ee761e7ed96fff87158e26d2ef7cb30abbb78985
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2014-09-03  Joseph Pecoraro  <pecoraro@apple.com>
2
3         Avoid warning if a process does not have access to com.apple.webinspector
4         https://bugs.webkit.org/show_bug.cgi?id=136473
5
6         Reviewed by Alexey Proskuryakov.
7
8         Pre-check for access to the mach port to avoid emitting warnings
9         in syslog for processes that do not have access.
10
11         * inspector/remote/RemoteInspector.mm:
12         (Inspector::canAccessWebInspectorMachPort):
13         (Inspector::RemoteInspector::shared):
14
15 2014-09-03  Filip Pizlo  <fpizlo@apple.com>
16
17         Temporarily disable call edge profiling. It is causing crashes and I'm still investigating
18         them.
19
20         * runtime/Options.h:
21
22 2014-09-03  Balazs Kilvady  <kilvadyb@homejinni.com>
23
24         [MIPS] Wrong register usage in LLInt op_catch.
25         https://bugs.webkit.org/show_bug.cgi?id=125168
26
27         Reviewed by Geoffrey Garen.
28
29         Fix register usage and add PIC header to all the ops in LLInt.
30
31         * offlineasm/instructions.rb:
32         * offlineasm/mips.rb:
33
34 2014-09-03  Saam Barati  <saambarati1@gmail.com>
35
36         Create tests for type profiling
37         https://bugs.webkit.org/show_bug.cgi?id=136161
38
39         Reviewed by Geoffrey Garen.
40
41         The type profiler is now being tested. These are basic tests that don't 
42         check every edge case, but will catch any major failures in the type profiler. 
43         These tests cover:
44         - The basic, inheritance-based type system in TypeSet.
45         - Function return types.
46         - Correct merging of types for multiple assignments to one variable.
47
48         This patch also provides an API for writing new tests for
49         the type profiler. The API works by passing in a function and a 
50         unique substring of an expression contained in that function, and 
51         returns an object representing type information for that expression.
52
53         * jsc.cpp:
54         (GlobalObject::finishCreation):
55         (functionFindTypeForExpression):
56         (functionReturnTypeFor):
57         * runtime/TypeProfiler.cpp:
58         (JSC::TypeProfiler::typeInformationForExpressionAtOffset):
59         * runtime/TypeProfiler.h:
60         * runtime/TypeProfilerLog.h:
61         * runtime/TypeSet.cpp:
62         (JSC::TypeSet::toJSONString):
63         (JSC::StructureShape::toJSONString):
64         * runtime/TypeSet.h:
65         * tests/typeProfiler: Added.
66         * tests/typeProfiler.yaml: Added.
67         * tests/typeProfiler/basic.js: Added.
68         (wrapper.foo):
69         (wrapper):
70         * tests/typeProfiler/captured.js: Added.
71         (wrapper.changeFoo):
72         (wrapper):
73         * tests/typeProfiler/driver: Added.
74         * tests/typeProfiler/driver/driver.js: Added.
75         (assert):
76         * tests/typeProfiler/inheritance.js: Added.
77         (wrapper.A):
78         (wrapper.B):
79         (wrapper.C):
80         (wrapper):
81         * tests/typeProfiler/return.js: Added.
82         (foo):
83         (Ctor):
84
85 2014-09-03  Julien Brianceau   <jbriance@cisco.com>
86
87         Add missing implementations to fix build for sh4 architecture
88         https://bugs.webkit.org/show_bug.cgi?id=136455
89
90         Reviewed by Geoffrey Garen.
91
92         * assembler/MacroAssemblerSH4.h:
93         (JSC::MacroAssemblerSH4::store8):
94         (JSC::MacroAssemblerSH4::moveWithPatch):
95         (JSC::MacroAssemblerSH4::branchAdd32):
96         (JSC::MacroAssemblerSH4::branch32WithPatch):
97         (JSC::MacroAssemblerSH4::abortWithReason):
98         (JSC::MacroAssemblerSH4::canJumpReplacePatchableBranch32WithPatch):
99         (JSC::MacroAssemblerSH4::startOfPatchableBranch32WithPatchOnAddress):
100         (JSC::MacroAssemblerSH4::revertJumpReplacementToPatchableBranch32WithPatch):
101         * jit/AssemblyHelpers.h:
102         (JSC::AssemblyHelpers::emitFunctionPrologue):
103         (JSC::AssemblyHelpers::emitFunctionEpilogue):
104
105 2014-09-03  Dan Bernstein  <mitz@apple.com>
106
107         Get rid of HIGH_DPI_CANVAS leftovers
108         https://bugs.webkit.org/show_bug.cgi?id=136491
109
110         Reviewed by Benjamin Poulain.
111
112         * Configurations/FeatureDefines.xcconfig: Removed definition of ENABLE_HIGH_DPI_CANVAS
113         and removed it from FEATURE_DEFINES.
114
115 2014-09-03  Filip Pizlo  <fpizlo@apple.com>
116
117         CallEdgeProfile::visitWeak() should gracefully handle the case where primaryCallee duplicates an entry in otherCallees
118         https://bugs.webkit.org/show_bug.cgi?id=136490
119
120         Reviewed by Geoffrey Garen.
121
122         * bytecode/CallEdgeProfile.cpp:
123         (JSC::CallEdgeProfile::visitWeak):
124
125 2014-09-03  Filip Pizlo  <fpizlo@apple.com>
126
127         FTL In implementation sets callReturnLocation incorrectly leading to crashes beneath repatchCall()
128         https://bugs.webkit.org/show_bug.cgi?id=136488
129
130         Reviewed by Mark Hahnenberg.
131
132         * ftl/FTLCompile.cpp:
133         (JSC::FTL::generateCheckInICFastPath): The call is in the slow path.
134         * tests/stress/ftl-in-overflow.js: Added. This used to crash 100% of the time with FTL enabled.
135         (foo):
136
137 2014-09-03  Akos Kiss  <akiss@inf.u-szeged.hu>
138
139         Don't generate superfluous mov instructions for move immediate on ARM64.
140         https://bugs.webkit.org/show_bug.cgi?id=136435
141
142         Reviewed by Michael Saboff.
143
144         On ARM64, the size of an immediate operand for a mov instruction is 16
145         bits. Thus, a move immediate offlineasm instruction may potentially be
146         split into several machine-level instructions. The current
147         implementation always emits a mov for the least significant 16 bits of
148         the value. However, if any of the bits 63:16 are significant then the
149         first emitted mov already filled bits 15:0 with zeroes (or ones, for
150         negative values). So, if bits 15:0 of the value are all zeroes (or ones)
151         then the last mov does not need to be emitted.
152
153         * offlineasm/arm64.rb:
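The rule in the entry above, worked through as an added example. This is not WebKit's offlineasm code; the helper names `arm64_move_immediate` and `simulate` and the register names are assumptions. It goes slightly beyond the entry: the first movz/movn fills every chunk it does not name with the fill pattern, so the example skips every fill-valued chunk, not only bits 15:0, and includes a small interpreter for the emitted sequence so the result can be checked against the requested value.

```ruby
# Added example, not WebKit's offlineasm code: materialise a 64-bit immediate
# on ARM64 as the shortest movz/movn + movk sequence, following the rule in the
# ChangeLog entry above. Helper names and register names are assumptions.
#
# A mov immediate carries 16 bits, so a 64-bit value is built from up to four
# 16-bit chunks (bits 63:48, 47:32, 31:16, 15:0). The first instruction emitted
# (movz for non-negative values, movn for negative ones) writes the whole
# register: every chunk it does not name becomes 0x0000 (movz) or 0xffff (movn).
# Any chunk that already equals that fill, bits 15:0 included, needs no movk.

MASK64 = (1 << 64) - 1

def arm64_move_immediate(value, reg)
  range = (-(1 << 63))...(1 << 63)
  raise ArgumentError, "#{value} is outside the signed 64-bit range" unless range.include?(value)

  negative = value < 0
  fill = negative ? 0xffff : 0x0000
  insns = []

  [48, 32, 16, 0].each do |shift|
    chunk = (value >> shift) & 0xffff   # arithmetic shift: negatives yield 0xffff fill chunks
    next if chunk == fill               # already produced by the first mov, no instruction needed
    if insns.empty? && negative
      insns << "movn #{reg}, ##{(~chunk) & 0xffff}, lsl ##{shift}"   # movn writes NOT(imm << shift)
    elsif insns.empty?
      insns << "movz #{reg}, ##{chunk}, lsl ##{shift}"
    else
      insns << "movk #{reg}, ##{chunk}, lsl ##{shift}"                # patch one chunk, keep the rest
    end
  end

  # 0 and -1 consist only of fill chunks; one instruction still has to be emitted.
  insns << (negative ? "movn #{reg}, #0" : "movz #{reg}, #0") if insns.empty?
  insns
end

# Interpret an emitted sequence on a model 64-bit register so the result can be
# compared with the requested value (unsigned view).
def simulate(insns)
  reg = 0
  insns.each do |insn|
    m = insn.match(/\A(movz|movn|movk) \w+, #(\d+)(?:, lsl #(\d+))?\z/)
    raise "unrecognised instruction: #{insn}" unless m
    op, imm, shift = m[1], m[2].to_i, (m[3] || 0).to_i
    reg = case op
          when "movz" then imm << shift
          when "movn" then (~(imm << shift)) & MASK64
          when "movk" then (reg & ~(0xffff << shift) & MASK64) | (imm << shift)
          end
  end
  reg
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values: -65536 is the case the entry describes, where
  # bits 15:0 are all zero and the trailing mov can be dropped.
  [0x12340000, -65536, 0x1234_5678, -2].each do |v|
    seq = arm64_move_immediate(v, "x0")
    puts "#{v}: #{seq.join('; ')}  (round-trips: #{simulate(seq) == (v & MASK64)})"
  end
end
```

For -65536 the sequence is a single `movn x0, #65535, lsl #0`: the movn already sets bits 63:16 to ones, so no separate mov for the low chunk is needed, which is exactly the superfluous instruction the entry removes.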
154
155 2014-09-02  Brian J. Burg  <burg@cs.washington.edu>
156
157         LegacyProfiler: remove redundant ProfileNode members and other cleanup
158         https://bugs.webkit.org/show_bug.cgi?id=136380
159
160         Reviewed by Timothy Hatcher.
161
162         ProfileNode's selfTime and totalTime members are redundant and only used
163         for dumping profile data from debug-only code. Remove the members and compute
164         the same data on-demand when necessary using a postorder traversal functor.
165
166         Remove ProfileNode.head since it is only used to calculate percentages for
167         dumped profile data. This can be explicitly passed around when needed.
168
169         Rename Profile.head to Profile.rootNode, and other various renamings.
170
171         Rearrange some header includes so that touching LegacyProfiler-related headers
172         will no longer cause a full rebuild.
173
174         * inspector/JSConsoleClient.cpp: Add header include.
175         * inspector/agents/InspectorProfilerAgent.cpp:
176         (Inspector::InspectorProfilerAgent::buildProfileInspectorObject):
177         * inspector/protocol/Profiler.json: Remove unused Profile.idleTime member.
178         * jit/JIT.h: Remove header include.
179         * jit/JITCode.h: Remove header include.
180         * jit/JITOperations.cpp: Sort and add header include.
181         * llint/LLIntSlowPaths.cpp: Sort and add header include.
182         * profiler/Profile.cpp: Rename the debug dumping functions. Move the node
183         postorder traversal code to ProfileNode so we can traverse any subtree.
184         (JSC::Profile::Profile):
185         (JSC::Profile::debugPrint):
186         (JSC::Profile::debugPrintSampleStyle):
187         (JSC::Profile::forEach): Deleted.
188         (JSC::Profile::debugPrintData): Deleted.
189         (JSC::Profile::debugPrintDataSampleStyle): Deleted.
190         * profiler/Profile.h:
191         * profiler/ProfileGenerator.cpp:
192         (JSC::ProfileGenerator::ProfileGenerator):
193         (JSC::AddParentForConsoleStartFunctor::AddParentForConsoleStartFunctor):
194         (JSC::AddParentForConsoleStartFunctor::operator()):
195         (JSC::ProfileGenerator::addParentForConsoleStart):
196         (JSC::ProfileGenerator::didExecute):
197         (JSC::StopProfilingFunctor::operator()):
198         (JSC::ProfileGenerator::stopProfiling):
199         (JSC::ProfileGenerator::removeProfileStart):
200         (JSC::ProfileGenerator::removeProfileEnd):
201         * profiler/ProfileGenerator.h:
202         * profiler/ProfileNode.cpp:
203         (JSC::ProfileNode::ProfileNode):
204         (JSC::ProfileNode::willExecute):
205         (JSC::ProfileNode::removeChild):
206         (JSC::ProfileNode::stopProfiling):
207         (JSC::ProfileNode::endAndRecordCall):
208         (JSC::ProfileNode::debugPrint):
209         (JSC::ProfileNode::debugPrintSampleStyle):
210         (JSC::ProfileNode::debugPrintRecursively):
211         (JSC::ProfileNode::debugPrintSampleStyleRecursively):
212         (JSC::ProfileNode::debugPrintData): Deleted.
213         (JSC::ProfileNode::debugPrintDataSampleStyle): Deleted.
214         * profiler/ProfileNode.h: Calculate per-node self and total times using a postorder traversal.
215         The forEachNodePostorder functor traverses the subtree rooted at |this|.
216         (JSC::ProfileNode::create):
217         (JSC::ProfileNode::calls):
218         (JSC::ProfileNode::forEachNodePostorder):
219         (JSC::CalculateProfileSubtreeDataFunctor::returnValue):
220         (JSC::CalculateProfileSubtreeDataFunctor::operator()):
221         (JSC::ProfileNode::head): Deleted.
222         (JSC::ProfileNode::setHead): Deleted.
223         (JSC::ProfileNode::totalTime): Deleted.
224         (JSC::ProfileNode::setTotalTime): Deleted.
225         (JSC::ProfileNode::selfTime): Deleted.
226         (JSC::ProfileNode::setSelfTime): Deleted.
227         (JSC::ProfileNode::totalPercent): Deleted.
228         (JSC::ProfileNode::selfPercent): Deleted.
229         * runtime/ConsoleClient.h: Remove header include.
230
231 2014-09-02  Brian J. Burg  <burg@cs.washington.edu>
232
233         Web Inspector: remove ProfilerAgent and legacy profiler files in the frontend
234         https://bugs.webkit.org/show_bug.cgi?id=136462
235
236         Reviewed by Timothy Hatcher.
237
238         It's not used by the frontend anymore.
239
240         * CMakeLists.txt:
241         * DerivedSources.make:
242         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
243         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
244         * JavaScriptCore.xcodeproj/project.pbxproj:
245
246         * inspector/JSConsoleClient.cpp:
247         (Inspector::JSConsoleClient::JSConsoleClient): Stub out console.profile/profileEnd
248         methods since they didn't work for JSContexts anyway.
249         (Inspector::JSConsoleClient::profile):
250         (Inspector::JSConsoleClient::profileEnd):
251         * inspector/JSConsoleClient.h:
252
253         * inspector/JSGlobalObjectInspectorController.cpp:
254         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
255         * inspector/agents/InspectorProfilerAgent.cpp: Removed.
256         * inspector/agents/InspectorProfilerAgent.h: Removed.
257         * inspector/agents/JSGlobalObjectProfilerAgent.cpp: Removed.
258         * inspector/agents/JSGlobalObjectProfilerAgent.h: Removed.
259         * inspector/protocol/Profiler.json: Removed.
260
261 2014-09-02  Andreas Kling  <akling@apple.com>
262
263         Optimize own property GetByVals with rope string subscripts.
264         <https://webkit.org/b/136458>
265
266         For simple JSObjects that don't override getOwnPropertySlot to implement
267         custom properties, we have a fast path that grabs directly at the object
268         property storage.
269
270         Make this fast path even faster when the property name is an unresolved
271         rope string by using JSString::toExistingAtomicString(). This is faster
272         because it avoids allocating a new StringImpl if the string is already
273         a known Identifier, which is guaranteed to be the case if it's present
274         as an own property on the object.
275
276         ~10% speed-up on Dromaeo/dom-attr.html
277
278         Reviewed by Geoffrey Garen.
279
280         * dfg/DFGOperations.cpp:
281         * jit/JITOperations.cpp:
282         (JSC::getByVal):
283         * llint/LLIntSlowPaths.cpp:
284         (JSC::LLInt::getByVal):
285
286             When using the fastGetOwnProperty() optimization, get the String
287             out of JSString by using toExistingAtomicString(). This avoids
288             StringImpl allocation and lets us bypass the PropertyTable lookup
289             entirely if no AtomicString is found.
290
291         * runtime/JSCell.h:
292         * runtime/JSCellInlines.h:
293         (JSC::JSCell::fastGetOwnProperty):
294
295             Make fastGetOwnProperty() take a PropertyName instead of a String.
296             This avoids churning the ref count, since we don't need to create
297             a temporary wrapper around the AtomicStringImpl* found in GetByVal.
298
299         * runtime/PropertyName.h:
300         (JSC::PropertyName::PropertyName):
301
302             Add constructor: PropertyName(AtomicStringImpl*)
303
304         * runtime/PropertyMapHashTable.h:
305         (JSC::PropertyTable::get):
306         (JSC::PropertyTable::findWithString): Deleted.
307         * runtime/Structure.h:
308         * runtime/StructureInlines.h:
309         (JSC::Structure::get):
310
311             Remove code for querying a PropertyTable with an unhashed string key
312             since the only client is now gone.
313
314 2014-09-02  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>
315
316         [ARM] MacroAssembler generating incorrect code on ARM32 Traditional
317         https://bugs.webkit.org/show_bug.cgi?id=136429
318
319         Reviewed by Csaba Osztrogonác.
320
321         Changed test32 to use tst to check if reg is zero, instead of cmp.
322
323         * assembler/MacroAssemblerARM.h:
324         (JSC::MacroAssemblerARM::test32):
325
326 2014-09-02  Michael Saboff  <msaboff@apple.com>
327
328         Out of bounds write in vmEntryToJavaScript / JSC::JITCode::execute
329         https://bugs.webkit.org/show_bug.cgi?id=136305
330
331         Reviewed by Filip Pizlo.
332
333         While preparing the callee's CallFrame, ProtoCallFrame fixes any arity mismatch
334         and then JITCode::execute() calls the normal entrypoint.  This is incompatible
335         with the expectation of FTL generated functions.  Changed ProtoCallFrame to not
336         perform the arity fix, but just flag an arity mismatch.  Now JITCode::execute()
337         uses that arity mismatch condition to select the normal or arity check
338         entrypoint.  The entrypoint selection is only done for functions; programs
339         and eval always have one parameter.
340
341         * interpreter/ProtoCallFrame.cpp:
342         (JSC::ProtoCallFrame::init): Changed to flag arity mismatch instead of fixing it.
343         * interpreter/ProtoCallFrame.h:
344         (JSC::ProtoCallFrame::needArityCheck): New boolean to signify what entrypoint
345         should be called.
346         * jit/JITCode.cpp:
347         (JSC::JITCode::execute): Select normal or arity check entrypoint as appropriate.
348
349 2014-09-02  peavo@outlook.com  <peavo@outlook.com>
350
351         [WinCairo] testapi.exe is not built.
352         https://bugs.webkit.org/show_bug.cgi?id=136369
353
354         Reviewed by Alex Christensen.
355
356         The testapi project should be of type Application.
357
358         * JavaScriptCore.vcxproj/jsc/jscLauncher.vcxproj: Change project type to Application.
359         * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncher.vcxproj: Ditto.
360         * JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props: Compile and link fix.
361         * JavaScriptCore.vcxproj/testapi/testapiLauncher.vcxproj: Change project type to Application.
362
363 2014-09-01  Akos Kiss  <akiss@inf.u-szeged.hu>
364
365         [CMAKE] Add missing offlineasm dependencies
366         https://bugs.webkit.org/show_bug.cgi?id=136437
367
368         Reviewed by Csaba Osztrogonác.
369
370         Add the ARM64, MIPS and SH4 backends to the dependencies.
371
372         * CMakeLists.txt:
373
374 2014-09-01  Brian J. Burg  <burg@cs.washington.edu>
375
376         Provide column numbers to DTrace willExecute/didExecute probes
377         https://bugs.webkit.org/show_bug.cgi?id=136434
378
379         Reviewed by Antti Koivisto.
380
381         Provide the columnNumber and update stubs for !HAVE(DTRACE).
382
383         * profiler/ProfileGenerator.cpp:
384         (JSC::ProfileGenerator::willExecute):
385         (JSC::ProfileGenerator::didExecute):
386         * runtime/Tracing.d:
387         * runtime/Tracing.h:
388
389 2014-09-01  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
390
391         [CMAKE] Build warning by INTERFACE_LINK_LIBRARIES
392         https://bugs.webkit.org/show_bug.cgi?id=136194
393
394         Reviewed by Csaba Osztrogonác.
395
396         Set the LINK_INTERFACE_LIBRARIES target property on the top level CMakeLists.txt.
397
398         * CMakeLists.txt:
399
400 2014-08-26  Maciej Stachowiak  <mjs@apple.com>
401
402         Use RetainPtr::autorelease in some places where it seems appropriate
403         https://bugs.webkit.org/show_bug.cgi?id=136280
404
405         Reviewed by Darin Adler.
406
407         * API/JSContext.mm:
408         (-[JSContext name]): Use RetainPtr::autorelease() in place of ObjC autorelease.
409         * API/JSValue.mm:
410         (valueToString): Make appropriate use of RetainPtr.
411
412 2014-08-29  Akos Kiss  <akiss@inf.u-szeged.hu>
413
414         Ensure that the call frame passed from doVMEntry to the called function always contains the valid scope chain.
415         https://bugs.webkit.org/show_bug.cgi?id=136391
416
417         Reviewed by Michael Saboff.
418
419         Do not rely on calling conventions to fill in the CallerFrame component
420         of the ExecState* parameter of the called function.
421
422         * llint/LowLevelInterpreter32_64.asm:
423         * llint/LowLevelInterpreter64.asm:
424
425 2014-08-29  Saam Barati  <sbarati@apple.com>
426
427         emit op_profile_type for deconstruction assignments
428         https://bugs.webkit.org/show_bug.cgi?id=136274
429
430         Reviewed by Filip Pizlo.
431
432         Enable type profiling for ES6 deconstruction expressions.
433
434         * bytecompiler/NodesCodegen.cpp:
435         (JSC::BindingNode::bindValue):
436
437 2014-08-29  Joseph Pecoraro  <pecoraro@apple.com>
438
439         JavaScriptCore: Use ASCIILiteral where possible
440         https://bugs.webkit.org/show_bug.cgi?id=136179
441
442         Reviewed by Michael Saboff.
443
444         General string / character related changes. Use ASCIILiteral where
445         possible, jsNontrivialString where possible, and replace string
446         literals with character literals in some places.
447
448         No new tests, no changes to functionality.
449
450         * bytecode/CodeBlock.cpp:
451         (JSC::CodeBlock::nameForRegister):
452         * bytecompiler/NodesCodegen.cpp:
453         (JSC::PostfixNode::emitBytecode):
454         (JSC::PrefixNode::emitBytecode):
455         (JSC::AssignErrorNode::emitBytecode):
456         (JSC::ForInNode::emitMultiLoopBytecode):
457         (JSC::ForOfNode::emitBytecode):
458         (JSC::ObjectPatternNode::toString):
459         * dfg/DFGFunctionWhitelist.cpp:
460         (JSC::DFG::FunctionWhitelist::contains):
461         * dfg/DFGOperations.cpp:
462         (JSC::DFG::newTypedArrayWithSize):
463         (JSC::DFG::newTypedArrayWithOneArgument):
464         * inspector/ConsoleMessage.cpp:
465         (Inspector::ConsoleMessage::addToFrontend):
466         * inspector/InspectorBackendDispatcher.cpp:
467         (Inspector::InspectorBackendDispatcher::dispatch):
468         * inspector/ScriptCallStackFactory.cpp:
469         (Inspector::extractSourceInformationFromException):
470         * inspector/scripts/codegen/generator_templates.py:
471         * interpreter/StackVisitor.cpp:
472         (JSC::StackVisitor::Frame::functionName):
473         (JSC::StackVisitor::Frame::sourceURL):
474         * jit/JITOperations.cpp:
475         * jsc.cpp:
476         (functionDescribeArray):
477         (functionRun):
478         (functionLoad):
479         (functionReadFile):
480         (functionCheckSyntax):
481         (functionTransferArrayBuffer):
482         (runWithScripts):
483         (runInteractive):
484         * parser/Lexer.cpp:
485         (JSC::Lexer<T>::invalidCharacterMessage):
486         (JSC::Lexer<T>::parseString):
487         (JSC::Lexer<T>::parseStringSlowCase):
488         (JSC::Lexer<T>::lex):
489         * profiler/Profile.cpp:
490         (JSC::Profile::Profile):
491         * runtime/Arguments.cpp:
492         (JSC::argumentsFuncIterator):
493         * runtime/ArrayPrototype.cpp:
494         (JSC::performSlowSort):
495         (JSC::arrayProtoFuncSort):
496         * runtime/ExceptionHelpers.cpp:
497         (JSC::createError):
498         (JSC::createInvalidParameterError):
499         (JSC::createNotAConstructorError):
500         (JSC::createNotAFunctionError):
501         (JSC::createNotAnObjectError):
502         (JSC::createErrorForInvalidGlobalAssignment):
503         * runtime/FunctionPrototype.cpp:
504         (JSC::insertSemicolonIfNeeded):
505         * runtime/JSArray.cpp:
506         (JSC::JSArray::defineOwnProperty):
507         (JSC::JSArray::pop):
508         (JSC::JSArray::push):
509         * runtime/JSArrayBufferConstructor.cpp:
510         (JSC::JSArrayBufferConstructor::finishCreation):
511         * runtime/JSArrayBufferPrototype.cpp:
512         (JSC::arrayBufferProtoFuncSlice):
513         * runtime/JSDataView.cpp:
514         (JSC::JSDataView::create):
515         * runtime/JSDataViewPrototype.cpp:
516         (JSC::getData):
517         (JSC::setData):
518         * runtime/JSGlobalObject.cpp:
519         (JSC::JSGlobalObject::reset):
520         * runtime/JSGlobalObjectFunctions.cpp:
521         (JSC::globalFuncProtoSetter):
522         * runtime/JSPromiseConstructor.cpp:
523         (JSC::JSPromiseConstructor::finishCreation):
524         * runtime/LiteralParser.cpp:
525         (JSC::LiteralParser<CharType>::Lexer::lex):
526         (JSC::LiteralParser<CharType>::Lexer::lexString):
527         (JSC::LiteralParser<CharType>::parse):
528         * runtime/LiteralParser.h:
529         (JSC::LiteralParser::getErrorMessage):
530         * runtime/TypeSet.cpp:
531         (JSC::TypeSet::seenTypes):
532         (JSC::TypeSet::displayName):
533         (JSC::TypeSet::allPrimitiveTypeNames):
534         (JSC::StructureShape::propertyHash):
535         (JSC::StructureShape::stringRepresentation):
536
537 2014-08-29  Csaba Osztrogonác  <ossy@webkit.org>
538
539         Unreviewed, remove empty directories.
540
541         * qt: Removed.
542
543 2014-08-28  Mark Lam  <mark.lam@apple.com>
544
545         DebuggerCallFrame::scope() should return a DebuggerScope.
546         <https://webkit.org/b/134420>
547
548         Reviewed by Geoffrey Garen.
549
550         Rolling back in r170680 with the fix for <https://webkit.org/b/135656>.
551
552         Previously, DebuggerCallFrame::scope() returned a JSActivation (and relevant
553         peers) which the WebInspector will use to introspect CallFrame variables.
554         Instead, we should be returning a DebuggerScope as an abstraction layer that
555         provides the introspection functionality that the WebInspector needs.  This
556         is the first step towards not forcing every frame to have a JSActivation
557         object just because the debugger is enabled.
558
559         1. Instantiate the debuggerScopeStructure as a member of the JSGlobalObject
560            instead of the VM.  This allows JSObject::globalObject() to be able to
561            return the global object for the DebuggerScope.
562
563         2. On the DebuggerScope's life-cycle management:
564
565            The DebuggerCallFrame is designed to be "valid" only during a debugging session
566            (while the debugger is broken) through the use of a DebuggerCallFrameScope in
567            Debugger::pauseIfNeeded().  Once the debugger resumes from the break, the
568            DebuggerCallFrameScope destructs, and the DebuggerCallFrame will be invalidated.
569            We can't guarantee (from this code alone) that the Inspector code isn't still
570            holding a ref to the DebuggerCallFrame (though they shouldn't), but by contract,
571            the frame will be invalidated, and any attempt to query it will return null values.
572            This is pre-existing behavior.
573
574            Now, we're adding the DebuggerScope into the picture.  While a single debugger
575            pause session is in progress, the Inspector may request the scope from the
576            DebuggerCallFrame.  While the DebuggerCallFrame is still valid, we want
577            DebuggerCallFrame::scope() to always return the same DebuggerScope object.
578            This is why we hold on to the DebuggerScope with a strong ref.
579
580            If we use a weak ref instead, the following kooky behavior can manifest:
581            1. The Inspector calls Debugger::scope() to get the top scope.
582            2. The Inspector iterates down the scope chain and is now only holding a
583               reference to a parent scope.  It is no longer referencing the top scope.
584            3. A GC occurs, and the DebuggerCallFrame's weak m_scope ref to the top scope
585               gets cleared.
586            4. The Inspector calls DebuggerCallFrame::scope() to get the top scope again but gets
587               a different DebuggerScope instance.
588            5. The Inspector iterates down the scope chain but never sees the parent scope
589               instance that it retained a ref to in step 2 above.  This is because when iterating
590               this new DebuggerScope instance (which has no knowledge of the previous parent
591               DebuggerScope instance), a new DebuggerScope instance will get created for the
592               same parent scope. 
593
594            Since the DebuggerScope is a JSObject, its liveness is determined by its reachability.
595            However, its "validity" is determined by the life-cycle of its owner DebuggerCallFrame.
596            When the owner DebuggerCallFrame gets invalidated, its debugger scope chain (if
597            instantiated) will also get invalidated.  This is why we need the
598            DebuggerScope::invalidateChain() method.  The Inspector should not be using the
599            DebuggerScope instance after its owner DebuggerCallFrame is invalidated.  If it does,
600            those methods will do nothing or return a failed status.
601
602         Fix for <https://webkit.org/b/135656>:
603         3. DebuggerScope::getOwnPropertySlot() and DebuggerScope::put() need to set
604            m_thisValue in the returned slot to the wrapped scope object.  Previously,
605            it was pointing to the DebuggerScope though the rest of the fields in the
606            returned slot will be set to data pertaining to the wrapped scope object.
607
608         4. DebuggerScope::getOwnPropertySlot() will invoke getPropertySlot() on its
609            wrapped scope.  This is because JSObject::getPropertySlot() cannot be
610            overridden, and when called on a DebuggerScope, will not know to look in
611            the prototype chain of the DebuggerScope's wrapped scope.  Hence, we'll
612            treat all properties in the wrapped scope as own properties in the
613            DebuggerScope.  This is fine because the WebInspector does not presently
614            care about where in the prototype chain the scope property comes from.
615
616            Note that the DebuggerScope and the JSActivation objects that it wraps do
617            not have prototypes.  They are always jsNull().  This works perfectly with
618            the above change to use getPropertySlot() instead of getOwnPropertySlot().
619            To make this an explicit invariant, I also changed DebuggerScope::createStructure()
620            and JSActivation::createStructure() to not take a prototype argument, and
621            to always use jsNull() for their prototype value.
622
623         * debugger/Debugger.h:
624         * debugger/DebuggerCallFrame.cpp:
625         (JSC::DebuggerCallFrame::scope):
626         (JSC::DebuggerCallFrame::evaluate):
627         (JSC::DebuggerCallFrame::invalidate):
628         * debugger/DebuggerCallFrame.h:
629         * debugger/DebuggerScope.cpp:
630         (JSC::DebuggerScope::DebuggerScope):
631         (JSC::DebuggerScope::finishCreation):
632         (JSC::DebuggerScope::visitChildren):
633         (JSC::DebuggerScope::className):
634         (JSC::DebuggerScope::getOwnPropertySlot):
635         (JSC::DebuggerScope::put):
636         (JSC::DebuggerScope::deleteProperty):
637         (JSC::DebuggerScope::getOwnPropertyNames):
638         (JSC::DebuggerScope::defineOwnProperty):
639         (JSC::DebuggerScope::next):
640         (JSC::DebuggerScope::invalidateChain):
641         (JSC::DebuggerScope::isWithScope):
642         (JSC::DebuggerScope::isGlobalScope):
643         (JSC::DebuggerScope::isFunctionOrEvalScope):
644         * debugger/DebuggerScope.h:
645         (JSC::DebuggerScope::create):
646         (JSC::DebuggerScope::createStructure):
647         (JSC::DebuggerScope::iterator::iterator):
648         (JSC::DebuggerScope::iterator::get):
649         (JSC::DebuggerScope::iterator::operator++):
650         (JSC::DebuggerScope::iterator::operator==):
651         (JSC::DebuggerScope::iterator::operator!=):
652         (JSC::DebuggerScope::isValid):
653         (JSC::DebuggerScope::jsScope):
654         (JSC::DebuggerScope::begin):
655         (JSC::DebuggerScope::end):
656         * inspector/JSJavaScriptCallFrame.cpp:
657         (Inspector::JSJavaScriptCallFrame::scopeType):
658         (Inspector::JSJavaScriptCallFrame::scopeChain):
659         * inspector/JavaScriptCallFrame.h:
660         (Inspector::JavaScriptCallFrame::scopeChain):
661         * inspector/ScriptDebugServer.cpp:
662         * runtime/JSActivation.h:
663         (JSC::JSActivation::createStructure):
664         * runtime/JSGlobalObject.cpp:
665         (JSC::JSGlobalObject::reset):
666         (JSC::JSGlobalObject::visitChildren):
667         * runtime/JSGlobalObject.h:
668         (JSC::JSGlobalObject::debuggerScopeStructure):
669         * runtime/JSObject.cpp:
670         * runtime/JSObject.h:
671         (JSC::JSObject::isWithScope):
672         * runtime/JSScope.h:
673         * runtime/PropertySlot.h:
674         (JSC::PropertySlot::setThisValue):
675         * runtime/PutPropertySlot.h:
676         (JSC::PutPropertySlot::setThisValue):
677         * runtime/VM.cpp:
678         (JSC::VM::VM):
679         * runtime/VM.h:
680
681 2014-08-28  Andreas Kling  <akling@apple.com>
682
683         Use JSString::toIdentifier() in more places.
684         <https://webkit.org/b/136348>
685
686         Call sites that grab the WTF::String from a JSString using value() can
687         use the more efficient toIdentifier() if the string is going to be used
688         to construct an Identifier.
689
690         If the JSString is a rope that resolves to something that is already
691         present in the VM's Identifier table, using toIdentifier() can avoid
692         allocating a new StringImpl.
693
694         Reviewed by Geoffrey Garen.
695
696         * jit/JITOperations.cpp:
697         * llint/LLIntSlowPaths.cpp:
698         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
699         * runtime/CommonSlowPaths.cpp:
700         (JSC::SLOW_PATH_DECL):
701         * runtime/CommonSlowPaths.h:
702         (JSC::CommonSlowPaths::opIn):
703         * runtime/JSONObject.cpp:
704         (JSC::Stringifier::Stringifier):
705         * runtime/ObjectConstructor.cpp:
706         (JSC::objectConstructorGetOwnPropertyDescriptor):
707         (JSC::objectConstructorDefineProperty):
708         * runtime/ObjectPrototype.cpp:
709         (JSC::objectProtoFuncPropertyIsEnumerable):
710
711 2014-08-27  Filip Pizlo  <fpizlo@apple.com>
712
713         DFG should compute immediate dominators using the O(n log n) form of Lengauer and Tarjan's "A Fast Algorithm for Finding Dominators in a Flowgraph"
714         https://bugs.webkit.org/show_bug.cgi?id=93361
715
716         Reviewed by Mark Hahnenberg.
717         
718         This patch also adds some new utilities for reasoning about block-keyed maps, block sets,
719         and block worklists. It changes preexisting code to use these abstractions.
720         
721         The main effect of this code is that all current clients of dominators end up using the
722         results of the new idom calculation. We convert the dom tree to a dominance test using
723         Dietz's pre/post number range check trick.
724
725         * CMakeLists.txt:
726         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
727         * JavaScriptCore.xcodeproj/project.pbxproj:
728         * dfg/DFGAnalysis.h:
729         (JSC::DFG::Analysis::computeIfNecessary):
730         (JSC::DFG::Analysis::computeDependencies):
731         * dfg/DFGBlockMap.h: Added.
732         (JSC::DFG::BlockMap::BlockMap):
733         (JSC::DFG::BlockMap::size):
734         (JSC::DFG::BlockMap::atIndex):
735         (JSC::DFG::BlockMap::operator[]):
736         * dfg/DFGBlockMapInlines.h: Added.
737         (JSC::DFG::BlockMap<T>::BlockMap):
738         * dfg/DFGBlockSet.h: Added.
739         (JSC::DFG::BlockSet::BlockSet):
740         (JSC::DFG::BlockSet::add):
741         (JSC::DFG::BlockSet::contains):
742         * dfg/DFGBlockWorklist.cpp: Added.
743         (JSC::DFG::BlockWorklist::BlockWorklist):
744         (JSC::DFG::BlockWorklist::~BlockWorklist):
745         (JSC::DFG::BlockWorklist::push):
746         (JSC::DFG::BlockWorklist::pop):
747         (JSC::DFG::PostOrderBlockWorklist::PostOrderBlockWorklist):
748         (JSC::DFG::PostOrderBlockWorklist::~PostOrderBlockWorklist):
749         (JSC::DFG::PostOrderBlockWorklist::pushPre):
750         (JSC::DFG::PostOrderBlockWorklist::pushPost):
751         (JSC::DFG::PostOrderBlockWorklist::pop):
752         * dfg/DFGBlockWorklist.h: Added.
753         (JSC::DFG::BlockWorklist::notEmpty):
754         (JSC::DFG::BlockWith::BlockWith):
755         (JSC::DFG::BlockWith::operator UnspecifiedBoolType*):
756         (JSC::DFG::ExtendedBlockWorklist::ExtendedBlockWorklist):
757         (JSC::DFG::ExtendedBlockWorklist::forcePush):
758         (JSC::DFG::ExtendedBlockWorklist::push):
759         (JSC::DFG::ExtendedBlockWorklist::notEmpty):
760         (JSC::DFG::ExtendedBlockWorklist::pop):
761         (JSC::DFG::BlockWithOrder::BlockWithOrder):
762         (JSC::DFG::BlockWithOrder::operator UnspecifiedBoolType*):
763         (JSC::DFG::PostOrderBlockWorklist::push):
764         (JSC::DFG::PostOrderBlockWorklist::notEmpty):
765         * dfg/DFGCSEPhase.cpp:
766         * dfg/DFGDominators.cpp:
767         (JSC::DFG::Dominators::compute):
768         (JSC::DFG::Dominators::naiveDominates):
769         (JSC::DFG::Dominators::dump):
770         (JSC::DFG::Dominators::pruneDominators): Deleted.
771         * dfg/DFGDominators.h:
772         (JSC::DFG::Dominators::strictlyDominates):
773         (JSC::DFG::Dominators::dominates):
774         (JSC::DFG::Dominators::BlockData::BlockData):
775         * dfg/DFGGraph.cpp:
776         (JSC::DFG::Graph::dumpBlockHeader):
777         (JSC::DFG::Graph::getBlocksInPreOrder):
778         (JSC::DFG::Graph::getBlocksInPostOrder):
779         * dfg/DFGInvalidationPointInjectionPhase.cpp:
780         (JSC::DFG::InvalidationPointInjectionPhase::run):
781         * dfg/DFGNaiveDominators.cpp: Added.
782         (JSC::DFG::NaiveDominators::NaiveDominators):
783         (JSC::DFG::NaiveDominators::~NaiveDominators):
784         (JSC::DFG::NaiveDominators::compute):
785         (JSC::DFG::NaiveDominators::pruneDominators):
786         (JSC::DFG::NaiveDominators::dump):
787         * dfg/DFGNaiveDominators.h: Added.
788         (JSC::DFG::NaiveDominators::dominates):
789         * dfg/DFGNaturalLoops.cpp:
790         (JSC::DFG::NaturalLoops::computeDependencies):
791         (JSC::DFG::NaturalLoops::compute):
792         * dfg/DFGNaturalLoops.h:
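
        The dominator-tree-to-dominance-test conversion this entry describes, as an added example that is not part of the WebKit change (the class, the sample CFG and its shape are constructed here): immediate dominators are computed with the iterative Cooper-Harvey-Kennedy algorithm rather than Lengauer-Tarjan, the tree is then numbered by a DFS, and dominates(a, b) becomes an O(1) pre/post interval check.

```cpp
// Added example, not JavaScriptCore code: build the dominator tree of a small
// control-flow graph and answer dominates(a, b) in O(1) from pre/post DFS
// numbers of that tree (the Dietz range-check trick the ChangeLog entry uses).
// Immediate dominators come from the iterative algorithm of Cooper, Harvey and
// Kennedy instead of Lengauer-Tarjan; the dominance test itself is the same.
#include <algorithm>
#include <cstddef>
#include <utility>
#include <vector>

// Block 0 is the entry; successors[b] lists the blocks b branches to.
using CFG = std::vector<std::vector<int>>;

class Dominators {
public:
    explicit Dominators(const CFG& successors)
        : m_idom(successors.size(), -1), m_pre(successors.size(), 0), m_post(successors.size(), 0)
    {
        computeIdoms(successors);
        numberDominatorTree();
    }

    // a dominates b iff every path from the entry to b goes through a, i.e. b
    // lies in a's subtree of the dominator tree. With DFS numbering that is
    // exactly "a's [pre, post] interval contains b's". Blocks unreachable from
    // the entry keep idom -1 and pre/post 0; they are vacuously dominated by 0.
    bool dominates(int a, int b) const { return m_pre[a] <= m_pre[b] && m_post[b] <= m_post[a]; }
    bool strictlyDominates(int a, int b) const { return a != b && dominates(a, b); }
    int idom(int b) const { return m_idom[b]; }

private:
    void computeIdoms(const CFG& successors)
    {
        const int n = static_cast<int>(successors.size());
        // Reverse post-order via an explicit DFS stack of (block, next successor index).
        std::vector<int> order, rpoIndex(n, -1);
        std::vector<char> seen(n, 0);
        std::vector<std::pair<int, size_t>> stack;
        stack.emplace_back(0, 0);
        seen[0] = 1;
        while (!stack.empty()) {
            std::pair<int, size_t>& top = stack.back();
            if (top.second < successors[top.first].size()) {
                int s = successors[top.first][top.second++];
                if (!seen[s]) { seen[s] = 1; stack.emplace_back(s, 0); }
            } else {
                order.push_back(top.first);
                stack.pop_back();
            }
        }
        std::reverse(order.begin(), order.end());
        for (size_t i = 0; i < order.size(); ++i) rpoIndex[order[i]] = static_cast<int>(i);

        std::vector<std::vector<int>> predecessors(n);
        for (int b = 0; b < n; ++b)
            for (int s : successors[b]) predecessors[s].push_back(b);

        // Cooper-Harvey-Kennedy: in RPO, intersect the idoms of the already
        // processed predecessors; repeat until a full pass changes nothing.
        m_idom[0] = 0;
        for (bool changed = true; changed;) {
            changed = false;
            for (int b : order) {
                if (b == 0) continue;
                int newIdom = -1;
                for (int p : predecessors[b]) {
                    if (m_idom[p] < 0) continue; // predecessor not processed yet
                    newIdom = newIdom < 0 ? p : intersect(p, newIdom, rpoIndex);
                }
                if (m_idom[b] != newIdom) { m_idom[b] = newIdom; changed = true; }
            }
        }
    }

    // Walk both blocks up the (partial) dominator tree until they meet.
    int intersect(int b1, int b2, const std::vector<int>& rpoIndex) const
    {
        while (b1 != b2) {
            while (rpoIndex[b1] > rpoIndex[b2]) b1 = m_idom[b1];
            while (rpoIndex[b2] > rpoIndex[b1]) b2 = m_idom[b2];
        }
        return b1;
    }

    // DFS over the dominator tree: pre number on entry, post number on exit.
    void numberDominatorTree()
    {
        const int n = static_cast<int>(m_idom.size());
        std::vector<std::vector<int>> children(n);
        for (int b = 1; b < n; ++b)
            if (m_idom[b] >= 0) children[m_idom[b]].push_back(b);
        int counter = 0;
        std::vector<std::pair<int, size_t>> stack;
        stack.emplace_back(0, 0);
        m_pre[0] = counter++;
        while (!stack.empty()) {
            std::pair<int, size_t>& top = stack.back();
            if (top.second < children[top.first].size()) {
                int c = children[top.first][top.second++];
                m_pre[c] = counter++;
                stack.emplace_back(c, 0);
            } else {
                m_post[top.first] = counter++;
                stack.pop_back();
            }
        }
    }

    std::vector<int> m_idom, m_pre, m_post;
};

// Constructed sample: entry 0 -> 1, diamond 1 -> {2, 3} -> 4, loop back edge 4 -> 1, exit 5.
static CFG sampleCFG() { return { { 1 }, { 2, 3 }, { 4 }, { 4 }, { 1, 5 }, {} }; }
```

The loop header 1 dominates everything after it, while the diamond arms 2 and 3 dominate only themselves, so `dominates(1, 5)` holds and `dominates(2, 4)` does not.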
793
794 2014-08-27  Filip Pizlo  <fpizlo@apple.com>
795
796         FTL should be able to do polymorphic call inlining
797         https://bugs.webkit.org/show_bug.cgi?id=135145
798
799         Reviewed by Geoffrey Garen.
800         
801         Added a log-based high-fidelity call edge profiler that runs in DFG JIT (and optionally
802         baseline JIT) code. Used it to do precise polymorphic inlining in the FTL. Potential
803         inlining sites use the call edge profile if it is available, but they will still fall back
804         on the call inline cache and rare case counts if it's not. Polymorphic inlining means that
805         multiple possible callees can be inlined with a switch to guard them. The slow path may
806         either be an OSR exit or a virtual call.
807         
808         The call edge profiling added in this patch is very precise - it will tell you about every
809         call that has ever happened. It took some effort to reduce the overhead of this profiling.
810         This mostly involved ensuring that we don't do it unnecessarily. For example, we avoid it
811         in the baseline JIT (you can conditionally enable it but it's off by default) and we only do
812         it in the DFG JIT if we know that the regular inline cache profiling wasn't precise enough.
813         I also experimented with reducing the precision of the profiling. This led to a significant
814         reduction in the speed-up, so I avoided this approach. I also explored making log processing
815         concurrent, but that didn't help. Also, I tested the overhead of the log processing and
816         found that most of the overhead of this profiling is actually in putting things into the log
817         rather than in processing the log - that part appears to be surprisingly cheap.
818         
819         Polymorphic inlining could be enabled in the DFG if we enabled baseline call edge profiling,
820         and if we guarded such inlining sites with some profiling mechanism to detect
821         polyvariant monomorphisation opportunities (where the callsite being inlined reveals that
822         it's actually monomorphic).
823         
824         This is a ~28% speed-up on deltablue and a ~7% speed-up on richards, with small speed-ups on
825         other programs as well. It's about a 2% speed-up on Octane version 2, and never a regression
826         on anything we care about. Some aggregates, like V8Spider, see a regression. This is
827         highlighting the increase in profiling overhead. But since this doesn't show up on any major
828         score (code-load or SunSpider), it's probably not relevant.
829         
830         Relanding after fixing debug assertions in fast/storage/serialized-script-value.html.
831
832         * CMakeLists.txt:
833         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
834         * JavaScriptCore.xcodeproj/project.pbxproj:
835         * bytecode/CallEdge.cpp: Added.
836         (JSC::CallEdge::dump):
837         * bytecode/CallEdge.h: Added.
838         (JSC::CallEdge::operator!):
839         (JSC::CallEdge::callee):
840         (JSC::CallEdge::count):
841         (JSC::CallEdge::despecifiedClosure):
842         (JSC::CallEdge::CallEdge):
843         * bytecode/CallEdgeProfile.cpp: Added.
844         (JSC::CallEdgeProfile::callEdges):
845         (JSC::CallEdgeProfile::numCallsToKnownCells):
846         (JSC::worthDespecifying):
847         (JSC::CallEdgeProfile::worthDespecifying):
848         (JSC::CallEdgeProfile::visitWeak):
849         (JSC::CallEdgeProfile::addSlow):
850         (JSC::CallEdgeProfile::mergeBack):
851         (JSC::CallEdgeProfile::fadeByHalf):
852         (JSC::CallEdgeLog::CallEdgeLog):
853         (JSC::CallEdgeLog::~CallEdgeLog):
854         (JSC::CallEdgeLog::isEnabled):
855         (JSC::operationProcessCallEdgeLog):
856         (JSC::CallEdgeLog::emitLogCode):
857         (JSC::CallEdgeLog::processLog):
858         * bytecode/CallEdgeProfile.h: Added.
859         (JSC::CallEdgeProfile::numCallsToNotCell):
860         (JSC::CallEdgeProfile::numCallsToUnknownCell):
861         (JSC::CallEdgeProfile::totalCalls):
862         * bytecode/CallEdgeProfileInlines.h: Added.
863         (JSC::CallEdgeProfile::CallEdgeProfile):
864         (JSC::CallEdgeProfile::add):
865         * bytecode/CallLinkInfo.cpp:
866         (JSC::CallLinkInfo::visitWeak):
867         * bytecode/CallLinkInfo.h:
868         * bytecode/CallLinkStatus.cpp:
869         (JSC::CallLinkStatus::CallLinkStatus):
870         (JSC::CallLinkStatus::computeFromLLInt):
871         (JSC::CallLinkStatus::computeFor):
872         (JSC::CallLinkStatus::computeExitSiteData):
873         (JSC::CallLinkStatus::computeFromCallLinkInfo):
874         (JSC::CallLinkStatus::computeFromCallEdgeProfile):
875         (JSC::CallLinkStatus::computeDFGStatuses):
876         (JSC::CallLinkStatus::isClosureCall):
877         (JSC::CallLinkStatus::makeClosureCall):
878         (JSC::CallLinkStatus::dump):
879         (JSC::CallLinkStatus::function): Deleted.
880         (JSC::CallLinkStatus::internalFunction): Deleted.
881         (JSC::CallLinkStatus::intrinsicFor): Deleted.
882         * bytecode/CallLinkStatus.h:
883         (JSC::CallLinkStatus::CallLinkStatus):
884         (JSC::CallLinkStatus::isSet):
885         (JSC::CallLinkStatus::couldTakeSlowPath):
886         (JSC::CallLinkStatus::edges):
887         (JSC::CallLinkStatus::size):
888         (JSC::CallLinkStatus::at):
889         (JSC::CallLinkStatus::operator[]):
890         (JSC::CallLinkStatus::canOptimize):
891         (JSC::CallLinkStatus::canTrustCounts):
892         (JSC::CallLinkStatus::isClosureCall): Deleted.
893         (JSC::CallLinkStatus::callTarget): Deleted.
894         (JSC::CallLinkStatus::executable): Deleted.
895         (JSC::CallLinkStatus::makeClosureCall): Deleted.
896         * bytecode/CallVariant.cpp: Added.
897         (JSC::CallVariant::dump):
898         * bytecode/CallVariant.h: Added.
899         (JSC::CallVariant::CallVariant):
900         (JSC::CallVariant::operator!):
901         (JSC::CallVariant::despecifiedClosure):
902         (JSC::CallVariant::rawCalleeCell):
903         (JSC::CallVariant::internalFunction):
904         (JSC::CallVariant::function):
905         (JSC::CallVariant::isClosureCall):
906         (JSC::CallVariant::executable):
907         (JSC::CallVariant::nonExecutableCallee):
908         (JSC::CallVariant::intrinsicFor):
909         (JSC::CallVariant::functionExecutable):
910         (JSC::CallVariant::isHashTableDeletedValue):
911         (JSC::CallVariant::operator==):
912         (JSC::CallVariant::operator!=):
913         (JSC::CallVariant::operator<):
914         (JSC::CallVariant::operator>):
915         (JSC::CallVariant::operator<=):
916         (JSC::CallVariant::operator>=):
917         (JSC::CallVariant::hash):
918         (JSC::CallVariant::deletedToken):
919         (JSC::CallVariantHash::hash):
920         (JSC::CallVariantHash::equal):
921         * bytecode/CodeOrigin.h:
922         (JSC::InlineCallFrame::isNormalCall):
923         * bytecode/ExitKind.cpp:
924         (JSC::exitKindToString):
925         * bytecode/ExitKind.h:
926         * bytecode/GetByIdStatus.cpp:
927         (JSC::GetByIdStatus::computeForStubInfo):
928         * bytecode/PutByIdStatus.cpp:
929         (JSC::PutByIdStatus::computeForStubInfo):
930         * dfg/DFGAbstractInterpreterInlines.h:
931         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
932         * dfg/DFGBackwardsPropagationPhase.cpp:
933         (JSC::DFG::BackwardsPropagationPhase::propagate):
934         * dfg/DFGBasicBlock.cpp:
935         (JSC::DFG::BasicBlock::~BasicBlock):
936         * dfg/DFGBasicBlock.h:
937         (JSC::DFG::BasicBlock::takeLast):
938         (JSC::DFG::BasicBlock::didLink):
939         * dfg/DFGByteCodeParser.cpp:
940         (JSC::DFG::ByteCodeParser::processSetLocalQueue):
941         (JSC::DFG::ByteCodeParser::removeLastNodeFromGraph):
942         (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
943         (JSC::DFG::ByteCodeParser::addCall):
944         (JSC::DFG::ByteCodeParser::handleCall):
945         (JSC::DFG::ByteCodeParser::emitFunctionChecks):
946         (JSC::DFG::ByteCodeParser::undoFunctionChecks):
947         (JSC::DFG::ByteCodeParser::inliningCost):
948         (JSC::DFG::ByteCodeParser::inlineCall):
949         (JSC::DFG::ByteCodeParser::cancelLinkingForBlock):
950         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
951         (JSC::DFG::ByteCodeParser::handleInlining):
952         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
953         (JSC::DFG::ByteCodeParser::prepareToParseBlock):
954         (JSC::DFG::ByteCodeParser::clearCaches):
955         (JSC::DFG::ByteCodeParser::parseBlock):
956         (JSC::DFG::ByteCodeParser::linkBlock):
957         (JSC::DFG::ByteCodeParser::linkBlocks):
958         (JSC::DFG::ByteCodeParser::parseCodeBlock):
959         * dfg/DFGCPSRethreadingPhase.cpp:
960         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
961         * dfg/DFGClobberize.h:
962         (JSC::DFG::clobberize):
963         * dfg/DFGCommon.h:
964         * dfg/DFGConstantFoldingPhase.cpp:
965         (JSC::DFG::ConstantFoldingPhase::foldConstants):
966         * dfg/DFGDoesGC.cpp:
967         (JSC::DFG::doesGC):
968         * dfg/DFGDriver.cpp:
969         (JSC::DFG::compileImpl):
970         * dfg/DFGFixupPhase.cpp:
971         (JSC::DFG::FixupPhase::fixupNode):
972         * dfg/DFGGraph.cpp:
973         (JSC::DFG::Graph::dump):
974         (JSC::DFG::Graph::getBlocksInPreOrder):
975         (JSC::DFG::Graph::visitChildren):
976         * dfg/DFGJITCompiler.cpp:
977         (JSC::DFG::JITCompiler::link):
978         * dfg/DFGLazyJSValue.cpp:
979         (JSC::DFG::LazyJSValue::switchLookupValue):
980         * dfg/DFGLazyJSValue.h:
981         (JSC::DFG::LazyJSValue::switchLookupValue): Deleted.
982         * dfg/DFGNode.cpp:
983         (WTF::printInternal):
984         * dfg/DFGNode.h:
985         (JSC::DFG::OpInfo::OpInfo):
986         (JSC::DFG::Node::hasHeapPrediction):
987         (JSC::DFG::Node::hasCellOperand):
988         (JSC::DFG::Node::cellOperand):
989         (JSC::DFG::Node::setCellOperand):
990         (JSC::DFG::Node::canBeKnownFunction): Deleted.
991         (JSC::DFG::Node::hasKnownFunction): Deleted.
992         (JSC::DFG::Node::knownFunction): Deleted.
993         (JSC::DFG::Node::giveKnownFunction): Deleted.
994         (JSC::DFG::Node::hasFunction): Deleted.
995         (JSC::DFG::Node::function): Deleted.
996         (JSC::DFG::Node::hasExecutable): Deleted.
997         (JSC::DFG::Node::executable): Deleted.
998         * dfg/DFGNodeType.h:
999         * dfg/DFGPhantomCanonicalizationPhase.cpp:
1000         (JSC::DFG::PhantomCanonicalizationPhase::run):
1001         * dfg/DFGPhantomRemovalPhase.cpp:
1002         (JSC::DFG::PhantomRemovalPhase::run):
1003         * dfg/DFGPredictionPropagationPhase.cpp:
1004         (JSC::DFG::PredictionPropagationPhase::propagate):
1005         * dfg/DFGSafeToExecute.h:
1006         (JSC::DFG::safeToExecute):
1007         * dfg/DFGSpeculativeJIT.cpp:
1008         (JSC::DFG::SpeculativeJIT::emitSwitch):
1009         * dfg/DFGSpeculativeJIT32_64.cpp:
1010         (JSC::DFG::SpeculativeJIT::emitCall):
1011         (JSC::DFG::SpeculativeJIT::compile):
1012         * dfg/DFGSpeculativeJIT64.cpp:
1013         (JSC::DFG::SpeculativeJIT::emitCall):
1014         (JSC::DFG::SpeculativeJIT::compile):
1015         * dfg/DFGStructureRegistrationPhase.cpp:
1016         (JSC::DFG::StructureRegistrationPhase::run):
1017         * dfg/DFGTierUpCheckInjectionPhase.cpp:
1018         (JSC::DFG::TierUpCheckInjectionPhase::run):
1019         (JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling):
1020         * dfg/DFGValidate.cpp:
1021         (JSC::DFG::Validate::validate):
1022         * dfg/DFGWatchpointCollectionPhase.cpp:
1023         (JSC::DFG::WatchpointCollectionPhase::handle):
1024         * ftl/FTLCapabilities.cpp:
1025         (JSC::FTL::canCompile):
1026         * ftl/FTLLowerDFGToLLVM.cpp:
1027         (JSC::FTL::ftlUnreachable):
1028         (JSC::FTL::LowerDFGToLLVM::lower):
1029         (JSC::FTL::LowerDFGToLLVM::compileNode):
1030         (JSC::FTL::LowerDFGToLLVM::compileCheckCell):
1031         (JSC::FTL::LowerDFGToLLVM::compileCheckBadCell):
1032         (JSC::FTL::LowerDFGToLLVM::compileGetExecutable):
1033         (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
1034         (JSC::FTL::LowerDFGToLLVM::compileSwitch):
1035         (JSC::FTL::LowerDFGToLLVM::buildSwitch):
1036         (JSC::FTL::LowerDFGToLLVM::compileCheckFunction): Deleted.
1037         (JSC::FTL::LowerDFGToLLVM::compileCheckExecutable): Deleted.
1038         * heap/Heap.cpp:
1039         (JSC::Heap::collect):
1040         * jit/AssemblyHelpers.h:
1041         (JSC::AssemblyHelpers::storeValue):
1042         (JSC::AssemblyHelpers::loadValue):
1043         * jit/CCallHelpers.h:
1044         (JSC::CCallHelpers::setupArguments):
1045         * jit/GPRInfo.h:
1046         (JSC::JSValueRegs::uses):
1047         * jit/JITCall.cpp:
1048         (JSC::JIT::compileOpCall):
1049         * jit/JITCall32_64.cpp:
1050         (JSC::JIT::compileOpCall):
1051         * runtime/Options.h:
1052         * runtime/VM.cpp:
1053         (JSC::VM::ensureCallEdgeLog):
1054         * runtime/VM.h:
1055         * tests/stress/fold-profiled-call-to-call.js: Added. This test pinpoints the problem we saw in fast/storage/serialized-script-value.html.
1056         * tests/stress/new-array-then-exit.js: Added.
1057         * tests/stress/poly-call-exit-this.js: Added.
1058         * tests/stress/poly-call-exit.js: Added.
1059
1060 2014-08-28  Julien Brianceau   <jbriance@cisco.com>
1061
1062         Correct GC length unit and prevent division by 0 in showObjectStatistics.
1063         https://bugs.webkit.org/show_bug.cgi?id=136340
1064
1065         Reviewed by Mark Hahnenberg.
1066
1067         * heap/HeapStatistics.cpp:
1068         (JSC::HeapStatistics::showObjectStatistics):
1069
1070 2014-08-27  Akos Kiss  <akiss@inf.u-szeged.hu>
1071
1072         Ensure that the call frame passed from JIT code via JSC::operationCallEval to JSC::eval always contains the valid scope chain.
1073         https://bugs.webkit.org/show_bug.cgi?id=136313
1074
1075         Reviewed by Michael Saboff.
1076
1077         Do not rely on calling conventions to fill in the CallerFrame component
1078         of the execCallee parameter of JSC::operationCallEval.
1079
1080         * jit/JITOperations.cpp:
1081
1082 2014-08-27  Saam Barati  <sbarati@apple.com>
1083
1084         Deconstruction object pattern node emits the wrong start/end text positions
1085         https://bugs.webkit.org/show_bug.cgi?id=136304
1086
1087         Reviewed by Geoffrey Garen.
1088
1089         Object pattern nodes that used the syntactic sugar binding: 
1090         'var {foo} = {foo:20}' instead of 'var {foo:foo} = {foo:20}' 
1091         would get the wrong text position for variable 'foo'. The position 
1092         would be placed on the comma(s)/closing brace instead of the identifier. 
1093         This patch fixes this bug by caching the identifier's JSToken before 
1094         trying to parse an optional colon.
1095
1096         * parser/Parser.cpp:
1097         (JSC::Parser<LexerType>::parseVarDeclarationList):
1098         (JSC::Parser<LexerType>::createBindingPattern):
1099         (JSC::Parser<LexerType>::parseDeconstructionPattern):
1100         * parser/Parser.h:
1101
1102 2014-08-27  Brent Fulgham  <bfulgham@apple.com>
1103
1104         [Win] Build fix after last commit.
1105
1106         Check in new DLLLauncherMain.cpp file.
1107
1108         * JavaScriptCore.vcxproj/jsc/DLLLauncherMain.cpp: Added.
1109         (enableTerminationOnHeapCorruption):
1110         (getStringValue):
1111         (applePathFromRegistry):
1112         (appleApplicationSupportDirectory):
1113         (copyEnvironmentVariable):
1114         (prependPath):
1115         (fatalError):
1116         (directoryExists):
1117         (modifyPath):
1118         (getLastErrorString):
1119         (wWinMain):
1120
1121 2014-08-27  Brent Fulgham  <bfulgham@apple.com>
1122
1123         [Win] testapi and testRegExp need to find support libraries.
1124         https://bugs.webkit.org/show_bug.cgi?id=136008.
1125
1126         Reviewed by Dean Jackson.
1127
1128         Revise the Windows build of jsc, testapi, and testRegExp so that they
1129         find and use the proper runtime support libraries.
1130
1131         These locations vary between the Apple Windows build and WinCairo, and
1132         are generally not in the system PATH environment setting. Consequently,
1133         these applications fail on launch unless the user modifies their
1134         PATH.
1135
1136         This patch revises these tools to work like WinLauncher and DumpRenderTree
1137         so that they run reliably.
1138
1139         * API/tests/testapi.c:
1140         (dllLauncherEntryPoint): Added.
1141         * JavaScriptCore.vcxproj/JavaScriptCore.sln: Add new build projects and
1142           provide proper dependencies with existing projects.
1143         * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: Ditto.
1144         * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: Switch to build
1145           a DLL, rather than an executable.
1146         * JavaScriptCore.vcxproj/jsc/jscCommon.props: Add shlwapi.lib
1147           to the list of libraries needed at link-time, and to use
1148           the DLL/Console combination entry point.
1149         * JavaScriptCore.vcxproj/jsc/jscLauncher.vcxproj: Added.
1150         * JavaScriptCore.vcxproj/jsc/jscLauncherPostBuild.cmd: Copied from JavaScriptCore.vcxproj/jsc/jscPostBuild.cmd.
1151         * JavaScriptCore.vcxproj/jsc/jscLauncherPreBuild.cmd: Copied from JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd.
1152         * JavaScriptCore.vcxproj/jsc/jscLauncherPreLink.cmd: Copied from JavaScriptCore.vcxproj/jsc/jscPreLink.cmd.
1153         * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: Switch to build
1154           a DLL, rather than an executable.
1155         * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props: Add shlwapi.lib
1156           to the list of libraries needed at link-time, and to use
1157           the DLL/Console combination entry point.
1158         * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncher.vcxproj: Added.
1159         * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncherPostBuild.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPostBuild.cmd.
1160         * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncherPreBuild.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd.
1161         * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncherPreLink.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPreLink.cmd.
1162         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: Switch to build
1163           a DLL, rather than an executable.
1164         * JavaScriptCore.vcxproj/testapi/testapiLauncher.vcxproj: Added.
1165         * JavaScriptCore.vcxproj/testapi/testapiCommon.props: Add shlwapi.lib
1166           to the list of libraries needed at link-time, and to use
1167           the DLL/Console combination entry point.
1168         * JavaScriptCore.vcxproj/testapi/testapiLauncherPostBuild.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPostBuild.cmd.
1169         * JavaScriptCore.vcxproj/testapi/testapiLauncherPreBuild.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd.
1170         * JavaScriptCore.vcxproj/testapi/testapiLauncherPreLink.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPreLink.cmd.
1171         * jsc.cpp:
1172         (dllLauncherEntryPoint): Added.
1173         * testRegExp.cpp:
1174         (dllLauncherEntryPoint): Added.
1175
1176 2014-08-27  Julien Brianceau   <jbriance@cisco.com>
1177
1178         Take advantage of 3 parameters or32() calls
1179         https://bugs.webkit.org/show_bug.cgi?id=136287
1180
1181         Reviewed by Michael Saboff.
1182
1183         For specific architectures (arm and mips for instance), or32() calls
1184         with 3 parameters are likely to produce a single instruction.
1185
1186         * dfg/DFGSpeculativeJIT32_64.cpp:
1187         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
1188         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
1189         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
1190         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1191         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1192         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1193         (JSC::DFG::SpeculativeJIT::branchIsOther):
1194         (JSC::DFG::SpeculativeJIT::branchNotOther):
1195
1196 2014-08-26  Brian J. Burg  <burg@cs.washington.edu>
1197
1198         Web Inspector: put feature flags for Inspector domains in the protocol specification
1199         https://bugs.webkit.org/show_bug.cgi?id=136027
1200
1201         Reviewed by Timothy Hatcher.
1202
1203         Remove the hardcoded map of domains to feature guards, and instead parse it from the specification.
1204
1205         Test: inspector/scripts/tests/generate-domains-with-feature-guards.json
1206
1207         * inspector/scripts/codegen/generator.py:
1208         (Generator.wrap_with_guard_for_domain):
1209         * inspector/scripts/codegen/models.py:
1210         (Protocol.parse_domain):
1211         (Domain.__init__):
1212         (Domains):
1213         * inspector/scripts/tests/generate-domains-with-feature-guards.json: Added.
1214         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1215         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1216         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1217         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1218         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1219
1220 2014-08-26  Andy Estes  <aestes@apple.com>
1221
1222         [Cocoa] Some projects are incorrectly installed to $BUILT_PRODUCTS_DIR
1223         https://bugs.webkit.org/show_bug.cgi?id=136267
1224
1225         Reviewed by Dan Bernstein.
1226
1227         INSTALL_PATH was set to $BUILT_PRODUCTS_DIR for engineering configurations in r20225 as part of a build fix.
1228         Not only is this no longer necessary to build, but it causes built products to be incorrectly installed in
1229         engineering configurations.
1230
1231         Remove the setting of INSTALL_PATH from the pbxproj file so that the value specified in the xcconfig files is
1232         used instead.
1233
1234         * JavaScriptCore.xcodeproj/project.pbxproj:
1235
1236 2014-08-26  Michael Saboff  <msaboff@apple.com>
1237
1238         [Win] 64-bit JavaScriptCore crashes on launch
1239         https://bugs.webkit.org/show_bug.cgi?id=136241
1240
1241         Reviewed by Mark Lam.
1242
1243         * llint/LowLevelInterpreter.asm:
1244         (vmEntryRecord): X86_64_WIN doesn't use "a0" (rax) for the first argument, it uses
1245         "t2" (rcx).  Changed to get the input parameter using the correct register.
1246
1247 2014-08-26  Saam Barati  <sbarati@apple.com>
1248
1249         TypeSet caches structureIDs even after the corresponding Structure could be GCed
1250         https://bugs.webkit.org/show_bug.cgi?id=136178
1251
1252         Reviewed by Geoffrey Garen.
1253
1254         Currently, TypeSet will never remove StructureIDs from its cache,
1255         even after the corresponding Structures could be garbage collected.
1256         Now, when the Garbage Collector collects, and type profiling is 
1257         enabled, the Garbage Collector will invalidate all TypeSet caches.
1258
1259         * heap/Heap.cpp:
1260         (JSC::Heap::collect):
1261         * runtime/TypeSet.cpp:
1262         (JSC::TypeSet::addTypeInformation):
1263         (JSC::TypeSet::invalidateCache):
1264         * runtime/TypeSet.h:
1265         * runtime/VM.cpp:
1266         (JSC::VM::invalidateTypeSetCache):
1267         * runtime/VM.h:
1268
1269 2014-08-26  Michael Saboff  <msaboff@apple.com>
1270
1271         REGRESSION(r172794) + 32Bit build: for-in-base-reassigned-later-and-change-structure.js fail with NaN result
1272         https://bugs.webkit.org/show_bug.cgi?id=136187
1273
1274         Reviewed by Mark Hahnenberg.
1275
1276         Added two arg version for 32 bit builds of callOperation(J_JITOperation_ECJ, ...) that
1277         doesn't require a tag for the second argument, instead it fills in a CellTag.  This is
1278         used for the slow case of the GetDirectPname case in SpeculativeJIT::compile since we
1279         haven't set up a register with a tag and we know that argument 2 is a cell.
1280
1281         * dfg/DFGSpeculativeJIT.h:
1282         (JSC::DFG::SpeculativeJIT::callOperation): New version with implicit CellTag.
1283         * dfg/DFGSpeculativeJIT32_64.cpp:
1284         (JSC::DFG::SpeculativeJIT::compile): Eliminated extraneous filling of the scratchGPR
1285         with CellTag as it wasn't in the control flow for the slow path that needed the tag.
1286         Instead changed to calling new version of callOperation with an implicit CellTag.
1287
1288 2014-08-26  Commit Queue  <commit-queue@webkit.org>
1289
1290         Unreviewed, rolling out r172940.
1291         https://bugs.webkit.org/show_bug.cgi?id=136256
1292
1293         Caused assertions on fast/storage/serialized-script-value.html,
1294         and possibly flakiness on more tests (Requested by ap on
1295         #webkit).
1296
1297         Reverted changeset:
1298
1299         "FTL should be able to do polymorphic call inlining"
1300         https://bugs.webkit.org/show_bug.cgi?id=135145
1301         http://trac.webkit.org/changeset/172940
1302
1303 2014-08-26  Michael Saboff  <msaboff@apple.com>
1304
1305         REGRESSION(r172794) + 32Bit build: ASSERT failures in for-in-tests.js tests.
1306         https://bugs.webkit.org/show_bug.cgi?id=136165
1307
1308         Reviewed by Mark Hahnenberg.
1309
1310         Changed switch case GetDirectPname: to always use the slow path for X86 since it only has
1311         6 registers available, but the code requires 7.
1312
1313         * dfg/DFGSpeculativeJIT32_64.cpp:
1314         (JSC::DFG::SpeculativeJIT::compile):
1315
1316 2014-08-25  Saam Barati  <sbarati@apple.com>
1317
1318         TypeProfiler search breaks on return statements
1319         https://bugs.webkit.org/show_bug.cgi?id=136201
1320
1321         Reviewed by Filip Pizlo.
1322
1323         Searching for return statements in the TypeProfiler currently
1324         breaks down because it expects to see the search descriptor
1325         TypeProfilerSearchDescriptorFunctionReturn when looking for
1326         return statements in the actual source code of the program.
1327         But the TypeProfilerSearchDescriptorFunctionReturn search descriptor
1328         is reserved for looking for return statements that aren't in the
1329         actual source code of the program, but for when asking for the
1330         aggregate return type of a function. Now, searching for
1331         return statements in the actual source code of the program will
1332         work when passing in the search descriptor TypeProfilerSearchDescriptorNormal.
1333
1334         * bytecode/CodeBlock.cpp:
1335         (JSC::CodeBlock::CodeBlock):
1336         * runtime/TypeProfiler.cpp:
1337         (JSC::TypeProfiler::findLocation):
1338         (JSC::descriptorMatchesTypeLocation): Deleted.
1339
1340 2014-08-25  Saam Barati  <sbarati@apple.com>
1341
1342         Return statement TypeSet's might be duplicated
1343         https://bugs.webkit.org/show_bug.cgi?id=136200
1344
1345         Reviewed by Filip Pizlo.
1346
1347         Currently, the globalTypeSet that converges the types of all
1348         return statements in a function lives off of CodeBlock. It lives
1349         off CodeBlock because of a faulty assumption that CodeBlock
1350         will have a one-to-one mapping with a function in the source
1351         text of the program. (Currently, there isn't an actual bug
1352         with this design because TypeLocationCache will hash cons to
1353         the same TypeLocation, but this is still an incorrect design.)
1354         In this patch, the globalTypeSet for function return statements
1355         is moved to the FunctionExecutable object, which does have a one-to-one
1356         mapping with functions in the source text of a program.
1357
1358         * bytecode/CodeBlock.cpp:
1359         (JSC::CodeBlock::CodeBlock):
1360         * bytecode/CodeBlock.h:
1361         (JSC::CodeBlock::returnStatementTypeSet): Deleted.
1362         * runtime/Executable.h:
1363         (JSC::FunctionExecutable::returnStatementTypeSet):
1364
1365 2014-08-24  Filip Pizlo  <fpizlo@apple.com>
1366
1367         FTL should be able to do polymorphic call inlining
1368         https://bugs.webkit.org/show_bug.cgi?id=135145
1369
1370         Reviewed by Geoffrey Garen.
1371         
1372         Added a log-based high-fidelity call edge profiler that runs in DFG JIT (and optionally
1373         baseline JIT) code. Used it to do precise polymorphic inlining in the FTL. Potential
1374         inlining sites use the call edge profile if it is available, but they will still fall back
1375         on the call inline cache and rare case counts if it's not. Polymorphic inlining means that
1376         multiple possible callees can be inlined with a switch to guard them. The slow path may
1377         either be an OSR exit or a virtual call.
1378         
1379         The call edge profiling added in this patch is very precise - it will tell you about every
1380         call that has ever happened. It took some effort to reduce the overhead of this profiling.
1381         This mostly involved ensuring that we don't do it unnecessarily. For example, we avoid it
1382         in the baseline JIT (you can conditionally enable it but it's off by default) and we only do
1383         it in the DFG JIT if we know that the regular inline cache profiling wasn't precise enough.
1384         I also experimented with reducing the precision of the profiling. This led to a significant
1385         reduction in the speed-up, so I avoided this approach. I also explored making log processing
1386         concurrent, but that didn't help. Also, I tested the overhead of the log processing and
1387         found that most of the overhead of this profiling is actually in putting things into the log
1388         rather than in processing the log - that part appears to be surprisingly cheap.
1389         
1390         Polymorphic inlining could be enabled in the DFG if we enabled baseline call edge profiling,
1391         and if we guarded such inlining sites with some profiling mechanism to detect
1392         polyvariant monomorphisation opportunities (where the callsite being inlined reveals that
1393         it's actually monomorphic).
1394         
1395         This is a ~28% speed-up on deltablue and a ~7% speed-up on richards, with small speed-ups on
1396         other programs as well. It's about a 2% speed-up on Octane version 2, and never a regression
1397         on anything we care about. Some aggregates, like V8Spider, see a regression. This is
1398         highlighting the increase in profiling overhead. But since this doesn't show up on any major
1399         score (code-load or SunSpider), it's probably not relevant.
1400         
1401         * CMakeLists.txt:
1402         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1403         * JavaScriptCore.xcodeproj/project.pbxproj:
1404         * bytecode/CallEdge.cpp: Added.
1405         (JSC::CallEdge::dump):
1406         * bytecode/CallEdge.h: Added.
1407         (JSC::CallEdge::operator!):
1408         (JSC::CallEdge::callee):
1409         (JSC::CallEdge::count):
1410         (JSC::CallEdge::despecifiedClosure):
1411         (JSC::CallEdge::CallEdge):
1412         * bytecode/CallEdgeProfile.cpp: Added.
1413         (JSC::CallEdgeProfile::callEdges):
1414         (JSC::CallEdgeProfile::numCallsToKnownCells):
1415         (JSC::worthDespecifying):
1416         (JSC::CallEdgeProfile::worthDespecifying):
1417         (JSC::CallEdgeProfile::visitWeak):
1418         (JSC::CallEdgeProfile::addSlow):
1419         (JSC::CallEdgeProfile::mergeBack):
1420         (JSC::CallEdgeProfile::fadeByHalf):
1421         (JSC::CallEdgeLog::CallEdgeLog):
1422         (JSC::CallEdgeLog::~CallEdgeLog):
1423         (JSC::CallEdgeLog::isEnabled):
1424         (JSC::operationProcessCallEdgeLog):
1425         (JSC::CallEdgeLog::emitLogCode):
1426         (JSC::CallEdgeLog::processLog):
1427         * bytecode/CallEdgeProfile.h: Added.
1428         (JSC::CallEdgeProfile::numCallsToNotCell):
1429         (JSC::CallEdgeProfile::numCallsToUnknownCell):
1430         (JSC::CallEdgeProfile::totalCalls):
1431         * bytecode/CallEdgeProfileInlines.h: Added.
1432         (JSC::CallEdgeProfile::CallEdgeProfile):
1433         (JSC::CallEdgeProfile::add):
1434         * bytecode/CallLinkInfo.cpp:
1435         (JSC::CallLinkInfo::visitWeak):
1436         * bytecode/CallLinkInfo.h:
1437         * bytecode/CallLinkStatus.cpp:
1438         (JSC::CallLinkStatus::CallLinkStatus):
1439         (JSC::CallLinkStatus::computeFromLLInt):
1440         (JSC::CallLinkStatus::computeFor):
1441         (JSC::CallLinkStatus::computeExitSiteData):
1442         (JSC::CallLinkStatus::computeFromCallLinkInfo):
1443         (JSC::CallLinkStatus::computeFromCallEdgeProfile):
1444         (JSC::CallLinkStatus::computeDFGStatuses):
1445         (JSC::CallLinkStatus::isClosureCall):
1446         (JSC::CallLinkStatus::makeClosureCall):
1447         (JSC::CallLinkStatus::dump):
1448         (JSC::CallLinkStatus::function): Deleted.
1449         (JSC::CallLinkStatus::internalFunction): Deleted.
1450         (JSC::CallLinkStatus::intrinsicFor): Deleted.
1451         * bytecode/CallLinkStatus.h:
1452         (JSC::CallLinkStatus::CallLinkStatus):
1453         (JSC::CallLinkStatus::isSet):
1454         (JSC::CallLinkStatus::couldTakeSlowPath):
1455         (JSC::CallLinkStatus::edges):
1456         (JSC::CallLinkStatus::size):
1457         (JSC::CallLinkStatus::at):
1458         (JSC::CallLinkStatus::operator[]):
1459         (JSC::CallLinkStatus::canOptimize):
1460         (JSC::CallLinkStatus::canTrustCounts):
1461         (JSC::CallLinkStatus::isClosureCall): Deleted.
1462         (JSC::CallLinkStatus::callTarget): Deleted.
1463         (JSC::CallLinkStatus::executable): Deleted.
1464         (JSC::CallLinkStatus::makeClosureCall): Deleted.
1465         * bytecode/CallVariant.cpp: Added.
1466         (JSC::CallVariant::dump):
1467         * bytecode/CallVariant.h: Added.
1468         (JSC::CallVariant::CallVariant):
1469         (JSC::CallVariant::operator!):
1470         (JSC::CallVariant::despecifiedClosure):
1471         (JSC::CallVariant::rawCalleeCell):
1472         (JSC::CallVariant::internalFunction):
1473         (JSC::CallVariant::function):
1474         (JSC::CallVariant::isClosureCall):
1475         (JSC::CallVariant::executable):
1476         (JSC::CallVariant::nonExecutableCallee):
1477         (JSC::CallVariant::intrinsicFor):
1478         (JSC::CallVariant::functionExecutable):
1479         (JSC::CallVariant::isHashTableDeletedValue):
1480         (JSC::CallVariant::operator==):
1481         (JSC::CallVariant::operator!=):
1482         (JSC::CallVariant::operator<):
1483         (JSC::CallVariant::operator>):
1484         (JSC::CallVariant::operator<=):
1485         (JSC::CallVariant::operator>=):
1486         (JSC::CallVariant::hash):
1487         (JSC::CallVariant::deletedToken):
1488         (JSC::CallVariantHash::hash):
1489         (JSC::CallVariantHash::equal):
1490         * bytecode/CodeOrigin.h:
1491         (JSC::InlineCallFrame::isNormalCall):
1492         * bytecode/ExitKind.cpp:
1493         (JSC::exitKindToString):
1494         * bytecode/ExitKind.h:
1495         * bytecode/GetByIdStatus.cpp:
1496         (JSC::GetByIdStatus::computeForStubInfo):
1497         * bytecode/PutByIdStatus.cpp:
1498         (JSC::PutByIdStatus::computeForStubInfo):
1499         * dfg/DFGAbstractInterpreterInlines.h:
1500         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1501         * dfg/DFGBackwardsPropagationPhase.cpp:
1502         (JSC::DFG::BackwardsPropagationPhase::propagate):
1503         * dfg/DFGBasicBlock.cpp:
1504         (JSC::DFG::BasicBlock::~BasicBlock):
1505         * dfg/DFGBasicBlock.h:
1506         (JSC::DFG::BasicBlock::takeLast):
1507         (JSC::DFG::BasicBlock::didLink):
1508         * dfg/DFGByteCodeParser.cpp:
1509         (JSC::DFG::ByteCodeParser::processSetLocalQueue):
1510         (JSC::DFG::ByteCodeParser::removeLastNodeFromGraph):
1511         (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
1512         (JSC::DFG::ByteCodeParser::addCall):
1513         (JSC::DFG::ByteCodeParser::handleCall):
1514         (JSC::DFG::ByteCodeParser::emitFunctionChecks):
1515         (JSC::DFG::ByteCodeParser::undoFunctionChecks):
1516         (JSC::DFG::ByteCodeParser::inliningCost):
1517         (JSC::DFG::ByteCodeParser::inlineCall):
1518         (JSC::DFG::ByteCodeParser::cancelLinkingForBlock):
1519         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
1520         (JSC::DFG::ByteCodeParser::handleInlining):
1521         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1522         (JSC::DFG::ByteCodeParser::prepareToParseBlock):
1523         (JSC::DFG::ByteCodeParser::clearCaches):
1524         (JSC::DFG::ByteCodeParser::parseBlock):
1525         (JSC::DFG::ByteCodeParser::linkBlock):
1526         (JSC::DFG::ByteCodeParser::linkBlocks):
1527         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1528         * dfg/DFGCPSRethreadingPhase.cpp:
1529         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
1530         * dfg/DFGClobberize.h:
1531         (JSC::DFG::clobberize):
1532         * dfg/DFGCommon.h:
1533         * dfg/DFGConstantFoldingPhase.cpp:
1534         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1535         * dfg/DFGDoesGC.cpp:
1536         (JSC::DFG::doesGC):
1537         * dfg/DFGDriver.cpp:
1538         (JSC::DFG::compileImpl):
1539         * dfg/DFGFixupPhase.cpp:
1540         (JSC::DFG::FixupPhase::fixupNode):
1541         * dfg/DFGGraph.cpp:
1542         (JSC::DFG::Graph::dump):
1543         (JSC::DFG::Graph::visitChildren):
1544         * dfg/DFGJITCompiler.cpp:
1545         (JSC::DFG::JITCompiler::link):
1546         * dfg/DFGLazyJSValue.cpp:
1547         (JSC::DFG::LazyJSValue::switchLookupValue):
1548         * dfg/DFGLazyJSValue.h:
1549         (JSC::DFG::LazyJSValue::switchLookupValue): Deleted.
1550         * dfg/DFGNode.cpp:
1551         (WTF::printInternal):
1552         * dfg/DFGNode.h:
1553         (JSC::DFG::OpInfo::OpInfo):
1554         (JSC::DFG::Node::hasHeapPrediction):
1555         (JSC::DFG::Node::hasCellOperand):
1556         (JSC::DFG::Node::cellOperand):
1557         (JSC::DFG::Node::setCellOperand):
1558         (JSC::DFG::Node::canBeKnownFunction): Deleted.
1559         (JSC::DFG::Node::hasKnownFunction): Deleted.
1560         (JSC::DFG::Node::knownFunction): Deleted.
1561         (JSC::DFG::Node::giveKnownFunction): Deleted.
1562         (JSC::DFG::Node::hasFunction): Deleted.
1563         (JSC::DFG::Node::function): Deleted.
1564         (JSC::DFG::Node::hasExecutable): Deleted.
1565         (JSC::DFG::Node::executable): Deleted.
1566         * dfg/DFGNodeType.h:
1567         * dfg/DFGPhantomCanonicalizationPhase.cpp:
1568         (JSC::DFG::PhantomCanonicalizationPhase::run):
1569         * dfg/DFGPhantomRemovalPhase.cpp:
1570         (JSC::DFG::PhantomRemovalPhase::run):
1571         * dfg/DFGPredictionPropagationPhase.cpp:
1572         (JSC::DFG::PredictionPropagationPhase::propagate):
1573         * dfg/DFGSafeToExecute.h:
1574         (JSC::DFG::safeToExecute):
1575         * dfg/DFGSpeculativeJIT.cpp:
1576         (JSC::DFG::SpeculativeJIT::emitSwitch):
1577         * dfg/DFGSpeculativeJIT32_64.cpp:
1578         (JSC::DFG::SpeculativeJIT::emitCall):
1579         (JSC::DFG::SpeculativeJIT::compile):
1580         * dfg/DFGSpeculativeJIT64.cpp:
1581         (JSC::DFG::SpeculativeJIT::emitCall):
1582         (JSC::DFG::SpeculativeJIT::compile):
1583         * dfg/DFGStructureRegistrationPhase.cpp:
1584         (JSC::DFG::StructureRegistrationPhase::run):
1585         * dfg/DFGTierUpCheckInjectionPhase.cpp:
1586         (JSC::DFG::TierUpCheckInjectionPhase::run):
1587         (JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling):
1588         * dfg/DFGValidate.cpp:
1589         (JSC::DFG::Validate::validate):
1590         * dfg/DFGWatchpointCollectionPhase.cpp:
1591         (JSC::DFG::WatchpointCollectionPhase::handle):
1592         * ftl/FTLCapabilities.cpp:
1593         (JSC::FTL::canCompile):
1594         * ftl/FTLLowerDFGToLLVM.cpp:
1595         (JSC::FTL::ftlUnreachable):
1596         (JSC::FTL::LowerDFGToLLVM::lower):
1597         (JSC::FTL::LowerDFGToLLVM::compileNode):
1598         (JSC::FTL::LowerDFGToLLVM::compileCheckCell):
1599         (JSC::FTL::LowerDFGToLLVM::compileCheckBadCell):
1600         (JSC::FTL::LowerDFGToLLVM::compileGetExecutable):
1601         (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
1602         (JSC::FTL::LowerDFGToLLVM::compileSwitch):
1603         (JSC::FTL::LowerDFGToLLVM::buildSwitch):
1604         (JSC::FTL::LowerDFGToLLVM::compileCheckFunction): Deleted.
1605         (JSC::FTL::LowerDFGToLLVM::compileCheckExecutable): Deleted.
1606         * heap/Heap.cpp:
1607         (JSC::Heap::collect):
1608         * jit/AssemblyHelpers.h:
1609         (JSC::AssemblyHelpers::storeValue):
1610         (JSC::AssemblyHelpers::loadValue):
1611         * jit/CCallHelpers.h:
1612         (JSC::CCallHelpers::setupArguments):
1613         * jit/GPRInfo.h:
1614         (JSC::JSValueRegs::uses):
1615         * jit/JITCall.cpp:
1616         (JSC::JIT::compileOpCall):
1617         * jit/JITCall32_64.cpp:
1618         (JSC::JIT::compileOpCall):
1619         * runtime/Options.h:
1620         * runtime/VM.cpp:
1621         (JSC::VM::ensureCallEdgeLog):
1622         * runtime/VM.h:
1623         * tests/stress/new-array-then-exit.js: Added.
1624         (foo):
1625         * tests/stress/poly-call-exit-this.js: Added.
1626         * tests/stress/poly-call-exit.js: Added.
1627
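An added illustrative model, not JavaScriptCore's own code, of the log-based call edge profiling described in the entry above: JIT code appends every call to a log, the log is folded into per-site profiles, and a profile then decides which callees are worth inlining under switch guards and whether a slow path remains. The names CallEdgeLog, CallEdgeProfile, fadeByHalf and computeFromCallEdgeProfile are borrowed from the entry; the bodies, the coverage threshold and the constructed callee names are assumptions of this example.

```cpp
// Constructed example: a simplified stand-in for JSC's call edge profiling.
// Names mirror the ChangeLog entry; the logic here is illustrative only.
#include <algorithm>
#include <cstdint>
#include <iterator>
#include <map>
#include <string>
#include <utility>
#include <vector>

// Per call site: how often each callee (identified here by a constructed
// name) was called, plus calls whose callee was not a cell at all.
struct CallEdgeProfile {
    std::map<std::string, uint32_t> edges;   // callee -> call count
    uint32_t callsToNotCell = 0;

    // Record one call. An empty callee name models "callee was not a cell".
    void add(const std::string& callee) {
        if (callee.empty())
            ++callsToNotCell;
        else
            ++edges[callee];
    }
    uint32_t numCallsToKnownCells() const {
        uint32_t n = 0;
        for (const auto& e : edges)
            n += e.second;
        return n;
    }
    uint32_t totalCalls() const { return numCallsToKnownCells() + callsToNotCell; }
    // Age the counts so old behaviour does not dominate forever; edges whose
    // count fades to zero are dropped.
    void fadeByHalf() {
        for (auto it = edges.begin(); it != edges.end();) {
            it->second /= 2;
            it = it->second ? std::next(it) : edges.erase(it);
        }
        callsToNotCell /= 2;
    }
};

// The log JIT code appends to: one (call site, callee) entry per call, so it
// sees every call rather than only the first few like an inline cache would.
struct CallEdgeLog {
    std::vector<std::pair<int, std::string>> entries;  // (callSiteId, callee)
    void record(int callSiteId, const std::string& callee) {
        entries.emplace_back(callSiteId, callee);
    }
    // Fold the log into the per-site profiles and clear it.
    void processLog(std::map<int, CallEdgeProfile>& profiles) {
        for (const auto& e : entries)
            profiles[e.first].add(e.second);
        entries.clear();
    }
};

// What the compiler derives from a profile: the callees worth inlining under
// switch guards, and whether a slow path (virtual call or exit) is still needed.
struct CallLinkStatus {
    std::vector<std::string> variants;   // callees to inline, most frequent first
    bool couldTakeSlowPath = false;
    bool canOptimize() const { return !variants.empty(); }
};

// Keep up to maxVariants callees; optimize only if together they cover at
// least minCoverage of all calls at the site (threshold is an assumption).
CallLinkStatus computeFromCallEdgeProfile(const CallEdgeProfile& profile,
                                          size_t maxVariants, double minCoverage) {
    CallLinkStatus status;
    uint32_t total = profile.totalCalls();
    if (!total)
        return status;
    std::vector<std::pair<std::string, uint32_t>> sorted(profile.edges.begin(),
                                                         profile.edges.end());
    std::sort(sorted.begin(), sorted.end(),
              [](const auto& a, const auto& b) { return a.second > b.second; });
    uint32_t covered = 0;
    for (size_t i = 0; i < sorted.size() && i < maxVariants; ++i) {
        status.variants.push_back(sorted[i].first);
        covered += sorted[i].second;
    }
    if (static_cast<double>(covered) / total < minCoverage) {
        status.variants.clear();   // too spread out: guards would not pay off
        return status;
    }
    status.couldTakeSlowPath = covered < total;   // some calls go elsewhere
    return status;
}
```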
1628 2014-08-22  Michael Saboff  <msaboff@apple.com>
1629
1630         After r172867 another crash in in js/dom/line-column-numbers.html
1631         https://bugs.webkit.org/show_bug.cgi?id=136192
1632
1633         Reviewed by Geoffrey Garen.
1634
1635         In lookupExceptionHandlerFromCallerFrame(), we need to use the caller's CallFrame
1636         and VMEntryFrame when calling genericUnwind().  NativeCallFrameTracerWithRestore()
1637         does that for us.
1638
1639         In general, NativeCallFrameTracerWithRestore() restores the values because we may
1640         do more processing that requires the current callFrame and vmEntryFrame before we
1641         get to the catch handler where we change these to the catch values.  In this
1642         particular case, that restoration isn't currently needed, but we add complexity
1643         and possible future confusion if we create another NativeCallFrameTracerXXX()
1644         version that doesn't restore the values.
1645
1646         * jit/JITOperations.cpp:
1647         (JSC::lookupExceptionHandlerFromCallerFrame): Changed NativeCallFrameTracer() to
1648         NativeCallFrameTracerWithRestore() so that VM::topVMEntryFrame will be updated
1649         before calling genericUnwind().
1650
1651 2014-08-24  Brian J. Burg  <burg@cs.washington.edu>
1652
1653         Web Inspector: rename Inspector::TypeBuilder to Inspector::Protocol
1654         https://bugs.webkit.org/show_bug.cgi?id=136031
1655
1656         Reviewed by Timothy Hatcher.
1657
1658         Rename TypeBuilder namespace to Protocol. Disambiguate where
1659         necessary. Also rename InspectorTypeBuilder to ProtocolTypes.
1660
1661         * CMakeLists.txt:
1662         * DerivedSources.make:
1663         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1664         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1665         * JavaScriptCore.vcxproj/copy-files.cmd:
1666         * JavaScriptCore.xcodeproj/project.pbxproj:
1667         * inspector/ConsoleMessage.cpp:
1668         (Inspector::messageSourceValue):
1669         (Inspector::messageTypeValue):
1670         (Inspector::messageLevelValue):
1671         (Inspector::ConsoleMessage::addToFrontend):
1672         * inspector/ContentSearchUtilities.cpp:
1673         (Inspector::ContentSearchUtilities::buildObjectForSearchMatch):
1674         (Inspector::ContentSearchUtilities::searchInTextByLines):
1675         * inspector/ContentSearchUtilities.h:
1676         * inspector/InjectedScript.cpp:
1677         (Inspector::InjectedScript::evaluate):
1678         (Inspector::InjectedScript::callFunctionOn):
1679         (Inspector::InjectedScript::evaluateOnCallFrame):
1680         (Inspector::InjectedScript::getFunctionDetails):
1681         (Inspector::InjectedScript::getProperties):
1682         (Inspector::InjectedScript::getInternalProperties):
1683         (Inspector::InjectedScript::wrapCallFrames):
1684         (Inspector::InjectedScript::wrapObject):
1685         (Inspector::InjectedScript::wrapTable):
1686         * inspector/InjectedScript.h:
1687         * inspector/InjectedScriptBase.cpp:
1688         (Inspector::InjectedScriptBase::makeEvalCall):
1689         * inspector/InjectedScriptBase.h:
1690         * inspector/InspectorTypeBuilder.h: Removed.
1691         * inspector/ScriptCallFrame.cpp:
1692         (Inspector::ScriptCallFrame::buildInspectorObject):
1693         * inspector/ScriptCallFrame.h:
1694         * inspector/ScriptCallStack.cpp:
1695         (Inspector::ScriptCallStack::buildInspectorArray):
1696         * inspector/ScriptCallStack.h:
1697         * inspector/agents/InspectorAgent.cpp:
1698         (Inspector::InspectorAgent::inspect):
1699         * inspector/agents/InspectorAgent.h:
1700         * inspector/agents/InspectorDebuggerAgent.cpp:
1701         (Inspector::breakpointActionTypeForString):
1702         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
1703         (Inspector::InspectorDebuggerAgent::setBreakpoint):
1704         (Inspector::InspectorDebuggerAgent::resolveBreakpoint):
1705         (Inspector::InspectorDebuggerAgent::searchInContent):
1706         (Inspector::InspectorDebuggerAgent::getFunctionDetails):
1707         (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
1708         (Inspector::InspectorDebuggerAgent::currentCallFrames):
1709         (Inspector::InspectorDebuggerAgent::didParseSource):
1710         (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
1711         * inspector/agents/InspectorDebuggerAgent.h:
1712         * inspector/agents/InspectorProfilerAgent.cpp:
1713         (Inspector::InspectorProfilerAgent::createProfileHeader):
1714         (Inspector::InspectorProfilerAgent::getProfileHeaders):
1715         (Inspector::buildInspectorObject):
1716         (Inspector::InspectorProfilerAgent::buildProfileInspectorObject):
1717         (Inspector::InspectorProfilerAgent::getCPUProfile):
1718         * inspector/agents/InspectorProfilerAgent.h:
1719         * inspector/agents/InspectorRuntimeAgent.cpp:
1720         (Inspector::buildErrorRangeObject):
1721         (Inspector::InspectorRuntimeAgent::parse):
1722         (Inspector::InspectorRuntimeAgent::evaluate):
1723         (Inspector::InspectorRuntimeAgent::callFunctionOn):
1724         (Inspector::InspectorRuntimeAgent::getProperties):
1725         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1726         * inspector/agents/InspectorRuntimeAgent.h:
1727         * inspector/scripts/codegen/__init__.py:
1728         * inspector/scripts/codegen/generate_backend_dispatcher_header.py:
1729         (BackendDispatcherHeaderGenerator.generate_output):
1730         * inspector/scripts/codegen/generate_backend_dispatcher_implementation.py:
1731         (BackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
1732         (BackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
1733         * inspector/scripts/codegen/generate_frontend_dispatcher_header.py:
1734         (FrontendDispatcherHeaderGenerator.generate_output):
1735         * inspector/scripts/codegen/generate_frontend_dispatcher_implementation.py:
1736         (FrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
1737         * inspector/scripts/codegen/generate_type_builder_header.py: Removed.
1738         * inspector/scripts/codegen/generate_type_builder_implementation.py: Removed.
1739         * inspector/scripts/codegen/generator.py:
1740         (Generator.protocol_type_string_for_type):
1741         (Generator.protocol_type_string_for_type_member):
1742         (Generator.type_string_for_type_with_name):
1743         (Generator.type_string_for_formal_out_parameter):
1744         (Generator.type_string_for_formal_async_parameter):
1745         (Generator.type_string_for_stack_in_parameter):
1746         (Generator.type_string_for_stack_out_parameter):
1747         (Generator.assertion_method_for_type_member.assertion_method_for_type):
1748         (Generator.assertion_method_for_type_member):
1749         (Generator.type_builder_string_for_type): Deleted.
1750         (Generator.type_builder_string_for_type_member): Deleted.
1751         * inspector/scripts/codegen/generator_templates.py:
1752         (Inspector):
1753         * inspector/scripts/generate-inspector-protocol-bindings.py:
1754         (generate_from_specification):
1755         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1756         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1757         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1758         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1759         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1760         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1761         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1762         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1763         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1764         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1765         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1766         * runtime/HighFidelityTypeProfiler.cpp:
1767         (JSC::HighFidelityTypeProfiler::getTypesForVariableAtOffsetForInspector):
1768         * runtime/HighFidelityTypeProfiler.h:
1769         * runtime/TypeSet.cpp:
1770         (JSC::TypeSet::allPrimitiveTypeNames):
1771         (JSC::TypeSet::allStructureRepresentations):
1772         (JSC::StructureShape::inspectorRepresentation):
1773         * runtime/TypeSet.h:
1774
1775 2014-08-24  Brian J. Burg  <burg@cs.washington.edu>
1776
1777         Web Inspector: Rename DOM.RGBA and remove workarounds in the bindings generator
1778         https://bugs.webkit.org/show_bug.cgi?id=136025
1779
1780         Reviewed by Joseph Pecoraro.
1781
1782         This workaround can be removed since it is no longer necessary.
1783
1784         * inspector/scripts/codegen/models.py:
1785         (TypeReference.__init__):
1786         (Type.raw_name):
1787         (TypeDeclaration.__init__):
1788         * inspector/scripts/tests/type-declaration-object-type.json: Remove related test input.
1789         * inspector/scripts/tests/expected/type-declaration-object-type.json-result: Rebaseline.
1790
1791 2014-08-23  Joseph Pecoraro  <pecoraro@apple.com>
1792
1793         Web Inspector: Do not copy large module source strings
1794         https://bugs.webkit.org/show_bug.cgi?id=136191
1795
1796         Reviewed by Benjamin Poulain.
1797
1798         * inspector/InjectedScriptManager.cpp:
1799         (Inspector::InjectedScriptManager::injectedScriptSource):
1800
1801 2014-08-21  Michael Saboff  <msaboff@apple.com>
1802
1803         REGRESSION(r163179): Sporadic crash in js/dom/line-column-numbers.html test
1804         https://bugs.webkit.org/show_bug.cgi?id=136111
1805
1806         Reviewed by Filip Pizlo.
1807
1808         The problem was that we weren't properly handling VM::topVMEntryFrame in two ways.
1809
1810         First in the case where we get an exception of a stack overflow during setup of the direct
1811         callee frame of a VM entry frame, we need to throw the exception in the caller's frame.
1812         This requires unrolling topVMEntryFrame while creating the exception object.  This is
1813         accomplished with the renamed NativeCallFrameTracerWithRestore object.  As part of this,
1814         split the JIT rollback exception handling to call a new helper,
1815         callLookupExceptionHandlerFromCallerFrame, which will unroll the callFrame and VMEntryFrame.
1816
1817         Second, when we unwind to find a handler, we also need to unwind topVMCallFrame for the
1818         case where we end up (re)throwing another exception after entering the catch block, but
1819         before another vmEntry call.  Added VM::vmEntryFrameForThrow as a way similar to
1820         VM::callFrameForThrow to pass the appropriate VMEntryFrame to the catch block.
1821
1822
1823         * dfg/DFGJITCompiler.cpp:
1824         (JSC::DFG::JITCompiler::compileExceptionHandlers):
1825         * ftl/FTLCompile.cpp:
1826         (JSC::FTL::fixFunctionBasedOnStackMaps):
1827         * jit/JIT.cpp:
1828         (JSC::JIT::privateCompileExceptionHandlers):
1829         Split out the unroll cases to use the new helper callLookupExceptionHandlerFromCallerFrame()
1830         to unwind both the callFrame and topVMEntryFrame.
1831
1832         * interpreter/Interpreter.cpp:
1833         (JSC::UnwindFunctor::UnwindFunctor):
1834         (JSC::UnwindFunctor::operator()):
1835         (JSC::Interpreter::unwind):
1836         * jit/JITExceptions.cpp:
1837         (JSC::genericUnwind):
1838         Added VMEntryFrame as another component to unwind.
1839
1840         * interpreter/Interpreter.h:
1841         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
1842         (JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore):
1843         (JSC::NativeCallFrameTracerWithRestore::~NativeCallFrameTracerWithRestore):
1844         Renamed and changed to save and restore topCallFrame and topVMEntryFrame around the setting of
1845         both values.
1846
1847         * interpreter/StackVisitor.cpp:
1848         (JSC::StackVisitor::gotoNextFrame):
1849         (JSC::StackVisitor::readNonInlinedFrame):
1850         * interpreter/StackVisitor.h:
1851         (JSC::StackVisitor::Frame::vmEntryFrame):
1852         Added code to unwind the VMEntryFrame.
1853
1854         * jit/CCallHelpers.h:
1855         (JSC::CCallHelpers::jumpToExceptionHandler): Updated comment to indicate that the value
1856         the handler should use for VM::topEntryFrame is in VM::vmEntryFrameForThrow.
1857
1858         * jit/JITOpcodes.cpp:
1859         (JSC::JIT::emit_op_catch):
1860         * jit/JITOpcodes32_64.cpp:
1861         (JSC::JIT::emit_op_catch):
1862         * llint/LowLevelInterpreter32_64.asm:
1863         * llint/LowLevelInterpreter64.asm:
1864         Added code to update VM::topVMEntryFrame from VM::vmEntryFrameForThrowOffset.
1865
1866         * jit/JITOperations.cpp:
1867         * jit/JITOperations.h:
1868         (JSC::operationThrowStackOverflowError):
1869         (JSC::operationCallArityCheck):
1870         (JSC::operationConstructArityCheck):
1871
1872         * runtime/VM.h:
1873         (JSC::VM::vmEntryFrameForThrowOffset):
1874         (JSC::VM::topVMEntryFrameOffset):
1875         Added as the side channel to return the topVMEntryFrame that the handler should use.
1876
1877 2014-08-22  Daniel Bates  <dabates@apple.com>
1878
1879         [iOS] Disable ENABLE_IOS_{GESTURE, TOUCH}_EVENTS, and temporarily disable ENABLE_TOUCH_EVENTS
1880         and ENABLE_XSLT when building with the iOS public SDK
1881         https://bugs.webkit.org/show_bug.cgi?id=135945
1882
1883         Reviewed by Andy Estes.
1884
1885         * Configurations/FeatureDefines.xcconfig:
1886
1887 2014-08-22  Jon Lee  <jonlee@apple.com>
1888
1889         Fix iOS build due to r172832 and move RUBBER_BANDING out of FeatureDefines.h
1890         https://bugs.webkit.org/show_bug.cgi?id=136157
1891
1892         Reviewed by Simon Fraser.
1893
1894         * Configurations/FeatureDefines.xcconfig: Add ENABLE(RUBBER_BANDING).
1895
1896 2014-08-21  Mark Lam  <mark.lam@apple.com>
1897
1898         r171362 accidentally increased the size of InlineCallFrame.
1899         <https://webkit.org/b/136141>
1900
1901         Reviewed by Filip Pizlo.
1902
1903         r171362 increased the size of InlineCallFrame::kind to 2 bits.  This increased
1904         the size of InlineCallFrame from 72 to 80 though not intentionally.  The fix
1905         is to reduce the size of InlineCallFrame::stackOffset to 29 bits.
1906
1907         Also added an assert to ensure that we never set a value that exceeds the size
1908         of InlineCallFrame::stackOffset.
1909
1910         * bytecode/CodeOrigin.h:
1911         (JSC::InlineCallFrame::setStackOffset):
1912         * dfg/DFGByteCodeParser.cpp:
1913         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1914
1915 2014-08-21  Joseph Pecoraro  <pecoraro@apple.com>
1916
1917         Web Inspector: RetainPtr misuse, CFRunLoopSource leak
1918         https://bugs.webkit.org/show_bug.cgi?id=136143
1919
1920         Reviewed by Timothy Hatcher.
1921
1922         Adopt a Create into the RetainPtr to avoid leaking.
1923
1924         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
1925         (Inspector::RemoteInspectorDebuggableConnection::setupRunLoop):
1926
1927 2014-08-21  Mark Lam  <mark.lam@apple.com>
1928
1929         REGRESSION(r172808): It made 6 different tests fail on 32 bit platforms.
1930         <https://webkit.org/b/136123>
1931
1932         Reviewed by Filip Pizlo.
1933
1934         The original patch in r172808 removed the code to skip the top scope in
1935         the 64-bit port of JIT::emitResolveClosure() but not in the 32-bit port.
1936         This patch fixes that and achieves parity.
1937
1938         * jit/JITPropertyAccess32_64.cpp:
1939         (JSC::JIT::emitResolveClosure):
1940
1941 2014-08-21  Zalan Bujtas  <zalan@apple.com>
1942
1943         Enable SATURATED_LAYOUT_ARITHMETIC.
1944         https://bugs.webkit.org/show_bug.cgi?id=136106
1945
1946         Reviewed by Simon Fraser.
1947
1948         SATURATED_LAYOUT_ARITHMETIC protects LayoutUnit against arithmetic overflow.
1949         (No measurable performance regression on Mac.)
1950
1951         * Configurations/FeatureDefines.xcconfig:
1952
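        The following is an added example, not WebKit's LayoutUnit: a minimal fixed-point layout type whose arithmetic saturates instead of wrapping, to show what SATURATED_LAYOUT_ARITHMETIC protects against. The 1/64 fixed-point scale, the class shape and the names are assumptions made for the example.

```cpp
// Added example, not WebKit's LayoutUnit: a minimal fixed-point layout type whose
// arithmetic saturates instead of wrapping, to show what SATURATED_LAYOUT_ARITHMETIC
// buys. The 1/64 fixed-point scale and the class shape are assumptions.
#include <cstdint>
#include <limits>

namespace demo {

constexpr int32_t kMaxRaw = std::numeric_limits<int32_t>::max();
constexpr int32_t kMinRaw = std::numeric_limits<int32_t>::min();

// Clamp a 64-bit intermediate into the int32 range.
inline int32_t clampToInt32(int64_t v)
{
    if (v > kMaxRaw)
        return kMaxRaw;
    if (v < kMinRaw)
        return kMinRaw;
    return static_cast<int32_t>(v);
}

// Saturating add: the 64-bit sum cannot overflow, so clamping is exact.
inline int32_t saturatedAdd(int32_t a, int32_t b)
{
    return clampToInt32(static_cast<int64_t>(a) + b);
}

inline int32_t saturatedSub(int32_t a, int32_t b)
{
    return clampToInt32(static_cast<int64_t>(a) - b);
}

// Wrapping add, for contrast: signed overflow is undefined behaviour in C++, so
// the wrap is computed in unsigned arithmetic where it is well defined.
inline int32_t wrappingAdd(int32_t a, int32_t b)
{
    return static_cast<int32_t>(static_cast<uint32_t>(a) + static_cast<uint32_t>(b));
}

class LayoutUnit {
public:
    static constexpr int kFixedPointDenominator = 64; // assumed 1/64 px resolution

    static LayoutUnit fromRaw(int32_t raw) { LayoutUnit u; u.m_value = raw; return u; }

    // Converting a pixel count also saturates, so huge inputs cannot wrap here either.
    static LayoutUnit fromInt(int32_t pixels)
    {
        return fromRaw(clampToInt32(static_cast<int64_t>(pixels) * kFixedPointDenominator));
    }

    LayoutUnit operator+(LayoutUnit other) const { return fromRaw(saturatedAdd(m_value, other.m_value)); }
    LayoutUnit operator-(LayoutUnit other) const { return fromRaw(saturatedSub(m_value, other.m_value)); }

    int32_t rawValue() const { return m_value; }
    int32_t toInt() const { return m_value / kFixedPointDenominator; }

private:
    int32_t m_value = 0;
};

} // namespace demo
```

        The point of the contrast is that a wrapped layout value flips sign and becomes a small or negative size that later code may use for allocation or indexing, whereas a saturated value stays at the clamp and degrades gracefully.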
1953 2014-08-20  Saam Barati  <sbarati@apple.com>
1954
1955         Fix how CodeBlock dumps the opcode op_profile_type
1956         https://bugs.webkit.org/show_bug.cgi?id=136088
1957
1958         Reviewed by Filip Pizlo.
1959
1960         op_profile_type was modified to receive two extra arguments,
1961         but its dump in CodeBlock::dumpBytecode wasn't changed to 
1962         account for this, so it broke CodeBlock::dumpBytecode when
1963         op_profile_type was in the stream of bytecode instructions.
1964         CodeBlock::dumpBytecode now accounts for the change in 
1965         op_profile_type's arity.
1966
1967         * bytecode/CodeBlock.cpp:
1968         (JSC::CodeBlock::dumpBytecode):
1969
1970 2014-08-20  Saam Barati  <sbarati@apple.com>
1971
1972         Rename HighFidelityTypeProfiling variables for more clarity
1973         https://bugs.webkit.org/show_bug.cgi?id=135899
1974
1975         Reviewed by Geoffrey Garen.
1976
1977         Many names that are used in the type profiling infrastructure
1978         prefix themselves with "HighFidelity" or include the words "high"
1979         and/or "fidelity" in some way. But the words "high" and "fidelity" don't 
1980         add anything descriptive to the names surrounding type profiling. 
1981         So this patch removes all uses of "HighFidelity" and its variants.
1982
1983         Most renamings change "HighFidelity*" to "TypeProfiler*" or simply 
1984         drop the prefix "HighFidelity" altogether. Now, almost all names
1985         in relation to type profiling contain in them "TypeProfiler" or 
1986         "TypeProfiling" or some combination of the words "type" and "profile".
1987
1988         This patch also changes how we check if type profiling is enabled:
1989         We no longer call vm::isProfilingTypesWithHighFidelity. We now just 
1990         check that vm::typeProfiler is not null.
1991
1992         This patch also changes all calls to TypeProfilerLog::processLogEntries
1993         to use ASCIILiteral to form WTFStrings instead of vanilla C string literals.
1994
1995         * CMakeLists.txt:
1996         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1997         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1998         * JavaScriptCore.xcodeproj/project.pbxproj:
1999         * bytecode/BytecodeList.json:
2000         * bytecode/BytecodeUseDef.h:
2001         (JSC::computeUsesForBytecodeOffset):
2002         (JSC::computeDefsForBytecodeOffset):
2003         * bytecode/CodeBlock.cpp:
2004         (JSC::CodeBlock::dumpBytecode):
2005         (JSC::CodeBlock::CodeBlock):
2006         * bytecode/TypeLocation.h:
2007         * bytecode/UnlinkedCodeBlock.cpp:
2008         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2009         (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset):
2010         (JSC::UnlinkedCodeBlock::addTypeProfilerExpressionInfo):
2011         (JSC::UnlinkedCodeBlock::highFidelityTypeProfileExpressionInfoForBytecodeOffset): Deleted.
2012         (JSC::UnlinkedCodeBlock::addHighFidelityTypeProfileExpressionInfo): Deleted.
2013         * bytecode/UnlinkedCodeBlock.h:
2014         (JSC::UnlinkedFunctionExecutable::typeProfilingStartOffset):
2015         (JSC::UnlinkedFunctionExecutable::typeProfilingEndOffset):
2016         (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingStartOffset): Deleted.
2017         (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingEndOffset): Deleted.
2018         * bytecompiler/BytecodeGenerator.cpp:
2019         (JSC::BytecodeGenerator::generate):
2020         (JSC::BytecodeGenerator::BytecodeGenerator):
2021         (JSC::BytecodeGenerator::emitMove):
2022         (JSC::BytecodeGenerator::emitTypeProfilerExpressionInfo):
2023         (JSC::BytecodeGenerator::emitProfileType):
2024         (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo): Deleted.
2025         (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity): Deleted.
2026         * bytecompiler/BytecodeGenerator.h:
2027         (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity): Deleted.
2028         * bytecompiler/NodesCodegen.cpp:
2029         (JSC::ThisNode::emitBytecode):
2030         (JSC::ResolveNode::emitBytecode):
2031         (JSC::BracketAccessorNode::emitBytecode):
2032         (JSC::DotAccessorNode::emitBytecode):
2033         (JSC::FunctionCallValueNode::emitBytecode):
2034         (JSC::FunctionCallResolveNode::emitBytecode):
2035         (JSC::FunctionCallBracketNode::emitBytecode):
2036         (JSC::FunctionCallDotNode::emitBytecode):
2037         (JSC::CallFunctionCallDotNode::emitBytecode):
2038         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2039         (JSC::PostfixNode::emitResolve):
2040         (JSC::PostfixNode::emitBracket):
2041         (JSC::PostfixNode::emitDot):
2042         (JSC::PrefixNode::emitResolve):
2043         (JSC::PrefixNode::emitBracket):
2044         (JSC::PrefixNode::emitDot):
2045         (JSC::ReadModifyResolveNode::emitBytecode):
2046         (JSC::AssignResolveNode::emitBytecode):
2047         (JSC::AssignDotNode::emitBytecode):
2048         (JSC::ReadModifyDotNode::emitBytecode):
2049         (JSC::AssignBracketNode::emitBytecode):
2050         (JSC::ReadModifyBracketNode::emitBytecode):
2051         (JSC::ConstDeclNode::emitCodeSingle):
2052         (JSC::EmptyVarExpression::emitBytecode):
2053         (JSC::ReturnNode::emitBytecode):
2054         (JSC::FunctionBodyNode::emitBytecode):
2055         * heap/Heap.cpp:
2056         (JSC::Heap::collect):
2057         * inspector/agents/InspectorRuntimeAgent.cpp:
2058         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
2059         (Inspector::recompileAllJSFunctionsForTypeProfiling):
2060         (Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend):
2061         (Inspector::InspectorRuntimeAgent::enableTypeProfiler):
2062         (Inspector::InspectorRuntimeAgent::disableTypeProfiler):
2063         (Inspector::InspectorRuntimeAgent::setTypeProfilerEnabledState):
2064         (Inspector::InspectorRuntimeAgent::enableHighFidelityTypeProfiling): Deleted.
2065         (Inspector::InspectorRuntimeAgent::disableHighFidelityTypeProfiling): Deleted.
2066         (Inspector::InspectorRuntimeAgent::setHighFidelityTypeProfilingEnabledState): Deleted.
2067         * inspector/agents/InspectorRuntimeAgent.h:
2068         * inspector/protocol/Runtime.json:
2069         * jit/JIT.cpp:
2070         (JSC::JIT::privateCompileMainPass):
2071         (JSC::JIT::privateCompile):
2072         * jit/JIT.h:
2073         * jit/JITOpcodes.cpp:
2074         (JSC::JIT::emit_op_profile_type):
2075         (JSC::JIT::emit_op_profile_types_with_high_fidelity): Deleted.
2076         * jit/JITOpcodes32_64.cpp:
2077         (JSC::JIT::emit_op_profile_type):
2078         (JSC::JIT::emit_op_profile_types_with_high_fidelity): Deleted.
2079         * jit/JITOperations.cpp:
2080         * jsc.cpp:
2081         (functionDumpTypesForAllVariables):
2082         * llint/LLIntSlowPaths.cpp:
2083         * llint/LowLevelInterpreter.asm:
2084         * runtime/CodeCache.cpp:
2085         (JSC::CodeCache::getGlobalCodeBlock):
2086         * runtime/CommonSlowPaths.cpp:
2087         (JSC::SLOW_PATH_DECL):
2088         * runtime/CommonSlowPaths.h:
2089         * runtime/Executable.cpp:
2090         (JSC::ScriptExecutable::ScriptExecutable):
2091         (JSC::ProgramExecutable::ProgramExecutable):
2092         (JSC::FunctionExecutable::FunctionExecutable):
2093         (JSC::ProgramExecutable::initializeGlobalProperties):
2094         * runtime/Executable.h:
2095         (JSC::ScriptExecutable::typeProfilingStartOffset):
2096         (JSC::ScriptExecutable::typeProfilingEndOffset):
2097         (JSC::ScriptExecutable::highFidelityTypeProfilingStartOffset): Deleted.
2098         (JSC::ScriptExecutable::highFidelityTypeProfilingEndOffset): Deleted.
2099         * runtime/HighFidelityLog.cpp: Removed.
2100         * runtime/HighFidelityLog.h: Removed.
2101         * runtime/HighFidelityTypeProfiler.cpp: Removed.
2102         * runtime/HighFidelityTypeProfiler.h: Removed.
2103         * runtime/Options.h:
2104         * runtime/SymbolTable.cpp:
2105         (JSC::SymbolTable::prepareForTypeProfiling):
2106         (JSC::SymbolTable::uniqueIDForVariable):
2107         (JSC::SymbolTable::uniqueIDForRegister):
2108         (JSC::SymbolTable::prepareForHighFidelityTypeProfiling): Deleted.
2109         * runtime/SymbolTable.h:
2110         * runtime/TypeProfiler.cpp: Added.
2111         (JSC::TypeProfiler::logTypesForTypeLocation):
2112         (JSC::TypeProfiler::insertNewLocation):
2113         (JSC::TypeProfiler::getTypesForVariableAtOffsetForInspector):
2114         (JSC::descriptorMatchesTypeLocation):
2115         (JSC::TypeProfiler::findLocation):
2116         * runtime/TypeProfiler.h: Added.
2117         (JSC::QueryKey::QueryKey):
2118         (JSC::QueryKey::isHashTableDeletedValue):
2119         (JSC::QueryKey::operator==):
2120         (JSC::QueryKey::hash):
2121         (JSC::QueryKeyHash::hash):
2122         (JSC::QueryKeyHash::equal):
2123         (JSC::TypeProfiler::functionHasExecutedCache):
2124         (JSC::TypeProfiler::typeLocationCache):
2125         * runtime/TypeProfilerLog.cpp: Added.
2126         (JSC::TypeProfilerLog::initializeLog):
2127         (JSC::TypeProfilerLog::~TypeProfilerLog):
2128         (JSC::TypeProfilerLog::processLogEntries):
2129         * runtime/TypeProfilerLog.h: Added.
2130         (JSC::TypeProfilerLog::LogEntry::structureIDOffset):
2131         (JSC::TypeProfilerLog::LogEntry::valueOffset):
2132         (JSC::TypeProfilerLog::LogEntry::locationOffset):
2133         (JSC::TypeProfilerLog::TypeProfilerLog):
2134         (JSC::TypeProfilerLog::recordTypeInformationForLocation):
2135         (JSC::TypeProfilerLog::logEndPtr):
2136         (JSC::TypeProfilerLog::logStartOffset):
2137         (JSC::TypeProfilerLog::currentLogEntryOffset):
2138         * runtime/VM.cpp:
2139         (JSC::VM::VM):
2140         (JSC::VM::enableTypeProfiler):
2141         (JSC::VM::disableTypeProfiler):
2142         (JSC::VM::dumpTypeProfilerData):
2143         (JSC::VM::enableHighFidelityTypeProfiling): Deleted.
2144         (JSC::VM::disableHighFidelityTypeProfiling): Deleted.
2145         (JSC::VM::dumpHighFidelityProfilingTypes): Deleted.
2146         * runtime/VM.h:
2147         (JSC::VM::typeProfilerLog):
2148         (JSC::VM::typeProfiler):
2149         (JSC::VM::isProfilingTypesWithHighFidelity): Deleted.
2150         (JSC::VM::highFidelityLog): Deleted.
2151         (JSC::VM::highFidelityTypeProfiler): Deleted.
2152
2153 2014-08-20  Csaba Osztrogonác  <ossy@webkit.org>
2154
2155         URTBF after r172799.
2156
2157         * disassembler/ARM64/A64DOpcode.cpp:
2158         * disassembler/ARM64Disassembler.cpp:
2159
2160 2014-08-20  Oliver Hunt  <oliver@apple.com>
2161
2162         Stop implicitly skipping a function's own activation when walking the scope chain
2163         https://bugs.webkit.org/show_bug.cgi?id=136118
2164
2165         Reviewed by Geoffrey Garen.
2166
2167         Remove the current logic that implicitly skips a function's
2168         own activation when walking the scope chain. This is ground
2169         work for ensuring that all closed variable access is made
2170         through the function's activation. This leads to a further
2171         10% regression on earley, but we're already tracking the
2172         overall performance regression.
2173
2174         * bytecode/CodeBlock.cpp:
2175         (JSC::CodeBlock::CodeBlock):
2176         * dfg/DFGAbstractInterpreterInlines.h:
2177         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2178         * dfg/DFGByteCodeParser.cpp:
2179         (JSC::DFG::ByteCodeParser::getScope):
2180         (JSC::DFG::ByteCodeParser::parseBlock):
2181         * dfg/DFGClobberize.h:
2182         (JSC::DFG::clobberize):
2183         * dfg/DFGDoesGC.cpp:
2184         (JSC::DFG::doesGC):
2185         * dfg/DFGFixupPhase.cpp:
2186         (JSC::DFG::FixupPhase::fixupNode):
2187         * dfg/DFGHeapLocation.cpp:
2188         (WTF::printInternal):
2189         * dfg/DFGHeapLocation.h:
2190         * dfg/DFGNodeType.h:
2191         * dfg/DFGPredictionPropagationPhase.cpp:
2192         (JSC::DFG::PredictionPropagationPhase::propagate):
2193         * dfg/DFGSafeToExecute.h:
2194         (JSC::DFG::safeToExecute):
2195         * dfg/DFGSpeculativeJIT32_64.cpp:
2196         (JSC::DFG::SpeculativeJIT::compile):
2197         * dfg/DFGSpeculativeJIT64.cpp:
2198         (JSC::DFG::SpeculativeJIT::compile):
2199         * jit/JITPropertyAccess.cpp:
2200         (JSC::JIT::emitResolveClosure):
2201         * llint/LowLevelInterpreter32_64.asm:
2202         * llint/LowLevelInterpreter64.asm:
2203         * runtime/JSScope.cpp:
2204         (JSC::JSScope::abstractResolve):
2205         * runtime/JSScope.h:
2206
2207 2014-08-20  Michael Saboff  <msaboff@apple.com>
2208
2209         REGRESSION: Web Inspector crashes when reloading apple.com with Timeline recording active
2210         https://bugs.webkit.org/show_bug.cgi?id=136034
2211
2212         Reviewed by Mark Lam.
2213
2214         DebuggerCallFrame::positionForCallFrame is trying to unwind starting somewhere in the middle
2215         of the stack.  Hardened StackVisitor to skip over the frames between the current top frame
2216         and the requested start frame.
2217
2218         * interpreter/StackVisitor.cpp:
2219         (JSC::StackVisitor::StackVisitor):
2220
2221 2014-08-20  Brent Fulgham  <bfulgham@apple.com>
2222
2223         [Win] JavaScriptCore.dll is missing version information.
2224         https://bugs.webkit.org/show_bug.cgi?id=136105
2225         <rdar://problem/18075852>
2226
2227         Reviewed by Dean Jackson.
2228
2229         * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd: Add missing step to generate
2230         version information for intermediary build path.
2231
2232 2014-08-20  Saam Barati  <sbarati@apple.com>
2233
2234         Fix a memory leak in TypeSet
2235         https://bugs.webkit.org/show_bug.cgi?id=135913
2236
2237         Reviewed by Filip Pizlo.
2238
2239         Currently, TypeSet unconditionally allocates memory for its member
2240         variable m_structureHistory, but never deallocates it. Change this 
2241         from being a pointer that is unconditionally allocated to a member 
2242         variable that will be deallocated when TypeSet itself is deallocated.
2243
2244         * runtime/TypeSet.cpp:
2245         (JSC::TypeSet::TypeSet):
2246         (JSC::TypeSet::addTypeInformation):
2247         (JSC::TypeSet::seenTypes):
2248         (JSC::TypeSet::displayName):
2249         (JSC::TypeSet::allStructureRepresentations):
2250         (JSC::StructureShape::leastCommonAncestor):
2251         * runtime/TypeSet.h:
2252
2253 2014-08-20  peavo@outlook.com  <peavo@outlook.com>
2254
2255         [Win] Assertion fails when running JSC stress tests.
2256         https://bugs.webkit.org/show_bug.cgi?id=136103
2257
2258         Reviewed by Darin Adler.
2259
2260         Use unsigned bitfield member instead of enum bitfield member to avoid negative values.
2261
2262         * bytecode/CodeOrigin.h: Use unsigned bitfield member.
2263         (JSC::InlineCallFrame::specializationKind): Compile fix.
2264
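        The following is an added example, not WebKit's InlineCallFrame code; it illustrates both this entry (an enum-typed bit-field reading back negative on a compiler that gives the enum a signed underlying type) and the r171362 size-fix entry above (narrow packed fields plus a range check on the value stored). The 2-bit kind / 1-bit flag / 29-bit offset layout, the Kind enumerators and the function names are assumptions for the example.

```cpp
// Added example, not WebKit's InlineCallFrame: why an enum-typed bit-field can read
// back as a negative number, and a range-checked setter for a narrow packed offset.
// The 2-bit kind / 1-bit flag / 29-bit offset layout is a simplified model only.
#include <cstdint>

namespace demo {

enum Kind { KindA = 0, KindB = 1, KindC = 2 };

// Buggy layout: a compiler that gives the enum a signed underlying type (as MSVC
// does) stores it as a signed 2-bit field, whose range is only -2..1. Modelled with
// explicit "signed int" storage so the effect is the same on every compiler.
struct SignedKindField {
    signed int kind : 2;
};

// Fixed layout: an unsigned 2-bit field holds 0..3, so every Kind value round-trips.
struct UnsignedKindField {
    unsigned kind : 2;
};

int readBackSigned(Kind k)
{
    SignedKindField f;
    f.kind = k;   // KindC (2) does not fit in -2..1 and reads back as -2 on GCC/Clang
    return f.kind;
}

int readBackUnsigned(Kind k)
{
    UnsignedKindField f;
    f.kind = k;
    return f.kind;
}

// Packed frame record: 2 + 1 + 29 bits share one 32-bit word, so widening one
// field has to come out of another or the struct grows.
struct PackedFrame {
    unsigned kind : 2;
    unsigned isClosureCall : 1;   // assumed extra flag, just to fill the word
    signed int stackOffset : 29;  // assumed width: representable range -2^28..2^28-1

    static constexpr int32_t maxStackOffset = (1 << 28) - 1;
    static constexpr int32_t minStackOffset = -(1 << 28);

    // Returns false instead of silently truncating; a debug build would ASSERT here.
    bool setStackOffset(int32_t offset)
    {
        if (offset < minStackOffset || offset > maxStackOffset)
            return false;
        stackOffset = offset;
        return true;
    }
};

// Exercise the setter on an in-range and an out-of-range value.
bool setterRejectsOutOfRange()
{
    PackedFrame f{};
    return f.setStackOffset(123) && f.stackOffset == 123 && !f.setStackOffset(1 << 28);
}

} // namespace demo
```

        Whether a plain enum bit-field is signed is implementation-defined, which is why the original failure was Windows-only; declaring the storage unsigned removes the dependence on the compiler's choice.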
2265 2014-08-20  Akos Kiss  <akiss@inf.u-szeged.hu>
2266
2267         Enable ARM64 disassembler on EFL
2268         https://bugs.webkit.org/show_bug.cgi?id=136089
2269
2270         Reviewed by Filip Pizlo.
2271
2272         * CMakeLists.txt:
2273         Added disassembler/ARM64Disassembler.cpp and
2274         disassembler/ARM64/A64DOpcode.cpp to JavaScriptCore_SOURCES.
2275
2276         * disassembler/ARM64/A64DOpcode.cpp:
2277         Added USE(ARM64_DISASSEMBLER) guard around implementation.
2278
2279         * disassembler/ARM64/A64DOpcode.h:
2280         (JSC::ARM64Disassembler::A64DOpcode::appendUnsignedImmediate64):
2281         (JSC::ARM64Disassembler::A64DOpcode::appendPCRelativeOffset):
2282         Made format strings portable by changing "%llx" to "%" PRIx64 for
2283         uint64_t arguments.
2284
2285 2014-08-19  Filip Pizlo  <fpizlo@apple.com>
2286
2287         REGRESSION(r172401): for-in optimization no longer works at all
2288         https://bugs.webkit.org/show_bug.cgi?id=136056
2289
2290         Reviewed by Geoffrey Garen.
2291         
2292         Roll this back in, along with a fix to make proxies work. Previously, for-in over proxies
2293         would instacrash every time.
2294
2295         * bytecompiler/BytecodeGenerator.cpp:
2296         (JSC::BytecodeGenerator::emitGetByVal):
2297         (JSC::BytecodeGenerator::pushIndexedForInScope):
2298         (JSC::BytecodeGenerator::pushStructureForInScope):
2299         * bytecompiler/BytecodeGenerator.h:
2300         (JSC::ForInContext::ForInContext):
2301         (JSC::StructureForInContext::StructureForInContext):
2302         (JSC::IndexedForInContext::IndexedForInContext):
2303         (JSC::ForInContext::base): Deleted.
2304         * bytecompiler/NodesCodegen.cpp:
2305         (JSC::ForInNode::emitMultiLoopBytecode):
2306         * runtime/JSProxy.cpp:
2307         (JSC::JSProxy::getStructurePropertyNames):
2308         (JSC::JSProxy::getGenericPropertyNames):
2309         * tests/stress/for-in-base-reassigned-later-and-change-structure.js: Added.
2310         (foo):
2311         * tests/stress/for-in-base-reassigned-later.js: Added.
2312         (foo):
2313         * tests/stress/for-in-base-reassigned.js: Added.
2314         (foo):
2315         * tests/stress/for-in-proxy-target-changed-structure.js: Added.
2316         (deleteAll):
2317         (foo):
2318         * tests/stress/for-in-proxy.js: Added.
2319         (foo):
2320
2321 2014-08-19  Jaehun Lim  <ljaehun.lim@samsung.com>
2322
2323         Unreviewed, fix EFL build after r17275
2324
2325         Fix error: ignoring #pragma clang diagnostic [-Werror=unknown-pragmas]
2326
2327         * runtime/JSDataViewPrototype.cpp:
2328         Add #if COMPILER(CLANG) and #endif.
2329
2330 2014-08-19  Michael Saboff  <msaboff@apple.com>
2331
2332         Crash in jsc-layout-tests.yaml/js/script-tests/reentrant-caching.js
2333         https://bugs.webkit.org/show_bug.cgi?id=136080
2334
2335         Reviewed by Mark Lam.
2336
2337         Update VM::topVMEntryFrame via NativeCallFrameTracer() when we pass the caller's frame
2338         to NativeCallFrameTracer() as the callee's frame may be the first callee from an entry
2339         frame.  In that case, the caller will have the prior VM entry frame.
2340
2341         The new NativeCallFrameTracer with a VMEntryFrame parameter should be used when throwing
2342         an exception from a caller frame.  The value to use for the VMEntryFrame should be a
2343         value possibly modified by CallFrame::callerFrame(&*VMEntryFrame) used to find the caller.
2344
2345         * interpreter/Interpreter.h:
2346         (JSC::NativeCallFrameTracer::NativeCallFrameTracer): Added a new constructor that takes a
2347         VMEntryFrame.  Added an ASSERT to both constructors to check that the updated topCallFrame
2348         is below the current vmEntryFrame.
2349
2350         * jit/JITOperations.cpp:
2351         (JSC::operationThrowStackOverflowError):
2352         (JSC::operationCallArityCheck):
2353         (JSC::operationConstructArityCheck):
2354         Set VM::topVMEntryFrame to the possibly updated VMEntryFrame after getting the caller's frame.
2355
2356 2014-08-19  Andy Estes  <aestes@apple.com>
2357
2358         [Cocoa] Offline Assembler build phase fails when $BUILT_PRODUCTS_DIR contains spaces
2359         https://bugs.webkit.org/show_bug.cgi?id=136086
2360
2361         Reviewed by Filip Pizlo.
2362
2363         Enclosed arguments to asm.rb containing $BUILT_PRODUCTS_DIR in double quotes so that they don't get split on
2364         whitespace. Also let Xcode have its way with an unrelated part of the project file.
2365
2366         * JavaScriptCore.xcodeproj/project.pbxproj:
2367
2368 2014-08-19  Filip Pizlo  <fpizlo@apple.com>
2369
2370         LLInt build should be way faster
2371         https://bugs.webkit.org/show_bug.cgi?id=136085
2372
2373         Reviewed by Geoffrey Garen.
2374         
2375         This does three things to improve the LLInt build performance. One of them is only for
2376         Xcode for now while the others should benefit all platforms:
2377         
2378         - Don't exponentially build settings combinations that correspond to being on two backends
2379           simultaneously. This is by far the biggest win.
2380         
2381         - Don't generate offset extraction code for backends that aren't supported by the current
2382           port. This currently only works on Xcode-based ports. This is a relatively small win.
2383         
2384         - Remove the ALWAYS_ALLOCATE_SLOW option. Each option increases build time, and we haven't
2385           used this one in a long time. Anyway, setting this option could be emulated by just
2386           directly hacking the code.
2387         
2388         This is an enormous speed-up in the LLInt build.
2389
2390         * JavaScriptCore.xcodeproj/project.pbxproj: Prune the set of backends that we should consider on Xcode-based platforms.
2391         * llint/LLIntOfflineAsmConfig.h: Remove ALWAYS_ALLOCATE_SLOW
2392         * llint/LowLevelInterpreter.asm: Remove ALWAYS_ALLOCATE_SLOW
2393         * offlineasm/backends.rb: Add infrastructure for reasoning about valid backends.
2394         * offlineasm/generate_offset_extractor.rb: Allow the client to specify a filtered set of valid backends.
2395         * offlineasm/settings.rb: Improve the construction of settings combinations so that it doesn't traverse the enormous set of obviously invalid multi-backend combinations. Also glue into support for valid backends.
2396
2397 2014-08-19  Filip Pizlo  <fpizlo@apple.com>
2398
2399         Fix indentation and style in LowLevelInterpreter.asm
2400         https://bugs.webkit.org/show_bug.cgi?id=136083
2401
2402         Reviewed by Mark Lam.
2403
2404         * llint/LowLevelInterpreter.asm:
2405
2406 2014-08-19  Magnus Granberg  <zorry@gentoo.org>
2407
2408         TEXTREL in libjavascriptcoregtk-1.0.so.0.11.0 on x86 (or i586)
2409         https://bugs.webkit.org/show_bug.cgi?id=70610
2410
2411         Reviewed by Darin Adler.
2412
2413         Set up %ebx so we can use the plt.
2414
2415         * jit/ThunkGenerators.cpp:
2416
2417 2014-08-19  Zalan Bujtas  <zalan@apple.com>
2418
2419         Remove ENABLE(SUBPIXEL_LAYOUT).
2420         https://bugs.webkit.org/show_bug.cgi?id=136077
2421
2422         Reviewed by Simon Fraser.
2423
2424         Remove compile time flag SUBPIXEL_LAYOUT. All ports have had it enabled for a while now.
2425
2426         * Configurations/FeatureDefines.xcconfig:
2427
2428 2014-08-19  Alex Christensen  <achristensen@webkit.org>
2429
2430         [CMake] Generate LLInt assembly correctly on Windows.
2431         https://bugs.webkit.org/show_bug.cgi?id=135888
2432
2433         Reviewed by Oliver Hunt.
2434
2435         * CMakeLists.txt:
2436         Generate LowLevelInterpreterWin.asm instead of LLIntAssembly.h on Windows like the existing build system.
2437         * PlatformWin.cmake:
2438         Don't build JSGlobalObjectInspectorController.cpp on Windows.
2439         * offlineasm/x86.rb:
2440         Detect non-cygwin ruby installations correctly.
2441
2442 2014-08-19  Michael Saboff  <msaboff@apple.com>
2443
2444         REGRESSION(r163179): It broke the build on ARM Thumb2 with GCC
2445         https://bugs.webkit.org/show_bug.cgi?id=136028
2446
2447         Reviewed by Oliver Hunt.
2448
2449         Added back ARMv7 conditionals around three op addp and subp since ARM Thumb2 spec says that
2450         the behavior for those ops is undefined.  This was originally done in changeset 163179.
2451
2452         * llint/LowLevelInterpreter32_64.asm:
2453
2454 2014-08-18  Commit Queue  <commit-queue@webkit.org>
2455
2456         Unreviewed, rolling out r172741.
2457         https://bugs.webkit.org/show_bug.cgi?id=136058
2458
2459         This change is breaking PLT. (Requested by mlam on #webkit).
2460
2461         Reverted changeset:
2462
2463         "REGRESSION(r172401): for-in optimization no longer works at
2464         all"
2465         https://bugs.webkit.org/show_bug.cgi?id=136056
2466         http://trac.webkit.org/changeset/172741
2467
2468 2014-08-18  Filip Pizlo  <fpizlo@apple.com>
2469
2470         REGRESSION(r172401): for-in optimization no longer works at all
2471         https://bugs.webkit.org/show_bug.cgi?id=136056
2472
2473         Reviewed by Mark Hahnenberg.
2474         
2475         This is a partial roll-out of r172401. It turns out that the fix wasn't actually fixing a
2476         real bug (since it's fine to use op_get_direct_pname on the wrong base because it has a
2477         structure check) and it was actually breaking the entire for-in optimization (since there is
2478         no way that we can statically prove that the base matches, because the base we see is a
2479         newly created temporary, and anyway doing it right would be really hard in our bytecode
2480         because it's 3AC form).
2481         
2482         But, I added a new test for the problem, and kept the original test. Both the old test and
2483         the new test prove that r172401 wasn't fixing what it thought it was fixing. To the extent
2484         that it resolved crashes it was because it just disabled the for-in optimization entirely.
2485
2486         * bytecompiler/BytecodeGenerator.cpp:
2487         (JSC::BytecodeGenerator::emitGetByVal):
2488         (JSC::BytecodeGenerator::pushIndexedForInScope):
2489         (JSC::BytecodeGenerator::pushStructureForInScope):
2490         * bytecompiler/BytecodeGenerator.h:
2491         (JSC::ForInContext::ForInContext):
2492         (JSC::StructureForInContext::StructureForInContext):
2493         (JSC::IndexedForInContext::IndexedForInContext):
2494         (JSC::ForInContext::base): Deleted.
2495         * bytecompiler/NodesCodegen.cpp:
2496         (JSC::ForInNode::emitMultiLoopBytecode):
2497         * tests/stress/for-in-base-reassigned.js: Added.
2498         * tests/stress/for-in-base-reassigned-later.js: Added.
2499         * tests/stress/for-in-base-reassigned-later-and-change-structure.js: Added.
2500
2501 2014-08-18  Mark Lam  <mark.lam@apple.com>
2502
2503         Gardening: build fix for non-Mac builds after r172737.
2504         https://bugs.webkit.org/show_bug.cgi?id=135750
2505
2506         Not reviewed.
2507
2508         * CMakeLists.txt:
2509         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2510         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2511
2512 2014-08-18  Filip Pizlo  <fpizlo@apple.com>
2513
2514         REGRESSION(r172129): ftlopt branch merge made performance tests flakey crash
2515         https://bugs.webkit.org/show_bug.cgi?id=135750
2516
2517         Reviewed by Mark Lam.
2518         
2519         This was caused by a rather embarrassing oversight in how the DFG tracks structures: we
2520         could sometimes perform an optimization that requires a structure to be alive but forget to
2521         ensure that the structure is actually kept alive. In particular, any watchpoint-based
2522         optimizations involve setting watchpoints even if the code that got optimized is eventually
2523         deleted because it is unreachable. All such optimizations would leave behind something in
2524         the IR to tell us that we are interested in the structure and that therefore it should be
2525         kept alive. But, IR can be deleted if it is unreachable.
2526         
2527         The solution is to ensure that as soon as the DFG is made aware of a structure, it adds it
2528         to the set of weak references.
2529
2530         * JavaScriptCore.xcodeproj/project.pbxproj:
2531         * dfg/DFGAbstractInterpreterInlines.h:
2532         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2533         * dfg/DFGAbstractValue.cpp:
2534         (JSC::DFG::AbstractValue::setOSREntryValue):
2535         (JSC::DFG::AbstractValue::set):
2536         (JSC::DFG::AbstractValue::normalizeClarity):
2537         (JSC::DFG::AbstractValue::assertIsRegistered):
2538         (JSC::DFG::AbstractValue::assertIsWatched): Deleted.
2539         * dfg/DFGAbstractValue.h:
2540         (JSC::DFG::AbstractValue::assertIsRegistered):
2541         (JSC::DFG::AbstractValue::assertIsWatched): Deleted.
2542         * dfg/DFGCommon.h:
2543         * dfg/DFGConstantFoldingPhase.cpp:
2544         (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
2545         * dfg/DFGDesiredWeakReferences.cpp:
2546         (JSC::DFG::DesiredWeakReferences::addLazily):
2547         (JSC::DFG::DesiredWeakReferences::contains):
2548         (JSC::DFG::DesiredWeakReferences::reallyAdd):
2549         (JSC::DFG::DesiredWeakReferences::visitChildren):
2550         * dfg/DFGDesiredWeakReferences.h:
2551         * dfg/DFGFixupPhase.cpp:
2552         (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
2553         * dfg/DFGGraph.cpp:
2554         (JSC::DFG::Graph::Graph):
2555         (JSC::DFG::Graph::registerFrozenValues):
2556         (JSC::DFG::Graph::convertToConstant):
2557         (JSC::DFG::Graph::registerStructure):
2558         (JSC::DFG::Graph::assertIsRegistered):
2559         (JSC::DFG::Graph::assertIsWatched): Deleted.
2560         * dfg/DFGGraph.h:
2561         * dfg/DFGPlan.cpp:
2562         (JSC::DFG::Plan::compileInThreadImpl):
2563         * dfg/DFGStructureAbstractValue.cpp:
2564         (JSC::DFG::StructureAbstractValue::assertIsRegistered):
2565         (JSC::DFG::StructureAbstractValue::assertIsWatched): Deleted.
2566         * dfg/DFGStructureAbstractValue.h:
2567         (JSC::DFG::StructureAbstractValue::assertIsRegistered):
2568         (JSC::DFG::StructureAbstractValue::assertIsWatched): Deleted.
2569         * dfg/DFGStructureRegistrationPhase.cpp: Copied from Source/JavaScriptCore/dfg/DFGWatchableStructureWatchingPhase.cpp.
2570         (JSC::DFG::StructureRegistrationPhase::StructureRegistrationPhase):
2571         (JSC::DFG::StructureRegistrationPhase::run):
2572         (JSC::DFG::StructureRegistrationPhase::registerStructures):
2573         (JSC::DFG::StructureRegistrationPhase::registerStructure):
2574         (JSC::DFG::performStructureRegistration):
2575         (JSC::DFG::WatchableStructureWatchingPhase::WatchableStructureWatchingPhase): Deleted.
2576         (JSC::DFG::WatchableStructureWatchingPhase::run): Deleted.
2577         (JSC::DFG::WatchableStructureWatchingPhase::tryWatch): Deleted.
2578         (JSC::DFG::performWatchableStructureWatching): Deleted.
2579         * dfg/DFGStructureRegistrationPhase.h: Copied from Source/JavaScriptCore/dfg/DFGWatchableStructureWatchingPhase.h.
2580         * dfg/DFGWatchableStructureWatchingPhase.cpp: Removed.
2581         * dfg/DFGWatchableStructureWatchingPhase.h: Removed.
2582
2583 2014-08-18  Akos Kiss  <akiss@inf.u-szeged.hu>
2584
2585         Fix ASSERT in ARM64's JSC::GPRInfo::debugName
2586         https://bugs.webkit.org/show_bug.cgi?id=136050
2587
2588         Reviewed by Darin Adler.
2589
2590         Remove cast of GPRReg to unsigned to prevent signed/unsigned comparison
2591         error.
2592
2593         * jit/GPRInfo.h:
2594         (JSC::GPRInfo::debugName):
2595
2596 2014-08-18  Andreas Kling  <akling@apple.com>
2597
2598         REGRESSION(r168256): JSString can get 8-bit flag wrong when re-using AtomicStrings.
2599         <https://webkit.org/b/133574>
2600         <rdar://problem/18051847>
2601
2602         The optimization that resolves JSRopeStrings into an existing
2603         AtomicString (to save time and memory by avoiding StringImpl allocation)
2604         had a bug that it wasn't copying the 8-bit flag from the AtomicString.
2605
2606         This could lead to a situation where a 16-bit StringImpl containing
2607         only 8-bit characters is sitting in the AtomicString table, is found
2608         by the rope resolution optimization, and gives you a rope that thinks
2609         it's all 8-bit, but has a fiber with 16-bit characters.
2610
2611         Resolving that rope will then yield incorrect results.
2612
2613         This was all caught by an assertion, but very hard to reproduce.
2614
2615         Test: js/dopey-rope-with-16-bit-propertyname.html
2616
2617         Reviewed by Darin Adler.
2618
2619         * runtime/JSString.cpp:
2620         (JSC::JSRopeString::resolveRopeToAtomicString):
2621         (JSC::JSRopeString::resolveRopeToExistingAtomicString):
2622         * runtime/JSString.h:
2623         (JSC::JSString::setIs8Bit):
2624         (JSC::JSString::toExistingAtomicString):
2625
2626 2014-08-18  Matthew Mirman  <mmirman@apple.com>
2627
2628         Merges the two native inlining passes from the build.
2629         Also adds the AvailableExternallyLinkage assertion to linked 
2630         functions to allow unused and duplicate ones to be removed.
2631         https://bugs.webkit.org/show_bug.cgi?id=135526
2632
2633         Reviewed by Filip Pizlo.
2634
2635         * JavaScriptCore.xcodeproj/project.pbxproj: 
2636         Removed second generation of llvm binary files.
2637         Fixed the flags on the first pass. 
2638         * build-symbol-table-index.py: Modified some paths.
2639         * build-symbol-table-index.sh: Removed.
2640         * copy-llvm-ir-to-derived-sources.sh: Now calls build-symbol-table-index directly.
2641         * ftl/FTLLowerDFGToLLVM.cpp: Added LLVMAvailableExternallyLinkage assertion.
2642         (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol): 
2643         * runtime/ArrayPrototype.cpp: Removed static declarations. 
2644         * runtime/DateConstructor.cpp: ditto.
2645         (JSC::dateParse):
2646         (JSC::dateNow):
2647         (JSC::dateUTC):
2648         * runtime/DatePrototype.cpp: ditto.
2649         * runtime/JSDataViewPrototype.cpp: ditto on both.
2650         (JSC::dataViewProtoFuncGetInt8):
2651         (JSC::dataViewProtoFuncGetInt16):
2652         (JSC::dataViewProtoFuncGetInt32):
2653         (JSC::dataViewProtoFuncGetUint8):
2654         (JSC::dataViewProtoFuncGetUint16):
2655         (JSC::dataViewProtoFuncGetUint32):
2656         (JSC::dataViewProtoFuncGetFloat32):
2657         (JSC::dataViewProtoFuncGetFloat64):
2658         (JSC::dataViewProtoFuncSetInt8):
2659         (JSC::dataViewProtoFuncSetInt16):
2660         (JSC::dataViewProtoFuncSetInt32):
2661         (JSC::dataViewProtoFuncSetUint8):
2662         (JSC::dataViewProtoFuncSetUint16):
2663         (JSC::dataViewProtoFuncSetUint32):
2664         (JSC::dataViewProtoFuncSetFloat32):
2665         (JSC::dataViewProtoFuncSetFloat64):
2666         * runtime/JSONObject.cpp: ditto.
2667         * runtime/ObjectConstructor.cpp: ditto.
2668         * runtime/StringPrototype.cpp: ditto.
2669
2670 2014-08-18  Saam Barati  <sbarati@apple.com>
2671
2672         The parser should generate AST nodes for the var declarations with no initializers
2673         https://bugs.webkit.org/show_bug.cgi?id=135545
2674
2675         Reviewed by Geoffrey Garen.
2676
2677         Currently, JSC's parser ignores variable declarations
2678         that have no assignment initializer value because all 
2679         variables are implicitly assigned to undefined. But, 
2680         type profiling needs an AST node to be generated for these 
2681         empty variable declarations because it needs to be able to 
2682         profile their text locations and to see that their type 
2683         is undefined.
2684
2685         * bytecompiler/NodesCodegen.cpp:
2686         (JSC::EmptyVarExpression::emitBytecode):
2687         * parser/ASTBuilder.h:
2688         (JSC::ASTBuilder::createVarStatement):
2689         (JSC::ASTBuilder::createEmptyVarExpression):
2690         * parser/NodeConstructors.h:
2691         (JSC::EmptyVarExpression::EmptyVarExpression):
2692         * parser/Nodes.h:
2693         * parser/Parser.cpp:
2694         (JSC::Parser<LexerType>::parseVarDeclarationList):
2695         * parser/SyntaxChecker.h:
2696         (JSC::SyntaxChecker::createEmptyVarExpression):
2697
2698 2014-08-18  Diego Pino Garcia  <dpino@igalia.com>
2699
2700         Completed iterator can be revived by adding more than one new entry to the target object
2701         https://bugs.webkit.org/show_bug.cgi?id=129993
2702
2703         Reviewed by Oliver Hunt.
2704
2705         When the iterator reaches the end, finish the iterator.
2706
2707         * runtime/JSMapIterator.h:
2708         (JSC::JSMapIterator::finish):
2709         * runtime/JSSetIterator.h:
2710         (JSC::JSSetIterator::finish):
2711         * runtime/MapData.h:
2712         (JSC::MapData::const_iterator::finish): set index of iterator to max
2713         Int32.
2714         * runtime/MapIteratorPrototype.cpp:
2715         (JSC::MapIteratorPrototypeFuncNext):
2716         * runtime/SetIteratorPrototype.cpp:
2717         (JSC::SetIteratorPrototypeFuncNext):
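
        The semantics this fix enforces, shown as an added JavaScript example (not part of the ChangeLog entry or of WebKit's own code): an entry added before the iterator reports done is still visited, while entries added after the iterator has finished do not revive it. The Map, Set and their keys are constructed here for illustration only.

```javascript
// Added example, not WebKit code: probes Map and Set iterator completion.
// A finished iterator must stay finished even when the collection grows.

// Drive a Map iterator to completion, then mutate the map and check whether
// the finished iterator can be revived. Sample keys are constructed here.
function probeMapIterator() {
  const map = new Map([['a', 1]]);
  const it = map.keys();
  const seen = [];

  let step = it.next();           // yields 'a'
  seen.push(step.value);
  map.set('b', 2);                // added before exhaustion: still visited
  step = it.next();               // yields 'b'
  seen.push(step.value);
  step = it.next();               // { done: true }: the iterator is finished
  const finished = step.done;

  map.set('c', 3);                // more than one entry added after exhaustion
  map.set('d', 4);
  const later = [it.next(), it.next()];
  const revived = later.some(r => !r.done || r.value !== undefined);
  return { seen, finished, revived };
}

// Same probe for Set, whose iterator shares the finish-on-end behaviour.
function probeSetIterator() {
  const set = new Set(['a']);
  const it = set.values();
  const seen = [];

  let step = it.next();           // yields 'a'
  seen.push(step.value);
  set.add('b');                   // added before exhaustion: still visited
  step = it.next();               // yields 'b'
  seen.push(step.value);
  step = it.next();               // { done: true }: the iterator is finished
  const finished = step.done;

  set.add('c');                   // more than one entry added after exhaustion
  set.add('d');
  const later = [it.next(), it.next()];
  const revived = later.some(r => !r.done || r.value !== undefined);
  return { seen, finished, revived };
}

console.log(probeMapIterator());  // { seen: ['a', 'b'], finished: true, revived: false }
console.log(probeSetIterator());  // { seen: ['a', 'b'], finished: true, revived: false }
```

        A `revived: true` result from either probe would indicate the bug this entry fixes: the iterator's index was left pointing at the old end of the backing store, so later additions made it yield again.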
2718
2719 2014-08-15  Brian J. Burg  <burg@cs.washington.edu>
2720
2721         Web Inspector: rewrite CodeGeneratorInspector to be modular and testable
2722         https://bugs.webkit.org/show_bug.cgi?id=131596
2723
2724         Unreviewed gardening to rebaseline inspector generator tests after addressing review comments.
2725
2726         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2727         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2728         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2729         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2730         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
2731         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
2732         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
2733         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2734         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
2735         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2736         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2737
2738 2014-08-15  Brian J. Burg  <burg@cs.washington.edu>
2739
2740         Unreviewed build fix for some GTK bots after r172655.
2741
2742         Some bots use Python 2.6, which lacks the 'flags' named parameter for re.sub.
2743
2744         * inspector/scripts/codegen/generator.py:
2745         (Generator.stylized_name_for_enum_value): Do things the old-school way.
2746
2747 2014-08-15  Michael Saboff  <msaboff@apple.com>
2748
2749         Change callToJavaScript and callToNativeFunction so their callFrames match the native calling conventions
2750         https://bugs.webkit.org/show_bug.cgi?id=131578
2751
2752         Reviewed by Geoffrey Garen.
2753
2754         Renamed callToJavaScript and callToNativeFunction to vmEntryToJavaScript and vmEntryToNative,
2755         respectively.  Eliminated the sentinel frame and replaced it with the structure VMEntryRecord
2756         that appears in the "locals" area of a VM entry stack frame.  Changed the order that
2757         vmEntryToJavaScript and vmEntryToNative create their stack frames to be native calling
2758         convention compliant.  That is to save prior frame pointer, save callee save registers, then
2759         allocate and populate the VMEntryRecord, and finally allocate a CallFrame for the JS function
2760         that vmEntryToJavaScript will invoke.  The top most vm entry frame pointer is saved in
2761         VM::topVMEntryFrame.  The vmEntry functions save prior contents of VM::topVMEntryFrame
2762         along with the VM and VM::topCallFrame in the VMEntryRecord it places on the stack.  Starting
2763         at VM::topCallFrame, the stack can be walked using these VMEntryRecords.
2764
2765         Arbitrary stack unwinding is now handled either iteratively by loading VM::topVMEntryFrame
2766         into a local variable and using CallFrame::callerFrame(VMEntryFrame*&) or by using StackVisitor.
2767         Given that the stack is effectively a singly linked list, general stack unwinding needs to use
2768         one of these two methods.
2769
2770         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2771         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2772         * JavaScriptCore.xcodeproj/project.pbxproj:
2773         Addition of VMEntryRecord.h
2774
2775         * bytecode/BytecodeList.json:
2776         Renaming of llint helper opcodes due to renaming callToJavaScript and callToNativeFunction.
2777
2778         * debugger/Debugger.cpp:
2779         (JSC::Debugger::stepOutOfFunction):
2780         (JSC::Debugger::returnEvent):
2781         (JSC::Debugger::didExecuteProgram):
2782         * jsc.cpp:
2783         (functionDumpCallFrame):
2784         * jit/JITOperations.cpp:
2785         Changed unwinding to use CallFrame::callerFrame(VMEntryFrame*&).
2786
2787         * bytecode/CodeBlock.cpp:
2788         (JSC::RecursionCheckFunctor::RecursionCheckFunctor):
2789         (JSC::RecursionCheckFunctor::operator()):
2790         (JSC::RecursionCheckFunctor::didRecurse):
2791         (JSC::CodeBlock::noticeIncomingCall):
2792         * debugger/DebuggerCallFrame.cpp:
2793         (JSC::FindCallerMidStackFunctor::FindCallerMidStackFunctor):
2794         (JSC::FindCallerMidStackFunctor::operator()):
2795         (JSC::FindCallerMidStackFunctor::getCallerFrame):
2796         (JSC::DebuggerCallFrame::callerFrame):
2797         * interpreter/VMInspector.cpp:
2798         (JSC::CountFramesFunctor::CountFramesFunctor):
2799         (JSC::CountFramesFunctor::operator()):
2800         (JSC::CountFramesFunctor::count):
2801         (JSC::VMInspector::countFrames):
2802         * runtime/VM.cpp:
2803         (JSC::VM::VM):
2804         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
2805         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
2806         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame):
2807         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index):
2808         (JSC::VM::throwException):
2809         Changed unwinding to use StackVisitor including added functor classes.
2810
2811         * interpreter/CallFrame.cpp:
2812         (JSC::CallFrame::callerFrame):
2813         Added new flavor of callerFrame() that can iteratively unwind the stack.
2814
2815         * interpreter/CallFrame.h:
2816         (JSC::ExecState::callerFrame): Changed callerFrame() to use private common helper.
2817         (JSC::ExecState::callerFrameOrVMEntryFrame): Deleted.
2818         (JSC::ExecState::isVMEntrySentinel): Deleted.
2819         (JSC::ExecState::vmEntrySentinelCallerFrame): Deleted.
2820         (JSC::ExecState::initializeVMEntrySentinelFrame): Deleted.
2821         (JSC::ExecState::callerFrameSkippingVMEntrySentinel): Deleted.
2822         (JSC::ExecState::vmEntrySentinelCodeBlock): Deleted.
2823
2824         * interpreter/CallFrame.h:
2825         (JSC::ExecState::init):
2826         (JSC::ExecState::topOfFrame):
2827         (JSC::ExecState::currentVPC):
2828         (JSC::ExecState::setCurrentVPC):
2829         Eliminated unneeded checking of sentinel frame.
2830
2831         * interpreter/Interpreter.cpp:
2832         (JSC::unwindCallFrame):
2833         (JSC::Interpreter::getStackTrace): Updated for unwinding changes.
2834         (JSC::Interpreter::unwind): Eliminated unneeded sentinel frame check.
2835
2836         * interpreter/Interpreter.cpp:
2837         (JSC::Interpreter::executeCall):
2838         (JSC::Interpreter::executeConstruct):
2839         * jit/JITStubs.h:
2840         * llint/LLIntThunks.cpp:
2841         (JSC::callToJavaScript): Deleted.
2842         (JSC::callToNativeFunction): Deleted.
2843         (JSC::vmEntryToJavaScript):
2844         (JSC::vmEntryToNative):
2845         * llint/LLIntThunks.h:
2846         Updated for vmEntryToJavaScript and vmEntryToNative name changes.
2847
2848         * interpreter/Interpreter.h:
2849         (JSC::TopCallFrameSetter::TopCallFrameSetter):
2850         (JSC::TopCallFrameSetter::~TopCallFrameSetter):
2851         Eliminated unneeded sentinel frame check.
2852
2853         * interpreter/Interpreter.h:
2854         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
2855         Removed sentinel specific constructor.
2856
2857         * interpreter/StackVisitor.cpp:
2858         (JSC::StackVisitor::StackVisitor):
2859         (JSC::StackVisitor::readFrame):
2860         (JSC::StackVisitor::readNonInlinedFrame):
2861         (JSC::StackVisitor::readInlinedFrame):
2862         (JSC::StackVisitor::Frame::print):
2863         * interpreter/StackVisitor.h:
2864         (JSC::StackVisitor::Frame::callerIsVMEntry):
2865         Changes for unwinding using CallFrame::callerFrame(VMEntryFrame*&).  Also added field that
2866         indicates when about to step over a VM entry frame.
2867
2868         * interpreter/VMEntryRecord.h: Added.
2869         (JSC::VMEntryRecord::prevTopCallFrame):
2870         (JSC::VMEntryRecord::prevTopVMEntryFrame):
2871         New struct to record prior state of VM's notion of VM entry and top call frames.
2872
2873         * jit/JITCode.cpp:
2874         (JSC::JITCode::execute):
2875         Use new vmEntryToJavaScript and vmEntryToNative name.
2876
2877         * llint/LLIntOffsetsExtractor.cpp: Added include for VMEntryRecord.h.
2878
2879         * llint/LowLevelInterpreter.asm:
2880         * llint/LowLevelInterpreter32_64.asm:
2881         * llint/LowLevelInterpreter64.asm:
2882         Offline assembly implementation of creating stack frame with VMEntryRecord as well as restoring 
2883         relevant VM fields when exiting the VM.  Added a helper that returns a VMEntryRecord given
2884         a pointer to the VM entry frame.
2885
2886         * llint/LLIntThunks.cpp:
2887         (JSC::vmEntryRecord):
2888         * llint/LowLevelInterpreter.cpp:
2889         (JSC::CLoop::execute):
2890         C Loop changes to mirror the assembly changes.
2891
2892         * runtime/VM.h:
2893         Added topVMEntryFrame field.
2894
2895 2014-08-15  Brian J. Burg  <burg@cs.washington.edu>
2896
2897         Web Inspector: rewrite CodeGeneratorInspector to be modular and testable
2898         https://bugs.webkit.org/show_bug.cgi?id=131596
2899
2900         Reviewed by Joseph Pecoraro.
2901
2902         Replace CodeGeneratorInspector.py with generate-inspector-protocol-bindings.py.
2903         The new generator decouples parsing and typechecking a model of the protocol from
2904         code generation. Each generated file is created by a different subclass of Generator.
2905         Helper methods to compute various type signatures are shared among generators.
2906
2907         This patch introduces a test harness and a test suite that covers all functionality.
2908
2909         Aside from hooking up the new inspector bindings generator to the build system,
2910         there are a few commingled changes that would be painful to split from the main
2911         patch:
2912
2913         Convert protocol enumeration types from struct-namespaced enums to C++ scoped enums.
2914
2915         Move all runtimeCast(), assertValueHasExpectedType(), and RuntimeCastHelper methods to static
2916         methods of BindingTraits specializations.
2917
2918         Together, these changes reduce duplication and make it possible to forward-declare
2919         all protocol enum and object types, reducing weird ordering dependencies between domains.
2920
2921         * CMakeLists.txt:
2922         * DerivedSources.make:
2923         * JavaScriptCore.vcxproj/copy-files.cmd:
2924         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2925         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Add inspector scripts to solution filters.
2926         * JavaScriptCore.xcodeproj/project.pbxproj:
2927         * inspector/ConsoleMessage.cpp: Convert to scoped enums.
2928         (Inspector::messageSourceValue):
2929         (Inspector::messageTypeValue):
2930         (Inspector::messageLevelValue):
2931         * inspector/InjectedScript.cpp: Convert to scoped enums and BindingTraits.
2932         (Inspector::InjectedScript::getFunctionDetails):
2933         (Inspector::InjectedScript::getProperties):
2934         (Inspector::InjectedScript::getInternalProperties):
2935         (Inspector::InjectedScript::wrapCallFrames):
2936         (Inspector::InjectedScript::wrapObject):
2937         (Inspector::InjectedScript::wrapTable):
2938         * inspector/InjectedScriptBase.cpp: Convert InspectorValue::Type to a scoped enum.
2939         (Inspector::InjectedScriptBase::makeEvalCall):
2940         * inspector/InjectedScriptManager.cpp:
2941         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
2942         * inspector/InspectorTypeBuilder.h:
2943         (Inspector::TypeBuilder::Array::create):
2944         (Inspector::TypeBuilder::StructItemTraits::pushRefPtr):
2945         (Inspector::TypeBuilder::ArrayItemHelper<String>::Traits::pushRaw):
2946         (Inspector::TypeBuilder::ArrayItemHelper<int>::Traits::pushRaw):
2947         (Inspector::TypeBuilder::ArrayItemHelper<double>::Traits::pushRaw):
2948         (Inspector::TypeBuilder::ArrayItemHelper<bool>::Traits::pushRaw):
2949         (Inspector::TypeBuilder::ArrayItemHelper<InspectorValue>::Traits::pushRefPtr):
2950         (Inspector::TypeBuilder::ArrayItemHelper<InspectorObject>::Traits::pushRefPtr):
2951         (Inspector::TypeBuilder::ArrayItemHelper<InspectorArray>::Traits::pushRefPtr):
2952         (Inspector::TypeBuilder::PrimitiveBindingTraits::assertValueHasExpectedType):
2953         (Inspector::TypeBuilder::BindingTraits<TypeBuilder::Array<T>>::runtimeCast):
2954         (Inspector::TypeBuilder::BindingTraits<TypeBuilder::Array<T>>::assertValueHasExpectedType):
2955         (Inspector::TypeBuilder::BindingTraits<InspectorValue>::assertValueHasExpectedType):
2956         (Inspector::TypeBuilder::BindingTraits<int>::assertValueHasExpectedType):
2957         (Inspector::TypeBuilder::ExactlyInt::ExactlyInt): Deleted. It was not used.
2958         (Inspector::TypeBuilder::ExactlyInt::operator int): Deleted.
2959         (Inspector::TypeBuilder::ExactlyInt::cast_to_int): Deleted.
2960         (Inspector::TypeBuilder::ExactlyInt::cast_to_int<int>): Deleted.
2961         (Inspector::TypeBuilder::int>): Deleted.
2962         (Inspector::TypeBuilder::RuntimeCastHelper::assertType): Deleted.
2963         (Inspector::TypeBuilder::RuntimeCastHelper::assertAny): Deleted.
2964         (Inspector::TypeBuilder::RuntimeCastHelper::assertInt): Deleted.
2965         (Inspector::TypeBuilder::Array::runtimeCast): Deleted.
2966         (Inspector::TypeBuilder::Array::assertCorrectValue): Deleted.
2967         (Inspector::TypeBuilder::StructItemTraits::assertCorrectValue): Deleted.
2968         (Inspector::TypeBuilder::ArrayItemHelper<String>::Traits::assertCorrectValue): Deleted.
2969         (Inspector::TypeBuilder::ArrayItemHelper<int>::Traits::assertCorrectValue): Deleted.
2970         (Inspector::TypeBuilder::ArrayItemHelper<double>::Traits::assertCorrectValue): Deleted.
2971         (Inspector::TypeBuilder::ArrayItemHelper<bool>::Traits::assertCorrectValue): Deleted.
2972         (Inspector::TypeBuilder::ArrayItemHelper<InspectorValue>::Traits::assertCorrectValue): Deleted.
2973         (Inspector::TypeBuilder::ArrayItemHelper<InspectorObject>::Traits::assertCorrectValue): Deleted.
2974         (Inspector::TypeBuilder::ArrayItemHelper<InspectorArray>::Traits::assertCorrectValue): Deleted.
2975         (Inspector::TypeBuilder::ArrayItemHelper<TypeBuilder::Array<T>>::Traits::assertCorrectValue): Deleted.
2976
2977         * inspector/InspectorValues.cpp: Convert InspectorValue::Type to a scoped enum.
2978         (Inspector::InspectorValue::writeJSON):
2979         (Inspector::InspectorBasicValue::asBoolean):
2980         (Inspector::InspectorBasicValue::asNumber):
2981         (Inspector::InspectorBasicValue::writeJSON):
2982         (Inspector::InspectorString::writeJSON):
2983         (Inspector::InspectorObjectBase::InspectorObjectBase):
2984         (Inspector::InspectorObjectBase::setArray): Take InspectorArrayBase.
2985         (Inspector::InspectorObjectBase::setObject): Take InspectorObjectBase.
2986         (Inspector::InspectorArrayBase::InspectorArrayBase):
2987         * inspector/InspectorValues.h:
2988
2989         * inspector/agents/InspectorDebuggerAgent.cpp: Convert to scoped enums.
2990         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
2991         (Inspector::InspectorDebuggerAgent::breakProgram):
2992         * inspector/agents/InspectorDebuggerAgent.h:
2993         * inspector/agents/InspectorRuntimeAgent.cpp:
2994         (Inspector::InspectorRuntimeAgent::parse):
2995         * inspector/agents/InspectorRuntimeAgent.h:
2996
2997         * inspector/scripts/CodeGeneratorInspector.py: Removed.
2998         * inspector/scripts/codegen/__init__.py: Added.
2999         * inspector/scripts/codegen/generate_backend_commands.py: Added.
3000         (BackendCommandsGenerator):
3001         (BackendCommandsGenerator.__init__):
3002         (BackendCommandsGenerator.model):
3003         (BackendCommandsGenerator.output_filename):
3004         (BackendCommandsGenerator.generate_license):
3005         (BackendCommandsGenerator.generate_output):
3006         (BackendCommandsGenerator.generate_domain):
3007         (BackendCommandsGenerator.generate_domain.is_anonymous_enum_member):
3008         (BackendCommandsGenerator.generate_domain.generate_parameter_object):
3009         * inspector/scripts/codegen/generate_backend_dispatcher_header.py: Added.
3010         (BackendDispatcherHeaderGenerator):
3011         (BackendDispatcherHeaderGenerator.__init__):
3012         (BackendDispatcherHeaderGenerator.model):
3013         (BackendDispatcherHeaderGenerator.output_filename):
3014         (BackendDispatcherHeaderGenerator.generate_license):
3015         (BackendDispatcherHeaderGenerator.generate_output):
3016         (BackendDispatcherHeaderGenerator.generate_output.for):
3017         (BackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain):
3018         (BackendDispatcherHeaderGenerator._generate_anonymous_enum_for_parameter):
3019         (BackendDispatcherHeaderGenerator._generate_handler_declaration_for_command):
3020         (BackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
3021         (BackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
3022         (BackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
3023         * inspector/scripts/codegen/generate_backend_dispatcher_implementation.py: Added.
3024         (BackendDispatcherImplementationGenerator):
3025         (BackendDispatcherImplementationGenerator.__init__):
3026         (BackendDispatcherImplementationGenerator.model):
3027         (BackendDispatcherImplementationGenerator.output_filename):
3028         (BackendDispatcherImplementationGenerator.generate_license):
3029         (BackendDispatcherImplementationGenerator.generate_output):
3030         (BackendDispatcherImplementationGenerator._generate_handler_class_destructor_for_domain):
3031         (BackendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain):
3032         (BackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
3033         (BackendDispatcherImplementationGenerator._generate_large_dispatcher_switch_implementation_for_domain):
3034         (BackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
3035         (BackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
3036         * inspector/scripts/codegen/generate_frontend_dispatcher_header.py: Added.
3037         (FrontendDispatcherHeaderGenerator):
3038         (FrontendDispatcherHeaderGenerator.__init__):
3039         (FrontendDispatcherHeaderGenerator.model):
3040         (FrontendDispatcherHeaderGenerator.output_filename):
3041         (FrontendDispatcherHeaderGenerator.generate_license):
3042         (FrontendDispatcherHeaderGenerator.generate_output):
3043         (FrontendDispatcherHeaderGenerator._generate_anonymous_enum_for_parameter):
3044         (FrontendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
3045         (FrontendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_event):
3046         * inspector/scripts/codegen/generate_frontend_dispatcher_implementation.py: Added.
3047         (FrontendDispatcherImplementationGenerator):
3048         (FrontendDispatcherImplementationGenerator.__init__):
3049         (FrontendDispatcherImplementationGenerator.model):
3050         (FrontendDispatcherImplementationGenerator.output_filename):
3051         (FrontendDispatcherImplementationGenerator.generate_license):
3052         (FrontendDispatcherImplementationGenerator.generate_output):
3053         (FrontendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain):
3054         (FrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
3055         * inspector/scripts/codegen/generate_type_builder_header.py: Added.
3056         (TypeBuilderHeaderGenerator):
3057         (TypeBuilderHeaderGenerator.__init__):
3058         (TypeBuilderHeaderGenerator.model):
3059         (TypeBuilderHeaderGenerator.output_filename):
3060         (TypeBuilderHeaderGenerator.generate_license):
3061         (TypeBuilderHeaderGenerator.generate_output):
3062         (TypeBuilderHeaderGenerator._generate_forward_declarations):
3063         (_generate_typedefs):
3064         (_generate_typedefs_for_domain):
3065         (_generate_builders_for_domain):
3066         (_generate_class_for_object_declaration):
3067         (_generate_struct_for_enum_declaration):
3068         (_generate_struct_for_anonymous_enum_member):
3069         (_generate_struct_for_anonymous_enum_member.apply_indentation):
3070         (_generate_struct_for_enum_type):
3071         (_generate_builder_state_enum):
3072         (_generate_builder_setter_for_member):
3073         (_generate_unchecked_setter_for_member):
3074         (_generate_forward_declarations_for_binding_traits):
3075         * inspector/scripts/codegen/generate_type_builder_implementation.py: Added.
3076         (TypeBuilderImplementationGenerator):
3077         (TypeBuilderImplementationGenerator.__init__):
3078         (TypeBuilderImplementationGenerator.model):
3079         (TypeBuilderImplementationGenerator.output_filename):
3080         (TypeBuilderImplementationGenerator.generate_license):
3081         (TypeBuilderImplementationGenerator.generate_output):
3082         (TypeBuilderImplementationGenerator._generate_enum_mapping):
3083         (TypeBuilderImplementationGenerator._generate_open_field_names):
3084         (TypeBuilderImplementationGenerator._generate_builders_for_domain):
3085         (TypeBuilderImplementationGenerator._generate_runtime_cast_for_object_declaration):
3086         (TypeBuilderImplementationGenerator._generate_assertion_for_object_declaration):
3087         (TypeBuilderImplementationGenerator._generate_assertion_for_enum):
3088         * inspector/scripts/codegen/generator.py: Added.
3089         (ucfirst):
3090         (Generator):
3091         (Generator.__init__):
3092         (Generator.model):
3093         (Generator.generate_license):
3094         (Generator.domains_to_generate):
3095         (Generator.generate_output):
3096         (Generator.output_filename):
3097         (Generator.encoding_for_enum_value):
3098         (Generator.assigned_enum_values):
3099         (Generator.type_needs_runtime_casts):
3100         (Generator.type_has_open_fields):
3101         (Generator.type_needs_shape_assertions):
3102         (Generator.calculate_types_requiring_shape_assertions):
3103         (Generator.calculate_types_requiring_shape_assertions.gather_transitively_referenced_types):
3104         (Generator._traverse_and_assign_enum_values):
3105         (Generator._assign_encoding_for_enum_value):
3106         (Generator.wrap_with_guard_for_domain):
3107         (Generator.stylized_name_for_enum_value):
3108         (Generator.stylized_name_for_enum_value.replaceCallback):
3109         (Generator.keyed_get_method_for_type):
3110         (Generator.keyed_set_method_for_type):
3111         (Generator.type_builder_string_for_type):
3112         (Generator.type_builder_string_for_type_member):
3113         (Generator.type_string_for_unchecked_formal_in_parameter):
3114         (Generator.type_string_for_checked_formal_event_parameter):
3115         (Generator.type_string_for_type_member):
3116         (Generator.type_string_for_type_with_name):
3117         (Generator.type_string_for_formal_out_parameter):
3118         (Generator.type_string_for_formal_async_parameter):
3119         (Generator.type_string_for_stack_in_parameter):
3120         (Generator.type_string_for_stack_out_parameter):
3121         (Generator.assertion_method_for_type_member):
3122         (Generator.assertion_method_for_type_member.assertion_method_for_type):
3123         (Generator.cpp_name_for_primitive_type):
3124         (Generator.js_name_for_parameter_type):
3125         (Generator.should_use_wrapper_for_return_type):
3126         (Generator.should_pass_by_copy_for_return_type):
3127         * inspector/scripts/codegen/generator_templates.py: Added.
3128         (GeneratorTemplates):
3129         (void):
3130         (HashMap):
3131         (Builder):
3132         (Inspector):
3133         * inspector/scripts/codegen/models.py: Added.
3134         (ucfirst):
3135         (ParseException):
3136         (TypecheckException):
3137         (Framework):
3138         (Framework.__init__):
3139         (Framework.setting):
3140         (Framework.fromString):
3141         (Frameworks):
3142         (TypeReference):
3143         (TypeReference.__init__):
3144         (TypeReference.referenced_name):
3145         (Type):
3146         (Type.__init__):
3147         (Type.__eq__):
3148         (Type.__hash__):
3149         (Type.raw_name):
3150         (Type.is_enum):
3151         (Type.type_domain):
3152         (Type.qualified_name):
3153         (Type.resolve_type_references):
3154         (PrimitiveType):
3155         (PrimitiveType.__init__):
3156         (PrimitiveType.__repr__):
3157         (PrimitiveType.type_domain):
3158         (PrimitiveType.qualified_name):
3159         (AliasedType):
3160         (AliasedType.__init__):
3161         (AliasedType.__repr__):
3162         (AliasedType.is_enum):
3163         (AliasedType.type_domain):
3164         (AliasedType.qualified_name):
3165         (AliasedType.resolve_type_references):
3166         (EnumType):
3167         (EnumType.__init__):
3168         (EnumType.__repr__):
3169         (EnumType.is_enum):
3170         (EnumType.type_domain):
3171         (EnumType.enum_values):
3172         (EnumType.qualified_name):
3173         (EnumType.resolve_type_references):
3174         (ArrayType):
3175         (ArrayType.__init__):
3176         (ArrayType.__repr__):
3177         (ArrayType.type_domain):
3178         (ArrayType.qualified_name):
3179         (ArrayType.resolve_type_references):
3180         (ObjectType):
3181         (ObjectType.__init__):
3182         (ObjectType.__repr__):
3183         (ObjectType.type_domain):
3184         (ObjectType.qualified_name):
3185         (check_for_required_properties):
3186         (Protocol):
3187         (Protocol.__init__):
3188         (Protocol.parse_specification):
3189         (Protocol.parse_domain):
3190         (Protocol.parse_type_declaration):
3191         (Protocol.parse_type_member):
3192         (Protocol.parse_command):
3193         (Protocol.parse_event):
3194         (Protocol.parse_call_or_return_parameter):
3195         (Protocol.resolve_types):
3196         (Protocol.lookup_type_for_declaration):
3197         (Protocol.lookup_type_reference):
3198         (Domain):
3199         (Domain.__init__):
3200         (Domain.resolve_type_references):
3201         (Domains):
3202         (TypeDeclaration):
3203         (TypeDeclaration.__init__):
3204         (TypeDeclaration.resolve_type_references):
3205         (TypeMember):
3206         (TypeMember.__init__):
3207         (TypeMember.resolve_type_references):
3208         (Parameter):
3209         (Parameter.__init__):
3210         (Parameter.resolve_type_references):
3211         (Command):
3212         (Command.__init__):
3213         (Command.resolve_type_references):
3214         (Event):
3215         (Event.__init__):
3216         (Event.resolve_type_references):
3217         * inspector/scripts/generate-inspector-protocol-bindings.py: Added.
3218         (IncrementalFileWriter):
3219         (IncrementalFileWriter.__init__):
3220         (IncrementalFileWriter.write):
3221         (IncrementalFileWriter.close):
3222         (generate_from_specification):
3223         (generate_from_specification.load_specification):
3224         * inspector/scripts/tests/commands-with-async-attribute.json: Added.
3225         * inspector/scripts/tests/commands-with-optional-call-return-parameters.json: Added.
3226         * inspector/scripts/tests/domains-with-varying-command-sizes.json: Added.
3227         * inspector/scripts/tests/events-with-optional-parameters.json: Added.
3228         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result: Added.
3229         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result: Added.
3230         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result: Added.
3231         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result: Added.
3232         * inspector/scripts/tests/fail-on-duplicate-type-declarations.json-error: Added.
3233         * inspector/scripts/tests/fail-on-enum-with-no-values.json-error: Added.
3234         * inspector/scripts/tests/fail-on-type-declaration-using-type-reference.json-error: Added.
3235         * inspector/scripts/tests/fail-on-type-with-lowercase-name.json-error: Added.
3236         * inspector/scripts/tests/fail-on-unknown-type-reference-in-type-declaration.json-error: Added.
3237         * inspector/scripts/tests/fail-on-unknown-type-reference-in-type-member.json-error: Added.
3238         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result: Added.
3239         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result: Added.
3240         * inspector/scripts/tests/expected/type-declaration-array-type.json-result: Added.
3241         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result: Added.
3242         * inspector/scripts/tests/expected/type-declaration-object-type.json-result: Added.
3243         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result: Added.
3244         * inspector/scripts/tests/fail-on-duplicate-type-declarations.json: Added.
3245         * inspector/scripts/tests/fail-on-enum-with-no-values.json: Added.
3246         * inspector/scripts/tests/fail-on-type-declaration-using-type-reference.json: Added.
3247         * inspector/scripts/tests/fail-on-type-with-lowercase-name.json: Added.
3248         * inspector/scripts/tests/fail-on-unknown-type-reference-in-type-declaration.json: Added.
3249         * inspector/scripts/tests/fail-on-unknown-type-reference-in-type-member.json: Added.
3250         * inspector/scripts/tests/same-type-id-different-domain.json: Added.
3251         * inspector/scripts/tests/type-declaration-aliased-primitive-type.json: Added.
3252         * inspector/scripts/tests/type-declaration-array-type.json: Added.
3253         * inspector/scripts/tests/type-declaration-enum-type.json: Added.
3254         * inspector/scripts/tests/type-declaration-object-type.json: Added.
3255         * inspector/scripts/tests/type-requiring-runtime-casts.json: Added.
3256
3257 2014-08-15  Matthew Mirman  <mmirman@apple.com>
3258
3259         Made native inlining errors not segfault. 
3260         https://bugs.webkit.org/show_bug.cgi?id=135988
3261         
3262         Reviewed by Geoffrey Garen.
3263
3264         * ftl/FTLAbbreviations.h:
3265         (JSC::FTL::disposeMessage): Added.
3266         * ftl/FTLLowerDFGToLLVM.cpp:
3267         (JSC::FTL::LowerDFGToLLVM::compilePutById): 
3268         abstracted out Options::verboseCompilation as was the case in the rest of the file.
3269         (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
3270         (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol): 
3271         added output error messages for llvm module loading.
3272
3273 2014-08-14  Andreas Kling  <akling@apple.com>
3274
3275         Allocate the whole RegExpMatchesArray backing store up front.
3276         <https://webkit.org/b/135217>
3277
3278         We were using the generic array backing store allocation path for
3279         RegExpMatchesArray which meant starting with 4 slots and then growing
3280         it dynamically as we append. Since we always know the final number of
3281         entries up front, allocate a perfectly-sized backing store right away.
3282
3283         ~2% progression on Octane/regexp.
3284
3285         Reviewed by Geoffrey Garen.
3286
3287         * runtime/JSArray.h:
3288         (JSC::createArrayButterflyWithExactLength):
3289         * runtime/RegExpMatchesArray.cpp:
3290         (JSC::RegExpMatchesArray::create):
3291
3292 2014-08-14  Saam Barati  <sbarati@apple.com>
3293
3294         Allow high fidelity type profiling to be enabled and disabled.
3295         https://bugs.webkit.org/show_bug.cgi?id=135423
3296
3297         Reviewed by Geoffrey Garen.
3298
3299         - Merged op_put_to_scope_with_profile and op_get_from_scope_with_profile into
3300           op_profile_types_with_high_fidelity by adding extra arguments to the opcode.
3301         - Altered SymbolTable to use less memory by adding a rare data structure for 
3302           type profiling.
3303         - Created an interface to turn on and off type profiling from the Web
3304           Inspector.
3305         - Refactored how entries are written to HighFidelityLog to make it
3306           easier to inline when generating machine code.
3307         - Implemented op_profile_types_with_high_fidelity in the baseline JIT
3308           by inlining the process of writing to the log and doing a small amount
3309           of type inference optimizations.
3310
3311         * bytecode/BytecodeList.json:
3312         * bytecode/BytecodeUseDef.h:
3313         (JSC::computeUsesForBytecodeOffset):
3314         (JSC::computeDefsForBytecodeOffset):
3315         * bytecode/CodeBlock.cpp:
3316         (JSC::CodeBlock::dumpBytecode):
3317         (JSC::CodeBlock::CodeBlock):
3318         (JSC::CodeBlock::finalizeUnconditionally):
3319         (JSC::CodeBlock::scopeDependentProfile): Deleted.
3320         * bytecode/CodeBlock.h:
3321         * bytecode/TypeLocation.h:
3322         (JSC::TypeLocation::TypeLocation):
3323         * bytecompiler/BytecodeGenerator.cpp:
3324         (JSC::BytecodeGenerator::generate):
3325         (JSC::BytecodeGenerator::emitMove):
3326         (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
3327         (JSC::BytecodeGenerator::emitGetFromScopeWithProfile): Deleted.
3328         (JSC::BytecodeGenerator::emitPutToScopeWithProfile): Deleted.
3329         * bytecompiler/BytecodeGenerator.h:
3330         * bytecompiler/NodesCodegen.cpp:
3331         (JSC::ThisNode::emitBytecode):
3332         (JSC::ResolveNode::emitBytecode):
3333         (JSC::BracketAccessorNode::emitBytecode):
3334         (JSC::DotAccessorNode::emitBytecode):
3335         (JSC::FunctionCallValueNode::emitBytecode):
3336         (JSC::FunctionCallResolveNode::emitBytecode):
3337         (JSC::FunctionCallBracketNode::emitBytecode):
3338         (JSC::FunctionCallDotNode::emitBytecode):
3339         (JSC::CallFunctionCallDotNode::emitBytecode):
3340         (JSC::ApplyFunctionCallDotNode::emitBytecode):
3341         (JSC::PostfixNode::emitResolve):
3342         (JSC::PostfixNode::emitBracket):
3343         (JSC::PostfixNode::emitDot):
3344         (JSC::PrefixNode::emitResolve):
3345         (JSC::PrefixNode::emitBracket):
3346         (JSC::PrefixNode::emitDot):
3347         (JSC::ReadModifyResolveNode::emitBytecode):
3348         (JSC::AssignResolveNode::emitBytecode):
3349         (JSC::AssignDotNode::emitBytecode):
3350         (JSC::ReadModifyDotNode::emitBytecode):
3351         (JSC::AssignBracketNode::emitBytecode):
3352         (JSC::ReadModifyBracketNode::emitBytecode):
3353         (JSC::ReturnNode::emitBytecode):
3354         (JSC::FunctionBodyNode::emitBytecode):
3355         * inspector/agents/InspectorRuntimeAgent.cpp:
3356         (Inspector::InspectorRuntimeAgent::InspectorRuntimeAgent):
3357         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
3358         (Inspector::TypeRecompiler::operator()):
3359         (Inspector::recompileAllJSFunctionsForTypeProfiling):
3360         (Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend):
3361         (Inspector::InspectorRuntimeAgent::enableHighFidelityTypeProfiling):
3362         (Inspector::InspectorRuntimeAgent::disableHighFidelityTypeProfiling):
3363         (Inspector::InspectorRuntimeAgent::setHighFidelityTypeProfilingEnabledState):
3364         * inspector/agents/InspectorRuntimeAgent.h:
3365         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
3366         (Inspector::JSGlobalObjectRuntimeAgent::willDestroyFrontendAndBackend):
3367         * inspector/protocol/Runtime.json:
3368         * jit/JIT.cpp:
3369         (JSC::JIT::privateCompileMainPass):
3370         (JSC::JIT::privateCompile):
3371         * jit/JIT.h:
3372         * jit/JITOpcodes.cpp:
3373         (JSC::JIT::emit_op_profile_types_with_high_fidelity):
3374         * jit/JITOpcodes32_64.cpp:
3375         (JSC::JIT::emit_op_profile_types_with_high_fidelity):
3376         * jit/JITOperations.cpp:
3377         * jit/JITOperations.h:
3378         * llint/LLIntSlowPaths.cpp:
3379         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3380         (JSC::LLInt::getFromScopeCommon): Deleted.
3381         (JSC::LLInt::putToScopeCommon): Deleted.
3382         * llint/LLIntSlowPaths.h:
3383         * llint/LowLevelInterpreter.asm:
3384         * runtime/CodeCache.cpp:
3385         (JSC::CodeCache::getGlobalCodeBlock):
3386         * runtime/CommonSlowPaths.cpp:
3387         (JSC::SLOW_PATH_DECL):
3388         * runtime/CommonSlowPaths.h:
3389         * runtime/HighFidelityLog.cpp:
3390         (JSC::HighFidelityLog::initializeHighFidelityLog):
3391         (JSC::HighFidelityLog::~HighFidelityLog):
3392         (JSC::HighFidelityLog::processHighFidelityLog):
3393         * runtime/HighFidelityLog.h:
3394         (JSC::HighFidelityLog::LogEntry::structureIDOffset):
3395         (JSC::HighFidelityLog::LogEntry::valueOffset):
3396         (JSC::HighFidelityLog::LogEntry::locationOffset):
3397         (JSC::HighFidelityLog::recordTypeInformationForLocation):
3398         (JSC::HighFidelityLog::logEndPtr):
3399         (JSC::HighFidelityLog::logStartOffset):
3400         (JSC::HighFidelityLog::currentLogEntryOffset):
3401         * runtime/HighFidelityTypeProfiler.cpp:
3402         (JSC::HighFidelityTypeProfiler::logTypesForTypeLocation):
3403         (JSC::descriptorMatchesTypeLocation):
3404         * runtime/HighFidelityTypeProfiler.h:
3405         * runtime/SymbolTable.cpp:
3406         (JSC::SymbolTable::SymbolTable):
3407         (JSC::SymbolTable::cloneCapturedNames):
3408         (JSC::SymbolTable::prepareForHighFidelityTypeProfiling):
3409         (JSC::SymbolTable::uniqueIDForVariable):
3410         (JSC::SymbolTable::uniqueIDForRegister):
3411         (JSC::SymbolTable::globalTypeSetForRegister):
3412         (JSC::SymbolTable::globalTypeSetForVariable):
3413         * runtime/SymbolTable.h:
3414         (JSC::SymbolTable::add):
3415         (JSC::SymbolTable::set):
3416         * runtime/TypeLocationCache.cpp:
3417         (JSC::TypeLocationCache::getTypeLocation):
3418         * runtime/TypeSet.cpp:
3419         (JSC::TypeSet::getRuntimeTypeForValue):
3420         (JSC::TypeSet::addTypeInformation):
3421         (JSC::TypeSet::allPrimitiveTypeNames):
3422         (JSC::TypeSet::addTypeForValue): Deleted.
3423         * runtime/TypeSet.h:
3424         * runtime/VM.cpp:
3425         (JSC::VM::VM):
3426         (JSC::VM::nextTypeLocation):
3427         (JSC::VM::enableHighFidelityTypeProfiling):
3428         (JSC::VM::disableHighFidelityTypeProfiling):
3429         (JSC::VM::dumpHighFidelityProfilingTypes):
3430         * runtime/VM.h:
3431         (JSC::VM::nextLocation): Deleted.
3432
3433 2014-08-14  Oliver Hunt  <oliver@apple.com>
3434
3435         Update scope resolution to assume that the parent activation is always there
3436         https://bugs.webkit.org/show_bug.cgi?id=135947
3437
3438         Reviewed by Andreas Kling.
3439
3440         Another incremental step in removing the idea of lazily created
3441         activations.
3442
3443         * dfg/DFGSpeculativeJIT32_64.cpp:
3444         (JSC::DFG::SpeculativeJIT::compile):
3445         * dfg/DFGSpeculativeJIT64.cpp:
3446         (JSC::DFG::SpeculativeJIT::compile):
3447         * jit/JITPropertyAccess.cpp:
3448         (JSC::JIT::emitResolveClosure):
3449         * jit/JITPropertyAccess32_64.cpp:
3450         (JSC::JIT::emitResolveClosure):
3451         * llint/LowLevelInterpreter32_64.asm:
3452         * llint/LowLevelInterpreter64.asm:
3453
3454 2014-08-14  Oliver Hunt  <oliver@apple.com>
3455
3456         Create activations eagerly
3457         https://bugs.webkit.org/show_bug.cgi?id=135942
3458
3459         Reviewed by Geoffrey Garen.
3460
3461         Prepare to rewrite activation objects into a more
3462         sane implementation. Step 1 is reverting to eager
3463         creation of the activation object. This results in
3464         a 1.35x regression in earley, but otherwise has a
3465         minimal performance impact.
3466
3467         The earley regression is being tracked by bug #135943
3468
3469         * bytecompiler/BytecodeGenerator.cpp:
3470         (JSC::BytecodeGenerator::BytecodeGenerator):
3471         (JSC::BytecodeGenerator::emitNewFunctionInternal):
3472         (JSC::BytecodeGenerator::emitNewFunctionExpression):
3473         (JSC::BytecodeGenerator::emitCallEval):
3474         (JSC::BytecodeGenerator::emitPushWithScope):
3475         (JSC::BytecodeGenerator::emitPushCatchScope):
3476         (JSC::BytecodeGenerator::createActivationIfNecessary): Deleted.
3477         * bytecompiler/BytecodeGenerator.h:
3478         * jit/JITOpcodes.cpp:
3479         (JSC::JIT::emit_op_create_activation):
3480         * jit/JITOpcodes32_64.cpp:
3481         (JSC::JIT::emit_op_create_activation):
3482         * llint/LowLevelInterpreter32_64.asm:
3483         * llint/LowLevelInterpreter64.asm:
3484
3485 2014-08-14  Oliver Hunt  <oliver@apple.com>
3486
3487         Create activations eagerly
3488         https://bugs.webkit.org/show_bug.cgi?id=135942
3489
3490         Reviewed by Geoffrey Garen.
3491
3492         Prepare to rewrite activation objects into a more
3493         sane implementation. Step 1 is reverting to eager
3494         creation of the activation object. This results in
3495         a 1.35x regression in earley, but otherwise has a
3496         minimal performance impact.
3497
3498         The earley regression is being tracked by 
3499         http://webkit.org/b/135943
3500
3501         * bytecompiler/BytecodeGenerator.cpp:
3502         (JSC::BytecodeGenerator::BytecodeGenerator):
3503         (JSC::BytecodeGenerator::emitNewFunctionInternal):
3504         (JSC::BytecodeGenerator::emitNewFunctionExpression):
3505         (JSC::BytecodeGenerator::emitCallEval):
3506         (JSC::BytecodeGenerator::emitPushWithScope):
3507         (JSC::BytecodeGenerator::emitPushCatchScope):
3508         (JSC::BytecodeGenerator::createActivationIfNecessary): Deleted.
3509         * bytecompiler/BytecodeGenerator.h:
3510         * jit/JITOpcodes.cpp:
3511         (JSC::JIT::emit_op_create_activation):
3512         * jit/JITOpcodes32_64.cpp:
3513         (JSC::JIT::emit_op_create_activation):
3514         * llint/LowLevelInterpreter32_64.asm:
3515         * llint/LowLevelInterpreter64.asm:
3516
3517 2014-08-14  Tomas Popela  <tpopela@redhat.com>
3518
3519         Add support for ppc, ppc64, ppc64le, s390, s390x into the CMake build
3520         https://bugs.webkit.org/show_bug.cgi?id=135937
3521
3522         Reviewed by Carlos Garcia Campos.
3523
3524         * CMakeLists.txt:
3525
3526 2014-08-14  Akos Kiss  <akiss@inf.u-szeged.hu>
3527
3528         Fix JSC::ARM64Assembler::LinkRecord::RealTypes
3529         https://bugs.webkit.org/show_bug.cgi?id=135906
3530
3531         Reviewed by Michael Saboff.
3532
3533         JSC::ARM64Assembler::LinkRecord::RealTypes::m_compareRegister is defined
3534         to occupy 5 bits but JSC::ARM64Assembler::RegisterID needs 6 bits. So,
3535         increase the size of the bit field and also reorganize the struct to 
3536         better align with word boundaries.
3537
3538         * assembler/ARM64Assembler.h:
3539
3540 2014-08-13  Akos Kiss  <akiss@inf.u-szeged.hu>
3541
3542         Add ARM64 support to CMake-based builds
3543         https://bugs.webkit.org/show_bug.cgi?id=135912
3544
3545         Reviewed by Gyuyoung Kim.
3546
3547         This patch ensures that CMake does not fail with Unknown CPU error when
3548         building for ARM64.
3549
3550         * CMakeLists.txt:
3551
3552 2014-08-13  Wenson Hsieh  <wenson_hsieh@apple.com>
3553
3554         Enable CSS_SCROLL_SNAP for iOS
3555         https://bugs.webkit.org/show_bug.cgi?id=135915
3556
3557         Turn on CSS_SCROLL_SNAP for iOS and the iOS simulator.
3558
3559         Reviewed by Tim Horton.
3560
3561         * Configurations/FeatureDefines.xcconfig:
3562
3563 2014-08-13  Alex Christensen  <achristensen@webkit.org>
3564
3565         Progress towards CMake on Mac.
3566         https://bugs.webkit.org/show_bug.cgi?id=135819
3567
3568         Reviewed by Laszlo Gombos.
3569
3570         * CMakeLists.txt:
3571         Add the remote inspector headers to the forwarding headers list.
3572
3573 2014-08-13  Daniel Bates  <dabates@apple.com>
3574
3575         [iOS] Make JavaScriptCore and bmalloc build with the public SDK
3576         https://bugs.webkit.org/show_bug.cgi?id=135848
3577
3578         Reviewed by Geoffrey Garen.
3579
3580         * API/JSBase.h: Declare NSMap functions with external linkage when building for iOS without the
3581         header <Foundation/NSMapTablePriv.h>.
3582         * inspector/remote/RemoteInspector.mm: Define XPC functions with external linkage when building
3583         without the system header <xpc/xpc.h>.
3584         * inspector/remote/RemoteInspectorXPCConnection.h: Define xpc_connection_t and xpc_object_t when building
3585         without the system header <xpc/xpc.h>.
3586         * inspector/remote/RemoteInspectorXPCConnection.mm: Declare XPC functions with external linkage when
3587         building without the system header <xpc/xpc.h>.
3588         (Inspector::RemoteInspectorXPCConnection::closeOnQueue): Fix code style; use nullptr instead of NULL.
3589         (Inspector::RemoteInspectorXPCConnection::sendMessage): Ditto.
3590
3591 2014-08-12  Peyton Randolph  <prandolph@apple.com>
3592
3593         Runtime switch for long mouse press gesture. Part of 135257 - Add long mouse press gesture.
3594         https://bugs.webkit.org/show_bug.cgi?id=135682
3595
3596         Reviewed by Tim Horton.
3597
3598         * Configurations/FeatureDefines.xcconfig:
3599         Remove ENABLE_LONG_MOUSE_PRESS feature flag.
3600
3601 2014-08-12  Alex Christensen  <achristensen@webkit.org>
3602
3603         Generate header detection headers for CMake on Windows.
3604         https://bugs.webkit.org/show_bug.cgi?id=135807
3605
3606         Reviewed by Brent Fulgham.
3607
3608         * CMakeLists.txt:
3609         Include the derived sources directory to find WTF/WTFHeaderDetection.h.
3610
3611 2014-08-11  Andy Estes  <aestes@apple.com>
3612
3613         [iOS] Get rid of iOS.xcconfig
3614         https://bugs.webkit.org/show_bug.cgi?id=135809
3615
3616         Reviewed by Joseph Pecoraro.
3617
3618         All iOS.xcconfig did was include AspenFamily.xcconfig, so there's no need for the indirection.
3619
3620         * Configurations/Base.xcconfig:
3621         * Configurations/iOS.xcconfig: Removed.
3622         * JavaScriptCore.xcodeproj/project.pbxproj:
3623
3624 2014-08-11  Michael Saboff  <msaboff@apple.com>
3625
3626         Eliminate {push,pop}CalleeSaves in favor of individual pushes & pops
3627         https://bugs.webkit.org/show_bug.cgi?id=127155
3628
3629         Reviewed by Geoffrey Garen.
3630
3631         Eliminated the offline assembler instructions {push,pop}CalleeSaves as well as the
3632         ARM64 specific {push,pop}LRAndFP and replaced them with individual push and pop
3633         instructions. Where the registers referenced by the added push and pop instructions
3634         are not part of the offline assembler register aliases, used a newly added "emit"
3635         offline assembler instruction which takes a string literal and outputs that
3636         string as a native instruction.
3637
3638         * llint/LowLevelInterpreter.asm:
3639         * offlineasm/arm.rb:
3640         * offlineasm/arm64.rb:
3641         * offlineasm/ast.rb:
3642         * offlineasm/cloop.rb:
3643         * offlineasm/instructions.rb:
3644         * offlineasm/mips.rb:
3645         * offlineasm/parser.rb:
3646         * offlineasm/sh4.rb:
3647         * offlineasm/transform.rb:
3648         * offlineasm/x86.rb:
3649
3650 2014-08-11  Mark Lam  <mark.lam@apple.com>
3651
3652         Re-landing r172401 with fixed test.
3653         <https://webkit.org/b/135782>
3654
3655         Not reviewed.
3656
3657         * bytecompiler/BytecodeGenerator.cpp:
3658         (JSC::BytecodeGenerator::emitGetByVal):
3659         (JSC::BytecodeGenerator::pushIndexedForInScope):
3660         (JSC::BytecodeGenerator::pushStructureForInScope):
3661         * bytecompiler/BytecodeGenerator.h:
3662         (JSC::ForInContext::ForInContext):
3663         (JSC::ForInContext::base):
3664         (JSC::StructureForInContext::StructureForInContext):
3665         (JSC::IndexedForInContext::IndexedForInContext):
3666         * bytecompiler/NodesCodegen.cpp:
3667         (JSC::ForInNode::emitMultiLoopBytecode):
3668         * tests/stress/for-in-tests.js:
3669
3670 2014-08-11  Commit Queue  <commit-queue@webkit.org>
3671
3672         Unreviewed, rolling out r172401.
3673         https://bugs.webkit.org/show_bug.cgi?id=135812
3674
3675         Failing stress/for-in-tests.js
3676         http://build.webkit.org/builders/Apple%20Mavericks%20Release%20WK1%20%28Tests%29/builds/7945/steps
3677         /jscore-test/logs/stdio (Requested by mlam on #webkit).
3678
3679         Reverted changeset:
3680
3681         "for-in optimization should also make sure the base matches
3682         the object being iterated"
3683         https://bugs.webkit.org/show_bug.cgi?id=135782
3684         http://trac.webkit.org/changeset/172401
3685
3686 2014-08-11  Brian J. Burg  <burg@cs.washington.edu>
3687
3688         Web Inspector: use type builders to construct high fidelity type information payloads
3689         https://bugs.webkit.org/show_bug.cgi?id=135803
3690
3691         Reviewed by Timothy Hatcher.
3692
3693         Due to some typos in the protocol file, the code had worked with raw objects
3694         rather than with type builders. Convert to using builders.
3695
3696         * inspector/agents/InspectorRuntimeAgent.cpp:
3697         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
3698         * inspector/agents/InspectorRuntimeAgent.h:
3699         * inspector/protocol/Runtime.json: Fix 'item' for 'items'; true for 'true'.
3700         * runtime/HighFidelityTypeProfiler.cpp:
3701         (JSC::HighFidelityTypeProfiler::getTypesForVariableAtOffsetForInspector):
3702         * runtime/HighFidelityTypeProfiler.h:
3703         * runtime/TypeSet.cpp:
3704         (JSC::TypeSet::allStructureRepresentations):
3705         (JSC::StructureShape::stringRepresentation):
3706         (JSC::StructureShape::inspectorRepresentation):
3707         * runtime/TypeSet.h:
3708
3709 2014-08-11  Mark Hahnenberg  <mhahnenberg@apple.com>
3710
3711         for-in optimization should also make sure the base matches the object being iterated
3712         https://bugs.webkit.org/show_bug.cgi?id=135782
3713
3714         Reviewed by Geoffrey Garen.
3715
3716         If we access a different base object with the same index, we shouldn't try to randomly 
3717         load from that object's backing store.
3718
3719         * bytecompiler/BytecodeGenerator.cpp:
3720         (JSC::BytecodeGenerator::emitGetByVal):
3721         (JSC::BytecodeGenerator::pushIndexedForInScope):
3722         (JSC::BytecodeGenerator::pushStructureForInScope):
3723         * bytecompiler/BytecodeGenerator.h:
3724         (JSC::ForInContext::ForInContext):
3725         (JSC::ForInContext::base):
3726         (JSC::StructureForInContext::StructureForInContext):
3727         (JSC::IndexedForInContext::IndexedForInContext):
3728         * bytecompiler/NodesCodegen.cpp:
3729         (JSC::ForInNode::emitMultiLoopBytecode):
3730         * tests/stress/for-in-tests.js:
3731
3732 2014-08-11  Brent Fulgham  <bfulgham@apple.com>
3733
3734         [Win] Unreviewed gardening.
3735
3736         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Display files in
3737         proper folder categories.
3738
3739 2014-08-11  Mark Hahnenberg  <mhahnenberg@apple.com>
3740
3741         JIT should use full 64-bit stores for jsBoolean and jsNull
3742         https://bugs.webkit.org/show_bug.cgi?id=135784
3743
3744         Reviewed by Michael Saboff.
3745
3746         This guarantees that we set the high bits of the register with the correct tag.
3747
3748         * dfg/DFGSpeculativeJIT64.cpp:
3749         (JSC::DFG::SpeculativeJIT::compile):
3750         * jit/JITOpcodes.cpp:
3751         (JSC::JIT::emit_op_has_structure_property):
3752         (JSC::JIT::emit_op_next_enumerator_pname):
3753
3754 2014-08-11  Brent Fulgham  <bfulgham@apple.com>
3755
3756         [Win] Adjust build script for Windows production build.
3757         https://bugs.webkit.org/show_bug.cgi?id=135806
3758         <rdar://problem/17978299>
3759
3760         Reviewed by Timothy Hatcher.
3761
3762         * JavaScriptCore.vcxproj/copy-files.cmd: Copy file for later use
3763         in WebInspectorUI build.
3764
3765 2014-08-10  Oliver Hunt  <oliver@apple.com>
3766
3767         Destructuring assignment in a var declaration list incorrectly consumes subsequent variable initialisers
3768         https://bugs.webkit.org/show_bug.cgi?id=135773
3769
3770         Reviewed by Michael Saboff.
3771
3772         We should be using parseAssignment expression in order to get the correct
3773         precedence.
3774
3775         * parser/Parser.cpp:
3776         (JSC::Parser<LexerType>::parseVarDeclarationList):
3777
3778 2014-08-10  Diego Pino Garcia  <dpino@igalia.com>
3779
3780         JSC Lexer is allowing octals 08 and 09 in strict mode functions
3781         https://bugs.webkit.org/show_bug.cgi?id=135704
3782
3783         Reviewed by Oliver Hunt.
3784
3785         Return syntax error ("Decimal integer literals with a leading zero are
3786         forbidden in strict mode") if a number starts with 0 and is followed 
3787         by a digit.
3788
3789         * parser/Lexer.cpp:
3790         (JSC::Lexer<T>::lex):
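
The leading-zero rule this entry describes, as an added JavaScript illustration that is not part of the ChangeLog or of JavaScriptCore's Lexer: a small integer-literal scanner (the names `lexNumber`, `lexAll` and `LexError` are assumptions of this example) that rejects `0` followed by a digit in strict mode and, for contrast, applies the standard sloppy-mode legacy-octal handling.

```javascript
// Added example, not JavaScriptCore code: a minimal scanner for decimal and
// legacy-octal integer literals that applies the strict-mode check from the
// entry above. Hex, binary and fractional literals are out of scope here.

class LexError extends Error {}

// Scan one integer literal at the start of `src` and return
// { kind, value, length }. Throws LexError when strict-mode code uses a
// literal that starts with "0" and is immediately followed by a digit.
function lexNumber(src, strict) {
  if (!/^[0-9]/.test(src)) throw new LexError('not a numeric literal');

  const leadingZeroThenDigit = src[0] === '0' && src.length > 1 && /[0-9]/.test(src[1]);
  if (leadingZeroThenDigit) {
    if (strict) {
      throw new LexError(
        'Decimal integer literals with a leading zero are forbidden in strict mode');
    }
    const m = /^0[0-9]+/.exec(src)[0];
    // Sloppy mode (ECMAScript Annex B): all digits 0-7 means legacy octal,
    // e.g. 017 === 15; any 8 or 9 makes the whole literal decimal, e.g. 08 === 8.
    if (/^[0-7]+$/.test(m.slice(1))) {
      return { kind: 'legacy-octal', value: parseInt(m.slice(1), 8), length: m.length };
    }
    return { kind: 'decimal', value: parseInt(m, 10), length: m.length };
  }

  // A plain decimal literal, including a lone "0".
  const m = /^[0-9]+/.exec(src)[0];
  return { kind: 'decimal', value: parseInt(m, 10), length: m.length };
}

// Run the scanner over a list of literals in one mode; lexer errors are
// returned as { kind: 'error' } entries so both modes can be compared side by side.
function lexAll(literals, strict) {
  return literals.map((lit) => {
    try {
      return lexNumber(lit, strict);
    } catch (e) {
      if (e instanceof LexError) return { kind: 'error', message: e.message, length: 0 };
      throw e;
    }
  });
}

// Constructed sample inputs covering the cases the entry is about.
const SAMPLE_LITERALS = ['0', '7', '08', '09', '017', '0189', '100'];

if (typeof require !== 'undefined' && require.main === module) {
  console.log('sloppy:', lexAll(SAMPLE_LITERALS, false));
  console.log('strict:', lexAll(SAMPLE_LITERALS, true));
}
```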
3791
3792 2014-08-08  Mark Lam  <mark.lam@apple.com>
3793
3794         REGRESSION: Inspector crashes when debugger is paused and injected scripts access window.screen().
3795         <https://webkit.org/b/135656>
3796
3797         Not reviewed.
3798
3799         Rolling out r170680 which was merged to ToT in r172129.
3800
3801         * debugger/Debugger.h:
3802         * debugger/DebuggerCallFrame.cpp:
3803         (JSC::DebuggerCallFrame::scope):
3804         (JSC::DebuggerCallFrame::evaluate):
3805         (JSC::DebuggerCallFrame::invalidate):
3806         * debugger/DebuggerCallFrame.h:
3807         * debugger/DebuggerScope.cpp:
3808         (JSC::DebuggerScope::DebuggerScope):
3809         (JSC::DebuggerScope::finishCreation):
3810         (JSC::DebuggerScope::visitChildren):
3811         (JSC::DebuggerScope::className):
3812         (JSC::DebuggerScope::getOwnPropertySlot):
3813         (JSC::DebuggerScope::put):
3814         (JSC::DebuggerScope::deleteProperty):
3815         (JSC::DebuggerScope::getOwnPropertyNames):
3816         (JSC::DebuggerScope::defineOwnProperty):
3817         (JSC::DebuggerScope::next): Deleted.
3818         (JSC::DebuggerScope::invalidateChain): Deleted.
3819         (JSC::DebuggerScope::isWithScope): Deleted.
3820         (JSC::DebuggerScope::isGlobalScope): Deleted.
3821         (JSC::DebuggerScope::isFunctionScope): Deleted.
3822         * debugger/DebuggerScope.h:
3823         (JSC::DebuggerScope::create):
3824         (JSC::DebuggerScope::Iterator::Iterator): Deleted.
3825         (JSC::DebuggerScope::Iterator::get): Deleted.
3826         (JSC::DebuggerScope::Iterator::operator++): Deleted.
3827         (JSC::DebuggerScope::Iterator::operator==): Deleted.
3828         (JSC::DebuggerScope::Iterator::operator!=): Deleted.
3829         (JSC::DebuggerScope::isValid): Deleted.
3830         (JSC::DebuggerScope::jsScope): Deleted.
3831         (JSC::DebuggerScope::begin): Deleted.
3832         (JSC::DebuggerScope::end): Deleted.
3833         * inspector/JSJavaScriptCallFrame.cpp:
3834         (Inspector::JSJavaScriptCallFrame::scopeType):
3835         (Inspector::JSJavaScriptCallFrame::scopeChain):
3836         * inspector/JavaScriptCallFrame.h:
3837         (Inspector::JavaScriptCallFrame::scopeChain):
3838         * inspector/ScriptDebugServer.cpp:
3839         * runtime/JSGlobalObject.cpp:
3840         (JSC::JSGlobalObject::reset):
3841         (JSC::JSGlobalObject::visitChildren):
3842         * runtime/JSGlobalObject.h:
3843         (JSC::JSGlobalObject::debuggerScopeStructure): Deleted.
3844         * runtime/JSObject.h:
3845         (JSC::JSObject::isWithScope): Deleted.
3846         * runtime/JSScope.h:
3847         * runtime/VM.cpp:
3848         (JSC::VM::VM):
3849         * runtime/VM.h:
3850
3851 2014-08-07  Saam Barati  <sbarati@apple.com>
3852
3853         Create a more generic way for VMEntryScope to notify those interested that it will be destroyed
3854         https://bugs.webkit.org/show_bug.cgi?id=135358
3855
3856         Reviewed by Geoffrey Garen.
3857
3858         When VMEntryScope is destroyed, and it has a flag set indicating that the
3859         Debugger needs to recompile all functions, it calls Debugger::recompileAllJSFunctions.
3860         This flag is only used by Debugger to have VMEntryScope notify it when the
3861         Debugger is safe to recompile all functions. This patch will substitute this
3862         Debugger-specific recompilation flag with a list of callbacks that are notified
3863         when the outermost VMEntryScope dies. This creates a general purpose interface
3864         for being notified when the VM stops executing code via the event of the outermost
3865         VMEntryScope dying.
3866
3867         * debugger/Debugger.cpp:
3868         (JSC::Debugger::recompileAllJSFunctions):
3869         * runtime/VMEntryScope.cpp:
3870         (JSC::VMEntryScope::VMEntryScope):
3871         (JSC::VMEntryScope::setEntryScopeDidPopListener):
3872         (JSC::VMEntryScope::~VMEntryScope):
3873         * runtime/VMEntryScope.h:
3874         (JSC::VMEntryScope::setRecompilationNeeded): Deleted.
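
As an added illustration of the listener scheme this entry describes (example code, not WebKit's), a hypothetical VM/EntryScope pair in which the Debugger's "recompile all functions" request made while JS is executing is deferred until the outermost scope pops; the names VM, EntryScope, recompileAllJSFunctions and runScenario are stand-ins for the real JSC types, and the scenario input is constructed.

```cpp
#include <cassert>
#include <functional>
#include <vector>
class EntryScope;
// Hypothetical stand-in for JSC's VM (not WebKit code): tracks the outermost scope.
struct VM {
    EntryScope* entryScope = nullptr;   // non-null while any JS is executing
    int recompileCount = 0;             // how often "recompile all functions" ran
};
// RAII guard pushed each time the host enters the VM, like JSC's VMEntryScope.
class EntryScope {
public:
    explicit EntryScope(VM& vm) : m_vm(vm), m_isOutermost(!vm.entryScope) {
        if (m_isOutermost) vm.entryScope = this;
    }
    ~EntryScope() {
        if (!m_isOutermost) return;     // nested pop: code is still running
        // Outermost pop: clear the marker first so re-entrant listeners see an idle VM.
        m_vm.entryScope = nullptr;
        for (auto& listener : m_didPopListeners) listener(m_vm);
    }
    // General-purpose replacement for the old Debugger-only recompile flag.
    void setEntryScopeDidPopListener(std::function<void(VM&)> listener) {
        m_didPopListeners.push_back(listener);
    }
private:
    VM& m_vm;
    bool m_isOutermost;
    std::vector<std::function<void(VM&)>> m_didPopListeners;
};
// Debugger::recompileAllJSFunctions analogue: unsafe while JS frames are live, so deferred.
void recompileAllJSFunctions(VM& vm) {
    if (vm.entryScope) {
        vm.entryScope->setEntryScopeDidPopListener([](VM& v) { recompileAllJSFunctions(v); });
        return;
    }
    vm.recompileCount++;
}
// Constructed scenario: a recompile requested inside a nested entry runs only after the outermost pops.
int runScenario() {
    VM vm;
    {
        EntryScope outer(vm);
        { EntryScope inner(vm); recompileAllJSFunctions(vm); }   // deferred
        assert(vm.recompileCount == 0);    // inner pop must not trigger it
    }
    recompileAllJSFunctions(vm);           // VM idle: runs immediately
    return vm.recompileCount;              // 2: the deferred one plus this one
}
```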
3875
3876 2014-08-07  Benjamin Poulain  <bpoulain@apple.com>
3877
3878         Get rid of SCRIPTED_SPEECH
3879         https://bugs.webkit.org/show_bug.cgi?id=135729
3880
3881         Reviewed by Brent Fulgham.
3882
3883         * Configurations/FeatureDefines.xcconfig:
3884
3885 2014-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>
3886
3887         SpeculateInt32Operand is sometimes used in a 64-bit context, which has undefined behavior
3888         https://bugs.webkit.org/show_bug.cgi?id=135722
3889
3890         Reviewed by Filip Pizlo.
3891
3892         We should be using SpeculateStrictInt32Operand instead.
3893
3894         * dfg/DFGSpeculativeJIT64.cpp:
3895         (JSC::DFG::SpeculativeJIT::compile):
3896
3897 2014-08-07  Benjamin Poulain  <bpoulain@apple.com>
3898
3899         Get rid of INPUT_SPEECH
3900         https://bugs.webkit.org/show_bug.cgi?id=135672
3901
3902         Reviewed by Andreas Kling.
3903