspectorRuntimeAgent.cpp:
2127         (Inspector::InspectorRuntimeAgent::getProperties):
2128         * inspector/agents/InspectorRuntimeAgent.h:
2129         * inspector/protocol/Runtime.json:
2130
2131 2015-01-20  Joseph Pecoraro  <pecoraro@apple.com>
2132
2133         Web Inspector: Should show dynamic specificity values
2134         https://bugs.webkit.org/show_bug.cgi?id=140647
2135
2136         Reviewed by Benjamin Poulain.
2137
2138         * inspector/protocol/CSS.json:
2139         Clarify CSSSelector optional values and add "dynamic" property indicating
2140         if the selector can be dynamic based on the element it is matched against.
2141
2142 2015-01-20  Commit Queue  <commit-queue@webkit.org>
2143
2144         Unreviewed, rolling out r178751.
2145         https://bugs.webkit.org/show_bug.cgi?id=140694
2146
2147         Caused 32-bit JSC test failures (Requested by JoePeck on
2148         #webkit).
2149
2150         Reverted changeset:
2151
2152         "put_by_val_direct need to check the property is index or not
2153         for using putDirect / putDirectIndex"
2154         https://bugs.webkit.org/show_bug.cgi?id=140426
2155         http://trac.webkit.org/changeset/178751
2156
2157 2015-01-20  Yusuke Suzuki  <utatane.tea@gmail.com>
2158
2159         put_by_val_direct need to check the property is index or not for using putDirect / putDirectIndex
2160         https://bugs.webkit.org/show_bug.cgi?id=140426
2161
2162         Reviewed by Geoffrey Garen.
2163
2164         In the put_by_val_direct operation, we use JSObject::putDirect.
2165         However, it only accepts non-index properties. For index properties, we need to use JSObject::putDirectIndex.
2166         This patch changes Identifier::asIndex() to return Optional<uint32_t>.
2167         It forces callers to explicitly check whether the value is an index.
2168         Additionally, it checks whether the toString-ed Identifier is an index in order to choose putDirect / putDirectIndex.
2169
2170         * bytecode/GetByIdStatus.cpp:
2171         (JSC::GetByIdStatus::computeFor):
2172         * bytecode/PutByIdStatus.cpp:
2173         (JSC::PutByIdStatus::computeFor):
2174         * bytecompiler/BytecodeGenerator.cpp:
2175         (JSC::BytecodeGenerator::emitDirectPutById):
2176         * dfg/DFGOperations.cpp:
2177         (JSC::DFG::operationPutByValInternal):
2178         * jit/JITOperations.cpp:
2179         * jit/Repatch.cpp:
2180         (JSC::emitPutTransitionStubAndGetOldStructure):
2181         * jsc.cpp:
2182         * llint/LLIntSlowPaths.cpp:
2183         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2184         * runtime/Arguments.cpp:
2185         (JSC::Arguments::getOwnPropertySlot):
2186         (JSC::Arguments::put):
2187         (JSC::Arguments::deleteProperty):
2188         (JSC::Arguments::defineOwnProperty):
2189         * runtime/ArrayPrototype.cpp:
2190         (JSC::arrayProtoFuncSort):
2191         * runtime/JSArray.cpp:
2192         (JSC::JSArray::defineOwnProperty):
2193         * runtime/JSCJSValue.cpp:
2194         (JSC::JSValue::putToPrimitive):
2195         * runtime/JSGenericTypedArrayViewInlines.h:
2196         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
2197         (JSC::JSGenericTypedArrayView<Adaptor>::put):
2198         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
2199         (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
2200         * runtime/JSObject.cpp:
2201         (JSC::JSObject::put):
2202         (JSC::JSObject::putDirectAccessor):
2203         (JSC::JSObject::putDirectCustomAccessor):
2204         (JSC::JSObject::deleteProperty):
2205         (JSC::JSObject::putDirectMayBeIndex):
2206         (JSC::JSObject::defineOwnProperty):
2207         * runtime/JSObject.h:
2208         (JSC::JSObject::getOwnPropertySlot):
2209         (JSC::JSObject::getPropertySlot):
2210         (JSC::JSObject::putDirectInternal):
2211         * runtime/JSString.cpp:
2212         (JSC::JSString::getStringPropertyDescriptor):
2213         * runtime/JSString.h:
2214         (JSC::JSString::getStringPropertySlot):
2215         * runtime/LiteralParser.cpp:
2216         (JSC::LiteralParser<CharType>::parse):
2217         * runtime/PropertyName.h:
2218         (JSC::toUInt32FromCharacters):
2219         (JSC::toUInt32FromStringImpl):
2220         (JSC::PropertyName::asIndex):
2221         * runtime/PropertyNameArray.cpp:
2222         (JSC::PropertyNameArray::add):
2223         * runtime/StringObject.cpp:
2224         (JSC::StringObject::deleteProperty):
2225         * runtime/Structure.cpp:
2226         (JSC::Structure::prototypeChainMayInterceptStoreTo):
2227
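The entry above turns on the question of which property keys count as array indices. As an added example (not JavaScriptCore code), the block below states the ECMA-262 array-index rule that Identifier::asIndex() must answer, and shows the observable effect of a computed property name in an object literal, which JSC lowers to put_by_val_direct and must route to putDirectIndex for index-shaped keys. The helper names isArrayIndex, makeObject, ownKeyOrder and expectedOrder are this example's own.

```javascript
// Added example, not JavaScriptCore code. It shows the ECMA-262 array-index
// rule that Identifier::asIndex() has to answer, and the observable effect
// of a computed property name in an object literal, which JSC lowers to
// put_by_val_direct and must route to putDirectIndex for index keys.

// A property key is an array index when it is the canonical decimal string
// of an integer in the range [0, 2^32 - 2]. "4294967295" (2^32 - 1) is a
// valid property name but not an index, and non-canonical spellings such as
// "042" are ordinary named properties.
function isArrayIndex(key) {
  if (typeof key !== "string") return false;
  if (!/^(0|[1-9][0-9]*)$/.test(key)) return false;
  return Number(key) <= 0xFFFFFFFE;
}

// Fixed-arity literal so that every key is a computed property name and
// therefore takes the direct-put path the patch fixes.
function makeObject(k1, v1, k2, v2, k3, v3) {
  return { [k1]: v1, [k2]: v2, [k3]: v3 };
}

// Index keys are reported first, in ascending numeric order; everything
// else follows in insertion order. An engine that stored an index-shaped
// key as a named property would get this order wrong.
function ownKeyOrder(o) {
  return Object.getOwnPropertyNames(o).join(",");
}

// Reference partition using isArrayIndex(), to cross-check the engine's
// own notion of "index" against the spec rule above.
function expectedOrder(keys) {
  const idx = keys.filter(isArrayIndex).sort((a, b) => Number(a) - Number(b));
  const named = keys.filter((k) => !isArrayIndex(k));
  return idx.concat(named).join(",");
}
```

Running ownKeyOrder(makeObject("x", 1, "10", 2, "2", 3)) yields "2,10,x" and agrees with expectedOrder(["x", "10", "2"]); with "042" in place of "2" the key stays a named property and is listed in insertion order.
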
2228 2015-01-20  Michael Saboff  <msaboff@apple.com>
2229
2230         REGRESSION(178696): Sporadic crashes while garbage collecting
2231         https://bugs.webkit.org/show_bug.cgi?id=140688
2232
2233         Reviewed by Geoffrey Garen.
2234
2235         Added missing visitor.append(&thisObject->m_nullSetterFunction).
2236
2237         * runtime/JSGlobalObject.cpp:
2238         (JSC::JSGlobalObject::visitChildren):
2239
2240 2015-01-19  Brian J. Burg  <burg@cs.washington.edu>
2241
2242         Web Replay: code generator should take supplemental specifications and allow cross-framework references
2243         https://bugs.webkit.org/show_bug.cgi?id=136312
2244
2245         Reviewed by Joseph Pecoraro.
2246
2247         Some types are shared between replay inputs from different frameworks.
2248         Previously, these type declarations were duplicated in every input
2249         specification file in which they were used. This caused some type encoding
2250         traits to be emitted twice if used from WebCore inputs and WebKit2 inputs.
2251
2252         This patch teaches the replay inputs code generator to accept multiple
2253         input specification files. Inputs can freely reference types from other
2254         frameworks without duplicating declarations.
2255
2256         On the code generation side, the model could contain types and inputs from
2257         frameworks that are not the target framework. Only generate code for the
2258         target framework.
2259
2260         To properly generate cross-framework type encoding traits, use
2261         Type.encoding_type_argument in more places, and add the export macro for WebCore
2262         and the Test framework.
2263
2264         Adjust some tests so that enum coverage is preserved by moving the enum types
2265         into "Test" (the target framework for tests).
2266
2267         * JavaScriptCore.vcxproj/copy-files.cmd:
2268         For Windows, copy over JSInputs.json as if it were a private header.
2269
2270         * JavaScriptCore.xcodeproj/project.pbxproj: Make JSInputs.json a private header.
2271         * replay/JSInputs.json:
2272         Put all primitive types and WTF types in this specification file.
2273
2274         * replay/scripts/CodeGeneratorReplayInputs.py:
2275         (Input.__init__):
2276         (InputsModel.__init__): Keep track of the input's framework.
2277         (InputsModel.parse_specification): Parse the framework here. Adjust to new format,
2278         and allow either types or inputs to be missing from a single file.
2279
2280         (InputsModel.parse_type_with_framework):
2281         (InputsModel.parse_input_with_framework):
2282         (Generator.should_generate_item): Added helper method.
2283         (Generator.generate_header): Filter inputs to generate.
2284         (Generator.generate_implementation): Filter inputs to generate.
2285         (Generator.generate_enum_trait_declaration): Filter enums to generate.
2286         Add WEBCORE_EXPORT macro to enum encoding traits.
2287
2288         (Generator.generate_for_each_macro): Filter inputs to generate.
2289         (Generator.generate_enum_trait_implementation): Filter enums to generate.
2290         (generate_from_specifications): Added.
2291         (generate_from_specifications.parse_json_from_file):
2292         (InputsModel.parse_toplevel): Deleted.
2293         (InputsModel.parse_type_with_framework_name): Deleted.
2294         (InputsModel.parse_input): Deleted.
2295         (generate_from_specification): Deleted.
2296         * replay/scripts/CodeGeneratorReplayInputsTemplates.py:
2297         * replay/scripts/tests/expected/fail-on-no-inputs.json-error: Removed.
2298         * replay/scripts/tests/expected/fail-on-no-types.json-error: Removed.
2299         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp:
2300         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h:
2301         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp:
2302         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h:
2303         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp:
2304         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h:
2305         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp:
2306         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h:
2307         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h:
2308         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h:
2309         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h:
2310         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h:
2311         * replay/scripts/tests/fail-on-c-style-enum-no-storage.json:
2312         * replay/scripts/tests/fail-on-duplicate-enum-type.json:
2313         * replay/scripts/tests/fail-on-duplicate-input-names.json:
2314         * replay/scripts/tests/fail-on-duplicate-type-names.json:
2315         * replay/scripts/tests/fail-on-enum-type-missing-values.json:
2316         * replay/scripts/tests/fail-on-missing-input-member-name.json:
2317         * replay/scripts/tests/fail-on-missing-input-name.json:
2318         * replay/scripts/tests/fail-on-missing-input-queue.json:
2319         * replay/scripts/tests/fail-on-missing-type-mode.json:
2320         * replay/scripts/tests/fail-on-missing-type-name.json:
2321         * replay/scripts/tests/fail-on-no-inputs.json:
2322         Removed, no longer required to be in a single file.
2323
2324         * replay/scripts/tests/fail-on-no-types.json:
2325         Removed, no longer required to be in a single file.
2326
2327         * replay/scripts/tests/fail-on-unknown-input-queue.json:
2328         * replay/scripts/tests/fail-on-unknown-member-type.json:
2329         * replay/scripts/tests/fail-on-unknown-type-mode.json:
2330         * replay/scripts/tests/generate-enum-encoding-helpers-with-guarded-values.json:
2331         * replay/scripts/tests/generate-enum-encoding-helpers.json:
2332         * replay/scripts/tests/generate-enum-with-guard.json:
2333         Include enums that are and are not generated.
2334
2335         * replay/scripts/tests/generate-enums-with-same-base-name.json:
2336         * replay/scripts/tests/generate-event-loop-shape-types.json:
2337         * replay/scripts/tests/generate-input-with-guard.json:
2338         * replay/scripts/tests/generate-input-with-vector-members.json:
2339         * replay/scripts/tests/generate-inputs-with-flags.json:
2340         * replay/scripts/tests/generate-memoized-type-modes.json:
2341
2342 2015-01-20  Tomas Popela  <tpopela@redhat.com>
2343
2344         [GTK] Cannot compile 2.7.3 on PowerPC machines
2345         https://bugs.webkit.org/show_bug.cgi?id=140616
2346
2347         Include climits for INT_MAX and wtf/DataLog.h for dataLogF
2348
2349         Reviewed by Csaba Osztrogonác.
2350
2351         * runtime/BasicBlockLocation.cpp:
2352
2353 2015-01-19  Michael Saboff  <msaboff@apple.com>
2354
2355         A "cached" null setter should throw a TypeException when called in strict mode and doesn't
2356         https://bugs.webkit.org/show_bug.cgi?id=139418
2357
2358         Reviewed by Filip Pizlo.
2359
2360         Made a new NullSetterFunction class similar to NullGetterFunction.  The difference is that 
2361         NullSetterFunction will throw a TypeError per the ECMA262 spec for a strict mode caller.
2362
2363         * CMakeLists.txt:
2364         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2365         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2366         * JavaScriptCore.xcodeproj/project.pbxproj:
2367         Added new files NullSetterFunction.cpp and NullSetterFunction.h.
2368
2369         * runtime/GetterSetter.h:
2370         (JSC::GetterSetter::GetterSetter):
2371         (JSC::GetterSetter::isSetterNull):
2372         (JSC::GetterSetter::setSetter):
2373         Change setter instances from using NullGetterFunction to using NullSetterFunction.
2374
2375         * runtime/JSGlobalObject.cpp:
2376         (JSC::JSGlobalObject::init):
2377         * runtime/JSGlobalObject.h:
2378         (JSC::JSGlobalObject::nullSetterFunction):
2379         Added m_nullSetterFunction and accessor.
2380
2381         * runtime/NullSetterFunction.cpp: Added.
2382         (JSC::GetCallerStrictnessFunctor::GetCallerStrictnessFunctor):
2383         (JSC::GetCallerStrictnessFunctor::operator()):
2384         (JSC::GetCallerStrictnessFunctor::callerIsStrict):
2385         (JSC::callerIsStrict):
2386         Method to determine if the caller is in strict mode.
2387
2388         (JSC::callReturnUndefined):
2389         (JSC::constructReturnUndefined):
2390         (JSC::NullSetterFunction::getCallData):
2391         (JSC::NullSetterFunction::getConstructData):
2392         * runtime/NullSetterFunction.h: Added.
2393         (JSC::NullSetterFunction::create):
2394         (JSC::NullSetterFunction::createStructure):
2395         (JSC::NullSetterFunction::NullSetterFunction):
2396         Class with handlers for a null setter.
2397
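The NullSetterFunction entry above is about an accessor property that has a getter but no setter. The block below is an added example, not JavaScriptCore code: it builds such a property and checks the behaviour the patch requires, a silent no-op in sloppy code and a TypeError in strict code, repeated enough times that a cached property access is also covered. The names makeGetterOnly, assignSloppy, assignStrict and repeatStrict are this example's own.

```javascript
// Added example, not JavaScriptCore code. It exercises the behaviour the
// NullSetterFunction change is about: an accessor property with a getter
// but no setter. Per ECMA-262 PutValue/OrdinarySet, assigning to it is a
// silent no-op in sloppy code and throws a TypeError in strict code, and
// that must stay true once the engine caches the property access.

function makeGetterOnly() {
  return Object.defineProperty({}, "ro", {
    get() { return 42; },
    enumerable: true,
    configurable: true,
  });
}

// Built with the Function constructor so the body is sloppy-mode even if
// this file is loaded as a (strict) ES module: the write is ignored and the
// getter still answers.
const assignSloppy = new Function("o", "o.ro = 1; return o.ro;");

// Strict-mode assignment to the same property must throw a TypeError.
function assignStrict(o) {
  "use strict";
  try {
    o.ro = 1;
    return "no throw";
  } catch (e) {
    return e instanceof TypeError ? "TypeError" : "other";
  }
}

// The bug was in the cached path, so repeat the write enough times for a
// JIT to warm up its inline cache; every iteration must behave alike, so
// the set of distinct outcomes must contain exactly one entry.
function repeatStrict(o, n) {
  const results = new Set();
  for (let i = 0; i < n; i++) results.add(assignStrict(o));
  return [...results].join(",");
}
```

assignSloppy(makeGetterOnly()) returns 42, assignStrict(makeGetterOnly()) returns "TypeError", and repeatStrict(o, 5000) returns "TypeError" only, which is the property the regression test for this entry has to hold.
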
2398 2015-01-19  Saam Barati  <saambarati1@gmail.com>
2399
2400         Web Inspector: Provide a front end for JSC's Control Flow Profiler
2401         https://bugs.webkit.org/show_bug.cgi?id=138454
2402
2403         Reviewed by Timothy Hatcher.
2404
2405         This patch puts the final touches on what JSC needs to provide
2406         for the Web Inspector to show a UI for the control flow profiler.
2407
2408         * inspector/agents/InspectorRuntimeAgent.cpp:
2409         (Inspector::recompileAllJSFunctionsForTypeProfiling):
2410         * runtime/ControlFlowProfiler.cpp:
2411         (JSC::ControlFlowProfiler::getBasicBlocksForSourceID):
2412         * runtime/FunctionHasExecutedCache.cpp:
2413         (JSC::FunctionHasExecutedCache::getFunctionRanges):
2414         (JSC::FunctionHasExecutedCache::getUnexecutedFunctionRanges): Deleted.
2415         * runtime/FunctionHasExecutedCache.h:
2416
2417 2015-01-19  David Kilzer  <ddkilzer@apple.com>
2418
2419         [iOS] Only use LLVM static library arguments on 64-bit builds of libllvmForJSC.dylib
2420         <http://webkit.org/b/140658>
2421
2422         Reviewed by Filip Pizlo.
2423
2424         * Configurations/LLVMForJSC.xcconfig: Set OTHER_LDFLAGS_LLVM
2425         only when building for 64-bit architectures.
2426
2427 2015-01-19  Filip Pizlo  <fpizlo@apple.com>
2428
2429         ClosureCallStubRoutine no longer needs codeOrigin
2430         https://bugs.webkit.org/show_bug.cgi?id=140659
2431
2432         Reviewed by Michael Saboff.
2433         
2434         Once upon a time, we would look for the CodeOrigin associated with a return PC. This search
2435         would start with the CodeBlock according to the caller frame's call frame header. But if the
2436         call was a closure call, the return PC would be inside some closure call stub. So if the
2437         CodeBlock search failed, we would search *all* closure call stub routines to see which one
2438         encompasses the return PC. Then, we would use the CodeOrigin stored in the stub routine
2439         object. This was all a bunch of madness, and we actually got rid of it - we now determine
2440         the CodeOrigin for a call frame using the encoded code origin bits inside the tag of the
2441         argument count.
2442         
2443         This patch removes the final vestiges of the madness:
2444         
2445         - Remove the totally unused method declaration for the thing that did the closure call stub
2446           search.
2447         
2448         - Remove the CodeOrigin field from the ClosureCallStubRoutine. Except for that crazy search
2449           that we no longer do, everyone else who finds a ClosureCallStubRoutine will find it via
2450           the CallLinkInfo. The CallLinkInfo also has the CodeOrigin, so we don't need this field
2451           anymore.
2452
2453         * bytecode/CodeBlock.h:
2454         * jit/ClosureCallStubRoutine.cpp:
2455         (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
2456         * jit/ClosureCallStubRoutine.h:
2457         (JSC::ClosureCallStubRoutine::executable):
2458         (JSC::ClosureCallStubRoutine::codeOrigin): Deleted.
2459         * jit/Repatch.cpp:
2460         (JSC::linkClosureCall):
2461
2462 2015-01-19  Saam Barati  <saambarati1@gmail.com>
2463
2464         Basic block start offsets should never be larger than end offsets in the control flow profiler
2465         https://bugs.webkit.org/show_bug.cgi?id=140377
2466
2467         Reviewed by Filip Pizlo.
2468
2469         The bytecode generator will emit code more than once for some AST nodes. For instance, 
2470         the finally block of TryNode will emit two code paths for its finally block: one for 
2471         the normal path, and another for the path where an exception is thrown in the catch block. 
2472         
2473         This repeated code emission of the same AST node previously broke how the control 
2474         flow profiler computed text ranges of basic blocks because when the same AST node 
2475         is emitted multiple times, there is a good chance that there are ranges that span 
2476         from the end offset of one of these duplicated nodes back to the start offset of 
2477         the same duplicated node. This caused a basic block range to report a larger start 
2478         offset than end offset. This was incorrect. Now, when this situation is encountered 
2479         while linking a CodeBlock, the faulty range in question is ignored.
2480
2481         * bytecode/CodeBlock.cpp:
2482         (JSC::CodeBlock::CodeBlock):
2483         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
2484         * bytecode/CodeBlock.h:
2485         * bytecompiler/NodesCodegen.cpp:
2486         (JSC::ForInNode::emitMultiLoopBytecode):
2487         (JSC::ForOfNode::emitBytecode):
2488         (JSC::TryNode::emitBytecode):
2489         * parser/Parser.cpp:
2490         (JSC::Parser<LexerType>::parseConditionalExpression):
2491         * runtime/ControlFlowProfiler.cpp:
2492         (JSC::ControlFlowProfiler::ControlFlowProfiler):
2493         * runtime/ControlFlowProfiler.h:
2494         (JSC::ControlFlowProfiler::dummyBasicBlock):
2495
2496 2015-01-19  Myles C. Maxfield  <mmaxfield@apple.com>
2497
2498         [SVG -> OTF Converter] Flip the switch on
2499         https://bugs.webkit.org/show_bug.cgi?id=140592
2500
2501         Reviewed by Antti Koivisto.
2502
2503         * Configurations/FeatureDefines.xcconfig:
2504
2505 2015-01-19  Brian J. Burg  <burg@cs.washington.edu>
2506
2507         Web Replay: convert to is<T> and downcast<T> for decoding replay inputs
2508         https://bugs.webkit.org/show_bug.cgi?id=140512
2509
2510         Reviewed by Chris Dumez.
2511
2512         Generate a SPECIALIZE_TYPE_TRAITS_* chunk of code for each input. This cannot
2513         be done using REPLAY_INPUT_NAMES_FOR_EACH macro since that doesn't fully qualify
2514         input types, and the type traits macro is defined in namespace WTF.
2515
2516         * replay/NondeterministicInput.h: Make overridden methods public.
2517         * replay/scripts/CodeGeneratorReplayInputs.py:
2518         (Generator.generate_header):
2519         (Generator.qualified_input_name): Allow forcing qualification. WTF is never a target framework.
2520         (Generator.generate_input_type_trait_declaration): Added.
2521         * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Add a template.
2522         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h:
2523         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h:
2524         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h:
2525         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h:
2526         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h:
2527         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h:
2528         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h:
2529         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h:
2530
2531 2015-01-19  Commit Queue  <commit-queue@webkit.org>
2532
2533         Unreviewed, rolling out r178653.
2534         https://bugs.webkit.org/show_bug.cgi?id=140634
2535
2536         Broke multiple SVG tests on Mountain Lion (Requested by ap on
2537         #webkit).
2538
2539         Reverted changeset:
2540
2541         "[SVG -> OTF Converter] Flip the switch on"
2542         https://bugs.webkit.org/show_bug.cgi?id=140592
2543         http://trac.webkit.org/changeset/178653
2544
2545 2015-01-18  Dean Jackson  <dino@apple.com>
2546
2547         ES6: Support Array.of construction
2548         https://bugs.webkit.org/show_bug.cgi?id=140605
2549         <rdar://problem/19513655>
2550
2551         Reviewed by Geoffrey Garen.
2552
2553         Add an implementation of Array.of, described in 22.1.2.3 of the ES6
2554         specification (15 Jan 2015). The Array.of() method creates a new Array
2555         instance with a variable number of arguments, regardless of number or type
2556         of the arguments.
2557
2558         * runtime/ArrayConstructor.cpp:
2559         (JSC::arrayConstructorOf): Create a new empty Array, then iterate
2560         over the arguments, setting them to the appropriate index.
2561
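As an added example (not JavaScriptCore code), the block below writes Array.of in the shape of ES6 22.1.2.3, the same steps arrayConstructorOf performs, and compares it with the built-in and with Array(n), whose single-number argument is a length rather than an element. The names arrayOf, Stack and compare are this example's own.

```javascript
// Added example, not JavaScriptCore code: a spec-shaped Array.of (ES6
// 22.1.2.3) next to the built-in, showing what arrayConstructorOf has to
// do and why Array.of exists. Unlike Array(n), a single numeric argument
// is an element, not a length.

function arrayOf(...items) {
  const len = items.length;
  // Steps 4-6: if the receiver is a constructor (e.g. a subclass of Array),
  // construct through it so the result has the right prototype; otherwise
  // fall back to ArrayCreate(len).
  const C = this;
  const a = typeof C === "function" ? new C(len) : new Array(len);
  // Step 7: CreateDataPropertyOrThrow for each argument at its own index,
  // so even an explicit undefined becomes a present element, not a hole.
  for (let k = 0; k < len; k++) {
    Object.defineProperty(a, k, {
      value: items[k], writable: true, enumerable: true, configurable: true,
    });
  }
  // Step 8: Set(A, "length", len, true).
  a.length = len;
  return a;
}

class Stack extends Array {}

// Side-by-side comparison with the built-in and with Array(n).
function compare(n) {
  return {
    ofLength: arrayOf.call(Array, n).length,      // 1: n is an element
    builtinOfLength: Array.of(n).length,          // 1
    ctorLength: Array(n).length,                  // n: n is a length
    subclassOk: arrayOf.call(Stack, n, n) instanceof Stack,
  };
}
```

compare(7) returns ofLength 1, builtinOfLength 1, ctorLength 7 and subclassOk true; arrayOf.call(Array, undefined) has length 1 with index 0 present, which is what distinguishes CreateDataProperty from a plain length assignment.
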
2562 2015-01-19  Myles C. Maxfield  <mmaxfield@apple.com>
2563
2564         [SVG -> OTF Converter] Flip the switch on
2565         https://bugs.webkit.org/show_bug.cgi?id=140592
2566
2567         Reviewed by Antti Koivisto.
2568
2569         * Configurations/FeatureDefines.xcconfig:
2570
2571 2015-01-17  Brian J. Burg  <burg@cs.washington.edu>
2572
2573         Web Inspector: highlight data for overlay should use protocol type builders
2574         https://bugs.webkit.org/show_bug.cgi?id=129441
2575
2576         Reviewed by Timothy Hatcher.
2577
2578         Add a new domain for overlay types.
2579
2580         * CMakeLists.txt:
2581         * DerivedSources.make:
2582         * inspector/protocol/OverlayTypes.json: Added.
2583
2584 2015-01-17  Michael Saboff  <msaboff@apple.com>
2585
2586         Crash in JSScope::resolve() on tools.ups.com
2587         https://bugs.webkit.org/show_bug.cgi?id=140579
2588
2589         Reviewed by Geoffrey Garen.
2590
2591         For op_resolve_scope of a global property or variable that needs to check for the var
2592         injection check watchpoint, we need to keep the scope around with a Phantom.  The
2593         baseline JIT slowpath for op_resolve_scope needs the scope value if the watchpoint
2594         fired.
2595
2596         * dfg/DFGByteCodeParser.cpp:
2597         (JSC::DFG::ByteCodeParser::parseBlock):
2598
2599 2015-01-16  Brian J. Burg  <burg@cs.washington.edu>
2600
2601         Web Inspector: code generator should introduce typedefs for protocol types that are arrays
2602         https://bugs.webkit.org/show_bug.cgi?id=140557
2603
2604         Reviewed by Joseph Pecoraro.
2605
2606         Currently, there is no generated type name for "array" type declarations such as Console.CallStack.
2607         This makes it long-winded and confusing to use the type in C++ code.
2608
2609         This patch adds a typedef for array type declarations, so types such as Console::CallStack
2610         can be referred to directly, rather than using Inspector::Protocol::Array<Console::CallFrame>.
2611
2612         Some tests were updated to cover array type declarations used as parameters and type members.
2613
2614         * inspector/ScriptCallStack.cpp: Use the new typedef.
2615         (Inspector::ScriptCallStack::buildInspectorArray):
2616         * inspector/ScriptCallStack.h:
2617         * inspector/scripts/codegen/cpp_generator.py:
2618         (CppGenerator.cpp_protocol_type_for_type): If an ArrayType is nominal, use the typedef'd name instead.
2619         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2620         (_generate_typedefs_for_domain): Also generate typedefs for array type declarations.
2621         (_generate_typedefs_for_domain.Inspector):
2622         * inspector/scripts/codegen/models.py: Save the name of an ArrayType when it is a type declaration.
2623         (ArrayType.__init__):
2624         (Protocol.resolve_types):
2625         (Protocol.lookup_type_reference):
2626         * inspector/scripts/tests/commands-with-async-attribute.json:
2627         * inspector/scripts/tests/commands-with-optional-call-return-parameters.json:
2628         * inspector/scripts/tests/events-with-optional-parameters.json:
2629         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2630         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2631         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2632         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2633         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2634         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2635         * inspector/scripts/tests/type-declaration-object-type.json:
2636
2637 2015-01-16  Brian J. Burg  <burg@cs.washington.edu>
2638
2639         Web Replay: purge remaining PassRefPtr uses and minor cleanup
2640         https://bugs.webkit.org/show_bug.cgi?id=140456
2641
2642         Reviewed by Andreas Kling.
2643
2644         Get rid of PassRefPtr. Introduce default initializers where it makes sense.
2645         Remove mistaken uses of AtomicString that were not removed as part of r174113.
2646
2647         * replay/EmptyInputCursor.h:
2648         * replay/InputCursor.h:
2649         (JSC::InputCursor::InputCursor):
2650
2651 2015-01-16  Brian J. Burg  <burg@cs.washington.edu>
2652
2653         Web Inspector: code generator should fail on duplicate parameter and member names
2654         https://bugs.webkit.org/show_bug.cgi?id=140555
2655
2656         Reviewed by Timothy Hatcher.
2657
2658         * inspector/scripts/codegen/models.py:
2659         (find_duplicates): Add a helper function to find duplicates in a list.
2660         (Protocol.parse_type_declaration):
2661         (Protocol.parse_command):
2662         (Protocol.parse_event):
2663         * inspector/scripts/tests/expected/fail-on-duplicate-command-call-parameter-names.json-error: Added.
2664         * inspector/scripts/tests/expected/fail-on-duplicate-command-return-parameter-names.json-error: Added.
2665         * inspector/scripts/tests/expected/fail-on-duplicate-event-parameter-names.json-error: Added.
2666         * inspector/scripts/tests/expected/fail-on-duplicate-type-member-names.json-error: Added.
2667         * inspector/scripts/tests/fail-on-duplicate-command-call-parameter-names.json: Added.
2668         * inspector/scripts/tests/fail-on-duplicate-command-return-parameter-names.json: Added.
2669         * inspector/scripts/tests/fail-on-duplicate-event-parameter-names.json: Added.
2670         * inspector/scripts/tests/fail-on-duplicate-type-member-names.json: Added.
2671
2672 2015-01-16  Michael Saboff  <msaboff@apple.com>
2673
2674         REGRESSION (r174226): Header on huffingtonpost.com is too large
2675         https://bugs.webkit.org/show_bug.cgi?id=140306
2676
2677         Reviewed by Filip Pizlo.
2678
2679         BytecodeGenerator::willResolveToArguments() is used to check to see if we can use the
2680         arguments register or whether we need to resolve "arguments".  If the arguments have
2681         been captured, then they are stored in the lexical environment and the arguments
2682         register is not used.
2683
2684         Changed BytecodeGenerator::willResolveToArguments() to also check to see if the arguments
2685         register is captured.  Renamed the function to willResolveToArgumentsRegister() to
2686         better indicate what we are checking.
2687
2688         Aligned 32 and 64 bit paths in ArgumentsRecoveryGenerator::generateFor() for creating
2689         an arguments object that was optimized out of an inlined callFrame.  The 32 bit path
2690         incorrectly calculated the location of the reified callee frame.  This alignment resulted
2691         in the removal of operationCreateInlinedArgumentsDuringOSRExit().
2692
2693         * bytecompiler/BytecodeGenerator.cpp:
2694         (JSC::BytecodeGenerator::willResolveToArgumentsRegister):
2695         (JSC::BytecodeGenerator::uncheckedLocalArgumentsRegister):
2696         (JSC::BytecodeGenerator::emitCall):
2697         (JSC::BytecodeGenerator::emitConstruct):
2698         (JSC::BytecodeGenerator::emitEnumeration):
2699         (JSC::BytecodeGenerator::willResolveToArguments): Deleted.
2700         * bytecompiler/BytecodeGenerator.h:
2701         * bytecompiler/NodesCodegen.cpp:
2702         (JSC::BracketAccessorNode::emitBytecode):
2703         (JSC::DotAccessorNode::emitBytecode):
2704         (JSC::getArgumentByVal):
2705         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2706         (JSC::ArrayPatternNode::emitDirectBinding):
2707         * dfg/DFGOSRExitCompilerCommon.cpp:
2708         (JSC::DFG::ArgumentsRecoveryGenerator::generateFor):
2709         * dfg/DFGOperations.cpp:
2710         (JSC::operationCreateInlinedArgumentsDuringOSRExit): Deleted.
2711         * dfg/DFGOperations.h:
2712         (JSC::operationCreateInlinedArgumentsDuringOSRExit): Deleted.
2713
2714 2015-01-15  Csaba Osztrogonác  <ossy@webkit.org>
2715
2716         Remove ENABLE(SQL_DATABASE) guards
2717         https://bugs.webkit.org/show_bug.cgi?id=140434
2718
2719         Reviewed by Darin Adler.
2720
2721         * CMakeLists.txt:
2722         * Configurations/FeatureDefines.xcconfig:
2723         * DerivedSources.make:
2724         * inspector/protocol/Database.json:
2725
2726 2015-01-14  Alexey Proskuryakov  <ap@apple.com>
2727
2728         Web Inspector and regular console use different source code locations for messages
2729         https://bugs.webkit.org/show_bug.cgi?id=140478
2730
2731         Reviewed by Brian Burg.
2732
2733         * inspector/ConsoleMessage.h: Expose computed source location.
2734
2735         * inspector/agents/InspectorConsoleAgent.cpp:
2736         (Inspector::InspectorConsoleAgent::addMessageToConsole):
2737         (Inspector::InspectorConsoleAgent::stopTiming):
2738         (Inspector::InspectorConsoleAgent::count):
2739         * inspector/agents/InspectorConsoleAgent.h:
2740         addMessageToConsole() now takes a pre-made ConsoleMessage object.
2741
2742         * inspector/JSGlobalObjectConsoleClient.cpp:
2743         (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
2744         (Inspector::JSGlobalObjectConsoleClient::warnUnimplemented):
2745         * inspector/JSGlobalObjectInspectorController.cpp:
2746         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
2747         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
2748         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
2749         Updated for the above changes.
2750
2751 2015-01-15  Mark Lam  <mark.lam@apple.com>
2752
2753         [Part 2] Argument object created by "Function dot arguments" should use a clone of argument values.
2754         <https://webkit.org/b/140093>
2755
2756         Reviewed by Geoffrey Garen.
2757
2758         * interpreter/StackVisitor.cpp:
2759         (JSC::StackVisitor::Frame::createArguments):
2760         - We should not be fetching the lexicalEnvironment here.  The reason we've
2761           introduced the ClonedArgumentsCreationMode is because the lexicalEnvironment
2762           may not be available to us at this point.  Instead, we'll just pass a nullptr.
2763
2764         * runtime/Arguments.cpp:
2765         (JSC::Arguments::tearOffForCloning):
2766         * runtime/Arguments.h:
2767         (JSC::Arguments::finishCreation):
2768         - Use the new tearOffForCloning() to tear off arguments right out of the values
2769           passed on the stack.  tearOff() is not appropriate for this purpose because
2770           it takes slowArgumentsData into account.
2771
2772 2015-01-14  Matthew Mirman  <mmirman@apple.com>
2773
2774         Removed accidental commit of "invalid_array.js" 
2775         http://trac.webkit.org/changeset/178439
2776
2777         * tests/stress/invalid_array.js: Removed.
2778
2779 2015-01-14  Matthew Mirman  <mmirman@apple.com>
2780
2781         Fixes operationPutByIdOptimizes such that they check that the put didn't
2782         change the structure of the object whose property access is being
2783         cached.  Also removes uses of the new base value from the cache generation code.
2784         https://bugs.webkit.org/show_bug.cgi?id=139500
2785
2786         Reviewed by Filip Pizlo.
2787
2788         * jit/JITOperations.cpp:
2789         (JSC::operationPutByIdStrictOptimize): saved the structure before the put.
2790         (JSC::operationPutByIdNonStrictOptimize): ditto.
2791         (JSC::operationPutByIdDirectStrictOptimize): ditto.
2792         (JSC::operationPutByIdDirectNonStrictOptimize): ditto.
2793         * jit/Repatch.cpp:
2794         (JSC::generateByIdStub):
2795         (JSC::tryCacheGetByID):
2796         (JSC::tryBuildGetByIDList):
2797         (JSC::emitPutReplaceStub):
2798         (JSC::emitPutTransitionStubAndGetOldStructure): Added.
2799         (JSC::tryCachePutByID):
2800         (JSC::repatchPutByID):
2801         (JSC::tryBuildPutByIdList):
2802         (JSC::tryRepatchIn):
2803         (JSC::emitPutTransitionStub): Deleted.
2804         * jit/Repatch.h:
2805         * llint/LLIntSlowPaths.cpp:
2806         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2807         * runtime/JSPropertyNameEnumerator.h:
2808         (JSC::genericPropertyNameEnumerator):
2809         * runtime/Operations.h:
2810         (JSC::normalizePrototypeChainForChainAccess): restructured to not use the base value.
2811         (JSC::normalizePrototypeChain): restructured to not use the base value.
2812         * tests/mozilla/mozilla-tests.yaml:
2813         * tests/stress/proto-setter.js: Added.
2814         * tests/stress/put-by-id-build-list-order-recurse.js: Added.
2815         Added test that fails without this patch.
2816
2817 2015-01-13  Joseph Pecoraro  <pecoraro@apple.com>
2818
2819         Web Inspector: Remove unused ResizeImage and DecodeImageData timeline events
2820         https://bugs.webkit.org/show_bug.cgi?id=140404
2821
2822         Reviewed by Timothy Hatcher.
2823
2824         * inspector/protocol/Timeline.json:
2825
2826 2015-01-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2827
2828         DFG can call PutByValDirect for generic arrays
2829         https://bugs.webkit.org/show_bug.cgi?id=140389
2830
2831         Reviewed by Geoffrey Garen.
2832
2833         Computed properties in object initializers (ES6) use the put_by_val_direct operation.
2834         However, the current DFG asserts that put_by_val_direct is not used for generic arrays,
2835         so the assertion failure is raised.
2836         This patch allows the DFG to use put_by_val_direct on generic arrays.
2837
2838         It also fixes the DFG put_by_val_direct implementation for string properties.
2839         At first, put_by_val_direct was intended to be used for spread elements,
2840         so the property keys were limited to numbers (indexes).
2841         But now it is also used for computed properties in object initializers.
2842
2843         * dfg/DFGOperations.cpp:
2844         (JSC::DFG::operationPutByValInternal):
2845         * dfg/DFGSpeculativeJIT64.cpp:
2846         (JSC::DFG::SpeculativeJIT::compile):
2847
2848 2015-01-13  Geoffrey Garen  <ggaren@apple.com>
2849
2850         Out of bounds access in BytecodeGenerator::emitGetById under DotAccessorNode::emitBytecode
2851         https://bugs.webkit.org/show_bug.cgi?id=140397
2852
2853         Reviewed by Geoffrey Garen.
2854
2855         Patch by Alexey Proskuryakov.
2856
2857         Reviewed, performance tested, and ChangeLogged by Geoffrey Garen.
2858
2859         No performance change.
2860
2861         No test, since this is a small past-the-end read, which is very
2862         difficult to turn into a reproducible failing test -- and existing tests
2863         crash reliably using ASan.
2864
2865         * bytecompiler/NodesCodegen.cpp:
2866         (JSC::BracketAccessorNode::emitBytecode):
2867         (JSC::DotAccessorNode::emitBytecode):
2868         (JSC::FunctionCallBracketNode::emitBytecode):
2869         (JSC::PostfixNode::emitResolve):
2870         (JSC::DeleteBracketNode::emitBytecode):
2871         (JSC::DeleteDotNode::emitBytecode):
2872         (JSC::PrefixNode::emitResolve):
2873         (JSC::UnaryOpNode::emitBytecode):
2874         (JSC::BitwiseNotNode::emitBytecode):
2875         (JSC::BinaryOpNode::emitBytecode):
2876         (JSC::EqualNode::emitBytecode):
2877         (JSC::StrictEqualNode::emitBytecode):
2878         (JSC::ThrowableBinaryOpNode::emitBytecode):
2879         (JSC::AssignDotNode::emitBytecode):
2880         (JSC::AssignBracketNode::emitBytecode): Use RefPtr in more places. Any
2881         register used across a call to a function that might allocate a new
2882         temporary register must be held in a RefPtr.
2883
2884 2015-01-12  Michael Saboff  <msaboff@apple.com>
2885
2886         Local JSArray* "keys" in objectConstructorKeys() is not marked during garbage collection
2887         https://bugs.webkit.org/show_bug.cgi?id=140348
2888
2889         Reviewed by Mark Lam.
2890
2891         We used to read registers in MachineThreads::gatherFromCurrentThread(), but that is too late
2892         because those registers may have been spilled on the stack and replaced with other values by
2893         the time we call down to gatherFromCurrentThread().
2894
2895         Now we get the register contents at the same place that we demarcate the current top of
2896         stack using the address of a local variable, in Heap::markRoots().  The register contents
2897         buffer is passed along with the demarcation pointer.  These need to be done at this level 
2898         in the call tree and no lower, as markRoots() calls various functions that visit object
2899         pointers that may be later proven dead.  Any of those pointers that are left on the
2900         stack or in registers could be incorrectly marked as live if we scan the stack contents
2901         from a called function or one of its callees.  The stack demarcation pointer and register
2902         saving need to be done in the same function so that we have a consistent stack, active
2903         and spilled registers.
2904
2905         Because we don't want to make unnecessary calls to get the register contents, we use
2906         a macro to allocate, and possibly align, the register structure and get the actual
2907         register contents.
2908
2910         * heap/Heap.cpp:
2911         (JSC::Heap::markRoots):
2912         (JSC::Heap::gatherStackRoots):
2913         * heap/Heap.h:
2914         * heap/MachineStackMarker.cpp:
2915         (JSC::MachineThreads::gatherFromCurrentThread):
2916         (JSC::MachineThreads::gatherConservativeRoots):
2917         * heap/MachineStackMarker.h:
2918
2919 2015-01-12  Benjamin Poulain  <benjamin@webkit.org>
2920
2921         Add basic pattern matching support to the url filters
2922         https://bugs.webkit.org/show_bug.cgi?id=140283
2923
2924         Reviewed by Andreas Kling.
2925
2926         * JavaScriptCore.xcodeproj/project.pbxproj:
2927         Make YarrParser.h private in order to use it from WebCore.
2928
2929 2015-01-12  Geoffrey Garen  <ggaren@apple.com>
2930
2931         Out of bounds read in IdentifierArena::makeIdentifier
2932         https://bugs.webkit.org/show_bug.cgi?id=140376
2933
2934         Patch by Alexey Proskuryakov.
2935
2936         Reviewed and ChangeLogged by Geoffrey Garen.
2937
2938         No test, since this is a small past-the-end read, which is very
2939         difficult to turn into a reproducible failing test -- and existing tests
2940         crash reliably using ASan.
2941
2942         * parser/ParserArena.h:
2943         (JSC::IdentifierArena::makeIdentifier):
2944         (JSC::IdentifierArena::makeIdentifierLCharFromUChar): Check for a
2945         zero-length string input, like we do in the literal parser, since it is
2946         not valid to dereference characters in a zero-length string.
2947
2948         A zero-length string is allowed in JavaScript -- for example, "".
2949
2950 2015-01-11  Sam Weinig  <sam@webkit.org>
2951
2952         Remove support for SharedWorkers
2953         https://bugs.webkit.org/show_bug.cgi?id=140344
2954
2955         Reviewed by Anders Carlsson.
2956
2957         * Configurations/FeatureDefines.xcconfig:
2958
2959 2015-01-12  Myles C. Maxfield  <mmaxfield@apple.com>
2960
2961         Allow targeting the SVG->OTF font converter with ENABLE(SVG_OTF_CONVERTER)
2962         https://bugs.webkit.org/show_bug.cgi?id=136769
2963
2964         Reviewed by Antti Koivisto.
2965
2966         * Configurations/FeatureDefines.xcconfig:
2967
2968 2015-01-12  Commit Queue  <commit-queue@webkit.org>
2969
2970         Unreviewed, rolling out r178266.
2971         https://bugs.webkit.org/show_bug.cgi?id=140363
2972
2973         Broke a JSC test (Requested by ap on #webkit).
2974
2975         Reverted changeset:
2976
2977         "Local JSArray* "keys" in objectConstructorKeys() is not
2978         marked during garbage collection"
2979         https://bugs.webkit.org/show_bug.cgi?id=140348
2980         http://trac.webkit.org/changeset/178266
2981
2982 2015-01-12  Michael Saboff  <msaboff@apple.com>
2983
2984         Local JSArray* "keys" in objectConstructorKeys() is not marked during garbage collection
2985         https://bugs.webkit.org/show_bug.cgi?id=140348
2986
2987         Reviewed by Mark Lam.
2988
2989         Move the address of the local variable that is used to demarcate the top of the stack for 
2990         conservative roots down to MachineThreads::gatherFromCurrentThread() since it also gets
2991         the register values using setjmp().  That way we don't lose any callee save register
2992         contents between Heap::markRoots(), where it was set, and gatherFromCurrentThread().
2993         If we lose any JSObject* that are only in callee save registers, they will be GC'ed
2994         erroneously.
2995
2996         * heap/Heap.cpp:
2997         (JSC::Heap::markRoots):
2998         (JSC::Heap::gatherStackRoots):
2999         * heap/Heap.h:
3000         * heap/MachineStackMarker.cpp:
3001         (JSC::MachineThreads::gatherFromCurrentThread):
3002         (JSC::MachineThreads::gatherConservativeRoots):
3003         * heap/MachineStackMarker.h:
3004
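Added example, not JavaScriptCore code: a toy conservative root scanner in C++ that illustrates the point both entries for bug 140348 make, namely that the setjmp() register snapshot and the stack-top marker must be taken in the same frame so that object pointers held only in a caller's callee-saved registers are not lost before the scan. Every name here (Cell, allocate, scanRange, markRoots, holdPointerAcrossMark, runDemo) is constructed for this example, and it assumes a GCC or Clang toolchain for the function attributes.

```cpp
#include <algorithm>
#include <csetjmp>
#include <cstdint>
#include <vector>

// Constructed toy heap: a "cell" is any object the collector may keep alive.
struct Cell {
    bool marked = false;
};

static std::vector<Cell*> g_allCells;      // every allocation, so the scanner can recognise addresses
static const void* g_stackBase = nullptr;  // recorded by the outermost frame we care about

__attribute__((noinline)) static Cell* allocate() {
    Cell* cell = new Cell;
    g_allCells.push_back(cell);
    return cell;
}

// Conservative scan: any word-aligned value in [lo, hi) that equals a cell
// address marks that cell. Reads raw stack memory, so keep ASan out of it.
__attribute__((noinline, no_sanitize_address))
static void scanRange(const void* lo, const void* hi) {
    uintptr_t start = reinterpret_cast<uintptr_t>(lo);
    uintptr_t end = reinterpret_cast<uintptr_t>(hi);
    if (start > end)
        std::swap(start, end);  // do not assume which way the stack grows
    start = (start + sizeof(uintptr_t) - 1) & ~static_cast<uintptr_t>(sizeof(uintptr_t) - 1);
    for (uintptr_t p = start; p + sizeof(uintptr_t) <= end; p += sizeof(uintptr_t)) {
        uintptr_t word = *reinterpret_cast<const volatile uintptr_t*>(p);
        for (Cell* cell : g_allCells) {
            if (word == reinterpret_cast<uintptr_t>(cell))
                cell->marked = true;
        }
    }
}

// The fix described in the entries: snapshot the registers and demarcate the
// stack top in the same frame. A pointer that a caller keeps only in a
// callee-saved register is then inside the jmp_buf; one the caller spilled is
// inside the scanned stack range. Doing the setjmp() in a deeper callee would
// let that callee reuse the register before the snapshot is taken.
__attribute__((noinline)) static void markRoots() {
    jmp_buf registers;
    setjmp(registers);  // saves the callee-saved registers into a local buffer
    volatile int stackTopMarker = 0;
    const void* stackTop = const_cast<const int*>(&stackTopMarker);
    scanRange(&registers, reinterpret_cast<const char*>(&registers) + sizeof(registers));
    scanRange(stackTop, g_stackBase);
}

// Holds a cell pointer only in this frame (register or spill slot) across the mark.
__attribute__((noinline)) static bool holdPointerAcrossMark() {
    Cell* cell = allocate();
    markRoots();
    return cell->marked;  // true: the scanner found the pointer in a register or on the stack
}

// Records the stack base in a frame above the one holding the pointer, runs the
// scan, frees the toy heap and reports whether the pointer was found.
__attribute__((noinline)) bool runDemo() {
    volatile int stackBaseMarker = 0;
    g_stackBase = const_cast<const int*>(&stackBaseMarker);
    bool found = holdPointerAcrossMark();
    for (Cell* cell : g_allCells)
        delete cell;
    g_allCells.clear();
    return found;
}
```
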
3005 2015-01-11  Eric Carlson  <eric.carlson@apple.com>
3006
3007         Fix typo in testate.c error messages
3008         https://bugs.webkit.org/show_bug.cgi?id=140305
3009
3010         Reviewed by Geoffrey Garen.
3011
3012         * API/tests/testapi.c:
3013         (main): "... script did not timed out ..." -> "... script did not time out ..."
3014
3015 2015-01-09  Michael Saboff  <msaboff@apple.com>
3016
3017         Breakpoint doesn't fire in this HTML5 game
3018         https://bugs.webkit.org/show_bug.cgi?id=140269
3019
3020         Reviewed by Mark Lam.
3021
3022         When parsing a single line cached function, use the lineStartOffset of the
3023         location where we found the cached function instead of the cached lineStartOffset.
3024         The cache location's lineStartOffset has not been adjusted for any possible
3025         containing functions.
3026
3027         This change is not needed for multi-line cached functions.  Consider the
3028         single line source:
3029
3030         function outer(){function inner1(){doStuff();}; (function inner2() {doMoreStuff()})()}
3031
3032         In the first parser pass, we parse and cache inner1() and inner2() with a lineStartOffset
3033         of 0.  Later, when we parse outer() and find inner1() in the cache, the SourceCode start
3034         character is at outer()'s outermost open brace.  That is what we should use for
3035         lineStartOffset for inner1().  When done parsing inner1() we set the parsing token
3036         to the saved location for inner1(), including the lineStartOffset of 0.  We need
3037         to use the value of lineStartOffset before we started parsing inner1().  That is
3038         what the fix does.  When we parse inner2() the lineStartOffset will be correct.
3039
3040         For a multi-line function, the close brace is guaranteed to be on a different line
3041         than the open brace.  Hence, its lineStartOffset will not change with the change of
3042         the SourceCode start character.
3043
3044         * parser/Parser.cpp:
3045         (JSC::Parser<LexerType>::parseFunctionInfo):
3046
3047 2015-01-09  Joseph Pecoraro  <pecoraro@apple.com>
3048
3049         Web Inspector: Uncaught Exception in ProbeManager deleting breakpoint
3050         https://bugs.webkit.org/show_bug.cgi?id=140279
3051         rdar://problem/19422299
3052
3053         Reviewed by Oliver Hunt.
3054
3055         * runtime/MapData.cpp:
3056         (JSC::MapData::replaceAndPackBackingStore):
3057         The cell table also needs to have its values fixed.
3058
3059 2015-01-09  Joseph Pecoraro  <pecoraro@apple.com>
3060
3061         Web Inspector: Remove or use TimelineAgent Resource related event types
3062         https://bugs.webkit.org/show_bug.cgi?id=140155
3063
3064         Reviewed by Timothy Hatcher.
3065
3066         Remove unused / stale Timeline event types.
3067
3068         * inspector/protocol/Timeline.json:
3069
3070 2015-01-09  Csaba Osztrogonác  <ossy@webkit.org>
3071
3072         REGRESSION(r177925): It broke the !ENABLE(INSPECTOR) build
3073         https://bugs.webkit.org/show_bug.cgi?id=140098
3074
3075         Reviewed by Brian Burg.
3076
3077         * inspector/InspectorBackendDispatcher.h: Missing ENABLE(INSPECTOR) guard added.
3078
3079 2015-01-08  Mark Lam  <mark.lam@apple.com>
3080
3081         Argument object created by "Function dot arguments" should use a clone of the argument values.
3082         <https://webkit.org/b/140093>
3083
3084         Reviewed by Geoffrey Garen.
3085
3086         After the change in <https://webkit.org/b/139827>, the dfg-tear-off-arguments-not-activation.js
3087         test will crash.  The relevant code which manifests the issue is as follows:
3088
3089             function bar() {
3090                 return foo.arguments;
3091             }
3092
3093             function foo(p) {
3094                 var x = 42;
3095                 if (p)
3096                     return (function() { return x; });
3097                 else
3098                     return bar();
3099             }
3100
3101         In this case, foo() has no knowledge of bar() needing its LexicalEnvironment and
3102         has dead-code-eliminated the SetLocal that stores it into its designated local.
3103         In bar(), the factory for the Arguments object (for creating foo.arguments) tries
3104         to read foo's LexicalEnvironment from its designated lexicalEnvironment local,
3105         but instead, finds it to be uninitialized.  This results in a null pointer access
3106         which causes a crash.
3107
3108         This can be resolved by having bar() instantiate a clone of the Arguments object
3109         instead, and populate its elements with values fetched directly from foo's frame.
3110         There's no need to reference foo's LexicalEnvironment (whether present or not).
3111
3112         * interpreter/StackVisitor.cpp:
3113         (JSC::StackVisitor::Frame::createArguments):
3114         * runtime/Arguments.h:
3115         (JSC::Arguments::finishCreation):
3116
3117 2015-01-08  Mark Lam  <mark.lam@apple.com>
3118
3119         Make the LLINT and Baseline JIT's op_create_arguments and op_get_argument_by_val use their lexicalEnvironment operand.
3120         <https://webkit.org/b/140236>
3121
3122         Reviewed by Geoffrey Garen.
3123
3124         Will change the DFG to use the operand on a subsequent pass.  For now,
3125         the DFG uses a temporary thunk (operationCreateArgumentsForDFG()) to
3126         retain the old behavior of getting the lexicalEnvironment from the
3127         ExecState.
3128
3129         * bytecompiler/BytecodeGenerator.cpp:
3130         (JSC::BytecodeGenerator::BytecodeGenerator):
3131         (JSC::BytecodeGenerator::emitGetArgumentByVal):
3132         (JSC::BytecodeGenerator::createArgumentsIfNecessary):
3133         - When the lexicalEnvironment is not available, pass the invalid VirtualRegister
3134           instead of an empty JSValue as the lexicalEnvironment operand.
3135
3136         * dfg/DFGOperations.cpp:
3137         - Use the lexicalEnvironment from the ExecState for now.
3138
3139         * dfg/DFGSpeculativeJIT32_64.cpp:
3140         (JSC::DFG::SpeculativeJIT::compile):
3141         * dfg/DFGSpeculativeJIT64.cpp:
3142         (JSC::DFG::SpeculativeJIT::compile):
3143         - Use the operationCreateArgumentsForDFG() thunk for now.
3144
3145         * interpreter/CallFrame.cpp:
3146         (JSC::CallFrame::lexicalEnvironmentOrNullptr):
3147         * interpreter/CallFrame.h:
3148         - Added this convenience function to return either the
3149           lexicalEnvironment or a nullptr so that we don't need to do a
3150           conditional check on codeBlock->needsActivation() at multiple sites.
3151
3152         * interpreter/StackVisitor.cpp:
3153         (JSC::StackVisitor::Frame::createArguments):
3154         * jit/JIT.h:
3155         * jit/JITInlines.h:
3156         (JSC::JIT::callOperation):
3157         * jit/JITOpcodes.cpp:
3158         (JSC::JIT::emit_op_create_arguments):
3159         (JSC::JIT::emitSlow_op_get_argument_by_val):
3160         * jit/JITOpcodes32_64.cpp:
3161         (JSC::JIT::emit_op_create_arguments):
3162         (JSC::JIT::emitSlow_op_get_argument_by_val):
3163         * jit/JITOperations.cpp:
3164         * jit/JITOperations.h:
3165         * llint/LLIntSlowPaths.cpp:
3166         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3167         * runtime/Arguments.h:
3168         (JSC::Arguments::create):
3169         (JSC::Arguments::finishCreation):
3170         * runtime/CommonSlowPaths.cpp:
3171         (JSC::SLOW_PATH_DECL):
3172         * runtime/JSLexicalEnvironment.cpp:
3173         (JSC::JSLexicalEnvironment::argumentsGetter):
3174
3175 2015-01-08  Joseph Pecoraro  <pecoraro@apple.com>
3176
3177         Web Inspector: Pause Reason Improvements (Breakpoint, Debugger Statement, Pause on Next Statement)
3178         https://bugs.webkit.org/show_bug.cgi?id=138991
3179
3180         Reviewed by Timothy Hatcher.
3181
3182         * debugger/Debugger.cpp:
3183         (JSC::Debugger::Debugger):
3184         (JSC::Debugger::pauseIfNeeded):
3185         (JSC::Debugger::didReachBreakpoint):
3186         When actually pausing, if we hit a breakpoint ensure the reason
3187         is PausedForBreakpoint, otherwise use the current reason.
3188
3189         * debugger/Debugger.h:
3190         Make pause reason and pausing breakpoint ID public.
3191
3192         * inspector/agents/InspectorDebuggerAgent.h:
3193         * inspector/agents/InspectorDebuggerAgent.cpp:
3194         (Inspector::buildAssertPauseReason):
3195         (Inspector::buildCSPViolationPauseReason):
3196         (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
3197         (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason):
3198         (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
3199         (Inspector::buildObjectForBreakpointCookie):
3200         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
3201         (Inspector::InspectorDebuggerAgent::removeBreakpoint):
3202         (Inspector::InspectorDebuggerAgent::resolveBreakpoint):
3203         (Inspector::InspectorDebuggerAgent::pause):
3204         (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP):
3205         (Inspector::InspectorDebuggerAgent::currentCallFrames):
3206         (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
3207         Clean up creation of pause reason objects and other cleanup
3208         of PassRefPtr use and InjectedScript use.
3209
3210         (Inspector::InspectorDebuggerAgent::didPause):
3211         Clean up so that we first check for an Exception, and then fall
3212         back to including a Pause Reason derived from the Debugger.
3213
3214         * inspector/protocol/Debugger.json:
3215         Add new DebuggerStatement, Breakpoint, and PauseOnNextStatement reasons.
3216
3217 2015-01-08  Joseph Pecoraro  <pecoraro@apple.com>
3218
3219         Web Inspector: Type check NSArray's in ObjC Interfaces have the right object types
3220         https://bugs.webkit.org/show_bug.cgi?id=140209
3221
3222         Reviewed by Timothy Hatcher.
3223
3224         Check the types of objects in NSArrays for all interfaces (commands, events, types)
3225         when the user can set an array of objects. Previously we were only type checking
3226         they were RWIJSONObjects, now we add an explicit check for the exact object type.
3227
3228         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
3229         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
3230         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
3231         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
3232         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
3233         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members):
3234         (ObjCProtocolTypesImplementationGenerator._generate_setter_for_member):
3235         * inspector/scripts/codegen/objc_generator.py:
3236         (ObjCGenerator.objc_class_for_array_type):
3237         (ObjCGenerator):
3238
3239 2015-01-07  Mark Lam  <mark.lam@apple.com>
3240
3241         Add the lexicalEnvironment as an operand to op_get_argument_by_val.
3242         <https://webkit.org/b/140233>
3243
3244         Reviewed by Filip Pizlo.
3245
3246         This patch only adds the operand to the bytecode.  It is not in use yet.
3247
3248         * bytecode/BytecodeList.json:
3249         * bytecode/BytecodeUseDef.h:
3250         (JSC::computeUsesForBytecodeOffset):
3251         * bytecode/CodeBlock.cpp:
3252         (JSC::CodeBlock::dumpBytecode):
3253         * bytecompiler/BytecodeGenerator.cpp:
3254         (JSC::BytecodeGenerator::emitGetArgumentByVal):
3255         * llint/LowLevelInterpreter32_64.asm:
3256         * llint/LowLevelInterpreter64.asm:
3257
3258 2015-01-07  Yusuke Suzuki  <utatane.tea@gmail.com>
3259
3260         Investigate the character type of repeated string instead of checking is8Bit flag
3261         https://bugs.webkit.org/show_bug.cgi?id=140139
3262
3263         Reviewed by Darin Adler.
3264
3265         Instead of checking the is8Bit flag of the repeated string, investigate
3266         the actual value of the repeated character, since the is8Bit flag gives a false negative case.
3267
3268         * runtime/StringPrototype.cpp:
3269         (JSC::repeatCharacter):
3270         (JSC::stringProtoFuncRepeat):
3271         (JSC::repeatSmallString): Deleted.
3272
3273 2015-01-07  Joseph Pecoraro  <pecoraro@apple.com>
3274
3275         Web Inspector: ObjC Generate types from the GenericTypes domain
3276         https://bugs.webkit.org/show_bug.cgi?id=140229
3277
3278         Reviewed by Timothy Hatcher.
3279
3280         Generate types from the GenericTypes domain, as they are expected
3281         by other domains (like Page domain). Also, don't include the @protocol
3282         forward declaration for a domain if it doesn't have any commands.
3283
3284         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
3285         (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations):
3286         (ObjCBackendDispatcherHeaderGenerator): Deleted.
3287         (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations_for_domains): Deleted.
3288         * inspector/scripts/codegen/objc_generator.py:
3289         (ObjCGenerator):
3290         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
3291         * inspector/scripts/tests/expected/enum-values.json-result:
3292         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
3293         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
3294         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
3295         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
3296         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
3297         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
3298         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
3299         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
3300         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
3301
3302 2015-01-07  Joseph Pecoraro  <pecoraro@apple.com>
3303
3304         Web Inspector: Remove unnecessary copyRef for paramsObject in generated dispatchers
3305         https://bugs.webkit.org/show_bug.cgi?id=140228
3306
3307         Reviewed by Timothy Hatcher.
3308
3309         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
3310         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
3311         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
3312         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
3313         * inspector/scripts/tests/expected/enum-values.json-result:
3314         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
3315
3316 2015-01-07  Saam Barati  <saambarati1@gmail.com>
3317
3318         interpret op_profile_type in the LLInt instead of unconditionally calling into the slow path
3319         https://bugs.webkit.org/show_bug.cgi?id=140165
3320
3321         Reviewed by Michael Saboff.
3322
3323         Inlining the functionality of TypeProfilerLog::recordTypeInformationForLocation
3324         into the LLInt speeds up type profiling.
3325
3326         * llint/LLIntOffsetsExtractor.cpp:
3327         * llint/LowLevelInterpreter.asm:
3328         * llint/LowLevelInterpreter32_64.asm:
3329         * llint/LowLevelInterpreter64.asm:
3330         * runtime/CommonSlowPaths.cpp:
3331         (JSC::SLOW_PATH_DECL):
3332         * runtime/CommonSlowPaths.h:
3333         * runtime/TypeProfilerLog.h:
3334         (JSC::TypeProfilerLog::recordTypeInformationForLocation): Deleted.
3335
3336 2015-01-07  Brian J. Burg  <burg@cs.washington.edu>
3337
3338         Web Inspector: purge PassRefPtr from Inspector code and use Ref for typed and untyped protocol objects
3339         https://bugs.webkit.org/show_bug.cgi?id=140053
3340
3341         Reviewed by Andreas Kling.
3342
3343         This patch replaces uses of PassRefPtr with uses of RefPtr&& and WTF::move() in code
3344         related to Web Inspector. It also converts many uses of RefPtr to Ref where
3345         references are always non-null. These two refactorings have been combined since
3346         they tend to require similar changes to the code.
3347
3348         Creation methods for subclasses of InspectorValue now return a Ref, and callsites
3349         have been updated to take a Ref instead of RefPtr.
3350
3351         Builders for typed protocol objects now return a Ref. Since there is no implicit
3352         call to operator&, callsites now must explicitly call .release() to convert a
3353         builder object into the corresponding protocol object once required fields are set.
3354         Update callsites and use auto to eliminate repetition of long-winded protocol types.
3355
3356         Tests for inspector protocol and replay inputs have been rebaselined.
3357
3358         * bindings/ScriptValue.cpp:
3359         (Deprecated::jsToInspectorValue):
3360         (Deprecated::ScriptValue::toInspectorValue):
3361         * bindings/ScriptValue.h:
3362         * inspector/ConsoleMessage.cpp:
3363         (Inspector::ConsoleMessage::addToFrontend):
3364         * inspector/ContentSearchUtilities.cpp:
3365         (Inspector::ContentSearchUtilities::buildObjectForSearchMatch):
3366         (Inspector::ContentSearchUtilities::searchInTextByLines):
3367         * inspector/ContentSearchUtilities.h:
3368         * inspector/InjectedScript.cpp: