BinarySwitch should be faster on average
[WebKit.git] / Source / JavaScriptCore / ChangeLog
1 2015-01-31  Filip Pizlo  <fpizlo@apple.com>
2
3         BinarySwitch should be faster on average
4         https://bugs.webkit.org/show_bug.cgi?id=141046
5
6         Reviewed by Anders Carlsson.
7         
8         This optimizes our binary switch using math. It's strictly better than what we had before
9         assuming we bottom out in some case (rather than fall through), assuming all cases get
10         hit with equal probability. The difference is particularly large for large switch
11         statements. For example, a switch statement with 1000 cases would previously require on
12         average 13.207 branches to get to some case, while now it just requires 10.464.
13         
14         This is also a progression for the fall-through case, though we could shave off another
15         1/6 branch on average if we wanted to - though it would regress taking a case (not falling
16         through) by 1/6 branch. I believe it's better to bias the BinarySwitch for not falling
17         through.
18         
19         This also adds some randomness to the algorithm to minimize the likelihood of us
20         generating a switch statement that is always particularly bad for some input. Note that
21         the randomness has no effect on average-case performance assuming all cases are equally
22         likely.
23         
24         This ought to have no actual performance change because we don't rely on binary switches
25         that much. The main reason why this change is interesting is that I'm finding myself
26         increasingly relying on BinarySwitch, and I'd like to know that it's optimal.
27
28         * jit/BinarySwitch.cpp:
29         (JSC::BinarySwitch::BinarySwitch):
30         (JSC::BinarySwitch::~BinarySwitch):
31         (JSC::BinarySwitch::build):
32         * jit/BinarySwitch.h:
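
        The entry above reasons about the average number of branches executed on the way to a
        case when every case is hit with equal probability. As an added illustration that is not
        part of this ChangeLog entry or of WebKit's jit/BinarySwitch.cpp, the C++ program below
        applies that cost model to two simplified lowering strategies for a switch over N sorted
        integer cases: one that tests equality at every interior node before branching on
        less-than, and one that branches on less-than only and defers the equality test to the
        leaf. The strategies, split rule and function names are assumptions made for the example,
        so the averages it prints are the model's numbers for those strategies, not the 13.207 and
        10.464 figures quoted above.

```cpp
// Added example, not WebKit's jit/BinarySwitch.cpp: an average-case cost model
// for lowering a switch over N sorted integer cases into compare-and-branch
// trees. Both strategies below are simplified stand-ins chosen for illustration.
#include <cstddef>
#include <cstdio>
#include <vector>

// Strategy A ("equal-then-less"): each interior node first tests the incoming
// value for equality with the median case (1 branch) and, on a miss, branches
// on less-than (a 2nd branch) before descending into one of the two halves.
static void walkEqualThenLess(size_t lo, size_t hi, unsigned long long depthCost,
                              std::vector<unsigned long long>& costs)
{
    size_t size = hi - lo;
    if (size == 0)
        return;
    size_t mid = lo + size / 2;
    costs[mid] = depthCost + 1;                           // taken on the equality test
    walkEqualThenLess(lo, mid, depthCost + 2, costs);     // equality missed, less-than taken
    walkEqualThenLess(mid + 1, hi, depthCost + 2, costs); // equality missed, less-than not taken
}

// Strategy B ("less-only"): interior nodes emit just the less-than branch and
// leave the equality test to the leaf holding a single case, so descending one
// level costs a single branch. The leaf test is still needed because the value
// may match no case at all (the fall-through situation the entry mentions).
static void walkLessOnly(size_t lo, size_t hi, unsigned long long depthCost,
                         std::vector<unsigned long long>& costs)
{
    size_t size = hi - lo;
    if (size == 0)
        return;
    if (size == 1) {
        costs[lo] = depthCost + 1; // leaf equality test
        return;
    }
    size_t mid = lo + size / 2;
    walkLessOnly(lo, mid, depthCost + 1, costs);
    walkLessOnly(mid, hi, depthCost + 1, costs);
}

// Total branches executed if each of the N cases is hit exactly once.
unsigned long long totalBranchesEqualThenLess(size_t caseCount)
{
    std::vector<unsigned long long> costs(caseCount, 0);
    walkEqualThenLess(0, caseCount, 0, costs);
    unsigned long long total = 0;
    for (unsigned long long c : costs)
        total += c;
    return total;
}

unsigned long long totalBranchesLessOnly(size_t caseCount)
{
    std::vector<unsigned long long> costs(caseCount, 0);
    walkLessOnly(0, caseCount, 0, costs);
    unsigned long long total = 0;
    for (unsigned long long c : costs)
        total += c;
    return total;
}

// Average branches per case under the equal-probability assumption.
double averageBranchesEqualThenLess(size_t caseCount)
{
    return caseCount ? static_cast<double>(totalBranchesEqualThenLess(caseCount)) / caseCount : 0.0;
}

double averageBranchesLessOnly(size_t caseCount)
{
    return caseCount ? static_cast<double>(totalBranchesLessOnly(caseCount)) / caseCount : 0.0;
}

int main()
{
    // Small sizes show that the cheaper strategy depends on N: A wins at 3
    // cases, the two tie at 7, and B pulls ahead as the tree gets deeper.
    for (size_t n : { 3, 7, 16, 1000 }) {
        std::printf("%4zu cases: equal-then-less %.3f branches, less-only %.3f branches\n",
                    n, averageBranchesEqualThenLess(n), averageBranchesLessOnly(n));
    }
    return 0;
}
```

        The totals are exact integers (every case visited once), so the averages can be checked
        by hand for small N before trusting them for large N.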
33
34 2015-02-02  Joseph Pecoraro  <pecoraro@apple.com>
35
36         Web Inspector: Extend CSS.getSupportedCSSProperties to provide values for properties for CSS Augmented JSContext
37         https://bugs.webkit.org/show_bug.cgi?id=141064
38
39         Reviewed by Timothy Hatcher.
40
41         * inspector/protocol/CSS.json:
42
43 2015-02-02  Daniel Bates  <dabates@apple.com>
44
45         [iOS] ASSERTION FAILED: m_scriptExecutionContext->isContextThread() in ContextDestructionObserver::observeContext
46         https://bugs.webkit.org/show_bug.cgi?id=141057
47         <rdar://problem/19068790>
48
49         Reviewed by Alexey Proskuryakov.
50
51         * inspector/remote/RemoteInspector.mm:
52         (Inspector::RemoteInspector::receivedIndicateMessage): Modified to call WTF::callOnWebThreadOrDispatchAsyncOnMainThread().
53         (Inspector::dispatchAsyncOnQueueSafeForAnyDebuggable): Deleted; moved logic to common helper function,
54         WTF::callOnWebThreadOrDispatchAsyncOnMainThread() so that it can be called from both RemoteInspector::receivedIndicateMessage()
55         and CryptoKeyRSA::generatePair().
56
57 2015-02-02  Saam Barati  <saambarati1@gmail.com>
58
59         Create tests for JSC's Control Flow Profiler
60         https://bugs.webkit.org/show_bug.cgi?id=141123
61
62         Reviewed by Filip Pizlo.
63
64         This patch creates a control flow profiler testing API in jsc.cpp 
65         that accepts a function and a string as arguments. The string must 
66         be a substring of the text of the function argument. The API returns 
67         a boolean indicating whether or not the basic block that encloses the 
68         substring has executed.
69
70         This patch uses this API to test that the control flow profiler
71         behaves as expected on basic block boundaries. These tests do not
72         provide full coverage for all JavaScript statements that can create
73         basic blocks boundaries. Full coverage will come in a later patch.
74
75         * jsc.cpp:
76         (GlobalObject::finishCreation):
77         (functionHasBasicBlockExecuted):
78         * runtime/ControlFlowProfiler.cpp:
79         (JSC::ControlFlowProfiler::hasBasicBlockAtTextOffsetBeenExecuted):
80         * runtime/ControlFlowProfiler.h:
81         * tests/controlFlowProfiler: Added.
82         * tests/controlFlowProfiler.yaml: Added.
83         * tests/controlFlowProfiler/driver: Added.
84         * tests/controlFlowProfiler/driver/driver.js: Added.
85         (assert):
86         * tests/controlFlowProfiler/if-statement.js: Added.
87         (testIf):
88         (noMatches):
89         * tests/controlFlowProfiler/loop-statements.js: Added.
90         (forRegular):
91         (forIn):
92         (forOf):
93         (whileLoop):
94         * tests/controlFlowProfiler/switch-statements.js: Added.
95         (testSwitch):
96         * tests/controlFlowProfiler/test-jit.js: Added.
97         (tierUpToBaseline):
98         (tierUpToDFG):
99         (baselineTest):
100         (dfgTest):
101
102 2015-01-28  Filip Pizlo  <fpizlo@apple.com>
103
104         Polymorphic call inlining should be based on polymorphic call inline caching rather than logging
105         https://bugs.webkit.org/show_bug.cgi?id=140660
106
107         Reviewed by Geoffrey Garen.
108         
109         When we first implemented polymorphic call inlining, we did the profiling based on a call
110         edge log. The idea was to store each call edge (a tuple of call site and callee) into a
111         global log that was processed lazily. Processing the log would give precise counts of call
112         edges, and could be used to drive well-informed inlining decisions - polymorphic or not.
113         This was a speed-up on throughput tests but a slow-down for latency tests. It was a net win
114         nonetheless.
115         
116         Experience with this code shows three things. First, the call edge profiler is buggy and
117         complex. It would take work to fix the bugs. Second, the call edge profiler incurs lots of
118         overhead for latency code that we care deeply about. Third, it's not at all clear that
119         having call edge counts for every possible callee is any better than just having call edge
120         counts for the limited number of callees that an inline cache would catch.
121         
122         So, this patch removes the call edge profiler and replaces it with a polymorphic call inline
123         cache. If we miss the basic call inline cache, we inflate the cache to be a jump to an
124         out-of-line stub that cases on the previously known callees. If that misses again, then we
125         rewrite that stub to include the new callee. We do this up to some number of callees. If we
126         hit the limit then we switch to using a plain virtual call.
127         
128         Substantial speed-up on V8Spider; undoes the slow-down that the original call edge profiler
129         caused. Might be a SunSpider speed-up (below 1%), depending on hardware.
130         
131         Rolling this back in after fixing https://bugs.webkit.org/show_bug.cgi?id=141107.
132
133         * CMakeLists.txt:
134         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
135         * JavaScriptCore.xcodeproj/project.pbxproj:
136         * bytecode/CallEdge.h:
137         (JSC::CallEdge::count):
138         (JSC::CallEdge::CallEdge):
139         * bytecode/CallEdgeProfile.cpp: Removed.
140         * bytecode/CallEdgeProfile.h: Removed.
141         * bytecode/CallEdgeProfileInlines.h: Removed.
142         * bytecode/CallLinkInfo.cpp:
143         (JSC::CallLinkInfo::unlink):
144         (JSC::CallLinkInfo::visitWeak):
145         * bytecode/CallLinkInfo.h:
146         * bytecode/CallLinkStatus.cpp:
147         (JSC::CallLinkStatus::CallLinkStatus):
148         (JSC::CallLinkStatus::computeFor):
149         (JSC::CallLinkStatus::computeFromCallLinkInfo):
150         (JSC::CallLinkStatus::isClosureCall):
151         (JSC::CallLinkStatus::makeClosureCall):
152         (JSC::CallLinkStatus::dump):
153         (JSC::CallLinkStatus::computeFromCallEdgeProfile): Deleted.
154         * bytecode/CallLinkStatus.h:
155         (JSC::CallLinkStatus::CallLinkStatus):
156         (JSC::CallLinkStatus::isSet):
157         (JSC::CallLinkStatus::variants):
158         (JSC::CallLinkStatus::size):
159         (JSC::CallLinkStatus::at):
160         (JSC::CallLinkStatus::operator[]):
161         (JSC::CallLinkStatus::canOptimize):
162         (JSC::CallLinkStatus::edges): Deleted.
163         (JSC::CallLinkStatus::canTrustCounts): Deleted.
164         * bytecode/CallVariant.cpp:
165         (JSC::variantListWithVariant):
166         (JSC::despecifiedVariantList):
167         * bytecode/CallVariant.h:
168         * bytecode/CodeBlock.cpp:
169         (JSC::CodeBlock::~CodeBlock):
170         (JSC::CodeBlock::linkIncomingPolymorphicCall):
171         (JSC::CodeBlock::unlinkIncomingCalls):
172         (JSC::CodeBlock::noticeIncomingCall):
173         * bytecode/CodeBlock.h:
174         (JSC::CodeBlock::isIncomingCallAlreadyLinked): Deleted.
175         * dfg/DFGAbstractInterpreterInlines.h:
176         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
177         * dfg/DFGByteCodeParser.cpp:
178         (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
179         (JSC::DFG::ByteCodeParser::handleCall):
180         (JSC::DFG::ByteCodeParser::handleInlining):
181         * dfg/DFGClobberize.h:
182         (JSC::DFG::clobberize):
183         * dfg/DFGConstantFoldingPhase.cpp:
184         (JSC::DFG::ConstantFoldingPhase::foldConstants):
185         * dfg/DFGDoesGC.cpp:
186         (JSC::DFG::doesGC):
187         * dfg/DFGDriver.cpp:
188         (JSC::DFG::compileImpl):
189         * dfg/DFGFixupPhase.cpp:
190         (JSC::DFG::FixupPhase::fixupNode):
191         * dfg/DFGNode.h:
192         (JSC::DFG::Node::hasHeapPrediction):
193         * dfg/DFGNodeType.h:
194         * dfg/DFGOperations.cpp:
195         * dfg/DFGPredictionPropagationPhase.cpp:
196         (JSC::DFG::PredictionPropagationPhase::propagate):
197         * dfg/DFGSafeToExecute.h:
198         (JSC::DFG::safeToExecute):
199         * dfg/DFGSpeculativeJIT32_64.cpp:
200         (JSC::DFG::SpeculativeJIT::emitCall):
201         (JSC::DFG::SpeculativeJIT::compile):
202         * dfg/DFGSpeculativeJIT64.cpp:
203         (JSC::DFG::SpeculativeJIT::emitCall):
204         (JSC::DFG::SpeculativeJIT::compile):
205         * dfg/DFGTierUpCheckInjectionPhase.cpp:
206         (JSC::DFG::TierUpCheckInjectionPhase::run):
207         (JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling): Deleted.
208         * ftl/FTLCapabilities.cpp:
209         (JSC::FTL::canCompile):
210         * heap/Heap.cpp:
211         (JSC::Heap::collect):
212         * jit/BinarySwitch.h:
213         * jit/ClosureCallStubRoutine.cpp: Removed.
214         * jit/ClosureCallStubRoutine.h: Removed.
215         * jit/JITCall.cpp:
216         (JSC::JIT::compileOpCall):
217         * jit/JITCall32_64.cpp:
218         (JSC::JIT::compileOpCall):
219         * jit/JITOperations.cpp:
220         * jit/JITOperations.h:
221         (JSC::operationLinkPolymorphicCallFor):
222         (JSC::operationLinkClosureCallFor): Deleted.
223         * jit/JITStubRoutine.h:
224         * jit/JITWriteBarrier.h:
225         * jit/PolymorphicCallStubRoutine.cpp: Added.
226         (JSC::PolymorphicCallNode::~PolymorphicCallNode):
227         (JSC::PolymorphicCallNode::unlink):
228         (JSC::PolymorphicCallCase::dump):
229         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
230         (JSC::PolymorphicCallStubRoutine::~PolymorphicCallStubRoutine):
231         (JSC::PolymorphicCallStubRoutine::variants):
232         (JSC::PolymorphicCallStubRoutine::edges):
233         (JSC::PolymorphicCallStubRoutine::visitWeak):
234         (JSC::PolymorphicCallStubRoutine::markRequiredObjectsInternal):
235         * jit/PolymorphicCallStubRoutine.h: Added.
236         (JSC::PolymorphicCallNode::PolymorphicCallNode):
237         (JSC::PolymorphicCallCase::PolymorphicCallCase):
238         (JSC::PolymorphicCallCase::variant):
239         (JSC::PolymorphicCallCase::codeBlock):
240         * jit/Repatch.cpp:
241         (JSC::linkSlowFor):
242         (JSC::linkFor):
243         (JSC::revertCall):
244         (JSC::unlinkFor):
245         (JSC::linkVirtualFor):
246         (JSC::linkPolymorphicCall):
247         (JSC::linkClosureCall): Deleted.
248         * jit/Repatch.h:
249         * jit/ThunkGenerators.cpp:
250         (JSC::linkPolymorphicCallForThunkGenerator):
251         (JSC::linkPolymorphicCallThunkGenerator):
252         (JSC::linkPolymorphicCallThatPreservesRegsThunkGenerator):
253         (JSC::linkClosureCallForThunkGenerator): Deleted.
254         (JSC::linkClosureCallThunkGenerator): Deleted.
255         (JSC::linkClosureCallThatPreservesRegsThunkGenerator): Deleted.
256         * jit/ThunkGenerators.h:
257         (JSC::linkPolymorphicCallThunkGeneratorFor):
258         (JSC::linkClosureCallThunkGeneratorFor): Deleted.
259         * llint/LLIntSlowPaths.cpp:
260         (JSC::LLInt::jitCompileAndSetHeuristics):
261         * runtime/Options.h:
262         * runtime/VM.cpp:
263         (JSC::VM::prepareToDiscardCode):
264         (JSC::VM::ensureCallEdgeLog): Deleted.
265         * runtime/VM.h:
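
        The entry above describes how a call site evolves: a basic inline cache linked to one
        callee, inflated on a miss into an out-of-line stub that cases on the known callees,
        rewritten on each further miss to include the new callee, and finally degraded to a plain
        virtual call once a callee limit is hit. As an added illustration that is not JSC's
        CallLinkInfo, Repatch.cpp or PolymorphicCallStubRoutine code, the C++ program below
        simulates that state machine over a sequence of callee names and records how many stub
        rewrites, cache hits and virtual calls a sequence produces. The state names, the
        `kMaxPolymorphicCallees` limit and the counters are assumptions made for the example.

```cpp
// Added example, not JSC's CallLinkInfo / PolymorphicCallStubRoutine code:
// a simulation of the call-site state machine the ChangeLog entry describes.
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

enum class CallSiteState { Unlinked, Monomorphic, Polymorphic, Virtual };

struct CallSite {
    CallSiteState state = CallSiteState::Unlinked;
    std::vector<std::string> knownCallees; // the callees the out-of-line stub cases on
    unsigned stubRewrites = 0;             // regenerations of the out-of-line stub
    unsigned virtualCalls = 0;             // calls that went through plain virtual dispatch
    unsigned cacheHits = 0;                // calls answered by the linked cache or the stub
};

constexpr size_t kMaxPolymorphicCallees = 4; // assumed limit for the example

// Route one call through the site and, on a miss, update the site the way the
// entry describes. Returns true when the call was answered by the cache.
bool dispatch(CallSite& site, const std::string& callee)
{
    switch (site.state) {
    case CallSiteState::Virtual:
        // Past the limit: every call pays for virtual dispatch, nothing is cached.
        ++site.virtualCalls;
        return false;
    case CallSiteState::Unlinked:
        // First call: link the site to its one callee (the basic inline cache).
        site.knownCallees.push_back(callee);
        site.state = CallSiteState::Monomorphic;
        return false;
    case CallSiteState::Monomorphic:
    case CallSiteState::Polymorphic: {
        bool known = std::find(site.knownCallees.begin(), site.knownCallees.end(), callee)
            != site.knownCallees.end();
        if (known) {
            ++site.cacheHits;
            return true;
        }
        if (site.knownCallees.size() >= kMaxPolymorphicCallees) {
            // Too many distinct callees: give up on caching and go virtual.
            site.knownCallees.clear();
            site.state = CallSiteState::Virtual;
            ++site.virtualCalls;
            return false;
        }
        // Miss within the limit: rewrite the stub to include the new callee.
        site.knownCallees.push_back(callee);
        site.state = CallSiteState::Polymorphic;
        ++site.stubRewrites;
        return false;
    }
    }
    return false;
}

// Drive a fresh call site through a constructed sequence of callees.
CallSite runCallSequence(const std::vector<std::string>& callees)
{
    CallSite site;
    for (const std::string& callee : callees)
        dispatch(site, callee);
    return site;
}

int main()
{
    // Constructed sample: two repeating callees stay polymorphic; five distinct
    // callees exceed the assumed limit and push the site to virtual dispatch.
    for (const auto& sequence : { std::vector<std::string> { "f", "f", "g", "f", "g" },
                                  std::vector<std::string> { "a", "a", "b", "c", "d", "e", "a" } }) {
        CallSite site = runCallSequence(sequence);
        std::printf("state=%d known=%zu rewrites=%u hits=%u virtual=%u\n",
                    static_cast<int>(site.state), site.knownCallees.size(),
                    site.stubRewrites, site.cacheHits, site.virtualCalls);
    }
    return 0;
}
```

        Bounding the number of callees is what keeps the stub's size and rewrite count bounded;
        without the limit, a call site that sees an unbounded stream of distinct callees would
        regenerate its stub on every miss.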
266
267 2015-01-30  Filip Pizlo  <fpizlo@apple.com>
268
269         Converting Flushes and PhantomLocals to Phantoms requires an OSR availability analysis rather than just using the SetLocal's child
270         https://bugs.webkit.org/show_bug.cgi?id=141107
271
272         Reviewed by Michael Saboff.
273         
274         See the bugzilla for a discussion of the problem. This addresses the problem by ensuring
275         that Flushes are always strength-reduced to PhantomLocals, and CPS rethreading does a mini
276         OSR availability analysis to determine the right MovHint value to use for the Phantom.
277
278         * dfg/DFGCPSRethreadingPhase.cpp:
279         (JSC::DFG::CPSRethreadingPhase::CPSRethreadingPhase):
280         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
281         (JSC::DFG::CPSRethreadingPhase::clearVariables):
282         (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
283         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
284         (JSC::DFG::CPSRethreadingPhase::clearVariablesAtHeadAndTail): Deleted.
285         * dfg/DFGNode.h:
286         (JSC::DFG::Node::convertPhantomToPhantomLocal):
287         (JSC::DFG::Node::convertFlushToPhantomLocal):
288         (JSC::DFG::Node::convertToPhantomLocal): Deleted.
289         * dfg/DFGStrengthReductionPhase.cpp:
290         (JSC::DFG::StrengthReductionPhase::handleNode):
291         * tests/stress/inline-call-that-doesnt-use-all-args.js: Added.
292         (foo):
293         (bar):
294         (baz):
295
296 2015-01-31  Michael Saboff  <msaboff@apple.com>
297
298         Crash (DFG assertion) beneath AbstractInterpreter::verifyEdge() @ http://experilous.com/1/planet-generator/2014-09-28/version-1
299         https://bugs.webkit.org/show_bug.cgi?id=141111
300
301         Reviewed by Filip Pizlo.
302
303         In LowerDFGToLLVM::compileNode(), if we determine while compiling a node that we would have
304         exited, we don't need to process the OSR availability or abstract interpreter.
305
306         * ftl/FTLLowerDFGToLLVM.cpp:
307         (JSC::FTL::LowerDFGToLLVM::safelyInvalidateAfterTermination): Broke this out as a separate
308         method since we need to call it at the top and near the bottom of compileNode().
309         (JSC::FTL::LowerDFGToLLVM::compileNode):
310
311 2015-01-31  Sam Weinig  <sam@webkit.org>
312
313         Remove even more Mountain Lion support
314         https://bugs.webkit.org/show_bug.cgi?id=141124
315
316         Reviewed by Alexey Proskuryakov.
317
318         * API/tests/DateTests.mm:
319         * Configurations/Base.xcconfig:
320         * Configurations/DebugRelease.xcconfig:
321         * Configurations/FeatureDefines.xcconfig:
322         * Configurations/Version.xcconfig:
323         * jit/ExecutableAllocatorFixedVMPool.cpp:
324
325 2015-01-31  Commit Queue  <commit-queue@webkit.org>
326
327         Unreviewed, rolling out r179426.
328         https://bugs.webkit.org/show_bug.cgi?id=141119
329
330         "caused a memory use regression" (Requested by Guest45 on
331         #webkit).
332
333         Reverted changeset:
334
335         "Use FastMalloc (bmalloc) instead of BlockAllocator for GC
336         pages"
337         https://bugs.webkit.org/show_bug.cgi?id=140900
338         http://trac.webkit.org/changeset/179426
339
340 2015-01-30  Daniel Bates  <dabates@apple.com>
341
342         Clean up: Remove unnecessary <dispatch/dispatch.h> header from RemoteInspectorDebuggableConnection.h
343         https://bugs.webkit.org/show_bug.cgi?id=141067
344
345         Reviewed by Timothy Hatcher.
346
347         Remove the header <dispatch/dispatch.h> from RemoteInspectorDebuggableConnection.h as we
348         do not make use of its functionality. Instead, include this header in RemoteInspectorDebuggableConnection.mm
349         and RemoteInspector.mm. The latter depended on <dispatch/dispatch.h> being included via
350         header RemoteInspectorDebuggableConnection.h.
351
352         * inspector/remote/RemoteInspector.mm: Include header <dispatch/dispatch.h>.
353         * inspector/remote/RemoteInspectorDebuggableConnection.h: Remove header <dispatch/dispatch.h>.
354         * inspector/remote/RemoteInspectorDebuggableConnection.mm: Include header <dispatch/dispatch.h>.
355
356 2015-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>
357
358         Implement ES6 Symbol
359         https://bugs.webkit.org/show_bug.cgi?id=140435
360
361         Reviewed by Geoffrey Garen.
362
363         This patch implements ES6 Symbol. In this patch, we don't support
364         Symbol.keyFor, Symbol.for, Object.getOwnPropertySymbols. They will be
365         supported in the subsequent patches.
366
367         Since ES6 Symbol is introduced as a new primitive value, we implement
368         Symbol as a class derived from JSCell, and JSValue now accepts Symbol*
369         as a new primitive value.
370
371         Symbol has a *unique* flagged StringImpl* as a `uid`, whose pointer
372         value represents the Symbol's identity. So don't compare Symbols by
373         their JSCell pointer values.
374         This enables re-producing a Symbol primitive value from its StringImpl* uid
375         by executing `Symbol::create(vm, uid)`. This is needed to produce
376         Symbol primitive values from stored StringImpl* in `Object.getOwnPropertySymbols`.
377
378         Symbol.[[Description]] is folded into the string value of the Symbol's uid.
379         By doing so, we can represent ES6 Symbol without extending the current PropertyTable key type, StringImpl*.
380
381         * CMakeLists.txt:
382         * DerivedSources.make:
383         * JavaScriptCore.order:
384         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
385         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
386         * JavaScriptCore.xcodeproj/project.pbxproj:
387         * builtins/BuiltinExecutables.cpp:
388         (JSC::BuiltinExecutables::createBuiltinExecutable):
389         * builtins/BuiltinNames.h:
390         * dfg/DFGOperations.cpp:
391         (JSC::DFG::operationPutByValInternal):
392         * inspector/JSInjectedScriptHost.cpp:
393         (Inspector::JSInjectedScriptHost::subtype):
394         * interpreter/Interpreter.cpp:
395         * jit/JITOperations.cpp:
396         (JSC::getByVal):
397         * llint/LLIntData.cpp:
398         (JSC::LLInt::Data::performAssertions):
399         * llint/LLIntSlowPaths.cpp:
400         (JSC::LLInt::getByVal):
401         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
402         * llint/LowLevelInterpreter.asm:
403         * runtime/CommonIdentifiers.h:
404         * runtime/CommonSlowPaths.cpp:
405         (JSC::SLOW_PATH_DECL):
406         * runtime/CommonSlowPaths.h:
407         (JSC::CommonSlowPaths::opIn):
408         * runtime/ExceptionHelpers.cpp:
409         (JSC::createUndefinedVariableError):
410         * runtime/JSCJSValue.cpp:
411         (JSC::JSValue::synthesizePrototype):
412         (JSC::JSValue::dumpInContextAssumingStructure):
413         (JSC::JSValue::toStringSlowCase):
414         * runtime/JSCJSValue.h:
415         * runtime/JSCJSValueInlines.h:
416         (JSC::JSValue::isSymbol):
417         (JSC::JSValue::isPrimitive):
418         (JSC::JSValue::toPropertyKey):
419
420         It represents the ToPropertyKey abstract operation in the ES6 spec.
421         It cleans up the old implementation's `isName` checks.
422         And to prevent performance regressions in
423             js/regress/fold-get-by-id-to-multi-get-by-offset-rare-int.html
424             js/regress/fold-get-by-id-to-multi-get-by-offset.html
425         we annotate this function as ALWAYS_INLINE.
426
427         (JSC::JSValue::getPropertySlot):
428         (JSC::JSValue::get):
429         (JSC::JSValue::equalSlowCaseInline):
430         (JSC::JSValue::strictEqualSlowCaseInline):
431         * runtime/JSCell.cpp:
432         (JSC::JSCell::put):
433         (JSC::JSCell::putByIndex):
434         (JSC::JSCell::toPrimitive):
435         (JSC::JSCell::getPrimitiveNumber):
436         (JSC::JSCell::toNumber):
437         (JSC::JSCell::toObject):
438         * runtime/JSCell.h:
439         * runtime/JSCellInlines.h:
440         (JSC::JSCell::isSymbol):
441         (JSC::JSCell::toBoolean):
442         (JSC::JSCell::pureToBoolean):
443         * runtime/JSGlobalObject.cpp:
444         (JSC::JSGlobalObject::init):
445         (JSC::JSGlobalObject::visitChildren):
446         * runtime/JSGlobalObject.h:
447         (JSC::JSGlobalObject::symbolPrototype):
448         (JSC::JSGlobalObject::symbolObjectStructure):
449         * runtime/JSONObject.cpp:
450         (JSC::Stringifier::Stringifier):
451         * runtime/JSSymbolTableObject.cpp:
452         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
453         * runtime/JSType.h:
454         * runtime/JSTypeInfo.h:
455         (JSC::TypeInfo::isName): Deleted.
456         * runtime/MapData.cpp:
457         (JSC::MapData::find):
458         (JSC::MapData::add):
459         (JSC::MapData::remove):
460         (JSC::MapData::replaceAndPackBackingStore):
461         * runtime/MapData.h:
462         (JSC::MapData::clear):
463         * runtime/NameInstance.h: Removed.
464         * runtime/NamePrototype.cpp: Removed.
465         * runtime/ObjectConstructor.cpp:
466         (JSC::objectConstructorGetOwnPropertyDescriptor):
467         (JSC::objectConstructorDefineProperty):
468         * runtime/ObjectPrototype.cpp:
469         (JSC::objectProtoFuncHasOwnProperty):
470         (JSC::objectProtoFuncDefineGetter):
471         (JSC::objectProtoFuncDefineSetter):
472         (JSC::objectProtoFuncLookupGetter):
473         (JSC::objectProtoFuncLookupSetter):
474         (JSC::objectProtoFuncPropertyIsEnumerable):
475         * runtime/Operations.cpp:
476         (JSC::jsTypeStringForValue):
477         (JSC::jsIsObjectType):
478         * runtime/PrivateName.h:
479         (JSC::PrivateName::PrivateName):
480         (JSC::PrivateName::operator==):
481         (JSC::PrivateName::operator!=):
482         * runtime/PropertyMapHashTable.h:
483         (JSC::PropertyTable::find):
484         (JSC::PropertyTable::get):
485         * runtime/PropertyName.h:
486         (JSC::PropertyName::PropertyName):
487         (JSC::PropertyName::publicName):
488         * runtime/SmallStrings.h:
489         * runtime/StringConstructor.cpp:
490         (JSC::callStringConstructor):
491
492         In ES6, the String constructor accepts a Symbol, so that `String(symbol)` can be executed.
493
494         * runtime/Structure.cpp:
495         (JSC::Structure::getPropertyNamesFromStructure):
496         * runtime/StructureInlines.h:
497         (JSC::Structure::prototypeForLookup):
498         * runtime/Symbol.cpp: Added.
499         (JSC::Symbol::Symbol):
500         (JSC::SymbolObject::create):
501         (JSC::Symbol::toPrimitive):
502         (JSC::Symbol::toBoolean):
503         (JSC::Symbol::getPrimitiveNumber):
504         (JSC::Symbol::toObject):
505         (JSC::Symbol::toNumber):
506         (JSC::Symbol::destroy):
507         (JSC::Symbol::descriptiveString):
508         * runtime/Symbol.h: Added.
509         (JSC::Symbol::createStructure):
510         (JSC::Symbol::create):
511         (JSC::Symbol::privateName):
512         (JSC::Symbol::finishCreation):
513         (JSC::asSymbol):
514         * runtime/SymbolConstructor.cpp: Renamed from Source/JavaScriptCore/runtime/NameConstructor.cpp.
515         (JSC::SymbolConstructor::SymbolConstructor):
516         (JSC::SymbolConstructor::finishCreation):
517         (JSC::callSymbol):
518         (JSC::SymbolConstructor::getConstructData):
519         (JSC::SymbolConstructor::getCallData):
520         * runtime/SymbolConstructor.h: Renamed from Source/JavaScriptCore/runtime/NameConstructor.h.
521         (JSC::SymbolConstructor::create):
522         (JSC::SymbolConstructor::createStructure):
523         * runtime/SymbolObject.cpp: Renamed from Source/JavaScriptCore/runtime/NameInstance.cpp.
524         (JSC::SymbolObject::SymbolObject):
525         (JSC::SymbolObject::finishCreation):
526         (JSC::SymbolObject::defaultValue):
527
528         JSC doesn't support @@toPrimitive yet. So instead of it, we implement
529         Symbol.prototype[@@toPrimitive] as the ES5 Symbol.[[DefaultValue]].
530
531         * runtime/SymbolObject.h: Added.
532         (JSC::SymbolObject::create):
533         (JSC::SymbolObject::internalValue):
534         (JSC::SymbolObject::createStructure):
535         * runtime/SymbolPrototype.cpp: Added.
536         (JSC::SymbolPrototype::SymbolPrototype):
537         (JSC::SymbolPrototype::finishCreation):
538         (JSC::SymbolPrototype::getOwnPropertySlot):
539         (JSC::symbolProtoFuncToString):
540         (JSC::symbolProtoFuncValueOf):
541         * runtime/SymbolPrototype.h: Renamed from Source/JavaScriptCore/runtime/NamePrototype.h.
542         (JSC::SymbolPrototype::create):
543         (JSC::SymbolPrototype::createStructure):
544
545         The SymbolPrototype object is an ordinary JS object, not a wrapper object of Symbol.
546         It is tested in js/symbol-prototype-is-ordinary-object.html.
547
548         * runtime/VM.cpp:
549         (JSC::VM::VM):
550         * runtime/VM.h:
551
552 2015-01-30  Geoffrey Garen  <ggaren@apple.com>
553
554         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
555         https://bugs.webkit.org/show_bug.cgi?id=140900
556
557         Reviewed by Mark Hahnenberg.
558
559         Re-landing just the HandleBlock piece of this patch.
560
561         * heap/HandleBlock.h:
562         * heap/HandleBlockInlines.h:
563         (JSC::HandleBlock::create):
564         (JSC::HandleBlock::destroy):
565         (JSC::HandleBlock::HandleBlock):
566         (JSC::HandleBlock::payloadEnd):
567         * heap/HandleSet.cpp:
568         (JSC::HandleSet::~HandleSet):
569         (JSC::HandleSet::grow):
570
571 2015-01-30  Geoffrey Garen  <ggaren@apple.com>
572
573         GC marking threads should clear malloc caches
574         https://bugs.webkit.org/show_bug.cgi?id=141097
575
576         Reviewed by Sam Weinig.
577
578         Follow-up based on Mark Hahnenberg's review: Release after the copy
579         phase, rather than after any phase, since we'd rather not release
580         between marking and copying.
581
582         * heap/GCThread.cpp:
583         (JSC::GCThread::waitForNextPhase):
584         (JSC::GCThread::gcThreadMain):
585
586 2015-01-30  Geoffrey Garen  <ggaren@apple.com>
587
588         GC marking threads should clear malloc caches
589         https://bugs.webkit.org/show_bug.cgi?id=141097
590
591         Reviewed by Andreas Kling.
592
593         This is an attempt to ameliorate a potential memory use regression
594         caused by https://bugs.webkit.org/show_bug.cgi?id=140900
595         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages.
596
597         FastMalloc may accumulate a per-thread cache on each of the 8-ish
598         GC marking threads, which can be expensive.
599
600         * heap/GCThread.cpp:
601         (JSC::GCThread::waitForNextPhase): Scavenge the current thread before
602         going to sleep. There's probably not too much value to keeping our
603         per-thread cache between GCs, and it has some memory footprint.
604
605 2015-01-30  Chris Dumez  <cdumez@apple.com>
606
607         Rename shared() static member functions to singleton() for singleton classes.
608         https://bugs.webkit.org/show_bug.cgi?id=141088
609
610         Reviewed by Ryosuke Niwa and Benjamin Poulain.
611
612         Rename shared() static member functions to singleton() for singleton
613         classes as per the recent coding style change.
614
615         * inspector/remote/RemoteInspector.h:
616         * inspector/remote/RemoteInspector.mm:
617         (Inspector::RemoteInspector::singleton):
618         (Inspector::RemoteInspector::start):
619         (Inspector::RemoteInspector::shared): Deleted.
620         * inspector/remote/RemoteInspectorDebuggable.cpp:
621         (Inspector::RemoteInspectorDebuggable::~RemoteInspectorDebuggable):
622         (Inspector::RemoteInspectorDebuggable::init):
623         (Inspector::RemoteInspectorDebuggable::update):
624         (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
625         (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection):
626         (Inspector::RemoteInspectorDebuggable::unpauseForInitializedInspector):
627         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
628         (Inspector::RemoteInspectorDebuggableConnection::setup):
629         (Inspector::RemoteInspectorDebuggableConnection::sendMessageToFrontend):
630
631 2015-01-30  Geoffrey Garen  <ggaren@apple.com>
632
633         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
634         https://bugs.webkit.org/show_bug.cgi?id=140900
635
636         Reviewed by Mark Hahnenberg.
637
638         Re-landing just the CopyWorkListSegment piece of this patch.
639
640         * heap/CopiedBlockInlines.h:
641         (JSC::CopiedBlock::reportLiveBytes):
642         * heap/CopyWorkList.h:
643         (JSC::CopyWorkListSegment::create):
644         (JSC::CopyWorkListSegment::destroy):
645         (JSC::CopyWorkListSegment::CopyWorkListSegment):
646         (JSC::CopyWorkList::CopyWorkList):
647         (JSC::CopyWorkList::~CopyWorkList):
648         (JSC::CopyWorkList::append):
649
650 2015-01-29  Commit Queue  <commit-queue@webkit.org>
651
652         Unreviewed, rolling out r179357 and r179358.
653         https://bugs.webkit.org/show_bug.cgi?id=141062
654
655         Suspect this caused WebGL tests to start flaking (Requested by
656         kling on #webkit).
657
658         Reverted changesets:
659
660         "Polymorphic call inlining should be based on polymorphic call
661         inline caching rather than logging"
662         https://bugs.webkit.org/show_bug.cgi?id=140660
663         http://trac.webkit.org/changeset/179357
664
665         "Unreviewed, fix no-JIT build."
666         http://trac.webkit.org/changeset/179358
667
668 2015-01-29  Geoffrey Garen  <ggaren@apple.com>
669
670         Removed op_ret_object_or_this
671         https://bugs.webkit.org/show_bug.cgi?id=141048
672
673         Reviewed by Michael Saboff.
674
675         op_ret_object_or_this was one opcode that would keep us out of the
676         optimizing compilers.
677
678         We don't need a special-purpose opcode; we can just use a branch.
679
680         * bytecode/BytecodeBasicBlock.cpp:
681         (JSC::isTerminal): Removed.
682         * bytecode/BytecodeList.json:
683         * bytecode/BytecodeUseDef.h:
684         (JSC::computeUsesForBytecodeOffset):
685         (JSC::computeDefsForBytecodeOffset): Removed.
686
687         * bytecode/CodeBlock.cpp:
688         (JSC::CodeBlock::dumpBytecode): Removed.
689
690         * bytecompiler/BytecodeGenerator.cpp:
691         (JSC::BytecodeGenerator::emitReturn): Use an explicit branch to determine
692         if we need to substitute 'this' for the return value. Our engine no longer
693         benefits from fused opcodes that dispatch less in the interpreter.
694
695         * jit/JIT.cpp:
696         (JSC::JIT::privateCompileMainPass):
697         * jit/JIT.h:
698         * jit/JITCall32_64.cpp:
699         (JSC::JIT::emit_op_ret_object_or_this): Deleted.
700         * jit/JITOpcodes.cpp:
701         (JSC::JIT::emit_op_ret_object_or_this): Deleted.
702         * llint/LowLevelInterpreter32_64.asm:
703         * llint/LowLevelInterpreter64.asm: Removed.
704
705 2015-01-29  Ryosuke Niwa  <rniwa@webkit.org>
706
707         Implement ES6 class syntax without inheritance support
708         https://bugs.webkit.org/show_bug.cgi?id=140918
709
710         Reviewed by Geoffrey Garen.
711
712         Added the most basic support for ES6 class syntax. After this patch, we support basic class definition like:
713         class A {
714             constructor() { }
715             someMethod() { }
716         }
717
718         We'll add the support for "extends" keyword and automatically generating a constructor in follow-up patches.
719         We also don't support block scoping of a class declaration.
720
721         We support both class declaration and class expression. A class expression is implemented by the newly added
722         ClassExprNode AST node. A class declaration is implemented by ClassDeclNode, which is a thin wrapper around
723         AssignResolveNode.
724
725         Tests: js/class-syntax-declaration.html
726                js/class-syntax-expression.html
727
728         * bytecompiler/NodesCodegen.cpp:
729         (JSC::ObjectLiteralNode::emitBytecode): Create a new object instead of delegating the work to PropertyListNode.
730         Also fixed the 5-space indentation.
731         (JSC::PropertyListNode::emitBytecode): Don't create a new object now that ObjectLiteralNode does this.
732         (JSC::ClassDeclNode::emitBytecode): Added. Just let the AssignResolveNode node emit the byte code.
733         (JSC::ClassExprNode::emitBytecode): Create the class constructor and add static methods to the constructor by
734         emitting the byte code for PropertyListNode. Add instance methods to the class's prototype object the same way.
735
736         * parser/ASTBuilder.h:
737         (JSC::ASTBuilder::createClassExpr): Added. Creates a ClassExprNode.
738         (JSC::ASTBuilder::createClassDeclStatement): Added. Creates an AssignResolveNode and wraps it by a ClassDeclNode.
739
740         * parser/NodeConstructors.h:
741         (JSC::ClassDeclNode::ClassDeclNode): Added.
742         (JSC::ClassExprNode::ClassExprNode): Added.
743
744         * parser/Nodes.h:
745         (JSC::ClassExprNode): Added.
746         (JSC::ClassDeclNode): Added.
747
748         * parser/Parser.cpp:
749         (JSC::Parser<LexerType>::parseStatement): Added the support for class declaration.
750         (JSC::stringForFunctionMode): Return "method" for MethodMode.
751         (JSC::Parser<LexerType>::parseClassDeclaration): Added. Uses parseClass to create a class expression and wraps
752         it with ClassDeclNode as described above.
753         (JSC::Parser<LexerType>::parseClass): Parses a class expression.
754         (JSC::Parser<LexerType>::parseProperty):
755         (JSC::Parser<LexerType>::parseGetterSetter): Extracted from parseProperty to share the code between parseProperty
756         and parseClass.
757         (JSC::Parser<LexerType>::parsePrimaryExpression): Added the support for class expression.
758
759         * parser/Parser.h:
760         (FunctionParseMode): Added MethodMode.
761
762         * parser/SyntaxChecker.h:
763         (JSC::SyntaxChecker::createClassExpr): Added.
764         (JSC::SyntaxChecker::createClassDeclStatement): Added.
765
766 2015-01-29  Geoffrey Garen  <ggaren@apple.com>
767
768         Try to fix the Windows build.
769
770         Not reviewed.
771
772         * heap/WeakBlock.h: Use the fully qualified name when declaring our friend.
773
774 2015-01-29  Geoffrey Garen  <ggaren@apple.com>
775
776         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
777         https://bugs.webkit.org/show_bug.cgi?id=140900
778
779         Reviewed by Mark Hahnenberg.
780
781         Re-landing just the WeakBlock piece of this patch.
782
783         * heap/WeakBlock.cpp:
784         (JSC::WeakBlock::create):
785         (JSC::WeakBlock::destroy):
786         (JSC::WeakBlock::WeakBlock):
787         * heap/WeakBlock.h:
788         * heap/WeakSet.cpp:
789         (JSC::WeakSet::~WeakSet):
790         (JSC::WeakSet::addAllocator):
791         (JSC::WeakSet::removeAllocator):
792
793 2015-01-29  Geoffrey Garen  <ggaren@apple.com>
794
795         Use Vector instead of GCSegmentedArray in CodeBlockSet
796         https://bugs.webkit.org/show_bug.cgi?id=141044
797
798         Reviewed by Ryosuke Niwa.
799
800         This is allowed now that we've gotten rid of fastMallocForbid.
801
802         4kB was a bit overkill for just storing a few pointers.
803
804         * heap/CodeBlockSet.cpp:
805         (JSC::CodeBlockSet::CodeBlockSet):
806         * heap/CodeBlockSet.h:
807         * heap/Heap.cpp:
808         (JSC::Heap::Heap):
809
810 2015-01-29  Filip Pizlo  <fpizlo@apple.com>
811
812         Unreviewed, fix no-JIT build.
813
814         * jit/PolymorphicCallStubRoutine.cpp:
815
816 2015-01-28  Filip Pizlo  <fpizlo@apple.com>
817
818         Polymorphic call inlining should be based on polymorphic call inline caching rather than logging
819         https://bugs.webkit.org/show_bug.cgi?id=140660
820
821         Reviewed by Geoffrey Garen.
822         
823         When we first implemented polymorphic call inlining, we did the profiling based on a call
824         edge log. The idea was to store each call edge (a tuple of call site and callee) into a
825         global log that was processed lazily. Processing the log would give precise counts of call
826         edges, and could be used to drive well-informed inlining decisions - polymorphic or not.
827         This was a speed-up on throughput tests but a slow-down for latency tests. It was a net win
828         nonetheless.
829         
830         Experience with this code shows three things. First, the call edge profiler is buggy and
831         complex. It would take work to fix the bugs. Second, the call edge profiler incurs lots of
832         overhead for latency code that we care deeply about. Third, it's not at all clear that
833         having call edge counts for every possible callee is any better than just having call edge
834         counts for the limited number of callees that an inline cache would catch.
835         
836         So, this patch removes the call edge profiler and replaces it with a polymorphic call inline
837         cache. If we miss the basic call inline cache, we inflate the cache to be a jump to an
838         out-of-line stub that cases on the previously known callees. If that misses again, then we
839         rewrite that stub to include the new callee. We do this up to some number of callees. If we
840         hit the limit then we switch to using a plain virtual call.
841         
842         Substantial speed-up on V8Spider; undoes the slow-down that the original call edge profiler
843         caused. Might be a SunSpider speed-up (below 1%), depending on hardware.
844
845         * CMakeLists.txt:
846         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
847         * JavaScriptCore.xcodeproj/project.pbxproj:
848         * bytecode/CallEdge.h:
849         (JSC::CallEdge::count):
850         (JSC::CallEdge::CallEdge):
851         * bytecode/CallEdgeProfile.cpp: Removed.
852         * bytecode/CallEdgeProfile.h: Removed.
853         * bytecode/CallEdgeProfileInlines.h: Removed.
854         * bytecode/CallLinkInfo.cpp:
855         (JSC::CallLinkInfo::unlink):
856         (JSC::CallLinkInfo::visitWeak):
857         * bytecode/CallLinkInfo.h:
858         * bytecode/CallLinkStatus.cpp:
859         (JSC::CallLinkStatus::CallLinkStatus):
860         (JSC::CallLinkStatus::computeFor):
861         (JSC::CallLinkStatus::computeFromCallLinkInfo):
862         (JSC::CallLinkStatus::isClosureCall):
863         (JSC::CallLinkStatus::makeClosureCall):
864         (JSC::CallLinkStatus::dump):
865         (JSC::CallLinkStatus::computeFromCallEdgeProfile): Deleted.
866         * bytecode/CallLinkStatus.h:
867         (JSC::CallLinkStatus::CallLinkStatus):
868         (JSC::CallLinkStatus::isSet):
869         (JSC::CallLinkStatus::variants):
870         (JSC::CallLinkStatus::size):
871         (JSC::CallLinkStatus::at):
872         (JSC::CallLinkStatus::operator[]):
873         (JSC::CallLinkStatus::canOptimize):
874         (JSC::CallLinkStatus::edges): Deleted.
875         (JSC::CallLinkStatus::canTrustCounts): Deleted.
876         * bytecode/CallVariant.cpp:
877         (JSC::variantListWithVariant):
878         (JSC::despecifiedVariantList):
879         * bytecode/CallVariant.h:
880         * bytecode/CodeBlock.cpp:
881         (JSC::CodeBlock::~CodeBlock):
882         (JSC::CodeBlock::linkIncomingPolymorphicCall):
883         (JSC::CodeBlock::unlinkIncomingCalls):
884         (JSC::CodeBlock::noticeIncomingCall):
885         * bytecode/CodeBlock.h:
886         (JSC::CodeBlock::isIncomingCallAlreadyLinked): Deleted.
887         * dfg/DFGAbstractInterpreterInlines.h:
888         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
889         * dfg/DFGByteCodeParser.cpp:
890         (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
891         (JSC::DFG::ByteCodeParser::handleCall):
892         (JSC::DFG::ByteCodeParser::handleInlining):
893         * dfg/DFGClobberize.h:
894         (JSC::DFG::clobberize):
895         * dfg/DFGConstantFoldingPhase.cpp:
896         (JSC::DFG::ConstantFoldingPhase::foldConstants):
897         * dfg/DFGDoesGC.cpp:
898         (JSC::DFG::doesGC):
899         * dfg/DFGDriver.cpp:
900         (JSC::DFG::compileImpl):
901         * dfg/DFGFixupPhase.cpp:
902         (JSC::DFG::FixupPhase::fixupNode):
903         * dfg/DFGNode.h:
904         (JSC::DFG::Node::hasHeapPrediction):
905         * dfg/DFGNodeType.h:
906         * dfg/DFGOperations.cpp:
907         * dfg/DFGPredictionPropagationPhase.cpp:
908         (JSC::DFG::PredictionPropagationPhase::propagate):
909         * dfg/DFGSafeToExecute.h:
910         (JSC::DFG::safeToExecute):
911         * dfg/DFGSpeculativeJIT32_64.cpp:
912         (JSC::DFG::SpeculativeJIT::emitCall):
913         (JSC::DFG::SpeculativeJIT::compile):
914         * dfg/DFGSpeculativeJIT64.cpp:
915         (JSC::DFG::SpeculativeJIT::emitCall):
916         (JSC::DFG::SpeculativeJIT::compile):
917         * dfg/DFGTierUpCheckInjectionPhase.cpp:
918         (JSC::DFG::TierUpCheckInjectionPhase::run):
919         (JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling): Deleted.
920         * ftl/FTLCapabilities.cpp:
921         (JSC::FTL::canCompile):
922         * heap/Heap.cpp:
923         (JSC::Heap::collect):
924         * jit/BinarySwitch.h:
925         * jit/ClosureCallStubRoutine.cpp: Removed.
926         * jit/ClosureCallStubRoutine.h: Removed.
927         * jit/JITCall.cpp:
928         (JSC::JIT::compileOpCall):
929         * jit/JITCall32_64.cpp:
930         (JSC::JIT::compileOpCall):
931         * jit/JITOperations.cpp:
932         * jit/JITOperations.h:
933         (JSC::operationLinkPolymorphicCallFor):
934         (JSC::operationLinkClosureCallFor): Deleted.
935         * jit/JITStubRoutine.h:
936         * jit/JITWriteBarrier.h:
937         * jit/PolymorphicCallStubRoutine.cpp: Added.
938         (JSC::PolymorphicCallNode::~PolymorphicCallNode):
939         (JSC::PolymorphicCallNode::unlink):
940         (JSC::PolymorphicCallCase::dump):
941         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
942         (JSC::PolymorphicCallStubRoutine::~PolymorphicCallStubRoutine):
943         (JSC::PolymorphicCallStubRoutine::variants):
944         (JSC::PolymorphicCallStubRoutine::edges):
945         (JSC::PolymorphicCallStubRoutine::visitWeak):
946         (JSC::PolymorphicCallStubRoutine::markRequiredObjectsInternal):
947         * jit/PolymorphicCallStubRoutine.h: Added.
948         (JSC::PolymorphicCallNode::PolymorphicCallNode):
949         (JSC::PolymorphicCallCase::PolymorphicCallCase):
950         (JSC::PolymorphicCallCase::variant):
951         (JSC::PolymorphicCallCase::codeBlock):
952         * jit/Repatch.cpp:
953         (JSC::linkSlowFor):
954         (JSC::linkFor):
955         (JSC::revertCall):
956         (JSC::unlinkFor):
957         (JSC::linkVirtualFor):
958         (JSC::linkPolymorphicCall):
959         (JSC::linkClosureCall): Deleted.
960         * jit/Repatch.h:
961         * jit/ThunkGenerators.cpp:
962         (JSC::linkPolymorphicCallForThunkGenerator):
963         (JSC::linkPolymorphicCallThunkGenerator):
964         (JSC::linkPolymorphicCallThatPreservesRegsThunkGenerator):
965         (JSC::linkClosureCallForThunkGenerator): Deleted.
966         (JSC::linkClosureCallThunkGenerator): Deleted.
967         (JSC::linkClosureCallThatPreservesRegsThunkGenerator): Deleted.
968         * jit/ThunkGenerators.h:
969         (JSC::linkPolymorphicCallThunkGeneratorFor):
970         (JSC::linkClosureCallThunkGeneratorFor): Deleted.
971         * llint/LLIntSlowPaths.cpp:
972         (JSC::LLInt::jitCompileAndSetHeuristics):
973         * runtime/Options.h:
974         * runtime/VM.cpp:
975         (JSC::VM::prepareToDiscardCode):
976         (JSC::VM::ensureCallEdgeLog): Deleted.
977         * runtime/VM.h:
978
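Added example, not JavaScriptCore code: a small model of the call inline cache state machine the entry above describes (basic cache, inflated out-of-line stub that cases on known callees, stub rewritten per new callee, plain virtual call past a limit). CallSite, dispatch, runSequence and the limit of 4 callees are assumptions made for this illustration; JSC's real limit is an Option.

```cpp
// Added example (not JavaScriptCore code): model of the polymorphic call inline
// cache transitions described in the r179357 ChangeLog entry. All names here are
// assumptions for the illustration; kMaxPolymorphicCallees is a constructed value.
#include <algorithm>
#include <cstddef>
#include <vector>

// A callee stands in for a JSC CodeBlock; the cache keys on identity only.
using Callee = int;

struct CallSite {
    enum class State { Unlinked, Monomorphic, Polymorphic, Virtual };
    State state = State::Unlinked;
    std::vector<Callee> knownCallees; // the cases in the out-of-line stub
    size_t stubRewrites = 0;          // how often the stub was regenerated
    size_t virtualCalls = 0;          // calls that took the generic path
};

// Upper bound on callees tracked before giving up on inline caching.
constexpr size_t kMaxPolymorphicCallees = 4;

// Returns true when the call hit a cached (fast) path, false on a miss.
bool dispatch(CallSite& site, Callee callee) {
    switch (site.state) {
    case CallSite::State::Unlinked:
        // First call: link the basic inline cache to this callee.
        site.knownCallees.push_back(callee);
        site.state = CallSite::State::Monomorphic;
        return false;
    case CallSite::State::Monomorphic:
        if (site.knownCallees.front() == callee)
            return true; // basic inline cache hit
        // Miss: inflate the cache into a stub that cases on known callees.
        site.knownCallees.push_back(callee);
        site.stubRewrites++;
        site.state = CallSite::State::Polymorphic;
        return false;
    case CallSite::State::Polymorphic:
        if (std::find(site.knownCallees.begin(), site.knownCallees.end(), callee)
            != site.knownCallees.end())
            return true; // one of the stub's cases matched
        if (site.knownCallees.size() >= kMaxPolymorphicCallees) {
            // Limit reached: switch this site to a plain virtual call for good.
            site.knownCallees.clear();
            site.state = CallSite::State::Virtual;
            site.virtualCalls++;
            return false;
        }
        // Miss below the limit: rewrite the stub to include the new callee.
        site.knownCallees.push_back(callee);
        site.stubRewrites++;
        return false;
    case CallSite::State::Virtual:
        site.virtualCalls++;
        return false;
    }
    return false;
}

// Drives one site through a sequence of callees; returns the fast-path hit count.
size_t runSequence(CallSite& site, const std::vector<Callee>& callees) {
    size_t hits = 0;
    for (Callee c : callees)
        if (dispatch(site, c))
            hits++;
    return hits;
}
```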
979 2015-01-29  Joseph Pecoraro  <pecoraro@apple.com>
980
981         Web Inspector: ES6: Improved Console Format for Set and Map Objects (like Arrays)
982         https://bugs.webkit.org/show_bug.cgi?id=122867
983
984         Reviewed by Timothy Hatcher.
985
986         Add new Runtime.RemoteObject object subtypes for "map", "set", and "weakmap".
987
988         Upgrade Runtime.ObjectPreview to include type/subtype information. Now,
989         an ObjectPreview can be used for any value, in place of a RemoteObject,
990         and not capture / hold a reference to the value. The value will be in
991         the string description.
992
993         Adding this information to ObjectPreview can duplicate some information
994         in the protocol messages if a preview is provided, but simplifies
995         previews, so that all the information you need for any RemoteObject
996         preview is available. To slim messages further, make "overflow" and
997         "properties" only available on previews that may contain properties.
998         So, not primitives or null.
999
1000         Finally, for "Map/Set/WeakMap" add an "entries" list to the preview
1001         that will return previews with "key" and "value" properties depending
1002         on the collection type. To get live, non-preview objects from a
1003         collection, use Runtime.getCollectionEntries.
1004
1005         In order to keep the WeakMap's values Weak the frontend may provide
1006         a unique object group name when getting collection entries. It may
1007         then release that object group, e.g. when not showing the WeakMap's
1008         values to the user, and thus remove the strong reference to the keys
1009         so they may be garbage collected.
1010
1011         * runtime/WeakMapData.h:
1012         (JSC::WeakMapData::begin):
1013         (JSC::WeakMapData::end):
1014         Expose iterators so the Inspector may access WeakMap keys/values.
1015
1016         * inspector/JSInjectedScriptHostPrototype.cpp:
1017         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
1018         (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapEntries):
1019         * inspector/JSInjectedScriptHost.h:
1020         * inspector/JSInjectedScriptHost.cpp:
1021         (Inspector::JSInjectedScriptHost::subtype):
1022         Discern "map", "set", and "weakmap" object subtypes.
1023
1024         (Inspector::JSInjectedScriptHost::weakMapEntries):
1025         Return a list of WeakMap entries. These are strong references
1026         that the Inspector code is responsible for releasing.
1027
1028         * inspector/protocol/Runtime.json:
1029         Update types and expose the new getCollectionEntries command.
1030
1031         * inspector/agents/InspectorRuntimeAgent.h:
1032         * inspector/agents/InspectorRuntimeAgent.cpp:
1033         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
1034         * inspector/InjectedScript.h:
1035         * inspector/InjectedScript.cpp:
1036         (Inspector::InjectedScript::getInternalProperties):
1037         (Inspector::InjectedScript::getCollectionEntries):
1038         Pass through to the InjectedScript and call getCollectionEntries.
1039
1040         * inspector/scripts/codegen/generator.py:
1041         Add another type with runtime casting.
1042
1043         * inspector/InjectedScriptSource.js:
1044         - Implement getCollectionEntries to get a range of values from a
1045         collection. The non-Weak collections have an order to their keys (in
1046         order of added) so range'd gets are okay. WeakMap does not have an
1047         order, so only allow fetching a number of values.
1048         - Update preview generation to address the Runtime.ObjectPreview
1049         type changes.
1050
1051 2015-01-28  Geoffrey Garen  <ggaren@apple.com>
1052
1053         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
1054         https://bugs.webkit.org/show_bug.cgi?id=140900
1055
1056         Reviewed by Mark Hahnenberg.
1057
1058         Re-landing just the GCArraySegment piece of this patch.
1059
1060         * heap/CodeBlockSet.cpp:
1061         (JSC::CodeBlockSet::CodeBlockSet):
1062         * heap/CodeBlockSet.h:
1063         * heap/GCSegmentedArray.h:
1064         (JSC::GCArraySegment::GCArraySegment):
1065         * heap/GCSegmentedArrayInlines.h:
1066         (JSC::GCSegmentedArray<T>::GCSegmentedArray):
1067         (JSC::GCSegmentedArray<T>::~GCSegmentedArray):
1068         (JSC::GCSegmentedArray<T>::clear):
1069         (JSC::GCSegmentedArray<T>::expand):
1070         (JSC::GCSegmentedArray<T>::refill):
1071         (JSC::GCArraySegment<T>::create):
1072         (JSC::GCArraySegment<T>::destroy):
1073         * heap/GCThreadSharedData.cpp:
1074         (JSC::GCThreadSharedData::GCThreadSharedData):
1075         * heap/Heap.cpp:
1076         (JSC::Heap::Heap):
1077         * heap/MarkStack.cpp:
1078         (JSC::MarkStackArray::MarkStackArray):
1079         * heap/MarkStack.h:
1080         * heap/SlotVisitor.cpp:
1081         (JSC::SlotVisitor::SlotVisitor):
1082
1083 2015-01-29  Csaba Osztrogonác  <ossy@webkit.org>
1084
1085         Move HAVE_DTRACE definition back to Platform.h
1086         https://bugs.webkit.org/show_bug.cgi?id=141033
1087
1088         Reviewed by Dan Bernstein.
1089
1090         * Configurations/Base.xcconfig:
1091         * JavaScriptCore.xcodeproj/project.pbxproj:
1092
1093 2015-01-28  Geoffrey Garen  <ggaren@apple.com>
1094
1095         Removed fastMallocForbid / fastMallocAllow
1096         https://bugs.webkit.org/show_bug.cgi?id=141012
1097
1098         Reviewed by Mark Hahnenberg.
1099
1100         Copy non-current thread stacks before scanning them instead of scanning
1101         them in-place.
1102
1103         This operation is uncommon (i.e., never in the web content process),
1104         and even in a stress test with 4 threads it only copies about 27kB,
1105         so I think the performance cost is OK.
1106
1107         Scanning in-place requires a complex dance where we constrain our GC
1108         data structures not to use malloc, free, or any other interesting functions
1109         that might acquire locks. We've gotten this wrong many times in the past,
1110         and I just got it wrong again yesterday. Since this code path is rarely
1111         tested, I want it to just make sense, and not depend on or constrain the
1112         details of the rest of the GC heap's design.
1113
1114         * heap/MachineStackMarker.cpp:
1115         (JSC::otherThreadStack): Factored out a helper function for dealing with
1116         unaligned and/or backwards pointers.
1117
1118         (JSC::MachineThreads::tryCopyOtherThreadStack): This is now the only
1119         constrained function, and it only calls memcpy and low-level thread APIs.
1120
1121         (JSC::MachineThreads::tryCopyOtherThreadStacks): The design here is that
1122         you do one pass over all the threads to compute their combined size,
1123         and then a second pass to do all the copying. In theory, the threads may
1124         grow in between passes, in which case you'll continue until the threads
1125         stop growing. In practice, you never continue.
1126
1127         (JSC::growBuffer): Helper function for growing.
1128
1129         (JSC::MachineThreads::gatherConservativeRoots):
1130         (JSC::MachineThreads::gatherFromOtherThread): Deleted.
1131         * heap/MachineStackMarker.h: Updated for interface changes.
1132
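Added example, not JavaScriptCore code: a model of the two-pass scheme the entry above describes for tryCopyOtherThreadStacks, where one pass sums the stack sizes, a second pass copies with nothing but memcpy, and the whole thing repeats only if a stack grew in between. ThreadStack, StackSnapshot, the function names and the growth hook are assumptions for this illustration.

```cpp
// Added example (not JavaScriptCore code): two-pass "size, then copy" snapshot of
// other threads' stacks, as described in the r141012 ChangeLog entry. Names are
// assumptions for this illustration.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Stand-in for another thread's stack: a byte range that may grow between passes.
struct ThreadStack {
    std::vector<uint8_t> bytes;
};

// One flat buffer holding every other thread's stack, scanned afterwards.
struct StackSnapshot {
    std::vector<uint8_t> buffer;
    size_t passes = 0; // size-then-copy rounds that were needed
};

// Pass 1: combined size of all stacks right now.
size_t totalStackSize(const std::vector<ThreadStack>& threads) {
    size_t total = 0;
    for (const auto& t : threads)
        total += t.bytes.size();
    return total;
}

// Pass 2: copy every stack into buffer. Returns false if some stack no longer
// fits, i.e. a thread grew after the sizing pass. This is the only constrained
// step: it calls memcpy and nothing that could allocate or take a lock.
bool tryCopyOtherThreadStacks(const std::vector<ThreadStack>& threads,
                              uint8_t* buffer, size_t capacity, size_t& used) {
    used = 0;
    for (const auto& t : threads) {
        if (t.bytes.empty())
            continue;
        if (t.bytes.size() > capacity - used)
            return false; // grew between passes; caller resizes and retries
        memcpy(buffer + used, t.bytes.data(), t.bytes.size());
        used += t.bytes.size();
    }
    return true;
}

// Repeats sizing and copying until the copy succeeds. betweenPasses is a
// constructed hook so a test can simulate a thread growing between passes.
StackSnapshot snapshotOtherThreadStacks(std::vector<ThreadStack>& threads,
                                        void (*betweenPasses)(std::vector<ThreadStack>&) = nullptr) {
    StackSnapshot snap;
    size_t used = 0;
    for (;;) {
        snap.passes++;
        size_t capacity = totalStackSize(threads); // pass 1
        snap.buffer.resize(capacity);              // growBuffer: allocation happens here, not in the copy
        if (betweenPasses)
            betweenPasses(threads);                // constructed: simulate growth
        if (tryCopyOtherThreadStacks(threads, snap.buffer.data(), capacity, used)) // pass 2
            break;
    }
    snap.buffer.resize(used);
    return snap;
}

// Constructed growth hook: the first thread's stack grows to 8 bytes once.
void growFirstStackTo8(std::vector<ThreadStack>& threads) {
    if (!threads.empty() && threads[0].bytes.size() < 8)
        threads[0].bytes.resize(8, 0xAA);
}
```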
1133 2015-01-28  Brian J. Burg  <burg@cs.washington.edu>
1134
1135         Web Inspector: remove CSS.setPropertyText, CSS.toggleProperty and related dead code
1136         https://bugs.webkit.org/show_bug.cgi?id=140961
1137
1138         Reviewed by Timothy Hatcher.
1139
1140         * inspector/protocol/CSS.json: Remove unused protocol methods.
1141
1142 2015-01-28  Dana Burkart  <dburkart@apple.com>
1143
1144         Move ASan flag settings from DebugRelease.xcconfig to Base.xcconfig
1145         https://bugs.webkit.org/show_bug.cgi?id=136765
1146
1147         Reviewed by Alexey Proskuryakov.
1148
1149         * Configurations/Base.xcconfig:
1150         * Configurations/DebugRelease.xcconfig:
1151
1152 2015-01-27  Filip Pizlo  <fpizlo@apple.com>
1153
1154         ExitSiteData saying m_takesSlowPath shouldn't mean early returning takesSlowPath() since for the non-LLInt case we later set m_couldTakeSlowPath, which is more precise
1155         https://bugs.webkit.org/show_bug.cgi?id=140980
1156
1157         Reviewed by Oliver Hunt.
1158
1159         * bytecode/CallLinkStatus.cpp:
1160         (JSC::CallLinkStatus::computeFor):
1161
1162 2015-01-27  Filip Pizlo  <fpizlo@apple.com>
1163
1164         Move DFGBinarySwitch out of the DFG so that all of the JITs can use it
1165         https://bugs.webkit.org/show_bug.cgi?id=140959
1166
1167         Rubber stamped by Geoffrey Garen.
1168         
1169         I want to use this for polymorphic stubs for https://bugs.webkit.org/show_bug.cgi?id=140660.
1170         This code no longer has DFG dependencies so this is a very clean move.
1171
1172         * CMakeLists.txt:
1173         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1174         * JavaScriptCore.xcodeproj/project.pbxproj:
1175         * dfg/DFGBinarySwitch.cpp: Removed.
1176         * dfg/DFGBinarySwitch.h: Removed.
1177         * dfg/DFGSpeculativeJIT.cpp:
1178         * jit/BinarySwitch.cpp: Copied from Source/JavaScriptCore/dfg/DFGBinarySwitch.cpp.
1179         * jit/BinarySwitch.h: Copied from Source/JavaScriptCore/dfg/DFGBinarySwitch.h.
1180
1181 2015-01-27  Commit Queue  <commit-queue@webkit.org>
1182
1183         Unreviewed, rolling out r179192.
1184         https://bugs.webkit.org/show_bug.cgi?id=140953
1185
1186         Caused numerous layout test failures (Requested by mattbaker_
1187         on #webkit).
1188
1189         Reverted changeset:
1190
1191         "Use FastMalloc (bmalloc) instead of BlockAllocator for GC
1192         pages"
1193         https://bugs.webkit.org/show_bug.cgi?id=140900
1194         http://trac.webkit.org/changeset/179192
1195
1196 2015-01-27  Michael Saboff  <msaboff@apple.com>
1197
1198         REGRESSION(r178591): 20% regression in Octane box2d
1199         https://bugs.webkit.org/show_bug.cgi?id=140948
1200
1201         Reviewed by Geoffrey Garen.
1202
1203         Added check that we have a lexical environment to the arguments is captured check.
1204         It doesn't make sense to resolve "arguments" when it really isn't captured.
1205
1206         * bytecompiler/BytecodeGenerator.cpp:
1207         (JSC::BytecodeGenerator::willResolveToArgumentsRegister):
1208
1209 2015-01-26  Geoffrey Garen  <ggaren@apple.com>
1210
1211         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
1212         https://bugs.webkit.org/show_bug.cgi?id=140900
1213
1214         Reviewed by Mark Hahnenberg.
1215
1216         Removes some more custom allocation code.
1217
1218         Looks like a speedup. (See results attached to bugzilla.)
1219
1220         Will hopefully reduce memory use by improving sharing between the GC and
1221         malloc heaps.
1222
1223         * API/JSBase.cpp:
1224         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1225         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1226         * JavaScriptCore.xcodeproj/project.pbxproj: Feed the compiler.
1227
1228         * heap/BlockAllocator.cpp: Removed.
1229         * heap/BlockAllocator.h: Removed. No need for a custom allocator anymore.
1230
1231         * heap/CodeBlockSet.cpp:
1232         (JSC::CodeBlockSet::CodeBlockSet):
1233         * heap/CodeBlockSet.h: Feed the compiler.
1234
1235         * heap/CopiedBlock.h:
1236         (JSC::CopiedBlock::createNoZeroFill):
1237         (JSC::CopiedBlock::create):
1238         (JSC::CopiedBlock::CopiedBlock):
1239         (JSC::CopiedBlock::isOversize):
1240         (JSC::CopiedBlock::payloadEnd):
1241         (JSC::CopiedBlock::capacity):
1242         * heap/CopiedBlockInlines.h:
1243         (JSC::CopiedBlock::reportLiveBytes): Each copied block now tracks its
1244         own size, since we can't rely on Region to tell us our size anymore.
1245
1246         * heap/CopiedSpace.cpp:
1247         (JSC::CopiedSpace::~CopiedSpace):
1248         (JSC::CopiedSpace::tryAllocateOversize):
1249         (JSC::CopiedSpace::tryReallocateOversize):
1250         * heap/CopiedSpaceInlines.h:
1251         (JSC::CopiedSpace::recycleEvacuatedBlock):
1252         (JSC::CopiedSpace::recycleBorrowedBlock):
1253         (JSC::CopiedSpace::allocateBlockForCopyingPhase):
1254         (JSC::CopiedSpace::allocateBlock):
1255         (JSC::CopiedSpace::startedCopying): Deallocate blocks directly, rather
1256         than pushing them onto the block allocator's free list; the block
1257         allocator doesn't exist anymore.
1258
1259         * heap/CopyWorkList.h:
1260         (JSC::CopyWorkListSegment::create):
1261         (JSC::CopyWorkListSegment::CopyWorkListSegment):
1262         (JSC::CopyWorkList::~CopyWorkList):
1263         (JSC::CopyWorkList::append):
1264         (JSC::CopyWorkList::CopyWorkList): Deleted.
1265         * heap/GCSegmentedArray.h:
1266         (JSC::GCArraySegment::GCArraySegment):
1267         * heap/GCSegmentedArrayInlines.h:
1268         (JSC::GCSegmentedArray<T>::GCSegmentedArray):
1269         (JSC::GCSegmentedArray<T>::~GCSegmentedArray):
1270         (JSC::GCSegmentedArray<T>::clear):
1271         (JSC::GCSegmentedArray<T>::expand):
1272         (JSC::GCSegmentedArray<T>::refill):
1273         (JSC::GCArraySegment<T>::create):
1274         * heap/GCThreadSharedData.cpp:
1275         (JSC::GCThreadSharedData::GCThreadSharedData):
1276         * heap/GCThreadSharedData.h: Feed the compiler.
1277
1278         * heap/HandleBlock.h:
1279         * heap/HandleBlockInlines.h:
1280         (JSC::HandleBlock::create):
1281         (JSC::HandleBlock::HandleBlock):
1282         (JSC::HandleBlock::payloadEnd):
1283         * heap/HandleSet.cpp:
1284         (JSC::HandleSet::~HandleSet):
1285         (JSC::HandleSet::grow): Same as above.
1286
1287         * heap/Heap.cpp:
1288         (JSC::Heap::Heap):
1289         * heap/Heap.h: Removed the block allocator since it is unused now.
1290
1291         * heap/HeapBlock.h:
1292         (JSC::HeapBlock::destroy):
1293         (JSC::HeapBlock::HeapBlock):
1294         (JSC::HeapBlock::region): Deleted. Removed the Region pointer from each
1295         HeapBlock since a HeapBlock is just a normal allocation now.
1296
1297         * heap/HeapInlines.h:
1298         (JSC::Heap::blockAllocator): Deleted.
1299
1300         * heap/HeapTimer.cpp:
1301         * heap/MarkStack.cpp:
1302         (JSC::MarkStackArray::MarkStackArray):
1303         * heap/MarkStack.h: Feed the compiler.
1304
1305         * heap/MarkedAllocator.cpp:
1306         (JSC::MarkedAllocator::allocateBlock): No need to use a custom code path
1307         based on size, since we use a general purpose allocator now.
1308
1309         * heap/MarkedBlock.cpp:
1310         (JSC::MarkedBlock::create):
1311         (JSC::MarkedBlock::destroy):
1312         (JSC::MarkedBlock::MarkedBlock):
1313         * heap/MarkedBlock.h:
1314         (JSC::MarkedBlock::capacity): Track block size explicitly, like CopiedBlock.
1315
1316         * heap/MarkedSpace.cpp:
1317         (JSC::MarkedSpace::freeBlock):
1318         * heap/MarkedSpace.h:
1319
1320         * heap/Region.h: Removed.
1321
1322         * heap/SlotVisitor.cpp:
1323         (JSC::SlotVisitor::SlotVisitor): Removed reference to block allocator.
1324
1325         * heap/SuperRegion.cpp: Removed.
1326         * heap/SuperRegion.h: Removed.
1327
1328         * heap/WeakBlock.cpp:
1329         (JSC::WeakBlock::create):
1330         (JSC::WeakBlock::WeakBlock):
1331         * heap/WeakBlock.h:
1332         * heap/WeakSet.cpp:
1333         (JSC::WeakSet::~WeakSet):
1334         (JSC::WeakSet::addAllocator):
1335         (JSC::WeakSet::removeAllocator): Removed reference to block allocator.
1336
1337 2015-01-27  Csaba Osztrogonác  <ossy@webkit.org>
1338
1339         [ARM] Typo fix after r176083
1340         https://bugs.webkit.org/show_bug.cgi?id=140937
1341
1342         Reviewed by Anders Carlsson.
1343
1344         * assembler/ARMv7Assembler.h:
1345         (JSC::ARMv7Assembler::ldrh):
1346
1347 2015-01-27  Csaba Osztrogonác  <ossy@webkit.org>
1348
1349         [Win] Unreviewed gardening, skip failing tests.
1350
1351         * tests/exceptionFuzz.yaml: Skip exception fuzz tests due to bug140928.
1352         * tests/mozilla/mozilla-tests.yaml: Skip ecma/Date/15.9.5.28-1.js due to bug140927.
1353
1354 2015-01-26  Csaba Osztrogonác  <ossy@webkit.org>
1355
1356         [Win] Enable JSC stress tests by default
1357         https://bugs.webkit.org/show_bug.cgi?id=128307
1358
1359         Unreviewed typo fix after r179165.
1360
1361         * tests/mozilla/mozilla-tests.yaml:
1362
1363 2015-01-26  Csaba Osztrogonác  <ossy@webkit.org>
1364
1365         [Win] Enable JSC stress tests by default
1366         https://bugs.webkit.org/show_bug.cgi?id=128307
1367
1368         Reviewed by Brent Fulgham.
1369
1370         * tests/mozilla/mozilla-tests.yaml: Skipped on Windows.
1371         * tests/stress/ftl-arithcos.js: Skipped on Windows.
1372
1373 2015-01-26  Ryosuke Niwa  <rniwa@webkit.org>
1374
1375         Parse a function expression as a primary expression
1376         https://bugs.webkit.org/show_bug.cgi?id=140908
1377
1378         Reviewed by Mark Lam.
1379
1380         Moved the code to generate an AST node for a function expression from parseMemberExpression
1381         to parsePrimaryExpression to match the ES6 specification terminology:
1382         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-primary-expression
1383
1384         There should be no behavior change from this change since parsePrimaryExpression is only
1385         called in parseMemberExpression, other than the fact that failIfStackOverflow() is called.
1386
1387         * parser/Parser.cpp:
1388         (JSC::Parser<LexerType>::parsePrimaryExpression):
1389         (JSC::Parser<LexerType>::parseMemberExpression):
1390
1391 2015-01-26  Myles C. Maxfield  <mmaxfield@apple.com>
1392
1393         [iOS] [SVG -> OTF Converter] Flip the switch off on iOS
1394         https://bugs.webkit.org/show_bug.cgi?id=140860
1395
1396         Reviewed by Darin Adler.
1397
1398         The fonts it makes are grotesque. (See what I did there? Typographic
1399         humor is the best humor.)
1400
1401         * Configurations/FeatureDefines.xcconfig:
1402
1403 2015-01-23  Joseph Pecoraro  <pecoraro@apple.com>
1404
1405         Web Inspector: Rename InjectedScriptHost::type to subtype
1406         https://bugs.webkit.org/show_bug.cgi?id=140841
1407
1408         Reviewed by Timothy Hatcher.
1409
1410         We were using this to set the subtype of an "object" type RemoteObject
1411         so we should clean up the name and call it subtype.
1412
1413         * inspector/InjectedScriptHost.h:
1414         * inspector/InjectedScriptSource.js:
1415         * inspector/JSInjectedScriptHost.cpp:
1416         (Inspector::JSInjectedScriptHost::subtype):
1417         (Inspector::JSInjectedScriptHost::type): Deleted.
1418         * inspector/JSInjectedScriptHost.h:
1419         * inspector/JSInjectedScriptHostPrototype.cpp:
1420         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
1421         (Inspector::jsInjectedScriptHostPrototypeFunctionSubtype):
1422         (Inspector::jsInjectedScriptHostPrototypeFunctionType): Deleted.
1423
1424 2015-01-23  Michael Saboff  <msaboff@apple.com>
1425
1426         LayoutTests/js/script-tests/reentrant-caching.js crashing on 32 bit builds
1427         https://bugs.webkit.org/show_bug.cgi?id=140843
1428
1429         Reviewed by Oliver Hunt.
1430
1431         When we are in vmEntryToJavaScript, we keep the stack pointer at an
1432         alignment suitable for pointing to a call frame header, which is the
1433         alignment post making a call.  We adjust the sp when calling to JS code,
1434         but don't adjust it before calling the out of stack handler.
1435
1436         * llint/LowLevelInterpreter32_64.asm:
1437         Moved stack pointer down 8 bytes to get it aligned.
1438
1439 2015-01-23  Joseph Pecoraro  <pecoraro@apple.com>
1440
1441         Web Inspector: Object Previews in the Console
1442         https://bugs.webkit.org/show_bug.cgi?id=129204
1443
1444         Reviewed by Timothy Hatcher.
1445
1446         Update the very old, unused object preview code. Part of this comes from
1447         the earlier WebKit legacy implementation, and the Blink implementation.
1448
1449         A RemoteObject may include a preview, if it is asked for, and if the
1450         RemoteObject is an object. Previews are a shallow (single level) list
1451         of a limited number of properties on the object. The previewed
1452         properties are always stringified (even if primitives). Previews are
1453         limited to just 5 properties or 100 indices. Previews are marked
1454         as lossless if they are a complete snapshot of the object.
1455
1456         There is a path to make previews two levels deep, that is currently
1457         unused but should soon be used for tables (e.g. IndexedDB).
1458
1459         * inspector/InjectedScriptSource.js:
1460         - Move some code off of InjectedScript to be generic functions
1461         usable by RemoteObject as well.
1462         - Update preview generation to use 
1463
1464         * inspector/protocol/Runtime.json:
1465         - Add a new type, "accessor" for preview objects. This represents
1466         a getter / setter. We currently don't get the value.
1467
1468 2015-01-23  Michael Saboff  <msaboff@apple.com>
1469
1470         Immediate crash when setting JS breakpoint
1471         https://bugs.webkit.org/show_bug.cgi?id=140811
1472
1473         Reviewed by Mark Lam.
1474
1475         When the DFG stack layout phase doesn't allocate a register for the scope register,
1476         it incorrectly sets the scope register in the code block to a bad value, one with
1477         an offset of 0.  Changed it so that we set the code block's scope register to the 
1478         invalid VirtualRegister instead.
1479
1480         No tests needed as adding the ASSERT in setScopeRegister() was used to find the bug.
1481         We crash with that ASSERT in testapi and likely many other tests as well.
1482
1483         * bytecode/CodeBlock.cpp:
1484         (JSC::CodeBlock::CodeBlock):
1485         * bytecode/CodeBlock.h:
1486         (JSC::CodeBlock::setScopeRegister):
1487         (JSC::CodeBlock::scopeRegister):
1488         Added ASSERTs to catch any future improper setting of the code block's scope register.
1489
1490         * dfg/DFGStackLayoutPhase.cpp:
1491         (JSC::DFG::StackLayoutPhase::run):
1492
1493 2015-01-22  Mark Hahnenberg  <mhahnenb@gmail.com>
1494
1495         EdenCollections unnecessarily visit SmallStrings
1496         https://bugs.webkit.org/show_bug.cgi?id=140762
1497
1498         Reviewed by Geoffrey Garen.
1499
1500         * heap/Heap.cpp:
1501         (JSC::Heap::copyBackingStores): Also added a GCPhase for copying
1502         backing stores, which is a significant portion of garbage collection.
1503         (JSC::Heap::visitSmallStrings): Check to see if we need to visit
1504         SmallStrings based on the collection type.
1505         * runtime/SmallStrings.cpp:
1506         (JSC::SmallStrings::SmallStrings):
1507         (JSC::SmallStrings::visitStrongReferences): Set the fact that we have
1508         visited the SmallStrings since the last modification.
1509         * runtime/SmallStrings.h:
1510         (JSC::SmallStrings::needsToBeVisited): If we're doing a
1511         FullCollection, we need to visit. Otherwise, it depends on whether
1512         we've been visited since the last modification/allocation.
1513
1514 2015-01-22  Ryosuke Niwa  <rniwa@webkit.org>
1515
1516         Add a build flag for ES6 class syntax
1517         https://bugs.webkit.org/show_bug.cgi?id=140760
1518
1519         Reviewed by Michael Saboff.
1520
1521         Added ES6_CLASS_SYNTAX build flag and used it in tokenizer to recognize
1522         "class", "extends", "static" and "super" keywords.
1523
1524         * Configurations/FeatureDefines.xcconfig:
1525         * parser/Keywords.table:
1526         * parser/ParserTokens.h:
1527
1528 2015-01-22  Commit Queue  <commit-queue@webkit.org>
1529
1530         Unreviewed, rolling out r178894.
1531         https://bugs.webkit.org/show_bug.cgi?id=140775
1532
1533         Broke JSC and bindings tests (Requested by ap_ on #webkit).
1534
1535         Reverted changeset:
1536
1537         "put_by_val_direct need to check the property is index or not
1538         for using putDirect / putDirectIndex"
1539         https://bugs.webkit.org/show_bug.cgi?id=140426
1540         http://trac.webkit.org/changeset/178894
1541
1542 2015-01-22  Mark Lam  <mark.lam@apple.com>
1543
1544         BytecodeGenerator::initializeCapturedVariable() sets a misleading value for the 5th operand of op_put_to_scope.
1545         <https://webkit.org/b/140743>
1546
1547         Reviewed by Oliver Hunt.
1548
1549         BytecodeGenerator::initializeCapturedVariable() was setting the 5th operand to
1550         op_put_to_scope to an inappropriate value (i.e. 0).  As a result, the execution
1551         of put_to_scope could store a wrong inferred value into the VariableWatchpointSet
1552         for which ever captured variable is at local index 0.  In practice, this turns
1553         out to be the local for the Arguments object.  In this reproduction case in the
1554         bug, the wrong inferred value written there is the boolean true.
1555
1556         Subsequently, DFG compilation occurs and CreateArguments is emitted to first do
1557         a check of the local for the Arguments object.  But because that local has a
1558         wrong inferred value, the check always discovers a non-null value and we never
1559         actually create the Arguments object.  Immediately after this, an OSR exit
1560         occurs leaving the Arguments object local uninitialized.  Later on at arguments
1561         tear off, we run into a boolean true where we had expected to find an Arguments
1562         object, which in turn, leads to the crash.
1563
1564         The fix is to:
1565         1. In the case where the resolveModeType is LocalClosureVar, change the
1566            5th operand of op_put_to_scope to be a boolean.  True means that the
1567            local var is watchable.  False means it is not watchable.  We no longer
1568            pass the local index (instead of true) and UINT_MAX (instead of false).
1569
1570            This allows us to express more clearly in the code what that value means,
1571            as well as remove the redundant way of getting the local's identifier.
1572            The identifier is always the one passed in the 2nd operand. 
1573
1574         2. Previously, though intuitively, we know that the watchable variable
1575            identifier should be the same as the one that is passed in operand 2, this
1576            relationship was not clear in the code.  By code analysis, I confirmed that 
1577            the callers of BytecodeGenerator::emitPutToScope() always use the same
1578            identifier for operand 2 and for filling out the ResolveScopeInfo from
1579            which we get the watchable variable identifier later.  I've changed the
1580            code to make this clear now by always using the identifier passed in
1581            operand 2.
1582
1583         3. In the case where the resolveModeType is LocalClosureVar,
1584            initializeCapturedVariable() and emitPutToScope() will now query
1585            hasWatchableVariable() to determine if the local is watchable or not.
1586            Accordingly, we pass the boolean result of hasWatchableVariable() as
1587            operand 5 of op_put_to_scope.
1588
1589         Also added some assertions.
1590
1591         * bytecode/CodeBlock.cpp:
1592         (JSC::CodeBlock::CodeBlock):
1593         * bytecompiler/BytecodeGenerator.cpp:
1594         (JSC::BytecodeGenerator::initializeCapturedVariable):
1595         (JSC::BytecodeGenerator::hasConstant):
1596         (JSC::BytecodeGenerator::emitPutToScope):
1597         * bytecompiler/BytecodeGenerator.h:
1598         (JSC::BytecodeGenerator::hasWatchableVariable):
1599         (JSC::BytecodeGenerator::watchableVariableIdentifier):
1600         (JSC::BytecodeGenerator::watchableVariable): Deleted.
1601
1602 2015-01-22  Ryosuke Niwa  <rniwa@webkit.org>
1603
1604         PropertyListNode::emitNode duplicates the code to put a constant property
1605         https://bugs.webkit.org/show_bug.cgi?id=140761
1606
1607         Reviewed by Geoffrey Garen.
1608
1609         Extracted PropertyListNode::emitPutConstantProperty to share the code.
1610
1611         Also made PropertyListNode::emitBytecode private since nobody is calling this function directly.
1612
1613         * bytecompiler/NodesCodegen.cpp:
1614         (JSC::PropertyListNode::emitBytecode):
1615         (JSC::PropertyListNode::emitPutConstantProperty): Added.
1616         * parser/Nodes.h:
1617
1618 2015-01-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1619
1620         put_by_val_direct need to check the property is index or not for using putDirect / putDirectIndex
1621         https://bugs.webkit.org/show_bug.cgi?id=140426
1622
1623         Reviewed by Geoffrey Garen.
1624
1625         In the put_by_val_direct operation, we use JSObject::putDirect.
1626         However, it only accepts non-index properties. For index properties, we need to use JSObject::putDirectIndex.
1627         This patch changes Identifier::asIndex() to return Optional<uint32_t>.
1628         It forces callers to check explicitly whether the value is an index or not.
1629         Additionally, it checks whether the toString-ed Identifier is an index or not to choose putDirect / putDirectIndex.
1630
1631         * bytecode/GetByIdStatus.cpp:
1632         (JSC::GetByIdStatus::computeFor):
1633         * bytecode/PutByIdStatus.cpp:
1634         (JSC::PutByIdStatus::computeFor):
1635         * bytecompiler/BytecodeGenerator.cpp:
1636         (JSC::BytecodeGenerator::emitDirectPutById):
1637         * dfg/DFGOperations.cpp:
1638         (JSC::DFG::operationPutByValInternal):
1639         * jit/JITOperations.cpp:
1640         * jit/Repatch.cpp:
1641         (JSC::emitPutTransitionStubAndGetOldStructure):
1642         * jsc.cpp:
1643         * llint/LLIntSlowPaths.cpp:
1644         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1645         * runtime/Arguments.cpp:
1646         (JSC::Arguments::getOwnPropertySlot):
1647         (JSC::Arguments::put):
1648         (JSC::Arguments::deleteProperty):
1649         (JSC::Arguments::defineOwnProperty):
1650         * runtime/ArrayPrototype.cpp:
1651         (JSC::arrayProtoFuncSort):
1652         * runtime/JSArray.cpp:
1653         (JSC::JSArray::defineOwnProperty):
1654         * runtime/JSCJSValue.cpp:
1655         (JSC::JSValue::putToPrimitive):
1656         * runtime/JSGenericTypedArrayViewInlines.h:
1657         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
1658         (JSC::JSGenericTypedArrayView<Adaptor>::put):
1659         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
1660         (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
1661         * runtime/JSObject.cpp:
1662         (JSC::JSObject::put):
1663         (JSC::JSObject::putDirectAccessor):
1664         (JSC::JSObject::putDirectCustomAccessor):
1665         (JSC::JSObject::deleteProperty):
1666         (JSC::JSObject::putDirectMayBeIndex):
1667         (JSC::JSObject::defineOwnProperty):
1668         * runtime/JSObject.h:
1669         (JSC::JSObject::getOwnPropertySlot):
1670         (JSC::JSObject::getPropertySlot):
1671         (JSC::JSObject::putDirectInternal):
1672         * runtime/JSString.cpp:
1673         (JSC::JSString::getStringPropertyDescriptor):
1674         * runtime/JSString.h:
1675         (JSC::JSString::getStringPropertySlot):
1676         * runtime/LiteralParser.cpp:
1677         (JSC::LiteralParser<CharType>::parse):
1678         * runtime/PropertyName.h:
1679         (JSC::toUInt32FromCharacters):
1680         (JSC::toUInt32FromStringImpl):
1681         (JSC::PropertyName::asIndex):
1682         * runtime/PropertyNameArray.cpp:
1683         (JSC::PropertyNameArray::add):
1684         * runtime/StringObject.cpp:
1685         (JSC::StringObject::deleteProperty):
1686         * runtime/Structure.cpp:
1687         (JSC::Structure::prototypeChainMayInterceptStoreTo):
1688
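        As an added example (not JavaScriptCore's own code) of the index-vs-named split this entry and its earlier landing of 2015-01-20 below describe: an asIndex that returns std::optional<uint32_t> (JSC uses its own Optional) so callers must handle the not-an-index case, plus a toy object whose putDirectMayBeIndex dispatches on that result. kMaxArrayIndex, ToyObject and its two storage tables are assumptions for illustration.

```cpp
#include <cstdint>
#include <map>
#include <optional>
#include <string>
#include <string_view>

// Largest valid array index, 2^32 - 2. 2^32 - 1 is never an index, which is
// why a UINT_MAX sentinel used to mean "not an index"; std::optional makes
// that explicit so callers cannot forget the check. (Constant assumed for
// illustration; JSC keeps its own definition.)
constexpr uint32_t kMaxArrayIndex = 0xFFFFFFFEu;

// Classify a property key: the canonical decimal spelling of an integer in
// [0, kMaxArrayIndex] is an array index, anything else is a named property.
// Rejects leading zeros ("01"), signs, non-digits and values that overflow.
std::optional<uint32_t> asIndex(std::string_view key)
{
    if (key.empty() || key.size() > 10) // 10 digits covers every uint32
        return std::nullopt;
    if (key[0] == '0')
        return key.size() == 1 ? std::optional<uint32_t>(0) : std::nullopt;
    uint64_t value = 0; // cannot overflow for at most 10 digits
    for (char c : key) {
        if (c < '0' || c > '9')
            return std::nullopt;
        value = value * 10 + static_cast<uint64_t>(c - '0');
    }
    if (value > kMaxArrayIndex)
        return std::nullopt;
    return static_cast<uint32_t>(value);
}

// Toy object (assumed, not JSC's JSObject) with separate named and indexed
// storage, the split that makes choosing the wrong put harmful: a key stored
// in the wrong table is invisible to lookups that go to the other one.
struct ToyObject {
    std::map<std::string, int> named;
    std::map<uint32_t, int> indexed;

    void putDirect(const std::string& name, int v) { named[name] = v; }
    void putDirectIndex(uint32_t i, int v) { indexed[i] = v; }

    // The pre-fix behaviour the entry describes: every key went to putDirect.
    void putDirectBuggy(const std::string& key, int v) { putDirect(key, v); }

    // The fixed behaviour: dispatch on whether the key is an index.
    void putDirectMayBeIndex(const std::string& key, int v)
    {
        if (auto index = asIndex(key))
            putDirectIndex(*index, v);
        else
            putDirect(key, v);
    }

    // Lookup by numeric index only consults indexed storage, as an
    // integer-keyed access (obj[3]) would.
    std::optional<int> getIndex(uint32_t i) const
    {
        auto it = indexed.find(i);
        return it == indexed.end() ? std::nullopt : std::optional<int>(it->second);
    }
};
```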
1689 2015-01-21  Ryosuke Niwa  <rniwa@webkit.org>
1690
1691         Consolidate out arguments of parseFunctionInfo into a struct
1692         https://bugs.webkit.org/show_bug.cgi?id=140754
1693
1694         Reviewed by Oliver Hunt.
1695
1696         Introduced ParserFunctionInfo for storing out arguments of parseFunctionInfo.
1697
1698         * JavaScriptCore.xcodeproj/project.pbxproj:
1699         * parser/ASTBuilder.h:
1700         (JSC::ASTBuilder::createFunctionExpr):
1701         (JSC::ASTBuilder::createGetterOrSetterProperty): This one takes a property name in addition to
1702         ParserFunctionInfo since the property name and the function name could differ.
1703         (JSC::ASTBuilder::createFuncDeclStatement):
1704         * parser/Parser.cpp:
1705         (JSC::Parser<LexerType>::parseFunctionInfo):
1706         (JSC::Parser<LexerType>::parseFunctionDeclaration):
1707         (JSC::Parser<LexerType>::parseProperty):
1708         (JSC::Parser<LexerType>::parseMemberExpression):
1709         * parser/Parser.h:
1710         * parser/ParserFunctionInfo.h: Added.
1711         * parser/SyntaxChecker.h:
1712         (JSC::SyntaxChecker::createFunctionExpr):
1713         (JSC::SyntaxChecker::createFuncDeclStatement):
1714         (JSC::SyntaxChecker::createClassDeclStatement):
1715         (JSC::SyntaxChecker::createGetterOrSetterProperty):
1716
1717 2015-01-21  Mark Hahnenberg  <mhahnenb@gmail.com>
1718
1719         Change Heap::m_compiledCode to use a Vector
1720         https://bugs.webkit.org/show_bug.cgi?id=140717
1721
1722         Reviewed by Andreas Kling.
1723
1724         Right now it's a DoublyLinkedList, which is iterated during each
1725         collection. This contributes to some of the longish Eden pause times.
1726         A Vector would be more appropriate and would also allow ExecutableBase
1727         to be 2 pointers smaller.
1728
1729         * heap/Heap.cpp:
1730         (JSC::Heap::deleteAllCompiledCode):
1731         (JSC::Heap::deleteAllUnlinkedFunctionCode):
1732         (JSC::Heap::clearUnmarkedExecutables):
1733         * heap/Heap.h:
1734         * runtime/Executable.h: No longer need to inherit from DoublyLinkedListNode.
1735
1736 2015-01-21  Ryosuke Niwa  <rniwa@webkit.org>
1737
1738         BytecodeGenerator shouldn't expose all of its member variables
1739         https://bugs.webkit.org/show_bug.cgi?id=140752
1740
1741         Reviewed by Mark Lam.
1742
1743         Added "private:" and removed unused data members as detected by clang.
1744
1745         * bytecompiler/BytecodeGenerator.cpp:
1746         (JSC::BytecodeGenerator::BytecodeGenerator):
1747         * bytecompiler/BytecodeGenerator.h:
1748         (JSC::BytecodeGenerator::lastOpcodeID): Added. Used in BinaryOpNode::emitBytecode.
1749         * bytecompiler/NodesCodegen.cpp:
1750         (JSC::BinaryOpNode::emitBytecode):
1751
1752 2015-01-21  Joseph Pecoraro  <pecoraro@apple.com>
1753
1754         Web Inspector: ASSERT expanding objects in console PrimitiveBindingTraits<T>::assertValueHasExpectedType
1755         https://bugs.webkit.org/show_bug.cgi?id=140746
1756
1757         Reviewed by Timothy Hatcher.
1758
1759         * inspector/InjectedScriptSource.js:
1760         Do not add impure properties to the descriptor object that will
1761         eventually be sent to the frontend.
1762
1763 2015-01-21  Matthew Mirman  <mmirman@apple.com>
1764
1765         Updated split such that it does not include the empty end of input string match.
1766         https://bugs.webkit.org/show_bug.cgi?id=138129
1767         <rdar://problem/18807403>
1768
1769         Reviewed by Filip Pizlo.
1770
1771         * runtime/StringPrototype.cpp:
1772         (JSC::stringProtoFuncSplit):
1773         * tests/stress/empty_eos_regex_split.js: Added.
1774
1775 2015-01-21  Michael Saboff  <msaboff@apple.com>
1776
1777         Eliminate Scope slot from JavaScript CallFrame
1778         https://bugs.webkit.org/show_bug.cgi?id=136724
1779
1780         Reviewed by Geoffrey Garen.
1781
1782         This finishes the removal of the scope chain slot from the call frame header.
1783
1784         * dfg/DFGOSRExitCompilerCommon.cpp:
1785         (JSC::DFG::reifyInlinedCallFrames):
1786         * dfg/DFGPreciseLocalClobberize.h:
1787         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1788         * dfg/DFGSpeculativeJIT32_64.cpp:
1789         (JSC::DFG::SpeculativeJIT::emitCall):
1790         * dfg/DFGSpeculativeJIT64.cpp:
1791         (JSC::DFG::SpeculativeJIT::emitCall):
1792         * ftl/FTLJSCall.cpp:
1793         (JSC::FTL::JSCall::emit):
1794         * ftl/FTLLowerDFGToLLVM.cpp:
1795         (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
1796         (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
1797         * interpreter/JSStack.h:
1798         * interpreter/VMInspector.cpp:
1799         (JSC::VMInspector::dumpFrame):
1800         * jit/JITCall.cpp:
1801         (JSC::JIT::compileOpCall):
1802         * jit/JITCall32_64.cpp:
1803         (JSC::JIT::compileOpCall):
1804         * jit/JITOpcodes32_64.cpp:
1805         (JSC::JIT::privateCompileCTINativeCall):
1806         * jit/Repatch.cpp:
1807         (JSC::generateByIdStub):
1808         (JSC::linkClosureCall):
1809         * jit/ThunkGenerators.cpp:
1810         (JSC::virtualForThunkGenerator):
1811         (JSC::nativeForGenerator):
1812         Deleted ScopeChain slot from JSStack.  Removed all code where ScopeChain was being
1813         read or set.  In most cases this was where we make JS calls.
1814
1815         * interpreter/CallFrameClosure.h:
1816         (JSC::CallFrameClosure::setArgument):
1817         (JSC::CallFrameClosure::resetCallFrame): Deleted.
1818         * interpreter/Interpreter.cpp:
1819         (JSC::Interpreter::execute):
1820         (JSC::Interpreter::executeCall):
1821         (JSC::Interpreter::executeConstruct):
1822         (JSC::Interpreter::prepareForRepeatCall):
1823         * interpreter/ProtoCallFrame.cpp:
1824         (JSC::ProtoCallFrame::init):
1825         * interpreter/ProtoCallFrame.h:
1826         (JSC::ProtoCallFrame::scope): Deleted.
1827         (JSC::ProtoCallFrame::setScope): Deleted.
1828         * llint/LLIntData.cpp:
1829         (JSC::LLInt::Data::performAssertions):
1830         * llint/LowLevelInterpreter.asm:
1831         * llint/LowLevelInterpreter64.asm:
1832         Removed the related scopeChainValue member from ProtoCallFrame.  Reduced the number of
1833         registers that needed to be copied from the ProtoCallFrame to a callee's frame
1834         from 5 to 4.
1835
1836         * llint/LowLevelInterpreter32_64.asm:
1837         In addition to the prior changes, also deleted the unused macro getDeBruijnScope.
1838
1839 2015-01-21  Michael Saboff  <msaboff@apple.com>
1840
1841         Eliminate construct methods from NullGetterFunction and NullSetterFunction classes
1842         https://bugs.webkit.org/show_bug.cgi?id=140708
1843
1844         Reviewed by Mark Lam.
1845
1846         Eliminated construct methods and changed getConstructData() for both classes to return
1847         ConstructTypeNone as they can never be called.
1848
1849         * runtime/NullGetterFunction.cpp:
1850         (JSC::NullGetterFunction::getConstructData):
1851         (JSC::constructReturnUndefined): Deleted.
1852         * runtime/NullSetterFunction.cpp:
1853         (JSC::NullSetterFunction::getConstructData):
1854         (JSC::constructReturnUndefined): Deleted.
1855
1856 2015-01-21  Csaba Osztrogonác  <ossy@webkit.org>
1857
1858         Remove ENABLE(INSPECTOR) ifdef guards
1859         https://bugs.webkit.org/show_bug.cgi?id=140668
1860
1861         Reviewed by Darin Adler.
1862
1863         * Configurations/FeatureDefines.xcconfig:
1864         * bindings/ScriptValue.cpp:
1865         (Deprecated::ScriptValue::toInspectorValue):
1866         * bindings/ScriptValue.h:
1867         * inspector/ConsoleMessage.cpp:
1868         * inspector/ConsoleMessage.h:
1869         * inspector/ContentSearchUtilities.cpp:
1870         * inspector/ContentSearchUtilities.h:
1871         * inspector/IdentifiersFactory.cpp:
1872         * inspector/IdentifiersFactory.h:
1873         * inspector/InjectedScript.cpp:
1874         * inspector/InjectedScript.h:
1875         * inspector/InjectedScriptBase.cpp:
1876         * inspector/InjectedScriptBase.h:
1877         * inspector/InjectedScriptHost.cpp:
1878         * inspector/InjectedScriptHost.h:
1879         * inspector/InjectedScriptManager.cpp:
1880         * inspector/InjectedScriptManager.h:
1881         * inspector/InjectedScriptModule.cpp:
1882         * inspector/InjectedScriptModule.h:
1883         * inspector/InspectorAgentRegistry.cpp:
1884         * inspector/InspectorBackendDispatcher.cpp:
1885         * inspector/InspectorBackendDispatcher.h:
1886         * inspector/InspectorProtocolTypes.h:
1887         * inspector/JSGlobalObjectConsoleClient.cpp:
1888         * inspector/JSGlobalObjectInspectorController.cpp:
1889         * inspector/JSGlobalObjectInspectorController.h:
1890         * inspector/JSGlobalObjectScriptDebugServer.cpp:
1891         * inspector/JSGlobalObjectScriptDebugServer.h:
1892         * inspector/JSInjectedScriptHost.cpp:
1893         * inspector/JSInjectedScriptHost.h:
1894         * inspector/JSInjectedScriptHostPrototype.cpp:
1895         * inspector/JSInjectedScriptHostPrototype.h:
1896         * inspector/JSJavaScriptCallFrame.cpp:
1897         * inspector/JSJavaScriptCallFrame.h:
1898         * inspector/JSJavaScriptCallFramePrototype.cpp:
1899         * inspector/JSJavaScriptCallFramePrototype.h:
1900         * inspector/JavaScriptCallFrame.cpp:
1901         * inspector/JavaScriptCallFrame.h:
1902         * inspector/ScriptCallFrame.cpp:
1903         (Inspector::ScriptCallFrame::buildInspectorObject):
1904         * inspector/ScriptCallFrame.h:
1905         * inspector/ScriptCallStack.cpp:
1906         (Inspector::ScriptCallStack::buildInspectorArray):
1907         * inspector/ScriptCallStack.h:
1908         * inspector/ScriptDebugServer.cpp:
1909         * inspector/agents/InspectorAgent.cpp:
1910         * inspector/agents/InspectorAgent.h:
1911         * inspector/agents/InspectorConsoleAgent.cpp:
1912         * inspector/agents/InspectorConsoleAgent.h:
1913         * inspector/agents/InspectorDebuggerAgent.cpp:
1914         * inspector/agents/InspectorDebuggerAgent.h:
1915         * inspector/agents/InspectorRuntimeAgent.cpp:
1916         * inspector/agents/InspectorRuntimeAgent.h:
1917         * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
1918         * inspector/agents/JSGlobalObjectConsoleAgent.h:
1919         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
1920         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
1921         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
1922         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
1923         * inspector/scripts/codegen/cpp_generator_templates.py:
1924         (CppGeneratorTemplates):
1925         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1926         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1927         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1928         * inspector/scripts/tests/expected/enum-values.json-result:
1929         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1930         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1931         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1932         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1933         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1934         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1935         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1936         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1937         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1938         * runtime/TypeSet.cpp:
1939         (JSC::TypeSet::inspectorTypeSet):
1940         (JSC::StructureShape::inspectorRepresentation):
1941
1942 2015-01-20  Joseph Pecoraro  <pecoraro@apple.com>
1943
1944         Web Inspector: Clean up InjectedScriptSource.js
1945         https://bugs.webkit.org/show_bug.cgi?id=140709
1946
1947         Reviewed by Timothy Hatcher.
1948
1949         This patch includes some relevant Blink patches and small changes.
1950         
1951         Patch by <aandrey@chromium.org>
1952         DevTools: Remove console last result $_ on console clear.
1953         https://src.chromium.org/viewvc/blink?revision=179179&view=revision
1954
1955         Patch by <eustas@chromium.org>
1956         [Inspect DOM properties] incorrect CSS Selector Syntax
1957         https://src.chromium.org/viewvc/blink?revision=156903&view=revision
1958
1959         * inspector/InjectedScriptSource.js:
1960
1961 2015-01-20  Joseph Pecoraro  <pecoraro@apple.com>
1962
1963         Web Inspector: Cleanup RuntimeAgent a bit
1964         https://bugs.webkit.org/show_bug.cgi?id=140706
1965
1966         Reviewed by Timothy Hatcher.
1967
1968         * inspector/InjectedScript.h:
1969         * inspector/InspectorBackendDispatcher.h:
1970         * inspector/ScriptCallFrame.cpp:
1971         * inspector/agents/InspectorRuntimeAgent.cpp:
1972         (Inspector::InspectorRuntimeAgent::evaluate):
1973         (Inspector::InspectorRuntimeAgent::getProperties):
1974         (Inspector::InspectorRuntimeAgent::run):
1975         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1976         (Inspector::recompileAllJSFunctionsForTypeProfiling):
1977         (Inspector::InspectorRuntimeAgent::setTypeProfilerEnabledState):
1978
1979 2015-01-20  Matthew Mirman  <mmirman@apple.com>
1980
1981         Made Identity in the DFG allocate a new temp register and move 
1982         the old data to it.
1983         https://bugs.webkit.org/show_bug.cgi?id=140700
1984         <rdar://problem/19339106>
1985
1986         Reviewed by Filip Pizlo.
1987
1988         * dfg/DFGSpeculativeJIT64.cpp:
1989         (JSC::DFG::SpeculativeJIT::compile): 
1990         Added scratch registers for Identity. 
1991         * tests/mozilla/mozilla-tests.yaml: enabled previously failing test
1992
1993 2015-01-20  Joseph Pecoraro  <pecoraro@apple.com>
1994
1995         Web Inspector: Expanding event objects in console shows undefined for most values, it should have real values
1996         https://bugs.webkit.org/show_bug.cgi?id=137306
1997
1998         Reviewed by Timothy Hatcher.
1999
2000         Provide another optional parameter to getProperties, to gather a list
2001         of all own and getter properties.
2002
2003         * inspector/InjectedScript.cpp:
2004         (Inspector::InjectedScript::getProperties):
2005         * inspector/InjectedScript.h:
2006         * inspector/InjectedScriptSource.js:
2007         * inspector/agents/InspectorRuntimeAgent.cpp:
2008         (Inspector::InspectorRuntimeAgent::getProperties):
2009         * inspector/agents/InspectorRuntimeAgent.h:
2010         * inspector/protocol/Runtime.json:
2011
2012 2015-01-20  Joseph Pecoraro  <pecoraro@apple.com>
2013
2014         Web Inspector: Should show dynamic specificity values
2015         https://bugs.webkit.org/show_bug.cgi?id=140647
2016
2017         Reviewed by Benjamin Poulain.
2018
2019         * inspector/protocol/CSS.json:
2020         Clarify CSSSelector optional values and add "dynamic" property indicating
2021         if the selector can be dynamic based on the element it is matched against.
2022
2023 2015-01-20  Commit Queue  <commit-queue@webkit.org>
2024
2025         Unreviewed, rolling out r178751.
2026         https://bugs.webkit.org/show_bug.cgi?id=140694
2027
2028         Caused 32-bit JSC test failures (Requested by JoePeck on
2029         #webkit).
2030
2031         Reverted changeset:
2032
2033         "put_by_val_direct need to check the property is index or not
2034         for using putDirect / putDirectIndex"
2035         https://bugs.webkit.org/show_bug.cgi?id=140426
2036         http://trac.webkit.org/changeset/178751
2037
2038 2015-01-20  Yusuke Suzuki  <utatane.tea@gmail.com>
2039
2040         put_by_val_direct need to check the property is index or not for using putDirect / putDirectIndex
2041         https://bugs.webkit.org/show_bug.cgi?id=140426
2042
2043         Reviewed by Geoffrey Garen.
2044
2045         In the put_by_val_direct operation, we use JSObject::putDirect.
2046         However, it only accepts non-index properties. For index properties, we need to use JSObject::putDirectIndex.
2047         This patch changes Identifier::asIndex() to return Optional<uint32_t>.
2048         It forces callers to check explicitly whether the value is an index or not.
2049         Additionally, it checks whether the toString-ed Identifier is an index or not to choose putDirect / putDirectIndex.
2050
2051         * bytecode/GetByIdStatus.cpp:
2052         (JSC::GetByIdStatus::computeFor):
2053         * bytecode/PutByIdStatus.cpp:
2054         (JSC::PutByIdStatus::computeFor):
2055         * bytecompiler/BytecodeGenerator.cpp:
2056         (JSC::BytecodeGenerator::emitDirectPutById):
2057         * dfg/DFGOperations.cpp:
2058         (JSC::DFG::operationPutByValInternal):
2059         * jit/JITOperations.cpp:
2060         * jit/Repatch.cpp:
2061         (JSC::emitPutTransitionStubAndGetOldStructure):
2062         * jsc.cpp:
2063         * llint/LLIntSlowPaths.cpp:
2064         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2065         * runtime/Arguments.cpp:
2066         (JSC::Arguments::getOwnPropertySlot):
2067         (JSC::Arguments::put):
2068         (JSC::Arguments::deleteProperty):
2069         (JSC::Arguments::defineOwnProperty):
2070         * runtime/ArrayPrototype.cpp:
2071         (JSC::arrayProtoFuncSort):
2072         * runtime/JSArray.cpp:
2073         (JSC::JSArray::defineOwnProperty):
2074         * runtime/JSCJSValue.cpp:
2075         (JSC::JSValue::putToPrimitive):
2076         * runtime/JSGenericTypedArrayViewInlines.h:
2077         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
2078         (JSC::JSGenericTypedArrayView<Adaptor>::put):
2079         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
2080         (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
2081         * runtime/JSObject.cpp:
2082         (JSC::JSObject::put):
2083         (JSC::JSObject::putDirectAccessor):
2084         (JSC::JSObject::putDirectCustomAccessor):
2085         (JSC::JSObject::deleteProperty):
2086         (JSC::JSObject::putDirectMayBeIndex):
2087         (JSC::JSObject::defineOwnProperty):
2088         * runtime/JSObject.h:
2089         (JSC::JSObject::getOwnPropertySlot):
2090         (JSC::JSObject::getPropertySlot):
2091         (JSC::JSObject::putDirectInternal):
2092         * runtime/JSString.cpp:
2093         (JSC::JSString::getStringPropertyDescriptor):
2094         * runtime/JSString.h:
2095         (JSC::JSString::getStringPropertySlot):
2096         * runtime/LiteralParser.cpp:
2097         (JSC::LiteralParser<CharType>::parse):
2098         * runtime/PropertyName.h:
2099         (JSC::toUInt32FromCharacters):
2100         (JSC::toUInt32FromStringImpl):
2101         (JSC::PropertyName::asIndex):
2102         * runtime/PropertyNameArray.cpp:
2103         (JSC::PropertyNameArray::add):
2104         * runtime/StringObject.cpp:
2105         (JSC::StringObject::deleteProperty):
2106         * runtime/Structure.cpp:
2107         (JSC::Structure::prototypeChainMayInterceptStoreTo):
2108
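The index-versus-name distinction this entry turns on, as an added example that is not JSC's own code: `asArrayIndex` follows the ECMAScript definition of an array index (the canonical decimal string of an integer in [0, 2^32 - 2]) and stands in for `Identifier::asIndex()` returning `Optional<uint32_t>`; `ToyObject`, its `putDirect`/`putDirectIndex` split and the two demo functions are constructed for illustration.

```cpp
#include <cstdint>
#include <map>
#include <optional>
#include <string>
#include <string_view>

// Parse a property key as an ECMAScript array index: the canonical decimal
// string of an integer in [0, 2^32 - 2]. Anything else ("01", "+1", "1.0",
// " 1", "4294967295") is an ordinary named property.
// Constructed helper for this example, not JSC's asIndex().
std::optional<uint32_t> asArrayIndex(std::string_view name)
{
    if (name.empty() || name.size() > 10) // 2^32 - 2 has 10 digits
        return std::nullopt;
    if (name.size() > 1 && name[0] == '0') // leading zero is not canonical
        return std::nullopt;
    uint64_t value = 0;
    for (char c : name) {
        if (c < '0' || c > '9')
            return std::nullopt;
        value = value * 10 + static_cast<uint64_t>(c - '0');
    }
    if (value > 0xFFFFFFFEull) // 2^32 - 1 is reserved and never an index
        return std::nullopt;
    return static_cast<uint32_t>(value);
}

// Toy object with separate storage for named and indexed properties, the
// split that makes putDirect vs. putDirectIndex matter. Constructed for this example.
struct ToyObject {
    std::map<std::string, int> named;
    std::map<uint32_t, int> indexed;

    void putDirect(const std::string& name, int v) { named[name] = v; }
    void putDirectIndex(uint32_t index, int v) { indexed[index] = v; }

    // Dispatch as the entry describes: consult the index parser first, then pick the store.
    void putDirectMayBeIndex(const std::string& name, int v)
    {
        if (auto index = asArrayIndex(name))
            putDirectIndex(*index, v);
        else
            putDirect(name, v);
    }

    // Reads dispatch the same way, so "1" and element 1 are one slot.
    std::optional<int> get(const std::string& name) const
    {
        if (auto index = asArrayIndex(name)) {
            auto it = indexed.find(*index);
            if (it == indexed.end())
                return std::nullopt;
            return it->second;
        }
        auto it = named.find(name);
        if (it == named.end())
            return std::nullopt;
        return it->second;
    }
};

// Before the fix: always routing through putDirect puts "1" in named storage,
// so an indexed read of element 1 misses it.
bool unfixedPutLosesElement()
{
    ToyObject o;
    o.putDirect("1", 42); // what put_by_val_direct did unconditionally
    return !o.get("1").has_value() && o.indexed.empty();
}

// After the fix: the dispatch routes "1" to element 1 and "foo" to a named slot.
bool fixedPutRoutesCorrectly()
{
    ToyObject o;
    o.putDirectMayBeIndex("1", 42);
    o.putDirectMayBeIndex("foo", 7);
    return o.get("1") == 42 && o.indexed.count(1) == 1
        && o.named.count("1") == 0 && o.get("foo") == 7;
}
```

The point of the dispatch is that an object keeps element storage apart from named-property storage, so a key such as "1" written through the named-property path is invisible to an indexed read of element 1; the parser's rejection of non-canonical forms like "01" or "4294967295" is what keeps the two stores from disagreeing about which keys are elements.
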
2109 2015-01-20  Michael Saboff  <msaboff@apple.com>
2110
2111         REGRESSION(178696): Sporadic crashes while garbage collecting
2112         https://bugs.webkit.org/show_bug.cgi?id=140688
2113
2114         Reviewed by Geoffrey Garen.
2115
2116         Added missing visitor.append(&thisObject->m_nullSetterFunction).
2117
2118         * runtime/JSGlobalObject.cpp:
2119         (JSC::JSGlobalObject::visitChildren):
2120
2121 2015-01-19  Brian J. Burg  <burg@cs.washington.edu>
2122
2123         Web Replay: code generator should take supplemental specifications and allow cross-framework references
2124         https://bugs.webkit.org/show_bug.cgi?id=136312
2125
2126         Reviewed by Joseph Pecoraro.
2127
2128         Some types are shared between replay inputs from different frameworks.
2129         Previously, these type declarations were duplicated in every input
2130         specification file in which they were used. This caused some type encoding
2131         traits to be emitted twice if used from WebCore inputs and WebKit2 inputs.
2132
2133         This patch teaches the replay inputs code generator to accept multiple
2134         input specification files. Inputs can freely reference types from other
2135         frameworks without duplicating declarations.
2136
2137         On the code generation side, the model could contain types and inputs from
2138         frameworks that are not the target framework. Only generate code for the
2139         target framework.
2140
2141         To properly generate cross-framework type encoding traits, use
2142         Type.encoding_type_argument in more places, and add the export macro for WebCore
2143         and the Test framework.
2144
2145         Adjust some tests so that enum coverage is preserved by moving the enum types
2146         into "Test" (the target framework for tests).
2147
2148         * JavaScriptCore.vcxproj/copy-files.cmd:
2149         For Windows, copy over JSInputs.json as if it were a private header.
2150
2151         * JavaScriptCore.xcodeproj/project.pbxproj: Make JSInputs.json a private header.
2152         * replay/JSInputs.json:
2153         Put all primitive types and WTF types in this specification file.
2154
2155         * replay/scripts/CodeGeneratorReplayInputs.py:
2156         (Input.__init__):
2157         (InputsModel.__init__): Keep track of the input's framework.
2158         (InputsModel.parse_specification): Parse the framework here. Adjust to new format,
2159         and allow either types or inputs to be missing from a single file.
2160
2161         (InputsModel.parse_type_with_framework):
2162         (InputsModel.parse_input_with_framework):
2163         (Generator.should_generate_item): Added helper method.
2164         (Generator.generate_header): Filter inputs to generate.
2165         (Generator.generate_implementation): Filter inputs to generate.
2166         (Generator.generate_enum_trait_declaration): Filter enums to generate.
2167         Add WEBCORE_EXPORT macro to enum encoding traits.
2168
2169         (Generator.generate_for_each_macro): Filter inputs to generate.
2170         (Generator.generate_enum_trait_implementation): Filter enums to generate.
2171         (generate_from_specifications): Added.
2172         (generate_from_specifications.parse_json_from_file):
2173         (InputsModel.parse_toplevel): Deleted.
2174         (InputsModel.parse_type_with_framework_name): Deleted.
2175         (InputsModel.parse_input): Deleted.
2176         (generate_from_specification): Deleted.
2177         * replay/scripts/CodeGeneratorReplayInputsTemplates.py:
2178         * replay/scripts/tests/expected/fail-on-no-inputs.json-error: Removed.
2179         * replay/scripts/tests/expected/fail-on-no-types.json-error: Removed.
2180         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp:
2181         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h:
2182         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp:
2183         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h:
2184         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp:
2185         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h:
2186         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp:
2187         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h:
2188         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h:
2189         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h:
2190         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h:
2191         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h:
2192         * replay/scripts/tests/fail-on-c-style-enum-no-storage.json:
2193         * replay/scripts/tests/fail-on-duplicate-enum-type.json:
2194         * replay/scripts/tests/fail-on-duplicate-input-names.json:
2195         * replay/scripts/tests/fail-on-duplicate-type-names.json:
2196         * replay/scripts/tests/fail-on-enum-type-missing-values.json:
2197         * replay/scripts/tests/fail-on-missing-input-member-name.json:
2198         * replay/scripts/tests/fail-on-missing-input-name.json:
2199         * replay/scripts/tests/fail-on-missing-input-queue.json:
2200         * replay/scripts/tests/fail-on-missing-type-mode.json:
2201         * replay/scripts/tests/fail-on-missing-type-name.json:
2202         * replay/scripts/tests/fail-on-no-inputs.json:
2203         Removed, no longer required to be in a single file.
2204
2205         * replay/scripts/tests/fail-on-no-types.json:
2206         Removed, no longer required to be in a single file.
2207
2208         * replay/scripts/tests/fail-on-unknown-input-queue.json:
2209         * replay/scripts/tests/fail-on-unknown-member-type.json:
2210         * replay/scripts/tests/fail-on-unknown-type-mode.json:
2211         * replay/scripts/tests/generate-enum-encoding-helpers-with-guarded-values.json:
2212         * replay/scripts/tests/generate-enum-encoding-helpers.json:
2213         * replay/scripts/tests/generate-enum-with-guard.json:
2214         Include enums that are and are not generated.
2215
2216         * replay/scripts/tests/generate-enums-with-same-base-name.json:
2217         * replay/scripts/tests/generate-event-loop-shape-types.json:
2218         * replay/scripts/tests/generate-input-with-guard.json:
2219         * replay/scripts/tests/generate-input-with-vector-members.json:
2220         * replay/scripts/tests/generate-inputs-with-flags.json:
2221         * replay/scripts/tests/generate-memoized-type-modes.json:
2222
2223 2015-01-20  Tomas Popela  <tpopela@redhat.com>
2224
2225         [GTK] Cannot compile 2.7.3 on PowerPC machines
2226         https://bugs.webkit.org/show_bug.cgi?id=140616
2227
2228         Include climits for INT_MAX and wtf/DataLog.h for dataLogF
2229
2230         Reviewed by Csaba Osztrogonác.
2231
2232         * runtime/BasicBlockLocation.cpp:
2233
2234 2015-01-19  Michael Saboff  <msaboff@apple.com>
2235
2236         A "cached" null setter should throw a TypeException when called in strict mode and doesn't
2237         https://bugs.webkit.org/show_bug.cgi?id=139418
2238
2239         Reviewed by Filip Pizlo.
2240
2241         Made a new NullSetterFunction class similar to NullGetterFunction.  The difference is that 
2242         NullSetterFunction will throw a TypeError per the ECMA262 spec for a strict mode caller.
2243
2244         * CMakeLists.txt:
2245         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2246         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2247         * JavaScriptCore.xcodeproj/project.pbxproj:
2248         Added new files NullSetterFunction.cpp and NullSetterFunction.h.
2249
2250         * runtime/GetterSetter.h:
2251         (JSC::GetterSetter::GetterSetter):
2252         (JSC::GetterSetter::isSetterNull):
2253         (JSC::GetterSetter::setSetter):
2254         Change setter instances from using NullGetterFunction to using NullSetterFunction.
2255
2256         * runtime/JSGlobalObject.cpp:
2257         (JSC::JSGlobalObject::init):
2258         * runtime/JSGlobalObject.h:
2259         (JSC::JSGlobalObject::nullSetterFunction):
2260         Added m_nullSetterFunction and accessor.
2261
2262         * runtime/NullSetterFunction.cpp: Added.
2263         (JSC::GetCallerStrictnessFunctor::GetCallerStrictnessFunctor):
2264         (JSC::GetCallerStrictnessFunctor::operator()):
2265         (JSC::GetCallerStrictnessFunctor::callerIsStrict):
2266         (JSC::callerIsStrict):
2267         Method to determine if the caller is in strict mode.
2268
2269         (JSC::callReturnUndefined):
2270         (JSC::constructReturnUndefined):
2271         (JSC::NullSetterFunction::getCallData):
2272         (JSC::NullSetterFunction::getConstructData):
2273         * runtime/NullSetterFunction.h: Added.
2274         (JSC::NullSetterFunction::create):
2275         (JSC::NullSetterFunction::createStructure):
2276         (JSC::NullSetterFunction::NullSetterFunction):
2277         Class with handlers for a null setter.
2278
2279 2015-01-19  Saam Barati  <saambarati1@gmail.com>
2280
2281         Web Inspector: Provide a front end for JSC's Control Flow Profiler
2282         https://bugs.webkit.org/show_bug.cgi?id=138454
2283
2284         Reviewed by Timothy Hatcher.
2285
2286         This patch puts the final touches on what JSC needs to provide
2287         for the Web Inspector to show a UI for the control flow profiler.
2288
2289         * inspector/agents/InspectorRuntimeAgent.cpp:
2290         (Inspector::recompileAllJSFunctionsForTypeProfiling):
2291         * runtime/ControlFlowProfiler.cpp:
2292         (JSC::ControlFlowProfiler::getBasicBlocksForSourceID):
2293         * runtime/FunctionHasExecutedCache.cpp:
2294         (JSC::FunctionHasExecutedCache::getFunctionRanges):
2295         (JSC::FunctionHasExecutedCache::getUnexecutedFunctionRanges): Deleted.
2296         * runtime/FunctionHasExecutedCache.h:
2297
2298 2015-01-19  David Kilzer  <ddkilzer@apple.com>
2299
2300         [iOS] Only use LLVM static library arguments on 64-bit builds of libllvmForJSC.dylib
2301         <http://webkit.org/b/140658>
2302
2303         Reviewed by Filip Pizlo.
2304
2305         * Configurations/LLVMForJSC.xcconfig: Set OTHER_LDFLAGS_LLVM
2306         only when building for 64-bit architectures.
2307
2308 2015-01-19  Filip Pizlo  <fpizlo@apple.com>
2309
2310         ClosureCallStubRoutine no longer needs codeOrigin
2311         https://bugs.webkit.org/show_bug.cgi?id=140659
2312
2313         Reviewed by Michael Saboff.
2314         
2315         Once upon a time, we would look for the CodeOrigin associated with a return PC. This search
2316         would start with the CodeBlock according to the caller frame's call frame header. But if the
2317         call was a closure call, the return PC would be inside some closure call stub. So if the
2318         CodeBlock search failed, we would search *all* closure call stub routines to see which one
2319         encompasses the return PC. Then, we would use the CodeOrigin stored in the stub routine
2320         object. This was all a bunch of madness, and we actually got rid of it - we now determine
2321         the CodeOrigin for a call frame using the encoded code origin bits inside the tag of the
2322         argument count.
2323         
2324         This patch removes the final vestiges of the madness:
2325         
2326         - Remove the totally unused method declaration for the thing that did the closure call stub
2327           search.
2328         
2329         - Remove the CodeOrigin field from the ClosureCallStubRoutine. Except for that crazy search
2330           that we no longer do, everyone else who finds a ClosureCallStubRoutine will find it via
2331           the CallLinkInfo. The CallLinkInfo also has the CodeOrigin, so we don't need this field
2332           anymore.
2333
2334         * bytecode/CodeBlock.h:
2335         * jit/ClosureCallStubRoutine.cpp:
2336         (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
2337         * jit/ClosureCallStubRoutine.h:
2338         (JSC::ClosureCallStubRoutine::executable):
2339         (JSC::ClosureCallStubRoutine::codeOrigin): Deleted.
2340         * jit/Repatch.cpp:
2341         (JSC::linkClosureCall):
2342
2343 2015-01-19  Saam Barati  <saambarati1@gmail.com>
2344
2345         Basic block start offsets should never be larger than end offsets in the control flow profiler
2346         https://bugs.webkit.org/show_bug.cgi?id=140377
2347
2348         Reviewed by Filip Pizlo.
2349
2350         The bytecode generator will emit code more than once for some AST nodes. For instance, 
2351         the finally block of TryNode will emit two code paths for its finally block: one for 
2352         the normal path, and another for the path where an exception is thrown in the catch block. 
2353         
2354         This repeated code emission of the same AST node previously broke how the control 
2355         flow profiler computed text ranges of basic blocks because when the same AST node 
2356         is emitted multiple times, there is a good chance that there are ranges that span 
2357         from the end offset of one of these duplicated nodes back to the start offset of 
2358         the same duplicated node. This caused a basic block range to report a larger start 
2359         offset than end offset. This was incorrect. Now, when this situation is encountered 
2360         while linking a CodeBlock, the faulty range in question is ignored.
2361
2362         * bytecode/CodeBlock.cpp:
2363         (JSC::CodeBlock::CodeBlock):
2364         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
2365         * bytecode/CodeBlock.h:
2366         * bytecompiler/NodesCodegen.cpp:
2367         (JSC::ForInNode::emitMultiLoopBytecode):
2368         (JSC::ForOfNode::emitBytecode):
2369         (JSC::TryNode::emitBytecode):
2370         * parser/Parser.cpp:
2371         (JSC::Parser<LexerType>::parseConditionalExpression):
2372         * runtime/ControlFlowProfiler.cpp:
2373         (JSC::ControlFlowProfiler::ControlFlowProfiler):
2374         * runtime/ControlFlowProfiler.h:
2375         (JSC::ControlFlowProfiler::dummyBasicBlock):
2376
2377 2015-01-19  Myles C. Maxfield  <mmaxfield@apple.com>
2378
2379         [SVG -> OTF Converter] Flip the switch on
2380         https://bugs.webkit.org/show_bug.cgi?id=140592
2381
2382         Reviewed by Antti Koivisto.
2383
2384         * Configurations/FeatureDefines.xcconfig:
2385
2386 2015-01-19  Brian J. Burg  <burg@cs.washington.edu>
2387
2388         Web Replay: convert to is<T> and downcast<T> for decoding replay inputs
2389         https://bugs.webkit.org/show_bug.cgi?id=140512
2390
2391         Reviewed by Chris Dumez.
2392
2393         Generate a SPECIALIZE_TYPE_TRAITS_* chunk of code for each input. This cannot
2394         be done using REPLAY_INPUT_NAMES_FOR_EACH macro since that doesn't fully qualify
2395         input types, and the type traits macro is defined in namespace WTF.
2396
2397         * replay/NondeterministicInput.h: Make overridden methods public.
2398         * replay/scripts/CodeGeneratorReplayInputs.py:
2399         (Generator.generate_header):
2400         (Generator.qualified_input_name): Allow forcing qualification. WTF is never a target framework.
2401         (Generator.generate_input_type_trait_declaration): Added.
2402         * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Add a template.
2403         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h:
2404         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h:
2405         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h:
2406         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h:
2407         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h:
2408         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h:
2409         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h:
2410         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h:
2411
2412 2015-01-19  Commit Queue  <commit-queue@webkit.org>
2413
2414         Unreviewed, rolling out r178653.
2415         https://bugs.webkit.org/show_bug.cgi?id=140634
2416
2417         Broke multiple SVG tests on Mountain Lion (Requested by ap on
2418         #webkit).
2419
2420         Reverted changeset:
2421
2422         "[SVG -> OTF Converter] Flip the switch on"
2423         https://bugs.webkit.org/show_bug.cgi?id=140592
2424         http://trac.webkit.org/changeset/178653
2425
2426 2015-01-18  Dean Jackson  <dino@apple.com>
2427
2428         ES6: Support Array.of construction
2429         https://bugs.webkit.org/show_bug.cgi?id=140605
2430         <rdar://problem/19513655>
2431
2432         Reviewed by Geoffrey Garen.
2433
2434         Add an implementation of Array.of, described in 22.1.2.3 of the ES6
2435         specification (15 Jan 2015). The Array.of() method creates a new Array
2436         instance with a variable number of arguments, regardless of number or type
2437         of the arguments.
2438
2439         * runtime/ArrayConstructor.cpp:
2440         (JSC::arrayConstructorOf): Create a new empty Array, then iterate
2441         over the arguments, setting them to the appropriate index.
2442
2443 2015-01-19  Myles C. Maxfield  <mmaxfield@apple.com>
2444
2445         [SVG -> OTF Converter] Flip the switch on
2446         https://bugs.webkit.org/show_bug.cgi?id=140592
2447
2448         Reviewed by Antti Koivisto.
2449
2450         * Configurations/FeatureDefines.xcconfig:
2451
2452 2015-01-17  Brian J. Burg  <burg@cs.washington.edu>
2453
2454         Web Inspector: highlight data for overlay should use protocol type builders
2455         https://bugs.webkit.org/show_bug.cgi?id=129441
2456
2457         Reviewed by Timothy Hatcher.
2458
2459         Add a new domain for overlay types.
2460
2461         * CMakeLists.txt:
2462         * DerivedSources.make:
2463         * inspector/protocol/OverlayTypes.json: Added.
2464
2465 2015-01-17  Michael Saboff  <msaboff@apple.com>
2466
2467         Crash in JSScope::resolve() on tools.ups.com
2468         https://bugs.webkit.org/show_bug.cgi?id=140579
2469
2470         Reviewed by Geoffrey Garen.
2471
2472         For op_resolve_scope of a global property or variable that needs to check for the var
2473         injection check watchpoint, we need to keep the scope around with a Phantom.  The
2474         baseline JIT slowpath for op_resolve_scope needs the scope value if the watchpoint
2475         fired.
2476
2477         * dfg/DFGByteCodeParser.cpp:
2478         (JSC::DFG::ByteCodeParser::parseBlock):
2479
2480 2015-01-16  Brian J. Burg  <burg@cs.washington.edu>
2481
2482         Web Inspector: code generator should introduce typedefs for protocol types that are arrays
2483         https://bugs.webkit.org/show_bug.cgi?id=140557
2484
2485         Reviewed by Joseph Pecoraro.
2486
2487         Currently, there is no generated type name for "array" type declarations such as Console.CallStack.
2488         This makes it long-winded and confusing to use the type in C++ code.
2489
2490         This patch adds a typedef for array type declarations, so types such as Console::CallStack
2491         can be referred to directly, rather than using Inspector::Protocol::Array<Console::CallFrame>.
2492
2493         Some tests were updated to cover array type declarations used as parameters and type members.
2494
2495         * inspector/ScriptCallStack.cpp: Use the new typedef.
2496         (Inspector::ScriptCallStack::buildInspectorArray):
2497         * inspector/ScriptCallStack.h:
2498         * inspector/scripts/codegen/cpp_generator.py:
2499         (CppGenerator.cpp_protocol_type_for_type): If an ArrayType is nominal, use the typedef'd name instead.
2500         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2501         (_generate_typedefs_for_domain): Also generate typedefs for array type declarations.
2502         (_generate_typedefs_for_domain.Inspector):
2503         * inspector/scripts/codegen/models.py: Save the name of an ArrayType when it is a type declaration.
2504         (ArrayType.__init__):
2505         (Protocol.resolve_types):
2506         (Protocol.lookup_type_reference):
2507         * inspector/scripts/tests/commands-with-async-attribute.json:
2508         * inspector/scripts/tests/commands-with-optional-call-return-parameters.json:
2509         * inspector/scripts/tests/events-with-optional-parameters.json:
2510         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2511         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2512         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2513         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2514         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2515         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2516         * inspector/scripts/tests/type-declaration-object-type.json:
2517
2518 2015-01-16  Brian J. Burg  <burg@cs.washington.edu>
2519
2520         Web Replay: purge remaining PassRefPtr uses and minor cleanup
2521         https://bugs.webkit.org/show_bug.cgi?id=140456
2522
2523         Reviewed by Andreas Kling.
2524
2525         Get rid of PassRefPtr. Introduce default initializers where it makes sense.
2526         Remove mistaken uses of AtomicString that were not removed as part of r174113.
2527
2528         * replay/EmptyInputCursor.h:
2529         * replay/InputCursor.h:
2530         (JSC::InputCursor::InputCursor):
2531
2532 2015-01-16  Brian J. Burg  <burg@cs.washington.edu>
2533
2534         Web Inspector: code generator should fail on duplicate parameter and member names
2535         https://bugs.webkit.org/show_bug.cgi?id=140555
2536
2537         Reviewed by Timothy Hatcher.
2538
2539         * inspector/scripts/codegen/models.py:
2540         (find_duplicates): Add a helper function to find duplicates in a list.
2541         (Protocol.parse_type_declaration):
2542         (Protocol.parse_command):
2543         (Protocol.parse_event):
2544         * inspector/scripts/tests/expected/fail-on-duplicate-command-call-parameter-names.json-error: Added.
2545         * inspector/scripts/tests/expected/fail-on-duplicate-command-return-parameter-names.json-error: Added.
2546         * inspector/scripts/tests/expected/fail-on-duplicate-event-parameter-names.json-error: Added.
2547         * inspector/scripts/tests/expected/fail-on-duplicate-type-member-names.json-error: Added.
2548         * inspector/scripts/tests/fail-on-duplicate-command-call-parameter-names.json: Added.
2549         * inspector/scripts/tests/fail-on-duplicate-command-return-parameter-names.json: Added.
2550         * inspector/scripts/tests/fail-on-duplicate-event-parameter-names.json: Added.
2551         * inspector/scripts/tests/fail-on-duplicate-type-member-names.json: Added.
2552
2553 2015-01-16  Michael Saboff  <msaboff@apple.com>
2554
2555         REGRESSION (r174226): Header on huffingtonpost.com is too large
2556         https://bugs.webkit.org/show_bug.cgi?id=140306
2557
2558         Reviewed by Filip Pizlo.
2559
2560         BytecodeGenerator::willResolveToArguments() is used to check to see if we can use the
2561         arguments register or whether we need to resolve "arguments".  If the arguments have
2562         been captured, then they are stored in the lexical environment and the arguments
2563         register is not used.
2564
2565         Changed BytecodeGenerator::willResolveToArguments() to also check to see if the arguments
2566         register is captured.  Renamed the function to willResolveToArgumentsRegister() to
2567         better indicate what we are checking.
2568
2569         Aligned 32 and 64 bit paths in ArgumentsRecoveryGenerator::generateFor() for creating
2570         an arguments object that was optimized out of an inlined callFrame.  The 32 bit path
2571         incorrectly calculated the location of the reified callee frame.  This alignment resulted
2572         in the removal of operationCreateInlinedArgumentsDuringOSRExit().
2573
2574         * bytecompiler/BytecodeGenerator.cpp:
2575         (JSC::BytecodeGenerator::willResolveToArgumentsRegister):
2576         (JSC::BytecodeGenerator::uncheckedLocalArgumentsRegister):
2577         (JSC::BytecodeGenerator::emitCall):
2578         (JSC::BytecodeGenerator::emitConstruct):
2579         (JSC::BytecodeGenerator::emitEnumeration):
2580         (JSC::BytecodeGenerator::willResolveToArguments): Deleted.
2581         * bytecompiler/BytecodeGenerator.h:
2582         * bytecompiler/NodesCodegen.cpp:
2583         (JSC::BracketAccessorNode::emitBytecode):
2584         (JSC::DotAccessorNode::emitBytecode):
2585         (JSC::getArgumentByVal):
2586         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2587         (JSC::ArrayPatternNode::emitDirectBinding):
2588         * dfg/DFGOSRExitCompilerCommon.cpp:
2589         (JSC::DFG::ArgumentsRecoveryGenerator::generateFor):
2590         * dfg/DFGOperations.cpp:
2591         (JSC::operationCreateInlinedArgumentsDuringOSRExit): Deleted.
2592         * dfg/DFGOperations.h:
2593         (JSC::operationCreateInlinedArgumentsDuringOSRExit): Deleted.
2594
2595 2015-01-15  Csaba Osztrogonác  <ossy@webkit.org>
2596
2597         Remove ENABLE(SQL_DATABASE) guards
2598         https://bugs.webkit.org/show_bug.cgi?id=140434
2599
2600         Reviewed by Darin Adler.
2601
2602         * CMakeLists.txt:
2603         * Configurations/FeatureDefines.xcconfig:
2604         * DerivedSources.make:
2605         * inspector/protocol/Database.json:
2606
2607 2015-01-14  Alexey Proskuryakov  <ap@apple.com>
2608
2609         Web Inspector and regular console use different source code locations for messages
2610         https://bugs.webkit.org/show_bug.cgi?id=140478
2611
2612         Reviewed by Brian Burg.
2613
2614         * inspector/ConsoleMessage.h: Expose computed source location.
2615
2616         * inspector/agents/InspectorConsoleAgent.cpp:
2617         (Inspector::InspectorConsoleAgent::addMessageToConsole):
2618         (Inspector::InspectorConsoleAgent::stopTiming):
2619         (Inspector::InspectorConsoleAgent::count):
2620         * inspector/agents/InspectorConsoleAgent.h:
2621         addMessageToConsole() now takes a pre-made ConsoleMessage object.
2622
2623         * inspector/JSGlobalObjectConsoleClient.cpp:
2624         (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
2625         (Inspector::JSGlobalObjectConsoleClient::warnUnimplemented):
2626         * inspector/JSGlobalObjectInspectorController.cpp:
2627         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
2628         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
2629         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
2630         Updated for the above changes.
2631
2632 2015-01-15  Mark Lam  <mark.lam@apple.com>
2633
2634         [Part 2] Argument object created by "Function dot arguments" should use a clone of argument values.
2635         <https://webkit.org/b/140093>
2636
2637         Reviewed by Geoffrey Garen.
2638
2639         * interpreter/StackVisitor.cpp:
2640         (JSC::StackVisitor::Frame::createArguments):
2641         - We should not be fetching the lexicalEnvironment here.  The reason we've
2642           introduced the ClonedArgumentsCreationMode is because the lexicalEnvironment
2643           may not be available to us at this point.  Instead, we'll just pass a nullptr.
2644
2645         * runtime/Arguments.cpp:
2646         (JSC::Arguments::tearOffForCloning):
2647         * runtime/Arguments.h:
2648         (JSC::Arguments::finishCreation):
2649         - Use the new tearOffForCloning() to tear off arguments right out of the values
2650           passed on the stack.  tearOff() is not appropriate for this purpose because
2651           it takes slowArgumentsData into account.
2652
2653 2015-01-14  Matthew Mirman  <mmirman@apple.com>
2654
2655         Removed accidental commit of "invalid_array.js" 
2656         http://trac.webkit.org/changeset/178439
2657
2658         * tests/stress/invalid_array.js: Removed.
2659
2660 2015-01-14  Matthew Mirman  <mmirman@apple.com>
2661
2662         Fixes operationPutByIdOptimizes such that they check that the put didn't
2663         change the structure of the object whose property access is being
2664         cached.  Also removes uses of the new base value from the cache generation code.
2665         https://bugs.webkit.org/show_bug.cgi?id=139500
2666
2667         Reviewed by Filip Pizlo.
2668
2669         * jit/JITOperations.cpp:
2670         (JSC::operationPutByIdStrictOptimize): saved the structure before the put.
2671         (JSC::operationPutByIdNonStrictOptimize): ditto.
2672         (JSC::operationPutByIdDirectStrictOptimize): ditto.
2673         (JSC::operationPutByIdDirectNonStrictOptimize): ditto.
2674         * jit/Repatch.cpp:
2675         (JSC::generateByIdStub):
2676         (JSC::tryCacheGetByID):
2677         (JSC::tryBuildGetByIDList):
2678         (JSC::emitPutReplaceStub):
2679         (JSC::emitPutTransitionStubAndGetOldStructure): Added.
2680         (JSC::tryCachePutByID):
2681         (JSC::repatchPutByID):
2682         (JSC::tryBuildPutByIdList):
2683         (JSC::tryRepatchIn):
2684         (JSC::emitPutTransitionStub): Deleted.
2685         * jit/Repatch.h:
2686         * llint/LLIntSlowPaths.cpp:
2687         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2688         * runtime/JSPropertyNameEnumerator.h:
2689         (JSC::genericPropertyNameEnumerator):
2690         * runtime/Operations.h:
2691         (JSC::normalizePrototypeChainForChainAccess): restructured to not use the base value.
2692         (JSC::normalizePrototypeChain): restructured to not use the base value.
2693         * tests/mozilla/mozilla-tests.yaml:
2694         * tests/stress/proto-setter.js: Added.
2695         * tests/stress/put-by-id-build-list-order-recurse.js: Added.
2696         Added test that fails without this patch.
2697
2698 2015-01-13  Joseph Pecoraro  <pecoraro@apple.com>
2699
2700         Web Inspector: Remove unused ResizeImage and DecodeImageData timeline events
2701         https://bugs.webkit.org/show_bug.cgi?id=140404
2702
2703         Reviewed by Timothy Hatcher.
2704
2705         * inspector/protocol/Timeline.json:
2706
2707 2015-01-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2708
2709         DFG can call PutByValDirect for generic arrays
2710         https://bugs.webkit.org/show_bug.cgi?id=140389
2711
2712         Reviewed by Geoffrey Garen.
2713
2714         Computed properties in object initializers (ES6) use the put_by_val_direct operation.
2715         However, the current DFG asserts that put_by_val_direct is not used for the generic array,
2716         so the assertion failure is raised.
2717         This patch allows the DFG to use put_by_val_direct for generic arrays.
2718
2719         And fix the DFG put_by_val_direct implementation for string properties.
2720         At first, put_by_val_direct was intended to be used for spread elements.
2721         So the property keys were limited to numbers (indexes).
2722         But now, it's also used for computed properties in object initializers.
2723
2724         * dfg/DFGOperations.cpp:
2725         (JSC::DFG::operationPutByValInternal):
2726         * dfg/DFGSpeculativeJIT64.cpp:
2727         (JSC::DFG::SpeculativeJIT::compile):
2728
2729 2015-01-13  Geoffrey Garen  <ggaren@apple.com>
2730
2731         Out of bounds access in BytecodeGenerator::emitGetById under DotAccessorNode::emitBytecode
2732         https://bugs.webkit.org/show_bug.cgi?id=140397
2733
2734         Reviewed by Geoffrey Garen.
2735
2736         Patch by Alexey Proskuryakov.
2737
2738         Reviewed, performance tested, and ChangeLogged by Geoffrey Garen.
2739
2740         No performance change.
2741
2742         No test, since this is a small past-the-end read, which is very
2743         difficult to turn into a reproducible failing test -- and existing tests
2744         crash reliably using ASan.
2745
2746         * bytecompiler/NodesCodegen.cpp:
2747         (JSC::BracketAccessorNode::emitBytecode):
2748         (JSC::DotAccessorNode::emitBytecode):
2749         (JSC::FunctionCallBracketNode::emitBytecode):
2750         (JSC::PostfixNode::emitResolve):
2751         (JSC::DeleteBracketNode::emitBytecode):
2752         (JSC::DeleteDotNode::emitBytecode):
2753         (JSC::PrefixNode::emitResolve):
2754         (JSC::UnaryOpNode::emitBytecode):
2755         (JSC::BitwiseNotNode::emitBytecode):
2756         (JSC::BinaryOpNode::emitBytecode):
2757         (JSC::EqualNode::emitBytecode):
2758         (JSC::StrictEqualNode::emitBytecode):
2759         (JSC::ThrowableBinaryOpNode::emitBytecode):
2760         (JSC::AssignDotNode::emitBytecode):
2761         (JSC::AssignBracketNode::emitBytecode): Use RefPtr in more places. Any
2762         register used across a call to a function that might allocate a new
2763         temporary register must be held in a RefPtr.
2764
2765 2015-01-12  Michael Saboff  <msaboff@apple.com>
2766
2767         Local JSArray* "keys" in objectConstructorKeys() is not marked during garbage collection
2768         https://bugs.webkit.org/show_bug.cgi?id=140348
2769
2770         Reviewed by Mark Lam.
2771
2772         We used to read registers in MachineThreads::gatherFromCurrentThread(), but that is too late
2773         because those registers may have been spilled on the stack and replaced with other values by
2774         the time we call down to gatherFromCurrentThread().
2775
2776         Now we get the register contents at the same place that we demarcate the current top of
2777         stack using the address of a local variable, in Heap::markRoots().  The register contents
2778         buffer is passed along with the demarcation pointer.  These need to be done at this level 
2779         in the call tree and no lower, as markRoots() calls various functions that visit object
2780         pointers that may be later proven dead.  Any of those pointers that are left on the
2781         stack or in registers could be incorrectly marked as live if we scan the stack contents
2782         from a called function or one of its callees.  The stack demarcation pointer and register
2783         saving need to be done in the same function so that we have a consistent stack, active
2784         and spilled registers.
2785
2786         Because we don't want to make unnecessary calls to get the register contents, we use
2787         a macro to allocate, and possibly align, the register structure and get the actual
2788         register contents.
2789
2791         * heap/Heap.cpp:
2792         (JSC::Heap::markRoots):
2793         (JSC::Heap::gatherStackRoots):
2794         * heap/Heap.h:
2795         * heap/MachineStackMarker.cpp:
2796         (JSC::MachineThreads::gatherFromCurrentThread):
2797         (JSC::MachineThreads::gatherConservativeRoots):
2798         * heap/MachineStackMarker.h:
2799
2800 2015-01-12  Benjamin Poulain  <benjamin@webkit.org>
2801
2802         Add basic pattern matching support to the url filters
2803         https://bugs.webkit.org/show_bug.cgi?id=140283
2804
2805         Reviewed by Andreas Kling.
2806
2807         * JavaScriptCore.xcodeproj/project.pbxproj:
2808         Make YarrParser.h private in order to use it from WebCore.
2809
2810 2015-01-12  Geoffrey Garen  <ggaren@apple.com>
2811
2812         Out of bounds read in IdentifierArena::makeIdentifier
2813         https://bugs.webkit.org/show_bug.cgi?id=140376
2814
2815         Patch by Alexey Proskuryakov.
2816
2817         Reviewed and ChangeLogged by Geoffrey Garen.
2818
2819         No test, since this is a small past-the-end read, which is very
2820         difficult to turn into a reproducible failing test -- and existing tests
2821         crash reliably using ASan.
2822
2823         * parser/ParserArena.h:
2824         (JSC::IdentifierArena::makeIdentifier):
2825         (JSC::IdentifierArena::makeIdentifierLCharFromUChar): Check for a
2826         zero-length string input, like we do in the literal parser, since it is
2827         not valid to dereference characters in a zero-length string.
2828
2829         A zero-length string is allowed in JavaScript -- for example, "".
2830
2831 2015-01-11  Sam Weinig  <sam@webkit.org>
2832
2833         Remove support for SharedWorkers
2834         https://bugs.webkit.org/show_bug.cgi?id=140344
2835
2836         Reviewed by Anders Carlsson.
2837
2838         * Configurations/FeatureDefines.xcconfig:
2839
2840 2015-01-12  Myles C. Maxfield  <mmaxfield@apple.com>
2841
2842         Allow targetting the SVG->OTF font converter with ENABLE(SVG_OTF_CONVERTER)
2843         https://bugs.webkit.org/show_bug.cgi?id=136769
2844
2845         Reviewed by Antti Koivisto.
2846
2847         * Configurations/FeatureDefines.xcconfig:
2848
2849 2015-01-12  Commit Queue  <commit-queue@webkit.org>
2850
2851         Unreviewed, rolling out r178266.
2852         https://bugs.webkit.org/show_bug.cgi?id=140363
2853
2854         Broke a JSC test (Requested by ap on #webkit).
2855
2856         Reverted changeset:
2857
2858         "Local JSArray* "keys" in objectConstructorKeys() is not
2859         marked during garbage collection"
2860         https://bugs.webkit.org/show_bug.cgi?id=140348
2861         http://trac.webkit.org/changeset/178266
2862
2863 2015-01-12  Michael Saboff  <msaboff@apple.com>
2864
2865         Local JSArray* "keys" in objectConstructorKeys() is not marked during garbage collection
2866         https://bugs.webkit.org/show_bug.cgi?id=140348
2867
2868         Reviewed by Mark Lam.
2869
2870         Move the address of the local variable that is used to demarcate the top of the stack for 
2871         conservative roots down to MachineThreads::gatherFromCurrentThread() since it also gets
2872         the register values using setjmp().  That way we don't lose any callee save register
2873         contents between Heap::markRoots(), where it was set, and gatherFromCurrentThread().
2874         If we lose any JSObject* that are only in callee save registers, they will be GC'ed
2875         erroneously.
2876
2877         * heap/Heap.cpp:
2878         (JSC::Heap::markRoots):
2879         (JSC::Heap::gatherStackRoots):
2880         * heap/Heap.h:
2881         * heap/MachineStackMarker.cpp:
2882         (JSC::MachineThreads::gatherFromCurrentThread):
2883         (JSC::MachineThreads::gatherConservativeRoots):
2884         * heap/MachineStackMarker.h:
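
The register-capture design described in the re-landed entry above (2015-01-12, "Local JSArray* "keys" in objectConstructorKeys() is not marked during garbage collection") and the reverted attempt in this entry can be demonstrated outside JSC. The following C program is an added illustration, not WebKit code: a toy conservative collector captures the callee-saved registers with setjmp() and takes the stack-top demarcation address in the same frame, then scans both the jmp_buf and the stack range up to a base address recorded on entry. The names cell_alloc, scan_words, mark_roots, mutator and run_collection_demo are hypothetical; the code assumes GCC or Clang for the noinline attribute, a contiguous thread stack, and a setjmp() that stores the callee-saved data registers verbatim in the jmp_buf (true for rbx/r12-r15 on glibc x86_64, where only rsp/rbp/rip are mangled).

```c
#include <setjmp.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy heap (hypothetical, not JSC's): a small table of cells.  A cell is
   live if some word on the mutator's stack, or in a callee-saved register,
   equals its address. */
#define MAX_CELLS 8
typedef struct { int value; bool marked; } Cell;
static Cell *cells[MAX_CELLS];
static size_t cell_count;

static void heap_reset(void) {
    for (size_t i = 0; i < cell_count; i++) free(cells[i]);
    cell_count = 0;
}

static Cell *cell_alloc(int value) {
    if (cell_count == MAX_CELLS) return NULL;
    Cell *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    c->value = value;
    cells[cell_count++] = c;
    return c;
}

/* Conservative scan: any word in [lo, hi) equal to a cell address marks it. */
static void scan_words(const void *lo, const void *hi) {
    const uintptr_t *p = lo, *end = hi;
    for (; p < end; p++)
        for (size_t i = 0; i < cell_count; i++)
            if (*p == (uintptr_t)cells[i]) cells[i]->marked = true;
}

/* Registers and the stack-top demarcation are captured in the SAME frame.
   setjmp() stores the callee-saved registers into regs, and &regs is also
   the lowest address of this frame that the scan needs to cover.  Doing the
   setjmp() one call deeper would let the callee spill and reuse a register
   before it is captured, which is the failure the re-land fixes. */
#define CAPTURE_REGISTERS_AND_STACK_TOP(regs, top) \
    do { setjmp(regs); (top) = (const void *)&(regs); } while (0)

__attribute__((noinline)) static void mark_roots(const void *stack_base) {
    jmp_buf regs;
    const void *stack_top;
    CAPTURE_REGISTERS_AND_STACK_TOP(regs, stack_top);
    scan_words(&regs, (const char *)&regs + sizeof regs);        /* saved registers */
    if (stack_top < stack_base) scan_words(stack_top, stack_base); /* stack grows down */
    else scan_words(stack_base, stack_top);                        /* stack grows up */
}

/* Mutator: across the call to mark_roots() the only reference to the cell
   lives in this frame's spill area or in a callee-saved register. */
__attribute__((noinline)) static int mutator(const void *stack_base) {
    Cell *only_ref = cell_alloc(42);
    if (!only_ref) return -1;
    mark_roots(stack_base);
    return only_ref->marked ? only_ref->value : -1;
}

/* Records the stack base in its own frame (as a collector does on thread
   entry), runs the mutator and returns the surviving cell's value, or -1. */
__attribute__((noinline)) int run_collection_demo(void) {
    volatile int base_marker = 0;
    heap_reset();
    int result = mutator((const void *)&base_marker);
    heap_reset();
    return result + base_marker;
}

int main(void) {
    printf("cell reachable only from the mutator frame/registers: %s\n",
           run_collection_demo() == 42 ? "marked" : "MISSED");
    return 0;
}
```

Run standalone, the program reports whether the cell that is referenced only from the mutator's frame or a callee-saved register was marked. The register scan and the stack scan are deliberately issued from the frame that did the setjmp(), which is the property the re-land restores in Heap::markRoots(): if the jmp_buf were filled in a deeper callee, a pointer that was live in a callee-saved register at the demarcation point might already have been spilled into a frame below the scanned range and the register reused.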
2885
2886 2015-01-11  Eric Carlson  <eric.carlson@apple.com>
2887
2888         Fix typo in testate.c error messages
2889         https://bugs.webkit.org/show_bug.cgi?id=140305
2890
2891         Reviewed by Geoffrey Garen.
2892
2893         * API/tests/testapi.c:
2894         (main): "... script did not timed out ..." -> "... script did not time out ..."
2895
2896 2015-01-09  Michael Saboff  <msaboff@apple.com>
2897
2898         Breakpoint doesn't fire in this HTML5 game
2899         https://bugs.webkit.org/show_bug.cgi?id=140269
2900
2901         Reviewed by Mark Lam.
2902
2903         When parsing a single line cached function, use the lineStartOffset of the
2904         location where we found the cached function instead of the cached lineStartOffset.
2905         The cache location's lineStartOffset has not been adjusted for any possible
2906         containing functions.
2907
2908         This change is not needed for multi-line cached functions.  Consider the
2909         single line source:
2910
2911         function outer(){function inner1(){doStuff();}; (function inner2() {doMoreStuff()})()}
2912
2913         The first parser pass, we parse and cache inner1() and inner2() with a lineStartOffset
2914         of 0.  Later when we parse outer() and find inner1() in the cache, SourceCode start
2915         character is at outer()'s outermost open brace.  That is what we should use for
2916         lineStartOffset for inner1().  When done parsing inner1() we set the parsing token
2917         to the saved location for inner1(), including the lineStartOffset of 0.  We need
2918         to use the value of lineStartOffset before we started parsing inner1().  That is
2919         what the fix does.  When we parse inner2() the lineStartOffset will be correct.
2920
2921         For a multi-line function, the close brace is guaranteed to be on a different line
2922         than the open brace.  Hence, its lineStartOffset will not change with the change of
2923         the SourceCode start character.
2924
2925         * parser/Parser.cpp:
2926         (JSC::Parser<LexerType>::parseFunctionInfo):
2927
2928 2015-01-09  Joseph Pecoraro  <pecoraro@apple.com>
2929
2930         Web Inspector: Uncaught Exception in ProbeManager deleting breakpoint
2931         https://bugs.webkit.org/show_bug.cgi?id=140279
2932         rdar://problem/19422299
2933
2934         Reviewed by Oliver Hunt.
2935
2936         * runtime/MapData.cpp:
2937         (JSC::MapData::replaceAndPackBackingStore):
2938         The cell table also needs to have its values fixed.
2939
2940 2015-01-09  Joseph Pecoraro  <pecoraro@apple.com>
2941
2942         Web Inspector: Remove or use TimelineAgent Resource related event types
2943         https://bugs.webkit.org/show_bug.cgi?id=140155
2944
2945         Reviewed by Timothy Hatcher.
2946
2947         Remove unused / stale Timeline event types.
2948
2949         * inspector/protocol/Timeline.json:
2950
2951 2015-01-09  Csaba Osztrogonác  <ossy@webkit.org>
2952
2953         REGRESSION(r177925): It broke the !ENABLE(INSPECTOR) build
2954         https://bugs.webkit.org/show_bug.cgi?id=140098
2955
2956         Reviewed by Brian Burg.
2957
2958         * inspector/InspectorBackendDispatcher.h: Missing ENABLE(INSPECTOR) guard added.
2959
2960 2015-01-08  Mark Lam  <mark.lam@apple.com>
2961
2962         Argument object created by "Function dot arguments" should use a clone of the argument values.
2963         <https://webkit.org/b/140093>
2964
2965         Reviewed by Geoffrey Garen.
2966
2967         After the change in <https://webkit.org/b/139827>, the dfg-tear-off-arguments-not-activation.js
2968         test will crash.  The relevant code which manifests the issue is as follows:
2969
2970             function bar() {
2971                 return foo.arguments;
2972             }
2973
2974             function foo(p) {
2975                 var x = 42;
2976                 if (p)
2977                     return (function() { return x; });
2978                 else
2979                     return bar();
2980             }
2981
2982         In this case, foo() has no knowledge of bar() needing its LexicalEnvironment and
2983         has dead code eliminated the SetLocal that stores it into its designated local.
2984         In bar(), the factory for the Arguments object (for creating foo.arguments) tries
2985         to read foo's LexicalEnvironment from its designated lexicalEnvironment local,
2986         but instead, finds it to be uninitialized.  This results in a null pointer access
2987         which causes a crash.
2988
2989         This can be resolved by having bar() instantiate a clone of the Arguments object
2990         instead, and populate its elements with values fetched directly from foo's frame.
2991         There's no need to reference foo's LexicalEnvironment (whether present or not).
2992
2993         * interpreter/StackVisitor.cpp:
2994         (JSC::StackVisitor::Frame::createArguments):
2995         * runtime/Arguments.h:
2996         (JSC::Arguments::finishCreation):
2997
2998 2015-01-08  Mark Lam  <mark.lam@apple.com>
2999
3000         Make the LLINT and Baseline JIT's op_create_arguments and op_get_argument_by_val use their lexicalEnvironment operand.
3001         <https://webkit.org/b/140236>
3002
3003         Reviewed by Geoffrey Garen.
3004
3005         Will change the DFG to use the operand on a subsequent pass.  For now,
3006         the DFG uses a temporary thunk (operationCreateArgumentsForDFG()) to
3007         retain the old behavior of getting the lexicalEnvironment from the
3008         ExecState.
3009
3010         * bytecompiler/BytecodeGenerator.cpp:
3011         (JSC::BytecodeGenerator::BytecodeGenerator):
3012         (JSC::BytecodeGenerator::emitGetArgumentByVal):
3013         (JSC::BytecodeGenerator::createArgumentsIfNecessary):
3014         - When the lexicalEnvironment is not available, pass the invalid VirtualRegister
3015           instead of an empty JSValue as the lexicalEnvironment operand.
3016
3017         * dfg/DFGOperations.cpp:
3018         - Use the lexicalEnvironment from the ExecState for now.
3019
3020         * dfg/DFGSpeculativeJIT32_64.cpp:
3021         (JSC::DFG::SpeculativeJIT::compile):
3022         * dfg/DFGSpeculativeJIT64.cpp:
3023         (JSC::DFG::SpeculativeJIT::compile):
3024         - Use the operationCreateArgumentsForDFG() thunk for now.
3025
3026         * interpreter/CallFrame.cpp:
3027         (JSC::CallFrame::lexicalEnvironmentOrNullptr):
3028         * interpreter/CallFrame.h:
3029         - Added this convenience function to return either the
3030           lexicalEnvironment or a nullptr so that we don't need to do a
3031           conditional check on codeBlock->needsActivation() at multiple sites.
3032
3033         * interpreter/StackVisitor.cpp:
3034         (JSC::StackVisitor::Frame::createArguments):
3035         * jit/JIT.h:
3036         * jit/JITInlines.h:
3037         (JSC::JIT::callOperation):
3038         * jit/JITOpcodes.cpp:
3039         (JSC::JIT::emit_op_create_arguments):
3040         (JSC::JIT::emitSlow_op_get_argument_by_val):
3041         * jit/JITOpcodes32_64.cpp:
3042         (JSC::JIT::emit_op_create_arguments):
3043         (JSC::JIT::emitSlow_op_get_argument_by_val):
3044         * jit/JITOperations.cpp:
3045         * jit/JITOperations.h:
3046         * llint/LLIntSlowPaths.cpp:
3047         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3048         * runtime/Arguments.h:
3049         (JSC::Arguments::create):
3050         (JSC::Arguments::finishCreation):
3051         * runtime/CommonSlowPaths.cpp:
3052         (JSC::SLOW_PATH_DECL):
3053         * runtime/JSLexicalEnvironment.cpp:
3054         (JSC::JSLexicalEnvironment::argumentsGetter):
3055
3056 2015-01-08  Joseph Pecoraro  <pecoraro@apple.com>
3057
3058         Web Inspector: Pause Reason Improvements (Breakpoint, Debugger Statement, Pause on Next Statement)
3059         https://bugs.webkit.org/show_bug.cgi?id=138991
3060
3061         Reviewed by Timothy Hatcher.
3062
3063         * debugger/Debugger.cpp:
3064         (JSC::Debugger::Debugger):
3065         (JSC::Debugger::pauseIfNeeded):
3066         (JSC::Debugger::didReachBreakpoint):
3067         When actually pausing, if we hit a breakpoint ensure the reason
3068         is PausedForBreakpoint, otherwise use the current reason.
3069
3070         * debugger/Debugger.h:
3071         Make pause reason and pausing breakpoint ID public.
3072
3073         * inspector/agents/InspectorDebuggerAgent.h:
3074         * inspector/agents/InspectorDebuggerAgent.cpp:
3075         (Inspector::buildAssertPauseReason):
3076         (Inspector::buildCSPViolationPauseReason):
3077         (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
3078         (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason):
3079         (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
3080         (Inspector::buildObjectForBreakpointCookie):
3081         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
3082         (Inspector::InspectorDebuggerAgent::removeBreakpoint):
3083         (Inspector::InspectorDebuggerAgent::resolveBreakpoint):
3084         (Inspector::InspectorDebuggerAgent::pause):
3085         (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP):
3086         (Inspector::InspectorDebuggerAgent::currentCallFrames):
3087         (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
3088         Clean up creation of pause reason objects and other cleanup
3089         of PassRefPtr use and InjectedScript use.
3090
3091         (Inspector::InspectorDebuggerAgent::didPause):
3092         Clean up so that we first check for an Exception, and then fall
3093         back to including a Pause Reason derived from the Debugger.
3094
3095         * inspector/protocol/Debugger.json:
3096         Add new DebuggerStatement, Breakpoint, and PauseOnNextStatement reasons.
3097
3098 2015-01-08  Joseph Pecoraro  <pecoraro@apple.com>
3099
3100         Web Inspector: Type check NSArray's in ObjC Interfaces have the right object types
3101         https://bugs.webkit.org/show_bug.cgi?id=140209
3102
3103         Reviewed by Timothy Hatcher.
3104
3105         Check the types of objects in NSArrays for all interfaces (commands, events, types)
3106         when the user can set an array of objects. Previously we were only type checking
3107         that they were RWIJSONObjects; now we add an explicit check for the exact object type.
3108
3109         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
3110         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
3111         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
3112         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
3113         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
3114         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members):
3115         (ObjCProtocolTypesImplementationGenerator._generate_setter_for_member):
3116         * inspector/scripts/codegen/objc_generator.py:
3117         (ObjCGenerator.objc_class_for_array_type):
3118         (ObjCGenerator):
3119
3120 2015-01-07  Mark Lam  <mark.lam@apple.com>
3121
3122         Add the lexicalEnvironment as an operand to op_get_argument_by_val.
3123         <https://webkit.org/b/140233>
3124
3125         Reviewed by Filip Pizlo.
3126
3127         This patch only adds the operand to the bytecode.  It is not in use yet.
3128
3129         * bytecode/BytecodeList.json:
3130         * bytecode/BytecodeUseDef.h:
3131         (JSC::computeUsesForBytecodeOffset):
3132         * bytecode/CodeBlock.cpp:
3133         (JSC::CodeBlock::dumpBytecode):
3134         * bytecompiler/BytecodeGenerator.cpp:
3135         (JSC::BytecodeGenerator::emitGetArgumentByVal):
3136         * llint/LowLevelInterpreter32_64.asm:
3137         * llint/LowLevelInterpreter64.asm:
3138
3139 2015-01-07  Yusuke Suzuki  <utatane.tea@gmail.com>
3140
3141         Investigate the character type of repeated string instead of checking is8Bit flag
3142         https://bugs.webkit.org/show_bug.cgi?id=140139
3143
3144         Reviewed by Darin Adler.
3145
3146         Instead of checking the is8Bit flag of the repeated string, investigate
3147         the actual value of the repeated character, since the is8Bit flag gives a false negative case.
3148
3149         * runtime/StringPrototype.cpp:
3150         (JSC::repeatCharacter):
3151         (JSC::stringProtoFuncRepeat):
3152         (JSC::repeatSmallString): Deleted.
3153
3154 2015-01-07  Joseph Pecoraro  <pecoraro@apple.com>
3155
3156         Web Inspector: ObjC Generate types from the GenericTypes domain
3157         https://bugs.webkit.org/show_bug.cgi?id=140229
3158
3159         Reviewed by Timothy Hatcher.
3160
3161         Generate types from the GenericTypes domain, as they are expected
3162         by other domains (like Page domain). Also, don't include the @protocol
3163         forward declaration for a domain if it doesn't have any commands.
3164
3165         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
3166         (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations):
3167         (ObjCBackendDispatcherHeaderGenerator): Deleted.
3168         (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations_for_domains): Deleted.
3169         * inspector/scripts/codegen/objc_generator.py:
3170         (ObjCGenerator):
3171         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
3172         * inspector/scripts/tests/expected/enum-values.json-result:
3173         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
3174         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
3175         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
3176         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
3177         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
3178         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
3179         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
3180         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
3181         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
3182
3183 2015-01-07  Joseph Pecoraro  <pecoraro@apple.com>
3184
3185         Web Inspector: Remove unnecessary copyRef for paramsObject in generated dispatchers
3186         https://bugs.webkit.org/show_bug.cgi?id=140228
3187
3188         Reviewed by Timothy Hatcher.
3189
3190         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
3191         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
3192         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
3193         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
3194         * inspector/scripts/tests/expected/enum-values.json-result:
3195         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
3196
3197 2015-01-07  Saam Barati  <saambarati1@gmail.com>
3198
3199         interpret op_profile_type in the LLInt instead of unconditionally calling into the slow path
3200         https://bugs.webkit.org/show_bug.cgi?id=140165
3201
3202         Reviewed by Michael Saboff.
3203
3204         Inlining the functionality of TypeProfilerLog::recordTypeInformationForLocation
3205         into the LLInt speeds up type profiling.
3206
3207         * llint/LLIntOffsetsExtractor.cpp:
3208         * llint/LowLevelInterpreter.asm:
3209         * llint/LowLevelInterpreter32_64.asm:
3210         * llint/LowLevelInterpreter64.asm:
3211         * runtime/CommonSlowPaths.cpp:
3212         (JSC::SLOW_PATH_DECL):
3213         * runtime/CommonSlowPaths.h:
3214         * runtime/TypeProfilerLog.h:
3215         (JSC::TypeProfilerLog::recordTypeInformationForLocation): Deleted.
3216
3217 2015-01-07  Brian J. Burg  <burg@cs.washington.edu>
3218
3219         Web Inspector: purge PassRefPtr from Inspector code and use Ref for typed and untyped protocol objects
3220         https://bugs.webkit.org/show_bug.cgi?id=140053
3221
3222         Reviewed by Andreas Kling.
3223
3224         This patch replaces uses of PassRefPtr with uses of RefPtr&& and WTF::move() in code
3225         related to Web Inspector. It also converts many uses of RefPtr to Ref where
3226         references are always non-null. These two refactorings have been combined since
3227         they tend to require similar changes to the code.
3228
3229         Creation methods for subclasses of InspectorValue now return a Ref, and callsites
3230         have been updated to take a Ref instead of RefPtr.
3231
3232         Builders for typed protocol objects now return a Ref. Since there is no implicit
3233         call to operator&, callsites now must explicitly call .release() to convert a
3234         builder object into the corresponding protocol object once required fields are set.
3235         Update callsites and use auto to eliminate repetition of longwinded protocol types.
3236
3237         Tests for inspector protocol and replay inputs have been rebaselined.
3238
3239         * bindings/ScriptValue.cpp:
3240         (Deprecated::jsToInspectorValue):
3241         (Deprecated::ScriptValue::toInspectorValue):
3242         * bindings/ScriptValue.h:
3243         * inspector/ConsoleMessage.cpp:
3244         (Inspector::ConsoleMessage::addToFrontend):
3245         * inspector/ContentSearchUtilities.cpp:
3246         (Inspector::ContentSearchUtilities::buildObjectForSearchMatch):
3247         (Inspector::ContentSearchUtilities::searchInTextByLines):
3248         * inspector/ContentSearchUtilities.h:
3249         * inspector/InjectedScript.cpp:
3250         (Inspector::InjectedScript::getFunctionDetails):
3251         (Inspector::InjectedScript::getProperties):
3252         (Inspector::InjectedScript::getInternalProperties):
3253         (Inspector::InjectedScript::wrapCallFrames):
3254         (Inspector::InjectedScript::wrapObject):
3255         (Inspector::InjectedScript::wrapTable):
3256         * inspector/InjectedScript.h:
3257         * inspector/InjectedScriptBase.cpp:
3258         (Inspector::InjectedScriptBase::makeEvalCall): Split the early exits.
3259         * inspector/InspectorBackendDispatcher.cpp:
3260         (Inspector::InspectorBackendDispatcher::CallbackBase::CallbackBase):
3261         (Inspector::InspectorBackendDispatcher::CallbackBase::sendIfActive):
3262         (Inspector::InspectorBackendDispatcher::create):
3263         (Inspector::InspectorBackendDispatcher::dispatch):
3264         (Inspector::InspectorBackendDispatcher::sendResponse):
3265         (Inspector::InspectorBackendDispatcher::reportProtocolError):
3266         (Inspector::getPropertyValue): Add a comment to clarify what this clever code does.
3267         (Inspector::InspectorBackendDispatcher::getInteger):
3268         (Inspector::InspectorBackendDispatcher::getDouble):
3269         (Inspector::InspectorBackendDispatcher::getString):
3270         (Inspector::InspectorBackendDispatcher::getBoolean):
3271         (Inspector::InspectorBackendDispatcher::getObject):
3272         (Inspector::InspectorBackendDispatcher::getArray):
3273         (Inspector::InspectorBackendDispatcher::getValue):
3274         * inspector/InspectorBackendDispatcher.h: Use a typed protocol object to collect
3275         protocol error strings.
3276         (Inspector::InspectorSupplementalBackendDispatcher::InspectorSupplementalBackendDispatcher):
3277         Convert the supplemental dispatcher's reference to Ref since it is never null.
3278         * inspector/InspectorEnvironment.h:
3279         * inspector/InspectorProtocolTypes.h: Get rid of ArrayItemHelper and
3280         StructItemTraits. Add more versions of addItem to handle pushing various types.
3281         (Inspector::Protocol::Array::openAccessors):
3282         (Inspector::Protocol::Array::addItem):
3283         (Inspector::Protocol::Array::create):
3284         (Inspector::Protocol::StructItemTraits::push):
3285         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast): Assert argument.
3286         (Inspector::Protocol::StructItemTraits::pushRefPtr): Deleted.
3287         (Inspector::Protocol::ArrayItemHelper<String>::Traits::pushRaw): Deleted.
3288         (Inspector::Protocol::ArrayItemHelper<int>::Traits::pushRaw): Deleted.
3289         (Inspector::Protocol::ArrayItemHelper<double>::Traits::pushRaw): Deleted.
3290         (Inspector::Protocol::ArrayItemHelper<bool>::Traits::pushRaw): Deleted.
3291         (Inspector::Protocol::ArrayItemHelper<InspectorValue>::Traits::pushRefPtr): Deleted.
3292         (Inspector::Protocol::ArrayItemHelper<InspectorObject>::Traits::pushRefPtr): Deleted.
3293         (Inspector::Protocol::ArrayItemHelper<InspectorArray>::Traits::pushRefPtr): Deleted.
3294         (Inspector::Protocol::ArrayItemHelper<Protocol::Array<T>>::Traits::pushRefPtr): Deleted.
3295         * inspector/InspectorValues.cpp: Straighten out getArray and getObject to have
3296         the same call signature as other getters. Use Ref where possible.
3297         (Inspector::InspectorObjectBase::getBoolean):
3298         (Inspector::InspectorObjectBase::getString):
3299         (Inspector::InspectorObjectBase::getObject):
3300         (Inspector::InspectorObjectBase::getArray):
3301         (Inspector::InspectorObjectBase::getValue):
3302         (Inspector::InspectorObjectBase::writeJSON):
3303         (Inspector::InspectorArrayBase::get):
3304         (Inspector::InspectorObject::create):
3305         (Inspector::InspectorArray::create):
3306         (Inspector::InspectorValue::null):
3307         (Inspector::InspectorString::create):
3308         (Inspector::InspectorBasicValue::create):
3309         (Inspector::InspectorObjectBase::get): Deleted.
3310         * inspector/InspectorValues.h:
3311         (Inspector::InspectorObjectBase::setValue):
3312         (Inspector::InspectorObjectBase::setObject):
3313         (Inspector::InspectorObjectBase::setArray):
3314         (Inspector::InspectorArrayBase::pushValue):
3315         (Inspector::InspectorArrayBase::pushObject):
3316         (Inspector::InspectorArrayBase::pushArray):
3317         * inspector/JSGlobalObjectConsoleClient.cpp:
3318         (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
3319         (Inspector::JSGlobalObjectConsoleClient::count):
3320         (Inspector::JSGlobalObjectConsoleClient::timeEnd):
3321         (Inspector::JSGlobalObjectConsoleClient::timeStamp):
3322         * inspector/JSGlobalObjectConsoleClient.h:
3323         * inspector/JSGlobalObjectInspectorController.cpp:
3324         (Inspector::JSGlobalObjectInspectorController::executionStopwatch):
3325         * inspector/JSGlobalObjectInspectorController.h:
3326         * inspector/ScriptCallFrame.cpp:
3327         (Inspector::ScriptCallFrame::buildInspectorObject):
3328         * inspector/ScriptCallFrame.h:
3329         * inspector/ScriptCallStack.cpp:
3330         (Inspector::ScriptCallStack::create):
3331         (Inspector::ScriptCallStack::buildInspectorArray):
3332         * inspector/ScriptCallStack.h:
3333         * inspector/agents/InspectorAgent.cpp:
3334         (Inspector::InspectorAgent::enable):
3335         (Inspector::InspectorAgent::inspect):
3336         (Inspector::InspectorAgent::activateExtraDomain):
3337         * inspector/agents/InspectorAgent.h:
3338         * inspector/agents/InspectorDebuggerAgent.cpp:
3339         (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
3340         (Inspector::buildObjectForBreakpointCookie):
3341         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
3342         (Inspector::InspectorDebuggerAgent::setBreakpoint):
3343         (Inspector::InspectorDebuggerAgent::continueToLocation):
3344         (Inspector::InspectorDebuggerAgent::resolveBreakpoint):
3345         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
3346         (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP):
3347         (Inspector::InspectorDebuggerAgent::currentCallFrames):
3348         (Inspector::InspectorDebuggerAgent::didParseSource):
3349         (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
3350         (Inspector::InspectorDebuggerAgent::breakProgram):
3351         * inspector/agents/InspectorDebuggerAgent.h:
3352         * inspector/agents/InspectorRuntimeAgent.cpp:
3353         (Inspector::buildErrorRangeObject):
3354         (Inspector::InspectorRuntimeAgent::callFunctionOn):
3355         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
3356         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
3357         * inspector/agents/InspectorRuntimeAgent.h:
3358         * inspector/scripts/codegen/cpp_generator.py:
3359         (CppGenerator.cpp_type_for_unchecked_formal_in_parameter):
3360         (CppGenerator.cpp_type_for_type_with_name):
3361         (CppGenerator.cpp_type_for_formal_async_parameter):
3362         (CppGenerator.should_use_references_for_type):
3363         (CppGenerator):
3364         * inspector/scripts/codegen/cpp_generator_templates.py:
3365         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
3366         (CppBackendDispatcherHeaderGenerator.generate_output):
3367         (CppBackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
3368         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
3369         (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
3370         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
3371         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
3372         (CppFrontendDispatcherHeaderGenerator.generate_output):
3373         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
3374         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
3375         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
3376         (CppProtocolTypesHeaderGenerator.generate_output):
3377         (_generate_class_for_object_declaration):
3378         (_generate_unchecked_setter_for_member):
3379         (_generate_forward_declarations_for_binding_traits):
3380         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
3381         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
3382         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
3383         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
3384         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
3385         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
3386         (ObjCProtocolTypesImplementationGenerator.generate_output):
3387         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
3388         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
3389         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
3390         * inspector/scripts/tests/expected/enum-values.json-result:
3391         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
3392         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
3393         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
3394         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
3395         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
3396         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
3397         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
3398         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
3399         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
3400         * replay/EncodedValue.cpp:
3401         (JSC::EncodedValue::asObject):
3402         (JSC::EncodedValue::asArray):
3403         (JSC::EncodedValue::put<EncodedValue>):
3404         (JSC::EncodedValue::append<EncodedValue>):
3405         (JSC::EncodedValue::get<EncodedValue>):
3406         * replay/EncodedValue.h:
3407         * replay/scripts/CodeGeneratorReplayInputs.py:
3408         (Type.borrow_type):
3409         (Type.argument_type):
3410         (Generator.generate_member_move_expression):
3411         * runtime/ConsoleClient.cpp:
3412         (JSC::ConsoleClient::printConsoleMessageWithArguments):
3413         (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
3414         (JSC::ConsoleClient::logWithLevel):
3415         (JSC::ConsoleClient::clear):
3416         (JSC::ConsoleClient::dir):
3417         (JSC::ConsoleClient::dirXML):
3418         (JSC::ConsoleClient::table):
3419         (JSC::ConsoleClient::trace):
3420         (JSC::ConsoleClient::assertCondition):
3421