[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-10-03  Saam Barati  <saambarati1@gmail.com>

        Web Inspector: Move the computation that results in UI strings from JSC to the Web Inspector
        https://bugs.webkit.org/show_bug.cgi?id=137295

        Reviewed by Timothy Hatcher.

        Remove unnecessary functions and properties from JSC that are
        now being computed inside the Web Inspector.

        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        * inspector/protocol/Runtime.json:
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::allPrimitiveTypeNames): Deleted.
        * runtime/TypeSet.h:

2014-10-02  Filip Pizlo  <fpizlo@apple.com>

        FTL should sink PutLocals
        https://bugs.webkit.org/show_bug.cgi?id=137168

        Reviewed by Oliver Hunt.

        We've known for a while that our PutLocal situation was sub-optimal. We emit them anytime we
        "pass" arguments to an inlined function call, because we need to enable the runtime to grab
        those arguments when doing foo.arguments where foo is inlined: our engine doesn't deoptimize
        in that case but rather just relies on the arguments being flushed (i.e. a copy of their
        values is spilled) at a well-known place in a well-known format.

        The PutLocals incur two costs: (1) they are store instructions and stores ain't free, and (2)
        they look like escaping sites and so they inhibit object allocation sinking.

        But in most cases, the PutLocals are unnecessary because the inlined code never performs any
        side effect that could transitively lead to function.arguments. Even if the inlined code
        could do such a side effect, it may be on a rare path so there is no need to penalize the
        entire function.

        This patch implements one solution to the PutLocal problem: it aggressively sinks PutLocals
        to the latest possible point. This is even more aggressive than the object allocation
        sinking. That sinking algorithm avoids creating situations where an object could be
        materialized more than once along any path. PutLocal sinking, on the other hand, doesn't avoid
        this at all - both to make the phase cheaper and simpler and to make it more aggressive.
        Every PutLocal is sunk no matter what.

        The upside of this patch is that it eliminates many PutLocals: many of them are sunk "past
        their death", thus eliminating them completely. Others are sunk to rare paths. This enables a
        lot of object allocation sinking and it removes a lot of pointless store instructions.

        It also has downsides. Sinking PutLocals increases register pressure because it increases the
        live ranges of things like inlined arguments.

        This patch is a net performance win in its current form: 1% SunSpider regression, 2% OctaneV2
        progression, 0.6% Kraken regression, 1% AsmBench progression, and 0.5% CompressionBench
        regression. The biggest win is on Octane/raytrace, which improves by 27%.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.h:
        * bytecode/Operands.h:
        (JSC::Operands::dump): Deleted.
        * bytecode/OperandsInlines.h:
        (JSC::Traits>::dump):
        * bytecode/VirtualRegister.h:
        (JSC::VirtualRegister::isHeader):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGClobberSet.h:
        (JSC::DFG::ClobberSetAdd::operator()):
        (JSC::DFG::ClobberSetOverlaps::operator()):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        (JSC::DFG::NoOpClobberize::operator()):
        (JSC::DFG::CheckClobberize::operator()):
        (JSC::DFG::AbstractHeapOverlaps::operator()):
        (JSC::DFG::ReadMethodClobberize::operator()):
        (JSC::DFG::WriteMethodClobberize::operator()):
        (JSC::DFG::DefMethodClobberize::operator()):
        * dfg/DFGFlushFormat.h:
        (JSC::DFG::merge):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::capturedVarsFor):
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints):
        (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPreciseLocalClobberize.h: Added.
        (JSC::DFG::PreciseLocalClobberizeAdaptor::PreciseLocalClobberizeAdaptor):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::read):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::write):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::def):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::callIfAppropriate):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop):
        (JSC::DFG::forEachLocalReadByUnwind):
        (JSC::DFG::preciseLocalClobberize):
        * dfg/DFGPutLocalSinkingPhase.cpp: Added.
        (JSC::DFG::performPutLocalSinking):
        * dfg/DFGPutLocalSinkingPhase.h: Added.
        * dfg/DFGSSACalculator.h:
        (JSC::DFG::SSACalculator::computePhis):
        * dfg/DFGValidate.cpp:

2014-10-03  Saam Barati  <saambarati1@gmail.com>

        Change how 32-bit JSValues check if they are a Boolean

        Rubber stamped by Filip Pizlo.

        32-bit JSValue::isBoolean can simply check if its tag corresponds
        to the boolean tag instead of checking if it's either true or false.

        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isBoolean):

2014-10-01  Oliver Hunt  <oliver@apple.com>

        Do all closed variable access through the local lexical object
        https://bugs.webkit.org/show_bug.cgi?id=136869

        Reviewed by Filip Pizlo.

        This patch makes all reads and writes from captured registers
        go through the lexical record, and by doing so removes the
        need for record tearoff.

        To keep the patch simple we still number variables as though
        they are local stack allocated registers, but ::local() will
        fail. When local fails we perform a generic resolve, and in
        that resolve we now use a ResolveScopeInfo struct to pass
        around information about whether a lookup is a statically
        known captured variable, and its location in the activation.
        To ensure correct behaviour during codeblock linking we also
        add a LocalClosureVariable resolution type.

        To ensure correct semantics for the Arguments object, we now
        have to eagerly create the Arguments object for any function
        that uses both the Arguments object and requires a lexical
        record.

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::finalizeUnconditionally):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::initializeCapturedVariable):
          During the entry to a function we are not yet in a position
          to allocate temporaries so we directly use the lexical
          environment register.
        (JSC::BytecodeGenerator::resolveCallee):
        (JSC::BytecodeGenerator::emitMove):
        (JSC::BytecodeGenerator::local):
        (JSC::BytecodeGenerator::constLocal):
        (JSC::BytecodeGenerator::emitResolveScope):
        (JSC::BytecodeGenerator::emitResolveConstantLocal):
          The two resolve scope operations could technically skip
          the op_resolve_scope, and simply perform
              op_mov dst, recordRegister
          but for now it seemed best to maintain the same basic
          behaviour.
        (JSC::BytecodeGenerator::emitGetFromScope):
        (JSC::BytecodeGenerator::emitPutToScope):
        (JSC::BytecodeGenerator::createArgumentsIfNecessary):
          If we have an environment we've already created Arguments
          so no need to check again.
        (JSC::BytecodeGenerator::emitReturn):
          Don't need to emit tearoff_environment
        * bytecompiler/BytecodeGenerator.h:
        (JSC::Local::Local):
        (JSC::Local::operator bool):
        (JSC::Local::get):
        (JSC::Local::isReadOnly):
        (JSC::Local::isSpecial):
        (JSC::ResolveScopeInfo::ResolveScopeInfo):
        (JSC::ResolveScopeInfo::isLocal):
        (JSC::ResolveScopeInfo::localIndex):
        (JSC::BytecodeGenerator::shouldCreateArgumentsEagerly):
        (JSC::Local::isCaptured): Deleted.
        (JSC::Local::captureMode): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ResolveNode::emitBytecode):
        (JSC::EvalFunctionCallNode::emitBytecode):
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::PostfixNode::emitResolve):
        (JSC::DeleteResolveNode::emitBytecode):
        (JSC::TypeOfResolveNode::emitBytecode):
        (JSC::PrefixNode::emitResolve):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::ConstDeclNode::emitCodeSingle):
        (JSC::EmptyVarExpression::emitBytecode):
        (JSC::ForInNode::tryGetBoundLocal):
        (JSC::ForInNode::emitLoopHeader):
        (JSC::ForOfNode::emitBytecode):
        (JSC::BindingNode::bindValue):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::tryGetRegisters):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * interpreter/Interpreter.cpp:
        (JSC::unwindCallFrame):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_captured_mov): Deleted.
        (JSC::JIT::emit_op_tear_off_lexical_environment): Deleted.
        (JSC::JIT::emitSlow_op_captured_mov): Deleted.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_captured_mov): Deleted.
        (JSC::JIT::emit_op_tear_off_lexical_environment): Deleted.
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_resolve_scope):
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emitPutClosureVar):
        (JSC::JIT::emit_op_put_to_scope):
        (JSC::JIT::emitSlow_op_put_to_scope):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_resolve_scope):
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emitPutClosureVar):
        (JSC::JIT::emit_op_put_to_scope):
        (JSC::JIT::emitSlow_op_put_to_scope):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/Arguments.cpp:
        (JSC::Arguments::tearOff):
        * runtime/Arguments.h:
        (JSC::Arguments::argument):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL): Deleted.
        * runtime/CommonSlowPaths.h:
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::visitChildren):
        (JSC::JSLexicalEnvironment::symbolTableGet):
        (JSC::JSLexicalEnvironment::symbolTablePut):
        (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
        (JSC::JSLexicalEnvironment::getOwnPropertySlot):
        (JSC::JSLexicalEnvironment::argumentsGetter):
        * runtime/JSLexicalEnvironment.h:
        (JSC::JSLexicalEnvironment::create):
        (JSC::JSLexicalEnvironment::JSLexicalEnvironment):
        (JSC::JSLexicalEnvironment::tearOff): Deleted.
        (JSC::JSLexicalEnvironment::isTornOff): Deleted.
        * runtime/JSScope.cpp:
        (JSC::resolveTypeName):
        * runtime/JSScope.h:
        (JSC::makeType):
        (JSC::needsVarInjectionChecks):
        * runtime/WriteBarrier.h:
        (JSC::WriteBarrier<Unknown>::WriteBarrier):

2014-10-02  Filip Pizlo  <fpizlo@apple.com>

        Object allocation sinking should have a sound story for picking materialization points
        https://bugs.webkit.org/show_bug.cgi?id=137315

        Reviewed by Oliver Hunt.

        The only missing piece was having the object allocation sinking phase locate materialization
        points that were at CFG edges.

        The logic for how and why this "just works" relies on some properties of critical edge
        breaking, so I was fairly careful in how I did this. Also, this requires inserting things at
        the "first origin node" of a block - that is the first node in a block that has a NodeOrigin
        and therefore is allowed to exit. We basically had support for such a notion before, but
        didn't close the loop on it; this patch does that.

        Also I added the ability to provide a BasicBlock* as context for a DFG_ASSERT().

        * dfg/DFGBasicBlock.cpp:
        (JSC::DFG::BasicBlock::firstOriginNode):
        (JSC::DFG::BasicBlock::firstOrigin):
        * dfg/DFGBasicBlock.h:
        * dfg/DFGCriticalEdgeBreakingPhase.cpp:
        (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::crash):
        (JSC::DFG::Graph::handleAssertionFailure):
        * dfg/DFGGraph.h:
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        (JSC::DFG::createPreHeader):
        * dfg/DFGNodeOrigin.h:
        (JSC::DFG::NodeOrigin::isSet):
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints):
        (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints):
        (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields):
        (JSC::DFG::ObjectAllocationSinkingPhase::createMaterialize):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        * runtime/Options.h:

2014-10-02  Daniel Bates  <dabates@apple.com>

        Clean up: Move XPC forward declarations in JavaScriptCore to WTF SPI wrapper header
        https://bugs.webkit.org/show_bug.cgi?id=137277

        Reviewed by Alexey Proskuryakov.

        Use wtf/spi/darwin/XPCSPI.h instead of including the corresponding XPC headers/
        forward declaring XPC functions.

        * inspector/remote/RemoteInspector.mm:
        * inspector/remote/RemoteInspectorXPCConnection.h:
        * inspector/remote/RemoteInspectorXPCConnection.mm:

2014-10-01  Anders Carlsson  <andersca@apple.com>

        Use variadic templates for jsMakeNontrivialString
        https://bugs.webkit.org/show_bug.cgi?id=137325

        Reviewed by Sam Weinig.

        * runtime/JSString.h:
        (JSC::jsNontrivialString):
        Add an overload that takes an rvalue reference to a String so we can transfer ownership easily.

        * runtime/JSStringBuilder.h:
        (JSC::jsMakeNontrivialString):
        Make this a variadic function template, with a single-parameter version that can steal the string if it's OK to do so.

2014-10-02  Mark Lam  <mark.lam@apple.com>

        Fixed the Inspector to be able to properly distinguish between scope types.
        <https://webkit.org/b/137279>

        Reviewed by Geoffrey Garen.

        The pre-existing code incorrectly labels Catch Scopes and Function Name Scopes
        as With Scopes.  This patch will fix this.

        * bytecode/BytecodeList.json:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitPushFunctionNameScope):
        (JSC::BytecodeGenerator::emitPushCatchScope):
        - These now store the desired JSNameScope::Type in a bytecode operand.
        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::isCatchScope):
        (JSC::DebuggerScope::isFunctionNameScope):
        - Added queries to be able to explicitly test if the scope is a CatchScope
          or FunctionNameScope.  The FunctionNameScope is the case where the
          NameScope is used to capture the function name of a function expression.
        * debugger/DebuggerScope.h:
        * inspector/InjectedScriptSource.js:
        * inspector/JSJavaScriptCallFrame.cpp:
        (Inspector::JSJavaScriptCallFrame::scopeType):
        * inspector/JSJavaScriptCallFrame.h:
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
        (Inspector::jsJavaScriptCallFrameConstantFUNCTION_NAME_SCOPE):
        * inspector/protocol/Debugger.json:
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_push_name_scope):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_push_name_scope):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::addNameScopeIfNeeded):
        * runtime/JSNameScope.h:
        (JSC::JSNameScope::create):
        (JSC::JSNameScope::isFunctionNameScope):
        (JSC::JSNameScope::isCatchScope):
        (JSC::JSNameScope::JSNameScope):
        - Now stores the JSNameScope::Type in a field.

2014-10-01  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r174180, r174183, and r174186.
        https://bugs.webkit.org/show_bug.cgi?id=137320

        Broke the Mac MountainLion build. Will investigate offline.
        (Requested by dydz on #webkit).

        Reverted changesets:

        "Clean up: Move XPC forward declarations in JavaScriptCore to
        WTF SPI wrapper header"
        https://bugs.webkit.org/show_bug.cgi?id=137277
        http://trac.webkit.org/changeset/174180

        "Attempt to fix the build after
        <https://trac.webkit.org/changeset/174180>"
        https://bugs.webkit.org/show_bug.cgi?id=137277
        http://trac.webkit.org/changeset/174183

        "Another attempt to fix the Mac build after
        <https://trac.webkit.org/changeset/174180>"
        https://bugs.webkit.org/show_bug.cgi?id=137277
        http://trac.webkit.org/changeset/174186

2014-10-01  Daniel Bates  <dabates@apple.com>

        Clean up: Move XPC forward declarations in JavaScriptCore to WTF SPI wrapper header
        https://bugs.webkit.org/show_bug.cgi?id=137277

        Reviewed by Alexey Proskuryakov.

        Use wtf/spi/darwin/XPCSPI.h instead of including the corresponding XPC headers/
        forward declaring XPC functions.

        * inspector/remote/RemoteInspector.mm:
        * inspector/remote/RemoteInspectorXPCConnection.h:
        * inspector/remote/RemoteInspectorXPCConnection.mm:

2014-10-01  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed build gardening.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Show files in the appropriate
        folders in Visual Studio.

2014-10-01  Filip Pizlo  <fpizlo@apple.com>

        Object allocation sinking is broken for escaping sites in loops
        https://bugs.webkit.org/show_bug.cgi?id=137310

        Reviewed by Michael Saboff.

        I tried to do this clever forward-flow based materialization point placement, and I messed up loops. Disabling
        the phase for now and landing a test to demonstrate what is going on.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * runtime/Options.h:
        * tests/stress/object-escapes-in-loop.js: Added.
        (foo):
        (bar):

2014-10-01  Saam Barati  <saambarati1@gmail.com>

        Support the type profiler in the DFG
        https://bugs.webkit.org/show_bug.cgi?id=136712

        Reviewed by Filip Pizlo.

        This patch implements op_profile_type inside the DFG as the node: ProfileType.
        The DFG will convert the ProfileType node into a Check node in the cases where
        passing a type check is equivalent to writing to the TypeProfilerLog. This
        gives the DFG the potential to optimize out multiple ProfileType nodes into
        a single Check node.

        When the DFG doesn't convert ProfileType into a Check node, it will generate
        the same inline code as the baseline JIT does for writing an entry to the
        TypeProfilerLog.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::typeLocation):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/TypeProfiler.cpp:
        (JSC::TypeProfiler::logTypesForTypeLocation):
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::dumpTypes):
        (JSC::TypeSet::doesTypeConformTo):
        Make this method public so others can reason about the types a TypeSet has seen.
        (JSC::TypeSet::seenTypes): Deleted.
        (JSC::TypeSet::dumpSeenTypes): Deleted.
        Renamed to dumpTypes so the method seenTypes can be used as a public getter.
        * runtime/TypeSet.h:
        (JSC::TypeSet::seenTypes):
        * tests/typeProfiler/dfg-jit-optimizations.js: Added.
        (tierUpToDFG):
        (funcs):
        (.return):

2014-10-01  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix 32-bit.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2014-09-30  Filip Pizlo  <fpizlo@apple.com>

        DFG SSA should use PutLocal/KillLocal instead of SetLocal to communicate what is flushed to the stack and when
        https://bugs.webkit.org/show_bug.cgi?id=137242

        Reviewed by Geoffrey Garen.

        OSR availability has to do with telling you the various ways that you could go about getting
        the value of a bytecode variable. It can give you two options: node availability means that
        there is a node in the DFG IR that has the right value, and flush availability tells you
        that the value was already stored to the stack. The clients of OSR availability would
        typically prefer flush over node availability.

        Previously OSR availability was affected thusly by the various local-related nodes: SetLocal
        set both the node and flush availability, MovHint set node availability and cleared flush
        availability, GetArgument set both, and ZombieHint cleared both.

        A MovHint could be turned into a ZombieHint if its source value was DCEd.

        The fact that each node affected both node and flush availability caused weirdness. For
        example it meant that we could not insert MovHints in areas of the CFG where a SetLocal's
        variable was still live, because then those parts of the code would forget that they had an
        availability flush. This meant that if a flush was available, we wouldn't insert MovHints,
        and so we would forget that a node was in fact available. This kind of "either-or" picking
        was not only hackish but it led to interesting problems for IR transformation: for example
        if you tried to do any kind of code motion on SetLocals, you had to be super careful because
        you might violate the rule that "MovHints must exist for a live local if a flush is
        unavailable".

        The right thing to do is to have independent nodes for flushing and making nodes available.
        They shouldn't interact with each other. This patch accomplishes this:

        - PutLocal means that a value is to be stored to the stack. It makes a flush available.
        - KillLocal means that the value stored to the stack is no longer available for the purposes
          of OSR (i.e. it no longer accurately corresponds to what that actual bytecode variable
          would have been, so you have to fall back on node availability).
        - MovHint means that a node is available. It has no effect on flush availability.
        - ZombieHint means that a node is not available. It has no effect on flush availability.

        This means that we will see a lot of KillLocals and MovHints right next to each other. It's
        a bit verbose, but at least it's precise.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAvailability.h:
        (JSC::DFG::Availability::setFlush):
        (JSC::DFG::Availability::setNode):
        (JSC::DFG::Availability::setNodeUnavailable):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::hasVariableAccessData):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasUnlinkedLocal):
        (JSC::DFG::Node::willHaveCodeGenOrOSR):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compilePutLocal):
        (JSC::FTL::LowerDFGToLLVM::compileSetLocal): Deleted.

2014-10-01  Brent Fulgham  <bfulgham@apple.com>

        [Win] 32-bit JavaScriptCore should limit itself to the C loop
        https://bugs.webkit.org/show_bug.cgi?id=137304
        <rdar://problem/18375370>

        Reviewed by Michael Saboff.

        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl:
        Use the C loop for 32-bit builds.

2014-09-30  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: ErrorString should be passed by reference
        https://bugs.webkit.org/show_bug.cgi?id=137257

        Reviewed by Joseph Pecoraro.

        Pass the leading ErrorString argument by reference, since it is always an out parameter.
        Clean up callsites where the error message is written.

        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::evaluate):
        (Inspector::InjectedScript::callFunctionOn):
        (Inspector::InjectedScript::evaluateOnCallFrame):
        (Inspector::InjectedScript::getFunctionDetails):
        (Inspector::InjectedScript::getProperties):
        (Inspector::InjectedScript::getInternalProperties):
        * inspector/InjectedScript.h:
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::makeEvalCall):
        * inspector/InjectedScriptBase.h:
        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::willDestroyFrontendAndBackend):
        (Inspector::InspectorAgent::enable):
        (Inspector::InspectorAgent::disable):
        (Inspector::InspectorAgent::initialized):
        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::willDestroyFrontendAndBackend):
        (Inspector::InspectorConsoleAgent::enable):
        (Inspector::InspectorConsoleAgent::disable):
        (Inspector::InspectorConsoleAgent::clearMessages):
        (Inspector::InspectorConsoleAgent::reset):
        (Inspector::InspectorConsoleAgent::addMessageToConsole):
        * inspector/agents/InspectorConsoleAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::enable):
        (Inspector::InspectorDebuggerAgent::disable):
        (Inspector::InspectorDebuggerAgent::setBreakpointsActive):
        (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
        (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
        (Inspector::parseLocation):
        (Inspector::InspectorDebuggerAgent::setBreakpoint):
        (Inspector::InspectorDebuggerAgent::removeBreakpoint):
        (Inspector::InspectorDebuggerAgent::continueToLocation):
        (Inspector::InspectorDebuggerAgent::searchInContent):
        (Inspector::InspectorDebuggerAgent::getScriptSource):
        (Inspector::InspectorDebuggerAgent::getFunctionDetails):
        (Inspector::InspectorDebuggerAgent::pause):
        (Inspector::InspectorDebuggerAgent::resume):
        (Inspector::InspectorDebuggerAgent::stepOver):
        (Inspector::InspectorDebuggerAgent::stepInto):
        (Inspector::InspectorDebuggerAgent::stepOut):
        (Inspector::InspectorDebuggerAgent::setPauseOnExceptions):
        (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
        (Inspector::InspectorDebuggerAgent::setOverlayMessage):
693         (Inspector::InspectorDebuggerAgent::didParseSource):
694         (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
695         (Inspector::InspectorDebuggerAgent::assertPaused):
696         * inspector/agents/InspectorDebuggerAgent.h:
697         * inspector/agents/InspectorRuntimeAgent.cpp:
698         (Inspector::InspectorRuntimeAgent::parse):
699         (Inspector::InspectorRuntimeAgent::evaluate):
700         (Inspector::InspectorRuntimeAgent::callFunctionOn):
701         (Inspector::InspectorRuntimeAgent::getProperties):
702         (Inspector::InspectorRuntimeAgent::releaseObject):
703         (Inspector::InspectorRuntimeAgent::releaseObjectGroup):
704         (Inspector::InspectorRuntimeAgent::run):
705         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
706         (Inspector::InspectorRuntimeAgent::enableTypeProfiler):
707         (Inspector::InspectorRuntimeAgent::disableTypeProfiler):
708         * inspector/agents/InspectorRuntimeAgent.h:
709         * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
710         (Inspector::JSGlobalObjectConsoleAgent::setMonitoringXHREnabled):
711         (Inspector::JSGlobalObjectConsoleAgent::addInspectedNode):
712         * inspector/agents/JSGlobalObjectConsoleAgent.h:
713         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
714         (Inspector::JSGlobalObjectDebuggerAgent::injectedScriptForEval):
715         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
716         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
717         (Inspector::JSGlobalObjectRuntimeAgent::injectedScriptForEval):
718         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
719         * inspector/scripts/codegen/generate_backend_dispatcher_header.py:
720         (BackendDispatcherHeaderGenerator._generate_handler_declaration_for_command):
721         (BackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
722         * inspector/scripts/codegen/generate_backend_dispatcher_implementation.py:
723         (BackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
724         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
725         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
726         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
727         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
728
729 2014-09-30  Mark Lam  <mark.lam@apple.com>
730
731         Label some asserts as having security implications.
732         <https://webkit.org/b/137260>
733
734         Reviewed by Filip Pizlo.
735
736         * dfg/DFGGraph.cpp:
737         (JSC::DFG::Graph::handleAssertionFailure):
738         * runtime/JSCell.h:
739         (JSC::jsCast):
740         * runtime/StructureIDTable.h:
741         (JSC::StructureIDTable::get):
742
743 2014-09-30  Filip Pizlo  <fpizlo@apple.com>
744
745         REGRESSION (r174025): Invalid cast in JSC::asString
746         https://bugs.webkit.org/show_bug.cgi?id=137224
747
748         Reviewed by Geoffrey Garen.
749         
750         Store barrier elision in fixup depends on checking the type of the value being stored. It's very important that
751         when we speak of "the value being stored" we are really referring to the right value.
752         
753         The bug here was that the PutClosureVar case was assuming that child2 is the value being stored. It's actually
754         child3. So we were incorrectly removing all barriers from PutClosureVar.
755
756         * dfg/DFGFixupPhase.cpp:
757         (JSC::DFG::FixupPhase::fixupNode):
758
759 2014-09-30  Brian J. Burg  <burg@cs.washington.edu>
760
761         Web Replay: use static Strings instead of AtomicStrings for replay input type tags
762         https://bugs.webkit.org/show_bug.cgi?id=137086
763
764         Reviewed by Joseph Pecoraro.
765
766         This pattern doesn't work when we want to define some inputs in WebKit2.
767         The ReplayInputTypes class was generated from WebCore inputs only. This
768         patch moves all input traits to use static local Strings as type tags.
769
770         * replay/scripts/CodeGeneratorReplayInputs.py: Remove configuration of how
771         type tags are generated, since all framework targets now generate the same code.
772
773         * replay/NondeterministicInput.h:
774         * replay/scripts/CodeGeneratorReplayInputs.py: Simplify and rebase test results.
775         (Generator.generate_input_trait_implementation):
776         * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Simplify templates.
777
778         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp:
779         (JSC::InputTraits<Test::SavedMouseButton>::type):
780         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h:
781         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp:
782         (JSC::InputTraits<Test::SavedMouseButton>::type):
783         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h:
784         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp:
785         (JSC::InputTraits<Test::HandleWheelEvent>::type):
786         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h:
787         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp:
788         (JSC::InputTraits<Test::FormCombo>::type):
789         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h:
790         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp:
791         (JSC::InputTraits<Test::GetCurrentTime>::type):
792         (JSC::InputTraits<Test::SetRandomSeed>::type):
793         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h:
794         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp:
795         (JSC::InputTraits<Test::ArrayOfThings>::type):
796         (JSC::InputTraits<Test::SavedHistory>::type):
797         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h:
798         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.cpp:
799         (JSC::InputTraits<Test::ScalarInput1>::type):
800         (JSC::InputTraits<Test::ScalarInput2>::type):
801         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h:
802         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp:
803         (JSC::InputTraits<Test::ScalarInput>::type):
804         (JSC::InputTraits<Test::MapInput>::type):
805         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h:
806
807 2014-09-30  Daniel Bates  <dabates@apple.com>
808
809         REGRESSION (r172532): JSBase.h declares NSMapTable functions that are SPI
810         https://bugs.webkit.org/show_bug.cgi?id=137170
811         <rdar://problem/18477384>
812
813         Reviewed by Geoffrey Garen.
814
815         Move conditional include of header Foundation/NSMapTablePriv.h and forward declarations
816         of NSMapTable SPI from file JavaScriptCore/API/JSBase.h to WTF/wtf/spi/cocoa/NSMapTableSPI.h.
817
818         * API/JSBase.h:
819         * API/JSManagedValue.mm: Include header WTF/wtf/spi/cocoa/NSMapTableSPI.h.
820         * API/JSVirtualMachine.mm: Ditto.
821         * API/JSVirtualMachineInternal.h: Forward declare class NSMapTable.
822         * API/JSWrapperMap.mm: Include header WTF/wtf/spi/cocoa/NSMapTableSPI.h. Also, order
823         #include directives such that they are sorted in alphabetical order.
824
825 2014-09-30  Oliver Hunt  <oliver@apple.com>
826
827         Fix C API header
828         https://bugs.webkit.org/show_bug.cgi?id=137254
829         <rdar://problem/18487528>
830
831         Build fix
832
833         Guard extern "C" behind __cplusplus ifdef
834
835         * API/JSBase.h:
836
837 2014-09-29  Brian J. Burg  <burg@cs.washington.edu>
838
839         Web Inspector: InjectedScripts should not be profiled or displayed in Timeline
840         https://bugs.webkit.org/show_bug.cgi?id=136806
841
842         Reviewed by Timothy Hatcher.
843
844         It doesn't make sense to show profile nodes for injected scripts when profiling user content.
845         For now, omit nodes by suspending profiling before and after executing injected scripts.
846
847         * profiler/LegacyProfiler.cpp:
848         (JSC::LegacyProfiler::suspendProfiling): Added.
849         (JSC::LegacyProfiler::unsuspendProfiling): Added.
850         * profiler/LegacyProfiler.h:
851         * profiler/ProfileGenerator.cpp: Add isSuspended() flag, remove unused typedef.
852         (JSC::ProfileGenerator::ProfileGenerator):
853         (JSC::ProfileGenerator::willExecute):
854         (JSC::ProfileGenerator::didExecute):
855         * profiler/ProfileGenerator.h:
856         (JSC::ProfileGenerator::setIsSuspended): Added.
857
858 2014-09-29  Brian J. Burg  <burg@cs.washington.edu>
859
860         Web Inspector: InspectorValues should use references for out parameters
861         https://bugs.webkit.org/show_bug.cgi?id=137190
862
863         Reviewed by Joseph Pecoraro.
864
865         Use references for out parameters in asType() and getType() methods.
866         Also convert to references in some miscellaneous code where we don't
867         expect or handle null values.
868
869         Remove variants of asObject() and asArray() that return a nullable RefPtr.
870         Now, client code is forced to use out parameters and check for cast failure.
871
872         Iron out control flow in some functions and fix some style issues.
873
874         * inspector/InjectedScript.cpp:
875         (Inspector::InjectedScript::getFunctionDetails):
876         (Inspector::InjectedScript::wrapObject):
877         (Inspector::InjectedScript::wrapTable):
878         * inspector/InjectedScriptBase.cpp:
879         (Inspector::InjectedScriptBase::makeEvalCall):
880         * inspector/InjectedScriptManager.cpp:
881         (Inspector::InjectedScriptManager::injectedScriptForObjectId): Simplify control flow.
882         * inspector/InspectorBackendDispatcher.cpp:
883         (Inspector::InspectorBackendDispatcher::dispatch):
884         (Inspector::getPropertyValue):
885         (Inspector::AsMethodBridges::asInteger):
886         (Inspector::AsMethodBridges::asDouble):
887         (Inspector::AsMethodBridges::asString):
888         (Inspector::AsMethodBridges::asBoolean):
889         (Inspector::AsMethodBridges::asObject):
890         (Inspector::AsMethodBridges::asArray):
891         * inspector/InspectorProtocolTypes.h:
892         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast):
893         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType):
894         * inspector/InspectorValues.cpp: Use more by-reference out parameters. Add more spacing.
895         (Inspector::InspectorValue::asBoolean):
896         (Inspector::InspectorValue::asDouble):
897         (Inspector::InspectorValue::asInteger):
898         (Inspector::InspectorValue::asString):
899         (Inspector::InspectorValue::asValue):
900         (Inspector::InspectorValue::asObject):
901         (Inspector::InspectorValue::asArray):
902         (Inspector::InspectorValue::parseJSON):
903         (Inspector::InspectorValue::toJSONString):
904         (Inspector::InspectorValue::writeJSON):
905         (Inspector::InspectorBasicValue::asBoolean):
906         (Inspector::InspectorBasicValue::asDouble):
907         (Inspector::InspectorBasicValue::asInteger):
908         (Inspector::InspectorBasicValue::writeJSON):
909         (Inspector::InspectorString::asString):
910         (Inspector::InspectorString::writeJSON):
911         (Inspector::InspectorObjectBase::asObject):
912         (Inspector::InspectorObjectBase::openAccessors):
913         (Inspector::InspectorObjectBase::getBoolean):
914         (Inspector::InspectorObjectBase::getString):
915         (Inspector::InspectorObjectBase::getObject):
916         (Inspector::InspectorObjectBase::getArray):
917         (Inspector::InspectorObjectBase::writeJSON):
918         (Inspector::InspectorArrayBase::asArray):
919         (Inspector::InspectorArrayBase::writeJSON):
920         * inspector/InspectorValues.h:
921         * inspector/agents/InspectorDebuggerAgent.cpp:
922         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
923         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
924         (Inspector::parseLocation):
925         (Inspector::InspectorDebuggerAgent::setBreakpoint):
926         (Inspector::InspectorDebuggerAgent::continueToLocation):
927         (Inspector::InspectorDebuggerAgent::didParseSource):
928         * inspector/agents/InspectorRuntimeAgent.cpp:
929         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
930         * inspector/scripts/codegen/generate_protocol_types_implementation.py:
931         (ProtocolTypesImplementationGenerator):
932         (ProtocolTypesImplementationGenerator._generate_assertion_for_enum):
933         * inspector/scripts/codegen/generator_templates.py:
934         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
935         * replay/EncodedValue.cpp:
936         (JSC::EncodedValue::asObject):
937         (JSC::EncodedValue::asArray):
938         (JSC::EncodedValue::convertTo<bool>):
939         (JSC::EncodedValue::convertTo<double>):
940         (JSC::EncodedValue::convertTo<float>):
941         (JSC::EncodedValue::convertTo<int32_t>):
942         (JSC::EncodedValue::convertTo<int64_t>):
943         (JSC::EncodedValue::convertTo<uint32_t>):
944         (JSC::EncodedValue::convertTo<uint64_t>):
945         (JSC::EncodedValue::convertTo<String>):
946
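An added example, not JavaScriptCore's own code, of the out-parameter shape that the two inspector entries above converge on (the ErrorString passed by reference as the leading argument, and typed accessors whose only way to hand back a value is a by-reference out parameter plus a bool for cast failure). The Value tree, ErrorString alias, makeX helpers and the setBreakpointByUrl handler body are assumptions standing in for the inspector's real InspectorValue and agent code, chosen so the block compiles on its own:

```cpp
#include <map>
#include <memory>
#include <string>

using ErrorString = std::string;

// Minimal JSON-like value tree (an assumption standing in for InspectorValue).
// Every typed accessor returns false on a type mismatch and leaves the out
// parameter untouched, so a caller cannot get at the value without also seeing
// whether the cast succeeded; there is no nullable-return variant to ignore.
struct Value {
    enum class Type { Null, Integer, String, Object };
    Type type = Type::Null;
    int intValue = 0;
    std::string strValue;
    std::map<std::string, std::shared_ptr<Value>> members;

    bool asInteger(int& out) const {
        if (type != Type::Integer)
            return false;
        out = intValue;
        return true;
    }
    bool asString(std::string& out) const {
        if (type != Type::String)
            return false;
        out = strValue;
        return true;
    }
    // Typed member lookup on an object: false if the key is absent, or present
    // with the wrong type.
    bool getInteger(const std::string& key, int& out) const {
        auto it = members.find(key);
        return it != members.end() && it->second->asInteger(out);
    }
    bool getString(const std::string& key, std::string& out) const {
        auto it = members.find(key);
        return it != members.end() && it->second->asString(out);
    }
    bool hasMember(const std::string& key) const { return members.count(key) != 0; }
};

static std::shared_ptr<Value> makeInteger(int i) {
    auto v = std::make_shared<Value>();
    v->type = Value::Type::Integer;
    v->intValue = i;
    return v;
}
static std::shared_ptr<Value> makeString(const std::string& s) {
    auto v = std::make_shared<Value>();
    v->type = Value::Type::String;
    v->strValue = s;
    return v;
}
static std::shared_ptr<Value> makeObject() {
    auto v = std::make_shared<Value>();
    v->type = Value::Type::Object;
    return v;
}

struct Breakpoint {
    std::string url;
    int lineNumber = 0;
    int columnNumber = 0;
};

// Handler in the shape of InspectorDebuggerAgent::setBreakpointByUrl after the
// change: the leading ErrorString is an out parameter passed by reference. On
// any malformed parameter it is filled in and the handler returns false
// without touching the breakpoint. (The body is illustrative, not the agent's.)
static bool setBreakpointByUrl(ErrorString& error, const Value& params, Breakpoint& out) {
    std::string url;
    int line = 0;
    int column = 0; // optional, defaults to 0
    if (!params.getString("url", url)) {
        error = "Missing or non-string 'url' parameter";
        return false;
    }
    if (!params.getInteger("lineNumber", line) || line < 0) {
        error = "Missing, non-integer or negative 'lineNumber' parameter";
        return false;
    }
    if (params.hasMember("columnNumber") && (!params.getInteger("columnNumber", column) || column < 0)) {
        error = "Optional 'columnNumber' must be a non-negative integer";
        return false;
    }
    out = Breakpoint{url, line, column};
    return true;
}
```

The point of the bool-plus-out-parameter shape is that a frontend message with a parameter of the wrong type (a string where an integer is expected, a negative line) is rejected at the accessor, and the rejection cannot be silently dropped the way a null RefPtr can.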
947 2014-09-29  Filip Pizlo  <fpizlo@apple.com>
948
949         DFG HasStructureProperty codegen should use one fewer registers
950         https://bugs.webkit.org/show_bug.cgi?id=137235
951
952         Reviewed by Andreas Kling.
953         
954         This was an obvious source of inefficiency and it was causing us to run out of registers on
955         x86-32.
956
957         * dfg/DFGSpeculativeJIT32_64.cpp:
958         (JSC::DFG::SpeculativeJIT::compile):
959         * dfg/DFGSpeculativeJIT64.cpp:
960         (JSC::DFG::SpeculativeJIT::compile):
961
962 2014-09-29  Filip Pizlo  <fpizlo@apple.com>
963
964         Don't use GPRResult unless you're flushing registers and making a runtime function call
965         https://bugs.webkit.org/show_bug.cgi?id=137234
966
967         Rubber stamped by Andreas Kling.
968
969         Rename GPRResult to GPRFlushedCallResult, in an attempt to dissuade people from using it for results in the
970         general case.
971         
972         Replace GPRResult with GPRTemporary in those places where it was causing bugs: particularly in GetDirectPname it
973         would cause us to spill the register that has the base, and the code was assuming (rightly) that the base and the
974         result were in different registers. That's a valid assumption when using GPRTemporary but not with GPRResult.
975         Also this code wasn't getting any benefit from using GPRResult because it wasn't doing flushRegisters().
976         
977         I don't know how to test this. A test would require setting up a particularly awkward register allocation state.
978         
979         * dfg/DFGSpeculativeJIT.cpp:
980         (JSC::DFG::SpeculativeJIT::compileIn):
981         (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck):
982         (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression):
983         (JSC::DFG::SpeculativeJIT::compileRegExpExec):
984         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
985         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
986         (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
987         * dfg/DFGSpeculativeJIT.h:
988         (JSC::DFG::GPRFlushedCallResult::GPRFlushedCallResult):
989         (JSC::DFG::GPRFlushedCallResult2::GPRFlushedCallResult2):
990         (JSC::DFG::GPRResult::GPRResult): Deleted.
991         (JSC::DFG::GPRResult2::GPRResult2): Deleted.
992         * dfg/DFGSpeculativeJIT32_64.cpp:
993         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
994         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
995         (JSC::DFG::SpeculativeJIT::emitCall):
996         (JSC::DFG::SpeculativeJIT::compile):
997         * dfg/DFGSpeculativeJIT64.cpp:
998         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
999         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
1000         (JSC::DFG::SpeculativeJIT::emitCall):
1001         (JSC::DFG::SpeculativeJIT::compile):
1002         (JSC::DFG::SpeculativeJIT::speculateDoubleRepMachineInt):
1003
1004 2014-09-29  Diego Pino Garcia  <dpino@igalia.com>
1005
1006         Missing changes from r174049
1007         https://bugs.webkit.org/show_bug.cgi?id=137206
1008
1009         Reviewed by Darin Adler.
1010
1011         * runtime/CommonIdentifiers.h:
1012
1013 2014-09-28  Diego Pino Garcia  <dpino@igalia.com>
1014
1015         Simple ES6 feature: Number constructor extras
1016         https://bugs.webkit.org/show_bug.cgi?id=131707
1017
1018         Reviewed by Darin Adler.
1019
1020         * runtime/CommonIdentifiers.h:
1021         * runtime/NumberConstructor.cpp:
1022         (JSC::NumberConstructor::finishCreation): Set up constants and
1023         functions.
1024         (JSC::numberConstructorFuncIsFinite): Added.
1025         (JSC::numberConstructorFuncIsInteger): Added.
1026         (JSC::numberConstructorFuncIsNaN): Added.
1027         (JSC::numberConstructorFuncIsSafeInteger): Added.
1028         (JSC::NumberConstructor::getOwnPropertySlot): Deleted.
1029         (JSC::numberConstructorNaNValue): Deleted.
1030         (JSC::numberConstructorNegInfinity): Deleted.
1031         (JSC::numberConstructorPosInfinity): Deleted.
1032         (JSC::numberConstructorMaxValue): Deleted.
1033         (JSC::numberConstructorMinValue): Deleted.
1034         * runtime/NumberConstructor.h:
1035
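An added example, not JavaScriptCore's own code, of what the four new Number constructor functions check, modelled in C++ against a constructed JS value type so that the difference from the coercing ES5 globals (isNaN, isFinite) is visible. The JsValue variant, the simplified toNumber and the helper names are assumptions for this illustration; the predicates follow the ES6 definitions (no coercion, isSafeInteger bounded by 2^53 - 1):

```cpp
#include <cmath>
#include <cstdlib>
#include <limits>
#include <string>
#include <variant>

// Constructed model of a JS value for this example: undefined, boolean,
// number or string. (Assumption; not JSC's JSValue.)
struct Undefined {};
using JsValue = std::variant<Undefined, bool, double, std::string>;

static JsValue num(double d) { return JsValue(d); }
static JsValue str(const char* s) { return JsValue(std::string(s)); }
static JsValue undef() { return JsValue(Undefined{}); }
static double jsNaN() { return std::numeric_limits<double>::quiet_NaN(); }

// ES5 ToNumber, simplified: undefined -> NaN, boolean -> 0/1, string ->
// numeric parse ("" -> 0, non-numeric text -> NaN). strtod stands in for the
// spec's StringToNumber; close enough to show the coercion.
static double toNumber(const JsValue& v) {
    if (std::holds_alternative<Undefined>(v))
        return jsNaN();
    if (const bool* b = std::get_if<bool>(&v))
        return *b ? 1.0 : 0.0;
    if (const double* d = std::get_if<double>(&v))
        return *d;
    const std::string& s = std::get<std::string>(v);
    if (s.empty())
        return 0.0;
    char* end = nullptr;
    double parsed = std::strtod(s.c_str(), &end);
    return (end != s.c_str() && *end == '\0') ? parsed : jsNaN();
}

// Global isNaN / isFinite: coerce first, so a non-number can answer true.
static bool globalIsNaN(const JsValue& v) { return std::isnan(toNumber(v)); }
static bool globalIsFinite(const JsValue& v) { return std::isfinite(toNumber(v)); }

// ES6 Number.isNaN / isFinite / isInteger / isSafeInteger: no coercion;
// anything that is not already a Number answers false.
static bool numberIsNaN(const JsValue& v) {
    const double* d = std::get_if<double>(&v);
    return d && std::isnan(*d);
}
static bool numberIsFinite(const JsValue& v) {
    const double* d = std::get_if<double>(&v);
    return d && std::isfinite(*d);
}
static bool numberIsInteger(const JsValue& v) {
    const double* d = std::get_if<double>(&v);
    return d && std::isfinite(*d) && std::trunc(*d) == *d;
}
static bool numberIsSafeInteger(const JsValue& v) {
    // MAX_SAFE_INTEGER = 2^53 - 1: above it consecutive integers are no longer
    // representable, so equality checks on ids or lengths become lossy.
    constexpr double kMaxSafeInteger = 9007199254740991.0;
    return numberIsInteger(v) && std::fabs(std::get<double>(v)) <= kMaxSafeInteger;
}

// Typical guard for an untrusted index or length: must already be a Number
// (no coercion), an integer, non-negative and within the safe range so that
// comparisons and arithmetic on it stay exact.
static bool isValidIndex(const JsValue& v) {
    return numberIsSafeInteger(v) && std::get<double>(v) >= 0.0;
}
```

For input validation the non-coercing forms are the ones to reach for: the global isNaN reports true for the string "abc" and for undefined, which says nothing about whether the value was ever a number, whereas Number.isNaN is true only for the NaN value itself.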
1036 2014-09-26  Filip Pizlo  <fpizlo@apple.com>
1037
1038         Disable function.arguments
1039         https://bugs.webkit.org/show_bug.cgi?id=137167
1040
1041         Rubber stamped by Geoffrey Garen.
1042         
1043         Add an option to disable function.arguments. Add a test for disabling it.
1044         
1045         Disabling function.arguments means that it returns an Arguments object that claims that
1046         there were zero arguments. All other Arguments functionality still works, so any code
1047         that tries to inspect this object will still think that it is looking at a perfectly
1048         valid Arguments object.
1049         
1050         This also makes function.arguments disabled by default. Note that the RJST harness will
1051         enable them by default, to continue to get test coverage for the code that implements
1052         the feature.
1053         
1054         We will rip out that code once we're confident that it's really safe to remove this
1055         feature. Only once we rip out that support will we be able to do optimizations to
1056         leverage the lack of this feature. It's important to keep the support code, and the test
1057         infrastructure, in place before we are confident. The logic to keep this working touches
1058         the entire compiler and a large chunk of the runtime, so reimplementing it - or even
1059         merging it back in - would be a nightmare. That's also basically the reason why we want
1060         to rip it out if at all possible. It's a lot of terrible code.
1061
1062         * interpreter/StackVisitor.cpp:
1063         (JSC::StackVisitor::Frame::createArguments):
1064         * runtime/Arguments.h:
1065         (JSC::Arguments::create):
1066         (JSC::Arguments::finishCreation):
1067         * runtime/Options.h:
1068         * tests/stress/disable-function-dot-arguments.js: Added.
1069         (foo):
1070         (bar):
1071
1072 2014-09-26  Joseph Pecoraro  <pecoraro@apple.com>
1073
1074         Web Inspector: Automatic Inspection should continue once all breakpoints are loaded
1075         https://bugs.webkit.org/show_bug.cgi?id=137038
1076
1077         Reviewed by Timothy Hatcher.
1078
1079         Add a new protocol command "Inspector.initialized" that signifies to the backend
1080         when the frontend has sent all its initialization messages to the backend. This
1081         can include information like breakpoints, which we would want to have loaded
1082         before any JavaScript evaluates in the context.
1083
1084         * inspector/protocol/InspectorDomain.json:
1085         New protocol command, Inspector.initialized.
1086
1087         * inspector/agents/InspectorAgent.h:
1088         * inspector/agents/InspectorAgent.cpp:
1089         (Inspector::InspectorAgent::InspectorAgent):
1090         (Inspector::InspectorAgent::initialized):
1091         Tell the InspectorEnvironment (the Controller) the frontend has initialized.
1092
1093         * inspector/InspectorEnvironment.h:
1094         Abstract virtual method to handle frontend initialization. To be
1095         implemented by all of the InspectorControllers.
1096
1097         * inspector/JSGlobalObjectInspectorController.h:
1098         * inspector/JSGlobalObjectInspectorController.cpp:
1099         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1100         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
1101         (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
1102         (Inspector::JSGlobalObjectInspectorController::frontendInitialized):
1103         When a frontend is initialized, if it was automatic inspection, unpause the debuggable.
1104
1105         * inspector/remote/RemoteInspectorDebuggable.cpp:
1106         (Inspector::RemoteInspectorDebuggable::unpauseForInitializedInspector):
1107         Complete setup for this debuggable.
1108
1109         * inspector/remote/RemoteInspectorDebuggable.h:
1110         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
1111         (Inspector::RemoteInspectorDebuggableConnection::setup):
1112         Move the setup complete to later, when the frontend sends an "initialized" message.
1113
1114         * inspector/remote/RemoteInspector.h:
1115         * inspector/remote/RemoteInspector.mm:
1116         (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate):
1117         Provide a longer timeout now that the frontend must send messages after the connection
1118         has established. The longest I have seen is 600ms, but the average tends to be 200ms.
1119         So bump the timeout to 800ms for a buffer.
1120
1121         (Inspector::RemoteInspector::setupSucceeded): Deleted.
1122         (Inspector::RemoteInspector::setupCompleted):
1123         Rename, as this happens at a slightly different time.
1124
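An added example, not JavaScriptCore's own code, modelling the automatic-inspection handshake the entry above describes: a debuggable paused for automatic inspection stays paused while the frontend replays its setup messages (breakpoints and the like), resumes when Inspector.initialized arrives, and is not left waiting forever because the backend applies a timeout. The class and state names, the message representation (method name only), and the behaviour on timeout (the debuggable resumes uninspected and late messages are rejected) are assumptions for this illustration; the 800 ms figure is the one the entry gives:

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

enum class DebuggableState { PausedForInspection, Running };

class AutomaticInspectionSession {
public:
    // The entry raises the setup timeout to 800 ms to cover the observed
    // 200-600 ms the frontend needs to send its setup messages after connecting.
    static constexpr uint64_t kSetupTimeoutMs = 800;

    explicit AutomaticInspectionSession(uint64_t nowMs) : m_candidateSinceMs(nowMs) {}

    // Frontend-to-backend message; only the method name matters for this model
    // (real messages are JSON with an id and params). Returns true when the
    // message was accepted while the debuggable was still waiting.
    bool onFrontendMessage(const std::string& method, uint64_t nowMs) {
        tick(nowMs);
        if (m_state != DebuggableState::PausedForInspection)
            return false;
        m_messages.push_back(method);
        if (method == "Inspector.initialized") {
            // All breakpoints etc. are in place: safe to let JavaScript run.
            m_initialized = true;
            m_state = DebuggableState::Running;
        }
        return true;
    }

    // Driven by the backend's timer. If the frontend never finishes setup within
    // the window, stop waiting so the page is not stuck paused. (Assumed policy.)
    void tick(uint64_t nowMs) {
        if (m_state == DebuggableState::PausedForInspection
            && nowMs - m_candidateSinceMs >= kSetupTimeoutMs) {
            m_timedOut = true;
            m_state = DebuggableState::Running;
        }
    }

    DebuggableState state() const { return m_state; }
    bool initialized() const { return m_initialized; }
    bool timedOut() const { return m_timedOut; }
    // Setup messages received before JavaScript was allowed to run.
    size_t setupMessagesBeforeRun() const { return m_messages.size(); }

private:
    uint64_t m_candidateSinceMs;
    DebuggableState m_state = DebuggableState::PausedForInspection;
    bool m_initialized = false;
    bool m_timedOut = false;
    std::vector<std::string> m_messages;
};
```

The invariant worth keeping in any such design is that no script runs before the frontend has explicitly said it is done, and that the wait is bounded: the two together avoid both missed breakpoints and a page hung on a frontend that never completes.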
1125 2014-09-26  Filip Pizlo  <fpizlo@apple.com>
1126
1127         DFG shouldn't insert store barriers when it has it on good authority that we're not storing a cell
1128         https://bugs.webkit.org/show_bug.cgi?id=137161
1129
1130         Reviewed by Mark Hahnenberg.
1131         
1132         This looks like a 1% Octane speed-up.
1133
1134         * bytecode/SpeculatedType.h:
1135         (JSC::isNotCellSpeculation):
1136         * dfg/DFGFixupPhase.cpp:
1137         (JSC::DFG::FixupPhase::fixupNode):
1138         (JSC::DFG::FixupPhase::insertStoreBarrier):
1139         (JSC::DFG::FixupPhase::insertCheck):
1140         * dfg/DFGNode.h:
1141         (JSC::DFG::Node::shouldSpeculateNotCell):
1142
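An added example, not JavaScriptCore's own code, serving both this entry (elide the store barrier when the stored value is speculated not to be a cell) and the earlier "REGRESSION (r174025): Invalid cast in JSC::asString" entry (the elision must inspect the child that actually holds the stored value; for PutClosureVar that is child3, not child2). The SpeculatedType bit layout, the node shape, the two-op list and the prediction assigned to PutClosureVar's storage child are assumptions constructed for this illustration:

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed bit layout for predictions (assumption; not JSC's SpeculatedType.h).
using SpeculatedType = uint32_t;
constexpr SpeculatedType SpecNone    = 0;
constexpr SpeculatedType SpecObject  = 1u << 0;
constexpr SpeculatedType SpecString  = 1u << 1;
constexpr SpeculatedType SpecCell    = SpecObject | SpecString; // anything heap-allocated
constexpr SpeculatedType SpecInt32   = 1u << 2;
constexpr SpeculatedType SpecDouble  = 1u << 3;
constexpr SpeculatedType SpecBoolean = 1u << 4;
constexpr SpeculatedType SpecOther   = 1u << 5; // undefined / null

// True only when the prediction is non-empty and contains no cell at all.
// An empty prediction means "no information", and no information must never
// be allowed to elide a barrier.
static bool isNotCellSpeculation(SpeculatedType t) {
    return t != SpecNone && (t & SpecCell) == 0;
}

enum class Op { PutByOffset, PutClosureVar };

struct Node {
    Op op;
    std::vector<SpeculatedType> children; // predictions of child1..childN, in order
};

// Which child holds the value being stored (assumed layout, matching the
// regression entry): PutByOffset (base, value) -> child2;
// PutClosureVar (scope, storage, value) -> child3.
static size_t valueChildIndex(Op op) {
    switch (op) {
    case Op::PutByOffset:
        return 1;
    case Op::PutClosureVar:
        return 2;
    }
    return 0;
}

// Fixed logic: look at the stored value's own prediction.
static bool needsBarrierFixed(const Node& n) {
    return !isNotCellSpeculation(n.children[valueChildIndex(n.op)]);
}

// Regressed logic: always looks at child2, which for PutClosureVar is the
// storage edge rather than the stored value.
static bool needsBarrierBuggy(const Node& n) {
    return !isNotCellSpeculation(n.children[1]);
}

// How many stores in a block keep their barrier under each policy.
struct BarrierCounts {
    int fixed = 0;
    int buggy = 0;
};
static BarrierCounts countBarriers(const std::vector<Node>& block) {
    BarrierCounts c;
    for (const Node& n : block) {
        c.fixed += needsBarrierFixed(n);
        c.buggy += needsBarrierBuggy(n);
    }
    return c;
}
```

In the constructed sample the storage child of PutClosureVar carries a non-cell prediction, so the regressed check treats every PutClosureVar as storing a non-cell and drops the barrier even when child3 is a string; the fixed check keeps it. Barrier elision is a soundness decision in the GC, so the check must be tied to the edge that really carries the value, and an empty prediction must fail the check rather than pass it.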
1143 2014-09-26  Peter Varga  <pvarga@webkit.org>
1144
1145         Fix typo in YARR at BOL check
1146         https://bugs.webkit.org/show_bug.cgi?id=137144
1147
1148         Reviewed by Darin Adler.
1149
1150         * yarr/YarrPattern.cpp: replace bitwise and operator by logical and
1151         (JSC::Yarr::YarrPatternConstructor::assertionBOL):
1152
1153 2014-09-25  Saam Barati  <saambarati1@gmail.com>
1154
1155         Web Inspector: console.assert(bitString) TypeSet:50 
1156         https://bugs.webkit.org/show_bug.cgi?id=137051
1157
1158         Reviewed by Joseph Pecoraro.
1159
1160         This patch creates stricter requirements on a TypeDescription
1161         being valid. To be valid, a TypeDescription now ensures that 
1162         the TypeSet it describes has non null type information.
1163
1164         * inspector/agents/InspectorRuntimeAgent.cpp:
1165         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1166         * runtime/TypeSet.h:
1167         (JSC::TypeSet::isEmpty):
1168
1169 2014-09-25  Filip Pizlo  <fpizlo@apple.com>
1170
1171         FTL should sink object allocations
1172         https://bugs.webkit.org/show_bug.cgi?id=136330
1173
1174         Reviewed by Oliver Hunt.
1175         
1176         This adds a comprehensive infrastructure for sinking object allocations in DFG SSA form. The
1177         ultimate goal of sinking is to sink an allocation "past the points of its death" - i.e. to
1178         eliminate it completely. The way sinking reasons about the CFG means that it resembles a
1179         partial escape analysis: we create paths through a function where some allocation(s) don't
1180         have to be done at all even if there are other paths along which those allocations still have
1181         to happen. But it also produces other side benefits. Even if an allocation isn't eliminated
1182         along any path, the act of sinking reduces the number of barriers that have to execute.
1183         
1184         Because this was a fairly ambitious SSA analysis and transformation, I added a bunch of C++11
1185         sugar to the DFG's internal APIs to allow for easier iteration over blocks, nodes, and
1186         successors; and to add more functor goodness to allow for more lambdas.
1187         
1188         This is just the beginning. The bug has a bunch of other bugs that depend on it. So far this
1189         is a spectacular speed-up on microbenchmarks but it's still too limited to affect big
1190         benchmarks. For example, doing o == p makes the sinking phase think that o and p escape.
1191         That's just an omission and there are likely others; we can easily fix them. I think it's
1192         best to land it in its current form and then to worry about the big benchmarks in subsequent
1193         work (see bug 137126).
1194
1195         * CMakeLists.txt:
1196         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1197         * JavaScriptCore.xcodeproj/project.pbxproj:
1198         * bytecode/StructureSet.h:
1199         (JSC::StructureSet::iterator::iterator):
1200         (JSC::StructureSet::iterator::operator*):
1201         (JSC::StructureSet::iterator::operator++):
1202         (JSC::StructureSet::iterator::operator==):
1203         (JSC::StructureSet::iterator::operator!=):
1204         (JSC::StructureSet::begin):
1205         (JSC::StructureSet::end):
1206         * dfg/DFGAbstractInterpreter.h:
1207         (JSC::DFG::AbstractInterpreter::phiChildren):
1208         * dfg/DFGAbstractInterpreterInlines.h:
1209         (JSC::DFG::AbstractInterpreter<AbstractStateType>::AbstractInterpreter):
1210         (JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting):
1211         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1212         (JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
1213         * dfg/DFGAvailability.h:
1214         (JSC::DFG::Availability::shouldUseNode):
1215         (JSC::DFG::Availability::isFlushUseful):
1216         (JSC::DFG::Availability::isDead):
1217         (JSC::DFG::Availability::operator!=):
1218         * dfg/DFGAvailabilityMap.cpp: Added.
1219         (JSC::DFG::AvailabilityMap::prune):
1220         (JSC::DFG::AvailabilityMap::clear):
1221         (JSC::DFG::AvailabilityMap::dump):
1222         (JSC::DFG::AvailabilityMap::operator==):
1223         (JSC::DFG::AvailabilityMap::merge):
1224         * dfg/DFGAvailabilityMap.h: Added.
1225         (JSC::DFG::AvailabilityMap::forEachAvailability):
1226         * dfg/DFGBasicBlock.cpp:
1227         (JSC::DFG::BasicBlock::SSAData::SSAData):
1228         * dfg/DFGBasicBlock.h:
1229         (JSC::DFG::BasicBlock::begin):
1230         (JSC::DFG::BasicBlock::end):
1231         (JSC::DFG::BasicBlock::SuccessorsIterable::SuccessorsIterable):
1232         (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::iterator):
1233         (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator*):
1234         (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator++):
1235         (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator==):
1236         (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator!=):
1237         (JSC::DFG::BasicBlock::SuccessorsIterable::begin):
1238         (JSC::DFG::BasicBlock::SuccessorsIterable::end):
1239         (JSC::DFG::BasicBlock::successors):
1240         * dfg/DFGClobberize.h:
1241         (JSC::DFG::clobberize):
1242         * dfg/DFGConstantFoldingPhase.cpp:
1243         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1244         * dfg/DFGDoesGC.cpp:
1245         (JSC::DFG::doesGC):
1246         * dfg/DFGFixupPhase.cpp:
1247         (JSC::DFG::FixupPhase::fixupNode):
1248         * dfg/DFGFlushedAt.cpp:
1249         (JSC::DFG::FlushedAt::dump):
1250         * dfg/DFGFlushedAt.h:
1251         (JSC::DFG::FlushedAt::FlushedAt):
1252         * dfg/DFGGraph.cpp:
1253         (JSC::DFG::Graph::dump):
1254         (JSC::DFG::Graph::dumpBlockHeader):
1255         (JSC::DFG::Graph::mergeRelevantToOSR):
1256         (JSC::DFG::Graph::invalidateCFG):
1257         * dfg/DFGGraph.h:
1258         (JSC::DFG::Graph::NaturalBlockIterable::NaturalBlockIterable):
1259         (JSC::DFG::Graph::NaturalBlockIterable::iterator::iterator):
1260         (JSC::DFG::Graph::NaturalBlockIterable::iterator::operator*):
1261         (JSC::DFG::Graph::NaturalBlockIterable::iterator::operator++):
1262         (JSC::DFG::Graph::NaturalBlockIterable::iterator::operator==):
1263         (JSC::DFG::Graph::NaturalBlockIterable::iterator::operator!=):
1264         (JSC::DFG::Graph::NaturalBlockIterable::iterator::findNext):
1265         (JSC::DFG::Graph::NaturalBlockIterable::begin):
1266         (JSC::DFG::Graph::NaturalBlockIterable::end):
1267         (JSC::DFG::Graph::blocksInNaturalOrder):
1268         (JSC::DFG::Graph::doToChildrenWithNode):
1269         (JSC::DFG::Graph::doToChildren):
1270         * dfg/DFGHeapLocation.cpp:
1271         (WTF::printInternal):
1272         * dfg/DFGHeapLocation.h:
1273         * dfg/DFGInsertOSRHintsForUpdate.cpp: Added.
1274         (JSC::DFG::insertOSRHintsForUpdate):
1275         * dfg/DFGInsertOSRHintsForUpdate.h: Added.
1276         * dfg/DFGInsertionSet.h:
1277         (JSC::DFG::InsertionSet::graph):
1278         * dfg/DFGMayExit.cpp:
1279         (JSC::DFG::mayExit):
1280         * dfg/DFGNode.h:
1281         (JSC::DFG::Node::convertToPutByOffsetHint):
1282         (JSC::DFG::Node::convertToPutStructureHint):
1283         (JSC::DFG::Node::convertToPhantomNewObject):
1284         (JSC::DFG::Node::isCellConstant):
1285         (JSC::DFG::Node::castConstant):
1286         (JSC::DFG::Node::hasIdentifier):
1287         (JSC::DFG::Node::hasStorageAccessData):
1288         (JSC::DFG::Node::hasObjectMaterializationData):
1289         (JSC::DFG::Node::objectMaterializationData):
1290         (JSC::DFG::Node::isPhantomObjectAllocation):
1291         * dfg/DFGNodeType.h:
1292         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
1293         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
1294         (JSC::DFG::LocalOSRAvailabilityCalculator::endBlock):
1295         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
1296         * dfg/DFGOSRAvailabilityAnalysisPhase.h:
1297         * dfg/DFGObjectAllocationSinkingPhase.cpp: Added.
1298         (JSC::DFG::ObjectAllocationSinkingPhase::ObjectAllocationSinkingPhase):
1299         (JSC::DFG::ObjectAllocationSinkingPhase::run):
1300         (JSC::DFG::ObjectAllocationSinkingPhase::performSinking):
1301         (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints):
1302         (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints):
1303         (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations):
1304         (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields):
1305         (JSC::DFG::ObjectAllocationSinkingPhase::resolve):
1306         (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
1307         (JSC::DFG::ObjectAllocationSinkingPhase::createMaterialize):
1308         (JSC::DFG::ObjectAllocationSinkingPhase::populateMaterialize):
1309         (JSC::DFG::performObjectAllocationSinking):
1310         * dfg/DFGObjectAllocationSinkingPhase.h: Added.
1311         * dfg/DFGObjectMaterializationData.cpp: Added.
1312         (JSC::DFG::PhantomPropertyValue::dump):
1313         (JSC::DFG::ObjectMaterializationData::dump):
1314         (JSC::DFG::ObjectMaterializationData::oneWaySimilarityScore):
1315         (JSC::DFG::ObjectMaterializationData::similarityScore):
1316         * dfg/DFGObjectMaterializationData.h: Added.
1317         (JSC::DFG::PhantomPropertyValue::PhantomPropertyValue):
1318         (JSC::DFG::PhantomPropertyValue::operator==):
1319         * dfg/DFGPhantomCanonicalizationPhase.cpp:
1320         (JSC::DFG::PhantomCanonicalizationPhase::run):
1321         * dfg/DFGPhantomRemovalPhase.cpp:
1322         (JSC::DFG::PhantomRemovalPhase::run):
1323         * dfg/DFGPhiChildren.cpp: Added.
1324         (JSC::DFG::PhiChildren::PhiChildren):
1325         (JSC::DFG::PhiChildren::~PhiChildren):
1326         (JSC::DFG::PhiChildren::upsilonsOf):
1327         * dfg/DFGPhiChildren.h: Added.
1328         (JSC::DFG::PhiChildren::forAllIncomingValues):
1329         (JSC::DFG::PhiChildren::forAllTransitiveIncomingValues):
1330         * dfg/DFGPlan.cpp:
1331         (JSC::DFG::Plan::compileInThreadImpl):
1332         * dfg/DFGPrePostNumbering.cpp: Added.
1333         (JSC::DFG::PrePostNumbering::PrePostNumbering):
1334         (JSC::DFG::PrePostNumbering::~PrePostNumbering):
1335         (JSC::DFG::PrePostNumbering::compute):
1336         (WTF::printInternal):
1337         * dfg/DFGPrePostNumbering.h: Added.
1338         (JSC::DFG::PrePostNumbering::preNumber):
1339         (JSC::DFG::PrePostNumbering::postNumber):
1340         (JSC::DFG::PrePostNumbering::isStrictAncestorOf):
1341         (JSC::DFG::PrePostNumbering::isAncestorOf):
1342         (JSC::DFG::PrePostNumbering::isStrictDescendantOf):
1343         (JSC::DFG::PrePostNumbering::isDescendantOf):
1344         (JSC::DFG::PrePostNumbering::edgeKind):
1345         * dfg/DFGPredictionPropagationPhase.cpp:
1346         (JSC::DFG::PredictionPropagationPhase::propagate):
1347         * dfg/DFGPromoteHeapAccess.h: Added.
1348         (JSC::DFG::promoteHeapAccess):
1349         * dfg/DFGPromotedHeapLocation.cpp: Added.
1350         (JSC::DFG::PromotedLocationDescriptor::dump):
1351         (JSC::DFG::PromotedHeapLocation::createHint):
1352         (JSC::DFG::PromotedHeapLocation::dump):
1353         (WTF::printInternal):
1354         * dfg/DFGPromotedHeapLocation.h: Added.
1355         (JSC::DFG::PromotedLocationDescriptor::PromotedLocationDescriptor):
1356         (JSC::DFG::PromotedLocationDescriptor::operator!):
1357         (JSC::DFG::PromotedLocationDescriptor::kind):
1358         (JSC::DFG::PromotedLocationDescriptor::info):
1359         (JSC::DFG::PromotedLocationDescriptor::hash):
1360         (JSC::DFG::PromotedLocationDescriptor::operator==):
1361         (JSC::DFG::PromotedLocationDescriptor::operator!=):
1362         (JSC::DFG::PromotedLocationDescriptor::isHashTableDeletedValue):
1363         (JSC::DFG::PromotedHeapLocation::PromotedHeapLocation):
1364         (JSC::DFG::PromotedHeapLocation::operator!):
1365         (JSC::DFG::PromotedHeapLocation::kind):
1366         (JSC::DFG::PromotedHeapLocation::base):
1367         (JSC::DFG::PromotedHeapLocation::info):
1368         (JSC::DFG::PromotedHeapLocation::descriptor):
1369         (JSC::DFG::PromotedHeapLocation::hash):
1370         (JSC::DFG::PromotedHeapLocation::operator==):
1371         (JSC::DFG::PromotedHeapLocation::isHashTableDeletedValue):
1372         (JSC::DFG::PromotedHeapLocationHash::hash):
1373         (JSC::DFG::PromotedHeapLocationHash::equal):
1374         * dfg/DFGSSACalculator.cpp:
1375         (JSC::DFG::SSACalculator::reset):
1376         * dfg/DFGSSACalculator.h:
1377         * dfg/DFGSafeToExecute.h:
1378         (JSC::DFG::safeToExecute):
1379         * dfg/DFGSpeculativeJIT.cpp:
1380         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1381         * dfg/DFGSpeculativeJIT32_64.cpp:
1382         (JSC::DFG::SpeculativeJIT::compile):
1383         * dfg/DFGSpeculativeJIT64.cpp:
1384         (JSC::DFG::SpeculativeJIT::compile):
1385         * dfg/DFGStructureRegistrationPhase.cpp:
1386         (JSC::DFG::StructureRegistrationPhase::run):
1387         * dfg/DFGValidate.cpp:
1388         (JSC::DFG::Validate::validate):
1389         * ftl/FTLCapabilities.cpp:
1390         (JSC::FTL::canCompile):
1391         * ftl/FTLExitPropertyValue.cpp: Added.
1392         (JSC::FTL::ExitPropertyValue::dump):
1393         * ftl/FTLExitPropertyValue.h: Added.
1394         (JSC::FTL::ExitPropertyValue::ExitPropertyValue):
1395         (JSC::FTL::ExitPropertyValue::operator!):
1396         (JSC::FTL::ExitPropertyValue::location):
1397         (JSC::FTL::ExitPropertyValue::value):
1398         * ftl/FTLExitTimeObjectMaterialization.cpp: Added.
1399         (JSC::FTL::ExitTimeObjectMaterialization::ExitTimeObjectMaterialization):
1400         (JSC::FTL::ExitTimeObjectMaterialization::~ExitTimeObjectMaterialization):
1401         (JSC::FTL::ExitTimeObjectMaterialization::add):
1402         (JSC::FTL::ExitTimeObjectMaterialization::get):
1403         (JSC::FTL::ExitTimeObjectMaterialization::dump):
1404         * ftl/FTLExitTimeObjectMaterialization.h: Added.
1405         (JSC::FTL::ExitTimeObjectMaterialization::type):
1406         (JSC::FTL::ExitTimeObjectMaterialization::properties):
1407         * ftl/FTLExitValue.cpp:
1408         (JSC::FTL::ExitValue::materializeNewObject):
1409         (JSC::FTL::ExitValue::dumpInContext):
1410         * ftl/FTLExitValue.h:
1411         (JSC::FTL::ExitValue::isObjectMaterialization):
1412         (JSC::FTL::ExitValue::objectMaterialization):
1413         (JSC::FTL::ExitValue::withVirtualRegister):
1414         (JSC::FTL::ExitValue::valueFormat):
1415         * ftl/FTLLowerDFGToLLVM.cpp:
1416         (JSC::FTL::LowerDFGToLLVM::compileNode):
1417         (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
1418         (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
1419         (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
1420         (JSC::FTL::LowerDFGToLLVM::compileNewObject):
1421         (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
1422         (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
1423         (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
1424         (JSC::FTL::LowerDFGToLLVM::compileCheckStructureImmediate):
1425         (JSC::FTL::LowerDFGToLLVM::compileMaterializeNewObject):
1426         (JSC::FTL::LowerDFGToLLVM::checkStructure):
1427         (JSC::FTL::LowerDFGToLLVM::allocateCell):
1428         (JSC::FTL::LowerDFGToLLVM::storeStructure):
1429         (JSC::FTL::LowerDFGToLLVM::allocateObject):
1430         (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
1431         (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
1432         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
1433         (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
1434         (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
1435         (JSC::FTL::LowerDFGToLLVM::weakStructureID):
1436         (JSC::FTL::LowerDFGToLLVM::weakStructure):
1437         (JSC::FTL::LowerDFGToLLVM::availabilityMap):
1438         (JSC::FTL::LowerDFGToLLVM::availability): Deleted.
1439         * ftl/FTLOSRExit.h:
1440         * ftl/FTLOSRExitCompiler.cpp:
1441         (JSC::FTL::compileRecovery):
1442         (JSC::FTL::compileStub):
1443         * ftl/FTLOperations.cpp: Added.
1444         (JSC::FTL::operationNewObjectWithButterfly):
1445         (JSC::FTL::operationMaterializeObjectInOSR):
1446         * ftl/FTLOperations.h: Added.
1447         * ftl/FTLSwitchCase.h:
1448         (JSC::FTL::SwitchCase::SwitchCase):
1449         * runtime/JSObject.h:
1450         (JSC::JSObject::finishCreation):
1451         (JSC::JSFinalObject::JSFinalObject):
1452         (JSC::JSFinalObject::create):
1453         * runtime/Structure.cpp:
1454         (JSC::Structure::canUseForAllocationsOf):
1455         * runtime/Structure.h:
1456         * tests/stress/elidable-new-object-roflcopter-then-exit.js: Added.
1457         (sumOfArithSeries):
1458         (foo):
1459         * tests/stress/elide-new-object-dag-then-exit.js: Added.
1460         (sumOfArithSeries):
1461         (bar):
1462         (verify):
1463         (foo):
1464         * tests/stress/obviously-elidable-new-object-then-exit.js: Added.
1465         (sumOfArithSeries):
1466         (foo):
1467
1468 2014-09-25  Brian J. Burg  <burg@cs.washington.edu>
1469
1470         Web Replay: Check event loop input extents during replaying too
1471         https://bugs.webkit.org/show_bug.cgi?id=136316
1472
1473         Reviewed by Timothy Hatcher.
1474
1475         Sometimes we see different nondeterminism during capture and replay
1476         executions, so we should add determinism checks during replay too.
1477
1478         Move the withinEventLoopInputExtent flag to the base class, and tighten
1479         the assertion to address <http://webkit.org/b/133019>.
1480
1481         * replay/InputCursor.h:
1482         (JSC::InputCursor::InputCursor):
1483         (JSC::InputCursor::setWithinEventLoopInputExtent): Added.
1484         This assertion is slightly wrong because it does not account for nested run loops.
1485         We can be within two input extents when a nested run loop processes additional
1486         user inputs while the debugger is paused.
1487
1488         This should only be the case when execution is being neither captured nor
1489         replayed. The debugger should not pause when capturing, and we should not replay
1490         event loop inputs while in a nested run loop.
1491
1492         (JSC::InputCursor::withinEventLoopInputExtent): Added.
1493
1494 2014-09-25  Csaba Osztrogonác  <ossy@webkit.org>
1495
1496         Remove WinCE port from trunk
1497         https://bugs.webkit.org/show_bug.cgi?id=136951
1498
1499         Reviewed by Alex Christensen.
1500
1501         * assembler/ARMAssembler.h:
1502         (JSC::ARMAssembler::cacheFlush):
1503         * assembler/ARMv7Assembler.h:
1504         (JSC::ARMv7Assembler::cacheFlush):
1505         * config.h:
1506         * heap/MachineStackMarker.cpp:
1507         (JSC::MachineThreads::gatherFromCurrentThread):
1508         (JSC::MachineThreads::gatherFromOtherThread):
1509         (JSC::swapIfBackwards): Deleted.
1510         * jit/ExecutableAllocator.h:
1511         * jsc.cpp:
1512         (main):
1513         * runtime/DateConstructor.cpp:
1514         * runtime/Options.cpp:
1515         (JSC::overrideOptionWithHeuristic):
1516         * runtime/VM.cpp:
1517         (JSC::VM::VM):
1518         * testRegExp.cpp:
1519         (main):
1520         * tools/CodeProfiling.cpp:
1521         (JSC::CodeProfiling::notifyAllocator):
1522
1523 2014-09-24  Brian J. Burg  <burg@cs.washington.edu>
1524
1525         Web Inspector: subtract elapsed time while debugger is paused from profile nodes
1526         https://bugs.webkit.org/show_bug.cgi?id=136796
1527
1528         Reviewed by Timothy Hatcher.
1529
1530         Rather than accruing no time to any profile node created while the debugger is paused,
1531         we can instead count a node's elapsed time and exclude time elapsed while paused.
1532
1533         Time for a node may elapse in a non-contiguous fashion depending on the interleaving of
1534         didPause, didContinue, willExecute, and didExecute. A node's start time is set to the
1535         start of the last such interval that accrues elapsed time.
1536
1537         * profiler/ProfileGenerator.cpp:
1538         (JSC::ProfileGenerator::ProfileGenerator):
1539         (JSC::ProfileGenerator::beginCallEntry):
1540         (JSC::ProfileGenerator::endCallEntry):
1541         (JSC::ProfileGenerator::didPause): Added.
1542         (JSC::ProfileGenerator::didContinue): Added.
1543         * profiler/ProfileGenerator.h:
1544         (JSC::ProfileGenerator::didPause): Deleted.
1545         (JSC::ProfileGenerator::didContinue): Deleted.
1546         * profiler/ProfileNode.h: Rename totalTime to elapsedTime.
1547         (JSC::ProfileNode::Call::Call):
1548         (JSC::ProfileNode::Call::elapsedTime): Added.
1549         (JSC::ProfileNode::Call::setElapsedTime): Added.
1550         (JSC::CalculateProfileSubtreeDataFunctor::operator()):
1551         (JSC::ProfileNode::Call::totalTime): Deleted.
1552         (JSC::ProfileNode::Call::setTotalTime): Deleted.
1553
1554 2014-09-24  Commit Queue  <commit-queue@webkit.org>
1555
1556         Unreviewed, rolling out r173839.
1557         https://bugs.webkit.org/show_bug.cgi?id=137062
1558
1559         NumberConstruct should no longer use static tables (Requested
1560         by dpino on #webkit).
1561
1562         Reverted changeset:
1563
1564         "Simple ES6 feature: Number constructor extras"
1565         https://bugs.webkit.org/show_bug.cgi?id=131707
1566         http://trac.webkit.org/changeset/173839
1567
1568 2014-09-23  Mark Lam  <mark.lam@apple.com>
1569
1570         DebuggerCallFrame::invalidate() should invalidate all DebuggerScope chains.
1571         <https://webkit.org/b/137045>
1572
1573         Reviewed by Geoffrey Garen.
1574
1575         DebuggerCallFrame::invalidate() currently invalidates all DebuggerCallFrames
1576         in the debugger stack, but only invalidates the DebuggerScope chain of the
1577         topmost frame.  We should also invalidate all the DebuggerScope chains of
1578         the other frames in the debugger stack.
1579
1580         * debugger/DebuggerCallFrame.cpp:
1581         (JSC::DebuggerCallFrame::invalidate):
1582         * debugger/DebuggerScope.cpp:
1583         (JSC::DebuggerScope::invalidateChain):
1584
1585 2014-09-23  Mark Lam  <mark.lam@apple.com>
1586
1587         Renamed DebuggerCallFrameScope to DebuggerPausedScope.
1588         <https://webkit.org/b/137042>
1589
1590         Reviewed by Michael Saboff.
1591
1592         DebuggerPausedScope is a better name for this data structure because it
1593         is meant for tracking the period within which the debugger is paused,
1594         and doing clean ups after the pause ends.
1595
1596         * debugger/Debugger.cpp:
1597         (JSC::DebuggerPausedScope::DebuggerPausedScope):
1598         (JSC::DebuggerPausedScope::~DebuggerPausedScope):
1599         (JSC::Debugger::pauseIfNeeded):
1600         (JSC::DebuggerCallFrameScope::DebuggerCallFrameScope): Deleted.
1601         (JSC::DebuggerCallFrameScope::~DebuggerCallFrameScope): Deleted.
1602         * debugger/Debugger.h:
1603         * debugger/DebuggerCallFrame.h:
1604
1605 2014-09-23  Tomas Popela  <tpopela@redhat.com>
1606
1607         [CLoop] - Fix CLoop on the 32-bit Big-Endians
1608         https://bugs.webkit.org/show_bug.cgi?id=137020
1609
1610         Reviewed by Mark Lam.
1611
1612         * llint/LowLevelInterpreter.asm:
1613         * llint/LowLevelInterpreter32_64.asm:
1614
1615 2014-09-23  Joseph Pecoraro  <pecoraro@apple.com>
1616
1617         Web Inspector: Should be able to attach a debugger to a JSContext before anything is executed
1618         https://bugs.webkit.org/show_bug.cgi?id=136893
1619
1620         Reviewed by Timothy Hatcher.
1621
1622         Adds new remote inspector protocol handling for automatic inspection.
1623         Debuggers can signal they have enabled automatic inspection, and
1624         when debuggables are created the current application will pause to
1625         see if the debugger will inspect or decline to inspect the debuggable.
1626
1627         * inspector/remote/RemoteInspectorConstants.h:
1628         * inspector/remote/RemoteInspector.h:
1629         * inspector/remote/RemoteInspector.mm:
1630         (Inspector::globalAutomaticInspectionState):
1631         (Inspector::RemoteInspector::RemoteInspector):
1632         (Inspector::RemoteInspector::start):
1633         When first starting, check the global "is there an auto-inspect" debugger state.
1634         This is necessary so that the current application knows if it should pause or
1635         not when a debuggable is created, even without having connected to webinspectord yet.
1636
1637         (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate):
1638         When a debuggable has enabled remote inspection, take this path to propose
1639         it as an automatic inspection candidate if there is an auto-inspect debugger.
1640
1641         (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage):
1642         Send the automatic inspection candidate message.
1643
1644         (Inspector::RemoteInspector::receivedSetupMessage):
1645         (Inspector::RemoteInspector::setupFailed):
1646         (Inspector::RemoteInspector::setupSucceeded):
1647         After attempting to open an inspector, unpause if it was for the
1648         automatic inspection candidate.
1649
1650         (Inspector::RemoteInspector::waitingForAutomaticInspection):
1651         When running a nested runloop, check if we should remain paused.
1652
1653         (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
1654         If by the time we connect to webinspectord we have a candidate, then
1655         immediately send the candidate message.
1656
1657         (Inspector::RemoteInspector::stopInternal):
1658         (Inspector::RemoteInspector::xpcConnectionFailed):
1659         In error cases, clear our state.
1660
1661         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
1662         (Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage):
1663         (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage):
1664         Update state when receiving new messages.
1665
1667         * inspector/remote/RemoteInspectorDebuggable.h:
1668         * inspector/remote/RemoteInspectorDebuggable.cpp:
1669         (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
1670         Special case when a debuggable is newly allowed to be debuggable.
1671
1672         (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection):
1673         Run a nested run loop while this is an automatic inspection candidate.
1674
1675         * inspector/JSGlobalObjectInspectorController.h:
1676         * inspector/JSGlobalObjectInspectorController.cpp:
1677         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1678         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
1679         When the inspector starts via automatic inspection automatically pause.
1680         We plan on removing this condition by having the frontend signal to the
1681         backend when it is completely initialized.
1682         
1683         * inspector/remote/RemoteInspectorDebuggableConnection.h:
1684         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
1685         (Inspector::RemoteInspectorDebuggableConnection::setup):
1686         Pass on the flag of whether or not this was automatic inspection.
1687
1688         * runtime/JSGlobalObjectDebuggable.h:
1689         * runtime/JSGlobalObjectDebuggable.cpp:
1690         (JSC::JSGlobalObjectDebuggable::connect):
1691         (JSC::JSGlobalObjectDebuggable::pauseWaitingForAutomaticInspection):
1692         When pausing in a JSGlobalObject we need to release the API lock.
1693
1694 2014-09-22  Filip Pizlo  <fpizlo@apple.com>
1695
1696         FTL allocatePropertyStorage code should involve less copy-paste
1697         https://bugs.webkit.org/show_bug.cgi?id=137006
1698
1699         Reviewed by Michael Saboff.
1700
1701         * ftl/FTLLowerDFGToLLVM.cpp:
1702         (JSC::FTL::LowerDFGToLLVM::allocatePropertyStorage):
1703         (JSC::FTL::LowerDFGToLLVM::reallocatePropertyStorage):
1704         (JSC::FTL::LowerDFGToLLVM::allocatePropertyStorageWithSizeImpl):
1705
1706 2014-09-22  Diego Pino Garcia  <dpino@igalia.com>
1707
1708         Simple ES6 feature: Number constructor extras
1709         https://bugs.webkit.org/show_bug.cgi?id=131707
1710
1711         Reviewed by Darin Adler.
1712
1713         * runtime/CommonIdentifiers.h: Added new identifiers.
1714         * runtime/NumberConstructor.cpp:
1715         (JSC::NumberConstructor::getOwnPropertySlot):
1716         (JSC::NumberConstructor::isFunction): Added.
1717         (JSC::numberConstructorEpsilonValue): Added.
1718         (JSC::numberConstructorNegInfinity): Added.
1719         (JSC::numberConstructorPosInfinity): Added.
1720         (JSC::numberConstructorMaxValue): Added.
1721         (JSC::numberConstructorMinValue): Added.
1722         (JSC::numberConstructorMaxSafeInteger): Added.
1723         (JSC::numberConstructorMinSafeInteger): Added.
1724         (JSC::numberConstructorFuncIsFinite): Added.
1725         (JSC::numberConstructorFuncIsInteger): Added.
1726         (JSC::numberConstructorFuncIsNaN): Added.
1727         (JSC::numberConstructorFuncIsSafeInteger): Added.
1728         * runtime/NumberConstructor.h:
1729
1730 2014-09-21  Filip Pizlo  <fpizlo@apple.com>
1731
1732         FTL should store the four bytes of the cell header using a 32-bit store rather than four 8-bit stores
1733         https://bugs.webkit.org/show_bug.cgi?id=136992
1734
1735         Reviewed by Sam Weinig.
1736         
1737         LLVM ought to be able to do this optimization for us given how the code was written, but
1738         any such lower-level attempts to optimize this would get into trouble with the weird
1739         object materialization logic I'll be introducing in bug 136330. So, this brings the
1740         merging of the byte stores into the FTL lowering so that we can control it explicitly.
1741
1742         * ftl/FTLAbstractHeap.h:
1743         (JSC::FTL::AbstractHeap::changeParent):
1744         * ftl/FTLAbstractHeapRepository.cpp:
1745         (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
1746         * ftl/FTLAbstractHeapRepository.h:
1747         * ftl/FTLLowerDFGToLLVM.cpp:
1748         (JSC::FTL::LowerDFGToLLVM::allocateCell):
1749
1750 2014-09-21  Saam Barati  <saambarati1@gmail.com>
1751
1752         Web Inspector: fix TypeSet hierarchy in TypeTokenView
1753         https://bugs.webkit.org/show_bug.cgi?id=136982
1754
1755         Reviewed by Joseph Pecoraro.
1756
1757         TypeSet was computing the set of type booleans in the Inspector::Protocol::Runtime::TypeSet 
1758         object incorrectly because it was calling TypeSet::doesTypeConformTo(T) which checks if the 
1759         type set has only been of type T. It now checks '(m_seenTypes & T) != TypeNothing' to see 
1760         if type T is in the set of seen types, but not the entire set itself.
1761
1762         * runtime/TypeSet.cpp:
1763         (JSC::TypeSet::inspectorTypeSet):
1764
1765 2014-09-21  Filip Pizlo  <fpizlo@apple.com>
1766
1767         Structure should have a method for concurrently getting all of the property map entries, and this method shouldn't involve copy-paste
1768         https://bugs.webkit.org/show_bug.cgi?id=136983
1769
1770         Reviewed by Mark Hahnenberg.
1771
1772         * runtime/PropertyMapHashTable.h:
1773         (JSC::PropertyMapEntry::PropertyMapEntry): Moved PropertyMapEntry struct to Structure.h so that Structure can refer to it.
1774         * runtime/Structure.cpp:
1775         (JSC::Structure::getConcurrently): Switch to using the new forEachPropertyConcurrently() method.
1776         (JSC::Structure::getPropertiesConcurrently): The subject of this patch. It will be useful for object allocation sinking (bug 136330).
1777         (JSC::Structure::dump): Switch to using the new forEachPropertyConcurrently() method.
1778         * runtime/Structure.h:
1779         (JSC::PropertyMapEntry::PropertyMapEntry): Moved from PropertyMapHashTable.h.
1780         * runtime/StructureInlines.h:
1781         (JSC::Structure::forEachPropertyConcurrently): Capture this very common concurrent structure iteration pattern into a template method.
1782
1783 2014-09-21  Filip Pizlo  <fpizlo@apple.com>
1784
1785         Structure::getConcurrently() doesn't need to take a VM& argument.
1786
1787         Rubber stamped by Dan Bernstein.
1788         
1789         Removed the extra argument, and then removed similar arguments from other methods until
1790         I could build successfully again. It turned out that many methods took a VM& argument
1791         just for calling getConcurrently().
1792
1793         * bytecode/CodeBlock.cpp:
1794         (JSC::dumpStructure):
1795         (JSC::dumpChain):
1796         (JSC::CodeBlock::printGetByIdCacheStatus):
1797         (JSC::CodeBlock::printPutByIdCacheStatus):
1798         * bytecode/ComplexGetStatus.cpp:
1799         (JSC::ComplexGetStatus::computeFor):
1800         * bytecode/GetByIdStatus.cpp:
1801         (JSC::GetByIdStatus::computeFromLLInt):
1802         (JSC::GetByIdStatus::computeForStubInfo):
1803         (JSC::GetByIdStatus::computeFor):
1804         * bytecode/GetByIdStatus.h:
1805         * bytecode/PutByIdStatus.cpp:
1806         (JSC::PutByIdStatus::computeFromLLInt):
1807         (JSC::PutByIdStatus::computeForStubInfo):
1808         (JSC::PutByIdStatus::computeFor):
1809         * bytecode/PutByIdStatus.h:
1810         * dfg/DFGAbstractInterpreterInlines.h:
1811         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1812         * dfg/DFGByteCodeParser.cpp:
1813         (JSC::DFG::ByteCodeParser::parseBlock):
1814         * dfg/DFGConstantFoldingPhase.cpp:
1815         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1816         * dfg/DFGFixupPhase.cpp:
1817         (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
1818         * runtime/IntendedStructureChain.cpp:
1819         (JSC::IntendedStructureChain::mayInterceptStoreTo):
1820         * runtime/IntendedStructureChain.h:
1821         * runtime/Structure.cpp:
1822         (JSC::Structure::getConcurrently):
1823         * runtime/Structure.h:
1824         * runtime/StructureInlines.h:
1825         (JSC::Structure::getConcurrently):
1826
1827 2014-09-20  Filip Pizlo  <fpizlo@apple.com>
1828
1829         FTL OSRExit construction should be based on methods that return ExitValues rather than methods that add ExitValues to OSRExit
1830         https://bugs.webkit.org/show_bug.cgi?id=136978
1831
1832         Reviewed by Dean Jackson.
1833
1834         * ftl/FTLLowerDFGToLLVM.cpp:
1835         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
1836         (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
1837         (JSC::FTL::LowerDFGToLLVM::exitArgument):
1838         (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode): Deleted.
1839         (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument): Deleted.
1840         (JSC::FTL::LowerDFGToLLVM::addExitArgument): Deleted.
1841
1842 2014-09-20  Filip Pizlo  <fpizlo@apple.com>
1843
1844         FTL OSR exit should do reboxing and value recovery in the same pass
1845         https://bugs.webkit.org/show_bug.cgi?id=136977
1846
1847         Reviewed by Oliver Hunt.
1848         
1849         It's conceptually simpler to have all of the logic in one place. After the
1850         recover-and-rebox loop is done, all of the exit values are in the form that the baseline
1851         JIT would want them to be in; the only remaining task is to move them into the right
1852         place on the stack after we do all of the necessary stack adjustments.
1853
1854         * ftl/FTLOSRExitCompiler.cpp:
1855         (JSC::FTL::compileStub):
1856
1857 2014-09-19  Filip Pizlo  <fpizlo@apple.com>
1858
1859         StorageAccessData should be referenced in a sensible way
1860         https://bugs.webkit.org/show_bug.cgi?id=136963
1861
1862         Reviewed and rubber stamped by Michael Saboff.
1863
1864         * dfg/DFGAbstractInterpreterInlines.h:
1865         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1866         * dfg/DFGByteCodeParser.cpp:
1867         (JSC::DFG::ByteCodeParser::handleGetByOffset):
1868         (JSC::DFG::ByteCodeParser::handlePutByOffset):
1869         (JSC::DFG::ByteCodeParser::handlePutById):
1870         * dfg/DFGClobberize.h:
1871         (JSC::DFG::clobberize):
1872         * dfg/DFGConstantFoldingPhase.cpp:
1873         (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
1874         (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
1875         * dfg/DFGGraph.cpp:
1876         (JSC::DFG::Graph::dump):
1877         * dfg/DFGGraph.h:
1878         * dfg/DFGNode.h:
1879         (JSC::DFG::Node::convertToGetByOffset):
1880         (JSC::DFG::Node::convertToPutByOffset):
1881         (JSC::DFG::Node::storageAccessData):
1882         (JSC::DFG::Node::storageAccessDataIndex): Deleted.
1883         * dfg/DFGSafeToExecute.h:
1884         (JSC::DFG::safeToExecute):
1885         * dfg/DFGSpeculativeJIT32_64.cpp:
1886         (JSC::DFG::SpeculativeJIT::compile):
1887         * dfg/DFGSpeculativeJIT64.cpp:
1888         (JSC::DFG::SpeculativeJIT::compile):
1889         * ftl/FTLLowerDFGToLLVM.cpp:
1890         (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
1891         (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
1892
1893 2014-09-19  Ryosuke Niwa  <rniwa@webkit.org>
1894
1895         Leak of mallocs under StructureSet::OutOfLineList::create
1896         https://bugs.webkit.org/show_bug.cgi?id=136970
1897
1898         Reviewed by Filip Pizlo.
1899
1900         addOutOfLine should free the old list when expanding the capacity.
1901
1902         * bytecode/StructureSet.cpp:
1903         (JSC::StructureSet::addOutOfLine):
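
        The leak named above, as a constructed illustration added here (not WebKit's
        StructureSet code): a capacity-doubling out-of-line list whose "before" grow path
        replaces the list pointer without freeing the old block, beside the "after" path
        that frees it once the contents are copied out. The names OutOfLineList,
        addOutOfLineLeaky, addOutOfLineFixed, liveBlocksAfterInserting and the g_liveBlocks
        counter are all assumptions of this example; the counter exists only so the leak
        is observable without a leak checker.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>

namespace leak_example {

// Live heap blocks handed out by OutOfLineList::create and not yet destroyed.
// Constructed bookkeeping so a test can see whether a grow leaked the old block.
static int g_liveBlocks = 0;

// A capacity-doubling list whose elements live inline after the header
// (constructed shape; not the layout of WebKit's StructureSet::OutOfLineList).
struct OutOfLineList {
    unsigned length;
    unsigned capacity;

    uintptr_t* list() { return reinterpret_cast<uintptr_t*>(this + 1); }

    static OutOfLineList* create(unsigned capacity) {
        void* raw = std::malloc(sizeof(OutOfLineList) + capacity * sizeof(uintptr_t));
        auto* result = static_cast<OutOfLineList*>(raw);
        result->length = 0;
        result->capacity = capacity;
        ++g_liveBlocks;
        return result;
    }

    static void destroy(OutOfLineList* list) {
        std::free(list);
        --g_liveBlocks;
    }
};

// Copy the contents of `old` into a fresh block with twice the capacity.
static OutOfLineList* createDoubled(OutOfLineList* old) {
    OutOfLineList* bigger = OutOfLineList::create(old->capacity * 2);
    std::memcpy(bigger->list(), old->list(), old->length * sizeof(uintptr_t));
    bigger->length = old->length;
    return bigger;
}

// Before: the pointer is swapped for the bigger block, but the old block is
// never freed, so every expansion leaks one malloc.
static void addOutOfLineLeaky(OutOfLineList*& list, uintptr_t value) {
    if (list->length == list->capacity)
        list = createDoubled(list);   // previous block is lost here
    list->list()[list->length++] = value;
}

// After: free the old block once its contents have been copied out.
static void addOutOfLineFixed(OutOfLineList*& list, uintptr_t value) {
    if (list->length == list->capacity) {
        OutOfLineList* old = list;
        list = createDoubled(old);
        OutOfLineList::destroy(old);
    }
    list->list()[list->length++] = value;
}

// Insert `count` values into a list that starts with capacity 1, destroy the
// final list, and report how many blocks are still live (0 means no leak).
static int liveBlocksAfterInserting(unsigned count, bool useFixedVersion) {
    g_liveBlocks = 0;
    OutOfLineList* list = OutOfLineList::create(1);
    for (unsigned i = 0; i < count; ++i) {
        if (useFixedVersion)
            addOutOfLineFixed(list, static_cast<uintptr_t>(i));
        else
            addOutOfLineLeaky(list, static_cast<uintptr_t>(i));
    }
    OutOfLineList::destroy(list);
    return g_liveBlocks;
}

} // namespace leak_example
```

        Inserting eight values from capacity 1 grows the list three times (1 to 2, 2 to 4,
        4 to 8), so the leaky path leaves three blocks live while the fixed path leaves none;
        the same pattern shows up under a leak checker as one stale malloc per expansion.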
1904
1905 2014-09-19  Daniel Bates  <dabates@apple.com>
1906
1907         Always assume internal SDK when building configuration Production
1908         https://bugs.webkit.org/show_bug.cgi?id=136925
1909         <rdar://problem/18362399>
1910
1911         Reviewed by Dan Bernstein.
1912
1913         As a side effect of this change we will always enable ENABLE_TOUCH_EVENTS, ENABLE_IOS_{GESTURE, TOUCH}_EVENTS,
1914         and ENABLE_XSLT when either building configuration Production or building with the Internal SDK.
1915
1916         * Configurations/Base.xcconfig:
1917
1918 2014-09-19  Diego Pino Garcia  <dpino@igalia.com>
1919
1920         Simple ES6 feature: String prototype additions
1921         https://bugs.webkit.org/show_bug.cgi?id=131704
1922
1923         Reviewed by Darin Adler.
1924
1925         * runtime/StringPrototype.cpp:
1926         (JSC::StringPrototype::finishCreation):
1927         (JSC::stringProtoFuncStartsWith): Added.
1928         (JSC::stringProtoFuncEndsWith): Added.
1929         (JSC::stringProtoFuncContains): Added.
1930
1931 2014-09-18  Joseph Pecoraro  <pecoraro@apple.com>
1932
1933         Unreviewed rollout r173731. Broke multiple builds.
1934
1935         * inspector/JSGlobalObjectInspectorController.cpp:
1936         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1937         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
1938         * inspector/JSGlobalObjectInspectorController.h:
1939         * inspector/remote/RemoteInspector.h:
1940         * inspector/remote/RemoteInspector.mm:
1941         (Inspector::RemoteInspector::RemoteInspector):
1942         (Inspector::RemoteInspector::setupFailed):
1943         (Inspector::RemoteInspector::start):
1944         (Inspector::RemoteInspector::stopInternal):
1945         (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
1946         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
1947         (Inspector::RemoteInspector::xpcConnectionFailed):
1948         (Inspector::RemoteInspector::receivedSetupMessage):
1949         (Inspector::globalAutomaticInspectionState): Deleted.
1950         (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate): Deleted.
1951         (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage): Deleted.
1952         (Inspector::RemoteInspector::setupSucceeded): Deleted.
1953         (Inspector::RemoteInspector::waitingForAutomaticInspection): Deleted.
1954         (Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage): Deleted.
1955         (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage): Deleted.
1956         * inspector/remote/RemoteInspectorConstants.h:
1957         * inspector/remote/RemoteInspectorDebuggable.cpp:
1958         (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
1959         (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection): Deleted.
1960         * inspector/remote/RemoteInspectorDebuggable.h:
1961         * inspector/remote/RemoteInspectorDebuggableConnection.h:
1962         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
1963         (Inspector::RemoteInspectorDebuggableConnection::setup):
1964         * runtime/JSGlobalObjectDebuggable.cpp:
1965         (JSC::JSGlobalObjectDebuggable::connect):
1966         (JSC::JSGlobalObjectDebuggable::pauseWaitingForAutomaticInspection): Deleted.
1967         * runtime/JSGlobalObjectDebuggable.h:
1968
1969 2014-09-18  Joseph Pecoraro  <pecoraro@apple.com>
1970
1971         Web Inspector: Should be able to attach a debugger to a JSContext before anything is executed
1972         https://bugs.webkit.org/show_bug.cgi?id=136893
1973
1974         Reviewed by Timothy Hatcher.
1975
1976         Adds new remote inspector protocol handling for automatic inspection.
1977         Debuggers can signal they have enabled automatic inspection, and
1978         when debuggables are created the current application will pause to
1979         see if the debugger will inspect or decline to inspect the debuggable.
1980
1981         * inspector/remote/RemoteInspectorConstants.h:
1982         * inspector/remote/RemoteInspector.h:
1983         * inspector/remote/RemoteInspector.mm:
1984         (Inspector::globalAutomaticInspectionState):
1985         (Inspector::RemoteInspector::RemoteInspector):
1986         (Inspector::RemoteInspector::start):
1987         When first starting, check the global "is there an auto-inspect" debugger state.
1988         This is necessary so that the current application knows if it should pause or
1989         not when a debuggable is created, even without having connected to webinspectord yet.
1990
1991         (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate):
1992         When a debuggable has enabled remote inspection, take this path to propose
1993         it as an automatic inspection candidate if there is an auto-inspect debugger.
1994
1995         (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage):
1996         Send the automatic inspection candidate message.
1997
1998         (Inspector::RemoteInspector::receivedSetupMessage):
1999         (Inspector::RemoteInspector::setupFailed):
2000         (Inspector::RemoteInspector::setupSucceeded):
2001         After attempting to open an inspector, unpause if it was for the
2002         automatic inspection candidate.
2003
2004         (Inspector::RemoteInspector::waitingForAutomaticInspection):
2005         When running a nested runloop, check if we should remain paused.
2006
2007         (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
2008         If by the time we connect to webinspectord we have a candidate, then
2009         immediately send the candidate message.
2010
2011         (Inspector::RemoteInspector::stopInternal):
2012         (Inspector::RemoteInspector::xpcConnectionFailed):
2013         In error cases, clear our state.
2014
2015         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
2016         (Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage):
2017         (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage):
2018         Update state when receiving new messages.
2019
2020
2021         * inspector/remote/RemoteInspectorDebuggable.h:
2022         * inspector/remote/RemoteInspectorDebuggable.cpp:
2023         (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
2024         Special case when a debuggable is newly allowed to be debuggable.
2025
2026         (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection):
2027         Run a nested run loop while this is an automatic inspection candidate.
2028
2029         * inspector/JSGlobalObjectInspectorController.h:
2030         * inspector/JSGlobalObjectInspectorController.cpp:
2031         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2032         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
2033         When the inspector starts via automatic inspection automatically pause.
2034         We plan on removing this condition by having the frontend signal to the
2035         backend when it is completely initialized.
2036         
2037         * inspector/remote/RemoteInspectorDebuggableConnection.h:
2038         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
2039         (Inspector::RemoteInspectorDebuggableConnection::setup):
2040         Pass on the flag of whether or not this was automatic inspection.
2041
2042         * runtime/JSGlobalObjectDebuggable.h:
2043         * runtime/JSGlobalObjectDebuggable.cpp:
2044         (JSC::JSGlobalObjectDebuggable::connect):
2045         (JSC::JSGlobalObjectDebuggable::pauseWaitingForAutomaticInspection):
2046         When pausing in a JSGlobalObject we need to release the API lock.
2047
2048 2014-09-18  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>
2049
2050         Fix "Tools/Scripts/build-webkit --efl --no-inspector" build
2051         https://bugs.webkit.org/show_bug.cgi?id=136912
2052
2053         Reviewed by Darin Adler.
2054
2055         * runtime/TypeSet.cpp:
2056         (JSC::TypeSet::leastCommonAncestor):
2057
2058 2014-09-17  Michael Saboff  <msaboff@apple.com>
2059
2060         Change CallFrame to use Callee instead of JSScope to implement vm()
2061         https://bugs.webkit.org/show_bug.cgi?id=136894
2062
2063         Reviewed by Geoffrey Garen.
2064
2065         Added JSCell::vm() method that can be used on any JSObject.  Changed CallFrame::vm() to
2066         use JSCell::vm with the Callee.  Made similar changes in the LLInt.
2067         In support of this, changed JSGlobalObject::init() to take a VM& parameter, as there is
2068         a chicken/egg problem with trying to use the Callee in the global exec before the Callee
2069         has been created.  Besides, the vm is readily available in finishCreation(), the caller of
2070         init().
2071
2072         * llint/LowLevelInterpreter32_64.asm:
2073         * llint/LowLevelInterpreter64.asm:
2074         Changed the calculation of CallFrame::VM to use the Callee instead of JSScope.
2075
2076         * runtime/JSCell.h:
2077         * runtime/JSCellInlines.h:
2078         (JSC::JSCell::vm): New method for getting VM from the pointer.
2079         (JSC::ExecState::vm): Moved this method from JSScope.h to here since this file
2080         contains the implementation of JSCell::vm(), this file is included by all users
2081         of CallFrame::vm, and lastly putting it in CallFrameInlines.h required changing
2082         many other .h files and possibly the WebCore generator generate-bindings.pl.
2083
2084         * runtime/JSGlobalObject.cpp:
2085         (JSC::JSGlobalObject::init):
2086         * runtime/JSGlobalObject.h:
2087         (JSC::JSGlobalObject::finishCreation):
2088         Changed init() to take a VM parameter.
2089
2090         * runtime/JSScope.h:
2091         (JSC::ExecState::vm): Deleted.
2092
2093 2014-09-16  Filip Pizlo  <fpizlo@apple.com>
2094
2095         Unreviewed, disable native inlining because it causes build failures.
2096
2097         * JavaScriptCore.xcodeproj/project.pbxproj:
2098
2099 2014-09-16  Joseph Pecoraro  <pecoraro@apple.com>
2100
2101         Web Inspector: Reduce a bit of churn setting initial remote inspection state
2102         https://bugs.webkit.org/show_bug.cgi?id=136875
2103
2104         Reviewed by Timothy Hatcher.
2105
2106         * API/JSContextRef.cpp:
2107         (JSGlobalContextCreateInGroup):
2108         Set the default remote debuggable state at the API boundary.
2109
2110         * runtime/JSGlobalObject.cpp:
2111         (JSC::JSGlobalObject::init):
2112         Do not set remote debuggable state here. Let clients set it.
2113
2114 2014-09-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2115
2116         Promise: Drop Promise.cast
2117         https://bugs.webkit.org/show_bug.cgi?id=136222
2118
2119         Reviewed by Sam Weinig.
2120
2121         Promise.cast is dropped and Promise.resolve is replaced with old Promise.cast.
2122
2123         * runtime/CommonIdentifiers.h:
2124         * runtime/JSPromiseConstructor.cpp:
2125         (JSC::JSPromiseConstructorFuncResolve):
2126         (JSC::JSPromiseConstructorFuncRace):
2127         (JSC::JSPromiseConstructorFuncAll):
2128         (JSC::JSPromiseConstructorFuncCast): Deleted.
2129
2130 2014-09-16  Filip Pizlo  <fpizlo@apple.com>
2131
2132         Local OSR availability calculation should be reusable
2133         https://bugs.webkit.org/show_bug.cgi?id=136860
2134
2135         Reviewed by Oliver Hunt.
2136         
2137         Previously, the FTL lowering repeated some of the logic of the OSR availability analysis
2138         phase. Humorously, it actually did this logic a bit differently; for example the phase
2139         would claim that a SetLocal makes both the flush and the node available while the FTL
2140         only claimed that the flush was available. This difference was benign, but still: yuck!
2141         
2142         Also, previously if you wanted to use availability information then you'd have to repeat
2143         some of the logic that both the phase itself and the FTL lowering already had.
2144         Presumably, you could get epic style points for finding other benign ways in which to
2145         make your copy of the logic different from the other two!
2146         
2147         This reduces the amount of style points one could conceivably get in the future when
2148         hacking JSC, by creating a single reusable thingy for computing local OSR availability.
2149
2150         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2151         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
2152         (JSC::DFG::LocalOSRAvailabilityCalculator::LocalOSRAvailabilityCalculator):
2153         (JSC::DFG::LocalOSRAvailabilityCalculator::~LocalOSRAvailabilityCalculator):
2154         (JSC::DFG::LocalOSRAvailabilityCalculator::beginBlock):
2155         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
2156         * dfg/DFGOSRAvailabilityAnalysisPhase.h:
2157         * ftl/FTLLowerDFGToLLVM.cpp:
2158         (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
2159         (JSC::FTL::LowerDFGToLLVM::compileBlock):
2160         (JSC::FTL::LowerDFGToLLVM::compileNode):
2161         (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
2162         (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
2163         (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
2164         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
2165         (JSC::FTL::LowerDFGToLLVM::availability):
2166         (JSC::FTL::LowerDFGToLLVM::compileMovHint): Deleted.
2167         (JSC::FTL::LowerDFGToLLVM::compileZombieHint): Deleted.
2168         (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock): Deleted.
2169
2170 2014-09-16  Csaba Osztrogonác  <ossy@webkit.org>
2171
2172         JSC test gardening
2173         https://bugs.webkit.org/show_bug.cgi?id=136823
2174
2175         Reviewed by Geoffrey Garen.
2176
2177         * tests/mozilla/mozilla-tests.yaml: Unskip passing tests.
2178
2179 2014-09-15  Michael Saboff  <msaboff@apple.com>
2180
2181         Create a JSCallee for GlobalExec object
2182         https://bugs.webkit.org/show_bug.cgi?id=136840
2183
2184         Reviewed by Geoffrey Garen.
2185
2186         Added m_globalCallee, initialized it and then used it to set the globalExec's callee.
2187
2188         * runtime/JSGlobalObject.cpp:
2189         (JSC::JSGlobalObject::init):
2190         (JSC::JSGlobalObject::visitChildren):
2191         * runtime/JSGlobalObject.h:
2192
2193 2014-09-14  Filip Pizlo  <fpizlo@apple.com>
2194
2195         DFG ref count calculation should be reusable
2196         https://bugs.webkit.org/show_bug.cgi?id=136811
2197
2198         Reviewed by Oliver Hunt.
2199         
2200         Henceforth if you call Graph::computeRefCounts(), a nifty O(n) operation, every Node
2201         will be able to tell you how many places it is used from. Currently only DCE uses this,
2202         but it will be useful for https://bugs.webkit.org/show_bug.cgi?id=136330.
2203
2204         * dfg/DFGDCEPhase.cpp:
2205         (JSC::DFG::DCEPhase::run):
2206         (JSC::DFG::DCEPhase::findTypeCheckRoot): Deleted.
2207         (JSC::DFG::DCEPhase::countNode): Deleted.
2208         (JSC::DFG::DCEPhase::countEdge): Deleted.
2209         * dfg/DFGGraph.cpp:
2210         (JSC::DFG::Graph::computeRefCounts):
2211         * dfg/DFGGraph.h:
2212
2213 2014-09-12  Michael Saboff  <msaboff@apple.com>
2214
2215         Merge JSGlobalObject::reset() into ::init()
2216         https://bugs.webkit.org/show_bug.cgi?id=136800
2217
2218         Reviewed by Oliver Hunt.
2219
2220         Moved the contents of reset() into init().
2221         Note that the diff shows more changes.
2222
2223         * runtime/JSGlobalObject.cpp:
2224         (JSC::JSGlobalObject::init): Moved body of reset() into init.
2225         (JSC::JSGlobalObject::put):
2226         (JSC::JSGlobalObject::defineOwnProperty):
2227         (JSC::JSGlobalObject::addGlobalVar):
2228         (JSC::JSGlobalObject::addFunction):
2229         (JSC::lastInPrototypeChain):
2230         (JSC::JSGlobalObject::reset): Deleted.
2231         * runtime/JSGlobalObject.h:
2232
2233 2014-09-12  Michael Saboff  <msaboff@apple.com>
2234
2235         Add JSCallee to program and eval CallFrames
2236         https://bugs.webkit.org/show_bug.cgi?id=136785
2237
2238         Reviewed by Mark Lam.
2239
2240         Populated Callee slot for program and call eval CallFrames with JSCallee objects.
2241         Made supporting changes including adding a JSCallee structure to global object and adding
2242         JSCallee::create() method.  Added code so that the newly added callee object won't be
2243         returned by Function.caller.  Changed null pointer checks of callee to check if
2244         the type is JSFunction* or JSCallee*.
2245
2246         * debugger/DebuggerCallFrame.cpp:
2247         (JSC::DebuggerCallFrame::functionName):
2248         (JSC::DebuggerCallFrame::type):
2249         * profiler/LegacyProfiler.cpp:
2250         (JSC::LegacyProfiler::createCallIdentifier):
2251         * interpreter/Interpreter.cpp:
2252         (JSC::unwindCallFrame):
2253         Changed checks to whether callee is a JSFunction* or JSCallee* instead of just checking
2254         if it is null or not.
2255
2256         * interpreter/Interpreter.cpp:
2257         (JSC::Interpreter::execute): Create and use JSCallee objects for execute(EvalExecutable, ...)
2258         and execute(ProgramExecutable, ...)
2259
2260         * jit/JITCode.cpp:
2261         (JSC::JITCode::execute): Use jsDynamicCast to cast only JSFunctions.
2262
2263         * runtime/JSCallee.cpp:
2264         (JSC::JSCallee::create): Not used, therefore deleted.
2265
2266         * runtime/JSCallee.h:
2267         (JSC::JSCallee::create): Added.
2268
2269         * runtime/JSFunction.cpp:
2270         (JSC::JSFunction::callerGetter): Added test to return null for JSCallee's that aren't
2271         JSFunction's.  This can only be the case when the JSCallee comes from a program or
2272         call eval CallFrame.
2273
2274         * runtime/JSGlobalObject.cpp:
2275         (JSC::JSGlobalObject::reset):
2276         (JSC::JSGlobalObject::visitChildren):
2277         * runtime/JSGlobalObject.h:
2278         (JSC::JSGlobalObject::calleeStructure):
2279         Added new JSCallee structure.
2280
2281 2014-09-10  Jon Honeycutt  <jhoneycutt@apple.com>
2282
2283         Re-add the request autocomplete feature
2284
2285         <https://bugs.webkit.org/show_bug.cgi?id=136730>
2286
2287         This feature was rolled out in r148731 because it was only used by
2288         Chromium. As we consider supporting this feature, roll it back in, but
2289         leave it disabled.
2290
2291         This rolls out r148731 (which removed the feature) with small changes
2292         needed to make the code build in ToT, to match modern style, to make
2293         the tests run, and to remove unused code.
2294
2295         Reviewed by Andy Estes.
2296
2297         * Configurations/FeatureDefines.xcconfig:
2298
2299 2014-09-12  Julien Brianceau  <jbriance@cisco.com>
2300
2301         [x86] moveDoubleToInts() does not clobber its source register anymore
2302         https://bugs.webkit.org/show_bug.cgi?id=131690
2303
2304         Reviewed by Oliver Hunt.
2305
2306         * assembler/MacroAssemblerX86.h:
2307         (JSC::MacroAssemblerX86::moveDoubleToInts):
2308         * dfg/DFGSpeculativeJIT.cpp:
2309         (JSC::DFG::SpeculativeJIT::compileValueRep):
2310         * jit/SpecializedThunkJIT.h:
2311         (JSC::SpecializedThunkJIT::returnDouble):
2312
2313 2014-09-12  Mark Lam  <mark.lam@apple.com>
2314
2315         Unreviewed build fix for CLOOP build.
2316
2317         * runtime/JSCallee.h:
2318
2319 2014-09-12  Michael Saboff  <msaboff@apple.com>
2320
2321         Remove unneeded declarations from JSCallee.h
2322         https://bugs.webkit.org/show_bug.cgi?id=136783
2323
2324         Reviewed by Mark Lam.
2325
2326         * runtime/JSCallee.h:
2327         (JSCallee::name): Deleted.
2328         (JSCallee::displayName): Deleted.
2329         (JSCallee::calculatedDisplayName): Deleted.
2330
2331 2014-09-11  Brian J. Burg  <burg@cs.washington.edu>
2332
2333         Web Inspector: disambiguate double and integer primitive types in the protocol
2334         https://bugs.webkit.org/show_bug.cgi?id=136606
2335
2336         Reviewed by Timothy Hatcher.
2337
2338         Right now it's really easy to mix up doubles and integers when serializing or deserializing
2339         values for the inspector protocol. This patch disambiguates setting/getting doubles and integers
2340         so that it is clearer as to which type is intended.
2341
2342         A new InspectorValue::Type is added for Integer types, and the Number type is renamed to Double.
2343         The existing callsites for asNumber/getNumber/setNumber have been fixed.
2344
2345         Address various integration points to make sure the right type tag is assigned to InspectorValues.
2346
2347         * bindings/ScriptValue.cpp:
2348         (Deprecated::jsToInspectorValue): Make an Integer if the JSValue is Int52 or smaller.
2349         * inspector/InjectedScriptManager.cpp:
2350         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
2351         * inspector/InspectorBackendDispatcher.cpp:
2352         (Inspector::InspectorBackendDispatcher::dispatch):
2353         (Inspector::InspectorBackendDispatcher::sendResponse):
2354         (Inspector::InspectorBackendDispatcher::reportProtocolError):
2355         (Inspector::AsMethodBridges::asInteger):
2356         (Inspector::AsMethodBridges::asDouble):
2357         (Inspector::InspectorBackendDispatcher::getInteger):
2358         (Inspector::InspectorBackendDispatcher::getDouble):
2359         (Inspector::AsMethodBridges::asInt): Deleted.
2360         (Inspector::InspectorBackendDispatcher::getInt): Deleted.
2361         * inspector/InspectorBackendDispatcher.h:
2362         * inspector/InspectorProtocolTypes.h: Remove the special case for checking int type tags.
2363         (Inspector::Protocol::ArrayItemHelper<int>::Traits::pushRaw):
2364         (Inspector::Protocol::ArrayItemHelper<double>::Traits::pushRaw):
2365         (Inspector::Protocol::BindingTraits<int>::assertValueHasExpectedType): Deleted.
2366         * inspector/InspectorValues.cpp: Allow integers and doubles to be convertible using asInteger/asDouble.
2367         (Inspector::InspectorValue::asDouble):
2368         (Inspector::InspectorValue::asInteger):
2369         (Inspector::InspectorBasicValue::asDouble):
2370         (Inspector::InspectorBasicValue::asInteger):
2371         (Inspector::InspectorBasicValue::writeJSON):
2372         (Inspector::InspectorValue::asNumber): Deleted.
2373         (Inspector::InspectorBasicValue::asNumber): Deleted.
2374         * inspector/InspectorValues.h:
2375         (Inspector::InspectorObjectBase::setInteger):
2376         (Inspector::InspectorObjectBase::setDouble):
2377         (Inspector::InspectorArrayBase::pushInteger):
2378         (Inspector::InspectorArrayBase::pushDouble):
2379         (Inspector::InspectorObjectBase::setNumber): Deleted.
2380         (Inspector::InspectorArrayBase::pushInt): Deleted.
2381         (Inspector::InspectorArrayBase::pushNumber): Deleted.
2382         * inspector/agents/InspectorDebuggerAgent.cpp:
2383         (Inspector::buildObjectForBreakpointCookie):
2384         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
2385         (Inspector::parseLocation):
2386         (Inspector::InspectorDebuggerAgent::didParseSource):
2387         * inspector/agents/InspectorRuntimeAgent.cpp:
2388         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
2389         * inspector/scripts/codegen/generator.py: Update emitted code and rebaseline test results.
2390         (Generator.keyed_get_method_for_type):
2391         (Generator.keyed_set_method_for_type):
2392         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2393         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2394         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2395         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2396         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2397         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2398         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2399         * replay/EncodedValue.cpp:
2400         (JSC::EncodedValue::convertTo<double>):
2401         (JSC::EncodedValue::convertTo<float>):
2402         (JSC::EncodedValue::convertTo<int32_t>):
2403         (JSC::EncodedValue::convertTo<int64_t>):
2404         (JSC::EncodedValue::convertTo<uint32_t>):
2405         (JSC::EncodedValue::convertTo<uint64_t>):
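
        The integer/double split described above, as a constructed example added here (not
        WebKit's InspectorValue): a protocol value with distinct Integer and Double type
        tags, asInteger/asDouble accessors that accept either numeric tag (as the entry
        says) but refuse anything else, and a JSON writer that emits an Integer without a
        fractional part. The names protocol_example, Value, Type and fromNumber are
        assumptions; so is the classification rule in fromNumber (integral values in int32
        range become Integer, where the entry speaks of Int52 or smaller) and the choice to
        truncate a Double toward zero in asInteger.

```cpp
#include <cmath>
#include <cstdio>
#include <limits>
#include <string>

namespace protocol_example {

// Distinct tags so a serializer never has to guess which numeric type was meant.
enum class Type { Null, Boolean, Integer, Double };

class Value {
public:
    static Value null() { return Value(Type::Null); }
    static Value boolean(bool b) { Value v(Type::Boolean); v.m_bool = b; return v; }
    static Value integer(int i) { Value v(Type::Integer); v.m_number = i; return v; }
    static Value doubleValue(double d) { Value v(Type::Double); v.m_number = d; return v; }

    // Classify a JS number: integral and within int32 range becomes Integer,
    // everything else (fractions, huge values, NaN, infinities) stays Double.
    // Assumption: int32 range here; the ChangeLog entry uses Int52 as the cutoff.
    static Value fromNumber(double d) {
        if (std::isfinite(d) && std::floor(d) == d
            && d >= std::numeric_limits<int>::min()
            && d <= std::numeric_limits<int>::max())
            return integer(static_cast<int>(d));
        return doubleValue(d);
    }

    Type type() const { return m_type; }

    // Integer and Double convert to each other; other tags fail instead of
    // silently yielding 0. A Double is truncated toward zero (assumption).
    bool asInteger(int& out) const {
        if (m_type != Type::Integer && m_type != Type::Double)
            return false;
        out = static_cast<int>(m_number);
        return true;
    }

    bool asDouble(double& out) const {
        if (m_type != Type::Integer && m_type != Type::Double)
            return false;
        out = m_number;
        return true;
    }

    // JSON text: an Integer has no fractional part; a Double keeps full precision.
    std::string writeJSON() const {
        switch (m_type) {
        case Type::Null:
            return "null";
        case Type::Boolean:
            return m_bool ? "true" : "false";
        case Type::Integer:
            return std::to_string(static_cast<long long>(m_number));
        case Type::Double: {
            char buf[32];
            std::snprintf(buf, sizeof buf, "%.17g", m_number);
            return buf;
        }
        }
        return "null";
    }

private:
    explicit Value(Type t) : m_type(t) {}
    Type m_type;
    bool m_bool = false;
    double m_number = 0;   // holds both Integer and Double payloads exactly
};

} // namespace protocol_example
```

        The point of carrying the tag rather than just a double is that a consumer expecting
        an integer (a line number, a breakpoint id) can check type() and reject a Double
        explicitly, instead of discovering the mismatch after a lossy cast.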
2406
2407 2014-09-11  Joseph Pecoraro  <pecoraro@apple.com>
2408
2409         Web Inspector: Occasional ASSERT closing web inspector
2410         https://bugs.webkit.org/show_bug.cgi?id=136762
2411
2412         Reviewed by Timothy Hatcher.
2413
2414         It is harmless, and indeed possible to have an empty set of listeners
2415         now that each Page gets its own PageDebugServer instead of a shared
2416         global. So we should replace the null checks with isEmpty checks.
2417         Since nobody was ever returning null, convert to references as well.
2418
2419         * inspector/JSGlobalObjectScriptDebugServer.h:
2420         * inspector/ScriptDebugServer.cpp:
2421         (Inspector::ScriptDebugServer::dispatchBreakpointActionLog):
2422         (Inspector::ScriptDebugServer::dispatchBreakpointActionSound):
2423         (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe):
2424         (Inspector::ScriptDebugServer::sourceParsed):
2425         (Inspector::ScriptDebugServer::dispatchFunctionToListeners):
2426         (Inspector::ScriptDebugServer::notifyDoneProcessingDebuggerEvents):
2427         (Inspector::ScriptDebugServer::handlePause):
2428         (Inspector::ScriptDebugServer::needPauseHandling): Deleted.
2429         * inspector/ScriptDebugServer.h:
2430
2431 2014-09-10  Michael Saboff  <msaboff@apple.com>
2432
2433         Move JSScope out of JSFunction into separate JSCallee class
2434         https://bugs.webkit.org/show_bug.cgi?id=136725
2435
2436         Reviewed by Oliver Hunt.
2437
2438         Created new JSCallee class that contains a JSScope*.  Changed JSFunction to inherit from
2439         JSCallee.
2440
2441         * CMakeLists.txt:
2442         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2443         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2444         * JavaScriptCore.xcodeproj/project.pbxproj:
2445         Build changes.  Added JSCallee.cpp and JSCallee.h.
2446
2447         * runtime/JSCallee.cpp: Added.
2448         (JSC::JSCallee::create):
2449         (JSC::JSCallee::destroy):
2450         (JSC::JSCallee::JSCallee):
2451         (JSC::JSCallee::finishCreation):
2452         (JSC::JSCallee::visitChildren):
2453         (JSC::JSCallee::getOwnPropertySlot): Pass through wrapper function.
2454         (JSC::JSCallee::getOwnNonIndexPropertyNames): Pass through wrapper function.
2455         (JSC::JSCallee::put): Pass through wrapper function.
2456         (JSC::JSCallee::deleteProperty): Pass through wrapper function.
2457         (JSC::JSCallee::defineOwnProperty): Pass through wrapper function.
2458
2459         * runtime/JSCallee.h: Added.
2460         (JSC::JSCallee::scope):
2461         (JSC::JSCallee::scopeUnchecked):
2462         (JSC::JSCallee::setScope):
2463         (JSC::JSCallee::createStructure):
2464         (JSC::JSCallee::offsetOfScopeChain):
2465
2466         * runtime/JSFunction.cpp:
2467         (JSC::JSFunction::JSFunction):
2468         (JSC::JSFunction::addNameScopeIfNeeded):
2469         (JSC::JSFunction::visitChildren):
2470         * runtime/JSFunction.h:
2471         (JSC::JSFunction::scope): Deleted.
2472         (JSC::JSFunction::scopeUnchecked): Deleted.
2473         (JSC::JSFunction::setScope): Deleted.
2474         (JSC::JSFunction::offsetOfScopeChain): Deleted.
2475         * runtime/JSFunctionInlines.h:
2476         (JSC::JSFunction::JSFunction):
2477         Changed to reference JSCallee and its methods.
2478
2479         * runtime/JSType.h: Added JSCallee as a TypeEnum.
2480
2481 2014-09-11  Filip Pizlo  <fpizlo@apple.com>
2482
2483         REGRESSION (r172129): Vine pages load as blank
2484         https://bugs.webkit.org/show_bug.cgi?id=136655
2485         rdar://problem/18281215
2486
2487         Reviewed by Michael Saboff.
2488         
2489         If lastNode is something that is subject to DCE, then removing the Phantom's reference to something
2490         that lastNode references means that the thing being referenced may no longer be kept alive for OSR.
2491         Teach PhantomRemovalPhase that it's only safe to do this if lastNode is a Phantom. That's probably too
2492         conservative, but that's fine since this is mainly just an optimization to make the IR sane to read and
2493         reasonably compact; it's OK if we miss cases here.
2494
2495         * dfg/DFGPhantomRemovalPhase.cpp:
2496         (JSC::DFG::PhantomRemovalPhase::run):
2497         * tests/stress/remove-phantom-after-setlocal.js: Added.
2498
2499 2014-09-11  Bear Travis  <betravis@adobe.com>
2500
2501         [CSS Font Loading] Enable CSS Font Loading on Mac
2502         https://bugs.webkit.org/show_bug.cgi?id=135473
2503
2504         Reviewed by Antti Koivisto.
2505
2506         Enable CSS Font Loading in FeatureDefines.
2507
2508         * Configurations/FeatureDefines.xcconfig:
2509
2510 2014-09-11  Joseph Pecoraro  <pecoraro@apple.com>
2511
2512         Unreviewed rebaseline of inspector generator test results after r173120.
2513
2514         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2515         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2516         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2517         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2518
2519 2014-09-11  Oliver Hunt  <oliver@apple.com>
2520
2521         Rename activation to be more in line with spec language
2522         https://bugs.webkit.org/show_bug.cgi?id=136721
2523
2524         Reviewed by Michael Saboff.
2525
2526         Somewhat bigger than the last one, but still just a rename.
2527
2528         * CMakeLists.txt:
2529         * JavaScriptCore.order:
2530         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2531         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2532         * JavaScriptCore.xcodeproj/project.pbxproj:
2533         * bytecode/BytecodeList.json:
2534         * bytecode/BytecodeUseDef.h:
2535         (JSC::computeUsesForBytecodeOffset):
2536         (JSC::computeDefsForBytecodeOffset):
2537         * bytecode/CallVariant.h:
2538         * bytecode/CodeBlock.cpp:
2539         (JSC::CodeBlock::dumpBytecode):
2540         (JSC::CodeBlock::CodeBlock):
2541         (JSC::CodeBlock::finalizeUnconditionally):
2542         (JSC::CodeBlock::isCaptured):
2543         (JSC::CodeBlock::nameForRegister):
2544         * bytecode/CodeBlock.h:
2545         (JSC::CodeBlock::setActivationRegister):
2546         (JSC::CodeBlock::activationRegister):
2547         (JSC::CodeBlock::uncheckedActivationRegister):
2548         (JSC::CodeBlock::needsActivation):
2549         * bytecode/Instruction.h:
2550         * bytecode/UnlinkedCodeBlock.h:
2551         (JSC::UnlinkedCodeBlock::setActivationRegister):
2552         (JSC::UnlinkedCodeBlock::activationRegister):
2553         (JSC::UnlinkedCodeBlock::hasActivationRegister):
2554         * bytecompiler/BytecodeGenerator.cpp:
2555         (JSC::BytecodeGenerator::BytecodeGenerator):
2556         (JSC::BytecodeGenerator::emitReturn):
2557         * bytecompiler/BytecodeGenerator.h:
2558         * debugger/DebuggerCallFrame.cpp:
2559         (JSC::DebuggerCallFrame::scope):
2560         * debugger/DebuggerScope.cpp:
2561         (JSC::DebuggerScope::isFunctionOrEvalScope):
2562         * dfg/DFGByteCodeParser.cpp:
2563         (JSC::DFG::ByteCodeParser::parseBlock):
2564         * dfg/DFGCapabilities.cpp:
2565         (JSC::DFG::capabilityLevel):
2566         * dfg/DFGGraph.cpp:
2567         (JSC::DFG::Graph::tryGetActivation):
2568         (JSC::DFG::Graph::tryGetRegisters):
2569         * dfg/DFGGraph.h:
2570         * dfg/DFGNodeType.h:
2571         * dfg/DFGOperations.cpp:
2572         * dfg/DFGSpeculativeJIT32_64.cpp:
2573         (JSC::DFG::SpeculativeJIT::compile):
2574         * dfg/DFGSpeculativeJIT64.cpp:
2575         (JSC::DFG::SpeculativeJIT::compile):
2576         * interpreter/CallFrame.cpp:
2577         (JSC::CallFrame::lexicalEnvironment):
2578         (JSC::CallFrame::setActivation):
2579         (JSC::CallFrame::activation): Deleted.
2580         * interpreter/CallFrame.h:
2581         * interpreter/Interpreter.cpp:
2582         (JSC::unwindCallFrame):
2583         * interpreter/Register.h:
2584         * jit/JIT.cpp:
2585         (JSC::JIT::privateCompileMainPass):
2586         * jit/JIT.h:
2587         * jit/JITOpcodes.cpp:
2588         (JSC::JIT::emit_op_tear_off_lexical_environment):
2589         (JSC::JIT::emit_op_tear_off_arguments):
2590         (JSC::JIT::emit_op_create_lexical_environment):
2591         (JSC::JIT::emit_op_tear_off_activation): Deleted.
2592         (JSC::JIT::emit_op_create_activation): Deleted.
2593         * jit/JITOpcodes32_64.cpp:
2594         (JSC::JIT::emit_op_tear_off_lexical_environment):
2595         (JSC::JIT::emit_op_tear_off_arguments):
2596         (JSC::JIT::emit_op_create_lexical_environment):
2597         (JSC::JIT::emit_op_tear_off_activation): Deleted.
2598         (JSC::JIT::emit_op_create_activation): Deleted.
2599         * jit/JITOperations.cpp:
2600         * jit/JITOperations.h:
2601         * llint/LLIntSlowPaths.cpp:
2602         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2603         * llint/LLIntSlowPaths.h:
2604         * llint/LowLevelInterpreter32_64.asm:
2605         * llint/LowLevelInterpreter64.asm:
2606         * runtime/Arguments.cpp:
2607         (JSC::Arguments::visitChildren):
2608         (JSC::Arguments::tearOff):
2609         (JSC::Arguments::didTearOffActivation):
2610         * runtime/Arguments.h:
2611         (JSC::Arguments::offsetOfActivation):
2612         (JSC::Arguments::argument):
2613         (JSC::Arguments::finishCreation):
2614         * runtime/CommonSlowPaths.cpp:
2615         * runtime/JSFunction.h:
2616         * runtime/JSGlobalObject.cpp:
2617         (JSC::JSGlobalObject::reset):
2618         (JSC::JSGlobalObject::visitChildren):
2619         * runtime/JSGlobalObject.h:
2620         (JSC::JSGlobalObject::activationStructure):
2621         * runtime/JSLexicalEnvironment.cpp: Renamed from Source/JavaScriptCore/runtime/JSActivation.cpp.
2622         (JSC::JSLexicalEnvironment::visitChildren):
2623         (JSC::JSLexicalEnvironment::symbolTableGet):
2624         (JSC::JSLexicalEnvironment::symbolTablePut):
2625         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
2626         (JSC::JSLexicalEnvironment::symbolTablePutWithAttributes):
2627         (JSC::JSLexicalEnvironment::getOwnPropertySlot):
2628         (JSC::JSLexicalEnvironment::put):
2629         (JSC::JSLexicalEnvironment::deleteProperty):
2630         (JSC::JSLexicalEnvironment::toThis):
2631         (JSC::JSLexicalEnvironment::argumentsGetter):
2632         * runtime/JSLexicalEnvironment.h: Renamed from Source/JavaScriptCore/runtime/JSActivation.h.
2633         (JSC::JSLexicalEnvironment::create):
2634         (JSC::JSLexicalEnvironment::createStructure):
2635         (JSC::JSLexicalEnvironment::JSLexicalEnvironment):
2636         (JSC::asActivation):
2637         (JSC::Register::lexicalEnvironment):
2638         (JSC::JSLexicalEnvironment::registersOffset):
2639         (JSC::JSLexicalEnvironment::tearOff):
2640         (JSC::JSLexicalEnvironment::isTornOff):
2641         (JSC::JSLexicalEnvironment::storageOffset):
2642         (JSC::JSLexicalEnvironment::storage):
2643         (JSC::JSLexicalEnvironment::allocationSize):
2644         (JSC::JSLexicalEnvironment::isValidIndex):
2645         (JSC::JSLexicalEnvironment::isValid):
2646         (JSC::JSLexicalEnvironment::registerAt):
2647         * runtime/JSObject.h:
2648         * runtime/JSScope.cpp:
2649         (JSC::abstractAccess):
2650         * runtime/JSScope.h:
2651         (JSC::ResolveOp::ResolveOp):
2652         * runtime/JSSymbolTableObject.cpp:
2653         * runtime/StrictEvalActivation.h:
2654         (JSC::StrictEvalActivation::create):
2655         * runtime/VM.cpp:
2656
2657 2014-09-11  László Langó  <llango.u-szeged@partner.samsung.com>
2658
2659         [JavaScriptCore] Fix FTL on platform EFL.
2660         https://bugs.webkit.org/show_bug.cgi?id=133571
2661
2662         Reviewed by Filip Pizlo.
2663
2664         There are no compact_unwind sections on Linux systems so FTL crashes.
2665         We have to parse eh_frame in FTLUnwindInfo instead of compact_unwind
2666         and get the information for stack unwinding from there.
2667
2668         * CMakeLists.txt: Revert r169181.
2669         * ftl/FTLCompile.cpp:
2670         Change section name literals to use SECTION_NAME macro, because of architecture differences.
2671         (JSC::FTL::mmAllocateCodeSection):
2672         (JSC::FTL::mmAllocateDataSection):
2673         (JSC::FTL::compile):
2674         * ftl/FTLJITCode.h:
2675         We need the SECTION_NAME macro in FTLCompile and FTLLink, so we define it here.
2676         * ftl/FTLLink.cpp:
2677         (JSC::FTL::link):
2678         * ftl/FTLState.h:
2679         * ftl/FTLState.cpp:
2680         (JSC::FTL::State::State):
2681         * ftl/FTLUnwindInfo.h:
2682         * ftl/FTLUnwindInfo.cpp:
2683         Lift the eh_frame parsing method from LLVM/libcxxabi project and modify it for our purposes.
2684         Parse eh_frame on Linux instead of compact_unwind.
2685         (JSC::FTL::UnwindInfo::parse):
2686
2687 2014-09-10  Saam Barati  <saambarati1@gmail.com>
2688
2689         Web Inspector: Modify the type profiler runtime protocol to transfer some computation into the WebInspector
2690         https://bugs.webkit.org/show_bug.cgi?id=136500
2691
2692         Reviewed by Joseph Pecoraro.
2693
2694         This patch changes the type profiler protocol to the Web Inspector
2695         by moving the work of calculating computed properties that affect the UI 
2696         into the Web Inspector. This makes the Web Inspector have control over the 
2697         strings it displays as UI elements representing type information to the user 
2698         instead of JavaScriptCore deciding on a convention for these strings.
2699         JavaScriptCore now sends enough information to the Web Inspector so that 
2700         it can compute the properties JavaScriptCore used to compute.
2701
2702         * inspector/agents/InspectorRuntimeAgent.cpp:
2703         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
2704         * inspector/protocol/Runtime.json:
2705         * runtime/TypeProfiler.cpp:
2706         (JSC::TypeProfiler::getTypesForVariableAtOffsetForInspector): Deleted.
2707         * runtime/TypeProfiler.h:
2708         * runtime/TypeSet.cpp:
2709         (JSC::TypeSet::inspectorTypeSet):
2710         (JSC::StructureShape::leastCommonAncestor):
2711         (JSC::StructureShape::inspectorRepresentation):
2712         * runtime/TypeSet.h:
2713
2714 2014-09-10  Akos Kiss  <akiss@inf.u-szeged.hu>
2715
2716         Apply ARM64-specific lowering to load/store instructions in offlineasm
2717         https://bugs.webkit.org/show_bug.cgi?id=136569
2718
2719         Reviewed by Michael Saboff.
2720
2721         The standard RISC lowering of load/store instructions with base +
2722         immediate offset addresses is to move the offset to a temporary, add the
2723         base to the temporary, and then change the load/store to use the
2724         temporary + 0 immediate offset address. However, on ARM64, base +
2725         register offset addressing mode is available, so it is unnecessary to
2726         perform explicit register additions but it is enough to change load/store
2727         to use base + temporary as the address.
2728
2729         * offlineasm/arm64.rb: Added arm64LowerMalformedLoadStoreAddresses
2730
2731 2014-09-10  Oliver Hunt  <oliver@apple.com>
2732
2733         Rename JSVariableObject to JSEnvironmentRecord to align naming with ES spec
2734         https://bugs.webkit.org/show_bug.cgi?id=136710
2735
2736         Reviewed by Anders Carlsson.
2737
2738         This is a trivial rename.
2739
2740         * CMakeLists.txt:
2741         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2742         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2743         * JavaScriptCore.xcodeproj/project.pbxproj:
2744         * dfg/DFGAbstractHeap.h:
2745         * dfg/DFGClobberize.h:
2746         (JSC::DFG::clobberize):
2747         * dfg/DFGSpeculativeJIT32_64.cpp:
2748         (JSC::DFG::SpeculativeJIT::compile):
2749         * dfg/DFGSpeculativeJIT64.cpp:
2750         (JSC::DFG::SpeculativeJIT::compile):
2751         * ftl/FTLAbstractHeapRepository.cpp:
2752         * ftl/FTLAbstractHeapRepository.h:
2753         * ftl/FTLLowerDFGToLLVM.cpp:
2754         (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters):
2755         * jit/JITOpcodes32_64.cpp:
2756         * jit/JITPropertyAccess.cpp:
2757         (JSC::JIT::emitGetClosureVar):
2758         (JSC::JIT::emitPutClosureVar):
2759         * jit/JITPropertyAccess32_64.cpp:
2760         (JSC::JIT::emitGetClosureVar):
2761         (JSC::JIT::emitPutClosureVar):
2762         * llint/LLIntOffsetsExtractor.cpp:
2763         * llint/LowLevelInterpreter32_64.asm:
2764         * llint/LowLevelInterpreter64.asm:
2765         * runtime/JSActivation.cpp:
2766         (JSC::JSActivation::getOwnNonIndexPropertyNames):
2767         * runtime/JSActivation.h:
2768         * runtime/JSEnvironmentRecord.cpp: Renamed from Source/JavaScriptCore/runtime/JSVariableObject.cpp.
2769         * runtime/JSEnvironmentRecord.h: Renamed from Source/JavaScriptCore/runtime/JSVariableObject.h.
2770         (JSC::JSEnvironmentRecord::registers):
2771         (JSC::JSEnvironmentRecord::registerAt):
2772         (JSC::JSEnvironmentRecord::addressOfRegisters):
2773         (JSC::JSEnvironmentRecord::offsetOfRegisters):
2774         (JSC::JSEnvironmentRecord::JSEnvironmentRecord):
2775         * runtime/JSNameScope.h:
2776         * runtime/JSSegmentedVariableObject.h:
2777
2778 2014-09-10  Julien Brianceau   <jbriance@cisco.com>
2779
2780         [mips] Add missing parts and fix LLINT mips backend
2781         https://bugs.webkit.org/show_bug.cgi?id=136706
2782
2783         Reviewed by Michael Saboff.
2784
2785         * llint/LowLevelInterpreter.asm: Fix invalid CalleeSave register number.
2786         Implement initPCRelative and setEntryAddress macros.
2787         * llint/LowLevelInterpreter32_64.asm: Fix register distribution in
2788         doVMEntry macro.
2789
2790 2014-09-10  Saam Barati  <saambarati1@gmail.com>
2791
2792         TypeSet needs a mode where it no longer profiles structure shapes
2793         https://bugs.webkit.org/show_bug.cgi?id=136263
2794
2795         Reviewed by Filip Pizlo.
2796
2797         The TypeSet data structure used to gather as many StructureShape
2798         objects as it encountered during type profiling. But, this meant 
2799         that there was no upper limit on how many objects it could allocate. 
2800         This patch places a fixed upper bound on the number of StructureShapes
2801         allocated per TypeSet to prevent using too much memory for little gain
2802         in type profiling usefulness.
2803
2804         StructureShape objects are now also aware of when they are created
2805         from Structures which are dictionaries.
2806
2807         In total, this patch lays the final groundwork needed in refactoring 
2808         the inspector protocol for the type profiler.
2809
2810         * runtime/Structure.cpp:
2811         (JSC::Structure::toStructureShape):
2812         * runtime/TypeProfiler.cpp:
2813         (JSC::TypeProfiler::typeInformationForExpressionAtOffset):
2814         * runtime/TypeSet.cpp:
2815         (JSC::TypeSet::TypeSet):
2816         (JSC::TypeSet::addTypeInformation):
2817         (JSC::StructureShape::StructureShape):
2818         (JSC::StructureShape::toJSONString):
2819         (JSC::StructureShape::enterDictionaryMode):
2820         * runtime/TypeSet.h:
2821         (JSC::TypeSet::isOverflown):
2822         * tests/typeProfiler/dictionary-mode.js: Added.
2823         (wrapper):
2824         * tests/typeProfiler/driver/driver.js:
2825         * tests/typeProfiler/overflow.js: Added.
2826         (wrapper.Proto):
2827         (wrapper):
2828
2829 2014-09-10  Peter Gal  <galpeter@inf.u-szeged.hu>
2830
2831         [MIPS] branch32WithPatch missing
2832         https://bugs.webkit.org/show_bug.cgi?id=136696
2833
2834         Reviewed by Michael Saboff.
2835
2836         Added the missing branch32WithPatch. The implementation
2837         is currently the same as the branchPtrWithPatch because
2838         the macro assembler supports only 32 bit MIPS.
2839
2840         * assembler/MacroAssemblerMIPS.h:
2841         (JSC::MacroAssemblerMIPS::branch32WithPatch):
2842
2843 2014-09-10  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>
2844
2845         Fix !ENABLE(DFG_JIT) build
2846         https://bugs.webkit.org/show_bug.cgi?id=136702
2847
2848         Reviewed by Michael Saboff.
2849
2850         * bytecode/CallEdgeProfile.h:
2851
2852 2014-09-09  Benjamin Poulain  <bpoulain@apple.com>
2853
2854         Disable the "unreachable-code" warning
2855         https://bugs.webkit.org/show_bug.cgi?id=136677
2856
2857         Reviewed by Darin Adler.
2858
2859         * Configurations/Base.xcconfig:
2860
2861 2014-09-08  Filip Pizlo  <fpizlo@apple.com>
2862
2863         DFG should have a reusable SSA builder
2864         https://bugs.webkit.org/show_bug.cgi?id=136331
2865
2866         Reviewed by Oliver Hunt.
2867         
2868         We want to implement sophisticated SSA transformations like object allocation sinking
2869         (https://bugs.webkit.org/show_bug.cgi?id=136330), but to do that, we need to be able to do
2870         updates to SSA that require inserting new Phi's. This requires calculating where Phis go.
2871         Previously, our Phi calculation was based on Aycock and Horspool's algorithm, and our
2872         implementation of this algorithm only worked when doing CPS->SSA conversion. The code
2873         could not be reused for cases where some phase happens to know that it introduced a few
2874         defs in some blocks and it wants to figure out where the Phis should go. Moreover, even
2875         the general algorithm of Aycock and Horspool is not well suited to such targeted SSA
2876         updates, since it requires first inserting maximal Phis. That scales well when the Phis
2877         were already there (like in our CPS form) but otherwise it's quite unnatural and may be
2878         difficult to make efficient.
2879         
2880         The usual way of handling both SSA conversion and SSA update is to use Cytron et al's
2881         algorithm based on dominance frontiers. For a while now, I've been working on creating a
2882         Cytron-based SSA calculator that can be used both as a replacement for our current SSA
2883         converter and as a reusable tool for any phase that needs to do SSA update. I previously
2884         optimized our dominator calculation and representation to use dominator trees computed
2885         using Lengauer and Tarjan's algorithm - mainly to make it more scalable to enumerate over
2886         the set of blocks that dominate you or vice-versa, and then I implemented a dominance
2887         frontier calculator. This patch implements the final step towards making SSA update
2888         available to all SSA phases: it implements an SSACalculator that can tell you where Phis
2889         go when given an arbitrary set of Defs. To keep things simple, and to ensure that we have
2890         good test coverage for this SSACalculator, this patch replaces the old Aycock-Horspool
2891         SSA converter with one based on the SSACalculator.
2892         
2893         This has no observable impact. It does reduce the amount of code in SSAConversionPhase.
2894         But even better, it makes SSAConversionPhase have significantly less tricky logic. It
2895         mostly just relies on SSACalculator to do the tricky stuff, and SSAConversionPhase mostly
2896         just reasons about the weirdnesses unique to the ThreadedCPS form that it sees as input.
2897         In fact, using the Cytron et al approach means that there isn't really any "smoke and
2898         mirrors" trickiness related to SSA. SSACalculator's only "tricks" are using the pruned
2899         iterated dominance frontier to place Phi's and using the dom tree to find reaching defs.
2900         The complexity is mostly confined to Dominators, which computes various dominator-related
2901         properties over the control flow graph. That class can be difficult to understand, but at
2902         least it follows well-known graph theory wisdom.
2903
2904         * CMakeLists.txt:
2905         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2906         * JavaScriptCore.xcodeproj/project.pbxproj:
2907         * dfg/DFGAnalysis.h:
2908         * dfg/DFGCSEPhase.cpp:
2909         * dfg/DFGDCEPhase.cpp:
2910         (JSC::DFG::DCEPhase::run):
2911         * dfg/DFGDominators.h:
2912         (JSC::DFG::Dominators::immediateDominatorOf):
2913         (JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOf):
2914         (JSC::DFG::Dominators::forAllBlocksInPrunedIteratedDominanceFrontierOf):
2915         * dfg/DFGGraph.cpp:
2916         (JSC::DFG::Graph::dump):
2917         (JSC::DFG::Graph::blocksInPreOrder):
2918         (JSC::DFG::Graph::blocksInPostOrder):
2919         (JSC::DFG::Graph::getBlocksInPreOrder): Deleted.
2920         (JSC::DFG::Graph::getBlocksInPostOrder): Deleted.
2921         * dfg/DFGGraph.h:
2922         * dfg/DFGLICMPhase.cpp:
2923         (JSC::DFG::LICMPhase::run):
2924         * dfg/DFGNodeFlags.h:
2925         * dfg/DFGPhase.cpp:
2926         (JSC::DFG::Phase::beginPhase):
2927         (JSC::DFG::Phase::endPhase):
2928         * dfg/DFGPhase.h:
2929         * dfg/DFGSSACalculator.cpp: Added.
2930         (JSC::DFG::SSACalculator::Variable::dump):
2931         (JSC::DFG::SSACalculator::Variable::dumpVerbose):
2932         (JSC::DFG::SSACalculator::Def::dump):
2933         (JSC::DFG::SSACalculator::SSACalculator):
2934         (JSC::DFG::SSACalculator::~SSACalculator):
2935         (JSC::DFG::SSACalculator::newVariable):
2936         (JSC::DFG::SSACalculator::newDef):
2937         (JSC::DFG::SSACalculator::nonLocalReachingDef):
2938         (JSC::DFG::SSACalculator::reachingDefAtTail):
2939         (JSC::DFG::SSACalculator::dump):
2940         * dfg/DFGSSACalculator.h: Added.
2941         (JSC::DFG::SSACalculator::Variable::index):
2942         (JSC::DFG::SSACalculator::Variable::Variable):
2943         (JSC::DFG::SSACalculator::Def::variable):
2944         (JSC::DFG::SSACalculator::Def::block):
2945         (JSC::DFG::SSACalculator::Def::value):
2946         (JSC::DFG::SSACalculator::Def::Def):
2947         (JSC::DFG::SSACalculator::variable):
2948         (JSC::DFG::SSACalculator::computePhis):
2949         (JSC::DFG::SSACalculator::phisForBlock):
2950         (JSC::DFG::SSACalculator::reachingDefAtHead):
2951         * dfg/DFGSSAConversionPhase.cpp:
2952         (JSC::DFG::SSAConversionPhase::SSAConversionPhase):
2953         (JSC::DFG::SSAConversionPhase::run):
2954         (JSC::DFG::SSAConversionPhase::forwardPhiChildren): Deleted.
2955         (JSC::DFG::SSAConversionPhase::forwardPhi): Deleted.
2956         (JSC::DFG::SSAConversionPhase::forwardPhiEdge): Deleted.
2957         (JSC::DFG::SSAConversionPhase::deduplicateChildren): Deleted.
2958         * dfg/DFGSSAConversionPhase.h:
2959         * dfg/DFGValidate.cpp:
2960         (JSC::DFG::Validate::Validate):
2961         (JSC::DFG::Validate::dumpGraphIfAppropriate):
2962         (JSC::DFG::validate):
2963         * dfg/DFGValidate.h:
2964         * ftl/FTLLowerDFGToLLVM.cpp:
2965         (JSC::FTL::LowerDFGToLLVM::lower):
2966         * runtime/Options.h:
2967
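The Phi-placement scheme this entry describes (Phis at the pruned iterated dominance frontier, reaching defs found by walking the dominator tree), as an added Python example rather than WebKit's C++ code: the dominator tree is supplied by hand in place of what the Dominators class computes, and the CFG and SSACalculator classes, their API and the block names are this example's own.

```python
from collections import defaultdict


class CFG:
    """Control-flow graph plus a dominator tree supplied by the caller
    (standing in for what JSC's Dominators class computes)."""

    def __init__(self, succ, idom):
        self.succ = succ    # block -> list of successor blocks
        self.idom = idom    # block -> immediate dominator (None for the entry)
        self.pred = defaultdict(list)
        for b, ss in succ.items():
            for s in ss:
                self.pred[s].append(b)
        self.df = self._dominance_frontiers()

    def _dominance_frontiers(self):
        # y is in DF(x) when x dominates a predecessor of y but does not strictly
        # dominate y: from each predecessor of a join point, walk up to idom(y).
        df = defaultdict(set)
        for b, preds in self.pred.items():
            if len(preds) < 2:
                continue
            for runner in preds:
                while runner != self.idom[b]:
                    df[runner].add(b)
                    runner = self.idom[runner]
        return df


class SSACalculator:
    """Collects defs per variable, then answers where Phis go and which def
    reaches a block head (names and API are this example's own)."""

    def __init__(self, cfg):
        self.cfg = cfg
        self.defs = defaultdict(dict)   # var -> {block: value name}
        self.phis = defaultdict(set)    # block -> {var}

    def new_def(self, var, block, value):
        self.defs[var][block] = value

    def compute_phis(self, live_at_head=None):
        # Phis go at the iterated dominance frontier of a variable's def blocks;
        # an optional live_at_head(var, block) predicate drops Phis for variables
        # that are dead there, giving the pruned IDF the entry mentions.
        self.phis.clear()
        for var, def_blocks in self.defs.items():
            idf, work = set(), list(def_blocks)
            while work:
                for f in self.cfg.df.get(work.pop(), ()):
                    if f not in idf:
                        idf.add(f)
                        work.append(f)   # a Phi is itself a def of var
            for f in idf:
                if live_at_head is None or live_at_head(var, f):
                    self.phis[f].add(var)
        return {b: set(v) for b, v in self.phis.items()}

    def reaching_def_at_head(self, var, block):
        # The def reaching a block's head sits in a strict dominator, so walk up
        # the dom tree; within a block, a def in the body shadows a Phi at the head.
        b = self.cfg.idom[block]
        while b is not None:
            if b in self.defs.get(var, {}):
                return ("def", b, self.defs[var][b])
            if var in self.phis.get(b, ()):
                return ("phi", b)
            b = self.cfg.idom[b]
        return None


# Constructed CFG: a loop whose body is an if/else diamond. The dominator tree
# is written out by hand: entry -> head -> {then, else, join}, join -> exit.
EXAMPLE_CFG = CFG(
    succ={"entry": ["head"], "head": ["then", "else"], "then": ["join"],
          "else": ["join"], "join": ["head", "exit"], "exit": []},
    idom={"entry": None, "head": "entry", "then": "head", "else": "head",
          "join": "head", "exit": "join"})


def example():
    calc = SSACalculator(EXAMPLE_CFG)
    calc.new_def("x", "entry", "x0")   # x: set in entry, overwritten in then
    calc.new_def("x", "then", "x1")
    calc.new_def("y", "entry", "y0")   # y: set in entry, overwritten in else
    calc.new_def("y", "else", "y1")
    full = calc.compute_phis()
    # Constructed liveness: x is read in exit, y only in then, so y's def in else
    # is dead and the unpruned IDF would place a Phi for y at join nobody reads.
    live = {"x": {"head", "else", "join", "exit"}, "y": {"head", "then"}}
    pruned = calc.compute_phis(lambda var, block: block in live[var])
    return {"full": full, "pruned": pruned,
            "x_at_exit": calc.reaching_def_at_head("x", "exit"),
            "x_at_head": calc.reaching_def_at_head("x", "head")}
```
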
2968 2014-09-08  Commit Queue  <commit-queue@webkit.org>
2969
2970         Unreviewed, rolling out r173402.
2971         https://bugs.webkit.org/show_bug.cgi?id=136649
2972
2973         Breaking build with error "unable to restore file position to
2974         0x00000c60 for section __DWARF.__debug_info (errno = 9)"
2975         (Requested by mlam_ on #webkit).
2976
2977         Reverted changeset:
2978
2979         "Move CallFrame and Register inline functions out of
2980         JSScope.h."
2981         https://bugs.webkit.org/show_bug.cgi?id=136579
2982         http://trac.webkit.org/changeset/173402
2983
2984 2014-09-08  Mark Lam  <mark.lam@apple.com>
2985
2986         Move CallFrame and Register inline functions out of JSScope.h.
2987         <https://webkit.org/b/136579>
2988
2989         Reviewed by Geoffrey Garen.
2990
2991         This includes fixing up some files to #include JSCInlines.h to pick up
2992         these inline functions.  I also added JSCellInlines.h to JSCInlines.h
2993         since it is included from many of the affected .cpp files.
2994
2995         * API/ObjCCallbackFunction.mm:
2996         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2997         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2998         * JavaScriptCore.xcodeproj/project.pbxproj:
2999         * bindings/ScriptValue.cpp:
3000         * inspector/InjectedScriptHost.cpp:
3001         * inspector/InjectedScriptManager.cpp:
3002         * inspector/JSGlobalObjectInspectorController.cpp:
3003         * inspector/JSJavaScriptCallFrame.cpp:
3004         * inspector/ScriptDebugServer.cpp:
3005         * interpreter/CallFrameInlines.h:
3006         (JSC::CallFrame::vm):
3007         (JSC::CallFrame::lexicalGlobalObject):
3008         (JSC::CallFrame::globalThisValue):
3009         * interpreter/RegisterInlines.h: Added.
3010         (JSC::Register::operator=):
3011         (JSC::Register::scope):
3012         * runtime/ArgumentsIteratorConstructor.cpp:
3013         * runtime/JSArrayIterator.cpp:
3014         * runtime/JSCInlines.h:
3015         * runtime/JSCJSValue.cpp:
3016         * runtime/JSMapIterator.cpp:
3017         * runtime/JSPromiseConstructor.cpp:
3018         * runtime/JSPromiseDeferred.cpp:
3019         * runtime/JSPromiseFunctions.cpp:
3020         * runtime/JSPromisePrototype.cpp:
3021         * runtime/JSPromiseReaction.cpp:
3022         * runtime/JSScope.h:
3023         (JSC::Register::operator=): Deleted.
3024         (JSC::Register::scope): Deleted.
3025         (JSC::ExecState::vm): Deleted.
3026         (JSC::ExecState::lexicalGlobalObject): Deleted.
3027         (JSC::ExecState::globalThisValue): Deleted.
3028         * runtime/JSSetIterator.cpp:
3029         * runtime/MapConstructor.cpp:
3030         * runtime/MapData.cpp:
3031         * runtime/MapIteratorPrototype.cpp:
3032         * runtime/MapPrototype.cpp:
3033         * runtime/SetConstructor.cpp:
3034         * runtime/SetIteratorPrototype.cpp:
3035         * runtime/SetPrototype.cpp:
3036         * runtime/WeakMapConstructor.cpp:
3037         * runtime/WeakMapPrototype.cpp:
3038
3039 2014-09-08  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>
3040
3041         Remove FILTERS flag
3042         https://bugs.webkit.org/show_bug.cgi?id=136571
3043
3044         Reviewed by Darin Adler.
3045
3046         * Configurations/FeatureDefines.xcconfig:
3047
3048 2014-09-08  Saam Barati  <saambarati1@gmail.com>
3049
3050         Merge StructureShapes that share the same prototype chain
3051         https://bugs.webkit.org/show_bug.cgi?id=136549
3052
3053         Reviewed by Filip Pizlo.
3054
3055         Instead of keeping track of many discrete StructureShapes that share
3056         the same prototype chain, TypeSet should merge StructureShapes that 
3057         have the same prototype chain and provide a new member variable for 
3058         optional structure fields. This provides a cleaner and more concise
3059         interface for dealing with StructureShapes within TypeSet. Instead
3060         of having many discrete shapes that are almost identical, almost 
3061         identical shapes will be merged together with an interface for 
3062         understanding what fields the shapes being merged together differ in.
3063
3064         * runtime/TypeSet.cpp:
3065         (JSC::TypeSet::addTypeInformation):
3066         (JSC::StructureShape::addProperty):
3067         (JSC::StructureShape::toJSONString):
3068         (JSC::StructureShape::inspectorRepresentation):
3069         (JSC::StructureShape::hasSamePrototypeChain):
3070         (JSC::StructureShape::merge):
3071         * runtime/TypeSet.h:
3072         * tests/typeProfiler/optional-fields.js: Added.
3073         (wrapper.func):
3074         (wrapper):
3075
3076 2014-09-08  Jessie Berlin  <jberlin@apple.com>
3077
3078         More 32-bit Release build fixes after r173364.
3079
3080         * dfg/DFGSpeculativeJIT32_64.cpp:
3081         (JSC::DFG::SpeculativeJIT::compile):
3082
3083 2014-09-07  Maciej Stachowiak  <mjs@apple.com>
3084
3085         Fix typos in last patch to fix build.
3086
3087         Unreviewed build fix.
3088
3089         * dfg/DFGSpeculativeJIT.cpp:
3090         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
3091         (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
3092
3093 2014-09-07  Maciej Stachowiak  <mjs@apple.com>
3094
3095         Introduce COMPILER_QUIRK(CONSIDERS_UNREACHABLE_CODE) and use it
3096         https://bugs.webkit.org/show_bug.cgi?id=136616
3097
3098         Reviewed by Darin Adler.
3099         
3100         Many compilers will analyze unreachable code paths (e.g. after an
3101         unreachable code path), so sometimes they need dead code initializations.
3102         But clang with suitable warnings will complain about unreachable code. So
3103         use the quirk to include it conditionally.
3104
3105         * bytecode/CodeBlock.cpp:
3106         (JSC::CodeBlock::printGetByIdOp):
3107         * dfg/DFGOSRExitCompilerCommon.cpp:
3108         (JSC::DFG::handleExitCounts):
3109         * dfg/DFGPlan.cpp:
3110         (JSC::DFG::Plan::compileInThread):
3111         * dfg/DFGSpeculativeJIT.cpp:
3112         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
3113         * jsc.cpp:
3114         * runtime/JSArray.cpp:
3115         (JSC::JSArray::fillArgList):
3116         (JSC::JSArray::copyToArguments):
3117         * runtime/RegExp.cpp:
3118         (JSC::RegExp::compile):
3119         (JSC::RegExp::compileMatchOnly):
3120
3121 2014-09-06  Darin Adler  <darin@apple.com>
3122
3123         Make updates suggested by new version of Xcode
3124         https://bugs.webkit.org/show_bug.cgi?id=136603
3125
3126         Reviewed by Mark Rowe.
3127
3128         * Configurations/Base.xcconfig: Added CLANG_WARN_UNREACHABLE_CODE, COMBINE_HIDPI_IMAGES,
3129         and ENABLE_STRICT_OBJC_MSGSEND as suggested by Xcode upgrade check.
3130
3131         * JavaScriptCore.xcodeproj/project.pbxproj: Update LastUpgradeCheck.
3132
3133         * dfg/DFGSpeculativeJIT.cpp:
3134         (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode): Compile out unreachable code
3135         for clang, since it understands the code is unreachable.
3136         * runtime/JSArray.cpp:
3137         (JSC::JSArray::fillArgList): Ditto.
3138         (JSC::JSArray::copyToArguments): Ditto.
3139
3140 2014-09-05  Matt Baker  <mattbaker@apple.com>
3141
3142         Web Inspector: breakpoint actions should work regardless of Content Security Policy
3143         https://bugs.webkit.org/show_bug.cgi?id=136542
3144
3145         Reviewed by Mark Lam.
3146
3147         Added JSC::DebuggerEvalEnabler, an RAII object which enables eval on a 
3148         JSGlobalObject for the duration of a scope, returning the eval enabled state to its
3149         original value when the scope exits. Used by JSC::DebuggerCallFrame::evaluate 
3150         to allow breakpoint actions to execute JS in pages with a Content Security Policy
3151         that would normally prohibit this (such as Inspector's Main.html).
3152
3153         Refactored Inspector::InjectedScriptBase to use the RAII object instead of manually
3154         setting eval enabled and then resetting the original eval enabled state.
3155
3156         NOTE: The JSC::DebuggerEvalEnabler constructor checks the passed in ExecState pointer
3157         for null to be equivalent with the original code in Inspector::InjectedScriptBase.
3158         InjectedScriptBase is getting the ExecState from ScriptObject::scriptState(), which
3159         can currently be null.
3160
3161         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3162         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3163         * JavaScriptCore.xcodeproj/project.pbxproj:
3164         * debugger/DebuggerCallFrame.cpp:
3165         (JSC::DebuggerCallFrame::evaluate):
3166         * debugger/DebuggerEvalEnabler.h: Added.
3167         (JSC::DebuggerEvalEnabler::DebuggerEvalEnabler):
3168         (JSC::DebuggerEvalEnabler::~DebuggerEvalEnabler):
3169         * inspector/InjectedScriptBase.cpp:
3170         (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):
3171
2014-09-05  peavo@outlook.com  <peavo@outlook.com>

        [WinCairo] jsc.exe won't run.
        https://bugs.webkit.org/show_bug.cgi?id=136481

        Reviewed by Alex Christensen.

        We need to define WIN_CAIRO to avoid looking for the AAS folder.

        * JavaScriptCore.vcxproj/jsc/DLLLauncherWinCairo.props: Added.
        * JavaScriptCore.vcxproj/jsc/jscLauncher.vcxproj:
        * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncher.vcxproj:
        * JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props:
        * JavaScriptCore.vcxproj/testapi/testapiLauncher.vcxproj:

2014-09-05  David Kilzer  <ddkilzer@apple.com>

        JavaScriptCore should build with newer clang
        <http://webkit.org/b/136002>
        <rdar://problem/18020616>

        Reviewed by Geoffrey Garen.

        Other than the JSC::SourceProvider::asID() change (which simply
        removes code that the optimizing compiler would have discarded
        in Release builds), we move the |this| checks in OpaqueJSString
        to NULL checks into JSBase, JSObjectRef, JSScriptRef,
        JSStringRef{CF} and JSValueRef.

        Note that the following function arguments are _not_ NULL-checked
        since doing so would just cover up bugs (and were not needed to
        prevent any tests from failing):
        - |script| in JSEvaluateScript(), JSCheckScriptSyntax();
        - |body| in JSObjectMakeFunction();
        - |source| in JSScriptCreateReferencingImmortalASCIIText()
          (which is a const char* anyway);
        - |source| in JSScriptCreateFromString().

        * API/JSBase.cpp:
        (JSEvaluateScript): Add NULL check for |sourceURL|.
        (JSCheckScriptSyntax): Ditto.
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunction): Ditto.
        * API/JSScriptRef.cpp:
        (JSScriptCreateReferencingImmortalASCIIText): Ditto.
        (JSScriptCreateFromString): Add NULL check for |url|.
        * API/JSStringRef.cpp:
        (JSStringGetLength): Return early if NULL pointer is passed in.
        (JSStringGetCharactersPtr): Ditto.
        (JSStringGetUTF8CString): Ditto.  Also check |buffer| parameter.
        * API/JSStringRefCF.cpp:
        (JSStringCopyCFString): Ditto.
        * API/JSValueRef.cpp:
        (JSValueMakeString): Add NULL check for |string|.

        * API/OpaqueJSString.cpp:
        (OpaqueJSString::string): Remove code that checks |this|.
        (OpaqueJSString::identifier): Ditto.
        (OpaqueJSString::characters): Ditto.
        * API/OpaqueJSString.h:
        (OpaqueJSString::is8Bit): Remove code that checks |this|.
        (OpaqueJSString::characters8): Ditto.
        (OpaqueJSString::characters16): Ditto.
        (OpaqueJSString::length): Ditto.

        * parser/SourceProvider.h:
        (JSC::SourceProvider::asID): Remove code that checks |this|.

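The entry above moves NULL handling out of OpaqueJSString member functions (where a check on |this| is undefined behaviour that a newer compiler is free to delete) and into the public C entry points. The following is an added example of that pattern, not WebKit's code: OpaqueString, StringRef, StringGetLength, StringGetCString and makeString are hypothetical stand-ins for OpaqueJSString and the JSStringRef API, and the copy is byte-for-byte rather than a UTF-8 conversion.

```cpp
// Added example, not WebKit code: NULL checks at the C API boundary rather
// than `if (!this)` inside member functions. OpaqueString, StringRef and the
// String* functions are hypothetical stand-ins for OpaqueJSString and the
// JSStringRef API; the copy below is byte-for-byte, not a UTF-8 conversion.
#include <cstddef>
#include <cstring>
#include <string>

struct OpaqueString {
    std::string value;

    // Member functions assume a live object. Checking |this| for NULL here
    // is undefined behaviour, so a newer compiler may delete the check.
    size_t length() const { return value.size(); }
    const char* data() const { return value.c_str(); }
};

typedef const OpaqueString* StringRef;

// Entry points exposed to C callers own the NULL handling and return a
// neutral value instead of dereferencing a NULL handle.
size_t StringGetLength(StringRef string)
{
    if (!string)
        return 0;
    return string->length();
}

// Copies at most bufferSize - 1 bytes plus a terminator. Returns the number
// of bytes written including the terminator, or 0 when either pointer is
// NULL or the buffer cannot hold even a terminator.
size_t StringGetCString(StringRef string, char* buffer, size_t bufferSize)
{
    if (!string || !buffer || !bufferSize)
        return 0;
    size_t toCopy = string->length();
    if (toCopy > bufferSize - 1)
        toCopy = bufferSize - 1;
    memcpy(buffer, string->data(), toCopy);
    buffer[toCopy] = '\0';
    return toCopy + 1;
}

// Hypothetical helper so callers can build a value without touching the
// struct directly.
OpaqueString makeString(const char* text)
{
    return OpaqueString{ text };
}
```

The split mirrors the entry's reasoning: the handle-taking entry points are the only place a NULL can legitimately arrive from a caller, so that is where the check lives and where a neutral return value is defined; the member functions stay free of checks that the optimizer would remove anyway.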
2014-06-06  Jer Noble  <jer.noble@apple.com>

        Refactoring: make MediaTime the primary time type for audiovisual times.
        https://bugs.webkit.org/show_bug.cgi?id=133579

        Reviewed by Eric Carlson.

        Add a utility function which converts a MediaTime to a JSNumber.

        * runtime/JSCJSValue.h:
        (JSC::jsNumber):

2014-09-04  Michael Saboff  <msaboff@apple.com>

        ARM: Add more coverage to ARMv7 disassembler
        https://bugs.webkit.org/show_bug.cgi?id=136565

        Reviewed by Mark Lam.

        Added ARMv7 disassembler support for Push/Pop multiple and floating point instructions
        VCMP, VCVT[R] between floating point and integer, and VLDR.

        * disassembler/ARMv7/ARMv7DOpcode.cpp:
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::appendRegisterList):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPopMultiple::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushMultiple::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::format):
        * disassembler/ARMv7/ARMv7DOpcode.h:
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::registerList):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::condition):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::condition):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::dBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::vd):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::szBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::eBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::mBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::vm):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::condition):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::dBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::op2):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::vd):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::szBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::op):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::mBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::vm):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::condition):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::uBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::rn):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::vd):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::doubleReg):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::immediate8):

2014-09-04  Mark Lam  <mark.lam@apple.com>

        Move PropertySlot's inline functions back to PropertySlot.h.
        <https://webkit.org/b/136547>

        Reviewed by Filip Pizlo.

        * runtime/JSObject.h:
        (JSC::PropertySlot::getValue): Deleted.
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::getValue):

2014-09-04  Filip Pizlo  <fpizlo@apple.com>

        Make sure that deleting all code first processes the call edge log, and reenable call edge profiling.

        Rubber stamped by Sam Weinig.

        * debugger/Debugger.cpp:
        (JSC::Debugger::forEachCodeBlock):
        (JSC::Debugger::setSteppingMode):
        (JSC::Debugger::recompileAllJSFunctions):
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::recompileAllJSFunctionsForTypeProfiling):
        * runtime/Options.h: Reenable call edge profiling.
        * runtime/VM.cpp:
        (JSC::VM::prepareToDiscardCode): Make sure this also processes the call edge log, in case any call edge profiles are about to be destroyed.
        (JSC::VM::discardAllCode):
        (JSC::VM::releaseExecutableMemory):
        (JSC::VM::setEnabledProfiler):
        (JSC::VM::waitForCompilationsToComplete): Deleted.
        * runtime/VM.h: Rename waitForCompilationsToComplete() back to prepareToDiscardCode() because the purpose of the method - now as ever - is to do all of the things that need to be done to ensure that code may be safely deleted.

2014-09-04  Akos Kiss  <akiss@inf.u-szeged.hu>

        Ensure that the call frame set up by vmEntryToNative does not overlap with the stack of the callee
        https://bugs.webkit.org/show_bug.cgi?id=136485

        Reviewed by Michael Saboff.

        Changed makeHostFunctionCall to keep the stack pointer above the call
        frame set up by doVMEntry. Thus the callee will/can not override the top
        of the call frame.

        Refactored the two (32_64 and 64) versions of makeHostFunctionCall to be
        more alike to hel